Communication and Network Security Flashcards
Protocol
Set of rules or restrictions that define how data is transmitted over a network medium
Open Systems Interconnection (OSI) Model
Developed by International Organization for Standardization (ISO) in late 1970s/early 1980s. ISO 7498 defines OSI Model.
TCP/IP
Most widely used protocol today. Based on DARPA model (TCP/IP model)- developed in early 1970s.
7 Layers of OSI Model
7- Application- Data Stream 6- Presentation- Data Stream 5- Session- Data Stream 4- Transport- Segment (TCP)/Datagram (UDP) 3- Network- Packet 2- Data Link- Frame 1- Physical- Bits
Encapsulation
Addition of a header and possibly a footer to the data received by each layer from the layer above before it’s handed off to the layer below. As the message is encapsulated at each layer, the previous layer’s header and payload combine to become the payload of the current layer. Inverse action is called Deencapsulation.
Encapsulation/Deencapsulation Process
- Application layer creates a message.
- Application layer passes the message to Presentation layer.
- Presentation layer encapsulates message by adding information to it. Information is usually added only at the beginning of the message (called a header); however, some layers (Data Link, Physical) also add material at the end of the message (called a footer).
- The process of passing the message down and adding layer-specific information continues until the message reaches the Physical layer.
- At the Physical layer, the message is converted into electrical impulses that represent bits and is transmitted over the physical connection.
- The receiving computer captures the bits from the physical connection and re-creates the message in the Physical layer.
- The Physical layer converts the message from bits into a Data Link frame and sends the message up to the Data Link layer.
- The Data Link layer strips its information and sends the message up to the Network layer.
- This process of deencapsulation is performed until the message reaches the Application layer.
- When the message reaches the Application layer, the data in the message is sent to the intended software recipient.
The information removed by each layer includes instructions, checksums, and so on that can be understood only by the peer layer that originally added or created the info.
Data Stream and Packet Transformation Down the Stack
Message sent into protocol stack at the Application layer, retains the label of data stream until it reaches the Transport layer (4) where it is called a segment (TCP protocols) or datagram (UDP protocols). In the Network layer, it is called a packet. In the DL Layer (2), it is called a frame. In the Physical layer (1), it is referred to as bits for transmission over the physical connection medium.
Physical Layer
Contains the device drivers that tell the protocol how to employ the hardware for the transmission and reception of bits. Contains: EIA/TIA-232 and EIA/TIA-449, X.21, High-Speed Serial Interface (HSSI), Synchronous Optical Network (SONET), V.24 and V.35.
Controls throughput rates, handles synchronization, manages line noise and medium access, and determines to use digital or analog signals or light pulses to transmit or receiver data over the physical hardware interface.
Network hardware devices that function here include network interface cards (NICs), hubs, repeaters, concentrators, and amplifiers.
Data Link Layer
Ethernet (IEEE 802.3), Token Ring (IEEE 802.5), asynchronous transfer mode (ATM), File Distributed Data Interface ( FDDI), and Copper DDI (CDDI). Only Ethernet remains a common DL layer technology in use in modern networks. Protocols found here include: Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP), Address Resolution Protocol (ARP), Reverse ARP (RARP), Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), Integrated Services Digital Network (ISDN).
This layer includes adding the hardware sources and destination addresses to the frame. Hardware address is the Media Access Control (MAC) address, which is a 6-byte (48-bit) binary address written in hexadecimal notation. First 3 bytes (24 bits) denotes to the vendor or manufacturer of the physical network interface, known as the OUI, which is registered with IEEE, which controls their issuance. Last 2 bytes represent a unique number assigned to that interface by the manufacturer. EUI-48 replaced MAC-48 (IEEE 802). Converting to EUI-64 where 2 octets of FF:FF are added between cc and ee octets for MAC-48; in the case of EUI-48, 2 octets of FF:FE are added between cc and ee octets.
cc:cc:cc:FF:FF:ee:ee:ee
ARP- used to resolve IP addresses into MAC addresses
RARP- used to resolve MAC addresses into IP addresses
2 sublayers of DL Layer- Logical Link Control (LLC) and MAC
Switches and bridges function here, and support MAC-based traffic routing. Switches receive a frame on one port and send it out another port based on the destination MAC address. MAC address destinations are used to determine whether a frame is transferred over the bridge from one network to another.
Network Layer
Responsible for adding routing and addressing information to the data. Accepts the segment from the Transport later and adds information to it to create a packets, which includes source and destination IP addresses. Routing protocols found here include: Internet Control Message Protocol (ICMP), Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Internet Group Management Protocol (IGMP), Internet Protocol (IP), Internet Protocol Security (IPSec), Internetwork Packet Exchange (IPX), Network Address Translation (NAT), Simple Key Management for Internet Protocols (SKIP).
