CISSP - Communications and Network Security Tutorial

1 Domain 04—Communications and Network Security

Hello and welcome to Domain 4 of the CISSP certification course offered by Simplilearn. This domain provides an introduction to the Communications and Network Security. Let us explore the objectives of this domain in the next screen.

2 Objectives

After completing this domain, you will be able to: ?Describe the various secure network architectures and designs ?Recognize the importance of securing network components ?List the different secure communication channels ?List the common network attacks and the countermeasures Let us begin with a scenario highlighting the importance of communication and network security in the next screen.

3 Importance of Communications and Network Security—Case Study

Kevin, who is preparing for his CISSP exam, read an internal case file on a recent spam attack on Nutri Worldwide Inc. At the Minnesota plant, a vendor who had visited the plant used his laptop to complete a few transactions. He connected to the wireless after taking approvals. He used his flash drive to take back up of the transactions. The flash drive had viruses and these entered the network through his laptop, causing the local server to crash. This had far-reaching effects. In the next screen, we will focus on the Introduction to Secure Network Architecture and Design. ?

4 Introduction to Secure Network Architecture and Design

Various communication protocols define communication. The protocols can be grouped into stacks, family, or suite. There are two most popular models, OSI and TCP/IP Models. Both the models divide communication into different layers. Each layer addresses specific requirements of the communication process. Security can be addressed more efficiently using the layered approach.

5 Open Systems Interconnection

Let us now discuss the OSI Reference model. International Organization for Standardization (ISO) created the Open Systems Interconnection (OSI) reference model in the early 1980s. The purpose was to help vendors create interoperable network devices. OSI is a standard model for network communications, which allows dissimilar networks to communicate. The OSI reference model describes how data and network information are communicated from one computer to another computer, through a network media. The OSI reference model breaks this approach into seven distinct layers, also called the protocol stack. Layering divides a piece of data into functional groups that permit an easy understanding of each piece of data. “Mapping” each protocol to the model is useful for comparing protocols. Each layer has unique set of properties and directly interacts with its adjacent layers. In the process of data encapsulation, data from one layer is wrapped around a data packet from an adjoining layer. Each layer on one workstation communicates with its respective layer on another workstation using protocols that are agreed-upon communication formats. The following chart describes the OSI reference model. “Please Do Not Take Sales Person Advice” can be used as the mnemonic phrase to remember each layer of the OSI model. Physical Layer—at this layer, bits from the data-link layer are converted into electrical signals and transmitted on a physical circuit. Data-Link Layer—this layer prepares the packet it receives from the network layer to be transmitted as frames on the network. Network Layer—this layer provides switching and routing technologies, creating logical paths known as virtual circuits, for transmitting data from node to node. The functions of this layer are routing and forwarding, addressing, internetworking, error handling, congestion controlling, and packet sequencing. Transport Layer—this layer provides transparent transfer of data between end systems or hosts, and is responsible for end-to-end error recovery and flow control. It ensures complete data transfer. Session Layer—this layer establishes, manages, and terminates connections between applications. The session layer sets up, coordinates, and terminates conversations, exchanges, and dialogues between the applications at each end. It deals with session and connection coordination. Presentation Layer—this layer provides independence from differences in data representation (e.g., encryption) by translating from application to network format, and vice versa. The presentation layer works to transform data into the form that the application layer can accept. This layer formats and encrypts data to be sent across a network, providing freedom from compatibility problems. It is also called the syntax layer. Application Layer—this layer supports application and end-user processes. Communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. Everything at this layer is application-specific. This layer provides application services for file transfers, e-mail, and other network software services. Telnet and FTP are applications that exist entirely in the application level. Tiered application architectures are a part of this layer.

6 OSI Model Layers

Let us now understand the working of the OSI Model. Data is sent from a source to a destination computer. In a layered architecture model, the data passes down through each layer from the highest (Application Layer, Layer seven in the OSI model) to the lowest layer (Physical Layer, Layer one of the OSI model) of the source. It is then transmitted across the medium (cable) and is received by the destination computer, where it is passed to the layers in the opposite direction from the lowest (Layer one) to the highest (Layer seven). Each protocol operates at specific layers. Each protocol in the source computer has a job allocated. They are responsible for attaching its own unique information to the data packet when it comes to its layer. When the data packet reaches the destination computer, it moves up the model. Each protocol detaches and examines only the data that was attached by its protocol counterpart at the source computer; then it sends the rest of the packet up the protocol stack to the next higher layer. Each layer at the individual destination sees and deals only with the data that was packaged by its counterpart on the sending side.

7 Physical Layer

Let us now learn about each layer of the OSI model in detail. The first layer is the Physical Layer. This layer defines the physical connection between a computer and a network and converts the bits into voltages or light impulses for transmission. It also defines the electrical and mechanical aspects of the device’s interface to a physical transmission medium, such as twisted pair, coaxial, or fiber-optic. Communications hardware and software drivers as well as electrical specifications are found in this layer. The Physical Layer has only two responsibilities. Firstly, it sends bits and receives bits. Signal regeneration and repeating is primarily a Physical Layer function. Secondly, it defines standard interfaces such as RS-232 and RS-449, X.21, and High-Speed Serial Interface (HSSI). Examples of Physical Layer are EIA-232 or RS-232 and Synchronous Optical NETwork (SONET) (Pronounce as: sawnet). The physical layer provides services to the data link layer.

8 Data Link Layer

The second layer is the Data Link Layer. This layer defines the protocol that computers must follow in order to access the network for transmitting and receiving messages. Token Ring and Ethernet operate within this layer. This layer establishes the communications link between individual devices over a physical link or channel. It also ensures that messages are delivered to the proper device and translates the messages from layers above into bits for the Physical Layer to transmit. It also formats the message into data frames and adds a customized header that contains the hardware destination and source address. The Data Link Layer contains the Logical Link Control Sub-layer and the Media Access Control (MAC) Sub-layer. MAC controls the way a system on the network gains access to the data and permission to transmit it. LLC controls frame synchronization, error check, and flow. Bridging is a Data Link Layer function. Examples of Data Link Layer protocols are Address Resolution Protocol (ARP), Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP), etc. The data link layer uses services provided by the physical layer, and provides services to the network layer.

