Categories
/Path

/azure

My recent topic of curiosity for learning is Microsoft Office 365, specifically Defender XDR/Endpoint and Sentinel, which is a standard setup in many enterprises' in-house SOCs.

This is quite an interesting subject to learn: it involves the enterprise platform for managing security posture using an endpoint solution through Microsoft Defender for Endpoint and Defender XDR (for Cloud), and integrating a SIEM solution through Sentinel (plus Azure Logic Apps for SOAR).
The Microsoft Security services defend across the attack chain, following the MITRE ATT&CK framework.
Here are some useful reading resources to refer to.

Categories
/Path

/grc

This new term got into me lately for various reasons. Firstly, I never knew such a career path existed in cybersecurity apart from in-depth analyst roles branched as RED/BLUE in Security Operations.

Thanks to Abed Hamdan for his Cyber Security Governance, Risk, and Compliance (GRC) Mastery program (https://grcmastery.com/courses/). This is an eye-opener and a complete guide for anyone who intends to enter the field of GRC.
LinkedIn: https://www.linkedin.com/in/abedhamdan/

Each time I go through the notes/videos it adds more in-depth understanding, which I can relate to my current role as a SOC analyst.

Next, I would like to thank Prabh Nair for all his articles, podcasts and YouTube videos related to GRC concepts, ISO 27001, NIST and other frameworks.
YouTube: https://youtube.com/@prabhnair1?si=4UliFBYId4XP2qaS
LinkedIn: https://www.linkedin.com/in/pcissp/

I hope these links will be very helpful for guys who would like to enter the GRC field.

Categories
/Path

/isaca

Having been attached to the cybersecurity field for a while now, I got introduced to the ISACA organization and all their industry-recognized certifications.
This is when I read related articles about CISA and began preparing for the exam. It was quite a calculated, busy journey until I passed the exam. So I thought I would record my study reference links here for any future use.

#ISACA CISA COMPLETE COURSE TUTORIAL LESSON (https://youtu.be/K74SYpsx9UU?si=6efvCUiwT9IlUssS)

#How to Prepare for CISA 2021 Step by Step Process
(https://youtu.be/hQBBqy2zYuI?si=5NUaFIBAlSzhwGCY)

#CISA Cert Prep: 1 Auditing Information Systems for IS Auditors by Michael Lester, Steven Bennett, Human Element LLC, and Jordan Genung (https://www.linkedin.com/learning/cisa-cert-prep-1-auditing-information-systems-for-is-auditors?u=0)

#How to pass the CISA Exam | CISA Exam Preparation Strategy 2024 (https://youtu.be/HjvIxoK6TiY?si=OU4G_fMVQ0NNMsUk)

#Free CISA Practice Quiz
(https://www.isaca.org/credentialing/cisa/cisa-practice-quiz)

#What is covered on the CISA exam?
(https://www.isaca.org/credentialing/cisa/cisa-exam-content-outline)

Categories
/Notes

/soc_basics

Sharing here some of the basic concepts which an entry-level analyst should know for a SOC role.
OWASP Top 10
The Open Worldwide Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation.

OWASP Top 10 is the foundational list of the most commonly seen application vulnerabilities. The Top 10 currently includes:

Broken Access Control
Cryptographic Failures
Injection attacks
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Broken Authentication
Security Logging and Monitoring Failures
Server-Side Request Forgery

A WAF is typically a reverse proxy (deployed in front of servers), while NGFWs are often forward proxies (used by clients such as a browser).
Traffic analysis
Traffic analysis is one of the essential approaches used in network security, and it is part of multiple disciplines of network security operations listed below:

Network Sniffing and Packet Analysis
Network Monitoring
Intrusion Detection and Prevention
Network Forensics
Threat Hunting

There are two main techniques used in Traffic Analysis:
Flow Analysis
Collecting data/evidence from the networking devices. This type of analysis aims to provide statistical results through the data summary without applying in-depth packet-level investigation.

Packet Analysis
Collecting all available network data. Applying in-depth packet-level investigation (often called Deep Packet Inspection (DPI)) to detect and block anomalous and malicious packets.

Benefits of the Traffic Analysis:
Provides full network visibility.
Helps with comprehensive baselining for asset tracking.
Helps to detect/respond to anomalies and threats.
Why SOC
=======
Compliance Purpose
Log management
Events Monitoring
Threat Response

SOC Types
=========
Private SOC - On-premises, dedicated to one enterprise.
Hybrid SOC - On-premises SOC team works with external experts to run the SOC operations.
Command SOC - High-level SOC which oversees multiple lower-level SOCs in multiple geographical regions.
MSSP/Outsourced SOC - Managed Security Service Provider.
Virtual SOC - Team is distributed across different regions and works remotely.

SOC Agenda
==========
Process
Alerts
Investigation
Incidents
Reports

SOC Processes
=============
Alerts/Alarm/notification/offenses
Alert fatigue **
Assignment
Triage
Investigation

Closure (false positive, category)
Client Confirmation (need more info, so create ticket/email to client)
Detection Engineering (repeated false positive/noise to fine tune the alert)
Cyber Threat Intelligence (artifacts related to some malicious file, so involve/Escalate CTI to confirm)
L2 Escalation
Incident Response

why, who, what, where, how,
Orchestration
SOAR
Security Orchestration, Automation and Response.
Security Orchestration is a method of connecting disparate security technologies through standardized and automatable workflows that enable security teams to effectively carry out incident response and security operations.

Security Technologies
Ticketing
DLP
SIEM
EDR
CTI(TIP)
Email and Web gateways
Network Security
Vulnerability Management
Cloud Tools
IAM/PAM

Automatable Workflows
====================
Finding indicator reputation from CTI tools.
Managing tickets in ticketing platform.
Isolating machines?
Sending emails to affected users?

Manual
=======
Processes which cannot be automated:
collecting further evidence
resolving an alert that depends on user approval
pivoting during an investigation based on the information gained.

Eg:
#An alert fires from the SIEM
#we triage the alert
#SOAR triages the alert, finds the hash of the file and sends it to the TIP
#if the TIP reports that the hash has a bad reputation
#Orchestration contacts the EDR and pushes an instruction/rule to block this file hash
#SOAR performs a search on the SIEM solution and finds other endpoints that have this hash
#It follows the playbook steps one by one, finishing by closing the alert as a false positive or flagging it for manual intervention.
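The hash-reputation playbook above, as an added example (not code from these notes): the TIP, EDR and SIEM connectors are in-memory stand-ins for vendor APIs (an assumption so it runs offline), and the reputation table and SIEM events are constructed sample data.

```python
"""Simulated SOAR playbook for the file-hash alert flow described above.

Added example, not code from the original notes. The TIP, EDR and SIEM
connectors are in-memory stand-ins for vendor APIs (an assumption, so the
block runs offline); the reputation table and SIEM events are constructed.
"""
from dataclasses import dataclass, field

# Constructed threat-intel reputation table keyed by SHA-256 (placeholder hashes).
TIP_REPUTATION = {
    "a" * 64: "malicious",
    "b" * 64: "clean",
}

# Constructed SIEM process-creation events from several endpoints.
SIEM_EVENTS = [
    {"host": "ws-01", "event": "process_create", "sha256": "a" * 64},
    {"host": "ws-07", "event": "process_create", "sha256": "a" * 64},
    {"host": "srv-03", "event": "process_create", "sha256": "b" * 64},
]


@dataclass
class Alert:
    alert_id: str
    host: str
    sha256: str


@dataclass
class PlaybookResult:
    disposition: str                      # "false_positive", "blocked" or "manual"
    blocked_hashes: list = field(default_factory=list)
    affected_hosts: list = field(default_factory=list)
    actions: list = field(default_factory=list)   # audit trail of playbook steps


class TipConnector:
    """Step: send the file hash to the TIP and read back its reputation."""

    def reputation(self, sha256):
        return TIP_REPUTATION.get(sha256, "unknown")


class EdrConnector:
    """Step: push a block rule for the hash to the EDR."""

    def __init__(self):
        self.blocklist = set()

    def block_hash(self, sha256):
        self.blocklist.add(sha256)


class SiemConnector:
    """Step: search the SIEM for other endpoints that saw the same hash."""

    def hosts_with_hash(self, sha256):
        return sorted({e["host"] for e in SIEM_EVENTS if e["sha256"] == sha256})


def run_playbook(alert, tip, edr, siem):
    """Run the playbook steps in order and return the final disposition."""
    result = PlaybookResult(disposition="manual")
    rep = tip.reputation(alert.sha256)
    result.actions.append(f"tip_lookup:{rep}")
    if rep == "clean":
        # Known-good hash: close as false positive, no further steps.
        result.disposition = "false_positive"
        return result
    if rep == "malicious":
        edr.block_hash(alert.sha256)
        result.blocked_hashes.append(alert.sha256)
        result.actions.append("edr_block")
        # Scope the incident: which other endpoints executed the same file?
        result.affected_hosts = siem.hosts_with_hash(alert.sha256)
        result.actions.append(f"siem_search:{len(result.affected_hosts)}")
        result.disposition = "blocked"
        return result
    # Unknown reputation: the playbook stops and hands over to an analyst (L2).
    result.actions.append("escalate_l2")
    return result


def run_sample(sha256):
    """Convenience wrapper: run one constructed alert through fresh connectors."""
    alert = Alert(alert_id="ALRT-0001", host="ws-01", sha256=sha256)
    return run_playbook(alert, TipConnector(), EdrConnector(), SiemConnector())
```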

Automation
Executing a single task on its own, repeatedly.

Orchestration
Multiple single tasks are executed together as a workflow.

Task -> Automation -> Orchestration

Workflows
========
Playbooks
A step-by-step plan of action that serves as the response to the different scenarios which may arise;
it depends on the event type, organization policies and structure.

Playbooks become the basis for Orchestration.
EDR
===
Endpoint
Detection
Response

Solution that 'records behavior' on 'endpoints', detects suspicious 'behavioral patterns' using data analytics and context-based information, 'block threats', and helps security analysts 'remediate' and restore compromised systems.

EDR collects:
==============
Network connections
Process Executions
Registry Modifications
Currently Running Processes
Cross Process Events

EDR Solutions in Market:
===========================
VMware Carbon Black
Endgame
CrowdStrike Falcon
SOC technology
SIEM
EDR - visibility on the below:
process creation, network connections, file creation, registry modifications, DLL injections, whether a connection to the internet was made, whether any files were downloaded while connected, or any other behaviour.

Ticketing System - Service Now/Jira
Threat Intelligence Platform - TIP
SOAR - automate

Types

Internal SOC - the company's own internal team alone.
Distributed SOC - small or big.
Global SOC - 8-to-5 shifts in different regions.
Co-Managed SOC - agreement signed with a vendor.

L1 Analyst
Alert Triage
1st Line of Defense
Identifying anomalies
Performing Investigations
Raising requests for whitelists or escalating to L2

L2 Analyst
Monitoring Alerts
Threat Hunting
Resource Mentoring
Creating & Approving Whitelists
Handling Escalated Investigations

SOC Lead/L3 Analyst
Client Onboarding
Incident Management
Report and Documentation
Stakeholder Communication (Technical)

SOC Manager
Strategy and Road Map Development
Addition of new services
OPEX and CAPEX
Resource Training
Coordination with all stakeholders
Responsible for Security Operations

SIEM Engineer
Detection Use cases
SIEM Administration
Assisting SOC resources with Reports and Queries
Reporting and Dashboards

End Result
Threat Monitoring
Incident Response
Risk Management
Threat Intelligence
Vulnerability Management

Process - Series of actions
Monitoring
Alerting and Investigation
Escalation Process
Contextual Information Gathering
Incident Declaration
Incident Reporting
Report Sharing
Asset Discovery

Summary
Who will perform this action?
What will trigger the action?
How will the action be performed?
Who is involved in the action?


Pyramid of Pain and Indicator of Compromise
Indicator of Compromise
Indicator of Attack
Hashes
IPs
Domains
Network
Host
Tools
TTP

Threat Intelligence
IT Analyst - Use the threat intelligence in preventive defense
SOC Analyst - Enhance detection capabilities of the organization
Incident Response - Enhanced and Well-informed capabilities for incident response.
Threat Intel Analyst - Rapidly extract more details about specific threat actors.
Risk Analyst - Accurate and timely information about the vulnerabilities.
Executive Management - Understanding the risks an organization faces and correlating them with threat intelligence reports to make informed decisions.

Malware
Malicious Software
causes harm to a user, computer or an environment
it could be a virus, trojan, worm, ransomware etc.

Virus - a piece of code that attaches itself to a host/exe file and spreads across computers and networks.
Trojan - acts like a legitimate program while taking control of the user's computer and stealing data.
Ransomware - malware specifically designed so that the user cannot access their data unless they pay a ransom.

Malware Analyst
will prepare a profile of the malware after analyzing it.
(please refer to the SIEM points)
behaviour of the threat actor
indicators of attack & compromise
goals the attacker wants to achieve

Contextual information
artifacts collection
Behavior understanding
Defense Enhancement
Automating Future Detections

Stages of Malware Analysis
Automated - use the sandbox
Static - understand what this file is (DLL, EXE, ...).
Dynamic - run the file in a safe environment and see what changes in the system: any internet connection, registry changes, changes in the file system, process changes.
Manual - open the file in a tool and go through the code.

How to protect yourself
use VPN
Protect your machine (use a VM)
Isolated Systems

Online Resources
Virus Total - Free service that analyzes files and URLs for viruses, worms, trojans and other malicious content.
Virus scan - Free online scan service which checks uploaded files for malware using antivirus engines.
Hybrid Analysis - File analysis approach that combines runtime data with memory dump analysis to extract all possible pathways even for the most evasive malware.
Any.Run - An interactive malware analysis sandbox

Categories
/Path

X #following

Some of my top follows on the X (formerly Twitter) platform for security updates from well-known individuals' posts.
@unixguy_cyber
@7h3h4ckv157
@F5
@marcusjcarey
@hacks4pancakes
@AlyssaM_InfoSec
@InfoSecSherpa
@cyb3rops
@TenableSecurity
@Hacker0x01
@BHinfoSecurity
@threatpost
@MITREattack
@EHackerNews
@CISACyber
@TCMSecurity
@DarkReading
@briankrebs
@DanielMiessler
@troyhunt
@RealTryHackMe
@TheHackersNews
@Malwarebytes
@HackRead
@LuminisConsult


Categories
/Notes

/linux_notes

Sharing some of my Linux notes made during my learning time.
Linux Core Concepts
Kernel versions
uname
Linux

uname -r
4.15.0-72-generic

4 - kernel version
15 - major version
0 - minor version
72 - patch release
generic - distro-specific info

Memory
Kernel Space - kernel code, kernel extensions, device drivers
User Space - Application/Programs
System Calls

Working with Hardware
USB device -> Device Driver (kernel space) -> uevent -> udev (user space) -> /dev/sdb1

dmesg
dmesg | grep -i usb

udevadm
udevadm info --query=path --name=/dev/sda5
udevadm monitor

lspci
ethernet card, raid controller, wireless,

lsblk
block devices
sda
sda1

lscpu
CPU architecture
core, threads, model

lsmem
lsmem --summary
online mem
offline mem

free -m
total vs used memory

lshw
entire hardware configuration

sudo
(root user privilege)
Linux Boot Process
BIOS POST
Boot Loader
Kernel Initialization
INIT Process


ls -l /sbin/init
-> /lib/systemd/systemd

systemd Targets
runlevel
N 3

N 5
RunLevel
5 - Boots in a graphical Interface (display manager service enabled)
3 - Boots into a command line interface

systemctl get-default
graphical.target

ls -ltr /etc/systemd/system/default.target

systemctl set-default multi-user.target
File Types in Linux
Regular - Images, scripts, config/data files
directory - /home/bob, /root, /home/bob/code-directory
special files
character files - mouse, keyboard
Block files - Block devices
Links - Hard links, Soft Links
Sockets files
Named Pipes

display the file type
file /home/michael/
:directory

file bash-script.sh
:Bourne-Again Shell script, UTF-8

file insync1000.sock
: socket

file /home/michael/bash-script
:symbolic link to /home/sara/bash-script.sh

ls -ld /home/michael/
drwxr-xr-x
Filesystem Hierarchy
/opt - third-party applications, e.g. a web application
/mnt - temporary mount location
/tmp - temporary data
/media - all external media
/bin - essential binaries, e.g. mkdir
/etc - configuration files
/lib - shared libraries
/usr - user applications, e.g. thunderbird
/var - logs, cache

df -hp
(list of mounted devices)
Linux Package Management
DPKG/APT
Ubuntu / Debian

RPM
RedHat, CentOS

.DEB - Ubuntu, Debian, Linux Mint
.RPM - RHEL, CentOS, Fedora

Types of Package Managers
DPKG
APT
APT-GET
RPM - Redhat Linux, CentOS, Fedora
YUM
DNF

RPM
====
Installing
rpm -ivh telnet.rpm

Uninstalling
rpm -e telnet (takes the package name, not the .rpm file)

Upgrade
rpm -Uvh telnet.rpm

Query
rpm -q telnet (query an installed package by name; rpm -qp telnet.rpm queries the file)

Verifying
rpm -Vf <path to file>

YUM
===
yum install httpd

yum repolist

yum provides scp

yum remove httpd

yum update telnet

yum update

DPKG and APT
================
DPKG Utility
Debian package manager
Installing
dpkg -i telnet.deb

Uninstalling
dpkg -r telnet (takes the package name, not the .deb file)

List
dpkg -l telnet

Status
dpkg -s telnet

Verifying
dpkg -V telnet (verify the installed files of a package)
dpkg -S <path to file> (find the package that owns a file)

APT /APT-GET
============
Higher-level Debian package manager

apt install gimp
apt-get install gimp

APT
====
apt update
apt upgrade
apt edit-sources

apt install telnet
apt remove telnet
apt search telnet

apt list | grep telnet
File Compression and Archival
Viewing file sizes
du -sk test.img
(size in KB)
du -sh test.img
98M
ls -lh test.img
-rw-rw-r-- 1 99M Mar 13 15:48 test.img

Archiving files
tar -cf test.tar file1 file2 file3 (c - create archive, f - archive filename)
ls -ltr test.tar

tar -tf test.tar (used to list the contents)
./file1
./file2
./file3

tar -xf test.tar
(used to extract the contents of the tar)

tar -zcf test.tar.gz file1 file2 file3
(to create a gzip-compressed archive)

compressing
============
bzip2
gzip
xz

Uncompressing
===============
bunzip2
gunzip
unxz

zcat/bzcat/xzcat
can read the file without uncompressing
Searching for files and directories
locate city.txt

updatedb

find /home/michael -name city.txt

GREP
====
to search a word in a file
case sensitive
grep second sample.txt

insensitive
grep -i capital sample.txt

grep -r "third Line" /home/michael

grep -v "printed" sample.txt
prints the lines that do not match the string

grep -w exam examples.txt
to search for a whole word

grep -vw exam examples.txt
prints the lines that do not contain the whole word

grep -A1 Arsenal premier-league-table.txt
searches and prints the matching line and one line below it

grep -B1 4 premier-league-table.txt
prints the matching line and one line above it

grep -A1 -B1 Chelsea premier-league-table.txt
prints the matching line and one line below and above it

IO Redirection
==============

Standard Input
Standard Output
Standard Error

Redirect STDOUT
---------------
echo $SHELL > shell.txt
(will overwrite the file)

echo "this is the bash shell" >> shell.txt
(will append to the file)

Redirect STDERR
-----------------
cat missing_file 2> error.txt
(creates error.txt, overwriting it)

cat missing_file 2>> shell.txt
(will append)

cat missing_file 2> /dev/null
(redirects the error so it is not displayed on screen)
/dev/null is referred to as the bit bucket
command line Pipes
grep Hello sample.txt | less
Hello There!
(END)

less sample.txt
(displays all lines in the file, a page at a time)

echo $SHELL | tee shell.txt
(writes the output to the screen and to shell.txt, overwriting the file)

echo "this is the bash shell" | tee -a shell.txt
(writes the output to the screen and appends it to shell.txt)
File Systems
ext2
max file system 2TB
max vol size 4TB

ext3
quicker startup after an ungraceful shutdown

ext4
max 16TB file size
max 1 Exabyte volume size

mkfs.ext4 /dev/sdb1
mkdir /mnt/ext4;
mount /dev/sdb1 /mnt/ext4

mount | grep /dev/sdb1

df -hp | grep /dev/sdb1

/etc/fstab
echo "/dev/sdb1 /mnt/ext4 ext4 rw 0 0" >> /etc/fstab
creating partition
lsblk
sdb
gdisk /dev/sdb
(like fdisk, for GPT)

?
to list all options

n        (new partition)
1        (partition number)
2048     (first sector)
4194306  (last sector)

w        (write the table to disk)
will create /dev/sdb1

sudo fdisk -l /dev/sdb
to see the partition details
storage basics
/dev
block storage devices
SSD/HDD

lsblk
ls -l
b (first character)

sda - entire disk
sda1, 2, 3 - partitions
major: 8 (sd devices)
minor: partition numbers

sudo fdisk -l /dev/sda
print partition info

partition types
primary - to boot OS
extended - cannot be used as its own. can have four logical partitions

MBR - master boot record
can have only four primary per disk
2 TB max

GPT
GUID partition Table
can have unlimited primary partitions
no disk space limitation
Troubleshooting Network
ip link
to check whether the interface is up

nslookup caleston-repo-01
to see whether the name resolves to an IP

ping caleston-repo-01

traceroute 192.168.2.5

netstat -an | grep 80 | grep -i LISTEN
to see whether port 80 is listening

ip link
(on server side)

ip link set dev enp1s0f1 up
(to set the network interface of server up)
Record types
A - web-server - IPv4 192.168.1.1
AAAA - web-server - IPv6
CNAME - food.web-server - eat.web-server, hungry.web-server

nslookup www.google.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Switching & Routing
ip link
(to check the interface for the host)

ip addr

ip addr add 192.168.1.10/24 dev eth0
(add host ip to the network)


Router
------
Gateway
route
(to check the routing info, gateway)

ip route

ip route add 192.168.2.0/24 via 192.168.1.1

ip route add default via 192.168.2.1 (network gateway add)
(default can be 0.0.0.0)


/etc/network/interfaces
SSH and SCP
SSH
log in to a remote computer
ssh <hostname or IP address>
ssh <user>@<hostname or IP address>
ssh -l <user> <hostname or IP address>

ssh devapp01
keypair
private+public

password-less ssh
ssh-keygen -t rsa

public key stored under
/home/bob/.ssh/id_rsa.pub

Private key
/home/bob/.ssh/id_rsa

to copy public key to transfer to remote system
ssh-copy-id bob@devapp01

stored in remote server under
cat /home/bob/.ssh/authorized_keys

scp
----
copy files from client to webserver
scp /home/bob/caleston-code.tar.gz devapp01:/home/bob

scp /home/bob/caleston-code.tar.gz devapp01:/root

scp -pr /home/bob/media/ devapp01:/home/bob

DNS
====

/etc/hosts
/etc/resolv.conf (point to a name server)
nameserver 192.168.1.100
search mycompany.com


/etc/nsswitch.conf (controls the lookup order, i.e. which source is consulted first)
Access control files
grep -i ^bob /etc/passwd
username:password:uid:gid:gecos:homedir:shell


/etc/shadow
(password are stored, contents are hashed)
username:password:lastchange:minage:maxage:warn:inactive:expdate


/etc/group
name:password:gid:members

Linux file permissions
-----------------------
-rwx rwx r-x

-regular file
first 3 -owner
second 3 - group
third 3 - others

r - 4
w - 2
x - 1
- - no permission 0

modifying file permission
-------------------------
chmod <permission> file

chmod u+rwx test-file
chmod ugo+r-x test-file
chmod o-rwx test-file
chmod u+rwx,g+r-x,o-rwx test-file (no spaces between the comma-separated clauses)

chmod 777 test-file
chmod 555 test-file
chmod 660 test-file
chmod 750 test-file
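The symbolic and octal forms above, worked as an added example (not code from these notes): a small parser that applies chmod-style clauses such as u+rwx,g+r-x,o-rwx to a numeric mode and converts between the ls -l string and the octal value. It handles only rwx bits (no setuid/setgid/sticky) and, as a simplification, treats a clause with no class letters as applying to all classes without consulting the umask.

```python
import re

# Bit masks for the three permission classes and the three permission letters.
CLASS_BITS = {"u": 0o700, "g": 0o070, "o": 0o007}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}

# One clause: optional class letters followed by one or more op/letters pairs.
_CLAUSE = re.compile(r"^([ugoa]*)([+\-=][rwx]*)+$")


def apply_symbolic(mode, expr):
    """Apply a chmod symbolic expression (e.g. 'u+rwx,g+r-x,o-rwx') to a
    numeric mode and return the resulting mode (rwx bits only)."""
    for clause in expr.split(","):
        if not _CLAUSE.match(clause):
            raise ValueError(f"bad chmod clause: {clause!r}")
        who = re.match(r"[ugoa]*", clause).group(0)
        # No class letters, or 'a', means all three classes (umask ignored here).
        classes = "ugo" if (who == "" or "a" in who) else who
        class_mask = 0
        for c in classes:
            class_mask |= CLASS_BITS[c]
        # A clause may chain several operations, e.g. 'g+r-x' = add r, remove x.
        for op, perms in re.findall(r"([+\-=])([rwx]*)", clause):
            perm_mask = 0
            for p in perms:
                perm_mask |= PERM_BITS[p]
            bits = perm_mask & class_mask
            if op == "+":
                mode |= bits
            elif op == "-":
                mode &= ~bits
            else:  # '=' replaces the selected classes' bits entirely
                mode = (mode & ~class_mask) | bits
    return mode & 0o777


def to_rwx(mode):
    """Render a numeric mode the way 'ls -l' shows it: 0o750 -> 'rwxr-x---'."""
    out = []
    for shift in (6, 3, 0):          # owner, group, others
        trip = (mode >> shift) & 7
        out.append(("r" if trip & 4 else "-")
                   + ("w" if trip & 2 else "-")
                   + ("x" if trip & 1 else "-"))
    return "".join(out)


def from_rwx(text):
    """Parse an 'ls -l' permission string back into octal: 'rwxr-xr-x' -> 0o755."""
    if len(text) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for i, ch in enumerate(text):
        if ch != "-":
            mode |= 1 << (8 - i)
    return mode
```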

change ownership
----------------
chown owner:group file

chown bob:developer test-file
chown bob andoid.apk

chgrp android test-file
managing users
useradd bob

grep -i bob /etc/passwd

grep -i bob /etc/shadow

passwd bob

whoami

passwd (user change password)

delete user account
userdel bob
groupadd -g 1011 developer
groupdel developer

switching users
---------------

su -
password:

su -c "whoami"
password:
(not recommended as you need the password of the user you are switching to)

better
sudo apt-get install nginx
[sudo] password for michael:

cat /etc/sudoers

only users listed here can use sudo command

visudo
(used to edit the list)

/etc/sudoers

no login shell
grep -i ^root /etc/passwd

(no one can login to root with password directly)

user privilege specification
(refer screenshot)
Account Types
User account
Superuser account - root
System Accounts - ssh, mail
Service Accounts - nginx, mercury

id
who - shows who is currently logged in to the system
last - displays all logged-in users, with reboot dates and times
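An added example (not code from these notes) tying together the /etc/passwd and /etc/shadow field layouts above, the no-login-shell point for root, and the account types: it parses both files and reports the findings a SOC analyst would check for. The passwd/shadow contents are a constructed sample embedded below; on a real host you would read the two files (reading /etc/shadow needs root).

```python
from dataclasses import dataclass

# Constructed sample in the username:password:uid:gid:gecos:homedir:shell layout.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
bob:x:1000:1000:Bob:/home/bob:/bin/bash
backup-op:x:0:0:legacy backup:/var/backups:/bin/sh
nginx:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc-legacy:x:995:995::/srv/legacy:/bin/bash
svc-mercury:x:1002:1002::/srv/mercury:/bin/bash
"""

# Constructed sample in the username:password:lastchange:minage:maxage:warn:inactive:expdate layout
# ("!" or "*" in the password field locks password login; an empty field means no password).
SHADOW_SAMPLE = """root:!:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
sshd:*:19700:0:99999:7:::
bob:$6$saltsalt$placeholderhash:19700:0:99999:7:::
backup-op::19700:0:99999:7:::
nginx:*:19700:0:99999:7:::
svc-legacy:*:19700:0:99999:7:::
svc-mercury:$6$abcd$placeholderhash:19700:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str
    pw: str = "x"   # hashed password field from /etc/shadow once merged


def parse_passwd(text):
    """Parse /etc/passwd lines into Account objects keyed by username."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        accounts[name] = Account(name, int(uid), int(gid), gecos, home, shell)
    return accounts


def merge_shadow(accounts, text):
    """Copy the hashed password field from /etc/shadow onto each account."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if fields[0] in accounts:
            accounts[fields[0]].pw = fields[1]


def audit(accounts):
    """Return (username, finding) pairs for the conditions worth escalating."""
    findings = []
    for a in accounts.values():
        # A second UID-0 account is root-equivalent and must be explained.
        if a.uid == 0 and a.name != "root":
            findings.append((a.name, "uid0_not_root"))
        # Empty hash field: the account can log in with no password at all.
        if a.pw == "":
            findings.append((a.name, "empty_password"))
        # The notes expect root password login to be disabled ("!"/"*" lock it).
        if a.name == "root" and a.pw not in ("", "x") and not a.pw.startswith(("!", "*")):
            findings.append((a.name, "root_password_login_enabled"))
        # System/service accounts (UID below 1000) should not have an interactive shell.
        if 0 < a.uid < 1000 and a.shell not in NOLOGIN_SHELLS:
            findings.append((a.name, "system_account_with_shell"))
    return findings


def audit_sample():
    accounts = parse_passwd(PASSWD_SAMPLE)
    merge_shadow(accounts, SHADOW_SAMPLE)
    return audit(accounts)
```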

Categories
/Notes

/network_notes

List of basic network commands collected during my tenure as a Network Engineer.
Health Check
Switch CPU, Memory, File System, Environment resources

show version | inc software | uptime | Last
show process cpu
show process cpu detailed
show process cpu sorted
show process cpu sorted | ex 0.00
show process cpu history
show process memory sorted
show file systems
dir filesystem
dir crashinfo
show environment all
show environment stack
show spanning-tree summary
show spanning-tree detail

show logs
show proc cpu
show proc mem
show env all
show test
show mod
show version (uptime)
create switch hostname and enable password
Switch>enable
Switch#conf t
#hostname Test-Switch
#enable password Cisco (enable secret, as used later in these notes, stores the password hashed and is preferred over enable password)
create VLAN
#conf t
#vlan 10
#name sales
#exit
configure interface to VLAN
To make an interface an access port:
----------------------------------------
config t -> go to interface
switch(Config)# interface range FastEthernet 1/1-2
switch(Config-if-range)#switchport mode access
switch(Config-if-range)#switchport access vlan 10
switch(Config-if-range)#exit

To view Vlan details:
--------------------
switch#show vlan brief


To view the trunk port:
-----------------------
switch#show int trunk
To make a port as trunk port:
------------------------------
switch(config)#int fastethernet 0/5
switch(config-if)#switchport mode trunk
switch(config-if)#switchport trunk allowed vlan 10,20
switch(config-if)#exit
configure range of interface to VLAN
#conf t
#interface range fastethernet 0/2-10
#switchport mode access
#switchport access vlan 10
#exit
how to assign IP address to VLAN
#conf t
#interface vlan 10
#ip address 10.10.10.1 255.255.255.0
#exit

#show ip interface brief
configure inter VLAN routing
#conf t
#ip routing

Inter-VLAN routing or Router on a Stick
-----------------------------
To communicate between two different VLANs on different switches through a router or a layer 3 switch.

Router configuration:

Router#config
Router(config)#interface fastethernet 0/0.10 (sub interface)
Router(config-subif)#encapsulation dot1q 10 (vlan id)
Router(config-subif)#ip address 10.0.0.50 255.255.255.0 (gateway ip of the vlan)
Router(config-subif)#no shutdown
Router(config-subif)#exit

Router#show ip route
DHCP server configure in switch:
#config t
#ip dhcp pool 10 (pool name)
#network 10.10.10.0 /24
#default-router 10.10.10.1 (same as the vlan ip)
#exit

exclude ip address from dhcp ip pool:

#ip dhcp excluded-address 10.10.10.1 10.10.10.10

** to save the running configuration
#copy running-config startup-config
upgrade firmware
Backup/upload firmware:
#show flash
#copy flash tftp
source file?

delete firmware:
switch#delete flash://c3750-ipbase-mz.122-35.se5
Reset password for Router
Reboot the router and send a break to enter ROMMON mode.
rommon 1 > confreg 0x2142
rommon 2 > reset

after booting.
Router>
Router>enable
Router#copy startup-config running-config
(copies the old configuration into the running configuration)
ASRR431#conf t
ASRR431(config)#enable secret Cisco123
ASRR431(config)#exit
ASRR431#wr

ASRR431#conf t
ASRR431(config)#config-register 0x2102
ASRR431(config)#exit
ASRR431#wr
Trunk link configuration between two switches (port 48)
show run interface fastethernet 0/48
show interface trunk

#conf t
#interface fastethernet 0/48
#switchport trunk encapsulation dot1q
#switchport mode trunk
#exit

#switchport nonegotiate (disables DTP negotiation, for the safe side)
BGP Basics and Commands
show ip bgp neighbor x.x.x.x advertised-routes
show ip bgp
show ip bgp neighbor x.x.x.x received-routes

BGP Basics
---------
Protocol - IP
TYPE - Path vector
Transport - TCP (Port 179)
Administrative Distance - eBGP 20
Administrative Distance- iBGP 200
Metric = Attributes (weight, local preference, next hop, etc.)
Routing protocol of internet
PBR - Policy based routing, gives more control to administrator.
GRT - Global Routing table.
Range of ASN - 0 to 65535
0 and 65535 - Reserved
1-64511 - Internet Routing ISP
64512 - 65534 - Private User.
convergence is very slow
timers - keepalive (hello) 60 sec
hold (dead) - 180 sec

External BGP or eBGP - BGP adjacencies between different autonomous systems. Runs between ASes.
Internal BGP or iBGP - BGP adjacencies within the same autonomous system.


BGP Neighbor States
-------------------
1.Idle, 2.Connect, 3.Active 4.Opensent, 5.Openconfirm, 6.Established

BGP Message type
----------------
Open, Update, Keepalive, Notification

BGP Troubleshooting commands
----------------------------
show ip route [bgp] - to show BGP routes in the routing table
clear ip bgp * [soft] - to reset a BGP connection (soft reset keeps the session up)
debug ip bgp [....] - to debug BGP communication packets
Rx#show ip bgp summary - to check neighbor status
Rx#show ip bgp neighbor <Neighbor-IP> - to verify neighbor detail information
Rx#show tcp brief - to verify TCP socket details
Rx#show process cpu - to verify the BGP running process

Autonomous System:
------------------
It is a collection of networks/routers under a single common administrative domain (e.g. ABC organisation).

IGP, EGP (BGP)
Service providers use BGP

When exchanging routes between two or more AS numbers, the protocol used is BGP.

Path vector
-----------
Sending route information with AS_path information.

BGP Features
-------------
Manual neighbour configuration
Loop prevention mechanism - whenever an AS sees its own AS number in the AS_PATH, it will not accept the route information.
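The path-vector and loop-prevention points above, as an added example (not code from these notes): ASN range classification from the notes' table, AS_PATH prepending when advertising to an eBGP neighbour, the own-ASN rejection check, and a small flood simulation over a constructed three-AS triangle showing the check cutting the loop. The topology and ASNs are constructed sample values.

```python
# ASN ranges as listed in the notes (16-bit ASNs only).
RESERVED_ASN = {0, 65535}
PRIVATE_ASN = range(64512, 65535)      # 64512-65534


def asn_class(asn):
    """Classify a 16-bit ASN as reserved, private or public."""
    if asn in RESERVED_ASN:
        return "reserved"
    if asn in PRIVATE_ASN:
        return "private"
    if 1 <= asn <= 64511:
        return "public"
    raise ValueError("ASN outside the 16-bit range")


def accept_update(local_asn, as_path):
    """eBGP loop prevention: reject an UPDATE whose AS_PATH already carries our own ASN,
    because that route has already passed through us."""
    return local_asn not in as_path


def advertise(local_asn, as_path, to_neighbor_asn):
    """Path-vector behaviour: prepend our ASN when sending to an eBGP neighbour;
    an iBGP neighbour (same AS) receives the AS_PATH unchanged."""
    if to_neighbor_asn == local_asn:
        return list(as_path)
    return [local_asn] + list(as_path)


def propagate(topology, origin_asn):
    """Flood one prefix originated by origin_asn through a graph of ASes.

    topology maps each ASN to its neighbour ASNs. Each AS keeps the shortest
    AS_PATH it has accepted; the loop check records every rejected advertisement.
    Returns (rib, rejected) where rib[asn] is the AS_PATH that AS uses ([] at the
    origin) and rejected is a list of (receiver_asn, as_path) pairs.
    """
    rib = {origin_asn: []}
    rejected = []
    queue = [origin_asn]
    while queue:
        sender = queue.pop(0)
        for nbr in topology[sender]:
            path = advertise(sender, rib[sender], nbr)
            if not accept_update(nbr, path):
                rejected.append((nbr, path))
                continue
            if nbr not in rib or len(path) < len(rib[nbr]):
                rib[nbr] = path
                queue.append(nbr)
    return rib, rejected
```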

Interfaces checking
show interfaces
show interface status
show interfaces status err-disabled
show run int Fo4/0/9
show interfaces accounting
show mac address-table
show mac address-table interface Gi1/0/1
show module
show log
Firewall allow deny concept
A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit or deny computer applications based upon a set of rules and other criteria.

Deep Security firewall rules have both a rule action and a rule priority.

Bypass, Log Only, Force Allow, Deny, Allow

Rules are run in priority order from highest (Priority 4) to lowest (Priority 0).

A firewall policy defines how an organization's firewalls should handle inbound and outbound network traffic for specific IP addresses and address ranges, protocols, applications, and content types based on the organization's information security policies.

Types of Firewalls
------------------

Packet filtering
Proxy service
Stateful inspection
Next Generation Firewall (NGFW)


Failover Vs Failback
=====================
The failover operation is the process of switching production to a backup facility (normally your recovery site). A failback operation is the process of returning production to its original location after a disaster or a scheduled maintenance period.

Failover is a backup operational mode that automatically switches to a standby database, server or network if the primary system fails, or is shut down for servicing. Failover is an extremely important function for critical systems that require always-on accessibility.
Load Balancer
A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers. Load balancers are used to increase capacity (concurrent users) and reliability of applications. They improve the overall performance of applications by decreasing the burden on servers associated with managing and maintaining application and network sessions, as well as by performing application-specific tasks.

Load balancers are generally grouped into two categories: Layer 4 and Layer 7. Layer 4 load balancers act upon data found in network and transport layer protocols (IP, TCP, FTP, UDP). Layer 7 load balancers distribute requests based upon data found in application layer protocols such as HTTP.

Requests are received by both types of load balancers and they are distributed to a particular server based on a configured algorithm. Some industry standard algorithms are:

Round robin
Weighted round robin
Least connections
Least response time

Layer 7 load balancers can further distribute requests based on application specific data such as HTTP headers, cookies, or data within the application message itself, such as the value of a specific parameter.

Load balancers ensure reliability and availability by monitoring the "health" of applications and only sending requests to servers and applications that can respond in a timely manner.
dot1X protocol
The 802.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN.

Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
Aruba’s ClearPass Policy Manager
CPPM:
=====
Aruba’s ClearPass Policy Manager Network Access Control (NAC) technology provides secure access for corporate, guest, BYOD, and IoT devices. Devices on networks can be secured when making wired, wireless, or VPN connections easily without compromising security.

Clearpass policy manager -Policy server
Clearpass Guest - Authentication
Clearpass Onboard - BYOD bring your own device onboard
CLearpass insight - reporting tool

Aruba ClearPass is a combination of a RADIUS server, TACACS+ server, web server and advanced policy manager server.
RADIUS Server - contains the database of all the users
OnGuard - for health verification of endpoints / network devices.
RADIUS
RADIUS - Remote Authentication Dial-In User Service
======

To provide a centralized management system for the authentication, authorization, and accounting (AAA framework), Access Control Server (ACS) is used. For the communication between the client and the ACS server, two protocols are used namely TACACS+ and RADIUS.

RADIUS is an AAA (authentication, authorization, and accounting) protocol that manages network access. RADIUS uses two types of packets to manage the full AAA process: Access-Request, which manages authentication and authorization; and Accounting-Request, which manages accounting.


RADIUS uses UDP as its transport layer protocol
RADIUS uses UDP ports 1812 and 1813 (or the legacy 1645 and 1646)
RADIUS encrypts only the password; the rest of the packet is sent in cleartext
RADIUS combines authentication and authorization
RADIUS is an open protocol supported by multiple vendors
RADIUS is a light-weight protocol consuming fewer resources
RADIUS is limited to privilege mode
Mainly used for network access
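As an added example (not from these notes), the Python below builds a minimal RADIUS Access-Request and applies the User-Password hiding from RFC 2865: only the password attribute is obfuscated with the shared secret, while User-Name and the rest of the packet go on the wire in cleartext, which is exactly the "encrypts passwords only" point above. The shared secret, username and password are constructed values.

```python
import hashlib
import os
import struct

# Constructed shared secret for the demo; a real deployment uses a long random one.
SHARED_SECRET = b"example-shared-secret"

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: null-pad to a multiple of 16,
    then XOR each 16-byte block with MD5(secret + previous block), where the
    first "previous block" is the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden, prev = hidden + cipher, cipher
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = hidden[i:i + 16]
        plain, prev = plain + bytes(c ^ b for c, b in zip(cipher, block)), cipher
    return plain.rstrip(b"\x00")

def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """Minimal Access-Request (Code 1) carrying User-Name (type 1) and
    User-Password (type 2). Only the password is hidden: the header,
    User-Name and any other attributes travel in cleartext."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator
    attrs = b""
    for atype, value in ((1, username), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", atype, 2 + len(value)) + value
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: value} for the TLVs after the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs
```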
TACACS
TACACS (Terminal Access Controller Access Control System)
======
TACACS+ uses TCP as its transport layer protocol
TACACS+ uses TCP port 49
TACACS+ encrypts the entire communication (the whole packet body, not just the password)
TACACS+ treats authentication, authorization, and accounting separately
TACACS+ is a Cisco proprietary protocol
TACACS+ is a heavy-weight protocol consuming more resources
TACACS+ supports 15 privilege levels
Mainly used for device administration
ARP
Address Resolution Protocol
---------------------------
Used to resolve the MAC address of a device from its IP address.
On the local network, delivery needs the MAC address rather than the IP address.
When a host tries to communicate, it first checks its ARP cache table for the destination MAC; if it is there, it sends the ICMP packet (the ping) directly.
If the destination device's MAC address is not present in the ARP table, the host sends an ARP request, which is broadcast to all devices connected to the switch; the reply tells the source the destination MAC address, which is then learned into the ARP table.

To check the ARP cache table whether any MAC learnt.
PC>arp -a

An ARP request carries the source and destination IP addresses and the broadcast destination MAC address FFFF.FFFF.FFFF.
When the device owning the destination IP address replies to the broadcast, it sends its MAC address.

switch#show mac address-table

How ARP works across two networks
---------------------------------
Router#show ip interface brief

The source checks its ARP cache; if there is no entry, it sends the ARP request to the switch, which carries it to the router. The router replies with its own MAC address, so the source sends the ICMP packet to the router. The router then sends an ARP request on the other network, gets the reply from the destination device, and forwards the traffic between source and destination.
A device in a different network therefore learns only the router's MAC address.
Spanning Tree Protocol
Spanning Tree Protocol
======================
Advantages:
Avoids broadcast storms in the Layer 2 network.
Avoids MAC address table (database) inconsistency.
Avoids duplicate and multiple copies of data transmission.

How STP works
-------------
step1 -> Root Bridge election.
STP uses the 64-bit Bridge ID for the selection of the Root Bridge.
Bridge ID = Switch Priority + MAC address
The default bridge priority for all Cisco switches is 32768.
The bridge (switch) with the lowest Bridge ID is selected as the Root Bridge.
If more than one switch has the same priority, the switch with the lowest MAC address is selected as the Root Bridge.
All ports on the Root Bridge are in the Forwarding state.

step2 -> Root Port selection.
Every non-root switch should have at least one Root Port to reach the Root Bridge.
Root Ports are selected by the following three criteria, in order:
The port with the lowest path cost to reach the Root Bridge.
If the path costs are equal, the lowest switch ID (Priority + MAC) of the forwarding (sending) device is preferred.
If the path cost and switch ID are equal, the lowest physical port number of the forwarding device is preferred.
Once the Root Port is selected it is always in the Forwarding state.

step3 -> selecting Designated and Non-designated ports.
Designated ports end up in the Forwarding state, but they get there step by step through Blocking > Listening > Learning > Forwarding; Non-designated ports stay in the Blocking state.

Below are the selection criteria for Designated ports:
The port with the least cost.
The device with the least local switch ID (Switch Priority + MAC address) is preferred.
If both devices have the same switch ID, the device with the least port number on the link is preferred.

STP Terms:
Root Bridge (RB)
Non Root Bridge (NRB)
Root Port (RP)
Designated Port (DP)
BPDU (Bridge Protocol Data Unit)
A BPDU is the message exchanged between network devices running Spanning Tree Protocol in order to form a loop-free topology.
2 types:
Configuration BPDU
Topology Change Notification (TCN) BPDU

A BPDU contains information such as the Bridge ID, switch priority, switch MAC address and port information.
Path cost:
All non-root switches reach the Root Bridge through their Root Port. Each switch works out its Root Port from the path cost.
The port with the lowest accumulated path cost to reach the Root Bridge is selected as the Root Port.
Link speed 10 Gbps (cost 2)
Link speed 1 Gbps (cost 4)
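Added example in Python (not part of these notes) that runs the Root Bridge election from step 1 and the Root Port selection from step 2 with the path costs in the table above; the switch names, MAC addresses and link speeds are constructed. It also shows that a lowered priority beats a lower MAC address, because priority is compared first.

```python
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768                       # Cisco default from the notes
STP_PORT_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}  # link speed (Mbps) -> cost

def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge ID as a comparable tuple: priority first, then the MAC address.
    Lower wins, so priority decides and the MAC only breaks ties."""
    return (priority, int(mac.replace(".", "").replace(":", ""), 16))

def elect_root(switches: dict) -> str:
    """switches: {name: (priority, mac)} -> name of the switch with the lowest Bridge ID."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))

@dataclass
class Offer:
    """What one local port learns from the BPDU it receives from a neighbour."""
    local_port: int
    neighbour_root_cost: int   # root path cost the neighbour advertises in its BPDU
    link_mbps: int
    neighbour_priority: int
    neighbour_mac: str
    neighbour_port: int

    @property
    def path_cost(self) -> int:
        # accumulated cost = neighbour's cost to the root + cost of this link
        return self.neighbour_root_cost + STP_PORT_COST[self.link_mbps]

def select_root_port(offers: list) -> tuple:
    """Apply the three root-port criteria from the notes in order: lowest
    accumulated path cost, then lowest sender Bridge ID, then lowest sender port."""
    best = min(offers, key=lambda o: (o.path_cost,
                                      bridge_id(o.neighbour_priority, o.neighbour_mac),
                                      o.neighbour_port))
    return best.local_port, best.path_cost

# Constructed sample: SW3 has the lowest MAC, but SW2's lowered priority wins.
SWITCHES = {
    "SW1": (DEFAULT_PRIORITY, "0000.0000.0001"),
    "SW2": (4096, "0000.0000.0003"),
    "SW3": (DEFAULT_PRIORITY, "0000.0000.0000"),
}

# SW3's two uplinks: port 1 straight to the root over 1 Gbps (cost 0 + 4) and
# port 2 via SW1 over 10 Gbps (SW1 is 2 from the root, plus 2 for this link).
SW3_OFFERS = [
    Offer(1, 0, 1_000, 4096, "0000.0000.0003", 2),
    Offer(2, 2, 10_000, DEFAULT_PRIORITY, "0000.0000.0001", 3),
]
```

Both of SW3's uplinks cost 4, so the tie is broken by the sender's Bridge ID and port 1 (facing the root itself) wins.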
IP Routing
Routing is the process of moving a packet from one network to another network by means of a device known as a Router, along the shortest path.

Static Routing
Dynamic Routing -> Interior Gateway Protocol (IGP) & Exterior Gateway Protocol (EGP)

IGP -> Link State Routing Protocol (OSPF, IS-IS)
       Distance Vector Routing Protocol (RIP, IGRP)
       Hybrid Routing Protocol (EIGRP)

EGP -> BGP

Config Default Route
--------------------
Router(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.2
(destination IP address, subnet mask, next hop)

Config static route
-------------------
Router(config)#ip route 100.0.0.0 255.255.255.0 30.0.0.2
(destination network address, subnet mask, next hop)
EIGRP
EIGRP
=====
Enhanced Interior Gateway Routing Protocol
EIGRP is an IGP used to share routes with other routers within the same AS.
Hybrid routing protocol.
Maximum hop count is 255.
Classless routing protocol: supports VLSM and summarisation.
Load balancing can be done on both equal and unequal cost paths.
It supports backup routes.
Uses bandwidth and delay as its metrics.

Special Features:
----------------
It uses Protocol Dependent Modules (PDM) that provide support for different Network Layer protocols such as IP, IPX and AppleTalk.
Every EIGRP PDM maintains separate routing information that applies to a particular protocol, so each router has an
IP/EIGRP table, an IPX/EIGRP table and an AppleTalk/EIGRP table.
Efficient neighbour discovery: Hello packets are sent at regular intervals to directly connected routers to discover the neighbours.
The interval depends on the interface type:
LAN = 5 seconds, WAN = 60 seconds.
Dead interval = 3 * Hello interval.

To manage communication with its neighbours it uses the class D address 224.0.0.10 to send multicast traffic to all neighbours in its table,
and it keeps a list of the neighbours that have replied to each multicast it sends out. If a neighbour does not reply, the same data is resent by unicast,
and the neighbour is declared dead if it still does not reply after 16 unicast attempts. This is often referred to as Reliable Multicast.

In EIGRP, the Diffusing Update Algorithm (DUAL) is used for selecting and maintaining the best path to each remote network, and it supports the following:
>Backup route determination
>Variable-Length Subnet Mask (VLSM)
>Dynamic route recovery
>Sending out queries for an alternate route if no route is found.

EIGRP Tables:
Three types of tables are used in EIGRP:
Neighbour Table: maintains information about all directly connected neighbours.
Topology Table: maintains the list of all possible paths to all remote networks.
Routing Table: maintains only the best path to each remote network.

EIGRP Packets:
There are 5 packet types used in EIGRP.
HELLO : used to discover neighbours.
UPDATE : used to advertise a newly learnt network to neighbours.
QUERY : if the current best path goes down, this packet is sent to the neighbours to find the next best path to the destination.
REPLY : the reply packet for a query sent to the neighbours.
ACK : the acknowledgement packet sent for the reply packet.

EIGRP Metrics:
Unlike many other protocols that use a single factor to compare routes, EIGRP selects the best possible path using the following factors:
>Bandwidth
>Delay
>Load
>Reliability
>MTU(Maximum Transmission Unit)
By default, EIGRP uses only Bandwidth & Delay to determine the best path to a remote Network.

EIGRP Terms:
Feasible Distance (FD) is the distance from the source to the destination (via a given neighbour).
Advertised Distance (AD) is the distance from that next-hop neighbour to the destination.
Successor: the best path from the source to the destination.
Feasible Successor: the next best path from the source to the destination.
The FD of the successor must be greater than the AD of the feasible successor (the feasibility condition).
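Added example (not from these notes) that applies the terms above: it picks the successor and the feasible successors for one destination from constructed topology-table entries, and computes the composite metric from bandwidth and delay. The metric formula is the protocol's default K-value one, assumed here rather than stated on the page.

```python
def composite_metric(min_bandwidth_kbps: int, total_delay_us: int) -> int:
    """EIGRP metric with the default K values (K1 = K3 = 1, others 0), which is
    why only bandwidth and delay count by default:
    256 * (10^7 / slowest link in kbps + cumulative delay in tens of microseconds).
    Formula assumed from the protocol definition, not stated in the notes."""
    return 256 * (10_000_000 // min_bandwidth_kbps + total_delay_us // 10)

def select_paths(entries: list) -> tuple:
    """entries: [(neighbour, advertised_distance, cost_to_neighbour)] for one
    destination. FD via a neighbour = its AD + the cost to reach it.
    Successor = lowest FD; a feasible successor is any other neighbour whose
    AD is strictly less than the successor's FD (the feasibility condition),
    so it is known loop-free and can take over without a QUERY."""
    if not entries:
        raise ValueError("no paths to the destination")
    fd_by_neighbour = {n: ad + cost for n, ad, cost in entries}
    successor = min(fd_by_neighbour, key=fd_by_neighbour.get)
    fd = fd_by_neighbour[successor]
    feasible = [n for n, ad, _ in entries if n != successor and ad < fd]
    return successor, fd, feasible

# Constructed topology-table entries for one destination, as seen from R1.
# R4's total distance (FD 21) is not far behind the successor's, but its AD 20
# is not below the successor's FD 15, so it fails the feasibility condition
# and is not kept as a feasible successor.
ENTRIES = [("R2", 10, 5), ("R3", 12, 10), ("R4", 20, 1)]
```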

Configuration Syntax:
--------------------
Router1(config)#router eigrp <AS number>
Router1(config-router)#network <network id>
Router1(config-router)#network <network id>
Router1(config-router)#no auto-summary (by default EIGRP summarises at classful boundaries; this turns that off)

Model Configuration:
Router1(config)#router eigrp 10
Router1(config-router)#network 100.150.0.0 (advertise all directly connected network)
Router1(config-router)#network 20.10.10.0 (advertise all directly connected network)
Router1(config-router)#no auto-summary

EIGRP Commands:
---------------
show ip eigrp neighbors (display all EIGRP neighbours)
show ip eigrp topology (display entries in the EIGRP topology table)
show ip route eigrp (display only EIGRP entries in the routing table)
show ip route (display the entire routing table)
OSPF
OSPF
====
show ip ospf database
show ip route
show ip ospf neighbor

Open Shortest Path First
It is an IGP (Interior Gateway Protocol) used to route information within an Autonomous System.
It is a Link State protocol.
Open standard (can be used with any router vendor).
Unlimited hop count (Cisco recommends 40 to 50 routers in each area).
It uses the Shortest Path First (SPF) algorithm.
Administrative distance is 110.
Uses the multicast addresses 224.0.0.5 & 224.0.0.6 to send updates.
Cost is the metric used.
Cost is calculated by the formula COST = 10^8 / bandwidth (in bps).
Supports only equal-cost load balancing (EIGRP supports both equal and unequal cost).
Classless routing protocol: supports VLSM (subnetting) and CIDR (RIP did not support VLSM).
Uses the concept of Areas to manage the network (areas were introduced to reduce LSA flooding).
Sends Hello packets at regular intervals (10 seconds).
Dead timer = 4 * hello timer.
The Router ID plays an important role in OSPF.
A router sends only the changes in its updates, not the entire routing table (whereas RIP sends the entire routing table).
OSPF supports authentication.

OSPF Tables:
-----------
There are 3 types of tables maintained in OSPF.
Neighbour Table
Database Table
Routing Table

Neighbour Table:
---------------
Contains the list of directly connected routers (neighbours).
It is also known as the adjacency database.
show ip ospf neighbor

Database Table:
-----------------
Contains information about all possible routes in the network within an area.
It is also known as LSDB (Link State Database)
show ip ospf database

Routing Table:
---------------
contains the list of best path to each destination
show ip route

Router ID:
-----------
In general, the Router ID is the name of the router.
If a logical (loopback) interface is configured, the highest IP of the loopback interfaces becomes the Router ID;
otherwise the highest IP of the physical interfaces becomes the Router ID.

7 states of OSPF:
Down state - Router A sends a multicast Hello packet.
Init state - when Router B receives this multicast packet, it sends a unicast packet back to Router A.
Two-way state - here the neighbourship table is formed between Router A and Router B.
Exstart state - negotiation takes place over who sends the first Database Description packet (the highest Router ID shares its database first).
Exchange state - they share their databases.
Loading state - they compare the existing database with the newly received database and sync.
Full state - both routers have a completely synchronised database.

OSPF Area:
Backbone Area or Transit Area:
This is the first area to be configured in OSPF, with area ID "0".
All other areas in the OSPF network are directly connected to this area.
Any traffic between different areas passes through this area, hence it is known as the transit area.

Normal Area:
Apart from the backbone area, all other areas are known as normal areas.
Unlike the backbone area, a normal area does not allow traffic between different areas to pass through it.

OSPF Router Types:
There are 3 types of routers in OSPF:
Internal Router: all routers inside an area are known as internal routers.
Backbone Router: an internal router of the backbone area is known as a backbone router.
Area Border Router (ABR): a router that connects a normal area to the backbone area is known as an ABR.
LSA
LSA:
A Link State Advertisement is a data packet that contains the entire information about a link, such as its IP address, interface status (up/down), subnet mask, interface type, bandwidth and delay.

LSA Types:
---------
Type 1 (Router LSA)
Type 2 (Network LSA)
Type 3 (Summary LSA)
Type 4 (Summary ASBR LSA)
Type 5 (Autonomous system external LSA)
Type 6 (Multicast LSA)
Type 7 (Not so stubby area LSA)


OSPF packet type:
----------------
Type 1 = Hello - used to discover neighbours
Type 2 = DBD (Database Description) - a high-level summary of the LSDB, used for synchronisation between routers
Type 3 = LSR (Link State Request) - list of all missing LSAs
Type 4 = LSU (Link State Update) - response to an LSR; whatever is missing is sent in the update
Type 5 = LSAck (Link State Acknowledgement)

Cost:
-----
Ethernet - 10
FastEthernet - 1
Loopback - 1
MPLS
MPLS
=====
Multi Protocol Label Switching
LDP - Label Distribution Protocol (to generate labels)
CE - Customer Edge Router
PE - Provider Edge Router
LSR - Label Switch Router

Push, swap and pop (the three label operations)


/playground

Welcome to my page! Try exploring "/registry" for the complete bio.