Responsible for providing routing or delivery information. Not responsible for guaranteeing or verifying delivery (that is the responsibility of the Transport layer).
Manages error detection and node data traffic, or traffic control.
Routers and bridge routers (brouters) are among the network hardware devices that function at this layer. Routers determine the best logical path for the transmission of packets based on speed, hops, preference, and so on. Routers use the destination IP address to guide the transmission of packets. A brouter, working primarily in layer 3 but in layer 2 when necessary, is a device that attempts to route first, but defaults to bridging if routing fails.
2 broad categories of routing protocols- distance vector and link state. Distance vector protocols maintain a list of destination networks along with metrics of direction and distance as measured in hops (number of routers hit to reach destination). Link state protocols maintain a topography map of all connected networks and use this map to determine the shortest path to the destination.
Distance vector examples- RIP, IGRP, and BGP
Link state example- OSPF
Non-IP Protocols
IPX, AppleTalk, NetBEUI
Transport Layer
Responsible for managing the integrity of a connection and controlling the session. Accepts a Protocol Data Unit (PDU) from the Session Layer and converts it into a segment.
Controls how devices on the network are addressed or referenced, establishes communication connections between nodes or devices, and defines the rules of a session. Session rules are established through SYN/ACK handshake.
Establishes a logical connection between two devices and provides end-to-end transport services to ensure data delivery. This layer includes mechanisms for segmentation, sequencing, error checking, controlling the flow of data, error correction, multiplexing, and network service optimization.
Protocols found here include: Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Sequenced Packet Exchange (SPX), Secure Sockets Layer (SSL), and Transport Layer Security (TLS).
Session Layer
Responsible for establishing, maintaining, and terminating communication sessions between 2 CPUs. Manages dialogue discipline or dialogue control (simplex, half duplex, full duplex), establishes checkpoints for grouping and recovery, and retransmits PDUs that have failed or been lost since the last verified checkpoint.
Protocols include Network File System (NFS), Structured Query Language (SQL), Remote Procedures Call (RPC).
Simplex- One way direction communication
Half Duplex- Two way communication, but only one direction can send data at a time
Full Duplex- Two way communication, in which data can be sent in both directions at the same time
Presentation Layer
Responsible for transforming data received from the Application layer into a format that any system following the OSI model can understand. Imposes common or standardized structure and formatting rules onto the data. Responsible for encryption and compression. Acts as an interface between the network and applications. Most file or data formats operate within this later, including formats for images, video, sound, documents, email, web pages, control sessions, and so on.
Format standards found here: American Standard Code for Information Interchange (ASCII), Extended Binary Coded Decimal Interchange Mode (EBCDICM), Tagged Image File Format (TIFF), Joint Photographic Experts Group (JPEG), Moving Picture Experts Group (MPEG), Musical Instrument Digital Interface (MIDI).
Application Layer
Responsible for interfacing user applications, network services, or the operating system with the protocol stack. Allows applications to communicate with the protocol stack. Determines whether a remote communication partner is available and accessible. Ensures that sufficient resources are available to support requested communication.
Transmits files, exchanges messages, and connects to remote terminals.
Protocols found here include: Hypertext Transfer Protocol (HTTP) File Transfer Protocol (FTP) Line Print Daemon (LPD) Simple Mail Transfer Protocol (SMTP) Telnet Trivial File Transfer Protocol (TFTP) Electronic Data Interchange (EDI) Post Office Protocol Version 3 (POP3) Internet Access Message Protocol (IMAP) Simple Network Management Protocol (SNMP) Network News Transport Protocol (NNTP) Secure Remote Procedure Call (S-RPC) Secure Electronic Transaction (SET)
Network device, or service, that works at this layer is called the gateway. Application layer gateway serves as a protocol translation tool.
TCP/IP Model
DARPA or DOD Model.
- Application (Application, Presentation, Session of OSI)
- Transport (Transport of OSI)
- Internet (Network of OSI)
- Link (Data Link, Physical of OSI)
TCP/IP
Platform independent protocol based on open standards. Consumes a significant amount of resources and is easy to hack into. Designed for ease of use rather than security. Not just a single protocol- is a protocol stack comprising dozens of individual protocols.
Can be secured using VPN links between systems. VPN links are encrypted to add privacy, confidentiality, and authentication to maintain data integrity. Protocols used to establish VPNs are PPTP, L2TP, and IPSec.
TCP/IP Protocols
Application Layer- FTP, Telnet, SNMP, LPD, TFTP, SMTP, NFS, X Window
Transport Layer- TCP, UDP
Internet Layer- ICMP, IGMP, IP
Link Layer- Ethernet, Fast Ethernet, Token Ring, FDDI
TCP Wrapper
Provides protocol level security. An application that can serve as a basic firewall by restricting access to ports and resources based on user IDs or system IDs. Form of port based access control.
