ISCW Cram Sheet
Cable Modem Technology
Broadband – Using multiple frequencies to send information to make
better use of bandwidth, uses Frequency-Division Multiplexing to combine
several “channels” or frequencies into a larger pipe of bandwidth
CATV – Community Antenna Television – TV in general
Coaxial Cable – Cable used for cable TV and modem service
Tap – A device that splits one cable drop into several ports, usually 2, 4,
Amplifier – A device that magnifies an input signal
Hybrid Fiber-coaxial – A cable network in which most or all of the
backbone and trunk connections are fiber connecting to coaxial drops.
Downstream – An RF signal headed from the ISP to the Subscriber.
Upstream – An RF signal headed from the Subscriber to the ISP.
NTSC – National Television System Committee – governs analog TV
systems in North America using a 6-MHz modulated signal.
PAL – Phase Alternating Line – A color encoding system used in Europe,
Asia, Africa, Australia, Brazil, and Argentina. Uses 6, 7, or 8-MHz
SECAM – Système Électronique pour Couleur avec Mémoire – Analog color TV
system used in France and some Eastern European countries. Uses an
8-MHz modulated signal.
Antenna Site – ISP’s site with sending and receiving satellite dishes.
Headend – Master site where signals are received, processed, formatted,
and distributed. Secured and generally unstaffed.
Transportation Network – Network that connects the headend to the
antenna site. Might be microwave, coaxial, or fiber.
Distribution Network – Either trunk and feeder coaxial cables or more
often hybrid fiber-coaxial. This is the backbone of the network.
Node – Performs optical-to-RF conversion of CATV signals. Allows
networks to use fiber.
Subscriber Drop – Connects the subscriber to the feeder portion of the
distribution network. In many cable networks, this is the ONLY part of the
network that is actually coax.
Physical Layer (Layer 1) – Definition of the data signals used by cable
operators. Upstream channel widths are 200 kHz, 400 kHz, 800 kHz, 1.6 MHz,
3.2 MHz, and 6.4 MHz. Also defines how signals are modulated (QPSK, QAM).
MAC Layer (Layer 2) – Definition of an access method depending on
DOCSIS version. Time Division Multiple Access for versions 1.0, 1.1, and
2.0 or Synchronous Code Division Multiple Access for version 2.0. The
DOCSIS MAC protocol uses a request/grant system, so there are very few
DOCSIS 3.0 – Allows “channel bonding”, similar to adding channels to a
fractional T1 to allow greater bandwidth.
CMTS – Cable Modem Termination System – Usually resides in the
headend. Modulates the signal to the Cable Modem (CM) and
demodulates the cable modem’s response.
Cable Modem (CM) – A CPE device that terminates as well as performs
modulation and demodulation of signals. Speeds range from 1.5 to
“Back Office” Services – TFTP, DHCP, ToD (Time of Day for log
timestamping) and other maintenance tools.
Cable Modem Provisioning Steps
Downstream Setup – When the modem is powered up, it scans and
locks the downstream path for the RF channel allocated so that layer 1
and 2 can be established.
Upstream Setup – The cable modem listens to management messages
broadcast down the downstream path that gives information on how and
when to communicate on the upstream path. This information is used to
establish layers 1 and 2 for the upstream path.
Layer 1 and 2 Establishment – Physical and Data Link Layers are
established between the CM and CMTS.
DOCSIS Config File Download – Once it has an IP address (see IP Network
Initialization below), the CM requests the DOCSIS config file from the
TFTP server. This binary, TLV-encoded file holds the parameters set by the
ISP, including maximum downstream and upstream rates, maximum upstream
burst size, class of service, baseline privacy (BPI) enable, SNMP MIB
settings, and others. The file is normally loaded via TFTP (a cleartext
protocol) but can also be manually configured on the cable modem.
Register QoS with CMTS – The CM negotiates traffic types and QoS
settings with the CMTS, in accordance with the customer’s plan.
IP Network Initialization – Once layers 1, 2, and 3 are established and
the CM has pulled a config via tftp, the CM can provide routing and NAT
functions for clients behind it at the subscriber site. To establish layer 3,
the CM requests an IP address, subnet mask, default gateway, tftp server,
dhcp relay agent, the complete name of the DOCSIS config file, address
of the ToD server, and the syslog server address, all from the dhcp server
on the ISP side. Once it has this information, it first requests its clock to
be set to the ToD server’s correct time, then it can request the DOCSIS
config from the tftp server.
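The config file described in the steps above is a flat sequence of type-length-value records, with the Class of Service record nesting its own sub-TLVs. The following parser is an added example written for this sheet, not code from the original page or from Cisco or CableLabs; the TLV type numbers are the standard DOCSIS 1.x ones, the sample bytes are constructed here, and the two 16-byte MIC fields are zero placeholders (a real file carries an MD5 digest over the preceding TLVs as the CM MIC and an HMAC-MD5 under a provider-only secret as the CMTS MIC, which is what lets the CMTS reject a subscriber-edited copy with higher rate caps).

```python
import struct
from typing import Dict, Iterator, Tuple

# Top-level DOCSIS config TLV types (1-byte type, 1-byte length, value).
# Type 4 (Class of Service) carries nested sub-TLVs with the same framing.
TLV_NAMES = {1: "Downstream Frequency", 2: "Upstream Channel ID",
             3: "Network Access Control", 4: "Class of Service", 6: "CM MIC",
             7: "CMTS MIC", 9: "Software Upgrade Filename",
             18: "Maximum Number of CPEs"}
COS_NAMES = {1: "Class ID", 2: "Max Downstream Rate", 3: "Max Upstream Rate",
             4: "Upstream Channel Priority", 5: "Guaranteed Min Upstream Rate",
             6: "Max Upstream Burst", 7: "Privacy Enable"}


def iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a TLV sequence, refusing to read past a truncated entry."""
    i = 0
    while i < len(buf):
        t = buf[i]
        if t == 255:            # end-of-data marker carries no length byte
            return
        if t == 0:              # single pad byte
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated TLV header at offset %d" % i)
        n = buf[i + 1]
        val = buf[i + 2:i + 2 + n]
        if len(val) != n:
            raise ValueError("TLV %d declares %d bytes, only %d present" % (t, n, len(val)))
        yield t, val
        i += 2 + n


def summarize(buf: bytes) -> Dict[str, object]:
    """Pull out the provisioning parameters the sheet lists: rates, burst,
    privacy (BPI) flag, CPE limit, and the two MIC fields."""
    out: Dict[str, object] = {}
    for t, val in iter_tlvs(buf):
        if t == 4:
            cos: Dict[str, int] = {}
            for st, sv in iter_tlvs(val):
                if st in (2, 3, 5):                 # 32-bit bit rates
                    cos[COS_NAMES[st]] = struct.unpack("!I", sv)[0]
                elif st == 6:                       # 16-bit burst size
                    cos[COS_NAMES[st]] = struct.unpack("!H", sv)[0]
                elif st in (1, 4, 7):               # 1-byte fields
                    cos[COS_NAMES[st]] = sv[0]
            out["Class of Service"] = cos
        elif t == 1:
            out[TLV_NAMES[t]] = struct.unpack("!I", val)[0]
        elif t == 3:
            out[TLV_NAMES[t]] = bool(val[0])
        elif t in (6, 7):
            out[TLV_NAMES[t]] = val.hex()
        elif t == 9:
            out[TLV_NAMES[t]] = val.decode("ascii", "replace")
        elif t in (2, 18):
            out[TLV_NAMES[t]] = val[0]
    return out


def is_well_formed(buf: bytes) -> bool:
    """True if every TLV fits inside the buffer (a malformed file is a
    common way to crash a naive parser on the modem)."""
    try:
        list(iter_tlvs(buf))
        return True
    except ValueError:
        return False


def tlv(t: int, val: bytes) -> bytes:
    return bytes([t, len(val)]) + val


# Constructed sample file (not captured from a real CMTS); MICs are placeholders.
SAMPLE_CONFIG = (
    tlv(1, struct.pack("!I", 591_000_000))          # downstream 591 MHz
    + tlv(2, b"\x01")                                # upstream channel 1
    + tlv(3, b"\x01")                                # network access enabled
    + tlv(4, tlv(1, b"\x01")
          + tlv(2, struct.pack("!I", 8_000_000))     # 8 Mbps down
          + tlv(3, struct.pack("!I", 768_000))       # 768 kbps up
          + tlv(6, struct.pack("!H", 1600))          # max upstream burst
          + tlv(7, b"\x01"))                         # baseline privacy on
    + tlv(18, b"\x04")                               # at most 4 CPE MACs
    + tlv(6, bytes(16)) + tlv(7, bytes(16))          # CM MIC, CMTS MIC
    + b"\xff"
)

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_CONFIG).items():
        print(k, v)
```

Run it as-is to see the parsed parameters; point `summarize` at a file fetched from a provisioning TFTP server to see what a subscriber would see, which is the reason the CMTS MIC must be keyed with a secret the subscriber never holds.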
Cable Modem Features/Limitations
Shared Medium – Cable modems can provide very fast download
speeds, but are a shared medium, meaning that those speeds may not be
achievable when the local network is in heavy use. In addition, upload
speeds are limited.
DSL Features/Limitations
POTS Coexistence – Because DSL uses frequencies above the 0–4 kHz voice
band, it can send data over existing telephone cabling without additional
wiring, carrying both voice and data. All that is required is some kind of
filtering for analog devices such as non-VoIP phones and fax machines.
Dedicated Medium – Unlike Cable modems, DSL is not shared
bandwidth and while speeds may be lower in some locations, they will be
Distance Limitations – As distance between the subscriber and the local
CO increases, speed and quality decrease. The most common DSL
technology, ADSL, has a limit of 18,000 ft. Load coils are often installed
on long telephone loops to improve voice quality (they are passive
inductors, not amplifiers), but they attenuate the higher frequencies DSL
uses, so a load coil on a line will not allow DSL signals to pass.
Older Home Wiring – Older buildings may have low quality wiring that is
subject to interference from AM radio waves or EMI.
Amplitude – Peak height or depth of a wave peak or valley, in relation to
the horizontal axis of a graph, during one cycle of the wave.
ATU-C – ADSL Transmission Unit –central office – a subscriber-facing
DSL modem in the provider’s CO.
ATU-R – ADSL Transmission Unit-remote – a provider-facing DSL modem
in the subscriber home. Could be a DSL-capable router or DSL modem.
DSLAM – A single chassis containing multiple ATU-C units.
Frequency – Number of cycles of a waveform over a given time.
Frequency = speed / wavelength
Line Code – Technique used to represent digital signals by an amplitude-
discrete and time-discrete signal that allows a receiving device to
synchronize to the phase of the transmitted signal.
Maximum Data Rate – Maximum transmission speed possible for a
particular version of DSL.
Microfilter – Filters used to connect analog devices to a home network
which has DSL service. Filters out everything except the 0 – 4 kHz range
of frequencies (analog voice range).
Modulation – Process of varying a periodic waveform in order to use that
signal to convey a message.
Nature – The relationship between downstream and upstream speeds
(asymmetric or symmetric).
Network Interface Device – The CPE device providing the termination
point of the local loop.
Phase – A measure of the relative position over time of two waveforms
with identical frequency.
Splitter – A passive device used to separate DSL traffic from voice traffic.
Today, microfilters usually replace splitters at the CPE side of the local
Wavelength – Distance between repeating units of a wave pattern.
Wavelength = speed / Frequency (the inverse of the relation above)
Asymmetrical DSL (ADSL) – Different speeds for upload and download,
generally download speeds are higher. Typical for home use.
Symmetrical DSL (SDSL) – Identical transmission speeds for upload and
Asymmetric DSL Types
ADSL – Maximum distance of 18,000 feet. Maximum download speed –
1.5 – 8Mbps and upload of 16kbps – 1Mbps.
G.Lite ADSL – Splitterless ADSL. Max download 1.5Mbps, max upload
512kbps. No splitters required.
RADSL (rate-adaptive DSL) – Nonstandard version of ADSL that adjusts
speed to compensate for quality of phone line. Has longer maximum
distances than ADSL, but ADSL does also have the ability to adapt
VDSL (very-high-bit-rate DSL) – Speeds of 13-55Mbps over distances
up to 4500 feet on short loops. Cisco Long Reach Ethernet (LRE) is
based on VDSL technologies. Limited availability for this.
Symmetric DSL Types
SDSL (symmetric DSL) – provides upload and download of 128kbps –
2.32Mbps. 768kbps is most typical. Distance limit is 21,000 feet.
G.SHDSL (symmetric high-data-rate DSL) – Longer distance of 26,000
feet. Speeds from 192kbps to 2.3Mbps. Best suited to data-only
HDSL (high-data-rate DSL) – Symmetric 1.544 Mbps (T1) or 2.048 Mbps (E1),
normally split across two pairs carrying about 768 kbps of payload each
direction per pair. Basically T1 or E1 over DSL. Does not allow standard
phone service over the same wiring.
HDSL2 (second-generations HDSL) – Allows 1.5Mbps rates while still
coexisting with voice using either ATM or other technology over the same
IDSL (ISDN DSL) – Supports downstream and upstream rates of up to
144kbps in the same channel types as traditional ISDN, but in an “always-
on” service rather than dialup style service. Does not coexist with
CAP (Carrierless Amplitude Phase) – Single-carrier modulation type
that divides the available space into 3 bands. Range 0 to 4kHz is used
for POTS, range 25 to 160kHz is used for upstream data, and range
240kHz to 1.1MHz is used for downstream data. Only used in legacy
implementations because it does not perform as well.
DMT (Discrete Multi-Tone) – Uses multiple independent subchannels
within a larger channel (frequency range), which can be brought up or taken
down dynamically with no effect on the other active subchannels. Most
ADSL equipment now uses DMT, dividing the line into 256 equally sized
(4.3125 kHz) subcarriers shared between upstream and downstream.
Data Transmission Over ADSL
Layer 2 – Once DSL traffic reaches the DSLAM, it enters an ATM network.
The DSLAM is essentially an ATM multiplexer/switch with DSL line cards.
Layer 3 – Data can be encapsulated in 3 ways: RFC1483/2684 bridging
(multiprotocol data encapsulation or AAL5SNAP over ATM), PPP over
Ethernet, or PPP over ATM.
RFC 1483/2684 Bridging – Simplest technology with the least configuration
at the CPE end. The DSL router acts only as a bridge, so it lacks features,
security (no authentication of the subscriber), and scalability.
PPP – PPP enables authentication as well as higher layer protocols
versus bridging. Each packet is encapsulated with a 16-bit protocol
identifier. The packet contains: LCP (Link Control Protocol) information
which negotiates things like packet size, type of authentication, and other
link parameters, NCP (Network Control Protocol) information which
contains information about higher layer protocols, such as routing, and
Data Frames, which contain the actual user data.
PPP Process –
1. Each end of the PPP link sends LCP packets to configure and
test the layer 2 connection.
2. After the link has been established, PPP must send NCP
packets to choose and configure network layer protocols (such as
3. Once the layer 3 protocol has been configured, traffic from each
layer 3 protocol can be sent.
4. The link remains configured and ready for communication until it
receives explicit LCP or NCP packets telling it to close or some
external event or timeout occurs. PPP can handle multiple
protocols at once.
PPPoE (Point-to-Point Protocol over Ethernet) -
Uses PAP or CHAP to authenticate a connection. Each PPP
session must learn the address of the remote peer to create a
unique session identifier. This is done by a discovery protocol,
which adds 2 additional phases:
Discovery Phase -
1. PPPoE client sends a PADI (PPPoE Active Discovery Initiation)
packet as a broadcast requesting service.
2. The router responds with a PADO (PPPoE Active Discovery
Offer) packet describing the offered services in a unicast packet
directly to the MAC address of the client.
3. The PPPoE client responds directly to the server with a unicast
PADR (PPPoE Active Discovery Request) packet to move on to the
4. The router sends the client a PPPoE Active Discovery Session-
Confirmation which contains a session-ID and confirms they can
move to the Session phase. (If this all sounds a lot like dhcp, it is!)
Session Phase -
This is the phase where authentication takes place, as well as any
other configured LCP options. In order to accomplish
authentication and the negotiation of session variables, there are
usually 3 options:
1. Placing a DSL-capable router at the subscriber’s home – In this
case, PPP is terminated on the provider’s equipment at the
2. Placing a non-DSL-capable router at the subscriber’s home –
Here an external DSL modem must be placed in addition to the
router. PPP is still terminated on the provider’s router at the
3. Placing an External DSL Modem at the subscriber’s home –
here a simple DSL modem terminates the physical DSL connection.
PPP is terminated either on the hosts using PPPoE software or on
a router provided by the subscriber.
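The four-message discovery exchange above, simulated end to end. This is an added example written for this sheet, not code from the original page or from any vendor's PPPoE stack: it builds and parses RFC 2516 discovery frames (code values PADI 0x09, PADO 0x07, PADR 0x19, PADS 0x65; tag types Service-Name 0x0101, AC-Name 0x0102, Host-Uniq 0x0103, AC-Cookie 0x0104) and runs both the client and the access concentrator in one process. The HMAC-based cookie is this example's own choice; RFC 2516 requires only that the AC be able to validate the cookie it issued. The security points it makes concrete are that any host on the segment can answer a PADI (so the client must match Host-Uniq), and that the AC-Cookie lets the server refuse PADRs from hosts that never saw its PADO without keeping per-PADI state.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

# RFC 2516 discovery frames (Ethertype 0x8863): ver/type byte 0x11, code,
# 16-bit session id, 16-bit payload length, then tags (16-bit type, 16-bit
# length, value). Session id is 0 in PADI/PADO/PADR; PADS assigns it.
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_END, TAG_SERVICE, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104


def build(code: int, session: int, tags: List[Tuple[int, bytes]]) -> bytes:
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    payload += struct.pack("!HH", TAG_END, 0)
    return struct.pack("!BBHH", 0x11, code, session, len(payload)) + payload


def parse(frame: bytes) -> Tuple[int, int, Dict[int, bytes]]:
    if len(frame) < 6:
        raise ValueError("short frame")
    vt, code, session, length = struct.unpack("!BBHH", frame[:6])
    if vt != 0x11 or len(frame) < 6 + length:
        raise ValueError("malformed PPPoE discovery frame")
    tags: Dict[int, bytes] = {}
    i, end = 6, 6 + length
    while i + 4 <= end:
        t, n = struct.unpack("!HH", frame[i:i + 4])
        if t == TAG_END:
            break
        if i + 4 + n > end:
            raise ValueError("tag runs past declared payload length")
        tags[t] = frame[i + 4:i + 4 + n]
        i += 4 + n
    return code, session, tags


class AccessConcentrator:
    """Provider side. The AC-Cookie is an HMAC of the client MAC under a
    secret only the AC knows (this example's scheme), so a PADR can be
    validated statelessly, like a TCP SYN cookie."""

    def __init__(self, name: bytes) -> None:
        self.name = name
        self.secret = os.urandom(16)
        self.next_session = 1
        self.sessions: Dict[int, bytes] = {}

    def cookie(self, client_mac: bytes) -> bytes:
        return hmac.new(self.secret, client_mac, hashlib.sha256).digest()[:16]

    def handle(self, client_mac: bytes, frame: bytes) -> Optional[bytes]:
        code, session, tags = parse(frame)
        svc = [(TAG_SERVICE, tags.get(TAG_SERVICE, b""))]
        echo = [(TAG_HOST_UNIQ, tags[TAG_HOST_UNIQ])] if TAG_HOST_UNIQ in tags else []
        if code == PADI and session == 0:
            return build(PADO, 0, svc + [(TAG_AC_NAME, self.name),
                                         (TAG_AC_COOKIE, self.cookie(client_mac))] + echo)
        if code == PADR and session == 0:
            if not hmac.compare_digest(tags.get(TAG_AC_COOKIE, b""), self.cookie(client_mac)):
                return None                  # forged or replayed PADR: no session
            sid, self.next_session = self.next_session, self.next_session + 1
            self.sessions[sid] = client_mac
            return build(PADS, sid, svc + echo)
        return None


def discover(ac: AccessConcentrator, client_mac: bytes) -> int:
    """Client side: PADI -> PADO -> PADR -> PADS; returns the session id."""
    host_uniq = os.urandom(4)
    pado = ac.handle(client_mac, build(PADI, 0, [(TAG_SERVICE, b""), (TAG_HOST_UNIQ, host_uniq)]))
    if pado is None:
        raise RuntimeError("no offer received")
    code, _, tags = parse(pado)
    if code != PADO or tags.get(TAG_HOST_UNIQ) != host_uniq:
        raise RuntimeError("offer is not a reply to our PADI")  # rogue/stray PADO
    pads = ac.handle(client_mac, build(PADR, 0, [(TAG_SERVICE, b""),
                                                  (TAG_AC_COOKIE, tags[TAG_AC_COOKIE]),
                                                  (TAG_HOST_UNIQ, host_uniq)]))
    if pads is None:
        raise RuntimeError("request rejected")
    code, session, _ = parse(pads)
    if code != PADS or session == 0:
        raise RuntimeError("no session granted")
    return session


if __name__ == "__main__":
    ac = AccessConcentrator(b"bras-1")
    print("session id:", discover(ac, b"\x00\x11\x22\x33\x44\x55"))
```

Once PADS returns a non-zero session id the peers switch to Ethertype 0x8864 and PPP's LCP/authentication (PAP/CHAP) runs inside that session, which is where the subscriber is actually authenticated; nothing in discovery authenticates either side.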
Label – Short, fixed-length identifier that identifies the FEC a packet
belongs to (in practice, a group of destination networks sharing a next hop).
Label Stack – A set of labels attached to a packet header.
Label Swap – Basic forwarding operation. Incoming label is looked at to
determine outgoing label, encapsulation, port, and others.
LSH (Label-switched Hop) – A hop between two MPLS nodes. All
forwarding done by labels.
LSP (Label-switched Path) – The path through one or more LSRs
followed by a packet in a particular FEC.
LSR (Label Switching Router) – An MPLS node that is capable of
forwarding label switched packets.
MPLS Domain – A contiguous set of LSR’s in one routing or
MPLS edge node – An MPLS node that connects to a neighboring node
outside of its MPLS domain.
MPLS Egress Node – An MPLS node that handles traffic leaving an
MPLS Ingress Node – An MPLS node that handles traffic entering an
MPLS Label – A label that is carried in a packet header and identifies the
MPLS Node – A node running MPLS. Optionally can also forward native
layer 3 packets.
FEC (Forwarding Equivalence Classes) – Roughly corresponds to a
packet’s “next hop” within the MPLS domain. Two packets with different
destinations can share a FEC at a router if they both have the same next
hop. They will share a FEC until they reach a router at which they must exit
through different interfaces. Packets sorted into the same FEC at one
router may later be sorted into separate FECs at a later router.
PHP (Penultimate Hop Pop) – An LSR immediately before the
destination edge LSR pops the label before sending it to the edge LSR.
This saves time because the edge router then needs only to look at the
network layer routing rather than first looking at and popping the label.
Router Switching Modes
Process Switching – Slowest and most resource-intensive method.
Each packet has to be looked up in the routing table individually.
Cache-driven Switching – Once one packet is looked up in the routing
table, the destination is stored in memory for subsequent packets.
Topology-driven Switching – A FIB (Forwarding Information Base) is
created and used for high-speed switching operations at layer 3 (CEF –
Cisco Express Forwarding). The FIB acts as a shorthand reference so
that the router can bypass the routing table and use its adjacency table,
simply knowing which adjacent neighbor is next in the packet’s path is
enough. Can take up a lot of processing and memory if the routing table
LDP (Label Distribution Protocol) – Functions much like a routing
protocol for sending Label information.
RSVP (Resource Reservation Protocol) – Used by MPLS to allow
reservation of bandwidth within the MPLS network for voice or other
LFIB (Label Forwarding Information Base) – Stores label information
gained from LDP and/or routing protocols. Essentially Label routing table.
Part of the data plane.
P Router – Router inside the provider network that does not have
customer routers as neighbors.
PE Router – Provider Edge router that interacts directly with CE routers.
CE Router – Customer Edge router that interacts directly with PE routers.
LIB (Label Information Base) – Part of the control plane, provides the
database for LDP which maps IP addresses with local and next-hop
FIB (Forwarding Information Base) – Part of the data plane, stores
database used for forwarding unlabeled IP packets created from a regular
routing protocol. (IP routing table.) Each MPLS router creates its own
LIB, FIB, and LFIB.
Data Confidentiality – Data is kept private between endpoints of the VPN
using encryption, such as DES, 3DES, or AES. (Optional, but common)
Data Integrity – Guarantee that data has not been altered since it was
sent. Provided by a hash algorithm, such as SHA or MD5.
Data Origin Authentication – Ensures that the sender and receiver are
who they say they are. Peer authentication is performed by IKE (built on
ISAKMP and Oakley) using pre-shared keys, RSA signatures, or RSA nonces.
Anti-replay – Ensures that a captured packet cannot be injected again
later: the receiver tracks sequence numbers in a sliding window and drops
duplicates and packets older than the window. (Optional but common.)
Provided by the sequence number in the AH or ESP header, which the
MD5/SHA-based integrity check keeps an attacker from altering.
IKE (Internet Key Exchange) – Provides the framework for exchanging
security parameters and authentication keys securely over the internet in
ESP (Encapsulating Security Payload) – Provides the framework for
encryption, integrity, authentication, and anti-replay. Uses Data
Encryption Standard (DES), Triple Data Encryption Standard (3DES), and
Advanced Encryption Standard (AES).
AH (Authentication Header) – provides the framework for data integrity,
authentication, and anti-replay. Rarely used alone today since it does not
provide encryption; where used, it is combined with ESP. Uses hash
algorithms (HMAC with MD5 or SHA-1) to ensure that data has not been
tampered with. Because AH authenticates the IP header itself, it breaks
when a NAT device rewrites addresses in the path.
Transport Mode – The IPsec header is inserted between the original IP
header and the payload. The original IP header stays in place and its
addresses are visible to every hop between the endpoints; only the
transport layer and above are encrypted or authenticated.
Tunnel Mode – The entire original packet, IP header included, is
protected and encapsulated behind a new outer IP header; only the
addresses of the tunnel endpoints are visible on the wire.
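The anti-replay service listed above is usually described in one sentence; the window logic a receiver actually runs is short enough to show. The following is an added example (written for this sheet, not taken from the original page or from any IPsec implementation) of the sliding-window check that RFC 4303 describes for ESP and RFC 4302 for AH, including the order of operations that matters for security: the cheap replay check runs first, the window is advanced only after the integrity check (ICV) succeeds, so an attacker cannot slide the window forward with a forged high sequence number and make legitimate packets look old. The trace at the bottom is constructed.

```python
from typing import List, Tuple


class ReplayWindow:
    """Sliding anti-replay window: each sequence number is accepted at most
    once, reordering inside the window is tolerated, anything older is dropped."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit k set => (top - k) has already been accepted

    def check(self, seq: int) -> bool:
        """Cheap pre-check done before the expensive integrity verification."""
        if seq == 0:                       # ESP/AH sequence numbers start at 1
            return False
        if seq > self.top:
            return True                    # right of the window: new
        diff = self.top - seq
        if diff >= self.size:
            return False                   # left of the window: too old
        return not (self.bitmap & (1 << diff))   # inside: replay if bit set

    def update(self, seq: int) -> None:
        """Advance the window. Only called after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(window: ReplayWindow, seq: int, icv_ok: bool) -> bool:
    """Receiver order of operations: replay check, ICV, then window update."""
    if not window.check(seq) or not icv_ok:
        return False
    window.update(seq)
    return True


def run_trace(trace: List[Tuple[int, bool]]) -> List[bool]:
    """Feed (seq, icv_ok) pairs through one window; return accept/drop per packet."""
    w = ReplayWindow(64)
    return [receive(w, seq, ok) for seq, ok in trace]


# Constructed trace: in order, reordered, duplicate, forged (bad ICV) with a
# huge sequence number, a jump ahead, then one packet just outside and one
# just inside the 64-wide window, and a replay of the newest packet.
SAMPLE_TRACE = [(1, True), (3, True), (2, True), (2, True), (5000, False),
                (100, True), (36, True), (37, True), (100, True)]

if __name__ == "__main__":
    for (seq, ok), accepted in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print("seq %5d icv=%-5s -> %s" % (seq, ok, "accept" if accepted else "drop"))
```

Note that the forged packet with sequence 5000 is dropped without touching the window, so sequence 100 that follows is still accepted; had `update` run before the ICV check, 100 would have been 4900 behind `top` and discarded as too old.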
Internet Key Exchange (IKE)
IKE Phase 1 – Mandatory IKE phase. A bidirectional SA (Security
Association) is established between IPsec peers and the peers authenticate
each other. Two modes are available: Main Mode (six messages, identities
protected; used for site-to-site tunnels) and Aggressive Mode (three
messages; used by Easy VPN remote access). Aggressive Mode with pre-shared
keys sends the identity and the PSK-derived hash unencrypted, so a captured
exchange can be cracked offline; prefer Main Mode or certificates where possible.
IKE Phase 1.5 – Optional IKE phase. Provides additional layer of
authentication called Xauth or Extended Authentication. Xauth forces the
user to authenticate before the connection is granted.
IKE Phase 2 – Second mandatory IKE phase. Implements unidirectional
SA’s between IPsec endpoints so that keys are not shared. Uses IKE
GRE Over IPsec Characteristics
GRE – packets are encapsulated, however few security features are
provided. However, it allows routing protocols to travel over the tunnel,
unlike IPsec. Most often today, the two are combined to allow an
encrypted tunnel which also allows multicast and routing protocols to
travel over it. Creates high packet overhead.
IPsec High Availability Options
Stateless – Redundant IPsec tunnels are used to provide primary and
backup paths. The state of the tunnels is not known, but traffic is sent
across the backup tunnel if the end-to-end path has failed. Uses DPD
(Dead Peer Detection), an IGP (interior gateway protocol) within GRE
over IPsec, or HSRP (Hot Standby Router Protocol).
Stateful – Redundant equipment is employed, generally identical, that
communicate with each other to determine which one is the current
best device. Uses either HSRP or SSO (Stateful Switchover).
Easy VPN Components
Easy VPN Remote – the remote or “client” end of the Easy VPN
connection. This is the “easy” part of Easy VPN since it does not
require a static IP address or complicated configuration on this end.
Easy VPN Server – The “HQ” end of the VPN, which carries the bulk of the
configuration. The VPN server pushes the client its IP address and the
other client settings (DNS, WINS, domain, split-tunnel policy) through IKE
mode configuration along with the VPN tunnel.
Unnecessary Services and Interfaces – The largest category of
vulnerabilities. Includes TCP and UDP small services and other services
enabled by default that are generally not necessary.
Management Services – Includes SNMP and DNS. These services
should be disabled on any external interfaces or any on which they are not
Path Integrity Mechanisms – ICMP redirects and IP source routing. These
let a sender influence the path packets take through the network, so an
attacker can use them to steer traffic through a host they control or to
probe the topology. Disable them on all outside interfaces and on any
interface where they are not necessary.
Probes and Scans – Includes Finger and some ICMP features. These
can also be used for reconnaissance and should be disabled unless
Terminal Access Security – IP identification (ident) service and TCP
keepalives. Ident leaks information and should be disabled; TCP keepalives
should be enabled (service tcp-keepalives-in/out) so that abandoned or
half-open sessions are torn down instead of tying up vty lines, which an
attacker can otherwise exhaust to deny administrative access.
Gratuitous and Proxy ARP – Can be used to launch DoS attacks. Both
are enabled by default but it is not likely they will be needed in modern
networks unless your router is acting as a layer 2 bridge.
AutoSecure – CLI tool that automatically disables these vulnerable services,
enables firewall inspection and CEF, implements logging and NTP, restricts
management access to SSH, enables TCP intercept against SYN-flooding, and
configures a security banner and prompts for secure passwords…all with
just the auto secure command.
SDM Security Audit Wizard – Displays a list of these vulnerabilities with the
option to disable them, as well as allows the user to configure inside and
outside interfaces for firewall purposes.
SDM One-Step Lockdown Wizard – Tool in SDM similar to the auto secure
command in the CLI.
Securing Administrative Access
Passwords – Set strong, complex passwords and also use ACL’s to restrict
access to management interfaces. A password policy including minimum
length, expiration, etc should be implemented.
Login Limitations – Lock out users after a certain number of failed login
attempts and/or log the failure. You can also configure a delay, or quiet mode
which will allow access from an ACL only when it is locked.
Password Encryption – Use “enable secret” rather than the “enable” password:
the secret is stored as a salted MD5 hash (type 5), which cannot be reversed
but can still be brute-forced offline if the config leaks, so it needs a
strong password. The enable password, console, aux, and vty passwords are
all initially stored in clear text. The “service password-encryption”
command obscures them (type 7), but this is a trivially reversible
Vigenère-style cipher with a publicly known key, not real encryption.
Individual logins with a “secret” password (username … secret) are a better
choice; newer IOS releases also support stronger SHA-256 and scrypt
(type 8/9) secrets.
Multiple Privilege Levels – Use built-in privilege levels from 1-15 to give
individual users only the access they require or map commands to specific
Role-Based CLI – Enable different “views” for different users so that only the
commands they are authorized to use will show up as available.
The “Duh” Stuff – Configure a legally secure banner on all devices,
physically secure all devices, set minimum password lengths, remember that
telnet and tftp are cleartext, etc.
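The service list above and the password advice are the kind of thing worth checking mechanically against a saved running-config rather than by eye. The script below is an added example written for this sheet (not from the original page, not a Cisco tool, and not a substitute for AutoSecure or the SDM audit); it parses a running-config into global lines and interface/line blocks, flags the unnecessary services and missing hardening commands named in the text, and demonstrates why “service password-encryption” is weak by recovering type 7 passwords with the publicly known key. Both configs are constructed; the type 5 hashes in the hardened one are placeholders, not real hashes, and IOS defaults are assumed (ip redirects, proxy-arp, source routing and gratuitous ARP are on unless an explicit “no …” line appears).

```python
import re
from typing import Dict, List, Tuple

# Key used by IOS "service password-encryption" (type 7). It is public and
# fixed, so type 7 hides passwords from shoulder-surfing and nothing else.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc: str) -> str:
    """Two decimal digits give the key offset; the rest is hex of plaintext XOR key."""
    salt, data = int(enc[:2]), bytes.fromhex(enc[2:])
    return "".join(chr(b ^ TYPE7_KEY[(salt + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(data))


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and interface/line blocks."""
    global_lines: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                  # indented: belongs to a block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        global_lines.append(line)
        current = line if line.startswith(("interface ", "line ")) else None
        if current is not None:
            blocks.setdefault(current, [])
    return global_lines, blocks


def audit(text: str) -> List[str]:
    g, blocks = parse_config(text)
    gset, findings = set(g), []
    if any(x.startswith("enable password") for x in g) and \
       not any(x.startswith("enable secret") for x in g):
        findings.append("enable password set without enable secret")
    for line in g + [c for kids in blocks.values() for c in kids]:
        m = re.search(r"password 7 ([0-9A-Fa-f]+)$", line)
        if m:
            findings.append("type 7 recovered: '%s' -> %s" % (line, decode_type7(m.group(1))))
    for req in ("no ip source-route", "no ip gratuitous-arps"):
        if req not in gset:
            findings.append("missing global '%s'" % req)
    for bad in ("ip finger", "service finger", "service tcp-small-servers",
                "service udp-small-servers"):
        if bad in gset:
            findings.append("unnecessary service enabled: '%s'" % bad)
    for header, kids in blocks.items():
        if header.startswith("interface "):
            for req in ("no ip redirects", "no ip proxy-arp"):
                if req not in kids:
                    findings.append("%s: missing '%s'" % (header, req))
        elif header.startswith("line vty"):
            for k in kids:
                if k.startswith("transport input") and ("telnet" in k or k.endswith(" all")):
                    findings.append("%s: cleartext telnet permitted ('%s')" % (header, k))
    return findings


# Constructed "before" config: type 7 everywhere, finger on, telnet on the vtys.
WEAK_CONFIG = """\
version 12.4
service password-encryption
hostname edge-rtr
enable password 7 0822455D0A16
username admin password 7 0822455D0A16
ip finger
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
!
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet
!
"""

# Constructed "after" config; the $1$ hashes are placeholders, not real ones.
HARDENED_CONFIG = """\
version 12.4
hostname edge-rtr
enable secret 5 $1$XXXX$placeholder.not.a.real.hash
username admin secret 5 $1$XXXX$placeholder.not.a.real.hash
no ip source-route
no ip gratuitous-arps
no ip finger
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
line vty 0 4
 login local
 transport input ssh
!
"""

if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print("WEAK:", f)
    print("HARDENED findings:", audit(HARDENED_CONFIG))
```

The weak config yields ten findings, three of which are the recovered type 7 password; the hardened config yields none. Feed a real “show running-config” into `audit` to get the same list for your own device, and treat any type 7 recovery as a credential exposure, since every copy of that config (backups, tickets, TFTP server) contains the password.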
AAA to Secure and Scale Access
TACACS+ vs. Radius
RADIUS – Multi-vendor standard that allows centralized management of
Authentication, Authorization, and Accounting for multiple platforms. Uses
UDP and obscures only the password field of the request, not the rest of the
packet. Combines authentication and authorization into a single request, so
this information must be on the same server. Does not limit what commands a
user can issue on a network device; it only grants or denies access.
TACACS+ - Uses TCP for greater reliability and scalability. Entire body of
packets are encrypted, separate servers can handle authentication and
authorization, provides multiprotocol support, allows admins to specify
commands or privilege modes available to users. Designed by Cisco for
IOS Firewall Features – Beyond Static ACLs
Stateful Packet Filtering – Lets the firewall track the “state” of each
connection, opening a return path for its replies and closing it when the
session ends, so ports do not need to be left permanently open or closed by
hand. Generally only connections initiated from the inside interface are
allowed, with their return traffic admitted from the outside.
Proxy Firewalls – Stand between an inside host and the outside and make
requests on behalf of the inside host. The inside host is never directly
exposed. Common for web traffic so that it can be monitored and filtered. To
the outside, all requests appear to come from the proxy firewall.
IDS and IPS
IDS – Sits outside the path of active network traffic and has copies of the
traffic sent to it. It creates alerts whenever it determines that a series of
packets may be a threat. It can actively configure other devices to block or
quarantine these packets, but cannot itself block any packets.
IPS – Sits directly in the path of active network traffic and can both alert and
block packets itself and stop an attack.
HIPS or HIDS – A software-based IDS or IPS system protecting a single
server or host.
NIPS or NIDS – Network-based IDS or IPS.
Types of IPS/IDS –
Signature-based – Cisco’s preferred solution. Uses attack signatures
that identify known patterns of attacks that are constantly updated and
then downloaded to the device. Can have problems detecting zero-day
Policy-based – Use algorithms to identify traffic that strays outside set
norms or that meets certain patterns of malicious traffic. Additional
policies can be configured.
Anomaly-Based – Used by MARS and others, system “learns” what
normal network behavior “looks” like and then is able to alert or take action
when network behavior differs from that pattern. Works well in smaller
networks, but can be difficult to define “normal” in larger networks.