- Chapter 10
- Application Layer
- - Closest layer to user (top layer)
- - POP
- ○ Post office protocol (app)
- ○ Retrieve emails from server
- ○ Downloaded from server to client then deleted from server
- - IMAP
- ○ Internet message access protocol (online)
- ○ Copies are downloaded from server to client and not deleted from server
- - DNS
- ○ TCP, UDP 53
- ○ Domain name service
- ○ Resolve ip address from domain name
- ○ ipconfig /displaydns displays all cached DNS entries on Windows
- - BOOTP
- ○ Bootstrap protocol
- - DHCP
- ○ Dynamic host configuration protocol
- ○ Automatically sets up required IPv4 settings
- - SMTP
- ○ Simple mail transfer protocol
- ○ Used to send email
- - FTP
- ○ File transfer protocol
- ○ Ports 20 and 21
- - TFTP
- ○ Trivial file transfer protocol
- - HTTP
- ○ Port 80
- ○ Web page request/response protocol
- ○ GET (request), POST (upload data files), PUT (upload resources/content)
- - HTTPS
- ○ Encryption and authentication on top of HTTP
- ○ Port 443
- - SMB
- ○ Server message block
- Presentation layer
- - Formatting, encryption and compression
- DHCP DORA
- - Discover
- - Offer
- - Request
- - Ack
- Chapter 11
- Network Design
- - Requirements for network planning
- ○ Cost (capacity and features)
- ○ Speed and types of ports/interfaces (number and types of ports on a router/switch)
- ○ Expandability (fixed/modular physical configurations)
- ○ Operating system features and services
- - IP Addressing
- ○ Must consider what and how many end devices and intermediary devices are present and will be needed
- - Redundancy
- ○ Ensure reliability
- ○ Redundant
- § Servers
- § Links
- § Switches
- - Traffic Management
- ○ QoS (quality of service)
- ○ Understand what types and how much traffic is passing through the network
- ○ Voice - high priority
- ○ Video - high priority
- ○ SMTP - medium priority
- ○ Instant Messaging - Normal Priority
- ○ FTP - Low Priority
- ○ Network traffic should be classified according to priority in order to enhance productivity of employees and minimize network downtime
- - Real time applications
- ○ Network must be able to handle applications that require delay-sensitive delivery
- ○ RTP
- ○ RTCP
- - Protocol analysis
- ○ A protocol analyzer allows you to see all traffic on a network
- § Wireshark is a free analyzer
- - Threats
- ○ Data loss/manipulation
- § Virus/person causes changes or loss of data
- ○ Identity
- § Personal information is stolen
- ○ Information theft
- § Information directly stolen from computer
- ○ Disruption of service
- - Physical security
- ○ Hardware threats
- § Physical damage to devices/servers
- ○ Environmental threats
- § Temperature or humidity
- ○ Electrical threats
- § Voltage spikes/drops
- § Unconditioned power
- § Power outages
- ○ Maintenance threats
- § Poor handling of components/devices
- § Lack of critical spare parts
- § Poor labelling
- - Vulnerability
- ○ Technological
- § Insecure protocols, operating systems or equipment
- ○ Configuration
- ○ Security policy
- - Malware
- ○ Malicious software intended to cause damage, disrupt, steal or damage data, hosts or networks
- ○ Viruses
- ○ Worms
- ○ Trojan horses
- - Reconnaissance attacks
- ○ Intended for discovery and mapping of systems, services or vulnerabilities
- ○ Can use nslookup, whois, fping
- - Access attacks
- ○ Unauthorized manipulation of data, system access or privileges
- ○ Password attacks
- ○ Trust Exploitation
- ○ Port Redirection
- ○ Man-in-the-Middle
- - Denial of service
- ○ Ping of death
- § Malformed or very large ping packet
- ○ SYN flood
- § Sends multiple SYN requests to a web server, causes the server to become stuck handling too many incomplete SYN requests
- ○ DDoS
- § Many intermediate hosts (zombies) to launch an attack on a server, usually running malware
- ○ Smurf Attack
- § ICMP based attack where attacker broadcasts a large number of ICMP packets using the victim's source IP address. The zombie hosts reply to the target victim in an attempt to overwhelm the WAN link to the destination
- - Authentication, Authorization and Accounting
- ○ Control who is permitted to access the network, what they have access to do and what they do while accessing the network
- - Firewalls
- ○ Network firewalls reside between networks in order to protect/control/manage traffic in and out of a network
- ○ DMZ - demilitarized zone
- ○ Packet Filtering
- § Based on IP addresses, block or allow
- ○ Application filtering
- § Prevent or allow access by specific application types by port numbers
- ○ URL filtering
- § Prevent access to web sites by URL or keyword
- ○ Stateful packet inspection (SPI)
- § Track requests from hosts out of and back into a network
- - Device Security
- ○ Change default logins immediately
- ○ Passwords
- § C0mP13xity m3@ns 5trEngTh
- ○ SSH
- § Requires domain name to work
- - Commands
- ○ Common show commands include:
- • show running-config
- • show interfaces
- • show arp
- • show ip route
- • show protocols
- • show version
- ○ CDP (cisco discovery protocol)
- § show cdp neighbors
- - Traceroute
- ○ A trace returns a list of hops as a packet is routed through a network. The form of the command depends on where the command is issued. When performing the trace from a Windows computer, use tracert. When performing the trace from a router CLI, use traceroute
- ○ Similar to ping, the Windows implementation of traceroute (tracert) sends ICMP Echo Requests. Unlike ping, the first IPv4 packet has a TTL value of one. Routers decrement TTL values by one before forwarding the packet. If the TTL value is decremented to zero, the router will drop the packet and return an ICMP Time Exceeded message back to the source. Each time the source of the traceroute receives an ICMP Time Exceeded message, it displays the source IPv4 address of the ICMP Time Exceeded message, increments the TTL by one and sends another ICMP Echo Request.
- As each new ICMP Echo Request is sent, it makes it to one router more than the last Echo Request before receiving another ICMP Time Exceeded message.
- Traceroute uses the returned ICMP Time Exceeded messages to display a list of routers that the IPv4 packets traverse on their way to the final destination, the destination IPv4 address of the traceroute. When the packet reaches the final destination, the source returns an ICMP Echo Reply.
- Cisco IOS uses a slightly different approach with traceroute, which does not use ICMP Echo Requests. Instead, IOS sends out a sequence of UDP datagrams, each with incrementing TTL values and destination port numbers. The port number is an invalid port number (Cisco uses a default of 33434), and is incremented along with the TTL. Similar to the Windows implementation, when a router decrements the TTL to zero, it will return an ICMP Time Exceeded message back to the source. This informs the source of the IPv4 address of each router along the path.
- When the packet reaches the final destination, because these datagrams tried to access an invalid port at the destination host, the host responds with an ICMP type 3, code 3 message that indicates the port was unreachable. This event signals to the source of the traceroute that the traceroute program has reached its destination.
- Note: The user can interrupt the trace by invoking the escape sequence Ctrl+Shift+6. In Windows, the escape sequence is invoked by pressing Ctrl+C.
- To use extended traceroute, simply type traceroute, without providing any parameters, and press ENTER. IOS will guide you through the command options by presenting a number of prompts related to the setting of all the different parameters. Figure 1 shows the IOS extended traceroute options and their respective descriptions.
- While the Windows tracert command allows the input of several parameters, it is not guided and must be performed through options in the command line. Figure 2 shows the available options for tracert in Windows.
- Note: Traceroute in IPv6 has a similar implementation. The only difference is that in IPv6 the TTL field was renamed to Hop Limit. ICMPv6 Time Exceeded messages are sent by the router when this field is decremented to zero.
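As an added example (not part of the original notes), the following Python simulation walks through both traceroute variants described above: each router decrements the TTL, a TTL of zero produces an ICMP Time Exceeded carrying that router's address, and the destination ends the trace with an ICMP Echo Reply (Windows tracert) or an ICMP type 3, code 3 Port Unreachable (Cisco IOS UDP probes starting at port 33434). The router and destination addresses are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class Probe:
    ttl: int
    proto: str        # "icmp" for Windows tracert, "udp" for Cisco IOS
    dport: int = 0    # UDP destination port, only meaningful when proto == "udp"

def forward(path, dest_addr, probe):
    """Walk one probe along the router path; return (reply_kind, replying_addr)."""
    for router_addr in path:
        probe.ttl -= 1                                  # router decrements TTL before forwarding
        if probe.ttl == 0:
            return ("time-exceeded", router_addr)       # ICMP Time Exceeded from this router
    # The probe survived every hop and reached the destination host.
    if probe.proto == "icmp":
        return ("echo-reply", dest_addr)                # Echo Reply ends a Windows tracert
    return ("port-unreachable", dest_addr)              # ICMP type 3, code 3 ends an IOS traceroute

def traceroute(path, dest_addr, style="windows", max_hops=30):
    """Return one (ttl, reply_kind, addr) record per probe until the destination answers."""
    records = []
    udp_port = 33434                                    # IOS default starting (invalid) port
    for ttl in range(1, max_hops + 1):
        if style == "windows":
            probe = Probe(ttl=ttl, proto="icmp")
        else:
            probe = Probe(ttl=ttl, proto="udp", dport=udp_port)
            udp_port += 1                               # IOS increments the port along with the TTL
        kind, addr = forward(path, dest_addr, probe)
        records.append((ttl, kind, addr))
        if kind != "time-exceeded":
            break                                       # destination reached, stop probing
    return records

# Constructed three-router path and destination (documentation address ranges).
PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]
DEST = "203.0.113.10"

if __name__ == "__main__":
    for style in ("windows", "ios"):
        print(style)
        for ttl, kind, addr in traceroute(PATH, DEST, style):
            print(f"  {ttl:2d}  {addr:15s}  {kind}")
```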