CISSP Domain 4
... sections to reduce the attack surface of security breaches.
• Example: Creating separate VLANs for different departments or isolating sensitive systems from general user networks.
Redundancy:
• Building redundancy into the network ensures that critical systems remain available.
• Using secure communication protocols like HTTPS, SSL/TLS, and IPsec
• Continuous monitoring helps detect anomalies, unauthorized access, and potential security threats in real-time.
• Example: Utilizing SIEM (Security Information and Event Management) systems to log and analyze network activity.
• Implementing secure design principles in network architecture ensures the protection of systems through defense in depth, least privilege, segmentation, and redundancy.
• Utilizing secure protocols and continuous monitoring helps maintain security and detect threats early. These practices enhance the overall resilience of the network.
7. Application Layer: Interfaces with end-user applications (e.g., HTTP, FTP, DNS).
Devices and Protocols at Each OSI Layer:
• Physical Layer: Hubs, cables, wireless signals.
• Data Link Layer: Switches, MAC addresses.
• Network Layer: Routers, IP, ICMP.
• Transport Layer: TCP, UDP.
• Session Layer: Session management protocols.
• Presentation Layer: Encryption and data translation.
• Application Layer: Web browsers, HTTP, DNS, FTP.
Encapsulation and Decapsulation:
• Encapsulation refers to the process of adding headers (control information) to data as it moves down the OSI layers, preparing it for transmission.
• Decapsulation is the reverse process, where headers are stripped as data moves up the OSI layers, making it readable for the application.
Role of Networking in Organizational Objectives:
• The OSI Model provides a layered framework for understanding how data is transmitted across
networks. Each layer has specific responsibilities, with various devices and protocols functioning at
different layers.
• The processes of encapsulation and decapsulation ensure data is properly transmitted and
received. Networks are essential to organizational success, requiring robust security measures to
protect their integrity.
• Example: The HTTP protocol operates at the Application Layer of the OSI model to enable web communication.
• Encapsulation and decapsulation ensure data is properly sent and received.
• A network is a connection between two or more devices, and protocols are the standardized rules that enable communication between these devices.
• The OSI Model helps structure these communications, with different protocols operating at various layers to ensure successful data exchange.
• Encapsulation: As data moves down the OSI layers, each layer adds
Importance of security at different layers
Devices and Protocols at Each OSI Layer:
• Physical Layer: Hubs, NICs, cables.
• Data Link Layer: Switches, MAC addresses, L2TP, PPTP.
• Network Layer: Routers, IP addresses, ICMP, NAT.
• Transport Layer: TCP, UDP, iSCSI.
• Application Layer: HTTP, DNS, FTP, SSH.
Firewalls at Multiple OSI Layers:
• Network Layer: Packet-filtering firewalls provide basic filtering with
• Lower layers (Physical, Data Link, Network) offer high efficiency and speed but limited security.
• Higher layers (Session, Presentation, Application) provide advanced security features but introduce complexity and slower processing.
The OSI Model structures network communication into seven layers, with specific roles
for each layer. Encapsulation and decapsulation enable data to move between devices.
The TCP/IP model is a simplified four-layer version used to implement OSI concepts.
Security decisions vary across OSI layers, with a balance between speed and complexity
needed at each level.
• Fiber Optic: Offers high security and speed; not as prone to interference or eavesdropping.
• The Physical layer handles the transmission of raw bits using wired or wireless media. Different
network topologies dictate how devices are connected, with hubs, repeaters, and NICs being key
devices at this layer.
• Transmission methods like unicast, multicast, and broadcast define how data flows, while
collision avoidance is crucial for network efficiency. The choice between cut-through and store-
and-forward switching balances speed and error checking.
Topics: Transmission methods (unicast, multicast, broadcast); Collision avoidance and CSMA; Cut-through vs. store-and-forward switching.
• Ring Topology: Devices connected in a closed loop, with token passing to avoid collisions.
Layer 1 Devices:
• Devices at Layer 1 include:
• Hubs: Simple devices that broadcast data to all connected devices.
• Repeaters: Amplify signals to extend transmission distance.
• NICs (Network Interface Cards): Interface between computers and networks.
Transmission Methods:
• Three primary methods for transmitting data:
• Unicast: One-to-one communication.
• Multicast: One-to-many communication.
• Broadcast: One-to-all communication within the network.
Collision Avoidance and CSMA:
• In shared media, collisions occur when two devices send data at the same time. Collision avoidance is managed using CSMA (Carrier Sense Multiple Access) protocols to prevent simultaneous transmissions.
Cut-through vs. Store-and-forward Switching:
• Cut-through: Switch starts forwarding data immediately after reading the destination address. Low latency, but error checking is minimal.
• Store-and-forward: Switch waits for the entire packet, checks for errors, and then forwards it. Higher latency, but error-free transmission.
CSMA/CA vs. CSMA/CD:
1. CSMA/CA (Collision Avoidance):
• Used in wireless networks, this method prevents collisions by using two communication lanes: one for sending and one for receiving data.
• Wireless networks use CSMA/CA to communicate with access points and avoid collisions entirely.
2. CSMA/CD (Collision Detection):
• Used in older wired networks, like Ethernet networks with
CSMA/CD Process:
1. The device checks if the line is idle before sending a frame. If the line is busy, it waits until the line is free.
2. After sending, the device monitors for collisions. If a collision occurs, a jam signal is sent.
3. The device waits for a random amount of time before attempting to send the data again.
• Collisions occur in shared media networks, and several methods—token-based, polling, and
CSMA—are used to handle them.
• CSMA/CA is used in wireless networks to avoid collisions, while CSMA/CD was used in older wired
networks to detect and correct collisions.
• Modern Ethernet networks now use switches to avoid collisions altogether, making CSMA/CD less
relevant.
• Example: Sending an ARP request across a local network to identify connected devices.
4. Anycast (One-to-Nearest/Best):
• Routes requests to the nearest or best-performing server.
• Used in Content Distribution Networks (CDNs) to direct users to the closest or most optimal server for content delivery.
• Improves performance and security by connecting to the best available server.
5. Geocast (One-to-Geographic Region):
• Delivers messages to devices within a specific geographical area.
• Often used in location-based services or emergency notification systems.
Security Considerations for Transmission Methods:
• Unicast is the most secure, as it limits communication to specific devices.
• Broadcast exposes data to all devices, making it less secure in comparison.
• Anycast is ideal for CDNs, where data is delivered from the server nearest to the user to enhance performance and security.
Geocast Explained:
• Geocast targets devices in a specific geographical location. It is useful for applications like emergency alerts or localized services.
• Transmission methods define how devices communicate on a network. The most common methods
are unicast (one-to-one), multicast (one-to-many), broadcast (one-to-all), and anycast (one-to-
nearest/best).
• Unicast offers the best security, while anycast enhances performance and security by directing
users to the nearest or best server.
• Geocast is used for location-specific messaging.
3. Signal-to-Noise Ratio (SNR):
• The comparison of the desired signal strength to the amount of background noise.
• A higher SNR indicates better signal quality, leading to fewer lost packets and less corrupt data.
• Example: In a wireless network, a high SNR means a clearer signal, allowing faster data transfer rates.
4. Latency:
• The time it takes for a signal to travel from the source to the destination and back, measured in milliseconds (ms).
• Example: If it takes 50 ms for a data packet to reach its destination and return, the latency is 50 ms.
5. Jitter:
• The variation in time delay between data packets. It measures the inconsistency of latency over time, which can lead to communication issues in real-time applications.
• Low jitter is preferred for a smooth and consistent network experience.
• Example: In VoIP calls, high jitter can result in poor audio quality and delays.
• Key performance metrics include bandwidth (maximum data capacity), throughput (actual data
transfer), signal-to-noise ratio (signal quality), latency (round-trip time for data), and jitter
(variation in packet delay).
• Understanding these metrics is crucial for optimizing network performance and ensuring efficient
communication.
• North-south traffic moves in and out of the data center, while east-west traffic moves within the
data center between devices.
• These traffic flows are critical in designing the data center's network architecture, routing, and
security strategies.
• ... exposure to threats, providing an added layer of security.
3. Air-gapped Management:
1. Complete physical isolation: The network is entirely disconnected from other networks, making it inaccessible from outside networks.
2. Example: Industrial control systems that need to be physically managed onsite.
3. Most secure: Air-gapped networks are often used for ... network.
• Physical segmentation improves network security by isolating traffic and devices. In-band
management uses the same network for both management and user traffic, while out-of-band
management uses a dedicated management network.
• Air-gapped networks provide the highest level of security through complete physical isolation but
may introduce management challenges.
• Advantage: It allows greater network scalability and segmentation without additional
Virtual Domains:
• Virtual domains allow for the creation of multiple separate security domains within a single physical device.
• Example: A firewall can be partitioned into multiple virtual firewalls, each
• Benefits: Logical segmentation is cheaper and more flexible than physical segmentation, allowing easier management and scaling.
• Risks: If not properly configured, logical segmentation may not provide effective isolation, leading to potential security vulnerabilities.
• Logical segmentation enables the division of a network into virtual segments through methods like
VLANs, VPNs, VRF, and virtual domains.
• This approach offers flexibility, cost-effectiveness, and scalability. However, proper configuration is
essential to ensure network isolation and security.
• ... clear communication during calls, even during periods of high network usage.
Capacity Management:
• Capacity management involves monitoring the current usage of network resources and planning for future needs.
• Example: In cloud environments, rapid elasticity allows resources to be scaled up or down based on demand, helping reduce the complications of capacity management.
• Goal: Ensure that the network can meet both present and future demands.
• ... followed by handling those issues using appropriate methods.
• Monitoring and management are critical for ensuring network performance and reliability.
• Key concepts include network observability (understanding network behavior), traffic shaping
(controlling and prioritizing data flows), capacity management (planning resource usage), and fault
detection (identifying and resolving issues efficiently).
• ... collisions because all devices share the same collision domain.
• Example: Older Ethernet networks often used hubs to connect devices, but they are now replaced by switches.
2. Repeaters:
• A repeater regenerates weakened signals and amplifies them to extend the transmission distance.
• It is used to mitigate signal attenuation (loss of signal strength) when data travels over long distances.
• Example: Repeaters are commonly used in large cabled networks to ensure signal integrity over extended distances.
3. Concentrators:
• ... systems where multiple data streams are merged for transmission over a single connection.
Characteristics of Layer 1 devices:
• Very fast due to their simple function of transmitting raw data (bits).
• No decision-making capabilities, meaning they cannot direct traffic or perform filtering.
• Typically, they operate in the same collision domain, leading to potential performance issues in certain network environments.
• Layer 1 devices, such as hubs, repeaters, and concentrators, handle the transmission of raw data
without intelligent decision-making.
• While hubs broadcast data to all devices, leading to potential collisions, repeaters amplify signals
to extend transmission distances, and concentrators aggregate signals for efficient transmission.
• Circuit-switched networks: Establish a dedicated connection between devices before transmitting data (e.g., traditional telephone systems).
• Packet-switched networks: Data is broken into packets and sent over a shared network, with each packet potentially taking a different route (e.g., the internet).
• ... data as it travels between two directly connected devices, protecting it from interception.
Layer 2 Devices: Bridges and Switches:
• Bridges: Devices that divide a network into segments and manage traffic based on MAC addresses, helping to reduce collisions.
• Switches: Devices that connect multiple devices within a network and forward frames based on MAC addresses. Switches improve network efficiency by reducing collisions and increasing data transmission speed.
Layer 2 Protocols:
• L2TP (Layer 2 Tunneling Protocol): A tunneling protocol used for VPNs that provides data privacy and security.
• ARP (Address Resolution Protocol): Resolves IP addresses to MAC addresses.
• The Data Link layer (Layer 2) is responsible for framing data and ensuring it can be transmitted
between devices using MAC addresses.
• It connects the Physical layer (Layer 1) and the Network layer (Layer 3), playing a critical role in
managing data flow and security.
• Devices like bridges and switches operate at this layer, using protocols such as L2TP, PPTP, and
ARP to facilitate communication.
Structure of MAC Addresses:
• First 24 bits: Organizational Unique Identifier (OUI), which identifies the device's manufacturer (e.g., Cisco, Intel).
• Last 24 bits: Uniquely assigned by the manufacturer to identify the specific device.
• Example: A MAC address could look like 00:1A:2B:3C:4D:5E, where the first three pairs identify the manufacturer and the last three pairs identify the device.
Address Resolution Protocol (ARP) and Reverse ARP (RARP):
• ARP: Maps IP addresses (Layer 3) to MAC addresses (Layer 2), facilitating communication between devices.
• Example: When sending data to a device, ARP helps translate the destination's IP address into its MAC address.
• RARP: Reverses this process by mapping MAC addresses to IP addresses.
ARP Poisoning:
• ARP poisoning is a form of attack where an attacker spoofs or masquerades as another device on the network by altering the ARP table.
• By doing this, the attacker can intercept data intended for the legitimate device.
• Example: In a man-in-the-middle attack, ARP poisoning allows the attacker to reroute traffic through their device without detection.
Circuit-Switched vs. Packet-Switched Networks:
• At Layer 2, devices are uniquely identified by MAC addresses, which consist of 48 bits. ARP and
RARP are used to map IP addresses to MAC addresses and vice versa.
• However, this layer is susceptible to attacks like ARP poisoning, where attackers can spoof devices
to intercept data.
• The distinction between circuit-switched and packet-switched networks is important for
understanding how data travels across networks.
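The two ARP-layer facts above (the OUI/device split of a MAC and the fact that poisoning rewrites IP-to-MAC bindings) can be turned into a simple defender-side monitor. The following is an added example, not part of the original notes; it reads a constructed log of observed ARP replies (the format and the addresses are assumptions) and raises an alert whenever a known IP suddenly answers from a different MAC or one MAC starts answering for several IPs, which is the same heuristic tools such as arpwatch rely on.

```python
import re
from typing import Dict, List, Set, Tuple

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


def split_mac(mac: str) -> Tuple[str, str]:
    """Split a 48-bit MAC into its 24-bit OUI (manufacturer) and 24-bit device part."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated MAC address: {mac!r}")
    octets = mac.upper().split(":")
    return ":".join(octets[:3]), ":".join(octets[3:])


# Constructed sample of observed ARP replies on one LAN segment, one per line:
# "<seconds> <sender IP> <sender MAC>". At t=31 the host that announced
# 192.168.1.20 starts claiming the gateway's IP, then a second host's IP.
SAMPLE_ARP_LOG = """\
0 192.168.1.1 00:1A:2B:3C:4D:5E
1 192.168.1.10 AA:BB:CC:11:22:33
2 192.168.1.20 AA:BB:CC:44:55:66
30 192.168.1.1 00:1A:2B:3C:4D:5E
31 192.168.1.1 AA:BB:CC:44:55:66
32 192.168.1.10 AA:BB:CC:44:55:66
"""


def detect_arp_anomalies(log_text: str, shared_macs: Set[str] = frozenset()) -> List[dict]:
    """Flag the two symptoms of ARP poisoning visible in a stream of ARP replies.

    1. ip_mac_change: an IP we already know is suddenly announced from another MAC.
    2. mac_claims_multiple_ips: one MAC answers for several IPs (a poisoner answering
       for both the gateway and the victim). shared_macs lists legitimate exceptions,
       e.g. a router that owns several addresses, so they are not reported.
    """
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = {}
    alerts: List[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        mac = mac.upper()
        split_mac(mac)  # validates the format; raises on junk input
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append({"time": int(ts), "reason": "ip_mac_change", "ip": ip,
                           "old_mac": known, "new_mac": mac})
        ip_to_mac[ip] = mac
        claimed = mac_to_ips.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1 and mac not in shared_macs:
            alerts.append({"time": int(ts), "reason": "mac_claims_multiple_ips",
                           "mac": mac, "claimed": sorted(claimed)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_LOG):
        print(alert)
```

A legitimate MAC change (replaced NIC, DHCP reassignment) trips the first rule too, so in practice the alert is a prompt to verify the binding against the switch's MAC table or DHCP leases, not proof of an attack.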
• Example: In a phone call, both parties can talk and listen at the same time without waiting for the other to finish.
Establishing a Connection:
• In a circuit-switched network, the connection can be established permanently or on demand. It is maintained between switches to ensure that traffic is routed to the correct destination.
Transmission of Digital Data over Analog Connections:
• Analog communication was originally designed for voice, as the human voice is analog in nature.
• However, with the rise of digital data, a solution was needed to transmit digital information over analog telephone lines.
Modems (Modulation/Demodulation):
• Modems were introduced to convert digital data into analog signals for transmission over analog telephone lines and back to digital data at the receiving end.
• Example: Early internet connections used modems to allow data to travel over phone lines, but these connections were limited to 65,000 bits per second.
Introduction of VoIP (Voice over IP):
• As data networks grew, the need for faster communication led to the development of VoIP (Voice over IP), which allows voice communication over data networks.
• VoIP uses the internet protocol to transmit digital data more efficiently than analog phone lines.
• Security risks: Though VoIP is faster, it also introduces security concerns, such as potential eavesdropping or data breaches.
• ... the availability and traffic on the network.
Unreliable Delivery:
• In packet-switched networks, there is no guarantee of delivery.
• Some packets may be lost during transmission, and the data must be reassembled upon arrival.
• Packets may also arrive out of order, but sequence numbers allow
• ... over long distances, but they introduce the risk of lost packets and reassembly errors.
• In a packet-switched network, data is broken into packets, which travel independently and may
take different routes to the destination.
• Switches route the packets based on header information, but the network does not guarantee
delivery, and packets may arrive out of order.
• This type of network is more efficient than circuit-switched networks, though it introduces risks such
as packet loss.
2. Example: PPTP is commonly used for remote access VPNs, though it is less secure than newer protocols.
3. L2TP (Layer 2 Tunneling Protocol):
1. A more advanced tunneling protocol that combines the best features of L2F and PPTP, providing strong encryption and security for VPNs.
2. Example: L2TP is often used for site-to-site VPNs due to its enhanced security features.
SLIP (Serial Line Internet Protocol):
• An older protocol used for remote access via serial connections and modems.
• Example: SLIP was once used for dial-up internet access, though it has been largely replaced by more modern protocols like PPP (Point-to-Point Protocol).
ARP (Address Resolution Protocol):
• ARP maps IP addresses to MAC addresses, allowing devices to communicate over a network.
• Example: When sending data to another device on a network, ARP helps to identify the device's MAC address, ensuring proper delivery.
• Layer 2 protocols manage data transmission at the Data Link layer. Tunneling protocols like L2F,
PPTP, and L2TP are used to create VPNs, while ARP and RARP map between IP and MAC
addresses.
• SLIP is an older protocol for remote access, replaced by more secure options today.
• Example: In a LAN environment, switches forward data packets between devices, reducing network traffic and improving efficiency compared to hubs.
• Switches vs. Hubs: Unlike hubs, which broadcast data to all devices, switches send data only to the device that needs it.
Layer 2 vs. Layer 3 Switches:
• Layer 2 switches work at the Data Link layer and forward frames based on MAC addresses.
• Layer 3 switches operate at the Network layer, performing additional tasks like routing based on IP addresses.
• Example: A Layer 3 switch can forward data across different subnets.
• ... as exam questions may specify whether they refer to a regular switch (Layer 2) or a Layer 3 switch with added functionalities.
• Layer 2 devices, such as bridges and switches, operate at the Data Link layer and manage network
traffic based on MAC addresses.
• While bridges connect different networks, Layer 2 switches forward data to the intended recipient
within the network.
• Layer 3 switches provide additional routing functionality by operating at the Network layer.
• EAP-MD5: A simpler version of EAP using ID and password, with low security and limited industry support.
• Authentication protocols have evolved to meet the needs of remote access. PPP introduced PAP,
CHAP, and EAP for secure connections, with EAP being the most flexible and secure.
• PEAP enhances EAP by using an encrypted TLS tunnel.
• Various types of EAP offer different levels of security and authentication, with EAP-TLS providing
the highest security using certificates for both client and server authentication.
• ... needs to discover its IP address.
• Fragmentation and IP Route Selection:
• The Network layer is responsible for selecting the best route for data packets to take to reach their destination, considering factors like congestion or node failure.
• Example: If a primary route is congested, Layer 3 protocols may choose an alternate route to ensure data reaches its destination.
Layer 3 Devices:
• Routers: Forward data packets between different networks, ensuring that the packets are routed to the correct destination.
• Packet filtering firewalls: Filter network traffic based on IP addresses, providing security by allowing or blocking specific packets.
• Layer 3 switches: Combine the functionality of both switches and routers, allowing for packet forwarding based on IP addresses.
Layer 3 Protocols:
• ICMP (Internet Control Message Protocol): Used for diagnostic purposes, such as pinging to test network connectivity.
• IGMP (Internet Group Management Protocol): Manages multicast group memberships, allowing devices to join or leave multicast groups.
• IPsec (Internet Protocol Security): Provides encryption and security for data packets transmitted over IP networks.
• OSPF (Open Shortest Path First): A routing protocol that finds the best path for data packets within a network.
Fragmentation and IP Addressing:
• Fragmentation is the process of breaking large chunks of data into smaller packets for transmission.
• At Layer 3, data is formatted as packets, and logical addressing is used to map IP addresses to
MAC addresses using ARP and RARP. Routing is a key responsibility, with Layer 3 devices like
routers and firewalls managing traffic.
• Layer 3 protocols such as ICMP, IGMP, and IPsec ensure smooth network operations, while
fragmentation and IP addressing allow data to be efficiently transmitted across networks.
Common routing protocols: BGP, OSPF, RIP
• ... between source and destination.
• Example: Traceroute shows the number of hops taken from one network to another.
• ... communication problems exist.
• Both tools can help identify if a host is reachable and map network paths, but they can also be used in reconnaissance attacks, which is why they are often filtered.
• Security concerns: ICMP can be used for reconnaissance by attackers, making it common to filter ICMP traffic at firewalls.
IGMP (Internet Group Management Protocol):
• IGMP is used to manage group memberships for multicast communications.
• It helps hosts, routers, and similar devices join or leave multicast groups.
• Example: Streaming video services use IGMP to manage data distribution to multiple users.
IPsec (Internet Protocol Security):
• IPsec is a tunneling protocol that provides authentication and encryption at Layer 3.
• Example: IPsec is commonly used to secure VPNs, ensuring that data is
OSPF (Open Shortest Path First):
• OSPF is a routing protocol used by routers to determine the best path for network traffic.
• ... routing protocols like RIP.
• Layer 3 protocols like ICMP, IGMP, IPsec, and OSPF handle network routing, security, and logical
addressing.
• ICMP provides network feedback through tools like ping and traceroute, while IGMP manages
multicast groups.
• IPsec ensures secure communication through encryption, and OSPF is a secure and efficient
routing protocol.
• Routing protocols like BGP, OSPF, and RIP manage data flow between and within networks.
• ... OSPF, BGP) to determine the best route for data.
Layer 3 Switches:
• Layer 3 switches are similar to routers in their ability to route traffic between networks but are often used to connect devices within a VLAN (Virtual Local Area Network).
• Example: A Layer 3 switch can route traffic between different subnets within the same organization.
• They combine switching and routing functionalities, enabling faster internal communication while also providing Layer 3 routing capabilities.
Packet Filtering Firewalls:
• Packet filtering firewalls operate at Layer 3 and make decisions based on the header portion of data packets, such as source and destination IP addresses and port numbers.
• Example: A packet filtering firewall can block traffic from certain IP addresses marked as malicious.
• ... headers, and therefore provide basic protection.
• Devices at Layer 3 balance speed and decision-making capability.
• Layer 3 firewalls are fast but only offer limited filtering based on simple IP addresses and port numbers.
• Layer 3 devices, such as routers, Layer 3 switches, and packet filtering firewalls, manage
network traffic by making decisions based on IP addresses.
• Routers direct traffic between networks, while Layer 3 switches handle routing within VLANs.
• Packet filtering firewalls provide fast but basic security by filtering packets based on header
information, while higher-layer firewalls offer more advanced protection at the cost of speed.
• IPv6: Consists of 128 bits, divided into eight 16-bit groups, significantly increasing the number of available IP addresses.
• Example: An IPv6 address might look like 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
Private vs. Public IP Addresses:
• Private IP addresses are not routable on the public internet and are used within local networks.
• Example: 192.168.0.0 – 192.168.255.255 is a private IP range used in many home networks.
• Public IP addresses are globally unique and routable on the internet.
• Example: Websites like google.com have public IP addresses to be accessible globally.
Network Classes (Subnetting):
• Subnetting allows for the creation of smaller networks (subnets) within a larger network, optimizing the use of available IP addresses.
• Example: The 192.168.1.0 network can be divided into smaller subnets, such as 192.168.1.0/24 for more efficient IP address allocation.
• Network classes in IPv4 are divided into Class A, B, and C, allowing networks of varying sizes:
• Class A: Large networks
• Class B: Medium networks
• ... address when accessing the internet.
• IPv4 addresses are made up of 32 bits and have become limited due to the increasing
number of connected devices, leading to the adoption of IPv6 (with 128 bits). Private IP
addresses are used within local networks, while public IP addresses are routable on
the internet. NAT allows internal devices to share a public IP address, improving security
and IP address efficiency.
• IEEE sets the global standards for wired, wireless, and virtual networks.
• The IEEE 802.3 standard covers Ethernet-based wired networks, while IEEE 802.11 governs
wireless LAN (Wi-Fi) technology.
• IEEE 802.1Q is the standard for VLANs, which allow network segmentation for enhanced security
and efficiency.
• ... bits, providing an almost infinite number of IP addresses (2^128).
• Example: An IPv6 address looks like 2001:0db8:85a3:0000:0000:8a2e:0370:7334 (represented in hexadecimal format, separated by colons).
• Benefits: Backward compatibility with IPv4, larger address
• Reason for IPv6 Creation: IPv4's address space was insufficient for the growing number of devices connecting to the internet. IPv6 solves this by addressing the limitations of IPv4 and ensuring enough
• IP is the protocol responsible for addressing and routing data across networks. IPv4 uses a 32-bit
address space, limiting the number of available addresses.
• To solve this, IPv6 was developed, offering a 128-bit address space and built-in IPsec security.
While IPv6 adoption is increasing, NAT and other techniques continue to extend the life of IPv4.
• ... networks are isolated from internet traffic.
• Multiple organizations can use the same private IP range without conflict, as these addresses are only used internally.
• Example: Two companies next door can both use the 192.168.1.0 range for their internal networks without any issues.
• Private IPv4 addresses are used for internal networks, providing non-routable IP
addresses that cannot be accessed from the internet, ensuring isolation and security.
They come in three main ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, as
defined by RFC 1918.
• ... Class C would have 254 addresses.
• Subnetting solves these issues by allowing the creation of smaller, logical networks that can better fit organizational needs.
IP Address Classes (A, B, C):
• Class A: Supports 16+ million IP addresses, typically used by large organizations or ISPs.
• Class B: Supports 65,534 IP addresses, generally used by medium-sized organizations.
• Class C: Supports 254 IP addresses, typically used in small networks like home or small business networks.
Class D and Class E Uses:
• Class D: Reserved for multicast addressing, which is used for broadcasting information to multiple hosts on a network.
• Class E: Reserved for experimental purposes and not used for normal networking.
Maximum Number of IP Addresses Per Class:
• Explanation: The difference between the total and usable addresses comes from the network address and broadcast address, which are reserved.
Class | Exponent | Total Addresses | Usable Addresses
Class B | 2^16 | 65,536 | 65,534
• Subnetting optimizes the allocation of IP addresses by breaking a larger network into smaller, more
manageable sub-networks.
• This addresses the inefficiencies and limitations of traditional Class A, B, and C networks, ensuring
that the right number of addresses is allocated.
• Class A networks are the largest, followed by Class B and Class C, while Class D is reserved for
multicast and Class E for experimentation.
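The classful table and the subnetting bullets above can be checked directly with Python's standard ipaddress module. The following is an added example (not part of the original notes): it verifies the RFC 1918 ranges, reports total versus usable addresses for any CIDR block, and carves a /24 into equal subnets sized for a given number of hosts. The sample blocks and host counts are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges named in the text above.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if the address falls in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def describe(cidr: str) -> dict:
    """Network/broadcast address and total vs. usable host count for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    total = net.num_addresses
    # /31 and /32 have no separate network/broadcast address (RFC 3021); otherwise 2 are reserved.
    usable = total if net.prefixlen >= 31 else total - 2
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        "total": total,
        "usable": usable,
    }


def smallest_prefix_for(hosts_needed: int) -> int:
    """Longest prefix (smallest block) that still leaves hosts_needed usable addresses."""
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= hosts_needed:
            return prefix
    raise ValueError("more hosts than IPv4 can address")


def subnet_plan(cidr: str, hosts_needed: int) -> list:
    """Carve cidr into equal subnets sized for hosts_needed usable hosts each."""
    net = ipaddress.ip_network(cidr, strict=False)
    prefix = smallest_prefix_for(hosts_needed)
    if prefix < net.prefixlen:
        raise ValueError(f"{cidr} is too small for {hosts_needed} hosts per subnet")
    return [str(s) for s in net.subnets(new_prefix=prefix)]


if __name__ == "__main__":
    for block in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/24"):
        print(block, describe(block))
    print(subnet_plan("192.168.1.0/24", 50))   # four /26 subnets, 62 usable hosts each
```

The classful rows fall out of describe(): 10.0.0.0/8 gives 16,777,214 usable hosts and a /24 gives 254, and subnet_plan() shows the saving subnetting buys, since a department that needs 50 hosts gets a /26 rather than a whole /24.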
• UDP is often referred to as a "send and pray" protocol due to its unreliable (connectionless, best-effort) nature: there is no handshake, acknowledgement, or retransmission.
TCP Three-Way Handshake:
• TCP uses a three-way handshake to establish a reliable connection between two devices.
• Step 1: SYN (Synchronize). The sender initiates a connection with a SYN packet carrying its initial sequence number.
Ports:
• Well-known ports: Ports numbered 0–1023 are reserved for commonly used services (e.g., DNS uses port 53).
• Ephemeral ports: Ports numbered 1024–65535 are dynamic and often used for temporary client connections. IANA subdivides this range into registered ports (1024–49151) and dynamic/private ports (49152–65535).
• Layer 4 (Transport Layer) manages the reliable and efficient transportation of data using TCP and
UDP protocols.
• TCP provides reliable, ordered communication, ensuring data integrity, while UDP offers faster,
unordered transmission, ideal for real-time applications.
• The TCP three-way handshake establishes reliable connections, and ports associate specific
network services with unique numbers.
• Step 2: SYN-ACK (Synchronize-Acknowledge). Device B acknowledges Device A's sequence number and replies with its own initial sequence number (e.g., 2000), so the packet carries both the SYN and ACK flags.
• Step 3: ACK (Acknowledge). Device A responds with an ACK packet that acknowledges Device B's sequence number by incrementing it to 2001.
• The three steps, SYN, SYN-ACK and ACK, complete the connection establishment; only then is application data exchanged.
• SYN flood: The server answers each SYN with a SYN-ACK and holds a half-open entry while it waits for the final ACK. If spoofed SYNs flood in faster than entries time out, the server's backlog (connection) queue fills and legitimate SYNs are dropped.
• The TCP three-way handshake is essential for establishing reliable connections between devices using SYN, SYN-ACK, and ACK.
• Although TCP ensures ordered and sequenced communication, it is vulnerable to SYN flood attacks, which can overwhelm servers by filling up connection queues.
• Implementing SYN proxies can help mitigate these attacks by completing the handshake on the server's behalf and forwarding only genuine connections; SYN cookies in the host TCP stack achieve a similar effect by storing no state until the client's ACK arrives.
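The handshake and the SYN-flood failure mode described above, as an added example (not the notes' own code): a toy listener with a fixed backlog that, in its default mode, stores a half-open entry per SYN and, with a simplified SYN cookie (a hash-derived initial sequence number standing in for the real kernel construction), stores nothing until the ACK proves the client is genuine. Hosts, the sequence numbers (1000/2000/2001 as in the text) and the backlog size are constructed for illustration.

```python
import hashlib


class TcpListener:
    """Toy TCP listener that tracks half-open connections (SYN seen, final ACK still pending)."""

    def __init__(self, backlog: int, syn_cookies: bool = False, secret: bytes = b"toy-secret"):
        self.backlog = backlog            # how many half-open entries the queue can hold
        self.syn_cookies = syn_cookies    # stateless mode: no entry is stored until the ACK arrives
        self.secret = secret
        self.half_open = {}               # client -> server ISN (only used without SYN cookies)
        self.established = set()
        self.next_isn = 2000              # fixed so the trace matches the text; real stacks randomize ISNs

    def _cookie(self, client: str, client_isn: int) -> int:
        # Simplified SYN cookie: ISN derived from connection identity and a server secret.
        h = hashlib.sha256(f"{client}|{client_isn}|".encode() + self.secret).digest()
        return int.from_bytes(h[:4], "big")

    def on_syn(self, client: str, client_isn: int):
        """Step 1 -> step 2: return the SYN-ACK (flag, seq, ack) or None if the SYN is dropped."""
        if self.syn_cookies:
            server_isn = self._cookie(client, client_isn)      # nothing stored
        else:
            if len(self.half_open) >= self.backlog:
                return None                                    # backlog full: SYN silently dropped
            server_isn = self.next_isn
            self.half_open[client] = server_isn
        return ("SYN-ACK", server_isn, client_isn + 1)

    def on_ack(self, client: str, seq: int, ack: int) -> bool:
        """Step 3: accept the connection only if the ACK matches what we sent."""
        if self.syn_cookies:
            ok = ack == self._cookie(client, seq - 1) + 1      # seq - 1 is the client's ISN
        else:
            server_isn = self.half_open.pop(client, None)
            ok = server_isn is not None and ack == server_isn + 1
        if ok:
            self.established.add(client)
        return ok


def handshake(server: TcpListener, client: str = "A", client_isn: int = 1000) -> list:
    """Run a full three-way handshake and return the segments exchanged."""
    trace = [("SYN", client_isn, 0)]
    reply = server.on_syn(client, client_isn)
    if reply is None:
        return trace + [("DROPPED", 0, 0)]
    trace.append(reply)
    _, server_isn, _ = reply
    ack = ("ACK", client_isn + 1, server_isn + 1)
    trace.append(ack)
    server.on_ack(client, ack[1], ack[2])
    return trace


def client_connects_after_flood(backlog: int = 4, spoofed: int = 10, syn_cookies: bool = False) -> bool:
    """Spoofed SYNs (never ACKed) arrive first; can a genuine client still connect?"""
    server = TcpListener(backlog, syn_cookies)
    for i in range(spoofed):
        server.on_syn(f"203.0.113.{i}", 5000 + i)   # spoofed sources from TEST-NET-3, no ACK ever follows
    legit = "198.51.100.7"
    trace = handshake(server, legit, 1000)
    return trace[-1][0] == "ACK" and legit in server.established
```

Without cookies the fourth spoofed SYN fills the backlog and the real client's SYN is dropped; with cookies the listener holds no state per SYN, so the flood costs it nothing and the client's ACK is validated by recomputation.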
• SSH (Secure Shell): Port 22 for secure remote login.
• Telnet: Port 23 for remote command line access (plaintext, so credentials are exposed).
• SMTP (Simple Mail Transfer Protocol): Port 25 for sending emails.
• HTTP: Port 80 for web traffic.
• HTTPS (Secure HTTP): Port 443 for secure web traffic.
Hardening and Securing Ports:
• If a service is not needed, close the associated port to prevent potential abuse by attackers.
• Use packet filtering to block traffic whose header targets these ports.
• Hardening involves disabling unnecessary services, blocking dangerous ports, and applying patches to fix known vulnerabilities.
• Example: Instead of HTTP, use HTTPS to encrypt web traffic.
Port Classes:
• Well-Known Ports (0–1023): Used for widely known services like HTTP.
• Registered Ports (1024–49151): Assigned by IANA to specific applications and services.
• Dynamic/Private Ports (49152–65535): Used by applications and clients for temporary (ephemeral) connections.
• Ports act as gateways for various services, and securing them (via hardening techniques like closing unnecessary ports or using encryption protocols) is crucial.
• Layer 4 protocols, TCP (reliable) and UDP (fast, unreliable), play key roles in data transport, while SSL/TLS ensures secure communication over the Internet.
• SSL/TLS is used for encrypted connections across the Internet; SSL and TLS 1.0/1.1 are deprecated, so TLS 1.2 or 1.3 should be required.
• PAP (Password Authentication Protocol): Sends the username and password in cleartext for authentication.
  • Weak security, as the password can be sniffed off the wire and the protocol doesn't prompt for password changes or provide encryption.
• CHAP (Challenge Handshake Authentication Protocol):
  • Issues regular challenges to validate the authenticity of a session.
  • Proves knowledge of the password with a hashed challenge-response, so the password itself never crosses the wire (the session data is not itself encrypted).
  • More secure than PAP, but still used in conjunction with other protocols for additional security.
• EAP (Extensible Authentication Protocol):
  • Extensible and flexible, allowing vendors to incorporate smart cards and digital certificates for authentication.
  • Used in wireless network security protocols (e.g., WPA2-Enterprise) for connecting to secure networks and authenticating users.
• NetBIOS (Network Basic Input/Output System):
  • A legacy protocol enabling communication between devices in a local network.
  • Provides security by establishing sessions for applications and controlling access based on session-level data.
  • Primarily used to monitor connections and ensure they are valid before data transfer occurs.
• The Session layer is crucial for managing connections and communication between hosts, providing mechanisms for authentication and ensuring secure, reliable dialogues between processes.
• Key protocols like PAP, CHAP, EAP, NetBIOS, and RPC provide authentication and communication services. Circuit proxy firewalls secure sessions at this layer.
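PAP versus CHAP as an added example (not from the original notes): CHAP's response is MD5(identifier || secret || challenge) as RFC 1994 specifies; the credential store and user name are constructed. It shows that the secret appears on the wire only with PAP, that each re-challenge must be answered afresh, and that a captured response cannot be replayed against a new challenge.

```python
import hashlib
import hmac
import os

# Constructed credential store shared by the peer and the authenticator.
SECRET_DB = {"alice": b"correct horse battery staple"}


def pap_request(user: str, password: bytes) -> dict:
    """PAP: the password itself travels in the Authenticate-Request."""
    return {"user": user, "password": password}


def pap_verify(request: dict) -> bool:
    stored = SECRET_DB.get(request["user"])
    return stored is not None and hmac.compare_digest(stored, request["password"])


def chap_challenge(identifier: int, length: int = 16) -> dict:
    """Authenticator -> peer: a fresh random challenge with an 8-bit identifier."""
    return {"id": identifier & 0xFF, "challenge": os.urandom(length)}


def chap_response(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Peer -> authenticator: MD5(Identifier || secret || Challenge), per RFC 1994."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator recomputes the expected response from its own copy of the secret."""
    secret = SECRET_DB.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, challenge, secret), response)


def chap_session(user: str, secret: bytes, rounds: int = 3) -> list:
    """Initial challenge plus periodic re-challenges; each must be answered afresh."""
    results = []
    for ident in range(1, rounds + 1):
        ch = chap_challenge(ident)
        resp = chap_response(ch["id"], ch["challenge"], secret)
        results.append(chap_verify(user, ch["id"], ch["challenge"], resp))
    return results


def replay_recorded_response(user: str, secret: bytes) -> bool:
    """An eavesdropper replays a captured response against a new challenge."""
    old = chap_challenge(1)
    captured = chap_response(old["id"], old["challenge"], secret)
    new = chap_challenge(2)
    return chap_verify(user, new["id"], new["challenge"], captured)


def secret_visible_on_wire(message: dict, secret: bytes) -> bool:
    """Would a sniffer see the secret in this message as sent?"""
    return any(isinstance(v, bytes) and secret in v for v in message.values())
```

Note the caveat the notes imply: CHAP protects the password, not the data; anything after authentication still needs its own encryption, and the authenticator must store the secret in a recoverable form, which is why CHAP is paired with other protocols rather than used alone.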
• Unlike Application layer firewalls, circuit proxy firewalls do not analyze the content of the traffic but instead manage the session between hosts.
Benefits of Circuit Proxy Firewalls:
• Provide anonymity and protection for internal networks by hiding internal IP addresses through Network Address Translation (NAT).
• Outgoing traffic from the internal network appears as though it originates from the gateway's IP address, enhancing security by masking internal details.
• Circuit proxy firewalls are simpler and faster due to their focus on managing sessions rather than filtering content, making them more efficient in certain scenarios. The trade-off is that malicious payloads carried inside a permitted session are not inspected.
• Circuit proxy firewalls at the Session layer focus on securing TCP sessions by managing the
connection's handshake process.
• They offer anonymity and protect internal networks via NAT, ensuring that only legitimate traffic
passes through while hiding internal details from external users.
Importance of Content Distribution Networks (CDNs):
• Role of CDNs: Help reduce latency and improve speed by hosting media files closer to users.
• CDNs manage the distribution of large media files, overcoming the limitations of individual codecs by streamlining the delivery of content such as YouTube videos.
• The Presentation layer focuses on the formatting, encryption, and compression of data to ensure compatibility for exchange between applications.
• Codecs are essential for handling media compression but pose malware risks: a malformed media file can exploit a vulnerable codec on the client.
• CDNs address the delivery side by optimizing the distribution of large media files globally; codec vulnerabilities themselves still have to be patched on the client.
• Application security measures (e.g., secure coding, input validation, and patch management) are critical to protect against these vulnerabilities.
Common Layer 7 Protocols:
• HTTP/S (Hypertext Transfer Protocol/Secure): Used for web traffic, with HTTPS providing encrypted communication.
• DNS (Domain Name System): Translates domain names into IP addresses.
• FTP (File Transfer Protocol): Used for transferring files between systems.
• Telnet and SSH: Used for remote command-line access; SSH is the secure version of Telnet.
• SMTP (Simple Mail Transfer Protocol): Used for sending emails.
• SNMP (Simple Network Management Protocol): Used for managing network devices.
Layer 7 Devices:
• Gateways: Devices that manage communication between different networks, converting between protocols or data formats as needed.
• Application firewalls: Advanced firewalls that inspect traffic at the application level, blocking or allowing traffic based on the content of the data (e.g., web content or specific applications).
• The Application layer (Layer 7) provides the user interface for communication services and handles
most application-level protocols.
• It is the most vulnerable layer due to the significant amount of application code involved, making it
a prime target for security breaches and attacks.
• End-to-end encryption, access control, and application firewalls are crucial for securing Layer 7
interactions.
• DNSSEC: Adds security to DNS by digitally signing records, protecting the integrity and authenticity of DNS data and preventing spoofing attacks. It does not encrypt queries, so it provides no confidentiality.
Telnet
• Telnet (port 23): A protocol for remote terminal access, but insecure as it transmits data, including credentials, in plaintext.
• Best practice is to use SSH for secure remote connections instead of Telnet.
SSH (Secure Shell)
• SSH (port 22): Provides a secure way to access remote computers, using public-key cryptography to authenticate hosts and users and to negotiate the session keys that encrypt the traffic. Commonly used for secure login, command execution, and file transfers on remote servers.
SMTP/POP3 (Email Protocols)
• SMTP (port 25): Used for sending emails from client to server and between mail servers.
• POP3 (port 110): Used for receiving emails, allowing users to download messages from the server to a local client.
SNMP
• SNMP (ports 161 and 162): Used for network device management, helping administrators monitor and configure devices (161 for queries, 162 for traps).
• SNMPv1 and v2: Vulnerable to security risks (community strings and data travel in cleartext).
• SNMPv3: The latest version, offering enhanced security features such as encryption and authentication.
• Layer 7 protocols are critical for communication, file transfer, email, and network management.
HTTPS and SSH provide secure alternatives to their insecure counterparts (HTTP, Telnet).
• SNMPv3 and DNSSEC are important advancements in securing network management and domain
name systems, respectively.
• Application-proxy firewalls inspect application-level data, which makes them slower than firewalls operating at Layer 3 or Layer 4.
• Layer 7 devices, such as gateways and application-proxy firewalls, provide advanced security and
connectivity solutions.
• Gateways connect different networks, while application-proxy firewalls filter traffic based on
application-level data, ensuring detailed, content-aware protection.
• Vulnerability Management: Regularly scan and assess the network for vulnerabilities and mitigate or fix identified issues to enhance network security.
CIA Triad Support
• Confidentiality and integrity are supported by protecting data during transmission and preventing unauthorized modifications, and availability by keeping downtime minimal.
• Network administrators are responsible for the configuration, patching, and vulnerability
management of network resources.
• They play a key role in maintaining the CIA triad and ensuring the security and smooth operation of
an organization's network.
• iSCSI (Internet SCSI): Allows SCSI storage commands to be carried over IP networks, often used in storage and backup systems.
• FCoE (Fibre Channel over Ethernet): Carries Fibre Channel storage frames directly over Ethernet (not IP) for the same purpose.
• Voice over Internet Protocol (VoIP): Enables voice communications over IP networks instead of traditional phone lines. Protocols like H.323 and SIP are used.
VoIP Security Concerns
• VoIP introduces security challenges due to its transmission over IP networks, which lack native security.
• Common VoIP attacks include eavesdropping, denial-of-service (DoS) attacks, and phishing via VoIP channels (vishing).
• Encryption (e.g., using SRTP) helps protect voice communications but may add latency.
Common VoIP Protocols
1. Secure Real-time Transport Protocol (SRTP):
   1. Provides encryption, authentication, integrity, and replay attack protection for streaming voice and video over IP.
   2. Optimizes bandwidth and has low resource requirements. Described in RFC 3711.
2. Session Initiation Protocol (SIP):
   1. Signaling protocol that sets up, modifies, and tears down call sessions.
   2. Also supports direct connections between PBX systems and public telephony networks.
• PBX (Private Branch Exchange): A private telephone network for internal communications within an organization.
• IP Convergence enables data networks to carry multiple types of traffic, including voice and multimedia.
• Converged protocols like VoIP, FCoE, and iSCSI have specific uses, but they also bring security risks.
• VoIP is especially vulnerable and requires SRTP for the media stream and TLS-protected SIP signaling to ensure secure communication.
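SRTP's replay protection, as an added example not taken from the notes: it implements the RFC 3711 packet-index estimation (rollover counter || 16-bit sequence number) and a 64-packet sliding replay window, the part of SRTP a receiver runs before spending CPU on authentication. The packet sequences are constructed; the example leaves out the encryption and authentication tag, which in real SRTP must verify before the index update is committed.

```python
WINDOW = 64  # RFC 3711 asks for a replay list covering at least the last 64 packets


class SrtpReceiver:
    """Tracks the 48-bit SRTP packet index (ROC || SEQ) and a sliding replay window."""

    def __init__(self):
        self.roc = 0            # rollover counter, incremented each time SEQ wraps
        self.s_l = None         # highest authenticated SEQ seen (None before the first packet)
        self.highest = -1       # highest accepted 48-bit index
        self.window = 0         # bit i set => index (highest - i) already received

    def estimate_index(self, seq: int) -> int:
        """RFC 3711 section 3.3.1: pick the ROC value v that puts seq closest to the last packet."""
        if self.s_l is None:
            return seq
        v = self.roc
        if self.s_l < 32768:
            if seq - self.s_l > 32768:
                v = self.roc - 1            # late packet from before the last wrap
        elif self.s_l - 32768 > seq:
            v = self.roc + 1                # seq has wrapped since the last packet
        return (v << 16) | seq

    def accept(self, seq: int) -> bool:
        """Return True if the packet is new (not a replay, not too old) and record it."""
        index = self.estimate_index(seq)
        if index < 0:
            return False
        if index > self.highest:
            shift = index - self.highest
            self.window = ((self.window << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = index
        else:
            behind = self.highest - index
            if behind >= WINDOW:
                return False                 # older than the replay window: reject
            if (self.window >> behind) & 1:
                return False                 # already seen: replay
            self.window |= 1 << behind
        # Update ROC / s_l only after the packet is accepted (authenticated, in real SRTP).
        v = index >> 16
        if v > self.roc:
            self.roc, self.s_l = v, seq
        elif v == self.roc and (self.s_l is None or seq > self.s_l):
            self.s_l = seq
        return True
```

The rollover handling is the subtle part: when SEQ wraps from 65535 to 0 the receiver must move to ROC 1, and a replayed 65535 must then still be recognised as index 65535 (one behind), not as a fresh packet in the new rollover epoch.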
• Vishing is a voice-based phishing attack that manipulates victims through spoofed phone calls,
while smishing uses text messages to achieve similar goals.
• Both forms of phishing rely on social engineering to deceive and steal information from
unsuspecting individuals.
• ARP Poisoning
• ARP Tables
Passive vs. Active Attacks
• Passive Attacks: The attacker does not alter the target's environment (e.g., traffic monitoring).
• Active Attacks: The attacker engages with the target to alter systems or data (e.g., SYN flooding or DoS attacks).
SYN Scanning
• A type of active attack that manipulates the TCP three-way handshake to identify open services on a target machine.
SYN Flooding
• A Denial-of-Service (DoS) attack where multiple SYN requests are sent to the target to exhaust resources and cause a crash.
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
• DoS: One machine disrupts a target's functionality by overwhelming it with requests.
• DDoS: Many machines (often a botnet) attack the same target at once, amplifying the impact.
ARP Poisoning
• An attacker sends forged ARP replies so that other hosts' ARP tables map a victim's IP address to the attacker's MAC address, redirecting traffic meant for another device to their own.
• ARP Tables map IP addresses to MAC addresses, and every device on a network maintains an ARP table.
• Network security attacks follow phases similar to network assessments but differ during the
exploitation phase. Attacks can be passive (e.g., eavesdropping) or active (e.g., SYN flooding).
• Understanding the difference between types of attacks (DoS, DDoS, MitM, ARP poisoning) is crucial
for implementing detection and preventative measures to protect against network threats.
• Sniffing tools can be used to intercept this traffic without leaving a trace on the target.
• Passive eavesdropping is a form of attack where the attacker listens to or monitors traffic without
changing it.
• This is also known as network sniffing and is difficult to detect, making it highly effective for
gathering sensitive information that could be used later in an active attack.
SYN Scanning
• The scanner sends a SYN, and an open port answers with SYN-ACK; instead of completing the handshake with an ACK, the scanner replies with RST. This leaves the connection half-open and avoids detection by services that only log completed connections (an IDS can still see the pattern).
• SYN scanning is an active scanning technique used to discover open or closed ports.
• It manipulates the normal three-way handshake, and attackers can use stealth scanning to avoid detection.
SYN Flooding
• SYN flooding is a form of denial-of-service attack that abuses the TCP three-way handshake by sending multiple SYN requests to a target machine.
• The target system becomes overwhelmed with SYN requests, causing slow response times, or it may crash entirely or become unresponsive.
• SYN flooding is a type of DoS attack that overwhelms a target by sending multiple SYN requests, consuming its resources.
Three-Way Handshake Abuse
• SYN flooding is an active attack as it disrupts the normal functioning of the target system by exhausting resources and causing a denial of service (DoS).
• The attack leverages the first step of the three-way TCP handshake by sending SYN requests but never completing the process with an ACK, leaving connections in a half-open state.
• Proxies, firewalls, and IPS devices are effective at detecting and blocking SYN flood traffic, preventing the attack from overwhelming the target system.
• SYN flooding attacks abuse the TCP three-way handshake by overwhelming a target with SYN requests, consuming system resources, and potentially causing a denial of service.
• Proxies, firewalls, and IPS devices are effective at detecting and mitigating SYN flood attacks.
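Detection logic for the two SYN abuses above, as an added example (not the notes' own): it collapses a constructed packet trace into per-flow handshake state and then flags a SYN scan (one client probing many ports without completing any handshake) separately from a SYN flood (one service port left with many half-open connections from many sources). The trace, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Packet records as (client, server, service_port, sender, flags), constructed for this example.
#   sender is "client" or "server"; flags: S = SYN, SA = SYN-ACK, A = ACK, R = RST.


def make_sample() -> list:
    pk = []
    scanner, target = "198.51.100.9", "10.0.0.5"
    # SYN (half-open) scan: one source probes 20 ports; the scanner answers every SYN-ACK with RST.
    for port in range(20, 40):
        pk.append((scanner, target, port, "client", "S"))
        if port in (22, 25):                          # open ports
            pk.append((scanner, target, port, "server", "SA"))
            pk.append((scanner, target, port, "client", "R"))
        else:                                         # closed ports
            pk.append((scanner, target, port, "server", "R"))
    # SYN flood: 80 spoofed sources hit port 80; the SYN-ACKs go to addresses that never reply.
    for i in range(80):
        src = f"203.0.113.{i}"
        pk.append((src, target, 80, "client", "S"))
        pk.append((src, target, 80, "server", "SA"))
    # One legitimate connection completes the handshake.
    pk += [("10.0.0.21", target, 443, "client", "S"),
           ("10.0.0.21", target, 443, "server", "SA"),
           ("10.0.0.21", target, 443, "client", "A")]
    return pk


def build_flows(packets: list) -> dict:
    """Collapse packets into per-(client, server, port) handshake state."""
    flows = {}
    for client, server, port, sender, flags in packets:
        st = flows.setdefault((client, server, port),
                              {"syn": False, "synack": False, "ack": False, "client_rst": False})
        if sender == "client" and flags == "S":
            st["syn"] = True
        elif sender == "server" and flags == "SA":
            st["synack"] = True
        elif sender == "client" and flags == "A":
            st["ack"] = True
        elif sender == "client" and flags == "R":
            st["client_rst"] = True
    return flows


def detect(packets: list, scan_ports: int = 10, flood_sources: int = 50) -> dict:
    """Flag SYN scans (one client, many probed ports) and SYN floods (one port, many half-open)."""
    flows = build_flows(packets)
    probed = defaultdict(set)          # client -> ports it SYNed without ever completing
    half_open = defaultdict(set)       # (server, port) -> clients that left the handshake unfinished
    for (client, server, port), st in flows.items():
        if st["syn"] and not st["ack"]:
            probed[client].add(port)
            if st["synack"] and not st["client_rst"]:
                half_open[(server, port)].add(client)
    return {
        "syn_scans": {c: len(p) for c, p in probed.items() if len(p) >= scan_ports},
        "syn_floods": {sp: len(c) for sp, c in half_open.items() if len(c) >= flood_sources},
        "completed": sorted(k for k, st in flows.items() if st["ack"]),
    }
```

The two signatures differ in shape, which is why they are counted differently: a scanner is one source fanning out across ports (and its RSTs mean it leaves no half-open state behind), whereas a flood is many sources converging on one port and leaving the server holding half-open entries.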
Teardrop Attack
• This IP-layer attack involves sending fragmented packets of differing sizes and out of order, with forged fragment offsets that overlap.
• The target system struggles to reassemble the packets, which leads to resource exhaustion, degraded performance, or a system crash (denial-of-service attack).
IP Spoofing
• Spoofing is when an attacker disguises their IP address to appear as if it is coming from a legitimate source, often to bypass security checks.
Smurf Attack
• Steps:
  • Attacker spoofs their source IP address to match the victim's IP.
  • Attacker sends ICMP echo requests to a network's broadcast address, so every host on that network replies to the victim with ICMP echo reply packets.
  • The Fraggle variant sends UDP packets instead, to broadcast ports that generate responses (e.g., ports 7 echo and 19 chargen), flooding the victim's network with traffic.
• These attacks are aimed at overwhelming the target with massive amounts of amplified traffic, causing a DoS attack.
• IP-based attacks include fragment attacks like overlapping fragments and teardrop attacks, as well as IP spoofing attacks such as Smurf and Fraggle.
• These attacks aim to exploit network vulnerabilities, leading to denial-of-service (DoS) or bypassing security measures by manipulating packet structures or spoofing IP addresses.
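A fragment sanity check that a host or IPS can run before reassembly, as an added example (not from the notes): it validates IPv4 fragment offsets and lengths and reports overlaps (the teardrop case), datagrams that would exceed 65535 bytes (the ping-of-death case), malformed pieces and holes. Offsets are given in bytes, and the fragment sets are constructed.

```python
MAX_DATAGRAM = 65535  # maximum IPv4 datagram length, header included


def check_fragments(fragments: list) -> tuple:
    """Validate a set of (offset_bytes, length, more_fragments) IPv4 fragments before reassembly.

    Returns (status, reassembled_length). Status is one of:
    'ok', 'overlap' (teardrop-style), 'oversize' (ping-of-death-style), 'malformed', 'incomplete'.
    """
    frags = sorted(fragments, key=lambda f: f[0])   # arrival order does not matter
    if not frags:
        return "incomplete", 0
    end = 0
    for offset, length, more in frags:
        # Offsets travel in 8-byte units and only the final fragment may have an odd size.
        if offset % 8 != 0 or (more and length % 8 != 0) or length <= 0:
            return "malformed", end
        if offset + length > MAX_DATAGRAM:
            return "oversize", end        # the reassembled datagram would exceed 65535 bytes
        if offset < end:
            return "overlap", end         # this piece overwrites data already placed: teardrop
        if offset > end:
            return "incomplete", end      # hole: a fragment is missing (or has not arrived yet)
        end = offset + length
    if frags[-1][2]:
        return "incomplete", end          # last piece still has MF set
    return "ok", end
```

Real stacks must also bound how long they hold partial datagrams and how much memory incomplete sets may consume, since a flood of first fragments with the MF bit set is itself a resource-exhaustion attack.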
Spoofing Attack
• Denial-of-Service (DoS) attacks are aimed at overloading systems with traffic or requests to deny functionality.
• A Distributed-Denial-of-Service (DDoS) attack leverages multiple machines to amplify the attack's impact. Both are serious threats that can incapacitate networks and services.
• Man-in-the-middle and spoofing attacks are additional network attack vectors, with MITM intercepting communications and spoofing faking identities to manipulate or steal data.
• Spoofing involves faking identity or data to gain access or trust. This could involve pretending to be a trusted IP, email, or another entity to deceive the target.
• Spoofing is often used in attacks to bypass security measures like access control lists (ACLs) or deceive systems/users into granting access.
Types of Spoofing
• IP Spoofing: The attacker falsifies their source IP address to disguise themselves as a trusted source to bypass filters or firewall rules.
• Email Spoofing: Attackers send emails with forged sender addresses to trick users into divulging sensitive information or downloading malware (often used in phishing attacks). SPF, DKIM, and DMARC are the standard countermeasures.
• DNS Spoofing: The attacker alters DNS records or forges DNS responses to redirect traffic to malicious websites without the user's knowledge. DNSSEC counters this by signing DNS data.
• IP Spoofing allows an attacker to send traffic from a forged IP address but does not allow the attacker to receive responses: any response is sent to the spoofed address, not to the attacker. This is why it suits one-way attacks such as SYN floods and Smurf amplification, and why ingress filtering of source addresses at the network edge (BCP 38) is the main defense.
ICMP
• Carries error and diagnostic messages such as destination-unreachable (type 3) codes, which are valuable for attackers during network reconnaissance.
DHCP (Dynamic Host Configuration Protocol)
• Automatically assigns IP addresses to devices when they connect to a network.
• Attackers can create a rogue DHCP server to intercept traffic by assigning malicious gateway information.
Ipconfig
• A Windows command used to display network configurations and refresh DHCP and DNS settings.
WHOIS
• Tool used to query information about domain ownership and IP address blocks.
• Useful for attackers conducting reconnaissance to gather information about target organizations.
Dig
• Command-line tool to query DNS records and obtain domain or IP address information.
PuTTY
• Terminal emulator and file transfer application supporting protocols like SSH, Telnet, and SCP.
Nmap
• Network scanner used to discover hosts, open ports, and services on a target network.
John the Ripper (JtR)
• Password-cracking tool used for brute forcing or cracking hashed password files.
Netstat
• Displays active connections, listening ports, and network statistics.
• Common network tools like Ping, Traceroute, and Nmap can be used by attackers to gather
information about a target network.
• Protocols such as ICMP and DHCP can be leveraged for reconnaissance or traffic interception.
• Tools like John the Ripper are used for password cracking, while WHOIS, Dig, and Nslookup
provide DNS and domain information useful for attackers during the reconnaissance phase.
• Switches maintain a CAM (content-addressable memory) table that maps MAC addresses to their corresponding port on the switch.
• If a host does not have an ARP entry for the IP address it wants to reach, it broadcasts an ARP request to all devices on the segment, and the owner replies with its MAC address.
ARP Poisoning
• An attacker can exploit ARP by sending malicious (often unsolicited, "gratuitous") ARP replies, tricking hosts into recording the attacker's MAC address as the legitimate destination for traffic.
• The victims' ARP tables are modified so that traffic meant for the legitimate device (typically the default gateway) is redirected to the attacker's own.
• ARP poisoning allows attackers to intercept traffic and potentially modify or drop it (man-in-the-middle attack).
Lack of Authentication
• ARP tables and the ARP protocol itself lack built-in security or authentication mechanisms: any reply is accepted, making them vulnerable to spoofing attacks.
• ARP poisoning exploits the ARP protocol's lack of security to redirect network traffic.
• Attackers can send malicious ARP replies to manipulate IP-to-MAC mappings in hosts' ARP caches, enabling them to intercept or alter data (the switch's CAM table, which maps MACs to ports, is the target of the related MAC flooding and MAC spoofing attacks).
• Monitoring and implementing compensating controls like Dynamic ARP Inspection on switches, static ARP entries for critical hosts, and logging can help detect and prevent ARP poisoning attacks.
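A small ARP monitor illustrating the detection point above, as an added example (not the notes' own code): it replays a constructed ARP trace, treats replies that answer no outstanding request as unsolicited, alerts when an IP address's MAC changes, and alerts when one MAC claims several IP addresses (the gateway and a victim, the classic man-in-the-middle pattern). Addresses and MACs are constructed; a real deployment would feed this from a packet capture or switch logs.

```python
from collections import defaultdict

# Constructed ARP traffic: (seconds, op, sender_ip, sender_mac, target_ip)
SAMPLE_ARP = [
    (0.0, "request", "10.0.0.50", "00:11:22:33:44:50", "10.0.0.1"),   # victim asks for the gateway
    (0.1, "reply",   "10.0.0.1",  "00:11:22:33:44:01", "10.0.0.50"),  # gateway answers
    (5.0, "request", "10.0.0.1",  "00:11:22:33:44:01", "10.0.0.50"),  # gateway asks for the victim
    (5.1, "reply",   "10.0.0.50", "00:11:22:33:44:50", "10.0.0.1"),   # victim answers
    (9.0, "reply",   "10.0.0.1",  "66:66:66:66:66:ee", "10.0.0.50"),  # attacker: "gateway is at my MAC"
    (9.0, "reply",   "10.0.0.50", "66:66:66:66:66:ee", "10.0.0.1"),   # attacker: "victim is at my MAC"
    (9.5, "reply",   "10.0.0.1",  "66:66:66:66:66:ee", "10.0.0.50"),  # repeated to keep caches poisoned
]


def detect_arp_poisoning(records: list, static: dict = None) -> list:
    """Return alerts for unsolicited replies, IP-to-MAC changes and one MAC claiming several IPs."""
    table = dict(static or {})                 # trusted IP -> MAC (learned on first sight if not static)
    pending = set()                            # (target_ip, requester_ip) requests awaiting a reply
    claims = defaultdict(set)                  # MAC -> IPs it has claimed in replies
    alerts = []
    for ts, op, sip, smac, tip in records:
        if op == "request":
            pending.add((tip, sip))
            continue
        # reply: the sender claims "sip is-at smac", addressed to tip
        if (sip, tip) in pending:
            pending.discard((sip, tip))
        else:
            alerts.append((ts, "unsolicited_reply", sip, smac))
        known = table.get(sip)
        if known is None:
            table[sip] = smac
        elif known != smac:
            alerts.append((ts, "ip_mac_changed", sip, smac))
        claims[smac].add(sip)
        if len(claims[smac]) > 1:
            alerts.append((ts, "mac_claims_multiple_ips", smac, tuple(sorted(claims[smac]))))
    return alerts
```

Seeding the table with static entries for the gateway and other critical hosts (the static parameter) is the cheap compensating control: the first poisoned reply is then caught even if it arrives before any legitimate one.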
• Early wireless networks originally used WEP.
WEP (Wired Equivalent Privacy)
• WEP was the original security protocol for wireless networks but was found to have serious vulnerabilities (RC4 with a short 24-bit IV that is frequently reused, allowing key recovery).
• WPA and WPA2 were developed to replace WEP, offering stronger encryption and key management.
Wireless Security Needs
• Wireless communication requires the following for adequate protection:
  • Access Control: Controlling who can connect to the wireless network.
  • Authentication: Ensuring that users are who they claim to be.
  • Encryption and Integrity Protection: Keeping frames confidential and detecting tampering.
Wireless Segregation
• Separating user groups (e.g., employees, guests, vendors) into separate wireless networks enhances security.
• Each group can be isolated with different security policies.
• Guest networks can have limited access, while employee networks can offer more privileges.
• Network architecture is essential to maintaining segregation and minimizing vulnerabilities.
• Signal leakage outside a controlled area can expose the network to attack.
Unlicensed Frequencies
• Certain frequencies, such as 2.4 GHz, 5 GHz, and 900 MHz, are unlicensed. This means any device or technology can operate within these bands.
• These frequencies are widely used for Wi-Fi, Bluetooth, and other consumer devices, so signal strength and channel use must be managed to avoid interference and security breaches.
• Radio frequency management is essential for controlling Wi-Fi signals and protecting
wireless networks.
• It involves managing signal strength to prevent unauthorized access from outside a
building, especially in unlicensed frequency bands like 2.4 GHz and 5 GHz.
• Effective management prevents signal leakage and enhances network security.
Wi-Fi
• Widely used for internet connectivity, printing, and as hotspots for mobile devices.
• Example: Connecting a computer to a mobile phone's Wi-Fi hotspot.
Bluetooth
• Designed for close-proximity wireless communication, such as between headsets, keyboards and mobile phones.
Cellular
• Refers to mobile communication protocols and standards like CDMA, GSM, 3G, 4G, and 5G.
• 5G is the latest standard, offering faster data speeds and enhanced connectivity for mobile devices.
RFID (Radio Frequency Identification)
• Involves readers and tags (chips or labels) for wireless tracking.
• Wireless technologies enable communication over radio frequencies without physical cables.
• Key technologies include Wi-Fi (for network connectivity), Bluetooth (for short-range device
communication), Cellular (for mobile phone communication), and RFID (for wireless tracking).
• Each of these plays a critical role in modern wireless infrastructure.
• The IEEE 802.11 wireless protocol family has evolved from the original 802.11 with speeds of 2 Mbps to 802.11be (Wi-Fi 7), capable of reaching roughly 40 Gbps.
• Frequencies range from 2.4 GHz to 60 GHz. The base transport does not protect frames by itself, so security comes from the 802.11i security amendment as implemented by WPA2 and WPA3.
• WPA3, released in 2018, offers better encryption and authentication mechanisms, including GCMP and the SAE handshake (Simultaneous Authentication of Equals), which replaces the WPA2 pre-shared key exchange and resists offline dictionary attacks.
Access Control
• Access control mechanisms define how wireless clients gain access to the network.
• 802.1X is a common standard for dynamic access control, requiring authentication from a central server (typically RADIUS).
• Pre-Shared Key (PSK) is another method, used especially for home networks.
Authentication Methods
• Authentication verifies the identity of devices and users. EAP (Extensible Authentication Protocol) methods are used in 802.1X deployments to carry that authentication.
Encryption
• WEP (weak encryption protocol) was the original standard, now considered insecure.
• WPA uses TKIP (RC4) for encryption, which has also been proven vulnerable.
• WPA2 uses AES (CCMP), which is much stronger and still widely used.
• WPA3 further strengthens encryption using GCMP (Galois/Counter Mode Protocol; GCMP-256 in the WPA3-Enterprise 192-bit mode) or CCMP-AES (WPA3-Personal).
Integrity Protection
• WEP and WPA lacked strong integrity measures (WEP's CRC-32 check value and WPA's Michael MIC are both breakable).
• WPA2 uses CCMP for integrity, providing both encryption and message integrity in one authenticated-encryption construction.
• WPA3 enhances this with GCMP, providing even stronger protection against tampering.
• Wireless security standards have evolved from WEP (weakest) to WPA3 (strongest).
• Key security services like access control, authentication, encryption, and integrity protection are necessary to secure wireless communications.
• WPA3, the latest standard, provides improved encryption (GCMP) and stronger protection against tampering and unauthorized access.
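The notes contrast PSK with 802.1X and credit WPA3 with resisting dictionary attacks; the following added example (not from the notes) shows why the WPA2 PSK is weak. IEEE 802.11i derives the 256-bit PSK, which becomes the PMK, from the passphrase with PBKDF2-HMAC-SHA1 salted with the SSID over 4096 iterations, so anyone who captures a 4-way handshake can test guesses offline. The wordlist is constructed, and the check is simplified to comparing PSKs (a real attack confirms a guess by recomputing the handshake MIC). The expected value for "password"/"IEEE" is the reference test vector from the IEEE 802.11 standard.

```python
import hashlib
import hmac


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def offline_dictionary_attack(target_psk: bytes, ssid: str, wordlist: list):
    """What an attacker does with a captured handshake: recompute the PSK per guess, entirely offline.
    Returns (matching passphrase or None, number of guesses tried)."""
    for attempts, guess in enumerate(wordlist, start=1):
        if hmac.compare_digest(wpa2_psk(guess, ssid), target_psk):
            return guess, attempts
    return None, len(wordlist)


# Constructed wordlist; the victim network's passphrase happens to be in it.
WORDLIST = ["letmein", "qwerty123", "password", "sunshine"]
```

Two practical consequences follow: the SSID acts as a salt, so precomputed tables only work per SSID (and default SSIDs are therefore the worst choice), and 4096 PBKDF2 rounds are cheap on a GPU, so only a long random passphrase or a move to WPA3-SAE / 802.1X removes the offline attack.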
EAP (Extensible Authentication Protocol) Authentication:
• A more secure option, requiring an authenticated key exchange mechanism.
• Provides flexibility for different authentication methods and can support one- or two-factor authentication.
One-Factor vs. Two-Factor Authentication
• One-Factor Authentication:
  • Utilizes a single factor, like a password or network credential, to authenticate users.
  • Common EAP-based one-factor methods include:
    • EAP-MD5 (less secure: an MD5 challenge-response with no server authentication and no key derivation, so it cannot protect the wireless link).
    • LEAP (Lightweight EAP, proprietary to Cisco; vulnerable to offline dictionary attacks and deprecated).
• Two-Factor Authentication:
  • Combines two different factors (e.g., a certificate or smart card plus a password), which is why it provides stronger security.
Mutual Authentication
• To achieve the highest level of security, mutual authentication is recommended.
• Client-side authentication: Ensures the client can verify the legitimacy of the access point (AP) and authentication server, for example by validating the server certificate.
• Access point authentication: Verifies the validity of the client attempting to connect.
• This helps prevent attacks like rogue APs and man-in-the-middle attacks.
• Wireless authentication methods include open authentication (least secure), shared key authentication, and EAP-based authentication (most secure).
• EAP allows for one- or two-factor authentication, with two-factor providing stronger security.
• Mutual authentication ensures that both the client and access point verify each other's legitimacy, creating a more secure wireless network environment.
Counter-Mode CBC-MAC Protocol (CCMP)
• CCMP is a more robust encryption protocol introduced with WPA2 and retained in WPA3.
• Uses AES (Advanced Encryption Standard), which is a widely adopted standard.
• WPA (Wi-Fi Protected Access) initially used TKIP to allow for better hardware compatibility with WEP, but it has since been replaced due to vulnerabilities.
• WPA2 uses CCMP-AES, which significantly strengthens wireless security.
• TKIP was a short-term fix for WEP vulnerabilities but remains susceptible to certain attacks because hardware compatibility forced it to keep WEP's RC4 cipher.
• CCMP-AES, used in WPA2 and WPA3, offers significantly stronger encryption, using 128-bit AES keys for secure wireless communication.
• CCMP is currently the most secure widely deployed protocol for wireless encryption (WPA3-Enterprise's 192-bit mode adds GCMP-256).
TKIP (Temporal Key Integrity Protocol)
• Developed as a short-term solution to address WEP's vulnerabilities, particularly the weak initialization vector (IV) in WEP, which made it easy to crack.
• Key Mixing: TKIP encrypts each packet with a unique per-packet key derived from the session key and a packet sequence counter, which improves upon WEP's flawed static key approach.
• Michael: TKIP uses a Message Integrity Code (MIC) called Michael to check data integrity.
• Michael provides a basic form of integrity control, ensuring packets have not been altered during transmission; it is deliberately lightweight and relies on countermeasures (suspending the link after repeated MIC failures) to limit forgery.
• However, TKIP is now considered obsolete due to security vulnerabilities and is no longer recommended for modern networks.
WPA2 (Wi-Fi Protected Access 2) and CCMP
• WPA2 implements CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), which uses AES for encryption and integrity.
• AES in counter mode provides confidentiality and AES in CBC-MAC mode provides the integrity check, so a single protocol ensures that both are protected on wireless networks.
• TKIP was a stopgap solution that allowed older hardware to operate with better security compared to WEP.
• TKIP was designed to replace WEP and implemented integrity protection through a Message Integrity Code called Michael.
• However, TKIP is now considered insecure and is replaced by AES with CCMP in WPA2, which offers robust encryption and integrity protection.
• SDN architecture is split into three planes:
  • Application Plane: Where applications and services reside.
  • Control Plane: Manages the flow of traffic and network resources (the SDN controller).
  • Data Plane: Carries the actual data and executes the decisions made by the control plane.
Northbound and Southbound APIs in SDN
• Northbound APIs connect the application plane to the control plane; southbound APIs (OpenFlow is the best-known example) connect the control plane and the data plane. They enable the control plane to instruct the data plane on handling traffic.
• VLANs allow the creation of logical local area networks using managed switches (Layer 3 switches also route between VLANs) and reduce physical wiring needs, with IEEE 802.1Q providing the standard for VLAN implementation.
• SDNs manage networks using software, divided into application, control, and data planes, and leverage northbound and southbound APIs to handle network management and traffic control.
• Virtualization now extends to network segmentation via VLANs.
• VLANs offer a way to separate traffic between devices while using the same physical network, grouping devices into isolated logical segments (separate broadcast domains).
Security through Segmentation
• VLANs improve security by allowing network traffic to be isolated into different segments. For instance, different departments within a company can have their own VLANs, limiting access to their network resources.
• Isolation ensures that devices within the same VLAN can communicate freely, but devices in other VLANs cannot communicate without going through a router or firewall, adding a security layer.
Layer 3 Switch and VLAN Creation
VLAN Ports and Isolation
• Devices connected to specific ports on a switch that are assigned to a VLAN belong to that VLAN and are isolated from the others at Layer 2.
• VLANs allow the segmentation of networks into logical, isolated segments without the need for physical rewiring, enhancing security and flexibility.
• They are created and managed on managed switches (a Layer 3 switch also routes between them), where ports can be assigned to different VLANs based on security and functional needs.
• VLAN isolation is only as strong as the switch configuration: disable trunk auto-negotiation on access ports and set the trunk native VLAN to an unused VLAN, otherwise VLAN hopping (switch spoofing or double tagging) can cross segments.
• The control plane is centralized in the SDN controller, which makes all the routing and traffic decisions.
• The centralized control allows for rapid reconfiguration of the network based on needs, enabling dynamic adjustments to traffic, security, and resources.
Planes in SDN: Control Plane and Data Plane
• Data Plane: The data plane is the execution layer that performs the actual forwarding of packets based on instructions from the control plane.
• SDN's separation of the control and data planes simplifies network management and increases flexibility by decoupling decision-making from physical devices.
• Southbound APIs connect the Control Plane to the Data Plane, making the data plane the execution layer of the SDN.
• Northbound APIs connect the Application Plane and the Control Plane. Applications send network requests through them.
• Because the controller decides every flow, it is a single high-value target: its APIs must be authenticated and encrypted, and the controller's management network kept separate from the data plane.
• The SDN architecture consists of the Application, Control, and Data Planes. Communication
between these layers is handled by Northbound APIs (Application to Control) and Southbound APIs
(Control to Data).
• The Application Plane sends requests, the Control Plane makes network decisions, and the Data
Plane executes them by routing traffic.
Benefits of VPC
• Cost-effective: VPCs are less expensive than dedicated private cloud infrastructures since they use shared resources.
• Scalability: Like other public cloud services, VPCs offer easy scaling of resources on demand.
• A Virtual Private Cloud (VPC) is a portion of a public cloud that provides logically isolated, customizable network environments without separate physical hardware.
• It combines the cost-effectiveness and scalability of public clouds with enhanced security controls and virtual network isolation.
can isolate and direct traffic based on VLAN tagging.
networks.
• IEEE 802.1Q is the standard that defines VLAN tagging and how switches and bridges handle VLAN
traffic.
• It plays a crucial role in ensuring network isolation and security for VLANs and supports
virtualization technologies like SDNs.
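An 802.1Q tag as it appears on the wire, as an added example that is not from the notes: the parser below reads the 4-byte tag that follows the source MAC when the EtherType field holds the TPID 0x8100, splits the tag control information into PCP, DEI and VID, and assigns an untagged or priority-tagged frame to the port's native VLAN. The sample frames and the native-VLAN fallback policy are constructed for this example.

```python
"""Parse the IEEE 802.1Q tag out of an Ethernet frame.
Added example; the sample frames and the port policy are constructed."""
import struct

TPID_8021Q = 0x8100   # tag protocol identifier that marks a tagged frame


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN fields (if tagged), payload EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before the TCI")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update({
            "tagged": True,
            "pcp": tci >> 13,          # 3-bit priority code point
            "dei": (tci >> 12) & 1,    # drop eligible indicator
            "vid": tci & 0x0FFF,       # 12-bit VLAN identifier
        })
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def vlan_for_port(frame: bytes, port_native_vid: int) -> int:
    """Which VLAN does a received frame belong to?  VID 0 means 'priority tag
    only' and VID 4095 is reserved, so both fall back to the port's native VLAN
    (an assumed switch policy, chosen for this example)."""
    info = parse_frame(frame)
    if not info["tagged"] or info["vid"] in (0, 4095):
        return port_native_vid
    return info["vid"]


def build_frame(dst, src, vid, ethertype, payload, pcp=0, dei=0):
    """Build a tagged frame; used only to construct sample input here."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


# Constructed sample frames: broadcast destination, made-up source MAC.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
IPV4_STUB = b"\x45" + b"\x00" * 19            # placeholder IPv4 header bytes
TAGGED = build_frame(DST, SRC, vid=20, ethertype=0x0800, payload=IPV4_STUB, pcp=5)
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + IPV4_STUB

if __name__ == "__main__":
    print(parse_frame(TAGGED))
    print(vlan_for_port(UNTAGGED, 1), vlan_for_port(TAGGED, 1))
```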
• Frame Relay: Focuses on speed over error correction and supports both permanent virtual circuits
(PVCs) and switched virtual circuits (SVCs).
• Asynchronous Transfer Mode (ATM): Supports high-speed transmission with connection-oriented
virtual circuits that can be permanent or on-demand.
• Multi-Protocol Label Switching (MPLS): The most advanced WAN protocol, MPLS offers built-in
security using labeling schemes and forwarding tables. However, data can still be vulnerable to
provider snooping, so organizations often choose to encrypt their data.
links and SVCs allowing for on-demand virtual circuits, similar to older PSTN networks.
• WANs are essential for connecting LANs across large geographical distances using protocols like
X.25, Frame Relay, ATM, and MPLS. Each protocol has unique features, with MPLS being the most
advanced, providing built-in security and fast, efficient data transmission.
certain areas, which can prevent lateral movement of threats within the network.
• Switches, routers, and firewalls are used to implement segmentation by controlling access
between segments.
Bastion Hosts
• Bastion hosts are hardened devices (typically servers) designed to resist attacks and are placed
on the perimeter of a network or in a DMZ.
• These devices are exposed to external traffic and are usually
• Network architecture is vital for ensuring network security and performance. Elements like
defense in depth, partitioning, network segmentation, bastion hosts, and proxies contribute to a
secure network environment.
• NAT/PAT hides internal IPs, while segmentation limits the visibility of network traffic, adding
additional layers of protection.
security, building access controls, surveillance, and securing the physical environment.
• Physical Infrastructure: Securing servers, network devices, and workstations through
hardware-based measures.
• Operating Systems: Implementing secure configurations, patches, and hardening operating systems
to minimize vulnerabilities.
• Software Configurations: This inner layer focuses on firewall settings, application security, and
encryption to protect data from external and internal threats.
• Defense in depth is a security strategy that uses multiple, layered security controls to protect a
network or system.
• Each layer addresses different aspects of security, starting from policies and procedures down to
operating systems and software configurations, ensuring comprehensive protection.
• Access control rules can enforce and control the flow of traffic between the network segments.
Importance of Internet Partitioning
network.
respond to attacks.
• Preventive controls: Firewalls, intrusion prevention systems (IPS), access control lists (ACLs), and
network segmentation.
• Detective controls: Intrusion detection systems (IDS), network monitoring tools, logging, and
alerting mechanisms.
• Corrective controls: Security incident response protocols, and traffic filtering or blocking.
Choke Points
• Choke points are strategic locations in a network where all traffic must pass through, allowing for
centralized control and monitoring.
• A choke point should exist at the network perimeter, where firewalls and other security devices
can enforce rules on both incoming and
Importance of Limiting Entry and Exit Points
• Limiting the ingress and egress points to one creates a controlled entry and exit, which simplifies
monitoring and securing traffic flow.
• A single point of entry and exit reduces potential vulnerabilities and
• The network perimeter serves as the boundary of an organization’s internal network, and choke
points allow for centralized monitoring and control of network traffic.
• To strengthen security, organizations should minimize entry and exit points, applying preventive,
detective, and corrective controls at the perimeter.
• Security risks arise when public-facing applications, like an e-commerce platform or email server,
are hosted within the internal network.
• Hosting these applications internally would allow external users from the public network to
access the internal environment, exposing critical assets to potential attacks.
Security Benefits of Segmentation
segments, allowing controlled access while protecting sensitive data from external threats.
• Best practices suggest hosting public-facing services (like websites or email) in a DMZ
(Demilitarized Zone) to maintain security separation between public and private networks.
• A Bastion Host is a fortified server placed in a DMZ to handle public-facing services securely.
• The DMZ provides a buffer zone between the internal network and the internet, controlled by
boundary routers to manage traffic flow and enhance network security.
services.
• Disadvantage: If a server (e.g., the web server) is compromised, attackers can gain a foothold in
the network and potentially move laterally to other servers.
Microsegmentation in Virtualized Networks
• Virtual firewalls can be deployed in front of each server at low cost, creating separate DMZs for
each server (web, FTP, mail).
• Each virtual firewall can have strict firewall rules for its respective server, such as allowing only
web traffic for the web server, only FTP traffic for the FTP server, etc.
• Benefit: If one server is compromised, attackers cannot easily move to other servers as they must
still penetrate other firewalls.
Benefits of Microsegmentation
• Tighter security: Each segment has specific firewall rules, making it more difficult for attackers to
bypass security.
• Granular firewall rules: More precise control over traffic and security in each segment, enhancing
network protection.
Technologies Supporting Microsegmentation
• Network overlays/encapsulation: Virtual networks that are overlaid on top of physical networks.
• Distributed firewalls: Multiple virtual firewalls deployed across segments.
• Microsegmentation enables the virtualization of networks into smaller segments, each with
individual firewall rules, enhancing security and preventing lateral movement of attackers.
• Technologies such as distributed firewalls and IDS/IPS further support this approach, providing
granular protection for each network segment.
connection to the server, but the server recognizes the connection as being from the proxy.
Role in Security
• Proxies are often used to filter requests and enforce security rules by blocking traffic destined for
malicious destinations.
• Proxies provide enhanced security by controlling what content can reach the client and what the
client can access, thus minimizing exposure to threats.
Layer 7 in OSI Model
• Proxies are usually found at Layer 7 (Application layer) of the OSI model because they handle
intelligent routing and decision-making regarding application-level traffic.
Example of Web Proxy Usage
• A web proxy is used to filter web traffic. It can block access to malicious domains or unsafe
content, ensuring that the user is
• A proxy acts as an intermediary between a client and a server, enhancing network security by
filtering and blocking malicious traffic.
• By making intelligent decisions at the Application layer (Layer 7), proxies help enforce rules that
secure the environment from potential threats.
multiple devices to use the same public IP address simultaneously.
Role of PAT in Port Translation
• PAT ensures that each outgoing connection is associated with a unique port (e.g., port 1037 is
translated to port 1058), allowing multiple devices to communicate through the same public IP while
maintaining unique connections.
NAT and PAT in Security
• NAT and PAT add a layer of security by hiding internal IP addresses from external networks. This
makes it more difficult for attackers to perform reconnaissance on the internal network structure,
as the internal IP addresses are masked.
• NAT translates private IP addresses to public ones, allowing internal devices to communicate with
the internet.
• PAT ensures that multiple devices can share a single public IP address by assigning unique ports to
each connection, providing both efficiency and an additional layer of security.
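The translation table that PAT keeps, as an added example that is not the notes' own material: one public IP, a fresh public port for each outbound flow, a reverse lookup for replies, and a drop for inbound packets that match no entry or arrive from a different peer than the one the entry was created for. Addresses are taken from the RFC 1918 and documentation ranges, and the port numbers echo the 1037-to-1058 illustration above.

```python
"""PAT gateway model: many private hosts share one public IP.
Added example with constructed addresses (private space 192.168.0.0/16,
documentation ranges 198.51.100.0/24 and 203.0.113.0/24)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatGateway:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (private ip, private port, dst ip, dst port) -> public port
        self.in_map = {}    # public port -> (private ip, private port, dst ip, dst port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an outgoing packet to the shared public IP."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port            # allocate a fresh public port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        # The internet only ever sees the public IP and the allocated port.
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Reverse translation; returns None (drop) for unsolicited traffic."""
        key = self.in_map.get(pkt.dst_port)
        if key is None:
            return None                      # no internal host asked for this
        priv_ip, priv_port, remote_ip, remote_port = key
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                      # port exists, but not for this peer
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    gw = PatGateway("203.0.113.10", first_port=1058)
    # Two internal hosts both use local port 1037; PAT keeps them distinct.
    a = gw.outbound(Packet("192.168.1.10", 1037, "198.51.100.5", 443))
    b = gw.outbound(Packet("192.168.1.11", 1037, "198.51.100.5", 443))
    reply_a = gw.inbound(Packet("198.51.100.5", 443, "203.0.113.10", a.src_port))
    # Unsolicited inbound: no table entry, so the internal network stays hidden.
    probe = gw.inbound(Packet("198.51.100.99", 4444, "203.0.113.10", 1060))
    # Right port, wrong peer: also dropped.
    spoof = gw.inbound(Packet("198.51.100.99", 443, "203.0.113.10", a.src_port))
    return {"a": a, "b": b, "reply_a": reply_a, "probe": probe, "spoof": spoof}


if __name__ == "__main__":
    print(demo())
```

The two `None` results are the security property the notes describe: an outside party sees only 203.0.113.10 and the allocated ports, and nothing it sends creates a path to an internal address unless an internal host opened that flow first.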
Types of Firewalls
1. Packet Filtering Firewalls
• Simple packet filtering operates at Layer 3 of the OSI model (Network Layer).
valid session.
• Application-Level Proxy Firewalls
• Pros: Deep packet inspection, ability to filter based on specific applications, provides granular
control.
• Cons: High processing overhead, slower performance due to detailed analysis of traffic.
• A firewall is a security control that filters network traffic based on predefined rules and is essential
for protecting internal networks from external threats.
• Different firewall technologies offer varying levels of security and performance, from simple packet
filtering to application-level inspection.
• Application-level firewalls provide the most detailed traffic filtering but come with increased
processing overhead.
• Additionally, CBAC can give advanced statistics on network protocols and connections, which helps
with monitoring and analysis.
Session-Based Filtering
• CBAC tracks the state and context of a session (similar to stateful firewalls but with deeper
protocol analysis).
needed and only for the duration of the session, minimizing risk exposure.
• CBAC adds context awareness to firewall filtering, inspecting traffic at the Application Layer for
enhanced security.
• It allows for deep traffic inspection and provides additional security capabilities, such as DDoS
detection and real-time traffic analysis.
• The main advantage of CBAC is its ability to filter TCP/UDP traffic based on the session state and
content, making it a more advanced and dynamic method of access control compared to traditional
static packet filtering.
• Firewall software resides on the host, controlling all traffic between the two interfaces.
• Pros: Simple architecture, cost-effective.
• Cons: Single point of failure (host), less flexible.
3. Screened Host Architecture:
• Adds a bastion host (a hardened server) to the architecture, which serves as an intermediary
between the internal and external network.
• A router filters external traffic, forwarding allowed traffic to the bastion host, which provides
application-level security.
• Pros: Better security than dual-homed, single point of defense.
• Cons: The bastion host can still be targeted for attacks.
4. Screened Subnet Architecture:
• Also known as a Demilitarized Zone (DMZ) architecture.
• Consists of two screening routers, one between the internal network and the DMZ, and the other
between the DMZ and the external network.
• Pros: Provides an additional layer of defense; external services (like web or email)
• Cons: More complex, requires careful configuration of two routers.
5. Three-Legged Firewall Architecture:
• A single firewall with three interfaces: one connected to the internal network, one to the external
network (internet), and one to the DMZ.
• Allows for secure separation of internal, external, and DMZ traffic with a single firewall device.
• Pros: Simplifies network design with fewer devices, flexible rules for controlling traffic between
segments.
Firewall Architecture Considerations
• The architecture selected should reflect the security requirements and operational needs of the
organization.
• For example, an e-commerce business may require a screened subnet or three-legged firewall to
separate web services from internal databases.
• The cost, complexity, performance, and threat model of the organization should guide the choice
of architecture.
• Firewall architectures are tailored based on an organization’s specific needs, balancing between
security and performance.
• The simplest form is packet filtering, while more sophisticated architectures like screened
subnets and three-legged firewalls offer layered security for sensitive services.
• The DMZ in screened subnet and three-legged firewall architectures helps isolate public-facing
applications, enhancing security.
on header information without inspecting the content of the packet, packet filtering is fast.
• Low cost: Packet filtering firewalls are simple and cost-effective to deploy.
Cons
• Limited security: Since only Layer 3 information is analyzed, the firewall cannot examine the
payload or provide deeper inspection into application-level data.
• Packet filtering firewalls provide basic security by filtering traffic based on Layer 3 packet
headers.
• Efficiency and low cost are key benefits, but security is limited due to the lack of application-layer
filtering or session awareness.
• Best suited for simple, low-risk environments where speed is a priority and advanced threats are
less likely.
application-layer data, session information, and even packet content.
• The architecture allows the host to serve as a gatekeeper, managing traffic between two distinct
network segments.
• Can use advanced firewall technologies like stateful inspection, circuit-level proxy, and
application-level filtering.
Pros
• Increased Security: By having two network cards, the host can physically separate traffic between
the trusted and untrusted networks.
• This makes direct packet forwarding between the two networks impossible without the host’s
decision-making process.
• Granular Control: The dual-homed host can make more complex decisions than simple packet
filtering, using techniques like stateful
Cons
• Single Point of Failure: The dual-homed host becomes a critical single point in the network. If it
goes down or is compromised, the network
• A dual-homed host has two network cards and can perform more advanced filtering than a simple
packet filtering router.
• It operates across all OSI layers, making it capable of complex decision-making for traffic between
two network segments.
• While providing enhanced security, it can also introduce bottlenecks and act as a single point of
failure.
• The bastion host adds an additional layer of filtering by inspecting traffic at higher layers of the
OSI model, such as application data.
Advantages
• Layered Security:
• The packet filtering router performs basic checks before allowing any traffic to reach the bastion
host. This creates a layered defense system, making it harder for attackers to penetrate.
• Attackers must first bypass the router before attempting to compromise the bastion host.
• Performance Optimization:
• The router handles simpler decisions, reducing the load on the bastion host, which only processes
traffic that has passed the first layer of filtering.
• Versatility:
• The bastion host can be highly customized, with various firewall technologies applied based on
specific security needs (e.g., application-level filtering, stateful inspection).
Disadvantages
• Potential Bottlenecks:
• If the router or bastion host becomes overloaded with traffic, it can cause a
• The screened host architecture combines a packet filtering router with a bastion host, providing
multiple layers of filtering and enhanced security.
• Attackers would need to bypass the router before targeting the bastion host, offering layered
defense.
• This architecture offers versatility but can be complex to configure and may experience
bottlenecks under heavy traffic loads.
• The DMZ acts as a buffer zone between the public and internal networks.
• Public-facing services like web servers, mail servers, and DNS servers can reside in the DMZ,
making them accessible to external users while limiting access to the internal network.
Advantages
• Enhanced Security:
• The dual-firewall setup creates two layers of defense, making it difficult for attackers to reach the
internal network.
• If an attacker compromises the DMZ, they still need to bypass the second firewall to access
internal resources.
• Traffic Segmentation:
• The architecture allows for specific traffic routing—external traffic is directed only to the DMZ,
while the internal network remains isolated. This segmentation limits the spread of attacks.
• Vendor Diversification:
• Using two firewalls from different vendors reduces the risk that a vulnerability in one firewall will
affect the entire system. If one firewall has a weakness, the second firewall from a different vendor
is unlikely to have the same vulnerability.
Disadvantages
• Cost:
• The deployment of two firewalls increases the cost of both hardware and software.
• Configuring and managing two firewalls requires more technical expertise and careful
coordination, especially if they are from different vendors.
• Latency:
• The extra layer of security can introduce network latency, particularly if both
• A screened subnet architecture uses two firewalls to create a DMZ between the external and
internal networks.
• It provides enhanced security and traffic segmentation by isolating public-facing services from the
internal network.
• While costly and complex, using two firewalls from different vendors increases security by
mitigating the risk of a shared vulnerability.
Key Features
• Multiple Zones:
• The firewall can support three or more distinct network zones:
• External Network: Represents the untrusted, public network (e.g., the Internet).
• DMZ: A zone where public-facing servers (e.g., web servers, mail servers) reside. These servers
need to be accessible from the external network.
• Internal Network: Contains highly sensitive data and is not accessible directly from the external
network.
• Traffic Control:
• The firewall controls traffic between the three zones, allowing specific rules and policies to be
applied to each connection point.
• For example:
controlled, allowing only certain types of connections, such as database queries from a web
application.
Security Customization
• The three-legged firewall allows for customized security policies tailored to
• For instance, the firewall could apply lenient rules for the external network, stricter rules for the
DMZ, and the strictest rules for traffic moving into the internal network.
• Granular Security:
the management and monitoring of network traffic are centralized, reducing administrative
complexity.
Disadvantages
• Single Point of Failure:
• If the firewall fails, all three network zones become inaccessible, making this a single point of
failure. Therefore, high availability features or redundancy may be necessary.
• Resource Intensive:
• The firewall must handle traffic for three separate zones, which can increase processing load,
especially if deep packet inspection or complex rules are applied. This can slow performance if not
properly sized.
want to securely host public-facing applications (e.g., websites) in a DMZ while
separate its public web server from its payment processing system in the internal network,
ensuring that external users never directly access sensitive data.
• A three-legged firewall has three connection points that create multiple network zones: the
external network, DMZ, and internal network.
• This architecture allows for customized security policies between zones and provides cost-
effective network protection.
• While versatile, it can be a single point of failure and may require resource-intensive
management.
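A stateless, zone-based packet filter modelled on the three-legged design, as an added example that is not from the notes. It also illustrates the packet filtering section: rules match only Layer 3/4 header fields and are keyed by (source zone, destination zone), the first match wins as in an ACL, and the default action switches the posture between default deny (an allow-list stance) and default allow (a deny-list stance). The last case is a packet admitted on its headers although its payload is suspicious, which is exactly what a packet filter cannot see. Interface names, address ranges, hosts and rules are all constructed.

```python
"""Zone-aware stateless packet filter (three interfaces, one device).
Added example; zones, addresses and rules are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""  # present, but never consulted by this filter


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    proto: Optional[str] = None       # None matches any protocol
    dst_port: Optional[int] = None    # None matches any port
    src_net: Optional[str] = None     # None matches any source
    action: str = "deny"


@dataclass
class ZoneFirewall:
    iface_zone: dict                  # interface -> zone
    zone_net: dict                    # zone -> address range it owns
    rules: list
    default_action: str = "deny"      # "deny" = allow-list posture, "allow" = deny-list posture
    log: list = field(default_factory=list)

    def zone_of(self, ip: str) -> str:
        addr = ip_address(ip)
        for zone, net in self.zone_net.items():
            if addr in ip_network(net):
                return zone
        return "external"             # any address we do not own is the internet

    def decide(self, pkt: Packet) -> str:
        src_zone = self.iface_zone[pkt.in_iface]
        dst_zone = self.zone_of(pkt.dst_ip)
        for r in self.rules:          # first match wins, as in an ACL
            if (r.from_zone, r.to_zone) != (src_zone, dst_zone):
                continue
            if r.proto and r.proto != pkt.proto:
                continue
            if r.dst_port is not None and r.dst_port != pkt.dst_port:
                continue
            if r.src_net and ip_address(pkt.src_ip) not in ip_network(r.src_net):
                continue
            self.log.append((src_zone, dst_zone, pkt.dst_port, r.action))
            return r.action
        self.log.append((src_zone, dst_zone, pkt.dst_port, self.default_action))
        return self.default_action


def build_firewall(default_action: str = "deny") -> ZoneFirewall:
    return ZoneFirewall(
        iface_zone={"eth0": "external", "eth1": "dmz", "eth2": "internal"},
        zone_net={"dmz": "198.51.100.0/24", "internal": "10.0.0.0/8"},
        rules=[
            Rule("external", "dmz", "tcp", 443, action="allow"),      # public web
            Rule("external", "dmz", "tcp", 25, action="allow"),       # public mail
            # Only the web server may reach the database, and only on its port.
            Rule("dmz", "internal", "tcp", 5432, src_net="198.51.100.10/32", action="allow"),
            Rule("internal", "external", action="allow"),             # outbound browsing
            Rule("external", "internal", action="deny"),              # never direct
        ],
        default_action=default_action,
    )


def demo(default_action: str = "deny") -> dict:
    fw = build_firewall(default_action)
    web, db = "198.51.100.10", "10.1.1.5"
    cases = {
        "internet->web:443": Packet("eth0", "203.0.113.7", web, "tcp", 443),
        "internet->web:22": Packet("eth0", "203.0.113.7", web, "tcp", 22),
        "internet->db:5432": Packet("eth0", "203.0.113.7", db, "tcp", 5432),
        "web->db:5432": Packet("eth1", web, db, "tcp", 5432),
        "mail->db:5432": Packet("eth1", "198.51.100.20", db, "tcp", 5432),
        "web->internal:445": Packet("eth1", web, db, "tcp", 445),
        # Headers look fine; the payload is never examined (constructed marker).
        "internet->web:443 bad payload": Packet("eth0", "203.0.113.7", web, "tcp", 443,
                                                 payload=b"constructed-suspicious-data"),
    }
    return {name: fw.decide(p) for name, p in cases.items()}


if __name__ == "__main__":
    print(demo())            # default deny
    print(demo("allow"))     # default allow
```

Running `demo()` and `demo("allow")` side by side shows why the notes favour the stricter posture: with default allow, the unmatched SSH attempt and the mail server's database connection both pass, while the explicit external-to-internal deny still holds.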
to investigate and respond to incidents.
Intrusion Prevention System (IPS)
• IPS also inspects data, but unlike IDS, it prevents or mitigates intrusions by actively blocking
traffic.
• Additional Action: Automatically takes corrective measures (e.g., dropping malicious packets,
resetting connections).
• Main Role: Provides real-time protection by actively stopping threats.
Types of IDS/IPS
1. Network-Based IDS/IPS (NIDS/NIPS)
Mirror/Span/Promiscuous Port
• Detection Methods
• Ingress and Egress Monitoring
• Whitelisting and Blacklisting
• Useful for detecting new or unknown threats but may lead to false positives.
Ingress and Egress Monitoring
• Ingress: Monitoring of incoming traffic into a network.
• Egress: Monitoring of outgoing traffic from a network.
• Key Role: Ensures both incoming and outgoing traffic is inspected for malicious behavior,
preventing data exfiltration or external threats.
Whitelisting and Blacklisting
• Whitelisting: Only allows traffic from specific trusted IP addresses; all other traffic is blocked.
• Pro: Highly secure but may block legitimate traffic unintentionally.
• Blacklisting: Specifically blocks traffic from known malicious IP addresses; all other traffic is
allowed.
• Pro: Easier to implement, but new or unknown threats might bypass the blacklist.
• IDS and IPS systems perform data inspection, with IDS focusing on detection and IPS providing
prevention.
• IDS/IPS systems can be network-based or host-based, with different monitoring approaches for
traffic and host activities.
• Detection methods include signature-based for known threats and anomaly-based for unknown
or evolving threats.
• Ingress and egress monitoring are key for securing traffic flow, and whitelisting/blacklisting
strategies add additional layers of protection.
Cornell Notes by Col Subhajeet Naha, Retd, CISSP 2024
Data Inspection
• Definition of Data Inspection
• Virus Scanning
• Stateful Inspection
• Content Inspection
Definition of Data Inspection
• Data inspection refers to the process of monitoring and examining transmitted data to ensure
compliance with security rules.
• It focuses on detecting unauthorized or malicious data and triggering appropriate actions when a
violation is detected.
Virus Scanning
• Function: Scans files for known malware or virus signatures.
• Mechanism: Compares files against a database of known malware signatures to detect malicious
content.
• Example: Antivirus software scanning email attachments to block the delivery of infected files.
Stateful Inspection
• Function: Tracks and analyzes the state of communications between systems.
• Mechanism: Maintains a dynamic state/context table to follow the status of active network
connections.
• Example: A firewall that inspects and tracks connection states to ensure that only valid
communication flows are allowed, preventing unauthorized access.
Content Inspection
• Function: Inspects transmitted mobile code or content for compliance with defined security rules.
• Data inspection ensures transmitted data adheres to security rules by identifying threats like
malware or harmful scripts.
• The key methods include virus scanning, stateful inspection, and content inspection, all of which
add layers of defense.
• Proper data inspection safeguards the network by actively monitoring and responding to potential
security threats.
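Stateful inspection as a connection table, added here as an example that is not from the notes: TCP flows are keyed by their 5-tuple, the state advances with the handshake, inbound segments are admitted only when they belong to a flow an internal host opened, and idle entries are aged out. It is a simplified model (no sequence-number checks, no UDP pseudo-state, no vendor's implementation) with constructed addresses.

```python
"""Simplified stateful TCP inspection with a connection table.
Added example; addresses and segments are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str        # "out" = from the trusted side, "in" = from outside


class StatefulFirewall:
    def __init__(self, idle_timeout: int = 30):
        self.table = {}               # canonical 5-tuple -> {"state", "last"}
        self.idle_timeout = idle_timeout

    @staticmethod
    def key(seg: Seg):
        # Canonical orientation: the trusted initiator's side always comes first,
        # so both directions of one flow map to the same entry.
        if seg.direction == "out":
            return (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        return (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)

    def expire(self, now: int) -> int:
        """Drop entries idle longer than the timeout; returns how many were removed."""
        dead = [k for k, e in self.table.items() if now - e["last"] > self.idle_timeout]
        for k in dead:
            del self.table[k]
        return len(dead)

    def process(self, seg: Seg, now: int) -> str:
        self.expire(now)
        k = self.key(seg)
        entry = self.table.get(k)
        if entry is None:
            # Only a SYN from the trusted side may create state.
            if seg.direction == "out" and seg.flags == {"SYN"}:
                self.table[k] = {"state": "SYN_SENT", "last": now}
                return "allow"
            return "drop"             # unsolicited inbound, or a non-SYN start
        entry["last"] = now
        st = entry["state"]
        if st == "SYN_SENT" and seg.direction == "in" and seg.flags == {"SYN", "ACK"}:
            entry["state"] = "SYN_RECV"
            return "allow"
        if st == "SYN_RECV" and seg.direction == "out" and seg.flags == {"ACK"}:
            entry["state"] = "ESTABLISHED"
            return "allow"
        if st == "ESTABLISHED":
            if "RST" in seg.flags or "FIN" in seg.flags:
                del self.table[k]     # teardown: forget the flow
            return "allow"
        return "drop"                 # flags that do not fit the current state


def demo() -> dict:
    fw = StatefulFirewall(idle_timeout=30)
    client, server = ("10.0.0.5", 40000), ("198.51.100.5", 443)

    def out(flags, t):
        return fw.process(Seg(*client, *server, frozenset(flags), "out"), t)

    def inb(flags, t):
        return fw.process(Seg(*server, *client, frozenset(flags), "in"), t)

    r = {}
    # Inbound SYN with no matching outbound flow: dropped.
    r["unsolicited syn"] = fw.process(
        Seg("203.0.113.9", 5555, "10.0.0.5", 22, frozenset({"SYN"}), "in"), 0)
    r["syn"] = out({"SYN"}, 1)
    r["syn-ack"] = inb({"SYN", "ACK"}, 2)
    r["ack"] = out({"ACK"}, 3)
    r["data in"] = inb({"ACK"}, 4)               # allowed: belongs to an open flow
    r["state"] = fw.table[fw.key(Seg(*client, *server, frozenset(), "out"))]["state"]
    r["stale data in"] = inb({"ACK"}, 100)       # idle > timeout: entry aged out
    r["entries"] = len(fw.table)
    return r


if __name__ == "__main__":
    print(demo())
```

The contrast with the stateless filter is the `"data in"` line: the same inbound segment is allowed here only because the table remembers that 10.0.0.5 initiated the flow, and is dropped once that memory has expired.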
• Pros and Cons of Host-Based IDS/IPS
• Example Use Cases
• Requires proper sensor placement for maximum efficiency.
• Example: A NIDS placed on a network's main router monitors traffic entering and leaving the
network, alerting administrators to any suspicious traffic patterns.
Host-Based IDS/IPS (HIDS/HIPS):
• Installed directly on specific devices (like servers or mission-critical systems) and monitors that
device's activity.
• Provides more detailed visibility into the activity occurring on the device itself.
• Pros:
• Granular protection at the host level, making it highly effective for protecting critical systems.
• Can detect internal attacks and changes made directly on the host.
• Cons:
• Resource-intensive (requires processing power and storage on each host).
• Does not monitor broader network traffic, limited to the host device.
• Example:
• Network-Based IDS/IPS: Monitors the flow of data across network segments (broader coverage).
• Host-Based IDS/IPS: Focuses on monitoring activity within a specific device
• Network-based IDS/IPS provide broad monitoring of network traffic and can detect threats across
multiple devices, while host-based IDS/IPS offer detailed monitoring of specific systems.
• A combination of both types provides the most comprehensive protection by covering both the
network level and individual hosts.
Detection
• Relies on known attack signatures (such as malicious file hashes, suspicious IP addresses, or byte
sequences).
existing signatures.
• Example: An IDS detects malware by matching the packet's signature with a known malicious file
hash.
• Anomaly-Based Detection:
• Detects deviations from normal behavior by establishing a baseline of expected network activity.
• Pros: Can detect unknown or new threats.
• Cons: Resource-intensive and can result in false positives.
• Example: An IDS raises an alert when a spike in network traffic deviates from normal patterns.
• Stateful Matching:
triggers an alert or blocks traffic.
• Statistical Anomalies:
• Detects statistical deviations from normal behavior patterns, triggering alerts or blocking
suspicious traffic.
• Traffic Anomalies:
• Mirror, span, and promiscuous ports are essential for IDS/IPS, enabling devices to monitor network
traffic without disrupting it.
• Signature-based detection works well against known threats, while anomaly-based detection can
catch new threats by identifying unusual network behavior, though it requires more resources and
can lead to false positives.
• Prevents data loss or the unauthorized transmission of sensitive information outside the network.
• Can also detect compromised systems attempting to communicate with external attackers.
• Example: Monitoring outbound traffic to detect and block unauthorized file transfers or
command-and-control communications from infected machines.
Importance of Both Ingress and Egress Monitoring:
• Comprehensive monitoring requires analyzing traffic in both directions to prevent attacks and
detect data exfiltration.
• Ingress Monitoring: Protects the network from external threats.
• Egress Monitoring: Prevents insider threats, data breaches, and outgoing malicious activity.
Role of IDS/IPS in Monitoring:
• IDS/IPS should be placed in strategic positions to monitor both incoming (ingress) and outgoing
(egress) traffic.
• An IDS/IPS system monitoring ingress can detect suspicious traffic before it enters the network,
while monitoring egress can prevent data theft or malicious activity from being sent outside.
• Ingress monitoring focuses on detecting threats entering the network, while egress monitoring
focuses on threats exiting the network.
• Both are critical for protecting against external attacks and preventing data loss or unauthorized
communications from inside the network.
• Example:
• A network may employ a deny list to block known malicious IP addresses, preventing access to
those sources.
Importance of Terminology:
• The terms "allow list" and "deny list" are gaining popularity as they avoid the racial connotations
associated with "whitelist" and "blacklist."
• Awareness of these terms is essential, as both may appear on exams
Use Cases:
• Allow Lists: Commonly used for restricting access to a limited number of approved services,
enhancing security by minimizing exposure to untrusted sources.
• Deny Lists: Useful for preventing access to known harmful sites or IPs,
• Allow lists permit access only to specified IP addresses, blocking all others, while deny lists explicitly
block certain IPs, allowing all others.
• The shift toward using the terms "allow list" and "deny list" reflects a more inclusive language in
cybersecurity practices.
systems.
A sandbox is a crucial cybersecurity tool that allows for the safe execution and analysis of
untrusted code. It aids in detecting true threats while minimizing the risk of undetected
malicious activity, making it essential for both IDS/IPS systems and malware analysts.
4. False Negative:
• Description: No alert is generated despite an ongoing attack.
• Understanding alert statuses is crucial for effective security monitoring. Tuning security
tools is necessary to balance between minimizing false positives and preventing false
negatives, which can leave the organization vulnerable. Effective tuning varies
depending on the organization's specific context and threat landscape.
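The signature-based and anomaly-based methods from the Detection notes, run over constructed outbound flow records (so this is also an egress-monitoring check) and then scored against a labelled ground truth to produce the four alert statuses just described. This is an added example, not from the notes: the hosts, addresses, hash and byte counts are all made up, and the anomaly rule is a plain mean-plus-three-standard-deviations threshold over a constructed baseline.

```python
"""Signature vs. anomaly detection over constructed egress flows, scored as
true/false positives and negatives.  Added example; all data is made up."""
import hashlib
import statistics

# Signature list: one constructed malware hash and one constructed C2 address.
MALWARE_HASH = hashlib.sha256(b"constructed-malware-sample").hexdigest()
SIGNATURE_HASHES = {MALWARE_HASH}
DENY_LISTED_IPS = {"203.0.113.66"}

# Constructed outbound flows: (host, dst_ip, bytes_out, sha256 of transferred file or None)
FLOWS = [
    ("ws-01", "198.51.100.5", 12000, None),
    ("ws-01", "198.51.100.5", 15000, None),
    ("ws-02", "198.51.100.8", 9000, None),
    ("ws-03", "198.51.100.5", 13000, None),
    ("ws-04", "203.0.113.66", 14000, None),           # beacon to deny-listed C2
    ("ws-05", "198.51.100.5", 950000, None),          # exfiltration-sized upload
    ("ws-06", "198.51.100.8", 12500, MALWARE_HASH),   # transfers a known sample
    ("ws-07", "198.51.100.9", 600000, None),          # legitimate nightly backup
    ("ws-08", "203.0.113.70", 13000, None),           # beacon to an unlisted C2
]
TRUTH = {4, 5, 6, 8}          # indices the analyst labelled malicious (constructed)

# Constructed "normal week" of outbound bytes per flow, used as the baseline.
BASELINE = [12000, 15000, 9000, 11000, 13000, 10000, 14000, 12500]


def signature_alerts(flows) -> set:
    """Known-bad matching: deny-listed destination or a listed file hash."""
    return {i for i, (_, dst, _, digest) in enumerate(flows)
            if dst in DENY_LISTED_IPS or (digest and digest in SIGNATURE_HASHES)}


def anomaly_alerts(flows, baseline, z: float = 3.0):
    """Flag flows whose outbound volume exceeds mean + z * stdev of the baseline."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline)
    threshold = mean + z * stdev
    return {i for i, (_, _, nbytes, _) in enumerate(flows) if nbytes > threshold}, threshold


def classify(alerts: set, truth: set, n: int) -> dict:
    """Alert statuses: TP = alerted and malicious, FP = alerted but benign,
    FN = malicious but silent, TN = benign and silent."""
    tp = len(alerts & truth)
    fp = len(alerts - truth)
    fn = len(truth - alerts)
    return {"tp": tp, "fp": fp, "fn": fn, "tn": n - tp - fp - fn}


def demo() -> dict:
    sig = signature_alerts(FLOWS)
    anom, threshold = anomaly_alerts(FLOWS, BASELINE)
    n = len(FLOWS)
    return {
        "signature": sig,
        "anomaly": anom,
        "threshold": threshold,
        "signature_only": classify(sig, TRUTH, n),
        "anomaly_only": classify(anom, TRUTH, n),
        "combined": classify(sig | anom, TRUTH, n),
    }


if __name__ == "__main__":
    print(demo())
```

The scores show the trade-off the notes describe: signatures alone produce no false positives but miss both the large upload and the beacon to an address nobody has listed yet; the anomaly rule catches the upload but also flags the backup (a false positive) and still misses the low-volume beacon (a false negative). Tuning `z`, or the baseline, moves alerts between those two columns rather than eliminating them.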
crime they were already planning.
• Example: Using a honeypot to attract a known attacker.
• Entrapment:
• Honeypots and honeynets serve as valuable tools in cybersecurity by detecting and analyzing
malicious activities.
• However, organizations must navigate the legal implications of their use, ensuring they do not
engage in entrapment.
• Understanding the balance between enticement and entrapment is crucial for ethical security
practices.
ensuring that even if traffic is intercepted, it remains unreadable without the proper decryption
key.
• Types of VPNs:
• Client-based VPNs: Installed on the user’s device, securing remote access to the corporate
network.
• Site-to-Site VPNs: Securely connect two different networks, often used between a company’s
headquarters and branch offices.
Tunneling:
• Tunneling is a process that involves encapsulating a data packet inside another packet for secure
transmission.
• Tunneling protocols include PPTP, L2TP (usually combined with IPsec for
Split Tunneling:
• This feature allows users to access corporate resources via a VPN while
Authentication and Encryption:
• VPNs are essential tools for securing remote access, especially over untrusted networks.
• They provide encryption and secure communication channels, reducing the risk of data interception.
While split tunneling offers convenience, it also introduces security risks, and organizations must
carefully weigh these factors when implementing remote access solutions.
the number of vulnerable entry points into the corporate network.
• By securing these devices, organizations can prevent or mitigate cyberattacks before they impact
critical systems.
Role of Network Access Control (NAC):
• NAC solutions complement endpoint security by managing which devices can connect to the
corporate network.
• NAC ensures that only healthy, compliant devices with updated security measures (e.g., antivirus
or encryption) are allowed access to the network.
• Devices that fail to meet the security requirements may be quarantined or denied access.
Evolved Endpoint Security Strategies:
comprehensive strategies, including:
✓ Endpoint Data Leak Prevention (DLP) solutions
✓ Endpoint Detection and Response (EDR) platforms
✓ Threat detection, response, and continuous monitoring
• Endpoint security protects individual devices within a corporate network, helping to reduce potential
entry points for attackers.
• Modern strategies go beyond antivirus solutions, incorporating NAC, DLP, and EDR systems to
ensure robust protection.
• NAC plays a critical role in verifying device security and preventing unauthorized access to the
network.
network, independent of the original packet’s intended route.
• The outer packet’s header dictates the network route, effectively "forcing" the packet to travel through a predetermined path.
• However, the encapsulated packet remains readable unless encryption is applied.
Tunneling with or without Encryption:
• Tunneling by itself does not provide security—it only encapsulates the packet. If security is needed, the encapsulated packet must be
• Without encryption, the encapsulated packet can still be read by any
important:
• Lower layers (Layer 2): Highly efficient but with limited functionality.
• Higher layers (Layer 7): Provide more functionality, such as application-level capabilities, but are less efficient.
• This encapsulation allows GRE to support multiple protocol types and provide flexibility for network routing.
Use Cases for GRE:
• GRE is useful in scenarios where multiple protocols need to be routed across an IP network.
• For example, it can transport IPv6 packets over an IPv4 network, or multicast traffic over an IP network that does not natively support it.
• GRE is often used in VPNs, where it provides routing flexibility alongside other security protocols like IPsec.
Pros of GRE:
• Protocol Flexibility: GRE can encapsulate multiple protocols, making it versatile for different network needs.
• Supports Multicast Traffic: GRE allows multicast traffic to be routed over IP networks, where it is not always natively supported.
• IPv6 Compatibility: GRE can tunnel IPv6 traffic over an IPv4 network, offering a bridge between different network types.
• No Encryption: Unlike IPsec, GRE does not provide any encryption or security
tunnel is not protected from interception.
• Overhead: GRE adds an additional header to each packet, which increases the size of the packet and can lead to network overhead and reduced performance.
• Not Secure by Itself: Since GRE does not provide confidentiality or integrity protection, it is typically combined with IPsec for secure tunneling.
• Generic Routing Encapsulation (GRE) is a versatile tunneling protocol that enables the encapsulation
of multiple network protocols over IP networks.
• Its strength lies in its ability to support IPv6 and multicast traffic over IP networks.
• However, GRE does not offer security, so it is commonly used in combination with other protocols
like IPsec for secure transmission.
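To make the "encapsulation without encryption" and "overhead" points concrete, here is an added example (not from these notes) that builds and parses a minimal RFC 2784 GRE header around a constructed IPv6 packet; the payload bytes and the 24-byte IPv4+GRE overhead are assumptions of the example, not values from the notes.

```python
import struct

# EtherType numbers carried in the GRE Protocol Type field (RFC 2784)
GRE_PROTOCOLS = {0x0800: "IPv4", 0x86DD: "IPv6", 0x880B: "PPP", 0x6558: "Transparent Ethernet bridging"}
IPV4_HEADER_LEN = 20        # outer delivery header without options
GRE_BASE_HEADER_LEN = 4     # flags/version (2 bytes) + protocol type (2 bytes)


def gre_encapsulate(inner: bytes, protocol_type: int) -> bytes:
    """Prepend a minimal GRE header (C bit clear, version 0). The inner packet is copied verbatim:
    nothing here hides its contents from anyone on the path."""
    return struct.pack("!HH", 0x0000, protocol_type) + inner


def gre_decapsulate(gre_packet: bytes) -> dict:
    """Parse the GRE header and return the carried protocol name and the untouched payload."""
    flags_version, protocol_type = struct.unpack("!HH", gre_packet[:4])
    if flags_version & 0x0007 != 0:
        raise ValueError("only GRE version 0 (RFC 2784) is supported")
    header_len = 8 if flags_version & 0x8000 else 4   # C bit adds Checksum + Reserved1 fields
    return {"protocol": GRE_PROTOCOLS.get(protocol_type, "unknown"),
            "payload": gre_packet[header_len:]}


def gre_overhead(checksum_present: bool = False) -> int:
    """Bytes added to every packet when tunnelling over IPv4 (the 'Overhead' con above)."""
    return IPV4_HEADER_LEN + GRE_BASE_HEADER_LEN + (4 if checksum_present else 0)


# Constructed IPv6 packet: 40-byte header (version 6, payload length 5, next header 17 = UDP,
# hop limit 64, all-zero source/destination) followed by a readable 5-byte payload.
INNER_IPV6 = bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", 5, 17, 64) + bytes(16) + bytes(16) + b"hello"
```

Running `gre_decapsulate(gre_encapsulate(INNER_IPV6, 0x86DD))` returns the IPv6 packet unchanged, which is the whole reason GRE is paired with IPsec when confidentiality matters.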
and performance, as not all traffic needs to go through the corporate VPN, which can result in faster browsing and downloads.
• Increased Efficiency: Users can access corporate resources securely via the VPN while simultaneously using direct connections for less sensitive tasks.
Weaknesses and Risks:
• Security Risks: Split tunneling can bypass corporate security controls, exposing the user's device to threats from unsecured networks, such as hotel or public Wi-Fi. Malicious actors can exploit
network.
• Split tunneling allows for efficient use of bandwidth and optimized performance by
routing non-corporate traffic outside the VPN.
• However, the feature poses significant security risks, as it can bypass corporate security
controls, leaving the device vulnerable to attacks and reducing the organization's ability
to monitor or protect network traffic.
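An added example, not part of these notes, showing the routing decision behind the split-tunneling trade-off: under a split-tunnel policy only the corporate prefixes go through the VPN, so every other flow leaves the device uninspected. The prefixes and flow records are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed split-tunnel policy: only these prefixes are sent through the VPN;
# everything else leaves the device directly over the local (possibly hostile) network.
CORPORATE_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12")]


def next_hop(dst: str, split_tunneling: bool) -> str:
    """Return 'vpn' or 'direct' for a destination under the given tunnel policy."""
    if not split_tunneling:
        return "vpn"                      # full tunnel: every flow passes the corporate controls
    addr = ipaddress.ip_address(dst)
    return "vpn" if any(addr in net for net in CORPORATE_PREFIXES) else "direct"


# Constructed endpoint flow records: (destination IP, destination port)
SAMPLE_FLOWS: List[Tuple[str, int]] = [
    ("10.1.2.3", 443),        # internal web app
    ("172.20.5.9", 445),      # internal file share
    ("203.0.113.7", 80),      # public site reached over the hotel Wi-Fi
    ("198.51.100.22", 22),    # public SSH host
]


def uninspected_flows(flows: List[Tuple[str, int]], split_tunneling: bool) -> List[Tuple[str, int]]:
    """Flows that bypass the corporate security stack (proxy, IDS, DLP) under this policy."""
    return [(ip, port) for ip, port in flows if next_hop(ip, split_tunneling) == "direct"]
```

With `split_tunneling=True` two of the four sample flows never reach the corporate controls; with `False` the list is empty, at the cost of backhauling all traffic.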
through a proxy server.
• SSL/TLS (Secure Sockets Layer/Transport Layer Security): Layer 4 protocol (Transport Layer), providing encryption for web traffic, commonly used in HTTPS.
• IPsec (Internet Protocol Security): Works at Layer 3 (Network Layer), offering encryption and authentication to secure IP packets.
• GRE (Generic Routing Encapsulation): Encapsulates packets at multiple OSI layers, but lacks encryption by default.
• L2TP (Layer 2 Tunneling Protocol): Operates at Layer 2 (Data Link Layer). Often paired with IPsec to add encryption.
• L2F (Layer 2 Forwarding Protocol): Another Layer 2 protocol, but less commonly used today.
• PPTP (Point-to-Point Tunneling Protocol): A basic Layer 2 tunneling protocol for VPNs, which includes encryption.
PPTP vs. L2TP:
• PPTP (Point-to-Point Tunneling Protocol):
  • Operates at Layer 2 and includes built-in encryption.
  • Simple and efficient, but vulnerable to attacks due to weaker encryption mechanisms.
  • Commonly used in older VPNs, but has been largely replaced due to security concerns.
• L2TP (Layer 2 Tunneling Protocol):
  • Also a Layer 2 protocol, but lacks encryption on its own.
  • Typically paired with IPsec to create a secure VPN, where IPsec provides the
  • More secure than PPTP, but can be slightly slower due to the added encryption overhead.
C o • A VPN (Virtual Private Network) is not just a tunnel—it requires encryption for security.
Protocols like IPsec, SSH, and SSL/TLS add encryption to tunnels, ensuring secure
transmission of data across untrusted networks like the internet.
• L2TP is paired with IPsec to form a secure VPN, while PPTP offers its own encryption
but is less secure.
packets.
• Provides data-origin authentication and replay protection, but it does not encrypt the payload.
Encapsulating Security Payload (ESP):
• Provides encryption of the payload, ensuring confidentiality in addition to the integrity, data-origin authentication, and replay protection offered by AH.
• ESP is commonly used for its encryption capabilities, making it essential for secure VPN communications.
IPsec Modes: Transport and Tunnel
• Transport Mode:
  • In this mode, only the payload of the IP packet is encrypted or authenticated.
  • Commonly used in end-to-end communications (e.g., client to server) within a trusted network.
• Tunnel Mode:
  • The entire IP packet (header and payload) is encapsulated and encrypted, offering maximum security.
  • Typically used in site-to-site VPNs where two networks are securely connected over an untrusted network like the internet.
• It generates the session keys that are shared between the two endpoints of the VPN, ensuring that communication is encrypted with a dynamically created key that is valid only for the duration of the session.
Security Associations (SAs):
• session in IPsec.
• Each SA contains parameters such as the encryption algorithm, session keys, and authentication methods.
• An SA is needed for each direction (inbound and outbound) of the communication and for each component (AH or ESP) being used.
• IPsec is a robust protocol suite used for VPNs, offering both authentication through AH and
encryption through ESP.
• It can operate in transport or tunnel mode, depending on the level of security required. IPsec is
integrated into IPv6, making it a standard for modern secure communications.
• Additionally, Internet Key Exchange (IKE) and Security Associations (SAs) are essential for the secure
exchange of session keys and for defining the security parameters of the VPN connection.
and authenticity are critical.
• Encapsulating Security Payload (ESP):
  • ESP offers more robust security by providing encryption in addition to integrity, data-origin authentication, and replay protection. It ensures confidentiality by encrypting the payload, making it the preferred choice for VPNs.
Internet Key Exchange (IKE)
• IKE is the protocol used to exchange keys securely between the two endpoints of an IPsec VPN.
• Since VPNs require symmetric encryption (using the same key at both ends), IKE ensures that both endpoints generate and use the same session key. It’s essentially a version of the Diffie–Hellman key exchange protocol and helps establish secure communication between the endpoints.
communication session in IPsec. Since communication is one-way, two SAs are needed for bi-directional communication—one for each direction.
• If both AH and ESP are used in the connection, four SAs are required: two for AH and two for ESP, each for inbound and outbound communication.
Key attributes in an SA include:
• Authentication algorithm
• Encryption algorithm
• Encryption keys
• Mode (transport or tunnel)
• Sequence number
• Expiry of the SA
• IPsec provides a robust solution for securing communications, offering both integrity and encryption
through its AH and ESP subprotocols.
• It operates in two modes: transport, which encrypts only the payload, and tunnel, which encrypts
the entire IP packet.
• IKE is essential for establishing secure key exchange, while Security Associations ensure the secure
management of each communication session.
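An added example, not from these notes, that models the SA attributes listed above and shows how two of them work together: the per-direction, per-protocol SA count (AH+ESP gives four) and the sequence-number anti-replay window of RFC 4303 Appendix A that backs the "replay protection" AH and ESP provide. SPIs, algorithm names, the 64-packet window and the lifetime are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional

REPLAY_WINDOW = 64   # RFC 4303 requires at least 32 packets; 64 is a common default (assumption)


@dataclass
class SecurityAssociation:
    """One IPsec SA: one protocol (AH or ESP) in one direction, with the attributes listed in the notes."""
    spi: int
    protocol: str            # "AH" or "ESP"
    direction: str           # "inbound" or "outbound"
    mode: str                # "transport" or "tunnel"
    auth_alg: str
    enc_alg: Optional[str]   # None for AH, which authenticates but does not encrypt
    lifetime_seconds: int    # expiry of the SA
    highest_seq: int = 0     # highest sequence number accepted so far
    window_bits: int = 0     # bit i set means seq (highest_seq - i) was already received

    def accept_inbound_seq(self, seq: int) -> bool:
        """Anti-replay sliding window (RFC 4303 Appendix A): True if seq is new and inside the
        window, False if replayed or too old. A real stack runs this only after the packet's
        integrity check succeeds, so a forged sequence number cannot advance the window."""
        if seq == 0:
            return False                           # the first packet on an SA carries seq 1
        if seq > self.highest_seq:
            shift = seq - self.highest_seq         # slide the window forward
            self.window_bits = ((self.window_bits << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= REPLAY_WINDOW:
            return False                           # older than the window: drop
        if (self.window_bits >> offset) & 1:
            return False                           # already seen: replay
        self.window_bits |= 1 << offset
        return True


def build_sa_bundle(use_ah: bool, use_esp: bool, mode: str) -> List[SecurityAssociation]:
    """One SA per selected protocol per direction, so AH+ESP yields four SAs. SPIs are constructed."""
    sas, spi = [], 0x1000
    for proto in [p for p, used in (("AH", use_ah), ("ESP", use_esp)) if used]:
        for direction in ("outbound", "inbound"):
            sas.append(SecurityAssociation(spi, proto, direction, mode, "HMAC-SHA256",
                                           None if proto == "AH" else "AES-256-CBC", 3600))
            spi += 1
    return sas
```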
with the server’s
server now share the same session key for secure communication.
Asymmetric and Symmetric Cryptography in SSL/TLS:
• Asymmetric Cryptography: The server's public key is used to encrypt the
• Symmetric Cryptography: After the session key is shared, symmetric encryption is used for fast, secure communication between the client and the
DROWN Attack:
decrypt communications between a client and server.
• It’s crucial to disable backward compatibility with SSLv2 to protect against this attack. Server owners should ensure private keys are not used with servers that allow SSLv2 connections.
• SSL/TLS is vital for securing online communications, with TLS being the modern standard.
• The handshake process ensures that a session key is securely created, using both asymmetric and
symmetric encryption to protect data during transmission.
• Proper implementation is necessary to avoid vulnerabilities such as the DROWN attack, which can
exploit older SSL protocols.
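An added example, not from these notes, of the check the DROWN guidance above calls for: it scans a constructed nginx-style configuration for server blocks that still allow SSLv2 and then flags every other server that shares a private key with one of them, since that shared key is what exposes an otherwise modern TLS endpoint. The config text, hostnames and key paths are constructed; SSLv2 appears only so the check has something to flag.

```python
import re
from typing import Dict, List

# Constructed sample in an nginx-like syntax (not a real deployment).
SAMPLE_CONFIG = """
server { server_name www.example.test;    ssl_protocols TLSv1.2 TLSv1.3;  ssl_certificate_key /etc/keys/web.key; }
server { server_name legacy.example.test; ssl_protocols SSLv2 SSLv3 TLSv1; ssl_certificate_key /etc/keys/web.key; }
server { server_name mail.example.test;   ssl_protocols TLSv1.2;          ssl_certificate_key /etc/keys/mail.key; }
"""


def parse_servers(config: str) -> List[Dict[str, str]]:
    """Pull server_name, ssl_protocols and ssl_certificate_key out of each server { } block."""
    servers = []
    for block in re.findall(r"server\s*\{(.*?)\}", config, flags=re.S):
        fields = dict(re.findall(r"(server_name|ssl_protocols|ssl_certificate_key)\s+([^;]+);", block))
        servers.append({k: v.strip() for k, v in fields.items()})
    return servers


def drown_exposure(config: str) -> Dict[str, List[str]]:
    """Servers that speak SSLv2, plus every other server sharing a private key with one of them.
    The second group is the DROWN condition: the TLS-only endpoint never offers SSLv2 itself,
    yet it is exposed through the key it shares with the SSLv2-capable one."""
    servers = parse_servers(config)
    sslv2 = [s for s in servers if "SSLv2" in s.get("ssl_protocols", "").split()]
    tainted_keys = {s["ssl_certificate_key"] for s in sslv2}
    shared = [s for s in servers if s not in sslv2 and s.get("ssl_certificate_key") in tainted_keys]
    return {"sslv2_enabled": [s["server_name"] for s in sslv2],
            "exposed_via_shared_key": [s["server_name"] for s in shared]}
```

The fix is the one the notes give: remove SSLv2 from the legacy block, or give it a key that no TLS endpoint uses.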
specific applications or services.
• IPsec VPN: Does not encrypt connections by default but uses IKE (Internet Key Exchange) for key management and data authentication. It is more versatile for encrypting traffic across entire networks, but the setup can be more complex.
authentication.
• TLS VPNs provide easier setup, application-specific encryption, and more granular control at the
Transport layer, while IPsec VPNs offer broader network-level encryption at the Network layer but
with added complexity.
• The choice between TLS and IPsec VPNs depends on organizational needs such as performance,
security, and ease of management.
• It provides AAA functionality—authentication, authorization, and accounting—and allows users to connect to network resources securely.
• RADIUS operates at the application layer and uses UDP for transmission. However, it has limitations in security as it only obfuscates user passwords.
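An added example, not from these notes, of what "only obfuscates user passwords" means on the wire: the RFC 2865 section 5.2 User-Password hiding (MD5 keystream derived from the shared secret, XORed block by block) is reversible by anyone holding the shared secret, and the User-Name attribute beside it is sent in clear. The shared secret, Request Authenticator and password are constructed values.

```python
import hashlib
import struct


def _blocks(data: bytes, size: int = 16):
    return [data[i:i + size] for i in range(0, len(data), size)]


def hide_password(shared_secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block' is the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for block in _blocks(padded):
        keystream = hashlib.md5(shared_secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(block, keystream))
        hidden += prev
    return hidden


def reveal_password(shared_secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Reverse of hide_password. Knowing the shared secret is enough to recover the password,
    which is why the notes call this obfuscation rather than encryption."""
    plain, prev = b"", request_authenticator
    for block in _blocks(hidden):
        keystream = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")


def access_request_attributes(user: bytes, hidden_password: bytes) -> bytes:
    """Encode User-Name (type 1) and User-Password (type 2) as RADIUS TLVs: type, length, value.
    Only the password value is hidden; the username and every other attribute travel in clear."""
    out = b""
    for attr_type, value in ((1, user), (2, hidden_password)):
        out += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return out
```

This is the gap TACACS+ closes by encrypting the whole packet body rather than one attribute.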
TACACS+:
• Terminal Access Controller Access Control System Plus (TACACS+) was developed by Cisco as an improvement over RADIUS.
• It uses TCP for reliable transmission and encrypts all packets, not just passwords, making it more secure. It is often used for device administration tasks, providing robust authentication and access control.
Diameter:
• Diameter is the successor to RADIUS and offers enhanced security. It addresses RADIUS’s shortcomings by providing stronger encryption and improved security
• TACACS+: More secure with full packet encryption and uses TCP, making it reliable for administrative tasks.
• Diameter: Successor to RADIUS with advanced security features like EAP and is more scalable.
• Remote authentication protocols like RADIUS, TACACS+, and Diameter are essential for ensuring the
security of remote access.
• RADIUS provides basic AAA services but has limitations in security, while TACACS+ improves upon it
with full encryption.
• Diameter is the modern successor, offering enhanced security and scalability, making it suitable for
today’s complex networks.