9 Network Layer

The third layer is the Network Layer. This layer defines how the small packets of data are routed and relayed between end systems on the same network or on interconnected networks. At this layer, message routing, error detection, and control of node data traffic are managed. The Network Layer’s primary function is to send packets from the source network to the destination network. Therefore, the Network Layer is primarily responsible for routing. Examples of Network Layer protocols are Internet Protocol (IP), Open Shortest Path First (OSPF), Internet Control Message Protocol (ICMP), and Routing Information Protocol (RIP). The network layer uses services provided by the data link layer and provides services to the transport layer.

10 Transport Layer

The fourth layer is the Transport Layer. This layer defines how to address the physical locations and devices on the network, how to make connections between nodes, and how to handle the networking of messages. It is responsible for maintaining the end-to-end integrity and control of the session. Services located in the Transport Layer both segment and reassemble the data from upper-layer applications and unite it with the same data stream, which provides end-to-end data transport services. It establishes a logical connection between the sending host and destination host on a network. The Transport Layer is also responsible for providing mechanisms for multiplexing upper-layer applications, session establishment, and the teardown of virtual circuits. Examples of Transport Layer protocols are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). The transport layer uses services provided by the network layer and provides services to the session layer.

11 Session Layer

The fifth layer is the Session Layer. This layer makes the initial contact with other computers and sets up the lines of communication. It formats the data for transfer between end nodes, provides session restart and recovery, and performs the general maintenance of the session from end to end. The Session Layer offers three different modes, Simplex, Half-duplex, and Full-duplex. It also splits up a communication session into three different phases, such as connection establishment, data transfer, and connection release. Some examples of Session Layer protocols are Network File System (NFS), Structured Query Language (SQL) and Remote Procedure Call (RPC). The session layer uses services provided by the transport layer and provides services to the presentation layer.

12 Presentation Layer

The sixth layer is the Presentation Layer. This layer presents data to the Application Layer. It functions as a translator, such as Extended Binary-Coded Decimal Interchange Code (EBCDIC) or American Standard Code for Information Interchange (ASCII). Tasks such as data compression, decompression, encryption, and decryption are all associated with this layer. This layer defines how the applications can enter a network. While surfing the Web, it is most likely to encounter some of the following Presentation Layer standards, such as Hypertext Transfer Protocol (HTTP), Tagged Image File Format (TIFF), a standard graphics format, Joint Photographic Experts Group (JPEG). Also a standard for graphics defined by the Joint Photographic Experts Group, Musical Instrument Digital Interface (MIDI), a format used for digitized music, and Motion Picture Experts Group (MPEG). The Motion Picture Experts Group is standard for the compression and coding of motion video. The presentation layer uses services provided by the session layer and provides services to the application layer.

13 Application Layer

The seventh layer is the Application Layer. This layer supports the components that deal with the communication aspects of an application. The Application Layer is responsible for identifying and establishing the availability of the intended communication partner. It is also responsible for determining whether sufficient resources exist for the intended communication. This layer is the highest level and is the interface to the user. Some of the examples of Application Layer applications are World Wide Web (WWW), File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), Line Printer Daemon (LPD), and Simple Mail Transfer Protocol (SMTP).

14 Transmission Control Protocol/Internet Protocol (TCP/IP) Model

Let us discuss the Transmission Control Protocol/Internet Protocol (TCP/IP) in this screen. Transmission Control Protocol/Internet Protocol (TCP/IP) is the common name for the suite of protocols originally developed by the Department of Defense (DoD), in the 1970s to support the construction of the Internet. The Internet is based on TCP/IP, which is named after the two best-known protocols in the suite. A CISSP candidate should be familiar with the major properties of TCP/IP and should know which protocols operate at which layers of the TCP/IP protocol suite. The TCP/IP model consists of four layers. The Network Access layer, which controls the hardware devices and media that make up the network. The Internet layer that determines the best path through the network. The Transport layer, which supports communication between diverse devices across diverse networks. The Application layer, which represents data to the user plus encoding and dialog control. The next screen will focus on TCP/IP Model Layers.

15 Network Access Layer and Internet Layer

The four types of TCP/IP layers are network access layer, internet layer, host-to-host layer, and application layer. At the end of the TCP/IP model, the Network Access Layer monitors the data exchange between the host and the network. This layer is equivalent to the Data-Link and Physical Layers of the OSI model, it oversees hardware addressing and defines protocols for the physical transmission of data. Example Wi-Fi, Ethernet, Token Ring, ATM, and PPP. The Internet Layer corresponds to the OSI Network Layer. It designates the protocols relating to the logical transmission of packets over the network. It gives network nodes an IP address and handles the routing of packets among multiple networks. It also controls the communication flow between hosts. The primary Internet layer protocols are Internet Protocol (IP), Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP), and Internet Control Message Protocol (ICMP).

16 Host-to-Host Layer and Application Layer

The Host-To-Host Layer is similar to the OSI Transport Layer. It defines protocols for setting up the level of transmission service. It provides for reliable end-to-end communications, ensures the error-free delivery of the data, handles packet sequencing of the data, and maintains the integrity of the data. The primary host-to-host layer protocols are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). The Application Layer is exactly the TCP/IP. It is made up of everything that the application is trying to communicate using TCP/IP. TCP/IP views everything above the three bottom layers as the responsibility of the application, so that the Application, Presentation, and Session Layers of the OSI model are considered folded into this top layer. Therefore, the TCP/IP suite primarily operates in the Transport and Network Layers of the OSI model. HTTP, FTP, and SMTP are some of the example protocols. In the next screen, we will look into the comparison of OSI and TCP/IP models.

17 Comparison of OSI and TCP/IP Models

The TCP/IP model is very similar to the OSI model, however with fewer layers. The Network Interface layer provides physical communication and routing within a network. It corresponds to everything required to implement an Ethernet. It is sometimes described as two layers, a physical layer and a link layer. In terms of the OSI model, it covers layers 1 and 2. The Internet layer includes everything that is required to move data between networks. It corresponds to the IP protocol, but also to Internet Control Message Protocol (ICMP) and Internet Group Management Protocol (IGMP). In terms of the OSI model, it corresponds to layer 3. The Host-to-Host transport layer includes everything required to move data between applications. It corresponds to TCP and UDP. In terms of the OSI model, it corresponds to layer 4. The application layer covers everything specific to a session or application, in other words, everything relating to the data payload. In terms of the OSI model, it corresponds to layers 5 through 7. Owing to its coarse structure, it is not well suited to describe application-level information exchange.

