Iscw Cram Sheet
Published in: Technology, Business

Cable Modem Technology

Terms
Broadband – Using multiple frequencies to send information to make better use of bandwidth. Uses Frequency-Division Multiplexing to combine several “channels” (frequencies) into a larger pipe of bandwidth.
CATV – Community Antenna Television – cable TV in general.
Coaxial Cable – Cable used for cable TV and cable modem service.
Tap – A device that splits one cable drop into several ports, usually 2, 4, or 8.
Amplifier – A device that magnifies an input signal.
Hybrid Fiber-Coaxial (HFC) – A cable network in which most or all of the backbone and trunk connections are fiber, connecting to coaxial drops.
Downstream – An RF signal headed from the ISP to the subscriber.
Upstream – An RF signal headed from the subscriber to the ISP.

Standards
NTSC – National Television System Committee – governs analog TV systems in North America, using a 6-MHz modulated signal.
PAL – Phase Alternating Line – Color coding system used in Europe, Asia, Africa, Australia, Brazil, and Argentina. Uses a 6-, 7-, or 8-MHz modulated signal.
SECAM – Système Électronique Couleur avec Mémoire – Analog color TV system used in France and some Eastern European countries. Uses an 8-MHz modulated signal.

Components
Antenna Site – ISP’s site with sending and receiving satellite dishes.
Headend – Master site where signals are received, processed, formatted, and distributed. Secured and generally unstaffed.
Transportation Network – Network that connects the headend to the antenna site. Might be microwave, coaxial, or fiber.
Distribution Network – Either trunk-and-feeder coaxial cables or, more often, hybrid fiber-coaxial. This is the backbone of the network.
Node – Performs optical-to-RF conversion of CATV signals, which is what allows the network to use fiber.
Subscriber Drop – Connects the subscriber to the feeder portion of the distribution network. In many cable networks this is the ONLY part of the network that is actually coax.

DOCSIS Standards
Physical Layer (Layer 1) – Definition of the data signals to be used by cable operators. Upstream channel widths are 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz. Also defines how signals are modulated.
MAC Layer (Layer 2) – Definition of the access method, depending on DOCSIS version: Time Division Multiple Access (TDMA) for versions 1.0, 1.1, and 2.0, or Synchronous Code Division Multiple Access (S-CDMA) for version 2.0. The DOCSIS MAC protocol uses a request/grant system, so there are very few collisions.
DOCSIS 3.0 – Allows “channel bonding”, similar to adding channels to a fractional T1, for greater bandwidth.

DOCSIS Components
CMTS – Cable Modem Termination System – Usually resides in the headend. Modulates the signal to the cable modem (CM) and demodulates the cable modem’s response.
Cable Modem (CM) – A CPE device that terminates the cable connection and performs modulation and demodulation of signals. Speeds range from 1.5 to 6 Mbps.
“Back Office” Services – TFTP, DHCP, ToD (Time of Day, for log timestamping), and other maintenance tools.

Cable Modem Provisioning Steps
Downstream Setup – When the modem is powered up, it scans for and locks onto the allocated downstream RF channel so that layers 1 and 2 can be established.
Upstream Setup – The cable modem listens to management messages broadcast on the downstream path that tell it how and when to communicate on the upstream path. This information is used to establish layers 1 and 2 for the upstream path.
Layer 1 and 2 Establishment – Physical and Data Link layers are established between the CM and CMTS.
IP Address Allocation – The CM uses DHCP to request, from the DHCP server on the ISP side, an IP address, subnet mask, default gateway, TFTP server address, DHCP relay agent, the complete name of the DOCSIS config file, the address of the ToD server, and the syslog server address. Once it has this information it first sets its clock from the ToD server, and only then requests the DOCSIS config file.
DOCSIS Config File – The CM requests the config file named by DHCP from the TFTP server. This is a binary (TLV-encoded, not ASCII) file holding the parameters set by the ISP, including maximum downstream and upstream rates, maximum upstream burst size, class of service, baseline privacy, MIBs, and others. The config file is normally loaded via TFTP but can also be configured manually on the cable modem.
Register QoS with CMTS – The CM negotiates traffic types and QoS settings with the CMTS, in accordance with the customer’s plan.
IP Network Initialization – Once layers 1, 2, and 3 are established and the CM has pulled its config via TFTP, the CM can provide routing and NAT functions for clients behind it at the subscriber site.

Cable Modem Features/Limitations
Shared Medium – Cable modems can provide very fast download speeds, but the cable is a shared medium, so those speeds may not be achievable when the local segment is in heavy use. In addition, upload speeds are limited.

DSL Technology

DSL Features/Limitations
POTS Coexistence – Because of the frequencies used, DSL can send data signals over existing telephone cabling, carrying both voice and data without any additional wiring. All that is required is some kind of filtering for analog devices such as non-VoIP phones and fax machines.
Dedicated Medium – Unlike cable modems, DSL bandwidth is not shared; while speeds may be lower in some locations, they will be consistent.
Distance Limitations – As the distance between the subscriber and the local CO increases, speed and quality decrease. The most common DSL technology, ADSL, has a limit of 18,000 ft. Load coils are often installed on long telephone lines to improve voice quality; they do not amplify the signal, they are inductors that pass the voice band and attenuate the higher frequencies DSL uses, so a load coil on a line will not let DSL signals pass properly.
Older Home Wiring – Older buildings may have low-quality wiring that is subject to interference from AM radio or EMI.
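The DOCSIS config file fetched by TFTP in the provisioning steps above is worth seeing as bytes, because the rate caps in it are enforced by the CMTS and the file is the classic “uncapping” target. The following is an added example (not from the cram sheet and not any CMTS vendor’s code): it builds and decodes a small config file and checks its two integrity fields. The TLV numbering is the DOCSIS 1.0 layout as I know it (type 4 class of service with rate sub-TLVs, type 6 CM MIC = MD5 over the preceding TLVs, type 7 CMTS MIC = HMAC-MD5 under the CMTS shared secret, 255 = end of data); the CMTS MIC coverage rule is simplified to “everything up to and including the CM MIC”. The file contents and the secret are constructed for the example.

```python
"""Added example, not from the cram sheet or from any CMTS vendor: decode a
DOCSIS 1.0-style configuration file and verify its CM MIC and CMTS MIC.
TLV numbering and the simplified CMTS MIC coverage rule are assumptions
stated in the lead-in; the file and the shared secret are constructed."""
import hashlib
import hmac
import struct

T_DOWNSTREAM_FREQ, T_UPSTREAM_CHAN, T_NET_ACCESS = 1, 2, 3
T_CLASS_OF_SERVICE, T_CM_MIC, T_CMTS_MIC, T_END = 4, 6, 7, 255
COS_CLASS_ID, COS_MAX_DOWN, COS_MAX_UP = 1, 2, 3
COS_UP_PRIORITY, COS_MAX_UP_BURST, COS_PRIVACY = 4, 6, 7


def tlv(t, value):
    return bytes([t, len(value)]) + value


def parse_tlvs(buf):
    """Yield (type, value) until the end-of-data byte; refuse truncated input."""
    i = 0
    while i < len(buf):
        if buf[i] == T_END:
            return
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        t, ln = buf[i], buf[i + 1]
        value = buf[i + 2:i + 2 + ln]
        if len(value) != ln:
            raise ValueError("truncated TLV value")
        yield t, value
        i += 2 + ln
    raise ValueError("missing end-of-data marker")


def build_config(max_down_bps, max_up_bps, cmts_secret, privacy=1):
    """Provider side: class of service, then unkeyed CM MIC, then keyed CMTS MIC."""
    cos = (tlv(COS_CLASS_ID, b"\x01")
           + tlv(COS_MAX_DOWN, struct.pack("!I", max_down_bps))
           + tlv(COS_MAX_UP, struct.pack("!I", max_up_bps))
           + tlv(COS_UP_PRIORITY, b"\x01")
           + tlv(COS_MAX_UP_BURST, struct.pack("!H", 1522))
           + tlv(COS_PRIVACY, bytes([privacy])))
    body = (tlv(T_DOWNSTREAM_FREQ, struct.pack("!I", 555_000_000))
            + tlv(T_UPSTREAM_CHAN, b"\x01")
            + tlv(T_NET_ACCESS, b"\x01")
            + tlv(T_CLASS_OF_SERVICE, cos))
    body += tlv(T_CM_MIC, hashlib.md5(body).digest())        # anyone can recompute
    body += tlv(T_CMTS_MIC, hmac.new(cmts_secret, body, hashlib.md5).digest())
    return body + bytes([T_END])


def decode_config(buf, cmts_secret=None):
    """Return the service parameters plus whether each MIC verifies."""
    out = {"cm_mic_ok": False, "cmts_mic_ok": None}
    at = 0                                    # offset of the current TLV header
    for t, value in parse_tlvs(buf):
        if t == T_CLASS_OF_SERVICE:
            for st, sv in parse_tlvs(value + bytes([T_END])):
                if st == COS_MAX_DOWN:
                    out["max_down_bps"] = struct.unpack("!I", sv)[0]
                elif st == COS_MAX_UP:
                    out["max_up_bps"] = struct.unpack("!I", sv)[0]
                elif st == COS_PRIVACY:
                    out["privacy"] = sv[0]
        elif t == T_CM_MIC:
            out["cm_mic_ok"] = hmac.compare_digest(hashlib.md5(buf[:at]).digest(), value)
        elif t == T_CMTS_MIC and cmts_secret is not None:
            want = hmac.new(cmts_secret, buf[:at], hashlib.md5).digest()
            out["cmts_mic_ok"] = hmac.compare_digest(want, value)
        at += 2 + len(value)
    return out


def uncap(buf, new_down_bps):
    """Subscriber-side tampering: raise the rate and recompute the unkeyed CM MIC.
    Without the shared secret the old CMTS MIC must be left in place, which is
    exactly what the CMTS catches when it registers the modem."""
    body, old_cmts_mic = b"", None
    for t, value in parse_tlvs(buf):
        if t == T_CLASS_OF_SERVICE:
            value = b"".join(
                tlv(st, struct.pack("!I", new_down_bps) if st == COS_MAX_DOWN else sv)
                for st, sv in parse_tlvs(value + bytes([T_END])))
        elif t == T_CM_MIC:
            value = hashlib.md5(body).digest()
        elif t == T_CMTS_MIC:
            old_cmts_mic = value
            continue
        body += tlv(t, value)
    return body + tlv(T_CMTS_MIC, old_cmts_mic) + bytes([T_END])
```

The point to take away: the CM MIC only protects against corruption, since it is an unkeyed MD5 that any subscriber can regenerate; the CMTS MIC is what ties the file to the operator, and it is only as strong as the shared secret configured on the CMTS.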
DSL Terminology
Amplitude – Peak height or depth of a wave, measured from the horizontal axis of a graph, during one cycle of the wave.
ATU-C – ADSL Transmission Unit – Central office – the subscriber-facing DSL modem in the provider’s CO.
ATU-R – ADSL Transmission Unit – Remote – the provider-facing DSL modem at the subscriber’s home. Could be a DSL-capable router or a DSL modem.
DSLAM – DSL Access Multiplexer – A single chassis containing multiple ATU-C units.
Frequency – Number of cycles of a waveform over a given time. Frequency = propagation speed / wavelength.
Line Code – Technique used to represent digital signals by an amplitude-discrete and time-discrete signal that allows a receiving device to synchronize to the phase of the transmitted signal.
Maximum Data Rate – Maximum transmission speed possible for a particular version of DSL.
Microfilter – Filter used to connect analog devices to a home network that has DSL service. Passes only the 0–4 kHz analog voice range and blocks the DSL frequencies.
Modulation – Process of varying a periodic waveform in order to use that signal to convey a message.
Nature – The relationship between downstream and upstream speeds (asymmetric or symmetric).
Network Interface Device (NID) – The device at the customer premises providing the termination (demarcation) point of the local loop.
Phase – A measure of the relative position over time of two waveforms with identical frequency.
Splitter – A passive device used to separate DSL traffic from voice traffic. Today, microfilters usually replace splitters at the CPE side of the local loop.
Wavelength – Distance between repeating units of a wave pattern. Wavelength = propagation speed / frequency.

DSL Variants
Asymmetric DSL (ADSL) – Different speeds for upload and download; generally download speeds are higher. Typical for home use.
Symmetric DSL (SDSL) – Identical transmission speeds for upload and download.

Asymmetric DSL Types
ADSL – Maximum distance of 18,000 feet. Download 1.5–8 Mbps, upload 16 kbps–1 Mbps.
G.Lite ADSL – Splitterless ADSL. Max download 1.5 Mbps, max upload 512 kbps. No splitters required.
RADSL (rate-adaptive DSL) – Nonstandard version of ADSL that adjusts speed to compensate for the quality of the phone line. Has longer maximum distances than ADSL, although ADSL also has the ability to adapt speeds.
VDSL (very-high-bit-rate DSL) – Speeds of 13–55 Mbps over short loops of up to 4,500 feet. Cisco Long Reach Ethernet (LRE) is based on VDSL technology. Limited availability.

Symmetric DSL Types
SDSL (symmetric DSL) – Upload and download of 128 kbps–2.32 Mbps; 768 kbps is most typical. Distance limit is 21,000 feet.
G.SHDSL (symmetric high-data-rate DSL) – Longer distance of 26,000 feet. Speeds from 192 kbps to 2.3 Mbps. Best suited to data-only implementations.
HDSL (high-data-rate DSL) – 768 kbps in each direction on each of two wire pairs, for 1.544 Mbps total: basically T1 or E1 over DSL. Does not allow standard phone service over the same wiring.
HDSL2 (second-generation HDSL) – Delivers the same 1.5 Mbps over a single wire pair (carrying ATM or another transport) instead of the two pairs HDSL needs.
IDSL (ISDN DSL) – Supports downstream and upstream rates of up to 144 kbps, using the same channel types as traditional ISDN but as an “always-on” service rather than dialup. Does not coexist with traditional voice.

ADSL Modulation
CAP (Carrierless Amplitude/Phase) – Single-carrier modulation that divides the available spectrum into 3 bands: 0–4 kHz for POTS, 25–160 kHz for upstream data, and 240 kHz–1.1 MHz for downstream data. Only used in legacy implementations because it does not perform as well.
DMT (Discrete Multi-Tone) – Divides the available spectrum into 256 independent subchannels (tones) of 4.3125 kHz each, which can be brought up or taken down dynamically with no effect on the other subchannels. Most ADSL equipment now uses DMT.
Data Transmission Over ADSL
Layer 2 – Once the DSL signal reaches the DSLAM, it enters an ATM network. The DSLAM is an ATM router with DSL interface cards.
Encapsulation – Data can be encapsulated in 3 ways: RFC 1483/2684 bridging (multiprotocol encapsulation, AAL5SNAP over ATM), PPP over Ethernet (PPPoE), or PPP over ATM (PPPoA).
RFC 1483/2684 Bridging – Simplest technology with the least configuration at the CPE end. The DSL router acts only as a bridge, which lacks features, security, and scalability.
PPP – Enables authentication and negotiation of higher-layer protocols, unlike bridging. Each frame carries a 16-bit protocol identifier. PPP traffic consists of: LCP (Link Control Protocol) packets, which negotiate things like packet size, the type of authentication, and other link parameters; NCP (Network Control Protocol) packets, which configure the higher-layer protocols (such as IP); and data frames, which carry the actual user data.
PPP Process – 1. Each end of the PPP link sends LCP packets to configure and test the layer 2 connection. 2. After the link is established, PPP sends NCP packets to choose and configure network layer protocols (such as IP). 3. Once the layer 3 protocol has been configured, traffic from each layer 3 protocol can be sent. 4. The link remains configured and ready for communication until explicit LCP or NCP packets close it, or some external event or timeout occurs. PPP can carry multiple protocols at once.
PPPoE (Point-to-Point Protocol over Ethernet) – Uses PAP or CHAP to authenticate the connection. Because Ethernet is a shared medium, each PPP session must learn the MAC address of the remote peer and obtain a unique session identifier. This is done by a discovery protocol, which adds a Discovery phase ahead of the normal PPP Session phase.
Discovery Phase – 1. The PPPoE client sends a PADI (PPPoE Active Discovery Initiation) packet as a broadcast requesting service. 2. The access concentrator (the provider router) responds with a PADO (PPPoE Active Discovery Offer) packet describing the offered services, sent as a unicast directly to the MAC address of the client. 3. The PPPoE client responds directly to the server with a unicast PADR (PPPoE Active Discovery Request) packet to move on to the session phase. 4. The router sends the client a PADS (PPPoE Active Discovery Session-confirmation) packet containing the session ID and confirming that they can move to the Session phase. (If this all sounds a lot like DHCP, it is!)
Session Phase – This is where authentication takes place, as well as negotiation of any other configured LCP options. To accomplish authentication and negotiation of session variables there are usually 3 options: 1. Placing a DSL-capable router at the subscriber’s home – PPP is terminated on the provider’s router at the subscriber’s home. 2. Placing a non-DSL-capable router at the subscriber’s home – An external DSL modem must be added in front of the router. PPP is still terminated on the provider’s router at the subscriber’s home. 3. Placing an external DSL modem at the subscriber’s home – A simple DSL modem terminates the physical DSL connection; PPP is terminated either on the hosts, using PPPoE client software, or on a router provided by the subscriber.

MPLS

MPLS Terminology
Label – Short, fixed-length (20-bit) identifier carried in the MPLS header that identifies the packet’s FEC.
Label Stack – An ordered set of labels attached to a packet header.
Label Swap – Basic forwarding operation. The incoming label is looked up to determine the outgoing label, encapsulation, port, and other parameters.
LSH (Label-Switched Hop) – A hop between two MPLS nodes, with all forwarding done by labels.
LSP (Label-Switched Path) – A path through one or more LSRs that is followed by a packet in a particular FEC.
LSR (Label Switching Router) – An MPLS node that is capable of forwarding label-switched packets.
MPLS Domain – A contiguous set of LSRs in one routing or administrative domain.
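Going back to the PPPoE discovery phase above: the four packets are easy to get wrong in the details (which are broadcast, which are unicast, where the session ID appears), so here they are as real frames. This is an added example, not from the cram sheet and not vendor code; it encodes the RFC 2516 discovery packets and drives a toy client against a toy access concentrator (AC). The MAC addresses, AC name, service name and the secret behind the AC-Cookie are all made up for the demonstration.

```python
"""Added example, not from the cram sheet or any vendor: the PPPoE discovery
exchange (RFC 2516) as Ethernet frames, with a toy client and AC.  Addresses,
names and the AC's cookie secret are constructed for the demonstration."""
import hashlib
import hmac
import struct

ETH_DISCOVERY = 0x8863          # session-stage frames use 0x8864 instead
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_END, TAG_SERVICE, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104
BROADCAST = b"\xff" * 6


def build(dst, src, code, session_id, tags):
    """Ethernet + PPPoE header (ver/type 0x11) + TLV tags + End-Of-List."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    payload += struct.pack("!HH", TAG_END, 0)
    hdr = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_DISCOVERY) + hdr + payload


def parse(frame):
    """Return (dst, src, code, session_id, {tag: value}); reject malformed frames."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame")
    vt, code, sid, length = struct.unpack("!BBHH", frame[14:20])
    if vt != 0x11:
        raise ValueError("bad PPPoE version/type")
    body = frame[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated PPPoE payload")
    tags, i = {}, 0
    while i + 4 <= len(body):
        t, ln = struct.unpack("!HH", body[i:i + 4])
        if t == TAG_END:
            break
        if i + 4 + ln > len(body):
            raise ValueError("truncated tag")
        tags[t] = body[i + 4:i + 4 + ln]
        i += 4 + ln
    return dst, src, code, sid, tags


class AccessConcentrator:
    def __init__(self, mac, name, cookie_secret):
        self.mac, self.name, self.secret = mac, name, cookie_secret
        self.next_sid, self.sessions = 1, {}

    def cookie(self, client_mac):
        # AC-Cookie: keyed hash of the client's MAC, so the AC keeps no state
        # between PADO and PADR (the flood defence RFC 2516 suggests).
        return hmac.new(self.secret, client_mac, hashlib.sha256).digest()[:8]

    def handle(self, frame):
        dst, src, code, _, tags = parse(frame)
        echo = [(TAG_HOST_UNIQ, tags[TAG_HOST_UNIQ])] if TAG_HOST_UNIQ in tags else []
        service = tags.get(TAG_SERVICE, b"")
        if code == PADI and dst == BROADCAST:          # 1. PADI (broadcast)
            return build(src, self.mac, PADO, 0,        # 2. PADO (unicast)
                         [(TAG_AC_NAME, self.name), (TAG_SERVICE, service),
                          (TAG_AC_COOKIE, self.cookie(src))] + echo)
        if code == PADR and dst == self.mac:            # 3. PADR (unicast)
            if not hmac.compare_digest(tags.get(TAG_AC_COOKIE, b""), self.cookie(src)):
                return None                             # PADR without our cookie: drop
            sid, self.next_sid = self.next_sid, self.next_sid + 1
            self.sessions[sid] = src
            return build(src, self.mac, PADS, sid, [(TAG_SERVICE, service)] + echo)  # 4. PADS
        return None


def client_discover(client_mac, ac, service=b"", host_uniq=b"\x00\x00\x00\x2a"):
    """Run PADI -> PADO -> PADR -> PADS against `ac`; return (session_id, ac_mac)."""
    padi = build(BROADCAST, client_mac, PADI, 0,
                 [(TAG_SERVICE, service), (TAG_HOST_UNIQ, host_uniq)])
    _, ac_mac, code, _, tags = parse(ac.handle(padi))
    # Host-Uniq lets the client match offers to its own PADI.  It does not
    # authenticate the AC (a rogue AC can simply answer first); only the PPP
    # authentication in the session phase does that.
    if code != PADO or tags.get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("no matching PADO")
    padr = build(ac_mac, client_mac, PADR, 0,
                 [(TAG_SERVICE, service), (TAG_HOST_UNIQ, host_uniq),
                  (TAG_AC_COOKIE, tags[TAG_AC_COOKIE])])
    _, _, code, sid, _ = parse(ac.handle(padr))
    if code != PADS or sid == 0:
        raise ValueError("session not confirmed")
    return sid, ac_mac   # session-stage frames now carry sid under ethertype 0x8864
```

Two things the code makes visible that the step list does not: the session ID is zero in every discovery packet until the PADS assigns it, and nothing in discovery proves who the AC is, which is why PAP/CHAP in the session phase matters.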
MPLS Edge Node – An MPLS node that connects to a neighboring node outside of its MPLS domain.
MPLS Egress Node – An MPLS node that handles traffic leaving an MPLS domain.
MPLS Ingress Node – An MPLS node that handles traffic entering an MPLS domain.
MPLS Label – A label that is carried in a packet header and identifies the packet’s FEC.
MPLS Node – A node running MPLS. Optionally can also forward native layer 3 packets.
FEC (Forwarding Equivalence Class) – Roughly corresponds to a packet’s “next hop” within the MPLS domain. Two packets with different destinations can share a FEC at a router if they have the same next hop. They share a FEC until they reach a router at which they must exit through different interfaces. Packets sorted into the same FEC at one router may later be sorted into separate FECs at another router.
PHP (Penultimate Hop Pop) – The LSR immediately before the destination edge LSR pops the label before forwarding the packet to the edge LSR. This saves time because the edge router then needs only a network layer routing lookup, rather than first looking at and popping the label.

Router Switching Modes
Process Switching – Slowest and most resource-intensive method. Each packet is looked up in the routing table individually.
Cache-driven Switching – Once one packet has been looked up in the routing table, the result is cached in memory and used for subsequent packets to the same destination.
Topology-driven Switching – A FIB (Forwarding Information Base) is built from the routing table and used for high-speed switching at layer 3 (CEF – Cisco Express Forwarding). The FIB acts as a shorthand reference so that the router can bypass the routing table and use its adjacency table; knowing which adjacent neighbor is next in the packet’s path is enough. Can consume a lot of memory if the routing table is large.

MPLS Components
LDP (Label Distribution Protocol) – Functions much like a routing protocol, distributing label bindings between LSRs.
RSVP (Resource Reservation Protocol) – Used by MPLS (RSVP-TE) to reserve bandwidth within the MPLS network for voice or other sensitive traffic.
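To make the label swap, FEC and PHP definitions above concrete, here is an added example (not from the cram sheet, not Cisco code) that walks a packet through a four-router domain: the ingress LSR classifies by longest-prefix match and pushes a label, a core LSR swaps it from its LFIB, the penultimate LSR pops it because the egress advertised implicit-null (label 3), and the egress does a plain IP lookup. The topology, prefixes and label values are made up; two customer prefixes deliberately share one FEC at the ingress to show where the FEC splits.

```python
"""Added example, not from the cram sheet or from Cisco: a tiny label-switching
simulation.  Topology, prefixes and label values are constructed."""
import ipaddress

IMPLICIT_NULL = 3   # label an egress LSR advertises to ask for penultimate hop pop


class LSR:
    def __init__(self, name):
        self.name = name
        self.fib = {}    # prefix -> (next-hop name, outgoing label or None)
        self.lfib = {}   # incoming label -> (action, outgoing label, next-hop name)

    def route(self, dst):
        """Longest-prefix match over the FIB (ordinary IP forwarding)."""
        best = None
        for prefix, entry in self.fib.items():
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, entry)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best[1]

    def forward(self, pkt):
        """pkt = {'dst': IPv4Address, 'labels': [top, ...]} -> (next_hop, pkt, trace)."""
        if pkt["labels"]:                       # labelled: LFIB only, no IP lookup
            top = pkt["labels"][0]
            action, out_label, nh = self.lfib[top]
            if action == "swap":
                pkt["labels"][0] = out_label
            elif action == "pop":               # PHP: strip the top label
                pkt["labels"].pop(0)
            return nh, pkt, f"{self.name}:{action} {top}->{out_label}"
        nh, out_label = self.route(pkt["dst"])  # unlabelled: FIB lookup
        if out_label not in (None, IMPLICIT_NULL):
            pkt["labels"].insert(0, out_label)  # ingress push
            return nh, pkt, f"{self.name}:push {out_label}"
        return nh, pkt, f"{self.name}:ip-lookup"


def build_domain():
    pe1, p1, p2, pe2 = LSR("PE1"), LSR("P1"), LSR("P2"), LSR("PE2")
    net = ipaddress.ip_network
    # Both customer prefixes leave the domain at PE2, so at PE1 they are one
    # FEC with one label; PE2 separates them with an ordinary IP lookup.
    pe1.fib[net("10.2.0.0/16")] = ("P1", 100)
    pe1.fib[net("10.3.0.0/16")] = ("P1", 100)
    p1.lfib[100] = ("swap", 200, "P2")
    p2.lfib[200] = ("pop", IMPLICIT_NULL, "PE2")   # PE2 advertised implicit-null
    pe2.fib[net("10.2.0.0/16")] = ("CE-B", None)
    pe2.fib[net("10.3.0.0/16")] = ("CE-C", None)
    return {r.name: r for r in (pe1, p1, p2, pe2)}


def send(domain, dst_ip, ingress="PE1"):
    """Walk a packet through the domain; return (exit next-hop, per-hop trace)."""
    pkt = {"dst": ipaddress.ip_address(dst_ip), "labels": []}
    node, trace = ingress, []
    while node in domain:
        node, pkt, step = domain[node].forward(pkt)
        trace.append(step)
    return node, trace
```

Note that P1 and P2 never look at the IP destination at all; that is the whole point of the LFIB being in the data plane, and it is also why a label that is wrong or spoofed at the domain edge is forwarded faithfully until an edge router finally consults IP routing.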
LFIB (Label Forwarding Information Base) – Stores label information learned from LDP and/or routing protocols. Essentially the label routing table. Part of the data plane.
P Router – Provider router inside the provider network that does not have customer routers as neighbors.
PE Router – Provider Edge router that interacts directly with CE routers.
CE Router – Customer Edge router that interacts directly with PE routers.
LIB (Label Information Base) – Part of the control plane; the database built by LDP that maps prefixes to local and next-hop labels.
FIB (Forwarding Information Base) – Part of the data plane; the forwarding table built from the regular routing protocol and used for forwarding unlabeled IP packets (the IP routing table).
Each MPLS router builds its own LIB, FIB, and LFIB.

IPsec Overview

IPsec Features
Data Confidentiality – Data is kept private between the endpoints of the VPN using encryption such as DES, 3DES, or AES. (Optional, but common.)
Data Integrity – Guarantee that data has not been altered since it was sent. Provided by a keyed hash (HMAC) using SHA-1 or MD5.
Data Origin Authentication – Ensures that the sender and receiver are who they say they are. Peer authentication is performed by IKE (pre-shared keys, RSA signatures, or RSA encrypted nonces) using the ISAKMP and Oakley protocols; per-packet origin authentication comes from the same keyed hash that provides integrity.
Anti-replay – Ensures that a captured packet cannot be re-injected later. (Optional but common.) Provided by a sequence number in the AH or ESP header that the receiver checks against a sliding window; duplicates and packets older than the window are dropped.

IPsec Protocols
IKE (Internet Key Exchange) – Provides the framework for negotiating security parameters and establishing authenticated keys securely over the Internet (UDP port 500). Runs as phase 1.
ESP (Encapsulating Security Payload) – IP protocol 50. Provides encryption, integrity, authentication, and anti-replay. Uses DES, 3DES, and AES for encryption.
AH (Authentication Header) – IP protocol 51. Provides data integrity, authentication, and anti-replay but no encryption, so today it is generally used only in combination with ESP, if at all. Uses keyed hashes (HMAC-MD5 and HMAC-SHA-1) to ensure that data has not been tampered with.

IPsec Modes
Transport Mode – The IPsec header is inserted between the original IP header and the transport-layer payload. The original IP header is left unprotected and visible to everything between the endpoints; only the transport layer and above are protected.
Tunnel Mode – The entire original packet, including its IP header, is protected and encapsulated in a new IP header; only the IP addresses of the tunnel endpoints are visible to points between them.

Internet Key Exchange (IKE)
IKE Phase 1 – Mandatory. A bidirectional ISAKMP SA (Security Association) is established between the IPsec peers and the peers authenticate each other. Two modes: Main Mode (six messages, identities protected; used for site-to-site tunnels) and Aggressive Mode (three messages, faster; used by Easy VPN). Aggressive mode sends the identity and a hash derived from the pre-shared key before encryption is up, so a captured exchange exposes the PSK to offline guessing.
IKE Phase 1.5 – Optional. Provides an additional layer of authentication called Xauth (Extended Authentication), which forces the user to authenticate before the connection is granted.
IKE Phase 2 – Second mandatory phase. Uses IKE quick mode to negotiate the IPsec SAs: a pair of unidirectional SAs between the IPsec endpoints, each with its own keys, so that no key is shared between directions.

GRE over IPsec Characteristics
GRE – Packets are encapsulated, but few security features are provided. However, GRE carries multicast and therefore allows routing protocols to travel over the tunnel, unlike plain IPsec. Today the two are usually combined to get an encrypted tunnel that also carries multicast and routing protocols. Creates high packet overhead.

IPsec High Availability Options

Failover Strategies
Stateless – Redundant IPsec tunnels provide primary and backup paths. The state of the tunnels is not shared, but traffic is sent across the backup tunnel once the end-to-end path has failed. Failure is detected with DPD (Dead Peer Detection), an IGP (interior gateway protocol) running inside GRE over IPsec, or HSRP (Hot Standby Router Protocol).
Stateful – Redundant, generally identical, devices are employed that communicate with each other to determine which one is the current active device and share SA state between them. Uses HSRP together with SSO (Stateful Switchover).

Easy VPN Components
Easy VPN Remote – The remote or “client” end of the Easy VPN connection. This is the “easy” part of Easy VPN, since it does not require a static IP address or complicated configuration on this end.
Easy VPN Server – The “HQ” end of the VPN, which carries the bulk of the configuration. The server pushes the client address and the other DHCP-style settings (DNS, domain) to the client along with the VPN tunnel parameters.

Device Hardening

Router Vulnerabilities
Unnecessary Services and Interfaces – The largest category of vulnerabilities. Includes the TCP and UDP small services (echo, chargen, discard, daytime) and other services enabled by default that are generally not necessary.
Management Services – Includes SNMP and DNS lookups. These should be disabled on any external interface and on any interface where they are not specifically required.
Path Integrity Mechanisms – ICMP redirects and IP source routing. Both let an outside party influence the path packets take, so an attacker can use them to steer traffic through a host they control or to learn about the network. Disable them on all outside interfaces and on any interface where they are not necessary.
Probes and Scans – Includes finger and some ICMP features (unreachables, mask reply). These can be used for reconnaissance and should be disabled unless needed.
Terminal Access Security – The IP identification (ident) service can be used to gather information and should be disabled. TCP keepalives, on the other hand, should be enabled on the vty lines so that half-open or orphaned sessions are torn down rather than held open until the lines are exhausted (a DoS vector).
Gratuitous and Proxy ARP – Can be used to launch DoS or redirection attacks. Both are enabled by default, but they are unlikely to be needed in modern networks unless the router is acting as a layer 2 bridge.
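Returning to the anti-replay service listed under IPsec features above: the mechanism is a sliding window keyed on the ESP or AH sequence number, and the interesting cases are late-but-unseen packets (accepted once), duplicates (rejected) and packets that fall off the back of the window (rejected). The following is an added example, not from the cram sheet and not Cisco’s implementation, of the receiver-side window from RFC 4303 Appendix A. The window size and the packet trace are constructed for the demonstration.

```python
"""Added example, not from the cram sheet and not Cisco code: the per-SA
anti-replay window an IPsec receiver keeps (RFC 4303, Appendix A).  The
window size and the sequence-number trace below are constructed."""


class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  =>  sequence number (top - i) was seen
        self.drops = []       # (seq, reason) for every rejected packet

    def check(self, seq):
        """Return True if seq is fresh.  A real receiver updates the window only
        after the packet's ICV verifies; with no ICV here, both steps are one."""
        if seq == 0:                          # sequence numbers start at 1
            self.drops.append((seq, "zero"))
            return False
        if seq > self.top:                    # new high-water mark: slide right
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:               # older than the window: cannot tell
            self.drops.append((seq, "stale"))
            return False
        if self.bitmap & (1 << offset):       # already seen: replay
            self.drops.append((seq, "replay"))
            return False
        self.bitmap |= 1 << offset            # late but unseen: accept exactly once
        return True


def run(trace, size=64):
    """Feed a sequence-number trace through one window; return (accepted, drops)."""
    w = ReplayWindow(size)
    accepted = [s for s in trace if w.check(s)]
    return accepted, w.drops


# Constructed trace: in-order start, reordering, two replays, a big jump, then
# packets that are late enough to have fallen outside a 64-entry window.
SAMPLE_TRACE = [1, 2, 3, 5, 4, 3, 2, 100, 30, 99, 100, 37, 36]
```

Two caveats that follow from the code: reordering across more than the window size is indistinguishable from a replay, so paths that reorder heavily need a larger window (Cisco IOS lets it be raised), and since the counter must never wrap, the SA has to be rekeyed before 2^32 packets (or use extended sequence numbers).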
AutoSecure – CLI tool (the auto secure command) that disables all of the services above, enables firewall inspection and CEF, configures logging and NTP, restricts management access to SSH, enables TCP SYN-flood protection, configures a security banner, and prompts for secure passwords.
SDM Security Audit Wizard – Displays a list of these vulnerabilities with the option to fix each one, and lets the user designate inside and outside interfaces for firewall purposes.
SDM One-Step Lockdown Wizard – Tool in SDM similar to the auto secure command in the CLI.

Securing Administrative Access
Passwords – Set strong, complex passwords and also use ACLs to restrict access to the management interfaces (access-class on the vty lines). A password policy including minimum length, expiration, etc. should be implemented.
Login Limitations – Lock out users after a certain number of failed login attempts and log the failures. You can also configure a delay between attempts, or a quiet mode that, while the lockout is in effect, allows access only from addresses permitted by an ACL.
Password Encryption – Use enable secret rather than enable password: the secret is stored as an MD5 hash (type 5), which is much harder to recover. Remember that the enable password and the console, aux, and vty line passwords are all stored in clear text by default. The service password-encryption command obscures those plaintext passwords, but only with the reversible type 7 encoding, which is undone instantly by any decoder; it stops shoulder surfing, not an attacker who has the config. Individual user accounts with username ... secret are a better choice.
Multiple Privilege Levels – Use the built-in privilege levels 0–15 to give individual users only the access they require, or map commands to specific levels.
Role-Based CLI – Enable different “views” for different users so that only the commands they are authorized to use appear as available.
The “Duh” Stuff – Configure a legally sound banner on all devices, physically secure all devices, set minimum password lengths, remember that Telnet and TFTP are cleartext, etc.
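The hardening items above are exactly the kind of thing worth checking mechanically before a config goes into production. The following is an added example, not from the cram sheet and not a Cisco tool: a small audit of an IOS-style running configuration against the services, password and login items listed above, with a type 7 decoder included to show why service password-encryption is not protection. Both configurations are constructed for the example; the "5 $1$..." values stand in for real hashes and are placeholders.

```python
"""Added example, not from the cram sheet and not a Cisco tool: audit an
IOS-style configuration for the hardening items in the sheet, and decode
type 7 passwords.  Both sample configs are constructed; the type 5 hash
values in them are placeholders, not real digests."""
import re

# Constant key IOS uses for type 7 (service password-encryption) obfuscation.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(password, seed=7):
    """Two-digit seed, then each byte XORed with the key at (seed + i)."""
    body = "".join("%02X" % (c ^ XLAT[(seed + i) % len(XLAT)])
                   for i, c in enumerate(password.encode()))
    return "%02d" % seed + body


def type7_decode(blob):
    seed = int(blob[:2])
    raw = bytes.fromhex(blob[2:])
    return bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(raw)).decode()


# Lines that should be present (anchored regex -> finding if absent).
REQUIRED = {
    r"^enable secret ": "no enable secret (enable password is reversible or cleartext)",
    r"^service password-encryption$": "service password-encryption not set",
    r"^no ip source-route$": "IP source routing left enabled",
    r"^service tcp-keepalives-in$": "TCP keepalives not enabled for inbound sessions",
    r"^login block-for \d+ attempts \d+ within \d+$": "no lockout after failed logins",
    r"^banner motd ": "no login banner",
}
# Lines that should not be present (regex -> finding if present).
FORBIDDEN = {
    r"^service (tcp|udp)-small-servers$": "TCP/UDP small servers enabled",
    r"^(ip|service) finger$": "finger enabled",
    r"^ip http server$": "cleartext HTTP management enabled",
    r"^snmp-server community \S+ (RO|RW)": "SNMP v1/v2c community string configured",
    r"^transport input (all|telnet)": "Telnet permitted on a line",
}


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = [msg for pat, msg in REQUIRED.items()
                if not any(re.match(pat, l) for l in lines)]
    findings += [msg for pat, msg in FORBIDDEN.items()
                 if any(re.match(pat, l) for l in lines)]
    for l in lines:
        m = re.search(r"password 7 ([0-9A-Fa-f]+)$", l)
        if m:   # type 7 is reversible: report the recovered value, not just its presence
            findings.append(f"type 7 password recovered: {type7_decode(m.group(1))!r}")
    return findings


# Constructed "before" config: encryption is on, so the weak spots are not
# obvious from a glance at the file.
WEAK_CONFIG = f"""
service password-encryption
service tcp-small-servers
enable password 7 {type7_encode('cisco', 9)}
username admin password 7 {type7_encode('s3cret', 12)}
ip finger
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet
"""

# Constructed "after" config for the same device.
HARDENED_CONFIG = """
service password-encryption
service tcp-keepalives-in
enable secret 5 $1$placeholder$notarealhash
username admin secret 5 $1$placeholder$notarealhash
no ip source-route
no ip finger
no ip http server
login block-for 120 attempts 3 within 60
banner motd ^Authorized access only. Activity is logged.^
line vty 0 4
 transport input ssh
 access-class 10 in
"""
```

The audit is deliberately line-based and conservative: interface-level defaults such as ip redirects and ip proxy-arp do not show up in a running config when they are at their (enabled) defaults, so a real check has to consult show commands per interface rather than trust the absence of a line.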
AAA to Secure and Scale Access

TACACS+ vs. RADIUS
RADIUS – Open, multi-vendor standard that allows centralized management of Authentication, Authorization, and Accounting for multiple platforms. Runs over UDP (ports 1812/1813, or 1645/1646 on older deployments). Combines authentication and authorization into a single request/response, so both must live on the same server. Hides only the user password in the Access-Request; the rest of the packet, including the username, is cleartext. Does not limit which commands a user can issue on a network device; it only grants or denies access.
TACACS+ – Designed by Cisco for Cisco equipment. Uses TCP (port 49) for greater reliability and scalability. The entire packet body is encrypted; separate servers can handle authentication and authorization; provides multiprotocol support; allows admins to specify the commands or privilege levels available to each user (per-command authorization).

IOS Firewall Features – Beyond Static ACLs
Stateful Packet Filtering – Lets the firewall track the “state” of a connection, opening return ports as needed and closing them once the connection finishes, so ports do not have to be left open permanently or closed by hand. Generally only connections initiated from the inside interface are allowed out to the outside; unsolicited inbound connections are dropped.
Proxy Firewalls – Stand between an inside host and the outside and make requests on behalf of the inside host, which is never directly exposed. Common for web traffic so that it can be monitored and filtered. To the outside, all requests appear to come from the proxy.

IDS and IPS
IDS – Sits outside the path of live traffic and receives copies of it. It raises an alert whenever it determines that a series of packets may be a threat. It can configure other devices to block or quarantine the traffic, but cannot itself drop packets.
IPS – Sits directly in the path of live traffic and can both alert and drop packets itself, stopping an attack.
HIPS or HIDS – A software-based IPS or IDS protecting a single server or host.
NIPS or NIDS – Network-based IPS or IDS.

Types of IPS/IDS
Signature-based – Cisco’s preferred solution. Uses attack signatures that identify known patterns of attack; the signatures are constantly updated and downloaded to the device. Can have problems detecting zero-day attacks.
Policy-based – Alerts on traffic that violates rules the administrator has defined for what is allowed on the network, or that matches configured patterns of malicious traffic. Additional policies can be configured.
Anomaly-based – Used by MARS and others. The system “learns” what normal network behavior looks like and then alerts or takes action when behavior deviates from that baseline. Works well in smaller networks, but it can be difficult to define “normal” in larger ones.
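The RADIUS versus TACACS+ comparison above turns on one line: RADIUS hides only the password, TACACS+ encrypts the whole body. The following is an added example, not from the cram sheet and not vendor code, that builds one packet of each and shows what an eavesdropper on the wire gets. It uses the hiding schemes each protocol actually specifies (RFC 2865 section 5.2 for the RADIUS User-Password attribute; the MD5 pseudo-pad body encryption of TACACS+), and it includes the offline attack that the RADIUS scheme permits on a captured Access-Request when the shared secret is guessable. The usernames, passwords, secrets and request authenticator are made up.

```python
"""Added example, not from the cram sheet or any vendor: RADIUS User-Password
hiding (RFC 2865 5.2) next to TACACS+ body encryption (MD5 pseudo-pad), with
constructed credentials, secrets and authenticator."""
import hashlib
import struct


def radius_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16, XOR each chunk with MD5(secret + previous chunk)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + chunk, chunk
    return out


def radius_user_password_reveal(hidden, secret, authenticator):
    """Inverse of the above; the server (or anyone with the secret) does this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out


def radius_access_request(username, password, secret, authenticator, ident=1):
    """Code 1 packet: User-Name (type 1) in the clear, User-Password (type 2) hidden."""
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_user_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def radius_guess_secret(hidden, authenticator, candidates):
    """Offline attack on a captured Access-Request: the right secret turns the
    field into printable text followed only by zero padding.  A wrong secret
    passes this filter with probability about (95/256)^16, i.e. never in practice."""
    for secret in candidates:
        pw = radius_user_password_reveal(hidden, secret, authenticator).rstrip(b"\0")
        if pw and all(32 <= c < 127 for c in pw):
            return secret
    return None


def tacacs_pad(session_id, key, version, seq_no, length):
    """pad_1 = MD5(session_id, key, version, seq_no); pad_n appends pad_n-1."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_authen_start(username, password, port=b"tty0"):
    """Authentication START body: action LOGIN(1), priv 1, type PAP(2), service LOGIN(1).
    With PAP the password travels in the data field of this same body."""
    return (bytes([1, 1, 2, 1, len(username), len(port), 0, len(password)])
            + username + port + password)


def tacacs_packet(session_id, key, body, version=0xC0, ptype=1, seq_no=1):
    """12-byte header in the clear (flags=0 means encrypted), body XORed with pad."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    enc = bytes(x ^ y for x, y in zip(body, pad))
    return struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body)) + enc


def tacacs_decrypt(packet, key):
    version, _, seq_no, _, session_id, length = struct.unpack("!BBBBII", packet[:12])
    pad = tacacs_pad(session_id, key, version, seq_no, length)
    return bytes(x ^ y for x, y in zip(packet[12:12 + length], pad))
```

Neither scheme is authenticated encryption by modern standards, and both reduce to the strength of the shared secret; the difference the sheet is pointing at is only what is exposed when the secret is not known, which for RADIUS is everything except the password.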