In this simulation, you will analyze network traffic patterns and identify the architectural role of specific protocols. Understanding the OSI model is fundamental for mapping attacks to specific layers and implementing granular defensive controls.

CND (312-38) Network Defense Simulation

Network Scenario

You are monitoring a Windows-heavy enterprise environment. The network architecture includes a centralized file server, multiple workstations, and an application server utilizing distributed computing components. You notice several internal systems communicating using mechanisms that manage the establishment, maintenance, and termination of sessions between applications.

Traffic & Logs

The following IDS alert and packet summary highlight internal communication between a client workstation (10.0.0.45) and an internal application server (10.0.0.10).

[IDS ALERT] Potential Distributed System Query
Timestamp: 2023-10-24 09:12:44
Source: 10.0.0.45:49152
Destination: 10.0.0.10:135 (MSRPC)
Protocol: TCP/RPC
Action: ALLOWED
Details: Client initiating procedure call to remote endpoint.

[NETWORK CAPTURE SUMMARY]
Frame 102: Client -> Server [SYN] Seq=0 Win=64240 Len=0
Frame 103: Server -> Client [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
Frame 104: Client -> Server [ACK] Seq=1 Ack=1 Win=64240 Len=0
Frame 105: RPC Bind Request - Context ID: 1, Interface: [UUID 000...000]
Frame 106: RPC Bind Ack - Max Xmit: 5840, Max Recv: 5840

Note: The logs show a session being bound at the application programming interface level to facilitate remote procedure execution.

Question

Which of the following is a session layer protocol?

Think about the OSI Layer 5. This layer is responsible for establishing, managing, and terminating connections between local and remote applications. Look for a protocol that allows a program to cause a procedure to execute in another address space without the programmer explicitly coding the details for that remote interaction.

Expert Analysis

1. What is happening in the network

The logs indicate a client workstation is communicating with a server via port 135, which is associated with the Microsoft Remote Procedure Call (MSRPC) service. The handshake and subsequent "RPC Bind Request" signify the establishment of a logical session between two software components.

2. Identify attack or behavior

This is standard administrative or application behavior. However, defenders monitor RPC because attackers often use it for lateral movement (e.g., via WMI or scheduled tasks) or to enumerate services on a target host.

3. Why correct answer is correct

RPC (Remote Procedure Call) is the correct answer. In the OSI model, RPC operates primarily at the Session Layer (Layer 5). It provides a mechanism for processes to communicate and manage sessions across a network, abstracting the underlying transport details (Layer 4) from the application (Layer 7).

4. Why others are wrong

5. Defensive Action

Defenders should restrict RPC traffic to known administrative segments. Using host-based firewalls to block port 135 and dynamic RPC ports from untrusted zones prevents unauthorized lateral movement and enumeration. Monitoring for "null sessions" or excessive RPC binds from unusual sources is a key detection strategy.
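As an added example (not part of the simulation), the following Python checker applies the two detection rules above to IDS alert records written with the scenario's field labels: it flags RPC traffic to port 135 or the dynamic RPC range from any source outside the administrative segments, and any source whose RPC bind count reaches a threshold. The sample records, the admin segment 10.0.0.0/24, the threshold, and the dynamic port range 49152-65535 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Field patterns for IDS alert records using the scenario's labels.
SRC_RE = re.compile(r"Source:\s*(?P<ip>[\d.]+):(?P<port>\d+)")
DST_RE = re.compile(r"Destination:\s*(?P<ip>[\d.]+):(?P<port>\d+)")
RPC_ENDPOINT_MAPPER = 135
RPC_DYNAMIC = range(49152, 65536)  # assumed Windows dynamic RPC range

# Constructed sample records (not taken from a real sensor).
SAMPLE_ALERTS = [
    "[IDS ALERT] Timestamp: 2023-10-24 09:12:44 Source: 10.0.0.45:49152 Destination: 10.0.0.10:135 (MSRPC) Protocol: TCP/RPC Action: ALLOWED",
    "[IDS ALERT] Timestamp: 2023-10-24 09:12:45 Source: 10.0.0.45:49153 Destination: 10.0.0.10:49670 (MSRPC) Protocol: TCP/RPC Action: ALLOWED",
    "[IDS ALERT] Timestamp: 2023-10-24 09:13:02 Source: 192.168.50.7:40001 Destination: 10.0.0.10:135 (MSRPC) Protocol: TCP/RPC Action: ALLOWED",
    "[IDS ALERT] Timestamp: 2023-10-24 09:14:10 Source: 10.0.0.99:50000 Destination: 10.0.0.10:135 (MSRPC) Protocol: TCP/RPC Action: ALLOWED",
    "[IDS ALERT] Timestamp: 2023-10-24 09:14:11 Source: 10.0.0.99:50001 Destination: 10.0.0.10:135 (MSRPC) Protocol: TCP/RPC Action: ALLOWED",
    "[IDS ALERT] Timestamp: 2023-10-24 09:14:12 Source: 10.0.0.99:50002 Destination: 10.0.0.10:135 (MSRPC) Protocol: TCP/RPC Action: ALLOWED",
    "[IDS ALERT] Timestamp: 2023-10-24 09:15:00 Source: 10.0.0.45:49160 Destination: 10.0.0.10:445 (SMB) Protocol: TCP Action: ALLOWED",
]

def parse_alert(record):
    """Return (src_ip, dst_ip, dst_port) from one alert record, or None."""
    src, dst = SRC_RE.search(record), DST_RE.search(record)
    if not src or not dst:
        return None
    return src["ip"], dst["ip"], int(dst["port"])

def rpc_findings(records, admin_nets, bind_threshold):
    """Flag RPC traffic from outside the admin segments, and any source whose
    RPC bind count reaches bind_threshold. Returns a sorted list of (src, reason)."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    binds = Counter()
    findings = set()
    for record in records:
        parsed = parse_alert(record)
        if parsed is None:
            continue
        src, _dst, dport = parsed
        # Only endpoint-mapper (135) and dynamic-range RPC traffic counts.
        if dport != RPC_ENDPOINT_MAPPER and dport not in RPC_DYNAMIC:
            continue
        binds[src] += 1
        if not any(ipaddress.ip_address(src) in net for net in nets):
            findings.add((src, "rpc from untrusted zone"))
    for src, count in binds.items():
        if count >= bind_threshold:
            findings.add((src, f"excessive rpc binds ({count})"))
    return sorted(findings)
```

Running `rpc_findings(SAMPLE_ALERTS, ["10.0.0.0/24"], 3)` reports the untrusted-zone source and the host with three binds, while the SMB record and the in-segment workstation with two binds are not flagged.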

MINI LESSON: Traffic Pattern Recognition

Session Layer (Layer 5) Responsibilities:

  • Authentication & Permissions: Ensuring the entities are who they say they are.
  • Session Restoration: Checkpointing and recovery during a session.
  • Dialogue Control: Managing which side transmits and when (simplex, half-duplex, full-duplex).

Key Protocols at Layer 5: RPC, NetBIOS, PAP, PPTP, and SOCKS.
