
CISSP Cheat Sheet Series

OSI Reference Model

7 layers. Allows changes between layers. Standard hardware/software interoperability.

Tip, OSI Mnemonics
All People Seem To Need Data Processing
Please Do Not Throw Sausage Pizza Away

Layer | Data | Security
Application | Data | C, I, AU, N
Presentation | Data | C, AU, Encryption
Session | Data | N
Transport | Segment | C, AU, I
Network | Packets | C, AU, I
Data link | Frames | C
Physical | Bits | C

C=Confidentiality, AU=Authentication, I=Integrity, N=Non repudiation

Layer (No): Functions / Protocols / Hardware / Formats

Physical (1)
Functions: Electrical signal. Bits to voltage.
Hardware / Formats: Cables, HUB, USB, DSL, Repeaters, ATM

Data Link Layer (2)
Functions: Frames setup. Error detection and control. Check integrity of packets. Destination address, Frames use in MAC to IP address conversion.
Protocols: PPP - PPTP - L2TP - ARP - RARP - SNAP - CHAP - LCP - MLP - Frame Relay - HDLC - ISL - MAC - Ethernet - Token Ring - FDDI
Hardware / Formats: Layer 2 Switch - bridges

Network layer
Functions: Routing, Layer 3 switching, segmentation, logical addressing. ATM. Packets.
Protocols: ICMP - BGP - OSPF - RIP - IP - BOOTP - DHCP - ICMP
Hardware / Formats: Layer 3 Switch - Router

Transport
Functions: TCP - UDP datagrams. Reliable end to end data transfer - Segmentation - sequencing - and error checking
Protocols: Segment - Connection oriented
Hardware / Formats: Routers - VPN concentrators - Gateway

Session Layer
Functions: Data, simplex, half duplex, full duplex. Eg. peer connections.
Protocols: TCP - UDP - NFS - SQL - RADIUS - and RPC - PPTP - PPP
Hardware / Formats: Gateways

Presentation layer
Functions: Data compression/decompression and encryption/decryption
Protocols: TCP - UDP messages
Hardware / Formats: Gateways. JPEG - TIFF - MID - HTML

Application layer
Functions: Data
Protocols: TCP - UDP - FTP - TELNET - TFTP - SMTP - HTTP CDP - SMB - SNMP - NNTP - SSL - HTTP/HTTPS.
Hardware / Formats: Gateways

TCP/IP Model

Layers | Action | Example Protocols
Network access | Data transfer done at this layer | Token ring • Frame Relay • FDDI • Ethernet • X.25
Internet | Create small data chunks called datagrams to be transferred via network access layer | IP • RARP • ARP • IGMP • ICMP
Transport | Flow control and integrity | TCP • UDP
Application | Convert data into readable format | Telnet • SSH • DNS • HTTP • FTP • SNMP • DHCP

TCP 3-way Handshake

SYN - SYN/ACK - ACK

LAN Topologies

Topology | Pros | Cons
BUS | Simple to setup | No redundancy; Single point of failure; Difficult to troubleshoot
RING | Fault tolerance | No middle point
Star | Fault tolerance | Single point of failure
Mesh | Fault tolerance | Redundant; Expensive to setup

Types of Digital Subscriber Lines (DSL)

Asymmetric Digital Subscriber Line (ADSL)
• Download speed higher than upload
• Maximum 5500 meters distance via telephone lines.
• Maximum download 8Mbps, upload 800Kbps.

Rate Adaptive DSL (RADSL)
• Upload speed adjusts based on quality of the transmission line
• Maximum 7Mbps download, 1Mbps upload over 5500 meters.

Symmetric Digital Subscriber Line (SDSL)
• Same rate for upstream and downstream transmission rates.
• Distance 6700 meters via copper telephone cables
• Maximum 2.3Mbps download, 2.3Mbps upload.

Very-high-bit-rate DSL (VDSL)
• Higher speeds than standard ADSL
• Maximum 52Mbps download, 16 Mbps upload up to 1200 meters

High-bit-rate DSL (HDSL): T1 speed for two copper cables for 3650 meters

Committed Information Rate (CIR): Minimum guaranteed bandwidth provided by service provider.