18 Introduction to IP Addressing

All hosts on the Internet have a logical and numerical ID called an Internet Protocol (IP) address. On the Internet or on any network using IP, each data packet is assigned an IP address of the sender and the recipient. Each device receives the packet and makes routing decisions based on the packet’s destination IP address. IP addressing provides an unreliable datagram service. This means it does not guarantee that the packets will be delivered at all, delivered only once, or even delivered in the order in which it was sent. IP address has two parts, Network and host. A Subnet mask is used to distinguish between the network and host portions in an IP address. Now let us look at the different types of IP Addressing.

19 IPv4 and IPv6

There are two versions of the IP in use, IP Version 4 (IPV4) and IP Version 6 (IPV6). Each version explains an IP address differently. IPv4 and IPv6 are designed not to be interoperable. IPv4 or Internet Protocol version 4 is a simple form of network addressing designed to carry data across networks. It is connectionless and unreliable and provides best effort packet delivery. If it requires connections or reliability, it has to be provided by a higher-level protocol carried by IP, such as the Transmission Control Protocol or TCP. Network addresses in IPv4 are 32 bits in length and are expressed as a dot-decimal notation, that is xx.xx.xx.xx, where the range of each ‘xx’ is 0-255 (Pronounce as: zero to two fifty five) decimal. A 32-bit address field allows 232, or nearly 4.3 billion addresses. Example of a typical IPv4 network address is The availability of IPv4 addresses in a world where humans and their devices outnumbered them became a major problem. This led to the creation of IPv6, which uses 128-bit addresses. The new address space provides the potential for a maximum of 2128 (Pronounce as: two to the power one hundred twenty eight) or about 3.403×1038 addresses. IPv6 became more predominant since the release of Microsoft Vista and Windows 7 Operating Systems. These operating systems support IPv6 and have it enabled by default. Most modern Linux operating systems, such as Ubuntu are also by default IPv6 enabled. IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons. Example of a typical Ipv6 network address is FE80:0000:0000:0000:0202:B3FF:FE1E:8329. The main intent of this addressing is not just to provide an adequate quantity of addresses, but to allow an effective combination of sub network routing prefixes at the routing nodes.

20 Classful IP Addressing

Now let us discuss Classful IP Addressing. Originally, the entire available IP address space was divided into two parts: The network number that consists of the first 8 bits of an IP address. The host address that consists of the remaining 24 bits. This resulted in only 256 possible networks in the entire Internet, which was not feasible. Thus the concept of classful networks was introduced, which resulted in a greater number of smaller networks. There are five types of Classful IP Addressing. Class A, B, C, D, and E.

21 Class A

Class A network consists of an 8-bit network address and a 24-bit host address. IP ranges from to and implied net mask is Thus, Class A network could contain 16,777,214 nodes. 126 such networks were created for large organizations.

22 Class B

Class B network consists of a 16-bit network address and a 16-bit host address. IP ranges from to and implied net mask is Each network could contain 65,534 nodes. 16,382 of such networks were created.

23 Class C

Class C network consists of a 24-bit network address and an 8-bit host address. IP ranges from to and implied net mask is . Thus, Class C network could contain 254 nodes. Over 2 million such networks were created.

24 Class D and Class E

Class D network is reserved for multicast. IP ranges from to Class E network is reserved for research purposes. IP ranges from to In the next screen, we will discuss the classless inter-domain routing.

25 Classless Inter-Domain Routing

Classless Inter-Domain Routing (CIDR) will be discussed in this screen. The scheme of classful networks lived for a short-term. This gave rise to CIDR. CIDR is a method for allocating IP addresses and routing Internet Protocol packets. The Internet Engineering Task Force introduced CIDR in 1993 to replace the previous addressing architecture of classful network design on the Internet. The goal of CIDR was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses. IP addresses consist of two groups of bits in the address. The most significant bits are the network address, which identifies a whole network or subnet, and the least significant set forms the host identifier, which specifies a particular interface of a host on that network. The process of dividing a network into two or more networks is called subnetting. A subnet is a logical and visible unit of an IP network. A subnet mask determines which IP address a subnet belongs to. CIDR disposed the rigid scheme of Class A, B, and C networks and permitted the creation of subnet mask of any length, called a Variable Length Subnet Mask, or VLSM, from 8 bits to 31 bits. This permitted Internet Service Providers (ISPs) to allocate small networks to customers that did not require more than a few addresses. The introduction of CIDR led to more efficient allocation of available IP addresses on the Internet. This division is used as the basis of traffic routing between IP networks and for address allocation policies. Classful network design for IPv4, sized the network address as one or more 8-bit groups, resulting in the blocks of Class A, B, or C addresses. Classless Inter-Domain Routing allocates address space to Internet service providers and end users on any address bit boundary, instead of on 8-bit segments. In IPv6, however, the interface identifier has a fixed size of 64 bits by convention, and smaller subnets are never allocated to end users. CIDR notation is a syntax of specifying IP addresses and their associated routing prefix. It appends a slash character to the address and the decimal number of leading bits of the routing prefix, e.g., for IPv4, and 2001:db8::/32 (Pronounce as: two thousand one colon d b eight double colon slash thirty two).

26 Private Networks and Loopback Address

Let us discuss private networks and loopback address in this screen. Not all the network addresses are available for general use. Some address blocks that are reserved include private networks and loopback addresses. Private Network allows accessing a guest machine by an address not publically accessible from the global internet. Organizations are encouraged to assign private network IP addresses to nodes in its internal networks. It can then utilize Network Address Translation (NAT) at its border routers to translate those private network addresses into one of its allocated addresses. The address blocks reserved for private network are: to to to 192.168.255. The image shows the IP Packets network address translation where the private address is translated to public address and vice versa at boundary routers. Loopback address is a special address ( to used to signify a node’s own address. As shown in the image, Loopback addresses point back to the issuing computer.

