The network layer is responsible for routing data across interconnected networks through logical addressing and packet encapsulation. It uses protocols like IP, ICMP, and routing protocols to determine the best path and encapsulate higher layer data into packets with a network header for transmission. Functions include routing, fragmentation and reassembly, and providing a logical addressing scheme independent of physical hardware addresses.

1. http://www.enterprisegrc.com
Networking and Communications Security – Network Architecture
Design Principles
CISSP Study Notes –
prepared by Robin Basham, CISSP, CISA, CRISC, CGEIT, CRP, VRP

2. http://www.enterprisegrc.com
Data Sources
All slides are a summary of information directly located in the study sources for the CISSP or
CISCO, Windows certified online technet training; The majority is directly summarized
CISSP® (ISC)2® Certified Information Systems Security Professional Official Study Guide
Seventh Edition CISSP Certified Information Systems Security Professional Study Guide,
7th Edition has completely been updated for the latest 2015 CISSP Body of Knowledge.
This Sybex Study Guide covers 100% of all exam objectives. You'll prepare for the exam
smarter and faster with Sybex thanks to expert content, real-world examples, advice on
passing each section of the exam, access to the Sybex online interactive learning
environment, and much more. Reinforce what you've learned with key topic exam
essentials and chapter review questions.
Coverage of all of the exam topics in the book means you'll be ready for Access Control,
Application Development Security, Business Continuity and Disaster Recovery Planning,
Cryptography, Information Security Governance and Risk Management, Legal,
Regulations, Investigations and Compliance, Operations Security, Physical
(Environmental) Security, Security Architecture and Design, and Telecommunications and
Network Security.
MGT414: SANS Training Program for CISSP Certification (A04_3877)
MGT414: SANS Training Program for CISSP Certification (A04_3877) The SANS Institute was established in 1989
as a cooperative research and education organization. Its programs now reach more than 165,000 security
professionals around the world. A range of individuals from auditors and network administrators, to chief
information security officers are sharing the lessons they learn and are jointly finding solutions to the challenges
they face. At the heart of SANS are the many security practitioners in varied global organizations from
corporations to universities working together to help the entire information security community.
SANS is the most trusted and by far the largest source for information security training and security
certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of
research documents about various aspects of information security, and it operates the Internet's early warning
system - the Internet Storm Center.

3. Remember the ISO Open System Interconnect OSI REFERENCE Model

4. http://www.enterprisegrc.com
Encapsulation
OSI Conceptually explains movement of information
• Process of moving information down the
stack and up the stack
• Each layer communicates with
corresponding layer just below in the
stack.
• Data encapsulation is the process in which
information from one packet is wrapped
around or attached to the data of another
packet.
OSI Layers - Encapsulation appends header footer across 7 layers
Strippingofftheheader

5. Protocols = data “language” managed generated here
 Application : HTTP, FTP, LPD, SMTP, Telnet, TFTP, EDI, POP3, IMAP,
SNMP, NNTP, S-RPC, and SET
 Presentation: Encryption protocols and format types, such as ASCII,
EBCDICM, TIFF, JPEG, MPEG, and MIDI
 Session: NFS, SQL, and RPC
 Transport: SPX, SSL, TLS, TCP, and UDP
 Network: ICMP, RIP, OSPF, BGP, IGMP, IP, IPSec, IPX, NAT, ARP and SKIP
 Data Link: SLIP, PPP, ARP, RARP, L2F, L2TP, PPTP, FDDI, ISDN
 Physical: EIA/TIA-232, EIA/TIA-449, X.21, HSSI, SONET, V.24, and V.35

6. Actual transmission across physical media
How do we hand off and what do we peel off?
SENDINGPROCESS
Encapsulation
Application (Layer 7) “data stream”
Presentation (layer 6) still “data stream”
Session (layer 5) still “data stream”
Transport (layer 4) becomes “segment” if
TCP “datagram” if UDP
Network (layer 3) becomes “packet”
Data link (layer 2) becomes a “frame”
Physical (layer 1) converted into “bits”
for transmission
Application (Layer 7) “data stream”
Presentation (layer 6) still “data stream”
Session (layer 5) still “data stream”
Transport (layer 4) becomes “segment” if
TCP “datagram” if UDP
Network (layer 3) becomes “packet”
Data link (layer 2) becomes a “frame”
Physical (layer 1) converted into “bits”
for transmission
AH DATA
DATA
PH AH DATA
SH PH AH DATA
TH SH PH AH DATA
TH SH PH AH DATANH
DH TH SH PH AH DATANH
DH TH SH PH AH DATANH
Client A -SENDING PROCESS Client B RECIEVING PROCESS
Application Protocol + Application Header
Presentation Layer Protocol + Header
Session Layer Protocol + Header
Transport Layer Protocol + Header
Network Layer Pro. + Header
Data Link Lay. Pro. + Hr
BITS
RECEIVINGPROCESS
De-Encapsulation-strippingofftheheader
DATA
-DH
-NH
-TH
-SH
-PH
-AH

