Fundamentals of Quality of Service (QoS) (Notes):

Thanks to all time best Cisco instructor Kevin Willis for sharing his video on YouTube! I watched his video to revisit QoS fundamentals and re-consolidate previous knowledge. KW, you’re a Legend!


 “Quality of Service is a managed unfairness.”


  1. Learn QoS Mechanisms
  • QoS is like a toolbox with a number of tools, not just one thing
  2. Understand QoS Markings
  • How do we mark different traffic types?
  3. Demystify Weighted RED
  • Weighted Random Early Detection
  4. Select Appropriate Queuing
  • e.g.) LAN is running 1GB but WAN network is only 10mb; how does the router handle the 100:1 speed ratio?
  • High-priority traffic such as real-time streaming video or voice vs download/gaming traffic?
  5. Explain the ‘Token bucket’
  6. Configure QoS using MQC


  1. Learn QoS Mechanisms

If different applications are all fighting for the same bandwidth, you have to decide how to treat each one based on the characteristics of its traffic. Know what the applications are and what the business needs are.


With 10Gb links everywhere, QoS may not look like a big deal.

But even within the LAN, on a high-speed network, the aggregation point becomes a bottleneck.



IntServ = RSVP (Resource Reservation Protocol). Sometimes called “hard-QoS”. Bandwidth is pinned up (reserved) so that certain traffic can use it on demand. These days, we rarely see IntServ in use due to the inflexible nature of this QoS mechanism.

DiffServ = Differentiated Services. The router differentiates between traffic types and puts different traffic types into different classes. Create no more than 11 different traffic classes (if everyone is special, nobody is special) <<<Cisco recommendation.

Best effort = FIFO (first in, first out). No QoS enabled.


Common QoS Mechanisms – QoS is not a single tool that you just activate. QoS is a collection of tools.

  1. Classification and Marking

e.g.) Boarding pass for an airline – priority marking on boarding pass

Cisco tells us to classify traffic into no more than 11 network traffic types. Classify and mark the traffic as early as possible on your network by changing bits in the header. Routers and switches can then look at the header information and quickly decide whether to forward or drop packets, so the decision becomes really fast. Use access lists (NBAR) to do this. Once the traffic is classified, put the marking on it. However, classification and marking alone do not do anything.


  2. Queuing

E.g.) Traffic from a 1GB or 10GB switched network arrives at a router with only a 10MB link out. With FIFO, there is only a limited amount of memory to queue all the traffic; once the queue (bucket) fills up, the excess traffic overflows the single bucket and is dropped. To make this more efficient based on each traffic type’s characteristics, the bucket can be sub-divided into a few smaller buckets, so that different traffic fills and uses different buckets with varying priorities.

Mark the traffic and it can be put into different buckets, e.g.) VoIP goes into a different bucket from Best Effort traffic. Typically VoIP traffic gets DSCP 46 (Differentiated Services Code Point). If VoIP is marked with a DSCP of 46, put this traffic into one bucket. Everybody else can go into the other bucket. This is called queue separation. Even when the Best Effort bucket gets full and starts dropping packets, the VoIP bucket will only fill up occasionally, will not get full, and is not impacted by the Best Effort bucket’s performance.


Cisco has many tools to help us manage queues and dictate how these queues are emptied. The queuing mechanisms supported on Cisco IOS include Weighted Fair Queuing, Class-Based Weighted Fair Queuing, Low Latency Queuing, Priority Queuing and Custom Queuing. In real-world scenarios, Class-Based Weighted Fair Queuing and Low Latency Queuing are most often used.

The beauty of queuing is that it can protect certain traffic simply by separating different traffic types into different buckets.


  3. Congestion Avoidance

RED – Random Early Detection, drop random traffic for the good of many.


  4. Policing and Shaping

Traffic conditioners

Policing – sets a speed limit. If a sender tries to transmit more than allowed, policing drops the exceeding packets, and these must be retransmitted if they are TCP packets. If they are UDP packets, there is no retransmission.

Shaping – also sets a speed limit, but a softer one: when there is not enough bandwidth, it buffers (delays) the packets and then sends them off.


  5. Link Efficiency

Not as important as it used to be, as we have faster WAN links these days.

  1. Link Fragmentation and Interleaving (LFI) = Sometimes, on a slow-speed link (56kbps link), a 1500-byte data packet is queued up and a tiny voice packet is queued up behind it. It takes 214ms to send 1500 bytes through a 56kbps link.


Voice packet delay requirement:

<150ms transmission delay is OK.

>150ms = will start to get bad

>200ms = gets really bad


E.g.) Analogy – You are caught at a traffic light and a three-trailer truck (data packet) is in front of your sports car (voice packet). Fragment the three trailers and send them separately, so the sports car can weave between them and get through. One issue: due to fragmentation, each of the three trailers now carries its own header, so header overhead increases. The cut-off is a 768kbps WAN link: if you are sending voice over IP on a link slower than 768kbps, LFI will help. At 768kbps or more, do not use LFI; it will hurt the network more than it helps.


  2. Compression – sending the same amount of data using less bandwidth

The main use on today’s networks is ‘RTP header compression’.

RTP (Real-time Transport Protocol) is an L4 protocol. Depending on the codec we use, the payload could be 20 bytes; add the L3 IP header + L4 UDP header + L4 RTP header and you have 40 bytes of header alone. Your header is 2 times the size of your payload, so the payload-to-header ratio is 1:2. Turn on RTP header compression on the router interface. The router looks at the voice packets arriving on its interface and sees the commonalities between the packets of the same conversation: every packet has the same destination IP address and the same source and destination port numbers, so why send the same information multiple times? The routers at each end keep a copy of this information and send a much smaller header (either 2 bytes or 4 bytes; the 4-byte header includes a checksum. Generally Cisco devices use 2 bytes). The 2-byte header contains the session context identifier (CID), which differentiates one voice conversation from another. At the far end, the router uses the CID to identify the voice traffic, puts the cached header back onto the incoming traffic and sends it out to the LAN.


 2. Understand QoS Markings


L2 marking = Class of Service (CoS)

ISL = not used

IEEE802.1Q = 4 bits added (3 bits = 8 values (0-7)).


Values 6 and 7 = reserved for network use

CoS 5 = voice traffic

DSCP Values:

CS (Class Selector)

Issue: CoS is only a layer 2 marking; if the frame goes out through a router, the marking gets written over. So it has to be rewritten at L4 header using the Type of Service (ToS) byte.


We can use the three leftmost bits as IP Precedence (as with CoS, this gives only 6 classes of traffic, because values 6 & 7 cannot be used). IP Precedence is not scalable. We now use DSCP, which uses 6 bits in the ToS byte, so DSCP values 0-63 can be used. The 64 values gave too many options, so the IETF defined commonly used DSCP values to set up certain standards.


The IETF preselected 21 named Per-Hop Behaviours (PHB); we can use either the number or the corresponding IETF name.



 DSCP/PHB Value for Enterprise traffics.



  3. Demystify Weighted RED

 Random Early Detection (RED)

When the queue depth reaches a certain level (the minimum threshold), RED starts introducing the possibility of dropping packets. As the depth moves up towards the maximum threshold, the chance of a packet being dropped gets bigger.

 MPD = Mark Probability Denominator

 Cisco IOS already has default MPD values, but they can be changed. The following are the WRED profiles suggested by Cisco.
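How the minimum threshold, maximum threshold and MPD combine into a drop probability, and what the "weighted" part adds, shown as an added example that is not part of the original notes. The three profiles are constructed values for illustration (not the Cisco-suggested table referred to above), and the weighting constant of 9 is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WredProfile:
    min_th: int   # average queue depth (packets) where random drops begin
    max_th: int   # average queue depth where drop probability reaches 1/MPD
    mpd: int      # mark probability denominator


# Constructed profiles: the higher the drop precedence, the lower the minimum
# threshold, so AF13 starts being dropped before AF12 and AF11.
PROFILES = {
    "af11": WredProfile(32, 40, 10),
    "af12": WredProfile(28, 40, 10),
    "af13": WredProfile(24, 40, 10),
}


def average_depth(prev_avg, current_depth, n=9):
    """Exponentially weighted average queue depth.

    WRED compares this smoothed average, not the instantaneous depth, with the
    thresholds. n plays the role of the exponential weighting constant.
    """
    w = 2.0 ** -n
    return prev_avg * (1 - w) + current_depth * w


def drop_probability(avg_depth, profile):
    """Drop probability for one packet at the given average queue depth."""
    if avg_depth < profile.min_th:
        return 0.0                      # below min threshold: never drop
    if avg_depth > profile.max_th:
        return 1.0                      # above max threshold: drop everything
    slope = (avg_depth - profile.min_th) / (profile.max_th - profile.min_th)
    return slope / profile.mpd          # rises linearly up to 1/MPD at max_th


def drop_table(depths, profiles=PROFILES):
    """Drop probability per profile for each average depth in `depths`."""
    return {
        name: [round(drop_probability(d, p), 4) for d in depths]
        for name, p in profiles.items()
    }


if __name__ == "__main__":
    depths = [20, 30, 36, 40, 41]
    print("avg depth:", depths)
    for name, row in drop_table(depths).items():
        print(name, row)
```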



Explicit Congestion Notification (ECN)

Uses the 7th bit in the ToS byte for ECT and the 8th bit for CE.

The receiving router can set the ECT and CE bits to binary 1s and ask the other router to slow down. Otherwise, packets get dropped and TCP slow-start kicks in (the TCP windowing concept, where the window size is doubled continuously until it reaches a threshold value, then drops back down when TCP slow-start kicks in).
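The bit layout described in the QoS markings section and in the ECN note above, decoded from a single ToS byte. This is an added example, not part of the original notes; the function names are assumptions, and the sample bytes are constructed.

```python
# Names for the two low-order bits of the ToS byte (bit 7 and bit 8).
ECN_NAMES = {0b00: "Not-ECT", 0b01: "ECT(1)", 0b10: "ECT(0)", 0b11: "CE"}


def phb_name(dscp):
    """Return the standard PHB name for a 6-bit DSCP value, or None."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    if dscp == 46:
        return "EF"                        # expedited forwarding: voice
    cls, low = dscp >> 3, dscp & 0b111     # class bits / drop-precedence bits
    if low == 0:
        return "default" if cls == 0 else f"CS{cls}"   # class selectors
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low >> 1}"        # assured forwarding: AFxy
    return None                            # one of the unnamed code points


def decode_tos(tos):
    """Split one ToS byte into DSCP, IP Precedence and ECN fields."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is a single byte")
    dscp = tos >> 2                        # six leftmost bits
    return {
        "dscp": dscp,
        "phb": phb_name(dscp),
        "precedence": tos >> 5,            # three leftmost bits (matches CoS)
        "ecn": ECN_NAMES[tos & 0b11],      # two rightmost bits
    }


def encode_tos(dscp, ecn=0):
    """Build the ToS byte for a DSCP value and a 2-bit ECN field."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0-63 and ecn 0-3")
    return (dscp << 2) | ecn


def named_phb_count():
    """How many of the 64 DSCP values carry a standard name."""
    return sum(1 for d in range(64) if phb_name(d) is not None)


if __name__ == "__main__":
    for sample in (0xB8, 0x3B, 0x00):      # constructed sample ToS bytes
        print(hex(sample), decode_tos(sample))
    print("named PHBs:", named_phb_count())
```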




  4. Select Appropriate Queuing


Cisco recommends using no more than 11 traffic classes, but one class, “class-default”, is already created by default. It is the catch-all traffic class, so we can use 12 classes of traffic.

  • class-default uses FIFO.
  • CB-WFQ – during times of congestion when QoS kicks in, give a minimum of x Mbps of bandwidth, but give more if more bandwidth is available.
  • LLQ (priority) queue – during times of congestion, give up to 3Mbps of bandwidth, but no more than 3Mbps.

E.g.) Car pool lane or bus lane – if you have more passengers, you have the right to use the special lane, but you still need to keep to the speed limit.


  5. Explain the ‘Token bucket’

Using a Frame Relay network with a line speed of 128kbps.

How do you send data at half the line speed? E.g., if the full line speed is 128kbps, how do you send at 64kbps? Use the analogy of a car traveling at 100km/h to cover 50km in 0.5 hours.

Send & stop, send & stop: this is how policing and shaping do their magic.
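The send-and-stop behaviour as a single-rate token bucket policer, using the `police cir 128000 bc 4000` values that appear in the MQC demo on this page. This is an added example, not part of the original notes; the class and function names and the 256 kbps test stream are constructed.

```python
class TokenBucketPolicer:
    """Single-rate, two-colour policer: conform (transmit) or exceed (drop)."""

    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps = cir_bps          # committed information rate, bits/s
        self.bc_bytes = bc_bytes        # committed burst = bucket depth, bytes
        self.tokens = float(bc_bytes)   # the bucket starts full
        self.last = 0.0                 # time of the previous packet, seconds

    def tc_seconds(self):
        """Time needed to refill an empty bucket: Tc = Bc / CIR."""
        return self.bc_bytes * 8 / self.cir_bps

    def offer(self, now, size_bytes):
        """Classify one packet arriving at time `now` (seconds)."""
        # Tokens accumulate at CIR (converted to bytes/s), capped at Bc.
        earned = (now - self.last) * self.cir_bps / 8
        self.tokens = min(self.bc_bytes, self.tokens + earned)
        self.last = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes   # spend tokens, packet is transmitted
            return "conform"
        return "exceed"                 # not enough tokens, packet is dropped


def police_stream(policer, rate_bps, pkt_bytes, seconds):
    """Offer a constant-rate stream of equal-size packets to the policer."""
    interval = pkt_bytes * 8 / rate_bps          # gap between packets
    counts = {"conform": 0, "exceed": 0}
    for i in range(int(seconds / interval)):
        counts[policer.offer(i * interval, pkt_bytes)] += 1
    return counts


def conformed_bps(counts, pkt_bytes, seconds):
    """Throughput of the traffic that passed the policer."""
    return counts["conform"] * pkt_bytes * 8 / seconds


if __name__ == "__main__":
    policer = TokenBucketPolicer(cir_bps=128000, bc_bytes=4000)
    # Constructed input: 500-byte packets offered at 256 kbps for 10 seconds,
    # i.e. twice the committed rate.
    counts = police_stream(policer, rate_bps=256000, pkt_bytes=500, seconds=10)
    print("Tc =", policer.tc_seconds(), "s")
    print(counts, "->", conformed_bps(counts, 500, 10), "bps passed")
```

Once the initial burst allowance is used up, every second packet is dropped, which is the "send & stop" pattern at half the offered rate.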



  6. Configure QoS using MQC





MQC Demo

QoS configuration is a 3-step process:


Step 1: Create Class-maps


R1#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#class-map ?

WORD       class-map name

match-all  Logical-AND all matching statements under this classmap

match-any  Logical-OR all matching statements under this classmap

type       Configure CPL Class Map


R1(config)#class-map match-any EMAIL

R1(config-cmap)#match protocol pop3

R1(config-cmap)#match protocol imap

R1(config-cmap)#match protocol exchange

R1(config-cmap)#match protocol smtp



R1(config)#class-map VOICE

R1(config-cmap)#match protocol rtp ?

audio             Match voice packets

in-app-hierarchy  Match protocol in transport hierarchy

payload-type      Match an explicit PT

potentially       Match protocol, and all potentiall traffic

video             Match video packets


R1(config-cmap)#match protocol rtp audio





R1(config)#class-map match-any WEB

R1(config-cmap)#match protocol http

R1(config-cmap)#match protocol secure-http



R1(config)#class-map SCAVENGER

R1(config-cmap)#match protocol bitt

R1(config-cmap)#match protocol bittorrent



R1#show class-map

Class Map match-any class-default (id 0)

Match any


Class Map match-any EMAIL (id 1)

Match protocol pop3

Match protocol imap

Match protocol exchange

Match protocol smtp


Class Map match-any WEB (id 3)

Match protocol http

Match protocol secure-http


Class Map match-all VOICE (id 2)

Match protocol rtp audio


Class Map match-all SCAVENGER (id 4)

Match protocol bittorrent



Step 2: Create Policy-maps

R1(config)#policy-map QOS-LAB1


Policy-map configuration commands:

class        policy criteria

description  Policy-Map description

exit         Exit from policy-map configuration mode

no           Negate or set default values of a command

R1(config-pmap)#class EMAIL


Policy-map class configuration commands:

admit            Admit the request for

bandwidth        Bandwidth

compression      Activate Compression

drop             Drop all packets

exit             Exit from class action configuration mode

fair-queue       Enable Flow-based Fair Queuing in this Class

flow             Flow subcommands

log              Log IPv4 and ARP packets

measure          Measure

netflow-sampler  NetFlow action

no               Negate or set default values of a command

police           Police

priority         Strict Scheduling Priority for this Class

queue-limit      Queue Max Threshold for Tail Drop

random-detect    Enable Random Early Detection as drop policy

service-policy   Configure QoS Service Policy

set              Set QoS values

shape            Traffic Shaping


R1(config-pmap-c)#set dscp af13

R1(config-pmap-c)#bandwidth 512 <<<give this command first before giving ‘random-detect’ command


R1(config-pmap-c)#random-detect ?

atm-clp-based                   Enable atm-clp-based WRED as drop policy

clp                             parameters for each clp value

cos                             parameters for each cos value

cos-based                       Enable cos-class-based WRED as drop policy

discard-class                   parameters for each discard-class value

discard-class-based             Enable discard-class-based WRED as drop


dscp                            parameters for each dscp value

dscp-based                      Enable dscp-based WRED as drop policy

ecn                             explicit congestion notification

exponential-weighting-constant  weight for mean queue depth calculation

precedence                      parameters for each precedence value

precedence-based                Enable precedence-based WRED as drop policy



R1(config-pmap-c)#random-detect dscp-based <<<default is using cos, this command enables dscp based WRED

R1(config-pmap-c)#random-detect ecn <<<turns on ECN


R1(config-pmap)#class VOICE

R1(config-pmap-c)#priority 256 <<<Enabled LLQ, go first

R1(config-pmap-c)#random-detect dscp-based <<<Since voice traffic is RTP encapsulated in UDP, TCP slow-start will not help us. So, no need to use ECN bits. No need to use WRED.

Must deconfigure priority in this class before issuing this command


R1(config-pmap)#class WEB

R1(config-pmap-c)#bandwidth 768


R1(config-pmap)#class SCAVENGER

R1(config-pmap-c)#police 128000 <<<Set the maximum bandwidth using Policing. This is in bps (bits) not Bps (Bytes).




R1#show policy-map

Policy Map QOS-LAB1


set dscp af13

bandwidth 512 (kbps)


priority 256 (kbps)

Class WEB

bandwidth 768 (kbps)


police cir 128000 bc 4000

conform-action transmit

exceed-action drop


#Marking can only be done on inbound traffic.

#Shaping can only be applied to outbound traffic.

#Policing can be applied in either direction.


R1#conf t

R1(config)#int gi0/0

R1(config-if)#service-policy output QOS-LAB1 <<<Apply configuration to outgoing traffic



R1#show policy-map interface gi0/0



Service-policy output: QOS-LAB1


queue stats for all priority classes:


queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0


Class-map: EMAIL (match-any)

0 packets, 0 bytes

5 minute offered rate 0000 bps, drop rate 0000 bps

Match: protocol pop3

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol imap

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol exchange

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol smtp

0 packets, 0 bytes

5 minute rate 0 bps


queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

QoS Set

dscp af13

Packets marked 0

bandwidth 512 kbps


Class-map: VOICE (match-all)

0 packets, 0 bytes

5 minute offered rate 0000 bps, drop rate 0000 bps

Match: protocol rtp audio

Priority: 256 kbps, burst bytes 6400, b/w exceed drops: 0



Class-map: WEB (match-any)

0 packets, 0 bytes

5 minute offered rate 0000 bps, drop rate 0000 bps

Match: protocol http

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol secure-http

0 packets, 0 bytes

5 minute rate 0 bps


queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

bandwidth 768 kbps


Class-map: SCAVENGER (match-all)

0 packets, 0 bytes

5 minute offered rate 0000 bps, drop rate 0000 bps

Match: protocol bittorrent


cir 128000 bps, bc 4000 bytes

conformed 0 packets, 0 bytes; actions:


exceeded 0 packets, 0 bytes; actions:


conformed 0000 bps, exceeded 0000 bps


Class-map: class-default (match-any)

3 packets, 180 bytes

5 minute offered rate 0000 bps, drop rate 0000 bps

Match: any


queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 3/180



4. Install and configure NTP server in Red Hat/Centos 7.5 Linux

NTP (Network Time Protocol) is a protocol which runs over UDP port 123. NTP synchronises clients’ time and date with a master server. Within an enterprise networking environment, to provide a reliable time service, an NTP server should have a minimum NTP stratum of 5 or less.

Step 1: Install and configure NTP daemon

sudo yum install ntp


Step 2: Check and adjust time zone

  1. timedatectl
  2. timedatectl list-timezones <<<to list and find time zones
  3. timedatectl set-timezone Australia/Sydney

Step 3: Enable and start ntpd service

sudo systemctl enable ntpd

sudo systemctl start ntpd


Step 4: Check basic NTP functionality



ntpq -p


Step 5: Check NTP configuration under /etc/ntp.conf

more /etc/ntp.conf

3. Install and configure TFTP server in Red Hat/Centos 7.5 Linux

Step 1: Install, enable and start firewalld

sudo yum install firewalld

sudo systemctl enable firewalld <<<starts up firewall when system boots up

sudo systemctl start firewalld


Step 2: Punch a hole in firewalld to allow TFTP traffic.


firewall-cmd --permanent --zone=public --add-service=tftp

firewall-cmd --reload

iptables -I INPUT -p udp --dport 69 -j ACCEPT


Step 3: Install, enable and start TFTP server and client

sudo yum install xinetd tftp-server tftp

sudo systemctl enable xinetd tftp <<<starts up automatically on system boot-up

sudo systemctl start xinetd tftp


Step 4: We don’t want TFTP user to have root user permission. So let’s create a system account called tftpuser with no home directory and no login capability.

sudo useradd --no-create-home -s /sbin/nologin tftpuser


Step 4: Create a directory for TFTP Server use.

sudo mkdir -p /tftpdata

sudo chmod 777 /tftpdata

nano /tftpdata/demo1.txt

chown tftpuser:tftpuser -R /tftpdata



Step 5: Configure TFTP service using the following settings.


nano /etc/xinetd.d/tftp


Server_args notes:

-c = allows clients to connect and create files in the directory

-s = automatically changes directory, when a client connects to the TFTP server, to a specific directory in the configuration file such as /tftpdata. A security feature.

-u = specifies the user as the owner of the directory /tftpdata

-p = Perform no additional permissions check

-U = Sets the umask used when a client creates or pushes a new file

-v = Prints some verbose logging when a client connects to the TFTP server.


Step 6: Edit the systemd service file for TFTP. Update the [Service] > ‘ExecStart’ line as below:

sudo nano /usr/lib/systemd/system/tftp.service




Description=Tftp Server





ExecStart=/usr/sbin/in.tftpd -c -v -u tftpuser -p -U 117 -s /tftpdata






Step 7: Reload the system daemon & TFTP services


sudo systemctl daemon-reload

sudo systemctl start xinetd

sudo systemctl enable xinetd

sudo systemctl start tftp

sudo systemctl enable tftp



Step 8: Check UDP port 69 is in listening mode


netstat -na | grep udp6



Use ‘netstat -lu’ for all UDP listening ports/services


Use ‘netstat -ap | grep tftp’ to check the service.



Check that the firewall is allowing UDP port 69.

netstat -tupan

netstat -tupan | grep 69



Step 9: Check the connection by downloading a demo.txt file from the TFTP server, using another server/router/switch.


  1. On TFTP server (, create demo.txt file under tftpdata directory.


nano /tftpdata/demo.txt



  1. On another Linux host (IP:, download demo.txt file.



get demo.txt




Now verification has been completed and you have a working TFTP server.

2. Install and configure SFTP server in Red Hat/Centos 7.5 Linux

Step 1: Create a SFTP user with password

sudo adduser sftpuser

sudo passwd sftpuser


Step 2: Create Directory for File Transfer


  1. sudo mkdir -p /var/sftp/sftpdata


[root@localhost /]# find . -name "sftpdata"

find: ‘./run/user/1000/gvfs’: Permission denied



  2. Make the root user the owner of this directory.

sudo chown root:root /var/sftp


  3. Grant write permission to the root user and read permission to other users.

sudo chmod 755 /var/sftp


  4. Change the owner of sftpdata to the user who needs access.

sudo chown sftpuser:sftpuser /var/sftp/sftpdata


Step 3: Restrict Directory Access


  1. open sshd_config file


sudo nano /etc/ssh/sshd_config


  1. Add the following to the end of the file.

Match User sftpuser

ForceCommand internal-sftp

PasswordAuthentication yes

ChrootDirectory /var/sftp

PermitTunnel no

AllowAgentForwarding no

AllowTcpForwarding no

X11Forwarding no


  1. Restart sshd to apply change

sudo systemctl restart sshd


Step 4: Verification via SSH connection


ssh sftpuser@


The SSH connection gets closed as expected.



sftp sftpuser@

You can connect via sftp and now download and manage files as below.


SSH access has now been restricted successfully, and sftpuser can upload and manage his/her files via SFTP only.

1. Install and configure FTP server in Red Hat/Centos 7.5 Linux

Step 1: Install vsftpd (very secure FTP daemon) package.

yum install -y vsftpd ftp


Step 2: Enable FTP on firewall

firewall-cmd --permanent --zone=public --add-service=ftp
firewall-cmd --reload


Step 3: Automatically start the FTP server when the server powers on.

  1. Enable the vsftpd service.

systemctl enable vsftpd.service

  2. Check the status of the FTP server.

systemctl status vsftpd.service


Step 4: Configure vsftpd package. Edit /etc/vsftpd/vsftpd.conf

nano /etc/vsftpd/vsftpd.conf


  1. Change the line which contains anonymous_enable=NO to anonymous_enable=YES. This will permit anyone to access the FTP server without authentication. If this setting is changed to ‘NO’, then users must use their login and password to access files from their home directory. [Note: For our use, I am keeping this setting as YES, so each user has to log in to access their own files]
  2. local_enable=YES
  3. write_enable=YES
  4. Add the following to the end of the file.







Step 5: Start FTP Server
systemctl start vsftpd.service


Step 6: Verification. Create a file under ‘var/ftp/pub’. Use a web browser to access the file.

[root@localhost /]# find . -name "pub"

find: ‘./run/user/1000/gvfs’: Permission denied


[root@localhost /]# cd var/ftp/pub

[root@localhost pub]# nano ftppubfile1.txt


If anonymous_enable=YES, ./var/ftp/pub Directory will be used.


If anonymous_enable=NO, users have to login with their credentials to access files.


Putty Trick – 1. Save output to a file

To automatically save the output to a file while using Putty, you can change one setting of Putty to achieve this.
1. Start putty.exe.
2. Go to Session -> Logging.
3. Select “Printable output”
4. Choose the folder, where you want the file to be placed.
5. Append a file name like &H_&Y&M&D_&T.log to the path (host_YearMonthDay_time.log)
6. Save the profile as default settings.

CCNA Security 210-260: Module 1: Fundamentals of Network Security, Lesson 1: Networking Security Concepts and Common Principles

Source: CCNA Security 210-260,

Lesson 1: Networking Security Concepts and Common Principles
1.1 Understanding Network and Information Security Basics
1.2 Confidentiality, Integrity, and Availability
1.3 Classifying Assets
1.4 Types of Security Vulnerabilities
1.5 Classifying Countermeasures
1.6 Attack Methods & Vectors
1.7 Applying Fundamental Security Principles To Network Design
1.8 Understanding the Security Attack Surface in Different Network Topologies


1.1 Understanding Network and Information Security Basics
– Attacks are more targeted and sophisticated
– Custom malware created even at the victim’s site
– More organized attack campaigns

Every organization, individual or system is a target. It doesn’t matter the size, the country or who you are.
You are a target; attackers are always looking to steal:
– Intellectual Property
– Personal Information
– Distributed Development (source code)

Recent evolution of threats:
– Custom malware is being deployed
– Multiple bad actors are present simultaneously
– Attached infrastructure is a platform for the next attack
– Many are blind to network malfeasance
– Some are conceding loss of control
– Denial of Service can be a precursor to damage
– Undetected communication to embargoed countries

Today’s reality:
– Over 75% of attacks start extracting data within minutes.
– Over 50% of attacks are left undetected for months, if at all
– Detection and response capabilities must change
Security professionals must understand what they are trying to protect… and from WHOM?
We need to think like the threat actors and bad guys, and try to understand all the threats happening nowadays.

The Industrialization of hacking: Cyber crime as a business. Often the criminals know more about your network than you know.
Threats grow more sophisticated every day.
1990 – 2000 Viruses
1997 – Phishing, low sophistication,
2000 – 2005 Worms
2005 – Hacking becomes an Industry
2005 – today: Spyware and rootkits
2015 – APTs cyber ware
2016 – Sophisticated attacks, attack as service
2020 – ???

“Criminals know more about your network than you do”
Initial malware may remain dormant for months to learn vulnerabilities and the network; custom malware is then developed to attack after learning your vulnerabilities.

Typical stages of a data breach:


What is a vulnerability?
A vulnerability is an exploitable weakness in a system or its design. Vulnerabilities can be found in protocols, operating systems, applications, and system designs.

What is a threat?
A threat is any potential danger to an asset. If a vulnerability exists but has not yet been exploited or, more importantly, is not yet publicly known, the threat is not yet realized.
If someone is actively launching an attack against your system and successfully accesses something or compromises your security against an asset, the threat is realized.

What is a countermeasure?
A countermeasure is a safeguard that somehow mitigates a potential risk. It does so by either reducing or eliminating the vulnerability, or at least reducing the likelihood that the threat agent can actually exploit the risk.


1.2 Confidentiality, Integrity, and Availability

CIA concept:


Confidentiality means that only the authorized individuals/systems can view sensitive or classified information. This also implies that unauthorized individuals should not have any type of access to the data.

Integrity applies to systems and data. For data, it means that changes are made only by authorized individuals/systems. Corruption of data is a failure to maintain data integrity.

Availability also applies to systems and to data. If the network or its data is not available to authorized users the impact may be significant to organizations and users who rely on that network as a business tool. The failure of a system, to include data, applications, devices, and networks, generally equates to loss of revenue.


1.3 Classifying Assets

What is an Asset?

An asset is an item that is to be protected and can include property, people and information/data that have value to the company.

This includes intangible items such as proprietary information or trade secrets and the reputation of the company.

The data could include company records, client information, proprietary software, and so on.

Asset classifications:

Type of classification: Classification

Governmental classifications
  • Unclassified
  • Sensitive but unclassified (SBU)
  • Confidential
  • Secret
  • Top secret

Private sector classifications
  • Public
  • Sensitive
  • Private
  • Confidential

Classification criteria
  • Value
  • Age
  • Replacement cost
  • Useful lifetime

Classification roles
  • Owner (the group ultimately responsible for the data, usually senior management of a company)
  • Custodian (the group responsible for implementing the policy as dictated by the owner)
  • User (those who access the data and abide by the rules of acceptable use for the data)

1.4 Types of Security Vulnerabilities

Understanding the weaknesses and vulnerabilities in a system or network is a huge step toward correcting the vulnerability or putting in appropriate countermeasures to mitigate threats against those vulnerabilities.

Different types of security vulnerabilities

  • Policy flaws
  • Design errors
  • Protocol weaknesses
  • Misconfiguration
  • Software vulnerabilities
  • Human factors (weakest link, social engineering)
  • Malicious software
  • Hardware vulnerabilities
  • Physical access to network resources


Buffer overflows

  • Buffer
    • Data Container
  • Buffer overflow:
    • Stuffing too much data into a data container
    • Data written beyond the container overwrites other data and/or control information


Instruction Pointer (EIP)

  • Holds address of next instruction to execute
  • Is impacted by jumps, branches and returns
  • Is only valid if pointing to an executable memory region


What is the stack?

  • Holds all local variables and parameters used by any function
  • Remembers the order in which functions are called so the function returns correctly
  • When a function is called, local variables and parameters are “pushed” onto the stack
  • When the function returns, these locals and parameters are “popped” off of the stack


What does main’s frame look like on the stack?

What happens when we put more than 512 bytes in mybuffer[]?

What does main’s frame look like on the stack? We overwrite saved EBP, EIP, and more.


Target: EIP

Goal: Control execution flow

  • locate saved EIP
  • place a favorable address in the saved EIP
  • Don’t crash


Cross Site Scripting (XSS)

  • XSS is the ability to execute JavaScript code within the browser’s Document Object Model (DOM)
    • In non-web-tech-speak: Run scripts in the user’s context
    • The web application does not “taint” the data before it is stored and/or reflected back to the end user
  • Stored XSS:
    • Web application stores the attack in the database for later display
    • Common to attack multiple users on forums, etc
  • Reflected XSS:
    • Immediately attack the user based on input
    • Typically performed with social engineering when an XSS vulnerability is discovered on a trusted website

What is the threat from XSS?

  • Cookie stealing
  • Browser control
  • Forced actions (CSRF)
  • Enhanced social engineering


XSS “Cousin”: CSRF

  • Cross site request forgery
  • Exploits the trust a site has in a user’s browser
    • Typically uses social engineering or XSS to lure a user
  • Some mitigation:
    • Don’t allow “blind submissions” — Use a secret token
    • Check the Referer header

<img src="">
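The two mitigations listed above (a secret token and a Referer check) implemented as a server-side check. This is an added example, not part of the original notes; `SERVER_KEY`, the host `bank.example`, the session IDs and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Per-deployment secret, generated here only so the example is self-contained.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id, key=SERVER_KEY):
    """Token embedded in each form, bound to the user's session.

    Another site can make the browser send a request, but it cannot read this
    value, so it cannot include it in a forged request.
    """
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def referer_ok(referer, allowed_host):
    """Accept only requests whose Referer header points at our own site."""
    if not referer:
        return False
    parts = urlsplit(referer)
    # Compare the parsed hostname exactly; a substring match would also accept
    # look-alike hosts that merely contain the allowed name.
    return parts.scheme == "https" and parts.hostname == allowed_host


def accept_post(session_id, form_token, referer,
                allowed_host="bank.example", key=SERVER_KEY):
    """Decide whether a state-changing request should be processed."""
    expected = issue_token(session_id, key)
    token_ok = isinstance(form_token, str) and hmac.compare_digest(
        expected.encode(), form_token.encode()      # constant-time comparison
    )
    return token_ok and referer_ok(referer, allowed_host)


if __name__ == "__main__":
    sid = "session-1234"                            # constructed session ID
    token = issue_token(sid)
    print("own form:       ", accept_post(sid, token, "https://bank.example/transfer"))
    print("blind submit:   ", accept_post(sid, None, "https://bank.example/transfer"))
    print("foreign referer:", accept_post(sid, token, "https://other.example/page"))
```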


SQL Injection

  • Dynamic web applications require database back ends
  • Developers don’t always sanitize user input before using it in SQL Queries
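The unsanitized-input problem described above, with the query built by string formatting beside the parameterized form that fixes it. This is an added example, not part of the original notes; the table, the users and the sample input are constructed, and it uses an in-memory SQLite database so it runs offline.

```python
import sqlite3


def make_db():
    """Build a small in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return db


def lookup_vulnerable(db, name):
    """Deliberately unsafe: user input becomes part of the SQL text."""
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return db.execute(query).fetchall()


def lookup_parameterized(db, name):
    """Safe: the input is passed as a bound value and never parsed as SQL."""
    return db.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(db, name):
    """Row counts returned by the unsafe and the safe lookup."""
    return len(lookup_vulnerable(db, name)), len(lookup_parameterized(db, name))


if __name__ == "__main__":
    db = make_db()
    # Normal input: both functions return the single matching row.
    print("bob ->", compare(db, "bob"))
    # Constructed input containing a quote: in the unsafe version the quote
    # closes the string literal and the rest changes the WHERE clause, so
    # every row comes back. The parameterized version matches nothing.
    print("quoted input ->", compare(db, "nobody' OR '1'='1"))
```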


Additional Vulnerability categories


1.5 Classifying Countermeasures

        Classifying controls & countermeasures


Administrative Controls

  • These consist of written policies, procedures, guidelines and standards
    • Examples:
      • written acceptable use policy (AUP)
      • change control process that needs to be followed when making changes to the network
  • Administrative controls could involve items such as background checks for users


Physical Controls

Physical security for the network servers, equipment, and infrastructure.


  • Door locks, gates, badge access
  • Cameras
  • a redundant system like an uninterruptible power supply


Logical Controls

  • These consist of passwords, firewalls, intrusion prevention systems, access lists, VPN tunnels, and so on.
  • Logical controls are often referred to as technical controls.


1.6 Attack Methods & Vectors

Attack methods

Most attackers do not want to be discovered and so they use a variety of techniques to remain in the shadows when attempting to compromise a network.

Attack methods: Reconnaissance

Used to find information about the network and the victim: Passive or Active

  • Passive: Studying user behaviors, social media etc.
  • Active: scans of the network to find out which IP addresses respond, and further scans to see which ports are open and what vulnerabilities are present.

This is usually the first step taken, to discover what is on the network and to determine potential vulnerabilities.

Attack methods: Social Engineering

  • Targets the weakest link: the user.
  • If the attacker can get the user to reveal information, it is much easier for the attacker than using some other method of reconnaissance.


  • Phishing presents a link that looks like a valid trusted resource to a user. When the user clicks it, the user is prompted to disclose confidential information such as usernames/passwords.
  • Pharming is used to direct a customer’s URL from a valid resource to a malicious one that could be made to appear as the valid site to the user. From there, an attempt is made to extract confidential information from the user.

Attack methods: Privilege Escalation

The process of taking some level of access (whether authorized or not) and achieving an even greater level of access.

Example: an attacker who gains user mode access to a router and then uses a brute-force attack against the router, determining what the enable secret is for privilege level 15 access.

Attack methods: Backdoors

An application can be installed to either allow future access or to collect information to use in further attacks.

Many back doors are installed by users clicking something without realizing the link they click or the file they open is a threat. Back doors can also be implemented as a result of a virus or a worm (often referred to as malware).

Attack methods: Remote code execution

  • One of the most devastating actions available to an attacker is the ability to execute code within a device.
  • Code execution could result in an adverse impact to the confidentiality (attacker can view information on the device), integrity (attacker can modify the configuration of the device), and availability (attacker can create a denial of service through the modification of code) of a device.

Attack methods: Man-in-the-Middle Attacks

  • A man-in-the-middle attack results when attackers place themselves in line between two devices that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them.
  • This can happen at Layer 2 or Layer 3.
  • The main purpose is eavesdropping, so the attacker can see all the traffic.

Attack methods: Denial-of-service (DoS) and Distributed Denial-of-Service (DDoS) Attacks

  • When numerous systems (hundreds or thousands) send traffic to a victim, this produces a denial-of-service condition in which genuine users cannot access the site or use the service. Covered in depth in lesson 2.

Attack methods: Botnet & Command & Control (CnC)

  • A botnet is a group of private computers that are infected by malware and controlled by an attacker to perform malicious activities, such as sending spam or carrying out denial-of-service attacks from these private computers.
  • Bots are controlled by a CnC (Command & Control) server. Historically, CnC was operated over IRC (Internet Relay Chat); in recent times, CnC can be done through TLS/SSH/IPSec tunnels, and Twitter is also used as a CnC environment. The bad actors control the infected machines to carry out specific attacks, such as sending spam or stealing information from victims.


1.7 Applying Fundamental Security Principles To Network Design

Examples of guidelines for secure network architecture:

  • Rule of least privilege – give a user or a system just enough privilege to carry out certain tasks
  • Defense in depth – a layered approach to applying security within an organization
  • Separation of duties – a concept of having more than one person completing a task to prevent fraud, malicious activities or errors


Improving Security Posture:



1.8 Understanding the Security Attack Surface in Different Network Topologies

  • We need to understand the security attack surface in different network topologies and environments, including BYOD (Bring Your Own Device), firewalls, Mobile Device Management (MDM), Identity Management Systems (IDS) and other devices within the security network environment. The different technologies are covered in detail in later chapters.
  • DC environment – it is also important to understand the different types of threats in data centers (DCs). For example, North-South traffic is the traffic carried to and from the data center and other parts of the network. East-West traffic, on the other hand, refers to lateral movement within the data center. Whenever there is a security compromise, it is important to know how traffic flows, as the traffic from the compromised machine often traverses both the North-South and East-West directions.