27 Types of IP Addressing

Now let us look at the different types of IP Addressing. The internet layer provides different addressing types that will result in messages sent to one or more destination nodes. They are unicast, anycast, multicast, and broadcast. The Unicast addressing type is the most common type of addressing, where a packet is sent to a single IP address destination. Anycast address type is where a packet is sent only to one of the groups of nodes, whichever is closest or most available. Multicast address type is where a packet is sent to a group of receiving nodes on different networks. A packet is sent to a multicast address, in the range to 239.255.255.. It is also sent to the routers in the network track recipients. It propagates packets to destinations as needed. Broadcast address type is where a packet is sent to a network’s broadcast address, which causes the packet to be sent to all nodes on a network. Dynamic Host Configuration Protocol (DHCP) and Address Resolution Protocol (ARP) utilize broadcast node.

28 Routed and Routing Protocols

Let us now discuss routed and routing protocols. Routers use router-to-router communication protocol to determine the most efficient network routes between two nodes on a network. They help routers in making good routing decisions (making the right choice about which way to forward packets). Routed Protocol is a protocol, which provides enough information in its network layer address to allow the packet to reach its destination. IP and IPX are the examples of Routed Protocol. Routing Protocol is a protocol used by routers to share routing information. For example, Routing Information Protocol (RIP) is one of the earliest routing protocols. The RIP uses hop count as the primary routing metric. Fewer the number of hops for a given destination, more favored a destination will be, regardless of the actual link speeds involved. The maximum number of hops supported by RIP is 15, which seemed adequate when it was invented in the 1970s; however, this limitation is one of several reasons why RIP has given way to more scalable and reliable protocols, such as OSPF and IS-IS. RIP runs over the UDP protocol on port 520. Cisco’s proprietary Interior Gateway Routing Protocol (IGRP) was developed to overcome the limitations of RIP (its only routing metric was hop count). IGRP supports multiple metrics; bandwidth, delay, load, MTU, and reliability. IGRP’s maximum hop count is 255 . IGRP was replaced by EIGRP. IGRP does not use TCP or UDP but runs directly over IP. It is used by routers to exchange routing data within an autonomous system.

29 Types of Network Protocols

Following are the types of network protocols: transmission control protocol; User datagram protocol; internet protocol; address resolution protocol; and, Internet Control Message Protocol (ICMP).

30 Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP) provides a complete duplex and reliable connection. The incoming TCP packets are sequenced to match the original transmission sequence numbers. Any lost or damaged packets are retransmitted. TCP is costly in terms of network overhead and is slower than UDP. Reliable data transport is addressed by TCP to ensure the following goals are achieved: An acknowledgment is sent back to the sender on the reception of delivered segments. Any unacknowledged segments are retransmitted. Segments are sequenced back in their proper order on arrival at their destination. A manageable data flow is maintained in order to avoid congestion, overloading, and data loss. Port types are reserved or well-known ports (0 to 1023), registered ports (1024 to 49151), & dynamic ports (49152 to 65535). Examples include HTTP, FTP, and Telnet

31 User Datagram Protocol (UDP)

UDP is similar to TCP, however, it gives only “best effort” delivery, which means it offers no error correction, does not sequence the packet segments, and does not care in which order the packet segments arrive at their destination. It is referred to as an unreliable protocol. UDP does not create a virtual circuit and does not contact the destination before delivering the data. Thus, it is considered a connectionless protocol. UDP imposes less overhead, which makes it faster than TCP. This is for applications that can afford to lose a packet now and then, such as streaming video or audio. Examples include DNS, TFTP, and VoIP

32 Internet Protocol

Internet Protocol is a network layer protocol, which handles addressing and routing. IP specifies the packet format or datagrams, and the addressing scheme. There are two types of IP versions, IPv4 (32-bit address) and IPv6 (128-bit address).

33 Address Resolution Protocol

Internet Protocol needs to know the hardware address of the packet’s destination so it can send the packet. ARP is used to match an IP address to a Media Access Control (MAC) address. ARP allows the 32-bit IP address to be matched with this hardware address. A MAC address is a 6-byte, 12-digit hexadecimal number subdivided into two parts. The first three bytes or first half of the MAC address is the manufacturer’s identifier. This can be a good troubleshooting aid if a network device is malfunctioning, because it will isolate the brand of the failing device. The second half of the MAC address is the serial number the manufacturer has assigned to the device. ARP interrogates the network by sending out a broadcast seeking a network node that has a specific IP address and then asking it to reply with its hardware address. ARP maintains a dynamic table (known as the ARP cache) of these translations between IP addresses and MAC addresses so that it has to broadcast a request to every host only the first time it is needed. In some cases, the MAC address is known but the IP address needs to be discovered. It is sometimes the case when diskless machines are booted onto the network. Using Reverse Address Resolution Protocol (RARP), the machine sends out a packet that includes its MAC address along with a request to be informed of which IP address should be assigned to that MAC address. An RARP server responds with the answer.

34 Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP) is a management protocol and messaging service provider for IP. ICMP’s primary function is to send messages between network devices regarding the health of the network. It can inform hosts a better route to a destination, if there is trouble with an existing route, and it can help identify the problem with a route. PING is an ICMP utility used to check the physical connectivity of machines on a network.

35 Hypertext Transfer Protocol (HTTP)

HTTP works on Application Layer or Layer 7 and is the foundation of data communication for the World Wide Web (WWW). It is a stateless protocol used to exchange or transfer hypertext. HTTP is mapped to TCP port 80. HTTP has a simple access control and authentication mechanism. It does not support encryption. The access control and authentication is carried out through an extensible set of challenge-response authentication schemes, which can be used by a server to challenge a client request and by a client to provide authentication information. Let us now discuss how HTTP proxying can be used as a security measure with HTTP. An HTTP Proxy is a server that receives requests from a user’s web browser and makes the requests to the internet on behalf of the user. HTTP proxying hides the information of the internal network from the public network. Open Proxy Servers allow unrestricted access to GET commands from the Internet. They can be used as stepping stones for launching attacks or to obscure the origin of illegitimate requests. An open proxy server bears an inherent risk of opening access to protected intranet pages from the Internet. Anonymizing Proxies provide security and allow anonymization of HTTP requests. Since HTTP transmits the data in cleartext, it creates several logging information on web servers and proxy servers, which can be a security issue if an unauthorized person gets access to it. Content Filtering prevents users from downloading unwanted content. It also prevents access to unauthorized services. Let us discuss the implications of Multi-Layer Protocols in the following screen.

