OSI Model and TCP/IP
OSI, Open Systems Interconnection
The OSI model is a conceptual model that defines, in layers, how computing systems communicate, without regard to the underlying structure and technology.
TCP/IP: Transmission Control Protocol, Internet Protocol, Layers
- 7- Application Layer
- 6- Presentation Layer
- 5- Session Layer
- 4- Transport Layer, data is in the form of segments or datagrams
- 3- Network Layer, data is in the form of packets
- 2- Data Link Layer, data is in the form of Frames
- 1- Physical Layer, data is binary
Wireshark is a TCP/IP protocol analyzer.
Network Components
Devices and protocols in the OSI model.
Layer 1: Physical Layer
Network Interface Card, NIC
Cables and connectors
Hub: a hub works as a repeater; it repeats every frame out of all its ports.
Layer 2: Data Link Layer
Switch, Bridge
MAC address
Layer 3: Network Layer
IPv4, IPv6 Address
Router: a router works at layer 3.
IP Addressing
What is an IP address? A unique address, written as numbers separated by full stops, assigned to a computer.
An IPv4 address has 4 octets.
Decimal-to-binary and binary-to-decimal conversion of an IP address.
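The octet conversion described above, worked through in code. This is an added example, not part of the original notes; the host address and mask it uses are constructed, and the network-address helper goes one step beyond the notes by ANDing the address with a subnet mask octet by octet.

```python
# Added example (not from the original notes): converting an IPv4 address
# between dotted-decimal and binary, and deriving the network address from
# a subnet mask. The addresses used below are constructed samples.

def ipv4_to_binary(address: str) -> str:
    """'192.168.1.10' -> '11000000.10101000.00000001.00001010' (one 8-bit group per octet)."""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets, got {len(octets)}: {address!r}")
    groups = []
    for octet in octets:
        value = int(octet)            # raises ValueError on non-numeric text
        if not 0 <= value <= 255:     # each octet is exactly one byte
            raise ValueError(f"octet out of range: {octet}")
        groups.append(format(value, "08b"))
    return ".".join(groups)


def binary_to_ipv4(binary: str) -> str:
    """Inverse of ipv4_to_binary: four 8-bit groups back to dotted-decimal."""
    groups = binary.split(".")
    if len(groups) != 4 or any(len(g) != 8 or set(g) - {"0", "1"} for g in groups):
        raise ValueError(f"expected four 8-bit binary groups: {binary!r}")
    return ".".join(str(int(g, 2)) for g in groups)


def network_address(address: str, mask: str) -> str:
    """Bitwise-AND the address with the mask, octet by octet, to get the network address."""
    addr_octets = [int(o) for o in address.split(".")]
    mask_octets = [int(o) for o in mask.split(".")]
    if len(addr_octets) != 4 or len(mask_octets) != 4:
        raise ValueError("address and mask must both have 4 octets")
    return ".".join(str(a & m) for a, m in zip(addr_octets, mask_octets))


if __name__ == "__main__":
    host = "192.168.1.10"        # constructed sample host address
    mask = "255.255.255.0"       # constructed sample /24 mask
    print(ipv4_to_binary(host))
    print(binary_to_ipv4(ipv4_to_binary(host)))
    print(network_address(host, mask))
```

The range check matters more than it looks: an octet above 255 cannot be encoded in 8 bits, so the function refuses it rather than silently producing a 9-bit group.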
Routing and Switching
What is routing?
A routing protocol specifies how routers communicate with each other, distributing information that enables them to select routes between any two nodes on a computer network. Routing algorithms determine the specific choice of route. Each router initially knows only the networks directly attached to it.
Static vs Dynamic Routing
Static routing is when you statically configure a router to send traffic for particular destinations in preconfigured directions. Dynamic routing is when you use a routing protocol such as OSPF, ISIS, EIGRP, and/or BGP to figure out what paths traffic should take.
Routing Tables
A routing table is a set of rules, often viewed in table format, that is used to determine where data packets traveling over an Internet Protocol (IP) network will be directed. All IP-enabled devices, including routers and switches, use routing tables.
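A worked lookup against such a table. This is an added example, not from the original notes: the routes, next hops and interface names are constructed, and the lookup applies the longest-prefix-match rule routers use, with the default route matching only when nothing more specific does.

```python
# Added example (not from the original notes): a minimal IPv4 routing table
# and a longest-prefix-match lookup. Routes and destinations are constructed.
import ipaddress

# Each entry: (destination network, next hop, outgoing interface).
# A next hop of None means the network is directly connected.
ROUTING_TABLE = [
    ("0.0.0.0/0",   "203.0.113.1", "eth0"),   # default route
    ("10.0.0.0/8",  "10.1.1.1",    "eth1"),
    ("10.1.0.0/16", "10.1.1.1",    "eth1"),
    ("10.1.5.0/24", None,          "eth2"),   # directly connected
]


def lookup(routing_table, destination):
    """Return (network, next_hop, interface) for the longest matching prefix,
    or None when no route matches (only possible without a default route)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for network, next_hop, iface in routing_table:
        net = ipaddress.ip_network(network, strict=False)
        # A more specific (longer) prefix always wins over a shorter one.
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


if __name__ == "__main__":
    for target in ("10.1.5.20", "10.1.9.3", "10.200.1.1", "8.8.8.8"):
        print(target, "->", lookup(ROUTING_TABLE, target))
```

Removing the default route from the table turns an Internet destination into a lookup miss, which is exactly the case where a real router returns ICMP "destination unreachable".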
IGP vs EGP
Interior Gateway Protocol (IGP) is a Routing Protocol which is used to find network path information within an Autonomous System. Exterior Gateway Protocol (EGP) is a Routing Protocol which is used to find network path information between different Autonomous Systems.
What is switching at Layer 2?
A switch learns and memorizes MAC addresses.
Collision and broadcast domains (CSMA, CSMA/CD, CSMA/CA)
CSMA
Carrier-sense multiple access (CSMA) is a media access control (MAC) protocol in which a node verifies the absence of other traffic before transmitting on a shared transmission medium, such as an electrical bus or a band of the electromagnetic spectrum.
CSMA/CD
Carrier-sense multiple access with collision detection (CSMA/CD) is a media access control method used most notably in early Ethernet technology for local area networking. It uses carrier-sensing to defer transmissions until no other stations are transmitting. This is used in combination with collision detection in which a transmitting station detects collisions by sensing transmissions from other stations while it is transmitting a frame. When this collision condition is detected, the station stops transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying to resend the frame.
CSMA/CD is a modification of pure carrier-sense multiple access (CSMA). CSMA/CD is used to improve CSMA performance by terminating transmission as soon as a collision is detected, thus shortening the time required before a retry can be attempted.
CSMA/CA
Carrier-sense multiple access with collision avoidance (CSMA/CA), in computer networking, is a network multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by transmitting only when the channel is sensed to be "idle".
Broadcast Domain
A broadcast domain is a logical division of a computer network, in which all nodes can reach each other by broadcast at the data link layer. A broadcast domain can be within the same LAN segment or it can be bridged to other LAN segments.
Collision Domain
A collision domain is all nodes on the same set of interconnected repeaters, divided by switches and learning bridges. Collision domains are generally smaller than, and contained within, broadcast domains.
Spanning Tree Protocol
The Spanning Tree Protocol (STP) is a network protocol that builds a loop-free logical topology for Ethernet networks. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them.
What is VLAN?
A VLAN (virtual LAN) abstracts the idea of the local area network (LAN) by providing data link connectivity for a subnet. One or more network switches may support multiple, independent VLANs, creating Layer 2 (data link) implementations of subnets. A VLAN is associated with a broadcast domain. It is usually composed of one or more Ethernet switches.
What is VLAN Trunking Protocol?
The VLAN trunking protocol (VTP) is the protocol that switches use to communicate among themselves about VLAN configuration.
In the image above, each switch has two VLANs. On the first switch, VLAN A and VLAN B are sent through a single port (trunked) to the router and through another port to the second switch. VLAN C and VLAN D are trunked from the second switch to the first switch, and through the first switch to the router. This trunk can carry traffic from all four VLANs. The trunk link from the first switch to the router can also carry all four VLANs. In fact, this one connection to the router allows the router to appear on all four VLANs, as if it had four different physical ports connected to the switch.
802.1q, analysis with Wireshark.
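What Wireshark decodes as the 802.1Q header, parsed by hand. This is an added example, not from the original notes: the frame bytes are constructed (not a real capture), and the parser pulls out the three fields of the tag (priority code point, drop eligible indicator and VLAN ID) that follow the 0x8100 tag protocol identifier.

```python
# Added example (not from the original notes): parsing the 802.1Q tag out of
# an Ethernet frame header. The frames below are constructed, not captured.
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_ethernet(frame: bytes) -> dict:
    """Parse dst/src MAC, an optional 802.1Q tag, the EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    result = {"dst": dst.hex(":"), "src": src.hex(":"),
              "vlan": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Tag Control Information (16 bits) is followed by the real EtherType.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        result["pcp"] = tci >> 13          # 3-bit priority code point
        result["dei"] = (tci >> 12) & 1    # drop eligible indicator
        result["vlan"] = tci & 0x0FFF      # 12-bit VLAN ID (1-4094 usable)
        offset = 18
    result["ethertype"] = ethertype
    result["payload"] = frame[offset:]
    return result


# Constructed sample: tagged frame with PCP 5, DEI 0, VLAN 100, carrying IPv4 (0x0800).
TAGGED_FRAME = (
    bytes.fromhex("ffffffffffff")                      # destination: broadcast
    + bytes.fromhex("0200000000aa")                    # source: locally administered, made up
    + struct.pack("!H", TPID_8021Q)
    + struct.pack("!H", (5 << 13) | (0 << 12) | 100)   # TCI
    + struct.pack("!H", 0x0800)                        # EtherType: IPv4
    + b"\x45\x00"                                      # first bytes of a constructed IPv4 header
)
# Constructed sample: untagged ARP frame (EtherType 0x0806).
UNTAGGED_FRAME = bytes.fromhex("ffffffffffff0200000000aa0806") + b"\x00\x01"

if __name__ == "__main__":
    print(parse_ethernet(TAGGED_FRAME))
    print(parse_ethernet(UNTAGGED_FRAME))
```

An untagged frame has the real EtherType in bytes 12-13, so the tag is only present when that field equals 0x8100; a parser that assumes a tag is always there mis-reads every access-port frame by four bytes.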
Link state vs Distance Vector VS Hybrid protocols
Routers contain a routing table and other information which allow them to identify the best path for transporting a packet to its destination.
Distance vector routing uses the RIP (Routing Information Protocol) or RIPv2 routing protocol. Both of these protocols use the hop count as their routing metric. RIP allows a maximum of 15 hops from a source to a destination; this prevents routing loops. Distance vector routers exchange routing table information with other routers on a regular schedule.
Since link state routing needs to exchange routing table information only when there is a change in the network, it requires less transmission overhead to achieve convergence. However, it requires more processing and more powerful routers.
Hybrid routing has the advantages of both distance vector and link state protocols. It uses a distance vector protocol to reduce the processing power requirement, but exchanges routing table information only when its tables change, to reduce transmission overhead.
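The distance vector exchange and the 15-hop limit, simulated. This is an added example and not from the original notes: the topology is constructed, routers start knowing only themselves and their directly attached neighbours, and every round each router hands its whole table to its neighbours, which is the behaviour the notes describe for RIP.

```python
# Added example (not from the original notes): a toy distance-vector exchange
# with a hop-count metric. RIP treats 16 hops as "unreachable", so anything
# more than 15 hops away never enters a table. The topologies are constructed.
INFINITY = 16   # RIP: 16 hops = unreachable


def chain(n):
    """Constructed topology: n routers in a straight line, R0 - R1 - ... - R(n-1)."""
    return {f"R{i}": [f"R{j}" for j in (i - 1, i + 1) if 0 <= j < n]
            for i in range(n)}


def distance_vector(topology):
    """topology: {router: [neighbours]}. Returns ({router: {dest: hops}}, rounds)
    after routers repeatedly exchange full tables until nothing changes."""
    # Each router starts knowing only itself (0 hops) and its neighbours (1 hop).
    tables = {r: {r: 0} for r in topology}
    for r, neighbours in topology.items():
        for n in neighbours:
            tables[r][n] = 1
    rounds = 0
    changed = True
    while changed:
        changed = False
        rounds += 1
        for r, neighbours in topology.items():
            for n in neighbours:
                # Bellman-Ford relaxation: a route via neighbour n costs n's cost + 1.
                for dest, hop_count in list(tables[n].items()):
                    candidate = min(hop_count + 1, INFINITY)
                    if candidate < tables[r].get(dest, INFINITY):
                        tables[r][dest] = candidate
                        changed = True
    return tables, rounds


def hops(tables, src, dst):
    """Hop count from src to dst, or INFINITY if dst is not in src's table."""
    return tables[src].get(dst, INFINITY)


if __name__ == "__main__":
    small = {"A": ["B"], "B": ["A", "C"], "C": ["B", "D"], "D": ["C"]}
    tables, rounds = distance_vector(small)
    print(f"converged in {rounds} rounds; A->D = {hops(tables, 'A', 'D')} hops")
    long_tables, _ = distance_vector(chain(18))
    print("R0->R15:", hops(long_tables, "R0", "R15"), "R0->R16:", hops(long_tables, "R0", "R16"))
```

In the 18-router chain the far end is 17 hops away, so R0 never learns R16 or R17 at all: the metric saturates at 16 and no saturated route beats the "unknown" default, which is the mechanism that bounds count-to-infinity.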
Ports
Analyze protocol traffic with Wireshark.
NTP, HTTPS, SMTP, POP3, Telnet, SSH, FTP, RDP, NTP (UDP), DHCP, DNS, TFTP
Common Protocols
DHCP, RDP, DNS, ARP, IGMP, SIP, RTP, VOIP, SNMP, OSPF, analysis with Wireshark
Layer 4 Protocols:
- TCP
- UDP
- EGP, Exterior Gateway Protocol
- EIGRP, Enhanced Interior Gateway Routing Protocol
- ICMP, Internet Control Message Protocol
- IGMP, Internet Group Management Protocol
- IPsec, Internet Protocol Security
- OSPF, Open Shortest Path First
- RIP, Routing Information Protocol
DNS
Domain Name System; it is called a system because more than one system is involved.
DNS servers, DNS records, dynamic DNS (DDNS).
nslookup, for DNS name resolution.
Wireshark analysis of DNS traffic.
For IPv6 addresses in nslookup, use set type=AAAA.
Using Methodology for Troubleshooting
Bob cannot get to Google; solve the problem with these tools:
ipconfig, ping, nslookup
Virtualization
How is virtualization possible?
What can be virtualized?
Servers, desktops, clients, routers, switches, firewalls, phone systems (PBX)
Virtualization software:
- GNS3
- vSphere
- VMware
- Hyper-V
- VirtualBox
Installing and configuring Routers and Switches
NIC Router-Switch
Routers:
Half Duplex:
Half-duplex data transmission means that data can be transmitted in both directions on a signal carrier, but not at the same time. For example, on a local area network using a technology that has half-duplex transmission, one workstation can send data on the line and then immediately receive data on the line from the same direction in which data was just transmitted.
Full Duplex:
Full-duplex data transmission means that data can be transmitted in both directions on a signal carrier at the same time. For example, on a local area network with a technology that has full-duplex transmission, one workstation can be sending data on the line while another workstation is receiving data. Full-duplex transmission necessarily implies a bidirectional line (one that can move data in both directions).
GNS3 Lab, configure interface with IP address, speed, full duplex
Routing Protocols:
- Routing Information Protocol (RIP)
- Interior Gateway Routing Protocol (IGRP)
- Open Shortest Path First (OSPF)
- Exterior Gateway Protocol (EGP)
- Enhanced Interior Gateway Routing Protocol (EIGRP)
- Border Gateway Protocol (BGP)
NAT/PAT
In a nutshell, Network Address Translation (NAT) provides a one-to-one translation from IP address to IP address.
In a Port Address Translation (PAT) there is a many-to-one relationship. This is commonly used on a firewall when a corporation wants all IP addresses in its internal network to use a single IP address.
SNAT vs DNAT
Network Address Translation (NAT) occurs when one of the IP addresses in an IP packet header is changed. In a SNAT, the destination IP address is maintained and the source IP address is changed. Most commonly, a SNAT allows a host on the “inside” of the NAT, in an RFC 1918 IP address space, to initiate a connection to a host on the “outside” of the NAT. A DNAT, by way of contrast, occurs when the destination address is changed and the source IP address is maintained. A DNAT allows a host on the “outside” to connect to a host on the “inside”. In both cases, the NAT has to maintain a connection table which tells the NAT where to route returning packets. An important difference between a SNAT and a DNAT is that a SNAT allows multiple hosts on the “inside” to get to any host on the “outside”.
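The connection table the paragraph above describes, in miniature. This is an added example, not from the original notes: it models PAT (many-to-one SNAT) with a table keyed on the inside address and port, a reverse table for returning packets, and one static DNAT entry to show the outside-to-inside case. The addresses (RFC 1918 inside, documentation ranges outside) and port numbers are constructed.

```python
# Added example (not from the original notes): a toy PAT/SNAT connection table
# plus a static DNAT (port forward). Addresses and ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortAddressTranslator:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.snat = {}       # (inside_ip, inside_port) -> public_port
        self.reverse = {}    # public_port -> (inside_ip, inside_port)
        self.forwards = {}   # static DNAT: public_port -> (inside_ip, inside_port)

    def add_forward(self, public_port: int, inside_ip: str, inside_port: int):
        """Static DNAT: let outside hosts reach one inside service."""
        self.forwards[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside (SNAT): rewrite the source to the public address and a
        unique public port, recording the mapping so replies can be reversed.
        (Simplification: real NATs key on the full 5-tuple and age entries out.)"""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.snat:
            port = self.next_port
            self.next_port += 1
            self.snat[key] = port
            self.reverse[port] = key
        return Packet(self.public_ip, self.snat[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Outside -> inside: reverse an existing SNAT mapping or apply a static
        forward; anything else has no table entry and is dropped (returns None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.reverse:
            inside_ip, inside_port = self.reverse[pkt.dst_port]
        elif pkt.dst_port in self.forwards:
            inside_ip, inside_port = self.forwards[pkt.dst_port]
        else:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


if __name__ == "__main__":
    nat = PortAddressTranslator("203.0.113.5")
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    print("translated:", out)
    print("reply:", nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.src_port)))
    print("unsolicited:", nat.inbound(Packet("198.51.100.9", 1234, "203.0.113.5", 22)))
```

The dropped unsolicited packet is the side effect that makes PAT look like a firewall: without a table entry there is no inside destination to deliver to, which is why the notes say a SNAT lets inside hosts reach out but a DNAT is needed for the reverse.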
Quality of Service:
Quality of service refers to traffic prioritization and resource reservation control mechanisms rather than the achieved service quality. Quality of service is the ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow.
Wireless Concepts
Install and configure a wireless network.
802.11 group: 802.11a, b, g, n; rate, band, modulation.
Bands/channels 1-12.
WAP, Wireless Access Point
Antenna types: omnidirectional (radiates in all directions), unidirectional (radiates in one direction).
Service Set Identifier (SSID): the name of the AP. BSSID is the MAC address of the AP. ESSID is several APs sharing the same name; the user connects to the AP with the strongest signal.
Never use WEP or WPA for security. Always use WPA2 Personal or Enterprise.
Wireless Configuration
Check with inSSIDer for available channels.
Use the wireless wizard to set up the connection.
Then verify with inSSIDer that there are no overlapping channels.
DHCP
Analysis with Wireshark.
Dynamic Host Configuration Protocol
Static vs Dynamic Addressing
Reservations: a MAC address is mapped to a fixed (static) IP address.
Scopes, ranges of IP addresses
Leases, 24 hours
DHCP Options
IP helper: a single DHCP server with multiple scopes, serving requests relayed from different routers.
Troubleshoot common Wi-Fi problems
SSID mismatch
Encryption Type
Interference
Signal strength
Incorrect Channel
Why is wireless half duplex?
Wireless uses CSMA/CA to detect usage of the frequency and see whether it is safe to transmit data. Many factors can affect and interfere with a wireless signal, which results in lower throughput.
Troubleshoot routers and switches
Switching loop
Bad or improper cables
Port configuration
VLAN assignment
Mismatched MTU
Wrong IP
Duplicate IP address
Plan and implement small network
List of requirements
Cable Length
Device types/ requirements
Environment limitations
Equipment limitations
Compatibility requirements
Copper and fiber media
Copper: UTP/STP, Cat X
Fiber: single mode/multimode
Multimode cable is made of glass fibers, with a common diameter in the 50-to-100 micron range for the light-carrying core (the most common size is 62.5 microns).
Single-mode fiber has a small light-carrying core of 8 to 10 microns in diameter. It is normally used for long-distance transmission with laser-diode-based fiber optic transmission equipment.
Connectors
Fiber:
ST, SC, LC, MTRJ
Copper:
RJ-45, RJ-11, BNC, F-connector, DB-9 (RS-232, printer)
Patch Panels:
110 block.
Compare 802.11 Standards
802.11 a,b,g,n standards
MIMO (multiple input, multiple output): more than one antenna.
What is signal attenuation?
Attenuation is a general term that refers to any reduction in the strength of a signal. Attenuation occurs with any type of signal, whether digital or analog. Sometimes called loss, attenuation is a natural consequence of signal transmission over long distances.
Set up a wireless AP and analyze it with inSSIDer.
WANs
Wide Area Networks.
Types:
T1, E1, T3, E3, DS3, OCx, SONET, SDH, DWDM
Satellite, ISDN, Cable, DSL, Cellular, WiMax, LTE,
HSPA+, Fiber, Dialup, PON, Frame Relay (virtual dedicated network), ATM
Properties:
Circuit, packet switched, speed, distance, media.
LAN/WAN Topology
Bus
A bus network is a network topology in which nodes are directly connected to a common linear (or branched) half-duplex link called a bus.
Ring
A ring network is a network topology in which each node connects to exactly two other nodes, forming a single continuous pathway for signals through each node – a ring.
Star
A Star network is one of the most common computer network topologies. In its simplest form, a star network consists of one central hub which acts as a conduit to transmit messages. In star topology, every host is connected to a central hub.
Mesh
A mesh network is a local network topology in which the infrastructure nodes connect directly, dynamically and non-hierarchically to as many other nodes as possible and cooperate with one another to efficiently route data from/to clients.
Point to Point
The simplest topology with a dedicated link between two endpoints. Easiest to understand, of the variations of point-to-point topology, is a point-to-point communication channel that appears, to the user, to be permanently associated with the two endpoints. A child’s tin can telephone is one example of a physical dedicated channel.
Using circuit-switching or packet-switching technologies, a point-to-point circuit can be set up dynamically and dropped when no longer needed. Switched point-to-point topologies are the basic model of conventional telephony.
The value of a permanent point-to-point network is unimpeded communications between the two endpoints.
Point to multipoint
Point-to-Multipoint Wireless. The Point-to-Multipoint topology (also called star topology or simply P2MP) is a common network architecture for outdoor wireless networks to connect multiple locations to one single central location.
Troubleshoot cable problems
Bad connectors
Bad wiring
open, short, split cables
DB Loss
TX/RX reversed
cable placement
EMI/Interference
Distance
Crosstalk.
Cable plant: identify wiring and distribution components
Demarcation Point
In telephony, the demarcation point is the point at which the public switched telephone network ends and connects with the customer’s on-premises wiring. It is the dividing line which determines who is responsible for installation and maintenance of wiring and equipment—customer/subscriber, or telephone company/provider.
CSU/DSU
A CSU/DSU (Channel Service Unit/Data Service Unit) is a digital-interface device used to connect data terminal equipment (DTE), such as a router, to a digital circuit, such as a Digital Signal 1 (DS1) T1 line. The CSU/DSU implements two different functions.
Network Appliances
Describing network appliances
Load balancer
Proxy server
Content filter
VPN concentrator (VPN Server).
Hardware Tools, used to troubleshoot connectivity issues
Cable Tester/certifier
Crimper
Toner probe
Punch Down tool
Protocol analyzer, wireshark
loop back plug
TDR/OTDR: a time-domain reflectometer reports the distance to the fault in a cable; an OTDR (optical time-domain reflectometer) does the same for fiber.
Multimeter (measures multiple things: current, voltage, continuity, battery testing)
Environmental monitor (make sure equipment does not get too warm).
Software Tools for troubleshooting
Connectivity software: Remote Desktop (RDP), VNC.
Protocol analyzer: Wireshark
Throughput tester, LAN speed test tool
ping, tracert/traceroute
dig, nslookup
ipconfig, ifconfig
arp
netstat, nbtstat
route
Network Monitoring
SNMP v1/2/3
Syslog
System Logs
History Logs
General logs
Traffic Analysis
Network Sniffer
Documentation
Wire schemes
Network Maps
Documentation
Cable Management
Asset Management
Baseline
Change management
Optimizing the network
Methods:
IP Precedence, Type of Service (ToS), DSCP (Differentiated Services Code Point).
QoS, traffic shaping (rate limiting, traffic policing), load balancing
Caching engines: cache videos or any other content
High Availability (HA): HSRP is Cisco's Hot Standby Router Protocol.
Fault tolerance: CARP (Common Address Redundancy Protocol), two gateways sharing the same IP address.
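How IP Precedence, DSCP and ToS relate inside one byte of the IPv4 header. This is an added example, not from the original notes: the header bytes are constructed, the DSCP name table covers only a handful of well-known code points, and the queue-selection policy at the end is a toy stand-in for whatever a real QoS configuration would do.

```python
# Added example (not from the original notes): decoding the IPv4 ToS/DS byte
# the way a QoS classifier reads it: 3-bit IP Precedence (RFC 791), 6-bit
# DSCP (RFC 2474) and 2-bit ECN (RFC 3168). Header bytes are constructed.
DSCP_NAMES = {0: "CS0 (best effort)", 8: "CS1", 10: "AF11", 18: "AF21",
              26: "AF31", 34: "AF41", 46: "EF", 48: "CS6", 56: "CS7"}


def decode_tos(tos: int) -> dict:
    """Split one ToS byte into precedence, DSCP and ECN."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS is a single byte")
    dscp = tos >> 2
    return {
        "precedence": tos >> 5,     # top 3 bits (legacy IP Precedence)
        "dscp": dscp,               # top 6 bits
        "dscp_name": DSCP_NAMES.get(dscp, f"DSCP {dscp}"),
        "ecn": tos & 0x03,          # bottom 2 bits
    }


def tos_from_ipv4_header(header: bytes) -> int:
    """The ToS/DS field is the second byte of the IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1]


def classify(tos: int) -> str:
    """Toy queue policy: EF -> priority queue (VoIP), AF4x -> video, rest best effort."""
    dscp = tos >> 2
    if dscp == 46:
        return "priority"
    if dscp in (34, 36, 38):        # AF41, AF42, AF43
        return "video"
    return "best-effort"


# Constructed 20-byte IPv4 header: version 4, IHL 5, ToS 0xB8 (EF), ICMP, 192.168.1.1 -> 192.168.1.2
SAMPLE_HEADER = bytes.fromhex("45b8005400004000400100000a0a0a0a0a0a0a0b")

if __name__ == "__main__":
    tos = tos_from_ipv4_header(SAMPLE_HEADER)
    print(hex(tos), decode_tos(tos), classify(tos))
```

The EF code point (46) decodes to precedence 5, which is why legacy precedence-based queues and DSCP-based ones agree on voice traffic: DSCP was designed so its top three bits stay compatible with IP Precedence.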
Reasons:
Latency sensitivity applications, ( VoIP, Video)
uptime
jitter: variation in latency between consecutive packets
Securing Network Access, Securing our communications
Access/technical controls: ACL (Access Control List), allow by IP and port; L2, L3, L4
Tunneling: VPNs (IPsec: IKE phase 1 for control messages, IKE phase 2 for data; site-to-site vs remote access; SSL, PPTP, L2TP)
Remote access: SSH, RAS (remote access server, IPsec or SSL VPN server), PPP (CHAP vs PAP vs MS-CHAP), PPPoE, RDP (or VNC), ICA (Independent Computing Architecture), the protocol used by Citrix.
Wireless Security
Encryption protocols: WEP, WPA, WPA2 PSK/ENT, (active directory vs radius)
MAC Address filtering
Device Placement
Signal Strength
User Authentication
CHAP / MS-CHAP
AAA (authentication, authorization, accounting (recording)) (RADIUS, TACACS+)
Network Access Control (802.1X, EAP, posture assessment (service packs must be installed on user systems))
Two-factor/multifactor authentication (something you know, have, are (biometric))
Kerberos, TGT
Single sign-on
PKI, symmetric vs asymmetric; HTTPS -> SSL, TLS v1/v2; the browser verifies the certificate of websites.
PKI uses a third-party Certificate Authority to verify certificate authenticity.
Threats, Vulnerabilities and mitigation
Wireless:
War driving, war chalking, WEP/WPA cracking, Rogue AP/Evil Twin.
Attacks:
DoS/DDoS, Man in the middle,
Social engineering,
Virus, trojans, worms, buffer overflow
packet sniffing
Smurf: The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim’s spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim’s computer will be flooded with traffic. This can slow down the victim’s computer to the point where it becomes impossible to work on.
Mitigation techniques:
Training and awareness,
Patch management
Policies and procedures,
Incident response.
Firewalls
Types of firewall, HW/SW
Stateful inspection, packet filtering.
Firewall Rules, ACLs, NAT/PAT
DMZ,
Port Security
Port security is a layer 2 traffic control feature on Cisco Catalyst switches. It enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port.
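The MAC learning that the switching section earlier calls "memorizing MAC addresses", combined with the per-port address limit port security enforces. This is an added example and not from the original notes or any vendor's implementation: port names and MAC addresses are constructed, the violation action modelled is the "shutdown" one (the port is disabled until an administrator re-enables it), and aging and MAC moves between ports are ignored.

```python
# Added example (not from the original notes): a toy learning switch with a
# per-port source-MAC limit, modelling port security's "shutdown" violation
# mode. Port names and MAC addresses are constructed.
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, max_macs_per_port=1):
        self.ports = list(ports)
        self.max_macs = max_macs_per_port
        self.mac_table = {}                 # mac -> port it was learned on
        self.port_macs = defaultdict(set)   # port -> set of source MACs seen
        self.shutdown = set()               # ports disabled by a violation
        self.violations = []                # (port, offending mac)

    def receive(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port, then forward. Returns the list of output
        ports ([] when the frame is dropped). Unknown or broadcast destinations
        are flooded out of every other active port."""
        if in_port in self.shutdown:
            return []
        # Port security check: a new source MAC beyond the limit is a violation.
        if src_mac not in self.port_macs[in_port]:
            if len(self.port_macs[in_port]) >= self.max_macs:
                self.violations.append((in_port, src_mac))
                self.shutdown.add(in_port)
                return []
            self.port_macs[in_port].add(src_mac)
        self.mac_table[src_mac] = in_port
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            return [p for p in self.ports if p != in_port and p not in self.shutdown]
        out_port = self.mac_table[dst_mac]
        return [] if out_port == in_port else [out_port]


if __name__ == "__main__":
    sw = LearningSwitch(["Gi0/1", "Gi0/2", "Gi0/3"], max_macs_per_port=1)
    A, B, X = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:99"
    print(sw.receive("Gi0/1", A, BROADCAST))   # unknown: flooded
    print(sw.receive("Gi0/2", B, A))           # A is known: one port
    print(sw.receive("Gi0/1", X, B))           # second MAC on Gi0/1: violation
    print(sw.violations, sw.shutdown)
```

With the limit at one address per access port, a second source MAC appearing on Gi0/1 is exactly the symptom of an unmanaged switch or hub being plugged into a wall port, which is the case the feature exists to catch.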
DHCP Snooping
DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients.
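The core decision DHCP snooping makes, as an added example that is not from the original notes and not any switch vendor's code. It assumes a small model: ports are either trusted (facing the real DHCP server or uplink) or untrusted (facing clients); server-side messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, and ACKs seen on trusted ports populate a binding table of which address was leased to which client on which port. Port names, MACs and addresses are constructed.

```python
# Added example (not from the original notes): the trusted/untrusted port rule
# of DHCP snooping plus the binding table it builds. All values are constructed.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.client_ports = {}     # client MAC -> port its last client message came from
        self.binding_table = {}    # client MAC -> (leased IP, client port)
        self.dropped = []          # (port, message type, client MAC)

    def inspect(self, port, msg_type, client_mac, yiaddr=None):
        """Return True if the message may be forwarded, False if it is dropped."""
        if msg_type in CLIENT_MESSAGES:
            # Clients may speak from any port; remember where each one lives.
            self.client_ports[client_mac] = port
            return True
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted:
                # A server reply from a client-facing port: rogue DHCP server.
                self.dropped.append((port, msg_type, client_mac))
                return False
            if msg_type == "ACK" and yiaddr is not None:
                self.binding_table[client_mac] = (yiaddr, self.client_ports.get(client_mac))
            return True
        # Unknown message types are dropped rather than guessed at.
        self.dropped.append((port, msg_type, client_mac))
        return False


if __name__ == "__main__":
    snoop = DhcpSnooping(trusted_ports=["Gi0/24"])       # uplink to the real server
    mac = "aa:aa:aa:aa:aa:01"
    print(snoop.inspect("Gi0/3", "DISCOVER", mac))                      # True
    print(snoop.inspect("Gi0/7", "OFFER", mac, "192.168.1.50"))         # False: rogue
    print(snoop.inspect("Gi0/24", "OFFER", mac, "192.168.1.20"))        # True
    print(snoop.inspect("Gi0/3", "REQUEST", mac))                       # True
    print(snoop.inspect("Gi0/24", "ACK", mac, "192.168.1.20"))          # True
    print(snoop.binding_table, snoop.dropped)
```

The binding table is the useful by-product: switches feed it to features such as Dynamic ARP Inspection and IP Source Guard so that a host can only use the address it was actually leased.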
IDS-IPS, Network Security Appliances
IDS/IPS, based on:
Behavior, signature, network or host.
Vulnerability Scanners:
Nessus and nmap
Methods:
Honeypots, Honeynets