CISSP101

Get Prepared And Pass The CISSP Exam

Telecommunications and Network Security

The Telecommunication and Network Security domain for the CISSP certification exam covers topics related to network components, such as network devices and protocols, transmission methods, transport formats, their functionality and how they relate to security.

Open Systems Interconnect Reference (OSI) Model

The OSI model represents the seven layers involved in sending data from one computer to another. The seven layers of the OSI model, from highest to lowest, are application, presentation, session, transport, network, data link, and physical. Each layer of the OSI model is responsible for certain functions within the process of sending data from one system to another. Each layer is responsible for communicating with the layers immediately above it and below it. The OSI model was developed by the International Organization for Standardization (ISO) in the early 1980s. The ISO 7498 defines the OSI Reference Model.

Functionality of the OSI Model

Each layer of the OSI model is responsible for performing specific task during the data exchange. The layers are numbered from bottom to top. The layers are separated from each other by boundaries called interfaces. All requests are passed from one layer, through the interface, to the next layer. Each layer builds upon the standards and activities of the layer below it.

Each layer functions based on a set of protocols. A protocol is a set of rules or language use by computer and networking devices to communicate with one another.

In the OSI model the data flows 2 ways, DOWN(data encapsulation) and UP(data decapsulation). Encapsulation is the addition of a header, and possibly a footer, to the data received by each layer form the layer above before it’s passed down to the layer bellow. Encapsulation happens as the data is passed down through the OSI Layers from Application to Physical. The reverse action Decapsulation occurs when the data moves up through the OSI layers from Physical to Application.

OSI Layers

Physical Layer

The Physical Layer is the first and the lowest layer in the OSI model of computer networking that manages the transfer of the data on the physical level, where the data is resented as a stream of bits – 0s and 1s. It doesn’t care about the meaning of the data; it deals only with the physical characteristics of the technologies used.

The Physical layer defines the following:

      • The type of medium used - Cable, Fiber Optics, or Wireless media
      • The transmission method - Unicast, Broadcast, or Multicast
      • The transmission rates available for the medium

Protocols that work at OSI-Layer 1:

      • Ethernet -802.3
      • Token Ring – 802.5
      • FDDI
      • Wireless – 802.11
      • SONET

Data Link Layer

The Data-Link Layer is divided into two sub layers. The interoperability of different network technologies is made easier by separating these two sublayers:
Logical Link Control – Considered to be the upper sublayer of the Data-Link Layer. Provides multiplexing, demultiplexing and flow and error control. Runs Cylindrical Redundancy Check to assure that nothing is damaged in transit. Acts as an interface between the Media Access Control sublayer and the Network Layer.
Media Access Control - When receiving a frame the MAC recognizes where in the bit stream the frame begins and ends; When sending the frame –it basically hides the beginning and the end of the frame from the physical layer, but leaves that info recognizable by the destination by adding some extra bits of data between the frames. The Media Access Control layer inserts the MAC address into every frame, verifies the destination address in the frames receive, detects transmission errors by inserting a checksum.

The Media Access Control (MAC) Address is a hardware/physical address defined by the IEEE standard. The MAC address is used in LANs. It is a 6-byte address, and in its human-readable form is represented by 12 hexadecimal numbers, divided into groups of two and then separated by colons. The first three groups of numbers represent the manufacturer IP. The last three groups of numbers represent the unique device IP.

Network Layer

The Network Layer is the lowest layer of the OSI Model that is concerned with transporting the data from source to destination, between remote networks. It uses logical addressing, while Layer 2 uses physical.

The key functions of the Network layer are:
Routing - moving the data across interconnected networks. Devices and software that function at this layer are concerned with handling the incoming packets from various sources, sent to various destinations by figuring out where they need to be sent next in order to get them closer to their final destination.
Logical Addressing - every device communicating over a network is associated with a logical address – Layer 3 address. For example, in the Internet Protocol, which is a network layer protocol, every machine has an IP address.
Datagram Encapsulation – encapsulates the data segments received from the higher layers into datagrams - called packets.
Fragmentation and Reassembly – since the Data-Link layer technologies have limits to the size of the message they are able to sent, the Network Layer fragments and reassembles the messages to the appropriate size of needed.
Error Handling and Diagnostics - handled mainly by the ICMP protocol, which is the main error-handling and control protocol.
Packet sequencing

IP Addressing

IP address is a logical address, and is a Network Layer mechanism used to identify the other party of the communication. It is configurable and unlike the MAC – Physical address the IP address can be changed. While a device can have only one physical address, it can have multiple IP addresses – one for each network interface or TCP/IP stack. On a network each host must have a unique IP address. IP addresses are assigned by the central authority ARIN – American Registry Of Internet Numbers.

The address scheme could be Version 4 or Version6. IPv4 address is a 32bit number, which is divided into four 8bit numbers, usually expressed which in decimal numbers and have values between 0 and 255. IPv6 address is the next generation IP protocol version. It is a 128 bit number, 16 bytes, 32 hexadecimal digits. Normally written with their hexadecimal digits with colon separators.

Advantages of IPv6 over IPv4:

      • Gigantic address space
      • Client-side IP address assignment, no need for DHCP - the configuration of the IPv6 address is automatic
      • Built-in security mechanisms - IPv6.
      • New, simplified header format - Routers do not calculate header checksum which improves performance
      • Efficient routing - IPv6 reduces the size of routing tables and makes routing more efficient and hierarchical
      • Supports multicasting - Allows Multicasting (addressing a number of hosts as parts of a group) as opposed to broadcasting (addressing all hosts at once), saving Network Bandwidth.

IPv6 is backwards compatible and can be used in most of today’s TCP/IP devices.

Every IP address consists of two parts – first part identifying the network part and the second part identifying the host part.

Classfull network addressing.

