CompTIA Net+ Refresher From Linkdin
Net + Refresher
OSI Layers [1]
1. Physical
• Physical connections, electrical/optical signals and bits (1s and 0s); cable troubleshooting and cable connections
2. Data Link
• MAC addressing / host identification by MAC address; frame headers and trailers; switches, and switch and NIC troubleshooting. The frame header carries the destination and source MAC addresses
3. Network
• IP addressing / host identification by IP; IP headers; routers and router troubleshooting; routing protocols; anything to do with moving packets between networks. The IP header carries the destination and source IP addresses
4. Transport
• TCP and UDP headers: destination and source port numbers, so data is delivered to the correct service; TCP sequence numbers so the receiver can put the data back together in the right order (UDP has no sequencing)
5. Session
• Starting, maintaining, restarting and stopping an individual session between two applications, so that each conversation is kept separate from the others
6. Presentation
• Data formatting, character encoding, compression and encryption, presenting data in a form the application layer understands. In practice these jobs are mostly done inside the application itself, so this layer rarely maps to a separate component anymore
7. Application
• The protocols the user's software actually speaks, the closest layer to what we see: HTTP, FTP, SSH, NFS
[1] OSI Model and TCP/IP Model
Frames -
- An Ethernet frame must be at least 64 bytes long; if a frame would be shorter, padding is added to the data field to bring it up to 64 bytes
- FCS - Frame Check Sequence - a CRC-32 computed over the frame by the sender and placed in the trailer. The receiver recomputes it and compares; if the values differ the frame is corrupt and is silently discarded. Ethernet itself does not retransmit; recovery (if any) is left to higher layers such as TCP
- Devices on a network send and receive data in discrete chunks called frames (at layer 3 the chunks are called packets)
- Frames are created and destroyed inside the network interface card (NIC)
MAC Addresses -
- Ex. 4E:3F:0A:EF:14:FA (48 bits, written as six hex bytes)
- First 3 bytes are the OUI (Organizationally Unique Identifier), assigned to the manufacturer of the NIC
- Last 3 bytes are the device identifier assigned by that manufacturer; together with the OUI the address should be unique to the device
- Works on Layer 2 - Data Link - "Links the Data Using MAC Address"
- The Data Link Layer wraps the packet in a frame header (and an FCS trailer)
- Unicast is data sent from one single host to one single host (a one-to-one address). Unicast is a property of the addressing, not of the transport protocol: both TCP and UDP traffic is normally unicast
- Broadcast is data sent to every device on the local network (the broadcast domain). The broadcast MAC address is FF:FF:FF:FF:FF:FF
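The layer-2 points above (the 64-byte minimum with padding, an FCS check that drops rather than retransmits, and the OUI/device split and broadcast address of a MAC), as an added Python example that is not code from the original notes. The MAC addresses are the notes' own sample plus constructed values, and `zlib.crc32` is used because the Ethernet FCS is the same CRC-32 polynomial.

```python
import struct
import zlib

# Added example. Sample addresses are constructed (the first is the notes' own).
BROADCAST = "ff:ff:ff:ff:ff:ff"
MIN_FRAME = 64          # minimum Ethernet frame size, including the 4-byte FCS
FCS_LEN = 4

def mac_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (also accepts '-' separators) into 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return bytes(int(p, 16) for p in parts)

def classify_mac(mac: str) -> dict:
    """Split into OUI / device id and decode the two flag bits of the first byte."""
    raw = mac_bytes(mac)
    return {
        "oui": raw[:3].hex(":"),
        "device_id": raw[3:].hex(":"),
        "broadcast": raw == b"\xff" * 6,
        # bit 0 of the first byte (I/G bit): 1 = group address (multicast or broadcast)
        "multicast": bool(raw[0] & 0x01),
        # bit 1 of the first byte (U/L bit): 1 = locally administered, not a real OUI
        "locally_administered": bool(raw[0] & 0x02),
    }

def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """dst MAC + src MAC + EtherType + payload, padded to 60 bytes, then the CRC-32 FCS."""
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    if len(body) < MIN_FRAME - FCS_LEN:
        body += b"\x00" * (MIN_FRAME - FCS_LEN - len(body))   # the pad
    # Ethernet uses the same CRC-32 as zlib; the FCS goes on the wire little-endian.
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs

def check_frame(frame: bytes) -> bool:
    """Receiver side: recompute the CRC over everything but the last 4 bytes."""
    if len(frame) < MIN_FRAME:
        return False
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs

def corrupt(frame: bytes, offset: int) -> bytes:
    """Flip one bit to simulate line noise; the receiver must now drop the frame."""
    b = bytearray(frame)
    b[offset] ^= 0x01
    return bytes(b)

if __name__ == "__main__":
    f = build_frame("4e:3f:0a:ef:14:fa", "00:1b:21:3c:4d:5e", 0x0800, b"hello")
    print(len(f), check_frame(f), check_frame(corrupt(f, 20)))   # 64 True False
    print(classify_mac("4e:3f:0a:ef:14:fa"))
    print(classify_mac(BROADCAST)["broadcast"])
```

A 19-byte header plus payload comes out as a 64-byte frame on the wire; flipping a single bit anywhere, even in the pad, fails the check and the frame is dropped with no retransmission at this layer. Note that the notes' sample address 4E:3F:0A:EF:14:FA has the U/L bit set, so it would be reported as locally administered rather than a vendor-assigned OUI.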
IP Addressing -
- IP addressing comes into play when you're trying to communicate with a host on another network
- For example, in a network with a central switch connected to 5 computers, if one computer wants to communicate with another computer on the same network, we can send the packet in a frame whose header carries the source and destination MAC addresses and it will be delivered with no problem
- If a computer on network 1 wants to talk to a computer on network 2, it addresses the packet by IP address and hands the frame to a router, which forwards the packet on to the other network
- Port numbers direct traffic to the right application on the source and destination hosts
- TCP segments carry sequence numbers so the receiving host can reassemble the data (e.g. a file) in the correct order
- The Transport layer supplies the TCP or UDP header, which contains the destination port and the source port, so that the data is delivered to the service it is meant for
Area Networks
● Local area network (LAN)
is a group of devices connected in one location, such as a home, office, or building
● Virtual local area network (VLAN)
is a logical network configured on switches: ports are grouped into their own broadcast domain regardless of which physical switch they sit on, so one physical LAN can be split into several separate networks, or devices spread across several switches can be placed in one
● Personal area network (PAN)
is a computer network that connects electronic devices within a person's workspace. PANs are typically within a range of 10 meters (33 feet).
● Wireless local area network (WLAN)
is a wireless computer network that connects two or more devices within a limited area. WLANs are often used as extensions of wired LANs to improve user mobility.
● Campus area network (CAN)
is a computer network that connects multiple local area networks (LANs) within a specific geographic area, such as a university or corporate campus. CANs are larger than LANs but smaller than metropolitan area networks (MANs) or wide area networks (WANs)
● Metropolitan area network (MAN)
is a computer network that connects computers within a metropolitan area. A metropolitan area can be a single city, multiple cities, or any large area with multiple buildings.
● Wide area network (WAN)
is a large computer network that connects computers over long distances. WANs are often used by large businesses to connect their office networks.
● Storage area network (SAN)
is a high-speed network that provides access to block-level storage devices. SANs are made up of storage devices that can be accessed by multiple computers or servers.
● Passive optical local area network (POLAN)
is a low-cost network that connects multiple locations to a central network. POLANs use a point-to-multipoint architecture with unpowered fiber optic splitters to allow a single optical fiber to serve multiple endpoints.
● Enterprise private network (EPN)
is a computer network that connects multiple locations of an organization. EPNs are used to share computer resources and keep company data and communication confidential.
● System-area network (also abbreviated SAN; not the same thing as a storage area network)
is a high-performance network that connects clusters of computers. It can provide high bandwidth (1 Gbps or more) with low latency, typically through switches that support eight or more nodes.
● Software-defined wide area network (SD-WAN)
uses software and cloud-based technologies to simplify the delivery of WAN services to branch offices.
Network Topologies [2]
- Physical topologies describe how devices are cabled together; logical topologies describe how the data actually flows from host to host
- A client-server architecture is a network architecture in which many clients (remote processors) request and receive services from a centralized server (host computer) [3]
- In a peer-to-peer network there is no central server; every host can act as both client and server [4]
[2] Network Topology
[3] Client-server architecture | Definition, Characteristics, & Advantages | Britannica
[4] Peer-To-Peer Networks: Features, Pros, and Cons - Spiceworks
Cables [5]
Coaxial Cabling -
- Coaxial cable has two conductors: a center conductor and a tubular outer conductor (the shield) around it, separated by insulation
- The RG (Radio Guide) number specifies the thickness of the conductors, insulation, and shielding
- RG-59 [6] is a type of coaxial cable often used for low-power video and RF signal connections. It has an impedance of 75 Ω, which roughly matches a dipole antenna in free space.
- RG-6 [7] is also rated at 75 Ω [8], is commonly used for cable networking (cable TV and cable modems), is suitable for longer cable runs than RG-59, and uses a threaded F-type connector.
Connector types: F-type connector (threaded, used on RG-6) and BNC connector (bayonet twist-lock)
[5] Coax, Twinax and Triax Cables
[6] What is the difference between RG59 and RG6? - Readytogocables
[7] Amazon.com: BlueRigger RG6 Coaxial Cable (20FT, Male F Type Connector Pin, Gold Plated, Triple Shielded) – Digital Audio Video Coax Cable Cord for HDTV, CATV, Cable Modem, Satellite Receivers
[8] Ohm - Wikipedia
- Twinaxial cabling (twinax) [9] is similar to coaxial cable but has two inner conductors in a twisted pair instead of one. In modern networking it is used for short direct-attach copper (DAC) links, typically a few meters between switches and servers.
- UTP Category (Cat) ratings define the maximum frequency/data rate and the maximum run length a cable is rated for [10] [11]
[9] Difference Between Fiber Optic Cable, Twisted Pair Cable and Coaxial Cable | FS Community
[10] It can even have 25 pairs!
[11] What is UTP (Unshielded Twisted Pair Cable) - LEARNABHI.COM
UTP Categories
- TIA/EIA 568A and 568B are the two wiring (pinout) standards for terminating the eight wires on an RJ-45 connector [12]
[12] See pg 12 for diagram
- Multimode cables:
● Carry light from LEDs (or low-cost VCSEL lasers)
● Almost always orange (there are exceptions)
● Almost always run as a pair of fibers (duplex), one per direction
- Single-mode cables:
● Carry laser signals
● Almost always yellow
● Designed to go really long distances
- For the test, be able to recognize the different types of fiber connectors
4. LC connector
5. MT-RJ connector
There are many more connectors, but these are the most common ones.
Fiber optic polishing [13] is the process of polishing the end faces of fiber optic connectors (flat, PC/UPC or APC polish) to control reflection and loss before they are mated.
Fire Ratings -
- Plenum-rated cable has a fire-retardant, low-smoke jacket and is required in plenum spaces (ducts and drop ceilings used for air handling); non-plenum (PVC) cable is not allowed there [14]
[13] Understand different polish types in fiber optic connectors
[14] Plenum vs. Non-Plenum Cable: Which Should You Use?
Ethernet
What is Ethernet? - [15]
- An Ethernet frame consists of a preamble, destination MAC, source MAC, type (the EtherType, identifying the layer-3 protocol in the payload), data, pad if the data is short [16], and FCS [17]
- A jumbo frame can carry up to about 9000 bytes of payload (versus the standard 1500)
- FCS is used for error detection only; a frame that fails the check is dropped
- Pay attention when crimping to follow the TIA 568A or 568B standards [18]
[15] The Evolution of Ethernet Nomenclature
[16] See pg 2
[17] See pg 3
[18] See pg 7
Hubs and Switches -
Common Factors:
● Both distribute network traffic.
● Both are used in local area networks (LANs).
- Hub = multiport repeater: every frame received on one port is repeated out all the other ports, so every host sees every frame
- Hosts on a hub share one collision domain, so their NICs use CSMA/CD (Carrier-sense multiple access with collision detection) to detect and recover from collisions; the hub itself does nothing to prevent them
- A switch is a multiport bridge: it forwards each frame only to the port where the destination MAC address was learned (unknown destinations and broadcasts are flooded out all ports)
- Switches build a MAC address table that maps each port to the MAC addresses seen on it
- Switches provide a direct connection with each host connected to them, so each host (port) is its own collision domain [19]
[19] Each port on a router is a collision domain, each port on a switch is a collision domain, and all of the ports on a hub make up a single collision domain.
- CSMA/CD: a NIC listens to the medium, transmits when it is idle, and if it detects a collision while sending, stops, waits a random back-off time and retries
- Full-duplex is a communication mode where two devices can send to each other at the same time (there are no collisions, so CSMA/CD is not needed)
Connecting Switches -
- Auto-sensing (auto-MDI-X) ports, built into modern switches, detect which pairs the far end transmits on, so a straight-through cable can be used between switches
- A switching loop occurs when switches are connected in a circuit so that there is more than one path between them
- Crossover cables have 568A on one end and 568B on the other.
Ethernet Standards [20]
Megabit Ethernet
Nodes: 1,024 per hub | 1,024 per hub | 1,024 per hub
UTP pairs used: 1st pair for transmission, 2nd for reception | all 4 pairs | 2 pairs | N/A | N/A
1000Base types
Type        Max segment (hub to node)                              Medium
1000BaseCX  25 meters                                              shielded copper (twinax)
1000BaseSX  220-550 meters                                         multimode fiber
1000BaseLX  5 kilometers on single-mode; 550 meters over multimode  fiber
1000BaseT   100 meters (uses all four pairs of wires for data)     UTP, Cat 5 or better [27]
[20] Fast Ethernet - Wikipedia
[21] A more cost-effective version of 100Base-FX
[22] See pg 10
[23] See pg 11-12
[24] See pg 8
[25] See pg 11
[26] See pg 11
[27] Originally made to work with CAT5
10GBase types [28]:
- The W versions (10GBase-SW/LW/EW) use the same optics and distances as the corresponding R versions, but frame the data for old-school SONET/SDH networks
- W = SONET (WAN PHY)
40GBase
Speed: 40 Gbps
Cables: UTP/STP (40GBase-T, Cat 8) or fiber
Memory aid: "S is not single", meaning that if the name contains Base-S it uses multimode fiber (S = short wavelength, 850 nm). L = long wavelength (1310 nm [29]), used with single-mode fiber.
THIS ENTIRE SECTION IS VERY IMPORTANT. MAKE SURE YOU KNOW IT PROPERLY.
[28] See pg 13
[29] 1310 nanometer single-mode fiber
Transceivers - [30]
- Fiber-optic equipment supports multiple pluggable transceiver types defined by vendor MSAs (Multi-Source Agreements)
- SFP and SFP+ [31] are small form-factor pluggable transceivers; they fit any switch that has the matching SFP/SFP+ slot (some vendors only accept their own branded modules)
- SFP modules are interchangeable, so the optic can be chosen to suit the fiber installation (multimode or single-mode, short or long reach)
- SFPs use SFF (small form factor) connectors such as LC and MT-RJ [32]
- SFPs are hot-swappable and can be replaced, upgraded or repurposed within a network [33]
- SFP supports data rates up to about 4.25 Gbps (1 Gbps Ethernet), while SFP+ supports 10 Gbps Ethernet (and up to 16 Gbps Fibre Channel)
[30] What is an optical transceiver?
[31] What Is The Difference: SFP vs SFP+
[32] See pg 12
[33] Everything you Need to Know About SFPs - Blog
- QSFP [34] (quad small form-factor pluggable) carries four lanes: the original QSFP was designed for 4 x 1 Gbps, while QSFP+ is designed for 40 Gbps (4 x 10 Gbps).
- GBIC (Gigabit Interface Converter) was an older modular (hot-swappable) transceiver that converted serial electrical signals to optical ones.
- BiDi SFP (bidirectional transceivers) are SFP transceivers that send and receive on the same single fiber by using a different wavelength (laser color) in each direction.
- They are commonly used with single-mode fiber and halve the number of fibers a link needs [35]
- Without BiDi, a standard transceiver sends on one fiber and receives on another, so data travels in only one direction on each fiber and a link needs a fiber pair
[34] Quickview about SFP, SFP+, SFP28, QSFP+, QSFP28, QSFP-DD and OSFP; How Much Do You Know About QSFP56? | FS Community
[35] See pg 11
A media converter [36] is an intermediary networking device that converts a link from one cable type to another (typically copper Ethernet to fiber).
- They can connect devices that are beyond 100 meters from the nearest available switch by carrying the link over fiber.
- They allow a link to run at higher speeds and over longer distances than the original medium supports.
- They are required wherever a single network link consists of two dissimilar transmission media.
[36] Introduction of Media Converter - Fiber Optic Solutions
A bridging loop, also known as a network loop or switching loop, occurs when there are multiple active paths between network switches or bridges. Because Ethernet frames have no time-to-live, broadcasts circulate endlessly (a broadcast storm), consuming bandwidth and leading to congestion or a complete network outage.
Spanning Tree Protocol (STP) is commonly used to prevent and manage bridging loops in Ethernet networks.
STP [37] (Spanning Tree Protocol) is a network protocol used to prevent loops in Ethernet networks. When multiple paths exist between switches or bridges, STP elects a root bridge, determines the lowest-cost path from every switch to it, and puts the redundant ports into a blocking state so that no loop can form (a blocked port is brought back into service automatically if an active link fails).
[37] Spanning Tree Protocol (STP) in Local Area Networks (LANs) – Simulation Exams Blog
A root switch, also known as the root bridge, is the switch elected as the reference point for all other switches in a spanning-tree topology: the one with the lowest bridge ID (priority first, then MAC address). Every other switch computes its shortest (lowest-cost) path to the root, and the ports on that path are the ones left forwarding.
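The root election and path selection just described, as an added Python example (not code from the original notes and not a real STP implementation: it does not exchange BPDUs or handle topology changes). The bridge IDs, link costs and switch names are constructed; the costs are the IEEE values for 1 Gbps links.

```python
import heapq

# Added example: bridge IDs (priority, MAC) and link costs are constructed.
# Lowest bridge ID wins the root election; cost 4 = 1 Gbps link.
BRIDGES = {
    "SW1": (32768, "00:00:00:00:00:10"),
    "SW2": (32768, "00:00:00:00:00:20"),
    "SW3": (32768, "00:00:00:00:00:30"),
}
LINKS = [("SW1", "SW2", 4), ("SW1", "SW3", 4), ("SW2", "SW3", 4)]   # a triangle: one loop

def elect_root(bridges):
    """The bridge with the lowest (priority, MAC) tuple becomes the root."""
    return min(bridges, key=lambda b: bridges[b])

def root_path_costs(root, links):
    """Dijkstra from the root: cost to the root and next hop toward it for every bridge."""
    adj = {}
    for a, b, c in links:
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    cost, next_hop, pq = {root: 0}, {}, [(0, root)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > cost.get(u, float("inf")):
            continue                                  # stale queue entry
        for v, c in adj.get(u, []):
            if d + c < cost.get(v, float("inf")):
                cost[v] = d + c
                next_hop[v] = u                       # u is v's root port neighbour
                heapq.heappush(pq, (d + c, v))
    return cost, next_hop

def spanning_tree(bridges, links):
    """Return (root, {link: state}); state is 'forwarding' or 'blocked on <bridge>'."""
    root = elect_root(bridges)
    cost, next_hop = root_path_costs(root, links)
    states = {}
    for a, b, _ in links:
        if next_hop.get(a) == b or next_hop.get(b) == a:
            states[(a, b)] = "forwarding"             # one end is a root port
            continue
        # Redundant link: the end with the lower root-path cost (tie: lower bridge ID)
        # becomes the designated port; the other end goes into the blocking state.
        designated = min((a, b), key=lambda x: (cost[x], bridges[x]))
        blocked = b if designated == a else a
        states[(a, b)] = f"blocked on {blocked}"
    return root, states

if __name__ == "__main__":
    root, states = spanning_tree(BRIDGES, LINKS)
    print("root bridge:", root)
    for link, state in states.items():
        print(link, state)
```

With three equal-priority switches the lowest MAC (SW1) becomes root, both of its links forward, and the SW2-SW3 link is blocked on SW3's side because SW2 has the lower bridge ID, which is exactly why an attacker who can inject a lower-priority BPDU can take over the root role.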
- Match switch speeds to network speeds to avoid a slowdown due to speed mismatch
- Most current switches autodetect (auto-MDI-X), eliminating crossover and uplink cable requirements
A flood guard is a security feature built into managed switches that protects against flooding attacks such as MAC address flooding, where an attacker sends frames from thousands of fake source MAC addresses to fill the switch's MAC address table; once the table is full the switch falls back to flooding unicast frames out every port and the attacker can capture other hosts' traffic. When the switch detects such a flood on a port it blocks (error-disables) that port. Port security, which caps the number of MAC addresses a port may learn, is the usual way this is configured.
A speed mismatch occurs when the data transfer rates of interconnected network devices are not compatible. For example, if one switch can transmit faster than the device it is connected to, the faster device experiences congestion or has to wait for the slower device to catch up, leading to inefficient data transmission.
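The MAC-flooding failure mode and the flood guard response above, as an added Python simulation (not code from the original notes). The table size, per-port limit and every MAC address are constructed so that the flood is easy to see; a real switch has a table of thousands of entries but fails in the same way.

```python
from collections import OrderedDict

# Added example. Table size and per-port limit are illustrative assumptions.
CAM_CAPACITY = 8          # tiny MAC address table so a flood is quick to demonstrate
MAX_MACS_PER_PORT = 3     # port-security style limit enforced by the flood guard
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    def __init__(self, ports, flood_guard=True):
        self.ports = list(ports)
        self.cam = OrderedDict()          # mac -> port, oldest entry first
        self.flood_guard = flood_guard
        self.err_disabled = set()         # ports the flood guard has shut down

    def _learn(self, src, in_port):
        if src in self.cam:               # refresh an existing entry
            self.cam.move_to_end(src)
            self.cam[src] = in_port
            return
        if self.flood_guard:
            learned_here = sum(1 for p in self.cam.values() if p == in_port)
            if learned_here >= MAX_MACS_PER_PORT:
                self.err_disabled.add(in_port)   # too many source MACs on one port: flood
                return
        if len(self.cam) >= CAM_CAPACITY:
            self.cam.popitem(last=False)  # table full: evict the oldest entry
        self.cam[src] = in_port

    def forward(self, in_port, src, dst):
        """Return the list of ports the frame goes out of (empty = dropped)."""
        if in_port in self.err_disabled:
            return []
        self._learn(src, in_port)
        if in_port in self.err_disabled:  # this frame tripped the guard
            return []
        out = self.cam.get(dst)
        if out is None or dst == BROADCAST:
            # Unknown destination (or broadcast): flood out every other port.
            return [p for p in self.ports if p != in_port]
        return [out] if out != in_port else []

def mac_flood_attack(switch, attacker_port, count):
    """Attacker sends frames from many bogus (constructed) source MACs."""
    for i in range(count):
        bogus = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xff)
        switch.forward(attacker_port, bogus, "02:ff:ff:ff:ff:ff")

def demo(flood_guard):
    """Two hosts talk, port 3 floods, then host A sends B a unicast frame."""
    sw = Switch(ports=[1, 2, 3], flood_guard=flood_guard)
    sw.forward(1, "aa:aa:aa:00:00:01", BROADCAST)                 # host A on port 1
    sw.forward(2, "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:01")       # host B on port 2
    mac_flood_attack(sw, attacker_port=3, count=20)
    # Without a guard the flood evicted B's entry, so A's unicast to B is flooded
    # out port 3 as well and the attacker reads it.
    return sw.forward(1, "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"), sorted(sw.err_disabled)

if __name__ == "__main__":
    print("no guard  :", demo(False))   # ([2, 3], [])  attacker on port 3 sees the frame
    print("with guard:", demo(True))    # ([2], [3])    port 3 error-disabled
```

The interesting part is `demo(False)`: the switch never "breaks", it simply degrades to hub behaviour once the table is full, which is the whole point of the attack. The guard version error-disables port 3 on the fourth bogus source address and the unicast between ports 1 and 2 stays private.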
Structured Cabling - [39]
There are three areas in a structured cabling system: the telecommunications (equipment) room, the horizontal cabling, and the work area
- Patch panels [38] are simple devices consisting of multiple punch-down connector blocks on the back and ports on the front, used for cable management
- Patch cables connect switches to patch panels, and computers to wall outlets
[38] Punch-down block - Wikipedia
[39] Horizontal and Backbone Cabling Explained
Equipment Rooms -
- The primary equipment room is called the main distribution frame (MDF)
- Any other room that also has equipment is called an intermediate distribution frame (IDF)
- Rack-mounted equipment is standardized at 19" wide and a multiple of 1 3/4" (1.75 inches) tall (called a U or unit)
- The demarc separates the telecom company's property from your responsibility
- The demarc marks the boundary between the service provider's network and the customer's network.
- A demarc extension moves this boundary beyond its original location within the customer's premises to suit the customer's networking requirements.
- Demarc extensions are common in larger buildings or complexes, where the demarcation point provided by the service provider may not be conveniently located for the customer's networking needs.
- A 66-punchdown block is a very old patch panel, typically used in non-VoIP telephone systems
- A 110-punchdown block patch panel is the way to distribute copper-wired networks [40]
Testing Cable -
- Wire-map - making sure the wires are terminated to the right pins on the RJ-45
- Continuity - making sure the cables are actually punched down and conducting end to end
- Understand how to read and interpret the wire-map feature of a cable tester
- A time domain reflectometer (TDR) shows the length of the cable and helps pinpoint mid-cable breaks
[40] Krone LSA-PLUS - Wikipedia
- Patch cables and wall outlets are the most common parts of structured cabling to fail
- Loopback adapters test the network card's ability to send and receive
- First check the physical cable, then check the network adapter in Device Manager, and then ping the loopback address with a loopback adapter connected
- Remember on the exam to read the question carefully: if all users go down it is a different problem than if a single user goes down
- Keep an eye out for questions that mention a particular time of day; the answer might be interference
- Multimeters test a variety of metrics such as voltage, current, resistance, and frequency
- Voltage monitors track and record drops in voltage, which can show problems with power
- Time domain reflectometers (TDRs) are great tools to check for breaks in horizontal runs
- Tone generators and tone probes are used to locate cables and connections [41]
- To avoid attenuation, adhere to the strict limits on how long a cable run can be from the switch to the individual nodes.
[41] Monoprice - 115961 Tone Generator with Probe Kit, Red: Amazon.com
- Jitter is the variation in the time it takes packets to reach their destination, caused by factors such as network congestion, routing changes, or packets taking different paths.
- Jitter matters most in real-time applications such as VoIP (Voice over Internet Protocol) calls and video conferencing, where consistent, predictable latency is needed for a smooth, uninterrupted user experience.
- For jitter in VoIP and video streaming, consider buffering (a jitter buffer) or increasing the available bandwidth
3. Incorrect cable type: e.g. using a Cat 5e patch cable on a network pulled with Cat 6a.
- Make sure the patch cable specification matches the network speed.
No-connection issues [42]:
1. Bad ports
- If you have a bad port on a switch, it's a sign that the switch may be about to die
- If the switch's link lights are not blinking, try different ports or check whether it's an uplink port
3. Bent pins
4. Open or short
In cabling, "open" and "short" describe the state of a circuit:
Open: an incomplete or broken circuit, i.e. a gap in the path the signal travels along. This typically happens when a wire is physically broken or not punched down.
Short: an unintended connection between two conductors, creating a low-resistance path for current (e.g. two wires touching).
[42] The first thing to check when you cannot access anything at all is the link light. This light verifies that you have a physical connection. The horizontal runs are one of the later things to check, because most problems occur in the work area. Checking the router is premature when the question mentions unsuccessful pings to hosts on the same subnet. While checking for an IP address is an earlier step, it isn't the MOST logical one based on the problem.
- By breaking a 32-bit address into groups of eight bits (octets), each octet can hold any combination from all zeros to all ones (0 to 255)
To convert binary into decimal, start at 128 and halve repeatedly until you reach 1; this gives the place value of each bit in an octet. Then add the place values where there is a 1 and skip those where there is a 0.
To make it easier, write out 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 and write the binary underneath each value: 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0
Now simply add 128 + 64 and you get 192.
128 64 32 16 8 4 2 1
 1  1  0  0 0 0 0 0
Following this method, the decimal equivalent of the binary IP address 11000000.10101000.00000001.00000010 is 192.168.1.2.
To convert decimal into binary we use the same place values (128 64 32 16 8 4 2 1, the powers of 2) and subtraction: find the largest place value that fits into the decimal value, subtract it, and repeat with the remainder, working down to 1.
For example, 174 in binary looks like this:
128 64 32 16 8 4 2 1
 1  0  1  0 1 1 1 0
(174 - 128 = 46; 46 - 32 = 14; 14 - 8 = 6; 6 - 4 = 2; 2 - 2 = 0)
If a place value is bigger than the remaining decimal value, that bit is assigned a 0.
Take 50 for example: 128 is larger than 50, so "it can't fit" and is assigned a 0; the same for 64; but 32 is smaller and fits into 50 once, so its bit is 1 with a remainder of 18. Continuing (18 - 16 = 2; 2 - 2 = 0), 50 in binary is:
128 64 32 16 8 4 2 1
 0  0  1  1 0 0 1 0
Using this method, the binary value of the IP address 174.50.2.0 is 10101110.00110010.00000010.00000000.
- ARPing involves broadcasting a message onto the local network asking, "Who has this IP address? If it's you, please reply with your MAC address."
- An ARP cache is a table maintained by the operating system that stores recently learned mappings between IP addresses and MAC (Media Access Control) addresses on the local network.
- ARP is what a computer uses when it knows the IP address but needs the MAC address
Subnetting [43]
Subnet mask -
- Each host needs a subnet mask
- A subnet mask tells us how large our network is and how many addresses it has
- The host uses the subnet mask to decide whether a destination is on the local network or a remote network
- Each host knows the default gateway so that it can forward traffic destined for remote networks
- No host can have all zeros in the host portion of its address, because that address is reserved for the network ID: ✅ 232.25.208.14 ❌ 232.25.208.0
A subnet mask is a contiguous [44] pattern of ones followed by zeros. Wherever there's a one, the corresponding bits of the IP address identify the network and must stay the same for every host on it. Wherever there's a zero, the bits can vary to identify different devices/hosts within that network.
[43] I highly recommend watching the subnetting series by Network Chuck on this topic. Link to playlist:
https://youtube.com/playlist?list=PLIhvC56v63IKrRHh3gvZZBAGvsvOhwrRF&si=4KYU4hc1cdl0C3z-
[44] Meaning that all the ones come first and then the zeros, so it will always look like 11111111.11111111.11111111.00000000 and NEVER like 1010110... etc.
Think of a subnet mask like a fence that separates your backyard from your neighbor's. It tells your computer which part of an IP address identifies your local network and which part identifies a specific device within that network.
Imagine you have the IP address 192.168.1.100 and a subnet mask of 255.255.255.0. The mask is a guide that says, "The first three numbers (192.168.1) are the neighborhood, and the last number (100) is the house within that neighborhood."
So if another device has the IP address 192.168.1.50, your computer knows it's in the same neighborhood because the first three numbers match, and it can talk to it directly (after ARPing for its MAC address) without any routing.
But if the destination starts 192.89.4, your computer immediately knows this is a "long-distance call" and sends the packet to its default gateway/router.
In simpler terms, a subnet mask helps computers figure out which devices are on the local network and which ones have to be reached through a router.
Common subnet details to know
Prefix  Addresses  Usable hosts  Netmask
/26     64         62            255.255.255.192
/27     32         30            255.255.255.224
/28     16         14            255.255.255.240
/29     8          6             255.255.255.248
/30     4          2             255.255.255.252
- Remember the ones mark the network portion and the zeros the host portion
To calculate the number of hosts on a network with a subnet mask of /24, for example, use the formula: Number of hosts = 2^(number of host bits) - 2
But first we need to find the number of host bits. There are two ways to do that.
An IPv4 address has 32 bits in total: 4 octets of 8 bits each, 4 x 8 = 32. In a /24 the mask reserves the first 24 bits (the ones) for the network portion, so the remaining 32 - 24 = 8 bits are available for addressing hosts within the network. [47]
OR
We can get the same result by counting the zeros in the binary form of 255.255.255.0:
11111111.11111111.11111111.00000000
So there are 2^8 - 2 = 254 usable hosts on a /24 subnet. We subtract 2 because the first and last addresses in the subnet are reserved for the network address and the broadcast address respectively [48], leaving 254 usable addresses for hosts.
[47] Use the method I taught you on pg 31
[48] First IP address: reserved as the network address. It represents the network itself and is not assignable to any device. For example, in the subnet 192.168.1.0/24 the address 192.168.1.0 is the network address.
Last IP address: reserved as the broadcast address. It is used to send data to all devices within the subnet (192.168.1.255 in that example).
Classful subnetting -
IANA ➡ RIR ➡ ISP ➡ customer (how a network ID is allocated)
CLASS    Range (first octet)   Subnet Mask
Class A  0-126                 /8 (255.0.0.0)
Class B  128-191               /16 (255.255.0.0)
Class C  192-223               /24 (255.255.255.0)
(127 is reserved for loopback; 224-239 is Class D, multicast [49])
Classless subnetting -
Classless subnetting (CIDR) is a method of IP addressing and routing that allows more flexible allocation of IP addresses than the traditional class-based scheme (Class A, B, and C): any prefix length can be used, not just /8, /16 and /24 [50]
[49] A host that joins a multicast group receives traffic sent to a group address in the 224.0.0.0-239.255.255.255 range in addition to its own unicast address
[50] Subnet Mask Cheat Sheet | DNS Made Easy
• Subnet masks have all 1s on the left and all 0s on the right
• The more subnets you create, the fewer hosts each one can hold
Subnetting a network [51]
To subnet a network like 192.68.1.0/24 [52] into 4 subnets, follow this process.
1. Calculate how many host bits you need to borrow
We are converting host bits (the 0s) into network bits (1s). Because we want more subNETS, we need more NETwork bits, "stolen" from the host bits.
For this step we use the (128 64 32 16 8 4 2 1) method from earlier [53] but double each value, giving (256 128 64 32 16 8 4 2). Read from the right, each value is the number of subnets you get by borrowing that many bits (2 = 1 bit, 4 = 2 bits, 8 = 3 bits, and so on).
Starting from the right, count how many values it takes to reach our goal of 4 subnets. 2 isn't enough, but 4 is exactly what we're looking for.
That is 2 values, so 2 host bits will be converted into network bits.
* If I needed 7 subnets I could not use the value 4, so I would have to go up to the next value, 8 (3 bits), which gives 8 subnets with one to spare.
2. Build the new mask
Take the original binary of /24 [54], 11111111.11111111.11111111.00000000, and convert the first two host bits (0s), reading from left to right, into network bits (1s):
11111111.11111111.11111111.|00|000000 ➡ 11111111.11111111.11111111.|11|000000
The new mask, 11111111.11111111.11111111.11000000, converted to decimal [55] is 255.255.255.192.
To find the new prefix length, count the 1s in the binary (the method from the subnet mask section above): we had 24 and added 2 more, so it is /26.
[51] Credit to Network Chuck for these steps.
[52] Which, as we have seen earlier, has 256 - 2 = 254 hosts
[53] See pg 31-32
[54] See pg 34
[55] See pg 31
3. Calculate the hosts per subnet
Use the formula from before: Number of hosts = 2^(number of host bits) - 2, which here is 2^6 - 2 = 64 - 2 = 62.
So we have 64 addresses (62 usable [56]) per subnet.
4. Find the increment and list the subnets
The increment is simply the decimal value of the last network bit in the new mask:
11111111.11111111.11111111.11000000
128 64 32 16 8 4 2 1
 1  1  0  0 0 0 0 0
so the increment is 64. Starting at the network address and adding 64 each time gives the four subnets:
192.68.1.0 ➡ 192.68.1.63 [57]
192.68.1.64 ➡ 192.68.1.127
192.68.1.128 ➡ 192.68.1.191
192.68.1.192 ➡ 192.68.1.255
Now if you wanted to subnet a network based on how many hosts per subnet you need, and you don't care how many subnets that gives you, you would repeat steps 1 through 4 with a few important changes.
Let's say we need subnets that can each hold up to 50 hosts on our 192.68.1.0/24.
[56] See pg 35
[57] The number 0 counts as a value, so 0 through 63 is 64 addresses
Starting from the right of (256 128 64 32 16 8 4 2), count how many values it takes to reach our goal of 50 hosts per subnet. The smallest value that can hold 50 hosts (plus the network and broadcast addresses) is 64, and reaching it takes exactly 6 values:
(256 128 64 32 16 8 4 2)
          6  5  4  3 2 1
So 6 host bits are kept for hosts; any remaining host bits become network bits.
Second step, keeping those 6 host bits on the right [58] [59]:
11111111.11111111.11111111.00(000000) ➡ 11111111.11111111.11111111.11(000000), which is 255.255.255.192, i.e. /26 again
This reversal (counting the bits to keep from the right instead of the bits to borrow from the left) is the only difference between working from network requirements and from host requirements. The rest of the steps are EXACTLY the same.
VLSM, or Variable Length Subnet Masking, is a subnetting technique that uses different subnet mask lengths for different subnets within the same network, so that each subnet is only as large as it needs to be, reducing wasted addresses and making better use of the address space.
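The whole subnetting procedure above (binary conversion, the mask/prefix, the hosts formula, the local-or-remote decision from the fence analogy, and splitting a /24 by number of subnets or by hosts per subnet), as one added Python example that is not code from the original notes. It works the same way the notes do, with the standard library's `ipaddress` module used only at the end to cross-check the result; the addresses are the notes' own examples.

```python
import ipaddress
import math

# Added example following the steps in the notes; the IP values are the notes' examples.

def to_binary(addr: str) -> str:
    """'192.168.1.2' -> '11000000.10101000.00000001.00000010' (the 128..1 column method)."""
    return ".".join(format(int(o), "08b") for o in addr.split("."))

def to_dotted(bits: str) -> str:
    """Inverse of to_binary: '11111111.11111111.11111111.11000000' -> '255.255.255.192'."""
    return ".".join(str(int(o, 2)) for o in bits.split("."))

def mask_from_prefix(prefix: int) -> str:
    """/26 -> 255.255.255.192: prefix ones followed by zeros, cut into four octets."""
    bits = "1" * prefix + "0" * (32 - prefix)
    return to_dotted(".".join(bits[i:i + 8] for i in range(0, 32, 8)))

def usable_hosts(prefix: int) -> int: 
    """2^(host bits) - 2, dropping the network and broadcast addresses."""
    return 2 ** (32 - prefix) - 2

def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """The host's local-vs-remote test: AND both addresses with the mask and compare."""
    a, b = int(ipaddress.IPv4Address(ip_a)), int(ipaddress.IPv4Address(ip_b))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (b & m)

def subnet(network: str, subnets: int = None, hosts: int = None) -> dict:
    """Split e.g. '192.68.1.0/24' for N subnets, or for N hosts per subnet."""
    base, prefix = network.split("/")
    prefix = int(prefix)
    if subnets is not None:
        borrow = math.ceil(math.log2(subnets))      # step 1: host bits borrowed for networks
        new_prefix = prefix + borrow
    else:
        keep = math.ceil(math.log2(hosts + 2))      # reversed: host bits kept (+2 net/broadcast)
        new_prefix = 32 - keep
    increment = 2 ** (32 - new_prefix)               # step 4: value of the last network bit
    start = int(ipaddress.IPv4Address(base))
    ranges = [(str(ipaddress.IPv4Address(n)),                   # network address
               str(ipaddress.IPv4Address(n + increment - 1)))   # broadcast address
              for n in range(start, start + 2 ** (32 - prefix), increment)]
    return {"prefix": new_prefix, "mask": mask_from_prefix(new_prefix),   # step 2
            "increment": increment, "usable_hosts": usable_hosts(new_prefix),  # step 3
            "ranges": ranges}

def crosscheck(network: str, subnets: int) -> bool:
    """Compare our ranges with ipaddress.subnets(), the library's own implementation."""
    result = subnet(network, subnets=subnets)
    lib = ipaddress.ip_network(network).subnets(new_prefix=result["prefix"])
    return result["ranges"] == [(str(n.network_address), str(n.broadcast_address)) for n in lib]

if __name__ == "__main__":
    print(to_binary("192.168.1.2"))
    print(subnet("192.68.1.0/24", subnets=4))
    print(subnet("192.68.1.0/24", hosts=50)["prefix"])                       # 26
    print(same_network("192.168.1.100", "192.168.1.50", "255.255.255.0"))    # True
    print(crosscheck("192.68.1.0/24", 4))                                     # True
```

`subnet(..., subnets=7)` shows the corrected rule for the 7-subnet case: three bits are borrowed (giving /27 and 8 subnets), not the four that the value 16 would imply.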
Special IP Addresses -
- The loopback address for IPv4 is 127.0.0.1 and for IPv6 is ::1
-Automatic Private IP Addressing (APIPA) is a feature in Microsoft Windows operating systems that
allows devices to automatically assign IP addresses when they are unable to get an IP address from a
DHCP server.
DHCP
A DHCP (Dynamic Host Configuration Protocol) server is a network service that automatically assigns IP
addresses and other network configuration parameters to devices on a TCP/IP network.
1. Request for IP Configuration: When a device (client) joins a network, it sends out a broadcast
message requesting IP configuration information.
58
See pg 34
59
This the opposite direction from earlier
40
2. DHCP Discover Message: The DHCP client broadcasts60 a DHCP Discover message to find
available DHCP servers on the network. This message contains information such as the client's
MAC address and the network ID.
3. DHCP Offer Message: DHCP servers on the network receive the DHCP Discover message and
respond with a DHCP Offer message. This message contains an available IP address, subnet
mask, default gateway, DNS server(s), lease duration, and other configuration parameters.
4. DHCP Request Message: The DHCP client selects one of the DHCP server's offers and sends a
DHCP Request message to accept the offered IP configuration.
5. DHCP Acknowledgment Message: The DHCP server acknowledges the client's request by
sending a DHCP Acknowledgment message, confirming the IP configuration details. The client
can now use the provided IP address and other network settings.
6. Lease Management: The DHCP server assigns a lease duration for the IP address. During this
lease period, the client can use the assigned IP address. When the lease expires, the client must
renew its lease by sending a DHCP Request message to the DHCP server.
A DHCP relay (IP helper) sits on a subnet that has no DHCP server of its own. It takes the client's
broadcast Discover, records its own interface address in the giaddr field, and unicasts the message to the
server; the server uses giaddr to pick the right scope and sends its reply back through the relay. Without
it the DHCP broadcasts would never cross the router, and hosts on that subnet would fall back to APIPA.
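The Discover/Offer exchange above, including what a relay agent changes on the way through, as an added worked example in Python (it is not part of the original notes). The MAC address, transaction ID and addresses are constructed for the example; the code only builds and parses the bytes that would go on the wire and never opens a socket, so it runs offline.

```python
import socket
import struct

# Constructed values for this example; they are not from the page.
CLIENT_MAC = bytes.fromhex("0200deadbeef")
XID = 0x3903F326
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5


def build_options(opts):
    """Encode DHCP options as (code, length, value) triples, ending with 255."""
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)


def build_discover(mac, xid):
    """DHCPDISCOVER: BOOTP header, op=1 (request), broadcast flag set, every
    address field zero because the client has no address yet."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                                   # op, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                               # transaction id, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    opts = build_options([
        (53, bytes([DISCOVER])),        # DHCP message type
        (61, b"\x01" + mac),            # client identifier (type 1 = Ethernet MAC)
        (55, bytes([1, 3, 6, 51])),     # parameter request list: mask, router, DNS, lease
    ])
    return header + MAGIC_COOKIE + opts


def relay(msg, relay_ip):
    """What a DHCP relay / IP helper does: increment hops, stamp its own
    interface address into giaddr (bytes 24-28), then unicast to the server."""
    return msg[:3] + bytes([msg[3] + 1]) + msg[4:24] + socket.inet_aton(relay_ip) + msg[28:]


def parse(msg):
    """Split a DHCP message into header fields and an {option code: value} dict."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _, _, hops, xid, _, _, ciaddr, yiaddr, siaddr, giaddr = struct.unpack(
        "!BBBBIHH4s4s4s4s", msg[:28])
    options, i = {}, 240
    while i < len(msg) and msg[i] != 255:
        if msg[i] == 0:                 # pad option, no length byte
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        options[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid, "yiaddr": socket.inet_ntoa(yiaddr),
            "giaddr": socket.inet_ntoa(giaddr), "options": options}


def build_offer(discover, offered_ip, server_ip, mask, router, dns, lease_seconds):
    """DHCPOFFER: the server echoes xid, chaddr and giaddr, puts the proposed
    address in yiaddr and attaches the configuration options."""
    header = (b"\x02" + discover[1:4]                       # op=2 (reply), htype, hlen, hops
              + discover[4:8] + b"\0\0" + discover[10:12]   # xid, secs=0, flags copied
              + b"\0" * 4 + socket.inet_aton(offered_ip)    # ciaddr, yiaddr
              + socket.inet_aton(server_ip) + discover[24:28]  # siaddr, giaddr copied
              + discover[28:236])                           # chaddr, sname, file
    opts = build_options([
        (53, bytes([OFFER])),
        (54, socket.inet_aton(server_ip)),                  # server identifier
        (1, socket.inet_aton(mask)),
        (3, socket.inet_aton(router)),
        (6, b"".join(socket.inet_aton(ip) for ip in dns)),
        (51, struct.pack("!I", lease_seconds)),
    ])
    return header + MAGIC_COOKIE + opts


def lease_from_offer(offer, expected_xid):
    """Client side: accept an offer only if it is an OFFER for our transaction."""
    o = parse(offer)
    if o["op"] != 2 or o["xid"] != expected_xid or o["options"].get(53) != bytes([OFFER]):
        return None
    dns = o["options"][6]
    return {
        "ip": o["yiaddr"],
        "mask": socket.inet_ntoa(o["options"][1]),
        "router": socket.inet_ntoa(o["options"][3]),
        "dns": [socket.inet_ntoa(dns[i:i + 4]) for i in range(0, len(dns), 4)],
        "server": socket.inet_ntoa(o["options"][54]),
        "lease_seconds": struct.unpack("!I", o["options"][51])[0],
    }
```

Nothing in the exchange is authenticated: a client accepts any Offer whose transaction ID matches, which is why a rogue DHCP server on the segment can hand out its own gateway and DNS addresses, and why switches offer DHCP snooping to block Offers from untrusted ports.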
IP Addressing Scenarios -
- Duplicate IPs -
- Incorrect gateway -
- All computers within the same broadcast domain must use the same subnet mask
- If two hosts can't talk, have them ping each other; if one direction works and the other doesn't,
suspect a mistyped subnet mask on one of them
- Expired IP address
- Either the client renews and keeps working, or it falls back to APIPA and takes a 169.254.x.x
address, which can reach only the local segment
Introducing Routers -
- A router is a device that interconnects network IDs and forwards packets between them
- The metric is a relative cost attached to a route. If the router has more than one route to the same
destination, it picks the one with the lowest metric
Ports
Understanding Ports -
-A port is a communication endpoint that enables applications and services to exchange data over a
network.
-Ports are essential for facilitating communication between devices and ensuring that data packets are
delivered to the correct destination.
-Service Differentiation: Ports help differentiate between different network services running on a single
device.
-Firewalls can be configured to allow or block traffic based on specific port numbers, helping to protect
networks from unauthorized access and potential security threats.
- Port Numbers: ports are identified by numbers from 0 to 65,535 (a 16-bit field in the TCP and UDP headers)
● Ports 0 to 1023 are the well-known ports, reserved for standard services and protocols
● Ports 1024 to 49,151 are registered ports, assigned by IANA to specific applications
● Ports 49,152 to 65,535 are dynamic/private ports, intended for ephemeral client-side ports
● A client picks an ephemeral source port for each outbound connection; it is never a well-known port, so
it always lands somewhere between 1024 and 65,535 (the exact range depends on the operating system)
Port# / Protocol
TCP ports
20 (data, active mode) / 21 (control session) FTP (File Transfer Protocol)
22 SSH (Secure Shell)
23 Telnet
49 TACACS+
80 HTTP (Hypertext Transfer Protocol)
389 LDAP (Lightweight Directory Access Protocol; some queries also use UDP 389)
443 HTTPS (HTTP over TLS)
465 SMTP submission over implicit TLS (SMTPS; once deprecated, reinstated by RFC 8314) / 587 SMTP
submission with STARTTLS
636 LDAPS (LDAP over TLS)
1521 Oracle SQL*Net
1723 PPTP (Point-to-Point Tunneling Protocol) control channel, used for VPNs; the tunnelled data travels in
GRE, which has no port
3389 RDP (Remote Desktop Protocol)
5060 SIP (Session Initiation Protocol; UDP or TCP) / 5061 SIP over TLS
5900 VNC (e.g. TightVNC)
UDP ports
53 DNS (Domain Name System; TCP 53 is used for zone transfers and responses too large for UDP)
67 (server) / 68 (client) DHCP (Dynamic Host Configuration Protocol)
69 TFTP (Trivial File Transfer Protocol)
123 NTP/SNTP (Network Time Protocol / Simple NTP)
161 (agent, polled by the manager) / 162 (traps sent to the management station) SNMP (Simple Network
Management Protocol)
10161 SNMP over (D)TLS
5355 LLMNR (Link-Local Multicast Name Resolution)
NAT (Network Address Translation) allows multiple devices on a private network to share a single public IP
address when accessing the internet. The router rewrites private source addresses to its public address on
the way out and reverses the translation on the replies, so hosts with private (RFC 1918) addresses can
reach external networks like the internet.
- NAT lets many devices use the internet without each needing its own public (globally routable) address
- Static NAT maps one public address permanently to one internal host, so everything arriving for that
public address goes to that one device
- Dynamic (pooled) NAT hands out public addresses from a fixed pool the router holds; if the pool has two
addresses and four hosts want out, only two can be translated at a time until an address is released
- PAT (Port Address Translation, also called NAT overload) translates many internal addresses to one public
address and keeps a table keyed by source port so it can return each reply to the right internal host. This
is what a SOHO router does by default
- Net+ material sometimes abbreviates dynamic NAT as DNAT; do not confuse it with destination NAT, the
inbound rewrite used for port forwarding
Source: What Is NAT and What Are the Benefits of NAT Firewalls? | FS Community
Implementing NAT -
- NAT on a SOHO (small office/home office) router can be disabled from the router's configuration page
Forwarding Ports -
- It's typical for a SOHO-based firewall to drop incoming connections unless they are replies to traffic
that originated inside the network (the NAT table has no entry for unsolicited traffic).
1. Port forwarding adds a static entry so that traffic arriving on a chosen public port is sent to a
specific internal host and port, making an internal service reachable from outside. Port range forwarding
is the same thing for a whole block of ports at once.
2. Port triggering opens an inbound port only after an internal host sends outbound traffic on a trigger
port, and closes it again afterwards (classic example: FTP, whose data channel comes back on a different
port from the control channel).
Source: What is Port Forwarding? What is it Used For? | Cybernews
3. A DMZ (demilitarized zone) is a network segment that sits between an organization's internal network
(LAN) and an external network, typically the internet. It hosts services that must be reachable from
outside (web, mail) while keeping internal resources behind a second layer of filtering.
The "DMZ host" option on a SOHO router is a different and much blunter thing: it forwards every unsolicited
inbound packet to one internal device, which places that device outside the router's protection and
exposes it to the internet in full. Use specific port forwards instead whenever possible.
In a home analogy, the DMZ is like the backyard, a neutral zone accessible from both the internet (front
yard) and internal network (house), hosting less critical resources such as web servers.
Just as you might have a fence or gate between your front yard and backyard for added security, a DMZ
employs various security measures to protect both the external-facing services and the internal network.
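As an added example (not from the original notes), a small model of what the router's translation table does for PAT, for a pooled dynamic NAT, for port forwarding and for the SOHO "DMZ host" option, covering the NAT and port-forwarding passages above. Addresses and port numbers are constructed; `SohoRouter` and `DynamicNat` are names chosen for the example, not any vendor's API.

```python
import itertools
from dataclasses import dataclass

# Constructed addresses for the example; they are not from the page.
PUBLIC_IP = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class SohoRouter:
    """PAT (NAT overload): many inside (ip, port) pairs share one public address,
    told apart by the public source port the router assigns. The same table
    implements port forwarding, and the 'DMZ host' option is a catch-all entry."""

    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.outbound = {}      # (proto, inside_ip, inside_port) -> public_port
        self.inbound = {}       # (proto, public_port) -> (inside_ip, inside_port)
        self.dmz_host = None

    def egress(self, pkt):
        """Outbound packet: allocate (or reuse) a public port and rewrite the source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def ingress(self, pkt):
        """Inbound packet: rewrite the destination from the table. No entry means
        it is unsolicited and is dropped (None), unless a DMZ host absorbs it."""
        target = self.inbound.get((pkt.proto, pkt.dst_port))
        if target is None:
            if self.dmz_host is None:
                return None
            target = (self.dmz_host, pkt.dst_port)
        inside_ip, inside_port = target
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)

    def forward_port(self, proto, public_port, inside_ip, inside_port):
        """Port forwarding: a static inbound entry that exists before any traffic."""
        self.inbound[(proto, public_port)] = (inside_ip, inside_port)


class DynamicNat:
    """Pooled one-to-one NAT: each inside host borrows a whole public address;
    once the pool is empty, further hosts cannot get out until one is released."""

    def __init__(self, pool):
        self.free = list(pool)
        self.assigned = {}      # inside_ip -> public_ip

    def egress(self, pkt):
        if pkt.src_ip not in self.assigned:
            if not self.free:
                return None
            self.assigned[pkt.src_ip] = self.free.pop(0)
        return Packet(self.assigned[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
```

The `ingress` path is the whole "firewall" a basic SOHO router offers: it is the absence of a table entry, not an explicit rule, that drops unsolicited traffic. A port forward or DMZ host punches through that, so every forwarded service needs its own hardening.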
Source: What is Demilitarized Zone? - GeeksforGeeks
Source: Enterprise Router VS Home Router: What are their differences | FS Community
Routers
Tour of a SOHO Router -
- SOHO routers are for small groups (5-6 devices) and can have built-in capabilities for switches,
firewalls, and WAPs
- Enterprise routers have expanded connection capability to other devices (i.e., routers switches, and
WAPs)
- SOHO routers often have Web-based interfaces; enterprise routers typically have their own OS interface.
Routing
- To look at the routing table use the command route print (Windows) or netstat -r (Windows, Linux, macOS).
- Zeros mean "don't care". A network destination of 0.0.0.0 with a subnet mask of 0.0.0.0 matches every
address, so it is the default route: anything that matches no more specific entry is sent to that entry's
gateway out of the listed interface.
- Computers reach their router through the default gateway; routers likewise reach the next router through
their own default gateway unless they hold a more specific route.
Static Routes -
- A static route is a fixed route that is manually configured and persists until an administrator removes it
- Use route print or netstat -r to display the current routes in the routing table
- Each routing table entry holds a destination network, subnet mask, gateway, outgoing interface (NIC) and
metric; the most specific matching entry wins, and the metric breaks ties between equally specific entries
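The lookup a host performs against a table like the one route print shows, as an added example in Python (not from the original notes). The table below is constructed for the example; `lookup` and `add_static_route` are illustrative names, and the "On-link" gateway convention follows the route print output on Windows.

```python
import ipaddress

# A constructed routing table in the layout route print uses:
# (network destination, netmask, gateway, interface, metric). Not from the page.
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.1",   "192.168.1.50", 25),
    ("0.0.0.0",     "0.0.0.0",       "10.8.0.1",      "10.8.0.2",     50),  # second default (VPN), worse metric
    ("127.0.0.0",   "255.0.0.0",     "On-link",       "127.0.0.1",    331),
    ("192.168.1.0", "255.255.255.0", "On-link",       "192.168.1.50", 281),
    ("10.0.0.0",    "255.0.0.0",     "10.8.0.1",      "10.8.0.2",     26),
    ("10.20.0.0",   "255.255.0.0",   "192.168.1.254", "192.168.1.50", 26),
]


def add_static_route(routes, destination, netmask, gateway, interface, metric):
    """Equivalent of: route add <destination> mask <netmask> <gateway> metric <metric>"""
    routes.append((destination, netmask, gateway, interface, metric))


def lookup(destination, routes=ROUTES):
    """Longest-prefix match, as the IP stack does: the entry with the most
    specific mask that contains the address wins; among equal masks the lowest
    metric wins. Returns (next hop, interface) or None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, mask, gateway, iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr not in network:
            continue
        rank = (network.prefixlen, -metric)        # longer prefix first, then lower metric
        if best is None or rank > best[0]:
            best = (rank, gateway, iface)
    if best is None:
        return None
    _, gateway, iface = best
    next_hop = iface if gateway == "On-link" else gateway   # On-link: deliver directly
    return next_hop, iface
```

The two 0.0.0.0/0 entries show why a VPN client that installs a second default route with a worse metric does not capture all traffic, and why an attacker who can inject a more specific route (for example through a rogue DHCP option 121 or ICMP redirect) wins regardless of metric.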
Dynamic Routing -
- The internet for what it truly is: numerous routers forwarding vast amounts of data between countless
computers, with no single authority configuring their routes.
- Dynamic routing gives routers the intelligence to update their routing tables themselves in response to
network changes (links failing, new networks appearing) and to bring all routers back into agreement, a
state called convergence.
- Dynamic routing protocols use metrics to choose routes and fall into two families: distance vector and
link state.
In distance vector protocols (e.g. RIP), each router periodically sends its whole routing table to its
neighbours, and each neighbour keeps the routes with the lowest hop count. In link state protocols (e.g.
OSPF), each router floods small advertisements describing only its own links; every router assembles these
into a complete map of the area and computes the best paths itself, so changes propagate as incremental
updates rather than whole tables. There is no "main router": each router runs the same calculation on the
same map.
Note: convergence is the state in which every router's table reflects all routes.
Metric value: an arbitrary numerical measurement used by routing protocols to determine the best path or
route for data to travel between network devices.
- The lower the metric value, the better the path is considered by the routing protocol.
- Metrics can take into account factors such as hop count, bandwidth, delay, cost, or reliability.
MTU (Maximum Transmission Unit) is the largest payload a single frame can carry (1500 bytes on standard
Ethernet); a smaller MTU somewhere on the path forces fragmentation or, if fragmentation is forbidden, drops.
Bandwidth is the capacity of a network connection to transfer data within a specific time frame.
Ex: kilobits per second (kbps), megabits per second (Mbps), or gigabits per second (Gbps).
Latency is the time it takes for data to travel from one point to another in a network.
Ex: satellite links have high latency because of the distance the signal must travel.
-Various dynamic routing protocols utilize metric values differently to reach their intended destinations.
- Dynamic routing protocols are either IGP (Interior Gateway Protocol) or EGP (Exterior Gateway
Protocol)
● IGP (Interior Gateway Protocol) is used to exchange routing information within a single
autonomous system, such as within a corporate network or an internet service provider's network.
It helps routers within the same network communicate and make routing decisions.
● EGP (Exterior Gateway Protocol) is used to exchange routing information between different
autonomous systems, such as between different internet service providers or large corporate
networks. It helps routers from different networks communicate and determine optimal paths for
data to travel between them.
Types of IGPs: distance vector (RIP) and link state (OSPF)
EGP:
- BGP (Border Gateway Protocol) is the EGP used for inter-autonomous-system routing on the internet
- BGP is a robust routing protocol engineered to excel at one task: routing data between autonomous systems.
- Some large organizations also run BGP inside their own network as an interior protocol (iBGP).
- The internet is divided into autonomous systems, commonly referred to as AS, and BGP is the protocol that
connects them.
● An autonomous system is a network managed by a single entity, such as a large internet service
provider (ISP), a government branch, or a major university system.
● It can consist of one or more interconnected routers.
● Every AS on the internet has an autonomous system number (ASN). ASNs were originally 16-bit values;
32-bit ASNs have been in use since the 16-bit space began to run out.
Note: an example of an ASN is AS15169, which is assigned to Google.
TCP/IP Apps
Mnemonic for the TCP/IP layers, top down: Armadillos Take In New Ants (Application, Transport, Internet,
Network Access)
TCP/IP vs OSI layers
- A PDU (protocol data unit) is the unit of data each layer works with: a segment at the transport layer, a
packet at the network layer, a frame at the data link layer
- UDP is NOT connection-oriented: it has low overhead, no handshake and no acknowledgments, so the sender
gets no indication of whether the data arrived
Source: Comparison of TCP/IP vs OSI Models in Networking
- ICMP (Internet Control Message Protocol) carries diagnostics and error reports, such as "destination
unreachable" when a host or network cannot be reached, or "time exceeded" when a packet's TTL runs out.
Ex: ping (echo request/reply) and traceroute/tracert (time exceeded replies from each hop). Note that arp
is not ICMP; ARP is a separate layer 2 protocol.
ICMP packet
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Data (optional)                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
(For echo request/reply the first four data bytes are an identifier and a sequence number.)
- IGMP (Internet Group Management Protocol) lets routers know which hosts want to receive a multicast
group, such as a streaming video or audio feed, so the router forwards that traffic only where it is wanted.
IGMP packet
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      | Max Resp Time |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Group Address                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Source Address (optional, IGMPv3)              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ICMP and IGMP work at the Internet layer of the TCP/IP model, which corresponds to the network layer (3)
of the OSI model
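The ICMP and IGMP headers above, built and checked in Python as an added example that is not part of the original notes. It implements the RFC 1071 checksum both protocols use, builds the echo request/reply pair that ping sends, and an IGMPv2 membership report; identifier, sequence, payload and group address are constructed for the example, and nothing is sent on the network.

```python
import socket
import struct

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
              11: "time exceeded"}   # the ones ping and traceroute rely on


def inet_checksum(data):
    """RFC 1071 checksum used by ICMP, IGMP, IP and TCP/UDP: one's-complement
    sum of 16-bit words, odd trailing byte padded with zero, then complemented."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident, seq, payload=b"netplus!"):
    """ICMP type 8, code 0; the checksum covers header + data and is computed
    with the checksum field zeroed, exactly as ping does."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Return the header fields plus whether the checksum verifies: a packet
    with a valid checksum sums to zero once the checksum field is included."""
    if len(packet) < 8:
        raise ValueError("ICMP echo header is 8 bytes")
    type_, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": type_, "name": ICMP_TYPES.get(type_, "other"), "code": code,
            "id": ident, "seq": seq, "data": packet[8:],
            "checksum_ok": inet_checksum(packet) == 0}


def build_echo_reply(request):
    """What the pinged host does: same id, seq and data, type 0, fresh checksum."""
    req = parse_icmp(request)
    header = struct.pack("!BBHHH", 0, 0, 0, req["id"], req["seq"])
    csum = inet_checksum(header + req["data"])
    return struct.pack("!BBHHH", 0, 0, csum, req["id"], req["seq"]) + req["data"]


def build_igmpv2_report(group):
    """IGMPv2 membership report (type 0x16): type, max resp time (0 in reports),
    checksum, group address; same checksum routine as ICMP."""
    body = struct.pack("!BBH4s", 0x16, 0, 0, socket.inet_aton(group))
    csum = inet_checksum(body)
    return struct.pack("!BBH4s", 0x16, 0, csum, socket.inet_aton(group))


def parse_igmp(packet):
    type_, max_resp, _, group = struct.unpack("!BBH4s", packet[:8])
    return {"type": type_, "max_resp": max_resp, "group": socket.inet_ntoa(group),
            "checksum_ok": inet_checksum(packet) == 0}
```

The checksum only detects accidental corruption; it is not an integrity control, since anyone who can alter the packet can recompute it. That is why ICMP redirects and unreachable messages are accepted from the network only with care (or rate limited and filtered) on hardened hosts.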
Handy Tools -
- pathping (Windows)
- Both tracert (Windows) and traceroute (Linux) display the hops (the routers crossed) on the way to a
destination
- pathping combines tracert and ping: it finds the hops, then pings each of them repeatedly over a period
of time and reports per-hop latency and packet loss. It takes longer than tracert but shows where along the
path the loss is happening
- Bandwidth speed testing helps verify the upload and download speed to an individual computer
Source: ICMP vs IGMP » Network Interview
Wireshark
Introduction to Wireshark -
- Protocol analyzer (packet capture and analysis)
- Wireshark displays the traffic flow of Ethernet frames and can drill down into each frame to show the
protocols, ports, timing and services inside it
- Wireshark can filter and organize captured data into consumable information to help in troubleshooting
- tcpdump is the command-line alternative: it captures and displays the packets being sent and received on
an interface in real time and can write them to a pcap file that Wireshark (or its own command-line
sibling, tshark) reads later. Capturing needs administrator/root rights on the capture machine
Note: I highly suggest you do the Wireshark training by TryHackMe (not sponsored)
link: https://tryhackme.com/hacktivities?tab=search&page=1&free=all&order=most-popular&difficulty=all&type=all&searchTxt=wireshark
Netstat
- Netstat is a text-based command-line tool (run netstat at the command prompt) that lets you view active
connections between your computer and others at any time.
- Netstat tells you about connections, listening ports and other networking details on your computer.
Web Servers -
- Web servers host websites; web clients (browsers) access web servers
HTTP
HTTP (Hypertext Transfer Protocol) is the basis of what we call the World Wide Web.
- The quickest way to find out whether a web server is running on a particular system is to run netstat -a
(or netstat -an to skip name resolution) on it and see whether anything is listening on port 80 (HTTP) or
443 (HTTPS).
FTP -
- FTP servers listen on port 21 for the control session. In active mode the server opens the data
connection back to the client from port 20; in passive mode the client opens a second connection to an
ephemeral port the server announces, which is why FTP needs port triggering or a protocol helper on NAT
firewalls
- FTP is NOT encrypted, so all passwords and data are sent in the clear; prefer SFTP (over SSH) or FTPS
Securing E-mail -
- Mail server software can handle TLS-encrypted sessions, provided it is correctly configured with a
certificate
- Wrapping the original unencrypted e-mail protocols in TLS meant a second port for each: SMTPS 465, IMAPS
993 and POP3S 995 alongside SMTP 25, IMAP 143 and POP3 110
- The STARTTLS extension instead upgrades the plaintext session in place, so mail submission uses a single
port (587) for both
● TLS (Transport Layer Security): think of TLS as a secure tunnel for your internet connection. When you
visit a website and see "HTTPS" in the address bar, the connection is encrypted with TLS.
● STARTTLS: STARTTLS is like upgrading a regular phone call to a secure, encrypted one. With email, it lets
a client or server say "let's switch to a secure connection" on the existing plaintext port before the
message is sent. Because the upgrade is negotiated in the clear, an attacker on the path can strip the
STARTTLS offer and keep the session in plaintext unless the client is configured to require TLS; that is
why implicit-TLS ports (465/993/995) or a "require STARTTLS" setting are preferred.
Telnet: Telnet is like sending postcards through the mail without an envelope. It's a protocol that allows
you to remotely access and manage devices over a network, but it does so in plain text, meaning anyone
can potentially see the information being transmitted, including sensitive data like passwords.
SSH (Secure Shell): SSH is like sending letters in sealed envelopes. It's a protocol that provides a secure,
encrypted connection between two devices over a network. With SSH, all communication, including
passwords and commands, is encrypted, providing a higher level of security compared to Telnet. It's
commonly used for remote access and administration of servers and other network devices.
- PuTTY is a client-side SSH (and Telnet/serial) program that lets you connect to other computers over a
network. It's commonly used to access servers and network devices from a Windows computer.
- Network Time Protocol (NTP) and Simple Network Time Protocol (SNTP) use UDP to allow devices to
synchronize their clocks
NTP is like a school bell that keeps all the clocks in a school synchronized. It makes sure every computer
or device shows the exact same time by asking a super accurate clock for the correct time and then
adjusting itself if it's off. This way, everything stays on schedule together.
Imagine you're participating in an online exam where every student must start and submit their answers at
specific times. Here's how NTP helps:
1.Before the Exam: Each student's computer uses NTP to check the time with a reliable time server,
which is accurate to atomic clock standards.
2.Adjusting Time: If a student's computer clock is a few minutes fast or slow, NTP adjusts it to match the
accurate time provided by the time server.
3. During the Exam: When the exam starts at, say, 9:00 AM, everyone's computer shows the exact same
time, ensuring all students start simultaneously, no matter where they are in the world.
4. Submitting Answers: Similarly, if the deadline to submit answers is at 10:00 AM, NTP ensures that
everyone's computer agrees on when 10:00 AM actually is, preventing any disputes about late
submissions.
SNTP (Simple Network Time Protocol) is a simpler version of NTP (Network Time Protocol). It's used to
synchronize the clocks of computers and devices but is designed to be easier and less complex.
It's like using a basic wristwatch instead of a high-precision atomic clock to keep track of time; it's not as
accurate, but it's simpler and still gets the job done for most everyday needs.
- DHCP scope ranges need to leave room for the gateway, printers, servers and other hosts that get fixed
addresses or reservations
- MAC (DHCP) reservations bind a device's MAC address to a fixed IP address in the scope, so it receives the
same address every time it asks
- IPAM (IP address management) tools track and manage allotted IP addresses, keeping address ranges
available for server and VM farms
DNS
Understanding DNS -
- The Domain Name System (DNS) resolves fully qualified domain names (FQDNs) to IP addresses
Let's say you want to visit the website "www.example.com" in your web browser:
1. You type "www.example.com" into your browser's address bar and hit Enter.
2. Your computer first checks its own cache and hosts file; if there is no answer it sends a query to its
configured DNS server (the resolver), asking for the IP address associated with "www.example.com".
3. The resolver either answers from its cache or walks the hierarchy: it asks a root server, then the .com
servers, then example.com's authoritative servers, and obtains the corresponding IP address, such as
"192.0.2.1".
4. Your computer then uses the IP address to connect to the server hosting "www.example.com" and fetches
the website content.
5. Finally, your web browser displays the website content for you to view.
6. Your DNS server and your host store this answer in a cache for future use, for as long as the record's
TTL allows.
So, DNS is what allows you to use easy-to-remember website names like "www.example.com" instead of
having to remember and type in their numerical IP addresses.
Applying DNS -
- A CNAME record creates an alias name, or "known name", often created for user-friendly hostnames
- A reverse lookup resolves an IP address to an FQDN (via PTR records) and is used by mail servers to check
the sending host
- TXT records carrying SPF and DKIM data are used to identify legitimate e-mail senders and reduce spam
Note: an FQDN (fully qualified domain name) is the complete domain name for a specific host, including both
its hostname and its domain name. For example, "www.example.com" is an FQDN, where "www" is the hostname
and "example.com" is the domain name.
DNS record types:
A record (Address Record): maps a domain name to an IPv4 address.
AAAA record (IPv6 Address Record): similar to an A record but maps a domain name to an IPv6 address.
MX record (Mail Exchange Record): specifies the mail servers responsible for receiving email on behalf of
a domain. It points to the domain name of the email server, for example "mail.example.com", together with
a priority value.
TXT record (Text Record): stores text information, such as SPF and DKIM records used to authenticate email
senders, or arbitrary text data.
SPF record (Sender Policy Framework): a TXT record that specifies which IP addresses are allowed to send
emails on behalf of a domain. It helps prevent email spoofing and improves deliverability by letting the
receiving server check the sender's IP against the policy.
DKIM record (DomainKeys Identified Mail): a TXT record that stores the public key used to verify the
digital signatures added to email messages. It helps ensure the authenticity of email messages and
detects tampering in transit.
PTR record (Pointer Record): used for reverse DNS lookups. It maps an IP address to a domain name, the
opposite of an A record.
CNAME record (Canonical Name Record): creates an alias for a domain name. It points one domain name to
another, so several names can lead to the same address. For example, "www.example.com" could be a CNAME
for "example.com".
SRV record (Service Record): specifies the location (host and port) of a service offered by a domain.
Commonly used for SIP (Session Initiation Protocol), XMPP (Extensible Messaging and Presence Protocol) and
LDAP (Lightweight Directory Access Protocol).
NS record (Name Server Record): specifies the authoritative DNS servers for a domain, i.e. which servers
are responsible for providing DNS information about the domain.
SOA record (Start of Authority): holds key administrative details for a zone, like the primary name
server, the responsible person's email, and the serial number and timers that control zone maintenance and
replication.
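An added example (not from the original notes) of what a receiving mail server does with the SPF record described above: it evaluates the connecting IP against the sending domain's published policy. The TXT records are constructed stand-ins for DNS answers; mechanisms that need live DNS (a, mx, ptr, exists) are reported as temperror here rather than looked up.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers; not real domains' data.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookup=TXT_RECORDS.get, depth=0):
    """Evaluate the sender's IP against the domain's SPF record the way a
    receiving mail server does (RFC 7208). Handles ip4/ip6/include/all; a, mx,
    ptr and exists need live DNS and are reported as temperror here, and
    modifiers such as redirect= are not modelled (reported as permerror)."""
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = lookup(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # mechanisms default to '+' (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("ip4", "ip6"):
            try:
                # an IPv4 address is never 'in' an IPv6 network, and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            inner = check_spf(arg, sender_ip, lookup, depth + 1)
            if inner in ("none", "permerror", "temperror"):
                return "permerror" if inner == "none" else inner
            matched = inner == "pass"
        elif mech == "all":
            matched = True
        elif mech in ("a", "mx", "ptr", "exists"):
            return "temperror"
        else:
            return "permerror"          # unknown mechanism or unmodelled modifier
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # no mechanism matched
```

A domain that ends its record with ~all (softfail) or ?all rather than -all leaves spoofed mail deliverable, and SPF alone checks only the envelope sender, not the From: header the user sees; DMARC ties the two together.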
net Command
- The net command is a very old Windows command that helps manage a network
- The net command has many different options to manage a network (net use, net share, etc.)
net user: manages user accounts, including creating, modifying and deleting user accounts. For example:
● net user username password /add creates a new user account.
● net user username /delete deletes a user account.
net group: manages domain groups, including creating, modifying and deleting groups. For example:
● net group groupname /add creates a new group.
● net group groupname /delete deletes a group.
net localgroup: manages local groups on the computer. Similar to net group but specific to local groups.
net accounts: configures the user account database settings, such as password policies and account
lockout settings.
net share: manages shared resources on the computer, such as folders or printers.
net use: connects or disconnects a computer from a shared resource, or displays information about active
connections.
net view: shows the computers and shared folders that are visible on the network.
LLMNR (Link-Local Multicast Name Resolution, RFC 4795) is a protocol used mainly by Windows for resolving
hostnames on the local link when DNS has no answer. It is lightweight and decentralized: the query goes to
a multicast address over UDP port 5355 and whichever host owns the name replies directly.
NetBIOS over TCP/IP (NetBT), on the other hand, is the older protocol for local network communication.
NetBIOS itself is a session-layer (Layer 5) interface; on IP it uses UDP 137 (name service), UDP 138
(datagram service) and TCP 139 (session service). It provides name resolution and session establishment.
Both are unauthenticated: any host on the link that hears a query can answer it, so a rogue machine can
claim a name and receive the connection meant for the real one (the basis of LLMNR/NBT-NS poisoning).
Current hardening guidance is to disable both and rely on DNS.
Let's say you have two computers, A and B, connected to the same local network. Computer A wants to
access a file on computer B using its hostname "computerB". Here's how LLMNR and NetBIOS would
handle this scenario:
LLMNR:
1. Computer A sends an LLMNR query asking, "Who has the IP address for the hostname 'computerB'?" to the
link-local multicast group (224.0.0.252 for IPv4, FF02::1:3 for IPv6).
2. Computer B, which knows its own IP address and hostname, responds to the query with its IP address.
3. Computer A receives the response and can now communicate directly with computer B using its
IP address.
NetBIOS:
1. Computer A sends a NetBIOS name query asking, "Who has the IP address for the NetBIOS name
'computerB'?" as a broadcast on the local subnet (or as a unicast to a WINS server, if one is configured).
2. Computer B answers the broadcast itself; if WINS is in use, the WINS server answers from its database of
registered names instead.
3. Computer A receives the response and can now communicate directly with computer B using its
IP address.
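DNS and LLMNR use the same message format, so one added example (not part of the original notes) serves both the resolution walkthrough in the DNS section and the LLMNR exchange above: it builds the query computer A sends, the answer computer B returns, parses both, and shows the only checks the asking host can make. Names, IDs and addresses are constructed; the multicast group and port are the RFC 4795 ones.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 multicast group and port
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'computerB' -> b'\\x09computerB\\x00': length-prefixed labels, root = 0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read a name at offset, following RFC 1035 compression pointers."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n


def build_query(name, xid, recursion_desired):
    """Header (id, flags, QD/AN/NS/AR counts) + one question. DNS clients set
    RD; LLMNR clients leave it clear because nobody recurses on their behalf."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", xid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_answer(query, ip, ttl=30):
    """Responder side: copy id and question, set QR=1, append one A record
    whose name is a pointer (0xC00C) back to the question at offset 12."""
    xid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100)
    header = struct.pack("!HHHHHH", xid, flags, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + rr


def parse_message(msg):
    """Parse a query or a response into id, flags, questions and A answers."""
    xid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return {"id": xid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def client_accepts(query, response):
    """Everything a plain DNS or LLMNR client can check: QR set, same id, same
    question. Nothing in the message proves who answered, which is why any host
    on the link that sees an LLMNR query can satisfy the asker."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and r["id"] == q["id"] and r["questions"] == q["questions"]
```

For DNS the 16-bit ID plus a random source port is what makes blind spoofing hard, and DNSSEC adds the signatures that authenticate the data; LLMNR has neither, and every host on the segment sees the multicast query, so matching the ID is trivial.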
- nbtstat is a diagnostic command that can be useful, but it only reports NetBIOS name state; it says
nothing about LLMNR
nbtstat -r: displays name resolution statistics, i.e. how many names were resolved by broadcast and by
WINS
nbtstat -a <name>: displays the NetBIOS name table of a remote computer (given its name), showing its
registered names and associated IP addresses
nbtstat -A <ip>: the same, addressing the remote computer by IP address
nbtstat -n: displays the local NetBIOS name table, showing the names registered by this computer
nbtstat -c: displays the NetBIOS name cache, which contains mappings of NetBIOS names to IP addresses
nbtstat -R: purges the NetBIOS name cache and reloads the #PRE entries from the LMHOSTS file
nbtstat -RR: releases and re-registers the local names with WINS, useful for troubleshooting NetBIOS name
resolution issues
Imagine you're hosting a dinner party at a restaurant. Each guest needs a seat at the table and a menu to
order from. You're in charge of assigning seats and menus to each guest.
1. Guest Arrival: As guests arrive at the restaurant, they come to you (the DHCP server) and ask for
a seat and a menu. (DHCP Discover)
2. Seat Assignment (IP Address): You look at the available seats in the restaurant (IP addresses in
the DHCP pool a.k.a. DHCP Server Response) and assign one to each guest. Each seat has a
number (like table numbers), which identifies where the guest will sit. You make sure no two
guests have the same seat. (IP Address Assignment)
3. Menu Assignment (Network Configuration): Along with the seat assignment, you give each
guest a menu (network configuration settings). The menu includes the list of dishes they can order
(like internet access), the chef's special recommendations (like DNS server addresses), and the
restaurant's address (like the default gateway). (Additional Configuration)
4. Lease Duration: You tell each guest how long they can stay at the table (lease duration). For
example, you might say they can stay for two hours (lease time) before they need to ask for
another menu. After two hours, their seat might be given to someone else.
5. Guest Renewal: As the dinner party progresses, you keep an eye on the guests' tables. If a guest
wants to stay longer, they can ask you for another two-hour lease (lease renewal). You might give
them the same seat (IP address) or assign a different one if needed.
● Sometimes a guest might let you know from before that they'd like the same seat/table (ip
address etc) for a longer time so you automatically renew their lease at the same table.
(Automatic Renewal)
6. Guest Departure: When a guest leaves the restaurant (disconnects from the network), you clean
up their table (release their IP address) and make the seat available for another guest (return it to
the DHCP pool).
In this analogy, you (the DHCP server) dynamically assign seats (IP addresses) and menus (network
configuration settings) to guests (devices) as they arrive at the restaurant (connect to the network). This
process makes it easy to manage the network and ensures that each guest (device) gets what they need to
enjoy the dinner party (network communication) without having to worry about seating arrangements.
DNS Troubleshooting -
-If you can access a webpage by its IP address but not by its DNS name,then you've got a DNS problem.
- Security can be broken into three areas: confidentiality, integrity, and availability
Symmetric Encryption -
- An algorithm that uses the same key to encrypt and decrypt is symmetric encryption
Asymmetric Encryption -
Cryptographic Hashes -
Identification -
- Authentication factors are something you know (password, PIN), something you have (phone, smart card,
security key) and something you are (biometrics). Attributes that can be layered on top are somewhere you
are, something you can do, something you exhibit and someone you know.
● Are: you are biometrically authenticated, such as through fingerprint or facial recognition.
Example: you unlock your smartphone or enter a secure facility with your fingerprint.
● Have: you present something you possess, such as a physical security key, a smart card or the phone
that receives a one-time code.
Example: you plug a security key into your computer's USB port, or enter the one-time code sent to your
phone, to complete a login.
● Do: you perform an action in a way that is characteristic of you, such as your signature, handwriting
or typing rhythm.
● Exhibit: a trait or behaviour pattern you display, such as gait or how you interact with a device;
usually a supporting signal rather than a factor on its own.
● Somewhere You Are: you authenticate based on your geographic location or network information.
Example: you log in to your work account from a recognized office location, and authentication is granted
based on the known network location.
Access Control -
DAC (Discretionary Access Control) leaves permissions up to the owner or creator of the resource:
Example: Think of a personal diary where you decide who can read it. You can choose to share it with
your closest friends but keep it private from others.
In short, MAC is like strict security rules set by the system, DAC is like having control over your own
possessions, and RBAC is like assigning different levels of access based on job roles.
AAA -
Authentication: Making sure you are who you say you are before letting you in.
Authorization: Deciding what you're allowed to do once you're in.
Accounting: Keeping track of what you did while you were there.
In short, AAA is the concept of managing who gets access to what and keeping track of their actions,
while RADIUS is a specific technology that helps manage this process, especially for remote access to
networks.
1. RADIUS Client:
This is like a door that lets you into a club. When you try to enter, it checks your ID (credentials) and
asks the bouncer (RADIUS server) if you're allowed in.
2. RADIUS Server:
The bouncer at the club. It decides if you're allowed in based on your ID (credentials) and keeps track of
who's inside and what they're doing.
3. RADIUS Database:
Think of this as a guest list. It's where all the names and permissions are stored. When the bouncer
(RADIUS server) needs to check if you're allowed in, it looks at the guest list (database) to find your
name and decide if you can come in.
In short, the RADIUS client asks permission to enter (authenticates) from the RADIUS server, which
checks a list of allowed guests (database) to decide if access is granted.
- RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting), or the legacy pair 1645/1646;
TACACS+ uses TCP port 49
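The RADIUS exchange above, as an added example (not from the original notes): the client (NAS) hides the User-Password attribute the way RFC 2865 specifies, the server recovers and checks it, and the client verifies the Response Authenticator on the reply. The shared secret, user name and NAS address are constructed; `server_handle` and `client_verify` are illustrative names, and no UDP traffic is sent.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
# Constructed shared secret for the example; a real one is long and random.
SECRET = b"example-shared-secret"


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first block is keyed by the authenticator."""
    pw = password.encode()
    pw += b"\0" * (-len(pw) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(pw), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(pw[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, request_authenticator):
    """Server side: regenerate the same keystream, XOR back, strip null padding."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\0").decode(errors="replace")


def attribute(atype, value):
    """RADIUS attribute: type, length (including these two bytes), value."""
    return bytes([atype, len(value) + 2]) + value


def build_access_request(username, password, secret, identifier, nas_ip, authenticator=None):
    """Code 1 + identifier + length + 16-byte random Request Authenticator + attributes."""
    ra = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password, secret, ra))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH16s", ACCESS_REQUEST, identifier, 20 + len(attrs), ra) + attrs


def parse_attributes(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_handle(packet, secret, users):
    """Recover and check the password; answer Access-Accept or Access-Reject with
    Response Authenticator = MD5(code + id + length + RequestAuth + attrs + secret)."""
    code, identifier, length, ra = struct.unpack("!BBH16s", packet[:20])
    attrs = parse_attributes(packet[20:length])
    username = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, ra)
    rcode = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    head = struct.pack("!BBH", rcode, identifier, 20)          # no attributes in this reply
    return head + hashlib.md5(head + ra + secret).digest()


def client_verify(response, request, secret):
    """NAS side: recompute the Response Authenticator. A forged reply from a host
    that does not know the secret, or a reply to a different request, fails."""
    ra = request[4:20]
    _, identifier, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + ra + response[20:length] + secret).digest()
    return response[4:20] == expected and identifier == request[1]
```

Only the password attribute is hidden, with an MD5-based stream that depends entirely on the shared secret, and every other attribute (user name, NAS address, later the session key for 802.1X) travels in the clear. That is why RADIUS traffic belongs on a management network or inside RadSec (RADIUS over TLS, RFC 6614) or IPsec, and why the shared secret must be long and unique per client.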
TACACS+ Client:
Similar to the RADIUS client, the TACACS+ client is like a door that checks your ID (credentials) before
letting you into a club (network). It sends authentication requests to the TACACS+ server.
TACACS+ Server:
Just like the bouncer at the club, the TACACS+ server decides if you're allowed in based on your ID
(credentials). It also keeps track of who's inside and what they're doing on the network.
TACACS+ Database:
This is like the guest list at the club. It stores all the names and permissions. When the bouncer
(TACACS+ server) needs to check if you're allowed in, it looks at the guest list (database) to find your
name and decide if access is granted.
In summary, TACACS+ works similarly to RADIUS, but it separates authentication, authorization and
accounting into distinct exchanges (so a device can ask it to authorize individual commands), runs over
TCP, and encrypts the entire packet body, whereas RADIUS only obfuscates the password attribute. That makes
TACACS+ the usual choice for administering network devices and RADIUS the usual choice for network access
(Wi-Fi, VPN, wired 802.1X).
- For port-based network access control on a switch or wireless controller you use 802.1X, with the switch
acting as the authenticator and a RADIUS server as the authentication backend.
Kerberos/EAP -
1. Kerberos Authentication:
Imagine you (Kerberos Client) want to enter a secret club. Before you're allowed in, you need a special
ticket (ticket-granting ticket) from the club's security desk.
When you approach the security desk (Domain controller = Kerberos authentication server and KDC
- Key Distribution Center) and request a ticket, you provide your ID (username) and secret password.
The security desk checks your credentials and, if everything's correct, gives you a special ticket
(ticket-granting ticket) valid for a limited time (10 hours by default in Active Directory).
This ticket allows you to enter different areas of the club without having to repeatedly show your ID and
password.
2. Ticket Granting Service (TGS):
Now, let's say you want to enter the VIP lounge within the club. You approach the entrance and show
your special ticket (ticket-granting ticket) from the security desk.
The Ticket Granting Service (at the same security desk, part of the KDC) checks your ticket-granting
ticket, sees that it's valid, and gives you another ticket (service ticket) specifically for the VIP lounge.
That ticket is sealed with a key only the VIP lounge (the service) knows, so the bouncer at its door can
verify it without calling the desk.
With this service ticket, you're allowed access to the VIP lounge without needing to provide your ID or
password again.
3. Kerberos Database:
Think of this as the guest list at the club's security desk. It contains all the usernames and secret
passwords of club members.
When you provide your ID and password at the security desk, they check the guest list (Kerberos
database) to verify your identity and grant you access.
In summary, Kerberos is like getting special tickets to enter different areas of a club without repeatedly
showing your ID and password. You authenticate once to get a ticket-granting ticket, which allows you to
obtain service tickets for specific areas within the club without needing to re-authenticate each time.
● Imagine you're trying to access a secure Wi-Fi network at a coffee shop. Before you can connect,
you need to prove who you are.
● EAP is like a menu of different ways you can prove your identity to the Wi-Fi network. It offers
flexibility for different authentication methods.
● For example, you might choose to authenticate using a username and password, a digital
certificate, or a one-time code sent to your phone.
EAP types
EAP-TLS: mutual authentication using digital certificates on both the server and the client, inside a TLS
tunnel. Example: employees connecting to a corporate Wi-Fi network present client certificates for
authentication. The strongest common option, at the cost of issuing a certificate to every client.
EAP-PEAP (Protected EAP): the server proves its identity with a certificate and a TLS tunnel is built; the
user's credentials (typically MS-CHAPv2) travel inside the tunnel. Example: users enter a username and
password to join an enterprise Wi-Fi network. Clients must be configured to validate the server certificate,
or a rogue access point can harvest the inner credentials.
EAP-TTLS (Tunneled TLS): like PEAP, a server-authenticated TLS tunnel, but with more flexible inner
authentication methods. Example: students log in to a university Wi-Fi network with their account
credentials.
EAP-SIM: authentication using the credentials on a mobile device's SIM card. Example: phones authenticate
to carrier Wi-Fi using SIM card credentials.
PSK (Pre-Shared Key): not an EAP method at all; this is WPA-Personal, where everyone shares one passphrase
set during network configuration. Example: users join a home Wi-Fi network by entering the passphrase.
EAP-MD5: basic challenge/response using a one-way hash of a shared secret. There is no server
authentication and the exchange can be captured and attacked offline, so it is considered legacy and
unsuitable for wireless.
In summary, EAP is a flexible framework that allows you to authenticate yourself using various methods
when connecting to secure networks like Wi-Fi. It's like choosing from a menu of options to prove your
identity and gain access.
Single Sign-On -
- For local area networks, use Windows Active Directory (which authenticates with Kerberos) for single sign-on
LAN SSO
Imagine you have a bunch of rooms (systems and applications) in your house (domain), each with its own key.
Without SSO, every time you want to move between rooms, you need to unlock each door with its
specific key.
But with SSO, you have a master key that unlocks all the doors in your house.
In the digital world, SSO works similarly. Instead of needing separate login credentials for each system or
application you use (each "room" in your digital house), SSO allows you to use one set of credentials (the
"master key") to access multiple systems and applications.
Once you log in to one system or application, you're automatically logged in to others without needing to
re-enter your credentials.
SSO makes life easier for users by reducing the number of passwords they need to remember and
streamlining the login process.
In summary, Single Sign-On (SSO) is like having a master key that grants access to multiple systems and
applications with just one set of credentials, making it more convenient and, with fewer passwords to reuse
or write down, more secure. The trade-off is that the master key is also a single point of compromise, so the
SSO credential should be protected with multi-factor authentication.
Imagine you're planning to attend a party hosted by a friend, but you need to get a special entry pass from
them.
Instead of going to your friend's house to get the pass, they send it to you digitally (the friend is the IdP, or
identity provider).
The pass contains all the information needed to prove you're invited to the party, like your name and
RSVP status.
When you arrive at the party, you show the pass at the entrance, and the bouncer (or party host) checks it
to confirm your invitation.
In the digital world, SAML SSO works similarly. When you want to access a website or application (the
service provider, SP), you're redirected to a central authentication service (the identity provider, IdP).
You provide your credentials to the IdP, which creates a special "entry pass" (a SAML assertion, an XML
document it digitally signs) containing information about you.
You're then redirected back to the service provider with the SAML assertion, which serves as proof of
your authentication.
The service provider verifies the IdP's digital signature on the assertion using the IdP's public certificate
(it does not need to call the IdP back), checks that the assertion is unexpired and addressed to this SP, and
then grants you access.
In summary, SAML SSO (Security Assertion Markup Language Single Sign-On) allows users to
access multiple websites and applications with one set of credentials by exchanging authentication
information through a special "entry pass" (SAML token), making the login process more convenient and
secure.
- Public key infrastructure (PKI) uses a hierarchical structure: a root certificate authority (CA) signs
intermediate CAs, which in turn sign the certificates issued to servers and users
- A self-signed certificate has not been issued by a trusted certificate authority, so a browser shows an
untrusted-issuer warning on the HTTPS (TCP 443) connection; it is a trust warning, not a "443 error"
- An expired certificate can be inspected in the browser, then fixed by obtaining a renewed certificate
from its issuer; clicking through to accept the expired certificate is an exception, not a fix, and should be
avoided on production systems
- Enabling OCSP queries (or OCSP stapling on the server) to confirm the current validity of certificates is
a good security setting, because it catches certificates revoked before their expiry date
Switch Features
Switch Management -
- To manage a switch by IP address, the managing computer must be on the same subnet as the switch's
management interface, or the switch must have a default gateway configured so the traffic can be routed;
best practice is a dedicated management VLAN
Introduction to VLANs -
VLAN or Virtual Local Area Network is a technology used in computer networking to logically divide
a single physical network into multiple separate broadcast domains.
VLANs are like separating rooms in a building. They keep different groups of devices apart on the same
network, reducing clutter and improving security. It's like creating virtual networks within a physical one.
Imagine you have a big office building with lots of rooms, and each room has its own group of people
doing different tasks. But instead of physical rooms, think of these as virtual rooms called VLANs.
82 A digital signature is like a unique stamp that proves the authenticity and integrity of digital documents or
messages. It's created using mathematical techniques and the sender's private key, ensuring that the data hasn't been
tampered with and comes from the claimed sender. It's a crucial tool for verifying the security and trustworthiness of
online communication and transactions.
Separate Spaces: VLANs help split the building into virtual rooms. People in one room can't directly talk
to people in another unless they go through a special door (like a router).
Less Noise: Just like in a real building, if everyone shouts, it gets noisy. VLANs help keep the noise
down by making sure only people in the same room hear each other's shouts.
Security Guards: VLANs act like security guards. They make sure people from one room don't wander
into another room without permission (or without going through a security checkpoint).
Easy Rearranging: You can rearrange these virtual rooms however you want without needing to change
the actual building layout. This makes it easier to manage and organize who's where.
Smooth Traffic Flow: By organizing people into different rooms, it's like creating lanes in a traffic
system. This helps the flow of people (or data) move more smoothly and prevents jams.
Setup with Switches: Just like a building has doors and corridors, a network has switches. These
switches help set up and manage the virtual rooms (VLANs) so that data goes where it needs to.
- Ubiquiti and Netgear are two among many different brands of switches
InterVLAN Routing -
InterVLAN routing lets devices in different VLANs talk to each other by using a router or Layer 3 switch
to guide the traffic between them; the VLAN boundary is therefore also where access control lists belong.
- Broadcast domains can be connected with virtual routers (switched virtual interfaces, or SVIs, on a
Layer 3 switch) using InterVLAN routing
Trunking -
802.1Q trunking carries traffic from multiple VLANs over a single network link by inserting a 4-byte tag
holding the VLAN ID into each frame; frames belonging to the trunk's native VLAN travel untagged.
This simplifies network setup and maximizes bandwidth usage. Set the native VLAN to an unused VLAN
so that untagged frames from an attacker cannot land in a VLAN that matters.
- VLAN Trunking Protocol (VTP) is Cisco's proprietary protocol to update the VLAN database on
multiple switches at once
Cisco Commands -
- The show running-config command displays the running configuration (including any DHCP snooping
settings); show ip dhcp snooping displays the snooping state itself
- The show interfaces command displays status and counters for all the ports
- The show ip route command displays the routing table on a layer 3 switch
- The enable command on Cisco devices grants access to privileged EXEC mode
- Runts are frames smaller than the Ethernet minimum of 64 bytes (including the 4-byte FCS)
- Giants are frames larger than the Ethernet maximum of 1518 bytes (1522 bytes with an 802.1Q tag)
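The 802.1Q tag from the Trunking section and the runt/giant limits above, as an added worked example that is not part of the course notes: a small Python frame builder and parser. The MAC addresses, VLAN ID and payloads are constructed, and the FCS is a zero placeholder (a real NIC computes the CRC), so the sizes are what the code checks.

```python
"""Build and parse Ethernet frames with an optional 802.1Q tag, and classify
runts and giants (added example, not from the course notes). Addresses,
payloads and the placeholder FCS below are constructed for the demo."""
import struct

MIN_FRAME = 64        # bytes including the 4-byte FCS; anything shorter is a runt
MAX_FRAME = 1518      # untagged maximum; 802.1Q (802.3ac) allows 1522
TPID_8021Q = 0x8100   # EtherType value that announces a VLAN tag


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_size(frame_len: int, tagged: bool) -> str:
    """Runt / giant / ok, allowing the extra 4 bytes for a tagged frame."""
    limit = MAX_FRAME + (4 if tagged else 0)
    if frame_len < MIN_FRAME:
        return "runt"
    if frame_len > limit:
        return "giant"
    return "ok"


def parse_frame(frame: bytes) -> dict:
    """Decode the header; if the EtherType slot holds 0x8100 the next two bytes
    are the Tag Control Information: 3-bit priority (802.1p), 1-bit DEI, 12-bit VLAN ID."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": _mac_str(dst), "src": _mac_str(src), "tagged": False}
    offset = 14
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vlan=tci & 0x0FFF)
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    info["ethertype"] = ethertype
    info["payload_len"] = len(frame) - offset - 4      # minus the FCS
    info["size_class"] = classify_size(len(frame), info["tagged"])
    return info


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: int = None, pcp: int = 0) -> bytes:
    """Assemble a frame; pad to the 64-byte minimum as the HEAD of these notes describes."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan & 0x0FFF))
    hdr += struct.pack("!H", ethertype)
    frame = hdr + payload
    if len(frame) + 4 < MIN_FRAME:
        frame += b"\x00" * (MIN_FRAME - 4 - len(frame))
    return frame + b"\x00" * 4        # placeholder FCS (constructed, not a real CRC)


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800, b"hello", vlan=20, pcp=5)
    print(len(f), parse_frame(f))
```

A port that strips the tag on egress is an access port; one that keeps it is a trunk. That is also why a sniffer on a trunk sees VLAN IDs while a sniffer on an access port never does.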
Port security (switch port protection) is a security feature on Cisco switches that controls which devices
can connect to a switch port based on their MAC addresses. It sets a limit on the number of allowed MAC
addresses (optionally pinning specific ones), and takes a configured violation action (protect, restrict, or
shutdown, which err-disables the port) if unauthorized devices try to connect, helping to keep the network
safe from unwanted access and from MAC-flooding attacks.
- Switch interconnections use STP (Spanning Tree Protocol) to detect loops and block redundant ports,
deactivating a port if necessary
- BPDU guard is a Cisco feature for edge (PortFast) ports, where only end devices are expected: if a BPDU
arrives on such a port, meaning someone plugged in a switch, the port is err-disabled
BPDUs (Bridge Protocol Data Units) are messages switches use to talk to each other and prevent network
problems like loops. They help switches decide which ports should be forwarding or blocking to keep the
network stable.
- DHCP snooping is a security feature that ensures only authorized DHCP servers can assign IP addresses.
Ports are marked trusted (the uplink toward the real DHCP server) or untrusted (everything else); server
messages such as OFFER and ACK arriving on an untrusted port are dropped. The switch also builds a
binding table of valid IP, MAC, and port pairs from the leases it sees, which other protections such as
dynamic ARP inspection can then consult, preventing rogue DHCP servers and related network attacks.
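Port security and DHCP snooping as decision logic, added here as an example that is not from the course notes: a small Python model of a switch applying both rules to inbound frames. The port names, MAC addresses and DHCP messages are constructed; a real switch does this in hardware, but the rules it applies are the ones shown.

```python
"""Port security and DHCP snooping decision logic (added example, not from the
course notes). Port names, MACs and DHCP messages below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    max_macs: int = 1             # port-security limit; the uplink gets a high one
    trusted_dhcp: bool = False    # only the uplink toward the real DHCP server is trusted
    learned: set = field(default_factory=set)
    err_disabled: bool = False


class SecureSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.pending = {}     # client MAC -> access port that sent DISCOVER/REQUEST
        self.bindings = {}    # IP -> (MAC, port): the DHCP snooping binding table
        self.log = []

    def ingress(self, port_name: str, src_mac: str, dhcp: dict = None) -> bool:
        """Apply port security, then DHCP snooping, to one inbound frame.
        dhcp is None for ordinary traffic, or e.g. {"type": "DISCOVER", "chaddr": mac}
        or {"type": "ACK", "yiaddr": ip, "chaddr": mac}. Returns True if forwarded."""
        p = self.ports[port_name]
        if p.err_disabled:
            self.log.append(f"{port_name}: drop, port is err-disabled")
            return False

        # Port security (violation mode shutdown): one MAC too many err-disables the port
        p.learned.add(src_mac)
        if len(p.learned) > p.max_macs:
            p.err_disabled = True
            self.log.append(f"{port_name}: VIOLATION {src_mac} exceeds {p.max_macs} MACs, err-disabled")
            return False

        if dhcp is None:
            return True
        kind = dhcp["type"]
        if kind in ("OFFER", "ACK", "NAK") and not p.trusted_dhcp:
            # Server-side messages may only arrive on trusted ports: the rogue-server check
            self.log.append(f"{port_name}: drop DHCP {kind} from untrusted port (rogue server?)")
            return False
        if kind in ("DISCOVER", "REQUEST"):
            if dhcp.get("chaddr", src_mac) != src_mac:
                # Optional MAC verification: client hardware address must match the frame source
                self.log.append(f"{port_name}: drop DHCP {kind}, chaddr mismatch")
                return False
            self.pending[src_mac] = port_name
        elif kind == "ACK":
            client_port = self.pending.get(dhcp["chaddr"])
            self.bindings[dhcp["yiaddr"]] = (dhcp["chaddr"], client_port)
            self.log.append(f"binding {dhcp['yiaddr']} -> {dhcp['chaddr']} on {client_port}")
        return True


def demo():
    """Constructed scenario: a legitimate lease, a rogue OFFER, and a MAC flood."""
    sw = SecureSwitch([
        Port("Gi1/0/1", max_macs=1),
        Port("Gi1/0/7", max_macs=2),
        Port("Gi1/0/24", max_macs=64, trusted_dhcp=True),   # uplink to the real DHCP server
    ])
    client, server, rogue = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "de:ad:be:ef:00:01"
    results = {
        "discover": sw.ingress("Gi1/0/1", client, {"type": "DISCOVER", "chaddr": client}),
        "rogue_offer": sw.ingress("Gi1/0/7", rogue, {"type": "OFFER"}),
        "real_ack": sw.ingress("Gi1/0/24", server,
                               {"type": "ACK", "yiaddr": "10.0.0.50", "chaddr": client}),
        "flood": [sw.ingress("Gi1/0/7", f"02:00:00:00:00:{i:02x}") for i in range(3)],
    }
    return sw, results


if __name__ == "__main__":
    switch, outcome = demo()
    print(outcome)
    print("\n".join(switch.log))
```

Note the ordering: port security runs before the DHCP check, so a rogue server that also floods MACs is shut down by whichever rule it trips first, and the binding table is populated only from leases that crossed a trusted port.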
Port Bonding -
Port bonding (link aggregation) combines multiple network ports into one logical link to make the
connection faster and more reliable.
It's like merging several lanes on a highway into one big lane to handle more traffic and avoid problems if
one lane has issues.
- Use Link Aggregation Control Protocol (LACP, IEEE 802.3ad, now 802.1AX) to negotiate the bundle.
Some vendors call an aggregated link a "trunk", but this is link aggregation, not 802.1Q VLAN trunking,
although one link can be both
83 See pg 23 & 24
Port Mirroring -
Port mirroring copies network traffic from one port to another for analysis without disrupting normal
network operations.
Port mirroring is like copying a conversation from one phone line to another so you can listen in without
anyone knowing. It lets you monitor network traffic without disrupting it.
- Port mirroring enables the traffic flowing through one port to be monitored on another port
- This feature enables administrators to inspect traffic remotely from a suspect machine
- Port mirroring is configured on a switch by providing a source port and destination port.
Quality of Service -
● Traffic shaping is a network management technique used to control the flow of data by enforcing
bandwidth limits, prioritizing certain types of traffic, and managing network congestion.
- Simple QoS on SOHO routers allows you to set priorities for different protocols.
- An intrusion detection system (IDS) detects and reports possible attacks to the administrators
- An intrusion prevention system (IPS) runs inline with the network and acts to stop detected attacks
A Unified Threat Management (UTM) appliance consolidates multiple security functionalities, including
firewall enforcement, malware scanning, and intrusion detection/prevention, into a single system.
Proxy Servers -
Proxy servers are intermediaries between clients and the internet, offering features like anonymity,
caching, and access control. They help improve privacy, speed up access, and enforce internet usage
policies.
Imagine you're in an office building, and there's a receptionist (the proxy server) at the entrance.
Whenever someone from the office (the client) wants to go out and visit a store (a website), they have to
tell the receptionist where they're going.
The receptionist checks a list of approved places (access control rules) to make sure the store is allowed.
If it's okay, the receptionist then goes to the store and brings back whatever the person from the office
wanted.
Key points:
- Forward proxy servers hide the clients from the server by forwarding the request on the client's behalf
- Forward proxy servers can be configured for caching, content filtering, and firewall capability
- Reverse proxy servers hide the servers, and can provide load balancing, TLS termination, and caching for
high-activity pages.
A forward proxy acts on behalf of clients, forwarding requests from clients to servers on the internet. In
contrast, a reverse proxy acts on behalf of servers, receiving requests from clients and routing them to the
appropriate servers within an internal network or data center.
Analogy
Forward Proxy: Imagine you're at a large banquet hall (the internet), and you have a personal assistant
(the forward proxy) who goes to different food stations (websites) on your behalf to bring back the
dishes you want. You tell your assistant what you'd like to eat, and they navigate the banquet hall,
collecting the food and bringing it back to you.
Reverse Proxy: Now, imagine you're the head chef at a busy restaurant (the server), and there's a
receptionist (the reverse proxy) at the entrance. Customers (clients) come in and place their orders with
the receptionist. The receptionist then directs each order to the appropriate chef station (server) in the
kitchen, where the dishes are prepared and sent back out to the customers.
In both cases, there's an intermediary (the proxy) involved in managing the communication between the
person making the request (client) and the source providing the requested service (server).
Load Balancing -
- Load balancing can be done client-side (for example DNS round robin, where the client picks from
several server addresses) or server-side (a device in front of the servers), and provides high availability
- A load balancer chooses a server using an algorithm such as round robin (cycling through a configured
list), least connections, or least response time
- Server-side load balancing uses a dedicated hardware appliance or software device placed in front of the
servers, not inside them; it also runs health checks so a failed server is taken out of rotation
- DMZs (screened subnets) are used to protect public-facing servers by creating an isolated area for those
devices, so that a compromised public server cannot reach the internal network directly
- The classic design uses two firewalls: one allowing unsolicited traffic to the public services, and a second
maintaining isolation of the private network; a single firewall with a dedicated DMZ interface is the
common budget alternative
- Internal firewalls can be used to block specific access for areas that may need additional restrictions but
still function within the main domain
Introduction to IPv6 -
- IPv6 addresses are 128 bits and have a much larger address space than IPv4
SLAAC (Stateless Address Autoconfiguration) is an IPv6 network configuration method where devices
generate their own IPv6 addresses from the prefix in Router Advertisement messages plus an interface
identifier, either derived from the MAC address (EUI-64) or generated randomly (privacy extensions, the
default on most modern operating systems). This eliminates the need for manual configuration or DHCP
servers, making address assignment automatic and efficient. The same automation is the risk: a rogue
router advertising itself becomes every host's default gateway, which is what RA Guard on switches is for.
IPv6 Addressing -
- IPv6 addresses can be shortened by removing leading zeros in each group and collapsing one run of
all-zero groups to "::", but be familiar with the rules
- An IPv6 interface has at least two addresses: a link-local address (fe80::/10) and a global unicast
(Internet) address
- The second half of an IPv6 address (the interface identifier) using EUI-64 is generated from the MAC address
IPv6 in Action -
- EUI-64 uses the MAC address to generate a unique 64-bit ID to automatically configure a host address,
which also means the hardware address is visible to everyone who sees the IPv6 address
- Applications sometimes request temporary IP addresses; this is easily supported by IPv6 stateless
autoconfiguration
- If you are on IPv4 you need a tunneling protocol to get to the IPv6 internet
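The EUI-64 derivation and the shortening rules from the two IPv6 sections above, as an added worked example that is not part of the course notes. The MAC address and prefix below are constructed; the code uses only Python's standard ipaddress module, whose compressed form follows RFC 5952.

```python
"""EUI-64 interface identifiers and IPv6 address shortening (added example,
not from the course notes). The MAC address and prefix used are constructed."""
import ipaddress


def eui64_bytes(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC in half, insert ff:fe in the middle,
    and flip the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as learned from a Router Advertisement) with the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(eui64_bytes(mac), "big"))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Every interface gets one of these in fe80::/64 before it ever hears a router."""
    return slaac_address("fe80::/64", mac)


def mac_from_eui64(addr: str):
    """Recover the MAC from an EUI-64 address, or None if the IID is not EUI-64 shaped.
    That this works at all is why privacy extensions (random IIDs) exist."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def shorten(addr: str) -> str:
    """RFC 5952 text form: drop leading zeros per group, collapse the longest zero run once."""
    return ipaddress.IPv6Address(addr).compressed


def expand(addr: str) -> str:
    """The opposite direction: all eight groups, four hex digits each."""
    return ipaddress.IPv6Address(addr).exploded


if __name__ == "__main__":
    mac = "00:1A:2B:3C:4D:5E"                          # constructed MAC address
    print(link_local_address(mac))                     # fe80::21a:2bff:fe3c:4d5e
    print(slaac_address("2001:db8:1:2::/64", mac))     # 2001:db8:1:2:21a:2bff:fe3c:4d5e
    print(mac_from_eui64("fe80::21a:2bff:fe3c:4d5e"))  # 00:1a:2b:3c:4d:5e
    print(shorten("2001:0db8:0000:0000:0000:0000:0000:0001"))   # 2001:db8::1
```

The ff:fe marker in the middle of the identifier is a quick tell when reading logs: an address containing it was derived from a MAC, so the same device can be tracked across every network it joins.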
WAN Connectivity
Understanding IP Tunneling -
IP tunneling encapsulates data from one network protocol within another, allowing communication
between networks with different protocols.
Imagine you have two friends who live in different countries, and each country has its own postal service
with different rules and delivery methods.
IP tunneling is like putting a letter inside another envelope before sending it through the mail. The outer
envelope represents the postal service of one country (the outer network protocol), while the inner
envelope represents the postal service of the other country (the inner network protocol).
When the letter reaches the destination country, the outer envelope is removed, revealing the original
letter inside, which can then be delivered to the recipient.
In this analogy, IP tunneling allows you to send a letter (data packets) from one country to another by
encapsulating it within another envelope (outer protocol), enabling communication between different
postal services (networks) with different rules and delivery methods.
WAN Technologies -

Technology | What it does | Typical use | Reach | Analogy
WDM (Wavelength Division Multiplexing) | Combines multiple optical signals onto a single optical fiber by using different wavelengths of light for each signal. | Transmitting both voice and data signals over a single fiber optic cable. | Regional, up to hundreds of kilometers | WDM is like having different-colored cars driving on separate lanes of a highway.
DWDM (Dense WDM) | Packs more channels into the same fiber by using narrower channel spacing, typically 0.8 nm or less. | Transmitting multiple channels of data over a single fiber optic cable for long-haul communication networks. | Long-haul, hundreds to thousands of kilometers | DWDM is like fitting more cars on a highway by reducing the distance between them.
CWDM (Coarse WDM) | Utilizes wider channel spacing, typically 20 nm, allowing for fewer channels compared to DWDM. | Extending the reach of metropolitan area networks (MANs) or connecting multiple buildings in a campus network. | Metropolitan/campus, up to 80 kilometers | CWDM is like having fewer but larger trucks carrying cargo on a city road.
MPLS (Multiprotocol Label Switching) | Forwards packets on short labels instead of IP lookups, giving fast, predictable paths and traffic separation between different locations in a carrier network. Labels separate traffic but do not encrypt it; confidentiality still needs IPsec or TLS on top. | Establishing private, high-performance connections between multiple office locations within an enterprise network. | - | MPLS is like a dedicated express lane on a highway, providing fast and reliable connectivity between locations.
SD-WAN (Software-Defined Wide Area Network) | Uses software to find the fastest and most efficient way to send data between different places, typically over several underlying links at once. | Optimizing network performance and reducing costs by dynamically routing traffic over the most efficient path between branch offices and data centers. | - | SD-WAN is like using a GPS navigation system that dynamically selects the best route based on real-time traffic conditions.
Metro Ethernet / Metro optical | Extends Ethernet connectivity beyond the local area network (LAN) to create a wide area network (WAN) for connecting multiple locations within a metropolitan area. | Connecting multiple office buildings or data centers within a city to a shared Ethernet network for fast and reliable data transmission. | Metropolitan area | Metro Ethernet is like having a network of interconnected roads within a city, allowing fast and direct travel between different locations.
[Figure: MPLS packet]84
- DSL (Digital Subscriber Line) is a type of internet connection that uses regular phone lines to provide
fast internet access. It lets you use the internet and make phone calls at the same time, and it's commonly
used in homes and small businesses where available.
ADSL (Asymmetric Digital Subscriber Line): ADSL is the most common type of DSL. It offers faster
download speeds than upload speeds, making it suitable for activities like streaming videos, browsing
websites, and downloading files. ADSL is asymmetrical because it prioritizes downstream traffic (from
the internet to the user) over upstream traffic (from the user to the internet).
SDSL (Symmetric Digital Subscriber Line): SDSL provides equal upload and download speeds,
making it suitable for activities that require significant upload bandwidth, such as video conferencing,
online gaming, and uploading large files. SDSL is symmetrical because it treats upstream and
downstream traffic equally.
VDSL (Very High Bit Rate Digital Subscriber Line) is a fast internet technology that provides
high-speed download and upload speeds over existing telephone lines, ideal for bandwidth-intensive
activities like streaming and gaming.
Analogy time!
ADSL (Asymmetric Digital Subscriber Line): Imagine a road where one lane is wider than the other. The
wider lane allows for faster traffic flow in one direction, while the narrower lane handles slower traffic in
the opposite direction. This is similar to ADSL, where the download lane (wider lane) allows for faster
data transfer from the internet to the user, while the upload lane (narrower lane) handles slower data
transfer from the user to the internet.
84 A Complete Guide to Multiprotocol Label Switching (MPLS)
SDSL (Symmetric Digital Subscriber Line): Now, picture a road with two lanes of equal width. Both
lanes allow for the same speed of traffic flow in both directions. This is like SDSL, where both the
download and upload speeds are the same, providing equal bandwidth for data transfer in both directions.
VDSL: Imagine a traditional DSL as a regular train that travels at moderate speeds, providing decent
transportation for passengers and cargo. Now, picture VDSL as a sleek, high-speed bullet train that zooms
along the tracks much faster than the regular train. Just like the bullet train offers rapid transportation for
passengers, VDSL offers swift internet speeds for online activities like streaming videos and gaming.
● PPPoE (Point-to-Point Protocol over Ethernet) is a protocol that allows devices to connect to
the internet through an Ethernet connection provided by an ISP, handling authentication (PAP or
CHAP against the ISP's credentials), IP assignment, and connection management.
- MAC Address Clone: MAC cloning allows a device to present the MAC address of another device on the
network. This can be useful in situations where the network grants access based on a specific MAC
address, such as when connecting to certain internet service providers.
Usage: Users might employ MAC cloning when setting up a new router or modem to replace an old one,
ensuring that the new device appears on the network with the same MAC address as the old one to avoid
any compatibility issues or service disruptions. Because a MAC address can be copied this easily, MAC
filtering is an administrative convenience, not an authentication control.
85 See pg 8
● Satellite latency refers to the delay or lag in communication that occurs when data travels
between a ground-based location and a satellite in orbit. This delay is primarily due to the
physical distance that the data must travel between the Earth's surface and the satellite; a
geostationary satellite sits roughly 36,000 km up, so a request and its reply typically take 500 ms
or more round trip.
- The consumer satellite service described in this course offers asymmetric speeds of approximately 12
megabits per second download and around three megabits per second upload.
Cellular Technologies -
- The G stands for generation, and currently 5G is the fastest cellular technology.
- Global System for Mobile Communications (GSM) is the earliest of the digital cellular standards covered
here and uses time-division multiple access (TDMA).

Technology | What it is | Key feature | Analogy
GSM (Global System for Mobile Communications) | Standard for digital cellular networks. | TDMA for time slot division; supports voice and text messaging. | Like trains sharing tracks with different departure times.
TDMA (Time Division Multiple Access) | Method for dividing frequency channels into time slots. | Efficient use of radio spectrum. | Like students taking turns speaking in class.
CDMA (Code Division Multiple Access) | Method for encoding signals with unique codes. | Increased capacity and security. | Like books in a library with unique covers for multiple readers.
LTE (Long-Term Evolution) | Standard for high-speed wireless broadband. | OFDMA86 for multiple sub-carriers; higher data rates. | Like a highway with multiple lanes for fast traffic.
5G (Fifth Generation) | Latest standard for ultra-fast mobile communication. | Advanced technologies for speed and connectivity; supports various applications. | Like a futuristic city with lightning-fast trains connecting everything seamlessly.
86 OFDMA (Orthogonal Frequency Division Multiple Access) divides the frequency spectrum into orthogonal
sub-carriers, allowing multiple users to transmit data simultaneously over the same frequency band with high
efficiency and flexibility, commonly used in 4G LTE and 5G networks.
Remote Desktop Connectivity enables users to access and control their computer's desktop interface from
a remote location over a network connection, facilitating tasks and accessing files as if they were
physically present at the computer.
-A VPN (Virtual Private Network) creates a secure and encrypted connection over the internet, allowing
users to access private networks remotely, bypass restrictions, and protect their online privacy and
security.
-Think of a VPN like a secure tunnel that connects your device to a private network over the internet. Just
as a tunnel shields you from outside visibility and keeps your movements private, a VPN encrypts your
internet traffic, keeping your data safe from prying eyes while you access resources or browse the web.
87
2. VPN client software creates a virtual NIC (vNIC) on your local computer (endpoint 1)
3. Then it makes an authenticated, encrypted connection to the VPN server at the office (endpoint 2)
4. The result behaves like a virtual direct cable from the vNIC to the office network: traffic sent into the
vNIC is encrypted and tunneled to the server, which decrypts it onto the private network
Term | Description | Analogy
Client-to-site VPN | Type of VPN where individual users connect to a central VPN server to access resources on a private network securely. | Client-to-site VPN is like accessing a secure vault from your home, allowing you to retrieve valuable resources remotely.
Site-to-site VPN | Type of VPN connecting multiple remote networks or branch offices securely over the internet, enabling seamless communication. | Site-to-site VPN is like building virtual bridges between different offices, allowing them to communicate as if they were in the same location.
PPTP (Point-to-Point Tunneling Protocol) | Early VPN protocol creating a tunnel between a user's device and a VPN server for remote access to private networks. Obsolete: its MS-CHAPv2 authentication and RC4-based MPPE encryption are broken, so it should not carry anything confidential. | PPTP is like a private tunnel between your device and a server, but one whose walls are now known to be paper-thin.
L2TP/IPsec88 (Layer 2 Tunneling Protocol over IPsec) | L2TP provides the tunnel and IPsec provides the encryption, integrity, and authentication; often used with VPNs for enhanced security. | L2TP/IPsec is like a double-layered shield protecting your communication online, providing extra security against threats.
SSTP (Secure Socket Tunneling Protocol) | Microsoft VPN protocol that carries PPP inside a TLS (SSL) connection on TCP 443, so it passes most firewalls; commonly used for remote access. | SSTP is like wrapping your data in a secure envelope before sending it over the internet, keeping it safe from prying eyes.
ESP (Encapsulating Security Payload) | Protocol within IPsec VPNs providing data confidentiality, integrity, and origin authentication during transmission (its sibling AH provides integrity and authentication without confidentiality). | ESP is like a security seal placed on your data, ensuring it remains intact and protected from tampering during transit.
VPN concentrator/headend | Device or server managing multiple VPN connections, providing centralized access to private networks. | A VPN concentrator is like a hub that connects multiple branches of a company, providing a central gateway to access resources.
OpenVPN and SSH (Secure Shell) | OpenVPN is an open-source, TLS-based VPN protocol for secure communication; SSH is a secure protocol for remote access to systems that can also forward ports and tunnel traffic. | OpenVPN and SSH are like two trusted guards ensuring the safety of your data and access to your systems over the internet.
88 Cisco commonly uses L2TP and IPsec. PPTP is primarily associated with Microsoft (as is MS-CHAP, its
usual authentication method). SSTP, which employs TLS (SSL), is also Microsoft's and is not a proprietary
protocol of Cisco.
IKEv2 (Internet Key Exchange version 2) | Key-exchange protocol for IPsec: establishes security associations and negotiates encryption keys between devices; commonly used in mobile VPN applications because it re-establishes tunnels quickly when the network changes. | IKEv2 is like a secret handshake between your device and a secure server, establishing a secure connection before communication begins.
GRE (Generic Routing Encapsulation) | Tunneling protocol used to encapsulate and route many types of network traffic between devices. GRE provides no encryption or authentication on its own; when security is needed it is combined with IPsec (GRE over IPsec). | GRE is like an envelope around your data packets that lets them travel between two points on the internet; IPsec is what makes the envelope tamper-proof.
- Use common tools like ping, netstat, and ipconfig, and check that cables are properly connected
- Check the LAN interface
- Check the modem interface
● Interference is usually on the consumer end, unless natural disasters occur, which would
cause a failure on the carrier side
- Check the DNS server connection
- Most problems that occur within WAN technologies are the customer's, not the ISP's, so rule out the
local side first
802.11
Introduction to 802.11
802.11 refers to a series of IEEE standards for wireless networking, commonly known as Wi-Fi, with
various versions denoted by letters (such as "b", "a", "g", "n", "ac", etc.), each offering different features
and capabilities
- 802.11 utilizes radio waves to transmit network information between wireless nodes.
-Ad hoc mode enables wireless devices to communicate directly with each other, forming a temporary
network without the need for a central access point or infrastructure.
- A WAP is a bridging device that connects into an Ethernet network and communicates via radio waves
to wireless clients
- A WAP has an SSID (Service Set Identifier), a word or phrase used to connect wireless devices to the
WAP device
- CSMA/CA (carrier-sense multiple access with collision avoidance) is the method used to prevent
wireless collisions
Wi-Fi Gen | Standard | Frequency Band | Release Date | Maximum Data Rate | Modulation / Features | Channel Bandwidth
Wi-Fi 4 | 802.11n89 | 2.4 / 5 GHz | 2009 | 600 Mbps | OFDM with up to 64-QAM, MIMO (up to 4 streams) | 20, 40 MHz
Wi-Fi 5 | 802.11ac | 5 GHz | 2013 | 1 - 6.9 Gbps | 256-QAM, downlink MU-MIMO | 20, 40, 80, 160 MHz
Wi-Fi 6 | 802.11ax | 2.4 / 5 GHz | 2019 | Up to 9.6 Gbps | 1024-QAM, OFDMA, uplink and downlink MU-MIMO | 20, 40, 80, 160 MHz
- The 2.4 GHz band offers longer range but lower throughput and is more susceptible to interference. It
defines up to 14 channels (11 usable in North America), but they are 5 MHz apart and each occupies about
22 MHz, so only channels 1, 6, and 11 do not overlap. The 5 GHz band provides higher throughput, less
interference, and better performance in crowded environments, albeit with shorter range, and has about
23 non-overlapping 20 MHz channels.
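Channel planning in the 2.4 GHz band, as an added worked example that is not part of the course notes: the center-frequency formula, the overlap test it implies, and a simple "least congested channel" pick of the kind a Wi-Fi analyzer automates. The neighbouring-AP survey below is constructed.

```python
"""2.4 GHz channel planning (added example, not from the course notes). The
neighbouring-AP survey in the demo is constructed; a Wi-Fi analyzer supplies
the real one."""

CHANNEL_WIDTH_MHZ = 22    # a 20 MHz 802.11b/g/n channel occupies about 22 MHz of spectrum


def center_mhz(channel: int) -> int:
    """Center frequency: 2407 + 5*n for channels 1-13; channel 14 (Japan, 802.11b only) is 2484."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"no 2.4 GHz channel {channel}")


def overlaps(a: int, b: int) -> bool:
    """Two channels interfere when their centers are closer than one channel width."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_plan(channels=range(1, 12)) -> list:
    """Greedy plan from the lowest channel up; for the 11 channels legal in
    North America this yields the familiar [1, 6, 11]."""
    chosen = []
    for ch in channels:
        if not any(overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def least_congested(candidates, survey) -> int:
    """Pick the candidate channel with the least overlapping neighbour power.
    survey is a list of (channel, rssi_dbm) pairs from a site survey. dBm is
    converted to milliwatts so one strong neighbour outweighs several faint ones."""
    def load(ch):
        return sum(10 ** (rssi / 10) for n_ch, rssi in survey if overlaps(ch, n_ch))
    return min(candidates, key=load)


if __name__ == "__main__":
    # Constructed survey: (channel, RSSI in dBm) of neighbouring access points
    survey = [(1, -40), (3, -55), (11, -45), (6, -72)]
    print(non_overlapping_plan())                        # [1, 6, 11]
    print(least_congested(non_overlapping_plan(), survey))
```

The same logic explains the advice in the Wireless Scenarios section: a neighbour on channel 3 degrades both channel 1 and channel 6, so moving to the non-overlapping channel with the weakest overlapping neighbours helps more than simply moving "away" by one or two channels.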
PoE (Power over Ethernet) is a technology that sends power and data over the same Ethernet cable,
making it possible to power devices like cameras and phones without needing separate power cables.
- A Power over Ethernet (PoE) WAP needs a PoE-enabled switch or a PoE injector, but does not need its
own AC power outlet
- PoE began with 802.3af (up to 15.4 watts per port); PoE+ (802.3at) raised that to 30 watts for newer
WAPs, and 802.3bt goes higher still (60 and 90 watt types)
- A PoE injector is a device that adds power to Ethernet cables, allowing non-PoE network equipment to
power PoE-compatible devices like IP cameras and wireless access points.
89 Most Common
Standard | Name | What it defines
802.1p | Quality of Service (QoS) | Prioritization of traffic within Ethernet networks (the 3-bit priority field carried in the 802.1Q tag)
802.1AB | Link Layer Discovery Protocol (LLDP) | A vendor-neutral link layer protocol for network discovery and topology detection
802.3ad | Link Aggregation (LAG) | Bundling of multiple Ethernet links into a single logical link (now maintained as 802.1AX)
802.1X | Port-based Network Access Control (PNAC) | Port-based authentication for network access control, carrying EAP between the client and an authentication server
802.2 | Logical Link Control (LLC) | Data link layer (LLC sublayer) protocols
802.3af | Power over Ethernet (PoE) | Power over Ethernet cables, up to 15.4 W per port
802.3at | Power over Ethernet Plus (PoE+) | Extends PoE to 30 W for higher power devices
802.3bt | Power over Ethernet (PoE) - Type 3 and Type 4 | Further enhances PoE for higher power needs (60 W and 90 W)
802.3bz | 2.5GBASE-T and 5GBASE-T Ethernet | Ethernet over twisted pair at 2.5 and 5 Gb/s
802.3x | Ethernet Flow Control | Flow control mechanisms (PAUSE frames) for Ethernet
802.11i | Wi-Fi Protected Access 2 (WPA2) | Security enhancements for Wi-Fi networks (AES-CCMP encryption, 802.1X-based key management)
802.15 | Wireless Personal Area Networks (WPAN) | Short-range wireless networks
802.15.4 | Low-Rate Wireless Personal Area Networks (LR-WPANs) | Low-power wireless communication (the basis of Zigbee)
802.15.6 | Body Area Networks (BAN) | Wireless communication for medical devices
802.22 | Wireless Regional Area Networks (WRAN) | Long-range wireless using TV white space
802.24 | Smart Grid Communications | Communication for smart grid networks
Antennas -
- Different types of antennas have different radiation patterns and can be placed to provide a radiation
pattern to meet wireless requirements
- Antenna placement and gain should be considered when selecting antenna types, locations, and security
boundaries
SMA connectors

Antenna | Description | Coverage | Radiation pattern
Omni | Provides 360-degree coverage in all horizontal directions. | Covers a wide area horizontally but has limited vertical coverage. | Resembles a doughnut, with equal coverage in all directions around the antenna.
Dipole | Consists of two conductive elements, often used in Wi-Fi routers and antennas; the simplest omnidirectional antenna. | Offers moderate coverage in all horizontal directions. | Also doughnut-shaped: equal coverage in all directions perpendicular to the antenna's axis, with nulls off its ends.
Yagi | Directional antenna with high gain, commonly used for long-distance communication. | Provides narrow, focused coverage in a specific direction, ideal for point-to-point communication over long distances. | Highly directional, with maximum gain in the direction the antenna is pointing and reduced gain in other directions.
Patch | Compact antenna with a flat, rectangular shape, often used in indoor Wi-Fi applications. | Provides moderate coverage in a specific direction, suitable for indoor environments with limited space. | Generally directional, with maximum gain perpendicular to the antenna's surface and reduced gain in other directions.
Parabolic (dish) | Directional antenna with a parabolic reflector, offering high gain and long-distance coverage. | Offers highly focused coverage in a specific direction, ideal for long-distance communication with minimal interference. | Highly directional, with maximum gain in the direction the reflector is facing and minimal gain in other directions.

Directional antennas are also a security control: aiming and limiting gain keeps the usable signal inside the
intended boundary, so fewer people in the parking lot can see the network at all.
- The 802.11 standards are used on both SOHO routers and enterprise routers
- 802.11i was slow to release, so Wi-Fi Protected Access (WPA) was created using Temporal Key
Integrity Protocol (TKIP) encryption protocol
- Rogue [91] access points can be accidental, but evil twins are intentional
- Rogue access points and evil twins [92] can cause a lot of headaches.
Enterprise Wireless -
- Enterprise wireless systems have multiple WAPs that can share the same wireless controller
configuration setup
- The wireless controller can monitor traffic, set up various zones or access areas, and define services'
access to specific WAP destinations
[90]
1. AES (Advanced Encryption Standard)
2. CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
[91] A rogue router is an unauthorized device connected to a network without proper authorization, posing security
risks and potential disruptions to network operations.
[92] An Evil Twin is a rogue Wi-Fi access point set up by attackers to mimic a legitimate network, aiming to intercept
communications and steal sensitive information from unsuspecting users.
- Interference, reflections, and absorption are all environmental issues that can affect the wireless signal
- A Wi-Fi signal is different on various devices; match radiation patterns and 802.11 specifications to the
signal requirement
- Pay attention to the bandwidths and use channels with the least amount of congestion
- A Wi-Fi analyzer is a tool used to scan and analyze wireless networks, providing information on signal
strength, channel usage, and potential sources of interference to optimize Wi-Fi performance.
Wireless Scenarios -
- Sources of interference can include other WAPs, wireless mice and keyboards, and microwaves
- Remove sources of interference or change the WAP’s frequency to avoid channel interference
Interference
- Description: Unwanted signals disrupting wireless communication
- Symptoms: Signal drops, erratic connection behavior
- Causes: Other electronic devices, competing signals
- Example: Bluetooth devices, WAPs, and microwaves interfering with Wi-Fi signals
- Solution: Change frequency/channel, use shielding, or distance devices
Reflection
- Description: Signal bouncing off surfaces
- Symptoms: Ghost signals, signal echoes, multipath interference
- Causes: Smooth surfaces, metal objects
- Example: Echoes in a room, signals bouncing off buildings
- Solution: Use directional antennas, adjust placement of devices
Refraction
- Description: Signal bending as it passes through materials
- Symptoms: Signal bending, distorted signals
- Causes: Changes in medium density
- Example: Light passing through water or glass
- Solution: Adjust antenna orientation, minimize obstructions
Absorption
- Description: Signal weakening as it's absorbed by materials
- Symptoms: Weakened signal strength, signal loss
- Causes: Dense or absorbent materials
- Example: Walls, trees, and other obstacles attenuating signals
- Solution: Use higher-powered transmitters, minimize distance
Attenuation
- Description: Signal loss over distance
- Symptoms: Decreasing signal strength over distance
- Causes: Distance traveled, obstacles in the path
- Example: Weaker Wi-Fi signal strength further from the router
- Solution: Use signal boosters, relocate devices closer to the source
Congestion
- Description: Network overload leading to reduced performance
- Symptoms: Slow internet speeds, latency issues
- Causes: High number of connected devices, excessive traffic
- Example: Slow internet speeds during peak usage times
- Solution: Upgrade network infrastructure, prioritize traffic, limit devices
Throttling
- Description: Deliberate slowing of internet speed by the ISP
- Symptoms: Sudden speed reduction, consistent lower-than-expected speeds
- Causes: Bandwidth management policies, network congestion
- Example: Reduced speed after reaching data cap
- Solution: Choose an ISP with no throttling policies, use VPNs or proxies
Jitter
- Description: Variability in packet arrival times
- Symptoms: Choppy audio/video, lag in real-time applications
- Causes: Network congestion, route changes
- Example: Voice or video calls with inconsistent audio/video quality
- Solution: Use quality of service (QoS), improve network stability, or increase capacity
Incorrect Antennas
- Description: Use of inappropriate antenna types or placements
- Symptoms: Weak signal strength, poor coverage, interference
- Causes: Wrong antenna type or placement for intended coverage
- Example: Using an omni antenna for long-distance point-to-point links
- Solution: Choose appropriate antennas, conduct site surveys
Antenna Placement
- Description: Strategic positioning of antennas for optimal coverage
- Symptoms: Uneven coverage, dead zones, signal interference
- Causes: Building layout, obstructions, signal propagation characteristics
- Example: Placing antennas to maximize signal coverage and strength
- Solution: Conduct site surveys, adjust placement based on signal propagation
Virtualization
Virtualization Basics -
- The benefits of virtualization include saving power, hardware consolidation, and system recovery
- There are two types of hypervisors: type 1 (bare metal) and type 2 (hosted)
Type | Description | Examples | Analogy
Type 1 (Bare Metal) | Installs directly on hardware, manages resources and VMs | VMware vSphere/ESXi, Microsoft Hyper-V Server, Xen | Like a construction foreman building houses directly on a plot of land without any existing structure.
Type 2 (Hosted) | Installs as an application on an existing OS, creates VMs within it | VMware Workstation, Oracle VirtualBox, Parallels Desktop | Similar to renting an apartment within a building already established. The apartment (VM) exists within the building (host OS).
- Before installing a virtual machine, be sure to check your available hard drive space
Cloud Basics -
- Scalability enables quickly increasing resources without the investment of more on-site hardware by
utilizing the cloud’s resources
- Elasticity is the ability to increase or decrease resources based on the demand of your application,
service, etc.
- Multitenancy refers to a cloud provider’s ability to host multiple tenants on the same infrastructure
Cloud Services -
Service | Description | Examples | Analogy
IaaS (Infrastructure as a Service) | Sets up IT infrastructures without on-site resources, allowing users to manage applications and data. | Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP) | Like renting a fully equipped office space where tenants are responsible for furnishing and managing their equipment and resources.
PaaS (Platform as a Service) | Offers a comprehensive deployment and management environment, enabling developers to build, deploy, and manage applications without worrying about infrastructure. | Heroku, Google App Engine, Microsoft Azure App Service | Similar to renting a workspace in a co-working space where amenities and infrastructure (like internet and utilities) are provided, allowing focus on work development.
SaaS (Software as a Service) | Provides subscription-based access to software applications hosted in the cloud, eliminating the need for installation, maintenance, and updates. | Salesforce, Google Workspace (formerly G Suite), Microsoft Office 365 | Like subscribing to a streaming service where users can access and use software applications without needing to own or install them locally.
DaaS (Desktop as a Service) | Facilitates moving users' desktop environments to the cloud, allowing access to virtual desktops and applications from any device with an internet connection. | Amazon WorkSpaces, VMware Horizon Cloud, Microsoft Windows Virtual Desktop | Similar to renting a furnished apartment where tenants have access to the entire living environment remotely, without the need for physical ownership or maintenance.
IaC (Infrastructure as Code) | Manage infrastructure using code and automation | Writing code to provision servers, networks, and storage | Similar to writing a recipe to automate cooking tasks
Cloud Ownership -
Model | Description | Examples | Analogy
Public Cloud | Hosted by third-party providers, accessible over the internet. Resources shared among users for scalability and cost-efficiency. | AWS, Azure, GCP | Like renting an apartment where tenants share common resources.
Private Cloud | Operated for a single organization, offering control and security. Managed internally or by a third party. | VMware, Azure Stack, OpenStack | Similar to owning a private house for exclusive use.
Community Cloud | Shared among a specific community or industry, providing collaborative resources and compliance. | GovCloud, Health Cloud, EGI Federated Cloud | Like co-living in a gated community with shared amenities.
Hybrid Cloud | Combines public and private environments, offering flexibility and scalability. Data shared between them. | AWS Outposts, Azure Hybrid, Google Anthos | Like owning a house with access to shared amenities.
- Infrastructure as Code (IaC) is the management of infrastructure in a descriptive model, using the same
versioning as developers use for source code
- Automation is using code to set up (provision) and maintain systems in a consistent manner without
having to make manual changes
Heroku Demo -
- PaaS enables access to a software development platform without the need to personally host it
- A PaaS allows very quick access to software running live on the internet
Enterprise Virtualization -
- Distributed switching is the centralized installation, configuration, and handling of every switch in the
network
Plane | Function | Analogy
Management Plane | Manages network devices, configurations, and policies. Handles tasks like device setup, updates, and monitoring. | Administrative staff overseeing operations and resources.
Control Plane | Handles routing decisions and updates network topology. Determines the best path for data packets. | Air traffic control managing flight routes and traffic.
Data Forwarding Plane | Forwards data packets between devices based on routing decisions. Performs packet switching and forwarding. Ensures packets reach their destination. | Courier service transporting packages based on instructions.
Cloud Implementation -
- VPC (virtual private cloud) depends on the services requested, including IaaS and PaaS
- VPC services are very flexible, expandable, and can provide many types of services
- Building Web servers on cloud applications is very easy, but there can be costs associated with the
service
Data Centers [93]
- Pods consist of one rack with multiple servers connected to one top-of-rack switch (or two for
redundancy)
- Traffic flows describe how traffic moves in and out of a data center: north is to the internet, south is
into the data center, and east and west are within the data center
- A storage area network (SAN) is used in data centers to connect individual systems to a central bank of
mass storage
Layer | Function | Analogy
Core Layer | Backbone of the network, providing high-speed connectivity between different parts of the network. Ensures efficient routing of traffic and high availability. | Main structural support of a building, ensuring stability and connectivity between different floors and sections.
Distribution/Aggregation Layer | Aggregates traffic from the access layer and routes it towards the core layer. Provides services like VLAN segmentation, policy enforcement, and access control. | Elevator system in a building, aggregating people from different floors and directing them efficiently to their desired destinations.
Access/Edge Layer | Connects end devices such as computers, servers, and network devices to the network. Provides access to network resources and enforces security policies. | Entry points and corridors in a building, providing access for individuals to enter and exit the building and access different rooms and offices.
[93] Network Topology Architectures - IpCisco
- Virtualization and software-defined networking (SDN) have helped data centers move from three-tiered to
spine-and-leaf architecture
- With spine-and-leaf architecture, each top-of-rack switch is connected to the layer three switches on the
spine layer
High Availability
- High availability means that services aren’t lost, not how fast they are recovered
Documentation
- Floor plans include information about the rooms where the equipment resides, as well as details about
the racks, servers, aisles, outlets, etc. that are in each room
- Rack diagrams focus on each individual rack and what is mounted to each
- Logical network diagrams show how devices communicate with each other and the flow of information
through the network
Networked Devices
IoT
IoT, or the Internet of Things, is a network of physical objects embedded with sensors and connected to
the internet, allowing them to exchange data and interact with each other. This includes everyday items
like smart home devices, industrial machinery, and more. IoT enables smarter, more connected
environments and drives innovation across industries.
VoIP
VoIP stands for Voice over Internet Protocol. It's a technology that allows you to make voice calls using
the internet instead of traditional telephone lines.
VoIP converts analog voice signals into digital data packets that can be transmitted over the internet. This
enables cost-effective and feature-rich communication, including voice calls, video calls, and messaging,
often with additional functionalities like call forwarding, voicemail, and conferencing.
VoIP is commonly used in businesses and homes as it offers flexibility, scalability, and often lower costs
compared to traditional phone systems.
- Unified communication combines VoIP phones, video, fax, chat, and more into a single system
- Ports: RTP [5004, 5005 (TCP)], SIP [5060, 5061 (TCP)], H.323 [1720 (TCP)], MGCP [2427 (both)]
ICS
An Industrial Control System (ICS) is a specialized setup used in industries to automate and regulate
processes. It comprises hardware like sensors and actuators, programmable logic controllers (PLCs),
supervisory control and data acquisition (SCADA) systems, and human-machine interfaces (HMIs). ICS
enables real-time monitoring and control of industrial processes, but it also poses security challenges due
to its interconnected nature.
SCADA
SCADA stands for Supervisory Control and Data Acquisition. It's a type of industrial control system used
to monitor and control processes in manufacturing, energy, transportation, and other industries.
SCADA systems collect data from sensors and devices, display it to operators, and allow them to control
processes remotely. They provide real-time monitoring, alarming, and data visualization capabilities to
improve efficiency and safety in industrial operations.
Imagine a SCADA system as the control center of a large amusement park. The control center oversees
various attractions and facilities throughout the park, such as roller coasters, water slides, and food stands.
It collects data from sensors placed throughout the park, monitoring factors like ride speed, water levels,
and temperature. Operators in the control center can view this data on screens and make decisions in
real-time, such as adjusting ride speeds or closing attractions in case of emergencies. Just as a SCADA
system ensures the smooth operation and safety of an amusement park, it does the same for industrial
processes in factories, power plants, and other facilities.
Network Operations
- Network operations is a broad term that describes the actions needed to be taken to protect the network
and organization.
Security Policies
- Security policies document to users how to access system resources and what is allowable and
acceptable.
- NDAs, software licensing, and data restrictions need to be considered to protect an organization
Policy | Description | Example | Analogy
AUP (Acceptable Use Policy) | Defines acceptable and unacceptable behavior for using company resources, outlining guidelines and consequences for violations. | Prohibiting unauthorized software downloads, specifying internet usage guidelines. | Like rules in a library, ensuring respectful and responsible use of facilities.
ACP (Access Control Policy) | Establishes rules for controlling access based on user roles and privileges, restricting access to sensitive data. | Only authorized personnel have access to sensitive data. | It's like having different levels of access cards that grant entry to different areas of a building, based on the user's role and clearance level.
RAP (Remote Access Policy) | Establishes rules for securely accessing company networks remotely, specifying authorized methods and security measures. | Requiring multi-factor authentication, outlining data encryption requirements. | Similar to granting limited access keys for entering a secure facility after hours.
Password Policy | Sets guidelines for creating and managing secure passwords, including complexity requirements, expiration periods, and sharing rules. | Requiring strong passwords, regular changes, and prohibiting sharing. | Like setting a combination lock on a gym locker for security.
BYODP (Bring Your Own Device Policy) | Addresses the use of personal devices, requiring security measures like antivirus software and password complexity. | Personal devices used for work must meet security requirements. | BYODP is like the "guest policy" at a party, where guests are welcome but must follow certain rules to ensure a pleasant experience for everyone.
Safety Policy | Outlines procedures for ensuring workplace safety, covering topics such as emergency procedures, hazard mitigation, and safety equipment. | Conducting safety training, implementing fire evacuation procedures. | Similar to safety guidelines at a construction site, ensuring accident prevention and well-being.
Policies vs Procedures
Non-Disclosure Agreement (NDA): A legal contract that keeps confidential information private. It's used
to protect secrets when sharing them with others.
License Restrictions: These are rules that limit how you can use, share, or change software or content.
They're usually found in agreements you agree to when you use a product, like not sharing software with
others or not changing how it works.
International Export Control: These are rules about sending goods, technology, or software from one
country to another. They're in place to keep certain items from getting into the wrong hands and to follow
trade agreements between countries. These rules might mean needing permission to send certain things to
certain places or facing consequences if you break these rules.
Change Management
- The change process includes requests, types of changes, configuration procedures, rollback and more
Points of Failure
- A single point of failure is one system that, if it fails, will bring down an entire process, workflow, or the
whole organization
- The key to maintaining production on the network is to avoid a single point of failure.
Fault Tolerance: Systems that keep working even if something goes wrong.
Clusters: Groups of computers working together to do tasks, so if one computer fails, the others can keep
going.
Agreement | Description | Example | Analogy
SLA (Service Level Agreement) | Agreement defining expected service level and metrics. | SLA between a cloud provider and a company for uptime and support. | Like a contract with a car rental company guaranteeing service availability and breakdown assistance.
MSA (Master Service Agreement) | Comprehensive contract governing long-term relations. | MSA between a software vendor and a client for ongoing services. | Like signing a long-term lease agreement with a landlord.
SOW (Statement of Work) | Document outlining project scope, deliverables, and timeline. | SOW for a website development project detailing requirements. | Similar to a blueprint provided by an architect for building a house.
Incident Response
- The first responder is the person who must report an incident as soon as it happens
- If the first responder faces a serious threat, they must escalate it to the proper people
Disaster Recovery
Term | Description | Example | Analogy
RPO (Recovery Point Objective) | Maximum tolerable data loss in a disaster scenario. | RPO of 1 hour means data can be recovered up to 1 hour before the disaster. | Like taking a snapshot of a document every hour to ensure you don't lose more than an hour's worth of work in case of a computer crash.
RTO (Recovery Time Objective) | Maximum acceptable downtime to recover after a disaster. | RTO of 4 hours means systems should be up and running within 4 hours after the disaster. | Similar to setting a deadline for fixing a broken appliance in your house, ensuring it's repaired and functional within a specified time frame to minimize inconvenience.
Types of Backups
Type | Description | Analogy
Full Backup | A complete copy of all data and files, regardless of whether they have changed since the last backup. | Like taking a complete snapshot of your computer's hard drive, capturing everything in one go.
Incremental Backup | Only backs up data that has changed since the last backup, whether it's a full or incremental backup. It relies on a previous full backup and subsequent incremental backups to restore data. | Similar to adding new chapters to a book since the last time you made a copy, only capturing the changes.
Differential Backup | Similar to incremental backup but backs up all data that has changed since the last full backup. It does not rely on previous backups to restore data, making restoration faster than with incremental backups but requiring more storage space. | Imagine taking a snapshot of your garden each day, but instead of just capturing what's changed since yesterday, you capture everything that's changed since the last time you took a full picture.
Mirror Backup | An exact copy of the entire system or selected files, usually stored on a separate physical or cloud-based storage device. It provides redundancy and is often used for disaster recovery purposes. | It's like having an identical twin of your computer stored in a different location, ensuring you have a backup if something happens to the original.
Snapshot Backup | An instantaneous copy of the entire state of a system, often taken while the system is running. It allows for quick restoration to a specific point in time, preserving data consistency and integrity. | Like taking a Polaroid photo of your computer's current state, freezing it in time so you can revert back to it if needed.
Cloud Backup | Data is backed up and stored in a remote, off-site location using cloud-based storage services. It offers scalability, accessibility, and disaster recovery capabilities without the need for physical hardware. | It's akin to storing important documents in a safe deposit box at the bank, ensuring they're protected and accessible even if something happens to your home or office.
Synthetic Backup | Combines full and incremental backups into a single, cohesive backup file or set. It reduces the time and resources needed to create and manage backups while ensuring efficient data restoration. | Think of it as creating a mixtape from your favorite songs, combining full backups and incremental backups into one cohesive collection.
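The trade-off between incremental and differential backups (restore chain length versus storage) is easiest to see by simulating both over the same change history. This is an added example, not part of the original notes; the four-day file history, file names and contents are constructed sample data.

```python
"""Added example (not part of the original notes): simulate full, incremental
and differential backups over a constructed change history, then show which
backup sets each scheme needs at restore time."""
from dataclasses import dataclass


@dataclass
class Backup:
    kind: str    # "full", "incremental" or "differential"
    day: int     # day the backup was taken (end of day)
    files: dict  # filename -> content captured in this backup


def run_schedule(changes_per_day, kind):
    """changes_per_day: one dict per day of {filename: new content} (constructed
    sample history). Day 0 is always a full backup; later days use `kind`.
    Returns the list of Backup objects taken, oldest first."""
    fs = {}            # filename -> (content, day last modified)
    backups = []
    last_full = None   # day of the most recent full backup
    last_any = None    # day of the most recent backup of any kind
    for day, changes in enumerate(changes_per_day):
        for name, content in changes.items():
            fs[name] = (content, day)
        if day == 0 or kind == "full":
            # Full: copy everything regardless of when it changed
            selected = {n: c for n, (c, _) in fs.items()}
            backups.append(Backup("full", day, selected))
            last_full = day
        elif kind == "incremental":
            # Incremental: only files changed since the last backup of any kind
            selected = {n: c for n, (c, m) in fs.items() if m > last_any}
            backups.append(Backup("incremental", day, selected))
        elif kind == "differential":
            # Differential: all files changed since the last FULL backup
            selected = {n: c for n, (c, m) in fs.items() if m > last_full}
            backups.append(Backup("differential", day, selected))
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        last_any = day
    return backups


def restore(backups):
    """Rebuild the file set from the newest full backup plus whatever later
    backups the scheme requires. Returns (files, chain) where chain lists the
    (kind, day) of every backup set that had to be readable."""
    full = max((b for b in backups if b.kind == "full"), key=lambda b: b.day)
    later = sorted((b for b in backups if b.day > full.day), key=lambda b: b.day)
    chain = [full]
    if later and later[-1].kind == "incremental":
        chain += later           # every incremental since the full, in order
    elif later:
        chain.append(later[-1])  # the newest differential alone covers the gap
    files = {}
    for b in chain:
        files.update(b.files)    # newer copies overwrite older ones
    return files, [(b.kind, b.day) for b in chain]


def files_stored(backups):
    """Total number of file copies kept on backup media (storage cost)."""
    return sum(len(b.files) for b in backups)


# Constructed four-day history: three files on day 0, then small edits.
CHANGES = [
    {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1"},
    {"a.txt": "a2"},
    {"b.txt": "b2"},
    {"a.txt": "a3"},
]

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        sets = run_schedule(CHANGES, kind)
        files, chain = restore(sets)
        print(kind, "stored copies:", files_stored(sets), "restore chain:", chain)
```

Dropping one incremental set from the middle of the chain does not raise an error; restore simply returns the stale copy of that day's file, which is why the incremental chain must be kept intact.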
BYOD
Onboarding: The process of integrating an employee's personal device into the organization's network
and systems. This includes setting up security configurations, installing necessary applications, and
providing access to company resources.
Offboarding: The process of removing an employee's personal device from the organization's network
and systems when they leave the company. This involves revoking access to company data and
applications, wiping sensitive information from the device, and ensuring compliance with security
policies.
Protecting Network
- Be sure to disable any unused ports so an attacker cannot plug into the network
- If the IP address is outside of the network ID, then you have a rogue DHCP server
DoS (Denial of Service)
- Description: Attacks that aim to disrupt or disable network resources, making them unavailable to
- Types: Distributed Denial of Service (DDoS)
- Indicators: Sudden network slowdowns or outages; unresponsive servers or services; unusual spikes in network
- Mitigation: Implement ingress and egress filtering to mitigate spoofed IP address attacks; deploy dedicated DoS mitigation tools or services to detect and block malicious traffic in
- Analogy: Similar to a traffic jam on a highway caused by a group of vehicles driving slowly in multiple
Spoofing
- Description: Impersonation of legitimate network devices or users by attackers to gain unauthorized access or manipulate data.
- Types: IP Spoofing, MAC Spoofing, Email Spoofing
- Indicators: Suspicious login attempts from unfamiliar locations or devices; anomalies in network traffic or device behavior; unexpected access to sensitive data
- Mitigation: Implement network access controls such as MAC address filtering or 802.1X authentication; use cryptographic protocols like IPsec to secure communication channels and prevent data tampering
- Analogy: Like someone using a stolen ID badge to gain access to a restricted area by pretending to be an authorized employee.
Password Attacks
- Description: Attempts by unauthorized users to gain access to network resources by guessing or cracking passwords
- Types: Brute Force, Dictionary, Credential Stuffing
- Indicators: Multiple failed login attempts; suspicious login activity outside of regular business hours; unusual account lockouts or changes
- Mitigation: Enforce strong password policies with regular expiration and complexity requirements; implement multi-factor authentication (MFA) to add an extra layer of security
- Analogy: Similar to an intruder trying different combinations on a combination lock to guess the correct sequence and gain entry into a secure room.
VLAN Hopping
- Description: Exploiting vulnerabilities in network switch configurations to gain unauthorized access to traffic on different VLANs.
- Types: Double Tagging, Switch Spoofing
- Indicators: VLAN hopping attacks observed in network logs or traffic captures; unexplained changes in VLAN configurations; unauthorized access to sensitive VLANs
- Mitigation: Implement VLAN access control lists (VACLs) to restrict inter-VLAN communication; enable port security features such as dynamic ARP inspection (DAI) to prevent MAC address spoofing
- Analogy: Like someone using an employee's security badge to bypass locked doors and access different areas of a building without authorization.
Malware
- Description: Malicious software designed to disrupt, damage, or gain unauthorized access to computer systems or networks.
- Types: Ransomware, Trojan, Spyware
- Indicators: Unexplained system slowdowns or crashes; unexpected changes in file sizes or permissions; unusual network traffic patterns
- Mitigation: Install and regularly update antivirus software on all devices; educate users about safe browsing habits and the dangers of downloading or opening suspicious attachments
- Analogy: Similar to a virus spreading through a community, infecting people and causing illness without their knowledge or consent.
Social Engineering
- Description: Manipulating individuals to divulge sensitive information or perform actions that compromise
- Types: Phishing, Pretexting, Tailgating
- Indicators: Requests for sensitive information through email or phone calls; attempts to bypass security controls through persuasion or
- Mitigation: Provide security awareness training to employees to recognize and resist social engineering tactics; implement strict policies for handling sensitive information and verify requests through established
- Analogy: Like someone using charm and persuasion to trick their way into a secured building by pretending to
Attack | Description
SYN Flood Attack | Exploits the TCP three-way handshake process by sending a flood of SYN packets to a target server, overwhelming it with half-open connections.
UDP Flood Attack | Floods a target server with UDP (User Datagram Protocol) packets, causing it to expend resources processing and responding to each packet.
ICMP Flood Attack | Floods a target server with ICMP (Internet Control Message Protocol) packets, often using ping requests, to exhaust its resources and disrupt communication.
DNS Amplification Attack | Abuses vulnerable DNS servers by sending small requests with spoofed source IP addresses, causing the servers to respond with large amounts of data to the victim.
Fragmentation Attack | Sends fragmented packets to a target device, exploiting the device's inability to reassemble the packets and causing it to crash or become unresponsive.
Application Layer Attack | Targets specific applications or services on a server, such as HTTP, HTTPS, DNS, or SMTP, by sending legitimate-looking but malicious requests.
Volumetric Attack | Overwhelms a network or server with a massive volume of traffic, consuming all available bandwidth and resources.
Protocol Attack | Exploits weaknesses in network protocols (e.g., TCP, UDP, ICMP) to consume server resources or disrupt communication between devices.
Types of Spoofing
Type | Description
IP Spoofing | Manipulates the source IP address in packet headers to make it appear as if the packets are coming from a trusted source.
MAC Spoofing | Alters the Media Access Control (MAC) address of a network interface to impersonate another device on the network.
Email Spoofing | Forges an email header to make it appear as if the email originated from a different sender or domain, commonly used in phishing attacks to deceive recipients.
VLAN Hopping
- VLAN hopping happens when an attacker is able to move from one VLAN to another
- Private VLANs (port isolation) are a way of controlling which ports can communicate with
other ports
- Ports in a VLAN can be either community ports (ports that communicate with everyone) or isolated
ports (ports that cannot communicate with anyone, even in their own VLAN)
Type | Description
Double Tagging | Exploits a vulnerability in some network switches where an attacker sends a specially crafted frame with multiple VLAN tags, allowing them to bypass VLAN segmentation and gain unauthorized access to other VLANs.
Switch Spoofing | Involves an attacker sending forged or manipulated frames to a switch, tricking it into believing that the attacker's device
- Devices need to be properly disposed of in order to keep sensitive information from being found.
- Wiping, or sanitizing, the devices includes removing the data in secure ways.
- Devices that don't contain sensitive data can be reset to factory defaults.
Network Hardening
- A Router Advertisement (RA) guard will protect your network against rogue advertisements
Firewalls
● Stateless firewalls operate based on predefined rules without considering the state of connections,
offering faster performance but potentially less effective security.
● Stateful firewalls, on the other hand, keep track of active connections and make decisions based
on the context of traffic flows, providing enhanced security but with potentially higher resource
utilization.
● Context-aware firewalls focus on understanding the broader context of network traffic to make
security decisions.
● Application-aware firewalls prioritize identifying and controlling specific applications or
protocols within the traffic.
Both approaches contribute to enhancing network security, but they differ in their focus and methods of
analysis.
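The stateless/stateful difference above comes down to whether the device remembers connections. The following is an added example (not from the original notes): a toy stateless filter and a toy stateful filter, each given a rule set, run over constructed traffic; the LAN range 10.0.0.0/24 and the outside hosts (documentation address ranges) are assumptions.

```python
"""Added example (not from the original notes): a toy stateless packet filter
beside a toy stateful one, run over constructed traffic to show why the
stateless version needs a permissive "allow replies" rule."""
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool   # True for a connection-opening TCP SYN (ACK not set)


INSIDE = ipaddress.ip_network("10.0.0.0/24")   # constructed internal LAN


def inside(addr):
    return ipaddress.ip_address(addr) in INSIDE


def outbound_https(p):
    return p.proto == "tcp" and inside(p.src) and p.dport == 443


def inbound_from_https(p):
    return p.proto == "tcp" and inside(p.dst) and p.sport == 443


class StatelessFirewall:
    """Each packet is judged on its own header fields; nothing is remembered."""

    def __init__(self, rules):
        self.rules = rules   # ordered list of (match_function, action)

    def filter(self, p):
        for match, action in self.rules:
            if match(p):
                return action
        return "deny"        # implicit default deny


class StatefulFirewall:
    """Rules are consulted only for connection-opening packets; anything that
    belongs to a connection already admitted is allowed in either direction."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # state table of admitted flows

    def filter(self, p):
        flow = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if flow in self.table or reverse in self.table:
            return "allow"   # established traffic, including replies
        if not p.syn:
            return "deny"    # not a new connection and not in the table
        for match, action in self.rules:
            if match(p):
                if action == "allow":
                    self.table.add(flow)   # remember the admitted connection
                return action
        return "deny"


# A stateless filter cannot recognise a reply, so it needs a second rule that
# admits ANY inbound packet with source port 443 to the LAN.
STATELESS_RULES = [(outbound_https, "allow"), (inbound_from_https, "allow")]
# The stateful filter only needs the outbound rule; replies ride on the table.
STATEFUL_RULES = [(outbound_https, "allow")]

# Constructed traffic (documentation address ranges for the outside hosts).
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", True),   # LAN host opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", False),  # legitimate reply
    Packet("198.51.100.7", 443, "10.0.0.9", 3389, "tcp", True),    # unsolicited inbound, source port 443
]


def run(firewall, packets):
    return [firewall.filter(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", run(StatelessFirewall(STATELESS_RULES), TRAFFIC))  # allow, allow, allow
    print("stateful: ", run(StatefulFirewall(STATEFUL_RULES), TRAFFIC))    # allow, allow, deny
```

The third packet is the point of the exercise: the stateless rule that lets replies in cannot tell a reply from an unsolicited packet that merely uses source port 443, while the stateful filter drops it because no LAN host opened that connection.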
Network Monitoring
- Networks must be monitored in a number of ways including performance, traffic, and environmental
- Various network management systems (NMS) include Zabbix, LibreNMS, Grafana, and SolarWinds
Documenting Logs
- Abnormal warnings of high error rate or utilization might signify security breaches or broken equipment
Error Conditions
2 Critical - Indicates a failure in the system's primary application, requiring immediate attention.
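Severity code 2 (Critical) is one row of the standard syslog severity scale, which is carried in the PRI value at the front of each message as facility * 8 + severity. This added example (not part of the original notes) decodes that value on constructed log lines and flags hosts with a Critical-or-worse event or an abnormal error count; the BSD-style line layout, the host names and the use of facility 23 (local7) are assumptions.

```python
"""Added example (not part of the original notes): decode the syslog PRI
value on constructed log lines into facility and severity, then flag hosts
that logged a Critical-or-worse event or an abnormal number of errors."""
import re
from collections import defaultdict

# Syslog severity codes (RFC 5424); the notes above list code 2, Critical.
SEVERITIES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# <PRI>Mmm dd hh:mm:ss host message  (BSD-style syslog layout, assumed here)
LINE_RE = re.compile(r"^<(\d{1,3})>(\S+ +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_line(line):
    """Return a dict with facility, severity, host and message, or None if the
    line does not carry a valid PRI header. PRI = facility * 8 + severity."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # facilities run 0..23, so PRI tops out at 23*8+7
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group(2),
        "host": m.group(3),
        "message": m.group(4),
    }


def severity_counts(lines):
    """host -> {severity code -> number of messages}"""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["host"]][rec["severity"]] += 1
    return {h: dict(c) for h, c in counts.items()}


def triage(lines, error_threshold=3):
    """Return host -> list of reasons it needs attention: any event at
    severity 2 (Critical) or worse, or at least `error_threshold` events at
    severity 3 (Error) or worse, which the notes call an abnormal error rate."""
    findings = {}
    for host, sev in severity_counts(lines).items():
        reasons = []
        worst = min(sev)
        if worst <= 2:
            reasons.append(f"severity {worst} ({SEVERITIES[worst]}) event, immediate attention")
        errors = sum(n for s, n in sev.items() if s <= 3)
        if errors >= error_threshold:
            reasons.append(f"{errors} error-or-worse events, abnormal error rate")
        if reasons:
            findings[host] = reasons
    return findings


# Constructed sample lines; facility 23 (local7) is assumed for the devices,
# so PRI 190 = informational, 187 = error, 186 = critical, 189 = notice.
LOG_LINES = [
    "<190>Mar  3 10:14:55 sw-core01 interface Gi1/0/1 link up",
    "<187>Mar  3 10:15:01 sw-core01 CRC errors on Gi1/0/24 exceeded threshold",
    "<187>Mar  3 10:15:03 sw-core01 CRC errors on Gi1/0/24 exceeded threshold",
    "<187>Mar  3 10:15:05 sw-core01 CRC errors on Gi1/0/24 exceeded threshold",
    "<186>Mar  3 10:16:10 rtr-edge01 primary power supply failed",
    "<189>Mar  3 10:16:12 rtr-edge01 running configuration saved",
    "this line has no PRI header and is ignored",
]

if __name__ == "__main__":
    for host, reasons in triage(LOG_LINES).items():
        print(host, "->", "; ".join(reasons))
```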
The End