Exam Essentials: Chapter 11

Chapter 11: Secure Network Architecture & Securing Network Components

Know the OSI model layers and which protocols are found in each

  • The seven layers, and the protocols supported by each, are as follows:
    • Application: HTTP, FTP, LPD, SMTP, Telnet, TFTP, EDI, POP3, IMAP, SNMP, NNTP, S-RPC and SET
    • Presentation: Encryption protocols & format types, such as ASCII, EBCDIC, TIFF, JPEG, MPEG and MIDI.
    • Session: NFS, SQL and RPC.
    • Transport: SPX, SSL, TLS, TCP and UDP
    • Network: ICMP, RIP, OSPF, BGP, IGMP, IP, IPSec, IPX, NAT and SKIP.
    • Data Link: SLIP, PPP, ARP, L2F, L2TP, PPTP, FDDI, ISDN.
    • Physical: EIA/TIA-232, EIA/TIA-449, X.21, HSSI, SONET, V.24 and V.35.
  • Mnemonics: All People Seem To Need Domino’s Pizza (7-1), Please Do Not Throw Sausage Pizza Away (1-7)

Have a thorough knowledge of TCP/IP

  • Know the difference between TCP & UDP.
  • Be familiar with the four TCP/IP layers and how they correspond to the OSI model:
    • Application (OSI Layers 5-7: Session, Presentation & Application)
    • Transport (OSI Layer 4: Transport)
    • Internet (OSI Layer 3: Network)
    • Link (OSI Layers 1-2: Physical & Data Link)

Know the different cabling types, their lengths and maximum throughput rates (TODO)

  • This includes:
    • STP
    • 10BaseT (UTP)
    • 10Base2 (thinnet)
    • 10Base5 (thicknet)
    • 100BaseT
    • 1000BaseT
    • Fibre-optic
  • You should also be familiar with UTP categories 1 to 7.

Be familiar with the common LAN technologies [TODO]

  • The most common LAN technology is Ethernet
  • Also be familiar with:
    • analog vs digital comms
    • synchronous vs asynchronous comms
    • baseband vs broadband comms
    • broadcast, multicast & unicast comms
    • CSMA, CSMA/CA and CSMA/CD [TODO]
    • token passing [TODO]
    • polling [TODO]

Understand secure network architecture & design

  • Network security should take into account:
    • IP and non-IP protocols
    • network access control
    • using security services & devices
    • managing multilayer protocols
    • implementing endpoint security

Understand the various types & purposes of network segmentation

  • Network segmentation can be used to manage traffic, improve performance and enforce security.
  • Examples of network segments or sub-networks include intranet, extranet & DMZ.

Understand the different wireless technologies

  • Mobile phones, Bluetooth (802.15) and Wi-Fi (802.11) are all called wireless technologies, even though they are very different. Be aware of their differences, strengths & weaknesses.
  • Understand 802.11, a, b, g, n and ac:
    • Original 802.11 (2 Mbps)
    • 802.11a (54 Mbps)
    • 802.11b (11 Mbps)
    • 802.11g (54 Mbps)
    • 802.11n (600 Mbps)
    • 802.11ac (1+ Gbps)
  • The 802.11 standard also defines WEP.
  • TKIP (Temporal Key Integrity Protocol) was designed as the replacement for WEP without requiring replacement of legacy wireless hardware. TKIP was implemented as WPA (Wi-Fi Protected Access).
  • 802.11i defines WPA2: a new encryption scheme known as the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which uses AES-128 encryption.
  • A captive portal is an authentication technique that redirects a newly-connected wireless Web client to a portal access control page.
  • Understand the basics of securing 802.11 networking
    • disabling SSID broadcast and/or changing the SSID to something unique
    • enabling MAC filtering
    • considering the use of static IPs or DHCP reservations
    • enabling the highest supported version of encryption
    • treating wireless as remote access and employing 802.1X, RADIUS or TACACS
    • separating WAPs from the LAN with firewalls
    • monitoring all wireless activity with an IDS
    • consider requiring wireless clients to connect with a VPN to gain LAN access

Understand Fibre Channel

  • Fibre Channel is a form of network data storage solution – i.e. SAN (storage area network)/NAS (network-attached storage) – that allows for high-speed file transfers.
  • FCoE (Fibre Channel over Ethernet) is used to encapsulate Fibre Channel communications over Ethernet networks.

Understand iSCSI

  • iSCSI (Internet Small Computer System Interface) is a network storage standard based on IP.

Understand EAP, PEAP & LEAP

  • EAP (Extensible Authentication Protocol) is an authentication framework rather than a specific mechanism of authentication.
  • Effectively, EAP allows for new authentication technologies to be compatible with existing wireless or point-to-point connection techniques.
  • PEAP (Protected EAP) encapsulates EAP methods within a TLS tunnel that provides authentication and potentially encryption.
  • LEAP (Lightweight EAP) is a Cisco proprietary alternative to TKIP for WPA. This was developed to address deficiencies in TKIP before the 802.11i (WPA2) system was ratified as a standard.

Understand MAC filtering

  • A MAC filter is a list of authorised wireless client interface MAC addresses that is used by a WAP to block access to all non-authorised devices.

Understand SSID broadcast

  • Wireless networks traditionally announce their SSID on a regular basis within a special packet known as the beacon frame.
  • When the SSID is broadcast, any device with an automatic detect & connect feature is not only able to see the network, but can also initiate a connection with it.

Understand antenna types

  • A wide variety of antenna types can be used for wireless clients and base antennas.
  • These include:
    • omni-directional pole antennas
    • directional antennas such as Yagi, cantenna, panel & parabolic

Know the standard network topologies

  • These are:
    • ring
    • bus
    • star
    • mesh.

Know the common network devices

  • Common network devices are:
    • firewalls
    • routers
    • bridges
    • modems
    • repeaters
    • switches
    • gateways
    • proxies.

Understand the different types of firewalls

  • There are several types of firewalls:
    • Static packet filtering: First-gen. Operates at L3.
    • Application-level gateway: Second-gen. Operates at L7.
    • Circuit-level gateway: Also second-gen. Operates at L5. Example: SOCKS proxy
    • Stateful inspection (aka dynamic packet filtering): Third-gen. Operates at L3 & L4.
    • Deep packet inspection: Typically operates at the Application layer (L7). Often integrated with app-layer and/or stateful inspection firewalls.
    • Next-gen: Multi-function device which can include IDS/IPS, TLS/SSL proxy, web filtering, QoS, NAT, VPN anchoring etc.
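The difference between a first-gen static packet filter and a third-gen stateful filter is easiest to see on a packet trace. The following is an added example, not from these notes: a toy header-only filter beside a toy state-tracking filter, run over a constructed five-packet trace (documentation-range addresses, and the assumption that 10.0.0.0/8 is the protected LAN with a web server allowed on port 80).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN", "ACK"})

def is_inside(ip: str) -> bool:
    # Constructed convention for this example: 10.0.0.0/8 is the protected LAN.
    return ip.startswith("10.")

def static_filter(pkt: Packet) -> bool:
    """First-gen (static) filter: decides on this packet's headers alone, no memory.
    Inbound traffic is allowed only to the web server port or when the ACK flag
    is set, which is the header-only approximation of 'part of an established flow'."""
    if is_inside(pkt.src):
        return True
    return pkt.dport == 80 or "ACK" in pkt.flags

class StatefulFilter:
    """Third-gen (stateful) filter: records outbound flows and admits an inbound
    packet only when it answers a flow that an inside host already opened."""
    def __init__(self):
        self.table = set()  # (inside_ip, inside_port, remote_ip, remote_port)

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return True  # reply to a flow we saw leave
        # A brand-new inbound connection: only a plain SYN to the web server.
        return pkt.dport == 80 and pkt.flags == frozenset({"SYN"})

def run_trace(packets):
    """Return (static_decision, stateful_decision) for each packet in order."""
    sf = StatefulFilter()
    return [(static_filter(p), sf.allow(p)) for p in packets]

# Constructed trace; addresses are from documentation ranges, not real hosts.
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.7", 443, frozenset({"SYN"})),         # client opens HTTPS
    Packet("203.0.113.7", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),  # legitimate reply
    Packet("198.51.100.9", 1337, "10.0.0.5", 22, frozenset({"ACK"})),          # unsolicited, ACK set
    Packet("198.51.100.9", 5555, "10.0.0.8", 22, frozenset({"SYN"})),          # unsolicited SYN to SSH
    Packet("198.51.100.9", 5555, "10.0.0.8", 80, frozenset({"SYN"})),          # new web connection
]

if __name__ == "__main__":
    for p, (static, stateful) in zip(TRACE, run_trace(TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)} static={static} stateful={stateful}")
```

The third packet is the point of the exercise: the static filter passes it because the ACK bit is set, while the stateful filter rejects it because no inside host ever opened that flow, which is why a stateful device is needed to enforce "established" properly.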

Know the protocol services used to connect to LAN & WAN communication technologies (TODO)

  • These are:
    • Frame Relay
    • SMDS
    • X.25
    • ATM
    • HSSI
    • SDLC
    • HDLC
    • ISDN

Understand problems with cabling, and their countermeasures

  • Attenuation: ensure that you don’t exceed length recommendations (otherwise use repeaters)
  • Using the wrong category of cable: check the cable specifications against throughput requirements, and err on the side of caution
  • Crosstalk: use shielded cables, place cables in separate conduits, or use cables of higher twists per inch
  • Cable breaks: avoid running cables in locations where movement occurs
  • Interference: use cable shielding, cables with higher twists per inch, or switch to fibre-optic.
  • Eavesdropping: maintain physical security over all cable runs

TODO: OFDM, DSSS etc

  • Frequency Hopping Spread Spectrum (FHSS)
  • Direct Sequence Spread Spectrum (DSSS)
  • Orthogonal Frequency-Division Multiplexing (OFDM)
