NET+ Study

By: Jacob Ellison
SECTION 2
Network Models - Represent how networks function
1. OSI & TCP/IP
KNOW THE NAME AND NUMBERS OF LAYERS
OSI 7 Layer
1 - Physical: Cables, bits
2- Data Link: Network cards, switches, frames (MAC Addresses)
3- Network: (IP addresses) Logical addresses, routers
4 - Transport: assembly disassembly area
5 - Session: Actual connection between 2 systems
6 - Presentation: convert and encrypt/decrypt data into format the application can read
7 - Application: Network aware
TCP/IP Model
1 - Network Interface(Link Layer): Physical cabling, MAC addresses, Network Cards
2- Internet: IP Addresses
3 - Transport: Session too
4 - Application: Looks at actual application
Network card receives the Ethernet frame, verifies it is addressed to it, strips it down to the IP packet and passes it up
Check IP addresses on the Internet layer, then pass up the TCP segment
Transport assembles or disassembles the data and sends it to the next layer
Application layer looks at source and destination port numbers and sends the data to the correct
application
MEET THE FRAME
Collection of 1s and 0s - packetized data. Can be up to 1500 bytes long (8 bits to a byte).
Discrete beginning and end.
Frames are created and destroyed in the NIC
MAC ADDRESS(Media Access Control) 48-bit identifier
Ipconfig /all to find MAC/Physical address
xx-xx-xx-xx-xx-xx: First three pairs are the OEM (original equipment manufacturer) ID. Last three
pairs are the Unique ID.
CRC (cyclic redundancy check) checks for good data
BROADCAST vs UNICAST
Broadcast Domain - group of computers that can hear each other’s broadcast
Unicast: transmission to a single device on a network
Broadcast: transmission sent to every device in broadcast domain
Broadcast address looks like: FF-FF-FF-FF-FF-FF
Introduction to IP Addressing
Logical Addressing: IP address most common. Not fixed with a network card. First three
numbers identify the network, 4th number is the device.
Routers are now usually also switches. Router can connect 2 or more networks.
IP Packet - Sits within frame, never changes
Default gateway is connection to router
Routing Table - tells where to send data
Packets and Ports
Port numbers: unique to individual applications over the internet.
TCP:(Connection Oriented) Transmission Control Protocol
-Sequence Number: helps software reassemble data correctly
UDP: Connectionless
SECTION 3
Network Topologies
1. Bus Topology - One cable bus runs through all computers. Mostly obsolete now
2. Ring Topology - Single ring of cable through all hosts
3. Star Topology - Individual hosts plugged into a middle section
4. Hybrid Topology - Star-Bus Topology. Physically looks like a star but works like a bus,
with a hub connecting in the center
5. Mesh Topology- Each host is connected to all other hosts. Most useful as a wireless
network. Fully meshed topology when all are connected to each other. Partially meshed
topology is when a host is connected to only one other host, while that host is connected
to all others.
Coaxial Cabling
Common Axis(coaxial)- has 2 conductors, center point and tube layer
Radio Grade (RG), OHMs(measurement of resistance)
1. RG-58/8: 50 OHM - BNC connector (old networking cable)
2. RG-59: 75 OHM - Threaded connector (F-Type)
3. RG-6: 75 OHM - Thicker, most common coax cable
4. RG-59/6 are used in modems
Twisted Pair - Most common cabling on networks
Unshielded Twisted Pair(UTP): No metal shielding, cheap vs alternative
In network environments, 4 pairs are most common.
568A Standard
568B Standard
Shielded Twisted Pair(STP)
CAT Ratings
1. Cat 3 - 10 Mbps
2. Cat 5 - 100 Mbps @ 100 meters
3. Cat 5e - 1000 Mbps @ 100 meters
4. Cat 6 - 1 Gbps @ 100 meters
5. Cat 6a - 10 Gbps @ 100 meters
6. Cat 7 - 10 Gbps @ 100 meters, shielded
Fiber Optic Cabling
Multimode & Single Mode
Multi sends LEDs, almost always orange
Single sends lasers, almost always yellow
Fiber Optics are generally duplex cables
ST Connector- Early, looks similar to BNC
SC Connector - Square, punch in and out
FC Connector - threaded
LC Connector - 2 in 1
MT-RJ Connector - Doesn't look it but has 2 connectors
PC Contact - Slightly round edges
UPC - More rounded
APC(angled physical contact) - Edge is angled and efficient
Fire Ratings
1. Plenum - space in drop ceiling or floor. Has the highest fire rating.
2. Riser- runs between floors. Does not have the same resistance of plenum
3. PVC- No protection, Cheaper.
Legacy Network Connections
Serial Ports- Oldest I/O connections for computers. RS-232 language
DB-9 or DB-25
Parallel Ports - still DB, but Female. Typically used for printers
IEEE Standards- Feb 1980, 802 committee
Rollover/Yost connection- used for network configuration for a router or switch
SECTION 4
Ethernet Basics
What is Ethernet
IEEE 802.3 - Ethernet Standard
Ethernet Frames are all the same: No more than 1500 bytes.
10Base5- 10(speed)Base(channel)5(Length)
10BaseT- Twisted Pair
Ethernet Frames
1. PREAMBLE- Lets NIC know a frame is coming
2. Destination MAC
3. Source MAC
4. Data Type/Ether Type - What kind of data is moving
5. DATA- Min 64 bytes, Max 1522 bytes/octets
6. PAD - Pushes data to the minimum size
7. Frame Check Sequence(FCS): Checks for correct data(Error Detection)
JUMBO FRAME - Push one frame to 9000 bytes (high speed network)
MTU: Maximum Transmission Unit
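The frame layout above (destination MAC, source MAC, EtherType, data plus pad, FCS) and the MAC address rules from the earlier section, as an added example that is not part of these notes: it builds a frame, applies the minimum-size pad and the CRC-32 FCS, parses the fields back out, flags broadcast versus unicast, splits the OUI from the unique ID, and shows the FCS catching a single flipped bit. The OUI table and MAC values are constructed for the demo.

```python
import zlib

BROADCAST_MAC = bytes.fromhex("ffffffffffff")
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
# Constructed OUI table for the demo; a real tool would consult the IEEE registry.
OUI_NAMES = {"00:1a:2b": "ExampleVendor (constructed)"}
MTU = 1500        # maximum payload per frame
MIN_FRAME = 64    # header + data + FCS must reach 64 bytes on the wire


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an 802.3 frame: dst MAC | src MAC | EtherType | data (+ pad) | FCS.

    The preamble is not included: the NIC adds and strips it, so software never sees it.
    """
    if len(payload) > MTU:
        raise ValueError(f"payload of {len(payload)} bytes exceeds the {MTU}-byte MTU")
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    # PAD: zero-fill so header + data reaches 60 bytes before the 4-byte FCS
    body += b"\x00" * max(0, MIN_FRAME - 4 - len(body))
    # FCS is CRC-32 over everything after the preamble, least-significant byte first
    fcs = zlib.crc32(body).to_bytes(4, "little")
    return body + fcs


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields and verify the FCS (error detection)."""
    if len(frame) < MIN_FRAME:
        raise ValueError(f"runt frame: {len(frame)} bytes")
    body, fcs = frame[:-4], frame[-4:]
    dst, src = body[0:6], body[6:12]
    ethertype = int.from_bytes(body[12:14], "big")
    oui = fmt_mac(src[:3])   # first three pairs: OEM; last three pairs: unique ID
    return {
        "dst": fmt_mac(dst),
        "src": fmt_mac(src),
        "broadcast": dst == BROADCAST_MAC,
        "src_oui": oui,
        "src_vendor": OUI_NAMES.get(oui, "unknown"),
        "ethertype": ETHERTYPES.get(ethertype, hex(ethertype)),
        "data_len": len(body) - 14,
        "fcs_ok": zlib.crc32(body).to_bytes(4, "little") == fcs,
    }


def corrupt(frame: bytes, byte_index: int) -> bytes:
    """Flip one bit so the FCS check fails: CRC-32 detects every single-bit error."""
    out = bytearray(frame)
    out[byte_index] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    pc = bytes.fromhex("001a2b0c0d0e")   # constructed source MAC
    frame = build_frame(BROADCAST_MAC, pc, 0x0806, b"who-has 192.168.1.1?")
    print(parse_frame(frame))
    print(parse_frame(corrupt(frame, 20))["fcs_ok"])   # False
```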
Early Ethernet
REQUIRES Terminating resistors at both ends
10Base5
CSMA/CD: Carrier Sense Multiple Access/Collision Detection. When the frame hits the end of
the bus you get a reflection; to avoid it you install terminating resistors. Two computers can't
talk at the same time (CD); when a collision is detected, a random number chooses when each
computer gets to talk again
10Base2- 185 meters
BNC connector, T connector has removable terminator to add devices. Up to 30 devices.
Daddy of the Internet 10BaseT
Token Ring-Competitor to ethernet. If cable broke the whole network did not go down
Bus in a box is the cornerstone of today's switch technology.
10BaseT- 10 Mbps @100 meters, 1024 nodes max, CAT 3 cable or better
Terminating Twisted Pair
Straight through cables are most common
Strip, unwind, allocate wire order, insert into collar, insert into crimp, use crimper tool
8P8C - RJ45 connector
Hubs vs Switches
Hub: Multi-port repeater. Sees a signal and creates copies. Uses CSMA/CD
Collision is when 2 computers start talking at once, when the collision is detected a random
number is assigned to each computer to wait before talking.
Collision domain.
Switch: Very similar to a hub, but looks at MAC addresses, reduces bandwidth. If it
needs to send a broadcast, the universal broadcast MAC is used (FF-FF-FF-FF-FF-FF)
Section 5: MODERN ETHERNET
100BaseT: 100Mbps
Half-Duplex: Only one end can talk
Full-Duplex: Both can listen and talk at the same time
100BaseT4: 100 meters cat 3, 1024 nodes, 100Mbps, 4 pairs
100BaseTX: 100Mbps 1024 nodes, 100m, Cat 5e, 2 pairs.
-Now known as 100BaseT
100BaseFX: Fiber Multimode, 2km
Connecting Switches
Patch cables: Straight through cable, crossover cable (568A to 568B)
InfiniBand (IB): Used in switches and storage systems for 200Gbps
Old days: used crossover cable to connect 2 switches. Any port on either switch.
Newer switches use an “Uplink Port”: the port allows a straight-through cable because the crossover has
been built into the port.
Auto Sensing ports: Newest switches use these to auto configure with straight through cables.
Gigabit Ethernet & 10Gb Ethernet
- 1000BaseCX: Twinax, 25 meters, copper
- 1000BaseSX: Multimode Fiber, 500 Meters
- 1000BaseLX: Single-mode Fiber 5KM or Multi-Mode 550 meters
- 1000BaseT: UTP, CAT6, 100 Meters
10Gb can work with Ethernet and SONET
- 10GBaseT: CAT6 55 meters, CAT6a 100 Meters UTP
- 10GBaseSR/SW: Multimode Fiber 26-400 meters
- 10GBaseLR/LW: Single-Mode on 1310 nanometer Fiber up to 10KM
- 10GBaseER/EW: Single-Mode on 1550 nanometer Fiber up to 40KM
- ‘W’ is for the SONET equivalent
Transceivers
Multisource Agreement (MSA): Resulted in devices(adapters) to be able to connect different
fiber standards.
GBIC: Gigabit interface converter
SFP: Small Form factor Pluggable - for smaller fiber form factor like LC (SFP+)
QSFP: Quad small form-factor pluggable- designed for 40Gb ethernet.
Fiber optics are full duplex, which is why you see two cables: one sends, one receives.
Bidirectional (bidi): sending 2 signals through one cable.
Connecting Ethernet Scenarios
Loop Issues: Bridging loop will crash broadcast domain. Spanning Tree Protocol (STP)
prevents this with BPDU Guard. Root switch will turn off the port with the bridging loop. Layer 2
attack requires local connection to the network. Flood Guard also turns off ports.
RSTP (Rapid Spanning Tree Protocol): RSTP prevents network loops when using
multiple switches by blocking redundant paths on a network.
Mismatched Switch Issues: Rare, but speed mismatch can occur with a very old switch
connecting to a new one.
Dedicated High-Speed ports: Less common, trick is wiring them properly.
Auto Sensing is built into most switches today.
Duplex Mismatch: connecting 2 computers together could require half duplex.
Chapter 6: Installing a physical Network
Introduction to Structured Cabling
1. Telecom closet/equipment
2. Horizontal runs
3. Work area
Patch panel: one end of a horizontal run
TIA Standards: rules for wiring
110 punchdown block - terminates cables from horizontal runs and distributes copper-wired
networks
RJ-45 crimps are used only on patch cables, Patch panels and RJ-45 connectors also have cat
ratings
Equipment Room
MDF- Main distribution frame. Rack mount standardized at 19” wide and 1 3/4” units
IDF - Intermediate distribution frame
U(unit) is a standard height for components in a rack. 1 inch and ¾
Demarc - separates the telecom company property from yours
Alternative Distribution Panels
66-Punch Down block: Used mainly for phone lines.
If on a Fiber Optic network you won't use 110 or 66 punch downs. You will use a Fiber
Distribution Panel
Testing Cable
Wiremap - checking all of the wire arrangements in a cable
Continuity - connection breaks
TDR - Time Domain Reflectometer, checking length. TIA standards rule that horizontal runs
must be less than 90 meters
OTDR- Optical TDR
Crosstalk
Troubleshooting Structured Cabling
Check ‘Work Area’ first
Without 2 link lights from both sides the connection will be bad.
Loopback: 127.0.0.1
Check patch cable: notorious for breaking
Wall Plug/Port
Equipment Room
Electricity: Test voltage with Voltmeter. Voltage Monitor: Will watch voltage over a period
of time.
Environmental/Temp monitors.
TDR to check the horizontal run
Interference
Multi-mode fiber optic is susceptible to Modal Distortion - Light distortion. Single
Mode does not suffer from this.
Using a Toner and a Probe
Tone Generator creates a tone, the probe finds the tone through a certain cable.
FEXT (Far End CrossTalk): If detecting excessive FEXT, you have interference on the far side
from the transmitter.
Wired Connection Scenarios
Slow or Poor connectivity issues
- Attenuation: Over a distance a signal will begin to degrade.
- Jitter: VoIP and Video streaming has issues with dropped packets. Solve by buffering or
increasing speed/throughput
- Incorrect Cable: Patch cables can cause speed issues.
No Connections
- Bad Ports: can be shorted, try different port
- TX/RX Reverse: Crossover instead of straight, Vice versa. Incorrect crimp.
- Bent Pins: Can happen after frequent usage on switches
- Open/Short: Used a bad cable, two pins stuck together
Chapter 7 TCP/IP Basics
Introduction to IP Addressing and Binary
IP address broken into four sections (octets) of 8 ones or zeros.
2^8 (256) Combinations possible. Each octet is from 0 - 255
128 64 32 16 8 4 2 1
1 1 0 0 0 1 0 1 = 197
1 0 1 0 1 0 1 0 = 170
171 = 10101011
224 = 11100000
95 = 01011111
Introduction to ARP - Address Resolution Protocol
ARP is a broadcast and the destination has to reply with their MAC
In cmd “arp -a” looks at stored IP’s and MAC addresses in the ARP cache
Classful Addressing
IANA - Internet Assigned Numbers Authority. They pass out IPs to RIRs (Regional Internet
Registries), then to ISPs, then to consumers.
Class Licenses
- Class A: 0 to 126 /8
- Class B: 128 to 191 /16
- Class C: 192 to 223 /24
Subnetting divides Network IDs into two or more networks
Subnet Masks
Host can not use 0 or 255. 0 is for Network ID and 255 is for broadcast.
The mask is only used by the computer, it is never sent out.
The host uses the subnet mask to know if the destination is on the local network or a remote
network.
When a host needs to connect with another host outside of the network ID the default gateway
will figure out where to forward the information.
Subnetting with CIDR (Classless Inter-Domain Routing)
Subnetting is most commonly done by internet service providers
Using more 1’s than normal subnet masks.
Ex: 255.255.255.128 /25 = 11111111.11111111.11111111.10000000
The more subnets you create the less hosts you have per subnet.
More CIDR Subnetting Practice
Need a static address for a server that needs to be reached by many people.
/24 = 254 hosts. 255.255.255.0 mask
/25 = 125 hosts. 255.255.255.128 mask
/26 = 62 hosts. 255.255.255.192 mask
/27 = 30 hosts. 255.255.255.224 mask
/28 = 14 hosts. 255.255.255.240 mask
/29 = 6 hosts. 255.255.255.248 mask
/30= 2 hosts. 255.255.255.252 mask
/31 = 0 hosts
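The binary octet table, the subnet-mask local-versus-remote decision and the CIDR host counts above, worked in code as an added example that is not from these notes: it converts addresses to the 128-64-32-16-8-4-2-1 bit pattern, derives mask, network ID, broadcast and usable hosts (the 2^n - 2 rule, with /31 and /32 giving 0) for any prefix, tests whether a destination is local, and divides a network into smaller subnets to show that more subnets mean fewer hosts each. Address values are constructed.

```python
def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    """Each octet as 8 bits with place values 128 64 32 16 8 4 2 1."""
    return ".".join(f"{int(o):08b}" for o in addr.split("."))


def prefix_to_mask(prefix: int) -> str:
    """/N becomes N leading 1s followed by 32-N zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return int_to_ip(((1 << prefix) - 1) << (32 - prefix))


def mask_to_prefix(mask: str) -> int:
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != ip_to_int(prefix_to_mask(prefix)):
        raise ValueError(f"mask bits are not contiguous: {mask}")
    return prefix


def subnet_info(cidr: str) -> dict:
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = ip_to_int(prefix_to_mask(prefix))
    network = ip_to_int(addr) & mask              # host bits cleared: network ID
    broadcast = network | (~mask & 0xFFFFFFFF)    # host bits set: broadcast
    # network ID and broadcast are reserved, so usable hosts = 2^(host bits) - 2
    usable = (1 << (32 - prefix)) - 2 if prefix <= 30 else 0
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "mask": prefix_to_mask(prefix),
        "mask_binary": to_binary(prefix_to_mask(prefix)),
        "usable_hosts": usable,
        "first_host": int_to_ip(network + 1) if usable else None,
        "last_host": int_to_ip(broadcast - 1) if usable else None,
    }


def is_local(src: str, dst: str, mask: str) -> bool:
    """The host ANDs both addresses with its mask: same result means same network,
    otherwise the packet goes to the default gateway."""
    m = ip_to_int(mask)
    return (ip_to_int(src) & m) == (ip_to_int(dst) & m)


def split_subnets(cidr: str, new_prefix: int) -> list:
    """Divide one network ID into 2^(new_prefix - prefix) equal subnets."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    if not prefix <= new_prefix <= 32:
        raise ValueError("new prefix must be at least as long as the original")
    base = ip_to_int(addr) & ip_to_int(prefix_to_mask(prefix))
    step = 1 << (32 - new_prefix)
    return [f"{int_to_ip(base + i * step)}/{new_prefix}" for i in range(1 << (new_prefix - prefix))]


if __name__ == "__main__":
    print(to_binary("197.170.171.224"))
    print(subnet_info("192.168.1.130/25"))
    print(split_subnets("192.168.1.0/24", 26))
```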
Dynamic and Static IP Addressing
Static: manual IP entry
DHCP (Dynamic Host Configuration Protocol) or BootP(linux)
DHCP server can be software on a computer, but most often is built into the router. Your PC
needs to be a DHCP client.
Client sends a DHCP Discover broadcast onto the network. The DHCP server sees it and
responds with a unicast DHCP Offer. Client sends back a DHCP Request saying yes, I'll take
this. DHCP server sends an Acknowledgement. Each broadcast domain must only have one
DHCP server. The DHCP server has to be run within the broadcast domain.
In cmd “ipconfig /all” command shows ethernet connection and DHCP server
When you set up DHCP server you have to create a “scope”. Enters range for IP addresses.
Add exclusions, set lease time(quicker time for places like coffee shops), DNS.
Rogue DHCP Servers
APIPA: fallback when DHCP server fails. APIPA is always 169.254 addresses
If IP address looks normal but is not the correct one, you could have 2 DHCP servers, and they
will compete.
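The Discover/Offer/Request/Ack exchange and the rogue-server problem above, simulated as an added example (not code from these notes): every server in the broadcast domain hears the Discover, the client accepts whichever Offer arrives first, the broadcast Request names the chosen server so the others withdraw, and any Offer from a server not on the authorized list is reported as a rogue. Server IDs, scopes and MACs are constructed; the `authorized_ids` check is the same idea a DHCP-snooping switch applies.

```python
from dataclasses import dataclass
from typing import Optional

BROADCAST = "255.255.255.255"


@dataclass
class DhcpMessage:
    kind: str                          # DISCOVER, OFFER, REQUEST or ACK
    xid: int                           # transaction id that ties the four messages together
    client_mac: str
    dst: str = BROADCAST               # Discover/Request are broadcast; Offer/Ack are unicast
    yiaddr: Optional[str] = None       # "your" IP address: the lease being offered or assigned
    server_id: Optional[str] = None    # option 54: which server this message concerns
    lease_secs: Optional[int] = None


class DhcpServer:
    def __init__(self, server_id, scope, lease_secs, exclusions=()):
        self.server_id = server_id
        self.pool = [ip for ip in scope if ip not in exclusions]   # scope minus exclusions
        self.lease_secs = lease_secs
        self.offered = {}   # client_mac -> ip tentatively offered
        self.leases = {}    # client_mac -> ip acknowledged

    def handle(self, msg: DhcpMessage) -> Optional[DhcpMessage]:
        if msg.kind == "DISCOVER":
            free = [ip for ip in self.pool if ip not in self.offered.values()]
            if not free:
                return None   # scope exhausted: this client gets no offer
            self.offered[msg.client_mac] = free[0]
            return DhcpMessage("OFFER", msg.xid, msg.client_mac, dst=msg.client_mac,
                               yiaddr=free[0], server_id=self.server_id,
                               lease_secs=self.lease_secs)
        if msg.kind == "REQUEST":
            if msg.server_id != self.server_id:
                self.offered.pop(msg.client_mac, None)   # client chose another server: withdraw
                return None
            ip = self.offered.pop(msg.client_mac)
            self.pool.remove(ip)
            self.leases[msg.client_mac] = ip
            return DhcpMessage("ACK", msg.xid, msg.client_mac, dst=msg.client_mac,
                               yiaddr=ip, server_id=self.server_id, lease_secs=self.lease_secs)
        return None


def dora(client_mac, servers, authorized_ids, xid=0x3903F326):
    """One Discover/Offer/Request/Ack exchange across every server in the broadcast domain."""
    log = []
    discover = DhcpMessage("DISCOVER", xid, client_mac)
    log.append(discover)
    offers = [o for o in (s.handle(discover) for s in servers) if o]   # all servers hear it
    log.extend(offers)
    if not offers:   # no lease at all: a real client would fall back to APIPA 169.254.x.x
        return {"ip": None, "server": None, "rogue_offers": [], "log": log}
    chosen = offers[0]   # the client takes the first offer it hears, rogue or not
    request = DhcpMessage("REQUEST", xid, client_mac, yiaddr=chosen.yiaddr,
                          server_id=chosen.server_id)   # broadcast so every server sees the choice
    log.append(request)
    acks = [a for a in (s.handle(request) for s in servers) if a]
    log.extend(acks)
    rogue = sorted({o.server_id for o in offers} - set(authorized_ids))
    return {"ip": acks[0].yiaddr if acks else None, "server": chosen.server_id,
            "rogue_offers": rogue, "log": log}


if __name__ == "__main__":
    legit = DhcpServer("192.168.1.1", ["192.168.1.100", "192.168.1.101"], 86400)
    rogue = DhcpServer("192.168.1.250", ["10.66.0.5"], 3600)   # constructed rogue server
    result = dora("aa:bb:cc:00:00:01", [rogue, legit], authorized_ids=["192.168.1.1"])
    for m in result["log"]:
        print(m)
    print("lease:", result["ip"], "rogue offers seen:", result["rogue_offers"])
```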
Special IP Addresses
Private IP: 10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x used by NAT device.
Loopback IP: 127.0.0.1, Ping yourself to test
IPv6 Loopback is ::1
APIPA (Automatic Private IP Addressing) 169.254.x.x
IP Addressing Scenarios
Duplicate IP Address: Rogue DHCP could send duplicates, or they were input statically. Use
ipconfig/ifconfig to see addresses.
Duplicate MAC Addresses: Virtual machines.
Incorrect Gateway: Can't get out of the local network. Man in the Middle attack. Could type them
in statically.
Incorrect Subnet Mask: All computers in the same broadcast domain should have the same
subnet mask.
Expired IP Address: DHCP could be dead, means no new lease on IP
Chapter 8: Routing
Router - box that connects network IDs. Filter and forward based on IP address.
Built into every router is a Routing Table - usually configured automatically.
Default Route - ISP has an Upstream Router. If the route does not have defined criteria it goes
into the default route, all zeros on the address and subnet. If the router sees all zeros on the
DEFAULT GATEWAY then the router is directly connected to the destination network.
When sending information to the upstream router, an ARP is sent out for the MAC address.
Gateway Routers - not as many connections and basically acts as a gateway to the internet for
your devices.
What happens when you have 2 default routes? A “Metric” table is used to prioritize traffic.
If the lower number fails it will move to the next default route in the metric table. Routers do not
care where packets come from, only where they are going. Routers are not specifically
exclusive to Ethernet connections. Could be DSL, optical, etc.
Understanding Ports
Any time you have a TCP packet, it has a destination Port and Source Port. The port number is
set by the type of application you are using. The computer generates an ephemeral port number
as the source. Number is past 1024.
Network Address Translation
NAT - “Port Address Translation” (PAT) built into routers. Takes a private IP address from an
outgoing packet and replaces it with the router’s public IP. When the packets return NAT looks at
the packet and remembers which device sent the packet, puts back the private IP and sends it
to the proper device.
Static NAT (SNAT) - Assigns one IP address, like port forwarding, to all go to one place
Dynamic NAT (DNAT) - has more than one IP address to give out to devices trying to send
information over the internet. The downside is that there is only a fixed number of addresses
available at one given time.
Implementing NAT
Most home routers have NAT turned on by default. Big businesses usually never have NAT
turned on. NAT can be disabled from the router's configuration; some older routers call this
setting “gateway/router mode”
Forwarding Ports
Port Forwarding - EX:(router IP is 1.1.1.1) If a security camera is connected to your network
and functions off a web server with the IP of 192.16.5.13 you remote into the camera by simply
typing the IP address of the camera. But what if you are far away and not connected to your
network? This is where port forwarding comes into play. With port forwarding you can type in
“RouterIP:Port” - and if the settings are configured you will have access to the camera. When
applying port forwarding settings: “Application” field can be the name of device or anything.
“Protocol” field can be UDP/TCP/Both. “Source” field lets you specify a specific IP that can
access the port; if left empty any device will have access. “Port from” 8181 is an example port.
“IP address of camera” then “Port to”: camera is using port 80.
When you have many ports that need forwarding, like a game server. You can use Port Range
Forwarding -can set start and end port numbers.
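NAT/PAT translation and the port-forwarding fields above (Protocol, Source, Port from, IP address, Port to, plus a port range), modelled as an added example that is not from these notes: outbound packets get the router's public IP and a translated source port, returning packets are matched back to the private host, and inbound packets are either a reply to a tracked translation, a configured forward (with the optional Source restriction enforced), or dropped. The router IP 1.1.1.1 and camera 192.16.5.13:80 follow the notes' own example; other addresses are constructed.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class NatRouter:
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.translations = {}   # (proto, public_port) -> (private_ip, private_port)
        self.by_private = {}     # (proto, private_ip, private_port) -> public_port
        self.forwards = {}       # (proto, port_from) -> (private_ip, port_to, allowed_source)
        self.next_port = itertools.count(49152)   # translated source ports are drawn from here

    def add_forward(self, proto, port_from, private_ip, port_to, source=None):
        """One port-forwarding rule; source=None means any device may use it."""
        self.forwards[(proto, port_from)] = (private_ip, port_to, source)

    def add_forward_range(self, proto, start, end, private_ip):
        """Port Range Forwarding: every port from start to end goes to the same host."""
        for port in range(start, end + 1):
            self.add_forward(proto, port, private_ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: swap the private source for the public IP and a new port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.by_private:   # one translation per private socket (simplified PAT)
            public_port = next(self.next_port)
            self.by_private[key] = public_port
            self.translations[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.by_private[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        """Internet -> LAN: returns the rewritten packet, or None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self.translations:   # reply to a connection a LAN host started
            ip, port = self.translations[key]
            return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.proto)
        if key in self.forwards:       # static forward, e.g. camera on 8181 -> 80
            ip, port, allowed = self.forwards[key]
            if allowed is not None and pkt.src_ip != allowed:
                return None            # "Source" field restricts who may reach the port
            return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.proto)
        return None                    # unsolicited: nothing on the LAN is exposed


if __name__ == "__main__":
    router = NatRouter("1.1.1.1")
    router.add_forward("TCP", 8181, "192.16.5.13", 80)
    print(router.outbound(Packet("192.168.1.10", 51000, "203.0.113.50", 443)))
    print(router.inbound(Packet("203.0.113.50", 443, "1.1.1.1", 49152)))
    print(router.inbound(Packet("198.51.100.7", 40000, "1.1.1.1", 8181)))
    print(router.inbound(Packet("198.51.100.7", 40000, "1.1.1.1", 22)))   # None
```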
Port Triggering - opens an alternative assigned port when the initial port is contacted. EX: FTP
listens on port 21 but sends back on port 20. The trigger sets the NAT to listen on 20 when a file
is sent through 21.
SOHO DMZ - Forward ALL ports to a specific place. Used to expose one computer to the evils
of the internet.
Tour of a SOHO Router
- Default IP Address
- Default Username and password
- Status/information home page
- Basic Setup menu: WAN and LAN settings
- Router WAN connections are commonly DHCP Clients by default
- Router username/password
- ACL (Access Control List)
- Firmware Updates
- Hard reset button is on router
SOHO vs Enterprise
SOHO routers will mostly come with a switch, Wireless access point, DHCP server, etc. built
in.
Enterprise Router - designed for more robust situations. Has many more connections. Not
going to have wireless. No switch built in. 100x more bandwidth than a SOHO router.
Features that you don’t see on a SOHO.
Some SOHO will have extra features like customizable firewalls. SOHO have a web interface.
Enterprise tend to not have web interfaces. PuTTY is for using functions on a router. CISCO
IOS - its own language and nomenclature.
Static Routes
Static Route is a fixed route - earliest type of route.
Routing Tables - in cmd type “route print” shows info on destination, subnet mask, gateway,
and NIC
Network Destination - 0s dont care where its going
Netmask - 0s Dont care what the subnet is
Gateway - send it out on this IP
Interface - using my network card
If starts with 224. It stands for multicast/class D - allows computer to have a 2nd IP address
Command “netstat -r” = route print
Private “Intranet” Route - not on the internet, accessing networks from other networks, use a
static route from one router to another router. Routers can use default gateways even though it
also acts as a default gateway.
Static routes are used on little networks
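Route selection over a `route print`-style table, as an added example that is not from these notes: it applies longest-prefix match (the all-zeros default route matches last), breaks ties with the lowest metric so a second default route takes over when the first interface is down, and reports whose MAC the host would ARP for (the destination itself on a directly connected network, otherwise the gateway). The table contents are constructed.

```python
import ipaddress

# Constructed table in "route print" layout: destination, netmask, gateway, interface, metric.
# A gateway of 0.0.0.0 means the destination network is directly connected.
SAMPLE_TABLE = [
    {"destination": "0.0.0.0",     "netmask": "0.0.0.0",       "gateway": "192.168.1.1", "interface": "192.168.1.20", "metric": 25},
    {"destination": "0.0.0.0",     "netmask": "0.0.0.0",       "gateway": "192.168.2.1", "interface": "192.168.2.20", "metric": 50},
    {"destination": "127.0.0.0",   "netmask": "255.0.0.0",     "gateway": "0.0.0.0",     "interface": "127.0.0.1",    "metric": 331},
    {"destination": "192.168.1.0", "netmask": "255.255.255.0", "gateway": "0.0.0.0",     "interface": "192.168.1.20", "metric": 281},
    {"destination": "192.168.2.0", "netmask": "255.255.255.0", "gateway": "0.0.0.0",     "interface": "192.168.2.20", "metric": 281},
    {"destination": "224.0.0.0",   "netmask": "240.0.0.0",     "gateway": "0.0.0.0",     "interface": "192.168.1.20", "metric": 281},
]


def route_lookup(table, dst, down_interfaces=()):
    """Pick the matching route with the longest prefix; ties go to the lowest metric."""
    best = None
    addr = ipaddress.IPv4Address(dst)
    for route in table:
        if route["interface"] in down_interfaces:
            continue   # a route on a dead interface is not a candidate
        net = ipaddress.IPv4Network(f'{route["destination"]}/{route["netmask"]}', strict=False)
        if addr not in net:
            continue   # 0s in the netmask mean "don't care", so 0.0.0.0/0 matches everything
        rank = (net.prefixlen, -route["metric"])
        if best is None or rank > best[0]:
            best = (rank, route)
    return best[1] if best else None


def next_hop(table, dst, down_interfaces=()):
    """Where the frame actually goes, i.e. whose MAC address the host ARPs for."""
    route = route_lookup(table, dst, down_interfaces)
    if route is None:
        return None
    if route["gateway"] == "0.0.0.0":
        return {"arp_for": dst, "interface": route["interface"], "via": "directly connected"}
    return {"arp_for": route["gateway"], "interface": route["interface"], "via": "gateway"}


if __name__ == "__main__":
    for target in ("203.0.113.9", "192.168.1.77", "224.0.0.251"):
        print(target, next_hop(SAMPLE_TABLE, target))
    print("with 192.168.1.20 down:", next_hop(SAMPLE_TABLE, "203.0.113.9", down_interfaces=("192.168.1.20",)))
```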
Dynamic Routing
Handle dynamic problems with routing to get information to destination
Dynamic routing is letting the routers rewrite their own routing tables to overcome
problems
Convergence - all router tables reflect all routes
If we have more than one route to get somewhere the lowest metric value will be used first in
early dynamic routing protocols. Metric was based on Hop Count - the number of routers used
to get to the destination.
MTU (Maximum Transmission Unit) - in a particular frame how much data can you haul.
Bandwidth
Cost
Latency - reaction time (think satellites)
Distance Vector - sending their entire routing tables to all of their neighbors, then the neighbors
compare routing tables to find the route. Issue is they lean on Hop Count, and they send at a
time interval.
Link State - more modern. Send out link state advertisements: if differences are detected they
will update routing tables. Takes place on the fly, gets back to convergence much faster.
Dynamic Routing Protocols are either IGP or EGP
EGP - Autonomous system: one organization controlling all routers uses an EGP
BGP(Border Gateway Protocol) is the only EGP and is a Hybrid Routing Protocol. Uses
ASN (autonomous system number)
What to know: All of these will use either Link State or Distance Vector, Metrics, BGP(only
EGP), or IGP(Interior Gateway Protocol)
RIP
Version 1 used only Classful Networks. Version 2 took advantage of CIDR
Routing Information Protocol - one of the oldest routing protocols around. IGP and Distance
Vector Protocol
RIP uses Hop Count as part of the metric. Downside to RIP is it takes a while to get
convergence because it takes a fixed amount of time to compare routing tables.
RIP uses a maximum Hop Count of 15. So anything above simply wouldn't work.
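The distance-vector behaviour described for RIP above (whole tables sent to neighbours at a fixed interval, lowest hop count wins, hop count 16 meaning unreachable), simulated as an added example that is not from these notes: each round models one timer tick, convergence is the first round in which no table changes, and a destination more than 15 hops away is never learned. The topologies are constructed.

```python
UNREACHABLE = 16   # RIP hop counts run 1..15; 16 means "cannot get there"


def distance_vector(links, max_rounds=100):
    """links: {router: [neighbour, ...]}. Returns ({router: {dest: (hops, next_hop)}}, rounds)."""
    tables = {}
    for router, neighbours in links.items():
        tables[router] = {router: (0, None)}
        for n in neighbours:
            tables[router][n] = (1, n)   # directly connected: one hop, next hop is the neighbour
    for rnd in range(1, max_rounds + 1):
        changed = False
        # every router sends its entire table at the timer tick, so all use the same snapshot
        advertised = {r: dict(t) for r, t in tables.items()}
        for router, neighbours in links.items():
            for n in neighbours:
                for dest, (hops, _) in advertised[n].items():
                    candidate = hops + 1
                    if candidate >= UNREACHABLE:
                        continue   # beyond 15 hops: RIP simply cannot reach it
                    current = tables[router].get(dest, (UNREACHABLE, None))[0]
                    if candidate < current:   # lowest metric (hop count) wins
                        tables[router][dest] = (candidate, n)
                        changed = True
        if not changed:
            return tables, rnd   # convergence: every table reflects every reachable route
    return tables, max_rounds


def chain(n):
    """Constructed topology: R0 - R1 - ... - R(n-1) in a straight line."""
    names = [f"R{i}" for i in range(n)]
    return {names[i]: [names[j] for j in (i - 1, i + 1) if 0 <= j < n] for i in range(n)}


if __name__ == "__main__":
    tables, rounds = distance_vector(chain(18))
    print("rounds to converge:", rounds)
    print("R0 -> R15:", tables["R0"].get("R15"), " R0 -> R16:", tables["R0"].get("R16"))
```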
OSPF - Open Shortest Path First
Number one dynamic routing protocol. Hard to configure. It is IGP, and uses Link State
Protocol
Sends Link State Advertisements. Has to be set up with a designated router and a backup
router.
Area ID - looks like an IP address; once the network knows the area IDs they can begin to send
advertisements. Big reason people like to use it is because it converges very quickly. And
uses BGP
BGP (Border Gateway Protocol)
Hybrid Protocol - aspects of distance vector and link state.
Cornerstone of the internet. OSPF isn't designed to handle routing tables with millions of
entries
BGP breaks the internet into just over 20,000 Autonomous systems(AS) - a group of 1 or
more router networks under control of an ISP/Government/etc. Every AS on the internet has a
32 bit ASN(AS Number). When these AS connect they must use BGP. BGP is a heavy duty
routing protocol that is designed from the ground up to route AS.
Chapter 9: TCP/IP Applications
TCP and UDP
Ethernet Frame - used by switches and routers
IP Packet sits within the frame
PDU (Protocol Data Units) - information used by the different protocols provided in frame
segments
TCP Segment - connection based
UDP Datagram - connectionless
In UDP a frame is sent, no verification. TFTP (Trivial file Transfer Protocol) uses UDP
Internet uses TCP. TCP has a “handshake process” - TCP 3-way handshake. SYN packet
goes to server, server sends back SYN/ACK, client sends ACK to server. Once these three
things take place you have a TCP connection. TCP ends a connection with a “FIN”
message
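The SYN, SYN/ACK, ACK handshake and the FIN teardown above, carried through with sequence and acknowledgement numbers as an added example that is not from these notes: both endpoints are state machines, SYN and FIN each consume one sequence number, a data segment is acknowledged only at the expected sequence number, and a segment whose ACK does not match what was sent is ignored. The initial sequence numbers and the request bytes are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Segment:
    src: str
    dst: str
    flags: Set[str]
    seq: int
    ack: Optional[int] = None
    data: bytes = b""

    def __str__(self):
        return (f"{self.src} -> {self.dst} [{'/'.join(sorted(self.flags))}] "
                f"seq={self.seq} ack={self.ack} len={len(self.data)}")


class TcpEndpoint:
    def __init__(self, name: str, isn: int):
        self.name, self.state = name, "CLOSED"
        self.snd_nxt = isn      # next sequence number we will send
        self.rcv_nxt = None     # next sequence number we expect from the peer
        self.received = b""

    def _segment(self, dst, flags, data=b"", consume=0):
        seg = Segment(self.name, dst, set(flags), self.snd_nxt, self.rcv_nxt, data)
        self.snd_nxt += len(data) + consume   # SYN and FIN each use one sequence number
        return seg

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer):
        self.state = "SYN_SENT"
        return self._segment(peer, {"SYN"}, consume=1)

    def send(self, peer, data):
        return self._segment(peer, {"PSH", "ACK"}, data)

    def close(self, peer):
        self.state = "FIN_WAIT_1" if self.state == "ESTABLISHED" else "LAST_ACK"
        return self._segment(peer, {"FIN", "ACK"}, consume=1)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Apply one incoming segment; return the reply segment, or None."""
        f = seg.flags
        if "ACK" in f and seg.ack != self.snd_nxt:
            return None   # does not acknowledge what we sent (stale or forged): ignore it
        if self.state == "LISTEN" and f == {"SYN"}:
            self.rcv_nxt, self.state = seg.seq + 1, "SYN_RCVD"
            return self._segment(seg.src, {"SYN", "ACK"}, consume=1)
        if self.state == "SYN_SENT" and f == {"SYN", "ACK"}:
            self.rcv_nxt, self.state = seg.seq + 1, "ESTABLISHED"
            return self._segment(seg.src, {"ACK"})
        if self.state == "SYN_RCVD" and f == {"ACK"}:
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED" and seg.data:
            if seg.seq != self.rcv_nxt:
                return None   # out of order: wait for the expected sequence number
            self.received += seg.data
            self.rcv_nxt += len(seg.data)
            return self._segment(seg.src, {"ACK"})
        if "FIN" in f and self.state in ("ESTABLISHED", "FIN_WAIT_2"):
            self.rcv_nxt = seg.seq + 1
            self.state = "CLOSE_WAIT" if self.state == "ESTABLISHED" else "TIME_WAIT"
            return self._segment(seg.src, {"ACK"})
        if self.state == "FIN_WAIT_1" and f == {"ACK"}:
            self.state = "FIN_WAIT_2"
            return None
        if self.state == "LAST_ACK" and f == {"ACK"}:
            self.state = "CLOSED"
            return None
        return None


def exchange(a, b, seg, trace):
    """Deliver seg to its receiver and keep relaying replies until one side stays silent."""
    ends = {a.name: a, b.name: b}
    while seg is not None:
        trace.append(seg)
        seg = ends[seg.dst].receive(seg)


def run_session(request=b"GET / HTTP/1.0\r\n\r\n"):
    client, server = TcpEndpoint("client", 1000), TcpEndpoint("server", 5000)  # constructed ISNs
    server.listen()
    trace = []
    exchange(client, server, client.connect("server"), trace)        # SYN, SYN/ACK, ACK
    exchange(client, server, client.send("server", request), trace)  # data, ACK
    exchange(client, server, client.close("server"), trace)          # FIN/ACK, ACK
    exchange(client, server, server.close("client"), trace)          # FIN/ACK, ACK
    return trace, client, server


if __name__ == "__main__":
    for seg in run_session()[0]:
        print(seg)
```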
ICMP and IGMP
ICMP (Internet Control Message Protocol) - Works at IP layer not at the transport layer. No
port numbers. Ping is ICMP, no data. ARP is ICMP.
IGMP (Internet Group Management Protocol) - Has a group and source address. Multicast
(224.x.x.x). Used in video streaming.
Both work on the Internet layer (2) in the TCP/IP Model, Network Layer (3) in the OSI
Model
Handy Tools
Command tracert (windows)/traceroute (linux) - traces all the hops from a router
“Tracert ‘ip/website/etc/’” command. Trace route helps to make sure home routers are okay.
Alternative tool to tracert is “pathping” - variant of the ping command.
Bandwidth Speedtester - Are you getting what you paid for? Ex: speedtest.net
- Can expose ISP or home routers
Introduction to Wireshark
Wireshark is a Protocol Analyzer - Displays the traffic flow of Ethernet frames. Comes with a
separate capture tool (grabs frames), creates capture file. Wireshark allows us to dig into frame
data. Wireshark sees DHCP as BootP.
Alternative capture tool - “tcpdump” command.
Introduction to netstat
netstat- lists all the open ports and connections on your computer
Command “netstat”. “Netstat -n” presents the information numerically.
Netstat -b shows the executable for every connection. Netstat -o shows the PID (process ID)
Netstat -a shows all the active ports. Netstat -r shows the local routing table
Web Servers
HTTP(hypertext transfer protocol) - basis of WWW. Uses port 80
A web server is just software:
Microsoft IIS and Apache (open source). Is there a web server running on a system? Run a
netstat -a command and see if the machine is listening on port 80.
Internet Explorer is the NET+ focus. In IE Tools > Internet Options takes you to the most
needed settings in explorer.
HTTPS (HTTP Secure) - Port 443 TCP. uses 2 different protocols, SSL(old) and TLS(new) sets encryption.
FTP
File Transfer Protocol - Common way to transfer files. Uses ports 20, 21.
Filezilla sets up a file directory: Anonymous accounts enable public access to FTP servers.
Once you have a server, you need an FTP client. Web browsers can act as FTP clients
Command prompt has built in FTP client “ftp” the “get” command downloads and the
“put” command uploads.
FTP is not an encrypted protocol
SFTP (Secure FTP)
TFTP (Trivial File Transfer Protocol) - uses port 69
Email Servers and Clients
Sending:
SMTP(Simple Mail Transport Protocol) - port 25
Receiving:
POP3(Post-Office Protocol) - port 110
IMAPv4 (Internet Message Access Protocol v4) - port 143
Difference between POP and IMAP, POP3 is old and downloads copies to client
IMAP keeps things online
SMTP, POP3, and IMAP are not encrypted
Securing E-mail
Traditional TLS
- IMAP 143 > 993 encrypted
- POP3 110 > 995 encrypted
- SMTP 25 > 465 encrypted
STARTTLS
- IMAP, POP3, SMTP - 465
- TLS/STARTTLS conflicted with port 465
- STARTTLS ended with port 587
Understand STARTTLS came after TLS to solve port complexity and used to run on port
465 but now is 587.
Telnet and SSH
Telnet enables you to remote into another computer. Text based. Runs on port 23
PuTTY is a free, robust telnet/SSH client. Telnet was the original remote connectivity tool.
Downside is no encryption. Telnet and SSH are both terminal emulators.
SSH(Secure Shell) is an encrypted version of Telnet.
SSH runs on port 22 - uses an encryption key
Rlogin is not secure - uses port 513, replaced by SSH
Network Time Protocol (NTP)
Port 123 - syncs with an NTP server.
Network Service Scenarios
DHCP Issues
- IP Reservation: keep a scope for certain machines that shouldn’t change their IP often
- Exhausted the DHCP scope: need to adjust the scope to add more. Really long leases
could lead to this issue.
IPAM (IP Address Management): keeps systems running automatically
Chapter 10: Network Naming
DNS(Domain Name System) - Resolve IP addresses based on Fully Qualified Domain
Names(FQDN)
Host (www.) Secondary domain (google) Top-level domain (.com)
DNS servers do 2 things. Respond to DNS queries and create DNS queries. Ipconfig /all will
show DNS server information.
Computers and DNS Servers cache IP address information for a time to enable faster
resolution.
Applying DNS
DNS server is software, free built in.
Interior DNS server
Authoritative DNS Server
Lookup Zone
Start of Authority (SOA) - Primary DNS server for the Zone
Name Server (NS)
A Record - IPv4, AAAA Record - IPv6
Canonical Name (CNAME or Alias)
MX Record - Mail exchange
Reverse Lookup Zone - reduces spam, basically required for mail servers. Resolve IP address
to FQDN
PTR (pointer record)
SRV record - used by VoIP
TXT Record - were for techs coming in after. DKIM and SPF records
*Know definitions*
The Hosts File
Every computer that runs TCP/IP has a hosts file
Contains IP addresses and their names. From the early internet. Still take precedence over
DNS. Personal shortcuts for IP addresses can be made in hosts file.
Net Command
Predates windows. “Net view” - what computers can I see within my work group
“Net user” - user details
“Net view” shows everything that is on the network
“Net use ‘drive’”- assigns a drive letter in local computer to a shared folder
“Net share”
“Net accounts” - account details
“Net start” - services to turn off with “net stop”
Windows Name Resolution
NetBIOS - ports 137, 138, 139 - old name resolving service
(LLMNR) Link Local Multicast Name Resolution - UDP 53, 55
- New name resolve is better than NetBIOS
Nbtstat - alone brings up a help screen on cmd prompt.
Nbtstat -n: local name table
Nbtstat -c: shows remote cache name table
Nbtstat -a (system name): A different computer’s information
You can broadcast your information to the group. You can clear the cache
Nbtstat -R clears the cache
Nbtstat -RR re-establishes information and rebroadcast
Dynamic DNS
DDNS - method of automatically updating a name server in the Domain Name System (DNS), often
in real time, with the active DDNS configuration of its configured hostnames, addresses or other
information.
DDNS enables you to use a DHCP assigned IP address for a connection
DDNS providers can update IP information
DNS Troubleshooting
If you can access a web page with the IP but not the DNS name, it's an obvious DNS problem.
Ipconfig /all to find DNS information.
Because DNS goes out so often it is standard to have 2 DNS servers. If a DNS moves to a new IP
you need to clear the cached DNS addresses.
Ipconfig /displaydns - all stored DNS names.
Ipconfig /flushdns - wipes out cache.
Nslookup - primary DNS server
Server (DNS server IP) - checks to resolve.
DIG(Domain Information Groper) - also checks for DNS server status
Ping will check for FQDN.
Chapter 11: Securing TCP/IP
Making TCP/IP Secure
CIA: Confidentiality, Integrity, Availability
Encryption, Non-repudiation, balance availability
Authorization and Authentication
Symmetric Encryption
Caesar Cypher
Algorithms - Have a key, cyphertext is post-algorithm.
Same key encrypts and decrypts in symmetric encryption
Asymmetric Encryption
You have 2 keys. Public and private key
Public keys only encrypt, Private keys only decrypt.
Elliptic Curve Cryptography (ECC) and Rivest-Shamir-Adleman (RSA) are both examples of
asymmetric encryptions
A private key and its associated public key is a key pair. Public keys are distributed so others can
send you encrypted data. Key exchange - for two people to communicate they must exchange
public keys.
Cryptographic Hashes
Hash - algorithm to create a string of text, a fixed-size hash value. They are used to verify data
integrity, not encrypt data. If just one bit has changed a hash will be able to notice the change.
MD5 and SHA-1. Two most common hash types.
Identification, Authorization, Authentication
- Identification just proves who the user is, Authentication is proving you have rights to
a system, Authorization is what rights do you have after being authenticated.
Authentication factors: Something you know, Something you have, Something about you
(biometrics).
Captcha is considered something you know, as are security questions.
Something you do: ex is typing rhythm
Somewhere you are: ex is zip code
Multi Factor authentication - 2 or more different factors
Federated System Trust is inherited from a different trusted system.
Access Control
Access Control List - exists everywhere. Broad term defining authentication and authorization
Mandatory Access Control(MAC) - Label on the resource itself (ex: top secret)
Discretionary Access Control (DAC) - Owner that creates permissions, reader, writer (more
flexible)
Role Based Access control (RBAC) - Groups, assign rights and permissions to groups
Users -> groups -> rights and permissions (most flexibility)
AAA
RADIUS Server - authentication software; can authenticate against a RADIUS database (which does not
have to be on the server)
RADIUS Client - handles authentication requests from the supplicant
RADIUS Supplicant - the user or device requesting authentication (laptop, or any connected device)
RADIUS - UDP ports 1812, 1813 or UDP 1645, 1646. RADIUS is AAA, so it runs authentication, authorization
and accounting
TACACS+ is a proprietary Cisco product that alleviates problems for large networks. Uses TCP
port 49
TACACS+ and RADIUS are both AAA
Kerberos/EAP (for wired networks)
Kerberos is designed to do authentication for local area networks.
Key Distribution Center (KDC) - has the Authentication Service (AS) and Ticket-Granting Service
(TGS) built in. When the KDC receives a user's hash (from the username and password) and
authenticates it, it sends back a Ticket-Granting Ticket (TGT); when the TGT comes back to the TGS, a
token is issued based on the timestamp. Now when that computer wants to access any other computer
on the local area network it uses that token to get immediate access.
Downsides: you have to buy a copy of Windows Server, and it relies heavily on timestamps.
Extensible Authentication Protocol (EAP) - allows transaction-based authentication
mechanisms to talk to each other.
- EAP-PSK (Pre-Shared Key): Common key that everyone uses to log in
- Protected EAP (PEAP): Standard username and password
- EAP-MD5: uses a hash
- EAP-TLS: single certificate
- EAP-TTLS: Requires multiple certificates
Single Sign-On
LDAP(s) (Lightweight Directory Access Protocol): UDP 389, 636 for LDAPS
LAN uses Windows Active Directory (AD). Group of computers added to a domain. Federated
Systems (trust).
SAML (Security Assertion Markup Language): designed mainly for web apps. Has an Identity
Provider (IdP): provides a token to log in to everything.
Active Directory for most local networks; SAML for more widespread use and web apps.
Certificates and Trust
The problem with asymmetric encryption is the public key exchange. Either key in a
public/private key pair can be the public key.
Along with the public key, a hash of the web page is sent as a digital signature. This basically verifies you
have the right public key. Now you have to figure out whether the source is who they say they are: use a
third party to guarantee that with another digital signature. Digital Certificate - contains the public key and
both digital signatures. The certificate is how you move public keys.
Generate own certificates - unsigned certificate (no third party vouching)
Web of Trust - is other users signing your certificate saying you are trusted. Requires a lot of
maintenance. Hasn’t really taken off.
Public Key Infrastructure (PKI) - Based on a hierarchy. At the top is Certificate Authority (CA):
organization that issues certificates. Intermediate certificate authorities take load off of CA from
users requesting certificates. Most common today.
Certificate Error Scenarios
Self-Signed Certificate - not signed by a trusted or intermediate CA. Doesn't stop you from using the website;
the browser just shows a warning as added protection.
Certificate expires
Invalid SSL certificate
Chapter 12: Advanced Networking Devices
Understanding IP Tunneling
Microsoft's RDP has built-in encryption. If a protocol doesn't have built-in encryption you can piggyback
on a protocol that's already encrypted. SSH can take data from the client, encrypt it, and carry it to the
other end of the SSH connection, where it is decrypted. That is the basic concept of a tunnel. A tunnel starts
by making an encrypted connection between 2 computers. The primary reason for tunneling is to provide
encryption when normally there isn't any. Tunneling is often used in remote access
connections.
Virtual Private Networks
Challenges:
- LAN often uses private IP addressing
- Remote Device needs private and public address
- Public address to get to the network
- Private IP to reach the LAN
Layer 2 Tunneling Protocol (L2TP): the VPN creates a tunnel connection for remote computers to
get to a designated endpoint
Client-to-site VPN: Connects a remote computer to a local network.
VPN concentrators can be a dedicated device that acts as an endpoint for the network.
Site-to-Site VPN: connects distant networks into a single network
The type of VPN you use generally depends on the equipment you already have in place.
Introduction to VLANS
VLAN takes one broadcast domain and breaks it up into multiple, smaller broadcast domains.
Types of Switches
- Unmanaged: simple devices, only do switching
- Managed Switches: extra features like VLANs (requires configuration)
Switches run at layer 2 using MAC addresses, so we give them an IP address to be able to configure them.
Use Cisco Network Assistant (CNA) to configure. All switches are preset to use VLAN1. Static
access is setting VLAN ports manually.
VLAN Trunk Protocol (VTP): advertise to other switches that there are other VLANs out there.
Trunk Ports move traffic from all VLANs between switches. Trunking allows VLANs to be on more
than one switch.
InterVLAN Routing
A router can connect 2 VLANs. (physical)
Higher-end switches offer interVLAN routing: acts like one or more virtual routers
Interfacing with Managed Switches
Lines between switches and routers become blurred. Use a switch’s IP address to connect to it.
Console ports are used to connect to and manage a switch or router. Uses a rollover (Yost)
cable. The downside is that the serial connection is slow.
Cisco IOS - the operating system that all Cisco switches and routers run
Some switches offer a web interface to access via IP.
Switch Port Protection
Switch Ports do not have IP addresses, so they do not support layer 3 directly. Spanning Tree
Protocol (STP) will detect a bridging loop and turn off the correct port.
Root Bridge (root switch) with a Root Guard (verifies the root by MAC address)
BPDU Guard (Bridge Protocol Data Unit Guard): specifies that a certain port can only connect to, for example,
computers. If a different type of device (ex: a switch) is connected instead, it will shut down the port.
DHCP Snooping: guards against someone adding another DHCP server.
Port Bonding (Port Aggregation) - linking switch ports to increase bandwidth
When bonding you make the group first in the IOS and then assign switch ports to the group
Group = Port Channel
For trunking use Link Aggregation Control Protocol (LACP) - can set ports to active or passive.
Active-Active and Active-Passive both work. Passive-Passive will not work
Port Mirroring
Used for sniffing sessions and monitoring. Simple setup in Cisco IOS: configured on a switch by
providing a source port and a destination port.
Quality of Service (QoS)
Traffic Shaping - control traffic based on certain criteria
QoS is a mechanism to enable traffic shaping.
Simple QoS on SOHO routers allows priority settings for different protocols.
IDS vs IPS
IDS (Intrusion Detection System): out-of-band; does monitoring and alerts.
- An active IDS is now called an Intrusion Prevention System (IPS)
- IPS operates like an IDS but does something to stop the intrusion. IPS is in-band and actively
stops or rejects traffic
Proxy Servers
Proxy is an intermediary between client and server
Forward Proxy Server - usually a dedicated box or software inside an organization (ie schools,
businesses) that blocks URLs, parts of websites, etc. Proxy servers are by definition application specific
(web, FTP, VoIP proxy). The client is generally aware of the proxy. A transparent proxy has to be in-line,
which makes clients easier to configure.
- Modern Forward Proxy puts the proxy in line on the internet. Needs a VPN to proxy the
connection.
- TOR group lets you connect to a group of computers randomly connecting in a line, then a
random computer in the group takes the connection outward. A TOR proxy is used to make
sure the trail does not lead back to the source computer.
Reverse Proxy Server - Proxy server represents the server, not the client.
- High Security
- Handle DDoS attacks
- Load Balancing
- Caching
- Encryption acceleration
Understand forward vs reverse: Forward hides the client, reverse hides the server.
Load Balancing
Can be configured client side or server side.
Multiple servers send out the exact same information. DNS server Round Robin sends requests
in sequence to each different server; not used anymore. Issues arise from caching: browsers now
cache the IP information and circumvent the round robin. Delegation: set up another zone with
reverse lookup. Based on time (which server responds quicker).
Server-side load balancing: runs powerful software and uses clustering. A cluster is when the
servers on the backend are all talking to each other. Load balancing is now mostly in the cloud, and
even the load balancer is virtual.
Understand the difference between the DNS solution and the server-side solution.
Device Placement Scenarios
DMZ - A proper DMZ adds equipment: an Edge Firewall and an Interior Firewall. Today it can be set up
virtually. TWO firewalls are used in a DMZ: one allowing unsolicited traffic to the public service, and
the second maintaining isolation of the private network.
IDS vs IPS placement
Firewall - Edge firewall is easy, but sometimes you need an internal firewall if you have public
computers. Internal Firewalls can be used to block specific access for areas that may need
additional restrictions but still function within the main domain.
Proxy Server placement
Chapter 13: IPv6
Introduction to IPv6
8 segments separated by 7 colons.
IPv4 has a total address space of around 4 billion. We’ve run out of IPv4, so IPv6 is now becoming
the new standard.
128 bit address - 2^128.
Aggregation is being able to use identical IP addresses, but you need a larger amount of addresses
available. IPv6 gives us that, and we can't come back to aggregation.
Self Configuration: with IPv6, NAT, ARP and DHCP are rendered inferior to a new protocol, the
Neighbor Discovery Protocol (NDP), a multicast-based protocol. All the machines on the internet
start talking to each other and configure themselves.
IPv6 allows data to move much faster through the internet
IPv6 Addressing
8 groups of 4 hexadecimal values, separated by colons.
You can shorten IPv6 addresses by removing leading 0s from segments. Further shorten by
collapsing one run of consecutive all-zero segments into a double colon (::).
With IPv6 you now have at least 2 addresses
In IPv6 the smallest and only subnet mask you can have is /64. As such, subnet mask is no
longer typed in because its always the same. (unless on a high back end enterprise level)
- Link local: always starts with “fe80:0000:0000:0000” or “fe80::”; the next 4 segments are
generated from your MAC address. The EUI-64 standard takes the 48-bit MAC address and turns
it into 4 hexadecimal segments by adding ff-fe in the middle of the MAC address and flipping
the 7th bit. With a MAC of 2a-3b-4f-09-45-01 the Link Local address becomes
fe80::2a3b:4fff:fe09:4501
- Internet address
Dual Stack - Running both IPv4 and IPv6.
Understand: how IPv6 is structured and how EUI-64 is used to generate the 2nd half of the
address based on the MAC address.
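As an added example (not from the original notes), this Python script implements both rules from the IPv6 Addressing section: the modified EUI-64 transform that builds a link-local address from a MAC, and the two shortening rules (strip leading zeros, collapse the longest run of zero groups into `::`). It also reverses the transform, which is the traceability problem the notes raise later when explaining why operating systems now randomize the interface identifier instead. Note that applying the 7th-bit (U/L bit) flip the notes describe changes the first octet 2a to 28, so for the sample MAC the function returns fe80::283b:4fff:fe09:4501, which differs in that octet from the address written above because the flip has been applied. Only the standard library `ipaddress` module is used.

```python
import ipaddress

# Added example, not part of the original notes. Standard library only.


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe, flip the U/L bit.

    The U/L bit is bit 7 (value 0x02) of the first octet, which is what the
    notes call 'flipping the 7th bit'.
    """
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 octets")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def compress_ipv6(addr: str) -> str:
    """Apply the shortening rules to a full 8-group address: strip leading zeros
    from each group and replace the longest run of two or more all-zero groups
    with '::' (leftmost run wins on a tie, as RFC 5952 requires)."""
    groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 colon-separated groups")
    vals = [int(g, 16) for g in groups]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if vals[i] == 0:
            j = i
            while j < 8 and vals[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexes = [format(v, "x") for v in vals]  # drops leading zeros, keeps a lone '0'
    if best_len < 2:
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return f"{left}::{right}"


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 plus the EUI-64 interface identifier, in compressed form."""
    iid = eui64_interface_id(mac)
    groups = ["fe80", "0000", "0000", "0000"] + [iid[i:i + 2].hex() for i in range(0, 8, 2)]
    return compress_ipv6(":".join(groups))


def mac_from_link_local(addr: str) -> str:
    """Reverse the transform: shows why an EUI-64 address is traceable to the NIC
    (the reason privacy extensions randomize the identifier instead)."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("not an EUI-64 derived interface identifier")
    iid[0] ^= 0x02
    octets = iid[:3] + iid[5:]
    return "-".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "2a-3b-4f-09-45-01"   # the MAC used in the notes
    ll = link_local_from_mac(mac)
    print(ll, "->", mac_from_link_local(ll))
    print(compress_ipv6("2001:0db8:0000:0000:0001:0000:0000:0001"))
```

`compress_ipv6` deliberately never collapses a single zero group (it stays `0`), and when two zero runs tie in length it collapses the leftmost one, so its output matches what `ipaddress.IPv6Address(...).compressed` produces.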
IPv6 in Action
All IPv6 addresses are public, no more NAT. So the address now is traceable. So all operating
systems will use a randomizer instead of EUI-64 to generate the IPv6 address.
- Neighbor Solicitation: A multicast (NOT broadcast) message from the computer to the
network using ICMP v6. Says “this is who I am, is anyone else out there”
- Neighbor Advertisement: all of the other computers on the network then send out a
neighbor advertisement that says “this is who I am”
- This is all on the local level. The router will also send out a Neighbor advertisement.
- Router Solicitation: When all of the devices need to get out of the network they send an RS
because they need their internet address, default gateway, DNS info, etc.
- Router Advertisement: Routers respond back with an RA to assign everything needed to
get on the internet.
- Stateless Auto Configuration is what the router uses to deliver the information for all of the
devices.
Router Prefix: uses DHCPv6 from the ISP to determine the network ID. DHCPv6 is for when you have
an internal DNS server, so that the DNS server from the ISP does not interfere.
IPv6 makes configuration easy and leaves almost nothing to do unless you are using an upstream router or
an internal DNS server.
IPv4 and IPv6 Tunneling
Microsoft has built-in tunneling protocols for the IPv6 internet. Most people use 3rd party software.
The Gogo6 client is popular. Once set up, it creates a virtual NIC that uses an IPv4 connection to reach an
IPv6 box. When everything is running right, nothing changes.
Chapter 14: Remote Connectivity
Telephony Technologies
Central Office
Frequency Division Multiplexing
In the digital age a 64 Kbps sampling rate for phone conversations came onto the scene.
Time division multiplexing T1 at 1.5 Mbps
Memorize These:
- T1, 24 channels, 1.544 Mbps
- T3, 672 channels, 44.736 Mbps
- E1, 32 channels, 2.048 Mbps
- E3, 512 channels, 34.368 Mbps
At the end of the line is a CSU/DSU - acts as endpoint (Circuit ID labeled)
BERT (Bit error rate test) - Connection test
T1 Crossover cable
Understand Frequency division multiplexing vs Time division Multiplexing
Optical Carriers
SONET (Synchronous Optical Networking): OC lines. OC1 is 51.85 Mbps
Know: OC1, OC3 and OC12
If you know OC1 is 51.85 Mbps, to get OC3 or OC12 just multiply it by the OC number.
DWDM (dense wavelength division multiplexing): multiplies throughput.
Packet Switching
Frame Relay: didn't care about errors but it was very quick. Oldest
ATM (asynchronous transfer mode): used on SONET lines. Fading out.
MPLS(Multiprotocol Label Switching): designed for IP networks. Used now.
All old telephone technology will eventually fade away.
Connecting with Dial-up
External Modem - telephone connections and serial connection
Internal Modem
Runs at 56 Kbps with Point-to-Point Protocol and a purchased connection.
Digital Subscriber Line (DSL)
DSL line: same as phone line. RJ-11 connection from wall to modem. RJ-45 connection to router.
Symmetric DSL
Asymmetric DSL: the primary way we see it
DSL Filter: needed to filter out DSL noise when someone used the telephone.
VDSL (very-high-bit-rate DSL): combination of fiber and DSL.
Connecting with Cable Modems
Coaxial F type connector
Faster than DSL
Cable almost never uses PPPoE like DSL does.
Connecting with Satellites
Asynchronous, Transceiver uses RG-6
Satellite Latency - slow response time
ISDN and BPL
ISDN (Integrated Services Digital Network): Older, last mile dial-up connections. Digital, with a
telephone number. Uses a Terminal Adapter. 128 Kbps.
BPL (broadband over power lines): using power lines to support electricity and internet.
Remote Desktop Connectivity
TightVNC - Port 5900
Microsoft Remote Desktop Tools - RDP port 3389
Remember the port numbers
Advance Remote Control Systems
Industrial Control System (ICS): Machine, Controller (ICS Server) connects to sensors and has
actuators (ie lights), interface (where humans use the ICS to talk to the machine)
DCS - extension of ICS. Hierarchy of ICS systems. Still has an interface.
SCADA - Still ICS, but for long distances. The controllers have to be more autonomous.
The ICS device itself is a programmable logic controller (PLC)
Human Machine Interface (HMI)
Supervisory Control and Data Acquisition (SCADA) - Remote Terminal Unit (RTU). Handles
ICS over a large area.
Chapter 15: Wireless Networking
Introduction to 802.11
802.11 uses radio waves, and a WAP (Wireless access point).
Wireless bridge into ethernet network. RJ-45 connection.
Home Router is a WAP, but it's also a switch and takes on other responsibilities.
SSID (service set identifier): Names of computers, or WAPs.
Infrastructure mode - using a wireless access point
Ad hoc mode - temporary network of only peer computers
BSSID (Basic Service set Identifier)
ESSID (Extended Service Set Identifier):
2.4 or 5 GHz band.
- Wireless Network Card (there are also USB-based wireless NICs)
- Phones, tablets, etc.
CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance): prevents wireless collisions
DSSS (Direct Sequence Spread Spectrum)
OFDM (Orthogonal Frequency-Division Multiplexing): wider range and variance
802.11 Standards
802.11b - 11 Mbps, 2.4 GHz, DSSS, 14 channels (11 in the US)
- The channels would overlap
802.11a - 5.0 GHz, 54 Mbps, shorter range, OFDM. Channel problems minimal
802.11g - 2.4 GHz, 54 Mbps, OFDM, back to channel limitations.
802.11n - 2.4 / 5.0 GHz, 108 - 300 Mbps, MIMO (multiple channel usage), OFDM, greenfield mode.
802.11ac - 2.4 / 5.0 GHz, 1 Gbps +, the more channels you add the more speed you get. Builds on
MIMO for MU-MIMO (multiple users)
Early standards were b and a.
First widely used standard was 802.11g
Current fastest standards are 802.11n and 802.11ac
Power over Ethernet (PoE)
PoE Injector - Used if you don’t have a PoE switch. AC wall adapter to send power over ethernet.
PoE 802.3af - First PoE standard, 15.4 watts
PoE+ 802.3at - 30 watts, runs any device.
Antennas
- Omni - radiation pattern shaped like a sphere
- Dipole - flat doughnut shaped pattern, most common
- Patch - half of a sphere, common in enterprise environments, regularly used on exterior
walls
- Directional (Yagi) - very directional, aimed.
- Directional (parabolic) - like Yagi, but more accurate
SMA (SubMiniature Version A) connector: connector for most antennas.
dBi - measured gain of the radio patterns, can be adjusted.
Wireless Security Standards
Passphrase - original standard
Open/shared, or closed
WEP (Wired Equivalent Privacy): Authentication, encryption. The encryption used the RC4
cipher. A disastrous standard.
802.11i - supposed to fix WEP, but never came out
WPA - improvement on WEP, fixed the first issue with WEP + TKIP (temporal key integrity protocol)
WPA2 with AES (block cypher) - CCMP-AES
WEP: Easily crackable, 68 and 128 bit key
WPA: TKIP
WPA2: CCMP standard
Implementing Wireless Security
- SSID Broadcast: Can be turned off; requires you to manually configure devices
MAC ACL: Access control list based on MAC addresses.
Multiple SSID: set different encryptions, VLANs, etc.
DHCP issue limiting
Change default username and password
Remote Management: keep off for more security
Client Isolation: can connect to WAP but can’t see other devices.
Threats to Your Wireless Network
- Rogue Access Points: Someone plugs a router into a wired network
- Evil Twin: Acts like an access point to get people onto a network
- 802.11 Jammer: illegal in the US.
- Deauthentication attack: sends deauth commands to leave the network and reconnect to
own source.
Retro Threats
War Driving: driving around and mapping the location and state of wireless access points
War Chalking: Drawing a symbol on the sidewalk indicating the current state of a present WAP
Wi-Fi Protected Setup (WPS)
Press a button on a router and device to connect wirelessly. Works fine, but is incredibly vulnerable
to hacking.
Enterprise Wireless
Wireless controller: multiple WAPs can be used by one wireless controller. could be a switch or
software to make all of the configurations.
Installing a Wireless Network
Interference: Walls and other objects/devices can cause interference.
Reflection
Absorption
Attenuation: the reduction of the amplitude of a signal, electric current, or other oscillation
Spectrum Analyzer: Used for measuring amplitude vs frequency
Wi-Fi analyzer: Use to look for potential dead spots
Match your 802.11 standard to requirements
Dipole Placement
Highly Directional Antennas
Signal-to-Noise ratio: relative gauge of strength.
Wireless range extender: Self standing device that serves as a wireless repeater.
Mesh Networks: Wireless mesh topology where multiple devices talk to each other to cover more
ground.
Wireless Scenarios
- Interference: Can only kill the interference or get away from it (manually changing wifi
channel)
- Use Windows utilities to check wireless speeds.
- Don’t use the wrong WAP password
- Changes to WAP settings will no longer match client profiles
More Wireless Scenarios
- Slow Wireless Network: Over Capacity
- Jitter: a big problem for real time usage. VoIP phone, video stream, etc. No simple fix to jitter.
Need to increase capacity with better equipment.
- Antenna Problems: Incorrect antenna types, incorrect antenna placement. You can lose gain
from your antennas because of long cables.
Chapter 16: Virtualization and Cloud Computing
Virtualization Basics
- Emulation: uses software to imitate hardware. Not virtualization.
- Virtualization uses a system's actual hardware. Saves power.
- Virtualization consolidates hardware
- Virtualization makes system recovery easier.
- Handy for IT research
- Hypervisor - Virtual Machine Monitor (VMM): Type 2 runs on top of host OS. Type 1
hypervisor runs directly on top of hardware, independent of host OS. Type 1 (bare), Type 2
(hosted)
Cloud Ownership
- Private cloud, public cloud, hybrid cloud (private and public), community cloud
(multi-organizational)
Cloud Implementation
- Virtual Private Cloud (VPC)
- Connection Methods
- AWS Elastic Beanstalk
- VPC services are very flexible
Your First Virtual Machine
- A newly created virtual machine requires an OS
- Most hypervisors can read an ISO image or optical disc
- Snapshot: storing exact snapshot of the VM as it is in that moment
- You can change virtualized hardware
- Downloaded pre-made virtual machines are common
NAS and SAN
Network Attached Storage (NAS): File based sharing protocol
- Runs over a standard network
- Shows up as normal shares on network
Storage Area Networks (SAN): SAN provides block level storage.
- Runs on Fibre Channel (FC) with a Host Bus Adapter (HBA)
- iSCSI
Platform as a Service (PaaS)
- PaaS: Enables access to a software development platform without the need to personally
host it.
- A PaaS allows very quick access to software running live on the internet.
- The advantages of PaaS are primarily that it allows for higher-level programming with
dramatically reduced complexity
Software as a Service (SaaS)
- SaaS: Does away with optical media. Ex: Microsoft Office 365, Adobe Creative Cloud, etc.
Infrastructure as a Service (IaaS)
- IaaS: type of cloud computing service that offers essential compute, storage, and
networking resources on demand
- Servers, storage, firewalls, datacenter, etc.
Chapter 17: Mobile Networking
Cellular Technologies
- WiMax: based on the 802.16 standard, broader range (17 miles).
- HSPA(+): Basically 3G
- LTE: runs in 10s of Mbps range
- Tethering: sharing connection
REMEMBER: HSPA/HSPA+ and LTE
Mobile Connectivity
- Home Automation Technologies
- Z-Wave: 900 MHz, 30 meters, 9600 bps
- ZigBee: 2.4 GHz, 10 meters, 250 Kbps
- ANT/ANT+
- heart rate monitors
- watches
- workout equipment
- 2.4 GHz, 30 meters, 20 Kbps
- Bluetooth
- 2.4 GHz, 100 meters, 3 Mbps
- NFC (Near Field Communication): 13.56 MHz, 4 cm, 424 Kbps
- RFID(Radio-Frequency Identification)
- Passive device uses radio power to turn it on
- Packaging, luggage, tracking, etc.
- Range is very wide, and speed doesn’t matter because it only sends tiny bits of
data.
- Infrared: uses light. 1+ meter, 1 Gbps, line-of-sight usage
Deploying Mobile Devices
- Mobile Device Management Tools: Configure mobile devices in detail
- Mobile Application Management: Controls applications used on device.
- Corporate Owned, Business Only (COBO): Company owned, controls all
aspects of phone
- Corporate Owned, Personally Enabled(COPE): Everyone has same device,
but issue is learning curve for android/iphone
- Choose your Own Device (CYOD): Lets employee choose from a selection of
devices.
- Bring your Own Device (BYOD): Users choose based on their own experience.
Heavy device and application management.
Mobile Access Control
- Network Access Control (NAC): Process by which we allow mobile devices on
a network. Enterprise routers with On-Boarding. Captive Portal - used for
authentication to access a network. Anti-Malware, Geofencing: deny devices
based on location.
- Allow access via MAC addresses. Whitelisting, Blacklisting.
Chapter 18: Building a Real-World Network
Network Types
- Campus Area Network (CAN): Multiple buildings being connected to each other
- Metropolitan Area Network (MAN): Metro area like Houston.
- Wireless Local Area Network (WLAN): Local network with multiple WAPs
- Personal Area Network (PAN): 2 or more bluetooth devices that connect to make
a very small network.
Network Design
- Network design starts with assessing what the customer needs
- Assess current network infrastructure
- Incorporate security considerations early in the design process
- Analyze existing documentation
- Check for compatibility with existing hardware
- Check Operating system compatibility
- Assess wireless needs
Power Management
- UPS (uninterruptible power supply): battery source power supply in case of
power outage.
- Power Generator: Power solution if the problem is more long term.
- Dual Power Supply: Hot swappable, but connected into the same circuit.
- Redundant Circuitry: common in the enterprise world.
Unified Communications
- Voice over IP (VoIP)
- UC Device: has microphone, camera, display
- UC Server: cornerstone of local UC
- UC Gateway: Interconnection between offices far away from each other.
- Medianet: make sure that voice and video data get to each place in a timely
manner
- Ports: RTP (5004, 5005), SIP (5060, 5061), H.323 (TCP 1720), MGCP (2427, 2727)
Network Documentation
- Inventory Management
- Physical vs Logical documentation
- Physical: Wiring Diagram, IDF/MDF diagram, Rack Diagram, SOP/Work
Instructions
Cisco Icons: for use with diagrams
- Logical: IP Based, circles for Network IDs
Contingency Planning
- Disaster Recovery: distance and location, internet requirements, legal issues
- Cold Site: It takes weeks to bring online, basic office space. Cheapest
recovery site
- Warm Site: Days to come online, operational equipment, little to no data
ready.
- Hot Site: Hours to bring online, real-time synchronization, almost all data
is ready to go. Very expensive.
- Business Continuity
- Order of Restoration: Check power, LAN, ISP, servers, workstations
Predicting Hardware Failure
- MTTF(Mean Time to Failure), MTTR(Mean Time to Repair), MTBF(Mean Time
Between Failure)
- SLA (Service Level Agreement) with a third party can be used on equipment to
define expected downtime and offline periods
Backups
- Differential Backup: backup all of the changes since the last full backup
- Incremental backup: only backs up changes made from the last backup
- Snapshots: Copy of something that happened in the past.
- Local backups: Hard drives, tapes, close by
- Offsite backup: downside is they are far away
- Cloud backup: takes a while to make an initial backup.
Chapter 19: Managing Risk
What is Risk Management
- Security policies incorporate practices required by laws and standards. NIST
(National institute of Standards and Technology), best practices
- Security Policies are documents, overview statement
- Security controls are generated from security policies, specific rules. Lead to
procedures
- Procedures detail how to implement controls on systems
Security Policies
- Acceptable use Policy(AUP): Define ownership, web site access, access time
- Remote Access policy: VPN, Authentication
- Password Policy: Complexity, Age, Lockout
- IT Safety Policy: lifting equipment, equipment handling, spills, procedures
- NDA: Non Disclosure Agreement
- License Restriction: Usage, transfer of license, license renewal
- International Export Control: Military information, nuclear information, license keys
Change Management
- Strategic Change: Massive change that affects the business (NOT up to change
management team)
- Infrastructure Change: small scale changes (change management team)
- Documentation is the last step in change management process
User Training
- Many answers on NET+ come down to good user training.
- Policies signed
- Passwords
- Training on systems
- Social engineering
- Avoid malware
Standard Business Documentation
- SLA: Service Level Agreement between customer and service provider, scope,
quality.
- Memorandum of Understanding (MOU): defines agreement between 2 parties.
Used where a legally binding contract is inappropriate
- MSA (Multisource agreement): agreement to make same part for workplace
efficiency
- Statement of Work (SOW): Legal contract between vendor and customer
Mitigating Network Threats
- Training and awareness
- Patch management
- Policies and procedures
- Incident response
High Availability
- Redundancy (RAID array)
- Fault Tolerance
- NIC Teaming (link aggregation): allows you to group between one and 32 physical
Ethernet network adapters into one or more software-based virtual network adapters.
- Clustering, UPS, etc.
Chapter 20: Protecting Your Network
Denial of Service
- Volume Attack: sending a lot of requests, like pings
- Protocol attack: attacks the underlying protocol (SYN flood / TCP SYN
Attack) (most common)
- Application Attack: works in the application itself.
- Amplification Attack: a Smurf attack sends ICMP traffic with a spoofed source IP address
- Distributed Denial of Service (DDoS): attacks with many computers, called a
BotNet
Malware
- Virus: Software that attaches itself to files, then propagates and spreads to other
devices.
- Adware: Programs that try to put ads up
- Spyware: malware hiding from user and tracking information
- Trojan: Software on a system that seems nice at first.
- Remote Access Trojan (RAT): Doesn’t do anything bad until activated
remotely.
- Ransomware: locks system until you pay money to get it back
- Logic bomb: program on computer, triggered by an event.
- RootKit: software that grabs admin privileges
- Backdoor: entrance made on purpose
- Polymorphic Malware: Changes itself to confuse anti malware
- Armored Virus
- Keylogger: malware characteristic.
Social Engineering
- Shoulder Surfing
- Phishing
- Shred documents to protect against dumpster diving
Access Control
- Stateless Firewall: Just turn on, looks at packets coming in and makes
decisions on it
- Stateful Firewall: Looking at the state of every packet
- IP Based ACL and Internet Access Policy
Man-in-the-Middle
- Third party interception between a two-party conversation
- Wireless man-in-the-middle, bluetooth, NFC
- Wired man-in-the-middle using spoofing. Convincing devices on the network that
your device has a friendly MAC, IP, DNS
Main purpose is to gather data
ARP Poisoning: very noisy, sends out many ARP packets
DHCP spoofing: redirecting DNS names
Typosquatting: create an internet source/website that is misspelled
Domain hijacking: holding a domain for ransom
Replay attack
Downgrade attack
Session hijacking
Introduction to Firewalls
- Firewalls: filter traffic based on specific criteria
- Typical firewall placement is edge of network (think built into router)
- Network firewall, dedicated box is called hardware firewall
- Host based software firewall on individual stations
- Unified Threat Management (UTM): Firewall, VPN, etc. multiple types of
protection built in
Firewalls
- Stateless Firewall: the original type of firewall. Filters traffic based primarily on IP
addresses and ports. The problem is that it gets hard to filter all traffic this way; using an ACL
helps alleviate that.
- Stateful Firewall: Actually inspects the connection between devices.
- Most firewalls can be configured as stateful and/or stateless
- Can have context and application aware(layer 7) firewalls. Deep Packet
Inspection (DPI)
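As an added example (not from the original notes), this Python sketch contrasts the two firewall types: a stateless ACL evaluated first-match with an implicit deny at the end, and a stateful wrapper around the same ACL that records each allowed flow and admits only that flow's reply traffic. The LAN range, the external addresses, the ports and the policy itself are constructed for the demonstration; only the standard library is used.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Added example, not part of the original notes. Standard library only.


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str          # source IPv4 address
    sport: int        # source port
    dst: str          # destination IPv4 address
    dport: int        # destination port


@dataclass(frozen=True)
class Rule:
    """One ACL entry: like a stateless firewall, it only looks at addresses and ports."""
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR, e.g. "10.0.0.0/24" or "0.0.0.0/0"
    dst: str                     # CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("any", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
        )


def stateless_decision(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; an ACL ends with an implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass
class StatefulFilter:
    """Same ACL, but remembers allowed flows so the reply direction is admitted
    without a broad 'allow everything back in' rule."""
    rules: List[Rule]
    table: Set[FlowKey] = field(default_factory=set)

    def decide(self, p: Packet) -> str:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.table:
            return "allow"                   # reply to a flow we already allowed
        if stateless_decision(self.rules, p) == "allow":
            self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow"
        return "deny"


# Constructed policy: the 10.0.0.0/24 LAN may open HTTPS to anywhere; nothing else.
ACL = [
    Rule("allow", "tcp", "10.0.0.0/24", "0.0.0.0/0", 443),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
]

# Constructed packets: an outbound request, its reply, and an unsolicited inbound packet.
OUTBOUND = Packet("tcp", "10.0.0.5", 40000, "203.0.113.7", 443)
REPLY = Packet("tcp", "203.0.113.7", 443, "10.0.0.5", 40000)
UNSOLICITED = Packet("tcp", "203.0.113.9", 443, "10.0.0.5", 40001)


def compare() -> dict:
    """Run the same three packets through both filters, in order."""
    stateful = StatefulFilter(ACL)
    return {
        "stateless": [stateless_decision(ACL, p) for p in (OUTBOUND, REPLY, UNSOLICITED)],
        "stateful": [stateful.decide(p) for p in (OUTBOUND, REPLY, UNSOLICITED)],
    }


if __name__ == "__main__":
    print(compare())
```

The stateless ACL drops the legitimate reply because its source is not in the LAN range; the usual workaround is a wide "allow from any port 443" rule, which also lets the unsolicited packet through. The stateful filter allows the reply only because it saw the outbound request first, and still denies the unsolicited packet.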
DMZ
- Put exposed computers in the DMZ
- Router open to internet traffic is called a bastion host
- Honeypot: invite attacks to capture information. Draw attacks away from other
hosts. Honeynets are decoy network sites used to attract attackers
Hardening Devices
- User accounts
- Privileged user accounts
- Role separation, use a hierarchy of roles and permissions
- Everything has some form of ACL.
- Patching/Updated Firmware
- Driver Updates: rollback reverts to the last driver
- Upgrade OS
- Port Management: disable unused ports or ports that aren’t needed. Turn off physical
ports that aren’t needed.
- Signature/Credential management
- Vulnerability Assessment
- Penetration Testing: done from outside the infrastructure; testers are paid to poke
into networks
Physical Security Controls
- Deterrent Physical Control: well lit exterior, signage, security guards
- Physical Preventative Control: Fences, barricades. K ratings: strong fences
designed to stop vehicles. Mantrap: entry system with 2 doors. Cabling systems,
air gaps. Safes, locked cabinets, Faraday cages, locks (key management). On
workstations consider cable locks and screen filters.
- Alarms, cameras, detection systems.
- Log Files
Testing Network Security
- Open Ports: software installs, firmware updates, etc. could open ports
- Nessus and nmap vulnerability scanners
- Honeypot/honeynet
Network protection scenarios
- If you can't get to someone on a network, the first thing you need to consider is
blocked TCP/UDP ports
- Host-based firewall: check its exceptions. Watch the traffic flow
- When someone can’t get onto the network, think ACL: is there a
username/password they need? Does this device have a MAC address/IP that is
blacklisted or whitelisted?
Chapter 21: Network Monitoring
SNMP
- Simple Network Management Protocol (SNMP): Need a managed
device (listening ports UDP 161 and TLS 10161) and an SNMP Manager, which runs
an SNMP tool, the Network Management Station (NMS), using listening ports
UDP 162 and TLS 10162
- Built into every managed device is an MIB (Management Information Base).
Different devices have different MIBs. Different command sets require
these different MIBs. The manager sends a “get” and receives a “response”
- Walk: a batch of gets, called SNMPWalk
- SNMP v1 does not support encryption. v2 added encryption. SNMP v3 added
TLS encryption, much more robust
- An SNMP Community is an organization of managed devices
Documenting Logs
- System logs or general logs: keep track of events that have happened.
- Application logs, security logs, setup logs (Windows installation and
updates), system logs (bootup)
- SNMP (Simple Network Management Protocol), although mainly for
performance monitoring, can also use syslog
- Syslog: closest to a logging standard. Has a hierarchy of errors from 0 to 7 (0
being the worst case)
- Windows DOES NOT log Network Events
What is a history log? A log of what has been changed or edited over time
System Monitoring
- Error Rate: Frames or packets that are malformed or incorrect
- Utilization: CPU load
- Bandwidth: How much data is being moved per second.
- File Integrity: database monitoring
Abnormal warnings of a high error rate or high utilization might signify security breaches or
broken equipment.
SIEM (Security Information and Event Management)
- Aggregation: grabbing data from different locations and storing it
- Logs: SIEM helps put these logs together. Logs are generally Write Once
Read Many(WORM)
- Normalization: makes data more efficient
- Correlation: Analyze data and report it in a way that is understood
- Alerts: For notification if something goes bad
- Triggering: Exceeding thresholds
SIEM overview: SIEM grabs data and represents it in a usable way. SIEMs have alerts
and the ability to notify based on a configurable trigger.
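As an added example serving both the syslog severity hierarchy above (0 to 7, 0 being the worst) and the SIEM stages just listed, the following Python code is not from these notes: it aggregates constructed syslog and Windows-style event lines, normalizes them onto one schema, correlates failed logons per source address, and triggers an alert when a configurable threshold is exceeded. The log formats, hosts and addresses are constructed assumptions.

```python
# Added example, not from the study notes: a miniature SIEM pipeline over constructed
# log lines, showing aggregation, normalization, correlation and threshold triggering.
import re
from collections import Counter
# Syslog severity 0..7, 0 being the worst case (RFC 5424 names).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sources: two syslog senders (<PRI> = facility*8 + severity) and one
# Windows-style security event line in an assumed key=value agent format.
SYSLOG_LINES = [
    "<38>Jun 10 09:00:01 fw1 sshd[200]: Failed password for root from 198.51.100.9 port 50012",
    "<38>Jun 10 09:00:03 fw1 sshd[200]: Failed password for root from 198.51.100.9 port 50013",
    "<38>Jun 10 09:00:05 fw1 sshd[200]: Failed password for admin from 198.51.100.9 port 50014",
    "<30>Jun 10 09:00:07 fw1 sshd[200]: Accepted password for alice from 10.0.0.5 port 50100",
    "<27>Jun 10 09:00:09 sw1 lldpd[12]: link down on GigabitEthernet0/1",
]
WINDOWS_LINES = [
    "2023-06-10 09:00:02 EventID=4625 Host=dc1 Src=198.51.100.9 Msg=An account failed to log on",
]
SYSLOG_RE = re.compile(r"^<(\d+)>(\w{3} +\d+ [\d:]+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
WIN_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) Host=(\S+) Src=(\S+) Msg=(.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def normalize(line):
    """Map a raw line from either source onto one common schema (normalization)."""
    m = SYSLOG_RE.match(line)
    if m:
        pri, ts, host, app, msg = m.groups()
        sev = int(pri) % 8  # severity is the low three bits of PRI
        src = IP_RE.search(msg)
        return {"ts": ts, "host": host, "severity": sev, "level": SEVERITY_NAMES[sev],
                "event": "auth_fail" if "Failed password" in msg else app,
                "src": src.group(1) if src else None}
    m = WIN_RE.match(line)
    if m:
        ts, event_id, host, src, msg = m.groups()
        # Event 4625 is a failed logon; treat it like syslog severity 4 (warning).
        return {"ts": ts, "host": host, "severity": 4, "level": "warning",
                "event": "auth_fail" if event_id == "4625" else event_id, "src": src}
    return None  # unknown format: dropped here, a real SIEM would quarantine it

def correlate(lines, threshold=3):
    """Aggregate all sources, count auth failures per source IP, trigger alerts."""
    records = [r for r in map(normalize, lines) if r]
    failures = Counter(r["src"] for r in records if r["event"] == "auth_fail")
    alerts = [f"{ip}: {n} failed logons across hosts (threshold {threshold})"
              for ip, n in failures.items() if n >= threshold]
    worst = min(r["severity"] for r in records)  # lowest number = most severe
    return {"records": records, "failures": failures, "alerts": alerts, "worst": worst}
```

Because the failures are counted after normalization, the three sshd failures on fw1 and the one Windows failed logon on dc1 are correlated as four attempts from one source, which crosses the threshold of three.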
Chapter 22: Network Troubleshooting
Network Troubleshooting Theory
- To find the problem, gather information, identify the symptoms, question
users, and see if changes have been made.
- Establish the theory of probable cause, use the OSI model to help identify the
location and the problem, and consider future prevention methods
- Test the theory, isolate variables, establish a plan of action, plan out steps,
implement, verify, and test.
- The layer-by-layer (OSI) troubleshooting method is not an element of the
standard troubleshooting model, but is added for network troubleshooting.
SFTP and SSH share TCP 22
LDAP uses TCP 389, LDAPS TCP 636
In FTP TCP 21 establishes connection, 20 sends data
H.323 is for real time connections and uses TCP 1720
SIP is for real time connections and uses TCP 5060, 5061
SMB/CIFS is Windows file sharing and uses TCP 445