TCP
Full-duplex connection-oriented protocol. Has 65,536 ports. Operates at layer 4 (Transport). Employs reliable sessions. Connection oriented because of the handshake process employed.
Two methods to disconnect session- FIN, finish, and RST, or reset.
FIN- FIN, ACK, FIN, ACK. Takes 4 packets to gracefully tear down a TCP session. RST- causes an immediate and abrupt session termination.
Segments of TCP transmission are tagged with a sequence number. Transmission window- number os packets transmitted before an ACK packet is sent.
Data flow is controlled through sliding windows.
UDP
Simplex connectionless protocol. Has 65,536 ports. Operates at Layer 4 (Transport). Offers no error detection or correction, does not use sequencing, does not use flow control mechanisms, does not use preestablished session, and is unreliable. Often used for audio and video, employed by real time or streaming communications.
IP header protocol field value- 17 bits (0 * 11)
Port
Also called a socket. An address number that both ends of the communication link agree to use when transferring data. Allows a single IP address to be able to support multiple simultaneous communications, each using a different port number.
Well Known Ports
The first 1,024 ports (0-1,023). Has standardized assignments for services they support. I.e. HTTP is Port 80.
Registered Software Ports
Ports 1,024 to 49,151. Has one or more networking software products specifically registered with the International Assigned Numbers Authority, or IANA.
Random, Dynamic, Ephemeral Ports
Ports 49,152 to 65,535. Often used random or temporarily by clients as a source port. Associated with common FTP.
Berkeley Software Distribution (BSD)- Ports 1,024 to 4,999
Linux Kernels- 32,768 to 61,000
Microsoft up to Windows Server 2003- 1,025 to 5,000
All Windows After- IANA range
FreeBSD since version 4.6- IANA
TCP Header
Relatively complex compared to UDP. 20 to 60 bytes long.
(Size in Bits) Source Port- 16 Destination Port- 16 Sequence Number- 32 Data Offset- 4 Reserved for Future Use- 4 Flags- 8 Window Size- 16 Checksum- 16 Urgent Pointer- 16
TCP Header Flag Field Values
CWR- Congestion Window Reduced ECE- ECN- Echo (Explicit Congestion Notification) URG- Urgent ACK- Acknowledgement PSH- Push RST- Reset SYN- Synchronization FIN- Finish
X X U A P R S F
0 0 0 1 0 0 1 0
SYN, ACK flag set
“Unskilled Attackers Pester Real Security Folk”
IP Header Protocol Field Value for TCP- 6
UDP Header
8 bytes long (64 bits). Divided into 4 sections, each 16 bits long:
Source Port
Destination Port
Message Length
Checksum
Network Layer Protocols
IP. Provides route addressing for data rackets. Connectionless and is an unreliable datagram service. Does not guarantee that packets will be delivered or that they will be delivered in correct order and does not guarantee only one time delivery. You must employ TCP on IP to gain reliable and controlled communication sessions.
IPv4 vs. IPv6
IPv4- most widely used around the world. Uses a 32-bit addressing scheme. Being taken over by IPv6.
IPv6- supported by most operating systems released since 2000 but is slowly adopted. Uses 128 bits for addressing. Features include scoped addresses, autoconfiguration, and Quality of Service (QoS) priority values.
Scope Addresses- gives admins the ability to group and then block or allow access to network services, such as file serivces or printing
Autoconfig- removes the need for both DHCP and NAT
QoS Priority Values- allow for traffic management based on prioritized content
IP Classes
Full Class A Subnet- supports 16,777,214 hosts
Full Class B Subnet- supports 65,534 hosts
Full Class C Subnet- supports 254 hosts
Class D- used for multicasting
Class E- reserved for future use
IP Classes Continued
Class First Binary Digits Decimal Range of 1st Octet
A 0 1-126
B 10 128-191
C 110 192-223
D 1110 224-239
E 1111 240-255
IP Classes Default Subnet Masks
Class Default Subnet Mask CIDR Equivalent
A 255.0.0 /8
B 255.255.0.0 /16
C 255.255.255.0 /24
Classless Inter Domain Routing (CIDR)
Notation that uses mask bits rather than a full dotted-decimal notation subnet mask. Instead of 255.255.0.0, a CIDR is added to the IP address after a slash, as in 172.16.1.1/16.
Network Layer Protocols (ICMP)
ICMP- Internet Control Message Protocol. Used to determine the health of a network or specific link. Utilized by ping, traceroute, pathping, and other network management tools. Ping employs ICMP echo packets and bounces them off remote systems. Ping is used to determine whether the remote system is online, responding promptly, whether the intermediary systems are supporting communications, and the level of performance efficiency at which the intermediary systems are communicating. Ping includes the redirect function, which allows the echo responses to be sent to a different destination than the system of origin. ICMP was exploited in DOS attacks.
