Domain 4 Flashcards
Network Architectures
VXLAN - Virtual Extensible LAN
Network virtualization enabling network segmentation at high scale.
Overcomes VLAN scale limitations: the 12-bit 802.1Q VLAN ID allows 4096 IDs (4094 usable), while the 24-bit VXLAN Network Identifier (VNI) allows about 16 million segments
Tunneling protocol that encapsulates an Ethernet frame (layer 2) in a UDP packet (destination port 4789); the tunnel endpoints (VTEPs) add and strip the 8-byte VXLAN header
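A worked encode/decode of the VXLAN header described above, added here as an example (it is not part of the flashcards). The UDP port, flag bit and header layout follow RFC 7348; the inner frame, MAC addresses and VNI value are constructed for the demo.

```python
from __future__ import annotations
import struct

VXLAN_UDP_PORT = 4789          # IANA destination port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08            # "I" flag: the VNI field carries a valid value
VNI_MAX = (1 << 24) - 1        # 24-bit VXLAN Network Identifier -> ~16.7 million segments
VLAN_ID_MAX = (1 << 12) - 1    # 12-bit 802.1Q VLAN ID -> 4096 values, for comparison
VXLAN_HDR = struct.Struct("!B3s3sB")   # flags | reserved | VNI | reserved (8 bytes)


def vni_in_range(vni: int) -> bool:
    """True when the VNI fits the 24-bit field."""
    return 0 <= vni <= VNI_MAX


def build_vxlan_header(vni: int) -> bytes:
    """Return the 8-byte VXLAN header for a VNI (RFC 7348 section 5)."""
    if not vni_in_range(vni):
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return VXLAN_HDR.pack(VXLAN_FLAG_I, b"\x00\x00\x00", vni.to_bytes(3, "big"), 0)


def encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """VTEP transmit side: the UDP payload sent to port 4789 is header + original L2 frame."""
    return build_vxlan_header(vni) + inner_frame


def decapsulate(udp_payload: bytes) -> tuple[int, bytes]:
    """VTEP receive side: recover (vni, inner Ethernet frame).

    Payloads that are too short or lack the I flag are rejected, as RFC 7348 requires."""
    if len(udp_payload) < VXLAN_HDR.size:
        raise ValueError("truncated VXLAN header")
    flags, _, vni_bytes, _ = VXLAN_HDR.unpack_from(udp_payload)
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN header without I flag set")
    return int.from_bytes(vni_bytes, "big"), udp_payload[VXLAN_HDR.size:]


def build_sample_frame() -> bytes:
    """Constructed inner Ethernet II frame: dst MAC | src MAC | EtherType 0x0800 | payload.
    Addresses and payload are placeholders, not captured traffic."""
    dst = bytes.fromhex("0a0000000001")
    src = bytes.fromhex("0a0000000002")
    return dst + src + struct.pack("!H", 0x0800) + b"constructed IPv4 payload"


if __name__ == "__main__":
    frame = build_sample_frame()
    pkt = encapsulate(frame, vni=0x123456)
    print(f"UDP/{VXLAN_UDP_PORT} payload starts with VXLAN header {pkt[:8].hex()}")
    vni, inner = decapsulate(pkt)
    print(f"VNI {vni:#08x}, inner frame {len(inner)} bytes, round-trip ok={inner == frame}")
```

Note that the header carries no authentication or integrity field: a VTEP that accepts UDP/4789 from arbitrary sources lets a sender inject frames into any segment simply by choosing the 24-bit VNI, so the underlay should restrict VXLAN traffic to known VTEP addresses or carry it inside IPsec.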
Network Architectures
Software Defined Networks (SDNs)
A network architecture approach that enables the network to be intelligently and centrally controlled, or programmed using software
- Has the capacity to reprogram the data plane at any time
- Use cases include SD-LAN and SD-WAN
- Separating the control plane from the data plane opens a number of security challenges; the controller becomes a single high-value target
- Vulnerable to attacks like MITM and DoS against the controller-to-switch channel
- Secured with TLS on the controller-to-switch channel
Network Architectures
Software Defined Wide Area Networks (SD-WAN)
Enables users in branch offices to remotely connect to an enterprise's network.
Enables use of many transport services like MPLS, LTE, and broadband internet to securely connect users to apps
Security is based mostly on IPsec VPN tunnels, next-gen firewalls (NGFWs), and micro-segmentation of app traffic
Uses a centralized control function for intelligent routing; combined with Secure Access Service Edge (SASE), connectivity and security are delivered from the cloud edge rather than backhauled to a central data center
Network Architectures
Light Fidelity (Li-Fi)
Uses the modulation of light intensity to transmit data (uses LEDs)
Can safely function in areas otherwise susceptible to electromagnetic interference
Can theoretically transmit at speeds of up to 100 Gbit/s
- Li-Fi only requires working LED lights
- Visible light cannot penetrate opaque walls, which confines the signal (and any eavesdropping) to the room
Network Architectures
Zigbee - Personal Area Network (PAN)
Short-range wireless
Developed to support automation, machine-to-machine comms, remote control, and monitoring of IoT devices
Supports both centralized and distributed security models and mesh topology
Assumes that the symmetric keys used are transmitted securely (encrypted in transit)
NOTE
- During pre-configuration of a new device, a single key may be sent unprotected, creating a brief vulnerability window
- EX) IoT smart home hub
Cellular Networking
5th Gen Cellular 5G
Faster speeds and lower latency
- Unlike 4G, 5G does NOT ID each user through their SIM card; instead it can assign IDs to each device
- Some air interface threats such as session hijacking are dealt with in 5G
NOTE
- Non-Standalone (NSA) 5G anchors control signaling to the 4G core; the Diameter protocol, which provides authentication, authorization, and accounting (AAA), will be a target
- Old vulns of 3G/4G are still a threat because NSA 5G relies on them
- DDoS is a concern because IoT endpoint counts on 5G are exponentially greater
Content Delivery Networks (CDN)
Geographically distributed network of proxy servers and their data centers
- Goal is fast and highly available content delivery by distributing content spatially relative to users
- CDNs serving JavaScript have been targeted to inject malicious content into pages (a third-party script supply-chain risk); Subresource Integrity (SRI) hashes let browsers reject a modified script
- CDN vendors offer DDoS protection and Web Application Firewalls (WAF)
- EX) video streaming, software download, audio streaming
OSI Model
- Application
- Presentation
- Session
- Transport
- Network
- Data Link
- Physical
All People Seem To Need Data Processing
Standard Network Topologies
STAR
Employs a centralized connection device
- Can be a simple hub or switch
- Each system is connected to the central hub by a dedicated segment
Standard Network Topologies
MESH
Connects systems to all other systems using numerous paths
- A partial mesh is possible
- BENEFIT: provides redundant connections to systems, allowing multiple segment failures without seriously affecting connectivity
Standard Network Topologies
RING
Connects each system as points on a circle
- The connection medium acts as a unidirectional transmission loop
- Only one system can transmit data at a time; traffic management is performed by a token
NOTE
Token Ring is a ring-based network
Standard Network Topologies
BUS
Connects each system to a trunk or backbone cable
- All systems on the bus can transmit data simultaneously, which can result in collisions
- A collision occurs when two systems transmit data at the same time; the signals interfere with each other
NOTE
Classic (coaxial or hub-based) Ethernet is a bus network
Analog Signals
Communications occur with a continuous signal that varies in frequency, amplitude, or phase
- Variances occur in a wave shape
- Communication is altered / corrupted over long distances due to interference
Digital Signals
Comms occur through the use of a discontinuous electrical signal and a state change or on / off pulses
- 1s and 0s
- More reliable than analog over long distances, because the signal can be regenerated exactly
- Uses current voltage where voltage ON is 1 and voltage OFF is 0
Synchronous Communication
Rely on a timing or clocking mechanism based on either an independent clock or a time stamp embedded in the data stream
- Typically support high rates of data transfer. EX) network communications
Asynchronous Communication
Rely on start and stop delimiter bits to manage the transmission of data
- Best suited for smaller amounts of data
- EX) Public switched telephone network (PSTN) modems
Baseband
Supports only a single communication channel
- Uses a direct current applied to the cable; a current at a higher level represents the binary signal 1 and a lower level represents 0
- Is a form of digital signal
- EX) Ethernet
Broadband
Can support multiple simultaneous signals; uses frequency modulation to support numerous channels
- Each channel supports a distinct communication session. Suitable for high throughput rates, especially when several channels are multiplexed
- Is a form of analog signal
- EX) TV, cable modem, ISDN, DSL, T1, T3
Broadcast
Technology supports comms to ALL possible recipients
Multicast
Technology supports comms to multiple specific recipients
Unicast
Technology supports only a single comm to a specific recipient
Carrier Sense Multiple Access (CSMA)
Developed to decrease the chances of collisions when 2+ stations start sending their signals over the data link layer. Requires that each station first check the state of the medium before sending
CSMA variations and collisions
CSMA/CA (collision avoidance)
Attempts to avoid collisions by granting only a single permission to comm at any given time. EX) 802.11 Wi-Fi
CSMA variations and collisions
CSMA/CD (collision detection)
Responds to collisions by having each member of the collision domain wait for a short but random period of time before starting the process over. EX) Ethernet (802.3), where the random wait grows with each consecutive collision (binary exponential backoff)
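Added example, not from the flashcards: a simulation of the CSMA/CD random-wait rule using the 802.3 truncated binary exponential backoff (after the nth collision a station waits a random 0 to 2^min(n,10)-1 slot times, and a frame is dropped after 16 consecutive collisions). The station count, the seed and the one-frame-per-slot simplification are assumptions of the demo.

```python
import random

MAX_ATTEMPTS = 16   # IEEE 802.3: a frame is discarded after 16 consecutive collisions
BACKOFF_CAP = 10    # the backoff exponent stops growing after the 10th collision


def backoff_range(collisions: int) -> tuple:
    """Inclusive (low, high) range of slot times a station may wait
    after `collisions` consecutive collisions on the same frame."""
    if not 1 <= collisions <= MAX_ATTEMPTS:
        raise ValueError("collision count out of range")
    return 0, 2 ** min(collisions, BACKOFF_CAP) - 1


def backoff_slots(collisions: int, rng: random.Random) -> int:
    """Pick the random wait for this collision from the allowed range."""
    low, high = backoff_range(collisions)
    return rng.randint(low, high)


def contend(n_stations: int, seed: int = 0) -> dict:
    """Simulate n stations that all sense an idle medium and transmit in slot 0.

    Simplification (assumption of the demo): each slot carries at most one frame.
    A slot with exactly one ready station is a clean transmission; a slot with
    several is a collision, after which each involved station picks its own fresh
    random backoff. A station that collides MAX_ATTEMPTS times gives up."""
    rng = random.Random(seed)                 # seeded so the run is reproducible
    next_slot = [0] * n_stations              # earliest slot each station may transmit in
    collisions = [0] * n_stations             # consecutive collisions per station
    finished = [None] * n_stations            # slot in which the frame went out, or None
    slot = 0
    while True:
        active = [i for i in range(n_stations)
                  if finished[i] is None and collisions[i] < MAX_ATTEMPTS]
        if not active:
            break
        ready = [i for i in active if next_slot[i] <= slot]
        if len(ready) == 1:
            finished[ready[0]] = slot         # sole transmitter: frame goes out cleanly
        elif len(ready) > 1:
            for i in ready:                   # jam signal, then independent backoff
                collisions[i] += 1
                if collisions[i] < MAX_ATTEMPTS:
                    next_slot[i] = slot + 1 + backoff_slots(collisions[i], rng)
        slot += 1                             # idle slots simply pass
    return {"finished_slot": finished, "collisions": collisions, "slots_used": slot}


if __name__ == "__main__":
    result = contend(4, seed=7)
    for i, (sent, hits) in enumerate(zip(result["finished_slot"], result["collisions"])):
        outcome = "gave up" if sent is None else f"sent in slot {sent}"
        print(f"station {i}: {hits} collision(s), {outcome}")
```

The doubling range is what lets the stations separate: after the first collision two stations have only a 50% chance of colliding again, after the third it is 1 in 8, and the cap at 2^10 keeps the worst-case wait bounded. The same mechanism is why a station deliberately ignoring backoff on a shared segment can starve its neighbours.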
Token Passing
Performs comms using a digital token; once a system's transmission is complete, it releases the token to the next system
NOTE
Prevents collisions in ring networks
Polling
Performs comms using a master-slave configuration. The primary system polls each secondary system in turn to ask whether it needs to transmit data.
NOTE
used by Synchronous Data Link Control (SDLC) (layer 2 protocol used by IBM)
Network Segmentation
Intranet
A private network that is designed to host the same information services found on the internet.
Network Segmentation
Extranet
A section of an org's network that has been sectioned off to act as an intranet for the private network but also serves information to the public internet
NOTE
A cross between Internet and Intranet
Network Segmentation
DMZ
An extranet for public consumption is typically labeled a DMZ or perimeter network
Network Segmentation
Reasons for segmentation
- Boosting performance: systems that often communicate are placed in the same segment
- Reducing comm problems: reduces congestion and contains problems within each segment
- Providing security: isolates traffic and restricts user access to those segments where they are authorized
Bluetooth (IEEE 802.15.1)
Is a Personal Area Network (PAN)
- Pairing has the primary device scan the 2.4 GHz band for available devices
- Pairing with a 4-digit PIN helps prevent accidental pairings but is not secure (only 10,000 combinations, easily brute-forced)
Mobile System Attacks
Bluejacking
Annoyance
- Pushing unsolicited messages to nearby Bluetooth devices using a loophole in the technology's messaging options
Mobile System Attacks
Bluesnarfing
Data Theft
- Wirelessly connecting to early Bluetooth-enabled mobile devices without the owner's consent to steal data
Mobile System Attacks
Bluebugging
Grants hackers remote control over the features / functions of a Bluetooth device. Includes ability to turn on device mic and use it as a bug
Service Set Identifier ( SSID ) Broadcast
Wireless networks traditionally announce their SSID on a regular basis with a beacon frame
- When the SSID is broadcast, any device can automatically detect and connect to the network
- Hiding the SSID is considered security through obscurity; it is still detectable through client traffic, since probe requests and association frames carry the SSID in the clear
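Added example, not from the flashcards: parsing the SSID element out of constructed 802.11 beacon and probe-request bodies to show why a hidden SSID is recoverable from client traffic. The frame bodies are built inline (timestamp, interval, capability and rate values are placeholders); a real run would take them from a monitor-mode capture.

```python
import struct

IE_SSID = 0                      # Information Element ID for SSID
IE_SUPPORTED_RATES = 1
BEACON_FIXED_LEN = 8 + 2 + 2     # timestamp | beacon interval | capability info


def parse_ies(tagged: bytes) -> dict:
    """Parse 802.11 tagged parameters (id, length, value) into {id: value}.
    Stops cleanly on a truncated element instead of reading past the buffer."""
    ies, i = {}, 0
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if len(value) < length:          # element claims more bytes than remain
            break
        ies.setdefault(eid, value)       # keep the first occurrence of each ID
        i += 2 + length
    return ies


def is_hidden(ssid_bytes: bytes) -> bool:
    """APs hide the SSID with a zero-length element or one filled with NULs."""
    return ssid_bytes.strip(b"\x00") == b""


def ssid_from_beacon(body: bytes) -> str:
    """SSID advertised in a beacon body; '' when the AP hides it."""
    ssid = parse_ies(body[BEACON_FIXED_LEN:]).get(IE_SSID, b"")
    return "" if is_hidden(ssid) else ssid.decode("utf-8", "replace")


def ssid_from_probe_request(body: bytes) -> str:
    """SSID a client asks for; a wildcard probe has a zero-length SSID,
    but a client of a hidden network must name the network explicitly."""
    ssid = parse_ies(body).get(IE_SSID, b"")
    return "" if is_hidden(ssid) else ssid.decode("utf-8", "replace")


def recover_hidden_ssid(beacon_bodies, probe_bodies) -> set:
    """If any beacon hides its SSID, return the names clients are probing for."""
    if not any(ssid_from_beacon(b) == "" for b in beacon_bodies):
        return set()
    return {s for s in (ssid_from_probe_request(p) for p in probe_bodies) if s}


# Constructed frame bodies (placeholder values, not captured traffic).
def build_beacon_body(ssid: bytes) -> bytes:
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, 100 TU interval, ESS+privacy
    rates = bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return fixed + bytes([IE_SSID, len(ssid)]) + ssid + rates


def build_probe_request_body(ssid: bytes) -> bytes:
    rates = bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return bytes([IE_SSID, len(ssid)]) + ssid + rates


if __name__ == "__main__":
    beacons = [build_beacon_body(b"")]                                   # hidden network
    probes = [build_probe_request_body(b""),                            # wildcard probe
              build_probe_request_body(b"CorpWiFi")]                    # client naming the hidden SSID
    print("beacon SSID:", repr(ssid_from_beacon(beacons[0])))
    print("recovered from client probes:", recover_hidden_ssid(beacons, probes))
```

The beacon with an empty SSID element is exactly what a "hidden" network sends; the client's directed probe request, which it must send to find that network, leaks the name to anyone listening, so hiding the SSID buys nothing against a passive observer.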
Temporal Key Integrity Protocol (TKIP)
Was designed as the replacement for WEP without the need to replace legacy hardware.
- Implemented into 802.11 wireless networking under the name WPA (Wi-Fi Protected Access)
- TKIP is itself now deprecated; use WPA2/CCMP or WPA3
CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
- Created to replace WEP and TKIP/WPA
- Uses AES (Advanced Encryption Standard) with a 128-bit key in CCM mode: counter mode for confidentiality, CBC-MAC for integrity
Fibre Channel
A form of network data storage solution, like Storage Area Network (SAN) or Network-Attached Storage (NAS), that allows for high-speed file transfers
Fibre Channel over Ethernet (FCoE)
Used to encapsulate Fibre Channel comms over ethernet networks
Internet Small Computer System Interface (iSCSI)
A networking storage standard based on IP that carries SCSI commands over TCP/IP; supports CHAP for initiator/target authentication, and should be kept on an isolated storage network
Site Survey
The process of investigating the presence, strength and reach of wireless access points deployed in an environment
Extensible Authentication Protocol (EAP)
Authentication framework that allows new authentication technologies to be compatible with existing wireless or point-to-point connection technologies
Protected EAP (PEAP)
Encapsulates EAP method within a TLS tunnel that provides authentication and potentially encryption
Lightweight EAP (LEAP)
Cisco-proprietary alternative to TKIP for WPA. Developed to address deficiencies in TKIP before the 802.11i/WPA2 system was ratified as a standard. Now considered insecure: its MS-CHAP-based challenge/response is vulnerable to offline dictionary attacks, and Cisco recommends EAP-FAST or PEAP instead