11 - Secure Network Architecture and Components Flashcards
What is the OSI Model?
7 distinct layers:
- Physical Layer: Accepts the frame from the Data Link layer and converts it into bits for transmission over the physical connection medium.
  - NICs
  - Hubs
  - Repeaters
  - Amplifiers
- Data Link Layer: Responsible for formatting the packet from the Network layer into a properly formatted frame for transmission. A common technology in use is Ethernet (IEEE 802.3). The MAC (Media Access Control) address is also used at this layer; it is a 6-byte (48-bit) binary address written in hex. The Organizationally Unique Identifier (OUI) is the first 3 bytes of a MAC address and identifies the vendor.
  - Protocols
    - Address Resolution Protocol (ARP): Used to resolve IP addresses into MAC addresses
    - Layer 2 Forwarding (L2F)
    - Layer 2 Tunneling Protocol (L2TP)
    - Point-to-Point Tunneling Protocol (PPTP)
  - Sublayers
    - Logical Link Control (LLC)
    - MAC
  - Devices
    - Switches
    - Bridges
- Network Layer: Responsible for adding the routing and addressing information to the data, which is known as a packet at this level.
  - Protocols
    - Internet Control Message Protocol (ICMP)
    - Routing Information Protocol (RIP)
    - Internet Protocol (IP)
    - Internet Protocol Security (IPSec)
    - Network Address Translation (NAT)
  - Devices
    - Routers
- Transport Layer: Responsible for managing the integrity and control of a session. Uses segments at this level. Establishes (end-to-end) communication and defines the rules.
  - Protocols
    - Transmission Control Protocol (TCP)
    - User Datagram Protocol (UDP)
    - Secure Sockets Layer (SSL)
    - Transport Layer Security (TLS)
- Session Layer: Responsible for establishing, maintaining, and terminating communication sessions between 2 computers. Uses PDUs at this level (Protocol/Packet/Payload Data Unit).
  - Protocols
    - Network File System (NFS)
    - Structured Query Language (SQL)
    - Remote Procedure Call (RPC)
  - Modes
    - Simplex: One way
    - Half-Duplex: 2-way, but only one side sends data at a time
    - Full-Duplex: 2-way, data can flow in both directions at the same time
- Presentation Layer: Transforms data from the Application layer into a format that the receiving system can understand.
  - Standards
    - ASCII
    - JPEG
    - MIDI
    - MPEG
- Application Layer: Responsible for interfacing user apps, services, and the OS with the protocol stack. Ensures resources are available for communication.
  - Protocols
    - HTTP
    - FTP
    - SMTP
    - SNMP
    - RPC
What is the TCP/IP Model?
4 distinct layers:
- Application (OSI: 5,6,7)
- Transport (OSI: 4)
- Internet (OSI: 3)
- Link (OSI: 1 and 2)
What protocols are mainly part of the Transport Layer in the TCP/IP Model?
- Transmission Control Protocol (TCP): Full-duplex connection-based protocol.
- User Datagram Protocol (UDP): Simplex connection-less protocol.
What are ports? Why are they used and how many are there generally?
A port is an address number that 2 systems agree to use to communicate (the IP is like the building and the port is the room #).
A port and IP address number together are called a socket.
Ports are 16-bit numbers, giving 65,536 possible ports. The first 1,024 ports (0 to 1,023) are called well-known/service ports. Ports 1,024 to 49,151 are known as registered software ports; software products have registered them with IANA. Ports 49,152 to 65,535 are known as random, dynamic, or ephemeral ports because they are often used randomly or temporarily.
What is the TCP 3-way Handshake?
- Client sends a SYN flagged packet to the server
- Server responds with SYN/ACK flagged packet back to the client.
- The client responds with an ACK flagged packet back to the server.
What are 2 methods for disconnecting a TCP session?
- Each side sends a FIN flag which gets an ACK flag in return (4 flags total)
- An RST flag causes an immediate and abrupt tear down of the session
What is a TCP Transmission Window?
It controls how many packets the sender can transmit before it must receive an acknowledgment from the receiver. Once the acknowledgment arrives, the next window begins. If no acknowledgment is received, the sender resends the whole window.
What is the TCP Header composed of?
20 to 60 bytes long:
- Source Port
- Destination Port
- Sequence Number
- Data Offset
- Reserved for Future Use space
- Flags
- Window Size
- Checksum
- Urgent Pointer
What are the TCP Header Flags?
- URG (Urgent)
- ACK (Acknowledgement)
- PSH (Push)
- RST (Reset)
- SYN (Synchronization)
- FIN (Finish)
What are some characteristics of UDP?
User Datagram Protocol (UDP):
- No error detection
- No flow control mechanisms
- Unreliable
Often employed for streaming activities
What is IP?
Provides route addressing for data packets. IP is connectionless and unreliable so TCP is generally employed with IP to gain reliability.
