course 2

tcp/ip model

transmission control/ internet protocol and is a set of protocols used to connect network devices to each other. practical application

APPLICATION LAYER

TRANSPORT LAYER

NETWORK LAYER

NETWORK INTERFACE LAYER

Application Layer (TCP/IP)

This layer is responsible for the communication protocols between nodes. The protocols: HTTP/HTTPS, SSH, NTP

Transport Layer (TCP/IP)

This layer is responsible for the end-to-end transport of data. The protocols: TCP, UDP

Network Layer (TCP/IP)

This layer defines the logical transmission protocols for the whole network. protocols: IP, ICMP, ARP

Network Interface Layer (TCP/IP)

This layer establishes how data should be physically sent through the network.

OSI Model

seven-layer architecture that organizes the sending of data from hosts across a network. provide greater granularity of networking assignments within the model.

Physical Layer (OSI)

This layer is responsible for the physical connections of the devices in the network. This layer is implemented through the use of devices such as hubs, repeaters, modem devices, and physical cabling

\
bits

Data Link Layer (OSI)

This layer is responsible for the error-free delivery of data to the receiving device or node. This layer is implemented through the use of devices such as switches and bridge devices, as well as anything with a network interface, like wireless or wired network cards, MAC addresses

\
frames

Network Layer (OSI)

This layer is responsible for the transmission of data between hosts in different networks as well as routing of data packets. This layer is implemented through the use of devices such as routers and some switches.

packets

Transport Layer (OSI)

This layer provides services to the application layer and receives services from the network layer. It is responsible for the reliable delivery of data. It segments and reassembles data in the correct order for it to be sent to the receiving device. It may also handle the reliable delivery of data and any retries of data that are lost or corrupted (for example, TCP does this). This layer is often called the heart of OSI.

\
segments/datagrams

Session Layer (OSI)

This layer is responsible for connection establishment, session maintenance, and authentication.

\
data

Presentation Layer (OSI)

his layer is responsible for translating data from the application layer into the format required to transmit the data over the network as well as encrypting the data for security if encryption is used.

data

Application Layer (OSI)

This layer is responsible for network applications (like HTTP or FTP) and their production of data to be transferred over the network.

\
data

osi layers

**Layer 7** \n You open a web browser on your laptop and type www.wgu.edu into the search bar.

\
**Layer 6** \n The command is then sent to Layer 6 to be encrypted as it is sent (and decrypted when received by the webserver).

**Layer 5**

Establishes the connection between your laptop and WGU’s server and maintains it while you accomplish your tasks on the website.

**Layer 4**

Data is transferred and is then segmented and numbered to send the data across the network in sizes the network can handle (typically around 1,500 bytes maximum) and to reassemble it in the correct order by the webserver.

**Layer 3**

Receives the segments and transmits them across the network as packets. As you are accessing the website, Layer 3 adds the source and destination IP addresses to each individual data packet. The destination IP address will be the router on the network that will move data off the local network. The series of routers between that router and the destination server will determine how the packet is moved across various networks between them.

**Layer 2**

Receives the packets and adds physical addressing by adding sender and receiver MAC addresses to each data packet. This information forms a unit called a frame.

**Layer 1**

Receives the frames and data and sends them via the local media (copper wires, fiber-optic cables, etc.) to the switches, routers, etc., along the network path. All of this takes a matter of microseconds to achieve.

modem

is a device necessary for sending and receiving data. Modems allowcomputers to transport digital information over analog lines, such as phone or cable lines. Types of modems include cable modems, DSL modems, and satellite modems.

router

point of connection between two or more networks that forwards data packets between networks. To have internet in your home, you need an internet router that connects the networks on the internet to the network of your home. You can access the internet’s network either through a wired Ethernet port of via Wi-Fi.

switch

used to connect devices in a specific network and allows them to communicate efficiently within the network. A switch is a more complex version of a hub, in that switches have the capability to add security measures and function far more intelligently, sending traffic directly from the sender to the receiver without the other devices being aware of the communication. Thus, a switch is less chatty and allows for more simultaneous conversations between devices. Most internet routers include a switch in the form of wired or wireless Ethernet connections.