36 Implications of Multi-Layer Protocols

Transmission Control Protocol or Internet Protocol, or TCP/IP (TCP slash IP) protocol suite consists of various layers with many individual protocols and is also known as Multi-layer protocol. Using Multi-layer protocol, encryption can be incorporated on various layers. It gives added security. The higher layers support wide range of protocols. The security practitioner can make use of appropriate protocol from the pool of available protocols. Use of Multi-layer protocols can give rise to vulnerabilities. The security filters can be evaded by manipulating the use of protocols. There can be issues of covert channels that can give unauthorized access to the system or can cause information disclosure. In the next screen, we will discuss Distributed Network Protocol.

37 Distributed Network Protocol

In process automation systems, different components communicate with each other using a set of communications protocols known as DNP3 or Distributed Network Protocol. It was developed for communications between various types of data acquisition and control equipment. It is commonly used in electric and water companies. One of the examples of systems using DNP3 is Supervisory Control and Data Acquisition or SCADA. It is a system operating with coded signals over communication channels to provide control of remote equipment. It is a centralized system that monitors and controls entire sites, or complexes of systems spread over large areas. SCADA uses many different communication methods, which includes Wide Area Networks or WANS, networking devices, and modems. It is used for communications between a master station and Remote Terminal Units or RTUs, or Intelligent Electronic Devices or IEDs. Let us discuss the LAN or Network Technologies in the next screen.

38 LAN/Network Technologies

There are three types of LAN/Network (Pronounce as: lan and network) Technologies, Ethernet, Token Ring, and Fiber Distributed Data Interface (FDDI). Ethernet, defined in IEEE 802.3, played a major role in the rapid spread of LANs in the 1980s. The architecture was flexible, relatively inexpensive, and it was easy to add and remove devices from the LAN. It is the most popular LAN architecture. The physical topologies that are supported by Ethernet are bus, star, and point-to-point, however the logical topology is the bus. With the exception of full-duplex Ethernet, which does not have the issues of collisions, the architecture uses CSMA/CD. This protocol allows devices to transmit data with a minimum of overhead, compared to Token Ring, resulting in an efficient use of bandwidth. Because devices must retransmit when more than one device attempts to send data on the medium, too many retransmissions due to collisions can cause serious amount of degradation. The Ethernet standard supports coaxial cable, unshielded twisted pair, and fiber optics. Ethernet was originally rated at 10 Mbps, however with 10-megabyte disk drives, users quickly figured out how to use and exceed its capacity. To meet the growing demand for more bandwidth, 100 Base-TX (100 Mbps over twisted pair) and 100 Base-FX (100 Mbps over multimode fiber optics) were created. When the demand grew for even more bandwidth over unshielded twisted pair, 1000 Base-T was defined, and 1000 Base-SX and 1000 Base-LX were defined for fiber optics. These standards support 1,000 Mbps. IBM originally designed Token Ring IEEE 802.5. Token Ring was adapted with some modification by the IEEE as IEEE 802.5. Despite the architecture’s name, Token Ring uses a physical star topology. The logical topology, however, is a ring. Each device receives data from its upstream neighbor and transmits to its downstream neighbor. Token Ring uses ring passing to mediate which device may transmit. A special frame, called a token, is passed on the LAN. To transmit, a device must possess the token. To transmit on the LAN, the device appends data to the token and sends it to its next downstream neighbor. Devices retransmit frames whenever the token is not the intended recipient. When the destination device receives the frame, it copies the data, marks the frame as read, and sends it to its downstream neighbor. When the packet returns to the source device, it confirms that the packet has been read. It then removes the frame from the ring. Token ring is now considered a “legacy” technology that is rarely seen and only then because there has been no reason to upgrade away from it. Token ring has almost entirely been replaced with Ethernet technology. FDDI is a token-passing architecture that uses two rings. Since FDDI employs fiber optics, FDDI was designed to be a 100-Mbps network backbone. Only one ring (the primary) is used; the other ring (secondary) is used as a backup. Information in the rings flows in opposite directions from each other. Hence, the rings are referred to as counter-rotating. If a break or outage occurs, the ring will then wrap back the other direction, keeping the ring intact. FDDI is not considered a legacy technology and has been supplanted by more modern transport technologies; initially Asynchronous Transfer Mode (ATM) but more recently Multiprotocol Label Switching (MPLS). Like Token Ring, FDDI is a token-passing media access topology. The major advantage of FDDI is that it operates over long distances with high speeds and less electromagnetic or radio frequency interference.

39 Transmission Media

Let us begin with Transmission media. Transmission media is used for transmitting data from a source to destination. Classes of transmission media includes conducted or guided media and wireless or unguided media. Types of transmission media include unshielded twisted pair; shielded twisted pair; coaxial cable; and fiber optic cable. In the next screen, we will discuss the types of transmission media.

40 Twisted Pair

Twisted pair cabling is a relatively low-speed transmission medium, consisting of two insulated wires arranged in a regular spiral pattern. The wires can be shielded (STP) or unshielded (UTP). STP cable is shielded; therefore, it has better electro-magnetic interference (EMI) immunity. UTP cabling is a four-pair wire medium used in a variety of networks. It does not require the fixed spacing between connections that is necessary with coaxial-type connections. It is unshielded, therefore is more susceptible to EMI and crosstalk. UTP comes in several categories. The category rating is based on how tightly the copper cable is wound within the shielding. They are: •Category 1 - Used for telephone communications and not suitable for transmitting data •Category 2 - Specified in the EIA/TIA-586 standard to be capable of handling data rates of up to 4 million bits per second (Mbps) •Category 3 - Used in 10BaseT networks and specified to be capable of handling data rates of up to 10 Mbps •Category 4 - Used in Token Ring networks and able to transmit data at speeds of up to 16 Mbps •Category 5- Consists of four twisted pairs in a single jacket, Maximum length is 100m, Suitable for 100Mbit/s and can be used for Gigabit Ethernet •Category 6 – Backward compatible with Category 5 and 5e, Higher specifications for noise and crosstalk, Suitable for Gigabit Ethernet, Maximum cable length is 100m •Category 7 – More stringent than Category 6 cabling, Cat-7 is suitable for 10Gbit/s networks, Maximum length is 100m

