Table 1-2 Protocols at Each Layer of the TCP/IP Model

| TCP/IP Layer | Protocols |
|---|---|
| Link | Ethernet, Point-to-Point (PPP) |
| Internet | IP |
| Transport | TCP/UDP |
| Application | HTTP, SMTP, FTP |
Table 1-3 Message Unit Naming at Each Layer of the TCP/IP Model

| TCP/IP Layer | Message Unit |
|---|---|
| Link | Frame |
| Internet | Packet |
| Transport | Segment |
| Application | Application data |
Table 1-4 Protocols and Devices Mapping to the OSI Layer Model and the TCP/IP Model

| OSI Layer Model | TCP/IP Model | Protocols | Devices |
|---|---|---|---|
| Application | Application | FTP, HTTP, SMTP | Host, servers |
| Presentation | Application | FTP, HTTP, SMTP | Host, servers |
| Session | Application | FTP, HTTP, SMTP | Host, servers |
| Transport | Transport | TCP, UDP | Stateful firewalls |
| Network | IP | IP | Router |
| Data Link | Link | Ethernet, PPP, ATM | Switches |
| Physical | Link | Ethernet (physical layer), cable, optical | Repeater |
Table 1-5 Popular Ethernet Physical Layer Standards

| Name | IEEE Standard | Speed | Media | Maximum Distance |
|---|---|---|---|---|
| 10BASE-T | 802.3 (Ethernet) | 10 Mbps | Twisted pair (copper) | 100 m |
| 100BASE-T | 802.3u (FastEthernet) | 100 Mbps | Twisted pair (copper) | 100 m |
| 1000BASE-T | 802.3ab (GigaEthernet) | 1000 Mbps | Twisted pair (copper) | 100 m |
| 1000BASE-LX | 802.3z (GigaEthernet) | 1000 Mbps | Long wavelength (single-mode fiber) | 5 km |
| 10GBASE-T | 802.3an (10 Gigabit Ethernet) | 10 Gbps | Twisted pair (copper) | 100 m |
Table 1-6 Spanning Tree Port Costs

| Port Speed | Recommended Cost |
|---|---|
| <=100 Kbps | 200,000,000 |
| 1 Mbps | 20,000,000 |
| 10 Mbps | 2,000,000 |
| 100 Mbps | 200,000 |
| 1 Gbps | 20,000 |
| 10 Gbps | 2,000 |
| 100 Gbps | 200 |
| 1 Tbps | 20 |
| 10 Tbps | 2 |
| Service | Description |
|---|---|
| Multiplexing | Allows multiple transport layer connections between the same hosts. Sockets are used to distinguish which application a connection belongs to. |
| Connection establishment and termination | A connection is established before data is sent. This ensures that the other host is ready to receive data. The connection is also terminated through a formal data exchange. |
| Reliability | Data lost due to errors, or dropped by the underlying datagram service, can be recovered by asking the remote device to send the information again. |
| Flow control | TCP uses a windowing system to adjust the speed of transmission. |
Table 2-1 RFC 1918 Private Address Ranges

| Class | IP Address Range | Networks | Hosts per Network |
|---|---|---|---|
| Class A | 10.0.0.0 to 10.255.255.255 | 1 | 16,777,214 |
| Class B | 172.16.0.0 to 172.31.255.255 | 16 | 65,534 |
| Class C | 192.168.0.0 to 192.168.255.255 | 256 | 254 |
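The following is an added example (not from the book) that encodes the three Table 2-1 blocks with Python's standard `ipaddress` module, derives the Networks and Hosts per Network figures from the classful prefix lengths, and applies the table to a defender's check: RFC 1918 sources arriving on an external interface. The `FLOWS` records and the interface name `outside` are constructed for the example.

```python
import ipaddress

# RFC 1918 blocks as listed in Table 2-1, paired with the classful prefix length
# (/8, /16, /24) that the table's Networks and Hosts per Network columns count against.
RFC1918 = {
    "Class A": (ipaddress.ip_network("10.0.0.0/8"), 8),
    "Class B": (ipaddress.ip_network("172.16.0.0/12"), 16),
    "Class C": (ipaddress.ip_network("192.168.0.0/16"), 24),
}


def rfc1918_class(addr: str):
    """Return the Table 2-1 class label if addr is private, otherwise None."""
    ip = ipaddress.ip_address(addr)
    for label, (block, _) in RFC1918.items():
        if ip in block:
            return label
    return None


def classful_networks(label: str) -> int:
    """Number of classful networks inside the block (172.16.0.0/12 holds 16 /16s)."""
    block, classful_prefix = RFC1918[label]
    return 2 ** (classful_prefix - block.prefixlen)


def hosts_per_network(label: str) -> int:
    """Usable hosts per classful network: all host addresses minus network and broadcast."""
    _, classful_prefix = RFC1918[label]
    return 2 ** (32 - classful_prefix) - 2


# Constructed flow records (interface, source, destination); not real traffic.
FLOWS = [
    ("outside", "198.51.100.7", "203.0.113.5"),
    ("outside", "10.1.2.3", "203.0.113.5"),     # private source seen from the Internet
    ("inside", "192.168.10.20", "198.51.100.7"),
    ("outside", "172.32.0.9", "203.0.113.5"),   # 172.32.0.0/16 is outside 172.16.0.0/12
]


def private_sources_on_outside(flows):
    """Flows entering on the external interface with an RFC 1918 source address.

    These addresses are not routable on the Internet, so such packets indicate
    spoofing or a misconfiguration and are normally dropped by ingress filtering.
    """
    return [f for f in flows if f[0] == "outside" and rfc1918_class(f[1]) is not None]
```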
Table 4-2 Authentication Methods

| Authentication Method | Description | Examples |
|---|---|---|
| Authentication by knowledge | Something the user knows | Password, PIN |
| Authentication by ownership | Something the user owns | Smart card, badge, token |
| Authentication by characteristic | Something the user is or does | Fingerprint, hand geometry, keystroke dynamics |
Table 4-3 Access Control Process Phases

| Phase | Questions It Answers | Examples |
|---|---|---|
| Identification | Who are you? | User ID, IP address. |
| Authentication | Can you prove you are who you claim to be? | Password, badge, fingerprint. |
| Authorization | Can you access a resource? What can you do with that resource? | User A can access Resource B in read and write mode. |
| Accounting | What have you done with that resource? | User A has modified Resource B on August 31, 2016. |
Table 4-5 Mapping Access Controls to Access Control Types

| | Administrative | Physical | Technical |
|---|---|---|---|
| Preventive | | | Firewall |
| Deterrent | | Fence | |
| Detective | | | Intrusion detection system |
| Corrective | Employee termination policy | | |
| Recovery | | | Data backup |
| Compensating | Manual user screening | | |
Table 4-6 Overview of Access Control Models

| Access Control Model | Access Decision | Reference |
|---|---|---|
| DAC | Access decisions and permissions are decided by the object owner. | DoD – Trusted Computer System Evaluation Criteria |
| MAC | Access decision is enforced by the access policy enforcer (for example, the operating system). It uses security labels. | DoD – Trusted Computer System Evaluation Criteria |
| RBAC | Access decisions are based on the role or function of the subject. | ANSI INCITS 359-2004 |
| ABAC | Access decisions are based on the attributes or characteristics of the subject, object, and environment. | NIST SP 800-162 |
Table 4-7 Pros and Cons of Access Control Models

| Access Control Model | Pros | Cons |
|---|---|---|
| DAC | Simpler than the other models. | Security policy can be bypassed. No centralized control. |
| MAC | Strict control over information flow. | Complex administration. |
| RBAC | Scalable and easy to manage. | The number of role definitions tends to grow. |
| ABAC | Flexible. | More complex compared to DAC or RBAC. |
Table 4-8 RADIUS vs. TACACS+ Comparison

| | RADIUS | TACACS+ |
|---|---|---|
| Transport protocol | UDP | TCP |
| Security | Encrypts user password in ACCESS-REQUEST packets. | Can optionally encrypt the full payload. |
| AAA phases | Authentication and authorization are performed with the same exchange. Accounting is done with a separate exchange. | Authentication, authorization, and accounting are performed with separate exchanges. |
| Command authorization | There is no support for granular command authorization. | Allows command authorization. |
| Accounting | Implements strong accounting capabilities. | Provides basic accounting capabilities. |
| Standard | RFC 2865 (authentication and authorization) and RFC 2866 (accounting). | Cisco proprietary. |
Table 4-9 IDS vs. IPS Comparison

| IDS | IPS |
|---|---|
| Works on a copy of the packet (promiscuous mode). | Intercepts and processes real traffic (inline mode). |
| No latency added. | Adds latency due to packet processing. |
| Cannot stop malicious packets directly. Can work together with other devices. | Can stop malicious packets. |
| Some malicious packets may pass through (for example, the first packet). | Malicious packets can always be dropped. |
Table 4-10 Network-Based vs. Host-Based Detection/Prevention Systems

| NIDS/NIPS | HIDS/HIPS |
|---|---|
| Software is deployed on a dedicated machine. | Software is installed on top of the host (end user) operating system (OS). It may require support for several OSs. |
| Easy to maintain and update. | May require an update of several endpoints. |
| Have visibility on all network traffic; therefore, can offer better event correlation. | Have visibility only on traffic hitting the host. |
| Can introduce delay due to packet processing. | Can slow down the operating system of the host. |
| Do not have visibility into whether an attack was successful. | Can verify whether an attack has been successful on a host. |
| Do not have visibility into encrypted packets. | Have visibility after encryption and can block an attack delivered via encrypted packets. |
| Can block an attack at the entry point. | The attacker is able to reach the target before being blocked. |
Table 4-11 Network-Based vs. Host-Based Antivirus/Antimalware Systems

| Network-Based Antivirus/Antimalware | Host-Based Antivirus/Antimalware |
|---|---|
| Software is deployed on a dedicated machine. | Software is installed on top of the host (end user) operating system (OS). It may require support for several OSs. |
| Easier to maintain and update. | May require updating of several endpoints. |
| Have visibility into all network traffic; therefore, can offer better event correlation. | Have visibility only into traffic hitting the host. |
| Can introduce delay due to packet processing. | Can slow down the operating system of the host. |
| Do not have visibility into whether an attack was successful. | Can verify whether an attack has been successful on a host. |
| Do not have visibility into encrypted packets. | Have visibility after encryption and can block an attack delivered via encrypted packets. |
| Can block an attack at the entry point. | The attacker is able to reach the target before being blocked. |
Table 5-2 Summary of Password-Generation Methods

| Method | Description | Pros | Cons |
|---|---|---|---|
| User-generated password | The user chooses the password. | Simple to remember. | Usually leads to an easily guessable password. Users may reuse the same password on multiple systems. |
| System-generated password | The password is generated by the system. | Strong password. Compliant with security policy. | Difficult to remember. Users tend to write down the password, thus defeating the purpose. |
| OTP and token | The password is generated by an external entity (such as hardware or software) that is synchronized with internal resources. The device is usually protected by a user-generated password. | Users do not need to remember a difficult password. | More complicated infrastructure. It makes use of hardware or software to generate the token, which increases maintenance and deployment costs. |
Table 5-6 Comparing Cloud-Based MDM and On-Premises MDM

| Cloud-Based MDM Characteristics | On-Premises MDM Characteristics |
|---|---|
| Deployed as a service and operated by a third party from the cloud | Deployed and managed within the organization |
| Lower cost of the solution and deployment | Higher level of control |
| Flexibility | Intellectual property retention |
| Fast deployment | Regulatory compliance |
| Scalability | |
| Easier to maintain | |
Table 5-7 Comparing Vulnerability Scan and Penetration Assessment

| Vulnerability Scan | Penetration Assessment |
|---|---|
| Works by assessing known vulnerabilities. | Can find unknown vulnerabilities. |
| Can be fully automated. | Mixture of automated and manual process. |
| Minimal impact on the system. | May completely disable the system. |
| Main goal is to report any hits on known vulnerabilities. | Main goal is to compromise the system. |
| Attribute | Possible Values |
|---|---|
| Encryption | None, DES, 3DES, AES128, AES192, AES256 |
| Hashing | MD5, SHA, null |
| Identity information | Network, protocol, port number |
| Lifetime | 120–2,147,483,647 seconds; 10–2,147,483,647 kilobytes |
| Mode | Tunnel or transport |
| Perfect Forward Secrecy (PFS) group | None, 1, 2, or 5 |
Table 7-3 Contrasting Cisco VPN Client and SSL VPN

| Feature | Cisco VPN Client | Clientless SSL VPN |
|---|---|---|
| VPN client | Uses Cisco VPN client software for complete network access. | Uses a standard web browser to access limited corporate network resources. Eliminates the need for separate client software. |
| Management | You must install and configure Cisco VPN client. | You do not need to install a VPN client. No configuration is required on the client machine. |
| Encryption | Uses a variety of encryption and hashing algorithms. | Uses SSL encryption native to web browsers. |
| Connectivity | Establishes a seamless connection to the network. | Supports application connectivity through a browser portal. |
| Applications | Encapsulates all IP protocols, including TCP, UDP, and ICMP. | Supports limited TCP-based client/server applications. |
Table 9-2 List of Permission Values

| Column Value | Permissions | Represented By |
|---|---|---|
| 0 | None | --- |
| 1 | Execution-only | --x |
| 2 | Write | -w- |
| 3 | Execution and write | -wx |
| 4 | Read-only | r-- |
| 5 | Read and execution | r-x |
| 6 | Read and write | rw- |
| 7 | Read, write, and execution | rwx |
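As an added example (not from the book), the conversion behind Table 9-2 in both directions: each column value is a 3-bit mask (read = 4, write = 2, execute = 1), so a full mode such as `754` expands to one `rwx` triplet per owner, group and others. The `world_writable` check is a typical hardening use of the same decoding; all function names are this example's own.

```python
# Bit weights of one permission digit, as in Table 9-2: r = 4, w = 2, x = 1.
READ, WRITE, EXEC = 4, 2, 1


def digit_to_symbolic(digit: int) -> str:
    """Convert one column value (0-7) to its rwx triplet, e.g. 5 -> 'r-x'."""
    if not 0 <= digit <= 7:
        raise ValueError(f"permission digit must be 0-7, got {digit}")
    return (("r" if digit & READ else "-")
            + ("w" if digit & WRITE else "-")
            + ("x" if digit & EXEC else "-"))


def symbolic_to_digit(triplet: str) -> int:
    """Convert an rwx triplet back to its column value, e.g. '-wx' -> 3."""
    if len(triplet) != 3:
        raise ValueError("triplet must be exactly three characters")
    digit = 0
    for ch, want, bit in zip(triplet, "rwx", (READ, WRITE, EXEC)):
        if ch == want:
            digit |= bit
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {triplet!r}")
    return digit


def mode_to_symbolic(mode: str) -> str:
    """Expand a three-digit mode to owner/group/others triplets: '754' -> 'rwxr-xr--'."""
    if len(mode) != 3 or not mode.isdigit():
        raise ValueError("mode must be three octal digits, e.g. '644'")
    return "".join(digit_to_symbolic(int(c)) for c in mode)


def symbolic_to_mode(symbolic: str) -> str:
    """Collapse a nine-character permission string back to digits: 'rw-r--r--' -> '644'."""
    if len(symbolic) != 9:
        raise ValueError("symbolic permissions must be nine characters")
    return "".join(str(symbolic_to_digit(symbolic[i:i + 3])) for i in (0, 3, 6))


def world_writable(mode: str) -> bool:
    """True when the 'others' digit carries the write bit (a common audit finding)."""
    return bool(int(mode_to_symbolic(mode) and mode[2]) & WRITE)
```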
| Facility | Description |
|---|---|
| auth | Authentication activity (requests for user names and passwords) |
| authpriv | Same as auth, but data is sent to a more secured file |
| console | Messages directed at the system console |
| cron | Cron system scheduler messages |
| daemon | Daemon catch-all messages |
| ftp | FTP daemon messages |
| kern | Kernel-related messages |
| local0 through local7 | Local facilities defined per site |
| lpr | Line printing system messages |
| mail | Mail system messages |
| mark | Pseudo event used to generate timestamps in log files |
| news | Network News Protocol messages |
| ntp | Network Time Protocol messages |
| user | Regular user processes |
| uucp | UUCP subsystem |
Table 9-4 UNIX Message Priorities

| Priority | Description |
|---|---|
| emerg | Emergency condition, such as a system crashing |
| alert | Condition that should be dealt with immediately, such as a corrupted database |
| crit | Critical condition, such as a hardware failure |
| err | Standard error |
| warning | Standard warning |
| notice | No error condition, but attention may be needed |
| info | Informational message |
| debug | Messages used for debugging errors or programs |
| none | Specifies not to log messages |
Table 11-2 Syslog Severity Logging Levels

| Level | Numeric Value | Description |
|---|---|---|
| Emergency | 0 | System unusable messages |
| Alert | 1 | Immediate action required messages |
| Critical | 2 | Critical condition messages |
| Error | 3 | Error condition messages |
| Warning | 4 | Warning condition messages |
| Notification | 5 | Normal but significant messages |
| Information | 6 | Informational messages |
| Debugging | 7 | Debugging messages |
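The facility table, Table 9-4 and Table 11-2 come together in the `<PRI>` prefix of a syslog message, where PRI = facility × 8 + severity and the severity is the numeric value from Table 11-2. The decoder below is an added example, not from the book; the facility codes follow RFC 3164/5424 (codes 13 to 15 are left out), the sample log lines are constructed, and the triage filter on auth/authpriv events is this example's own.

```python
import re

# Facility codes from RFC 3164/5424 (PRI = facility * 8 + severity); names match
# the facility table above. Codes 13-15 are omitted and reported numerically.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              12: "ntp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

# Severity keywords in Table 11-2 order: numeric value 0 is the most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri: int):
    """Split a PRI value into (facility_code, severity_code)."""
    if not 0 <= pri <= 191:  # 24 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_syslog(line: str) -> dict:
    """Decode the <PRI> prefix of one syslog line into a named facility and severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix")
    fac, sev = decode_pri(int(m.group(1)))
    return {"facility": FACILITIES.get(fac, f"facility{fac}"),
            "severity": SEVERITIES[sev], "severity_code": sev,
            "message": m.group(2)}


def at_or_above(event: dict, threshold: str) -> bool:
    """True when the event is at least as severe as threshold (lower value = worse)."""
    return event["severity_code"] <= SEVERITIES.index(threshold)


# Constructed sample lines, not real log data: auth.crit, authpriv.info, local4.notice.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host1 sshd[1234]: Failed password for root from 192.0.2.10",
    "<86>Oct 11 22:14:16 host1 sudo: session opened for user root",
    "<165>Oct 11 22:14:17 fw1 app: configuration saved by admin",
]


def auth_events_to_triage(lines, threshold: str = "warning"):
    """Decoded auth/authpriv events at or above threshold: a minimal SOC triage filter."""
    events = [parse_syslog(line) for line in lines]
    return [e for e in events
            if e["facility"] in ("auth", "authpriv") and at_or_above(e, threshold)]
```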