7. Encapsulation
Encapsulation appends header footer across 7 layers
 OSI is the conceptual model, however, TCP/IP is the
implementation model.
TCP/IP
Is 4 Layer Implementation
of protocols
Application (Ap, Pre, Ses)
Transport (TCP) (Transport)
Internet IP (Network)
Network (Phys/Data)

8. TCP/IP DARPA or DOD model – example SSH
OSI TCP/IP Protocols Description
7 Application
Application Layer 4
HTTP SMTP
Consists of the applications and processes
that use the network.
6 Presentation
5 Session
4 Transport
Transport Layer 3
Host to Host
TCP and UDP
Provides end-to-end data delivery service to
the Application Layer.
3 Network Internet Layer 2
IP IPv4 IPv6 ICMP ICMPv6 ECN IGMP
IPSec, ARP, RARP
Defines the IP datagram and handles the
routing of data across networks.
2 Data link
Link Layer 1
Network Access
ARP NDP OSPF Tunnels L2TP PPP MAC
Ethernet DSL ISDN FDDI
Consists of routines for accessing physical
networks and the electrical connection.
1 Physical

9. TCP/IP DARPA or DOD model = Internet protocol suite
Application layer includes protocols from the Application Layer of the Internet
Protocol Suite as well as the protocols of OSI Layer 7. The Application Layer of
the Internet Protocol Suite includes Session Layer protocols and Presentation
Layer protocols from OSI.
 BGP DHCP DNS FTP HTTP IMAP LDAP MGCP NNTP NTP POP ONC/RPC RTP
RTSP RIP SIP SMTP SNMP SSH Telnet TLS/SSL XMPP
Transport layer is a conceptual division of methods in the layered architecture
of protocols in the network stack in the Internet Protocol Suite and the Open
Systems Interconnection (OSI). The protocols of the layer provide host-to-host
communication services for applications. It provides services such as
connection-oriented data stream support, reliability, flow control, and
multiplexing.
 TCP UDP DCCP SCTP RSVP

10. TCP/IP DARPA or DOD model = Internet protocol suite
Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol
suite that are used to transport datagrams (packets) from the originating host across network boundaries, if
necessary, to the destination host specified by a network address (IP address) which is defined for this
purpose by the Internet Protocol (IP). The internet layer derives its name from internetworking, which is the
concept of connecting multiple networks with each other through gateways.
Internet-layer protocols use IP-based packets. The internet layer does not include the protocols that define
communication between local (on-link) network nodes which fulfill the purpose of maintaining link states
between the local nodes, such as the local network topology, and that usually use protocols that are based on
the framing of packets specific to the link types. Such protocols belong to the link layer.
A common design aspect in the internet layer is the robustness principle: "Be liberal in what you accept, and
conservative in what you send“ as a misbehaving host can deny Internet service to many other users.
 IP IPv4 IPv6 ICMP ICMPv6 ECN IGMP IPsec
Link layer
 ARP NDP OSPF Tunnels L2TP PPP MAC Ethernet DSL ISDN FDDI

11. Encapsulation
Hardware changes across 7 layers
Don’t confuse TCP/IP
Implementation model organizing as:
Application (Ap, Pre, Ses) - Transport (TCP) (Transport) - Internet IP
(Network) - Network (Phys/Data)
802.1x NAC layer 2 authentication
Unknown system connects to 802.1x enabled
port – Extensible Authentication Protocol over
LAN EAPOL can pass but TCP and UDP are
blocked. Local 802.x software authenticates
client supplicant. Authenticator running on
switch negotiates EAP, passing supplied
credentials to RADIUS or DIAMETER

12. Application Data Stream – Application specific
protocols
 Security: Confidentiality,
authentication, data integrity, non-
repudiation
 Technology: gateways
 Protocols: FTP, SMB, TELNET, TFTP,
SMTP, HTTP, NNTP, CDP, GOPHER,
SNMP, NDS, AFP, SAP, NCP, SET
Application is
protocols responsible
for interfacing or
transmitting files,
message exchange,
connect to remote
terminals.
TCP/IP
Application Layer 4

