
MODULE 3

NETWORK PROTOCOLS AND SERVICES

SUBTOPIC 1

Network Communications Process

Views of the Network

> Views of the network:
  • Small home network
  • SOHO (Small Office/Home Office)
  • Medium to large networks
  • World-wide networks

Networks come in all sizes. They can range from simple networks consisting of two computers to
networks connecting millions of devices.

Home office networks and small office networks are often set up by individuals who work from a
home or a remote office and need to connect to a corporate network or other centralized
resources. Additionally, many self-employed entrepreneurs use home office and small office
networks to advertise and sell products, order supplies and communicate with customers.

In businesses and large organizations, networks can be used on an even broader scale to provide
consolidation, storage, and access to information on network servers. Networks also allow for
rapid communication such as email, instant messaging, and collaboration among employees. In
addition to internal benefits, many organizations use their networks to provide products and
services to customers through their connection to the Internet.

The Internet is the largest network in existence. In fact, the term Internet means a ‘network of
networks’. The Internet is literally a collection of interconnected private and public networks.

Client-Server Communications

> File Client and Server communications
  • Server stores corporate and user files.
  • Client devices access these files or services with client software.
> Web Client and Server communications
  • Web Server runs web server software and client uses browser software.
> Email Client-Server communications
  • Email Server runs email server software.

All computers that are connected to a network and that participate directly in network
communication are classified as hosts. Hosts are also called end devices, endpoints, or nodes.
Much of the interaction between end devices is client-server traffic. For example, when you
access a web page on the Internet, your web browser (the client) is accessing a server. When you
send an email message, your email client will connect to an email server.

Client computers have software installed, such as web browsers, email and file transfer clients. This
software enables them to request and display the information obtained from the server. A single
computer can also run multiple types of client software. For example, a user can check email and
view a web page while listening to Internet radio.

A Typical Session: Student

For example, Terry’s data flows with the data of thousands of other users along a fiber-
optic network that connects Terry’s ISP with several other ISPs, including the ISP that
is used by the search engine company. Eventually, Terry’s search string enters the search
engine company’s website and is processed by its powerful servers. The results are then
encoded and addressed to Terry’s school and her device.

A Typical Session: Gamer

Michelle’s network, like many home networks, connects to an ISP using a router and
modem. These devices allow Michelle’s home network to connect to a cable TV network
that belongs to Michelle’s ISP. The cable wires for Michelle’s neighborhood all connect to
a central point on a telephone pole and then connect to a fiber-optic network. This fiber-
optic network connects many neighborhoods that are served by Michelle’s ISP.

A Typical Session: Surgeon


Dr. Ismael Awad is an oncologist who performs surgery on cancer patients. He frequently
needs to consult with radiologists and other specialists on patient cases. The hospital that
Dr. Awad works for subscribes to a special service called a cloud. The cloud allows medical
data, including patient x-rays and MRIs to be stored in a central location that is accessed
over the Internet.

Tracing the Path

> Cybersecurity analysts must be able to determine the origin of traffic that enters the network,
  and the destination of traffic that leaves it. Understanding the path that network traffic takes is
  essential to this.
> Tier 1 and Tier 2 networks usually connect through an Internet Exchange Point (IXP).
> Larger networks connect to Tier 2 networks, usually through a Point of Presence (POP).
> Tier 3 ISPs connect homes and businesses to the Internet.

Communications Protocols

What are Protocols?


> Protocol - the rules of communications
  • Network protocols provide the means for computers to communicate on networks.
  • Network protocols dictate the message encoding, formatting, encapsulation, size, timing,
    and delivery options.

For example, consider two people communicating face-to-face. Prior to communicating, they must
agree on how to communicate. If the communication is using voice, they must first agree on the language.
Next, when they have a message to share, they must be able to format that message in a way that is
understandable. For example, if someone uses the English language, but poor sentence structure, the
message can easily be misunderstood. Figure 1 shows an example of communication not adhering to
protocols for grammar and language.

Network Protocol Suites


> Describe precise requirements and interactions.
> Define a common format and set of rules for exchanging messages between devices.
> Some common networking protocols are Hypertext Transfer Protocol (HTTP), Transmission
  Control Protocol (TCP), and Internet Protocol (IP).

A protocol suite is a set of protocols that work together to provide comprehensive network
communication services. A protocol suite may be specified by a standards organization or developed by a
vendor. For devices to successfully communicate, a network protocol suite must describe precise
requirements and interactions. Networking protocols define a common format and set of rules for
exchanging messages between devices. Some common networking protocols are Hypertext Transfer
Protocol (HTTP), Transmission Control Protocol (TCP), and Internet Protocol (IP).

TCP/IP Protocol Suite

Networks today use the TCP/IP protocol suite. The individual protocols are organized in layers
using the TCP/IP protocol model: Application, Transport, Internet, and Network Access Layers. TCP/IP
protocols are specific to the Application, Transport, and Internet layers. The network access layer
protocols are responsible for delivering the IP packet over the physical medium, such as through a network
cable or wireless signal.
The TCP/IP protocol suite is implemented on both the sending and receiving hosts to provide end-to-end
delivery of messages over a network. TCP/IP has standardized the way that computers communicate,
which has enabled the Internet as we know it today. Unfortunately, this widespread usage has attracted
the attention of people who want to misuse networks. Much of the work of the cybersecurity analyst
concerns analysis of the behavior of the TCP/IP suite of protocols.

> TCP/IP has standardized the way that computers communicate.
> TCP/IP protocols are specific to the application, transport, Internet, and network access layers.
> The TCP/IP protocol suite is implemented on both the sending and receiving hosts to provide
  end-to-end delivery of messages over a network.

Format, Size, and Timing

> Format
  • Encapsulation - the process of placing one message format inside another message format.
  • Decapsulation - the reverse process of encapsulation.
> Size - a message is broken up into many frames when sent and reconstructed into the original
  message when received.
> Timing - includes the access method, flow control, and response timeout.

Unicast, Multicast, and Broadcast

> Unicast - one-to-one
> Multicast - one-to-many
> Broadcast - one-to-all

A message can be delivered in different ways. Sometimes, a person wants to communicate
information to a single individual. At other times, the person may need to send information to a group of
people at the same time, or even to all people in the same area. Hosts on a network use similar delivery
options to communicate, as shown in the figure.

> A one-to-one delivery option is referred to as a unicast, meaning there is only a single destination
  for the message.
> When a host needs to send messages using a one-to-many delivery option, it is referred to as a
  multicast.
> If all hosts on the network need to receive the message at the same time, a broadcast may be
  used. Broadcasting represents a one-to-all message delivery option.

Reference Models

[Figure: the OSI model, the TCP/IP protocol suite, and the TCP/IP model shown side by side]

As you learned earlier, the TCP/IP protocol suite is represented by a four-layer model: Application,
Transport, Internet, and Network Access. Another popular reference model is the Open Systems
Interconnection (OSI) model, which uses a seven-layer model, as shown in the figure. In networking
literature, when a layer is referred to by a number, such as Layer 4, the reference is using the OSI
model. References to layers in the TCP/IP model use the name of the layer, such as the transport layer.

The OSI Reference Model


The OSI model provides an extensive list of functions and services that can occur at each layer. It
also describes the interaction of each layer with the layers directly above and below.

The TCP/IP Protocol Model


The TCP/IP protocol model for internetwork communications was created in the early 1970s. As
shown in the figure, it defines four categories of functions that must occur for communications to be
successful.

Three Addresses

> Three important addresses:
  • Protocol address
  • Network host address
  • Physical address

Addressing is used by the client to send requests and other data to a server. The server uses the
client’s address to return the requested data to the client that requested it.

[Figure: OSI layers with the protocol address at the transport layer, the network host address at the
network layer, and the physical address at the data link layer]

Network protocols require that addresses be used for network communication. Protocols operate at
layers. The OSI transport, network, and data link layers all use addressing in some form. The transport
layer uses protocol addresses in the form of port numbers to identify the network applications that should
handle client and server data. The network layer specifies addresses that identify the networks that
clients and servers are attached to and the clients and servers themselves. Finally, the data link layer
specifies the devices on the local LAN that should handle data frames.

Encapsulation

> This division of data into smaller pieces is called segmentation. Segmenting messages has two
  primary benefits:
  • Segmentation - This process increases the efficiency of network communications. If part
    of the message fails to make it to the destination, due to failure in the network or network
    congestion, only the missing parts need to be retransmitted.
  • Multiplexing - By sending smaller individual pieces from source to destination, many
    different conversations can be interleaved on the network.
> The application data is encapsulated with various protocol information as it is passed down the
  protocol stack.
> The form that an encapsulated piece of data takes at any layer is called a protocol data unit (PDU).

Scenario: Sending and Receiving a Web Page

> HTTP - This application protocol governs the way a web server and a web client interact.
> TCP - This transport protocol manages individual conversations. TCP divides the HTTP messages
  into smaller pieces, called segments. TCP is also responsible for controlling the size and rate at
  which messages are exchanged between the server and the client.
> IP - This is responsible for taking the formatted segments from TCP, encapsulating them into
  packets, assigning them the appropriate addresses, and delivering them to the destination host.
> Ethernet - This network access protocol is responsible for taking the packets from IP and
  formatting them to be transmitted over the media.

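The scenario above, carried through in Python as an added example (not code from the original material): an HTTP request is wrapped in a TCP segment, an IP packet with a valid header checksum, and an Ethernet frame addressed to the default gateway, then the receiving side peels the headers off again and checks them. The addresses, MACs and ports are constructed sample values; the TCP checksum is left at zero to keep the block short.

```python
import struct

# Constructed sample values: a client on a home LAN fetching a page from a
# web server on a remote network, so the frame goes to the gateway's MAC.
CLIENT_MAC = bytes.fromhex("001122334455")
GATEWAY_MAC = bytes.fromhex("00aabbccddee")
CLIENT_IP = "192.168.10.10"
SERVER_IP = "203.0.113.5"
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def encapsulate(http_request: bytes, src_port: int, dst_port: int, seq: int) -> bytes:
    """Application data -> TCP segment -> IP packet -> Ethernet frame."""
    # TCP header: data offset 5 (20 bytes), PSH+ACK flags, window 65535, checksum 0.
    tcp_header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                             5 << 4, 0x18, 65535, 0, 0)
    segment = tcp_header + http_request
    # IPv4 header: version 4 / IHL 5, DF flag, TTL 64, protocol 6; checksum filled in after.
    total_len = 20 + len(segment)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                            64, PROTO_TCP, 0, ip_to_bytes(CLIENT_IP),
                            ip_to_bytes(SERVER_IP))
    ip_header = ip_header[:10] + struct.pack("!H", ip_checksum(ip_header)) + ip_header[12:]
    packet = ip_header + segment
    # Ethernet header: destination MAC is the default gateway because the server
    # is on a remote network; the EtherType announces an IPv4 packet.
    ethernet_header = GATEWAY_MAC + CLIENT_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    return ethernet_header + packet


def decapsulate(frame: bytes) -> dict:
    """Strip the headers in reverse order, validating each layer as we go."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 packet")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != PROTO_TCP:
        raise ValueError("not a TCP segment")
    segment = packet[ihl:total_len]
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    data_offset = (segment[12] >> 4) * 4
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "src_ip": ".".join(str(b) for b in packet[12:16]),
        "dst_ip": ".".join(str(b) for b in packet[16:20]),
        "ttl": packet[8], "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "data": segment[data_offset:],
    }


if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    frame = encapsulate(request, 49152, 80, seq=1000)
    print(len(frame), "byte frame on the wire")
    print(decapsulate(frame))
```
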
Ethernet

The Ethernet Protocol

> Operates at Layer 1 and Layer 2
> Defined by the IEEE 802.2 and 802.3 standards
> Ethernet sublayers:
  o Logical Link Control (LLC)
  o Media Access Control (MAC)
> Ethernet responsibilities:
  • Data encapsulation - Ethernet encapsulates the IP packet into a frame, adding timing
    information, destination and source MAC addresses, and an error checking feature.
  • Media access control - Ethernet manages the process of converting the frame into bits
    and sending the frame out onto the network. In older wired networks, devices could not
    send and receive data at the same time. This is still the case for wireless networks. In such
    situations, Ethernet uses a process to determine when a device can send and what to do
    if the data sent by two devices collides on the network.

Ethernet

Ethernet is defined by data link layer and physical layer protocols.

[Figure: 802.3 Ethernet mapped to the data link and physical layers]

> Minimum Ethernet frame size: 64 bytes
> Maximum Ethernet frame size: 1518 bytes
> Two key identifiers:
  • Destination MAC address
  • Source MAC address
> Uses hexadecimal

MAC Address Format

> Ethernet MAC address is 48-bit binary expressed as 12 hexadecimal digits.
> Uses numbers 0 to 9 and letters A to F.
> All data that travels on the network is encapsulated in Ethernet frames.

Hexadecimal Numbering

Different Representations of MAC Addresses

Decimal and Binary equivalents of 0 to F Hexadecimal

Decimal   Binary   Hexadecimal
0         0000     0
1         0001     1
2         0010     2
3         0011     3
4         0100     4
5         0101     5
6         0110     6
7         0111     7
8         1000     8
9         1001     9
10        1010     A
11        1011     B
12        1100     C
13        1101     D
14        1110     E
15        1111     F

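An added example (not from the original material) of the 48-bit/12-hex-digit relationship above: parse_mac accepts the common separator styles, shows the address as six binary octets, and goes a little beyond the slide by decoding two bits of the first octet that an analyst looks at when a frame's source address seems odd: the I/G bit (multicast or broadcast) and the U/L bit (locally administered rather than vendor-assigned). The sample addresses are constructed.

```python
import re


def parse_mac(text: str) -> dict:
    """Decode a MAC written as 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455."""
    hexdigits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    raw = bytes.fromhex(hexdigits)          # 12 hex digits -> 6 octets (48 bits)
    first = raw[0]
    return {
        "canonical": raw.hex(":"),          # lower-case, colon separated
        "binary": " ".join(f"{b:08b}" for b in raw),
        "oui": raw[:3].hex(":").upper(),    # vendor-assigned upper 24 bits
        "broadcast": raw == b"\xff" * 6,    # ff:ff:ff:ff:ff:ff, received by every host
        "multicast": bool(first & 0x01),    # I/G bit: group address (broadcast sets it too)
        "locally_administered": bool(first & 0x02),  # U/L bit: not burned in by a vendor
    }


def describe_mac(text: str) -> str:
    """One-line summary of what the address tells us about the frame."""
    info = parse_mac(text)
    if info["broadcast"]:
        kind = "broadcast"
    elif info["multicast"]:
        kind = "multicast"
    else:
        kind = "unicast"
    origin = "locally administered" if info["locally_administered"] else "vendor assigned"
    return f"{info['canonical']}: {kind}, {origin}, OUI {info['oui']}"


if __name__ == "__main__":
    for sample in ("00-11-22-33-44-55", "FFFF.FFFF.FFFF", "01:00:5e:00:00:fb", "02:42:ac:11:00:02"):
        print(describe_mac(sample))
        print("   ", parse_mac(sample)["binary"])
```
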
IPv4

IPv4 Encapsulation
IP encapsulates the transport layer segment by adding an IP header.

The Exchange of Data

[Figure: Network Layer PDU = IP Packet; the network layer encapsulates the transport layer PDU]

Network layer protocols forward transport layer PDUs between hosts.

IPv4 Characteristics

> Connectionless - no dedicated end-to-end connection is created before data is sent.
> Unreliable (Best Effort) - IP does not guarantee that all packets that are delivered are, in
  fact, received.
> Media Independent - IP operates independently of the media that carry the data at lower layers
  of the protocol stack.

IPv4 Packet

> Packet header consists of fields containing important information about the packet.
> Fields contain binary numbers examined by the Layer 3 process.
> The binary values of each field identify various settings of the IP packet.
> Two most commonly referenced fields are the source and destination IP addresses.

IPv4 Addressing Basics

IPv4 Address Notation

> IP address is a series of 32 binary bits (ones and zeros).
> When a host is configured with an IPv4 address, it is entered as a dotted decimal number such as
  192.168.10.10.
> The equivalent address in binary is 11000000.10101000.00001010.00001010

IPv4 Host Address Structure

> IPv4 address is a hierarchical address that is made up of a network portion and a host portion.
> The network portion of the address must be identical for all devices that reside in the same
  network.
> The bits within the host portion of the address must be unique to identify a specific host within a
  network.

IPv4 Subnet Mask and Network Address

> Subnetting takes a network space and divides it into smaller spaces called subnets.
> Identifying the network address of an IPv4 host:
  • IP address is logically ANDed, bit by bit, with the subnet mask.
  • ANDing between the address and the subnet mask yields the network address.

Subnetting Broadcast Domains

> Subnetting takes a network space and divides it into smaller spaces called subnets.

Types of IPv4 Addresses

IPv4 Address Classes and Default Subnet Masks

> Assigned Classes - A, B, C, D, and E
> Class A - Designed to support extremely large networks.
> Class B - Designed to support moderate to large networks.
> Class C - Designed to support small networks.
> Class D - Multicast block.
> Class E - Experimental address block.

Reserved Private Addresses


> Blocks of addresses mostly used by organizations to assign IPv4 addresses to internal hosts.
> Not unique to any network.
> Not allowed on the Internet and are filtered by the internal router.
> Router usually connects the internal network to the ISP network.

The Default Gateway

Host Forwarding Decision


> A host can send a packet to three types of destinations:
  • Itself - A host can ping itself by sending a packet to a special IPv4 address
    of 127.0.0.1. Pinging the loopback interface tests the TCP/IP protocol stack.
  • Local host - This is a host on the same local network.
  • Remote host - This is a host on a remote network. The hosts do not share
    the same network address.

Default Gateway

> Three dotted decimal IPv4 addresses must be configured when assigning an IPv4 configuration to a
  host:
  • IPv4 address - Unique IPv4 address of the host.
  • Subnet mask - Used to identify the network/host portion of the IPv4 address.
  • Default gateway - Identifies the local gateway (i.e. local router interface IPv4 address) to
    reach remote networks.
> The default gateway is the network device that can route traffic to other networks. It is
  the router that can route traffic out of the local network.
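The bit-by-bit ANDing from the subnet mask slides and the host forwarding decision above, combined in one added Python example (not code from the original material): network_address ANDs the address with a validated mask, and forwarding_decision classifies a destination as itself, a local host or a remote host and says which IPv4 address the host must resolve to a MAC address for the frame (the destination itself, or the default gateway). All addresses are constructed sample values.

```python
def to_int(addr: str) -> int:
    """Dotted decimal -> 32-bit integer, rejecting anything that is not four octets."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {addr!r}")
    return int.from_bytes(bytes(int(o) for o in octets), "big")


def to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def to_binary(addr: str) -> str:
    """The 32 bits written as four 8-bit groups, as in the slide."""
    return ".".join(f"{b:08b}" for b in to_int(addr).to_bytes(4, "big"))


def is_valid_mask(mask: str) -> bool:
    """A subnet mask is a run of ones followed by a run of zeros (no gaps)."""
    m = to_int(mask)
    zeros = ~m & 0xFFFFFFFF
    return m != 0 and (zeros & (zeros + 1)) == 0


def network_address(ip: str, mask: str) -> str:
    """Bitwise AND of address and mask yields the network portion."""
    if not is_valid_mask(mask):
        raise ValueError(f"invalid subnet mask: {mask!r}")
    return to_dotted(to_int(ip) & to_int(mask))


def broadcast_address(ip: str, mask: str) -> str:
    """All host bits set to one: the one-to-all address of the subnet."""
    if not is_valid_mask(mask):
        raise ValueError(f"invalid subnet mask: {mask!r}")
    return to_dotted(to_int(ip) | (~to_int(mask) & 0xFFFFFFFF))


def forwarding_decision(host_ip: str, mask: str, default_gateway: str, dest_ip: str) -> dict:
    """Itself, local host or remote host, plus the address whose MAC the frame needs."""
    if to_int(dest_ip) >> 24 == 127 or dest_ip == host_ip:      # 127.0.0.0/8 is loopback
        return {"destination": "itself", "resolve_mac_for": None}
    if network_address(dest_ip, mask) == network_address(host_ip, mask):
        return {"destination": "local host", "resolve_mac_for": dest_ip}
    return {"destination": "remote host", "resolve_mac_for": default_gateway}


if __name__ == "__main__":
    host, mask, gateway = "192.168.10.10", "255.255.255.0", "192.168.10.1"
    print("address  ", to_binary(host))
    print("mask     ", to_binary(mask))
    print("network  ", to_binary(network_address(host, mask)), network_address(host, mask))
    print("broadcast", broadcast_address(host, mask))
    for dest in ("127.0.0.1", "192.168.10.50", "10.1.1.1"):
        print(dest, forwarding_decision(host, mask, gateway, dest))
```
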

Using the Default Gateway

> A host's routing table will typically include a default gateway.
> The host receives the IPv4 address of the default gateway.
> IP addressing information:
  • Configured manually.
  • Obtained automatically/dynamically using Dynamic Host Configuration Protocol (DHCP).
  • Placed in the computer’s routing table.

IPv6

Need for IPv6


> The depletion of IPv4 address space has been the motivating factor for moving to IPv6.
> IPv6 has a 128-bit address space.
> Four out of the five Regional Internet Registries (RIRs) have run out of IPv4 addresses.

IPv6 Size and Representation


> 128-bit address space.
  • String of 32 hexadecimal values.
  • Every 4 bits represented by one hexadecimal digit.
  • Hextet is 16 bits or 4 hexadecimal digits.

IPv6 Address Formatting

> IPv6 addresses:
  • 128-bit address space.
  • Can remove leading zeros.
  • Can leave out 1 “all zeros” segment.
  • Two sections: Prefix and Interface ID.

ICMP

ICMPv4 Messages

> Used to provide feedback and troubleshoot network problems.
> Message types:
  • Host confirmation - echo request and echo reply with the ping utility.
  • Destination or service unreachable codes:
    o 0 - net unreachable
    o 1 - host unreachable
    o 2 - protocol unreachable
    o 3 - port unreachable
  • Time exceeded - used by a router to indicate that a packet cannot be sent onward:
    o IPv4: due to the time to live (TTL) field having a value of 0.
    o IPv6: does not have a TTL field but has a hop limit field instead.

ICMPv6 RS and RA Messages

> New protocols as part of the Neighbor Discovery Protocol (ND or NDP):
> Messaging between an IPv6 router and an IPv6 device:
  • Router Solicitation (RS) - used between an IPv6 device and a router.
  • Router Advertisement (RA) - used between an IPv6 router and a device to provide
    addressing info using Stateless Address Autoconfiguration (SLAAC).
> Messaging between IPv6 devices:
  • Neighbor Solicitation (NS) message
  • Neighbor Advertisement (NA) message
> IPv6 Duplicate Address Detection (DAD)
  • Not required but recommended.
  • If another device on the network has the same global unicast or link-local unicast address,
    the device will respond with an NA message.

Ping and Traceroute Utilities


Ping — Testing and Local Stack

> Ping is a testing utility that uses ICMP echo request and echo reply messages to test connectivity
  between hosts.
> To test connectivity to another host on a network, an echo request is sent to the host address
  using the ping command.
> If the host at the specified address receives the echo request, it responds with an echo reply.

Ping — Testing Connectivity to Local LAN

> You can also use ping to test the ability of a host to communicate on the local network. This is
  generally done by pinging the IP address of the gateway of the host.
> A successful ping to the gateway indicates that the host and the router interface serving as the
  gateway are both operational on the local network.
> For this test, the gateway address is most often used because the router is normally always
  operational.

Ping — Testing Connectivity to Remote Host

> Ping can also be used to test the ability of a local host to communicate across an internetwork.
> A successful ping across the internetwork confirms communication on the local network.
> It also confirms the operation of the router serving as the gateway, and the operation of all other
  routers that might be in the path between the local network and the network of the remote host.

Traceroute- Testing the Path

> Traceroute provides information about the details of devices between the hosts.
> Generates a list of hops that were successfully reached along the path:
  • Round Trip Time (RTT) - time for each hop along the path.
  • IPv4 TTL and IPv6 Hop Limit - Traceroute makes use of a function of the TTL field in IPv4
    and the Hop Limit field in IPv6 in the Layer 3 headers, along with the ICMP time exceeded
    message.
> After the final destination is reached, the host responds with either an ICMP port unreachable
  message or an ICMP echo reply message instead of the ICMP time exceeded message.

ICMP Packet Format

> ICMP is considered to be a Layer 3 protocol.
> ICMP acts as a data payload within the IP packet.
> It has a special header data field.
> These are some common message codes:
  • 0 - Echo reply (response to a ping)
  • 3 - Destination Unreachable
  • 5 - Redirect (use another route to your destination)
  • 8 - Echo request (for ping)
  • 11 - Time Exceeded (TTL became 0)
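The ICMPv4 message types and codes listed in the ICMPv4 Messages and ICMP Packet Format slides, as an added Python example (not code from the original material): the block builds echo and error messages with a valid checksum, parses them back into the fields the type implies, and classifies a traceroute reply as an intermediate hop (Time Exceeded) or the final destination (Port Unreachable or Echo reply), as described in the Traceroute slide. All messages are constructed in the block; nothing is sent on a network.

```python
import struct

# Names from the page's lists of ICMPv4 types and destination-unreachable codes.
ICMP_TYPES = {0: "Echo reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo request", 11: "Time Exceeded"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable"}


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum over the whole ICMP message (header and data)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, identifier: int, sequence: int, payload: bytes = b"") -> bytes:
    """Type 8 (request) or 0 (reply): identifier and sequence let ping match replies."""
    body = struct.pack("!HH", identifier, sequence) + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body


def build_error(icmp_type: int, code: int, original_datagram: bytes, word: int = 0) -> bytes:
    """Types 3 and 11 (4 unused bytes) or 5 (the 4 bytes hold the gateway address),
    followed by the offending IP header plus the first 8 bytes of its data."""
    body = struct.pack("!I", word) + original_datagram
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte header and the type-specific data that follows it."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    if icmp_checksum(msg) != 0:                   # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code = msg[0], msg[1]
    info = {"type": icmp_type, "code": code, "name": ICMP_TYPES.get(icmp_type, "other")}
    if icmp_type in (0, 8):
        info["identifier"], info["sequence"] = struct.unpack("!HH", msg[4:8])
        info["payload"] = msg[8:]
    elif icmp_type == 3:
        info["reason"] = UNREACHABLE_CODES.get(code, f"code {code}")
        info["original_datagram"] = msg[8:]
    elif icmp_type == 11:
        info["reason"] = "TTL exceeded in transit" if code == 0 else "fragment reassembly time exceeded"
        info["original_datagram"] = msg[8:]
    elif icmp_type == 5:
        info["gateway"] = ".".join(str(b) for b in msg[4:8])
    return info


def traceroute_reply_kind(msg: bytes) -> str:
    """'hop' for a router's Time Exceeded, 'destination' for Port Unreachable or Echo reply."""
    info = parse_icmp(msg)
    if info["type"] == 11:
        return "hop"
    if info["type"] == 0 or (info["type"] == 3 and info["code"] == 3):
        return "destination"
    return "other"


if __name__ == "__main__":
    original = bytes(28)    # constructed stand-in for an IPv4 header plus 8 bytes of data
    for msg in (build_echo(8, 0x1234, 1, b"abcdefgh"), build_error(11, 0, original),
                build_error(3, 3, original), build_echo(0, 0x1234, 1, b"abcdefgh")):
        print(traceroute_reply_kind(msg), parse_icmp(msg))
```
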

SUBTOPIC 2

MAC and IP

Destination on Same Network


> Two addresses assigned to an Ethernet device:
  • MAC address (Layer 2 physical address)
  • IP address (Layer 3 logical address)
> A device must have both addresses to communicate with another TCP/IP-based device:
  • Uses the source and destination MAC address
  • Uses the source and destination IP address

There are two primary addresses assigned to a device on an Ethernet LAN:
1. Physical address (the MAC address) - This is used for Ethernet NIC to Ethernet NIC
   communications on the same network.
2. Logical address (the IP address) - This is used to send the packet from the original source to
   the final destination. IP addresses are used to identify the address of the original source
   device and the final destination device. The destination IP address may be on the same IP
   network as the source or may be on a remote network.

Destination on Remote Network

> When communicating with a device on a remote network, the destination MAC address is the
  MAC address of the Layer 3 device interface on the same network as the device originating the
  packet.
> When the destination IP address is on a remote network, the destination MAC address will be the
  address of the host’s default gateway, which is the router’s NIC, as shown in the figure. Using a
  postal analogy, this would be similar to a person taking a letter to their local post office. All they
  need to do is take the letter to the post office and then it becomes the responsibility of the post
  office to forward the letter on towards its final destination.

ARP

Introduction to ARP

> When a device sends an Ethernet frame, it contains these two addresses:
  • Destination MAC address - The MAC address of the Ethernet NIC, which will be either the
    MAC address of the final destination device or the router.
  • Source MAC address - The MAC address of the sender’s Ethernet NIC.
> To determine the destination MAC address, the device uses ARP. ARP resolves IPv4
  addresses to MAC addresses and maintains a table of mappings.

ARP Functions
> Used to resolve IPv4 addresses to MAC addresses.
> IPv4 and MAC address mappings are kept in an ARP table.

When a packet is sent to the data link layer to be encapsulated into an Ethernet frame, the device
refers to a table in its memory to find the MAC address that is mapped to the IPv4 address. This table is
called the ARP table or the ARP cache. The ARP table is stored in the RAM of the device.

The sending device will search its ARP table for a destination IPv4 address and a corresponding MAC
address. If the packet’s destination IPv4 address is on the same network as the source IPv4 address, the
device will search the ARP table for the destination IPv4 address. If the destination IPv4 address is on a
different network than the source IPv4 address, the device will search the ARP table for the IPv4 address
of the default gateway.

In both cases, the search is for an IPv4 address and a corresponding MAC address for the device.

Each entry, or row, of the ARP table binds an IPv4 address with a MAC address. We call the relationship
between the two values a map. It simply means that you can locate an IPv4 address in the table and
discover the corresponding MAC address. The ARP table temporarily saves (caches) the mapping for the
devices on the LAN.

If the device locates the IPv4 address, its corresponding MAC address is used as the destination MAC
address in the frame. If no entry is found, then the device sends an ARP request.

Removing Entries from an ARP Table

> For each device, an ARP cache timer removes ARP entries that have not been used for a specified
  period of time.
> Commands may also be used to manually remove all or some of the entries in the ARP table.
> Network hosts and routers keep ARP tables.

ARP Tables on Networking Devices

> Network hosts and routers keep ARP tables.
> Held in memory called the ARP cache.
> Entries age out and are removed from the table.

ARP Issues

ARP Broadcasts
As a broadcast frame, an ARP request is received and processed by every device on the
local network. On a typical business network, these broadcasts would probably have minimal
impact on network performance. However, if a large number of devices were to be powered up
and all start accessing network services at the same time, there could briefly be some reduction
in performance, as shown in the figure. After the devices send out the initial ARP broadcasts and
have learned the necessary MAC addresses, any impact on the network will be minimized.
ARP Spoofing

> ARP Spoofing (ARP poisoning) - security risk

This is a technique used by an attacker to reply to an ARP request for an IPv4 address belonging
to another device, such as the default gateway.
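An added Python model (not code from the original material) of the ARP table behaviour described in the ARP Functions, Removing Entries and ARP Spoofing slides: a lookup that hits the cache or queues an ARP request, a cache timer that ages out unused entries, a manual flush, and two defender-side checks on incoming replies, flagging a reply nobody asked for and a known address that suddenly maps to a different MAC, which is what a poisoning attempt looks like from the victim's table. It assumes a host that ignores unsolicited replies and remembers the last MAC seen for each address even after the entry ages out; the addresses and MACs are constructed.

```python
from dataclasses import dataclass


@dataclass
class ArpEntry:
    mac: str
    last_used: float        # last lookup or refresh; the cache timer works from this


class ArpCache:
    """One host's ARP table with aging and checks for suspicious replies."""

    def __init__(self, timeout: float = 300.0):
        self.timeout = timeout
        self.entries = {}    # IPv4 address -> ArpEntry
        self.history = {}    # IPv4 address -> last MAC ever learned for it
        self.pending = set() # addresses we have broadcast an ARP request for
        self.alerts = []     # defender-facing observations

    def lookup(self, ip: str, now: float):
        """Return the cached MAC, or None after queueing an ARP request for the address."""
        entry = self.entries.get(ip)
        if entry is not None and now - entry.last_used < self.timeout:
            entry.last_used = now
            return entry.mac
        self.entries.pop(ip, None)       # aged out: the cache timer removes it
        self.pending.add(ip)             # the device would now broadcast an ARP request
        return None

    def on_reply(self, ip: str, mac: str, now: float) -> None:
        """Handle an ARP reply; only replies to our own requests enter the table."""
        if ip not in self.pending:
            self.alerts.append(f"unsolicited ARP reply for {ip} from {mac} ignored")
            return
        previous = self.history.get(ip)
        if previous is not None and previous != mac:
            self.alerts.append(f"{ip} changed from {previous} to {mac} (possible ARP spoofing)")
        self.entries[ip] = ArpEntry(mac, now)
        self.history[ip] = mac
        self.pending.discard(ip)

    def expire(self, now: float) -> list:
        """Cache timer: drop every entry idle for the timeout; return what was removed."""
        stale = [ip for ip, e in self.entries.items() if now - e.last_used >= self.timeout]
        for ip in stale:
            del self.entries[ip]
        return stale

    def flush(self) -> int:
        """Manual removal of all entries (the effect of a clear-cache command)."""
        count = len(self.entries)
        self.entries.clear()
        return count


if __name__ == "__main__":
    cache = ArpCache(timeout=60)
    cache.lookup("192.168.10.1", now=0)                       # miss: request goes out
    cache.on_reply("192.168.10.1", "00:aa:bb:cc:dd:ee", now=1)   # gateway answers
    cache.on_reply("192.168.10.1", "02:66:6f:6f:00:01", now=3)   # nobody asked: ignored
    print(cache.lookup("192.168.10.1", now=4))                # still the real gateway
    print(cache.expire(now=70), cache.alerts)
```
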

Transport Layer Characteristics

Transport Layer Protocol Role in Network Communication

> Tracks individual conversations - A host may have multiple applications that are communicating
  across the network simultaneously. Each of these applications communicates with one or more
  applications on one or more remote hosts.
> Moves data between applications on network devices.
> Segments data and reassembles segments.
> Identifies applications using a port number.

Transport Layer Mechanisms

> Segmenting the data into smaller chunks enables many different communications, from many
  different users, to be interleaved (multiplexed) on the same network.
> The transport layer is also responsible for managing reliability requirements of a conversation.
> TCP/IP provides two transport layer protocols:
  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)

The transport layer is also responsible for managing reliability requirements of a conversation.
Different applications have different transport reliability requirements.

IP is concerned only with the structure, addressing, and routing of packets. IP does not specify
how the delivery or transportation of the packets takes place. Transport protocols specify how to
transfer messages between hosts. TCP/IP provides two transport layer protocols, Transmission
Control Protocol (TCP) and User Datagram Protocol (UDP), as shown in the figure. IP uses these transport
protocols to enable hosts to communicate and transfer data.

TCP is considered a reliable, full-featured transport layer protocol, which ensures that all of the
data arrives at the destination. However, this requires additional fields in the TCP header which
increases the size of the packet and also increases delay. In contrast, UDP is a simpler transport layer
protocol that does not provide for reliability. It therefore has fewer fields and is faster than TCP.

TCP Local and Remote Ports

> TCP and UDP manage these multiple simultaneous conversations by using header fields that can
  uniquely identify these applications. These unique identifiers are the port numbers:
  • The source port number is associated with the originating application on the local host.
  • The destination port number is associated with the destination application on the remote
    host.

Socket Pairs

> The combination of the source IP address and source port number, or the destination IP address
  and destination port number, is known as a socket.
> The socket is used to identify the server and service being requested by the client.
> Sockets enable multiple processes, running on a client, to distinguish themselves from each other,
  and multiple connections to a server process to be distinguished from each other.

TCP versus UDP

> TCP
  • Used for the majority of the major TCP/IP protocols.
  • Reliable, acknowledges data, resends lost data, delivers data in sequenced order.
  • Examples: email, HTTP
> UDP
  • Fast, low overhead, does not require acknowledgments, does not resend lost data,
    delivers data as it arrives.
  • Examples: VoIP, streaming live videos

TCP and UDP Headers

> TCP
  • TCP is a stateful protocol. A stateful protocol is a protocol that keeps track of the state of
    the communication session.
  • To track the state of a session, TCP records which information it has sent and which
    information has been acknowledged.
  • The stateful session begins with the session establishment and ends when closed with the
    session termination.
> UDP
  • UDP is a stateless protocol, meaning neither the client, nor the server, is obligated to keep
    track of the state of the communication session.
  • If reliability is required when using UDP as the transport protocol, it must be handled by
    the application.

TCP Port Allocation

> Destination port numbers:
  • Use well-known port numbers.
> Source port numbers:
  • Use dynamic port numbers.
  • When establishing a connection with a server, the transport layer on the client establishes
    a source port to keep track of data sent from the server.
  • Just as a server can have many ports open for server processes, clients can have many
    ports open for connections to multiple sockets.

A TCP Session Part 1: Connection Establishment and Termination

> A TCP connection is established in three steps:
  1. The initiating client requests a client-to-server communication session with the
     server.
  2. The server acknowledges the client-to-server communication session and
     requests a server-to-client communication session.
  3. The initiating client acknowledges the server-to-client communication session.

A TCP Session Part 2: Data Transfer

>» TCP Order Delivery:


e Segment sequence numbers indicate how to reassemble, and reorder received segments.
e The receiving TCP process places the data into a receiving buffer.
e Out of order segments are held for later processing.
e When the segments with the missing bytes arrive, these segments are processed in order.

> Flow Control:


e Controls the amount of data that the destination can receive and process reliably by adjusting
the rate of data flow.
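Added example (not from the course): the three handshake segments from the previous section, followed by a receiver that holds an early segment in its buffer and delivers the bytes only once the gap is filled. The initial sequence numbers, payloads and arrival order are constructed, and the window calculation is a deliberately simplified model of flow control.

```python
"""Simulate TCP session setup and in-order delivery at the receiver.

Added example for these notes, not course code. Sequence numbers, payloads and
the segment arrival order are constructed to show one segment arriving early.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    data: bytes


def three_way_handshake(client_isn: int, server_isn: int) -> List[Tuple[str, Tuple[str, ...], int, int]]:
    """Return the three control segments that open a session as
    (direction, flags, sequence number, acknowledgment number)."""
    syn = ("client->server", ("SYN",), client_isn, 0)
    syn_ack = ("server->client", ("SYN", "ACK"), server_isn, client_isn + 1)
    ack = ("client->server", ("ACK",), client_isn + 1, server_isn + 1)
    return [syn, syn_ack, ack]


class TcpReceiver:
    """Receive side of one TCP session: delivers payload bytes strictly in
    sequence order and holds early segments until the gap is filled."""

    def __init__(self, initial_seq: int, buffer_size: int = 4096):
        self.next_seq = initial_seq          # next byte expected from the peer
        self.buffer_size = buffer_size       # total receive buffer (simplified model)
        self.held: Dict[int, bytes] = {}     # out-of-order segments keyed by seq
        self.delivered = bytearray()         # bytes handed to the application

    def receive(self, seg: Segment) -> int:
        """Process one segment and return the ACK number to send back."""
        if seg.seq >= self.next_seq + self.advertised_window():
            return self.next_seq                    # outside the window: dropped
        if seg.seq > self.next_seq:
            self.held[seg.seq] = seg.data           # gap before it: hold for later
        elif seg.seq + len(seg.data) > self.next_seq:
            # In order (or overlapping an already-received prefix): trim and deliver
            self.delivered += seg.data[self.next_seq - seg.seq:]
            self.next_seq = seg.seq + len(seg.data)
            self._drain_held()
        # else: a pure duplicate of data already delivered, nothing to do
        return self.next_seq                        # cumulative ACK

    def _drain_held(self) -> None:
        """Deliver any held segments that now line up with next_seq."""
        while self.next_seq in self.held:
            data = self.held.pop(self.next_seq)
            self.delivered += data
            self.next_seq += len(data)

    def advertised_window(self) -> int:
        """Flow control (simplified): space left after counting held data."""
        held_bytes = sum(len(d) for d in self.held.values())
        return max(0, self.buffer_size - held_bytes)


def run_sample() -> Tuple[bytes, List[int]]:
    """Deliver three constructed segments where the third one arrives early,
    then a retransmitted duplicate of the first."""
    rx = TcpReceiver(initial_seq=1001)
    arrival_order = [Segment(1001, b"AB"), Segment(1005, b"EF"), Segment(1003, b"CD")]
    acks = [rx.receive(seg) for seg in arrival_order]
    acks.append(rx.receive(Segment(1001, b"AB")))   # duplicate: ignored, ACK unchanged
    return bytes(rx.delivered), acks


if __name__ == "__main__":
    for step in three_way_handshake(100, 300):
        print(step)
    print(run_sample())
```

The ACK sequence shows the behaviour the notes describe: the early segment (seq 1005) is acknowledged with the unchanged value 1003 because the bytes at 1003 are still missing, and the next in-order segment advances the ACK past both of them at once.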

UDP Session

> Reassembles the data in the order it was received.
> Assigned well-known or registered port numbers.

DHCP

DHCP Overview

> Dynamic Host Configuration Protocol (DHCP)
• Provides IP addressing information such as IP address, subnet mask, default gateway, DNS
server IP address and domain name.
• Messages
o Discover
o Offer
o Request
o Ack(nowledge)

DHCPv4 Message Format

A DHCP message contains the following fields:
> Operation (OP) Code - Specifies the general type of message.
> Hardware Type - Identifies the type of hardware used in the network.
> Hardware Address Length - Specifies the length of the address.
> Hops - Controls the forwarding of messages.
> Transaction Identifier - Used by the client to match the request with replies received from
DHCPv4 servers.
> Seconds - Identifies the number of seconds elapsed since a client began attempting to acquire or
renew a lease.
> Flags - Used by a client that does not know its IPv4 address when it sends a request.
> Client IP Address - Used by a client during lease renewal when the address of the client is valid
and usable, not during the process of acquiring an address.
> Your IP Address - Used by the server to assign an IPv4 address to the client.
> Server IP Address - Used by the server to identify the address of the server that the client should
use for the next step in the bootstrap process.
> Gateway IP Address - Routes DHCPv4 messages when DHCPv4 relay agents are involved.
> Client Hardware Address - Specifies the physical layer of the client.
> Server Name - Used by the server sending a DHCPOFFER or DHCPACK message.
> Boot Filename - Optionally used by a client to request a particular type of boot file in a
DHCPDISCOVER message.
> DHCP Options - Holds DHCP options, including several parameters required for basic DHCP
operation.
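Added example (not course code): building and decoding the DHCPv4 message laid out above, field by field, for a DISCOVER and the matching OFFER. The transaction ID, client MAC address and the 192.0.2.0/24 addresses are constructed sample values; option 53 (message type), 1 (subnet mask), 3 (router), 51 (lease time) and 55 (parameter request list) are standard option codes.

```python
"""Build and decode DHCPv4 messages field by field.

Added example for these notes, not course code. The transaction ID, client MAC
and addresses are constructed sample values (RFC 5737 documentation range).
"""
import ipaddress
import struct
from typing import Dict, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of the options field
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}   # option 53 values
BOOTREQUEST, BOOTREPLY = 1, 2               # op codes: client -> server, server -> client
FIXED_LAYOUT = "!BBBBIHH4s4s4s4s"            # op, htype, hlen, hops, xid, secs, flags, 4 addresses


def build_message(op: int, xid: int, client_mac: bytes, msg_type: int,
                  yiaddr: str = "0.0.0.0", siaddr: str = "0.0.0.0",
                  extra_options: Tuple[Tuple[int, bytes], ...] = (),
                  secs: int = 0, broadcast: bool = True) -> bytes:
    """Serialize one DHCPv4 message (Ethernet hardware type, 6-byte MAC)."""
    flags = 0x8000 if broadcast else 0           # broadcast bit: client has no address yet
    fixed = struct.pack(FIXED_LAYOUT, op, 1, 6, 0, xid, secs, flags,
                        b"\x00" * 4,                              # ciaddr
                        ipaddress.ip_address(yiaddr).packed,      # yiaddr
                        ipaddress.ip_address(siaddr).packed,      # siaddr
                        b"\x00" * 4)                              # giaddr
    chaddr = client_mac.ljust(16, b"\x00")       # hardware address, padded to 16 bytes
    sname, boot_file = b"\x00" * 64, b"\x00" * 128
    options = MAGIC_COOKIE + bytes([53, 1, msg_type])
    for code, value in extra_options:
        options += bytes([code, len(value)]) + value
    return fixed + chaddr + sname + boot_file + options + b"\xff"   # 255 = end option


def parse_message(raw: bytes) -> Dict:
    """Decode the fixed header, check the magic cookie, then walk the TLV options."""
    if len(raw) < 240:
        raise ValueError("DHCPv4 message shorter than 240 bytes")
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr) = struct.unpack(FIXED_LAYOUT, raw[:28])
    chaddr = raw[28:28 + hlen]
    if raw[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(raw):
        code = raw[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option has no length byte
            i += 1
            continue
        length = raw[i + 1]
        options[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MESSAGE_TYPES.get(options[53][0], "UNKNOWN") if 53 in options else None
    return {
        "op": op, "hardware_type": htype, "hardware_len": hlen, "hops": hops,
        "xid": xid, "secs": secs, "broadcast": bool(flags & 0x8000),
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "siaddr": str(ipaddress.IPv4Address(siaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "client_mac": ":".join(f"{b:02x}" for b in chaddr),
        "server_name": raw[44:108].rstrip(b"\x00").decode("ascii", "replace"),
        "boot_file": raw[108:236].rstrip(b"\x00").decode("ascii", "replace"),
        "message_type": msg_type,
        "options": options,
    }


# Constructed exchange: a client DISCOVER followed by the server OFFER.
CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLE_DISCOVER = build_message(BOOTREQUEST, 0x3903F326, CLIENT_MAC, 1,
                                extra_options=((55, bytes([1, 3, 6])),))   # asks for mask, router, DNS
SAMPLE_OFFER = build_message(BOOTREPLY, 0x3903F326, CLIENT_MAC, 2,
                             yiaddr="192.0.2.10", siaddr="192.0.2.1",
                             extra_options=((1, ipaddress.ip_address("255.255.255.0").packed),
                                            (3, ipaddress.ip_address("192.0.2.1").packed),
                                            (51, struct.pack("!I", 86400))))   # one-day lease

if __name__ == "__main__":
    for msg in (SAMPLE_DISCOVER, SAMPLE_OFFER):
        decoded = parse_message(msg)
        print(decoded["message_type"], decoded["xid"], decoded["yiaddr"], decoded["client_mac"])
```

Note how the two messages share the transaction identifier and the client hardware address: that pairing is what lets the client tell which server reply belongs to its own request, and it is also what a monitoring tool uses to spot offers that arrive without a preceding discover.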

DNS Overview

> Dynamic Name System (DNS)
• Manages and provides domain names and associated IP addresses.
• Hierarchy of servers.
• 90% of malicious software used to attack networks uses DNS to carry out attack
campaigns.

DNS Domain Hierarchy

> Dynamic Name System (DNS)
• The DNS consists of a hierarchy of generic top-level domains (gTLD), which consist of
.com, .net, .org, .gov, .edu, and numerous country-level domains, such as .br (Brazil), .es
(Spain), .uk (United Kingdom).
• Second-level domains are represented by a domain name that is followed by a top-level
domain.
• Subdomains are found at the next level of the DNS hierarchy and represent some
division of the second-level domain.
• Finally, a fourth level can represent a host in a subdomain.

DNS Lookup Process

To understand DNS, cybersecurity analysts should be familiar with the following terms:
> Resolver - A DNS client that sends DNS messages to obtain information about the requested
domain name space.
> Recursion - The action taken when a DNS server is asked to query on behalf of a DNS resolver.
> Authoritative Server - A DNS server that responds to query messages with information stored in
Resource Records (RRs) for a domain name space stored on the server.
> Recursive Resolver - A DNS server that recursively queries for the information asked in the DNS
query.
> FQDN - A Fully Qualified Domain Name is the absolute name of a device within the distributed
DNS database.
> RR - A Resource Record is a format used in DNS messages that is composed of the following fields:
NAME, TYPE, CLASS, TTL, RDLENGTH, and RDATA.
> Zone - A database that contains information about the domain name space stored on an
authoritative server.

DNS Message Format

> DNS uses UDP port 53 for DNS queries and responses.
> DNS queries originate at a client and responses are issued from DNS servers.
> If a DNS response exceeds 512 bytes, such as when Dynamic DNS (DDNS) is used, TCP port 53 is
used to handle the message.
> DNS Record Types:
• A - An end device IPv4 address
• NS - An authoritative name server
• AAAA - An end device IPv6 address
• MX - A mail exchange record
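Added example (not course code) covering the two preceding sections: a query for an A record and the response that answers it, with the answer's Resource Record decoded into the NAME, TYPE, CLASS, TTL, RDLENGTH and RDATA fields listed under the DNS terms, and a check of whether the message size stays within the 512-byte UDP limit. The transaction ID, the name www.example.com and the address 192.0.2.1 are constructed sample values; the name compression pointer (0xC00C) is standard DNS encoding.

```python
"""Build and decode a DNS query and response, including one resource record.

Added example for these notes, not course code. The name, transaction ID and
answer address are constructed sample values.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

RECORD_TYPES = {1: "A", 2: "NS", 15: "MX", 28: "AAAA"}
CLASS_IN = 1
UDP_PAYLOAD_LIMIT = 512          # classic DNS: larger responses fall back to TCP


def encode_name(name: str) -> bytes:
    """Encode "www.example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following 0xC0 compression pointers.
    Returns (name, offset just past the name in its original position)."""
    labels: List[str] = []
    end = None                                     # set when we first leave the linear read
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (offset + 1 if end is None else end)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_a_response(query: bytes, address: str, ttl: int) -> bytes:
    """Answer an A query: copy the question and append one RR whose NAME is a
    pointer to offset 12, where the question name starts."""
    txid, _, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    _, q_end = decode_name(query, 12)
    question = query[12:q_end + 4]                 # QNAME + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180, qdcount, 1, 0, 0)   # QR, RD, RA set
    rdata = ipaddress.IPv4Address(address).packed
    rr = struct.pack("!HHHIH", 0xC00C, 1, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + rr


def parse_message(msg: bytes) -> Dict:
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _ = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, RECORD_TYPES.get(qtype, str(qtype))))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            rdata = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlength == 16:
            rdata = str(ipaddress.IPv6Address(rdata))
        answers.append({"name": name, "type": RECORD_TYPES.get(rtype, str(rtype)),
                        "class": rclass, "ttl": ttl, "rdlength": rdlength, "rdata": rdata})
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def transport_for(payload_len: int) -> str:
    """UDP port 53 unless the message exceeds the 512-byte limit."""
    return "UDP" if payload_len <= UDP_PAYLOAD_LIMIT else "TCP"


SAMPLE_QUERY = build_query(0x1234, "www.example.com")
SAMPLE_RESPONSE = build_a_response(SAMPLE_QUERY, "192.0.2.1", 300)

if __name__ == "__main__":
    print(parse_message(SAMPLE_RESPONSE), transport_for(len(SAMPLE_RESPONSE)))
```

A resolver matches the response to its outstanding query by transaction ID and question, which is why both are echoed back; the parser above returns them so that check can be made before the answer is trusted.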

Dynamic DNS

> Allows a user or organization to register an IP address with a domain name as in DNS.
> When the IP address of the mapping changes, the new mapping can be propagated through the
DNS almost instantaneously.

The WHOIS Protocol

WHOIS is a TCP-based protocol that is used to identify the owners of Internet domains through
the DNS system.

NAT — Overview

> Network Address Translation (NAT)
• There are not enough public IPv4 addresses to assign a unique address to each device connected to
the Internet.
• Private IPv4 addresses are used within an organization or site to allow devices to
communicate locally.
• Private IPv4 addresses cannot be routed over the Internet.
• NAT is used on border devices.

NAT-Enabled Routers

> Network Address Translation (NAT)
• When an internal device sends traffic out of the network, the NAT-enabled router
translates the internal IPv4 address of the device to a public address from the NAT pool.
• To outside devices, all traffic entering and exiting the network appears to have a public
IPv4 address from the provided pool of addresses.
• A NAT router typically operates at the border of a stub network.

Port Address Translation

> One-to-many — many internal addresses are translated to one or more public IP addresses.
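Added example (not course code): a simulation of a PAT border router that maps many private inside hosts onto one public address by allocating a distinct public port per flow, maps return traffic back through the same table, and drops inbound packets that match no existing translation. The public address 203.0.113.5, the inside hosts and the remote server are constructed sample values; the RFC 1918 ranges are the standard private blocks.

```python
"""Simulate Port Address Translation on a border router.

Added example for these notes, not course code. The public address, inside
hosts and remote server are constructed sample values (RFC 1918 / RFC 5737).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_ipv4(ip: str) -> bool:
    """True for the three RFC 1918 blocks, which cannot be routed on the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class PatRouter:
    """One public address shared by many inside hosts, distinguished by port."""

    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.next_port, self.max_port = port_range
        # (inside ip, inside port, proto) -> allocated public port
        self.outbound: Dict[Tuple[str, int, str], int] = {}
        # (public port, proto) -> (inside ip, inside port)
        self.inbound: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def translate_outbound(self, flow: Flow, proto: str = "tcp") -> Flow:
        src_ip, src_port, dst_ip, dst_port = flow
        if not is_private_ipv4(src_ip):
            return flow                     # not an inside address: pass through untouched
        key = (src_ip, src_port, proto)
        if key not in self.outbound:        # first packet of this flow: allocate a port
            if self.next_port > self.max_port:
                raise RuntimeError("PAT port pool exhausted")
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, proto)] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, flow: Flow, proto: str = "tcp") -> Optional[Flow]:
        """Return traffic is mapped back to the inside host; anything without
        a matching translation is dropped (None)."""
        src_ip, src_port, dst_ip, dst_port = flow
        if dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((dst_port, proto))
        if entry is None:
            return None
        return (src_ip, src_port, entry[0], entry[1])

    def table(self) -> List[Tuple[str, str]]:
        """Translation table rows as (inside local, inside global)."""
        return [(f"{ip}:{port}", f"{self.public_ip}:{pub}")
                for (ip, port, _), pub in self.outbound.items()]


def run_sample():
    nat = PatRouter("203.0.113.5")
    out1 = nat.translate_outbound(("192.168.1.10", 51000, "198.51.100.7", 80))
    # A second host happens to use the same source port; PAT keeps them apart.
    out2 = nat.translate_outbound(("192.168.1.11", 51000, "198.51.100.7", 80))
    back = nat.translate_inbound(("198.51.100.7", 80, "203.0.113.5", out2[1]))
    stray = nat.translate_inbound(("198.51.100.9", 4444, "203.0.113.5", 9999))  # no state: dropped
    return out1, out2, back, stray


if __name__ == "__main__":
    print(run_sample())
```

The dropped "stray" packet illustrates a side effect of PAT that the notes do not spell out: an outside host cannot reach an inside host unless the inside host spoke first, because there is no table entry to translate the inbound destination.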

File Transfer and Sharing Services

FTP and TFTP

> File Transfer Protocol (FTP)
• TCP-based.
• Used to push and pull data from a server.
> Trivial File Transfer Protocol (TFTP)
• UDP-based.
• Fast, but unreliable.
> Server Message Block (SMB)
• Client/server-based file sharing protocol.

SMB

> Server Message Block (SMB)
• Client/server-based file sharing protocol.
• This format uses a fixed-sized header, followed by a variable-sized parameter and data
component.
• SMB messages can start, authenticate, and terminate sessions, control file and printer
access, and allow an application to send or receive messages to or from another device.

Email Overview

> Email supports three separate protocols for operation:
• Simple Mail Transfer Protocol (SMTP)
• Post Office Protocol version 3 (POP3)
• Internet Message Access Protocol (IMAP)

The application layer process that sends mail uses SMTP. A client retrieves email using one of the
two application layer protocols: POP3 or IMAP.

SMTP

> Simple Mail Transfer Protocol (SMTP) — Port 25.
> After the connection is made, the client attempts to send the email to the server across
the connection.
> When the server receives the message, it either places the message in a local account, if
the recipient is local, or forwards the message to another mail server for delivery.

SMTP message formats require a message header and a message body. While the message body can
contain any amount of text, the message header must have a properly formatted recipient email address
and a sender address.
When a client sends email, the client SMTP process connects with a server SMTP process on well-
known port 25. After the connection is made, the client attempts to send the email to the server across
the connection. When the server receives the message, it either places the message in a local account, if
the recipient is local, or forwards the message to another mail server for delivery.
The destination email server may not be online or may be busy when email messages are sent.
Therefore, SMTP spools messages to be sent at a later time. Periodically, the server checks the queue for
messages and attempts to send them again. If the message is still not delivered after a predetermined
expiration time, it is returned to the sender as undeliverable.

POP3

> With POP3, mail is downloaded from the server to the client and then deleted on the server.
> With POP3, email messages are downloaded to the client and removed from the server, so there
is no centralized location where email messages are kept.

IMAP

> When a user connects to an IMAP-capable server, copies of the messages are downloaded to the
client application.
> When a user decides to delete a message, the server synchronizes that action and deletes the
message from the server.

HTTP Overview

> Hypertext Transfer Protocol (HTTP):
• Port 80
• Governs the way a web server and client interact.
• TCP-based
• Has specific server responses.
> Steps:
• The client initiates an HTTP request to the server.
• The server returns the HTML code for a webpage.
• The browser interprets the HTML code and displays the webpage.

The HTTP URL

> HTTP URLs can also specify the port on the server that should handle the HTTP methods.
> In addition, a URL can specify a query string and fragment.
> The query string typically contains information that is not handled by the HTTP server process itself
but is instead handled by another process that is running on the server.

The HTTP Protocol

> HTTP is a request/response protocol that uses TCP port 80.
> When a client, typically a web browser, sends a request to a web server, it will use one of six
methods that are specified by the HTTP protocol.
• GET - A client request for data. A client (web browser) sends the GET message to the web
server to request HTML pages.
• POST - Submits data to be processed by a resource.
• PUT - Uploads resources or content to the web server.
• DELETE - Deletes the resource specified.
• OPTIONS - Returns the HTTP methods that the server supports.
• CONNECT - Requests that an HTTP proxy server forwards the HTTP TCP session to the
desired destination.

HTTP Status Codes

> The HTTP server responses are identified with various status codes that inform the host
application of the outcome of client requests to the server. The codes are organized into
five groups.
• 1xx - Informational
• 2xx - Success
• 3xx - Redirection
• 4xx - Client Error
• 5xx - Server Error

MODULE 4

NETWORK INFRASTRUCTURE

SUBTOPIC 1

Network Devices

End Devices

> End Devices:
• Computers, laptops, servers, printers, smart devices, and mobile devices.
• Individual end devices are connected to the network by intermediary devices.
> Intermediary Devices:
• Connect the individual end devices to the network and also connect multiple individual
networks to form an internetwork.
• Provide connectivity and ensure that data flows across the network.

Routers

> Function of a Router:
• Provides path determination and packet forwarding.
• Responsible for encapsulating and de-encapsulating packets.
• Uses a routing table to determine the best path to use to send packets to a specified
network.
> Routing Table:
• Contains directly connected routes and remote routes.
• The router searches its routing table for a network address that matches the destination IP
address of a packet.
• Uses the gateway of last resort if learned or configured; otherwise, the packet is
discarded.
> The router performs the following three major steps:
1. It de-encapsulates the Layer 2 frame header and trailer to expose the Layer 3 packet.
2. It examines the destination IP address of the IP packet to find the best path in the routing
table.
3. If the router finds a path to the destination, it encapsulates the Layer 3 packet into a new
Layer 2 frame and forwards that frame out the exit interface.
> Devices have Layer 3 IPv4 addresses, while Ethernet interfaces have Layer 2 data link addresses.
The MAC addresses are shortened to simplify the illustration.

What does a router do with a packet received from one network and destined for another network? The
router performs the following three major steps:

1. It de-encapsulates the Layer 2 frame header and trailer to expose the Layer 3 packet.
2. It examines the destination IP address of the IP packet to find the best path in the routing table.
3. If the router finds a path to the destination, it encapsulates the Layer 3 packet into a new Layer
2 frame and forwards that frame out the exit interface.

Router Operation

> A primary function of a router is to determine the best path to use to send packets to each subnet.
To determine the best path, the router searches its routing table for a network address that
matches the destination IP address of the packet. The routing table search results in one of three
path determinations:
• Directly connected network - If the destination IP address of the packet belongs to a
device on a network that is directly connected to one of the interfaces of the router, that
packet is forwarded directly to the destination device.
• Remote network - If the destination IP address of the packet belongs to a remote network,
then the packet is forwarded to another router. Remote networks can only be reached by
forwarding packets to another router.
• No route determined - If the destination IP address of the packet does not belong to either
a connected or remote network, the router determines if there is a Gateway of Last Resort
available.
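Added example (not course code): a routing-table lookup that produces the three outcomes described above (directly connected, remote via a next hop, or gateway of last resort / discard), choosing the most specific matching prefix when several routes cover the destination. The networks, interface names and next-hop addresses are constructed sample values; the route source letters (C, S, O, D) follow the usual Cisco IOS table notation.

```python
"""Simulate a router's routing-table lookup for a destination address.

Added example for these notes, not course code. Networks, interface names and
next hops below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    network: ipaddress.IPv4Network
    exit_interface: str
    next_hop: Optional[str]     # None for a directly connected network
    source: str                 # C = connected, S = static, D = EIGRP, O = OSPF


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.gateway_of_last_resort: Optional[Route] = None

    def add_connected(self, network: str, exit_interface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(network), exit_interface, None, "C"))

    def add_remote(self, network: str, next_hop: str, exit_interface: str, source: str = "S") -> None:
        self.routes.append(Route(ipaddress.ip_network(network), exit_interface, next_hop, source))

    def set_gateway_of_last_resort(self, next_hop: str, exit_interface: str) -> None:
        self.gateway_of_last_resort = Route(ipaddress.ip_network("0.0.0.0/0"),
                                            exit_interface, next_hop, "S*")

    def lookup(self, destination: str) -> Dict:
        """Longest-prefix match first, then the default route, otherwise discard."""
        addr = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if addr in r.network]
        if matches:
            best = max(matches, key=lambda r: r.network.prefixlen)
            if best.next_hop is None:
                # Directly connected: the packet is framed straight to the destination host
                return {"result": "directly connected", "route": str(best.network),
                        "exit_interface": best.exit_interface, "next_hop": destination}
            return {"result": "remote network", "route": str(best.network),
                    "exit_interface": best.exit_interface, "next_hop": best.next_hop}
        if self.gateway_of_last_resort is not None:
            g = self.gateway_of_last_resort
            return {"result": "gateway of last resort", "route": "0.0.0.0/0",
                    "exit_interface": g.exit_interface, "next_hop": g.next_hop}
        return {"result": "no route (packet discarded)", "route": None,
                "exit_interface": None, "next_hop": None}


def build_sample_table() -> RoutingTable:
    """Constructed table: three connected links, one OSPF summary and a more
    specific static route inside it."""
    rt = RoutingTable()
    rt.add_connected("192.168.1.0/24", "GigabitEthernet0/0")
    rt.add_connected("10.0.0.0/30", "GigabitEthernet0/1")
    rt.add_connected("10.0.0.4/30", "GigabitEthernet0/2")
    rt.add_remote("172.16.0.0/16", "10.0.0.2", "GigabitEthernet0/1", "O")
    rt.add_remote("172.16.5.0/24", "10.0.0.6", "GigabitEthernet0/2", "S")
    return rt


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("192.168.1.20", "172.16.5.9", "172.16.9.1", "198.51.100.7"):
        print(dst, table.lookup(dst))
```

The two 172.16.x.x lookups show why the search is a longest-prefix match rather than a first match: 172.16.5.9 is covered by both the /16 and the /24, and the router must prefer the /24.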

Routing Information

> The routing table of a router stores the following information:
• Directly connected routes - These routes come from the active router interfaces.
• Remote routes - These are remote networks connected to other routers. Routes to these
networks can either be statically configured or dynamically learned through dynamic
routing protocols.
> The destination network entries in the routing table can be added in several ways:
• Local route interfaces — These are added when an interface is configured and active.
• Directly connected interfaces — These are added to the routing table when an interface
is configured and active.
• Static routes — These are added when a route is manually configured and the exit
interface is active.
• Dynamic routing protocols — These are added when routing protocols that dynamically learn
about the network, such as EIGRP or OSPF, are implemented and networks are identified.

Hubs, Bridges, LAN Switches

> An Ethernet hub acts as a multiport repeater that receives an incoming electrical signal (data)
on a port. It then immediately forwards a regenerated signal out all other ports. Hubs use
physical layer processing to forward data.
> Bridges have two interfaces and are connected between hubs to divide the network into
multiple collision domains. Each collision domain can have only one sender at a time.
> LAN switches are essentially multiport bridges that connect devices into a star topology. Like
bridges, switches segment a LAN into separate collision domains, one for each switch port. A
switch makes forwarding decisions based on Ethernet MAC addresses.

Switching Operation
Switches use MAC addresses to direct network communications through the switch, to the
appropriate port, and toward the destination. A switch is made up of integrated circuits and the
accompanying software that controls the data paths through the switch. For a switch to know which port
to use to transmit a frame, it must first learn which devices exist on each port. As the switch learns the
relationship of ports to devices, it builds a table called a MAC address table, or content addressable
memory (CAM) table. CAM is a special type of memory used in high-speed searching applications.
LAN switches determine how to handle incoming data frames by maintaining the MAC address
table. A switch builds its MAC address table by recording the MAC address of each device connected to
each of its ports. The switch uses the information in the MAC address table to send frames destined for a
specific device out the port which has been assigned to that device.

The following two-step process is performed on every Ethernet frame that enters a switch.

1. Learn — Examining the Source MAC Address

Every frame that enters a switch is checked for new information to learn. It does this by
examining the frame’s source MAC address and port number where the frame entered the switch.
If the source MAC address does not exist, it is added to the table along with the incoming port
number. If the source MAC address does exist, the switch updates the refresh timer for that entry.
By default, most Ethernet switches keep an entry in the table for five minutes.

2. Forward — Examining the Destination MAC Address

If the destination MAC address is a unicast address, the switch will look for a match
between the destination MAC address of the frame and an entry in its MAC address table. If the
destination MAC address is in the table, it will forward the frame out the specified port. If the
destination MAC address is not in the table, the switch will forward the frame out all ports except
the incoming port. This is called an unknown unicast.
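Added example (not course code): a simulation of the two-step learn/forward process, including the five-minute aging of MAC table entries and the unknown-unicast flood. Port names, the 00:00:5e:00:53:xx addresses (the IANA documentation MAC range) and the frame sequence are constructed; the caller supplies the clock so that aging can be shown without waiting.

```python
"""Simulate the learn/forward process of a LAN switch with an aging MAC table.

Added example for these notes, not course code. Port names, MAC addresses and
the frame sequence are constructed sample values.
"""
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Group bit: least significant bit of the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, ports: List[str], aging_seconds: int = 300):
        self.ports = list(ports)
        self.aging_seconds = aging_seconds                  # default entry lifetime: five minutes
        self.mac_table: Dict[str, Tuple[str, float]] = {}   # mac -> (port, last seen)

    def _age_out(self, now: float) -> None:
        """Drop entries whose refresh timer has expired."""
        for mac, (_, seen) in list(self.mac_table.items()):
            if now - seen >= self.aging_seconds:
                del self.mac_table[mac]

    def process_frame(self, in_port: str, src_mac: str, dst_mac: str, now: float) -> List[str]:
        """Return the list of ports the frame is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self._age_out(now)
        # Step 1 (learn): record or refresh the source address on the ingress port
        self.mac_table[src_mac] = (in_port, now)
        # Step 2 (forward): known unicast goes to one port; everything else floods
        if dst_mac != BROADCAST and not is_multicast(dst_mac):
            entry = self.mac_table.get(dst_mac)
            if entry is not None:
                out_port = entry[0]
                return [] if out_port == in_port else [out_port]   # same segment: filtered
        return [p for p in self.ports if p != in_port]            # unknown unicast / broadcast

    def lookup(self, mac: str) -> Optional[str]:
        entry = self.mac_table.get(mac)
        return entry[0] if entry else None


def run_sample() -> List[List[str]]:
    """Four constructed frames: flood, known forward, broadcast, flood after aging."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    host_a, host_b, host_c = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
    return [
        sw.process_frame("Fa0/1", host_a, host_b, now=0),      # B unknown: flood
        sw.process_frame("Fa0/2", host_b, host_a, now=1),      # A known: forward to Fa0/1 only
        sw.process_frame("Fa0/1", host_a, BROADCAST, now=2),   # broadcast: flood
        sw.process_frame("Fa0/3", host_c, host_a, now=400),    # A aged out: flood again
    ]


if __name__ == "__main__":
    for ports in run_sample():
        print(ports)
```

The last frame shows the aging behaviour: after five minutes without traffic from host A, its entry is gone and a frame addressed to it is flooded out every port again until A transmits and is relearned.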

VLANs

VLANs allow an administrator to segment networks based on factors such as function, project
team, or application, without regard for the physical location of the user or device, as shown in Figure.
Devices within a VLAN act as if they are in their own independent network, even if they share a common
infrastructure with other VLANs. Any switch port can belong to a VLAN. Unicast, broadcast, and multicast
packets are forwarded and flooded only to end devices within the VLAN where the packets are sourced.
Each VLAN is considered a separate logical network. Packets destined for devices that do not belong to
the VLAN must be forwarded through a device that supports routing.
> Segments networks based on multiple factors (function, project team, or application) regardless
of physical location.
> Creates logical broadcast domains that can span multiple physical LAN segments.
> Improves network performance by separating large broadcast domains into smaller ones.
> Prevents users on different VLANs from snooping on each other’s traffic.

STP

> Spanning Tree Protocol (STP)
• Ensures a single logical pathway between all destinations on a network by blocking
redundant paths.
• Prevents loops using strategically placed "blocking-state" ports.
• Uses bridge protocol data unit (BPDU) frames to prevent loops.

Multilayer Switching

> Multilayer switches support routed ports and Switched Virtual Interfaces (SVIs) to forward frames
based on Layer 3 information.
• Routed ports — a physical port acts like an interface on a router and is not associated with any
VLAN.
• SVI — a virtual interface that can be configured for any VLAN within a multilayer switch.

Wireless Communications

Protocols and Features

> Wireless LANs (WLANs):
• Use radio frequencies (RF) instead of cables at the physical layer and MAC sublayer of
the data link layer.
• Connect clients to a network through a wireless access point (AP) or wireless router,
instead of an Ethernet switch.

Wireless Network Operations

> The wireless client association process with an AP includes discovering a new wireless AP, authenticating
with that AP, then associating with that AP.
> Common configurable wireless parameters include:
• Network mode
• SSID
• Channel settings
• Security mode
• Encryption
• Password
> Wireless devices must discover and connect to an AP or wireless router. This process can be
passive or active.
> The 802.11 standard was originally developed with two authentication mechanisms: open
authentication provides wireless connectivity to any wireless device, and the shared key
authentication technique is based on a key that is pre-shared between the client and the AP.

WLANs also differ from wired LANs as follows:

> WLANs connect clients to the network through a wireless access point (AP) or wireless router,
instead of an Ethernet switch.
> WLANs connect mobile devices that are often battery powered, as opposed to plugged-in LAN
devices. Wireless NICs tend to reduce the battery life of a mobile device.
> WLANs support hosts that contend for access on the RF media (frequency bands). 802.11
prescribes collision-avoidance (CSMA/CA) instead of collision-detection (CSMA/CD) for media
access to proactively avoid collisions within the media.
> WLANs use a different frame format than wired Ethernet LANs. WLANs require additional
information in the Layer 2 header of the frame.
> WLANs raise more privacy issues because radio frequencies can reach outside the facility.

All Layer 2 frames consist of a header, payload, and FCS section as shown in Figure 2. The 802.11
frame format is similar to the Ethernet frame format, with the exception that it contains additional
fields.
As shown in Figure 2, all 802.11 wireless frames contain the following fields:
> Frame Control - Identifies the type of wireless frame and contains subfields for protocol version,
frame type, address type, power management, and security settings.
> Duration - Typically used to indicate the remaining time needed to receive the next frame
transmission.
> Address1 - Usually contains the MAC address of the receiving wireless device or AP.
> Address2 - Usually contains the MAC address of the transmitting wireless device or AP.
> Address3 - Sometimes contains the MAC address of the destination, such as the router interface
(default gateway) to which the AP is attached.
> Sequence Control - Contains the Sequence Number and the Fragment Number subfields. The
Sequence Number indicates the sequence number of each frame. The Fragment Number indicates
the number of each frame sent of a fragmented frame.
> Address4 - Usually empty because it is used only in ad hoc mode.
> Payload - Contains the data for transmission.
> FCS - Frame Check Sequence; used for Layer 2 error control.
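Added example (not course code): building an 802.11 data frame from the fields listed above and decoding it again, including the Frame Control subfields, the Sequence Control split into sequence and fragment numbers, and an FCS check. The three MAC addresses (IANA documentation range), the sequence number and the payload are constructed. Two facts the code relies on that the list above does not state: 802.11 header fields are little-endian, and in the standard Address4 is present only when both the To DS and From DS bits of Frame Control are set.

```python
"""Build and decode an 802.11 data frame header field by field.

Added example for these notes, not course code. The addresses, sequence number
and payload are constructed sample values; 802.11 header fields are little-endian
and the FCS is the same CRC-32 used by Ethernet.
"""
import struct
import zlib
from typing import Dict, Optional

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_data_frame(addr1: bytes, addr2: bytes, addr3: bytes, seq_num: int,
                     payload: bytes, to_ds: bool = True, from_ds: bool = False,
                     addr4: Optional[bytes] = None, duration: int = 44) -> bytes:
    """Frame Control = version 0, type 2 (data), subtype 0, flag bits To DS / From DS."""
    flags = (1 if to_ds else 0) | (2 if from_ds else 0)
    frame_control = (2 << 2) | (flags << 8)
    seq_ctrl = (seq_num << 4) | 0                    # fragment number 0 in the low 4 bits
    header = struct.pack("<HH", frame_control, duration) + addr1 + addr2 + addr3
    header += struct.pack("<H", seq_ctrl)
    if to_ds and from_ds:                            # four-address frame (wireless bridge)
        header += addr4 or b"\x00" * 6
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)   # FCS trailer


def parse_frame(raw: bytes) -> Dict:
    if len(raw) < 28:
        raise ValueError("frame too short for a data frame header plus FCS")
    fc, duration = struct.unpack("<HH", raw[:4])
    flags = fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    offset, addr4 = 24, None
    if to_ds and from_ds:
        addr4 = mac_str(raw[24:30])
        offset = 30
    seq_ctrl = struct.unpack("<H", raw[22:24])[0]
    fcs_received = struct.unpack("<I", raw[-4:])[0]
    return {
        "protocol_version": fc & 0x3,
        "type": FRAME_TYPES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,
        "to_ds": to_ds, "from_ds": from_ds,
        "retry": bool(flags & 0x08), "power_mgmt": bool(flags & 0x10),
        "protected": bool(flags & 0x40),              # payload is encrypted
        "duration": duration,
        "address1": mac_str(raw[4:10]), "address2": mac_str(raw[10:16]),
        "address3": mac_str(raw[16:22]), "address4": addr4,
        "sequence_number": seq_ctrl >> 4, "fragment_number": seq_ctrl & 0xF,
        "payload": raw[offset:-4],
        "fcs_ok": fcs_received == (zlib.crc32(raw[:-4]) & 0xFFFFFFFF),
    }


# Constructed sample: a station sends to the AP (To DS) for delivery to the gateway.
AP_MAC = bytes.fromhex("00005e005301")
STATION_MAC = bytes.fromhex("00005e005302")
GATEWAY_MAC = bytes.fromhex("00005e005303")
SAMPLE_FRAME = build_data_frame(AP_MAC, STATION_MAC, GATEWAY_MAC, seq_num=17, payload=b"hello")

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

In the To DS case the roles line up with the field descriptions above: Address1 is the receiving AP, Address2 the transmitting station, and Address3 the final destination behind the AP. A frame whose FCS does not verify is discarded at Layer 2, which the `fcs_ok` flag models.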

The Client to AP Association Process

> A wireless client goes through a three-stage process to associate with an AP.
> Discovery: A wireless client locates the AP to associate with.
> Authentication:
• The wireless client sends an authentication frame to the AP.
• The AP responds with a challenge text.
• The client encrypts the message using its shared key and returns the encrypted text back
to the AP.
• The AP then decrypts the encrypted text using its shared key.
• If the decrypted text matches the challenge text, the AP authenticates the client.
> Association:
• The wireless client forwards an Association Request frame that includes its MAC address.
• The AP responds with an Association Response that includes the AP MAC address.
• The AP maps a logical port to the wireless client.

Wireless Devices — AP, LWAP, WLC

> Access Point (AP):
• Small network — usually a wireless router that integrates the functions of a router.
• Large network — can be many APs.
> Wireless LAN Controller (WLC):
• Controls and manages the functions of the APs on a network.
• Simplifies configuration and monitoring of numerous APs.
> Lightweight AP (LWAP):
• Centralized management by WLC.
• No longer acts autonomously.

SUBTOPIC 2

Security Devices

Firewalls

> Some common firewall properties:
• Firewalls are resistant to network attacks.
• All traffic flows through the firewall.
• Firewalls enforce the access control policy.
> Several benefits of using a firewall in a network:
• Prevents the exposure of sensitive hosts, resources, and applications to untrusted users.
• Sanitizes protocol flow.
• Blocks malicious data from servers and clients.
• Reduces security management complexity.
> Firewalls also present some limitations:
• A misconfigured firewall can have serious consequences for the network.
• The data from many applications cannot be passed over firewalls securely.
• Users search for ways around the firewall to receive blocked material.
• Network performance can slow down.
• Unauthorized traffic can be tunneled as legitimate traffic through the firewall.

Firewall Type Descriptions

> Packet filtering (stateless) firewalls - Usually part of a router firewall, which permits or denies
traffic based on Layer 3 and Layer 4 information.
> Stateful firewalls:
• Allow or block traffic based on state, port, and protocol.
• Monitor all activity from the opening of a connection until it is closed.
> Application gateway firewalls (proxy firewall) - Filter information at Layers 3, 4, 5, and 7 of the
OSI reference model.
> Host-based (server and personal) firewall - A PC or server with firewall software running on it.
> Transparent firewall - Filters IP traffic between a pair of bridged interfaces.
> Hybrid firewall - A combination of the various firewall types.

Packet Filtering Firewalls

> Usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4
information.
> Are stateless firewalls that use a simple policy table look-up that filters traffic based on specific
criteria.

Stateful Firewalls

> The most versatile and common firewall technology in use.
> Provides stateful packet filtering by using connection information maintained in a state table.
> Classified at the network layer but also analyzes traffic at OSI Layer 4 and Layer 5.

[Figure: OSI model stack, Layer 1 Physical through Layer 7 Application; only the layer labels survived extraction.]
Next-Generation Firewalls

> Provide standard firewall capabilities like stateful inspection.
> Contain integrated intrusion prevention.
> Use application awareness and control to see and block risky apps.
> Upgrade paths to include future information feeds.
> Implement techniques to address evolving security threats.

Intrusion Prevention and Detection Devices

Common Characteristics of IDS and IPS

[Figure: common characteristics of IDS and IPS; the figure content did not survive extraction.]

Advantages and Disadvantages of IDS and IPS

> IDS
• Advantages:
o No impact on network (latency, jitter)
o No network impact if there is a sensor failure
o No network impact if there is sensor overload
• Disadvantages:
o Response action cannot stop trigger packets
o Correct tuning required for response actions
o More vulnerable to network security evasion techniques
> IPS
• Advantages:
o Stops trigger packets
o Can use stream normalization techniques
• Disadvantages:
o Sensor issues might affect network traffic
o Sensor overloading impacts the network
o Some impact on network (latency, jitter)

Types of IPS

> Host-based IPS (HIPS):
• Software installed on a single host to monitor and analyze suspicious activity.
• Monitors and protects the operating system and critical system processes that are specific to
that host.
• Combines antivirus software, antimalware software, and firewall.
> Network-based IPS:
• Implemented using a dedicated or non-dedicated IPS device.
• A critical component of intrusion prevention.
• Sensors detect malicious and unauthorized activity in real time and can take action when
required.

Specialized Security Appliances

> Cisco Advanced Malware Protection (AMP):
• An enterprise-class advanced malware analysis and protection solution.
• Provides comprehensive malware protection for organizations before, during, and after
an attack.
> Cisco Web Security Appliance (WSA) with Cloud Web Security (CWS):
• WSA protects the network by automatically blocking risky sites and testing unknown sites
before allowing users to access them.
• WSA provides malware protection, application visibility and control, acceptable use policy
controls, insightful reporting and secure mobility.
• CWS enforces secure communication to and from the Internet.
• CWS provides remote workers the same level of security as onsite employees.
> Cisco Email Security Appliance (ESA):
• Defends mission-critical email systems.
• Detects and correlates threats using a worldwide database monitoring system.

Traffic Control with ACLs

> Access Control Lists (ACLs) - An ACL is a series of commands that control whether a device forwards or
drops packets based on information found in the packet header. ACLs:
• Limit network traffic to increase network performance.
• Provide traffic flow control.
• Provide a basic level of security for network access.
• Filter traffic based on traffic type.
• Screen hosts to permit or deny access to network services.

ACLs: Important Features

> The two types of Cisco IPv4 ACLs are standard and extended.
> Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses. Extended
ACLs filter IPv4 packets based on several attributes that include:
• Protocol type
• Source IPv4 address
• Destination IPv4 address
• Source TCP or UDP ports
• Destination TCP or UDP ports
• Optional protocol type information for finer control
> Standard and extended ACLs can be created using either a number or a name to identify the ACL
and its list of statements.
> An ACL message can be generated and logged when traffic meets the permit or deny criteria
defined in the ACL.
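Added example (not course code, and not something that runs on a router) serving both the ACL section above and the earlier packet-filtering versus stateful firewall descriptions: a first-match evaluator for standard and extended ACL entries with Cisco-style wildcard masks, the implicit deny at the end of every list and per-entry logging, followed by a minimal stateful filter that admits inbound traffic only when it is the return half of a connection it saw leave. The ACL entries, addresses and sample packets are constructed values.

```python
"""Evaluate packets against standard and extended ACL entries, then show how
a stateful firewall differs by tracking connections.

Added example for these notes, not course code. Addresses, ACL entries and the
sample packets are constructed values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ANY = ("0.0.0.0", "255.255.255.255")    # Cisco "any": wildcard mask of all ones


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask semantics: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class Ace:
    action: str                          # "permit" or "deny"
    proto: str = "ip"                    # "ip" matches every protocol
    src: Tuple[str, str] = ANY           # (address, wildcard mask)
    dst: Tuple[str, str] = ANY
    dst_port: Optional[int] = None       # "eq <port>" on the destination
    log: bool = False


@dataclass
class Acl:
    name: str
    kind: str                            # "standard" (source only) or "extended"
    entries: List[Ace] = field(default_factory=list)
    log_lines: List[str] = field(default_factory=list)

    def matches(self, ace: Ace, pkt: Packet) -> bool:
        if not wildcard_match(pkt.src, *ace.src):
            return False
        if self.kind == "standard":      # standard ACLs look at the source address only
            return True
        if ace.proto != "ip" and ace.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.dst, *ace.dst):
            return False
        return ace.dst_port is None or ace.dst_port == pkt.dst_port

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First matching entry wins; the implicit deny at the end has index None."""
        for i, ace in enumerate(self.entries):
            if self.matches(ace, pkt):
                if ace.log:
                    self.log_lines.append(f"{self.name} line {i + 1} {ace.action} {pkt.proto} "
                                          f"{pkt.src}:{pkt.src_port} -> {pkt.dst}:{pkt.dst_port}")
                return ace.action, i
        return "deny", None


class StatefulFilter:
    """An ACL judges each packet alone; a stateful firewall records connections
    it allowed outbound and admits only the matching return traffic."""

    def __init__(self) -> None:
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> str:
        self.state.add((pkt.proto, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)
        return "permit" if reverse in self.state else "deny"


def build_samples() -> Tuple[Acl, Acl, StatefulFilter]:
    """Constructed lists: a numbered standard ACL and a named extended ACL."""
    standard = Acl("10", "standard", [Ace("permit", src=("192.168.1.0", "0.0.0.255"))])
    extended = Acl("OUTSIDE-IN", "extended", [
        Ace("permit", "tcp", ANY, ("192.0.2.10", "0.0.0.0"), dst_port=443, log=True),
        Ace("deny", "ip", ANY, ANY, log=True),
    ])
    return standard, extended, StatefulFilter()


if __name__ == "__main__":
    std, ext, fw = build_samples()
    print(ext.evaluate(Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 443)))
    print(ext.evaluate(Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 22)), ext.log_lines)
```

The stateful part makes the difference concrete: the same inbound packet from 198.51.100.7 port 80 is denied before the inside host has opened a connection and permitted afterwards, with no ACL entry needed for the return direction.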

SNMP

> SNMP allows administrators to manage end devices such as servers, workstations, routers,
switches, and security appliances.
> The SNMP system consists of three elements:
• Manager that runs SNMP management software.
• Agents which are the nodes being monitored and managed.
• Management Information Base (MIB) — this is a database on the agent that stores data
and operational statistics about the device.

NetFlow

> A Cisco IOS technology that provides statistics on packets flowing through a Cisco router or
multilayer switch.
> Provides data to enable network and security monitoring, network planning, traffic analysis, and
IP accounting for billing purposes.

Port Mirroring

> A feature that allows a switch to make duplicate copies of traffic passing through a switch, and
then send the data out a port with a network monitor attached.
> The original traffic is forwarded in the usual manner.

Syslog Servers

> The most common method of accessing system messages.
> Allows networking devices to send their system messages across the network to syslog servers.
> The syslog logging service provides three primary functions:
• Gather logging information for monitoring and troubleshooting.
• Select the type of logging information that is captured.
• Specify the destination of captured syslog messages.

NTP

> Allows routers on the network to synchronize their time settings with an NTP server and use strata
levels.
> NTP can be set up to synchronize to a private master clock or it can synchronize to a publicly
available NTP server on the Internet.
> NTP servers are arranged in levels known as strata:
• Stratum 0 - High-precision timekeeping devices assumed to be accurate and with little or
no delay.
• Stratum 1 - Connected to the authoritative time sources. They act as the primary network
time standard.
• Stratum 2 and lower - Connected to stratum 1 devices through network connections.
Stratum 2 devices synchronize their time using the NTP packets from stratum 1 servers.
They could also act as servers for stratum 3 devices.

AAA Servers

> AAA services are a set of three independent security functions: Authentication, Authorization, and
Accounting/auditing.
• Authentication - Users and administrators must prove that they are who they say they
are.
o Username and password combinations, challenge and response questions, token
cards, and other methods.
o AAA authentication provides a centralized way to control access to the network.
• Authorization - After authentication, determine which resources the user can access and
which operations the user is allowed to perform.
• Accounting and auditing - Accounting records what the user does, what is accessed, the
amount of time the resource is accessed, and any changes that were made. Accounting
keeps track of how network resources are used.

VPN

> This is a private network that is created over a public network.
> A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported
across the public network.
> IPsec services allow for authentication, integrity, access control, and confidentiality.

Network Topologies

Overview of Network Components

> Network infrastructure contains three categories of network components:
• Devices
• Media
• Services

[Figure: devices, media and services (processes and rules) connecting two LANs into an internetwork; only the labels survived extraction.]

Physical and Logical Topologies

» Physical Topology refers to the physical connections and identifies how end devices and
infrastructure devices are interconnected.
>» Logical Topology refers to the way a network transfers frames from one node to the next.

WAN Topologies

» Point-to-Point - Consists of a permanent link between two endpoints.
» Hub and Spoke - A WAN version of the star topology in which a central site interconnects branch
sites using point-to-point links.
» Mesh - This topology provides high availability but requires that every end system be
interconnected to every other system.

LAN Topologies

» Star - End devices are connected to a central intermediate device.
» Extended Star - In an extended star topology, additional Ethernet switches interconnect other
star topologies.
» Bus - All end systems are chained to each other and terminated in some form on each end.
» Ring - End systems are connected to their respective neighbors, forming a ring. Unlike the bus
topology, the ring does not need to be terminated.

The Three-Layer Network Design Model

» Three-Layer Hierarchical Model
  • Access layer:
    o Provides endpoints and users direct access to the network.
    o User traffic is initiated at this layer.
  • Distribution layer:
    o Aggregates access layers.
    o Provides connectivity to services.
  • Core layer:
    o Provides connectivity between distribution layers.
» Collapsed Core
  • Core and distribution layers are collapsed into one layer.
  • Reduces cost and complexity.

Common Security Architectures

» Firewall design is primarily about device interfaces permitting or denying traffic based on the
source, the destination, and the type of traffic. Some designs are as simple as designating an
outside network and inside network. A firewall with two interfaces is configured as follows:
  • Traffic originating from the private network is permitted and inspected as it travels
    toward the public network. Inspected traffic returning from the public network and
    associated with traffic that originated from the private network is permitted.
  • Traffic originating from the public network and traveling to the private network is
    generally blocked.
» A demilitarized zone (DMZ) is a firewall design where there is typically one inside interface
connected to the private network, one outside interface connected to the public network, and
one DMZ interface:
  • Traffic originating from the private network is inspected as it travels toward the public or
    DMZ network. This traffic is permitted with little or no restriction. Return traffic is usually
    permitted.
  • Traffic originating from the DMZ network and traveling to the private network is usually
    blocked.
  • Traffic originating from the DMZ network and traveling to the public network is selectively
    permitted based on service requirements.
  • Traffic originating from the public network and traveling toward the DMZ is selectively
    permitted and inspected. Return traffic is dynamically permitted.
  • Traffic originating from the public network and traveling to the private network is
    blocked.
» Zone-based policy firewalls (ZPFs) use the concept of zones to provide additional flexibility.
» A zone is a group of one or more interfaces that have similar functions or features.
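The two-interface and DMZ designs above reduce to the same mechanism: a per zone-pair policy for new connections, plus a session table so that return traffic is "dynamically permitted" without any static rule for the reverse direction. The model below is an added example written for these notes, not course material or any firewall vendor's code; the zone address ranges, the policy table and the packets are constructed (192.0.2.0/24 and 203.0.113.0/24 are documentation address ranges), and the zone-pair table is the ZPF idea in its simplest form.

```python
"""Stateful zone-based firewall policy model.

Added example for these notes; not course material or vendor code.
Zone addressing, policy table and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Service = Tuple[str, int]                   # (protocol, destination port)
FlowKey = Tuple[str, str, int, str, int]    # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Zones are address ranges here; anything that matches no range is the public "outside".
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

ANY: FrozenSet[Service] = frozenset({("*", 0)})   # marker object: every service permitted

# Zone-pair policy mirroring the DMZ design in the notes. Pairs absent from the
# table (outside->inside, dmz->inside) are denied by default.
POLICY: Dict[Tuple[str, str], FrozenSet[Service]] = {
    ("inside", "outside"): ANY,                              # little or no restriction
    ("inside", "dmz"): ANY,
    ("outside", "dmz"): frozenset({("tcp", 80), ("tcp", 443)}),   # selectively permitted
    ("dmz", "outside"): frozenset({("udp", 53), ("udp", 123)}),   # service requirements only
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


class StatefulFirewall:
    def __init__(self, policy: Dict[Tuple[str, str], FrozenSet[Service]]) -> None:
        self.policy = policy
        self.sessions: Set[FlowKey] = set()   # flows whose first packet was permitted

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def process(self, p: Packet) -> Tuple[bool, str]:
        # Return traffic is checked against the session table first, so replies are
        # permitted dynamically even when the reverse zone pair has no static rule.
        if self._reverse(p) in self.sessions:
            return True, "return traffic for a tracked session"
        src, dst = zone_of(p.src_ip), zone_of(p.dst_ip)
        if src == dst:
            return True, f"intra-zone ({src})"
        allowed = self.policy.get((src, dst), frozenset())
        if allowed is ANY or (p.proto, p.dst_port) in allowed:
            self.sessions.add(self._key(p))
            return True, f"{src}->{dst} permitted and inspected"
        return False, f"{src}->{dst} blocked"


def run_demo() -> List[Tuple[bool, str]]:
    """Constructed packet sequence covering each case in the notes."""
    fw = StatefulFirewall(POLICY)
    packets = [
        Packet("tcp", "10.1.1.5", 40000, "203.0.113.9", 443),    # inside -> public: permit
        Packet("tcp", "203.0.113.9", 443, "10.1.1.5", 40000),    # its reply: permit (session)
        Packet("tcp", "203.0.113.9", 5555, "10.1.1.5", 22),      # unsolicited public -> inside: block
        Packet("tcp", "203.0.113.9", 51000, "192.0.2.10", 443),  # public -> DMZ web: permit
        Packet("tcp", "203.0.113.9", 51001, "192.0.2.10", 22),   # public -> DMZ, not offered: block
        Packet("tcp", "192.0.2.10", 33000, "10.1.1.5", 3306),    # DMZ -> inside: block
        Packet("udp", "192.0.2.10", 33001, "203.0.113.53", 53),  # DMZ -> public DNS: permit
        Packet("udp", "203.0.113.53", 53, "192.0.2.10", 33001),  # DNS reply: permit (session)
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for ok, reason in run_demo():
        print("PERMIT" if ok else "DENY  ", reason)
```

The third and sixth packets show why the session table matters for defence: a packet from the public network or the DMZ toward the private network is only ever permitted when it answers a flow the private side opened, so compromising a DMZ host does not by itself give a path inward.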
