LVISSA CISSP Course Winter 2017 Domain 4 - to share
lvissa.org/mentor_slides/LVISSA CISSP Course Winter 2017 Domain 4...

Page 3

Steve [email protected]

Page 4

• We are all IT people. IT people google stuff. When I ask a question, if you don’t know the answer, google it and share what you find. (What alternatives to google do you guys use?)

• I don’t know everything, but I try to act as if I do by attempting to portray modest confidence (does that even make sense?). Fact check what I say. If I am wrong, please correct me and let’s discuss. Please try to change my point of view.

• The true wise person has more questions than answers. Ask in this forum, get us all talking.

• Please, please, pretty please don’t allow me to talk at you for hours on a Saturday. Let’s talk about stuff and learn from each other.

• If you are non-technical and have a different point of view, share it. We can all benefit from your perspective.

• Take notes of things you DON’T know or that completely confuse you, then research those things.

• There will be areas of this domain that I just… don’t know well. Yet, I passed the exam.

Page 5

• Pearson Vue near LV Blvd & D.I.
• Did not allow studying in the waiting room
• Had me put all of my belongings in a locker
• I’m really not sure how it would have worked if I needed to go to the restroom
• Computer-based exam
• Kiosk-type screen
• Erasable dry erase notepad with dry erase marker
• Could exchange the notepad for a new one, but only have one at a time
• The test program had a built-in calculator and a note section for each question
• There was a clock in the room, and an attendant who could see every screen
• There was a camera above that I guess could see everything I did
• There were headphones for noise cancellation
• Questions were multiple choice
• Some questions were grouped together, i.e. 2-3 questions for one scenario
• They didn’t tell me whether or not I passed, just handed me a sheet, and the sheet had the results. No score, just “pass”.

Page 6

The communication and network security domain encompasses the network architecture, transmission methods, transport protocols, control devices, and the security measures used to maintain the confidentiality, integrity and availability of information transmitted over both private and public communication networks.

Page 7

• Upon completion of this review class
– OSI & TCP/IP models
– Network topologies
– Basic Protocols
– IP addressing & NAT
– Firewall architectures
– Wireless
– Endpoint security
– Network Attacks
– Cryptology (SSL/TLS)

Page 8

• Structures
– Personal Area Network
– Wireless Personal Area Network
– Local Area Network
– Metropolitan Area Network
– Campus Area Network
– Wide Area Network
– Internet
– Intranet
– Extranet

Page 9

• Network Components
– Servers, Mainframes
– File Servers
– Workstations
– Network Interface Card
– Network Operating Systems (NOS)
– Hub/Concentrator/Repeater, Bridges, Switches (Layer 2, 3, 4), Routers
– Physical cabling
– Wireless

Page 10

OSI and TCP/IP models
Networking: Cables, Topology, LAN, WAN
Remote Access, Wireless, Endpoint
Firewall, NAT, VPN
Disaster Prep, Security Issues
LAB

Page 11

• Open System Interconnect (OSI)
– 7 Layers (4 Layers TCP/IP)
– Provides guidelines
– Data transfer is done by interacting with the layer above or below
– Data Encapsulation

Page 12

• Protocol
A Protocol is a standard set of rules that determine how systems will communicate across networks. Two different systems can communicate and understand each other because they use the same protocols in spite of their differences.

* SHON HARRIS

Page 13

RFC 1149: Frame Format
The IP datagram is printed, on a small scroll of paper, in hexadecimal, with each octet separated by whitestuff and blackstuff. The scroll of paper is wrapped around one leg of the avian carrier. A band of duct tape is used to secure the datagram's edges. The bandwidth is limited to the leg length. The MTU is variable, and paradoxically, generally increases with increased carrier age. A typical MTU is 256 milligrams. Some datagram padding may be needed. Upon receipt, the duct tape is removed and the paper copy of the datagram is optically scanned into an electronically transmittable form.

www.faqs.org/rfcs/rfc1149.html April 1, 1990

Page 14

TCP/IP layer diagram (figure): Host-to-Host layer, aka Transport; Network Access layer, aka Link Layer.

http://tools.ietf.org/html/rfc1122

Page 16

Reference: Miller, Lawrence, (2012), CISSP for Dummies, Wiley

Page 18

• Examples of Layers
– Application – WWW, FTP, TFTP, LPD, SMTP, DNS
– Presentation – HTTP, TIFF, JPEG, MPEG
– Session – NFS, SQL, RPC
– Transport – TCP, UDP, SPX
– Network – IP, ICMP, RIP, OSPF
– Data Link – ARP, SLIP, PPP
– Physical – EIA/TIA, X.21, High-Speed Serial Interface (HSSI)

Page 19

* http://www.tcpipguide.com/free/t_TCPIPProtocols.htm

Page 20

• Application Layer
– Similar to top three layers of OSI model
• Host-to-Host Layer (aka Transport)
– TCP, UDP
• Internet Layer
– IP, ARP, RARP, ICMP
• Network Access Layer (aka Link Layer)
– Equivalent to OSI’s data link and physical layers

Page 21

• TCP (SURF PA)
– Reliable
– Connection-oriented, full-duplex, virtual circuit (3 way handshake)
– Very costly and slower due to network

SV-ISSA.ORG CISSP Training 21

Page 22

• UDP
– “Best Effort” delivery (unreliable).
– Connectionless, no sequence, no virtual circuit, does not contact destination before delivering data
– Faster than TCP due to low overhead

What’s the best part of a UDP joke?

Page 23

• TCP vs. UDP

Page 24

Layer          Data
Application    Data stream
Presentation   Data stream
Session        Data stream
Transport      Segment (TCP) / Datagram (UDP)
Network        Packet
Data Link      Frame
Physical       Bits

Page 25

• Internet Layer Protocols
– Internet Protocol (IP)
• Defines Packet (basic unit of transmission in the internet)
• Logical ID called IP address (32 bit – IPv4, 128 bit – IPv6)
– Address Resolution Protocol (ARP)
• Have IP address, want Ethernet (MAC) address
– Reverse Address Resolution Protocol (RARP)
• Have MAC address, want IP address
• Sometimes used to boot diskless machines onto the network

Page 26

• Other Protocols
– Telnet
– FTP
– TFTP
– SMTP
– LPD
– SNMP
– BOOTP

Page 27

Dynamic Host Configuration Protocol
• Distributes network config parameters such as IP address and DNS servers
• Manages pool of addresses
• Extension to BOOTP
• DORA – Discovery, Offer, Request, Acknowledgement
• UDP 67 on server, UDP 68 on client
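As an added example (not from the course slides), a toy DHCP server that walks a client through DORA and manages its address pool. Messages are simplified dicts rather than the RFC 2131 wire format; the class and function names (DhcpServer, run_dora) are made up for this illustration.

```python
"""Toy DHCP server: DISCOVER -> OFFER -> REQUEST -> ACK (or NAK) over a pool.

Added example, not from the slides. The message format is a simplified
dict, not the real RFC 2131 wire format; the point is the state machine
and the pool management the slide describes.
"""
import ipaddress

DHCP_SERVER_PORT = 67   # UDP 67 on server
DHCP_CLIENT_PORT = 68   # UDP 68 on client


class DhcpServer:
    def __init__(self, pool_start, pool_end, dns_servers):
        start = int(ipaddress.IPv4Address(pool_start))
        end = int(ipaddress.IPv4Address(pool_end))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        self.offers = {}   # client MAC -> address tentatively offered
        self.leases = {}   # client MAC -> address acknowledged
        self.dns_servers = dns_servers

    def handle(self, msg):
        """Process one client message; return the server reply (or None)."""
        kind, mac = msg["type"], msg["mac"]
        if kind == "DISCOVER":
            if mac in self.leases:        # returning client: re-offer its lease
                addr = self.leases[mac]
            elif mac in self.offers:      # repeated DISCOVER: same offer again
                addr = self.offers[mac]
            elif self.free:
                addr = self.free.pop(0)
                self.offers[mac] = addr
            else:
                return None               # pool exhausted: no offer at all
            return {"type": "OFFER", "mac": mac, "yiaddr": addr,
                    "dns": self.dns_servers,
                    "src_port": DHCP_SERVER_PORT, "dst_port": DHCP_CLIENT_PORT}
        if kind == "REQUEST":
            wanted = msg["requested"]
            offered = self.offers.get(mac) or self.leases.get(mac)
            if wanted != offered:
                # client asked for an address it was never offered: refuse it
                return {"type": "NAK", "mac": mac}
            self.offers.pop(mac, None)
            self.leases[mac] = wanted
            return {"type": "ACK", "mac": mac, "yiaddr": wanted,
                    "dns": self.dns_servers}
        if kind == "RELEASE":
            addr = self.leases.pop(mac, None)
            if addr:
                self.free.append(addr)    # address returns to the pool
            return None
        raise ValueError(f"unknown message type {kind}")


def run_dora(server, mac):
    """Drive one client through DORA; return the leased address or None."""
    offer = server.handle({"type": "DISCOVER", "mac": mac})
    if offer is None:
        return None
    ack = server.handle({"type": "REQUEST", "mac": mac,
                         "requested": offer["yiaddr"]})
    return ack["yiaddr"] if ack["type"] == "ACK" else None


if __name__ == "__main__":
    # constructed pool of three addresses and one DNS server
    srv = DhcpServer("192.168.1.100", "192.168.1.102", ["192.168.1.3"])
    for mac in ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"):
        print(mac, "->", run_dora(srv, mac))
```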

Page 28

• Maps domain names like example.com to IP addresses like 192.168.1.3
• Hierarchical, TLD down
• UDP 53, TCP 53
• Caches results
• Many record types: A, CNAME, MX, NS, PTR, TXT

Are all these record types handled by the same entity? Hint: PTR

Page 29

Slide 28, note SB1: Steve Bonilla, 2/12/2017

Page 30

• SCADA – Supervisory Control and Data Acquisition
– Network Attacks, Vendor Backdoors, Modems
– Modbus, Fieldbus: ICS protocols, not designed with security.

Page 31

• Block storage data management, remote management, business-centric data
• iSCSI – Internet SCSI
• Storage consolidation
• Disaster recovery
• FCIP and Internet FC Protocol (iFCP)
• FCoE (10GbE) – supports Data Center Bridging (DCB) protocols, layer 2, FC frames encapsulated in Ethernet


Page 33

• Security Focused
– At Application layer
• Secure Electronic Transaction (SET) – by VISA and MasterCard
• Secure HTTPS (TCP port 443)
– At Transport Layer
• Secure Socket Layer (SSL, TLS)
• Secure Shell (SSH-2)


Page 35

• Types
– Twisted Pair, Coaxial, Fiber Optic
– Avoid excess lengths, why?
• UTP Category
– Cat 1 – Used for phone, NOT suitable for data
– Cat 2 – Can handle up to 4 Mbps
– Cat 3 – 10BaseT networks, up to 10 Mbps
– Cat 4 – Used in Token Rings, up to 16 Mbps
– Cat 5 – Up to 100 Mbps
– Cat 5e – Up to 1 Gbps
– Cat 6 – Up to 1 Gbps

Page 36

• Coaxial Cable (Coax)
– Resistance: 50 Ohm for digital signaling, 75 Ohm for analog & high-speed digital signaling
– Thinnet (10Base2) and Thicknet (10Base5)
– Transmission methods: Baseband (one single channel), Broadband (several channels such as data, voice, video)

Page 37

• Fiber Optic Cable
– Modulated light transmission
– Higher speeds and greater distances due to less attenuation
– Difficult to tap due to high resistance to Electro Magnetic Interference
– Most expensive to install and needs expertise to terminate

Page 38

• Emanations Security (EMSEC)
• Signals moving through a wire create a magnetic field
• Research: Tempest project from the 1960s and 1970s, and standards on EMSEC
• Shielding
• Faraday Cage – box or room encompassed with metal sheathing
• Use of white noise to mask emanations

Page 39

Emanation protection, lowest to highest:

Wireless – No protection
UTP – Benefit from twisting
STP – Additional benefit from shielding
Coax – Grounded shielding provides
Fiber optics – Signal carried by photons, not electrons, no emanations concern

Page 40

– Carrier Sense Multiple Access (CSMA)
• CSMA/CA (AppleTalk): nodes attempt to avoid collisions by transmitting only when the channel is sensed to be "idle".
• CSMA/CD (Ethernet standard) uses a carrier sensing scheme in which a transmitting station detects collisions by sensing transmissions from other stations while transmitting a frame. When this collision condition is detected, the station stops transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying to resend the frame.

Page 41

– Polling
• Mostly used in Mainframe environments
• In electronic communication, 'polling' is the continuous checking of other programs or devices by one program or device to see what state they are in, usually to see whether they are still connected or want to communicate.
– Token-Passing
• Used in Token Ring, FDDI, ARCnet

Page 42

Transmission Methods
– Unicast
• Packet is sent from single source to single destination
– Anycast
• Packet is sent to nearest node of many
– Multicast
• Packet is copied and sent to specific multiple destinations
• For TCP/IP, reserved multicast addresses are 224.0.0.1 to 239.255.255.255
– Broadcast
• Packet is copied and sent to all nodes on the network

Page 43

• Topologies
– Bus
– Tree
– Ring
– Star
– Mesh
• Physical vs Logical

Page 45

Media Access Methods
– AppleTalk
• CSMA/CA
– Ethernet
• CSMA/CD
• Thinnet (10Base2, up to 185 meters)
• Thicknet (10Base5, up to 500 meters)
• UTP (10BaseT, 100BaseTX, 1000BaseT, all 100 meters)
– ARCnet
• Provides predictable network performance
– Token Ring
• IBM
– FDDI
• Dual counter-rotating rings

Page 46

• Devices
– Repeater
– Hubs
– Bridges
– Switches
– Routers
– Gateways

Page 47

Defines what is local and what is forwarded to gateway

255.255.255.0, aka 11111111 11111111 11111111 00000000, aka 192.168.1.0/24, means that if the first three numbers (octets) are the same, then it is on the same network (subnet, VLAN).

Page 48

– Private Circuit
• Dedicated analog or digital point-to-point
• Leased Line
– Type and speeds
» Digital Signal 0 (DS-0) 64 kbps
» DS-1 1.544 Mbps (T1, US), 2.108 Mbps (E1)
» DS-3 44.736 Mbps (T3)
» E3 34.368 Mbps

Page 49

• ISDN
– Combination of digital telephony and data transport services (data, music, video etc)
• xDSL
– Uses existing twisted pair telephone lines
• ADSL (Asymmetric)
– Usually downstream speed is more than upstream
• SDSL (Symmetric)
• HDSL (High Rate)
– 1.544 Mbps each way over two copper twisted pairs
• VDSL (Very High Data Rate)
– Downstream 13 to 52 Mbps, Upstream 1.5 to 2.3 Mbps

Page 50

• Packet Switched Technologies
– More cost effective
– X.25
• First packet switching network
• Defines communication between Data Terminal Equipment (DTE), Data Circuit Equipment (DCE, usually a modem) or a Channel Service Unit/Data Service Unit (CSU/DSU)
• Supports both Switched Virtual Circuits (SVC) and Permanent Virtual Circuits (PVC)

Page 51

• Frame Relay
– High-performance packet switched WAN protocol
– Data Link Connection Identifiers (DLCIs) for addressing
– Uses Permanent Virtual Circuits (PVC) and Switched Virtual Circuits (SVC) (active only when in use)
• ATM
– High-bandwidth, low delay
– Uses fixed size (53 byte) cells instead of frames like Ethernet
• Wireless
– Satellite, Microwave

Page 52

• SDLC (Synchronous Data Link Control)
– Created by IBM for easier connection between mainframes and remote offices
– Based on dedicated leased lines with permanent physical connections
• HDLC (High-Level Data Link Control)
– Based on SDLC
– Created by ISO to support point-to-point and multi-point configurations

Page 53

• MPLS – Multiprotocol Label Switching
– Uses an MPLS cloud network
– Packets assigned labels, forwarded based on label
– MPLS operates between OSI layer 2 and 3
– Much cheaper than dedicated leased lines

Page 54

• Devices
– Routers
– Multiplexers
• Enables more than one signal to be sent out simultaneously over one physical circuit
– WAN Switches
• Multiport networking devices that are used in carrier networks
– Access Servers
• Provide dial-in and dial-out connections to the network
– Modems
• A device that converts digital to analog signals and analog to digital signals

Page 55

What type of switching is this?

Page 56

• Static: ip route 172.31.10.0 255.255.255.0 10.10.10.2
• Dynamic routing protocols
– Distance Vector
– Link State

Page 57

RIP – Routing Information Protocol, DV, hop count, regular updates
RIP v2 – DV, added VLSM and CIDR
IGRP – Interior Gateway Routing Protocol, DV, Cisco proprietary
EIGRP – Enhanced IGRP, DV, improved performance
OSPF – Open Shortest Path First, LS, medium to large networks, event-driven updates, divides network into Autonomous Systems (AS) or areas
BGP – Border Gateway Protocol – LS, very large network, e.g. the Internet; uses Autonomous Systems (AS)

Page 58

VOIP – Voice over IP
IPT – Internet Protocol Telephony
• Protocols Used
– RTP – Real-time Transport Protocol
– SIP – Session Initiation Protocol
– H.323
– SRTP – Secure Real-time Transport Protocol
• Considerations
– Lose redundant communication (separate phone line)
– Open to network attacks (sniffing, DoS, etc)
– Lower cost
– Integrated services (voice mail, email, directories)

Page 59

SDN architecture figure: SDN App, SDN Controller, SDN Datapath, SDN Control to Data-Plane Interface (CDPI), SDN Northbound Interface (NBI)

https://www.opennetworking.org/sdn-resources/sdn-definition

Page 60

A variety of algorithms are used to route the request. These include Global Server Load Balancing, DNS-based request routing, dynamic metafile generation, HTML rewriting, and anycasting.

"NCDN - CDN" by Kanoha - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:NCDN -


Page 62

• Types
– Asynchronous Dial-Up access
– ISDN
• Two interface types
– BRI (Basic Rate Interface)
» Two 64K B channels and one 16K D channel
– PRI (Primary Rate Interface), T1 total speed
» 23 64K B channels for voice or data and one 64 kbps D channel
– Cable modem
– xDSL

Page 63

• Security Methods
– Restricted Address
– Caller ID
– Callback
• Protocols
– Password Authentication Protocol (PAP)
• Uses static, replayable password
• No encryption of userid and password
– Challenge Handshake Authentication Protocol (CHAP)
• Uses non-replayable challenge/response dialog
• Used for network-to-network communications

Page 64

• Authentication Systems
– Must provide Authentication, Authorization and Accountability
– Types
• Remote Authentication Dial-in User Server (RADIUS) (UDP)
• Terminal Access Controller Access Control System (TACACS)
• TACACS+ (Cisco, TCP 49)
• DIAMETER (Telecom industry)

Page 65

• Virtual Machine for Desktop
• Users access with Thin Client
• Desktops can be persistent or transient
• Can be paired with BYOD

Page 66

• Remote Desktop – RDP, Microsoft
• VNC – Virtual Network Computing
• GoToMyPC
• LogMeIn
• TeamViewer

Page 67

• Citrix XenApp (MetaFrame)
– Program on endpoint
– Publish apps from server
• Microsoft App-V (SoftGrid)
– Program on endpoint
– Sandboxes each app
– Stream apps from server

Page 68

• Spread-Spectrum Technologies
– Direct-Sequence Spread Spectrum (DSSS)
• Wideband
• Spreads the signal over a wide frequency band
– Frequency-Hopping Spread Spectrum (FHSS)
• Narrowband
• Changes frequency in a known pattern
• Spreads the signal by operating on one frequency for a short period of time and then hopping to another.
– Orthogonal Frequency-Division Multiplexing (OFDM)
• Newer, allows simultaneous transmission using non-interfering frequencies.

Page 69

• Standards
– Bluetooth
• Short distance, 2.4 GHz, less than 1 Mbps, FHSS
– IEEE 802.11 (WLANs)
• 802.11, 2.4 GHz, 2 Mbps
• 802.11a, 5 GHz range, 54 Mbps
• 802.11b, 2.4 GHz, 11 Mbps, DSSS
• 802.11g, 2.4 GHz, 54 Mbps, backward compatible with 802.11b
• 802.11n, 2.4/5 GHz, 144 Mbps, MIMO, 4 transmitters/receivers
• 802.11ac, up to 8 transmitters/receivers
– IEEE 802.16 (WiMAX)
• Associated with Wireless Local Loop (WLL)

Page 70

• Operational Modes
– Ad Hoc Mode, Infrastructure
• WAP (Wireless Application Protocol)
– Developed as a set of technologies related to HTML for handhelds
– Uses less resources and is simpler than TCP/IP
– Gateway gets full page and provides WAP version

Page 71

• WEP (Wired Equivalent Privacy) – Encryption
• WPA – WiFi Protected Access
– Uses RC4 and TKIP (Temporal Key Integrity Protocol). No hardware upgrade required.
– WPA2 – Uses AES encryption

Page 72

• Anti Virus – Core functionality is signature-based detection of malicious files.
• HIDS/HIPS – Create a database of file hashes, monitor for changes
• Application Whitelisting
– Known good hash
– Signed by Trusted CA
– Trusted path and filename
– Trusted Install
• Removable Media Controls
• Endpoint encryption


Page 74

– Packet filtering (Static Filtering)
  • Inspects both source and destination

– Stateful Inspection (Dynamic Filtering)
  • Maintains a “State” table

– Proxy
  • Separate connections for client and server
  • Application level (Application layer)
  • Circuit level (Session layer {layer 5}), SOCKS (socksify apps)

– Next Generation
  • Define policy based on users, not IP address
  • Define policy based on application, not port
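To make the static-versus-stateful distinction concrete, here is an added example (not from the slides) that models both filters on the same three constructed packets: an outbound HTTPS connection, its reply, and an unsolicited inbound probe. The static filter has to open the whole ephemeral port range to let the reply in, which also admits the probe; the stateful filter admits the reply because a matching entry exists in its state table and drops the probe because none does.

```python
"""Added example (not from the slides): static packet filtering versus
stateful inspection on constructed traffic. The state table keys on the
5-tuple, as a real stateful firewall does."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto")


class StaticFilter:
    """Each packet is judged on its own header fields only.
    Rules: (direction, (low_port, high_port), action), first match wins."""

    def __init__(self, rules):
        self.rules = rules

    def allow(self, pkt, direction):
        for rule_dir, (lo, hi), action in self.rules:
            if rule_dir == direction and lo <= pkt.dport <= hi:
                return action == "allow"
        return False  # implicit deny


class StatefulFilter:
    """Outbound connections create a state entry; inbound packets are admitted
    only when they match an existing entry (the reversed 5-tuple)."""

    def __init__(self, allowed_outbound_ports):
        self.allowed_outbound_ports = allowed_outbound_ports
        self.state = set()

    def allow(self, pkt, direction):
        if direction == "out":
            if pkt.dport in self.allowed_outbound_ports:
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return True
            return False
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return key in self.state


def demo():
    """Constructed traffic: a legitimate HTTPS session and an unsolicited probe."""
    out = Packet("10.0.0.5", 50000, "203.0.113.10", 443, "tcp")
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 50000, "tcp")
    probe = Packet("198.51.100.7", 443, "10.0.0.5", 50001, "tcp")

    # The static filter must allow inbound 1024-65535 for replies to get back,
    # and that same rule admits the probe.
    static = StaticFilter([("out", (443, 443), "allow"),
                           ("in", (1024, 65535), "allow")])
    stateful = StatefulFilter({443})

    results = {}
    for name, fw in (("static", static), ("stateful", stateful)):
        results[name] = {
            "outbound": fw.allow(out, "out"),
            "reply": fw.allow(reply, "in"),
            "probe": fw.allow(probe, "in"),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

A production state table also ages entries out and tracks TCP flags; the model above keeps only the part that explains the difference on the slide.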

Page 75

• Architectures
  • Bastion host
  • Screened host
  • Dual-homed host
  • DMZ/Screened-subnet
    – 2 firewalls
    – 1 firewall (3 legged)

Page 76

• Very important concept in data networking

• Typically converts a private (aka RFC 1918, aka non-routable) address into a real “IP address”
  – 10.0.0.0 – 10.255.255.255
  – 172.16.0.0 – 172.31.255.255
  – 192.168.0.0 – 192.168.255.255

Page 77

Class   First Octet   Mask   # Networks   # Hosts/net
A       1-126         /8     126          16,777,216
        127           /8     Loop back
B       128-191       /16    16,384       65,535
C       192-223       /24    2,097,152    256
D       224-239       N/A    N/A          N/A
E       240-255       N/A    N/A          N/A
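The NAT slide and the class table above fit together: the first octet decides the class, membership in one of the three RFC 1918 blocks decides whether an address needs translation. This added example (not from the slides) classifies an address both ways and then models the port-based translation table that lets many private hosts share one public address. The addresses are constructed; the public side uses the RFC 5737 documentation ranges.

```python
"""Added example (not from the slides): IPv4 class and RFC 1918 lookup,
plus a minimal NAT/PAT translation table. All addresses are constructed."""
import ipaddress

# First-octet ranges and default masks from the class table in the slides.
CLASSES = [
    ("A", 1, 126, "/8"), ("loopback", 127, 127, "/8"),
    ("B", 128, 191, "/16"), ("C", 192, 223, "/24"),
    ("D", 224, 239, None), ("E", 240, 255, None),
]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return the classful class, its default mask and RFC 1918 status."""
    ip = ipaddress.IPv4Address(addr)
    first = int(ip) >> 24
    cls, mask = None, None
    for name, lo, hi, default_mask in CLASSES:
        if lo <= first <= hi:
            cls, mask = name, default_mask
            break
    return {"class": cls, "default_mask": mask,
            "private": any(ip in net for net in RFC1918)}


class Pat:
    """Port Address Translation: private hosts share one public address and
    are told apart by the translated source port."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # (private_ip, private_port) -> public_port
        self.reverse = {}  # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port):
        """Translate an outbound (src_ip, src_port); reuse an existing mapping."""
        if not classify(src_ip)["private"]:
            return src_ip, src_port  # already routable, nothing to translate
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.table[key]

    def inbound(self, public_port):
        """Map a reply back to the private host; None means no session, drop."""
        return self.reverse.get(public_port)


if __name__ == "__main__":
    nat = Pat("192.0.2.1")
    print(classify("10.1.2.3"), nat.outbound("10.1.2.3", 50000))
```

The inbound lookup is also why unsolicited traffic from the Internet cannot reach a host behind PAT: with no mapping there is nowhere to forward it.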

Page 78

SV-ISSA.ORG CISSP Training 79

Page 79

• Enabled by default in modern Operating Systems

• Example: IPv6 address (128 bits), 8 groups of 4 hex digits
  2001:0db8:85a3:0000:0000:8a2e:0370:7334

• DNS uses AAAA record for IPv6 instead of A for IPv4

C:\>nslookup
> set type=a
> google.com
Non-authoritative answer:
Name:    google.com
Addresses: 74.125.224.100
           74.125.224.98
           74.125.224.105

C:\>nslookup
> set type=aaaa
> google.com
Non-authoritative answer:
Name:    google.com
Address: 2001:4860:4001:803::1006

IPv4, 2^32 = 4.2e+9
IPv6, 2^128 = 3.4e+38
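The slide shows the same address family in two spellings: the full 8-group form and the shortened form in the AAAA answer. The rules behind the short form are small enough to implement by hand, which is what this added example (not from the slides) does: drop leading zeros in each group, and replace the single longest run of all-zero groups with "::" (leftmost run on a tie, never a run of one group). It checks itself against the standard library and reproduces the 2^32 versus 2^128 comparison.

```python
"""Added example (not from the slides): IPv6 text-form expansion and
compression implemented by hand and cross-checked with ipaddress."""
import ipaddress


def expand(addr):
    """Full form: 8 groups of 4 hex digits."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr):
    """Canonical short form (RFC 5952 rules): per-group leading zeros removed,
    the longest run of two or more zero groups (leftmost on a tie) becomes '::'."""
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:          # strictly greater keeps the leftmost run
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexgroups = [format(g, "x") for g in groups]   # leading zeros dropped
    if best_len >= 2:
        left = ":".join(hexgroups[:best_start])
        right = ":".join(hexgroups[best_start + best_len:])
        return left + "::" + right
    return ":".join(hexgroups)


def matches_stdlib(addr):
    """True when the hand-written compressor agrees with ipaddress."""
    return compress(addr) == ipaddress.IPv6Address(addr).compressed


def address_space_sizes():
    """Number of addresses in IPv4 and IPv6, as on the slide."""
    return 2 ** 32, 2 ** 128


if __name__ == "__main__":
    slide = "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
    print(compress(slide), expand("2001:4860:4001:803::1006"))
    print(["%.1e" % n for n in address_space_sizes()])
```

Logs and allow-lists should store one canonical spelling; comparing "2001:0db8::1" with "2001:db8:0:0:0:0:0:1" as strings fails even though they are the same address.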

Page 80

• Secure communication link
  – Using software or hardware agents
  – User or node authentication
  – Key or certificate exchange
  – Encrypted connection

• Client VPN
  – Initiated by host to VPN device

• Site-to-Site VPN
  – Initiated between two similar devices (routers)

Page 81

• SLIP (1988)
  – Supports TCP/IP over low-speed serial interfaces in Berkeley Unix computers
  – NT computers can communicate with remote computers using TCP/IP and SLIP

• PPP
  – Used for transmitting data over dial-up and dedicated networks
  – Improvement over SLIP (Login, Password and error correction)
  – Uses CHAP and PAP
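The PAP versus CHAP point is worth seeing on the wire. The following is an added example (not from the slides): it shows what a PAP request carries, and implements the CHAP exchange from RFC 1994, where the authenticator sends a random challenge and the peer answers with MD5(identifier || secret || challenge), so the secret itself never crosses the link and a captured answer cannot be replayed against a fresh challenge. The secret and user name are constructed values.

```python
"""Added example (not from the slides): PAP credentials versus the CHAP
challenge/response of RFC 1994. Secrets below are constructed."""
import hashlib
import hmac
import os


def pap_request(peer_id, password):
    """PAP Authenticate-Request payload: length-prefixed Peer-ID and Password,
    both sent in the clear (framing simplified to the two fields)."""
    pid, pw = peer_id.encode(), password.encode()
    return bytes([len(pid)]) + pid + bytes([len(pw)]) + pw


def chap_challenge(length=16):
    """Authenticator side: a fresh, unpredictable challenge per attempt."""
    return os.urandom(length)


def chap_response(identifier, secret, challenge):
    """Peer side, RFC 1994: MD5 over the Identifier octet, the shared secret
    and the Challenge Value. Only the digest is sent back."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Authenticator side: recompute and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    """One successful CHAP exchange, then the same response replayed against
    a new challenge, which must fail."""
    secret = b"constructed-shared-secret"
    ident = 7
    challenge = chap_challenge()
    response = chap_response(ident, secret, challenge)
    first_ok = chap_verify(ident, secret, challenge, response)
    replay_ok = chap_verify(ident, secret, chap_challenge(), response)
    return first_ok, replay_ok


if __name__ == "__main__":
    print(pap_request("alice", "hunter2"))
    print(demo())
```

CHAP still requires both ends to hold the plaintext secret, and MD5 over a short secret is open to offline guessing by anyone who records a challenge/response pair, which is why modern remote access moved to stronger EAP methods over TLS.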

Page 82

• Common protocols
  – Point-to-Point Tunneling Protocol (PPTP)
    • Tunnels PPP via IP
    • Uses native PPP authentication and encryption
  – Layer 2 Forwarding (L2F)
    • Permits tunneling at Link layer
    • No encryption

Page 83

• Layer 2 Tunneling Protocol (L2TP)
  – Combination of L2F and PPTP
  – No encryption
  – Supports TACACS+ and RADIUS

• IPSec Protocol
  – Operates at Network Layer
  – Standard for encryption and authentication
  – Built into IPv6

• SSL (TLS) VPN
  – Clientless
  – Network Client

Page 84

OSI and TCP/IP models Networking: Cables, Topology, LAN, WAN Remote Access, Wireless, Endpoint Firewall, NAT, VPN Disaster Prep, Security Issues LAB

Page 85

• Single points of failure
• Save configuration files
• UPS
• RAID
• Redundant Servers
• Clustering
• Backups
  – Tape Arrays, NAS, SAN, Online-backup

Page 86

Example: Shows redundancy in network components

Page 87

• Wireless
  – Detection, Eavesdropping, Modification, Injection, Hijacking, War driving

• Traditional Voice Networks
  – PBX (Private Branch Exchange)
  – Modems
    • War dialing

Page 88

• IP
  – IP fragmentation attacks
    • Tiny fragment attack
    • Overlapping fragment attack
  – IP address spoofing
  – Source routing
  – Smurf (ICMP echo request to broadcast)
  – Fraggle (UDP echo, port 7, broadcast)

Video!
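Both fragmentation attacks on the slide are aimed at filters that only see the first fragment. The defensive counterpart is the set of checks a filtering device or IDS applies to fragments, and this added example (not from the slides) implements them in the spirit of RFC 1858: reject a TCP first fragment too small to carry the header fields a filter decides on, reject a fragment at offset 1 (it would overwrite the port and flag bytes of the first fragment), and, across all fragments of one datagram, flag any overlap in byte ranges. The fragment records and the 16-octet minimum are constructed for the demonstration; tune the minimum to local policy.

```python
"""Added example (not from the slides): fragment sanity checks in the style
of RFC 1858. Fragment records are constructed; offset is in 8-octet units
as in the IP header, length is the fragment's payload length in bytes."""
from collections import namedtuple

Fragment = namedtuple("Fragment", "ident offset length more protocol")
TCP, UDP = 6, 17
TMIN = 16  # assumed minimum first-fragment transport length (RFC 1858 style)


def check_fragment(frag):
    """Stateless, per-fragment checks. Returns None if acceptable, else a reason."""
    if frag.protocol != TCP:
        return None  # the two rules below are specific to TCP headers
    if frag.offset == 0 and frag.more and frag.length < TMIN:
        return "tiny fragment: first fragment too small to hold the TCP header"
    if frag.offset == 1:
        return "offset 1: would overwrite bytes 8-15 of the first fragment's TCP header"
    return None


def find_overlaps(frags):
    """Stateful check over all fragments sharing an identifier: report the
    identifiers whose fragments overlap in byte range."""
    by_id = {}
    for f in frags:
        by_id.setdefault(f.ident, []).append(f)
    overlapping = []
    for ident, group in by_id.items():
        group.sort(key=lambda f: f.offset)
        end = 0  # one past the last byte covered so far
        for f in group:
            start = f.offset * 8
            if start < end:
                overlapping.append(ident)
                break
            end = start + f.length
    return overlapping


def triage(frags):
    """Combine both checks into one report: per-fragment reasons plus overlaps."""
    reasons = {f: check_fragment(f) for f in frags}
    return {"dropped": [f for f, r in reasons.items() if r],
            "overlapping_ids": find_overlaps(frags)}


if __name__ == "__main__":
    sample = [Fragment(1, 0, 24, True, TCP), Fragment(1, 3, 100, False, TCP),
              Fragment(2, 0, 8, True, TCP),
              Fragment(3, 0, 24, True, TCP), Fragment(3, 2, 40, True, TCP),
              Fragment(3, 5, 20, False, TCP)]
    print(triage(sample))
```

Real devices reassemble before inspecting precisely because these stateless rules cannot catch every variant; the checks above are the cheap first line.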

Page 89

• IP
  – TCP SYN Flood
  – LAND Attack, spoof src IP to match dst
  – Teardrop Attack, multiple overlapping fragments

• DDOS (Distributed Denial of Service)
  • Victim is attacked from multiple sources, for example an attacker controlled botnet
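Two of these are easy to recognise from packet records once you know what to look for, and this added example (not from the slides) shows the detection side on a constructed packet list: a LAND packet is one whose source and destination address and port are identical, and a SYN flood shows up as many client SYNs to one server that are never followed by the client's completing ACK. The addresses, ports and threshold are constructed values.

```python
"""Added example (not from the slides): detecting LAND packets and a SYN
flood (excess half-open handshakes) from constructed packet records."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "t src sport dst dport flags")  # flags: "S", "SA", "A"


def is_land(p):
    """LAND: source and destination address and port are the same."""
    return p.src == p.dst and p.sport == p.dport


def land_packet_indices(packets):
    return [i for i, p in enumerate(packets) if is_land(p)]


def half_open_per_server(packets):
    """Count client SYNs that were never followed by the client's ACK on the
    same 4-tuple, grouped by server address."""
    syn_seen = {}
    completed = set()
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            syn_seen[key] = p.t
        elif p.flags == "A" and key in syn_seen:
            completed.add(key)
    counts = {}
    for (_client, _cport, server, _sport) in syn_seen:
        if (_client, _cport, server, _sport) not in completed:
            counts[server] = counts.get(server, 0) + 1
    return counts


def syn_flood_alerts(packets, threshold):
    """Servers whose half-open count reaches the threshold."""
    return [s for s, n in half_open_per_server(packets).items() if n >= threshold]


def demo():
    """Constructed capture: one LAND packet, five spoofed SYNs that never
    complete against one server, one normal handshake with another."""
    victim = "203.0.113.10"
    pkts = [Pkt(0.0, victim, 80, victim, 80, "S")]
    for i in range(5):
        pkts.append(Pkt(0.1 * i, "198.51.100.%d" % (i + 1), 40000 + i, victim, 80, "S"))
    pkts += [
        Pkt(1.0, "10.0.0.5", 50000, "192.0.2.20", 443, "S"),
        Pkt(1.05, "192.0.2.20", 443, "10.0.0.5", 50000, "SA"),
        Pkt(1.1, "10.0.0.5", 50000, "192.0.2.20", 443, "A"),
    ]
    return syn_flood_alerts(pkts, threshold=3), land_packet_indices(pkts)


if __name__ == "__main__":
    print(demo())
```

On a live sensor the half-open count would be kept per time window; the threshold is the tuning knob that separates a slow server from an attack.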

Page 90

• TCP
  – TCP sequence number attacks
  – Session hijacking

• UDP
  – Offers no error correction, no protection from lost or duplicated packets
  – Easier to spoof since there is no session identifier

• ICMP
  – DoS (Ping of Death, 65,536 byte ICMP request)
  – ICMP redirect (sent from router)

Page 91

• DNS
  – DNS Cache Poisoning
  – Brute force DNS mapping

• ARP
  – Poison the ARP table

Page 92

• IP Phones

• Instant Messaging
  • Peer to peer
  • Brokered communications
  • Server oriented networks
  • Additional features: screen sharing, file transfer
  • SPIM (Spam over Instant Messaging)

Page 93

Man In the Middle
• Attacker can intercept communication between two parties
• Can alter communication, transaction
• Man in the Browser – malware intercepts browser communication

Video, Defeating SSL

Page 94

Page 95

• Step one: Any device connected to the external network

• Step two: Map the target network using traceroute, ping, port scanning

• Step three: Analysis of the collected information

• Step four: Gain access to the target, social engineering

• Step five: Escalate privileges

• Complete the attack by installing backdoor mechanisms, create accounts, close the vulnerability so that no one can detect, erase the traces

Page 96

Hash aka Message Digest (md5, sha1)

MAC Message authentication Code

HMAC Hash based MAC

Symmetric (DES, AES)

Asymmetric (RSA)

SSL/TLS

Certificates, Certificate Authority

Page 97

• Arbitrary size to fixed size
• One Way
• Small input change > large output change
• Infeasible to find two messages w/ same hash

The quick brown fox jumped over the lazy dog.   5C6FFBDD40D9556B73A21E63C3E0E904
The quick brown fox jumped over the lazy dog!   EFC05C070367008ABB4388B189AC2B1E
Full Text of War and Peace                      4002D081551035B03E4979B0C94A08D8
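The slide's two sentences differ by one character and their digests share nothing visible; the example below, added here and not part of the slides, measures that by counting differing bits. It also connects this slide to the MAC/HMAC terms on the previous one: a bare hash proves nothing about who produced a message, because whoever alters the message can recompute the hash, whereas an HMAC needs the shared key. The key and messages are constructed.

```python
"""Added example (not from the slides): hash avalanche measurement, and why
a MAC (here HMAC-SHA256) is needed where a plain digest is not enough."""
import hashlib
import hmac
import os


def digest_hex(data, algo="md5"):
    return hashlib.new(algo, data).hexdigest()


def bit_difference(a_hex, b_hex):
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def avalanche(msg_a, msg_b, algo="md5"):
    """Digests of two messages and how many of the output bits differ;
    for a good hash roughly half of them do, however small the input change."""
    a, b = digest_hex(msg_a, algo), digest_hex(msg_b, algo)
    return {"a": a, "b": b, "bits_changed": bit_difference(a, b),
            "total_bits": len(a) * 4}


def plain_hash_accepts(message, digest_hex_value):
    """Integrity-only check: anyone who can change the message can also
    recompute this value, so it does not authenticate the sender."""
    return digest_hex(message, "sha256") == digest_hex_value


def mac_tag(key, message):
    """HMAC-SHA256 tag: requires the shared key to produce."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_verify(key, message, received_tag):
    return hmac.compare_digest(mac_tag(key, message), received_tag)


def demo():
    """Genuine message verified; tampered message passes a plain-hash check
    (attacker recomputed the hash) but fails the HMAC; wrong key fails too."""
    key = os.urandom(32)  # constructed shared secret
    msg = b"transfer 100 to account 42"
    tampered = b"transfer 900 to account 42"
    tag = mac_tag(key, msg)
    return (mac_verify(key, msg, tag),
            plain_hash_accepts(tampered, digest_hex(tampered, "sha256")),
            mac_verify(key, tampered, tag),
            mac_verify(b"wrong key", msg, tag))


if __name__ == "__main__":
    print(avalanche(b"The quick brown fox jumped over the lazy dog.",
                    b"The quick brown fox jumped over the lazy dog!"))
    print(demo())
```

hmac.compare_digest is used instead of == so that a tag check does not leak, through timing, how many leading bytes of a guessed tag were right.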

Page 98

Page 99

                 Symmetric      Asymmetric
Number of Keys   One Key        Two Key
Names                           Public Key Crypto
Key Names        ‘The Key’      Public, Private
Speed            Faster         Slower
Key Size         Smaller        Larger

Page 100

SSL

https://www.sslshopper.com/ssl-details.html

Page 101

Page 102

Hernandez, Steven (2012). Official (ISC)2 Guide to the CISSP Exam, 3rd ed. (ISC)2 Press LLC

Harris, S. (2012). All-in-One CISSP Certification Exam Guide, 6th ed. McGraw-Hill/Osborne

Conrad, Eric (2012). CISSP Study Guide, 2nd ed. Syngress

Miller, David R. (2013). CISSP Training Kit. O’Reilly/Microsoft Press

Miller, Lawrence C. (2012). CISSP for Dummies. Wiley

Page 103

121

Q & A