Requirements to Communicate on a Network (Layer 2 and Layer 3)
• Internet Protocol (IP) Address, aka logical address (Layer 3)
• Subnet Mask, required to identify which network the device belongs to and therefore whether a destination is local (delivered directly by MAC address) or remote (handed to the default gateway)
• Media Access Control (MAC) Address, aka Ethernet or hardware address (Layer 2). A 48-bit identifier assigned to the Network Interface Card (NIC); the first 24 bits (OUI) identify the vendor. It is unique by manufacturer convention only and can be changed in software, so it must not be relied on as a security identity (MAC-based filtering is trivially bypassed by spoofing).

Common Terms
• Broadcast Domain: Logical division of a computer network in which every node can reach every other node with a Data Link layer broadcast, aka a LAN (or, on a switch, a VLAN). Routers form the boundaries between broadcast domains; switches and hubs do not.
• Autonomous System (AS): A collection of routers whose prefixes and routing policies are under common administrative control, identified by an AS number. Could be an ISP, a large company, a university, a division of a company, or a group of companies.
• Network ID / Host ID: With IP = 192.168.1.238 and subnet mask 255.255.255.0 (/24), the Network ID is 192.168.1.0 and the Host ID is 238. The split depends entirely on the mask; the same address with a /16 mask has Network ID 192.168.0.0 and Host ID 1.238.

Protocol Data Unit (PDU)
A single unit of information transmitted among peer entities of a computer network. A PDU is composed of protocol specific control information and user data. In the layered architectures of communication protocol stacks, each layer implements protocols tailored to the specific type or mode of data exchange.
• PDU Encapsulation
○ Layer 1 = Bits
○ Layer 2 = Frames
○ Layer 3 = Packets
○ Layer 4 = Segments
○ Layers 5-7 = Data
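The encapsulation list above, carried out in code: this is an added example (not part of the original notes) that builds a UDP segment, wraps it in an IPv4 packet, wraps that in an Ethernet frame, and then peels the layers off again, verifying the IPv4 and UDP checksums on the way back. The MAC addresses, IP addresses, ports and payload are constructed sample values; the frame omits the FCS, which the NIC adds.

```python
import struct

# Added example (not from the original notes): encapsulate a UDP datagram
# layer by layer (L4 segment -> L3 packet -> L2 frame), then decapsulate it.
# Addresses, ports and payload are constructed sample data.


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    # Layer 4: UDP segment. The checksum covers a pseudo-header with the IP
    # addresses, so a datagram delivered to the wrong host fails the check.
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 17, len(udp))
    csum = inet_checksum(pseudo + udp) or 0xFFFF   # RFC 768: a computed 0 is sent as 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    # Layer 3: IPv4 packet, 20-byte header without options, protocol 17 = UDP,
    # identification 0x1234, DF flag set (0x4000), TTL 64.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                      64, 17, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    # Layer 2: Ethernet II frame, EtherType 0x0800 = IPv4. The NIC appends the FCS.
    return struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), 0x0800) + hdr + udp


def parse_frame(frame: bytes) -> dict:
    """Decapsulate: one dict entry per PDU (frame, packet, segment, data)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: 0x%04x" % ethertype)
    pkt = frame[14:]
    ihl = (pkt[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:            # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    pkt = pkt[:total_len]                        # drop any Ethernet padding
    if proto != 17:
        raise ValueError("not UDP: protocol %d" % proto)
    seg = pkt[ihl:]
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", seg[:8])
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 17, ulen)
    if ucsum and inet_checksum(pseudo + seg[:ulen]) != 0:
        raise ValueError("bad UDP checksum")
    return {
        "frame": {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype},
        "packet": {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
                   "ttl": pkt[8], "proto": proto},
        "segment": {"sport": sport, "dport": dport, "len": ulen},
        "data": seg[8:ulen],
    }


def is_valid(frame: bytes) -> bool:
    """True if every layer parses and both checksums verify."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    f = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                    "192.168.1.238", "192.168.1.1", 40000, 53, b"hello")
    print(len(f), "bytes on the wire:", parse_frame(f))
```

The frame is 14 + 20 + 8 + 5 bytes: each layer's header is the "protocol specific control information" of the definition above, and each layer sees everything above it as opaque user data. Flipping a single bit in the IPv4 header or the payload makes `is_valid` return False, which is all a checksum buys you: it detects accidents, not tampering, since an attacker recomputes it.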

LAN Collision
• Carrier Sense Multiple Access (CSMA): listen before transmitting; the two variants differ in what happens when two stations transmit at once
○ CSMA/CD - Collision Detection
§ Used on half-duplex, shared-medium Ethernet (coaxial segments and hubs). A station keeps listening while it transmits; if it detects a collision it sends a jam signal and retries after a random back-off. Full-duplex switched Ethernet has no shared medium and therefore no collisions, so CSMA/CD is disabled on full-duplex links.
○ CSMA/CA - Collision Avoidance
§ Used on 802.11 wireless, which is always half-duplex. A radio cannot reliably hear a collision while it is transmitting, so collisions must be avoided rather than detected: wait until the channel is idle, back off for a random interval (optionally reserve the medium with RTS/CTS), and treat a missing acknowledgement as a lost frame.

Hardware Key Terms
• Hub - Layer 1 - Repeats every bit out of every port; one collision domain and one broadcast domain (every device on the chassis hears all traffic)
• Switch - Layer 2 - Micro-segments: each port is its own collision domain and unicast frames are forwarded only to the port where the destination MAC was learned. Other devices still see broadcasts, multicasts and unknown-unicast floods, and a switch whose MAC table has been flooded full falls back to hub-like behaviour.
• Router - Layer 3 - Forwards packets based on the destination IP address and its routing table; drops what it has no route for (and whatever its access control lists deny)
• Firewall - Layer 3/4 and above - Adds to a router stateful inspection and policy based on the services (ports, protocols, connection state and, for next-generation firewalls, application content) that are allowed between zones

Virtual LAN (VLAN)
• Manages micro-segments in switch software: a VLAN is a separate broadcast domain inside one chassis, which gives greater security within a switch (traffic cannot cross VLANs without passing through a router or Layer 3 switch, where it can be filtered)
• Implemented by tagging (IEEE 802.1Q). An access port belongs to one VLAN and carries untagged frames. When the switch sends a frame across a trunk link to another switch it inserts a tag carrying the VLAN ID; the receiving switch reads the tag, knows which VLAN the frame belongs to, and strips the tag again before delivering it to an access port. This repeats on every trunk between source and destination. The tag is a 4-byte header inside the Ethernet frame, inserted and removed by the switch hardware, so end hosts never see it.

Types of VLANs
• Default VLAN
○ After initial boot up, all switch ports are members of the default VLAN, which is VLAN 1, and the Management and Native VLANs are also set to 1 by default. VLAN 1 cannot be deleted and carries control traffic such as CDP, VTP and STP. Best practice is to move the Management and Native VLANs to separate dedicated VLANs and to keep user ports out of VLAN 1.
• Data VLAN
○ Aka user VLAN. This is configured to carry only user-generated traffic. It's important to separate the Data VLAN from other VLANs for proper switch management and control.
• Native VLAN
○ Assigned to an 802.1Q trunk port. The trunk port places untagged traffic (frames arriving without a VLAN tag) on the Native VLAN and sends the Native VLAN's own frames across the trunk without a tag. Both ends of a trunk must agree on the Native VLAN, otherwise frames leak from one VLAN into another. Because native-VLAN frames travel untagged, a host on the native VLAN can craft double-tagged frames that the next switch delivers into a different VLAN (VLAN hopping); mitigate by using an otherwise unused VLAN as native and, where the platform supports it, tagging the native VLAN on trunks.
• Management VLAN
○ Any VLAN you configure to access the management capabilities of a switch.
• Voice or VoIP VLAN
○ Configured to carry voice traffic. Voice VLANs are typically given transmission priority over other types of network traffic to ensure quality.
• Black Hole VLAN
○ Term used for a VLAN configured for unused ports. This is a security practice: the VLAN has no route or default gateway to other networks within your organization or to the Internet, so a device plugged into an unused port gets nowhere. Also administratively shut down unused ports and keep them out of VLAN 1.
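The trunk and native VLAN behaviour described above, as an added example that is not part of the original notes: a minimal model of how a switch classifies a frame arriving on an 802.1Q trunk and what it puts on the next trunk. The frames, VLAN numbers and allowed-VLAN list are constructed sample values; the model ignores MAC learning and priority bits, which do not change the point.

```python
import struct

# Added example, not from the original notes: how a switch handles 802.1Q tags
# on a trunk, and why the native VLAN matters. Frames, VLAN numbers and the
# allowed-VLAN set are constructed sample values.

TPID_8021Q = 0x8100      # EtherType value announcing that a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800


def strip_tags(frame: bytes):
    """Return (VLAN IDs outermost first, inner EtherType, payload) of a frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    rest, vids = frame[14:], []
    while ethertype == TPID_8021Q:          # a tag may itself be followed by another tag
        tci, ethertype = struct.unpack("!HH", rest[:4])
        vids.append(tci & 0x0FFF)           # low 12 bits = VLAN ID, top 3 = priority
        rest = rest[4:]
    return vids, ethertype, rest


def trunk_ingress(frame: bytes, native_vlan: int, allowed: set):
    """VLAN a trunk port assigns to an arriving frame, or None if it is dropped."""
    vids, ethertype, _ = strip_tags(frame)
    vid = vids[0] if vids else native_vlan  # untagged frames land on the native VLAN
    if vid not in allowed:
        return None
    return {"vlan": vid, "inner_tags": vids[1:], "ethertype": ethertype}


def trunk_forward(frame: bytes, native_vlan: int, allowed: set):
    """Frame as it leaves the switch on the next trunk: the outer tag is removed,
    then re-added unless the frame belongs to the native VLAN, which goes untagged.
    Anything behind the outer tag (including a second tag) is forwarded untouched."""
    decision = trunk_ingress(frame, native_vlan, allowed)
    if decision is None:
        return None
    tagged = struct.unpack("!H", frame[12:14])[0] == TPID_8021Q
    body = frame[:12] + frame[16:] if tagged else frame      # outer tag is bytes 12..15
    if decision["vlan"] == native_vlan:
        return decision["vlan"], body
    retag = struct.pack("!HH", TPID_8021Q, decision["vlan"])
    return decision["vlan"], body[:12] + retag + body[12:]


def make_frame(vids, payload=b"\x45" + b"\x00" * 19):
    """Constructed Ethernet frame with the given stack of 802.1Q tags (empty = untagged)."""
    hdr = b"\xff" * 6 + bytes.fromhex("001122334455")        # dst (broadcast), src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vlan_seen_by_second_switch(sender_tags, native_vlan, allowed):
    """Send a frame across switch 1's trunk and report the VLAN switch 2 puts it in."""
    hop = trunk_forward(make_frame(sender_tags), native_vlan, allowed)
    if hop is None:
        return None
    seen = trunk_ingress(hop[1], native_vlan, allowed)
    return None if seen is None else seen["vlan"]


if __name__ == "__main__":
    allowed = {1, 10, 20, 999}
    print("untagged -> native:", trunk_ingress(make_frame([]), 1, allowed))
    # Double-tagged frame [outer=1, inner=20] with native VLAN 1: switch 1 strips the
    # outer tag and sends the frame untagged; switch 2 reads the inner tag -> VLAN 20.
    print("native 1:   lands in VLAN", vlan_seen_by_second_switch([1, 20], 1, allowed))
    # With an unused VLAN as native, the outer tag 1 is re-applied on egress and the
    # frame stays in VLAN 1 at the next switch.
    print("native 999: lands in VLAN", vlan_seen_by_second_switch([1, 20], 999, allowed))
```

The two `vlan_seen_by_second_switch` calls are the whole argument for the best practice: with the native VLAN left at 1, a frame tagged [1, 20] crosses from VLAN 1 into VLAN 20; with an unused VLAN as native (and VLAN 1 kept off the trunk's allowed list in practice), the outer tag stays on and the frame stays where it started.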

Ports
• Numbers 0 - 1023 are called system or well-known ports
• Numbers 1024 - 49151 are called user or registered ports
• Numbers 49152 - 65535 are called dynamic and/or private (ephemeral) ports
• These ranges are IANA conventions, not enforcement: any service can listen on any port, so identify a service by its traffic, not by the port number alone.

Common protocols and ports (protocol: transport and port, RFC):
• File Transfer Protocol (FTP): TCP 20/21 (RFC 959). One of the most commonly used file transfer protocols on the Internet and within private networks. An FTP server can be set up with little networking knowledge and makes it easy to move files from one system to another. FTP control is handled on TCP port 21; data transfer uses TCP port 20 (active mode) or a dynamic port (passive mode) depending on the configuration. Credentials and data are sent in the clear.
• Secure Shell (SSH): TCP 22 (RFC 4250-4256). The primary method for managing network devices securely at the command level; the secure replacement for Telnet.
• Telnet: TCP 23 (RFC 854). Manages network devices at the command level over an unencrypted connection. Some low-end network devices support only Telnet, since SSH requires additional processing. Avoid Telnet over any untrusted network: the login credentials and the entire session are transmitted in the clear.
• Simple Mail Transfer Protocol (SMTP): TCP 25 (RFC 5321). Transfers mail between mail servers and is used by end users to submit mail to a mail system (client submission normally uses TCP 587 with STARTTLS rather than 25).
• Domain Name System (DNS): TCP/UDP 53 (RFC 1034-1035). Translates domain names into IP addresses on the public Internet and on private networks. DNS is hierarchical: the root servers list the managers of the top-level domains (TLDs, such as .com), and each TLD manager holds the delegations for second-level domains (for example, cisco.com). A DNS server can also be set up within a private network to provide naming services between internal hosts without being part of the global system. UDP carries most queries; TCP is used for zone transfers and for responses too large for UDP.
• Dynamic Host Configuration Protocol (DHCP): UDP 67 (server) / 68 (client) (RFC 2131). Used on networks that do not rely on static address assignment (almost all of them). An administrator configures a pool of addresses available for assignment; when a client boots it broadcasts a request and, if an address in the pool is free, it is leased to the client. The lease is not permanent and expires after a configurable interval; if the client does not renew it, the address goes back into the pool. Because clients accept the first offer they hear, a rogue DHCP server on the LAN can hand out a malicious default gateway or DNS server (mitigated with DHCP snooping on the switch).
• Trivial File Transfer Protocol (TFTP): UDP 69 (RFC 1350). File transfer without the session establishment, or the authentication, that FTP uses. Because TFTP runs over UDP it has no end-to-end assurance that the file arrived intact; the receiving device must verify the file itself. Typically used by network devices (Cisco and other vendors) to load software, firmware and configurations.
• Hypertext Transfer Protocol (HTTP): TCP 80 (RFC 2616, since replaced by RFC 7230-7235 and RFC 9110). One of the most commonly used protocols on most networks: the main protocol used by web browsers and by any client that retrieves files from web servers.
• Post Office Protocol version 3 (POP3): TCP 110 (RFC 1939). One of the two main protocols for retrieving mail from a server. POP3 was designed to be very simple: the client downloads the complete contents of a server mailbox and typically deletes them from the server.
• Network Time Protocol (NTP): UDP 123 (RFC 5905). One of the most overlooked protocols. NTP synchronises clocks across the Internet and is supported by most modern operating systems. Accurate, synchronised clocks are vital for network operations and security because they let you correlate events and logs from one device with those of another.
• NetBIOS: TCP/UDP 137/138/139 (RFC 1001-1002). NetBIOS itself is an API rather than a protocol; on IP networks it is carried by NetBIOS over TCP/IP (NBT): UDP 137 name service, UDP 138 datagram service, TCP 139 session service. NBT was long the central protocol for interconnecting Microsoft Windows machines (modern SMB runs directly over TCP 445).
• Internet Message Access Protocol (IMAP): TCP 143 (RFC 3501, IMAP4rev1). The second of the two main mail retrieval protocols. While POP3 has wider support, IMAP offers a richer set of remote mailbox operations (server-side folders, flags, partial fetches) which can be helpful to users.
• Simple Network Management Protocol (SNMP): UDP 161 (agent) / 162 (traps) (RFC 1901-1908 for v2c, RFC 3411-3418 for v3; a TCP mapping also exists). Used by network administrators for network management: monitoring, configuring and controlling network devices. SNMP traps can be configured on devices to notify a central manager when specific events occur, so that the device can be investigated further. SNMP v1 and v2c authenticate with a plaintext community string; use SNMPv3 with authentication and privacy.
• Border Gateway Protocol (BGP): TCP 179 (RFC 4271). BGP version 4 is used across the public Internet and by Internet Service Providers (ISPs) to maintain very large routing tables. It is one of the few protocols designed to deal with the enormous routing tables that must exist on the public Internet.
• Lightweight Directory Access Protocol (LDAP): TCP/UDP 389 (RFC 4510). Accesses and maintains distributed directory information. LDAP is derived from the ITU-T X.500 standard, simplified to work over TCP/IP networks (the UDP variant is connectionless LDAP, used mainly by Active Directory for domain controller discovery).
• Hypertext Transfer Protocol over SSL/TLS (HTTPS): TCP 443 (RFC 2818). HTTP carried inside a TLS session (SSL is obsolete and should be disabled), providing the same services over an encrypted, server-authenticated connection.
• LDAP over TLS/SSL (LDAPS): TCP 636 (RFC 4513). Like HTTPS, LDAPS provides the LDAP service over a TLS connection; the alternative is StartTLS on port 389.
• FTP over TLS/SSL (FTPS): TCP 989/990 (RFC 4217). The FTP protocol secured with TLS: implicit FTPS uses 990 for control and 989 for data; explicit FTPS (AUTH TLS) upgrades a connection that starts on port 21.


Benefit of using a HUB
• Insert a hub between a suspect (e.g., infected) machine and the rest of the network and plug a monitoring station into the hub. Because a hub repeats every frame out of every port, the monitor sees all of the suspect's traffic, which is useful for diagnosing malicious behaviour. The drawback is the same property: every other host on the hub sees that traffic too.
• Switch Port Analyzer (SPAN), aka port mirroring, gives the same visibility on a switch: the switch copies the traffic of one or more source ports or VLANs to a destination port where the monitor sits (on Cisco IOS, the monitor session commands). Unlike a hub, other hosts are not exposed to the mirrored traffic. A SPAN port can silently drop frames when oversubscribed, so for forensic-grade capture a network TAP is preferred.

Network Security Design Basics (3-tier architecture)
• Presentation Tier: Occupies the top level and displays information related to the services available on a website. It communicates with the user's browser and with the tier below it; it should never talk to the data tier directly.
• Application Tier: Sits beneath the presentation tier. It controls application functionality by performing the detailed processing (the business logic).
• Data Tier: Houses the database servers where information is stored and retrieved. Data in this tier is kept independent of the application servers and business logic.
• 3-tier / N-tier Application Design
○ Segment services and data based on security trust levels, and allow traffic only between adjacent tiers, on the specific ports each tier needs
○ But Garmin publishes data through the web...
§ Internet - Trust level 0 | Public Web Servers - Trust level 0 | Oracle Database - Trust level 10 (the web servers sit at Internet trust and reach the database directly: one compromised web server is a compromised database)
○ Let's build in some security with the firewall...
§ Internet - Trust level 0 | Public Web Servers - Trust level 5 | Oracle Database - Trust level 10 (a firewall now separates the tiers, but the public web servers still hold database credentials)
○ Even better...
§ Internet - Trust level 0 | Public Web Servers - Trust level 2 | Trusted Web Servers - Trust level 7 | Oracle Database - Trust level 10 (an Internet-facing server is now two hops from the data, and only the trusted application servers can open connections to the database)
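The check a reviewer would run against the tiered design above, as an added example that is not part of the original notes: a small policy model that rejects firewall rules which skip a tier, open a port the tier does not need, or let a higher-trust zone initiate connections downward, and a reachability count that shows how many hops the database is from the Internet before and after the rejected rules are removed. The zone names, trust levels, ports and the draft rule set are assumed values for illustration.

```python
# Added example, not from the original notes: flag firewall rules that do not
# respect the tiered trust model. Zone names, trust levels, ports and the draft
# rule set are assumed values for illustration.

TRUST = {"internet": 0, "public_web": 2, "trusted_web": 7, "oracle_db": 10}

# The only permitted connection paths: each tier to the next, on named TCP ports.
ADJACENT = {
    ("internet", "public_web"): {443},
    ("public_web", "trusted_web"): {8443},
    ("trusted_web", "oracle_db"): {1521},
}


def check_rule(src: str, dst: str, port: int):
    """Return None if a 'permit src -> dst tcp/port' rule fits the model, else why not."""
    if src not in TRUST or dst not in TRUST:
        return "unknown zone"
    if src == dst:
        return "intra-tier traffic is not a firewall rule"
    if TRUST[src] > TRUST[dst]:
        # A higher-trust tier must not open connections downward; replies to
        # established sessions come back through the stateful firewall anyway.
        return "higher-trust zone %s initiating connections to %s" % (src, dst)
    if (src, dst) not in ADJACENT:
        return "skips a tier: %s -> %s" % (src, dst)
    if port not in ADJACENT[(src, dst)]:
        return "port %d not on the allow list for %s -> %s" % (port, src, dst)
    return None


def audit(rules):
    """Map each offending (src, dst, port) rule to the reason it was rejected."""
    findings = {}
    for rule in rules:
        reason = check_rule(*rule)
        if reason:
            findings[rule] = reason
    return findings


def hops_from_internet(rules):
    """Zones reachable from the Internet through the rules as written, with hop
    count: the data tier should never be fewer hops away than the design intends."""
    reach, frontier = {"internet": 0}, ["internet"]
    while frontier:
        zone = frontier.pop(0)
        for src, dst, _port in rules:
            if src == zone and dst not in reach:
                reach[dst] = reach[zone] + 1
                frontier.append(dst)
    return reach


# Constructed rule set: what a first-draft ACL might permit.
PROPOSED = [
    ("internet", "public_web", 443),
    ("internet", "public_web", 22),       # SSH management exposed to the Internet
    ("internet", "oracle_db", 1521),      # tier skip: the web tiers are bypassed
    ("public_web", "trusted_web", 8443),
    ("trusted_web", "oracle_db", 1521),
    ("oracle_db", "public_web", 443),     # database opening connections outward
]

if __name__ == "__main__":
    findings = audit(PROPOSED)
    for (src, dst, port), reason in findings.items():
        print("REJECT %-12s -> %-12s tcp/%-5d %s" % (src, dst, port, reason))
    print("draft:   ", hops_from_internet(PROPOSED))
    print("cleaned: ", hops_from_internet([r for r in PROPOSED if r not in findings]))
```

With the draft rules the database is one hop from the Internet; with the three rejected rules removed it is three. Real rule sets are larger, but the method is the same: encode the intended adjacency once and test every permit against it, rather than reading rules one at a time.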

Network Protocols
• An agreement or set of rules on how computer networks will communicate
• Exchanging messages in hardware or software
• Often implemented in a stack of nested protocols

OSI Model
• Application
• Presentation (encryption, compression and data encoding are classically placed here, not at the Session layer; in practice TLS sits between the Transport and Application layers)
• Session (establishes, maintains and tears down dialogues between applications)
• Transport
• Network
• Data Link
• Physical

TCP/IP
• Application (OSI layers 5-7)
• Transport (TCP, UDP)
• Internet (IP, ICMP)
• Link / Network Access (OSI layers 1-2: Ethernet, Wi-Fi)



Wireless
• Like a hub without a chassis: the radio channel is a shared medium
• Every frame is transmitted to everyone in range, so anyone nearby can capture the traffic without ever touching the network. Link encryption (WPA2/WPA3) protects the payload but not the presence of the traffic or the MAC addresses in the headers.

IEEE 802 Standards
• IEEE 802.3 Ethernet
• IEEE 802.11 Wireless LAN (WLAN) & Mesh (Wi-Fi certification)
• IEEE 802.1Q VLAN tagging (the trunk tag format described above)
• IEEE 802.1X port-based network access control (a device authenticates before the switch port or wireless association carries its traffic)


Interior Gateway Protocols (IGP), used to exchange routes within one autonomous system:

Routing Information Protocol (RIP)
• Distance-vector routing protocol
• Dynamic protocol which uses hop count as its only metric to find the best path between source and destination, so a one-hop slow link beats a two-hop fast path
• Time to converge and scalability are poor compared to EIGRP, OSPF, and IS-IS
• Maximum of 15 hops; a metric of 16 means unreachable, which bounds routing loops (count to infinity)
• Carried in UDP port 520 (RIPv2; RIPng uses UDP 521 for IPv6), so it is an application-layer protocol riding on Layer 4, not a Layer 4 protocol itself. RIPv2 supports plaintext and MD5 authentication; RIPv1 has none.

Intermediate System to Intermediate System (IS-IS)
• Uses link-state routing (LSR)
• Runs directly over the Data Link layer (its own 802.2 encapsulation) rather than over IP. That makes it unreachable from any host that is not on a router's directly connected link, a smaller attack surface than OSPF or EIGRP, but it is not "more secure" by itself: authenticate adjacencies (HMAC-MD5, or SHA per RFC 5310)
• IPv4 and IPv6 supported by the same protocol instance
• Less strict requirements for forming neighbor adjacencies in comparison to OSPF

Open Shortest Path First (OSPF)
• Open standard, uses link-state routing (LSR): every router floods its link states and runs Dijkstra's shortest-path-first algorithm on the full topology
• Can be used on non-Cisco routers
• Used to find the best path for a packet within an autonomous system (organised into areas), not just within a LAN
• OSPFv2 for IPv4 (RFC 2328) and OSPFv3 for IPv6 (RFC 5340)
• Default hello and dead timers converge more slowly than EIGRP unless tuned
• Runs directly over IP as protocol 89 (Layer 3); supports MD5 and, per RFC 5709, SHA authentication of neighbor adjacencies

Enhanced Interior Gateway Routing Protocol (EIGRP)
• Advanced distance-vector protocol (DUAL algorithm); originally Cisco proprietary, the specification was published openly in 2013 and later as informational RFC 7868
• Routing protocol used to find the best path for a packet within an autonomous system
• Similar role to OSPF, but developed by Cisco and still best supported on Cisco routers
• Faster convergence than untuned OSPF because it keeps precomputed backup (feasible successor) routes
• Runs directly over IP as protocol 88 (Layer 3); supports MD5 and SHA-256 authentication
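The two route-computation methods contrasted above (link-state SPF as in OSPF/IS-IS versus distance-vector hop counting as in RIP), as an added example that is not part of the original notes, run on a constructed five-router topology. Link costs are assumed values; the distance-vector side counts every link as one hop and applies RIP's rule that 16 hops means unreachable.

```python
import heapq

# Added example, not from the original notes: link-state SPF (Dijkstra) versus
# distance-vector hop counting on a constructed five-router topology. Costs are
# assumed values; RIP would count every link as one hop.

LINKS = {("R1", "R2"): 10, ("R1", "R3"): 1, ("R3", "R4"): 1,
         ("R4", "R2"): 1, ("R2", "R5"): 5, ("R4", "R5"): 20}

RIP_INFINITY = 16   # RFC 2453: a metric of 16 means unreachable


def graph(links):
    """Adjacency map {router: {neighbour: cost}} from an undirected link list."""
    g = {}
    for (a, b), cost in links.items():
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost
    return g


def link_state_spf(links, source):
    """OSPF/IS-IS style: the router holds the whole topology and runs Dijkstra.
    Returns {destination: (total cost, next hop)}."""
    g = graph(links)
    dist, prev, pq = {source: 0}, {}, [(0, source)]
    while pq:
        d, node = heapq.heappop(pq)
        if d > dist[node]:               # stale queue entry
            continue
        for nb, cost in g[node].items():
            if d + cost < dist.get(nb, float("inf")):
                dist[nb], prev[nb] = d + cost, node
                heapq.heappush(pq, (d + cost, nb))

    def next_hop(dest):
        while prev[dest] != source:      # walk the shortest-path tree back to the source
            dest = prev[dest]
        return dest

    return {dest: (dist[dest], next_hop(dest)) for dest in dist if dest != source}


def distance_vector(links, infinity=RIP_INFINITY):
    """RIP style: a router knows only what its neighbours advertise and keeps the
    fewest-hop route. Returns ({router: {destination: (hops, next hop)}}, rounds)."""
    g = graph(links)
    table = {r: {nb: (1, nb) for nb in g[r]} for r in g}
    for r in g:
        table[r][r] = (0, None)
    changed, rounds = True, 0
    while changed:                       # iterate until no table changes (convergence)
        changed, rounds = False, rounds + 1
        for r in g:
            for nb in g[r]:
                for dest, (hops, _) in list(table[nb].items()):
                    cand = min(hops + 1, infinity)
                    if cand < table[r].get(dest, (infinity, None))[0]:
                        table[r][dest] = (cand, nb)   # 16-hop routes never enter the table
                        changed = True
    return {r: {d: v for d, v in t.items() if d != r} for r, t in table.items()}, rounds


def chain(n):
    """Constructed straight line of n+1 routers R0..Rn joined by cost-1 links."""
    return {("R%d" % i, "R%d" % (i + 1)): 1 for i in range(n)}


if __name__ == "__main__":
    print("SPF from R1:", link_state_spf(LINKS, "R1"))          # R2 via R3 at cost 3
    dv, rounds = distance_vector(LINKS)
    print("RIP from R1:", dv["R1"], "after", rounds, "rounds")  # R2 direct: 1 hop, cost 10
    far = chain(16)
    print("R16 in R0's RIP table:", "R16" in distance_vector(far)[0]["R0"])  # False
    print("R16 via SPF:", link_state_spf(far, "R0")["R16"])
```

SPF sends R1's traffic for R2 through R3 and R4 (cost 3) while the hop-count protocol insists on the direct cost-10 link, and on a 16-router chain RIP simply has no route at all. Neither computation authenticates its inputs: whoever can inject a link-state advertisement or a distance vector steers the result, which is why the adjacency authentication noted for each protocol above is not optional on untrusted segments.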

Border Gateway Protocol (BGP), the exterior gateway protocol of the Internet:

iBGP
• Sessions between routers inside the same AS, used to carry externally learned routes across the AS
• Use case: BGP tables hold hundreds of thousands of prefixes (the full Internet table); feeding that into an IGP such as OSPF or EIGRP would break the network
• Runs over TCP port 179 (an application-layer protocol that uses a Layer 4 transport, not a Layer 4 protocol itself)

eBGP
• Sessions between routers in different ASes, i.e., with ISPs and peers across the WAN; this is what carries the global routing table
• Runs over TCP port 179
• Security: BGP trusts what its peers announce. Protect sessions with TCP MD5 (RFC 2385) or TCP-AO (RFC 5925) and TTL security (GTSM, RFC 5082), filter the prefixes accepted from each peer, and validate route origins with RPKI to limit prefix hijacking and route leaks.


IPV4
32 bits, written as four decimal octets (e.g., 192.168.16.10)
Network Address = Lowest address in the subnet (all host bits 0), e.g., for 192.168.16.0/24: 192.168.16.0
Broadcast Address = Highest address in the subnet (all host bits 1), e.g., for 192.168.16.0/24: 192.168.16.255
Neither can be assigned to a host, so a /24 has 254 usable addresses.
3 Major Classes (classful addressing, obsolete since CIDR in 1993 but still used as vocabulary)
If the network portion uses:
First 8 bits = Class A (default mask 255.0.0.0, /8)
First 16 bits = Class B (default mask 255.255.0.0, /16)
First 24 bits = Class C (default mask 255.255.255.0, /24)

IPV6
128 bits, written as eight 16-bit hexadecimal groups (e.g., 2001:db8::1). There is no broadcast address; multicast and link-local (fe80::/10) addresses are used instead.

Classful and Classless Addressing
The main difference between classful and classless addressing is that classless addressing (CIDR, RFC 4632) lets the network mask fall on any bit boundary, so IP addresses can be allocated far more efficiently than the fixed /8, /16 and /24 classes allow.

By reading the first octet, we can determine the class an address belongs to:
1 - 126 - Class A address (0.0.0.0/8 is reserved; 127.0.0.0/8 is loopback)
128 - 191 - Class B address
192 - 223 - Class C address
224 - 239 - Class D address (multicast)
240 - 255 - Class E address (reserved, experimental)
The address 0.0.0.0 is not a broadcast address: it means "this host" or "unspecified" (a DHCP client that has no address yet sends from it; a server bound to 0.0.0.0 listens on all interfaces). The limited broadcast address is 255.255.255.255. 127.0.0.1 is the usual loopback address; the whole of 127.0.0.0/8 is loopback.
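The address arithmetic behind the Network ID / Host ID line in Common Terms, the network and broadcast definitions, and the classful-versus-classless distinction above, as an added example that is not part of the original notes: the split is computed by hand with bit masks, cross-checked against Python's ipaddress module, and the special addresses are classified. All addresses are sample values; the code goes beyond the notes by handling /31 and /32 prefixes and by implementing the same-subnet test a host performs before choosing between direct delivery and its default gateway.

```python
import ipaddress

# Added example, not from the original notes: network ID, host ID, broadcast
# and class computed with bit masks and cross-checked against ipaddress.
# All addresses below are sample values.

# Classful ranges of the first octet and the prefix length each class implies.
CLASSES = [("A", 0, 127, 8), ("B", 128, 191, 16), ("C", 192, 223, 24),
           ("D", 224, 239, None), ("E", 240, 255, None)]


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful(ip: str):
    """(class letter, implied prefix length) from the first octet alone."""
    first = ip_to_int(ip) >> 24
    for name, low, high, plen in CLASSES:
        if low <= first <= high:
            return name, plen
    raise ValueError(ip)


def subnet(cidr: str) -> dict:
    """Classless view of 'a.b.c.d/n': the mask decides where the network bits end."""
    ip, plen = cidr.split("/")
    plen = int(plen)
    if not 0 <= plen <= 32:
        raise ValueError("bad prefix length: %d" % plen)
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    addr = ip_to_int(ip)
    network = addr & mask                      # host bits cleared
    broadcast = addr | (~mask & 0xFFFFFFFF)    # host bits set
    if plen >= 31:                             # /31 point-to-point (RFC 3021) and /32 host routes
        usable = 32 - plen + 1
    else:
        usable = broadcast - network - 1       # everything except network and broadcast
    return {"network": int_to_ip(network), "mask": int_to_ip(mask),
            "broadcast": int_to_ip(broadcast), "host_id": addr - network,
            "usable_hosts": usable}


def same_subnet(ip_a: str, ip_b: str, plen: int) -> bool:
    """The test a host runs before choosing direct delivery or the default gateway."""
    return subnet("%s/%d" % (ip_a, plen))["network"] == subnet("%s/%d" % (ip_b, plen))["network"]


def special(ip: str) -> str:
    """Addresses that are never ordinary hosts."""
    a = ipaddress.IPv4Address(ip)
    if a.is_unspecified:
        return "unspecified"          # 0.0.0.0: 'this host' / all interfaces, never a destination
    if a.is_loopback:
        return "loopback"             # anything in 127.0.0.0/8
    if ip == "255.255.255.255":
        return "limited-broadcast"
    if a.is_multicast:
        return "multicast"            # class D
    return "private" if a.is_private else "public"


def matches_stdlib(cidr: str) -> bool:
    """Cross-check the hand arithmetic against the standard library."""
    net = ipaddress.ip_interface(cidr).network
    mine = subnet(cidr)
    return (mine["network"] == str(net.network_address)
            and mine["broadcast"] == str(net.broadcast_address))


if __name__ == "__main__":
    print(subnet("192.168.1.238/24"))
    # Classful says 10.1.2.3 is class A (/8); classless allocation carves a /22 out of it.
    print(classful("10.1.2.3"), subnet("10.1.2.3/22"))
    print(same_subnet("192.168.1.238", "192.168.2.5", 24),
          same_subnet("192.168.1.238", "192.168.2.5", 16))
    print([special(x) for x in ("0.0.0.0", "127.0.0.1", "255.255.255.255", "192.168.1.238")])
```

`classful("10.1.2.3")` says class A with an implied /8, but `subnet("10.1.2.3/22")` places the same address in 10.1.0.0/22 with 1022 usable hosts: the mask, not the first octet, is what every modern router and host actually uses.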