13. Do not set your
credit card on a
server and
leave it out on
the application
layer
Application specific protocols LAYER 7 PROTOCOLS
LAYER 7 PROTOCOLS
 Hypertext Transfer Protocol HTTP 80
 SECURE Hypertext Transfer Protocol HTTPS 443
 File Transfer Protocol FTP 20/21
 Line Print Daemon LPD
 Simple Mail Transfer Protocol SMTP 25
 Telecommunications Network Protocol Telnet 23
 Trivial File Transfer Protocol TFTP
 Electronic Data Interchange EDI
 Post Office Protocol V3 POP3
 Internet Message Access Protocol IMAP
 Simple Network Management Protocol SNMP
 Network News Transport Protocol NNTP
 Secure Remote Procedure Call S-RPC
 Secure Electronic Transaction SET
 Session Initiation Protocol SIP
 Server Message Block Protocol SMB
Application is protocols responsible
for interfacing or transmitting files,
message exchange, connect to remote
terminals.
TCP/IP
Application Layer 4

14. Presentation Layer 6 - Machine Dependent 2 Machine
Independent format – File and Data
EBDIC to ASCII Encryption
Compression; Extended Binary Coded Decimal
Interchange Code (EBCDIC) is an 8-bit character
encoding used mainly on IBM mainframe and IBM
midrange computer operating systems.
How data may enter the network
TCP/IP
Application Layer 4

15. Presentation Layer 6 - Takes Machine Dependent Info
2 Machine Independent format – file and data
Security: confidentiality,
authentication,
encryption
Technology: gateway
Protocols: ASCII,
EBCDIC, POSTSCRIPT,
JPEG, MPEG, GIF
How data may
enter the
network
LAYER 6 PROTOCOLS
• American Standard Code For Information
Interchange ASCII
• Extended Binary Coded Decimal Interchange Mod
EBCDICM
• Tagged Image File Format TIFF
• Joint Photographic Experts Group JPEG
• Moving Pictures Experts Group MPEG
• Musical Instrument Digital Interface MIDI
TCP/IP
Application Layer 4

16. Session layer 5 formats data for transfer
Sets up links, maintains the link, and link tear-down between
applications
TCP/IP
Application Layer 4

17. Session layer 5 formats data for transfer
LAYER 5 PROTOCOLS
 Network File System NFS
 Structured Query Language SQL
 Remote Procedure Call RPC
 RADIUS (using L4 UDP) TACACS (using L4 TCP)
 Responsible for the setup of the links, maintaining of the link, and the link tear-down between applications.
TCP/IP
Application Layer 4
(includes Application,
Presentation and
Session)

18. Transport layer 4
Ensures end to end
delivery; addressing
Security: Confidentiality,
authentication, integrity
Technology: gateways
Protocols: TCP, UDP, SSL, SSH-2,
SPX, ATP.
Responsible for the guaranteed
delivery of user information. It is
also responsible for error
detection, correction, and flow
control. User information at this
layer is called datagrams.
TCP/IP
Transport Layer 3
Host to Host (TCP/UDP)

19. Introduction to Transport Layer 4
TCPIP Joke – Syn Synack Ack 3 Way
TCP/IP
Internet Layer 2
IP, ARP, RARP, ICMP
Datagrams

20. Transport layer 4
LAYER 4 PROTOCOLS
• Transmission Control Protocol TCP
• User Datagram Protocol UDP
• Secure Socket Layer SSL
• Transport Layer Security TLS
• Secure Shell + SFTP Protocol SSH-2*
• Sequenced Packet Exchange SPX
• Stream Control Transmission Protocol
SCTP
• AppleTalk Transaction Protocol ATP
• Fiber Channel Protocol FCP
• Reliable Datagram Protocol RDP
• Security: Confidentiality, authentication,
integrity
• Technology: gateways
• * The program SSH (Secure Shell)
provides an encrypted channel for
logging into another computer over a
network, executing commands on a
remote computer, and moving files from
one computer to another. SSH provides
strong host-to-host and user
authentication as well as secure
encrypted communications over the
Internet. SSH2 is a more secure,
efficient, and portable version of SSH
that includes SFTP, which is functionally
similar to FTP, but is SSH2 encrypted.
TCP/IP
Transport Layer 3
Host to Host (TCP/UDP)

21. Network Layer 3 - Packets
Based on routing tables, Routs this package according to
shortest or best path
Security: confidentiality,
authentication, data integrity
Technology: virtual circuits (ATM),
routers
Protocols: IP, IPX, ICMP, OSPF, IGRP,
EIGRP, RIP, BOOTP, DHCP, ISIS, ZIP,
DDP, X.25
Responsible for the routing of user
data from one node to another
through the network including the
path selection. Logical addresses are
used at this layer. User information
maintained at this layer is called
packets.
TCP/IP
Internet Layer 2
IP, ARP, RARP, ICMP
Datagrams