The IP addresses were originally organized into classes. The address class determined the potential size of the network. The class of an address specified which of the bits were used to identify the network ID, or which bits where used to identify the host ID. It also defined the total number of hosts per network.
In a classfull network there are five different address classes – class A, B, C, D, and E:
Class A addresses begin with 0xxx, or 1 to 127 decimal –the first 8 bits are used for the network part and the other 24 for the host part.
Class B addresses begin with 10xx, or 128 to 191 decimal – the first 16 bits are used for the network part and the rest 16 for the host.
Class C addresses begin with 110x, or 192 to 223 decimal – the first 24 bits are reserved for the network part, the rest 8 for the host.
Class D addresses begin with 1110, or 224 to 239 decimal - these are multicast addresses.
Class E addresses begin with 1111, or 240 to 254 decimal – these are reserved for future use.

In classfull network the network part of the address is defined by default by the class in which the address falls into. When specifying the network address, the host part of the address is set all to “0”s. The broadcast address is identified by setting all the bits from the host part all to “1”s.

IP addresses are divided into two parts:
Public IP Addresses – must be unique, and are routable on the internet.
Private IP Addresses - The private network addresses are common in home and office LANs. Anyone can use these addresses without approval from a regional Internet registry. They are not allowed to be routed through public networks. And must be unique in a given network.
Class A private IP addresses – 10.0.0.0 to 10.255.255.255 (10.0.0.0 with Subnet Mask 255.0.0.0 or 10.0.0.0/8)
Class B private IP addresses – 172.16.0.0 to 172.31.255.255 (172.16.0.0 with a Subnet Mask 255.240.0.0 or 172.16.0.0/12)
Class C private IP addresses – 192.168.0.0 to 192.168.255.255 (192.168.0.0 with a Subnet Mask 255.255.0.0 or 192.168.0.0/16

IP Subnetting

Subnetting is applying extended network addresses to individual network device addresses. Using subnet the traffic between hosts can be segregated based on a network configuration. Subnetting can be done for variety of reasons, including organization, use of different physical media, preservation of address space, and security.

Subnet Mask – the most recognizable aspect of subnetting. Applying a subnet mask allows the identification of the network and host part of the address. Like an IP address subnet mask contains 4 bytes (32 bits) and is often written in the same dotted-decimal notation. The network bits are represented by 1s in the mask and the host bits are represented by 0s. By performing logical ANDing between an IP address and the Subnet Mask results in the Network Address.
IP Address AND Subnet Mask = Subnet/Network Address

Classless Inter-Domain Routing (CIDR)

Classless Inter-Domain Routing (CIDR) is a methodology of allocating IP addresses and routing Internet Protocol packets. It was introduced to improve the address space utilization and routing scalability in the Internet. CIDR moves away from the traditional IP classes, which can be very wasteful and depicts more hierarchical Internet architecture. Each domain takes its IP address from a higher level. This means that a organization can subdivide its host address space into small group of networks called subnets, which is done by borrowing some of the bits from the host part of the IP address. The CIDR notation begins with the Internet Protocol address followed by a “/” character and a decimal number specifying the number of consecutive bits of the routing prefix or the subnet mask.

Address Resolution Protocol (ARP)

The Address Resolution Control Protocol is a Network Layer protocol used to determine host’s MAC/hardware address, when only the IP address is known. It can be used in any type of broadcast network.
The ARP request, which is broadcast packet, contains the source MAC and IP addresses and the destination IP address. Since it is a broadcast packet it is received by every host on the local network, but only the host with the destination IP sends a reply packet to the originating host with its MAC and IP address. The ARP reply packet is unicast. Requests and reply packets have the same format.

Reverse Address Resolution Protocol

Exactly the opposite to the ARP. Used to find the IP address when only the MAC/hardware address in knows. Similarly to ARP, RARP requests are broadcast and the replies are unicast. Used a lot by diskless workstations, where the IP cannot be stored in the system itself. When a diskless system broadcasts a RARP request packet with its MAC address, this packet is received by all the hosts in the network. When the RARP server receives this packet, it looks up this MAC address in the configuration file and determines the corresponding IP address. It sends this address in the RARP reply packet. The diskless system receives this packet and gets its IP address. A RARP request packet is normally generated during the booting sequence of a host.

Transport Layer

The Transport Layer is the connection between the bottom three and the upper three layers of the OSI Reference Model. It acts as a connection between the abstract world of applications (layers 5 through 7) and the concrete function of layers one to three.

General responsibilities of the Transport Layer are:
Reliable, error-free data delivery
Proper sequencing of the data
Flow control – makes sure that the transmitting device does not send more data than the receiving device could process.

The Transport Layer enables communication between software application processes on different computers. This Layer provides a reliable, end-to-end data transport between source and destination machines.

As the Network Layer uses IP addresses to identify a host on an internetwork and as the Data-Link Layer uses MAC addresses to identify a host on a private network, the Transport Layer uses Port numbers to identify to and from which application the data is flowing.

Port – the port identifies which program on the computer has to be used for the data received. A port is 16 bit integer, used to identify a process:
Ephemeral port – assigned automatically upon client’s request
Well-known port – are used by the servers and are associated with a specific service provided
The three types of ports are – Well known, Registered and Dynamic or Private ports.
Well known ports– 0 to 1023
Registered ports – 1024 to 49151
Dynamic or private – 49152 to 65535

Some important port numbers:
20/TCP, 20/UDP - File Transfer Protocol (FTP) Data
21/TCP, 21/UDP - File Transfer Protocol (FTP) Control
22/SCTP, 22/TCP, 22/UDP -SSH
23/TCP, 23/UDP –Telnet
25/TCP, 25/UDP – SMTP (Simple Mail Transport Protocol)
53/TCP, 53/UDP - DNS
80/TCP, 80/UDP – HTTP
443/TCP, 443/UDP – HTTPS

The Transport Layer utilizes the concept of socket address:
Socket Address = IP Address + Port number
Socket pair – source and destination socket addresses – method to uniquely identify connection between two end points.

