Jim’s CISSP Notes

4: Communication & Network Security

OSI Model

Layer 1: Physical

  • simple: physical connectivity, electrical signals flowing
  • all hardware devices have a physical layer element

Devices on Layer 1

  • hubs are layer 1

Threats to Layer 1

  • theft
  • unauthorized access
  • vandalism
  • sniffing
  • interference
  • data emanation

Layer 2: Data Link

  • only layer with sublayers (LLC and MAC)
  • error control (frame check sequence) between directly connected nodes

MAC (media access control)

  • physical addressing

  • MAC address

    • physical address of the card
      • burned into the card at manufacture, so it normally doesn’t change
        • but it can be spoofed in software, so it isn’t a security control on its own
      • good for local addressing, not global addressing
  • ARP (address resolution protocol)

    • maps an IP address to a MAC address
    • ARP cache poisoning
      • attacker sends forged ARP replies so the victim’s cache maps an IP address (often the gateway’s) to the attacker’s MAC; traffic for that IP then flows through the attacker (on-path / “man-in-the-middle”)
  • RARP (reverse ARP)

    • predecessor to DHCP
  • CSMA/CD (carrier sense multiple access with collision detection)

    • IEEE standard
    • 802.3 Ethernet
  • CSMA/CA (carrier sense multiple access with collision avoidance)

    • IEEE standard
    • 802.11 Wireless
  • token passing

    • 24 bit control frame passed around the network to determine which system can transmit data
  • sniffer

    • a network card set to promiscuous mode. takes in all data it receives
  • Ethernet
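
The ARP cache poisoning described above, as an added example that is not part of the original notes: a Python model of a host’s ARP cache that accepts replies the way a naive host does, plus the binding-change check that tools such as arpwatch use to detect poisoning. The IP and MAC addresses and the reply sequence are constructed for the example.

```python
# Added example, not from the original notes: a host's ARP cache that
# records IP -> MAC bindings from ARP replies and flags the binding change
# that cache poisoning produces. All addresses and replies are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


@dataclass
class ArpCache:
    table: dict = field(default_factory=dict)   # ip -> mac
    alerts: list = field(default_factory=list)  # (ip, old_mac, new_mac)

    def learn(self, reply: ArpReply) -> None:
        """Update the cache the way a naive host does: the last reply wins,
        whether or not anyone asked for it (unsolicited replies are accepted
        too, which is what makes poisoning work)."""
        previous = self.table.get(reply.sender_ip)
        if previous is not None and previous != reply.sender_mac:
            # An existing IP now claims a different MAC: this is what
            # poisoning looks like from the victim's side (the check that
            # tools such as arpwatch perform).
            self.alerts.append((reply.sender_ip, previous, reply.sender_mac))
        self.table[reply.sender_ip] = reply.sender_mac

    def resolve(self, ip: str):
        """What the host would put in the frame's destination MAC field."""
        return self.table.get(ip)


# Constructed sample traffic: the gateway announces itself, another host
# answers normally, then an attacker sends an unsolicited reply claiming
# the gateway's IP with its own MAC.
GATEWAY_IP = "192.168.1.1"
REAL_GATEWAY_MAC = "aa:bb:cc:00:00:01"
ATTACKER_MAC = "de:ad:be:ef:00:99"

SAMPLE_REPLIES = [
    ArpReply(GATEWAY_IP, REAL_GATEWAY_MAC),
    ArpReply("192.168.1.20", "aa:bb:cc:00:00:20"),
    ArpReply(GATEWAY_IP, ATTACKER_MAC),  # the poisoning reply
]


def run_capture(replies=SAMPLE_REPLIES) -> ArpCache:
    """Feed replies into a fresh cache and return it for inspection."""
    cache = ArpCache()
    for reply in replies:
        cache.learn(reply)
    return cache


if __name__ == "__main__":
    cache = run_capture()
    # Traffic for the gateway now goes to the attacker's card
    print("gateway resolves to", cache.resolve(GATEWAY_IP))
    for ip, old, new in cache.alerts:
        print(f"ALERT: {ip} changed from {old} to {new}")
```

The alert is the detection hook; the cache itself still trusts the last reply, which is why static ARP entries or dynamic ARP inspection on the switch are the actual mitigations.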

Layer 3: Network

  • mnemonic: the layer 3 protocols all start with “I” (IMAP doesn’t go here; it’s the internet message access protocol, an application-layer protocol)
    • IP
    • ICMP
    • IGMP
    • IGRP
    • IPSEC
    • IKE
    • ISAKMP


  • ICMP (internet control message protocol)
    • used by echo utilities such as ping and traceroute
    • weak and frequently exploited
      • ping flood
        • sending an overwhelming number of ICMP echo requests
      • SMURF
        • ICMP echo requests sent to a network’s broadcast address with a spoofed source address (the victim’s); every host on that network replies to the victim, amplifying the flood into a DDoS
      • Loki attack
        • hiding data within ICMP messages (a covert channel)

Layer 4: Transport


  • TCP (transmission control protocol)

    • reliable, connection-oriented protocol
    • uses three-way handshake
    • vulnerable to SYN flooding

  • UDP (user datagram protocol)

    • connectionless
    • unreliable
    • no handshaking
    • desirable when “realtime” transfer is needed
      • video streaming, online gaming, live Twitch streams, etc.
      • TFTP uses UDP

Layer 5: Session

  • responsible for establishing connection between two applications
  • dialog control
  • release connections

Layer 6: Presentation

  • present data in a format that all computers can understand
  • only layer that has no protocols
  • concerned with compression, encryption and formatting
  • makes sure data is in universal format
  • file level compression
  • removing redundancy from file (compression)

Layer 7: Application

  • defines a protocol that different programs / applications understand
    • application proxies
    • non-repudiation
    • certs
    • integration with directory services
    • time awareness

TCP/IP Networking

TCP/IP intro

Internet Protocol (IP)

  • routing info across network
  • provides an addressing scheme
  • delivers packets from a source to a destination
  • serves as a network layer protocol

Transmission Control Protocol (TCP)

  • connection-oriented protocol

  • guarantees delivery via acknowledgement

  • widely used for critical applications

  • TCP flags

    • SYN opens a connection
    • FIN closes a connection
    • ACK acknowledges received data (including the SYN and FIN)
  • TCP handshake

    • source sends SYN
    • destination replies w/ SYN/ACK
    • source replies w/ ACK

User Datagram Protocol (UDP)

  • lightweight connection-less protocol
  • doesn’t send acknowledgements
    • doesn’t guarantee delivery
  • used for voice and video applications

OSI model

Layer  Name          PDU      Use
7      Application   data     user programs
6      Presentation  data     data translation, encryption
5      Session       data     exchanges between systems
4      Transport     segment  TCP, UDP
3      Network       packet   IP
2      Data Link     frame    data transfers between nodes
1      Physical      bits     wires, radios, optics
  • promotes interoperability between vendors
  • enables standardization
  • describes the encapsulation (packaging) of data to enable it to get from point A to point B
  • each layer adds a header to it
  • each header has instructions for where the data should go
    • sending - you go down the layers and add headers to the data
    • receiving - you go up the layers and remove headers from the data

TCP/IP model

4 Application
3 Transport
2 Internet
1 Network Access

OSI vs. TCP/IP model

OSI           TCP/IP
Application   Application
Presentation  "
Session       "
Transport     Transport
Network       Internet
Data Link     Network Access
Physical      "
  • pay attention to the question being asked
  • learn the OSI model
  • remember how TCP/IP aligns with OSI

IP addressing / DHCP

IP addresses

  • uniquely identifies systems on a network
  • follow dotted quad notation
    • four 8-bit numbers 0–255
  • 32-bit address (8 × 4 = 32)
  • must not be reused in internet-connected systems
  • may be reused on private networks


Subnetting

  • allows networks to be divided into smaller networks
    • first portion of the address is the network address
    • second portion is the host address
  • works by adjusting which portion of the address is the network and which is the host (the subnet mask)

Source and destination

  • source

    • sender of data
  • destination

    • recipient of data
  • machines communicating switch places between the two constantly during communications


IPv6

  • replaces IPv4 due to address exhaustion
  • uses 128-bit addresses
  • consists of eight groups of four hexadecimal digits (16 bits per group)

Static and dynamic addressing

  • static IP addresses

    • manually assigned to systems by admin
    • must be w/in network range
    • often used for servers
  • dynamic IP addresses

    • automatically assigned by DHCP (dynamic host configuration protocol) server
    • address comes from admin-configured pool
    • often used for workstations

Domain name system (DNS)

  • provides address resolution on the internet

  • DNS server

    • translates domain names into IP addresses
    • functions over UDP port 53 (TCP port 53 for zone transfers and for replies too large for a single UDP datagram)
  • DNS resolution

    1. URL input into browser
    2. computer sends DNS query to local DNS server
    3. DNS server looks up the host name in the URL, finds the IP address and sends it back to the computer
    4. computer connects to web server via IP address
  • DNS is hierarchical

    • orgs designate servers that are authoritative for their domains
  • some content filters (e.g. Pi-hole, AdGuard Home) deliberately alter DNS query results to block unwanted domains

  • DNSSEC (DNS security extensions)

    • adds digital signatures to DNS replies so a resolver can verify they came from the authoritative server and weren’t altered
    • protects against DNS poisoning (it doesn’t encrypt queries)

Network ports

  • guide traffic to the correct final destination
    • think of them as apartment numbers (ports) associated with an apartment building address (IP address)
  • 16-bit number (65,536 ports)
  • 0–65535

Port ranges

  • well-known ports
    • 0–1023
    • used for common apps
    • web, mail, FTP, etc.
  • registered ports
    • 1024–49151
    • apps may register for a port number
  • dynamic ports
    • 49152–65535

Common ports

Category  Port     Application
admin     21       FTP
admin     22       SSH
admin     53       DNS
admin     137–139  NetBIOS
admin     3389     RDP
email     25       SMTP
email     110      POP
email     143      IMAP
web       80       HTTP
web       443      HTTPS

Internet Control Message Protocol (ICMP)

  • housekeeping protocol of the internet


Ping

  • identifies live systems
  • source sends ICMP echo request to destination
  • destination replies with ICMP echo reply

Traceroute

  • identifies network paths (sends packets with increasing TTLs and reads the ICMP time exceeded replies from each hop)

Other functions

  • destination unreachable
  • redirects
  • time exceeded
  • address mask requests and replies

Multilayer protocols

  • TCP/IP is the most common multilayer protocol suite


  • provides network connectivity for SCADA systems
    • allows for remote collection of data

Secure Network Design

Public and private addressing

Public IP addresses

  • assigned by a central authority

  • routable over the internet

  • ICANN (Internet Corporation for Assigned Names and Numbers)

    • distributes blocks of addresses to regional authorities for distribution
  • IP addresses are scarce

    • no large blocks are available
    • IPv4 allows for 4.3 billion possible addresses
      • currently estimate that there are 7.4 billion mobile devices in the world

Private IP addresses

  • available for anyone to use

  • not routable over the internet

  • private address ranges

    • 10.0.0.0 – 10.255.255.255
    • 172.16.0.0 – 172.31.255.255
    • 192.168.0.0 – 192.168.255.255
  • orgs mix public and private addresses

    • possible through NAT and PAT


NAT and PAT

  • translate internal IP addresses of devices to external (public) IP addresses
    • advantages:
      • can use private addresses internally, don’t need to get a public IP address for each computer
      • allows for RFC 1918 IP addresses
        • 10.x.x.x
        • 172.16.x.x – 172.31.x.x
        • 192.168.x.x
      • hiding of internal network scheme
      • transparent, doesn’t require any special software
    • disadvantages:
      • single point of failure
      • performance bottleneck
      • doesn’t provide protection from bad content
    • NAT (network address translation)
      • provides translation between public and private addresses

      • security features/issues

        • hides internal address from the internet
        • limits direct access to systems
        • can be difficult to identify the origin of traffic
          • admins need to have good logging
      • one-to-one (static) NAT requires a large pool of public IP addresses

        • each internal IP address is mapped directly to its own public IP address
    • PAT (port address translation)
      • allows multiple systems to share the same public IP address
      • assigns ports to each communication


Subnetting

  • subdivides large networks

  • subnet masks

    • identify the dividing line between the network and host address

    • remember that IP addresses are 32 bit (8-bit × 4)


    • the example address 192.168.1.100 has two portions
      • first portion is the network address
      • second portion is the host address
    • looking at the address in binary: 11000000.10101000.00000001.01100100

    • the subnet mask is simply a representation of which bits are the network address; in this case all of the first 16 bits, or 255.255.0.0 (11111111.11111111.00000000.00000000 in binary)

    • if you want to move the dividing line between network and host, you can do so

    • for example: 11000000.10101000.00000001.01100100

    • this subnet mask is

  • subnets can be represented in two ways:

    • subnet mask notation

      • lists the IP address and the subnet mask
      • IP address:
      • Subnet mask:
    • slash notation

      • lists the IP address and the number of network bits in the subnet mask (192.168.1.100/16 for the 16-bit example above)
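
The subnet-mask and slash-notation split above, as an added example that is not from the original notes. It uses Python’s standard ipaddress module on the 192.168.1.100 address from the example and moves the dividing line between 16 and 24 network bits; the 192.168.2.7 neighbour address is made up for the comparison.

```python
# Added example, not from the original notes: working out the network/host
# split of an IPv4 address under a subnet mask, in both subnet-mask and
# slash notation, using the standard-library ipaddress module. The
# addresses are the 192.168.1.100 example from the notes above.
import ipaddress


def to_binary(addr: str) -> str:
    """Dotted quad -> dotted binary, the form the notes use."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


def split_address(addr: str, mask: str) -> dict:
    """Describe addr under mask; mask may be dotted ('255.255.0.0') or a prefix length ('16')."""
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    net = iface.network                  # the network containing this address
    prefix = net.prefixlen
    host_bits = 32 - prefix
    host_number = int(iface.ip) & ((1 << host_bits) - 1)   # the low, host bits only
    return {
        "address": str(iface.ip),
        "binary": to_binary(str(iface.ip)),
        "mask": str(net.netmask),
        "mask_binary": to_binary(str(net.netmask)),
        "slash": f"{iface.ip}/{prefix}",
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "host_bits": host_bits,
        "host_number": host_number,
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when a and b are on the same network under mask, i.e. they can
    reach each other at layer 2 without a router in between."""
    return (ipaddress.IPv4Interface(f"{a}/{mask}").network
            == ipaddress.IPv4Interface(f"{b}/{mask}").network)


if __name__ == "__main__":
    for mask in ("255.255.0.0", "255.255.255.0"):
        r = split_address("192.168.1.100", mask)
        print(f'{r["slash"]:20} mask {r["mask"]:15} network {r["network"]:15} '
              f'host #{r["host_number"]} of {r["usable_hosts"]} usable')
        print(f'  {r["binary"]}  (address)')
        print(f'  {r["mask_binary"]}  (mask: 1 bits = network, 0 bits = host)')
    # Moving the dividing line changes who counts as a neighbour
    print(same_subnet("192.168.1.100", "192.168.2.7", "255.255.0.0"))    # True
    print(same_subnet("192.168.1.100", "192.168.2.7", "255.255.255.0"))  # False
```

The same_subnet check is the security-relevant part: a host decides from its own mask whether to ARP for a destination directly or send it to the gateway, so a wrong mask silently changes which traffic a router (and its ACLs) ever sees.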

Security zones

  • firewalls segment networks into security zones

  • network border firewall

    • is placed between internet and an orgs internal network

Security zones

  • Internet

    • public internet
    • outside of the org’s control
  • internal network

    • internal networks controlled by the org
    • may contain various network, servers, etc.
  • DMZ

    • demilitarized zone

Zero trust

  • systems gain no trust based on their network location

Other networks

  • extranet

    • intranet segments extended to business partners
    • example: vendor VPNs into network in intranet
  • honeynets

    • decoy networks set up to attract attackers
    • similar to honeypots
  • ad-hoc

    • temporary networks that bypass security controls


  • east-west traffic

    • traffic between systems w/in a data center
  • north-south traffic

    • traffic between systems in a data center and the internet

VLANs and network segmentation

  • separate systems on a network

  • often due to networks not being physically separated

    • example: accounting, purchasing, sales all on same floor
  • each VLAN is its own broadcast domain (VLANs segment the broadcast domain rather than extending it)

    • happens at layer 2
  • configuring VLAN

    • must enable VLAN trunking
    • must assign switchports to VLANs

Security device placement

  • exact placement depends on business requirements

Network traffic collectors

  • intrusion detection systems and intrusion prevention systems

  • network taps

  • port mirrors

  • must all be placed on the network segment that they’re designed to collect information from

    • example: an IDS placed in the DMZ will only see data from the DMZ
  • aggregation (or distribution) switches connect downstream switches to one another

    • note that a traffic collector placed on the aggregation switch may not be able to see traffic between downstream switches
  • SPAN (switched port analyzer) ports are the Cisco name for port mirroring: the switch copies traffic from one or more source ports (or VLANs) to the monitoring port

  • port mirroring allows monitoring of all traffic on a single port (or a set of ports) without an inline tap

SIEM (security information and event management)

  • systems that gather info using collectors

  • analyze info w/ a centralized aggregation and correlation engine

  • collectors should be placed near the systems generating records

  • correlation engine should be placed in a secure location

  • proxy servers and content filters

    • usually belong in the DMZ

VPN concentrators

  • aggregate user connections via VPN
  • often reside on their own VLAN
    • more sophisticated designs might use multiple VLANs that separate users based on roles

SSL accelerators, load balancers

  • belong in the DMZ

  • SSL accelerators

    • handle cryptography work of setting up TLS connections
    • reduce load on web servers
  • load balancers

    • distribute connection loads on servers

DDoS mitigation tools

  • detect and prevent DDoS attempts

  • should be placed as close to the Internet as possible

  • DDoS mitigation services may also be purchased from ISPs

    • can be an ideal approach
    • prevent DDoS from reaching the org in the first place

Software defined networking (SDN)

  • treats network function and implementation as separate functions

  • reconfiguring traditional networks requires reconfiguring devices

  • control plane

    • responsible for making routing and switching decisions
  • data plane

    • responsible for carrying out the instructions of the control plane
  • SDN separates the control plane from the data plane

  • this makes a network programmable

  • encapsulation

    • allows one protocol to carry traffic that uses another protocol
  • VXLANs

    • build overlay networks that operate at layer 2 using layer 3 equipment
  • SD-WANs

    • connect larger areas
  • SDN security benefits

    • granular network configuration
    • facilitate faster responses to security incidents
      • can programmatically turn off ports during an incident
  • SDN security issues

    • increase network complexity
    • require strong access controls

Transmission media

  • layered approach to networking (OSI or TCP/IP) allows us to abstract the physical layer
  • transmission media allows info to be transmitted over a distance

Transmission media types

  • Ethernet cable

    • transmits electrical signals over copper wires
    • simplest picture: signal on the line = 1, no signal = 0 (real Ethernet uses line encodings, but the idea is the same)
  • fiber optic cable

    • transmits light over strands of glass
    • light = 1, dark = 0
  • wi-fi

    • transmits data over radio waves
  • Li-fi

    • replaces radio waves with light
    • light = 1, dark = 0
  • all media types need to be protected against eavesdropping

Network Security Devices

Hubs, switches, routers and bridges

building blocks of computer networks


Hubs

  • operate on layer 1
  • cheap and dumb
  • all devices connected to it are on the same collision domain
  • sniffer on a hub → can gather up all data from hub traffic


Switches

  • connect devices to a network
  • reside in wiring closets
  • ethernet jack on other end of cable from switch
  • WAPs connect to switches and create wifi networks
  • by default, operate on layer 2
    • data transfer between nodes
  • use MAC addresses to direct traffic
  • isolates traffic into collision domains
    • one domain per port
  • doesn’t isolate broadcasts natively


Routers

  • operate on layer 3
  • isolates traffic into broadcast domains
  • uses IP addresses to direct traffic
  • connect networks together
  • make intelligent packet routing decisions
  • offer some security
    • ACLs provide stateless inspection

VLANs and Layer 3 Switches

  • routers are $$$
  • to get broadcast isolation on a switch, a VLAN is necessary
  • not all switches support VLANs
  • layer 2 switches (even on VLANs) don’t understand layer 3 IP addressing
  • a layer 3 switch is needed for inter-VLAN communications


Bridges

  • connect two networks together
  • use simple forwarding


Firewalls

  • act like a security guard at the perimeter of a network
  • often sit on the perimeter of a network (but not always)
    • can see all inbound and outbound connections
  • connect three networks
    • Internet
    • internal network
    • DMZ


DMZ

  • demilitarized zone
  • contain systems that must accept external connections
    • web servers
  • isolates systems due to risk of compromise
  • protects internal network from compromised systems in the DMZ

Stateless and stateful firewalls

  • stateless firewalls
    • evaluate each packet independently, with no memory of the connection it belongs to
    • inefficient to administer: return traffic for every conversation needs its own explicit rule
  • stateful firewalls
    • tracks open connections
    • keeps track of connections. knows which conversations are active, who is involved, etc.
    • allows return traffic, where a packet filter would have to have a specific rule defining return traffic
    • more complex. can launch a DoS by trying to fill up all entries in the state table (use up all memory)
    • reboots can disrupt traffic
    • provides context dependent access control
    • example: user connects to website, firewall allows back and forth communications until connection is no longer needed

Firewall rules contents

  • source address
  • destination address
  • destination port and protocol
  • action (allow or deny)
    • example: allow all HTTPS traffic into the web server
      Source        ANY
      Destination   web server address
      Port          443
      Protocol      TCP (HTTPS)
      Action        ALLOW

Implicit deny

  • if a firewall receives traffic not explicitly defined in a rule, it’s blocked

    exam tip
    important to know and understand how implicit deny works and the importance of the order of firewall rules.

Next-gen firewalls (NGFW)

  • incorporate contextual info into decision making
  • info from threat sources, IP address origin, etc.

Other firewall roles

  • NAT gateway
  • content / URL filtering
  • web application firewall

Firewall deployment options

  • network hardware vs. host-based software firewall
    • will it be a physical device or software running on a server?
  • open source vs. proprietary
  • hardware appliance vs. virtual machine
    • will it be a physical device or a virtual machine?

Firewall Best Practices

  • block unnecessary ICMP packets
  • use simple ACLs
  • use implicit deny
  • disallow source routed packets
  • use least privilege
  • block directed IP broadcasts
  • perform ingress and egress filtering
    • block outbound traffic from non-internal addresses
      • sign that something inside that network is acting as a zombie for a DDoS attack
    • block inbound traffic from internal addresses
      • sign of a potential spoofing attack
  • enable logging
  • drop or reassemble fragments
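
The ingress/egress filtering, directed-broadcast and source-route items from the list above, as an added example that is not part of the original notes. The two internal subnets, the external addresses and the packets are constructed; a border firewall would run these checks before consulting its normal rule base.

```python
# Added example, not from the original notes: the ingress/egress filtering,
# directed-broadcast and source-route checks from the best-practice list,
# as a border firewall would apply them. The org's subnets and the sample
# packets are constructed for this example.
import ipaddress

# Assumed: the org uses these two RFC 1918 subnets internally
ORG_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24")]
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """Address belongs to one of our subnets."""
    a = ipaddress.ip_address(ip)
    return any(a in n for n in ORG_SUBNETS)


def is_private(ip: str) -> bool:
    """Address is RFC 1918 space, which never legitimately arrives from the Internet."""
    a = ipaddress.ip_address(ip)
    return any(a in n for n in PRIVATE_RANGES)


def is_directed_broadcast(ip: str) -> bool:
    """Destination is the broadcast address of one of our subnets (a Smurf amplifier)."""
    a = ipaddress.ip_address(ip)
    return any(a == n.broadcast_address for n in ORG_SUBNETS)


def border_decision(direction: str, src: str, dst: str, source_routed: bool = False) -> tuple:
    """direction is 'in' (Internet -> org) or 'out' (org -> Internet).
    Returns (action, reason); packets that pass go on to the normal rule base."""
    if source_routed:
        return ("drop", "source-routed packet")
    if is_directed_broadcast(dst):
        return ("drop", "directed IP broadcast")
    if direction == "in" and is_private(src):
        # Ingress filtering: a private source arriving from the Internet is spoofed
        return ("drop", "ingress: private source address from the Internet")
    if direction == "out" and not is_internal(src):
        # Egress filtering: a source that isn't ours leaving = spoofed flood / zombie inside
        return ("drop", "egress: non-internal source address leaving the network")
    return ("allow", "passes anti-spoofing checks")


# Constructed sample packets: (direction, src, dst, source_routed)
SAMPLE_PACKETS = [
    ("in", "203.0.113.5", "192.168.1.10", False),   # ordinary inbound
    ("in", "192.168.1.50", "192.168.1.10", False),  # inbound claiming an internal source
    ("out", "192.168.1.10", "203.0.113.5", False),  # ordinary outbound
    ("out", "198.51.100.7", "203.0.113.5", False),  # outbound with a spoofed source
    ("in", "203.0.113.5", "192.168.1.255", False),  # directed broadcast at our LAN
    ("in", "203.0.113.5", "192.168.1.10", True),    # source-routed
]


def filter_packets(packets=SAMPLE_PACKETS) -> list:
    """Action for each packet, in order."""
    return [border_decision(*p)[0] for p in packets]


if __name__ == "__main__":
    for p, action in zip(SAMPLE_PACKETS, filter_packets()):
        print(f"{action:5} {p[0]:3} {p[1]:>14} -> {p[2]:<14} {border_decision(*p)[1]}")
```

Each drop here should also be logged: the egress drops in particular are the earliest sign that a host inside is participating in a spoofed-source DDoS.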

Proxy servers

  • connect to a website on a user’s behalf

  • connection proxying

    • user ↔︎ proxy server ↔︎ web server

    • benefits

      • anonymization

        • web server doesn’t know anything about the user, just about the proxy server
      • performance

        • proxy server can cache frequently visited websites
      • content filtering

        • allows orgs to block employee access to certain websites and services
  • forward proxy

    • works on behalf of clients
    • w/out server knowledge
  • reverse proxy

    • works on behalf of servers
    • w/out user knowledge
  • transparent proxy

    • works w/out client’s or server’s knowledge
  • can handle many different apps, not just web traffic

Load balancers

  • distribute load amongst servers

  • DNS server points to a load balancer instead of a server

    • makes this a virtual IP address
    • load balancer sends traffic to servers
  • allows for autoscaling

    • automatically adding and removing severs as needed
  • security functions

    • SSL/TLS certificate management
    • URL filtering
    • other web security applications
  • load balancing techniques

    • round-robin balancing

      • each server gets an equal number of requests
    • other scheduling algorithms may be used based on performance, available capacity, session persistence, etc.

    • session persistence

      • routing individual users’ requests to the same server based on previous use

Load balancing modes

  • load balancers can be a single point of failure

    • if the load balancer dies, none of the servers are available
  • active-active

    • two or more load balancers actively run on the network
    • if one dies, other(s) continue to function
      • capacity is decreased
  • active-passive

    • active load balancer handles all traffic
    • passive load balancer monitors all traffic
    • if the active load balancer dies, the passive load balancer takes over
      • no capacity is lost, just redundancy
    • big negative is that the passive load balancer sits idle almost all of the time (paid-for capacity that does nothing until a failure)

VPNs and VPN concentrators

  • use encryption to create a virtual tunnel

  • everything is encrypted when entering the tunnel and decrypted on the other end

  • protects against eavesdropping

  • site-to-site VPNs

    • connect remote offices to each other and main office
  • remote access VPNs

    • gives remote access to org network to mobile users, WFH employees, etc.
  • VPN endpoints

    • normal network equipment
      • firewall, server, router
      • not dedicated systems
        • can struggle with bandwidth, encryption/decryption requirements, etc.
  • VPN concentrators

    • dedicated piece of equipment
    • good for high use, high volume
  • IPsec VPN

    • works at the network layer (3)
    • supports L2TP (layer 2 tunneling protocol)
    • provide secure transport
    • can be difficult to use and set up
    • usually used for static site-to-site connections

  • SSL/TLS VPN

    • works at the application layer (7)
    • works over TCP port 443
      • same port as HTTPS
      • useful for bypassing firewalls that block other ports
  • browser-based (clientless) VPN

    • runs entirely w/in a browser
  • full tunnel

    • all traffic routes through the VPN
  • split tunnel

    • some traffic routes through the VPN
    • other traffic routes through the Internet
    • can provide users w/ a false sense of security
  • always-on VPN

    • connect automatically

Generic Routing Encapsulation (GRE)

  • point-to-point link between two networks

  • adds an additional IP header to original packet

    • frequently used in the past to encapsulate older protocols like AppleTalk, IPX, etc.
  • data encapsulation

    • packets are encapsulated to allow them to travel over an incompatible network
    • ex. routing IPv4 packets over an IPv6-only network
  • simplicity

    • lacks flow-control and security
    • can ease in configuration
    • GRE tunnels can be supplemented by IPSec
  • multicast traffic forwarding

    • can forward multicast traffic (plain IPsec tunnels cannot on their own)
    • multicast traffic (ex. advertisements sent by routing protocols) can be transferred between remote sites
    exam tip
    GRE doesn’t automatically mean that communications are encrypted.
    think about a car on a ferry. the car is encapsulated on the boat, but it isn’t encrypted by the boat.

Network intrusion detection and prevention

  • systems that monitor network traffic for signs of potentially malicious traffic
    • SQL injection, malformed packets, unusual logins, botnet traffic, DoS attempts, etc.

Intrusion detection systems (IDS)

  • alert admins of suspicious activity
  • require monitoring
    • require a strong understanding of systems, logs, meaning of alerts, etc.
  • require action from admins
  • can be tedious to administer

Intrusion prevention systems (IPS)

  • perform actions of IDS, but then block malicious activity automatically

False positive / negative errors

  • false positive errors
    • alerts when an attack didn’t take place
  • false negative errors
    • attack takes place and system doesn’t alert

Detection methods

  • signature detection systems
    • contains a database w/ rules describing malicious activity
    • alerts admins to matching signatures
    • fails to detect brand new attacks
    • reduces false positives
  • anomaly detection systems
    • aka: behavior-based detection system, heuristic detection system
    • build a model of “normal” activity
    • alert admins for activity that doesn’t match the model
    • often application aware
    • can detect previously unknown attacks
    • increased false positive rate

Deployment modes

  • in-band (inline)
    • device sits in path of network traffic
    • device can block suspicious traffic entering the network
    • can be a problem if device shuts down all traffic due to a false positive
  • out-of-band (passive)
    • device connects to SPAN port on a switch
    • device can only react after suspicious traffic has entered the network

Protocol analyzers

  • allow for deep traffic inspection

  • uses

    • troubleshooting networking issues
    • investigating security events
  • must be used carefully

    • can eavesdrop on confidential communications
    • access to tools should be tightly controlled
  • examples

    • Wireshark

      • open source GUI-based packet inspector
    • tcpdump

      • open source command line packet inspector
    • Wireshark and tcpdump are both built using the libpcap library

    • tcpreplay

      • command line tool
      • takes in packet captures from Wireshark or tcpdump
      • can edit or replay traffic

Unified threat management

  • solutions combine multiple security functions into a single device

  • basic functions

    • protect against network attacks
    • block unsolicited traffic
    • route traffic to/from the Internet
  • additional functions

    • VPN

    • IDS/IPS

    • small business functions

      • URL filter
      • content inspection
      • malware inspection
      • email and spam filter
  • still require regular monitoring and management

Content distribution networks (CDNs)

  • content delivery networks or content distribution networks

  • provide scalability and security

  • provide a shared web infrastructure

  • 10s to 100s of locations around the world

  • cache website data

    • users can get cached data from the nearest CDN server
  • benefits:

    • on-demand
    • cost effective
    • place content closer to users
    • security enhancements
      • can filter out DDoS attacks
      • can provide web application firewall
        • filter out SQL injection, XSS, other attacks before traffic reaches the org’s web servers

Network Security Techniques

Restricting network access

  • perimeter security

    • stop unwanted remote users
    • uses firewalls and other controls
  • network access control

    • limit physical network access to authorized individuals and devices
  • policies

    • rule-based

      • limit access based on business logic
    • role-based

      • limit access based on identity of an individual
    • time-based

      • limit access based on time of day
    • location-based

      • limit access based on physical location

Network access control

  • intercepts network traffic coming from unknown devices
  • verify that that a system/user is authorized before allowing communications on the network
  • often use 802.1X authentication

802.1X components

  • supplicant

    • software on end user’s machine that performs NAC steps
  • authenticator

    • receives credentials from user’s machine
  • authentication server

    • provides all authentication for authenticators

NAC roles

  • user and device authentication

  • role-based access

    • authentication server provides additional user info to the authenticator
    • authenticator places the device/user in an appropriate network based on the user’s role
  • posture checking

    • user’s device can be checked for multiple security controls
      • antivirus software
      • current antivirus definitions
      • proper firewall configuration
      • security patches
    • failing devices can be placed onto a quarantine VLAN
      • VLAN can have access to patches, antivirus definitions, etc.
      • once patched, user can attempt to authenticate again

NAC implementation

  • agent-based
  • agentless
  • in-line
  • out-of-band

Firewall rule management

  • firewall rules define how a firewall should act when it sees a new connection request
  • rules are applied in order
    • will follow the first matching rule
  • last rule is usually a “deny all”

Firewall rule configuration errors

admins need to watch out for these

  • shadowed rule

    • a rule that will never be applied due to the rules before it
    • it’s generally best to have more specific rules first
  • promiscuous rule

    • a rule that allow more access than intended or necessary
  • orphaned rule

    • a rule that allows access to decommed systems or services
    • can be dangerous if ports or IP addresses of decommed systems are reused in the future
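
An added example, not from the original notes, covering both the firewall rule contents / implicit deny section earlier on this page and the rule-ordering errors described here: a first-match evaluator with implicit deny, and a lint pass that reports shadowed and promiscuous rules. The DMZ subnet 192.168.10.0/24, the rule names and the test addresses are assumptions made for the example.

```python
# Added example, not from the original notes: a first-match rule evaluator
# with implicit deny, plus a lint pass that finds shadowed and promiscuous
# rules. The rule base and packets are constructed; the DMZ subnet is assumed.
from dataclasses import dataclass
import ipaddress

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    proto: str      # "tcp", "udp", "icmp" or "any"
    dport: object   # int or "any"
    action: str     # "allow" or "deny"


def _in_net(ip: str, cidr: str) -> bool:
    return cidr == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (_in_net(src, rule.src) and _in_net(dst, rule.dst)
            and rule.proto in (ANY, proto) and rule.dport in (ANY, dport))


def decide(rules: list, src: str, dst: str, proto: str, dport: int) -> tuple:
    """Rules are applied in order; the first match wins. No match = implicit deny."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return (rule.action, rule.name)
    return ("deny", "implicit-deny")


def _net_covers(broad: str, narrow: str) -> bool:
    """Every address matched by `narrow` is also matched by `broad`."""
    if broad == ANY:
        return True
    if narrow == ANY:
        return False
    return ipaddress.ip_network(narrow).subnet_of(ipaddress.ip_network(broad))


def _field_covers(broad, narrow) -> bool:
    return broad == ANY or broad == narrow


def shadowed(rules: list) -> list:
    """(rule, shadowing_rule) pairs: the later rule can never fire because an
    earlier one already matches everything it would, whatever its action."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_net_covers(earlier.src, later.src) and _net_covers(earlier.dst, later.dst)
                    and _field_covers(earlier.proto, later.proto)
                    and _field_covers(earlier.dport, later.dport)):
                found.append((later.name, earlier.name))
                break
    return found


def promiscuous(rules: list) -> list:
    """Allow rules with every field wide open."""
    return [r.name for r in rules
            if r.action == "allow" and (r.src, r.dst, r.proto, r.dport) == (ANY, ANY, ANY, ANY)]


DMZ = "192.168.10.0/24"   # assumed DMZ web subnet
RULES = [
    Rule("web-in", ANY, DMZ, "tcp", 443, "allow"),
    Rule("ssh-admin", "10.0.0.0/8", DMZ, "tcp", 22, "allow"),
    Rule("block-ssh", ANY, DMZ, "tcp", 22, "deny"),
    Rule("ssh-vendor", "203.0.113.0/24", DMZ, "tcp", 22, "allow"),  # never reached: block-ssh sits above it
    Rule("deny-all", ANY, ANY, ANY, ANY, "deny"),                    # explicit catch-all, same effect as implicit deny
]


if __name__ == "__main__":
    print(decide(RULES, "198.51.100.9", "192.168.10.5", "tcp", 443))      # ('allow', 'web-in')
    print(decide(RULES, "203.0.113.7", "192.168.10.5", "tcp", 22))        # ('deny', 'block-ssh'), not ssh-vendor
    print(decide(RULES[:-1], "198.51.100.9", "192.168.10.5", "udp", 53))  # ('deny', 'implicit-deny')
    print("shadowed:", shadowed(RULES))        # [('ssh-vendor', 'block-ssh')]
    print("promiscuous:", promiscuous(RULES))  # []
```

The fix for the shadowed rule is the ordering advice from the notes: move the more specific ssh-vendor rule above block-ssh. The lint deliberately ignores the rules’ actions, because a shadowed allow and a shadowed deny are both dead rules that mislead whoever reads the rule base later.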

Router configuration security

  • routers can be configured to perform basic filtering
    • this can reduce load on firewalls

Router access control lists

restrict network traffic

  • standard ACLs

    • filter based on source IP address
  • extended ACLs

    • filter based on more advanced criteria
      • source/destination IP addresses
      • source/destination ports
      • protocols
  • so why not just use a router as a firewall?

Firewalls vs. routers

  • firewalls are purpose-specific and efficient, routers are not
  • firewalls have much more advanced rule capabilities, routers do not
  • firewalls have more advanced security functions, routers do not

Switch configuration security

  • need to maintain physical security on switches and other networking equipment
    • attackers w/ physical access to a switch have physical access to the network

Port security

  • attackers w/ physical access can disconnect a legitimate device and replace it w/ a malicious one

  • switchports should limit devices attached to them via MAC address

  • static port security

    • admin manually configures the MAC address allowed for each switchport
    • secure, but can be tedious
  • dynamic port security

    • switch memorizes the MAC address connected to each switchport, then only allows access to that device
    • more convenient for the admin
    • can be dangerous w/ unused ports

DHCP snooping

  • inspects DHCP messages
    • looks for malformed messages
    • checks if DHCP messages are from authorized DHCP servers
  • blocks malicious DHCP traffic

VLAN security

  • disable automatic trunk negotiation

    • prevents VLAN hopping attacks
  • VLAN pruning

    • limit the number of switches where VLANs are switched
      • especially important for sensitive VLANs
  • VLAN trunk negotiation

    • deny automatic VLAN trunk negotiation
    • limits the effectiveness of VLAN hopping
    • only allow explicitly set up VLAN trunk negotiation

Maintaining network availability

Flooding attacks

many DoS attacks rely on flooding a network w/ traffic until it’s overwhelmed

  • SYN flood

    • attacker sends thousands of SYN packets (often w/ spoofed source addresses)
      • never replies to the SYN/ACK packets
    • fills the target’s connection state table (and that of any stateful firewall in the path) w/ half-open entries
  • MAC flood

    • sends out large numbers of MAC addresses
    • hope to overflow MAC address table on a switch
      • switch may flood traffic out to all ports
        • attacker can eavesdrop
  • flood guard technology

    • protect network devices against flood attacks
    • limit the number of open (or half-open) connections that a single system can have
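
The SYN flood and MAC flood above, together with the flood guard that limits them and the port security from the switch configuration section, as an added example that is not from the original notes. The connection table, switch CAM table, capacities and addresses are simplified models built for the example; real flood guards also use techniques such as SYN cookies, which are not modelled here.

```python
# Added example, not from the original notes: the SYN flood and MAC flood
# from this section run against small models of the devices they target,
# once without and once with the protective control (a flood guard limiting
# half-open connections per source, and port security limiting MACs per
# switchport). Table sizes and addresses are made up for the example.
from collections import OrderedDict


class ConnectionTable:
    """A stateful device's table of half-open (SYN received, ACK pending) entries."""

    def __init__(self, capacity: int, per_source_limit: int = None):
        self.capacity = capacity
        self.per_source_limit = per_source_limit   # flood guard setting; None = off
        self.half_open = set()                     # (src_ip, src_port)
        self.refused = 0

    def syn(self, src_ip: str, src_port: int) -> bool:
        """Step 1 of the handshake: allocate an entry and (conceptually) send SYN/ACK."""
        if self.per_source_limit is not None:
            from_source = sum(1 for ip, _ in self.half_open if ip == src_ip)
            if from_source >= self.per_source_limit:
                self.refused += 1      # flood guard: one source holds too many half-open slots
                return False
        if len(self.half_open) >= self.capacity:
            self.refused += 1          # table exhausted: legitimate clients are refused too
            return False
        self.half_open.add((src_ip, src_port))
        return True

    def ack(self, src_ip: str, src_port: int) -> bool:
        """Step 3 completes the handshake and frees the half-open slot."""
        try:
            self.half_open.remove((src_ip, src_port))
            return True
        except KeyError:
            return False


def syn_flood(table: ConnectionTable, attacker_ip="203.0.113.66", count=1000) -> bool:
    """Attacker sends `count` SYNs and never answers the SYN/ACKs.
    Returns whether a legitimate client can still complete a handshake afterwards."""
    for port in range(1024, 1024 + count):
        table.syn(attacker_ip, port)
    client = ("198.51.100.10", 40000)
    return table.syn(*client) and table.ack(*client)


class Switch:
    """A switch's MAC (CAM) table: mac -> port, learned from frame sources."""

    def __init__(self, cam_capacity: int, port_security_max: int = None):
        self.cam = OrderedDict()
        self.cam_capacity = cam_capacity
        self.port_security_max = port_security_max  # max MACs learned per port; None = off
        self.violations = 0
        self.flooded = 0

    def frame(self, src_mac: str, dst_mac: str, in_port: int) -> str:
        """Learn the source, then forward: known unicast destination -> its port,
        unknown or broadcast -> flood out every port."""
        if src_mac not in self.cam:
            if self.port_security_max is not None:
                on_port = sum(1 for p in self.cam.values() if p == in_port)
                if on_port >= self.port_security_max:
                    self.violations += 1
                    return "dropped"           # port security violation
            if len(self.cam) >= self.cam_capacity:
                self.cam.popitem(last=False)   # table full: oldest entry evicted
            self.cam[src_mac] = in_port
        port = self.cam.get(dst_mac)
        if port is None:
            self.flooded += 1
            return "flood"
        return f"port{port}"


def mac_flood(switch: Switch, attacker_port=3, count=5000) -> str:
    """Two real hosts are learned, then the attacker sprays bogus source MACs.
    Returns how the switch then forwards a unicast frame from host 1 to host 2."""
    host1, host2, bcast = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "ff:ff:ff:ff:ff:ff"
    switch.frame(host1, bcast, 1)
    switch.frame(host2, bcast, 2)
    for i in range(count):
        bogus = f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        switch.frame(bogus, bcast, attacker_port)
    return switch.frame(host1, host2, 1)   # "port2" if the table survived, "flood" if it overflowed


def demo() -> dict:
    return {
        "syn_no_guard": syn_flood(ConnectionTable(capacity=500)),                        # False
        "syn_with_guard": syn_flood(ConnectionTable(capacity=500, per_source_limit=50)),  # True
        "mac_no_portsec": mac_flood(Switch(cam_capacity=1024)),                           # "flood"
        "mac_with_portsec": mac_flood(Switch(cam_capacity=1024, port_security_max=1)),    # "port2"
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

The "flood" result is the eavesdropping outcome from the notes: once the CAM table is thrashing, the unicast frame from host 1 to host 2 is also copied out of the attacker’s port. A per-source limit defeats a single-source SYN flood but not a spoofed-source one, which is why the ingress filtering earlier on this page matters as well.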

Routing loops

  • occur when there are multiple paths between two devices

    • switches forward broadcast frames around the loop endlessly
    • network fills to capacity with those frames
      • known as a broadcast storm
  • spanning tree protocol

    • includes loop protection to protect against broadcast storms

    • uses BPDUs

    • BPDU bridge protocol data units

      • routing status messages that allow recomputation of network paths

      • if exploited, can cripple network with spanning tree attacks

      • BPDU guard

        • blocks against spanning tree attacks

Network monitoring

  • firewalls and routers have logs that are a rich source of security info

Firewall logs

  • logs of every connection

    • details about each attempted connection
    • timestamps
    • firewall rules applied to the attempt
  • uses:

    • security incident investigations
    • network issue troubleshooting
    • anomalous activity detection
  • ingress filtering

    • filtering of traffic entering the network
  • egress filtering

    • filtering of traffic exiting the network

NetFlow data

  • full packet inspection requires a large amount of storage capacity
  • NetFlow data captures most details of connections
    • source/destination systems
    • source/destination ports
    • timestamp
    • amount of data
  • very useful information
    • doesn’t capture what, but does capture who, when and how much
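Working "who, when and how much" out of flow records, as an added example that is not part of the original notes: the records, the internal address range (10.0.0.0/8) and the egress allow list are all constructed for the demonstration.

```python
"""Summarise NetFlow-style records and run two simple checks over them."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample records (not captured traffic). Assumed field order:
# timestamp src_ip dst_ip dst_port protocol bytes
SAMPLE_FLOWS = """\
2024-05-01T09:00:01 10.0.1.15 93.184.216.34 443 TCP 51200
2024-05-01T09:00:04 10.0.1.15 93.184.216.34 443 TCP 20480
2024-05-01T09:01:10 10.0.1.22 10.0.2.5 445 TCP 4096
2024-05-01T09:02:30 10.0.1.40 198.51.100.7 22 TCP 734003200
2024-05-01T09:03:00 10.0.1.22 203.0.113.9 6667 TCP 1200
2024-05-01T09:03:20 10.0.1.22 203.0.113.9 6667 TCP 900
2024-05-01T09:04:00 10.0.1.15 10.0.2.5 445 TCP 8192
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space


@dataclass
class Flow:
    when: datetime
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


@dataclass
class SourceSummary:
    flows: int = 0
    total_bytes: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    peers: set = field(default_factory=set)


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow records; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto, int(nbytes)))
    return flows


def summarize_by_source(flows) -> dict:
    """Per-source totals, time span and distinct peers: who, when and how much."""
    summary = defaultdict(SourceSummary)
    for f in flows:
        s = summary[f.src]
        s.flows += 1
        s.total_bytes += f.nbytes
        s.peers.add(f.dst)
        if s.first_seen is None or f.when < s.first_seen:
            s.first_seen = f.when
        if s.last_seen is None or f.when > s.last_seen:
            s.last_seen = f.when
    return dict(summary)


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def egress_violations(flows, allowed_ports) -> list:
    """Egress filtering check: internal -> external flows on ports not in the allow list."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst) and f.dport not in allowed_ports]


def large_transfers(flows, threshold_bytes: int) -> list:
    """Flows above a byte threshold; flow data says how much moved, not what it was."""
    return [f for f in flows if f.nbytes > threshold_bytes]


if __name__ == "__main__":
    records = parse_flows(SAMPLE_FLOWS)
    for src, s in sorted(summarize_by_source(records).items()):
        print(f"{src}: {s.flows} flows, {s.total_bytes} bytes, {len(s.peers)} peers, "
              f"{s.first_seen:%H:%M:%S}-{s.last_seen:%H:%M:%S}")
    for f in egress_violations(records, allowed_ports={80, 443}):
        print(f"egress policy violation: {f.src} -> {f.dst}:{f.dport}")
    for f in large_transfers(records, threshold_bytes=100 * 1024 * 1024):
        print(f"large transfer: {f.src} -> {f.dst} {f.nbytes} bytes")
```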


SIEM (security information and event management system)

  • facilitate rapid analysis of data
  • log sources
    • firewalls
    • network devices
    • servers
    • application

SNMP (simple network management protocol)

  • automates network monitoring and maintenance tasks

SNMP components

  • managed devices

    • routers, firewalls, APs
  • agent

    • software package that runs on devices
  • network management system

    • communicates with agents
    • manages the network

SNMP communications

  • SNMP requests

    • allow the network management system to get information from agents
      • network management system → GetRequest → agent
      • network management system ← response ← agent
  • SNMP configuration

    • allows the network management system to configure agents
      • network management system → SetRequest → agent
      • network management system ← response ← agent
  • SNMP traps

    • if something critical is needed, an agent can send information to the network management system
      • network management system ← SNMPtrap ← agent
  • should always use SNMPv3

    • earlier versions have critical security flaws

Isolating sensitive systems

Network segmentation

  • separates systems of differing security levels
  • sensitive systems may be placed in their own isolated security zones


AKA jump box, jump server, jump host

  • allow connections between differing security zones
  • must be carefully secured
    • can be used to bypass network segmentation

Deception technologies

  • it can be difficult to distinguish attacks from legitimate traffic

  • fake networks, systems, files can be used to tell if traffic is malicious

  • darknet

    • unused but monitored address space on a network
    • if being used or scanned, likely an attacker
  • honeyfile

    • a false store of sensitive-looking data
  • honeypot

    • systems designed to attract and trap attackers
    • may contain honeyfiles on them
  • honeynet

    • a network designed to attract attackers
    • may contain honeypots and honeyfiles
  • DNS sinkhole

    • altered DNS records to reroute botnet traffic
    • intentionally route traffic away from a botnet
      • usually to a webpage letting a user know that their system is compromised
    • effectively a beneficial self-inflicted DNS poisoning attack

Network support

  • use redundant power supplies
  • vendors provide crucial services
    • understand response times in support contracts
    • understand that support contracts provide access to security updates and patches
    • warranties provide repair and replacement of defective equipment

Specialized Networking

Circuit Switching and Packet Switching

  • circuit switching — plain old telephone system (POTS)

    • PSTN
    • ISDN
    • DSL
    • T-carriers
  • packet switching — IP

    • X.25
    • frame relay
    • ATM
    • VoIP
    • MPLS
  • MPLS (multiprotocol label switching)

    • used to create a cost-effective private WAN that is faster and more secure than a regular one routed through public networks (the Internet)
    • more secure because a private network can be custom built for your organization
    • because it is private, don’t have to maintain and use traditional VPN equipment
      • can reduce delay and latency caused by VPN software
    • provides QoS for VoIP and other priority traffic
    • purely layer 3 technology


converged networks now carry voice and data services

VoIP (voice-over-IP)

  • carries voice communications over data networks
  • converts analog voice to digital data
  • transmits over IP protocol

VoIP devices

  • VoIP phones
  • softphones
  • bridge devices
    • convert analog systems to VoIP

VoIP security

  • encryption

    • protects traffic
    • can degrade voice quality
  • network segmentation

    • separate data VLAN from voice VLAN
  • security issues

    • eavesdropping
    • toll fraud
    • vishing
    • SPIT

VoIP performance issues

  • latency
  • jitter

Multimedia collaboration

supports communications w/ teams, partners, clients, vendors, etc.

  • IM (instant messaging)

    • AIM, ICQ, MSN, etc.
    • was popular, but created security issues
      • outside of IT control
      • unencrypted, open to eavesdropping
      • replaced with on-prem or cloud-based solutions
        • Skype, Teams, etc.
  • XMPP (extensible messaging and presence protocol)

    • originally called Jabber
    • open-source standards-based
    • alternative to proprietary protocols
  • SMS (short message service)

    • sends messages and images over wireless carrier networks
    • convenient and popular
    • significant security flaws
      • no encryption
      • no authentication
        • SMS numbers can easily be spoofed

Storage networks

demand lots of dedicated bandwidth for moving large files

NAS (network attached storage)

  • simple
  • self-contained
  • commonly uses CIFS or NFS
  • appears as a file system on the network

SAN (storage area network)

  • complex
  • massive storage systems with dedicated networks
  • present storage to devices
  • connect to devices with dedicated networks

SAN connection types

  • Fibre Channel

    • uses a direct fiber-optic connection between SAN and devices
  • Fibre Channel over Ethernet (FCoE)

    • replaces fiber-optic cabling w/ Ethernet cables
    • a bit slower
  • iSCSI

    • runs SCSI connections over network connections

SAN security

  • SANs carry sensitive info
    • often unencrypted for speed purposes
  • storage traffic should be on a dedicated network, separate infrastructure or a VLAN
    • storage VLANs should be carefully trunked

Transport Encryption


digital certs allow for exchange of public keys over untrusted networks


  • encrypts network communications

  • depends on pairings of encryption and hashing functions known as cipher suites

    • TLS is not a cryptographic algorithm
  • steps

    1. client sends a request w/ its supported cipher suites to the server
    2. server sends back a message w/ the selected best matching cipher suite to use and the server’s digital cert
    3. client checks the server’s digital cert w/ the CA
    4. client creates a random encryption key called a session key
      • session key is also known as an ephemeral key
    5. client uses the server’s public key (from the cert) to encrypt the session key and sends it to the server
    6. server decrypts the session key w/ the server’s private key
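Steps 1 and 2 above (cipher-suite negotiation) and the reason a client should refuse SSL and early TLS, as an added example that is not part of the original notes. The two preference lists are constructed; the suite names are real IANA names, and the context uses only the standard-library ssl module.

```python
"""Cipher-suite negotiation and a hardened TLS client context."""
import ssl

# Constructed server preference list, strongest first (illustrative).
SERVER_PREFERENCE = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def negotiate_cipher_suite(client_offer, server_preference=SERVER_PREFERENCE):
    """Handshake step 2: the server takes the first suite in its own preference
    order that the client also offered. None means no common suite, which a
    real server answers with a handshake_failure alert rather than downgrading."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered:
            return suite
    return None


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv2/v3 and TLS 1.0/1.1 and verifies the
    server certificate (step 3) against the platform CA store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Only forward-secret AEAD suites for TLS 1.2; TLS 1.3 suites are managed
    # separately by OpenSSL and remain enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def weak_suites_enabled(ctx: ssl.SSLContext) -> list:
    """Enabled suite names that use RC4, NULL, MD5 or 3DES; expected to be empty."""
    bad = ("RC4", "NULL", "MD5", "3DES", "DES-CBC3")
    return [c["name"] for c in ctx.get_ciphers() if any(b in c["name"] for b in bad)]


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Plain-data view of the settings an auditor would check on a client."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "suites": [c["name"] for c in ctx.get_ciphers()],
    }


if __name__ == "__main__":
    print(negotiate_cipher_suite(["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]))
    print(negotiate_cipher_suite(["TLS_RSA_WITH_RC4_128_SHA"]))  # None: legacy-only client is refused
    info = describe_context(hardened_client_context())
    print(info["minimum_version"], info["verify_mode"], len(info["suites"]), "suites")
```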


  • insecure predecessor to TLS
  • has known security flaws
  • often incorrectly used to describe TLS


  • open source TLS project
  • Heartbleed vulnerability
    • allows attackers to retrieve info from servers using OpenSSL

SSL inspection

  • performs “friendly” man-in-the-middle attack to inspect network traffic


original implementation of TCP/IP didn’t consider security

  • secures entire packet payload

ESP and AH

  • ESP (encapsulating security payload)
    • provides confidentiality and integrity protection for packet payload
    • encrypts payload
  • AH (authentication header)
    • provides integrity for packet header and payload
    • ensures that no changes were made to the header or payload
  • ESP and AH can be used in combination

Security association (SA)

  • process that
    • identifies the cryptography algorithms a system can support
    • each system lists the cryptography and hashing functions it supports
    • they find and agree upon the strongest matching functions in common

IPSec VPN types

  • site-to-site VPN tunnel mode
    • encryption tunnel connecting two sites together
    • invisible to users
    • usually used to connect branch offices and main offices
  • end-user VPN transport mode
    • encrypted remote access for individual systems
    • once common
      • being phased out for TLS-based VPNs

Remote network access

Remote shells

provide command line access to a remote system

  • telnet
    • used by older Unix systems in the past
    • insecure
      • doesn’t provide any encryption
  • ssh
    • provides secure remote shell alternative to telnet
    • secure encrypted connection
    • authentication modes
      • password
      • certificate-based

Remote desktop

provides graphical access to a remote system

  • RDP
    • encrypted desktop access to Windows servers and machines

Securing common protocols

many common protocols don’t include built-in encryption


    • adds TLS to web browsing
  • telnet → SSH

    • same functionality of telnet, but w/ encryption
  • FTP → FTPS

    • adds TLS to FTP
  • FTP → SFTP

    • transfers files over SSH
  • FTP → SCP

    • uses SSH to securely copy files
  • TFTP trivial FTP

    • insecure
    • may be on exam in an attempt to trip you up
  • NTP → NTPSec network time protocol


    • adds digital signatures to DNS replies
  • DHCP

    • in Windows, turn off DHCP services on machines not acting as a DHCP server

  • voice and video services

    • should use TLS

      • may need to be turned on in application settings
    • RTP-based VoIP should use SRTP

  • email

    • use encrypted versions and ports
    • can encrypt emails using S/MIME protocol
    mail protocol   unencrypted port   encrypted port
    POP             110                995
    IMAP            143                993
    SMTP            25                 465

Wireless Networking

Wireless networking basics

  • wifi standards govern communication on many wireless networks

  • replaces cables w/ radio transmitters and receivers

  • WAPs connect wireless networks to wired networks and the Internet

  • subject to undetectable interception

    • needs to be secured w/ encryption

Wifi standards

Standard Year Max Speed
802.11 1997 2 Mbps
802.11b 1999 11 Mbps
802.11g 2003 22 Mbps
802.11n 2009 600 Mbps
802.11ac 2014 1 Gbps

Wireless encryption

WEP (wired equivalent privacy)

  • original wireless encryption standard
  • serious security vulnerabilities
    • shared authentication passwords
    • weak initialization vector (24 bit)
    • initialization vector transmitted in plaintext
    • uses RC4 cipher
    • easily crackable
  • only option for 802.11b
  • no longer secure
exam tip
although outdated, this is testable: it is still the default on many routers for compatibility reasons.

WPA (wi-fi protected access)

  • replaced WEP in 2003
    • backwards compatible with WEP
  • stronger initialization vector (48 bit)
  • uses TKIP (temporal key integrity protocol) to rapidly rotate encryption keys
  • contains vulnerabilities
    • still uses RC4
  • no longer secure


  • upgrade to WPA introduced in 2004
  • encrypts using AES
  • uses CCMP
    • provides additional encryption strength
  • some potential security issues
  • not backwards compatible with WEP or WPA
  • considered secure


  • implemented in 2020+
  • supports CCMP
  • uses SAE
    • SAE (simultaneous authentication of equals)
      • used for key exchange
      • similar to Diffie-Hellman

Wireless authentication

  • most wireless networks limit access to authorized users

Pre-shared keys

  • simple form of authentication

  • use a 256-bit encryption key in one of two ways

    • hexadecimal string
      • 64 hex characters that encode a 256-bit encryption key
    • password
      • 8-13 ASCII characters converted to a 256-bit encryption key using PBKDF2
  • limitations

    • changing the key is a pain in the ass
    • identifying individual users and revoking their access is impossible
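Both pre-shared key forms above, as an added example that is not part of the original notes: a 64-hex-character string is the 256-bit key itself, while a passphrase is stretched with PBKDF2-HMAC-SHA1 using the SSID as the salt (4096 iterations, 32-byte output, the parameters IEEE 802.11i specifies). The key material and SSIDs used in the demo are constructed.

```python
"""Derive the WPA/WPA2 pre-shared key from either of its two input forms."""
import hashlib
import hmac
import re

HEX_KEY = re.compile(r"^[0-9a-fA-F]{64}$")


def psk_from_hex(hex_key: str) -> bytes:
    """Hex form: 64 hex characters encode the 256-bit key directly."""
    if not HEX_KEY.match(hex_key):
        raise ValueError("hex form must be exactly 64 hex characters (256 bits)")
    return bytes.fromhex(hex_key)


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Passphrase form: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds) -> 32 bytes.
    The SSID is the salt, so the same passphrase yields a different key on a
    differently named network (and rainbow tables are per-SSID)."""
    if not passphrase.isascii() or not ssid:
        raise ValueError("passphrase must be ASCII and the SSID must be non-empty")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def derive_psk(key_material: str, ssid: str) -> bytes:
    """Accept either form; a 64-hex-character string is taken as the raw key."""
    if HEX_KEY.match(key_material):
        return psk_from_hex(key_material)
    return psk_from_passphrase(key_material, ssid)


def supplicant_matches(client_material: str, ap_material: str, ssid: str) -> bool:
    """A client can join only if it derives the same PSK as the access point.
    Every client shares this one key, which is why revoking a single user
    means changing the key for everybody (the limitation noted above)."""
    return hmac.compare_digest(derive_psk(client_material, ssid),
                               derive_psk(ap_material, ssid))


if __name__ == "__main__":
    # Constructed demo values
    print(derive_psk("correct horse battery", "OfficeNet").hex())
    print(supplicant_matches("correct horse battery", "correct horse battery", "OfficeNet"))
    print(supplicant_matches("correct horse batery", "correct horse battery", "OfficeNet"))
```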

Enterprise authentication

  • use some form of EAP

  • EAP extensible authentication protocol

    • authentication framework

      • not a specific authentication mechanism
    • many variants, some secure, some not

    • variants

      • LEAP lightweight EAP

        • relies on MS-CHAP
        • insecure
      • PEAP protected EAP

        • tunnels EAP inside a TLS session
      • EAP-TLS

        • secure
      • EAP-TTLS EAP - tunneled TLS

        • secure
      • EAP-FAST EAP - flexible authentication via secure tunneling

        • replacement for LEAP by Cisco
      • EAP-MD5

        • insecure
exam tip
know which EAP variants are secure.

Captive portals

  • redirect users to an authorization webpage

Wireless signal propagation

  • many factors affect the ability of radio waves to reach users

  • omnidirectional antennas

    • send signals in all directions
  • directional antennas

    • direct signals in a single direction
    • useful for site-to-site communication
  • beamforming

    • 802.11ac feature
    • steers signal towards clients
  • optimal AP placement depends on building characteristics

    • walls, building materials, pipes, vents, etc.
  • site survey

    • determines optimal AP placement
    • creates heatmaps to help w/ placement
  • other tips

    • avoid overlapping channels w/ neighboring networks
    • power levels can be manipulated to modify range and signal strength

Wireless networking equipment

Fat access points

  • contain all of the hardware and software needed to operate a wireless router

Thin access points

  • minimal equipment
    • just the radio and chipset
  • rely on wireless controllers for configuration and to run the network

Wireless controllers

  • run the network
  • manage configurations
    • optimize AP performance
    • reduce interference w/ other APs

Wireless analyzers

  • search for rogue networks
  • test wireless security
  • Aircrack-ng is a popular security testing tool

Mobile Device Security

Mobile connection methods


  • in urban, suburban and rural areas
  • can cover distances of 20+ miles
    • terrain dependent
  • rated according to generation of service


  • cover shorter distances w/higher bandwidth

  • point-to-multipoint

    • single basestation to many clients
  • point-to-point

    • connects two fixed basestations


  • usable almost anywhere

  • slow and expensive

  • GPS

    • provides exact location anywhere on earth

NFC (near-field communication)

  • uses electromagnetic induction for communications
  • covers distances measured in centimeters
  • used for Apple Pay, Google Pay


  • range of ~30 feet
  • used by headphones, speakers, smart watches, etc.
  • used to create a PAN (personal area network)
  • modes
    • discovery mode
    • automatic pairing mode
  • threats
    • bluejacking
      • sending spam to nearby bluetooth devices
    • bluesnarfing
      • copying information off of remote devices
    • bluebugging
      • more serious
      • allows for full use of the phone
      • allows attacker to remotely make calls
      • allows attacker to eavesdrop on calls as well

IR (infrared)

  • require a clear path between the transmitter and receiver


  • allows for a wired connection
  • may be used for tethering

Mobile device security

Passcodes, passwords, biometric authentication

  • four-digit passcodes don’t provide strong security
    • should use complex passwords
    • biometric authentication offers a convenient alternative access method
      • FaceID, TouchID

Full device encryption

  • protects sensitive info
  • enabled by default on modern iOS and Android devices

Remote wiping

  • removes data from lost/stolen devices
  • only available if the device is connected to a network to receive the remote wipe command

Other considerations

  • auto screen locking
  • push notifications for two-factor authentication
  • MicroSD HSMs
    • provide secure key management
  • SELinux on Android

Mobile device management

  • manage settings across many mobile devices
  • powerful tool
    • ensures that devices used on an org’s network have security settings that match the org’s security policy
    • prevents users from modifying security settings
    • controls data stored on devices
      • remote wiping
      • revoking access
      • disabling removable storage
    • management of apps installed on devices
      • app blacklist
      • app whitelist
    • storage segmentation
      • separated sensitive info
    • content filtering and management

Mobile device tracking

  • orgs need to track mobile devices just like they do all other org assets
  • lost devices introduce confidentiality and financial risks
    • confidentiality: devices contain sensitive org info
    • financial: devices are expensive, upwards of $1,500

Asset tracking software

  • manage device inventories
  • should manage throughout the entire lifecycle
    1. request for device
    2. ordering and receiving device
    3. initial configuration of device
    4. device assignment (and reassignment)
    5. device decommissioning


  • allows orgs to locate lost/stolen devices

  • can provide historical location details

  • geofencing

    • alerts when a device leaves a predefined area
  • GPS use limits

    • limit who has access to data
    • ability of the monitored user to disable tracking
    • consider auto-disabling after work hours
    • clear disclosure is needed

Mobile application security


  • use strong credential management
  • should rely on central authentication
  • using external authentication places a great amount of trust in external providers

Sensitive info encryption

  • encrypt info in transit
  • encrypt info at rest on the device
  • practice strong key management


  • may disclose sensitive org locations
    • ex. photos, map apps
  • should apply location settings in apps as necessary

Mobile security enforcement

  • MDM solutions allow lockdown of mobile device configurations

  • third party app stores may contain unsafe code

    • sideloading

      • installing software outside of normal app stores
    • jailbreaking

      • installs custom firmware and OS on mobile device
    • rooting

      • installs software that allows root access to mobile device
    • all three add security risks to devices

  • mobile devices must be patched w/ current patches and OS updates

    • often done through OTA (over-the-air) updates
  • device unlocking allows for portability amongst service providers

    • less common, devices are usually bought at full price in an unlocked state
  • restrictions on device feature

    • many different security policies on devices
    • feature use needs to align w/ org’s business purpose and security needs
    • examples:
      • camera use
      • messaging
      • external media use
      • microphone use
      • GPS / geotagging
      • Wi-fi usage
      • device tethering / hotspots
      • mobile payments

BYOD (bring your own device)

  • some employees want to use personal devices for business purposes
    • not this guy!
  • marks a radical shift in philosophy

BYOD policy issues

  • who, what and how?

    • who can bring and use devices?
    • what devices will they bring?
    • how will the devices be securely used?
  • ownership?

    • user owns the device
    • user owns their personal data
    • org owns their data
    • org owns their network and IT support
  • users should understand monitoring that will be used
    • will be unlikely to accept intrusive monitoring
  • orgs should consult w/ their legal team
    • review local, state, federal laws about privacy

BYOD onboarding and offboarding

  • onboarding

    • ensure that device meets security requirements
  • offboarding

    • ensure that all sensitive org data is removed from the device

Technical issues

  • consider the impact of BYOD on the org’s technical infrastructure
  • MDM use
  • patching and AV management
  • camera use
  • forensic procedures

Mobile deployment models


  • limits org control of devices

Choose your own device

  • users select their device which the org purchases
    • size preference: mini, phablet, etc.
    • OS preference: iOS, Android, etc.
  • may provide users w/ a menu of devices to choose from

Corporate-owned, personally enabled

  • allows for personal use of org-owned devices

  • MDM solutions provide policy enforcement for all of the above models


  • desktop OS is in the cloud or the org’s data center
  • employee uses their own device to access remote desktop

Host Security

Operating system security

  • admins should config endpoint OSes to meet org security requirements
    • attackers can exploit a vulnerability in one endpoint to attack the entire network
  • admins should limit admin access to systems
    • can be achieved with Group Policy management

Patch management

  • corrects security issues in applications and OSes
  • use configuration management tools to patch
  • patches should go through change management process!

System hardening

  • lockdown of configurations
  • remove unnecessary software and OS components
    • reduces attack surface
  • lock down host firewalls
  • disable default accounts and passwords
  • verify that configurations match industry best practices
    • Windows registry
    • Unix/Linux/OSX configuration files

Malware prevention

malicious software


  • viruses

    • spread by human actions
  • worms

    • spread by themselves
  • trojan horses

    • disguise themselves in other software
  • spyware

    • gathers info
    • uses many techniques to spread

Antimalware software

  • protects against many threats

  • types

    • signature detection
    • behavior detection

Endpoint detection and response (EDR)

  • advanced real-time protection

  • uses sandboxing

  • sandboxing

    • isolates malicious content


  • spam filtering

    • blocks unwanted email
  • malware logs on endpoints should be sent to a centralized system (SIEM) for storage and analysis

Application management

Application control

  • restricts software that can run on a system

  • Applocker: example of Windows application control technology

  • application control logs should be sent to SIEM or central log storage repo

  • whitelisting

    • admins create a list of all applications that may run on a system
  • blacklisting

    • admins create a list of applications that are prohibited from running on a system

Host software baselining

  • baseline identifies expected system software
  • reports deviations from baseline

Host-based network security controls

Host firewalls

  • software component of an OS that limits connections to the system
  • restricts network traffic
  • uses default deny rule
  • granting network access requires configuring the host firewall and network firewall


  • IDS (intrusion detection system)

    • alerts administrators to suspicious network activity
  • IPS (intrusion prevention system)

    • takes actions to block suspicious network activity
  • are also found in third party security solutions

  • usually are not part of an OS

  • logs should be sent to SIEM or central logs repo

File integrity monitoring

  • watches for unexpected file modifications
  • uses hashing functions
  • periodically verifies hash values of critical files
  • tuning is crucial
    • need to adjust FIM system to meet org needs
  • often a compliance requirement
  • Tripwire: example of Unix-based FIM software
  • analyzing output of FIM is testable on the exam

Data loss prevention (DLP)

Data loss prevention software

  • tech solutions that search systems and networks for sensitive info

  • have the ability to remove, block or encrypt the found sensitive info

  • these controls ensure that certain data (SSNs, account numbers, birthdays, etc.) is controlled and doesn’t leave the organization

  • two types:

    • host-based DLP

      • software agent on a single system
      • looks for sensitive info on the system
      • can also look for use of external media (USB thumbdrives, hard drives, CD-/DVD-Rs) that could be used to remove sensitive data
    • network-based DLP

      • scan network transmissions for sensitive info
      • may block traffic when sensitive info is found
      • may also automatically encrypt traffic that is found
        • common in email systems
  • scanning methods:

    • pattern matching

      • recognizes known patterns of sensitive info
        • ex. 123-45-6789 is a SSN, 1-234-567-8910 is a phone number
    • watermarking

      • sensitive info is identified by electronic tags attached to files
  • cloud-based DLP systems are available that operate as an MSSP


  • provide isolation and separation

  • create zones based on trust

  • hardware vs. software

  • use rule based access control (RBAC)

  • enforce network policy

  • usually on the perimeter of a network

Layer 3 (Network) Firewalls

  • fast, cheap, first line of defense
  • packet filtering
  • screening router — act as first level of screening network traffic
  • inspect layer 3 and 4 headers
    • source and destination IPs
    • source and destination ports
    • protocols (TCP or UDP)

Layer 4 (Session) Firewalls

  • stateful filtering
    • is aware of initiation of sessions and their states
    • can block unsolicited replies
    • can understand the syntax of lower layer protocols and block “misbehaving” traffic

Layer 7 (Application) Firewalls

  • slower and more expensive
  • aka application proxies or application firewalls
  • deep packet inspection
  • forward proxy inspects traffic from inside the network going out
  • reverse proxy inspects traffic from outside the network coming in
  • can inspect content, time, application-awareness, certificates, etc.
  • specific to the application layer

Packet Filters

  • use access control lists (ACLs)
    • rules applied to each packet the firewall receives
  • not stateful, can only look at the network and transport layer packets (IP address, port, “flags”)
    • can’t look at application layer, look for viruses, etc.
    • usually aren’t advanced or customizable

Proxy Firewalls

  • two types
    • circuit level
    • application
  • both types hide internal hosts/addressing from the outside world

Application Proxies

  • advantages
    • understand the protocol and can add extra security based on that understanding
    • can have advanced logging/auditing
    • can have advanced access control
      • ex:
        • restricting website access
        • inspecting data for protocol violations
        • inspecting data for malware, viruses, etc.
  • disadvantages
    • slower; extra CPU power needed for extra processing and inspection of data
    • proxies only understand the protocol that they were written for
      • usually need a separate proxy for each protocol that you want to proxy
      • Jim says: BlueCoat only handles HTTP


  • LAN: local area network
    • high speed
    • small physical area
  • WAN: wide area network
    • used to connect LANs
    • usually slow, using serial links
  • MAN: metropolitan area network
    • connect sites together in a smaller geographic region (like a city… hence the metropolitan)