top of page

CruSec’s 2019 CISSP Study Guide - Domain 4: Communication and Network Security

Domain 4: Communication and Network Security

4.1 Implement secure design principles in network architectures

Communications and Network Security

  • OSI Model – Please Do Not Teach Students Pointless Acronyms. Developed by ISO

  • Encapsulation is when the payload has the headers and footers added as the message goes down layers. Decapsulation is the unwinding of the message as it travels back up. This means data has the most information at the physical layer

  • Layer 1 – Physical – cabling standards, radio waves etc. Devices include hubs, repeaters and cables. Protocol Data Unit (PDU) is the bit

  • EIA/TIA, X.21, HSSI, SONET, v.24, V.35

  • Layer 2 – Data Link – PDU is called the Frame. Uses MAC addresses. Devices used at Layer 2 include Switches


  • PPTP, L2f and L2TP are used for VPNs.

  • Layer 3 – Network – PDU is the Packet/Datagram. Performs routing using IP addresses. Devices used at layer 3 include Routers.


  • Layer 4 – Transport – Connection between computers. PDU is the Segment (TCP) or Datagram (UDP). Protocols include UDP and TCP. Port numbers operate here. TCP is reliable, re-sends undelivered segments (connection-oriented).


  • Layer 5 – Session – Connection between applications. PDU is the datastream


  • Layer 6 – Presentation – presents data to the application layer in a comprehensive way, like character encoding (ASCII), image formats (GIF, JPEG), data conversion, encryption and compression.

  • Encryption protocols, format types such as ASCII, TIFF, JPEG, MPEG, MIDI

  • Layer 7 – Application – Human readable data. Web browsing, word processing, and IM clients operate at this layer. Protocols include Telnet, FTP, HTTP, etc The primary purpose of a gateway is to translate protocols


TCP/IP Model

  • Developed originally by DoD. Only has 4 layers. Comparison chart:

LAN Technologies, Protocols, and Network Toplogies

  • Ethernet – today its used in a physical star topology with twisted pair cables

  • Bus – A straight line of devices. A is connected to B, which is connected to C. A single cable break brings the network down.

  • Ring – A is connected to Z and B, B is connected to A and C, and so on. Doesn’t really improve on a Bus topology

  • Star – ethernet uses a star. Everything is connected to a central hub/switch/whatever. A cable break only affects that single node.This provides fault tolerance.

  • Mesh – everything is connected to everything.

  • MAC Addresses – Media Access Control. 48 bits long. First 24 bits form the OUI, last 24 bit identify the specific device.

  • EUI-64 MAC Address – created for 64-bit MA addresses. OUI is still 24 bits, but the serial number is the last 40. Probably for IPv6

  • ARP resolves IP addresses to MAC addresses

  • ARP Cache Poisoning occurs when an attacker sends fake responses to ARP requests. This can be countered by hardcoding ARP entries

  • IPv4 – 32-bit address written as four bytes in decimal (x.x.x.x)

  • CIDR – allows for many network sizes (ie, subnetting)

  • Class A network is /8

  • Class b is /16

  • Class C is /24

  • Single IP is /32

  • NAT – hides private IP addresses behind a single public IP. A Pool NAT would be multiple public IPs

  • IPv6 – addresses are 128-bit instead of IPv4’s 32-bit addresses. Provides. 340 undecillion addresses. Routing and address assigning are easier through autoconfiguration using a host’s MAC address. This removes the need for DHCP.

  • TCP 3-way handshake – SYN > SYN/ACK > ACK

  • Ports:

  • Well known – 0-1023

  • Registered – 1024-49151

  • Dynamic/Private/Ephemeral – 49152-65525

  • Socket – IP and port: 10.10.1 0.100:443

  • ICMP – ping, tracert, netstat, etc. Used to troubleshoot and report error conditions.

  • FTP – many varieties. TCP port 21 (control collection), and TCP 20 (data collection)

  • SFTP – port 22 uses SSH to add security

  • FTPS – uses TLS to add security

  • TFTP – UDP 69. Used for bootstrapping

Application Layer Protocols

  • SMTP – TCP 22. Send email between servers

  • Secure SMTP uses port 456

  • POP – TCP 110, downloads email to a local client from server

  • Secure POP uses port 995

  • IMAP – TCP port 143, downloads email to local client like POP

  • Secure IMAP is 993

  • S/MIME- allows attachments and foreign character sets in email. Uses PKI to encrypt and authenticate MIME-encoded email

  • DNS – TCP 53. Resolves domain names to IP addresses. Handles zone transfers

  • SOA – start of authority server. Contains the master record for the zone

  • Weaknesses of DNS:

  • Uses UDP

  • No authentication

  • DNSSEC – adds authentication and integrity to DNS responses and uses PKI, but offers no confidentiality. Like a digital signature.

