Domain 1: Security & Risk Management CISSP Cheat Sheet Series

CIA Triad Achieving CIA - Best Practices

Preserving authorized restrictions on information Separation Mandatory Job Least Need to
Dual Control
access and disclosure, including means for protecting of Duties Vacations Rotation Privileges know
Confidentiality
personal privacy and proprietary information. Note –
Encryption (At transit – TLS) (At rest - AES – 256) Availability
RTO/MTD/RPO, MTBF, SLA
Guarding against improper information modification or Measuring Metrics
Integrity destruction and includes ensuring information
non-repudiation and authenticity.
IAAAA
Ensuring timely and reliable access to and use of
Availability Identification Unique user identification
information by authorized users.
*Citation: https://www.isc2.org/Certifications/CISSP/CISSP-Student-Glossary Authentication Validation of identification
Verification of privileges and permissions for
Authorization
D.A.D. authenticated user
Only authorized users are accessing and use the
Disclosure Alteration Destruction Accountability
system accordingly
Opposite of Tools, processes, and activities used to achieve and
Confidentiality
Opposite of Integrity Opposite of Availability Auditing
maintain compliance

Plans Protection Mechanisms

Type Duration Example Layering Abstractions Data Hiding Encryption
Strategic Plan up to 5 Years Risk Assessment
Tactical Plan Maximum of 1 year Project budget, staffing etc Data classification
Patching computers Entails analyzing the data that the organization retains, determining its
Operational Plan A few months Updating AV signatures
importance and value, and then assigning it to a category.
Daily network administration

Risk Management Risk Terminology

● No risk can be completely avoided . Asset Anything of value to the company.
● Risks can be minimized and controlled to avoid
Vulnerability A weakness; the absence of a safeguard
impact of damages.
Threat Things that could pose a risk to all or part of an asset
● Risk management is the process of identifying,
examining, measuring, mitigating, or transferring Threat Agent The entity which carries out the attack
risk Exploit An instance of compromise
*Citation:https://resources.infosecinstitute.com/category/certifications-traini
ng/cissp/domains/security-and-risk-management/ Risk The probability of a threat materializing

Solution – Keep risks at a tolerable and acceptable level. *Citation:https://resources.infosecinstitute.com/category/certifications-training/cissp/domains

Risk management constraints – Time, budget /security-and-risk-management/

Risk Management Frameworks

Preventive Deterrent
Detective Corrective Recovery
Ex ISO 27001 Ex ISO 27000
Security Policies Security Personnel Logs Alarms Backups
Security Cameras Guards Security Cameras Antivirus Solutions Server Clustering
Callback Security Cameras Intrusion Detection Systems Intrusion Detection Systems Fault Tolerant Drive Systems
Security Awareness Training Separation of Duties Honey Pots Business Continuity Plans Database Shadowing
Job Rotation Intrusion Alarms Audit Trails Antivirus Software
Encryption Awareness Training Mandatory Vacations
Data Classification Firewalls
Risk Framework Types
Smart Cards Encryption
Security and Risk Management

Asset Security
Risk Management Life Cycle
Security Engineering
Assessment Analysis Mitigation / Response
Communications and Network Security
Categorize, Classify & Evaluate
Qualitative vs Quantitative Reduce, Transfer, Accept Identity and Access Management
Assets
Security Assessment and Testing
as per NIST 800-30: Qualitative – Judgments Reduce / Avoid
Security Operations
System Characterization Quantitative – Main terms Transfer Software Development Security
Threat Identification AV – Asset Value Accept / Reject

Vulnerability Identification EF – Exposure Factor

The 6 Steps of the Risk
Management Framework
Control Analysis ARO – Annual Rate of Occurrence Security
Governance Categorize
Likelihood Determination Single Loss Expectancy = AV * EF
Select
Annual Loss Expectancy = BS 7799
Impact Analysis Implement
SLE*ARO
ISO 17799 & 2700 Series
Risk Determination Risk Value = Probability * Impact Asses
COBIT & COSO

Control Recommendation OCTAVE Authorize

Results Documentation ITIL Monitor

Threat Identification Models

S.T.R.I.D.E. Spoofing - Tampering - Repudiation - Information Disclosure - Denial of Service - Escalation of Privilege

D.R.E.A.D. Damage - Reproducibility - Exploitability - Affected - Discoverability

M.A.R.T. Mitigate - Accept - Reject - Transfer

Disaster Recovery / Types of Law

Intellectual Property
Business Continuity Plan Criminal law

Continuity plan goals Civil Law Copyright

Statement of importance Administrative Law
Statement of priorities Comprehensive Crime Control Act (1984)
Trademarks
Statement of organization
Computer Fraud and Abuse Act (1986) Patents
responsibility
Computer Security Act (1987)
Statement of urgency and timing Trade Secrets
Government Information Security Reform Act (2000)
Risk assessment
Risk acceptance / mitigation Federal Information Security Management Act (2002) Licensing
Domain 2: Asset Security CISSP Cheat Sheet Series

Classification Levels Typical Data Retention Durations Data Security Controls

Military Sector Private Sector Business documents 7 years
Top Secret Sensitive Data in Use Scoping & tailoring
Invoices 5 years
Secret Confidential
Confidential Private Accounts Payable / Receivable 7 years Data at Rest Encryption
Company Human Resources - Hired 7 years
Sensitive but restricted
Human Resources - Unhired 3 years
unclassified Company Secure protocols e.g.
Tax records 4 years Data in Motion
confidential https
Unclassified Public Legal correspondence Permanently

Data Ownership
Data Ownership Data Custodian Systems Owners Administrators End User
Grant permissions on daily basis
Ensure compliance with data policy and
Top level/Primary responsibility for
data ownership guidelines Grant permission
data Apply Security Controls
for data handling
Ensure accessibility, maintain and
Define level of classification
monitor security
Define controls for levels of
Data archive
classification Data Remanence
Data documentation
Define baseline security standards Series of processes that removes data,
Take regular backups , restore to check Sanitizing
Impact analysis completely
validations
Decide when to destroy Erase form magnetic tapes etc to ensure not
Ensure CIA Degaussing
information recoverable
Conduct user authorization
Erasing Deletion of files or media
Implement security controls
Overwriting Writing over files, shredding
Zero fill Overwrite all data on drives with zeros
Data Classification Criteria Destruction Physical destruction of data hardware device
Value - Usefulness - Age - Association Make data unreadable without special keys or
Encryption
algorithm
Data Retention Policies
The State of Florida Electronic Records and Records Management Practices,
2010
Standards
The European Documents Retention Guide, 2012 National Institute of Standards
NIST
Technology
Security Policies, Standards & Guidelines NIST SP 800 Series Computer security in a variety of areas
Regulatory Required by law and industrial standards Securing Information Technology
800-14 NIST SP
systems
Advisory Not compulsory, but advisable
Informative As guidance to others 800-18 NIST Develop security plans

Define best practices for information handling and usage 800-27 NIST SP Baseline for achieving security
Information -Security policies: Technical details of the policies Guidelines for sanitation and disposition,
800-88 NIST
Policy i.e. SYSTEM security policy: lists hardware / software in prevents data remanence
use and steps for using policies Continuous monitoring program: define,
800-137
Standards Define usage levels establish, implement, analyze and report
Guidelines Non-compulsory standards 800-145 Cloud computing standards
Procedures Steps for carrying out tasls and policies Federal Information Processing
FIPS
Baseline Minimum level of security Standards
 CISSP Cheat Sheet Series
Security Models and Concepts Security Models System Evaluation and Assurance Levels Hardware architecture
Security architecture frameworks - Provides access rights including discretionary access control Evaluates operating systems, application and systems. But not Simultaneous running of
Trusted Computer Multitasking
A 2D model considering interrogations such as what, where MATRIX to subjects for different objects. network part. Consider only about confidentiality. Operational two or more tasks.
System Evaluation
Zachman Framework and when with, etc. With various views such as planner, owner, (Access control model) - Read, write and execute access defined in ACL as matrix assurance requirements for TCSEC are: System Architecture, Simultaneous running of
Criteria Multi programming
designer etc. columns and rows as capability lists. System Integrity, Covert Channel analysis, Trusted Facility two or more programs
(TCSEC)
-A subject cannot read data at a higher security level. (A.K.A Management and Trusted recovery.
Sherwood Applied CPU consists or more
simple security rule) A collection of criteria based on the Bell-LaPadula model used Multi-processing
Business Security To facilitate communication between stakeholders than one processor
Architecture (SABSA) - Subject in a defined security level cannot write to a lower Orange Book to grade or rate the security offered by a computer system
Processing Types
security level unless it is a trusted subject. (A.K.A *-property product.
Information Technology One security level at a
BELL-LAPADULA (star property) rule Red Book Similar to the Orange Book but addresses network security. Single State
Infrastructure Library Set of best practices for IT service management time.
(Confidentiality model) - Access matrix specifies discretionary access control.
(ITIL) Green Book Password Management.
- subject with read and write access should write and read at Multiple security levels at
Evaluates operating systems, application and systems. But not Multi State
Security architecture documentation the same security level (A.K.A Strong star rule :) Trusted Computer a time.
network part. Consider only about confidentiality. Operational
Establish security controls published by Standardization (ISO) - Tranquility prevents security level of subjects change between System Evaluation Software built in to in the
ISO/IEC 27000 Series assurance requirements for TCSEC are: System Architecture, Firmware
and the Electrotechnical Commission (IEC) levels. Criteria ROM.
System Integrity, Covert Channel analysis, Trusted Facility
Control Objectives for - Cannot read data from a lower integrity level (A.K.A The (TCSEC) Base Input Output Set of instructions used to
Define goals and requirements for security controls and the Management and Trusted recovery.
Information and Related simple integrity axiom) System (BIOS) load OS by the computer.
mapping of IT security controls to business objectives. Consider all 3 CIA (integrity and availability as well as
Technology (CobiT) - Cannot write data to an object at a higher integrity level. ITSEC
Types of security models BIBA (A.K.A the * (star) integrity axiom)
confidentiality
Mobile Security
(Integrity model) - Cannot invoke service at higher integrity. (A.K.A The TCSEC Explanation
Check each of the possible system state and ensure the proper Device Encryption • Remote wiping • Remote lock out
invocation property) D Minimal protection
State Machine Models security relationship between objects and subjects in each • Internal locks (voice, face recognition, pattern, pin,
- Consider preventing information flow from a low security level
state. DAC; Discretionary Protection (identification, authentication, password) • Application installation control • Asset
to a high security level. C1
Allocate each security subject a security label defining the resource protection) tracking (IMIE) • Mobile Device Management •
User: An active agent Removable storage (SD CARD, Micro SD etc.)
highest and lowest boundaries of the subject’s access to the C2 DAC; Controlled access protection
Multilevel Lattice Models • Transformation Procedure (TP): An abstract operation, such
system. Enforce controls to all objects by dividing them into
as read, writes, and modify, implemented through B1 MAC; Labeled security (process isolation, devices) IoT & Internet Security
levels known as lattices.
Programming B2 MAC; Structured protection
Network Segmentation (Isolation) • Logical Isolation
Arrange tables known as matrix which includes subjects and • Constrained Data Item (CDI): An item that can be manipulated B3 MAC; security domain (VLAN) • Physical isolation (Network segments) •
Matrix Based Models objects defining what actions subjects can take upon another only through a TP A MAC; verified protection Application firewalls • Firmware updates
object. • Unconstrained Data Item (UDI): An item that can be
CLARK WILSON Common criteria assurance levels
Consider the state of the system at a point in time for a
Noninterference Models subject, it consider preventing the actions that take place at
(Integrity model)
manipulated by a user via read and write operations
EAL0 Inadequate assurance
Physical Security
- Enforces separation of duty
one level which can alter the state of another level. - Requires auditing EAL1 Functionality tested Internal vs external threat and mitigation

Try to avoid the flow of information from one entity to another - Commercial use EAL2 Structurally tested Hurricanes, tornadoes, earthquakes
Information Flow Models Natural threats
which can violate the security policy. - Data item whose integrity need to be preserved should be EAL3 Methodically tested and checked floods, tsunami, fire, etc
Read and Write are allowed or restricted using a specific audited EAL4 Methodically designed, tested and reviewed Politically
Confinement - An integrity verification procedure (IVP) -scans data items and motivated Bombs, terrorist actions, etc
memory location, e.g. Sandboxing. EAL5 Semi-formally designed and tested
confirms their integrity against external threats EAL6 Semi-formally verified, designed and tested threats
Data in Use Scoping & tailoring
Information is restricted to flow in the directions that are EAL7 Formally verified, designed and tested Power/utility General infrastructure damage
Security Modes Information flow model permitted by the security policy. Thus flow of information from
ITSEC security evaluation criteria - required levels
supply threats (electricity telecom, water, gas, etc)
one security level to another. (Bell & Biba). Man Made
Use a single classification level. All objects can access all D + E0 Minimum Protection Sabotage, vandalism, fraud, theft
- Use a dynamic access control based on objects previous threats
Dedicated Security Mode subjects, but users they must sign an NDA and approved prior C1 + E1 Discretionary Protection (DAC)
actions. Liquids, heat, gases, viruses,
to access on need-to-know basis C2 + E2 Controlled Access Protection (Media cleansing for reusability) Major sources
- Subject can write to an object if, and only if, the subject bacteria, movement: (earthquakes),
All users get the same access level but all of them do not get Brewer and Nash B1 + E3 Labelled Security (Labelling of data) to check
System High Security cannot read another object in a different dataset. radiation, etc
the need-to-know clearance for all the information in the (A.K.A Chinese wall B2 + E4 Structured Domain (Addresses Covert channel)
Mode - Prevents conflict of interests among objects.
system. model) Natural threat control measures
Citation B3 + E5 Security Domain (Isolation)
In addition to system high security level all the users should https://ipspecialist.net/fundamental-concepts-of-security-mod Hurricanes, Move or check location, frequency of
A + E6 Verified Protection (B3 + Dev Cycle)
Compartmented Security Tornadoes, occurrence, and impact. Allocate
have need-to-know clearance and an NDA, and formal approval els-how-they-work/ Common criteria protection profile components
Mode Earthquakes budget.
for all access required information. Lipner Model Commercial mode (Confidentiality and Integrity,) -BLP + Biba Descriptive Elements • Rationale • Functional Requirements • Development assurance
Use two classification levels as System Evaluation and Raised flooring server rooms and
Multilevel Security Mode Graham-Denning Model Rule 1: Transfer Access, Rule 2: Grant Access, Rule 3: Delete requirements • Evaluation assurance requirements Floods
Assurance Levels offices to keep computer devices .
Objects, subjects and 8 Access, Rule 4: Read Object, Rule 5: Create Object, Rule 6: Certification & Accreditation
rules destroy Object, Rule 7: Create Subject, Rule 8: Destroy Electrical UPS, Onsite generators
Virtualization Harrison-Ruzzo-Ullman Restricts operations able to perform on an object to a defined
Certification
Evaluation of security and technical/non-technical features to ensure
if it meets specified requirements to achieve accreditation.
Fix temperature sensors inside
Guest operating systems run on virtual machines and hypervisors run on one or more Model set to preserve integrity. server rooms , Communications -
Declare that an IT system is approved to operate in predefined
host physical machines.
Accreditation Temperature Redundant internet links, mobile
conditions defined as a set of safety measures at given risk level.
Virtualization security Web Security NIACAP Accreditation Process
communication links as a back up to
Trojan infected VMs, misconfigured hypervisor cable internet.
threats Open-source application security project. OWASP creates Phase 1: Definition • Phase 2: Verification • Phase 3: Validation • Phase 4: Post Man-Made Threats
Software as A Service (SaaS), Infrastructure As A Service OWASP guidelines, testing procedures, and tools to use with web Accreditation
Cloud computing models Avoid areas where explosions can
(IaaS), Platform As A Service (PaaS) security.
Accreditation Types Explosions occur Eg. Mining, Military training
Account hijack, malware infections, data breach, loss of data Injection / SQL Injection, Broken Authentication, Sensitive Data
Cloud computing threats Type Accreditation Evaluates a system distributed in different locations. etc.
and integrity Exposure, XML External Entity, Broken Access Control, Security
OWASP Top 10 Misconfiguration, Cross-Site Scripting (XSS), Insecure System Accreditation Evaluates an application system. Minimum 2 hour fire rating for walls,
Fire
Memory Protection Deserialization, Using Components with Known Vulnerabilities, Site Accreditation Evaluates the system at a specific location. Fire alarms, Fire extinguishers.
Insufficient Logging and Monitoring Deploy perimeter security, double
Register Directly access inbuilt CPU memory to access CPU and ALU. Vandalism
Stack Memory Segment Used by processors for intercommunication.
Attackers try to exploit by allowing user input to modify the Symmetric vs. Asymmetric Encryption locks, security camera etc.
back-end/server of the web application or execute harmful Use measures to avoid physical
Monolithic Operating SQL Injections: Use a private key which is a secret key between two parties.
All of the code working in kernel mode/system. code which includes special characters inside SQL codes Fraud/Theft access to critical systems. Eg.
System Architecture Each party needs a unique and separate private key.
results in deleting database tables etc. Fingerprint scanning for doors.
Symmetric Algorithms Number of keys = x(x-1)/2 where x is the number of users. Eg.
Memory Addressing Identification of memory locations by the processor. SQL Injection prevention: Validate the inputs and parameters. DES, AES, IDEA, Skipjack, Blowfish, Twofish, RC4/5/6, and
Register Addressing CPU access registry to get information. Cross-Site Scripting Attacks carryout by inputting invalidated scripts inside CAST.
Site Selection
Immediate Addressing Part of an instruction during information supply to CPU. (XSS) webpages. Stream Based Symmetric Encryption done bitwise and use keystream generators Eg. Deter Criminal Activity - Delay
Physical
Direct Addressing Actual address of the memory location is used by CPU. Attackers use POST/GET requests of the http web pages with Cipher RC4. Intruders - Detect Intruders - Assess
security goals
Indirect Addressing Same as direct addressing but not the actual memory location. HTML forms to carry out malicious activity with user accounts. Situation - Respond to Intrusion
Encryption done by dividing the message into fixed-length
Block Symmetric Cipher Visibility - External Entities -
Base + Offset Addressing Value stored in registry is used as based value by the CPU. Cross-Request Forgery Prevention can be done by authorization user accounts to carry blocks Eg. IDEA, Blowfish and, RC5/6. Site selection
the actions. Eg. using a Random string in the form, and store it Accessibility - Construction - Internal
*Citation CISSP SUMMARY BY Maarten De Frankrijker Use public and private key where both parties know the public issues
on the server. Compartments
and the private key known by the owner .Public key encrypts
Cryptographic Terminology Cryptography Asymmetric Algorithms
the message, and private key decrypts the message. 2x is total • Middle of the building (Middle
number of keys where x is number of users. Eg. Diffie-Hellman, floor)
Encryption Convert data from plaintext to cipher text. • Single access door or entry point
• P - Privacy (Confidentiality) RSA, El Gamal, ECC, Knapsack, DSA, and Zero Knowledge
Decryption Convert from ciphertext to plaintext. • A – Authentication Proof. Server room • Fire detection and suppression
Key A value used in encryption conversion process. Cryptography Goals • I - Integrity security systems
Symmetric Algorithms Asymmetric Algorithms Hybrid Cryptography
(P.A.I.N.) • N - Non-Repudiation. • Raised flooring
Synchronous Encryption or decryption happens simultaneously. Use of both Symmetric and
Use of private key which is a Use of public and private key • Redundant power supplies
Encryption or decryption requests done subsequently or after a • Key space = 2n. (n is number of key bits) Asymmetric encryption. Eg.
Asynchronous secret key pairs • Solid /Unbreakable doors
waiting period. • Confidentiality SSL/TLS
8 feet and taller with razor wire.
Symmetric Single private key use for encryption and decryption. • Integrity Provide integrity. One way Fences and
Provides confidentiality but Provides confidentiality, Remote controlled underground
Key pair use for encrypting and decrypting. (One private and • Proof of origin function divides a message Gates
Asymmetrical Use of Cryptography not authentication or integrity, authentication, and concealed gates.
one public key) • Non-repudiation or a data file into a smaller
nonrepudiation nonrepudiation Perimeter Infrared Sensors - Electromechanical
• Protect data at rest fixed length chunks.
Use to verify authentication and message integrity of the Intrusion Systems - Acoustical Systems -
Digital Signature sender. The message use as an input to a hash functions for • Protect data in transit One key encrypts and One key encrypts and other Encrypted with the private
Detection CCTV - Smart cards -
validating user authentication. decrypts key decrypts key of the sender.
A one-way function, convert message to a hash value used to
Codes vs. Ciphers Message Authentication
Systems Fingerprint/retina scanning
Continuous Lighting - Standby
Hash verify message integrity by comparing sender and receiver Substitution cipher, Transposition cipher, Caesar Cipher, Larger key size. Bulk Code (MAC) used to encrypt Lighting
Classical Ciphers Small blocks and key sizes Lighting - Movable Lighting -
values. Concealment. encryptions the hash function with a Systems
Emergency Lighting
Modern Ciphers Block cipher, Stream cipher, Steganography, Combination. symmetric key.
Digital Certificate An electronic document that authenticate certification owner. Offsite media storage - redundant
Cipher converts Plaintext to another written text to hide original Allows for more trade-offs Media storage
Plaintext Simple text message. Concealment Cipher Faster and less complex. Not backups and storage
text. Slower. More scalable. between speed, complexity,
Normal text converted to special format where it is unreadable scalable Faraday Cage to avoid
Ciphertext and scalability.
without reconversion using keys. Uses a key to substitute letters or blocks of letters with electromagnetic emissions - White
Substitution Ciphers different letters or block of letters. I.e. One-time pad, Hash Functions and Digital
The set of components used for encryption. Includes Electricity noise results in signal interference -
Cryptosystem stenography. Certificates
algorithm, key and key management functions. Out-of-band key exchange In-band key exchange Control Zone: Faraday cage + White
Hashing use message
Reorder or scramble the letters of the original message where noise
Breaking decrypting ciphertext without knowledge of digests.
Cryptanalysis Transposition Ciphers the key used to decide the positions to which the letters are Use anti-static spray, mats and
cryptosystem used.
Cryptographic Algorithm Procedure of enciphers plaintext and deciphers cipher text.
moved.
Key Escrow and Recovery Static wristbands when handling electrical
Electricity equipment - Monitor and maintain
Cryptography
The science of hiding the communication messages from Common Algorithms Secret key is divided into two parts and handover to a third party.
humidity levels.
unauthorized recipients.
Cryptology Cryptography + Cryptanalysis
Symmetric/ PKI HVAC control
Heat - High Humidity - Low Humidity
Algorithm Asymmetric Key length Based on Structure levels
Decipher Convert the message as readable. confidentiality, message integrity, authentication, and nonrepudiation
64 bit cipher block size and 56 bit key • 100F can damage storage media
Encipher Convert the message as unreadable or meaningless. Recipient's Public Key - Encrypt message
128-bit with 8 bits parity. such as tape drives.
One-time pad (OTP) Encipher all of the characters with separate unique keys. DES Symmetric 64 bit Lucifer • 16 rounds of transposition and Recipient's Private Key - Decrypt message • 175 F can cause computer and
Different encryption keys generate the same plaintext algorithm substitution Sender’s Private Key - Digitally sign electrical equipment damage.
Key Clustering • 350 F can result in fires due to
message. (ECB, CBC, CFB, OFB, CTR) Sender’s Public Key - Verify Signature
Key Space Every possible key value for a specific algorithm. 3 * 56 bit keys paper based products.
3 DES or
A mathematical function used in encryption and decryption of TDES Symmetric 56 bit*3 DES
• Slower than DES but higher security PKI Structure HVAC
• HVAC: UPS, and surge protectors
Algorithm (DES EE3, DES EDE3 ,DES EEE2, DES to prevent electric surcharge.
