About this note

This is the expanded reference version of my original CISSP exam notes. The bullet-point original is preserved in Domain 4 - Communication and Network Security (Original-Stichpunkte) for comparison. Written for readers with several years of hands-on security and networking experience — this domain overlaps heavily with day-to-day network engineering, so the focus here is on the CISSP framing and the details exams (and audits) actually probe. See also the OSI note elsewhere in the garden for the pure networking view.

OSI Model

The seven layers with their protocol data units (PDUs) — the framing the exam cares about is which layer a control or attack operates on, because that determines what it can and cannot see:

LayerNamePDU
7ApplicationData
6PresentationData
5SessionData
4TransportSegment (TCP) / Datagram (UDP)
3NetworkPacket
2Data LinkFrame
1PhysicalBits

(The original note grouped layers 5–7 simply as “PDU” — strictly, the upper three layers’ unit is just called data; the named units start at Transport.)

The security-relevant reading of the model: encryption at layer N protects against observers at layers below it but is transparent to everything above. TLS (sitting between 4 and 7, depending on whom you ask) hides content from a layer-3 observer but not from the endpoints’ applications; MACsec at layer 2 protects a single link and nothing beyond the next switch. Knowing where a control lives tells you exactly what threat it does and doesn’t address — which is most of what the exam tests in this domain.

Media Access: The CSMA Family

How stations share a medium without a central scheduler — Carrier-Sense Multiple Access: listen before transmitting. The two variants solve the same collision problem for different physics:

  • CSMA/CD (Collision Detection) — classic shared-medium Ethernet: stations transmit while listening, detect collisions as they happen, back off randomly, retry. Effectively historical now — full-duplex switched Ethernet has no collision domain left — but the exam keeps it alive.
  • CSMA/CA (Collision Avoidance) — wireless (802.11): a radio cannot listen while transmitting (its own signal drowns out everything), so collisions can’t be detected — they must be avoided up front via waiting periods and optional RTS/CTS handshakes. This is also why Wi-Fi throughput degrades so gracelessly under contention: the avoidance overhead is paid on every frame.

TCP/IP

The Three-Way Handshake

Every TCP connection begins SYN → SYN-ACK → ACK: the client proposes (SYN with its initial sequence number), the server acknowledges and proposes its own (SYN-ACK), the client acknowledges (ACK). Sequence numbers from this exchange order and acknowledge every byte that follows.

Security angles the handshake carries: SYN flooding exploits the server’s need to hold state after step 2 — flooding half-open connections until the backlog exhausts (SYN cookies are the standard countermeasure). And the sequence numbers negotiated here are exactly what a TCP session hijacker (Domain 3’s attack list) must predict or observe to inject into an established connection — the historical reason initial sequence numbers became randomized.

TCP Header

The header is 20–60 bytes: 20 bytes of fixed fields plus up to 40 bytes of options. The layout:

FieldSize
Source Port16 bit
Destination Port16 bit
Sequence Number32 bit
Acknowledgment Number32 bit
Data Offset4 bit
Reserved4 bit
Flags8 bit
Window Size16 bit
Checksum16 bit
Urgent Pointer16 bit
Optionsvariable, multiple of 32 bit

The fields worth having active knowledge of: the flags (SYN, ACK, FIN, RST, PSH, URG) are what firewalls and scanners read — every nmap scan type (SYN scan, FIN scan, Xmas scan) is a game played with this byte, and abnormal flag combinations are a classic IDS signature. The window size implements flow control and fingerprints operating systems. The data offset exists because options make the header variable-length — and malformed values there have been the basis of more than one parser CVE.

IPv4 Address Classes

The historical classful division — obsolete for routing since CIDR (1993), still exam vocabulary:

  • Class A — 1.0.0.0–126.255.255.255 (8-bit network prefix): huge networks.
  • Class B — 128.0.0.0–191.255.255.255 (16-bit prefix).
  • Class C — 192.0.0.0–223.255.255.255 (24-bit prefix): the original note skipped this one, but the set is incomplete without it.
  • Class D — 224.0.0.0–239.255.255.255: multicast, not host addressing.
  • Class E — 240.0.0.0–255.255.255.255: reserved/experimental.

Modern practice thinks entirely in CIDR prefixes and the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) — which happen to carve one block each out of the old A, B, and C spaces.