41 Coaxial Cable Box

The hollow outer cylindrical conductor of a coaxial cable surrounds a single, inner wire conductor. It needs repeaters in every 200-500 meters and works at 2-50Mbps. Two types of coaxial cables are currently used in LAN: 50-ohm cable, used for digital signaling 75-ohm cable, used for analog signaling and high-speed digital signaling Coax requires fixed spacing between connections. Coax is more expensive, yet it is more resistant to electromagnetic interference (EMI) than twisted pair cabling. It can transmit at a greater bandwidth and distance. Coax can come in two types for LANs: Thinnet - (RG58 size) Thicknet - (RG8 or RG11 size) There are two common types of coaxial cable transmission methods: Baseband - The cable carries only a single channel. Baseband is a transmission method that is accomplished by applying a direct current to a cable. The current, or signals, hold binary information. Higher voltage usually represents the binary value 1, whereas lower voltage represents the binary value 0. Baseband permits only one signal to be transmitted at a time. Example: Ethernet Broadband - The cable carries several usable channels, such as data, voice, audio, and video. Broadband includes leased lines (T1 and T3), ISDN, ATM, DSL, Broadband wireless, and CATV. It carries several signals over different channels.

42 Fiber-Optic Cable Box

Fiber-optic cable carries signals as light waves, allowing higher transmission speeds and greater distances due to less dilution. It is also called optical fiber. Fiber-optic cable is the most reliable cable type, and it is also the expensive one to install and terminate. The light source transmits the optical signal on the fiber cable. There are two types of light sources. Light-Emitting Diodes (LEDs) and Diode Lasers. Light-emitting diodes (LEDs) are the sophisticated LEDs found in consumer electronic, less expensive than diode lasers. They offer less bandwidth over a shorter distance. Diode lasers are an expensive alternative. They require more expensive fiber cables and light detectors and the carriers on their backbone use this optical source. There are two types of optical fiber, such as multimode fiber and single-mode fiber. Multimode fiber, where the light is transmitted in different modes or paths in fibers that are about 50 to 100 microns in diameter. Single-mode fiber is about 10 microns in diameter. The transmitted light takes a direct path down the center of the fiber. Fiber-optic cable has three basic physical elements, such as core, cladding, and jacket. Core is the innermost transmission medium, which can be glass or plastic. Cladding is the next outer layer, also made of glass or plastic but having different properties. It helps reflect the light back into the core. Jacket is the outermost layer, providing protection from heat, moisture, and other environmental elements.

43 Network Topologies

Let us now discuss the different types of network topologies. A network topology defines the manner in which the network devices are organized to facilitate communications. A LAN topology defines this transmission manner for a Local Area Network. There are five common LAN topologies, such as bus, ring, star, hierarchical, and mesh. In a bus topology, all transmissions of the network nodes travel the full length of cable and are received by all other stations. Ethernet primarily uses this topology. However, when any station on the bus experiences cabling termination errors, the entire bus can cease to function. In a ring topology, the network nodes are connected by unidirectional transmission links to form a closed loop. Token Ring and FDDI use this topology. In a star topology, the nodes of a network are connected directly to a central LAN device. The logical bus and ring topologies are often implemented physically in a star topology. Although Ethernet is logically thought of as a bus topology (its first implementations were Thinnet and Thicknet on a bus), 10BaseT is actually wired as a star topology. It provides more resiliencies for the entire topology when a station experiences errors. Hierarchical or tree topology is a bus-type topology where branches with multiple nodes are possible. In a mesh topology, all the nodes are connected to every other node in a network. This topology may be used to create backbone-redundant networks. A full mesh topology has every node connected to every other node. A partial mesh topology may be used to connect multiple full mesh networks together. Let us discuss Network Transmission Channel in the following screen.

44 Media Access Technologies

No matter what type of media access technology is being used, the main resource that has to be shared by all systems and devices on the network is the network transmission channel. The media access technologies are Ethernet over STP/UTP in the corporate network, Token Ring over coaxial cabling for LAN, FDDI over fiber for backbone connectivity, or Wi-Fi over a frequency spectrum. There must be methods in place to make sure that each system gets access to the channel, that the system’s data is not corrupted during transmission, and that there is a way to control traffic in peak times. Examples of media sharing technologies include CSMA/CD, CSMA/CA, Token passing etc.

45 Carrier-Sense Multiple Access with Collision Detection

Under the Ethernet Carrier-Sense Multiple Access or CSMA with Collision Detection or CD media-access process, any computer on a CSMA/CD LAN can access the network anytime. Before sending the data, the CSMA/CD hosts listen to the traffic on the network. A host that wants to send the data waits until there is no traffic. Ethernet enables any host on a network to transmit whenever the network is quiet. In addition, the transmitting host constantly monitors the wire to ensure no other hosts begin transmitting. If the host detects another signal on the wire, it sends an extended jam signal, which causes all the nodes on the segment to stop sending data. These nodes respond to the jam signal by waiting before attempting to transmit again. CSMA/CD was created to overcome the problem of collisions that occur when packets are simultaneously transmitted from different nodes. Collisions occur when two hosts listen for traffic and, upon hearing none, they both transmit simultaneously. In this situation, both transmissions are damaged and the hosts must retransmit at a later time. Let us discuss the Carrier-Sense Multiple Access with Collision Avoidance in the next screen.

46 Carrier-Sense Multiple Access with Collision Avoidance

In Carrier-Sense Multiple Access with Collision Avoidance or CSMA, workstations are attached to two coaxial cables. Each coax cable carries data signals in one direction. A workstation monitors its receive cable to determine whether the carrier is busy. Then, it communicates on its transmit cable if no carrier is detected. It sends a short message ‘Ready to Send or RTS’ to avoid any collision. RTS communicates to everyone to retreat for that duration; it also contains destination address and duration of message. Once the medium is free, destination sends a message, ‘Clear to Send or CTS.’ Thus, the workstation transmits its intention to send when it feels the line is clear due to a precedence that is based on previously established tables. CSMA does not have a feature to avoid the problem of one workstation dominating a conversation. In the following screen, we will discuss the three types of LAN transmission methods.

