CompTIA Network+
Network+ Flashcards
837
Computer Networking
Not Applicable
12/26/2023

Cards

Term
nodes
Definition
devices that send, receive, and forward data
Term
links
Definition
the communications pathways between nodes.
Term
physical layer (PHY)
(layer 1)
Definition
responsible for the transmission and receipt of the signals that represent bits of data from one node to another node. Different types of transmission media can be classified as cabled or wireless.
Term
Physical topology
Definition
The layout of nodes and links as established by the transmission media. An area of a larger network is called a segment. A network is typically divided into segments to cope with the physical restrictions of the network media used, to improve performance, or to improve security. At the Physical layer, a segment is where all the nodes share access to the same media.
Term
Physical interface
Definition
Mechanical specifications for the network medium, such as cable specifications, the medium connector and pin-out details (the number and functions of the various pins in a network connector), or radio transceiver specifications.
Term
Transceiver
(Physical layer)
Definition
The part of a network interface that sends and receives signals over the network media.
Term
Repeater
(Physical layer)
Definition
A device that amplifies an electronic signal to extend the maximum allowable distance for a media type.
Term
Hub
(Physical layer)
Definition
A multiport repeater, deployed as the central point of connection for nodes.
Term
Media converter
(Physical layer)
Definition
A device that converts one media signaling type to another.
Term
Modem
(Physical layer)
Definition
A device that performs some type of signal modulation and demodulation, such as sending digital data over an analog line.
Term
data link layer (layer 2)
Definition
responsible for transferring data between nodes on the same logical segment. At the Data Link layer, a segment is one where all nodes can send traffic to one another using hardware addresses, regardless of whether they share access to the same media. A layer 2 segment might include multiple physical segments. This is referred to as a logical topology.
Term
Network adapter or network interface card (NICs)
(data link layer)
Definition
A NIC joins an end system host to network media (cabling or wireless) and enables it to communicate over the network by assembling and disassembling frames.
Term
Bridge (data link layer)
Definition
A bridge is a type of intermediate system that joins physical network segments while minimizing the performance reduction of having more nodes on the same network. A bridge has multiple ports, each of which functions as a network interface.

Analyzes source MAC addresses and makes intelligent forwarding decisions based on the destination MAC in the frames.
Term
Switch (data link layer)
Definition
An advanced type of bridge with many ports. A switch creates links between large numbers of nodes more efficiently. Increases scalability of a network by creating multiple collision domains. 
Switches make forwarding decisions just like a bridge.
Term
Wireless access point (AP) (data link layer)
Definition
An AP allows nodes with wireless network cards to communicate and creates a bridge between wireless networks and wired ones.
Term
network layer (layer 3)
Definition
responsible for moving data around a network of networks, known as an internetwork or the Internet. The network layer moves information around an internetwork by using logical network and host IDs. The networks are often heterogeneous; that is, they use a variety of physical layer media and data link protocols. The main appliance working at layer 3 is the router.
Term
transport layer (layer 4)
Definition
One of the functions of the transport layer is to identify each type of network application by assigning it a port number.
Term
session layer (layer 5)
Definition
represents functions that administer the process of establishing a dialog, managing data transfer, and then ending (or tearing down) the session.
Term
presentation layer (layer 6)
Definition
transforms data between the format required for the network and the format required for the application. The presentation layer can also be conceived as supporting data compression and encryption.
Term
application layer (layer 7)
Definition
An application-layer protocol doesn't encapsulate any other protocols or provide services to any protocol. Application-layer protocols provide an interface for software programs on network hosts that have established a communications channel through the lower-level protocols to exchange data.
Term
local area network (LAN)
Definition
A network in a single location is often described as a local area network (LAN).This definition encompasses many different sizes of networks with widely varying functions and capabilities. It can include both residential networks with a couple of computers, and enterprise networks with hundreds of servers and thousands of workstations.
Term
Small office/home office (SOHO)
Definition
is a category of LAN with a small number of computing hosts that typically rely on a single integrated appliance for local and Internet connectivity.
Term
wide area networks (WANs).
Definition
Networks that span different geographic regions and are joined by shared links, such as the Internet, are called wide area networks (WANs).
Term
intermediate system
infrastructure node
Definition
A node that provides only a forwarding function is referred to as an intermediate system or infrastructure node.
Term
customer premises equipment (CPE)
Definition
this is any termination and routing equipment placed at the customer site. Some of this equipment may be owned or leased from the telecommunications company (or telco); some may be owned by the customer.
Term
demarcation point (demarc)
Definition
The point at which the telco's cabling enters the customer premises is referred to as the demarcation point (often shortened to demarc).
Term
Internet Assigned Numbers Authority (IANA) (iana.org)
Definition
manages allocation of IP addresses and maintenance of the top-level domain space. IANA is currently run by Internet Corporation for Assigned Names and Numbers (ICANN). IANA allocates addresses to regional registries who then allocate them to local registries or ISPs.
Term
Internet Engineering Task Force (IETF)
Definition
focuses on solutions to Internet problems and the adoption of new standards, published as Requests for Comments (RFCs).
Term
HEXADECIMAL NOTATION
Definition
a convenient way of referring to the long sequences of bytes used in some other types of network addresses. Hex is base 16 with the possible values of each digit represented by the numerals 0 through 9 and the characters A, B, C, D, E, and F.
Term
Principal Functions of a Network Protocol?
Definition
Addressing & Encapsulation
Term
Copper Cable
Definition
There are two main types of copper cable: twisted pair and coaxial (coax).

Copper cable is used to transmit electrical signals
Term
Fiber Optic Cable
Definition
Fiber optic cable carries very high frequency radiation in the infrared light part of the electromagnetic spectrum. The light signals are also not susceptible to interference or noise from other sources and less affected by attenuation.Consequently, fiber optic cable supports higher bandwidth over longer links than copper cable.
Term
xBASE-y
Definition
Ethernet media specifications are named in three parts:
- x: the bit rate in megabits per second (Mbps) or gigabits per second (Gbps).
- BASE: the signal mode (baseband or broadband). All mainstream types of Ethernet use baseband transmission, so you will only see specifications of the form xBASE-y.
- y: a designator for the media type (for example, T for twisted pair, SR or LR for short- or long-reach fiber).
Term
Institute of Electrical and Electronics Engineers (IEEE) 802.3
Definition
ETHERNET STANDARDS
Term
Media access control (MAC)
Definition
refers to the methods a network technology uses to determine when nodes can communicate on shared media and to deal with possible problems, such as two devices attempting to communicate simultaneously.
Term
Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
Definition
The media access method used by half-duplex Ethernet. Carrier sensing defers transmission until no other station is transmitting, which reduces (but cannot eliminate) collisions. A collision is the state when a signal is present on an interface's transmit and receive lines simultaneously. On detecting a collision, the node broadcasts a jam signal. Each node that was attempting to use the media then waits for a random period (backoff) before attempting to transmit again.

Term
100BASE-TX
Definition
refers to Fast Ethernet working over Cat 5 (or better) twisted pair copper cable with a maximum supported link length of 100 meters (328 feet).
Term
10GBASE-T
Definition
UTP (Cat 6) - 55 m (180 feet)
F/UTP (Cat 6A) - 100 m (328 feet)
S/FTP (Cat 7) - 100 m (328 feet)
Term
40GBASE-T
Definition
S/FTP (Cat 8) - 30 m (100 feet)
Term
screened twisted pair (ScTP)
Definition

[image]

Shielded cable is less susceptible to interference and crosstalk. This type of cable is required for some Ethernet standards and may also be a requirement in environments with high levels of interference.

Term
Shielded/Foiled Twisted Pair (S/FTP)
Definition
[image]
Term
Stranded versus solid cable
Definition
The attenuation of stranded cable is higher than that of solid cable.

[image]
Term
Quad small form-factor pluggable (QSFP) 
Definition
is a transceiver form factor that supports 4 x 1 Gbps links, typically aggregated to a single 4 Gbps channel
Term
Enhanced quad small form-factor pluggable (QSFP+)
Definition
Supports 40 GbE by provisioning 4 x 10 Gbps links. QSFP+ is typically used with parallel fiber and multi-fiber push-on (MPO) termination. It can also be used with Wavelength Division Multiplexing (WDM) Ethernet standards.

Term
multi-fiber push-on (MPO) 
Definition
An MPO backbone ribbon cable bundles 12 or more strands with a single compact terminator. The cables are terminated at manufacture and cannot be field terminated.

When used with QSFP+, four strands transmit, four strands receive, and the other four strands are unused, giving a full-duplex 40 Gbps link.
Term
Wavelength Division Multiplexing (WDM)
Definition
is a means of using a strand to transmit and/or receive more than one channel at a time.
Term
Coarse Wavelength Division Multiplexing (CWDM) 
Definition
supports up to 16 wavelengths and is typically used to deploy four or eight bidirectional channels over a single fiber strand. 
Term
Small Form Factor Pluggable (SFP)
Definition
Also known as mini-GBIC, SFP is the compact successor to the Gigabit Interface Converter (GBIC) transceiver form factor.
SFP uses LC connectors and is designed for Gigabit Ethernet. Enhanced SFP (SFP+) is an updated specification to support 10 GbE but still uses the LC form factor. There are different modules to support the various Ethernet standards and fiber mode types (10GBASE-SR versus 10GBASE-LR, for instance). Consequently, a transceiver is designed to support a specific wavelength, and transceivers must be installed as matched pairs at both ends of the link.
Term
hub 
Definition
A hub acts like a multiport repeater so that every port receives transmissions sent from any other port. As a repeater, the hub works only at the Physical layer. Electrically, the network segment still looks like a single length of cable. Consequently, every hub port is part of the same shared media access area and within the same collision domain. All node interfaces are half-duplex, using the CSMA/CD protocol, and the media bandwidth (10 Mbps or 100 Mbps) is shared between all nodes.
Term
medium dependent interface (MDI)
Definition
When Ethernet is wired with a hub, there needs to be a means of distinguishing the interface on an end system (a computing host) from the interface on an intermediate system (the hub). The end system interface is referred to as the medium dependent interface (MDI).
Term
MDI crossover (MDI-X)
Definition
The interface on the hub (or switch) is referred to as MDI crossover (MDI-X). This means that the transmit (Tx) wires on the host connect to the receive (Rx) wires on the hub, so a straight-through cable can be used between them.
Term
bridge
Definition
An Ethernet bridge operates at the data link layer (layer 2) to connect separate physical network segments, allowing them to communicate as part of the same logical network while creating separate collision domains to improve network efficiency.
Term
Media Access Control (MAC) address
Definition

Each Ethernet network interface port has a unique hardware address known as the Media Access Control (MAC) address. This may also be referred to as the Ethernet address (EA) or, in IEEE terminology, as the extended unique identifier (EUI) . A MAC address is also referred to as a local or physical address.

Term
frame 
Definition
In the OSI model of computer networking, a frame is the protocol data unit at the data link layer.
Term
 Ethernet headers
Definition
[image]
Term
Preamble
Definition
The preamble and Start Frame Delimiter (SFD) are used for clock synchronization and as part of the CSMA/CD protocol to identify collisions early. The preamble consists of 7 bytes of alternating 1s and 0s followed by a 1-byte SFD that ends in two consecutive 1s (8 bytes in total). This is not technically considered to be part of the frame and is not counted in its length.
Term
Error Checking
Definition
The error-checking field contains a 32-bit (4-byte) checksum called a Cyclic Redundancy Check (CRC) or Frame Check Sequence (FCS). The CRC is calculated based on the contents of the frame; the receiving node performs the same calculation and, if it matches, accepts the frame. There is no mechanism for retransmission if damage is detected nor is the CRC completely accurate at detecting damage; these are functions of error checking in protocols operating at higher layers.
Term
payload
Definition
the data area of the frame, which contains the information that is being sent or received.
Term
maximum transmission unit (MTU)
Definition
The maximum size of the data payload in a standard Ethernet frame is 1500 bytes. This upper limit on the payload is referred to as the maximum transmission unit (MTU).

Term
Ethernet frame header fields
Definition
A standard Ethernet frame has a maximum length of 1518 bytes, excluding the preamble. Each frame has a header composed of the following fields:
- 6-byte destination MAC address field
- 6-byte source MAC address field
- 2-byte EtherType field (values below 0x0600 are instead an IEEE 802.3 length field)
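The frame layout described in the cards above (preamble and SFD aside), worked as an added example that is not part of the original flashcards or of any vendor's code: it builds a minimal Ethernet II frame from a constructed byte string, parses the 14-byte header, enforces the 64 to 1518 byte length limits and verifies the CRC-32 FCS. The source address (and therefore its OUI) is an illustrative value chosen for the example, not a real vendor assignment.

```python
import binascii
import struct
from dataclasses import dataclass

# Frame size limits from the cards above: 64 bytes minimum and 1518 bytes
# maximum, both counted with the 4-byte FCS and without the preamble/SFD.
MIN_FRAME = 64
MAX_FRAME = 1518
HEADER_LEN = 14          # 6-byte destination + 6-byte source + 2-byte EtherType
FCS_LEN = 4
MIN_PAYLOAD = MIN_FRAME - HEADER_LEN - FCS_LEN   # 46
MAX_PAYLOAD = MAX_FRAME - HEADER_LEN - FCS_LEN   # 1500, the default MTU

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}


@dataclass
class Frame:
    dst: str
    src: str
    ethertype: int
    payload: bytes
    fcs_ok: bool


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def oui(mac: str) -> str:
    """The first three octets (six hex digits) identify the adapter vendor."""
    return mac.upper()[:8]


def is_group_address(mac: str) -> bool:
    """I/G bit (least significant bit of the first octet) set means multicast
    or broadcast; a switch floods such frames rather than looking them up."""
    return int(mac[:2], 16) & 0x01 == 1


def ethertype_name(value: int) -> str:
    # Values below 0x0600 are an IEEE 802.3 length field, not a protocol type.
    if value < 0x0600:
        return f"802.3 length {value}"
    return ETHERTYPES.get(value, f"0x{value:04x}")


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 (same polynomial as zlib) over header + payload,
    transmitted least-significant byte first."""
    return struct.pack("<I", binascii.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    # A real NIC pads short payloads to 46 bytes; do the same here.
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def parse_frame(raw: bytes) -> Frame:
    if not MIN_FRAME <= len(raw) <= MAX_FRAME:
        raise ValueError(f"frame length {len(raw)} outside {MIN_FRAME}..{MAX_FRAME}")
    body, trailer = raw[:-FCS_LEN], raw[-FCS_LEN:]
    dst, src, etype = struct.unpack("!6s6sH", body[:HEADER_LEN])
    # A bad FCS is only reported: there is no layer 2 retransmission, recovery
    # belongs to higher-layer protocols.
    return Frame(mac_str(dst), mac_str(src), etype, body[HEADER_LEN:], trailer == fcs(body))


# Constructed sample, not a real capture: an ARP-typed broadcast from an
# illustrative source address with the minimum 46-byte payload (64 bytes total).
BROADCAST = bytes.fromhex("ffffffffffff")
SAMPLE_SRC = bytes.fromhex("001122334455")
SAMPLE_FRAME = build_frame(BROADCAST, SAMPLE_SRC, 0x0806, b"")

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

Flipping any bit of the payload makes the FCS check fail, and a payload of 1501 bytes is rejected on length before the header is even read, which is the same order of checks a NIC applies (runts and giants are dropped, CRC errors are counted).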

Term
Protocol Analyzer
Packet Sniffer
Definition
This is the tool that allows inspection of traffic received by a host or passing over a network link. A protocol analyzer depends on a packet sniffer, which captures frames moving over the network medium.

Term
Connecting a sniffer, option 1 of 3: SPAN (switched port analyzer)/mirror port
Definition
There are three main options for connecting a sniffer to the appropriate point in the network. With a SPAN or mirror port, the sensor is attached to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports). This method is not completely reliable: frames with errors will not be mirrored, and frames may be dropped under heavy load.

Term
Connecting a sniffer, option 2 of 3: Passive test access point (TAP)
Definition
This is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port. There are types for copper and fiber optic cabling. Unlike a SPAN, no logic decisions are made, so the monitor port receives every frame, corrupt or malformed or not, and the copying is unaffected by load.
Term
Connecting a sniffer, option 3 of 3: Active TAP
Definition
This is a powered device that performs signal regeneration (again, there are copper and fiber variants), which may be necessary in some circumstances. Gigabit signaling over copper wire is too complex for a passive TAP to monitor, and some types of fiber links may be adversely affected by optical splitting. Because it performs an active function, the TAP becomes a point of failure for the link in the event of power loss.

Term
tcpdump
Definition
A command-line packet capture utility for Linux and other Unix-like systems, providing a user interface to the libpcap library.

Term
Wireshark
Definition
Wireshark is an open source graphical packet capture and analysis utility, with installer packages for most operating systems. Having chosen the interfaces to listen on, the output is displayed in a three-pane view, with the top pane showing each frame, the middle pane showing the fields from the currently selected frame, and the bottom pane showing the raw data from the frame in hex and ASCII.
Term
Unmanaged versus managed (Ethernet switches)
Definition
On a SOHO network, switches are more likely to be unmanaged, standalone units that can be added to the network and run without any configuration. The switch functionality might also be built into an Internet router/modem. On a corporate network, switches are most likely to be managed. This means the switch settings can be configured. If a managed switch is left unconfigured, it functions the same as an unmanaged switch does.

Term
Stackable
Definition
Switches that can be connected together and operate as a group. The switch stack can be managed as a single unit.

Term
Modular versus fixed
Definition
A fixed switch comes with a set number of ports that cannot be changed or upgraded. A modular switch has slots for plug-in cards, meaning it can be configured with different numbers and types of ports.
Term
User EXEC mode
(Cisco IOS; the first of its three principal modes)
Definition
This is a read-only mode where commands can be used to report the configuration, show system status, or run basic troubleshooting tools.
Term
Privileged EXEC mode/enable mode
(CISCO IOS)
Definition
This allows the user to reboot or shut down the appliance and to backup and restore the system configuration.
Term
Global configuration mode-
(CISCO IOS)
Definition
This allows the user to write configuration updates.
Term
show config
Definition
Displays the switch's configuration; on IOS this is an older alias for show startup-config.
Term
show startup-config
Definition
Displays the configuration saved in NVRAM, which is loaded when the switch boots. It can differ from the running configuration if changes were made and not saved.
Term
show running-config
Definition
Displays the configuration currently active in memory. If there has been some undocumented change to the switch, comparing the output of show startup-config and show running-config may reveal the source of a problem.

Term
show interface 
Definition
lists the state of all interfaces or the specified interface. Interfaces are identified by type, slot, and port number. For example, GigabitEthernet 0/2 (or G0/2) is port #2 on the first 10/100/1000 slot (or only slot). An interface has a line status (up if a host is connected via a good cable) and a protocol status (up if an Ethernet link is established). Down indicates a fault while administratively down indicates that the port has been purposefully disabled. Show interface will also report configuration details and traffic statistics if the link is up/up.
Term
MAC address table
Definition
A switch learns MAC addresses by reading the source address when a frame is received on a port. The address mapping for that port is normally cached in a MAC address table. The address table is implemented as content addressable memory (CAM), a special type of memory optimized for searching, rather than random access. 
Term
flooding
Definition
If a MAC address cannot be found in the MAC address table, then the switch acts like a hub and transmits the frame out of all the ports, except for the source port. 
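Learning, forwarding and flooding as the MAC address table and flooding cards describe them, written as an added Python model that is not from the flashcards or from any switch vendor. The port names, table capacity, aging time and addresses are constructed for the example. It also models the point a practitioner cares about: CAM has a fixed number of entries, and once an attacker fills it with bogus source addresses (MAC flooding) the switch can no longer learn new hosts and floods their unicast traffic out of every port, which is exactly what a sniffer on the attacker's port wants. Limiting the number of addresses learned per access port (port security) is the usual countermeasure, and the busy_ports check here is the detection side of that.

```python
class LearningSwitch:
    """Model of a layer 2 switch's MAC address table (the CAM).

    Real CAM has a fixed number of entries, so `capacity` is modelled too:
    once the table is full, new source addresses cannot be learned and unicast
    frames to those hosts keep being flooded out of every other port.
    """

    def __init__(self, ports, capacity=8192, max_age=300):
        self.ports = list(ports)
        self.capacity = capacity
        self.max_age = max_age     # seconds; 300 is the usual default aging time
        self.table = {}            # mac -> (port, last_seen)

    @staticmethod
    def _is_group(mac):
        # I/G bit: least significant bit of the first octet (multicast/broadcast).
        return int(mac[:2], 16) & 0x01 == 1

    def _age_out(self, now):
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.max_age]
        for mac in stale:
            del self.table[mac]

    def _learn(self, mac, port, now):
        if mac in self.table or len(self.table) < self.capacity:
            self.table[mac] = (port, now)   # learn, or refresh (the host may have moved)
        # else: table exhausted, the address is silently not learned

    def lookup(self, mac):
        entry = self.table.get(mac)
        return entry[0] if entry else None

    def receive(self, in_port, src, dst, now=0):
        """Return the list of egress ports for a frame arriving on in_port."""
        self._age_out(now)
        self._learn(src, in_port, now)
        if self._is_group(dst) or dst not in self.table:
            return [p for p in self.ports if p != in_port]   # flood, hub-like
        out_port = self.lookup(dst)
        return [] if out_port == in_port else [out_port]     # filter, or forward

    def busy_ports(self, threshold):
        """Ports with at least `threshold` learned addresses: a hub, a
        hypervisor, or a MAC-flooding tool sitting behind an access port."""
        counts = {}
        for port, _ in self.table.values():
            counts[port] = counts.get(port, 0) + 1
        return sorted(p for p, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Constructed scenario: host A on Gi0/1, host B on Gi0/2, an attacker on Gi0/3.
    sw = LearningSwitch(["Gi0/1", "Gi0/2", "Gi0/3"], capacity=4)
    print(sw.receive("Gi0/1", "00:11:22:00:00:01", "00:11:22:00:00:02"))  # unknown: flood
    print(sw.receive("Gi0/2", "00:11:22:00:00:02", "00:11:22:00:00:01"))  # learned: forward
```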
Term
show mac address-table
Definition
You can query the MAC address table of a switch to find the MAC address or addresses associated with a particular port using the show mac address-table command, which can be filtered by interface or by address. A port that has learned far more addresses than the devices expected behind it is worth investigating.

Term
PORT AGGREGATION
Definition
Port aggregation means combining two or more separate cabled links into a single logical channel. From the host end, this can also be called NIC teaming. The term bonding is also widely substituted for aggregation.
Term
Link Aggregation Control Protocol (LACP)
Definition

Port aggregation is often implemented by the Link Aggregation Control Protocol (LACP). LACP can be used to autonegotiate the bonded link between the switch ports and the end system, detect configuration errors, and recover from the failure of one of the physical links.

Term
Port mirroring
Definition
Copies all packets sent to one or more source ports to a mirror (or destination) port. On a Cisco switch, this is referred to as a switched port analyzer (SPAN).

The mirror port would be used by management or monitoring software, such as a packet sniffer, network analyzer, or intrusion detection system (IDS) sensor.

Term
jumbo frame
Definition
A jumbo frame is one that supports a data payload of up to around 9,000 bytes. This reduces the number of frames that need to be transmitted, which can reduce the amount of processing that switches and routers need to do. It also reduces the bandwidth requirement somewhat, as fewer frame headers are being transmitted.

The MTU value in the show interface output will indicate whether jumbo frames are accepted on a particular port.

Term
IEEE 802.3x flow control
Definition
IEEE 802.3x flow control allows a server to instruct the switch to pause traffic temporarily to avoid overwhelming its buffer and causing it to drop frames.

A switch port can be configured to enable or disable (ignore) use of PAUSE frames. The 802.3x global PAUSE mechanism does not distinguish between traffic types, however, which can pose problems with voice/video traffic and infrastructure-critical traffic, such as routing protocol updates. Class of service (CoS) and quality of service (QoS) mechanisms ensure reliable performance for these time-sensitive applications by marking and policing traffic. The updated priority flow control (PFC) mechanism (IEEE 802.1Qbb) allows PAUSE frames to apply to certain traffic classes only.

Term
Power over Ethernet (PoE) 
802.3af 
Definition
Powered devices can draw up to about 13 W over the link. Power is supplied as 350 mA at 48 V and limited to 15.4 W at the switch port, but the voltage drop over the maximum 100 meters of cable results in usable power of around 13 W at the device.
Term
Power over Ethernet (PoE) 
802.3at (PoE+)
Definition
Powered devices can draw up to about 25 W, with a maximum current of 600 mA.
Term
Power over Ethernet (PoE) 
802.3bt (Ultra PoE)-
Definition
Supplies up to about 51 W (Type 3) or 71 W (Type 4) usable power at the powered device; the switch port sources up to 60 W or 90 W respectively to cover cable losses.
Term
STACKABLE SWITCH
Definition

Stackable means that switches can connect together and operate as a group. The sysadmin can manage the switch stack as a single unit.

Term
MODULAR SWITCH
Definition

A modular switch has slots for plug-in cards, meaning a sysadmin can configure them with different numbers and types of ports.

Term
MANAGED SWITCH
Definition

On a corporate network, switches are most likely to be managed. This means the sysadmin can configure the switch settings. If a managed switch is left unconfigured, it functions the same as an unmanaged switch does.

Term
What is the maximum size of a standard Ethernet frame, excluding the preamble?
Definition
The maximum size of an Ethernet frame is normally 1518 bytes, excluding the preamble.

Term
Which of the following is part of the CSMA/CD protocol to identify collisions early?
A. Preamble
B. SFD
Definition
Both. The preamble is used for clock synchronization and, as part of the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) protocol, to identify collisions early.

The Start Frame Delimiter (SFD) is also used for clock synchronization and as part of the CSMA/CD protocol to identify collisions early.

Term
Global Configuration Mode
Definition

Global configuration mode allows the user to write configuration updates. Automated tooling that pushes configuration changes must enter this mode too, so access to it should be controlled and its changes logged.

Term
User EXEC Mode
Definition

User EXEC mode is a read-only mode where commands can report the configuration, show system status, or run basic troubleshooting tools.

Term
Privileged EXEC Mode/Enable Mode
Definition
Privileged EXEC mode (or enable mode) allows the user to reboot or shut down the appliance and to backup and restore the system configuration.
Term
Organizationally Unique Identifier (OUI)
Definition
The first six hex digits of a MAC address (3 bytes or octets), also known as the Organizationally Unique Identifier (OUI), identifies the manufacturer of the adapter.

[image]
Term
troubleshooting methodology
1. Identify the problem:
Definition
- Gather information.
- Duplicate the problem, if possible.
- Question users.
- Identify symptoms.
- Determine if anything has changed.
- Approach multiple problems individually.

Term
troubleshooting methodology
2. Establish a theory of probable cause:
Definition
- Question the obvious.
- Consider multiple approaches.
- Top-to-bottom/bottom-to-top OSI model.
- Divide and conquer.

Term
troubleshooting methodology
3. Test the theory to determine cause:
Definition
- Once the theory is confirmed, determine the next steps to resolve the problem.
- If the theory is not confirmed, establish a new theory or escalate.

Term
troubleshooting methodology
4.
Definition
Establish a plan of action to resolve the problem and identify potential effects.
Term
troubleshooting methodology
5.
Definition
Implement the solution or escalate as necessary.
Term
troubleshooting methodology
6.
Definition
Verify full system functionality, and if applicable, implement preventive measures.

Term
troubleshooting methodology
7.
Definition
Document findings, actions, and outcomes.

Term
Symbol
Definition
A symbol could be something like a pulse of higher voltage in an electrical current or the transition between the peak and the trough in an electromagnetic wave. The number of symbols that can be transmitted per second is called the baud rate. The baud rate is measured in hertz (or MHz or GHz).
Term
THROUGHPUT
Definition
Throughput is an average data transfer rate achieved over a period of time excluding encoding schemes, errors, and other losses incurred at the physical and data link layers.
Term
Speed 
Definition

In Ethernet terms, the speed is the expected performance of a link that has been properly installed to operate at 10 Mbps, 100 Mbps, 1 Gbps, or better.

Term
Attenuation 
Definition

The loss of signal strength, expressed in decibels (dB). dB expresses the ratio between two measurements; in this case, signal strength at origin and signal strength at destination.

Term
Noise
Definition
anything that gets transmitted within or close to the channel that isn't the intended signal. This serves to make the signal itself difficult to distinguish, causing errors in data and forcing retransmissions. This is expressed as the signal to noise ratio (SNR).
Term
loopback adapter (or loopback plug) 
Definition

A network loopback adapter (or loopback plug) is a specially wired RJ-45 plug with a 6" stub of cable. The wiring pinout is pin 1 (Tx) to pin 3 (Rx) and pin 2 (Tx) to pin 6 (Rx). This means that the packet sent by the NIC is received by itself. This is used to test for bad ports and network cards.

[image]

Term
On a switch port, the following LED link states are typical:
Definition
- Solid green: the link is connected but there is no traffic.
- Flickering green: the link is operating normally (with traffic). The blink rate indicates the link speed.
- No light: the link is not working or the port is shut down.
- Blinking amber: a fault has been detected (duplex mismatch, excessive collisions, or redundancy check errors, for instance).
- Solid amber: the port is blocked by the spanning tree algorithm, which works to prevent loops within a switched network.


Term
time domain reflectometer (TDR)
Definition
A TDR is used to measure the length of a cable run and can locate open and short circuits, kinks/sharp bends, and other imperfections in cables that could affect performance
Term
Multimeter
Definition
- A multimeter can be used to check physical connectivity. Its primary purpose is testing electrical circuits, but it can test for the continuity of any sort of copper wire, the existence of a short, and the integrity of a terminator.

- A low resistance reading between the two ends of a conductor shows continuity, while infinite resistance means the cable has a break. The nominal 100 ohms quoted for UTP is its characteristic impedance, a property checked by a cable certifier, not the DC resistance a multimeter reports.


Term
wire map tester 
Definition
To perform a wire map test, the base unit is connected to one end of the cable and a remote unit to the other. When the test is activated, an LED for each wire conductor lights up in sequence. If an LED fails to light or does not light in sequence, there is a problem with the cable and/or termination. 
Term
wire map tester
(DETECTIONS) 
Definition
- Continuity (open): a conductor does not form a circuit because of cable damage or because the connector is not properly wired.
- Short: two conductors are joined at some point, usually because the insulation is damaged or a connector is poorly wired.
- Incorrect pin-out/incorrect termination/mismatched standards: the conductors are incorrectly wired into the terminals at one or both ends of the cable. The following transpositions are common:
  - Reversed pair: the conductors in a pair have been wired to different terminals (for example, from pin 3 to pin 6 and pin 6 to pin 3 rather than pin 3 to pin 3 and pin 6 to pin 6).
  - Crossed pair (TX/RX reverse): the conductors from one pair have been connected to pins belonging to a different pair (for example, from pins 3 and 6 to pins 1 and 2). This may be done deliberately to create a crossover cable, but such a cable would not be used to link a host to a switch.

Term
tone generator 
Definition
A network tone generator and probe are used to trace a cable from one end to the other. This may be necessary when the cables are bundled and have not been labeled properly. This device is also known as a Fox and Hound or tone probe. The tone generator applies a signal to the cable to be traced; the probe is then used to follow that cable over ceilings and through ducts.

Term
decibel (dB) loss 
Definition

If a cable link is too long, decibel (dB) loss (or insertion loss) may mean that the link experiences problems with high error rates and retransmissions (frame or packet loss) resulting in reduced speeds and possibly loss of connectivity. Insertion loss is measured in decibels (dB) and represents the ratio of the received voltage to the original voltage.

Term
dB logarithmic scale
Definition
- +3 dB means doubling, while -3 dB means halving.
- +6 dB means quadrupling, while -6 dB relates to a quarter.
- +10 dB means ten times the ratio, while -10 dB is a tenth.

Term
Electromagnetic interference
Definition
Careful cable placement is necessary during installation to ensure that the wiring is not subject to interference from sources such as electrical power cables, fluorescent lights, motors, electrical fans, radio transmitters, and so on
Term
Crosstalk 
Definition
Crosstalk usually indicates a problem with bad wiring (poor quality or damaged or the improper type for the application), a bad connector, or improper termination. Check the cable for excessive untwisting at the ends and for kinks or crush points along its run. Crosstalk is also measured in dB, but unlike insertion loss, higher values represent less noise.
Term
There are various types of crosstalk
Definition
- Near End (NEXT): this measures crosstalk on the receive pairs at the transmitter end and is usually caused by excessive untwisting of pairs or faulty bonding of shielded elements.
- Attenuation to Crosstalk Ratio, Near End (ACRN): this is the difference between insertion loss and NEXT. ACR is equivalent to a signal-to-noise ratio (SNR). A high value means that the signal is stronger than any noise present; a result closer to 0 means the link is likely to be subject to high error rates.
- Attenuation-to-Crosstalk Ratio, Far End (ACRF): Far End Crosstalk (FEXT) is measured on the receive pairs at the recipient end. The difference between insertion loss and FEXT gives ACRF, which measures cable performance regardless of the actual link length.
- Power sum: Gigabit and 10 GbE Ethernet use all four pairs. Power sum crosstalk calculations (PSNEXT, PSACRN, and PSACRF) confirm that a cable is suitable for this type of application. They are measured by energizing three of the four pairs in turn.

Term
Straight through (PATCH CORDS)
Definition
The cable is terminated with either T568A at both ends or T568B at both ends. This type of cable is used for an uplink (MDI port to MDIX port).
Term
Crossover (PATCH CORDS)
Definition
The cable is wired from one end to the other as: pin 1 to pin 3, pin 2 to pin 6, pin 3 to pin 1, pin 4 to pin 7, pin 5 to pin 8, pin 6 to pin 2, pin 7 to pin 4, and pin 8 to pin 5. This type of cable is used to connect an end system (host) to another host or a hub to a hub.

[image]
Term
console cable
Definition
A console cable is used to connect a PC or laptop to the command line terminal of a switch or router.
Term

Power over Ethernet

Definition
Cat 3 or better is required to support PoE, while PoE+ must be Cat 5e or better.
Term
optical time domain reflectometer (OTDR)
Definition

If a break is identified in an installed cable, the location of the break can be found using an optical time domain reflectometer (OTDR). This sends light pulses down the cable and times how long it takes for any reflections to bounce back from the break. A broken cable will need to be repaired (spliced) or replaced. An OTDR can also be used to verify that new splices are sound.

Term
optical spectrum analyzer (OSA) 
Definition
An optical spectrum analyzer (OSA) is typically used with wavelength division multiplexing (WDM) to ensure that each channel has sufficient power. At very long distances, the attenuation of different wavelengths can vary. This is referred to as spectral attenuation. An OSA can determine whether the existing cable is suitable for reuse with WDM and which wavelengths will support the link distance required.
Term
IPv4 Header definitions
Definition
Version - indicates the version of Internet Protocol in use (4).
Length fields - indicate the size of the header and the total packet size (including the payload). The maximum theoretical size is 65,535 bytes, but actual packets would typically be much smaller to avoid fragmentation when transported as the payload of Ethernet frames.
Protocol - describes what is contained (encapsulated) in the payload so that the receiving host knows how to process it.
Term
IP Protocols
Internet Control Message Protocol (ICMP/1)
Definition

Used for status messaging and connectivity testing.

Term
IP PROTOCOLS
Internet Group Management Protocol (IGMP/2)
Definition
is used with multicasting.
Term
IP PROTOCOLS
Generic Routing Encapsulation (GRE/47)
Definition
Used to tunnel packets across an intermediate network. This is used (for example) in some virtual private network (VPN) implementations.
Term
IP PROTOCOLS
Encapsulating Security Payload (ESP/50)
Authentication Header (AH/51)
Definition
are used with the encrypted form of IP (IPSec).
Term
IP PROTOCOLS
Enhanced Interior Gateway Routing Protocol (EIGRP/88)
and Open Shortest Path First (OSPF/89)
Definition
Protocols used by routers to exchange information about paths to remote networks.
Term
IPv4 Addressing
Definition
An IPv4 address is 32 bits long.
Term
Address Resolution Protocol 
Definition

The TCP/IP suite includes the Address Resolution Protocol (ARP) to perform the task of resolving an IP address to a hardware address.

When both sending and receiving hosts are within the same broadcast domain or subnet, local address resolution takes place using ARP requests and ARP replies, as shown in the figure.

Term
unicast addressing
Definition
When an IPv4 host wants to send a packet to a single recipient, it uses a unicast packet, addressed to the IP address of the destination host. 

[image]
Term
broadcast
Definition
One means of addressing multiple hosts is to perform a broadcast. A broadcast can be performed by sending a packet to the network or subnet's broadcast address. The broadcast address is the last address in any IP network, or put another way, the address in any IP network where all the host bits are set to 1.
Term
unicast traffic
Definition
As with unicast traffic, IP packets must be delivered to hosts using layer 2 MAC addresses. At layer 2, broadcasts are delivered using the group MAC address (ff:ff:ff:ff:ff:ff). This means that there is also a broadcast domain scope at layer 2. 

[image]
Term

Multicast Addressing
IPv4

Definition

IPv4 multicasting allows one host on the Internet (or private IP network) to send content to other hosts that have identified themselves as interested in receiving the originating host's content. Multicast packets are sent to a destination IP address from a special range configured for use with that multicast group.

At layer 2, multicasts are delivered using a special range of MAC addresses. The switch must be multicast capable. If the switch is not multicast-capable, it will treat multicast like a broadcast and flood the multicast transmissions out of all ports.

[image]

Term
Anycast Addressing
IPv4
Definition

Anycast means that a group of hosts are configured with the same IP address. When a router forwards a packet to an anycast group, it uses a prioritization algorithm and metrics to select the host that is "closest" (that will receive the packet and be able to process it the most quickly). This allows the service behind the IP address to be provisioned more reliably. It allows for load balancing and failover between the server hosts sharing the IP address.
[image]

Term

Besides defining broadcast domains, subnets can be used to achieve other network design goals:

Definition

  • Many organizations have more than one site with WAN links between them. The WAN link normally forms a separate subnet.
  • It is useful to divide a network into logically distinct zones for security and administrative control.
  • Networks that use different physical and data link technologies, such as Token Ring and Ethernet, should be logically separated as different subnets.

Term
classful addressing 
Definition
[image]
Term
Class A
Definition
Class A network addresses support large numbers of hosts (over 16 million). However, there are only 126 Class A network addresses.
First octet range: 1-126
Term
Class B Network
Definition
Number of networks: 16,384
Hosts per network: 65,534
First octet range: 128-191
Term
Class C Network
Definition
Number of networks: 2,097,152
Hosts per network: 254
First octet range: 192-223

Term
Classful Addressing
Definition
  • Class A: 255.0.0.0 (/8)
  • Class B: 255.255.0.0 (/16)
  • Class C: 255.255.255.0 (/24)


[image]

Term
public IP address 
Definition

A public IP address is one that can establish a connection with other public IP networks and hosts over the Internet. The allocation of public IP addresses is governed by IANA and administered by regional registries and ISPs. Hosts communicating with one another over a LAN could use a public addressing scheme but will more typically use private addressing.

Term
Private IP addresses 
Definition

Private IP addresses can be drawn from one of the pools of addresses defined in RFC 1918 as non-routable over the Internet:

  • 10.0.0.0 to 10.255.255.255 (Class A private address range).
  • 172.16.0.0 to 172.31.255.255 (Class B private address range).
  • 192.168.0.0 to 192.168.255.255 (Class C private address range).

Term
Automatic Private IP Addressing (APIPA) 
Definition

Automatic Private IP Addressing (APIPA) was developed by Microsoft as a means for clients that could not contact a DHCP server to communicate on the local network anyway. If a Windows host does not receive a response from a DHCP server within a given time frame, it selects an address at random from the range 169.254.1.1 to 169.254.254.254.

Term

Loopback Addresses

Definition

While nominally part of Class A, the range 127.0.0.0 to 127.255.255.255 (or 127.0.0.0/8) is reserved. This range is used to configure a loopback address, which is a special address typically used to check that TCP/IP is correctly installed on the local host. The loopback interface does not require a physical interface to function. A packet sent to a loopback interface is not processed by a network adapter but is otherwise processed as normal by the host's TCP/IP stack. Every IP host is automatically configured with a default loopback address, typically 127.0.0.1. On some hosts, such as routers, more than one loopback address might be configured. Loopback interfaces can also be configured with an address from any suitable IP range, as long as it is unique on the network. A host will process a packet addressed to a loopback address regardless of the interface on which it is received.



Term
0.0.0.0/8
Definition

Used when a specific address is unknown. This is typically used as a source address by a client seeking a DHCP lease.

Term
255.255.255.255
Definition

Used to broadcast to the local network when the local network address is not known.

Term

100.64.0.0/10,
192.0.0.0/24,
192.88.99.0/24,
198.18.0.0/15

Definition
Set aside for a variety of special purposes.
Term
192.0.2.0/24,
198.51.100.0/24,
203.0.113.0/24
Definition

Set aside for use in documentation and examples.

Term
netsh interface ip set address
Definition

netsh interface ip set address "Ethernet" dhcp

netsh interface ip set address "Ethernet" static 10.1.0.1 255.255.255.0 10.1.0.254

Term
netsh 
Definition

You can also use netsh to report the IP configuration (netsh interface ip show config, for example).

Term
PowerShell cmdlets
Definition

The Get-NetAdapter and Get-NetIPAddress cmdlets can be used to query the existing configuration.

A new configuration can be applied using New-NetIPAddress, or an existing one can be modified using Set-NetIPAddress.

Term
ipconfig
Definition
without any switches will display the IP address, subnet mask, and default gateway (router) for all network interfaces to which TCP/IP is bound.
Term
ipconfig /all 
Definition
displays complete TCP/IP configuration parameters for each interface, including whether the Dynamic Host Configuration Protocol (DHCP) is enabled for the interface and the interface's hardware (MAC) address.
Term
ipconfig /renew interface
Definition
forces a DHCP client to renew the lease it has for an IP address.
Term
ipconfig /release interface
Definition
releases the IP address obtained from a DHCP Server so that the interface(s) will no longer have an IP address.
Term
ipconfig /displaydns
Definition
displays the Domain Name System (DNS) resolver cache.
Term
ipconfig /flushdns
Definition
clears the DNS resolver cache.
Term
ipconfig /registerdns
Definition

Registers the host with a DNS server (if it supports dynamic updates).
Term
ifconfig 
Definition
(Linux) Although the net-tools package has been replaced by iproute2, ifconfig can still safely be used to report the network interface configuration.
Term
Linux Ethernet interfaces
Definition
  • Classically identified as eth0, eth1, eth2, etc., although some network packages now use different schemes, such as en
Term
Linux (persistent configuration)
Definition

The persistent configuration is the one applied after a reboot or after a network adapter is reinitialized. The method of applying an IP configuration to an adapter interface is specific to each distribution. Historically, the persistent configuration was applied by editing the /etc/network/interfaces file and bringing interfaces up or down with the ifup and ifdown scripts. Many distributions now use the NetworkManager package, which can be operated using a GUI or the nmcli tools. 

Term
YAML ain't markup language (YAML)
Definition
Additionally, recent distributions of Ubuntu use netplan to abstract some of this underlying complexity to configuration files written in YAML. The YAML configuration files are rendered by either systemd-networkd or NetworkManager.
Term
net-tools has been replaced by the iproute2 package
(Linux)
Definition

  • ip addr - the basic reporting functionality of ifconfig (shows the current address configuration).
  • ip addr show dev eth0 - reports a single interface only.
  • ip link - shows the status of interfaces.
  • ip -s link - reports interface statistics.
  • ip link set eth0 up|down - enables or disables an interface.
  • ip addr add|delete - modifies the IP address configuration.

These changes are not persistent and apply only to the running configuration unless run as part of a startup script.

Term
Address Resolution Protocol (ARP)
Definition
is used by hosts to determine which MAC address is associated with an IP address on the local network.

ARP queries are sent as broadcasts. ARP broadcasts can generate considerable traffic on a network, which can reduce performance. To optimize this process, the results of an ARP broadcast are cached in an ARP table. If the entry is used within the timeout period, the entry is held in the cache for a few minutes before it is deleted.

You would use the arp utility to diagnose a suspected problem with local addressing and packet delivery.
Term
ARP Commands

Definition

  • arp -a (or arp -g) - shows the ARP cache contents. You can use this with IPAddress to view the ARP cache for the specified interface only. The ARP cache will not necessarily contain the MAC addresses of every host on the local segment. There will be no cache entry if there has not been a recent exchange of frames.
  • arp -s IPAddress MACAddress - adds an entry to the ARP cache. Under Windows, MACAddress needs to be entered with hyphens between each hex byte.
  • arp -d * - deletes all entries in the ARP cache; it can also be used with IPAddress to delete a single entry.

In Linux, the ip neigh command shows entries in the local ARP cache (replacing the old arp command).

Term
Internet Control Message Protocol (ICMP)
Definition
used to report errors and send messages about the delivery of a packet. ICMP messages are generated under error conditions in most types of unicast traffic, but not for broadcast or multicast packets.
Term
ping
Definition
The ping utility sends a configurable number and size of ICMP request packets to a destination host. ping is implemented on both Windows and Linux hosts. ping can be used to perform a basic connectivity test that is not dependent on the target host running any higher-level applications or services.

A basic connectivity test is performed by running ping IPAddress, where IPAddress is an IPv4 or IPv6 address.
Term
The Time to Live (TTL)
Round Trip Time (RTT) 
Definition

The millisecond measures of Round Trip Time (RTT) can be used to diagnose latency problems on a link.

The Time to Live (TTL) IP header field is reduced by one every time a packet is forwarded by a router (referred to as a hop). The TTL output field in the ping command shows the value of the counter when the packet arrived at its destination.

Term
Destination host unreachable
Definition

There is no routing information (that is, the local computer does not know how to get to that IP address). This might be caused by some sort of configuration error on the local host, such as an incorrect default gateway, by a loss of connectivity with a router, or by a routing configuration error.

Term
No reply (Request timed out.)
Definition
The host is unavailable or cannot route a reply to your computer. Requests time out when the TTL is reduced to 0 because the packet is looping (because of a corrupted routing table), when congestion causes delays, or when a host does not respond.
Term
ping sequence for identifying connectivity issues
Definition
[image]
Term

IGMP snooping 

Definition
IGMP snooping means the switch reads IGMP messages and can determine if the host on an access port or one or more hosts in a VLAN have joined a multicast group. IGMP snooping is not an available feature for switches that are not multicast-aware, and multicast traffic is treated as broadcast traffic across all ports and VLANs.
Term
IPv6 Header:
Traffic Class
Definition
Describes the packet's priority.
Term
IPv6 Header:
Flow Label
Definition
Used for quality of service (QoS) management, such as for real-time streams. This is set to 0 for packets not part of any delivery sequence or structure.
Term
IPv6 Header
Payload Length
Definition
Indicates the length of the packet payload, up to a maximum of 64 KB; if the payload is bigger than that, this field is 0 and a special Jumbo Payload (4 GB) option is established.
Term
IPv6 Header
Next Header
Definition
Used to describe what the next extension header (if any) is, or where the actual payload begins.
Term
IPv6 Header:
Hop Limit
Definition
Replaces the TTL field in IPv4 but performs the same function.
Term
canonical notation
Definition
The hex notation can be compressed further. Where a double byte contains leading 0s, they can be ignored. In addition, one contiguous series of 0s can be replaced by a double colon place marker. You can only use double colon compression once in a given address.
Term
IPv6
Definition
128 - Bit Addressing Scheme
Term
IPv6
Definition

Like IPv4, IPv6 can use unicast, multicast, and anycast addressing. Unlike IPv4, there is no broadcast addressing.

Term

IPv6 Global Addressing

Globally scoped unicast addresses are routable over the Internet and are the equivalent of public IPv4 addresses. The parts of a global address are:

Definition

  • The first 3 bits (001) indicate that the address is within the global scope. Most of the IPv6 address space is unused. The scope for globally unique unicast addressing occupies just 1/8th of the total address space. In hex, globally scoped unicast addresses will start with a 2 (0010 in binary) or 3 (0011).
  • The next 45 bits are allocated in a hierarchical manner to regional registries and from them to ISPs and end users.
  • The next 16 bits identify site-specific subnet addresses.
  • The final 64 bits are the interface ID.

Term
IPv6 global unicast 
Definition
[image]
Term

Interface ID/EUI-64

The 64-bit interface ID can be determined by using two techniques.

Definition
  • First, the digits fffe are added in the middle of the MAC address.
  • Second, the first 8 bits, or 2 hex digits, are converted to binary, and the 7th bit (the U/L bit) is flipped (from 0 to 1 or 1 to 0).

As a MAC address is currently 48 bits (6 bytes), a (relatively) simple translation mechanism allows driver software to create a 64-bit interface ID (an EUI-64) from these 48 bits.
Term
Link local 
Definition

Link local addresses span a single subnet (they are not forwarded by routers). Nodes on the same link are referred to as neighbors. The link local range is fe80::/10. Link local addresses start with a leading fe80, with the next 54 bits set to 0, and the last 64 bits are the interface ID.

The equivalent in IPv4 is Automatic Private IP Addressing (APIPA) and its 169.254.0.0 addresses. However, unlike IPv4, an IPv6 host is always configured with link local addresses (one for each link), even if it also has a globally unique address.


[image]

Term
zone index (or scope id)
Definition

A link local address is also appended with a zone index (or scope id) of the form %1 (Windows) or %eth0 (Linux). This is used to define the source of the address and make it unique to a particular link. For example, a given host may have links to a loopback address, Ethernet, and a VPN. Each of these links may use the same link local address, so each is assigned a zone ID to make it unique. Zone indices are generated by the host system, so where two hosts communicate, they may be referring to the link using different zone IDs.

Term
Neighbor Discovery (ND) protocol 
Definition

  • Address autoconfiguration - enables a host to configure IPv6 addresses for its interfaces automatically and detect whether an address is already in use on the local network, by using neighbor solicitation (NS) and neighbor advertisement (NA) messages.
  • Prefix discovery - enables a host to discover the known network prefixes that have been allocated to the local segment. This facilitates next-hop determination (whether a packet should be addressed to a local host or a router). Prefix discovery uses router solicitation (RS) and router advertisement (RA) messages. An RA contains information about the network prefix(es) served by the router, information about autoconfiguration options, plus information about link parameters, such as the MTU and hop limit. Routers send RAs periodically and in response to a router solicitation initiated by the host.
  • Local address resolution - allows a host to discover other nodes and routers on the local network (neighbors). This process also uses neighbor solicitation (NS) and neighbor advertisement (NA) messages.
  • Redirection - enables a router to inform a host of a better route to a particular destination.

Term
stateless address autoconfiguration (SLAAC):
Definition

  • The host generates a link local address and tests that it is unique by using the Neighbor Discovery (ND) protocol.
  • The host listens for a router advertisement (RA) or transmits a router solicitation (RS) using ND protocol messaging. The router can either provide a network prefix, direct the host to a DHCPv6 server to perform stateful autoconfiguration, or perform some combination of stateless and stateful configuration.

Term

ICMPv6

Definition

  • Error messaging - ICMPv6 supports the same sort of destination unreachable and time exceeded messaging as ICMPv4. One change is the introduction of a Packet Too Big class of error. Under IPv6, routers are no longer responsible for packet fragmentation and reassembly, so the host must ensure that packets fit in the MTUs of the various links used.

ICMPv6 supports ICMPv4 functions, such as echo and redirect, plus a whole new class of messages designed to support Neighbor Discovery (ND) and Multicast Listener Discovery (MLD), such as router and neighbor advertisements and solicitations.

Term
The parts of a multicast address
Definition

  • The first 8 bits indicate that the address is within the multicast scope (1111 1111 or ff).
  • The next 4 bits are used to flag types of multicast if necessary; otherwise, they are set to 0.
  • The next 4 bits determine the scope; for example, 1 is node-local (to all interfaces on the same node) and 2 is link local.
  • The final 112 bits define multicast groups within that scope.

Term
Multicast Listener Discovery (MLD) 
Definition

The Multicast Listener Discovery (MLD) protocol allows nodes to join a multicast group and discover whether members of a group are present on a local subnet.

Term
Dual stack 
Definition

Dual stack hosts and routers can run both IPv4 and IPv6 simultaneously and communicate with devices configured with either type of address. Most modern desktop and server operating systems implement dual stack IP. Most modern dual stack systems will try to initiate communications using IPv6 by default.

Term

Tunneling

Definition

As an alternative to dual stack, tunneling can be used to deliver IPv6 packets across an IPv4 network. Tunneling means that IPv6 packets are inserted into IPv4 packets and routed over the IPv4 network to their destination. Routing decisions are based on the IPv4 address until the packets approach their destinations, at which point the IPv6 packets are stripped from their IPv4 carrier packets and forwarded according to IPv6 routing rules. This carries a high protocol overhead and is not nearly as efficient as operating dual stack hosts.

Term
6to4 addresses
IPv6 Rapid Deployment (6RD)
Definition

6to4 addresses use the prefix 2002::/16.

With 6RD, the 2002::/16 prefix is replaced by an ISP-managed prefix and there are various other performance improvements.

Term
Teredo protocol (Microsoft)
Definition
Microsoft provides support for tunneling by Windows hosts using its Teredo protocol. Teredo tunnels IPv6 packets as IPv4-based UDP messages over port 3544. Teredo requires compatible clients and servers. 
Term
Miredo 
Definition
The open-source Miredo package implements Teredo for UNIX/Linux operating systems. Port (3544)?
Term
Generic Routing Encapsulation (GRE)
Definition

Generic Routing Encapsulation (GRE) allows a wide variety of Network layer protocols to be encapsulated inside virtual point-to-point links. This protocol has the advantage that because it was originally designed for IPv4, it is considered a mature mechanism and can carry both v4 and v6 packets over an IPv4 network.

Term

COMMON IPV6 ADDRESS PREFIXES

Definition

Type | Prefix | Leading Hex Characters
Global unicast | 2000::/3 | 2 or 3
Link local unicast | fe80::/10 | fe80
Multicast | ff00::/8 | ff
Multicast (link local) | ff02::/16 | ff02::1 (all nodes), ff02::2 (all routers), ff02::1:2 (DHCP)
Solicited-node | ff02::1:ff00:0/104 | ff02::1:ff
Unspecified | ::/128 | 0::0
Loopback | ::1/128 | ::1
Documentation/Examples | 2001:db8::/32 | 2001:db8

The 0000::/8 block (that is, IPv6 addresses where the first bits are 0000 0000) is reserved for special functions. Within this block, there are two special addresses defined:

  • Unspecified address (0:0:0:0:0:0:0:0) - a host that has not obtained a valid address. This is often expressed as ::.
  • Loopback address (0:0:0:0:0:0:0:1) - used for testing (for the host to send a packet to itself). This is often expressed as ::1.

Term
Error messaging
Definition
Error messaging is one of the new features of Internet Control Message Protocol version 6 (ICMPv6). One change is the introduction of a Packet Too Big class of error. Under IPv6, routers are no longer responsible for packet fragmentation and reassembly.
Term
ROUTING TABLE 
The main parameters define a routing entry
Definition

  • Protocol - the source of the route.
  • Destination - routes can be defined to specific hosts but are more generally directed to network IDs. The most specific destination prefix (the longest mask) will be selected as the forwarding path if there is more than one match.
  • Interface - the local interface to use to forward a packet along the chosen route. This might be represented as the IP address of the interface or as a layer 2 interface ID.
  • Gateway/next hop - the IP address of the next router along the path to the destination.

Term
Routing table entries fall into four general categories
Definition

  • Direct network routes, for subnets to which the router is directly attached.
  • Remote network routes, for subnets and IP networks that are not directly attached.
  • Host routes, for routes to a specific IP address. A host route has a /32 network prefix.
  • Default routes, which are used when an exact match for a network or host route is not found.

Term

directly connected routes.

Definition

The IP network or subnet for each active router interface is automatically added to the routing table. These are known as directly connected routes.

Term
Static Routes
Definition

A static route is manually added to the routing table and only changes if edited by the administrator. Configuring static routing entries can be useful in some circumstances, but it can be problematic if the routing topology changes often, as each route on each affected router needs to be updated manually.

Term
default route 
Definition

A default route is a special type of static route that identifies the next hop router for a destination that cannot be matched by another routing table entry. The destination address 0.0.0.0/0 (IPv4) or ::/0 (IPv6) is used to represent the default route. The default route is also described as the gateway of last resort. Most end systems are configured with a default route (pointing to the default gateway). This may also be the simplest way for an edge router to forward traffic to an ISP's routers.

Term

PACKET FORWARDING

When a router receives a packet, it reads the destination address in the packet and looks up a matching destination network IP address and prefix in its routing table. If there is a match, the router will forward the packet out of one of its interfaces by encapsulating the packet in a new frame:

Definition

  • If the packet can be delivered to a directly connected network via an Ethernet interface, the router uses ARP (IPv4) or Neighbor Discovery (ND in IPv6) to determine the interface address of the destination host.
  • If the packet can be forwarded via a gateway over an Ethernet interface, it inserts the next hop router's MAC address into the new frame.
  • If the packet can be forwarded via a gateway over another type of interface (leased line or DSL, for instance), the router encapsulates the packet in an appropriate frame type.
  • If the destination address cannot be matched to a route entry, the packet is either forwarded via the default route or dropped (and the source host is notified that it was undeliverable).

Term

Hop Count

Definition
If the packet is forwarded via a gateway, this process is repeated at each router to deliver the packet through the internetwork. Each router along the path counts as one hop. Note that switches do not count as hops.
Term

Time To Live

Definition

At each router, the Time to Live (TTL) IP header field is decreased by at least 1. This could be greater if the router is congested. The TTL is nominally the number of seconds a packet can stay on the network before being discarded. While TTL is defined as a unit of time (seconds), in practice, it is interpreted as a maximum hop count. When the TTL is 0, the packet is discarded. This prevents badly addressed packets from permanently circulating the network.

Term

FRAGMENTATION

Definition

IPv6 does not allow routers to perform fragmentation. Instead, the host performs path MTU discovery to work out the MTU supported by each hop and crafts IP datagrams that will fit the smallest MTU.

Term
Convergence
Definition

Convergence is the process whereby routers running dynamic routing algorithms agree on the network topology. Routers must be capable of adapting to changes such as newly added networks, router or router interface failures, link failures, and so on. Routers must be able to communicate changes to other routers quickly to avoid black holes and loops. A black hole means that a packet is discarded without notification back to the source; a loop causes a packet to be forwarded around the network until its TTL expires.

Term
steady state
Definition
A network where all the routers share the same topology is described as steady state. The time taken to reach steady state is a measure of a routing protocol's convergence performance.
Term
autonomous system (AS)
Interior Gateway Protocol (IGP)
Definition
 A network under the administrative control of a single owner is referred to as an autonomous system (AS). An Interior Gateway Protocol (IGP) is one that identifies routes within an AS.
Term
Exterior Gateway Protocol (EGP) 
Definition
An Exterior Gateway Protocol (EGP) is one that can advertise routes between autonomous systems. An EGP includes a field to communicate the network's autonomous system ID and allows network owners to determine whether they can use paths through another organization's network.
Term

Protocol

Type

Class

Transport

Routing Information Protocol (RIP)

Distance Vector

IGP

UDP (port 520 or 521)

Enhanced Interior Gateway Routing Protocol (EIGRP)

Distance Vector/Hybrid

IGP

Native IP (88)

Open Shortest Path First (OSPF)

Link State

IGP

Native IP (89)

Border Gateway Protocol (BGP)

Path Vector

EGP

TCP (port 179)

Definition

Protocol

Type

Class

Transport

Routing Information Protocol (RIP)

Distance Vector

IGP

UDP (port 520 or 521)

Enhanced Interior Gateway Routing Protocol (EIGRP)

Distance Vector/Hybrid

IGP

Native IP (88)

Open Shortest Path First (OSPF)

Link State

IGP

Native IP (89)

Border Gateway Protocol (BGP)

Path Vector

EGP

TCP (port 179)

Term
Routing Information Protocol (RIP) 
Definition

The Routing Information Protocol (RIP) is a distance vector routing protocol. RIP considers only a single piece of information about the network topology: the next hop router to reach a given network or subnet (the vector). It considers only one metric to select the optimal path to a given destination network: the lowest hop count (the distance).

Term
three versions of RIP
Definition

§  RIPv1 is a classful protocol and uses inefficient broadcasts to communicate updates over UDP port 520.

§  RIPv2 supports classless addressing and uses more efficient multicast transmissions over UDP port 520. It also supports authentication.

§  RIPng (next generation) is a version of the protocol designed for IPv6. RIPng uses UDP port 521.

Term

ENHANCED INTERIOR GATEWAY ROUTING PROTOCOL

Definition

Transport: native IP (protocol number 88).

There are versions for IPv4 and IPv6.
Like RIP, EIGRP is a distance vector protocol because it relies on neighboring routers to report paths to remote networks. Unlike RIP, which is based on a simple hop count metric, EIGRP uses a metric composed of administrator-weighted elements. The two default elements are bandwidth and delay.

§  Bandwidth: Applies a cost based on the lowest bandwidth link in the path.

§  Delay: Applies a cost based on the time it takes for a packet to traverse the link. This metric is most important if the route is used to carry time-sensitive data, such as voice or video. Delay is calculated as the cumulative value for all outgoing interfaces in the path.

EIGRP does use regular hello messaging to confirm connectivity with its neighbors. Unlike RIP, EIGRP maintains a topology table alongside its routing information base. The topology table is used to prevent loops while also supporting a greater number of maximum hops than RIP (nominally up to 255).

Unlike RIP, EIGRP is a native IP protocol, which means that it is encapsulated directly in IP datagrams, rather than using TCP or UDP. It is tagged with the protocol number 88 in the Protocol field of the IP header. Updates are transmitted using multicast addressing.

Term
Open Shortest Path First (OSPF) 
Definition
is the most widely adopted link state protocol. It is suited to large organizations with multiple redundant paths between networks. It has better convergence performance than RIP. It was designed from the outset to support classless addressing.
Term
area border routers
Definition
Routers that can connect to multiple areas are known as area border routers. A backbone (always called Area 0) is created by the collection of border routers. This backbone is only visible to the border routers and invisible to the routers within a specific area.
Term
OSPF
Definition

In a given area, routers exchange OSPF hello messages, both as a form of keep-alive packet and in order to acquire neighbors with which to exchange routing information. Neighbors share Link State Advertisement (LSA) updates to build a consistent link state database (LSDB) that represents the network topology of the area. The router applies an algorithm called shortest path first (SPF) to analyze the LSDB and add least-cost, loop-free routes to its routing table. This use of a topology table of the whole network to select routes is the key difference between link state and distance vector algorithms.

The small, frequent updates used by OSPF lead to more rapid convergence and support larger networks more efficiently. The use of areas to subdivide the network minimizes the amount of routing traffic that must be passed around the network as a whole, further improving convergence performance. However, link state algorithms can be more expensive to implement because they require more CPU and memory resources.

Term
OSPF
Definition
OSPF also supports plaintext or cryptographic authentication.
This is tagged as protocol number 89 in the IP datagram's Protocol field.
Term
Border Gateway Protocol (BGP) 
Definition
The Border Gateway Protocol (BGP) is designed to be used between routing domains in a mesh internetwork and as such is used as the routing protocol on the Internet, primarily between ISPs.
Term
BGP 
Definition

BGP works with classless network prefixes called Network Layer Reachability Information (NLRI). Path selection is based on multiple metrics, including hop count, weight, local preference, origin, and community. BGP is not a pure distance vector algorithm. In fact, BGP is more usually classed as a path vector routing protocol.

Term
BGP 
Definition

BGP works over TCP on port 179.

Term
administrative distance (AD) 
Definition

However, as routing protocols use different methods to calculate the metric, it cannot be used to compare routes from different protocols in the overall IP routing table. Instead, an administrative distance (AD) value is used to express the relative trustworthiness of the protocol supplying the route. Default AD values are coded into the router but can be adjusted by the administrator if necessary.

| Source | AD |
| --- | --- |
| Local interface/Directly connected | 0 |
| Static route | 1 |
| BGP | 20 |
| EIGRP | 90 |
| OSPF | 110 |
| RIP | 120 |
| Unknown | 255 |

Term
Classless Inter-Domain Routing (CIDR) 
Definition
Classless Inter-Domain Routing (CIDR) uses bits normally assigned to the network ID to mask the complexity of the subnet and host addressing scheme within that network. CIDR is also sometimes described as supernetting.
Term
Dynamic routing protocols that support classless addressing include 
Definition
RIPv2, EIGRP, OSPF, and BGPv4.
Term
variable length subnet masking (VLSM)
Definition

allows a network designer to allocate ranges of IP addresses to subnets that match the predicted need for numbers of subnets and hosts per subnet more closely. Without VLSM, you have to allocate subnetted ranges of addresses that are the same size and use the same subnet mask throughout the network. This typically means that some subnets have many wasted IP addresses or additional routing interfaces must be installed to connect several smaller subnets together within a single building or department.

VLSM allows different length netmasks to be used within the same IP network, allowing more flexibility in the design process.

Term
EDGE ROUTERS
Definition

Edge routers, placed at the network perimeter, are typified by distinguishing external (Internet-facing) and internal interfaces. These routers can perform framing to repackage data from the private LAN frame format to the WAN Internet access frame format. The customer's router is referred to as the customer edge (CE), while the service provider's router is referred to as the provider edge (PE).

They feature specialized processors to handle the routing and forwarding processes, and memory to buffer data. Most routers of this class will also support plug-in cards for WAN interfaces. Another important feature is support for different methods of configuring site-to-site virtual private networks (VPNs).

Term

Layer 3 Capable Switches

Each port acts as its own broadcast domain and its own collision domain. The switch makes Layer 3 routing decisions, just like a router, and interconnects entire networks, not just network segments.

Definition

Passing traffic between a router appliance and the switch over a trunk link is relatively inefficient and does not scale well to tens of VLANs. Consequently, enterprise networks usually deploy layer 3 switches at the core of their networks. A layer 3 capable switch is one that is optimized for routing between VLANs. It can use static and dynamic routing to identify which VLAN an IP address should be forwarded to. A layer 3 switch can maintain a mapping table of IP addresses to MAC addresses so that when a path is established, it can use low-latency hardware-based forwarding. However, layer 3 switches do not typically have WAN interfaces and so are not usually used for routing at the network edge.

Term

ROUTER CONFIGURATION

Definition

§  Apply an IP configuration to each interface.

§  Configure one or more routing protocols and/or static routes so that the router can serve its function.

Term
show route,
show ip route,
show ipv6 route
Definition

The show route, show ip route, show ipv6 route, or similar command will output the active routing table. As well as destination, gateway, AD/metric, and interface, the output will show the source of the route, identified as a letter code (C = connected, S = static, R = RIP, B = BGP, D = EIGRP, O = OSPF, and so on).

Term
route 
Definition

The route command is used to view and modify the routing table of end system Windows and Linux hosts.

In Windows, to show the routing table, run route print. Apart from loopback addresses and the local subnet, the routing table for an end system generally contains a single entry for the default route.

Term

To add a route, the syntax for the Windows version of the tool is:

Definition

route [-f -p] add DestinationIP mask Netmask GatewayIP metric MetricValue if Interface

The variables in the syntax are defined as:

§  DestinationIP is a network or host address.

§  Netmask is the subnet mask for DestinationIP.

§  GatewayIP is the router to use to contact the network or host.

§  MetricValue is the cost of the route.

§  Interface is the adapter the host should use (used if the host is multihomed).

Term
route (command)
Definition
A route can be permanently configured (stored in the registry) using the -p switch. The tool also allows for routes to be deleted ( route delete ) and modified ( route change ).
Term
route (Linux)
Definition
  • route (no parameters) displays the routing table.
  • A nonpersistent route can be added using the following general syntax:

  • route add -net 192.168.3.0 netmask 255.255.255.0 metric 2 dev eth0

  • The iproute2 suite of tools is designed to replace deprecated legacy command-line tools in Linux. You can use ip route show and ip route add to achieve the same ends.
Term
traceroute Linux and router OSes
Definition
  • The traceroute tool allows you to test the whole path between two nodes with a view to isolating the node or link that is causing the problem.
  • traceroute is supported on Linux and router OSes (such as Cisco IOS).
  • traceroute uses User Datagram Protocol (UDP) probe messages by default. The command issues a UDP probe for port 32767 with a TTL of 1.

Term
traceroute Linux and router OSes
Definition

The first hop should reduce this to zero and respond with an ICMP Time Exceeded message. The command then increments the TTL by one and sends a second probe, which should reach the second hop router. This process is repeated until the end node is reached, which should reply with an ICMP Port Unreachable response.

The output shows the number of hops, the IP address of the ingress interface of the router or host (that is, the interface from which the router receives the probe), and the time taken to respond to each probe in milliseconds (ms). If no acknowledgment is received within the timeout period, an asterisk is shown against the probe. Note that while this could indicate that the router interface is not responding, it could also be that the router is configured to drop packets with expired TTLs silently.

Term
traceroute Linux and router OSes
Definition

traceroute can be configured to send ICMP Echo Request probes rather than UDP by using traceroute -I. The traceroute -6 or traceroute6 commands are used for IPv6 networks.

Term
tracert (Windows system)
Definition

On a Windows system, the tracert command performs the same function as traceroute. tracert uses Internet Control Message Protocol (ICMP) Echo Request probes by default. The command issues an Echo Request probe with a TTL of 1. The first hop should reduce this to zero and respond with a Time Exceeded response. tracert then increments the TTL by one each time to discover the full path.

Term
tracert (Windows)
Definition

Use the -d switch to suppress name resolution, -h to specify the maximum number of hops (the default is 30), and -w to specify a timeout in ms (the default is 4000).

When used with host names (rather than IP addresses), tracert can be forced to use IPv6 instead of IPv4 by adding the -6 switch.

Term

MISSING ROUTE ISSUES

Definition

If you suspect a problem with router configuration and the network topology, use traceroute to try to identify where the network path is failing and the route or show route commands to investigate the routing tables of intermediate systems at that point in the path.

When inspecting a routing table, you can use show ip route w.x.y.z to check for the presence of a route to a specific IP network. A missing route may arise because a required static routing entry has not been entered or has been entered incorrectly. Missing routes may also arise because a router fails to communicate with its neighbors and so does not receive routing protocol updates. Performing a device configuration review means checking that the running configuration matches the documented baseline.

Term

MISSING ROUTE ISSUES (x2)

Definition
You might start troubleshooting this by pinging the router nodes that are neighbors of the system with the issue to check basic connectivity. If there is a network path and the neighbors are up, you would investigate the protocol configuration (perhaps there is an authentication issue or incorrect parameter).
Term
routing loop 
Definition

routing loop occurs when two routers use one another as the path to a network. Packets caught in a routing loop circle around until the TTL expires. One symptom of a potential routing loop is for routers to generate ICMP Time Exceeded error messages.

Term
vector protocols use mechanisms to prevent loops
Definition

§  Maximum hop count: If the cost exceeds a certain value (16 in RIP), the network is deemed unreachable. A poison route is one advertised with a hop count of 16. This can provide an explicit failure notice to other routers.

§  Holddown timer: If a node declares a network unreachable, its neighbors start a holddown timer. Any updates about that route received from other nodes are discarded for the duration of the timer. This is designed to ensure that all nodes have converged information about an unreachable network.

§  Split horizon: Prevents a routing update from being copied back to the source. In the example above, this would prevent router C from sending an update about a route to router A via router B to router B.

Term
Asymmetrical routing 
Definition

Asymmetrical routing refers to a topology where the return path is different to the forward path. This is common where there are load balancers and where routing takes place over multiple redundant paths across the Internet or other complex internetwork. Asymmetric routing is problematic where the return path is much higher latency than the forward path or where the difference between the paths causes stateful firewall or network address translation (NAT) devices to filter or drop communications. These types of devices should not be placed in the middle of a network where the forward and return paths could diverge. Problematic asymmetric routing could be caused by incorrectly configured static or dynamic routes. You should use traceroute from both sender and receiver to compare the per-hop latency to identify where the routing topology is misconfigured.

Term

An optical link budget, or loss budget, is the amount of loss suffered by all components along a fiber transmission path. This is calculated using the following parameters:

Definition

§  Attenuation: This is the loss over the length of the cable, based on fiber type and the wavelength used. Single mode has a loss of up to 0.4 dB/km, while multimode can be from 0.8 dB/km to 3 dB/km.

§  Connectors: Each connector in the path incurs a loss, usually assumed to be 0.75 dB.

§  Splices: Additional splices in the cable are budgeted at around 1 dB for mechanical and 0.3 dB for fusion.

Term
power budget 
Definition

The loss budget must be less than the power budget. The power budget is calculated from the transceiver transmit (Tx) power and receiver (Rx) sensitivity, which are both typically measured in decibels relative to one milliwatt (dBm). For example, if Tx is -8 dBm and Rx is -15 dBm, then the power budget is 7 dB.

If the loss budget is 5 dB, the margin between the power budget and loss budget will be 2 dB. Margin is a safety factor to account for suboptimal installation conditions (such as bends or stress), aging, repair of accidental damage (additional splices), and performance under different thermal conditions (extreme temperatures can cause loss).

If the margin between the transmitter power and link budget is low, the link is less likely to achieve the expected bandwidth. There may be opportunities to improve performance with better or fewer splices, or it may be necessary to use an amplifier to boost the signal. Most outdoor plants would be designed with a margin of at least 5 dB. In a datacenter where conditions are less variable a lower margin might be acceptable.

Term
Which of the following will decrement when it passes through switches?
Definition

Neither hop count nor TTL will decrement when passing through a switch, only when it passes through routers.

Term

Which of the following is NOT a mechanism for preventing routing loops?

  1. Maximum hop count
  2. Convergence
  3. Holddown timer
  4. Split horizon
Definition

Convergence is the process where routers running dynamic routing algorithms agree on the network topology.

Term

End system nodes can be classified as either clients or servers:

Definition

§  A server makes network applications and resources available to other hosts.

§  A client consumes the services provided by servers.

Term
client-server 
Definition

client-server network is one where some nodes, such as PCs, laptops, and smartphones, act mostly as clients. The servers are more powerful computers. Application services and resources are centrally provisioned, managed, and secured.

Term
peer-to-peer 
Definition
peer-to-peer network is one where each end system acts as both client and server. This is a decentralized model where provision, management, and security of services and data is distributed around the network.
Term
Local Area Networks
Definition
A local area network (LAN) describes a network type that is confined to a single geographical location. In a LAN, all nodes and segments are directly connected with cables or short-range wireless technologies. It does not require a leased telecommunication system to function. Most of the network infrastructure in a LAN would be directly owned and managed by a single organization. 
Term
Local Area Networks examples
Definition

§  Home/residential networks: With an Internet router and a few computers, plus mobile devices, gaming consoles, and printers.

§  Small office/home office (SOHO) networks: A business-oriented network possibly using a centralized server in addition to client devices and printers, but often still using a single Internet router/switch/access point to provide connectivity.

§  Small and medium-sized enterprise (SME) networks: A network supporting dozens of users. Such networks would use structured cabling and multiple switches and routers to provide connectivity.

§  Enterprise LANs: A larger network with hundreds or thousands of servers and clients. Such networks would require multiple enterprise-class switch and router appliances to maintain performance levels. The term campus area network (CAN) is sometimes used for a LAN that spans multiple nearby buildings.

§  Datacenters: A network that hosts only servers and storage, not end user client devices.

Term
wireless local area network (WLAN) 
Definition

The term wireless local area network (WLAN) is used for LANs based on Wi-Fi. Open (public) WLANs are often referred to as hotspots.

Term
Wide Area Networks
Definition

A wide area network (WAN) is a network of networks, connected by long-distance links. A typical enterprise WAN would connect a main office site with multiple branch office sites, possibly in different countries. A WAN could link two or more large LANs or could be used for remote workers connecting to an enterprise network via a public network such as the Internet. WANs are likely to use leased network devices and links, operated and managed by a service provider.

Term
metropolitan area network (MAN) 
Definition

The term metropolitan area network (MAN) is sometimes used for something a bit smaller than a WAN: a city-wide network encompassing multiple buildings.

Term
personal area network (PAN) 
Definition

The terms personal area network (PAN) and wireless PAN (WPAN) have gained some currency over the last few years. They refer to the fact that a person might establish close-range network links between a variety of devices, such as smartphones, tablets, headsets, and printers. As digital and network functionality continues to be embedded in more and more everyday objects, appliances (the Internet of Things), and clothing, the use of PANs will only grow.

Term
Topology 
Definition

describes the physical or logical structure of the network in terms of nodes and links.

Term
Logical Topology
Definition
The logical topology describes the flow of data through the network.
Term
point-to-point 
Definition

In the simplest type of topology, a single link is established between two nodes. This is called a point-to-point link. Because only two devices share the connection, they are guaranteed a level of bandwidth.
A point-to-point link can be a physical or logical topology.
With either a physical or logical topology, it is the 1:1 relationship that defines a point-to-point link.

Term
star topology
Definition

In a star topology, each endpoint node is connected to a central forwarding node, such as a hub, switch, or router.

The star topology is easy to reconfigure and easy to troubleshoot because all data goes through a central point, which can be used to monitor and manage the network. Faults are automatically isolated to the media, node (network card), or the hub, switch, or router at the center of the star.

Term

MESH TOPOLOGY

Definition

mesh topology is commonly used in WANs, especially public networks like the Internet. In theory, a mesh network requires that each device has a point-to-point link with every other device on the network (fully connected). This approach is normally impractical, however. The number of links required by a full mesh is expressed as n(n-1)/2, where n is the number of nodes. For example, a network of just four nodes would require six links, while a network of 40 nodes would need 780 links! Consequently, a hybrid approach is often used, with only the most important devices interconnected in the mesh, perhaps with extra links for fault tolerance and redundancy. In this case, the topology is referred to as a partial mesh.

Mesh networks provide excellent redundancy, because other routes, via intermediary devices, are available between locations if a link failure occurs.

Term

RING TOPOLOGY

Definition

In a physical ring topology, each node is wired to its neighbor in a closed loop. A node receives a transmission from its upstream neighbor and passes it to its downstream neighbor until the transmission reaches its intended destination. Each node can regenerate the transmission, improving the potential range of the network.

 

The physical ring topology is no longer used on LANs, but it does remain a feature of many WANs. Two ring systems (dual counter-rotating rings) can be used to provide fault tolerance. These dual rings allow the system to continue to operate if there is a break in one ring.

Term

Access/Edge Layer

Definition

The access or edge layer allows end-user devices, such as computers, printers, and smartphones to connect to the network. The access layer is implemented for each site using structured cabling and wall ports for wired access and access points for wireless access. Both are ultimately connected to workgroup switches. Switches deployed to serve the access layer might also be referred to as LAN switches or data switches. End systems connect to switches in the access/edge layer in a star topology. There are no direct links between the access switches.

Term

Distribution/Aggregation Layer

Definition

The distribution or aggregation layer provides fault-tolerant interconnections between different access blocks at either the core or other distribution blocks. Each access switch has full or partial mesh links to each router or layer 3 switch in its distribution layer block. The distribution layer is often used to implement traffic policies, such as routing boundaries, filtering, or quality of service (QoS).

Term

Distribution/Aggregation Layer
(Cont)

Definition

The layer 3 capable switches used to implement the distribution/aggregation layer have different capabilities from the layer 2-only workgroup switches used in the access tier. Rather than 1 Gbps access ports and 10 Gbps uplink ports, as would be typical of a workgroup switch, basic interfaces on an aggregation switch would be 10 Gbps and uplink/backbone ports would be 40 Gbps (or possibly 40 Gbps/100 Gbps). Layer 3 switches work on the principle of "route once, switch many," which means that once a route is discovered, it is cached with the destination MAC address and subsequent communications are switched without invoking the routing lookup. While a router uses a generic processor and firmware to process incoming packets, a layer 3 switch uses an application-specific integrated circuit (ASIC). This can have an impact on the relative performance of the two types of devices. Layer 3 switches can be far faster, but they are not always as flexible. Layer 3 switches cannot usually perform WAN routing and work with interior routing protocols only. Often layer 3 switches support cabled Ethernet only.

Term

Core Layer

Definition

The core layer provides a highly available network backbone. Devices such as client and server computers should not be attached directly to the core. Its purpose should be kept simple: provide redundant traffic paths for data to continue to flow around the access and distribution layers of the network. Routers or layer 3 switches in the core layer establish a full mesh topology with switches in distribution layer blocks.

Term
spanning tree protocol (STP) 

802.1D - Permits redundant links between switches and prevents looping of network traffic.
Definition

The spanning tree protocol (STP) is a means for the bridges or switches to organize themselves into a hierarchy. The switch at the top of the hierarchy is the root. The switch with the lowest ID, comprising a priority value and the MAC address, will be selected as the root.

Term
bridge protocol data unit (BPDU) 
Definition

Each switch then determines the shortest path to the root bridge by exchanging information with other switches. This STP information is packaged as bridge protocol data unit (BPDU) multicast frames. A port that forwards "up" to the root, possibly via intermediate switches, is identified as a root port. Ports that can forward traffic "down" through the network with the least cost are identified as designated ports. A port that would create a loop is identified as a blocking or non-designated port. Subsequently, bridges exchange Topology Change Notifications if devices are added or removed, enabling them to change the status of forwarding/blocked ports appropriately.

Term

different states that a port can be in.

Definition

| State | Forwards Frames? | Learns MACs? | Notes |
| --- | --- | --- | --- |
| Blocking | No | No | Drops all frames other than BPDUs. |
| Listening | No | No | Port is listening for BPDUs to detect loops. |
| Learning | No | Yes | The port discovers the topology of the network and builds the MAC address table. |
| Forwarding | Yes | Yes | The port works as normal. |
| Disabled | No | No | The port has been disabled by the administrator. |

When all ports on all switches are in forwarding or blocking states, the network is converged. When the network is not converged, no communications can take place. Under the original 802.1D standard, this made the network unavailable for extended periods (tens of seconds) during configuration changes. STP is now more likely to be implemented as 802.1D-2004/802.1w or Rapid STP (RSTP). The rapid version creates outages of a few seconds or less. In RSTP, the blocking, listening, and disabled states are aggregated into a discarding state.

Term
switching loop 
Definition

switching loop is where flooded frames circulate the network perpetually. Because switches flood broadcasts, such as ARP or DHCP requests, out all ports, these frames will go down one link to the next switch, which will send the broadcast back up the redundant link, and back to the originating switch. As this repeats, the switches start to see source MAC addresses associated with multiple ports and so clear the MAC address table mapping, which causes them to start flooding unicast traffic too.

Term
broadcast storm
Definition

Without intervention, this loop will continue indefinitely, causing a broadcast storm. A broadcast storm will cause network utilization to go to near maximum capacity, and the CPU utilization of the switches to jump to 80 percent or more. This makes the switched segment effectively unusable until the broadcast storm stops. A broadcast storm may quickly consume all link bandwidth and crash network appliances.

Term

If a broadcast storm occurs on a network where STP is already enabled, you should investigate the following potential causes:

Definition

§  Verify compatible versions of STP are enabled on all switches.

§  Verify the physical configuration of segments that use legacy equipment, such as Ethernet hubs.

§  Investigate networking devices in the user environment and verify that they are not connected as part of a loop. Typical sources of problems include unmanaged desktop switches and VoIP handsets.

Term
Segment 
(data link and network layers)
Definition
At the data link and network layers, a segment is a group of hosts in the same broadcast domain. At the network layer, this group is identified as either an IP network or as a subnet within an IP network. At the data link layer, a broadcast domain can be established by connecting the hosts to the same unmanaged switches.
Term
VLANs 
Definition
Implementing VLANs can reduce broadcast traffic when a network has expanded beyond a certain number of hosts or users. As well as reducing the impact of broadcast traffic, from a security point of view, each VLAN can represent a separate zone. VLANs are also used to separate nodes based on traffic type and the need for Quality of Service. 
Term
VLANs (Configuration)
Definition

The simplest means of assigning a node to a VLAN is by configuring the port interface on the switch with a VLAN ID in the range 1 to 4,094. For example, from the switch management interface, ports 1 through 10 could be configured as a VLAN with the ID 10 and ports 11 through 20 could be assigned to VLAN 20. Host A connected to port 2 would be in VLAN 10, and host B connected to port 12 would be in VLAN 20. Host A and Host B would not be able to communicate directly, even though they are connected to the same switch. Each VLAN is typically configured with its own subnet address and IP address range. Communications between VLANs must go through an IP router or layer 3 capable switch.

§  This type of port-based assignment is described as a static VLAN. Nodes or hosts can also be assigned to dynamic VLANs using some feature of the host, such as its MAC address or authentication credentials supplied by the user.

Term
trunks
Definition
The interconnections between switches are referred to as trunks. One of the ports on each switch would be configured as a trunk port for this purpose.


Term
VLAN ID (VID)
Definition

§  When frames designated for different VLANs are transported across a trunk, the VLAN ID (VID) of each frame must be preserved for the receiving switch to forward it correctly. VIDs are normally defined by the IEEE 802.1Q standard. Under 802.1Q, per-VLAN traffic is identified by a tag inserted in the Ethernet frame between the Source Address and EtherType fields. The tag contains information about the VID (from 1 to 4,094) and priority (used for QoS functions). The EtherType value is set to identify the frame as 802.1Q.
[image]

Term

TAGGED AND UNTAGGED PORTS

If a switch port will only ever participate in a single VLAN, that port can be configured as untagged. This is also referred to as an access port or host port. An untagged/access port uses the following port tagging logic:

Definition

§  If a frame is addressed to a port in the same VLAN on the same switch, no tag needs to be added to the frame.

§  If the frame needs to be transported over a trunk link, the switch adds the relevant 802.1Q tag to identify the VLAN, and then forwards the frame over the trunk port.

§  If the switch receives an 802.1Q tagged frame on an access port, it strips the tag before forwarding it.

Term
Voice over IP (VoIP)
Definition
Voice over IP (VoIP) transmits voice traffic as data packets, rather than over circuit-based transmission lines. The bandwidth and latency requirements of voice traffic mean that it is often necessary to prioritize it over other types of data packets. This can be accomplished using a dedicated VLAN for voice traffic. 
Term
voice or auxiliary VLAN 

Definition

Normally, for a switch interface to process tagged frames, it would have to be configured as a trunk port. This adds a lot of configuration complexity, so most switches now support the concept of a voice or auxiliary VLAN to distinguish the PC and VoIP traffic without having to configure a trunk. In the following example, the interface configuration assigns traffic from the PC to VLAN 100 and the voice traffic to VLAN 101:

interface GigabitEthernet0/0
switchport mode access
switchport access vlan 100
switchport voice vlan 101

The switch will only accept tagged frames that match the configured voice VLAN ID. To avoid having to configure this manually, the voice VLAN ID and other configuration parameters can be communicated to the handset using a protocol such as Cisco Discovery Protocol (CDP).

Term
port
Definition

A TCP/IP host may be running multiple services or communicating with multiple servers, clients, or peers in parallel. This means that incoming packets must be directed to the appropriate service or application. To facilitate this, each application is assigned a unique identification number called a port. A host can operate multiple ports simultaneously.

Term
socket
Definition
The port number is used in conjunction with the source IP address to form a socket. Each socket is bound to a software process. Only one process can operate a socket at any one time. A connection is formed when a client socket requests a service from the server socket. A connection is uniquely identified by the combination of server port and IP address and client port and IP address. A server socket can therefore support multiple connections from a number of client sockets.
Term
Port numbers 
Definition

0 through 1,023 are preassigned by the Internet Assigned Numbers Authority (IANA) to "well-known" server applications. Other server applications have been registered in the port range 1,024 through 49,151. The remaining ports (up to 65,535) are designated for private or dynamic use. As well as the server application needing a port, each client application must assign its own port number to track its requests. Client ports are also referred to as ephemeral ports or source ports.

Term
Transmission Control Protocol (TCP) 
Definition

The Transmission Control Protocol (TCP) works at the Transport layer to provide connection-oriented, guaranteed communication using acknowledgements to ensure that delivery has occurred. If packets are missing, they can be retransmitted. TCP can be used for unicast transmission only.

Term
main fields in the header of a TCP segment 
Definition

Source port: TCP port of sending host.

Destination port: TCP port of destination host.

Sequence number: The ID number of the current segment (the sequence number of the last byte in the segment). This allows the receiver to rebuild the message correctly and deal with out-of-order packets.

Ack number: The sequence number of the next segment expected from the other host (that is, the sequence number of the last segment received +1). Packets might be out-of-order because they are delayed, but they could also be lost completely or arrive in a damaged state. In the first case, the lack of acknowledgement results in the retransmission of data and, in the second case, a Negative Acknowledgement (NAK or NACK) forces retransmission.

Data length: Length of the TCP segment.

Flags: Type of content in the segment (ACK, SYN, FIN, and so on).

Window: The amount of data the host is willing to receive before sending another acknowledgement. TCP's flow control mechanism means that if it is getting overwhelmed with traffic, one side can tell the other to slow the sending rate.

Checksum: Ensures validity of the segment. The checksum is calculated on the value of not only the TCP header and payload but also part of the IP header, notably the source and destination addresses. Consequently, the mechanism for calculating the checksum is different for IPv6 (128-bit addresses) than for IPv4 (32-bit addresses).

Urgent Pointer: If urgent data is being sent, this specifies the end of that data in the segment.

Options: Allows further connection parameters to be configured. The most important of these is the Maximum Segment Size. This allows the host to specify how large the segments it receives should be, minimizing fragmentation as they are transported over data link frames.

Term

TCP Three-Way Handshake

A connection is established using a three-way handshake:

Definition

1.    The client sends a segment with the TCP flag SYN set to the server with a randomly generated sequence number. The client enters the SYN-SENT state.

2.    The server, currently in the LISTEN state (assuming it is online), responds with a SYN/ACK segment, containing its own randomly generated sequence number. The server enters the SYN-RECEIVED state.

3.    The client responds with an ACK segment. The client assumes the connection is ESTABLISHED.

4.    The server opens a connection with the client and enters the ESTABLISHED state.

Term

TCP Connection Teardown

Definition

1.    The client sends a FIN segment to the server and enters the FIN-WAIT1 state.

2.    The server responds with an ACK segment and enters the CLOSE-WAIT state.

3.    The client receives the ACK segment and enters the FIN-WAIT2 state. The server sends its own FIN segment to the client and goes to the LAST-ACK state.

4.    The client responds with an ACK and enters the TIME-WAIT state. After a defined period, the client closes its connection.

5.    The server closes the connection when it receives the ACK from the client.

Term
reset (RST) segment
Definition

A host can also end a session abruptly using a reset (RST) segment. This would not be typical behavior and might need to be investigated. A server or security appliance might refuse connections using RST, a client or server application might be faulty, or there could be some sort of suspicious scanning activity ongoing.

Term
User Datagram Protocol (UDP) 
Definition

The User Datagram Protocol (UDP) also works at the Transport layer, but unlike TCP, it is a connectionless, nonguaranteed method of communication with no acknowledgments or flow control. There is no guarantee regarding the delivery of messages or mechanism for retransmitting lost or damaged packets. When an application uses UDP, it must specify reliability mechanisms in the application layer headers or software logic, if this is required.

Term

USER DATAGRAM PROTOCOL
(Cont.) 

Definition


UDP is suitable for applications that send small amounts of data in each packet and do not require acknowledgment of receipt. It is used by Application layer protocols that need to send multicast or broadcast traffic. It may also be used for applications that transfer time-sensitive data but do not require complete reliability, such as voice or video. Using small packets means that if a few are lost or arrive out of order, they only manifest as minor glitches in playback quality. The reduced overhead means that overall delivery is faster.

Term
Structure of a UDP datagram
Definition

Source port: UDP port of sending host.

Destination port: UDP port of destination host.

Message length: Size of the UDP packet.

Checksum: Ensures validity of the packet.

Term
File Transfer Protocol-Data
Definition
Port Number: 20
Transport Protocol: TCP
Service or Application: ftp-data

Term
File Transfer Protocol-Control
Definition
Port Number: 21
Transport Protocol: TCP
Service or Application: ftp

Term
Secure Shell/FTP over SSH
Definition
Port Number: 22
Transport Protocol: TCP
Service or Application: ssh/sftp

Term
Telnet
Definition
Port Number: 23
Transport Protocol: TCP
Service or Application: telnet

Term
Simple Mail Transfer Protocol
Definition
Port Number: 25
Transport Protocol: TCP
Service or Application: smtp

Term
Domain Name System
Definition
Port Number: 53
Transport Protocol: TCP/UDP
Service or Application: domain

Term
BOOTP/DHCP Server
Definition
Port Number: 67
Transport Protocol: UDP
Service or Application: bootps

Term
BOOTP/DHCP Client
Definition
Port Number: 68
Transport Protocol: UDP
Service or Application: bootpc

Term
Trivial File Transfer Protocol
Definition
Port Number: 69
Transport Protocol: UDP
Service or Application: tftp

Term
HTTP
Definition
Port Number: 80
Transport Protocol: TCP
Service or Application: http

Term
Post Office Protocol
Definition
Port Number
Transport Protocol
Service or Application
Term
IP scanner 
Definition
An IP scanner is a tool that performs host discovery and can establish the overall logical topology of the network in terms of subnets and routers.
IP scanning can be performed using lightweight standalone open source or commercial tools, such as Nmap, AngryIP, or PRTG.

Enterprise network management suites will also be able to perform IP scanning and combine that with asset or inventory information about each host. This functionality is often referred to as IP Address Management (IPAM). Suites that integrate with DHCP and DNS servers can be referred to as DHCP, DNS, and IPAM (DDI). Windows Server is bundled with a DDI product. Other notable vendors and solutions include ManageEngine, Infoblox, SolarWinds, Bluecat, and Men & Mice.
Term
Nmap Security Scanner 
Definition

The Nmap Security Scanner ( nmap.org ) is widely used for IP scanning, both as an auditing and as a penetration testing tool. The tool is open-source software with packages for most versions of Windows, Linux, and macOS®. It can be operated with a command line or via a GUI (Zenmap).

The basic syntax of an Nmap command is to give the IP subnet (or IP address) to scan. When used without switches like this, the default behavior of Nmap is to ping and send a TCP ACK packet to ports 80 and 443 to determine whether a host is present. On a local network segment, Nmap will also perform ARP and Neighbor Discovery (ND) sweeps. If a host is detected, Nmap performs a port scan against that host to determine which services it is running. This OS fingerprinting can be time consuming on a large IP scope. If you want to perform only host discovery, you can use Nmap with the -sn switch to suppress the port scan. The tool can also work out hop counts by specifying the --traceroute switch.

Term

NETSTAT

Definition

The netstat command allows you to check the state of ports on the local host. You can use netstat to check for service misconfigurations, such as a host running a web or FTP server that a user installed without authorization. You may also be able to identify suspicious remote connections to services on the local host or from the host to remote IP addresses.

Term
NETSTAT (Windows) 

Definition
  • -a switch displays all open ports, including both active TCP and UDP connections and ports in the listening state.
  • -n displays ports and addresses in numerical format.
  • -p switch with the protocol type (TCP, TCPv6, UDP, or UDPv6) limits the output to connections for that protocol.
  • -o shows the Process ID (PID) number that has opened the port.
  • -b shows the process name.
Term
NETSTAT (Linux)
Definition
  • On Linux®, running netstat without switches shows active connections of any type.
  • Use -t for TCP, -u for UDP, -w for raw connections, and -x for UNIX® sockets/local server ports.
  • -a switch includes ports in the listening state in the output.
  • -l shows only ports in the listening state, omitting established connections.
  • -n displays ports and addresses in numerical format.
  • Using -4 or -6 filters sockets by IPv4 or IPv6 addresses respectively.
  • -p shows the PID and process name.
  • netstat -s reports per-protocol statistics, such as packets received, errors, discards, unknown requests, port requests, failed connections, and so on.
  • The tool will report Ethernet statistics using -I (Linux). netstat -r displays the routing table.

    The Linux netstat command is part of the deprecated net-tools package. The preferred package iproute2 contains a number of different commands to replace netstat functionality. Most of the port scanning functions are performed by ss, while interface statistics are reported by nstat.

Term
port scanner 
Definition

Where netstat reports on the status of local ports, a remote port scanner performs the probes from another machine, or even a machine on another network.

Term
main types of scanning that Nmap can perform
Definition

§  TCP SYN (-sS)-This is a fast technique (also referred to as half-open scanning) as the scanning host requests a connection without acknowledging it. The target's response to the scan's SYN packet identifies the port state.

§  TCP connect (-sT)-A half-open scan requires Nmap to have privileged access to the network driver so that it can craft packets. If privileged access is not available, Nmap must use the OS to attempt a full TCP connection. This type of scan is less stealthy.

§  UDP scans (-sU)-Scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.

§  Port range (-p)-By default, Nmap scans 1,000 commonly used ports. Use the -p argument to specify a port range. You can also use --top-ports n , where n is the number of commonly used ports to scan. The frequency statistics for determining how commonly a port is used are stored in the nmap-services configuration file.

When services are discovered, you can use Nmap with the -sV or -A switch to probe a host more intensively to discover the software or software version operating each port.

Term

The process of identifying an OS or software application from its responses to probes is called?

Definition

Fingerprinting.

Term
protocol analyzer 
Definition

A protocol analyzer works in conjunction with a packet capture or sniffer tool. You can either analyze a live capture, examining frames as they are read by a sniffer, or open a saved capture (.pcap) file. Most protocol analyzer tools bundle a sniffer component with the analyzer in the same software package.

Term
Functions of a protocol analyzer 
Definition
  • One function of a protocol analyzer is to parse each frame in a stream of traffic to reveal its header fields and payload contents in a readable format. This is referred to as packet analysis.
  • Use display filters to show only a particular frame or sequence of frames.
  • Another useful option is to use the Follow TCP Stream context command to reconstruct the packet contents for a TCP session.
  • Another function of a protocol analyzer is to perform traffic analysis. Rather than reading each frame individually, you use the tool to monitor statistics related to communications flows, such as bandwidth consumed by each protocol or each host, identifying the most active network hosts, monitoring link utilization and reliability, and so on. In Wireshark, you can use the Statistics menu to access traffic analysis tools.

Term
A security analyst wants to reconstruct the packet contents for a Transmission Control Protocol (TCP) session in Wireshark. Which function should the security analyst use?

Definition
  1. Follow TCP Stream

    A useful option is to use the Follow TCP Stream context command to reconstruct the packet contents for a TCP session.

Term
A security engineer is looking at Transmission Control Protocol (TCP) traffic headers. Which of the following allows the receiver to rebuild the message correctly?

Definition
  1. Sequence number

    The sequence number allows the receiver to rebuild the message correctly and deal with out-of-order packets.

Term
A server administrator is analyzing a normal Transmission Control Protocol (TCP) Teardown connection to their servers. How many FIN-WAIT states does the client go through during this process?

Definition
  1. Two

    The client goes through two FIN-WAIT states. In the first step, the client sends a FIN segment to the server and then enters the FIN-WAIT1 state.

Term
A security analyst is looking at traffic from older devices between ports 2,000 - 3,000. What is this traffic most likely?

Definition
  1. Client ports

    OS implementations of Transmission Control Protocol/Internet Protocol (TCP/IP) have not always conformed to recommendations. For example, earlier versions of Windows and UNIX/Linux used 1,024 through 5,000 for client ports.

Term
Lightweight standalone IP scanners ( a tool that performs host discovery and can establish the logical topology of the network in terms of subnets and routers.)
Definition
Nmap,
AngryIP, or
PRTG
Term
Enterprise network management suites will also be able to perform IP scanning and combine that with asset or inventory information about each host. This functionality is often referred to as IP Address Management (IPAM).
Definition
Term
(DDI)
Definition
Suites that integrate with Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers are also known as DHCP, DNS, and IPAM (DDI).
Term
DDI vendors and solutions include
Definition
ManageEngine,
Infoblox,
SolarWinds,
Bluecat, 
Men & Mice.
Windows Server is bundled with a DDI product.
Term
A network architect is reviewing a network where application services and resources are centrally provisioned, managed, and secured. What is this called?

Definition
  1. Client-server

    A client-server network is one where some nodes, such as PCs, laptops, and smartphones, act mostly as clients. Application services and resources are centrally provisioned, managed, and secured.

Term
A network administrator wants to set up a switch with a voice or auxiliary Virtual Local Area Network (VLAN) to distinguish the PC and VoIP traffic without having to set up a trunk port. Which of the following commands should the administrator perform first?

Definition
  1. interface GigabitEthernet0/0

    The interface GigabitEthernet0/0 is the first command. Normally, for a switch interface to process tagged frames, it would have to be configured as a trunk port. This adds a lot of configuration complexity.

Term
A network technician does not have enough ports on a single switch and has to connect multiple switches. What should the technician research for interconnections between switches?

Definition
  1. Trunks

    The interconnections between switches are known as trunks. The network technician should configure one of the ports on each switch as a trunk port for this purpose.

Term
A network administrator is setting up Virtual Local Area Networks (VLANs) for various segments, such as voice and data. Which of the following IDs is the default VLAN?

Definition
  1. 1

    The VLAN with ID 1 is known as the default VLAN. Unless configured differently, all ports on a switch default to being in VLAN 1.

Term
Dynamic Host Configuration Protocol (DHCP) 
Definition

The Dynamic Host Configuration Protocol (DHCP) provides an automatic method for allocating an IP address, subnet mask, and optional parameters, such as the default gateway and DNS server addresses, when a host joins the network. All the major operating systems provide support for DHCP clients and servers. DHCP servers are also embedded in many SOHO routers and modems.

Term
DORA process
-Discover,
-Offer,
-Request,
-Ack(nowledge)
Definition
  • When a DHCP client initializes, it broadcasts a DHCPDISCOVER packet to find a DHCP server. All communications are sent using UDP, with the server listening on port 67 and the client on port 68.
  • Presuming it has an IP address available, the DHCP server responds to the client with a DHCPOFFER packet, containing the address and other configuration information.
  • The client may choose to accept the offer using a DHCPREQUEST packet-also broadcast onto the network.
  • Assuming the offer is still available, the server will respond with a DHCPACK packet. The client broadcasts an ARP message to check that the address is unused. If so, it will start to use the address and options; if not, it declines the address and requests a new one.
  • The IP address is leased by the server for a limited period only. A client can attempt to renew or rebind the lease before it expires. If the lease cannot be renewed, the client must release the IP address and start the discovery process again.
Term

DHCP SERVER CONFIGURATION

Definition

DHCP is normally deployed as a service of a network operating system or through an appliance such as a switch or router. A DHCP server must be allocated a static IP address and configured with a range (or pool) of IP addresses and subnet masks plus option values to allocate.

Term
scope
Definition

A range of addresses and options configured for a single subnet is referred to as a scope. To define a scope, you must provide a start and end IP address along with a subnet mask. The server maintains a one-to-one mapping of scopes to subnets. That is, no scope can cover more than one subnet and no subnet can contain more than one scope.

Term

DHCP SERVER CONFIGURATION (Cont). 

Definition

The multifunction device shown only supports a single scope. The DHCP server must be placed in the same subnet as its clients. More advanced DHCP servers might be configured to manage multiple scopes. Where a server provides IP configuration for multiple subnets/scopes, it must choose the pool to service each request based on the subnet from which the request originated.

There is no mechanism for a client to choose between multiple servers. Therefore, if multiple DHCP servers are deployed-for fault tolerance, for instance-they must be configured with nonoverlapping or split scopes. DHCP for multiple subnets is usually handled by configuring relay agents to forward requests to a central DHCP server.

Term
DHCP Options

When the DHCP server offers a configuration to a client, at a minimum it must supply an IP address and subnet mask. Typically, it will also supply other IP-related settings, known as DHCP options. Each option is identified by a tag byte or decimal value between 0 and 255 (though neither 0 nor 255 can be used as option values). Some widely used options include:

Definition

§  The default gateway (IP address of the router).

§  The IP address(es) of DNS servers that can act as resolvers for name queries.

§  The DNS suffix (domain name) to be used by the client.

§  Other useful server options, such as time synchronization (NTP), file transfer (TFTP), or VoIP proxy.

Term
reservation (static or fixed address assignment)
Definition
A reservation is a mapping of a MAC address or interface ID to a specific IP address within the DHCP server's address pool. When the DHCP server receives a request from the given interface, it always provides the same IP address. This is also referred to as static or fixed address assignment. An automatically allocated reservation refers to an address that is leased permanently to a client. This is distinct from static allocation as the administrator does not predetermine which specific IP address will be leased.
Term
DHCP relay 
Definition

Normally, routers do not forward broadcast traffic. This means that each broadcast domain must be served by its own DHCP server. On a large network with multiple subnets, this would mean provisioning and configuring many DHCP servers. To avoid this scenario, a DHCP relay agent can be configured to provide forwarding of DHCP traffic between subnets. Routers that can provide this type of forwarding are described as RFC 1542 compliant.

Term
IP helper 
Definition

This IP helper functionality can be configured on routers to allow set types of broadcast traffic (including DHCP) to be forwarded to an interface. The IP helper function supports the function of the DHCP relay agent.

The router is configured as a DHCP relay agent, using the following commands to enable forwarding of DHCP broadcasts on the interfaces serving the client subnets:

interface eth1
ip helper-address 10.1.0.200
interface eth2
ip helper-address 10.1.0.200

Term

DHCPV6 SERVER CONFIGURATION

Definition

As IPv6 does not support broadcast, clients use the multicast address ff02::1:2 to discover a DHCP server. DHCPv6 uses ports 546 (clients) and 547 (servers), rather than ports 68 and 67 as in DHCPv4.

In stateless mode, a client obtains a network prefix from a Router Advertisement and uses it with the appropriate interface ID.

If so configured, the client solicits a DHCPv6 server using the multicast address ff02::1:2 and requests additional configuration information.

Term
DHCPv6 stateless mode
Definition

In stateless mode, a client obtains a network prefix from a Router Advertisement and uses it with the appropriate interface ID. The router can also set a combination of flags to tell the client that a DHCP server is available. If so configured, the client solicits a DHCPv6 server using the multicast address ff02::1:2 and requests additional configuration information.

Term
DHCPv6 Stateful mode
Definition

By contrast, stateful mode means that a host can also obtain a routable IP address from a DHCPv6 scope, plus any other options (like with DHCP for IPv4).

Term
host name 
Definition

A host name is assigned to a computer by the administrator, usually when the OS is installed. The host name needs to be unique on the local network.

Term
fully qualified domain name (FQDN) 
Definition

To avoid the possibility of duplicate host names on the Internet, a fully qualified domain name (FQDN) is used to provide a unique identity for the host belonging to a particular network. An example of an FQDN might be nut.widget.example. An FQDN is made up of the host name and a domain suffix. In the example, the host name is nut and the domain suffix is widget.example. This domain suffix consists of the domain name widget within the top-level domain (TLD) .example. A domain suffix could also contain subdomains between the host and domain name. The trailing dot or period represents the root of the hierarchy.

A domain name must be registered with a registrar to ensure that it is unique within a top-level domain. Once a domain name has been registered, it cannot be used by another organization. The same domain name may be registered within different top-level domains, however-widget.example. and widget.example.uk. are distinct domains, for instance.

Term

Given that, FQDNs must follow certain rules:

Definition

§  The host name must be unique within the domain.

§  The total length of an FQDN cannot exceed 253 characters, with each label (part of the name defined by a period) no more than 63 characters (excluding the periods).

§  A DNS label should use letter, digit, and hyphen characters only. A label should not start with a hyphen. Punctuation characters such as the period (.) or forward slash (/) should not be used.

§  DNS labels are not case-sensitive.

Term
Domain Name System (DNS) 
Definition

The Domain Name System (DNS) is a global hierarchy of distributed name server databases that contain information on domains and hosts within those domains. At the top of the DNS hierarchy is the root, which is represented by the null label, consisting of just a period (.). There are 13 root level servers (A to M).

Term
DNS hierarchy
Definition
  • At the top of the DNS hierarchy is the root, which is represented by the null label, consisting of just a period (.). 
  • Immediately below the root lie the top-level domains (TLDs). There are several types of top-level domains, but the most prevalent are generic (such as .com, .org, .net, .info, .biz), sponsored (such as .gov, .edu), and country code (such as .uk, .ca, .de). 

Term
DNS HIERARCHY
Definition
[image]
Term
iterative lookups
Definition
Most queries between name servers are performed as iterative lookups. This means that a name server responds to a query with either the requested record or the address of a name server at a lower level in the hierarchy that is authoritative for the namespace. 
Term
recursive lookup 
Definition
A recursive lookup means that if the queried server is not authoritative, it does take on the task of querying other name servers until it finds the requested record or times out. The name servers listed in a client's TCP/IP configuration accept recursive queries.
Term
resource records
Definition

A DNS zone will contain numerous resource records. These records allow a DNS name server to resolve queries for names and services hosted in the domain into IP addresses. Resource records can be created and updated manually (statically), or they can be generated dynamically from information received from client and server computers on the network.

Term
Start of Authority (SOA) 
authoritative name server 
Definition

The Start of Authority (SOA) record identifies the primary authoritative name server that maintains complete resource records for the zone. The primary name server can be used to modify resource records. The SOA also includes contact information for the zone and a serial number for version control.

Term
Name Server (NS) records
Definition
NS records identify authoritative DNS name servers for the zone. As well as the primary name server, most zones are configured with secondary name servers for redundancy and load balancing. Secondary name servers hold read-only copies of resource records but can still be authoritative for the zone.

Term
Mail Exchange (MX) record 
Definition
A Mail Exchange (MX) record is used to identify an email server for the domain. 
Term
DNS records 
Definition
While most DNS records are used to resolve a name into an IP address
Term
Sender Policy Framework (SPF)
Definition
An SPF record is used to list the IP addresses or names of servers that are permitted to send email from a particular domain and is used to combat the sending of spam.
Term
DomainKeys Identified Mail (DKIM)
Definition

DKIM records are used to decide whether received email from a given source should be accepted, preventing spam and mail spoofing. DKIM uses digital signatures rather than encryption: the sending server signs selected headers and the message body with a private key, and publishes the matching public key in a TXT record under the _domainkey subdomain, so a receiver can verify that the message really originated from the domain it claims and was not altered in transit.

Term
forward lookup
Definition

A DNS server may have two types of zones: forward lookup and reverse lookup.  For example, given a name record, a forward lookup returns an IP address; an MX record returns a host record associated with the domain's mail services. 

Term
reverse lookup
Definition
Conversely, a reverse DNS query returns the host name associated with a given IP address. This information is stored in a reverse lookup zone as a pointer (PTR) record.
Term
Reverse DNS querying 
Definition

Reverse DNS querying uses a special domain under in-addr.arpa. For a /24 network, the zone is named by the first three octets of the IP addresses in reverse order, appended with in-addr.arpa. The name server is configured with a reverse lookup zone containing PTR records, each named by the final octet of the host's address. For example, the reverse lookup name for a host record containing the IP address 198.51.100.1 is:

1.100.51.198.in-addr.arpa

Term
Reverse DNS querying (IPv6) 
Definition

IPv6 uses the ip6.arpa domain; each of the 32 hex characters in the IPv6 address is expressed in reverse order as a subdomain. For example, the IPv6 address:

2001:0db8:0000:0000:0bcd:abcd:ef12:1234

is represented by the following pointer record:

 

4.3.2.1.2.1.f.e.d.c.b.a.d.c.b.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
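As an added example (not part of the original cards), the following Python builds the reverse-lookup names described in the two cards above for any IPv4 or IPv6 address, and also derives the name of the reverse zone that would hold the PTR records for a whole prefix, which goes slightly beyond the /24 case the text uses. It relies only on the standard library ipaddress module; the addresses used in the assertions are the documentation values from the cards.

```python
import ipaddress

def reverse_pointer_name(address):
    """PTR owner name for an IPv4 or IPv6 address.

    IPv4: the four octets reversed under in-addr.arpa.
    IPv6: all 32 nibbles of the fully expanded address reversed under ip6.arpa,
    so compressed forms such as 2001:db8::1 must be expanded first.
    """
    ip = ipaddress.ip_address(address)          # parses and normalises compressed IPv6
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")      # 32 hex characters, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def reverse_zone_name(network):
    """Name of the classic reverse lookup zone covering a network.

    A single in-addr.arpa zone can only cover an octet-aligned IPv4 prefix
    (/8, /16, /24); smaller blocks need the CNAME delegation trick of RFC 2317.
    An ip6.arpa zone can cover any nibble-aligned (multiple of 4) prefix.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need an octet-aligned prefix")
        kept = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(kept)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"
```

The ipaddress module already exposes the same PTR name as the reverse_pointer attribute; the hand-built version is shown so the nibble reversal in the IPv6 card is visible rather than hidden in a library call.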

Term

DNS name servers maintain the DNS namespace in zones. A single zone namespace might host records for multiple domains. A single name server might be configured to manage multiple zones. A name server can maintain primary and/or secondary zones:

Definition

§  Primary means that the zone records held on the server are editable. A zone can be hosted by multiple primary servers for redundancy. As the zone records are editable on all primaries, changes must be carefully replicated and synchronized. It is critically important to update the serial number for each change.

§  Secondary means that the server holds a read-only copy of the zone. This is maintained through a process of replication known as a zone transfer from a primary name server. A secondary zone would typically be provided on two or more separate servers to provide fault tolerance and load balancing. Again, the serial number is a critical part of the zone transfer process.

Term
authoritative
Definition

A name server that holds complete records for a domain can be defined as authoritative. This means that a record in the zone identifies the server as a name server for that namespace. Both primary and secondary name servers are authoritative.

 

Servers that don't maintain a zone (primary or secondary) are referred to as cache-only servers. A non-authoritative answer from a server is one that derives from a cached record, rather than directly from the zone records.

Term
time to live (TTL) (DNS Caching)
Definition

 

Each resource record can be configured with a default time to live (TTL) value, measured in seconds. This value instructs resolvers how long a query result can be kept in cache. Setting a low TTL allows records to be updated more quickly but increases load on the server and latency on client connections to services. Some common TTL values include 300 (5 minutes), 3,600 (1 hour), 86,400 (1 day), and 604,800 (1 week).

Term
DNS caching (Cont)
Definition

DNS caching is performed by both servers and client computers. In fact, each application on a client computer might be configured to manage its own DNS cache. For example, separate web browser applications typically maintain their own caches rather than relying on a shared OS cache.


If there is a
change to a resource record, server and client caching means that the updated record can be relatively slow to propagate around the Internet. These changes need to be managed carefully to avoid causing outages. Planning for a record change involves reducing the TTL in the period before the change, waiting for this change to propagate before updating the record, and then reverting to the original TTL value when the update has safely propagated.

 

 

Term
DNS spoofing
Definition

DNS spoofing is an attack in which the attacker is able to supply false name resolutions to clients, for example by poisoning a resolver's cache with forged responses or by answering queries on the local network before the legitimate server does. Clients are then directed to attacker-controlled hosts while believing they have reached the genuine service. Source port and transaction ID randomization in resolvers, and DNSSEC validation for signed zones, are the main defenses against forged responses.

Term
Internal DNS zones refer to the domains used on the private network only. These name records should only be available to internal clients
Definition

For example, a company might run a Windows Active Directory network using the domain name corp.515support.com. The zone records for the subdomain corp.515support.com would be served from internal name servers. This would allow a client PC ( pc1.corp.515support.com ) to contact a local application server ( crm.corp.515support.com ). The name servers hosting these internal subdomain records must not be accessible from the Internet.

Term
External DNS zones refer to records that Internet clients must be able to access
Definition

External DNS zones refer to records that Internet clients must be able to access. For example, the company might run web and email services on the domain 515support.com. In order for Internet hosts to use a web server at www.515support.com or send email to an @515support.com address, the zone records for 515support.com must be hosted on a name server that is accessible over the Internet.

Term

NSLOOKUP
In Windows, you can use the command ipconfig /all to display the fully qualified domain name (FQDN) of the local host

Definition

In a Windows environment, you can troubleshoot DNS name resolution with the nslookup command:

 


nslookup -Option Host DNSServer

Host can be either a host name, domain name, FQDN, or IP address. DNSServer is the IP address of a server used to resolve the query; the default DNS server is used if this argument is omitted. Option specifies an nslookup subcommand, such as -type=MX to ask for mail exchanger records instead of the default address records.

Term
Domain Information Groper (dig) 
Definition

Domain Information Groper (dig) is a command-line tool for querying DNS servers that ships with the BIND DNS server software published by the Internet Systems Consortium (ISC)


dig can be run pointing at a specific DNS server; otherwise, it will use the default resolver. Run with no arguments at all, it queries for the NS records of the root zone. A simple query uses the syntax dig host. This returns the address record for the host, domain, or FQDN. To retrieve the PTR record for an IP address, use dig -x address; a bare IP address given as the name is looked up as if it were a host name.

Term

Domain Information Groper (dig)
CLI Examples

Definition
  1. A simple query uses the syntax dig host. This returns the address record for the host, domain, or FQDN. To look up the PTR record for an IP address, use dig -x address, which builds the in-addr.arpa or ip6.arpa name for you.
  2. The following command example directs the resolve request to the specific DNS server identified after the @ symbol. This can be an FQDN or IP address.

    dig @ns1.isp.example host

  3. Other examples of dig are to display all the resource records about a domain or just specific ones such as Mail Exchange. The record type is given after the name; the type ANY asks for every record (many servers now answer ANY with a deliberately minimal response, so query specific types when you need them):

    dig @ns1.isp.example host ANY

    dig @ns1.isp.example host MX

  4. dig often generates a lot of information, so it is possible to add parameters to the end of the command like +nocomments or +nostats, which will reduce the output.
Term

 

ICANN is a non-profit organization that’s dedicated to keeping the Internet secure. What does ICANN manage? (Select all that apply.)

Definition
  1. Generic TLDs
  2. DNS

    ICANN (Internet Corporation for Assigned Names and Numbers) manages the generic TLDs (top level domains) such as .com, .org, .net, .info, and .biz.

    ICANN manages the Domain Name System (DNS) which is a global hierarchy of distributed name server databases that contain information on domains and hosts within those domains.

Term
SMTP communications can be secured using the TLS version of the protocol (SMTPS). This works much like HTTPS with a certificate on the SMTP server and a negotiation between client and server about which cipher suites to use.

There are two ways for
SMTP to use TLS:
Definition

§  STARTTLS-This is a command that upgrades an existing unsecure connection to use TLS. This is also referred to as explicit TLS or opportunistic TLS. Because the client only learns that TLS is available from the STARTTLS keyword in the server's EHLO response, an attacker in the path can strip that keyword and force the session to stay in cleartext unless the client is configured to require TLS (or a published policy such as MTA-STS tells it to).

 

§  SMTPS-This establishes the secure connection before any SMTP commands (HELO, for instance) are exchanged. This is also referred to as implicit TLS and is used on TCP port 465.

Term

The STARTTLS method is generally more widely implemented than SMTPS. Typical SMTP configurations use the following ports and secure services:

Definition

§  Port 25-Used for message relay between SMTP servers, or message transfer agents (MTAs). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection.

 

§  Port 587-Used by mail clients or message submission agents (MSAs) to submit messages for delivery by an SMTP server. Servers configured to support port 587 should use STARTTLS and require authentication before message submission.

§  Port 465-Used for message submission over implicit TLS (SMTPS). The TLS handshake happens first, so there is no cleartext phase that could be downgraded; authentication is still required before submission.
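The following added example (not from the original cards) shows the decision a submitting client makes after the EHLO exchange described above, and why STARTTLS is only as strong as the client's policy. The two EHLO responses are constructed, not captured from any real server; the second is what the client sees after an attacker in the path has removed the STARTTLS keyword. An opportunistic client continues in cleartext, while a client that requires TLS aborts.

```python
# Constructed EHLO responses (documentation host names, not a real server).
EHLO_WITH_TLS = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
EHLO_STRIPPED = (   # same server as seen through a STARTTLS-stripping man in the middle
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)

def parse_ehlo(reply):
    """Return (reply code, set of advertised extension keywords).

    RFC 5321 multi-line replies repeat the code on every line: '250-' on
    continuation lines and '250 ' (space) on the final line. The first line
    carries the server's domain and a greeting, not an extension.
    """
    lines = [l for l in reply.split("\r\n") if l]
    if not lines or len(lines[0]) < 4:
        raise ValueError("empty or truncated reply")
    code = lines[0][:3]
    exts = set()
    for line in lines[1:]:
        if len(line) < 4 or line[:3] != code or line[3] not in "- ":
            raise ValueError("malformed multi-line reply: %r" % line)
        exts.add(line[4:].split()[0].upper())   # keyword, ignoring parameters such as SIZE's limit
    if lines[-1][3] != " ":
        raise ValueError("reply has no terminating line")
    return int(code), exts

def tls_decision(reply, require_tls):
    """What the client does next.

    require_tls=False models opportunistic STARTTLS: encrypt if offered, else
    carry on in cleartext. require_tls=True models an enforced policy (a mail
    client set to require encryption, or an MTA honouring MTA-STS/DANE).
    """
    code, exts = parse_ehlo(reply)
    if code != 250:
        return "abort"
    if "STARTTLS" in exts:
        return "starttls"            # send STARTTLS, then re-issue EHLO inside TLS
    return "abort" if require_tls else "plaintext"
```

The practical point: a server that advertises STARTTLS protects nothing on its own; the client setting (or a policy the client fetches out of band) decides whether a missing STARTTLS keyword is an error or an invitation to send credentials in the clear.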

Term

Post Office Protocol

Definition

 

The Post Office Protocol (POP) is an early example of a mailbox access protocol. POP is often referred to as POP3 because the active version of the protocol is version 3. A POP client application, such as Microsoft Outlook® or Mozilla Thunderbird®, establishes a connection to the POP server on TCP port 110. The user is authenticated (by username and password), and the contents of his or her mailbox are downloaded for processing on the local PC. Generally speaking, the messages are deleted from the mailbox server when they are downloaded, though some clients have the option to leave messages on the server.

Term
secure POP (POP3S) 
Definition

Like other early TCP application protocols, POP transfers all information as cleartext. This means anyone able to monitor the session would be able to obtain the user's credentials and snoop on messages.

POP can be secured with TLS encryption, either implicitly on the dedicated secure POP (POP3S) port, TCP 995, or by issuing the STLS command on port 110 to upgrade the connection (the POP equivalent of STARTTLS, with the same downgrade caveat if the client does not insist on it).

Term

 

Internet Message Access Protocol

Definition

POP has some significant limitations, some of which are addressed by the Internet Message Access Protocol (IMAP). Like POP, IMAP is a mail retrieval protocol, but with mailbox management features lacking in POP. POP is primarily designed for dial-up access; the client contacts the server to download its messages, and then disconnects. IMAP supports persistent connections to a server and connecting multiple clients to the same mailbox simultaneously. It also allows a client to manage the mailbox on the server (to organize messages in folders and to control when they are deleted, for instance) and to create multiple mailboxes. IMAP uses TCP port 143, or TCP port 993 for the implicit-TLS variant (IMAPS); as with POP, cleartext IMAP exposes credentials and message content to anyone on the path.

Term
Messaging Application Programming Interface (MAPI) 
Definition

In a Windows environment, the proprietary Messaging Application Programming Interface (MAPI) protocol is typically used to access Microsoft Exchange mailboxes. MAPI uses HTTPS as a secure transport protocol.

Term
public switched telephone network (PSTN). 
plain old telephone service (POTS)
Definition
Legacy voice services use the public switched telephone network (PSTN). A residential telephone installation would be serviced by a simple box providing a one- or two-line analog interface to the local exchange. This analog interface is also referred to as the plain old telephone service (POTS). Each line provides a single channel for an incoming or outgoing call. A typical business requires tens or hundreds of lines for voice communications, let alone capacity for data communications. 
Term
Time Division Multiplexing (TDM) 
Definition

Historically, this requirement would have been facilitated by a digital trunk line, also referred to as a Time Division Multiplexing (TDM) circuit. A TDM circuit can multiplex separate voice and data channels for transmission over a single cable by giving each channel its own repeating time slot.

Term
private branch exchange (PBX) 
Definition

A private branch exchange (PBX) is an automated switchboard providing a single connection point for an organization's voice lines. A TDM-based PBX connects to the telecommunications carrier over a digital trunk line, which will support multiple channels (inward and outward calls). The PBX allows for the configuration of the internal phone system to direct and route calls to local extensions, and provides other telephony features such as call waiting, music on hold, and voice mail.

 

[image]

Term
VoIP-Enabled PBX
Definition

TDM-based PBXes are being replaced by hybrid and fully IP/VoIP PBXes. For internal calls and conferences, a VoIP PBX establishes connections between local VoIP endpoints with data transmitted over the local Ethernet network. A VoIP PBX can also route incoming and outgoing calls from and to external networks. This might involve calls between internal and external VoIP endpoints, or with voice telephone network callers and receivers. A VoIP PBX will also support features such as music on hold and voice mail.

A TDM PBX is supplied as vendor-specific hardware. A VoIP PBX can be implemented as software running on a Windows or Linux server. Examples of software-based solutions include 3CX (3cx.com) and Asterisk ( asterisk.org ). There are also hardware solutions, where the VoIP PBX runs on a router, such as Cisco Unified Communications Manager ( cisco.com/c/en/us/products/unified-communications/unified-communications-manager-callmanager/index.html ).

 


A VoIP PBX would normally be placed at the network edge and be protected by a firewall. Internal clients connect to the PBX over Ethernet data cabling and switching infrastructure, using Internet Protocol (IP) at the Network layer for addressing. The VoIP PBX uses the organization's Internet link to connect to a VoIP service provider, which facilitates inward and outward dialing to voice-based telephone networks.

Term
Session Initiation Protocol
SIP typically runs over UDP or TCP ports 5060 (unsecured) and 5061 (SIP-TLS). 
Definition

 

The Session Initiation Protocol (SIP) is one of the most widely used session control protocols. SIP endpoints are the end-user devices (also known as user agents), such as IP-enabled handsets or client and server web conference software. Each device, conference, or telephony user is assigned a unique SIP address known as a SIP Uniform Resource Identifier (URI). Examples of SIP URIs include:

sip:jaime@515support.com

sip:2622136227@515support.com

sip:jaime@2622136227

 

meet:sip:organizer@515support.com;ms-app=conf;ms-conf-id=subg42

SIP typically runs over UDP or TCP ports 5060 (unsecured) and 5061 (SIP-TLS).

SIP has its own reliability and retransmission mechanisms and can thus be seen to benefit most from the lower overhead and reduced latency and jitter of UDP. Some enterprise SIP products use TCP anyway.

Term
Real-Time Transport Protocol and RTP Control Protocol
Definition

While SIP provides session management, the actual delivery of real-time data uses different protocols. The principal one is Real-time Transport Protocol (RTP). RTP enables the delivery of a stream of media data via UDP, while implementing some of the reliability features usually associated with TCP communications. RTP works closely with the RTP Control Protocol (RTCP). Each RTP stream uses a corresponding RTCP session to monitor the quality of the connection and to provide reports to the endpoints. These reports can then be used by the applications to modify codec parameters or by the network stacks to tune Quality of Service (QoS) parameters.

 

 

Term

VOIP PHONES

Definition

A VoIP/SIP endpoint can be implemented as software running on a computer or smartphone or as a dedicated hardware handset. VoIP phones use VLAN tagging to ensure that the SIP control and RTP media protocols can be segregated from normal data traffic. In a typical voice VLAN configuration, the LAN port on the handset is connected to the wall port, while the PC is connected to the PC port on the handset. The two devices share the same physical link, but data traffic is distinguished from voice traffic by configuring separate VLAN IDs. The voice VLAN is a segregation and quality-of-service measure, not a security boundary on its own; a PC behind the handset can still tag frames for the voice VLAN unless the switch port restricts which VLANs it accepts.


Handsets can use Power over Ethernet (PoE), if available, to avoid the need for separate power cabling or batteries. There are also wireless handsets that work over 802.11 Wi-Fi networks.

Connection security for VoIP works in a similar manner to HTTPS. To initiate the call, the secure version of SIP (SIPS) uses digital certificates to authenticate the endpoints and establish a TLS connection for the signaling. Keys exchanged over that protected signaling channel are then used to protect the media and control streams with the secure versions of those protocols, Secure RTP (SRTP) and SRTCP. Note that SIPS protects the signaling only; a call that signals over TLS but carries RTP in the clear can still be recorded by anyone on the path, so SRTP must actually be negotiated for the conversation itself to be confidential.

 

When you are installing a new handset, you should also test that the connection works and that the link provides sufficient call quality. Most service providers have test numbers to verify basic connectivity and perform an echo test call, which replays a message you record so that you can confirm voice quality.

Term

VOICE GATEWAYS

Definition

SIP endpoints can establish communications directly in a peer-to-peer architecture, but it is more typical to use intermediary servers, directory servers, and VoIP gateways. There can also be requirements for on-premises integration between data and voice networks and equipment. A voice gateway is a means of translating between a VoIP system and legacy voice equipment and networks, such as POTS lines and handsets. There are many types of VoIP gateways, serving different functions. For example, a company may use VoIP internally, but connect to the telephone network via a gateway. To facilitate this, you could use a hybrid or hardware-based VoIP PBX with a plug-in or integrated VoIP gateway, or you could use a separate gateway appliance. There are analog and digital types to match the type of incoming landline. An analog version of this type of gateway is also called a Foreign Exchange Office (FXO) gateway.


A VoIP gateway can also be deployed to allow a legacy analog or digital internal phone system to use a VoIP service provider to place calls. In this type of setup, low rate local and national calls might be placed directly, while international calls that would attract high charges if placed directly are routed via the VoIP service provider.


Finally, a VoIP gateway or adapter can be used to connect POTS handsets and fax machines to a VoIP PBX. This type of device is also called a Foreign Exchange Subscriber (FXS) gateway.

Term
VoIP gateway connecting legacy handsets to a VoIP PBX. 
Definition
[image]
Term
VoIP gateway connecting a local network using legacy PBX and handsets to a VoIP service provider. 
Definition
[image]
Term
VoIP gateway connecting a local network using VoIP calling to the ordinary telephone network.
Definition
[image]
Term

 

A mail administrator configured the DNS server to allow connections on TCP port 53. Why would the administrator make this kind of configuration?

Definition

DNS uses UDP port 53 for most queries, but TCP port 53 is needed for zone transfers (AXFR/IXFR) between primary and secondary servers and for any response too large to fit in a single UDP datagram (traditionally anything over 512 bytes without EDNS). Large responses are more likely when the zone carries IPv6 AAAA records or DNSSEC signatures, so the administrator allows TCP 53 so that these lookups and transfers succeed instead of being truncated. Allowing TCP 53 is not the same as allowing anyone to pull the zone: because a zone transfer discloses every record in the zone, the server should still limit AXFR requests to the addresses of its legitimate secondary servers.

 

Term

 

A server is running Microsoft SQL Server and is replicating the data to other Microsoft SQL servers on the network. The application service is using which principal port?

Definition

Microsoft SQL Server uses TCP/1433 to allow clients to connect to the database server over the network and to carry replication traffic between database servers.

 

Term
terminal
Definition

The name "terminal" comes from the early days of computing where configuration was performed by a teletype (TTY) device. The TTY is the terminal or endpoint for communication between the computer and the user. The TTY handles text input and output between the user and the shell, or command environment. Where the terminal accepts input and displays output, the shell performs the actual processing.

Term
terminal emulator 
Definition

 

A terminal emulator is any kind of software that replicates this TTY input/output function. A given terminal emulator application might support connections to multiple types of shell. A remote terminal emulator allows you to connect to the shell of a different host over the network.

Term

Secure Shell (SSH) 

An SSH server listens on TCP port 22 by default.

Definition
Secure Shell (SSH) is the principal means of obtaining secure remote access to UNIX and Linux servers and to most types of network appliances (switches, routers, and firewalls). As well as terminal emulation, SSH carries the SSH File Transfer Protocol (SFTP) as a subsystem and can tunnel other TCP traffic through port forwarding. There are numerous commercial and open source SSH servers and terminal emulation clients available for all the major NOS platforms (UNIX®, Linux®, Windows®, and macOS®). The most widely used is OpenSSH (openssh.com). An SSH server listens on TCP port 22 by default.
Term
SSH Host Key
Definition

 

An SSH server is identified by a public/private key pair, referred to as the host key. A mapping of host names to public keys can be kept manually by each SSH client (OpenSSH stores it in the user's ~/.ssh/known_hosts and the system-wide /etc/ssh/ssh_known_hosts), or there are various enterprise software products designed for SSH key management, including signing host keys with a certificate authority so that clients trust the CA rather than each individual key. On the first connection to an unknown host the client can only display the key's fingerprint and ask the user to accept it (trust on first use). A fingerprint that has not been checked out of band, or a host key that changes unexpectedly for a known host, is exactly what a man-in-the-middle attack looks like and should not be accepted without verification.
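As an added example (not OpenSSH's code and not from the original cards), the following Python parses known_hosts entries in both forms OpenSSH writes, plain host names and hashed host names, looks up a host, and computes the SHA256 fingerprint that ssh-keygen -l and the first-connection prompt display. The key material is a dummy 32-byte pattern wrapped in the Ed25519 wire format, labelled as such; the host names are documentation values. The hashed form is HMAC-SHA1 keyed with a 20-byte salt, which is why a stolen known_hosts file does not directly reveal which hosts a user connects to.

```python
import base64
import hashlib
import hmac
import struct

def build_ed25519_blob(raw_public_key):
    """OpenSSH public key wire format: length-prefixed type string, then the
    length-prefixed key bytes. Used here only to make a syntactically valid
    dummy key; the 32 bytes passed in are not a real key."""
    name = b"ssh-ed25519"
    return (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(raw_public_key)) + raw_public_key)

def key_type_from_blob(blob):
    """Read the key type string from the front of a decoded key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()

def fingerprint_sha256(blob):
    """Fingerprint as OpenSSH prints it: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_hostname(hostname, salt):
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, hostname):
    """Match a known_hosts host field, which may be hashed or a comma-separated list."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in field.split(",")

def lookup_known_host(known_hosts_text, hostname):
    """Return (key type, fingerprint) for the first entry matching hostname, or None.
    None is the trust-on-first-use case: the client has nothing to compare the
    server's key against and can only show the fingerprint to the user."""
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue                    # comments; @cert-authority/@revoked markers not handled here
        host_field, key_type, key_b64 = line.split()[:3]
        if host_matches(host_field, hostname):
            blob = base64.b64decode(key_b64)
            return key_type_from_blob(blob), fingerprint_sha256(blob)
    return None

# Constructed sample file: one plain entry (name and address), one hashed entry.
DUMMY_BLOB = build_ed25519_blob(bytes(range(32)))      # dummy key bytes, not a real key
DUMMY_KEY_B64 = base64.b64encode(DUMMY_BLOB).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed example, not real hosts or keys",
    "router1.corp.example,192.0.2.10 ssh-ed25519 " + DUMMY_KEY_B64,
    hash_hostname("switch2.corp.example", b"0123456789abcdefghij") + " ssh-ed25519 " + DUMMY_KEY_B64,
])
```

When the server's presented key has a different fingerprint from the stored one for the same host, OpenSSH refuses to connect; the right response is to verify the new fingerprint with the server's administrator, not to delete the old line and retry.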

Term
SSH Client Authentication
SSH allows various methods for the client to authenticate to the SSH server. Each of these methods can be enabled or disabled as required on the server:
Definition

§  Username/password-The client submits credentials that are verified by the SSH server either against a local user database or using a network authentication server. Passwords are exposed to online guessing, so this method is normally disabled on Internet-facing servers in favor of public key authentication.

§  Public key authentication-Each remote user's public key is added to a list of keys authorized for each local account on the SSH server (the authorized_keys file in OpenSSH). The client proves possession of the matching private key by signing a challenge; the private key itself never leaves the client.

§  Kerberos-The client uses the Ticket Granting Ticket obtained when the user logged on to the domain to request a service ticket for the SSH server from the Key Distribution Center, and presents that ticket to the server using the Generic Security Services Application Program Interface (GSSAPI). The SSH server validates the ticket with its own service key rather than contacting the KDC on each logon (in a Windows environment, the KDC is a domain controller).



Term

SECURE SHELL COMMANDS
Some of the most important commands are:

Definition

§  sshd-Start the SSH Daemon (server). Parameters such as the host key files, the port to listen on, permitted authentication methods, and logging options can be set via switches or in a configuration file (sshd_config in OpenSSH).

§  ssh-keygen-Create a key pair to use to access servers. The private key must be stored securely on your local computer, ideally protected with a passphrase. The public key must be copied to the server. You can use the ssh-copy-id command to do this, or you can copy the file manually into the account's authorized_keys list.

§  ssh-agent-Configure a service to store the keys used to access multiple hosts. The agent holds the decrypted private key for each public key in memory and reduces the number of times use of a private key has to be confirmed with a passphrase. This provides a single sign-on (SSO) mechanism for multiple SSH servers. The ssh-add command is used to add a key to the agent. Forwarding the agent to remote hosts (agent forwarding) lets a compromised intermediate host use your keys, so enable it only for hosts you trust.

§  ssh Host-Use the SSH client to connect to the server running at Host. Host can be an FQDN or IP address. You can also create a client configuration file.

§  ssh Username@Host-Use the SSH client to connect to the server running at Host with a different Username.

§  ssh Host "Command or Script"-Use the SSH client to execute a command or script on the remote server running at Host without starting a shell.

§  scp Username@Host:RemoteFile /Local/Destination-A file transfer client with a remote copy (rcp)-like command interface.

§  sftp-A file transfer client with an FTP-like command interface, carried inside the SSH session.

Term

TELNET
TCP port 23 by default

Definition

§  Telnet is both a protocol and a terminal emulation software tool that transmits shell commands and output between a client and the remote host. In order to support Telnet access, the remote computer must run a service known as the Telnet Daemon. The Telnet Daemon listens on TCP port 23 by default.

§  A Telnet interface can be password protected but the password and other communications are not encrypted and therefore could be vulnerable to packet sniffing and replay. Historically, Telnet provided a simple means to configure switch and router equipment, but only secure access methods should be used for these tasks now. Ensure that the Telnet service is uninstalled or disabled, and block access to port 23.

Term

REMOTE DESKTOP PROTOCOL
TCP port 3389

Definition

Telnet and SSH provide terminal emulation for command-line shells. This is sufficient for most administrative tasks, but where users want to connect to a desktop, they usually prefer to work with a graphical interface. A GUI remote administration tool sends screen and audio data from the remote host to the client and transfers mouse and keyboard input from the client to the remote host. Remote Desktop Protocol (RDP) is Microsoft's protocol for operating remote GUI connections to a Windows machine. RDP uses TCP port 3389. The administrator can specify which accounts are permitted to connect via RDP and can configure encryption on the connection; Network Level Authentication (NLA) should be required so that the user authenticates before a desktop session is created. RDP exposed directly to the Internet is a frequent target for password guessing and exploitation, so it is normally reached through a VPN or a Remote Desktop Gateway rather than by opening port 3389. RDP is mainly used for the remote administration of a Windows server or client, but another function is to publish software applications on a server, rather than installing them locally on each client (application virtualization).

 

Term

NETWORK TIME PROTOCOL
NTP works over UDP on port 123

Definition

Many applications on networks are time-dependent and time-critical, such as authentication and security mechanisms, scheduling applications, and backup software. The Network Time Protocol (NTP) enables the synchronization of these time-dependent applications. NTP works over UDP on port 123.

 

 

Top-level NTP servers (stratum 1) obtain Coordinated Universal Time (UTC) via a direct physical link to an accurate clock source, such as an atomic clock or a GPS receiver. An NTP server that synchronizes its time with a stratum 1 server over a network is operating at stratum 2. Each stratum level represents a step away from the accurate clock source over a network link. These lower stratum servers act as clients of the stratum 1 servers and as servers or time sources to lower stratum NTP servers or client hosts. Most switches and routers can be configured to act as time servers to local client hosts and this function is also typically performed by network directory servers. It is best to configure each of these devices with multiple reference time sources (at least three) and to establish them as peers to allow the NTP algorithm to detect drifting or obviously incorrect time values. Because NTP is UDP-based, an attacker who can spoof replies can try to shift a client's clock; authenticated NTP (symmetric keys or NTS) and multiple sources limit this. Older ntpd versions also answered the monlist query with very large responses, making them reflectors for amplification attacks, so query features should be disabled or restricted to trusted hosts.

Client hosts (application servers and workstations) usually obtain the time by using a modified form of the protocol called Simple NTP (SNTP). SNTP works over the same port as NTP. A host that supports only SNTP cannot act as a time source for other hosts. In Windows, the Time Service can be configured by using the w32tm command. In Linux, the ntp package can be configured via /etc/ntp.conf.

 

If a server or host is configured with the incorrect time, it may not be able to access network services. Authentication, and other security mechanisms will often fail if the time is not synchronized on both communicating devices. In this situation, errors are likely to be generic failed or invalid token type messages. Always try to rule out time synchronization as an issue early in the troubleshooting process.
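The following added example (not from the original cards, and not any NTP implementation's code) decodes the 48-byte NTP packet header described above and applies the sanity checks a client should make before trusting a reply: it must be a server-mode reply, from a synchronized server (stratum 1 to 15), with the leap indicator not set to "clock unsynchronized". The packets are constructed in code for the demonstration; the upstream address 192.0.2.1 and the GPS reference identifier are illustrative values. It also shows the 1900-based NTP epoch being converted to a Unix timestamp.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)

def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32

def build_server_reply(stratum, transmit_unix, version=4, leap=0):
    """Construct a 48-byte NTP server (mode 4) reply for demonstration only.

    Byte 0 packs leap indicator (2 bits), version (3 bits) and mode (3 bits).
    For stratum 1 the reference ID is a 4-character source code such as GPS;
    for stratum 2 and above it is the IPv4 address of the upstream server.
    """
    first = (leap << 6) | (version << 3) | 4
    ntp_secs = int(transmit_unix) + NTP_EPOCH_OFFSET
    ref_id = b"GPS\x00" if stratum == 1 else struct.pack(">I", 0xC0000201)   # 192.0.2.1, illustrative
    header = struct.pack(">BBbb", first, stratum, 6, -20)    # poll 2^6 s, precision 2^-20 s
    root = struct.pack(">II", 0, 0)                            # root delay, root dispersion
    timestamp = struct.pack(">II", ntp_secs, 0)
    return header + root + ref_id + timestamp * 4              # reference, origin, receive, transmit

def parse_ntp(packet):
    """Decode the fixed 48-byte header into a dictionary of fields."""
    if len(packet) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    first, stratum, poll, precision = struct.unpack(">BBbb", packet[:4])
    ref_id = packet[12:16]
    tx_secs, tx_frac = struct.unpack(">II", packet[40:48])
    if stratum == 1:
        ref_desc = ref_id.rstrip(b"\x00").decode("ascii", "replace")   # e.g. GPS, PPS, ATOM
    elif stratum >= 2:
        ref_desc = ".".join(str(b) for b in ref_id)                     # IPv4 of the upstream server
    else:
        ref_desc = ref_id.decode("ascii", "replace")                     # stratum 0: kiss-o'-death code
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 0x07,
        "mode": first & 0x07,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "reference_id": ref_desc,
        "transmit_unix": ntp_to_unix(tx_secs, tx_frac),
    }

def is_usable_time_source(fields):
    """Only adjust the clock from a server-mode reply (mode 4) whose source is itself
    synchronized: stratum 1-15 and leap indicator != 3. Stratum 0 is a kiss-o'-death
    message and stratum 16 means the server's clock is unsynchronized."""
    return fields["mode"] == 4 and 1 <= fields["stratum"] <= 15 and fields["leap"] != 3
```

The transmit timestamp 3913056000 in NTP seconds corresponds to Unix time 1704067200, that is 2024-01-01 00:00:00 UTC; a client that forgot the epoch offset would set its clock 70 years into the future, and every certificate and Kerberos ticket it sees would then appear expired or not yet valid.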

Term

Performance Metrics

When you are monitoring a network host or intermediate system, several performance metrics can tell you whether the host is operating normally:

Definition

§  Bandwidth/throughput-This is the rated speed of all the interfaces available to the device, measured in Mbps or Gbps. For wired Ethernet links, this will not usually vary, but the bandwidth of WAN and wireless links can change over time.

§  CPU and memory-Devices such as switches and routers perform a lot of processing. If CPU and/or system memory utilization (measured as a percentage) is very high, an upgrade might be required. High CPU utilization can also indicate a problem with network traffic.

 

§  Storage-Some network devices require persistent storage (typically, one or more flash drives) to keep configuration information and logs. Storage is measured in MB or GB. If the device runs out of storage space, it could cause serious errors. Servers also depend on fast input/output (I/O) to run applications efficiently.

Term

 

Bottlenecks

Definition

A bottleneck is a point of poor performance that reduces the productivity of the whole network. A bottleneck may occur because a device is underpowered or faulty. It may also occur because of user or application behavior. To identify the cause of a bottleneck, you need to identify where and when on the network overutilization or excessive errors occur. If the problem is continual, it is likely to be device-related; if the problem only occurs at certain times, it is more likely to be user- or application-related.

Term

 

Performance Baselines

Definition

A performance baseline establishes the resource utilization metrics at a point in time, such as when the system was first installed. This provides a comparison against which to measure system responsiveness later. For example, if a company is expanding a remote office that is connected to the corporate office with an ISP's basic tier package, the baseline can help determine whether there is enough reserve bandwidth to handle the extra user load, or whether the basic package needs to be upgraded to support higher bandwidths.

 


Reviewing baselines is the process of evaluating whether a baseline is still fit for purpose or whether a new baseline should be established. Changes to the system usually require a new baseline to be taken.

Term

ENVIRONMENTAL MONITORING

The following environmental factors need monitoring:

Definition

§  Temperature-High temperature will make it difficult for device and rack cooling systems to dissipate heat effectively. This increases the risk of overheating of components within device chassis and consequent faults.

§  Humidity-More water vapor in the air risks condensation forming within a device chassis, leading to corrosion and short circuit faults. Conversely, very low humidity increases risks of static charges building up and damaging components.

§  Electrical-Computer systems need a stable power supply, free from outages (blackouts), voltage dips (brownouts), and voltage spikes and surges. Sensors built into power distribution systems and backup battery systems can report deviations from a normal power supply.

 

§  Flooding-There may be natural or person-made flood risks from nearby water sources and reservoirs or risks from leaking plumbing or fire suppression systems. Electrical systems need to be shut down immediately in the presence of any significant amount of water.

Term
Simple Network Management Protocol (SNMP) 
Definition

The Simple Network Management Protocol (SNMP) is a widely used framework for remote management and monitoring of servers and network appliances. SNMP consists of agents and a monitoring system.

Term
SNMP Agents
Definition

The agent is a process (software or firmware) running on a switch, router, server, or other SNMP-compatible network device. This agent maintains a database called a Management Information Base (MIB) that holds statistics relating to the activity of the device, such as the number of frames per second handled by a switch. Each parameter stored in a MIB is referred to by a numeric Object Identifier (OID). OIDs are stored within a tree structure. Part of the tree is generic to SNMP, while part can be defined by the device vendor.

An agent is configured with the Community Name of the computers allowed to manage the agent and the IP address or host name of the server running the management system. The community name acts as a rudimentary type of password. An agent can pass information only to management systems configured with the same community name. There are usually two community names: one for read-only access and one for read-write access (or privileged mode).

Term

SNMP Monitor

Definition

An SNMP monitor is management software that provides a location from which you can oversee network activity. The monitor polls agents at regular intervals for information from their MIBs and displays the information for review. It also displays any trap operations as alerts for the network administrator to assess and act upon as necessary.

Term

SNMP Monitor

Device queries take place over UDP port 161; traps are communicated over UDP port 162.

The monitor can retrieve information from a device in two main ways:

Definition

§  Get-The software queries the agent for a single OID. This command is used by the monitor to perform regular polling (obtaining information from devices at defined intervals).

§  Trap-The agent informs the monitor of a notable event (port failure, for instance). The threshold for triggering traps can be set for each value.

The monitor can be used to change certain variables using the Set command. It can also walk an MIB subtree by using multiple Get and Get Next commands. This is used to discover the complete layout of an MIB. 

Term

System and Application Logs

Definition

A system log records startup events plus subsequent changes to the configuration at an OS level. This will certainly include kernel processes and drivers but could also include core services.

By contrast, an application log records data for a single specific service, such as DNS, HTTP, or an RDBMS. Note that a complex application could write to multiple log files, however. For example, the Apache web server logs errors to one file and access attempts to another.


Term

Audit Logs

Definition

An audit log records use of authentication and authorization privileges. It will generally record success/fail type events. An audit log might also be described as an access log or security log. Audit logging might be performed at an OS level and at a per-application level.

Audit logs typically associate an action with a particular user. This is one of the reasons that it is critical that users not share logon details. If a user account is compromised, there is no means of tying events in the log to the actual attacker.

Term

Performance/Traffic Logs

Definition

Performance and traffic logs record statistics for computer, storage, and network resources over a defined period.

Term

Syslog 

A syslog collector usually listens on UDP port 514.

Definition

Syslog is an example of a protocol and supporting software that facilitates log collection. It has become a de facto standard for logging events from distributed systems. For example, syslog messages can be generated by Cisco® routers and switches, as well as UNIX or Linux servers and workstations. A syslog collector usually listens on UDP port 514.

Term

EVENT MANAGEMENT

Definition

For example, in Windows, system and application events are defined as Informational, Warning, or Critical, while audit events are categorized as Success or Fail.

Term

Syslog severity levels are as follows:

Definition

Code  Level          Interpretation
0     Emergency      The system is unusable (kernel panic)
1     Alert          A fault requiring immediate remediation has occurred
2     Critical       A fault that will require immediate remediation is likely to develop
3     Error          A nonurgent fault has developed
4     Warning        A nonurgent fault is likely to develop
5     Notice         A state that could potentially lead to an error condition has developed
6     Informational  A normal but reportable event has occurred
7     Debug          Verbose status conditions used during development and testing

Term

LOG REVIEWS

Monitoring involves viewing traffic, protocols, and events in real time. Network and log reviewing, or analysis, involves later inspection and interpretation of captured data to determine what the data shows was happening on the network during the capture. Monitoring is aligned with incident response; analysis is aligned with investigating the cause of incidents or preventing incidents in the first place. It is important to perform performance analysis and log review continually. Referring to the logs only after a major incident misses the opportunity to identify threats, vulnerabilities, or performance problems early and to respond proactively.

Definition

Not all performance incidents will be revealed by a single event. One of the features of log analysis and reporting software should be to identify trends. A trend is difficult to spot by examining each event in a log file. Instead, you need software to chart the incidence of types of events and show how the number or frequency of those events changes over time.

Plotting data as a graph is particularly helpful as it is easier to spot trends or spikes or troughs in a visualization of events, rather than the raw data. Most performance monitors can plot metrics in a graph.

Term
Bandwidth
Definition
Bandwidth is the amount of information that can be transmitted, measured in bits per second (bps), or some multiple thereof.
Term
Bandwidth for Audio 
Definition

Bandwidth for audio depends on the sampling frequency (Hertz) and bit depth of each sample. For example, telecommunications links are based on 64 Kbps channels. This was derived through the following calculation:

§  The voice frequency range is 4000 Hz. This must be sampled at twice the rate to ensure an accurate representation of the original analog waveform.

§  The sample size is 1 byte (or 8 bits). Therefore, 8 KHz x 8 bits = 64 Kbps.

Term
VoIP, bandwidth 
Definition

For VoIP, bandwidth requirements for voice calling can vary, but allowing 100 Kbps per call upstream and downstream should be sufficient in most cases.

Term
Bandwidth required for video 
Definition

Bandwidth required for video is determined by image resolution (number of pixels), color depth, and the frame rate, measured in frames per second (fps).

Term
Latency 
Definition
Latency is the time it takes for a transmission to reach the recipient, measured in milliseconds (ms).

You can test the latency of a link using tools such as ping, pathping, and mtr. When assessing latency, you need to consider the Round Trip Time (RTT). VoIP is generally expected to require an RTT of less than 300 ms.
Term
Jitter 
Definition

Jitter is defined as being a variation in the delay. Jitter manifests itself as an inconsistent rate of packet delivery. Jitter is also measured in milliseconds, using an algorithm to calculate the value from a sample of transit times.
You can also use mtr to calculate jitter. 

Term

Differentiated Services

Definition

The Differentiated Services (DiffServ) framework classifies each packet passing through a device. Router policies can then be defined to use the packet classification to prioritize delivery. DiffServ is an IP (Layer 3) service tagging mechanism. It uses the Type of Service field in the IPv4 header (Traffic Class in IPv6). The field is populated with a 6-bit DiffServ Code Point (DSCP) by either the sending host or by the router. Packets with the same DSCP and destination are referred to as Behavior Aggregates and allocated the same Per Hop Behavior (PHB) at each DiffServ-compatible router.

Term

Differentiated Services

DiffServ traffic classes are typically grouped into three types:

Definition

§  Best Effort.

§  Assured Forwarding (which is broken down into sub-levels).

§  Expedited Forwarding (which has the highest priority).

Term

IEEE 802.1p

Definition

While DiffServ works at layer 3, IEEE 802.1p can be used at Layer 2 (independently or in conjunction with DiffServ) to classify and prioritize traffic passing over a switch or wireless access point. 802.1p defines a tagging mechanism within the 802.1Q VLAN field (it is also often referred to as 802.1Q/p). The 3-bit priority field is set to a value between 0 and 7. Most vendors map DSCP values to 802.1p ones.

For example, 7 and 6 can be reserved for network control (such as routing table updates),
5 and 4 map to expedited forwarding levels for 2-way communications,
3 and 2 map to assured forwarding for streaming multimedia,
1 and 0 for "ordinary" best-effort delivery.

Term
QoS, network functions are commonly divided into three planes
Definition

§  Control plane-makes decisions about how traffic should be prioritized and where it should be switched.

§  Data plane-handles the actual switching of traffic.

§  Management plane-monitors traffic conditions.

Term
Traffic shapers 
Definition

Traffic shapers delay certain packet types, based on their content, to ensure that other packets have a higher priority. This can help to ensure that latency is reduced for critical applications. A traffic shaper will store packets until there is free bandwidth available. Hopefully, this leads to consistent usage of the bandwidth and few lost packets.

Random Early Detection (RED) is one of several algorithms that can be implemented to help manage traffic overflow on the shaper.

Term
Determining Network Throughput 
Definition

simply divide the file size by the amount of time taken to copy the file. For example, if you transfer a 1 GB file in half an hour, the throughput can be calculated as follows:

§  1 gigabyte is 1024x1024x1024 bytes (1,073,741,824 bytes or 8,589,934,592 bits).

§  8,589,934,592 bits in 1,800 seconds is 4,772,186 bits per second or 4.55 Mbps.

Term
Software Programs that measure network throughput
Definition
  1. iperf
  2. Ttcp 
  3. bwping 
Term

Top Talkers/Listeners

Definition

Top talkers are interfaces generating the most outgoing traffic (in terms of bandwidth), while top listeners are the interfaces receiving the most incoming traffic. 

Term

bandwidth speed tester

There are many Internet tools available for checking performance. The two main classes are:

Definition

§  Broadband speed checkers-These test how fast the local broadband link to the Internet is. They are mostly designed for SOHO use. The tool will test downlink and uplink speeds, test latency using ping, and can usually compare the results with neighboring properties and other users of the same ISP.

§  Website performance checkers-These query a nominated website to work out how quickly pages load. One of the advantages of an online tool is that you can test your site's response times from the perspective of customers in different countries.

Term

Cisco's NetFlow

Using NetFlow involves deploying three types of components:

Definition

Cisco's NetFlow gathers traffic metadata only and reports it to a structured database. NetFlow and similar technologies can also use sampling to further reduce processing demands. NetFlow has been redeveloped as the IP Flow Information Export (IPFIX) IETF standard.

§  A NetFlow exporter is configured on network appliances (switches, routers, and firewalls). Each flow is defined on an exporter. A traffic flow is defined by packets that share the same characteristics, such as IP source and destination addresses and protocol type. These five bits of information are referred to as a 5-tuple. A 7-tuple flow adds the input interface and IP type of service data. Each exporter caches data for newly seen flows and sets a timer to determine flow expiration. When a flow expires or becomes inactive, the exporter transmits the data to a collector.

§  A NetFlow collector aggregates flows from multiple exporters. A large network can generate huge volumes of flow traffic and data records, so the collector needs a high bandwidth network link and substantial storage capacity. The exporter and collector must support compatible versions of NetFlow and/or IPFIX. The most widely deployed versions of NetFlow are v5 and v9.

§  A NetFlow analyzer reports and interprets information by querying the collector and can be configured to generate alerts and notifications. In practical terms, the collector and analyzer components are often implemented as a single product.

Term
interface statistics
Definition

§  Link state-Measures whether an interface is working (up) or not (down). You would configure an alert if an interface goes down so that it can be investigated immediately. You may also want to track the uptime or downtime percentage so that you can assess a link's reliability over time.

§  Resets-The number of times an interface has restarted over the counter period. Interfaces may be reset manually or could restart automatically if traffic volume is very high, or a large number of errors are experienced. Anything but occasional resets should be closely monitored and investigated. An interface that continually resets is described as flapping.

§  Speed-This is the rated speed of the interface, measured in Mbps or Gbps. For wired Ethernet links this will not usually vary, but the bandwidth of WAN and wireless links may change over time. For Ethernet links, the interface speed should be the same on both the host and switch ports.

§  Duplex-Most Ethernet interfaces operate in full duplex mode. If an interface is operating in half duplex mode, there is likely to be some sort of problem, unless you are supporting a legacy device.

§  Utilization-The data transferred over a period. This can either be measured as the amount of data traffic both sent and received (measured in bits or bytes per second or a multiple thereof) or calculated as a percentage of the available bandwidth.

You also need to differentiate between average utilization and peak utilization. If average utilization is around 80%, it may appear that there is sufficient bandwidth. However, if peak utilization often spikes to 100%, then that will manifest as delay and packet loss and may require that you upgrade the link. Monitoring the queue length can help to determine whether the link is a bottleneck.

§  Per-protocol utilization-Packet or byte counts for a specific protocol. It is often useful to monitor both packet counts and bandwidth consumption. High packet counts will incur processing load on the CPU and system memory resources of the appliance, even if the size of each packet is quite small.

§  Error rate-The number of packets per second that cause errors. Errors may occur as a result of interference or poor link quality causing data corruption in frames. In general terms, error rates should be under 1 percent; high error rates may indicate a driver problem, if a network media problem can be ruled out.

§  Discards/drops-An interface may discard incoming and/or outgoing frames for several reasons, including checksum errors, mismatched MTUs, packets that are too small (runts) or too large (giants), high load, or permissions, for instance where the sender is not on the interface's access control list (ACL) or there is some sort of VLAN configuration problem. Each interface is likely to class the type of discard or drop separately to assist with troubleshooting the precise cause.

Some vendors may use the term discard for frames that are rejected because of errors or security policies and drop for frames that are lost due to high load, but often the terms are used interchangeably.

§  Retransmissions-Errors and discards/drops mean that frames of data are lost during transmission between two devices. As a result, the communication will be incomplete, and the data will, therefore, have to be retransmitted to ensure application data integrity. If you observe high levels of retransmissions (as a percentage of overall traffic), you must analyze and troubleshoot the specific cause of the underlying packet loss, which could involve multiple aspects of network configuration and connectivity.

Term
Cyclic Redundancy Check Errors
Definition

A cyclic redundancy check (CRC) is calculated by an interface when it sends a frame. A CRC value is calculated from the frame contents to derive a 32-bit value. This is added to the header as the frame check sequence. The receiving interface uses the same calculation. If it derives a different value, the frame is rejected. The number of CRC errors can be monitored per interface.

CRC errors are usually caused by interference. This interference might be due to poor quality cable or termination, attenuation, mismatches between optical transceivers or cable types, or due to some external factor.

Term

Encapsulation Errors

Encapsulation is the frame format expected on the interface. Encapsulation errors will prevent transmission and reception. If you check the interface status, the physical link will be listed as up, but the line protocol will be listed as down. This type of error can arise in several circumstances:

Definition

§  Ethernet frame type-Ethernet can use a variety of frame types. The most common is Ethernet II, but if a host is configured to use a different type, such as SNAP, then errors will be reported on the link.

§  Ethernet trunks-When a trunk link is established between two switches, it will very commonly use the Ethernet 802.1Q frame format. 802.1Q specifies an extra frame header to carry a VLAN ID and type of service data. If one switch interface is using 802.1Q but the other is not, this may be reported as an encapsulation error.

§  WAN framing-Router interfaces to provider networks can use a variety of frame formats. Often these are simple serial protocols, such as High-level Data Link Control (HDLC) or Point-to-Point Protocol (PPP). Alternatively, the interface may use encapsulated Ethernet over Asynchronous Transfer Mode (ATM) or Virtual Private LAN Service (VPLS) or an older protocol, such as Frame Relay. The interface on the Customer Edge (CE) router must be configured for the same framing type as the Provider Edge (PE) router.

Term
Runt Frame Errors
Definition

A runt is a frame that is smaller than the minimum size (64 bytes for Ethernet). A runt frame is usually caused by a collision. In a switched environment, collisions should only be experienced on an interface connected to a legacy hub device, or where there is a duplex mismatch in the interface configuration (or possibly on a misconfigured link to a virtualization platform). If runts are generated in other conditions, suspect a driver issue on the transmitting host.

Term

Giant Frame Errors

A giant is a frame that is larger than the maximum permissible size (1518 bytes for Ethernet II). There are two likely causes of giant frames:

Definition

§  Ethernet trunks-As above, if one switch interface is configured for 802.1Q framing, but the other is not, the frames will appear too large to the receiver, as 802.1Q adds 4 bytes to the header, making the maximum frame size 1522 bytes. An Ethernet frame that is slightly larger (up to 1600 bytes) is often referred to as a baby giant.

§  Jumbo frames-A host might be configured to use jumbo frames, but the switch interface is not configured to receive them. This type of issue often occurs when configuring storage area networks (SANs) or links between SANs and data networks.

Term
CIA Triad
Definition

§  Confidentiality means that certain information should only be known to certain people.

§  Integrity means that the data is stored and transferred as intended and that any modification is authorized.

§  Availability means that information is accessible to those authorized to view or modify it.

Term

Vulnerability, Threat, and Risk

Definition

§  Vulnerability-A weakness that could be accidentally triggered or intentionally exploited to cause a security breach.

§  Threat-The potential for someone or something to exploit a vulnerability and breach security. A threat may be intentional or unintentional. The person or thing that poses the threat is called a threat actor or threat agent. The path or tool used by a malicious threat actor can be referred to as the attack vector.

§  Risk-The likelihood and impact (or consequence) of a threat actor exercising a vulnerability.

Term
Risk management
Definition

Risk management is a process for identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform to serve its customers. Risk management is complex and treated very differently in companies and institutions of different sizes, and with different regulatory and compliance requirements. Most companies will institute enterprise risk management (ERM) policies and procedures, based on published frameworks.

Term
Risk assessment 
Definition

Risk assessment is a subset of risk management where the company's systems and procedures are evaluated for risk factors. Separate assessments can be devised to perform an initial evaluation and ongoing monitoring of threats, vulnerabilities, and security posture.

Term
security control 
Definition

A security control is something designed to give a system or data asset the properties of confidentiality, integrity, availability, and non-repudiation.

Term
Posture assessment 
Definition

The overall status of risk management is referred to as risk posture. Risk posture shows which risk response options can be identified and prioritized. Posture assessment is often performed with reference to an IT or security framework. The framework can be used to assess the organization's maturity level in its use of security policies and controls.

Term
mission essential function (MEF)
Definition
A mission essential function (MEF) is one that cannot be deferred. This means that the organization must be able to perform the function as close to continually as possible, and if there is any service disruption, the mission essential functions must be restored first.
Term
Business impact analysis (BIA) 
Definition

Business impact analysis (BIA) is the process of assessing what losses might occur for a range of threat scenarios. 

Term
business continuity planning (BCP)
Definition

Identifies controls and processes that enable an organization to maintain critical workflows in the face of some adverse event.

Term
software vulnerability 
Definition

A software vulnerability is a design flaw that can cause the application security system to be circumvented or that will cause the application to crash. The most serious vulnerabilities allow the attacker to execute arbitrary code on the system, which could allow the installation of malware or allow the threat actor to disable or weaken a secure configuration. Typically, applications such as web servers, web browsers, web browser plug-ins, email clients, and databases are targeted.

Term
exploit 
Definition

An exploit is the specific code or method of using a vulnerability to gain control of a system or damage it in some way. Typically, software vulnerabilities can be exploited only in quite specific circumstances, but because of the complexity of modern software and the speed with which new versions must be released to market, almost no software is free from vulnerabilities.

Term
zero-day
Definition

A vulnerability that is exploited before the developer knows about it or can release a patch is called a zero-day. These can be extremely destructive, as it can take the vendor a lot of time to develop a patch, leaving systems vulnerable for days, weeks, or even years.

The term zero-day is usually applied to the vulnerability itself but can also refer to an attack or malware that exploits it.

Term
Vulnerability Assessment
Definition

A vulnerability assessment is an evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system. Essentially, the vulnerability assessment determines if the current configuration matches the ideal configuration (the baseline). Vulnerability assessments might involve manual inspection of security controls but are more often accomplished through automated vulnerability scanners.

Term

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a dictionary of vulnerabilities in published operating systems and applications software (cve.mitre.org). Automated vulnerability scanning software makes use of this dictionary to develop tests to discover vulnerabilities on live systems. There are several elements that make up a vulnerability's entry in the CVE:

Definition

§  An identifier in the format: CVE-YYYY-####, where YYYY is the year the vulnerability was discovered, and #### is at least four digits that indicate the order in which the vulnerability was discovered.

§  A brief description of the vulnerability.

§  A reference list of URLs that supply more information on the vulnerability.

§  The date the vulnerability entry was created.

Term
external threat actor 
Definition

An external threat actor or agent is one that has no account or authorized access to the target system. A malicious external threat must infiltrate the security system using malware and/or social engineering. Note that an external actor may perpetrate an attack remotely or on-premises (by breaking into the company's headquarters, for instance). It is the threat actor that is defined as external, rather than the attack method.

Term
internal (or insider) threat actor 
Definition

Conversely, an internal (or insider) threat actor is one that has been granted permissions on the system. This typically means an employee, but insider threat can also arise from contractors and business partners.

Term

Threat Research

Threat research is a counterintelligence gathering effort in which security companies and researchers attempt to discover the tactics, techniques, and procedures (TTPs) of threat actors.

The outputs from the primary research undertaken by security solutions providers and academics can take three main forms:

Definition

§  Behavioral threat research-narrative commentary describing examples of attacks and TTPs gathered through primary research sources.

§  Reputational threat intelligence-lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware.

§  Threat data-computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators.

Term

Security Information and Event Management (SIEM) 
Security Information and Event Management (SIEM) is a security control designed to integrate vulnerability and threat assessment efforts through automated collection, aggregation, and analysis of log data. The core function of a SIEM tool is to aggregate logs from multiple sources. In addition to logs from Windows and Linux-based hosts, this could include switches, routers, firewalls, intrusion detection sensors, vulnerability scanners, malware scanners, and databases.

Definition

The second critical function of SIEM (and the principal factor distinguishing it from basic log management) is that of correlation. This means that the SIEM software can link individual events or data points (observables) into a meaningful indicator of risk, or indicator of compromise (IOC). Correlation can then be used to drive an alerting system. Finally, SIEM can provide a long-term retention function and be used to demonstrate regulatory compliance.

Term
penetration testing 
Definition

Where vulnerability testing uses mostly automated scanning tools and is a largely passive, or non-intrusive assessment activity, penetration testing aims to model how exposed the organization is to vulnerabilities that could be exploited by threat actors.

A penetration test-often shortened to pen test-uses authorized hacking techniques to discover exploitable weaknesses in the target's security systems. Pen testing is also referred to as ethical hacking.

Term
privileged account 
Definition

A privileged account is one that can make significant configuration changes to a host, such as installing software or disabling a firewall or other security system. Privileged accounts also have rights to log on network appliances and application servers.

Term
Privileged access management (PAM)
Definition

Privileged access management (PAM) refers to policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts by internal threat actors and to mitigate risks from weak configuration control over privileges. These controls identify and document privileged accounts, giving visibility into their use, and manage the credentials used to access them.

Term

Some other general principles of PAM include least privilege, role-based access, and zero trust:

Definition

§  Least privilege means that a user is granted sufficient rights to perform his or her job and no more. This mitigates risk if the account should be compromised and fall under the control of a threat actor. Authorization creep refers to a situation where a user acquires more and more rights, either directly or by being added to security groups and roles. Least privilege should be ensured by closely analyzing business workflows to assess what privileges are required and by performing regular account audits.

§  Role-based access means that a set of organizational roles are defined, and subjects allocated to those roles. Under this system, the right to modify roles is reserved to a system owner. Therefore, the system is nondiscretionary, as each subject account has no right to modify the ACL of a resource, even though they may be able to change the resource in other ways. Users are said to gain rights implicitly (through being assigned to a role) rather than explicitly (being assigned the right directly).

§  Zero trust is based on the idea that perimeter security is unlikely to be completely robust. On a modern network, there are just too many opportunities for traffic to escape monitoring/filtering by perimeter devices. Zero trust uses systems such as continuous authentication and conditional access to mitigate privilege escalation and account compromise by threat actors. Another zero-trust technique is to apply microsegmentation. Microsegmentation is a security process that is capable of applying policies to a single node, as though it was in a zone of its own.

Term
Vendor management 
Definition

Vendor management is a process for selecting supplier companies and evaluating the risks inherent in relying on a third-party product or service. When it comes to data and cybersecurity, you must understand that risks cannot be wholly transferred to the vendor. If a data storage vendor suffers a data breach, you may be able to claim costs from them, but your company will still be held liable in terms of legal penalties and damage to reputation. If your webstore suffers frequent outages because of failures at a hosting provider, it is your company's reputation that will suffer and your company that will lose orders because customers look elsewhere.

Term
access control list (ACL)
Definition

In computer security, the basis of access control is usually an access control list (ACL). This is a list of subjects and the rights or permissions they have been granted on the object.

Term

An identity and access management (IAM) system to mediate use of objects by subjects is usually described in terms of four main processes:

Definition

§  Identification-Creating an account or ID that identifies the user, device, or process on the network.

§  Authentication-Proving that a subject is who or what it claims to be when it attempts to access the resource.

§  Authorization-Determining what rights subjects should have on each resource and enforcing those rights.

§  Accounting-Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.
Term

Authentication factors fall into the following categories:

Definition

§  Knowledge factor-something you know (such as a password).

§  Ownership factor-something you have (such as a smart card).

§  Human or biometric factor-something you are (such as a fingerprint).

§  Behavioral factor-something you do (such as making a signature).

§  Location factor-somewhere you are (such as using a mobile device with location services).

Term
multifactor
Definition

An authentication technology or mechanism is considered strong if it combines the use of more than one authentication data type (multifactor).

Two-factor authentication combines something like a smart card or biometric mechanism with a knowledge factor, such as a password or personal identity number (PIN). Three-factor authentication combines three of the possible technologies. An example of this would be a smart card with an integrated fingerprint reader. This means that to authenticate, the user must possess the card, the user's fingerprint must match the template stored on the card, and the user must input a PIN.

Term
hashes
Definition

Knowledge-based authentication relies on cryptographic hashes. A cryptographic hash is a function that converts any string to a unique, fixed-length code. The function should ensure that the code cannot be converted back into the plaintext string.

Term

Windows Authentication

Definition

§  Windows local sign-in-the Local Security Authority (LSA) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database, which is part of the registry. This is also referred to as interactive logon.

§  Windows network sign-in-the LSA can pass the credentials for authentication to a network service. The preferred system for network authentication is based on Kerberos, but legacy network applications might use NT LAN Manager (NTLM) authentication.

§  Remote sign-in-if the user's device is not connected to the local network, authentication can take place over some type of virtual private network (VPN) or web portal.

Term

Linux Authentication

Definition

In Linux, local user account names are stored in /etc/passwd. When a user logs in to a local interactive shell, the password is checked against a hash stored in /etc/shadow. Interactive login over a network is typically accomplished using Secure Shell (SSH). With SSH, the user can be authenticated using cryptographic keys instead of a password.

Term
pluggable authentication module (PAM) 
Definition

A pluggable authentication module (PAM) is a package for enabling different authentication providers, such as smart card login (tecmint.com/configure-pam-in-centos-ubuntu-linux). The PAM framework can also be used to implement authentication to network servers.

Term

Single Sign-On

Definition

A single sign-on (SSO) system allows the user to authenticate once to a local device and be authorized to access compatible application servers without having to enter credentials again. In Windows, SSO is provided by the Kerberos framework.

Term

KERBEROS

Definition

Kerberos provides SSO authentication to Active Directory®, as well as compatibility with other, non-Windows operating systems. Kerberos was named after the three-headed guard dog of Hades (Cerberus) because it consists of three parts. Clients request services from a server, which both rely on an intermediary-a Key Distribution Center (KDC)-to vouch for their identity.

There are two services that make up a KDC: the Authentication Service and the Ticket Granting Service.

Term
Kerberos Authentication Service
Definition

The Authentication Service is responsible for authenticating user logon requests. More generally, users and services can be authenticated; these are collectively referred to as principals. For example, when you sit at a Windows domain workstation and log on to the domain (Kerberos documentation refers to realms rather than domains, which is Microsoft's terminology), the first step of logon is to authenticate with a KDC server (implemented as a domain controller).

Term
Kerberos Ticket Granting Service
Definition

When authenticated, the KDC server presents the user with a Ticket Granting Ticket. To access resources within the domain, the client requests a Service Ticket (a token that grants access to a target application server) by supplying the Ticket Granting Ticket to the Ticket Granting Service (TGS).

Term
Digital certificates 
asymmetric encryption
Definition

A smart card is programmed with an encryption key pair and a digital certificate, issued by the authenticating domain. Digital certificates are also used to authenticate server machines when using Transport Layer Security (TLS). A certificate can be installed on a web server or email server to validate its identity and establish a secure transmission channel.

Digital certificates depend on the concept of public key cryptography. Public key cryptography, also referred to as asymmetric encryption, solves the problem of distributing encryption keys when you want to communicate securely with others, authenticate a message that you send to others, or authenticate yourself to an access control system. With asymmetric encryption, you generate a key pair. The private key in the pair remains a secret that only you know. The public key can be transmitted to other subjects. The private key cannot be derived from the public key.

Term

Key pair can be used in the following ways:

Definition

§  When you want others to send you confidential messages, you give them your public key to use to encrypt the message. The message can then only be decrypted by your private key, which you keep known only to yourself. Due to the way asymmetric encryption works, the public key cannot be used to decrypt a message, even though it was used to encrypt it in the first place.

As encryption using a public key is relatively slow, rather than encrypting the whole message using a public key, more typically the public key is used to encrypt a symmetric encryption key for use in a single session and exchange it securely. The symmetric session key is then used to encrypt the actual message. A symmetric key can perform both encryption and decryption.

§  When you want to authenticate yourself to others, you create a signature and sign it by encrypting the signature with your private key. You give others your public key to use to decrypt the signature. As only you know the private key, everyone can be assured that only you could have created the signature.

The basic problem with public key cryptography lies in proving the identity of the owner of a public key. The system is vulnerable to an on-path attack where a threat actor substitutes their own public key for yours.

Term
Public key infrastructure (PKI) 
Definition

Public key infrastructure (PKI) aims to prove that the owners of public keys are who they say they are. Under PKI, anyone issuing public keys should obtain a digital certificate. The validity of the certificate is guaranteed by a certificate authority (CA). A digital certificate is essentially a wrapper for a subject's (or end entity's) public key. As well as the public key, it contains information about the subject and the certificate's issuer or guarantor. The certificate is digitally signed to prove that it was issued to the subject by a particular CA.

Term

Smart-card authentication can be used if required by a network in conjunction with Kerberos authentication, where the computer is attached to the local network and the user is logging on to Windows. This type of multifactor authentication may also be required in other contexts:

Definition

§  When the user is accessing a wireless network and needs to authenticate with the network database.

§  When a device is connecting to a network via a switch and network policies require the user to be authenticated before the device is allowed to communicate.

§  When the user is connecting to the network over a public network via a virtual private network (VPN).

Term
Extensible Authentication Protocol (EAP)
Definition

In these scenarios, the Extensible Authentication Protocol (EAP) provides a framework for deploying multiple types of authentication protocols and technologies. EAP allows lots of different authentication methods, but many of them use a digital certificate on the server and/or client machines. These certificates allow the machines to establish a trust relationship and create a secure tunnel to transmit the user credential or to perform smart card authentication without a user password.

Term

IEEE 802.1X Port-based Network Access Control (NAC)

Where EAP implements a particular authentication factor and mechanism, the IEEE 802.1X Port-based Network Access Control (NAC) standard provides the means of using an EAP method when a device connects to an Ethernet switch port, wireless access point, or VPN gateway. 802.1X uses the authentication, authorization, and accounting (AAA) architecture. AAA uses the following components:

Definition

§  Supplicant-the device requesting access, such as a user's PC or laptop.

§  Network access server (NAS) or network access point (NAP)-edge network appliances, such as switches, access points, and VPN gateways. These are also referred to as AAA clients or authenticators.

§  AAA server-the authentication server, positioned within the local network. There are two main types of AAA server: RADIUS and TACACS+.

With AAA, the NAS devices do not have to store any authentication credentials. They forward this data between the AAA server and the supplicant.

Term
RADIUS authentication with EAP overview
Definition
[image]
Term

Remote Authentication Dial-in User Service (RADIUS)

Definition

Remote Authentication Dial-in User Service (RADIUS) is very widely used for client device access over switches, wireless networks, and VPNs. There are several RADIUS server and client products. Microsoft has the Network Policy Server (NPS) for Windows platforms, and there are open-source implementations for UNIX and Linux, such as FreeRADIUS, as well as third-party commercial products, such as Cisco's Secure Access Control Server, OSC Radiator, and Juniper Networks Steel-Belted RADIUS.

RADIUS typically uses UDP ports 1812 and 1813. Each RADIUS client must be configured with the IP address of the RADIUS server plus the same shared secret.

Term

Terminal Access Controller Access Control System (TACACS+)

Terminal Access Controller Access Control System (TACACS+) is a similar protocol to RADIUS but designed to be more flexible and reliable. TACACS+ was developed by Cisco but is also supported on many of the other third-party and open-source RADIUS server implementations. Where RADIUS is often used for network access control over end user devices, TACACS+ is often used in authenticating administrative access to routers and switches. It uses TCP over port 49, and the reliable delivery offered by TCP makes it easier to detect when a server is down.

Definition

Also, authentication, authorization, and accounting functions are discrete. Many device management tasks require reauthentication (similar to having to reenter a password for sudo or UAC) and per-command authorizations and privileges for users, groups, and roles. TACACS+ supports this workflow better than RADIUS.

Term
Directory services explanation
Definition

When an authenticated user logs on to the network, the server security service generates an access key for the user. This contains the username and group memberships of the authenticated user. Whenever the user attempts to access a resource, his or her access key is provided as identification. The server's security service matches username and group memberships from the access key with entries in the access list, and from this, it calculates the user's access privileges.

All this information is stored in a directory. A directory is like a database, where an object is like a record, and things that you know about the object (attributes) are like fields. For products from different vendors to be interoperable, most directories are based on the same standard. The main directory standard is the X.500 series of standards. As X.500 is complex, most directory services are implementations of the Lightweight Directory Access Protocol (LDAP).

Term
Lightweight Directory Access Protocol (LDAP)
Definition

LDAP is not a directory standard, but a protocol used to query and update an X.500-like directory. LDAP is widely supported in current directory products (Windows Active Directory®, NetIQ eDirectory, or the open source OpenLDAP). LDAP messaging uses TCP and UDP port 389 by default.

Term
X.500
Definition

In an X.500 directory, each object has a unique identifier called a distinguished name. A distinguished name is made up of attribute=value pairs, separated by commas. The most specific attribute is listed first, and successive attributes become progressively broader. This most specific attribute is also referred to as the relative distinguished name, as it uniquely identifies the object within the context of successive (parent) attribute values.

The types of attributes, what information they contain, and the way object types are defined through attributes (some of which may be required and some optional) are described by the directory schema. For example, the distinguished name of a web server operated by Widget in London might be:

CN=WIDGETWEB, OU=Marketing, O=Widget, L=London, ST=London, C=UK, DC=widget, DC=example

Term

Authentication, referred to as binding to the server, can be implemented in the following ways:

Definition

§  No authentication-Anonymous access is granted to the directory.

§  Simple bind-the client must supply its distinguished name (DN) and password, but these are passed as plaintext.

§  Simple Authentication and Security Layer (SASL)-the client and server negotiate the use of a supported authentication mechanism, such as Kerberos. The STARTTLS command can be used to require encryption (sealing) and message integrity (signing). This is the preferred mechanism for Microsoft's Active Directory (AD) implementation of LDAP.

§  LDAP Secure (LDAPS)-the server is installed with a digital certificate, which it uses to set up a secure tunnel for the user credential exchange. LDAPS uses port 636.

If secure access is required, anonymous and simple authentication access methods should be disabled on the server.

Generally, two levels of access will need to be granted on the directory: read-only access (query) and read/write access (update). This is implemented using an access control policy, but the precise mechanism is vendor-specific and not specified by the LDAP standards documentation.

Unless it is hosting a public service, the LDAP directory server should also only be accessible from the private network. This means that LDAP ports (389 over TCP and UDP) should be blocked by a firewall from access over the public interface.

Term
LDAP Secure (LDAPS)
Definition
389 over TCP and UDP
Term
Threat 
Definition

A threat is the potential for someone or something to exploit a vulnerability and breach security. A threat may be intentional or unintentional. The person or thing that poses the threat is called a threat actor or threat agent. The path or tool used by a malicious threat actor can be referred to as the attack vector.

Term
Calculate Risk
Definition
impact * likelihood
Term
Vulnerability 
Definition
A vulnerability is a weakness that could be accidentally triggered or intentionally exploited to cause a security breach.
Term
Role-based access 
Definition

§  Role-based access means that a set of organizational roles is defined, and subjects are allocated to those roles. Under this system, the right to modify roles is reserved to a system owner. Therefore, the system is nondiscretionary, as each subject account has no right to modify the ACL of a resource, even though they may be able to change the resource in other ways. Users are said to gain rights implicitly (through being assigned to a role) rather than explicitly (being assigned the right directly).

Term
Least privilege 
Definition

Least privilege means that a user is granted sufficient rights to perform his or her job and no more.

Term
Privileged access management (PAM) 
Definition
Privileged access management (PAM) refers to policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts by internal threat actors and to mitigate risks from weak configuration control over privileges.
Term
Zero trust 
Definition

Zero trust is based on the idea that perimeter security is unlikely to be completely robust. 

Term

An organization that issues public keys should obtain a digital certificate. What does the digital certificate contain?

Definition

The validity of the certificate is guaranteed by a certificate authority (CA) and the certificate will contain information about the certificate's issuer or guarantor.

A digital certificate will contain information about the subject. The CA digitally signs the certificate to prove that it was issued to the subject by a particular CA.

Under PKI, anyone issuing public keys should obtain a digital certificate and the digital certificate is essentially a wrapper for a subject's (or end entity's) public key.

Term
Process assessment
Definition

The organization used a process assessment, which involves identifying critical systems and assets that support mission essential functions.

Term
network segmentation enforcement
Definition

Effective placement of security appliances depends on segmenting the network into clearly defined areas. At layers two and three, network segmentation enforcement is applied using a combination of virtual LANs and subnets. Each segment is a separate broadcast domain. Any traffic between segments must be routed. In security terms, the main unit of a logically segmented network is a zone. A zone is an area of the network where the security configuration is the same for all hosts within it. Network traffic between zones should be strictly controlled using a security device-typically a firewall.

These zones would typically be configured to protect the integrity and confidentiality of different asset groups within the organization. For example, servers storing financial records can be their own VLAN, and marketing servers could be another VLAN. If something like a remote access Trojan were introduced in one VLAN, it should not be able to spread to other VLANs without also being able to pass through the firewall protecting each zone.

Term
perimeter network 
Definition

A perimeter network is a secured boundary between the Internet and an organization’s private network and uses two firewalls placed on either side of the perimeter network zone. The edge firewall restricts traffic on the external/public interface and allows permitted traffic to the hosts in the perimeter zone subnet. The edge firewall can be referred to as the screening firewall or router. The internal firewall filters communications between hosts in the perimeter and hosts on the LAN. This firewall is often described as the choke firewall. A choke point is a purposefully narrow gateway that facilitates better access control and easier monitoring.

Term

screened subnet

Triple-homed firewall

Definition

A perimeter network can also be established using a screened subnet, which is one router/firewall appliance with three network interfaces. In a screened subnet, one interface is the public one, another is the perimeter subnet, and the third connects to the LAN. Routing and filtering rules determine what forwarding is allowed between these interfaces. This is also referred to as a triple-homed firewall.


Term

firewall 

The basic function of a firewall is traffic filtering. 

Definition

One distinction can be made between firewalls that protect a whole network (one that is placed inline in the network and inspects all traffic that passes through) and firewalls that protect a single host only (one that is installed on the host and inspects only that traffic addressed to that host). A further distinction can be made about what parts of a packet a particular firewall technology can inspect and operate on.

Term

PROXY SERVERS

Definition

A proxy server forwards requests and responses on behalf of its clients. Rather than inspecting traffic as it passes through, the proxy deconstructs each packet, performs analysis, then rebuilds the packet and forwards it on, providing it conforms to the rules. This type of device is placed in a perimeter network.

Term

Forward Proxies

Definition

A forwarding proxy server provides for protocol-specific outbound traffic. For example, you might deploy a web proxy that enables client hosts to connect to websites and secure websites on the Internet. A proxy server must understand the application it is servicing. A web proxy must be able to parse and modify HTTP and HTTPS commands (and potentially HTML, too). Some proxy servers are application-specific; others are multipurpose. A multipurpose proxy is one configured with filters for multiple protocol types, such as HTTP, FTP, and SMTP.

Term

nontransparent proxy server

Definition

The client must be configured with the proxy server address and port number to use it. The port on which the proxy server accepts client connections is often configured as port 8080.

Term

transparent (or "forced" or "intercepting") proxy

Definition

A transparent proxy intercepts client traffic without the client having to be reconfigured. A transparent proxy must be implemented on a switch or router or other inline network appliance.

Term

Network Address Translation (NAT)

Definition

NAT was devised as a way of freeing up scarce IP addresses for hosts needing Internet access. NAT is a service translating between a private (or local) addressing scheme used by hosts on the LAN and a public (or global) addressing scheme used by an Internet-facing device. NAT is configured on a border device, such as a router, proxy server, or firewall. NAT is not a security mechanism; security is provided by the router/firewall's ACL.

Term

Network Address Translation (NAT)
(cont)

Definition

In a basic NAT static configuration, a simple 1:1 mapping is made between the private (inside local) network address and the public (inside global) address. If the destination network is using NAT, it is described as having outside global and outside local addressing schemes.

Term

Network Address Translation (NAT)  (cont)

Definition

A single static mapping is not very useful in most scenarios. Under dynamic NAT, the NAT device exposes a pool of public IP addresses. To support inbound and outbound connections between the private network and the Internet, the NAT service builds a table of public to private address mappings. Each new session creates a new public-private address binding in the table. When the session is ended or times out, the binding is released for use by another host.

Term

PORT ADDRESS TRANSLATION

Definition
PAT works by allocating each new connection an ephemeral TCP or UDP port. For example, say two hosts (10.0.0.101 and 10.0.0.102) initiate a web connection at the same time. The PAT service creates two new port mappings for these requests (10.0.0.101:61101 and 10.0.0.102:61102) in its state table. It then replaces the private IP with the public IP and forwards the requests to the public Internet. It performs a reverse mapping on any traffic returned using those ports, inserting the original IP address and port number, and forwarding the packets to the internal hosts.
Term

DEFENSE IN DEPTH

Definition

Network security design must address the concept of defense in depth. This refers to placing security controls throughout the network, so that all access attempts are authenticated, authorized, and audited. Some examples of security controls that provide defense in depth additional to network segmentation and screened subnets include Network Access Control, honeypots, separation of duties, and intrusion detection.

Term

Network Access Control
(Cont)

Definition

Basic NAC solutions can authenticate a client on the basis of machine certificates and/or user passwords. More sophisticated solutions can enforce a health policy. A health policy means that the client must submit an attestation report. This secure report proves that the client is running an authorized OS and has up-to-date patches and security scanner configuration.

Term

Honeypots

Definition

A honeypot is a computer system set up to attract attackers, with the intention of analyzing attack strategies and tools, to provide early warning of attack attempts, or possibly as a decoy to divert attention from actual computer systems. Another use is to detect internal fraud, snooping, and malpractice. A honeynet is an entire decoy network. This may be set up as an actual network or simulated using an emulator.

On a production network, a honeypot is more likely to be located in a protected but untrusted area between the Internet and the private network or on a closely monitored and filtered segment within the private network itself. This provides early warning and evidence of whether a threat actor has been able to penetrate to a given security zone.

Term

intrusion detection system (IDS)

Definition

An intrusion detection system (IDS) performs real-time analysis of either network traffic or system and application logs. Where a firewall applies rules from an ACL, an IDS is configured with signature patterns. Each pattern represents a known type of malicious activity. If a pattern is matched in a traffic stream, the IDS raises an alert. Like antivirus software, the IDS must be kept up to date with the latest signature patterns. An IDS is often also configured with automated threat data, such as lists of IP addresses and domains that are associated with threat actors.

Like a packet analyzer, an IDS must be configured with a sniffer to read frames from a mirrored port or TAP. Placement of the sniffer must be carefully considered to meet security goals. Typically, an IDS is positioned behind a firewall. The aim is to detect suspicious traffic that the firewall has not blocked, providing defense in depth. This type of passive sensor does not slow down traffic and is undetectable by the attacker (it does not have an IP address on the monitored network segment).

Term

intrusion prevention system (IPS)

Definition

An intrusion prevention system (IPS) can provide an active response to any network threats that it matches. One typical preventive measure is to end the session by sending a TCP reset packet to the attacking host. Another option is for the sensor to apply a temporary filter on the firewall to block the attacker's IP address (shunning). Other advanced measures include throttling bandwidth to attacking hosts, applying complex firewall filters, and even modifying suspect packets to render them harmless. Finally, the appliance may be able to run a script or third-party program to perform some other action not supported by the IPS software itself.

Term

DHCP

Definition

The Dynamic Host Configuration Protocol (DHCP) provides IP addressing autoconfiguration to hosts without static IP parameters. If a Windows client fails to obtain a DHCP lease, it defaults to using an address in the Automatic Private IP Addressing (APIPA) range of 169.254.0.0/16. It will be limited to communication with other APIPA hosts on the same network segment (broadcast domain). Linux hosts will do one of the following: use the 169.254.0.0/16 range if they have Zeroconf support, leave the IP address set to 0.0.0.0, or disable IPv4 on the interface.

Term

DHCP Server and Scope Exhaustion Issues

Possible reasons for a client to fail to obtain a lease include:

Definition

§  The DHCP server is offline. If your DHCP servers go offline, users will continue to connect to the network for a period and thereafter start to lose contact with network services and servers as they come to try to renew a lease.

§  No more addresses available (DHCP scope exhaustion). Create a new scope with enough addresses or reduce the lease period. Remember that IP Address Management (IPAM) software suites can be used to track address usage across a complex DHCP infrastructure.

§  The router between the client and DHCP server doesn't support BOOTP forwarding. Either install RFC 1542-compliant routers or add another type of DHCP relay agent to each subnet or VLAN.

Term

Rogue DHCP Server Issues

Definition

Clients have no means of preferring a DHCP server. If two DHCP servers are running on the same subnet, clients could end up with an incorrect IP configuration because they have obtained a lease from a rogue server. A rogue DHCP server may be deployed accidentally (forgetting to disable a DHCP server in an access point or router, for instance) or may be used by a malicious attacker to subvert the network. An attacker would normally use a rogue server to change the default gateway and/or DNS resolver addresses for the subnet and route communications via his or her machine (an on-path attack).

Term

Name Resolution Methods

A host can use a variety of methods to resolve a name or FQDN to an IP address. In very general terms, these will be as follows:

Definition

1. Check local cache. One complication here is that there are different types of cache and separate caches for individual applications, such as web browsers. On Windows, you can use ipconfig /displaydns and ipconfig /flushdns to monitor and clear the system cache.

2. Check HOSTS. The HOSTS file is a static list of host name to IP address mappings. The default location under Windows is %SystemRoot%\system32\drivers\etc\, while under Linux it is usually placed in the /etc directory. In most cases, HOSTS should not contain any entries (other than the loopback address). Any static entries in HOSTS could be the cause of a name resolution issue. The file can also be used for troubleshooting.

3. Query DNS. A host uses the name servers defined in its IP configuration to resolve queries.

Any text preceded by the # symbol in a HOSTS file is a comment and will not be processed.

While we are focusing on name resolution via DNS here, note that a host can use multiple methods, especially on Windows workgroup networks. Link Local Multicast Name Resolution (LLMNR) and multicast DNS (mDNS) are modified forms of DNS that allow clients to perform name resolution on a local link without needing a server.

Term

VLAN ASSIGNMENT ISSUES

When you partition a network into separate VLANs, as each VLAN is a discrete broadcast domain, you must ensure that services, such as DHCP and DNS, are properly available to all VLANs. Otherwise, users will complain that "the Internet is down," when it transpires that there is no local DNS server available to handle their name resolution requests.

Definition

If devices are not in the same VLAN and must communicate, ensure that routing has been configured to enable VLAN-to-VLAN communications. You may also need to configure services such as DHCP relay to allow hosts to contact a DHCP server. Also, if a device is placed in a designated VLAN, its IP configuration must be appropriate in terms of IP address, subnet mask, default gateway, and DNS servers.

Another issue is that a host has been placed in an incorrect VLAN. Make sure all devices are placed into the appropriate VLAN as per the configuration baseline. VLAN assignments can be configured manually, and the administrator may have made a mistake, so check the interface configuration for the switch port. VLAN assignments can also be configured automatically, using parameters such as the host MAC address or authentication credentials, and this process may have failed, or the database used to map the dynamic data to a VLAN ID might be misconfigured.

Term

UNRESPONSIVE SERVICE AND NETWORK PERFORMANCE ISSUES

If you can rule out connectivity problems with a local client or subnet, the issue may be with an application server, rather than the client. Such unresponsive service issues will usually manifest with multiple clients being unable to connect. There can be any number of underlying causes, but consider some of the following:

Definition

§  The application or OS hosting the service has crashed (or there is a hardware or power problem).

§  The server hosting the service is overloaded (high CPU/memory/disk I/O utilization/disk space utilization). Try throttling client connections until the server resources can be upgraded.

§  There is congestion in the network, either at the client or server end (or both). Use ping or traceroute to check the latency experienced over the link and compare to a network performance baseline. Again, throttling connections or bandwidth may help to ease the congestion until higher bandwidth links can be provisioned.

§  A broadcast storm is causing loss of network bandwidth. Switching loops cause broadcast and unknown unicast frames to circulate the network perpetually, as each switch repeatedly floods each frame. A broadcast storm may quickly consume all link bandwidth and crash network appliances (check for excessive CPU utilization on switches and hosts). The Spanning Tree Protocol (STP) is supposed to prevent such loops, but this can fail if STP communications between switches do not work correctly, either because of a fault in cabling or a port/transceiver or because of a misconfiguration.

Network congestion may also be a sign that the service is being subject to a Denial of Service (DoS) attack. Look for unusual access patterns (for example, use GeoIP to graph source IP addresses by country and compare to baseline access patterns).

Term

UNTRUSTED CERTIFICATE ISSUES

If the digital certificate presented by a subject (server or user) is not trusted by the client application (such as a browser), the client will notify the user. The most common reason for a certificate not to be trusted is that the certificate issuer is not trusted. For example, say Widget's web server receives a certificate signed by MyCA. Unless MyCA's own certificate is stored in the browser's trusted root store, the client application will not trust the Widget server. The user can usually choose to ignore this warning and add an exception, but this should be done only if the cause of the lack of a trust relationship is understood.

Definition

If you trust the issuer, you can add their certificate to the client device's root certificate store. In Windows, you can use the certmgr.msc console to manage user certificates and the certlm.msc console to manage machine certificates. You also use these consoles to manage certificates used by the computer or its user accounts.

Term

Some other causes of untrusted certificates are:

Definition

One complication here is that different applications may have different stores of trusted certificates. For example, there is a Windows certificate store, but the Firefox® browser does not trust it by default and maintains its own certificate stores. The various Linux distributions store trusted root certificates in several different locations.

Frequently, certificates are untrusted because they are self-signed (the certificate holder is both the issuer and the subject of the certificate). This is often the case with the certificates used to protect the web management interfaces of consumer-grade appliances and server applications. You might be able to replace the default certificate with one trusted by the enterprise.

Term

Some other causes of untrusted certificates are:

Definition

§  The certificate's subject name does not match the URL. This is usually a configuration error on the part of the web server manager, but it could indicate malicious activity. You should confirm the certificate's common name and access the website by using that URL.

§  The certificate is not being used for its stated purpose. For example, a certificate issued to sign email is being used on a web server. In this circumstance, you should not add an exception. The service owner or subject should obtain a correctly formatted certificate.

§  The certificate is expired or revoked. Again, unless there are explainable circumstances, you should not allow an exception. If you are managing a legacy appliance (a SOHO router or NAS drive, for instance), it is likely that the certificate installed on it will have expired. If you know that the appliance has not been tampered with, you can proceed.

§  Time is not correctly synchronized between the server and client.

Term
NTP Issues
Network Time Protocol (NTP).
port UDP 123
w32tm /query /configuration
Definition

Most network services, and especially authentication and authorization mechanisms, depend upon each host using a synchronized time source. Inaccurate time sources also affect the reliability and usability of log data, which can have implications for regulatory compliance.

Time synchronization is usually accomplished via the Network Time Protocol (NTP). Clients must be able to access a time source over port UDP 123. In a Windows environment, the time source for clients will usually be a domain controller. The domain controller can either use a hardware GPS-based time source or rely on Internet servers, depending on the level of accuracy required. In Windows, the w32tm /query /configuration command can be used to check the current configuration.

Term

Bring Your Own Device (BYOD) 

Bring Your Own Device (BYOD) is a smartphone/tablet provisioning model that allows users to select a personal device to use to interact with corporate network services and cloud apps. Allowing user selection of devices introduces numerous compatibility, support, and security challenges:

Definition

§  Compatibility/support-The wide range of devices, mobile OS versions, and vendor support for patches make the job of ensuring that each device can connect to corporate network apps and data resources highly complex.

§  Security-This device variety also causes security issues, especially in terms of unpatched devices. Another issue is that the device is not fully under the administrative control of the IT department. An insider threat actor could install apps that might pose a risk to corporate data or misuse the device to exfiltrate data.

Term

BYOD Challenges
MDM (or mobile device management)
enterprise mobility management (EMM)

Definition

Some of the impact of these issues can be mitigated through the use of enterprise mobility management (EMM) suites and corporate workspaces. MDM (or mobile device management) is a type of network access control solution that registers devices as they connect to the network. It can then enforce security policies while the device is connected. These might restrict use of device functions or personal apps. A corporate workspace is an app that is segmented from the rest of the device and allows more centralized control over corporate data. Users must also agree to acceptable use policies, which might prohibit installing nonstore apps and rooting/jailbreaking a device and require keeping the device up to date with patches. Users will also usually have to submit to inspection of the device to protect corporate data.

Term
Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
Definition

§  802.11 uses Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) to cope with contention. Under CSMA/CA, when a station receives a frame, it performs error checking. If the frame is intact, the station responds with an acknowledgment (ACK). If the ACK is not received, the transmitting station resends the frame until timing out. 802.11 also defines a Virtual Carrier Sense flow control mechanism to further reduce the incidence of collisions. A station broadcasts a Request to Send (RTS) with the source and destination and the time required to transmit. The receiving station responds with a Clear To Send (CTS) and all other stations in range do not attempt to transmit within that period.

Term
2.4 GHz 
Definition

§  2.4 GHz is better at propagating through solid surfaces, making it ideal for providing the longest signal range. However, the 2.4 GHz band does not support a high number of individual channels and is often congested, both with other Wi-Fi networks and other types of wireless technology, such as Bluetooth®. Consequently, with the 2.4 GHz band, there is increased risk of interference, and the maximum achievable data rates are typically lower than with 5 GHz.

Term
5 GHz 
Definition

§  5 GHz is less effective at penetrating solid surfaces and so does not support the maximum ranges achieved with 2.4 GHz standards, but the band supports more individual channels and suffers less from congestion and interference, meaning it supports higher data rates at shorter ranges.

The IEEE 802.11a standard specifies use of the 5 GHz frequency band and a multiplexed carrier scheme called Orthogonal Frequency Division Multiplexing (OFDM). 802.11a has a nominal data rate of 54 Mbps.

The 5 GHz band is subdivided into 23 non-overlapping channels, each of which is 20 MHz wide. Initially, there were 11 channels, but the subsequent 802.11h standard added another 12. 802.11h also adds the Dynamic Frequency Selection (DFS) method to prevent access points (APs) working in the 5 GHz band from interfering with radar and satellite signals. The exact use of channels can be subject to different regulation in different countries. Regulatory impacts also include a strict limit on power output, constraining the range of Wi-Fi devices.

Term

IEEE 802.11B/G AND 2.4 GHZ CHANNEL BANDWIDTH

Definition

The 802.11b standard uses the 2.4 GHz frequency band and was released in parallel with 802.11a. It standardized the use of the carrier method Direct Sequence Spread Spectrum (DSSS), along with Complementary Code Keying (CCK) signal encoding. While in some ways DSSS was an inferior technology to OFDM (with a nominal data rate of just 11 Mbps), 802.11b products were quicker to market and became better established than 802.11a.

The 2.4 GHz band is subdivided into up to 14 channels, spaced at 5 MHz intervals from 2412 MHz up to 2484 MHz. Because the spacing is only 5 MHz and Wi-Fi needs ~20 MHz channel bandwidth, 802.11b channels overlap quite considerably. This means that co-channel interference is a real possibility unless widely spaced channels are chosen (1, 6, and 11, for instance). Also, in the Americas, regulations permit the use of channels 1-11 only, while in Europe channels 1-13 are permitted, and in Japan all 14 channels are permitted.

Term
802.11g 
Definition

The 802.11g standard offered a relatively straightforward upgrade path from 802.11b. Like 802.11a, 802.11g uses OFDM, but in the 2.4 GHz band used by 802.11b and with the same channel layout. This made it straightforward for vendors to offer 802.11g devices that could offer backwards support for legacy 802.11b clients. 802.11g has a nominal data rate of 54 Mbps. When in 802.11b compatibility mode, it drops back to using DSSS.

Term

Wi-Fi 6 (802.11ax)

Definition

Wi-Fi 6 uses more complex modulation and signal encoding to improve the amount of data sent per packet by about 40%. As with Wi-Fi 5, products are branded using the combined throughput. For example, AX6000 allows 1,148 Mbps on the 2.4 GHz radio and 4,804 Mbps over 5 GHz.

Term

2G AND 3G CELLULAR TECHNOLOGIES

Definition

Cellular radio works in the 850 and 1900 MHz frequency bands (mostly in the Americas) and the 900 and 1800 MHz bands (rest of the world).

§  Global System for Mobile Communication (GSM)-based phones using Time Division Multiple Access (TDMA). With TDMA, each subscriber gets access to the radio channel by being allocated a time slot. GSM allows subscribers to use a subscriber identity module (SIM) card to use an unlocked handset with their chosen network provider. GSM is adopted internationally and by AT&T and T-Mobile in the United States.

§  TIA/EIA IS-95 (cdmaOne)-based handsets, using Code Division Multiple Access (CDMA). CDMA means that each subscriber uses a code to key the modulation of their signal and this "key" is used by the receiver to extract the subscriber's traffic from the radio channel. With CDMA, the handset is managed by the provider, not the SIM. CDMA adoption is largely restricted to the telecom providers Sprint and Verizon.

Term

Long Term Evolution (LTE)

Definition

Long Term Evolution (LTE) is a converged 4G standard supported by both the GSM and CDMA network providers. LTE devices must have a SIM card issued by the network provider installed. LTE has a maximum downlink of 150 Mbps in theory, but no provider networks can deliver that sort of speed at the time of writing, with around 20 Mbps far more typical of real-world performance.

LTE uses neither TDMA nor CDMA but Orthogonal Frequency Division Multiple Access (OFDMA), which is also used by Wi-Fi 6.

LTE Advanced (LTE-A) is intended to provide a 300 Mbps downlink, but again this aspiration is not matched by real-world performance. Current typical performance for LTE-A is up to 90 Mbps.

Term

5G

Definition
1 Gbps for stationary or slow-moving users (including pedestrians) and 100 Mbps for access from a fast-moving vehicle.
Term

INFRASTRUCTURE TOPOLOGY AND WIRELESS ACCESS POINTS

Definition
Wireless network devices are referred to as stations (STA). In an infrastructure topology, each station is configured to connect through a base station or access point (AP), forming a logical star topology. The AP mediates communications between client devices and can also provide a bridge to a cabled network segment. In 802.11 documentation, this is referred to as an infrastructure Basic Service Set (BSS). The MAC address of the AP is used as the Basic Service Set Identifier (BSSID). More than one BSS can be grouped together in an Extended Service Set (ESS).

Term

WIRELESS SITE DESIGN

Definition

Clients are configured to join a WLAN through the network name or Service Set Identifier (SSID). In infrastructure mode, when multiple APs connected to the same distribution system are grouped into an ESS, this is more properly called the Extended SSID (ESSID). This just means that all the APs are configured with the same SSID and security information. The area served by a single AP is referred to as a basic service area (BSA) or wireless cell. The area in which stations can roam between access points to stay connected to the same ESSID is referred to as an extended service area (ESA).

Term

SSID Broadcast and Beacon Frame

Definition

A beacon is a special management frame broadcast by the AP to advertise the WLAN. The beacon frame contains the SSID (unless broadcast is disabled), supported data rates and signaling, plus encryption/authentication requirements. The interval at which the beacon is broadcast (measured in milliseconds) can be modified. The default is usually 100 ms. Increasing the interval reduces the overhead of broadcasting the frame but delays joining the network and can hamper roaming between APs.

Even if SSID broadcast is suppressed, it is fairly easy for a network sniffer to detect it as clients still use it when connecting with the AP.

Term
SITE SURVEYS 
Definition

A site survey is performed first by examining the blueprints or floor plan of the premises to understand the layout and to identify features that might produce radio frequency interference (RFI). This can be backed up by a visual inspection that may reveal things that are not shown on the blueprints, such as thick metal shelving surrounding a room that needs to have WLAN access. Each AP mounting point needs a network port and power jack, so it will help to obtain plans that show the locations of available ports.

A switch that supports Power over Ethernet (PoE) can be used to power a PoE-compatible AP.

Term
heat map
Definition
Many tools can show the signal strength within a particular channel obtained in different locations graphically using a heat map. The heat map would show areas with a strong signal in greens and yellows with warning oranges and reds where signal strength drops off.
Term
wireless distribution system (WDS)
Definition

You can also configure multiple access points to cover areas where it is not possible to run cabling. This is referred to as a wireless distribution system (WDS). You must set the APs to use the same channel, SSID, and security parameters. The APs are configured in WDS/repeater mode. One AP is configured as a base station, while the others are configured as remote stations. The base station can be connected to a cabled segment. The remote stations must not be connected to cabled segments. The remote stations can accept connections from wireless stations and forward all traffic to the base station.

Another use for WDS is to bridge two separate cabled segments. When WDS is configured in bridge mode, the APs will not support wireless clients; they simply forward traffic between the cabled segments.

Term
wireless LAN controller
Definition
Rather than configure each device individually, enterprise wireless solutions such as those manufactured by Cisco, Ruckus, or Ubiquiti allow for centralized management and monitoring of the APs on the network.
A wireless controller is an enterprise-level appliance capable of supporting up to 1500 APs and 20,000 clients.
Term
WIRELESS LAN CONTROLLERS
Definition

An AP whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller is known as a fat AP, while one that requires a wireless controller in order to function is known as a thin AP. Cisco wireless controllers usually communicate with the APs by using the Lightweight Access Point Protocol (LWAPP). LWAPP allows an AP configured to work in lightweight mode to download an appropriate SSID, standards mode, channel, and security configuration. Alternatives to LWAPP include the derivative Control And Provisioning of Wireless Access Points (CAPWAP) protocol or a proprietary protocol.

As well as autoconfiguring the appliances, a wireless controller can aggregate client traffic and provide a central switching and routing point between the WLAN and wired LAN. It can also assign clients to separate VLANs. Automated VLAN pooling ensures that the total number of stations per VLAN is kept within specified limits, reducing excessive broadcast traffic. Another function is to supply power to wired access points, using Power over Ethernet (PoE).

Term

Ad Hoc Topology
peer-to-peer 

Definition

In an ad hoc topology, the wireless adapter allows connections to and from other devices. In 802.11 documentation, this is referred to as an Independent Basic Service Set (IBSS). This topology does not require an access point. All the stations within an ad hoc network must be within range of one another. An ad hoc network might suit a small workgroup of devices, or connectivity to a single device, such as a shared printer, but it is not scalable to large network implementations.

Term
Mesh Topology
Definition

The 802.11s standard defines a Wireless Mesh Network (WMN). There are also various proprietary mesh protocols and products. Unlike an ad hoc network, nodes in a WMN (called mesh stations) are capable of discovering one another and peering, forming a Mesh Basic Service Set (MBSS). The mesh stations can perform path discovery and forwarding between peers using a routing protocol, such as the Hybrid Wireless Mesh Protocol (HWMP).

These features make a mesh topology more scalable than an ad hoc topology because the stations do not need to be within direct radio range of one another; a transmission can be relayed by intermediate stations. Mesh topologies are becoming increasingly popular and are the foundation of most Internet of Things (IoT) networks.

Term
Speed 
Definition

§  Speed is the data rate established at the physical and data link layers. The nominal link speed is determined by standards support (Wi-Fi 5 or Wi-Fi 6, for instance), use of bonded channels, and optimizations, such as MU-MIMO. If the sender and receiver are far apart or subject to interference, a lower rate will be negotiated to make the link more reliable.

Term
Throughput 
Definition

§  Throughput is the amount of data that can be transferred at the network layer, discarding overhead from layers 1 and 2. Often the term goodput is used to describe data transfer achieved at the application layer (accounting for overhead from header fields and packet loss/retransmissions).

Term
radio frequency (RF) attenuation 
Definition
As the distance from the antenna increases, the strength of the signal decreases in accordance with the inverse-square rule. For example, doubling the distance decreases the signal strength by a factor of four. Meanwhile, interference sources collectively overlay a competing background signal, referred to as noise. These factors impose distance limitations on how far a client can be from an access point.
Term
Received Signal Strength Indicator (RSSI) 
Definition

The Received Signal Strength Indicator (RSSI) is the strength of the signal sent from the transmitter measured at the receiver on the client end. When you are measuring RSSI, dBm will be a negative value (a fraction of a milliwatt) with values closer to zero representing better performance. A value around -65 dBm represents a good signal, while anything beyond -80 dBm is likely to suffer packet loss or be dropped. The RSSI must exceed the minimum receiver sensitivity.

Term
Signal-To-Noise Ratio (SNR). 
Definition
The comparative strength of the data signal to the background noise is called the Signal-To-Noise Ratio (SNR). Noise is also measured in dBm, but here values closer to zero are less welcome as they represent higher noise levels.

RSSI and SNR can be measured by using a Wi-Fi analyzer.
Term
unidirectional antennas 
A unidirectional antenna is only suitable for point-to-point connections, not for general client access. 
Definition

To extend the signal to a particular area, you can use an antenna focused in a single direction (unidirectional). Both the sender and receiver must use directional antennas, or one will be able to receive signals but not send responses. Unidirectional antenna types include the Yagi (a bar with fins) and parabolic (dish or grid) form factors.

Unidirectional antennas are useful for point-to-point wireless bridge connections. The increase in signal strength obtained by focusing the signal is referred to as the gain and is measured in dBi (decibel isotropic). The amount of directionality, referred to as the beamwidth, is measured in degrees. A pair of 10-degree antennas are very highly directional and will require more exact alignment than a pair of 90-degree antennas.

Term
Polarization 
Definition
Polarization refers to the orientation of the wave propagating from the antenna. If 
Term

Effective Isotropic Radiated Power (EIRP) is calculated as the sum of transmit power, antenna cable/connector loss, and antenna gain.

As a general rule of thumb, AP power should be 2/3rds of the weakest client power. For example, if the weakest client can output 14 dBm, the AP should transmit at 9 to 10 dBm.

Definition

The EIRP for each radio is reported through the access point or controller management software. EIRP must not exceed regulatory limits. Power limits are different for the 2.4 GHz and 5 GHz bands and for point-to-multipoint versus point-to-point operation modes.

Term

There are two main types of channel interference:

Definition

§  Co-channel interference (CCI)-This can be more accurately described as contention. When multiple access points use the same channel, opportunities to transmit are reduced. The wireless devices must use CSMA/CA to find opportunities to transmit. CCI can be measured as a percentage referred to as channel utilization. Channel utilization can be measured from the access point or using a Wi-Fi analyzer. As a design goal, a channel should exhibit no more than 50% utilization.

§  Adjacent channel interference (ACI)-This occurs when access points are configured to use different but overlapping channels, such as 1 and 3 in the 2.4 GHz band. ACI slows down the CSMA/CA process and raises noise levels.

Term
Apart from channel interference described earlier, there are several other sources of interference to consider:
Definition

§  Refraction-Glass or water can cause radio waves to bend and take a different path to the receiver. This can also cause the data rate to drop.

§  Absorption-This refers to the degree to which walls and windows will reduce signal strength (some of the radio wave's energy is lost as heat when passing through construction materials). An internal wall might "cost" 3 to 15 dB, depending on the material used (concrete being the most effective absorber). The 2.4 GHz frequency has better penetration than the 5 GHz one, given the same power output. To minimize absorption from office furniture (and people), use ceiling-mounted APs.

§  Electromagnetic interference (EMI)-Interference from a powerful radio or electromagnetic source working in the same frequency band, such as a Bluetooth device, cordless phone, or microwave oven.

Term
Wi-Fi Protected Access (WPA) 
Definition

The first version of Wi-Fi Protected Access (WPA) was designed to fix critical vulnerabilities in the earlier wired equivalent privacy (WEP) standard. Like WEP, version 1 of WPA uses the RC4 stream cipher to encrypt traffic but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to try to mitigate the various attacks against WEP that had been developed.

Neither WEP nor the original WPA version are considered secure enough for continued use. They can be exploited by various types of replay attack that aim to recover the encryption key.

Term
WPA2
Definition

WPA2 uses the Advanced Encryption Standard (AES) cipher deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES replaces RC4 and CCMP replaces TKIP. CCMP provides authenticated encryption, which is designed to make replay attacks harder.

Weaknesses have also been found in WPA2, however, which has led to its intended replacement by WPA3.

Term

PERSONAL AUTHENTICATION

Definition
Wi-Fi authentication comes in three types: personal, open, and enterprise. Within the personal authentication category, there are two methods: pre-shared key authentication (PSK) and simultaneous authentication of equals (SAE).
Term

WPA2 Pre-Shared Key Authentication

Definition

In WPA2, pre-shared key (PSK) authentication uses a passphrase to generate the key that is used to encrypt communications. It is also referred to as group authentication because a group of users share the same secret. When the access point is set to WPA2-PSK mode, the administrator configures a passphrase of between 8 and 63 characters. This is converted to a type of hash value, referred to as the pairwise master key (PMK). The same secret must be configured on the access point and on each node that joins the network. The PMK is used as part of WPA2's 4-way handshake to derive various session keys.

All types of Wi-Fi PSK authentication have been shown to be vulnerable to attacks that attempt to recover the passphrase. At a minimum, the passphrase must be at least 14 characters long to try to mitigate risks from cracking.

Term

WPA3 Personal Authentication

Definition

While WPA3 still uses a passphrase to authenticate stations in personal mode, it changes the method by which this secret is used to agree session keys. The scheme used is also referred to as Password Authenticated Key Exchange (PAKE). In WPA3, the Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake, which has been found to be vulnerable to various attacks.

Term
WPA3-Enterprise 
Definition
Term

CLIENT DISASSOCIATION ISSUES

Definition

In the normal course of operations, an access point and client use management frames to control connections. The access point normally broadcasts a beacon frame to advertise service capabilities. Clients can choose to first authenticate and then associate to an access point when they move into range of the beacon. The client or access point can use disassociation and/or deauthentication frames to notify the other party that it has ended a connection. A legitimate client might disassociate but not deauthenticate because it is roaming between wireless access points in an extended service area. A client might "flap" between two access points, causing numerous disassociations and reassociations. Investigate the access point or controller event log to identify the cause of disassociations.

If clients are disassociated unexpectedly and there is no roaming, interference, or driver issue, you should consider the possibility of a malicious attack. A disassociation attack exploits the lack of encryption in management frame traffic to send spoofed frames. One type of disassociation attack injects management frames that spoof the MAC address of a single victim station in a disassociation notification, causing it to be disconnected from the network. Another variant of the attack broadcasts spoofed frames to disconnect all stations. Frames can be spoofed to send either disassociation or deauthentication notifications.

Disassociation/deauthentication attacks may be used to perform a denial of service attack against the wireless infrastructure or to exploit disconnected stations to try to force reconnection to a rogue WAP. Disassociation/deauthentication attacks might also be used in conjunction with a replay attack aimed at recovering the network key.

Term
open authentication
Configuring an access point for open authentication means that the client is not required to authenticate.
Definition

Configuring an access point for open authentication means that the client is not required to authenticate. This mode would be used on a public AP or "hotspot". In WPA/WPA2, this also means that data sent over the link is unencrypted. Open authentication may be combined with a secondary authentication mechanism managed via a browser. When the client associates with the open hotspot and launches the browser, the client is redirected to a captive portal or splash page. This will allow the client to authenticate to the hotspot provider's network (over HTTPS, so the login is secure). The portal may also be designed to enforce terms and conditions and/or take payment to access the Wi-Fi service.

Term

OPEN AUTHENTICATION AND CAPTIVE PORTAL ISSUES

Definition

The captive portal should use HTTPS. The redirect itself can only be injected into plain HTTP requests: an intercepted HTTPS request produces a certificate error rather than the portal page, and a site protected by HSTS will not be downgraded, which is why client operating systems detect captive portals by probing a known plain-HTTP URL. The captive portal therefore also needs to be installed with a digital certificate issued by a certification authority (CA) that is trusted by the client browser; otherwise users are trained to click through certificate warnings.

When using open wireless, users must ensure they send confidential web data only over HTTPS connections and only use email, VoIP, IM, and file transfer services with SSL/TLS enabled. Another option is for the user to join a virtual private network (VPN). The user would associate with the open hotspot then start the VPN connection. This creates an encrypted "tunnel" between the user's computer and the VPN server, so that nobody eavesdropping on the open Wi-Fi network can read the user's web, email, or other traffic. The VPN could be provided by the user's company or by a third-party VPN service provider. If using a third party, the user needs to be able to trust them implicitly, because the provider sees everything that leaves the tunnel. The VPN client must authenticate the server (by certificate) before the "inner" user authentication takes place, so that an attacker on the hotspot cannot impersonate the VPN gateway and capture the user's credentials.

 

 

Term
T-CARRIER AND LEASED LINE PROVIDER LINKS
Definition

 T-carrier is based on Time Division Multiplexing (TDM). The protocol assigns each circuit (or channel) a time slot. Each 64 Kbps channel provides enough bandwidth for a digitized voice call.

This service comprises 24 channels multiplexed into a single 1.544 Mbps full duplex digital connection that can be used for voice and/or data. The T1 lines themselves can be multiplexed to provide even more bandwidth.

A T1 line from the service provider is terminated at the demarc on a smartjack or Network Interface Unit (NIU). The smart jack has an RJ-48C or RJ-48X interface on the customer side that is used to connect to the customer’s Channel Service Unit/Data Service Unit (CSU/DSU) . The cabling from the smart jack to the CSU/DSU can use an ordinary RJ-45 patch cord (up to 3 meters/10 feet in length), but a shielded two-pair 22 AWG cable with connectors wired for RJ-48 is required for any distance longer than that.

The RJ-48X jack has a shorting bar to provide loopback on the connection if the equipment on the customer side is unplugged. This allows the service provider to test the line remotely.

The DSU encodes the signal from Data Terminal Equipment (DTE), that is, the company's private branch exchange (PBX) internal telecoms system and/or an IP router, into a serial digital signal transmitted over copper wiring. The DSU part functions as a digital modem, while the CSU terminates the line and performs diagnostic tests (such as loopback) on it. The devices can be supplied separately, but more typically they are combined as a single WAN interface card that can be plugged into a compatible router or PBX.

At the data link layer, T1 leased lines typically use either High-level Data Link Control (HDLC) or Point-to-Point Protocol (PPP).

Term
Digital subscriber line (DSL)
Definition

Digital subscriber line (DSL) is a technology for transferring data over voice-grade telephone lines, often referred to as the local loop. DSL uses the frequencies above those used by the human voice as a full duplex communications channel.

Term

FIBER TO THE CURB

Definition

The major obstacle to providing WAN access that can approach LAN performance is bandwidth in the last mile, where the copper wiring infrastructure is generally not good. The projects to update this wiring to use fiber optic links are referred to by the umbrella term Fiber to the X (FTTx).

 

 

The most expensive solution is Fiber to the Premises (FTTP) or its residential variant Fiber to the Home (FTTH). The essential point about both these implementations is that the fiber link is terminated at the demarc. Other solutions can variously be described as Fiber to the Node (FTTN) or Fiber to the Curb (FTTC). These retain some sort of copper wiring to the demarc while extending the fiber link to a communications cabinet servicing multiple subscribers. The service providers with their roots in telephone networks use Very high-speed DSL (VDSL) to support FTTC. VDSL (G.993) achieves higher bit rates than other DSL types at the expense of range. It allows for both symmetric and asymmetric modes. Over 300 m (1000 feet), an asymmetric link supports 52 Mbps downstream and 6 Mbps upstream, while a symmetric link supports 26 Mbps in both directions. VDSL2 specifies a very short range (100 m/300 feet) rate of 100 Mbps (bi-directional).

Term
Data Over Cable Service Interface Specification (DOCSIS)
Definition

Coax cabling links the premises in a street to a Cable Modem Termination System (CMTS), which routes data traffic via the fiber backbone to the ISP's Point of Presence (PoP) and from there to the Internet. Cable based on the Data Over Cable Service Interface Specification (DOCSIS) supports downlink speeds of up to 38 Mbps (North America) or 50 Mbps (Europe) and uplinks of up to 27 Mbps per channel. DOCSIS version 3 allows the use of multiplexed (bonded) channels to achieve higher bandwidth.

Term

 

DSL Types

Definition

§  Symmetrical DSL (SDSL) is so-called because it provides the same downlink and uplink bandwidth. There are various types of symmetric DSL service. SDSL services tend to be provided as business packages, rather than to residential customers.

 

§  Asymmetrical DSL (ADSL) is a consumer version of DSL that provides a fast downlink but a slow uplink. There are various iterations of ADSL, with the latest (ADSL2+) offering downlink rates up to about 24 Mbps and uplink rates up to 3.3 Mbps. Service providers may impose usage restrictions to limit the amount of data downloaded per month. Actual speed may be affected by the quality of the cabling in the consumer's premises and between the premises and the exchange, and by the number of users connected to the same DSLAM (contention).

Term

Metro Ethernet / Carrier Ethernet

Definition

The term Metro Ethernet refers to Carrier Ethernet where the geographic scope is limited to a single city. Carrier Ethernet can use different types of physical connectivity. Some examples include:

§  Ethernet over Fiber-Uses the IEEE 802.3 10GBASE-LR and 10GBASE-ER specifications.

§  Ethernet over Copper-Uses DSL variants such as single-pair high-speed DSL (SHDSL) and VDSL to overcome the usual distance limitations of copper Ethernet. This does not support anything like the same speeds as LAN Ethernet (more typically 2-10 Mbps), but multiple pairs can be aggregated for higher bandwidth.

Term
Carrier Ethernet service types (E-line and E-LAN)
Definition

§  E-line-Establishes a point-to-point link between two sites. Multiple E-lines can be configured on a single Metro Ethernet interface, with each E-line representing a separate VLAN.

 

§  E-LAN-Establishes a mesh topology between multiple sites.

Term
passive optical network (PON)
100 Mbps up to 1 Gbps
Definition

In a PON, a single fiber cable runs from an optical line terminal (OLT) at the nearest exchange to a passive optical splitter located in the street. The splitter needs no power and fans the backhaul fiber out to subscribers at ratios such as 1:64 or 1:128, each subscriber being served by a shorter length of fiber to an optical network unit (ONU) or optical network terminal (ONT) installed at the demarc. In the common GPON/EPON designs, the downstream signal is broadcast to every ONT behind the splitter and each ONT filters out its own frames, while upstream transmissions are time-slotted; because every ONT on the branch physically receives the downstream traffic of all the others, GPON encrypts downstream frames (AES) under a key specific to each ONT. Variants that give each subscriber its own wavelength (WDM-PON) also exist. The ONU/ONT converts the optical signal to an electrical one and is connected to the customer's router using a copper wire patch cord.

Term
very small aperture terminal (VSAT)
Digital Video Broadcast Satellite (DVB-S)
Definition

To create a satellite Internet connection, the ISP installs a satellite dish, referred to as a very small aperture terminal (VSAT), at the customer's premises and aligns it with the orbital satellite. The size of a VSAT ranges from 1.2 to 2.4 meters in diameter. The satellites are in geostationary orbit over the equator, so in the northern hemisphere the dish will be pointing south. The antenna is connected via coaxial cabling to a Digital Video Broadcast Satellite (DVB-S) modem.

Term

Remote access policy restrictions

Definition

The remote access policy should then implement the measures identified through compiling the documentation. Typical policy restrictions would be:

§  Restricting access to defined users or groups.

§  Restricting access to defined times of day or particular days of the week.

§  Restricting privileges on the local network (ideally, remote users would only be permitted access to a clearly defined part of the network).

 

§  Logging and auditing access logons and attempted logons.

Term

Point-to-Point Protocol

Definition

VPNs depend on tunneling protocols. Tunneling is used when the source and destination hosts are on the same logical network but connected via different physical networks. The Point-to-Point Protocol (PPP) is an encapsulation protocol that works at the Data Link layer (Layer 2). PPP is used to encapsulate IP packets for transmission over serial digital lines. PPP's own authentication options (PAP and CHAP) provide no confidentiality and no integrity protection for the data, so it must be used with other protocols to provision a secure tunnel.

Term

Generic Routing Encapsulation (GRE)

Definition

Where PPP works at Layer 2, Generic Routing Encapsulation (GRE) works at Layer 3. A GRE packet can itself encapsulate an IP packet (or most other network layer protocol types) as its payload. The "outer" packet carries IP protocol number 47 and has its own IP header with its own source and destination address fields. The GRE packet is then itself encapsulated in a Layer 2 frame for transmission to the next hop router. Each intermediate router inspects only the outer IP header to determine the forwarding destination; the inner addresses are invisible to transit routers and to any ACL they apply. At the final destination, the receiving router de-encapsulates the GRE packet to extract the inner IP payload and forwards that inner packet to its destination. GRE has no mechanism for authenticating or encrypting traffic (the optional key field is only a tunnel identifier), so it is used with other protocols, typically IPSec, in a VPN solution.
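As an added example, not taken from the card text or from any vendor's implementation, here is a Python builder and parser for the outer IPv4 + GRE + inner IPv4 structure just described. The addresses, the GRE key value and the inner_destination_allowed policy check are assumptions for the example; the header layouts follow RFC 791 and RFC 2784/2890.

```python
import socket
import struct
from ipaddress import ip_address, ip_network

IP_PROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
# GRE flag bits in the first 16-bit word of the header (RFC 2784 / RFC 2890)
GRE_CHECKSUM = 0x8000
GRE_KEY = 0x2000
GRE_SEQUENCE = 0x1000


def ipv4_checksum(header):
    """One's-complement checksum over the IPv4 header; verifies to 0 on a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_gre(inner_packet, key=None):
    """GRE header carrying an IPv4 packet. The optional key is a demultiplexing tag
    sent in plaintext; it is not an authenticator."""
    flags = GRE_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner_packet


def parse_ipv4(packet):
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "ttl": packet[8],
            "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
            "payload": packet[ihl:total_len]}


def parse_gre(packet):
    """Decapsulate outer IPv4 + GRE; return the outer header, GRE fields and inner packet."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IP_PROTO_GRE:
        raise ValueError("not a GRE packet (IP protocol %d)" % outer["proto"])
    gre = outer["payload"]
    flags, proto = struct.unpack("!HH", gre[:4])
    offset = 4
    fields = {"flags": flags, "proto": proto, "key": None, "seq": None}
    if flags & GRE_CHECKSUM:
        offset += 4                       # checksum + reserved1 words
    if flags & GRE_KEY:
        fields["key"] = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_SEQUENCE:
        fields["seq"] = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    inner = parse_ipv4(gre[offset:]) if proto == ETHERTYPE_IPV4 else {"raw": gre[offset:]}
    return {"outer": outer, "gre": fields, "inner": inner}


def inner_destination_allowed(decap, allowed_prefixes):
    """Policy a decapsulating router should apply: the inner destination must fall inside a
    prefix this tunnel may reach. Transit routers only ever saw the outer addresses."""
    dst = ip_address(decap["inner"]["dst"])
    return any(dst in ip_network(p) for p in allowed_prefixes)


# Constructed example: 10.1.1.10 sends UDP to 10.2.2.20 through a GRE tunnel between
# gateways 203.0.113.1 and 198.51.100.2, using GRE key 42 as the tunnel identifier.
INNER = build_ipv4("10.1.1.10", "10.2.2.20", 17, b"hello")
OUTER = build_ipv4("203.0.113.1", "198.51.100.2", IP_PROTO_GRE, build_gre(INNER, key=42))

if __name__ == "__main__":
    d = parse_gre(OUTER)
    print("outer", d["outer"]["src"], "->", d["outer"]["dst"], "proto", d["outer"]["proto"])
    print("inner", d["inner"]["src"], "->", d["inner"]["dst"], "key", d["gre"]["key"])
    print("inner destination allowed:", inner_destination_allowed(d, ["10.2.0.0/16"]))
```

The point the parser makes explicit: a transit router or firewall that sees only the outer header knows it is forwarding protocol 47 between two gateway addresses and nothing more, so any policy on what may enter the private network has to be applied after decapsulation, as inner_destination_allowed does. The GRE key is readable and replayable by any on-path observer; only IPSec (or another authenticating protocol) around the GRE packet gives the tunnel integrity.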

Term

IP Security (IPSec)

Definition

Internet Protocol Security (IPSec) also operates at the network layer (Layer 3) of the OSI model to encrypt packets passing over any network. IPSec is often used with other protocols to provide connection security, but is increasingly used as a native VPN protocol.

Term

Transport Layer Security

Definition

Transport Layer Security (TLS) over TCP or datagram TLS (DTLS) over UDP can be used to encapsulate frames or IP packets. The main drawback is that as TLS already operates at the session layer, the headers from the inner and outer packets add up to a significant overhead.

Term
Client-to-site 
Definition

Client-to-site is the "telecommuter" model, allowing home-workers and employees working in the field to connect to the corporate network.

Client-to-site VPNs can be configured using a number of protocols. An SSL/TLS VPN solution uses certificates to establish the secure tunnel. One example is Microsoft's Secure Socket Tunneling Protocol (SSTP). The Layer 2 Tunneling Protocol (L2TP), an IETF standard derived from Cisco's L2F and Microsoft's PPTP, is also widely used; because L2TP itself provides no encryption, it is run in conjunction with IPSec (L2TP/IPSec).

Term
Split tunnel
Definition

Split tunnel-the client accesses the Internet directly using its "native" IP configuration and DNS servers, and only traffic for the corporate network goes through the VPN.

Term
Full tunnel
Definition

Full tunnel-Internet access is mediated by the corporate network, which will alter the client's IP address and DNS servers and may use a proxy.

Full tunnel offers better security, because all of the client's traffic passes through the corporate security controls and there is no unmonitored path to the Internet while the VPN is up, but the network address translations and DNS operations required may cause problems with some websites, especially cloud services. It also means more data is channeled over the link and the connection can exhibit higher latency.

Term
HTML5 VPN or clientless VPN 
Definition
The canvas element introduced in HTML5 allows a browser to draw and update a desktop with relatively little lag. It can also handle audio. This allows ordinary browser software to connect to a remote desktop or VPN. This is referred to as an HTML5 VPN or clientless VPN (for example, Apache Guacamole, guacamole.apache.org). This solution also uses a protocol called WebSockets, which enables bidirectional messages to be sent between the server and client without requiring the overhead of separate HTTP requests.
Term

SITE-TO-SITE VIRTUAL PRIVATE NETWORKS

Definition
A VPN can also be deployed in a site-to-site model to connect two or more private networks. A site-to-site VPN is configured to operate automatically. The gateways exchange security information using whichever protocol the VPN is based on. This establishes a trust relationship between the gateways and sets up a secure connection through which to tunnel data. Hosts at each site do not need to be configured with any information about the VPN. The routing infrastructure at each site determines whether to deliver traffic locally or send it over the VPN tunnel. This is also referred to as compulsory tunneling. Compulsory tunnels can be in place permanently (static), or they can be put in place based on the data or client type (dynamic).
Term
hub and spoke topology
Definition
A site-to-site VPN that involves more than two sites connects the remote sites (or spokes) to a headquarters site (hub) by using static tunnels configured between the hub and each spoke. This is referred to as a hub and spoke topology. The VPN router installed in the central office or hub needs to be a powerful machine capable of aggregating high traffic volumes.
Term
VPN headend
Definition
The VPN router installed in the central office or hub needs to be a powerful machine capable of aggregating high traffic volumes. This VPN router is also referred to as a VPN headend. VPN headends would normally be installed in groups for load balancing and fault tolerance. A VPN headend must be able to scale to meet changing demand levels. The VPN routers installed at the spokes, are referred to as branch office routers.
Term
dynamic multipoint VPN (DMVPN)
Definition

A dynamic multipoint VPN (DMVPN) allows VPNs to be set up dynamically according to traffic requirements and demand. The original concept was developed by Cisco but has been adopted by other vendors and now runs on diverse router platforms. DMVPN allows for the use of a dynamic mesh topology between multiple remote sites, effectively setting up direct VPNs, rather than the remote sites having to route traffic via the hub. Each site can communicate with all other spokes directly no matter where they are located.

Term
configure a DMVPN
Definition

To configure a DMVPN, each remote site's router is still connected to the hub router using an IPSec-protected tunnel. As a large percentage of a remote site's traffic is likely to be with the main HQ, this ensures this normal traffic is dealt with efficiently. If two remote sites (spokes) wish to communicate with one another, the spoke instigating the link informs the hub. The hub provides the connection details for the other spoke, allowing a dynamic IPSec tunnel to be created directly between the two spokes. This process uses the Next Hop Resolution Protocol (NHRP) to map the other spoke's tunnel address to its public address, and multipoint GRE tunneling to carry the traffic: packets are GRE-encapsulated and the GRE packets are then encrypted by IPSec (GRE over IPSec). The two remote sites use the physical communications links between the two locations, but all traffic flows over the temporary, encrypted VPN tunnel set up between them. DMVPN then decides how long this temporary tunnel remains in place based on timers and traffic flows.

In this way, DMVPN allows remote sites to connect with each other over the public WAN or Internet, such as when using video conferencing, but doesn't require a static VPN connection between sites. This on-demand deployment of IPSec VPNs is more efficient. Routing policies can be used to select the most reliable path between the remote sites, which potentially reduces the chance of latency and jitter affecting any voice/video services running over the VPN.

Term

INTERNET PROTOCOL SECURITY

Definition

Internet Protocol Security (IPSec) can be used to secure IPv4 and/or IPv6 communications on local networks and as a remote access protocol.

 

Each host that uses IPSec must be assigned a policy. An IPSec policy sets the authentication mechanism and also the protocols and mode for the connection. The two hosts must have at least one security method in common for a connection to be established. There are two core protocols in IPSec, which can be applied singly or together, depending on the policy.

Term
There are two core protocols in IPSec, which can be applied singly or together, depending on the policy.
Definition

Authentication Header

The Authentication Header (AH) protocol computes a keyed hash (an HMAC) over the whole packet, including the IP header, using a shared secret key known only to the communicating hosts, and places the result in its header as an Integrity Check Value (ICV). Fields of the IP header that legitimately change in transit (TTL, DSCP/ECN, flags, fragment offset, and header checksum) are treated as zero when the hash is computed. The recipient performs the same function on the packet and key and should derive the same value to confirm that the packet has not been modified. The payload is not encrypted, so this protocol does not provide confidentiality. Also, the inclusion of the IP address fields in the ICV means that the check will fail across NAT gateways, where the address is rewritten. Consequently, AH is not often used.

Term

Encapsulating Security Payload (ESP)

Definition

Encapsulating Security Payload (ESP) provides confidentiality and/or authentication and integrity. It can be used to encrypt the packet rather than simply calculating a hash. ESP attaches three fields to the packet: a header (carrying the Security Parameter Index and a sequence number), a trailer (providing padding for the cryptographic function), and an Integrity Check Value. Unlike AH, ESP excludes the IP header when calculating the ICV, so it survives address rewriting by NAT; where a NAT device cannot pass IP protocol 50, ESP is carried inside UDP port 4500 (NAT traversal, NAT-T). In an IPSec datagram using ESP, the TCP header and payload from the original packet are encapsulated within ESP and encrypted to provide confidentiality.
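The NAT behaviour of AH versus ESP is easier to see in code. The following Python example is added here and is not from the card set; it models AH transport mode and ESP transport mode with NULL encryption (RFC 2410) so that the integrity calculation stays visible, using HMAC-SHA-256 truncated to 128 bits as RFC 4868 specifies. The key, addresses, SPI values and payload are constructed for the example, and the IPv4 header checksum is left at zero.

```python
import hashlib
import hmac
import socket
import struct

IP_PROTO_ESP = 50
IP_PROTO_AH = 51
IP_PROTO_TCP = 6
ICV_LEN = 16   # HMAC-SHA-256 truncated to 128 bits (RFC 4868)

# Constructed demo key; a real SA key is negotiated by IKE, never embedded in code.
KEY = b"constructed-demo-key-do-not-reuse"


def ipv4_header(src, dst, proto, ttl, payload_len):
    """20-byte IPv4 header. The checksum is left at zero: it is a mutable field that AH
    excludes from its ICV anyway, so it plays no part in what this example shows."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ah_immutable_view(ip_hdr):
    """Zero the IPv4 fields RFC 4302 declares mutable in transit (DSCP/ECN, flags and
    fragment offset, TTL, header checksum). The addresses stay in, which is the point."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def _icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(src, dst, ttl, inner_proto, payload, spi, seq, key=KEY):
    """AH transport mode: immutable parts of the IP header, the AH header and the payload
    are all covered by the ICV (computed with the ICV field itself set to zero)."""
    ah_fixed = struct.pack("!BBHII", inner_proto, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IP_PROTO_AH, ttl, 12 + ICV_LEN + len(payload))
    icv = _icv(key, ah_immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(pkt, key=KEY):
    ip_hdr, rest = pkt[:20], pkt[20:]
    if ip_hdr[9] != IP_PROTO_AH:
        return False
    ah_fixed, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    expected = _icv(key, ah_immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(icv, expected)


def esp_protect(src, dst, ttl, inner_proto, payload, spi, seq, key=KEY):
    """ESP transport mode with NULL encryption: the ICV covers the ESP header (SPI, sequence
    number), payload and trailer, never the IP header. A real SA would also encrypt
    payload + trailer (AES-GCM or AES-CBC from a crypto library)."""
    esp_hdr = struct.pack("!II", spi, seq)
    pad_len = (-(len(payload) + 2)) % 4          # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, inner_proto])
    body = esp_hdr + payload + trailer
    esp = body + _icv(key, body)
    return ipv4_header(src, dst, IP_PROTO_ESP, ttl, len(esp)) + esp


def esp_verify(pkt, key=KEY):
    ip_hdr, esp = pkt[:20], pkt[20:]
    if ip_hdr[9] != IP_PROTO_ESP:
        return False
    return hmac.compare_digest(esp[-ICV_LEN:], _icv(key, esp[:-ICV_LEN]))


def router_hop(pkt):
    """Ordinary forwarding: decrement the TTL."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]


def source_nat(pkt, new_src):
    """What a NAT gateway does to an outbound packet: rewrite the source address."""
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]


def demo():
    payload = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.1\r\n"   # constructed TCP-like payload
    ah = ah_protect("192.168.1.10", "203.0.113.5", 64, IP_PROTO_TCP, payload, spi=0x100, seq=1)
    esp = esp_protect("192.168.1.10", "203.0.113.5", 64, IP_PROTO_TCP, payload, spi=0x200, seq=1)
    tampered_esp = esp[:32] + b"PUT" + esp[35:]             # flip "GET" to "PUT" in the payload
    return {
        "ah_after_hop": ah_verify(router_hop(ah)),                                 # TTL is mutable
        "ah_after_nat": ah_verify(source_nat(router_hop(ah), "198.51.100.7")),     # address is not
        "esp_after_nat": esp_verify(source_nat(router_hop(esp), "198.51.100.7")),  # header not covered
        "esp_tampered": esp_verify(tampered_esp),                                  # payload is covered
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-14s %s" % (name, "verifies" if ok else "REJECTED"))
```

ah_after_hop passes because TTL is one of the mutable fields AH zeroes before hashing, while ah_after_nat fails because the source address is covered by the ICV; the ESP packet verifies after the same NAT rewrite because its ICV starts at the ESP header, and esp_tampered shows that ESP still detects changes to what it does cover.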

Term
Internet Key Exchange (IKE) 
Definition

IPSec's encryption and hashing functions depend on shared secrets. The secrets must be established between the two hosts, and the hosts must confirm one another's identity (mutual authentication). The Internet Key Exchange (IKE) protocol handles this authentication (by pre-shared key, digital certificates, or, in IKEv2, EAP) and the key exchange; the agreed parameters for a given connection are recorded as Security Associations (SAs). IKE runs over UDP port 500 (and 4500 when NAT traversal is in use).

Term
IPSec can be used in two modes
Definition

§  Transport mode-this mode is used to secure communications between hosts on a private network (an end-to-end implementation). When ESP is applied in transport mode, the IP header for each packet is not encrypted, just the payload data. If AH is used in transport mode, it can provide integrity for the IP header.

 

§  Tunnel mode-this mode is used for communications between VPN gateways across an unsecure network (creating a VPN). This is also referred to as a router implementation. With ESP, the whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header. AH has no real use case in tunnel mode, as confidentiality will usually be required.

Term
An appliance may support the following interfaces
Definition

§  Console Port-This requires connecting a device running terminal emulator software (a laptop, for instance) to the device via a separate physical interface using a special console (or rollover) cable. The terminal emulator can then be used to start a command line interface (CLI).

§  AUX port-This port is designed to connect to an analog modem and provide remote access over a dial-up link. Once the AUX port is enabled and configured, the modem can be connected to it by using an RS-232 serial cable, a specially wired RJ-45 rollover cable and terminal adapter (RJ-45 to DB9), or a management cable (RJ-45 to DB9). Configure the modem with appropriate serial link settings (refer to the vendor guide), connect it to an appropriate telephone line, and allocate an extension number. A remote host can connect to the appliance CLI by using a terminal emulation program such as HyperTerminal or PuTTY.

 

§  Management port-This means configuring a virtual network interface and IP address on the device to use for management functions and connecting to it via one of the normal Ethernet ports. The port must be enabled for this function (some appliances come with a dedicated management port). Using Telnet (unsecure) or Secure Shell (SSH) to connect to a CLI remotely over the management interface in this way is referred to as a virtual terminal.

Term
in-band 
Definition
An in-band management link is one that shares traffic with other communications on the "production" network. The console port is a physically out-of-band management method; the link is limited to the attached device. With an in-band connection, better security can be implemented by using a VLAN to isolate management traffic. This makes it harder for potential eavesdroppers to view or modify traffic passing over the management interface.
Term
out-of-band (OOB)
Definition

When you are using a browser-based management interface or a virtual terminal, the link can be made out-of-band by connecting the port used for management access to physically separate network infrastructure. Obviously, this is costly to implement, but out-of-band management is more secure and means that access to the device is preserved when there are problems affecting the production network.

Term

In band Management

Definition
In-band management involves managing devices through protocols such as Telnet or SSH over the same network that carries production traffic. It is the common approach and supports identity-based access control (each administrator logging in with their own credentials). It is good practice to segregate management traffic from production customer traffic: create a management VLAN, or a loopback interface used as the source and destination for management activities such as device monitoring, system logging, and SNMP.
Term

Out of Band Management

Definition
When the network is down and traffic is not flowing, an alternate path is required to reach the network nodes: a secure remote emergency access path to manage and troubleshoot a device when production traffic is not passing. For critical networks, in-band management tools are not enough. Management over independent, dedicated channels (a console server on a separate network or a dial-up link, for instance) is called out-of-band (OOB) management. OOB provides accessibility when an alternate path to the network nodes is needed.
Term
Digital subscriber line (DSL)
Definition
Digital subscriber line (DSL) is a technology that can transfer data over voice-grade telephone lines, often referred to as the local loop.
Term
Enterprise WAN
Definition

The term enterprise WAN describes a WAN that is used and controlled by a single organization.

 

Term
Fiber to the Premises (FTTP)
Definition

The major obstacle to providing WAN access that can approach LAN performance is bandwidth in the last mile. The most expensive solution is Fiber to the Premises (FTTP).

 

Term
T-Carrier
Definition

T-carrier is a leased-line service based on Time Division Multiplexing (TDM): each 64 Kbps channel is assigned a time slot, and a T1 multiplexes 24 such channels into a single 1.544 Mbps full duplex digital connection that can carry voice and/or data.
Term
VPN
Definition

Most modern remote network access solutions use Internet access infrastructure and set up a secure tunnel for private communications through the internet. This is known as a virtual private network (VPN).

 

Term
Remote Access VPN
Definition

A remote access VPN refers to extending local network access over an intermediate public network so that a remote computer can join the local network.

 

Term
Hub and Spoke VPN
Definition

A site-to-site VPN that involves more than two sites connects the remote sites (or spokes) to a headquarters site (hub) by using static tunnels configured between the hub and each spoke. This is referred to as a hub and spoke topology.

Term
VPN headend
Definition

The VPN router installed at the central office or hub of a hub and spoke VPN, capable of aggregating high traffic volumes; headends are normally installed in groups for load balancing and fault tolerance.
Term
Ethernet over Copper
Definition

Ethernet over Copper uses DSL variants such as single-pair high-speed DSL (SHDSL) and very high-speed DSL (VDSL) to overcome the usual distance limitations of copper Ethernet. This does not support the same speeds as LAN Ethernet (more typically 2-10 Mbps), but the organization can combine multiple pairs for higher bandwidth.

 

Term
Ethernet over Fiber
Definition

Ethernet over Fiber uses the IEEE 802.3 10GBASE-LR and 10GBASE-ER specifications.

 

Term
E-line
Definition

E-line establishes a point-to-point link between two sites. An organization can configure multiple E-lines on a single Metro Ethernet interface, with each E-line representing a separate VLAN.

 

Term
E-LAN
Definition

E-LAN establishes a mesh topology between multiple sites.

 
Term
WAN
Definition

Wide area network (WAN) technologies support data communications over greater distances than LANs. Long-distance communications usually involve the use of public networks. Public networks are owned by telecommunications (telco) companies and provide WAN services to businesses and households.

 

Term
Enterprise WAN
Definition

The term enterprise WAN describes a WAN that is used and controlled by a single organization, as opposed to the public networks owned by telecommunications (telco) companies that provide WAN services to businesses and households.

 

Term
Site-to-Site VPN
Definition

A site-to-site VPN connects two or more private networks through gateways that establish the tunnel automatically; hosts at each site need no VPN configuration, and the routing infrastructure at each site decides whether to deliver traffic locally or send it over the tunnel (compulsory tunneling). When more than two sites are involved, the remote sites (spokes) are typically connected to a headquarters site (hub) in a hub and spoke topology.

Term
Dynamic Multipoint VPN
Definition

A dynamic multipoint VPN (DMVPN) allows VPNs to be set up dynamically according to traffic requirements and demand.DMVPN allows for the use of a dynamic mesh topology between multiple remote sites, effectively setting up direct VPNs, rather than the remote sites having to route traffic via the hub. Each site can communicate with all other spokes directly no matter where they are located.

 

 

Term

Configuration Management

Definition
Configuration management means identifying and documenting all the infrastructure and devices installed at a site. 
Term

Under ITIL, configuration management is implemented using the following elements:

Definition

§  Service assets are things, processes, or people that contribute to the delivery of an IT service. Each asset must be identified by some sort of label.

§  A Configuration Item (CI) is an asset that requires specific management procedures for it to be used to deliver the service. CIs are defined by their attributes.

§  A baseline documents the approved or authorized state of a CI. This allows auditing processes to detect unexpected or unauthorized change. A baseline can be a configuration baseline (the ACL applied to a firewall, for instance) or a performance baseline (such as the throughput achieved by the firewall).

 

§  A Configuration Management System (CMS) is the tools and databases that collect, store, manage, update, and present information about CIs. A small network might capture this information in spreadsheets and diagrams; there are dedicated applications for enterprise CMS.
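One way to make the baseline usable for audit is to compare it mechanically with the running configuration. The Python example below is added here (it is not from the card set or from any CMS product) and works on constructed Cisco-style access-list text: the baseline ACL, the running ACL, and the set of approved changes are all assumptions for the example.

```python
# Constructed Cisco-style ACL text. The baseline is the authorized state recorded in the
# CMS; the running config is what the firewall reports today.
BASELINE_ACL = """\
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 80
 deny ip any any log
"""

RUNNING_ACL = """\
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 3389
 deny ip any any log
"""

# Entries whose addition or removal was approved through a Request for Change (constructed).
APPROVED_CHANGES = {
    "RFC-0031": {"permit tcp host 198.51.100.4 host 203.0.113.10 eq 22"},
}


def acl_entries(config_text):
    """Return the access-list entries in order, ignoring the list header, blank lines and
    comments, and collapsing whitespace so cosmetic differences do not count as drift."""
    entries = []
    for line in config_text.splitlines():
        s = " ".join(line.split())
        if not s or s.startswith("!") or s.startswith("ip access-list"):
            continue
        entries.append(s)
    return entries


def compare_to_baseline(baseline_text, running_text, approved=None):
    """Report drift of the running ACL from its baseline. Order matters for an ACL (first
    match wins), so a reordering of otherwise identical entries is flagged as well."""
    approved_entries = set().union(*(approved or {}).values())
    base, run = acl_entries(baseline_text), acl_entries(running_text)
    base_set, run_set = set(base), set(run)
    added = [e for e in run if e not in base_set]
    removed = [e for e in base if e not in run_set]
    reordered = [e for e in base if e in run_set] != [e for e in run if e in base_set]
    return {
        "added": added,
        "removed": removed,
        "reordered": reordered,
        "unauthorized": [e for e in added + removed if e not in approved_entries],
    }


if __name__ == "__main__":
    report = compare_to_baseline(BASELINE_ACL, RUNNING_ACL, APPROVED_CHANGES)
    for key, value in report.items():
        print(key, value)
```

Entries that appear or disappear without a matching approved change are reported as unauthorized, and because an ACL is evaluated top-down, a reordering of identical entries is flagged too. In practice the running configuration would be pulled from the device over the management interface on a schedule and the report fed back into the change management process.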

Term

 

Change Management

Definition

A documented change management process minimizes the risk of unscheduled downtime by implementing changes in a planned and controlled way. The need to change is often described either as reactive, where the change is forced on the organization, or as proactive, where the need for change is initiated internally. Changes can also be categorized according to their potential impact and level of risk (major, significant, minor, or normal, for instance).

Term

 

Change Management

Definition

In a formal change management process, the need or reasons for change and the procedure for implementing the change is captured in a Request for Change (RFC) document and submitted for approval. The RFC will then be considered at the appropriate level and affected stakeholders will be notified. Major or significant changes might be managed as a separate project and require approval through a Change Advisory Board (CAB).

Term

 

Standard Operating Procedures

Definition

A SOP sets out the principal goals and considerations, such as budget, security, or customer contact standards, for performing a task and identifies lines of responsibility and authorization for performing it. A SOP may also contain detailed steps for completing a task in an approved way, or these steps may be presented as work instructions.

Term

Audit Reports

Definition

An audit report focuses on identifying and recording assets. There are many software suites and associated hardware solutions available to assist with audit tracking and managing inventory. An asset management database can be configured to store as much or as little information as is deemed necessary, though typical data would be type, model, serial number, asset ID, location, user(s), value, and service information. For each asset record, there should also be a copy of or link to the appropriate vendor documentation. This includes both an invoice and warranty/support contract and support and troubleshooting guidance.

Term

Assessment Reports 

Definition

Where an audit report focuses on identifying and documenting assets, an assessment report evaluates the configuration and deployment of those assets, such as deviation from baseline configuration or performance. The report will make recommendations where the network is not meeting goals for performance or security. Audit and assessment reports are often contracted to third parties and might be driven by regulatory or compliance demands.

Term

System Life Cycle 

Definition

One of the functions of auditing and assessment is to manage system life cycle. A system life cycle roadmap refers to the controlled acquisition, deployment, use, and decommissioning of assets. An audit and assessment report can identify assets that are no longer fully supported by the vendor or that otherwise no longer meet performance or security requirements.

Term

Floor Plan 

Definition

A floor plan is a detailed diagram of wiring and port locations. For example, you might use floor plans to document wall port locations and cable runs in an office. Physically accurate floor plans are hard to design and are likely to require the help of an architect or graphics professional.

Term

Wiring Diagram 

Definition

A wiring diagram (or pin-out) shows detailed information about the termination of twisted pairs in an RJ-45 or RJ-48C jack or Insulation Displacement Connector (IDC). You might also use a wiring diagram to document how fiber-optic strands are terminated.

 

 

You should document the wiring diagrams used to terminate twisted pairs. Ethernet is wired by T568A or T568B, and the same standard should be used consistently throughout the network.

Term

Distribution Frame 

Definition
A port location diagram identifies how wall ports located in work areas are connected back to ports in a distribution frame or patch panel and then from the patch panel ports to the switch ports.
Term
Main Distribution Frame (MDF)
Definition
The location for distribution/core level internal switching. The MDF will terminate trunk links from multiple Intermediate Distribution Frames (IDFs). The MDF also serves as the location for termination of external (WAN) circuits. You should ensure that WAN links to the Internet or to remote offices from the MDF are clearly labeled and that key information such as IP addresses and bandwidth is documented. The WAN provider will assign a circuit ID, and you will need to quote this if raising any sort of support issue.
Term
Intermediate Distribution Frame (IDF)
Definition
In a large network, one or more IDFs provide termination for access layer switches that serve a given area, such as a single office floor. Each IDF has a trunk link to the MDF. Make sure that these are clearly labeled and distinct from access ports.
Term

Site Survey Report 

Definition

A wireless site survey report overlays a floor plan with graphics showing signal strength and channel utilization at different points in the building.

Term
Incident Response Plan
Definition
An incident response plan sets out the procedures, tools, methods of communication, and guidelines for dealing with security incidents. An incident is an event in which security is breached or a breach is attempted. Incident response is one of the most difficult areas of security to plan for and implement because its aims can be incompatible:

1.    The immediate aim is usually to protect confidential data or minimize the impact of its loss, and to re-establish a secure working system.

2.    It may also be important to preserve evidence of the incident with the aim of prosecuting the perpetrators. Forensic evidence collection can interfere with re-establishing availability, however.

3.    Follow-up or lessons-learned analysis attempts to prevent recurrence of similar incidents.

Term
Disaster Recovery Plan
Definition
Where incident response is focused on individual security policy violations, a disaster recovery plan (DRP) addresses large-scale incidents. These will typically be incidents that threaten the performance or security of a whole site. A DRP should accomplish the following:

§  Identify scenarios for natural and non-natural disasters and options for protecting systems.

§  Identify tasks, resources, and responsibilities for responding to a disaster. Disaster recovery focuses on tasks such as switching services to failover systems or sites and restoring systems and data from backups.

§  Train staff in the disaster planning procedures and how to react well to adverse events.

Term
Business Continuity Plan
Definition
Where disaster recovery focuses on plans for specific scenarios, a business continuity plan (BCP) or continuity of operations plan (COOP) is a collection of processes and resources that enable an organization to maintain normal business operations in the face of some adverse event. Continuity planning activity focuses on the functions performed by a business or other organization:

§  Business impact analysis (BIA) identifies mission essential and primary business functions and the risks that would arise if the organization cannot fulfill them.

§  IT contingency planning (ITCP) or IT service continuity planning (ITSCP) ensures that these functions are supported by resilient IT systems, working to identify and mitigate all single points of failure from a process or function.

Term
Password Policy
Definition
A password policy instructs users on best practice in choosing and maintaining a network access credential. Password protection policies mitigate the risk of attackers compromising an account and using it to launch other attacks on the network. For example, users must be instructed not to write down passwords, store them in unsecured files, or share them with other users. The credential management policy also needs to alert users to different types of social engineering and phishing attacks.

System-enforced policies can help to enforce credential management principles by stipulating requirements for user-selected passwords. The following rules enforce password complexity and make passwords difficult to guess or compromise:

§  Length-The longer a password, the stronger it is. A typical strong network password should be 12 to 16 characters. A longer password or passphrase might be used for mission-critical systems or devices where logon is infrequent.

§  Complexity-Varying the characters in the password makes it more resistant to dictionary-based attacks.

§  Aging and history-Requiring that the password be changed periodically and preventing the reuse of previously selected passwords.
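The three system-enforced rules above (length, complexity, aging and history) as a working check. This is an added example, not code from the flashcard set; the policy values, the Credential record and the PBKDF2 storage format are assumptions, and the history check deliberately compares salted hashes rather than keeping old passwords in plaintext.

```python
"""Added example, not code from the flashcard set: a system-enforced
check for the three password rules (length, complexity, aging/history).
Policy values and the stored-credential format are assumptions; a real
deployment keeps these records in a directory or database."""
import hashlib
import os
import string
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed policy parameters; tune to the environment.
MIN_LENGTH = 12        # cards: 12-16 characters for a typical strong password
MIN_CLASSES = 3        # of the four classes: lower, upper, digit, symbol
HISTORY_DEPTH = 5      # previous passwords that may not be reused
MAX_AGE_DAYS = 90      # aging: force a change after this many days
PBKDF2_ROUNDS = 100_000


def _digest(password: str, salt: bytes) -> bytes:
    # Store only salted PBKDF2 hashes so history entries are not reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    set_at: float                                   # epoch seconds
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol appear in the password."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def violations(candidate: str, cred: Optional[Credential]) -> List[str]:
    """Return the policy rules a proposed password breaks (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"length < {MIN_LENGTH}")
    if character_classes(candidate) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if cred is not None:
        # History rule: hash the candidate with each stored salt and compare digests.
        previous = [(cred.salt, cred.digest)] + cred.history[-HISTORY_DEPTH:]
        if any(_digest(candidate, salt) == digest for salt, digest in previous):
            problems.append("reuses a previous password")
    return problems


def is_expired(cred: Credential, now: Optional[float] = None) -> bool:
    """Aging rule: True once the password is older than MAX_AGE_DAYS."""
    now = time.time() if now is None else now
    return (now - cred.set_at) > MAX_AGE_DAYS * 86400


def set_password(cred: Optional[Credential], new_password: str, now: float) -> Credential:
    """Apply the policy, then rotate: the old hash moves into the history list."""
    problems = violations(new_password, cred)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    history = [] if cred is None else (cred.history + [(cred.salt, cred.digest)])[-HISTORY_DEPTH:]
    return Credential(salt, _digest(new_password, salt), now, history)
```

Note that the complexity rule is a count of character classes, so a long all-lowercase passphrase is rejected by this check even though it may be stronger than a short mixed one; a site that prefers passphrases should raise MIN_LENGTH and lower MIN_CLASSES rather than drop the history rule.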

Term
Acceptable Use Policies
Definition
An acceptable use policy (AUP) sets out the permitted uses of a product or service. It might also state explicitly prohibited uses. Such a policy might be used in different contexts. For example, an AUP could be enforced by a business to govern how employees use equipment and services, such as telephone or Internet access, provided to them at work. Another example might be an ISP enforcing a fair use policy governing usage of its Internet access services.

Term
BYOD Policies
Definition
A mobile deployment model describes the way employees are provided with smartphone or tablet devices and applications. Some companies issue employees with corporate-owned and controlled devices and insist that only these are used to process company data. Other companies might operate a bring your own device (BYOD) policy. BYOD means that the mobile is owned by the employee and can be used on the corporate network so long as it meets a minimum specification required by the company (in terms of OS version and functionality). The employee will have to agree to the installation of corporate apps and to some level of oversight and auditing. Very often, BYOD devices are registered with enterprise management software and configured with sandboxed corporate workspaces and apps.

Term
Data loss prevention (DLP)  
Definition

Data loss prevention (DLP) products scan content in structured formats (such as a database with a formal access control model) or unstructured formats, such as email or word processing documents. DLP products use some sort of dictionary database or algorithm (regular expression matching) to identify confidential or personal/sensitive data. The transfer of content to removable media or by email or to social networking or cloud storage services can then be blocked if it does not conform to a predefined policy.
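The regular-expression matching and policy decision described above, as an added example that is not part of the flashcard set. The patterns, the destination list and the sample documents are constructed for illustration; the Luhn checksum step is what keeps a random 16-digit reference number from being flagged as a payment card number, a common source of DLP false positives.

```python
"""Added example, not code from the flashcard set: the dictionary/regex
matching a DLP product applies to outbound content, with a Luhn check so
that arbitrary digit runs are not reported as card numbers. Patterns,
destinations and sample documents are constructed."""
import re
from typing import List, Tuple

# Assumed policy: what counts as confidential or personal data.
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "classification_marker": re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.I),
}

# Assumed channels the policy treats as exfiltration paths.
UNTRUSTED_DESTINATIONS = {"email-external", "usb", "cloud-storage", "social"}


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum used by payment card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (category, matched_text) for each policy hit in the content."""
    hits = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if name == "credit_card":
                digits = re.sub(r"\D", "", value)
                # Looks like a PAN but fails the checksum: treat as a false positive.
                if not (13 <= len(digits) <= 16 and luhn_valid(digits)):
                    continue
            hits.append((name, value))
    return hits


def policy_decision(text: str, destination: str) -> str:
    """BLOCK a transfer of sensitive content to an untrusted channel, else ALLOW."""
    if find_sensitive(text) and destination in UNTRUSTED_DESTINATIONS:
        return "BLOCK"
    return "ALLOW"


# Constructed sample content, as a DLP agent would see it on an outbound transfer.
SAMPLE_CLEAN = "Constructed sample: lunch is at noon, call ext 5551."
SAMPLE_SENSITIVE = "Constructed sample: card 4111 1111 1111 1111, SSN 123-45-6789"
SAMPLE_FALSE_POSITIVE = "Constructed sample: order ref 1234 5678 9012 3456"
```

The decision is deliberately coarse (any hit to any untrusted channel blocks); real products score by category and count, and apply different actions (block, encrypt, alert) per channel.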

Term
Remote Access Policies
Definition
Where employees are assigned the right to connect to the corporate network from a remote location using a VPN, their use of remote access privileges must be governed by technical and policy controls. Some of the issues that must be mitigated include the following:

§  Malware protection-The computer may not be accessible to network systems used to update and enforce malware protection. This may have to be left to the end user. If a worm or Trojan is installed, network security may be compromised.

§  Security information-Authentication information may be stored on the client (saving a password, for instance), making the network vulnerable if the computer is stolen.

§  Data transfer-Files copied to the client may no longer be properly secured, raising the potential that confidential information could be stolen along with the device.

§  Local privileges-The user of a remote computer might be configured with administrative privileges but have no understanding of how such privileges can be exploited or misused. They might install unauthorized software on the machine or make it more vulnerable to malware by browsing the web using their administrative account.

§  Weak authentication-Relying on a username and password combination is simply not secure enough in a remote access scenario. Two-factor authentication using smart cards or biometric recognition in addition to a PIN or password should be enforced. If this is not an option, a strong password policy must be enforced, and users made aware of the very real risks of writing down or sharing their password.

§  Untrusted networks-The user might configure weak authentication on a home wireless network or use a public access point, raising the risk of snooping attacks.

Term
service level agreement (SLA)  
Definition

A service level agreement (SLA) is a contractual agreement setting out the detailed terms under which an ongoing service is provided. This can be a legally binding formal contract between supplier and customer businesses or a less formal agreement, such as an SLA agreed between internal departments. SLA requirements define aspects of the service, such as scope, performance characteristics, and responsibilities, that are agreed upon between the service provider and the customer.

Term

Non-Disclosure Agreement 

Definition

A non-disclosure agreement (NDA) is the legal basis for protecting information assets. It defines what uses of sensitive data are permitted, what storage and distribution restrictions must be enforced, and what penalties breaches of the agreement will incur. A contract of employment is highly likely to contain NDA clauses. NDAs are also used between companies and contractors and between two companies.

Term

Memorandum of Understanding

Definition

A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together. MOUs are usually intended to be relatively informal and not to act as binding contracts. MOUs almost always have clauses stating that the parties shall respect confidentiality, however.

Term
Badge reader 
Definition
A photographic ID badge showing name and access level is one of the cornerstones of building security. A smart badge comes with an integrated chip and data interface that stores the user’s key pair and digital certificate. The user presents the card and enters a PIN and then the card uses its cryptographic keys to authenticate securely via the entry point’s badge reader. A smart badge is either contact based, meaning that it must be physically inserted into a reader, or contactless, meaning that data is transferred using a tiny antenna embedded in the card. The ISO has published various ID card standards to promote interoperability, including ones for smart cards (ISO 7816 for contact and ISO 14443 for contactless types).
Term
Biometric 
Definition
An electronic lock may also be integrated with a biometric scanner. A biometric device is activated by human physical features, such as a fingerprint, voice, retina, or signature. Each user’s biometric is recorded as a template and stored on an authentication server. To gain access, the user’s biometric is scanned again by a fingerprint reader or iris/retina scanner and compared to the template scan.
Term
access control vestibule  
Definition
An access control vestibule is where one gateway leads to an enclosed space protected by another barrier.
Term

Asset Tags 

Definition

An asset tag shows the ID of a device or component and links it to an inventory management database. Radio Frequency ID (RFID) asset tracking tags allow electronic surveillance of managed assets. The tags can be detected at entry/exit points to prevent theft. A battery-powered component might be in the tag, or the tag might be passive and read and scanned by a powered device. The tags are entered into a tracking database, which also usually has a map of the coverage area so that a particular asset can be located.

Term

Alarms and Tamper Detection

Definition

Alarms provide a detection-based security mechanism, though an audible alarm can also be an effective deterrent by causing the attacker to abandon the intrusion attempt. There are two main types:

§  Circuit-A circuit-based alarm sounds when the circuit is opened or closed, depending on the type of alarm. This could be caused by a door or window opening or by a fence being cut. A closed-circuit alarm is more secure because an open-circuit alarm can be defeated by cutting the circuit. This type of system can be used for tamper detection.

§  Motion detection-A motion-based alarm is linked to a detector triggered by any movement within a relatively large area, such as a room. The sensors in these detectors are either microwave radio reflection (similar to radar) or passive infrared (PIR), which detect moving heat sources.

Term
Protected Distribution System (PDS)
Definition

Another potential threat is that an attacker could splice a tap into network data cable. A physically secure cabled network is referred to as a Protected Distribution System (PDS). A hardened PDS is one where all cabling is routed through sealed metal conduit and subject to periodic visual inspection. Lower grade options are to use different materials for the conduit (plastic, for instance). Tamper detection alarm systems can be implemented within the cable conduit.

Term

Media sanitization (overwriting)

Definition

Media sanitization refers to erasing data from HDD, SSD, and tape media before they are disposed of or put to a different use. Methods of destroying media include incineration, pulverization, and degaussing (for magnetic media such as hard drives). The standard method of sanitizing an HDD for reuse is overwriting. This can be performed using the drive's firmware tools or a utility program. The basic type of overwriting is zero filling, which just sets each bit to zero. Single-pass zero filling can leave patterns that can be read with specialist tools. A more secure method is to overwrite the content with one pass of all zeros, then a pass of all ones, and then one or more additional passes in a pseudorandom pattern.

Term

Secure Erase

Definition

Since 2001, the SATA and Serial Attached SCSI (SAS) specifications have included a Secure Erase (SE) command. This command can be invoked using a drive/array utility or the hdparm Linux utility. On HDDs, this performs a single pass of zero-filling.

For SSDs, hybrid drives, and some USB thumb drives and flash memory cards, software overwriting methods are not reliable, because the drive controller's wear-leveling routines decide which physical locations each write actually lands in. Software accessing the device cannot target every cell, so stale copies of data can survive an overwrite. On SSDs, the SE command marks all blocks as empty. A block is the smallest unit on flash media that can be given an erase command. The drive firmware's automatic garbage collector then performs the actual erase of each block over time. If this process is not completed (and there is no progress indicator), there is a risk of remnant recovery, though this requires removing the chips from the device to analyze them in specialist hardware.

Term

Instant Secure Erase 

Definition

HDDs and SSDs that are self-encrypting drives (SEDs) support another option, invoking a SANITIZE command set in SATA and SAS standards from 2012 to perform a crypto erase. Drive vendors implement this as Instant Secure Erase (ISE). With an SED, all data on the drive is encrypted using a media encryption key. When the erase command is issued, the MEK is erased, rendering the data unrecoverable.

Term
Internet of Things (IoT)  
Definition

The term Internet of Things (IoT) is used to describe the global network of personal devices, home appliances, home control systems, vehicles, and other items that have been equipped with sensors, software, and network connectivity. These features allow these types of objects to communicate and pass data between themselves and other traditional systems like computer servers. This is often referred to as Machine to Machine (M2M) communication.

Term

IoT hub/control system and smart devices

Definition

§  Hub/control system-IoT devices usually require a communications hub to facilitate wireless networking. There must also be a control system, as most IoT devices are headless, meaning they have no user control interface. A headless hub could be implemented as a smart speaker operated by voice control, or use a smartphone/PC app for configuration.

§  Smart devices-IoT endpoints implement the function, such as a smart lightbulb, refrigerator, thermostat/heating control, or doorbell/video entry phone that you can operate remotely. These devices are capable of compute, storage, and network functions that are all potentially vulnerable to exploits. Most smart devices use a Linux or Android kernel. Because they are effectively running mini-computers, smart devices are vulnerable to some of the standard attacks associated with web applications and network functions. Integrated peripherals such as cameras or microphones could be compromised to facilitate surveillance.

Term

Physical Access Control Systems and Smart Buildings

Definition

A physical access control system (PACS) is a network of monitored locks, intruder alarms, and video surveillance cameras. A building automation system (BAS) or smart building for offices and datacenters can include PACS, but also network-based configuration and monitoring of heating, ventilation, and air conditioning (HVAC), fire control, power and lighting, and elevators and escalators. These subsystems are implemented by programmable logic controllers (PLCs) and various types of sensors that measure temperature, air pressure, humidity, room occupancy, and so on.

Term
industrial control system (ICS) 
distributed control system (DCS)
programmable logic controllers (PLCs)
Definition

An industrial control system (ICS) provides mechanisms for workflow and process automation. An ICS controls machinery used in critical infrastructure, like power suppliers, water suppliers, health services, telecommunications, and national security services. An ICS that manages process automation within a single site is usually referred to as a distributed control system (DCS).

An ICS comprises plant devices and equipment with embedded PLCs. The PLCs are linked by a cabled network to actuators that operate valves, motors, circuit breakers, and other mechanical components, plus sensors that monitor some local state, such as temperature. Output and configuration of a PLC is performed by one or more human-machine interfaces (HMIs). An HMI might be a local control panel or software running on a computing host. PLCs are connected within a control loop, and the whole process automation system can be governed by a control server. Another important concept is the data historian, which is a database of all the information generated by the control loop.

Term
supervisory control and data acquisition (SCADA)
Definition

A supervisory control and data acquisition (SCADA) system takes the place of a control server in large-scale, multiple-site ICSs. SCADA systems typically run as software on ordinary computers, gathering data from and managing plant devices and equipment with embedded PLCs, referred to as field devices. SCADA systems typically use WAN communications, such as cellular or satellite, to link the SCADA server to field devices.

Term

Operational Technology Networks

Definition

A cabled network for industrial applications is referred to as an operational technology (OT) network. These typically use either serial data protocols or industrial Ethernet. Industrial Ethernet is optimized for real-time, deterministic transfers. Such networks might use vendor-developed data link and networking protocols, as well as specialist application protocols.

Term

Cellular Networks

Definition

A cellular network for IoT enables long-distance communication over the same system that supports mobile and smartphones. This is also called baseband radio, after the baseband processor that performs the function of a cellular modem. There are several baseband radio technologies:

Term
Narrowband-IoT (NB-IoT)
Definition
this refers to a low-power version of the Long Term Evolution (LTE) or 4G cellular standard. The signal occupies less bandwidth than regular cellular. This means that data rates are limited (20-100 kbps), but most sensors need to send small packets with low latency, rather than making large data transfers. Narrowband also has greater penetrating power, making it more suitable for use in inaccessible locations, such as tunnels or deep within buildings, where ordinary cellular connectivity would be impossible.
Term
LTE Machine Type Communication (LTE-M)
Definition
LTE-M is another low-power system, but it supports higher bandwidth (up to about 1 Mbps).
Term

Z-Wave

Definition

Z-Wave is a wireless communications protocol used primarily for home automation. The Z-Wave Alliance operates a certification program for devices and software. Z-Wave creates a mesh network topology. Devices can be configured to work as repeaters to extend the network, but there is a limit of four "hops" between a controller device and an endpoint. Z-Wave has been registered in most countries worldwide and uses radio frequencies in the high 800 to low 900 MHz range. It is designed to run for long periods (years) on battery power.

Term
Cameras
Definition

A security camera is either fixed or operated using Pan-Tilt-Zoom (PTZ) controls. Different cameras suit different purposes. A fixed, narrow focal length camera positioned on the doorway is adequate to record images of individuals entering through an access control vestibule.

Term
Circuit-based alarm
Definition

A circuit-based alarm sounds when the circuit is opened or closed, depending on the type of alarm.

Term
Motion Detection
Definition

A motion-based alarm is an alarm linked to a detector triggered by movement within a relatively large area, such as a room.

Term
 (PACS)
Definition
A physical access control system (PACS) is a network of monitored locks, intruder alarms, and video surveillance cameras.
Term
Degauss
Definition

Degaussing a hard drive will cause it to be inoperable. This method is best for disposal, not reuse.

Term
Factory Reset
Definition

When a server or appliance is disposed of by resale, gift, or recycling, there is a risk that software licenses could be misused or valuable configuration information leaked to an attacker. Invoking the built-in factory reset routine to wipe any custom configuration settings or modifications when decommissioning a server, switch, router, firewall, or printer can mitigate these risks.

Term
Circuit
Definition

A circuit-based alarm sounds when the circuit is opened or closed, depending on the type of alarm. The trigger could be a door or window opening or a fence being cut.

Term
Closed-Circuit
Definition
A closed-circuit alarm is more secure because an open circuit alarm can be defeated by cutting the circuit. This type of system can be used for tamper detection.
Term
Incident Response Plan
Definition

An incident response plan sets out the procedures, tools, methods of communication, and guidelines for dealing with security incidents.

Term
Security Response
Definition

Security response plans and procedures establish what to do when certain types of events occur. These plans attempt to minimize impacts by anticipating adverse events.

Term
Service Level Agreement
Definition

A service level agreement (SLA) is a contractual agreement setting out the detailed terms of an ongoing service. This can be a legally binding formal contract between supplier and customer businesses or a less formal agreement, such as an SLA between internal departments.

Term
availability 
Definition
Availability is the percentage of time that the system is online, measured over a certain period, typically one year. 
Term
High availability  
Definition
High availability is a characteristic of a system that can guarantee a certain level of availability.
Term
Maximum Tolerable Downtime (MTD)
Definition

The Maximum Tolerable Downtime (MTD) metric states the availability requirement for a business function: the longest period for which the function can be unavailable before the loss becomes unacceptable to the business. Expressed as an availability percentage, the annual downtime budget is:

Availability    Annual MTD (hh:mm:ss)
99.9999%        00:00:32
99.999%         00:05:15
99.99%          00:52:34
99.9%           08:45:36
99%             87:36:00
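How the table above is derived, and how to use it in the other direction, as an added example that is not part of the flashcard set. It assumes a non-leap 365-day year (which is what the table's figures correspond to) and rounds to the nearest second, so the 99.99% row comes out as 00:52:34 from 3153.6 seconds.

```python
"""Added example, not code from the flashcard set: convert an
availability target to an annual downtime budget (the MTD table) and
check a list of outages against that budget. Assumes a 365-day year."""
from typing import List

SECONDS_PER_YEAR = 365 * 24 * 3600


def annual_downtime_seconds(availability_pct: float) -> float:
    """Downtime allowed per year for a given availability percentage."""
    return SECONDS_PER_YEAR * (1 - availability_pct / 100)


def hhmmss(seconds: float) -> str:
    """Format seconds as hh:mm:ss, rounding to the nearest second (hours may exceed 24)."""
    total = round(seconds)
    hours, rem = divmod(total, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


def annual_mtd(availability_pct: float) -> str:
    """One row of the MTD table: availability percentage -> annual downtime string."""
    return hhmmss(annual_downtime_seconds(availability_pct))


def availability_from_downtime(downtime_seconds: float) -> float:
    """Inverse: measured annual downtime -> achieved availability percentage."""
    return 100 * (1 - downtime_seconds / SECONDS_PER_YEAR)


def within_budget(outages_seconds: List[float], availability_pct: float) -> bool:
    """True if the year's outages so far fit inside the downtime budget."""
    return sum(outages_seconds) <= annual_downtime_seconds(availability_pct)


def mtd_table(levels: List[float]) -> List[str]:
    """Reproduce the table above for the given availability levels."""
    return [f"{level}%  {annual_mtd(level)}" for level in levels]
```

A practical use is the within_budget check: three short outages in a quarter can already exhaust a 99.99% target, which is why the RTO and MTTR cards that follow matter as much as the headline percentage.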

Term
Recovery time objective (RTO)  
Definition

Recovery time objective (RTO) is the period following a disaster that an individual IT system may remain offline. This represents the maximum amount of time allowed to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance).

Term
Work Recovery Time (WRT) 
Definition
Following systems recovery, there may be additional work to reintegrate different systems, restore data from backups, test overall functionality, and brief system users on any changes or different working practices so that the business function is again fully supported.
Term
Recovery Point Objective (RPO)
Definition
Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time units. That is, if a database is destroyed by a virus, an RPO of 24 hours means that the data can be recovered from a backup copy to a point not more than 24 hours before the database was infected.
Term
Mean Time Between Failures (MTBF)
Definition

Mean Time Between Failures (MTBF) represents the expected lifetime of a product. The calculation for MTBF is the total operational time divided by the number of failures. For example, if you have 10 appliances that run for 50 hours and two of them fail, the total operational time is 10 * 50 = 500 hours, and the MTBF is 500 hours divided by 2 failures, or 250 hours.

Term
Mean Time to Failure (MTTF)  
Definition
expresses a similar metric for non-repairable components. For example, a hard drive may be described with an MTTF, while a server, which could be repaired by replacing the hard drive, would be described with an MTBF. The calculation for MTTF is the total operational time divided by the number of devices. For example, say two drives were installed in the server in a RAID array. One had failed after 10 years, but had never been replaced, and the second failed after 14 years, bringing down the array and the server. The MTTF of the drives is (10+14)/2 = 12 years.
Term
Mean Time to Repair (MTTR) 
Definition
is a measure of the time taken to correct a fault so that the system is restored to full operation. This can also be described as mean time to replace or recover. MTTR is calculated as the total number of hours of unplanned maintenance divided by the number of failure incidents. This average value can be used to estimate whether a recovery time objective (RTO) is achievable.
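The MTBF, MTTF and MTTR calculations from the three cards above, carried through in code as an added example that is not part of the flashcard set. The sample inputs are the cards' own worked numbers plus a constructed repair log; the inherent-availability formula MTBF / (MTBF + MTTR) is standard reliability engineering and is not on the cards.

```python
"""Added example, not code from the flashcard set: the reliability
metrics from the MTBF, MTTF and MTTR cards, with the cards' worked
numbers as constructed sample data, plus the standard inherent-availability
estimate MTBF / (MTBF + MTTR) that relates them to an availability target."""
from typing import Dict, List


def mtbf(total_operational_hours: float, failures: int) -> float:
    """Repairable items: total operating time divided by the number of failures."""
    if failures == 0:
        raise ValueError("MTBF is undefined until at least one failure has been observed")
    return total_operational_hours / failures


def mttf(lifetimes_hours: List[float]) -> float:
    """Non-repairable items: mean of each unit's time to failure."""
    return sum(lifetimes_hours) / len(lifetimes_hours)


def mttr(unplanned_repair_hours: List[float]) -> float:
    """Mean time to repair: unplanned maintenance hours divided by failure incidents."""
    return sum(unplanned_repair_hours) / len(unplanned_repair_hours)


def inherent_availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Fraction of time the system is up, from the steady-state up/down cycle."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def rto_check(unplanned_repair_hours: List[float], rto_hours: float) -> Dict[str, bool]:
    """MTTR says whether the RTO is achievable on average; the mean hides the tail,
    so the worst observed repair is reported alongside it."""
    return {
        "mean_within_rto": mttr(unplanned_repair_hours) <= rto_hours,
        "worst_within_rto": max(unplanned_repair_hours) <= rto_hours,
    }


# Constructed sample data, taken from the cards' worked examples.
APPLIANCE_MTBF = mtbf(total_operational_hours=10 * 50, failures=2)   # 250 h
DRIVE_MTTF_YEARS = mttf([10, 14])                                    # 12 years
REPAIR_LOG_HOURS = [2.0, 4.0, 3.0]                                    # constructed incident log
```

The rto_check result is the practitioner's caveat on the MTTR card: an average repair time under the RTO does not mean every incident will be, so compare the RTO against the worst case as well as the mean.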
Term
Redundant spares
Definition
Components such as power supplies, network cards, drives (RAID), and cooling fans provide protection against hardware failures. A fully redundant server configuration is configured with multiple components for each function (power, networking, and storage). A faulty component will then automatically failover to the working one.
Term
Network links
Definition
If there are multiple paths between switches and routers, these devices can automatically failover to a working path if a cable or network port is damaged.
Term
Uninterruptible power supplies (UPSs) and standby power supplies
Definition
Provide power protection in the event of complete power failure (blackout) and other types of building power issues.
Term
Backup strategies 
Definition
Provide protection for data.
Term
Cluster services 
Definition
A means of ensuring that the total failure of a server does not disrupt services generally.
Term
disaster 
Definition

A disaster could be anything from a loss of power or failure of a minor component to manmade or natural disasters, such as fires, earthquakes, or acts of terrorism.

Term
hot site
Definition

A hot site can fail over almost immediately. It generally means that the site is already within the organization's ownership and is ready to deploy. For example, a hot site could consist of a building with operational computer equipment that is kept updated with a live data set.

Term
warm site
Definition

A warm site could be similar, but with the requirement that the latest data set will need to be loaded.

Term
cold site
Definition

A cold site takes longer to set up. A cold site may be an empty building with a lease agreement in place to install whatever equipment is required when necessary.

Term
power distribution unit (PDU).  
Definition

A PDU has circuitry to "clean" the power signal, provides protection against spikes, surges, and brownouts, and can integrate with an uninterruptible power supply (UPS).

Term
uninterruptible power supply (UPS) 
Definition
At the system level, an uninterruptible power supply (UPS) will provide a temporary power source in the event of a blackout. 
Term
Generators
Definition
The runtime allowed by a UPS should be sufficient to fail over to an alternative power source, such as a standby generator. A backup power generator can provide power to the whole building, often for several days. Most generators use diesel, propane, or natural gas as a fuel source. A UPS is always required to protect against any interruption to computer services, because a backup generator cannot be brought online fast enough to respond to a power failure.
Term
State/bare metal 
Definition

§  A snapshot-type image of the whole system. This can be re-deployed to any device of the same make and model as a system restore.

Term
Configuration file 
Definition
A copy of the configuration data in a structured format, such as extensible markup language (XML). This file can be used in a two-stage restore where the OS or firmware image is applied first (or a new appliance provisioned) and then the configuration is restored by importing the backup file.
Term
Multipathing 
Definition
Multipathing means that a network node has more than one physical link to another node. Multipathing is a default feature of full and partial mesh internetworks, where routers can select alternative paths through the network if a link is not available.
Term
SAN multipathing 
Definition
In a SAN, a server uses shared storage accessed over a network link. Multipathing means that the server has at least two SAN controllers each with a dedicated link to the storage network.
Term
Multiple ISPs
Definition

If an organization depends on a single ISP for Internet access, that circuit represents a critical single point of failure. Even if there are multiple circuits to the same ISP, problems within that ISP's routing or DNS infrastructure could result in complete loss of connectivity. Contracting with multiple ISPs and using routing policies to forward traffic over multiple external circuits provides fault tolerance and load balancing. You need to ensure that the ISPs are operating separate infrastructure and not using peering arrangements.

Term
Diverse paths 
Definition
Diverse paths refers to provisioning links over separate cable conduits that are physically distant from one another.
Term

Link aggregation (NIC teaming, port aggregation)

Definition

Link aggregation means combining two or more separate cabled links between a host and a switch into a single logical channel, to minimize or prevent congestion. From the host end, this can also be called NIC teaming; at the switch end, it can be called port aggregation and is referred to by Cisco as an EtherChannel. The term bonding is also widely substituted for aggregation. For example, a single network adapter and cable segment might support 1 Gbps; bonding this with another adapter and cable segment gives a link of 2 Gbps. Link aggregation can also be used in an uplink between two switches, between a switch and a router, or between two routers.

Term
IEEE 802.3ad / 802.1ax
Definition

Link aggregation is typically implemented using the IEEE 802.3ad/802.1ax standard. 802.3ad bonded interfaces are described as a Link Aggregation Group (LAG). 802.3ad also defines the Link Aggregation Control Protocol (LACP), which can be used to detect configuration errors and recover from the failure of one of the physical links.

Term

Load Balancers

Definition

A load balancer can be deployed as a hardware appliance or software instance to distribute client requests across server nodes in a farm or pool.

You can use a load balancer in any situation where you have multiple servers providing the same function. Examples include web servers, front-end email servers, and web conferencing, A/V conferencing, or streaming media servers. The load balancer is placed in front of the server network and distributes requests from the client network or Internet to the application servers. The service address is advertised to clients as a virtual server. This is used to provision services that can scale from light to heavy loads, provision fault tolerant services, and to provide mitigation against distributed denial of service (DDoS) attacks.

Term
Topology of basic load balancing architecture. 
Definition
[image]
Term

There are two main types of load balancers:

Definition

§  Layer 4 switch-Basic load balancers make forwarding decisions on IP address and TCP/UDP header values, working at the transport layer of the OSI model.

§  Layer 7 switch (content switch)-As web applications have become more complex, modern load balancers need to be able to make forwarding decisions based on application-level data, such as a request for a particular URL or data types like video or audio streaming. This requires more complex logic, but the processing power of modern appliances is sufficient to deal with this.

Term
clustering 
Definition

clustering allows multiple redundant processing nodes that share data with one another to accept connections. If one of the nodes in the cluster stops working, connections can failover to a working node. To clients, the cluster appears to be a single server.

Term

Virtual IP
[image] 

Definition

For example, you might want to provision two load balancer appliances so that if one fails, the other can still handle client connections. Unlike load balancing with a single appliance, the public IP used to access the service is shared between the two instances in the cluster. This is referred to as a virtual IP or shared or floating address. The instances are configured with a private connection, on which each is identified by its "real" IP address. This connection runs some type of redundancy protocol, such as Common Address Redundancy Protocol (CARP), that enables the active node to "own" the virtual IP and respond to connections. The redundancy protocol also implements a heartbeat mechanism to allow failover to the passive node if the active one should suffer a fault.

Term
active-passive clustering 
Definition

In the previous example, if one node is active, the other is passive. This is referred to as active-passive clustering. The major advantage of active/passive configurations is that performance is not adversely affected during failover. However, the hardware and operating system costs are higher because of the unused capacity.

Term
active-active cluster 
Definition

An active-active cluster means that both nodes are processing connections concurrently. This allows the administrator to use the maximum capacity from the available hardware while all nodes are functional. In the event of a failover the workload of the failed node is immediately and transparently shifted onto the remaining node. At this time, the workload on the remaining nodes is higher and performance is degraded.

Term
Hot Standby Router Protocol (HSRP)  
Definition

The proprietary Hot Standby Router Protocol (HSRP) developed by Cisco allows multiple physical routers to serve as a single default gateway for a subnet. To do this, each router must have an interface connected to the subnet, with its own unique MAC address and IP address. They must also be configured to share a common virtual IP address and a common virtual MAC address; hosts use the virtual IP as their gateway and never learn which physical router is answering.

Term
Hot Standby Router Protocol (HSRP) explanation [image]
Definition

The group of routers configured in this way is known as a standby group. They communicate among themselves using IP multicast hello messages and choose an active router based on priorities configured by an administrator (the default priority is 100; the highest value wins, with the highest interface IP address breaking ties). The active router responds to any traffic sent to the virtual IP address. Of the remaining routers in the standby group, the router with the next highest priority is chosen as the standby router. The standby router monitors the hellos from the active router and takes over the role if the active router becomes unavailable, also triggering the selection of a new standby router from the remaining routers in the group. By default, a router that returns with a higher priority does not take the active role back unless preemption has been configured.

Term

Virtual Router Redundancy Protocol

Definition

VRRP is the open-standard counterpart of HSRP (RFC 3768 for VRRPv2, RFC 5798 for VRRPv3). In VRRP, the active router is known as the master, and all other routers in the group are known as backup routers. There is no specific standby router; instead, all backup routers monitor the status of the master, and in the event of a failure, a new master router is selected from the available backup routers based on priority. Unlike HSRP, VRRP preempts by default, so a returning higher-priority router takes the master role back.

One advantage of VRRP over HSRP is that it does not require a separate address for the virtual router. A VRRP router whose real interface address is the virtual IP is the address owner and runs with priority 255, so it is always master when it is up. This can be useful on subnets where address space utilization is high.
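The election and failover behaviour behind a virtual IP, whether provided by CARP between two load balancers or by HSRP/VRRP between gateways, as an added Python model that is not part of the deck. Members send periodic hellos; a member not heard from within the hold time drops out of the election; the highest priority (then highest real IP) wins. Router names, addresses, priorities and timers are constructed assumptions; preempt=False models HSRP's default and preempt=True models VRRP's.

```python
# Constructed standby group; addresses, priorities and timers are example
# assumptions. HSRP's default priority is 100 and the highest value wins.
VIRTUAL_IP = "192.0.2.1"
ROUTERS = {
    "r1": {"ip": "192.0.2.2", "priority": 110},
    "r2": {"ip": "192.0.2.3", "priority": 100},
    "r3": {"ip": "192.0.2.4", "priority": 90},
}
HOLD_TIME = 10.0  # seconds without a hello before a peer is presumed dead


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


class StandbyGroup:
    """Election and failover for a shared virtual IP (HSRP/VRRP-style).

    Members exchange periodic hellos; a member not heard from within the hold
    time is removed from the election. preempt=False models HSRP's default
    (a returning higher-priority router does not take over), preempt=True
    models VRRP's default.
    """

    def __init__(self, routers, hold_time=HOLD_TIME, preempt=False):
        self.routers = routers
        self.hold_time = hold_time
        self.preempt = preempt
        self.last_hello = {}   # router -> time of the last hello heard
        self.active = None

    def hello(self, name, now):
        self.last_hello[name] = now

    def alive(self, now):
        return [n for n, t in self.last_hello.items() if now - t <= self.hold_time]

    def _rank(self, name):
        r = self.routers[name]
        return (r["priority"], _ip_key(r["ip"]))   # priority first, then higher real IP

    def election(self, now):
        """Return (active, standby). VRRP has no standby role: every backup watches the master."""
        order = sorted(self.alive(now), key=self._rank, reverse=True)
        if not order:
            self.active = None
            return None, None
        if self.preempt or self.active not in order:
            self.active = order[0]
        standby = next((n for n in order if n != self.active), None)
        return self.active, standby

    def vip_owner(self, now):
        """Real address of the router currently answering for VIRTUAL_IP."""
        active, _ = self.election(now)
        return self.routers[active]["ip"] if active else None


def failover_timeline(preempt=False):
    """Walk a constructed timeline: r1 stops sending hellos after t=0 and returns at t=15."""
    g = StandbyGroup(ROUTERS, preempt=preempt)
    events = []
    for n in ROUTERS:
        g.hello(n, 0.0)
    events.append((0.0, g.election(0.0)))
    for t in (3.0, 6.0, 9.0, 12.0):       # only r2 and r3 keep talking
        g.hello("r2", t)
        g.hello("r3", t)
        events.append((t, g.election(t)))
    for n in ROUTERS:                      # r1 is back
        g.hello(n, 15.0)
    events.append((15.0, g.election(15.0)))
    return events
```

Running failover_timeline() shows r1 remaining active for the whole hold time after its last hello (a real outage is only noticed when the timer expires, which is why hold timers are tuned down on busy gateways), r2 taking over at t=12 with r3 as its standby, and r2 keeping the role when r1 returns unless preemption is on.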

Term
Load Balancer
Definition

A load balancer can be deployed as a hardware appliance or software instance to distribute client requests across server nodes in a farm or pool. A network engineer can also use a load balancer in any situation with multiple servers providing the same function.

 

Term

Multipathing

Definition

Multipathing means that a network node has more than one physical link to another node.

Term
Hot Standby Router
Definition
Term
Virtual IP
Definition

A virtual IP (also called a shared or floating address) is the public address used to reach a service that is shared between two or more instances in a cluster, rather than being tied to a single appliance as in load balancing with one device. It is what allows two load balancer appliances to be provisioned so that either can answer client connections.

 

Term
Layer 2 Switch
Definition
Term
Bridge
Definition

An Ethernet bridge works at the data link layer (layer 2) to establish separate physical network segments while keeping all nodes in the same logical network.

 

Term
Layer 4 Switch
Definition

Layer 4 switch—Basic load balancers make forwarding decisions on IP address and TCP/UDP header values, working at the transport layer of the OSI model.

 

Term
Layer 7 switch
Definition
As web applications have become more complex, modern load balancers need to make forwarding decisions based on application-level data. This requires more complex logic, but the processing power of modern appliances is sufficient.
Term
PDU
Definition

A power distribution unit (PDU) has circuitry to "clean" the power signal. It also provides protection against spikes, surges, and brownouts and can integrate with an uninterruptible power supply (UPS).

 

Term
uninterruptible power supply (UPS) 
Definition

At the system level, an uninterruptible power supply (UPS) will provide a temporary power source in the event of a blackout. UPS runtime may range from a few minutes for a desktop-rated model to hours for an enterprise system.

 

Term
HVAC
Definition

Environmental controls mitigate the loss of availability through mechanical issues with equipment, such as overheating. Building control systems maintain an optimum working environment for different parts of the building. The acronym HVAC (Heating, Ventilation, Air Conditioning) describes these services.

 

Term
Hot Standby Router
Definition

Cisco's proprietary Hot Standby Router Protocol (HSRP) allows multiple physical routers to serve as a single default gateway for a subnet. Each router must have an interface connected to the subnet, with its own unique MAC address and IP address.

 

Term
Mean Time Between Failures (MTBF)
Definition

Mean Time Between Failures (MTBF) represents the expected operating time between failures of a repairable product (it is often loosely described as the product's expected lifetime). The calculation for MTBF is the total operational time divided by the number of failures over that period.

 

Term
Mean Time to Failure (MTTF)
Definition

Mean Time to Failure (MTTF) expresses a similar metric as MTBF, however, for non-repairable components.

 

Term
Mean Time to Repair (MTTR)
Definition

Mean Time to Repair (MTTR) measures the time to correct a fault and restore the system to full operation.
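The three metrics worked through from an outage log, as an added Python example that is not part of the deck. The log (failure and restoration timestamps for one repairable device over a year) is constructed for the example; the formulas follow the cards above, with availability = MTBF / (MTBF + MTTR).

```python
import math
from datetime import datetime

# Constructed outage log for one repairable device (timestamps are example
# assumptions, not data from the page): (failure time, restored time).
OBSERVATION_START = datetime(2023, 1, 1)
OBSERVATION_END = datetime(2023, 12, 31)
OUTAGES = [
    (datetime(2023, 3, 10, 2, 0), datetime(2023, 3, 10, 6, 0)),    # 4 h to repair
    (datetime(2023, 7, 22, 14, 0), datetime(2023, 7, 22, 16, 0)),  # 2 h to repair
    (datetime(2023, 11, 5, 9, 0), datetime(2023, 11, 5, 15, 0)),   # 6 h to repair
]


def hours(delta):
    return delta.total_seconds() / 3600.0


def reliability_metrics(outages, start, end):
    """MTBF, MTTR and availability from an outage log.

    MTBF = operational (up) time / number of failures, as the card defines it;
    MTTR = total repair time / number of failures;
    availability = MTBF / (MTBF + MTTR), which equals uptime / total time.
    """
    total = hours(end - start)
    downtime = sum(hours(restored - failed) for failed, restored in outages)
    uptime = total - downtime
    failures = len(outages)
    mtbf = uptime / failures if failures else float("inf")
    mttr = downtime / failures if failures else 0.0
    availability = mtbf / (mtbf + mttr) if failures else 1.0
    return {"failures": failures, "uptime_h": uptime, "downtime_h": downtime,
            "mtbf_h": mtbf, "mttr_h": mttr, "availability": availability}


def nines(availability):
    """Availability expressed as a count of nines (0.999 -> 3.0)."""
    if availability >= 1.0:
        return float("inf")
    return -math.log10(1.0 - availability)
```

For the constructed log this gives an MTBF of 2908 hours, an MTTR of 4 hours and an availability of 727/728, a little under three nines: the MTTR term is what a responder can actually shorten, and halving it moves availability more than a modest MTBF gain would.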

 

Term
Fingerprinting 
Definition
Fingerprinting allows a threat actor to identify device and OS types and versions.

When a host running a particular operating system responds to a port scan, the syntax of the response might identify the specific operating system. This fact is also true of application servers, such as web servers, FTP servers, and mail servers. The responses these servers make often include headers or banners that can reveal a great deal of information about the server. A threat actor can use this information to probe for known vulnerabilities.
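What a banner actually gives away, as an added Python example that is not part of the deck. The captures below are strings constructed to look like what a scanner records from SSH, FTP, SMTP and HTTP ports (no live host is contacted); the patterns pull out the product, version and OS hints that the card describes a threat actor using to look up known vulnerabilities.

```python
import re

# Constructed banners as a scanner might capture them from open ports.
# The strings are made up for the example; no live host is contacted.
CAPTURES = {
    22: b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n",
    21: b"220 (vsFTPd 3.0.5)\r\n",
    25: b"220 mail.example.test ESMTP Postfix (Debian/GNU)\r\n",
    80: (b"HTTP/1.1 200 OK\r\n"
         b"Server: Apache/2.4.57 (Win64) OpenSSL/3.1.1\r\n"
         b"X-Powered-By: PHP/8.2.7\r\n\r\n"),
    8080: b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",   # version withheld
}

# One pattern per protocol family; the named groups are the facts a banner leaks.
PATTERNS = {
    "ssh": re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)_(?P<version>[\w.]+)(?: (?P<os>\S+))?"),
    "ftp": re.compile(rb"^220 \((?P<product>[A-Za-z]+) (?P<version>[\d.]+)\)"),
    "smtp": re.compile(rb"^220 \S+ ESMTP (?P<product>[A-Za-z]+)(?: \((?P<os>[^)]+)\))?"),
    "http": re.compile(rb"^Server: (?P<product>[\w-]+)(?:/(?P<version>[\w.]+))?(?: \((?P<os>[^)]+)\))?", re.M),
}
PORT_HINTS = {22: "ssh", 21: "ftp", 25: "smtp", 80: "http", 8080: "http", 443: "http"}


def fingerprint(port, data):
    """Extract product/version/OS hints from one banner or response head."""
    family = PORT_HINTS.get(port)
    if family is None:
        return {}
    m = PATTERNS[family].search(data)
    if not m:
        return {}
    facts = {k: v.decode("latin-1") for k, v in m.groupdict().items() if v}
    if family == "http":
        powered = re.search(rb"^X-Powered-By: (?P<v>.+?)\r?$", data, re.M)
        if powered:
            facts["powered_by"] = powered.group("v").decode("latin-1")
    facts["family"] = family
    return facts


def fingerprint_all(captures):
    return {port: fingerprint(port, data) for port, data in captures.items()}
```

The port 8080 capture shows the defensive side: a server configured to withhold its version (for Apache, ServerTokens Prod) still identifies the product, but leaves the attacker without a version to match against a vulnerability database.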
Term
Footprinting
Definition
Footprinting allows a threat actor to discover the topology and general configuration of the network and security systems

Footprinting can be done by social engineering attacks, such as persuading users to give information, or by locating information that has been thrown out as trash (dumpster diving), for instance. Port scanning specifically aims to enumerate the TCP or UDP application ports on which a host will accept connections.

Term
spoofing 
Definition
The term spoofing covers a wide range of different attacks. Spoofing can include any type of attack where the attacker disguises his or her identity, or in which the source of network information is forged to appear legitimate.
Term
Denial of Service Attacks 
Definition

A denial of service (DoS) attack causes a service at a given host to fail or to become unavailable to legitimate users. Resource exhaustion DoS attacks focus on overloading a service by using up CPU, system RAM, disk space, or network bandwidth. It is also possible for DoS attacks to exploit design failures or other vulnerabilities in application software. A physical DoS attack might involve cutting telephone lines or network cabling or switching off the power to a server. DoS attacks may be motivated by the malicious desire to cause trouble. They may also be part of a wider attack, such as the precursor to a spoofing or data exfiltration attack. DoS can assist these attacks by diverting attention and resources away from the real target. For example, a blinding attack attempts to overload a logging or alerting system with events so that the real intrusion is lost in the noise.

Term
on-path attack
Definition

An on-path attack, previously known as a "Man-in-the-Middle (MitM)" attack, is a specific type of spoofing attack where a threat actor compromises the connection between two hosts and transparently intercepts and relays all communications between them. The threat actor might also have the opportunity to modify the traffic before relaying it.

Term

MAC Spoofing and IP Spoofing 

Definition

A host can arbitrarily select any MAC and/or IP address and attempt to use it on the network. A threat actor might exploit this to spoof the value of a valid MAC or IP address to try to circumvent an access control list or impersonate a legitimate server. For this type of attack to succeed, the threat actor must normally disable the legitimate host or there will be duplicate addresses on the network, which will have unpredictable results.

IP spoofing is also used in many denial of service (DoS) attacks to mask the origin of the attack and make it harder for the target system to block packets from the attacking system. In this type of spoofing, the threat actor does not care about not receiving return traffic.

Term

 

ARP Spoofing

Definition

 

ARP spoofing, or ARP cache poisoning, is a common means of perpetrating an on-path attack. It works by broadcasting unsolicited ARP reply packets, also known as gratuitous ARP replies, that map the IP address of a legitimate host or router interface to the attacker's own MAC address. Because ARP has no authentication, all devices in the same broadcast domain as the rogue host trust this communication and update their IP:MAC cache table with the spoofed mapping. The threat actor keeps sending these replies so that its entry overwrites the legitimate one whenever a victim's cache is refreshed.

The usual target will be the subnet's default gateway. If the attack is successful, all traffic destined for remote networks will be sent to the attacker. The threat actor can then perform an on-path attack to monitor the communications and continue to forward them to the router to avoid detection. The attacker could also modify the packets before forwarding them. ARP poisoning could also perform a DoS attack by not forwarding the packets.

Term
Rogue DHCP 
Definition

An on-path attack can also be launched by running a rogue DHCP server. DHCP communications cannot be authenticated, so a host will generally trust the first offer packet that it receives. The threat actor can exploit this to set his or her machine as the subnet's default gateway or DNS resolver.

Term

DNS POISONING ATTACKS

Definition

DNS poisoning is an attack that compromises the name resolution process

 Typically, the attacker will replace the valid IP address for a trusted website, such as mybank.example, with the attacker's IP address. The attacker can then intercept all the packets directed to mybank.example and bounce them to the real site, leaving the victim unaware of what is happening (referred to as pharming). Alternatively, DNS spoofing could be used for a DoS attack by directing all traffic for a particular FQDN to an invalid IP address (a black hole).

 

 

One way to attack DNS is to corrupt the client's name resolution process. This can be accomplished by changing the servers used for resolving queries, intercepting and modifying DNS traffic, or polluting the client's name cache (by modifying the HOSTS file, for instance). DNS server cache poisoning (or pollution) is another redirection attack, but instead of trying to subvert the name service used by the client, it aims to corrupt the records held by the DNS server itself.

Term

 

VLAN HOPPING ATTACKS

Definition

VLAN hopping is an attack designed to send traffic to a VLAN other than the one the host system is in. One form, double tagging, exploits the native VLAN feature of 802.1Q. Native VLANs are designed to provide compatibility with non-VLAN capable switches: frames belonging to the native VLAN are sent over a trunk untagged. The attacker, using a device placed in the native VLAN, crafts a frame with two VLAN tag headers, the outer one matching the native VLAN and the inner one naming the target VLAN. The first switch pops the outer tag and, because the frame belongs to the native VLAN, forwards it over the trunk without adding a tag of its own; the next switch reads the remaining inner tag and delivers the frame to the target VLAN. Such an attack can only send packets one way but could be used to perform a DoS attack against a host on a different VLAN. Double tagging can be mitigated by ensuring that the native VLAN uses a different ID to any user accessible VLAN, and by configuring trunks to tag native VLAN frames as well.

A VLAN hopping attack can also be launched by attaching a device that spoofs the operation of a switch to the network and negotiating the creation of a trunk port. As a trunk port, the attacker's device will receive all inter-VLAN traffic. This attack can be mitigated by ensuring that ports allowed to be used as trunks are pre-determined in the switch configuration and that access ports are not allowed to auto-configure as trunk ports (on Cisco switches, by setting user-facing ports explicitly to access mode and disabling Dynamic Trunking Protocol negotiation with switchport nonegotiate).
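The double-tagging path through two switches, as an added Python simulation that is not part of the deck. It builds a real 802.1Q frame layout with struct (TPID 0x8100 followed by the tag control field), models the first switch popping a tag that matches the access port's VLAN and sending native-VLAN frames untagged over the trunk, and shows which VLAN the second switch delivers the frame to. The MAC addresses, VLAN IDs and dummy payload are constructed for the example; the switch behaviour is a simplified model of the quirk the attack relies on, not a particular vendor's implementation.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vids, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame carrying zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def switch_a_forward(frame, access_vlan, native_vlan, tag_native=False):
    """Switch A: attacker's access port in, 802.1Q trunk out. Returns the wire frame.

    Ingress: the port's VLAN is fixed by configuration. A tag equal to that
    VLAN is accepted and popped (the quirk double tagging relies on).
    Egress: frames in the trunk's native VLAN leave untagged unless the trunk
    is configured to tag the native VLAN; any other VLAN gets a tag pushed.
    """
    dst, src, vids, ethertype, payload = parse_frame(frame)
    if vids and vids[0] == access_vlan:
        vids = vids[1:]
    vlan = access_vlan
    out_vids = vids if (vlan == native_vlan and not tag_native) else [vlan] + vids
    return build_frame(dst, src, out_vids, payload, ethertype)


def switch_b_classify(wire_frame, native_vlan):
    """Switch B: the VLAN a frame arriving on its trunk port is delivered to."""
    _, _, vids, _, _ = parse_frame(wire_frame)
    return vids[0] if vids else native_vlan


def double_tag_attack(access_vlan, native_vlan, target_vlan=20, tag_native=False):
    """Attacker on access_vlan sends outer tag = access_vlan, inner tag = target_vlan."""
    frame = build_frame(mac("ff:ff:ff:ff:ff:ff"), mac("02:00:00:00:00:01"),
                        [access_vlan, target_vlan], b"\x45" + b"\x00" * 19)  # dummy payload
    wire = switch_a_forward(frame, access_vlan, native_vlan, tag_native)
    return switch_b_classify(wire, native_vlan)
```

With the attacker in VLAN 1 and the trunk's native VLAN also 1, the frame lands in VLAN 20. Moving the native VLAN to an unused ID, or tagging the native VLAN on the trunk, keeps it in VLAN 1: the inner tag is then just payload as far as switch B is concerned.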

Term

Rogue Access Points 

Definition

A rogue access point is one that has been installed on the network without authorization, whether with malicious intent or not. A malicious user can set up such an AP with something as basic as a smartphone with tethering capabilities, and a non-malicious user could enable such an AP by accident. If connected to a LAN without security, an unauthorized AP creates a backdoor through which to attack the network.

Term

Evil Twins 

Definition

A rogue AP masquerading as a legitimate one is called an evil twin. An evil twin might advertise a similar network name (SSID) to the legitimate one. For example, an evil twin might be configured with the network name "compeny" where the legitimate network name is "company." Alternatively, the evil twin might spoof the SSID and BSSID (MAC address) of an authorized access point and then the attacker might use some DoS technique to overcome the legitimate AP. After a successful DoS attack, the users will be forced to disconnect from the network and then manually attempt to reconnect. At that point, with many users busy and trying to get back to work, some or all may associate with the evil twin AP and submit the network passphrase or their credentials for authentication.

However it is configured, when a user connects to an evil twin, it might be able to harvest authentication information and, if it is able to provide wider network or Internet access, execute an on-path attack to snoop on connections established with servers or websites.

Term

Deauthentication Attacks 

Definition

The use of an evil twin may be coupled with a deauthentication attack. This sends a stream of spoofed management frames to cause a client to deauthenticate from an AP. This might allow the attacker to interpose the evil twin, sniff information about the authentication process, or perform a denial of service (DoS) attack against the wireless infrastructure. These attacks work against WEP and against WPA/WPA2 networks that do not protect management frames. The attacks can be mitigated if the wireless infrastructure supports Management Frame Protection (MFP/802.11w), which authenticates deauthentication and disassociation frames so that spoofed ones are ignored. Both the AP and clients must be configured to support MFP; WPA3 makes it mandatory.

Term
distributed DoS (DDoS)  
Definition

A distributed DoS (DDoS) attack is launched simultaneously by multiple hosts. Some types of DDoS attack simply aim to consume network bandwidth, denying it to legitimate hosts. Others cause resource exhaustion on the hosts processing requests, consuming CPU cycles and memory. This delays processing of legitimate traffic and could potentially crash the host system completely.

For example, a SYN flood attack works by withholding the client's ACK packet during TCP's three-way handshake. The client's IP address is spoofed, meaning that an invalid or random IP is entered so the server's SYN/ACK packet is misdirected. A server can maintain a queue of pending connections. When it does not receive an ACK packet from the client, it resends the SYN/ACK packet a set number of times before "timing out" and giving up on the connection. The problem is that a server may only be able to manage a limited number of pending connections, which the DoS attack quickly fills up. This means that the server is unable to respond to genuine traffic. Modern TCP stacks mitigate this with SYN cookies, which encode the connection state in the SYN/ACK sequence number so that no queue entry is needed until a valid ACK arrives.
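The half-open queue being exhausted and then recovering, as an added Python model that is not part of the deck. The queue capacity, the retransmission schedule (first SYN/ACK retransmit after one second, doubling, five retries) and the spoofed source addresses are constructed assumptions; the point is to see a legitimate SYN refused while the flood entries are pending and accepted again once they time out.

```python
class SynBacklog:
    """Model of a listener's half-open (SYN_RECV) queue.

    An entry is created when a SYN arrives and SYN/ACK is sent; it stays until
    the client's ACK completes the handshake or the SYN/ACK retransmissions
    are exhausted. Timers are example assumptions: first retransmit after
    rto seconds, doubling each time, `retries` retransmissions in total.
    """

    def __init__(self, capacity, retries=5, rto=1.0):
        self.capacity = capacity
        self.retries = retries
        self.rto = rto
        self.pending = {}        # (src_ip, src_port) -> time the entry gives up
        self.dropped = 0         # SYNs refused because the queue was full

    def lifetime(self):
        """Seconds a half-open entry survives without an ACK."""
        return sum(self.rto * 2 ** i for i in range(self.retries + 1))

    def expire(self, now):
        for key in [k for k, t in self.pending.items() if t <= now]:
            del self.pending[key]

    def on_syn(self, src, now):
        self.expire(now)
        if src in self.pending:
            return "synack-retransmit"
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return "dropped"
        self.pending[src] = now + self.lifetime()
        return "synack"

    def on_ack(self, src, now):
        self.expire(now)
        if self.pending.pop(src, None) is None:
            return "no-match"
        return "established"


def syn_flood(backlog, count, now):
    """Send `count` SYNs from spoofed, unreachable sources; no ACK ever follows."""
    results = {}
    for i in range(count):
        src = (f"203.0.113.{i % 254 + 1}", 1024 + i)   # constructed spoofed sources
        r = backlog.on_syn(src, now)
        results[r] = results.get(r, 0) + 1
    return results
```

With five retries the flood entries hold their slots for 63 seconds, so an attacker only needs to send capacity/63 SYNs per second to keep the queue full indefinitely; that ratio, not raw bandwidth, is what makes the attack cheap and why SYN cookies (no queue entry until the ACK) remove the lever.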

Term

Distributed Reflection DoS/Amplification Attacks 

Definition

A more powerful TCP SYN flood attack is a type of distributed reflection DoS (DRDoS) or amplification attack. In this attack, the adversary spoofs the victim's IP address and attempts to open connections with multiple servers. Those servers direct their SYN/ACK responses to the victim server. This rapidly consumes the victim's available bandwidth.

 

The same sort of technique can be used to bombard a victim network with responses to bogus DNS queries. One of the advantages of this technique is that while the request is small, the response to a DNS query can be made to include a lot of information, so this is a very effective way of overwhelming the bandwidth of the victim network with much more limited resources on the attacker's network. The Network Time Protocol (NTP) can be abused in a similar way.

Term

Botnets 

Definition

A botnet is a group of compromised hosts that can be used to launch DDoS and DRDoS attacks. A threat actor will first compromise one or two machines to use as handlers or herders. The handlers are used to compromise hundreds or thousands or millions of zombie hosts with DoS tools (the bots). To compromise a host, the attacker must install malware that opens a backdoor remote connection. The attacker can then use the malware to install bots and trigger the zombies to launch the attack at the same time. The network established between the handlers and the bots is called a command and control (C-and-C or C2) network.

Term
malware
Definition
Malware can be defined simply as software that does something bad, from the perspective of the system owner.
Some malware classifications, such as Trojan, virus, and worm, focus on the vector used by the malware. The vector is the method by which the malware executes on a computer and potentially spreads to other network hosts.
Term
Viruses and worms
Definition
These represent some of the earliest types of malware and spread without any authorization from the user. A virus conceals itself within the executable code of another program and runs when that program runs; a worm is self-contained and replicates across the network by exploiting vulnerable services, with no user action required.
Term
Trojan
Definition
Malware concealed within an installer package for software that appears to be legitimate. This type of malware does not seek any type of consent for installation and is actively designed to operate secretly.
Term
Potentially unwanted programs (PUPs)/Potentially unwanted applications (PUAs)-
Definition
Software installed alongside a package selected by the user or perhaps bundled with a new computer system. Unlike a Trojan, the presence of a PUP is not automatically regarded as malicious. It may have been installed without active consent or with consent obtained through a purposefully confusing license agreement. This type of software is sometimes described as grayware rather than malware.
Term
Ransomware 
Definition
Ransomware is a type of malware that tries to extort money from the victim. One class of ransomware will display threatening messages, such as requiring Windows to be reactivated or suggesting that the computer has been locked by the police because it was used to view child pornography or for terrorism. This may block access to the computer by installing a different shell program or browser window that is difficult to close, but this sort of attack is usually relatively simple to fix.
Term
crypto-malware  
Definition
The crypto-malware class of ransomware attempts to encrypt data files on any fixed, removable, and network drives. If the attack is successful, the user will be unable to access the files without obtaining the private encryption key, which is held by the attacker. If successful, this sort of attack is extremely difficult to mitigate, unless the user has up to date backups of the encrypted files that the malware could not reach. One example of this is Cryptolocker, a Trojan that searches for files to encrypt and then prompts the victim to pay a sum of money before a certain countdown time, after which the malware destroys the key that allows decryption.
Term
Dictionary
Definition

The software matches the hash to those produced by ordinary words found in a dictionary. This could also include information such as user and company names, pet names, or any other data that people might naively use as passwords.

Term
Brute force
Definition
The software tries to match the hash against one of every possible combination it could be. If the password is short (under eight characters) and non-complex (using only letters, for instance), a password might be cracked in minutes. Longer and more complex passwords increase the amount of time the attack takes to run.
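Both attacks against the same hashes, as an added Python example that is not part of the deck. The target hashes are unsalted SHA-256 of two constructed passwords (chosen so the search finishes in well under a second); the word list and mangling rules stand in for what an attacker assembles from footprinting. Unsalted fast hashes are used only to make the mechanics visible: a real credential store should use a slow, salted KDF (bcrypt, scrypt, Argon2 or PBKDF2), which makes every guess far more expensive and defeats precomputed tables.

```python
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase + string.digits


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed targets: unsalted SHA-256 of two example passwords.
TARGETS = {
    "alice": sha256_hex("Company2023!"),
    "bob": sha256_hex("q7k"),
}
WORDLIST = ["password", "company", "fluffy", "alice"]   # words plus names gathered by footprinting


def mangle(word):
    """Rule-based variants an attacker tries for each dictionary word."""
    variants = set()
    for base in {word.lower(), word.capitalize(), word.upper()}:
        variants.add(base)
        for suffix in ("!", "1", "123", "2022", "2023", "2022!", "2023!"):
            variants.add(base + suffix)
    return variants


def dictionary_attack(targets, wordlist):
    """Hash every mangled word once and look every target hash up in that table."""
    table = {}
    for word in wordlist:
        for candidate in mangle(word):
            table[sha256_hex(candidate)] = candidate
    return {user: table[h] for user, h in targets.items() if h in table}


def brute_force(target_hash, alphabet=ALPHABET, max_len=4):
    """Try every string up to max_len; returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size, max_len):
    """Number of candidates a brute-force search must cover at worst."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))
```

The dictionary pass recovers "Company2023!" with a few dozen hashes because a common word plus year plus symbol is exactly what the rules generate; the short random password falls to brute force in about 23,000 guesses, while keyspace(62, 12) shows why length and a mixed alphabet, not symbols bolted onto a word, are what push the cost out of reach.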
Term
Social engineering 
Definition
Social engineering (or hacking the human) refers to a collection of techniques and tricks designed to make victims reveal confidential information.
Term

Phishing Attacks 

Definition
Phishing is a combination of social engineering and spoofing. It persuades or tricks the target into interacting with a malicious resource disguised as a trusted one, traditionally using email as the vector. A phishing message might try to convince the user to perform some action, such as installing disguised malware or allowing a remote access connection by the attacker. Other types of phishing campaign use a spoof website set up to imitate a bank or e‑commerce site or some other web resource that should be trusted by the target.
Term

Shoulder Surfing

Definition

A threat actor can learn a password or PIN (or other secure information) by watching the user type it. This is referred to as a shoulder surfing attack. Despite the name, the attacker may not have to be in close proximity to the target-they could use high-powered binoculars or CCTV to directly observe the target remotely.

Term
Tailgating
Definition
Tailgating is a means of entering a secure area without authorization by following closely behind the person that has been allowed to open the door or checkpoint. 
Term
Piggybacking
Definition
Piggybacking is a similar situation but means that the attacker enters a secure area with an employee's permission. For instance, an attacker might impersonate a member of the cleaning crew and request that an employee hold the door open while they bring in a cleaning cart or mop bucket.
Term
MAC filtering 
Definition

Configuring MAC filtering on a switch means defining which MAC addresses are permitted to connect to a particular port. This can be done by creating a list of valid MAC addresses or by specifying a limit to the number of permitted addresses. For example, if port security is enabled with a maximum of two MAC addresses, the switch will record the first two MACs to connect to that port but then drop any traffic from machines with different network adapter IDs that try to connect.

Term
dynamic ARP inspection (DAI)
Definition

A malicious host may use a spoofed MAC address to try to perform ARP cache poisoning against other hosts on the network and perpetrate an on-path attack. A switch security feature such as dynamic ARP inspection (DAI) prevents a host attached to an untrusted port from flooding the segment with gratuitous ARP replies. ARP inspection checks each ARP packet received on an untrusted port against a trusted database of IP:MAC bindings, normally built by DHCP snooping (with static entries for hosts that have fixed addresses), and drops replies that do not match. It also ensures that ARP packets are validly constructed and use valid IP addresses.

Term

DHCP Snooping

Definition

Configuring DHCP snooping causes the switch to inspect DHCP traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address. It can also be used to prevent rogue DHCP servers from operating on the network. With DHCP snooping, only DHCP offers from ports configured as trusted are allowed.
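The rogue DHCP, ARP spoofing, DAI and DHCP snooping cards above describe one mechanism from both sides, so here is one added Python model (not part of the deck) that covers them together: the switch learns IP:MAC:port bindings from DHCP exchanges, drops server-side DHCP messages arriving on untrusted ports, rejects client messages whose hardware address does not match the frame source, and then uses the binding table to validate ARP replies. Port names, MAC addresses, leases and the attacker's traffic are constructed for the example; the checks are a simplified model of the features, not a specific vendor's implementation.

```python
class SwitchGuard:
    """DHCP snooping binding table plus dynamic ARP inspection on one switch.

    Port names, MACs and addresses used with it are constructed for the example.
    """

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks towards the real DHCP server/router
        self.bindings = {}                  # ip -> (mac, port), learned from DHCP
        self.pending = {}                   # client mac -> port of its last REQUEST
        self.log = []

    def dhcp(self, port, src_mac, msg):
        """Return True if the DHCP message is forwarded, False if dropped."""
        kind = msg["type"]
        if kind in ("OFFER", "ACK", "NAK"):          # server-side messages
            if port not in self.trusted:
                self.log.append(f"rogue DHCP {kind} from {src_mac} on {port} dropped")
                return False
            if kind == "ACK":                        # lease granted: record the binding
                client_port = self.pending.get(msg["chaddr"])
                if client_port:
                    self.bindings[msg["yiaddr"]] = (msg["chaddr"], client_port)
            return True
        # client-side messages: the hardware address must match the frame source
        if msg["chaddr"] != src_mac:
            self.log.append(f"DHCP {kind} with forged chaddr {msg['chaddr']} on {port} dropped")
            return False
        if kind == "REQUEST":
            self.pending[src_mac] = port
        return True

    def arp_reply(self, port, sender_ip, sender_mac):
        """DAI: on untrusted ports a reply must match a snooped binding."""
        if port in self.trusted:
            return True
        if sender_ip.startswith(("0.", "127.", "224.")) or sender_mac == "ff:ff:ff:ff:ff:ff":
            self.log.append(f"malformed ARP ({sender_ip} is-at {sender_mac}) on {port} dropped")
            return False
        bound = self.bindings.get(sender_ip)
        if bound is None or bound[0] != sender_mac:
            self.log.append(f"ARP reply {sender_ip} is-at {sender_mac} on {port} dropped (binding {bound})")
            return False
        return True


def victim_cache(replies, guard=None):
    """ARP cache a host ends up with, with or without the switch enforcing DAI."""
    cache = {}
    for port, ip, mac in replies:
        if guard is None or guard.arp_reply(port, ip, mac):
            cache[ip] = mac
    return cache


def scenario():
    guard = SwitchGuard(trusted_ports={"Gi1/0/24"})
    client, attacker, server = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:09", "cc:cc:cc:00:00:24"
    steps = [
        guard.dhcp("Gi1/0/5", client, {"type": "DISCOVER", "chaddr": client}),
        guard.dhcp("Gi1/0/9", attacker, {"type": "OFFER", "chaddr": client, "yiaddr": "10.0.0.50"}),   # rogue server
        guard.dhcp("Gi1/0/24", server, {"type": "OFFER", "chaddr": client, "yiaddr": "10.0.0.50"}),
        guard.dhcp("Gi1/0/5", client, {"type": "REQUEST", "chaddr": client}),
        guard.dhcp("Gi1/0/24", server, {"type": "ACK", "chaddr": client, "yiaddr": "10.0.0.50"}),
        guard.dhcp("Gi1/0/9", attacker, {"type": "DISCOVER", "chaddr": client}),                      # forged chaddr
    ]
    replies = [
        ("Gi1/0/24", "10.0.0.1", "dd:dd:dd:00:00:01"),   # real gateway, via the trusted uplink
        ("Gi1/0/5", "10.0.0.50", client),                # legitimate client
        ("Gi1/0/9", "10.0.0.1", attacker),               # poisoning attempt against the gateway entry
        ("Gi1/0/9", "10.0.0.50", attacker),              # poisoning attempt against the client entry
    ]
    return steps, guard.bindings, victim_cache(replies), victim_cache(replies, guard), guard.log
```

scenario() returns the cache a victim would hold without DAI (both entries pointing at the attacker) beside the cache it holds when the switch filters (gateway and client entries intact), and the log lines a switch would raise for the rogue offer, the forged DHCP client address and the two rejected replies.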

Term

Neighbor Discovery Inspection and Router Advertisement Guard 

Definition

Neighbor Discovery (ND) Inspection and Router Advertisement (RA) Guard perform similar functions to DAI and DHCP snooping for IPv6 networks. Most hosts have IPv6 enabled by default and disabling it can often cause unexpected problems. Consequently, these switch protections should be enabled to mitigate spoofing and on-path attacks over IPv6.

Term

Port Security/IEEE 802.1X Port-Based Network Access Control 

Definition

MAC limiting and filtering and ARP inspection provide some protection against attacks, but they are not a means of ensuring only valid hosts are connecting to the network. Port security here refers to the IEEE 802.1X standard's Port-Based Network Access Control (PNAC) mechanism (on many switches the same term also names the MAC limiting feature described above). PNAC means that the switch performs some sort of authentication of the attached device before activating the port.

 

Under 802.1X, the device requesting access is the supplicant. The switch, referred to as the authenticator, enables the Extensible Authentication Protocol over LAN (EAPoL) protocol only and waits for the device to supply authentication data. The authenticator passes this data to an authentication server, typically a RADIUS server, which checks the credentials and grants or denies access. If access is granted, the switch will configure the port to use the appropriate VLAN and enable it for ordinary network traffic. Unauthenticated hosts may be denied any type of access or be placed in a guest VLAN with only limited access to the rest of the network.

Term
private VLAN (PVLAN)  
Definition
A private VLAN (PVLAN) applies an additional layer of segmentation by restricting the ability of hosts within a VLAN to communicate directly with one another.
Term

PVLAN ports can be configured within the primary VLAN:

Definition

- Promiscuous port: can communicate with all ports in all domains within the PVLAN. This is normally the port through which routed and/or DHCP traffic is sent.
- Isolated port: can communicate with the promiscuous port only. This creates a subdomain of a single host only. The PVLAN can contain multiple isolated ports, but each is in its own subdomain.
- Community port: can communicate with the promiscuous port and with other ports in the same community. This creates a subdomain that can contain multiple hosts.

Term
default VLAN.  
Definition

The VLAN with ID 1 is referred to as the default VLAN. This cannot be changed. However, unless configured differently, all ports on a switch default to being in VLAN 1. When you are implementing VLANs, you should avoid sending user data traffic over the default VLAN. It should remain unused or used only for inter-switch protocol traffic, where necessary. For example, spanning tree traffic would be permitted to run over the default VLAN. Make sure that unused ports are not assigned to VLAN 1.

Term
native VLAN  
Definition

The native VLAN is the one into which any untagged traffic is put when receiving frames over a trunk port. When a switch receives an untagged frame over a trunk, it assigns the frame to the native VLAN. Untagged traffic might derive from legacy devices, such as hubs or older switches that do not support 802.1Q encapsulated frames. The native VLAN is initially set with the same VLAN ID (VID) as the default VLAN (VID 1). You can and should change this, however, to make the native VID any suitable unused ID. This should not be the same as any VLAN used for any other data traffic. The same native VID must be configured for the trunk port on both switches, otherwise untagged frames leak between VLANs.

Term
control plane policing  
Definition

A control plane policing (CoPP) policy is designed to mitigate the risk from route processor vulnerabilities. Such a policy can use ACLs to allow or deny control traffic from certain sources and apply rate-limiting if a source threatens to overwhelm the route processor.

Term
Extensible Authentication Protocol 
Definition
An access point can implement a similar port security mechanism to switches. This is configured on the access point by selecting enterprise authentication. This allows users to authenticate to the wireless network against a RADIUS server using their regular network credential. EAP also allows for device authentication using digital certificates.
Term
Captive portal 
Definition
A guest network might be configured to perform authentication by redirecting stations to a secure web page. The user must authenticate to the page and meet other administrator-set requirements, such as accepting a use policy, before the station is authorized to use the network.
Term
MAC filtering
Definition
As with a switch, an access point can be configured with an accept or deny list of known MAC addresses.
Term
Geofencing 
Definition
Can be used to ensure that the station is within a valid geographic area to access the network, such as ensuring the device is within a building rather than trying to access the WLAN from a car park or other external location.
Term
Antenna placement and power levels 
Definition
Site designs and surveys facilitate robust wireless coverage when all expected areas receive a strong signal. Power levels and channel selection should be tuned so that access points do not interfere with one another or broadcast a signal that stations can "hear" but cannot reply to. The presence of an unusually strong transmitter (30 dBm+) might indicate the presence of an evil twin rogue access point.
Term
Wireless client isolation 
Definition
Clients connected to a WLAN are normally within the same broadcast domain and can communicate with one another. An access point can be configured to prevent this so that stations can only communicate via its gateway. Peer-to-peer traffic is dropped by the AP.
Term
Guest network isolation 
Definition
A guest network can have separate security and forwarding policies applied to it than the network that permits access to the corporate LAN. Typically, a guest network is permitted access to the Internet but not to local servers. Most SOHO routers come with a preconfigured guest network. Within an enterprise, a guest network would be implemented using a separate VLAN.
Term

Ransomware

Definition

Ransomware is malware that extorts money from victims. One class displays threatening messages, requiring Windows be reactivated or suggesting police locked the computer for illegal activity.

Term
Distributed Reflection DoS (DRDoS) 
Definition

A more powerful TCP SYN flood attack is a distributed reflection DoS (DRDoS) or amplification attack. The adversary spoofs the victim's IP address and opens connections with multiple servers, which direct their SYN/ACK responses to the victim.

Term
distributed denial of service (DDoS)
Definition

A distributed denial of service (DDoS) attack is launched simultaneously by multiple hosts. Some attacks aim to consume network bandwidth. Others cause resource exhaustion on the hosts processing the requests.

Term
Trojan
Definition

A Trojan is malware concealed within an installer package for software that appears to be legitimate. A Trojan does not seek consent for installation and operates secretly.

Term
VLAN Hopping
Definition

VLAN hopping is an attack designed to send traffic to a VLAN other than the one the host system is in.

 

Term
On-path attack
Definition

An on-path attack is a specific spoofing attack where a threat actor compromises the connection between two hosts and transparently intercepts and relays all communications between them.

 

Term
DNS Poisoning
Definition

DNS poisoning is an attack that compromises the name resolution process.

Term
Malware
Definition
Term
Firewall access control lists (ACLs)
Definition

A network technician configures firewall access control lists (ACLs) based on the principle of least access. This is the same as the principle of least privilege; only allow the minimum amount of traffic required to operate valid network services and no more.

Term
Control plane policing
Definition

A control plane policing policy mitigates the risk from route processor vulnerabilities. Such a policy can use ACLs to allow or deny control traffic from certain sources and apply rate-limiting if a source threatens to overwhelm the route processor.

Term
Endpoint security
Definition

Endpoint security is a set of security procedures and technologies designed to restrict network access at a device level.

Term
Hardening
Definition
Term
Scalability  
Definition

Scalability means that the costs involved in supplying the service to more users are linear. For example, if the number of users doubles in a scalable system, the costs to maintain the same level of service would also double (or less than double). If costs more than double, the system is less scalable. Scalability can be achieved by adding nodes (horizontal/scaling out) or by adding resources to each node (vertical/scaling up).

Term
Elasticity 
Definition

Elasticity refers to the system's ability to handle changes on demand in real time. A system with high elasticity will not experience loss of service or performance if demand suddenly doubles (or triples, or quadruples). Conversely, it may be important for the system to be able to reduce costs when demand is low.

Term
Public (or multitenant) 
Definition
A service offered over the Internet by cloud service providers (CSPs) to cloud consumers, often referred to as tenants. With this model, businesses can offer subscriptions or pay-as-you-go financing, while at the same time providing lower-tier services free of charge. As a shared resource, there are risks regarding performance and security. Multicloud architectures are where the consumer organization uses services from more than one CSP.
Term
Hosted Private 
Definition
Hosted by a third party for the exclusive use of the organization. This is more secure and can guarantee a better level of performance, but it is correspondingly more expensive.
Term
Private 
Definition
Cloud infrastructure that is completely private to and owned by the organization. In this case, there is likely to be one business unit dedicated to managing the cloud while other business units make use of it. With private cloud computing, organizations can exercise greater control over the privacy and security of their services. This type of delivery method is geared more toward banking and governmental services that require strict access control in their operations.
Term
Community 
Definition
This is where several organizations share the costs of either a hosted private or fully private cloud. This is usually done in order to pool resources for a common concern, like standardization and security policies.
Term
Hybrid 
Definition

A cloud computing solution that implements some sort of hybrid public/private/community/hosted/onsite/offsite solution. For example, a travel organization may run a sales website for most of the year using a private cloud but "break out" the solution to a public cloud at times when much higher utilization is forecast. As another example, a hybrid deployment may be used to provide some functions via a public cloud, but keep sensitive or regulated infrastructure, applications, and data on-premises.

Term
Infrastructure as a Service (IaaS)  
Definition

Infrastructure as a Service (IaaS) is a means of provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly. Rather than purchase these components and the Internet links they require, you rent them on an as-needed basis from the service provider's datacenter. Examples include Amazon Elastic Compute Cloud (aws.amazon.com/ec2), Microsoft® Azure® Virtual Machines (azure.microsoft.com/services/virtual-machines), and OpenStack® (openstack.org).

Term
Software as a Service (SaaS)  
Definition

Software as a Service (SaaS) is a different model of provisioning software applications. Rather than purchasing software licenses for a given number of seats, a business would access software hosted on a supplier's servers on a pay-as-you-go or lease arrangement (on-demand). Virtual infrastructure allows developers to provision on-demand applications much more quickly than previously. The applications can be developed and tested in the cloud without the need to test and deploy on client computers. Examples include Microsoft Office 365® (support.office.com), Salesforce® (salesforce.com), and Google Workspace™ (workspace.google.com).

Term

Platform as a Service 

Definition

Platform as a Service (PaaS) provides resources somewhere between SaaS and IaaS. A typical PaaS solution would deploy servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top. This platform could be based on Oracle® or MS SQL or PHP and MySQL™. 

As distinct from SaaS though, this platform would not be configured to actually do anything. Your own developers would have to create the software (the CRM or e‑commerce application) that runs using the platform. The service provider would be responsible for the integrity and availability of the platform components, but you would be responsible for the security of the application you created on the platform.

Term
Desktop as a Service (DaaS)  
Definition

Desktop as a Service (DaaS) is a means of provisioning virtual desktop infrastructure (VDI) as a cloud service. VDI allows a client browser to operate an OS desktop plus software apps. This removes the need for an organization to deploy and maintain client PCs and software installs.

Term

infrastructure as code (IaC)

Definition
An approach to infrastructure management where automation and orchestration fully replace manual configuration is referred to as infrastructure as code (IaC).
Term
Imperative tools  
Definition

Imperative tools require the precise steps to follow to achieve the desired configuration as input. This approach is most similar to automation through traditional scripting languages such as Bash and PowerShell.

Term
Declarative tools 
Definition

Declarative tools take the desired configuration as input and leave the detail of how that configuration should be achieved to the implementation platform.

Term
orchestration
Definition
Orchestration performs a sequence of automated tasks.
Term
Type II hypervisor
Guest OS virtualization 
Definition

In a guest OS (or host-based) system, the hypervisor application (known as a Type II hypervisor) is itself installed onto a host operating system. Examples of host-based hypervisors include VMware Workstation™, Oracle® VirtualBox, and Parallels® Workstation. The hypervisor software must support the host OS.

Term
Type I bare metal hypervisor
Definition

A bare metal virtual platform means that a Type I hypervisor is installed directly onto the computer and manages access to the host hardware without going through a host OS. Examples include VMware ESXi® Server, Microsoft's Hyper-V®, and Citrix XenServer. The hardware needs to support only the base system requirements for the hypervisor plus resources for the type and number of guest OSes that will be installed.

Term
For example, in Microsoft's Hyper-V virtualization platform, three types of virtual switches can be created:
Definition

- External: Binds to the host's NIC to allow the VM to communicate on the physical network.

- Internal: Creates a bridge that is usable only by VMs on the host and the host itself. This type of switch does not permit access to the wider physical network.

- Private: Creates a switch that is usable only by the VMs. They cannot use the switch to communicate with the host.

Term

Virtual appliances might be developed against a standard architecture, such as ETSI's Network Function Virtualization (NFV). NFV divides the provisioning of these appliances into three domains:

Definition

- Virtual Network Function (VNF): Specifies and deploys instances of each virtual appliance. VNFs are designed to run as VMs on standard CPU platforms.

- NFV infrastructure: Controls the allocation of computing (CPU and memory) plus storage and networking resources to each VNF.

- Management and orchestration (MANO): Positions VNFs within workflows to perform the forwarding and filtering tasks they are designed for.

Term
storage area network (SAN)
Definition

A storage area network (SAN) provisions access to storage devices at block level. Each read or write operation addresses the actual location of data on the media (block I/O). A SAN is isolated from the main network. It is only accessed by servers, not by client PCs and laptops. SAN clients are servers running databases or applications that require access to shared storage.

[image]

A SAN can integrate different types of storage technology, such as RAID arrays and tape libraries. It can contain a mixture of high-speed and low-cost devices, allowing for tiered storage to support different types of file access requirements without having to overprovision high-cost, fast drives.

Term

Fibre Channel is defined in the T11 ANSI standard.

A SAN based on a Fibre Channel (FC) Switched Fabric (FC-SW) involves three main types of components:
Definition

- Initiator: This is a client device of the SAN, such as a file or database server installed with a Fibre Channel host bus adapter (HBA).

- Target: The network port for a storage device. Typical devices include single drives, RAID drive arrays, tape drives, and tape libraries. Space on the storage devices is divided into logical volumes, each identified by a 64-bit logical unit number (LUN). The initiator will use SCSI, Serial Attached SCSI (SAS), SATA, or NVMe commands to operate the storage devices in the network, depending on which interface they support. Most devices have multiple ports for load balancing and fault tolerance.

The initiators and targets are identified by 64-bit World Wide Names (WWNs), similar to network adapter MAC addresses. Collectively, initiators and targets are referred to as nodes. Nodes can be allocated their own WWN, referred to as a World Wide Node Name (WWNN). Also, each port on a node can have its own World Wide Port Name (WWPN).

- FC switch: This provides the interconnections between initiators and targets (a fabric). The switch topology and interconnections would be designed to provide multiple paths between initiators and targets, allowing for fault tolerance and load balancing. High-performance FC switches are often referred to as directors.

Term

Fibre Channel can use rates from 1GFC (1 Gbps) up to 128GFC. Using fiber optic cabling, an FC fabric can be up to 10 km (6 miles) in length using single mode cable or 500 m (1640 ft) using multimode cable. 

Definition
Term

Fibre Channel over Ethernet 

Definition
Provisioning separate Fibre Channel adapters and cabling is expensive. As its name suggests, Fibre Channel over Ethernet (FCoE) is a means of delivering Fibre Channel packets over Ethernet cabling and switches. FCoE requires special 10/40/100G adapters that combine the function of NIC and HBA, referred to as converged network adapters (CNAs). FCoE uses a special frame type, identified by the EtherType value 0x8096. The protocol maps WWNs onto MAC addresses.
Term
Internet Small Computer System Interface (iSCSI) 
Definition

Internet Small Computer System Interface (iSCSI) is an IP tunneling protocol that enables the transfer of SCSI data over an IP-based network. iSCSI works with ordinary Ethernet network adapters and switches.

iSCSI can be used to link SANs but is also seen as an alternative to Fibre Channel itself, as it does not require FC-specific switches or adapters. iSCSI initiator and target functions are supported by both Windows Server and Linux operating systems.

Term
datacenter 
Definition
A datacenter is a site that is dedicated to provisioning server resources. The datacenter hosts network services (such as authentication, addressing, and name resolution), application servers, and storage area networks (SANs). Most datacenters are housed in purpose-built facilities, but some of the concepts also apply to server rooms.
Term
north-south
Definition
Traffic that goes to and from a datacenter is referred to as north-south.

This traffic represents clients outside the datacenter making requests and receiving responses. Corporate network traffic flows are also typically north-south. A client device is located on a workgroup switch connected to a router, while the server is connected to a separate switch or VLAN. Traffic from the client to the server passes "north" from the client's switch to the router and then back "south" to the server's switch. 
Term
east-west traffic.  
Definition
In datacenters that support cloud and other Internet services, most traffic is actually between servers within the datacenter. This is referred to as east-west traffic.
Term
overlay network 
Definition

An overlay network is used to implement a point-to-point logical link between two nodes or two networks. The overlay network abstracts the complexity of the underlying physical topology. An overlay network uses encapsulation protocols and software defined networking to create a logical tunnel between two nodes or networks. When used inside the datacenter, overlay networks are typically implemented using virtual extensible LANs (VXLANs).

Term
Software defined networking (SDN)  
Definition
Software defined networking (SDN) is a model for how automation and orchestration processes can be used to provision and deprovision networks.

Cloud services require the rapid provisioning and deprovisioning of server instances and networks using automation and orchestration, plus the use of overlay networks to establish point-to-point links quickly and reliably. This means that these components must be fully accessible to scripting, representing the ideal of infrastructure as code.
Term

SDN Architecture 

Definition

- Application layer: Applies the business logic to make decisions about how traffic should be prioritized and secured and where it should be switched. This layer defines policies such as segmentation, ACLs, and traffic prioritization and policing/shaping.

- Infrastructure layer: Devices (physical or virtual) that handle the actual forwarding (switching and routing) of traffic and imposition of ACLs and other policy configurations for security.

Term
control layer 
SDN controller
Definition

The principal innovation of SDN is to insert a control layer between the application layer and infrastructure layer. The functions of the control plane are implemented by a virtual device referred to as the SDN controller. Each layer exposes an application programming interface (API) that can be automated by scripts that call functions in the layer above or below.
The interface between SDN applications and the SDN controller is described as the service interface or as the "northbound" API, while that between the SDN controller and infrastructure devices is the "southbound" API.

Term

Management Plane

Definition

A management plane sits at the same level as the control plane to interface with the operational plane. This is used to implement monitoring of traffic conditions and network status.

Term

Spine and leaf topology

The spine and leaf topology provides better support for east-west traffic and the use of SDN and overlay networks within datacenters. A spine and leaf topology has two layers:

Definition

- The spine layer comprises a backbone of top-tier switches. Note that while this is described as a backbone, the spine switches are not linked to one another.

- The leaf layer contains access switches. Each access switch is connected to every spine switch in a full mesh topology. The access switches never have direct connections to one another.

Term

The spine and leaf topology has a number of advantages:

Definition

- Each server is only ever a single hop from the backbone, making network latency more predictable.

- There are multiple redundant paths between a leaf switch and the backbone, allowing for load balancing and failover.

- As there are no direct connections between spine switches in the backbone or between leaf switches, the network is loop free and does not need to run spanning tree. Instead, each leaf switch runs a protocol called Equal Cost Multipathing (ECMP) to distribute traffic between the links to the spine switches.

- Servers are connected to multiple leaf switches for multipath redundancy, using a first hop gateway protocol to determine the active path.

Term
top-of-rack (ToR) 
Definition

The leaf layer access switches are implemented as top-of-rack (ToR) switch models. These are switch models designed to provide high-speed connectivity to a rack of server appliances and support higher bandwidths than ordinary workgroup switches. For example, where a workgroup switch might have 1 Gbps access ports and a 10 Gbps uplink port, top-of-rack switches have 10 Gbps access ports and 40/100 Gbps uplink ports.

Term
Generic Routing Encapsulation (GRE) protocol encapsulates data from layer 2 (Ethernet) or layer 3 (IP) for tunneling over any suitable transport network.

Multipoint GRE (mGRE) is a version of the protocol that supports point-to-multipoint links, such as the hub and spoke dynamic multipoint VPN.
Definition

This protocol is widely used to connect branch offices to an on-premises datacenter located at the head office.

Term
Colocation 
Definition
Colocation means that a company's private servers and network appliances are installed in a datacenter that is shared by multiple tenants. The colocation provider manages the datacenter environment; the company's servers are installed in dedicated rack space on the datacenter floor. The rack or space within a rack is locked so that only authorized keyholders can gain physical access to the server equipment.
Term
Multiprotocol Label Switching (MPLS)
Definition

Most WAN providers offer Multiprotocol Label Switching (MPLS) as a means of establishing private links with guaranteed service levels. MPLS can operate as an overlay network to configure point-to-point or point-to-multipoint links between nodes regardless of the underlying physical and data link topologies.

MPLS allows WAN providers to offer various solutions for enterprise networking requirements. A basic use of MPLS is to create site-to-site VPNs to interconnect LANs or connect a branch office to a datacenter. The traffic passing over an MPLS VPN is isolated from any other customer or public traffic. Different sites can use any access method available (DSL, cellular, leased line, or Ethernet), and the sites can use point-to-point or multipoint topologies as required. The MPLS provider can apply traffic shaping policies to communications between enterprise LANs and the datacenter to guarantee a service level and provide link redundancy, making the connection much more reliable than one over the open Internet would be.

Term
MPLS topology explained:
Definition

For example, in this diagram, the CPE router at site 1 wants to communicate with site 4. The router is attached to the service provider's MPLS cloud via a Label Edge Router (LER). This router inserts or "pushes" a label or "shim" header into each packet sent from CPE1, and then forwards it to a label switch router (LSR). Each LSR examines the shim and determines the Label Switched Path (LSP) for the packet, based on the type of data, network congestion, and any other traffic engineering parameters determined by the service provider. It uses the label, rather than the Layer 3 header, to forward the packet to its neighbor. In this way, costly routing table lookups are avoided. The shim is removed (or "popped") by the egress LER and the packet is delivered to CPE4.

Term
software-defined WAN (SD-WAN)
Definition
SD-WAN replaces hub and spoke type designs with more efficient, but still secure, connectivity to corporate clouds with less of the expense associated with provisioning an MPLS service to each remote location.
Term
SD-WAN  
Definition

In a branch office topology, access to the datacenter or the cloud would be routed and authorized via the hub office. An SD-WAN is a type of overlay network that provisions a corporate WAN across multiple locations and can facilitate secure access to the cloud directly from a branch office or other remote location. It uses automation and orchestration to provision links dynamically based on application requirements and network congestion, using IPsec to ensure that traffic is tunneled through the underlying transport networks securely. An SD-WAN solution should also apply microsegmentation and zero trust security policies to ensure that all requests and responses are authenticated and authorized.

Term
Components in an SD-WAN solution.  
Definition
[image]
Term
Layer 1 (Physical)
Definition
Devices such as Ethernet hubs and media converters operate at Layer 1, the Physical layer, of the OSI model. The actual infrastructure, such as the cable medium or wireless frequency, is also part of the Physical layer.
Term
Data-Link Layer (Layer 2)
Definition
The Data Link layer is where the system transfers data between nodes on a network segment across the Physical layer. Bridges, network interface cards (NICs), and the frames that contain network packets are examples of Layer 2 topological components.
Term
Network Layer (Layer 3)
Definition
The main appliance operating at Layer 3, the Network layer, is the router, forwarding packets between networks through a route of intermediaries using the logical address of the destination. Firewalls enforcing access control lists (ACLs) do so at the Network layer.
Term
Transport Layer (Layer 4)
Definition
At Layer 4, the Transport layer, data segments are decapsulated and passed to the relevant application-layer handlers based on the port number. The Transport layer provides standardized access to transfer protocols for controlling the volume, rate, and destination of data.
Term
Session Layer (Layer 5)
Definition
Layer 5, the Session layer, is responsible for negotiating standardized dialogue sessions consisting of requests and responses between various end-user processes, such as remote procedure calls. Synchronization points in audio and video streams can prevent problems with synchronization between lip movement and a person's voice.
Term
Presentation Layer (Layer 6)
Definition
Layer 6 is the Presentation layer, sometimes referred to as the Syntax layer. This layer is where the system translates and delivers data structures in a format encoded as expected by requests from application-layer protocols.
Term
Application Layer (Layer 7)
Definition
Application Layer protocols are responsible for communicating with host-based and user-facing applications and include SMTP, DNS, SSH, SMB, IMAP, RDP & many others.
Term
TFTP
Definition

Trivial File Transfer Protocol (TFTP) is a simple protocol that provides basic file transfer function with no user authentication. TFTP uses port 69 to communicate. TFTP is intended for applications that do not need the sophisticated interactions that File Transfer Protocol (FTP) provides.

Term
Collision Domain
Definition
Each area of the network that shares a single segment.
Term
Ethernet Standards & Speeds.
Definition
[image]
Term

Fiber Optic Standards / Speeds

"S is not single"

So, if you see an S in the fiber Ethernet standard,

like 100BASE-SX, 1000BASE-SX, or 10GBASE-SR,
you'll know it's using multimode fiber because it's short range.

Definition
[image]
Term
Router (Layer 3 Network)
Definition
Layer 3 device that connects multiple networks and makes forwarding decisions based on logical network information. 

Can separate broadcast domains.