Domain 4 — Communication and Network Security
Yes, you need to know the OSI 7-layer model, or at least some of it. This should suffice:
|Layer|What happens at this layer|Device making decisions at this layer|
|---|---|---|
|7 Application|Jobs software programs do|ALG, AV, Spam filter, DLP, WAF, etc|
|4 Transport|UDP: Messages to numbered ports. TCP: Connections to numbered ports| |
|3 Network|Relay packets hop by hop to anywhere by IP address: [netid\|hostid]| |
|2 Data Link|Send frames to HW/MAC addresses| |
|1 Physical|Send and receive 0 vs 1 bits|Repeater (point-to-point link) or hub (star)|
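To make the table concrete, here is an added example (not from the original notes) that builds one constructed Ethernet frame carrying an IPv4 packet carrying a UDP message, then peels it apart layer by layer so you can see which address each layer decides on: the MAC address at Layer 2, the IP address (split into netid and hostid) at Layer 3, and the numbered port at Layer 4. The MAC addresses, IP addresses and payload are made up for the example; the length checks are the kind of validation a real parser needs before trusting header fields.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

ETH_HDR = struct.Struct("!6s6sH")          # Layer 2: dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # Layer 3: fixed 20-byte IPv4 header (no options)
UDP_HDR = struct.Struct("!HHHH")           # Layer 4: src port, dst port, length, checksum


def build_sample_frame():
    """Constructed sample (not captured traffic): a UDP message to port 53, in IPv4, in Ethernet."""
    payload = b"hello"
    # UDP checksum 0 means "absent", which is legal for UDP over IPv4.
    udp = UDP_HDR.pack(40000, 53, UDP_HDR.size + len(payload), 0)
    ip = IPV4_HDR.pack(
        0x45, 0, IPV4_HDR.size + len(udp), 0x1234, 0x4000, 64, 17, 0,
        IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.53").packed)
    eth = ETH_HDR.pack(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip + udp + payload


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Peel the headers off layer by layer, returning the addressing decision each layer makes."""
    if len(frame) < ETH_HDR.size + IPV4_HDR.size:
        raise ValueError("frame too short to hold Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not IPv4")
    offset = ETH_HDR.size
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(frame, offset)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    if len(frame) < offset + total_len:
        raise ValueError("truncated packet: IPv4 total length exceeds the frame")
    offset += (ver_ihl & 0x0F) * 4            # IHL is in 32-bit words, so any options are skipped
    if proto != 17:
        raise ValueError(f"IP protocol {proto} is not UDP")
    sport, dport, udp_len, _ucsum = UDP_HDR.unpack_from(frame, offset)
    offset += UDP_HDR.size
    payload = frame[offset:offset + udp_len - UDP_HDR.size]
    return {
        "layer2": {"dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac)},
        "layer3": {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "ttl": ttl},
        "layer4": {"protocol": "UDP", "src_port": sport, "dst_port": dport},
        "payload": payload,
    }


def split_address(addr, prefixlen):
    """Layer 3 addressing: split an IPv4 address into [netid|hostid] for a given prefix length."""
    net = IPv4Network(f"{addr}/{prefixlen}", strict=False)
    host = int(IPv4Address(addr)) - int(net.network_address)
    return str(net.network_address), host


if __name__ == "__main__":
    frame = build_sample_frame()
    for layer, fields in parse_frame(frame).items():
        print(layer, fields)
    print(split_address("192.0.2.10", 24))
```

The order of the checks matters: the EtherType decides whether an IPv4 header follows, the IHL field decides where the transport header starts, and the IP total length is checked against the real frame length before any later offset is used.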
This domain contains more ancient history than any other.
Network topologies: Know about Bus, Tree, and Ring in addition to the modern Star and impractical Mesh.
Collisions: Shouldn't be an issue with Ethernet switches (unless negotiation failed), but they want you to know about CSMA/CD.
FDDI: It was an attractive campus or metropolitan-area 100 Mbps backbone technology in the early to mid 1990s. Know that it has dual rings, so it can fail to a single ring if a link is cut. It can use copper or fiber.
Unexpected Layer 1 details
This wording is subtle, but know it:
- Concentrators multiplex connected devices into one signal for transmission.
- Multiplexors combine multiple signals into one signal for transmission.
Optical fiber:
- Single mode: greater transmission distance
- Multimode: typically up to 400 meters
- POF or Plastic Optical Fiber: significantly shorter range, about 100 meters
Fibre Channel over Ethernet or FCoE: It's a high-speed serial interface using fiber or copper.
- ADSL or Asymmetric Digital Subscriber Line: downstream transmission rates are much greater than upstream, typically up to 8 Mbps vs 384 kbps.
- VDSL or Very High Bit Rate DSL: much higher rates, maybe 52 Mbps downstream and 2 Mbps upstream, but limited to a much shorter distance from the CO or Central Office to the customer.
Cable modems: Know that they use the DOCSIS protocols.
BPL or Broadband over Powerline: I think that this technology hasn't really caught on, due to the severe radio interference problems it causes. But know that it exists.
WiFi range extenders: Know that these exist.
Bluetooth: 802.15. Use Bluetooth 4.x and above, with FIPS approved AES.
Satellite: Useful for remote or sparsely populated areas.
- CDMA or Code-Division Multiple Access: Signal is multiplied by a higher-speed bit stream, this is like DS-SS or Direct-Sequence Spread Spectrum.
- GSM or Global System for Mobiles: Calls get a channel and a time slot, so both time and frequency multiplexing.
- Generations: 1G, 2G, etc. Just know that it's evolving, bandwidth is growing, and it is becoming more IP-based.
Unexpected Layer 2 details
Know a little about MPLS or Multiprotocol Label Switching: it's a WAN protocol in which the first device inserts a label into the frame header, and that label is used for fast forwarding decisions at all subsequent hops. It lets you do traffic engineering, but it's being replaced by SD-WAN.
You might use PPPoE encapsulation on VPNs today.
Unexpected Layer 3 details
Know that the default gateway or default router might be called the gateway of last resort.
Ping of Death: This sounds ancient, it was an issue in the 1990s, but it was a Windows vulnerability again in 2013.
Unexpected Layer 4 details
Know that the Well-Known Ports are 0-1023.
Unexpected Layer 5 details
PPTP is used to encapsulate and tunnel, as over a VPN (although its attempt at cryptography is flawed and it shouldn't be used).
The modern way to run a VPN is to use L2TP to manage the tunnel and IPsec to encrypt the traffic.
RPC or Remote Procedure Call protocol: Does what it says.
Unexpected Layer 6 details
Systems can represent Unicode characters using only ASCII. For example, the ASCII sequence `&#x0429;` within an HTML file represents Unicode character 0x0429, the Cyrillic letter Щ.
UTF-8 is a character encoding that lets you represent arbitrary Unicode alphabets directly.
Browsers use Unicode internally, and convert other encodings into Unicode. So do search engines.
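As an added example (not part of the original notes), the Python below shows the same letter Щ written three ways: as an ASCII HTML character reference, as UTF-8 bytes, and as a byte in the legacy single-byte Cyrillic encoding cp1251. The inputs are constructed for the example. The `to_unicode` function does what the paragraph above says browsers and search engines do: decode the document's bytes with the declared encoding, then resolve character references, so all three forms become the same Unicode text. The last function compares a byte-level search with a search on the decoded text, which is why content filters that match on raw bytes and the browser can disagree about what a document contains.

```python
import html

# Constructed inputs (not from the original page): the Cyrillic letter Щ (U+0429) written three ways.
SHCHA = "\u0429"
AS_HTML_REFERENCE = b"&#x0429;"       # pure ASCII inside an HTML file
AS_UTF8 = SHCHA.encode("utf-8")        # two bytes, b'\xd0\xa9'
AS_CP1251 = SHCHA.encode("cp1251")     # one byte, b'\xd9', in a legacy Cyrillic code page


def to_unicode(raw, declared_encoding):
    """What a browser or search engine does: decode the bytes with the declared
    encoding into Unicode, then resolve any HTML character references."""
    text = raw.decode(declared_encoding)
    return html.unescape(text)


def representations():
    """Decode each stored form; every one should come out as the same Unicode character."""
    return {
        "html_reference": to_unicode(AS_HTML_REFERENCE, "ascii"),
        "utf8": to_unicode(AS_UTF8, "utf-8"),
        "cp1251": to_unicode(AS_CP1251, "cp1251"),
    }


def contains_before_and_after(raw, declared_encoding, needle):
    """(found by a byte-level search, found after decoding to Unicode).
    A filter that only inspects raw bytes sees the first; the user sees the second."""
    before = needle.encode("utf-8") in raw
    after = needle in to_unicode(raw, declared_encoding)
    return before, after


if __name__ == "__main__":
    print(representations())
    for raw, enc in ((AS_HTML_REFERENCE, "ascii"), (AS_UTF8, "utf-8"), (AS_CP1251, "cp1251")):
        print(raw, enc, contains_before_and_after(raw, enc, SHCHA))
```

The practical lesson for inspection tools is to normalise to Unicode first (decode, then unescape) and only then match, so the check operates on what the browser will actually render.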
MP3 or MPEG-1 Audio Layer 3 is a standard audio encoding and compression algorithm. WAVE is another audio encoding standard.
Unexpected Layer 7 details
Know about X11 and the ancient commands. You should have replaced them some time ago with the SSH versions:
Screen scrapers have been useful to automatically interact with mainframes over TN3270 or similarly old technology.
DNS: Know about DNSSEC (validates zone transfers with digital signatures), and that you need A, NS, PTR, and MX records.
SNMP or Simple Network Management Protocol:
- Its verbs are simple, "get" and "set"
- Passwords are called "community strings"
- SNMPv2 had no encryption, so community strings were sent in cleartext. SNMPv3 encrypts them.
Active Directory: Microsoft's branding of a combination of 3 protocols using a shared backend database: DNS + LDAP + Kerberos.
SDN or Software-Defined Networking
Also called NFV or Network Function Virtualization. SD-WAN is replacing MPLS.
Network traffic is split into two classes: data traffic flowing from applications to other applications or storage, and control traffic flowing from network controller devices to switches and routers altering flows between devices in data centers. Keeping the drawing and labels as general as possible, this is usually visualized as:
|Management or Application Plane|
|---|
|↑ ↓ ↑ ↓ northbound ↑ ↓ ↑ ↓|
|Controller|
|↑ ↓ ↑ ↓ southbound ↑ ↓ ↑ ↓|
|⎕ ↔ ⎕ ↔ ⎕ ↔ ⎕ devices ⎕ ↔ ⎕ ↔ ⎕ ↔ ⎕|
Applications can request traffic flows of desired connectivity and performance. They may do this directly through the API (or Application Programming Interface) of the controller through the northbound traffic. There may also (or instead) be an orchestration engine on the northbound side, which might be considered the management plane.
The controller sends configuration commands to the Layer 2-4 switching fabric through the southbound traffic.
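The following is an added example, not code from the original notes or from any real SDN controller, that models the three planes in a few dozen lines of Python: an application calls the controller's northbound API to ask for a flow, the controller (which alone knows the topology) computes a path and pushes match/action rules southbound into each switch, and the switches then forward data traffic purely by flow-table lookup. The three-switch topology, host addresses and the `authorized_apps` check on the northbound API are assumptions made for the example; the last of these is there because whoever can call the northbound API can reprogram the whole fabric, so that API needs the same access control as any other administrative interface.

```python
from collections import deque


class Switch:
    """Data plane device: forwards only by flow-table lookup; it computes no paths itself."""

    def __init__(self, name):
        self.name = name
        self.flow_table = {}  # match (src_ip, dst_ip) -> action: output port

    def install(self, match, out_port):
        """Southbound: the controller writes a forwarding rule into this switch."""
        self.flow_table[match] = out_port

    def forward(self, packet):
        """Data traffic: table lookup only. None is a table miss (drop, or punt to the controller)."""
        return self.flow_table.get((packet["src"], packet["dst"]))


class Controller:
    """Control plane: holds the whole topology, computes paths, pushes rules southbound."""

    def __init__(self, switches, links, hosts):
        self.switches = {s.name: s for s in switches}
        self.hosts = hosts                 # host IP -> (switch name, port the host hangs off)
        self.adj = {}                      # switch -> {neighbour switch: port towards it}
        self.port_to_neighbour = {}        # (switch, port) -> neighbour switch
        for (a, pa), (b, pb) in links:
            self.adj.setdefault(a, {})[b] = pa
            self.adj.setdefault(b, {})[a] = pb
            self.port_to_neighbour[(a, pa)] = b
            self.port_to_neighbour[(b, pb)] = a
        self.authorized_apps = set()       # assumption: northbound callers must be enrolled first

    def request_flow(self, app, src_ip, dst_ip):
        """Northbound API: an application asks for connectivity; the controller programs every hop."""
        if app not in self.authorized_apps:
            raise PermissionError(f"{app} is not allowed to program flows")
        src_sw, _ = self.hosts[src_ip]
        dst_sw, dst_port = self.hosts[dst_ip]
        path = self._shortest_path(src_sw, dst_sw)
        installed = []
        for i, sw in enumerate(path):
            # Last hop sends out of the host-facing port; every other hop sends towards the next switch.
            out_port = dst_port if i == len(path) - 1 else self.adj[sw][path[i + 1]]
            self.switches[sw].install((src_ip, dst_ip), out_port)
            installed.append((sw, out_port))
        return installed

    def _shortest_path(self, start, goal):
        """Breadth-first search over the switch graph (fewest hops)."""
        prev = {start: None}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if node == goal:
                break
            for neighbour in self.adj.get(node, {}):
                if neighbour not in prev:
                    prev[neighbour] = node
                    queue.append(neighbour)
        if goal not in prev:
            raise ValueError(f"no path from {start} to {goal}")
        path, node = [], goal
        while node is not None:
            path.append(node)
            node = prev[node]
        return path[::-1]


def trace(controller, packet):
    """Walk a packet through the data plane using nothing but the switches' flow tables."""
    switch, _ = controller.hosts[packet["src"]]
    hops = []
    while True:
        out_port = controller.switches[switch].forward(packet)
        if out_port is None:
            return hops, "dropped (table miss)"
        hops.append((switch, out_port))
        nxt = controller.port_to_neighbour.get((switch, out_port))
        if nxt is None:                    # host-facing port: the packet has arrived
            return hops, "delivered"
        switch = nxt


def build_demo():
    """Constructed topology (not from the page): three switches in a line, one host at each end."""
    switches = [Switch("s1"), Switch("s2"), Switch("s3")]
    links = [(("s1", 2), ("s2", 1)), (("s2", 2), ("s3", 2))]
    hosts = {"10.0.0.1": ("s1", 1), "10.0.0.2": ("s3", 1)}
    controller = Controller(switches, links, hosts)
    controller.authorized_apps.add("billing-app")
    return controller


if __name__ == "__main__":
    ctl = build_demo()
    print(ctl.request_flow("billing-app", "10.0.0.1", "10.0.0.2"))  # control traffic, southbound
    print(trace(ctl, {"src": "10.0.0.1", "dst": "10.0.0.2"}))        # data traffic: delivered
    print(trace(ctl, {"src": "10.0.0.2", "dst": "10.0.0.1"}))        # no rule installed for this direction
```

Note that the reverse direction is dropped until an application asks for it: in this model nothing flows that the controller has not explicitly programmed, which is the whitelisting posture applied to the fabric itself.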
The below is far deeper than you need to know for the test, but cloud services like Google Cloud and AWS and Microsoft Azure and so on must use SDN. Here's what the AWS dashboard shows you of the orchestration parts of a multi-VM deployment with network orchestration. Amazon calls this "CloudFormation". Here we're starting multiple:
- Database instances
- Security groups (firewall rulesets)
- Load balancers
Next-Generation Firewall or NGFW
Similar to UTM or Unified Threat Management.
Whitelisting and Blacklisting
Blacklisting is default allow, maintain a growing list of known bad patterns to block.
Whitelisting is default deny, more powerful if you can make it work.
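An added example (not from the original notes) that puts the two definitions side by side as working filters on a document-name parameter. The blacklist is default allow with a short list of previously seen bad patterns; the whitelist is default deny with a single regular expression describing the only shape the value is ever expected to have. The sample values are constructed. Two of them show the trade-off the paragraph above describes: a variant the blacklist has never seen sails through it, while a perfectly legitimate but unusual name is rejected by the whitelist, which is the "if you can make it work" cost.

```python
import re

# Blacklist: known-bad patterns collected over time (default allow).
KNOWN_BAD_PATTERNS = [r"\.\./", r"<script", r"'\s*;\s*--"]

# Whitelist: the only shape a document name is ever expected to have (default deny).
EXPECTED_SHAPE = r"[a-z0-9_-]{1,32}\.(pdf|png)"


def blacklist_allows(value):
    """Default allow: let the value through unless it matches something on the list."""
    return not any(re.search(p, value, re.IGNORECASE) for p in KNOWN_BAD_PATTERNS)


def whitelist_allows(value):
    """Default deny: let the value through only if the whole value matches the expected shape."""
    return re.fullmatch(EXPECTED_SHAPE, value) is not None


# Constructed inputs (not from the original page).
SAMPLES = [
    "report.pdf",        # ordinary, legitimate
    "../etc/passwd",     # matches a pattern on the blacklist
    "..\\etc\\passwd",   # a variant the blacklist has not seen yet (backslashes instead of slashes)
    "Q3 Report.pdf",     # legitimate, but outside the whitelist's expected shape
]


def compare(values=SAMPLES):
    """Map each value to (blacklist verdict, whitelist verdict); True means allowed."""
    return {v: (blacklist_allows(v), whitelist_allows(v)) for v in values}


if __name__ == "__main__":
    for value, (black, white) in compare().items():
        print(f"{value!r:22} blacklist={'allow' if black else 'block'}  whitelist={'allow' if white else 'block'}")
```

The blacklist only ever gets longer as new variants are discovered, whereas the whitelist needs changing only when the legitimate shape of the input changes; the price is that every legitimate shape has to be known in advance.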
Voice over Internet Protocol or VoIP
Uses Session Initiation Protocol or SIP, so any SIP-capable device can talk to any other. SIP manages multimedia connections, including the codec selection.
Privacy extensions to SIP include encryption and caller ID suppression.
Internet Relay Chat or IRC
Unencrypted, and user identification is easily spoofed.
Some IRC clients can execute scripts. This was intended to simplify administration, but as they're executed with the user's privileges with little to no protection, they're an attractive target for social engineering.
SPIM is Spam over instant messaging.
IPsec: Know AH, ESP, SA or Security Association, Transport Mode, Tunnel Mode, and IKE or Internet Key Exchange.