What is the difference between IPv4 v. IPv6?
IPv4 uses a 32-bit addressing scheme while IPv6 uses 128 bits.
IPv6 also has scoped addresses, autoconfiguration (in place of DHCP), and QoS priority values.
What are the IP classes?
- A: 1-126 (16M hosts)
- B: 128-191 (65,534 hosts)
- C: 192-223 (254 hosts)
- D: 224-239 (Multicasting)
- E: 240-255 (Reserved)
What is CIDR?
Classless Inter-Domain Routing notation:
- Uses mask bits instead of full dotted-decimal notation subnet mask.
- A: 255.0.0.0 - /8
- B: 255.255.0.0 - /16
- C: 255.255.255.0 - /24
What is ICMP?
Internet Control Message Protocol:
Used to determine the health of a network or a specific link (used by tools such as ping, traceroute, and pathping).
Can be used maliciously to tie up systems, so some networks heavily restrict the use of this protocol.
IP Header protocol field value is: 1
The type field of ICMP determines the purpose of the message:
- 0: Echo reply
- 3: Destination unreachable
- 5: Redirect
- 8: Echo request
- 9: Router advertisement
- 10: Router solicitation
- 11: Time exceeded
What is IGMP?
Internet Group Management Protocol:
Allows systems to support multicasting which is the transmission of data to multiple recipients.
IP header protocol field value is 2
What is ARP?
Address Resolution Protocol:
Used to resolve IP addresses into MAC addresses. Uses caching and broadcasting to perform its operations.
What are some Application Layer Protocols (TCP/IP model)?
- Telnet (Port 23): Remote connectivity for executing commands and running apps.
- File Transfer Protocol FTP (Port 20/21): Supports the exchange of files and requires anonymous or specific authentication.
- Trivial File Transfer Protocol TFTP (Port 69): Supports the exchange of files that does not require authentication.
- Simple Mail Transfer Protocol SMTP (Port 25): Used to transmit email messages.
- Post Office Protocol POP3 (Port 110): Used to pull messages from an email server to an email client.
- Internet Message Access Protocol IMAP (Port 143): Used to pull messages from an email server to an email client. More secure than POP3.
- Dynamic Host Configuration Protocol DHCP (Ports 67 and 68): Used to assign TCP/IP config settings to systems upon bootup. 67 is the destination port on the server to receive client communications and port 68 is the source port of the requesting client.
- Hypertext Transfer Protocol HTTP (Port 80): Used to transmit web page elements from a web server to a client.
- Secure Sockets Layer SSL [HTTPS SSL/TLS Encryption] (Port 443): Originally designed to support secured web communications (HTTPS) but is capable of securing any App layer protocol communications.
- Line Print Daemon LPD (Port 515): Service used to spool print jobs and send them to the printer.
- Network File System NFS (Port 2049): Used to support file sharing between dissimilar systems.
- Simple Network Management Protocol SNMP (Port 161/162): Used to collect network health and status information by polling monitored devices from a central station.
What is Encapsulation?
The process of adding headers and footers to the data received from the previous layer so it can be handed off to the next layer for additional encapsulation.
The reverse process is de-encapsulation.
Multilayer protocols such as TCP/IP can layer different protocols including adding encryption to data. What could be the drawbacks of this setup?
- Covert channels: Hide blocked protocols within allowed protocol tunnels.
- Filters can be bypassed: Using techniques like covert channels.
- Logical network segment boundaries can be overstepped: VLANs can be crossed by layering protocols.
What is the Domain Name System (DNS)?
DNS links IP addresses to human-friendly Fully Qualified Domain Names (FQDNs).
At a higher level, DNS works together with ARP: DNS resolves domain names to IPs, then ARP resolves IPs to MAC addresses (and vice versa).
Port 53 is used.
What does an FQDN consist of?
It consists of 3 parts:
- Top-Level Domain (TLD): the "com" in www.google.com
- Registered Domain Name: the "google" in www.google.com
- Subdomain or Hostname: the "www" in www.google.com
TLDs can also be country codes as well as: com, org, edu, mil, gov, net, etc.
An FQDN can't exceed 253 characters.
What are the name servers called?
They are called Primary and Secondary Authoritative Name Servers. They host the zone files, each of which is a collection of resource records.
Resource Records are usually:
- A: Address Record (IPv4)
- AAAA: Address Record (IPv6)
- PTR: Pointer Record (Links IP to FQDN)
- CNAME: Canonical Name (Links FQDN alias to another FQDN)
- MX: Mail Exchange
- NS: Name Server Record (FQDN and IP of authorized name server)
- SOA: Start of Authority Record (Specifies authoritative info about the zone file)
What is DNSSEC (Domain Name System Security Extensions)?
Each server is issued a digital certificate (public/private key pair). Any DNS data issued by that server can then be authenticated by the requester using the public key of that server.