The Transport Layer protocols used on the Internet are TCP, UDP and SCTP.
Transmission Control Protocol (TCP)
The Transmission Control Protocol is one of the main protocols used for data transmission. TCP, working on top of the unreliable IP protocol, ensures that data transmission is reliable. TCP is a connection-oriented protocol, which means that a connection between to end points must be established before actually transmitting data. Data can be transmitted only when the connection is open. It also guarantees that all data sent will be received without any error and in the correct order.
User Datagram Protocol (UDP)
UDP is a Layer 4 protocol.UDP is connectionless protocol, which means that data can be sent at any moment without prior advertising, negotiation or preparation. UDP not only does not guarantee that the data will be delivered; it also can be delivered in a wrong order. It is very simple protocol and is mainly concerned with speed. Often used for video steaming and on-line gaming. UDP traffic is organized on the form of datagrams. One datagram consists of one message unit. The first 8 bytes of the datagram reveal the UDP header, which consists of four fields, 2 bytes each: 1. Source port number, 2. Destination port number, 3.datagram size, 4. Checksum.

Three way handshake

The three way handshake, which establishes and terminates the connection together with the flow control make the TCP communication reliable. The three way handshake is absolutely necessary for a reliable TCP communication.

The three way handshake process:
1. The originator of the communication sends an initiative packet, called SYN which contains the initial send sequence number. This sequence number is a 32-bit number and increments by one for every byte of data send within this segment.
2. The destination receives the SYN and then sends back a SYN-ACK. The SYN segment contains the destination’s initial sequence number. The ACK segment is an increment on the sequence number on the last received segment. In this step the Maximum Segment Size is agreed on.
3. The originator receives the SYN-ACK and sends back an ACK segment which is an increment of the destination’s SYN. Now the connection is open and the communication between the two hosts is permitted.
4. The communication continues until one of the parties sends a FIN segment or the connection times out.

Since TCP is a connection oriented protocol – a reliable connection must be obtained and acknowledged before any data transmission. This is achieved by the three-way handshake.

There are three stages of TCP communication in the data exchange:
Connection establishment. ACK and SYN flags are used.
Data transfer. ACK and PSH flags used.
Connection termination. ACK and FIN flags are used.

Stream Control Transmission Protocol (SCTP)

The Stream Control Transmission Protocol is a fairly new alternative to the UDP and TCP protocols. It is well designed and powerful. Provides some of the same services of both TCP and UDP, ensuring reliable, sequences transport of data with congestion control.

Session Layer

The Session Layer is the fifth layer in the OSI Reference Model. It is also the lowest of the three upper layers, which are mainly concerned with software application issues rather than with network and internet implementation. It provides the mechanism for opening, closing and managing a session between end-user application processes.

Functions of the Session Layer:

      • Session establishment, maintenance and termination
      • Session support

Session Layer protocols:

      • ASP - Apple Talk Session Protocol
      • RPC – Remote Procedure Call
      • SQL – Structured Query Language
      • NFS – Network File System

Presentation Layer

The Presentation Layer is the sixth layer of OSI. It delivers and formats the data to be presented to the Application layer.

Functions of Presentation layer:

      • Character code translation
      • Data conversion
      • Data compression
      • Data encryption

Presentation Layer protocols:

      • ASCII –American Standard Code for Information Interchange
      • EBCDIC – Extended Binary Coded Decimal Interchange Code
      • NDR – Network Data Representation
      • RDP – Remote Desktop Protocol
      • LPP – Lightweight Presentation Protocol
      • NCP – NetWare Core Protocol

Application Layer - OSI Layer 7

The seventh layer of the OSI Model is the Application layer and it is the closest layer to the end user. At this layer both - the user and the Application layer interact with the software application, which implement a communicating component.

Functions of the Application Layer:

      • Resource sharing and device redirection
      • Remote file access
      • Inter-process communication
      • Network management
      • Directory services
      • Electronic messaging
      • Network virtual terminals

Application Layer protocols:

      • FTP – File Transfer Protocol
      • SMTP – Simple Mail Transfer Protocol
      • HTTP – Hypertext Transfer Protocol
      • SNMP – Simple Network Management Protocol
      • NDIS – Network Driver Interface Specification

Benefits of the OSI Model

The benefits of the OSI Model are:

      • Simpler network protocols design - the network communications are separated into smaller logical pieces
      • Any software or hardware that meets the OSI standard is able to communicate with any other software and hardware that also meets the standard
      • Software/hardware from different manufacturers work together – wider choice for the consumer
      • It is easier to add new protocols and other network services to a layered architecture – network designs are more extensible.

      TCP/IP Model

      Today TCP/IP is the most commonly-used internet-working protocol suite. The Internet is built on top of the TCP/IP protocol. It is everywhere! It is the basis of Internet that allows communication between computers from different vendors, of different sizes, running completely different operating systems.

      The development of TCP/IP began in 1973, as a part of research network developed by DARPA - ARPANET. The Network Control Protocol used by ARPANET at that time had a lot of flaws and limitations. The purpose of TCP/IP was to meet the data communication need of the US Department of Defense. In the early versions of this technology. In the first written version of modern TCP/IP there was only one protocol – TCP.

      The basic concepts used in the development of TCP/IP came from the packet switching network CYCLADES in France, which was created in the early 1970s and where protocol going through the physical layer of computers was used.

      The TCP/IP model consists only of four layers. The four layers of the TCP/IP model are Application, Transport, Internet, and Link. The TCP/IP model’s Application Layer corresponds to layers 5, 6, and 7 of the OSI model. The TCP/IP model’s Transport layer corresponds to layer 4 from the OSI model. The TCP/IP model’s Internet layer corresponds to layer 3 from the OSI model. The TCP/IP model’s Link layer corresponds to layers 1 and 2 from the OSI model.

      Network Architecture

      Network Types.LAN, WAN, MAN area networks. Internetwork.

      LAN - Local Area Network is a network implemented within a relatively small area. LAN computers are rarely more than a mile away. A networked office building, school, or home network is usually represents a single LAN. In typical configuration one computer is designated to be the file server, which stores all the software that controls the network and the software shared by the users on the network. Some LANs are connected through cables, other are wireless. In TCP/IP networking, a LAN is often but not always implemented as a single IP subnet. Uses primarily the technology of Ethernet and Token Ring.