Bridge

A bridge is similar to a router in that it connects two or more networks. The difference is that the router analyzes data packets to determine where to send the packet next, whereas a bridge simply forwards the data to the next network without analysis. This make for fast data transfer that lacks versatility. Bridges are not widely used in modern networks, as routers and switches are the favored devices.

repeater

device used to strengthen, replicate, and regenerate signals that are weakened (for example, because of distance) during transmission. In many large homes, the Wi-Fi signal does not extend to the end of the house farthest from the router. A range extender is a form or repeater that takes the distorted Wi-Fi signal and transmits is to the formerly dead zone.

Hub

connects the router to the network, takes the data packets from the router, and sends them to all of the devices connected on the network. An example is a USB hub. By connecting a USB hub to your computer, data packets are able to be transferred to multiple devices connected to your computer; each device then looks at only the traffic destined for it and ignores the rest.

UTP (unshielded twisted pair)

pairs of wires are twisted around each other to protect and cancel out interference from each other and outside sources.

invented by Alexander Graham Bell in 1881 for phones and are still used today

cat cables

cat3

10 Mbps (Megabits per second) for up to 100 meters and is commonly used for phone lines today.

Cat4

supports 16 Mbps for up to 100 meters and is not commonly used today.

Cat5

used in Ethernet LANs containing two twisted pairs allowing for up to 100 Mbps up to 100 meters between the device and the switch, hub, or router. This has been practically replaced by the Cat5e specification.

cat5e

doubles the number of twisted pairs to four for up to 1 Gbps (Gigabits per second) over up to 100 meters.

cat 6

used in Ethernet LANs and data centers.

made up of four tightly woven twisted pairs

supports 1 Gbps for up to 100 meters or 10 Gbps for up to 55 meters.

cat 6a

used in Ethernet LANs and data centers.

made up of four tightly woven twisted pairs

10 Gbps over 100 meters

rj11

utp connector that supports two pairs of wires (four total); typically used in telephones.

rj45

utp end connector typically used with Ethernet cables and supports four pairs (eight wires).

coax cable

analog cables made of copper but specifically engineered with a metal shield intended to block signal interference. cable tv.

fiber optic cable

use glass or plastic threads within cables to transfer the data using light (lasers or LEDs) as opposed to traditional metal cables using electricity. carry more data. transfer data digitally instead of needing to convert data between binary and analog and back using metal cables. more protected for outdoors

single mode cable

made up of one single glass or plastic fiber. ability to carry higher bandwidth for 50 times the distance of a multimode cable. requires higher cost electronics to create the light and thus is typically used for longer distances (hundreds or thousands of kilometers) and higher bandwidth applications.

multimode cable

wider in diameter due to light modes being sent across the cable. highly effective over medium distances (500 meters or less at higher speeds) and are generally used within a LAN. They are also less expensive due to the potential for use with LEDs and other lower-cost options for creating the light.

st connector (straight tip)

most commonly used connector with multimode fiber until the mid-2000s. It was used on campuses, corporate networks, and for military purposes. not as popular anymore

lc connector (lucent connector)

smaller version of the (SC). This supports more ports to be used in the same space. This is probably the most common type used in corporate data centers today and is usually used with SFP (small form-factor pluggable) transceivers.

**Crossover cable**

used to connect two computing devices of the same type directly to each other. In computers, this is accomplished via their network interface controllers (NIC) or switches.

the transmit connector on one end of the wire is connected to the receive connector on the other. These cables are used much less today, as many standards have the built-in capability to try straight through and then crossover if communication does not take place.

patch cable

used to connect a device to a wall outlet, for example. The wall outlet is wired to another patch panel in the networking closet, and that networking panel is wired into a switch. These cables can also be used to wire servers in a rack to the top-of-rack (ToR) switch. Patch cables look similar to crossover and UTP cables.

