EC-Council Certified Network Defender book PDF

The Certified Network Defender (CND) certification program focuses on producing network administrators who are trained in protecting, detecting, and responding to threats on the network. Network administrators are usually familiar with network components, traffic, performance and utilization, network topology, the location of each system, security policy, etc.

Here we've brought 180+ exam practice questions for you so that you can prepare well for this exam.

Unlike other online simulation practice tests, you get an eBook/paperback version that makes these questions easy to read and remember. You can rely on these questions to pass this exam.

312 38 EC Council Certified Network Defender (5 pages, uploaded by Apollos_80)

Instructions for Downloading your CND Electronic Courseware, Lab Manuals, and Tools

Step 1: Visit https://aspen.eccouncil.org. If you already have an account, skip to Step 4.
Step 2: Click Register and fill out the registration form. Click the Register button.
Step 3: Using the email you provided in Step 2, follow the instructions in the auto-generated email to activate your EC-Council Aspen Portal account.
Step 4: Log in using your Username and Password.
Step 5: Once successfully logged in, click the eBooks icon under the Learning Resources section. It will open the Academia page.
Step 6: Enter the access code below in the Access Code field and click the Submit button.

Access Code:

Step 7: If your Access Code is valid, scroll down and you will be able to view instructions on how to access the Electronic Courseware, Lab Manuals, and Tools.

Support: E-mail support is available at [email protected]

System Requirements: The Academia page contains details about system requirements and how to download the e-courseware.

Certified Network Defender Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Exam 312-38

Certified Network Defender

Instructions to Download Digital Copy of your Class Certificate of Attendance

[Sample certificate: "EC-Council. This is to acknowledge that ___ has successfully completed a course on ___ at an EC-Council accredited training center." Fields: instructor name, certificate number, date; signed Sanjay Bavisi, President.]

You can verify the authenticity of this certificate by visiting https://aspen.eccouncil.org/VerifyEval.aspx

Step 1: Complete the official training.
Step 2: Visit https://aspen.eccouncil.org. If you already have an account, skip to Step 5.
Step 3: Click Register and fill out the registration form. Click the Register button.
Step 4: Using the email you provided in Step 3, follow the instructions in the auto-generated email to activate your EC-Council Aspen Portal account.
Step 5: Log in using your Username and Password.
Step 6: Click the Class Eval icon in the Student Services section.
Step 7: Enter the Evaluation Code (see the code below) in the Evaluation Code field and click Submit.
Step 8: Fill in the Course Evaluation Form. *Note: All fields on this form are mandatory. Click the Submit Classroom Evaluation button.
Step 9: On the Course Evaluation Submission page, click the Download Certificate of Attendance button to download your certificate of attendance.

Evaluation Code: ***CND-*********


EC-Council Copyright © 2016 by EC-Council. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Information has been obtained by EC-Council from sources believed to be reliable. EC-Council uses reasonable endeavors to ensure that the content is current and accurate; however, because of the possibility of human or mechanical error, we do not guarantee the accuracy, adequacy, or completeness of any information and are not responsible for any errors or omissions or the accuracy of the results obtained from use of such information. The courseware is a result of extensive research and contributions from subject matter experts from the field from all over the world. Due credits for all such contributions and references are given in the courseware in the research endnotes. We are committed to protecting intellectual property. If you are a copyright owner (an exclusive licensee or their agent), and if you believe that any part of the courseware constitutes an infringement of copyright, or a breach of an agreed licence or contract, you may notify us at [email protected] In the event of a justified complaint, EC-Council will remove the material in question and make necessary rectifications. The courseware may contain references to other information resources and security solutions, but such references should not be considered as an endorsement of or recommendation by EC-Council. Readers are encouraged to report errors, omissions and inaccuracies to EC-Council at [email protected] If you have any issues, please contact [email protected]


Foreword

The computer network has become more and more complex over the past few years, and so have the threats to its security. The Certified Network Defender (CND) course focuses on helping the administrator understand how to deal effectively with the issues that challenge the security of a network. This course presents a defensive stance on network security. It enhances the skills of a network administrator to analyze internal and external network security threats, proactively minimize their effect by developing the necessary security policies, design a defense strategy, implement security mechanisms, and respond to security incidents in a timely manner. The course covers all major domains in such a manner that the reader will be able to appreciate the way network security mechanisms have evolved over time, as well as gain insight into the fundamental workings relevant to each domain. It is a blend of academic and practical wisdom, supplemented with tools that the reader can readily access to obtain hands-on experience. The emphasis is on understanding the various network security elements, updating already deployed security mechanisms, spotting known or possible vulnerabilities, and hardening security implementations using various tools. You will read about the most widely used defense mechanisms, such as firewalls, IDS, digital signatures, the secure configuration of various everyday applications, and a comprehensive set of policies to be enforced in the network to secure it from network breaches.

This courseware is a resource material. Any network administrator can tell you that there is no single methodology or sequence of steps that you can follow while securing a network. There is no one template that can meet all your needs. Your network defense strategy varies with the type of network, the security mechanisms you choose to deploy, and the resources at your disposal. However, for each stage you choose, be it training your staff on security awareness, identifying network threats, implementing packet filtering, deploying a honeypot, troubleshooting the network, configuring a digital signature, or securing wireless networks, you will find something in this courseware that you can definitely use.

Finally, this is not the end. This courseware is to be considered a work in progress, as it is updated by adding value to it over time. You may find some aspects detailed, while others may be brief. The yardstick used in this respect is simple: "does the content explain the point at hand?" It would be great to hear the views of the reader, with viewpoints and suggestions. You can send your feedback so that this courseware can be a more useful one.


Table of Contents

Module  Module Name                                              Page No.
00      Student Introduction                                     I
01      Computer Network and Defense Fundamentals                01
02      Network Security Threats, Vulnerabilities, and Attacks   102
03      Network Security Controls, Protocols, and Devices        152
04      Network Security Policy Design and Implementation        253
05      Physical Security                                        348
06      Host Security                                            418
07      Secure Firewall Configuration and Management             565
08      Secure IDS Configuration and Management                  647
09      Secure VPN Configuration and Management                  757
10      Wireless Network Defense                                 823
11      Network Traffic Monitoring and Analysis                  908
12      Network Risk and Vulnerability Management                976
13      Data Backup and Recovery                                 1051
14      Network Incident Response and Management                 1134
        References                                               1207

Module 00: Student Introduction

Welcome to Certified Network Defender Class!

Student introduction:
• Name
• Company affiliation
• Title / function
• Job responsibility
• Networking-related experience
• Expectations

Course materials:
• Student Courseware
• Course Evaluation
• Identity Card
• Lab Manual / Workbook
• Reference Materials

CND modules:
1. Computer Network and Defense Fundamentals
2. Network Security Threats, Vulnerabilities, and Attacks
3. Network Security Controls, Protocols, and Devices
4. Network Security Policy Design and Implementation
5. Physical Security
6. Host Security
7. Secure Firewall Configuration and Management
8. Secure IDS Configuration and Management
9. Secure VPN Configuration and Management
10. Wireless Network Defense
11. Network Traffic Monitoring and Analysis
12. Network Risk and Vulnerability Management
13. Data Backup and Recovery
14. Network Incident Response and Management

EC-Council Certification Program

There are several levels of certification tracks under the EC-Council accreditation body:
• Certified Secure Computer User (CSCU)
• EC-Council Disaster Recovery Professional (EDRP)
• Certified e-Business Professional
• EC-Council Certified Secure Programmer (ECSP)
• EC-Council Certified Security Specialist (ECSS)
• EC-Council Certified Security Analyst (ECSA)
• Certified Network Defender (CND) (you are here)
• Licensed Penetration Tester (LPT)
• Certified Ethical Hacker (CEH)
• Computer Hacking Forensic Investigator (CHFI)
• Certified Chief Information Security Officer (CCISO)
• Master of Security Science (MSS)

Certified Network Defender Track

CND Certification Track. Complete the following steps:
• Start
• Attend Training: attend the Certified Network Defender course
• Prepare for the 312-38 exam
• Take Exam: pass the CND Exam 312-38 (ECC Exam Portal); the outcome is Pass or Fail
• On a Pass: CND Certification Achieved

Exam details:
• Exam Code: 312-38
• Number of Questions: 100
• Duration: 4 hours
• Exam Title: Certified Network Defender
• Availability: ECC Exam Portal
• Passing Score: 70%

The training center / instructor will advise you about the exam schedule and voucher details. This is a difficult exam and requires extensive knowledge of the CND modules.

Class logistics: Building Hours, Class Hours, Phones, Restrooms, Parking, Meals, Smoking, Recycling.

NDA: Please read the contents of the provided EC-Council CND NDA document. We will NOT start the class unless you sign this document. Sign this document and hand it over to the instructor. Please approach the instructor if you are not presented with this document.

What Does CND Teach You?

Network Security Technologies:
• Physical security
• Access control mechanism
• Firewalls / IDS implementation
• Proxy servers
• OS hardening / patching
• Packet / content filtering
• Antivirus protection
• Product evaluation based on common criteria
• Encryption mechanism
• Password security
• Authentication mechanism
• DMZ (demilitarized zones)
• Configuration management
• Network logs audit

Network Security Operations:
• Creating and enforcing security policies
• Creating and enforcing standard network operating procedures
• Planning business continuity
• Configuration control management
• Creating and implementing incident response processes
• Planning data backup and recovery
• Conducting forensics activities on incidents
• Providing security awareness and training
• Enforcing security as culture

• There are tons of networking tools and technologies covered in the curriculum.
• Instructors WILL NOT be able to demonstrate ALL the tools in this class; they will showcase only selected tools.
• The students are required to practice with the tools not demonstrated in the class on their own.
• Lab sessions are designed to reinforce the classroom sessions. The sessions are intended to give hands-on experience only and do not guarantee proficiency.

[Figure: classroom lab environment. Instructor Machine: Windows Server 2012. Student Machines: Windows 10, Ubuntu Linux, Windows Server 2008, NST Machine, OSSIM Machine.]

Student Computer Checklist

Check if your machine has the following OSes installed (fully patched); the checklist in the figure includes OSSIM as a VM.

Module 01: Computer Network and Defense Fundamentals

Module objectives:
• Understanding computer networks
• Understanding different types of networks
• Describing various network topologies
• Understanding various network components
• Describing OSI and TCP/IP network models
• Explaining various protocols in the TCP/IP protocol stack
• Explaining IP addressing concepts
• Comparing OSI and TCP/IP network models
• Understanding Computer Network Defense (CND)
• Describing fundamental CND attributes
• Describing CND elements
• Describing the CND process and approaches

This module briefs you on the basic concepts of computer networks, including types of networks, network topologies, network models, and the various protocols used in computer networking. It also introduces the fundamental concepts of computer network defense (CND), including CND attributes, the different layers of CND, the CND process, etc. The aim of this module is to give students a brief overview of basic networking concepts and help you understand what CND comprises. These CND fundamentals are addressed here and then elaborated on separately in subsequent modules to attain defense-in-depth (DiD) network security.


• A computer network is a group of computing systems connected together to allow electronic communication.
• The network model lays the foundation for the successful establishment of communication between two computing systems, irrespective of their underlying internal structure and technology.
• It allows users to share information between various resources such as computers, mobile phones, printers, scanners, etc.
• Standard network models: Open System Interconnection (OSI) Model; TCP/IP Model.

A computer network is a group of computers connected to each other for easy sharing of information and resources. The computers share information using a data path. A commonly known computer network is the Internet. Features of computer networks include:
• Allows sharing of resources from one computer to another.
• Allows storing files and other information on one computer, with other computers accessing those files and information.
• Any device connected to a computer can access the files and information stored on another computer via the network.

Many fields, such as electrical engineering, telecommunications, computer science, and information technology, make use of computer networking concepts. These allow easy communication between users by means of chat, email, instant messaging, etc. The computer network allows sharing of data across networks.


Open System Interconnection (OSI) Model

The OSI model is the standard reference model for communication between two end users in a network. It comprises seven layers, of which the top four layers are used when a message transfers to or from a user and the lower three layers are used when a message passes through the host computer.

OSI MODEL

Host layers:
Layer            Function                                                                                              Data Unit
7. Application   Network process to application                                                                        Data
6. Presentation  Data representation, encryption and decryption, converting machine-dependent data to machine-independent data   Data
5. Session       Interhost communication, managing sessions between applications                                       Data
4. Transport     End-to-end connections, reliability, and flow control                                                 Segments

Media layers:
Layer            Function                                                                                              Data Unit
3. Network       Path determination and logical addressing                                                             Packet/Datagram
2. Data Link     Physical addressing                                                                                   Frame
1. Physical      Media, signal, and binary transmission                                                                Bit

Open System Interconnection (OSI) is a reference model that defines the communication of data over the network. It is a framework that portrays the flow of data from one device to another over the network. The OSI model classifies the communication between two end points into seven different layers. The logic behind this division is that the communicating user provides the functions of each of the seven layers. The communication between two users occurs as a downward flow of data through the layers of the source computer. Then, it traverses across the network and flows upwards through the layers of the destination computer. Features of the OSI model include:
• Provides a clear understanding of communication over the network.
• Displays the working of software and hardware.
• Helps users in understanding newer technologies.
• Easy comparison of the functional relationships between different networks.

The OSI model has a set of protocols that allows the object on one host to communicate with the corresponding object on another host.


[FIGURE 1.1: OSI Reference Model. Two hosts, each with the seven layers (Application, Presentation, Session, Transport, Network, Data Link, Physical), communicating through an intermediate node; peer layers on the two hosts are linked by a protocol, adjacent layers on one host by an interface.]

Each layer in the OSI model has a different level of generalization and performs a distinct function. The principles involved in developing the seven layers of the OSI model are as follows:
• Each layer needs to meet a different concept or overview; thus, creating each layer depends on the level of abstraction.
• Each layer needs to have a distinct functionality.
• The function performed by each layer needs to be in accordance with the standard protocols at each layer.
• All the functions should not be present in the same layer. The selection of layers depends on the number of functions performed.


The TCP/IP model is a framework for the Internet Protocol suite of computer network protocols that define communication in an IP-based network.

Application Layer
  Functions: Handles high-level protocols, issues of representation, encoding, and dialog control
  Protocols: File Transfer (TFTP, FTP, NFS), Email (SMTP), Remote Login (Telnet, rlogin), Network Management (SNMP), Name Management (DNS)

Transport Layer
  Functions: Constitutes a logical connection between the endpoints and provides transport services from the source to the destination host
  Protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)

Internet Layer
  Functions: Selects the best path through the network for packets to travel
  Protocols: Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP)

Network Access Layer
  Functions: Defines how to transmit an IP datagram to the other devices on a directly attached network
  Protocols: Ethernet, Fast Ethernet, SLIP, PPP, FDDI, ATM, Frame Relay, SMDS, ARP, Proxy ARP, RARP

The TCP/IP protocol is a four-layered protocol developed by the Department of Defense (DoD). Each layer in this model performs a different function, and the flow of data occurs from layer 4 to 1 on the sending machine and from layer 1 to 4 on the destination machine. The TCP/IP model describes the end-to-end communication between two machines, thereby determining the addressing, routing, and transmission of the data. The four layers in the TCP/IP model are:
• Application layer (Layer 4): Provides data access to applications.
• Transport layer (Layer 3): Manages host-to-host interactions.
• Internet layer (Layer 2): Provides internetworking.
• Network Access layer (Layer 1): Provides communication of data within the same network.

Network Access Layer - Layer 1
The Network Access layer is the lowest layer in the TCP/IP model. It handles the flow of data to the Internet layer between two hosts in the same network. The network-to-host layer adds a packet header to the data frame and sends it over a physical medium. The layer consists of functions such as modulation, bit and frame synchronization, and error detection. The protocols used in this layer are Ethernet, Token Ring, FDDI, X.25, Frame Relay, RS-232, and V.35.

Internet Layer - Layer 2
The Internet layer mainly deals with the communication of packets over the network.


It performs internetworking by sending data from the source network to the destination network. The functions performed by the Internet layer are as follows:
• Host addressing and identification
• Packet routing

The Internet layer is wholly responsible for managing the TCP/IP protocol framework. In this protocol, the sequence of the packets received at the destination network differs from the sequence of the packets sent from the source network. IP, ICMP, ARP, and RARP are the protocols used in this layer.

Transport Layer - Layer 3
The Transport layer determines the status of the data communicated between the source and the destination. The functionalities of the Transport layer include end-to-end communication, error control, segmentation, flow control, and application addressing. End-to-end communication is of two types: connection-oriented and connectionless. TCP implements connection-oriented communication, whereas UDP initiates connectionless communication. The TCP layer determines whether the data transmission occurs in a parallel path or in a single path. The layer enables the application to read from and write to the transport layer by adding header information to the data. The transport layer sends the data in small units so that the network layer can handle the data more efficiently. TCP, UDP, and RTP are the protocols used in the Transport layer.

Application Layer - Layer 4
The Application layer consists of the protocols used by the applications. These applications provide user services and data over the network connections recognized by the lower-layer protocols. The application layer protocols deal with client-server applications and other services that have well-known port numbers earmarked by the Internet Assigned Numbers Authority (IANA). HTTP, Telnet, FTP, TFTP, SNMP, DNS, SMTP, X Windows, and other application protocols are used in the application layer.
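As an added example (not code from the EC-Council courseware), the following Python builds an Ethernet/IPv4/UDP frame top-down, as the text describes data flowing from layer 4 to layer 1 on the sender, then de-encapsulates it bottom-up as the receiving host's layers would, naming the data unit at each step as in the OSI table above (frame, packet/datagram, segment, data). All MAC and IP addresses and the payload bytes are constructed; the per-layer checks show why a defender's monitoring tool must validate each header before trusting the fields inside it. Requires Python 3.8 or later.

```python
"""Layer-by-layer encapsulation and de-encapsulation of a constructed Ethernet/IPv4/UDP
frame. Added example for the CND layer discussion; not EC-Council courseware code."""
import struct

# TCP/IP layer -> OSI layers it spans and the data-unit name from the OSI table in the text.
LAYER_INFO = {
    "Network Access": "OSI 1-2 (Physical, Data Link): frame",
    "Internet": "OSI 3 (Network): packet/datagram",
    "Transport": "OSI 4 (Transport): segment",
    "Application": "OSI 5-7 (Session, Presentation, Application): data",
}
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Sender side (layer 4 down to 1): data -> UDP segment -> IPv4 packet -> Ethernet frame."""
    ip = lambda text: bytes(int(octet) for octet in text.split("."))
    mac = lambda text: bytes.fromhex(text.replace(":", ""))
    # Transport: UDP header; checksum 0 means "not computed", which UDP over IPv4 permits.
    segment = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # Internet: 20-byte IPv4 header (version/IHL, TOS, total length, ID, flags, TTL, proto).
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                         64, PROTO_UDP, 0, ip(src_ip), ip(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    # Network Access: Ethernet II header (destination MAC, source MAC, EtherType).
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + header + segment


def decapsulate(frame: bytes) -> list:
    """Receiver side (layer 1 up to 4): strip one header per layer, validating each one
    before trusting the fields inside it. Returns [(layer, fields)] in processing order."""
    seen = []
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    seen.append(("Network Access", {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
                                    "ethertype": ethertype}))
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 packet")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    _, _, total_len, _, _, ttl, proto, cksum, src_ip, dst_ip = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    # Recompute the header checksum with the checksum field zeroed; reject on mismatch.
    if ipv4_checksum(packet[:10] + b"\x00\x00" + packet[12:ihl]) != cksum:
        raise ValueError("bad IPv4 header checksum")
    if total_len < ihl + 8 or total_len > len(packet):
        raise ValueError("IPv4 total length inconsistent with captured bytes")
    seen.append(("Internet", {"src": ".".join(map(str, src_ip)),
                              "dst": ".".join(map(str, dst_ip)), "ttl": ttl, "proto": proto}))
    if proto != PROTO_UDP:
        raise ValueError("not a UDP segment")
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    if udp_len != len(segment):
        raise ValueError("UDP length field disagrees with IPv4 payload length")
    seen.append(("Transport", {"src_port": src_port, "dst_port": dst_port}))
    seen.append(("Application", {"data": segment[8:]}))
    return seen


def is_well_formed(frame: bytes) -> bool:
    """True when every layer's header passes the checks in decapsulate()."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


# Constructed sample: host 10.0.0.1 sends a 12-byte payload to UDP port 53 on 10.0.0.53.
SAMPLE_PAYLOAD = b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # constructed bytes
SAMPLE_FRAME = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                           "10.0.0.1", "10.0.0.53", 40000, 53, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for layer, fields in decapsulate(SAMPLE_FRAME):
        print(f"{layer:15s} {LAYER_INFO[layer]:55s} {fields}")
```

Flipping a single TTL byte in the constructed frame makes the IPv4 checksum check fail, and a frame cut short fails the length checks instead of crashing the parser.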

Advantages of TCP/IP model:

It serves as a client-server architecture.

It functions independently.

It consists of many routing protocols.

Initiates a connection between two computers.

Disadvantages of TCP /IP model:

Complex to setup.

No assurance of packet delivery in the transport layer.

Not an easy task to replace protocols.

No visible parting between the services, protocols and interfaces.

Module 01 Page 8

Certified Network Defender Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Exam 312-38


Comparing OSI and TCP/IP

• The TCP/IP model is based on the practical implementation of protocols around which the Internet has developed, whereas the OSI model, often referred to as a reference model, is a generic protocol-independent standard.

• The OSI model has seven layers (Application, Presentation, Session, Transport, Network, Data Link, Physical); the TCP/IP model has four (Application, Transport, Internet, Network Access). The OSI Application, Presentation and Session layers correspond to the TCP/IP Application layer, and the OSI Data Link and Physical layers correspond to the TCP/IP Network Access layer.

• At the transport layer, TCP/IP supports both connectionless and connection-oriented communication, whereas the OSI model supports only connection-oriented communication.

• The OSI model defines services, interfaces and protocols, whereas TCP/IP does not provide a clear distinction between these.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

OSI Model

The main aim behind the OSI model is to standardize and ease the communication between the communicating parties using certain standard protocols. It generalizes the communication between computers in terms of layers. The OSI model has seven layers. In this model, each layer serves the layer above it, so the working of each layer depends on the layers below it.

TCP/IP Model

TCP/IP remains the basic protocol for communication. It finds its application both in intranets and in extranets. TCP/IP consists of four layers, of which the upper layers manage the assembling of the packets into the original message and the lower layers manage the address part of each packet and forward it to the right destination.


Classification of networks based on the physical location or the geographical boundaries

• Local Area Network (LAN): Usually possessed by private organizations and connects the nodes of a single organization or premises; designed to facilitate the sharing of resources between PCs or workstations.

• Wide Area Network (WAN): Provides transmission solutions for companies or groups who need to exchange information between multiple remote locations, which may be in different countries or even continents; provides trustworthy, quick and secure communication between two or more places with short delays and at low cost.

• Metropolitan Area Network (MAN): Huge computer networks covering a whole city; a MAN can be completely owned and monitored by a private organization, or it can be provided as a service by a public organization such as a telecommunications company.

These networks may differ in many ways: for example, by size, by function or by the geographical distance covered. The services provided by the networks differ according to their layout. Networks that differ by size depend on the area the network occupies and the number of computers in it, which can vary from a single computer to millions of computers. The different networks, based on the size of the area they cover, are:

• Local Area Network (LAN)

• Wide Area Network (WAN)

• Metropolitan Area Network (MAN)

• Personal Area Network (PAN)

• Campus Area Network (CAN)

• Global Area Network (GAN)

Local Area Network (LAN)

A LAN consists of computers and their related devices that share information over the same communication line. A LAN may extend only within an office building or home and can handle hundreds of users. The two commonly used LAN technologies are Ethernet and Wi-Fi. Virtual LANs enable network administrators to provide a network connection to a group of nodes. A LAN enables the use of many application programs, which users can obtain by simply downloading them from the LAN. Wireless LANs are becoming much more popular because of their greater flexibility and lower cost compared to wired LANs.

FIGURE 1.2: LAN (Local Area Network)

Advantages:

• Allows sharing of printers between the computers at home or in the office.

• Gives users the privilege of working from any system in the LAN.

• Allows storage of files in a single folder and sharing them between the users on the network.

Disadvantages:

• As it provides a file sharing facility, it requires separate security measures to restrict access to certain files and folders.

• Any small issue in the file server can affect all the users of that server.

Wide Area Network (WAN)

A WAN is spread over a larger geographical area and is more far-reaching than a LAN. WANs usually connect the nodes in the network using leased telecommunication lines, which carry information efficiently across the various computers in the network. WANs can connect different LANs into one network. Most often, public networks are connected to the wide area network. LANs connect to WANs for quick and secure transfer of data. However, WANs require a group of authorities to manage them.

Features of WAN:

• WANs generally provide larger and dedicated network services, and always try to deliver services according to business requirements.

• WANs have a lower data transfer rate than LANs.


FIGURE 1.3: WAN (Wide Area Network)

Advantages:

• A WAN connects places that are geographically far apart from each other without high cost or difficulty in implementation.

Disadvantages:

• Very complex in structure.

• Provides only lower bandwidth and has a higher risk of losing the connections.

Metropolitan Area Network (MAN)

A MAN stretches over an even larger geographical area than a LAN, but a smaller one than a WAN. It refers to the interconnection of networks spread across a city or town. Several LANs grouped together form a MAN. MANs provide secure, efficient communication by making use of fiber optic cables. The MAN provides shared network connections to its users.

FIGURE 1.4: MAN (Metropolitan Area Network)

Advantages:

• The links connecting the computers in a MAN have a much higher bandwidth, allowing for easy sharing of data.

• Allows multiple users to share the data at the same speed.

Disadvantages:

• Requires installation before it can be deployed for the first time.

• Costly when compared to LANs.


Types of Networks (Cont'd)

• Personal Area Network (PAN): Wireless communication that uses both radio and optical signals; covers an individual's work area or work group and is also known as a room-size network.

• Campus Area Network (CAN): Covers only a limited geographical area; this kind of network is applicable for a university campus.

• Global Area Network (GAN): Combination of different interconnected computer networks; covers an unlimited geographical area; the Internet is an example of a GAN.

Personal Area Network (PAN)

A Personal Area Network refers to the interconnection of devices within a certain range. For example, a person can connect a laptop, mobile phone, tablet etc. to the wireless network within a certain distance without having to physically plug anything into the devices. This allows file and information sharing among the devices connected to that network.

FIGURE 1.5: PAN (Personal Area Network): transmission of data through short-range radio waves between wireless-enabled devices


Campus Area Network (CAN)

A campus area network consists of multiple connected local area networks within a certain geographical area. Most government organizations and universities make use of campus area networks. The size of a campus area network is much smaller than a MAN or a WAN. It uses optical fiber to connect the nodes in the campus network. For example, different buildings in a campus can use a campus area network for interconnection, thereby allowing the sharing of information between different departments. A CAN costs less to implement and is highly beneficial and economical because of the high-speed data transfer from any section of the network.

Features:

• Cost-effective.

• Allows interconnection between various departments in a campus.

• It provides a single shared data transfer rate.

• Resistant to failure.

• The campus area network is highly flexible to the changes of an evolving network.

• A CAN offers a highly secure network by authenticating the users accessing the network.

Global Area Network (GAN)

A Global Area Network consists of different interconnected networks extending over an unlimited geographical area. A GAN covers a larger geographical area than a LAN or a WAN. A GAN enables transfer of data from one point to another even when the points are not directly connected to each other: they can connect through a central server, or each point can pass the data on to the next until it reaches the destination. A GAN supports mobile communication for a number of wireless LANs. Broadband GAN (BGAN) is the most commonly used GAN; it uses portable terminals to connect computers at different locations to the Internet.

Advantages of GAN:

• A GAN allows the interconnection of multiple networks and enables proper sharing of data without tampering with it.

• Enables the storage of files on a central server, thereby allowing easy access to files across different networks.

• A GAN enforces security on access to these files by imposing access restrictions.


Network Topologies

Network topology is a specification that deals with a network's overall design and the flow of data in it.

Types of topology:

• Physical Topology: the physical layout of nodes, workstations and cables in the network

• Logical Topology: the way information flows between different components

Physical network topologies:

• Bus Topology: network devices are connected to a central cable, called a bus, with the help of interface connectors

• Star Topology: network devices are connected to a central computer called a hub, which functions as a router to send messages

• Ring Topology: network devices are connected in a closed loop; data travels from node to node, with each node along the way handling every packet

• Mesh Topology: network devices are connected in such a way that every device has a point-to-point link to every other device on the network

• Tree Topology: a hybrid of bus and star topologies, in which groups of star-configured networks are connected to a linear bus backbone cable

• Hybrid Topology: a combination of any two or more different topologies; Star-Bus or Star-Ring topologies are widely used

Network Topologies (Cont'd): diagrams of the Linear Bus, Mesh, Star, Ring and Tree topologies (nodes, server, router, printer and Internet connection)

Topologies define the logic of connecting computers over a network. A topology defines the structure of a network and determines its physical or logical layout. The physical topology defines the arrangement of the components of the computer systems, whereas the logical topology defines how data flows between the computers in the network. The available topologies are:

Star Topology

A star topology consists of a central node (hub) connected to the other computers in the network using cables. Each node or computer in the network connects individually to the central node. Adding nodes to a star network is an easy task. Damage to the connection between any node and the central node does not affect the working of the other nodes in the network, but damage to the hub can bring down the whole star. Here, the central node or hub acts as the server and the attached computers act as the clients. All data to the respective nodes passes through the central node or hub, which acts as the intersection connecting all nodes in the star network. The hub can connect to the hubs of other networks and act as a repeater or signal booster. The computer nodes connect to the hub using unshielded twisted pair Ethernet cable. The following factors determine whether the hub is active or passive:

• The central node or hub performing processes like data amplification, regeneration, etc.

• The central node regulating the movement of the data.

• The network requiring electrical power resources.

FIGURE 1.6: Star Topology

Advantages:

• Enables centralized management of the network through the central node or hub.

• Enables easy addition and removal of computer nodes to and from the star network.

• Failure of one computer node has no impact on the rest of the nodes in the network.

• Enables easy detection of failures and errors in the network, which helps in finding better methods to solve the issue.


Disadvantages:

• Any failure of the central node affects the whole network.

• Using routers or switches as the central node increases the cost of implementing the network.

• The addition of new nodes to the network depends on the capacity of the central node.

Bus Topology

Here, a single cable serves all the computers in the network and carries all the information intended for all nodes. Damage to the connection between any node and the main cable can affect the passage of data over the cable. In the bus topology, the network broadcasts the signal sent by any node, so the signal reaches all the nodes attached to the cable. The node whose IP and MAC address match those given in the signal accepts it, while the other nodes reject it. Every cable in the bus network has a terminator attached at both ends. The terminator prevents signals from bouncing: it absorbs the signals reaching the end of the cable. Without it, a signal would bounce back in the direction it came from, and if two signals bounce back at the same time from opposite directions, they collide. There are two types of bus topology: linear and distributed. In a linear bus topology, there is only a single line attached to the two end points. A distributed bus topology can have more than one linear pattern attached to the network.

FIGURE 1.7: Bus Topology

Advantages:

• Easy to add new nodes to the bus network.

• Low cost of implementation.

• Works better in small networks.

• Requires less cabling than a star network.


Disadvantages:

• The number of computer nodes that can be added depends on the length of the cable.

• Any issue in the main cable can affect the whole network.

• Terminators at both ends of the cable are a must.

• Very high maintenance cost.

• Not suitable for networks with very high traffic.

• As all nodes receive every signal sent from the source, it affects the security of the network.

Ring Topology

A ring topology connects all nodes in the network in a closed loop. Data circulates around the ring until the intended recipient accepts it. Damage to any one node can affect the whole ring network. Data travels on the network in one direction. Sending and receiving data takes place with the help of a token: the source attaches its data to the token and passes the token to the next node. Each node checks whether the data is meant for itself; if so, it accepts the data and releases an empty token back onto the network, otherwise it passes the token on to the next node. Only the node holding the token can send data; the other nodes must wait until they receive the empty token. Schools, offices and small buildings commonly use ring topology.

FIGURE 1.8: Ring Topology

Advantages:

• Unidirectional flow of traffic.

• Every node can send data after receiving the empty token.

• No need for a centralized network server to manage the computer nodes.

• Better performance than bus topology in scenarios where the traffic load increases.

• Every computer node has the same level of access to the resources.

• Adding new components to the system does not affect the performance of the whole network.


Disadvantages:

• Slow, as the signals need to pass through each node in the network.

• Any issue in any one of the nodes can affect the entire network.

• Needs a large amount of cabling to connect the network nodes, which increases the cost of implementation.

• Bandwidth is shared among all the nodes.

Mesh Topology

All the nodes or computers in the network connect with each other. The design ensures the passage of data between every pair of computers even when one computer fails. Each node in the network sends its own data to other nodes and also relays data from other nodes. The mesh topology does not find much use in organizations because of its huge implementation cost; it is, however, widely used in wireless networks.

Figure: Mesh Topology (every node linked point-to-point to every other node)

[IP header figure, partial: Address, Options (if any), Data]

The protocol field in the IP header identifies the service in the next higher level of the protocol stack. The field is eight bits long, so it can encode 256 protocol values. Multiple higher-layer protocols can use IP (multiplexing). The IANA "Assigned Numbers" registry specifies the values for the various protocols. Some common protocol values (1 octet) are as follows:

• 0 (0x00) IPv6 Hop-by-Hop Option

• 1 (0x01) ICMP protocol

• 2 (0x02) IGMP protocol

• 4 (0x04) IP over IP

• 6 (0x06) TCP protocol

• 17 (0x11) UDP protocol

• 41 (0x29) IPv6 protocol


What is Internet Protocol v6 (IPv6)?

• IPv6, also called IPng or the next generation protocol, provides a base for enhanced Internet functionalities.

• The most important feature of IPv6 is that it offers a larger address space than IPv4.

• IPv6 contains both addressing and control information to route packets for the next-generation Internet.

IPv6 features that provide a platform for the growth of IT development:

• Expandable address space (large and diverse) and routing capabilities

• Scalable to new users and services

• Auto configuration ability (plug-n-play)

• Mobility (improves the mobility model)

• End-to-end security (high comfort factor)

• Extension headers (offer enormous potential)

• Better authentication and privacy checks

• Support for source demand routing protocol

• Improved Quality of Service (QoS)

Internet Protocol version 6 is the most recent version of the Internet Protocol. It provides a mechanism for identifying the computers in the network and routes traffic across the Internet. To meet the increasing requirements, the Internet Engineering Task Force (IETF) started a working group called Internet Protocol next generation (IPng) to carry out research, experiments and recommendations for a new-generation IP. It eventually produced the specification for Internet Protocol version 6 (IPv6), described in Internet standard document RFC 2460. Experts consider IPv6 a replacement for IPv4. IPv6 uses source and destination addresses to carry data packets over the network, the same as IPv4. IPv6 has a very large address space: its addresses are 128 bits long, compared to 32 bits in IPv4.

The features of IPv6 include:

• IPv6 is an internet-layer protocol for packet-switched internetworking; it provides end-to-end transmission of data across multiple IP networks.

• IPv6 is capable of providing a large address space for the increasing demands of Internet users.

• It has a new packet header format that minimizes packet-processing overhead for routing entries. Routers can process IPv6 headers efficiently and easily.

• IPv6 has globally unique addresses with an efficient, hierarchical routing infrastructure that relies on prefix length rather than address classes. This allows backbone routers to keep small routing tables.


• IPv6 simplifies host configuration with stateless and stateful address configuration for network interfaces.

• In IPv6, hosts on a link can automatically configure themselves with link-local addresses, and with addresses formed from the prefixes advertised by the local routers. When a host sends a request to a local router in order to join that network, the router responds with its configuration parameters, which lets the host configure itself automatically with the available router. An IPv6 host can even configure a link-local address when no router is present.

• IPv6 has an inbuilt security feature, integrated Internet Protocol Security (IPsec): a set of Internet standards based on cryptographic security services that provide confidentiality, data integrity and authentication.

• IPv6 supports unicast and multicast communication along with a new communication type called anycast. A message sent to an anycast address is delivered to one of the interfaces (typically the nearest) that share that address.

• IPv6 provides better support for quality of service (QoS) with proper management of network traffic.
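The stateless autoconfiguration described above can be followed in code. The example below is added here and is not part of the EC-Council courseware; it implements the modified EUI-64 method of RFC 4291 (Appendix A), by which a host derives a 64-bit interface identifier from its 48-bit MAC address and appends it to the fe80::/64 link-local prefix, or to a /64 prefix a router advertises. The MAC address and prefix used are constructed sample values. The last function takes the defender's view: an address built this way embeds the host's MAC, which is why privacy extensions (RFC 4941) exist and why an inventory tool can recognise such addresses.

```python
import ipaddress
from typing import Optional

LINK_LOCAL_PREFIX = ipaddress.IPv6Network("fe80::/64")


def modified_eui64(mac: str) -> bytes:
    """64-bit interface identifier from a 48-bit MAC (RFC 4291 Appendix A):
    split the MAC in two, insert 0xFFFE in the middle, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                      # bit 1 of the first octet is the U/L bit
    return bytes(iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Address a host can assign itself with no router present: fe80::/64 + interface identifier."""
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX.network_address.packed[:8] + modified_eui64(mac))


def address_from_advertised_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address formed from a /64 prefix learned from a router advertisement plus the same identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac))


def embedded_mac(addr: str) -> Optional[str]:
    """Defender's check: if the interface identifier carries the ff:fe marker, the host's
    MAC is recoverable from its address. Returns the MAC, or None for other identifiers."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                      # undo the U/L bit flip
    return ":".join("%02x" % b for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00:1c:42:aa:bb:cc"           # constructed sample MAC
    print("link-local :", link_local_address(mac))
    print("global     :", address_from_advertised_prefix("2001:db8:1:2::/64", mac))
    print("embedded   :", embedded_mac(str(link_local_address(mac))))
```

Because the identifier stays the same whichever prefix is used, a host configured this way is trackable across networks by the lower 64 bits of its address; operating systems therefore default to randomised identifiers for global addresses, and the `embedded_mac` check reports None for those.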


IPv6 Header

Figure: IPv6 fixed header layout, 32 bits (0-31) per row: Version | Traffic Class | Flow Label; Payload Length | Next Header | Hop Limit; Source IP Address (128 bits); Destination IP Address (128 bits)

An IPv6 address is four times larger than an IPv4 address, but the IPv6 header is only twice the size of the IPv4 header. The IPv6 header consists of one fixed header and zero or more extension headers. The extension headers carry information that assists the routers in determining the handling of a packet. The fixed header is 40 bytes (320 bits) long and consists of the following fields:

• Version (4 bits): Specifies the version of the Internet Protocol.

• Traffic class (8 bits): Identifies the data packets that belong to the same traffic class and distinguishes packets with different priorities.

• Flow label (20 bits): Avoids reordering of data packets and maintains the sequential flow of packets belonging to one communication.

• Payload length (16 bits): Tells the router the length of the data carried in the packet's payload.

• Next header (8 bits): Identifies the type of header following the IPv6 header, located at the beginning of the data field (payload) of the IPv6 packet.

• Hop limit (8 bits): Replacement for the time-to-live field in IPv4. Identifies and discards packets that are stuck in an indefinite loop due to routing errors: each router decrements the counter and, when it reaches zero, discards the packet.

• Source IP address (128 bits): IPv6 address of the sending host.

• Destination IP address (128 bits): IPv6 address of the receiving host (destination).


Extension Header

The fixed header carries only the required information. Information that is rarely used or not always required goes into extension headers placed between the fixed header and the upper-layer header. Each extension header is identified by a distinct Next Header value. The Next Header field of the IPv6 fixed header points to the first extension header; when there is more than one, each extension header points to the next, and the last extension header points to the upper-layer header. The sequence of the extension headers is as follows:

IPv6 header
Hop-by-Hop Options header
Destination Options header (1)
Routing header
Fragment header
Authentication header
Encapsulating Security Payload header
Destination Options header (2)
Upper-layer header

FIGURE 1.21: Sequence of IP headers

The extension headers are arranged like a linked list, each header pointing to the one after it.
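The fixed-header field list and the Next Header chain just described can be exercised with a small parser. The code below is an added example, not part of the EC-Council courseware: it decodes the 40-byte fixed header with the bit widths given above, then follows the Next Header chain through the extension headers, using each header's own length field (8-octet units for Hop-by-Hop, Routing and Destination Options; 4-octet units for the Authentication header; a fixed 8 bytes for the Fragment header) until it reaches the upper-layer protocol. It stops at an ESP header, whose contents are encrypted. The sample packet is constructed inline (addresses from the 2001:db8::/32 documentation range, a PadN option in each options header, a dummy TCP SYN). From the defender's side it also flags two orderings RFC 8200 forbids, a Hop-by-Hop header that is not first and a repeated extension header, since middleboxes that skip extension headers are a common cause of inspection gaps.

```python
import ipaddress
import struct

NEXT_HEADER_NAMES = {0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP", 43: "Routing", 44: "Fragment",
                     50: "Encapsulating Security Payload", 51: "Authentication Header",
                     58: "ICMPv6", 59: "No Next Header", 60: "Destination Options"}
# Extension headers whose length can be read from the header itself and walked past.
WALKABLE = {0, 43, 44, 51, 60}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the 40-byte IPv6 fixed header: 4-bit version, 8-bit traffic class,
    20-bit flow label, 16-bit payload length, 8-bit next header, 8-bit hop limit, two 128-bit addresses."""
    if len(pkt) < 40:
        raise ValueError("packet shorter than the 40-byte fixed header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("version field is not 6")
    if 40 + payload_len > len(pkt):
        raise ValueError("payload length field exceeds the captured bytes")
    return {"version": 6, "traffic_class": (first_word >> 20) & 0xFF,
            "flow_label": first_word & 0xFFFFF, "payload_length": payload_len,
            "next_header": next_header, "hop_limit": hop_limit,
            "src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40]))}


def walk_extension_headers(pkt: bytes) -> dict:
    """Follow the Next Header chain from the fixed header to the upper-layer header.
    Returns the chain as (type, name, offset, length) tuples, the upper-layer protocol,
    where it starts, and any RFC 8200 ordering anomalies seen on the way."""
    hdr = parse_fixed_header(pkt)
    end = 40 + hdr["payload_length"]
    offset, nh, chain, anomalies = 40, hdr["next_header"], [], []
    while nh in WALKABLE:
        if offset + 8 > end:
            raise ValueError("truncated extension header at offset %d" % offset)
        nxt, ext_len = pkt[offset], pkt[offset + 1]
        if nh == 44:                      # Fragment header: fixed 8 bytes, length byte is reserved
            length = 8
        elif nh == 51:                    # AH: length in 4-byte units, not counting the first two
            length = (ext_len + 2) * 4
        else:                             # Hop-by-Hop, Routing, Destination Options: 8-byte units
            length = (ext_len + 1) * 8    # not counting the first 8 bytes
        if offset + length > end:
            raise ValueError("extension header at offset %d runs past the payload" % offset)
        if nh == 0 and chain:
            anomalies.append("Hop-by-Hop Options header is not first")
        if nh != 60 and any(t == nh for t, *_ in chain):   # only Destination Options may repeat
            anomalies.append("duplicate %s header" % NEXT_HEADER_NAMES[nh])
        chain.append((nh, NEXT_HEADER_NAMES[nh], offset, length))
        offset += length
        nh = nxt
    return {"fixed": hdr, "chain": chain, "upper_layer": nh,
            "upper_layer_name": NEXT_HEADER_NAMES.get(nh, "protocol %d" % nh),
            "upper_layer_offset": offset, "anomalies": anomalies}


def build_sample_packet(hop_by_hop_first: bool = True) -> bytes:
    """Constructed sample: IPv6 | Hop-by-Hop Options | Destination Options | TCP SYN.
    With hop_by_hop_first=False the two options headers are swapped, which RFC 8200 forbids."""
    pad_n = bytes([1, 4, 0, 0, 0, 0])                 # PadN option: 6 bytes of padding
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)   # 20-byte SYN
    if hop_by_hop_first:
        first_nh = 0
        payload = bytes([60, 0]) + pad_n + bytes([6, 0]) + pad_n + tcp   # HbH -> DestOpts -> TCP
    else:
        first_nh = 60
        payload = bytes([0, 0]) + pad_n + bytes([6, 0]) + pad_n + tcp    # DestOpts -> HbH -> TCP
    first_word = (6 << 28) | (0 << 20) | 0x12345      # version 6, traffic class 0, flow label 0x12345
    fixed = struct.pack("!IHBB", first_word, len(payload), first_nh, 64)
    return (fixed + ipaddress.IPv6Address("2001:db8::1").packed
            + ipaddress.IPv6Address("2001:db8::2").packed + payload)


if __name__ == "__main__":
    for key, value in walk_extension_headers(build_sample_packet()).items():
        print("%-18s %s" % (key, value))
```

The bounds checks against the payload length matter as much as the chain walk itself: a forged length byte in an extension header is exactly what a parser must refuse to follow past the end of the packet.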


TCP/IP Protocol Stack: Internet Control Message Protocol (ICMP)

• IP is an unreliable protocol which does not guarantee the successful delivery of the network packet.

• IP reports to the sender when data transmission fails.

• Internet Control Message Protocol (ICMP) overcomes this basic limitation of IP.

• ICMP is an error-reporting protocol used for diagnostic purposes, generating error messages when there is a problem in the delivery of IP packets.

• ICMP does not overcome the unreliability issues of IP; instead, it reports the failure of data transmission to the sender.

ICMP is an error-reporting protocol used by networking devices such as routers to send error messages. ICMP also carries query messages used by diagnostic applications. ICMP is not a transport protocol that sends data between two communicating systems; network administrators troubleshooting Internet connections are its main users. ICMP transmits its messages as datagrams: an IP header encapsulates the ICMP data, so IP packets carry ICMP in the IP data field. ICMP error messages also contain the IP header of the original message, which helps the end system understand which packet failed and why. The ICMP header follows the IPv4 or IPv6 header; in IPv4 it is identified by protocol number 1. The ICMP header consists of three fields:

• The major type field, which identifies the ICMP message.

• The minor code field, which contains more information regarding the type field.

• The checksum, which detects errors that originated during transmission.

The ICMP data and the quoted IP header follow these three fields.


Format of an ICMP Message

ICMP Types (slide summary)
  0      Echo Reply
  1      Unassigned
  2      Unassigned
  3      Destination Unreachable
  4      Source Quench
  5      Redirect
  6      Alternate Host Address
  7      Unassigned
  8      Echo
  9      Router Advertisement
  10     Router Solicitation
  11     Time Exceeded
  12     Parameter Problem
  13     Timestamp
  14     Timestamp Reply
  15     Information Request
  16     Information Reply
  17     Address Mask Request
  18     Address Mask Reply
  19     Reserved (for Security)
  20-29  Reserved (for Robustness Experiment)
  30     Traceroute
  31     Datagram Conversion Error
  32     Mobile Host Redirect
  33     IPv6 Where-Are-You
  34     IPv6 I-Am-Here
  35     Mobile Registration Request
  36     Mobile Registration Reply
  37     Domain Name Request
  38     Domain Name Reply
  39     SKIP
  40     Photuris
  41-255 Reserved

Type 3: Destination Unreachable Codes
  0   Net Unreachable
  1   Host Unreachable
  2   Protocol Unreachable
  3   Port Unreachable
  4   Fragmentation Needed and Don't Fragment was Set
  5   Source Route Failed
  6   Destination Network Unknown
  7   Destination Host Unknown
  8   Source Host Isolated
  9   Communication with Destination Network is Administratively Prohibited
  10  Communication with Destination Host is Administratively Prohibited
  11  Destination Network Unreachable for Type of Service
  12  Destination Host Unreachable for Type of Service
  13  Communication Administratively Prohibited
  14  Host Precedence Violation
  15  Precedence cutoff in effect

Message layout:
  Type (8 bits) | Code (8 bits) | Checksum (16 bits)
  Parameters
  Data


ICMP messages consist of an IP header that encapsulates the ICMP data. ICMP transmits the data as datagrams. ICMP packets are IP packets with ICMP in the IP data portion. ICMP messages also contain the entire IP header from the original message, so the end system knows which packet failed. The structure of an ICMP message consists of three fields that have the same size and the same meaning in all ICMP messages. The values in the fields are not the same for each ICMP message type. The unique part contains fields that are specific to each type of message. The common message format is the same for ICMPv4 and ICMPv6.


Type: This field identifies the ICMP message type. For ICMPv6, values from 0 to 127 are error messages and values 128 to 255 are informational messages. The length of this field is 1 byte. The types are defined as:

Type    Name
0       Echo Reply
1       Unassigned
2       Unassigned
3       Destination Unreachable
4       Source Quench
5       Redirect
6       Alternate Host Address
7       Unassigned
8       Echo
9       Router Advertisement
10      Router Solicitation
11      Time Exceeded
12      Parameter Problem
13      Timestamp
14      Timestamp Reply
15      Information Request
16      Information Reply
17      Address Mask Request
18      Address Mask Reply
19      Reserved (for Security)
20-29   Reserved (for Robustness Experiment)
30      Traceroute
31      Datagram Conversion Error
32      Mobile Host Redirect
33      IPv6 Where-Are-You
34      IPv6 I-Am-Here
35      Mobile Registration Request
36      Mobile Registration Reply
37      Domain Name Request
38      Domain Name Reply
39      SKIP
40      Photuris
41-255  Reserved

TABLE 1.1: ICMP types


Code: This field identifies the subtype of message within each ICMP message Type value. For each message type, the field allows defining up to 256 subtypes. The length of this field is 1 byte. The codes for Type 3 (Destination Unreachable) are defined as:

Code    Name
0       Net Unreachable
1       Host Unreachable
2       Protocol Unreachable
3       Port Unreachable
4       Fragmentation Needed and Don't Fragment was Set
5       Source Route Failed
6       Destination Network Unknown
7       Destination Host Unknown
8       Source Host Isolated
9       Communication with Destination Network is Administratively Prohibited
10      Communication with Destination Host is Administratively Prohibited
11      Destination Network Unreachable for Type of Service
12      Destination Host Unreachable for Type of Service
13      Communication Administratively Prohibited
14      Host Precedence Violation
15      Precedence cutoff in effect

TABLE 1.2: ICMP codes

Checksum: The length of this field is 2 bytes. This 16-bit checksum field is calculated in a manner similar to the IP header checksum in IPv4. It provides error detection coverage for the entire ICMP message.

Data: This field includes the specific fields used to implement each message type. The size of this field is variable.

FIGURE 1.22: ICMP message format
  Type (8 bits) | Code (8 bits) | Checksum (16 bits)
  Parameters
  Data
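To make the three common fields and the checksum rule concrete, here is an added Python example (not code from the EC-Council courseware) that packs and parses ICMP messages laid out as in Figure 1.22. It computes the one's-complement checksum over the whole message, verifies it on receipt, and for a Destination Unreachable message extracts the embedded original IP header so the receiver can see which datagram failed. The sample messages are constructed for the example; the addresses 192.168.168.1 and 192.168.168.3 are the hosts from the ARP slide in this module, and the identifier, sequence number and port numbers are arbitrary.

```python
import struct

# Type and code names taken from Table 1.1 and Table 1.2 on this page (a subset).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo",
              11: "Time Exceeded", 12: "Parameter Problem"}
UNREACHABLE_CODES = {0: "Net Unreachable", 1: "Host Unreachable",
                     2: "Protocol Unreachable", 3: "Port Unreachable",
                     4: "Fragmentation Needed and Don't Fragment was Set",
                     13: "Communication Administratively Prohibited"}


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words over the whole ICMP message
    (the same method as the IPv4 header checksum mentioned in the text)."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length message for the last word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int, parameters: int, data: bytes) -> bytes:
    """Pack Type(8) | Code(8) | Checksum(16) | Parameters(32) | Data, as in Figure 1.22,
    computing the checksum with the checksum field zeroed."""
    header = struct.pack("!BBHI", msg_type, code, 0, parameters)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHI", msg_type, code, csum, parameters) + data


def parse_icmp(msg: bytes) -> dict:
    """Decode the common header and verify the checksum. For Destination Unreachable
    (type 3) also pull out the embedded IP header of the failed datagram."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    msg_type, code, _csum, parameters = struct.unpack("!BBHI", msg[:8])
    info = {"type": msg_type, "type_name": ICMP_TYPES.get(msg_type, "Other"),
            "code": code, "parameters": parameters, "data": msg[8:],
            # summing a message whose checksum field is correct yields 0
            "checksum_ok": icmp_checksum(msg) == 0}
    if msg_type == 3:
        info["code_name"] = UNREACHABLE_CODES.get(code, "Other")
        data = msg[8:]
        if len(data) >= 20:                  # IPv4 header of the original datagram
            ihl = (data[0] & 0x0F) * 4
            info["original"] = {
                "src": ".".join(str(b) for b in data[12:16]),
                "dst": ".".join(str(b) for b in data[16:20]),
                "protocol": data[9],
                "first_8_bytes": data[ihl:ihl + 8],   # usually the transport header
            }
    return info


def sample_echo_request() -> bytes:
    """Constructed sample: Echo (type 8) with identifier 0x1234, sequence 1."""
    return build_icmp(8, 0, (0x1234 << 16) | 1, b"abcdefgh")


def sample_port_unreachable() -> bytes:
    """Constructed sample: Port Unreachable (type 3, code 3) reporting a failed UDP datagram
    from 192.168.168.1 to 192.168.168.3 (hosts taken from the ARP slide in this module)."""
    orig_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                          bytes([192, 168, 168, 1]), bytes([192, 168, 168, 3]))
    orig_udp = struct.pack("!HHHH", 40000, 53, 8, 0)   # src port, dst port, length, checksum
    return build_icmp(3, 3, 0, orig_ip + orig_udp)


if __name__ == "__main__":
    print(parse_icmp(sample_echo_request()))
    print(parse_icmp(sample_port_unreachable()))
```

Re-summing a message that already carries a correct checksum yields 0, which is the check parse_icmp() relies on. A defender decoding ICMP from a capture should treat a failed checksum the way a host stack does and ignore the message rather than act on the addresses it reports.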


TCP/IP Protocol Stack: Address Resolution Protocol (ARP)

• ARP is a stateless protocol used for translating IP addresses to machine addresses (MAC)

• ARP request is broadcast over the network, whereas the response is a unicast message to the requester

• The IP address and MAC pair is stored in the system, switch, and/or router's ARP cache, through which the ARP reply passes

[Slide diagram: the host with IP 192.168.168.1 (MAC 00-14-20-01-23-45) wants to connect to 192.168.168.3 but needs its MAC address, so it broadcasts ARP_REQUEST "Hello, I need the MAC address of 192.168.168.3". The request reaches 192.168.168.2 (MAC 00-14-20-01-23-46) and 192.168.168.3 (MAC 00-14-20-01-23-47). Only 192.168.168.3 answers, with a unicast ARP_REPLY "I am 192.168.168.3, MAC address is 00-14-20-01-23-47" (the address the diagram labels for that host); the pair is recorded in the ARP Cache Table and the connection is established. A router with IP 194.54.67.10 and MAC 00:1b:48:64:42:e4 also appears on the diagram.]

The address resolution protocol deals with converting the IP address to a physical address (MAC address). The component "address resolution" refers to identifying the IP address of a computer in a network. ARP is defined in RFC 826 and its Internet Standard is STD 37. The protocol operates below the network layer as a part of the interface between the OSI network and OSI link layers. IPv4 supports ARP when it is used over Ethernet. The address resolution protocol is mainly a request and reply protocol and is captured by the line protocol. The address resolution protocol links only within the limits of the boundaries and does not perform any communication across the internetwork nodes. ARP maintains a table known as the ARP cache that keeps track of MAC addresses and their corresponding IP addresses. However, there are certain rules for maintaining the MAC addresses and IP addresses in the table that enable the conversion from one form to the other.

Working of ARP

The term address resolution refers to the process of finding an address of a computer in a network. The process of ARP is as follows:

• A client process sends a request to the server process to find a physical host or MAC address that matches with the IP address.

• The server sends the message to all connected computers on the network to identify the network system for which the address was required.


• After finding the requested MAC address, the server sends a response to the client process with the requested MAC address.

ARP Cache Table

The ARP cache table stores the matched sets of IP addresses and the corresponding MAC addresses of systems frequently communicating on the network. Each device on the network manages its own ARP cache table. There are two different ways to store cache entries into the ARP cache table:

• Static ARP Cache: These address resolutions are manually added to the cache table for a device and they are kept in the cache on a permanent basis. To manage static entries, use tools such as the ARP software utility.

• Dynamic ARP Cache: These hardware/IP address pairs are added to the cache by the software itself because of successfully completed past ARP resolutions. They are kept in the cache only for a specific period and are then removed.


ARP Packet Format

[Slide diagram, four bytes per row (Byte 0 | Byte 1 | Byte 2 | Byte 3):]
  Hardware Type | Protocol Type
  Hardware Length | Protocol Length | Operation (1 for Request, 2 for Reply)
  Sender's Hardware Address (first 4 bytes of Ethernet address)
  Sender's Hardware Address (last 2 bytes of Ethernet address) | Sender's Protocol Address (first 2 bytes of IP address)
  Sender's Protocol Address (last 2 bytes of IP address) | Target's Hardware Address (2 bytes of Ethernet address, null in ARP request)
  Target's Hardware Address (last 4 bytes of Ethernet address, null in ARP request)
  Target's Protocol Address (4-byte IP address)

  Hardware Type: 1 = Ethernet, 2 = Experimental Ethernet, 3 = Amateur Radio AX.25, 4 = Proteon ProNET Token Ring, 5 = Chaos, 6 = IEEE 802 Networks, etc.
  Protocol Type: IPv4 = 0x0800, IPv6 = 0x86DD
  Hardware Length: 6 for Ethernet
  Protocol Length: 4 for IPv4
  Operation Code: 1 for Request, 2 for Reply

The standard ARP packet has the following fields:

• Hardware Type: This field identifies the type of hardware used for the local network transmitting the ARP message. The size of this field is 2 octets and the value of this field for Ethernet is 1.

• Protocol Type: This field specifies the network protocol for the intended ARP request. The value of the field for IPv4 is 0x0800 and for IPv6 is 0x86DD. The permitted length of this field is 2 octets.

• Hardware Length: This field specifies the length (in octets) of a MAC address in fields 5 and 7 of the ARP packet. For Ethernet, the value of this field is 6.

• Protocol Length: This field specifies the length (in octets) of the protocol addresses in fields 6 and 8 of the ARP packet. The address length for IPv4 is 4.

• Operation: This field specifies the operation that the sender is performing. The value for an ARP request is 1 and for an ARP reply is 2.

• Sender's Hardware Address: This field contains the MAC address of the device sending the message, such as the IP datagram source device on a request and the IP datagram destination on a reply.

• Sender's Protocol Address: This field contains the IP address of the device sending this message.


• Target Hardware Address: This field contains the MAC address of the intended receiver. In an ARP request, this field is ignored (zero). In an ARP reply, this field indicates the address of the host that originated the ARP request.

• Target Protocol Address: This field contains the IP address of the intended destination device.
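As an added example (not the courseware's code), the following Python packs and unpacks the nine-field Ethernet/IPv4 ARP packet described above and models the ARP cache table with static and dynamic entries: a request carries a zeroed target hardware address, a reply fills it in, a learned (dynamic) mapping expires after its lifetime, and a static one is kept and is not replaced by learned data. The addresses are those from the slide (192.168.168.1 with 00-14-20-01-23-45 and 192.168.168.3 with 00-14-20-01-23-47); the timestamps, the 60-second lifetime and the cache's refusal to overwrite static entries are choices made for this example.

```python
import struct

HW_ETHERNET = 1         # Hardware Type for Ethernet (value given on the page)
PROTO_IPV4 = 0x0800     # Protocol Type for IPv4 (value given on the page)
OP_REQUEST, OP_REPLY = 1, 2
# The nine fields in order: hardware type, protocol type, hardware length, protocol
# length, operation, sender MAC, sender IP, target MAC, target IP (28 bytes).
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_bytes(mac: str) -> bytes:
    """'00-14-20-01-23-45' or '00:14:20:01:23:45' -> six raw bytes."""
    return bytes(int(p, 16) for p in mac.replace("-", ":").split(":"))


def mac_str(raw: bytes) -> str:
    return "-".join("%02x" % b for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac, target_ip: str) -> bytes:
    """Pack an Ethernet/IPv4 ARP packet. In a request the target hardware address
    is unknown and is sent as zeros; in a reply it names the original requester."""
    tha = b"\x00" * 6 if op == OP_REQUEST else mac_bytes(target_mac)
    return struct.pack(ARP_FMT, HW_ETHERNET, PROTO_IPV4, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip), tha, ip_bytes(target_ip))


def parse_arp(pkt: bytes) -> dict:
    """Unpack the nine fields and reject anything that is not Ethernet/IPv4 ARP."""
    if len(pkt) < struct.calcsize(ARP_FMT):
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError("unknown ARP operation %d" % op)
    return {"op": "request" if op == OP_REQUEST else "reply",
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpCache:
    """IP -> MAC table holding static (permanent) and dynamic (expiring) entries.
    Timestamps are passed in explicitly so the behaviour is reproducible."""

    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl = ttl_seconds
        self.entries = {}        # ip -> (mac, expiry); expiry is None for static entries

    def add_static(self, ip: str, mac: str) -> None:
        self.entries[ip] = (mac, None)

    def learn_from_reply(self, pkt: bytes, now: float) -> bool:
        """Record the sender pair of an ARP reply as a dynamic entry. A static entry is
        never replaced by learned data (a design choice made for this example)."""
        p = parse_arp(pkt)
        if p["op"] != "reply":
            return False
        current = self.entries.get(p["sender_ip"])
        if current is not None and current[1] is None:
            return False
        self.entries[p["sender_ip"]] = (p["sender_mac"], now + self.ttl)
        return True

    def lookup(self, ip: str, now: float):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, expiry = entry
        if expiry is not None and now >= expiry:
            del self.entries[ip]             # dynamic entry has aged out
            return None
        return mac


def resolve_example(now: float = 1000.0) -> dict:
    """Walk through the exchange on the slide: .1 broadcasts a request for .3,
    .3 answers with a unicast reply, and .1 caches the pair."""
    request = build_arp(OP_REQUEST, "00-14-20-01-23-45", "192.168.168.1", None, "192.168.168.3")
    reply = build_arp(OP_REPLY, "00-14-20-01-23-47", "192.168.168.3",
                      "00-14-20-01-23-45", "192.168.168.1")
    cache = ArpCache(ttl_seconds=60)
    cache.learn_from_reply(reply, now)
    return {"request": parse_arp(request), "reply": parse_arp(reply),
            "cached": cache.lookup("192.168.168.3", now),
            "after_expiry": cache.lookup("192.168.168.3", now + 61)}
```

The expiry in lookup() is what makes a dynamic entry "kept in the cache only for a specific period", and add_static() entries are what the text calls managing static entries with the ARP utility; keeping the two kinds distinct in the table is what lets the cache refuse to let learned data displace an administrator-configured mapping.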


TCP/IP Protocol Stack: Ethernet

• A LAN protocol that uses star or bus topology

• IEEE 802.3 is the specified standard

• Monitors network traffic using CSMA/CD (carrier sense multiple access / collision detection)

• Defines network hardware and how to handle data

Various forms of Ethernet:

• 10Base-T: Transfers data at the speed of 10Mbps

• 100Base-T (Fast Ethernet): Supports a data transfer speed of 100Mbps

• Gigabit Ethernet: Supports data transfer rates of 1Gbps (1000Mbps)

Ethernet is the most commonly used LAN technology. It is a link layer protocol that determines the data transmission between the network devices present in the same network. It uses a bus or star topology, and 10BASE-T maintains a data transfer rate of 10 Mbps. Ethernet formed the basis for the IEEE 802.3 standard that determines the physical and lower software layers. The data transmission occurs in two units: packets and frames. The frame includes information like the data payload and the physical or MAC address of the sender and the receiver. Every frame wraps itself in a packet that contains several bytes of information required for establishing the connection. Ethernet is mostly preferred since it is easy to install, less expensive and allows high-speed data transfers. It monitors network traffic using CSMA/CD (carrier sense multiple access / collision detection). Ethernet most commonly uses 100BASE-T, which provides transmission speeds up to 100 megabits per second. Gigabit Ethernet provides a transmission speed of about 1000 Mbps (1 Gbps). Other common LAN types include:

• Fast Ethernet

• Token Ring

• Fiber Distributed Data Interface (FDDI)

• Asynchronous Transfer Mode (ATM)

• LocalTalk


Features of LAN include:

• Enables easy handling, management and maintenance.

• Enables low-cost implementations.

• Allows topological reliability for the network installation.

The Ethernet LANs consist of the following network nodes and connecting media. There are two types of classification of the network nodes:

• Data terminal equipment (DTE): The DTE represents the source or the destination of the data frames. DTEs are devices like workstations, file servers, print servers, etc.

• Data communication equipment (DCE): The network device that is responsible for receiving and passing the frames across the network. The DCE includes devices like repeaters, switches and routers.

Ethernet finds its main application in wired networking, although wireless networking seems to be taking the place of the wired network. Experts say that 802.11ac provides more internet speed than 1Gb Ethernet. The important thing about wired networking is that it is less affected by interference and is more secure than wireless networking.


TCP/IP Protocol Stack: Fiber Distributed Data Interface (FDDI)

• Optical standard for transferring data by means of fiber optic lines in a LAN up to 200km

• Transfers data at the rate of 100Mbps

• Comprises two fiber optic rings

  - Primary ring: Works in the network

  - Secondary ring: Acts as backup and takes the position of the primary ring in case of network failure

• FDDI-2 supports voice and multimedia communication to extensive geographical areas

FDDI is an optical standard used for transferring data by means of fiber optic lines in a LAN up to 200km. The data transmission occurs at the speed of 100Mbps through a fiber optic cable and uses a token ring to determine which workstation can transfer data at the specified time. FDDI uses a fiber optic cable wired in a ring topology. It uses a token passing access method (please refer to the "token ring" topic) that provides equal responsibilities and privileges to all the computers connected to the network. A normally operating FDDI ring passes the token to all the network devices, whereas in an abnormally operating FDDI ring the token circulating to the devices connected to the ring becomes invisible abruptly after a certain period, indicating a network issue. Furthermore, you can set priority levels using FDDI, i.e., a server is allowed to send a huge volume of data frequently compared to the client systems. It consists of two rings, one primary and the other secondary. The primary ring carries data between the systems, whereas the secondary ring acts as a backup to the primary ring. When the primary ring fails to operate in the network, the secondary ring comes into the picture and performs all the operations usually carried out by the primary ring. This method transmits data at high speed, but Fast Ethernet also allows transfer of huge amounts of data at 100Mbps, all at a very low cost. However, organizations are now using Gigabit Ethernet, which transfers data at the rate of 1000Mbps. The latest version of FDDI is FDDI-2, which supports voice and multimedia communication to extensive geographical areas.


TCP/IP Protocol Stack: Token Ring

• Local area network that connects multiple computers using a transmission link either in a ring topology or star topology

• Data flow is always unidirectional

A token ring is a local area network that consists of computers connected in a ring or bus topology and uses a token to manage the transmission of data between two computers. The presence of a token avoids the chance of a collision between the data transferred between the computers. Possession of the token gives a network node the right to transmit data: if a node receives the token, it captures the data and alters it with 1 bit of the token, thus adding the data packets that it wants to transmit to the next node. Token ring allows users to send data only after arrival of the token at their respective location, thus preventing data collision between workstations that want to send messages at the same time. The maximum size of a token ring packet is 4500 bytes.

How a token ring functions:

• Empty frames pass across the network.

• A computer ready to send information to any other computer can insert a token into the frame, including the data and the destination identifier.

• Inserting a token into a frame changes the token bit from 0 to 1 in the frame.

• Each computer checks the frame and examines whether the destination address matches. If it does, then that computer simply copies the message and changes the token bit to 0.

• The frame deletes the information after the computer with the destination address copies the information.


• The frame passes through the network as an empty frame and is now ready to accept other data.
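The steps above can be modelled directly. The following Python simulation is an added example, not part of the courseware: a single frame circulates around a ring of stations; a station with data waiting seizes the free token (token bit 0 to 1) and attaches the destination identifier and data; the station whose address matches copies the message, clears the token bit and empties the frame, as the steps describe. A frame that returns to its sender without finding its destination is discarded, a detail the steps do not cover, added so that the simulation always terminates. Station names and messages are constructed for the example.

```python
from collections import deque


class Station:
    """One computer on the ring: messages waiting to be sent and messages copied off the ring."""

    def __init__(self, name: str):
        self.name = name
        self.outbox = deque()    # (destination, data) pairs waiting for a free token
        self.inbox = []          # (source, data) pairs this station copied


class Frame:
    """Simplified token ring frame: token bit 0 = free token, 1 = frame carrying data."""

    def __init__(self, source=None, destination=None, data=None):
        self.token_bit = 0 if data is None else 1
        self.source, self.destination, self.data = source, destination, data


def run_ring(stations, max_rotations: int = 100) -> list:
    """Circulate one frame around the ring until every outbox is empty.
    Returns (source, destination, data, delivered) tuples in completion order."""
    frame = Frame()              # the ring starts with an empty frame
    log = []
    for _ in range(max_rotations):
        for st in stations:      # unidirectional flow: stations are visited in ring order
            if frame.token_bit == 1 and st.name == frame.destination:
                # destination matches: copy the message, token bit back to 0, information removed
                st.inbox.append((frame.source, frame.data))
                log.append((frame.source, frame.destination, frame.data, True))
                frame = Frame()
            elif frame.token_bit == 1 and st.name == frame.source:
                # the frame came full circle without a matching destination: discard it
                log.append((frame.source, frame.destination, frame.data, False))
                frame = Frame()
            if frame.token_bit == 0 and st.outbox:
                # a station with data seizes the free token (bit 0 -> 1) and fills the frame
                destination, data = st.outbox.popleft()
                frame = Frame(st.name, destination, data)
        if frame.token_bit == 0 and not any(st.outbox for st in stations):
            break
    return log


def deliver_all(names, messages, max_rotations: int = 100):
    """Queue (source, destination, data) messages on their stations and run the ring.
    Returns the delivery log and each station's inbox."""
    stations = [Station(n) for n in names]
    by_name = {s.name: s for s in stations}
    for source, destination, data in messages:
        by_name[source].outbox.append((destination, data))
    log = run_ring(stations, max_rotations)
    return log, {s.name: s.inbox for s in stations}


if __name__ == "__main__":
    # constructed sample traffic; "Z" is not on the ring, so m4 is never delivered
    log, inboxes = deliver_all(["A", "B", "C", "D"],
                               [("A", "C", "m1"), ("C", "A", "m2"),
                                ("B", "D", "m3"), ("A", "Z", "m4")])
    for entry in log:
        print(entry)
```

Because one frame carries the token, at most one station transmits at any time, which is the collision avoidance the text attributes to the token. The log order also shows that a station waiting for the token (B in the sample) is served only after the frame comes back around free.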

The components of a token ring frame are as follows:

Frame Field             Description
Start delimiter         Represents the start of the frame
Access control          Represents the priority of the frame and checks if it is a token or a data frame
Frame control           Includes MAC access control information for all the computers and end station information for only one computer
Destination address     Specifies the destination address
Source address          Specifies the address of the computer that sends the frame
Information or data     Contains the information to be sent
Frame check sequence    Includes the CRC error-checking
End delimiter           Specifies the end of the frame
Frame status            Includes the current status, such as whether the information was copied

TABLE 1.3: Components of token ring


IP Addressing

• IP Address is a unique numeric value assigned to a node or a network connection

• 32-bit binary number

• Set of four numbers or octets ranging between 0 to 255

• Numbers are separated by periods

• Known as dotted-decimal notation

Examples: 168.192.0.1, 23.255.0.23, 192.165.7.7

An IP address refers to a number assigned to the computers transmitting data over the network that use the Internet Protocol for data transmission. IP addresses serve two purposes: host identification and location addressing. The assigned addresses make it easier to identify the computers in the network. The address normally consists of 32 binary bits divided into two parts: the host part and the network part. The format of an IP address consists of the 32-bit numeric address written as four numbers separated by periods. Each number can range from 0 to 255. An example of an IP address is as follows: 1.160.10.240. The IP address can be either static or dynamic. A static IP address does not change and is permanent. A dynamic IP address changes every time a computer accesses the internet.

Important terms in IP addressing

• Default Network: In the default network, the default IP address is 0.0.0.0.

• Loopback Address: The loopback address is a unique IP address (127.0.0.1) designed for network testing, where a network administrator sends packets to the device to identify problems during transmission.

• Broadcast Address: The broadcast address is a unique IP address (255.255.255.255) designed for sending messages to all the nodes in a network. A network administrator uses this address to send a common message to all the hosts residing in a network.

• Internet Corporation for Assigned Names and Numbers (ICANN): ICANN is the authority that manages the assignment of IP addresses, IP address spaces, and Protocol Identifier Assignments. The aim of ICANN is to ensure that all users have valid addresses. ICANN does not look after Internet content control, data protection, or unsolicited mail, but ICANN is responsible for the management of the new gTLDs (generic Top Level Domains).

• Making the Address Space Friendly: In order to make the address space friendly, it is necessary to make the address familiar and short. The information in the Internet consists of only two symbols: "1" and "0". These describe the two possible states: On/Off. The base-10 number system is user-friendly. Imagine that a computer's address is 4,27,28,123,12. It is easier to remember the binary equivalent of that address in the base-2 system: 10010000, 11111010, 01010101, and 10111011.

• Purpose of Dots: It can be difficult to remember a particular decimal number address. To make it easier to remember, the decimal notation divides it into four parts. With the logical classification of the address, it is easier to identify a particular host on the network. The scheme depends on the decimal number and the address space used is binary. Certain schemes use the binary numbers, whereas others use the decimal numbers directly.

Therefore, the 32-bit address space has four equal components of 8 bits each, such as 202.53.13.138.


Classful IP Addressing

• IP addresses are divided into 5 major classes in the classful IP addressing scheme

• It was the first addressing scheme of the Internet that managed addressing through classes A, B, C, D, and E

Two-Level Internet Address Structure: An IP address can be broken down into two parts:

• Network Number: the first part represents the network

• Host Number: the second part represents a specific host on the network

  [ Network Number | Host Number ]   OR   [ Network Prefix | Host Number ]

NOTE: All the hosts residing on a network can share the same network prefix but should have a unique host number. Hosts residing on different networks can have the same host number but should have different network prefixes.

Classful IP addressing is the Internet's first addressing scheme that managed addressing through classes, primarily A, B, and C. First standardized in September 1981, the Internet Protocol (IP) specifies that each computer should have a unique 32-bit address number to use the IP-based internet. Systems connected to more than one network interface would require a unique IP address for each network. Classful addressing divides the IP address into two parts. The first part identifies the network on which the host resides and the second part identifies the specific node or host on that network. The class of an address determines which parts belong to the network address and which parts belong to the node address.

  [ Network Number | Host Number ]   OR   [ Network Prefix | Host Number ]

FIGURE 1.23: Two-Level Internet address structure

In the past few years, the network number segment has come to be called the network prefix because the major part of each IP address determines the network number. All the hosts residing on a network can share the same network prefix, but should have a unique host number. Hosts residing on different networks can have the same host number, but should have different network prefixes.


Address Classes

• Class A: Has an 8-bit network prefix. Starts with binary address 0; the decimal number can be anywhere between 1-126. The first 8 bits (one octet) identify the network, and the remaining 24 bits specify hosts residing in the network.

• Class B: Has a 16-bit network prefix. Starts with binary address 10; the decimal number can be anywhere between 128-191. The first 16 bits (two octets) identify the network, and the remaining 16 bits specify hosts residing in the network.

• Class C: Has a 24-bit network prefix. Starts with binary address 110; the decimal number can be anywhere between 192-223. The first 24 bits (three octets) identify the network, and the remaining 8 bits specify hosts residing in the network.

• Class D: Starts with binary address 1110; the decimal number can be anywhere between 224-239. Supports multicasting.

• Class E: Starts with binary address 1111; the decimal number can be anywhere between 240-255. Reserved for experimental use.

Address Classes (Cont'd)

Table showing number of Networks and Hosts:

Class                Leading Bits   Size of Network Number Bit Field   Size of Host Number Bit Field   Number of Networks   Addresses Per Network
Class A              0              7                                  24                              126                  16,777,214
Class B              10             14                                 16                              16,384               65,534
Class C              110            21                                 8                               2,097,152            254
Class D (Multicast)  1110           20                                 8                               1,048,576            254
Class E (Reserved)   1111           20                                 8                               1,048,576            254

IP Address Classes and class characteristics and uses:

IP Address Class   Fraction of Total IP Address Space   Number of Network ID Bits   Number of Host ID Bits   Intended Use
Class A            1/2                                  8                           24                       Used for unicast addressing for very large size organizations
Class B            1/4                                  16                          16                       Used for unicast addressing for medium or large size organizations
Class C            1/8                                  24                          8                        Used for unicast addressing for small size organizations
Class D            1/16                                 N/A                         N/A                      Used for IP multicasting
Class E            1/16                                 N/A                         N/A                      Reserved


Address classes play an important role in Internet routing. Internet designers have divided the IP address space into different address classes to provide support for network requirements and size: class A, class B, class C, class D and class E.

Class A

The Class A IP address class defines IP addresses for large networks. The binary address starts with 0. The decimal number is between 0-127, and these addresses are mostly used by international companies. From the 32-bit address, the Class A address uses the leftmost 8 bits for identifying networks. The first 8 bits identify the network and the remaining 24 bits specify hosts residing in the network. In recent years, class A networks have been referred to as "/8s" or "8s". A total of 126 (2^7 - 2) /8 networks can be defined in Class A. Two fewer are available because, in the class A range, 0.0.0.0 is the default IP address and 127.0.0.0 is a loopback address. This class supports a maximum of 16,777,214 hosts per network and 2^31 (2,147,483,648) individual addresses. Of the 2^32 (4,294,967,296) addresses in the IPv4 address space, this amounts to 50% of the total IPv4 unicast address space.

FIGURE 1.24: Class A network (Router A, network 10.10.0.0, a switch, and hosts 10.10.0.1, 10.10.0.2 and 10.10.0.3)

Class B

Use class B addresses in medium-scale networks. This class uses the leftmost 16 bits and the binary address starts with 10. The decimal number is from 128 to 191. The first 16 bits (two octets) identify the network and the remaining 16 bits specify the hosts residing in the network.

FIGURE 1.25: Class B network (Router B, network 128.28.0.0, switches, and hosts 128.28.0.1, 128.28.0.2 and 128.28.0.3)


In recent years, class B networks have been referred to as "/16s" as they have a 16-bit network prefix. About 16,384 (2^14) /16 networks can be defined in class B, with 65,534 (2^16 - 2) hosts per network and 2^30 (1,073,741,824) individual addresses. When calculated, this amounts to 25% of the total IPv4 unicast address space.

Class C

Class C addresses have a 24-bit network prefix. The binary address of Class C starts with 110. The decimal number can be anywhere between 192 and 223. Class C addresses represent small businesses. This class uses the first 24 bits (three octets) for identifying the network, while the remaining 8 bits identify the host on the network.

FIGURE 1.26: Class C network (Router C, network 192.28.0.0, switches, and host 192.28.0.2)

Class D and Class E

In addition to the primary address classes, there are two other classes defined by the internet designers: class D and class E. These are special classes designed for specific purposes where users do not even know they exist. Class D starts with binary address 1110 and its decimal number can be anywhere from 224 to 239. Its main function is to support multicasting. Class E starts with binary address 1111, and its decimal number can be anywhere from 240 to 255. It serves experimental purposes.


- Subnet mask divides the IP address of the host into network and host number
- Variable length subnet mask (VLSM) allows two or more subnet masks in the same network
- Subnetting allows division of Class A, B, and C network numbers into smaller segments
- VLSM effectively uses IP address space in a network


A subnet mask provides information about the division of bits between the subnet ID and the host ID, and therefore about which part of the address routing acts on. It is a 32-bit binary number that separates an IP address into two components, the network address and the host address. A subnet calculator can be used to retrieve subnet mask information. A bitwise AND of an IP address with its subnet mask yields the network address of that IP address. Subnet mask bits are defined by setting the network bits to all "1"s and the host bits to all "0"s. Subnet masks are expressed in dot-decimal notation like an address. Every host on a TCP/IP network requires a subnet mask. Use the default subnet mask for class-based network IDs and custom subnet masks when subnetting or supernetting is configured.


IP Address Class | Total # bits for Network ID/Host ID | Default Subnet Mask (First Octet . Second Octet . Third Octet . Fourth Octet)
Class A          | 8/24                                | 11111111.00000000.00000000.00000000
Class B          | 16/16                               | 11111111.11111111.00000000.00000000
Class C          | 24/8                                | 11111111.11111111.11111111.00000000

TABLE 1.4: Default subnet masks for Class A, Class B and Class C networks

Host IP address: 159.100.9.18 (binary 10011111.01100100.00001001.00010010)
Class B network mask: 255.255.0.0 (binary 11111111.11111111.00000000.00000000)
Class B address with 5 bits allocated to the subnet ID and the remaining 11 left for the host ID
Subnet mask: /21 in prefix-length notation, binary 11111111.11111111.11111000.00000000, dot-decimal notation 255.255.248.0
Network ID: 159.100.0.0
Extended network address (net ID + subnet ID): 159.100.8.0/21 (binary 10011111.01100100.00001000.00000000)
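The class test from the leading bits of the first octet and the mask arithmetic of the worked example above, as an added example (not code from the CND courseware): it performs the bitwise AND the text describes on plain integers, reproduces the 159.100.9.18/21 figures, and uses the standard-library ipaddress module only as an independent cross-check. Function and key names are this example's own.

```python
"""Classful inspection and subnet arithmetic on IPv4 addresses.

Added example, not from the CND courseware: it performs the operations
the text describes (class from the leading bits of the first octet,
default mask per class, bitwise AND with the subnet mask) on plain
integers and uses the standard-library ipaddress module only as an
independent cross-check.
"""
import ipaddress


def to_int(dotted):
    """'a.b.c.d' -> 32-bit integer (raises ValueError on bad input)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def to_binary(value):
    """Dotted binary form, e.g. 11111111.11111111.11111000.00000000."""
    return ".".join(f"{(value >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))


def address_class(dotted):
    """Classful class, decided by the leading bits of the first octet."""
    first = to_int(dotted) >> 24
    if first >> 7 == 0b0:
        return "A"          # 0xxxxxxx, 0-127
    if first >> 6 == 0b10:
        return "B"          # 10xxxxxx, 128-191
    if first >> 5 == 0b110:
        return "C"          # 110xxxxx, 192-223
    if first >> 4 == 0b1110:
        return "D"          # 1110xxxx, 224-239 (multicast)
    return "E"              # 1111xxxx, 240-255 (experimental)


NATURAL_PREFIX = {"A": 8, "B": 16, "C": 24}   # default mask lengths per class


def mask_from_prefix(prefix):
    """Prefix length -> mask: 'prefix' one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(host, prefix):
    """Describe the subnet of 'host' under a /prefix mask, as the text does."""
    cls = address_class(host)
    if cls not in NATURAL_PREFIX:
        raise ValueError("class D/E addresses are not subnetted")
    natural = NATURAL_PREFIX[cls]
    if prefix < natural:
        raise ValueError("a prefix shorter than the natural mask is supernetting")
    mask = mask_from_prefix(prefix)
    net_id = to_int(host) & mask_from_prefix(natural)   # classful network ID
    extended = to_int(host) & mask                      # net ID + subnet ID
    return {
        "class": cls,
        "natural_mask": to_dotted(mask_from_prefix(natural)),
        "subnet_bits": prefix - natural,
        "host_bits": 32 - prefix,
        "subnet_mask": to_dotted(mask),
        "subnet_mask_binary": to_binary(mask),
        "network_id": to_dotted(net_id),
        "extended_network": f"{to_dotted(extended)}/{prefix}",
        "subnets": 2 ** (prefix - natural),
        "usable_hosts": 2 ** (32 - prefix) - 2,
    }


def matches_stdlib(host, prefix):
    """Cross-check the hand-rolled AND against ipaddress.ip_network()."""
    net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
    return subnet_info(host, prefix)["extended_network"] == str(net)


if __name__ == "__main__":
    for host, prefix in (("159.100.9.18", 21), ("192.168.1.12", 27)):
        info = subnet_info(host, prefix)
        print(host, f"/{prefix}", info["extended_network"], info["subnet_mask"])
        assert matches_stdlib(host, prefix)
```

The 159.100.9.18/21 case yields mask 255.255.248.0, network ID 159.100.0.0 and extended network 159.100.8.0/21, matching the table above; the same routine applied to the Class C example 192.168.1.12/27 reports 3 subnet bits, 8 subnets and 30 usable hosts.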


Subnetting allows you to divide a Class A, B, or C network into different logical subnets. To subnet a network, use some of the bits from the host ID portion in order to extend the natural mask.

For example, consider the Class C address:

IP address:    192.168.1.12     11000000.10101000.00000001.00001100
Subnet mask:   255.255.255.0    11111111.11111111.11111111.00000000
Subnetting:    255.255.255.224  11111111.11111111.11111111.11100000

These three extra bits from the host ID portion allow you to create eight subnets.

Subnet address hierarchy
Two-level classful hierarchy:  Network Prefix | Host Number
Three-level subnet hierarchy:  Network Prefix | Subnet Number | Host Number


The original internet designers did not foresee the rapid growth of the internet and the change it brought as a communication system. Today, organizations face many problems with the allocation of IP addresses, as the IP address space, especially IPv4, is in its depletion stage. This problem stems from early decisions made by the internet designers in the formative stage: in the early evolution of the internet, organizations were allocated address space based on their request rather than on their requirements, which led to the eventual depletion of the IP address space. Organizations that predicted the future of networking invested in the internet early, whereas organizations that ignored its significance obtained addresses later and had to face address shortage problems. Emerging organizations likewise face address shortage problems due to the premature depletion of the IPv4 address space. To overcome the problem of IP address space depletion, one can perform IP subnetting. Subnetting allows an organization's network to be divided into a two-level structure of subnets and hosts. An organization's system administrator divides the host network, specifically the internal network, into segments in order to make them unavailable to external networks. The main advantage of subnetting to the organization is that it can divide the classful host number into a subnet ID and a host ID based on its preferences and requirements.


FIGURE 1.27: Subnet address hierarchy (two-level classful hierarchy: Network Prefix | Host Number; three-level subnet hierarchy: Network Prefix | Subnet Number | Host Number)

Two-level hierarchy without subnetting:  141.14 (Net ID) | 192.2 (Host ID)
Three-level hierarchy with subnetting:   141.14 (Net ID) | 192 (Subnet ID) | 2 (Host ID)

FIGURE 1.28: Two-level and three-level subnetting

Net address: 141.14.0.0
Subnet address: 141.14.192.0
Host address: 141.14.192.2

Routers use an extended network prefix to forward traffic between subnet devices. The extended network prefix includes the network prefix and the subnet ID. In classful IP addressing, the router uses the first octet of an IP address to determine the address class and hence the network number and host number. In subnetting, as the division of the address is arbitrary, the router cannot tell from the address alone where the subnet ID ends and the host ID begins. The subnet mask provides that information: it is a 32-bit binary number that marks the division of bits between subnet ID and host ID. Subnetting allows the division of Class A, B, and C network numbers into smaller segments. Variable length subnet mask (VLSM) allows two or more subnet masks in the same network. VLSM uses the IP address space in a network efficiently and gives a network administrator the flexibility to divide a network as per the requirements and preferences of the organization, creating subnets, sub-subnets and sub-sub-subnets.


FIGURE 1.29: Example of subnetting (leading bits "10" and a 14-bit Net ID | 8-bit Subnet ID | 8-bit Host ID)

Class B address = /16 network prefix
Network address = 131.175.0.0
Natural mask = 255.255.0.0
Subnetted with /24 network prefix
Subnet ID = third number in dotted notation: 131.175.21.0


- Class A and B addresses are in the depletion stage
- Supernetting combines various Class C addresses and creates a
- Also known as Classless Inter-Domain Routing (CIDR), invented to keep IP addresses from exhaustion
- Class C provides only 256 hosts in a network, of which 254 are available for use
- It applies to Class C addresses
- Supernet mask is the reverse of a subnet mask

Subnet Mask:    11111111.11111111.11111111.11100000  (more network bits than the default)
Default Mask:   11111111.11111111.11111111.00000000
Supernet Mask:  11111111.11111111.11111000.00000000  (fewer network bits than the default)

Supernetting Class C Example:

Suppose we use 2^m consecutive blocks.

Class C address:   Net ID (first three octets) | Host ID (last octet)
Default mask:      255.255.255.0
Supernet mask:     255.255.(2^(8-m) - 1) * 2^m.0 = 255.255.252.0 (m = 2)
Supernet address:  xxxxxxxx.xxxxxxxx.xxxx0000.00000000, with m zero bits at the end of the third octet; this byte is divisible by 2^m


With the growth of the internet, classful addressing has become a big problem for many organizations. Problems with classful addressing include a lack of flexibility in dividing addresses for an internal network and improper distribution of the allocated address space, which requires routers to create more and more routing table entries. Subnetting solves these problems to a certain extent, but IPv6 addressing brought a 128-bit addressing system to eliminate the addressing issues properly. This new system eliminates the need for address classes and creates a new addressing scheme to match the growing demand of internet users. It advocates a new classless addressing scheme known as Classless Inter-Domain Routing (CIDR). CIDR uses the concept of subnetting as a base and takes it a step further: subnetting divides a single network into subnets, whereas CIDR applies the subnetting principle to large networks and aggregates networks into larger supernets, a concept known as supernetting.

Advantages of CIDR:

With CIDR, organizations can allocate address space efficiently as per their requirements and preferences. In classful addressing, there are class A, B, and C networks. A class A network has around 16,277,214 addresses per network, a class B network has 65,534 and a class C network has only 254 addresses; the address classes in this system are disproportionate. CIDR eliminates the problems of class imbalance and routing table growth by creating single entries for large aggregated networks. CIDR network prefixes help the router determine the dividing point between net ID and host ID. Subnetting requires a subnet mask to determine the network ID and host ID; CIDR does not rely on a 32-bit binary subnet mask. Instead, CIDR uses "/" slash notation, known as CIDR notation, with a prefix length to show the network size.

Subnet Mask:    11111111.11111111.11111111.11100000
Default Mask:   11111111.11111111.11111111.00000000
Supernet Mask:  11111111.11111111.11111000.00000000

FIGURE 1.30: Supernetting

Supernetting Example:

Example showing four Class C addresses in a network that appear as a single network from outside. The four address-contiguous networks are:

213.2.96.0:  11010101.00000010.01100000.00000000
213.2.97.0:  11010101.00000010.01100001.00000000
213.2.98.0:  11010101.00000010.01100010.00000000
213.2.99.0:  11010101.00000010.01100011.00000000


Supernet mask:     255.255.252.0
Supernet address:  213.2.96.0/22   11010101.00000010.01100000.00000000

FIGURE 1.31: Supernetting with Class C address (Net ID | Host ID; supernet address xxxxxxxx.xxxxxxxx.xxxx0000.00000000 with m zero bits at the end of the third octet, so that byte is divisible by 2^m)
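The aggregation of the four contiguous Class C blocks above, as an added example (not code from the CND courseware): it derives the supernet mask from the text's 255.255.(2^(8-m) - 1) * 2^m.0 expression, checks the alignment rule the figure calls out (the first block's third octet must be divisible by 2^m), and confirms that all blocks AND to the same supernet address. The ipaddress module is used only as an independent cross-check; function names are this example's own.

```python
"""Aggregating consecutive Class C blocks into one supernet.

Added example, not from the CND courseware. Given 2^m consecutive /24
networks it derives the supernet mask 255.255.(2^(8-m) - 1) * 2^m.0
from the text, checks that the first block's third octet is divisible
by 2^m (the alignment the figure calls out), and verifies that every
block ANDs to the same supernet address. The ipaddress module is used
only as an independent cross-check.
"""
import ipaddress


def to_int(dotted):
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def supernet_mask(m):
    """Mask for 2^m aggregated /24s: third octet is (2^(8-m) - 1) * 2^m."""
    if not 0 <= m <= 8:
        raise ValueError("m must be between 0 and 8")
    return f"255.255.{(2 ** (8 - m) - 1) * 2 ** m}.0"


def supernet_of(blocks):
    """Return (supernet address, prefix length, mask) for a list of /24 networks."""
    n = len(blocks)
    m = n.bit_length() - 1
    if n == 0 or 1 << m != n:
        raise ValueError(f"need 2^m blocks, got {n}")
    addrs = sorted(to_int(b) for b in blocks)
    for i, a in enumerate(addrs):
        if a & 0xFF:
            raise ValueError(f"{to_dotted(a)} is not a /24 network address")
        if i and a != addrs[i - 1] + 256:
            raise ValueError("blocks are not contiguous")
    third_octet = (addrs[0] >> 8) & 0xFF
    if third_octet % (1 << m):
        raise ValueError(f"third octet {third_octet} is not divisible by {1 << m}")
    prefix = 24 - m
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    super_addr = addrs[0] & mask
    if any(a & mask != super_addr for a in addrs):
        raise ValueError("blocks do not share the supernet prefix")
    return to_dotted(super_addr), prefix, to_dotted(mask)


def aggregates(blocks):
    """True if the blocks collapse into a single supernet, else False."""
    try:
        supernet_of(blocks)
        return True
    except ValueError:
        return False


def stdlib_collapse(blocks):
    """Independent check: ipaddress.collapse_addresses() on the same blocks."""
    nets = [ipaddress.ip_network(b + "/24") for b in blocks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    four = ["213.2.96.0", "213.2.97.0", "213.2.98.0", "213.2.99.0"]
    print(supernet_of(four), supernet_mask(2), stdlib_collapse(four))
```

Four blocks starting at 213.2.96.0 collapse to 213.2.96.0/22 with mask 255.255.252.0, which is the single routing table entry the text refers to; the same four-block run starting at 213.2.97.0 is rejected, because 97 is not divisible by 4 and the blocks do not share a /22 prefix.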


- Based on the standard specified by RFC 4291
- Allows multilevel subnetting
- Supports unicast, anycast, and multicast addresses
- IPv6 address space is organized in a hierarchical structure

IPv6: Format prefix allocation (see Table 1.5 below)

IPv6 is capable of providing a large address space of 128 bits for the increasing demands of internet users. It has a new packet header format to minimize the overhead of routing entries. IPv6 has globally unique addresses with an efficient, hierarchical routing infrastructure that relies on prefix length rather than address classes. This allows the backbone routers to keep small routing tables. IPv6 simplifies host configuration with stateless and stateful address configuration for network interfaces. In IPv6, hosts on a link are capable of automatically configuring themselves with link-local addresses and with addresses derived from the prefixes advertised by the local routers. The host sends a request to a local router for connecting to that network, and the router responds with its configuration parameters; this lets the host configure itself automatically with the available router. IPv6 is capable of configuring itself even when there are no routers. IPv6 supports unicast and multicast communication along with a new communication type called anycast.

Unicast Address: It is used to identify a single node in the network. The four different categories of unicast address are:
- Global unicast addresses are globally unique in the internet.
- Link-local addresses are not meant for routing, but confined to a single network segment.
- Unique local addresses assist in private addressing and also avoid the chance of collision between two subnets.


Anycast Address: In the anycast communication method, only a specific associated address in a network receives the messages. IPv6 provides better support for quality of service (QoS) with proper management of network traffic.

Multicast Address: IPv6 packets sent to a multicast address identify a group of interfaces, usually on different nodes. Only those hosts which are members of the multicast group can receive the multicast packets. An IPv6 multicast address is a routable address, and the routers forward these multicast packets to all the members of the multicast group.

Allocation                                           | Format Prefix | Start of address range (hex) | Mask length (bits) | Fraction of address space
Reserved                                             | 00000000      | 0::/8                        | 8                  | 1/256
Reserved for Network Service Allocation Point (NSAP) | 0000001       | 200::/7                      | 7                  | 1/128
Reserved for IPX                                     | 0000010       | 400::/7                      | 7                  | 1/128
Aggregatable global unicast addresses                | 001           | 2000::/3                     | 3                  | 1/8
Link-local unicast                                   | 1111111010    | FE80::/10                    | 10                 | 1/1024
Site-local unicast                                   | 1111111011    | FEC0::/10                    | 10                 | 1/1024
Multicast                                            | 11111111      | FF00::/8                     | 8                  | 1/256

TABLE 1.5: IPv6 format prefix allocation

The IPv6 notation consists of eight groups of four hexadecimal digits separated by colons. An example of an IPv6 address is 2001:cdba:0000:0000:0000:0000:3257:9652. Leading zeros within a group may be dropped, and one contiguous run of all-zero groups may be replaced by "::". For example, the following are the same address:

2001:cdba:0000:0000:0000:0000:3257:9652

2001:cdba:0:0:0:0:3257:9652

2001:cdba::3257:9652

IPv6 addresses use Classless Inter-Domain Routing (CIDR) notation. A subnet using the IPv6 protocol consists of a group of IPv6 addresses whose size is a power of two. The initial bits of the IPv6 address form the network prefix, and the number of bits in the network prefix is written after a forward slash ('/'). For example, 2001:cdba:9abc:5678::/64 represents the block of addresses whose first 64 bits are 2001:cdba:9abc:5678.


Difference between IPv4 and IPv6

                          | Internet Protocol version 4 (IPv4)               | Internet Protocol version 6 (IPv6)
Deployed                  | In the year 1981                                 | In the year 1999
Size                      | 32-bit addresses                                 | 128-bit source and destination addresses
Format                    | Dotted-decimal notation (separated by periods)   | Hexadecimal notation (separated by colons)
Example                   | 192.168.0.77                                     | 3ffe:1900:4545:AB00:0123:4567:8901:ABCD
Prefix Notation           | 192.168.0.0/24                                   | 3FFE:F200:0234::/48
Total Number of Addresses | 2^32 = 4,294,967,296                             | 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
Configuration             | Manually perform static or dynamic configuration | Auto-configuration of addresses is available
Security                  | IPsec is optional                                | Inbuilt support for IPsec

Internet Protocol Version 4 (IPv4) The fourth version of the internet protocol, which identifies devices on a network through addressing. IPv4 mainly works in packet-switched link layer networks. It uses a 32-bit address scheme, thereby permitting 2^32 addresses. The sender and the forwarding routers perform fragmentation. There is no field to identify a packet flow. Checksum and option fields are available in IPv4. IPv4 uses IGMP to manage multicast, and it is possible to broadcast messages. Configuration of IPv4 requires either manual configuration of IPv4 addresses or DHCP configuration.

Internet Protocol Version 6 (IPv6) Also known as IPng (Internet Protocol Next Generation), it is the advanced version of IPv4 and replaces IPv4. The IPv6 protocol allows better handling of hosts and data flowing on the internet. The main advantage of using IPv6 is that it reduces the exhaustion of IP addresses. IPv6 addresses are 128 bits long and represented in hexadecimal. Only the sender performs fragmentation. The flow label field in the IPv6 packet header assists in identifying the flow of the packet. The IPv6 header does not contain any checksum or options field. IPv6 has an auto-configuration mode that eliminates the need for manual configuration as in IPv4.

Advantages of IPv6 over IPv4:
- IPv6 provides a simplified method for the router task when compared with IPv4.
- IPv6 is more reliable to use than IPv4 and IPv6 can handle more payloads.
- IPv6 is more compatible for use in mobile networks than IPv4.


IPv4 Compatible IPv6 Address

IPv6 addresses with embedded IPv4 addresses are global unicast addresses that have the binary prefix 000. One of the changeover techniques to IPv6 permits nodes and routers to dynamically create IPv6 tunnels, allowing IPv6 packets to be carried over an IPv4 infrastructure. Nodes that implement this method are allocated a special IPv6 address which carries an IPv4 address in its 32 least significant bits. This type of address is called an IPv4-compatible IPv6 address; its format is shown below:

Prefix: 0000 : 0000 : 0000 : 0000 : 0000 : 0000 : 143.23.234.211

The IPv4 address used inside an IPv4-compatible IPv6 address must be a public, globally routable IPv4 address.

IPv4-compatible addresses obtained from IPv4 public addresses allow connecting IPv6 hosts over the IPv4 internet infrastructure. The IPv6 packet is encapsulated within an IPv4 header, which eliminates the need to add IPv6 routers. The IPv4-compatible IPv6 address allows IPv6 devices to embed IPv4 addresses in the IPv6 address across the IPv4-connected network. The IPv4-compatible IPv6 address has a distinct format, with the first 96 bits set to all zeroes, followed by a dotted-decimal IPv4 address.

FIGURE 1.32: IPv4-compatible IPv6 address (prefix 0000:0000:0000:0000:0000:0000 followed by the IPv4 address 143.23.234.211)

They can be written as 0:0:0:0:0:0:A.B.C.D or ::A.B.C.D, where "A.B.C.D" represents the embedded IPv4 address. The host or router at each end of an IPv4-compatible tunnel must support both the IPv4 and IPv6 protocol stacks. IPv4-compatible tunnels must be configured between border routers or between a border router and a host. Using IPv4-compatible tunnels is an easy method to create tunnels for IPv6 over IPv4, but the technique does not scale for large networks.
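The IPv6 text rules from the notation section (eight hex groups, dropped leading zeros, a single "::", the /N prefix) and the ::A.B.C.D form of this section, as one added example that is not code from the CND courseware: it expands and compresses addresses, tests membership in a CIDR block such as 2001:cdba:9abc:5678::/64, and extracts the embedded IPv4 address only when the first 96 bits are zero and the IPv4 address is globally routable, as the text requires. The standard-library ipaddress module is used only as an independent cross-check; function names are this example's own.

```python
"""IPv6 textual expansion and compression, and the ::A.B.C.D form.

Added example, not from the CND courseware. expand() turns any valid
textual IPv6 address into eight zero-padded hex groups; compress()
replaces the longest run of zero groups with '::' (first run wins on
a tie, as RFC 5952 requires) and strips leading zeros; in_prefix()
does the CIDR test for a /N; embedded_ipv4() extracts the IPv4 address
from an IPv4-compatible address (96 zero bits followed by the IPv4
address) and accepts it only if it is globally routable, as the text
requires. The ipaddress module serves as an independent cross-check.
"""
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def _ipv4_groups(dotted):
    """'a.b.c.d' -> two 16-bit hex groups (the last 32 bits of the address)."""
    o = [int(x) for x in dotted.split(".")]
    if len(o) != 4 or any(not 0 <= x <= 255 for x in o):
        raise ValueError(f"bad IPv4 part: {dotted}")
    return [f"{(o[0] << 8) | o[1]:04x}", f"{(o[2] << 8) | o[3]:04x}"]


def _groups(part):
    if not part:
        return []
    items = part.split(":")
    if "." in items[-1]:                 # trailing dotted-decimal IPv4 part
        items = items[:-1] + _ipv4_groups(items[-1])
    for g in items:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX:
            raise ValueError(f"bad group {g!r}")
    return [f"{int(g, 16):04x}" for g in items]


def expand(addr):
    """Eight 4-digit lowercase hex groups separated by colons."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    head, sep, tail = addr.partition("::")
    h, t = _groups(head), _groups(tail)
    missing = 8 - len(h) - len(t)
    if sep and missing < 1:
        raise ValueError("'::' must stand for at least one zero group")
    if not sep and missing != 0:
        raise ValueError("address must have exactly eight groups")
    return ":".join(h + ["0000"] * missing + t)


def compress(addr):
    """Shortest form: leading zeros dropped, longest zero run (>= 2) as '::'."""
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i]:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:              # strictly longer: first run wins ties
            best_start, best_len = i, j - i
        i = j
    hexg = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(hexg)
    return ":".join(hexg[:best_start]) + "::" + ":".join(hexg[best_start + best_len:])


def in_prefix(addr, cidr):
    """True if addr lies inside the CIDR block, e.g. '2001:cdba:9abc:5678::/64'."""
    net, plen = cidr.split("/")
    plen = int(plen)
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be 0..128")
    mask = ((1 << plen) - 1) << (128 - plen)
    a = int(expand(addr).replace(":", ""), 16)
    n = int(expand(net).replace(":", ""), 16)
    return a & mask == n & mask


def embedded_ipv4(addr):
    """IPv4 address carried in the low 32 bits if the first 96 bits are zero
    and the address is globally routable; otherwise None."""
    g = [int(x, 16) for x in expand(addr).split(":")]
    if any(g[:6]):
        return None
    dotted = ".".join(str(b) for b in (g[6] >> 8, g[6] & 0xFF, g[7] >> 8, g[7] & 0xFF))
    return dotted if ipaddress.IPv4Address(dotted).is_global else None


def matches_stdlib(addr):
    """Cross-check expand()/compress() against ipaddress.IPv6Address."""
    v6 = ipaddress.IPv6Address(addr)
    return expand(addr) == v6.exploded and compress(addr) == v6.compressed
```

Note that "::10.0.0.1" is rejected by embedded_ipv4() even though it is syntactically valid, because 10.0.0.1 is not a public address; that is the check a border router would need before accepting such a tunnel endpoint.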


Understanding Computer Network Defense (CND)

- Computer Network Defense (CND) is part of the network operations which involves protecting, detecting, and responding to unauthorized activities on the network
- It includes a set of processes and protective measures carried out to defend a network against service/network denial, degradation, and disruptions
- CND is NOT limited to just deploying a firewall or multiple firewalls on the network
- CND is the implementation of a defense in depth (DID) strategy on a network

Figure: the CND triad, with Protection as one of its elements

Computer network defense (CND) involves protecting, monitoring, analyzing, detecting and responding to unauthorized activities on the network and ensures the overall (defense-in-depth) security of the network. Unauthorized or illegal activities may include interrupting, damaging, exploiting or restricting access to networks or computing resources, and stealing data and information from them. Most organizations consider network defense to be the implementation of security measures that protect their network from attacks, and assume that deploying a firewall or multiple firewalls on the network is enough to protect their infrastructure from a variety of threats. However, a firewall alone does not ensure network defense: even though firewalls are one of the security measures, they do not provide defense-in-depth network security. CND enables network administrators to defend and act against network attacks performed by malicious or adversarial computer systems or networks. CND is part of Computer Network Operations (CNO), which deals with the overall network security achieved through detection, prevention, analysis, and response to various network attacks.


Figure: the elements of information security, each illustrated by an authorized user, a server and a man in the middle.

Integrity: Ensures information is not modified or tampered with by unauthorized parties
Confidentiality: Ensures information is not disclosed to unauthorized parties
Availability: Ensures information is available to authorized parties without any disruption (figure: services unavailable to authorized user)
Non-repudiation: Ensures that a party in a communication cannot deny sending the message (figure: user denies transaction)
Authentication: Ensures the identity of an individual is verified by the system or service

Figure: sample DNS record output from http://centralops.net for the yahoo.com zone, listing record types and their purpose:

A      Host address
MX     Points to domain's mail server
NS     Points to host's name server
CNAME  Canonical naming allows aliases to a host
SOA    Indicates authority for domain
SRV    Service records
PTR    Maps IP address to a hostname
RP     Responsible person
HINFO  Host information record includes CPU type and OS
TXT    Unstructured text records

The sample shows NS records for yahoo.com (ns1.yahoo.com and others, TTL 172800s, i.e. 2 days), PTR records under 253.138.98.in-addr.arpa, a TXT contact record for the domain, and an SOA record with serial 2014101602, refresh 3600, retry 600, expire 5184000 and minimum TTL 1800.

DNS footprinting reveals information about the DNS zone. DNS zone data includes the DNS domain names, computer names, IP addresses, and much more about a particular network. An attacker uses the DNS information to determine key hosts in the network, and then performs social engineering attacks to gather even more information. When the attacker queries the DNS server using a DNS interrogation tool, the server responds with a record structure that contains information about the target DNS. DNS records provide important information about the location and type of servers.


Certified Network Defender Network Security Threats, Vulnerabilities, and Attacks


Reconnaissance Attacks: Network Information Extraction using Nmap Scan

An attacker uses Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems and OS versions.

Screenshot: Zenmap running the "Intense scan, all TCP ports" profile (command nmap -p 1-65535 -T4 -A -v 192.168.0.89) with Nmap 6.40. The output shows the ARP ping scan, parallel DNS resolution and SYN stealth scan of 65535 ports (65523 closed), the open ports discovered (21, 80, 135, 139, 445 and several ports in the 494xx range, identified as tcpwrapped, Microsoft HTTPAPI httpd 2.0, Microsoft Windows RPC and netbios-ssn), the NSE http-methods and http-title script results, the MAC address vendor (Microsoft) and no exact OS match.

Nmap is a network discovery and security-auditing tool and is one of the most popular tools attackers use for network discovery. An attacker mostly uses the Nmap utility to extract all the necessary information from the target. Attackers use Nmap to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Network administrators also find this tool useful for security auditing tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Source: http://nmap.org
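What the "all TCP ports" sweep in the Zenmap screenshot looks like from the defender's side, as an added example that is not code from the CND courseware or from Nmap: the log lines are constructed for this example in a syslog-like format, and the detector counts how many distinct destination (host, port) pairs each source touches inside a sliding time window, flagging sources above a threshold. The format, window and threshold are assumptions to adapt to the firewall actually in use.

```python
"""Port-sweep detection over constructed firewall log lines.

Added example, not from the CND courseware. SAMPLE_LOG is made up for
this example in a syslog-like format (timestamp, action, protocol,
src:port -> dst:port, TCP flags). detect_sweeps() counts the distinct
destination (host, port) pairs each source touches inside a sliding
time window and reports sources above a threshold, which is what an
'all TCP ports' scan looks like from the target's side. The window and
threshold are assumptions to tune per network.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 192.0.2.10 sweeps ten ports in five seconds,
# 203.0.113.7 is an ordinary client talking to two services.
SAMPLE_LOG = """\
2024-05-01T16:59:00 DROP TCP 192.0.2.10:40001 -> 198.51.100.5:21 SYN
2024-05-01T16:59:00 DROP TCP 192.0.2.10:40002 -> 198.51.100.5:22 SYN
2024-05-01T16:59:01 ACCEPT TCP 192.0.2.10:40003 -> 198.51.100.5:80 SYN
2024-05-01T16:59:01 DROP TCP 192.0.2.10:40004 -> 198.51.100.5:88 SYN
2024-05-01T16:59:02 DROP TCP 192.0.2.10:40005 -> 198.51.100.5:135 SYN
2024-05-01T16:59:02 DROP TCP 192.0.2.10:40006 -> 198.51.100.5:139 SYN
2024-05-01T16:59:03 ACCEPT TCP 192.0.2.10:40007 -> 198.51.100.5:443 SYN
2024-05-01T16:59:03 DROP TCP 192.0.2.10:40008 -> 198.51.100.5:445 SYN
2024-05-01T16:59:04 DROP TCP 192.0.2.10:40009 -> 198.51.100.5:3389 SYN
2024-05-01T16:59:05 DROP TCP 192.0.2.10:40010 -> 198.51.100.5:8080 SYN
2024-05-01T16:59:00 ACCEPT TCP 203.0.113.7:51000 -> 198.51.100.5:443 SYN
2024-05-01T16:59:10 ACCEPT TCP 203.0.113.7:51001 -> 198.51.100.5:443 SYN
2024-05-01T16:59:20 ACCEPT TCP 203.0.113.7:51002 -> 198.51.100.5:80 SYN
2024-05-01T16:59:21 ACCEPT TCP 203.0.113.7:51002 -> 198.51.100.5:80 ACK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\w+)$"
)


def parse_line(line):
    """One log line -> dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_sweeps(lines, window_s=60, threshold=8):
    """Map source IP -> peak number of distinct (dst, port) targets seen
    within any window_s-second window, for sources reaching threshold."""
    events = [ev for ev in map(parse_line, lines) if ev and ev["flags"] == "SYN"]
    events.sort(key=lambda ev: ev["ts"])           # logs are not always in order
    recent = defaultdict(deque)                    # src -> deque of (ts, target)
    alerts = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], (ev["dst"], ev["dport"])))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()                            # slide the window forward
        distinct = len({target for _, target in q})
        if distinct >= threshold:
            alerts[ev["src"]] = max(alerts.get(ev["src"], 0), distinct)
    return alerts


def sweep_sources(log_text=SAMPLE_LOG, **kw):
    """Convenience wrapper returning the flagged sources as a sorted list."""
    return sorted(detect_sweeps(log_text.splitlines(), **kw))


if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_LOG.splitlines()))
```

Only SYN events are counted, so an accepted connection that then exchanges data is not inflated by its ACKs; the scanning source reaches ten distinct targets within the window and is reported, while the ordinary client with two services is not. On a real firewall the same logic can run over the accepted and dropped SYNs together, since a scan of open ports produces accepts as well as drops.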


Reconnaissance Attacks: Port Scanning

Attackers may use various techniques to find open ports on the target. Attackers use Nmap to perform port scanning.

TCP Port Scanning

Screenshot: Zenmap running the command nmap -sX -v 192.168.0.97; the remainder of the scan output is not legible in the source.

Sniffing is a process of monitoring and

Figure (DNS cache poisoning): the attacker's rogue DNS server sends a DNS response carrying the IP address of a fake website to the victim's router/resolver.

DNS resolvers keep a cache of recently resolved domain names and their IP addresses. When a request arrives, the resolver first checks the cache; if the requested name is there, it returns the cached address immediately, which reduces both resolution time and DNS traffic. Cache poisoning attacks target this cache: the attacker gets a forged record into it, replacing the legitimate IP address for a name with one the attacker controls. Later, when a user requests that name, the resolver finds the poisoned entry and returns it, so the victim is sent to the attacker's server instead of the genuine one. The forged record stays in effect until its TTL expires, so a single successful injection misdirects every client of that resolver.
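The following Python model, added here as an example and not taken from the page, shows why a forged response gets into the cache and what stops it. It simulates a caching resolver twice: once matching responses by name only (fixed source port, predictable transaction ID), once applying the checks real resolvers use (random transaction ID and source port, exact match of the outstanding question, and a bailiwick rule so that an answer for one name cannot smuggle in a record for another). The upstream server, the names, the TTLs and the addresses are constructed for the demo.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Answer:
    name: str   # owner name of the A record
    ip: str
    ttl: int


@dataclass
class Response:
    txid: int        # transaction ID copied from the query
    src_ip: str      # claimed source of the UDP datagram (trivially spoofable)
    dst_port: int    # resolver port the datagram arrived on
    question: str
    answers: List[Answer]


class Resolver:
    """Caching resolver model.

    strict=False: sequential transaction IDs, fixed source port 53, and any
    response whose question matches an outstanding query is trusted.
    strict=True: random txid and source port, the response must match the
    outstanding query exactly, and only in-bailiwick records are cached.
    """

    def __init__(self, upstream_ip: str, strict: bool) -> None:
        self.upstream_ip = upstream_ip
        self.strict = strict
        self.cache: Dict[str, Tuple[str, float]] = {}    # name -> (ip, expiry time)
        self.pending: Dict[int, Tuple[str, int]] = {}    # txid -> (question, source port)
        self._next_txid = 0

    def lookup(self, name: str, now: float) -> Optional[str]:
        """Cache first, as the text describes; None means the query would go upstream."""
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            return entry[0]
        return None

    def send_query(self, name: str) -> Tuple[int, int]:
        if self.strict:
            txid = random.randrange(1, 0x10000)
            sport = random.randrange(1024, 65536)
        else:
            self._next_txid += 1
            txid, sport = self._next_txid, 53             # predictable: an attacker can guess both
        self.pending[txid] = (name, sport)
        return txid, sport

    def receive(self, resp: Response, now: float) -> bool:
        """Process a response; True if anything was written to the cache."""
        if not self.strict:
            for txid, (qname, _) in list(self.pending.items()):
                if qname == resp.question:
                    del self.pending[txid]
                    for a in resp.answers:                 # every record cached, wherever it points
                        self.cache[a.name] = (a.ip, now + a.ttl)
                    return True
            return False
        pend = self.pending.get(resp.txid)
        if pend is None:
            return False                                   # unknown transaction ID
        qname, sport = pend
        if resp.src_ip != self.upstream_ip or resp.dst_port != sport or resp.question != qname:
            return False                                   # wrong server, port or question
        del self.pending[resp.txid]
        cached = False
        for a in resp.answers:
            if a.name == qname or a.name.endswith("." + qname):   # bailiwick: only names under the question
                self.cache[a.name] = (a.ip, now + a.ttl)
                cached = True
        return cached


def poisoning_scenario(strict: bool) -> Tuple[Optional[str], Optional[str]]:
    """Constructed race: the attacker's forged answer arrives before the real one.
    Returns what the resolver later answers for www.example.com and www.bank.example."""
    r = Resolver("10.0.0.53", strict)
    now = 1000.0
    txid, sport = r.send_query("www.example.com")
    forged = Response(txid=1, src_ip="10.0.0.53", dst_port=53, question="www.example.com",
                      answers=[Answer("www.example.com", "203.0.113.66", 86400),
                               Answer("www.bank.example", "203.0.113.66", 86400)])   # off-zone extra record
    r.receive(forged, now)
    legit = Response(txid, "10.0.0.53", sport, "www.example.com",
                     [Answer("www.example.com", "198.51.100.10", 300)])
    r.receive(legit, now + 0.01)
    return r.lookup("www.example.com", now + 1), r.lookup("www.bank.example", now + 1)


if __name__ == "__main__":
    print("naive resolver :", poisoning_scenario(strict=False))
    print("strict resolver:", poisoning_scenario(strict=True))
```

With the naive resolver the forged answer wins the race, the legitimate answer that follows is ignored because no query is outstanding any more, and the bundled record for www.bank.example is cached for a day even though nobody asked for it. With the strict resolver the forged datagram fails the port check before its guessed transaction ID is even considered; the attacker would have to guess both, which is the idea behind source-port randomisation.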


Address Resolution Protocol (ARP) maps an IP address to the physical (MAC) address recognized on the local network. ARP spoofing/poisoning sends forged ARP replies so that the target machine's ARP cache maps an IP address to the attacker's MAC address; the related MAC-flooding attack overloads a switch's address table instead.

When user A initiates a session with user B in the same Layer 2 broadcast domain, an ARP request carrying user B's IP address is broadcast, and user A waits for user B to respond with its MAC address.

Figure (ARP spoofing sequence):
1. User A asks "Hey 10.1.1.1, are you there?" and the switch broadcasts the ARP request onto the wire (network 10.1.1.0).
2. The legitimate user (user B, 10.1.1.1) responds to the ARP request.
3. The malicious user eavesdrops on this unprotected Layer 2 broadcast domain, sees the ARP request and responses, and answers user A while spoofing user B: "No, I am 10.1.1.1 and my MAC address is 9:8:7:6:5:4".
4. Information for IP address 10.1.1.1 is now sent to MAC address 9:8:7:6:5:4, the attacker.

ARP poisoning is an attack in which the attacker associates their own MAC address with the victim's IP address so that traffic meant for that IP address is delivered to the attacker instead. ARP (Address Resolution Protocol) is the TCP/IP protocol that maps IP network addresses to the hardware (MAC) addresses used by the data link layer, and any host on the segment can use it to learn the MAC address of any other device on that network. Hosts, not just switches, rely on ARP: before a machine can send a packet to another device it must put the destination MAC address in the frame, so it needs to know that address, and it keeps the mappings it has learned in an ARP table (ARP cache) inside the operating system. A machine that sends an ARP request normally assumes the reply comes from the right host, because ARP provides no way to verify the authenticity of the responding device. Many operating systems implement ARP so trustingly that they accept ARP replies even when they never sent a request. An attacker can therefore craft a malicious ARP reply containing an arbitrary IP-to-MAC pairing; since the victim's computer blindly writes that entry into its ARP table, the attacker can make the victim believe the target IP address belongs to whatever MAC address the attacker chooses, and can broadcast the forged reply to the victim's entire network.
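Added example (not code from the page): the Python below builds the exact 42-byte Ethernet/ARP frame an attacker would emit to claim 10.1.1.1 with the MAC address from the figure, parses it back, and runs a small passive monitor of the kind arpwatch implements, which keeps the sender IP-to-MAC bindings it has seen and alerts when an address it already knows turns up with a new MAC. The addresses are the ones from the figure padded to full octets, plus constructed ones for the other hosts; no frames are sent on a real network.

```python
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP packet (42 bytes on the wire).

    A reply (op=2) with the attacker's MAC as sender is all ARP poisoning takes:
    there is no field the receiver could use to check who really owns sender_ip.
    """
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    ethernet = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), address lengths 6 and 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Decode an ARP-over-Ethernet frame; None if the frame is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


class ArpWatch:
    """Passive monitor: learns sender IP -> MAC bindings from ARP traffic and
    alerts when an IP it has already seen shows up with a different MAC.
    self.table also models a host's ARP cache, which takes the same update
    without any question."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        pkt = parse_arp(frame)
        if pkt is None:
            return
        ip, mac = str(pkt["sender_ip"]), str(pkt["sender_mac"])
        known = self.table.get(ip)
        if known is not None and known != mac:
            kind = "reply" if pkt["op"] == ARP_REPLY else "request"
            self.alerts.append(f"{ip} moved from {known} to {mac} (ARP {kind})")
        self.table[ip] = mac


if __name__ == "__main__":
    watch = ArpWatch()
    # constructed traffic: user B (10.1.1.1) answers, then the attacker answers for the same IP
    watch.observe(build_arp(ARP_REPLY, "00:11:22:33:44:55", "10.1.1.1", "aa:bb:cc:dd:ee:01", "10.1.1.2"))
    watch.observe(build_arp(ARP_REPLY, "09:08:07:06:05:04", "10.1.1.1", "aa:bb:cc:dd:ee:01", "10.1.1.2"))
    print(watch.table, watch.alerts)
```

Injecting the frame for real needs a raw link-layer socket (AF_PACKET on Linux) and root; the defensive side needs nothing more than a capture of ARP traffic on the segment, which is why a flip alert like the one above is cheap to deploy. Dynamic ARP Inspection on the switch, which validates replies against the DHCP snooping table, stops the forged reply before any host sees it.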


Access Attacks: DHCP Starvation Attacks
• Dynamic Host Configuration Protocol (DHCP) assigns valid IP addresses to host systems out of a pre-configured DHCP pool
• A DHCP starvation attack inundates the DHCP server with fake DHCP requests, each carrying a different forged client hardware address, until every address in the pool has been handed out
• The result is a denial of service: the DHCP server cannot issue addresses to genuine host requests, so new clients cannot get onto the network
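As an added example (not code from the page), this Python simulation runs the attack against a small pool and then repeats it behind switch port security, the standard mitigation: an access port that learns at most a few source MAC addresses drops the rest, so the flood of forged client addresses never reaches the server. The pool (starting at 10.10.10.4 as in the figure), the MAC addresses and the per-port limit are constructed for the demo.

```python
import random
from typing import Dict, Optional, Set, Tuple


class DhcpServer:
    """Minimal DHCP server model: one address per client hardware address (chaddr)."""

    def __init__(self, first_ip: str, count: int) -> None:
        a, b, c, d = (int(x) for x in first_ip.split("."))
        self.free = [f"{a}.{b}.{c}.{d + i}" for i in range(count)]
        self.leases: Dict[str, str] = {}  # chaddr -> ip

    def discover(self, chaddr: str) -> Optional[str]:
        """DHCPDISCOVER -> DHCPOFFER. The offered address is held for this chaddr
        (a real server reserves it until the client REQUESTs it or the offer
        expires); with the pool empty there is no offer at all."""
        if chaddr in self.leases:
            return self.leases[chaddr]
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.leases[chaddr] = ip
        return ip


class SwitchPort:
    """Port security on an access port: learn at most max_macs source MACs;
    frames from any further MAC are dropped and counted as violations."""

    def __init__(self, max_macs: int) -> None:
        self.max_macs = max_macs
        self.learned: Set[str] = set()
        self.violations = 0

    def admit(self, src_mac: str) -> bool:
        if src_mac in self.learned:
            return True
        if len(self.learned) >= self.max_macs:
            self.violations += 1
            return False
        self.learned.add(src_mac)
        return True


def random_mac(rng: random.Random) -> str:
    # locally administered unicast MAC, a fresh one per request as starvation tools do
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def starvation(pool_size: int, attacker_requests: int, port_max_macs: Optional[int]) -> Tuple[int, Optional[str], int]:
    """Attacker on one switch port floods DISCOVERs, each from a new MAC.

    Returns (addresses the attacker tied up, address a legitimate client then
    receives, port-security violations). port_max_macs=None means no port security.
    """
    rng = random.Random(1)  # fixed seed so the run is reproducible
    server = DhcpServer("10.10.10.4", pool_size)
    port = SwitchPort(port_max_macs) if port_max_macs is not None else None
    for _ in range(attacker_requests):
        mac = random_mac(rng)
        if port is not None and not port.admit(mac):
            continue                     # dropped at the switch, never reaches the server
        server.discover(mac)
    hoarded = len(server.leases)
    legit = server.discover("00:11:22:33:44:55")  # a real client on another port
    return hoarded, legit, (port.violations if port is not None else 0)


if __name__ == "__main__":
    print("no port security:    ", starvation(10, 50, None))
    print("max 2 MACs per port: ", starvation(10, 50, 2))
```

Without port security fifty requests empty a ten-address pool and the legitimate client gets nothing; with a two-address limit the attacker ties up two addresses, the switch logs 48 violations (a strong detection signal on its own), and the next real client is offered 10.10.10.6. DHCP snooping with a per-port rate limit on DHCP messages is the complementary control, since an attacker who reuses a single MAC but rotates the DHCP client-identifier option slips past a MAC count alone.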

Figure (DHCP starvation): the attacker floods the DHCP server with requests from forged client addresses; the server hands out 10.10.10.4, 10.10.10.5, and so on until it runs out of IP addresses to allocate to valid users.

http://www.proxyworkbench.com

Proxy Workbench is a proxy server utility that displays the passage of data in real time. It lets you save the data, view the history and view the socket diagram of a particular TCP/IP connection; the socket connection diagram shows the graphical history of all previous events in that socket connection.

Advantages:

Displays an animated view of the socket connection.

Handles POP3 and HTTPS (Secure sockets).

Displays real time logging of data.

Proxy workbench is mainly used by:

People interested in Web browsing, sending and receiving e-mails etc.

Programmers

IT training industry

Internet security practitioners

Source: http://proxyworkbench.com

Module 03 Page 199


Certified Network Defender Network Security Controls, Protocols, and Devices

Proxy tools and their sources:
• SocksChain: http://ufasoft.com
• Fiddler: http://www.telerik.com
• Burp Proxy: http://www.portswigger.net
• AnalogX Proxy: http://www.analogx.com
• Proxifier: https://www.proxifier.com
• Protoport Proxy Chain: http://www.protoport.com
• WinGate: http://www.wingate.com
• ProxyCap: http://www.proxycap.com
• Charles: http://www.charlesproxy.com
• CCProxy: http://www.youngzsoft.net

SocksChain Source: http://ufasoft.com SocksChain is a program that lets any Internet service work through a chain of SOCKS or HTTP proxies to hide the real IP address. SocksChain functions as an ordinary SOCKS server that relays queries through a chain of proxies. It can also be used with client programs that do not support the SOCKS protocol but work over a single TCP connection, such as TELNET, HTTP, IRC, etc.

Burp Proxy Source: http://www.portswigger.net Burp Proxy, part of Burp Suite, is an intercepting proxy server that operates as a man-in-the-middle between your browser and the target application, allowing you to intercept and modify all HTTP/S traffic passing in both directions.

Proxifier Source: https://www.proxifier.com Proxifier allows network applications that do not support working through proxy servers to operate through a SOCKS or HTTPS proxy, or through a chain of them.


WinGate Source: http://www.wingate.com WinGate Proxy Server is an integrated Internet gateway and communications server which meets the control, security, and communications needs of today's businesses. It provides the flexibility to match the company's budget, irrespective of the size of the organization.

Charles Source: http://www.charlesproxy.com Charles is an HTTP proxy/ HTTP monitor/ Reverse Proxy that enables developers to view all HTTP and SSL/ HTTPS traffic between their machine and the Internet. This includes requests, responses and the HTTP headers (which contain the cookies and caching information).

Fiddler Source: http://www.telerik.com Fiddler is a proxy server that works with any browser, system or platform. Key features of Fiddler include:

Web Debugging

Performance Testing

Security Testing

Web session manipulation

HTTP/HTTPS traffic recording

Customizing Fiddler

AnalogX Proxy Source: http://www.analogx.com AnalogX Proxy is a server that allows any other machine on the local network to route its requests through a central machine. The protocols it supports are HTTP (web), HTTPS (secure web), POP3 (receive mail), SMTP (send mail), NNTP (newsgroups), FTP (file transfer), and SOCKS4/4a with partial SOCKS5.

Protoport Proxy chain Source: http://www.protoport.com Protoport Proxy Chain software enables users to build a chain of proxy servers from different countries. The proxy server tool enables them to surf the internet anonymously.

ProxyCap Source: http://www.proxycap.com ProxyCap redirects a computer's network connections through proxy servers. It lets you decide which applications may connect to the Internet through a proxy, and it supports the SSH protocol, allowing an SSH server to be specified as the proxy server.


CCProxy Source: http://www.youngzsoft.net CCProxy is a Windows proxy server that helps users build their own proxy server and share an Internet connection within the LAN. CCProxy supports broadband, DSL, dial-up, optical fiber, satellite, ISDN, and DDN connections, and can act as an HTTP, mail, FTP, SOCKS, news, Telnet, and HTTPS proxy server. Its functions include Internet access control, bandwidth control, web filtering, content filtering and time control, web caching, online access monitoring, access logging, and bandwidth usage statistics.


Network Security Devices: Honeypot
• A honeypot is an information system resource that is explicitly set up to attract and trap people who attempt to penetrate an organization's network
• It has no authorized activity and no production value, so any traffic to it is likely a probe or an attack
• A honeypot can log port access attempts or monitor an attacker's keystrokes; these can be early warnings of a more concerted attack

Figure: the honeypot is deployed in the DMZ next to the web server, behind the packet-filter firewall and separate from the internal network.

A honeypot is a computer system on the Internet set up to attract and trap people who attempt unauthorized or illicit use of the host. One variant is a fake open proxy that logs the abuse relayed through it so that the operator can report the attackers to the ISPs of the victims. Any interaction with a honeypot is most likely malicious. Honeypots do not solve one specific problem; they are a highly flexible tool with many security applications: some help prevent attacks, others detect them, and others are used for information gathering and research. A honeypot needs a considerable amount of attention to maintain.

To set up a honeypot:

• Install a system on the network with no purpose other than to log all attempted access.

• Install an older, unpatched operating system. For example, a default installation of Windows NT 4 with IIS 4 can be hacked using several different techniques; a standard intrusion detection system can then log the attacks directed against it and track what the intruder does with the system once it is compromised. Alternatively, install special-purpose honeypot software, which has the advantage of making the intruder appear to succeed without really giving them access to the network.

• Ensure that the attacker cannot easily delete the system data the honeypot is meant to collect.


The main intentions of implementing a honeypot are to:

• Track the activities performed by attackers, so that network administrators can build countermeasures for those attacks.

• Collect forensic information that can be used for further investigation of the attack.

Honeypots are classified into two types based on their deployment:

• Production honeypot: Placed inside a production network alongside the other production servers, giving attackers the impression that it holds real and valuable data. By evaluating the traffic through the honeypot, the organization can understand what the attacker did; the records also help identify the attackers and support legal action against them.

• Research honeypot: Lets an organization closely evaluate each step attackers take while attacking the network, so that the required measures can be developed for each attack. It also makes it easier to track which data the attackers stole.

Honeypots are further classified by their design:

• Pure honeypots: Full production-like systems that make it possible to track an attacker's activity completely; a small tap on the honeypot's link to the network captures everything that passes.

• Low-interaction honeypots: As the name suggests, they only emulate the services attackers most frequently probe, without running the real service, so a single machine can present several fake hosts and the attacker never gains a real foothold.

• High-interaction honeypots: Run the real services and activities of production systems, tricking attackers into believing they have reached a real production system. Several can run on one machine using virtual machines. They record every action of the attacker in detail, but they are costly to implement and maintain and, because the attacker gets a real system, must be carefully contained.

A honeypot must look as genuine as any other production system, and it should contain information that attracts attackers and persuades them to act.
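The following Python program is an added example of the low-interaction kind described above (it is not code from the page or from any of the honeypot products it lists): a listener that presents an SSH banner, never proceeds to key exchange or authentication, and records every connection as an event. It binds to 127.0.0.1 on an ephemeral port and includes a constructed "attacker" function so that the whole thing runs offline; the banner string and the addresses are assumptions for the demo.

```python
import socket
import threading
import time
from typing import Dict, List


class Honeypot:
    """Low-interaction honeypot: presents an SSH banner, never lets anyone in,
    and records every connection as an event. Nothing legitimate ever connects
    here, so every event is an alert."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = b"SSH-2.0-OpenSSH_7.4\r\n") -> None:
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.bind((host, port))
        self.srv.listen(16)
        self.srv.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self.srv.getsockname()[1]
        self.banner = banner
        self.events: List[Dict[str, object]] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    def _accept_loop(self) -> None:
        while not self._stop.is_set():
            try:
                conn, peer = self.srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()
        self.srv.close()

    def _handle(self, conn: socket.socket, peer) -> None:
        conn.settimeout(2.0)
        first_bytes = b""
        try:
            conn.sendall(self.banner)         # look like a real sshd
            first_bytes = conn.recv(256)      # the client's own banner or a probe
        except OSError:
            pass
        finally:
            conn.close()                      # never proceed to key exchange or auth
        with self._lock:
            self.events.append({"ts": time.time(), "src": f"{peer[0]}:{peer[1]}", "data": first_bytes})

    def wait_for(self, count: int, timeout: float = 3.0) -> bool:
        """Block until at least `count` events are recorded, or the timeout passes."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.01)
        return False

    def alerts(self) -> List[str]:
        with self._lock:
            return [f"honeypot touched from {e['src']}: {e['data'][:40]!r}" for e in self.events]

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()


def touch(port: int, payload: bytes = b"SSH-2.0-scanner\r\n") -> bytes:
    """Constructed 'attacker': connect, read the banner, send its own, hang up."""
    c = socket.create_connection(("127.0.0.1", port), timeout=2.0)
    got = c.recv(256)
    c.sendall(payload)
    c.close()
    return got


if __name__ == "__main__":
    hp = Honeypot()
    print("banner seen by the scanner:", touch(hp.port))
    hp.wait_for(1)
    print(hp.alerts())
    hp.stop()
```

Two design points carry over to real deployments: the honeypot only ever speaks the first line of the protocol, so there is no real service for the attacker to exploit (the property that makes low-interaction honeypots safe to leave unattended), and the event list is the entire detection logic, which is the "reduce false positives" benefit listed on the next page. Feeding the events to the organization's SIEM, or to a port-knocking scan detector, turns the first touch into the early warning the slide describes.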


Advantages of using Honeypots
• It is difficult to identify an internal attack attempted inside the space the organization's firewall monitors; honeypots can resolve this
• Honeypots appear to be easy to compromise, so attackers focus on the honeypots first
• Honeypots provide high-value, limited data compared to firewalls, system logs, and IDS
• The sole purpose of honeypots is to track attacks, so they can easily identify newly created viruses and worms
• Because they monitor limited data, honeypots rarely face a resource exhaustion problem
• Honeypots are easy to deploy, configure and maintain
• Honeypots need less equipment, so the investment in them is less
• Honeypots can be used to identify zero-day attacks
• Honeypots confuse attackers and keep them occupied


The following are some security benefits of implementing honeypots in the network:

Simplicity: Honeypots are simple to implement; they do not depend on complex detection algorithms.

Detect inside attacks: Honeypots help detect insiders (employees) misusing the system.

Reduce false positives: Any connection to a honeypot is treated as hostile, and any traffic leaving the honeypot indicates a compromise.

Identify false negatives: Since any activity involving the honeypot is abnormal, honeypots capture new attacks that signature-based tools would miss.

Data collection: Honeypots collect a small amount of high-value data with almost no benign noise mixed in, so it is easy to analyze.

Resources: Because honeypots capture little activity, they do not run into resource exhaustion.

Encryption: Since the honeypot is the endpoint of the connection, it sees the attacker's activity even when the transport is encrypted.

IPv6: Honeypots detect, capture, and log IPv6 activity just as they do IPv4.

Incident response: Honeypots allow the organization to detect attacks and take the necessary steps to contain them.

Warning system: Honeypots provide early alerts about threats in the network.


Ability to mislead: Easy to mislead attackers.

Stores information: Information collected by honeypots is considered highly beneficial.


Honeypot tools and their sources:
• Kojoney: http://kojoney.sourceforge.net
• HIHAT: http://hihat.sourceforge.net
• Glastopf: http://glastopf.org
• HoneyBOT: http://www.atomicsoftwaresolutions.com
• Canary: https://canary.tools
• HoneyD: http://www.citi.umich.edu
• Thug: http://buffer.github.io
• T-Pot: http://dtag-dev-sec.github.io
• Argos: http://www.few.vu.nl
• Conpot: https://pypi.python.org

Kojoney

Source: http://kojoney.sourceforge.net Kojoney is a low-interaction honeypot that emulates an SSH server. Its prerequisites are:

OpenSSL

Python

sh or Bash (Bourne Again SHell)

Zope-Interfaces (included in the package)

Twisted (included in the package)

Twisted Conch (included in the package)

Glastopf

Source: http://glastopf.org Glastopf is a honeypot that emulates thousands of vulnerabilities to gather data from attacks targeting web applications. It follows a very simple principle: send the attacker the response its web-application exploit expects.


Canary Source: https://canary.tools Canary honeypots mimic a production system when deployed and help an organization detect network breaches early.

Thug Source: http://buffer.github.io Thug is a low-interaction honeyclient. Its aim is to mimic the behavior of a web browser in order to detect and emulate malicious content. A honeyclient is a tool designed to mimic a user-driven network client application, such as a web browser, and to be exploited by an attacker's content.

Argos Source: http://www.few.vu.nl Argos is a honeypot that uses dynamic taint analysis to detect and analyze control-flow attacks.

HIHAT Source: http://hihat.sourceforge.net The High Interaction Honeypot Analysis Toolkit (HIHAT) transforms arbitrary PHP applications into web-based high-interaction honeypots. It provides a graphical user interface for monitoring the honeypot and analyzing the acquired data.

HoneyBOT Source: http://www.atomicsoftwaresolutions.com HoneyBOT is a medium-interaction honeypot for Windows. It creates a safe environment to capture and interact with unsolicited traffic on a network, and is suited to network security research or to use as part of an early-warning IDS.

HoneyD Source: http://www.citi.umich.edu HoneyD creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running particular operating systems. HoneyD enables a single host to claim multiple addresses.

T-Pot Source: http://dtag-dev-sec.github.io T-Pot aims to create a system whose entire TCP port range, plus some important UDP services, acts as a honeypot, forwarding all incoming attack traffic to the best-suited honeypot daemon to respond to and process it.

Conpot Source: https://pypi.python.org Conpot is an ICS honeypot that collects intelligence about the motives and methods of adversaries targeting industrial control systems.


Network Security Devices: Intrusion Detection System (IDS)
• An intrusion detection system (IDS) is a network security appliance that inspects inbound and outbound network traffic for suspicious patterns that may indicate a network or system security breach
• When it finds one, the IDS alerts the network administrator about the suspicious activity
• A signature-based IDS compares traffic against signatures of known intrusion patterns and triggers an alarm when a match is found; on its own it cannot flag an attack for which no signature exists yet
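Added example, not code from the page or from any IDS product: the Python below implements the two detection styles a network IDS combines, exact content signatures of the kind the slide describes and a threshold rule that catches the port scan from earlier in this module (one source touching many ports within a short window). The signatures (including one for the risky TRACE method Nmap flagged above), the packet records and the sample traffic are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    ts: float       # seconds
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    sid: int
    msg: str
    dport: Optional[int]   # None = any port
    content: bytes         # byte pattern that must appear in the payload


# Illustrative signatures; real rule sets carry thousands of these.
SIGNATURES = [
    Signature(1001, "HTTP TRACE method (cross-site tracing probe)", 80, b"TRACE "),
    Signature(1002, "Shellshock CGI probe", 80, b"() { :;};"),
    Signature(1003, "SQL injection tautology", None, b"' OR 1=1"),
]


class SignatureIDS:
    """Content signatures plus a sliding-window threshold rule for port scans."""

    def __init__(self, sigs: List[Signature], scan_ports: int = 10, scan_window: float = 5.0) -> None:
        self.sigs = sigs
        self.scan_ports = scan_ports
        self.scan_window = scan_window
        self.touches: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
        self.scan_alerted: Set[str] = set()
        self.alerts: List[str] = []

    def inspect(self, pkt: Packet) -> None:
        for sig in self.sigs:
            if (sig.dport is None or sig.dport == pkt.dport) and sig.content in pkt.payload:
                self.alerts.append(f"[{sig.sid}] {sig.msg}: {pkt.src} -> {pkt.dst}:{pkt.dport}")
        hist = self.touches[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        hist[:] = [(t, p) for t, p in hist if t >= pkt.ts - self.scan_window]  # slide the window
        distinct = {p for _, p in hist}
        if len(distinct) >= self.scan_ports and pkt.src not in self.scan_alerted:
            self.scan_alerted.add(pkt.src)   # one alert per scanner, not one per packet
            self.alerts.append(f"[2000] port scan: {pkt.src} hit {len(distinct)} ports within {self.scan_window:g}s")


def sample_traffic() -> List[Packet]:
    """Constructed traffic: a scanner sweeping 12 ports, a normal web request, then the scanner probing TRACE."""
    pkts = [Packet(0.1 * i, "198.51.100.7", "10.0.0.5", 20 + i, b"") for i in range(12)]
    pkts.append(Packet(3.0, "10.0.0.20", "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"))
    pkts.append(Packet(3.5, "198.51.100.7", "10.0.0.5", 80, b"TRACE / HTTP/1.1\r\nHost: www\r\n\r\n"))
    return pkts


def run(pkts: Optional[List[Packet]] = None) -> List[str]:
    ids = SignatureIDS(SIGNATURES)
    for pkt in (pkts if pkts is not None else sample_traffic()):
        ids.inspect(pkt)
    return ids.alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

The scan alert fires on the tenth distinct port and is then suppressed for that source, which is how real sensors avoid drowning the console during a sweep; the benign GET produces nothing. The limitation stated in the slide is visible too: a payload that matches no signature, however hostile, passes silently, which is what the threshold rule and the honeypots of the previous pages are there to cover.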

Figure: the IDS sits behind the Internet-facing router and watches the traffic flowing toward the DMZ and the intranet users.

Figure (RADIUS authentication, final step): RADIUS Server to Access Server: Access-Accept or Access-Reject (User-Service, Framed-Protocol)

RADIUS Accounting Steps: the client sends an Accounting-Request to the server to report accounting information for a connection that was accepted. The server receives the Accounting-Request and sends back an Accounting-Response acknowledging that the record was received.

RADIUS Client to RADIUS Server: Accounting-Request [Acct-Status-Type = Start]
RADIUS Server to RADIUS Client: Accounting-Response
RADIUS Client to RADIUS Server: Accounting-Request [Acct-Status-Type = Interim-Update]
RADIUS Server to RADIUS Client: Accounting-Response
RADIUS Client to RADIUS Server: Accounting-Request [Acct-Status-Type = Stop]
RADIUS Server to RADIUS Client: Accounting-Response


RADIUS stands for Remote Authentication Dial-In User Service. It was developed by Livingston Enterprises as a networking protocol that provides centralized authentication, authorization, and accounting (AAA) for remote access servers that communicate with a central server. RADIUS uses a client-server model at the application layer and is carried over UDP (port 1812 for authentication and authorization, 1813 for accounting); a TCP transport was defined later in RFC 6613. RADIUS is the de facto standard for remote user authentication and is documented in RFC 2865 and RFC 2866. It works on both mobile and local networks and uses PAP, CHAP, or EAP to authenticate the users communicating with the servers. The components of a RADIUS AAA deployment are as follows:

Access clients

Access servers

RADIUS proxies

RADIUS servers

User account databases

RADIUS messages are sent as UDP datagrams, with exactly one RADIUS message in the UDP payload. Each message consists of a RADIUS header (Code, Identifier, Length, and a 16-octet Authenticator) followed by zero or more attributes in type-length-value form. Of the base attributes only User-Password is obfuscated with the shared secret; everything else, including user names and accounting data, travels in cleartext, and the Authenticator is what lets each side detect a forged or tampered message.
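As an added example (not code from the page and not a RADIUS library), the Python below encodes the Start / Interim-Update / Stop accounting exchange from the figure on the wire, computes and verifies the RFC 2866 Request and Response Authenticators with the shared secret, and shows what a tampered or wrongly-keyed packet does. The shared secret, user name and session identifier are constructed for the demo.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5            # RADIUS Code values (RFC 2866)
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44  # attribute types
STATUS = {"start": 1, "stop": 2, "interim-update": 3}      # Acct-Status-Type values


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Type-Length-Value attributes; Length counts the two header octets."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def accounting_request(ident: int, secret: bytes, user: str, session: str, status: str) -> bytes:
    attrs = encode_attrs([
        (USER_NAME, user.encode()),
        (ACCT_STATUS_TYPE, struct.pack("!I", STATUS[status])),
        (ACCT_SESSION_ID, session.encode()),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 Request Authenticator: MD5 over Code+Identifier+Length, sixteen zero
    # octets, the attributes and the shared secret. The attributes themselves go in clear.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(pkt: bytes, secret: bytes) -> Dict[int, bytes]:
    """Server side: check the authenticator and return the attributes; raises on failure."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS header")
    attrs = pkt[20:length]
    expected = hashlib.md5(pkt[:4] + bytes(16) + attrs + secret).digest()
    if expected != pkt[4:20]:
        raise ValueError("request authenticator mismatch: wrong shared secret or tampered packet")
    return decode_attrs(attrs)


def accounting_response(request: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)   # same Identifier, no attributes
    # Response Authenticator: MD5(Code+ID+Length + RequestAuthenticator + attributes + secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: the response is only valid if it was computed over our own request authenticator."""
    if response[1] != request[1] or response[0] != ACCOUNTING_RESPONSE:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def accounting_session(secret: bytes, user: str, session_id: str) -> List[int]:
    """Walk the Start / Interim-Update / Stop exchange from the figure; returns the
    Acct-Status-Type values the server accepted."""
    seen = []
    for ident, status in enumerate(("start", "interim-update", "stop")):
        req = accounting_request(ident, secret, user, session_id, status)
        attrs = verify_request(req, secret)                      # the server validates...
        seen.append(struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0])
        resp = accounting_response(req, secret)                   # ...and acknowledges
        if not verify_response(req, resp, secret):
            raise ValueError("client rejected the Accounting-Response")
    return seen


if __name__ == "__main__":
    print(accounting_session(b"s3cret", "alice", "0001"))
```

Two things are worth noticing on the wire: the user name is readable in the request bytes, which is the point the TACACS+ page that follows makes against RADIUS, and the authenticator is only as strong as the shared secret, so a short secret guessed offline from one captured exchange lets an attacker forge accounting records.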


• Terminal Access Controller Access-Control System Plus (TACACS+) is a network security protocol used for authentication, authorization, and accounting for network devices such as switches, routers and firewalls through one or more centralized servers
• TACACS+ encrypts the entire body of every packet, including the user's password, which protects it from sniffing attacks; only the 12-byte header travels in cleartext

• It follows a client-server model: the client (a user or network device) requests a connection from the server, and the server authenticates the user by examining the credentials

Figure: remote users reach the TACACS+ client (a router acting as AAA client) over PSTN/ISDN; the router consults the TACACS+ server on the corporate network.

TACACS+ authorization exchange:
1. The AAA client receives the resource request from the user (authentication is assumed to have already taken place).
2. An authorization REQUEST is sent to the AAA server for service=shell.
3. A RESPONSE is returned to the AAA client indicating pass or fail.
4. The AAA client grants or denies access to the shell accordingly.

Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco and derived from the original TACACS. Unlike RADIUS, it performs authentication, authorization, and accounting as separate exchanges, runs over TCP (port 49), and is used primarily for device administration.

Authentication in TACACS+: Consider the example of a laptop user connecting to a NAS (router). TACACS+ authentication involves the following steps:

Step 1: The user initiates the connection for authentication.

Step 2: The router and the user exchange authentication parameters (username and password).

Step 3: The router sends the parameters to the TACACS+ server for authentication.

Step 4: The server responds with a REPLY message (pass, fail, or a request for more input) based on the information provided.
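The Python below is an added example (not code from the page and not a TACACS+ implementation) of the body protection the slide refers to: it builds the authentication START packet the router sends in Step 3 for a PAP login, obfuscates the body with the RFC 8907 MD5-derived pseudo-pad keyed by the shared secret, session ID, version and sequence number, and shows that the same packet built with the unencrypted flag exposes the password to a sniffer. The shared key, session ID, user name, password, port and remote address are constructed for the demo.

```python
import hashlib
import struct
from typing import Dict

VERSION = 0xC0           # major 0xC, minor 0: the version byte of every TACACS+ packet
TYPE_AUTHEN = 1          # packet types: 1 authentication, 2 authorization, 3 accounting
FLAG_UNENCRYPTED = 0x01  # RFC 8907 TAC_PLUS_UNENCRYPTED_FLAG (for debugging only)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call decrypts because XOR is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, password: str, port: str = "tty0", rem_addr: str = "10.0.0.9") -> bytes:
    """Authentication START body for a PAP login (RFC 8907 section 5.1)."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1), then the four lengths
    return struct.pack("!8B", 1, 1, 2, 1, len(u), len(p), len(r), len(d)) + u + p + r + d


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                 ptype: int = TYPE_AUTHEN, encrypt: bool = True) -> bytes:
    flags = 0 if encrypt else FLAG_UNENCRYPTED
    payload = obfuscate(body, session_id, key, VERSION, seq_no) if encrypt else body
    # 12-byte header: version, type, seq_no, flags, session_id, body length; the header is never encrypted
    return struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(pkt: bytes, key: bytes) -> Dict[str, object]:
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    payload = pkt[12:12 + length]
    if len(payload) != length:
        raise ValueError("truncated TACACS+ packet")
    body = payload if flags & FLAG_UNENCRYPTED else obfuscate(payload, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}


def password_on_the_wire(pkt: bytes, password: str) -> bool:
    """What a sniffer on the path can do: look for the cleartext password in the bytes."""
    return password.encode() in pkt


if __name__ == "__main__":
    body = authen_start_body("alice", "Sup3rSecret!")
    for enc in (True, False):
        pkt = build_packet(body, 0x1234ABCD, b"tackey", encrypt=enc)
        print("encrypted" if enc else "cleartext", "-> password visible:", password_on_the_wire(pkt, "Sup3rSecret!"))
```

The pad depends on the sequence number, so each packet of a session gets a different keystream, and a server with the wrong key simply decodes garbage rather than detecting the mismatch. Note also that this is obfuscation with a shared secret rather than authenticated encryption: anyone who learns the key can read every session, which is why TACACS+ deployments are expected to run on a management network and, in newer deployments, inside TLS.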


Difference between RADIUS and TACACS+

Figure: the TACACS+ authentication flow and the RADIUS authentication flow side by side, each beginning with the user's authentication request.

FIGURE 6.3: Disabling Unwanted Accounts (Local Security Policy, Local Policies > Security Options)

Console tree: Account Policies; Local Policies (Audit Policy, User Rights Assignment, Security Options); Windows Firewall with Advanced Security; Network List Manager Policies; Public Key Policies; Software Restriction Policies; Application Control Policies; IP Security Policies on Local Computer; Advanced Audit Policy Configuration

Policy | Security Setting
Accounts: Administrator account status | Enabled
Accounts: Block Microsoft accounts | Not Defined
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to co... | Enabled
Accounts: Rename administrator account | Administrator
Accounts: Rename guest account | Guest
Audit: Audit the access of global system objects | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled
Audit: Force audit policy subcategory settings (Windows Vis... | Not Defined
Audit: Shut down system immediately if unable to log secur... | Disabled
DCOM: Machine Access Restrictions in Security Descriptor D... | Not Defined
DCOM: Machine Launch Restrictions in Security Descriptor ... | Not Defined
Devices: Allow undock without having to log on | Enabled
Devices: Allowed to format and eject removable media | Not Defined
Devices: Prevent users from installing printer drivers | Enabled
Devices: Restrict CD-ROM access to locally logged-on user ... | Not Defined
Devices: Restrict floppy access to locally logged-on user only | Not Defined
Domain controller: Allow server operators to schedule tasks | Not Defined
Domain controller: LDAP server signing requirements | Not Defined
Domain controller: Refuse machine account password chan... | Not Defined
Domain member: Digitally encrypt or sign secure channel d... | Enabled
Domain member: Digitally encrypt secure channel data (wh... | Enabled
Domain member: Digitally sign secure channel data (when ... | Enabled

An alternative method for the step above is as follows:
1. Go to Control Panel ➔ User Accounts ➔ Manage Accounts
2. Turn off the Guest account if it is on

FIGURE 6.4: Managing Accounts (Control Panel > All Control Panel Items > User Accounts > Manage Accounts). Under "Choose the user you would like to change" the panel lists Administrator (Local Account, Administrator, Password protected) and Guest (Guest account is off), with a link to Add a user account.

Module 06 Page 442


Certified Network Defender Host Security

Configuring User Authentication

• Change names and passwords for default accounts
• Disable inactive accounts
• Assign rights to groups not individual users
• Don't permit shared accounts, if possible
• Enforce an appropriate strong password policy

Authentication identifies and validates the users who access a system or application, and determines whether a user has the permissions to access it and to perform actions.

• Change names and passwords for default accounts: Systems that ship with built-in accounts should have those accounts renamed and given unique passwords; every account should have its own credentials.

• Disable inactive accounts: When an employee leaves the company, the administrator must disable or delete all of that employee's accounts. Timely action keeps dormant accounts from being used for intrusion.

• Assign rights to groups, not individual users: Administrators should define groups with the rights each role needs and add users to those groups rather than granting rights user by user. This makes rights easier to review and user activity easier to monitor.

• Do not permit shared accounts: Avoid shared accounts on the network. An account shared by several users cannot be tied to an individual and acts as an open invitation to intruders.

• Enforce an appropriate strong password policy: Administrators should require users to create strong passwords for their accounts; easy passwords are more vulnerable to guessing and cracking.


- Patch management ensures that the appropriate, current patches are installed on the system
- Patches are small programs that apply a fix to a specific vulnerability or defect
- It involves applying patches and service packs and/or upgrading Windows to a newer version
- Service packs fix vulnerabilities and also bring functionality improvements
- Use patch management tools to identify missing patches and install them on the system
- Version upgrades fix vulnerabilities and come with improved security features

Patch Management Activities:

- Choosing, verifying, testing and applying patches
- Updating previous versions of patches to current ones
- Recording repositories or depots of patches for easy selection
- Assigning and deploying applied patches

Patch management is an integral part of OS security: it keeps the system secure through regular updates. In an IT infrastructure, patch management must be efficient if the security of the systems is to be maintained. It involves applying patches and service packs, or upgrading the OS to a newer version, and it produces a consistently configured environment that is protected against the known vulnerabilities and threats to the operating system.

Patch Management Process:

Detect: Install tools that automatically detect missing updates and initiate the patch management process.

Assess: Identify the severity of the vulnerabilities each update addresses and the number of patches required to close them, so that deployment can be prioritized.

Acquire: Obtain the patch from the vendor for testing when no other security measure already mitigates the detected vulnerability.

Test: Apply the patch on a test system that mirrors production and confirm that it does not break applications.

Deploy: Roll the tested patches out to the remaining systems.

Maintain: Keep the other systems current by sending notifications about the detected vulnerabilities and tracking which systems are still outstanding.


The patch management process can be implemented on user machines in two ways:

- Distribute a written process among the employees, to be carried out on their own host machines.
- Implement an automated patch management system that lets the administrators control the deployment of patches to host machines.

Patch Management Processes:

Written Process: In this process the organization trusts its employees to install patches and keep their systems updated. The organization spot-checks users' systems to make sure employees adhere to the patch management policy. Following this process is not safe, because a single host that an employee forgot to patch exposes the IT infrastructure to intrusion.

Automated Process: The automated process is more reliable for keeping the organization secure. Once vendors release security updates, it is the administrators' responsibility to apply those patches in time, and the tooling lets them do so consistently across every host. These updates fix security vulnerabilities in the systems or the network, and timely installation of security patches reduces the risk of compromise and data loss.

Patch Management Principles:

- Service packs should be the foundation of every patch management strategy.
- Product lifecycle (whether the product is still supported and still receives patches) is a key element of the strategy.
- Perform a risk assessment.
- Use mitigating factors to determine applicability and priority.
- Use workarounds only where a patch cannot yet be deployed.
- Use only the detection and deployment methods available for the product.

Administrators should be aware of the security requirements of their organization and ensure that patch management is based on those requirements. They should also inform users about security patches and updates. Patch management on Windows requires scheduling and prioritization, and every patch management program needs a patch cycle that provides a standard, repeatable way of applying patches and updates.


Configuring an Update Method for Installing Patches

1. Go to Start ➔ Control Panel ➔ System and Security ➔ Windows Update, click Change settings and select the option Install updates automatically (recommended)

[Figure: the Windows Update "Change settings" page ("Choose your Windows Update settings"), with the Important updates drop-down set to install updates automatically.]
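The Detect, Assess, Deploy (scheduling) and Maintain (recording) steps of the process described above, for one Windows host, together with the registry policy behind the "Install updates automatically" setting. This is an added example, not code from the CND courseware; the baseline list of required updates is a constructed placeholder, and the install day and time are assumptions.

```powershell
# Added example (not CND courseware code): the Detect and Assess steps of the
# patch management process on a single Windows host, plus the registry
# equivalent of "Install updates automatically". Run elevated.
# The baseline list of KBs is a constructed placeholder, not real update IDs.
#Requires -RunAsAdministrator

# Detect: ask the Windows Update Agent which applicable updates are not yet
# installed. The host queries Microsoft Update or its configured WSUS server.
function Get-MissingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
            Title    = $u.Title
        }
    }
}

# Assess: order by MSRC severity so Critical fixes are deployed first.
$severityRank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3; Unrated = 4 }
$missing = Get-MissingUpdates | Sort-Object { $severityRank[$_.Severity] }, Title
$missing | Format-Table KB, Severity, Title -AutoSize

# Verify against the organization's baseline of updates every host must carry
# (constructed placeholder list for this example).
$RequiredKBs  = 'KB0000001', 'KB0000002'          # constructed, not real KBs
$installed    = (Get-HotFix).HotFixID
$notInstalled = $RequiredKBs | Where-Object { $_ -notin $installed }
if ($notInstalled) {
    Write-Warning ("Baseline patches missing: {0}" -f ($notInstalled -join ', '))
}

# Configure: the policy values behind "Install updates automatically".
# AUOptions 4 = download and schedule installation; day 0 = every day;
# time 3 = 03:00 (day and time are assumptions).
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord

# Maintain: record what was installed in the last 30 days for the change log.
Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-30) } |
    Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn -AutoSize
```

Get-HotFix only lists updates that register a hotfix ID, so the Windows Update Agent search is the authoritative Detect step; the hotfix list is for the audit trail. In a domain, set the same AU values through Group Policy rather than per host.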

Conduct a Windows Event log review based on the Event ID, source, date and time of events and their severity levels.

Some log entries that indicate suspicious behavior:

- Consecutive login failure attempts
- Login attempts outside office hours
- Authority change, addition and removal attempts
- Account unlocked/password reset attempts

Note: The CND Resource Kit contains a detailed list of Event IDs for the corresponding log events.


Windows log review and audit involve monitoring and analyzing log entries for suspicious behavior. Administrators find log review useful for troubleshooting problems with Windows and other programs, and for detecting signs of malicious activity such as unauthorized login attempts on the computer. Events generated by the operating system, its services and applications, including user logon and account activity, are recorded in the Windows Event Log. Administrators view these entries with Event Viewer, which tracks information in several different logs.

Event Viewer:

1. Go to Control Panel ➔ Administrative Tools
2. In the Administrative Tools window, double-click Event Viewer

[Figure: the Administrative Tools folder in Control Panel, listing shortcuts such as Component Services, Computer Management, Event Viewer, Local Security Policy and Performance Monitor.]

FIGURE 6.23: Event Viewer

The main screen of the Event Viewer is divided into three parts:

Navigation Pane: It displays the various types of logs and their related features. The tree contains Custom Views (such as Administrative Events), Windows Logs (Application, Security, Setup, System, Forwarded Events), Applications and Services Logs (Hardware Events, Internet Explorer, Key Management Service, Microsoft, Microsoft Office Alerts, Windows PowerShell) and Subscriptions.

FIGURE 6.24: Navigation Pane in Event Viewer


Detail Pane: In the detail pane, event entries are listed in chronological order. Clicking on any event entry shows the event's detailed information in the bottom half of the pane. Each event also carries a level that indicates its severity. There are three icon styles:

1. Information messages: Shown with an "i" in a white circle; the system performed the task successfully.
2. Warning messages: Shown with a yellow triangular icon; an event occurred that might create a problem later.
3. Error and critical messages: Shown with an exclamation mark inside a red circle; a significant problem occurred.

[Figure: the Event Viewer (Local) Overview and Summary page, with the Summary of Administrative Events table (Event Type, Event ID, Source, Log, Last hour), Recently Viewed Nodes and Log Summary (Log Name, Size, Modified, Enabled).]

FIGURE 6.25: Summary window of an Event

Action Pane: The action menu items in the right pane include many of the options available from the main menu bar: opening a saved log, creating or importing a custom view, connecting to another computer, saving event entries to a file, exporting or filtering events, refreshing the view, and so on.

FIGURE 6.26: Action Pane in Event Viewer


Windows Event Logs consist of five types of logs:

1. Application Log: Stores events from applications installed on the computer.
2. Security Log: Stores security audit events such as logon attempts, object access and changes to user accounts and privileges.
3. Setup Log: Stores events captured during OS installation and upgrades.
4. System Log: Stores events generated by the OS and its components (drivers, services).
5. Forwarded Events: Events that other hosts on the network send to this machine when it is configured as the collector in an event forwarding subscription.

Each event in a log contains the following information:

Date: The date on which the event occurred.
Time: The time at which the event occurred.
User: The name of the user logged on when the event occurred.
Computer: The name of the computer on which the event occurred.
Event ID: The identification number that states the event type.
Source: The component (application, service or OS component) that raised the event.
Type: The type of event that occurred.
Level: Represents the severity of the event. The levels are:
  o Information: A change in the application or system worth recording; no action is needed.
  o Warning: An issue occurred that can impact the services of the system if it is not addressed.
  o Error: An error has occurred, such as a failed task or lost data.
  o Critical: A failure from which the application or component could not recover.
Keywords: Categories used to search for and filter events.
Log: The name of the log in which the event was created.

In an organization, an administrator should make a practice of monitoring and auditing the log files. Log entries that suggest suspicious activity on a computer include:

- Consecutive login failure attempts.
- Login attempts outside office hours.
- Authority change, addition and removal attempts.
- Account unlocked/password reset attempts.
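A review of the Security log for the four suspicious patterns listed above, returning each finding as an object that can be exported or forwarded to a SIEM. This is an added example, not code from the CND courseware or its Resource Kit. The Event IDs used are the standard Windows Security audit IDs (4624/4625 logon success/failure, 4720/4726 account created/deleted, 4728/4732/4756 and 4729/4733/4757 group member added/removed, 4767 account unlocked, 4724 password reset attempt); the 24-hour review window, the failure threshold of 5 and the 08:00 to 18:00 office hours are assumptions.

```powershell
# Added example (not CND courseware code): reviewing the Security log for the
# four suspicious patterns listed above and returning findings as objects.
# Run elevated: the Security log is not readable otherwise. The Event IDs are
# the standard Windows Security audit IDs, not taken from the CND Resource Kit;
# the review window, failure threshold and office hours are assumptions.
#Requires -RunAsAdministrator

$Since         = (Get-Date).AddHours(-24)   # assumed review window
$FailThreshold = 5                          # assumed
$OfficeStart   = 8                          # assumed, 08:00
$OfficeEnd     = 18                         # assumed, 18:00

# Read one named field (e.g. TargetUserName) from the event's EventData XML.
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-SecurityEvents([int[]]$Id) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } `
                 -ErrorAction SilentlyContinue | Sort-Object TimeCreated
}

function New-Finding([string]$Category, $Event, [string]$Detail) {
    [pscustomobject]@{ Time = $Event.TimeCreated; EventId = $Event.Id; Category = $Category; Detail = $Detail }
}

function Test-OffHours([datetime]$When) {
    ($When.DayOfWeek -in 'Saturday', 'Sunday') -or $When.Hour -lt $OfficeStart -or $When.Hour -ge $OfficeEnd
}

function Find-SuspiciousEvents {
    # 1 and 2. Walk logons in time order. 4625 = failed logon, 4624 = success.
    #   A success resets the failure count for that account; an interactive (2)
    #   or RDP (10) success outside office hours is itself a finding.
    $streak = @{}
    foreach ($e in Get-SecurityEvents -Id 4624, 4625) {
        $user = Get-EventField $e 'TargetUserName'
        if (-not $user) { continue }
        $ip = Get-EventField $e 'IpAddress'
        if ($e.Id -eq 4624) {
            $streak[$user] = 0
            $type = [int](Get-EventField $e 'LogonType')
            if (($type -in 2, 10) -and (Test-OffHours $e.TimeCreated)) {
                New-Finding 'Logon outside office hours' $e "$user logon type $type from $ip"
            }
            continue
        }
        $streak[$user] = 1 + [int]$streak[$user]
        if ($streak[$user] -eq $FailThreshold) {
            New-Finding 'Consecutive logon failures' $e "$FailThreshold failures for $user from $ip"
        }
    }

    # 3. Authority changes: account created/deleted (4720/4726) and members
    #    added to or removed from security groups (4728/4732/4756, 4729/4733/4757).
    foreach ($e in Get-SecurityEvents -Id 4720, 4726, 4728, 4729, 4732, 4733, 4756, 4757) {
        $detail = "by {0}: target {1}" -f (Get-EventField $e 'SubjectUserName'), (Get-EventField $e 'TargetUserName')
        $member = Get-EventField $e 'MemberName'
        if ($member) { $detail += ", member $member" }
        New-Finding 'Authority change' $e $detail
    }

    # 4. Account unlocked (4767) and password reset attempts (4724).
    foreach ($e in Get-SecurityEvents -Id 4767, 4724) {
        New-Finding 'Unlock / password reset' $e ("by {0} on {1}" -f (Get-EventField $e 'SubjectUserName'), (Get-EventField $e 'TargetUserName'))
    }
}

Find-SuspiciousEvents | Sort-Object Time | Format-Table -AutoSize
```

The failure counter is keyed per account and reset by a success, so a user who mistypes twice and then logs in is not reported, while five failures in a row against one account are. Pipe Find-SuspiciousEvents to Export-Csv to keep the review as a record; for an organization, the same logic belongs in the log collector that receives the Forwarded Events.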


- Install and configure a host-based IDS/IPS solution to detect intrusion attempts on a single host system
- It can detect intrusion attempts such as system compromise, rootkits, malicious processes and modifications of critical configuration files such as registry settings, /etc/passwd, etc.
- It monitors and reports on the system configuration and application activity
- It is an effective solution for detecting computer misuse by trusted insiders

A host-based IDS analyzes and identifies malicious activity on the computer system on which it runs. It examines the parts of the system an attacker would touch: the resources used by each application, the current state of the system, memory, log files and the file system, and it checks for changes to applications and their configuration.

The host-based IDS detects:

- System compromise.
- Unwanted or unused applications.
- Any modification of critical configuration files such as registry settings or /etc/passwd.
- Malware.
- Rootkits.
- Rogue processes.
- Important services that have been stopped unexpectedly.
- User access to systems and applications.

The host-based IDS analyzes activity both inside the computer system and at its network interface, and checks whether all applications and programs on the system follow the security policies. A host-based IDS works well in combination with a NIDS: it can detect activity that the network-based IDS misses, such as an attack carried inside encrypted traffic or performed by a local user. The administrator can compare the analysis done by the host-based IDS and the network-based IDS to confirm whether intruders have changed anything on the system, so the network administrator should consider implementing both network-based and host-based IDS to secure the network. Some differences between NIDS and HIDS are:

Difference     Host-based IDS                                             Network-based IDS
Analysis       Analyzes the host's log files, which hold all the          Analyzes network traffic
               information about the status of the system
Protection     Protects the host even when it is off the LAN             Protects only while the host is on the monitored LAN
Versatility    More versatile (sees processes, files and users,           Less versatile (sees only what crosses the wire)
               not just packets)
Affordability  Costlier to deploy and administer, since an agent          Cheaper to implement and needs less administration,
               is needed on every host                                    since one sensor covers a network segment

TABLE 6.1: NIDS vs HIDS

Advantages of host-based IDS:

- Very low false positives: The host-based IDS performs its analysis directly on the host, with access to its log files and the context of the process or user involved, which reduces the number of false positives compared with inferring activity from packets alone.
- Narrow operating system focus: A host-based IDS agent is written for a specific operating system, so it understands that platform's logs, file system and registry in detail instead of treating every host generically.
- Non-network based attacks: It identifies attacks carried out on the physical machine itself, such as those from a local console or removable media, which never cross the network.


Host-based IDS: OSSEC

- OSSEC is a free, open-source host-based intrusion detection system (HIDS)
- It can perform log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response
- It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows

http://ossec.github.io

OSSEC is a platform to monitor and control your systems. It brings together all the aspects of HIDS (host-based intrusion detection), log monitoring and Security Incident Management (SIM)/Security Information and Event Management (SIEM). It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.

Key Features:

- File Integrity checking: The goal of file integrity checking (or FIM, file integrity monitoring) is to detect changes to files and alert you when they happen. Whether the cause is an attack, misuse by an employee or a typo by an administrator, any change to a monitored file, directory or registry key is reported to you.

- Log Monitoring: Every operating system, application and device on your network generates logs (events) to let you know what is happening. OSSEC collects, analyzes and correlates these logs to let you know if something suspicious is happening (attack, misuse, errors, etc.).

- Rootkit Detection: Attackers want to hide their actions; rootkit detection notifies you when the system is modified in a way common to rootkits.

- Active Response: Active response allows OSSEC to take immediate action (for example blocking an address or disabling an account) when specified alerts are triggered. This may stop an incident from spreading before an administrator can act.

Source: http://ossec.github.io


Host-based IDS: AlienVault Unified Security Management (USM)

- USM can be used for both host-based intrusion detection (HIDS) and network-based intrusion detection (NIDS)
- USM detects intrusions such as:
  - System compromises
  - Unwanted applications
  - Malware
  - Rogue processes
  - Privilege escalations
  - Rootkits
  - Critical services that have been stopped
  - Modification of critical configuration files (e.g. registry settings, /etc/passwd)
  - User access to systems and applications

https://www.alienvault.com

AlienVault's Unified Security Management (USM) platform accelerates and simplifies threat detection, incident response and compliance management for IT teams with limited resources. With essential security controls and integrated threat intelligence built in, AlienVault USM gives visibility of the threats affecting your network and of how to mitigate them.

Its intrusion detection capability includes:

- Network IDS
- Host IDS
- File Integrity Monitoring (FIM)

Source: https://www.alienvault.com


Host-based IDS: Tripwire

- Tripwire is a host-based IDS for monitoring hosts across Windows, Linux, Solaris, AIX and HP-UX platforms
- It provides real-time detection of anomalies, changes, and threat indicators
- It ensures the integrity of critical system files and directories

http://www.tripwire.com

Tripwire helps ensure the integrity of critical system files and directories by identifying all changes made to them. Its configuration options include alerts by email when particular files are altered and automated integrity checking via a cron job. Using Tripwire for intrusion detection and damage assessment helps you keep track of system changes, and it can speed recovery from a break-in by reducing the number of files you must restore to repair the system. Tripwire compares files and directories against a baseline database of file locations, modification dates and other attributes. It generates the baseline by taking a snapshot of the specified files and directories while the system is in a known secure state (for maximum security, install Tripwire and create the baseline before the system is exposed to intrusion, ideally before it is connected to the network). After creating the baseline database, Tripwire compares the current system to the baseline and reports any modifications, additions or deletions.

Source: http://www.tripwire.com
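The baseline-and-compare model that both the OSSEC file integrity checking feature and Tripwire are described as using above, written out in PowerShell. This is an added example, not OSSEC or Tripwire code, and it does not use their databases or rule formats; the monitored paths and the baseline location are assumptions for the example.

```powershell
# Added example (not OSSEC or Tripwire code): file integrity monitoring by
# snapshotting a baseline and comparing the live file system against it.
# Monitored paths and the baseline location are assumptions for the example.

$MonitoredPaths = 'C:\Windows\System32\drivers\etc', 'C:\inetpub\wwwroot'   # assumed
$BaselineFile   = 'D:\fim\baseline.json'   # assumed; kept outside the monitored paths

# Snapshot one file: content hash plus the metadata an intruder often alters.
function Get-FileSnapshot([System.IO.FileInfo]$File) {
    $hash = Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path  = $File.FullName
        Hash  = if ($hash) { $hash.Hash } else { 'UNREADABLE' }
        Size  = $File.Length
        Mtime = $File.LastWriteTimeUtc.ToString('o')
        Owner = (Get-Acl -Path $File.FullName).Owner
    }
}

function Get-TreeSnapshot([string[]]$Path) {
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-FileSnapshot $_ }
}

# Create the baseline while the system is in a known good state. The JSON file
# must itself be protected (read-only here, and copied off-host), otherwise an
# intruder simply rewrites it after changing the files.
function New-IntegrityBaseline([string[]]$Path, [string]$OutFile) {
    $snap = @(Get-TreeSnapshot -Path $Path)
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    $snap | ConvertTo-Json -Depth 3 | Set-Content -Path $OutFile -Encoding UTF8
    Set-ItemProperty -Path $OutFile -Name IsReadOnly -Value $true
    $snap.Count
}

# Compare the live tree with the baseline and report what Tripwire would:
# additions, deletions and modifications (content, owner or timestamp).
function Compare-IntegrityBaseline([string[]]$Path, [string]$BaselineFile) {
    $old = @{}
    foreach ($e in @(Get-Content -Raw -Path $BaselineFile | ConvertFrom-Json)) { $old[$e.Path] = $e }
    $new = @{}
    foreach ($e in Get-TreeSnapshot -Path $Path) { $new[$e.Path] = $e }

    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'Added'; Path = $p; Detail = '' }
        } elseif ($old[$p].Hash -ne $new[$p].Hash) {
            [pscustomobject]@{ Change = 'Modified'; Path = $p; Detail = "hash $($old[$p].Hash) -> $($new[$p].Hash)" }
        } elseif ($old[$p].Owner -ne $new[$p].Owner) {
            [pscustomobject]@{ Change = 'OwnerChanged'; Path = $p; Detail = "$($old[$p].Owner) -> $($new[$p].Owner)" }
        } elseif ($old[$p].Mtime -ne $new[$p].Mtime) {
            # Same content, different timestamp: the file was rewritten or its clock reset.
            [pscustomobject]@{ Change = 'TimestampChanged'; Path = $p; Detail = "$($old[$p].Mtime) -> $($new[$p].Mtime)" }
        }
    }
    foreach ($p in $old.Keys) {
        if (-not $new.ContainsKey($p)) { [pscustomobject]@{ Change = 'Removed'; Path = $p; Detail = '' } }
    }
}

# First run builds the baseline; later runs (a scheduled task, the equivalent
# of Tripwire's cron job) compare and alert on any output.
if (-not (Test-Path $BaselineFile)) {
    "Baseline written with {0} files" -f (New-IntegrityBaseline -Path $MonitoredPaths -OutFile $BaselineFile)
} else {
    $changes = @(Compare-IntegrityBaseline -Path $MonitoredPaths -BaselineFile $BaselineFile)
    if ($changes.Count -eq 0) { 'No integrity changes' } else { $changes | Format-Table -AutoSize }
}
```

Two points carry over to the real tools: the baseline is only as trustworthy as the state of the host when it was taken, and the baseline store is itself a target, which is why OSSEC keeps it on the manager and Tripwire signs its database. A production agent also watches permissions, the registry and file creation in near real time rather than on a schedule.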


File System Security: Setting Access Controls and Permissions

Use Access Control Lists (ACLs) and permissions to control access to files and folders:

- Access Control Entry (ACE): Allows or denies access to a file or directory for a user or a group of users
- Access Control List (ACL): A collection of ACEs governing access to a specific file or directory
- Permissions: Access control on a specific file or folder is achieved by enforcing certain permissions on it. There are two types of permissions:
  1. NTFS permissions (security permissions)
  2. Share permissions

Access controls give users, groups and computers the authority to access files and folders on the computer. When a user or an application logs on, it presents its credentials to the operating system; once they are verified, the operating system creates an access token that carries the user's security identifier (SID), the SIDs of the groups the user belongs to and the user's privileges, and every process started by that user carries a copy of the token. When the user or an application later requests access to an object, the operating system compares the details in the access token with the Access Control Entries (ACEs) in the object's ACL before permitting or refusing the access. Which operations an ACE can permit or block depends on the type of object. For example, the permissions that ACEs can grant on a printer are Print, Manage this printer and Manage documents. An object's ACL is the combination of its ACEs.

Access Control Principles:

- Grant users or user groups the least access to objects that still allows them to perform the functions they need.
- The owner of an object is normally the account that created it (an administrator can take ownership).
- Proper permissions are set up for files and folders while the operating system is installed. Raise the level of permissions from least privilege to the required level during installation itself, rather than loosening them later.
- The files and other documents inside a folder can inherit the permissions assigned to that folder.


- Appropriate tools (the Security tab in Explorer, icacls, or PowerShell's Get-Acl and Set-Acl) help in managing the permissions of any folder.
- Event Viewer helps in viewing the security log entries associated with access to any audited object.

Access Control Entries: An ACL can have zero or more ACEs, each of which grants, denies or audits access to an object for one trustee. Overall there are six types of ACE: all securable objects support three generic types, and directory service objects additionally support three object-specific types.

The three generic types of ACE are:

- Access-denied ACE: Used in the discretionary access control list (DACL) to deny access to a trustee.
- Access-allowed ACE: Used in the DACL to allow access to a trustee.
- System-audit ACE: Used in the system access control list (SACL) to write an audit log entry each time a trustee attempts to access the object.

The three object-specific types are:

- Access-denied, object-specific: Used in the DACL to deny access to a property or property set. It can also limit inheritance to a specified type of child object.
- Access-allowed, object-specific: Used in the DACL to allow access to a property or property set. It can also limit inheritance to a specified type of child object.
- System-audit, object-specific: Used in the SACL to write an audit log entry when a trustee attempts to access a property, property set or specified child object type.

The object-specific types and the generic types differ only in their finer control of inheritance and of which properties they cover.

Access Control Lists: An access control list is a table that describes in detail the access rights users have to an object. Every securable object has an access control list containing the rights and privileges of users and groups for that object. Each operating system has its own ACL format. An ACL holds one or more ACEs, each identifying a trustee and the access it is granted, denied or audited for.

Permissions: Each container or object has a security descriptor attached to it. The security descriptor holds a detailed description of the access rights of users and is created along with the container or object. An ACE represents one permission granted to a user or user group, and the whole set of permissions is contained in an access control list (ACL). There are two types of permissions:

- Explicit permission: Permissions set directly on an object, either by default when it is created or by its owner or an administrator.
- Inherited permission: Permissions propagated from the parent object to the child object.


For example, the files and subfolders inside a folder can inherit the permissions applicable to that parent folder. Here, the parent folder has explicit permissions, whereas the files and folders inside it have inherited permissions.

There are two sets of permission entries controlling access to a folder on a file server:

- Share permissions on a folder: Used for files and folders shared across the network with many user accounts. The permissions can be allowed or denied per user or group. The share permissions are Full Control, Change and Read.
- NTFS permissions on a folder: Control access both over the network and on the local computer. The most commonly used NTFS permissions are Full Control, Modify, Read & Execute, Read and Write.

The two sets are independent of each other. When a folder is accessed over the network, both are evaluated and the more restrictive of the two determines the effective access; when it is accessed locally, only the NTFS permissions apply.
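The three generic ACE types (access-allowed, access-denied and system-audit), explicit versus inherited permissions, and the token-against-ACE comparison, worked through on one NTFS folder. This is an added example, not code from the CND courseware; the folder path, the two domain groups and the file name are assumptions for the example.

```powershell
# Added example (not CND courseware code): the three generic ACE types
# (allow, deny, audit), explicit versus inherited permissions, on one folder.
# Run elevated; writing the SACL also needs the "Manage auditing and security
# log" privilege. Folder path and group names are assumptions.
#Requires -RunAsAdministrator

$Folder   = 'D:\Research'               # assumed
$Analysts = 'CORP\Research-Analysts'    # assumed domain group
$Contract = 'CORP\Contractors'          # assumed domain group
$Inherit  = 'ContainerInherit, ObjectInherit'

# Show every ACE in the DACL with the fields discussed in the text.
function Get-Aces([string]$Path) {
    (Get-Acl -Path $Path).Access | Select-Object IdentityReference, AccessControlType,
        FileSystemRights, IsInherited, InheritanceFlags, PropagationFlags
}

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# 1. Break inheritance from the parent but keep copies of the inherited ACEs
#    as explicit ones, so the folder does not become inaccessible. Write the
#    change and re-read the ACL so the copies show up as explicit entries.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Folder -AclObject $acl
$acl = Get-Acl -Path $Folder

# 2. Remove the broad BUILTIN\Users ACE that was copied from the volume root.
$acl.Access | Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' } |
    ForEach-Object { $acl.RemoveAccessRuleAll($_) }

# 3. Explicit access-allowed ACE: analysts get Modify, inherited by children.
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Analysts, 'Modify', $Inherit, 'None', 'Allow')
$acl.AddAccessRule($allow)

# 4. Explicit access-denied ACE: contractors may never delete. Deny ACEs are
#    evaluated before allow ACEs, so this wins even for a contractor who is
#    also a member of the analysts group.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Contract, 'Delete, DeleteSubdirectoriesAndFiles', $Inherit, 'None', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $Folder -AclObject $acl

# 5. System-audit ACE in the SACL: log failed attempts by anyone to delete,
#    change permissions or take ownership. Entries reach the Security log only
#    if the "Audit File System" subcategory (Object Access) is enabled.
$sacl  = Get-Acl -Path $Folder -Audit
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Delete, ChangePermissions, TakeOwnership', $Inherit, 'None', 'Failure')
$sacl.AddAuditRule($audit)
Set-Acl -Path $Folder -AclObject $sacl

# 6. Inheritance in action: a new file below the folder carries the same ACEs
#    flagged IsInherited = True, while the folder's own ACEs are explicit.
$file = Join-Path $Folder 'notes.txt'
Set-Content -Path $file -Value 'constructed sample file'
'--- folder (explicit ACEs) ---'; Get-Aces $Folder | Format-Table -AutoSize
'--- file (inherited ACEs) ---';  Get-Aces $file   | Format-Table -AutoSize
```

The deny ACE in step 4 is where the token comparison becomes visible: a contractor's token carries both group SIDs, the deny entry matches first, and the delete is refused although an allow entry for Modify also matches. Re-run Get-Aces after editing permissions through the Security tab to confirm the GUI did what was intended.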


File System Security: Setting Access Controls and Permissions to Files and Folders

Applying NTFS permissions

Typical file permissions allowed on an NTFS file system are Full Control, Modify, Read & Execute, Read and Write. Each of these permissions is a logical group of special permissions. The special permissions associated with each NTFS file permission (x = included):

Special permission              Full Control  Modify  Read & Execute  Read  Write
Traverse Folder/Execute File         x          x          x
List Folder/Read Data                x          x          x          x
Read Attributes                      x          x          x          x
Read Extended Attributes             x          x          x          x
Create Files/Write Data              x          x                             x
Create Folders/Append Data           x          x                             x
Write Attributes                     x          x                             x
Write Extended Attributes            x          x                             x
Delete Subfolders and Files          x
Delete                               x          x
Read Permissions                     x          x          x          x       x
Change Permissions                   x
Take Ownership                       x
Synchronize                          x          x          x          x       x

Source: https://technet.microsoft.com

File System Security: Setting Access Controls and Permissions to Files and Folders (Cont'd)

Typical folder permissions allowed on an NTFS file system are Full Control, Modify, Read & Execute, List Folder Contents, Read and Write. Each of these permissions is a logical group of special permissions. The special permissions associated with each NTFS folder permission (x = included):

Special permission              Full Control  Modify  Read & Execute  List Folder Contents  Read  Write
Traverse Folder/Execute File         x          x          x                 x
List Folder/Read Data                x          x          x                 x             x
Read Attributes                      x          x          x                 x             x
Read Extended Attributes             x          x          x                 x             x
Create Files/Write Data              x          x                                                 x
Create Folders/Append Data           x          x                                                 x
Write Attributes                     x          x                                                 x
Write Extended Attributes            x          x                                                 x
Delete Subfolders and Files          x
Delete                               x          x
Read Permissions                     x          x          x                 x             x      x
Change Permissions                   x
Take Ownership                       x
Synchronize                          x          x          x                 x             x      x

Source: https://technet.microsoft.com


File System Security: Setting Access Controls and Permissions to Files and Folders (Cont'd)

To set, view, edit or remove special permissions:

1. Go to the specific file or folder on which you want to set special permissions
2. Right-click the file or folder, click Properties, and then click the Security tab
3. Select the group or user name (for example Authenticated Users, SYSTEM, Administrators or Users) and click Edit to change the Allow/Deny permissions (Full control, Modify, Read & execute, List folder contents, Read, Write), or click Advanced to set the special permissions

[Figure: the Properties dialog for a folder (object name D:\CND new\Research) with the Security tab showing the group or user names and the Allow/Deny permission check boxes for Authenticated Users.]

Applying Share Permissions

Share permissions are applied when you need to provide access to a shared folder over the network. With share permissions you can restrict who may reach the shared folder:

1. Go to the specific folder on which you want to set share permissions
2. Right-click the folder and click the Share with option
3. In the File Sharing dialog ("Choose people to share with"), type a name and click Add, then select the specific user or group to whom you want to assign share permissions, such as Read or Read/Write, and click Share

[Figure: the File Sharing dialog listing Administrator (Owner, Read/Write) and Administrators, with the permission level drop-down and the Share button.]

Note: Use NTFS permissions in addition to share permissions to apply finer restrictions to shared folders.

Applying Share Permissions to Folders: Shared folders can be accessed over the network. Only users who have been granted access permission to a particular folder can reach it over the network. Shared folders can contain personal information, applications, etc., so the share permissions to configure depend on the type of data contained in the folder.

The principles involved in a shared folder are as follows:

- Shared folder permissions apply to the folder as a whole, not to individual files inside it.
- Share permissions are not evaluated for users who open the folder locally on the system where it is stored; they apply only to users who access the folder over the network, where the NTFS permissions are evaluated as well.


Creating and Securing a Windows File Share

Creating a New File Share

Go to Computer Management:

1. Expand System Tools, right-click Shares (under Shared Folders) and click New Share
2. In the Create A Shared Folder Wizard, browse to the folder that you want to share (click Make New Folder to add a new one)
3. Enter the [Share Name]
4. On the Shared Folder Permissions page, select Customize permissions and click Custom to customize the share folder permissions
5. Add the correct Active Directory user(s) and/or group(s)

[Figure: the Browse For Folder dialog and the Create A Shared Folder Wizard pages for folder path, share name and shared folder permissions.]
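The five wizard steps above, done with the SmbShare module on the file server, with NTFS and share permissions set together so that the more restrictive of the two yields the intended access. This is an added example, not code from the CND courseware; the path, share name and the two Active Directory groups are assumptions for the example.

```powershell
# Added example (not CND courseware code): the New Share wizard steps above
# done with the SmbShare module, with NTFS and share permissions set so that
# the more restrictive of the two gives the intended access. Run elevated on
# the file server. Path, share name and group names are assumptions.
#Requires -RunAsAdministrator

$Path      = 'D:\Shares\Research'          # assumed (wizard step 2)
$ShareName = 'Research'                    # assumed (wizard step 3)
$Analysts  = 'CORP\Research-Analysts'      # assumed AD group (wizard step 5)
$Auditors  = 'CORP\Auditors'               # assumed AD group (wizard step 5)
$Inherit   = 'ContainerInherit, ObjectInherit'

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS permissions apply locally and over the network, so they are the real
# boundary. Break inheritance and grant only explicit ACEs.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($entry in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = $Analysts;                Rights = 'Modify' },
        @{ Id = $Auditors;                Rights = 'ReadAndExecute' })) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $Inherit, 'None', 'Allow')))
}
Set-Acl -Path $Path -AclObject $acl

# Share permissions (wizard step 4, "Customize permissions"): no Everyone
# entry; analysts get Change, auditors Read. Access-based enumeration hides
# what a user cannot open, and EncryptData protects the data on the wire.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name $ShareName -Force
}
New-SmbShare -Name $ShareName -Path $Path `
    -FullAccess 'BUILTIN\Administrators' -ChangeAccess $Analysts -ReadAccess $Auditors `
    -FolderEnumerationMode AccessBased -EncryptData $true | Out-Null

# Verify both layers. Over the network the effective access is the more
# restrictive of the two: auditors hold Read on the share and ReadAndExecute
# on NTFS, so they can open files but never write; analysts hold Change on the
# share and Modify on NTFS, so they can edit but not change permissions.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

The wizard's Customize permissions page corresponds to the -FullAccess, -ChangeAccess and -ReadAccess parameters; later adjustments to the share layer use Grant-SmbShareAccess and Revoke-SmbShareAccess without touching the NTFS ACL. Granting groups rather than individual users on both layers keeps the share in line with the "assign rights to groups" rule from the authentication section.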