22. Just give me the &*() address and
I’ll pick the shortest path.
Just make sure its fast, secure, and we get their in one piece.
And I’ll tell you if we’re lost mister.
Security: confidentiality,
authentication, data integrity
Technology: virtual circuits (ATM),
routers
Network: Distance Vector DV and Link State LS Routing Protocols
LAYER 3 PROTOCOLS
• Internet Protocol IP
• Routing Information Protocol RIP DV
• Network Address Translation NAT
• Internet Protocol Security IPSec
• Internet Packet Exchange IPX
• Internet Control Message Protocol ICMP
• Open Shortest Path first Protocol OSPF LS
• Internet Gateway Routing Protocol IGRP DV
• Border Gateway Protocol BGP path
• Enhanced Interior Gateway Protocol EIGRP
• Routing Information Protocol RIP DV
• Bootstrap Protocol BOOTP
• Dynamic Host Configuration Protocol DHCP
• Intermediate System - Intermediate System ISIS
• Zone Information Protocol ZIP
• Distributed Data Protocol DDP
• X.25 Protocol - ITU-T standard protocol suite for
packet switched wide area network (WAN)
communication. An X.25 WAN consists of packet-
switching exchange (PSE) nodes as the
networking hardware, and leased lines, plain old
telephone service connections or
ISDN connections as physical links.
• NON IP PROTOCOLS: IPX, AppleTalk, NetBEUI aka
NetBios
TCP/IP
Internet Layer 2
IP, ARP, RARP, ICMP
Datagrams

23. Network Layer 3 Functions
 Logical Addressing: a logical address, sometimes called a layer three address. On the Internet, the Internet Protocol (IP)
is the network layer protocol and every machine has an IP address.
 Addressing is done at the data link layer as well, but those addresses refer to local physical devices. In contrast, logical addresses are
independent of particular hardware and must be unique across an entire internetwork.
 Routing: Moving data across a series of interconnected networks, it is the job of the devices and software routines that
function at the network layer to handle incoming packets from various sources, determine their final destination, and
figure out where they need to be sent to get them where they are supposed to go
 Datagram Encapsulation: The network layer normally encapsulates messages received from higher layers by placing
them into datagrams (also called packets) with a network layer header.
 Fragmentation and Reassembly: The network layer must send messages down to the data link layer for transmission.
Some data link layer technologies have limits on the length of any message that can be sent. If the packet that the
network layer wants to send is too large, the network layer must split the packet up, send each piece to the data link
layer, and then have pieces reassembled once they arrive at the network layer on the destination machine. A good
example is how this is done by the Internet Protocol.
 Error Handling and Diagnostics: Special protocols are used at the network layer to allow devices that are logically
connected, or that are trying to route traffic, to exchange information about the status of hosts on the network or the
devices themselves.
TCP/IP
Internet Layer 2
IP, ARP, RARP, ICMP, Datagrams
(paraphrased from http://www.tcpipguide.com/free/t_NetworkLayerLayer3.htm

24. Data Link Layer 2
Security: confidentiality,
Technology: bridges, switch
Protocols: L2F, PPTP, L2TP, PPP, SLIP, ARP,
RARP, SLARP, IARP, SNAP, BAP, CHAP, LCP, LZS,
MLP, Frame Relay, Annex A, Annex D, HDLC,
BPDU, LAPD, ISL, MAC, Ethernet, Token Ring,
FDDI (protocol, not media)
TCP/IP
Link Layer 1
Network Access
routines for accessing
physical networks and
the electrical connection

25. Data Link Layer 2 - frames
LAYER 2 PROTOCOLS
 Medium Access Control Protocol MAC
 Ethernet, Token Ring, StarLan
 Spanning Tree Protocol STP using BPDU
 Fiber Distributed Data Interface FDDI
 Layer 2 Forwarding Protocol L2F
 Point to Point Tunneling Protocol PPTP
 Layer 2 Tunneling Protocol L2TP
 Link Control Protocol LCP forms part PPP
 Point to Point Protocol PPP
 Address Resolution Protocol ARP
 Reverse Address Resolution Protocol RARP
 Serial Line Address Resolution Protocol
SLARP
 Protocol IARP
 Protocol SNAP
 Protocol BAP
 Challenge handshake authentication
Protocol CHAP RFC 1994
 LZS-DCP Compression Protocol LZS
 Integrated Services Digital Network Protocol
ISDN
 Asynchronous Transfer Mode ATM
 Protocol Frame Relay
 High Level Data Link Control HDLC
 Synchronous Data Link Control SDLC
 Link Access Procedures, D channel Protocol
LAPD
 Protocol ISL
Responsible for the physical addressing of the network via MAC addresses. There
are two sublevels to the Data-Link layer. MAC and LLC. The Data-Link layer has
error detection, frame ordering, and flow control. User information maintained at
this layer is called frames.
TCP/IP
Link Layer 1 Network Access - routines for accessing physical
networks and the electrical connection