  • SNMP – UDP 161. Used to monitor and control network devices. “Community string” is transmitted in plain text in v1 and v2. SNMPv3 adds encryption

  • HTTP and HTTPS

  • DHCP – UDP 67 for servers and 68 for clients

4.2 Secure network components


  • Hub – layer 1 device. Provides no security, confidentiality and security because it does not isolate traffic. Half duplex, meaning it cannot send and receive simultaneously.

  • Repeater – has two ports. Receives traffic on one port and repeats it out the other

  • Switches – uses a SPAN (cisco) or mirror port to mirror all traffic through this particular port, normally to send it to an IDS/IPS. One issue here can be bandwidth overload.

  • Routers – layer 3 device routes traffic from one network to another. Often times routers are default gateways


  • Separate broadcast domains, segment traffic which provides defense in depth


  • All firewalls are multi-homed, meaning they are connected to multiple networks (WAN and LAN)

  • Allow/block traffic using:

  • Ingress rules – traffic coming in

  • Egress rules – traffic going out

  • Generally deployed between a private network and a link to the internet.

  • Use an “implicit deny” rule

  • Rules at the top of an ACL take priority. Traffic that meets the first applicable rule will be used.

  • Screened-Host Architecture -when a router forces traffic to only go to a Bastion Host, which alone can access LAN. A Bastion Host is a heavily secured device, such as a firewall, that would then allow traffic to LAN. Creates a SPOF.

  • DMZ - “perimeter” or “edge” network. Two firewalls, public available resources sit in between them to allow things like HTTPS and DNS through. The second firewall would stop anything from coming into the internal network.

  • DMZs can be accomplished with a single firewall, but creates opportunities for misconfiguration


  • Packet Filtering – works at layer 3 where the PDU is the packet. Filtering decisions are made on each individual packet. Just looks at IP addresses and port numbers (header)

  • Stateful – stores info about who initiates a session, and blocks unsolicited communications (nothing from the outside that didn’t originate internally can get through). This information is stored on the firewall’s “state table”, which can be DoSed by flooding it with communication requests.

  • Application Level Firewall – act as an intermediary server and proxies connection between client and application server. They can see the entire packet as the packet won’t be encrypted until layer 6. Other firewalls can only inspect the packet but not the payload. Application firewalls can then detect unwanted applications or services attempting to bypass the firewall

  • Next-Gen Firewalls – bundle a ton of shit together, such as deep-packet inspected, application-level inspection, IDS/IPS, integrating threat intel, etc


  • Electromagnetic Interference – caused by electricity and causes unwanted signals, or noise.

  • Crosstalk occurs when one wire leaks into another

  • Attenuation is the weakening of a signal as it travels further from the source

  • Twisted Pair cabling is the most common type of cabling. They are copper cables twisted with a pair like ethernet

  • Unshielded Twisted Pair are the twisted pairs inside the cable. The twists provide protection against EMI.

  • Shielded Twisted Pair has a sheath around each individual pair. This provides better protection than UTP, but it is more expensive and more difficult to work with. Prices of fiber are getting low enough that STP doesn’t make sense

  • Coax cable – More resistant to EMI than UTP or STP, and provides a higher bandwidth

  • Fiber Optic Cable – uses light pulses. Cable is made of glass so it is very fragile. It is immune to EMI and much faster than coax. Several types:

  • Multimode – many paths of light. Shorter distance and lower bandwidth. Uses LED as its light source

  • Singlemode – one path, long haul, long side. Uses a laser

  • Multiplexing – sends multiple signals over different colors of light. Exceeds speeds of 10GB

Wireless (802.11)

  • SSID – service set Identifier. Basically the network name. Normally broadcasted, but you can disable it.

  • WEP – old, can be broken due to weakness in the implementation of its IV.

  • WPA – fixed issues with WEP by implementing RC4 and TKIP. Also no longer secure

  • TKIP was designed as the replacement for WEP without requiring replacement of hardware.