LAN Packet Transmission

Unicast: Single source sends to single destination
Multicast: Single source sends to multiple destinations
Broadcast: Source packet sent to all the destinations.
Carrier-sense Multiple Access (CSMA): One workstation retransmits frames until destination workstation receives.
CSMA with Collision Detection (CSMA/CD): Terminates transmission on collision detection. Used by Ethernet.
CSMA with Collision Avoidance (CSMA/CA): Upon detecting a busy transmission, pauses and then re-transmits delayed transmission at random interval to minimise two nodes re-sending at same time.
Polling: Sender sends only if polling system is free for the destination.
Token-passing: Sender can send only when token received indicating free to send.
Broadcast Domain: Set of devices which receive broadcasts.
Collision Domain: Set of devices which can create collisions during simultaneous transfer of data.
Layer 2 Switch: Creates VLANs
Layer 3 Switch: Interconnects VLANs

LAN / WAN Media

Twisted Pair: Pair of twisted copper wires. Used in ETHERNET. Cat5/5e/6. Cat5 speed up to 100Mbps over 100 meters. Cat5e/6 speed 1000Mbps.
Unshielded Twisted Pair (UTP): Less immune to Electromagnetic Interference (EMI)
Shielded Twisted Pair (STP): Similar to UTP but includes a protective shield.
Coaxial Cable: Thick conduit instead of two copper wires. 10BASE-T, 100BASE-T, and 1000BASE-T.
Fiber Optic: Uses light as the media to transmit signals. Gigabit speed at long distance. Less errors and signal loss. Immune to EMI. Multimode and single mode. Single mode for outdoor long distance.
Frame Relay WAN: Over a public switched network. High fault tolerance by relaying fault segments to working.

Secure Network Design - Components

Network address translation (NAT): Hide internal public IP address from external internet
Port Address Translation (PAT): Allow sharing of public IP address for internal devices and applications using a given single public IP address assigned by ISP
Stateful NAT: Keeps track of packets transfer between source and destinations
Static NAT: One to one private to public IP address assigned between two end devices
Dynamic NAT: Pool of internal IP maps one or several public IP address

Common TCP Protocols

Port | Protocol
20,21 | FTP
22 | SSH
23 | TELNET
25 | SMTP
53 | DNS
110 | POP3
80 | HTTP
143 | IMAP
389 | LDAP
443 | HTTPS
636 | Secure LDAP
445 | ACTIVE DIRECTORY
1433 | Microsoft SQL
3389 | RDP
137-139 | NETBIOS

Port Ranges

Dynamic Ports: 49152 - 65535
Reserved: 1024-49151

Attacks in OSI layers

Layer | Attack
Application | Phishing - Worms - Trojans
Presentation | Phishing - Worms - Trojans
Session | Session hijack
Transport | SYN flood - fraggle
Network | smurfing flooding - ICMP spoofing - DOS
Data link | Collision - DOS /DDOS - Eavesdropping
Physical | Signal Jamming - Wiretapping

Hardware Devices

Modem: digital to analog conversion
HUB: Layer 1 device, forwards frames via all ports
Routers: Interconnect networks
Bridge: Interconnect networks in Ethernet
Gateways: Inbound/outbound data entry points for networks
Switch: Frame forward in local network.
Load balancers: Share network traffic load by distributing traffic between two devices
Proxies: Hide internal public IP address from external public internet /Connection caching and filtering.
VPNs and VPN concentrators: Use to create VPN or aggregate VPN connections using different internet links
Protocol analyzers: Capture or monitor network traffic in real-time and offline
Unified threat management: New generation vulnerability scanning application
VLANs: Create collision domains. Routers separate broadcast domains
IDS/IPS: Intrusion detection and prevention.

Firewall and Perimeter Security

DMZ (Demilitarized zone): Secure network between external internet facing and internal networks.
Bastion Host - Dual-Homed - Three-Legged - Screened Subnet - Proxy Server - PBX - Honey Pot - IDS/IPS

Network Attacks

Virus: Malicious software, code and executables
Worms: Self propagating viruses
Logic Bomb: Time or condition locked virus
Trojan: Code and/or executables that act as legitimate software, but are not legitimate and are malicious
Backdoor: Unauthorized code execution entry
Salami, salami slicing: A series of small attacks and network intrusions that culminate in a cumulative large scale attack
Data diddling: Alteration of raw data before processing
Sniffing: Unauthorized monitoring of transmitted data
Session Hijacking: Monitor and capture of authentication sessions with the purpose of finding and hijacking credentials
DDoS (Distributed Denial of Service): Overloading a server with requests for data packets well beyond its processing capacity resulting in failure of service
SYN Flood: Combination of a DDoS attack and TCP 3-way handshake exploit that results in denial of service
Smurf: Particular kind of DDoS attack using large numbers of Internet Control Message Protocol (ICMP) packets
Fraggle: Smurf with UDP instead of TCP
LOKI: Uses the common ICMP tunnelling program to establish a covert channel on the network
Teardrop: A type of DDoS attack that exploits a bug in TCP/IP fragmentation reassembly by sending fragmented packets to exhaust channels
Zero-day: Exploitation of a dormant or previously unknown software bug
Land Attack: Caused by sending a packet that has the same source and destination IP
Bluejacking, Bluesnarfing: Anonymously sending malicious messages or injecting code via bluetooth to unprotected devices within range
DNS Spoofing, DNS Poisoning: The introduction of corrupt DNS data into a DNS server's cache, causing it to serve corrupt IP results
Session hijacking (Spoofing): Change TCP structure of the packet to show the source as trusted to gain access to targeted systems.
A TCP sequence prediction / number attack: A successful attempt to predict a TCP number sequence resulting in an ability to compromise certain types of TCP communications