      WAN – Wide Area Network connects lager geographic areas. Dedicated transoceanic cabling or satellite links may be used to connect this type of network. The Internet is the largest WAN, spreading across the Earth. WAN is a connection of LANS. Router is the device that connects LANs to WANs. In IP networking, the router maintains both the LAN and the WAN address.

      The main difference between LAN and WAN networks is that in most of the cases like Internet, WANs are not owned by anyone. Primarily uses the technology of ATM, Frame Relay and X.25.

      MAN – Metropolitan Area Network - is a network over an area larger than LAN, but smaller that WAN, such as city. Typically owned and operated by a single entity – corporation, organization, government body, etc.

      Internetwork is a collection of individual networks, connected by intermediate networking devices, that functions a single large network. This network runs between computers configured with the TCP/IP protocols.

      Intranet commonly refers to a network within an organization. This network can be tailored to meet the specific requirements of an organization.

      Extranet is basically an interconnection of previously separated LANs or WANs networks originating from different business entities.

      VAN - Value-added network is a private network provider used to facilitate electronic data interchange (EDI) or provide other network services.

      WWW - World Wide Web is an arrangement of services on the Internet that provides archives of information accessible from browsers or search engines. The information is presented in a hypertext format

      Network Topologies

      Network Topology is the design and the layout of the various elements, such as links and nodes of a computer network. The topology of a network can be looked at from a physical or a logical point of view. Physical topology refers to the physical placement of the networks various components, including device location and cable installation. The logical topology shows how data flows within the network, regardless of its physical design.

      The basic types of network topologies are:

      Point-to-point

      Point-to-point is the simplest type of topology, it represents a link between two nodes. It is also called an end to end connection.

      Bus Topology

      The bus topology is typically used in LAN networks, where each computer is connected to a single cable. This is the most commonly used topology covering the Ethernet IEEE 802.3 networks

      The advantages of the bus network topology are:

          • The addition of new devices is straightforward, which makes the bus network to be easy to implement and extend
          • Well suited for temporary or small networks not requiring high speed
          • Cable faults are easily identified

      The disadvantages of the bus network topology are:

          • Limited cable length and number of stations
          • If there is a problem with the cable, the entire network goes down
          • Proper termination is required

      Star Topology

      In a network with a star topology each network host is connected to a central hub or a switch with a point-to-point connection. All the traffic that travels on the network passes through the central hub, which act as a signal repeater. The star topology is considered to be the easiest one to design and implement.

      The advantages of the star network topology are:

          • Improved performance
          • Isolation of devices
          • Simplicity

      The disadvantages of the star network topology are:

          • High dependence on the functioning of central hub
          • The performance of the network also depends on the capabilities of the central hub
          • Network size is limited of the connections that can be made to the hub

      Ring Topology

      In a ring topology each computer is connected to the network in closed loop or ring. This network is set up in a circular fashion in which data travels around the ring in one direction and each device acts as a repeater to keep the signal strong as it travels.

      The advantages of the ring network topology:

          • Performs better that a star topology under heavy network load
          • Every device has access to the token and the opportunity to transmit
          • Does not require network server to manage connectivity between the computers

      The disadvantages of the ring network topology are:

          • One malfunctioning workstation or bed port can create problems for the entire network
          • Moves, ads and changes of devices can affect the network
          • Much slower that an Ethernet network under normal load

      Tree Topology

      The tree topology has a hierarchical type of structure. It could be described as a combination of the bus and star topologies. This topology provides the ability for branching the network. Very useful for colleges, universities and schools. Works very well on widely spread and vastly divided in branches networks.

      The advantages of the tree network topology are:

          • Widely supported by many network and hardware vendors
          • Point to point connection is possible
          • All computers have access to the larger and their immediate networks
          • Best for branched out network

      The disadvantages of the tree network topology are:

          • The length of the network depends on the type of cable used
          • Entirely dependent on the trunk – the main backbone of the network
          • Difficult to configure and gets more complicated as it grows

      Mesh Topology

      The Internet is based on the mesh topology. The mesh topology network is complete network, where all nodes are connected to each other. Each node is connected to the other nodes on the network through hops.

      FDDI Technology

      Fiber distributed data interface (FDDI) is a network architecture that uses fiber-optic cabling, token passing, and a ring topology, but FDDI also uses two counter-rotating rings for fault tolerance on the network. FDDI is similar to a Token Ring network in the sense that it uses token passing as the access method, but there are two rings - primary and secondary, instead of the one found in Token Ring. The primary ring is used at all times, and the secondary ring is used only if the primary ring fails. The token is passed on each ring in opposite directions. FDDI is specifically for WAN use, not for LAN use.

      LAN Implementations

      Ethernet

      Ethernet is the most widely used local area network (LAN) technology. It is a packet based network protocol. Ethernet was invented in 1973, by the Xerox Corporation. Its purpose was to provide connectivity between many computers and one printer. Today it is the predominant form of local area network technology. This designed evolved into an IEEE series of standards (802.XXX) with many variations, which include – 10Base-T, Fast-Ethernet (100Base-T), Gigabit Ethernet.

      Ethernet consists of three basic elements:

          • The physical medium used.
          • Each Ethernet interface has its own unique MAC address.
          • Ethernet frame – consists of standardized set of bits used to carry data over the system.

      Ethernet allows data to move at a very high speed by setting up a broadband connection. Many users can communicate with devices on a timely manner.

      CSMA/CD - Carrier Sense Multiple Access with Collision Detection is a traditional Ethernet protocol. It is used to “sense carrier” – listens and detects if any host on the network with “multiple access “(many hosts) is transmitting. It also offers collision detection – when more than one host transmits at the same time.

