CruSec’s 2019 CISSP Study Guide - Domain 4: Communication and Network Security
Domain 4: Communication and Network Security
4.1 Implement secure design principles in network architectures
Communications and Network Security
OSI Model – Please Do Not Teach Students Pointless Acronyms. Developed by ISO
Encapsulation is when the payload has the headers and footers added as the message goes down layers. Decapsulation is the unwinding of the message as it travels back up. This means data has the most information at the physical layer
Layer 1 – Physical – cabling standards, radio waves etc. Devices include hubs, repeaters and cables. Protocol Data Unit (PDU) is the bit
EIA/TIA, X.21, HSSI, SONET, v.24, V.35
Layer 2 – Data Link – PDU is called the Frame. Uses MAC addresses. Devices used at Layer 2 include Switches
SLIP, PPP, ARP, L2F, L2TP, PPTP, FDDI, ISDN
PPTP, L2f and L2TP are used for VPNs.
Layer 3 – Network – PDU is the Packet/Datagram. Performs routing using IP addresses. Devices used at layer 3 include Routers.
ICMP, RIP, OSPF, BGP, IGMP, IP, IPSec, IPX, NAT, SKIP
Layer 4 – Transport – Connection between computers. PDU is the Segment (TCP) or Datagram (UDP). Protocols include UDP and TCP. Port numbers operate here. TCP is reliable, re-sends undelivered segments (connection-oriented).
SPX, SSL, TLS, TCP, UDP
Layer 5 – Session – Connection between applications. PDU is the datastream
NFS, SQL, RPC
Layer 6 – Presentation – presents data to the application layer in a comprehensible, standard form, handling character encoding (ASCII), image formats (GIF, JPEG), data conversion, encryption and compression.
Encryption protocols, format types such as ASCII, TIFF, JPEG, MPEG, MIDI
Layer 7 – Application – Human readable data. Web browsing, word processing, and IM clients operate at this layer. Protocols include Telnet, FTP, HTTP, etc. The primary purpose of a gateway is to translate protocols.
HTTP, FTP, LPD, SMTP, Telnet, TFTP, EDI, POP3, IMAP, SNMP, NNTP, S-RPC, SET
TCP/IP Model – Developed originally by DoD. Only has 4 layers. (Comparison chart of the OSI and TCP/IP layers not reproduced here.)
LAN Technologies, Protocols, and Network Topologies
Ethernet – today it’s used in a physical star topology with twisted pair cables
Bus – A straight line of devices. A is connected to B, which is connected to C. A single cable break brings the network down.
Ring – A is connected to Z and B, B is connected to A and C, and so on. Doesn’t really improve on a Bus topology
Star – ethernet uses a star. Everything is connected to a central hub/switch/whatever. A cable break only affects that single node. This provides fault tolerance.
Mesh – everything is connected to everything.
MAC Addresses – Media Access Control. 48 bits long. First 24 bits form the OUI, last 24 bits identify the specific device.
EUI-64 MAC Address – created for 64-bit MAC addresses. OUI is still 24 bits, but the serial number is the last 40. Probably for IPv6
ARP resolves IP addresses to MAC addresses
ARP Cache Poisoning occurs when an attacker sends fake responses to ARP requests. This can be countered by hardcoding ARP entries
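An added example (not from the original guide) of the defensive side of the two lines above: a small monitor that watches ARP replies and flags when an IP address suddenly maps to a different MAC, while hardcoded (static) entries are never overwritten. The addresses and replies are constructed sample data, and the monitor is a simplified model, not a real operating-system ARP cache.

```python
# Constructed sample ARP replies (sender IP, sender MAC); not captured traffic.
SAMPLE_REPLIES = [
    ("10.10.10.1",  "00:1a:2b:3c:4d:5e"),  # gateway, legitimate
    ("10.10.10.50", "00:1a:2b:aa:bb:cc"),  # ordinary host
    ("10.10.10.1",  "de:ad:be:ef:00:01"),  # gateway IP now claimed by another MAC
    ("10.10.10.1",  "de:ad:be:ef:00:01"),  # repeated claim
]

# Hardcoded entries: the countermeasure the notes mention (constructed values).
STATIC_ENTRIES = {"10.10.10.1": "00:1a:2b:3c:4d:5e"}

class ArpMonitor:
    """Tracks IP -> MAC bindings seen in ARP replies and records alerts.

    A static entry is never replaced; any reply contradicting it is an alert.
    A dynamic entry that changes MAC is also an alert (the classic poisoning
    symptom), after which the new binding is learned."""
    def __init__(self, static):
        self.static = {ip: mac.lower() for ip, mac in static.items()}
        self.table = dict(self.static)
        self.alerts = []

    def observe(self, ip, mac):
        """Process one ARP reply; return True if it was accepted silently."""
        mac = mac.lower()
        if ip in self.static:
            if mac != self.static[ip]:
                self.alerts.append(f"STATIC CONFLICT {ip}: {mac} != {self.static[ip]}")
                return False
            return True
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac          # first sighting: learn it
            return True
        if known != mac:
            self.alerts.append(f"BINDING CHANGE {ip}: {known} -> {mac}")
            self.table[ip] = mac          # learn the new binding, but it was reported
            return False
        return True

def run(replies, static=STATIC_ENTRIES):
    """Feed a list of replies through a fresh monitor and return its alerts."""
    mon = ArpMonitor(static)
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts

if __name__ == "__main__":
    print(run(SAMPLE_REPLIES))      # two STATIC CONFLICT alerts for the gateway
    print(run(SAMPLE_REPLIES, {}))  # without static entries: one BINDING CHANGE alert
```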
IPv4 – 32-bit address written as four bytes in decimal (x.x.x.x)
CIDR – allows for many network sizes (ie, subnetting)
Class A network is /8
Class B is /16
Class C is /24
Single IP is /32
NAT – hides private IP addresses behind a single public IP. A Pool NAT would be multiple public IPs
IPv6 – addresses are 128-bit instead of IPv4’s 32-bit addresses. Provides 340 undecillion addresses. Routing and address assignment are easier through autoconfiguration using a host’s MAC address. This removes the need for DHCP.
TCP 3-way handshake – SYN > SYN/ACK > ACK
Well known – 0-1023
Registered – 1024-49151
Dynamic/Private/Ephemeral – 49152-65525
Socket – IP and port: 10.10.10.100:443
ICMP – ping, tracert, netstat, etc. Used to troubleshoot and report error conditions.
FTP – many varieties. TCP port 21 (control connection), and TCP 20 (data connection)
SFTP – port 22 uses SSH to add security
FTPS – uses TLS to add security
TFTP – UDP 69. Used for bootstrapping
Application Layer Protocols
SMTP – TCP 22. Sends email between servers
Secure SMTP uses port 456
POP – TCP 110, downloads email to a local client from server
Secure POP uses port 995
IMAP – TCP port 143, downloads email to local client like POP
Secure IMAP is 993
S/MIME – allows attachments and foreign character sets in email. Uses PKI to encrypt and authenticate MIME-encoded email
DNS – TCP 53. Resolves domain names to IP addresses. Handles zone transfers
SOA – start of authority server. Contains the master record for the zone
Weaknesses of DNS:
DNSSEC – adds authentication and integrity to DNS responses and uses PKI, but offers no confidentiality. Like a digital signature.
SNMP – UDP 161. Used to monitor and control network devices. “Community string” is transmitted in plain text in v1 and v2. SNMPv3 adds encryption
HTTP and HTTPS
DHCP – UDP 67 for servers and 68 for clients
4.2 Secure network components
Hub – layer 1 device. Provides no security or confidentiality because it does not isolate traffic. Half duplex, meaning it cannot send and receive simultaneously.
Repeater – has two ports. Receives traffic on one port and repeats it out the other
Switches – use a SPAN (Cisco) or mirror port to copy all traffic out through that one port, normally to send it to an IDS/IPS. One issue here can be bandwidth overload.
Routers – layer 3 device that routes traffic from one network to another. Routers are often the default gateway
Separate broadcast domains, segment traffic which provides defense in depth
All firewalls are multi-homed, meaning they are connected to multiple networks (WAN and LAN)
Allow/block traffic using:
Ingress rules – traffic coming in
Egress rules – traffic going out
Generally deployed between a private network and a link to the internet.
Use an “implicit deny” rule
Rules at the top of an ACL take priority. Traffic that meets the first applicable rule will be used.
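An added example (not from the original guide) of the ingress/egress, first-match and implicit-deny rules described above: a tiny ACL evaluator run over constructed packets. The ACL deliberately contains a shadowed rule, a specific allow for the internal resolver placed below a broad deny, so it can never match until the two are reordered. All addresses and rules are constructed, not a real device configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "ingress" (into the LAN) or "egress" (out of it)
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # destination port, None = any port

    def matches(self, pkt):
        return (pkt["direction"] == self.direction
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"]))

def packet(direction, src, dst, proto, dport=None):
    return {"direction": direction, "src": src, "dst": dst, "proto": proto, "dport": dport}

# Constructed ACL. First match wins, top to bottom; nothing matching = implicit deny.
ACL = [
    Rule("allow", "ingress", "0.0.0.0/0",    "192.0.2.10/32", "tcp", 443),   # public HTTPS host
    Rule("deny",  "ingress", "0.0.0.0/0",    "192.0.2.10/32", "tcp", 22),    # no SSH from outside
    Rule("deny",  "egress",  "10.0.0.0/8",   "0.0.0.0/0",     "udp", 53),    # block direct outbound DNS
    Rule("allow", "egress",  "10.0.0.53/32", "0.0.0.0/0",     "udp", 53),    # ...except the resolver: SHADOWED
    Rule("allow", "egress",  "10.0.0.0/8",   "0.0.0.0/0",     "tcp", None),  # general outbound TCP
]

def evaluate(acl, pkt):
    """Return (action, index of the deciding rule); -1 means the implicit deny fired."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", -1

def fixed_order(acl):
    """Move the specific resolver allow above the broad deny so it is reachable."""
    fixed = list(acl)
    fixed[2], fixed[3] = fixed[3], fixed[2]
    return fixed

if __name__ == "__main__":
    dns = packet("egress", "10.0.0.53", "198.51.100.53", "udp", 53)
    print(evaluate(ACL, dns))               # ('deny', 2): the broad deny wins
    print(evaluate(fixed_order(ACL), dns))  # ('allow', 2)
    print(evaluate(ACL, packet("ingress", "198.51.100.7", "192.0.2.10", "tcp", 8080)))  # ('deny', -1)
```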
Screened-Host Architecture -when a router forces traffic to only go to a Bastion Host, which alone can access LAN. A Bastion Host is a heavily secured device, such as a firewall, that would then allow traffic to LAN. Creates a SPOF.
DMZ - “perimeter” or “edge” network. Two firewalls, public available resources sit in between them to allow things like HTTPS and DNS through. The second firewall would stop anything from coming into the internal network.
DMZs can be accomplished with a single firewall, but creates opportunities for misconfiguration
SEVERAL TYPES OF FIREWALLS:
Packet Filtering – works at layer 3 where the PDU is the packet. Filtering decisions are made on each individual packet. Just looks at IP addresses and port numbers (header)
Stateful – stores info about who initiates a session, and blocks unsolicited communications (nothing from the outside that didn’t originate internally can get through). This information is stored on the firewall’s “state table”, which can be DoSed by flooding it with communication requests.
Application Level Firewall – acts as an intermediary server and proxies the connection between client and application server. It can see the entire packet, as the payload won’t be encrypted until layer 6. Other firewalls can only inspect the headers but not the payload. Application firewalls can therefore detect unwanted applications or services attempting to bypass the firewall
Next-Gen Firewalls – bundle a ton of shit together, such as deep-packet inspection, application-level inspection, IDS/IPS, integrated threat intel, etc
Electromagnetic Interference – caused by electricity and causes unwanted signals, or noise.
Crosstalk occurs when one wire leaks into another
Attenuation is the weakening of a signal as it travels further from the source
Twisted Pair cabling is the most common type of cabling. It consists of copper wires twisted together in pairs, as in Ethernet cable
Unshielded Twisted Pair are the twisted pairs inside the cable. The twists provide protection against EMI.
Shielded Twisted Pair has a sheath around each individual pair. This provides better protection than UTP, but it is more expensive and more difficult to work with. Prices of fiber are getting low enough that STP doesn’t make sense
Coax cable – More resistant to EMI than UTP or STP, and provides a higher bandwidth
Fiber Optic Cable – uses light pulses. Cable is made of glass so it is very fragile. It is immune to EMI and much faster than coax. Several types:
Multimode – many paths of light. Shorter distance and lower bandwidth. Uses LED as its light source
Singlemode – one path, long haul (long distance). Uses a laser
Multiplexing – sends multiple signals over different colors of light. Exceeds speeds of 10GB
SSID – service set Identifier. Basically the network name. Normally broadcasted, but you can disable it.
WEP – old, can be broken due to weakness in the implementation of its IV.
WPA – fixed issues with WEP by implementing RC4 and TKIP. Also no longer secure
TKIP was designed as the replacement for WEP without requiring replacement of hardware.
WPA2 – Uses AES and CCMP to provide confidentiality and integrity. Current standard for test purposes, although WPA3 is being rolled out. Allows for MFA functionality
CCMP was created to replace WPA and uses AES with a 128-bit key
Bluetooth – 802.15, uses 2.4 GHz. Sensitive devices should disable automatic discovery. Uses 128-bit E0 symmetric stream cipher. Several classes:
Class 3 – under 10 meters
Class 2 – 10 meters
Class 1 – 100 meters
Blue Jacking – sending forged messages to nearby bluetooth devices
Blue Snarfing – copies information off of remote devices
Blue Bugging – allows full use of device
Asset inventory and faraday cages are common protections against these attacks. Faraday cages block the emissions of RFID signals
Captive Portals are when you’re forced to sign in or redirected to a website upon connecting to a wireless network
4.3 Implement secure communication channels according to design
Type 1 Hypervisor – runs directly on the host hardware. Think ESXi
Type 2 – Runs as an application. Think Virtualbox
Inexperienced administrators may run guests with different security requirements on the same host
Creates single points of failure
Guests that are not carefully managed can consume host resources needed for other guests
Routing protocols – Two primary types:
IGP – interior gateway protocol. Used by private networks. Examples include RIP and OSPF. Two types of IGP:
Distance Vector Routing Protocols – such as RIP. Routers don’t know the whole network map. They only use hop counts as a metric for getting traffic to its destination. As such, it is prone to inefficient decisions, like using a slower link with fewer hops.
RIP – routing information protocol. Old and inefficient, used on old routers. Uses hop count as metric for routing traffic. Sends updates every 30 seconds and convergence is slow (if router 15 goes down and is the only way to Network B, it’s going to take several minutes for every router to communicate all the way back to let router 1 know). Max hop count is 15 (16 is considered infinite). Prone to routing loops (router 1 and 2 just keep sending traffic to each other and it never goes anywhere). Loop prevention methods include:
Split Horizon – router doesn’t echo a route back to the router it received it from
Poison Reverse – bad routes are marked with metric 16
Hold-down timer – route can’t change more often than once every 180 seconds
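An added example (not from the original guide) of the RIP behaviour described above: a synchronous distance-vector simulation of three routers in a line, R1 - R2 - R3, with network B behind R3 and 16 meaning unreachable. When B goes away, plain distance vector counts up toward 16 over many rounds because R2 keeps re-learning the dead route from R1, whereas split horizon with poison reverse settles in a couple of rounds. The hold-down timer is not modelled, and the topology and router names are constructed.

```python
INFINITY = 16  # RIP metric meaning "unreachable"

class Router:
    def __init__(self, name, neighbours, direct=()):
        self.name = name
        self.neighbours = list(neighbours)
        # routing table: destination -> [metric, next_hop]; attached nets cost 1
        self.table = {net: [1, None] for net in direct}

    def advertise(self, to, poison_reverse):
        """Vector sent to neighbour 'to'. Split horizon with poison reverse
        sends routes learned from 'to' back to it with metric 16."""
        return {dest: INFINITY if (poison_reverse and nh == to) else metric
                for dest, (metric, nh) in self.table.items()}

    def learn(self, frm, vec):
        for dest, m in vec.items():
            new = min(m + 1, INFINITY)
            cur = self.table.get(dest)
            # adopt a better route, or whatever our current next hop now reports
            if cur is None or new < cur[0] or cur[1] == frm:
                self.table[dest] = [new, frm]

def snapshot(net):
    return {n: {d: tuple(v) for d, v in r.table.items()} for n, r in net.items()}

def converge(net, poison_reverse, max_rounds=50):
    """Exchange vectors in synchronous rounds until no table changes; return rounds used."""
    for i in range(1, max_rounds + 1):
        before = snapshot(net)
        msgs = [(name, to, r.advertise(to, poison_reverse))
                for name, r in net.items() for to in r.neighbours]
        for frm, to, vec in msgs:
            net[to].learn(frm, vec)
        if snapshot(net) == before:
            return i
    return max_rounds

def simulate(poison_reverse):
    """Converge R1 - R2 - R3 (B attached to R3), pull B, and count rounds until the
    tables settle again. Returns (rounds, R1's final metric for B)."""
    net = {"R1": Router("R1", ["R2"]), "R2": Router("R2", ["R1", "R3"]),
           "R3": Router("R3", ["R2"], direct=["B"])}
    converge(net, poison_reverse)
    net["R3"].table["B"] = [INFINITY, None]  # link to network B fails
    rounds = converge(net, poison_reverse)
    return rounds, net["R1"].table["B"][0]

if __name__ == "__main__":
    print("without poison reverse:", simulate(False))  # counts toward 16 over many rounds
    print("with poison reverse:   ", simulate(True))   # settles in a few rounds
```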
RIP v2 slightly improved on RIP by implementing multicast.
Link State Routing Protocols – each router knows the entire network. Uses additional metrics, including bandwidth, to determine the best route. Much better than RIP but requires more processing power from the routers. Consider link state once there are 10 or so routers. Examples:
OSPF – open shortest path first. Routers send updates when events occur, and so convergence occurs much faster than RIP.
EGP – external gateway protocol. used on the internet. Examples:
BGP – border gateway protocol. Used on the internet. Routes between autonomous systems, such as networks with multiple internet connections. It is a “path-vector” protocol.
SLIP – layer 2 protocol. Old, provides no confidentiality, integrity or authentication
PPP – replaced SLIP. Adds confidentiality, integrity and authentication
PAP and CHAP are both based on PPP. CHAP improves on PAP by implementing encryption.
ISDN – provides digital service over copper-wire phone lines.
DSL – symmetric (UL and DL speeds are the same) and asymmetric (DL speeds are faster)
T1 Connection – 1.5Mbps
T3 – 45 Mbps
E1 – 2Mbps
E3 – 34 Mbps
MPLS – Multiprotocol Label Switching. Forwards WAN data using labels
VoIP – uses two protocols:
RTP – carries audio and video
Not secure until SRTP, which uses AES and SHA1 to provide confidentiality, integrity and secure authentication.
SIP – for signals like “phone ringing”
SAN (Storage Area Network) – Mimics directly attaching a hard drive, and allows block-level file access over a network
Fibre Channel – uses a special cable and hardware, has a couple of variations like Fibre Channel over Ethernet (FCoE) (layer 2, does not use TCP/IP) and Fibre Channel over IP (FCIP) (layer 3, uses TCP/IP). Allows for high speed transfer and is often used with NAS or SAN
iSCSI – allows access to storage over a WAN.
VPN – Generic term for building a secure virtual network over a public network. Often used to connect remote users to their offices. It aims to be as secure as a dedicated leased line like a T1.
L2TP – provides authentication but has no encryption by itself, and therefore no confidentiality. Almost always uses IPSec for this purpose
IPSEC – adds encryption to L2TP. It has a ton of moving parts, so SSL/TLS is more popular
rlogin and rsh are old unix remote access systems. Cleartext, use TCP 513 and 514 respectively
VNC (TCP 5900) and RDP (3389) are used more commonly today