                             ISCW Cram Sheet

Cable Modem Technology


          Broadband – Using multiple frequencies to send information to make
          better use of bandwidth, uses Frequency-Division Multiplexing to combine
          several “channels” or frequencies into a larger pipe of bandwidth
          CATV – Community Antenna Television – cable TV in general
          Coaxial Cable – Cable used for cable TV and modem service
          Tap – A device that splits one cable drop into several ports, usually 2, 4,
          or 8
          Amplifier – A device that magnifies an input signal
          Hybrid Fiber-coaxial – A cable network in which most or all of the
          backbone and trunk connections are fiber connecting to coaxial drops.
          Downstream – An RF signal headed from the ISP to the Subscriber.
          Upstream – An RF signal headed from the Subscriber to the ISP.


          NTSC – National Television Standards Committee – governs analog TV
          systems in North America, using a 6-MHz modulated signal.
          PAL – Phase Alternating Line – A color encoding system used in Europe,
          Asia, Africa, Australia, Brazil, and Argentina. Uses a 6-, 7-, or 8-MHz
          modulated signal.
          SECAM – Systeme Electronique Couleur avec Memoire – Analog color TV
          system used in France and some Eastern European countries. Uses an
          8-MHz modulated signal.


          Antenna Site – ISP’s site with sending and receiving satellite dishes.
          Headend – Master site where signals are received, processed, formatted,
          and distributed. Secured and generally unstaffed.
          Transportation Network – Network that connects the headend to the
          antenna site. Might be microwave, coaxial, or fiber.
          Distribution Network – Either trunk and feeder coaxial cables or more
          often hybrid fiber-coaxial. This is the backbone of the network.
          Node – Performs optical-to-RF conversion of CATV signals. Allows
          networks to use fiber.
          Subscriber Drop – Connects the subscriber to the feeder portion of the
          distribution network. In many cable networks, this is the ONLY part of the
          network that is actually coax.

DOCSIS Standards

  Physical Layer (Layer1) – Definition of data signals to be used by cable
  operators. Channel widths are 200kHz, 400kHz, 800kHz, 1.6MHz, and
  6.4MHz. Also defines how signals are modulated.
  MAC Layer (Layer 2) – Definition of the access method, which depends on
  the DOCSIS version: Time Division Multiple Access (TDMA) in versions 1.0,
  1.1, and 2.0, with Synchronous Code Division Multiple Access (S-CDMA)
  added as an option in version 2.0. The DOCSIS MAC uses a request/grant
  system in which the CMTS schedules upstream transmissions, so there are
  very few collisions.
  DOCSIS 3.0 – Allows “channel bonding”, similar to adding channels to a
  fractional T1, to provide greater bandwidth in each direction.

DOCSIS Components

  CMTS – Cable Modem Termination System – Usually resides in the
  headend. Modulates the signal to the Cable Modem (CM) and
  demodulates the cable modem’s response.
  Cable Modem (CM) – A CPE device that terminates the RF link and performs
  modulation and demodulation of signals. Speeds range from 1.5 to
  “Back Office” Services – TFTP, DHCP, ToD (Time of Day for log
  timestamping) and other maintenance tools.

Cable Modem Provisioning Steps

  Downstream Setup – When the modem is powered up, it scans and
  locks the downstream path for the RF channel allocated so that layer 1
  and 2 can be established.
  Upstream Setup – The cable modem listens to management messages
  broadcast down the downstream path that gives information on how and
  when to communicate on the upstream path. This information is used to
  establish layers 1 and 2 for the upstream path.
  Layer 1 and 2 Establishment – Physical and Data Link Layers are
  established between the CM and CMTS.
  IP Address Allocation – Once layers 1 and 2 are up, the CM requests, from
  the DHCP server on the ISP side, an IP address, subnet mask, default
  gateway, TFTP server, DHCP relay agent, the complete name of the DOCSIS
  config file, the address of the ToD server, and the syslog server address.
  Time of Day – The CM asks the ToD server to set its clock so that log
  timestamps are correct.
  Configuration File Download – The CM requests the DOCSIS config file
  named in the DHCP reply from the TFTP server. This binary, TLV-encoded
  file carries the parameters set by the ISP, including maximum downstream
  and upstream rates, maximum upstream burst, class of service, baseline
  privacy settings, SNMP MIB objects, and others. TFTP itself is
  unauthenticated; what protects the file is the CMTS MIC inside it, a keyed
  digest computed with a secret shared between the provisioning system and
  the CMTS, which the CMTS verifies at registration.
  Register QoS with CMTS – The CM registers with the CMTS, negotiating
  traffic types and QoS settings in accordance with the customer’s plan as
  carried in the config file.
  IP Network Initialization – Once layers 1, 2, and 3 are established and
  the CM has registered, it can provide routing and NAT functions for clients
  behind it at the subscriber site.
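Added example (not part of the original cram sheet): a Python parser for the TLV-encoded DOCSIS config file described above, with the two integrity checks that guard it. The CM MIC is an unkeyed MD5 over the settings, so a subscriber who rewrites the upstream cap can simply recompute it; the CMTS MIC is keyed with a secret shared between the provisioning server and the CMTS, and is the check that actually detects tampering. The TLV type numbers follow the DOCSIS spec; the config bytes, the shared secret, and the simplified coverage of the CMTS MIC (the real one covers a spec-defined subset of TLVs) are assumptions of this example.

```python
"""Parse a DOCSIS configuration file (TLV-encoded) and check its MICs.

Added example, not from the ISCW sheet. TLV type numbers follow the DOCSIS
RFI spec (Annex C); the config bytes and secret below are constructed.
"""
import hashlib
import hmac
import struct

T_DOWNSTREAM_FREQ, T_UPSTREAM_CHANNEL, T_NETWORK_ACCESS = 1, 2, 3
T_CLASS_OF_SERVICE, T_CM_MIC, T_CMTS_MIC, T_PAD, T_END = 4, 6, 7, 0, 255

# Class-of-Service (type 4) sub-TLVs: sub-type -> (field name, struct format)
COS_FIELDS = {
    1: ("class_id", "!B"), 2: ("max_downstream_bps", "!I"),
    3: ("max_upstream_bps", "!I"), 4: ("upstream_priority", "!B"),
    5: ("min_upstream_bps", "!I"), 6: ("max_upstream_burst", "!H"),
    7: ("privacy_enable", "!B"),
}


def tlv(t, value):
    """Encode one item: 1-byte type, 1-byte length, value."""
    return bytes([t, len(value)]) + value


def iter_tlvs(data):
    """Yield (type, value, offset) for each TLV, stopping at End-of-Data (255)."""
    i = 0
    while i < len(data):
        t = data[i]
        if t == T_END:
            return
        if t == T_PAD:          # single-byte padding, no length field
            i += 1
            continue
        length = data[i + 1]
        yield t, data[i + 2:i + 2 + length], i
        i += 2 + length


def build_config(max_up_bps, cmts_secret):
    """Constructed config: settings, then CM MIC, CMTS MIC and End-of-Data."""
    cos_values = {1: 1, 2: 10_000_000, 3: max_up_bps, 6: 1522, 7: 1}
    cos = b"".join(tlv(sub, struct.pack(COS_FIELDS[sub][1], val))
                   for sub, val in cos_values.items())
    body = (tlv(T_DOWNSTREAM_FREQ, struct.pack("!I", 591_000_000))
            + tlv(T_UPSTREAM_CHANNEL, b"\x01")
            + tlv(T_NETWORK_ACCESS, b"\x01")
            + tlv(T_CLASS_OF_SERVICE, cos))
    # CM MIC: unkeyed MD5 over everything that precedes it.
    cm_mic = tlv(T_CM_MIC, hashlib.md5(body).digest())
    # CMTS MIC: keyed with the operator's shared secret. Simplified here to an
    # HMAC-MD5 over the preceding bytes; the spec fixes exactly which TLVs are
    # covered and in what order.
    cmts_mic = hmac.new(cmts_secret, body + cm_mic, hashlib.md5).digest()
    return body + cm_mic + tlv(T_CMTS_MIC, cmts_mic) + bytes([T_END])


def parse_config(data, cmts_secret=None):
    """Decode the settings and verify both MICs (cmts_mic_ok is None without a secret)."""
    cfg = {"cm_mic_ok": False, "cmts_mic_ok": None}
    for t, value, off in iter_tlvs(data):
        if t == T_DOWNSTREAM_FREQ:
            cfg["downstream_hz"] = struct.unpack("!I", value)[0]
        elif t == T_UPSTREAM_CHANNEL:
            cfg["upstream_channel"] = value[0]
        elif t == T_NETWORK_ACCESS:
            cfg["network_access"] = bool(value[0])
        elif t == T_CLASS_OF_SERVICE:
            for sub, sval, _ in iter_tlvs(value):
                name, fmt = COS_FIELDS[sub]
                cfg[name] = struct.unpack(fmt, sval)[0]
        elif t == T_CM_MIC:
            cfg["cm_mic_ok"] = hashlib.md5(data[:off]).digest() == value
        elif t == T_CMTS_MIC and cmts_secret is not None:
            expect = hmac.new(cmts_secret, data[:off], hashlib.md5).digest()
            cfg["cmts_mic_ok"] = hmac.compare_digest(expect, value)
    return cfg


def rewrite_upstream_rate(data, new_bps):
    """Tamper with the upstream cap and recompute the CM MIC, keeping the old
    CMTS MIC. Anyone can redo the unkeyed CM MIC; only the keyed CMTS MIC,
    checked by the CMTS at registration, reveals the change."""
    settings, old_cmts_mic = b"", b""
    for t, value, _ in iter_tlvs(data):
        if t == T_CLASS_OF_SERVICE:
            value = b"".join(
                tlv(s, struct.pack("!I", new_bps) if s == 3 else v)
                for s, v, _ in iter_tlvs(value))
        if t == T_CMTS_MIC:
            old_cmts_mic = value
        elif t != T_CM_MIC:
            settings += tlv(t, value)
    cm_mic = tlv(T_CM_MIC, hashlib.md5(settings).digest())
    return settings + cm_mic + tlv(T_CMTS_MIC, old_cmts_mic) + bytes([T_END])


if __name__ == "__main__":
    secret = b"provisioning-shared-secret"   # constructed
    good = build_config(1_000_000, secret)
    print(parse_config(good, secret))
    print(parse_config(rewrite_upstream_rate(good, 50_000_000), secret))
```

Running it prints both MIC flags true for the original file, and for the rewritten file the CM MIC still verifies while the CMTS MIC fails, which is the outcome the CMTS relies on to reject the modem at registration.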

       Cable Modem Features/Limitations

          Shared Medium – Cable modems can provide very fast download
          speeds, but are a shared medium, meaning that those speeds may not be
          achievable when the local network is in heavy use. In addition, upload
          speeds are limited.

DSL Technology

       DSL Features/Limitations

          POTS Coexistence – Due to the frequencies used, DSL can send data
          signals through existing telephone cabling without requiring any additional
          wiring to carry both voice and data traffic. All that is required is some kind
          of filtering for analog devices such as non-VoIP phones and fax machines.
          Dedicated Medium – Unlike Cable modems, DSL is not shared
          bandwidth and while speeds may be lower in some locations, they will be
          Distance Limitations – As the distance between the subscriber and the local
          CO increases, speed and quality decrease. The most common DSL
          technology, ADSL, has a limit of 18,000 ft. Load coils are passive
          inductors placed on long telephone loops to flatten the voice-band
          response; they are not amplifiers, and a load coil on a line blocks the
          higher frequencies DSL uses, so DSL cannot be provisioned on a loaded
          loop until the coils are removed.
          Older Home Wiring – Older buildings may have low-quality wiring that is
          subject to interference from AM radio or other EMI.

DSL Terminology

  Amplitude – Peak height or depth of a wave peak or valley, in relation to
  the horizontal axis of a graph, during one cycle of the wave.
  ATU-C – ADSL Transmission Unit, Central office – the subscriber-facing
  DSL modem in the provider’s CO.
  ATU-R – ADSL Transmission Unit, Remote – the provider-facing DSL modem
  at the subscriber premises. Can be a DSL-capable router or a standalone
  DSL modem.
  DSLAM – A single chassis containing multiple ATU-C units.
  Frequency – Number of cycles of a waveform over a given time.
  Frequency = speed / wavelength
  Line Code – Technique used to represent digital signals by an amplitude-
  discrete and time-discrete signal that allows a receiving device to
  synchronize to the phase of the transmitted signal.
  Maximum Data Rate – Maximum transmission speed possible for a
  particular version of DSL.
  Microfilter – Filters used to connect analog devices to a home network
  which has DSL service. Filters out everything except the 0 – 4 kHz range
  of frequencies (analog voice range).
  Modulation – Process of varying a periodic waveform in order to use that
  signal to convey a message.
  Nature – The relationship between downstream and upstream speeds
  (asymmetric or symmetric).
  Network Interface Device (NID) – The device at the subscriber premises
  that terminates the local loop; the demarcation point between the
  provider’s wiring and the inside wiring.
  Phase – A measure of the relative position over time of two waveforms
  with identical frequency.
  Splitter – A passive device used to separate DSL traffic from voice traffic.
  Today, microfilters usually replace splitters at the CPE side of the local
  loop.
  Wavelength – Distance between repeating units of a wave pattern.
  Wavelength = speed / frequency

DSL Variants

  Asymmetrical DSL (ADSL) – Different speeds for upload and download,
  generally download speeds are higher. Typical for home use.
  Symmetrical DSL (SDSL) – Identical transmission speeds for upload and
  download.

Asymmetric DSL Types

  ADSL – Maximum distance of 18,000 feet. Maximum download speed –
  1.5 – 8Mbps and upload of 16kbps – 1Mbps.
  G.Lite ADSL – Splitterless ADSL. Max download 1.5Mbps, max upload
  512kbps. No splitters required.
  RADSL (rate-adaptive DSL) – Nonstandard version of ADSL that adjusts
  speed to compensate for the quality of the phone line. Has longer maximum
  distances than ADSL, although standard ADSL can also adapt its rate.
  VDSL (very-high-bit-rate DSL) – Speeds of 13-55Mbps over distances
  up to 4500 feet on short loops. Cisco Long Reach Ethernet (LRE) is
  based on VDSL technologies. Limited availability for this.

Symmetric DSL Types

  SDSL (symmetric DSL) – provides upload and download of 128kbps –
  2.32Mbps. 768kbps is most typical. Distance limit is 21,000 feet.
  G.SHDSL (symmetric high-data-rate DSL) – Longer distance of 26,000
  feet. Speeds from 192kbps to 2.3Mbps. Best suited to data-only
  applications.
  HDSL (high-data-rate DSL) – Rates of up to 768kbps in each direction per
  wire pair; two pairs together deliver 1.544Mbps. Basically T1 or E1 over
  DSL. Does not allow standard phone service over the same wiring.
  HDSL2 (second-generation HDSL) – Allows 1.5Mbps rates over a single wire
  pair while still coexisting with voice, using ATM or other framing over the
  same pair.
  IDSL (ISDN DSL) – Supports downstream and upstream rates of up to
  144kbps in the same channel types as traditional ISDN, but in an “always-
  on” service rather than dialup style service. Does not coexist with
  traditional voice.

ADSL Modulation

  CAP (Carrierless Amplitude Phase) – Single-carrier modulation type
  that divides the available space into 3 bands. Range 0 to 4kHz is used
  for POTS, range 25 to 160kHz is used for upstream data, and range
  240kHz to 1.1MHz is used for downstream data. Only used in legacy
  implementations because it does not perform as well.
  DMT (Discrete Multi-Tone) – Uses multiple independent subchannels within
  a larger frequency range; individual subchannels can be brought up or taken
  down dynamically with no effect on the others, which lets the link work
  around noisy parts of the spectrum. Most ADSL equipment now uses DMT to
  divide the available band into 256 subchannels of about 4.3 kHz each.

Data Transmission Over ADSL

  Layer 2 – Once DSL traffic reaches the DSLAM it enters an ATM network;
  the DSLAM is in effect an ATM switch with DSL line cards, forwarding each
  subscriber’s cells over a PVC.
  Encapsulation – Data can be carried over the ATM PVC in three ways:
  RFC 1483/2684 bridging (multiprotocol encapsulation, AAL5 SNAP, over
  ATM), PPP over Ethernet (PPPoE), or PPP over ATM (PPPoA).

  RFC 1483/2684 Bridging – Simplest option with the least configuration at
  the CPE end. The DSL router acts only as a bridge, so it lacks features,
  security (no per-subscriber authentication), and scalability.

  PPP – PPP adds authentication and per-session negotiation of higher-layer
  protocols, which bridging lacks. Each frame carries a 16-bit protocol field
  identifying what follows: LCP (Link Control Protocol) packets, which
  negotiate packet size, the type of authentication, and other link
  parameters; NCP (Network Control Protocol) packets, which configure a
  particular network-layer protocol (IPCP for IP); and data frames, which
  carry the actual user data.

        PPP Process –
        1. Each end of the PPP link sends LCP packets to configure and
        test the layer 2 connection.
        2. After the link has been established, PPP sends NCP
        packets to choose and configure network layer protocols (such as IP,
        via IPCP).
        3. Once the layer 3 protocol has been configured, traffic from each
        layer 3 protocol can be sent.
        4. The link remains configured and ready for communication until it
        receives explicit LCP or NCP packets telling it to close or some
        external event or timeout occurs. PPP can handle multiple
        protocols at once.

        PPPoE (Point-to-Point Protocol over Ethernet) -
        Uses PAP or CHAP to authenticate the session. PAP sends the
        password in the clear; CHAP answers a challenge with an MD5 hash,
        so the password itself never crosses the link. Each PPP session
        must learn the MAC address of the remote peer and obtain a unique
        session identifier. This is done by a discovery protocol, which adds
        a discovery phase ahead of the normal PPP session phase:
        Discovery Phase -
        1. PPPoE client sends a PADI (PPPoE Active Discovery Initiation)
        packet as a broadcast requesting service.
        2. The router responds with a PADO (PPPoE Active Discovery

               Offer) packet describing the offered services in a unicast packet
               directly to the MAC address of the client.
               3. The PPPoE client responds directly to the server with a unicast
               PADR (PPPoE Active Discovery Request) packet to move on to the
               session phase.
                4. The router sends the client a PADS (PPPoE Active Discovery
                Session-confirmation) packet containing a unique session ID,
                confirming that both sides can move to the Session phase. (If
                this all sounds a lot like DHCP, it is; and, as with DHCP, the
                discovery stage is unauthenticated, so any device on the segment
                can answer a PADI with a PADO.)
                Session Phase-
                This is the phase where PPP authentication takes place, as well
                as negotiation of any other configured LCP options. Where PPP is
                terminated depends on the CPE arrangement; there are usually 3
                options:
                1. A DSL-capable router at the subscriber’s home – PPP is
                terminated on the provider-managed router at the subscriber’s
                home.
                2. A non-DSL-capable router at the subscriber’s home – An
                external DSL modem is placed in front of the router. PPP is still
                terminated on the provider-managed router at the subscriber’s
                home.
                3. An external DSL modem only at the subscriber’s home – A simple
                DSL modem terminates the physical DSL connection. PPP is
                terminated either on the hosts, using PPPoE client software, or
                on a router supplied by the subscriber.
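Added example (not from the cram sheet or any vendor code): the four-message discovery exchange above, with both the client and the access concentrator modelled in Python. It shows the two checks that matter for the security of this stage: the client ties PADO and PADS to its own PADI via the Host-Uniq tag and can pin the expected AC-Name, and the concentrator issues a stateless HMAC-based AC-Cookie that the PADR must echo back, refusing the request (a PADS with session ID 0) otherwise. The MAC addresses, AC name, and cookie key are constructed.

```python
"""PPPoE discovery stage (RFC 2516): PADI -> PADO -> PADR -> PADS.
Added example, not from the ISCW sheet; MACs and keys are constructed."""
import hashlib, hmac, os, struct

ETH_DISCOVERY, BROADCAST = 0x8863, b"\xff" * 6
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_END, TAG_SERVICE, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE, TAG_ERROR = 0x0103, 0x0104, 0x0203


def build_frame(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE header (ver/type 0x11, code, session, length) + tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    payload += struct.pack("!HH", TAG_END, 0)
    hdr = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_DISCOVERY) + hdr + payload


def parse_frame(frame):
    """Decode a discovery frame; raises on wrong EtherType, version or truncation."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame")
    vt, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    payload = frame[20:20 + length]
    if vt != 0x11 or len(payload) != length:
        raise ValueError("bad PPPoE header or truncated payload")
    tags, i = {}, 0
    while i + 4 <= len(payload):
        t, n = struct.unpack("!HH", payload[i:i + 4])
        if t == TAG_END:
            break
        tags[t], i = payload[i + 4:i + 4 + n], i + 4 + n
    return {"dst": frame[:6], "src": frame[6:12], "code": code,
            "session_id": session_id, "tags": tags}


class AccessConcentrator:
    """Provider side. AC-Cookie = HMAC(client MAC): no per-PADI state is kept
    (the RFC's defence against PADI floods) and the PADR must echo it back."""

    def __init__(self, mac, name, cookie_key):
        self.mac, self.name, self.key, self.next_sid = mac, name, cookie_key, 1

    def _cookie(self, client_mac):
        return hmac.new(self.key, client_mac, hashlib.sha256).digest()[:8]

    def on_padi(self, frame):
        p = parse_frame(frame)
        if p["code"] != PADI or p["dst"] != BROADCAST:
            return None
        return build_frame(p["src"], self.mac, PADO, 0, [
            (TAG_SERVICE, b""), (TAG_AC_NAME, self.name),
            (TAG_AC_COOKIE, self._cookie(p["src"])),
            (TAG_HOST_UNIQ, p["tags"].get(TAG_HOST_UNIQ, b""))])  # echoed unchanged

    def on_padr(self, frame):
        p = parse_frame(frame)
        if p["code"] != PADR or p["dst"] != self.mac:
            return None
        if p["tags"].get(TAG_AC_COOKIE) != self._cookie(p["src"]):
            # Refuse: session ID 0 plus an error tag, as RFC 2516 prescribes
            return build_frame(p["src"], self.mac, PADS, 0, [(TAG_ERROR, b"bad cookie")])
        sid, self.next_sid = self.next_sid, self.next_sid + 1
        return build_frame(p["src"], self.mac, PADS, sid, [
            (TAG_SERVICE, b""), (TAG_HOST_UNIQ, p["tags"].get(TAG_HOST_UNIQ, b""))])


class Client:
    """Subscriber side. Host-Uniq ties replies to our PADI; expected_ac pins the
    AC-Name so an offer from a rogue concentrator on the segment is ignored."""

    def __init__(self, mac, expected_ac=None):
        self.mac, self.expected_ac, self.host_uniq = mac, expected_ac, os.urandom(8)
        self.ac_mac = self.session_id = None

    def padi(self):
        return build_frame(BROADCAST, self.mac, PADI, 0,
                           [(TAG_SERVICE, b""), (TAG_HOST_UNIQ, self.host_uniq)])

    def on_pado(self, frame):
        p = parse_frame(frame)
        if (p["code"] != PADO or p["dst"] != self.mac
                or p["tags"].get(TAG_HOST_UNIQ) != self.host_uniq
                or (self.expected_ac and p["tags"].get(TAG_AC_NAME) != self.expected_ac)):
            return None
        self.ac_mac = p["src"]
        return build_frame(self.ac_mac, self.mac, PADR, 0, [
            (TAG_SERVICE, b""), (TAG_HOST_UNIQ, self.host_uniq),
            (TAG_AC_COOKIE, p["tags"].get(TAG_AC_COOKIE, b""))])

    def on_pads(self, frame):
        p = parse_frame(frame)
        if p["code"] != PADS or p["src"] != self.ac_mac or p["session_id"] == 0:
            return False                          # session ID 0 means refused
        self.session_id = p["session_id"]
        return True


def run_discovery(expected_ac=b"isp-ac-1"):
    """Drive the exchange in-process; returns the session ID, or None if refused."""
    ac = AccessConcentrator(b"\x00\x11\x22\x33\x44\x55", b"isp-ac-1", b"cookie-key")
    client = Client(b"\x00\xaa\xbb\xcc\xdd\xee", expected_ac)
    padr = client.on_pado(ac.on_padi(client.padi()))
    if padr is None or not client.on_pads(ac.on_padr(padr)):
        return None
    return client.session_id
```

run_discovery() returns 1 for the honest exchange and None when the client is pinned to a different AC-Name; a PADR carrying a forged AC-Cookie is answered with a PADS whose session ID is 0, which the client treats as a refusal.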

       MPLS Terminology

          Label – Short, fixed-length identifier carried in the packet that
          identifies a FEC, i.e. a group of packets that are forwarded the same way.
         Label Stack – A set of labels attached to a packet header.
         Label Swap – Basic forwarding operation. Incoming label is looked at to
         determine outgoing label, encapsulation, port, and others.
         LSH (Label-switched Hop) – A hop between two MPLS nodes. All
         forwarding done by labels.
          LSP (Label-switched Path) – The path through one or more LSRs
          followed by a packet belonging to a particular FEC.
         LSR (Label Switching Router) – An MPLS node that is capable of
         forwarding label switched packets.
         MPLS Domain – A contiguous set of LSR’s in one routing or
         administrative domain.

  MPLS edge node – An MPLS node that connects to a neighboring node
  outside of its MPLS domain.
  MPLS Egress Node – An MPLS node that handles traffic leaving an
  MPLS domain.
  MPLS Ingress Node – An MPLS node that handles traffic entering an
  MPLS domain.
  MPLS Label – A label that is carried in a packet header and identifies the
  packet’s FEC.
  MPLS Node – A node running MPLS. Optionally can also forward native
  layer 3 packets.
  FEC (Forwarding Equivalence Class) – Roughly corresponds to a
  packet’s “next hop” within the MPLS domain. Two packets with different
  destinations can share a FEC at a router if they both have the same next
  hop. They share that FEC until they reach a router at which they must exit
  through different interfaces; packets sorted into the same FEC at one
  router may be sorted into separate FECs at a later router.
  PHP (Penultimate Hop Pop) – An LSR immediately before the
  destination edge LSR pops the label before sending it to the edge LSR.
  This saves time because the edge router then needs only to look at the
  network layer routing rather than first looking at and popping the label.

Router Switching Modes

  Process Switching – Slowest and most resource-intensive method.
  Each packet has to be looked up in the routing table individually.
  Cache-driven Switching (fast switching) – Once one packet has been looked
  up in the routing table, the result is cached so that subsequent packets to
  the same destination skip the full lookup.
  Topology-driven Switching – A FIB (Forwarding Information Base) is
  created and used for high-speed switching operations at layer 3 (CEF –
  Cisco Express Forwarding). The FIB acts as a shorthand reference so
  that the router can bypass the routing table and use its adjacency table,
  simply knowing which adjacent neighbor is next in the packet’s path is
  enough. Can take up a lot of processing and memory if the routing table
  is large.

MPLS Components

  LDP (Label Distribution Protocol) – Functions much like a routing
  protocol for sending Label information.
  RSVP (Resource Reservation Protocol) – Used by MPLS to allow
  reservation of bandwidth within the MPLS network for voice or other
  sensitive traffic.

           LFIB (Label Forwarding Information Base) – Stores label information
           gained from LDP and/or routing protocols. Essentially Label routing table.
           Part of the data plane.
           P Router – Router inside the provider network that does not have
           customer routers as neighbors.
           PE Router – Provider Edge router that interacts directly with CE routers.
           CE Router – Customer Edge router that interacts directly with PE routers.
            LIB (Label Information Base) – Part of the control plane; the database
            that LDP builds, mapping each IP prefix to the local label and to the
            labels received from next-hop neighbors.
           FIB (Forwarding Information Base) – Part of the data plane, stores
           database used for forwarding unlabeled IP packets created from a regular
           routing protocol. (IP routing table.) Each MPLS router creates its own
           LIB, FIB, and LFIB.
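Added example (not from the cram sheet): a small Python model of the tables above. PE1 holds a FIB that maps prefixes (FECs) to outgoing labels; P holds an LFIB keyed by incoming label. A packet is classified once at the ingress and then forwarded purely by label; when the egress has advertised implicit-null (label 3) the penultimate router pops instead of swapping (PHP). The prefixes, labels, and router names are constructed.

```python
"""MPLS label-stack entries and LSR forwarding (push, swap, PHP pop).
Added example, not from the ISCW sheet; the FIB/LFIB contents are constructed."""
import ipaddress
import struct

IMPLICIT_NULL = 3   # egress advertises this label to request penultimate-hop popping


def encode_entry(label, exp=0, bos=1, ttl=64):
    """One 32-bit shim entry: 20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def decode_stack(packet):
    """Return ([(label, exp, bos, ttl), ...], payload), reading entries until BoS is set."""
    entries, i = [], 0
    while True:
        word = struct.unpack("!I", packet[i:i + 4])[0]
        entries.append((word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF))
        i += 4
        if entries[-1][2]:
            return entries, packet[i:]


class LSR:
    def __init__(self, name):
        self.name = name
        self.fib = {}    # prefix -> (out_label or None, next_hop): for unlabeled IP
        self.lfib = {}   # in_label -> (out_label, next_hop): for labeled packets

    def route_ip(self, dst_ip, payload, ttl=64):
        """Ingress: classify by longest-prefix match (the FEC) and push that FEC's label."""
        dst = ipaddress.ip_address(dst_ip)
        matches = [p for p in self.fib if dst in p]
        if not matches:
            return None, "no route"
        out_label, next_hop = self.fib[max(matches, key=lambda p: p.prefixlen)]
        if out_label is None:                       # plain IP forwarding, no label
            return payload, next_hop
        return encode_entry(out_label, ttl=ttl) + payload, next_hop

    def switch(self, packet):
        """Label switching: look only at the top label; swap it or pop it (PHP)."""
        stack, payload = decode_stack(packet)
        label, exp, bos, ttl = stack[0]
        if ttl <= 1:
            return None, "ttl expired"
        if label not in self.lfib:
            return None, "unknown label"             # never fall back to an IP lookup
        out_label, next_hop = self.lfib[label]
        rest = b"".join(encode_entry(*e) for e in stack[1:])
        if out_label == IMPLICIT_NULL:                # PHP: egress gets a label-free packet
            return rest + payload, next_hop
        return encode_entry(out_label, exp, bos, ttl - 1) + rest + payload, next_hop


def build_topology():
    """CE -> PE1 (ingress) -> P -> PE2 (egress). PE2 advertised implicit-null for
    10.2.0.0/16, so P pops; for the 10.3.x prefixes PE2 wants a real label, so P swaps."""
    pe1, p = LSR("PE1"), LSR("P")
    pe1.fib = {ipaddress.ip_network("10.2.0.0/16"): (20, "P"),
               ipaddress.ip_network("10.3.0.0/16"): (21, "P"),
               ipaddress.ip_network("10.3.1.0/24"): (22, "P")}   # more specific FEC
    p.lfib = {20: (IMPLICIT_NULL, "PE2"), 21: (31, "PE2"), 22: (32, "PE2")}
    return pe1, p


def trace(dst_ip, payload=b"ip-packet"):
    """Run one packet through PE1 then P and report what P sends on to PE2."""
    pe1, p = build_topology()
    labeled, hop = pe1.route_ip(dst_ip, payload)
    if labeled is None:
        return hop
    out, hop = p.switch(labeled)
    if out is None:
        return hop
    return "unlabeled" if out == payload else "label %d" % decode_stack(out)[0][0][0]
```

Two destinations inside 10.3.0.0/16 get the same label at PE1 (they are one FEC), while 10.3.1.0/24 is a separate, more specific FEC with its own label; P never looks at the IP header at all.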

IPsec Overview

        IPsec Features

            Data Confidentiality – Data is kept private between the endpoints of the
            VPN using encryption, such as DES, 3DES, or AES. (Optional, but common.
            DES and 3DES are deprecated; use AES.)
            Data Integrity – Guarantee that data has not been altered in transit.
            Provided by a keyed hash (HMAC) such as SHA-1 or MD5; SHA-2 is
            preferred today.
            Data Origin Authentication – Ensures that the peers are who they claim
            to be. Performed by IKE (ISAKMP/Oakley) during Phase 1, using
            pre-shared keys, RSA signatures (certificates), or RSA encrypted nonces.
            Anti-replay – Ensures that a captured packet cannot be re-injected later.
            (Optional but common.) Provided by the sequence number in the AH or ESP
            header together with a sliding window at the receiver, which rejects
            duplicates and packets that fall behind the window; the integrity check
            stops an attacker from forging sequence numbers.
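Added example (not from the cram sheet) of how anti-replay actually works, in Python: a simplified ESP packet carrying an SPI, a sequence number and a truncated HMAC-SHA-256 ICV, and a receiver that applies the RFC 4303 sliding window. The order matters: the window is checked before the (expensive) ICV verification but only updated after it, so a forged packet with a high sequence number cannot shift the window. The SPI, key, and traffic sequence are constructed.

```python
"""ESP-style anti-replay: sequence number + sliding window + integrity check.
Added example, not from the ISCW sheet. The packet format is a simplified ESP
(SPI, sequence number, payload, truncated HMAC-SHA-256 ICV); keys are constructed."""
import hashlib
import hmac
import struct

ICV_LEN = 16                     # 128-bit truncated ICV, as RFC 4868 does for SHA-256


def build_packet(spi, seq, payload, key):
    """Sender side: the ICV covers SPI, sequence number and payload, so a forger
    cannot bump the sequence number to slide the receiver's window."""
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + payload + icv


class ReplayWindow:
    """Sliding window per RFC 4303 3.4.3: 'top' is the highest sequence number
    accepted; bit i of the bitmap marks sequence number top - i as seen."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq):
        """True if seq is new and inside the window (does not record it yet)."""
        if seq == 0 or seq <= self.top - self.size:
            return False                       # never used / too old
        if seq > self.top:
            return True
        return not self.bitmap & (1 << (self.top - seq))

    def update(self, seq):
        """Record seq; called only after the ICV has verified."""
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class Receiver:
    def __init__(self, spi, key, window=64):
        self.spi, self.key, self.window = spi, key, ReplayWindow(window)

    def receive(self, packet):
        """RFC 4303 order: SPI lookup, cheap window check, ICV verify, then window update."""
        spi, seq = struct.unpack("!II", packet[:8])
        body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        if spi != self.spi:
            return None, "drop: unknown SPI"
        if not self.window.check(seq):
            return None, "drop: replayed or outside window"
        expect = hmac.new(self.key, packet[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expect, icv):
            return None, "drop: bad ICV"        # window untouched, so the real packet still fits
        self.window.update(seq)
        return body, "accept"


def demo():
    """Constructed traffic: in order, a replay, a large jump, a stale packet, a forgery."""
    key, spi = b"sa-integrity-key", 0x1000
    rx = Receiver(spi, key, window=64)
    results = []
    for seq, k in [(1, key), (2, key), (3, key), (2, key), (100, key),
                   (3, key), (101, b"attacker-key"), (101, key)]:
        results.append(rx.receive(build_packet(spi, seq, b"data", k))[1])
    return results
```

demo() accepts 1, 2, 3, drops the replayed 2, accepts the jump to 100, drops the now-stale 3 (more than 64 behind), drops the forged 101 on its bad ICV without touching the window, and then accepts the genuine 101.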

        IPsec Protocols

           IKE (Internet Key Exchange) – Provides the framework for exchanging
           security parameters and authentication keys securely over the internet in
           phase 1.
           ESP (Encapsulating Security Payload) – Provides the framework for
           encryption, integrity, authentication, and anti-replay. Uses Data
           Encryption Standard (DES), Triple Data Encryption Standard (3DES), and
           Advanced Encryption Standard (AES).
            AH (Authentication Header) – Provides data integrity, data origin
            authentication, and anti-replay, but no encryption; uses keyed hashes
            such as Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1) to
            detect tampering. Because AH also authenticates the outer IP header, any
            address rewrite by NAT breaks it, so ESP is used in nearly all
            deployments today and AH is rarely seen, alone or combined with ESP.

IPsec Modes

    Transport – The IPsec header is inserted between the original IP header
    and the transport-layer payload. The original IP header stays visible to
    points between the endpoints; only the transport layer and above are
    protected. Used host-to-host, or for GRE over IPsec where GRE already
    supplies the tunnel.

    Tunnel Mode – The entire original packet is encapsulated behind a new IP
    header, so the original addresses are hidden and only the IP addresses of
    the tunnel endpoints are visible. The default for site-to-site VPNs.

Internet Key Exchange (IKE)

    IKE Phase 1 – Mandatory IKE phase. A bidirectional ISAKMP SA (Security
    Association) is established between the IPsec peers, covering the
    Diffie-Hellman exchange and peer authentication. Two modes: Main Mode
    (six messages, peer identities protected; used for site-to-site tunnels)
    and Aggressive Mode (three messages, identities sent in the clear; used by
    Easy VPN). With pre-shared keys, Aggressive Mode exposes a hash of the PSK
    to anyone on the path, so it can be cracked offline.
    IKE Phase 1.5 – Optional IKE phase. Provides an additional layer of
    authentication called Xauth (Extended Authentication). Xauth forces the
    user to authenticate before the connection is granted.
    IKE Phase 2 – Second mandatory IKE phase. Negotiates the IPsec SAs under
    the protection of the Phase 1 SA, using Quick Mode. IPsec SAs are
    unidirectional, so a pair is created for each tunnel, each direction with
    its own keys; optional PFS runs a fresh Diffie-Hellman exchange so the
    Phase 2 keys are not derived solely from Phase 1 material.

GRE Over IPsec Characteristics

    GRE – Packets are encapsulated, but few security features are provided.
    Unlike plain IPsec, though, GRE carries multicast and routing-protocol
    traffic over the tunnel. Most often today the two are combined: GRE
    provides the tunnel interface over which routing protocols and multicast
    run, and IPsec encrypts it. This creates high packet overhead (GRE adds
    24 bytes, a new IP header plus the 4-byte GRE header, before IPsec adds
    its own).

IPsec High Availability Options

   Failover Strategies

       Stateless – Redundant IPsec tunnels provide primary and backup paths.
       Tunnel state is not shared between devices; traffic simply moves to the
       backup tunnel once the end-to-end path is detected as failed. Failure
       detection relies on DPD (Dead Peer Detection), an IGP (interior gateway
       protocol) running inside GRE over IPsec tunnels, or HSRP (Hot Standby
       Router Protocol).
       Stateful – Redundant, generally identical devices share IPsec SA state
       with each other so that the standby can take over existing tunnels
       without renegotiating them. Uses HSRP together with SSO (Stateful
       Switchover).

         Easy VPN Components

               Easy VPN Remote – the remote or “client” end of the Easy VPN
               connection. This is the “easy” part of Easy VPN: it needs no
               static IP address and minimal configuration, because policy is
               pushed from the server.
               Easy VPN Server – The “HQ” end of the VPN, which carries the bulk
               of the configuration. After IKE Phase 1 (Aggressive Mode with a
               group pre-shared key, optionally followed by Xauth) the server
               pushes the client’s address, DNS/WINS servers, split-tunnel list
               and other attributes to the remote through IKE mode configuration,
               and the tunnel then comes up.

Device Hardening

     Router Vulnerabilities


           Unnecessary Services and Interfaces – The largest category of
           vulnerabilities. Includes TCP and UDP small services and other services
           enabled by default that are generally not necessary.
           Management Services – Includes SNMP and DNS. These services
           should be disabled on any external interfaces or any on which they are not
           specifically required.
            Path Integrity Mechanisms – ICMP redirects and IP source routing.
            Redirects let a host on the segment alter the router’s idea of the best
            next hop, and source routing lets the sender dictate the path a packet
            takes; both give an attacker a way to steer traffic and map the network.
            Disable them on all outside interfaces and on any interface where they
            are not specifically required.
            Probes and Scans – Includes Finger and some ICMP features (unreachables,
            mask replies). These can be used for reconnaissance and should be
            disabled unless needed.
            Terminal Access Security – The IP identification (ident) service and
            TCP keepalives. The ident service leaks information and should be
            disabled. TCP keepalives, by contrast, should be enabled (service
            tcp-keepalives-in and tcp-keepalives-out) so that abandoned or
            half-open sessions are torn down instead of tying up vty lines.
            Gratuitous and Proxy ARP – Can be used to launch spoofing and DoS
            attacks. Both are enabled by default but are not likely to be needed
            in modern networks unless the router is acting as a layer 2 bridge.

  AutoSecure – command-line tool that automatically disables all these
  vulnerabilities, enables firewall inspection and CEF, implements logging and
  NTP, restricts access to SSH and prevents TCP SYN-flooding attacks as well
  as configures a security banner and prompts for secure passwords…all with
  just the auto secure command.

  SDM Security Audit Wizard – Displays a list of these vulnerabilities with the
  option to disable them, as well as allows the user to configure inside and
  outside interfaces for firewall purposes.

  SDM One-Step Lockdown Wizard – Tool in SDM similar to the auto secure
  command in the CLI.

Securing Administrative Access

  Passwords – Set strong, complex passwords and also use ACL’s to restrict
  access to management interfaces. A password policy including minimum
  length, expiration, etc should be implemented.
  Login Limitations – Lock out users after a certain number of failed login
  attempts and/or log the failure. You can also configure a delay, or quiet mode
  which will allow access from an ACL only when it is locked.
  Password Encryption – Use “enable secret” rather than “enable password”:
  the secret is stored as a salted MD5 hash (type 5), which cannot be
  reversed, whereas the enable, console, aux, and vty passwords are stored in
  cleartext (type 0) by default. The “service password-encryption” command
  converts those cleartext passwords to type 7, but type 7 is a fixed-key XOR
  obfuscation that is trivially reversible, so treat any config containing
  type 7 strings as if it contained the plaintext. Individual logins with a
  “secret” password are the better choice, and on IOS versions that support
  them, type 8 (PBKDF2-SHA-256) or type 9 (scrypt) secrets are stronger than
  type 5.
  Multiple Privilege Levels – Use the built-in privilege levels 1-15 to give
  individual users only the access they require, or map commands to specific
  privilege levels.
  Role-Based CLI – Enable different “views” for different users so that only the
  commands they are authorized to use will show up as available.
  The “Duh” Stuff – Configure a legally secure banner on all devices,
  physically secure all devices, set minimum password lengths, remember that
  telnet and tftp are cleartext, etc.
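Added example serving both the Router Vulnerabilities and Securing Administrative Access lists above (not from the cram sheet or from Cisco): a Python audit script that scans a running-config for the default-on services, for interfaces missing “no ip redirects” / “no ip proxy-arp”, for telnet on vty lines, and for cleartext or type 7 passwords. It decodes type 7 strings with the well-known fixed key to show why “service password-encryption” is not protection. The sample config is constructed; the type 5 hash in it is a placeholder, not a real digest.

```python
"""Audit a Cisco IOS running-config for the hardening items in this section.
Added example, not from the ISCW sheet. The config below is constructed, not
from any real device; the checks mirror what AutoSecure / One-Step Lockdown change."""
import re

# The fixed key IOS uses for 'password 7' obfuscation; it is public and reversible.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc):
    """'password 7' = two decimal digits (key offset) + hex of (byte XOR key[offset+i])."""
    offset, data = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


GLOBAL_CHECKS = [   # (regex applied to a global config line, finding)
    (r"^service (tcp|udp)-small-servers", "TCP/UDP small servers (echo, chargen, discard) enabled"),
    (r"^ip source-route", "IP source routing enabled"),
    (r"^(ip|service) finger", "finger service enabled"),
    (r"^ip identd", "ident service enabled"),
    (r"^snmp-server community (public|private)\b", "default SNMP community string"),
    (r"^no service password-encryption", "line/username passwords stored in cleartext"),
    (r"^enable password ", "enable password (reversible) used instead of enable secret"),
]

PASSWORD_RE = re.compile(r"^(?:username (\S+) )?password (?:(\d) )?(\S+)$")


def password_finding(where, line):
    """Flag type 0 (cleartext) and type 7 (reversible) passwords, showing the recovered value."""
    m = PASSWORD_RE.match(line)
    if not m:
        return None
    user, ptype, value = m.groups()
    plain = decode_type7(value) if ptype == "7" else value
    label = f"user {user}" if user else where
    return f"{label}: recoverable password {plain!r} (type {ptype or '0'}); use 'secret'"


def audit(config):
    """Return a list of findings; interface and line blocks are checked separately."""
    findings, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
            continue
        current, line = None, raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
            continue
        findings += [msg for pat, msg in GLOBAL_CHECKS if re.match(pat, line)]
        f = password_finding("global", line)
        if f:
            findings.append(f)
    for name, lines in blocks.items():
        if name.startswith("interface"):
            # Both are on by default; absence of the 'no' form means still enabled
            if "no ip redirects" not in lines:
                findings.append(f"{name}: ICMP redirects enabled")
            if "no ip proxy-arp" not in lines:
                findings.append(f"{name}: proxy ARP enabled")
        else:
            if any(l in ("transport input telnet", "transport input all") for l in lines):
                findings.append(f"{name}: telnet allowed; use 'transport input ssh'")
            findings += [f for f in (password_finding(name, l) for l in lines) if f]
    return findings


SAMPLE_CONFIG = """\
service tcp-small-servers
no service password-encryption
hostname edge-rtr
enable password cisco123
username admin password 7 0822455D0A16
username ops secret 5 $1$Qt7F$CONSTRUCTEDPLACEHOLDERHASH
ip source-route
ip finger
snmp-server community public RO
interface FastEthernet0/0
 description outside
 ip address 203.0.113.2 255.255.255.0
interface FastEthernet0/1
 description inside
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
line vty 0 4
 password 7 094F471A1A0A
 transport input telnet
 login
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample config the script recovers “cisco” from both type 7 strings, flags the outside interface for redirects and proxy ARP while the hardened inside interface is clean, and reports the telnet vty line; the type 5 “secret” line is not flagged because it is not reversible.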

AAA to Secure and Scale Access

  TACACS+ vs. Radius

      RADIUS – Multi-vendor standard that allows centralized management of
      Authentication, Authorization, and Accounting for multiple platforms. Uses
      UDP (ports 1812/1813, or the older 1645/1646) and encrypts only the
      password field of the Access-Request; the rest of the packet, including
      the username, is sent in the clear. Combines authentication and
      authorization into a single request, so this information must be on the
      same server. Does not limit what commands a user can issue on a network
      device; it only grants or denies access.

      TACACS+ – Uses TCP (port 49) for greater reliability and scalability. The
      entire packet body is encrypted, authentication and authorization are
      separate exchanges and can be handled by separate servers, it provides
      multiprotocol support, and it allows admins to specify the commands or
      privilege modes available to each user (command authorization). Designed
      by Cisco for Cisco equipment.

IOS Firewall Features – Beyond Static ACLs

   Stateful Packet Filtering – Allows a firewall to be knowledgable of the “state”
   of a connection, opening ports as needed and closing them once they are
   finished so that ports do not need to be constantly left open or manually
   closed. Generally only connections initiated from the inside interface are
   allowed to open connections to the outside.
   Proxy Firewalls – Stand between an inside host and the outside and make
   requests on behalf of the inside host. The inside host is never directly
   exposed. Common for web traffic so that it can be monitored and filtered. To
   the outside, all requests appear to come from the proxy firewall.


   IDS – Sits outside the path of active network traffic and has copies of the
   traffic sent to it. It creates alerts whenever it determines that a series of
   packets may be a threat. It can actively configure other devices to block or
   quarantine these packets, but cannot itself block any packets.

   IPS – Sits directly in the path of active network traffic and can both alert and
   block packets itself and stop an attack.

   HIPS or HIDS – A software-based IDS or IPS system protecting a single
   server or host.

   NIPS or NIDS – Network-based IDS or IPS.

   Types of IPS/IDS –

       Signature-based – Cisco’s preferred solution. Uses attack signatures
       that identify known patterns of attacks; the signature set is updated
       regularly and downloaded to the device. Can have problems detecting
       zero-day attacks, for which no signature exists yet.
       Policy-based – Uses rules the administrator defines to identify traffic
       that strays outside set norms or that matches known malicious patterns.
       Additional policies can be configured.
       Anomaly-Based – Used by MARS and others. The system “learns” what
       normal network behavior looks like and then alerts or takes action when
       behavior differs from that baseline. Works well in smaller networks, but
       “normal” can be difficult to define in larger networks, which leads to
       false positives.