      Commonly used Ethernet protocols are:

          • 10Base-T – runs over twisted pair copper and suites small office data communication requirements.
          • 10Base-F –fiber optics
          • 100Base-T – Fast Ethernet –twisted pair, could cause overload
          • 100Base – TX –two twisted copper pair – 100Mbps throughput
          • Gigabit Ethernet – very high bandwidth service – 1Gbps

      Token Ring Topology

      Token Ring is the second most widely used LAN technology after Ethernet. Token ring is a LAN topology in which all the computers are connected in a ring or star topology and a token passing method is used to prevent the collision of data between two computers that want to send messages at the same time. The Token Ring protocol is the second most widely-used protocol on local area networks after Ethernet. The IEEE 802.5 Token Ring technology provides for data transfer rates of either 4 or 16 megabits per second.

      Wireless LANs

      The continued demand for wireless communications has vastly expanded in the past ten years. The use of wireless LANs (WLANS) has revolutionized information exchange in personal and industrial situations. WLANs enable mobile user connectivity, simplify installation, and enable a movable or relocatable network. WLANs are easy and fast to deploy, however they lack the security controls found in wired networks. In the majority of situations, a wireless LAN is connected to a traditional wired Ethernet LAN. When connected to the wired LAN, the wireless access point acts as a bridge to the wired LAN for the wireless devices. All wireless devices communicating at the same access point can access the same LAN resources.

      Communications and Transmission Services

      Synchronous Communications

      The synchronous communication relies on the presence of clocks at both ends of the transmissions which must be synchronized at the beginning of each session. To preserve the timing during the session, a special bit-transition pattern is embedded in the digital signal assisting in maintaining the timing between the sender and receiver. Synchronous communication can achieve much higher rates than asynchronous communication methods.

      Asynchronous Communications

      Asynchronous communication lacks predetermined time intervals between the transmission of data. This type of communication does not use a timing mechanism to control the flow of data or to interpret the start or end of discreet pieces of data; rather, it uses its own encapsulation overhead to ensure that data is received error-free, in the order transmitted.

      Analog Communications

      An analog communication is a data transmitting technique that utilizes continuous, analog signals to transmit data. Analog signal is a variable signal continuous in both time and amplitude which is generally carried by use of modulation. Analog trans missions include voice, facsimile, and data transmission using a modem.

      Digital Communications

      While analog signals are continuous waves, representing an unlimited number of values, digital signals are electrical signals that change from one state to another is discrete steps, or on-off pulses. When analog data is converted to digital data, it can be transmitted over digital circuits faster and without distortion. While the digital data is precise it can never transmit the range of information available with analog.

      Broadband and Baseband

      Two different techniques may be used to transmit signal along the network wire - baseband communication and broadband communication.

      Baseband Digital signals are send as a single channel and the entire bandwidth of the media is being used. The signal is delivered as a pulse of electricity or light. Baseband communication is bidirectional.

      BroadbandThe information is send in a form of analog signal, which flows as electromagnetic waves or optical waves. Each transmission is assigned to a portion of the bandwidth, which makes it possible to have multiple transmissions at the same time. Broadband connection is however, unidirectional, so in order to send and receive two pathways have to be used.

      Circuit-Switched Networks

      In a circuit-switched type of network a circuit needs to be established between two nodes before communication can occur. After the circuit is established, the whole communication between the two devices goes through this circuit, even though there might be other possible ways for the data to be passes over the network. The circuit might be either a fixed one that is always available or created on the as-needed basis. A circuit connection is a physical, permanent connection lasting for the duration of a call. If a connection is made over a long distance, many circuits are dedicated to this one call, using substantial resources. Circuit calls are not shared by other traffic. The telephone system is a classic example of circuit switched network. It goes through a switch instead of a router.

      Packet-Switched Networks

      Routers take place is a packet switching type of network. Multiple paths for sending packets between two nodes are used. The data is grouped into suitably-sized packets. There is no exclusive use of paths as in the switched network.

      Core Network Protocols

      ICMP Protocol

      The ICMP Protocol works at the Network Layer – OSI Layer 3. Since IP is an unreliable protocol that has no mechanisms for error checking or error control, ICMP protocol was designed to compensate for this IP deficiency. However ICMP simply reports errors, it does not make IP reliable. Also through query messages ICMP can diagnose some network problems. ICMP is not used to transfer data and also with the exception of the ping and traceroute utilities it is not used directly from user applications.

      ICMP’s main purpose is to deliver messages, which are divided into two types:

          • Error-reporting – reports errors occurred during routing or at the destination host (examples – destination unreachable, source quench, time exceeded, parameter problems, redirection)
          • Query messages – used to get information about a host (examples echo request/reply, timestamp request/reply, address mask request/reply, router solicitation and advertisement)

      There are 40 different types of ICMP messages, which are divided into code numbers. Some examples are:

          • Type 3 message is an error-reporting message – Destination unreachable - Only the destination-unreachable messages with codes 2 or 3 can be created by the destination host, all the other destination unreachable messages can be created only by routers.
          • Type 11 message is an error-reporting message – Time exceeded – when all the fragments are not received by the destination in a set time, the received fragments are discarded and a time-exceeded message is send to the original host. When the time to live value reaches zero, the router discards the datagram and sends a time-exceeded message to the original host. Code 0 is use only by routers to show that the time to live value reached zero. Code 1 is used only by the destination host.
          • Type 4 message is an error-reporting message – Source quench - The source-quench message informs the source that a datagram has been discarded due to congestion in a router or destination host. A source-quench message is generated for each datagram discarded.
          • Type 8/0 message is a query message – Echo request and reply used by network managers to check the operation of IP protocol
          • Type 13/14 message is a query message - Timestamp request and reply – can be used to calculate round-trip time between a source and a destination even if their clocks are not synchronized. The clocks of two machines can be synchronized if the one-way time duration is known.
          • Type 15/16 message is a query type of message – Address Mask request and Address Mask reply.

      Most common implementations of the ICMP protocol are the following two programs:

      Ping command – checks the reachability of a host through echo request-reply messages. Used to test basic connectivity issues –check if the host is alive, if there is a route to the host and how long does it take to reach it. It does packet loss statistics, uses unique sequence number to match request and reply.

      Traceroute program – used to determine a valid route to a host. In order to determine a valid path it sends packets with successively increasing TTL values and records which routers respond with ICMP – Time exceeded messages.

