CISSP: Domain 4, Module 1
This course is the first module of Domain 4 of the CISSP, covering communication and network security.
The objectives of this course are to provide you with and understanding of:
- How to apply secure design principles and network architecture
- IP Version 6
- Network ports and protocols
- Network design patterns
- Network scaling
- Network segmentation
This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.
Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
Welcome once again to the Cloud Academy presentation of the CISSP Exam Preparation Review Seminar. In this session, we're going to begin our discussion of CISSP DOMAIN4 titled Communication and Network Security.
So, in this particular domain we're going to look at structures, transmission methods, transport formats, and, of course, security measures used to provide the confidentiality, integrity, and availability for transmission, regardless of the kind of network that it may be, whether it's private or public. We want to be sure that a lot of what we talk about will focus on the risks and quantification and again, qualification, so that we're always focused on risks that are real and relevant, that have a measurable and significant impact on our operations.
So, our Domain Agenda. We're going to look at applying secure design principles to the architecture, securing the network components, designing and establishing secure communication channels, and then we're going to close out this particular domain by discussing how to prevent or mitigate network attacks. So, off to section one, we're going to apply secure design principles to the network architecture. So as we've discussed in previous modules, we want to institute a program in which we are layering our defenses. This is typically called Defense in Depth. We're gonna start by examining the OSI reference model and then we're going to compare it to what is commonly called, but it really is apocryphal, the Department of Defense model, or what we commonly know as TCP/IP.
So here we have a rather busy diagram, showing on the left the seven layers of the OSI model from final to initial, with application at the top and physical down at the bottom. And then across in the center of the diagram we have the different things that go on at each one of these layers. And there we have in the middle where packet filtration takes place across layers three and four, Network and Transport layers. Then as we near to the right, various kinds of devices and protocols that appeared at each given layer.
SMTP is an example there at the top, below which we have various kinds of encoding formats, below which we have ports and session protocols. Then, of course, we have TCP, SPX (if you're a NetWare fan), and UDP, Routers with IP, IPX (again for the NetWare fans), and ICMP. And then we have our layers two and one where we do switching, bridging, and our hubs.
Then we have a gateway which covers all seven layers, followed by the DOD version four model there on the far right, with Process at the top, below which is Host to Host, followed by Internet, and then the combination of OSI layers one and two, and the DOD Model Network.
So we're going to break each layer down a bit and talk about the kinds of things that go on there; sort of what can we expect to appear. Here at layer one going from bottom to top, we have the physical layer. In the pictures, you see a tower, Radio Frequency. You have an RJ-45 cable for copper wire, and then below that you have the orange fiber optic.
So we have the physical instrumentalities that make for the various types of connections, and then we have devices such as modems, such as repeaters, concentrators, and other kinds of non-intelligent devices that simply supply connections to get data, or, in this case, radio frequency, light, or electricity, through the RJ-45 from point A to point Z. And then we have the various protocols that work at this layer.
Moving up one, we're taking it from the raw media that it is, and fiber optic, copper, or radiofrequency, and we're transforming it from the electricity, light or radio waves into an actual container that contains information. So at the data link layer, layer two, we have the various things that prepare the packet to be broken down into frames so that it can be connected with the MAC address, which is assigned to every network access card. And on the right-hand side of this slide you see a list of the various protocols that work at this layer: 802.11 for Wi-Fi, 802.16 for WiMAX, just to pick a few, L2F for Layer Forwarding, Layer two Forwarding, and then a Tunneling Protocol that combines PPTP and Layer two Forwarding, L2TP, and a host of others.
Moving up yet another layer we have the Network Layer, layer three of OSI. Now the data-link layer relies on a hardware connection between the communicating medium - the wire, the fiber optic or radio frequency - to the actual physical device. Here we're going to create a packet, we're going to take those frames and reassemble them into a packet form. We have IPX, we have Network Address Translation, we have AppleTalk, and a host of other things. Of course, we have our much-beloved IP Internet Protocol, ICMP, and then ARP.
All of these take place at layer three. Now, the thing about layer three is it is about routing, but it's about establishing the best routes to take, it's not about delivery. The next layer up, layer four, is where we will worry about delivery. So at layer three we have IP, a connectionless protocol that does not guarantee error-free delivery. It has three primary functions, as I was just saying: route determination, addressing, and, where necessary, packet fragmentation.
