If you’re planning to take the Security+ SY0-501 exam, you should understand some basic network protocols and concepts that are relevant to security.
For example, can you answer this question?
Q. You are troubleshooting a network connectivity issue and find that when you try to ping a remote server, it fails. You suspect that an ACL within a router may be blocking some traffic. Which of the following would give you this symptom?
A. The router is blocking DNS traffic.
B. The router is blocking ICMP traffic.
C. The router is blocking SSH traffic.
D. The router is blocking SFTP traffic.
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Networking protocols provide the rules needed for computers to communicate with each other on a network. Some of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocols, such as TCP and IP, provide basic connectivity. Other protocols, such as Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP), support specific types of traffic.
TCP/IP isn’t a single protocol, but a full suite of protocols. This blog post is to remind you of some of the commonly used protocols. Additionally, many of these protocols meet specific use cases.
CompTIA has historically placed a lot of emphasis on well-known ports used by protocols. For example, the default port for HTTP is 80 and CompTIA Security+ test takers needed to know that. The current objectives have deemphasized the importance of ports. However, you still need to know them when implementing access control lists (ACLs) in routers and stateless firewalls, and when disabling unnecessary ports and services.
Commonly Used Protocols
Here are well-known ports for many of the protocols that you’ll need to understand for the CompTIA Security+ exam.
- TCP. Transmission Control Protocol (TCP) provides connection-oriented traffic (guaranteed delivery). TCP uses a three-way handshake and Figure 3.1 shows the TCP handshake process. To start a TCP session, the client sends a SYN (synchronize) packet. The server responds with a SYN/ACK (synchronize/acknowledge) packet, and the client completes the third part of the handshake with an ACK packet to establish the connection.
- UDP. User Datagram Protocol (UDP) provides connectionless sessions (without a three-way handshake). While TCP traffic provides guaranteed delivery, UDP makes a best effort to deliver traffic without using extra traffic to ensure delivery. ICMP traffic such as the ping command and audio/video streaming use UDP. Many network-based denial-of-service (DoS) attacks use UDP. TCP/IP traffic is either connection-oriented TCP traffic or connectionless UDP.
- IP. The Internet Protocol (IP) identifies hosts in a TCP/IP network and delivers traffic from one host to another using IP addresses. IPv4 uses 32-bit addresses represented in dotted decimal format, such as 192.168.1.100. IPv6 uses 128-bit addresses using hexadecimal code, such as FE80:0000:0000:0000:20D4:3FF7:003F:DE62.
- ICMP. Internet Control Message Protocol (ICMP) is used for testing basic connectivity and includes tools such as ping, pathping, and tracert. As an example, ping can check for basic connectivity between two systems. Many DoS attacks use ICMP. Because of how often ICMP is used in attacks, it has become common to block ICMP at firewalls and routers, which disables a ping response. Blocking ICMP prevents attackers from discovering devices in a network. For example, a scan can send a ping to every IP address in a subnet. The devices that reply verify that they are on and have an IP address.
- ARP. Address Resolution Protocol (ARP) resolves IPv4 addresses to media access control (MAC) addresses. MACs are also called physical addresses, or hardware addresses. TCP/IP uses the IP address to get a packet to a destination network, but once it arrives on the destination network, it uses the MAC address to get it to the correct host. In other words, ARP is required once the packet reaches the destination subnet. ARP poisoning attacks use ARP packets to give clients false hardware address updates and attackers use it to redirect or interrupt network traffic.
- NDP. Neighbor Discovery Protocol (NDP) performs several functions on IPv6. For example, it performs functions similar to IPv4’s ARP. It also performs autoconfiguration of device IPv6 addresses and discovers other IPv6 devices on the network such as the address of the default gateway.
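The ARP entry above describes poisoning as attackers feeding clients false hardware-address updates. A defender sees that as two symptoms in captured ARP replies: an IP address whose MAC suddenly changes, and one MAC claiming several IP addresses (typically the gateway and a victim). The following script is an added example written for this post, not code from the original author or the study guide; it assumes ARP replies have already been captured and reduced to (timestamp, sender IP, sender MAC) tuples, and the sample capture in `SAMPLE_ARP_REPLIES` is constructed for illustration.

```python
"""Flag ARP poisoning symptoms in a constructed list of ARP replies.

Added example, not from the original post. Input is assumed to be a
sequence of (seconds since capture start, sender IP, sender MAC) tuples.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample capture. 192.168.1.1 is the default gateway. Partway
# through, a second host (MAC aa:bb:cc:dd:ee:ee) starts claiming the
# gateway's IP and then a workstation's IP as well.
SAMPLE_ARP_REPLIES: List[Tuple[float, str, str]] = [
    (0.0,  "192.168.1.1",  "00:11:22:33:44:01"),
    (0.5,  "192.168.1.10", "00:11:22:33:44:10"),
    (1.0,  "192.168.1.20", "00:11:22:33:44:20"),
    (30.0, "192.168.1.1",  "00:11:22:33:44:01"),
    (31.0, "192.168.1.1",  "aa:bb:cc:dd:ee:ee"),  # conflicting claim for the gateway
    (31.2, "192.168.1.10", "aa:bb:cc:dd:ee:ee"),  # same MAC now also claims .10
    (32.0, "192.168.1.1",  "aa:bb:cc:dd:ee:ee"),
]


def detect_arp_anomalies(replies):
    """Return a list of alert tuples, in the order the symptoms are observed.

    ("mac-change", ts, ip, first_mac, new_mac): the MAC claimed for `ip`
        differs from the first MAC seen for it in this capture.
    ("multi-ip", ts, mac, (ip, ...)): `mac` has now claimed more than one IP.
    """
    first_mac: Dict[str, str] = {}
    ips_per_mac: Dict[str, Set[str]] = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()  # normalise so "AA:BB" and "aa:bb" compare equal
        if ip not in first_mac:
            first_mac[ip] = mac
        elif first_mac[ip] != mac:
            alerts.append(("mac-change", ts, ip, first_mac[ip], mac))
        claimed = ips_per_mac[mac]
        if ip not in claimed:          # only alert when the set actually grows
            claimed.add(ip)
            if len(claimed) > 1:
                alerts.append(("multi-ip", ts, mac, tuple(sorted(claimed))))
    return alerts


def format_alert(alert):
    """Render one alert tuple as a single human-readable line."""
    kind, ts = alert[0], alert[1]
    if kind == "mac-change":
        _, _, ip, old, new = alert
        return f"t={ts:5.1f}s  {ip} changed from {old} to {new}"
    _, _, mac, ips = alert
    return f"t={ts:5.1f}s  {mac} now claims {', '.join(ips)}"


if __name__ == "__main__":
    for a in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(format_alert(a))
```

Both checks produce false positives on their own: a NIC replacement or a DHCP lease moving to another machine legitimately changes an IP-to-MAC mapping, and a router or virtualisation host legitimately answers for several IPs. In practice the alerts are correlated with the DHCP server's lease table and a known-gateway list before anyone acts on them, and the gateway's mapping is usually pinned as a static ARP entry on critical hosts.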
Q. You are troubleshooting a network connectivity issue and find that when you try to ping a remote server, it fails. You suspect that an ACL within a router may be blocking some traffic. Which of the following would give you this symptom?
A. The router is blocking DNS traffic.
B. The router is blocking ICMP traffic.
C. The router is blocking SSH traffic.
D. The router is blocking SFTP traffic.
Answer is B. The most likely cause of this symptom is that the router is blocking Internet Control Message Protocol (ICMP) traffic, which is used by ping. None of the other protocols listed use ping.
Domain Name System (DNS) traffic is used to resolve domain names to IP addresses.
Secure Shell (SSH) encrypts traffic sent over a network.
Secure File Transfer Protocol (SFTP) is used to transfer encrypted files over a network and uses SSH for encryption.
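The post notes that ports still matter when writing ACLs in routers and stateless firewalls, and the practice question turns on the fact that ping uses ICMP, which has no port at all. The script below is an added example written for this post, not code from the original author or the study guide. It models a stateless ACL as an ordered list of rules with first-match semantics and an implicit deny at the end (the convention on most routers), builds one candidate ACL for each answer choice, and checks which of them actually stops an ICMP echo request. The protocol numbers (ICMP 1, TCP 6, UDP 17) and ports (DNS 53, SSH and SFTP 22) are the standard IANA values; the rules and packets are constructed for the illustration, and the ping is assumed to target an IP address so that name resolution is not involved.

```python
"""Stateless ACL simulation: which answer choice breaks ping?

Added example, not from the original post. Rules, packets and the per-choice
ACLs below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard IANA IP protocol numbers and well-known ports.
ICMP, TCP, UDP = 1, 6, 17
PORT_DNS, PORT_SSH = 53, 22      # SFTP runs over SSH, so it shares port 22


@dataclass(frozen=True)
class Packet:
    proto: int
    dst_port: Optional[int] = None   # ICMP carries no port numbers


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: Optional[int] = None      # None matches any protocol
    dst_port: Optional[int] = None   # None matches any port (or no port)

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an empty or exhausted ACL is an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


PING = Packet(proto=ICMP)            # an echo request, no port to match on


def ping_succeeds(acl: List[Rule]) -> bool:
    return evaluate(acl, PING) == "permit"


# One candidate ACL per answer choice. Each ends with a permit-any so that
# only the named protocol is blocked, mirroring the wording of the choices.
ACL_BY_CHOICE: Dict[str, List[Rule]] = {
    "A. blocks DNS":  [Rule("deny", UDP, PORT_DNS), Rule("deny", TCP, PORT_DNS), Rule("permit")],
    "B. blocks ICMP": [Rule("deny", ICMP), Rule("permit")],
    "C. blocks SSH":  [Rule("deny", TCP, PORT_SSH), Rule("permit")],
    "D. blocks SFTP": [Rule("deny", TCP, PORT_SSH), Rule("permit")],
}


def choices_that_break_ping() -> List[str]:
    """Names of the answer choices whose ACL would make ping fail."""
    return [name for name, acl in ACL_BY_CHOICE.items() if not ping_succeeds(acl)]


if __name__ == "__main__":
    for name, acl in ACL_BY_CHOICE.items():
        print(f"{name:15s} ping -> {evaluate(acl, PING)}")
    print("breaks ping:", choices_that_break_ping())
```

Two details of the model are worth noticing. The SSH and SFTP rules are identical because SFTP is carried inside SSH on port 22, which is why a port-based ACL cannot distinguish the two. And because ICMP has no port field, the only way to block ping on a stateless device is a protocol-level rule; a rule that names a port never matches it. The implicit deny at the end also explains a common troubleshooting trap: an ACL with no permit rule at all blocks ping just as effectively as an explicit ICMP deny.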
See Chapter 3 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on basic networking concepts.