DNS

A fully qualified domain name (FQDN) reads right to left through the hierarchy: the top-level domain (.net), the registered domain name (nettailor), and the subdomain or hostname (gitea) — gitea.nettailor.net., with the implicit root dot completing it.

DNS is security-critical because everything trusts it while it authenticates nothing (in its classic form) — subvert name resolution and you redirect traffic without touching the target. The attack inventory:

  • DNS poisoning (cache poisoning) — injecting forged records into a resolver’s cache, so every client it serves gets the attacker’s answer until the TTL expires. The Kaminsky attack (2008) showed this at scale; source-port randomization and DNSSEC are the responses.
  • HOSTS file alteration — the local shortcut: the hosts file overrides DNS entirely, so malware that edits it redirects the victim without any network attack at all.
  • Corrupting the IP configuration — point the victim at an attacker-controlled DNS server (rogue DHCP is the usual vehicle) and every lookup is attacker-answered.
  • Proxy falsification — same idea one layer up: subvert proxy settings (e.g. via WPAD/PAC) and route the victim’s web traffic through an attacker’s box.
  • Domain hijacking — stealing the domain itself at the registrar level, via compromised registrar credentials or social-engineered transfers. No packets involved; registrar-level MFA and transfer locks are the defense.

The pattern across all five: the attacker never breaks the target service — they break the path to it. Defenses follow the same logic: DNSSEC signs the answers, DoT/DoH encrypt the transport, and monitoring watches for resolution anomalies.

Wireless Networks

Identifier vocabulary: the SSID is the human-readable network name; the BSSID is the MAC address of one specific access point radio; the ESSID is the shared SSID spanning multiple APs in one extended service set — the thing that lets you roam a building without reassociating by hand.

The attack inventory:

  • War driving — systematically mapping wireless networks from a moving vehicle; war chalking was its street-notation companion (symbols marking open networks) — quaint now, but the recon phase it represents is not.
  • Replay attacks — capturing and re-transmitting valid wireless frames to trick the network into repeating an action or revealing keystream.
  • IV attacks — the WEP-killer: WEP’s 24-bit initialization vectors were so short they repeated within hours on a busy network, and reused IVs with RC4 leak keystream — collect enough traffic and the key falls out. The historical proof that protocol-level crypto mistakes are unfixable by configuration.
  • Rogue access points — unauthorized APs on the corporate network, whether malicious or just an employee’s convenience purchase; either way an unmanaged bridge past the perimeter.
  • Evil twin — the attacker’s AP broadcasting your SSID with stronger signal; clients auto-join and the attacker owns the on-path position. The reason certificate validation in enterprise Wi-Fi (see EAP below) matters so much: it’s the only thing distinguishing the real network from a perfect imitation.

Spread Spectrum and Modulation

The physical-layer techniques, in evolutionary order:

  • FHSS (Frequency Hopping Spread Spectrum) — transmitter and receiver hop across frequencies in a synchronized pseudorandom sequence. Resistant to narrowband interference and casual interception; Bluetooth’s heritage.
  • DSSS (Direct Sequence Spread Spectrum) — each data bit is spread across a wide band via a chipping code; early 802.11b.
  • OFDM (Orthogonal Frequency-Division Multiplexing) — data split across many closely packed orthogonal subcarriers; the basis of everything modern (802.11a/g/n/ac/ax, LTE, DSL). Not a security mechanism — but knowing which generation uses which explains their interference and performance behavior.

Network Authentication Protocols

The evolution here is a case study in learning from failure — each protocol fixes its predecessor’s specific weakness.

PAP — Password Authentication Protocol

The client sends username and password in plain text at connection start. No protection against sniffing, no protection against replay — PAP is the baseline everything else improves on, and its only legitimate modern appearance is inside an already-encrypted tunnel where the transport provides what PAP doesn’t.

CHAP — Challenge Handshake Authentication Protocol

The first fix: the password never crosses the wire. The server sends a variable challenge value; the client returns a hash of challenge + shared secret; the server, knowing the same secret, verifies. Replay protection comes from the incrementally changing identifier and the fresh challenge per authentication — a captured response is worthless next time. Used by PPP, and CHAP re-challenges periodically mid-session, catching connection hijacking after initial auth.

The residual weakness the original notes flagged correctly: both sides must store the plain-text shared secret — the server-side password store becomes the prize. (MS-CHAPv2 tried to improve on this and added its own famous weaknesses — cracking it is a commodity service.)

