Other Domain 4 Concepts

Permanent Virtual Circuit – routes are fixed unless changed by the carrier.

Switched Virtual Circuit – routes are configured dynamically each time the circuit is used.

Virtualization – the goal of virtualizing network functions is to move away from hardware-specific implementations toward software implementations.

Layer 3 Firewall Filtering (static filtering) – happens by configuring packet filters or rules for:

  • Source/destination address
  • Service (e.g. finger service/protocol, port 79)

Stateful or Dynamic Packet Filtering:

  • Examines packets in the session context
  • Examines session/protocol behavior and adjusts rules to accommodate legitimate traffic

Next Generation Firewall (Deep Packet Inspection) integrates:

  • API gateways
  • Deep inspection of traffic
  • Database activity monitoring

Whitelisting – blocking all, allowing specific IP addresses

Blacklisting – allowing all, blocking specific IP addresses
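To make the static/stateful and whitelist/blacklist distinctions above concrete, here is a small packet filter written as an added example for these notes (not from ISC2 material); all addresses, ports and rules are constructed.

```python
"""Toy Layer 3/4 packet filter contrasting static rules, a stateful session
table, and default-deny (allow-list) vs default-allow (deny-list) policies.
Added example for these notes; all addresses and packets are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True on the first packet of a TCP session

def addr_match(pattern, ip):
    """'*' matches anything; otherwise match an IP against a CIDR/host pattern."""
    return pattern == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

def static_filter(pkt, rules, default="deny"):
    """Static filtering: first matching (action, src, dst, dport) rule wins.
    default="deny" is an allow-list (whitelist); default="allow" is a deny-list."""
    for action, src, dst, dport in rules:
        if addr_match(src, pkt.src) and addr_match(dst, pkt.dst) and dport in ("*", pkt.dport):
            return action
    return default

# Constructed rule set: block the finger service (port 79) everywhere, let the
# internal 10/8 network open HTTPS sessions, deny everything else by default.
RULES = [
    ("deny", "*", "*", 79),
    ("allow", "10.0.0.0/8", "*", 443),
]

class StatefulFilter:
    """Stateful filtering: a session opened by an allowed SYN is remembered, so
    replies are admitted without a standing 'allow inbound to high ports' rule."""
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # (src, sport, dst, dport) of permitted sessions

    def filter(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "allow"  # reply traffic belonging to an established session
        if pkt.syn and static_filter(pkt, self.rules) == "allow":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        return "deny"  # unsolicited inbound, finger, or anything not covered
```

The stateful filter admits the HTTPS reply only because it saw the outbound SYN first; an unsolicited inbound packet to the same client is dropped even though it comes from port 443.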

Remote Meetings and Collaborative Concepts

Some key security concepts to be aware of for remote meetings and collaborative hardware/software are listed below:

Authentication – to ensure the participant’s identity and business need to be in the meeting, participants should be required to authenticate in some form. Open attendance can lead to unauthorized access and information disclosure.

Preregistration for the meeting – can include use of a unique password. 

Encryption – ensure that transmissions between endpoints and servers are encrypted. 

Instant Messaging Vulnerabilities:

  • Account spoofing
  • Packet sniffing where transmissions are not encrypted
  • Transfer of malicious files between users
  • Social engineering
  • Blocking ports may not be effective as some IM products use port 80 (HTTP) or 21 (FTP).

Spam through IM is referred to as SPIM.

Email Security

Email is carried out by mail-handling servers and clients using Simple Mail Transfer Protocol (SMTP).  Protocols that allow the clients to pull the email from their server-based inboxes include: 

  • Post Office Protocol version 3 (POP3)
  • Internet Message Access Protocol (IMAP)

Ensure that strong authentication is enabled for both inbound and outbound mail, otherwise messages can be openly relayed. 

Insecure email configurations can lead to spam, piggybacking, and account hijacking.

Consider the following:

  • Secure placement of servers and gateways
  • Ensure nonrepudiation, meaning that the sender is the sender
    • Use Secure Multipurpose Internet Mail Extensions (S/MIME), an email security standard that uses asymmetric encryption and digital signatures/certificates for authentication and confidentiality. Public Key Cryptography Standard (PKCS) encryption and X.509 certificates are used.
  • Authentication mechanisms that verify the source and delivery
  • Classification of data in the body of message or attachments
  • Email security policy that encompasses or reiterates:
    • Acceptable use: use the email system for business purposes only (we’ve all seen these policies, so we won’t rehash them here).
      • Acceptable use should state explicitly what is allowed/disallowed within email systems, most notably whether confidential information is allowed within email and how users should protect it (default encryption services often rely on user input and are therefore subject to error, e.g. putting “encrypt” in the subject line to activate encryption).
    • Access control: some systems can have a certain level of discretionary access (covered in Domain 5), thus users should be aware of access restrictions on other group or individuals’ inboxes.
    • Privacy: email is not considered private or confidential.  In fact, it’s the first go-to place for investigations and evidence.  Users should be aware that they “shall have no expectation of privacy.”
      • Another privacy issue with email is that they can be forwarded unwittingly to an unauthorized recipient at any time.  
    • Backup/retention – deleted emails can be recovered from the server; users should be aware of this.
    • Encryption: policy should dictate what level of encryption is needed for email and instruct users how to encrypt attachments or use the encryption trigger keyword.
  • Block suspicious attachments at the gateway (zip and exe)
  • Employ filters against spam.
  • Antivirus/endpoint protection.
  • Training users on how to recognize and report spam and general email best practices (don’t click links).
  • MIME Object Security Services (MOSS) is an email standard that also enables integrity and nonrepudiation using Message Digest 2 (MD2) and MD5 algorithms; Rivest, Shamir, and Adleman (RSA) public keys; and Data Encryption Standard (DES) for encryption.
  • Privacy Enhanced Mail (PEM) provides authentication, integrity, confidentiality, and nonrepudiation using RSA, DES, and X.509 certificates.
  • DomainKeys Identified Mail (DKIM) verifies valid mail through domain name identity, using public keys and digital signing.
  • Forcing TLS for email encryption between business partners.
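As an added example for the “block suspicious attachments at the gateway (zip and exe)” item (not code from ISC2 or any mail product), this screens a constructed message for blocked types, catching a renamed executable by its leading bytes rather than trusting the filename; the blocked-type list is an assumption to tune to your own policy.

```python
"""Gateway-side attachment screening for the "block zip and exe" control.
Added example for these notes; the message is constructed and the
blocked-type list is an assumption to adapt to local policy."""
import email
from email import policy
from email.message import EmailMessage

BLOCKED_TYPES = {".exe", ".zip"}  # the two types the notes call out
MAGIC_BYTES = {b"MZ": ".exe", b"PK\x03\x04": ".zip"}  # file signatures

def sniff_type(data):
    """Identify the real type from leading bytes, ignoring the claimed name."""
    for magic, ext in MAGIC_BYTES.items():
        if data.startswith(magic):
            return ext
    return None

def screen_attachments(raw_message):
    """Return (filename, reason) for every attachment the gateway should block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        sniffed = sniff_type(data)
        if ext in BLOCKED_TYPES:
            findings.append((name, f"blocked extension {ext}"))
        elif sniffed in BLOCKED_TYPES:
            # Renamed executable: harmless-looking name, executable bytes.
            findings.append((name, f"content is {sniffed} despite name"))
    return findings

def build_sample_message():
    """Constructed message: a renamed .exe, a zip, and a genuine PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                       subtype="zip", filename="archive.zip")
    msg.add_attachment(b"%PDF-1.4\n%toy", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()
```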

Remaining concepts

RADIUS: a server initially used for dial-up authentications. 

Diameter: the successor to RADIUS with added reliability.

TACACS: the alternative to RADIUS. TACACS+ supports two-factor authentication.

Virtual Private Network: a VPN is a point-to-point communication tunnel through an untrusted network.

Tunneling: a process that encapsulates packets within another protocol for protection. The encapsulation is what’s considered the “tunnel” within the untrusted network, meaning that the transmission is only visible to the systems on either end of the tunnel. At each end of the tunnel, encapsulation and de-encapsulation is performed. Firewalls are unable to examine tunneled packets.

Network saturation and bottlenecking are concerns with tunneling due to the additional resource usage. SSL/TLS can also be considered a VPN protocol; however, it typically encrypts only the information within the session, and routing information remains visible (end-to-end encryption).

IP Security (IPSec) 

The most common VPN protocol used. Two components/functions:

  • Authentication Header (AH): provides authentication, integrity, and nonrepudiation. Identifies the origin of the packet and ensures that the contents of the header and payload haven’t changed.
  • Encapsulating Security Payload (ESP): provides encryption and limited authentication. Encrypts the payload but not the packet header.
    • Transport mode: the payload is encrypted, but not the header
    • Tunnel mode: the packet is encrypted, and a new header is added to manage transmission through the tunnel.

If you’re not familiar with IPSec, we recommend doing some simple YouTube searches.  We may put one together at some point, but for now there is plenty of material already out there on how it works.  

Telnet: text-oriented communication that typically uses port 23. Typically provides no encryption or authentication.

Secure Shell (SSH): the replacement for Telnet. Creates a tunnel to protect the integrity of communication, preventing man-in-the-middle attacks. Secure File Transfer Protocol (SFTP) is the combination of SSH and FTP to encrypt both data and commands.

Frame Relay: uses packet switching with virtual circuits instead of dedicated physical circuits. 

Virtualization: managed by a software console; resilient, and admins can take down and rebuild virtual environments in minutes.

Virtual Machine: as stated in Domain 3, this is a software program or operating system that acts as a self-contained device on a host.

Hypervisor / virtual machine monitor (VMM): software, firmware, or hardware that creates and manages VMs.

East-west bound interfaces refer to “sideways” communications between storage and hypervisors in the virtual or cloud environment.

Virtual Machine Jumping or Hyperjumping: also known as guest escape. Caused by misconfiguration of the environment or hypervisor. Traffic from one VM can be delivered to other VMs. 

Modbus is a communications protocol widely used in SCADA infrastructures, such as refineries or petroleum pipelines. It provides no authentication, information is passed without cryptographic protection for confidentiality or integrity, and it may offer multiple avenues for denial of service attacks, though apparently in 2018 TLS was adopted to provide confidentiality and authenticity.

Captive portals are authentication controls for wireless networks implemented for public use at hotels, restaurants, libraries, etc. They work by forcing a newly connected device to a starting webpage to establish authorized access. For a hotel you might have to enter your room number and last name; other credentials, such as a payment amount or an access code, may be required. The portal is also a good place to display privacy policies and acceptable use terms and conditions, and if end-user consent for tracking and information collection is required, the captive portal allows for that as well. Only once the end user satisfies the conditions required by the starting page can they communicate across the network.

Some countermeasures for wireless attacks are:

  • Periodic radio frequency (RF) site surveys to look for rogue access points that want to lure devices to attach to them
  • Analysis of WAP logs
  • Captive portals
  • Mechanisms can also be put in place to ensure the integrity of device data
  • Administrative policies regarding physical areas where guest Wi-Fi devices can or cannot be used
  • Rule-based controls to prevent use of the WAP outside of normal work hours

Microsegmentation is referred to in zero-trust networks, where firewalls are found at every connecting point, and where information, services, and security properties are encapsulated.

VXLAN oddly isn’t covered in ISC2’s official material, so here’s a video that explains it in plenty of detail for those of you with Domain 4 experience: https://www.youtube.com/watch?v=QPqVtguOz4w

In a nutshell, VXLAN:

  • Is a method of encapsulating layer 2 frames.
  • Provides much more scalability than VLAN.
  • Is largely used by data centers.

Additional information can be found here: https://www.juniper.net/us/en/research-topics/what-is-vxlan.html

On to Zigbee, which is another term that was on the exam outline but not found in ISC2’s official training.  The following video (not ours) explains it in simple terms:

In a nutshell, Zigbee:

  • Is a suite of protocols used to create personal area networks with small, low-power digital radios, for medical device data collection and other low-power, low-bandwidth needs; it is designed for small-scale projects that need a wireless connection.
  • Is low power and low data rate, requires close proximity (i.e., a personal area), and serves as a wireless ad hoc network. You can think of it as something between WiFi and Bluetooth.
  • Resides at the physical layer, operates at 250 kbps, and has a range of 10 to 20 meters.
  • Uses a mesh topology.
  • Uses 128-bit AES for security.
  • The city of Gothenburg claims to be a “Zigbee City”: https://www.smart-energy.com/regional-news/north-america/sweden-boasts-the-world-s-first-zigbee-city/

For third party connectivity, ISC2 gives us the following good management practices to follow:

  • Create a policy for controlling third party connectivity relationships.
  • Take inventory of existing third party relationships, evaluate each relationship against the third party policy, and identify those that pose greater risk to us.
  • Establish monitoring and auditing practices, and make sure those practices are included in the contract documentation – basically, the third party should know what you’re monitoring and how.
  • When access is terminated, verify that privileges are removed, that interconnections are removed, and that any physical property is recovered, for example physical access tokens or proximity access cards.