
Networking devices (Layers 1, 2, 3)

When studying for network certification exams such as CompTIA Network+, a deep
understanding of all of the OSI layers is crucial to your success. Layers 1 through 3 in
particular are pivotal but often overlooked, and they can be confusing.

An important thing to understand is that each protocol implements these layers in nuanced
ways. It is easiest to understand them in terms of how each specific protocol has implemented
them. Let's take a brief look at Layers 1 through 3 of the OSI model — and how they work with
different elements of networks.

Layer 1: Physical Layer


Layer 1 is fairly easy to understand. It covers the physical aspects of networking and is the
lowest, most physical "rocks and blocks" layer of the model. Wiring standards such as T568A and
T568B for Ethernet, or which radio frequencies to use for Wi-Fi, play an important role in this
layer. Some protocols operate in multiple layers; Ethernet is an example. In Layer 1, it
utilizes physical cabling and radio frequency standards along with the conversion of data to bits.
We will talk more later about its presence and operation in Layer 2.

Layer 1 Data
Data at this layer is simply bits sent across a wire: many, many zeros and ones. The argument
could be made that all computer data is stored in bits, and ultimately it is. This is the OSI
layer where data exists as raw bits so that it can be transmitted somewhere else.

Layer 1 Equipment
The type of equipment involved in Layer 1 uses little to no logic when operating: copper Ethernet
cables, fiber optic cables, and Ethernet hubs. This is not limited to physical cables, though.
The physical transmission aspects of Wi-Fi, Bluetooth, microwave, and other over-the-air
technologies fall under this layer.

An easy-to-understand non-network example of this is electricity. For the most part you simply
plug your appliance into the outlet and power is delivered. In the OSI model, swap out power
with data.

Layer 2: Data Link Layer


Layer 2 is where many students get hung up when learning networking basics. Most people
understand that MAC addresses exist at Layer 2, but other than that, why does this layer exist?
This layer is primarily involved in transmitting data from one specific node to another. These
nodes are usually directly connected, whether that's via LAN, WAN or MAN.

Two sublayers exist here, which is where the confusion can set in: Medium Access Control (MAC)
and Logical Link Control (LLC). It is important to understand that each protocol implements its
lower layers differently. Ethernet follows IEEE 802 and allows for variable-sized data, while
protocols like ATM (Asynchronous Transfer Mode) use fixed 53-byte units that ATM calls "cells."

In Ethernet, Virtual LAN (VLAN) is an important technology implemented here. VLANs help split
up broadcast domains by allowing you to segment devices onto their own dedicated LAN. When
carrying multiple VLANs over a single port, frames are differentiated with a VLAN header. 802.1Q
is the standard today; Cisco's proprietary ISL was another before 802.1Q became the standard.

Layer 2 Data
Data at this layer is referred to as a frame. Frames have basic data in them such as a source
address and a destination address as well as payload. That basic data is often referred to as a
header, a type of metadata. The protocol "Frame Relay" gets its name from operating at this
layer.

Layer 2 Equipment
Equipment at this layer is a little more intelligent and consists of switches, bridges, and
network cards. It can use the frame header to determine exactly where a frame goes. A switch
reads the destination MAC address and forwards the frame directly to the specific port that MAC
address is plugged into. A hub, on the other hand, simply repeats traffic to all ports because it
does not operate at Layer 2 and therefore does not have this intelligence.
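The hub-versus-switch behaviour described above, as an added Python example (this is not code from the original page; the MAC addresses, port numbers and frame contents are constructed). The hub has no addressing logic and repeats every frame to every other port; the switch learns which port each source MAC arrived on and, once it knows the destination, forwards only there.

```python
"""Toy Layer 1 hub versus Layer 2 learning switch (added example)."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: bytes


class Hub:
    """Layer 1 device: no addressing logic, so every other port gets every frame."""

    def __init__(self, port_count: int) -> None:
        self.port_count = port_count

    def forward(self, ingress_port: int, frame: Frame) -> list[int]:
        return [p for p in range(self.port_count) if p != ingress_port]


class LearningSwitch:
    """Layer 2 device: learns which port each source MAC lives on and forwards
    unicast frames only there; unknown destinations and broadcasts are flooded."""

    def __init__(self, port_count: int) -> None:
        self.port_count = port_count
        self.mac_table: dict[str, int] = {}

    def forward(self, ingress_port: int, frame: Frame) -> list[int]:
        # Learning: the source MAC is reachable via the port the frame came in on.
        self.mac_table[frame.src_mac] = ingress_port
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table:
            # Flooding: until the destination has been learned, behave like a hub.
            return [p for p in range(self.port_count) if p != ingress_port]
        out_port = self.mac_table[frame.dst_mac]
        # Never send a frame back out the port it arrived on.
        return [] if out_port == ingress_port else [out_port]


def demo() -> dict:
    """Run the same three frames through a hub and a switch; return what each did."""
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"  # constructed MACs
    frames = [
        (0, Frame(host_a, host_b, b"hello")),  # A (port 0) -> B, B not yet learned
        (2, Frame(host_b, host_a, b"reply")),  # B (port 2) -> A, A already learned
        (0, Frame(host_a, host_b, b"again")),  # A -> B, both now learned
    ]
    hub, switch = Hub(4), LearningSwitch(4)
    return {
        "hub": [hub.forward(port, f) for port, f in frames],
        "switch": [switch.forward(port, f) for port, f in frames],
        "mac_table": dict(switch.mac_table),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The first frame is flooded by both devices because the switch has not yet seen host B; from the reply onward the switch delivers to a single port while the hub keeps repeating to all three, which is why anything plugged into a hub can read everyone else's traffic.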

Layer 2A – Medium Access Control


Medium Access Control entails quite a few important functions. Carrier Sense Multiple Access
with Collision Detection (CSMA/CD) is a mechanism Ethernet uses to deal with collisions on
half-duplex networks. Today, with Gigabit Ethernet and higher, there is virtually no half duplex
and therefore no need for it.

With that said, speed and duplex negotiation can sometimes go wrong for a number of reasons
and fall back to half duplex. Wi-Fi networks use a different but similar protocol, CSMA/CA, where
the CA stands for Collision Avoidance. The Media Access Control (MAC) address also lives here,
providing a unique address for each endpoint on the Layer 2 topology.

Layer 2B – Logical Link Control


One of LLC's main features is that it acts as a helper layer between Layer 2's MAC sublayer and
Layer 3. It does this by providing mechanisms for multiplexing Layer 3 protocols, which is a fancy
way of saying it allows multiple Layer 3 protocols to be used simultaneously over the same
medium.

Internet Protocol (IP) is currently the predominant Layer 3 protocol, but it is not the only one.
Flow control and error handling at this layer are not used by Ethernet; other protocols, like
X.25, do implement them here.
Layer 3: Network Layer
The network layer may be the one most people are exposed to. It is hard to come across any IT
professional who has not heard of an IP address. The "IP" in TCP/IP is a Layer 3 protocol. IPX
was a very popular Layer 3 protocol within the IPX/SPX protocol suite in NetWare's heyday.

The network layer provides a logical address for an endpoint. Layer 2 addresses are typically
assigned by the vendor during manufacturing, whereas Layer 3 addresses are usually configured,
either as a static IP configuration or automatically through DHCP.

Layer 3 Data
Data at this layer is referred to as a packet, which is a stateless grouping of data. Devices that
forward packets do not validate that the other end receives the data. Instead, they leave that to
higher-layer protocols to implement, should they choose to. For example, TCP, a Layer 4
protocol, does; UDP, another Layer 4 protocol, does not.

Layer 3 Equipment
Routers are the common equipment used at this layer but there are many others. Layer 3
switches are also very common. Those are essentially Layer 2 switches with a router built into
the backplane for speed. Firewalls, while able to operate at higher layers, can operate purely at
this layer. Earlier versions of firewalls were not stateful and often used static filtering at Layer 3.

L1, L2 vs L3: What's the Difference?


This can be a lot to take in and digest. To sum it up though, Layer 3 packets carry payloads from
higher layer protocols that are ultimately generated from applications like web browsers and
email clients. At Layer 3, the source and destinations could be very far from the location of the
traffic.

The packets are like passengers on a flight. Their departure could have been at one end of the
country and arrival at the other end — but their current position somewhere in between with
layovers along the way. Along each hop, this packet is encapsulated and decapsulated with a
frame header. Usually the source and destination of these frames have adjacency with each
other which means direct connectivity.

At each node, the bits received over a wire (or the air) are reassembled into a frame, which then
climbs up the OSI layers. After processing, it is time to send to the next node, and the data
goes back down the OSI layers: the frame is broken down into bits and transmitted over the wire
to the next hop. All of the OSI model works through this encapsulation and decapsulation process.
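The encapsulation and decapsulation described above, and the 802.1Q VLAN tag mentioned in the Layer 2 section, as an added Python example (not code from the original page). It builds a minimal IPv4 packet, wraps it in an Ethernet frame for the first hop, then does what a router does at each hop: strip the frame, decrement the TTL, recompute the header checksum and re-frame for the next adjacent node. MAC and IP addresses and the payload are constructed; IPv4 headers without options are assumed.

```python
"""Encapsulation across one routed hop: Ethernet/802.1Q frame around an IPv4 packet."""
import socket
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src_ip: str, dst_ip: str, payload: bytes, ttl: int = 64, proto: int = 17) -> bytes:
    """20-byte IPv4 header (version 4, IHL 5, no options) followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def build_frame(src_mac: str, dst_mac: str, packet: bytes, vlan: Optional[int] = None) -> bytes:
    """Ethernet II frame; with a VLAN id an 802.1Q tag (PCP/DEI = 0) is inserted."""
    header = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + packet


def parse_frame(frame: bytes) -> dict:
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype, "packet": frame[offset:]}


def parse_ipv4(packet: bytes) -> dict:
    ihl = (packet[0] & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "ttl": packet[8],
        "proto": packet[9],
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:],
    }


def forward_hop(frame: bytes, out_src_mac: str, next_hop_mac: str, vlan: Optional[int] = None) -> bytes:
    """Router behaviour per hop: decapsulate, decrement TTL, re-checksum, re-encapsulate."""
    packet = bytearray(parse_frame(frame)["packet"])
    if packet[8] <= 1:
        raise ValueError("TTL expired: a router would drop this and send ICMP Time Exceeded")
    packet[8] -= 1
    packet[10:12] = b"\x00\x00"
    packet[10:12] = struct.pack("!H", ip_checksum(bytes(packet[:20])))
    return build_frame(out_src_mac, next_hop_mac, bytes(packet), vlan)


def demo() -> dict:
    payload = b"GET / HTTP/1.1\r\n"  # constructed upper-layer data
    packet = build_ipv4("10.0.1.5", "203.0.113.9", payload, ttl=64, proto=6)
    # Hop 1: the host frames the packet for its default gateway on VLAN 10.
    hop1 = build_frame("02:00:00:00:00:05", "02:00:00:00:00:01", packet, vlan=10)
    # Hop 2: the gateway strips that frame and builds a new one for the next router.
    hop2 = forward_hop(hop1, "02:00:00:00:01:01", "02:00:00:00:01:02")
    f1, f2 = parse_frame(hop1), parse_frame(hop2)
    return {"hop1_frame": f1, "hop1_ip": parse_ipv4(f1["packet"]),
            "hop2_frame": f2, "hop2_ip": parse_ipv4(f2["packet"])}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, {k: v for k, v in value.items() if k != "packet"})
```

Comparing the two parsed frames shows the point of the flight analogy: the Layer 2 addresses and the VLAN tag are replaced at every hop, while the Layer 3 source and destination survive end to end and only the TTL (and with it the checksum) changes.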
Network Security Attacks
A network security attack is a malicious attempt by cybercriminals to compromise the security of
a network. These attacks are the reason network security is needed: network security is
responsible for preventing them on the network infrastructure. Let us learn more about such
attacks so that you can identify methods to prevent them.

Types of Attacks in Network Security


Some of the different types of network security attacks are described below:

Virus: A virus is a malicious file that is downloaded and, once opened by a user, starts to
replace code on the computer with its own. As it spreads, it corrupts the computer's system
files, which can in turn corrupt files on other computer systems in the network.

Malware: This is among the most severe and fastest-spreading types of malicious attack, used to
gain unauthorized access to a system or network of systems. Malware is generally
self-replicating, i.e., once one system is compromised, the malware uses the internet connection
to reach and corrupt all computer systems connected to the network. In the case of malware,
even an external device connected to the system will get corrupted.

Worm: A worm enters a system without any action by the user. If a user is running an application
that is not well hardened, an attacker on the same internet connection can easily send malware
to that application. Without the user's knowledge, the application could accept and execute this
malware, leading to the creation of a worm. Ethical hackers are in high demand to prevent this
type of network security attack.

Packet sniffer: If a passive receiver is placed within range of a wireless transmitter, it ends up
seeing a copy of every transmitted packet. Often these packets contain confidential organization
data, trade secrets, etc., which then reach the receiver. The packet receiver becomes a packet
sniffer that reads all the packets transmitted in range. Cryptography (encrypting the traffic) is
the best way to prevent this form of network security attack.

Phishing: This is one of the most common forms of attack on network security. Attackers send
emails to users pretending to be from a known source, such as investors or bankers, building a
sense of urgency to catch the users' attention and/or excite them. These emails are likely to
contain malicious attachments or links that ask users to share confidential data.

Compromised key: When an attacker obtains a network security key, it is known as a compromised
key and acts as a tool to extract sensitive data. The attacker uses the compromised key to gain
unauthorized access to secured data. The key consists of a code or number that allows secured
data to be read without any notification to the sender or receiver.

Botnet: A botnet is malicious software that attacks a set of computers connected through a
private network. The attacker gains access to and controls all the systems on that network
without the owner's knowledge. The computers on that network are referred to as zombies, which
spread and corrupt a large number of devices according to the attacker's instructions.

DoS: DoS stands for denial of service. This attack is capable of taking down users' networks
partially or completely. A DoS attack can even target an entire IT infrastructure, making it
unavailable to legitimate users. DoS attacks can generally be classified into three categories:
connection flooding, vulnerability attacks, and bandwidth flooding.
What Are the Types of Intrusion Detection Systems?
There are two main types of IDSes based on where the security team sets them up:

Network intrusion detection system (NIDS).
Host intrusion detection system (HIDS).

The way an intrusion detection system detects suspicious activity also allows us to define two
categories:

A signature-based intrusion detection system (SIDS).
An anomaly-based intrusion detection system (AIDS).

Depending on your use case and budget, you can deploy a NIDS or HIDS or rely on both main
IDS types. The same applies to detection models, as many teams set up a hybrid system with
SIDS and AIDS capabilities.

Before you determine a strategy, you need to understand the differences between IDS types
and how they complement each other. Let us look at each of the four main IDS types, their pros
and cons, and when to use them.

Types of intrusion detection system

Network Intrusion Detection System (NIDS)


A network-based intrusion detection system monitors and analyzes traffic coming to and from all
network devices. A NIDS operates from a strategic point (or points, if you deploy multiple
detection systems) within the network, typically at data chokepoints.

Pros of a NIDS:

● Provides IDS security across the entire network.
● A few strategically placed NIDSes can monitor an enterprise-size network.
● A passive device that does not compromise network availability or throughput.
● Relatively easy to secure and hide from intruders.
● Covers the parts of the network where traffic is most vulnerable.

Cons of a NIDS:

● Expensive to set up.
● If a NIDS must monitor an extensive or busy network, the system can suffer from low
specificity and an occasional unnoticed breach.
● Detecting threats within encrypted traffic can be problematic.
● Typically not an ideal fit for switch-based networks.

Host Intrusion Detection System (HIDS)

A HIDS operates from a specific endpoint where it monitors network traffic and system logs to
and from a single device.

This type of IDS security relies on regular snapshots, file sets that capture the entire system’s
state. When the system takes a snapshot, the IDS compares it with the previous state and
checks for missing or altered files or settings.
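The snapshot comparison described above, as an added Python example (not code from the original page or from any IDS product). It hashes every regular file under a root, records the hash, size and permission bits, and diffs two snapshots to report files that were added, removed, modified or re-permissioned between them. The directory tree it checks is constructed in a temporary directory so the example runs offline.

```python
"""File-integrity snapshots, the way a HIDS takes and compares them (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# relative path -> (sha256 hex digest, size in bytes, permission bits)
Snapshot = dict[str, tuple[str, int, int]]


def take_snapshot(root: str) -> Snapshot:
    """Record every regular file under root (symlinks are skipped, not followed)."""
    snap: Snapshot = {}
    base = Path(root)
    for path in sorted(base.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        st = path.stat()
        snap[path.relative_to(base).as_posix()] = (digest, st.st_size, st.st_mode & 0o777)
    return snap


def compare_snapshots(old: Snapshot, new: Snapshot) -> dict[str, list[str]]:
    """Classify differences between a baseline snapshot and a newer one."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p][0] != new[p][0]),
        # Same content, different mode bits: e.g. a file quietly made world-writable.
        "permissions": sorted(p for p in common if old[p][0] == new[p][0] and old[p][2] != new[p][2]),
    }


def demo() -> dict[str, list[str]]:
    """Build a tiny constructed 'system', baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "etc").mkdir()
        (r / "bin").mkdir()
        (r / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")  # constructed
        (r / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (r / "bin" / "ls").write_bytes(b"\x7fELF constructed-binary-v1")
        os.chmod(r / "etc" / "passwd", 0o644)
        baseline = take_snapshot(root)

        # Simulated changes between two scheduled snapshots.
        (r / "bin" / "ls").write_bytes(b"\x7fELF constructed-binary-v2")      # binary replaced
        (r / "etc" / "hosts").unlink()                                         # file removed
        (r / "etc" / "resolv.conf.bak").write_text("nameserver 10.0.0.53\n")  # file added
        os.chmod(r / "etc" / "passwd", 0o666)                                  # made world-writable
        return compare_snapshots(baseline, take_snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline must be stored where the monitored host cannot rewrite it (a central server or signed store); a snapshot kept on the same disk can be edited along with the files it is meant to protect.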

Pros of a HIDS

● Offers deep visibility into the host device and its activity (changes to the configuration,
permissions, files, registry, etc.).
● An excellent second line of defense against a malicious packet a NIDS failed to detect.
● Good at detecting activity originating from inside the organization, such as unauthorized
changes to files from a system console.
● Effective at detecting and preventing software integrity breaches.
● Better at analyzing encrypted traffic than a NIDS because it handles fewer packets.
● Far cheaper than setting up a NIDS.

Cons of a HIDS

● Limited visibility, as the system only monitors one device.
● Less available context for decision-making.
● Hard to manage for large companies, as the team needs to configure and handle info for
every host.
● More visible to attackers than a NIDS.
● Not good at detecting network scans or other network-wide surveillance attacks.

Signature-Based Intrusion Detection System (SIDS)


A SIDS monitors packets moving through a network and compares them to a database of
known attack signatures or attributes. This common type of IDS security looks for specific
patterns, such as byte or instruction sequences.

Pros of a SIDS

● Works well against attackers using known attack signatures.
● Helpful for discovering low-skill attack attempts.
● Effective at monitoring inbound network traffic.
● Can efficiently process a high volume of network traffic.

Cons of a SIDS

● Cannot identify a breach without a specific signature in the threat database.
● A savvy hacker can modify an attack to avoid matching known signatures, such as
changing lowercase to uppercase letters or converting a symbol to its character code.
● Requires regular updates of the threat database to keep the system up to date with the
latest risks.
Anomaly-Based Intrusion Detection System (AIDS)
An AIDS monitors ongoing network traffic and analyzes patterns against a baseline. It goes
beyond the attack signature model and detects malicious behavior patterns instead of specific
data patterns.

This type of IDS uses machine learning to establish a baseline of expected system behavior (a
trust model) in terms of bandwidth, protocols, ports, and device usage. The system can then
compare any new behavior to the verified trust model and discover unknown attacks that a
signature-based IDS cannot identify.

For example, someone in the Sales department trying to access the website’s backend for the
first time may not be a red flag for a SIDS. For an anomaly-based setup, however, a person
trying to access a sensitive system for the first time is a cause for investigation.

Pros of an AIDS

● Can detect signs of unknown attack types and novel threats.
● Relies on machine learning and AI to establish a model of trustworthy behavior.
Cons of an AIDS

● Complex to manage.
● Requires more processing resources than a signature-based IDS.
● High amounts of alarms can overwhelm admins.
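The anomaly-based approach above, including the "first access to a sensitive system" case from the Sales-department example, as an added Python example (not code from the original page or any IDS product). A simple statistical baseline of which hosts and ports each user talks to, and how many bytes a session normally moves, stands in for the machine-learning trust model; every event and the list of sensitive hosts are constructed.

```python
"""Anomaly detection against a learned per-user baseline (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# (user, destination host, destination port, bytes transferred): constructed training data
BASELINE_EVENTS = [
    ("alice", "crm.internal", 443, 12_000),
    ("alice", "crm.internal", 443, 15_000),
    ("alice", "mail.internal", 993, 8_000),
    ("alice", "crm.internal", 443, 13_000),
    ("bob", "db-admin.internal", 5432, 40_000),
    ("bob", "db-admin.internal", 5432, 42_000),
]
SENSITIVE_HOSTS = {"db-admin.internal"}  # assumption: tagged by the security team


class AnomalyDetector:
    def __init__(self, sensitive_hosts: set[str], sigma: float = 3.0) -> None:
        self.sensitive = sensitive_hosts
        self.sigma = sigma  # how many standard deviations above the mean counts as a spike
        self.hosts: dict[str, set[str]] = defaultdict(set)
        self.ports: dict[str, set[int]] = defaultdict(set)
        self.volumes: dict[str, list[int]] = defaultdict(list)

    def learn(self, events) -> None:
        """Build the trust model from a window of traffic believed to be normal."""
        for user, host, port, nbytes in events:
            self.hosts[user].add(host)
            self.ports[user].add(port)
            self.volumes[user].append(nbytes)

    def evaluate(self, event) -> list[str]:
        """Return the reasons an event deviates from the user's baseline (empty = normal)."""
        user, host, port, nbytes = event
        reasons = []
        if host not in self.hosts[user]:
            reasons.append("first-access-to-sensitive-host" if host in self.sensitive else "new-host")
        if port not in self.ports[user]:
            reasons.append("new-port")
        history = self.volumes[user]
        if len(history) >= 2:
            threshold = mean(history) + self.sigma * pstdev(history)
            if nbytes > threshold:
                reasons.append("volume-spike")
        return reasons


def demo() -> dict[str, list[str]]:
    detector = AnomalyDetector(SENSITIVE_HOSTS)
    detector.learn(BASELINE_EVENTS)
    probes = {  # constructed events to score against the baseline
        "alice_routine": ("alice", "crm.internal", 443, 12_500),
        "alice_first_db": ("alice", "db-admin.internal", 5432, 500),
        "alice_big_transfer": ("alice", "crm.internal", 443, 900_000),
        "bob_routine_db": ("bob", "db-admin.internal", 5432, 41_000),
    }
    return {name: detector.evaluate(event) for name, event in probes.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'normal' if not reasons else ', '.join(reasons)}")
```

The same database connection is normal for bob and anomalous for alice, which a signature could never express; the cost, as the cons list says, is that every first-time legitimate action also raises an alert, so the baseline window and the sigma threshold need tuning per environment.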
Policy-based IDS
[Instructor] With policy-based detection, the administrator defines suspicious behavior and can
create a customized policy to monitor for that activity. Policy-based intrusion detection is like
pattern-based detection, but instead of trying to define a specific pattern, policy-based
signatures can be used to analyze a specific type of packet, for example, having data in the
flow label in an IPv6 header. To see how this can be used, consider this example: the network
administrator can set up a honeypot and gather evidence of an attacker trying to exploit a
vulnerability that would be indicative of a possible zero-day attack. The administrator can then
create a customized intrusion rule. An intrusion rule is a set of criteria listing details and
conditions the intrusion detection system must match. Much like a blueprint, the rule provides
details of what to look for and what action to take once the criteria are met. A standard rule will
have two sections, the header and the options.
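The header-plus-options rule structure described above, which is also how the signature-based IDS from the earlier section stores its known attack patterns, as an added Python example (not code from the original page, from Snort, or from any other IDS). It parses a small Snort-style rule grammar (an assumption: one content match per rule, plain-text options separated by ';'), matches the header against a packet's protocol, addresses and ports, then the options against the payload, and shows how a 'nocase' option defeats the lowercase/uppercase evasion listed among the SIDS cons. All rules and packets are constructed; the sids are placeholder values.

```python
"""Signature rules with a header section and an options section (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# action proto src_ip src_port -> dst_ip dst_port (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_rule(text: str) -> dict:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    action, proto, src_ip, src_port, dst_ip, dst_port, opts = m.groups()
    options = {}
    for raw in (o.strip() for o in opts.split(";")):
        if raw:
            key, _, value = raw.partition(":")
            options[key.strip()] = value.strip().strip('"')  # flag options like nocase -> ""
    return {"action": action, "proto": proto, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "options": options}


def _ip_matches(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def header_matches(rule: dict, pkt: Packet) -> bool:
    return (rule["proto"] in ("ip", pkt.proto)
            and _ip_matches(rule["src_ip"], pkt.src_ip) and _port_matches(rule["src_port"], pkt.src_port)
            and _ip_matches(rule["dst_ip"], pkt.dst_ip) and _port_matches(rule["dst_port"], pkt.dst_port))


def options_match(rule: dict, pkt: Packet) -> bool:
    content = rule["options"].get("content")
    if content is None:
        return True  # a pure policy rule: the header alone decides
    needle, haystack = content.encode(), pkt.payload
    if "nocase" in rule["options"]:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


def run(rules: list[dict], packets: list[Packet]) -> list[tuple[int, str, str]]:
    """Return (packet index, sid, msg) for every rule that fires on each packet."""
    hits = []
    for i, pkt in enumerate(packets):
        for rule in rules:
            if header_matches(rule, pkt) and options_match(rule, pkt):
                hits.append((i, rule["options"].get("sid", "?"), rule["options"].get("msg", "")))
    return hits


RULES = [parse_rule(r) for r in [
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"SQLi keyword, case-sensitive"; content:"UNION SELECT"; sid:1000001;)',
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"SQLi keyword, any case"; content:"UNION SELECT"; nocase; sid:1000002;)',
    'alert tcp any any -> 10.0.0.0/24 23 (msg:"Policy: telnet to server segment"; sid:1000003;)',
]]

PACKETS = [  # constructed traffic samples
    Packet("tcp", "198.51.100.7", 40001, "10.0.0.5", 80, b"GET /item?id=1 UNION SELECT 1,2 HTTP/1.1"),
    Packet("tcp", "198.51.100.7", 40002, "10.0.0.5", 80, b"GET /item?id=1 uNiOn sElEcT 1,2 HTTP/1.1"),
    Packet("tcp", "10.0.0.77", 40003, "10.0.0.9", 23, b""),
    Packet("tcp", "198.51.100.7", 40004, "10.0.0.5", 80, b"GET /item?id=1 HTTP/1.1"),
]


def demo() -> list[tuple[int, str, str]]:
    return run(RULES, PACKETS)


if __name__ == "__main__":
    for index, sid, msg in demo():
        print(f"packet {index}: sid {sid}: {msg}")
```

The second packet is the evasion from the SIDS cons list: the case-sensitive rule misses it and only the nocase variant fires, while the third rule is a policy rule in the instructor's sense, firing on the header alone with no payload pattern at all.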
What is a Honeypot?
A honeypot is a network-attached system used as a trap for cyber-attackers, to detect and study
the tricks and types of attacks used by hackers. It acts as a potential target on the internet and
informs the defenders about any unauthorized attempt on the information system.

Honeypots are mostly used by large companies and organizations involved in cybersecurity. They
help cybersecurity researchers learn about the different types of attacks used by attackers. It
is suspected that even cybercriminals use honeypots to decoy researchers and spread wrong
information.

The cost of a honeypot is generally high because it requires specialized skills and resources to
implement a system that appears to provide an organization's resources while still preventing
attacks at the backend.

A honeynet is a combination of two or more honeypots on a network.

Types of Honeypot:
Honeypots are classified based on their deployment and the level of involvement of the intruder.

Based on their deployment, honeypots are divided into:

Research honeypots - These are used by researchers to analyze hacker attacks and devise
different ways to prevent them.
Production honeypots - Production honeypots are deployed in production networks alongside
the servers. These honeypots act as a frontend trap for attackers, containing false
information and giving administrators time to fix any vulnerability in the actual system.

Based on interaction, honeypots are classified into:

Low interaction honeypots: Low interaction honeypots give the attacker very little insight into
and control over the network. They simulate only the services that are most frequently requested
by attackers. The main operating system is not involved in low interaction systems, so they are
less risky. They require very few resources and are easy to deploy. Their only disadvantage is
that experienced hackers can easily identify these honeypots and avoid them.
Medium interaction honeypots: Medium interaction honeypots allow the attacker more activities
than low interaction honeypots. They anticipate certain activities and are designed to give
certain responses beyond what a low interaction honeypot would give.
High interaction honeypots: A high interaction honeypot offers a large number of services and
activities to the attacker, wasting the attacker's time while trying to gather complete
information about them. These honeypots involve the real operating system and are therefore
comparatively risky if an attacker identifies the honeypot. High interaction honeypots are also
very costly and complex to implement, but they provide extensive information about attackers.
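A low interaction honeypot of the kind described above, as an added Python example (not code from the original page or from any honeypot product). It listens on a loopback port, answers with a fake SMTP banner, records the first bytes each peer sends along with its address and a timestamp, and closes the connection; nothing behind it is real, which is exactly what makes it low interaction. The banner text and the probing client used to exercise it are constructed.

```python
"""A minimal low interaction honeypot listener (added example)."""
import socket
import threading
import time
from datetime import datetime, timezone


class LowInteractionHoneypot:
    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = b"220 mail.example.internal ESMTP ready\r\n") -> None:
        self.banner = banner
        self.events: list[dict] = []  # what a real deployment would ship to a SIEM
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port 0: let the OS pick a free one
        self._sock.listen(5)
        self._sock.settimeout(0.2)     # so the accept loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                conn.sendall(self.banner)  # the only "service" offered: a greeting
                try:
                    data = conn.recv(1024)  # capture the first thing the peer says
                except socket.timeout:
                    data = b""
            self.events.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "peer": f"{peer[0]}:{peer[1]}",
                "first_bytes": data,
            })


def demo() -> list[dict]:
    """Start the honeypot, connect to it once with a constructed client, return the log."""
    pot = LowInteractionHoneypot()
    pot.start()
    try:
        with socket.create_connection(("127.0.0.1", pot.port), timeout=2) as client:
            greeting = client.recv(1024)
            assert greeting.startswith(b"220 "), "expected the fake banner"
            client.sendall(b"EHLO scanner.example\r\n")  # constructed probe
        deadline = time.time() + 2
        while not pot.events and time.time() < deadline:
            time.sleep(0.01)
    finally:
        pot.stop()
    return pot.events


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Because no legitimate client has any reason to connect, every recorded event is worth a look, which is the "rich source of information" advantage; the trade-off from the text also shows: the banner never changes and no command gets a real reply, so an experienced attacker can recognize it quickly.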
Advantages of honeypots:
● Acts as a rich source of information and helps collect real-time data.
● Identifies malicious activity even if encryption is used.
● Wastes hackers' time and resources.
● Improves security.

Disadvantages of honeypots:
● Being distinguishable from production systems, it can be easily identified by experienced
attackers.
● Having a narrow field of view, it can only identify direct attacks.
● A honeypot, once compromised, can be used to attack other systems.
● Fingerprinting (an attacker can identify the true identity of a honeypot).
Malware – Malicious Software
Malware is software that gets into a system without the user's consent, with the intention of
stealing the user's private and confidential data, including bank details and passwords. It also
generates annoying pop-up ads and makes changes to system settings.

It gets into a system through various means:

Along with free downloads.
Clicking on a suspicious link.
Opening mail from a malicious source.
Visiting malicious websites.
Not installing an updated antivirus on the system.
Types:
Virus
Worm
Logic Bomb
Trojan/Backdoor
Rootkit
Advanced Persistent Threat
Spyware and Adware
What is a computer virus:
A computer virus is a program that damages computer systems and/or destroys or erases data
files. It is a malicious program that self-replicates by copying itself to another program; in
other words, it spreads by itself into other executable code or documents. The purpose of
creating a computer virus is to infect vulnerable systems, gain admin control and steal sensitive
user data. Hackers design computer viruses with malicious intent and prey on online users by
tricking them.

Symptoms:
Letters look like they are falling to the bottom of the screen.
The computer system becomes slow.
The amount of available free memory reduces.
The hard disk runs out of space.
The computer does not boot.
Types of Computer Virus:
These are explained below.

Parasitic –
These infect executables (.COM or .EXE files, where execution starts at the first instruction).
Propagated by attaching itself to a particular file or program. Generally resides at the start
(prepending) or at the end (appending) of a file, e.g. Jerusalem.
Boot Sector –
Spread through infected floppy or pen drives used to boot computers. During system boot, the
boot sector virus is loaded into main memory and destroys data stored on the hard disk, e.g.
Polyboot, Disk Killer, Stone, AntiEXE.
Polymorphic –
Changes itself with each infection and creates multiple copies, which makes it difficult for
antivirus software to detect, e.g. Involutionary, Cascade, Evil, Virus 101, Stimulate. Three
major parts: an encrypted virus body, a decryption routine that varies from infection to
infection, and a mutation engine.
Multipartite –
Uses more than one propagation method.
Memory Resident –
Installs code in the computer's memory. Gets activated when the OS runs and damages all files
opened at that time, e.g. Randex, CMJ, Meve.
Stealth –
Hides its tracks after infection. It modifies itself, which makes it difficult to detect, and
masks the size of the infected file, e.g. Frodo, Joshi, Whale.
Macro –
Associated with application software like Word and Excel. When the infected document is opened,
the macro virus is loaded into main memory and destroys data stored on the hard disk. Since it
is attached to documents, it spreads only with those infected documents, e.g. DMV, Melissa.A,
Relax, Nuclear, Word Concept.
Hybrids –
Features of various viruses are combined, e.g. Happy99 (email virus).
Worm:
A worm is a destructive program that fills a computer system with self-replicating information,
clogging the system so that its operations are slowed down or stopped.

Types of Worm:

Email worm – Attaches to fake email messages.
Instant messaging worm – Spreads via instant messaging applications using loopholes in the
network.
Internet worm – Scans systems using OS services.
Internet Relay Chat (IRC) worm – Transfers infected files to websites.
Payloads – Delete or encrypt files, install a backdoor, create a zombie, etc.
Worms with good intent – Download application patches.
Logic Bomb:
A logic bomb is a destructive program that performs an activity when a certain action has
occurred. These are hidden in programming code and execute only when a specific condition is
met, e.g. Jerusalem.

Script Virus:
Commonly found script viruses are written using the Visual Basic Scripting Edition (VBS) and
the JavaScript programming language.

Trojan / Backdoor:
A Trojan horse is a destructive program. It usually masquerades as a computer game or
application software. If executed, the computer system will be damaged. Trojan horses usually
come with monitoring tools and key loggers. They are active only when specific events occur.
They are hidden with packers, crypters and wrappers.
Rootkits:
A collection of tools that allow an attacker to take control of a system.

Can be used to hide evidence of an attacker's presence and give them backdoor access.
Can contain log cleaners to remove traces of the attacker.
Can be divided into:
– Application or file rootkits: replace binaries on a Linux system
– Kernel rootkits: target the OS kernel, typically delivered as a loadable kernel module (LKM)
Gains control of the infected machine by:
– DLL injection: injecting a malicious DLL (dynamic link library)
– Direct kernel object manipulation: modifying kernel structures to directly target a trusted
part of the OS
– Hooking: changing an application's execution flow
Advanced Persistent Threat:
Created by well-funded, organized groups, nation-state actors, etc., with the aim of
compromising government and commercial entities, e.g. Flame, used for reconnaissance and
information gathering on a system.

Spyware and Adware:

Normally gets installed along with free software downloads. Spies on the end user and attempts
to redirect the user to specific sites. Main tasks: behavioral surveillance and advertising with
pop-up ads. Slows down the system.