802\.3

IEEE Standards for Wired Ethernet Networks

802\.11

IEEE Standards for Wireless Networks

ping

one of the most basic tools for testing connectivity to other hosts useful in troubleshooting connectivity with other devices

traceroute(linux)/tracert(windows)

used to trace the route an IP packet takes to a destination displays each hop (next router) in a numerical list. can be useful in determining where a ping fails, troubleshooting performance issues, and other aspects regarding connectivity.

tracepath

is similar to traceroute or tracert in that it displays the path taken by a packet from its source to its destination. This command is useful because it can be used by any user instead of needing superuser privileges. It is primarily used in Linux.

ipconfig

windows. provides the user with the IP, subnet mask, and default gateway for each network adapter by default with the /all option information, such as MAC address, DHCP status, and lease information.

ifconfig

linux. used to configure the kernel network interfaces. It is implemented at the time of booting to configure the necessary interfaces. Once the interfaces are configured, it is used for debugging or tuning the system.

arp

displays the IP to physical (MAC) address mappings for hosts that have been discovered in the ARP cache. ARP can be used to add, remove, or modify entries in the ARP cache.

netstat

displays information about active ports and their state and can be useful in troubleshooting and capacity management. It is available in Windows, MacOS, and Linux.

nslookup

displays information for displaying DNS information and troubleshooting DNS problems. It is useful in displaying names to IP address mappings.

dig

is a command used to query the DNS name servers. It is helpful in troubleshooting DNS problems. It is also used for lookups and will display answers from the query. It is a replacement for nslookup.

whois

linux. a tool most often used to look up who owns a domain or block of IP addresses on the internet, including name, email address, and physical address. However, there are many privacy options that hide this information from being returned.

route

used to display the current route tables on a host. Can also be used to add or remove routes. This is used by the local host to determine where to send traffic (0.0.0.0 means the default gateway, where the router sends things if it is not otherwise defined in the routing table).

scp (secure copy protocol)

command is used to securely copy files between servers, leveraging SSH (secure shell) for authentication and encryption.

ftp

data is unencrypted copies the file from one host to another host

ftps (file transfer protocol secure)

___________encryption is needed uses SSL/TLS (Secure Sockets Layer, replaced by Transport Layer Security

tftp

transfers a file from either a client to a server or from a server to a client using UDP (user datagram protocol) instead of TCP, and so it is usually used on reliable (local) networks.

finger

displays information about a user or users on a remote system, including things such as last log-in time and username. It is primarily used in Linux.

nmap

scans networks to see what it can find in terms of hosts and open ports commonly used to determine what is deployed on a network for vulnerability analysis, security scans, and related activities. is not native to either Linux or Windows but can be downloaded for free and used with both.

tcpdump

displays TCP/IP packets and other network packets that are being transmitted over the network system. It is a form of protocol analyzer (sometimes called a sniffer) and is designed to show the contents of network packets in human-readable form for troubleshooting, security analysis,

telnet/ssh

allow a user to manage accounts and devices remotely. The main difference between the two is that SSH is encrypted, and thus all data is secure from eavesdropping, while telnet is unencrypted.

pan

a network that is centered around a person and their devices.

LAN

consists of computers connected within a limited area

wlan

A wireless local area network. Users and devices can be placed anywhere and move anywhere in the coverage area. This is a popular choice for small businesses, as it is easy and inexpensive to install and allows guests to use the network as well with a hotspot service.

SAN

storage area network. a network that allows access to storage devices specifically instead of the more general networking that can be used for any purpose.

can

\n provides networking of multiple LANs across a limited area, like a university campus or a group of buildings owned by a company.

man

\n provides networking across a larger area than a CAN, but smaller than a WAN, such as a whole city or the equivalent of a metropolitan area (hence the name), though it is not necessarily limited by city boundaries.

wan

is similar to a LAN, except that it covers a large geographical area within its network.

Peer-to-Peer

\n there is no individually designated server or client. Each machine on the network can act as both server and client, sometimes requesting data from other nodes and sometimes answering requests from others.