26. How 802.1x authentication works
 Three-component architecture features a supplicant, access device (switch, access point)
and authentication server (RADIUS). This architecture leverages the decentralized access
devices to provide scalable, but computationally expensive, encryption to many supplicants
while at the same time centralizing the control of access to a few authentication servers.
This latter feature makes 802.1x authentication manageable in large installations.
 When EAP is run over a LAN, EAP packets are encapsulated by EAP over LAN (EAPOL)
messages. The format of EAPOL packets is defined in the 802.1x specification. EAPOL
communication occurs between the end-user station (supplicant) and the wireless access
point (authenticator). The RADIUS protocol is used for communication between the
authenticator and the RADIUS server.
 The authentication process begins when the end user attempts to connect to the WLAN.
The authenticator receives the request and creates a virtual port with the supplicant. The
authenticator acts as a proxy for the end user passing authentication information to and
from the authentication server on its behalf. The authenticator limits traffic to
authentication data to the server.

27. What are the steps in negotiation?
1. The client may send an EAP-start message.
2. The access point sends an EAP-request identity message.
3. The client's EAP-response packet with the client's identity is "proxied" to the
authentication server by the authenticator.
4. The authentication server challenges the client to prove themselves and may send its
credentials to prove itself to the client (if using mutual authentication).
5. The client checks the server's credentials (if using mutual authentication) and then
sends its credentials to the server to prove itself.
6. The authentication server accepts or rejects the client's request for connection.
7. If the end user was accepted, the authenticator changes the virtual port with the end
user to an authorized state allowing full network access to that end user.
8. At log-off, the client virtual port is changed back to the unauthorized state.

28. Physical Layer 1
Herearemy
Rawbinarydata
Repeaters – amplify signal, no
added intelligence, no filtering –
Hubs – used to connect multiple
LAN devices, no added
intelligence
Give me your
bits
TCP/IP
Link Layer 1
Network Access
routines for accessing physical networks
and the electrical connection
Fiber Distributed Data Interface – FDDI - Dual token ring LAN at 100 MBps on Fiber
Copper Distributed Data Interface - CDDI – can be used with UTP cable but subject to
interference and length issues associated with Copper.

29. Physical Layer 1 Protocols
LAYER 1 PROTOCOLS
The Physical Layer receives data from the data link Layer and
transmits it to the wire. The physical layer controls the electrical and
mechanical functions related to the transmission and receipt of a
communications signal including encoding and decoding of data
contained within the modulated signal.
Note that for two devices to communicate, they must be connected
to the same type of physical medium (wiring). 802.3 Ethernet to
802.3 Ethernet, FDDI to FDDI, serial to serial etc.
 RS-232 (Recommend Standard number 232) is standard
communication protocol for linking computer and its peripheral
devices to allow serial data exchange RS232
 Synchronous Optical Network SONET
 High-Speed Serial Interface HSSI used between devices that are
within fifty feet of each other and achieves data rates up to
52 Mbps
 Interface specification for differential communications, X.21 a 15-
pin D-Sub connector running full-duplex data transmissions. X.21
 Digital subscriber line DSL
 Integrated Services Digital Network (ISDN)
 EIA-422, EIA-423, RS-449, RS-485
 10BASE-T, 10BASE2, 10BASE5, 100BASE-TX, 100BASE-FX, 100BASE-
T, 1000BASE-T, 1000BASE-SX
TCP/IP
Link Layer 1
Network Access
routines for accessing physical networks and the electrical
connection

30. OSI Security - 6 Security Services
A security service is a collection of security mechanisms, files,
and procedures that help protect the network.
 Authentication
 Access control
 Data confidentiality
 Data integrity
 Non-repudiation
 Logging and monitoring

31. OSI Security - 8 Security Mechanisms
A security mechanism is a control that is implemented in
order to provide the 6 basic security services.
 Encipherment
 Digital signature
 Access Control
 Data Integrity
 Authentication
 Traffic Padding
 Routing Control
 Notarization

32. Insecure TCP/IP Protocols Telnet, FTP, TFTP, SMTP
 Telnet
 File Transfer Protocol – FTP Port 20/21
 Trivial File Transfer Protocol
 Simple Mail Transfer Protocol - SMTP
http://map.norsecorp.com/

33. Multi-layer Protocol
 DNP3 Distributed Network Protocol – open protocol
that supports the Smart Grid computing
 Provides interoperability between vendor SCADA
systems
 IEEE standard 2010
 IEEE 1815-2012 is current standard and supports PKI