data; A.K.A. cipher. (Triple DES) Certificates Provides authorization between the parties verified by CA. Guidelines
EDE2) • Noise: Electromagnetic
Cryptology The science of encryption. Authority performing verification of identities and provides Interference (EMI), Radio Frequency
Use 3 different bit size keys Certificate Authority
Rearranging the plaintext to hide the original message; A.K.A. certificates. Interference
Transposition 128,192 or Rijndael Examples Bitlocker, Microsoft EFS
Permutation. AES Symmetric Registration Authority Help CA with verification. Temperatures, Humidity
256 bit algorithm Fast, secure 10,12, and 14
Exchanging or repeating characters (1 byte) in a message with Certification Path • Computer Rooms should have 15°
Substitution transformation rounds Certificate validity from top level.
another message. Validation C - 23°C temperature and 40 - 60%
64 bit cipher blocks (Humidity)
Key of a random set of non-repeating characters. A.K.A. One Certification Revocation
Vernam each block divide to 16 smaller Valid certificates list • Static Voltage
time pad. List
blocks • 40v can damage Circuits, 1000v
Confusion Changing a key value during each circle of the encryption. IDEA symmetric 128 bit Online Certificate status
Each block undergo 8 rounds of Used to check certificate validity online Flickering monitors, 1500v can
Diffusion Changing the location of the plaintext inside the cipher text. transformation protocol (OCSP) Voltage levels
cause loss of stored data, 2000v can
When any change in the key or plaintext significantly change Example PGP Cross-Certification Create a trust relationship between two CA’s control
Avalanche Effect cause System shut down or reboot,
the ciphertext. Skipjack Symmetric 80 bit 64 bit Block cipher 17000 v can cause complete
Split Knowledge Segregation of Duties and Dual Control.
Blowfish Symmetric 32-448bit 64 bit Block cipher
Digital Signatures electronic circuit damage.
Work factor The time and resources needed to break the encryption. • Sender’s private key used to encrypt hash value Fire proof Safety lockers - Access
128, 192, Equipment
Arbitrary number to provide randomness to cryptographic TwoFish Symmetric 128 bit blocks • Provides authentication, nonrepudiation, and integrity control for locking mechanisms
Nonce 256 safety
function. • Public key cryptography used to generate digital signatures such as keys and passwords.
Example SSL and WEP • Users register public keys with a certification authority (CA).
Dividing plaintext into blocks and assign similar encryption Maintain raised floor and proper
Block Cipher RC4 Symmetric 40-2048 • Stream cipher • Digital signature is generated by the user’s public key and validity period according to
algorithm and key. Water leakage drainage systems. Use of barriers
• 256 Rounds of transformation the certificate issuer and digital signature algorithm identifier.
Encrypt bit wise - one bit at a time with corresponding digit of such as sand bags
Stream Cipher 255 rounds transformation
the keystream. RC5 Symmetric 2048 Fire retardant materials - Fire
• 32, 64 & 128 bit block sizes Digital Certificate - Steps suppression - Hot Aisle/Cold Aisle
Dumpster Diving Unauthorized access a trash to find confidential information. Fire safety
CAST 128 Enrollment - Verification - Revocation Containment - Fire triangle (Oxygen -
Phishing Sending spoofed messages as originate from a trusted source. (40 to 128
64 bit block 12 transformation rounds Heat - Fuel) - Water, CO2, Halon
Social Engineering Mislead a person to provide confidential information. bit)
A moderate level hacker that uses readily found code from the
CAST Symmetric
CAST 256
128 bit block 48 rounds Cryptography Applications & Secure Protocols Fire extinguishers
Script kiddie transformation
internet. (128 to 256 Class Type Suppression
• BitLocker: Windows full volume encryption feature (Vista
bit)
Hardware -BitLocker and onward)
Requirements for Hashing Message Digest No confidentiality, authentication, or truecrypt • truecrypt: freeware utility for on-the-fly encryption A
Common Water , SODA
Diffie - combustible acid
Variable length input - easy to compute - one way function - digital signatures - fixed Asymmetric non-repudiation (discontinued)
Hellman
length output • Secure key transfer
CO2, HALON,
Uses 1024 keys A hardware chip installed on a motherboard used to manage B Liquid
MD Hash Algorithms • Public key and one-way function for Hardware-Trusted Symmetric and asymmetric keys, hashes, and digital
SODA acid
encryption and digital signature Platform Module (TPM) certificates. TPM protect passwords, encrypt drives, and
MD2 128-bit hash, 18 rounds of computations
verification manage digital permissions. C Electrical CO2, HALON
MD4 128-bit hash. 3 rounds of computations, 512 bits block sizes
RSA Asymmetric 4096 bit • Private key and one-way function for
128-bit hash. 4 rounds of computations, 512 bits block sizes, decryption and digital signature Encrypts entire packet components except Data Link Control
MD5 Link encryption D Metal Dry Powder
Merkle–Damgård construction generation information.
MD6 Variable, 0<d≤512 bits, Merkle tree structure • Used for encryption, key exchange End to end encryption Packet routing, headers, and addresses not encrypted.
and digital signatures Water based
Phased out, collision found with a complexity of 2^33.6 (approx
SHA-0 Privacy (Encrypt), Authentication (Digital signature), Integrity, suppression Wet pipes - Dry Pipe - Deluge
1 hr on standard PC) Retired by NIST Diffie - Used for encryption, key exchange
(Hash) and Non-repudiation (Digital signature) Email (Secure systems
160-bit MD, 80 rounds of computations, 512 bits block sizes, Elgamal Asymmetric Any key size Hellman and digital signatures
SHA-1 Merkle–Damgård construction (not considered safe against algorithm • Slower Email (PGP) MIME (S/MIME): Encryption for confidentiality, Hashing for • HI VIS clothes
well funded attackers) integrity, Public key certificates for authentication, and Personnel • Safety garments /Boots
Elliptic Used for encryption, key exchange
Message Digests for nonrepudiation. safety • Design and Deploy an Occupant
224, 256, 384, or 512 bits, 64 or 80 rounds of computations, Curve and digital signatures
Asymmetric Any key size Emergency Plan (OEP)
SHA-2 512 or 1024 bits block sizes, Merkle–Damgård construction Cryptosyste • Speed and efficiency and better Web application SSL/TLS. SSL encryption, authentication and integrity.
with Davies–Meyer compression function m (ECC) security
Cross-Certification Create a trust relationship between two CA’s • Programmable multiple control
Cryptographic Attacks (Privacy, authentication, Integrity, Non Repudiation).
locks
• Electronic Access Control - Digital
Use eavesdropping or packet sniffing to find or gain access to IPSEC Tunnel mode encrypt whole packet (Secure). Transport mode
