CISSP-4-Communications and Network Security
CISSP (Certified Information Systems Security Professional) mind map. Main contents: basic network concepts, the Open Systems Interconnection (OSI) reference model, the TCP/IP model, transmission types, LAN technologies, network and security equipment, and remote access technologies.
Edited at 2021-11-10 12:03:27
Communications and Network Security
Basic concepts of network
protocol
A set of rules and standards that determine how systems communicate in a network
Communication between peer layers must follow agreed rules (what is communicated and how); that set of rules is the protocol.
layered
Divide network interconnection tasks, protocols and services into different layers
Each layer has its own responsibilities and specific functions, implemented by the services and protocols working within that layer
Each layer has a defined interface that lets it interact with three other parties:
The layer above it
The layer below it
Its peer layer on the destination system (the layer that processes the same header at the other end of the communication)
encapsulation
Decapsulation
Open Systems Interconnection (OSI) reference model
Application layer, layer 7
Closest to the user
Provides file transfer, message exchange, and terminal sessions and perform network requests for the application
Examples: SMTP, HTTP, LPD, FTP, TELNET, TFTP, SFTP, RIP (carried over UDP), BGP (carried over TCP), SIP (Session Initiation Protocol)
Presentation layer, layer 6
Converts information into a format that any computer following the OSI model can understand
The presentation layer is concerned with the format and syntax of data, and handles data compression and encryption
Typical formats: ASCII, ASN.1, JPEG, MPEG, etc.
Session layer, layer 5
Responsible for establishing connections between two applications
Manages dialogues between hosts: establishing, managing and terminating inter-process sessions
Typical protocols: NetBIOS, PPTP (carried over TCP), L2TP (carried over UDP), RPC, etc.
Transport layer, layer 4
Provides end-to-end data transmission services and establishes a connection between the two communicating computers
The session layer establishes connections between applications; the transport layer establishes connections between computer systems
Typical protocols: TCP, UDP, SPX, etc.
Data unit: segment (TCP segment, UDP datagram)
Network layer, layer 3
Responsible for routing packets between subnets; also provides congestion control and internetworking functions
Data unit: packet (datagram)
Typical protocols: IPX, IP, ICMP, IGMP, IPsec, etc.
Data link layer, layer 2
The data link layer provides reliable transmission over unreliable physical media.
Functions include physical (MAC) addressing, framing, flow control, error detection and retransmission
Typical protocols: SDLC, PPP, STP, Frame Relay, ARP/RARP, etc.
Data unit: frame
Physical layer, layer 1
Specifies the mechanical, electrical, functional and procedural characteristics for activating, maintaining and deactivating the physical link between communication endpoints
Data unit: bit
Typical specifications: EIA/TIA RS-232, RJ-45
TCP/IP model
TCP: reliable, connection-oriented protocol
UDP: connectionless, best-effort protocol
IPv4 addresses are 32 bits; IPv6 addresses are 128 bits
Socket: the combination of an IP address and a port number. The IP header carries the source and destination addresses; the TCP/UDP header carries the source and destination ports (well-known ports: FTP 20/21, SSH 22, Telnet 23, SMTP 25, HTTP 80)
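The encapsulation/decapsulation described under "Basic concepts of network" and the layering of the TCP/IP model, as an added worked example (not part of the original mind map): a TCP segment is wrapped in an IPv4 header, which is wrapped in an Ethernet frame, and then unpacked again with the IPv4 header checksum verified. The MAC addresses, IP addresses and ports are constructed for illustration; the TCP checksum (which needs a pseudo-header) and the Ethernet FCS are omitted to keep the example short.

```python
import struct


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(src_port, dst_port, seq, flags, payload=b""):
    """Layer 4: 20-byte TCP header (data offset 5 words, no options).
    The TCP checksum needs a pseudo-header and is left at 0 in this example."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, flags, 65535, 0, 0)
    return header + payload


def build_ipv4_packet(src_ip, dst_ip, segment):
    """Layer 3: wrap the segment in an IPv4 header (protocol 6 = TCP, DF set, TTL 64)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                         64, 6, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + segment


def build_ethernet_frame(src_mac, dst_mac, packet):
    """Layer 2: Ethernet II header (EtherType 0x0800 = IPv4); the trailing FCS is omitted."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", 0x0800) + packet


def decapsulate(frame: bytes) -> dict:
    """Peel the layers off again, verifying the IPv4 header checksum on the way."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    ip_header = packet[:ihl]
    total_len = struct.unpack("!H", ip_header[2:4])[0]
    if ip_header[9] != 6:
        raise ValueError("not TCP")
    segment = packet[ihl:total_len]
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    data_offset = (segment[12] >> 4) * 4
    return {
        "dst_mac": bytes_to_mac(frame[:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "src_ip": bytes_to_ip(ip_header[12:16]),
        "dst_ip": bytes_to_ip(ip_header[16:20]),
        "ttl": ip_header[8],
        "ip_checksum_ok": ipv4_checksum(ip_header) == 0,
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "flags": segment[13],
        "payload": segment[data_offset:],
    }


def example_frame() -> bytes:
    """Constructed sample: a TCP SYN (flags 0x02) to port 80; addresses are illustrative."""
    segment = build_tcp_segment(40000, 80, 1000, 0x02)
    packet = build_ipv4_packet("10.0.0.5", "93.184.216.34", segment)
    return build_ethernet_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", packet)


if __name__ == "__main__":
    for name, value in decapsulate(example_frame()).items():
        print("%-15s %s" % (name, value))
```

Each builder adds exactly one header in front of the unit it receives from the layer above, which is all "encapsulation" means; the decapsulator reads the same headers in reverse order, and any change to the IP header (a TTL decrement by a router, or tampering) shows up as a failed checksum until the header is recomputed.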
Transmission type
Analog Vs Digital
Analog signal: the amplitude, frequency and phase of the signal vary continuously; lower transmission rate
Digital signal: the signal is a series of discrete pulses; less easily distorted, higher transmission rate
Asynchronous vs Synchronous
Broadband and baseband
Baseband: the digital or analog signal is placed directly on the cable without modulation and uses the entire channel of the cable; Ethernet is a baseband network
Broadband: multiple signals are modulated onto different carrier frequencies, dividing the cable's bandwidth into separate channels so that, for example, voice, video and data can be carried at the same time; cable TV is a broadband network
LAN technology
Network topology
ring network
bus network
star network
mesh topology
Transmission medium
LAN implementation type
Ethernet
Defined by the IEEE 802.3 standard
Physical star, logical bus
Organized into broadcast domains and collision domains
Uses CSMA/CD media access control
Ethernet/IEEE 802.3 (10 Mbps over coaxial cable), Fast Ethernet (100 Mbps over twisted pair), Gigabit Ethernet (1 Gbps over fiber or twisted pair)
Token Ring
IEEE802.5 standard
Logical ring, usually physical star connection
Each node must regenerate the signal
Predictable bandwidth under load; 4 Mbps or 16 Mbps
FDDI
Token-passing network using two counter-rotating rings: the primary ring runs clockwise, the secondary ring counterclockwise; uses an active monitor and beaconing for fault detection
Speeds up to 100 Mbps
Typically used for LAN/WAN backbones
CDDI (Copper Distributed Data Interface) runs the same protocol over UTP
media access technology
token passing
Used by Token Ring and FDDI
Only the station holding the token may transmit
CSMA
CSMA/CD
Carrier Sense Multiple Access with Collision Detection
Used in Ethernet
CSMA/CA
Carrier Sense Multiple Access with Collision Avoidance
Used in wireless networks such as 802.11
collision domain
broadcast domain
polling
Mainly used in mainframe system environment
wiring
concept
Data throughput is the actual amount of data that passes through the cable after compression and encoding
Bandwidth can be viewed as the width of a pipe
Data throughput is the actual amount of data that passes through the pipe
coaxial cable
Coaxial cable has a copper core surrounded by insulation, a braided shield and an outer jacket
Coaxial cable is more resistant to electromagnetic interference than twisted pair
50-ohm cable is used for digital (baseband) signaling
75-ohm cable is used for high-speed digital and analog signaling
Coaxial cable can be used in baseband or broadband mode
twisted pair
Shielded twisted pair, STP and unshielded twisted pair, UTP
Twisted pair consists of copper wires twisted around each other to reduce electromagnetic interference and crosstalk
Twisted pair suffers from signal attenuation over distance
UTP is the easiest cable to tap and therefore the least secure network cable
Optical fiber (highest security; compare FC SAN with IP SAN). Fiber is hard to tap without being noticed: monitoring the attenuation of light on the link is one way to determine whether it is being eavesdropped
Multimode fiber: short to medium distances
Single-mode fiber: long distance
wiring problem
noise
attenuation
crosstalk
Fire rating (flame-retardant properties) of the cable
Transmission method
Unicast
broadcast
multicast
Anycast
LAN protocol
Address Resolution Protocol, ARP
Resolves IP addresses to MAC addresses
ARP table (cache) poisoning: a forged reply rebinds an IP address to the attacker's MAC
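An added example of detecting the ARP cache poisoning mentioned above; it is not from the original mind map. The monitor keeps the first observed IP-to-MAC binding (or a trusted static one for the gateway) and flags any reply that changes it, and separately flags one MAC claiming several IP addresses, which is what a man-in-the-middle does when it poisons both the victim and the gateway. The ARP replies below are constructed sample data, not a capture.

```python
from collections import defaultdict, namedtuple

ArpReply = namedtuple("ArpReply", "sender_ip sender_mac target_ip")

# Constructed sample traffic. The gateway 192.168.1.1 is first seen with its real
# MAC; later an attacker's MAC (…:de:ad:ee) claims both the gateway's and the
# victim's (192.168.1.10) IP address.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:0c:29:aa:bb:01", "192.168.1.10"),
    ArpReply("192.168.1.20", "00:0c:29:aa:bb:20", "192.168.1.10"),
    ArpReply("192.168.1.1", "00:0c:29:de:ad:ee", "192.168.1.10"),
    ArpReply("192.168.1.10", "00:0c:29:de:ad:ee", "192.168.1.1"),
    ArpReply("192.168.1.1", "00:0c:29:de:ad:ee", "192.168.1.10"),
]


def detect_arp_poisoning(replies, trusted_bindings=None):
    """Walk ARP replies in order and report two poisoning symptoms.

    trusted_bindings: optional static IP->MAC entries (e.g. the gateway) that are
    never overwritten, mirroring a static ARP entry on a host.
    Returns {"binding_changes": [(ip, old_mac, new_mac), ...],
             "multi_ip_macs": {mac: [ip, ...]}}.
    """
    table = dict(trusted_bindings or {})
    ips_per_mac = defaultdict(set)
    changes = []
    for reply in replies:
        ips_per_mac[reply.sender_mac].add(reply.sender_ip)
        known = table.get(reply.sender_ip)
        if known is None:
            table[reply.sender_ip] = reply.sender_mac      # first sighting: learn it
        elif known != reply.sender_mac:
            # Same IP now claimed by a different MAC: keep the old binding and alert.
            changes.append((reply.sender_ip, known, reply.sender_mac))
    multi = {mac: sorted(ips) for mac, ips in ips_per_mac.items() if len(ips) > 1}
    return {"binding_changes": changes, "multi_ip_macs": multi}


if __name__ == "__main__":
    result = detect_arp_poisoning(SAMPLE_REPLIES, {"192.168.1.1": "00:0c:29:aa:bb:01"})
    for ip, old, new in result["binding_changes"]:
        print("ALERT binding change %s: %s -> %s" % (ip, old, new))
    for mac, ips in result["multi_ip_macs"].items():
        print("ALERT %s claims %s" % (mac, ", ".join(ips)))
```

A legitimate NIC replacement also changes a binding, so in practice the alert is correlated with DHCP lease data or confirmed against a static entry; the second heuristic (one MAC, many IPs) is the stronger signal because a host normally answers for one address only.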
Dynamic Host Configuration Protocol, DHCP
Evolution: RARP --> BOOTP --> DHCP
Internet Control Message Protocol, ICMP
Routing protocols (routing can be dynamic or static: dynamic routing protocols discover routes and build their own routing tables; static routes require the administrator to configure the router's routing table manually)
A network under a single administrative control is an autonomous system (AS)
distance vector
RIP
IGRP
Link state (each router builds a database of the network topology)
OSPF
Exterior routing protocols connect different ASs; the exterior gateway protocol in use today is BGP
Network and security equipment
Network interconnection equipment
Repeaters and hubs
Working at the physical layer
Receive, amplify and retransmit the signal out of all ports
Connecting many devices to the same segment increases collisions and contention
Bridges and switches
Data link layer equipment
A switch combines hub and bridge technology
VLAN (logical network segmentation)
Reduce collisions
Improved network security
A switch reads the destination MAC (physical) address of each frame; if it knows the port for that address it forwards the frame to that port only, otherwise it floods the frame out of all ports
router
Network layer equipment
Routers separate networks into different collision domains and broadcast domains
gateway
Application layer equipment
Connect different types of networks and translate between protocols and formats
PBX
Digital switching equipment that handles analog and digital signals
PBX internal security issues, e.g. eavesdropping and toll fraud
CDN
content delivery network
A system deployed strategically across the network, with four elements: distributed storage, load balancing, request redirection and content management
SDN
software defined network
Separates the control plane from the network devices and places it in a centralized controller; the controller does not depend on the underlying equipment (routers, switches, firewalls) and hides the differences between vendors' devices
Network Address Translation, NAT (NAT alleviates the shortage of IPv4 addresses and hides internal addresses, so unsolicited connections from outside cannot reach internal hosts directly; implemented on routers and firewalls. It hides hosts but is not a substitute for a firewall)
static mapping
dynamic mapping
Port Mapping
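The three NAT mapping types above, as an added toy translator (not from the original mind map, and not any vendor's implementation): static mapping is a fixed one-to-one binding, dynamic mapping hands out a public address from a pool, and port mapping (PAT, "overloading") multiplexes many internal sockets onto one public address by rewriting the source port. The addresses are constructed; a real device also ages entries out and handles ICMP and fragments.

```python
class NatDevice:
    """Minimal NAT box: static one-to-one, dynamic one-to-one from a pool,
    and port address translation (PAT) on the device's own public address."""

    def __init__(self, public_ip, static=None, pool=None, first_port=40000):
        self.public_ip = public_ip
        self.static = dict(static or {})    # private_ip -> public_ip, fixed
        self.pool = list(pool or [])        # free public addresses for dynamic mapping
        self.dynamic = {}                   # private_ip -> public_ip taken from the pool
        self.pat = {}                       # (private_ip, private_port, proto) -> public_port
        self.pat_rev = {}                   # (public_port, proto) -> (private_ip, private_port)
        self.next_port = first_port

    def _one_to_one(self, private_ip):
        """Return the public address for a static or dynamic one-to-one mapping."""
        if private_ip in self.static:
            return self.static[private_ip]
        if private_ip in self.dynamic:
            return self.dynamic[private_ip]
        if self.pool:                       # dynamic mapping: allocate on first use
            self.dynamic[private_ip] = self.pool.pop(0)
            return self.dynamic[private_ip]
        return None

    def outbound(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Translate a packet leaving the private network; returns the new 4-tuple."""
        public = self._one_to_one(src_ip)
        if public is not None:
            return (public, src_port, dst_ip, dst_port)
        key = (src_ip, src_port, proto)     # port mapping: share the public IP
        if key not in self.pat:
            self.pat[key] = self.next_port
            self.pat_rev[(self.next_port, proto)] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.pat[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Translate a packet arriving from outside; None means no state, so it is dropped."""
        for private_ip, public in list(self.static.items()) + list(self.dynamic.items()):
            if public == dst_ip:            # one-to-one: every port is reachable
                return (src_ip, src_port, private_ip, dst_port)
        if dst_ip == self.public_ip and (dst_port, proto) in self.pat_rev:
            private_ip, private_port = self.pat_rev[(dst_port, proto)]
            return (src_ip, src_port, private_ip, private_port)
        return None
```

The asymmetry is the security-relevant point: a PAT entry exists only after an inside host has sent something, so an unsolicited inbound packet to the public address has no entry and is dropped, while a statically mapped host is reachable on every port and needs a firewall policy of its own.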
safety equipment
firewall
Packet filtering firewall (first generation)
Works at the network layer (filtering on addresses and transport-layer ports)
Difficult to prevent attacks on upper-layer protocols
Application proxy firewall (second generation)
Works at the application layer
Understands the application protocol and forwards on behalf of the client; there is no direct connection between the communicating parties
Circuit-level gateway firewall (also classed as second generation)
Works at the session layer
Relays connections without inspecting application content; a hybrid of packet filtering and application proxying
Stateful inspection firewall (third generation)
Works at the network, transport and application layers
Maintains a state table that tracks each communication channel
Tracks the state of TCP connections and of UDP "pseudo-connections"
Dynamic packet filtering firewall (fourth generation)
ACL entries are created dynamically for a connection and removed when the connection ends
Kernel proxy firewall (fifth generation)
Evaluates packets by building dynamic, customized TCP/IP protocol stacks in the kernel
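An added example contrasting the first-generation packet filter with stateful inspection (not from the original mind map): both are run over the same constructed packet list. To let replies to outbound web requests back in, the stateless ACL has to allow anything arriving from source port 80, which an attacker can exploit simply by sending from port 80; the stateful inspector allows an inbound packet only when its state table holds a matching outbound connection. The 10.0.0.0/8 "inside" network and the addresses are assumptions for the example.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")
INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE


# Stateless ACL, first match wins, default deny.
# Tuple: (src_inside, dst_inside, sport, dport, action); None means "any".
STATELESS_RULES = [
    (True, False, None, 80, "allow"),   # inside hosts may open web connections
    (False, True, 80, None, "allow"),   # the hole needed for replies: anything *from* port 80
]


def stateless_decide(pkt: Packet) -> str:
    for src_in, dst_in, sport, dport, action in STATELESS_RULES:
        if (is_inside(pkt.src) == src_in and is_inside(pkt.dst) == dst_in
                and (sport is None or pkt.sport == sport)
                and (dport is None or pkt.dport == dport)):
            return action
    return "deny"


class StatefulInspector:
    """Allows outbound web connections and only the return traffic that matches them."""

    def __init__(self):
        self.table = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def decide(self, pkt: Packet) -> str:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.table:
                return "allow"
            if pkt.dport == 80 and pkt.flags == {"SYN"}:   # new connection per policy
                self.table[key] = "SYN_SENT"
                return "allow"
            return "deny"
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed: inside side first
            state = self.table.get(key)
            if state is None:
                return "deny"                               # no matching outbound flow
            if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
            return "allow"
        return "deny"


# Constructed packets: a real web handshake, then an attacker probing SMB and SSH
# from outside, once using source port 80 and once using an arbitrary port.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 40000, "93.184.216.34", 80, frozenset({"SYN"})),
    Packet("93.184.216.34", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("198.51.100.7", 80, "10.0.0.5", 445, frozenset({"SYN"})),
    Packet("198.51.100.7", 12345, "10.0.0.5", 22, frozenset({"SYN"})),
]


def compare(packets):
    """Return (stateless decision, stateful decision) for each packet in order."""
    inspector = StatefulInspector()
    return [(stateless_decide(p), inspector.decide(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE_PACKETS, compare(SAMPLE_PACKETS)):
        print("%s:%d -> %s:%d  stateless=%s stateful=%s"
              % (pkt.src, pkt.sport, pkt.dst, pkt.dport, stateless, stateful))
```

The third packet is the one that matters: the stateless filter passes a SYN to port 445 because it came from port 80, while the stateful inspector rejects it because no inside host ever opened a connection to 198.51.100.7.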
Firewall architecture
Dual-homed firewall
Screened host
Screened subnet (forms a DMZ; the most secure of the three)
UTM Unified Threat Management
NGFW next generation firewall
SIEM: Security Information and Event Management
remote access technology
AAA services: Authentication, Authorization, Accounting (accountability/auditing)
RADIUS
Remote Authentication Dial-In User Service
Uses UDP
TACACS
Terminal Access Controller Access-Control System
Uses UDP
TACACS+
Supports two-factor authentication (dynamic one-time passwords)
Uses TCP
Diameter
Authentication protocols
Password Authentication Protocol, PAP
Sends the username and password in cleartext (insecure)
The PAP process is very simple: a two-way handshake
The party being authenticated initiates the exchange and may retry without limit (open to brute-force guessing)
PAP verification happens only during link establishment; once the link is up, no further verification is performed. Still commonly used in PPPoE dial-up environments
Challenge Handshake Authentication Protocol, CHAP
Challenge-response mechanism for authentication
CHAP periodically verifies the identity of the peer using a three-way handshake
Performed at link establishment and repeatable at any time after the link is up
CHAP resists replay by using an incrementally changing identifier and a variable, unpredictable challenge value
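The PAP-versus-CHAP exchange above, as an added worked example (not from the original mind map): PAP puts the password on the wire, while CHAP (RFC 1994) sends only MD5(identifier || secret || challenge), so a captured response is useless against a fresh challenge. The user name, secret and the simple in-memory authenticator are assumptions for the example; a real PPP implementation frames these values in CHAP packets.

```python
import hashlib
import hmac
import os


def pap_on_the_wire(username: str, password: str) -> bytes:
    """What a PAP Authenticate-Request exposes: both values in the clear."""
    return username.encode() + b":" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The side that holds the secrets, issues challenges and checks responses."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)   # peer name -> shared secret
        self.pending = {}              # peer name -> (identifier, challenge) awaiting a response
        self.next_id = 1

    def challenge(self, name):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256       # one-byte identifier, changes each time
        challenge = os.urandom(16)                    # unpredictable challenge value
        self.pending[name] = (identifier, challenge)
        return identifier, challenge

    def verify(self, name, identifier, response):
        pending = self.pending.pop(name, None)        # each challenge is usable once
        if pending is None or pending[0] != identifier or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], pending[1])
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """The side being authenticated; it never sends the secret itself."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        return chap_response(identifier, self.secret, challenge)


def run_exchange(server_secret=b"s3cret", peer_secret=b"s3cret"):
    """One full CHAP round trip; True when both sides hold the same secret."""
    auth = ChapAuthenticator({"alice": server_secret})
    peer = ChapPeer("alice", peer_secret)
    identifier, challenge = auth.challenge("alice")
    return auth.verify("alice", identifier, peer.respond(identifier, challenge))


def replay_is_rejected():
    """An eavesdropper replays a captured response against a new challenge."""
    auth = ChapAuthenticator({"alice": b"s3cret"})
    peer = ChapPeer("alice", b"s3cret")
    identifier1, challenge1 = auth.challenge("alice")
    captured = peer.respond(identifier1, challenge1)
    assert auth.verify("alice", identifier1, captured)    # the genuine exchange succeeds
    identifier2, _ = auth.challenge("alice")
    return (not auth.verify("alice", identifier2, captured)
            and not auth.verify("alice", identifier1, captured))
```

The trade-off a practitioner should note: because the authenticator must compute the same hash, CHAP requires the server to store the secret in a recoverable form, and an attacker who captures a challenge/response pair can still mount an offline dictionary attack on it; EAP-TLS avoids both problems with certificates.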
Extensible Authentication Protocol, EAP (an extensible authentication framework rather than a single method)
EAP-MD5
Weak, hash-based authentication
Authenticates the client only
One-way authentication
PEAP
Runs EAP inside a TLS tunnel
EAP-TLS
Uses digital certificates for authentication
Identity authentication method
call-back (Call back)
With callback, the host system disconnects the caller and dials the pre-authorized telephone number of the remote terminal to re-establish the connection. Synonymous with dialback.
Integrated Services Digital Network, ISDN
Integrates circuit switching, dedicated lines and packet switching to carry voice, video and data over a single network
Basic Rate Interface, BRI: 2B+D, i.e. two 64 Kbps bearer channels and one 16 Kbps signaling channel
Primary Rate Interface, PRI: 23B+D, i.e. twenty-three 64 Kbps bearer channels and one 64 Kbps signaling channel
dedicated line
Secure (the line is dedicated to one customer)
Expensive
Digital Subscriber Line, DSL
Symmetric DSL, SDSL
Same rate upstream and downstream; suitable for bidirectional high-speed services
High bit rate DSL, HDSL
Uses two twisted pairs to provide T1 speed over conventional telephone lines
Asymmetric DSL, ADSL
Downstream faster than upstream; suitable for home users
IDSL
Used by subscribers far from the central office; 128 Kbps symmetric
VPN
protocol
Point-to-Point Tunneling Protocol, PPTP
Control connection at the session layer (layer 5); tunnels layer 2 (PPP) frames
Point-to-point connection
Designed for client/server (remote access) connections
Encapsulates PPP frames for transport through the tunnel
Uses MPPE encryption
L2F
Created by Cisco before L2TP
Merged with PPTP to form L2TP
Provides mutual authentication
No encryption
L2TP
A combination of L2F and PPTP
Point-to-point connection between two computers
Control connection at the session layer; tunnels layer 2 frames
Combined with IPsec to provide security
L2TP itself does not encrypt the data carried in the tunnel (it only defines optional hiding of control-message attributes), so confidentiality must come from IPsec
IPSec
Ability to handle multiple connections simultaneously
Provides secure authentication and encryption
Works at the network layer
Two modes: tunnel mode and transport mode
Important protocols such as AH/ESP/ISAKMP/IKE
AH (Authentication Header)
Provides integrity and authentication, but no confidentiality
ESP (Encapsulating Security Payload)
Provide confidentiality and integrity
SA (security association)
One-way; stores the VPN parameters (algorithms, keys) for one direction of traffic, so a bidirectional connection needs two SAs
IKE (Internet Key Exchange)
Key exchange protocol
ISAKMP
Framework for negotiating security associations and key exchange
SSL/TLS
Provides security to applications
Works at the transport layer (above TCP)
Formerly SSL; TLS 1.0 is the successor to SSL 3.0 (sometimes called SSL 3.1)
Easy to implement and maintain. IPsec VPN is implemented at the network layer and is relatively complex; TLS VPN is implemented at the transport layer and is simpler and more flexible. IPsec VPN generally has higher transmission efficiency than TLS VPN
MPLS
(Multiprotocol Label Switching) MPLS connects an enterprise's offices and equipment at different locations through a reliable and efficient virtual private network, carrying data, voice, video and other important applications, with quality of service (QoS) guarantees
MPLS VPN relies on forwarding tables and packet labels to keep customers' traffic separate; it does not rely on encapsulation with encryption, so confidentiality on an MPLS VPN requires an additional mechanism such as IPsec
VPNs use tunneling protocols (with encryption) to protect the confidentiality and integrity of data in transit
WAN
switching technology
circuit switched connection (circuit switching)
Based on the traditional telephone network: a dedicated physical path is set up for the duration of the call
An everyday telephone call is an example of circuit switching
Typically uses dial-up modems and ISDN; suitable for low-bandwidth and backup applications, with low resource efficiency
Program-controlled switch
Packet switched connection (packet switching)
Store and forward mode
Shared by multiple systems; data is sent in packets, the switching equipment routes each packet and the packets are reassembled at the destination; efficient use of the link
Traditional packet switching: Frame Relay, X.25, the Internet
cell switched connection (cell switching)
Asynchronous Transfer Mode (ATM)
Well suited to carrying voice and video
Data is carried in fixed-size 53-byte cells
dedicated link
T-carriers are dedicated lines that carry voice and data information
T1 line up to 1.544Mbps
T3 lines up to 45 Mbps
Time Division Multiplexing (TDM)
T1 and T3 are gradually being replaced by fiber optics
CSU/DSU
Channel Service Unit/Data Service Unit
Digital signal conversion between LAN and WAN
The DSU converts the digital signals from routers, bridges, etc. into a form that can be transmitted over the telephone company's digital lines
The CSU connects the network directly to the telephone company's line
WAN virtual circuit (Virtual circuit)
Frame Relay and X.25 forward frames over virtual circuits
Permanent virtual circuit (PVC): works like a dedicated line, with the available bandwidth agreed with the customer in advance; a permanent connection over which user data is transmitted continuously
Switched virtual circuit (SVC): requires call setup, like dialing; three phases: circuit establishment, data transfer and circuit termination
frame relay
WAN protocol operating at the data link layer
Frame Relay connects two main types of devices:
Data terminal equipment, DTE
Typically customer-owned equipment, such as the routers and switches that connect the customer's network to the Frame Relay network
Data circuit-terminating equipment, DCE
Service provider or telecommunications carrier equipment that performs the actual transmission and switching inside the Frame Relay cloud
X.25
Defines how devices and networks establish and maintain connections over a packet-switched network
Switched Multimegabit Data Service, SMDS
A high-speed packet-switching technology
Connectionless protocol
Synchronous data link control, SDLC
Based on dedicated leased connections and permanent physical links
Suited to mainframe remote communication; uses polling for media access
High-level Data Link Control, HDLC
Bit-oriented link-layer protocol
For transmission over synchronous lines
High speed serial interface, HSSI
Interface used by multiplexers and routers to connect to high-speed communication services (ATM and Frame Relay)
Works at the physical layer
Multi-service access technology
The telephone system is a circuit-switched, voice-centric network: the Public Switched Telephone Network (PSTN)
Signaling System 7 (SS7) controls call setup, control instructions and call teardown
Session Initiation Protocol, SIP: establishes and tears down call sessions; can run over TCP or UDP
VoIP: voice does not travel over the telecom operator's traditional voice network; instead it is converted into IP packets and carried over an IP network
H.323 gateway
ITU-T recommendation covering a large number of multimedia communication services
H.323 is designed to handle video, audio and data packet transmission
SIP gateway
VoIP security issues and countermeasures
Legal Compliance
Guarantee of business continuity
IP phone
WAN multiplexing technology
Time division multiplexing (TDM) and statistical TDM (STDM)
Frequency division multiplexing, FDM
Wavelength division multiplexing, WDM
Dense wavelength division multiplexing, DWDM
wireless technology
WAP
Wireless Application Protocol
Based on WML (Wireless Markup Language), which is based on XML
WAP has its own session and transport protocols and its own transport-layer security protocol, Wireless Transport Layer Security (WTLS)
WTLS class 1, anonymous authentication: the wireless device and server do not authenticate each other
WTLS class 2, server authentication: the wireless device authenticates the server
WTLS class 3, two-way client and server authentication: the wireless device and server authenticate each other
802.11
802.11a
Up to 54 Mbps
5 GHz band
802.11b
Up to 11 Mbps
2.4 GHz band
802.11n
Higher throughput using MIMO, in the 2.4 GHz and 5 GHz bands (QoS is defined separately by 802.11e)
802.11g
Up to 54 Mbps
2.4 GHz band
802.11i
Incorporates the Extensible Authentication Protocol (EAP) for authentication
Incorporates a message integrity code (MIC)
Temporal Key Integrity Protocol, TKIP (WPA)
Each data frame uses a different IV value (per-packet key mixing)
Uses AES (Advanced Encryption Standard) in CCMP mode (WPA2)
The Wi-Fi Alliance calls the pre-shared-key version WPA-Personal or WPA2-Personal; the version using 802.1X authentication is called WPA-Enterprise or WPA2-Enterprise
802.1X: IEEE 802.1X is an IEEE standard for port-based network access control; it authenticates users/devices before they are admitted to the network (LAN or WLAN) and operates at the MAC layer
Provides a common authentication architecture and a method for dynamically distributing encryption keys
Composed of three parts: the supplicant (the client device, e.g. a laptop, that wants to join the LAN/WLAN), the authenticator (a network device such as an Ethernet switch or wireless access point) and the authentication server (typically a host running software that supports RADIUS and EAP)
Uses EAP for authentication
Bluetooth
Bluejacking
Sending unsolicited messages to a Bluetooth device
Bluesnarfing: unauthorized access to data on a Bluetooth device
spread spectrum technology
Frequency Hopping Spread Spectrum, FHSS
A hopping sequence determines which frequencies are used and in what order
Direct sequence spread spectrum, DSSS
Orthogonal frequency division multiplexing, OFDM
Wireless Local Area Network (WLAN) security / the two wireless authentication methods
Open System Authentication (OSA)
Only the correct SSID is required
Shared Key Authentication (SKA)
Requires the wireless device to prove possession of the shared key
WEP (Wired Equivalent Privacy)
Uses RC4 encryption with a static shared key (insecure)
24-bit initialization vector (IV): IVs repeat quickly on a busy network, so the key is easily broken
WPA
TKIP (Temporal Key Integrity Protocol handles the encryption part of wireless security, addressing the weaknesses found in WEP-protected networks)
48-bit IV with per-packet key mixing from a 128-bit key; safer than WEP
WPA2 (Wi-Fi Protected Access 2)
CCMP (AES) replaces TKIP
Most secure of the three
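An added example of why the WEP IV size above matters (not from the original mind map): with RC4 the per-packet key is IV || shared key, so two frames sent under the same IV are encrypted with the same keystream, and XORing the two ciphertexts yields the XOR of the plaintexts without any knowledge of the key. The block also computes the birthday-bound probability of an IV repeat among n frames and simulates how many random IVs it takes to hit one. The RC4 implementation, the 40-bit key and the sample frames are constructed for the example; real WEP appends a CRC-32 ICV to the payload before encryption, which is omitted here.

```python
import math
import random


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XOR with data
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) over the payload."""
    assert len(iv) == 3
    return iv + rc4(iv + shared_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames with the same IV share a keystream: C1 xor C2 == P1 xor P2."""
    assert frame1[:3] == frame2[:3], "only meaningful when the IV repeats"
    return xor_bytes(frame1[3:], frame2[3:])


def iv_reuse_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least two of `frames` random IVs collide."""
    space = 2 ** iv_bits
    log_no_collision = sum(math.log1p(-i / space) for i in range(frames))
    return 1.0 - math.exp(log_no_collision)


def frames_until_iv_reuse(seed: int = 1, iv_bits: int = 24) -> int:
    """Simulate a card picking random IVs; return the frame count at the first repeat."""
    rng = random.Random(seed)
    seen = set()
    while True:
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)


if __name__ == "__main__":
    iv, key = b"\x01\x02\x03", b"\x41\x42\x43\x44\x45"       # constructed IV and 40-bit key
    p1, p2 = b"attack at dawn!", b"secret payload!"
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    print("C1 xor C2 == P1 xor P2:", keystream_reuse_leak(c1, c2) == xor_bytes(p1, p2))
    print("P(IV reuse) after 5000 frames: %.3f" % iv_reuse_probability(5000))
    print("frames until first IV reuse (seed 1):", frames_until_iv_reuse())
```

With 2^24 possible IVs, roughly 5,000 frames are enough for a 50% chance of a repeat when IVs are chosen at random, and cards that simply count up from zero repeat deterministically after a reboot; once P1 xor P2 is known, any guessable part of one frame (protocol headers) reveals the same bytes of the other. TKIP's 48-bit IV and per-packet key mixing, and CCMP's use of AES, remove this class of weakness.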
wireless attack
War walking / war driving / war chalking
AP (Access Point)
Physical anti-theft measures, antenna power control, rogue AP detection (a rogue AP is a wireless router or AP attached to the corporate network without the company's permission)
Wireless Communication Technology
Satellite Communications
One-way networks, e.g. digital television
Two-way satellite Internet connections
Mobile Communication Technology
1G
900MHz
Analog FDMA
Basic telephone service
2G
1800MHz
TDMA
Caller ID and voicemail
circuit switching
text only
3G
2GHz
CDMA
2 Mbps (3.5G: 10 Mbps)
Conference calls and low-quality video
Graphics and formatted text
packet switching
4G
40GHz and 60Ghz
OFDM
Telepresence and HD video
Complete Unified Messaging
Local IPv6
100Mbps
SIM card: Subscriber Identity Module (3G/4G use the USIM, universal SIM)
Network interconnection services and protocols
Domain name service, DNS
threaten
DNS cache poisoning
DNS cache poisoning mainly targets recursive resolvers, i.e. DNS servers that also cache resolution results for non-local domains
DNS security
DNSSEC strengthens DNS by adding origin authentication of responses
A key purpose of DNSSEC is to ensure integrity by digitally signing DNS data
Industrial control system SCADA
Supervisory control and data acquisition
Modbus, Fieldbus protocols
facing threats
mobile phone security
Phones have cameras and store sensitive information
Authentication: there may be fake base stations
Mobile phone cloning
WLAN war driving attack
Used to find APs and crack their passwords
Spyware and adware
Instant messaging (the biggest risk is information leakage)
Impersonation, authentication attacks and others
Denial of service attack (DoS)
Attacks using TCP
SYN flood
Attack principle
Exploits the TCP three-way handshake: the attacker sends many SYNs and never completes the handshake, filling the victim's half-open connection table
Attacks using ICMP
Ping of death
Sends a malformed ICMP packet whose reassembled size exceeds the 65,535-byte IP maximum
Smurf
Floods the victim with ICMP echo replies: the attacker sends ICMP echo requests (pings) to the broadcast address of an amplifier network with the source address spoofed to the victim, so every host on that network replies to the victim and congests it
Attacks using UDP
Fraggle
Same technique as Smurf with UDP echo packets (port 7) sent to a broadcast address
Teardrop
Overlapping IP fragment offsets crash the victim during packet reassembly
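The DoS patterns above, as an added detection example (not from the original mind map): a small analyzer runs over constructed packet records and flags a SYN flood (many half-open connections to one host), Smurf and Fraggle (ICMP echo or UDP echo sent to a directed broadcast address), ping of death (fragments that reassemble past 65,535 bytes) and teardrop (overlapping fragment offsets). The local broadcast network, the threshold and the packet records are assumptions for the example; real detection would read them from a capture or flow export.

```python
import ipaddress
from collections import defaultdict

LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # assumed local broadcast domains


def is_broadcast(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return str(addr) == "255.255.255.255" or any(addr == n.broadcast_address for n in LOCAL_NETS)


def detect_dos(packets, half_open_threshold=50):
    """Return a list of (kind, ...) findings for the recognised DoS patterns."""
    findings = []
    half_open = defaultdict(set)       # dst -> {(src, sport)} that sent SYN but no ACK
    fragments = defaultdict(list)      # (src, dst, ip_id) -> [(offset, length)]
    for p in packets:
        if p["proto"] == "tcp":
            client = (p["src"], p["sport"])
            if p["flags"] == {"SYN"}:
                half_open[p["dst"]].add(client)
            elif "ACK" in p["flags"]:
                half_open[p["dst"]].discard(client)   # handshake completed (or data flowing)
        elif p["proto"] == "icmp" and p.get("type") == "echo-request" and is_broadcast(p["dst"]):
            findings.append(("smurf", p["src"], p["dst"]))
        elif p["proto"] == "udp" and p.get("dport") == 7 and is_broadcast(p["dst"]):
            findings.append(("fraggle", p["src"], p["dst"]))
        if "frag" in p:
            fragments[(p["src"], p["dst"], p["ip_id"])].append(p["frag"])
    for dst, clients in half_open.items():
        if len(clients) >= half_open_threshold:
            findings.append(("syn_flood", dst, len(clients)))
    for (src, dst, _), pieces in fragments.items():
        pieces.sort()
        if max(off + ln for off, ln in pieces) > 65535:
            findings.append(("ping_of_death", src, dst))
        for (o1, l1), (o2, _) in zip(pieces, pieces[1:]):
            if o2 < o1 + l1:                           # next fragment starts inside the previous one
                findings.append(("teardrop", src, dst))
                break
    return findings


def build_sample():
    """Constructed packet records (not a capture) exercising every pattern once."""
    pkts = []
    # Legitimate handshake: SYN followed by ACK from the same client, so not half-open.
    pkts.append({"proto": "tcp", "src": "10.0.0.9", "sport": 5000, "dst": "10.0.0.5", "dport": 80, "flags": {"SYN"}})
    pkts.append({"proto": "tcp", "src": "10.0.0.9", "sport": 5000, "dst": "10.0.0.5", "dport": 80, "flags": {"ACK"}})
    # SYN flood: 60 SYNs from spoofed sources that never complete the handshake.
    for i in range(60):
        pkts.append({"proto": "tcp", "src": "203.0.113.%d" % (i + 1), "sport": 1024 + i,
                     "dst": "10.0.0.5", "dport": 80, "flags": {"SYN"}})
    # Smurf: ICMP echo request to the directed broadcast address, source spoofed as the victim.
    pkts.append({"proto": "icmp", "type": "echo-request", "src": "10.0.0.5", "dst": "192.168.1.255"})
    # Fraggle: the same idea with UDP echo (port 7).
    pkts.append({"proto": "udp", "src": "10.0.0.5", "dst": "192.168.1.255", "dport": 7})
    # Ping of death: two fragments that would reassemble to more than 65,535 bytes.
    pkts.append({"proto": "icmp", "type": "echo-request", "src": "198.51.100.7", "dst": "10.0.0.5", "ip_id": 1, "frag": (0, 1480)})
    pkts.append({"proto": "icmp", "type": "echo-request", "src": "198.51.100.7", "dst": "10.0.0.5", "ip_id": 1, "frag": (65000, 1000)})
    # Teardrop: the second fragment's offset falls inside the first fragment.
    pkts.append({"proto": "udp", "src": "198.51.100.7", "dst": "10.0.0.5", "dport": 53, "ip_id": 2, "frag": (0, 36)})
    pkts.append({"proto": "udp", "src": "198.51.100.7", "dst": "10.0.0.5", "dport": 53, "ip_id": 2, "frag": (24, 36)})
    return pkts


if __name__ == "__main__":
    for finding in detect_dos(build_sample()):
        print(finding)
```

The half-open count is the only stateful check here; on a real sensor it would be kept per time window, because a slow trickle of SYNs from clients that simply went away also leaves half-open entries behind.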
Distributed denial of service, DDoS
Reflector and amplifier attacks
Traffic diversion, scrubbing and re-injection
Handling DDoS attacks: blackhole routing (the traffic is discarded) or sinkhole routing (the traffic is drawn to a point for further analysis)