802.1X / EAP

802.1X is port-based network access control — the framework that keeps a switch port or Wi-Fi association useless until authentication succeeds. Three roles:

  • the supplicant — the client requesting access,
  • the authenticator — the switch or AP, which does no credential checking itself; it just relays and enforces,
  • the authentication server — typically RADIUS, usually backed by AD/LDAP, which makes the actual decision.

The clean separation is the design win: credentials and policy live centrally, the network edge just enforces verdicts. EAP (Extensible Authentication Protocol) is the carrier framework inside 802.1X — deliberately extensible, which produced a zoo of methods:

  • EAP-MD5 — a bare MD5 challenge/response: no server authentication, no tunnel, vulnerable to dictionary attacks and MITM. Weak; do not deploy.
  • LEAP — Cisco’s proprietary early method; broken (dictionary attacks — the asleap tool) and long deprecated even by Cisco.
  • EAP-TLS — mutual certificate authentication: PKI on both ends, client and server certificates, the TLS handshake itself is the authentication. The gold standard — effectively immune to password attacks and evil twins (the client verifies the server’s certificate before offering anything) — at the price of operating client-certificate lifecycle management, which is exactly the “complex and expensive” from the original notes. Modern MDM/SCEP deployment has shrunk that cost considerably.
  • EAP-TTLS — keeps the server certificate (so the tunnel and server authentication remain), drops the client certificate requirement: the client authenticates inside the tunnel with simpler methods (even PAP, safely, because the tunnel wraps it).
  • PEAP — Microsoft/Cisco/RSA’s sibling of TTLS: EAP within a TLS tunnel, server-certificate-only, client typically authenticating with MS-CHAPv2 inside. Ubiquitous in Windows shops. The operational pitfall for both PEAP and TTLS: clients that don’t validate the server certificate reopen the evil-twin door the tunnel was supposed to close — certificate validation must be enforced in the client profile, not left to user judgment.
  • PANA — Protocol for Carrying Authentication for Network Access: an IETF effort to carry EAP over IP (UDP) rather than at the link layer, handling key distribution, agreement, and derivation. Conceptually tidy, practically rare — recognize the acronym.

Secure Network Components

Firewalls

The generations, each defined by how deep into the stack it looks:

  • Stateful inspection firewalls — operate at layers 3 and 4, evaluating the state and context of traffic: a connection table tracks established flows, so return traffic is permitted because this specific connection was initiated from inside, not because some static rule allows the port. The baseline of every modern firewall; its blind spot is content — a permitted port carries whatever the application puts in it.
  • Circuit-level gateway firewalls — operate at the session layer (layer 5), validating that a session’s establishment is legitimate (handshake correctness, endpoints) and then relaying without inspecting content. SOCKS is the canonical implementation. Fast and content-blind by design.
  • Application-layer gateway firewalls (proxy firewalls) — terminate the client’s connection, understand the actual application protocol (HTTP, FTP, DNS), validate it semantically, and open their own connection to the destination. Maximum inspection depth and the ability to enforce protocol correctness — at a real performance cost, since every connection is fully proxied. The conceptual ancestor of today’s WAFs and forward proxies.
  • Deep packet inspection (DPI) firewalls — inspect the payload, not just headers: matching signatures, identifying applications regardless of port, spotting exfiltration patterns. The capability that dissolves the old “port = application” assumption — and the one that increasingly requires TLS interception to remain useful, with all the certificate-trust trade-offs that brings.
  • Next-generation firewalls (NGFW) — the multifunction consolidation: firewall, IDS/IPS, TLS proxy, web filtering, QoS, NAT, VPN termination, and antivirus in one device, with application- and user-aware policy (“marketing may use this SaaS app” instead of “TCP/443 permit any”). The consolidation is operationally attractive and architecturally double-edged: one box is one management plane, one performance bottleneck when every feature is enabled, and one very high-value target — NGFW management interfaces and VPN portals have been among the most exploited perimeter components of recent years. The defense-in-depth instinct from Domain 1 applies to the firewall itself: patch it like the critical system it is, and never expose its management plane.

Erstellt: 2026-07-08 — ausformulierte Fassung der Original-Stichpunkte, siehe Domain 4 - Communication and Network Security (Original-Stichpunkte)