CISSP:
Network Security
Week 5; Pages 266-315
Part 1
OSI & TCP/IP
OSI and TCP/IP
OSI and TCP/IP
Open System Interconnect Model
● Defined in 1984. Last revision in 1994.
● International Standard (ISO/IEC 7498-1)
● Theoretical way to describe network structure
● Divided into 7 layers
○ Certain layers require further subdivisions
OSI and TCP/IP
The OSI Layers
1. Physical
a. CAT5 and fiber optic cables
b. Electrical signals
c. Topologies (Star, Bus, Ring)
2. Data-link
a. Logical Link Control (Error and flow control)
b. Media Access Control (Hardware addressing)
c. Switches
3. Network
a. Internet Protocol (Addressing, Fragmentation)
b. Routers
OSI and TCP/IP
4. Transport
a. TCP & UDP
b. Error Detection and Correction
c. Three-Way Handshake
5. Session
a. Logical Persistent Connection
b. Duplex vs. Simplex
6. Presentation
a. Ensures common formats
b. Complex Architecture
7. Application
a. HTTP, FTP, SMTP, DHCP, etc...
b. Web browser
OSI and TCP/IP
Routing Protocols (under Network Layer)
● RIP v1 & 2 (RFCs 1058, 1723)
○ Uses distance vector to select path w/ fewest hops; not always fastest; no more than 15 hops
○ v2 supports subnet mask and password authentication
● OSPF v1 & 2 (RFCs 1131, 1583, 2328)
○ Link-state based
○ smaller, more frequent updates to routing tables
○ supports classless IP ranges
OSI and TCP/IP
● BGP (RFCs 4271, 1771, 1654, 1105, 1163, 1267)
○ for interdomain routing in TCP/IP networks
○ allows the internet to be decentralized
● ICMP (RFC 792)
○ Used heavily in troubleshooting
○ Announces network errors, congestion, and timeouts
○ Common utilities using this protocol: Ping, Traceroute
OSI & TCP/IP
TCP Control Bits
● URG - Urgent Pointer field significant
● ACK - Acknowledgement field significant
● PSH - Push Function
● RST - Reset the connection
● SYN - Synchronize sequence numbers
● FIN - No more data from sender
OSI and TCP/IP
Three-Way Handshake
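Added example (not part of the original slides): a parser for the six control bits listed on the previous slide, plus a check that three constructed segments form a valid SYN, SYN/ACK, ACK exchange with the acknowledgement numbers the handshake requires. The port numbers and initial sequence numbers are constructed sample values.

```python
import struct

# Flag bits in the low byte of the TCP "data offset / flags" word (RFC 793).
# The slide lists these six; ECE and CWR (0x40, 0x80) were added later.
TCP_FLAGS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}

def parse_tcp_header(raw):
    """Return the fixed 20-byte TCP header fields plus the set of decoded flag names."""
    if len(raw) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    names = {name for bit, name in TCP_FLAGS.items() if off_flags & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "flags": names}

def build_tcp_header(sport, dport, seq, ack, flag_names, window=65535):
    """Build a minimal 20-byte header (checksum left zero); used only to construct samples."""
    flags = sum(bit for bit, name in TCP_FLAGS.items() if name in flag_names)
    off_flags = (5 << 12) | flags          # data offset 5 words = 20 bytes, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)

def check_handshake(segments):
    """Validate SYN -> SYN/ACK -> ACK, including that each side acknowledges the other's ISN + 1.
    Returns (ok, reason)."""
    if len(segments) != 3:
        return False, "expected exactly three segments"
    a, b, c = (parse_tcp_header(s) for s in segments)
    if a["flags"] != {"SYN"}:
        return False, "first segment must carry only SYN"
    if b["flags"] != {"SYN", "ACK"}:
        return False, "second segment must carry SYN and ACK"
    if b["ack"] != (a["seq"] + 1) & 0xFFFFFFFF:
        return False, "SYN/ACK does not acknowledge client ISN + 1"
    if "ACK" not in c["flags"] or "SYN" in c["flags"]:
        return False, "third segment must be a plain ACK"
    if c["ack"] != (b["seq"] + 1) & 0xFFFFFFFF:
        return False, "final ACK does not acknowledge server ISN + 1"
    return True, "handshake complete"

# Constructed sample: client port 40000 -> server port 80, ISNs 1000 (client) and 5000 (server).
GOOD_HANDSHAKE = [
    build_tcp_header(40000, 80, 1000, 0, {"SYN"}),
    build_tcp_header(80, 40000, 5000, 1001, {"SYN", "ACK"}),
    build_tcp_header(40000, 80, 1001, 5001, {"ACK"}),
]
# Constructed sample where the client answers the SYN/ACK with RST instead of the final ACK.
RESET_INSTEAD = GOOD_HANDSHAKE[:2] + [build_tcp_header(40000, 80, 1001, 5001, {"RST"})]

if __name__ == "__main__":
    print(check_handshake(GOOD_HANDSHAKE))   # (True, 'handshake complete')
    print(check_handshake(RESET_INSTEAD))    # (False, 'third segment must be a plain ACK')
```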
OSI & TCP/IP
Sublayers of Presentation Layer
● CASE
○ provides common application services
○ ACSE, ROSE, CCR, RTSE
● SASE
○ provides specific application services
○ FTAM, VT, MOTIS, CMIP, MMS, RDA, DTP
OSI and TCP/IP
Part 2
IP Networking
IP Networking
Network Addressing
● In 8.24.28.159
○ 8 is network (assigned by orgs like ICANN)
○ .24.28.159 is unique to host
● .0 and .255 are not used by hosts
● Class A: 1.0.0.0 - 127.255.255.254
● Class B: 128.0.0.0 - 191.255.255.254
● Class C: 192.0.0.0 - 223.255.255.254
● Class D: 224. - 239. (for multicast)
● Class E: 240. - 255. (Special purpose)
IP Networking
Network Addressing
● Special networks: 10.0.0.0, 127.0.0.0, 172.16.0.0-172.31.0.0, 192.168.0.0
● Subnets
○ Octets represent bits
○ All bits with a value of 1 are network bits
○ Example: A host in the 172.25.156.0 network with a subnet mask of 255.255.255.224 means that its address will be between 172.27.165.1 and 172.27.165.30. Next subnet will start at 172.27.165.32.
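Added example (not from the slides) that works the two addressing slides above in code: classful lookup by first octet, a check against the listed special networks, and the subnet arithmetic behind the /27 example, computed with Python's standard `ipaddress` module. The host address 172.27.165.17 is a constructed value inside the slide's 172.27.165.0/27 range.

```python
import ipaddress

def ip_class(addr):
    """Return the classful letter (A-E) for an IPv4 address, using the slide's boundaries."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"   # multicast
    return "E"       # special purpose

# The slide's special networks: RFC 1918 private blocks plus loopback.
SPECIAL_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_special(addr):
    """True if the address falls in one of the special networks listed on the slide."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in SPECIAL_NETWORKS)

def subnet_info(addr, mask):
    """Network, usable host range, broadcast and next subnet for a host/mask pair.
    The .0 (network) and all-ones (broadcast) addresses are excluded from the host range."""
    net = ipaddress.IPv4Interface(f"{addr}/{mask}").network
    if net.prefixlen > 30:
        raise ValueError("/31 and /32 have no conventional host range")
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "first_host": str(ipaddress.IPv4Address(int(net.network_address) + 1)),
        "last_host": str(ipaddress.IPv4Address(int(net.broadcast_address) - 1)),
        "broadcast": str(net.broadcast_address),
        "next_subnet": str(ipaddress.IPv4Address(int(net.broadcast_address) + 1)),
        "host_count": net.num_addresses - 2,
    }

if __name__ == "__main__":
    print(ip_class("8.24.28.159"), is_special("8.24.28.159"))   # A False
    print(subnet_info("172.27.165.17", "255.255.255.224"))
```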
IP Networking
CIDR/IPv6
● IP addresses in high demand since '90s
● CIDR introduced to help remedy
○ Classless interdomain (remember BGP?)
● IPv6 currently being introduced
○ Much longer addresses using hexadecimal
○ IPSec implemented
○ Increased throughput
○ Better QoS (meaning better VoIP)
IP Networking
● Connection requires two parts
○ IP Address
○ Ports
● Ports associated with TCP/UDP
● IANA manages standard port numbers
○ 0-1023: well-known; 1024-49151: registered; 49152-65535: private
IP Networking
IP Networking
DHCP
● Allows hosts to get their own IP addresses
● Process is similar to three-way handshake
○ Workstation sends out DHCPDISCOVER
○ Server responds with DHCPOFFER
○ Workstation sends DHCPREQUEST to begin lease
○ Server responds with DHCPACK
● Authentication supported (RFC 3118)
IP Networking
While ICMP is useful, attackers also love it.
● Ping of Death
○ ICMP echo larger than 65,536 bytes would cause systems to crash; OSs now made to handle it
● Redirect attacks
○ Man-in-the-Middle by redirecting a host through an attacker's computer
● Ping Scanning & Traceroute Exploitation
○ Scanning for open ports/mapping network; NMAP
● IGMP
○ used to manage multicasting groups
IP Networking
● VRRP
○ Performs failover for routers
○ Acts as a virtual router transparently
● RPCs
○ Allows a host to execute code not stored on it
○ CORBA and DCOM are examples
IP Networking
Port 53
RFCs 882, 1034, 1035
IP Networking
Directory Services (Again...)
● LDAP
○ supports lots of back ends
○ weak authentication; transfers in CT
● NetBIOS
● NIS, NIS+
○ Commonly used to manage user credentials
○ NIS does not authenticate between requests, NIS+ does
Port 389; RFC 1777
Ports 135, 137, 138, 139; RFCs 1001, 1002
IP Networking
File sharing
● CIFS/SMB/Samba
○ Prevalent on Windows, but also used on Unix-based systems
○ Capable of user- and tree-level security
○ Credentials sent in CT for backwards compatibility
● NFS
○ Prevalent on Unix-type systems, but also found on Windows.
○ v2 & v3 are stateless protocols for performance
○ Secure NFS uses DES for authentication and encryption; time stamps for tokens
○ v4 uses Kerberos and is stateful
Port 445
RFCs 1094, 1813, 3010, 3530
IP Networking
● SMTP
○ Routes email
○ No authentication; identification using email address
○ ESMTP improves security; provides authentication
● FTP
○ Requires two channels: control and data
○ Original: username/password auth passed in CT
○ TLS: sends AUTH TLS command to encrypt session
○ SFTP: encrypts both control and data
○ FTP over SSH: tunneling; only encrypts control
○ Active and Passive: server could be blocked by firewall
Port 25
Ports 20, 21; RFCs 959, 4217
IP Networking
● Anonymous FTP
○ Replaced with similar HTTP services
○ Considered unsafe due to the need to input an email address for access
● TFTP
○ Simplified FTP similar in purpose to Anonymous
○ Used on LANs for system administration tasks
Port 69; RFC 1350
IP Networking
● HTTP
○ Initially "Web enabled" apps caused security issues
○ No encryption support; simple authentication
● Proxying
○ Anonymizing
■ Allows obfuscation of connection information
○ Open
■ Allows unrestricted access to GET commands
■ Can be used to launch attacks
○ Content Filtering
■ Blocks traffic to restricted sites
■ Protects against accidental downloading of viruses
Port 80; RFCs 1945, 2109, 2616
Part 3
Implications of Multi-Layer Protocols
Multi-Layer Protocols
Typically found used with industrial systems
● SCADA (also called ICS)
○ Control Server - hosts software
○ RTU - equipped with radios
○ HMI - where people control the machines
○ PLC - controls machinery components
○ IED - sensors that collect data
○ IO Server - collects info from RTUs, PLCs, IEDs
○ Data Historian - like SIEM
● Modbus
○ Information sent in clear text
○ No authentication to send commands
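Added example (not from the slides): a parser for the Modbus/TCP MBAP header and function code, which makes the slide's two points concrete: every field is plain, and no field carries a credential, so the only place to enforce who may write is outside the protocol. The allow-list, IP addresses and register values are constructed sample data; the classifier is a simple monitoring rule, not a Modbus client.

```python
import struct

# Public Modbus function codes (Modbus Application Protocol Specification V1.1b).
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame):
    """Parse the 7-byte MBAP header (transaction id, protocol id, length, unit id) and the PDU.
    Note there is no field anywhere in the frame for a credential or a signature."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    trans_id, proto_id, length, unit_id = struct.unpack("!HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:       # length counts the unit id plus the PDU
        raise ValueError("MBAP length does not match frame size")
    return {"transaction_id": trans_id, "unit_id": unit_id,
            "function": frame[7], "data": frame[8:]}

def classify(frame, src_ip, allowed_writers):
    """Monitoring rule: reads are informational; writes are allowed only from the listed hosts."""
    fc = parse_modbus_tcp(frame)["function"]
    if fc in READ_CODES:
        return "read", READ_CODES[fc]
    if fc in WRITE_CODES:
        if src_ip in allowed_writers:
            return "write-allowed", WRITE_CODES[fc]
        return "write-unexpected", WRITE_CODES[fc]
    return "other", f"function code {fc}"

def build_frame(trans_id, unit_id, function, data):
    """Frame builder used only to construct the samples below."""
    pdu = bytes([function]) + data
    return struct.pack("!HHHB", trans_id, 0, len(pdu) + 1, unit_id) + pdu

# Constructed samples: read 10 holding registers from address 0; write 0x00FF to register 3.
READ_REQ = build_frame(1, 1, 3, struct.pack("!HH", 0, 10))
WRITE_REQ = build_frame(2, 1, 6, struct.pack("!HH", 3, 0x00FF))
HMI_HOSTS = {"10.0.0.5"}   # constructed allow-list: hosts permitted to issue writes

if __name__ == "__main__":
    print(classify(READ_REQ, "10.0.0.99", HMI_HOSTS))   # ('read', 'Read Holding Registers')
    print(classify(WRITE_REQ, "10.0.0.5", HMI_HOSTS))   # ('write-allowed', 'Write Single Register')
    print(classify(WRITE_REQ, "10.0.0.99", HMI_HOSTS))  # ('write-unexpected', 'Write Single Register')
```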
Questions?