• We are all IT people. IT people google stuff. When I ask a question, if you don’t know the answer, google it and share what you find. (What alternatives to google do you guys use?)
• I don’t know everything, but I try to act as if I do by attempting to portray modest confidence (does that even make sense?). Fact check what I say. If I am wrong, please correct me and let’s discuss. Please try to change my point of view.
• The true wise person has more questions than answers. Ask in this forum, get us all talking.
• Please, please, pretty please don’t allow me to talk at you for hours on a Saturday. Let’s talk about stuff and learn from each other.
• If you are non‐technical and have a different point of view, share it. We can all benefit from your perspective.
• Take notes of things you DON'T know or that completely confuse you, then research those things.
• There will be areas of this domain that I just… don’t know well. Yet, I passed the exam.
• Pearson Vue near LV Blvd & D.I.
• Did not allow studying in the waiting room
• Had me put all of my belongings in a locker
• I'm really not sure how it would have worked if I needed to go to the restroom
• Computer-based exam
• Kiosk-type screen
• Erasable dry erase notepad with dry erase marker
• Could exchange the notepad for a new one, but only have one at a time
• The test program had a built-in calculator and a note section for each question
• There was a clock in the room, and an attendant who could see every screen
• There was a camera above that I guess could see everything I did
• There were headphones for noise cancellation
• Questions were multiple choice
• Some questions were grouped together, i.e. 2-3 questions for one scenario
• They didn't tell me whether or not I passed, just handed me a sheet, and the sheet had the results. No score, just "pass".
The communication and network security domain encompasses the network architecture, transmission methods, transport protocols, control devices, and the security measures used to maintain the confidentiality, integrity and availability of information transmitted over both private and public communication networks
• Upon completion of this review class:
– OSI & TCP/IP models
– Network topologies
– Basic protocols
– IP addressing & NAT
– Firewall architectures
– Wireless
– Endpoint security
– Network attacks
– Cryptology (SSL/TLS)
• Structures
– Personal Area Network (PAN)
– Wireless Personal Area Network (WPAN)
– Local Area Network (LAN)
– Metropolitan Area Network (MAN)
– Campus Area Network (CAN)
– Wide Area Network (WAN)
– Internet
– Intranet
– Extranet
• Network components
– Servers, mainframes
– File servers
– Workstations
– Network Interface Card (NIC)
– Network Operating Systems (NOS)
– Hub/Concentrator/Repeater, Bridges, Switches (Layer 2, 3, 4), Routers
– Physical cabling
– Wireless
Agenda: OSI and TCP/IP models; Networking: Cables, Topology, LAN, WAN; Remote Access, Wireless, Endpoint; Firewall, NAT, VPN; Disaster Prep, Security Issues; LAB
• Open Systems Interconnection (OSI)
– 7 layers (4 layers in the TCP/IP model)
– Provides guidelines, not an implementation
– Each layer interacts only with the layer directly above or below it
– Data encapsulation: each layer wraps the data handed down from the layer above with its own header
• Protocol
– A protocol is a standard set of rules that determine how systems will communicate across networks. Two different systems can communicate and understand each other because they use the same protocols in spite of their differences. (Shon Harris)
RFC 1149, "Frame Format" (April 1, 1990): The IP datagram is printed, on a small scroll of paper, in hexadecimal, with each octet separated by whitestuff and blackstuff. The scroll of paper is wrapped around one leg of the avian carrier. A band of duct tape is used to secure the datagram's edges. The bandwidth is limited to the leg length. The MTU is variable, and paradoxically, generally increases with increased carrier age. A typical MTU is 256 milligrams. Some datagram padding may be needed. Upon receipt, the duct tape is removed and the paper copy of the datagram is optically scanned into an electronically transmittable form.
www.faqs.org/rfcs/rfc1149.html
TCP/IP model layers (RFC 1122, http://tools.ietf.org/html/rfc1122): the Host-to-Host layer is aka the Transport layer; the Network Access layer is aka the Link layer.
Reference: Miller, Lawrence, (2012), CISSP for Dummies, Wiley
• Examples of protocols by OSI layer
– Application: WWW/HTTP, FTP, TFTP, LPD, SMTP, DNS
– Presentation: data formats such as TIFF, JPEG, MPEG
– Session: NFS, SQL, RPC
– Transport: TCP, UDP, SPX
– Network: IP, ICMP, RIP, OSPF
– Data Link: ARP, SLIP, PPP
– Physical: EIA/TIA (e.g. EIA/TIA-232), X.21, High-Speed Serial Interface (HSSI)
* http://www.tcpipguide.com/free/t_TCPIPProtocols.htm
• TCP/IP model
– Application Layer: corresponds to the top three OSI layers (Application, Presentation, Session)
– Host-to-Host Layer (aka Transport): TCP, UDP
– Internet Layer: IP, ARP, RARP, ICMP
– Network Access Layer (aka Link Layer): equivalent to OSI's Data Link and Physical layers
• TCP (mnemonic: SURF PA)
– Reliable, connection-oriented, full-duplex, virtual circuit (3-way handshake)
– Very costly and slower due to network
SV-ISSA.ORG CISSP Training
• UDP
– "Best effort" delivery (unreliable)
– Connectionless: no sequencing, no virtual circuit, does not contact the destination before delivering data
– Faster than TCP due to low overhead
What's the best part of a UDP joke?
• TCP vs. UDP
• Protocol data unit (PDU) by layer:
Layer          Data unit
Application    Data stream
Presentation   Data stream
Session        Data stream
Transport      Segment (TCP) / Datagram (UDP)
Network        Packet
Data Link      Frame
Physical       Bits
• Internet Layer protocols
– Internet Protocol (IP)
» Defines the packet, the basic unit of transmission on the Internet
» Logical ID called an IP address (32-bit IPv4, 128-bit IPv6)
– Address Resolution Protocol (ARP): have IP address, want Ethernet (MAC) address
– Reverse Address Resolution Protocol (RARP): have MAC address, want IP address; sometimes used to boot diskless machines onto the network
• Other protocols: Telnet, FTP, TFTP, SMTP, LPD, SNMP, BOOTP
• Dynamic Host Configuration Protocol (DHCP)
– Distributes network configuration parameters such as IP address and DNS servers
– Manages a pool of addresses
– Extension of BOOTP
– DORA: Discover, Offer, Request, Acknowledge
– UDP 67 on the server, UDP 68 on the client
• Domain Name System (DNS)
– Maps domain names like example.com to IP addresses like 192.168.1.3
– Hierarchical, from the TLD down
– UDP 53 and TCP 53
– Caches results
– Many record types: A, CNAME, MX, NS, PTR, TXT
Note (Steve Bonilla, 2/12/2017): Are all these record types handled by the same entity? Hint: PTR.
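The DNS message format and the reverse (PTR) naming that the hint above points at, as an added worked example in Python (not code from the slides). It builds a query in wire format, parses a reply for the slide's own sample mapping (example.com, 192.168.1.3) whose bytes are hand-constructed here so nothing is sent on the network, and shows how in-addr.arpa / ip6.arpa owner names are formed. The transaction ID and TTL are arbitrary values.

```python
"""DNS wire format and PTR names. Added example, not part of the slides;
the reply below is constructed by hand and no network traffic is sent."""
import ipaddress
import struct

# RR type codes from RFC 1035 / RFC 3596
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
NAME_TYPES = {QTYPES["NS"], QTYPES["CNAME"], QTYPES["PTR"]}


def encode_name(name: str) -> bytes:
    """'example.com' -> 0x07 'example' 0x03 'com' 0x00 (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """12-byte header (flags: RD=1, QDCOUNT=1) followed by one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # 11xxxxxx: 2-byte pointer
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(msg: bytes):
    """Return (txid, rcode, [(name, type, ttl, value), ...]) for the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                        # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                                 # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPES["A"]:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == QTYPES["AAAA"]:
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype in NAME_TYPES:
            value = decode_name(msg, offset)[0]     # RDATA is itself a (compressible) name
        else:
            value = rdata.hex()                      # MX/TXT etc. left raw for brevity
        offset += rdlen
        answers.append((name, rtype, ttl, value))
    return txid, flags & 0x000F, answers


def ptr_name(ip: str) -> str:
    """Reverse-lookup owner name: 192.168.1.3 -> 3.1.168.192.in-addr.arpa (ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer


def constructed_reply() -> bytes:
    """Hand-built answer to build_query('example.com', 'A'): flags 0x8180 (QR, RD, RA,
    RCODE 0), one A record with TTL 300 whose owner name is a pointer to offset 12."""
    question = build_query("example.com", "A")[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 168, 1, 3])
    return header + question + answer


if __name__ == "__main__":
    print(build_query("example.com", "A").hex())
    print(parse_response(constructed_reply()))
    print(ptr_name("192.168.1.3"), ptr_name("2001:db8::1"))
```

The answer to the hint: forward records (A, AAAA, MX, ...) live in the zone of the domain owner, while PTR records live under in-addr.arpa / ip6.arpa, which is delegated along address-block boundaries, so they are usually maintained by whoever holds the address space (the ISP or hosting provider), not the domain owner.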
• SCADA (Supervisory Control and Data Acquisition)
– Exposures: network attacks, vendor backdoors, modems
– Modbus, Fieldbus and other ICS protocols were not designed with security in mind
• Storage networks (SAN)
– Block storage, data management, remote management, business-centric data
– iSCSI (Internet SCSI)
– Storage consolidation
– Disaster recovery
– FCIP (Fibre Channel over IP) and iFCP (Internet Fibre Channel Protocol)
– FCoE (10GbE): Fibre Channel frames encapsulated in Ethernet at layer 2; relies on Data Center Bridging (DCB) protocols
• Security-focused protocols
– At the Application layer
» Secure Electronic Transaction (SET), by Visa and MasterCard
» HTTPS (HTTP over SSL/TLS, TCP port 443)
– At the Transport layer
» Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
» Secure Shell (SSH-2)
Networking: Cables, Topology, LAN, WAN
• Cable types: twisted pair, coaxial, fiber optic
– Avoid excess lengths, why?
• UTP categories
– Cat 1: used for phone, NOT suitable for data
– Cat 2: up to 4 Mbps
– Cat 3: 10BaseT networks, up to 10 Mbps
– Cat 4: used in Token Ring, up to 16 Mbps
– Cat 5: up to 100 Mbps
– Cat 5e: up to 1 Gbps
– Cat 6: 1 Gbps at 100 m; 10 Gbps (10GBASE-T) up to 55 m
• Coaxial cable (coax)
– Impedance: 50 ohm for digital signaling, 75 ohm for analog and high-speed digital signaling
– Thinnet (10Base2) and Thicknet (10Base5)
– Transmission methods: baseband (one single channel) and broadband (several channels, such as data, voice, video)
• Fiber optic cable
– Modulated light transmission
– Higher speeds and greater distances due to less attenuation
– Immune to electromagnetic interference and difficult to tap without detection
– Most expensive to install; needs expertise to terminate
• Emanations Security (EMSEC)
– Signals moving through a wire create an electromagnetic field that can be picked up at a distance
– Research: the TEMPEST project of the 1960s and 1970s and the standards on EMSEC that followed
– Shielding: Faraday cage, a box or room enclosed in metal sheathing
– Use of white noise to mask emanations
• Emanation protection, lowest to highest:
– Wireless: no protection
– UTP: some benefit from the twisting
– STP: additional benefit from shielding
– Coax: grounded shielding provides protection
– Fiber optics: signal carried by photons, not electrons; no emanations concern
• Media access methods
– Carrier Sense Multiple Access (CSMA)
» CSMA/CA (AppleTalk, also 802.11 wireless): nodes attempt to avoid collisions by transmitting only when the channel is sensed to be "idle"
» CSMA/CD (Ethernet standard): a transmitting station detects collisions by sensing transmissions from other stations while transmitting a frame. When a collision is detected, the station stops transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying to resend the frame
– Polling
» Mostly used in mainframe environments
» In electronic communication, polling is the continuous checking of other programs or devices by one program or device to see what state they are in, usually to see whether they are still connected or want to communicate
– Token passing: used in Token Ring, FDDI, ARCnet
• Transmission methods
– Unicast: packet is sent from a single source to a single destination
– Anycast: packet is sent to the nearest one of many nodes sharing the same address
– Multicast: packet is copied and sent to a specific group of destinations; the IPv4 multicast range is 224.0.0.0 to 239.255.255.255 (224.0.0.0/4)
– Broadcast: packet is copied and sent to all nodes on the network
• Topologies: bus, tree, ring, star, mesh
• Physical vs. logical topology
• Media access methods by technology
– AppleTalk: CSMA/CA
– Ethernet: CSMA/CD
» Thinnet (10Base2, up to 185 meters)
» Thicknet (10Base5, up to 500 meters)
» UTP (10BaseT, 100BaseTX, 1000BaseT; all 100 meters)
– ARCnet: token passing; provides predictable network performance
– Token Ring: IBM
– FDDI: dual counter-rotating rings
• Devices: repeaters, hubs, bridges, switches, routers, gateways
• Subnet mask: defines what is local and what is forwarded to the gateway
– 255.255.255.0, i.e. 11111111.11111111.11111111.00000000, i.e. 192.168.1.0/24: if the first three octets match, the host is on the same network (subnet)
• WAN technologies
– Private circuit: dedicated analog or digital point-to-point, leased line
» Types and speeds: Digital Signal 0 (DS-0) 64 kbps; DS-1 1.544 Mbps (T1, US); E1 2.048 Mbps; DS-3 44.736 Mbps (T3); E3 34.368 Mbps
– ISDN: combination of digital telephony and data transport services (data, music, video, etc.)
– xDSL: uses existing twisted-pair telephone lines
» ADSL (Asymmetric): downstream speed is usually higher than upstream
» SDSL (Symmetric)
» HDSL (High bit rate): 1.544 Mbps each way over two copper twisted pairs
» VDSL (Very high data rate): downstream 13 to 52 Mbps, upstream 1.5 to 2.3 Mbps
• Packet-switched technologies (more cost effective than dedicated circuits)
– X.25
» First packet-switching network
» Defines communication between Data Terminal Equipment (DTE) and Data Circuit-terminating Equipment (DCE, usually a modem or a Channel Service Unit/Data Service Unit, CSU/DSU)
» Supports both Switched Virtual Circuits (SVC) and Permanent Virtual Circuits (PVC)
– Frame Relay
» High-performance packet-switched WAN protocol
» Data Link Connection Identifiers (DLCIs) for addressing
» Uses Permanent Virtual Circuits (PVC) and Switched Virtual Circuits (SVC, active only when in use)
– ATM
» High bandwidth, low delay
» Uses fixed-size (53-byte) cells instead of variable-length frames like Ethernet
– Wireless: satellite, microwave
• SDLC (Synchronous Data Link Control)
– Created by IBM for easier connection between mainframes and remote offices
– Based on dedicated, leased lines with permanent physical connections
• HDLC (High-Level Data Link Control)
– Based on SDLC
– Created by ISO to support point-to-point and multipoint configurations
• MPLS (Multiprotocol Label Switching)
– Traffic is carried across the provider's MPLS cloud
– Packets are assigned labels and forwarded based on the label rather than the IP header
– Operates between OSI layers 2 and 3 ("layer 2.5")
– Much cheaper than dedicated leased lines
• WAN devices
– Routers
– Multiplexers: enable more than one signal to be sent simultaneously over one physical circuit
– WAN switches: multiport networking devices used in carrier networks
– Access servers: provide dial-in and dial-out connections to the network
– Modems: convert digital signals to analog and analog signals back to digital
What type of switching is this?
• Routing
– Static, e.g. Cisco IOS: ip route 172.31.10.0 255.255.255.0 10.10.10.2 (destination network, mask, next hop)
– Dynamic routing protocols: distance vector (DV) and link state (LS)
» RIP (Routing Information Protocol): DV, hop-count metric, periodic updates
» RIPv2: DV, added VLSM and CIDR support
» IGRP (Interior Gateway Routing Protocol): DV, Cisco proprietary
» EIGRP (Enhanced IGRP): advanced DV, improved performance
» OSPF (Open Shortest Path First): LS, medium to large networks, event-driven updates, divides an Autonomous System (AS) into areas
» BGP (Border Gateway Protocol): path vector (not link state), very large networks, e.g. the Internet, which is organized into Autonomous Systems (AS)
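How a router decides between "deliver locally" and "send to a gateway" once routes are in the table, as an added Python example (not from the slides). It implements longest-prefix-match lookup, seeded with the slide's static route (172.31.10.0/24 via 10.10.10.2); the connected network, the default route, the /25 and the interface name are constructed for illustration.

```python
"""Longest-prefix-match route lookup. Added example, not from the slides.
The static route is the one on the slide; the other routes are constructed."""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None = directly connected
    interface: str
    distance: int                                # administrative distance


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, network: str, mask: str, next_hop: Optional[str], interface: str, distance: int = 1):
        """'ip route 172.31.10.0 255.255.255.0 10.10.10.2' maps onto add(net, mask, next_hop, ...)."""
        net = ipaddress.IPv4Network(f"{network}/{mask}")     # strict: host bits must be zero
        hop = ipaddress.IPv4Address(next_hop) if next_hop else None
        self.routes.append(Route(net, hop, interface, distance))

    def lookup(self, destination: str) -> Optional[Route]:
        """The most specific (longest prefix) matching route wins; ties go to
        the lowest administrative distance, as a real router would break them."""
        dst = ipaddress.IPv4Address(destination)
        matches = [r for r in self.routes if dst in r.network]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.network.prefixlen, -r.distance))

    def forward(self, destination: str) -> str:
        """Forwarding decision as text: local delivery vs. hand-off to a gateway."""
        route = self.lookup(destination)
        if route is None:
            return "unreachable"
        if route.next_hop is None:
            return f"local on {route.interface}"
        return f"via {route.next_hop} on {route.interface}"


def demo_table() -> RoutingTable:
    rt = RoutingTable()
    rt.add("10.10.10.0", "255.255.255.0", None, "eth0", distance=0)       # connected (constructed)
    rt.add("172.31.10.0", "255.255.255.0", "10.10.10.2", "eth0")           # the slide's static route
    rt.add("172.31.10.128", "255.255.255.128", "10.10.10.3", "eth0")       # more specific (constructed)
    rt.add("0.0.0.0", "0.0.0.0", "10.10.10.1", "eth0")                     # default route (constructed)
    return rt


if __name__ == "__main__":
    rt = demo_table()
    for dst in ("10.10.10.200", "172.31.10.7", "172.31.10.200", "8.8.8.8"):
        print(dst, "->", rt.forward(dst))
```

Note that 172.31.10.200 matches both the /24 and the /25 and goes to the /25's next hop, while 172.31.10.7 only matches the /24: the prefix length, not the order the routes were entered, decides.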
• VoIP (Voice over IP) / IPT (Internet Protocol Telephony)
– Protocols used
» RTP (Real-time Transport Protocol)
» SIP (Session Initiation Protocol)
» H.323
» SRTP (Secure Real-time Transport Protocol)
– Considerations
» Lose redundant communication (no separate phone line)
» Open to network attacks (sniffing, DoS, etc.)
» Lower cost
» Integrated services (voice mail, email, directories)
• SDN (Software-Defined Networking) architecture, top down: SDN applications; SDN Northbound Interface (NBI); SDN Controller; SDN Control-to-Data-Plane Interface (CDPI); SDN Datapath
https://www.opennetworking.org/sdn-resources/sdn-definition
• CDN (Content Delivery Network): a variety of algorithms are used to route the request, including Global Server Load Balancing, DNS-based request routing, dynamic metafile generation, HTML rewriting, and anycasting.
"NCDN - CDN" by Kanoha, own work, licensed under CC BY-SA 3.0 via Wikimedia Commons, http://commons.wikimedia.org/wiki/File:NCDN -
Remote Access, Wireless, Endpoint
• Remote access types
– Asynchronous dial-up access
– ISDN, two interface types
» BRI (Basic Rate Interface): two 64 kbps B channels and one 16 kbps D channel
» PRI (Primary Rate Interface): T1 total speed; 23 64 kbps B channels for voice or data and one 64 kbps D channel
– Cable modem
– xDSL
• Security methods: restricted address, Caller ID, callback
• Protocols
– Password Authentication Protocol (PAP)
» Uses a static, replayable password
» No encryption of user ID and password
– Challenge Handshake Authentication Protocol (CHAP)
» Uses a non-replayable challenge/response dialog
» Used for network-to-network communications
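Why CHAP is not replayable where PAP is, as an added Python example (not from the slides). The response formula is the one RFC 1994 specifies (MD5 over identifier || secret || challenge); the user name, secret and the "captured" exchange are constructed. It runs one honest login, then replays the captured response against a fresh challenge.

```python
"""PAP versus CHAP over a constructed dial-up exchange. Added example, not from
the slides. The CHAP response formula is RFC 1994's; names and secrets are made up."""
import hashlib
import hmac
import os


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP sends the password itself; whoever captures this request can replay it."""
    return username.encode() + b":" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues single-use challenges and verifies responses.
    Note the trade-off: the server must hold each peer's secret in clear."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # username -> shared secret
        self.pending = {}               # username -> (identifier, challenge)

    def challenge(self, username: str):
        identifier = os.urandom(1)[0]
        chal = os.urandom(16)
        self.pending[username] = (identifier, chal)
        return identifier, chal

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        if username not in self.pending or username not in self.secrets:
            return False
        expected_id, chal = self.pending.pop(username)   # challenge consumed: no replay
        if identifier != expected_id:
            return False
        expected = chap_response(identifier, self.secrets[username], chal)
        return hmac.compare_digest(expected, response)   # constant-time compare


def run_exchange():
    """One honest CHAP login, then an eavesdropper replays the captured response.
    Returns (honest_ok, replay_ok, pap_replay_ok)."""
    server = ChapAuthenticator({"alice": b"s3cret-shared-key"})

    # Honest peer answers the server's challenge; the eavesdropper records it.
    ident, chal = server.challenge("alice")
    captured = (ident, chap_response(ident, b"s3cret-shared-key", chal))
    honest_ok = server.verify("alice", *captured)

    # Replay: the server has issued a new challenge, so the old response is worthless.
    server.challenge("alice")
    replay_ok = server.verify("alice", *captured)

    # PAP has nothing comparable: the captured request IS the credential.
    captured_pap = pap_authenticate_request("alice", "hunter2")
    pap_replay_ok = captured_pap == pap_authenticate_request("alice", "hunter2")
    return honest_ok, replay_ok, pap_replay_ok


if __name__ == "__main__":
    print(run_exchange())   # (True, False, True)
```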
• Authentication systems
– Must provide Authentication, Authorization and Accountability (AAA)
– Types
» Remote Authentication Dial-In User Service (RADIUS), UDP
» Terminal Access Controller Access Control System (TACACS)
» TACACS+ (Cisco, TCP 49)
» DIAMETER (telecom industry)
• Virtual desktop infrastructure (VDI)
– A virtual machine per desktop
– Users access it with a thin client
– Desktops can be persistent or transient
– Can be paired with BYOD
• Remote desktop tools: RDP (Microsoft), VNC (Virtual Network Computing), GoToMyPC, LogMeIn, TeamViewer
• Application virtualization
– Citrix XenApp (formerly MetaFrame): program on the endpoint; apps published from the server
– Microsoft App-V (formerly SoftGrid): program on the endpoint; sandboxes each app; streams apps from the server
• Spread-spectrum technologies
– Direct-Sequence Spread Spectrum (DSSS): wideband; spreads the signal over a wide frequency band
– Frequency-Hopping Spread Spectrum (FHSS): narrowband; changes frequency in a known pattern, operating on one frequency for a short period of time and then hopping to another
– Orthogonal Frequency-Division Multiplexing (OFDM): newer; allows simultaneous transmission on many non-interfering (orthogonal) sub-carriers
• Standards
– Bluetooth: short distance, 2.4 GHz, FHSS; about 1 Mbps for v1.x (up to 3 Mbps with Enhanced Data Rate)
– IEEE 802.11 (WLANs)
» 802.11: 2.4 GHz, 2 Mbps
» 802.11a: 5 GHz, 54 Mbps, OFDM
» 802.11b: 2.4 GHz, 11 Mbps, DSSS
» 802.11g: 2.4 GHz, 54 Mbps, OFDM, backward compatible with 802.11b
» 802.11n: 2.4/5 GHz, MIMO with up to 4 spatial streams (up to 600 Mbps; 144 Mbps is a common 2-stream rate)
» 802.11ac: 5 GHz, MU-MIMO with up to 8 spatial streams
– IEEE 802.16 (WiMAX): associated with Wireless Local Loop (WLL)
• Operational modes: ad hoc, infrastructure
• WAP (Wireless Application Protocol)
– Developed as a set of technologies related to HTML (WML) for handhelds
– Uses fewer resources and is simpler than TCP/IP
– A WAP gateway fetches the full page and serves a WAP version to the handset
• WEP (Wired Equivalent Privacy): the original 802.11 encryption, based on RC4; cryptographically broken and should not be used
• WPA (Wi-Fi Protected Access): uses RC4 with TKIP (Temporal Key Integrity Protocol); no hardware upgrade required
• WPA2: uses AES (CCMP) encryption
• Endpoint security
– Anti-virus: core functionality is signature-based detection of malicious files
– HIDS/HIPS: create a database of file hashes and monitor for changes
– Application whitelisting, based on: known good hash; signed by a trusted CA; trusted path and filename; trusted installer
– Removable media controls
– Endpoint encryption
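The HIDS file-hash baseline and hash-based whitelisting from the list above, as an added Python example (not from the slides). It builds a SHA-256 baseline of a directory, reports added/removed/modified files after a change, and decides whether a binary may run purely from its content hash. The files are created in a temporary directory with made-up contents so the example runs anywhere.

```python
"""File-hash baseline (HIDS-style change detection) and hash-based whitelisting.
Added example, not from the slides; the files and their contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):   # stream: works for large files
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(old: dict, new: dict) -> dict:
    """HIDS check: what appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def allowed_to_run(path: Path, allowlist: set) -> bool:
    """Whitelisting by known-good hash: the file's name or location does not
    matter, only whether its content hash is on the list."""
    return sha256_file(path) in allowlist


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho hello\n")     # constructed
        (root / "app.conf").write_bytes(b"debug=0\n")                      # constructed
        baseline = take_baseline(root)
        allowlist = set(baseline.values())     # everything present at baseline is "known good"

        (root / "app.conf").write_bytes(b"debug=1\n")                      # tampered config
        (root / "bin" / "dropper").write_bytes(b"#!/bin/sh\necho pwned\n")  # new, unknown binary
        (root / "bin" / "app2").write_bytes(b"#!/bin/sh\necho hello\n")    # renamed copy of app

        diff = compare(baseline, take_baseline(root))
        renamed_ok = allowed_to_run(root / "bin" / "app2", allowlist)
        dropper_ok = allowed_to_run(root / "bin" / "dropper", allowlist)
        return diff, renamed_ok, dropper_ok


if __name__ == "__main__":
    print(run_demo())
```

The renamed copy is still allowed and the dropper is not, which is the point of hashing content rather than trusting a path or filename; the baseline diff is what a HIDS would raise an alert on.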
OSI and TCP/IP models Networking: Cables, Topology, LAN, WAN Remote Access, Wireless, Endpoint Firewall, NAT, VPN Disaster Prep, Security Issues LAB
• Firewall types
– Packet filtering (static filtering): inspects each packet's source and destination (address, port) in isolation
– Stateful inspection (dynamic filtering): maintains a "state" table of connections
– Proxy: separate connections for client and server
» Application-level (Application layer)
» Circuit-level (Session layer 5), e.g. SOCKS ("socksify" apps)
– Next generation: define policy based on users, not IP addresses; define policy based on applications, not ports
• Architectures
– Bastion host
– Screened host
– Dual-homed host
– DMZ / screened subnet: two firewalls, or one firewall with three legs
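The difference between static filtering and a state table, as an added Python example (not from the slides). Packets are constructed dicts; the inside network (10.0.0.0/8), the policy "inside hosts may open HTTPS to anywhere, nothing else is accepted inbound" and the addresses are assumptions. Both filters see the same three packets.

```python
"""Static packet filter versus stateful inspection. Added example, not from the
slides; packets, addresses and the policy are constructed."""
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE


def static_filter(pkt: dict) -> str:
    """Each packet is judged alone. To let HTTPS replies back in, the rule set
    has to trust 'TCP from source port 443', which an attacker can simply set."""
    if pkt["proto"] == "tcp" and is_inside(pkt["src"]) and pkt["dport"] == 443:
        return "ALLOW"
    if pkt["proto"] == "tcp" and not is_inside(pkt["src"]) and pkt["sport"] == 443:
        return "ALLOW"       # the hole: any outside host using sport 443 gets in
    return "DROP"


class StatefulFirewall:
    """Connection table keyed by 5-tuple; inbound traffic is allowed only when it
    belongs to a session that an inside host opened."""

    def __init__(self):
        self.table = {}      # 5-tuple of the initiating direction -> state

    @staticmethod
    def key(pkt):
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    @staticmethod
    def reverse_key(pkt):
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def filter(self, pkt: dict) -> str:
        flags = set(pkt.get("flags", ()))
        fwd, rev = self.key(pkt), self.reverse_key(pkt)
        if fwd in self.table or rev in self.table:
            k = fwd if fwd in self.table else rev
            if "RST" in flags or "FIN" in flags:
                self.table.pop(k)                    # teardown removes the entry
            elif k == rev and flags == {"SYN", "ACK"}:
                self.table[k] = "ESTABLISHED"
            return "ALLOW"
        # New connection: only inside -> anywhere:443, and only a bare SYN.
        if pkt["proto"] == "tcp" and is_inside(pkt["src"]) and pkt["dport"] == 443 and flags == {"SYN"}:
            self.table[fwd] = "SYN_SENT"
            return "ALLOW"
        return "DROP"


def run_demo():
    """Three packets through both filters; returns [(label, static, stateful), ...]."""
    fw = StatefulFirewall()
    packets = [
        ("inside opens HTTPS",
         {"proto": "tcp", "src": "10.1.1.5", "sport": 40000, "dst": "93.184.216.34", "dport": 443, "flags": {"SYN"}}),
        ("server replies",
         {"proto": "tcp", "src": "93.184.216.34", "sport": 443, "dst": "10.1.1.5", "dport": 40000, "flags": {"SYN", "ACK"}}),
        ("outsider probes SSH with sport 443",
         {"proto": "tcp", "src": "203.0.113.9", "sport": 443, "dst": "10.1.1.5", "dport": 22, "flags": {"SYN"}}),
    ]
    return [(label, static_filter(p), fw.filter(p)) for label, p in packets]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The third packet is the classic source-port trick: the static filter has to let it through to keep HTTPS working, while the stateful firewall drops it because no inside host ever opened that connection.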
• NAT (Network Address Translation)
– Very important concept in data networking
– Typically converts a private (RFC 1918, non-routable) address into a "real", publicly routable IP address:
» 10.0.0.0 – 10.255.255.255 (10/8)
» 172.16.0.0 – 172.31.255.255 (172.16/12)
» 192.168.0.0 – 192.168.255.255 (192.168/16)
• IPv4 address classes
Class   First octet   Default mask   # Networks    # Addresses per network (usable = 2 fewer)
A       1-126         /8             126           16,777,216
        127           /8             loopback
B       128-191       /16            16,384        65,536
C       192-223       /24            2,097,152     256
D       224-239       N/A (multicast)
E       240-255       N/A (experimental)
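The subnet-mask rule from the slide above (same first three octets under 255.255.255.0 means same network), the RFC 1918 ranges, the classful table and a port-overloading NAT table, as one added Python example (not from the slides). The public address 203.0.113.5 and the port range are constructed.

```python
"""Subnet membership, RFC 1918 checks, classful defaults and a minimal NAPT table.
Added example, not from the slides; the public address and ports are constructed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True if b is on the network a/mask, i.e. the bits under the mask match
    (255.255.255.0: the first three octets must be equal)."""
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/{mask}", strict=False)


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classful(ip: str):
    """Historic class from the first octet and its default prefix length."""
    first = int(ip.split(".")[0])
    if first == 127:
        return "loopback", 8
    if 1 <= first <= 126:
        return "A", 8
    if 128 <= first <= 191:
        return "B", 16
    if 192 <= first <= 223:
        return "C", 24
    if 224 <= first <= 239:
        return "D", None        # multicast
    return "E", None            # experimental / reserved


def subnet_summary(cidr: str) -> dict:
    """Network and broadcast addresses are the two that are not usable for hosts."""
    net = ipaddress.ip_network(cidr)
    hosts = list(net.hosts())
    return {"network": str(net.network_address), "broadcast": str(net.broadcast_address),
            "usable": len(hosts), "first": str(hosts[0]), "last": str(hosts[-1])}


class Napt:
    """Port-based NAT (overload): many private hosts behind one public address.
    Translations exist only because an inside host sent something out, so an
    unsolicited inbound packet finds no entry and is dropped."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip, self.next_port = public_ip, first_port
        self.outbound = {}     # (private_ip, private_port) -> public_port
        self.inbound = {}      # public_port -> (private_ip, private_port)

    def translate_out(self, src_ip: str, src_port: int):
        key = (src_ip, src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, dst_port: int):
        return self.inbound.get(dst_port)     # None: no state, drop


if __name__ == "__main__":
    print(same_subnet("192.168.1.10", "192.168.1.200", "255.255.255.0"))
    print(subnet_summary("192.168.1.0/24"))
    nat = Napt("203.0.113.5")
    print(nat.translate_out("192.168.1.3", 50000), nat.translate_in(1024), nat.translate_in(9999))
```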
• IPv6
– Enabled by default in modern operating systems
– Example: an IPv6 address is 128 bits, written as 8 groups of 4 hex digits: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
– DNS uses the AAAA record for IPv6 instead of the A record for IPv4:
    C:\>nslookup
    > set type=a
    > google.com
    Non-authoritative answer:
    Name:      google.com
    Addresses: 74.125.224.100
               74.125.224.98
               74.125.224.105

    C:\>nslookup
    > set type=aaaa
    > google.com
    Non-authoritative answer:
    Name:    google.com
    Address: 2001:4860:4001:803::1006
– Address space: IPv4 2^32 ≈ 4.3e+9; IPv6 2^128 ≈ 3.4e+38
• VPN: a secure communication link
– Using software or hardware agents
– User or node authentication
– Key or certificate exchange
– Encrypted connection
• Client VPN: initiated by a host to a VPN device
• Site-to-site VPN: initiated between two similar devices (routers)
• SLIP (1988): supports TCP/IP over low-speed serial interfaces on Berkeley Unix computers; NT computers can communicate with remote computers using TCP/IP and SLIP
• PPP: used for transmitting data over dial-up and dedicated networks; an improvement over SLIP (login, password and error correction); uses CHAP and PAP
• Common tunneling protocols
– Point-to-Point Tunneling Protocol (PPTP): tunnels PPP over IP; uses native PPP authentication and encryption
– Layer 2 Forwarding (L2F): permits tunneling at the link layer; no encryption
– Layer 2 Tunneling Protocol (L2TP): combination of L2F and PPTP; no encryption of its own (commonly paired with IPsec); supports TACACS+ and RADIUS
– IPsec: operates at the Network layer; standard for encryption and authentication; built into IPv6
– SSL (TLS) VPN: clientless (browser-based) or with a network client
Disaster Prep, Security Issues
• Disaster preparation
– Eliminate single points of failure
– Save configuration files
– UPS
– RAID
– Redundant servers
– Clustering
– Backups: tape arrays, NAS, SAN, online backup
Example (figure): shows redundancy in network components
• Wireless: detection, eavesdropping, modification, injection, hijacking, war driving
• Traditional voice networks: PBX (Private Branch Exchange), modems, war dialing
• IP
– IP fragmentation attacks: tiny fragment attack, overlapping fragment attack
– IP address spoofing
– Source routing
– Smurf: ICMP echo request to a broadcast address with the victim's address spoofed as the source, so every host on the segment replies to the victim
– Fraggle: the same idea with UDP echo (port 7)
– TCP SYN flood
– LAND attack: spoofed source IP (and port) set to match the destination
– Teardrop attack: multiple overlapping fragments
• DDoS (Distributed Denial of Service): the victim is attacked from multiple sources, for example an attacker-controlled botnet
• TCP: TCP sequence number attacks, session hijacking
• UDP: offers no error correction and no protection from lost or duplicated packets; easier to spoof since there is no session identifier
• ICMP: DoS (Ping of Death: an echo request whose fragments reassemble to more than the 65,535-byte IP maximum); ICMP redirect (normally sent by a router; a forged redirect changes the victim's routing)
• DNS: DNS cache poisoning, brute-force DNS mapping
• ARP: poisoning the ARP table (cache)
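Signature checks for several of the attacks listed above (LAND, Smurf, Fraggle, tiny and overlapping fragments, SYN flood), as an added Python example (not from the slides) run over a constructed capture. The packet dicts, addresses and the half-open threshold are made up; fragment offsets are given in bytes here, whereas the real IP header stores them in 8-byte units.

```python
"""Signature checks for the IP/ICMP/UDP attacks above, over constructed packets.
Added example, not from the slides; packets, addresses and thresholds are made up."""
from collections import defaultdict

TCP_HEADER_MIN = 20      # a first fragment shorter than this hides the TCP ports/flags
SYN_FLOOD_THRESHOLD = 50


def pkt(src, dst, proto="tcp", sport=0, dport=0, flags=(), icmp_type=None,
        frag_id=None, frag_off=0, frag_len=0, more=False):
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, flags=set(flags),
                icmp_type=icmp_type, frag_id=frag_id, frag_off=frag_off, frag_len=frag_len, more=more)


def detect(packets, broadcast_addrs):
    """Return a sorted list of (attack, detail) alerts."""
    alerts = set()
    half_open = defaultdict(set)            # (dst, dport) -> {(src, sport)} still waiting for the ACK
    fragments = defaultdict(list)           # (src, dst, id) -> [(offset, length, more)]

    for p in packets:
        if p["src"] == p["dst"] and p["sport"] == p["dport"]:
            alerts.add(("LAND", f"{p['src']}:{p['sport']} -> itself"))
        if p["dst"] in broadcast_addrs:
            if p["proto"] == "icmp" and p["icmp_type"] == "echo-request":
                alerts.add(("SMURF", f"ICMP echo request to broadcast {p['dst']} from {p['src']}"))
            if p["proto"] == "udp" and p["dport"] == 7:
                alerts.add(("FRAGGLE", f"UDP echo to broadcast {p['dst']} from {p['src']}"))
        if p["frag_id"] is not None:
            fragments[(p["src"], p["dst"], p["frag_id"])].append((p["frag_off"], p["frag_len"], p["more"]))
        elif p["proto"] == "tcp":
            conn = (p["dst"], p["dport"])
            if p["flags"] == {"SYN"}:
                half_open[conn].add((p["src"], p["sport"]))
            elif "ACK" in p["flags"]:
                half_open[conn].discard((p["src"], p["sport"]))

    for (src, dst, fid), frags in fragments.items():
        first = [f for f in frags if f[0] == 0]
        if first and first[0][2] and first[0][1] < TCP_HEADER_MIN:
            alerts.add(("TINY_FRAGMENT", f"{src} -> {dst} id {fid}: first fragment carries {first[0][1]} bytes"))
        end = 0
        for off, length, _ in sorted(frags):
            if off < end:
                alerts.add(("OVERLAPPING_FRAGMENT", f"{src} -> {dst} id {fid}: fragment at {off} overlaps data up to {end}"))
            end = max(end, off + length)

    for (dst, dport), sources in half_open.items():
        if len(sources) >= SYN_FLOOD_THRESHOLD:
            alerts.add(("SYN_FLOOD", f"{len(sources)} half-open connections to {dst}:{dport}"))
    return sorted(alerts)


def sample_traffic():
    """Constructed capture: one normal handshake, then one instance of each attack."""
    victim, bcast = "10.1.1.5", "10.1.1.255"
    t = [pkt("10.1.1.9", victim, sport=5000, dport=80, flags={"SYN"}),
         pkt(victim, "10.1.1.9", sport=80, dport=5000, flags={"SYN", "ACK"}),
         pkt("10.1.1.9", victim, sport=5000, dport=80, flags={"ACK"}),
         pkt(victim, victim, sport=139, dport=139, flags={"SYN"}),                        # LAND
         pkt("10.1.1.7", bcast, proto="icmp", icmp_type="echo-request"),                # Smurf
         pkt("10.1.1.7", bcast, proto="udp", sport=53000, dport=7),                     # Fraggle
         pkt("198.51.100.4", victim, frag_id=77, frag_off=0, frag_len=36, more=True),   # Teardrop
         pkt("198.51.100.4", victim, frag_id=77, frag_off=24, frag_len=36),
         pkt("198.51.100.8", victim, frag_id=91, frag_off=0, frag_len=8, more=True),    # tiny fragment
         pkt("198.51.100.8", victim, frag_id=91, frag_off=8, frag_len=32)]
    # SYN flood from 60 spoofed sources that never complete the handshake
    t += [pkt(f"203.0.113.{i}", victim, sport=1024 + i, dport=80, flags={"SYN"}) for i in range(60)]
    return t


if __name__ == "__main__":
    for alert in detect(sample_traffic(), {"10.1.1.255"}):
        print(*alert)
```

The honest handshake at the top leaves no trace because its ACK clears the half-open entry; only the spoofed SYNs accumulate, which is what a SYN-flood detector keys on.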
• IP phones
• Instant messaging
– Peer to peer, brokered communications, server-oriented networks
– Additional features: screen sharing, file transfer
– SPIM: spam over instant messaging
• Man in the Middle
– Attacker can intercept communication between two parties
– Can alter the communication or transaction
– Man in the Browser: malware intercepts browser communication
Video: Defeating SSL
• Attack methodology: any device connected to the external network is a potential target
– Step one: map the target network using traceroute, ping, port scanning
– Step two: analysis of the collected information
– Step three: gain access to the target, e.g. through social engineering
– Step four: escalate privileges
– Step five: complete the attack by installing backdoor mechanisms, creating accounts, closing the vulnerability so that no one else notices, and erasing the traces
• Cryptology
– Hash, aka message digest (MD5, SHA-1)
– MAC: Message Authentication Code
– HMAC: hash-based MAC
– Symmetric (DES, AES)
– Asymmetric (RSA)
– SSL/TLS
– Certificates, Certificate Authority
• Hash properties
– Arbitrary-size input to fixed-size output
– One way
– Small input change produces a large output change (avalanche)
– Infeasible to find two messages with the same hash (collision resistance)
– Example digests (32 hex digits, i.e. 128-bit MD5):
  "The quick brown fox jumped over the lazy dog." → 5C6FFBDD40D9556B73A21E63C3E0E904
  "The quick brown fox jumped over the lazy dog!" → EFC05C070367008ABB4388B189AC2B1E
  Full text of War and Peace → 4002D081551035B03E4979B0C94A08D8
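The hash properties above, and why a bare hash is not a MAC, as an added Python example (not from the slides). It measures how many digest bits flip between the slide's two fox sentences, then contrasts an unkeyed integrity check (which an attacker can recompute after tampering) with an HMAC-SHA256 tag that needs the key. The key is constructed.

```python
"""Hash properties and why a MAC needs a key. Added example, not from the slides;
the key is constructed, the two messages are the slide's own sentences."""
import hashlib
import hmac


def digest_hex(data: bytes, algo: str = "md5") -> str:
    """Arbitrary-length input, fixed-length output (MD5: 128 bits = 32 hex digits)."""
    return hashlib.new(algo, data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """How many digest bits changed (avalanche: roughly half, even for a one-character edit)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message; only holders of the key can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(make_tag(key, message), tag)   # constant-time comparison


def plain_hash_check(message: bytes, digest: str) -> bool:
    """Integrity check with an unkeyed hash: anyone who can modify the message
    can also recompute the digest, so this catches accidents, not attackers."""
    return digest_hex(message, "sha256") == digest


def run_demo() -> dict:
    a = b"The quick brown fox jumped over the lazy dog."
    b = b"The quick brown fox jumped over the lazy dog!"
    key = b"constructed-shared-secret"
    tag = make_tag(key, a)

    # Attacker swaps in message b and recomputes the unkeyed hash: the check still passes.
    forged_hash_ok = plain_hash_check(b, digest_hex(b, "sha256"))
    # With a MAC the attacker cannot recompute the tag without the key.
    return {
        "avalanche_bits": differing_bits(digest_hex(a), digest_hex(b)),
        "mac_genuine": verify_tag(key, a, tag),
        "mac_tampered": verify_tag(key, b, tag),
        "mac_wrong_key": verify_tag(b"guess", a, tag),
        "unkeyed_hash_forgery": forged_hash_ok,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```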
                 Symmetric            Asymmetric
Number of keys   One key              Two keys
Also known as    Secret key crypto    Public key crypto
Key names        "The key"            Public, private
Speed            Faster               Slower
Key size         Smaller              Larger
• SSL/TLS: https://www.sslshopper.com/ssl-details.html
References
Hernandez, Steven (2012). Official (ISC)2 Guide to the CISSP Exam, 3rd ed. (ISC)2 Press LLC.
Harris, Shon (2012). CISSP All-in-One Certification Exam Guide, 6th ed. McGraw-Hill/Osborne.
Conrad, Eric (2012). CISSP Study Guide, 2nd ed. Syngress.
Miller, David R. (2013). CISSP Training Kit. O'Reilly/Microsoft Press.
Miller, Lawrence C. (2012). CISSP for Dummies. Wiley.
Q & A