Email Security

LDAP (Lightweight Directory Access Protocol): Active directory based certificate management for email authentication.
SASL (Simple Authentication and Security Layer): Secure LDAP authentication.
Client SSL Certificates: Client side certificate to authenticate against a server.
S/MIME Certificates: Used for signed and encrypted emails in single sign on (SSO)
MOSS (MIME Object Security Services): Uses the multipart/signed and multipart/encrypted framework to apply digital signatures.
PEM (Privacy-Enhanced Mail): A sequence of RFCs (Request for Comments) for securing message authenticity.
DKIM (Domainkeys Identified Mail): Technique for checking authenticity of original message.
OAuth: An open protocol to allow secure authorization using tokens instead of passwords.

IP Addresses

Public IPv4 address space
• Class A: 0.0.0.0 – 127.255.255.255
• Class B: 128.0.0.0 – 191.255.255.255
• Class C: 192.0.0.0 – 223.255.255.255

Private IPv4 address space
• Class A: 10.0.0.0 – 10.255.255.255
• Class B: 172.16.0.0 – 172.31.255.255
• Class C: 192.168.0.0 – 192.168.255.255

Subnet Masks
• Class A: 255.0.0.0
• Class B: 255.255.0.0
• Class C: 255.255.255.0

IPv4: 32 bit octets
IPv6: 128 bit hexadecimal

Network Types

Local Area Network (LAN): Geographic distance and area is limited to one building. Usually connect using copper wire or fiber optics
Campus Area Network (CAN): Multiple buildings connected over fiber or wireless
Metropolitan Area Network (MAN): Metropolitan network span within cities
Wide Area network (WAN): Interconnect LANs over large geographic area such as between countries or regions.
Intranet: A private internal network
Extranet: connects external authorized persons access to intranet
Internet: Public network

Networking Methods & Standards

Software defined networking (SDN): Decoupling the network control and the forwarding functions. Features - Agility, Central management, Programmatic configuration, Vendor neutrality.
Converged protocols for media transfer: Transfer voice, data, video, images, over single network.
Fibre Channel over Ethernet (FCoE): Running fiber over Ethernet network.
Multiprotocol Label Switching (MPLS): Transfer data based on the short path labels instead of the network IP addresses. No need of route table lookups.
Internet Small Computer System Interface (iSCSI): Standard for connecting data storage sites such as storage area networks or storage arrays. Location independent.
Multilayer Protocols: Encryption and different protocols at different levels. Disadvantages are hiding covert channels and weak encryptions.
Voice over Internet Protocol (VoIP): Allows voice signals to be transferred over the public Internet connection.
Asynchronous transfer mode (ATM): Packet switching technology with higher bandwidth. Uses 53-byte fixed size cells. On demand bandwidth allocation. Use fiber optics. Popular among ISPs
X25: Provide PTP connection between Data terminal equipment (DTE) and data circuit-terminating equipment (DCE)
Frame Relay: Use with ISDN interfaces. Faster and use multiple PVCs, provides CIR. Higher performance. Need to have DTE/DCE at each connection point. Perform error correction.
Synchronous Data Link Control (SDLC): IBM proprietary protocol use with permanent dedicated leased lines.
High-level Data Link Control (HDLC): Use DTE/DCE communications. Extended protocol for SDLC.
Domain name system (DNS): Map domain names /host names to IP Address and vice versa.

Leased Lines

T1: 1.544Mbps via telephone line
T3: 45Mbps via telephone line
ATM: 155Mbps
ISDN: 64 or 128 Kbps REPLACED BY xDSL
BRI B-channel: 64 Kbps
BRI D-channel: 16 Kbps
PRI B & D channels: 64 Kbps

Point to Point Tunneling Protocol (PPTP): Authentication methods:
• PAP=Clear text, unencrypted
• CHAP=unencrypted, encrypted
• MS-CHAP=encrypted, encrypted
Challenge-Handshake Authentication Protocol (CHAP): Encrypt username/password and re-authenticate periodically. Use in PPP.
Layer 2 Tunneling Protocol (L2TP): Use with IPsec for encryption.
Authentication Header (AH): Provide authentication and integrity, no confidentiality.
Encapsulating Security Payload (ESP): Encrypted IP packets and preserve integrity.
Security Associations (SA): Shared security attributes between two network entities.
Transport Mode: Payload is protected.
Tunnel Mode: IP payload and IP header are protected.
Internet Key Exchange (IKE): Exchange the encryption keys in AH or ESP.
Remote Authentication Dial-In User Service (RADIUS): Password is encrypted but user authentication with cleartext.
SNMP v3: Encrypts the passwords.