Passive Attacks Algebraic Attack Uses known words to find out the keys scanning, Sensors
information. encrypt payload (Faster) Internal
• Door entry cards and badges for
Attacker tries different methods such as message or file modification Frequency Attacker assumes substitution and transposition ciphers use repeated Security
Active Attacks staff
Authentication Header (AH): Authentication, Integrity, Non
attempting to break encryption keys, algorithm. Analysis patterns in ciphertext. • Motion Detectors- Infrared, Heat
repudiation. Encapsulated Security Payload (ESP): Privacy,
Ciphertext-Only An attacker uses multiple encrypted texts to find out the key used for Assumes figuring out two messages with the same hash value is IPSEC components Based, Wave Pattern, Photoelectric,
Birthday Attack Authentication, and Integrity. Security Association (SA):
Attack encryption. easier than message with its own hash value Passive audio motion
Distinct Identifier of a secure connection.
Known Plaintext An attacker uses plain text and cipher text to find out the key used for
Dictionary Attacks Uses all the words in the dictionary to find out correct key
Attack encryption using reverse engineering or brute force encryption. Internet Security Association Key Management Protocol Create, distribute, transmission,
ISAKMP
Chosen Plaintext An attacker sends a message to another user expecting the user will Authentication, use to create and manage SA, key generation. storage - Automatic integration to
Replay Attacks Attacker sends the same data repeatedly to trick the receiver. Key application for key distribution,
Attack forward that message as cipher text.
Key exchange used by IPsec .Consists of OAKLEY and management storage, and handling. Backup keys
Social Engineering An attacker attempts to trick users into giving their attacker try to
Analytic Attack An attacker uses known weaknesses of the algorithm Internet Key Exchange Internet Security Association and Key Management Protocol should be stored secure by
Attack impersonate another user to obtain the cryptographic key used.
(IKE) (ISAKMP). IKE use Pre-Shared keys, certificates, and public key designated person only.
Brute Force Try all possible patterns and combinations to find correct key. Statistical Attack An attacker uses known statistical weaknesses of the algorithm authentication.
Differential Calculate the execution times and power required by the cryptographic Pilot testing for all the backups and
Factoring Attack By using the solutions of factoring large numbers in RSA
Cryptanalysis device. A.K.A. Side-Channel attacks Wired Equivalent Privacy (WEP): 64 & 128 bit encryption. Wi-Fi safety systems to check the
Testing
Linear Reverse Wireless encryption Protected Access (WPA): Uses TKIP. More secure than WEP working condition and to find any
Uses linear approximation Use a cryptographic device to decrypt the key WPA2: Uses AES. More secure than WEP and WPA. faults.
Cryptanalysis Engineering
 Common TCP Protocols CISSP Cheat Sheet Series
Port Protocol
OSI Reference Model IP Addresses Port Ranges
20,21 FTP
7 layers, Allow changes between layers, Standard hardware/software interoperability. • Class A: 0.0.0.0 – 127.255.255.255 Authentication methods:
22 SSH Public IPv4
Tip, OSI Mnemonics • Class B: 128.0.0.0 – 191.255.255.255 • PAP=Clear text, unencrypted
23 TELNET address space Point to Point Tunneling Protocol (PPTP)
All People Seem To Need Data Processing • Class C: 192.0.0.0 – 223.255.255.255 • CHAP=unencrypted, encrypted
25 SMTP • Class A: 10.0.0.0 – 10.255.255.255 • MS-CHAP=encrypted, encrypted
Please Do Not Throw Sausage Pizza Away Private IPv4
53 DNS • Class B: 172.16.0.0 – 172.31.255.255
Layer Data Security address space Challenge-Handshake Authentication Encrypt username/password and
110 POP3 • Class C: 192.168.0.0 – 192.168.255.255 Protocol (CHAP) re-authenticate periodically. Use in PPP.
Application Data C, I, AU, N
80 HTTP • Class A: 255.0.0.0
Presentation Data C, AU, Encryption Subnet Masks • Class B: 255.255.0.0 Layer 2 Tunneling Protocol (L2TP) Use with IPsec for encryption.
143 IMAP
Session Data N • Class C: 255.255.255.0
389 LDAP Provide authentication and integrity, no
Transport Segment C, AU, I IPv4 32 bit octets Authentication Header (AH)
443 HTTPS confidentiality.
Network Packets C, AU, I IPv6 128 bit hexadecimal
636 Secure LDAP Encapsulating Security Payload (ESP) Encrypted IP packets and preserve integrity.
Data link Frames C
Physical Bits C
445 ACTIVE DIRECTORY Network Types Shared security attributes between two
1433 Microsoft SQL Security Associations (SA)
C=Confidentiality, AU=Authentication, I=Integrity, N=Non repudiation Geographic Distance and are is limited to one network entities.
3389 RDP Local Area
building. Usually connect using copper wire or Transport Mode Payload is protected.
Hardware / Network (LAN)
Layer (No) Functions Protocols 137-139 NETBIOS fiber optics
Formats Tunnel Mode IP payload and IP header are protected.
Campus Area Multiple buildings connected over fiber or
Cables, HUB, Attacks in OSI layers Network (CAN) wireless
Internet Key Exchange (IKE) Exchange the encryption keys in AH or ESP.
Electrical signal USB, DSL Remote Authentication Dial-In User Service Password is encrypted but user
Physical (1) Layer Attack Metropolitan
Bits to voltage Repeaters, (RADIUS) authentication with cleartext.
ATM Phishing - Worms - Area Network Metropolitan network span within cities
SNMP v3 Encrypts the passwords.
Application Trojans (MAN)
Frames setup
PPP - PPTP - L2TP - - ARP - Dynamic Ports 49152 - 65535
Error detection and control Wide Area Interconnect LANs over large geographic area
RARP - SNAP - CHAP - LCP - Layer 2 Phishing - Worms -
Data Link Check integrity of packets network (WAN) such as between countries or regions.
Presentation Trojans
Layer (2) Destination address, Frames
MLP - Frame Relay - HDLC -
ISL - MAC - Ethernet - Token
Switch -
bridges Session Session hijack
Intranet A private internal network Remote Access Services
use in MAC to IP address connects external authorized persons access to Telnet Username /Password authentication. No encryption.
Ring - FDDI Transport SYN flood - fraggle Extranet
conversion. intranet Remote login (rlogin) No password protection.
Routing, Layer 3 switching, Layer 3 smurfing flooding -
Network ICMP - BGP - OSPF - RIP - IP - Internet Public network SSH (Secure Shell) Secure telnet
segmentation, logical Switch - Network ICMP spoofing - DOS
layer BOOTP - DHCP - ICMP
addressing. ATM. Packets. Router Collision - DOS /DDOS Networking Methods & Standards Terminal Access Controller
Access-Control System
User credentials are stored in a server known as a
TACACS server. User authentication requests are
TCP - UDP datagrams. Data link - Eavesdropping