34. Software Defined Networks SDN
 Isolates control plane from data plane
 Control plane: data sent to/from a router such as protocol updates
OSPF BGP
 Data plane: data sent through router, such as routed packets
 Routing decisions are made remotely
 The open source OpenFlow protocol is used for remote management
of data plane in Software Defined Networks
 OpenFlow is a TCP protocol that uses TLS encryption

35. Content Distribution Networks
Improves performance and availability by bringing data closer to
users
 Also called Content Delivery Networks
 Uses a series of distributed caching servers
 Determines servers closest to end user
Notable CDNs include Akamai, Amazon CoudFront and CloudFlare
 Many ISPs are also CDNs

36. • transport segment from sending to receiving
host
• on sending side encapsulates segments into
datagrams
• on rcving side, delivers segments to transport
layer
• network layer protocols in every host, router
• Router examines header fields in all IP
datagrams passing through it
Circuit vs. Packet Switching

37. http://www.enterprisegrc.com
Remote Access and Secure Communications
Channels

38. IPSec IETF open standard RFC 2401 (Layer 3)
 Enables encrypted communication between users and devices
 Implemented transparently into network infrastructure
 Scales
 Commonly implemented (most VPN are IPSec compliant)

39. Type of VPN
 Client to site VPN (Transport)
Encrypts the DATA
 Example: Laptop dial up connection to
remove access server at HQ
 Site to site VPN (Tunnel) Encrypts
the entire packet
 Example: L.A. office connection to D.C.
office location
Tunnel means
encrypt the
entire packet
Transport
means encrypt
the data

40. Encryption can stop us from seeing our adversary
 Bypassing firewalls, IDS, virus scanners, web filters
 Trusting the other end – home and bad actors
 Encrypted content prevents eavesdropping but
prevent Intrusion Detection Systems IDS from seeing
outbound malicious content.

41. Types of IPSec Headers
AH - Data Integrity
No modification of
data in transit
Origin authentication:
Identifies where data
originated; non
repudiation, integrity
and authentication
No Confidentiality
ESP - Data Integrity
No modification of
data in transit
Origin
authentication:
Identifies where
data originated
Confidentiality: All
data encrypted
AHAuthenticationHeader
EncapsulationSecurityPayloadESP

42. IPSec site between Layer 3 and 4
 Layer 4 and higher is encrypted
 ESP in transport mode impacts the firewall
 You can only do layer 3 filtering
 In tunnel mode, source and destination are private addresses, so are un-routable – has
to be tunneled over the internet

43. Remote Access Security Management
 Securing external connections VPNs SSL SSH
 Data Access, screen scrapers, virtual desktops
 Remote-access authentication systems (Radius and TACACS)
 Remote node authentication protocols such as PAP and CHAP
 A password authentication protocol (PAP) is an authentication
protocol that uses a password.
 PAP is used by Point to Point Protocol to validate users before allowing
them access to server resources. Almost all network operating system
remote servers support PAP.

44. BAGN – 802.11 Wireless
 802.11 supports infrared and Radio Frequency (FHSS and
DSSS)
 B + G only 2.4 GHZ
 B approved first was only 11 Mbps, then everything else is 54
till n at 144
 Only N can have either 2.4 or 5 and is what is see today

45.  Digital Signal Level 0 (DS-0) Partial T1; 64 Kbps up to 1.544 Mbps
 Digital Signal Level 1 (DS-1) T1; 1.544 Mbps
 Digital Signal Level 3 (DS-3) T3; 44.736 Mbps
 European digital transmission format 1 El; 2.108 Mbps
 European digital transmission format 3 E3; 34.368 Mbps
 Cable modem or cable routers 10+ Mbps

46. Firewalls
 Packet filtering
 Stateful
 Proxy
 Next Generation Firewalls
(NGFW)

47. Firewall Topologies-
"Where should the firewall be placed?"
 Bastion host
 Screened subnet
 Dual-firewall architectures
The next decision to be made, after the topology
chosen, is where to place individual firewall
systems in it. At this point, there are several
types to consider, such as bastion host, screened
subnet and multi-homed firewalls.

48. Packet Filtering Firewalls - physical, data-link and network
 Examines each packet independently and determines whether packets
should pass or be dropped
 Has no idea of what traffic came before it
 Very fast, but not very secure
 Referred to as access control lists (ACL) on some devices
 Several types of attacks can be used to bypass these firewalls. Packet filtering
firewalls complement detailed defense in depth policies
 Effective at layer 3, ineffective at layer 4
 Because they treat each packet in isolation, this makes them vulnerable to
spoofing attacks and also limits their ability to make more complex decisions
based on what stage communications between hosts are at.

