SSCP : System Security Certified Practitioner (SSCP) : Part 21

  1. Which of the following is NOT true about IPSec Tunnel mode?

    • Fundamentally an IP tunnel with encryption and authentication
    • Have two sets of IP headers
    • Have two sets of IP headers
    • Established for gateway service

    Explanation:

    IPSec can be run in either tunnel mode or transport mode. Each of these modes has its own particular uses and care should be taken to ensure that the correct one is selected for the solution:

    Tunnel mode is most commonly used between gateways, or at an end-station to a gateway, the gateway acting as a proxy for the hosts behind it.

    Transport mode is used between end-stations or between an end-station and a gateway, if the gateway is being treated as a host—for example, an encrypted Telnet session from a workstation to a router, in which the router is the actual destination.

    As Figure 1 shows, basically transport mode should be used for end-to-end sessions and tunnel mode should be used for everything else. (Refer to the figure for the following discussion.)

    Figure 1 Tunnel and transport modes in IPSec.

    Figure 1 displays some examples of when to use tunnel versus transport mode:

    Tunnel mode is most commonly used to encrypt traffic between secure IPSec gateways, such as between the Cisco router and PIX Firewall (as shown in example A in Figure 1). The IPSec gateways proxy IPSec for the devices behind them, such as Alice’s PC and the HR servers in Figure 1. In example A, Alice connects to the HR servers securely through the IPSec tunnel set up between the gateways.

    Tunnel mode is also used to connect an end-station running IPSec software, such as the Cisco Secure VPN Client, to an IPSec gateway, as shown in example B.

    In example C, tunnel mode is used to set up an IPSec tunnel between the Cisco router and a server running IPSec software. Note that Cisco IOS software and the PIX Firewall sets tunnel mode as the default IPSec mode.

    Transport mode is used between end-stations supporting IPSec, or between an end-station and a gateway, if the gateway is being treated as a host. In example D, transport mode is used to set up an encrypted Telnet session from Alice’s PC running Cisco Secure VPN Client software to terminate at the PIX Firewall, enabling Alice to remotely configure the PIX Firewall securely.

    AH Tunnel Versus Transport Mode
    Figure 2 shows the differences that the IPSec mode makes to AH. In transport mode, AH services protect the external IP header along with the data payload. AH services protect all the fields in the header that don’t change in transport. The header goes after the IP header and before the ESP header, if present, and other higher-layer protocols.

    In tunnel mode, the entire original header is authenticated, a new IP header is built, and the new IP header is protected in the same way as the IP header in transport mode.

    Figure 2 AH tunnel versus transport mode.

    AH is incompatible with Network Address Translation (NAT) because NAT changes the source IP address, which breaks the AH header and causes the packets to be rejected by the IPSec peer.
    ESP Tunnel Versus Transport Mode

    Figure 3 shows the differences that the IPSec mode makes to ESP. In transport mode, the IP payload is encrypted and the original headers are left intact. The ESP header is inserted after the IP header and before the upper-layer protocol header. The upper-layer protocols are encrypted and authenticated along with the ESP header. ESP doesn’t authenticate the IP header itself.

    NOTE
    Higher-layer information is not available because it’s part of the encrypted payload.

    When ESP is used in tunnel mode, the original IP header is well protected because the entire original IP datagram is encrypted. With an ESP authentication mechanism, the original IP datagram and the ESP header are included; however, the new IP header is not included in the authentication.

    When both authentication and encryption are selected, encryption is performed first, before authentication. One reason for this order of processing is that it facilitates rapid detection and rejection of replayed or bogus packets by the receiving node. Prior to decrypting the packet, the receiver can detect the problem and potentially reduce the impact of denial-of-service attacks.

    Figure 3 ESP tunnel versus transport mode.
    ESP can also provide packet authentication with an optional field for authentication. Cisco IOS software and the PIX Firewall refer to this service as ESP hashed message authentication code (HMAC). Authentication is calculated after the encryption is done. The current IPSec standard specifies SHA-1 and MD5 as the mandatory HMAC algorithms.

    The main difference between the authentication provided by ESP and AH is the extent of the coverage. Specifically, ESP doesn’t protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode). Figure 4 illustrates the fields protected by ESP HMAC.

    Figure 4 ESP encryption with a keyed HMAC.
    IPSec Transforms

    An IPSec transform specifies a single IPSec security protocol (either AH or ESP) with its corresponding security algorithms and mode. Example transforms include the following:

    The AH protocol with the HMAC with MD5 authentication algorithm in tunnel mode is used for authentication.

    The ESP protocol with the triple DES (3DES) encryption algorithm in transport mode is used for confidentiality of data.

    The ESP protocol with the 56-bit DES encryption algorithm and the HMAC with SHA-1 authentication algorithm in tunnel mode is used for authentication and confidentiality.
    Transform Sets

    A transform set is a combination of individual IPSec transforms designed to enact a specific security policy for traffic. During the ISAKMP IPSec security association negotiation that occurs in IKE phase 2 quick mode, the peers agree to use a particular transform set for protecting a particular data flow. Transform sets combine the following IPSec factors:

    Mechanism for payload authentication—AH transform

    Mechanism for payload encryption—ESP transform

    IPSec mode (transport versus tunnel)

    Transform sets equal a combination of an AH transform, plus an ESP transform, plus the IPSec mode (either tunnel or transport mode).
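The coverage rules laid out above (what AH and ESP each authenticate, encryption before authentication, why NAT breaks AH but not ESP, and the transport-versus-tunnel choice a transform set fixes) can be exercised in a small model. The Python below is an added example written for this page; it is not code from Cisco Press or from the cited handbook. The packet layout, the addresses, the keys and the XOR keystream standing in for the ESP cipher are all constructed for the demonstration, and HMAC-SHA1 plays the role of the AH/ESP HMAC.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed keys for the demo; a real SA carries negotiated keys, an SPI and sequence state.
AUTH_KEY = b"constructed-hmac-key"
ENC_KEY = b"constructed-cipher-key"


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    ttl: int  # changes on every hop, so AH leaves it out of the ICV

    def immutable_fields(self) -> bytes:
        return f"{self.src}>{self.dst}".encode()

    def to_bytes(self) -> bytes:
        return f"{self.src}>{self.dst}|ttl={self.ttl}".encode()


def toy_keystream_xor(data: bytes) -> bytes:
    """Stand-in for the ESP cipher: XOR with a SHA-256 counter keystream. Demo only."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(ENC_KEY + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def icv(data: bytes) -> bytes:
    """Integrity check value: HMAC-SHA1, one of the two mandatory HMACs named above."""
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()


def esp_protect(inner, payload, mode, outer=None):
    """Transport: original header stays in the clear, only the payload is encrypted.
    Tunnel: the whole original datagram is encrypted behind a new outer header.
    Encryption runs first; the ICV covers ESP header + ciphertext, never the IP header."""
    esp_header = b"SPI=0x1001;SEQ=1"
    if mode == "transport":
        ip_header, plaintext = inner, payload
    elif mode == "tunnel":
        ip_header, plaintext = outer, inner.to_bytes() + payload
    else:
        raise ValueError(f"unknown IPSec mode {mode!r}")
    ciphertext = toy_keystream_xor(plaintext)
    return (ip_header, esp_header, ciphertext, icv(esp_header + ciphertext))


def esp_receive(packet):
    """Verify before decrypting: a forged or tampered packet is dropped with no cipher
    work spent on it. Returns the plaintext, or None if the ICV does not match."""
    _ip_header, esp_header, ciphertext, tag = packet
    if not hmac.compare_digest(icv(esp_header + ciphertext), tag):
        return None
    return toy_keystream_xor(ciphertext)


def ah_protect(inner, payload, mode, outer=None):
    """AH: nothing is encrypted; the ICV covers the immutable fields of whichever
    IP header is on the wire plus everything after it."""
    if mode == "transport":
        ip_header, body = inner, payload
    elif mode == "tunnel":
        ip_header, body = outer, inner.to_bytes() + payload
    else:
        raise ValueError(f"unknown IPSec mode {mode!r}")
    return (ip_header, body, icv(ip_header.immutable_fields() + body))


def ah_receive(packet) -> bool:
    ip_header, body, tag = packet
    return hmac.compare_digest(icv(ip_header.immutable_fields() + body), tag)


def router_hop(ip_header):
    """An ordinary forwarding hop touches only the mutable TTL."""
    return IPHeader(ip_header.src, ip_header.dst, ip_header.ttl - 1)


def nat_rewrite(ip_header, public_src):
    """A NAT device rewrites the source address, a field AH treats as immutable."""
    return IPHeader(public_src, ip_header.dst, ip_header.ttl - 1)


def demo():
    """Example A above: gateway-to-gateway tunnel with a NAT device and a router hop in the path."""
    alice = IPHeader("10.0.0.5", "10.1.0.9", ttl=64)          # constructed inner addresses
    gateways = IPHeader("192.0.2.1", "198.51.100.1", ttl=64)  # constructed outer addresses
    payload = b"constructed HR-server request"
    esp_pkt = esp_protect(alice, payload, "tunnel", outer=gateways)
    ah_pkt = ah_protect(alice, payload, "tunnel", outer=gateways)
    esp_after_nat = (nat_rewrite(esp_pkt[0], "203.0.113.7"),) + esp_pkt[1:]
    ah_after_nat = (nat_rewrite(ah_pkt[0], "203.0.113.7"),) + ah_pkt[1:]
    ah_after_hop = (router_hop(ah_pkt[0]),) + ah_pkt[1:]
    flipped = esp_pkt[2][:-1] + bytes([esp_pkt[2][-1] ^ 0x01])  # one bit of ciphertext changed
    esp_tampered = (esp_pkt[0], esp_pkt[1], flipped, esp_pkt[3])
    return {
        "esp_plaintext_after_nat": esp_receive(esp_after_nat),            # outer header not covered
        "ah_valid_after_nat": ah_receive(ah_after_nat),                    # False: NAT broke AH
        "ah_valid_after_hop": ah_receive(ah_after_hop),                    # True: TTL is excluded
        "esp_tampered_accepted": esp_receive(esp_tampered) is not None,    # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Switching the `mode` argument between `"transport"` and `"tunnel"`, and the function between `ah_protect` and `esp_protect`, reproduces the three example transforms listed above (AH tunnel, ESP transport, ESP tunnel); what changes is only which header is on the wire and which bytes the ICV covers.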

    This brings us to the end of the second part of this five-part series of articles covering IPSec. Be sure to catch the next installment.

    Cisco Press at: http://www.ciscopress.com/articles/printerfriendly.asp?p=25477
    and
    Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Pages 166-167.

  2. Why is infrared generally considered to be more secure to eavesdropping than multidirectional radio transmissions?

    • Because infrared eavesdropping requires more sophisticated equipment.
    • Because infrared operates only over short distances.
    • Because infrared requires direct line-of-sight paths.
    • Because infrared operates at extra-low frequencies (ELF).
    Explanation:
    Infrared is generally considered to be more secure to eavesdropping than multidirectional radio transmissions because infrared requires direct line-of-sight paths.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 173).
  3. Authentication Headers (AH) and Encapsulating Security Payload (ESP) protocols are the driving force of IPSec. Authentication Headers (AH) provides the following service except:

    • Authentication
    • Integrity
    • Replay resistance and non-repudiations
    • Confidentiality
    Explanation:

    AH provides integrity, authentication, and non-repudiation. AH does not provide encryption, which means that NO confidentiality is in place if only AH is being used. You must make use of the Encapsulating Security Payload if you wish to get confidentiality.

    IPSec uses two basic security protocols: Authentication Header (AH) and Encapsulation Security Payload.

    AH is the authenticating protocol and the ESP is the authenticating and encrypting protocol that uses cryptographic mechanisms to provide source authentication, confidentiality and message integrity.

    The IPSec mode and the protocols to be used are all negotiated through Security Associations. Security Associations (SAs) can be combined into bundles to provide authentication, confidentiality and layered communication.

    Source:
    TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, page 164.
    also see:
    Shon Harris, CISSP All In One Exam Guide, 5th Edition, Page 758

  4. What is NOT an authentication method within IKE and IPsec?

    • CHAP
    • Pre shared key
    • certificate based authentication
    • Public key authentication
    Explanation:

    CHAP is not used within IPSEC or IKE. CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link (LCP), and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user’s password).

    1. After the completion of the link establishment phase, the authenticator sends a “challenge” message to the peer.
    2. The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined.
    3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
    4. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.
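The four-step exchange above, as an added example (not code from the cited references): a CHAP authenticator and peer in Python, using the RFC 1994 layout of MD5 over identifier, secret and challenge. The peer name, the shared secrets and the re-challenge count are constructed for the demonstration. It also shows why a captured response is worthless against the next challenge.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer-side computation: one-way hash over identifier, shared secret and challenge
    (the MD5 layout of RFC 1994). The secret itself never goes on the wire."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """PPP server side. CHAP must recompute the hash, so it keeps the secret in usable form."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)  # peer name -> shared secret (constructed)
        self.identifier = 0
        self.pending = {}             # peer name -> (identifier, challenge) awaiting a response

    def challenge(self, peer):
        """Step 1: send a fresh random challenge under a new identifier."""
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.pending[peer] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, peer, identifier, response) -> bool:
        """Step 3: recompute the expected value and compare. Any mismatch (wrong secret,
        stale identifier, unknown peer, reused response) means the link should be dropped."""
        expected_id, chal = self.pending.pop(peer, (None, None))
        secret = self.secrets.get(peer)
        if chal is None or secret is None or identifier != expected_id:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


class Peer:
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        """Step 2: answer the challenge with the hash."""
        return self.name, identifier, chap_response(identifier, self.secret, challenge)


def authenticate(auth, peer, rechallenges=2):
    """Initial authentication after link establishment, then the periodic re-challenges
    of step 4. Returns one pass/fail per round."""
    outcomes = []
    for _ in range(1 + rechallenges):
        ident, chal = auth.challenge(peer.name)
        name, ident, resp = peer.respond(ident, chal)
        outcomes.append(auth.verify(name, ident, resp))
    return outcomes


def replayed_response_accepted(auth, peer) -> bool:
    """A response captured in one round does not satisfy the next challenge."""
    ident, chal = auth.challenge(peer.name)
    _, _, captured = peer.respond(ident, chal)
    auth.verify(peer.name, ident, captured)             # legitimate round
    new_ident, _ = auth.challenge(peer.name)
    return auth.verify(peer.name, new_ident, captured)  # replay against a fresh challenge


def demo():
    auth = Authenticator({"alice": b"constructed-secret"})
    good = Peer("alice", b"constructed-secret")
    wrong = Peer("alice", b"constructed-wrong-secret")
    return {
        "good_peer": authenticate(auth, good),
        "wrong_secret": authenticate(auth, wrong, rechallenges=0),
        "replay": replayed_response_accepted(auth, good),
    }


if __name__ == "__main__":
    print(demo())
```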

    The following were incorrect answers:

    Pre Shared Keys
    In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. To build a key from shared secret, the key derivation function should be used. Such systems almost always use symmetric key cryptographic algorithms. The term PSK is used in WiFi encryption such as WEP or WPA, where both the wireless access points (AP) and all clients share the same key.

    The characteristics of this secret or key are determined by the system which uses it; some system designs require that such keys be in a particular format. It can be a password like ‘bret13i’, a passphrase like ‘Idaho hung gear id gene’, or a hexadecimal string like ‘65E4 E556 8622 EEE1’. The secret is used by all systems involved in the cryptographic processes used to secure the traffic between the systems.
    Certificate Based Authentication

    The most common form of trusted authentication between parties in the wide world of Web commerce is the exchange of certificates. A certificate is a digital document that at a minimum includes a Distinguished Name (DN) and an associated public key.

    The certificate is digitally signed by a trusted third party known as the Certificate Authority (CA). The CA vouches for the authenticity of the certificate holder. Each principal in the transaction presents its certificate as its credentials. The recipient then validates the certificate’s signature against its cache of known and trusted CA certificates. A “personal certificate” identifies an end user in a transaction; a “server certificate” identifies the service provider.

    Generally, certificate formats follow the X.509 Version 3 standard. X.509 is part of the Open Systems Interconnect (OSI) X.500 specification.

    Public Key Authentication
    Public key authentication is an alternative means of identifying yourself to a login server, instead of typing a password. It is more secure and more flexible, but more difficult to set up.

    In conventional password authentication, you prove you are who you claim to be by proving that you know the correct password. The only way to prove you know the password is to tell the server what you think the password is. This means that if the server has been hacked or spoofed, an attacker can learn your password.

    Public key authentication solves this problem. You generate a key pair, consisting of a public key (which everybody is allowed to know) and a private key (which you keep secret and do not give to anybody). The private key is able to generate signatures. A signature created using your private key cannot be forged by anybody who does not have a copy of that private key; but anybody who has your public key can verify that a particular signature is genuine.

    So you generate a key pair on your own computer, and you copy the public key to the server. Then, when the server asks you to prove who you are, you can generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or password; they only gain one signature. And signatures cannot be re-used, so they have gained nothing.

    There is a problem with this: if your private key is stored unprotected on your own computer, then anybody who gains access to your computer will be able to generate signatures as if they were you. So they will be able to log in to your server under your account. For this reason, your private key is usually encrypted when it is stored on your local machine, using a passphrase of your choice. In order to generate a signature, you must decrypt the key, so you have to type your passphrase.

    References:
    RFC 2409: The Internet Key Exchange (IKE); DORASWAMY, Naganand & HARKINS, Dan

    Ipsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice Hall PTR; SMITH, Richard E.

    Internet Cryptography, 1997, Addison-Wesley Pub Co.; HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 467.

    http://en.wikipedia.org/wiki/Pre-shared_key
    http://www.home.umk.pl/~mgw/LDAP/RS.C4.JUN.97.pdf
    http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html#S8.1

  5. In SSL/TLS protocol, what kind of authentication is supported when you establish a secure session between a client and a server?

    • Peer-to-peer authentication
    • Only server authentication (optional)
    • Server authentication (mandatory) and client authentication (optional)
    • Role based authentication scheme
    Explanation:
    RESCORLA, Eric, SSL and TLS: Designing and Building Secure Systems, 2000, Addison Wesley Professional; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.
  6. Which of the following are suitable protocols for securing VPN connections at the lower layers of the OSI model?

    • S/MIME and SSH
    • TLS and SSL
    • IPsec and L2TP
    • PKCS#10 and X.509
    Explanation:
    Reference: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 467; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.
  7. What is the role of IKE within the IPsec protocol?

    • peer authentication and key exchange
    • data encryption
    • data signature
    • enforcing quality of service
    Explanation:
    Reference: RFC 2409: The Internet Key Exchange (IKE); DORASWAMY, Naganand & HARKINS, Dan, Ipsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice Hall PTR; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.
  8. What is a decrease in amplitude as a signal propagates along a transmission medium best known as?

    • Crosstalk
    • Noise
    • Delay distortion
    • Attenuation
    Explanation:

    Attenuation is the loss of signal strength as it travels. The longer a cable, the more attenuation occurs, which causes the signal carrying the data to deteriorate. This is why standards include suggested cable-run lengths. If a networking cable is too long, attenuation may occur. Basically, the data are in the form of electrons, and these electrons have to “swim” through a copper wire. However, this is more like swimming upstream, because there is a lot of resistance on the electrons working in this media. After a certain distance, the electrons start to slow down and their encoding format loses form. If the form gets too degraded, the receiving system cannot interpret them any longer. If a network administrator needs to run a cable longer than its recommended segment length, she needs to insert a repeater or some type of device that will amplify the signal and ensure it gets to its destination in the right encoding format.
    Attenuation can also be caused by cable breaks and malfunctions. This is why cables should be tested. If a cable is suspected of attenuation problems, cable testers can inject signals into the cable and read the results at the end of the cable.

    The following answers are incorrect:

    Crosstalk – Crosstalk is one example of noise where unwanted electrical coupling between adjacent lines causes the signal in one wire to be picked up by the signal in an adjacent wire.

    Noise – Noise is also a signal degradation but it refers to a large amount of electrical fluctuation that can interfere with the interpretation of the signal by the receiver.

    Delay distortion – Delay distortion can result in a misinterpretation of a signal that results from transmitting a digital signal with varying frequency components. The various components arrive at the receiver with varying delays.

    Following reference(s) were/was used to create this question:
    CISA review manual 2014 Page number 265
    Official ISC2 guide to CISSP CBK 3rd Edition Page number 229 &
    CISSP All-In-One Exam guide 6th Edition Page Number 561

  9. Which device acting as a translator is used to connect two networks or applications from layer 4 up to layer 7 of the ISO/OSI Model?

    • Bridge
    • Repeater
    • Router
    • Gateway
    Explanation:

    A gateway is used to connect two networks using dissimilar protocols at the lower layers or it could also be at the highest level of the protocol stack.

    Important Note:
    For the purpose of the exam, you have to remember that a gateway is not synonymous to the term firewall.

    The second thing you must remember is the fact that a gateway acts as a translation device.

    It could be used to translate from IPX to TCP/IP for example. It could be used to convert different types of applications protocols and allow them to communicate together. A gateway could be at any of the OSI layers but usually tend to be higher up in the stack.

    For your exam you should know the information below:

    Repeaters
    A repeater provides the simplest type of connectivity, because it only repeats electrical signals between cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add-on devices for extending a network connection over a greater distance. The device amplifies signals because signals attenuate the farther they have to travel.
    Repeaters can also work as line conditioners by actually cleaning up the signals. This works much better when amplifying digital signals than when amplifying analog signals, because digital signals are discrete units, which makes extraction of background noise from them much easier for the amplifier. If the device is amplifying analog signals, any accompanying noise often is amplified as well, which may further distort the signal.
    A hub is a multi-port repeater. A hub is often referred to as a concentrator because it is the physical communication device that allows several computers and devices to communicate with each other. A hub does not understand or work with IP or MAC addresses. When one system sends a signal to go to another system connected to it, the signal is broadcast to all the ports, and thus to all the systems connected to the concentrator.

    Repeater

    SSCP System Security Certified Practitioner (SSCP) Part 21 Q09 011

    Image Reference- http://www.erg.abdn.ac.uk/~gorry/course/images/repeater.gif

    Bridges
    A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore works with MAC addresses. A repeater does not work with addresses; it just forwards all signals it receives. When a frame arrives at a bridge, the bridge determines whether or not the MAC address is on the local network segment. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment.

    Bridge

    SSCP System Security Certified Practitioner (SSCP) Part 21 Q09 012

    Image Reference- http://www.oreillynet.com/network/2001/01/30/graphics/bridge.jpg

    Routers
    Routers are layer 3, or network layer, devices that are used to connect similar or different networks. (For example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A router is a device that has two or more interfaces and a routing table so it knows how to get packets to their destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when necessary. Because routers have more network-level knowledge, they can perform higher-level functions, such as calculating the shortest and most economical path between the sending and receiving hosts.

    Router and Switch

    SSCP System Security Certified Practitioner (SSCP) Part 21 Q09 013

    Image Reference- http://www.computer-networking-success.com/images/router-switch.jpg

    Switches
    Switches combine the functionality of a repeater and the functionality of a bridge. A switch amplifies the electrical signal, like a repeater, and has the built-in circuitry and intelligence of a bridge. It is a multi-port connection device that provides connections for individual computers or other hubs and switches.

    Gateways
    Gateway is a general term for software running on a device that connects two different environments and that many times acts as a translator for them or somehow restricts their interactions. Usually a gateway is needed when one environment speaks a different language, meaning it uses a certain protocol that the other environment does not understand. The gateway can translate Internetwork Packet Exchange (IPX) protocol packets to IP packets, accept mail from one type of mail server and format it so another type of mail server can accept and understand it, or connect and translate different data link technologies such as FDDI to Ethernet.

    Gateway Server

    SSCP System Security Certified Practitioner (SSCP) Part 21 Q09 014

    Image Reference- http://static.howtoforge.com/images/screenshots/556af08d5e43aa768260f9e589dc547f-3024.jpg

    The following answers are incorrect:

    Repeater – A repeater provides the simplest type of connectivity, because it only repeats electrical signals between cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add-on devices for extending a network connection over a greater distance. The device amplifies signals because signals attenuate the farther they have to travel.

    Bridges – A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore works with MAC addresses. A repeater does not work with addresses; it just forwards all signals it receives. When a frame arrives at a bridge, the bridge determines whether or not the MAC address is on the local network segment. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment.

    Routers – Routers are layer 3, or network layer, devices that are used to connect similar or different networks. (For example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A router is a device that has two or more interfaces and a routing table so it knows how to get packets to their destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when necessary.

    Following reference(s) were/was used to create this question:
    CISA review manual 2014 Page number 263
    Official ISC2 guide to CISSP CBK 3rd Edition Page number 229 and 230

  10. Which of the following is true of network security?

    • A firewall is a not a necessity in today’s connected world.
    • A firewall is a necessity in today’s connected world.
    • A whitewall is a necessity in today’s connected world.
    • A black firewall is a necessity in today’s connected world.
    Explanation:
    Commercial firewalls are a dime-a-dozen in today’s world. Black firewall and whitewall are just distracters.
  11. What is called the access protection system that limits connections by calling back the number of a previously authorized location?

    • Sendback systems
    • Callback forward systems
    • Callback systems
    • Sendback forward systems
    Explanation:
    The Answer: Call back Systems; Callback systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35.
  12. FTP, TFTP, SNMP, and SMTP are provided at what level of the Open Systems Interconnect (OSI) Reference Model?

    • Application
    • Network
    • Presentation
    • Transport
    Explanation:

    The Answer: Application. The Layer 7 Application Layer of the Open Systems Interconnect (OSI) Reference Model is a service for applications and Operating Systems data transmission, for example FTP, TFTP, SNMP, and SMTP.

    The following answers are incorrect:
    Network. The Network layer moves information between hosts that are not physically connected. It deals with routing of information. IP is a protocol that is used in Network Layer. FTP, TFTP, SNMP, and SMTP do not reside at the Layer 3 Network Layer in the OSI Reference Model.

    Presentation. The Presentation Layer is concerned with the formatting of data into a standard presentation such as ASCII. FTP, TFTP, SNMP, and SMTP do not reside at the Layer 6 Presentation Layer in the OSI Reference Model.

    Transport. The Transport Layer creates an end-to-end transportation between peer hosts. The transmission can be connectionless and unreliable such as UDP, or connection-oriented and ensure error-free delivery such as TCP. FTP, TFTP, SNMP, and SMTP do not reside at the Layer 4 Transportation Layer in the OSI Reference Model.

    The following reference(s) were/was used to create this question: Reference: OSI/ISO.

    Shon Harris AIO v.3 p. 420-421
    ISC2 OIG, 2007 p.412-413

  13. Which of the following is TRUE regarding Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)?

    • TCP is connection-oriented, UDP is not.
    • UDP provides for Error Correction, TCP does not.
    • UDP is useful for longer messages, rather than TCP.
    • TCP does not guarantee delivery of data, while UDP does guarantee data delivery.
    Explanation:

    TCP is a reliable connection-oriented transport for guaranteed delivery of data.

    Protocols represent certain rules and regulations that are essential in order to have data communication between two entities. Internet Protocols work in sending and receiving data packets. This type of communication may be either connection-less or connection-oriented.

    In a connection-oriented scenario, the sender receives an acknowledgement from the receiver confirming that the transfer completed correctly. Transmission Control Protocol (TCP) is such a protocol.

    On the other hand, User Datagram Protocol (UDP) is connectionless: no feedback is returned to the sender, so the sender never learns whether the data transfer took place. Delivery is therefore not guaranteed, but UDP works much faster than TCP, because TCP has to wait for that feedback and complete the entire 3-way handshake before data flows.

    The following answers are incorrect:

    UDP provides for Error Correction, TCP does not: UDP does not provide for error correction, while TCP does.

    UDP is useful for longer messages, rather than TCP: UDP is useful for shorter messages due to its connectionless nature.
    TCP does not guarantee delivery of data, while UDP does guarantee data delivery: The opposite is true.

    References Used for this question:
    http://www.cyberciti.biz/faq/key-differences-between-tcp-and-udp-protocols/
    http://www.skullbox.net/tcpudp.php
    James’s TCP-IP FAQ – Understanding Port Numbers.

  14. Within the OSI model, at what layer are some of the SLIP, CSLIP, PPP control functions provided?

    • Data Link
    • Transport
    • Presentation
    • Application
    Explanation:

    RFC 1661, The Point-to-Point Protocol (PPP), specifies that PPP provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP is comprised of three main components:

    1. A method for encapsulating multi-protocol datagrams.
    2. A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.
    3. A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols.

  15. In the Open Systems Interconnect (OSI) Reference Model, at what level are TCP and UDP provided?

    • Transport
    • Network
    • Presentation
    • Application
    Explanation:

    The Answer: Transport. The Layer 4 Transport layer supports the TCP and UDP protocols in the OSI Reference Model. This layer creates an end-to-end transportation between peer hosts. The transmission can be connectionless and unreliable such as UDP, or connection-oriented and ensure error-free delivery such as TCP.

    The following answers are incorrect:
    Network. The Network layer moves information between hosts that are not physically connected. It deals with routing of information. IP is a protocol that is used in Network Layer. TCP and UDP do not reside at the Layer 3 Network Layer in the OSI Reference Model.

    Presentation. The Presentation Layer is concerned with the formatting of data into a standard presentation such as ASCII. TCP and UDP do not reside at the Layer 6 Presentation Layer in the OSI Reference Model.

    Application. The Application Layer is a service for applications and Operating Systems data transmission, for example HTTP, FTP and SMTP. TCP and UDP do not reside at the Layer 7 Application Layer in the OSI Reference Model.

    The following reference(s) were/was used to create this question:

    ISC2 OIG, 2007 p. 411
    Shon Harris AIO v.3 p. 424

  16. Which of the following is unlike the other three choices presented?

    • El Gamal
    • Teardrop
    • Buffer Overflow
    • Smurf
    Explanation:
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 76, 157.
  17. The standard server port number for HTTP is which of the following?

    • 81
    • 80
    • 8080
    • 8180
    Explanation:
    HTTP is Port 80.
    Reference: MAIWALD, Eric, Network Security: A Beginner’s Guide, McGraw-Hill/Osborne Media, 2001, page 135.

  18. Which OSI/ISO layer is responsible for determining the best route for data to be transferred?

    • Session layer
    • Physical layer
    • Network layer
    • Transport layer
    Explanation:

    The main responsibility of the network layer is to insert information into the packet’s header so that it can be properly routed. The protocols at the network layer must determine the best path for the packet to take.

    The following answers are incorrect:

    Session layer. The session layer is responsible for establishing a connection between two applications.

    Physical layer. The physical layer is responsible for converting electrical impulses into bits and vice versa.

    Transport layer. The transport layer is responsible for data transmission and error detection.

    The following reference(s) were/was used to create this question:

    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, v3, chapter 7: Telecommunications and Network Security (pages 422-428).

    ISC2 Official ISC2 Guide to the CBK (OIG) 2007, p. 409-412

  19. Which of the following is true related to network sniffing?

    • Sniffers allow an attacker to monitor data passing across a network.
    • Sniffers alter the source address of a computer to disguise and exploit weak authentication methods.
    • Sniffers take over network connections.
    • Sniffers send IP fragments to a system that overlap with each other.
    Explanation:

    The following answers are incorrect:

    Sniffers alter the source address of a computer to disguise and exploit weak authentication methods. IP Spoofing is a network-based attack, which involves altering the source address of a computer to disguise the attacker and exploit weak authentication methods.

    Sniffers take over network connections. Session Hijacking tools allow an attacker to take over network connections, kicking off the legitimate user or sharing a login.

    Sniffers send IP fragments to a system that overlap with each other. Malformed Packet attacks are a type of DoS attack that involves one or two packets formatted in an unexpected way. Many vendor product implementations do not take into account all variations of user entries or packet types. If software handles such errors poorly, the system may crash when it receives such packets. A classic example of this type of attack involves sending IP fragments to a system that overlap with each other (the fragment offset values are incorrectly set). Some unpatched Windows and Linux systems will crash when they encounter such packets.

    The following reference(s) were/was used to create this question:

    Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, Auerbach, NY, NY 2001, Chapter 22, Hacker Tools and Techniques by Ed Skoudis.
    ISC2 OIG, 2007 p. 137-138, 419
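    The overlapping-fragment condition described in this explanation (and the Teardrop choice in question 16) can be checked for defensively by reassembling fragment byte ranges per IP ID and flagging any two that overlap. The following Python is an added example, not part of the original question bank; the packets are constructed inline with a zeroed checksum and placeholder 10.0.0.x addresses.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout

def parse_fragment(pkt: bytes):
    """Return (ip_id, first_byte, last_byte_exclusive, more_fragments) for one IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ip_id, flags_frag, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    more_fragments = bool(flags_frag & 0x2000)
    first = (flags_frag & 0x1FFF) * 8     # fragment offset field is in 8-byte units
    last = first + (total_len - ihl)      # payload bytes carried by this fragment
    return ip_id, first, last, more_fragments

def find_overlapping_fragments(packets):
    """Group fragments by IP ID; report each adjacent pair whose byte ranges overlap."""
    ranges_by_id = {}
    for pkt in packets:
        ip_id, first, last, _mf = parse_fragment(pkt)
        ranges_by_id.setdefault(ip_id, []).append((first, last))
    alerts = []
    for ip_id, ranges in ranges_by_id.items():
        ranges.sort()
        for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]):
            if s2 < e1:                   # next fragment starts inside the previous one
                alerts.append((ip_id, s1, e1, s2, e2))
    return alerts

def make_fragment(ip_id, offset, payload, more=True):
    """Constructed test fragment: version 4, IHL 5, UDP, zero checksum, placeholder 10.0.0.x hosts."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ip_id, flags_frag, 64, 17, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# Constructed samples: a well-formed pair, and a pair whose second offset lands inside the first.
NORMAL = [make_fragment(0x1234, 0, b"A" * 24), make_fragment(0x1234, 24, b"B" * 16, more=False)]
OVERLAP = [make_fragment(0x4321, 0, b"A" * 24), make_fragment(0x4321, 8, b"B" * 24, more=False)]

if __name__ == "__main__":
    print("normal :", find_overlapping_fragments(NORMAL))    # []
    print("overlap:", find_overlapping_fragments(OVERLAP))   # [(17185, 0, 24, 8, 32)]
```

    A production IDS would additionally track the more-fragments flag and a reassembly timeout per IP ID; this block only shows the overlap test itself.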

  20. In which layer of the OSI Model are connection-oriented protocols located in the TCP/IP suite of protocols?

    • Transport layer
    • Application layer
    • Physical layer
    • Network layer
    Explanation:

    Connection-oriented protocols such as TCP provide reliability.

    It is the responsibility of such protocols in the transport layer to ensure every byte is accounted for. The network layer does not provide reliability; it only provides the best route to get the traffic to the final destination address.

    For your exam you should know the information below about the OSI model:

    The Open Systems Interconnection model (OSI) is a conceptual model that characterizes and standardizes the internal functions of a communication system by partitioning it into abstraction layers. The model is a product of the Open Systems Interconnection project at the International Organization for Standardization (ISO) and is maintained as ISO/IEC 7498-1.

    The model groups communication functions into seven logical layers. A layer serves the layer above it and is served by the layer below it. For example, a layer that provides error-free communications across a network provides the path needed by applications above it, while it calls the next lower layer to send and receive packets that make up the contents of that path. Two instances at the same layer are connected by a horizontal connection in that layer.

    OSI Model (figure: the seven OSI layers)

    Image source: http://www.petri.co.il/images/osi_model.JPG

    PHYSICAL LAYER
    The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception of the unstructured raw bit stream over a physical medium. It describes the electrical/optical, mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher layers. It provides:

    Data encoding: modifies the simple digital signal pattern (1s and 0s) used by the PC to better accommodate the characteristics of the physical medium, and to aid in bit and frame synchronization. It determines:

    What signal state represents a binary 1
    How the receiving station knows when a “bit-time” starts
    How the receiving station delimits a frame

    DATA LINK LAYER
    The data link layer provides error-free transfer of data frames from one node to another over the physical layer, allowing layers above it to assume virtually error-free transmission over the link. To do this, the data link layer provides:

    Link establishment and termination: establishes and terminates the logical link between two nodes.
    Frame traffic control: tells the transmitting node to “back-off” when no frame buffers are available.
    Frame sequencing: transmits/receives frames sequentially.
    Frame acknowledgment: provides/expects frame acknowledgments. Detects and recovers from errors that occur in the physical layer by retransmitting non-acknowledged frames and handling duplicate frame receipt.
    Frame delimiting: creates and recognizes frame boundaries.
    Frame error checking: checks received frames for integrity.
    Media access management: determines when the node “has the right” to use the physical medium.

    NETWORK LAYER
    The network layer controls the operation of the subnet, deciding which physical path the data should take based on network conditions, priority of service, and other factors. It provides:

    Routing: routes frames among networks.
    Subnet traffic control: routers (network layer intermediate systems) can instruct a sending station to “throttle back” its frame transmission when the router’s buffer fills up.
    Frame fragmentation: if it determines that a downstream router’s maximum transmission unit (MTU) size is less than the frame size, a router can fragment a frame for transmission and re-assembly at the destination station.
    Logical-physical address mapping: translates logical addresses, or names, into physical addresses.
    Subnet usage accounting: has accounting functions to keep track of frames forwarded by subnet intermediate systems, to produce billing information.

    Communications Subnet
    The network layer software must build headers so that the network layer software residing in the subnet intermediate systems can recognize them and use them to route data to the destination address.

    This layer relieves the upper layers of the need to know anything about the data transmission and intermediate switching technologies used to connect systems. It establishes, maintains and terminates connections across the intervening communications facility (one or several intermediate systems in the communication subnet).

    In the network layer and the layers below, peer protocols exist between a node and its immediate neighbor, but the neighbor may be a node through which data is routed, not the destination station. The source and destination stations may be separated by many intermediate systems.

    TRANSPORT LAYER
    The transport layer ensures that messages are delivered error-free, in sequence, and with no losses or duplications. It relieves the higher layer protocols from any concern with the transfer of data between them and their peers.

    The size and complexity of a transport protocol depends on the type of service it can get from the network layer. For a reliable network layer with virtual circuit capability, a minimal transport layer is required. If the network layer is unreliable and/or only supports datagrams, the transport protocol should include extensive error detection and recovery.

    The transport layer provides:

    Message segmentation: accepts a message from the (session) layer above it, splits the message into smaller units (if not already small enough), and passes the smaller units down to the network layer. The transport layer at the destination station reassembles the message.
    Message acknowledgment: provides reliable end-to-end message delivery with acknowledgments.
    Message traffic control: tells the transmitting station to “back-off” when no message buffers are available.
    Session multiplexing: multiplexes several message streams, or sessions, onto one logical link and keeps track of which messages belong to which sessions (see session layer).

    Typically, the transport layer can accept relatively large messages, but there are strict message size limits imposed by the network (or lower) layer. Consequently, the transport layer must break up the messages into smaller units, or frames, prepending a header to each frame.

    The transport layer header information must then include control information, such as message start and message end flags, to enable the transport layer on the other end to recognize message boundaries. In addition, if the lower layers do not maintain sequence, the transport header must contain sequence information to enable the transport layer on the receiving end to get the pieces back together in the right order before handing the received message up to the layer above.

    End-to-end layers
    Unlike the lower “subnet” layers whose protocol is between immediately adjacent nodes, the transport layer and the layers above are true “source to destination” or end-to-end layers, and are not concerned with the details of the underlying communications facility. Transport layer software (and software above it) on the source station carries on a conversation with similar software on the destination station by using message headers and control messages.

    SESSION LAYER
    The session layer allows session establishment between processes running on different stations. It provides:

    Session establishment, maintenance and termination: allows two application processes on different machines to establish, use and terminate a connection, called a session.
    Session support: performs the functions that allow these processes to communicate over the network, performing security, name recognition, logging, and so on.

    PRESENTATION LAYER
    The presentation layer formats the data to be presented to the application layer. It can be viewed as the translator for the network. This layer may translate data from a format used by the application layer into a common format at the sending station, then translate the common format to a format known to the application layer at the receiving station.

    The presentation layer provides:

    Character code translation: for example, ASCII to EBCDIC.
    Data conversion: bit order, CR-CR/LF, integer-floating point, and so on.
    Data compression: reduces the number of bits that need to be transmitted on the network.
    Data encryption: encrypts data for security purposes, for example password encryption.

    APPLICATION LAYER
    The application layer serves as the window for users and application processes to access network services. This layer contains a variety of commonly needed functions:

    Resource sharing and device redirection
    Remote file access
    Remote printer access
    Inter-process communication
    Network management
    Directory services
    Electronic messaging (such as mail)
    Network virtual terminals

    The following were incorrect answers:

    Application Layer – The application layer serves as the window for users and application processes to access network services.
    Network layer – The network layer controls the operation of the subnet, deciding which physical path the data should take based on network conditions, priority of service, and other factors.
    Physical Layer – The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception of the unstructured raw bit stream over a physical medium. It describes the electrical/optical, mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher layers.

    The following reference(s) were/was used to create this question:

    CISA Review Manual 2014, page 260
    Official ISC2 Guide to the CISSP CBK, 3rd Edition, page 287
    http://en.wikipedia.org/wiki/Tcp_protocol