  • WPA2 – Uses AES and CCMP to provide confidentiality and integrity. Current standard for test purposes, although WPA3 is being rolled out. Allows for MFA functionality

  • CCMP was created to replace WPA and uses AES with a 128-bit key

  • Bluetooth – 802.15. uses 2.4 GHz. Sensitive devices should disable automatic discovery. Uses 128-bit E0 symmetric stream cipher. Several classes:

  • Class 3 – under 10 meters

  • Class 2 – 10 meters

  • Class 1 – 100 meters

  • Bluetooth Attacks:

  • Blue Jacking – sending forged messages to nearby bluetooth devices

  • Blue Snarfing – copies information off of remote devices

  • Blue Bugging – allows full use of device

  • Asset inventory and faraday cages are common protections against these attacks. Faraday cages block the emissions of RFID signals

  • Captive Portals are when you’re forced to sign in or redirected to a website upon connecting to a wireless network

4.3 Implement secure communication channels according to design


  • Type 1 Hypervisor – runs directly on a host hardware. Think ESXi

  • Type 2 – Runs as an application. Think Virtualbox

  • Security Issues:

  • VM Escape

  • Inexperienced administrators may run guests with different security requirements on the same host

  • Creates single points of failure

  • Guests that are not carefully managed can consume host resources needed for other guests

Routing Protocols

  • Two primary types:

  • IGP – internal gateway protocol. used by private networks. Examples include RIP and OSPF. Two types of IGP:

  • Distant Vector Routing Protocols – such as RIP. routers don’t know the whole network map. They only use hop-counts as a metric for getting traffic to its destination. As such, it is prone to inefficient decisions, like using a slower link with fewer hops.

  • Examples:

  • RIP – routing information protocol. Old and inefficient, used on old routers. Uses hop count as metric for routing traffic. Sends updates every 30 seconds and convergence is slow (if router 15 goes down and is the only way to Network B, it’s going to take several minutes for every router to communicate all the way back to let router 1 know). Max hop count is 15 (16 is considered infinite). Prone to routing loops (router 1 and 2 just keep sending traffic to each other and it never goes anywhere). Loop prevention include:

  • Split Horizon – router doesn’t echo a route back to the router it received it from

  • Poison Reverse – bad routes are marked with metric 16

  • Hold-down timer – route can’t change more often than once every 180 seconds

  • RIP v2 slightly improved on RIP by implementing multicast.

  • Link State Routing Protocols – each router knows the entire network. Uses additional metrics, including bandwidth, to determine best route. Much better than RIP but requires more processing power from other routers. Should be considering link state after 10 or so routers. Examples:

  • OSPF – open shortest path first. Routers send updates when events occur, and so convergence occurs much faster than RIP.

  • EGP – external gateway protocol. used on the internet. Examples:

  • BGB – border gateway protocol. Used on the internet. Routes between autonomous systems, such as networks with multiple internet connects. It is a “path-vector” protocol.

WAN Terms

  • SLIP – layer 2 protocol. Old, provides no confidentiality, integrity or authentication

  • PPP – replaced SLIP. Adds confidentiality, integrity and authentication

  • PAP and CHAP are both based on PPP. CHAP improves on PAP by implementing encryption.

  • ISDN – provides digital service over copper-wire phone lines.

  • DSL – symmetric (UL and DL speeds are the same) and asymmetric (DL speeds are faster)

  • T1 Connection – 1.5Mbps

  • T3 – 45 Mbps

  • E1 – 2Mbps

  • E3 – 34 Mbps

  • MPLS – Multiprotocol Label Switching. Forwards WAN data using labels

  • VoIP – uses two protocols:

  • RTP – carries audio and video

  • Not secure until SRTP, which uses AES and SHA1 to privde confidentiality, integrity and secure authentication.

  • SIP – for signals like “phone ringing”

Storage Protocols

  • Mimics directly attaching a h ard drive, and allows block-level file access over a network

  • SAN

  • Fibre Channel – uses a special cable and hardware, has a couple variations like Fiber Chanel over Ethernet (FCoE) (layer 2, does not use TCP/IP) and Fiber Channel over IP (layer 3, uses TCP/IP). Allows for high speed transfer and is often used with NAS or SAN

  • iSCSI – allows access to storage over a WAN.


  • Generic term for building a secure virtual network over a public network. Often used to connect remote users to their offices. It aims to be as secure as a dedicated leased line like a T1.

  • Protocols:

  • PPTP-old technology

  • L2TP – provides authentication but has no encryption by itself, and therefore no confidentiality. Almost always uses IPSec for this purpose

  • IPSEC – adds encryption to L2TP. It has a ton of moving parts, so SSL/TLS is more popular


Remote Connectivity

  • rlogin and rsh are old unix remote access systems. Cleartext, use TCP 513 and 514 respectively

  • VNC (TCP 5900) and RDP (3389) are used more commonly today

Featured Posts
Recent Posts
bottom of page