47 Flavors of LAN transmission methods

Let us now discuss the flavors of LAN transmission methods. There are three flavors of LAN transmission methods. They are: Unicast—the packet is sent from a single source to a single destination address. Multicast—the source packet is copied and sent to specific multiple destinations on the network. Broadcast—the packet is copied and sent to all the nodes on a network or segment of a network. Let us identify various network devices in the following screen.

48 List of Networking Devices

Repeaters and hubs operate at the Physical Layer of the OSI model. Repeaters amplify the data signal to extend the length of a network segment. Hubs and repeaters are used to connect multiple LAN devices, such as servers and workstations. Bridges also amplify data signals. If the destination computer is on the local network segment, it does not forward the data. Bridges operate at the Data Link Layer and OSI Layer 2. They do not use IP addresses (IP information is attached in the Network Layer, Layer 3). Bridge automatically forwards any broadcast traffic to all ports. An error state known as a broadcast storm can develop, overwhelming the network devices. A switch is similar to a bridge or a hub. Switches send the data packet only to the specific port where the destination MAC address is located. A switch relies on the MAC addresses to determine the source and destination of a packet, which is Layer 2 networking. Switches primarily operate at the Data Link Layer, Layer 2, although intelligent Layer 3 switching techniques (combining, switching, and routing) are more frequently used. Although most standard switches operate at the Data Link Layer, Layer 3 switches operate at the Network Layer and function like a router by incorporating some router features. Routers add more intelligence to the process of forwarding packets. When a router receives a packet, it looks at the Network layer source and destination addresses (IP address) to determine the path the packet should take, and forwards the packet only to the intended network. This prevents unnecessary network traffic from being sent over the network by blocking broadcast information and traffic to unknown addresses. Routers operate at the Network Layer, Layer 3 of the OSI protocol model. Routers are necessary when communicating between virtual LANs (VLANs). A wireless access point (WAP) is a device that allows wireless devices to connect to a wired network using Wi-Fi, Bluetooth or related standards. The WAP usually connects to a router (via a wired network), and can relay data between the wireless devices (such as computers or printers) and wired devices on the network. A hotspot is a common public application of WAPs, where wireless clients can connect to the Internet without regard for the particular networks to which they have attached for the moment. A collection of connected hotspots can be referred to as a lily-pad network.

49 VLANs

A VLAN is a collection of nodes that are grouped together in a single broadcast domain in a switch and are based on something other than physical segment location. Virtual Local Area Networks (VLANs) allow the ports on the same or different switches to be grouped so that the traffic is confined to the members of that group only. It also restricts broadcast, unicast, and multicast traffic. A VLAN creates an isolated broadcast domain, and a switch with multiple broadcast domains, similar to a router. A VLAN also restricts flooding to only those ports included in the VLAN. However, VLANs cannot route from one to another. Such routing would defeat the purpose of the VLAN to isolate the traffic from the general traffic flow. VLANs can aid in isolating segments with sensitive data from the rest of the broadcast domain and can increase security assurance. They can reduce the number of router hops and increase the usable bandwidth. VLAN reduces routing broadcasts, because ACLs control the stations and the traffic they receive. VLANs are segmented logically, rather than physically. They may be created to segregate job or department functions that require heavy bandwidth, without affecting the rest of the network. VLANs can span across multiple switches, and you can have more than one VLAN on each switch. For multiple VLANs on multiple switches to be able to communicate via a single link between the switches, you must use a process called trunking. Trunking is the technology that allows information from multiple VLANs to be carried over just one link between switches. The VLAN Trunking Protocol (VTP) is the protocol that switches use to communicate among themselves about VLAN configuration. When a VLAN is implemented with private-port, or single-user, switching, it provides fairly stringent security because broadcast vulnerabilities are minimized. A closed VLAN authenticates a user to an access control list on a central authentication server, where the user is assigned authorization parameters to determine his or her level of network access.

50 Gateways

Gateways are the software products that can be run on computers or other network devices. They can be multi-protocol and can examine the entire packet. Mail gateways are used to link dissimilar mail programs. Gateways can also be used to translate between two dissimilar network protocols. Microsoft Windows describe the standard networking feature as Internet Connection Sharing, which acts as a gateway, offering a connection between the internet and an internal network. Such a system might also act as a Dynamic Host Configuration Protocol or DHCP server. DHCP is a protocol used by networked devices or clients to obtain various parameters necessary for the clients to operate in an Internet Protocol (IP) network. By using this protocol, system administration workload decreases, and devices can be added to the network with minimal or no manual configurations. In the next screen, we will focus on Network Access Control Devices.

51 Network Access Control Devices

Network Access Control Devices are used to allow only the legitimate traffic on the network. An example is a Firewall. Firewalls were invented in the 1980s. These devices are placed at a network boundary, designed to block unwanted incoming or outgoing traffic. A firewall works by examining each packet and consulting a list of rules to determine whether the packet should be permitted to pass through the firewall or be blocked. In a large organization, the list of rules in a firewall can become heavy, possibly resulting in unwanted traffic entering or leaving the network. In the next screen, we will look at the types of firewalls.

52 Packet-Filtering and Application-Level

Firewalls act as perimeter access-control devices. Firewalls are categorized into Packet-filtering, Application-level, Circuit-level, and Stateful inspection. The packet-filtering firewall examines the source and destination address of the incoming data packet. This firewall either blocks the packet or passes it to its intended destination network. The firewall can allow or deny the access to the specific applications or services based on the Access Control Lists (ACLs). The firewall can be configured to allow access to authorized application port or service numbers only. It looks at the data packet to get information about the source and destination addresses of an incoming packet, the session’s communications protocol, such as TCP, UDP, or ICMP, and the source and destination application port for the desired service. A packet-level firewall does not keep a history of the communications session. It operates at the Network Layer of the OSI model and offers good performance. A dynamic packet-filtering firewall employs a technology that enables the modification of the firewall security rule. This type of technology is used mostly for providing limited support for UDP. An application-level firewall is commonly a host computer that is running proxy server software, making it a proxy server. This firewall works by transferring a copy of each accepted data packet from one network to another, thereby masking the data’s origin. A proxy server can control which services a workstation uses on the Internet. It also aids in protecting the network from outsiders who may be trying to get information about the network’s design. It inspects the packet up through the application layer and can make access decisions based on the content of the packets. Also called an application-layer gateway, the application-level firewall is commonly used with a dual-homed host. It operates at the OSI protocol Layer 7, the Application Layer. It is more secure because it examines the packet at the Application Layer, but it does so at the expense of performance. It controls the services a workstation uses on the internet, and it aids in protecting the network from outsiders who may be trying to get information about the network’s design. As opposed to packet firewalls, proxy firewalls capture some session history. Proxy firewalls have higher protocols carried on low-level protocols, such as e-mail or HTML.