IP header- 1 Type field in ICMP header- defines the type or purpose of the message contained within the ICMP payload More than 40 defined types, but only 7 are commonly used: 0- Echo reply 3- Destination unreachable 5- Redirect 8- Echo request 9- Router advertisement 10- Router solicitation 11- Time exceeded
Network Layer Protocols (IGMP)
Internet Group Management Protocol allows systems to support multicasting, or the transmission of data to multiple recipients. RFC 1112 discusses the requirements to perform IGMP multicasting. Used by IP hosts to register their dynamic multicast group membership. Used by connected routers to discover these groups. Single initial signal is multiplied at the router if divergent pathways exist to the intended recipient.
IP header protocol field value- 2
Network Layer Protocols (ARP, RARP)
ARP- used to resolve IP addresses (32 bit binary number for logical addressing) into MAC addresses (48 bit number for physical addressing) or EUI 48 or EUI 64. Traffic on a network segment, i.e. across a hub, is directed from its source system to its destination system using MAC addresses.
RARP- used to resolve MAC addresses into IP addresses
Both function using caching and broadcasting. First step into resolving IP addresses into MAC addresses is to check local ARP cache. ARP Cache Poisoning is when an attacker inserts bs information into the ARP cache. If not in local cache, requested will be broadcast and if owner of queried address is not in local subnet, router or default gateway will perform the process of ARP request.
Common Application Level Protocols
Telnet- TCP Port 23. Terminal emulation network application that supports remote connectivity for executing commands and running apps but does not support file transfer.
FTP- TCP Ports 20 and 21. Network app that supports an exchange of files that requires anonymous or specific authentication.
TFTP- UDP Port 69. Network app that supports file exchange but does not require authentication.
SMTP- TCP Port 25. Used to transmit email messages from a client to an email server and from one email server to another.
POP3- TCP Port 110. Used to pull email messages from an inbox to en email server down to an email client.
IMAP- TCP Port 143. Used to pull email messages from an inbox on an email server down to an email client. More secure than POP3 and offers the ability to pull headers down from the email server as well as to delete messages directly off the email server without having to download to the local client first.
DHCP- UDP Ports 67 and 68. Uses port 67 for server point to point response and port 68 for client request broadcasts. Used to assign TCP/IP configuration settings to systems upon bootup. Enable centralized control of network addressing.
HTTP- TCP Port 80. Used to transmit web page elements from a web server to web browsers.
SSL- TCP Port 443 for HTTP encryption. VPN-like security protocol that operates at the Transport layer. Originally designed to support secured web communications (HTTPS) but is capable of securing any Application layer protocol communications.
LPD- TCP Port 515. Network service used to spool print jobs and to send print jobs to printers.
X Window- TCP Ports 6000 to 6003. GUI API for command line operating systems.
BootP/DCHP- UDP Ports 67 and 68. Used to connect diskless workstations to a network through autoassignment of IP configuration and download of basic OS elements. BootP is the forerunner to DHCP.
NFS- TCP Port 2049. Network service used to support file sharing between dissimilar systems.
SNMP- UDP Port 161, 162 for Trap Messages. Collects network health and status information by polling monitoring devices from a central monitoring station.
Multilayer Protocols
Wide range of protocols and encryption can be used at higher and various layers. Flexibility and resiliency in complex network structures is supported.
Drawbacks include allowing covert channels, filters can be bypassed, and logically imposed network segment boundaries can be overstepped.
Distributed Network Protocol 3
DNP 3. Used in electric and water utility and management industries. Used to support communications between data acquisition systems and the system control equipment. This includes substation computers, RTUs- remote terminal units, IEDs- intelligent electronic devices, and SCADA control centers.
Multilayer protocol that functions similarly to TCP/IP and has link, transport, and transportation layers.
Domain Name Resolution
Top Layer- Domain name, a temporary human friendly convention assigned over or onto the IP address
2nd or Middle Layer- IP address, a temporary logical address assigned over or onto the MAC address
3rd/Bottom layer- MAC address, or hardware address, the permanent physical address
Domain Name System
DNS. Resolves a human friendly domain name into its IP address equivalent. Then, ARP resolves the IP address into its MAC address equivalent.
Inverse- DNS reverse lookups and RARP
Converged Protocols
The merging of specialty or proprietary protocols with standard protocols, such as those from the TCP/IP suite. Uses existing TCP/IP supporting network infrastructure to host special or proprietary services without the need for unique deployments of alternate networking hardware. Provides cost saving benefits.
