# Network & Communications Security

Communications security is about data in motion - as it is going to and from the endpoints and the other elements or nodes of our systems, such as servers. It's not about data at rest or data in use, per se.

The key ingredients that we find in any communications system or process are:
* **Purpose or intent**. This intention should shape the whole communication process. With a clear statement of intent, the sender can better identify who the target audience is, and whether the intention can be achieved by exchanging one key idea or a whole series of ideas woven together into some kind of story or narrative.


* **Senders and recipients**. The actual people or groups on both ends of the conversation or the call; sometimes called the parties to the communication.


* **Protocols** that shape how the conversation or communication can start, how it is conducted, and how it is brought to a close. Protocols include a choice of language, character or symbol set, and maybe even a restricted domain of ideas to communicate about. Protocols provide for ways to detect errors in transmission or receipt, and ways to confirm that the recipient both received and understood the message as sent. Other protocols might also verify whether the true purpose of the communication got across as well.


* **Message Content**, which is the ideas we wish to exchange encoded or represented in the chosen language, character or symbol sets, and protocols.


* A physical **communications medium**, which is what makes transporting the message from one place to another possible. 

As we dig further into what information security entails, we'll have to add two additional and very important attributes to our **CIA** triad: **nonrepudiation** and **authentication**. Thus, **CIANA**: confidentiality, integrity, availability, nonrepudiation, and authentication.

To **repudiate** something means to attempt to deny an action that you've performed or something you said. You can also attempt to deny that you ever received a particular message or didn't see or notice that someone else performed an action. In most cases, we repudiate our own actions or the actions of others so as to attempt to deny responsibility for them. Thus, **nonrepudiation** is the characteristic of a communications system that prevents a user from claiming that they never sent or never received a particular message. This communications system characteristic sets limits on what senders or receivers can do by restricting or preventing any attempt by either party to repudiate a message, its content, or its meaning.

Authentication, in this context, also pertains to senders and receivers. **Authentication** is the verification that the sender or receiver is who they claim to be, and then the further validation that they have been granted permission to use that communications system. Authentication might also go further by validating that a particular sender has been granted the privilege of communicating with a particular receiver.

## Understand & Apply Fundamental Concepts of Networking

A **protocol stack** is a document - a set of ideas or design standards. Designers and builders implement the protocol stack into the right set of hardware, software, and procedural tasks (done by people or others). These implementations present the features of the protocol stack as services that can be requested by subjects (people or software tasks).

A **datagram** is the unit of information used by a protocol layer or a function within it. It’s the unit of measure of information in each individual transfer. Each layer of the protocol stack takes the datagram it receives from the layers above it and repackages it as necessary to achieve the desired results. 

### OSI & TCP/IP Models

The table below shows the relationship between the TCP/IP protocol suite and the OSI 7-layer reference model.

| Types of Layers | Typical Protocols | OSI Layer | OSI Protocol Data Unit Name | TCP/IP Layer | TCP/IP Datagram Name |
| :---: | :---: | :---: | :---: | :---: | :---: |  
| Host Layers | HTTP, HTTPS, SMTP, IMAP, SNMP, POP3, FTP, ... | 7. Application | Data | (Outside of TCP/IP Model Scope) | Data |
| | Characters, MPEG, SSL/TLS, Compression, S/MIME, ... | 6. Presentation | | | |
| | NetBIOS, SAP, Session Handshaking Connections | 5. Session | | | |
| | TCP, UDP | 4. Transport | Segment, except: UDP : datagram | Transport | Segment |
| Media Layers | IPv4/IPv6 IP Address, ICMP, IPSec, ARP, MPLS, ... | 3. Network | Packet | Network (or Internetworking) | Packet |
| | Ethernet, 802.1, PPP, ATM, Fibre Channel, FDDI, MAC Address | 2. Link | Frame | Data Link | Frame |
| | Cables, Connectors, 10BaseT, 802.11X, ISDN, T1, ... | 1. Physical | Symbol | Physical | Bits |

**TCP/IP** is often thought of as the designer's and builder's choice for hardware and network systems, as a bottom-up set of standards (from Physical on up to Transport). The **OSI reference model** provides a more cohesive framework for analyzing and designing the total information flow that gets user-needed purposes implemented and carried out. SSCPs need to be fluent in both.

A **handshake** is a sequence of small, simple communications that we send and receive, such as hello and goodbye, ask and reply, or acknowledge or not-acknowledge, which control and carry out the communications we need. Handshakes are defined in the protocols we agree to use.

Each **packet** is sent across the Internet by itself (wrapped in header and trailer information that identifies the sender, recipient, and other important information we'll go into later). Breaking a large file into packets, rather than sending it as one contiguous block of data, allows smarter trade-offs between actual throughput rate, error rates, and recovery strategies. (Rather than resend the entire file because line noise corrupted one or two bytes, we might need to resend just the one corrupted packet.) However, since sending each packet requires a certain amount of handshake overhead to package, address, route, send, receive, unpack, and acknowledge, the smaller the packet size, the less efficient the overall communications system can be.

![Wrapping: Layer-by-Layer Encapsulation](images/wrapping-layer-by-layer-encapsulation.png)

The flow of wrapping, layer-by-layer **encapsulation**, as shown above, illustrates how a higher-layer protocol logically communicates with its opposite number in another system by having to first wrap and pass its datagrams to lower-layer protocols in its own stack. It's not until the Physical layer connections that signals actually move from one system to another.
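As an added illustration of layer-by-layer encapsulation (example code written for this page, not code from the original text), the following Python builds a UDP segment, wraps it in an IPv4 packet, wraps that in an Ethernet frame, and then peels the layers back off while checking each header on the way up. The source MAC is the page's own example value; the IP addresses, ports and payload are constructed, and the frame check sequence that a NIC would append is omitted.

```python
import struct

# Constructed sample addressing: the source MAC is the page's example value,
# the IP addresses and payload are made up for this illustration.
SRC_MAC = "3A-7C-FF-29-01-05"
DST_MAC = "FF-FF-FF-FF-FF-FF"
SRC_IP = "192.168.2.11"
DST_IP = "192.168.2.1"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac_bytes(mac: str) -> bytes:
    """Accept dash-, colon- or unseparated hex MAC notation; return the 6 raw bytes."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_checksum(header: bytes) -> int:
    """IPv4 header checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # Layer 4 PDU: 8-byte header (ports, length, checksum) in front of the data.
    # A zero UDP checksum means "not computed", which IPv4 permits.
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def ipv4_packet(src_ip: str, dst_ip: str, proto: int, transport_pdu: bytes,
                ttl: int = 64, ident: int = 0x1234) -> bytes:
    # Layer 3 PDU: a 20-byte header (no options) wrapped around the segment.
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,                      # version 4, IHL = 5 words
                         0,                         # DSCP/ECN
                         20 + len(transport_pdu),   # total length
                         ident, 0,                  # identification, flags/fragment offset
                         ttl, proto,
                         0,                         # checksum placeholder
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    checksum = ip_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + transport_pdu


def ethernet_frame(src_mac: str, dst_mac: str, ethertype: int, packet: bytes) -> bytes:
    # Layer 2 PDU: destination, source, EtherType, then the packet.
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + packet


def encapsulate(payload: bytes, src_port: int = 40000, dst_port: int = 53) -> bytes:
    """Walk down the stack: data -> segment -> packet -> frame."""
    segment = udp_segment(src_port, dst_port, payload)
    packet = ipv4_packet(SRC_IP, DST_IP, IPPROTO_UDP, segment)
    return ethernet_frame(SRC_MAC, DST_MAC, ETHERTYPE_IPV4, packet)


def decapsulate(frame: bytes) -> dict:
    """Walk back up the stack, validating each layer's header before unwrapping it."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("frame does not carry IPv4")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:        # a valid header checksums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_length = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_UDP:
        raise ValueError("packet does not carry UDP")
    segment = packet[ihl:total_length]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    if udp_len != len(segment):
        raise ValueError("UDP length field disagrees with the packet")
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
        "src_ip": ".".join(map(str, packet[12:16])),
        "dst_ip": ".".join(map(str, packet[16:20])),
        "src_port": src_port, "dst_port": dst_port, "payload": segment[8:],
    }


def is_intact(frame: bytes) -> bool:
    """True when every layer's header checks out, False on any corruption."""
    try:
        decapsulate(frame)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    frame = encapsulate(b"constructed payload")
    print(len(frame), "bytes on the wire:", decapsulate(frame))
```

The receiving side only ever looks at the outermost header it is responsible for, strips it, and hands the rest upward; the checksum check at Layer 3 is what turns a corrupted TTL byte into a dropped packet rather than a misdelivered one.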

**Routing** is the process of determining what path or set of paths to use to send a set of data from one endpoint device through the network to another. **Switching** is the process used by one node to receive data on one of its input ports and choose which output port to send the data to. A simple switch depends on the incoming data stream to explicitly state which path to send the data out on; a router, by contrast, uses routing information and routing algorithms to decide what to tell its built-in switch to properly route each incoming packet.

The **DNS (Domain Name System)** consists of a set of servers that resolve domain names into IP addresses, registrars that assign and issue both IP addresses and the domain names associated with them to parties who want them, and the regulatory processes that administer all of that.

| System Components | OSI Layer | TCP/IP, Protocols & Services (Examples) | Key Address Element | Datagrams are called... | Role in the Information Architecture |
| :---: | :---: | :---: | :---: | :---: | :---: |
| People | | | Name, Building & Room, email Address, Phone Number, ... | Files, Reports, Memos, Conversations, ... | Company Data, Information Assets |
| Application Software + People Processes, Gateways | 7 - Application | HTTP, email, FTP, ... | URL, IP Address + Port | Upper-Layer Data | Implement Business Logic & Processes |
| | 6 - Presentation | SSL/TLS, MIME, MPEG, Compression | | | |
| | 5 - Session | | | | |
| Load Balancers, Gateways | 4 - Transport | TCP, UDP | IP Address + Port | Segments | Implement Connectivity with Clients, Partners, Suppliers, ... |
| Routers, OS Software | 3 - Network | IPv4, IPv6, IPSec, ICMP, ... | IP Address + Port | Packets | |
| Switches, Hubs, Routers | 2 - Data Link | 802.1X, PPP, ... | MAC Address | Frames | |
| Cables, Antenna, ... | 1 - Physical | | Physical Connection | Bits | | 

#### Layer 1: The Physical Layer 

It's also worth pointing out that the physical domain defines both the collision domain and the physical segment. A **collision domain** is the physical or electronic space in which multiple devices are competing for each other's attention; if their signals out-shout each other, some kind of collision detection and avoidance is needed to keep things working properly.

| Vulnerabilities | Countermeasure Options | Residual Risk |
| :--- | :--- | :--- |
| We need to consider two kinds of physical transmission: **conduction** and **radiation**. <br><br> Conducted and radiated signals are easy prey to a few problems: <br><br> * Spoofing happens when another transmitter acts in ways to get a receiver to mistake it as the anticipated sender. This can happen accidentally, such as when the RFI (radio frequency interference) from a lightning strike is misinterpreted by an electronic device as some kind of command or data input. More often, spoofing is deliberate. <br><br> * Large electrical motors, and electric power systems, can generate electromagnetic interference (EMI); this tends to be very low frequency but can still disrupt some Layer $1$ activities. <br><br> * Interception happens when a third party is able to covertly receive and decode the signals being sent, without interrupting the flow from sender to receiver. <br><br> * Jamming occurs when a stronger signal (generated deliberately, accidentally, or naturally) drowns out the signal from the transmitter. <br><br> For hostile (deliberate) threat actors, the common attack tools at Layer $1$ start with physical access to your systems: <br><br> * Cable taps (passive or with active repeaters). <br><br> * Cables plugged into unused jacks on your switches, routers, or modems. <br><br> * Tampering with your local electrical power supply system. <br><br> Wi-Fi reconnaissance can be easily conducted from a smartphone app, and this can reveal exploitable weaknesses in your systems at Layer $1$ and above. This can aid an attacker in tuning their own Wi-Fi attack equipment to the right channel and pointing it in the right spots in your Wi-Fi coverage patterns, to find potential attack vectors. | The basics of the medium should provide some degree of protection against some source of interference, disruption, or interception. Signal cables can be contained in rigid pipes, and these are buried in the ground or embedded in concrete walls. This reduces the effect of RFI while also reducing the chance of the cable being cut or tapped into. Radio communications systems can be designed to use frequency bands, encoding techniques, and other measures that reduce accidental or deliberate interference or disruption. Placing Layer $1$ (and other) communications systems elements within physically secured, environmentally stabilized physical spaces should always be part of your risk mitigation thinking. <br><br> This also is part of placing your physical infrastructure under effective configuration management and change control. <br><br> Power conditioning equipment can also alleviate many hard-to-identify problems. Not every electronic device behaves well when its AC power comes with bursts of noise, or with voltage drops or spikes that aren't severe enough to cause a shutdown (or a blown surge suppressor). Some consumer or SOHO routers, and some cable or fiber modems provided by ISPs to end users, can suffer from such problems. Overheating can also cause such equipment to perform erratically. <br><br> Note that most IPS and IDS products and approaches don't have any real way to reach down into Layer $1$ to detect an intrusion. What you're left with is the old-fashioned approach of inspection and audit of the physical systems against a controlled, well-documented baseline. | In general terms, the untreated Layer $1$ risks end up being passed on to Layer $2$ and above in the protocol stacks, either as interruptions of service, datagram errors, faulty address and control information, or increased retry rates leading to decreased throughput. Monitoring and analysis of monitoring data may help you identify an incipient problem, especially if you're getting a lot of red flags from higher layers in the protocol stack. <br><br> Perhaps the worst residual risk at Layer $1$ is that you won't detect trespass at this level. Internet-empowered systems can lull us into complacency; they can let us stop caring about where a particular Cat $5$ or Cat $6$ cable actually goes, because we're too worried about authorized users doing the wrong thing or unauthorized users hacking into our systems or our apps. True, the vast majority of attacks happen remotely and involve no physical access to your Layer $1$ systems or activities. |

#### Layer 2: The Data Link Layer

The MAC (Media Access Control) address is a $48$-bit address, typically written (for humans) as six octets—six $8$-bit binary numbers, usually written as two-digit hexadecimal numbers separated by dashes, colons, or no separator at all. For example, $3A-7C-FF-29-01-05$ is the same $48$-bit address as $3A7CFF290105$.

The following figure illustrates what each frame consists of:

![Frame](images/frame.png)

| Vulnerabilities & Assessment | Countermeasure Options | Residual Risk |
| :--- | :--- | :--- |
| * MAC address-related attacks, MAC spoofing (command line accessible), CAM (content addressable memory) table overflow <br><br> * DHCP lease-based denial of service attack (also called IP pool starvation attack) <br><br> * ARP attacks, attacker sending IP/MAC pairs to falsify IP address for known MAC, or vice versa <br><br> * VLAN attacks: VLAN hopping via falsified (spoofed) VLAN IDs in packets <br><br> * Denial of service by looping packets, as a spanning tree protocol (STP) attack <br><br> * Reconnaissance attacks against Data Link layer discovery protocols <br><br> * SSID spoofing as part of man-in-the-middle attacks <br><br> These may lead to denial or disruption of service or degraded service (if your network systems have to spend a lot of time and resources detecting such attacks and preventing them). They may also provide an avenue for the attacker to further penetrate your systems and achieve a Layer $3$ access. Attacks at this layer can also enable an attacker to reach out through your network's nodes and attack other systems. | * Secure your network against external sniffers via encryption. <br><br> * Use SSH instead of unsecure remote login, remote shell, etc. <br><br> * Ensure maximum use of SSL/TLS. <br><br> * Use secured versions of email protocols, such as S/MIME or PGP. <br><br> * Use network switching techniques, such as dynamic ARP inspection or rate limiting of ARP packets. <br><br> * Control when networks are operating in promiscuous mode. <br><br> * Use whitelisting of known, trusted MAC addresses. <br><br> * Use blacklisting of suspected hostile MAC addresses. <br><br> * Use honeynets to spot potential DNS snooping. <br><br> * Do latency checks, which may reveal that a potential or suspect attacker is in fact monitoring your network. <br><br> * Monitor what processes and users are actually using network monitoring tools, such as Netmon, on your systems; when in doubt, one of those might be serving an intruder! | Probably the most worrisome residual risk of an unresolved Layer $2$ vulnerability is that an intruder has now found a way to gain Layer $3$ access or beyond on your network. |
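As an added example (written for this page, not taken from it), the following Python covers two points from this section: normalizing the MAC address notations described above (dashes, colons or no separator) into one canonical form, and a defender-side check in the spirit of dynamic ARP inspection and MAC whitelisting that scans ARP-reply log lines for an IP address whose MAC binding changes or disagrees with a trusted list. The log line format, the trusted-gateway list and the addresses other than the page's own MAC example are constructed assumptions.

```python
import re


def normalize_mac(mac: str) -> str:
    """Return a 48-bit MAC as lowercase colon-separated octets, whatever the input notation.
    3A-7C-FF-29-01-05, 3a:7c:ff:29:01:05 and 3A7CFF290105 all normalize to the same string."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if len(digits) != 12 or not all(c in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_flags(mac: str) -> dict:
    """Decode the two low bits of the first octet: bit 0 = group/multicast address,
    bit 1 = locally administered (not burned in by the manufacturer)."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return {"multicast": bool(first_octet & 0x01),
            "locally_administered": bool(first_octet & 0x02)}


# Constructed log format (an assumption for this example): "<time> ARP reply <ip> is-at <mac>"
ARP_REPLY = re.compile(r"ARP reply (\d+\.\d+\.\d+\.\d+) is-at (\S+)")


def detect_arp_anomalies(lines, trusted=None):
    """Flag ARP replies that rebind an IP to a new MAC, or that contradict a trusted
    IP -> MAC list (the whitelisting idea above).  Returns a list of
    (reason, ip, expected_mac, observed_mac)."""
    trusted = {ip: normalize_mac(mac) for ip, mac in (trusted or {}).items()}
    seen = {}          # first binding observed for each IP in this log
    alerts = []
    for line in lines:
        match = ARP_REPLY.search(line)
        if not match:
            continue
        ip, mac = match.group(1), normalize_mac(match.group(2))
        if ip in trusted and trusted[ip] != mac:
            alerts.append(("trusted-mismatch", ip, trusted[ip], mac))
        elif ip in seen and seen[ip] != mac:
            alerts.append(("binding-changed", ip, seen[ip], mac))
        seen[ip] = mac
    return alerts


# Constructed sample log: the gateway's MAC appears in two notations (no alert),
# then a different MAC claims the gateway's IP (alert).
SAMPLE_LOG = [
    "10:00:01 ARP reply 192.168.2.1 is-at 3A-7C-FF-29-01-05",
    "10:00:02 ARP reply 192.168.2.11 is-at 00:1b:44:11:3a:b7",
    "10:00:05 ARP reply 192.168.2.1 is-at 3A7CFF290105",
    "10:00:09 ARP reply 192.168.2.1 is-at 02:00:5e:aa:bb:cc",
]
TRUSTED_GATEWAY = {"192.168.2.1": "3A-7C-FF-29-01-05"}   # constructed whitelist entry

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_LOG, TRUSTED_GATEWAY):
        print(alert)
```

Normalizing before comparing matters: the same hardware address written with dashes in one log source and without separators in another must not look like a rebinding. The trusted list catches a bad binding on its first appearance; the change detector catches it for hosts you have no whitelist entry for.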

#### Layer 3: The Network Layer

The Network layer is defined in the OSI model as the place where variable-length sequences of fixed-length packets (that make up what the user or higher protocols want sent and received) are transmitted (or received). Routing and switching happens here. Logical paths between two hosts are created; data packets are routed and forwarded to destinations; packet sequencing, congestion control, and error handling occur here. 

The following figure is the IPv4 packet format.

![IPv4 Packet](images/ipv4-packet.png)

| Vulnerabilities & Assessment | Countermeasure Options | Residual Risk |
| :--- | :--- | :--- |
| * IP spoofing. <br><br> * Routing (RIP) attacks. <br><br> * ICMP attacks, including Smurf attacks, which use ICMP packets in a DDoS attack against the victim’s spoofed IP address. <br><br> * Ping flood. <br><br> * Ping of Death attack (ICMP datagram exceeding maximum size: if the system is vulnerable to this, it will crash); most modern OSs are no longer vulnerable. <br><br> * Teardrop attack (false offset information into fragmented packets: causes empty or overlapping spots during reassembly, leading to receive system/app instability). <br><br> * Packet sniffing reconnaissance. | First on your list of countermeasure strategies should be to implement IPSec if you've not already done so for your IPv4 networks. Whether you deploy IPSec in tunnel mode or transport mode (or both) should be driven by your organization's impact assessment and CIANA needs. <br><br> * Securing ICMP <br><br> * Securing routers and routing protocols with packet filtering (and the ACLs this requires) <br><br> * Provide ACL protection against address spoofing | For the most part, strong protection via router ACLs and firewall rules, combined with a solid IPSec implementation, should leave you pretty secure at this layer. You'll need to do a fair bit of ongoing traffic analysis yourself, combined with monitoring and analysis of the event logs from this layer of your defense, to make sure. <br><br> The other thing to keep in mind is that attacks at higher levels of the protocol stack could wend their way down to surreptitious manipulation, misuse, or outright disruption of your Layer $3$ systems. |
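The Teardrop and Ping of Death entries above both come down to fragment bookkeeping that a receiving stack, or an inspecting firewall, has to get right. The following Python, added here as an example and not code from the original text, audits the fragments of one IPv4 datagram using two fields from the packet format shown above: the 13-bit Fragment Offset (in 8-byte units) and the More Fragments flag. It reports overlaps, gaps, a datagram that would reassemble past the 65,535-byte maximum, and non-final fragments whose length is not a multiple of eight. The fragment sets at the bottom are constructed.

```python
MAX_DATAGRAM = 65535   # IPv4 Total Length is a 16-bit field


def audit_fragments(fragments):
    """Audit the fragments of a single IPv4 datagram (same source, destination,
    protocol and Identification).  Each fragment is a tuple
    (offset_units, more_fragments, payload_length) taken from its header, where
    offset_units is the 13-bit Fragment Offset field in units of 8 bytes.
    Returns (verdict, detail)."""
    spans = []
    for offset_units, more_fragments, payload_length in fragments:
        start = offset_units * 8
        if more_fragments and payload_length % 8:
            return ("bad-length", start)      # only the final fragment may have an odd size
        spans.append((start, start + payload_length, bool(more_fragments)))
    spans.sort()                              # reassembly order, independent of arrival order

    cursor = 0                                # next byte offset we expect to be filled
    for index, (start, end, more_fragments) in enumerate(spans):
        if end > MAX_DATAGRAM:
            return ("oversize", end)          # Ping of Death pattern: exceeds 16-bit length
        if start < cursor:
            return ("overlap", start)         # Teardrop pattern: false offset inside earlier data
        if start > cursor:
            return ("gap", cursor)            # hole in the reassembly buffer
        cursor = end
        if not more_fragments:                # this claims to be the last fragment
            if index != len(spans) - 1:
                return ("data-after-last", spans[index + 1][0])
            return ("ok", cursor)
    return ("incomplete", cursor)             # no final fragment seen yet


# Constructed fragment sets (offset_units, more_fragments, payload_length):
NORMAL = [(185, 1, 1480), (0, 1, 1480), (370, 0, 100)]   # out-of-order arrival, 3060 bytes total
TEARDROP = [(0, 1, 1480), (100, 0, 200)]                  # second fragment claims offset 800, inside the first
PING_OF_DEATH = [(0, 1, 1480), (8189, 0, 1500)]           # final fragment would end at byte 67012
MISSING = [(0, 1, 1480), (370, 0, 100)]                   # the middle fragment never arrived

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH), ("missing", MISSING)]:
        print(f"{name:14s} -> {audit_fragments(frags)}")
```

A reassembler that applies these checks before copying any fragment into its buffer has no overlapping or out-of-range write to make; the same logic run in a firewall or IDS turns each verdict other than `ok` into something to log and count per source address.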

#### Layer 4: The Transport Layer

Transport layer protocols primarily work with ports. **Ports** are software-defined labels for the connections between two processes, usually ones that are running on two different computers. The source and destination port, plus the protocol identification and other protocol-related information, are contained in that protocol’s header. Each protocol defines what fields are needed in its header and prescribes required and optional actions that receiving nodes should take based on header information, errors in transmission, or other conditions. Ports are typically bidirectional, using the same port number on sender and receiver to establish the connection.

Most of the protocols that use this layer either use TCP/IP as a stateful or connection-oriented way of transferring data or use UDP, which is stateless and not connection oriented. TCP bundles its data and headers into segments (not to be confused with segments at Layer $1$), whereas UDP and some other Transport layer protocols call their bundles datagrams:

* **Stateful** communications processes have sender and receiver go through a sequence of steps, and sender and receiver have to keep track of which step the other has initiated, successfully completed, or asked for a retry on. Each of those steps is often called the state of the process at the sender or receiver. Stateful processes require an unambiguous identification of sender and recipient, and some kind of protocols for error detection and requests for retransmission, which a connection provides.


* **Stateless** communication processes do not require sender and receiver to know where the other is in the process. This means that the sender does not need a connection, does not need to service retransmission requests, and may not even need to validate who the listeners are. Broadcast traffic is typically both stateless and connectionless.

| Vulnerabilities & Assessment | Countermeasure Options | Residual Risk |
| :--- | :--- | :--- |
| * SYN flood (can defend with SYN cookies) <br><br> * Injection attacks (guessing/forcing reset of sequence numbers to jump your packet in ahead of a legitimate one); also called TCP hijacking <br><br> * Opt-Ack attack (attacker convinces target to send quickly, in essence a self-inflicted DoS) <br><br> * TLS attacks (tend to be attacks on compression, cryptography, etc.) <br><br> * Bypass of proper certificate use for mobile apps <br><br> * TCP port scans, host sweeps, or other network mapping as part of reconnaissance <br><br> * OS and application fingerprinting, as part of reconnaissance | Most of your countermeasure options at Layer $4$ involve better identity management and access control, along with improved traffic inspection and filtering. <br><br> * TCP intercept and filtering (routers, firewalls) <br><br> * DoS prevention services (such as Cloudflare, Prolexic, and many others) <br><br> * Blacklisting of attackers' IP addresses <br><br> * Whitelisting of known, trusted IP addresses <br><br> * Better use of SSL/TLS and SSH <br><br> * Fingerprint scrubbing techniques | One vulnerability that may remain, after taking all of the countermeasures that you can, is that your traffic itself is still open to being monitored and subjected to traffic analysis. **Traffic analysis** looks for patterns in sender and recipient address information, protocols or packet types, volumes and timing, and just plain coincidences. Even if your data payloads are well encrypted, someone willing to put the time and effort into capturing and analyzing your traffic may find something worthwhile. |
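The table notes that a SYN flood can be defended with SYN cookies. The Python below, an added example rather than code from the original text, shows the mechanism behind that defense and ties it to the stateful/stateless distinction above: the listening server encodes the connection's address and port 4-tuple, the client's initial sequence number, a coarse time counter and an MSS index into the sequence number it sends in its SYN/ACK, keeps no per-connection state while the handshake is pending, and only creates connection state when an ACK comes back that validates. The secret key, addresses, ports and timestamps are constructed, and the 5-bit counter / 3-bit MSS / 24-bit hash layout is an illustrative split chosen for this example, not a specific kernel's.

```python
import hashlib
import hmac
import struct

COUNTER_PERIOD = 64                  # seconds per time-counter tick
MSS_TABLE = [536, 1300, 1440, 1460]  # MSS values the 3-bit index can encode
SECRET = b"constructed-secret-key"   # demo value only; a real server rotates a random key


def _pack_tuple(src_ip, dst_ip, src_port, dst_port):
    return struct.pack("!4s4sHH",
                       bytes(int(o) for o in src_ip.split(".")),
                       bytes(int(o) for o in dst_ip.split(".")),
                       src_port, dst_port)


def _hash24(secret, src_ip, dst_ip, src_port, dst_port, client_isn, counter):
    """24-bit keyed digest over everything the cookie must commit to."""
    msg = _pack_tuple(src_ip, dst_ip, src_port, dst_port) + struct.pack("!II", client_isn, counter)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, src_ip, dst_ip, src_port, dst_port, client_isn, mss, now):
    """Server ISN for the SYN/ACK, laid out as [5-bit counter][3-bit MSS index][24-bit hash].
    Nothing about this SYN is stored; the cookie itself carries what is needed later."""
    counter = int(now // COUNTER_PERIOD)
    usable = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_index = usable[-1] if usable else 0      # largest table value not above the client's MSS
    digest = _hash24(secret, src_ip, dst_ip, src_port, dst_port, client_isn, counter)
    return ((counter & 0x1F) << 27) | (mss_index << 24) | digest


def check_syn_cookie(secret, src_ip, dst_ip, src_port, dst_port, ack_number, client_seq,
                     now, max_age_ticks=1):
    """Validate the ACK that completes the handshake.  Returns the MSS to use for the
    new connection, or None if the cookie is forged, damaged or too old."""
    cookie = (ack_number - 1) & 0xFFFFFFFF        # client acknowledges our ISN + 1
    client_isn = (client_seq - 1) & 0xFFFFFFFF    # client's first data byte is its ISN + 1
    counter_bits = cookie >> 27
    mss_index = (cookie >> 24) & 0x07
    if mss_index >= len(MSS_TABLE):
        return None
    current = int(now // COUNTER_PERIOD)
    for age in range(max_age_ticks + 1):          # accept the current tick and recent ones only
        counter = current - age
        if (counter & 0x1F) != counter_bits:
            continue
        if (cookie & 0xFFFFFF) == _hash24(secret, src_ip, dst_ip, src_port, dst_port,
                                          client_isn, counter):
            return MSS_TABLE[mss_index]
    return None


def simulate_handshake(now, client_isn=0x1000, mss=1460, ack_delay=30, forged=False):
    """Play both sides: client SYN -> server SYN/ACK (cookie) -> client ACK -> server check.
    With forged=True the final ACK carries a guessed acknowledgment number instead."""
    client, server = "203.0.113.7", "198.51.100.10"   # constructed documentation-range addresses
    sport, dport = 51000, 443
    cookie = make_syn_cookie(SECRET, client, server, sport, dport, client_isn, mss, now)
    ack_number = 0x12345678 if forged else cookie + 1
    client_seq = client_isn + 1
    return check_syn_cookie(SECRET, client, server, sport, dport, ack_number, client_seq,
                            now + ack_delay)


if __name__ == "__main__":
    print("negotiated MSS:", simulate_handshake(1_700_000_000))
```

Because the server allocates nothing until `check_syn_cookie` succeeds, a flood of SYNs from spoofed sources costs it one HMAC per SYN and no memory, which is the whole point of the defense; the time counter bounds how long a captured SYN/ACK stays replayable.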

#### Layer 5: The Session Layer

The Session layer is where the overall dialogue or flow of handshakes is controlled in order to support a logically related series of tasks that require data exchange. Sessions typically require initiation, ongoing operation, adjournment, and termination; many require checkpointing to allow for graceful fallback and recovery to earlier points within the session.

Think of logging onto your bank's webpages to do some online banking; from the moment you start to log on, you're initiating a session; a session can contain many transactions as steps you seek to perform; finally, you log off (or time out or disconnect) and end the session. Sessions may also need **full-duplex** (simultaneous activity in both directions), **half-duplex** (activity from one party to the other, a formal turnaround, and then activity in the other direction), or **simplex** (activity in one direction only) operation. Making a bank deposit requires half-duplex operation: the bank has to completely process the deposit steps, then update your account balance, before it can turn the dialogue around and update the display of account information on your endpoint.

| Vulnerabilities & Assessment | Countermeasure Options | Residual Risk |
| :--- | :--- | :--- |
| * Session hijacking. <br><br> * Man-in-the-middle (MITM). <br><br> * ARP poisoning. <br><br> * DNS poisoning. <br><br> * Local system hosts file corruption or poisoning. <br><br> * Blind hijacking (attacker injects commands into the communications stream but cannot see results, such as error messages or system response directly). <br><br> * Man-in-the-browser attacks, which are similar to MITM but via a Trojan horse that manipulates calls to/from stack and browser. Browser helper objects, extensions, API hooking, and Ajax worms can inadvertently facilitate these types of attacks. <br><br> * Session sniffing to gain a legitimate session ID and then spoof it. <br><br> * SSH downgrade attack. | As with the Transport layer, most of the countermeasures available to you at the Session layer require some substantial sleuthing around in your system. Problems with inconsistent applications or systems behavior, such as not being able to consistently connect to websites or hosts you frequently use, might be caused by errors in your local hosts file (containing your ARP and DNS cache). Finding and fixing those errors is one thing; investigating whether they were the result of user error, applications or systems errors, or deliberate enemy action is quite another set of investigative tasks to take on! <br><br> Also, remember that your threat modeling should have divided the world into those networks you can trust, and those that you cannot. Many of your DoS prevention strategies therefore need to focus on that outside, hostile world — or, rather, on its (hopefully) limited connection points with your trusted networks. <br><br> * Replace weak password authentication protocols such as PAP, CHAP, and NT LAN Manager (NTLM), which are often enabled as a default to support backward compatibility, with much stronger authentication protocols. <br><br> * Migrate to strong systems for identity management and access control. <br><br> * Use PKI as part of your identity management, access control, and authentication systems. <br><br> * Verify correct settings of DNS servers on your network and disable known attack methods, such as allowing recursive DNS queries from external hosts. <br><br> * Use tools such as SNORT at the Session layer as part of an active monitoring and alarm system. <br><br> * Implementation and use of more robust IDSs or IPSs. | As you lock down your Session layer defenses, you may find situations where some sessions and the systems that support them need a further layer of defense (or just a greater level of assurance that you've done all that can be done). This may dictate setting up proxies as an additional boundary layer between your internal systems and potential attackers. |

#### Layer 6: The Presentation Layer

The Presentation layer supports the mapping of data in terms and formats used by applications into terms and formats needed by the lower-level protocols in the stack. It handles protocol-level encryption and decryption of data (protecting data in motion), translates data from representational formats that applications use into formats better suited to protocol use, and can interpret semantical or metadata about applications data into terms and formats that can be sent via the Internet.

| Vulnerabilities & Assessment | Countermeasure Options | Residual Risk |
| :--- | :--- | :--- |
| Vulnerabilities at this layer can be grouped broadly into two big categories: attacks on encryption or authentication, and attacks on the apps and control logic that support Presentation layer activities. <br><br> * Attacks on encryption used, or on weak protection schemes <br><br> * Attacks on Kerberos or other access control at this layer <br><br> * Attacks on known NetBIOS and SMB vulnerabilities | Building on the countermeasures you've taken at Layer $5$, you'll need to look at the specifics of how you're using protocols and apps at this layer. Consider replacing insecure apps, such as FTP or email, with more secure versions. | Much of what you can't address at Layer $6$ or below will flow naturally up to Layer $7$, so let's just press on! |

#### Layer 7: The Application Layer

Applications such as Web browsers, VOIP or video streaming clients, email clients, and games use their internal logic to translate user actions (data input field by field, or selection and action commands click by click) into application-specific sets of data to transfer via the rest of the protocol stack to a designated recipient address. Multiple protocols, such as FTP and HTTP, are in use at the Application layer, yet the logic that must determine what data to pass from user to distant endpoint and back to user all resides in the application programs themselves. None of the protocols, by themselves, make those decisions for us.

| Vulnerabilities & Assessment | Countermeasure Options | Residual Risk |
| :--- | :--- | :--- |
| Many of these attacks are often part of a protracted series of intrusions taken by more sophisticated attackers. Such **advanced persistent threats** may spend months, even a year or more, in their efforts to crack open and exploit the systems of a target business or organization in ways that will meet the attacker's needs. As a result, constant vigilance may be your best strategy. <br><br> * SQL or other injection <br><br> * Cross-site scripting (XSS) <br><br> * Remote code execution (RCE) <br><br> * Format string vulnerabilities <br><br> * Username enumeration <br><br> * HTTP floods <br><br> * HTTP server resource pool exhaustion (Slowloris, for example) <br><br> * Low-and-slow attacks <br><br> * Get/post floods <br><br> * DoS/DDoS attacks on known server vulnerabilities <br><br> * NTP amplification <br><br> * App-layer DoS/DDoS <br><br> * Device, app, or user hijacking. | It's difficult to avoid falling into a self-imposed logic trap and see applications security separate and distinct from network security. These two parts of your organization's information security team have to work closely together to be able to spot, and possibly control, vulnerabilities and attacks. <br><br> * Monitor website visitor behavior. <br><br> * Block known bad bots. <br><br> * Challenge suspicious/unrecognized entities with a cross-platform JavaScript tester such as jstest (at http://jstest.jcoglan.com); for cookies, use privacy-verifying cookie test Web tools, such as https://www.cookiebot.com/en/gdpr-cookies. Add challenges such as CAPTCHAs to determine if the entity is a human or a robot trying to be one. <br><br> * Use two-factor/multifactor authentication. <br><br> * Use Application layer IDS and IPS. <br><br> * Provide more effective user training and education focused on attentiveness to unusual systems or applications behavior. <br><br> * Establish strong data quality programs and procedures. | Most of what you've dealt with in Layers $1$ through $7$ depends on having trustworthy users, administrators, and software and systems suppliers and maintainers. Trusting, helpful people, willing to go the extra mile to solve a problem, are perhaps more important to a modern organization than their network infrastructure and IT systems are. But these same people are prone to manipulation by attackers. |

#### Cross-Layer Protocols & Services

Both TCP/IP and the OSI reference model are **models**: they define and describe the functions of a network stack with varying degrees of specificity and generality. There are some cross-layer exceptions:

* **Dynamic Host Configuration Protocol (DHCP)** assigns IPv4 (and later IPv6) addresses to new devices as they join the network. This set of handshakes allows DHCP to accept or reject new devices based on a variety of rules and conditions that administrators can use to restrict a network. DHCP servers allow subscriber devices to lease an IP address, for a specific period of time (or indefinitely); as the expiration time reaches its half-life, the subscribing device requests a renewal.


* **Address Resolution Protocol (ARP)** is a discovery protocol, by which a network device determines the corresponding IP address for a given MAC address by (quite literally) asking other network devices for it. On each device, ARP maintains in its cache a list of IP address and MAC address pairs. Failing to find the address there, ARP seeks to find either the DHCP that assigned that IP address, or some other network device whose ARP cache knows the desired address.


* **Domain Name Service (DNS)** works at Layer $4$ and Layer $7$ by attempting to resolve a domain name into its IP address. The search starts with the requesting device's local DNS cache, then seeks "up the chain" to find either a device that knows of the requested domain, or a domain name server that has that information. Layer $3$ has no connection to DNS.


* **Network management functions** have to cut across every layer of the protocol stacks, providing configuration, inspection, and control functions. These functions provide the services that allow user programs like `ipconfig` to instantiate, initiate, terminate, or monitor communications devices and activities. Simple Network Management Protocol (SNMP) is quite prevalent in the TCP/IP community; Common Management Information Protocol (CMIP) and its associated Common Management Information Service (CMIS) are more recognized in OSI communities.


* **Cross MAC and PHY (or physical) scheduling** is vital when dealing with wireless networks. Since timing of wireless data exchanges can vary considerably (mobile devices are often moving), being able to schedule packets and frames can help make such networks achieve better throughput and be more energy-efficient.


* **Network Address Translation (NAT)**, along with its variants Port Address Translation (PAT), IP masquerading, NAT overload, and many-to-one NAT, provides ways of allowing a routing function to edit a packet to change (translate) one set of IP addresses for another. Originally, this was thought to make it easier to move a device from one part of your network to another without having to change its IP address. As we became more aware of the IPv4 address space being exhausted, NAT became an incredibly popular workaround, a way to sidestep running out of IP addresses. Although it lives at Layer $3$, NAT won't work right if it cannot reach into the other layers of the stack (and the traffic) as it needs to.

An IPv4 address is a $32$-bit number, which is defined as four $8$-bit portions, or octets. These addresses in human-readable form look like $192.168.2.11$, with the four octets expressed as their base $10$ values (or as two hexadecimal digits), separated by dots. In the packet headers, each IP address (for sender and recipient) occupies one $32$-bit field. The address is defined to consist of two parts: the network address and the address of a node on that network.

Large organizations (such as Google) might need tens of thousands of node addresses on their network; small organizations might only need a few. This has given rise to address classes: Class A uses the first octet for the organization (the network number) and the other three for the node. Class B uses two octets each for organization and node. Class C uses three octets for organization and the fourth for the node; Classes D and E are reserved for special purposes.

| Class | Leading Bits | Size of Network Number Field | Size of Node Number Field | Number of Networks | Number of Nodes per Network | Start Address | End Address |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| A | 0 | 8 | 24 | 128 | 16,777,216 | 0.0.0.0 | 127.255.255.255 |
| B | 10 | 16 | 16 | 16,384 | 65,536 | 128.0.0.0 | 191.255.255.255 |
| C | 110 | 24 | 8 | 2,097,152 | 256 | 192.0.0.0 | 223.255.255.255 |

$127.0.0.1$ is commonly known as the loopback address, which apps can use for testing the local IP protocol stack. $169.254.0.0$ is called the link local address, which is used to auto-assign an IP address when there is no DHCP server that responds.

The node address of $255$ is reserved for broadcast use. **Broadcast messages** go to all nodes on the specified network; thus, sending a message to $192.168.2.255$ sends it to all nodes on the $192.168.2$ network, and sending it to $192.168.255.255$ sends it to a lot more nodes. Broadcast messages are blocked by routers from traveling out onto their WAN side. By contrast, **multicasting** can provide ways to allow a router to send messages to other nodes beyond a router, using the address range of $224.255.255.255$ to $239.255.255.255$. **Unicasting** is what happens when we do not use $255$ as part of the node address field - the message goes only to the specific address.

Subnetting allows an organization's network designers to break a network into segments by logically grouping addresses: the first four devices in one group, the next four in another, and so on. This effectively breaks the node portion of the address into a subnet portion and a node-on-the-subnet portion. 

A subnet mask is a $32$-bit number in four-octet IP address format, with $0$s in the rightmost bit positions to mark the bits used to assign node numbers: $255.255.255.240$ shows that the last $4$ bits ($240 = 11110000$) are available for node numbers, giving $16$ addresses ($2^{4}$). But since all networks reserve node number $0$ and "all bits on" for special purposes, that leaves only $14$ node addresses available on this subnet.

**Classless Inter-Domain Routing (CIDR)** simplifies the subnetting process and the way we write it: that same address would be $255.255.255.240/28$, showing that $28$ bits of the total address specify the network address.

| Class | Number of Network Bits | Number of Node Bits | Subnet Mask | CIDR Notation |
| :---: | :---: | :---: | :---: | :---: | 
| A | 9 | 23 | 255.128.0.0 | /9 |
| B | 17 | 15 | 255.255.128.0 | /17 |
| C | 28 | 4 | 255.255.255.240 | /28 |
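Here is a worked example of the classful and CIDR arithmetic behind the two tables above (added here; not code from the original notes). It parses dotted-decimal addresses into the 32-bit header value, classifies by leading bits, converts between masks and prefix lengths (rejecting non-contiguous masks), and computes network, broadcast, and usable node counts for an address written in CIDR form.

```python
"""Classful and CIDR arithmetic for the two tables above (added example, not the notes' own code)."""


def parse_ipv4(text: str) -> int:
    """Dotted decimal -> the 32-bit integer that sits in the packet header."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {octet}")
        value = (value << 8) | n
    return value


def format_ipv4(value: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful_class(addr: int) -> str:
    """Class from the leading bits of the first octet (0, 10, 110, 1110, else E)."""
    first = addr >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


def mask_from_prefix(prefix: int) -> int:
    """/N -> a mask with N leading 1 bits; /0 is all zeros, /32 all ones."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_from_mask(mask: int) -> int:
    """Count the leading 1s; a 0 to the left of a 1 is not a valid mask."""
    ones = bin(mask).count("1")
    if mask != mask_from_prefix(ones):
        raise ValueError(f"non-contiguous mask: {format_ipv4(mask)}")
    return ones


def subnet_summary(cidr: str) -> dict:
    """Network, broadcast and usable node count for an address in CIDR form."""
    addr_text, prefix_text = cidr.split("/")
    addr = parse_ipv4(addr_text)
    prefix = int(prefix_text)
    mask = mask_from_prefix(prefix)
    network = addr & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    node_bits = 32 - prefix
    # Node number 0 (the network itself) and all-ones (broadcast) are reserved,
    # so a /28 with 4 node bits offers 2**4 - 2 = 14 assignable addresses.
    usable = 2 ** node_bits - 2 if node_bits >= 2 else 0
    return {
        "class": classful_class(addr),
        "mask": format_ipv4(mask),
        "network": format_ipv4(network),
        "broadcast": format_ipv4(broadcast),
        "usable_nodes": usable,
    }
```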

Users of IPv4 encountered a growing number of problems: limited address space, which required the somewhat cumbersome use of Network Address Translation (NAT) as a workaround; the lack of built-in security capabilities; and the lack of quality of service features.

IPv6 resolves these issues, but it is essentially a completely different network. Its packet structure is not compatible with IPv4's - you need to provide a gateway-like function to translate IPv4 packet streams into IPv6 ones, and vice versa. Using both systems requires one of several alternative approaches: tunneling, "dual-stack" simultaneous use, address and packet translation, or Application layer gateways. Many large systems operators run both in parallel, employ tunneling approaches (packaging one protocol inside the other, packet by packet), or look to Application layer gateways as part of their transition strategy.

![IPv6 vs IPv4 Packet](images/ipv6-vs-ipv4-packet.png)

IPv4's use of a $32$-bit address field meant that you had to assign bits from the address itself to designate a node on a subnet. IPv6 uses a much larger address field of $128$ bits, which for unicast packets is broken into a $48$-bit host or network field, $16$ bits for subnet number, and $64$ bits for the node address on that network segment. No more borrowing bits.

### Network Topographies (e.g., Ring, Star, Bus, Mesh, Tree)
Compare and contrast the basic network topologies. 

A network **topology** is the shape or pattern of the way nodes on the network are connected with each other. The basic topologies include:

* **Point-to-point** is the simplest topology: two nodes, with one link between them. This is sometimes called **peer-to-peer** if the two nodes have relatively the same set of privileges and responsibilities with respect to each other (that is, neither node is in control of the other).


* **Bus** topologies or networks connect multiple nodes together, one after the other, in series. The bus provides the infrastructure for sending signals to all of the nodes, and for sending addressing information (sometimes called device select) that allows each node to know when to listen to the data and when to ignore it.


* **Ring** networks are a series of point-to-point-to-point connections, with the last node on the chain looped back to connect to the first. Rings are designed to provide either a unidirectional or bidirectional flow of control and data.


* **Star** networks have one central node that is connected to multiple other nodes via point-to-point connections. Unlike a point-to-point network, the node in the center has to provide (at least some) services to control and administer the network. The central node is therefore a server (since it provides services to others on the star network), and the other nodes are all clients of that server.


* **Mesh** networks in general provide multiple point-to-point connections between some or all of the nodes in the mesh. Mesh designs can be uniform (all nodes have point-to-point connections to all other nodes), or contain subsets of nodes with different degrees of interconnection. As a result, mesh designs can have a variety of client-server, server-to-server, or peer-to-peer relationships built into them. 

### Network Relationships (e.g., Peer to Peer, Client Server)
Explain the different network roles of peer, client, and server. Each node on a network interacts with other nodes on the network, and in doing so they provide services to each other. All such interactions are governed by or facilitated by the use of handshake protocols. If two interconnected nodes have essentially equal roles in those handshakes—one node does not control the other or have more control over the conversation—then each node is a peer, or equal, of the other. Simple peer-to-peer service provision models are used for file, printer, or other device sharing, and they are quite common. When the service being provided requires more control and management, or the enforcement of greater security measures (such as identity authentication or access control), then the relationship is more appropriately a client-server relationship. Here, the requesting client node has to make a request to the server node (the one providing the requested services); the server has to recognize the request, permit it to proceed, perform the service, and then manage the termination of the service request. Note that even in simple file or print sharing, the sharing may be peer-to-peer, but the actual use of the shared resource almost always involves a service running on the node that possesses that file or printer, which carries out the sharing of the file or the printing of the requesting node’s data.

### Transmission Media Types (e.g., Fiber, Wired, Wireless)

Let's look at wireless security protocols:

* **Wired Equivalency Protocol (WEP)** was the first attempt at securing Wi-Fi. As the name suggests, it was a compromise intended to make some security easier to achieve, but it proved to have far too many security flaws and was easily circumvented by attackers. Its encryption was vulnerable to passive attacks, such as traffic analysis. Unauthorized mobile stations could easily use a known plaintext attack or other means to trick the WEP access point, leading to decrypting the traffic. Perhaps more seriously, it was demonstrated that about a day's worth of intercepted traffic could build a dictionary (or rainbow table) with which real-time automated decryption could be done by the attacker. Avoid its use altogether if you can.


* **Wi-Fi Protected Access (WPA)** was an interim replacement while the IEEE 802.11i standard was in development. It used preshared encryption keys (PSKs, sometimes called "WPA Personal") while providing Temporal Key Integrity Protocol (TKIP, pronounced "tee-kip") for encryption. WPA Enterprise uses more robust encryption, an authentication server, or PKI certificates in the process.


* **Wi-Fi Protected Access Version 2 (WPA2)** took this the next step when IEEE 802.11i was released in 2004. Among other improvements, WPA2 brings Advanced Encryption Standard (AES) algorithms into use.

### Commonly Used Ports & Protocols

Using software-defined port numbers (from $0$ to $65535$) allows protocol designers to add additional control over routing service requests: the IP packets are routed by the network between sender and recipient, but adding a port number to a Transport layer or higher payload header ensures that the receiving system knows which set of services to connect (route) that payload to. The definition of ports is mentioned in the transport layer section.

Common TCP/IP ports and protocols:

| Protocol | TCP/IP | Port Number | Description |
| :---: | :---: | :---: | :---: |

## Understand Network Attacks & Countermeasures (e.g., DDoS, Man-in-the-Middle, DNS Poisoning)
Describe the man-in-the-middle attack, its impacts, and applicable countermeasures. In general terms, the man-in-the-middle (MITM) attack can happen when a third party can place themselves between the two nodes and either insert their own false traffic or modify traffic being exchanged between the two nodes, in order to fool one or both nodes into mistaking the third party for the other (legitimate) node. This can lead to falsified data entering company communications and files, the unauthorized disclosure of confidential information, or disruption of services and business processes. Protection at every layer of the protocol stack can reduce or eliminate the exposure to MITM attacks. Strong Wi-Fi encryption, well-configured and enforced identity management and access control, and use of secure protocols as much as possible are all important parts of a countermeasure strategy.

Describe cache poisoning and applicable countermeasures. Every node in the network maintains a local memory or cache of address information (MAC addresses, IP addresses, URLs, etc.) to speed up communications—it takes far less time and effort to look it up in a local cache than it does to re-ask other nodes on the network to re-resolve an address, for example. Cache poisoning attacks attempt to replace legitimate information in a device cache with information that could redirect traffic to an attacker, or fool other elements of the system into mistaking an attacker for an otherwise legitimate node. This sets the system up for a man-in-the-middle attack, for example. Two favorite targets of attackers are ARP and DNS caches. A wide variety of countermeasure techniques and software tools are available; in essence, they boil down to protecting and controlling the server and using whitelisting and blacklisting techniques, but these tend not to be well suited for networks undergoing rapid growth or change.
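The ARP and DNS cache-poisoning indicators described above, turned into a small monitor as an added example (not tooling from the original notes): it flags unsolicited answers, contradictions of administrator-pinned bindings, changed bindings, and one MAC answering for several IP addresses, which is the setup for the man-in-the-middle attack discussed earlier. The gateway MAC, host names, and addresses in the demo are constructed placeholders.

```python
"""Cache-poisoning indicators over observed ARP and DNS answers. Added example for
the paragraph above, not the notes' own tooling; every record below is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Answer:
    kind: str    # "arp": key is an IPv4 address, value a MAC; "dns": key a name, value an IPv4
    key: str
    value: str
    source: str  # host or server that supplied the answer


@dataclass
class PoisonMonitor:
    # Administrator-pinned bindings (a small static allowlist). Keep it to entries that
    # rarely change, such as the default gateway; the text notes allowlists scale poorly.
    pinned: dict
    learned: dict = field(default_factory=dict)
    pending: set = field(default_factory=set)
    ips_by_mac: dict = field(default_factory=dict)

    def request(self, kind: str, key: str) -> None:
        """Note that this host asked the question, so one answer is now expected."""
        self.pending.add((kind, key))

    def observe(self, ans: Answer) -> list:
        """Return alert strings for one answer; an empty list means nothing looked wrong."""
        alerts = []
        k, value = (ans.kind, ans.key), ans.value.lower()
        # 1. Unsolicited answer: a cache entry offered with no matching question is how
        #    gratuitous-ARP and spoofed-reply poisoning plant themselves.
        if k in self.pending:
            self.pending.discard(k)
        else:
            alerts.append(f"{ans.kind}: unsolicited answer for {ans.key} from {ans.source}")
        # 2. Contradiction of a pinned binding.
        expected = self.pinned.get(k)
        if expected is not None and value != expected.lower():
            alerts.append(f"{ans.kind}: pinned {ans.key}={expected} contradicted by {value} from {ans.source}")
        # 3. Flip-flop of a learned binding. DHCP churn and hardware swaps also cause
        #    this, so treat it as a triage indicator rather than proof of attack.
        previous = self.learned.get(k)
        if previous is not None and previous != value:
            alerts.append(f"{ans.kind}: {ans.key} changed {previous} -> {value} (from {ans.source})")
        self.learned[k] = value
        # 4. ARP only: one MAC answering for several IPs ("I am the gateway and also the
        #    victim") is the classic setup for a man-in-the-middle.
        if ans.kind == "arp":
            ips = self.ips_by_mac.setdefault(value, set())
            ips.add(ans.key)
            if len(ips) > 1:
                alerts.append(f"arp: MAC {value} answers for {len(ips)} addresses: {sorted(ips)}")
        return alerts


def run_demo() -> list:
    """Replay a constructed sequence: legitimate resolutions, then a poisoning attempt."""
    mon = PoisonMonitor(pinned={("arp", "192.168.2.1"): "00:11:22:33:44:01"})
    mon.request("arp", "192.168.2.1")
    alerts = mon.observe(Answer("arp", "192.168.2.1", "00:11:22:33:44:01", "192.168.2.1"))
    mon.request("dns", "intranet.example")
    alerts += mon.observe(Answer("dns", "intranet.example", "192.168.2.20", "192.168.2.53"))
    # Rogue host 192.168.2.99 claims the gateway's IP and the file server's IP, unasked,
    # then hands out a DNS answer pointing the intranet name at an outside address.
    alerts += mon.observe(Answer("arp", "192.168.2.1", "00:11:22:33:44:99", "192.168.2.99"))
    alerts += mon.observe(Answer("arp", "192.168.2.20", "00:11:22:33:44:99", "192.168.2.99"))
    alerts += mon.observe(Answer("dns", "intranet.example", "203.0.113.5", "192.168.2.99"))
    return alerts
```

In a real deployment the `Answer` records would come from a packet capture or the resolver's logs; the alert strings are what you would forward to the SIEM.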

## Manage Network Access Controls

### Network Access Control & Monitoring (e.g., Remediation, Quarantine, Admission)

### Network Access Control Standards & Protocols (e.g., IEEE 802.1X, Radius, TACACS)

### Remote Access Operation & Configuration (e.g., Thin Client, SSL VPN, IPSec VPN, Telework)

## Manage Network Security

### Logical & Physical Placement of Network Devices (e.g., Inline, Passive)
Explain the need for IPSec, and briefly describe its key components. The original design of the Internet assumed that nodes connecting to the net were trustworthy; any security provisions had to be provided by user-level processes or procedures. For the 1960s, this was reasonable; by the 1980s, this was no longer acceptable. Multiple approaches, such as access control and encryption techniques, were being developed, but these did not lead to a comprehensive Internet security solution. By the early 1990s, IPSec was created to provide an open and extensible architecture that consists of a number of protocols and features used to provide greater levels of message confidentiality, integrity, authentication, and nonrepudiation protection. It does this first by creating security associations, which are sets of protocols, services, and data that provide encryption key management and distribution services. Then, using the IP Security Authentication Header (AH), it establishes secure, connectionless integrity. The Encapsulating Security Payloads (ESP) protocol uses these to provide confidentiality, connectionless integrity, and anti-replay protection, and authenticates the originator of the data (thus providing a degree of nonrepudiation).

Explain how physical placement of security devices affects overall network information security. Physical device placement of security components determines the way network traffic at Layer 1 can be scanned, filtered, blocked, modified, or allowed to pass unchanged. It also directly affects what traffic can be monitored by the security system as a whole. For wired and fiber connections, devices can be placed inline—that is, on the connection from a secured to a non-secured environment. All traffic therefore flows through the security device. Placement of the device in a central segment of the network (or anywhere else) not only limits its direct ability to inspect and control traffic as it attempts to flow through, but may also limit how well it can handle or inspect traffic for various subnets in your overall LAN. This is similar to host-based versus LAN-based antimalware protection. Actual placement decisions need to be made based on security requirements, risk tolerance, affordability, and operability considerations.

### Segmentation (e.g., Physical/Logical, Data/Control Plane, VLAN, ACLs)

* The **data plane** is the set of functions, processes, and protocols that move or forward frames and packets from one interface to another.


* The **control plane** provides all of the processes, functions, and protocols for switching, routing, address resolution, and related activities.


* The **management plane** contains all of the processes, functions, and protocols that administrators use to manage, configure, and control the network.

All networks exist to move data from node to node; this requires a control function to handle routing, error recovery, and so forth, as well as an overall network management function that monitors the status, state, and health of network devices and the system as a whole. Management functions can direct devices in the network to change their operational characteristics, isolate them from some or all of the network, or take other maintenance actions on them. These three sets of functions can easily be visualized as three map overlays, which you can place over the diagram of the network devices themselves. 

Each plane (or overlay) provides a way to focus design, operation, troubleshooting, incident detection, containment, and recovery in ways best suited to the task at hand. This is not just a logical set of ideas - physical devices on our networks, and the software and firmware that run them, are built with this concept in mind.

### Secure Device Management

**NOCs (network operations centers)** perform valuable roles in maintaining the day-to-day operation of the network infrastructure; in conjunction with the IT support help desk, they investigate problems that users report, and respond to service requests to install new systems, configure network access for new users, or ensure updates to servers and server-based applications get done correctly. You might say that the NOC focuses on getting the network to work, keeping it working, and modifying and maintaining it to meet changing organizational needs.

The **security operations center (SOC)** has an entirely different focus: deterring, preventing, detecting, and responding to network security events. Its key characteristics and duties include:

* Real-time command and control.
* Management tools.
* Recognize, characterize, and contain.
* Integrated.
* Keep management informed.
* Notify and request support from local emergency responders.

## Operate & Configure Network-Based Security Devices
Describe the role that network traffic shaping and load balancing can play in information security. Traffic shaping and load balancing systems attempt to look at network traffic (and the connections it wants to make to systems resources) and avoid overloading one set of links or resources while leaving others unused or under-utilized. They may use static parameters, preset by systems administrators, or dynamically compute the parameters they need to accomplish their tasks. Traffic shaping is primarily a bandwidth management approach, allocating more bandwidth for higher-priority traffic. Load balancing tries to spread workloads across multiple servers. The trending and current monitoring information these systems collect could be useful in detecting anomalous system usage, such as a distributed denial-of-service attack or a data exfiltration taking place. It may also provide a statistical basis for what is “normal” and what is “abnormal” loading on the system, as another indication of a potential security event of interest in the making. Such systems can generate alarms for out-of-limits conditions, which may also be useful indicators of something going wrong.
### Firewalls & Proxies (e.g., Filtering Methods)

### Network Intrusion Detection/Prevention Systems

### Routers & Switches

### Traffic-Shaping Devices (e.g., WAN Optimization, Load Balancing)

## Operate & Configure Wireless Technologies (e.g., Bluetooth, NFC, WiFi)
Describe the key security challenges with wireless systems and control strategies to use to limit their risk. Wireless data communication currently comes in three basic sets of capabilities: Wi-Fi, Bluetooth, and near-field communication (NFC). All share some common vulnerabilities. First, wireless devices of any type must make a connection to some type of access point, and then be granted access to your network, to affect your own system’s security. Second, they can be vulnerable to spoofing attacks in which a hostile wireless device can act as a man-in-the-middle to create a fake access point or directly attack other users’ wireless devices. Third, the wireless device itself is very vulnerable to loss or theft, allowing attackers to exploit everything stored on the device. Mobile device management (MDM) solutions can help in many of these regards, as can effective use of identity management and access control to restrict access to authorized users and devices only.
### Transmission Security

### Wireless Security Devices (e.g., WIPS, WIDS)