      Address Resolution Protocol (ARP)

      The Address Resolution Control Protocol is a Network Layer protocol used to determine host’s MAC/hardware address, when only the IP address is known. It can be used in any type of broadcast network.
      The ARP request, which is broadcast packet, contains the source MAC and IP addresses and the destination IP address. Since it is a broadcast packet it is received by every host on the local network, but only the host with the destination IP sends a reply packet to the originating host with its MAC and IP address. The ARP reply packet is unicast. Requests and reply packets have the same format.

      Reverse Address Resolution Protocol

      Exactly the opposite to the ARP. Used to find the IP address when only the MAC/hardware address in knows. Similarly to ARP, RARP requests are broadcast and the replies are unicast. Used a lot by diskless workstations, where the IP cannot be stored in the system itself. When a diskless system broadcasts a RARP request packet with its MAC address, this packet is received by all the hosts in the network. When the RARP server receives this packet, it looks up this MAC address in the configuration file and determines the corresponding IP address. It sends this address in the RARP reply packet. The diskless system receives this packet and gets its IP address. A RARP request packet is normally generated during the booting sequence of a host.

      Transmission Control Protocol (TCP)

      The Transmission Control Protocol is one of the main protocols used for data transmission. TCP, working on top of the unreliable IP protocol, ensures that data transmission is reliable. TCP is a connection-oriented protocol, which means that a connection between to end points must be established before actually transmitting data. Data can be transmitted only when the connection is open. It also guarantees that all data sent will be received without any error and in the correct order.

      User Datagram Protocol (UDP)

      UDP is a Layer 4 protocol.UDP is connectionless protocol, which means that data can be sent at any moment without prior advertising, negotiation or preparation. UDP not only does not guarantee that the data will be delivered; it also can be delivered in a wrong order. It is very simple protocol and is mainly concerned with speed. Often used for video steaming and on-line gaming. UDP traffic is organized on the form of datagrams. One datagram consists of one message unit. The first 8 bytes of the datagram reveal the UDP header, which consists of four fields, 2 bytes each: 1. Source port number, 2. Destination port number, 3.datagram size, 4. Checksum.

      Routing protocols

      Routing is the process of selecting appropriate path for data movement from a source to a destination. Routing occurs at the Network Layer - Layer 3 of the OSI Reference Model. The basic functions of the routing are – determining optimal routing paths and transporting packets between computer networks.
      Router - a networking device that forwards data packets along networks. A router is connected to at least two networks. Routers are located at gateways, places where two or more networks connect. They keep data flowing between networks and networks connected to the Internet. Routers work at the Network, Data-link, and Physical Layers of the TCPI/IP stack. Accordingly the router’s TCP/IP stack consists of The Network, Data-link, and Physical Layers.

      The routing protocols could be of two types – intra-domain and inter-domain. The intra-domain routing protocols are designed for use within an autonomous system, while the inter-domain routing protocols are designed for use between autonomous systems.

      Intra-domain routing protocols are:

          • Distance vector routing - The Distance vector routing protocol uses the Bellman-Ford algorithm for calculating routing tables. It involves two factors – the distance of a destination and a vector – direction to take to get there. A table of minimum distances (least cost routes) to every node is maintained by every node. Routing information is exchanged only between directly connected neighbors. Distance vector routing protocol is an intra-domain. Example of a distance-vector routing and intra-domain routing protocol is RIP – Routing Information Protocol, which is a very simple protocol, it uses the Bellman-Ford algorithm. A RIP counting table consists of a destination network address, the hop count to that destination and the IP address of the next router.
          • Link state routing protocol – The Link state routing protocol requires that all routers know about the paths reachable by all other routers within an autonomous system. The Dijkstra’s algorithm is used to build a routing table. Example of an intra-domain protocol based on link state routing is the Open Shortest Path First (OSPF) protocol.

      Inter-domain routing protocol:

          • Path vector routing protocol – it is similar to the distance vector routing protocol. It is used for inter-domain routing. There is at least one node in each autonomous system, which is the speaker node and it communicates routing tables with other speaker nodes from different autonomous systems. The Border Gateway Protocol (BGP) is an example of inter-domain routing protocol using path vector routing.

      DNS Protocol

      The DNS server, which implements the DNS protocol, is a database that stores DNS records. It translates host and domain names into IP addresses. It is based on client-server communication. The client sends a query to the server to resolve a given host name or IP address into the corresponding IP address or host name. The role of the DNS server and DNS protocol in computer communication is to provide the client with the DNS records upon request.

      DNS is important for people and provides the ability to access a host, using a human-readable name without having to remember the IP address of that host. If you don’t have a DNS server, you won’t be able to access a host just by knowing its name. If you have a wrong DNS server you won’t be able to access the correct host by name.

      Even though DNS is a very important part of the TCP/IP stack and the modern Internet, since keeps billions of IP addresses all over the globe along with their human-readable names, it is possible to avoid it in a TCP/IP stack configuration. Another option to resolve names to IP addresses is consulting the local host file, which is limited to resolve the IP addresses that are entered into this file. Unlike DNS, it requires individual maintenance. You also, would not be able to access any host outside of the host file, without knowing the IP address for it.

      The most important DNS Resource records are:

          • A – Value-1 - Ipv4 address record. It is a record of an IPv4 address for a host.
          • AAAA – Value 28 - Ipv6 address record. An Ipv6 address for a host.
          • CNAME – Value 5 - Canonical name. An alias name for a host.
          • MX – Value 15 - Mail exchanger record.
          • PTR – Value 12 IP (could be v4 or v6) address to a host. TXT – Value 16. Text information associated with a name.

      DHCP Protocol

      DHCP protocol is a Dynamic Host Configuration Protocol – it lets computer, printers and other TCP/IP devices to dynamically obtain unique IP addresses on a given network. If a device does not have a preconfigured IP address and want s to connect to a network, which has DHCP enabled, its purpose is to dynamically configure an IP address to the device. Also it releases and renews this IP addresses as devices leave and rejoin the network. DHCP was created by the Dynamic Host Configuration Working Group of the Internet Engineering Task Force. It is basically a successor of the BOOTP protocol.

