3. Exam Essentials for Secure Network Architecture and Network Components

Know the OSI model layers AND the protocols under each.

Application: HTTP, FTP, LPD, SMTP, Telnet, TFTP, EDI, POP3, IMAP, SNMP, NNTP, S-RPC, SET

Presentation: ASCII, EBCDIC, TIFF, JPEG, MPEG, MIDI

Session: NFS, SQL, RPC

Transport: SPX, SSL, TLS, TCP, UDP

Network: ICMP, RIP, OSPF, BGP, IGMP, IP, IPsec, IPX, NAT, SKIP

Data Link: SLIP, PPP, ARP, RARP, L2F, L2TP, PPTP, FDDI, ISDN

Physical: EIA/TIA-232, EIA/TIA-449, X.21, HSSI, SONET, V.24, V.35

Know TCP/IP completely

What is the difference between TCP and UDP? TCP is connection-oriented and UDP is connectionless.

Know the OSI model and the TCP/IP model.

Know the well-known ports

Ports 0 through 1023.

Know the different cabling types, their maximum lengths, and their maximum throughput rates.

STP: shielded twisted pair

10Base-T (UTP)

10Base2 (thinnet)

10Base5 (thicknet)

100Base-T

1000Base-T

Fiber-optic

UTP categories 1 through 7


Be familiar with common LAN technologies

Ethernet: A system for connecting a number of computer systems to form a local area network, with protocols to control the passing of information and to avoid simultaneous transmission by two or more systems

Token Ring: A local area network in which a node can transmit only when in possession of a sequence of bits (called the token) that is passed to each node in turn

FDDI: Fiber Distributed Data Interface, a communications, cabling, and hardware standard for high-speed optical-fiber networks

Analog vs digital

Analog Versus Digital Transmission

Signal
  Analog: continuously variable, in both amplitude and frequency.
  Digital: discrete signal, represented as either changes in voltage or changes in light levels.

Traffic measurement
  Analog: Hz (for example, a telephone channel is 4 kHz).
  Digital: bits per second (for example, a T-1 line carries 1.544 Mbps, and an E-1 line transports 2.048 Mbps).

Bandwidth
  Analog: low bandwidth (4 kHz), which means low data transmission rates (up to 33.6 Kbps) because of limited channel bandwidth.
  Digital: high bandwidth that can support high-speed data and emerging applications that involve video and multimedia.

Network capacity
  Analog: low; one conversation per telephone channel.
  Digital: high; multiplexers enable multiple conversations to share a communications channel and hence achieve greater transmission efficiency.

Network manageability
  Analog: poor; a lot of labor is needed for network maintenance and control because dumb analog devices do not provide management information streams that allow the device to be remotely managed.
  Digital: good; smart devices produce alerts, alarms, traffic statistics, and performance measurements, and technicians at a network control center (NCC) or network operations center (NOC) can remotely monitor and manage the various network elements.

Power requirement
  Analog: high, because the signal contains a wide range of frequencies and amplitudes.
  Digital: low, because only two discrete signals (the one and the zero) need to be transmitted.

Security
  Analog: poor; when you tap into an analog circuit, you hear the voice stream in its native form, and it is difficult to detect an intrusion.
  Digital: good; encryption can be used.

Error rates
  Analog: high; at 10^-5 (that is, 1 in 100,000 bits) a bit is guaranteed to have an error.
  Digital: low; with twisted pair, 10^-7 (that is, 1 in 10 million bits per second) will have an error; with satellite, 10^-9 (that is, 1 in 1 billion per second) will have an error; and with fiber, 10^-11 (that is, only 1 in 10 trillion bits per second) will have an error.

synchronous vs asynchronous

Asynchronous means "not synchronous". Synchronous means "agreed timing for the sending of ones and zeroes (bits)"; that is, the transmit and receive sides of the communications circuit have coordinated (synchronized) their signal and have agreed on exactly what a digital bit encoded into the signal looks like. All communications paths have carrier signals, the signals have a frequency, and encoding bits into the signal involves spacing them out at regular intervals and fixing how long it takes to transmit a bit.

Baseband vs broadband

Broadcast

Multicast

Unicast

CSMA

CSMA/CA

CSMA/CD

Token passing

Polling

2. Exam Essentials for Access Control Attacks and Monitoring

Understand basic risk elements

Risk is the likelihood that a threat can exploit a vulnerability and cause damage to assets.

Asset valuation identifies the value of assets

Threat modeling identifies threats against these assets

Vulnerability analysis identifies weaknesses in an organization’s valuable assets.

Access aggregation is a type of attack that combines, or aggregates, nonsensitive information to learn sensitive information that is used in reconnaissance attacks.

Brute vs dictionary attacks.

A brute-force attack tries every possible character combination; a dictionary attack tries the entries of a word list.

Strong Passwords

Password policies ensure that users create complex passwords, which makes password crackers less successful.

Increase strength by adding one of the factors (see authentication factors here).

Spoofing

Spoofing is pretending to be someone or something else. Spoofing attacks can include email, phone, and IP spoofing.

Sniffing

A packet capturing program reads and stores data that is sent over a network medium in cleartext.

Social Engineering

Convince someone to do something they wouldn’t normally do, usually by pretending to be someone else and asking for help.

Phishing

Phishing is trying to get a user to give up personal information. Spear phishing targets specific groups of users, and whaling targets high-level executives. Vishing uses VoIP.

Log Types

Security logs, system logs, application logs, firewall logs, proxy logs, and change management logs. Logs should be protected and should be read-only.

Monitoring

Basically, monitoring is a form of auditing that focuses on active review of log file data. It holds subjects accountable for their actions, and detects abnormal or malicious activities. IDSs and SIEMs automate monitoring and provide real-time analysis of events.

Accountability

Accountability is maintained by auditing subjects. This promotes good user behavior and compliance.

Audit trails

Records created by logging information about events and occurrences are used to reconstruct an event.

Sampling

Sampling, or data extraction, is extracting elements from a large body of data to construct a meaningful representation or summary of the whole. Statistical sampling uses precise mathematical functions to extract meaningful information from a large volume of data.

Clipping is a form of nonstatistical sampling that only records events that exceed a threshold, for example more than 10 failed login attempts by one user.
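Clipping applied to a login log, as an added example that is not part of the original notes: the log format, the user names and the source addresses are constructed, and only the users whose failure count exceeds the threshold are reported.

```python
import re
from collections import Counter

# Constructed sample log lines (assumed format, not from the page):
# "<timestamp> <LOGIN_FAIL|LOGIN_OK> user=<name> src=<ip>"
SAMPLE_LOG = (
    [f"2024-05-01T08:00:{i:02d} LOGIN_FAIL user=bob src=203.0.113.9" for i in range(12)]
    + ["2024-05-01T08:01:00 LOGIN_OK user=bob src=203.0.113.9"]
    + [f"2024-05-01T08:02:{i:02d} LOGIN_FAIL user=alice src=10.0.0.5" for i in range(3)]
    + ["2024-05-01T08:03:00 LOGIN_OK user=alice src=10.0.0.5"]
    + ["garbage line that the parser must ignore"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def count_failures(lines):
    """Count LOGIN_FAIL events per user; lines that do not match the format are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("event") == "LOGIN_FAIL":
            counts[m.group("user")] += 1
    return counts


def clipping_level(lines, threshold=10):
    """Clipping: record only the users whose failure count exceeds the threshold.

    Everything at or below the threshold is dropped, which is what keeps the
    audit record small compared with logging every failed attempt.
    """
    return {user: n for user, n in count_failures(lines).items() if n > threshold}


if __name__ == "__main__":
    print(clipping_level(SAMPLE_LOG))  # {'bob': 12}
```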


1. Exam Essentials for Access Control

Know the difference between subjects and objects, and know common subject labels.

Subjects are active entities, like users.
Objects are passive, like files.

Labels:

  • A user is a subject who accesses objects in the course of performing some action or accomplishing a work task.
  • An owner is the subject responsible for classifying and labeling objects and for protecting and storing data on any system.
  • A custodian has day-to-day responsibilities for protecting and storing objects.

Know types of access control.

Preventative: to stop unwanted or unauthorized activity from occurring.

Detective: to discover unwanted or unauthorized activity.

Corrective: to restore systems to normal after an unwanted or unauthorized activity occurred.

Deterrent: to discourage violation of security policy.

Recovery: to repair or restore resources, functions and capabilities after a violation of security policy has occurred.

Directive: to direct, confine, or control the action of subjects to force or encourage compliance with security policy.

Compensation: to provide various options to other existing controls to aid in enforcement and support of security policy.

Controls can be:

  • Administrative: policies or procedures to implement and enforce overall access control.
  • Logical/technical: hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems.
  • Physical: barriers deployed to prevent direct contact with systems or areas within a facility.

Know the difference between identification, authentication, and authorization.

Subjects claim an identity, then prove their identity by providing authentication credentials. Subjects are then granted authorization to objects based on their proven identity.

Understand the details of the three authentication factors.

  1. Something you know
  2. Something you have
  3. Something you are

Biometrics have Type 1 (false rejection rate) and Type 2 (false acceptance rate) errors.

Know the details about each of the access control techniques.

Discretionary: all objects have owners and the owners can modify permissions.

Non-discretionary: centrally managed, like a firewall.

Mandatory: use labels for subjects and objects and match the two.

Role-based: access controls use task-based roles, and users gain privileges when their accounts are placed within that role.

Identify common mechanisms, like implicit deny, access control matrices, access control lists, constrained interfaces, and content/context-dependent controls.
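The matrix, ACL and capability-list views of one policy, with implicit deny and a role-based grant, as an added example that is not from the original notes; the subjects, objects, actions and the "auditor" role are constructed.

```python
# Constructed sample policy (not from the page). Rows are subjects, columns are
# objects, and each cell holds the actions that subject may perform on that object.
MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "handbook.pdf": {"read"}},
    "bob": {"handbook.pdf": {"read"}},
}
# Role-based part: a role carries permissions, and an account placed in the role inherits them.
ROLES = {"auditor": {"payroll.xlsx": {"read"}, "audit.log": {"read"}}}
ROLE_MEMBERS = {"bob": {"auditor"}}


def effective_permissions(subject):
    """Direct matrix entries plus everything inherited from the subject's roles."""
    perms = {}
    for obj, actions in MATRIX.get(subject, {}).items():
        perms.setdefault(obj, set()).update(actions)
    for role in ROLE_MEMBERS.get(subject, ()):
        for obj, actions in ROLES.get(role, {}).items():
            perms.setdefault(obj, set()).update(actions)
    return perms


def is_allowed(subject, obj, action):
    """Implicit deny: unless some entry explicitly grants the action, the answer is no.

    An unknown subject, an unknown object or an unlisted action all fall through
    to the empty set and are therefore denied without any special-case code.
    """
    return action in effective_permissions(subject).get(obj, set())


def capability_list(subject):
    """One row of the matrix: what this subject may do, object by object."""
    return effective_permissions(subject)


def access_control_list(obj):
    """One column of the matrix: which subjects may do what to this object."""
    subjects = set(MATRIX) | set(ROLE_MEMBERS)
    return {s: effective_permissions(s)[obj] for s in subjects if obj in effective_permissions(s)}


if __name__ == "__main__":
    print(access_control_list("payroll.xlsx"))  # {'alice': {'read', 'write'}, 'bob': {'read'}}
    print(is_allowed("carol", "handbook.pdf", "read"))  # False: no entry, so implicitly denied
```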

Know SSO

A subject can authenticate once and access multiple objects without authenticating again. Kerberos is the most common SSO mechanism and uses symmetric cryptography and tickets to prove identity and authentication. SPML is commonly used to share federated identity information.

Other SSO methods are scripted access, SESAME, and KryptoKnight.

Understand the purpose of AAA (authentication, authorization, accounting) protocols.

RADIUS uses UDP and encrypts only the password.

TACACS+ uses TCP and encrypts the entire session.

Diameter is based on RADIUS.
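What "RADIUS encrypts only the password" means on the wire, as an added example that is not part of the original notes: a reimplementation of the RFC 2865 User-Password hiding (MD5 of the shared secret and the previous block, XORed with each 16-byte password block), placed next to a User-Name attribute that travels in the clear. The shared secret, user name, password and request authenticator are constructed values.

```python
import hashlib
import os

SHARED_SECRET = b"example-shared-secret"  # constructed; in practice configured on client and server


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: each 16-byte block is XORed with MD5(secret + previous cipher block).

    The first block is chained to the 16-byte Request Authenticator instead.
    """
    if len(authenticator) != 16 or len(password) > 128:
        raise ValueError("authenticator must be 16 bytes; password at most 128 bytes")
    # NUL-pad to a multiple of 16 bytes; an empty password becomes one block of NULs.
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, chained on the received cipher blocks; padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request_attrs(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Type-Length-Value attributes: User-Name (type 1) in the clear, User-Password (type 2) hidden."""
    hidden = hide_user_password(password, secret, authenticator)
    return bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden


if __name__ == "__main__":
    ra = os.urandom(16)  # Request Authenticator: fresh random value per Access-Request
    attrs = build_access_request_attrs(b"alice", b"correct horse", SHARED_SECRET, ra)
    print(b"alice" in attrs, b"correct horse" in attrs)  # True False
```

Everything else in the packet (user name, NAS address, and so on) is visible to anyone who can read the UDP traffic, which is the contrast the notes draw with TACACS+ encrypting the whole session.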

Understand ID and access provisioning lifecycle.