ARP
Address Resolution Protocol (ARP) is a protocol or procedure that connects an ever-changing Internet Protocol (IP) address to a fixed physical machine address, also known as a media access control (MAC) address, in a local-area network (LAN).

Proxy ARP
Proxy ARP is a technique by which a proxy device on a given network answers the ARP request for an IP address that is not on that network. The proxy is aware of the location of the traffic's destination and offers its own MAC address as the destination.

Gratuitous ARP
Gratuitous ARP is almost like an administrative procedure, carried out as a way for a host on a network to simply announce or update its IP-to-MAC address mapping. Gratuitous ARP is not prompted by an ARP request to translate an IP address to a MAC address.

Reverse ARP (RARP)
Host machines that do not know their own IP address can use the Reverse Address Resolution Protocol (RARP) for discovery.

Inverse ARP (IARP)
Whereas ARP uses an IP address to find a MAC address, IARP uses a MAC address to find an IP address.

MTU and MSS
The MTU, or ‘Maximum Transmission Unit’, is the largest block of data that can be handled at layer 3 of the OSI model. This is usually IP, so the MTU usually refers to the maximum size a packet can be. The MSS is the maximum size that the payload can be, after subtracting space for the IP, TCP, and other headers. So, if the MTU is 1500 bytes, and the IP and TCP headers are 20 bytes each, the MSS is 1460 bytes.

TCP vs UDP
TCP is a connection-oriented protocol, whereas UDP is a connectionless protocol. A key difference between TCP and UDP is speed, as TCP is comparatively slower than UDP. Overall, UDP is a much faster, simpler, and more efficient protocol; however, retransmission of lost data packets is only possible with TCP.

What Is TCP Windowing?
"TCP windowing" is what we call it when the Transmission Control Protocol (TCP) uses a sliding window protocol to mitigate problems with clients and servers trying to share segments of data that are too large or small, and therefore cannot transmit effectively. The 8 steps in a DNS lookup: 1. 2. 3. 4. 5. 6. A user types ‘example.com’ into a web browser and the query travels into the Internet and is received by a DNS recursive resolver. The resolver then queries a DNS root nameserver (.). The root server then responds to the resolver with the address of a Top Level Domain (TLD) DNS server (such as .com or .net), which stores the information for its domains. When searching for example.com, our request is pointed toward the .com TLD. The resolver then makes a request to the .com TLD. The TLD server then responds with the IP address of the domain’s nameserver, example.com. Lastly, the recursive resolver sends a query to the domain’s nameserver. 7. 8. The IP address for example.com is then returned to the resolver from the nameserver. The DNS resolver then responds to the web browser with the IP address of the domain requested initially. a. Once the 8 steps of the DNS lookup have returned the IP address for example.com, the browser is able to make the request for the web page: 9. The browser makes a HTTP request to the IP address. 10. The server at that IP returns the webpage to be rendered in the browser (step 10). Next Generation Firewall (NGFW) A next generation firewall (NGFW) provides capabilities beyond that of a stateful network firewall, technology that was first pioneered in 1994 by Check Point Software Technologies. A stateful firewall is a network security device that filters incoming and outgoing network traffic based upon Internet Protocol (IP) port and IP addresses. By intelligently inspecting the payload of some packets, new connection requests can be associated with existing legitimate connections. 
A next generation firewall adds additional features such as application control, integrated intrusion prevention (IPS) and often more advanced threat prevention capabilities like sandboxing.

What is a stateful firewall?
Stateful firewalls monitor all aspects of the traffic streams, their characteristics and communication channels. These firewalls can integrate encryption or tunnels, identify TCP connection stages, packet state and other key status updates.

What is a stateless firewall?
Stateless firewalls use clues from the destination address, source and other key values to assess whether threats are present, then block or restrict those deemed untrusted. Preset rules enforce whether traffic is permitted or denied, but the system is typically unable to determine the difference between truly desired communications and sophisticated attempts to disguise unauthorized communications as trusted ones. As one of the earlier iterations of firewalls, stateless firewalls don't look beyond the header of packet contents to determine if traffic is authorized.

NAT types
There are 3 types of NAT:
1. Static NAT – a single private IP address is mapped to a single public IP address, i.e., one private IP address is always translated to the same public IP address. It is used in web hosting.
2. Dynamic NAT – multiple private IP addresses are mapped to a pool of public IP addresses. It is used when we know the number of fixed users who want to access the Internet at a given point in time.
3. Port Address Translation (PAT) – also known as NAT overload. Many local (private) IP addresses are translated to a single public IP address. Port numbers are used to distinguish the traffic, i.e., which traffic belongs to which private IP address. This is the most frequently used type because it is cost-effective: thousands of users can be connected to the Internet using only one real global (public) IP address.
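The PAT entry just described, as an added example that is not part of the original notes: a translation table keyed on the private host's socket and the remote endpoint it contacted, so two private hosts using the same source port get distinct public ports, replies are mapped back, and any inbound packet no host asked for is dropped. The public and remote addresses are constructed documentation-range values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example (not from the original notes): a minimal PAT / NAT overload table.
PUBLIC_IP = "203.0.113.1"   # the single "real" public address shared by the whole LAN
FIRST_PORT = 1024           # first translated source port handed out

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PAT:
    def __init__(self, public_ip: str = PUBLIC_IP):
        self.public_ip = public_ip
        self.next_port = FIRST_PORT
        # (priv_ip, priv_port, remote_ip, remote_port) -> public port, and the reverse map
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        self.inbound: Dict[int, Tuple[str, int, str, int]] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite a LAN -> Internet packet to the shared public IP and a unique port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an Internet -> LAN packet back to the private host, or return None
        (drop) when no inside host asked for it or it comes from a different remote."""
        entry = self.inbound.get(pkt.dst_port) if pkt.dst_ip == self.public_ip else None
        if entry is None:
            return None                                   # no mapping: unsolicited
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                                   # wrong remote endpoint
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)

def demo():
    nat = PAT()
    # two private hosts happen to pick the same source port for the same server
    a = nat.translate_out(Packet("10.0.0.2", 40000, "198.51.100.10", 443))
    b = nat.translate_out(Packet("10.0.0.3", 40000, "198.51.100.10", 443))
    reply_to_a = nat.translate_in(Packet("198.51.100.10", 443, PUBLIC_IP, a.src_port))
    wrong_remote = nat.translate_in(Packet("198.51.100.99", 443, PUBLIC_IP, a.src_port))
    unsolicited = nat.translate_in(Packet("198.51.100.99", 5555, PUBLIC_IP, 3389))
    return a, b, reply_to_a, wrong_remote, unsolicited
```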
How NAT protects you:
- It hides the IP addresses of the devices on your network from the outside world, giving them all a single address.
- It requires every incoming packet of information to have been asked for by a device. If a malicious data packet isn’t on the list of expected communications, it gets rejected.
- Some firewalls can use whitelisting to block unauthorized outgoing traffic, so if you do contract a piece of malware, your firewall may prevent it from communicating with your device.

IPSEC MESSAGES (IKEv1 Main Mode and Aggressive Mode)
MM #1 (initiator): includes the SA proposal.
MM #2 (responder): the SA proposal that it chose.
MM #3 (initiator): Diffie-Hellman exchange, beginning of the key exchange.
MM #4 (responder): sends its own key; encryption should be established.
MM #5 (initiator): sends this message to authenticate the session.
MM #6 (responder): sends back a similar packet and authenticates the session.
AM #1 (initiator): sends the information that was contained in MM #1-3 and some of MM #5.
AM #2 (responder): the information contained in MM #2, 4, and 6: key generation, identity and authentication.
AM #3 (initiator): authentication and identity from MM #5.

IPSEC QUESTIONS
1. What is IPsec?
A suite of protocols, standards and algorithms to secure traffic over an untrusted network.

2. At which layer does IPsec work?
At layer 3.

3. Why does AH not work through a NATed device?
NAT changes the IP address of the packet, but the hash value is not changed, so the packets appear altered.

4. IPsec ports?
UDP 500 for ISAKMP; ESP is IP protocol 50 and AH is IP protocol 51.

5. What is IKE?
The protocol used to set up a secure, authenticated communication channel and negotiate SAs.

6. Advantages of IKEv2 over IKEv1?
Requires less bandwidth, supports EAP authentication, has built-in NAT traversal, and supports asymmetric authentication.

7. What is ISAKMP?
Defines how to establish, negotiate, modify and delete SAs.

8. What is DH?
Diffie-Hellman is a public-key cryptographic protocol that allows two parties to establish a shared secret over an insecure network.

9. What are SAs?
Security Associations define the algorithms to be applied to sensitive packets; they are unidirectional.

10. What is a transform set?
A combination of individual IPsec transforms designed to enact a specific security policy for traffic.

11. IPsec peers can authenticate with which 2 methods?
Pre-shared key and certificate.

12. What is HMAC?
A hashing function that uses a secret key (a keyed hash).

13. How do ESP and AH provide anti-replay?
Using a sequence number.
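Question 13 above says anti-replay rests on the sequence number; the added example below (not from the original notes) shows the receiver-side sliding window that turns that number into an accept or reject decision, in the style of the RFC 4303 algorithm. It assumes a 64-packet window and that the check runs only after the packet's integrity check value has verified.

```python
# Constructed example, not from the original notes: ESP/AH receiver anti-replay window.
WINDOW_SIZE = 64   # assumed window width (RFC 4303 requires at least 32, recommends 64)

class AntiReplayWindow:
    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0    # highest sequence number accepted so far (right edge)
        self.bitmap = 0     # bit i set => sequence number (highest - i) already received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if the packet is fresh; False if it is a replay
        (already seen) or too old (left of the window). Call this only after the
        ICV has verified, otherwise forged sequence numbers could slide the window."""
        if seq == 0:
            return False                       # 0 is never a valid ESP/AH sequence number
        if seq > self.highest:                 # beyond the right edge: slide the window
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 0                # everything previously seen falls off
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                   # mark the new right edge as received
            self.highest = seq
            return True
        offset = self.highest - seq            # inside or left of the window
        if offset >= self.size:
            return False                       # too old: outside the window
        if self.bitmap & (1 << offset):
            return False                       # duplicate: replayed packet
        self.bitmap |= 1 << offset             # late but fresh: accept and record
        return True

def replay_sequence(seqs):
    """Feed a constructed arrival order through one window; return the accept/reject list."""
    window = AntiReplayWindow()
    return [window.check_and_update(s) for s in seqs]
```

Out-of-order delivery inside the window (3 then 2) is accepted, a second copy of 2 or 3 is rejected, and after a jump to 100 anything at or below 36 is too old while 37 is still inside the window.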