      SMTP Protocol

      The main purpose of SMTP – Simple Mail Transfer Protocol is reliable and efficient mail transfer.
      When a user sends a mail it goes to its sender SMTP and from there it is sent to the Receiver SMTP (destination SMTP). The sender is using an ephemeral port and the receiver is using well known port 25/TCP.
      When the SMTP sender has a message to transmit to the SMTP receiver a two way transmission channel is established between both, three way handshake is done and after that the mail is transferred. Different replies are sent back from the server depending on the fact if the mail was accepted or not.

      One of the major problems of SMTP is that it does not require authentication, this makes spam possible, by allowing any originator to send e-mail to any destination. Other SMPT problems are - limitations related to the length of the messages; possible difference of the timeouts between a client and a server; infinite mail storms can be triggered.

      Some of the security consideration in SMTP are:
      The relaying model of SMTP communication is entirely designed around the idea cooperation and trust between servers. When SMTP was designed the basic assumption was that users will be all well-behaved and would not abuse the system by flooding it lots of mail to be delivered or sent messages to cause problems.
      It is easy to impersonate an SMPT server. Using the Telnet protocol you can connect directly to an SMTP server on port 25. SMTP’s commands and replies are all send as text, which allows to manually perform a mail transaction.
      Efforts to apply general security mechanism have been resisted mainly due to the fact that SMTP is very widely used and implementing new security mechanisms could create incompatibilities between systems.
      Some of the most common security provisions that could be implemented include:

          • Refusing to start an SMTP session if the IP address of the attempting to connect device is not in the list of authorized client devices
          • Restriction of certain commands or features – could be done by requiring authentication using the SMTP extension AUTH
          • Some servers verify the validity of the sender e-mail address before accepting the message
          • Limiting the size or the number of messages that could be received in a given period of time
          • Logging all access to the server to keep records and check for abuse

      MTA – Mail Transfer Agent – is a server program that implements SMTP and it is used to move mail from one server to another.
      strong>Mail Gateway – connect and transfers messages between two or more e-mail systems that might be differ from one another and be on different networks.
      Relay – it is an e-mail server, device or a program, which responsibility is to route an e-mail to the correct final destination.
      E-mail header – contains details about the sender, route and receiver of an e-mail. It is a part of every e-mail.
      SPAM –flooding the Internet with large quantities of unwanted and e-mail and forcing it to people.
      MIME – Multi-purpose Internet Mail Extension; Originally SMTP was designed to send and receive only plain text. MIME standard extends the support of the e-mail format beyond plain text.

      Network Components

      Hardware Network Components

      Repeaters and Hubs

      Repeaters and hubs are layer 1 devices.

      Repeaters are used to strengthen the whenever the network layout exceeds the normal specifications of the cable. Repeaters allow the signal that is weakened as it travels through the wire to travel longer distances than the supported from the network cable used.

      Hubs act as a central point for all network devices to connect to. When a computer sends a piece of data to another computer, and when the signal reaches the hub, the hub broadcasts the signal to all ports on the hub so that all systems can check to see whether the data is destined for them.

      Bridges

      Bridge is a device that breaks down one network into multiple segments. Bridge is a layer 2 device and unlike the hubs, it forwards traffic only to the destination network segment.

      Switches

      Switches combine the functionality of a repeated and a bridge. The switch provides traffic isolation by associating the MAC address of each host. A switch shrinks the collision domain to a single port. You will normally have no collisions assuming one device is connected per port.

      Routers

      Routers are Layer 3 devices that route traffic from one network to another. IP-based routers make routing decisions based on the source and destination IP addresses. Routers work with layer-3 addresses, which are logical addresses assigned to the systems that are used to determine how to reach the destination network. Routers use a routing table stored in memory on the router to determine how to reach a system on a destination network.

      Modems

      A Modem is a Modulator/Demodulator. It takes binary data and modulates it into analog sound that can be carried on phone networks designed to carry the human voice. The receiving modem then demodulates the analog sound back into binary data. Modems are asynchronous devices: they do not operate with a clock signal.

      Transmission Media

      Each type of transmission media has its purpose and serves best in a particular set of circumstances. The types of transmission media could be generally divided into two types –cable media and wireless media. The following factors have to be considered when choosing the type of media used: 1. Cost, 2. Distance limitations, 3. Number of nodes.

      Cable media

      There are three primary types of cable media that can be used to connect systems to a coaxial cable, twisted-pair cable, and fiber-optic cable. The coaxial and twisted pair cables are copper cables and the fiber-optic cable consists of a glass or high-grade optical strands surrounded by a tough cloth-and-plastic wrap. Transmission rates that can be supported on each of these physical media are measured in millions of bits per second, or megabits per second (Mbps).

      Coaxial Cable

      The coaxial cable looks like the cable used to connect a TV to the cable TV outlet. One strand of a solid copper wire runs down the middle of the cable. Around that strand is a layer of insulation, and covering that insulation is braided wire and metal foil, which shields against electromagnetic interference. Because of the layers of insulation, the coaxial cable is more resistant to outside interference than other type of cables, such as unshielded twisted pair cable.

      The two types of coax cabling are thinnet and thicknet. The main differences between the two types is their thickness and the distance that the signal can travel.

          • Thinnet The thinnet coax cable is known as RG-58 cable. This cable is about 1/4 inches thick and it is used for short-distance communication. The maxim transfer rate for the thinnet cable is 10Mbps and the maximum supported cable distance is 185m. British naval connection (BNC) is used to connect directly to a workstation’s network adapter card.
          • Thicknet The thicknet coax cable is known as RG-8 cable. this cable is about 1/2 inches thick and it can be used for communications over longer distances than the thinnet cable. The maximum transfer rate is the same as with the thinnet cable - 10Mbps. However, the maximum supported distance is 500m. The connection to the network adapter is made using a drop cable to connect to the adapter unit interface (AUI) port connector.

