CISSP Domain 4
Domain 4 of this certification exam covers Communication and Network Security, and here we discuss some important concepts you will need to know to pass the CISSP exam.
Software-defined networking (SDN) is an approach to IT infrastructure that abstracts networking resources into a virtualized system. SDN separates network forwarding functions from network control functions with the goal of creating a network that is centrally manageable and programmable.
The primary function of SDN is to address the architecture of a traditional, complex, decentralized network. Current networks require more flexibility and quick troubleshooting.
It’s important to know about the control plane and the data plane to understand how SDN works.
- Control plane: the functions and processes that determine which path data packets should take through the network.
- Data plane: the set of functions and processes that forward packets from one interface to another.
The role of SDN is to centralize the network by decoupling the data plane and control plane. This helps to program and control the entire network through a centralized system.
Wi-Fi is a wireless networking protocol that devices use to communicate without direct cable connections. It’s an industry term that represents a type of wireless local area network (LAN) protocol based on the 802.11 IEEE network standard.
| Year | Generation | 802.11 Protocol | Modulation | Frequency | Data Stream Rate |
| --- | --- | --- | --- | --- | --- |
| 1999 | First Generation | a | OFDM | 5 GHz | Up to 54 Mbps |
| 1999 | Second Generation | b | DSSS | 2.4 GHz | Up to 11 Mbps |
| 2003 | Third Generation | g | OFDM | 2.4 GHz | Up to 54 Mbps |
| 2009 | Fourth Generation | n | OFDM | 2.4 – 5 GHz | Up to 600 Mbps |
| 2014 | Fifth Generation | ac | QAM | 5 GHz | Up to 3466 Mbps |
| 2019 | Sixth Generation | ax | – | 2.4, 5 and 6 GHz | 600 to 9608 Mbps |
Wireless Security Standards
WEP is a security option that uses the RC4 cipher algorithm to encrypt every frame so that eavesdroppers can’t read the contents.
- 802.11a and 802.11b
- 64-bit to 256-bit keys with a weak stream cipher
- Deprecated in 2004 in favor of WPA and WPA2; avoid it
- WEP supports two Wi-Fi security authentication modes:
  - Open Authentication: the wireless client doesn’t provide any credentials and only uses WEP encryption to encrypt data frames.
  - Shared Key Authentication: the WEP key is used for both authentication and encryption.
WPA: this wireless security standard uses Temporal Key Integrity Protocol (TKIP), which recycled some items from WEP and still uses the RC4 algorithm. TKIP uses 256-bit keys instead of the 64- and 128-bit keys in WEP.
- 128-bit per-packet key
- Pre-shared key (PSK) with TKIP for encryption
- Vulnerable to password cracking via packet spoofing on the network
- Message Integrity Check (MIC) is a feature of WPA that helps prevent MITM attacks
- WPA Enterprise uses certificate authentication or an authentication server such as RADIUS
WPA2: the most significant upgrade in WPA2 is that it uses AES-CCMP encryption instead of the old RC4 encryption. For backward compatibility, you can still use TKIP as a fallback mechanism for WPA clients. It also introduced Wi-Fi Protected Setup (WPS). If you want to connect to a network that uses a pre-shared key, you need to know the SSID and the pre-shared key.
WPA3: still uses AES but replaced CCMP with the Galois/Counter Mode Protocol (GCMP). The key length for AES has increased.
Another new feature of WPA3 is Simultaneous Authentication of Equals (SAE). Instead of the four-way handshake authentication, SAE improves the security of the initial key exchange and offers better protection against offline dictionary attacks.
WPA3 uses either of these two Wi-Fi security modes:
- WPA3-Personal: offers 128-bit encryption and uses a WPA-PSK/pre-shared key.
- WPA3-Enterprise: offers 192-bit encryption and uses an AAA/RADIUS authentication server.
Bluetooth is a wireless technology that uses a radio frequency to share data over a short distance, eliminating the need for wires. The simplicity of its technology leads to several flaws, which is why Bluetooth can’t be called a very secure standard. Bluetooth uses FHSS; its implementation is named AFH. The cipher used is named E0. It can use a key of up to 128 bits, but it has a major problem: the key length doesn’t improve security, as some attacks have shown that it can be cracked as if the key were only 32 bits long. Bluetooth attacks to know about:
- Bluebugging: infecting a device so that the attacker can listen in.
- Bluejacking: sending unsolicited messages via Bluetooth.
- Bluesnarfing: unauthorized access to information on a device over a Bluetooth connection.
Network port scanning is a common method used by hackers to determine which ports on a network are open and could be receiving or sending data. It is also a process for sending packets to specific ports on a host and analyzing the responses to identify vulnerabilities. A port scanner is an application designed for such reconnaissance: it finds these vulnerabilities on a system and identifies the network services running on a host so that vulnerabilities can be exploited.
A port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. This process in and of itself is not nefarious.
A port sweep is the process of checking one port on multiple targets. The result of a port scan falls into one of the three following categories:
- Open, Accepted: the host sent a reply indicating that a service is listening on the port.
- Closed, Denied, Not Listening: the host sent a reply indicating that connections to the port will be denied.
- Filtered, Dropped, Blocked: there was no reply from the host.
TCP and UDP are generally the protocols used in port scanning. The most commonly used method of TCP scanning is the SYN scan. This involves creating a partial connection to the host on the target port by sending a SYN packet and then evaluating the response from the host. If the request packet is not filtered or blocked by a firewall, the host will reply with a SYN/ACK packet if the port is open or a RST packet if the port is closed.
Different scanning methods:
- TCP scanning, or connect scan, checks whether a port is open by trying to open a complete connection. It’s slow but doesn’t require root or admin rights.
- SYN scanning is a mode that needs root or admin rights because the scanner forges its own packets; this scan doesn’t use the OS’s full network stack. The scanner sends a SYN packet and the target replies with a SYN/ACK if the port is open. The scanner then replies directly with a RST packet, closing the connection before the end of the three-way handshake. If the port is closed, the target replies with a RST. To recap:
  - Scanner sends SYN to target
  - Target replies SYN/ACK to scanner
  - Scanner closes with RST
  - Target confirms close with RST
- UDP scanning has no session (connectionless). A target that receives a packet on a UDP port doesn’t need to reply: a syslog port (UDP 514) just receives logs and sends nothing back. Some applications like TFTP may reply if the server receives a packet.
- ACK scanning is used to check whether there is a firewall between the scanner and the target. A stateful firewall will block this scan, while a TCP connect scan should be accepted if the traffic is allowed.
- FIN scanning aims to bypass firewalls that are waiting for a SYN. If the target’s port is closed, the target replies with a RST; if it is open, it typically doesn’t reply at all.
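From the defender's side, the scan and sweep definitions above translate directly into a detection rule: one source touching many ports on one host is a scan, one source touching the same port on many hosts is a sweep. The following Python is an added example (not code from the original notes); the firewall log format, the addresses and the thresholds are assumptions made for the example, and the sample log lines are constructed.

```python
"""Added example, not from the original notes: flag port scans and port
sweeps in firewall log lines. The log format, addresses and thresholds are
assumptions made for the example."""
from collections import defaultdict

# Constructed sample log (not real traffic). Assumed line format:
# "<time> <action> src=<ip> dst=<ip> dport=<port> flags=<tcp flags>"
SAMPLE_LOG = """\
10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 dport=21 flags=S
10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 dport=22 flags=S
10:00:01 ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=80 flags=S
10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 dport=443 flags=S
10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 dport=3389 flags=S
10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 dport=8080 flags=S
10:00:03 DROP src=198.51.100.7 dst=192.0.2.11 dport=445 flags=S
10:00:03 DROP src=198.51.100.7 dst=192.0.2.12 dport=445 flags=S
10:00:03 DROP src=198.51.100.7 dst=192.0.2.13 dport=445 flags=S
10:00:04 DROP src=198.51.100.7 dst=192.0.2.14 dport=445 flags=S
10:00:04 DROP src=198.51.100.7 dst=192.0.2.15 dport=445 flags=S
10:00:05 ACCEPT src=192.0.2.50 dst=192.0.2.10 dport=443 flags=S
10:00:06 ACCEPT src=192.0.2.50 dst=192.0.2.10 dport=443 flags=S
"""


def parse_line(line):
    """Return (src, dst, dport) for one log line, or None if it is malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split()[2:] if "=" in tok)
    try:
        return fields["src"], fields["dst"], int(fields["dport"])
    except (KeyError, ValueError):
        return None


def detect(log_text, scan_ports=5, sweep_hosts=5):
    """Classify sources.
    scan : one source probes >= scan_ports distinct ports on a single host
    sweep: one source probes the same port on >= sweep_hosts distinct hosts
    Returns {src: (kind, target_or_port, sorted list of ports or hosts)}."""
    ports_per_pair = defaultdict(set)   # (src, dst)   -> {dport, ...}
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst, ...}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        ports_per_pair[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
    findings = {}
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_ports:
            findings[src] = ("scan", dst, sorted(ports))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= sweep_hosts:
            findings[src] = ("sweep", dport, sorted(hosts))
    return findings


if __name__ == "__main__":
    for src, (kind, target, items) in detect(SAMPLE_LOG).items():
        print(f"{src}: {kind} against {target} -> {items}")
```

Note that both DROP and ACCEPT lines are counted: a scanner that finds one open port among many closed ones still shows the pattern. A production detector would additionally bound the counts by a time window and whitelist known vulnerability scanners, which this example omits.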
Types of Ports
- Ports 0 to 1023 are system ports, or well-known ports.
- Ports 1024 to 49151 are registered ports, or user ports.
- Ports 49152 to 65535 are dynamic ports.
- Ports are assigned by IANA but do not require escalated system privileges to be used.
A DDoS attack is one in which an attacker aims to overload the resources of a targeted system, usually by sending a flood of requests for data packets well above its processing capabilities. Such an attack is often the result of multiple compromised systems, like a botnet.
SYN flood attacks are a type of DDoS attack in which the attacker sends TCP connection requests to the target without completing the TCP three-way handshake. The attack attempts to exhaust the destination’s SYN queue or the server’s bandwidth, and it can come from a single source or from multiple sources.
Smurf attacks are another type of DDoS attack in which the attacker spoofs the IP of the target and sends a large number of ICMP packets to a broadcast address. By default, the network devices reply to the spoofed ICMP packets, overloading the target with ICMP replies. This is an older attack that is no longer as big of a threat.
Fraggle attacks are basically Smurf attacks using UDP.
Teardrop attacks are DDoS attacks that exploit a bug in TCP/IP fragmentation reassembly by sending a large number of fragmented TCP packets with overlapping payloads. They can crash the TCP stack of a remote OS. It’s not necessarily a distributed attack, and it’s an older attack that is no longer as big of a threat.
Land attack: caused by sending a packet that has the same source and destination address.
Pharming is a DNS attack that tries to send a lot of bad entries to a DNS server. If a bad record, one that is under attack, is requested by a user, the DNS server may think the attacker’s packets are in fact a reply to the user’s request.
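The SYN flood and Land attack descriptions above both come down to checks a monitoring point can run on TCP headers: how many handshakes a server has started but not finished, and whether a packet's source equals its destination. The following Python is an added example (not code from the original notes); the packet record shape, the addresses and the threshold are assumptions made for the example, and the packets are constructed.

```python
"""Added example, not from the original notes: detect SYN-flood style
half-open connections and Land packets in a list of TCP packet records.
The record shape, addresses and threshold are assumptions for the example."""
from collections import defaultdict

# Constructed packet records (src_ip, dst_ip, dst_port, flags); not real traffic.
# Flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST.
SAMPLE_PACKETS = [
    # a normal client completing the three-way handshake
    ("192.0.2.50", "192.0.2.10", 443, "S"),
    ("192.0.2.10", "192.0.2.50", 443, "SA"),
    ("192.0.2.50", "192.0.2.10", 443, "A"),
    # a Land packet: source and destination address are the same
    ("192.0.2.10", "192.0.2.10", 80, "S"),
]
# one source opening 50 handshakes to the server and never finishing them
SAMPLE_PACKETS += [("203.0.113.9", "192.0.2.10", 80, "S")] * 50
SAMPLE_PACKETS += [("192.0.2.10", "203.0.113.9", 80, "SA")] * 50


def is_land_packet(pkt):
    """Land attack: a packet whose source and destination address match."""
    src, dst, _, _ = pkt
    return src == dst


def land_packets(packets):
    return [p for p in packets if is_land_packet(p)]


def _half_open(packets, key_index):
    """SYNs minus handshake-completing ACKs, keyed by packet field key_index
    (0 = source address, 1 = destination address)."""
    syns, acks = defaultdict(int), defaultdict(int)
    for pkt in packets:
        key, flags = pkt[key_index], pkt[3]
        if flags == "S":
            syns[key] += 1
        elif flags == "A":
            acks[key] += 1
    return {k: syns[k] - acks[k] for k in syns}


def half_open_by_destination(packets):
    """Half-open handshakes per server. This approximates the fill level of
    the server's SYN queue, which is what a SYN flood tries to exhaust, and
    it still works when the flood uses spoofed source addresses."""
    return _half_open(packets, 1)


def half_open_by_source(packets):
    """Half-open handshakes per client. Useful when a single real source is
    responsible; a spoofed flood spreads the count across fake sources."""
    return _half_open(packets, 0)


def syn_flood_suspects(packets, threshold=20):
    """Sources with at least `threshold` half-open handshakes outstanding."""
    return sorted(s for s, n in half_open_by_source(packets).items() if n >= threshold)


if __name__ == "__main__":
    print("land packets:", land_packets(SAMPLE_PACKETS))
    print("half-open per server:", half_open_by_destination(SAMPLE_PACKETS))
    print("flood suspects:", syn_flood_suspects(SAMPLE_PACKETS))
```

The per-destination count is the one to alert on for capacity: a server whose half-open count keeps climbing is under SYN pressure regardless of where the SYNs claim to come from. The per-source count is only a useful attribution signal when the flood is not spoofed.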
Firewall Generations
- 1st generation firewalls are referred to as packet filter firewalls; they allow or block packets based on header fields without inspecting the payload. The static packet filtering firewall examines each packet based on the following criteria:
  - Source IP address
  - Destination IP address
  - TCP/UDP source port
  - TCP/UDP destination port
- 2nd generation firewalls are referred to as proxy or application-level firewalls. These are stateful filters that can read L4 (TCP/UDP or other) to maintain a session table. The firewall allows packets from both directions of the session until the FIN/ACK.
- 3rd generation firewalls are also application-layer firewalls that work at, you guessed it, the application layer. Packets that don’t fall in line are dropped. They also track the content of packets to verify the integrity of data transmission: they use state tables to enumerate the data being sent, and flag values then allow authentic packets to be paired with their appropriate sessions while spoofed packets are filtered out.
- 4th generation firewalls, called dynamic packet filters, guard against incoming traffic by developing ACLs for new sessions. Firewalls using this scheme work on the network layer to enable connections through particular ports.
- 5th generation firewalls are local and check everything at the OS level.
- NGFW (Next Generation Firewalls) go to the next level: they include deep packet inspection and often bundle multiple services such as IPS and IDS.
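The practical difference between the 1st and 2nd generations is what happens to the reply half of a connection: a static filter judges the returning SYN/ACK on its own headers and, with an inside-to-outside rule only, drops it, while a stateful filter remembers the session it admitted and lets the reply through until the FIN/ACK or RST. The following Python is an added example (not code from the original notes); the rule format, the packet dictionary shape and the addresses are assumptions made for the example.

```python
"""Added example, not from the original notes: a first-generation static packet
filter beside a second-generation stateful filter. Rule format, packet shape
and addresses are assumptions made for the example."""
import ipaddress

# Constructed rule set: first match wins, default deny.
# Fields: (action, proto, src, dst, sport, dport); "*" matches anything.
RULES = [
    ("allow", "tcp", "192.0.2.0/24", "*", "*", 443),   # inside -> anywhere on HTTPS
    ("deny",  "*",   "*",            "*", "*", "*"),
]


def _match(field, value):
    """Match one rule field: wildcard, CIDR network, or exact value."""
    if field == "*":
        return True
    if isinstance(field, str) and "/" in field:
        return ipaddress.ip_address(value) in ipaddress.ip_network(field)
    return field == value


def static_filter(pkt, rules=RULES):
    """1st generation: judge every packet by its header fields alone."""
    values = (pkt["proto"], pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
    for action, *fields in rules:
        if all(_match(f, v) for f, v in zip(fields, values)):
            return action
    return "deny"


class StatefulFilter:
    """2nd generation: remember sessions the rules admitted and allow their
    return traffic until the session closes (FIN/ACK or RST)."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.sessions = set()   # (src, sport, dst, dport) of admitted flows

    def decide(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.sessions or reverse in self.sessions:
            if pkt.get("flags") in ("FA", "R"):       # session teardown
                self.sessions.discard(key)
                self.sessions.discard(reverse)
            return "allow"
        # only a SYN that the static rules admit opens a new session entry
        if pkt.get("flags") == "S" and static_filter(pkt, self.rules) == "allow":
            self.sessions.add(key)
            return "allow"
        return "deny"


def demo():
    """Constructed packets: an outbound HTTPS handshake and an unsolicited inbound SYN/ACK."""
    syn = {"proto": "tcp", "src": "192.0.2.5", "dst": "198.51.100.1",
           "sport": 50000, "dport": 443, "flags": "S"}
    synack = {"proto": "tcp", "src": "198.51.100.1", "dst": "192.0.2.5",
              "sport": 443, "dport": 50000, "flags": "SA"}
    stray = {"proto": "tcp", "src": "198.51.100.1", "dst": "192.0.2.5",
             "sport": 443, "dport": 50001, "flags": "SA"}
    fw = StatefulFilter()
    return {
        "static_syn": static_filter(syn),
        "static_synack": static_filter(synack),   # stateless filter drops the reply
        "stateful_syn": fw.decide(syn),
        "stateful_synack": fw.decide(synack),      # stateful filter knows the session
        "stateful_stray": fw.decide(stray),        # unsolicited packet is still denied
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

To make the reply work on the static filter you would have to add an inbound rule allowing source port 443 to any inside host and port, which is exactly the hole that ACK scans (described earlier) probe for; the stateful filter admits only the reverse of a session it has seen open.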
Intrusion Detection Systems are devices or software that monitor network traffic and scan the network or the behavior of a system to detect malware or forbidden activities. Most IDS solutions simply monitor and report suspicious activity and traffic when they detect an anomaly. However, some go a step further by taking action when they detect anomalous activity, such as blocking malicious or suspicious traffic. There are different types of IDS setups:
- Network-based: Network Intrusion Detection Systems (NIDS) are placed at strategic points within the network to monitor traffic to and from all devices on the network. A NIDS analyzes passing traffic on the entire subnet and matches it against a library of known attacks. Once an attack is identified or abnormal behavior is sensed, alerts can be sent.
- Host-based: Host Intrusion Detection Systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets of that device only and alerts if suspicious activity is detected.
- Protocol-based IDS (PIDS): organizations set up a Protocol-based Intrusion Detection System at the front end of a server. It interprets the protocol between the server and the user; for example, a PIDS monitors the HTTP/HTTPS traffic of a web server to secure it.
- Application Protocol-based IDS (APIDS): where a PIDS sits at the front end of a server, an APIDS is set up within a group of servers. It interprets communication with the applications within the servers to detect intrusions.
IDS can use different detection methods, and it’s not uncommon to see both of the following methods used together:
- Signature-based IDS refers to the detection of attacks by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware. This terminology originates from anti-virus software, which refers to these detected patterns as signatures. Signature-based IDS suffer from the same downfall as signature-based anti-virus solutions: they can only detect known attacks and fail to detect new attacks for which no pattern is yet available.
- Anomaly-based intrusion detection systems help solve the major issue with signature-based IDS and can be used to detect unknown attacks. The basic approach is to use machine learning to create a model of trustworthy activity and then compare new behavior against this model. Although this approach enables the detection of previously unknown attacks, it may suffer from false positives. False positives are time-consuming during the detection process and degrade the performance of the IDS.
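The two detection methods are easiest to compare side by side on the same input: a signature engine catches exactly the patterns it has been given and nothing else, while an anomaly engine compares observed behaviour with a baseline and catches a burst it has never seen a pattern for, at the cost of possible false positives. The following Python is an added example (not code from the original notes); the signatures, the access log format, the baseline and the threshold are assumptions made for the example, the log lines are constructed, and a simple mean-plus-k-standard-deviations baseline stands in for the learned model the notes mention.

```python
"""Added example, not from the original notes: a signature matcher and a
simple statistical anomaly detector run over constructed web access log
lines. Signatures, log format, baseline and threshold are assumptions."""
import re
import statistics
from collections import Counter

# Constructed signatures (pattern name -> regex over the request path).
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli_tautology": re.compile(r"(?i)'\s*or\s*'?1'?\s*=\s*'?1"),
}

# Constructed access log lines "<client ip> <minute> <request path>"; not real data.
SAMPLE_LOG = (
    ["192.0.2.50 10:00 /index.html"] * 5
    + ["192.0.2.51 10:01 /about.html"] * 5
    + ["203.0.113.5 10:01 /download?file=../../etc/passwd"]
    + ["203.0.113.5 10:02 /login?user=admin' OR '1'='1"]
    + ["192.0.2.52 10:02 /news.html"] * 4
    # a burst with no known pattern in it: invisible to the signatures
    + [f"198.51.100.9 10:03 /api/v1/export?id={i}" for i in range(30)]
)

# Constructed baseline: requests per minute observed during a known-good period.
# In a real anomaly-based IDS a learned model of normal activity stands here.
BASELINE = [4, 5, 6, 5, 4, 5, 6, 5, 4, 6]


def parse(line):
    """Split a log line into (ip, minute, path); the path may contain spaces."""
    ip, minute, path = line.split(" ", 2)
    return ip, minute, path


def signature_hits(lines):
    """Signature-based detection: every line matching a known pattern."""
    hits = []
    for line in lines:
        ip, minute, path = parse(line)
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                hits.append((name, ip, minute))
    return hits


def requests_per_minute(lines):
    return Counter(parse(line)[1] for line in lines)


def anomaly_threshold(baseline=BASELINE, k=3.0):
    """Alert level: baseline mean plus k standard deviations."""
    return statistics.mean(baseline) + k * statistics.stdev(baseline)


def anomaly_minutes(lines, baseline=BASELINE, k=3.0):
    """Anomaly-based detection: minutes whose request count exceeds the threshold."""
    threshold = anomaly_threshold(baseline, k)
    return sorted(m for m, n in requests_per_minute(lines).items() if n > threshold)


if __name__ == "__main__":
    print("signature hits:", signature_hits(SAMPLE_LOG))
    print("requests per minute:", dict(requests_per_minute(SAMPLE_LOG)))
    print("anomalous minutes:", anomaly_minutes(SAMPLE_LOG))
```

The 10:03 burst carries no traversal or SQL-injection pattern, so the signature engine reports nothing for it, while the rate baseline flags the minute. Lowering `k` makes the anomaly detector more sensitive and correspondingly more prone to the false positives the notes warn about; a legitimate traffic spike at 10:03 would be flagged just the same.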
VoIP Attacks
- SPIT (Spam Over IP Technology) is like spam but with VoIP. Also known as “robocalls,” these calls or voicemails carry potential risks, such as viruses and malware.
- Caller ID falsification.
- Packet sniffing was originally developed to examine the quality of telephone lines carrying internet data and to observe packet data flowing across a network. However, cybercriminals soon discovered how to manipulate the technology to carry out attacks on small and medium-sized businesses. Today, packet sniffing is one of the most common VoIP attacks and enables attackers to record and steal unencrypted information in voice data packets while in transit.
- Vishing is trying to scam a user using VoIP. The scammer uses a caller ID that appears to come from a legitimate source, with the intent of convincing the recipient to provide sensitive information such as passwords, internet/IP network details, or bank details.
- Phreaking is a portmanteau of the words “phone” and “freak,” and refers to the use of audio frequencies to manipulate phone systems. It is a type of fraud where cybercriminals infiltrate your VoIP system to change call plans, add account credits, and make long-distance calls while passing all the costs onto your account. Additionally, phreaking aims to steal billing information, access voice mail, and reconfigure call routing strategies.
- Remote dialing (hoteling) is a vulnerability of a PBX system that allows an external entity to piggyback onto the PBX system and make long-distance calls without being charged for tolls.
Ethernet Standards
10 Base – T: 10 stands for the maximum speed of the cable, which for this cable is 10 Mbps. Base stands for baseband transmission. T stands for twisted pair cabling.
10 Base – 2: Also referred to as Thin Ethernet, a version of Ethernet that uses coaxial cable instead of twisted pair cabling. Again this has a maximum speed of 10 Mbps using baseband transmission. It also has a maximum length of 200 meters.
100 Base – T: Known as Fast Ethernet. Has a speed of 100 Mbps. Uses Cat. 5 UTP cable or higher. The maximum length is 100 meters.
100 Base – FX: Uses fiber optic cable to deliver a speed of 100 Mbps. Has two different modes with two different maximum lengths: half-duplex mode allows a maximum length of 400 meters, while full-duplex mode allows 2 kilometers.
1000 Base – T: Speed of 1000 Mbps using Cat. 5 UTP cabling or higher, with a maximum length of 100 meters.
1000 Base – TX: Similar to 1000 Base – T, the difference being in how they are set up. 1000 Base – TX uses 2 unidirectional pairs of wires for communication, whereas 1000 Base – T uses 4 bidirectional pairs of wires. It was supposed to be easier to set up, but it never caught on and is known as a failure in commercial implementation.
10G Base – T: Speed of 10,000 Mbps. Uses both shielded and unshielded twisted pair cabling. It has a maximum distance of 55 meters when using Cat. 6 cabling or 100 meters when using Cat. 6a cabling.
10G Base – SR: SR stands for short range. This is a commonly used multimode fiber specification. It has a maximum length of 300 meters.
10G Base – ER: ER stands for extended reach. This has a range of 40 kilometers using single-mode fiber optics.
10G Base – SW: Similar to 10G Base – SR but specifically used to operate over SONET (synchronous optical networks).
| Line | Speed | Medium |
| --- | --- | --- |
| T1 | 1.544 Mbps | 2 pair of shielded copper wire |
| E1 | 2.084 Mbps | 2 pair of shielded copper wire |