49. NGFW Next Gen Firewall
 Replacing Stateful Inspection SI at each hardware refresh cycle
 They should compliment, not replace

50. Network layer firewalls
 Makes decisions based on the source address, destination
address and ports in individual IP packets. A simple router is the
traditional network layer firewall, since it is not able to make
particularly complicated decisions about what a packet is
actually talking to or where it actually came from.
 One important distinction many network layer firewalls possess
is that they route traffic directly through them, which means in
order to use one, you either need to have a validly assigned IP
address block or a private Internet address block. Network layer
firewalls tend to be very fast and almost transparent to their
users.

51. Proxy Firewall - Application layer firewalls
 Application layer firewalls are hosts that run proxy servers,
which permit no traffic directly between networks, and they
perform elaborate logging and examination of traffic passing
through them. Since proxy applications are simply software
running on the firewall, it is a good place to do logging and
access control. Application layer firewalls can be used as
network address translators, since traffic goes in one side and
out the other after having passed through an application that
effectively masks the origin of the initiating connection.
 Application layer firewalls offer Layer 7 security on a more
granular level, and may even help organizations get more out of
existing network devices.

52. Host Based Firewalls
 Host Based Firewalls are software that runs on protected host
 Additional defense in depth layer when combined with network
firewalls
 Examples include:
 Windows Firewall
 IPtables (Linux/Unix)
 IPFilter(Linux/Unix)
 Application Firewall (Mac OS X)
 McAfee Personal Firewall (Mac OS X)
 ZoneAlarm (Windows)

53. Stateful Packet Inspection Firewall
 Keeps a state table of all traffic
going across the network
 Uses the state table to determine
whether a packet should pass or
be dropped
 More secure, but slower than a
packet filtering firewall

54. Network Intrusion Protection System NIPS and Network
Intrusion Detection System NIDS
 NIPS hardware and software systems that protect computer networks from
unauthorized access and malicious activity.
-hardware: dedicated Network Intrusion Detection System (NIDS) device, an Intrusion
Prevention System (IPS), or a combination of the two such as an Intrusion Prevention
and Detection System (IPDS).
 NIDS can only detect intrusions
 IPS can pro-actively stop an attack by following established rules, such as changing
firewall settings, blocking particular Internet protocol (IP) addresses or dropping
certain packets entirely.

55. Network Intrusion Protection System NIPS and Network
Intrusion Detection System NIDS
 The software firewall, sniffer and antivirus tools, dashboards and
other data visualization tools.
NIPS continually monitors networks for abnormal traffic patterns,
generate event logs, alerting system administrators to significant
events and stopping potential intrusions when possible.
 NIPS are useful for internal security auditing and provide
documentation for compliance regulations.
 NIPS is part of a layered combination of security systems working
together is necessary to protect computer networks from
compromise.
 A NIPS in some form is vital for any computer network that can be
accessed by unauthorized persons.
 Computers holding sensitive data always need protection; however,
even seemingly insignificant networks can be hijacked for use
in botnet attacks.

56. Kerberos Ticket authentication mechanism
 Kerberos offers a single sign-on solution for users and provides protection for
logon credentials. The current version, Kerberos 5, relies on symmetric-key
cryptography (also known as secret-key cryptography) using the Advanced
Encryption Standard (AES) symmetric encryption protocol. Kerberos provides
confidentiality and integrity for authentication traffic using end-to-end
security and helps prevent against eavesdropping and replay attacks. It uses
several different elements that are important to understand:
 Key Distribution Center The key distribution center (KDC) is the trusted third
party that provides authentication services. Kerberos uses symmetric-key
cryptography to authenticate clients to servers. All clients and servers are
registered with the KDC, and it maintains the secret keys for all network
members.

57. Kerberos Ticket authentication mechanism
 Kerberos Authentication Server The authentication server hosts the functions of the
KDC:
 a ticket-granting service (TGS), and an authentication service (AS). However, it is possible to host the
ticket-granting service on another server. The authentication service verifies or rejects the
authenticity and timeliness of tickets. This server is often called the KDC.
 Ticket-Granting Ticket (TGT) provides proof that a subject has authenticated through
a KDC and is authorized to request tickets to access other objects.
 A TGT is encrypted and includes a symmetric key, an expiration time, and the user’s IP address.
Subjects present the TGT when requesting tickets to access objects.
 Ticket A ticket is an encrypted message that provides proof that a subject is
authorized to access an object. It is sometimes called a service ticket (ST).
 Subjects request tickets to access objects, and if they have authenticated and are authorized to access
the object, Kerberos issues them a ticket. Kerberos tickets have specific lifetimes and usage
parameters. Once a ticket expires, a client must request a renewal or a new ticket to continue
communications with any server.
https://www-01.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.nd.doc/info/ae/ae/csec_kerb_auth_explain.html