Now, the protocols that we have at layer three include OSPF and a pair of versions, we have IGMP, we have IP version four and version six, we have DVMRP for Distance Vector Multicast Routing, and then IPsec, Internet Security Protocol.
And here's where we start to worry about delivery. Layer four, the transport layer, creates an end-to-end transport of this information in this packetized form between the hosts, and as you see there we have the well-known three-way handshake. It sets up this three-way handshake beginning with a SYN to synchronize. The receiving system responds with an acknowledgement, "Yes, I've got your SYN," and supplies its own SYN. SYN to synchronize because now both sessions, both stations, have said they want to synchronize, and thus set up, a session between them. And then the closure and the completion of the setup is done by the last ACK there at the bottom.
So the primary protocols we have at layer four are TCP, Transmission Control, and this provides a connection-oriented session with management capabilities and reliable data transfer. A companion is UDP, the User Datagram Protocol, which doesn't have any of them. UDP does not ensure the transmissions are received without errors or indeed at all, and therefore is classified as a connection and unreliable protocol. There's no flow control with UDP, but as you'll see, the kinds of things that UDP is used for are generally not the kind that depend greatly on those kinds of things, whereas TCP does.
So, some examples of other protocols. we have Authentication Layer, associated with IPSec, we have Encapsulating Security Payload, also associated with IPSec, the Fiber Channel Protocol, NetBIOS for file sharing and name resolution, ISCSI, and a host of others, including one again for NetWare fans, SPX.
Above layer four we now start thinking about how this information is going to be formatted so that it can be interpreted and properly displayed when we get to the final layer. Establishing a session means that there is a persistent connection between the hosts, and protocols here are responsible for creating, maintaining, tearing down, and then, when called upon, setting the session back up. So, protocols that exist here: PAP, the Password Authentication Protocol, the VPN Protocol, PPTP and its colleagues, other VPN protocols, and then RPC for Remote Procedure Protocol.
On top of player five is layer six, the Presentation Layer. Now, here is where we start doing encoding, the data that's been passed up through the five layers that precede this are going to hand us something, and the encoding that has come to this layer is going to be interpreted so that the information that it carries is going to be translated so that it ends up in the protocol that the program that will provide the use of the data will be able to interpret it and properly display it.
So we have ASCII, in the case of most terminals. We have EBCDIC, which comes from the IBM World, Extended Binary Coded Decimal Interchange Code. We have JPEG, MPEG, AVI, MP4. We have other audio formats WMA, MP2 and 3. We have the various document formats such as PPTP, DOC, XLS, PDF, TXT, and then other graphical formats such as 3PG, GFX, and VSD. Now, as the packets carrying these protocols move higher up, this is going to change from the jumble that it would appear to be here, into the displayable characters at layer seven.
Here, this is the application's portal to the stack. When the application or the operating system transmits or receives data over a network, it uses all the underlying services from layers one through six to get it to this point. And here, the application layer contains the program interfaces or, as we know them, the APIs.
Now, layer seven is not your desktop. Layer seven rests right on top of your computer screen with a GUI that layers over it, sort of like the frosting on a cake. And the GUI provides a configured, graphical user interface to facilitate an ease of use. So seven is not your desktop, it's just beneath the GUI that is your desktop. The layer seven protocols that pass the traffic up through that GUI include these so that we are able to interact with the underlying data and the underlying programs. We have DHCP for establishing addressing on our systems, we have domain name systems to resolve addresses, HTTP for browsers, LDAP for directory services, SMTP to service our mail, and Routing Information Protocol, and these handle all the traffic just beneath the GUI.
Now the networks, as we use them today, have a different kind of addressing scheme than what you might start being accustomed to with IP version six. In these we have A, B, C, D, and then the reserved E ranges. A is one through 126, B 128 to 191, C 192 to 223, D 224 to 239, and E the 240 to 255 range. And looking at the Class ABC, we see there the number of hosts that are possible in each one of these ranges. Now, doing the math, this number ends up being something in the neighborhood of 4.3 billion directly addressable devices on a single IP network.
Now, this was a limit of IP version four given the 32-bit addressing scheme, the dotted-decimal format there we're used to. But that served to be a very strong incentive to get something better actually designed. History seems to record that IP version four was more of a congealed standard than it was an actually well-designed standard, but it certainly seems to have served its purpose, being somewhat fussy, but very easy to fix, and very resilient after all is said and done. But we needed something better so we have IP version six.
Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.
Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. leo is an ISC2 Certified Instructor.