Domain 4.1 - OSI, IP, protocols
Layer 2 (data link) - switches, ARP, PPP, MAC addresses, Ethernet frames, ATM, L2F, L2TP, PPTP
Segmentation (VLAN) benefits - performance, reduced congestion, traffic isolation, granular control, simpler firewall policies
Ports - 49152-65535 = random / dynamic / ephemeral / private ports (the source ports clients pick for outbound connections)
IPv4 - 32 bit, 4 octets in dotted-decimal notation (.), address shortage worked around with NAT
  APIPA - assigns a DHCP client an address in 169.254.0.0/16 (169.254.0.1-169.254.255.254) when no DHCP server answers
  Loopback address - 127.0.0.1 (the whole 127.0.0.0/8 block)
IPv6 - 128 bit, 8 groups of hex digits separated by colons (:), NAT not needed, IPsec integrated, no header checksum, no fragmentation by routers (only the sender fragments), no options field (extension headers instead)
  benefits - much larger address space, simpler autoconfiguration, scoped multicast, simplified header (drops unused IPv4 header fields), flow labeling, extension headers for authentication and integrity (AH/ESP)
  migration concerns - the 128-bit address space gives attackers more source addresses to work from, upgrade issues, less privacy because NAT no longer hides internal addresses
  coexistence with IPv4 - dual stack, tunneling, NAT-PT (mutual conversion between the two)
LAN extender - remote-access multilayer switch that connects a distant network over a WAN
Wireless
  OFDM (Orthogonal Frequency-Division Multiplexing) - transmits on many subcarrier frequencies simultaneously, in parallel [802.11a, g, n]
  site survey - investigates the presence of wireless signals, their speed/strength, and the reach of each wireless access point
  ad-hoc mode - two devices connect directly to each other, no access point
  standalone mode - wireless access point with no wired resources behind it
  infrastructure mode - endpoints connect to a central network through the access point, not directly to each other
  wired extension mode - wireless access point bridging clients into a wired network
  LEAP (Cisco) - added reauthentication to WEP; proprietary and now considered weak
  PEAP (Protected EAP) - encapsulates EAP inside a TLS tunnel
  802.1X (not 802.11X) - port-based network access control framework that carries EAP over the LAN/WLAN
  IEEE 802.1AE (MACsec) - MAC Security standard: hop-by-hop encryption, integrity, and origin authentication at layer 2
Domain 4.2 - Secure Network Components
Network Access Control (NAC) - prevent/reduce zero-day attacks, traffic encryption, AAA service, enforce security policy across the network, identity-based access control
Firewall
  blocking rules (anti-spoofing) - drop:
    inbound packets that carry an internal source address
    outbound packets that carry an external source address
    packets whose source/destination address is in the LAN range but not yet assigned to any host
  static packet-filtering (layer 3, network) - examines message headers: source/destination IP address, port, protocol; rules written as an ACL
    weakness: limited logging, no user authentication, cannot detect fragmentation attacks
  stateful/dynamic inspection (layers 3-4, network/transport) - evaluates the state, session, and context of each packet; decisions based on the protocol header plus a session table
  circuit level (layer 5, session) - e.g., SOCKS; protects a wide range of protocols without understanding their content
  application-level proxy (layer 7, application) - deep packet inspection, WAF; filters on protocol, application, and content
    pros: extensive logging, user authentication, defends against address spoofing
    cons: not suited to high-bandwidth or real-time applications, limited support for new network applications, performance cost
    each protocol requires its own proxy
  next generation firewall - works at multiple layers; bundles VPN, antivirus, IDPS (UTM)
  architecture
    dual-homed - a single host with a separate NIC connected to each network
    screened host (bastion host) - a router filters traffic before it passes to the firewall host
    screened subnet - external router filters traffic before it enters the subnet; two firewalls with the screened subnet (DMZ) between them
Transmission
  asynchronous - simpler, less costly, parity bit for error control, used for irregular transmission patterns
  synchronous - complex, costly, robust error checking through cyclic redundancy checking (CRC), high speed, high volume, minimal protocol overhead
  baseband (single signal) vs broadband (multiple signals simultaneously)
  cable naming, e.g. 10Base5 - speed (10 Mbps), Base/Broad signaling, then distance (5 = 500 m) or media type (T = twisted pair)
Cabling / transmission media
  coaxial (TV) - central copper core, fairly resistant to EMI (10Base5 thicknet coax: low EMI susceptibility)
  twisted-pair (telephone) - STP (shielded, metal foil) / UTP (unshielded, no foil); 100 m segment limit; Cat 5 = 100 Mbps, Cat 5e = 1 Gbps, Cat 6 = 1 Gbps (10 Gbps over short runs)
  copper - the best least-expensive conductor; its resistance rises with temperature
  fiber optic (data) - transmits light instead of electricity, fast, costly, good security: immune to electromagnetic interference and hard to tap
Network topology
  ring - a token is passed along the circle (token ring); any single break is a single point of failure for the whole ring
  bus - trunk or backbone cable; all systems transmit on the shared medium, so collisions occur (Ethernet, CSMA/CD); the central trunk is a single point of failure
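The blocking rules and the static-versus-stateful distinction above are easier to see in code. The following is an added example written for these notes, not code from any firewall product: a toy filter that applies the three anti-spoofing rules, then shows why a static ACL must either drop a server's reply to a client's ephemeral port or open every high port, while a stateful filter simply recognises the reply as part of a tracked session. The LAN prefix, the assigned-host list, the ACL and the sample packets are all constructed; the loopback/APIPA check generalises the rules to the reserved ranges listed under Domain 4.1.

```python
"""Toy packet filter: anti-spoofing rules + static vs. stateful filtering.

Added example for the study notes; not code from any firewall product.
The LAN prefix, assigned hosts, ACL and sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.10.0/24")                               # constructed internal prefix
ASSIGNED_HOSTS = {ip_address("192.168.10.5"), ip_address("192.168.10.20")}
# Generalisation of the rules: loopback and APIPA sources never belong on the wire.
BOGON_SOURCES = [ip_network("127.0.0.0/8"), ip_network("169.254.0.0/16")]

# Static ACL: (direction, protocol, destination port) tuples that are permitted.
ACL = {("in", "tcp", 443), ("in", "tcp", 25), ("out", "tcp", 443), ("out", "udp", 53)}


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from outside, "out" = leaving the LAN
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


def spoof_check(p: Packet) -> Optional[str]:
    """The three blocking rules from the notes (plus the bogon-source check)."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if any(src in net for net in BOGON_SOURCES):
        return "drop: loopback/APIPA source address on the wire"
    if p.direction == "in" and src in LAN:
        return "drop: inbound packet with internal source address"
    if p.direction == "out" and src not in LAN:
        return "drop: outbound packet with external source address"
    for addr in (src, dst):
        if addr in LAN and addr not in ASSIGNED_HOSTS:
            return f"drop: LAN address {addr} not assigned to any host"
    return None


def static_filter(p: Packet) -> str:
    """Static packet filter: decides from this packet's header fields alone."""
    reason = spoof_check(p)
    if reason:
        return reason
    return "allow" if (p.direction, p.proto, p.dport) in ACL else "drop: no ACL match"


class StatefulFilter:
    """Stateful filter: remembers sessions so replies need no ACL hole for ephemeral ports."""

    def __init__(self) -> None:
        self.sessions = set()   # (initiator, initiator port, responder, responder port)

    def check(self, p: Packet) -> str:
        reason = spoof_check(p)
        if reason:
            return reason
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if reverse in self.sessions:
            return "allow: reply to tracked session"
        may_open = p.proto != "tcp" or (p.syn and not p.ack)   # only a bare SYN opens a TCP session
        if (p.direction, p.proto, p.dport) in ACL and may_open:
            self.sessions.add(forward)
            return "allow: new session"
        return "drop: not in ACL and no matching session"


# Constructed sample packets; the last two are a client's SYN and the server's SYN/ACK reply.
SAMPLE = [
    ("spoofed_inbound", Packet("in", "tcp", "192.168.10.5", "192.168.10.20", 40000, 443, syn=True)),
    ("spoofed_outbound", Packet("out", "tcp", "10.9.9.9", "203.0.113.7", 40000, 443, syn=True)),
    ("unassigned_lan_host", Packet("in", "tcp", "203.0.113.7", "192.168.10.77", 40000, 443, syn=True)),
    ("apipa_source", Packet("in", "udp", "169.254.3.3", "192.168.10.5", 5000, 53)),
    ("client_syn", Packet("out", "tcp", "192.168.10.5", "203.0.113.7", 50001, 443, syn=True)),
    ("server_syn_ack", Packet("in", "tcp", "203.0.113.7", "192.168.10.5", 443, 50001, syn=True, ack=True)),
]


def run_demo() -> dict:
    """Returns {name: (static verdict, stateful verdict)} for the sample packets, in order."""
    stateful = StatefulFilter()
    return {name: (static_filter(p), stateful.check(p)) for name, p in SAMPLE}


if __name__ == "__main__":
    for name, (static, dyn) in run_demo().items():
        print(f"{name:22} static={static:58} stateful={dyn}")
```

The server's SYN/ACK arrives on destination port 50001, an ephemeral port that no sane static ACL lists, so the static filter drops it while the stateful filter matches it against the session the client opened one packet earlier.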
Voice (VoIP) - secure with SRTP, SIPS, and a dedicated VLAN for VoIP phones
Multimedia collaboration
  remote meeting - require authentication, an encrypted tunnel, end-to-end encryption, and logging of activities
  instant messaging - risks: malicious code, file transfer, social engineering
Load balancing - spreads traffic across several servers for availability and performance
Remote access - dial-up modem, VPN
  centralized remote authentication services - RADIUS, TACACS+, with 2FA
  Diameter - successor of RADIUS (not TACACS+) with added reliability; runs over TCP/SCTP instead of UDP
Remote access and serial protocols
  Serial Line IP (SLIP) - TCP/IP over low-speed dial-up; no authentication or error detection, obsolete
  Point-to-Point Tunneling Protocol (PPTP) - Microsoft; no encryption in the protocol itself (Microsoft's MPPE is bolted on); authentication via PAP, CHAP, EAP
  Synchronous Data Link Control (SDLC) - IBM full-duplex serial protocol, used between mainframes and remote sites
  High-level Data Link Control (HDLC) - synchronous protocol derived from SDLC
WAN switching
  packet switching (logical) - message broken into small segments, variable delay, connectionless, sensitive to data loss, suitable for any traffic
  X.25 - oldest packet-switched WAN technology, built-in error correction
  Frame relay - packet-switched WAN technology, favors speed over reliability (error recovery left to upper layers such as TCP), data link layer
  ATM - cell-switched WAN technology, fixed-length 53-byte cells
  virtual (logical) circuits
    Permanent virtual circuits (PVCs) - dedicated and always available, like a two-way walkie-talkie channel
    Switched virtual circuits (SVCs) - created on demand each time and torn down afterward
Email (data communication)
  X.400 standard
  insecure protocols (cleartext, no encryption by default): SMTP (25), POP3 (110), IMAP (143)
  security goals: integrity, authenticity, classification of sensitive content
Domain 4.3 - Secure Communication Channels
VPN
  Point-to-Point Tunneling Protocol (PPTP) - obsolete encapsulation protocol, data link layer, tunnels PPP over IP, used for dial-up; authentication via PAP, CHAP, EAP, MS-CHAPv2
  Layer 2 Forwarding (L2F) - Cisco, no encryption
  Layer 2 Tunneling Protocol (L2TP) - combines PPTP + L2F; no encryption of its own, so it is used with IPsec (L2TP/IPsec); VPN over WAN links (IP, X.25, frame relay, ATM)
  IPsec
    AH - authentication, integrity, nonrepudiation and anti-replay; no confidentiality
    ESP - confidentiality (plus optional authentication and integrity)
    transport mode - encrypts only the payload; host-to-host VPN (ends at the individual hosts)
    tunnel mode - encrypts the whole original packet (IP header + payload) inside a new outer header; site-to-site VPN (ends at the network boundaries)
    IKE - OAKLEY (key generation/agreement), SKEME (key exchange), ISAKMP (framework for negotiating and managing security associations and keys)
Cellular network
  4G - IP based (LTE, WiMAX), up to about 1 Gbps
  5G - ICS, IoT; up to 10 Gbps but shorter range per cell; mutual authentication; enhanced subscriber identity protection
Content Distribution Network (CDN) - geographically distributed nodes close to users: low latency, high performance, high availability
Other communication technologies
  Zigbee (802.15.4) - personal area network, low power, IoT; supports both centralized and distributed security models; mesh topology
  LiFi - uses light to transmit data at high speed (up to 100 Gbit/s); cannot penetrate opaque walls, not susceptible to EM interference
  satellite - LEO, MEO, GEO orbits; telephony, TV, internet, military
  NFC - very short range
  infrared - requires line of sight
  Bluetooth (802.15.1)
  MAN (802.16, WiMAX)
Port mirroring - duplicates the traffic of one switch port onto a monitoring port (for IDS or packet capture)
DNS attacks
  DNS cache poisoning - placing incorrect records in a zone file or a resolver's cache
  cybersquatting - registering a look-alike of a genuine URL to resell it to the business (no real website is established)
  domain hijacking - changing the registration of a domain name without authorization
Wireless security
  WPA2 (802.11i)
  war driving - driving around to detect wireless network signals [WPA2/WPA3 with a strong passphrase keeps what is found from being used]
  replay attack - defenses: keep firmware updated, WIDS, one-time passwords, timestamps, challenge-response authentication
  general defenses: update firmware, change the default admin password, enable WPA2/WPA3, disable SSID broadcast and use MAC filtering (weak obscurity measures on their own), IDS/WIDS, VPN, captive portal, tracking of wireless activity
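Of the replay defenses listed, one-time values, timestamps and challenge-response are all ways of binding a message to a single moment so that a captured copy is useless. The following is an added example written for these notes (not code from any standard or product) that combines the three with a keyed HMAC and plays out a fresh login, an exact replay, a message held back for an hour, and a forgery without the key; a static-credential check is included as the weak baseline that replay defeats. The shared key, the clock values and the messages are constructed.

```python
"""Replay-attack defense: one-time nonce challenge + timestamp + keyed response.

Added example for the notes; not code from any product or standard.
The shared key, clock values and messages are constructed for illustration.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Set

SHARED_KEY = b"constructed-demo-key"   # pre-shared secret known to both sides (constructed)


def make_response(key: bytes, nonce: bytes, ts: int) -> bytes:
    """Client side: prove possession of the key without ever sending it."""
    return hmac.new(key, nonce + ts.to_bytes(8, "big"), hashlib.sha256).digest()


class Verifier:
    """Server side: issues a fresh nonce per attempt and accepts each one at most once."""

    def __init__(self, key: bytes, max_skew: float = 30.0,
                 now: Callable[[], float] = time.time) -> None:
        self.key = key
        self.max_skew = max_skew          # seconds a timestamp may differ from our clock
        self.now = now                    # injectable clock so the demo is deterministic
        self.outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, ts: int, response: bytes) -> str:
        if nonce not in self.outstanding:
            return "reject: unknown or already-used nonce (replay)"
        if abs(self.now() - ts) > self.max_skew:
            return "reject: stale timestamp"
        expected = make_response(self.key, nonce, ts)
        if not hmac.compare_digest(expected, response):
            return "reject: response does not match"
        self.outstanding.discard(nonce)   # consume the nonce: the same message can never pass again
        return "accept"


def static_credential_check(stored: bytes, presented: bytes) -> str:
    """Weak baseline: a fixed credential hash; a captured copy is accepted forever."""
    return "accept" if hmac.compare_digest(stored, presented) else "reject"


def run_demo() -> dict:
    """Plays out a legitimate login, a replay, a stale message and a forgery."""
    clock = [1_700_000_000.0]                     # constructed, controllable clock
    server = Verifier(SHARED_KEY, now=lambda: clock[0])
    results = {}

    # Weak baseline: the attacker sniffs the hashed password once and reuses it.
    pw_hash = hashlib.sha256(b"hunter2").digest()
    results["static_replay"] = static_credential_check(pw_hash, pw_hash)

    # Legitimate exchange, then the attacker replays the exact captured message.
    nonce = server.challenge()
    ts = int(clock[0])
    captured = make_response(SHARED_KEY, nonce, ts)
    results["fresh"] = server.verify(nonce, ts, captured)
    results["replayed"] = server.verify(nonce, ts, captured)

    # A captured message held back for an hour: the timestamp falls outside the window.
    nonce2 = server.challenge()
    ts2 = int(clock[0])
    late = make_response(SHARED_KEY, nonce2, ts2)
    clock[0] += 3600
    results["stale"] = server.verify(nonce2, ts2, late)

    # An attacker without the key cannot compute a valid response to a new nonce.
    nonce3 = server.challenge()
    results["forged"] = server.verify(nonce3, int(clock[0]), bytes(32))
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:14} -> {verdict}")
```

The nonce check comes before the timestamp check on purpose: a replay is rejected even when it arrives inside the time window, and the timestamp only limits how long an unconsumed challenge stays valid.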
Network attacks
  fraggle - UDP (echo/chargen) sent to a broadcast address with a spoofed source, so every reply lands on the victim
  smurf - ICMP echo sent to a broadcast address with a spoofed source, same amplification against the victim
  teardrop - malformed, overlapping IP fragments that crash or hang the reassembling host
  on-path (MITM) attack, eavesdropping, data manipulation, and replay
  sniffing - network packet capturing
Email attacks - virus, worm, trojan, spoofed source address, DoS, mail storm (reply all)
  S/MIME - authentication and confidentiality through public key cryptography: digital envelope, digital signature
  PGP - encrypts files and email messages
RFID - privacy-violating tracking; NFC - eavesdropping, DoS
Voice / telephony
  phreaking - attacking the telephone system to make free calls
  VoIP - toll fraud, spam (SPIT), caller ID spoofing (identity fraud), on-path attack, eavesdropping, DoS
  defenses: patches, encryption, disable unnecessary ports, real-time monitoring (IDS/IPS), record call logs, block international calling, outsource; a VoIP-to-PSTN gateway must be present (and secured) wherever calls reach the PSTN
Bluetooth
  bluesmacking - DoS with garbage traffic; signal jamming
  Bluetooth 4.1 - uses AES-CCM, a strong cipher
Cellular - interception; the provider is susceptible to on-path/MITM attacks; cell phones reaching the office network over cellular
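Fraggle, smurf and teardrop each leave a distinctive signature in packet headers, which is how an IDS (listed above under defenses) catches them. The following is an added example written for these notes, not code from any IDS product: a classifier that flags ICMP echo or UDP echo/chargen aimed at the local broadcast address, and that tracks fragments per (source, destination, IP ID) to spot an overlapping fragment. The LAN prefix and the packet records are constructed, and fragment offsets are expressed in bytes rather than the 8-byte units of the real IP header so the overlap arithmetic stays readable.

```python
"""Signature checks for smurf, fraggle and teardrop over packet records.

Added example for the notes; not from any IDS product. The LAN prefix and
the packet records are constructed; a real detector would decode them from
a capture. Fragment offsets are given in bytes here (the IP header field
counts 8-byte units) to keep the overlap arithmetic readable.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

LAN = ip_network("192.168.10.0/24")          # constructed
BROADCAST = LAN.broadcast_address            # 192.168.10.255
ECHO_REQUEST = 8                             # ICMP type used by ping
AMPLIFIER_PORTS = {7, 19}                    # UDP echo and chargen, the fraggle amplifiers


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str              # "icmp", "udp" or "tcp"
    dport: int = 0
    icmp_type: int = -1
    ip_id: int = 0
    frag_offset: int = 0    # byte offset of this fragment in the original datagram
    frag_len: int = 0       # payload bytes carried by this fragment
    more_frags: bool = False


def detect(packets: List[Pkt]) -> List[Tuple[str, str]]:
    """Returns (attack, detail) alerts in the order the offending packets appear."""
    alerts: List[Tuple[str, str]] = []
    seen: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = defaultdict(list)
    for p in packets:
        to_broadcast = ip_address(p.dst) == BROADCAST
        if to_broadcast and p.proto == "icmp" and p.icmp_type == ECHO_REQUEST:
            # Every host on the segment replies to the (spoofed) source: the victim.
            alerts.append(("smurf", f"ICMP echo to broadcast {p.dst}, replies will flood {p.src}"))
        elif to_broadcast and p.proto == "udp" and p.dport in AMPLIFIER_PORTS:
            alerts.append(("fraggle", f"UDP/{p.dport} to broadcast {p.dst}, replies will flood {p.src}"))
        if p.more_frags or p.frag_offset:
            key = (p.src, p.dst, p.ip_id)
            start, end = p.frag_offset, p.frag_offset + p.frag_len
            if any(start < e and s < end for s, e in seen[key]):
                alerts.append(("teardrop", f"overlapping fragment id={p.ip_id} [{start},{end}) from {p.src}"))
            seen[key].append((start, end))
    return alerts


# Constructed traffic: one benign ping, two amplification attempts, a cleanly
# fragmented datagram (id=1) and a teardrop-style overlapping fragment set (id=2).
SAMPLE = [
    Pkt("192.168.10.5", "192.168.10.20", "icmp", icmp_type=ECHO_REQUEST),
    Pkt("203.0.113.9", "192.168.10.255", "icmp", icmp_type=ECHO_REQUEST),
    Pkt("203.0.113.9", "192.168.10.255", "udp", dport=7),
    Pkt("198.51.100.4", "192.168.10.5", "udp", dport=53, ip_id=1, frag_offset=0, frag_len=1480, more_frags=True),
    Pkt("198.51.100.4", "192.168.10.5", "udp", ip_id=1, frag_offset=1480, frag_len=200),
    Pkt("198.51.100.4", "192.168.10.5", "udp", dport=53, ip_id=2, frag_offset=0, frag_len=1480, more_frags=True),
    Pkt("198.51.100.4", "192.168.10.5", "udp", ip_id=2, frag_offset=1000, frag_len=600),
]


def run_demo() -> List[Tuple[str, str]]:
    return detect(SAMPLE)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"[{kind}] {detail}")
```

The benign ping and the correctly fragmented datagram produce no alert; the second fragment of id=1 starts exactly where the first ends, while id=2's second fragment starts 480 bytes inside the first, which is the overlap a teardrop payload relies on.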
Network architecture
  security issue: the sheer volume of data that has to be inspected and logged
  VXLAN - MAC spoofing, DoS
  SDN - on-path (MITM) and DoS attacks against the controller; secure the control channel with TLS
Endpoint defense
  least privilege, backups, SIEM, application whitelisting (allow listing), file encryption, automated patching, restricting the use of removable media
  Endpoint detection and response (EDR) - evolution of antimalware, IDS, and host firewall solutions