58. http://www.enterprisegrc.com
The Kerberos logon process works as follows:
1. The user types a username and password into the client.
2. The client encrypts the username with AES for transmission to the KDC.
3. The KDC verifies the username against a database of known credentials.
4. The KDC generates a symmetric key that will be used by the client and
the Kerberos server. It encrypts this with a hash of the user’s password.
The KDC also generates an encrypted time-stamped TGT.
5. The KDC then transmits the encrypted symmetric key and the encrypted
time-stamped TGT to the client.
6. The client installs the TGT for use until it expires. The client also decrypts
the symmetric key using a hash of the user’s password.
Kerberos is a versatile authentication mechanism that works over local LANs, remote access, and
client-server resource requests. However, Kerberos presents a single point of failure—the KDC. If the
KDC is compromised, the secret key for every system on the network is also compromised. Also, if a
KDC goes offline, no subject authentication can occur.
https://technet.microsoft.com/en-us/library/bb463152.aspx

59. Client wants to access an object, such as a resource hosted on
the network, it must request a ticket through the Kerberos
server
1. The client sends its TGT back to the KDC with a request for access to
the resource.
2. The KDC verifies that the TGT is valid and checks its access control
matrix to verify that the user has sufficient privileges to access the
requested resource.
3. The KDC generates a service ticket and sends it to the client.
4. The client sends the ticket to the server or service hosting the
resource.
5. The server or service hosting the resource verifies the validity of the
ticket with the KDC.
6. Once identity and authorization is verified, Kerberos activity is
complete. The server or service host then opens a session with the
client and begins communications or data transmission.
It also has strict time requirements and the default
configuration requires that all systems be time-
synchronized within five minutes of each other. If a
system is not synchronized or the time is changed, a
previously issued TGT will no longer be valid and the
system will not be able receive any new tickets. In
effect, the client will be denied access to any
protected network resources.
https://technet.microsoft.com/en-us/library/bb463152.aspx

60. Ports that are important to spot visually as their number
 Telnet, TCP Port 23 This is a terminal emulation network application that supports remote
connectivity for executing commands and running applications but does not support transfer of fi les.
 File Transfer Protocol (FTP), TCP Ports 20 and 21 This is a network application that supports an
exchange of fi les that requires anonymous or specific authentication.
 Trivial File Transfer Protocol (TFTP), UDP Port 69 This is a network application that supports an
exchange of fi les that does not require authentication.
 Simple Mail Transfer Protocol (SMTP), TCP Port 25 This is a protocol used to transmit email messages
from a client to an email server and from one email server to another.
 Post Office Protocol (POP3), TCP Port 110 This is a protocol used to pull email messages from an
inbox on an email server down to an email client.
 Internet Message Access Protocol (IMAP), TCP Port 143 This is a protocol used to pull email messages
from an inbox on an email server down to an email client. IMAP is more secure than POP3 and offers
the ability to pull headers down from the email server as well as to delete messages directly off the
email server without having to download to the local client first.
 Dynamic Host Configuration Protocol (DHCP), UDP Ports 67 and 68 DHCP uses port 67 for server
point-to-point response and port 68 for client request broadcasts. It is used to assign TCP/IP
configuration settings to systems upon bootup. DHCP enables centralized control of network
addressing.

61. Ports that are important to spot visually as their number
 Hypertext Transport Protocol (HTTP), TCP Port 80 This is the protocol used to transmit web page
elements from a web server to web browsers.
 Secure Sockets Layer (SSL), TCP Port 443 (for HTTP Encryption) This is a VPN-like security
protocol that operates at the Transport layer. SSL was originally designed to support secured web
communications (HTTPS) but is capable of securing any Application layer protocol
communications.
 Line Print Daemon (LPD), TCP Port 515 This is a network service that is used to spool print jobs
and to send print jobs to printers.
 X Window, TCP Ports 6000–6063 This is a GUI API for command-line operating systems.
 Bootstrap Protocol (BootP)/Dynamic Host Configuration Protocol (DHCP), UDP Ports 67 and 68
This is a protocol used to connect diskless workstations to a network through auto assignment of
IP configuration and download of basic OS elements. BootP is the forerunner to Dynamic Host
Configuration Protocol (DHCP).
 Network File System (NFS), TCP Port 2049 This is a network service used to support file sharing
between dissimilar systems.
 Simple Network Management Protocol (SNMP), UDP Port 161 (UDP Port 162 for Trap
Messages) This is a network service used to collect network health and status information by
polling monitoring devices from a central monitoring station.