Ebook - CISSP - Domain - 04 - Communication and Network Security

Uploaded by Ab Parvize

Certified Information Systems Security Professional

(CISSP) Certification Training Course

CISSP® is a registered trademark of (ISC)² ®


Domain 04: Communications and Network Security
Learning Objectives

By the end of this lesson, you will be able to:

Analyze OSI, TCP/IP, and UDP communication protocols

Explain the concepts of Software Defined Networking (SDN) and Software Defined Wide Area Networking (SD-WAN)

Recognize and compare different transmission media

List the features of endpoint security

Explain VPN and different types of VPN protocols

Analyze different types of network attacks


Introduction to Communications and Network Security
Case Study: Communications and Network Security

Kevin, who is preparing for his CISSP exam, read an internal case file on a
recent spam attack on Nutri Worldwide Inc.

At the Minnesota plant, a vendor who had visited the plant used his laptop to
complete a few transactions. He connected to the wireless network after taking approvals.
He used his flash drive to back up the transactions. The flash drive had viruses,
and these entered the network through his laptop, causing the local server to
crash. This had far-reaching effects.
Cyber Kill Chain Activities

Planning the Attack
• Reconnaissance: Identify the target and its weaknesses to penetration.
• Develop Weapon(s): Create/select malicious payload using attack vectors to penetrate the target.

Compromising the Target
• Delivery of the Weapon(s): Deliver the weapon into the SWIFT Infrastructure.
• Exploitation: Penetrate and gain execution privileges into the SWIFT Infrastructure.
• Installation: Install the malware on the infected SWIFT Infrastructure.

Executing the Attack
• Command and Control: Establish communication with external servers owned by the hacker.
• Achieve the Objectives: Collect or corrupt data; use lateral movement into the network.

Source: https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf

https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Assess and Implement Secure Design Principles in Network Architecture
Introduction to Secure Network Architecture and Design

Communication between systems is defined by various communication protocols.

• The protocols can be grouped into stacks, families, or suites.
• OSI and TCP/IP models are the most popular models.
• Both models divide communication into different layers.
• Security can be addressed more efficiently using the layered approach.
Open Systems Interconnection

OSI Model

• Open Systems Interconnection (OSI), a standard model for network communications, allows dissimilar networks to communicate.
• OSI describes how data and network information are communicated from one computer to another.
• Each layer communicates with the same layer's software or hardware on other computers.

Layers and example protocols:
7 Application: HTTP, FTP, DNS, SNMP, Telnet
6 Presentation: SSL, TLS
5 Session: NetBIOS, PPTP, PAP
4 Transport: TCP, UDP
3 Network: IP, ARP, ICMP, IPsec
2 Data Link: PPP, ATM, Ethernet
1 Physical: Ethernet, USB
Open Systems Interconnection

OSI Model

• The four lower layers (transport, network, data link, and physical) are concerned with the flow of data from end to end through the network.
• The three upper layers of the OSI model (application, presentation, and session) are more oriented toward services to the applications.
• Data is encapsulated with the necessary protocol information as it moves down the layers before network transit.

Unit of data handled at each layer:
7 Application: Data
6 Presentation: Data
5 Session: Data
4 Transport: Segments
3 Network: Packets
2 Data Link: Frames
1 Physical: Bits


Open Systems Interconnection

The seven layers in the OSI model and their functions are as follows:

7 Application
• Provides specific services for applications such as file transfer
• Allows access to network's resources

6 Presentation
• Translates, encrypts, and compresses data

5 Session
• Establishes, maintains, and manages sessions
• Example: Synchronization of data flow

4 Transport
• Provides end-to-end data transmission integrity

3 Network
• Switches and routes information units
• Provides internetworking

2 Data Link
• Provides transfer of units of information to the other end of the physical link
• Organizes bits into frames

1 Physical
• Transmits bit stream on physical medium
• Provides mechanical and electrical specifications
Working of the OSI Model

Data is sent from a source computer to a destination computer.

• Each protocol operates in a specific layer.
• Each protocol in the source computer has a job allocated.
• When the data packet reaches the destination
computer, it moves up the model.
• Each protocol detaches and examines only the data
that was attached by its protocol counterpart at the
source computer.
• Each layer at the individual destination sees and
deals only with the data that was packaged by its
counterpart on the sending side.
Working of the OSI Model

The following illustration explains how data travels in the OSI model:

1. Data travels down the stack on Host A: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical.
2. It passes through the network.
3. It then travels up the receiving stack on Host B: 1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application.
Physical Layer

• Physical layer defines the physical connection between a computer and network.
• It converts the bits into voltages or light impulses for transmission.
• It defines rules by which bits are passed from one system to another on a physical communication medium.
• It defines types of signaling, such as analog or digital, electrical or optical characteristics of signals, asynchronous or synchronous, simplex, full, or half duplex.
Physical Layer

• It defines the topology (star, bus, and ring).
• The physical layer has only two responsibilities:
o Sending and receiving bits
o Defining standard interfaces

Example: EIA-232 (RS-232), Synchronous Optical NETwork (SONET), ISDN, and DSL are some of the standard interfaces at this layer.

• The physical layer provides services to the data link layer.
Network Topologies

Network topology defines the way the network devices are organized to facilitate communications.

• Star: The nodes of a network are connected directly to a central LAN device.
• Bus: All transmissions of the network nodes travel the full length of the cable and are received by all other stations.
• Ring: The network nodes are connected by unidirectional transmission links to form a closed loop.
• Tree: It is a bus-type topology where branches with multiple nodes are possible.
• Mesh: All the nodes are connected to every other node in a network.
Data Link Layer

Data link layer defines the protocol that computers must follow to access the network for transmitting and receiving messages.
• This layer establishes the communication link
between individual devices over a physical link
or channel.
• The data link layer defines hardware (physical or
MAC) addresses as well as the communication
process that occurs within a media type.
• It also formats the message into data frames
and adds a customized header containing the
hardware destination and source address.
Data Link Layer

The data link layer has two sublayers:

• Media access control (MAC) layer: It controls the way a system on the network gains access to the data and gets permission to transmit it.

• Logical link control (LLC) layer: It controls frame synchronization, error check, and flow.

Example: Address Resolution Protocol (ARP), Serial Line Internet Protocol (SLIP),
and Point-to-Point Protocol (PPP)

• The data link layer provides services to the network layer.


Address Resolution Protocol

Address resolution protocol helps match an IP address to a Media Access Control (MAC) address.

• Interrogates the network by sending out a broadcast seeking a network node that has a particular IP address
• Maintains a dynamic table, known as the ARP cache, of the translations between IP and MAC addresses

The resolution sequence shown in the figure (hosts A, B, and C on one segment, A resolving B):
1. ARP cache is checked
2. ARP request is sent
3. ARP entry is added
4. ARP reply is sent
5. ARP entry is checked
6. IP packet is sent
VLANs

Virtual Local Area Networks (VLANs) allow the ports on the same or different switches to be grouped so that the traffic is confined to the members of that group.
• VLAN restricts broadcast, unicast, and multicast traffic.
• A VLAN creates an isolated broadcast domain and a
switch with multiple broadcast domains, like a router.
• It aids in isolating segments, reduces routing
broadcasts, and segregates department functions.
• It can be segmented logically.
Network Layer

Network layer defines how the small packets of data are routed and relayed between end systems on
the same network or on interconnected networks. Network layer:
• Defines the most optimal path the packet should take from the source to the destination
• Defines logical addressing so that any endpoint can be identified
• Handles congestion in the network
• Defines how to fragment a packet into smaller packets to accommodate different media
• Manages message routing, error detection, and control of node data traffic
• Is primarily responsible for routing
Examples: IP, OSPF, ICMP, and RIP
• Provides services to the transport layer
Types of IP Addressing

The Internet layer provides different addressing types, resulting in messages sent to one or more destination nodes.

• Unicast: Packet sent to a single IP address destination
• Anycast: Packet sent only to the nearest group of nodes
• Multicast: Packet sent to a group of nodes on different networks
• Broadcast: Packet sent to a network's broadcast address
Internet Control Message Protocol (ICMP)

ICMP is a management protocol and messaging service provider for IP.

• Its primary function is to send messages between network devices.
• It can inform hosts on a better route to a destination.
• PING is an ICMP utility used to check the physical connectivity of machines on a network.
Internet Control Message Protocol (ICMP)

ICMP is illustrated below:


Internet Protocol

Internet protocol is a network layer protocol which handles addressing and routing.

• IP specifies the packet format or datagrams and the addressing scheme.
• The two types of IP versions are IPv4 (32-bit address) and IPv6 (128-bit address).
Internet Protocol

Working of internet protocol is shown below:


Hierarchy of Routing Protocols

Hierarchy of different routing protocols is illustrated in the figure below:

Dynamic Routing Protocols
• Interior Gateway Protocols
o Distance Vector Routing Protocols: RIPv1, RIPv2, IGRP
o Hybrid Routing Protocols: EIGRP
o Link-State Routing Protocols: OSPF, IS-IS
• Exterior Gateway Protocols
o Path-Vector Routing Protocols: BGP


Transport Layer

Transport layer defines how to address the physical locations and devices on the network, how to make connections between nodes, and how to handle the networking of messages.

In the figure, data from the session layer is divided into segments, each carrying a transport-layer header (H4), and handed to the network layer; the receiving transport layer collects the segments from the network layer and passes the data up to the session layer.
Transport Layer

The transport layer:

• Establishes a logical connection between the sending host and destination host on a network
• Ensures that the data units are delivered free of errors
• Ensures that data units are delivered in sequence
• Ensures that there is no loss or duplication of data units
• Provides connectionless or connection-oriented service
• Is responsible for providing mechanisms for multiplexing
upper-layer applications, session establishment, and the
teardown of virtual circuits
Example: Transmission Control Protocol (TCP) and User
Datagram Protocol (UDP)
• Provides services to the session layer
Transmission Control Protocol (TCP)

TCP provides a complete duplex and reliable connection. It is costly in terms of network overhead and is slower than UDP.
Transmission Control Protocol (TCP): Goals

Reliable data transport is addressed by TCP to ensure the following goals are achieved:
• An acknowledgment is sent back to the sender.
• Any unacknowledged segments are retransmitted.
• Segments are sequenced back in their proper order.
• A manageable data flow is maintained.
• Port types are reserved or well-known ports (0 to
1023), registered ports (1024 to 49151), and dynamic
ports (49152 to 65535).

Example: HTTP, FTP, and Telnet


TCP Handshake Process

A TCP three-way handshake is used to create a connection between a local host or client and server.

Client                                        Server
1. Send SYN              --- SYN --->         SYN received
   SEQ=100, CTL = SYN
2. SYN received          <-- SYN/ACK ---      Send SYN, ACK
   SEQ=300, ACK=101, CTL = SYN, ACK
3. Established           --- ACK --->         Connection Established
   SEQ=101, ACK=301, CTL = ACK

CTL = Which control bits in the TCP header are set to 1
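The handshake above, worked through in Python as an added example (it is not part of the course material): the block packs the fixed 20-byte TCP header, the size quoted later in the TCP vs. UDP comparison, sets the CTL bits, and exchanges the three segments with the slide's numbers (client ISN 100, server ISN 300). The port numbers 40000 and 80 are assumed values, and the checksum is left at zero because nothing is put on the wire. The client-side check shows why a SYN/ACK whose acknowledgement number is not the client's ISN + 1 is dropped rather than completing the connection.

```python
import struct

# TCP control bits (the "CTL" column on the slide), at their RFC 793 positions
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Fixed 20-byte TCP header: src port, dst port, seq, ack, data offset,
# flags, window, checksum, urgent pointer (no options)
TCP_HEADER_FMT = "!HHIIBBHHH"
MASK32 = 0xFFFFFFFF


def pack_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a minimal TCP header; checksum stays zero because this demo never sends it."""
    data_offset = 5 << 4  # 5 x 32-bit words = 20 bytes; the low nibble is reserved
    return struct.pack(TCP_HEADER_FMT, src_port, dst_port, seq & MASK32, ack & MASK32,
                       data_offset, flags, window, 0, 0)


def unpack_tcp_header(raw):
    src, dst, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HEADER_FMT, raw[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "flags": flags}


def ctl(flags):
    """Render the set control bits the way the slide does, e.g. 'SYN, ACK'."""
    names = ((SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH"), (URG, "URG"))
    return ", ".join(name for bit, name in names if flags & bit)


def client_accepts_synack(raw, client_isn):
    """The check the client makes before sending its final ACK: both SYN and ACK must be
    set and ACK must equal the client's ISN + 1. A segment carrying any other
    acknowledgement number does not belong to this handshake and is dropped."""
    h = unpack_tcp_header(raw)
    both = SYN | ACK
    return (h["flags"] & both) == both and h["ack"] == (client_isn + 1) & MASK32


def three_way_handshake(client_isn=100, server_isn=300):
    """Run the exchange from the slide. Returns (trace, established), where trace is a
    list of (sender, CTL, SEQ, ACK) tuples as they appear on the slide."""
    trace = []
    # 1. Client -> server: SYN with SEQ = client ISN (the ack field is unused)
    syn = pack_tcp_header(40000, 80, client_isn, 0, SYN)  # ports are assumed values
    h = unpack_tcp_header(syn)
    trace.append(("client", ctl(h["flags"]), h["seq"], h["ack"]))
    # 2. Server -> client: SYN, ACK with its own ISN and ACK = client SEQ + 1
    synack = pack_tcp_header(80, 40000, server_isn, h["seq"] + 1, SYN | ACK)
    h = unpack_tcp_header(synack)
    trace.append(("server", ctl(h["flags"]), h["seq"], h["ack"]))
    if not client_accepts_synack(synack, client_isn):
        return trace, False
    # 3. Client -> server: ACK; SEQ advances to ISN + 1, ACK = server SEQ + 1
    ack = pack_tcp_header(40000, 80, h["ack"], h["seq"] + 1, ACK)
    h = unpack_tcp_header(ack)
    trace.append(("client", ctl(h["flags"]), h["seq"], h["ack"]))
    # Server-side check: the ACK must cover exactly its SYN
    established = (h["flags"] & ACK) != 0 and h["ack"] == (server_isn + 1) & MASK32
    return trace, established


if __name__ == "__main__":
    for step in three_way_handshake()[0]:
        print("%-6s CTL=%-8s SEQ=%d ACK=%d" % step)
```

Running the block prints the three rows of the slide; `client_accepts_synack` is the piece to read for the failure case, since each side advances its sequence number by exactly one for the SYN it consumed and rejects anything that acknowledges a different value.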
User Datagram Protocol (UDP)

UDP is like TCP.


• It gives only best effort delivery.
• It is referred to as an unreliable protocol.
• It is considered a connectionless protocol.
Example: DNS, TFTP, and VoIP
User Datagram Protocol (UDP)

User Datagram Protocol(UDP) is illustrated below:


TCP Vs. UDP

Feature | TCP | UDP
 | Establishes connection between the computers before transmitting data | Sends data directly to the destination computer without checking whether the system is ready to receive or not
Connection | Connection-oriented protocol | Connectionless protocol
Speed | Slow | Fast
Reliability | Highly reliable | Unreliable
Header size | 20 Bytes | 8 Bytes
Acknowledgement | Takes acknowledgement of data and can retransmit if the user requests | Neither takes acknowledgement nor retransmits the lost data
Session Layer

Session layer makes the initial contact with other computers and sets up the lines of communication.
• The session layer offers three different modes:
o Simplex
o Half duplex
o Full duplex

In the figure, data from the presentation layer passes through the session layer, which inserts synchronization points (Syn) into the stream before handing it to the transport layer; the receiving session layer takes the stream from the transport layer and passes the data up to the presentation layer.


Session Layer

• This layer splits up a communication session into three different phases:
o Connection establishment
o Data transfer
o Connection release

Example: NFS, SQL, and RPC


• The session layer provides services to the
presentation layer.
Presentation Layer

• Presentation layer presents data and provides services to the application layer.
• It is responsible for defining how information is presented to the user in the interface (application layer) that they are using.
• This layer provides a common means of representing data.
• It acts as a translator; no protocols work in this layer.
• It is not concerned with the meaning of the data but with the syntax and format of the data.

Example: ASCII, BMP, GIF, JPEG, WAV, AVI, and MPEG

In the figure, L7 data from the application layer is encoded, encrypted, and compressed and given a presentation-layer header (H6) to form L6 data, which goes to the session layer; on the receiving side the presentation layer decodes, decrypts, and decompresses the L6 data from the session layer and passes L7 data up to the application layer.

Presentation Layer

Its functions are:

• Protocol conversion
• Data translation
• Compression
• Encryption
• Character set conversion
Application Layer

• Application layer supports the components that deal with the communication aspects of an application.
• It is at this point that the data is in a visual form a user can truly understand rather than binary zeros and ones.
• It does not include applications, rather only protocols that support the applications.
• It deals with properly processing and formatting the data before it moves to the layer below.

In the figure, a user's application protocol (SMTP, Telnet, or HTTP) produces a message that the application layer passes down to the presentation layer with a header (H5); on the receiving side the application layer takes the message from the presentation layer and delivers it to the user's SMTP, Telnet, or HTTP application.
Application Layer

• This layer interfaces with the operating system and other applications.
• It communicates data between files, messages, and
other network activities.
• It handles file transfer, virtual terminals, network
management, and fulfilling network requests of
applications.
Examples: Telnet, FTP, web browsers, Email, and DNS
Transmission Control Protocol or Internet Protocol (TCP/IP) Model

TCP/IP is the common name for the suite of protocols originally developed by
the Department of Defense (DoD).

Application: Represents data to user plus encoding and dialog control
Host-to-Host: Supports communication between diverse devices across diverse networks
Internet: Determines the best path through the network
Network Access: Controls the hardware devices and media that make up the network
Network Access Layer

• The host and the network data exchange are monitored by this layer.
• The physical and data link layers of the OSI model match this layer.
• It defines protocols for the physical transmission of data and oversees hardware addressing.
Example: Ethernet and Point-to-Point Protocol (PPP)

Internet Layer

Internet layer designates the protocols related to the logical transmission of packets over the network. The OSI network layer matches the internet layer.
The functions of the Internet layer:
• Giving nodes IP addresses
• Handling routing of packets
• Controlling communication flows between hosts
Example: Internet Protocol (IP) and Address Resolution Protocol (ARP)

Host-to-Host Layer

Host-to-host layer defines protocols for setting up the level of transmission service.
The functions of the host-to-host layer:
• End-to-end communications
• Error-free delivery of the data
• Data packet sequencing
• Data integrity
Example: Transmission Control Protocol and User Datagram Protocol

Application Layer

• Application layer is user data created by the application that is communicated to other processes or applications on the same or another host.
• The OSI application, presentation, and session layers match with this layer.

Examples: HTTP and FTP


Comparison of OSI and TCP/IP Models

The TCP/IP model is very similar to the OSI model, however with fewer layers.

OSI Model Layers | TCP/IP Protocol Architecture Layers | TCP/IP Protocol Suite
Application Layer, Presentation Layer, Session Layer | Application Layer | FTP, Telnet, SMTP, DNS, SNMP, RIP
Transport Layer | Host-to-Host Transport Layer | TCP, UDP
Network Layer | Internet Layer | IP, ARP, ICMP, IGMP
Data-Link Layer, Physical Layer | Network Interface Layer | Ethernet, Token Ring, Frame Relay, ATM
Introduction to IP Addressing

All hosts on the Internet have a logical and numerical ID called an Internet Protocol (IP) address.
• Each data packet is assigned an IP address of the sender and the recipient.
• Each device receives the packet and makes routing decisions based on the packet's destination IP address.
• IP addressing provides an unreliable datagram service.
• IP address includes network and host.
IPv4 and IPv6

There are two versions of IP in use, IP Version 4 (IPv4) and IP Version 6 (IPv6).

IPv4
• IPv4 provides best effort packet delivery.
• Network addresses in IPv4 are 32 bits in length and are expressed as dot-decimal.
Example: 192.168.0.100

IPv6
• IPv6 address space is 128-bit.
• The new address space provides the potential for a maximum of 2^128, or about 3.403×10^38 addresses.
• IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons.
Example: FE80:0000:0000:0000:0202:B3FF:FE1E:8329
IPv4

There are two versions of IP in use: IP version 4 (IPv4) and IP version 6 (IPv6).
IPv4 version provides best effort packet delivery.
• Network addresses in IPv4 are 32 bits in length and are expressed as dot-decimal.

Example: 192.168.0.100
Classful IP Addressing

The entire available IP address space is divided into two parts:

• The network number: first 8 bits of an IP address
• The host address: the remaining 24 bits of an IP address

Class | Subnet mask | Network bit field | Host bit field | Number of networks | Hosts per network | Start address | End address | CIDR notation
Class A | 255.0.0.0 | 8 | 24 | 128 | 16 million | 0.0.0.0 | 127.255.255.255 | /8
Class B | 255.255.0.0 | 16 | 16 | 16,000 | 65,000 | 128.0.0.0 | 191.255.255.255 | /16
Class C | 255.255.255.0 | 24 | 8 | 2 million | 254 | 192.0.0.0 | 223.255.255.255 | /24
Class D | Reserved for multicast group | | | | | 224.0.0.0 | 239.255.255.255 |
Class E | Reserved for future use, research, or development purposes | | | | | 240.0.0.0 | 255.255.255.255 |

Class A

Class A is an 8-bit network address.
• Has 24-bit host address
• IP ranges from 1.0.0.0 to 126.255.255.255
• Implied net mask of 255.0.0.0
• Contains 16,777,214 nodes
• 126 networks created

Class B

Class B is a 16-bit network address.
• Has 16-bit host address
• IP ranges from 128.0.0.0 to 191.255.255.255
• Implied net mask is 255.255.0.0
• Contains 65,534 nodes
• 16,382 networks created

Class C

Class C is a 24-bit network address.
• Has 8-bit host address
• IP ranges from 192.0.0.0 to 223.255.255.255
• Implied net mask is 255.255.255.0
• Contains 254 nodes
• Over 2 million networks created

Class D and Class E

Class D is reserved for multicast.
• IP ranges from 224.0.0.0 to 239.255.255.255

Class E is reserved for research purposes.
• IP ranges from 240.0.0.0 to 255.255.255.255
Classless Inter-Domain Routing

Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and routing
Internet Protocol packets.
• CIDR intends to slow the growth of routing tables on routers across the Internet and to
help slow the rapid exhaustion of IPv4 addresses.
• CIDR disposes of the rigid scheme of class A, B, and C networks.
• CIDR permits the creation of variable-length subnet masks from 8 bits to 31 bits.
• CIDR leads to an efficient allocation of the available IP addresses on the Internet.
• CIDR notation is a syntax for specifying IP addresses and their associated routing prefixes.
Example: 192.168.1.3/23
Private Networks and Loopback Address

• Not all network addresses are available for general use.
• Private networks allow access to a guest machine by an address that is not publicly accessible.
• Organizations are encouraged to assign private network IP addresses to nodes in their internal networks.
• The address blocks reserved for private networks are:
o 10.0.0.0 to 10.255.255.255
o 172.16.0.0 to 172.31.255.255
o 192.168.0.0 to 192.168.255.255

In the figure, an isolated network using private addresses connects to the Internet through a private/public IP address translation point at the network boundary; only public addresses appear on the Internet side.

Private Networks and Loopback Address

• A loopback address is a special address used to signify a node's address.
• Loopback addresses 127.0.0.1 point back to the issuing computer.

The figure shows the loopback interface alongside the Ethernet interface.
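The classful table, the CIDR example 192.168.1.3/23, the three private blocks and the loopback range, worked in one added Python example (not part of the course material) using only the standard library's `ipaddress` module. The function `describe` is my own name; the private blocks and the 8-to-31-bit prefix range are taken from the slides, and the /31 handling (both addresses usable on a point-to-point link, RFC 3021) is an addition the slides do not mention.

```python
import ipaddress

# The three address blocks the slide lists for private networks (RFC 1918), plus the
# loopback block; all constructed here as network objects.
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK_BLOCK = ipaddress.ip_network("127.0.0.0/8")

# Classful table from the slide: (class, first octet is below this value, network bits).
# Classes D and E have no network/host split, so their network-bit count is None.
CLASSES = (("A", 128, 8), ("B", 192, 16), ("C", 224, 24), ("D", 240, None), ("E", 256, None))


def ipv4_class(addr):
    """Return (class letter, network bits) from the first octet, as the slide table does."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for name, upper, net_bits in CLASSES:
        if first_octet < upper:
            return name, net_bits
    raise ValueError(addr)  # unreachable: every octet is below 256


def classful_hosts(name):
    """Usable hosts per network in a class (2^host_bits minus network and broadcast)."""
    net_bits = dict((c[0], c[2]) for c in CLASSES)[name]
    if net_bits is None:
        return 0
    return 2 ** (32 - net_bits) - 2


def describe(cidr):
    """Classful and classless view of one address in CIDR notation, e.g. '192.168.1.3/23'."""
    ip_text, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    if not 8 <= prefix <= 31:  # the slide gives CIDR prefixes of 8 to 31 bits
        raise ValueError("prefix length must be between 8 and 31: %s" % cidr)
    addr = ipaddress.IPv4Address(ip_text)
    name, net_bits = ipv4_class(ip_text)
    # strict=False lets a host address stand in for its network, as in 192.168.1.3/23
    net = ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)
    # A /31 is a point-to-point link (RFC 3021): both addresses are usable, none is broadcast
    usable = net.num_addresses if prefix == 31 else net.num_addresses - 2
    return {
        "class": name,
        "classful_mask": str(ipaddress.ip_network("0.0.0.0/%d" % net_bits).netmask) if net_bits else None,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
        "private": any(addr in block for block in PRIVATE_BLOCKS),
        "loopback": addr in LOOPBACK_BLOCK,
    }


if __name__ == "__main__":
    # 203.0.113.9 is a documentation address used here as a constructed public sample
    for sample in ("192.168.1.3/23", "10.20.30.40/8", "127.0.0.1/8", "203.0.113.9/24"):
        print(sample, describe(sample))
```

The private check deliberately tests the three slide blocks rather than calling the module's `is_private`, which also counts several other reserved ranges; for the slide's example, the classful view (class C, mask 255.255.255.0) and the CIDR view (network 192.168.0.0/23 with 510 usable hosts) differ, which is the point of the CIDR slide.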
IPv6

• IPv6 address space is 128 bit.
• The new address space provides the potential for a maximum of 2^128, or about 3.403×10^38 addresses.
• IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons.
Example: FE80:0000:0000:0000:0202:B3FF:FE1E:8329
• It allows scoped addresses, end-to-end secure transmission, and authentication.
• It has more flexibility, routing capabilities, and allows QoS.
IPv6
Hexadecimal Format

Decimal Binary Hexadecimal


0 0000 0
1 0001 1
2 0010 2
3 0011 3
4 0100 4
5 0101 5
6 0110 6
7 0111 7
8 1000 8
9 1001 9
10 1010 A
11 1011 B
12 1100 C
13 1101 D
14 1110 E
15 1111 F
IPv6 Address Structure

• An IPv6 address is made of 128 bits divided into eight 16-bit blocks.
• Each block is then converted into a 4-digit hexadecimal number, and the blocks are separated by colon symbols.
• For example, given below is a 128-bit IPv6 address represented in the binary format and
divided into eight 16-bit blocks:
o 0010000000000001 0000000000000000 0011001000111000 1101111111100001
0000000001100011 0000000000000000 0000000000000000 1111111011111011
• The hexadecimal equivalent of the 128-bit IPv6 address above is
2001:0000:3238:DFE1:0063:0000:0000:FEFB.
• Even after converting into the hexadecimal format, the IPv6 address remains long.
IPv6 Address Structure

• IPv6 provides some rules to shorten the address.
o Rule 1: Discard leading zero(s):
In Block 5, 0063, the leading two zeros can be omitted:
2001:0000:3238:DFE1:63:0000:0000:FEFB
o Rule 2: If two or more blocks contain consecutive zeros, omit them all and replace them
with double colon sign (::) as shown:
2001:0000:3238:DFE1:63::FEFB
• Consecutive blocks of zeros can be replaced only once by ::.
• If there are still blocks of zeros in the address, they can be shrunk down to a single zero:
2001:0:3238:DFE1:63::FEFB
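The binary-to-hexadecimal conversion and the two shortening rules above, implemented as an added Python example (not part of the course material). The binary input is the slide's own 128-bit address; `blocks_from_binary`, `compress` and `expand` are my own names. Where the slide's rules leave a choice (several runs of zero blocks qualify for `::`), the block follows RFC 5952 and replaces the longest run, first run on a tie, which matches the slide's result for its address; the standard library's `ipaddress` module is used only to cross-check that the shortened and full forms denote the same value.

```python
import ipaddress

# The 128-bit address from the slide, written as eight 16-bit binary blocks (constructed input)
SLIDE_BINARY = ("0010000000000001 0000000000000000 0011001000111000 1101111111100001 "
                "0000000001100011 0000000000000000 0000000000000000 1111111011111011")


def blocks_from_binary(bits):
    """Split a 128-bit binary string (spaces allowed) into eight 4-digit hexadecimal blocks."""
    bits = bits.replace(" ", "")
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 128 binary digits")
    return ["%04X" % int(bits[i:i + 16], 2) for i in range(0, 128, 16)]


def compress(blocks):
    """Apply the slide's shortening rules to eight hexadecimal blocks."""
    if len(blocks) != 8:
        raise ValueError("an IPv6 address has eight blocks")
    # Rule 1: discard leading zeros in each block; a block of all zeros becomes a single 0
    short = [b.upper().lstrip("0") or "0" for b in blocks]
    # Rule 2: replace one run of two or more consecutive zero blocks with "::".
    # When several runs qualify, RFC 5952 picks the longest (first on a tie); the slide's
    # address has only one qualifying run, so both readings agree.
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if short[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and short[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(short)
    left = ":".join(short[:best_start])
    right = ":".join(short[best_start + best_len:])
    return left + "::" + right


def expand(text):
    """Reverse the rules: full eight-block form with leading zeros restored."""
    return ipaddress.IPv6Address(text).exploded.upper()


def same_address(a, b):
    """Check that two textual forms denote the same 128-bit value, using the standard library."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


if __name__ == "__main__":
    blocks = blocks_from_binary(SLIDE_BINARY)
    print(":".join(blocks))   # 2001:0000:3238:DFE1:0063:0000:0000:FEFB
    print(compress(blocks))   # 2001:0:3238:DFE1:63::FEFB
```

The "replace only once" restriction in the rules is what keeps the shortened form unambiguous: with two `::` in one address there would be no way to tell how many zero blocks each one stands for, so `expand` could not recover the original.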
IPv6 Address Terminology

Prefix
• The prefix is the network portion of an IPv6 address.
• As in an IPv4 address, this is sometimes called the network portion of the address, or the network prefix.

Prefix length
• The prefix length is the number of the most significant or leftmost bits that define the prefix.
• This is equivalent to the subnet mask in IPv4.
• IPv6 addresses are 128 bits, so the prefix length can be /0 to /128.
IPv6 Address Terminologies

Interface ID

• The interface ID is equivalent to the host portion of an IPv4 address.
• IPv6 uses the term interface ID because any type of device can have an IP address, not just a host computer.
• A device with an IPv6 interface may range anywhere from a common server or client computer to an espresso machine or a biomedical sensor.
• The term interface is used because an IP address (IPv4 or IPv6) is assigned to an interface and a device may have multiple interfaces.
IPv6 Address Terminologies

Node or device

An IPv6 node or device is anything that can have an IPv6 address, including traditional devices such as computers and printers along with other types of devices, such as webcams, embedded devices, and Internet of Things (IoT) devices.
IPv6 Address Types

Global Unicast Address (GUA)
• An IPv6 global unicast address (GUA) is a globally unique and routable IPv6 address
• Equivalent to a public IPv4 address
• Begins with either a hexadecimal 2 or 3
• GUA can be either a source or destination IPv6 address
• Example of a global unicast address: 2001:db8:cafe:1::100

Link-Local Unicast Address
• A unicast address that is local only on that link. The term link refers to a logical network segment or a subnet
• Limited to the link and not routable beyond the local subnet
• Typically created automatically by the host operating system
• Can be either source or destination IPv6 addresses
• Usually begin with fe80. Example: fe80::a299:9bff:fe18:50d1
6to4 Tunneling Method

• It is a system that allows IPv6 packets to be transmitted over an IPv4 network without the
need to configure explicit tunnels.
• 6to4 is simply a transparent mechanism used as a transport layer between IPv6 nodes.
• 6to4 does not facilitate interoperation between IPv4-only hosts and IPv6-only hosts.
• 6to4 performs three functions:
o Assigns a block of IPv6 address space to any host or network that has a global IPv4
address
o Encapsulates IPv6 packets inside IPv4 packets for transmission over an IPv4 network
using 6in4
o Routes traffic between 6to4 and native IPv6 networks
IPv6 Vs. IPv4

IPv6
• IP address size of 128 bits
• Has a total range of 340 undecillion possible addresses
o 2001:db8::ff00:42:8329
• The scalability of multicast routing is improved by adding a scope field to the multicast address
• Anycast address is used to send a packet to any one node in a group of nodes
• Extensions to support authentication, data integrity, and data confidentiality

IPv4
• IP address size of 32 bits
• Has a total range of 4.3 billion possible addresses
o 123.45.67.89
• No options of scalability
• No options of anycast
• No extensions available for support
Discussion

What are the main responsibilities of the Internet Assigned Numbers Authority (IANA)?
Internet Security Protocol (IPsec)

Internet Protocol Security (IPsec) is a protocol suite used for securing Internet Protocol (IP) communications.

• The protocols mutually authenticate agents at the beginning of the session and negotiate cryptographic keys to be used during the session.
• A cryptographic layer to both IPv4 and IPv6 using a suite of protocols is added.
• Each IP packet of a communication session is authenticated and encrypted.
• It provides virtual private networks (VPN) and is used for creating a secure connection between client and server and between networks.

Figure: Typical IPsec tunnel. Network data from Alice's network travels through a VPN tunnel across the Internet to Bob's network as encrypted text; an eavesdropper on the Internet sees only the encrypted text.
IPsec Modes: Transport Mode

Transport Mode

In transport mode, only the data is encrypted. It is designed for peer-to-peer communication.

IPsec Modes: Transport Mode

Packet layouts in transport mode:
• IP Packet: IP Header | TCP Header | Data Payload
• Authentication Header (AH): IP Header | AH Header | TCP Header | Payload (the whole packet is authenticated)
• Encapsulating Security Payload (ESP): IP Header | ESP Header | TCP Header | Payload | ESP Trailer | ESP Auth (TCP Header through ESP Trailer encrypted; ESP Header through ESP Trailer authenticated)

IPsec Modes: Tunnel Mode

Tunnel Mode

In tunnel mode, the entire data packet including the header is encrypted. It is designed for gateway-to-gateway communication.

IPsec Modes: Tunnel Mode

Packet layouts in tunnel mode:
• IP Packet: IP Header | TCP Header | Data Payload
• Authentication Header (AH): New IP Header | AH Header | IP Header | TCP Header | Payload (the whole packet is authenticated)
• Encapsulating Security Payload (ESP): New IP Header | ESP Header | IP Header | TCP Header | Payload | ESP Trailer | ESP Auth (original IP Header through ESP Trailer encrypted; ESP Header through ESP Trailer authenticated)
IPsec Security Protocols: Authentication Header (AH)

AH is an authentication protocol.

• It provides authentication and integrity for every packet of network data.
• It acts as a digital signature for the data.
• Confidentiality is not offered.
• It authenticates the IP packet data and parts of the IP header.
• In transport mode, the AH protocol inserts an AH header after the original IP header.
• In tunnel mode, the AH header is inserted before the original, inner IP header but after the outer header.

Original IP packet: IP header | IP Data
AH in transport mode: IP header | AH header | IP Data (whole packet authenticated)
AH in tunnel mode: IP header | AH header | IP header | IP Data (whole packet authenticated)
IPsec Security Protocols: Encapsulating Security Payload (ESP)

ESP is an authentication and encryption protocol.

• It provides confidentiality by encryption of data packets.
• Authentication and integrity are provided optionally.
• In transport mode, the ESP header is inserted after the original IP header.
• In tunnel mode, the ESP header is inserted before the original, inner IP header but after the outer header.
• All data after the ESP header is encrypted and/or authenticated.

Original IP packet: IP header | IP Data

ESP in transport mode: IP header | ESP header | IP Data | ESP trailer | ESP auth
  Encrypted: IP Data through ESP trailer
  Authenticated: ESP header through ESP trailer

ESP in tunnel mode: Outer IP hdr | ESP hdr | IP hdr | IP data | ESP trailer | ESP auth
  Encrypted: inner IP hdr through ESP trailer
  Authenticated: ESP hdr through ESP trailer
Components of IPsec Process: SA and ISAKMP

Security Association (SA):

• Used for negotiating ESP or AH parameters
• One-way or simplex connection
• Two SAs, one for each direction, are used if two systems communicate via ESP or AH
• The security parameter index (SPI) is a unique 32-bit number that identifies each simplex SA connection

Internet Security Association and Key Management Protocol (ISAKMP):

• Manages the SA process
• Provides a key exchange framework
Components of the IPsec Process: IKE

Internet Key Exchange (IKE)

• Allows a variety of cryptographic algorithms, such as AES, DES, MD5, and SHA-1, to be employed by IPsec
• Negotiates the algorithm selection process
• Eliminates the need to manually specify all the IPsec security parameters
• Allows specifying a lifetime for the IPsec security association
• Allows encryption keys to change during IPsec sessions
• Allows IPsec to provide anti-replay services
• Permits Certification Authority (CA) support for a manageable, scalable IPsec implementation
• Allows dynamic authentication of peers
IPsec Process

The steps in the IPsec process, between Host A, Router A, Router B, and Host B, are as follows:

Step 1: "Interesting traffic" initiates the IPsec process
Step 2: IKE phase 1 establishes the IKE SA between Router A and Router B
Step 3: IKE phase 2 establishes the IPsec SA
Step 4: Data transfer through the IPsec tunnel
Step 5: IPsec tunnel termination
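Added example, not code from the course material: a small Python model of AH in transport mode that ties together the AH header layout, the SPI-identified simplex SA, the sequence number, and the anti-replay window that the SA and IKE slides mention. The HMAC-SHA256 tag truncated to 128 bits, the 64-packet window, the key, and the addresses are assumptions made for the example; in practice IKE supplies the key and parameters per SA.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

AH_PROTO = 51      # IP protocol number that tells the receiver an AH header follows
ICV_LEN = 16       # assumption: HMAC-SHA256 truncated to 128 bits
WINDOW = 64        # assumption: anti-replay window width in sequence numbers


@dataclass
class SecurityAssociation:
    """One simplex SA: the SPI names it, the key authenticates it, the rest is replay state."""
    spi: int
    auth_key: bytes
    next_seq: int = 1        # sender side: sequence number for the next packet
    highest_seq: int = 0     # receiver side: right edge of the sliding window
    window_bitmap: int = 0   # receiver side: bit i set => (highest_seq - i) already accepted


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Constructed minimal 20-byte IPv4 header (fixed identification, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)


def zero_mutable_fields(hdr):
    """AH covers the IP header except the fields that legitimately change in transit."""
    h = bytearray(hdr)
    h[1] = 0                 # ToS / DSCP
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def compute_icv(sa, ip_hdr, ah_fixed, payload):
    """ICV over the immutable IP header fields, the AH header with a zeroed ICV, and the payload."""
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(sa.auth_key, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_transport_encapsulate(sa, src, dst, inner_proto, payload):
    """Transport mode: original IP header, then the AH header, then the original payload."""
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    # AH fixed part: next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", inner_proto, ah_len // 4 - 2, 0, sa.spi, sa.next_seq)
    sa.next_seq += 1
    return ip_hdr + ah_fixed + compute_icv(sa, ip_hdr, ah_fixed, payload) + payload


def ah_transport_verify(sa_table, packet):
    """Receiver: SPI lookup, replay-window check, ICV check, and only then slide the window."""
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != AH_PROTO:
        return "not-ah", None
    _next_hdr, ah_words, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (ah_words + 2) * 4
    sa = sa_table.get(spi)
    if sa is None:
        return "unknown-spi", None
    if seq == 0 or (seq <= sa.highest_seq and sa.highest_seq - seq >= WINDOW):
        return "outside-window", None          # sequence 0 is never valid; too old to track
    if seq <= sa.highest_seq and sa.window_bitmap & (1 << (sa.highest_seq - seq)):
        return "replay", None                  # this sequence number was already accepted
    ah_fixed, icv, payload = rest[:12], rest[12:ah_len], rest[ah_len:]
    if not hmac.compare_digest(icv, compute_icv(sa, ip_hdr, ah_fixed, payload)):
        return "bad-icv", None                 # forged or modified; the window is left untouched
    if seq > sa.highest_seq:                   # advance the window, dropping bits that fall off
        shift = seq - sa.highest_seq
        sa.window_bitmap = ((sa.window_bitmap << shift) | 1) & ((1 << WINDOW) - 1)
        sa.highest_seq = seq
    else:
        sa.window_bitmap |= 1 << (sa.highest_seq - seq)
    return "ok", payload


def demo():
    """Walk one SA through accept, tamper, out-of-order accept, replay, and a TTL change."""
    key = b"constructed-demo-key-not-from-ike"   # assumption: in practice negotiated by IKE
    sender = SecurityAssociation(spi=0x1000, auth_key=key)
    receiver = SecurityAssociation(spi=0x1000, auth_key=key)
    table = {receiver.spi: receiver}
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    p1 = ah_transport_encapsulate(sender, src, dst, 6, b"GET / HTTP/1.0\r\n")  # seq 1
    p2 = ah_transport_encapsulate(sender, src, dst, 6, b"Host: example\r\n")   # seq 2
    p3 = ah_transport_encapsulate(sender, src, dst, 6, b"\r\n")                # seq 3
    tampered = p2[:-1] + bytes([p2[-1] ^ 0x01])        # one payload bit flipped in transit
    router_hop = p3[:8] + bytes([p3[8] - 1]) + p3[9:]  # TTL decremented by a router
    return [
        ah_transport_verify(table, p1)[0],          # "ok"
        ah_transport_verify(table, tampered)[0],    # "bad-icv"
        ah_transport_verify(table, p2)[0],          # "ok": the failed check did not move the window
        ah_transport_verify(table, p1)[0],          # "replay": seq 1 already accepted
        ah_transport_verify(table, router_hop)[0],  # "ok": TTL is mutable and not covered
    ]
```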


Secure Access Protocols: PGP

• A freeware for securing e-mail communication
• Mainly uses RSA public key encryption and key management
• Uses IDEA symmetric bulk encryption and MD5 hashing
• Supports conventional and PGP public key certificates
Secure Access Protocols: S-HTTP

• S-HTTP (Secure Hypertext Transport Protocol) is used to protect individual messages encrypted with a symmetric session key at the application layer (HTTP).
• The web server creates a session key, which is sent to the client after encrypting it with the client's public key.
Secure Access Protocols: HTTPS

HTTPS (Hypertext Transport Protocol over SSL) encrypts all information that passes over the connection at the session layer.

Unlike S-HTTP, SSL can be applied to non-HTTP traffic.
Secure Access Protocols: SSL

• Mostly used for e-commerce
• The digital certificate is sent by the server to the client
• The server's public key is verified by the CA
• The client generates a symmetric session key
• Using the server's public key, the session key is encrypted and sent to the server
• Supports asymmetric RSA, symmetric DES, 3DES, and IDEA, and MD5 hashing
Business Scenario

To improve the security of the communication channels, Hilda Jacobs was asked
to provide suggestions for securing communication. Kevin worked with Hilda on
this assignment, and they produced their report.

The report suggested that all site-to-site communication over the public network or
internet should use IPSec. Administrators will have to use SSH instead of Telnet for
the administration of network devices or servers over the network. SSH provides
a more secure communication channel as compared to Telnet.

Question: What is the major disadvantage of using Telnet?

Answer: Telnet communication is unencrypted, and an attacker can easily sniff the data, including
passwords.
Multi-Protocol Label Switching

Multi-protocol label switching (MPLS) is a mechanism that directs data from one network node to the next based on short path labels.

• The labels identify virtual links or paths between distant nodes rather than endpoints.
• MPLS can encapsulate packets of various network protocols.
• MPLS operates at layer 2.5.
Fiber Channel over Ethernet and Internet Small Computer System Interface

Fiber Channel over Ethernet (FCoE) is a computer network technology that enables Fiber Channel communications to run directly over Ethernet.

Figure: Networking with FCoE. A server's Fibre Channel driver and Ethernet driver share a converged network adapter (CNA); the CNA carries LAN traffic and, over lossless Ethernet, storage traffic to an FCoE switch connected to the SAN.
Fiber Channel over Ethernet and Internet Small Computer System Interface

FCoE converges storage and IP protocols on a single cable transport and interface by moving Fiber Channel traffic across existing high-speed Ethernet infrastructure.

Internet Small Computer System Interface (iSCSI) is a transport layer protocol that defines how Small Computer System Interface (SCSI) packets should be transported over a TCP/IP network.
Implications of Multi-Layer Protocols

The TCP/IP protocol suite consists of various layers with many individual protocols and is also known as a multi-layer protocol.

Following are the advantages and disadvantages of multi-layer protocols:

Advantages:
• Encryption can be incorporated on various layers
• Higher layers support a wide range of protocols

Disadvantages:
• Filters can be evaded
• Unauthorized access to the system due to issues of covert channels
Micro-Segmentation

Micro-segmentation is a network technique to create distinct security zones in data centers and cloud environments to isolate workloads from one another and then define security controls to secure them individually.
Micro-Segmentation

Benefits of micro-segmentation:

• Reduce network attack surface: by limiting attackers' movement from one potentially compromised workload to another
• Improve breach containment: by blocking unsanctioned activities and drastically improving threat detection and response times with real-time alerts
• Strengthen regulatory compliance: by isolating segments that specifically store regulated data such as PII and PHI
• Achieve zero trust with micro-segmentation: by creating and enforcing granular policies
Software-Defined Networking (SDN)

• Software-Defined Networking (SDN) allows network administrators to programmatically initialize, control, change, and manage network behavior dynamically via open interfaces and abstraction of lower-level functionality.
• SDN aims at separating the infrastructure layer (i.e., hardware and hardware-based settings) from the control layer (i.e., network services of data transmission management).
Software-Defined Networking (SDN)

The SDN architecture is illustrated below:

Application Layer: business applications
  (APIs between the application layer and the control layer)
Control Layer: SDN control software providing network services
  (Control-Data Plane Interface, such as OpenFlow)
Infrastructure Layer: network devices
Software-Defined Networking (SDN)

The SDN architecture concept is given below:

Application Layer: applications running on physical or virtual hosts
  (Northbound APIs)
Control Layer: network controller
  (Southbound API)
Infrastructure Layer: programmable switches
Software-Defined Wide Area Network (SD-WAN)

• SD-WAN combines Software-Defined Networking (SDN) and a Wide-Area Network (WAN).
• SD-WAN simplifies the management and operation of a WAN by decoupling the networking hardware from its control mechanism.

Source: https://www.gartner.com/imagesrv/media-products/pdf/cisco/Cisco-1-5W2DWHZ.pdf
Software-Defined Wide Area Network (SD-WAN)

Characteristics

• The ability to support multiple connection types, such as MPLS, last-mile fiber-optic networks, or high-speed cellular networks, e.g., 4G LTE and 5G wireless technologies
• The ability to do dynamic path selection for load sharing and resiliency purposes
• The ability to easily configure and manage with the help of a simple interface
• The ability to support VPNs and third-party services such as WAN optimization controllers, firewalls, and web gateways
SD-WAN

Figure: An SD-WAN network joining a remote location, a retail store, headquarters, and a data center over a mix of MPLS, fibre, cable, DSL, and broadband links, with a cloud phone system.

Source: https://www.bboxservices.com/resources/blog/bbns/2019/05/24/what-is-sd-wan-and-why-is-it-so-important
Wireless Technologies

Wireless technology is the fastest-growing area of network connectivity.

The various types of wireless technologies are given below:

• Wireless Standards
• WLAN Operational Modes
• Spread-Spectrum Technologies
IEEE Wireless Standards and Spread-Spectrum Technologies

IEEE Wireless Standards:

• IEEE 802.11 refers to a family of specifications for WLANs developed by a working group of the IEEE.
• It also generically refers to the IEEE committee responsible for setting various wireless LAN standards.

Spread-Spectrum Technologies:

Spread spectrum uses a radio transmission mode that broadcasts signals over a range of frequencies.
IEEE Wireless Standards and Spread-Spectrum Technologies

The two different spread spectrum technologies for 2.4 GHz wireless LANs are:

• Frequency-Hopping Spread Spectrum (FHSS)
• Direct Sequence Spread Spectrum (DSSS)
Wireless Standards

Standard | Year Introduced | Band Frequency | Max Data Transfer | Modulation
802.11a | 1999 | 5 GHz | 54 Mbps | DSSS, FHSS
802.11b | 1999 | 2.4 GHz | 11 Mbps | OFDM
802.11g | 2003 | 2.4 GHz | 54 Mbps | DSSS
802.11n | 2009 | 2.4 & 5 GHz | 600 Mbps | OFDM
802.11ac | 2013 | 5 GHz | 1.3 Gbps | MIMO-OFDM
802.11ax | 2021 | 2.4, 5 GHz (Wi-Fi 6), 6 GHz (Wi-Fi 6E) | 10 Gbps | OFDMA, MU-MIMO
Cellular Network

A cellular network or mobile network is a radio network distributed over land areas called cells.

Each cell is served by at least one fixed-location transceiver known as a cell site or base station.

A cell uses a different set of frequencies from neighboring cells to avoid interference and provide guaranteed bandwidth within each cell.
Cellular Network

A topology of a cellular network is shown below:

Figure: Cellular network topology with a base station (B2), a relay station (R2), and a cell phone (m2).

Source: https://arxiv.org/pdf/1406.5258.pdf
Cellular Wireless Technologies

Generation | 1G | 2G | 3G | 4G | 5G
Launch | 1979 | 1991 | 2001 | 2009 | 2019
Technology | Analog | GSM | WCDMA | LTE, WiMAX | SDN
Switching | Circuit | Circuit, Packet | Packet | All Packet | All Packet
Data rate | 14.4 Kbps | 64 Kbps | 2 Mbps | 100-300 Mbps | 1-10 Gbps
Purpose | Voice calls | SMS, MMS | Video calls | HD video, web conferencing | IoT
Content Delivery Network (CDN)

A Content Delivery Network (CDN) is a large, geographically distributed network of specialized servers that
accelerate the delivery of web content and rich media to internet-connected devices.
Content Delivery Network (CDN)

Benefits of CDN:

Performance
• Shorter distance to users will not only reduce latency but also minimize packet loss, resulting in much better performance.

Availability
• Requests are always routed to the nearest available location.
• If one server is not available, requests are automatically sent to the next available server.
Content Delivery Network (CDN)

Benefits of CDN:

Security
• Most CDNs should protect content providers and users by mitigating against a wide array of attacks, including DDoS attacks and web-based exploits (SQL injection, cross-site scripting, and local or remote file-inclusion attacks).

Intelligence
• CDNs can also offer valuable analytical information to discover trends about end-user connectivity, device types, and browsing experiences across the globe.
• This data can give critical, actionable insights and intelligence into their user base.
Without CDN

• No matter where a user is based geographically, information must be requested from the origin server, which can be a great distance away from the user.
• This could severely impact the performance of the application.

Source: https://img-medianova.mncdn.com/wp-content/uploads/sites/8/2020/05/cdn3.png
With CDN

• When using a CDN, edge servers distribute static website data to visitors that are close to
their geographic region.
• The connection is fast because it’s between Internet nodes that are close together.
• This means fewer hops and a faster flow of data.

Source: https://img-medianova.mncdn.com/wp-content/uploads/sites/8/2020/05/cdn3.png
Secure Network Components
Root of Trust

Security starts with hardware and the creation of a Root of Trust (RoT) in each device.

The security of the applications depends on the layer below. Each layer has to trust the layer below.

Source: https://aws.amazon.com/blogs/iot/using-a-trusted-platform-module-for-endpoint-device-security-in-aws-iot-greengrass/
Root of Trust

The RoT is ideally based on a hardware-validated boot process to ensure the system can only be started using code from an immutable source.

The TPM is often used as the basis for a hardware Root of Trust, which contains the keys used for cryptographic functions and enables a secure boot process.

Source: https://aws.amazon.com/blogs/iot/using-a-trusted-platform-module-for-endpoint-device-security-in-aws-iot-greengrass/
List of Networking Devices

The different types of networking devices that coexist on the internetwork are:

Hubs and Repeaters
• Operate in the OSI physical layer
• Amplify the data signal to extend the length of a network segment

Bridges
• Operate in the OSI data link layer
• Amplify the data signals and make intelligent decisions as to where to forward the data
List of Networking Devices

Switches
• Operate in the data link layer, OSI layer 2, and the network layer, OSI layer 3
• Send the data packet only to the specific port where the destination MAC address is located

Routers
• Operate at the network layer, layer 3, of the OSI model
• Add more intelligence to the process of forwarding packets

Wireless Access Points
• Operate at the data link layer, OSI layer 2, and the network layer, layer 3
• Allow wireless devices to connect to a wired network using Wi-Fi, Bluetooth, or related standards
WAN Switching and Devices

Here are some of the devices related to WAN switching:

• Circuit-switched networks (example: telephone)
• Packet-switched networks (examples: Frame Relay and Voice over IP (VoIP))
• Router
• Multiplexer
• WAN switches
Transmission Media

Transmission media is used for transmitting data from a source to a destination.

Following are the classes and types of transmission media:

• Unshielded twisted pair
• Shielded twisted pair
• Coaxial cable
• Fiber-optic cable
Twisted Pair

Twisted pair consists of two insulated wires that are arranged in a regular spiral pattern.

Wires can be shielded (STP) or unshielded (UTP).

• Category 1: Used for telephone communications and not suitable for transmitting data
• Category 2: Specified in the EIA/TIA-586 standard to be capable of handling data rates of up to 4 million bits per second (Mbps)
• Category 3: Used in 10Base-T networks and specified to be capable of handling data rates of up to 10 Mbps
• Category 4: Used in Token Ring networks and able to transmit data at speeds of up to 16 Mbps
• Category 5: Consists of four twisted pairs in a single jacket
• Category 6: Backward compatible with Category 5 and 5e
• Category 7: More stringent than Category 6 cabling
Coaxial Cable

Coaxial cable consists of a hollow outer cylindrical conductor.

• It is expensive and resistant to Electromagnetic Interference (EMI).
• Two types of coaxial cables are currently used in LANs: 50-ohm cable and 75-ohm cable.
• Coax can come in two types for LANs: thinnet and thicknet.
• There are two common types of coaxial cable transmission methods: baseband and broadband.
Fiber-Optic Cable

Fiber-optic cable is a physical medium that can conduct modulated light transmission.

There are two types of light sources:

• Light-Emitting Diodes (LEDs)
• Diode lasers

There are two types of optical fibers:

• Multimode fiber
• Single-mode fiber

Fiber-optic cable has three basic physical elements:

• Core
• Cladding
• Jacket
Network Access Control (NAC) Devices

• Network Access Control (NAC) solutions ensure that only endpoint devices in compliance with security policy can access specific network resources.
• IEEE 802.1X is a standard for Port-based Network Access Control (PNAC) that defines how devices provide authentication to connect with other devices on Local Area Networks (LANs).
• Instead of network switches and access points, the authentication duties are performed by a specialized authentication server, like a RADIUS server.
• This allows devices to be managed and updated centrally, rather than distributed across multiple pieces of networking hardware.
802.1x NAC

• Supplicant: The client device (such as a laptop) that wants to be authenticated to the LAN or WLAN
• Authentication server: The trusted server that authenticates the supplicant, typically a RADIUS server
• Authenticator: The device that provides a data link between the supplicant and the authentication server and allows or blocks traffic between the two. Example: a wireless access point or an Ethernet switch

Figure: Supplicants (clients) connect to the switch (authenticator), which relays the authentication exchange to the authentication server.

Source: https://www.tp-link.com/us/configuration-guides/configuring_802_1x/?configurationId=18220
802.1x Architecture

Figure: Supplicants (computers and mobile devices) authenticate over EAP through authenticators (wired access switches and wireless LAN controllers) to the authentication server (policy service node), which consults identity sources such as Microsoft AD and Microsoft PKI. Non-supplicant devices such as printers are admitted through MAB (MAC Authentication Bypass).
Source: https://sudonull.com/post/31574-Configuring-8021X-on-Cisco-Switches-Using-Failover-NPS-Windows-RADIUS-with-AD
Endpoint Security

Endpoint security is the practice of securing endpoints of user devices such as desktops, laptops, and
mobile devices from cyberattacks.

Features:

• Centralized endpoint management platform
• Advanced anti-malware and antivirus protection
• Proactive web security to ensure safe browsing on the Internet
• Data classification and data loss prevention to prevent data exfiltration
• Integrated firewall to block hostile network attacks
• Email gateway to block phishing and social engineering attacks
• Insightful and actionable threat forensics to allow administrators to quickly isolate infected devices
• Insider threat protection to safeguard against unintentional or malicious actions
Endpoint Security

Evolution of endpoint management:

• 2011: Mobile Device Management (MDM), covering BYOD device management
• 2014: Enterprise Mobility Management (EMM), adding app management, managed configurations, email management, and secure content management
• 2018: Unified Endpoint Management (UEM), covering all business devices including IoT
Unified Endpoint Management

Unified Endpoint Management (UEM) is an approach to securing and controlling mobile devices, such as smartphones, tablets, and laptops, in a connected, cohesive manner from a single console.

Figure: UEM brings together network configuration management, application management, content management, security management, identity and access management, and BYOD containers.

Source: https://www.hexnode.com/blogs/what-is-unified-endpoint-management-uem/
Network Address Translation

Network Address Translation (NAT) converts a private IP address of the inside, trusted
network to a registered real IP address seen by the outside, untrusted network.

The Internet Assigned Numbers Authority (IANA) has reserved three blocks of
the IP address space for private Internet addresses:

• 10.0.0.0 through 10.255.255.255
• 172.16.0.0 through 172.31.255.255
• 192.168.0.0 through 192.168.255.255

Implement Secure Communication Channels According to Design
Voice over IP

Voice over IP (VoIP) is a category of hardware and software that enables people to use the Internet
as the transmission medium for telephone calls by sending voice data in packets using IP.

VoIP combines many types of data, such as voice, audio, and video, into a single IP packet.
Session Initiation Protocol (SIP)

Session Initiation Protocol (SIP) is an application layer protocol used for initiating, maintaining, and
terminating real-time sessions that include voice, video, and messaging applications.

Some of the risks of using SIP are:

• Denial of Service (DoS) attacks
• Vishing
• Viruses and malware
• Eavesdropping
• Spam over Internet Telephony (SPIT)

Firewall Architectures

The four types of firewall architectures are:

• Packet-Filtering Routers
• Screened-Host Firewalls
• Dual-Homed Host Firewalls
• Screened-Subnet Firewalls

Figure: Packet-filtering routers place a router between the Internet and the internal network; screened-host firewalls put a packet-filtering router in front of a screened server; dual-homed host firewalls sit between the Internet and the internal network; screened-subnet firewalls use packet-filtering routers on either side of an open subnet that holds the logging host, with the internal machines behind the inner router.

Packet Filtering Firewall

A packet filtering firewall examines the source and destination address of the incoming data packet. A packet-filtering router:

• Allows or denies access to specific applications or services based on access control lists
• Can be configured to allow access to only authorized application port or service numbers
• Operates at the Network Layer of the OSI model
Application-Level Gateway

An application-level gateway is usually a host computer that runs proxy server software.

• It controls the services a workstation uses on the Internet, and it aids in protecting the network from outsiders who may be trying to get information about the network's design.
• It inspects the packet up through the application layer and can make access decisions based on the content of the packets.
Circuit-Level Gateway

A circuit-level gateway creates a virtual circuit between the workstation client (destination) and the server (host).

• Works at the session layer of the OSI model and does not carry out deep-packet inspection
• Takes decisions based upon protocol header and session information

Example: Socket Secure (SOCKS) creates a circuit between the client and server without requiring knowledge about the internetworking service, i.e., it does not have any application-specific controls.
Stateful Inspection Firewall

A stateful inspection or dynamic packet filtering firewall intercepts the incoming packets at the network layer and uses an inspection engine to extract state-related information from upper layers.

• Low-protocol records are kept at the IP level.
• Packets are queued and analyzed at all OSI layers against the state table.
• By examining the state and context of the incoming data packets, connectionless protocols can be tracked easily.
Network Security Terms

Some important network security terms are given below:

DMZ: It is a buffer zone between an unprotected network and a protected network that allows for the monitoring and regulation of traffic between the two.

Bastion host: It is any computer fully exposed to attack by being on the public side of the DMZ, unprotected by a firewall or filtering router. Anything that provides perimeter access-control security is considered a bastion host. Examples are firewalls and routers, web, mail, DNS, and FTP servers.

Endpoint security: It is an information security concept which assumes that each device is responsible for its own security. It also includes the protection of a business's network from employee memory devices that may unknowingly contain malware.

Physical controls
Introduction to Remote Access

Remote access technologies can be defined as the data networking technologies that are uniquely focused on providing access to the remote user into a network.

Advantages of remote access technologies:

• Reduce networking costs
• Provide flexible work styles
• Build efficient ties
Virtual Private Network

A Virtual Private Network (VPN) is a private network that uses a public network (usually the Internet) to connect remote sites or users together.

Figure: VPN connections over the Internet join the head office, two regional offices, and remote/roaming users.

VPN Security

VPN security has the following components:

• Authentication: Ensuring that the data originates at the source that it claims
• Access control: Restricting unauthorized users from gaining admission to the network
• Confidentiality: Preventing anyone from reading or copying data as it travels across the internet
• Integrity: Ensuring that no one tampers with data as it travels across the internet
VPN Tunnel

• A VPN is the tunnel that connects the user to the VPN server.
• To keep each data packet secure, it gets wrapped in an outer packet which is encrypted, through a process known as encapsulation.
• This outer packet keeps the data secure during the transfer.
• At the VPN server, the outer packet is removed to access the data of the inner packet.

Figure: VPN tunnel. Packets are encrypted and encapsulated at the source, cross the tunnel, and are decrypted at the destination.
Types of VPN: Site-to-Site

Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet.

Figure: LAN - VPN gateway - Internet - VPN gateway - LAN, joined by a VPN tunnel between the two gateways.

Types of VPN: Host-to-Host

A host-to-host VPN is somewhat like a site-to-site VPN in concept, except that the endpoints of the tunnel are two individual hosts.

Figure: LAN - router - Internet - router - LAN, with the VPN tunnel running end to end between the two hosts.

Types of VPN: Host-to-Site

Host-to-site or remote-access VPNs allow remote users like telecommuters to securely access the corporate network wherever and whenever they need to.

Figure: Corporate LAN - VPN gateway - Internet - VPN gateway - home user / remote access VPN client, with the VPN tunnel between the corporate gateway and the client.
VPN Protocols

The following are the five VPN protocols, their advantages, and disadvantages:

PPTP
• Developed by Microsoft
• Fast, widely supported, easy to set up
• Many known security vulnerabilities

L2TP/IPSEC
• Developed by IETF to replace PPTP
• Combined with IPsec for security
• Requires more overhead (double encapsulation)
• Supports non-TCP/IP protocols
• Can be blocked by firewalls
• Possibly compromised by the NSA

SSTP
• Developed by Microsoft
• Not independently audited
• Can bypass most firewalls

IKEv2/IPSEC
• Based on the IPSec framework
• Jointly developed by Cisco and Microsoft
• Fast, stable, secure, and very easy to set up
• Supports a wide range of encryption protocols
• Useful for mobile devices

OpenVPN
• Open-source protocol
• Runs on UDP and TCP protocols
• Has a highly reliable OpenVPN TCP protocol
• Lower latency and faster speed for the OpenVPN UDP protocol
• Supports several encryption algorithms
• Relies upon third-party software to operate
VPN Protocols: A Comparison

Protocol | Speed | Encryption and Secure Browsing | Stability | Media Streaming | Compatible With
PPTP | FAST | POOR | MEDIUM | GOOD | Most OS and devices
L2TP/IPSEC | FAST | MEDIUM | GOOD | GOOD | Most OS and devices
SSTP | MEDIUM | GOOD | MEDIUM | MEDIUM | Windows
IKEv2/IPSec | FAST | GOOD | GOOD | GOOD | Most OS and devices
OpenVPN TCP | MEDIUM | GOOD | GOOD | MEDIUM | Most OS and devices
OpenVPN UDP | FAST | GOOD | MEDIUM | GOOD | Most OS and devices

VPN Protocols: Guidelines

• Choose OpenVPN when available, especially when the setup is handled by a third-party app.
• L2TP/IPSec is probably the most widely used alternative that offers decent security.
• SSTP is also a solid option for Windows users, assuming you trust proprietary tech from Microsoft.
• IKEv2 is a fast and secure alternative for the few devices that support it, particularly mobile devices.
• Only use PPTP as a last resort option.

Multimedia Collaboration

The various multimedia collaborations are mentioned below:

• Remote or Virtual Meetings
• Telecollaboration
• Instant Messaging
• Telepresence
Network Function Virtualization

• Network function virtualization (NFV) is a network architecture concept that uses virtualization to design, deploy, and manage networking services.
• NFV decouples network functions such as firewall management, intrusion detection, DNS, and NAT from proprietary hardware appliances and manages them as software in virtual machines (VMs).
Network Function Virtualization: Benefits

• Reduced CapEx and OpEx through reduced equipment costs and reduced power consumption
• Greater flexibility and accelerated time to market for new products and updates
• Reduced vendor lock-in
• Faster time to deployment
• Improved scalability and resource management
Network Attacks

The following are some of the types of network attacks:

DOS or DDOS: This attack is an attempt, on the part of the attacker, to incapacitate a target system or resource.

Teardrop: The attacker sends mangled packet fragments with overlapping and oversized payloads to a target system.

Ping of Death: The attacker sends a ping packet of length 65,535 bytes to the target system.

SYN Flood: It is a Denial-of-Service attack, where the attacker sends many SYN packets to the target system.

Sequence Number: An attacker attempts to hijack or disrupt an existing TCP session by injecting packets that pretend to originate from one of the two computers in the session.

Smurf: This attack consists of numerous forged ICMP echo requests.

DNS Poisoning: This is a computer hacking attack, where data is introduced into a Domain Name System (DNS) name server's cache database.
Network Attacks

The following are some of the types of network attacks:

Types Description

It is a tool or a collection of tools that an attacker can install on a compromised


Rootkit
computer.

Worm A worm is a type of malware that has the means for automatic self-replication.

Spam Spam greatly adds to the volume of email traffic on the Internet.

It is a type of spam where the contents of a message are designed to masquerade


Phishing
as a trustworthy organization.
Pharming is a hacker's attack intended to redirect a website's traffic to another,
Pharming
bogus site.
IP Spoofing Attacks This refers to the creation of Internet Protocol packets with a forged source IP address.
An attacker sends fake Address Resolution Protocol (ARP) messages onto a Local Area
ARP Poisoning
Network compromising the victim’s ARP tables.

Masquerading This is when one user pretends to be another user.
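The attack descriptions above each imply a traffic signature. The following is an added example (not part of the course material) that turns several of them into simple detection checks and runs them over a constructed set of packet summaries: half-open TCP handshakes per victim (SYN flood), fragments that reassemble past the IPv4 size limit (Ping of Death), overlapping fragment offsets (Teardrop), echo requests to a directed-broadcast address (Smurf), and one IP claimed by two MACs (ARP poisoning). The `Pkt` record, its field names, the sample addresses, and the thresholds are this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_IP_PAYLOAD = 65535 - 20  # largest IPv4 datagram minus the minimum header

@dataclass
class Pkt:
    """Minimal packet summary; the field names are this example's own."""
    src: str
    dst: str
    proto: str           # "tcp", "icmp" or "arp"
    flags: str = ""      # TCP flags as letters, e.g. "S", "SA", "A"
    icmp_type: int = -1  # 8 = echo request
    frag_off: int = 0    # IP fragment offset, in bytes
    data_len: int = 0    # payload bytes carried by this fragment
    arp_ip: str = ""     # ARP sender protocol address
    arp_mac: str = ""    # ARP sender hardware address

# Constructed sample traffic, not a real capture.
PACKETS = [
    # A legitimate three-way handshake: SYN, SYN-ACK, ACK.
    Pkt("10.0.0.5", "10.0.0.80", "tcp", flags="S"),
    Pkt("10.0.0.80", "10.0.0.5", "tcp", flags="SA"),
    Pkt("10.0.0.5", "10.0.0.80", "tcp", flags="A"),
    # SYN flood: six SYNs from spoofed sources that are never completed.
    *[Pkt(f"203.0.113.{i}", "10.0.0.80", "tcp", flags="S") for i in range(1, 7)],
    # Ping of Death: offset plus payload reaches past the IPv4 maximum.
    Pkt("198.51.100.7", "10.0.0.80", "icmp", icmp_type=8, frag_off=65120, data_len=1480),
    # Teardrop: the second fragment starts inside the first one.
    Pkt("198.51.100.9", "10.0.0.80", "icmp", icmp_type=8, frag_off=0, data_len=1480),
    Pkt("198.51.100.9", "10.0.0.80", "icmp", icmp_type=8, frag_off=1000, data_len=1480),
    # Smurf: echo request to the directed-broadcast address, source spoofed to the victim.
    Pkt("192.0.2.10", "10.0.0.255", "icmp", icmp_type=8, data_len=64),
    # ARP poisoning: the gateway's IP is claimed by a second MAC address.
    Pkt("", "", "arp", arp_ip="10.0.0.1", arp_mac="aa:aa:aa:aa:aa:01"),
    Pkt("", "", "arp", arp_ip="10.0.0.1", arp_mac="de:ad:be:ef:00:01"),
]

def half_open_per_target(pkts):
    """SYN flood indicator: handshakes that saw a SYN but never the client's ACK."""
    pending = set()
    for p in pkts:
        if p.proto != "tcp":
            continue
        key = (p.src, p.dst)
        if p.flags == "S":
            pending.add(key)
        elif "A" in p.flags and key in pending:
            pending.discard(key)
    counts = defaultdict(int)
    for _, dst in pending:
        counts[dst] += 1
    return dict(counts)

def syn_flood_targets(pkts, threshold=5):
    return {dst: n for dst, n in half_open_per_target(pkts).items() if n >= threshold}

def ping_of_death(pkts):
    """Fragments whose reassembled datagram would exceed the IPv4 size limit."""
    return [(p.src, p.dst) for p in pkts
            if p.proto == "icmp" and p.frag_off + p.data_len > MAX_IP_PAYLOAD]

def overlapping_fragments(pkts):
    """Teardrop indicator: fragments of one src/dst pair whose byte ranges overlap
    (a real reassembler also keys on the IP identification field)."""
    streams = defaultdict(list)
    for p in pkts:
        if p.proto == "icmp" and p.data_len:
            streams[(p.src, p.dst)].append(p)
    hits = []
    for key, frags in streams.items():
        frags.sort(key=lambda f: f.frag_off)
        if any(b.frag_off < a.frag_off + a.data_len for a, b in zip(frags, frags[1:])):
            hits.append(key)
    return hits

def smurf_requests(pkts, local_net="10.0.0.0/24"):
    """Smurf indicator: echo requests aimed at the local directed-broadcast address;
    the spoofed source address is the intended victim."""
    bcast = ip_network(local_net).broadcast_address
    return [(p.src, p.dst) for p in pkts
            if p.proto == "icmp" and p.icmp_type == 8 and ip_address(p.dst) == bcast]

def arp_conflicts(pkts):
    """ARP poisoning indicator: one IP address claimed by more than one MAC."""
    claims = defaultdict(set)
    for p in pkts:
        if p.proto == "arp":
            claims[p.arp_ip].add(p.arp_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def run_all(pkts=PACKETS):
    return {"syn_flood": syn_flood_targets(pkts), "ping_of_death": ping_of_death(pkts),
            "teardrop": overlapping_fragments(pkts), "smurf": smurf_requests(pkts),
            "arp_poisoning": arp_conflicts(pkts)}

if __name__ == "__main__":
    for name, finding in run_all().items():
        print(f"{name}: {finding}")
```

The legitimate handshake leaves no half-open entry behind, so only the six spoofed SYNs count against the victim; in practice the SYN threshold is set per interval rather than over a whole capture, and the Smurf check belongs on the amplifier network's border router, which should also drop directed-broadcast traffic outright.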


Network Attacks: Countermeasures

Some countermeasures for network attacks are:

• Implementing access control lists
• Firewalls
• Intrusion detection system (IDS)
• Intrusion prevention system (IPS)
• Protection of network cabling
• Antivirus software
• Private (RFC 1918) addressing behind NAT, so internal hosts are not directly reachable from the Internet
• Closing unnecessary ports and services
• Timely application of security patches
• Unified threat management (UTM)
• Gateways
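Access control lists and closing unnecessary ports only work if the list is ordered correctly and ends in an implicit deny. The following added example (not from the course material) evaluates a first-match ACL the way a router or host firewall does, contrasts a weak rule set that permits everything before it denies telnet with a hardened one that permits only HTTPS and LAN-side SSH, and flags shadowed rules that can never fire. The `Rule` format, the addresses and the two rule sets are this example's own assumptions, not any vendor's syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    dport: Optional[int] = None  # destination port; None means any

def rule_matches(rule, proto, src, dst, dport):
    if rule.proto not in ("any", proto):
        return False
    if ip_address(src) not in ip_network(rule.src):
        return False
    if ip_address(dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == dport

def evaluate(acl, proto, src, dst, dport=None):
    """First matching rule wins; falling off the end is the implicit deny."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action, index
    return "deny", None

def covers(a, b):
    """True when every packet matching rule b would already match rule a."""
    return (a.proto in ("any", b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and (a.dport is None or a.dport == b.dport))

def shadowed_rules(acl):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:i])]

# Constructed rule sets. The weak one opens everything first, so its telnet
# deny is unreachable; the hardened one permits only what is needed and lets
# everything else fall through to the implicit deny.
WEAK_ACL = [
    Rule("permit", "any", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("deny", "tcp", "0.0.0.0/0", "10.0.0.0/24", 23),
]
HARDENED_ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.80/32", 443),   # HTTPS from anywhere
    Rule("permit", "tcp", "10.0.0.0/24", "10.0.0.80/32", 22),  # SSH from the LAN only
]

if __name__ == "__main__":
    flows = [("tcp", "198.51.100.7", "10.0.0.80", 23),
             ("tcp", "198.51.100.7", "10.0.0.80", 443),
             ("tcp", "10.0.0.5", "10.0.0.80", 22),
             ("tcp", "198.51.100.7", "10.0.0.80", 22)]
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, "shadowed rules:", shadowed_rules(acl))
        for flow in flows:
            print(" ", flow, "->", evaluate(acl, *flow))
```

The shadowed-rule check is the part worth keeping in a change-review pipeline: a permit that precedes a more specific deny is a common way for a "closed" port to stay open without anyone noticing.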
Key Takeaways

The Communications and Network Security domain involves developing a secure network architecture and design, securing network components, and securing communication channels.

Security can be addressed more efficiently using the layered approach.

A network communication model, such as the OSI model, provides a conceptual framework for communication between computers.

The use of proper countermeasures provides confidentiality, integrity, availability, and authentication for transmissions over private and public communication networks.
This concludes Communications and Network Security.
The next domain is Identity and Access Management (IAM).
