CISSP Flashcards: Communication and Network Security, OSI Model, Protocols, Attacks

This section focuses on communication and network security, covering the OSI model, protocols, and common network attacks. Understanding these concepts is essential for protecting networked systems.

Nortren

What are the seven layers of the OSI model?

The Open Systems Interconnection model has seven layers from bottom to top: physical layer one handles electrical signals and cables, data link layer two handles MAC addresses and switches, network layer three handles IP addresses and routing, transport layer four handles TCP and UDP port-based communication, session layer five manages connections between applications, presentation layer six handles data formatting and encryption, and application layer seven interfaces with user applications. The mnemonic "Please Do Not Throw Sausage Pizza Away" helps remember the order.

What is the difference between TCP and UDP?

Transmission Control Protocol, or TCP, is a connection-oriented transport layer protocol that provides reliable, ordered delivery through a three-way handshake, sequence numbers, acknowledgments, and retransmission of lost packets. It is used for applications requiring guaranteed delivery like web browsing, email, and file transfer. User Datagram Protocol, or UDP, is a connectionless protocol that sends packets without establishing a connection or guaranteeing delivery, making it faster but less reliable.

What is a firewall and what are the main types?

A firewall is a network security device that monitors and controls incoming and outgoing traffic based on predetermined rules. Packet filtering firewalls inspect individual packets against access control lists based on source and destination IP addresses, ports, and protocols. Stateful inspection firewalls track the state of active connections and make decisions based on context. Application layer firewalls, also called proxies, inspect the content of traffic at layer seven and can filter based on application-specific data.

What is a VPN and what protocols does it use?

A Virtual Private Network, or VPN, creates an encrypted tunnel over a public network, allowing remote users or sites to communicate securely as if they were on a private network. Common VPN protocols include IPsec, which operates at the network layer and provides authentication and encryption through Authentication Header and Encapsulating Security Payload; TLS VPN, which operates at the transport layer and is commonly used for remote access through web browsers; and WireGuard, a modern protocol using state-of-the-art cryptography with minimal attack surface.

What is a man-in-the-middle attack and how is it prevented?

A man-in-the-middle attack occurs when an attacker secretly intercepts and potentially alters communication between two parties who believe they are communicating directly. The attacker can eavesdrop on sensitive data, modify messages, or inject malicious content. Common techniques include ARP spoofing on local networks, DNS spoofing, and rogue wireless access points. Prevention measures include using TLS and HTTPS for encrypted communications, implementing certificate pinning, deploying network monitoring for ARP anomalies, and using mutual authentication.

What is DNS poisoning and how does it work?

DNS poisoning, also called DNS spoofing, corrupts the Domain Name System cache so that a domain name resolves to a malicious IP address instead of the legitimate one. The attacker injects forged DNS responses that the DNS server caches as legitimate, redirecting all future queries for that domain to the attacker's server. Users who type the correct domain name are unknowingly sent to a fake site that may steal credentials or distribute malware.

What is network segmentation and what is a VLAN?

Network segmentation divides a network into smaller isolated subnetworks to contain breaches, reduce attack surface, and improve performance. A Virtual Local Area Network, or VLAN, is a logical grouping of network devices that communicate as if they were on the same physical network regardless of their physical location. VLANs are created on managed switches and separate broadcast domains. Traffic between VLANs must pass through a router or layer-3 switch with access control rules.

What is the difference between IDS and IPS?

An Intrusion Detection System, or IDS, monitors network traffic or system activity for suspicious patterns and generates alerts but does not block traffic. An Intrusion Prevention System, or IPS, sits inline in the traffic flow and can automatically block or drop malicious traffic in addition to alerting. Both use signature-based detection that matches known attack patterns and anomaly-based detection that identifies deviations from normal behavior.