SUBTOPIC 1
Networks come in all sizes. They can range from simple networks consisting of two computers to
networks connecting millions of devices.
Home office networks and small office networks are often set up by individuals who work from
home or a remote office and need to connect to a corporate network or other centralized
resources. Additionally, many self-employed entrepreneurs use home office and small office
networks to advertise and sell products, order supplies, and communicate with customers.
In businesses and large organizations, networks can be used on an even broader scale to provide
consolidation, storage, and access to information on network servers. Networks also allow for
rapid communication such as email, instant messaging, and collaboration among employees. In
addition to internal benefits, many organizations use their networks to provide products and
services to customers through their connection to the Internet.
The Internet is the largest network in existence. In fact, the term Internet means a "network of
networks". The Internet is literally a collection of interconnected private and public networks.
Client-Server Communications
Client computers have client software installed, such as web browsers, email clients, and file
transfer clients. This software enables them to request and display the information obtained from
the server. A single computer can also run multiple types of client software. For example, a user
can check email and view a web page while listening to Internet radio.
> Cybersecurity analysts must be able to determine the origin of traffic that enters the network,
and the destination of traffic that leaves it. Understanding the path that network traffic takes is
essential to this.
> Tier 1 and Tier 2 networks usually connect through an Internet Exchange Point (IXP).
> Larger networks connect to Tier 2 networks, usually through a Point of Presence (POP).
> Tier 3 ISPs connect homes and businesses to the Internet.
Communications Protocols
A protocol suite is a set of protocols that work together to provide comprehensive network
communication services. A protocol suite may be specified by a standards organization or developed by a
vendor. For devices to successfully communicate, a network protocol suite must describe precise
requirements and interactions. Networking protocols define a common format and set of rules for
exchanging messages between devices. Some common networking protocols are Hypertext Transfer
Protocol (HTTP), Transmission Control Protocol (TCP), and Internet Protocol (IP).
Networks today use the TCP/IP protocol suite. The individual protocols are organized in layers
using the TCP/IP protocol model: Application, Transport, Internet, and Network Access Layers. TCP/IP
protocols are specific to the Application, Transport, and Internet layers. The network access layer
protocols are responsible for delivering the IP packet over the physical medium, such as through a network
cable or wireless signal.
The TCP/IP protocol suite is implemented on both the sending and receiving hosts to provide
end-to-end delivery of messages over a network. TCP/IP has standardized the way computers
communicate, which has enabled the Internet as we know it today. Unfortunately, this widespread
usage has attracted the attention of people who want to misuse networks. Much of the work of the
cybersecurity analyst concerns analysis of the behavior of the TCP/IP suite of protocols.
> Format
  • Encapsulation - the process of placing one message format inside another message format.
  • Decapsulation - the reverse process of encapsulation.
> Size - a message is broken up into many frames when sent and reconstructed into the original
  message when received.
> Timing - includes the access method, flow control, and response timeout.
> Unicast - one-to-one: there is only a single destination for the message.
> Multicast - one-to-many: a host sends a message to a group of destinations at once.
> Broadcast - one-to-all: used when all hosts on the network need to receive the message at the
  same time.
Reference Models
[Figure: the seven OSI layers shown alongside the TCP/IP protocol suite and the four TCP/IP model layers]
As you learned earlier, the TCP/IP protocol suite is represented by a four-layer model: Application,
Transport, Internet, and Network Access. Another popular reference model is the Open Systems
Interconnection (OSI) model, which uses a seven-layer model (Physical, Data Link, Network, Transport,
Session, Presentation, Application), as shown in the figure. In networking literature, when a layer is
referred to by a number, such as Layer 4, the reference is to the OSI model. References to layers in
the TCP/IP model use the name of the layer, such as the transport layer.
Three Addresses
Addressing is used by the client to send requests and other data to a server. The server uses the
client’s address to return the requested data to the client that requested it.
[Figure: addresses added at each layer as a message is encapsulated down the stack, including the transport layer protocol address]
Encapsulation
> The division of data into smaller pieces is called segmentation. Segmenting messages has two
  primary benefits:
  • Efficiency - if part of the message fails to make it to the destination, due to a failure in
    the network or network congestion, only the missing parts need to be retransmitted.
  • Multiplexing - by sending smaller individual pieces from source to destination, many
    different conversations can be interleaved on the network.
The application data is encapsulated with various protocol information as it is passed down the
protocol stack.
The form that an encapsulated piece of data takes at any layer is called a protocol data unit (PDU).
HTTP — This application protocol governs the way a web server and a web client interact.
TCP — This transport protocol manages individual conversations. TCP divides the HTTP messages
into smaller pieces, called segments. TCP is also responsible for controlling the size and rate at
which messages are exchanged between the server and the client.
IP — This is responsible for taking the formatted segments from TCP, encapsulating them into
packets, assigning them the appropriate addresses, and delivering them to the destination host.
Ethernet — This network access protocol is responsible for taking the packets from IP and
formatting them to be transmitted over the media.
Ethernet
[Figure: IEEE 802.3 Ethernet frame encapsulating the IP packet]
IPv4
IPv4 Encapsulation
IP encapsulates the transport layer segment by adding an IP header.
The Exchange of Data
[Figure: encapsulation and de-encapsulation of data exchanged between two hosts across the layers]
IPv4 Characteristics
> Unreliable (best effort) - IP does not guarantee that all packets that are sent are, in fact,
  received.
> Media independent - IP operates independently of the media that carry the data at lower layers
  of the protocol stack.
IPv4 Packet
Packet header consists of fields containing important information about the packet.
> An IPv4 address is a hierarchical address that is made up of a network portion and a host portion.
> The network portion of the address must be identical for all devices that reside in the same
  network.
> The bits within the host portion of the address must be unique to identify a specific host within a
  network.
> Subnetting takes a network space and divides it into smaller spaces called subnets.
> Identifying the network address of an IPv4 host:
  • The IP address is logically ANDed, bit by bit, with the subnet mask.
  • ANDing the address and the subnet mask yields the network address.
Default Gateway
> Three dotted-decimal IPv4 values must be configured when assigning an IPv4 configuration to a
  host:
  • IPv4 address - the unique IPv4 address of the host.
  • Subnet mask - used to identify the network/host portion of the IPv4 address.
  • Default gateway - identifies the local gateway (i.e., the local router interface IPv4 address)
    used to reach remote networks.
> The default gateway is the network device that can route traffic to other networks. It is the
  router that can route traffic out of the local network.
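The ANDing rule and the default-gateway decision above, carried out in code. This is an added example written for these notes, not part of the course material; the function names and the sample host configuration (192.168.10.77/26 with gateway 192.168.10.65) are assumptions made for the illustration.

```python
# Added example (not from the course material): IPv4 address arithmetic.
# Helper names and the sample host configuration are constructed for this illustration.

def ip_to_int(dotted: str) -> int:
    """Convert dotted-decimal IPv4 text to a 32-bit integer, validating each octet."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_to_prefix(mask: str) -> int:
    """Prefix length of a contiguous subnet mask; masks with holes are rejected."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix

def network_address(ip: str, mask: str) -> str:
    """Bitwise AND of the host address with the mask yields the network address."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))

def broadcast_address(ip: str, mask: str) -> str:
    """The network address with every host bit set to 1."""
    return int_to_ip(ip_to_int(ip) | (~ip_to_int(mask) & 0xFFFFFFFF))

def same_network(a: str, b: str, mask: str) -> bool:
    return network_address(a, mask) == network_address(b, mask)

def next_hop(host_ip: str, mask: str, gateway: str, dest_ip: str) -> str:
    """Where the host sends a packet for dest_ip: directly to a local destination,
    otherwise to the default gateway, which must itself sit on the host's network."""
    if not same_network(host_ip, gateway, mask):
        raise ValueError("default gateway is not on the host's network")
    if same_network(host_ip, dest_ip, mask):
        return dest_ip
    return gateway

if __name__ == "__main__":
    host, mask, gw = "192.168.10.77", "255.255.255.192", "192.168.10.65"
    print("network  :", network_address(host, mask))     # 192.168.10.64
    print("broadcast:", broadcast_address(host, mask))   # 192.168.10.127
    print("prefix   :", mask_to_prefix(mask))            # 26
    for dest in ("192.168.10.100", "192.168.10.130", "8.8.8.8"):
        print(f"{dest:>16} -> {next_hop(host, mask, gw, dest)}")
```

Note that 192.168.10.130 is in the same /24 as the host but not in the same /26, so it is sent to the gateway: it is the mask, not the first three octets, that decides what is local. The mask check also refuses a misconfigured gateway that the host could never reach at Layer 2.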
IPv6
ICMPv4 Messages
ICMPv6 Messages
> New protocols are introduced as part of the Neighbor Discovery Protocol (ND or NDP):
> Messaging between an IPv6 router and an IPv6 device:
  • Router Solicitation (RS) - sent by an IPv6 device to ask routers on the link for an advertisement.
  • Router Advertisement (RA) - sent by an IPv6 router to a device to provide addressing
    information using Stateless Address Autoconfiguration (SLAAC).
> Messaging between IPv6 devices:
  • Neighbor Solicitation (NS) message
  • Neighbor Advertisement (NA) message
> IPv6 Duplicate Address Detection (DAD)
  • Not required but recommended.
  • If another device on the network has the same global unicast or link-local unicast address,
    that device responds with an NA message.
> Ping is a testing utility that uses ICMP echo request and echo reply messages to test connectivity
  between hosts.
> To test connectivity to another host on a network, an echo request is sent to the host address
  using the ping command.
> If the host at the specified address receives the echo request, it responds with an echo reply.
> Ping can also be used to test the ability of a host to communicate on the local network. This is
  generally done by pinging the IP address of the host's gateway.
  • A successful ping to the gateway indicates that the host and the router interface serving as the
    gateway are both operational on the local network.
  • The gateway address is most often used for this test because the router is normally always
    operational.
> Ping can also be used to test the ability of a local host to communicate across an internetwork.
  • A successful ping across the internetwork confirms communication on the local network.
  • It also confirms the operation of the router serving as the gateway, and the operation of all
    other routers that might be in the path between the local network and the network of the
    remote host.
> Traceroute provides information about the devices between the hosts.
> It generates a list of hops that were successfully reached along the path:
  • Round-trip time (RTT) - the time for each hop along the path.
  • IPv4 TTL and IPv6 Hop Limit - traceroute makes use of the TTL field in IPv4 and the Hop Limit
    field in IPv6 in the Layer 3 headers, along with the ICMP Time Exceeded message.
> After the final destination is reached, the host responds with either an ICMP Port Unreachable
  message or an ICMP Echo Reply message instead of the ICMP Time Exceeded message.
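How the TTL / Hop Limit mechanism produces the hop list, shown as a simulation. This is an added example written for these notes, not part of the course material; the topology, the addresses and the "silent" router that drops probes without answering are constructed for the illustration, and no packets are sent (RTT measurement is therefore left out).

```python
# Added example (not from the course material): a simulation of the traceroute
# algorithm. Topology and addresses are constructed; nothing touches the network.

from dataclasses import dataclass

@dataclass
class Hop:
    address: str
    silent: bool = False   # a router that discards expired probes without replying

@dataclass
class Path:
    """Routers between source and destination, in forwarding order, plus the target host."""
    routers: list
    destination: str

def forward_probe(path: Path, ttl: int, probe: str) -> tuple:
    """Emulate one probe travelling along the path with the given TTL.

    Every router decrements TTL; the router that brings it to 0 discards the packet
    and answers with ICMP Time Exceeded from its own address. A probe whose TTL
    survives all routers reaches the destination, which replies with Echo Reply
    (ICMP probes) or Port Unreachable (UDP probes to a closed high port).
    Returns (replying address or None, ICMP message seen by the source).
    """
    for router in path.routers:
        ttl -= 1
        if ttl == 0:
            if router.silent:
                return None, "no reply"
            return router.address, "time exceeded"
    final = "echo reply" if probe == "icmp" else "port unreachable"
    return path.destination, final

def traceroute(path: Path, max_hops: int = 30, probe: str = "udp") -> list:
    """Send probes with TTL 1, 2, 3, ... until the destination itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        addr, msg = forward_probe(path, ttl, probe)
        hops.append((ttl, addr if addr else "*", msg))
        if msg in ("echo reply", "port unreachable"):
            break
    return hops

if __name__ == "__main__":
    sample = Path(
        routers=[Hop("192.168.1.1"), Hop("10.0.0.1"), Hop("203.0.113.9", silent=True)],
        destination="198.51.100.20",
    )
    for ttl, addr, msg in traceroute(sample):
        print(f"{ttl:2d}  {addr:<16} {msg}")
```

The third line of the output is `*`: a hop that filters ICMP or rate-limits Time Exceeded shows up as a gap, which is why a missing hop in a real trace does not mean the path is broken. The final line changes from "port unreachable" to "echo reply" when `probe="icmp"` is used, matching the two end-of-path responses described above.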
SUBTOPIC 2
MAC and IP
>» When communicating with a device on a remote network, the destination MAC address is the
MAC address of the Layer 3 device interface on the same network as the device originating the
packet.
>» When the destination IP address is on a remote network, the destination MAC address will be the
address of the host’s default gateway, which is the router’s NIC, as shown in the figure. Using a
postal analogy, this would be similar to a person taking a letter to their local post office. All they
need to do is take the letter to the post office and then it becomes the responsibility of the post
office to forward the letter on towards its final destination.
ARP
Introduction to ARP
> When a device sends an Ethernet frame, it contains these two addresses:
  • Destination MAC address - the MAC address of the Ethernet NIC, which will be either the
    MAC address of the final destination device or of the router.
  • Source MAC address - the MAC address of the sender's Ethernet NIC.
> To determine the destination MAC address, the device uses ARP. ARP resolves IPv4
  addresses to MAC addresses and maintains a table of mappings.
ARP Functions
> Used to resolve IPv4 addresses to MAC addresses.
> IPv4 and MAC address mappings are kept in an ARP table.
When a packet is sent to the data link layer to be encapsulated into an Ethernet frame, the device
refers to a table in its memory to find the MAC address that is mapped to the IPv4 address. This table is
called the ARP table or the ARP cache. The ARP table is stored in the RAM of the device.
The sending device will search its ARP table for a destination IPv4 address and a corresponding MAC
address. If the packet's destination IPv4 address is on the same network as the source IPv4 address, the
device will search the ARP table for the destination IPv4 address. If the destination IPv4 address is on a
different network than the source IPv4 address, the device will search the ARP table for the IPv4 address
of the default gateway.
In both cases, the search is for an IPv4 address and a corresponding MAC address for the device.
Each entry, or row, of the ARP table binds an IPv4 address with a MAC address. We call the relationship
between the two values a map. It simply means that you can locate an IPv4 address in the table and
discover the corresponding MAC address. The ARP table temporarily saves (caches) the mapping for the
devices on the LAN.
If the device locates the IPv4 address, its corresponding MAC address is used as the destination MAC
address in the frame. If no entry is found, then the device sends an ARP request.
> For each device, an ARP cache timer removes ARP entries that have not been used for a specified
  period of time.
> Commands may also be used to manually remove all or some of the entries in the ARP table.
> Network hosts and routers keep ARP tables.
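The ARP table lookup described in this section, including the local-versus-gateway choice, the cache timer and manual flushing, as an added example written for these notes (not part of the course material). The class and method names, the timeout value and the addresses are assumptions made for the illustration; the "wire" is simulated, so ARP requests are only recorded, not sent.

```python
# Added example (not from the course material): the ARP cache a host consults before
# it can build an Ethernet frame. Names, addresses and the timeout are constructed.

import ipaddress

class ArpCache:
    def __init__(self, host_ip, prefix_len, gateway_ip, timeout=60):
        self.network = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
        self.gateway = ipaddress.ip_address(gateway_ip)
        self.timeout = timeout
        self.table = {}           # IPv4Address -> (mac, last_used)
        self.requests_sent = []   # ARP requests that went out as broadcasts (simulated)

    def target_for(self, dest_ip):
        """Local destination: resolve it directly. Remote: resolve the default gateway."""
        dest = ipaddress.ip_address(dest_ip)
        return dest if dest in self.network else self.gateway

    def expire(self, now):
        """Cache timer: drop entries that have not been used within the timeout."""
        stale = [ip for ip, (_, used) in self.table.items() if now - used > self.timeout]
        for ip in stale:
            del self.table[ip]
        return stale

    def learn(self, ip, mac, now):
        """Record a mapping taken from an ARP reply (or from a request addressed to us)."""
        self.table[ipaddress.ip_address(ip)] = (mac, now)

    def resolve(self, dest_ip, now):
        """Destination MAC for a frame to dest_ip, or None when an ARP request had to be
        broadcast and the frame must wait for the reply."""
        self.expire(now)
        target = self.target_for(dest_ip)
        entry = self.table.get(target)
        if entry:
            mac, _ = entry
            self.table[target] = (mac, now)           # refresh last-used time
            return mac
        self.requests_sent.append(str(target))        # "Who has <target>? Tell <host>"
        return None

    def flush(self, ip=None):
        """Manual removal of one entry or of the whole table (what 'arp -d' does on a host)."""
        if ip is None:
            self.table.clear()
        else:
            self.table.pop(ipaddress.ip_address(ip), None)

if __name__ == "__main__":
    cache = ArpCache("192.168.1.20", 24, "192.168.1.1", timeout=60)
    print(cache.resolve("192.168.1.50", now=0))    # None: request broadcast, frame waits
    cache.learn("192.168.1.50", "00:11:22:33:44:55", now=1)
    print(cache.resolve("192.168.1.50", now=2))    # 00:11:22:33:44:55
    print(cache.resolve("8.8.8.8", now=3))         # None: the gateway MAC is what is needed
    cache.learn("192.168.1.1", "aa:bb:cc:dd:ee:ff", now=4)
    print(cache.resolve("8.8.8.8", now=5))         # aa:bb:cc:dd:ee:ff
    print(cache.resolve("8.8.8.8", now=200))       # None: entry aged out, request repeated
    print(cache.requests_sent)
```

Every remote destination resolves to the same gateway entry, which is why a single stale or poisoned gateway mapping affects all off-network traffic from the host, and why the cache timer matters: an unused entry is discarded rather than trusted forever.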
ARP Issues
ARP Broadcasts
As a broadcast frame, an ARP request is received and processed by every device on the
local network. On a typical business network, these broadcasts would probably have minimal
impact on network performance. However, if a large number of devices were to be powered up
and all start accessing network services at the same time, there could briefly be some reduction
in performance, as shown in the figure. After the devices send out the initial ARP broadcasts and
have learned the necessary MAC addresses, any impact on the network will be minimized.
ARP Spoofing
Transport Layer
> Tracks individual conversations - a host may have multiple applications that are communicating
  across the network simultaneously. Each of these applications communicates with one or more
  applications on one or more remote hosts.
> Moves data between applications on network devices.
> Segments data and reassembles segments.
> Identifies applications using a port number.
> Segmenting the data into smaller chunks enables many different communications, from many
  different users, to be interleaved (multiplexed) on the same network.
> The transport layer is also responsible for managing the reliability requirements of a conversation.
> TCP/IP provides two transport layer protocols:
  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)
Different applications have different transport reliability requirements.
IP is concerned only with the structure, addressing, and routing of packets. IP does not specify
how the delivery or transportation of the packets takes place. Transport protocols specify how to
transfer messages between hosts. TCP/IP provides two transport layer protocols, Transmission
Control Protocol (TCP) and User Datagram Protocol (UDP), as shown in Figure. IP uses these transport
protocols to enable hosts to communicate and transfer data.
TCP is considered a reliable, full-featured transport layer protocol, which ensures that all of the
data arrives at the destination. However, this requires additional fields in the TCP header which
increases the size of the packet and also increases delay. In contrast, UDP is a simpler transport layer
protocol that does not provide for reliability. It therefore has fewer fields and is faster than TCP.
> TCP and UDP manage these multiple simultaneous conversations by using header fields that can
  uniquely identify these applications. These unique identifiers are the port numbers:
  • The source port number is associated with the originating application on the local host.
  • The destination port number is associated with the destination application on the remote
    host.
Socket Pairs
> The combination of the source IP address and source port number, or the destination IP address
  and destination port number, is known as a socket.
> The socket is used to identify the server and service being requested by the client.
> Sockets enable multiple processes running on a client to distinguish themselves from each other,
  and multiple connections to a server process to be distinguished from each other.
> TCP
  • Used for the majority of the major TCP/IP application protocols.
  • Reliable: acknowledges data, resends lost data, delivers data in sequenced order.
  • Examples: email, HTTP
> UDP
  • Fast, low overhead, does not require acknowledgments, does not resend lost data,
    delivers data as it arrives.
  • Examples: VoIP, streaming live video
> TCP
  • TCP is a stateful protocol. A stateful protocol is one that keeps track of the state of
    the communication session.
  • To track the state of a session, TCP records which information it has sent and which
    information has been acknowledged.
  • The stateful session begins with session establishment and ends with session termination.
> UDP
  • UDP is a stateless protocol, meaning neither the client nor the server is obligated to keep
    track of the state of the communication session.
  • If reliability is required when using UDP as the transport protocol, it must be handled by
    the application.
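Socket pairs observed on a real (loopback) connection, as an added example written for these notes; it is not part of the course material. The service port is chosen by the operating system (port 0 at bind time), the client source ports are whatever the OS assigns, and the payload markers are an assumption of this demo. Two TCP clients of the same server are told apart only by their source port, and UDP datagrams arrive with no connection at all.

```python
# Added example (not from the course material): socket pairs on the loopback interface.
# Port numbers are assigned by the OS at run time; only 127.0.0.1 is fixed.

import socket
import threading

socket.setdefaulttimeout(5)   # never hang the demo if a peer misbehaves

def _serve(listener, seen):
    """Accept TCP connections until a 'STOP' marker arrives; record each socket pair."""
    while True:
        conn, _ = listener.accept()
        with conn:
            if conn.recv(4) == b"STOP":
                return
            # Server's view: (local IP, service port), (client IP, client's source port)
            seen.append((conn.getsockname(), conn.getpeername()))

def tcp_socket_pairs(n_clients=2):
    """Open n_clients TCP connections to one listening socket.
    Returns (service_port, pairs seen by the server, pairs seen by the clients)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: the OS picks the service port
    listener.listen()
    service_port = listener.getsockname()[1]
    seen = []
    worker = threading.Thread(target=_serve, args=(listener, seen))
    worker.start()
    client_pairs = []
    for _ in range(n_clients):
        with socket.create_connection(("127.0.0.1", service_port)) as c:
            c.sendall(b"DATA")
            client_pairs.append((c.getsockname(), c.getpeername()))
            c.recv(1)                        # returns b"" once the server closes its side
    with socket.create_connection(("127.0.0.1", service_port)) as c:
        c.sendall(b"STOP")
    worker.join()
    listener.close()
    return service_port, seen, client_pairs

def udp_datagrams(n_senders=2):
    """UDP has no connection: each datagram carries its own source port and is delivered
    independently. Returns (service_port, [(payload, source_port), ...])."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    service_port = server.getsockname()[1]
    senders = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(n_senders)]
    for i, s in enumerate(senders):
        s.sendto(f"datagram{i}".encode(), ("127.0.0.1", service_port))
    received = []
    for _ in senders:
        data, (_, src_port) = server.recvfrom(64)
        received.append((data.decode(), src_port))
    for s in senders:
        s.close()
    server.close()
    return service_port, received

if __name__ == "__main__":
    port, server_view, client_view = tcp_socket_pairs()
    print("TCP service port:", port)
    for local, peer in server_view:
        print("  server sees", local, "<-", peer)
    for local, peer in client_view:
        print("  client sees", local, "->", peer)
    port, datagrams = udp_datagrams()
    print("UDP service port:", port, "datagrams:", datagrams)
```

The server side of each TCP pair shares the same local IP and service port; only the peer's source port differs, which is the field a stateful device keys on when it tracks one conversation among many. The UDP half shows the absence of state: there is no accept, no connection object, and nothing to close per sender.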
UDP Session
DHCP
DHCP Overview
DNS Overview
To understand DNS, cybersecurity analysts should be familiar with the following terms:
Resolver - A DNS client that sends DNS messages to obtain information about the requested
domain name space.
Recursion - The action taken when a DNS server is asked to query on behalf of a DNS resolver.
Authoritative Server - A DNS server that responds to query messages with information stored in
Resource Records (RRs) for a domain name space stored on the server.
Recursive Resolver - A DNS server that recursively queries for the information asked in the DNS
query.
FQDN - A Fully Qualified Domain Name is the absolute name of a device within the distributed
DNS database.
RR - A Resource Record is a format used in DNS messages that is composed of the following fields:
NAME, TYPE, CLASS, TTL, RDLENGTH, and RDATA.
Zone - A database that contains information about the domain name space stored on an
authoritative server.
> DNS uses UDP port 53 for DNS queries and responses.
> DNS queries originate at a client and responses are issued from DNS servers.
> If a DNS response exceeds 512 bytes, such as when Dynamic DNS (DDNS) is used, TCP port 53 is
  used to carry the message.
DNS Record Types:
A- An end device IPv4 address
NS - An authoritative name server
AAAA - An end device IPv6 address
MX - A mail exchange record
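A DNS query built and a response parsed at the byte level, covering the message header, the label-encoded name, the RR fields listed above (NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA) and the TC bit that signals the fall-back to TCP. This is an added example written for these notes, not part of the course material; the transaction ID, the sample name and the response bytes (including the 203.0.113.10 answer) are constructed here, and nothing is sent on the network.

```python
# Added example (not from the course material): build a DNS query and parse a response
# by hand. Transaction ID, names and the reply bytes are constructed; no network I/O.

import struct

QTYPES = {"A": 1, "NS": 2, "MX": 15, "AAAA": 28}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}

def encode_name(fqdn: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (length-prefixed labels, root = 0)."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid: int, fqdn: str, qtype: str = "A") -> bytes:
    """12-byte header (ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) + one question."""
    flags = 0x0100                                   # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", QTYPES[qtype], 1)   # class IN

def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following 0xC0xx compression pointers. Returns (name, next offset)."""
    labels, jumped, end = [], False, None
    for _ in range(128):                             # guard against pointer loops
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                  # pointer to a name earlier in the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels), (end if jumped else offset)

def parse_response(msg: bytes, expected_txid: int):
    """Return (truncated, [(name, type, ttl, rdata), ...]); reject a mismatched transaction ID."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: not the answer to our query")
    truncated = bool(flags & 0x0200)                 # TC bit: retry the same query over TCP 53
    offset = 12
    for _ in range(qd):                              # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4                                  # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1:
            rdata = ".".join(str(b) for b in rdata)
        elif rtype == 28:
            rdata = ":".join(f"{rdata[i]:02x}{rdata[i + 1]:02x}" for i in range(0, 16, 2))
        records.append((name, QTYPE_NAMES.get(rtype, rtype), ttl, rdata))
    return truncated, records

def sample_response(query: bytes, truncated: bool = False) -> bytes:
    """Constructed reply to `query`: same ID, QR/RD/RA set, question echoed, one A record
    whose NAME is a compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    return header + query[12:] + answer

if __name__ == "__main__":
    q = build_query(0xBEEF, "www.example.com")
    print(q.hex())
    print(parse_response(sample_response(q), 0xBEEF))
```

The transaction-ID check is the one a resolver relies on to pair responses with queries; a parser that skips it accepts any reply that arrives on the right port. The pointer-loop guard matters for the same reason: a crafted response can point a name back at itself.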
Dynamic DNS
> Allows a user or organization to register an IP address with a domain name, as in DNS.
> When the IP address of the mapping changes, the new mapping can be propagated through
  DNS almost instantaneously.
WHOIS is a TCP-based protocol (port 43) used to identify the registrant of an Internet domain. It is a
separate service from DNS: the lookup is keyed by the domain name, but the answer comes from the
registrar's or registry's WHOIS server rather than from DNS records.
NAT — Overview
> One-to-many - many internal addresses are translated to one or more public IP addresses.
SMB
Email Overview
The application layer process that sends mail uses SMTP. A client retrieves email using one of the
two application layer protocols: POP3 or IMAP.
SMTP
> Simple Mail Transfer Protocol (SMTP) uses well-known port 25.
SMTP message formats require a message header and a message body. While the message body can
contain any amount of text, the message header must have a properly formatted recipient email address
and a sender address.
When a client sends email, the client SMTP process connects with a server SMTP process on well-
known port 25. After the connection is made, the client attempts to send the email to the server across
the connection. When the server receives the message, it either places the message in a local account, if
the recipient is local, or forwards the message to another mail server for delivery.
The destination email server may not be online or may be busy when email messages are sent.
Therefore, SMTP spools messages to be sent at a later time. Periodically, the server checks the queue for
messages and attempts to send them again. If the message is still not delivered after a predetermined
expiration time, it is returned to the sender as undeliverable.
POP3
> With POP3, mail is downloaded from the server to the client and then deleted on the server, so
  there is no centralized location where email messages are kept.
IMAP
> When a user connects to an IMAP-capable server, copies of the messages are downloaded to the
  client application; the originals stay on the server.
> When a user decides to delete a message, the server synchronizes that action and deletes the
  message from the server.
HTTP Overview
> Steps:
  • The client initiates an HTTP request to the server.
  • The server returns the HTML code for the webpage.
  • The browser interprets the HTML code and displays the webpage.
> HTTP URLs can also specify the port on the server that should handle the HTTP methods.
> In addition, a URL can specify a query string and a fragment.
> The query string typically contains information that is not handled by the HTTP server process
  itself but is instead handled by another process that is running on the server.
> HTTP server responses are identified with status codes that inform the client application of the
  outcome of its requests to the server. The codes are organized into five groups:
  • 1xx - Informational
  • 2xx - Success
  • 3xx - Redirection
  • 4xx - Client Error
  • 5xx - Server Error
MODULE 4
NETWORK INFRASTRUCTURE
SUBTOPIC 1
Network Devices
End Devices
> End devices:
  • Computers, laptops, servers, printers, smart devices, and mobile devices.
  • Individual end devices are connected to the network by intermediary devices.
> Intermediary devices:
  • Connect the individual end devices to the network and also connect multiple individual
    networks to form an internetwork.
  • Provide connectivity and ensure that data flows across the network.
Routers
What does a router do with a packet received from one network and destined for another network? The
router performs the following three major steps:
1. It de-encapsulates the Layer 2 frame header and trailer to expose the Layer 3 packet.
2. It examines the destination IP address of the IP packet to find the best path in the routing table.
3. If the router finds a path to the destination, it encapsulates the Layer 3 packet into a new Layer
2 frame and forwards that frame out the exit interface.
Router Operation
>» Aprimary function of a router is to determine the best path to use to send packets to each subnet.
To determine the best path, the router searches its routing table for a network address that
matches the destination IP address of the packet. The routing table search results in one of three
path determinations:
Directly connected network - If the destination IP address of the packet belongs to a
device on a network that is directly connected to one of the interfaces of the router, that
packet is forwarded directly to the destination device
Remote network- If the destination IP address of the packet belongs to a remote network,
then the packet is forwarded to another router. Remote networks can only be reached by
forwarding packets to another router.
No route determined - If the destination IP address of the packet does not belong to either
a connected or remote network, the router determines if there is a Gateway of Last Resort
available.
Routing Information
Hubs, Bridges, and LAN Switches
> An Ethernet hub acts as a multiport repeater that receives an incoming electrical signal (data)
  on a port. It then immediately forwards a regenerated signal out all other ports. Hubs use
  physical layer processing to forward data.
> Bridges have two interfaces and are connected between hubs to divide the network into
  multiple collision domains. Each collision domain can have only one sender at a time.
> LAN switches are essentially multiport bridges that connect devices into a star topology. Like
  bridges, switches segment a LAN into separate collision domains, one for each switch port. A
  switch makes forwarding decisions based on Ethernet MAC addresses.
Switching Operation
Switches use MAC addresses to direct network communications through the switch, to the
appropriate port, and toward the destination. A switch is made up of integrated circuits and the
accompanying software that controls the data paths through the switch. For a switch to know which port
to use to transmit a frame, it must first learn which devices exist on each port. As the switch learns the
relationship of ports to devices, it builds a table called a MAC address table, or content addressable
memory (CAM) table. CAM is a special type of memory used in high-speed searching applications.
LAN switches determine how to handle incoming data frames by maintaining the MAC address
table. A switch builds its MAC address table by recording the MAC address of each device connected to
each of its ports. The switch uses the information in the MAC address table to send frames destined for a
specific device out the port which has been assigned to that device.
The following two-step process is performed on every Ethernet frame that enters a switch.
VLANs
VLANs allow an administrator to segment networks based on factors such as function, project
team, or application, without regard for the physical location of the user or device, as shown in Figure.
Devices within a VLAN act as if they are in their own independent network, even if they share a common
infrastructure with other VLANs. Any switch port can belong to a VLAN. Unicast, broadcast, and multicast
packets are forwarded and flooded only to end devices within the VLAN where the packets are sourced.
Each VLAN is considered a separate logical network. Packets destined for devices that do not belong to
the VLAN must be forwarded through a device that supports routing.
> Segments networks based on multiple factors (function, project team, or application) regardless
  of physical location.
> Creates logical broadcast domains that can span multiple physical LAN segments.
> Improves network performance by separating large broadcast domains into smaller ones.
> Prevents users on different VLANs from snooping on each other's traffic.
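The MAC address table from the Switching Operation section and the VLAN isolation described just above, combined in one learning-switch simulation. This is an added example written for these notes, not part of the course material; the port numbers, VLAN assignments and MAC addresses are constructed for the illustration. Each frame is processed in the two steps the course introduces: learn the source, then forward (or flood) within the VLAN.

```python
# Added example (not from the course material): a learning switch with a per-VLAN
# MAC address table. Ports, VLAN membership and MAC addresses are constructed.

BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, port_vlans: dict):
        self.port_vlans = port_vlans       # access port number -> VLAN id
        self.mac_table = {}                # (vlan, mac) -> port  (the CAM table)

    def receive(self, in_port: int, src_mac: str, dst_mac: str) -> list:
        """Process one frame and return the list of egress ports."""
        vlan = self.port_vlans[in_port]
        # Step 1 - learn: bind the source MAC to the ingress port, scoped to this VLAN
        self.mac_table[(vlan, src_mac)] = in_port
        # Step 2 - forward: a known unicast goes out exactly one port; unknown unicast,
        # broadcast and multicast are flooded to every other port in the same VLAN only
        out_port = self.mac_table.get((vlan, dst_mac))
        is_group = int(dst_mac.split(":")[0], 16) & 1     # I/G bit set: multicast/broadcast
        if out_port is not None and not is_group:
            return [] if out_port == in_port else [out_port]   # same segment: filtered, not sent
        return [p for p, v in self.port_vlans.items() if v == vlan and p != in_port]

if __name__ == "__main__":
    sw = LearningSwitch({1: 10, 2: 10, 3: 20, 4: 20})
    print(sw.receive(1, "00:00:00:00:00:01", "00:00:00:00:00:02"))  # unknown dst: flood -> [2]
    print(sw.receive(2, "00:00:00:00:00:02", "00:00:00:00:00:01"))  # learned: -> [1]
    print(sw.receive(3, "00:00:00:00:00:03", BROADCAST))            # VLAN 20 only: -> [4]
    print(sw.receive(3, "00:00:00:00:00:03", "00:00:00:00:00:01"))  # other VLAN: flood -> [4]
    print(sw.mac_table)
```

The last call shows the isolation property: a host in VLAN 20 addressing a MAC that the switch has learned in VLAN 10 gets its frame flooded only within VLAN 20, because the table key includes the VLAN. Reaching that host requires a Layer 3 device, exactly as the VLAN paragraph states.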
STP
Multilayer Switching
> Multilayer switches support routed ports and Switched Virtual Interfaces (SVIs) to forward frames
  based on Layer 3 information.
  • Routed port - a physical port that acts like an interface on a router and is not associated
    with any VLAN.
  • SVI - a virtual interface that can be configured for any VLAN within a multilayer switch.
Wireless Communications
> The wireless client association process with an AP includes discovering a new wireless AP,
  authenticating with that AP, then associating with that AP.
> Common configurable wireless parameters include:
  • Network mode
  • SSID
  • Channel settings
  • Security mode
  • Encryption
  • Password
> Wireless devices must discover and connect to an AP or wireless router. This process can be
  passive or active.
> The 802.11 standard was originally developed with two authentication mechanisms: open
  authentication provides wireless connectivity to any wireless device, and shared key
  authentication is based on a key that is pre-shared between the client and the AP.
> Address2 - usually contains the MAC address of the transmitting wireless device or AP.
> Address3 - sometimes contains the MAC address of the destination, such as the router interface
  (default gateway) to which the AP is attached.
> Sequence Control - contains the Sequence Number and Fragment Number subfields. The
  Sequence Number indicates the sequence number of each frame. The Fragment Number indicates
  the number of each fragment of a fragmented frame.
> Address4 - usually empty; it is present only in frames relayed between APs (To DS and From DS
  both set, as in a wireless distribution system).
> Payload - contains the data for transmission.
> FCS - Frame Check Sequence; used for Layer 2 error control.
> A wireless client goes through a three-stage process to associate with an AP.
> Discovery: the wireless client locates the AP to associate with.
> Authentication (shared key):
  • The wireless client sends an authentication frame to the AP.
  • The AP responds with a challenge text.
  • The client encrypts the challenge text using its shared key and returns the encrypted text
    to the AP.
  • The AP then decrypts the encrypted text using its shared key.
  • If the decrypted text matches the challenge text, the AP authenticates the client.
> Association:
  • The wireless client sends an Association Request frame that includes its MAC address.
  • The AP responds with an Association Response that includes the AP MAC address.
  • The AP maps a logical port to the wireless client.
SUBTOPIC 2
Security Devices
Firewalls
> Packet filtering (stateless) firewalls - usually part of a router firewall, which permits or denies
  traffic based on Layer 3 and Layer 4 information.
> Stateful firewalls:
  • Allow or block traffic based on state, port, and protocol.
  • Monitor all activity from the opening of a connection until it is closed.
> Application gateway firewalls (proxy firewalls) - filter information at Layers 3, 4, 5, and 7 of
  the OSI reference model.
> Host-based (server and personal) firewalls - a PC or server with firewall software running on it.
Packet Filtering Firewalls
> Usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4
  information.
> Stateless: use a simple policy table look-up that filters traffic based on specific criteria.
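The practical difference between the stateless policy-table look-up above and a stateful firewall, run over a constructed packet sequence. This is an added example written for these notes, not part of the course material; the addresses, ports, rule table and the simplified state handling (a flow is forgotten as soon as either side sends FIN or RST) are assumptions made for the illustration.

```python
# Added example (not from the course material): stateless packet filter versus a
# stateful firewall on the same constructed packet sequence. All values are made up.

from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto flags")
INSIDE = "10.0.0."                     # prefix of the protected network (constructed)

def is_inside(ip):
    return ip.startswith(INSIDE)

# A stateless filter judges every packet on its own. To let inside hosts browse HTTPS
# it must also permit inbound packets *from* port 443, whether or not anyone asked.
STATELESS_RULES = [
    # (direction, proto, src_port, dst_port, action); None means "any"
    ("out", "tcp", None, 443, "permit"),
    ("in",  "tcp", 443,  None, "permit"),
]

def stateless_decide(pkt):
    direction = "out" if is_inside(pkt.src_ip) else "in"
    for d, proto, sp, dp, action in STATELESS_RULES:
        if (d == direction and proto == pkt.proto
                and sp in (None, pkt.src_port) and dp in (None, pkt.dst_port)):
            return action
    return "deny"                      # implicit deny at the end of the table

class StatefulFirewall:
    """Permits new outbound sessions and only the return traffic of sessions it has
    seen opened; the state table holds one 5-tuple per tracked flow."""
    def __init__(self):
        self.connections = set()

    def decide(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if flow in self.connections or reverse in self.connections:
            if "F" in pkt.flags or "R" in pkt.flags:        # session closing: drop the state
                self.connections.discard(flow)
                self.connections.discard(reverse)
            return "permit"
        if is_inside(pkt.src_ip) and pkt.proto == "tcp" and pkt.flags == "S" and pkt.dst_port == 443:
            self.connections.add(flow)                       # new session opened from inside
            return "permit"
        return "deny"

def run(packets, fw):
    """Evaluate each packet with both models; returns [(stateless, stateful), ...]."""
    return [(stateless_decide(p), fw.decide(p)) for p in packets]

SAMPLE = [  # constructed sequence
    Packet("10.0.0.5", 51000, "203.0.113.7", 443, "tcp", "S"),    # inside opens HTTPS
    Packet("203.0.113.7", 443, "10.0.0.5", 51000, "tcp", "SA"),   # legitimate reply
    Packet("198.51.100.9", 443, "10.0.0.5", 22, "tcp", "S"),      # outsider probes SSH from src port 443
    Packet("10.0.0.5", 51000, "203.0.113.7", 443, "tcp", "FA"),   # inside closes the session
    Packet("203.0.113.7", 443, "10.0.0.5", 51000, "tcp", "A"),    # late packet after close
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE, StatefulFirewall())):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} {pkt.flags:<3} "
              f"stateless={verdict[0]:<6} stateful={verdict[1]}")
```

Packet 3 is the point of the exercise: the stateless table cannot tell a reply from a web server apart from an unsolicited SYN that merely uses 443 as its source port, so it lets an SSH probe through. The stateful firewall denies it because no inside host opened that conversation, and it also drops the late packet once the session has been torn down.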
Stateful Firewalls
[Figure: OSI layer diagram (Layer 1 Physical upward) for stateful firewall inspection]
Next-Generation Firewalls
Types of IPS
> Access Control Lists (ACLs) - a series of commands that control whether a device forwards or drops packets based on information found in the packet header. ACLs:
  • Limit network traffic to increase network performance.
  • Provide traffic flow control.
  • Provide a basic level of security for network access.
  • Filter traffic based on traffic type.
  • Screen hosts to permit or deny access to network services.
> The two types of Cisco IPv4 ACLs are standard and extended.
> Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses. Extended ACLs filter IPv4 packets based on several attributes that include:
  • Protocol type
  • Source IPv4 address
  • Destination IPv4 address
  • Source TCP or UDP ports
  • Destination TCP or UDP ports
  • Optional protocol type information for finer control
> Standard and extended ACLs can be created using either a number or a name to identify the ACL and its list of statements.
> An ACL message can be generated and logged when traffic meets the permit or deny criteria defined in the ACL.
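The ordering and implicit-deny behaviour described above is easy to get wrong in practice, so here is an added Python evaluator for Cisco-style standard and extended ACLs (example code written for these notes, not Cisco IOS or course material). The ACL entries, addresses and packets are constructed; wildcard-mask matching follows the Cisco convention where a 0 bit must match and a 1 bit is ignored, and entries with `log` set record a message the way the `log` keyword does.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: a minimal evaluator for Cisco-style IPv4 ACLs.
# A standard ACL tests only the source address; an extended ACL also tests
# protocol, destination and destination port. Entries are checked top-down,
# the first match wins, and an unmatched packet hits the implicit deny.

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: str                        # "address wildcard" or "any"
    dst: str = "any"                # extended ACLs only
    proto: str = "ip"               # "ip" matches everything; else "tcp"/"udp"/"icmp"
    dst_port: Optional[int] = None  # "eq <port>" on the destination
    log: bool = False               # the IOS 'log' keyword

def match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are 'don't care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    b, w, a = (int(ipaddress.IPv4Address(x)) for x in (base, wild, addr))
    return ((a ^ b) & ~w) == 0

def evaluate(acl: List[Entry], pkt: dict, book: List[str]) -> str:
    """Return 'permit' or 'deny' for pkt; append a line to book for 'log' entries."""
    for n, e in enumerate(acl, 1):
        if not match_addr(e.src, pkt["src"]) or not match_addr(e.dst, pkt["dst"]):
            continue
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if e.dst_port is not None and e.dst_port != pkt.get("dport"):
            continue
        if e.log:
            book.append(f"entry {n} {e.action} {pkt['proto']} {pkt['src']} -> {pkt['dst']}")
        return e.action
    return "deny"  # implicit deny at the end of every ACL

# Constructed extended ACL: HTTPS to one server, telnet denied and logged,
# everything else from 10.0.0.0/8 permitted; all other sources hit the implicit deny.
ACL = [
    Entry("permit", "10.0.0.0 0.255.255.255", "192.168.1.10 0.0.0.0", "tcp", 443),
    Entry("deny", "any", "any", "tcp", 23, log=True),
    Entry("permit", "10.0.0.0 0.255.255.255"),
]
```

Swapping the second and third entries would let telnet from 10.0.0.0/8 through unlogged, which is why entry order matters as much as the entries themselves.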
SNMP
> SNMP allows administrators to manage end devices such as servers, workstations, routers, switches, and security appliances.
> The SNMP system consists of three elements:
  • Manager that runs SNMP management software.
  • Agents, which are the nodes being monitored and managed.
  • Management Information Base (MIB) - a database on the agent that stores data and operational statistics about the device.
NetFlow
> A Cisco IOS technology that provides statistics on packets flowing through a Cisco router or multilayer switch.
> Provides data to enable network and security monitoring, network planning, traffic analysis, and IP accounting for billing purposes.
Port Mirroring
> A feature that allows a switch to make duplicate copies of traffic passing through the switch and then send the copies out a port with a network monitor attached.
> The original traffic is forwarded in the usual manner.
Syslog Servers
> The most common method of accessing system messages.
> Allows networking devices to send their system messages across the network to syslog servers.
> The syslog logging service provides three primary functions:
  • Gather logging information for monitoring and troubleshooting.
  • Select the type of logging information that is captured.
  • Specify the destination of captured syslog messages.
NTP
> Allows routers on the network to synchronize their time settings with an NTP server and use strata levels.
> NTP can be set up to synchronize to a private master clock, or it can synchronize to a publicly available NTP server on the Internet.
> NTP servers are arranged in levels known as strata:
  • Stratum 0 - high-precision timekeeping devices assumed to be accurate and with little or no delay.
  • Stratum 1 - connected to the authoritative time sources. They act as the primary network time standard.
  • Stratum 2 and lower - connected to stratum 1 devices through network connections. Stratum 2 devices synchronize their time using the NTP packets from stratum 1 servers. They could also act as servers for stratum 3 devices.
AAA Servers
> AAA services are a set of three independent security functions: Authentication, Authorization, and Accounting/auditing.
  • Authentication - users and administrators must prove that they are who they say they are.
    o Username and password combinations, challenge and response questions, token cards, and other methods.
    o AAA authentication provides a centralized way to control access to the network.
  • Authorization - after authentication, determines which resources the user can access and which operations the user is allowed to perform.
  • Accounting and auditing - accounting records what the user does, what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used.
VPN
Network Topologies
[Figure: network topology diagram; only the labels "Device(s)", "Media", "LAN", and "Internetwork" survived extraction.]
> Physical topology refers to the physical connections and identifies how end devices and infrastructure devices are interconnected.
> Logical topology refers to the way a network transfers frames from one node to the next.
WAN Topologies
> Firewall design is primarily about device interfaces permitting or denying traffic based on the source, the destination, and the type of traffic. Some designs are as simple as designating an outside network and an inside network. A firewall with two interfaces is configured as follows:
  • Traffic originating from the private network is permitted and inspected as it travels toward the public network. Inspected traffic returning from the public network and associated with traffic that originated from the private network is permitted.
  • Traffic originating from the public network and traveling to the private network is generally blocked.
> A demilitarized zone (DMZ) is a firewall design where there is typically one inside interface connected to the private network, one outside interface connected to the public network, and one DMZ interface:
  • Traffic originating from the private network is inspected as it travels toward the public or DMZ network. This traffic is permitted with little or no restriction. Return traffic is usually permitted.
  • Traffic originating from the DMZ network and traveling to the private network is usually blocked.
  • Traffic originating from the DMZ network and traveling to the public network is selectively permitted based on service requirements.
  • Traffic originating from the public network and traveling toward the DMZ is selectively permitted and inspected. Return traffic is dynamically permitted.
  • Traffic originating from the public network and traveling to the private network is blocked.
> Zone-based policy firewalls (ZPFs) use the concept of zones to provide additional flexibility.
> A zone is a group of one or more interfaces that have similar functions or features.
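The DMZ design and the zone idea above both rest on one mechanism: a zone-pair policy decides who may open a connection, and a state table lets the associated return traffic back in. The following added Python model (example code written for these notes, not Cisco course material) implements that for private, DMZ and public zones; the address ranges, permitted DMZ services and traffic are constructed, and the stateless variant at the end shows why return traffic cannot be handled by zone policy alone.

```python
import ipaddress
from typing import Set, Tuple

# Constructed example: a firewall with private, DMZ and public interfaces that
# applies the zone-pair policy from the notes and keeps a state table. Return
# traffic is permitted only because a matching flow was seen leaving, which is
# exactly what a stateless packet filter cannot express without opening the port.

Flow = Tuple[str, str, str, int, int]               # (proto, src, dst, sport, dport)
PRIVATE = ipaddress.ip_network("10.0.0.0/8")        # constructed addressing
DMZ = ipaddress.ip_network("172.16.0.0/16")         # constructed addressing

def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return "private" if ip in PRIVATE else "dmz" if ip in DMZ else "public"

# Zone pairs allowed to initiate a connection. dmz->private and public->private
# are absent, so they are blocked; the two "selective" pairs are limited further.
INITIATE = {("private", "public"), ("private", "dmz"), ("dmz", "public"), ("public", "dmz")}
DMZ_SERVICES = {("tcp", 80), ("tcp", 443)}          # constructed: what the public may reach in the DMZ
DMZ_OUTBOUND = {("udp", 53), ("tcp", 443)}          # constructed: what the DMZ may reach outside

class StatefulFirewall:
    def __init__(self) -> None:
        self.state: Set[Flow] = set()               # flows permitted on initiation

    def inspect(self, proto: str, src: str, dst: str, sport: int, dport: int) -> str:
        # Return traffic matches a state entry for the reverse flow.
        if (proto, dst, src, dport, sport) in self.state:
            return "permit (return)"
        pair = (zone_of(src), zone_of(dst))
        if pair not in INITIATE:
            return "deny"
        if pair == ("public", "dmz") and (proto, dport) not in DMZ_SERVICES:
            return "deny"
        if pair == ("dmz", "public") and (proto, dport) not in DMZ_OUTBOUND:
            return "deny"
        self.state.add((proto, src, dst, sport, dport))
        return "permit (new)"

def stateless_filter(proto: str, src: str, dst: str, sport: int, dport: int) -> str:
    """The same zone-pair policy with no state table: legitimate replies from
    the public network to private hosts are indistinguishable from attacks."""
    return "permit" if (zone_of(src), zone_of(dst)) in INITIATE else "deny"
```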