Remote Access Services

Telnet: Username /Password authentication. No encryption.
Remote login (rlogin): No password protection.
SSH (Secure Shell): Secure telnet
Terminal Access Controller Access-Control System (TACACS): User credentials are stored in a server known as a TACACS server. User authentication requests are handled by this server.
TACACS+: More advanced version of TACACS. Use two factor authentication.
Remote Authentication Dial-In User Service (RADIUS): Client/server protocol use to enable AAA services for remote access servers.
Virtual private network (VPN): Secure and encrypted communication channel between two networks or between a user and a network. Use NAT for IP address conversion. Secured with strong encryptions such as L2TP or IPSEC.

VPN encryption options

Point-to-Point Tunneling Protocol (PPTP)
• PPP for authentication
• No support for EAP
• Dial in
• Connection setup uses plaintext
• Data link layer
• Single connection per session

Layer 2 Tunneling Protocol (L2TP)
• Same as PPTP except more secure
• Commonly uses IPsec to secure L2TP packets

Internet Protocol Security (IPsec)
• Network layer
• Multiple connection per session
• Encryption and authentication
• Confidentiality and integrity

Communication Hardware Devices

Concentrator: Divides connected devices into one input signal for transmission over one output via network.
Multiplexer: Combines multiple signals into one signal for transmission.
Hubs: Retransmit signal received from one port to all ports.
Repeater: Amplifies signal strength.

WAN Transmission Types

Circuit-switched networks
• Dedicated permanent circuits or communication paths required.
• Stable speed. Delay sensitive.
• Mostly used by ISPs for telephony.

Packet-switched networks
• Fixed size packets are sent between nodes and share bandwidth.
• Delay sensitive.
• Use virtual circuits therefore less expensive.

Wireless Networking

Wireless personal area network (WPAN) standards
IEEE 802.15: Bluetooth
IEEE 802.3: Ethernet
IEEE 802.11: Wi-Fi
IEEE 802.20: LTE

Wi-Fi

Standard | Speed | Frequency (GHz)
802.11a | 54 Mbps | 2.4
802.11b | 11 Mbps | 5
802.11g | 54 Mbps | 2.4
802.11n | 200+ Mbps | 2.4/5
802.11ac | 1Gbps | 5

• 802.11 use CSMA/CA protocol as DSSS or FHSS
• 802.11b uses only DSSS

Wireless Security Protocols

Ad-hoc Mode: Directly connects peer-to-peer mode clients without a central access point.
Infrastructure Mode: Clients connect centrally via access point.
WEP (Wired Equivalent Privacy): Confidentiality, uses RC4 for encryption.
WPA (Wi-Fi Protected Access): Uses Temporal Key Integrity Protocol (TKIP) for data encryption.
WPA2: Uses AES, key management.
WPA2-Enterprise Mode: Uses RADIUS
TKIP (Temporal Key Integrity Protocol): Uses RC4 stream cipher.
EAP (Extensible Authentication Protocol): Utilizes PPP and wireless authentication. Compatible with other encryption technologies.
PEAP (Protected Extensible Authentication Protocol): Encapsulates EAP within an encrypted and authenticated TLS tunnel.
Port Based Authentication: 802.1x, use with EAP in switching environment

Wireless Spread Spectrum

FHSS (Frequency Hopping Spectrum System): Uses all available frequencies, but only a single frequency can be used at a time.
DSSS (Direct Sequence Spread Spectrum): Parallel use of all the available frequencies leads to higher throughput of rate compared to FHSS.
OFDM (Orthogonal Frequency-Division Multiplexing): Orthogonal Frequency-Division Multiplexing

Firewall Generation Evolution

First Generation Firewalls
• Packet Filter Firewalls: Examines source/destination address, protocol and ports of the incoming packets. And deny or permit according to ACL. Network layer, stateless.

Second Generation Firewalls
• Application Level Firewall / Proxy Server: Masks the source during packet transfer. Operating at Application layer, stateful.

Third Generation Firewalls
• Stateful Inspection Firewall: Faster. State and context of the packets are inspected.

Fourth Generation Firewalls
• Dynamic Packet Filtering Firewall: Dynamic ACL modification
• Packet Filtering Routers: Located in DMZ or boundary networks. Includes packet-filter router and a bastion host. Packet filtering and proxy
• Dual-homed Host Firewall: Used in networks facing both internal and external
• Screened-subnet Firewall: Creates a Demilitarized Zone (DMZ) - network between trusted and untrusted

Fifth Generation Firewalls
• Kernel Proxy Firewall: Analyzes packets remotely using virtual network

Next-generation Firewalls (NGFW)
• Deep packet inspection (DPI) with IPS: Integrated with IPS/IDS
