[Image: M-209 cipher machine]

CISSP Domain 4 — Communication and Network Security

Yes, you need to know the OSI 7-layer model, or at least some of it. This should suffice:

Layer, what it does, and the device making decisions at this layer:

7 Application (with 6 Presentation and 5 Session): Jobs software programs do. Devices: ALG, AV, spam filter, DLP, WAF, etc.

4 Transport: UDP sends messages to numbered ports; TCP makes connections to numbered ports.

3 Network: Relay packets hop by hop to anywhere by IP address: [netid|hostid]. Device: router.

2 Data Link: Send frames to HW/MAC addresses. Device: switch (or bridge).

1 Physical: Send and receive 0 vs 1 bits. Device: repeater (point-to-point link) or hub (star).

Ancient History

This domain contains more ancient history than any other.

Network topologies: Know about Bus, Tree, and Ring in addition to the modern Star and impractical Mesh.

Collisions: Shouldn't be an issue with Ethernet switches (unless negotiation failed), but they want you to know about CSMA/CD.

FDDI: It was an attractive campus or metropolitan-area 100 Mbps backbone technology in the early to mid 1990s. Know that it has dual rings, so it can fail to a single ring if a link is cut. It can use copper or fiber.

Unexpected Layer 1 details

This wording is subtle, but know it:

Fiber types:

Fibre Channel over Ethernet or FCoE: It's a high-speed serial interface using fiber or copper.


Cable modems: Know that they use the DOCSIS protocols.

BPL or Broadband over Powerline: I think that this technology hasn't really caught on, due to the severe radio interference problems it causes. But know that it exists.

WiFi range extenders: Know that these exist.

Bluetooth: 802.15. Use Bluetooth 4.x and above, with FIPS approved AES.

Satellite: Useful for remote or sparsely populated areas.

Mobile telephony:

Unexpected Layer 2 details

Know a little about MPLS or Multiprotocol Label Switching: it's a WAN protocol in which the first device inserts a label into the frame header, and that label is used for fast forwarding decisions at all subsequent hops. It lets you do traffic engineering, but it's being replaced by SD-WAN.

You might use PPPoE encapsulation on VPNs today.

Unexpected Layer 3 details

Know that the default gateway or default router might be called the gateway of last resort.

Ping of Death: This sounds ancient, since it was an issue in the 1990s, but it was a Windows vulnerability again in 2013.
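The flaw behind Ping of Death is in IPv4 fragment reassembly: the 13-bit fragment offset (in 8-byte units) plus a fragment's length can describe a reassembled datagram longer than the 65535 bytes the total-length field allows, and a reassembler that trusts those fields overflows its buffer. The following is an added example written for these notes, not code from the original page; it shows the bounds check a hardened reassembler or an IDS rule applies before copying any fragment data. The Fragment class and the two sample fragment sets are constructed for the example.

```python
# Added example (not from the original notes): a defender-side sanity check on
# IPv4 fragments before reassembly. The offset*8 + length bound is the check
# whose absence made the original "Ping of Death" possible.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_IPV4_DATAGRAM = 65535            # 16-bit total length field
MAX_FRAGMENT_OFFSET = (1 << 13) - 1  # 13-bit field, units of 8 bytes


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment as seen on the wire (constructed for this example)."""
    ident: int        # identification field shared by all fragments of a datagram
    offset: int       # fragment offset, in 8-byte units
    more: bool        # MF flag: another fragment follows this one
    payload_len: int  # bytes of data carried in this fragment


def fragment_end(frag: Fragment) -> int:
    """Byte position just past this fragment's data in the reassembled datagram."""
    return frag.offset * 8 + frag.payload_len


def check_fragment(frag: Fragment) -> Optional[str]:
    """Return a reason string if the fragment is malformed, None if acceptable."""
    if not 0 <= frag.offset <= MAX_FRAGMENT_OFFSET:
        return "fragment offset outside the 13-bit field"
    if frag.payload_len <= 0:
        return "fragment carries no data"
    if frag.more and frag.payload_len % 8 != 0:
        return "non-final fragment length is not a multiple of 8"
    end = fragment_end(frag)
    if end > MAX_IPV4_DATAGRAM:
        return f"fragment would extend datagram to {end} bytes (limit {MAX_IPV4_DATAGRAM})"
    return None


def screen_datagram(frags: List[Fragment]) -> Tuple[bool, int, List[str]]:
    """Validate the fragments of one datagram before any reassembly buffer is touched.

    Returns (ok, claimed_length, problems). claimed_length is what the
    fragments assert the datagram size to be; trust it only when ok is True.
    """
    problems = [r for r in (check_fragment(f) for f in frags) if r]
    if len({f.ident for f in frags}) != 1:
        problems.append("fragments belong to more than one datagram")
    if len([f for f in frags if not f.more]) != 1:
        problems.append("expected exactly one final fragment")
    claimed = max((fragment_end(f) for f in frags), default=0)
    return (not problems, claimed, problems)


# Constructed sample input: a normal 2960-byte ping split into two 1480-byte pieces.
NORMAL_PING = [
    Fragment(ident=0x1234, offset=0, more=True, payload_len=1480),
    Fragment(ident=0x1234, offset=185, more=False, payload_len=1480),
]

# Constructed sample input: the final fragment sits near the top of the offset
# range, so offset*8 + length exceeds what a 16-bit total length can hold.
OVERSIZED_PING = [
    Fragment(ident=0x5678, offset=0, more=True, payload_len=1480),
    Fragment(ident=0x5678, offset=8189, more=False, payload_len=1500),
]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL_PING), ("oversized", OVERSIZED_PING)):
        ok, claimed, problems = screen_datagram(frags)
        print(f"{name}: ok={ok} claimed_length={claimed} problems={problems}")
```

The oversized set is rejected because 8189 × 8 + 1500 = 67012 bytes, which no 16-bit total-length field can describe; the normal set reassembles to 2960 bytes and passes. The same bound is what a packet filter or IDS checks to flag the condition on the wire instead of in the host's IP stack.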

Unexpected Layer 4 details

Know that the Well-Known Ports are 0-1023.

Unexpected Layer 5 details

PPTP is used to encapsulate and tunnel, as over a VPN (although its attempt at cryptography is flawed and it shouldn't be used).

The modern way to run a VPN is to use L2TP to manage the tunnel and IPsec to encrypt the traffic.

RPC or Remote Procedure Call protocol: Does what it says.

Unexpected Layer 6 details

Systems use ASCII to represent Unicode. For example, the ASCII sequence &#1065; (or in hexadecimal, &#x0429;) within an HTML file represents Unicode character U+0429, the Cyrillic letter Щ.

UTF-8 is a character encoding that lets you represent arbitrary Unicode alphabets directly.

Browsers use Unicode internally, and convert other encodings into Unicode. So do search engines.
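The same letter can reach a browser as a decimal numeric reference, a hexadecimal one, or directly as UTF-8 bytes, and the browser's job is to turn all of them into one Unicode code point before doing anything else. The block below is an added example for these notes, not code from the original page: it encodes a code point as UTF-8 by hand (the bit layout from RFC 3629), resolves HTML numeric character references, and shows that the three representations normalize to the same character. The sample inputs are constructed.

```python
# Added example (not from the original notes): one Cyrillic letter three ways,
# and the bytes -> Unicode -> resolved-references pipeline a browser applies.
import re

# HTML numeric character reference: &#1065; (decimal) or &#x429; (hexadecimal)
NUMERIC_REF = re.compile(r"&#([xX][0-9A-Fa-f]+|[0-9]+);")


def utf8_encode(codepoint: int) -> bytes:
    """Encode one Unicode scalar value as UTF-8 by hand (RFC 3629 bit layout)."""
    if codepoint < 0 or codepoint > 0x10FFFF or 0xD800 <= codepoint <= 0xDFFF:
        raise ValueError(f"not a Unicode scalar value: {codepoint:#x}")
    if codepoint < 0x80:                       # 1 byte:  0xxxxxxx
        return bytes([codepoint])
    if codepoint < 0x800:                      # 2 bytes: 110xxxxx 10xxxxxx
        return bytes([0xC0 | (codepoint >> 6),
                      0x80 | (codepoint & 0x3F)])
    if codepoint < 0x10000:                    # 3 bytes: 1110xxxx 10xxxxxx 10xxxxxx
        return bytes([0xE0 | (codepoint >> 12),
                      0x80 | ((codepoint >> 6) & 0x3F),
                      0x80 | (codepoint & 0x3F)])
    return bytes([0xF0 | (codepoint >> 18),    # 4 bytes: 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
                  0x80 | ((codepoint >> 12) & 0x3F),
                  0x80 | ((codepoint >> 6) & 0x3F),
                  0x80 | (codepoint & 0x3F)])


def decode_numeric_refs(text: str) -> str:
    """Replace every &#NNNN; or &#xHHHH; reference with the character it names."""
    def repl(match: "re.Match[str]") -> str:
        ref = match.group(1)
        codepoint = int(ref[1:], 16) if ref[0] in "xX" else int(ref, 10)
        return chr(codepoint)
    return NUMERIC_REF.sub(repl, text)


def normalize_document(raw: bytes, charset: str = "utf-8") -> str:
    """What a browser does: bytes -> Unicode via the declared charset, then resolve references."""
    return decode_numeric_refs(raw.decode(charset))


# Constructed sample inputs: the same letter, U+0429, arriving three ways.
SAMPLES = {
    "ascii decimal reference": b"&#1065;",
    "ascii hex reference": b"&#x0429;",
    "raw utf-8 bytes": utf8_encode(0x0429),
}


def all_same_codepoint(samples=SAMPLES) -> bool:
    """True when every sample normalizes to one and the same character."""
    return len({normalize_document(v) for v in samples.values()}) == 1


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:24s} {raw!r:18} -> {normalize_document(raw)!r}")
    print("all identical after normalization:", all_same_codepoint())
```

Seen as raw bytes, the three inputs are different strings of 7, 8 and 2 bytes; seen after the decode-then-resolve step they are the single code point U+0429. That is why browsers and search engines normalize to Unicode internally, and why any content inspection (filtering, indexing, logging) has to do the same normalization before comparing text.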

MP3 or MPEG-1 Audio Layer 3 is a standard audio encoding and compression algorithm. WAVE is another audio encoding standard.

Unexpected Layer 7 details

Know about X11 and the ancient commands rlogin, rcp, rsh, and ftp. You should have replaced them some time ago with the SSH versions: ssh, scp, and sftp.

Screen scrapers have been useful to automatically interact with mainframes over TN3270 or similarly old technology.

Application Protocols

DNS: Know about DNSSEC (validates zone transfers with digital signatures), and that you need A, NS, PTR, and MX records.


Active Directory: Microsoft's branding of a combination of 3 protocols using a shared backend database: DNS + LDAP + Kerberos.

SDN or Software-Defined Networking

Also called NFV or Network Function Virtualization. SD-WAN is replacing MPLS.

Network traffic is split into two classes: data traffic flowing from applications to other applications or storage, and control traffic flowing from network controller devices to switches and routers altering flows between devices in data centers. This is usually visualized as:

Management or Application Plane
Control Plane
Data Plane

Filling in some details but keeping the drawing and labels as general as possible:

Applications Orchestration
↑ ↓ ↑ ↓ northbound ↑ ↓ ↑ ↓
↑ ↓ ↑ ↓ southbound ↑ ↓ ↑ ↓
Switch Fabric
⎕ ↔ ⎕ ↔ ⎕ ↔ ⎕ devices ⎕ ↔ ⎕ ↔ ⎕ ↔ ⎕

Applications can request traffic flows of desired connectivity and performance. They may do this directly through the API (or Application Programming Interface) of the controller through the northbound traffic. There may also (or instead) be an orchestration engine on the northbound side, which might be considered the management plane.

The controller sends configuration commands to the Layer 2-4 switching fabric through the southbound traffic.

The below is far deeper than you need to know for the test, but cloud services like Google Cloud and AWS and Microsoft Azure and so on must use SDN. Here's what the AWS dashboard shows you of the orchestration parts of a multi-VM deployment with network orchestration. Amazon calls this "CloudFormation". Here we're starting multiple:

[Image: AWS dashboard view of SDN (or software-defined networking) orchestration]

Many thanks to Carter Elmore for the screenshot!

Next-Generation Firewall or NGFW

Similar to UTM or Unified Threat Management.

Whitelisting and Blacklisting

Blacklisting is default allow: you maintain a growing list of known bad patterns to block, and anything not on the list gets through.

Whitelisting is default deny: only what is explicitly listed is allowed. It's more powerful if you can make it work.
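The difference shows up with the first bad thing the list maintainers have not seen yet. The block below is an added example for these notes, not code from the original page: the same three constructed "executables" run past a denylist of known-bad name patterns (default allow) and past an allowlist of approved file hashes (default deny). The file names, contents and hashes are constructed for the example, not real malware indicators.

```python
# Added example (not from the original notes): default-allow (blacklist) versus
# default-deny (whitelist) decisions on the same inputs.
import hashlib
import re
from typing import Dict, Pattern, Set, Tuple

# Constructed sample "executables": name -> file content (stand-ins, not binaries).
SAMPLE_FILES: Dict[str, bytes] = {
    "notepad.exe": b"benign editor",
    "evilminer.exe": b"crypto miner",
    "evi1miner.exe": b"crypto miner",   # same content, renamed after the pattern was published
}

# Blacklist: a growing list of known-bad patterns (constructed).
DENY_PATTERNS: Tuple[Pattern[str], ...] = (
    re.compile(r"evilminer", re.IGNORECASE),
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Whitelist: explicitly approved content, identified by hash rather than by name,
# so a renamed copy of an approved file still passes and a renamed copy of
# anything else still fails.
ALLOWED_HASHES: Set[str] = {sha256_hex(b"benign editor")}


def denylist_decision(name: str, data: bytes) -> str:
    """Default allow: block only when a known-bad pattern matches the name."""
    return "block" if any(p.search(name) for p in DENY_PATTERNS) else "allow"


def allowlist_decision(name: str, data: bytes) -> str:
    """Default deny: allow only when the content hash is explicitly approved."""
    return "allow" if sha256_hex(data) in ALLOWED_HASHES else "block"


def compare(files: Dict[str, bytes] = SAMPLE_FILES) -> Dict[str, Tuple[str, str]]:
    """Return {name: (denylist decision, allowlist decision)} for each file."""
    return {name: (denylist_decision(name, data), allowlist_decision(name, data))
            for name, data in files.items()}


if __name__ == "__main__":
    print(f"{'file':16s} {'blacklist':10s} {'whitelist':10s}")
    for name, (deny, allow) in compare().items():
        print(f"{name:16s} {deny:10s} {allow:10s}")
```

The renamed copy passes the blacklist, because its name no longer matches the published pattern, and is stopped by the whitelist, because its hash was never approved. The cost is on the other side: every legitimate update to the editor changes its hash, so the allowlist has to be maintained as part of change management, which is what "if you can make it work" is about.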

Voice over Internet Protocol or VoIP

Uses Session Initiation Protocol or SIP, so any SIP-capable device can talk to any other. SIP manages multimedia connections, including the codec selection.

Privacy extensions to SIP include encryption and caller ID suppression.

Internet Relay Chat or IRC

Unencrypted, and user identification is easily spoofed.

Some IRC clients can execute scripts. This was intended to simplify administration, but as they're executed with the user's privileges with little to no protection, they're an attractive target for social engineering.

SPIM is Spam over instant messaging.


IPsec

Know: AH, ESP, SA or Security Association, Transport Mode, Tunnel Mode, and IKE or Internet Key Exchange.