Routers - Software Decoupling the network control and the (TACACS) handled by this server.
Reliable end to end data Signal Jamming -
Segment - Connection VPN defined forwarding functions. More advanced version of TACACS. Use two factor
Transport transfer - Physical Wiretapping networking Features -Agility, Central management, TACACS+
oriented concentrato authentication.
Segmentation - sequencing -
rs - Gateway (SDN) Programmatic configuration, Vendor neutrality.
and error checking Hardware Devices Converged
Remote Authentication Dial-In Client/server protocol use to enable AAA services for
TCP - UDP - NSF - SQL - Transfer voice, data, video, images, over single User Service (RADIUS) remote access servers.
Session Data, simplex, half duplex, full Layer 1 device forward protocols for
RADIUS - and RPC - PPTP - Gateways HUB network. Secure and encrypted communication channel
Layer dupl Eg. peer connections. frames via all ports media transfer
PPP between two networks or between a user and a
digital to analog Fibre Channel Virtual private network (VPN)
Modem network. Use NAT for IP address conversion. Secured
Data Gateways conversion over Ethernet Running fiber over Ethernet network.
Presentation with strong encryptions such as L2TP or IPSEC.
compression/decompression TCP - UDP messages JPEG - TIFF - Routers Interconnect networks (FCoE)
layer
and encryption/decryption MID - HTML Multiprotocol
Interconnect networks in
TCP - UDP - FTP - TELNET -
Bridge
Ethernet Label
Transfer data based on the short path labels VPN encryption options
instead of the network IP addresses. No need of
Application TFTP - SMTP - HTTP CDP - Inbound/outbound data Switching • PPP for authentication
Data Gateways Gateways route table lookups.
layer SMB - SNMP - NNTP - SSL - entry points for networks (MPLS) • No support for EAP
HTTP/HTTPS. Internet Small Standard for connecting data storage sites such Point-to-Point Tunneling Protocol • Dial in
Frame forward in local
Switch Computer as storage area networks or storage arrays. (PPTP) • Connection setup uses plaintext
network.
TCP/IP Model Interface (ISCI) Location independent. • Data link layer
Share network traffic
Encryption and different protocols at different • Single connection per session
Layers Action Example Protocols load by distributing
Load balancers Multilayer
levels. Disadvantages are hiding coveted channels • Same as PPTP except more secure
Token ring • Frame Relay • FDDI traffic between two Protocols Layer 2 Tunneling Protocol (L2TP)
Network access Data transfer done at this layer and weak encryptions. • Commonly uses IPsec to secure L2TP packets
• Ethernet • X.25 devices
Voice over • Network layer
Create small data chunks called Hide internal public IP Allows voice signals to be transferred over the
Internet • Multiple connection per session
Internet datagrams to be transferred via IP • RARP • ARP • IGMP • ICMP address from external public Internet connection. Internet Protocol Security (IPsec)
Protocol (VoIP) • Encryption and authentication
network access layer Proxies public internet
Packet switching technology with higher • Confidentiality and integrity
Transport Flow control and integrity TCP • UDP /Connection caching and
Asynchronous
filtering. bandwidth. Uses 53-byte fixed size cells. On
Application
Convert data into readable Telnet • SSH • DNS • HTTP • FTP transfer mode
demand bandwidth allocation. Use fiber optics.
Communication Hardware Devices
format • SNMP • DHCP Use to create VPN or (ATM)
aggregate VPN Popular among ISPs Divides connected devices into one input signal for transmission over
VPNs and VPN Concentrator
TCP 3-way Handshake concentrators
connections provide PTP connection between Data terminal equipment one output via network.
using different internet X25 (DTE) and data circuit-terminating equipment Multiplexer Combines multiple signals into one signal for transmission.
SYN - SYN/ACK - ACK links (DCE) Hubs Retransmit signal received from one port to all ports.
Use with ISDN interfaces. Faster and use multiple
LAN Topologies Protocol analyzers
Capture or monitor
network traffic in PVCs, provides CIR. Higher performance. Need to
Repeater Amplifies signal strength.
Frame Relay
Topology Pros Cons real-time ad offline have DTE/DCE at each connection point. Perform
WAN Transmission Types
• No redundancy New generation error correction.
Unified threat • Dedicated permanent circuits or communication paths required.
BUS • Simple to setup • Single point of failure vulnerability scanning Synchronous Circuit-switched
management IBM proprietary protocol use with permanent • Stable speed. Delay sensitive.
• Difficult to troubleshoot application Data Link networks
dedicated leased lines. • Mostly used by ISPs for telephony.
Create collision Control (SDLC)
RING • Fault tolerance • No middle point • Fixed size packets are sending between nodes and share
domains. Routers High-level Data
Start • Fault tolerance • Single point of failure VLANs Use DTE/DCE communications. Extended Packet-switched bandwidth.
separate broadcast Link Control
• Redundant protocol for SDLC. networks • Delay sensitive.
Mesh • Fault tolerance domains (HDLC)
• Expensive to setup • Use virtual circuits therefore less expensive.
Intrusion detection and Domain name Map domain names /host names to IP Address
IDS/IPS
system (DNS) and vice versa.
Types of Digital Subscriber Lines (DSL) prevention.
Wireless Networking
Asymmetric Digital • Download speed higher than upload
Firewall and Perimeter Leased Lines Wireless personal area network (WPAN) standards
Subscriber Line • Maximum 5500 meters distance via telephone lines. T1 1.544Mbps via telephone line IEEE 802.15 Bluetooth
(ADSL) • Maximum download 8Mbps, upload 800Kbps. Security T3 45Mbps via telephone line IEEE 802.3 Ethernet
Rate Adaptive DSL • Upload speed adjust based on quality of the transmission line
DMZ Secure network between ATM 155Mbps IEEE 802.11 Wi-Fi
(RADSL) • Maximum 7Mbps download, 1Mbps upload over 5500 meters.
(Demilitarized external internet facing and ISDN 64 or 128 Kbps REPLACED BY xDSL IEEE 802.20 LTE
Symmetric Digital • Same rate for upstream and downstream transmission rates.
zone) internal networks. Reserved 1024-49151
Subscriber Line • Distance 6700 meters via copper telephone cables Wi-Fi
(SDSL) • Maximum 2.3Mbps download, 2.3Mbps upload. Bastion Host - Dual-Homed - Three-Legged - BRI B-channel 64 Kbps
Standard Speed Frequency (GHz)
• Higher speeds than standard ADSL Screened Subnet - Proxy Server - PBX - Honey BRI D-channel 16 Kbps
Very-high-bit-rate DSL 802.11a 54 Mbps 2.4
• Maximum 52Mbps download, 16 Mbps upload up to 1200 Pot - IDS/IPS PRI B & D channels 64 Kbps
(VDSL) 802.11b 11 Mbps 5
Meters
802.11g 54 Mbps 2.4
High-bit-rate DSL
(HDSL)
T1 speed for two copper cables for 3650 meters Network Attacks 802.11n 200+ Mbps 2.4/5

