Networking and Security concepts are critical to assessing security policy in networked and cloud environments.


To make it possible for people to search concepts, the slide outline is posted below.

Networking and Communications Security – Network Architecture Design Principles
CISSP Study Notes –
prepared by Robin Basham, CISSP, CISA, CRISC, CGEIT, CRP, VRP
Data Sources
All slides summarize information located directly in the study sources for the CISSP, Cisco, or Windows-certified online TechNet training; the majority is summarized directly from those sources.
Remember the ISO Open System Interconnect OSI REFERENCE Model
OSI Conceptually explains movement of information
Process of moving information down the stack and up the stack
Each layer communicates with the corresponding layer just below in the stack.
Data encapsulation is the process in which information from one packet is wrapped around or attached to the data of another packet. 
OSI Layers - Encapsulation appends a header and footer (trailer) across the 7 layers
Protocols = the data "language" managed and generated at each layer
Application: HTTP, FTP, LPD, SMTP, Telnet, TFTP, EDI, POP3, IMAP, SNMP, NNTP, S-RPC, and SET
Presentation: Encryption protocols and format types, such as ASCII, EBCDIC, TIFF, JPEG, MPEG, and MIDI
Session: NFS, SQL, and RPC
Transport: SPX, SSL, TLS, TCP, and UDP
Physical: EIA/TIA-232, EIA/TIA-449, X.21, HSSI, SONET, V.24, and V.35
How do we hand off and what do we peel off?
Encapsulation appends a header and footer (trailer) across the 7 layers
OSI is the conceptual model, however, TCP/IP is the implementation model. 
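To make "hand off" and "peel off" concrete, here is an added example (not from the slides) that wraps application data in a TCP header, an IPv4 header and an Ethernet frame, then unwraps it layer by layer, validating the IPv4 header checksum on the way up; the addresses, MACs and payload are constructed for the example.

```python
"""Encapsulation down the stack and decapsulation back up (added example).

Application data is wrapped in a TCP header (layer 4), then an IPv4 header
(layer 3), then an Ethernet frame (layer 2); the receiver peels each layer
off in reverse and checks the IPv4 header checksum on the way. Addresses and
payload are constructed; nothing is sent on the wire.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def tcp_header(src_port: int, dst_port: int, flags: int = 0x18) -> bytes:
    # seq=1, ack=1, data offset 5 words, PSH+ACK by default, window, csum, urg
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4,
                       flags, 65535, 0, 0)


def ip_header(src_ip: str, dst_ip: str, payload_len: int) -> bytes:
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, addrs
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      64, PROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def encapsulate(app_data: bytes, src_ip: str, dst_ip: str, src_port: int,
                dst_port: int, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Walk down the stack: each layer prepends its own header."""
    segment = tcp_header(src_port, dst_port) + app_data            # layer 4
    packet = ip_header(src_ip, dst_ip, len(segment)) + segment     # layer 3
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet  # layer 2


def decapsulate(frame: bytes) -> dict:
    """Walk up the stack: peel each header off and validate it before moving on."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:      # sum over header incl. csum field must be 0
        raise ValueError("IPv4 header checksum mismatch")
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    if proto != PROTO_TCP:
        raise ValueError("unexpected protocol %d" % proto)
    segment = packet[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {
        "src_ip": ".".join(str(b) for b in packet[12:16]),
        "dst_ip": ".".join(str(b) for b in packet[16:20]),
        "src_port": src_port, "dst_port": dst_port,
        "data": segment[data_offset:],
    }


if __name__ == "__main__":
    # constructed sample: inside host 10.0.0.5 talking to 203.0.113.10 on port 80
    frame = encapsulate(b"GET / HTTP/1.1\r\n", "10.0.0.5", "203.0.113.10",
                        51000, 80, b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02")
    print(decapsulate(frame))
```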
TCP/IP DARPA or DOD model – example SSH
TCP/IP DARPA or DOD model = Internet protocol suite

Application layer includes protocols from the Application Layer of the Internet Protocol Suite as well as the protocols of OSI Layer 7. The Application Layer of the Internet Protocol Suite includes Session Layer protocols and Presentation Layer protocols from OSI.


Transport layer is a conceptual division of methods in the layered architecture of protocols in the network stack in the Internet Protocol Suite and the Open Systems Interconnection (OSI). The protocols of the layer provide host-to-host communication services for applications. It provides services such as connection-oriented data stream support, reliability, flow control, and multiplexing.

TCP/IP DARPA or DOD model = Internet protocol suite

Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol suite that are used to transport datagrams (packets) from the originating host across network boundaries, if necessary, to the destination host specified by a network address (IP address) which is defined for this purpose by the Internet Protocol (IP). The internet layer derives its name from internetworking, which is the concept of connecting multiple networks with each other through gateways.

Internet-layer protocols use IP-based packets. The internet layer does not include the protocols that define communication between local (on-link) network nodes which fulfill the purpose of maintaining link states between the local nodes, such as the local network topology, and that usually use protocols that are based on the framing of packets specific to the link types. Such protocols belong to the link layer.

A common design aspect in the internet layer is the robustness principle: "Be liberal in what you accept, and conservative in what you send", as a misbehaving host can deny Internet service to many other users.


Link layer

Hardware changes across 7 layers
Application Data Stream – Application-specific protocols
Security: Confidentiality, authentication, data integrity, non-repudiation
Technology: gateways
Application-specific protocols LAYER 7 PROTOCOLS


Hypertext Transfer Protocol HTTP 80
SECURE Hypertext Transfer Protocol HTTPS 443
File Transfer Protocol FTP 20/21
Line Print Daemon LPD
Simple Mail Transfer Protocol SMTP 25
Telecommunications Network Protocol Telnet 23
Trivial File Transfer Protocol TFTP
Electronic Data Interchange EDI
Post Office Protocol V3 POP3
Internet Message Access Protocol IMAP
Simple Network Management Protocol SNMP
Network News Transport Protocol NNTP
Secure Remote Procedure Call S-RPC
Secure Electronic Transaction SET
Session Initiation Protocol SIP
Server Message Block Protocol SMB
Presentation Layer 6 - Takes machine-dependent information to a machine-independent format – file and data
Session layer 5 formats data for transfer
Transport layer 4
Introduction to Transport Layer 4
TCP/IP joke – SYN, SYN-ACK, ACK (the 3-way handshake)
Transport layer 4
Network Layer 3 - Packets
Network: Distance Vector DV and Link State LS Routing Protocols
Network Layer 3 Functions
Logical Addressing: a logical address, sometimes called a layer three address. On the Internet, the Internet Protocol (IP) is the network layer protocol and every machine has an IP address.
Addressing is done at the data link layer as well, but those addresses refer to local physical devices. In contrast, logical addresses are independent of particular hardware and must be unique across an entire internetwork. 
Routing: Moving data across a series of interconnected networks. It is the job of the devices and software routines that function at the network layer to handle incoming packets from various sources, determine their final destination, and figure out where they need to be sent to get them where they are supposed to go.
Datagram Encapsulation: The network layer normally encapsulates messages received from higher layers by placing them into datagrams (also called packets) with a network layer header.
Fragmentation and Reassembly: The network layer must send messages down to the data link layer for transmission. Some data link layer technologies have limits on the length of any message that can be sent. If the packet that the network layer wants to send is too large, the network layer must split the packet up, send each piece to the data link layer, and then have pieces reassembled once they arrive at the network layer on the destination machine. A good example is how this is done by the Internet Protocol. 
Error Handling and Diagnostics: Special protocols are used at the network layer to allow devices that are logically connected, or that are trying to route traffic, to exchange information about the status of hosts on the network or the devices themselves.
Data Link Layer 2
Data Link Layer 2 - frames


Medium Access Control Protocol MAC
Ethernet, Token Ring, StarLan
Spanning Tree Protocol STP using BPDU
Fiber Distributed Data Interface FDDI
Layer 2 Forwarding Protocol L2F
Point to Point Tunneling Protocol PPTP
Layer 2 Tunneling Protocol L2TP
Link Control Protocol LCP forms part of PPP
Point to Point Protocol PPP
Address Resolution Protocol ARP
Reverse Address Resolution Protocol RARP
Serial Line Address Resolution Protocol SLARP
Inverse Address Resolution Protocol IARP
Subnetwork Access Protocol SNAP
Bandwidth Allocation Protocol BAP
Challenge Handshake Authentication Protocol CHAP RFC 1994
LZS-DCP Compression Protocol LZS
Integrated Services Digital Network Protocol ISDN
Asynchronous Transfer Mode ATM
Frame Relay
High-Level Data Link Control HDLC
Synchronous Data Link Control SDLC
Link Access Procedures, D channel Protocol LAPD
Inter-Switch Link Protocol ISL
How 802.1x authentication works
Three-component architecture features a supplicant, access device (switch, access point) and authentication server (RADIUS). This architecture leverages the decentralized access devices to provide scalable, but computationally expensive, encryption to many supplicants while at the same time centralizing the control of access to a few authentication servers. This latter feature makes 802.1x authentication manageable in large installations.
When EAP is run over a LAN, EAP packets are encapsulated by EAP over LAN (EAPOL) messages. The format of EAPOL packets is defined in the 802.1x specification. EAPOL communication occurs between the end-user station (supplicant) and the wireless access point (authenticator). The RADIUS protocol is used for communication between the authenticator and the RADIUS server.
The authentication process begins when the end user attempts to connect to the WLAN. The authenticator receives the request and creates a virtual port with the supplicant. The authenticator acts as a proxy for the end user passing authentication information to and from the authentication server on its behalf. The authenticator limits traffic to authentication data to the server.
What are the steps in negotiation?
1. The client may send an EAP-start message.
2. The access point sends an EAP-request identity message.
3. The client's EAP-response packet with the client's identity is "proxied" to the authentication server by the authenticator.
4. The authentication server challenges the client to prove themselves and may send its credentials to prove itself to the client (if using mutual authentication).
5. The client checks the server's credentials (if using mutual authentication) and then sends its credentials to the server to prove itself.
6. The authentication server accepts or rejects the client's request for connection.
7. If the end user was accepted, the authenticator changes the virtual port with the end user to an authorized state allowing full network access to that end user.
8. At logoff, the client virtual port is changed back to the unauthorized state.
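The negotiation above, as an added example (not from the slides): the three roles are separate classes, the authenticator only relays the exchange and flips its virtual port between unauthorized and authorized, and an HMAC-SHA256 challenge/response stands in for a real EAP method; the identities, secrets and port names are constructed, and the optional server-credential check for mutual authentication is left out.

```python
"""802.1X port-based access control, simulated (added example).

Roles from the slide: a supplicant, an authenticator (switch or AP) that only
proxies EAP and keeps a per-client virtual port, and an authentication server
that holds the credentials. The challenge/response uses HMAC-SHA256 as a
stand-in for a real EAP method; identities and secrets are constructed.
"""
import hashlib
import hmac
import os


class AuthServer:
    """RADIUS-side logic: the only party that knows the shared secrets."""

    def __init__(self, credentials: dict):
        self.credentials = credentials      # identity -> secret bytes
        self.pending = {}                   # identity -> outstanding challenge

    def challenge(self, identity: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[identity] = nonce
        return nonce

    def verify(self, identity: str, response: bytes) -> bool:
        nonce = self.pending.pop(identity, None)
        secret = self.credentials.get(identity)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Supplicant:
    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


class Authenticator:
    """Switch/AP: never sees the secret, only relays EAP and flips the port state."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.ports = {}                     # port id -> "unauthorized" | "authorized"

    def connect(self, port: str, supplicant: Supplicant) -> str:
        self.ports[port] = "unauthorized"            # virtual port created (steps 1-2)
        identity = supplicant.identity               # EAP-Response/Identity, proxied (step 3)
        nonce = self.server.challenge(identity)      # server challenge relayed (step 4)
        response = supplicant.respond(nonce)         # client proves itself (step 5)
        if self.server.verify(identity, response):   # accept or reject (step 6)
            self.ports[port] = "authorized"          # full access granted (step 7)
        return self.ports[port]

    def forward(self, port: str, is_eapol: bool = False) -> bool:
        """Before authorization only EAPOL frames pass; afterwards everything does."""
        return is_eapol or self.ports.get(port) == "authorized"

    def logoff(self, port: str) -> None:
        self.ports[port] = "unauthorized"            # back to unauthorized (step 8)


if __name__ == "__main__":
    # constructed credentials and port names
    server = AuthServer({"alice": b"constructed-secret"})
    switch = Authenticator(server)
    print(switch.connect("Gi1/0/1", Supplicant("alice", b"constructed-secret")))
    print(switch.connect("Gi1/0/2", Supplicant("alice", b"wrong-secret")))
```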
Physical Layer 1
Physical Layer 1 Protocols


The Physical Layer receives data from the data link Layer and transmits it to the wire. The physical layer controls the electrical and mechanical functions related to the transmission and receipt of a communications signal including encoding and decoding of data contained within the modulated signal.

Note that for two devices to communicate, they must be connected to the same type of physical medium (wiring).  802.3 Ethernet  to  802.3 Ethernet,  FDDI to FDDI,  serial to serial etc.

RS-232 (Recommended Standard 232) is a standard communication protocol for linking a computer and its peripheral devices to allow serial data exchange
Synchronous Optical Network SONET
High-Speed Serial Interface HSSI used between devices that are within fifty feet of each other and achieves data rates up to 52 Mbps
X.21 is an interface specification for differential communications, using a 15-pin D-Sub connector and running full-duplex data transmissions
Digital subscriber line DSL
Integrated Services Digital Network (ISDN)
EIA-422, EIA-423, RS-449, RS-485
10BASE-T, 10BASE2, 10BASE5, 100BASE-TX, 100BASE-FX, 100BASE-T, 1000BASE-T, 1000BASE-SX
OSI Security - 6 Security Services

A security service is a collection of security mechanisms, files, and procedures that help protect the network.

Access control
Data confidentiality
Data integrity
Logging and monitoring
OSI Security - 8 Security Mechanisms

A security mechanism is a control that is implemented in order to provide the 6 basic security services.

Digital signature
Access Control
Data Integrity
Traffic Padding
Routing Control
Insecure TCP/IP Protocols Telnet, FTP, TFTP, SMTP
File Transfer Protocol – FTP Port 20/21
Trivial File Transfer Protocol
Simple Mail Transfer Protocol - SMTP
Multi-layer Protocol
DNP3 Distributed Network Protocol – open protocol that supports the Smart Grid computing
Provides interoperability between vendor SCADA systems
IEEE standard 2010
IEEE 1815-2012 is current standard and supports PKI
Software Defined Networks SDN
Isolates control plane from data plane
Control plane: data sent to/from a router, such as protocol updates (OSPF, BGP)
Data plane: data sent through router, such as routed packets
Routing decisions are made remotely
The open source OpenFlow protocol is used for remote management of data plane in Software Defined Networks
OpenFlow is a TCP protocol that uses TLS encryption
Content Distribution Networks

Improves performance and availability by bringing data closer to users

Also called Content Delivery Networks
Uses a series of distributed caching servers
Determines servers closest to end user

Notable CDNs include Akamai, Amazon CloudFront and CloudFlare

Many ISPs are also CDNs
Circuit vs. Packet Switching
Transports segments from the sending host to the receiving host
On the sending side, encapsulates segments into datagrams
On the receiving side, delivers segments to the transport layer
Network layer protocols run in every host and router
A router examines header fields in all IP datagrams passing through it
Remote Access and Secure Communications Channels
IPSec IETF open standard RFC 2401 (Layer 3)
Enables encrypted communication between users and devices
Implemented transparently into network infrastructure
Commonly implemented (most VPN are IPSec compliant)
Type of VPN 
Client to site VPN (Transport) Encrypts the DATA
Example: Laptop dial-up connection to remote access server at HQ
Site to site VPN (Tunnel) Encrypts the entire packet
Example: L.A. office connection to D.C. office location
Encryption can stop us from seeing our adversary
Bypassing firewalls, IDS, virus scanners, web filters
Trusting the other end – home and bad actors
Encrypted content prevents eavesdropping but also prevents Intrusion Detection Systems (IDS) from seeing outbound malicious content.
Types of IPSec Headers
IPSec sits between Layer 3 and 4
Layer 4 and higher is encrypted
ESP in transport mode impacts the firewall
You can only do layer 3 filtering
In tunnel mode, source and destination are private addresses, so are un-routable – has to be tunneled over the internet
Remote Access Security Management
Securing external connections VPNs SSL SSH
Data Access, screen scrapers, virtual desktops
Remote-access authentication systems (Radius and TACACS)
Remote node authentication protocols such as PAP and CHAP
A password authentication protocol (PAP) is an authentication protocol that uses a password. 
PAP is used by Point to Point Protocol to validate users before allowing them access to server resources. Almost all network operating system remote servers support PAP.
BAGN – 802.11 Wireless
802.11 supports infrared and Radio Frequency (FHSS and DSSS)
B + G only 2.4 GHz
B was approved first and ran at only 11 Mbps; everything after it runs at 54 Mbps until n, at 144 Mbps
Only N can use either 2.4 or 5 GHz and is what we see today
Digital Signal Level 0 (DS-0)               Partial T1; 64 Kbps up to 1.544 Mbps
Digital Signal Level 1 (DS-1)               T1; 1.544 Mbps
Digital Signal Level 3 (DS-3)               T3; 44.736 Mbps
European digital transmission format 1      E1; 2.108 Mbps
European digital transmission format 3      E3; 34.368 Mbps
Cable modem or cable routers                10+ Mbps
Packet filtering
Next Generation Firewalls (NGFW)
Firewall Topologies - "Where should the firewall be placed?"
Bastion host
Screened subnet
Dual-firewall architectures

The next decision to be made, after the topology chosen, is where to place individual firewall systems in it. At this point, there are several types to consider, such as bastion host, screened subnet, and multi-homed firewalls.

Packet Filtering Firewalls - physical, data-link, and network 
Examines each packet independently and determines whether packets should pass or be dropped
Has no idea of what traffic came before it
Very fast, but not very secure
Referred to as access control lists (ACL) on some devices
Several types of attacks can be used to bypass these firewalls. Packet filtering firewalls complement detailed defense in depth policies
Effective at layer 3, ineffective at layer 4
Because they treat each packet in isolation, this makes them vulnerable to spoofing attacks and also limits their ability to make more complex decisions based on what stage communications between hosts are at.
NGFW Next Gen Firewall
Replacing Stateful Inspection SI at each hardware refresh cycle
They should complement, not replace
Network layer firewalls
Makes decisions based on the source address, destination address, and ports in individual IP packets. A simple router is the traditional network layer firewall, since it is not able to make particularly complicated decisions about what a packet is actually talking to or where it actually came from.
One important distinction many network layer firewalls possess is that they route traffic directly through them, which means in order to use one, you either need to have a validly assigned IP address block or a private Internet address block. Network layer firewalls tend to be very fast and almost transparent to their users.
Proxy Firewall - Application layer firewalls
Application layer firewalls are hosts that run proxy servers, which permit no traffic directly between networks, and they perform elaborate logging and examination of traffic passing through them. Since proxy applications are simply software running on the firewall, it is a good place to do logging and access control. Application layer firewalls can be used as network address translators since traffic goes in one side and out the other after having passed through an application that effectively masks the origin of the initiating connection.
Application layer firewalls offer Layer 7 security on a more granular level, and may even help organizations get more out of existing network devices. 
Host-Based Firewalls
Host-Based Firewalls are software that runs on protected host
Additional defense in depth layer when combined with network firewalls
Examples include:
Windows Firewall
iptables (Linux/Unix)
Application Firewall (Mac OS X)
McAfee Personal Firewall (Mac OS X)
ZoneAlarm (Windows)
Stateful Packet Inspection Firewall
Keeps a state table of all traffic going across the network
Uses the state table to determine whether a packet should pass or be dropped
More secure, but slower than a packet filtering firewall
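To show why the packet filter above is "vulnerable to spoofing" while the stateful firewall is not, here is an added example (not from the slides) that runs the same constructed packets through a stateless ACL and a state-table firewall side by side; the 10.0.0.0/24 inside network and the outside addresses are constructed.

```python
"""Stateless packet filter vs. stateful inspection, side by side (added example).

The packet filter judges each packet in isolation, so to let web replies back
in it needs a permanent "inbound from port 80 with ACK set" rule; the stateful
firewall only admits packets that match a connection it saw start. Addresses
and packets are constructed (10.0.0.0/24 is the inside network).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: frozenset = field(default_factory=frozenset)   # e.g. {"SYN", "ACK"}


def is_outbound(pkt: Packet) -> bool:
    return pkt.src_ip.startswith("10.0.0.")


def packet_filter(pkt: Packet) -> str:
    """ACL-style rules: no memory of earlier packets."""
    if is_outbound(pkt) and pkt.dst_port == 80:
        return "pass"                                   # inside hosts may browse
    if not is_outbound(pkt) and pkt.src_port == 80 and "ACK" in pkt.flags:
        return "pass"                                   # looks like a reply, whether or not one was requested
    return "drop"


class StatefulFirewall:
    """Keeps a state table keyed by the 4-tuple of connections it saw open."""

    def __init__(self):
        self.table = set()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if is_outbound(pkt) and pkt.dst_port == 80 and pkt.flags == {"SYN"}:
            self.table.add(key)                         # new connection from inside
            return "pass"
        if key in self.table or reverse in self.table:
            if "FIN" in pkt.flags or "RST" in pkt.flags:
                self.table.discard(key)                 # connection torn down
                self.table.discard(reverse)
            return "pass"
        return "drop"                                   # no matching state


def compare(packets):
    """Return (stateless, stateful) verdicts for each packet, in order."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.filter(p)) for p in packets]


if __name__ == "__main__":
    # constructed traffic: a real web session plus a spoofed "reply" nobody asked for
    syn = Packet("10.0.0.5", "203.0.113.10", 51000, 80, frozenset({"SYN"}))
    synack = Packet("203.0.113.10", "10.0.0.5", 80, 51000, frozenset({"SYN", "ACK"}))
    spoof = Packet("203.0.113.99", "10.0.0.7", 80, 3389, frozenset({"ACK"}))
    print(compare([syn, synack, spoof]))
```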
Network Intrusion Protection System NIPS and Network Intrusion Detection System NIDS
NIPS are hardware and software systems that protect computer networks from unauthorized access and malicious activity.
- hardware: a dedicated Network Intrusion Detection System (NIDS) device, an Intrusion Prevention System (IPS), or a combination of the two such as an Intrusion Prevention and Detection System (IPDS).
NIDS can only detect intrusions
IPS can pro-actively stop an attack by following established rules, such as changing firewall settings, blocking particular Internet protocol (IP) addresses or dropping certain packets entirely.
- software: firewall, sniffer and antivirus tools, dashboards and other data visualization tools.
NIPS continually monitor networks for abnormal traffic patterns, generate event logs, alert system administrators to significant events and stop potential intrusions when possible.
NIPS are useful for internal security auditing and provide documentation for compliance regulations.
A NIPS is one part of a layered combination of security systems; working together they are necessary to protect computer networks from compromise.
A NIPS in some form is vital for any computer network that can be accessed by unauthorized persons.
Computers holding sensitive data always need protection; however, even seemingly insignificant networks can be hijacked for use in botnet attacks.
Kerberos Ticket authentication mechanism
Kerberos offers a single sign-on solution for users and provides protection for login credentials. The current version, Kerberos 5, relies on symmetric-key cryptography (also known as secret-key cryptography) using the Advanced Encryption Standard (AES) symmetric encryption protocol. Kerberos provides confidentiality and integrity for authentication traffic using end-to-end security and helps prevent against eavesdropping and replay attacks. It uses several different elements that are important to understanding:
Key Distribution Center The key distribution center (KDC) is the trusted third party that provides authentication services. Kerberos uses symmetric-key cryptography to authenticate clients to servers. All clients and servers are registered with the KDC, and it maintains the secret keys for all network members.
Kerberos Authentication Server The authentication server hosts the functions of the KDC:
a ticket-granting service (TGS), and an authentication service (AS). However, it is possible to host the ticket-granting service on another server. The authentication service verifies or rejects the authenticity and timeliness of tickets. This server is often called the KDC.
Ticket-Granting Ticket (TGT) provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects.
A TGT is encrypted and includes a symmetric key, an expiration time, and the user’s IP address. Subjects present the TGT when requesting tickets to access objects.
Ticket A ticket is an encrypted message that provides proof that a subject is authorized to access an object. It is sometimes called a service ticket (ST).
Subjects request tickets to access objects, and if they have authenticated and are authorized to access the object, Kerberos issues them a ticket. Kerberos tickets have specific lifetimes and usage parameters. Once a ticket expires, a client must request a renewal or a new ticket to continue communications with any server.
The Kerberos login process works as follows:
1. The user types a username and password into the client.
2. The client encrypts the username with AES for transmission to the KDC.
3. The KDC verifies the username against a database of known credentials.
4. The KDC generates a symmetric key that will be used by the client and the Kerberos server. It encrypts this with a hash of the user’s password. The KDC also generates an encrypted time-stamped TGT.
5. The KDC then transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client.
6. The client installs the TGT for use until it expires. The client also decrypts the symmetric key using a hash of the user’s password.
Kerberos is a versatile authentication mechanism that works over local LANs, remote access, and client-server resource requests. However, Kerberos presents a single point of failure—the KDC. If the KDC is compromised, the secret key for every system on the network is also compromised. Also, if a KDC goes offline, no subject authentication can occur.
When a client wants to access an object, such as a resource hosted on the network, it must request a ticket through the Kerberos server:
1. The client sends its TGT back to the KDC with a request for access to the resource.
2. The KDC verifies that the TGT is valid and checks its access control matrix to verify that the user has sufficient privileges to access the requested resource.
3. The KDC generates a service ticket and sends it to the client.
4. The client sends the ticket to the server or service hosting the resource.
5. The server or service hosting the resource verifies the validity of the ticket with the KDC.
6. Once identity and authorization are verified, Kerberos activity is complete. The server or service host then opens a session with the client and begins communications or data transmission.
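The login and ticket-request sequences above, carried through as one added example (not from the slides or any Kerberos implementation): the KDC hosts both the authentication and ticket-granting services, the user's key is a SHA-256 hash of the password, and tickets are sealed with a toy authenticated cipher that stands in for AES; principals, passwords, the access list and the service that verifies its ticket with the key it shares with the KDC are all constructed.

```python
"""Kerberos AS, TGS and service exchanges, simulated (added example).

Long-term keys are derived from passwords with SHA-256 and tickets are sealed
with a toy authenticated cipher (SHA-256 keystream + HMAC tag) standing in
for AES. Principals, passwords, the access list and lifetimes are constructed.
"""
import hashlib, hmac, json, os, time


def key_from(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy AEAD (not AES): nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Service and Ticket-Granting Service on one host."""

    def __init__(self, principals: dict, acl: dict, lifetime: int = 300):
        self.keys = {p: key_from(s) for p, s in principals.items()}  # secrets of every member
        self.tgs_key = os.urandom(32)          # TGTs are readable only by the KDC
        self.acl, self.lifetime = acl, lifetime

    def as_exchange(self, user: str, client_ip: str):
        """Login steps 3-5: sealed session key for the user plus a time-stamped TGT."""
        if user not in self.keys:
            raise PermissionError("unknown principal")
        session, exp = os.urandom(32).hex(), time.time() + self.lifetime
        tgt = seal(self.tgs_key, {"user": user, "key": session, "ip": client_ip, "exp": exp})
        return seal(self.keys[user], {"key": session, "exp": exp}), tgt

    def tgs_exchange(self, tgt: bytes, service: str, authenticator: bytes):
        """Ticket request steps 1-3: validate the TGT, check the ACL, issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if time.time() > t["exp"]:
            raise PermissionError("TGT expired")
        unseal(bytes.fromhex(t["key"]), authenticator)   # proves the client holds the session key
        if service not in self.acl.get(t["user"], ()):
            raise PermissionError("not authorized for " + service)
        skey, exp = os.urandom(32).hex(), time.time() + self.lifetime
        ticket = seal(self.keys[service], {"user": t["user"], "key": skey, "exp": exp})
        return seal(bytes.fromhex(t["key"]), {"key": skey}), ticket


def client_login(kdc: KDC, user: str, password: str, ip: str):
    sealed, tgt = kdc.as_exchange(user, ip)
    session = unseal(key_from(password), sealed)["key"]   # step 6: wrong password fails here
    return bytes.fromhex(session), tgt


def client_get_service(kdc: KDC, session_key: bytes, tgt: bytes, service: str):
    sealed, ticket = kdc.tgs_exchange(tgt, service, seal(session_key, {"ts": time.time()}))
    return bytes.fromhex(unseal(session_key, sealed)["key"]), ticket


def service_accept(service_secret: str, ticket: bytes) -> str:
    """Step 5: the service checks the ticket with the key it shares with the KDC."""
    t = unseal(key_from(service_secret), ticket)
    if time.time() > t["exp"]:
        raise PermissionError("service ticket expired")
    return t["user"]
```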
Ports whose numbers are important to recognize on sight
Telnet, TCP Port 23 This is a terminal emulation network application that supports remote connectivity for executing commands and running applications but does not support transfer of files.
File Transfer Protocol (FTP), TCP Ports 20 and 21 This is a network application that supports an exchange of files that requires anonymous or specific authentication.
Trivial File Transfer Protocol (TFTP), UDP Port 69 This is a network application that supports an exchange of files that does not require authentication.
Simple Mail Transfer Protocol (SMTP), TCP Port 25 This is a protocol used to transmit email messages from a client to an email server and from one email server to another.
Post Office Protocol (POP3), TCP Port 110 This is a protocol used to pull email messages from an inbox on an email server down to an email client.
Internet Message Access Protocol (IMAP), TCP Port 143 This is a protocol used to pull email messages from an inbox on an email server down to an email client. IMAP is more secure than POP3 and offers the ability to pull headers down from the email server as well as to delete messages directly off the email server without having to download to the local client first.
Dynamic Host Configuration Protocol (DHCP), UDP Ports 67 and 68 DHCP uses port 67 for server point-to-point response and port 68 for client request broadcasts. It is used to assign TCP/IP configuration settings to systems upon bootup. DHCP enables centralized control of network addressing.
Hypertext Transport Protocol (HTTP), TCP Port 80 This is the protocol used to transmit web page elements from a web server to web browsers.
Secure Sockets Layer (SSL), TCP Port 443 (for HTTP Encryption) This is a VPN-like security protocol that operates at the Transport layer. SSL was originally designed to support secured web communications (HTTPS) but is capable of securing any Application layer protocol communications.
Line Print Daemon (LPD), TCP Port 515 This is a network service that is used to spool print jobs and to send print jobs to printers.
X Window, TCP Ports 6000–6063 This is a GUI API for command-line operating systems.
Bootstrap Protocol (BootP)/Dynamic Host Configuration Protocol (DHCP), UDP Ports 67 and 68 This is a protocol used to connect diskless workstations to a network through the auto assignment of IP configuration and download of basic OS elements. BootP is the forerunner to Dynamic Host Configuration Protocol (DHCP).
Network File System (NFS), TCP Port 2049 This is a network service used to support file sharing between dissimilar systems.
Simple Network Management Protocol (SNMP), UDP Port 161 (UDP Port 162 for Trap Messages) This is a network service used to collect network health and status information by polling monitoring devices from a central monitoring station.