53 Circuit-Level and Stateful-Inspection

Similar to an application-level firewall, a circuit-level firewall is used as a proxy server. Although it is similar to the application-level firewall, this firewall does not need a special proxy application software. Circuit-level firewall creates a virtual circuit between the workstation client or destination and the server or host. It works at the session layer of the OSI model and does not carry out deep-packet inspection. It also provides security for a wide variety of protocols and is easy to maintain, and takes decisions based upon protocol header and session information. For example, Socket Secure (SOCKS) creates a circuit between client and server without requiring knowledge about the internetworking service, i.e., no application specific controls. A stateful inspection firewall intercepts incoming packets at the Network Layer and then uses an inspection engine to extract state-related information from upper layers. This firewall maintains the information in a dynamic state table and evaluates subsequent connection attempts. Stateful inspection firewalls keep low-protocol records at the IP level. The packets are queued and analyzed at all OSI layers against the state table. By examining the state and context of the incoming data packets, protocols that are considered connectionless, such as UDP-based applications and Remote Procedure Calls (RPCs), can be tracked easily. Let us understand the firewall architectures in the following screen.

54 Firewall Architectures

The four basic types of firewall architectures are Packet-filtering routers, Screened-host firewalls, Dual-homed host firewalls, and Screened-subnet firewalls. Some of these architectures are specifically associated with one of the previously discussed firewall types, while other architectures can employ a combination of types. Packet-Filtering Routers Packet-filtering router is the common and the oldest firewall device in use. A packet-filtering router is located between the private “trusted” network and the “untrusted” network or network segment. This firewall architecture is used as a packet-filtering firewall. A packet-filtering router is sometimes used to directly manage access to a demilitarized zone (DMZ) network segment. A DMZ is a network added between an internal network and an external network to provide an additional layer of security. It is also called a perimeter network. Screened-Host Firewalls A screened-host firewall uses two network cards to connect to the trusted and untrusted networks. However, it adds a screening router between the host and the untrusted network. It provides network-layer or routing and application-layer or proxy services. This type of firewall system requires an intruder to penetrate two separate systems before he or she can compromise the trusted network. The host is configured between the local trusted network and untrusted network. Since the firewall can be the focus of external attacks, it is sometimes called the sacrificial lamb. Dual-Homed Host Firewalls A dual-homed host has two Network Interface Cards (NICs) but no screening router. It uses two NICs to attach to two separate networks, commonly a trusted network and an untrusted network. This architecture is a simple configuration that consists of a single computer (the host) with two NICs, one connected to the local trusted network and the other connected to the Internet or an untrusted external network. A dual-homed host firewall usually acts to block or filter some or all of the traffic trying to pass between the networks. Screened-Subnet Firewalls A screened-subnet firewall also uses two NICs. It has two screening routers with the host acting as a proxy server on its own network segment. One screening router controls local traffic to the network, while the second monitors and controls incoming and outgoing Internet traffic. It employs two packet-filtering routers and a bastion host.

55 Network Security Terms

Let us now take a look at some important network security terms, such as Demilitarized zone (DMZ), Bastion Host, and End-Point Security. Demilitarized zone (DMZ) DMZ, also known as perimeter networking, is a physical or logical sub-network that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. It is the buffer zone between an unprotected network and a protected network that allows for the monitoring and regulation of traffic between the two. The purpose of a DMZ is to add a layer of security to an organization's local area network (LAN). The name is derived from the term "demilitarized zone", an area between nation states in which military action is not permitted. Bastion Host A bastion host is any computer that is fully exposed to attack by being on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router. Firewalls and routers, anything that provides perimeter access-control security, can be considered bastion hosts. Other types of bastion hosts can include Web, mail, DNS, and FTP servers. End-Point Security It is an information security concept, which assumes that each device or end-point is responsible for its own security. Traditionally, firewalls, central virus scanners, and other intrusion detection or intrusion prevention devices are responsible for securing an end-point. End-point security places the responsibility of security on the device. Some of the examples are broadband users' increasing use of desktop firewalls, spam, and antivirus software. It also includes the protection of a business’s network from employee memory devices that may unknowingly contain malware.

56 Business Scenario

Kevin Butler, Firewall Administrator at Nutri Worldwide Inc. has been working on a new firewall. The firewall is able to do a deep packet inspection on all the layers mentioned in OSI model. The firewall is transparent to the user and is context based. It can also discard unsolicited packets arriving in the network from the internet. Which type of firewall Kevin is working on? It is Stateful Inspection Firewall.

57 Networks

Let us learn about networks in this screen. A data network consists of two or more computers connected for the purpose of sharing files, printers, data, and so forth. To communicate on the network, every workstation must have an NIC inserted into the computer, a transmission medium such as copper, fiber, or wireless, a Network Operating System or NOS , and a LAN device such as a hub, bridge, router, or switch to physically connect the computers together. In addition to these local area networks, there are two other common types

Find our CISSP®- Certified Information Systems Security Professional Online Classroom training classes in top cities:

Name Date Place
CISSP®- Certified Information Systems Security Professional 17 May -7 Jun 2021, Weekdays batch Your City View Details
CISSP®- Certified Information Systems Security Professional 28 May -19 Jun 2021, Weekdays batch Atlanta View Details
CISSP®- Certified Information Systems Security Professional 5 Jun -27 Jun 2021, Weekend batch Washington View Details
  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.

Request more information

For individuals
For business
Phone Number*
Your Message (Optional)
We are looking into your query.
Our consultants will get in touch with you soon.

A Simplilearn representative will get back to you in one business day.

First Name*
Last Name*
Work Email*
Phone Number*
Job Title*