Untitled
a guest
Jun 15th, 2018
Chapter 10

Application Layer
- Closest layer to the user (top layer)
- POP
○ Post Office Protocol (application)
○ Retrieves email from a server
○ Messages are downloaded from the server to the client and then deleted from the server
- IMAP
○ Internet Message Access Protocol (online)
○ Copies are downloaded from the server to the client and are not deleted from the server
- DNS
○ TCP and UDP port 53
○ Domain Name System
○ Resolves an IP address from a domain name
○ ipconfig /displaydns displays all cached DNS entries on Windows
- BOOTP
○ Bootstrap Protocol
- DHCP
○ Dynamic Host Configuration Protocol
○ Automatically sets up the required IPv4 settings
- SMTP
○ Simple Mail Transfer Protocol
○ Used to send email
- FTP
○ File Transfer Protocol
○ Ports 21 (control connection) and 20 (data connection in active mode)
- TFTP
○ Trivial File Transfer Protocol (UDP port 69)
- HTTP
○ Port 80
○ Web page request/response protocol
○ GET (request a resource), POST (upload data/files), PUT (upload a resource/content)
- HTTPS
○ HTTP carried over TLS, adding encryption and authentication of the server on top of HTTP
○ Port 443
- SMB
○ Server Message Block
Presentation layer
- Formatting, encryption and compression



DHCP DORA
- Discover (client broadcasts, looking for a server)
- Offer (server proposes an address to the client)
- Request (client asks for the offered address and names the server it chose)
- Ack (server confirms the lease)



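The four messages as an added worked example (not part of the original notes): a Python encoder/decoder for the DHCPv4 message format (RFC 2131 fixed header, magic cookie, TLV options) plus a toy in-memory server and client that run Discover, Offer, Request, Ack. The server address, address pool and client MAC are constructed sample values, and the Server class and dora helper are this example's own, not any real DHCP implementation.

```python
"""Minimal DHCPv4 DORA exchange: message encoder/decoder plus a toy server
and client that run the Discover, Offer, Request, Ack sequence in memory."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6      # option 53 values
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 53, 54, 255
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")

def build(op, xid, chaddr, options, yiaddr="0.0.0.0", siaddr="0.0.0.0"):
    """Encode one DHCP message (fixed header + magic cookie + TLV options + end)."""
    fixed = HEADER.pack(op, 1, 6, 0, xid, 0, 0x8000,     # htype=Ethernet, broadcast flag set
                        b"\0" * 4, IPv4Address(yiaddr).packed,
                        IPv4Address(siaddr).packed, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    tlv = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + tlv + bytes([OPT_END])

def parse(data):
    """Decode a DHCP message into a dict; options are keyed by option code."""
    fields = HEADER.unpack_from(data)
    body = data[HEADER.size:]
    if body[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(body) and body[i] != OPT_END:
        if body[i] == 0:                       # pad option, no length byte
            i += 1
            continue
        code, length = body[i], body[i + 1]
        opts[code] = body[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4],
            "yiaddr": str(IPv4Address(fields[8])),
            "siaddr": str(IPv4Address(fields[9])),
            "chaddr": fields[11][:fields[2]],   # hlen bytes of the hardware address
            "options": opts}

class Server:
    """Toy DHCP server (example only): one pool, offers the first free address."""
    def __init__(self, server_ip, pool):
        self.ip, self.free, self.offered, self.leased = server_ip, list(pool), {}, {}

    def handle(self, data):
        msg = parse(data)
        kind = msg["options"][OPT_MSG_TYPE][0]
        mac = msg["chaddr"]
        common = [(OPT_SERVER_ID, IPv4Address(self.ip).packed)]
        if kind == DISCOVER:                   # -> OFFER
            ip = self.offered.get(mac) or self.free.pop(0)
            self.offered[mac] = ip
            return build(BOOTREPLY, msg["xid"], mac,
                         [(OPT_MSG_TYPE, bytes([OFFER]))] + common, yiaddr=ip, siaddr=self.ip)
        if kind == REQUEST:                    # -> ACK or NAK
            wanted = str(IPv4Address(msg["options"][OPT_REQUESTED_IP]))
            chosen = msg["options"].get(OPT_SERVER_ID)
            # Ack only if the client selected *this* server and the address we offered it
            if chosen == IPv4Address(self.ip).packed and self.offered.get(mac) == wanted:
                self.leased[mac] = self.offered.pop(mac)
                return build(BOOTREPLY, msg["xid"], mac,
                             [(OPT_MSG_TYPE, bytes([ACK]))] + common, yiaddr=wanted, siaddr=self.ip)
            return build(BOOTREPLY, msg["xid"], mac, [(OPT_MSG_TYPE, bytes([NAK]))] + common)
        raise ValueError(f"unhandled message type {kind}")

def dora(server, mac, xid=0x3903F326):
    """Client side of the exchange; returns (leased ip or None, message types seen)."""
    trace = []
    offer = parse(server.handle(build(BOOTREQUEST, xid, mac, [(OPT_MSG_TYPE, bytes([DISCOVER]))])))
    trace += [DISCOVER, offer["options"][OPT_MSG_TYPE][0]]
    req = build(BOOTREQUEST, xid, mac, [
        (OPT_MSG_TYPE, bytes([REQUEST])),
        (OPT_REQUESTED_IP, IPv4Address(offer["yiaddr"]).packed),   # the address we were offered
        (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID]),            # the server we accepted
    ])
    ack = parse(server.handle(req))
    trace += [REQUEST, ack["options"][OPT_MSG_TYPE][0]]
    return (ack["yiaddr"] if trace[-1] == ACK else None), trace

if __name__ == "__main__":
    srv = Server("192.0.2.1", ["192.0.2.100", "192.0.2.101"])   # constructed sample pool
    print(dora(srv, b"\x00\x11\x22\x33\x44\x55"))
    # → ('192.0.2.100', [1, 2, 3, 5])
```

The Request carries both the requested address (option 50) and the server identifier (option 54); a server that did not offer that address, or that is not the one named, answers with a NAK instead of an ACK, which is why the client must echo both values.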
Chapter 11

Network Design
- Requirements for network planning
○ Cost (capacity and features)
○ Speed and types of ports/interfaces (number and types of ports on a router/switch)
○ Expandability (fixed vs modular physical configurations)
○ Operating system features and services
- IP Addressing
○ Must consider which end devices and intermediary devices are present, how many there are, and how many will be needed
- Redundancy
○ Ensures reliability
○ Redundant
§ Servers
§ Links
§ Switches
- Traffic Management
○ QoS (quality of service)
○ Understand what types of traffic are passing through the network and how much
○ Voice - high priority
○ Video - high priority
○ SMTP - medium priority
○ Instant messaging - normal priority
○ FTP - low priority
○ Network traffic should be classified according to priority in order to enhance employee productivity and minimize network downtime
- Real-time applications
○ The network must be able to handle applications that require delay-sensitive delivery
○ RTP (Real-time Transport Protocol)
○ RTCP (RTP Control Protocol)
- Protocol analysis
○ A protocol analyzer lets you see the traffic on a network (on a switched network only the traffic that reaches the capture interface, so a SPAN/mirror port or a tap is needed to see other hosts' traffic)
§ Wireshark is a free analyzer
- Threats
○ Data loss/manipulation
§ A virus or a person causes changes to, or loss of, data
○ Identity theft
§ Personal information is stolen
○ Information theft
§ Information stolen directly from a computer
○ Disruption of service
- Physical security
○ Hardware threats
§ Physical damage to devices/servers
○ Environmental threats
§ Temperature or humidity extremes
○ Electrical threats
§ Voltage spikes/drops
§ Unconditioned power
§ Power outages
○ Maintenance threats
§ Poor handling of components/devices
§ Lack of critical spare parts
§ Poor labelling
- Vulnerability
○ Technological
§ Insecure protocols, operating systems or equipment
○ Configuration
§ Weak or default settings (default accounts, unneeded services left enabled)
○ Security policy
§ Missing or unenforced policy (no patching or password rules)
- Malware
○ Malicious software intended to damage, disrupt or steal from data, hosts or networks
○ Viruses
○ Worms
○ Trojan horses
- Reconnaissance attacks
○ Intended for discovery and mapping of systems, services or vulnerabilities
○ Can use nslookup, whois, fping
- Access attacks
○ Unauthorized manipulation of data, system access or privileges
○ Password attacks
○ Trust exploitation
○ Port redirection
○ Man-in-the-middle
- Denial of service
○ Ping of death
§ A malformed or oversized ping packet (larger than the 65,535-byte IPv4 maximum once the fragments are reassembled) crashes vulnerable hosts
○ SYN flood
§ Sends many TCP SYN requests to a server and never completes the handshakes; the server's table of half-open connections fills up and legitimate connections are refused
○ DDoS
§ Many intermediate hosts (zombies), usually compromised with malware, are used to launch the attack on a server at the same time

○ Smurf attack
§ ICMP-based attack: the attacker sends a large number of ICMP echo requests to a network's broadcast address with the victim's address spoofed as the source. Every host on that network (acting as an amplifier) replies to the victim, overwhelming the WAN link to the victim
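Added example (not from the original notes): detection logic for the SYN flood and Smurf patterns above, run over a constructed, tshark-style packet summary log. The log format, the thresholds and the addresses are assumptions made for this example; a SYN flood shows up as many half-open handshakes to one port from distinct sources, and a Smurf victim shows up as a host receiving echo replies from many senders without having sent any echo requests.

```python
"""Spot the DoS patterns described above in a packet summary log.
Log format (constructed for this example, loosely tshark-like):
    <time> <src> -> <dst> <proto> <detail>
TCP detail is the flag string (S, SA, A, ...) plus dport=N; ICMP detail is the type."""
import re
from collections import defaultdict

LINE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+(TCP|ICMP)\s+(.*)$")

def parse_line(line):
    """One log line -> dict, or None if the line does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, detail = m.groups()
    rec = {"ts": ts, "src": src, "dst": dst, "proto": proto}
    if proto == "TCP":
        flags, port = detail.split()
        rec["flags"] = flags
        rec["dport"] = int(port.split("=")[1])
    else:
        rec["type"] = detail
    return rec

def detect(lines, syn_threshold=5, smurf_threshold=5):
    """Return a list of (kind, victim, evidence) findings."""
    handshakes = {}                    # (src, dst, dport) -> "half-open" | "open"
    echo_requests = defaultdict(int)   # host -> echo requests it sent
    echo_replies = defaultdict(set)    # host -> senders of echo replies it received
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "TCP":
            key = (rec["src"], rec["dst"], rec["dport"])
            if rec["flags"] == "S":
                handshakes.setdefault(key, "half-open")
            elif rec["flags"] == "A" and handshakes.get(key) == "half-open":
                handshakes[key] = "open"          # third packet of the handshake
        elif rec["type"] == "echo-request":
            echo_requests[rec["src"]] += 1
        elif rec["type"] == "echo-reply":
            echo_replies[rec["dst"]].add(rec["src"])

    findings = []
    half_open = defaultdict(set)                  # (dst, dport) -> sources stuck half-open
    for (src, dst, dport), state in handshakes.items():
        if state == "half-open":
            half_open[(dst, dport)].add(src)
    for (dst, dport), srcs in half_open.items():
        if len(srcs) >= syn_threshold:
            findings.append(("syn-flood", f"{dst}:{dport}",
                             f"{len(srcs)} half-open connections from distinct sources"))
    for dst, senders in echo_replies.items():
        # A Smurf victim receives replies from many hosts although it sent no requests
        if len(senders) >= smurf_threshold and echo_requests[dst] == 0:
            findings.append(("smurf", dst,
                             f"echo replies from {len(senders)} hosts, no requests sent"))
    return findings

# Constructed sample: one legitimate handshake, six half-open SYNs, and a Smurf burst
SAMPLE = [
    "10:00:00 192.0.2.7 -> 198.51.100.10 TCP S dport=443",
    "10:00:00 198.51.100.10 -> 192.0.2.7 TCP SA dport=51234",
    "10:00:00 192.0.2.7 -> 198.51.100.10 TCP A dport=443",
] + [f"10:00:01 203.0.113.{i} -> 198.51.100.10 TCP S dport=443" for i in range(1, 7)] \
  + [f"10:00:02 10.0.0.{i} -> 198.51.100.20 ICMP echo-reply" for i in range(1, 9)]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

The legitimate client is not counted because its ACK moves the handshake to "open"; a real detector would also age out half-open entries and compare against a per-port baseline rather than a fixed threshold.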
- Authentication, Authorization and Accounting (AAA)
○ Controls who is permitted to access the network (authentication), what they are allowed to do (authorization) and records what they do while connected (accounting)
- Firewalls
○ Network firewalls sit between networks in order to protect, control and manage the traffic flowing in and out of a network
○ DMZ - demilitarized zone (a separate network for publicly reachable servers, between the internal network and the internet)
○ Packet filtering
§ Block or allow based on IP addresses
○ Application filtering
§ Prevent or allow access by specific application types, identified by port numbers
○ URL filtering
§ Prevent access to web sites by URL or keyword
○ Stateful packet inspection (SPI)
§ Tracks requests from hosts leaving the network and only admits the matching return traffic back in
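Added example (not from the original notes) contrasting the four filtering types above in a tiny in-memory firewall: address-based packet filtering, port-based application filtering, keyword URL filtering, and a state table that admits inbound packets only when they answer a tracked outbound flow. The Firewall class, its rule lists, the packet dict layout and the sample addresses are this example's own assumptions, not any product's configuration.

```python
"""Packet filtering, application filtering, URL filtering and stateful inspection
as one small in-memory firewall (example code). Packets are dicts with keys
src, sport, dst, dport, proto and dir ("out" = inside -> internet, "in" = internet -> inside)."""
from ipaddress import ip_network, ip_address

class Firewall:
    def __init__(self, inside, blocked_nets=(), allowed_outbound_ports=(), url_blocklist=()):
        self.inside = ip_network(inside)
        self.blocked = [ip_network(n) for n in blocked_nets]      # packet filtering (by address)
        self.app_ports = set(allowed_outbound_ports)              # application filtering (by port)
        self.url_block = [w.lower() for w in url_blocklist]       # URL/keyword filtering
        self.state = set()                                        # SPI: tracked outbound flows

    def packet_filter(self, pkt):
        """Deny anything to or from a blocked address range."""
        src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
        return not any(src in net or dst in net for net in self.blocked)

    def app_filter(self, pkt):
        """Only the listed application ports may be used for outbound connections."""
        return pkt["dport"] in self.app_ports

    def url_filter(self, url):
        """Block a URL if it contains any listed keyword."""
        return not any(word in url.lower() for word in self.url_block)

    def allow(self, pkt):
        """Stateful decision: outbound flows create state, inbound must match existing state."""
        if not self.packet_filter(pkt):
            return False
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        if pkt["dir"] == "out":
            if not self.app_filter(pkt):
                return False
            self.state.add(flow)
            return True
        # Inbound: admit only the reverse of a flow an inside host started.
        # A stateless filter would have to allow every inbound packet with sport 443
        # to let HTTPS replies in; SPI checks the peer and ports of the actual flow.
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        return reverse in self.state

if __name__ == "__main__":
    # Constructed sample policy and packets
    fw = Firewall("10.1.1.0/24", blocked_nets=["203.0.113.0/24"],
                  allowed_outbound_ports=[80, 443, 53], url_blocklist=["gambling"])
    out = {"src": "10.1.1.5", "sport": 51000, "dst": "93.184.216.34", "dport": 443,
           "proto": "tcp", "dir": "out"}
    back = {"src": "93.184.216.34", "sport": 443, "dst": "10.1.1.5", "dport": 51000,
            "proto": "tcp", "dir": "in"}
    spoof = dict(back, src="198.51.100.9")          # same ports, different peer
    print(fw.allow(out), fw.allow(back), fw.allow(spoof))   # True True False
```

The spoofed packet is the case that separates SPI from plain packet filtering: it is addressed to an inside host on the right ports, but no inside host ever opened a flow to that peer, so there is no state entry for it.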
- Device Security
○ Change default logins immediately
○ Passwords
§ C0mP13xity m3@ns 5trEngTh
○ SSH
§ On Cisco IOS, SSH requires a hostname and a domain name (ip domain-name) to be configured before the RSA key pair can be generated
- Commands
○ Common show commands include:
• show running-config
• show interfaces
• show arp
• show ip route
• show protocols
• show version
○ CDP (Cisco Discovery Protocol)
§ show cdp neighbors
§ CDP advertises device details (platform, IOS version, addresses) to neighbours, so disable it on interfaces facing untrusted networks

- Traceroute
○ A trace returns a list of hops as a packet is routed through a network. The form of the command depends on where the command is issued. When performing the trace from a Windows computer, use tracert. When performing the trace from a router CLI, use traceroute.
○ Similar to ping, the Windows implementation of traceroute (tracert) sends ICMP Echo Requests. Unlike ping, the first IPv4 packet has a TTL value of one. Routers decrement the TTL by one before forwarding the packet. If the TTL is decremented to zero, the router drops the packet and returns an ICMP Time Exceeded message to the source. Each time the source of the traceroute receives an ICMP Time Exceeded message, it displays the source IPv4 address of that message, increments the TTL by one and sends another ICMP Echo Request.
As each new ICMP Echo Request is sent, it reaches one router further than the previous Echo Request before another ICMP Time Exceeded message comes back.
Traceroute uses the returned ICMP Time Exceeded messages to display the list of routers that the IPv4 packets traverse on their way to the final destination, the destination IPv4 address of the traceroute. When the packet reaches the final destination, the destination host returns an ICMP Echo Reply, which tells the source the trace is complete.
Cisco IOS uses a slightly different approach with traceroute, which does not use ICMP Echo Requests. Instead, IOS sends out a sequence of UDP datagrams, each with an incrementing TTL value and destination port number. The port number is one that is not expected to be in use (Cisco uses a default starting port of 33434) and is incremented along with the TTL. As with the Windows implementation, when a router decrements the TTL to zero, it returns an ICMP Time Exceeded message to the source. This tells the source the IPv4 address of each router along the path.
When the datagram reaches the final destination, because it was addressed to a port that is not open on the destination host, the host responds with an ICMP type 3, code 3 (Destination Unreachable, Port Unreachable) message. This event signals to the source that the traceroute has reached its destination. If the destination silently drops the UDP probes (for example, a firewall filters them), this message never arrives and the trace keeps probing until the maximum hop count is reached.
Note: The user can interrupt the trace in IOS by invoking the escape sequence Ctrl+Shift+6. In Windows, the escape sequence is Ctrl+C.
To use extended traceroute, simply type traceroute without any parameters and press ENTER. IOS then guides you through the command options by presenting a series of prompts for the different parameters. Figure 1 shows the IOS extended traceroute options and their respective descriptions.
While the Windows tracert command allows the input of several parameters, it is not guided and the parameters must be given as options on the command line. Figure 2 shows the available options for tracert in Windows.
Note: Traceroute in IPv6 works the same way. The only difference is that in IPv6 the TTL field was renamed Hop Limit; a router sends an ICMPv6 Time Exceeded message when this field is decremented to zero.
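Added example (not part of the original notes) modelling both traceroute variants described above over a constructed path of three routers: Windows-style ICMP Echo probes that end with an Echo Reply, and IOS-style UDP probes to port 33434 and up that end with an ICMP type 3 code 3. The forward and traceroute functions are a simulation of the TTL and reply logic, not socket code, and the router and host addresses are sample values; the dest_filters_udp switch is this example's way of showing what happens when the destination drops the UDP probes.

```python
"""Model of tracert (ICMP Echo probes) and IOS traceroute (UDP probes) over a
constructed path. No packets are sent; each probe is walked through a list of routers."""
from dataclasses import dataclass

TIME_EXCEEDED, ECHO_REPLY, PORT_UNREACH = (11, 0), (0, 0), (3, 3)   # ICMP (type, code)
IOS_BASE_PORT = 33434

@dataclass
class Reply:
    sender: str      # IPv4 address the ICMP message came from
    icmp: tuple      # (type, code)

def forward(path, dest, probe, dest_filters_udp=False):
    """Walk one probe through the path; each router decrements TTL before forwarding."""
    ttl = probe["ttl"]
    for router in path:
        ttl -= 1
        if ttl == 0:
            return Reply(router, TIME_EXCEEDED)       # dropped here, router reports itself
    # Probe reached the destination host
    if probe["kind"] == "icmp-echo":
        return Reply(dest, ECHO_REPLY)                # Windows-style trace is done
    if dest_filters_udp:
        return None                                   # firewall swallows the UDP probe
    return Reply(dest, PORT_UNREACH)                  # UDP to a closed port: type 3, code 3

def traceroute(path, dest, style="ios", max_hops=30, dest_filters_udp=False):
    """Return one record per hop: ttl used, who answered ('*' if nobody), ICMP (type, code), probe sent."""
    hops, ttl = [], 1
    while ttl <= max_hops:
        if style == "windows":
            probe = {"ttl": ttl, "kind": "icmp-echo"}
        else:
            # IOS increments the destination port together with the TTL
            probe = {"ttl": ttl, "kind": "udp", "dport": IOS_BASE_PORT + ttl - 1}
        reply = forward(path, dest, probe, dest_filters_udp)
        hops.append({"ttl": ttl, "from": reply.sender if reply else "*",
                     "icmp": reply.icmp if reply else None, "probe": probe})
        if reply and reply.icmp != TIME_EXCEEDED:
            break                                     # Echo Reply or Port Unreachable ends the trace
        ttl += 1
    return hops

if __name__ == "__main__":
    # Constructed sample path: three routers, then the destination host
    path = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
    for hop in traceroute(path, "203.0.113.50", style="ios"):
        print(hop["ttl"], hop["from"], hop["icmp"], hop["probe"])
```

With dest_filters_udp=True the IOS-style trace shows the three routers and then a column of "*" entries up to max_hops, which is exactly what a practitioner sees when a firewall in front of the target drops UDP but the routers on the way still answer with Time Exceeded.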