IaaS

refers to the physical servers, storage, and networking that is required to exist before you can create any virtual servers or install any applications.

PaaS

a platform on which to deploy your application or you simply need a database without the hassle of managing the server the cloud provider is responsible for the virtual servers and, in some cases, the services that run on top of them, such as a database engine, and provides you with a platform on which you can run your code or store your data.

SaaS

represent nearly anything you consume over the internet. A few examples include social media (Facebook), word processing (Office 365), and a line of business applications (Salesforce). Even now, you are using this solution to view this course and read this text. This allows consumers to store and potentially publish information without the need to manage the underlying applications or infrastructure.

asset

\n A person, device, location, or information that SecOps aims to protect from attack.

attack

An action taken by a threat that exploits a vulnerability that attempts to either block authorized access to an asset, or to gain unauthorized access to an asset.

risk

The potential of a threat to exploit a vulnerability via an attack

secops

IT security operations; a discipline within IT responsible for protecting assets by reducing the risk of attacks.threat

threat

Something or someone that can exploit a vulnerability to attack an asset.

vulnerability

A weakness in software, hardware, facilities, or humans that can be exploited by a threat.

spoofing

This is a man-in-the-middle attack where the attacker impersonates the sender and receiver of the traffic.

wiretapping

This form of attack can include putting special taps in-line with a computer's network cable and then using a packet sniffer to listen and record the traffic on the network.

Social Engineering

This is the act of manipulating human trust to gain access or information. Examples include impersonation and phishing.

Smurf attack

An attack that broadcasts a ping request to all computers on the network yet changes the address from which the request came to that of the target.

Honeypot

a server or device that is configured to look very authentic, potentially containing data that appears to be legitimate user data, or configuration files that seem authentic. Sometimes known as a "tar pit"

brute force attack

the password cracker tries every possible combination of characters

zero-day attack

Attack that exploits previously unknown vulnerabilities, so victims have no time (zero days) to prepare for or defend against the attack.

Vulnerability Testers

is responsible for scanning servers and network devices for known vulnerabilities. There are a variety of vulnerability scanning tools on the market. Some are open source, such as Nessus, whereas most are commercial products.

red team

attempts to compromise the security,

blue team

defends

purple team

the red and blue team engage, and then when certain success criteria are met, the teams debrief, cross-train each other, and repeat.

White hat

IT professionals who specialize in penetrating or compromising network security but only to help an organization improve its own security posture.

black hat

may or may not be IT professionals but possess the knowledge and will to breach systems for profit. That profit may be monetary, street credibility, or just a source of entertainment.

gray hat

a group of people who may or may not be IT professionals and may or may not choose to break laws in pursuit of their hacking goals.

Script Kiddies

are the copycat criminals of the hacking community. They typically hack out of pure curiosity or entertainment and often use poorly documented tools or scripts written by much more advanced hackers.

port scanning

can systematically check each of these ports by sending thousands of TCP/IP packets to the victim's computer, each packet on a different TCP port.

ARP poisoning

which is a method attackers use to cause an Ethernet switch to flood all traffic to every port on the switch, including the attacker's computer.

denial of service

they deny someone access to a service, usually by overwhelming the victim with enormous amounts of useless traffic.

ping flood attack

overwhelms a victim's computer with an immense volume of ICMP echo-request packets, all containing a forged, randomized source address.

Phishing

\n a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail

CIA

confidentiality, integrity, availibility

firewalls

hardware, software, or both designed to prevent unauthorized persons from accessing electronic information.

**Packet Filter Firewalls**

operates at Layers 3 and 4 of the OSI network model: network and transport. These firewalls inspect incoming (ingress) and outgoing (egress) traffic and compare the following attributes to a database of packet filter rules that determine if the firewall will forward (allow) or drop (deny) the traffic:

Stateful Inspection

Automatically creates rules to permit traffic based on communication type. Operates at OSI layer 3-5

IDS (Intrusion Detection System)

Monitors the network to detect threats. Listens passively on the network. Alerts network admin of any detected suspicious behavior.