CISSP Domain 4 Communication and Network Security Cheat Sheet


Routers

Layer 3 devices that route traffic from one LAN to another.

Static and Default Routes

Static routes are fixed routing entries such as “ via router”. Routers commonly have a static “default route” that sends all traffic for unknown external destinations to one next-hop router.

Routing Protocols

Complex networks with many routers and redundant paths use routing protocols to learn topology changes automatically. A network that has had no recent outages is normally “converged”, meaning every router holds a consistent view of the topology.

Routing protocols come in two basic varieties: Interior Gateway Protocols (IGPs) such as RIP and OSPF, and Exterior Gateway Protocols (EGPs) such as BGP.

Distance Vector Routing Protocols

Use hop count as the metric and choose the path with the fewest hops; prone to routing loops. RIP is an example of a distance vector routing protocol.

  • Sends updates every 30s – convergence is slow
  • Max hop count is 15; 16 is infinite (unreachable)
  • Uses split horizon to avoid routing loops
  • Poison reverse is an addition to split horizon: the route is sent back with a cost of 16 so the router can ignore that path
  • Uses a hold-down timer (180s) to avoid flapping

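
The hop-count metric, 16-as-infinity, split horizon and poison reverse behaviour listed above, as an added worked example in Python (not code from the original cheat sheet). The topology (routers A, B, C in a line with network N behind C), the three update modes and the convention that a directly connected network costs 0 hops are all constructed for this toy; real RIP timers and the 30s update interval are not modelled.

```python
"""Toy distance-vector (RIP-style) routing simulation.

Constructed example: routers A - B - C in a line, with network N attached
to C. Tables map destination -> (hop count, next hop). Three update modes
are compared: "none" (no loop prevention), "split" (split horizon) and
"poison" (split horizon with poison reverse, advertising the route back
to the router it was learned from with a cost of 16).
"""

INFINITY = 16  # RIP convention: 16 hops means "unreachable"


class Router:
    def __init__(self, name):
        self.name = name
        self.neighbors = []
        self.table = {}  # destination -> (metric, next_hop Router or None)

    def connect(self, network):
        # Directly connected network: 0 hops in this toy, no next hop
        self.table[network] = (0, None)

    def advertise(self, to, mode):
        """Build the periodic update this router sends to neighbour `to`."""
        update = {}
        for dest, (metric, next_hop) in self.table.items():
            if next_hop is to and mode != "none":
                if mode == "poison":
                    update[dest] = INFINITY  # poison reverse: send it back as unreachable
                continue                     # split horizon: otherwise omit it
            update[dest] = metric
        return update

    def receive(self, frm, update):
        """Bellman-Ford step on one update; returns True if the table changed."""
        changed = False
        for dest, metric in update.items():
            new = (min(metric + 1, INFINITY), frm)
            cur = self.table.get(dest)
            if cur is None:
                if new[0] < INFINITY:        # never install an unreachable route from scratch
                    self.table[dest] = new
                    changed = True
            elif new[0] < cur[0] or (cur[1] is frm and cur != new):
                # Accept a better route, or any change reported by the current next hop
                self.table[dest] = new
                changed = True
        return changed


def link(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)


def exchange(routers, mode, max_rounds=100):
    """Synchronous update rounds (every router sends to every neighbour)
    until no table changes; returns the number of rounds used."""
    for rnd in range(1, max_rounds + 1):
        updates = [(a, b, a.advertise(b, mode)) for a in routers for b in a.neighbors]
        changed = [b.receive(a, upd) for a, b, upd in updates]  # list, not any(): apply all
        if not any(changed):
            return rnd
    return max_rounds


def simulate(mode):
    """Converge A - B - C with N on C, then fail C's link to N.
    Returns (hop counts to N at A, B, C before failure,
             hop counts after failure, rounds needed to re-converge)."""
    a, b, c = Router("A"), Router("B"), Router("C")
    link(a, b)
    link(b, c)
    c.connect("N")
    exchange([a, b, c], mode)
    before = tuple(r.table["N"][0] for r in (a, b, c))
    c.table["N"] = (INFINITY, None)  # the link to N goes down
    rounds = exchange([a, b, c], mode)
    after = tuple(r.table["N"][0] for r in (a, b, c))
    return before, after, rounds


if __name__ == "__main__":
    for mode in ("none", "split", "poison"):
        print(mode, simulate(mode))
```

With no loop prevention, B re-learns N from A after the failure and the two routers count each other up one hop at a time until the metric hits 16, which is exactly the slow convergence the 15-hop limit bounds. With split horizon (with or without poison reverse) the three routers agree that N is unreachable within three rounds.
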
Link State Routing Protocols

Factor in additional metrics, including bandwidth, when choosing the best route.

  • Open Shortest Path First (OSPF) is an open link state routing protocol
  • OSPF routers learn the entire network topology for their area
  • Routers send event-driven updates
  • Faster convergence
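
To show why a link state protocol picks a different path than a hop-count metric, here is an added example in Python (not from the original cheat sheet). It runs Dijkstra's shortest-path-first over a constructed three-router triangle and compares the result with a breadth-first (fewest hops) choice. The cost formula, reference bandwidth divided by link bandwidth with a 100 Mbps reference, is the common OSPF convention (Cisco's default) and is assumed here; the topology and bandwidths are made up.

```python
"""Link-state SPF versus hop-count path selection.

Constructed example: a triangle of routers. Link costs follow the OSPF
convention cost = reference bandwidth / link bandwidth (100 Mbps reference,
assumed here), so a two-hop path over fast links can beat a one-hop path
over a slow link.
"""
import heapq
from collections import deque

REFERENCE_BW_MBPS = 100  # assumed reference bandwidth

# Constructed topology: (router, router, link bandwidth in Mbps)
SAMPLE_LINKS = [
    ("A", "B", 100),   # fast
    ("B", "C", 100),   # fast
    ("A", "C", 10),    # slow direct link
]


def ospf_cost(bandwidth_mbps):
    """Interface cost: reference / bandwidth, floored at 1."""
    return max(1, REFERENCE_BW_MBPS // bandwidth_mbps)


def build_lsdb(links):
    """Adjacency map standing in for the link-state database that every
    router in the area ends up sharing: {router: {neighbour: cost}}."""
    lsdb = {}
    for a, b, bw in links:
        cost = ospf_cost(bw)
        lsdb.setdefault(a, {})[b] = cost
        lsdb.setdefault(b, {})[a] = cost
    return lsdb


def spf(lsdb, root):
    """Dijkstra shortest-path-first from root: {node: (total cost, path)}."""
    best = {root: (0, [root])}
    heap = [(0, root)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, link_cost in lsdb[node].items():
            new_cost = cost + link_cost
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, best[node][1] + [nbr])
                heapq.heappush(heap, (new_cost, nbr))
    return best


def fewest_hops(lsdb, root):
    """Breadth-first search: the path a pure hop-count metric would pick."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nbr in lsdb[node]:
            if nbr not in paths:
                paths[nbr] = paths[node] + [nbr]
                queue.append(nbr)
    return paths


if __name__ == "__main__":
    lsdb = build_lsdb(SAMPLE_LINKS)
    print("SPF from A:", spf(lsdb, "A"))
    print("Hop count from A:", fewest_hops(lsdb, "A"))
```

From A, SPF reaches C via B at cost 2 (two fast links), while the hop-count view takes the direct 10 Mbps link at cost 10. Because every router runs SPF over the same link-state database, they all compute consistent loop-free paths, which is why convergence is faster and loops are far less likely than with distance vector updates.
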

Border Gateway Protocol (BGP) is used on the internet and routes between autonomous systems. It has some distance vector properties but is classed as a path vector routing protocol.


Firewalls

Perform stateful packet filtering on layers 3 and 4. Some proxy firewalls can make decisions based on layers 5-7.

Packet Filter

Makes each filtering decision on the basis of a single packet and has no concept of “state”. For example, ICMP echo replies and UDP return packets require stateful packet inspection to be allowed back through the firewall. Packet filters are faster but less secure.

Stateful Firewalls

Use state tables to compare current packets with previous ones. A stateful firewall inspects return packets such as ICMP echo replies and UDP DNS replies and allows them back through the firewall only if there is a matching previous packet. Slower but more secure.
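
The packet-filter versus stateful-inspection difference for the UDP DNS and ICMP echo cases above, as an added Python example (not from the original cheat sheet). It models a stateless filter that judges each packet alone, the broad inbound rule such a filter needs to let DNS answers back in, and a stateful firewall that records outbound flows and admits only their reverse. The rule format, packet fields, addresses and ports are all constructed for illustration.

```python
"""Stateless packet filter versus stateful inspection.

Constructed example: an inside host sends a DNS query and an ICMP echo
request; the replies must come back in. A stateless filter judges each
packet alone, so it either blocks the replies or needs a broad inbound
rule that also admits unsolicited packets. The stateful firewall records
outbound flows and admits only packets that match a recorded flow in
reverse. Addresses, ports and rule format are made up for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str              # "out" = inside -> outside, "in" = outside -> inside
    proto: str                  # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0              # 0 for ICMP
    dport: int = 0
    icmp_type: Optional[str] = None  # "echo-request" / "echo-reply"


# Rule: (direction, proto, source port, destination port, action); None = any.
# Inbound traffic has no rule, so it falls through to default deny.
RULES = [
    ("out", "udp", None, 53, "allow"),
    ("out", "icmp", None, None, "allow"),
]
# The only way a stateless filter can let DNS answers in is a broad rule on
# the source port, which also admits anything claiming to come from port 53.
STATELESS_WORKAROUND = RULES + [("in", "udp", 53, None, "allow")]


def stateless_allow(pkt, rules):
    """Packet filter: decide from this packet's headers alone, first match wins."""
    for direction, proto, sport, dport, action in rules:
        if (pkt.direction == direction and pkt.proto == proto
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return action == "allow"
    return False


class StatefulFirewall:
    """Keeps a state table of permitted outbound flows; inbound packets are
    admitted only when they are the reverse of a recorded flow."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()

    @staticmethod
    def flow_key(pkt):
        if pkt.proto == "icmp":
            return ("icmp", pkt.src, pkt.dst)
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def reverse_key(pkt):
        if pkt.proto == "icmp":
            return ("icmp", pkt.dst, pkt.src)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def allow(self, pkt):
        if pkt.direction == "in":
            if pkt.proto == "icmp" and pkt.icmp_type != "echo-reply":
                return False  # only the reply type of a recorded echo request
            return self.reverse_key(pkt) in self.state
        if stateless_allow(pkt, self.rules):
            self.state.add(self.flow_key(pkt))  # remember the outbound flow
            return True
        return False


# Constructed traffic: inside host 10.0.0.5; outside addresses from documentation ranges.
TRAFFIC = [
    ("dns_query", Packet("out", "udp", "10.0.0.5", "198.51.100.53", 40000, 53)),
    ("dns_reply", Packet("in", "udp", "198.51.100.53", "10.0.0.5", 53, 40000)),
    ("unsolicited", Packet("in", "udp", "203.0.113.9", "10.0.0.5", 53, 40000)),
    ("echo_request", Packet("out", "icmp", "10.0.0.5", "198.51.100.1", icmp_type="echo-request")),
    ("echo_reply", Packet("in", "icmp", "198.51.100.1", "10.0.0.5", icmp_type="echo-reply")),
]


def run_scenario():
    """Returns (stateless verdicts, stateless-with-workaround verdicts, stateful verdicts)."""
    stateless = {name: stateless_allow(p, RULES) for name, p in TRAFFIC}
    workaround = {name: stateless_allow(p, STATELESS_WORKAROUND) for name, p in TRAFFIC}
    fw = StatefulFirewall(RULES)
    stateful = {name: fw.allow(p) for name, p in TRAFFIC}  # in order: queries before replies
    return stateless, workaround, stateful


if __name__ == "__main__":
    for label, verdicts in zip(("stateless", "workaround", "stateful"), run_scenario()):
        print(label, verdicts)
```

The stateless filter drops both replies; the workaround rule lets the DNS reply in but also admits the unsolicited packet from another source, which is the "faster but less secure" trade-off. The stateful firewall admits exactly the two replies because each matches an outbound flow already in its state table, and nothing else.
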

Proxy Firewalls

Act as intermediary servers, often another hop along the route beyond the firewall or packet filter. A proxy typically terminates connections rather than passing them through: it intercepts and handles the TCP 3-way handshake on behalf of the client and server. It hides the origin of the connection.

Application-Layer Proxy Firewalls

Operate at layer 7 and make decisions based on application data such as HTTP traffic. A dedicated proxy is often required for each protocol, which allows tighter control of filtering decisions.

Circuit-Level Proxies Including SOCKS

Operate at layer 5 (the session layer); SOCKS is the common example. Applications need to be reconfigured or recompiled to support SOCKS. SOCKS5 is the current version and listens on port 1080.

Fundamental Firewall Design

Bastion hosts

Any host placed on the internet that is not protected by another device (a firewall). Bastion hosts must protect themselves and be hardened to withstand attack.

Dual-Homed Host

Has two network interfaces, one connected to the internet and one connected to the trusted network. It does not route. To access the internet a user must log into the dual-homed host first.

Screened Host Architecture

An older flat network design using one router to filter external traffic to and from a bastion host via an access control list. The bastion host can reach other internal resources, but the router ACL forbids direct external/internal connectivity. Weakness (no defence in depth): compromise of the bastion host allows access to other systems in the internal network.

DMZ Networks and Screened Subnet Architecture

A demilitarized zone network uses two firewalls (the term DMZ alone implies two firewalls), with the servers that receive internet traffic placed between them. These hosts need to employ defence-in-depth measures such as patching and hardening to mitigate risk. A compromise in the DMZ is designed to be contained and not extend into the internal trusted network. A single firewall can implement a three-legged DMZ, which requires it to filter traffic on all interfaces. Dual firewalls are considered more secure than a single firewall.


A modem is a modulator/demodulator: it converts binary data into analog sound and vice versa.


  • DTE – Data Terminal Equipment – a network-connected user machine, i.e. a desktop, server, or actual terminal
  • DCE – Data Circuit-terminating Equipment – e.g. a router. The DCE marks the end of the ISP's network, connecting to the DTE
  • Customer demarc (demarcation point) – the point where DCE meets DTE
  • CSU/DSU (Channel Service Unit/Data Service Unit) – a modem, a DCE device. Both sides of the DCE/DTE boundary must synchronize to a clock signal provided by the DCE


About the Author

Alfred Tong
Author and owner of this blog. A networking enthusiast and full-time networking and systems engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV