Network Layer Protocol and Transport Layer Protocol Review
Session – SSL
Transport- TCP or UDP
Network – logical addressing (IP or IPX), icmp
Data-link – mac/ physical, switches
Physical – 0s,1s, cables and hubs
The Application layer is associated with the data that is generated by a service or a protocol. A security device operating at the Application layer makes security decisions based on the actual data within a data stream.
An example of an application at this layer is an application proxy firewall. Functions defined by the Application layer include:
*Communication partner identification.
*Gateway services (protocol translation).
*Programming interfaces that allow services to operate and clients to access the service.
*Advertisement of networking services.
*Protocols associated with the Application layer include HTTP, TELNET, FTP, TFTP, and SNMP.
*Formatting and translation of data between systems. Data format (file formats) such as JPEG, BMP, WMV, AVI, WAV, and MIDI are supported at this layer.
*Negotiation of data transfer syntax between systems, through converting character sets to the correct format.
*Encapsulation of data into message envelopes by encryption and compression.
*Restoration of data by decryption and decompression.
*Management of multiple sessions (each client connection is called a session). A server can concurrently maintain thousands of sessions.
*Assignment of the session ID number to each session to keep data streams separate.
*Negotiation of communication parameters to set up, maintain, and tear down a session.
*SSL is a protocol that operates at this layer.
*Host and service identification through port and socket numbers.
*Breaking larger messages into segments and combining smaller messages.
*Recombining segments into the original message using segment sequencing.
*Ensuring reliable data transmissions (called connection-oriented services) using acknowledgements and other mechanisms. Connectionless services do not guarantee delivery, but are delivered with best-effort delivery, which results in low overhead.
*Controlling the information flow rate between sender and receiver.
*Using port numbers to identify source and destination upper-layer protocols.
Two protocols associated with the Transport layer are:
*The Transmission Control Protocol (TCP) provides services that ensure accurate and timely delivery of network communications between two hosts. TCP provides the following services to ensure message delivery:
*Sequencing of data packets
TCP is referred to as a connection-oriented protocol because it includes these delivery guarantees.
*The User Datagram Protocol (UDP) is similar to TCP, but does not include mechanisms for ensuring timely and accurate delivery. Because it has less overhead, it offers fast communications, but at the expense of possible errors or data loss. UDP is referred to as a connectionless protocol because it lacks these delivery guarantee mechanisms.
*Definition of the logical host address, in the form of the IP address.
*Path identification and selection.
*Breaking larger segments into datagrams (also called packets).
Routers operate at the Network layer by reading the IP address in the packet to make forwarding decisions. Protocols associated with the Network layer include IP, IPX, and ICMP.
*Converting bits into bytes and bytes into frames.
*Physical addressing using the MAC address with Ethernet.
*Describing how messages travel through the network (logical topology).
*Controlling access to the transmission medium.
*Controlling the rate of data transmissions between intermediary devices (host-to-host flow control).
*Detecting, and in some cases, correcting errors in frames through parity or CRC.
*Employing protocols such as IBM’s Synchronist Data Link Control (SDLC) and ISO’s High-level Data Link Control (HDLC) to send data across a serial link.
Network interface cards (NICs) contain the MAC address and perform functions at the Data Link layer. Switches operate at the Data Link layer by reading the MAC address in a frame to make forwarding decisions.
*Details regarding the transmission medium, such as cable and connector specifications.
*Details about the electrical composition of signals as they pass through the transmission medium, such as voltage levels and synchronization.
*Specifications for the physical topology (layout) of network devices.
Standards that are associated with the Physical layer include EIA/TIA 232 (serial signaling), V.35 (modem signaling), Cat5 (cable specifications), and RJ45 (connector specifications).
*Routers and most firewalls operate at the Network layer.
*Bridges, switches, and network interface cards (NICs) operate at the Data Link layer.
*As the name implies, Layer 3 switches operate at the Network layer and use switching technology for routing functions.
*Hubs and repeaters operate at the Physical layer.
*Decimal (for example 126.96.36.199).
*Binary (for example 10000011.01101011.00000010.11001000). In binary notation, each octet is an 8-character number.
01000000 -> 64
00100000 -> 32
00010000 -> 16
00001000 -> 8
00000100 -> 4
00000010 -> 2
00000001 -> 1
*In binary form, the subnet mask is always a series of 1’s followed by a series of 0’s (1’s and 0’s are never mixed in sequence in the mask). A simple mask might be 255.255.255.0.
*In Classless Inter-Domain Routing (CIDR) form, the subnet mask appears as a slash (/) followed by the number of bits in the mask that are set to 1. A simple mask might be /24.
First Octet Range -> 1-126
Default Subnet Mask -> 255.0.0.0
CIDR Notation -> /8
First Octet Range -> 128-191
Default Subnet Mask -> 255.255.0.0
CIDR Notation -> /16
First Octet Range -> 192-223
Default Subnet Mask -> 255.255.255.0
CIDR Notation -> /24
First Octet Range -> 224-239
Default Subnet Mask -> n/a
CIDR Notation -> n/a
First Octet Range -> 240-255
Default Subnet Mask -> n/a
CIDR Notation -> n/a
*The quartets are separated by colons.
*Each quartet is represented as a hexadecimal number between 0 and FFFF. Each quartet represents 16-bits of data (FFFF = 1111 1111 1111 1111).
*Leading zeros can be omitted in each section. For example, the quartet 0284 could also be represented by 284.
*Addresses with consecutive zeros can be expressed more concisely by substituting a double-colon for the group of zeros. For example:
*FEC0::78CD:1283:F398:23AB (concise form)
*If an address has more than one consecutive location where one or more quartets are all zeros, only one location can be abbreviated. For example, FEC2:0:0:0:78CA:0:0:23AB could be abbreviated as:
But not FEC2::78CA::23AB
But not FEC2::78CA::23AB
*The 64-bit prefix can be divided into various parts, with each part having a specific meaning. Parts in the prefix can identify the geographic region, the ISP, the network, and the subnet.
*The prefix length identifies the number of bits in the relevant portion of the prefix. To indicate the prefix length, add a slash (/) followed by the prefix length number. Full quartets with trailing 0’s in the prefix address can be omitted (for example 2001:0DB8:4898:DAFC::/64).
*Because addresses are allocated based on physical location, the prefix generally identifies the location of the host. The 64-bit prefix is often referred to as the global routing prefix.
*Addresses are assigned to interfaces (network connections), not to the host. Technically, the interface ID is not a host address.
*In most cases, individual interface IDs are not assigned by ISPs, but are rather generated automatically or managed by site administrators.
*Interface IDs must be unique within a subnet, but can be the same if the interface is on different subnets.
*On Ethernet networks, the interface ID can be automatically derived from the MAC address. Using the automatic host ID simplifies administration.
*Increase the number of devices that can be added to the LAN (to overcome the architecture limits)
*Reduce the number of devices on a single subnet to reduce congestion and collisions
*Reduce the processing load placed on computers and routers
*Combine networks with different media types within the same internetwork (subnets cannot be used to combine networks of different media type on to the same subnet)
*Subnetting uses custom rather than the default subnet masks. For example, instead of using 255.0.0.0 with a Class A address, you might use 255.255.0.0 instead.
*Using custom subnet masks is often called classless addressing because the subnet mask cannot be inferred simply from the class of a given IP address. The address class is ignored and the mask is always supplied to identify the network and host portions of the address.
*When you subnet a network by using a custom mask, you can divide the IP addresses between several subnets. However, you also reduce the number of hosts available on each network.
Default example 188.8.131.52
Custom example 184.108.40.206
Default example 255.255.0.0
Custom example 255.255.255.0
# of Subnet addresses
Defualt example One
Custom example 254
# of hosts per subnet
Default example 65,534
Custom example 254 per subnet
Default example 220.127.116.11 (only one)
Custom example 18.104.22.168
(and so on)
Host address ranges
Default example 22.214.171.124 to 126.96.36.199
Custom example 188.8.131.52 to 184.108.40.206
220.127.116.11 to 18.104.22.168
22.214.171.124 to 126.96.36.199
(and so on)
*The beginning network address in the range
*The number of bits used in the subnet mask
For example, the subnet 188.8.131.52 with a mask of 255.255.0.0 is represented as 184.108.40.206/16 (with 16 being the number of 1 bits in the subnet mask).
The local loopback address is not assigned to an interface. It can be used to verify that the TCP/IP protocol stack has been properly installed on the host.
is the unspecified address (also identified ::/128) The unspecified address is used when there is no IPv6 address.
128 bit address
In binary notation 172.17.0.0 can be viewed as 11111111.11111111.11000000.000000. Because the first two bits of the third octet are used for the network portion of the address, four subnets are possible:
*Sequencing of data packets
The TCP three-way handshake is the process used to establish a TCP session.
The steps to a TCP three-way handshake process are:
1.A host sends a SYN packet to the target host.
2.The target host responds to the original host with a SYN ACK packet.
3.The host responds to the target host with an ACK packet.
*NetBIOS was used in early Windows networks.
*Beginning with Windows 2000, NetBIOS is no longer required.
*NetBIOS might be needed if the network includes clients running previous versions of Windows.
*ping is an ICMP Echo Request and once executed should initiate an Echo Reply to the source from the target device. Ping can be used to determine whether devices are reachable and can communicate across the network.
*traceroute determines how many routers (hops) are between the source and the target in addition to determining timeout response values for each router.
ICMP also works with IP to send notices when destinations are unreachable and when devices’ buffers overflow. ICMP messages are used to determine the route and hops packets take through the network and whether devices can communicate across the network.
1.The host looks in its local cache to see if it has recently resolved the host name.
2.If the information is not in the cache, it checks the Hosts file. The Hosts file is a static text file that contains hostname-to-IP address mappings.
3.If the IP address is not found, the host contacts its preferred DNS server. If the preferred DNS server can’t be contacted, it continues contacting additional DNS servers until one responds.
4.The host sends the name information to the DNS server. The DNS server then checks its cache and Hosts file. If the information is not found, the DNS server checks any zone files that it holds for the requested name.
5.If the DNS server can’t find the name in its zones, it forwards the request to a root zone name server. This server returns the IP address of a DNS server that has information for the corresponding top-level domain (such as .com).
6.The first DNS server then requests the information from the top-level domain server. This server returns the address of a DNS server with the information for the next highest domain. This process continues until a DNS server is contacted that holds the necessary information.
7.The DNS server places the information in its cache and returns the IP address to the client host. The client host also places the information in its cache and uses the IP address to contact the desired destination device.
*A manager is the computer used to perform management tasks. The manager queries agents and gathers responses.
*An agent is a software process that runs on managed network devices. The agent communicates with the manager and can send dynamic messages to the manager.
*The management information base (MIB) is a database of host configuration information. Agents report data to the MIB, and the manager can then view information by requesting data from the MIB.
*A trap is an event configured on an agent. When the event occurs, the agent logs details regarding the event.
SNMP version 2 added some security features, but most security comes with SNMP version 3. SNMP version 3 adds the following:
*Authentication for agents and managers.
*Encryption of SNMP information.
*Message integrity to ensure that data is not altered in transit.
*Ports allow a single host with a single IP address to run multiple network services. Each port number identifies a distinct service.
*Each host can have over 65,000 ports per IP address.
*Port use is regulated by the Internet Corporation for Assigning Names and Numbers (ICANN).
*Registered ports range from 1024 to 49151 and are assigned by ICANN to a specific service.
*Dynamic (also called private or high) ports range from 49,152 to 65,535 and can be used by any service on an ad hoc basis. Ports are assigned when a session is established, and released when the session ends.
SSH File Transfer Protocol (SFTP)
Secure Copy (SCP)
137 and 138 TCP and UDP
162 TCP and UDP
990 TCP and UDP
1813 TCP and UDP
*Configure a firewall to open (allow) or block ports through the firewall or on a device.
*As a best practice, only open the necessary ports. For example, if the server is only being used for e-mail, then shut down ports that correspond to FTP, DNS, and HTTP (among others).
*For auditing purposes, you can use a port scanner to check systems and firewalls for open ports.
*Use netstat -a to view a list of opened ports on a system.
*Use a port scanning tool such as Nmap to scan for open ports on local and remote systems.
TCP: conncetion-ortiented, reliable, sequenced, high overhead.
A company connects two networks through an expensive WAN link. The communication media is reliable, but very expensive. They want to minimize connection times.