      Twisted-Pair Cable

      There are two types of twisted pair cables - unshielded twisted-pair (UTP) and shielded twisted-pair (STP).

          • Unshielded Twisted-Pair (UTP) This cable looks like the cable used to connect the telephone line to the wall. The typical twisted-pair cable for network use contains four pairs of wires. Each member of the pair of wires contained in the cable is twisted around the other. The twists in the wires help shield against electromagnetic interference. The maximum distance of UTP is 100 meters. UTP cables uses RJ-45 connector. The RJ-45 connector is similar to the phone connectors, except that instead of four wires, the RJ-45 connectors contains eight contacts. Twisted-pair cable is more susceptible to interference than coaxial, however, and should not be used in environments containing large electrical or electronic devices.
          • Shielded Twisted-Pair (STP) Shielded twisted-pair (STP) cable is very similar to UTP cabling. It differs from UTP in that it uses a layer of insulation within the protective jacket, which helps maintain the quality of the signal.

      Fiber-Optic Cable

      The fiber-optic resembles coaxial cable from the outside. Consists of a glass or high-grade optical strands surrounded by a tough cloth-and-plastic wrap. It has similar technology used in the fiber-optic lamps, in which colored lights feed into optical strands to create the appearance of dozens of pinpoints of light. An optical fiber consists of an extremely thin cylinder of glass, called the core, surrounded by a concentric layer of glass, known as the cladding. There are two fibers per cable—one to transmit and one to receive. There are two types of fiber-optic cables:

          • Single-mode fiber uses a single ray of light
          • Multimode fiber uses multiple rays of light simultaneously

      Fiber-optic cable can carry the signal up to and beyond 2 kilometers. It can support up to 1000 stations and is highly secure from outside interference. Fiber-optic cables can use many types of connectors, but the two main once are: the straight-tip (ST) connector and the subscriber (SC) connector. The ST connector is based on the BNC-style connector and the SC connector is similar to an RJ-45 connector. The transfer rates for fiber-optic cables are typically 1000Mbps and faster.

      Wireless Media

      Wireless transmissions use radio waves or infrared light to transmit data through the air. Two types of wireless networks can be created - ad hoc mode and infrastructure mode wireless networks. With the ad hoc more a wireless device is connected to another wireless device and there is no need for a wireless access point. With the infrastructure mode the wireless devices are connected to a central wireless access point.

      Wireless Standards

      802.11a This is an older standard that runs at the 5 GHz frequency. 802.11a devices can transmit data at 54 Mbps and are incompatible with 802.11b and 802.11g devices.

      802.11b This standard has a transfer rate of 11Mbps and runs at the 2.4 GHz frequency. These devices are compatible with 802.11g/n devices because they run at the same frequency and follow the WiFi standard.

      802.11g This is a newer wireless standard. It is designed to be compatible with 802.11b but is increases the transfer rate. The transfer rate of this standard is 54Mbps and a frequency of 2.4 GHz is used. All 802.11g devices are compatible with 802.11b/n devices because they all follow the WiFi standard and run at the same frequency of 2.4 GHz.

      802.11n This standard implements two new features: multiple input multiple output (MIMO) and channel bonding. MIMO is the use of multiple antennas to achieve more throughput than can be accomplished with only a single antenna. Channel bonding allows 802.11n to transmit data over two channels to achieve more throughput. This standard is backward compatible with 802.11a, 802.11b, and 802.11g and can run at the 2.4 GHz or 5 GHz frequency.

      Network Access Control Devices

      Firewalls

      A firewall is a system designed to prevent unauthorized access to or from a private network. A firewall can be implemented in either hardware or software form, or a combination of both. Firewalls prevent unauthorized Internet users from accessing private networks connected to the Internet. All packets entering or leaving the private network must pass through the firewall. The firewall then examines each packet and blocks those that do not meet the specified security criteria.

      Packet-Filtering Firewall

      Each packet entering or leaving the network is examined based on configured filters, that are set up at the Transport and Network layers. Incoming or outgoing packets can be blocked based on the IP address or port address rules. The information that rules can be based on includes source address, destination address, protocol type, and source and destination port address. A packet filtering firewall uses ACLs to decide which traffic is allowed to pass through the firewall.

      Application-Level Firewall

      Application-level firewalls operate at the application, presentation, and session layers of the OSI model. This type of firewall understands the data at the application level and monitors it to verify that no harmful information is included.

      A proxy server is a application-level firewall. it can analyze the application data in the packet and decide if it is allowed through the firewall.

      Circuit-Level Firewall

      Circuit-level firewalls operate at the transport layer. This firewall applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

      Stateful vs. Stateless firewalls

      A packet-filtering firewall is a stateless firewall because it simply allows or denies traffic based off the header of the packet. It does not look at any other characteristics of the packet.

      A stateful firewall will look at the packet and the context of the conversation and will only allow a packet that are supposed to be received at that point and time of the conversations.

      Intrusion Detection Systems

      Intrusion Detection System (IDS) is a hardware or software application that monitors network or system activities for malicious activities or policy violations and notifies the administrator of any suspicious activity. The IDS is an important device because it will notify you not only of suspicious activity against the firewall, but also of suspicious activity inside the network.

      There are two types of IDSs:

          • Host-based Host-based intrusion detection systems monitor the local system for suspicious activity. It is a typically a piece of software installed on the system and can only monitor the activity of that system.
          • Network-based Network-based intrusion detection systems monitor the activity on the network for suspicious behavior.

      Intrusion Prevention Systems

      Intrusion prevention system (IPS) is a hardware or software application that monitors network or system for malicious activities and attempt to block/stop activity before reporting it. Intrusion prevention systems are considered extensions of intrusion detection systems.

      There are two types of IPSs:

          • Host-based Host-based IPS is installed on a single host and monitors and prevents malicious activity only that host.
          • Network-based Network-based IPS monitor and prevent malicious activity on the network.

      the network attacks part is still not completed

      Network Attacks

      TCP SYN Flood

      Land Attack

      Fraggle Attacks

      Tear Drop Attack