Committed Virus Malicious software, code and executables 802.11ac 1Gbps 5

Minimum guaranteed bandwidth provided by service provider. Worms Self propagating viruses
Information Rate (CIR) • 802.11 use CSMA/CA protocol as DSSS or FHSS
Logic Bomb Time or condition locked virus • 802.11b uses only DSSS
LAN Packet Transmission Code and/or executables that act as legitimate software, but are not legitimate and are Wireless Security Protocols
Trojan
Unicast Single source send to single destination malicious Directly connects peer-to-peer mode clients without a
Backdoor Unauthorized code execution entry Ad-hoc Mode
Multicast Single source send to multiple destinations central access point.
Broadcast Source packet send to all the destinations. A series of small attacks and network intrusions that culminate in a cumulative large Infrastructure Mode Clients connect centrally via access point.
Salami, salami slicing
scale attack WEP (Wired Equivalent
Carrier-sense Multiple One workstations retransmits frames until destination
Data diddling Alteration of raw data before processing Confidentiality, uses RC4 for encryption.
Access (CSMA) workstation receives. Privacy)
CSMA with Collision Terminates transmission on collision detection. Used by Sniffing Unauthorized monitoring of transmitted data WPA (Wi-Fi Protected Uses Temporal Key Integrity Protocol (TKIP) for data
Detection (CSMA/CD) Ethernet. Monitor and capture of authentication sessions with the purpose of finding and hijacking Access) encryption.
Session Hijacking
Upon detecting a busy transmission, pauses and then credentials WPA2 Uses AES, key management.
CSMA with Collision
re-transmits delayed transmission at random interval to DDoS (Distributed Denial of Overloading a server with requests for data packets well beyond its processing capacity WPA2-Enterprise Mode Uses RADIUS
Avoidance (CSMA/CA)
minimise two nodes re-sending at same time. Service) resulting in failure of service TKIP (Temporal Key Integrity
Combination of a DDoS attack and TCP 3-way handshake exploit that results in denial of Uses RC4 stream cipher.
Sender sends only if polling system is free for the Protocol)
Polling SYN Flood
destination. service EAP (Extensible Utilizes PPP and wireless authentication. Compatible with
Sender can send only when token received indicating free to Particular kind of DDoS attack using large numbers of Internet Control Message Authentication Protocol) other encryption technologies.
Token-passing Smurf
send. Protocol (ICMP) packets PEAP (Protected Extensible Encapsulates EAP within an encrypted and authenticated
Broadcast Domain Set of devices which receive broadcasts. Fraggle Smurf with UDP instead of TCP Authentication Protocol) TLS tunnel.
Set of devices which can create collisions during LOKI Uses the common ICMP tunnelling program to establish a covert channel on the network Port Based Authentication 802.1x, use with EAP in switching environment
Collision Domain
simultaneous transfer of data.
Wireless Spread Spectrum
Layer 2 Switch Creates VLANs A type of DDoS attack that exploits a bug in TCP/IP fragmentation reassembly by
Teardrop FHSS (Frequency Hopping Uses all available frequencies, but only a single frequency
Layer 3 Switch Interconnects VLANs sending fragmented packets to exhaust channels
Spectrum System) can be used at a time.
Zero-day Exploitation of a dormant or previously unknown software bug
LAN / WAN Media DSSS (Direct Sequence
Spread Spectrum)
Parallel use of all the available frequencies leads to higher
throughput of rate compared to FHSS.
Land Attack Caused by sending a packet that has the same source and destination IP
Pair of twisted copper wires. Used in ETHERNET. Cat5/5e/6. Cat5 OFDM (Orthogonal
Twisted Pair Anonymously sending malicious messages or injecting code via bluetooth to
speed up to 100Mbps over 100 meters. Cat5e/6 speed 1000Mbps. Bluejacking, Bluesnarfing Frequency-Division Orthogonal Frequency-Division Multiplexing
unprotected devices within range Multiplexing)
Unshielded Twisted DNS Spoofing, DNS The introduction of corrupt DNS data into a DNS servers cache, causing it to serve
Less immune to Electromagnetic Interference (EMI)
Pair (UTP)
Shielded Twisted
Poisoning corrupt IP results Firewall Generation Evolution
Similar to UTP but includes a protective shield. Session hijacking Change TCP structure of the packet to show the source as trusted to gain access to
Pair (STP) • Packet Filter Firewalls: Examines source/destination address,
(Spoofing) targeted systems. First Generation
protocol and ports of the incoming packets. And deny or permit
Thick conduit instead of two copper wires. 10BASE-T, 100BASE-T, A TCP sequence prediction A successful attempt to predict a TCP number sequence resulting in an ability to Firewalls
Coaxial Cable according to ACL. Network layer, stateless.
and 1000BASE-T. / number attack compromise certain types of TCP communications
Uses light as the media to transmit signals. Gigabit speed at long Second Generation • Application Level Firewall / Proxy Server: Masks the source
Fiber Optic distance. Less errors and signal loss. Immune to EMI. Multimode Email Security Firewalls during packet transfer. Operating at Application layer, stateful.
and single mode. Single mode for outdoor long distance. LDAP (Lightweight Directory Access
Active directory based certificate management for email authentication. Third Generation • Stateful Inspection Firewall: Faster. State and context of the
Over a public switched network. High Fault tolerance by relaying Protocol) Firewalls packets are inspected.
Frame Relay WAN
fault segments to working. SASL (Simple Authentication and
Secure LDAP authentication. • Dynamic Packet Filtering Firewall: Dynamic ACL modification
Security Layer) • Packet Filtering Routers: Located in DMZ or boundary networks.
Secure Network Design - Components Client SSL Certificates Client side certificate to authenticate against a server. Includes packet-filter router and a bastion host. Packet filtering and
Network address S/MIME Certificates Used for signed and encrypted emails in single sign on (SSO) Fourth Generation proxy
Hide internal public IP address from external internet
translation (NAT) Uses the multipart/signed and multipart/encrypted framework to apply Firewalls • Dual-homed Host Firewall: Used in networks facing both internal
MOSS (MIME Object Security Services) and external
Port Address Allow sharing of public IP address for internal devices and digital signatures.
• Screened-subnet Firewall: Creates a Demilitarized Zone (DMZ) -
Translation (PAT) applications using a given single public IP address assigned by ISP A sequence of RfCs (Request for Comments) for securing message
PEM (Privacy-Enhanced Mail) network between trusted and untrusted
authenticity.
Stateful NAT Keeps track of packets transfer between source and destinations Fifth Generation • Kernel Proxy Firewall: Analyzes packets remotely using virtual
One to one private to public IP address assigned between two end DKIM (Domainkeys Identified Mail) Technique for checking authenticity of original message. Firewalls network
Static NAT
devices Next-generation
An open protocol to allow secure authorization using tokens instead of • Deep packet inspection (DPI) with IPS: Integrated with IPS/IDS
Dynamic NAT Pool of internal IP maps one or several public IP address OAuth Firewalls (NGFW)
passwords.