

TELECOMMUNICATIONS AND NETWORK SECURITY


TCP/IP IPSec VPN.


A. IP IP
A.1 OSI TCP/IP
A.2 IP
A.3

B.
B.1
B.2
B.3
B.4

C. VPN TLS/SSL VLAN


C.1
C.2
C.3
C.4

POTS, PBX, VoIP

D. DDoS

OSI
TCP/IP
LAN WAN MAN

Internet


FTP, Telnet, HTTP, SNMP, SMTP, DNS



OSI


ASCII, MPEG, TIFF, GIF, JPEG


NFS SQL NetBIOS
RPC

TCP

MAC


PPP, HDLC, FR,
Ethernet, Token Ring, FDDI


LLC Logical Link Control
IEEE 802.2


MAC Media Access Control
IEEE 802.3
ROM
48


100BaseT, OC-3, OC-12, DS1, DS3, E1, E3

OSI

FTP
TFTP
SNMP
SMTP
Telnet
HTTP

ASCII
EBCDIC
TIFF
JPEG
MPEG
MIDI

NFS
NetBIOS
SQL
RPC

OSI

TCP
UDP
SSL / TLS
SPX

Internet IP
Internet ICMP
Internet IGMP
RIP
OSPF
Novell IPX

ARP L2F
L2TP
RARP FDDI ISDN
PPP
Internet SLIP

HSSI
X.21
EIA/TIA-232 EIA/TIA-449

TCP/IP
ARPANET
Application Layer HTML FTP SMTP
Transport Layer TCP UDP

Internet Layer IP ICMP IGMP


Data-Link Layer Ethernet
Token Ring X.25 Frame Relay

Physical Layer

TCP
Transmission Control Protocol TCP
Stream IP
Sequence Number 32 TCP

Acknowledgement Number
TCP Control Flags SYN ACK FIN
Flow Control Buffer Window
Size 0 TCP

TCP
Round-Trip
Time RTT

UDP
User Datagram Protocol
UDP TCP
Connectionless
Unix Network File System NFS

TCP/UDP

TCP

UDP
ACK


ACK

UDP

TCP

TCP

1 TCP

IP
IP Address
IPv4 32 IPv6 128
IP Network Address Host Address A B C 8 16
24
Classless Inter-Domain Routing CIDR

Fragmentation

Time Out
IP Time-To-Live TTL
0

IP
IP
IP
ICMP
TCP
IP

IP
Internet datagram
Internet

TCP UDP ICMP IGMP IP

IP

A 0.0.0.0-127.255.255.255

B 128.0.0.0-191.255.255.255

C 192.0.0.0-223.255.255.255

D 224.0.0.0-239.255.255.255

E 240.0.0.0-255.255.255.255

Analog Communications
Analog Signal

Digital Communications
Digital Signal

Synchronous Communications

Asynchronous Communications
Bit

Baseband Communications

Broadband Communications

CATV


Network Topologies

Bus
Ring
Star
Tree
Mesh

Ring

active topology

/IEEE 802.5 FDDI

Bus
daisy-chain
segment
contention
passive technology

Star
10BASE-T

Tree Mesh

FDDI

Internet

CSMA/CD

IEEE 802.3


Token Ring
IEEE 802.5

4Mbps
16Mbps

FDDI Fiber Distributed Data Interface

100Mbps
LAN/MAN


LAN

FDDI

IEEE

802.3

CSMA/CD

10Mbps~1Gbps

802.5

4~16Mbps

802.8

100Mbps

CDDI UTP


Coaxial Cable

thin-net 10BASE-2 200 185

thick-net 10BASE-5 500


5-4-3 4 5 3

EMI

Twisted Pair
STP UTP
unshielded twisted pair UTP 4
3 10BASE-T 5 100BASE-TX
UTP 100 station 4

UTP EMI


Fiber-Optic Cable
multi-mode

single-mode

wireless media


Unicast

Broadcast

Multicast

(IGMP) TCP/IP


Polling

mainframe
Token Passing


Carrier-Sense Multiple Access CSMA

Carrier-Sense Multiple Access with Collision Detection CSMA/CD

IEEE 802.3

Carrier-Sense Multiple Access with Collision Avoidance CSMA/CA
IEEE 802.11b


CSMA/CD

MAC 0xFFFFFFFFFF

LAN
Address Resolution Protocol ARP IP
Media Access Control MAC
ARP Cache MAC
IP
IP MAC

ARP Reverse ARP RARP


RARP
Diskless IP

LAN
DHCP
UDP

DHCP
DHCP

DHCPDISCOVER- DHCP

DHCP

DHCP

DHCPOFFER-DHCP
IP
DHCPREQUEST-
DHCPACK-DHCP
IP

LAN
Internet Control Message Protocol
ICMP IP
Errors

Congestion Source Quench Messages
Troubleshooting Echo Ping

Timeouts TTL 0
Traceroute



(RIP)
RIP
RIP

(OSPF)

(IGRP)
Cisco
IGRP
90 3 270
7
630 Cisco IOS


Repeater

Hub

Bridge
LAN LAN

MAC

LAN

RIP BGP OSPF

OSI

MAC

IP

MAC

IP


Switch

Virtual Local Area Network VLAN

VLAN

VLAN

VLAN
fabric

VLAN subnet
VLAN
VLAN
VLAN
VLAN

OSI

MAC

LAN
IP

VLAN


Firewall

Desktop Firewall


Packet filtering
OSI Reference Model
Network Layer TCP/IP IP
Packet Header

IPv4


Stateful Inspection
OSI TCP/IP

State Table


Application proxy
OSI TCP/IP
Application Layer
Relay
Direct Routing


Circuit-level Gateways
OSI Session Layer TCP/IP TCP
TCP Relay Direct Routing
IP

Packet-filtering routers
Dual homed host firewall
Screened host
Screened subnet

boundary perimeter

IP IP forwarding

Bastion Host

Demilitarized Zone
DMZ

OSI

ACL


DNS

IP
DNS Cache

X.500
LDAP

LDAP
/ X.500


Network Address Translation NAT

NAT
NAT
NAT
NAT

NAT IP

IPSec NAT NAT

NAT


LAN LAN LAN WAN Internet


WAN

WAN

WAN

SVC PVC

X.25

SVC PVC

SMDS

ATM

53

SDLC

HDLC

SDLC

HSSI

DTE/DCE WAN

VoIP

IP

Leased Lines T

T1 1.544Mbps Time Division


24 64Kbps
T2 6.312Mbps 96 64Kbps
T3 44.736Mbps 672 64Kbps
T4 274.176Mbps 4032 64Kbps

circuit-switched

connection

asynchronous serial connection modem ISDN

packet-switched connection
packet

frame relay X.25


56Kbps 2.048Mbps


Virtual Circuit

Switched Virtual Circuit SVC

Permanent Virtual Circuit PVC


Asynchronous Transfer Mode ATM
53

ATM SONET T3 E3


QoS Quality of Service

QoS

QoS
Best-effort Service
Integrated Service
Differentiated Service

VoIP4
IP

H.323

SIP VoIP
UAC
UAS

SIP

SIP

SIP

VoIP
TCP/IP

SIP
DoS


Network mapping ICMP SYN

Operating system fingerprinting

Port scanning


Vulnerability scanning tools

Security Administrator Tool for Analyzing Networks (SATAN)
Nessus
Internet Security Scanner (ISS)
Retina


Sniffers Network analyzer Protocol analyzer

Promiscuous mode


Session hijacking

IP IP spoofing

Man-in-the-middle

Mutual authentication
IPSec


DoS
CPU


Reflector attacks IP echo
UDP DNS


Amplifier attacks
IP ICMP UDP

smurf
ICMP


Distributed Denial-Of-Service
DDoS
agents

SYN
SYN Synfloods

TCP

IP


Modem Dial-up
Dial-on-Demand Routing
DDR
Dial Backup


Integrated Services Digital Network
ISDN
Private Line

Basic Rate Interface BRI 2B+D


2 64Kbps 1 16Kbps
Primary Rate Interface PRI 23B+D 23 64Kbps 1 64Kbps

Digital Subscriber Line DSL



Asymmetric Digital Subscriber Line ADSL DSL


(Cable Modem)

VPN

PPP

IP
IP

VPN
PPTP

IP X.25 ATM
L2TP
IP IPSec

VPN

PPTP

IP

L2F

Cisco L2TP
PPTP L2TP

L2TP

L2F PPTP

IPSec

IPSec

IP

VPN

PAP
PPP

CHAP
/


1G

2G

4G

2GHz

40GHz
60GHz

CDMA

OFDM

900MHz

FDMA TDMA

ID

IPv6

114.4Kbps

2Mbps

100Mbps

2.4Kbps

9.6Kbps

64Kbps

1980-1994

1800MHz

3G

RS232 IEEE 802.11

1995-2001

2006-2010

2002-2005

(Frequency-Hopping Spread Spectrum FHSS):



(Direct Sequence Spread Spectrum DSSS) 1 0 10 Chips 1 0

WLAN
Infrastructure Networking Model Access Point AP Basic Service Set BSS
Service Set Identifier SSID
BSS
AP Beacon Frame
SSID SSID
Authentication
Open Authentication Mode
Shared Secret Mode

WLAN
Encryption
Wired Equivalent Privacy WEP
24
Initialization Vector IV 64 40 IV

MAC MAC Address Checking


MAC AP MAC
MAC
SSID
WEP

WLAN
WEP Dynamic WEP keys

802.11i
WEP
Robust Security Network RSN
802.1x
Extensible Authentication Protocol EAP AES

WLAN

War Driving
GPS

War walking

Warchalking

RootKit

Rootkit Rootkit

CSMA/CD
CSU/DSU
TCP/IP
FIFO

Which of the following access methods is used by Ethernet?

CSMA/CD.
CSU/DSU.
TCP/IP.
FIFO.



TCP

TCP
TCP
TCP
TCP

What is the proper term to refer to a single unit of TCP data at the transport layer?

TCP segment.
TCP datagram.
TCP frame.
TCP packet.

Which of the following is not a common function of a firewall?
Log Internet activity
Enforce organization's security policy
Protect against viruses
Limit security exposures

Which of the following is true about link encryption?
Each entity has a common key with the destination node.
Encrypted messages are only decrypted by the final node.
This mode does not provide protection if the nodes along the transmission path can be compromised.
Only secure nodes are used in this type of transmission.



IDS


DMZ

DMZ

DMZ

If an organization were to deploy only one Intrusion Detection System (IDS) sensor to protect its information system from the Internet:
It should be host-based and installed on the most critical system in the DMZ, between the external router and the firewall.
It should be network-based and installed in the DMZ, between the external router and the firewall.
It should be network-based and installed between the firewall to the DMZ and the intranet.
It should be host-based and installed between the external router and the Internet.
