What is Layer 1 (OSI) responsible for?
Transmitting raw bit stream over the physical medium
What does the Physical Layer include?
Only hardware-based components and no protocols
What are the devices for the Physical Layer?
Cables, Hubs, Repeaters, NICs
What is the main function of Layer 2 in the OSI model?
AKA Data Link Layer; Provides node-to-node data transfer; packages data into frames
What are some devices that operate at Layer 2?
Switches, bridges, NICs
Name some protocols associated with Layer 2.
Ethernet, PPP, HDLC, ARP
What is the Ethernet protocol?
A family of standard local networking protocols describing how data should be formatted for transmission between computers on the same network; AKA 802.3; includes the collision protocol CSMA/CD
What is the PPP protocol?
Point-to-Point Protocol: how routers communicate to each other in a P2P scenario; considered legacy; used for dial-up modems, DSL connections, and other point-to-point communication links.
What is the HDLC protocol?
High-level Data Link Control: used to frame data, controlling the flow of data across point-to-point and multipoint communication links; includes error detection and flow control; useful mainly in WANs
What is the ARP protocol?
Links IP addresses to MAC addresses; vulnerable to cyber attack (ARP Spoofing/Poisoning)
What is the main function of Layer 3 in the OSI model?
Network Layer: determines how data is sent to the receiving devices; routing and forwarding of packets
What are some devices that operate at Layer 3?
Routers, Layer 3 switches, Firewalls
Name some protocols associated with Layer 3.
IP, ICMP, IPSec, IGMP, IPX
What is the IP protocol?
The Internet Protocol (IP) is the fundamental communication protocol used for relaying data packets across networks, ensuring they reach the correct destination based on IP addresses. It defines the format of data packets and handles addressing, routing, and fragmentation to facilitate communication between devices on different networks.
What is the ICMP protocol?
The Internet Control Message Protocol (ICMP) is used for sending error messages and operational information, such as when a service is unavailable or a device cannot be reached. It's commonly used by tools like "ping" to test network connectivity and diagnose communication issues.
What is the IPSec protocol?
IPSec (Internet Protocol Security) is a protocol suite used to secure IP communications by authenticating and encrypting each IP packet in a data stream. It provides secure, private communication over IP networks, such as the internet, and is commonly used in Virtual Private Networks (VPNs).
What is the IGMP protocol?
The Internet Group Management Protocol (IGMP) is used by devices and routers on a network to manage membership in multicast groups, enabling efficient transmission of data to multiple recipients simultaneously. It helps optimize network traffic by ensuring that only devices interested in receiving multicast data are sent those transmissions.
What is the IPX protocol?
The Internetwork Packet Exchange (IPX) protocol was used primarily in Novell NetWare networks for routing data packets between devices. It provided fast, connectionless communication but has largely been replaced by the more universal TCP/IP protocol suite in modern networks.
What is layer 4 of the OSI model?
Transport Layer: provides transparent transfer of data between end systems, or hosts, and is responsible for end-to-end recovery and flow control
What are the protocols associated with the Transport Layer?
TCP, UDP
What is the TCP protocol?
Transmission Control Protocol (TCP) is a communications standard that allows computing devices and application programs to exchange messages over a network. It's a transport protocol that works on top of Internet Protocol (IP) to ensure that packets are transmitted reliably.
What is the UDP protocol?
UDP is the User Datagram Protocol and is based on datagrams. Mainly, it is used for multicasting and broadcasting. Its functionality is almost the same as the TCP/IP protocol except for the three-way handshake and error checking. It uses a simple transmission without any handshaking, which makes it less reliable.
What is Layer 5 of the OSI model?
Session Layer: manages sessions between applications; establishes, manages, and terminates connections between applications
What are the protocols associated with the Session Layer?
NetBIOS, PPTP, SMB, NFS
What is the NetBIOS protocol?
Network Basic Input/Output System is a legacy network protocol that enables communication between computers and devices within a local area network (LAN). Originally developed by IBM in the early 1980s, NetBIOS was widely used in earlier versions of Microsoft Windows operating systems and networks; SUPERSEDED BY SMB AND DNS
What is the PPTP protocol?
Point-to-Point Tunneling Protocol enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks.
What is the SMB protocol?
The Server Message Block (SMB) protocol is a client-server communication protocol that is used for shared access to files, directories, printers, serial ports, and other resources on a network.
What is the NFS protocol?
The Network File System (NFS) protocol allows a user on a client computer to access files over a network in the same way they would access a local storage file; open source
What is Layer 6 of the OSI Model?
Presentation Layer: translates data between the application layer and the network format; data encryption and compression occurs here
What are the protocols associated with the Presentation Layer?
SSL, TLS, JPEG, MPEG
What is the SSL protocol?
Secure Sockets Layer (SSL) is a communication protocol that encrypts data and establishes a secure connection between two devices or applications on a network; often used to secure communications between a client and a server, such as a website and a browser, but it can also be used to secure email, VoIP, and other communications; SUPERSEDED BY TLS
What is the TLS protocol?
Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website; SUPERSEDES SSL
What is the JPEG protocol?
JPEG, which stands for Joint Photographic Experts Group, is a standardized file format for digital images that uses lossy compression to save space.
What is the MPEG protocol?
The MPEG protocol is a digital container format that can be used to transmit and store audio, video, and Program and System Information Protocol (PSIP) data. MPEG is a popular audio and video compression technique.
What is Layer 7 of the OSI model?
Application Layer; serves as the window for users and application processes to access network services
What are devices considered at Layer 7 of the OSI model?
Gateways, Proxies
What are the protocols associated with the Application Layer?
HTTP, FTP, SMTP, DNS, DHCP, TELNET
What is the HTTP protocol?
Hypertext Transfer Protocol (HTTP) is the foundation of the World Wide Web, and is used to load webpages using hypertext links. HTTP is an application layer protocol designed to transfer information between networked devices and runs on top of other layers of the network protocol stack; vulnerable (unencrypted), so now people use HTTPS (HTTP running over TLS)
What is the FTP protocol?
File Transfer Protocol (FTP) is a standard network protocol used for the transfer of files from one host to another over a TCP-based network, such as the Internet; vulnerable (unencrypted), so now people use SFTP (file transfer over the SSH protocol)
What is the SMTP protocol?
Simple Mail Transfer Protocol (SMTP) is a communication protocol that allows users to send and receive email messages over the internet
What is the DNS protocol?
Domain Name System (DNS) protocol is a core network service that allows users to navigate the internet using domain names instead of IP addresses. DNS translates domain names into IP addresses so that web browsers can load internet resources
What is the DHCP protocol?
Dynamic Host Configuration Protocol (DHCP) is a networking protocol for dynamically assigning IP addresses to each host on your organization's network. DHCP also assigns Domain Name System (DNS) addresses, subnet masks, and default gateways; VULNERABLE
Why does the DHCP protocol attract cyber attacks?
It can only assign a certain number of IP addresses -> attackers can overwhelm the DHCP server by attempting to connect multiple devices to the network
It automatically assigns IP addresses without checking the device requesting to connect to the network
Unauthorized DHCP servers can provide wrong information to clients
Unauthorized clients can also intercept DHCP servers and gain information about resources
*** More secure to disable DHCP and have a security admin allocate IP addresses to devices in the network
What is the TELNET protocol?
Protocol that allows you to connect to remote computers (called hosts) over a TCP/IP network; manage devices remotely over the internet or other networks; SUPERSEDED BY SSH
What is the acronym to remember the OSI model?
APSTNDP; All People Seem To Need Data Processing
What is Layer 1 of the TCP/IP Model?
Link or Network Interface Layer; handles physical and logical connections to hardware; responsible for how data is physically transmitted over the network, including defining the electrical, mechanical, procedural, and functional specifications for activating, maintaining, and deactivating the physical link between communicating network systems
What are the devices associated with the Link/Network Interface Layer?
NICs, Switches, Other networking hardware
What are the protocols associated with the Link/Network Interface Layer?
Ethernet, ARP, PPP
What is Layer 2 of the TCP/IP model?
Internet/Network Layer: provides internetworking, addressing and routing; responsible for sending packets from any network, and they can pass through multiple routers to reach any other network
What are the devices associated with the Internet/Network Layer?
Routers, Layer 3 switches
What are the protocols associated with the Internet/Network Layer?
IP, ICMP, IPSec, IGMP
What is Layer 3 of the TCP/IP Model?
Transport Layer; responsible for end-to-end communication services for applications; provides services like connection-oriented communication, reliability, flow control, and multiplexing
What are the protocols associated with the Transport Layer of the TCP/IP model?
same as the ones in the OSI model: TCP and UDP
What is Layer 4 of the TCP/IP model?
Application Layer: closest to end user; both end-user and application layer processes interact with the transport layer to send and receive data; provides application services for file transfers, e-mail, and other network software services
What are the protocols associated with the Application Layer of the TCP/IP Model?
HTTP, FTP, SMTP, DNS, DHCP, SNMP
What is the SNMP protocol?
Simple Network Management Protocol (SNMP) is an internet standard protocol used to monitor and manage network devices connected over an IP network. SNMP is used for communication between routers, switches, firewalls, load balancers, servers, CCTV cameras, and wireless devices; considered layer 7 of the OSI model and layer 4 of the TCP/IP model
What is the ping command?
Windows/Linux; sends an ICMP echo request and listens for a reply; if a reply is received it displays the round-trip time and the Time To Live (TTL) left; useful for troubleshooting network performance issues
What is the traceroute command?
Linux; traces the route an IP packet takes to its destination; displays each hop (next router) in a numbered list with the hop address and time to receive the packet; useful for troubleshooting; STALKER
What is the tracert command?
Windows version of the traceroute; STALKER
What is the tracepath command?
Linux; similar to traceroute, but it is available to every user instead of just the superuser; STALKER RATED E FOR EVERYONE
What is the ipconfig command?
Windows
It provides the user with the IP address, subnet mask, and default gateway for each network adapter.
Identifies misconfigured network settings or discrepancies among the IP, DNS, or default gateway addresses
Examines the DNS cache as evidence of possible communication to malicious domains, and can clear the DNS cache
It can be used to release all connections and renew all adapters (e.g. via the /release command)
Can feed the ping or tracert commands by finding the IP address from this command
What is the ifconfig command?
Linux; similar to ipconfig
Run at boot time to configure kernel network interfaces; also used in debugging or tuning
What is the arp command?
Windows & Linux; Address Resolution Protocol; displays the IP-to-MAC address mapping for hosts discovered in the ARP cache; used to add, remove, and modify entries in the ARP cache
What is the netstat command?
Windows & Linux
-an, -b, and -e
Displays info about network adapters, active ports, and their state; useful for troubleshooting
What is the netstat -an command?
Displays all the connections and their states
What is the netstat -b command?
Shows all the executable files that are involved in the connections; can use this information to look for connections that use ports not associated with any known service or application
What is the netstat -e command?
Shows the number of failed or discarded network packets -> can indicate a network problem or an attack
What is the dig command?
Linux & Windows pre 10 (otherwise must install)
Used to query DNS name servers; looks up and displays the answers from the query; provides more thorough information than nslookup
What is the nslookup command?
Windows & Linux
Displays and troubleshoots DNS info/problems; displays name-to-IP address mappings
What is the whois command?
Windows & Linux
Looks up who owns a domain or block of IP addresses; shows name, email, and physical address, but the info may be private
What is the route command?
Windows & Linux
Displays the current routing tables on the host, or adds or removes routes; determines where to send traffic (0.0.0.0 is the default gateway, where the router sends things not defined in the routing table); can be used to manually enter the default gateway for a computer; GPS for network traffic
What is the scp command?
Linux; Secure Copy Protocol; used to securely copy files between servers, using SSH (Secure Shell) for auth and encryption; simpler than FTP (for local and remote hosts)
What is the ftp command?
Windows & Linux; copies file(s) from one host to another; data is unencrypted, but FTPS uses SSL/TLS if encryption is needed; uses TCP for reliability
What is the tftp command?
