Concepts For Interview

This document serves as a basic reference for interview preparation on networking concepts, including the OSI model, DNS, DHCP, and differences between networking devices like hubs, switches, and routers. It provides links for further exploration and outlines key protocols such as TCP and UDP, emphasizing their characteristics and differences. Candidates are encouraged to delve deeper into these topics for a comprehensive understanding.

Uploaded by bariyaseen96

CONCEPTS FOR INTERVIEW

This material is only for basic reference; candidates need to explore the mentioned topics in more depth and self-explore further topics if required for the interview.

- By Md Abdul Bari

Please reach out for any changes and suggestions.
Note: Use the Navigation Pane to access topics easily using the dropdowns.
IPv4 questions:
https://www.geeksforgeeks.org/top-50-ip-addressing-interview-questions-and-answers/
Network:
http://networkerinterview.net/entries/bgp/border-gateway-protocol-ccnp
Firewall, gateway:
http://networkerinterview.net/entries/asa-firewall/asa-firewall-interview-questions-and-answers
https://www.sevenmentor.com/asa-interview-questions-answers
NETWORKING
OSI MODEL
OSI stands for Open Systems Interconnection. It was developed by ISO (the International Organization for Standardization) in 1984. It is a 7-layer architecture, with each layer having a specific function to perform. All 7 layers work together to transmit data from one user to another across the globe.
Why do we need the OSI model?
Ans) To facilitate interoperability between diverse devices and applications, the OSI model divides computing functions into a universal set of rules and standards.
https://www.youtube.com/watch?v=vv4y_uOneC0
https://www.imperva.com/learn/application-security/osi-model/
https://www.geeksforgeeks.org/layers-of-osi-model/
https://www.geeksforgeeks.org/this-is-exactly-why-we-still-use-the-osi-model-when-we-have-tcp-ip-model/

Domain Name System

- Domain Name System (DNS) is a hostname-to-IP-address translation service.
- It is an application layer protocol for message exchange between clients and servers. It is required for the functioning of the Internet.
- Every host is identified by an IP address, but remembering numbers is very difficult for people. Also, IP addresses are not static, so a mapping is required from the domain name to the IP address. DNS is used to convert the domain name of a website to its numerical IP address.
Working:
- The client machine sends a request to the local name server (resolver server). If the resolver does not find the address in its cache, it sends a request to the root name server, which in turn routes the query to a top-level domain (TLD) or authoritative name server.
- The root name server can also contain some hostname-to-IP-address mappings.
- The top-level domain (TLD) server always knows who the authoritative name server is.
- Finally, the IP address is returned to the local name server, which in turn returns the IP address to the host.
- The resolver server now stores the domain name with its IP address for faster results next time.
Source:
https://www.youtube.com/watch?v=mpQZVYPuDGU
https://www.youtube.com/watch?v=JkEYOt08-rU ( deeper explanation)
https://www.geeksforgeeks.org/domain-name-system-dns-in-application-layer/
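The lookup sequence above (resolver asks root, follows the referral to the TLD server, then to the authoritative server, then caches the answer), as an added simulation that is not part of the original document. The server names, zones and IP addresses are constructed sample data, not real DNS infrastructure.

```python
"""Simulated iterative DNS resolution with a caching resolver.
Constructed sample data: each server either delegates a zone to another
server (a referral) or answers for names it is authoritative for."""

SERVERS = {
    "root": {"delegations": {"com.": "tld-com", "org.": "tld-org"}, "answers": {}},
    "tld-com": {"delegations": {"example.com.": "ns-example"}, "answers": {}},
    "tld-org": {"delegations": {"example.org.": "ns-example-org"}, "answers": {}},
    "ns-example": {
        "delegations": {},
        "answers": {"www.example.com.": "203.0.113.10", "mail.example.com.": "203.0.113.25"},
    },
    "ns-example-org": {"delegations": {}, "answers": {"www.example.org.": "198.51.100.7"}},
}


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def _suffixes(name):
    """'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.']
    (most specific zone first, so the closest delegation wins)."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


class Resolver:
    """The 'local name server' of the text: iterates from root, caches results."""

    def __init__(self):
        self.cache = {}          # name -> IP, filled after a successful lookup
        self.queries_sent = 0    # how many servers we had to ask

    def resolve(self, name):
        name = _fqdn(name)
        if name in self.cache:
            return self.cache[name], ["cache"]
        server, trace = "root", []
        while True:
            if server in trace:
                raise LookupError(f"referral loop at {server}")
            trace.append(server)
            self.queries_sent += 1
            data = SERVERS[server]
            if name in data["answers"]:            # authoritative answer
                self.cache[name] = data["answers"][name]
                return self.cache[name], trace
            for zone in _suffixes(name):            # otherwise follow a referral
                if zone in data["delegations"]:
                    server = data["delegations"][zone]
                    break
            else:
                raise LookupError(f"NXDOMAIN: {name} (no answer or referral at {server})")
```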
DHCP
ABOUT DHCP:
Dynamic Host Configuration Protocol (DHCP) is an application layer protocol which is used to provide:

1. Subnet Mask (Option 1 – e.g., 255.255.255.0)
2. Router Address (Option 3 – e.g., 192.168.1.1)
3. DNS Address (Option 6 – e.g., 8.8.8.8)
4. Vendor Class Identifier (Option 43 – e.g., ‘unifi’ = 192.168.1.9, where unifi = controller)
DHCP is based on a client-server model and on the discover, offer, request and ACK exchange. The DHCP port number for the server is 67 and for the client is 68. It is a client-server protocol which uses UDP. IP addresses are assigned from a pool of addresses. In DHCP, the client and the server exchange mainly 4 DHCP messages in order to make a connection (also called the DORA process), but there are 8 DHCP message types overall.

DORA PROCESS:
What happens when a DHCP client requests an IP address from a DHCP server?
Some messages are exchanged between the DHCP server and the client. This process is divided into four steps:
1. DHCP DISCOVER: When a DHCP client first boots up, it broadcasts a DHCP Discover message. This message goes from the DHCP client to the DHCP server, to find the DHCP server on the local network.
2. DHCP OFFER: If a DHCP server exists on the local segment, it responds with a DHCP Offer. This message goes from the DHCP server to the DHCP client, to offer the IP parameters, which contain the IP address, subnet mask, etc.
3. DHCP REQUEST: Once the client receives the offer, it responds with a DHCP Request, indicating that it will accept the offered protocol information. This message goes from the DHCP client to the DHCP server, requesting the offered IP parameters.
4. DHCP ACK: Finally, the server responds with a DHCP Ack, acknowledging the client's acceptance of the offered protocol information. This message goes from the DHCP server to the DHCP client, confirming that it may use the offered IP parameters. This process is also known as the DORA process.
DHCP is a UDP service and uses two UDP port numbers for its operations: the DHCP server uses UDP port 67 and the DHCP client uses UDP port 68. Using port numbers prevents an application from receiving a message from a completely different protocol. If the client and server are on different subnets, a DHCP helper or DHCP relay agent must be used. Other than dynamically assigning IP addresses to client machines, DHCP can also provide various other parameters (DHCP options) to client machines, such as time zone information, boot arguments/paths, NTP servers, static routes and the host name of the client, which is very useful for IoT and any device without a user.
Source : https://www.youtube.com/watch?v=kS42C3vqFco
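An added example, not from the original document, that builds a DHCP OFFER as the server would send it on UDP port 67/68 and parses it back out, extracting the message type (option 53) and the options 1, 3 and 6 listed above. The transaction ID, MAC and addresses are constructed sample values.

```python
"""Build and parse DHCP messages (RFC 2131 fixed header + RFC 2132 options)."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of the options field
SERVER_PORT, CLIENT_PORT = 67, 68           # UDP ports from the text above
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip(raw):
    return socket.inet_ntoa(raw)


def build_offer(xid, client_mac, yiaddr, mask, router, dns_servers, server_id, lease):
    """Construct a DHCP OFFER (op=2, BOOTREPLY) carrying options 1, 3, 6, 51, 53, 54."""
    # op, htype(1=Ethernet), hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
    # chaddr(16), sname(64), file(128)  -> 236 bytes in total
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,
        b"\x00" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server_id), b"\x00" * 4,
        client_mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,
    )
    options = b"".join([
        bytes([53, 1, 2]),                                          # message type: OFFER
        bytes([1, 4]) + socket.inet_aton(mask),                     # subnet mask
        bytes([3, 4]) + socket.inet_aton(router),                   # router
        bytes([6, 4 * len(dns_servers)]) + b"".join(socket.inet_aton(d) for d in dns_servers),
        bytes([51, 4]) + struct.pack("!I", lease),                  # lease time (seconds)
        bytes([54, 4]) + socket.inet_aton(server_id),               # server identifier
        b"\xff",                                                    # end option
    ])
    return header + MAGIC_COOKIE + options


def parse_dhcp(data):
    """Decode the fixed header and walk the tag/length/value options safely."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", data[:12])
    msg = {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "broadcast_flag": bool(flags & 0x8000),
        "ciaddr": _ip(data[12:16]), "yiaddr": _ip(data[16:20]),
        "siaddr": _ip(data[20:24]), "giaddr": _ip(data[24:28]),
        "chaddr": ":".join(f"{b:02x}" for b in data[28:28 + min(hlen, 16)]),
        "options": {},
    }
    i = 240
    while i < len(data):
        tag = data[i]
        if tag == 0:                 # pad
            i += 1
            continue
        if tag == 255:               # end
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {tag}")
        msg["options"][tag] = value
        i += 2 + length
    opts = msg["options"]
    if 53 in opts:
        msg["type"] = MSG_TYPES.get(opts[53][0], f"unknown({opts[53][0]})")
    if 1 in opts:
        msg["subnet_mask"] = _ip(opts[1])
    if 3 in opts:
        msg["router"] = _ip(opts[3])
    if 6 in opts:
        msg["dns"] = [_ip(opts[6][k:k + 4]) for k in range(0, len(opts[6]), 4)]
    if 51 in opts:
        msg["lease_seconds"] = struct.unpack("!I", opts[51])[0]
    if 54 in opts:
        msg["server_id"] = _ip(opts[54])
    return msg
```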
IMPORTANT PORT
Hub
In the context of networking, a hub is a hardware device that transfers communication data. A hub transmits data packets (frames) to all devices on a network, regardless of which MAC address the frame is addressed to.
A hub has many ports, and a computer which intends to be connected to the network is plugged into one of these ports. When a data frame arrives at a port, the hub broadcasts it to every other port, without considering whether it is destined for a particular destination or not. So hubs can create network congestion.
A switch differs from a hub in that it keeps track of the MAC addresses of all connected devices. As a result, a switch can tell which device or system is plugged into which port. When a frame is received, the switch knows exactly which port it should be sent to.
A 10/100 Mbps switch, unlike a hub, will deliver the full 10/100 Mbps to each of its ports, ensuring that users always have access to the maximum bandwidth, a significant benefit of a switch over a hub.
Network hubs, passive, intelligent, and switching hubs are all standard hubs used in networking.
- Network Hubs: These are popular network device connection points that connect parts of a LAN (local area network) and may contain several ports, each an interface for connecting network devices, including printers, storage devices, workstations, and servers. A data packet arriving at one hub port may be replicated to the other ports, allowing the data packet to be accessed by all network segments.
- Passive Hubs: Passive hubs act as conduits or channels for data to travel from one device or network segment to another.
- Intelligent Hubs: Also called managed hubs, they allow system administrators to monitor data flow and configure each port, allowing them to determine which devices or network segments are connected to each port. Some ports may be left open even if there is no connection.
- Switching Hubs: These hubs are responsible for reading the properties of each data unit. After that, the data is transmitted to the proper or intended port.

Switch
A switch is a networking device which provides the facility to share information and resources by connecting different network devices, such as computers, printers, and servers, within a small business network.
Types of Switch
There are mainly two types of switches in the network:
o Unmanaged Switches
Unmanaged switches are mainly used for basic connectivity. They are mostly used in small networks or wherever only a few more ports are required, such as at home, in a lab, or in a conference room. Unmanaged switches need no configuration: just plug them in and they work.
o Managed Switches
Managed switches are more secure than unmanaged switches and provide other features and flexibility, because we can configure them to custom-fit our network. Hence we have greater control, can better protect our network, and can improve service quality for those who access the network.
Working of switch:
When a device sends an IP packet to another device, the packet is encapsulated in a frame carrying the source MAC address and the destination MAC address, and the frame is sent to the switch. The switch forwards the frame only out of the port whose device matches the destination MAC address. When the frame reaches the destination device, the frame header is stripped and the device receives the IP packet.

Advantages of Switch
o It enhances the available bandwidth of the network.
o It can be directly connected to workstations or devices.
o It enhances the performance of the network.
o Networks with switches have fewer frame collisions, because each switch port is its own collision domain.
o It helps in reducing the workload on individual hosts such as PCs.
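The forwarding difference just described, as an added simulation that is not part of the original document: a hub repeats every frame on every other port, while a switch learns source MACs into its CAM table and forwards known unicast to a single port. The per-port MAC limit is an assumed stand-in for the port-security feature this page mentions later.

```python
"""Hub flooding versus switch MAC learning (constructed frames, no real traffic)."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Physical-layer repeater: a frame arriving on one port goes out all others."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return [p for p in self.ports if p != in_port]


class Switch:
    """Data-link switch: learns source MAC -> port in its CAM table, forwards
    known unicast to one port, floods unknown unicast and broadcast."""

    def __init__(self, ports, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = {}                          # MAC -> port
        self.max_macs_per_port = max_macs_per_port
        self.violations = defaultdict(int)     # port -> dropped frames

    def _macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def forward(self, in_port, src_mac, dst_mac):
        if src_mac not in self.cam:
            # new MAC: learn it, unless the port already holds its allowed number
            if (self.max_macs_per_port is not None
                    and self._macs_on(in_port) >= self.max_macs_per_port):
                self.violations[in_port] += 1
                return []                      # drop: port-security violation
            self.cam[src_mac] = in_port
        elif self.cam[src_mac] != in_port:
            self.cam[src_mac] = in_port        # station moved: refresh the entry
        if dst_mac != BROADCAST and dst_mac in self.cam:
            out_port = self.cam[dst_mac]
            return [] if out_port == in_port else [out_port]   # same port: filter
        return [p for p in self.ports if p != in_port]          # unknown/broadcast: flood


def run(device, frames):
    """Replay (in_port, src_mac, dst_mac) frames; return the egress ports for each."""
    return [device.forward(*frame) for frame in frames]
```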

ROUTER
o Within a home or office, we have various networked devices such as PCs, tablets, printers, etc., and with a router these devices can be connected to the internet and form a network. A router first connects the modem to the other devices to allow communication between these devices and the internet.
o A router routes/transmits data packets with a defined IP address from one network to another or within a network. It does this by providing a local IP address to each device; it ensures the right destination so that data reaches the right place rather than getting lost within the network.
o It finds the best and fastest path and then sends data packets along that path to the devices connected within the network.
o It works like a delivery package with a defined address, reaching the right recipient only.

 Types of Router
There are mainly two types of the router, which are given below:

1. Wireless Router
o Wireless routers are the most commonly used routers in offices and homes, as they don't need any wire or cable to connect to networking devices.
o It provides a secure connection, and only authenticated users can access the network using the ID & password.
o Using a wireless router, the internet can be accessed by any number of users within the specified range.

2. Wired Router/Broadband Router
o As its name suggests, it requires a wire or cable to connect to the network devices.
o Such routers are mostly used in schools or small offices to connect the PCs with an Ethernet cable.
o It also has a Wi-Fi access point, and a mobile phone can be connected to it using VoIP (Voice over Internet Protocol) technology.
o It is connected to ADSL modems to take the transmitted data from the modem and distribute it to the further network.

Advantages of Router
o Wireless routers are widely used and let most networking devices connect easily at any time, without the worry of a bunch of wires.
o It can connect to different network architectures, such as Ethernet cable, Wi-Fi, or WLAN.
o It provides highly secure network access with password protection.
o It reduces network traffic with the help of the collision feature.
o It delivers data packets to the correct destination by the best route, using the routing table and its intelligence.
Difference between switch and router

Switch: It connects multiple networked devices in the network.
Router: It connects multiple switches & their corresponding networks.

Switch: It works on the data link layer of the OSI model.
Router: It works on the network layer of the OSI model.

Switch: It is used within a LAN.
Router: It can be used in a LAN or MAN.

Switch: A switch cannot perform NAT (Network Address Translation).
Router: A router can perform Network Address Translation.

Switch: The switch takes more time while making complicated routing decisions.
Router: A router can take a routing decision much faster than a switch.

Switch: It provides only port security.
Router: It provides security measures to protect the network from security threats.

Switch: It comes in the category of semi-intelligent devices.
Router: It is known as an intelligent network device.

Switch: It works in either half- or full-duplex transmission mode.
Router: It works in full-duplex transmission mode. However, we can change it manually to work in half-duplex mode.

Switch: It sends information from one device to another in the form of frames (for an L2 switch) or packets (for an L3 switch).
Router: It sends information from one network to another network in the form of data packets.

Switch: Switches can only work with the wired network.
Router: Routers can work with both wired & wireless networks.

Switch: Switches are available with different port counts, such as 8, 16, 24, 48, and 64.
Router: A router contains two ports by default, such as Fast Ethernet ports. But we can also add serial ports explicitly.

Switch: It uses the CAM (Content Addressable Memory) table for the source and destination MAC address.
Router: It uses the routing table to get the best route for the destination IP.

Important links:
https://www.javatpoint.com/switch-vs-router
https://www.tutorialspoint.com/difference-between-router-and-switch#
Difference between Hub and Switch
The following table highlights the major differences between a Hub and a Switch:

Objective
  Hub: The main objective of a hub is to transmit the signal to a port, which will respond to where the signal was received.
  Switch: A switch allows you to set up and terminate connections as needed.

Layer
  Hub: Hubs operate at the Physical Layer.
  Switch: Switches function at the Data Link Layer.

Transmission Type
  Hub: Hubs use broadcast type transmission.
  Switch: Switches use unicast, multicast as well as broadcast type transmission.

Ports
  Hub: A hub can have a maximum of 4 ports.
  Switch: A switch can have 8 to 64 ports.

Collision Domain
  Hub: There is only one collision domain in a hub.
  Switch: In a switch, each port has its own collision domain.

Packet Filtering
  Hub: Hubs do not provide packet filtering.
  Switch: Switches provide packet filtering.

Transmission Mode
  Hub: A hub uses half-duplex transmission mode.
  Switch: A switch uses full-duplex transmission mode.

Important links:
https://www.tutorialspoint.com/difference-between-hub-and-switch
https://www.youtube.com/watch?v=ck3gx9HB9-k (Broadcast domain & Collision Domain Explained)

ARP & RARP

https://www.youtube.com/watch?v=jQerVWxOGMc
TCP Vs UDP:

Type of Service
  TCP: TCP is a connection-oriented protocol. Connection-orientation means that the communicating devices should establish a connection before transmitting data and should close the connection after transmitting the data.
  UDP: UDP is the datagram-oriented protocol. This is because there is no overhead for opening a connection, maintaining a connection, and terminating a connection. UDP is efficient for broadcast and multicast types of network transmission.

Reliability
  TCP: TCP is reliable as it guarantees the delivery of data to the destination router.
  UDP: The delivery of data to the destination cannot be guaranteed in UDP.

Error checking mechanism
  TCP: TCP provides extensive error-checking mechanisms. This is because it provides flow control and acknowledgment of data.
  UDP: UDP has only the basic error checking mechanism using checksums.

Acknowledgment
  TCP: An acknowledgment segment is present.
  UDP: No acknowledgment segment.

Sequence
  TCP: Sequencing of data is a feature of Transmission Control Protocol (TCP). This means that packets arrive in order at the receiver.
  UDP: There is no sequencing of data in UDP. If the order is required, it has to be managed by the application layer.

Speed
  TCP: TCP is comparatively slower than UDP.
  UDP: UDP is faster, simpler, and more efficient than TCP.

Retransmission
  TCP: Retransmission of lost packets is possible in TCP, but not in UDP.
  UDP: There is no retransmission of lost packets in the User Datagram Protocol (UDP).

Header Length
  TCP: TCP has a (20-60) bytes variable-length header.
  UDP: UDP has an 8 bytes fixed-length header.

Weight
  TCP: TCP is heavy-weight.
  UDP: UDP is lightweight.

Handshaking Techniques
  TCP: Uses handshakes such as SYN, ACK, SYN-ACK.
  UDP: It's a connectionless protocol, i.e. no handshake.

Broadcasting
  TCP: TCP doesn't support broadcasting.
  UDP: UDP supports broadcasting.

Protocols
  TCP: TCP is used by HTTP, HTTPS, FTP, SMTP and Telnet.
  UDP: UDP is used by DNS, DHCP, TFTP, SNMP, RIP, and VoIP.

Stream Type
  TCP: The TCP connection is a byte stream.
  UDP: The UDP connection is a message stream.

Overhead
  TCP: Low, but higher than UDP.
  UDP: Very low.

Important link:
https://www.geeksforgeeks.org/differences-between-tcp-and-udp/
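An added example, not from the original document, that makes two rows of the table concrete: the TCP header's data-offset field (giving a 20 to 60 byte header) versus UDP's fixed 8-byte header, and UDP's checksum as its only error check. The ports, sequence numbers, addresses and payload are constructed sample values.

```python
"""Parse constructed TCP and UDP headers and verify a UDP checksum."""
import socket
import struct

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def parse_tcp(segment):
    """Decode a TCP header; the data offset field gives the real header length."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4            # data offset is counted in 32-bit words
    if not 20 <= header_len <= 60 or header_len > len(segment):
        raise ValueError(f"invalid TCP data offset ({header_len} bytes)")
    flags = off_flags & 0x01FF
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": [name for bit, name in sorted(TCP_FLAG_BITS.items()) if flags & bit],
        "window": window, "checksum": csum, "urgent": urg,
        "options": segment[20:header_len],        # anything past the 20 fixed bytes
        "payload": segment[header_len:],
    }


def ones_complement_checksum(data):
    """Internet checksum (RFC 1071): sum 16-bit words, fold carries, complement."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip, dst_ip, datagram):
    """UDP checksum over the IPv4 pseudo-header plus the datagram with a zeroed checksum."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 17, len(datagram)))      # zero, protocol 17, length
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    return ones_complement_checksum(pseudo + zeroed) or 0xFFFF  # a computed 0 is sent as 0xFFFF


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """8-byte header (src port, dst port, length, checksum) followed by the payload."""
    length = 8 + len(payload)
    datagram = struct.pack("!HHHH", sport, dport, length, 0) + payload
    return datagram[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, datagram)) + payload


def parse_udp(src_ip, dst_ip, datagram):
    if len(datagram) < 8:
        raise ValueError("UDP header is 8 bytes")
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError(f"bad UDP length field {length}")
    # checksum 0 means "not computed" on IPv4; anything else must verify
    ok = True if csum == 0 else udp_checksum(src_ip, dst_ip, datagram[:length]) == csum
    return {"sport": sport, "dport": dport, "length": length,
            "checksum_ok": ok, "payload": datagram[8:length]}


def sample_tcp_syn():
    """Constructed SYN: data offset 6 => 24-byte header (20 fixed + 4-byte MSS option)."""
    mss_option = bytes([2, 4]) + struct.pack("!H", 1460)
    return struct.pack("!HHIIHHHH", 40000, 443, 1000, 0, (6 << 12) | 0x02, 65535, 0, 0) + mss_option
```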

MAC & IP ADDRESS:


What is a MAC Address?
The term MAC address is an acronym for Media Access Control Address. The MAC address is a unique identifier assigned to a Network Interface Card/Controller (NIC). It has a 64-bit or 48-bit address tied to the network adapter. The MAC address is written in hexadecimal format, as six separate groups of two characters/digits separated from each other by colons.

What is an IP Address?
The term IP Address is an acronym for Internet Protocol Address. An IP address is the address that helps a user identify a network connection. It is also known as the logical address given to individual connections in the present network. An IP address lets us understand and control the way in which various devices communicate on the Internet. It also defines the specific behavior of various Internet routers.

Difference Between MAC Address and IP Address

Full-Form
  MAC Address: The term MAC address is an acronym for Media Access Control Address.
  IP Address: The term IP Address is an acronym for Internet Protocol Address.

Number of Bytes
  MAC Address: It is a hexadecimal address of six bytes.
  IP Address: This address is either an eight-byte or a six-byte one.

Protocol Used for Retrieval
  MAC Address: You can retrieve a device attached to the MAC address using the ARP protocol.
  IP Address: You can retrieve a device attached to the IP address using the RARP protocol.

Provider
  MAC Address: The manufacturer of NIC cards provides a device with its MAC address.
  IP Address: An ISP (Internet Service Provider) provides a device's IP address.

Use
  MAC Address: The primary use of a MAC address is to ensure the physical address of a given device/computer.
  IP Address: The IP address, on the other hand, defines a computer's logical address.

Operation
  MAC Address: The MAC address primarily operates on the data link layer.
  IP Address: The IP address primarily operates on the network layer.

Alteration and Changes
  MAC Address: This address does not alter or change with the passing of time and change of environment.
  IP Address: This address gets modified depending on the change in environment and time.

Third-Party Access
  MAC Address: Any third party can find out a device's MAC address.
  IP Address: The IP address stays hidden from display in front of any third party.

Important Links:
https://byjus.com/gate/difference-between-mac-address-and-ip-address/#:~:text=The%20primary%20use%20of%20a,defines%20a%20computer's%20logical%20address.&text=The%20MAC%20address%20primarily%20operates,operates%20on%20the%20network%20layer.

IPV4 AND IPV6


https://www.youtube.com/watch?v=JiaL5A3qezg
https://www.geeksforgeeks.org/introduction-and-ipv4-datagram-header/
https://www.geeksforgeeks.org/internet-protocol-version-6-ipv6/
https://www.geeksforgeeks.org/differences-between-ipv4-and-ipv6/?ref=leftbar-rightbar
SUBNET
A subnetwork or subnet is a logical subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting. Below we can see the structure of an IP address.
FORMATION OF IP ADDRESS USING OCTET CHART
The octet chart is formed by beginning with 1 and doubling the number until we reach 128: 1+1=2; 2+2=4; 4+4=8; ...; 64+64=128. Thus the chart is formed.
We can see how the IP address 192.168.1.0 is formed, which helps us understand how the computer does subnetting.
First, we solve for the first octet, i.e., "192" of the IP address, which is calculated by adding 128 + 64 = 192. Thus 128 and 64 are assigned a 1, and the remaining numbers that are not used are assigned a 0.
The above step is followed for 168, 1 and 0 of the IP 192.168.1.0.
Thus we get the binary form of our IP address (figure not reproduced here).
Now for our subnet mask, we must know that the network ID is indicated by 1s and the host ID by 0s.
Thus for a subnet mask of 255.255.255.0 we can identify the network ID and host ID as shown below (figure not reproduced here).
Example 2:

Above we have seen the subnet mask 255.255.255.0. But what about a subnet mask such as 255.255.224.0? The next example shows how the network and host IDs are determined when an octet is only partially occupied.
Thus we understand the importance of breaking a big network into subnetworks, called subnetting.
The host parts 00000000 and 11111111 are reserved, for the network address and the broadcast address respectively. Thus when a network is divided we have two fewer hosts, i.e., instead of 256 hosts we have 254, and so on.
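The octet-chart arithmetic above, carried out in code as an added example that is not part of the original document: it converts 192.168.1.0 to its binary form, applies a mask to split network ID (mask bits 1) from host ID (mask bits 0), and handles a mask such as 255.255.224.0 that only partially occupies an octet, reserving the all-zeros and all-ones host addresses.

```python
"""Subnet math from first principles (no ipaddress module, to show the bit work)."""


def ip_to_int(ip):
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {ip}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {part}")
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(ip):
    """Dotted binary, e.g. 192 -> 11000000 (the 128 and 64 columns set, the rest 0)."""
    return ".".join(f"{(ip_to_int(ip) >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def mask_prefix_length(mask):
    """Count the leading 1s of a mask; reject masks whose 1s are not contiguous."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def subnet_info(ip, mask):
    prefix = mask_prefix_length(mask)
    addr, m = ip_to_int(ip), ip_to_int(mask)
    network = addr & m                          # keep the bits under the mask's 1s
    broadcast = network | (~m & 0xFFFFFFFF)     # set every host bit
    host_bits = 32 - prefix
    total = 1 << host_bits
    # all-zeros host = network address, all-ones host = broadcast; both reserved
    usable = total - 2 if host_bits >= 2 else 0
    return {
        "prefix": prefix,
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1) if usable else None,
        "last_host": int_to_ip(broadcast - 1) if usable else None,
        "usable_hosts": usable,
        "ip_binary": to_binary(ip),
        "mask_binary": to_binary(mask),
    }
```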
Classes of Subnet Mask

Source:
https://www.youtube.com/watch?v=s_Ntt6eTn94&t=831s
https://www.youtube.com/watch?v=AslJxRKgyeo&ab_channel=NETWORKINGPLUS

TCP DUMP

- Tcpdump is a data-network packet analyzer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
- Tcpdump works on most Unix-like operating systems: Linux, Solaris, FreeBSD, DragonFly BSD, NetBSD, OpenBSD, OpenWrt, macOS, HP-UX 11i, and AIX. On those systems, tcpdump uses the libpcap library to capture packets. The port of tcpdump for Windows is called WinDump; it uses WinPcap, the Windows version of libpcap.
- In some Unix-like operating systems, a user must have superuser privileges to use tcpdump because the packet capturing mechanisms on those systems require elevated privileges. However, the -Z option may be used to drop privileges to a specific unprivileged user after capturing has been set up.
- In other Unix-like operating systems, the packet capturing mechanism can be configured to allow non-privileged users to use it; if that is done, superuser privileges are not required.
USES:
- tcpdump prints the contents of network packets. It can read packets from a network interface card or from a previously saved packet file. tcpdump can write packets to standard output or to a file.
- It is also possible to use tcpdump for the specific purpose of intercepting and displaying the communications of another user or computer. A user with the necessary privileges on a system acting as a router or gateway through which unencrypted traffic such as Telnet or HTTP passes can use tcpdump to view login IDs, passwords, the URLs and content of websites being viewed, or any other unencrypted information.
- The user may optionally apply a BPF-based filter to limit the number of packets seen by tcpdump; this makes the output more usable on networks with a high volume of traffic.
SOURCE:
https://en.wikipedia.org/wiki/Tcpdump#:~:text=tcpdump%20is%20a%20data%2Dnetwork,license%2C%20tcpdump%20is%20free%20software
https://danielmiessler.com/study/tcpdump/
https://www.youtube.com/watch?v=e45Kt1IYdCI

Telnet & SSH

Important link: https://www.youtube.com/watch?v=tZop-zjYkrU


NETWORK SECURITY & CYBER SECURITY

TLS & SSL


TLS
Transport Layer Security (TLS) is designed to provide security at the transport layer. TLS was derived from a security protocol called Secure Socket Layer (SSL). TLS ensures that no third party may eavesdrop on or tamper with any message.
There are several benefits of TLS:
- Encryption: TLS/SSL can help to secure transmitted data using encryption.
- Interoperability: TLS/SSL works with most web browsers, including Microsoft Internet Explorer, and on most operating systems and web servers.
- Algorithm flexibility: TLS/SSL provides options for the authentication mechanism, encryption algorithms and hashing algorithm that are used during the secure session.
- Ease of deployment: Many applications use TLS/SSL temporarily on a Windows Server 2003 operating system.
- Ease of use: Because TLS/SSL is implemented beneath the application layer, most of its operations are completely invisible to the client.

Working of TLS:

The client connects to the server (using TCP) and sends a number of specifications:
1. the version of SSL/TLS it supports;
2. which cipher suites and compression methods it wants to use.

The server checks what the highest SSL/TLS version is that both support, picks a cipher suite from the client's options (if it supports one) and optionally picks a compression method. After this basic setup is done, the server provides its certificate. This certificate must be trusted either by the client itself or by a party that the client trusts. Having verified the certificate and being certain this server really is who it claims to be (and not a man in the middle), a key is exchanged. This can be a public key, a "PreMasterSecret" or simply nothing, depending on the cipher suite.
Both the server and client can now compute the key for symmetric encryption. The handshake is finished and the two hosts can communicate securely. To close the connection, a close_notify alert is sent; if instead the TCP connection is simply torn down, both sides will know the connection was improperly terminated. The connection cannot be compromised by this, merely interrupted.

https://www.geeksforgeeks.org/transport-layer-security-tls/?ref=lbp
https://www.youtube.com/watch?v=AlE5X1NlHgg&t=656s (TLS 1.2 &1.3)

SSL
Secure Socket Layer (SSL) provides security to the data that is transferred between web browser
and server. SSL encrypts the link between a web server and a browser which ensures that all data
passed between them remain private and free from attack.
Secure Socket Layer Protocols:
 SSL record protocol
 Handshake protocol
 Change-cipher spec protocol
 Alert protocol
SSL Protocol Stack:

SSL Record Protocol:


SSL Record provides two services to SSL connection.
 Confidentiality
 Message Integrity
In the SSL Record Protocol, application data is divided into fragments. Each fragment is compressed, then a MAC (Message Authentication Code) generated by algorithms like SHA (Secure Hash Algorithm) or MD5 (Message Digest) is appended. After that the data is encrypted, and finally the SSL record header is prepended to the data.
FRAGMENT IS AS SHOWN BELOW (figure not reproduced here)
Handshake Protocol:
The Handshake Protocol is used to establish sessions. This protocol allows the client and server to authenticate each other by sending a series of messages to each other. The handshake protocol uses four phases to complete its cycle.
- Phase-1: In Phase-1 both client and server send hello packets to each other. In this phase the session ID, cipher suite and protocol version are exchanged for security purposes.
- Phase-2: The server sends its certificate and Server-key-exchange. The server ends Phase-2 by sending the Server-hello-done packet.
- Phase-3: In this phase, the client replies to the server by sending its certificate and Client-key-exchange.
- Phase-4: In Phase-4 the Change-cipher-spec occurs (definition given below), and after this the Handshake Protocol ends.
SSL Handshake Protocol phases, diagrammatic representation (figure not reproduced here)
Change-cipher Protocol:
This protocol uses the SSL record protocol. Until the Handshake Protocol is completed, the SSL record output is in a pending state. After the handshake protocol, the pending state is converted into the current state.
The Change-cipher protocol consists of a single message which is 1 byte in length and can have only one value. This protocol's purpose is to cause the pending state to be copied into the current state.

Alert Protocol:
This protocol is used to convey SSL-related alerts to the peer entity. Each message in this protocol contains 2 bytes.

The first byte, the level, is classified into two parts:

Warning (level = 1):
This alert has no impact on the connection between sender and receiver. Some of them are:
Bad certificate: When the received certificate is corrupt.
No certificate: When an appropriate certificate is not available.
Certificate expired: When a certificate has expired.
Certificate unknown: When some other unspecified issue arose in processing the certificate, rendering it unacceptable.
Close notify: It notifies that the sender will no longer send any messages in the connection.

Fatal Error (level = 2):
This alert breaks the connection between sender and receiver. The connection will be stopped; it cannot be resumed but can be restarted. Some of them are:
Handshake failure: When the sender is unable to negotiate an acceptable set of security parameters given the options available.
Decompression failure: When the decompression function receives improper input.
Illegal parameters: When a field is out of range or inconsistent with other fields.
Bad record MAC: When an incorrect MAC was received.
Unexpected message: When an inappropriate message is received.
The second byte in the Alert protocol describes the error.
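Two pieces of the behaviour described in the TLS "Working" section and in the Alert Protocol above, as one added example that is not part of the original document: the server's choice of the highest mutually supported version and an acceptable cipher suite (answering with a fatal handshake_failure when none exists), and building and parsing the 2-byte alert body (level, description) inside its record header. Assumptions: the pre-TLS-1.3 negotiation as the text describes it, cipher suites as plain name strings, and the RFC-assigned AlertDescription code values for the alerts named above.

```python
"""SSL/TLS version and cipher-suite negotiation plus alert record handling."""
import struct

ALERT_CONTENT_TYPE = 21            # TLS record content type for alerts
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {                   # AlertDescription values from the SSL 3.0 / TLS RFCs
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
    42: "bad_certificate", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter",
}
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_alert(level, description, version=(3, 3)):
    """Record header (type, version, length=2) followed by the 2-byte alert body."""
    return struct.pack("!BBBH", ALERT_CONTENT_TYPE, version[0], version[1], 2) + bytes([level, description])


def parse_alert(record):
    if len(record) < 5:
        raise ValueError("record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != ALERT_CONTENT_TYPE:
        raise ValueError(f"not an alert record (content type {ctype})")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes: level, description")
    level, description = body
    return {
        "version": VERSION_NAMES.get((major, minor), f"{major}.{minor}"),
        "level": LEVELS.get(level, f"unknown({level})"),
        "description": DESCRIPTIONS.get(description, f"unknown({description})"),
        # fatal alerts tear the connection down; close_notify is a warning that
        # still ends it, since the sender will send nothing further
        "ends_connection": level == 2 or description == 0,
    }


def negotiate(client_versions, client_suites, server_versions, server_suites):
    """Server side of the handshake step: highest mutually supported version and
    the first client-offered suite the server accepts, else a fatal handshake_failure."""
    common_versions = set(client_versions) & set(server_versions)
    suite = next((s for s in client_suites if s in server_suites), None)
    if not common_versions or suite is None:
        return None, build_alert(2, 40)
    chosen = max(common_versions)
    return {"version": VERSION_NAMES.get(chosen, f"{chosen[0]}.{chosen[1]}"), "cipher_suite": suite}, None
```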
Salient Features of Secure Socket Layer:
 The advantage of this approach is that the service can be tailored to the specific needs of
the given application.
 Secure Socket Layer was originated by Netscape.
 SSL is designed to make use of TCP to provide reliable end-to-end secure service.
 This is a two-layered protocol.
Versions of SSL:
SSL 1 – Never released due to high insecurity.
SSL 2 – Released in 1995.
SSL 3 – Released in 1996.
TLS 1.0 – Released in 1999.
TLS 1.1 – Released in 2006.
TLS 1.2 – Released in 2008.
TLS 1.3 – Released in 2018.
https://www.geeksforgeeks.org/secure-socket-layer-ssl/?ref=lbp
https://youtu.be/SXErMCgrT0o (ssl protocol explained)
https://www.youtube.com/watch?v=Nh5jdNxPL7g ( ssl handshake)
https://youtu.be/bm8mB8zYST0 (ssl record protocol)
https://www.youtube.com/watch?v=yeiU5SRSBjU (SSL Alert Protocol)
https://www.youtube.com/watch?v=AlE5X1NlHgg&t=656s (TLS 1.2 &1.3)
TLS VS SSL
SSL | TLS
Stands for Secure Socket Layer. | Stands for Transport Layer Security.
Supports the Fortezza cipher suites. | Does not support the Fortezza cipher suites.
The last version is SSL 3.0. | TLS 1.0 was the successor of SSL 3.0; the current version is TLS 1.3.
The master secret is derived with a combination of MD5 and SHA-1 message digests. | The master secret is derived with a pseudo-random function (PRF; HKDF in TLS 1.3).
Uses an ad hoc Message Authentication Code construction. | Uses HMAC (Hashed Message Authentication Code); TLS 1.3 uses AEAD cipher suites instead.
More complex than TLS. | Simpler.
Less secure than TLS (padding and MAC-ordering weaknesses, e.g. POODLE against SSL 3.0). | Provides higher security, with TLS 1.3 removing the weak legacy options.
Slower and less reliable. | Faster and more reliable (TLS 1.3 needs one round trip for the handshake, and zero for resumption).
All SSL versions are deprecated (SSL 3.0 by RFC 7568). | TLS 1.2 and 1.3 are still widely used.
Historically set up on a dedicated "secure" port (implicit, e.g. 443 for HTTPS). | Can also be negotiated in-band on an existing connection (explicit, e.g. STARTTLS for SMTP), as well as on a dedicated port.
SOURCE:
https://www.geeksforgeeks.org/difference-between-secure-socket-layer-ssl-and-transport-layer-security-tls/

https://www.youtube.com/watch?v=-f4Gbk-U758&t=968s (TLS SSL DEEPER UNDERSTANDING VIDEO)

AD VALUE
 Administrative distance (AD) is a measure of how trustworthy a routing source is (a directly connected interface, a static route, OSPF, EIGRP, BGP, RIP and so on).
 Routers assign an AD value to each source from the range 0 – 255. In this range, a smaller number is considered more reliable than a bigger number, so when two sources advertise the same prefix, the route from the source with the lower AD is the one installed in the routing table.
 For example, if a source has an AD value of 40, it will be considered more reliable than a source that has an AD value of 50.
 The value 0 is reserved for the most reliable source (directly connected networks) and the value 255 for the least reliable one: a route with AD 255 is never installed in the routing table.
 AD is only compared between different sources; between routes learned from the same protocol, the protocol's own metric decides.

https://www.youtube.com/watch?v=ty4nNli7Mys
https://www.computernetworkingnotes.com/ccna-study-guide/administrative-distance-ad-
explained.html#:~:text=An%20AD%20value%20is%20the,reliable%20than%20a%20bigger
%20number.
https://www.geeksforgeeks.org/administrative-distance-ad-and-autonomous-system-as/
Active Directory
OWASP top 10

 Broken access control – a user can access, modify, delete or perform actions outside the limit of the permissions granted to that user.
ex-
 Bypassing access control checks by modifying the URL (e.g. changing an id parameter), the application state or an API request
 Permitting viewing or editing someone else's account
 Acting as an admin when logged in as a normal user (privilege escalation)
 Force browsing to authenticated pages as an unauthenticated user, or to privileged pages as a standard user
Preventions -
 Except for public resources, deny by default; enforce the checks on the server side in one reusable component
 Log access control failures and alert admins on repeated failures

 Cryptographic failure – data that should be protected by cryptography is exposed because the cryptography is missing, weak or misused, so a non-authorised user can read sensitive data
ex-
 Data transmitted in clear text (HTTP, FTP, SMTP without TLS)
 Old or weak cryptographic algorithms or protocols in use (MD5 or SHA-1 for passwords, DES, SSL and early TLS)
 Weak crypto keys generated, default keys, or keys re-used or checked into source code
Preventions -
 Encrypt data in transit with TLS and use strong, standard algorithms and modes (asymmetric cryptography for key exchange and signatures, authenticated symmetric encryption such as AES-GCM for bulk data)
 Make sure to encrypt all sensitive data at rest
 Ensure up-to-date and strong standard algorithms, protocols, and keys are in use, with proper key management

 Injection attack – the attacker injects malicious code, a query or a command through the web application's input so that an interpreter (SQL, NoSQL, OS shell, LDAP) executes it, to get unauthorised access.
ex-
 Attack can happen when user supplied data such as a query, command or parameter is not validated, filtered or sanitised by the application before it reaches the interpreter
 Allowing users to execute commands or queries that are outside the permissions given to that particular user
Preventions -
 Use a safe API that avoids the interpreter entirely or provides a parameterised interface (prepared statements)
 Validate, filter or sanitise the input data on the server side (allowlists rather than denylists)
 Do not let a normal user execute commands which are not within their permissions; run the database account with least privilege

 Insecure design – the developers, QA or security team fail to consider or evaluate security requirements while designing the application, so the flaw is in the design itself rather than in the implementation (correct coding cannot fix a control that was never designed in).
Preventions -
 Threat model the critical flows and use secure design patterns and reference architectures
 Restrict resource consumption by user or service
 Check for possible critical vulnerabilities from frontend and backend at each tier of the system

 Security misconfiguration – security controls that are missing, insecurely configured or left at insecure defaults

ex-
 Default accounts/passwords are enabled or unchanged
 Lacking security hardening in any part of the application stack (unnecessary features, ports, services or verbose error messages enabled)
 Wrongly configured permissions on cloud services (e.g. world-readable storage buckets)
Preventions -
 Keep software up to date
 Change default passwords and remove unused accounts and features
 Rectify the wrongly configured permissions and review the configuration regularly, ideally with an automated, repeatable hardening process

 Vulnerable and outdated components – using components (libraries, frameworks, OS and server software) with known vulnerabilities, or old components for which patches are no longer available
ex-
 When available patches are not applied in time
 If we are not aware of which versions of software (and their dependencies) are in use on the client and server side
Preventions -
 Keep software up to date and scan dependencies against vulnerability databases
 Remove unnecessary components which are not in use

 Identification and authentication failures – vulnerabilities in the application's authentication, identification and session management schemes

ex-
 Allowing brute force and dictionary attacks (no rate limiting or lockout)
 Not applying a strong password policy
 Allowing the use of default or weak passwords
Preventions -
 Add multi-factor (two-step) authentication
 Block dictionary and brute force attacks with rate limiting and account lockout
 Enforce a strong password policy and check new passwords against lists of breached passwords

 Software and data integrity failures – software updates, critical data and CI/CD pipelines whose integrity is not verified
ex-
 Plugins, libraries or updates pulled from untrusted sources or CDNs without signature verification
 Auto-updated software that is not tested or verified before it is applied
 Insecure deserialisation of untrusted data
Preventions -
 Verify digital signatures on software and updates, and use a software supply chain security tool to make sure that components do not have any known vulnerabilities

 Security logging and monitoring failure – failures to log, monitor and detect security-relevant events, so that breaches go unnoticed
ex-
 Critical events (logins, failed logins, high-value transactions) are not logged, or the logs are not monitored
Preventions -
 Make sure that logs are in a form that can be easily consumed by a log management or SIEM solution, so that malicious activity can be detected from them
 Make sure logging of critical events is not missing, and protect the logs themselves from tampering

 Server side request forgery – occurs when the application fetches a remote resource without validating the user-supplied URL, so the attacker can make the server send requests on their behalf
ex-
 The attacker supplies a URL that points at an internal service or a cloud metadata endpoint, which is reachable from the server but not from the Internet
Preventions –
 Sanitise and validate the URL or user supplied data (allowlist of schemes, ports and destinations); block private and link-local address ranges
 Do not return raw responses to clients; segment the network so the application server cannot reach internal services it does not need

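The SSRF prevention above, as an added worked example (not code from the page or from OWASP): a URL validator that enforces an allowlist of schemes, ports and hostnames and then checks that the hostname does not resolve to a private, loopback or link-local address (where cloud metadata services live). The allowlist, the hostnames and the fake DNS answers are assumptions made up for the demo; the resolver is injected so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed application policy (not from the page): only these destinations may be fetched.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast addresses. Rejects loopback, RFC 1918
    private ranges, link-local 169.254.0.0/16 (cloud metadata endpoint), multicast
    and reserved space."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str, resolve) -> str:
    """Validate a user-supplied URL before the server fetches it. Raises ValueError with
    the reason if the URL must not be fetched, otherwise returns the normalized URL.

    `resolve(hostname) -> list of IP strings` is injected so this runs offline; in
    production it is the real DNS lookup, and the connection must then be made to the
    address that was checked (not re-resolved), or DNS rebinding defeats the check."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    addrs = resolve(host)
    if not addrs:
        raise ValueError(f"host does not resolve: {host!r}")
    for addr in addrs:
        # Even an allowlisted name must not resolve to an internal address
        if not is_public_ip(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return f"{parts.scheme}://{host}:{port}{parts.path or '/'}"


# Constructed stand-in for DNS (sample data, not real records). cdn.example.com is
# allowlisted but "resolves" to an internal address, as it would in a DNS hijack.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.com": ["10.0.0.5"],
}


def fake_resolve(host: str):
    return FAKE_DNS.get(host, [])


def is_safe_url(url: str, resolve=fake_resolve) -> bool:
    """Boolean wrapper around validate_fetch_url for callers that only need a verdict."""
    try:
        validate_fetch_url(url, resolve)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("https://images.example.com/a.png",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://cdn.example.com/lib.js",
                      "file:///etc/passwd"):
        print(candidate, "->", is_safe_url(candidate))
```

The order of the checks matters: scheme and port are cheap and cut off gopher:, file: and port-scanning tricks first; the hostname allowlist is the real control; the resolution check catches the case where an allowlisted name is pointed at an internal address. Redirects returned by the fetched resource must be validated the same way, since a 302 to http://127.0.0.1 is the other common SSRF route.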
Important link:
https://owasp.org/www-project-top-ten/
FIREWALL
Firewall and Its Types:
Differences between Stateless and Stateful firewalls:

1. Filtering basis
Stateless Packet Filtering Firewalls: Designed to protect networks based on static information in each packet, such as source and destination address, protocol and port.
Stateful Packet Filtering Firewalls: Filter packets based on the full context of the connection the packet belongs to.

2. Mechanism
Stateless: Uses predefined packet filtering rules; each packet is judged on its own against those rules. If it conforms to a rule that permits it, it is considered "safe" and allowed to pass through; if not, the packet is considered "unidentified" or "malicious" and is blocked. The decision uses only the header fields of that one packet.
Stateful: Keeps a state table that records the state of legitimate connections (for example the TCP handshake state, addresses, ports and sequence numbers). A packet is allowed if it matches an existing entry, or if it starts a new connection that the rules permit; return traffic for an established connection is allowed automatically and the entry is removed when the connection closes or times out. Inspecting the payload itself is a further step (application-layer or next-generation firewalls, IPS), not part of basic stateful filtering.

3. Security
Stateless: Less secure than stateful firewalls: a forged packet with the right header fields (e.g. the ACK flag set) passes.
Stateful: More secure.

4. Cost
Stateless: Cheaper or cost-efficient.
Stateful: More expensive as compared to a stateless firewall.

5. Speed
Stateless: Faster than stateful packet filtering firewalls.
Stateful: Slower when compared to a stateless firewall, since every packet needs a state table lookup.

6. Typical use
Stateless: For small businesses a stateless firewall could be a better option, as they face fewer threats and also have a limited budget in hand.
Stateful: For larger enterprises a stateful firewall is the smarter option, as they have more outgoing traffic that needs monitoring and enough budget to afford it. Stateful firewalls offer dynamic packet filtering, so they can provide a thicker security layer to mitigate attacks.
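The stateless versus stateful difference above, as an added worked example (not code from the page or from any firewall vendor): a stateless "established" ACL and a small stateful filter with a state table are run over the same constructed traffic, a legitimate outbound TCP handshake followed by a forged inbound packet that merely carries the ACK flag. The inside network prefix and the addresses are assumptions made up for the demo.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."          # assumed "inside" network for the demo


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags as letters: S=SYN, A=ACK, F=FIN (constructed, simplified)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Stateless ACL as on a classic packet filter: inside hosts may send anything out;
    inbound packets are allowed only if the ACK bit is set (the 'established' trick).
    Each packet is judged alone, so a forged inbound packet that merely carries the
    ACK flag is indistinguishable from a genuine reply."""
    if is_internal(pkt.src):
        return True
    return "A" in pkt.flags


class StatefulFirewall:
    """Stateful packet filter: a state table keyed by the connection's addresses and
    ports, normalised to (inside_ip, inside_port, outside_ip, outside_port). Inbound
    packets pass only if they belong to a connection that an inside host opened."""

    def __init__(self):
        self.table = {}   # key -> "SYN_SENT" | "ESTABLISHED"

    @staticmethod
    def key(pkt: Packet):
        if is_internal(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> bool:
        k = self.key(pkt)
        state = self.table.get(k)
        if is_internal(pkt.src):
            if state is None:
                if "S" in pkt.flags:              # inside host opens a new connection
                    self.table[k] = "SYN_SENT"
                    return True
                return False                      # stray packet belonging to no connection
            if "A" in pkt.flags and state == "SYN_SENT":
                self.table[k] = "ESTABLISHED"     # handshake completed by our ACK
            if "F" in pkt.flags:
                # simplified teardown; real firewalls wait for both FINs or a timeout
                self.table.pop(k, None)
            return True
        if state is None:
            return False                          # inbound packet for no known connection: drop
        if "F" in pkt.flags:
            self.table.pop(k, None)
        return True


def run_scenario():
    """Constructed traffic, not a capture: an inside host opens a TLS connection to a web
    server (SYN, SYN/ACK, ACK), then an outside host sends a forged 'ACK' to port 22."""
    fw = StatefulFirewall()
    legit = [
        Packet("10.0.0.5", 40000, "93.184.216.34", 443, "S"),
        Packet("93.184.216.34", 443, "10.0.0.5", 40000, "SA"),
        Packet("10.0.0.5", 40000, "93.184.216.34", 443, "A"),
    ]
    forged = Packet("198.51.100.9", 443, "10.0.0.5", 22, "A")
    return {
        "legit_stateless": [stateless_filter(p) for p in legit],
        "legit_stateful": [fw.filter(p) for p in legit],
        "forged_stateless": stateless_filter(forged),
        "forged_stateful": fw.filter(forged),
        "state_table": dict(fw.table),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

Both filters pass the genuine handshake, but only the stateless one lets the forged packet through: it has the ACK bit, which is all a stateless rule can see, whereas the stateful table has no entry for port 22 and drops it. Real implementations also track sequence-number windows and UDP/ICMP pseudo-state and expire idle entries, which is where the extra cost in point 5 above comes from.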
Architecture of firewall

3 Tier architecture
About Smart Console(SC GUI), Security Management Server(SMS) And Security
Gateway (SG):
Deployment Scenarios

1) Standalone

2) Distributed

(2) Is a SIC Connection that is established to connect the management server and security
gateway.
3) Management High Availability
4) Full High Availability

Cluster
As per TIER

Question) WHAT IF IN A STANDALONE OR DISTRIBUTED ENVIRONMENT THE SMS IS DOWN? WILL THE SG WORK? (Answer in dropdown)
ANS) Yes, the SG will keep working: it continues to enforce the policy that was last installed on it, and it stores its logs locally until the management/log server is reachable again. We will not be able to install a new policy or change rules until the SMS is back. (In a standalone deployment the SMS and the SG run on the same machine, so "SMS down" there usually means the whole box is down.)
Important Links
https://www.youtube.com/watch?v=Xi-oisdGr_g
https://www.youtube.com/watch?v=hfyLjRZmEFc
https://www.geeksforgeeks.org/what-are-cloud-firewalls/
https://www.fortinet.com/resources/cyberglossary/stateful-firewall
https://www.youtube.com/watch?v=kDEX1HXybrU
https://www.youtube.com/watch?v=Yi2HfNySPUk
SIC (Secure Internal Communication)
 About

 Registered ports of SIC:

 Responsibility:
Firewall Blades:
 Firewall blade – provides access control by enforcing the installed policy (rulebase) and NAT rules on the security gateway
 Identity awareness blade – enables identity-based policies (users, groups and machines rather than just IP addresses) and lets you monitor all connected machines from a single SmartConsole
 Application control and URL filtering blade – enables more granular policies for a particular user or group to identify, block or limit the usage of applications and URL categories
 IPS blade – inspects traffic for exploit attempts against known vulnerabilities and for protocol anomalies, and blocks them (signature and behaviour based intrusion prevention)
 Anti-bot blade – identifies bot-infected machines and blocks their outbound communication to command-and-control (C&C) sites, to protect sensitive data from being exfiltrated
 Anti-virus blade – protects the network from malware such as trojans, worms, viruses and ransomware by scanning files and web traffic
 Threat emulation – protects the network from unknown threats in files that are downloaded from the Internet or attached to e-mails, by running the files in a sandbox; files that show malicious behaviour are blocked
 Threat extraction – removes potentially malicious active content (macros, embedded objects) from a file and delivers a clean, safe copy to the user, so the business flow is not interrupted while emulation completes
IDS - Intrusion Detection System:

Types of Intruders:

Masquerader: An individual who is not authorized to use the system but penetrates it by using a legitimate user's account (stolen credentials, or an exploited access control flaw), so that to the system they look like that user. Masqueraders are typically outsiders without direct access to the system; their aim is to steal data or information.
Misfeasor: A legitimate user who accesses data, programs or resources for which access is not authorized, or who is authorized but misuses that access and privilege. Misfeasors are insiders with direct access to the system, which they abuse to steal or damage data or information.

Classification of Intrusion Detection System:


IDS are classified into 5 types:

1. Network Intrusion Detection System (NIDS):


Network intrusion detection systems (NIDS) are set up at a planned point within the network to
examine traffic from all devices on the network. It performs an observation of passing traffic on
the entire subnet and matches the traffic that is passed on the subnets to the collection of known
attacks. Once an attack is identified or abnormal behavior is observed, the alert can be sent to the
administrator. An example of a NIDS is installing it on the subnet where firewalls are located in
order to see if someone is trying to crack the firewall.
2. Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS) run on independent hosts or devices on the network. A
HIDS monitors the incoming and outgoing packets from the device only and will alert the
administrator if suspicious or malicious activity is detected. It takes a snapshot of existing system
files and compares it with the previous snapshot. If the analytical system files were edited or
deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be
seen on mission-critical machines, which are not expected to change their layout.
3. Protocol-based Intrusion Detection System (PIDS):
A protocol-based intrusion detection system (PIDS) is a system or agent that sits at the front end of a server, monitoring and interpreting the protocol between a user/device and the server. Its typical use is to protect a web server by monitoring the HTTP (or HTTPS) stream and checking that it is well-formed, legitimate HTTP. Because HTTPS is encrypted on the wire, the PIDS has to sit at the point where the traffic is decrypted, between the TLS termination and the web presentation layer, so that it can see the plaintext requests.
4. Application Protocol-based Intrusion Detection System (APIDS):
Application Protocol-based Intrusion Detection System (APIDS) is a system or agent that
generally resides within a group of servers. It identifies the intrusions by monitoring and
interpreting the communication on application-specific protocols. For example, this would
monitor the SQL protocol explicit to the middleware as it transacts with the database in the web
server.
5. Hybrid Intrusion Detection System :
Hybrid intrusion detection system is made by the combination of two or more approaches of the
intrusion detection system. In the hybrid intrusion detection system, host agent or system data is
combined with network information to develop a complete view of the network system. Hybrid
intrusion detection system is more effective in comparison to the other intrusion detection
system. Prelude is an example of Hybrid IDS.
Detection Method of IDS:
Signature-based Method:
A signature-based IDS detects attacks on the basis of specific patterns in network traffic or host activity: particular byte sequences, packet header combinations, or the known malicious instruction sequences used by malware. The patterns the IDS looks for are known as signatures.
A signature-based IDS can easily detect attacks whose pattern (signature) already exists in its database, but it cannot detect new attacks or variants whose signature is not yet known, so the signature set must be updated continuously.
Anomaly-based Method:
An anomaly-based IDS was introduced to detect unknown attacks, as new malware is developed rapidly. It builds a model of normal, trusted activity (statistically or with machine learning) and compares incoming activity with that model; anything that deviates sufficiently from the model is flagged as suspicious. Machine-learning based models generalise better than signatures, as they can be trained for the specific applications and hardware configuration, but they produce false positives when the baseline is incomplete or when legitimate behaviour changes.

Important links:
https://www.youtube.com/watch?v=dfVAi87BSEs
https://www.geeksforgeeks.org/intrusion-detection-system-ids/?ref=lbp
https://www.geeksforgeeks.org/intruders-in-network-security/

IPS -Intrusion Prevention System:

An Intrusion Prevention System is also known as an Intrusion Detection and Prevention System (IDPS). It is a network security application that monitors network or system activities for malicious activity. The major functions of an intrusion prevention system are to identify malicious activity, collect information about this activity, report it and attempt to block or stop it.

Intrusion prevention systems are considered an extension of Intrusion Detection Systems (IDS), because both IPS and IDS monitor network traffic and system activities for malicious activity; the IPS additionally sits in the traffic path and can act on what it sees.

An IPS typically records information related to observed events, notifies security administrators of important observed events and produces reports. Many IPS can also respond to a detected threat by attempting to prevent it from succeeding. They use various response techniques, which involve the IPS stopping the attack itself (dropping the packets or resetting the connection), changing the security environment (for example reconfiguring a firewall) or changing the attack's content (for example removing a malicious attachment).


Classification of Intrusion Prevention System (IPS):


Intrusion Prevention System (IPS) is classified into 4 types:

Network-based intrusion prevention system (NIPS):
It monitors the entire network for suspicious traffic by analyzing protocol activity.
Host-based intrusion prevention system (HIPS):
It is a software package installed on a single host, which monitors that host for suspicious activity by analyzing the events that occur within it.

Wireless intrusion prevention system (WIPS):
It monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.

Network behavior analysis (NBA):
It examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service attacks, specific forms of malware and policy violations.


Comparison of Intrusion Prevention System (IPS) Technologies:

The table below lists the various kinds of IPS technologies (technology type, types of malicious activity detected, scope per sensor, strengths):

Network-Based
- Activity detected: network, transport and application TCP/IP layer activity
- Scope per sensor: multiple network subnets and groups of hosts
- Strengths: the only IDPS that can analyze the widest range of application protocols

Wireless
- Activity detected: wireless protocol activity; unauthorized wireless local area networks (WLANs) in use
- Scope per sensor: multiple WLANs and groups of wireless clients
- Strengths: the only IDPS able to monitor wireless protocol activity

NBA (Network Behavior Analysis)
- Activity detected: network, transport and application TCP/IP layer activity that causes anomalous network flows
- Scope per sensor: multiple network subnets and groups of hosts
- Strengths: typically more effective than the others at identifying reconnaissance scanning and DoS attacks, and at reconstructing major malware infections

Host-Based
- Activity detected: host application and operating system (OS) activity; network, transport and application TCP/IP layer activity
- Scope per sensor: individual host
- Strengths: can analyze activity that was transferred in end-to-end encrypted communications, because it sees the data after decryption on the host

Detection Method of Intrusion Prevention System (IPS):

Signature-based detection:
A signature-based IPS inspects packets in the network and compares them with pre-built, predetermined attack patterns known as signatures.

Statistical anomaly-based detection:
An anomaly-based IPS monitors network traffic and compares it against an established baseline. The baseline identifies what is normal for that network and what protocols are used. However, it may raise false alarms if the baseline is not intelligently configured, and an attacker whose traffic is already present while the baseline is being learned can end up classed as normal.

Stateful protocol analysis detection:
This IPS method recognizes deviations from how protocols are specified to behave, by comparing observed events (tracked per connection state) with pre-built profiles of generally accepted definitions of benign activity for each protocol.


Comparison of IPS with IDS:


The main difference between Intrusion Prevention System (IPS) with Intrusion Detection
Systems (IDS) are:

 Intrusion prevention systems are placed in-line and are able to actively prevent or block
intrusions that are detected.
 IPS can take such actions as sending an alarm, dropping detected malicious packets,
resetting a connection or blocking traffic from the offending IP address.
 IPS also can correct cyclic redundancy check (CRC) errors, defragment packet streams,
mitigate TCP sequencing issues and clean up unwanted transport and network layer
options.
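The two detection methods (signature-based and anomaly-based) from the IDS and IPS sections above, and the IDS/IPS difference just listed, as one added worked example (not code from the page, nor from Snort, Suricata or any vendor): a sensor that matches URL-decoded HTTP request lines against a few constructed signatures and keeps a per-source request counter as a crude anomaly baseline. Run in IDS mode it can only alert; run inline as an IPS it returns "drop" for matching requests. The signatures, the rate threshold and the sample traffic are all made up for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Signature rules as (name, pattern, action); constructed for the demo. Real rule sets
# (Snort/Suricata) are far richer, but the matching idea is the same. Matching is done
# on the URL-decoded request so that %27-style encoding does not evade the pattern.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d+\s*=\s*\d+"), "drop"),
    ("path-traversal", re.compile(r"\.\./"), "drop"),
    ("shellshock", re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;"), "drop"),
]
PRIORITY = {"pass": 0, "alert": 1, "drop": 2}
REQUESTS_PER_WINDOW = 20   # anomaly threshold; assumed baseline, not measured on real traffic


class Sensor:
    """One sensor implementing both detection methods. As an IDS (inline=False) it can
    only raise alerts; as an inline IPS (inline=True) a 'drop' verdict means the
    request never reaches the server."""

    def __init__(self, inline: bool):
        self.inline = inline
        self.counts = defaultdict(int)   # src_ip -> requests seen in the current window
        self.alerts = []                 # (src_ip, rule name)

    def inspect(self, src_ip: str, request_line: str) -> str:
        verdict = "pass"
        decoded = unquote(request_line)
        # 1. Signature-based: known-bad patterns
        for name, pattern, action in SIGNATURES:
            if pattern.search(decoded):
                self.alerts.append((src_ip, name))
                if PRIORITY[action] > PRIORITY[verdict]:
                    verdict = action
        # 2. Anomaly-based: a source far above the normal request rate (scanner / DoS)
        self.counts[src_ip] += 1
        if self.counts[src_ip] > REQUESTS_PER_WINDOW:
            self.alerts.append((src_ip, "rate-anomaly"))
            if PRIORITY["alert"] > PRIORITY[verdict]:
                verdict = "alert"
        if not self.inline and verdict == "drop":
            verdict = "alert"            # a passive IDS cannot drop anything
        return verdict


# Constructed sample traffic (not a capture): one benign request, one SQL injection,
# one directory traversal, then 25 requests from a single scanning host.
SAMPLE_TRAFFIC = [
    ("10.1.1.7", "GET /index.html HTTP/1.1"),
    ("198.51.100.4", "GET /login?user=admin'%20OR%201=1 HTTP/1.1"),
    ("198.51.100.4", "GET /static/..%2F..%2Fetc/passwd HTTP/1.1"),
] + [("203.0.113.9", f"GET /page{i} HTTP/1.1") for i in range(25)]


def run(inline: bool):
    """Return (verdict per request, alerts raised) for the sample traffic."""
    sensor = Sensor(inline)
    verdicts = [sensor.inspect(ip, line) for ip, line in SAMPLE_TRAFFIC]
    return verdicts, sensor.alerts


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, alerts = run(inline=mode)
        print("inline" if mode else "passive", verdicts[:3], "...", len(alerts), "alerts")
```

The signature hits are certain and get the strongest action; the rate anomaly only becomes visible after the twentieth request from the scanner, and is reported as an alert rather than a drop because a statistical deviation is weaker evidence than a known-bad pattern. Decoding before matching is the detail that matters most in practice: an IDS that matches raw bytes is evaded by trivial encoding, while one that normalises too aggressively has to be careful not to decode differently from the server it protects.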
IP-SEC:

IPsec can be used to do the following things:

 To encrypt application layer data (everything carried above IP, transparently to the application).
 To provide security for routers sending routing data across the public internet.
 To provide authentication without encryption, e.g. to authenticate that the data originates from a known sender and was not modified in transit (AH, or ESP with a NULL cipher).
 To protect network data by setting up circuits using IPsec tunneling, in which all data being sent between the two endpoints is encrypted, as with a Virtual Private Network (VPN) connection.
Important Links:
https://www.geeksforgeeks.org/ip-security-ipsec/ ( short overview on IPSEC)
Architecture of IPSec:

Explanation:
All these components shown above are very important in order to provide the three main
services:
 Confidentiality
 Authentication
 Integrity
1. Architecture: Architecture or IP Security Architecture covers the general concepts,
definitions, protocols, algorithms, and security requirements of IP Security technology.
2. ESP Protocol: ESP (Encapsulating Security Payload) provides a confidentiality service, and optionally integrity and authentication. Encapsulating Security Payload is implemented in either of two ways:
 ESP without authentication (encryption only; discouraged, because unauthenticated encryption can be tampered with undetected).
 ESP with authentication (encryption plus an integrity check value over the ESP header and payload).
Packet Format:

 Security Parameter Index (SPI): A 32-bit value which, together with the destination address and the protocol, identifies the Security Association (the negotiated keys and algorithms) that the receiver must use to process this packet.
 Sequence Number: A monotonically increasing 32-bit counter, unique per packet within an SA. The receiver uses it for anti-replay protection (a sliding window of already-seen numbers), not for re-ordering packets.
 Payload Data: The actual data (the protected transport-layer segment, or the whole original IP packet in tunnel mode). The payload data is in an encrypted format to achieve confidentiality.
 Padding: Extra bytes added after the payload so that its length fits the block size of the cipher and the Pad Length and Next Header fields end on a 4-byte boundary; padding can also hide the true payload length. Pad Length gives the number of padding bytes that were added.
 Next Header: Identifies the type of data in the payload (for example 6 for TCP in transport mode, 4 for an encapsulated IPv4 packet in tunnel mode).
 Authentication Data: The integrity check value (ICV) computed over the ESP header and the encrypted payload. This field is optional in the ESP packet format and is present when authentication is used.
https://www.youtube.com/watch?v=EPVwhLFT0tY (Explanation)
3. Encryption algorithm: The encryption algorithm is the document that describes various
encryption algorithms used for Encapsulation Security Payload.
4. AH Protocol: AH (Authentication Header) Protocol provides both Authentication and
Integrity service. Authentication Header is implemented in one way only: Authentication along
with Integrity.
Authentication Header covers the packet format and general issues related to the use of AH for
packet authentication and integrity.
https://www.youtube.com/watch?v=baTcW5ofgFo&t=151s (Explanation)
5. Authentication Algorithm: The Authentication Algorithm contains the set of documents that
describe the authentication algorithm used for AH and for the authentication option of ESP.
6. DOI (Domain of Interpretation): DOI is the identifier that supports both AH and ESP
protocols. It contains values needed for documentation related to each other.
7. Key Management: Key Management covers the documents that describe how the keys are exchanged between sender and receiver: either manually (static keys configured on both ends, e.g. with the ipseckey command) or automatically by using Internet Key Exchange (IKE).
Explanation:
https://www.youtube.com/watch?v=xwtZBLxbjaU
https://www.geeksforgeeks.org/ipsec-architecture/?ref=rp
Protocols / Components of IP Security:
It has the following components:
1. Encapsulating Security Payload (ESP)
2. Authentication Header (AH)
3. Internet Key Exchange (IKE)
1. Encapsulating Security Payload (ESP):
It provides data integrity, encryption, authentication, and anti-replay protection. The authentication covers the ESP header and payload but not the outer IP header.
2. Authentication Header (AH):
It provides data integrity, authentication, and anti-replay protection, and it does not provide encryption. The anti-replay protection protects against the unauthorized re-transmission of previously captured packets. AH also authenticates the immutable fields of the IP header itself, which is why AH cannot pass through NAT (the address rewrite breaks the integrity check). It does not protect data confidentiality.

3. Internet Key Exchange (IKE):

 IKE is the network security protocol used to dynamically authenticate the peers, negotiate the Security Associations (SAs) between two devices and generate the session keys for them.
 A Security Association (SA) establishes shared security attributes between two network entities to support secure communication.
 ISAKMP (Internet Security Association and Key Management Protocol) provides the framework for authentication and key exchange: it defines the message formats and the procedures for setting up SAs. IKE uses that framework together with a Diffie-Hell man key exchange (taken from the Oakley and SKEME protocols) to produce the keys for the IPsec connection between the two hosts.
 IKE protects its own messages (after the initial exchange they are encrypted and integrity protected) and provides an open framework for plugging in standard algorithms, such as SHA and MD5 for hashing, AES and 3DES for encryption, and RSA signatures or pre-shared keys for authentication.
 With the negotiated keys, the IPsec peers attach an integrity check value and a per-SA sequence number to each packet; the receiver verifies the check value and the sequence number to decide whether a packet is genuine and not a replay. Packets that fail the check are discarded and never handed to the receiver.
4. Internet Security Association and Key Management Protocol (ISAKMP):
 ISAKMP is specified as one of the building blocks of the IKE protocol.
 It is a framework that is used for key establishment, authentication, and negotiation of a security association for the secure exchange of packets over the Internet Protocol layer.
 In other words, this protocol defines how two systems agree on the security parameters they will use to communicate with each other.
 Each security association defines a connection in one direction, from one host to another.
 The security association includes all attributes which are required for the connection, including the cryptographic algorithm, the IPsec mode, the encryption key, and any other parameters related to data transmission that are required to establish a secure connection.
5. Security Association (SA):
 An SA is the set of IPsec specifications negotiated between two devices that are establishing an IPsec relationship.
 These specifications include the choice of authentication and encryption algorithms and of the IPsec protocol (AH or ESP) to be used for the connection.
 An SA is unidirectional: it protects traffic in one direction only, so a normal two-way connection needs a pair of SAs, one inbound and one outbound (a vendor's management interface may present the pair as a single "tunnel").
 An SA is uniquely identified by a Security Parameter Index (SPI), an IPv4 or IPv6 destination address, and a security protocol (AH or ESP) identifier.

Parameters:
1. Security Parameter Index (SPI): A 32-bit number that is chosen to uniquely identify a
particular SA for any connected device. The SPI is placed in AH or ESP datagrams and
thus links each secure datagram to the security association. It is used by the recipient of a
transmission so it knows what SA governs the datagram.
2. Security Protocol Identifier: Specifies whether this association is for AH or ESP for an
SA. If both are in use with this device they have separate SAs.
3. Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or ESP headers.
The counter is initialised to 0 when the SA is established and incremented before each packet is sent, so the first packet carries sequence number 1. It must never wrap around, so the SA has to be replaced (rekeyed) before 2^32 - 1 (4,294,967,295) packets have been sent; ESP also offers 64-bit extended sequence numbers for high-speed links. On the receiving side a sliding anti-replay window records which numbers have already been seen and rejects duplicates.
4. AH Information: Information related to Authentication algorithm, keys, key lifetimes,
and related parameters being used with AH (required for AH implementations).
5. ESP Information: Information related to Encryption and authentication algorithm, keys,
initialization values, key lifetimes, and related parameters being used with ESP (required
for ESP implementations).
6. Lifetime of This Security Association: A time interval or byte count after which an SA
must be replaced with a new SA (and new SPI) or terminated, plus an indication of which
of these actions should occur (required for all implementations).
7. IPSec Protocol Mode: The AH or ESP protocol can be implemented in Tunnel,
transport, or wildcard mode (required for all implementations).
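The ESP header fields described earlier (SPI and Sequence Number) and the anti-replay behaviour of the Sequence Number Counter parameter above, as one added worked example (not code from the page or from any IPsec implementation): it parses the SPI and sequence number from constructed ESP packets and runs them through the receiver's sliding anti-replay window as specified in RFC 4303. The window size of 64 and the sequence of packets are chosen to exercise the in-order, replayed, late-but-new and far-ahead cases; the payload bytes are dummies, since interpreting them would need the SA's keys.

```python
import struct

ESP_HEADER = struct.Struct("!II")   # SPI, Sequence Number (RFC 4303 section 2)


def parse_esp_header(packet: bytes):
    """Return (spi, seq) from the start of an ESP packet. Everything after the 8-byte
    header is payload, padding and ICV, which need the SA's keys to interpret."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    return ESP_HEADER.unpack_from(packet)


class AntiReplayWindow:
    """Receiver-side anti-replay check (RFC 4303 section 3.4.3, RFC 2401 appendix C)
    for one inbound SA with 32-bit sequence numbers.

    The window covers the last `size` sequence numbers up to the highest one accepted;
    a bitmap records which of those have already been received."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence number (highest - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside or to the right of the
        window; False (the packet must be dropped) if it is a replay or too old."""
        if seq == 0:
            return False                      # 0 is never a valid sequence number
        if seq > self.highest:
            # New highest value: slide the window right by the difference
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1               # everything older falls out of the window
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                      # already received: replay
        self.bitmap |= 1 << offset            # late but genuine: accept and record
        return True


def process_sample():
    """Constructed inbound packets for one SA (SPI 0x1000), not captured traffic:
    sequence numbers 1, 2, 3, 3 (replayed), 5, 4 (late but new), 2 (replayed), 200."""
    window = AntiReplayWindow(size=64)
    seqs = [1, 2, 3, 3, 5, 4, 2, 200]
    packets = [ESP_HEADER.pack(0x1000, s) + b"\x00" * 16 for s in seqs]
    return [window.check_and_update(parse_esp_header(p)[1]) for p in packets]


if __name__ == "__main__":
    print(process_sample())   # [True, True, True, False, True, True, False, True]
```

In a real implementation the window is only updated after the ICV has verified, so that an attacker cannot advance the window (and thereby make genuine late packets look old) by sending forged packets with high sequence numbers; the sequence number itself is never secret, it is the ICV that binds it to the SA's key.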

Important Links:

https://www.geeksforgeeks.org/ipsec-protocols/?ref=rp

https://www.geeksforgeeks.org/ip-security-ipsec/

IPSec Mode

Transport Mode:
 In this mode the IPsec header (AH or ESP) is inserted between the original IP header and the payload of the packet. Thus only the transport-layer payload gets encrypted (ESP) or authenticated, but not the IP header, so the real source and destination addresses stay visible on the wire.
 Transport mode is used for end-to-end communication between two hosts (host-to-host protection, or a protocol such as L2TP carried over IPsec).

Tunnel Mode:
 In this mode the IPsec header (AH or ESP) is placed before the original IP header, and the whole original packet (header and payload) becomes the payload of a new IP packet with a new outer IP header. Here the original payload gets encrypted as well as the original IP header, so only the gateway addresses are visible.
 In tunnel mode, communication occurs from the gateway of one network to the gateway of another network (or from a remote host to a gateway). The path between the two gateways is encrypted for safe transfer of data, and the end hosts need no IPsec configuration at all.

https://www.youtube.com/watch?v=QLuJYzcWbmM&t=2s (Explanation)

Working on IP Security
 The host checks whether a packet should be transmitted using IPsec or not, by matching the packet against the security policy (a match on addresses, protocol and ports triggers IPsec). The sending system then applies the appropriate protection; incoming packets are likewise checked by the receiving host against its policy, and their protection is verified before they are accepted.
 Then IKE Phase 1 starts, in which the two IPsec hosts authenticate themselves to each other (pre-shared key or certificates) and establish a secure channel, the IKE SA. IKEv1 has two modes for this phase: Main mode provides greater security (the identities are exchanged encrypted), while Aggressive mode lets the hosts establish the IPsec circuit more quickly at the cost of sending the identities in clear. (IKEv2 replaces both with the IKE_SA_INIT and IKE_AUTH exchanges.)
 The channel created in the last step is then used to securely negotiate the way the IP circuit will encrypt data across the IP circuit.
 Now IKE Phase 2 (Quick mode in IKEv1, CREATE_CHILD_SA in IKEv2) is conducted over the secure channel, in which the two hosts negotiate the cryptographic algorithms to use for the session and agree on the secret keying material to be used with those algorithms; this produces the IPsec SAs, one for each direction.
 Then the data is exchanged across the newly created IPsec encrypted tunnel. These packets are encrypted and decrypted by the hosts using the IPsec SAs.
 When the communication between the hosts is completed, or the SA lifetime (time or byte count) expires, the IPsec tunnel is terminated and both hosts discard the keys; an expiring lifetime on a busy tunnel normally triggers a rekey into a fresh SA instead.
https://www.geeksforgeeks.org/ip-security-ipsec/
https://www.geeksforgeeks.org/ip-security-ipsec/
SIEM – SPLUNK & ALIEN VAULT
SIEM- Security Information & Event Management
Collection: log and event data is gathered from the sources (firewalls, servers, endpoints, applications) by agents, forwarders or syslog.

Parsing: data parsing is converting data from one format to another. Widely used for data structuring, it breaks the raw, often unstructured text of each event into fields (timestamp, source IP, user, action) so that the data becomes comprehensible and queryable.
Aggregation: identical or related events are combined (e.g. 500 identical firewall denies become one record with a count) to reduce volume.

Normalization & Categorization: fields from different products are mapped to one common schema (src_ip, dst_ip, user, outcome) and events are assigned to categories (authentication, network, malware), so that one rule can apply to all sources.

Enrichment: context is added to the events, such as the asset owner, the geolocation of an IP, threat intelligence reputation or user directory information.

Correlation Rules & Alerts: rules relate multiple events across sources and time (e.g. several failed logins followed by a success from the same IP) and raise an alert when the pattern matches.

Indexing: events are indexed so that searches over large volumes of data are fast.

Storage: raw and parsed events are retained (hot for searching, cold or archived for compliance) for the required retention period.
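The parsing, normalization and correlation stages above, as one added worked example (not code from the page, nor from Splunk or AlienVault): two different log formats, a Linux sshd syslog line and a Windows-style logon record, are parsed into one common schema, and a correlation rule then looks for a brute-force pattern across the normalized events (five or more failures from one source IP inside five minutes, followed by a success from that IP). The log lines, hostnames, addresses and the thresholds are constructed for the demo; the syslog year is assumed since the format omits it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources (not real logs): Linux sshd via syslog
# and a Windows-style logon record. The formats differ, so each gets its own parser.
RAW_EVENTS = [
    "Jan 10 09:00:01 bastion sshd[101]: Failed password for root from 198.51.100.7 port 50001 ssh2",
    "Jan 10 09:00:03 bastion sshd[101]: Failed password for root from 198.51.100.7 port 50002 ssh2",
    "Jan 10 09:00:05 bastion sshd[101]: Failed password for admin from 198.51.100.7 port 50003 ssh2",
    "Jan 10 09:00:07 bastion sshd[101]: Failed password for admin from 198.51.100.7 port 50004 ssh2",
    "Jan 10 09:00:09 bastion sshd[101]: Failed password for deploy from 198.51.100.7 port 50005 ssh2",
    "Jan 10 09:00:12 bastion sshd[101]: Accepted password for deploy from 198.51.100.7 port 50006 ssh2",
    "Jan 10 09:30:00 bastion sshd[102]: Accepted publickey for alice from 10.0.0.8 port 51000 ssh2",
    "2024-01-10T09:01:00Z host=winsrv1 EventID=4625 TargetUserName=svc_backup IpAddress=198.51.100.7 Status=0xC000006D",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"
)


def parse_event(line: str):
    """Parsing + normalization: both formats are mapped to the same schema
    {ts, host, user, src_ip, category, outcome}. Unrecognised lines return None."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")   # year assumed
        outcome = "success" if m["outcome"] == "Accepted" else "failure"
        return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["src"],
                "category": "authentication", "outcome": outcome}
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        outcome = "success" if m["eid"] == "4624" else "failure"   # 4624 logon, 4625 failed logon
        return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["src"],
                "category": "authentication", "outcome": outcome}
    return None


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold authentication failures from one source IP within
    `window`, followed by a success from the same IP (a brute force that worked).
    Returns one alert per matching success, naming the IP and the account logged in."""
    failures = defaultdict(list)      # src_ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "authentication":
            continue
        recent = [t for t in failures[ev["src_ip"]] if ev["ts"] - t <= window]
        failures[ev["src_ip"]] = recent
        if ev["outcome"] == "failure":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"src_ip": ev["src_ip"], "user": ev["user"], "host": ev["host"],
                           "failures_before_success": len(recent)})
            failures[ev["src_ip"]] = []   # reset so one burst yields one alert
    return alerts


def run_pipeline(lines=RAW_EVENTS):
    """Parse all lines, drop the unparseable ones, and run the correlation rule."""
    events = [e for e in map(parse_event, lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_pipeline()
    print(len(events), "normalized events")
    for a in alerts:
        print("ALERT", a)
```

Because the Windows event is normalized into the same schema, the rule counts it together with the sshd failures from the same attacker IP without knowing anything about Windows event IDs; that is the point of the normalization stage. The rule is stateful across events, so in a real SIEM the per-source failure lists would live in a time-bounded store rather than in memory, and the output would go to the alerting stage rather than to print.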
SPLUNK
What is Splunk?

Working of SPLUNK
 In the case of firewalls and routers we do not need a forwarder: they cannot run an agent, so they send syslog (or SNMP traps) directly to a network input on the indexer or on a heavy forwarder.

Deployment

 Splunk Enterprise and Splunk Cloud are paid versions without a fixed storage limit (licensing is by daily ingest volume). Enterprise can be installed as a standalone instance, or as distributed or clustered components.
 Splunk Light was intended for a single user and had limitations.

Components Of Splunk

Processing Components
Indexer

 An index is a repository that stores processed data. It contains the data after it has been transformed into events.
 An index consists of 2 types of data: the raw data in compressed form (the rawdata journal), and index data that points into the raw data. The index files are also called tsidx (time-series index) files.
 The files reside in directories organised by the age of the data they hold. These directories are called buckets.
Bucket stages:

Search Heads:

 The search head takes the search request from the user and distributes it to the indexers (its search peers). Each indexer searches through its own indexes and returns its results to the search head.
 The search head applies knowledge objects to the results, merges them and presents the data to the user.
 Knowledge objects (field extractions, lookups, event types, tags, saved searches) are used to extract additional fields and transform data at search time without changing the underlying indexed data.
Forwarder:
Forwarders collect the data and forward it to an indexer, or to another forwarder, depending on the deployment. They are of 2 types:
The difference between the universal forwarder and the heavy forwarder is that the universal forwarder is a lightweight agent that forwards raw, unparsed data, while the heavy forwarder is a full Splunk Enterprise instance that parses the data (and can filter or route it) before forwarding it to the indexer.

Managing Splunk Components:

Deployments Environments:
Standalone Deployment:
In this deployment all functions of splunk software are hosted in a single server.

Distributed Deployment:
In this deployment, functions of splunk software are hosted in different instances.
Important configuration files
Splunk settings live in .conf files under $SPLUNK_HOME/etc and are layered in two contexts: the global context (system/local, then app/local, app/default and system/default, in decreasing precedence) governs index-time functions such as indexing and data inputs, while the app/user context (user, then app, then global) governs search-time functions such as searching. When the same setting appears in several files, the one with the higher precedence wins.
Binding Splunk to an IP address:

Temporary

Permanent
To make the settings permanent edit the web.conf file do as shown In below screenshots:
Then, finally restart the service .
Data Ingestion Phases:
Data ingestion is the process of obtaining and importing data for immediate use or storage in a database. To ingest something is to take something in or absorb something. Data can be streamed in real time or ingested in batches. In real-time data ingestion, each data item is imported as the source emits it.

Data Pipeline:
The route that data takes through Splunk Enterprise, from its origin in sources such as log files and network feeds, to its transformation into searchable events that encapsulate valuable knowledge.
Each pipeline has its own functions, called processors. The data queues and the data ingest flow will help us understand the functioning.
Data Queues & Data Ingest Flow
Data queues are the memory space used to store data between the pipelines. The output of the previous pipeline is saved here as a queue before it gets picked up by the next pipeline.
The forwarder forwards the data to the indexer.
In the indexer the pipelines pick up the data from the queues and perform the following functions:
Parsing pipeline: character set (UTF-8) detection, line breaking and header parsing of the data.
Merging pipeline: line merging (the aggregator, which joins the lines of a multi-line event back together) and timestamp extraction.
Typing pipeline: regular expression replacement (e.g. masking of sensitive values) and the annotator, which adds annotation metadata to the data.
Index pipeline: indexing and storing of the data (or sending it onwards over TCP or syslog output).
Then the data moves to the buckets.
Correlation between Splunk Data Pipeline and splunk Components:
SPLUNK LICENSES:

APPS AND ADD-ONS:


Roles & Permissions:

Data Inputs Types and ways:


Default Meta Data Settings

The metadata values are source, sourcetype and host, i.e. they help in identifying the source of the data, the type of the data and the host it came from.
If a metadata value is not set on the input, Splunk uses the default shown in the table above instead (for example, host defaults to the name of the Splunk instance that ingested the data and source to the file path or input name).
Installing Splunk

Assuming all the network setup is done for the system or VM, we may proceed with the steps below.
Latest as of 12/4/23
1) Give the command below to download the Splunk package.
wget -O splunk-9.1.2-b6b9c8185839-linux-2.6-amd64.deb https://download.splunk.com/products/splunk/releases/9.1.2/linux/splunk-9.1.2-b6b9c8185839-linux-2.6-amd64.deb

2) Give the ls command to see whether the package has been downloaded.

3) Now we may proceed to install Splunk by giving the command below.

apt-get install ./splunk-9.1.2-b6b9c8185839-linux-2.6-amd64.deb (type ./s and press Tab to complete the file name)

4) Then we enable boot-start with the splunk enable boot-start command, so that whenever the system is started Splunk starts as well.

During this process we may have to provide the username and password that will be used to access Splunk (the admin account created on first start).

You may check the status of Splunk if required by giving the command "systemctl status splunk". In case it is not active, you may start it manually with "systemctl start splunk" or "/opt/splunk/bin/splunk start".
You may access the web UI in one of the ways below, using the VM's IP address. Splunk Web listens on port 8000 by default (8080 only if the port has been changed in web.conf), and https only works if SSL has been enabled for Splunk Web.
1) VM IP:PORT, e.g. 192.168.15.82:8000 or 192.168.15.82:8080
2) http://VM IP:PORT, e.g. http://192.168.15.82:8000 or http://192.168.15.82:8080
3) https://VM IP:PORT, e.g. https://192.168.15.82:8000 or https://192.168.15.82:8080
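The four installation steps above as one script. This is an added example, not part of the notes and not a Splunk-provided script; it adds the check the notes skip: Splunk publishes a .sha512 digest file next to each package, and the script refuses to install a package whose digest does not match it. It assumes a Debian/Ubuntu host, that it is run as root, that the .deb creates the splunk user (it does), and the 9.1.2 build quoted above; SPLUNK_VERSION and SPLUNK_BUILD can be overridden for a newer release.

```shell
#!/bin/sh
# Added example (not from the notes, not a Splunk script): download, verify and
# install Splunk Enterprise on Debian/Ubuntu. Assumes it is run as root and
# that the version/build are the ones quoted in the notes (9.1.2, b6b9c8185839);
# override with SPLUNK_VERSION / SPLUNK_BUILD for a newer release.
SPLUNK_VERSION="${SPLUNK_VERSION:-9.1.2}"
SPLUNK_BUILD="${SPLUNK_BUILD:-b6b9c8185839}"

# Package file name and download URL, derived from version and build id.
splunk_pkg_name() {
    printf 'splunk-%s-%s-linux-2.6-amd64.deb' "$1" "$2"
}

splunk_download_url() {
    printf 'https://download.splunk.com/products/splunk/releases/%s/linux/%s' \
        "$1" "$(splunk_pkg_name "$1" "$2")"
}

# SHA-512 hex digest of a file, with whichever tool the host provides.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Pull the 128-hex-digit digest out of a published digest file, accepting both
# the "SHA512(file)= <hex>" and the "<hex>  file" layouts.
digest_from_sumfile() {
    tr 'A-F' 'a-f' < "$1" | grep -oE '[0-9a-f]{128}' | head -n 1
}

# True only if the package digest equals the expected hex digest.
verify_pkg_sha512() {
    pkg="$1"; expected="$2"
    [ -n "$expected" ] && [ "$(sha512_of "$pkg")" = "$expected" ]
}

install_splunk() {
    pkg="$(splunk_pkg_name "$SPLUNK_VERSION" "$SPLUNK_BUILD")"
    url="$(splunk_download_url "$SPLUNK_VERSION" "$SPLUNK_BUILD")"

    # 1) download the package and the digest Splunk publishes next to it
    wget -O "$pkg" "$url"
    wget -O "$pkg.sha512" "$url.sha512"

    # 2) refuse to install a package whose digest does not match
    if ! verify_pkg_sha512 "$pkg" "$(digest_from_sumfile "$pkg.sha512")"; then
        echo "SHA-512 mismatch for $pkg, aborting" >&2
        return 1
    fi

    # 3) install from the local .deb (apt-get resolves its dependencies)
    apt-get install -y "./$pkg"

    # 4) register the service so Splunk starts at boot; on a fresh install this
    #    step accepts the licence and prompts for the admin username/password.
    #    With the init.d script the service is "splunk"; if you pass
    #    -systemd-managed 1 the unit is named "Splunkd" instead.
    /opt/splunk/bin/splunk enable boot-start -user splunk --accept-license
    /opt/splunk/bin/splunk start
}

# Run the installer only when asked, so the helpers can be sourced or tested.
if [ "${1:-}" = "install" ]; then
    install_splunk
fi
```

Run it as `sh install-splunk.sh install`. The digest check matters because the package is fetched over HTTPS from a CDN and then installed as root; comparing against the digest Splunk publishes catches a corrupted or substituted download before it is unpacked.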

Interface
Tour of Splunk
Account settings
Preferences setting: change the time zone
Creating a user:

Choose New User.

We can also create new roles; the option is available as can be seen in the screenshot above.

View capabilities shows the user's capabilities. Using this we can control which searches and actions are allowed to the user; assign only the capabilities the user needs rather than handing out the admin role for day-to-day searching.
ONBOARDING LOGS
File uploading
Creating a new index
Uploading file:
Configuring inputs.conf file
Logs Importing
Logs onboarding from Linux
For onboarding the Linux authentication log I am using a PuTTY session from the RDP host to the Ubuntu Linux machine with the IP 192.168.30.10, logging in as ubuntu cdlin.

Then switch to the root user and change directory to /var/log to get the authentication logs.
To follow the authentication log use the command tail -f auth.log; this is the file used on Ubuntu-based Linux (Red Hat-based systems use /var/log/secure instead).

Then open a second session to check whether the login is being logged or not.

The screenshot below shows that the logs are generated.

For onboarding the logs in the Splunk web UI we use the GUI method: go to Settings, then Data inputs, then Add new, as shown in the screenshots below in order.
Then click Browse, select the Ubuntu authentication log and choose Continuously Monitor. If splunkd runs as a non-root user it must be able to read /var/log/auth.log, which on Ubuntu is readable only by root and the adm group.
The second step is source type selection: the Linux authentication logs use the linux_secure source type, as shown in the screenshot.
Create a new index named linux.
Then review and submit.
As shown in the screenshot below, the Linux logs are successfully onboarded in the Splunk web UI, and the failed login I highlighted is visible.

Checking continuous monitoring:

I once again started a new session in PuTTY and again gave wrong login credentials.
For Windows onboarding

Ping to check connectivity to the Splunk host, i.e. 192.168.30.10.
We create an RDP connection from our purplesynapz RDP host to the Windows client1 RDP host as shown in the screenshot below, and from the RDP host (192.168.15.172) the Windows universal forwarder installer is copied and pasted to the RDP host 192.168.30.40.
Leave it empty (as shown in the installer screenshot).

For sending logs from one Splunk instance to another we use forwarding and receiving.
Click on Configure receiving as shown in the screenshot below.

Then click on New receiving port.

I have given the listening port as 9997; it will receive data on TCP port 9997 (the port must also be open on the indexer's firewall).

Now our Splunk instance is listening for logs from other Splunk instances.

Then we gave the installer the hostname of the receiving Splunk indexer and the listening port number.
Then install.
Create an inputs.conf file in the Splunk universal forwarder directory (C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf) so that the logs go to our Splunk instance.

Then open that inputs.conf with Notepad and add a stanza, because we are collecting the Windows event logs.
As we want the logs of the Security channel we have given Security in the stanza, as shown in the screenshot below, and as I want to send these logs to the Windows index I have set index accordingly (windows2 in the example below).
Example 1: only the Security channel
[WinEventLog://Security]
index = windows2

INPUTS.CONF (Example 1)
[monitor://C:\Windows\Performance\WinSAT\winsat.log]
disabled = 0
index = windows2
sourcetype = Windowslogs
source = C:\Windows\Performance\WinSAT\winsat.log

[WinEventLog://Application]
disabled = 0
index = windows2
sourcetype = Windowslogs

[WinEventLog://Security]
disabled = 0
index = windows2
sourcetype = Windowslogs

[WinEventLog://System]
disabled = 0
index = windows2
sourcetype = Windowslogs

[perfmon://CPU]
disabled = 0
index = windows2
counters = % Processor Time
instances = _Total
object = Processor
interval = 300
[perfmon://LogicalDisk]
disabled = 0
index = windows2
counters = % Free Space; Free Megabytes; Used Space; Used Megabytes
instances = *
object = LogicalDisk
interval = 300
inputs.conf (Example 2)

[default]
index = windows_logs

[monitor://C:\Windows\Performance\WinSAT\winsat.log]
disabled = 0

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0
[perfmon://CPU]
disabled = 0
counters = % Processor Time
instances = _Total
object = Processor
interval = 300

[perfmon://LogicalDisk]
disabled = 0
counters = % Free Space; Free Megabytes; Used Space; Used Megabytes
instances = *
object = LogicalDisk

inputs.conf (Example 3)
[default]
index = windows_logs

[monitor://C:\Windows\Performance\WinSAT\winsat.log]
disabled = 0

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0
[WinEventLog://Setup]
disabled = 0

[WinEventLog://ForwardedEvents]
disabled = 0

[WinEventLog://DNS Server]
disabled = 0

[WinEventLog://Directory Service]
disabled = 0

[WinEventLog://File Replication Service]
disabled = 0

[WinEventLog://Windows PowerShell]
disabled = 0

[perfmon://CPU]
disabled = 0
counters = % Processor Time
instances = _Total
object = Processor
interval = 300

[perfmon://LogicalDisk]
disabled = 0
counters = % Free Space; Free Megabytes; Used Space; Used Megabytes
instances = *
object = LogicalDisk

[perfmon://Memory]
disabled = 0
counters = Available MBytes; Pages/sec; Committed Bytes
instances = _Total
object = Memory
interval = 300

[perfmon://Network]
disabled = 0
counters = Bytes Total/sec; Bytes Received/sec; Bytes Sent/sec
instances = *
object = Network Interface
interval = 300

[perfmon://System]
disabled = 0
counters = Processor Queue Length; System Calls/sec
instances = _Total
object = System
interval = 300

Explanation of Additional Stanzas:

1. Setup Logs: [WinEventLog://Setup] - logs related to system setup.
2. Forwarded Events: [WinEventLog://ForwardedEvents] - logs forwarded from other systems (Windows Event Forwarding).
3. DNS Server Logs: [WinEventLog://DNS Server] - logs related to DNS server activities.
4. Directory Service Logs: [WinEventLog://Directory Service] - logs from Active Directory services.
5. File Replication Service Logs: [WinEventLog://File Replication Service] - logs related to file replication.
6. Windows PowerShell Logs: [WinEventLog://Windows PowerShell] - logs related to PowerShell activities.
7. Memory Performance Monitoring: [perfmon://Memory] - monitoring memory-related counters.
8. Network Performance Monitoring: [perfmon://Network] - monitoring network interface-related counters.
9. System Performance Monitoring: [perfmon://System] - monitoring overall system performance counters.

Note: the DNS Server, Directory Service and File Replication Service channels exist only on servers that hold those roles; on a workstation the forwarder logs an error for each missing channel, so only enable them where the role is installed. Also note that Examples 1 and 2 set sourcetype = Windowslogs on the event log stanzas; the Splunk Add-on for Windows keys its field extractions on the default WinEventLog:<Channel> sourcetypes, so leave sourcetype unset on WinEventLog stanzas if you rely on the add-on.
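The three inputs.conf examples above differ in where the index comes from and whether sourcetype is overridden, and a mistake in either is silent: events land in the main index, or arrive without the add-on's field extractions. As an added example (not from the notes and not a Splunk tool), here is a small Python linter that parses the stanza format, applies a file-level [default] stanza the way Splunk does, and reports those mistakes. The two sample configurations embedded in it are constructed for this example and modelled on Examples 1 and 2 above.

```python
"""Lint a Splunk inputs.conf before pushing it to a universal forwarder.

Added example: not from the original notes and not a Splunk tool. It parses the
stanza / key = value layout, applies the file-level [default] stanza the way
Splunk does (its keys apply to every stanza in the same file) and reports the
mistakes that silently lose or mangle events: no effective index (events land
in the default index, main), a disabled stanza, and a sourcetype override on a
WinEventLog stanza (the Splunk Add-on for Windows keys its field extractions on
the default WinEventLog:<Channel> sourcetypes). Samples below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


@dataclass
class Stanza:
    name: str
    settings: dict[str, str] = field(default_factory=dict)


def parse_inputs_conf(text: str) -> list[Stanza]:
    """Return the stanzas in file order; blank lines and # comments are ignored."""
    stanzas: list[Stanza] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = Stanza(m.group("name"))
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current.settings[key.lower()] = value  # Splunk keys are case-insensitive
    return stanzas


def effective(stanza: Stanza, defaults: dict[str, str], key: str) -> str | None:
    """Resolve a key from the stanza itself, then from the file's [default]."""
    return stanza.settings.get(key, defaults.get(key))


def lint_inputs_conf(text: str) -> list[str]:
    """Return one human-readable finding per problem, in file order."""
    stanzas = parse_inputs_conf(text)
    defaults = next((s.settings for s in stanzas if s.name == "default"), {})
    findings: list[str] = []
    for s in stanzas:
        if s.name == "default":
            continue
        if effective(s, defaults, "index") is None:
            findings.append(f"{s.name}: no index set, events will go to 'main'")
        if (effective(s, defaults, "disabled") or "0").lower() not in ("0", "false"):
            findings.append(f"{s.name}: input is disabled")
        if s.name.startswith("WinEventLog://") and "sourcetype" in s.settings:
            findings.append(
                f"{s.name}: sourcetype overridden to '{s.settings['sourcetype']}', "
                "Windows add-on field extractions will not apply"
            )
    return findings


# Constructed sample modelled on Example 1: per-stanza index, but the event log
# channel's sourcetype is overridden.
SAMPLE_PER_STANZA = """
[WinEventLog://Security]
disabled = 0
index = windows2
sourcetype = Windowslogs

[perfmon://CPU]
disabled = 0
index = windows2
counters = % Processor Time
instances = _Total
object = Processor
"""

# Constructed sample modelled on Example 2: index inherited from [default],
# default sourcetypes kept, one channel accidentally disabled.
SAMPLE_WITH_DEFAULT = r"""
[default]
index = windows_logs

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 1

[monitor://C:\Windows\Performance\WinSAT\winsat.log]
"""

if __name__ == "__main__":
    for label, sample in (("per-stanza", SAMPLE_PER_STANZA), ("with-default", SAMPLE_WITH_DEFAULT)):
        print(label, lint_inputs_conf(sample) or ["OK"])
```

Run it against the forwarder's etc/system/local/inputs.conf before restarting the forwarder; an empty result means every stanza resolves an index, is enabled, and leaves the event log sourcetypes to the add-on.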
OUTPUTS.CONF

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.30.10:9997

[tcpout-server://192.168.30.10:9997]
Now create the index in our Splunk instance (Settings > Indexes > New Index) with the same name used in inputs.conf; events sent to an index that does not exist on the indexer are dropped with an error in splunkd.log.

By adding renderXml = true to a WinEventLog stanza we get the events in XML format, which is more compact and is the format the current Splunk Add-on for Windows inputs use.
In order to apply the configuration we have to restart the Splunk forwarder, either from the CLI (splunk restart) or from Services.

Note: whenever the configuration is changed, restart the service.
Note: the forwarder-to-indexer connection on 9997 is plain TCP unless TLS is configured on both ends (sslRootCAPath, clientCert and sslVerifyServerCert in outputs.conf on the forwarder, and a splunktcp-ssl input with an [SSL] stanza on the indexer).
Logs from Check Point
cp_log_export add name splunk_log target-server 192.168.30.10 target-port 5141 protocol tcp format splunk read-mode semi-unified --apply-now
This runs on the Check Point management or log server; on the Splunk side a TCP data input must be listening on port 5141 for the events to be received.
Splunk search Assistant:
Search Assistant
Search Modes
Search Components

Search Pipeline
Using Time Range Filter

Time range abbrevation


Time modifiers
Search Jobs
Jobs setting
About Jobs setting and Search controls like stop, pause etc

Search Job Permission


Search Job Sharing

Exporting Search Result


Saved Jobs

Search Fields
Field
Field Discovery

Field sidebar
Selected Fields

Using Fields:
Field Extraction

Commands
STATS
Calculates statistics about events, such as counts, sums, averages, and more.

Distinct count: dc(field) counts the unique values of a field.
Renaming fields using stats: stats count AS total BY field gives the aggregate a readable name.
https://www.youtube.com/watch?v=5YXjmQpJEjw&list=PLFF93FRoUwXEGaNAmZTc9pek9WzUq6unp

TIMECHART
Visualizes event trends over time in a chart format (the results are bucketed by _time).
https://www.youtube.com/watch?v=Rx7d47ilkIw&list=PLFF93FRoUwXEGaNAmZTc9pek9WzUq6unp&index=2
DEDUP
Removes duplicate events based on specified fields (keeps the first event seen for each combination of values).
https://www.youtube.com/watch?v=WouGxslDN2s&list=PLFF93FRoUwXEGaNAmZTc9pek9WzUq6unp&index=3

USING STATS INSTEAD OF DEDUP
stats ... BY field also returns one row per distinct value, and keeps the count and other aggregates that dedup throws away.
https://www.youtube.com/watch?v=WouGxslDN2s&list=PLFF93FRoUwXEGaNAmZTc9pek9WzUq6unp&index=3

CHART
Same aggregation functions as the stats command, but the result is laid out as a chart: one BY field down the rows and an optional second field (OVER/BY) across the columns.

TOP/RARE
Top: displays the most frequent values for a given field.
Rare: shows the least frequent values for a field.
top shows 10 values by default (use limit=N to change it).
SEARCH/WHERE
Where: further filters events based on additional conditions; it evaluates an expression and can compare fields to each other.

Search: initiates a search and filters events based on specified criteria; it can also be used later in the pipeline to filter on field values.

SORT
Sort: orders events based on specified fields.
Before using sort the results are in the order the search returned them.

Prefix the field with - for descending or + for ascending order; with no prefix the sort is ascending.

After applying sort the rows are ordered by the given field.
Sort can be used for multiple fields.

RENAME
Rename: renames existing fields.
Double quotes for "Source IP" are required when you want a name with a space in it. Otherwise SourceIP or Source_IP can be given as the name.

https://www.youtube.com/watch?v=PrT9l1s9Fv0&list=PLFF93FRoUwXEGaNAmZTc9pek9WzUq6unp&index=8

FIELDS
Fields: specifies which fields to include (fields a b) or exclude (fields - a b) in the results.

TABLE
Table: presents results in a tabular format containing only the listed fields.
EVAL
Eval: creates new fields or modifies existing fields.
SYNTAX
eval <field>=<expression>; conditions are written with case(condition1, value1, condition2, value2, ...).
EXAMPLE CONDITION:
Below is a case in which the syntax is applied; the final pair 1=1, value acts like an else branch, because 1=1 is always true.
https://www.youtube.com/watch?v=IcHApZh9eEg&list=PLFF93FRoUwXEGaNAmZTc9pek9WzUq6unp&index=10
HEAD
Head: returns only the first n events in the results (10 by default).
TAIL
Tail: returns only the last n events in the results (10 by default).
Before applying the tail command, as we can observe, the data is not showing the latest values sorted accurately.

After applying the tail command:

It shows the latest 10 values.
ALIEN VAULT

Architecture

The commercial version (USM) includes all three components: USM Sensor, Server and Logger.
The free version (OSSIM) does not include the Logger.
OSSIM VS USM
Assets & Inventory:
Scroll down after the scan is complete. Next click on Update managed assets.
After clicking Save we can see our assets updated as follows.

Again navigate to Assets & Groups.

We can schedule the scan for the assets.
Note: IF WE DO NOT GIVE AN ASSET VALUE, BY DEFAULT IT WILL BE TAKEN AS 2.
Then enable the scan.
Change the asset value:
Select an asset.

In "Actions" choose the Edit option. Notice the asset value is 2.

The tab shown below opens, where we can edit the asset.
The asset value has changed to 5.

Scroll down on the same page and we can see all these options to explore related to the asset, like the software it has, alarms set for it, services etc.
Behavioral Monitoring

Security Intelligence
 INTRODUCTION:
CLOUD COMPUTING.
Cloud computing is the delivery of computing services, including servers, storage, databases, networking, software, analytics, and intelligence, over the Internet ("the cloud") to offer faster innovation, flexible resources, and economies of scale. You typically pay only for the cloud services you use, helping lower your operating costs, run your infrastructure more efficiently and scale as your business needs change.
Reasons for cloud computing
Types of Cloud:

There are 2 models :

1. Deployment Model

I. Public cloud:

 Definition of Public Cloud


Public cloud is a cloud deployment model where computing resources are owned and operated
by a provider and shared across multiple tenants via the Internet.
 Why Public Cloud?
Many enterprise businesses look to public cloud as a way to scale existing IT resources on
demand without committing to expanding their physical IT infrastructure. For instance, instead
of purchasing a physical desktop machine, a company can purchase a virtual desktop license.
The virtual desktop can be spun up or deactivated in minutes and can be located anywhere,
instantly.
The public cloud is also a popular solution for storage needs since data stored on a public cloud
is backed up and accessible from anywhere. There are many different types of storage plans, and
data that does not need to be accessed frequently can often be stored in the public cloud very
cheaply.
For companies that host an application with periods of peak usage, the public cloud makes
perfect sense because the extra computing power is only needed for a short time.

Using the public cloud can save businesses money in a couple of different ways:
Lower equipment purchase costs: Because employees can access and pay for cloud-based
resources only when they need them, using public cloud–based desktops and applications is often
less expensive than purchasing physical IT equipment or software packages that may or may not
be used and will need to be maintained.
Lower equipment maintenance costs: With public cloud-based services, the cost of
maintaining IT equipment is also passed on to the cloud service provider.
A small or new business may have an easier time migrating applications to the public cloud;
organizations with a large legacy IT infrastructure and applications have more to consider and
plan for. However, more and more enterprise businesses are moving toward public cloud as one
element of a multi-faceted IT plan. This way, they can access the benefits of public cloud while
also maintaining the different benefits that come with on-premises architecture and private cloud
options.
 How Public Cloud works?

 Public Cloud provides a shared platform that is accessible to


the general public through an Internet connection.
 Public cloud operated on the pay-as-per-use model and
administrated by the third party, i.e., Cloud service provider.
 In the Public cloud, the same storage is being used by multiple users at
the same time.
 Public cloud is owned, managed, and operated by businesses,
universities, government organizations, or a combination of them.
 Amazon Elastic Compute Cloud (EC2), Microsoft Azure, IBM's Blue
Cloud, Sun Cloud, and Google Cloud are examples of the public cloud.

Advantages of Public Cloud


There are the following advantages of public cloud -

1) Low Cost
Public cloud has a lower cost than private, or hybrid cloud, as it shares the
same resources with a large number of consumers.

2) Location Independent
Public cloud is location independent because its services are offered through
the internet.

3) Save Time
In a public cloud the cloud service provider is responsible for managing and maintaining the data centers in which data is stored, so the cloud user saves the time otherwise spent establishing connectivity, deploying new products, releasing product updates, and configuring and assembling servers.

4) Quickly and easily set up
Organizations can easily buy public cloud capacity on the internet and have it deployed and configured remotely by the cloud service provider within a few hours.

5) Business Agility
Public cloud provides an ability to elastically re-size computer resources
based on the organization's requirements.
6) Scalability and reliability
Public cloud offers scalable (easy to add and remove) and reliable (24*7
available) services to the users at an affordable cost.
Disadvantages of Public Cloud
1) Shared security responsibility
The underlying hardware and network are shared between tenants, so isolation depends on the provider's controls, and the customer remains responsible for securely configuring the resources it rents (identities, network rules, storage permissions and data).

2) Performance
In the public cloud, performance depends upon the speed of internet
connectivity.

3) Less customizable
Public cloud is less customizable than the private cloud.

II. Private Cloud:

 Private cloud is also known as an internal cloud or corporate cloud.


 Private cloud provides computing services to a private internal network (within the
organization) and selected users instead of the general public.
 Private cloud provides a high level of security and privacy to data through firewalls and
internal hosting. It also ensures that operational and sensitive data are not accessible to
third-party providers.
 HP Data Centers, Microsoft, Elastra-private cloud, and Ubuntu are the example of a
private cloud.

 Advantages of Private cloud


There are the following advantages of Private Cloud -
1) More Control
Private clouds give the organization more control over resources and hardware than public clouds, because they are accessed only by selected users.
2) Security & privacy
Security and privacy are among the main advantages of a private cloud: it improves the security level compared to a public cloud because the infrastructure is not shared with other tenants.
3) Improved performance
Private cloud offers better performance with improved speed and space capacity.

III. Hybrid Cloud

o Hybrid cloud is a combination of public and private clouds.


Hybrid cloud = public cloud + private cloud
o The main aim to combine these cloud (Public and Private) is to create a unified,
automated, and well-managed computing environment.
o In the Hybrid cloud, non-critical activities are performed by the public
cloud and critical activities are performed by the private cloud.
o Mainly, a hybrid cloud is used in finance, healthcare, and Universities.
o The best hybrid cloud provider companies are Amazon, Microsoft, Google,
Cisco, and NetApp.
Advantages of Hybrid Cloud
There are the following advantages of Hybrid Cloud -
1) Flexible and secure
It provides flexible resources because of the public cloud and secure resources because of the
private cloud.
2) Cost effective
A hybrid cloud costs less than a private cloud alone. It helps organizations save costs on both infrastructure and application support.

3) Adaptability
It offers the features of both the public and the private cloud. A hybrid cloud is capable of adapting to the demands each company has for space, memory, and systems.
4) Security
Hybrid cloud is secure because critical activities are performed by the private cloud.
5) Risk Management
Hybrid cloud provides an excellent way for companies to manage the risk.
Disadvantages of Hybrid Cloud
1) Networking issues
In the Hybrid Cloud, networking becomes complex because of the private and the public cloud.
2) Infrastructure Compatibility
Infrastructure compatibility is the major issue in a hybrid cloud. With two levels of infrastructure, the company controls the private cloud but not the public one, so there is a possibility that the two run as separate, incompatible stacks.
3) Reliability
The reliability of the services depends on cloud service providers.

Public Cloud vs Private Cloud vs Hybrid Cloud

A company that needs cloud computing services can choose to use a public cloud (where cloud
services are hosted by a cloud service provider and shared with other tenants), a private cloud
(where cloud services are hosted by the company itself), or a combination of the two, known as
a hybrid cloud.
Public cloud offers the advantage of easy scalability. Although a private cloud is less expensive
than using a public cloud (after an initial investment in the infrastructure), it doesn’t scale as
easily. Growing the infrastructure can require the purchase of additional equipment. If usage of
the private cloud shrinks, expensive resources and equipment become underutilized.
Hybrid cloud can be a great compromise for those considering public cloud vs private cloud.
Hybrid cloud refers to any combination of private and public cloud solutions. A hybrid cloud
environment allows organizations to benefit from the advantages of both types of cloud
platforms and choose which cloud to use based on specific data needs. For instance, hybrid cloud
provides an alternative for storing sensitive data—a company might provide services via a public
cloud while keeping sensitive information on a private cloud.
2. Service Model

Cloud Service Models


There are the following three types of cloud service models -
1. Infrastructure as a Service (IaaS)

2. Platform as a Service (PaaS)

3. Software as a Service (SaaS)


I. Infrastructure as a Service (IaaS)

IaaS is also known as Hardware as a Service (HaaS). It is a computing infrastructure managed


over the internet. The main advantage of using IaaS is that it helps users to avoid the cost and
complexity of purchasing and managing the physical servers.
Characteristics of IaaS
There are the following characteristics of IaaS -
o Resources are available as a service
o Services are highly scalable
o Dynamic and flexible
o GUI and API-based access
o Automated administrative tasks
Example: DigitalOcean, Linode, Amazon Web Services (AWS), Microsoft Azure, Google
Compute Engine (GCE), Rackspace, and Cisco Metacloud.

Advantages of IaaS cloud computing layer
There are the following advantages of the IaaS computing layer -
1. Shared infrastructure
IaaS allows multiple users to share the same physical infrastructure.
2. Web access to the resources
IaaS allows IT users to access resources over the internet.
3. Pay-as-per-use model
IaaS providers provide services on a pay-as-per-use basis. Users pay only for what they have used.
4. Focus on the core business
IaaS lets the organization focus on its core business rather than on IT infrastructure.
5. On-demand scalability
On-demand scalability is one of the biggest advantages of IaaS. Using IaaS, users do not need to worry about upgrading or troubleshooting hardware components.
Disadvantages of IaaS cloud computing layer
1. Security
Security is one of the biggest concerns in IaaS. Responsibility is shared: the provider secures the physical hosts, hypervisor and network, but the customer remains responsible for the operating system, patches, firewall rules, identities and data inside its own virtual machines.
2. Maintenance & Upgrade
Although IaaS service providers maintain the underlying infrastructure, they do not patch or upgrade the software running inside the customer's virtual machines.
3. Interoperability issues
It is difficult to migrate a VM from one IaaS provider to another, so customers might face problems related to vendor lock-in.

MORE INFO ON IAAS: https://www.javatpoint.com/infrastructure-as-a-service

II. Platform as a Service (PaaS)

PaaS cloud computing platform is created for the programmer to develop, test, run, and manage
the applications.
Characteristics of PaaS
There are the following characteristics of PaaS -
o Accessible to various users via the same development application.
o Integrates with web services and databases.
o Builds on virtualization technology, so resources can easily be scaled up or down as per
the organization's need.
o Support multiple languages and frameworks.
o Provides an ability to "Auto-scale".
Example: AWS Elastic Beanstalk, Windows Azure, Heroku, Force.com, Google App Engine,
Apache Stratos, Magento Commerce Cloud, and OpenShift.

Advantages of PaaS
There are the following advantages of PaaS -
1) Simplified Development
PaaS allows developers to focus on development and innovation without worrying about
infrastructure management.
2) Lower risk
No need for up-front investment in hardware and software. Developers only need a PC and an
internet connection to start building applications.
3) Prebuilt business functionality
Some PaaS vendors also provide predefined business functionality, so users can avoid building everything from scratch and start directly on their projects.
4) Instant community
PaaS vendors frequently provide online communities where the developer can get the ideas to
share experiences and seek advice from others.
5) Scalability
Applications deployed can scale from one to thousands of users without any changes to the
applications.

Disadvantages of PaaS cloud computing layer


1) Vendor lock-in
One has to write the applications according to the platform provided by the PaaS vendor, so the
migration of an application to another PaaS vendor would be a problem.
2) Data Privacy
Corporate data, whether critical or not, is meant to stay private, so if it is not located within the walls of the company there can be a risk in terms of data privacy.
3) Integration with the rest of the systems and applications
It may happen that some applications are local and some are in the cloud. There is then a good chance of increased complexity when data in the cloud has to be used together with local data.

III. Software as a Service (SaaS)

SaaS is also known as "on-demand software". It is a software in which the applications are
hosted by a cloud service provider. Users can access these applications with the help of internet
connection and web browser.
Characteristics of SaaS
There are the following characteristics of SaaS -
o Managed from a central location
o Hosted on a remote server
o Accessible over the internet
o Users are not responsible for hardware and software updates. Updates are applied
automatically.
o The services are purchased on the pay-as-per-use basis
Example: BigCommerce, Google Apps, Salesforce, Dropbox, ZenDesk, Cisco WebEx,
ZenDesk, Slack, and GoToMeeting.

MORE INFO : https://www.javatpoint.com/platform-as-a-service


Advantages of SaaS cloud computing layer
1) SaaS is easy to buy
SaaS pricing is based on a monthly or annual subscription fee, so it allows organizations to access business functionality at a low cost, which is less than licensed applications.
Unlike traditional software, which is sold under a licence with an up-front cost (and often an optional ongoing support fee), SaaS providers generally price their applications with a subscription fee, most commonly monthly or annually.
2) One to Many
SaaS services are offered as a one-to-many model, meaning a single instance of the application is shared by multiple users.
3) Less hardware required for SaaS
The software is hosted remotely, so organizations do not need to invest in additional hardware.
4) Low maintenance required for SaaS
Software as a service removes the need for installation, set-up, and daily maintenance by the organization. The initial set-up cost for SaaS is typically less than for enterprise software. SaaS vendors price their applications on usage parameters such as the number of users, and updates are applied automatically by the vendor.
5) No special software or hardware versions required
All users have the same version of the software and typically access it through the web browser. SaaS reduces IT support costs by outsourcing hardware and software maintenance and support to the SaaS provider.
6) Multidevice support
SaaS services can be accessed from any device such as desktops, laptops, tablets, phones, and thin clients.
7) API Integration
SaaS services easily integrate with other software or services through standard APIs.
8) No client-side installation
SaaS services are accessed directly from the service provider over the internet connection, so no software installation is required.
Disadvantages of SaaS cloud computing layer
1) Security
Data is stored in the provider's cloud, so security may be a concern for some users. The provider controls the platform and its patching, while the customer is still responsible for its own accounts, access control and the data it uploads; whether this is more or less secure than an in-house deployment depends on the provider's controls and the customer's own practices, not on the delivery model alone.
2) Latency issue
Since data and applications are stored in the cloud at a variable distance from the end user, there may be greater latency when interacting with the application than with a local deployment. Therefore the SaaS model is not suitable for applications whose required response time is in milliseconds.
3) Total dependency on the Internet
Without an internet connection, most SaaS applications are not usable.
4) Switching between SaaS vendors is difficult
Switching SaaS vendors involves the difficult and slow task of transferring very large data files over the internet and then converting and importing them into the other SaaS product.
Difference between IaaS, PaaS, and SaaS
The table below shows the difference between IaaS, PaaS, and SaaS -

| IaaS | PaaS | SaaS |
|---|---|---|
| It provides a virtual data center to store information and create platforms for app development, testing, and deployment. | It provides virtual platforms and tools to create, test, and deploy apps. | It provides web software and apps to complete business tasks. |
| It provides access to resources such as virtual machines, virtual storage, etc. | It provides runtime environments and deployment tools for applications. | It provides software as a service to the end users. |
| It is used by network architects. | It is used by developers. | It is used by end users. |
| IaaS provides only Infrastructure. | PaaS provides Infrastructure + Platform. | SaaS provides Infrastructure + Platform + Software. |

https://www.geeksforgeeks.org/difference-between-iaas-paas-and-saas/
Virtualization:
 Types

 What is Cloud
 Cloud Vs Virtualization
Amazon Web Services (AWS)

 About AWS and ( Service regions and availability zones)


 EC2 : ELASTIC COMPUTE CLOUD
About EC2

Types of EC2:
Amazon EC2 provides a wide selection of instance types optimized to fit different use
cases. Instance types comprise varying combinations of CPU, memory, storage, and networking
capacity and give you the flexibility to choose the appropriate mix of resources for your
applications. Each instance type includes one or more instance sizes, allowing you to scale your
resources to the requirements of your target workload.
• General Purpose:
General purpose instances provide a balance of compute, memory and networking resources, and
can be used for a variety of diverse workloads. These instances are ideal for applications that
use these resources in equal proportions, such as web servers and code repositories.
E.g.: Mac, T4g, T3, T3a, M6g, M6a, etc. (link provided in important links for in-depth
reference)

• Compute Optimized:
Compute optimized instances are ideal for compute-bound applications that benefit from
high-performance processors. Instances belonging to this family are well suited for batch
processing workloads, media transcoding, high-performance web servers, high-performance
computing (HPC), scientific modeling, dedicated gaming servers and ad server engines, machine
learning inference and other compute-intensive applications.
E.g.: C7g, C6g, C6gn, C6i, C5, C4, etc.

• Memory Optimized:
Memory optimized instances are designed to deliver fast performance for workloads that process
large data sets in memory.
E.g.: R6a, R6g, R5, R4, X2gd, X1e, X1, etc.

• Accelerated Computing:
Accelerated computing instances use hardware accelerators, or co-processors, to perform
functions such as floating-point number calculations, graphics processing, or data pattern
matching more efficiently than is possible in software running on CPUs.
E.g.: P4, P3, P2, G5, DL1, G3, etc.

• Storage Optimized:
Storage optimized instances are designed for workloads that require high, sequential read and
write access to very large data sets on local storage. They are optimized to deliver tens of
thousands of low-latency, random I/O operations per second (IOPS) to applications.
E.g.: Im4gn, I4i, I3


• EC2 User Data:
• When you launch an instance in Amazon EC2 for the first time, you have the option of
passing user data to the instance, which can be used to perform common automated
configuration tasks and even run scripts after the instance starts.
• You can pass two types of user data to Amazon EC2: shell scripts and cloud-init
directives.
• You can pass this data into the launch instance wizard as plain text, as a file (this is
useful for launching instances using the command line tools), or as base64-encoded text
(for API calls).
Important links:
https://www.youtube.com/watch?v=k1fEBxAoHdk&t=276s
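A small added example (not from the page or from AWS) of applying those rules before a launch call: it classifies the user data by its first line ("#!" for a shell script, "#cloud-config" for cloud-init directives), enforces the raw 16 KB limit, refuses payloads that look like they embed credentials (user data is readable from the instance metadata service by any process on the instance), and produces the base64 form an API call expects. The cloud-config payload, the placeholder SSH key and the secret-pattern heuristics are constructed for this example.

```python
import base64
import re

MAX_RAW_BYTES = 16 * 1024  # EC2 limit on raw (pre-base64) user data
SECRET_PATTERNS = [  # heuristic credential shapes, constructed for this example
    re.compile(r"AKIA[0-9A-Z]{16}"),  # AWS access key ID format
    re.compile(r"(?i)(password|secret|token)\s*[:=]\s*\S+"),
]

# Constructed sample cloud-init directives: key-only admin user, password SSH
# logins disabled, package index refreshed on first boot (key is a placeholder).
CLOUD_CONFIG = """#cloud-config
users:
  - name: opsadmin
    groups: [sudo]
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-ed25519 AAAA_PLACEHOLDER_PUBLIC_KEY opsadmin@example.com
ssh_pwauth: false
package_update: true
"""

def user_data_kind(text: str) -> str:
    """Return 'shell-script', 'cloud-init' or 'unknown' from the first line."""
    first = text.splitlines()[0].strip() if text.strip() else ""
    if first.startswith("#!"):
        return "shell-script"
    return "cloud-init" if first == "#cloud-config" else "unknown"

def validate_user_data(text: str) -> list:
    """Collect problems; an empty list means the payload is safe to send."""
    problems = []
    if user_data_kind(text) == "unknown":
        problems.append("first line must be '#!...' or '#cloud-config'")
    if len(text.encode()) > MAX_RAW_BYTES:
        problems.append("raw user data exceeds 16 KB")
    if any(p.search(text) for p in SECRET_PATTERNS):
        problems.append("looks like it embeds a credential (readable via IMDS)")
    return problems

def encode_user_data(text: str) -> str:
    """Base64 form for API calls; refuses a payload that fails validation."""
    problems = validate_user_data(text)
    if problems:
        raise ValueError("; ".join(problems))
    return base64.b64encode(text.encode()).decode("ascii")

def decode_user_data(encoded: str) -> str:
    # Inverse of encode_user_data: what the instance will actually receive.
    return base64.b64decode(encoded).decode()
```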
• Security Groups:
• IAM (Identity and Access Management)
(Short notes image not included in this extract)
• Shared Responsibility Model:
• Security and compliance is a shared responsibility between AWS and the customer.
• This shared model can help relieve the customer's operational burden, as AWS operates,
manages and controls the components from the host operating system and virtualization
layer down to the physical security of the facilities in which the service operates. The
customer assumes responsibility for and management of the guest operating system
(including updates and security patches), other associated application software, as well as
the configuration of the AWS-provided security group firewall.
• AWS responsibility: "Security of the Cloud".
• Customer responsibility: "Security in the Cloud".
• MFA – Multi-Factor Authentication

https://aws.amazon.com/compliance/shared-responsibility-model/
• VPC (Virtual Private Cloud):
https://www.youtube.com/watch?v=tVuZSBrLM0A&t=181s
• ELB (Elastic Load Balancer):
Load balancing can also be done based on algorithms; refer to this link:
https://kemptechnologies.com/load-balancer/load-balancing-algorithms-techniques
Important Links:
https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-
target-group-for-network-load-balancer/#:~:text=Application%20Load%20Balancer%20(ALB)
%20is,such%20as%20Amazon%20EC2%20instances.
https://aws.amazon.com/elasticloadbalancing/gateway-load-balancer/
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html
https://www.youtube.com/watch?v=VFwLffElIgc
OWASP top 10
◦ SQL injection (about the attack & mitigations)
◦ Cross-site scripting (about the attack & mitigations)
◦ TCP 3-way handshake
◦ OSI model (layers, protocols, examples, ports)
◦ What is ransomware?
◦ How will you protect a computer/endpoint?
◦ How does malware spread?
◦ MITRE ATT&CK
◦ Tell us about some cyber-attacks that have happened
◦ What are IDS and IPS, and how do you differentiate between an IDS and an IPS
system?
◦ What is your understanding of SIEM?
◦ Log onboarding process
◦ Splunk architecture
◦ Man-in-the-middle attack
◦ Brute-force attack
◦ SSL handshake
◦ TCP flags
◦ How does a firewall work? What is the better approach to setting up a firewall?
◦ What is the difference between a stateful and a stateless firewall?
Cyber Security
MITRE ATT&CK Framework
The MITRE ATT&CK framework is a knowledge base of tactics and techniques designed for
threat hunters, defenders and red teams to help classify attacks, identify attack attribution and
objectives, and assess an organization's risk. Organizations can use the framework to identify
security gaps and prioritize mitigations based on risk.
Q) What Are Tactics in the MITRE ATT&CK Framework?
Ans) Tactics represent the “why” of an ATT&CK technique or sub-technique. Adversarial
tactics represent the attacker's goal or the reason for performing an action. For example, an
adversary may want to achieve credential access.
There are 14 tactics in the Enterprise ATT&CK Matrix:

Tactic - Attacker's objective
1. Reconnaissance - Gather information they can use to plan future operations
2. Resource Development - Establish resources they can use to support operations
3. Initial Access - Get into your network
4. Execution - Run malicious code
5. Persistence - Maintain their foothold
6. Privilege Escalation - Gain higher-level permissions
7. Defense Evasion - Avoid being detected
8. Credential Access - Steal account names and passwords
9. Discovery - Figure out your environment
10. Lateral Movement - Move through your environment
11. Collection - Gather data of interest to their goal
12. Command and Control - Communicate with compromised systems to control them
13. Exfiltration - Steal data
14. Impact - Manipulate, interrupt or destroy your systems and data


Source:
https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack-framework#:~:text=The
%20MITRE%20ATT%26CK%C2%AE%20framework,and%20assess%20an%20organization's
%20risk.
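An added example (not from the page or from MITRE) of the "identify security gaps" use the framework is meant for: the 14 tactics above, in matrix order, become a coverage map over the detection rules an organisation has deployed, and the same order lets a set of alerts be read as the adversary's progression. The rule names, hosts and alerts are constructed samples; the technique IDs (T1566, T1059, T1003, T1021, T1041) are real ATT&CK technique IDs.

```python
TACTICS = [  # the 14 Enterprise tactics in matrix order, as listed above
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]
RANK = {name: i for i, name in enumerate(TACTICS)}

# Constructed sample of deployed detection rules. Rule names are made up; the
# technique IDs are real ATT&CK IDs for the technique each rule watches.
DETECTIONS = [
    {"rule": "phishing-attachment-opened", "technique": "T1566", "tactic": "Initial Access"},
    {"rule": "suspicious-powershell", "technique": "T1059", "tactic": "Execution"},
    {"rule": "lsass-memory-read", "technique": "T1003", "tactic": "Credential Access"},
    {"rule": "rdp-from-workstation", "technique": "T1021", "tactic": "Lateral Movement"},
    {"rule": "bulk-upload-over-c2", "technique": "T1041", "tactic": "Exfiltration"},
]

def coverage_gaps(detections):
    """Tactics no rule covers, in matrix order: the security gaps to prioritise."""
    covered = {d["tactic"] for d in detections}
    return [t for t in TACTICS if t not in covered]

def rules_per_tactic(detections):
    """How many rules watch each tactic (a 0 is a gap, a 1 is a single point of failure)."""
    counts = {t: 0 for t in TACTICS}
    for d in detections:
        counts[d["tactic"]] += 1
    return counts

def order_alerts(alerts):
    """Sort alerts by tactic so they read as the adversary's progression."""
    for a in alerts:
        if a["tactic"] not in RANK:
            raise ValueError(f"unknown tactic: {a['tactic']}")
    return sorted(alerts, key=lambda a: RANK[a["tactic"]])

def furthest_tactic(alerts):
    """The deepest tactic reached (Exfiltration means data has already left)."""
    return order_alerts(alerts)[-1]["tactic"]
```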

Cyber Kill Chain:


The Lockheed Martin Cyber Kill Chain® is another well-known framework for understanding
adversary behavior in a cyber-attack. The Kill Chain model contains the following stages,
presented in sequence:

Source:
https://www.trellix.com/en-us/security-awareness/cybersecurity/what-is-mitre-attack-
framework.html#:~:text=The%20MITRE%20ATT%26CK%20framework%20is,they%20are
%20known%20to%20target.

CRLF Injection Attack


https://www.geeksforgeeks.org/crlf-injection-attack/

LOAD BALANCER
https://www.enjoyalgorithms.com/blog/types-of-load-balancing-algorithms

OSINT FRAMEWORK

NIST
