CISSP Domain 4 Review – Communication and Network Security

This post is a review of Domain 4 of the CISSP, which covers communication and network security.

Secure Design Principles

OSI Model

The OSI model is specified in ISO/IEC 7498-1. It defines seven layers: physical, data link, network, transport, session, presentation and application.

A good mnemonic for the layers from the top down: All People Seem To Need Data Processing (Application, Presentation, Session, Transport, Network, Data link, Physical).

The TCP/IP model is an alternative model with four layers: network interface (link), Internet, transport and application.

Physical Layer

Topologies

There are four common topologies: bus, ring, star and mesh.

Ethernet is an example of a logical bus topology, even though it is usually deployed as a physical star (hosts cabled to a central switch).

FDDI is an example of a ring topology; it uses two counter-rotating rings for redundancy.

Token Ring uses a physical star topology and a logical ring topology.

CSMA

CSMA/CD: Collision Detection. Used by Ethernet (IEEE 802.3): a station listens before sending, detects a collision while sending, and backs off for a random time before retrying.

CSMA/CA: Collision Avoidance. Used by Wi-Fi (IEEE 802.11), because a radio cannot reliably detect a collision while it is transmitting, so stations try to avoid collisions up front (waiting before sending, optionally with RTS/CTS).

Media

There are three types of media used for physical links:

  1. Twisted pair: four pairs of copper wires, each pair twisted to reduce electromagnetic interference (EMI) and crosstalk. Two types:
    • UTP: Unshielded Twisted Pair
      • No shield, so it is more susceptible to interference and easier to tap.
      • Cheaper and more flexible, and by far the most common LAN cabling.
    • STP: Shielded Twisted Pair
      • A foil or braided shield surrounds the wires, so it is less susceptible to interference.
      • More expensive and less flexible (harder to bend than UTP).
  2. Coaxial
    • A single center conductor surrounded by an insulating layer, a braided metal shield and an outer jacket.
    • More expensive and less flexible than twisted pair.
    • Rarely used for LANs today; it survives mainly in cable-modem last-mile service.
  3. Fiber optic cable
    • A very thin core of glass (or plastic) that carries data as pulses of light.
    • Immune to EMI and hard to tap without a detectable loss of signal, which is why it is preferred for sensitive and long-distance links.
    • Two types:
      • Single-mode
        • Covers long distances with less attenuation; driven by a laser.
        • The glass core has a small diameter (about 9 µm), so the light follows essentially one path with very few reflections.
      • Multimode
        • Covers shorter distances than single-mode; usually driven by an LED.
        • The glass core has a larger diameter (50 or 62.5 µm), so the light takes many paths with many reflections (modal dispersion), which limits the usable distance.

Internet access

Three common ways are used to provide Internet access:

  1. DSL (Digital Subscriber Line), carried over ordinary telephone copper
    • ADSL: Asymmetric DSL (faster downstream than upstream)
    • VDSL: Very-high-bit-rate DSL
    • HDSL: High-bit-rate DSL
    • SDSL: Symmetric DSL (same speed in both directions)
    • RADSL: Rate-Adaptive DSL (speed adapts to line quality)
  2. Cable modem
    • Most cable modems comply with DOCSIS (Data Over Cable Service Interface Specification).
      • DOCSIS 3.1 supports up to 10 Gbps downstream and 1 Gbps upstream; the newer DOCSIS 4.0 extends this towards symmetric multi-gigabit service.
  3. BPL: Broadband over Power Line
    • Internet service delivered over electric power lines.
    • It can use existing electrical outlets.

Wireless

These are the most common wireless communication technologies:

  1. Wi-Fi (IEEE 802.11)
    • IEEE 802.11a/b/g/n/ac/ax.
    • Uses the 2.4 GHz or 5 GHz band, or both. 802.11ax (marketed as Wi-Fi 6) is the successor to 802.11ac; Wi-Fi 6E adds the 6 GHz band.
  2. Bluetooth (IEEE 802.15.1)
    • Known attacks
      • Bluejacking: sending unsolicited messages to a nearby device.
      • Bluesnarfing: unauthorized reading of data (contacts, calendar, files) from a device.
      • BlueBorne: a set of vulnerabilities disclosed in 2017 in Bluetooth stacks that allowed takeover over the air without pairing.
  3. WiMAX (IEEE 802.16)
  4. Cellular
    • 1G: analog
    • 2G: GSM, with GPRS and EDGE for data
    • 3G: UMTS, with HSDPA for faster data
    • 4G: LTE
    • 5G: NR (New Radio); its core network relies heavily on SDN and network function virtualization
  5. Satellite

Data-Link Layer

The data-link layer can be further separated into two sublayers :

  • MAC (Media Access Control)
  • LLC (Logical Link Control)

Protocols

Ethernet is the most common protocol at this layer. Still, there are other protocols operating here that you should know about:

  • MPLS (Multiprotocol Label Switching)
    • It attaches a short label to each packet at the network edge; core routers forward on the label along a pre-established path instead of looking up the IP header at every hop ("label switching").
    • It sits between layer 2 and layer 3 (often called "layer 2.5").
    • Components:
      • Label Edge Router (LER): the edge node that pushes and pops labels.
      • Label Switching Router (LSR): a core router that swaps labels.
      • Label Switched Path (LSP): the path the labelled packets follow.
  • PPP (Point-to-Point Protocol)
    • LCP: Link Control Protocol, for establishing, configuring and testing the link.
    • NCP: Network Control Protocol, for configuring the network layer protocol carried over the link (for example IPCP for IP).
    • Authentication using:
      • PAP: Password Authentication Protocol. A simple two-way handshake that sends the password in cleartext. Not recommended.
      • CHAP: Challenge-Handshake Authentication Protocol. A three-way handshake in which the peer returns a hash of a random challenge and the shared secret, so the secret never crosses the link and a captured response cannot be replayed. Better security than PAP.
  • ARP (Address Resolution Protocol)
    • It is used to obtain the MAC address for a given IP address on the local segment.
    • ARP has no authentication, so an attacker can answer with a forged reply (ARP spoofing/poisoning) to intercept traffic; mitigations include dynamic ARP inspection on the switch and static entries for critical hosts.
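
To make the PAP versus CHAP difference concrete, here is an added Python example (not code from the original post) that plays both sides of each exchange. The shared secret, the peer name and the message dictionaries are assumptions made for the illustration; the CHAP response is the MD5 construction from RFC 1994, MD5(Identifier || secret || Challenge).

```python
import hashlib
import hmac
import os

# Constructed shared secret for the example; on a real link it is configured on both peers.
SHARED_SECRET = b"correct horse battery staple"


def pap_authenticate_request(peer_id: str, password: bytes) -> dict:
    """PAP Authenticate-Request: the peer sends the password itself.
    Anyone sniffing the link reads the credential straight off the wire."""
    return {"code": "Authenticate-Request", "peer_id": peer_id, "password": password}


def pap_server_check(request: dict, expected_password: bytes) -> bool:
    """PAP Authenticate-Ack/Nak decision: a plain comparison of the received password."""
    return hmac.compare_digest(request["password"], expected_password)


def chap_challenge(identifier: int, length: int = 16) -> dict:
    """CHAP step 1: the authenticator sends an Identifier and a fresh random Challenge."""
    return {"code": "Challenge", "id": identifier, "value": os.urandom(length)}


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The CHAP-MD5 hash from RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(challenge_msg: dict, name: str, secret: bytes) -> dict:
    """CHAP step 2: the peer answers with the hash; the secret never leaves the host."""
    value = chap_response_value(challenge_msg["id"], secret, challenge_msg["value"])
    return {"code": "Response", "id": challenge_msg["id"], "value": value, "name": name}


def chap_server_verify(challenge_msg: dict, response_msg: dict, secret: bytes) -> bool:
    """CHAP step 3: the authenticator recomputes the hash for the challenge it sent.
    A response to an old challenge (replay) fails because the id and value differ."""
    if response_msg["id"] != challenge_msg["id"]:
        return False
    expected = chap_response_value(challenge_msg["id"], secret, challenge_msg["value"])
    return hmac.compare_digest(expected, response_msg["value"])


def run_chap_exchange(secret_on_peer: bytes, secret_on_authenticator: bytes, identifier: int = 1) -> bool:
    """Full three-way exchange: Challenge -> Response -> Success/Failure."""
    challenge = chap_challenge(identifier)
    response = chap_response(challenge, "alice", secret_on_peer)
    return chap_server_verify(challenge, response, secret_on_authenticator)


def replayed_response_is_rejected() -> bool:
    """Capture a valid Response to one Challenge and try to reuse it against the next one."""
    first = chap_challenge(7)
    captured = chap_response(first, "alice", SHARED_SECRET)
    second = chap_challenge(8)  # new identifier and new random value
    return not chap_server_verify(second, captured, SHARED_SECRET)


def on_the_wire(message: dict) -> bytes:
    """What a sniffer sees: for PAP the password itself, for CHAP only a 16-byte hash."""
    return message.get("password", message.get("value", b""))


if __name__ == "__main__":
    pap = pap_authenticate_request("alice", SHARED_SECRET)
    print("PAP on the wire:", on_the_wire(pap))
    challenge = chap_challenge(1)
    print("CHAP on the wire:", on_the_wire(chap_response(challenge, "alice", SHARED_SECRET)).hex())
    print("CHAP accepted:", run_chap_exchange(SHARED_SECRET, SHARED_SECRET))
    print("Replay rejected:", replayed_response_is_rejected())
```

Note that CHAP still requires the authenticator to store the secret in a recoverable form (it has to recompute the hash), and an attacker who captures a challenge/response pair can run an offline dictionary attack on it; this is the same weakness that makes LEAP and MS-CHAP unattractive later in this domain.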

Devices

These are the devices that operate at layer 2.

  • Switch
    • Layer 2. It learns which MAC address sits behind which port (the CAM table) and forwards each frame only to the right port.
    • Security:
      • Port security (limit the number of MAC addresses learned per port).
      • MAC filtering.
      • Segmentation using VLANs.
    • Attacks
      • MAC flooding: the attacker sends frames with thousands of fake source MACs to fill the CAM table; once it is full, the switch floods frames out of every port like a hub, and the attacker can sniff them. Port security limits this.
      • VLAN hopping
        • Switch spoofing: the attacker's port negotiates itself into a trunk (for example via DTP), giving access to all VLANs. Mitigation: hard-code user ports as access ports and disable trunk negotiation.
        • Double tagging: the attacker sends a frame with two 802.1Q tags; the first switch strips the outer tag (the trunk's native VLAN) and forwards the still-tagged frame onto the victim VLAN. It is one-way and only works if the attacker sits on the native VLAN. Mitigation: use an unused VLAN as the native VLAN and tag native-VLAN traffic on trunks.
  • Bridge
    • Connects two network segments and forwards frames between them based on MAC address; a switch is essentially a multi-port bridge.
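
The double-tagging attack above is easiest to understand by building the frame and watching what each switch does to it. The following Python example is added here and is not part of the original post: the MAC addresses, VLAN numbers and the two switch-emulation functions are assumptions made for the illustration, while the 802.1Q tag layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN id) is the real one.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service-provider (QinQ) outer tag
ETHERTYPE_IPV4 = 0x0800
MAC_LEN = 6

# Constructed addresses for the example.
BROADCAST = b"\xff" * 6
ATTACKER_MAC = bytes.fromhex("020000000001")


def build_frame(dst: bytes, src: bytes, vlan_ids, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet II frame with zero or more 802.1Q tags, outermost first.
    Each tag is TPID (2 bytes) + TCI (2 bytes: 3-bit PCP, 1-bit DEI, 12-bit VID)."""
    frame = dst + src
    for vid in vlan_ids:
        if not 0 <= vid < 4096:
            raise ValueError("VLAN id must fit in 12 bits")
        frame += struct.pack("!HH", TPID_8021Q, vid)  # PCP=0, DEI=0
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the header chain after the MAC addresses and collect every VLAN tag."""
    if len(frame) < 2 * MAC_LEN + 2:
        raise ValueError("frame too short")
    offset = 2 * MAC_LEN
    vlans = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vlans.append({"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
    return {"dst": frame[:MAC_LEN], "src": frame[MAC_LEN:2 * MAC_LEN],
            "vlans": vlans, "ethertype": ethertype, "payload": frame[offset:]}


def is_double_tagged(frame: bytes) -> bool:
    """A frame arriving on an access port should carry no tag; two tags is the attack signature."""
    return len(parse_frame(frame)["vlans"]) >= 2


def forward_over_trunk(frame: bytes, native_vlan: int, tag_native: bool = False) -> bytes:
    """Emulate the first switch's egress onto an 802.1Q trunk: native-VLAN traffic is sent
    untagged (outer tag popped) unless the trunk is configured to tag the native VLAN."""
    parsed = parse_frame(frame)
    if parsed["vlans"] and not tag_native and parsed["vlans"][0]["vid"] == native_vlan:
        return frame[:2 * MAC_LEN] + frame[2 * MAC_LEN + 4:]  # drop the outermost 4-byte tag
    return frame


def delivered_vlan(frame: bytes, native_vlan: int) -> int:
    """Emulate the second switch's ingress from the trunk: tagged frames go to the tagged
    VLAN, untagged frames go to the native VLAN."""
    parsed = parse_frame(frame)
    return parsed["vlans"][0]["vid"] if parsed["vlans"] else native_vlan


def double_tag_attack(attacker_vlan: int, native_vlan: int, victim_vlan: int,
                      tag_native: bool = False) -> int:
    """Attacker sends a frame tagged [attacker_vlan, victim_vlan]; return the VLAN it lands in."""
    frame = build_frame(BROADCAST, ATTACKER_MAC, [attacker_vlan, victim_vlan],
                        ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    on_trunk = forward_over_trunk(frame, native_vlan, tag_native)
    return delivered_vlan(on_trunk, native_vlan)


if __name__ == "__main__":
    print("native VLAN 1, attacker on VLAN 1 ->", double_tag_attack(1, 1, 20))            # lands in 20
    print("native VLAN moved to 999          ->", double_tag_attack(1, 999, 20))          # stays in 1
    print("native VLAN 1 but tagged on trunk ->", double_tag_attack(1, 1, 20, True))      # stays in 1
```

The three calls at the bottom correspond to the three situations in the text: the attack succeeds only when the attacker's access VLAN equals the trunk's native VLAN, and either moving the native VLAN to an unused id or tagging native traffic on the trunk keeps the frame in the attacker's own VLAN.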

Network Layer

These are the protocols that operate at layer 3 (network layer):

  • IP
    • IPv4: 32-bit addresses; the address space is insufficient.
    • IPv6: 128-bit addresses, plus other additional features.
      • IPsec support is built into the protocol (although using it is not mandatory in practice).
      • Better Quality of Service (QoS) through the flow label.
  • ICMP
    • Used for diagnostics and error reporting.
    • Example: ping uses ICMP Echo; traceroute relies on ICMP Time Exceeded replies (Windows sends ICMP Echo probes, Unix traceroute sends UDP probes by default).
    • Attacks
      • Smurf: Echo requests sent to a broadcast address with the victim's address spoofed as source, so every host on the segment replies to the victim.
      • Ping of Death: an oversized or malformed ICMP packet that crashes a vulnerable IP stack.
      • Ping sweep: Echo requests to a whole address range to discover live hosts (reconnaissance rather than an attack in itself).
  • IGMP
    • Manages multicast group membership.
    • Hosts use it to tell the local router which multicast groups they want to join or leave.
  • Routing protocols
    • RIP
      • Type: distance vector.
      • Counts the number of hops to determine the best path (maximum 15).
      • Interior Gateway Protocol (IGP).
    • OSPF
      • Type: link state.
      • Each router builds a map of the whole area and computes shortest paths from link costs (usually derived from bandwidth), so it converges faster and scales better than RIP.
      • Interior Gateway Protocol (IGP).
    • BGP
      • Type: path vector.
      • The protocol used for routing on the Internet, between autonomous systems (for example between ISPs' routers).
      • Exterior Gateway Protocol (EGP).

The router is the main device used at layer 3. It routes packets between networks. Security on routers is usually enforced with ACLs (Access Control Lists) that permit or deny packets by source and destination address, protocol and port.

Transport Layer

There are two main protocols operating at layer 4 (transport layer):

  • TCP: connection-oriented protocol (three-way handshake: SYN, SYN-ACK, ACK).
    • Most common attacks:
      • SYN flood: many SYNs whose final ACK never arrives, leaving half-open connections that exhaust the server's backlog (mitigated with SYN cookies).
      • SYN scan: a reconnaissance technique that sends a SYN to each port and reads the SYN-ACK or RST reply without completing the handshake.
  • UDP: connectionless protocol.
    • Most common attack: Fraggle (the UDP equivalent of Smurf, using the echo/chargen services and a broadcast address).
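
As an added example (not from the original post), the following Python code tells a SYN flood apart from a SYN scan by replaying a constructed TCP segment log through a small connection tracker. The log format, the addresses and the thresholds are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# One record per TCP segment, in a constructed format for this example:
#   <timestamp> <src>:<sport> -> <dst>:<dport> <flags>   (S=SYN, A=ACK, R=RST, F=FIN, P=PSH)
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>[SAFRP]+)$"
)


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def analyse(lines, half_open_threshold: int = 20, scan_port_threshold: int = 10) -> dict:
    """Replay the segments, tracking each client-side 4-tuple through the handshake.

    SYN flood: a destination accumulates many half-open connections (SYN seen, no final ACK).
    SYN scan: one source sends SYNs to many distinct ports and resets them instead of finishing.
    The thresholds are arbitrary values for this example; tune them to the network's baseline."""
    state = {}                          # (src, sport, dst, dport) -> "half_open" | "established"
    targets_per_source = defaultdict(set)
    for rec in map(parse_line, lines):
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        flags = rec["flags"]
        if flags == "S":                             # client opens: half-open until its ACK arrives
            state[key] = "half_open"
            targets_per_source[rec["src"]].add((rec["dst"], rec["dport"]))
        elif "A" in flags and "S" not in flags:      # client's third-step ACK (or later data)
            if key in state:
                state[key] = "established"
        elif "R" in flags and key in state:          # client reset: connection gone
            del state[key]
        # SYN-ACKs and resets from the server side carry the reversed tuple and are ignored here
    half_open = Counter(dst for (_, _, dst, _), s in state.items() if s == "half_open")
    return {
        "syn_flood_targets": {d: n for d, n in half_open.items() if n >= half_open_threshold},
        "syn_scanners": {s: len(p) for s, p in targets_per_source.items() if len(p) >= scan_port_threshold},
    }


def build_sample_log() -> list:
    """Constructed traffic: one normal connection, a spoofed-source SYN flood, and a SYN scan."""
    lines = [
        "10:00:00.000 10.0.0.5:40001 -> 192.0.2.10:80 S",
        "10:00:00.001 192.0.2.10:80 -> 10.0.0.5:40001 SA",
        "10:00:00.002 10.0.0.5:40001 -> 192.0.2.10:80 A",
    ]
    # SYN flood: 25 SYNs from 25 different (spoofed) sources to the web server, never acknowledged
    for i in range(25):
        lines.append(f"10:00:01.{i:03d} 198.51.100.{i + 1}:{30000 + i} -> 192.0.2.10:443 S")
        lines.append(f"10:00:01.{i:03d} 192.0.2.10:443 -> 198.51.100.{i + 1}:{30000 + i} SA")
    # SYN scan: one source probes 12 ports and resets each half-open connection itself
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]):
        lines.append(f"10:00:02.{i:03d} 203.0.113.7:{55000 + i} -> 192.0.2.20:{port} S")
        lines.append(f"10:00:02.{i:03d} 192.0.2.20:{port} -> 203.0.113.7:{55000 + i} SA")
        lines.append(f"10:00:02.{i:03d} 203.0.113.7:{55000 + i} -> 192.0.2.20:{port} R")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Running it reports 192.0.2.10 as a flood target with 25 half-open connections and 203.0.113.7 as a scanner of 12 ports; the normal connection, which completed its handshake, is counted in neither. In practice the same two signals (half-open backlog per destination, distinct ports per source) are what an IDS or a flow collector keys on, with thresholds derived from a baseline rather than the fixed numbers used here.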

Ports are the equivalent of addresses for applications within a host. There are 65,536 ports in total (0 to 65535). Ports 0 to 1023 are well-known ports, 1024 to 49151 are registered ports, and 49152 to 65535 are dynamic (ephemeral) ports.

Examples:

  • FTP 21 (control channel; active-mode data uses 20)
  • SSH 22
  • Telnet 23
  • SMTP 25
  • DNS 53
  • HTTP 80
  • HTTPS 443

Application Layer

Here is a list of the most common protocols used at the application layer:

  1. SNMP
    • It is used to monitor and manage network devices (UDP 161 for queries, UDP 162 for traps).
    • SNMP v1 and v2c are not secure (the community string travels in cleartext) and should not be used.
    • SNMP v3 is the most secure version: it adds user authentication and encryption.
    • Community string: the password. Change the defaults ("public" and "private") and use read-only strings wherever possible.
  2. DNS
    • It resolves domain names to IP addresses.
    • It operates on port 53 (UDP, and TCP for large responses and zone transfers).
    • DNSSEC: a more secure extension of DNS.
      • It adds origin authentication and integrity through digital signatures on records. It does not encrypt queries; DNS over TLS or HTTPS does that.
    • Most common attacks:
      • DNS (cache) poisoning: forged answers inserted into a resolver's cache, redirecting victims.
      • DNS amplification: small queries with the victim's address spoofed as source are sent to open resolvers, which return much larger responses to the victim.
  3. LDAP
    • Lightweight Directory Access Protocol.
    • It operates on port 389.
    • LDAPS (LDAP over SSL/TLS) uses port 636; StartTLS on 389 is the alternative.
    • Most common attack:
      • LDAP injection (unvalidated input placed into a directory query).
  4. DHCP
    • It is used to assign IP addresses (plus gateway, DNS and other options) to hosts.
    • APIPA address: 169.254.x.x. The computer self-assigns an address in this range when it cannot reach a DHCP server.
    • It operates on UDP ports 67 (server) and 68 (client).
    • Most common attack:
      • DHCP spoofing: a rogue DHCP server hands out a malicious gateway or DNS address. Mitigation: DHCP snooping on the switch, which only trusts server replies from designated ports.

Secure Network Components

Firewall

There are four classic types of firewall, plus the next-generation firewall:

  • Static packet filtering firewall.
    • The simplest and fastest, but it also provides the lowest protection.
    • It checks only the network and transport headers (addresses, protocol, ports, flags) of each packet in isolation, with no memory of earlier packets.
  • Circuit-level firewall.
    • Works at the session layer (SOCKS is the usual example): it verifies that the TCP handshake is legitimate and then relays the session without inspecting the payload.
  • Application-level (proxy) firewall.
    • Understands the application protocol (HTTP, FTP, ...) and can filter on its content, at the cost of speed and of needing one proxy per protocol.
  • Stateful inspection firewall.
    • It keeps a table of active connections and only admits inbound packets that belong to a connection an internal host started.
  • Next-generation firewall (NGFW)
    • It adds further features, such as IDS/IPS, application awareness, user identity and malware prevention.
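
Here is an added Python example (not from the original post) that shows why stateful inspection matters: the same four packets are judged by a static packet filter and by a stateful filter. The internal network, the single allowed outbound port and the simplified connection-table logic are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed "inside" network for the example
ALLOWED_OUTBOUND_PORTS = {443}


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the internal network, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters: S=SYN, A=ACK, R=RST, F=FIN


def _is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL_NET


def static_packet_filter(pkt: Packet) -> bool:
    """Static (stateless) filter: each packet is judged on its own header fields.
    Rule 1: inside -> anywhere on port 443.
    Rule 2: inbound packets are let in only if they come from port 443 and carry ACK,
            which is the best a stateless rule can do to recognise return traffic."""
    if pkt.direction == "out":
        return _is_internal(pkt.src) and pkt.dport in ALLOWED_OUTBOUND_PORTS
    return pkt.sport in ALLOWED_OUTBOUND_PORTS and "A" in pkt.flags


class StatefulFilter:
    """Stateful inspection: the same outbound policy, but inbound packets are admitted only
    when they match a connection that an internal host actually opened."""

    def __init__(self):
        self.connections = set()   # (internal_ip, internal_port, external_ip, external_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if not (_is_internal(pkt.src) and pkt.dport in ALLOWED_OUTBOUND_PORTS):
                return False
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":                 # new connection: record it
                self.connections.add(key)
                return True
            if key in self.connections:
                if "R" in pkt.flags or "F" in pkt.flags:
                    self.connections.discard(key)   # simplified teardown
                return True
            return False
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reversed tuple for inbound
        if key not in self.connections:
            return False                         # unsolicited, whatever the flags claim
        if "R" in pkt.flags:
            self.connections.discard(key)
        return True


def run_scenario() -> dict:
    """Four packets, each judged by both firewalls; returns {label: (stateless, stateful)}."""
    stateful = StatefulFilter()
    packets = {
        "client SYN to web server":   Packet("out", "10.1.2.3", 51000, "203.0.113.10", 443, "S"),
        "server SYN-ACK reply":       Packet("in", "203.0.113.10", 443, "10.1.2.3", 51000, "SA"),
        "ACK probe at RDP from :443": Packet("in", "198.51.100.9", 443, "10.1.2.3", 3389, "A"),
        "SYN to SSH from :443":       Packet("in", "198.51.100.9", 443, "10.1.2.3", 22, "S"),
    }
    return {label: (static_packet_filter(p), stateful.allow(p)) for label, p in packets.items()}


if __name__ == "__main__":
    for label, (stateless_ok, stateful_ok) in run_scenario().items():
        print(f"{label:30s} stateless={stateless_ok!s:5s} stateful={stateful_ok}")
```

The third packet is the point of the exercise: a crafted inbound segment with source port 443 and the ACK bit set passes the static filter's "established" rule even though no internal host ever talked to 198.51.100.9, while the stateful filter rejects it because there is no matching entry in its connection table. This is exactly the trick behind ACK scans and firewalking against stateless filters.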

NAT

NAT (Network Address Translation) is a workaround for the small IPv4 address space. It rewrites the source address of outgoing packets to the public address of the NAT device and keeps a translation table so that replies can be mapped back to the internal host. PAT (Port Address Translation, or NAT overload) also rewrites the source port, so many internal hosts can share one public address.

NAT can be implemented in routers, proxies and firewalls. It has the side benefit of hiding internal IP addresses from external hosts, but it is not a substitute for a firewall.

IDS/IPS

An IDS (Intrusion Detection System) detects suspicious activity and raises an alert. It can be host-based (HIDS, monitoring a single host such as a server or workstation) or network-based (NIDS, monitoring the traffic on a network segment). Detection is either signature-based (matching known patterns) or anomaly-based (deviation from a baseline).

An IDS does not prevent anything; it only detects. For prevention, an IPS (Intrusion Prevention System) is used: it sits inline in the traffic path and can drop or reset malicious traffic.

SIEM

A SIEM (Security Information and Event Management system) centralizes logs from security devices and applications, normalizes them, and correlates events across sources to produce alerts and reports.

UTM

UTM (Unified Threat Management) integrates functions from multiple security devices into one solution.

Proxies

Proxies sit between the internal network and the untrusted network and establish connections with untrusted hosts on behalf of internal systems, so the external host only ever sees the proxy.

VPN Concentrators

VPN concentrators are dedicated devices that terminate many VPN tunnels, handling authentication and encryption for VPN nodes at scale.

Wireless

Before we move on to the next section, let’s address a few concepts related to wireless communications.

There are multiple techniques for using the frequency spectrum:

  • DSSS (Direct Sequence Spread Spectrum): each data bit is combined with a faster pseudorandom chipping code, spreading the signal over a wide band; used by 802.11b.
  • FHSS (Frequency Hopping Spread Spectrum): the transmitter jumps between frequencies in a pseudorandom sequence known to both sides; used by Bluetooth.
  • OFDM (Orthogonal Frequency Division Multiplexing): data is split across many closely spaced subcarriers whose spectra overlap, which is not a problem because they are orthogonal; used by 802.11a/g/n/ac/ax.

These are some methods for securing wireless communications:

  • WEP: the least secure. RC4 with short, reused IVs; the key can be recovered in minutes. Never use it.
  • WPA: uses TKIP (still RC4-based) as a stop-gap for WEP-era hardware. Still not secure.
  • WPA2: secure when configured with a strong passphrase or 802.1X.
    • It uses CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), based on AES.
    • Two types: Personal (pre-shared key) and Enterprise (802.1X with a RADIUS server and an EAP method).
  • WPA3: the current standard; it replaces the pre-shared-key handshake with SAE (Simultaneous Authentication of Equals), which resists offline dictionary attacks.

EAP (Extensible Authentication Protocol) is an authentication framework, not a single method. Many methods are built on it (for example PEAP, LEAP, EAP-TLS, EAP-TTLS).

LEAP is a Cisco-proprietary EAP method (not an alternative to TKIP). It is still not secure: its MS-CHAP-based exchange is vulnerable to offline dictionary attacks.

EAP-TLS is the most secure: mutual authentication with certificates on both the client and the server.

Secure Communication Channels

VoIP

VoIP uses SIP (Session Initiation Protocol) for signalling (setting up and tearing down calls) and RTP (Real-time Transport Protocol) to carry the audio; SRTP encrypts the media and SIP over TLS protects the signalling.

There are multiple attacks that target VoIP systems:

  • Vishing: voice phishing.
  • SPIT: Spam over IP Telephony.
  • MITM: man-in-the-middle, including eavesdropping on unencrypted RTP streams.

Other problems related to VoIP include:

  • Jitter: packets arrive with varying delay, which degrades the audio.
  • Packet loss: it can be mitigated using PLC (Packet Loss Concealment). PLC can either substitute silence (zeros) for the lost portions or interpolate across the gaps; the latter gives better quality than the former.

Multimedia collaboration

Instant Messaging (IM)

Problems related to IM include:

  • SPIM (Spam over IM).
  • IM traffic is often not detectable by firewalls, since it is embedded in other application protocols such as HTTP.

Email

  • Communication between mail servers is done using SMTP (port 25; client submission usually on 587).
  • Communication between mail clients and servers is done using POP3 or IMAP.
  • Open mail relays are SMTP servers that accept mail from anyone for delivery to anyone; spammers abuse them to forward spam.
  • Security solutions for email:
    • S/MIME, PGP, MOSS and PEM for end-to-end signing and encryption of messages; DKIM (together with SPF and DMARC) for authenticating the sending domain.

Remote access/VPN

Remote access can be achieved using many protocols. The most common ones are:

  • Telnet (port 23): not secure; everything, including the password, is sent in cleartext.
  • SSH (port 22): the encrypted replacement for Telnet. Better security.

VPNs can use software or hardware devices (VPN concentrators). Examples of protocols used in VPNs include:

  • PPTP: tunnelling protocol based on PPP. Its MS-CHAPv2 authentication and MPPE encryption are broken; avoid it.
  • L2TP: tunnelling protocol. It provides tunnelling and authentication, but no encryption of its own, so it is combined with IPsec (L2TP/IPsec).
  • IPsec:
    • The most common.
    • Not a single protocol, but a suite:
      • AH: Authentication Header. Integrity and origin authentication of the whole packet, no confidentiality.
      • ESP: Encapsulating Security Payload. Confidentiality, plus integrity and authentication of the payload.
      • IKE: Internet Key Exchange. Negotiates the security associations and keys.
    • Two modes of operation:
      • Tunnel mode: the whole original IP packet is encapsulated in a new one (gateway-to-gateway VPNs).
      • Transport mode: only the payload is protected and the original IP header is kept (host-to-host).
    • NAT breaks IPsec: AH authenticates the IP header that NAT rewrites, and NAT needs port numbers that ESP hides. NAT-T (NAT Traversal) solves this by encapsulating ESP in UDP on port 4500.
  • SSL/TLS VPNs are also common; they run over TCP 443 and need nothing more than a browser or a thin agent on the client.
    • SSL is deprecated and broken; use TLS (1.2 or 1.3) instead.

Virtualized networks

SDN

Software-Defined Networking (SDN) separates the network functions from the hardware. It distinguishes three planes:

  • Infrastructure plane (data plane): the switches and routers that forward packets.
  • Control plane: the centralized controller that decides how traffic is forwarded and programs the devices (for example via OpenFlow).
  • Application plane: the applications that express policy to the controller through its northbound API.

SD-WAN

SD-WAN is the extension of SDN to the WAN: it steers traffic across multiple links (MPLS, broadband Internet, LTE) according to policy, usually with encrypted tunnels between sites.

CDNs

CDNs (Content Distribution Networks) consist of multiple servers deployed in many locations to deliver content to end users quickly and with high availability; they also absorb DDoS traffic in front of the origin servers.

Converged networks

Converged networks carry several kinds of traffic (data, storage, voice) over one infrastructure. Examples include:

  • FCoE (Fibre Channel over Ethernet)
  • iSCSI (SCSI over IP)
  • MPLS

We have now gone through all items that are covered in the domain 4 of the CISSP. If you notice that there is some important concept that I have forgotten to mention in this review, please let me know in the comments below.