Windows (if enabled) & Linux
Trivial File Transfer Protocol: transfers a file either way between a client and a server using UDP (User Datagram Protocol); only used on reliable (local) networks; its only ability is to upload and download files, without the ability to see which files exist or manage them; no authentication procedures; uses port 69/UDP
What is the finger command?
Linux
Displays info about user(s) on a remote system, including login time and username
What is the nmap command?
Linux & Windows
Network Mapper; scans networks to find hosts and open ports
What is the tcpdump command?
Linux; displays TCP/IP and other packets transmitted over the network; a form of protocol analyzer (sniffer), designed to show the contents of network packets in a human-readable form for troubleshooting, security, etc.
What is the telnet/ssh command?
Allow a user to manage accounts and devices remotely; the main difference is that SSH is encrypted (more secure)
What is the cat command?
Allows you to create single or multiple files, view the content of a file, concatenate files, and redirect output to terminals or files
What is Wireshark?
Tool used to capture packets as they go across the network; can help with troubleshooting networks that have performance issues
What is SQL injection?
Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application; Layer 7
What is the mitigation against SQL injection?
Review source code & validate all user-entered data
Firewall: use reverse proxy system and scan incoming packets for malicious behavior
Enable NX-bit (no-execute) functionality on physical computer
What is Buffer Overflow?
Layer 7; similar to SQL injection
Entering too much information into the input box, which causes the app to crash or causes other damage
What is the mitigation to Buffer Overflow?
Coding to reject input that is too long
Firewall: prevents suspicious data from being sent
Enable NX-bit (no execute) functionality on physical computer
What is the MITM attack?
A MITM or Man-in-the-Middle is a type of attack where an attacker intercepts communication between two persons. The main intention of MITM is to access confidential information.
What is the mitigation for a MITM attack?
Uses IP spoofing at its base, but gains control by choosing sessions from one or more layers to be hijacked
IPS or IPSec protocol can help
What is ARP Spoofing/Poisoning?
Attacker sends fake ARP messages to a network; tricks devices into sending data to the wrong MAC address
How to mitigate against ARP Spoofing/Poisoning?
Use packet filtering with web application firewalls
Monitor network traffic for unusual ARP messages
Use a VPN
What is VLAN Hopping?
Method of attacking networked resources on a virtual LAN (VLAN); the attacking host on one VLAN gains access to traffic on other VLANs that would normally not be accessible; occurs at Layer 2 of the OSI model
How to mitigate against VLAN Hopping?
Configure the switch Access Control File
What is a DoS attack?
A denial of service attack; a form of active attack where a hacker tries to stop users from accessing a part of a network or a website. They often involve flooding the network with useless traffic, making it slow or inaccessible; usually with TCP or UDP packets
How to mitigate against a DoS/DDoS attack?
DDoS attack blocking, AKA blackholing
A method used by ISPs to stop a DDoS attack on one of their customers
What is a DDoS attack?
Distributed Denial of Service; An attacker recruits zombie systems ahead of time to simultaneously release a flood of traffic at a specific target; targeted network is then bombarded with packets from multiple locations
What is the Ping of Death?
The attacker pings the target & sends an ICMP packet over the maximum of 65,535 bytes, causing the victim's system to crash or stop functioning; causes a buffer overflow and crashes; occurs at Layer 3
How to mitigate against Ping of Death?
Update Operating Systems
Configure the Web Application Firewall to drop malformed packets
What is the Ping Flood?
Starts with a Ping Sweep***
The attacker overwhelms the victim's computer with a large number of ICMP echo requests (pings)
What is the Ping Sweep?
Information gathering technique used by attackers to ID live hosts by pinging them; usually followed by a Ping Flood***
How to mitigate against Ping Sweep/Flood?
Configure the firewall to disallow pings (stops outside attacks, not inside)
Use intrusion prevention systems at the network and host levels
What is a SMURF attack?
Spoofs the source address and uses directed broadcasts to launch attacks through an amplifying network
How to mitigate against SMURF attack?
Disable IP-directed broadcasts on your router
Reconfigure your operating system to disallow ICMP responses to IP broadcast requests
Reconfigure the perimeter firewall to disallow pings originating from outside your network