Networking: Protocols & Data Organization

Questions and Answers

Why is understanding traditional computer network models important for network security?

  • It only matters for legacy systems, not modern networks.
  • It is not important in today's age of cloud computing.
  • It simplifies network communication protocols.
  • It helps in applying appropriate security countermeasures. (correct)

What is the primary role of a protocol in network communication?

  • To define agreed conventions for behavior. (correct)
  • To physically connect devices in a network.
  • To manage the distribution of IP addresses.
  • To encrypt data for secure transmission.

Which of the following best describes the function of TCP/IP in modern networking?

  • The most common protocol suite. (correct)
  • A tool for encrypting network traffic.
  • A hardware component facilitating data transfer.
  • A method for load balancing server requests.

Which of the following elements are typically included in a standard network packet?

  • Payload, header, and sometimes a tail. (B)

How does a switch use MAC addresses in a network?

  • To identify network interfaces for device identification. (D)

What is the main function of an IP address in a network?

  • To route packets across networks. (C)

What role do port numbers play in TCP and UDP protocols?

  • They identify the service or application on a server. (C)

What is a 'socket' in the context of network communication?

  • A set of corresponding IP addresses and port numbers. (B)

In the OSI model, which layer is responsible for formatting data at the coding and syntax level?

  • Presentation layer (B)

What is the primary function of the Session layer in the OSI model?

  • Establishing, managing, and terminating sessions. (B)

Which OSI model layer is responsible for the reliable end-to-end movement of data?

  • Transport (B)

What is the role of the Network layer in the OSI model?

  • Moving data packets between different networks. (D)

Which layer of the OSI model is responsible for defining the mechanical and electrical interface?

  • Physical (A)

Conceptually, how do layers in the OSI model communicate with each other?

  • Each layer communicates only with its peer on the other side. (B)

Which of the following is a key difference between the OSI model and the TCP/IP model concerning the lower layers?

  • The TCP/IP model combines multiple OSI layers into fewer layers. (D)

What role does the Domain Name System (DNS) play in network communications?

  • Providing IP addresses associated with domain names. (D)

Under the Internet Protocol (IP), what two main components make up the basic data unit?

  • Header and payload (A)

What key information is included in the IP header?

  • Source and destination IP addresses (D)

What is a primary limitation of IPv4 that led to the development of IPv6?

  • Limited address space. (D)

What is the purpose of private IP address ranges as defined by RFC 1918?

  • To allow internal networks to operate without public IP addresses. (A)

What does NAT (Network Address Translation) primarily achieve?

  • Mapping internal private IP addresses to a single public IP address. (A)

What is a DMZ (Demilitarized Zone) in network security?

  • A semi-protected area for servers that must be accessible from the internet. (A)

What is 'hide mode NAT' primarily used for?

  • To obscure the internal network structure from external observation. (A)

In TCP communication, what is the purpose of the three-way handshake?

  • To establish a connection. (C)

What happens when an error occurs during a TCP session?

  • The data is retransmitted. (A)

What is the purpose of FIN-ACK messages in a TCP session?

  • To acknowledge the session's closure. (A)

What does sending a TCP RST request accomplish?

  • It immediately terminates the session. (D)

What is the Address Resolution Protocol (ARP) used for?

  • To send broadcasts to identify network devices. (D)

What command can be used in Windows to view systems connected to a network?

  • arp -a (D)

Which of the following best describes a network firewall?

  • A system component to control data movement between networks. (C)

What are the two basic approaches to firewall policy?

  • Allow all vs. block all (A)

Why is it essential to regularly check firewall configuration data?

  • To prevent unauthorized policy violations. (B)

What is a potential risk associated with a firewall?

  • It can become a single point of failure. (B)

What is a key characteristic of stateless packet inspection?

  • It examines each packet in isolation. (A)

What does a router primarily use to forward packets?

  • IP addresses (B)

What factor determines if a stateful packet inspection will forward or drop a packet?

  • The state of the TCP connection. (B)

What is a primary function of a Deep Packet Inspection (DPI) system?

  • Analyzing data in the innermost payload. (A)

What security feature does a network switch typically use to allow direct traffic monitoring?

  • Port Mirroring (D)

An attack where an opponent attempts to impersonate a known person or system to gain unauthorized access is known as?

  • Masquerade (C)

An attack on what aspect of a system best describes a denial of service?

  • Availability (B)

An attacker exploiting ARP vulnerabilities to re-route network traffic engages in which attack?

  • ARP Poisoning (A)

What type of information is held in a DNS server?

  • IP address to domain name mappings (A)

Flashcards

Computer Networks

Efficiently distributes resources between servers, computers and networked devices.

Load balancing

Allows systems to distribute workload across multiple resources, improving access speed and reliability.

Protocol (Networking)

An agreed convention for behavior in a specific context, enabling effective data communication.

TCP/IP

The most common protocol suite used in modern networking.

Network Data Units

Units into which data is organized for transmission, including frames, datagrams, and packets.

OSI Reference Model

A set of standards for describing how applications interconnect, allowing communication across different systems and software.

Application Layer (OSI)

The layer that deals with high-level data exchange, e.g., software.

Presentation Layer (OSI)

Layer handling data formatting/syntax

Session Layer (OSI)

Layer that establishes, manages, and dissolves sessions.

Transport Layer (OSI)

Layer that provides reliable data delivery.

Network Layer (OSI)

Covers movement of data packets between different networks.

Data Link Layer (OSI)

Defines formatting and movement of the data between hardware devices.

Physical Layer (OSI)

Defines the mechanical/electrical interface

Network Addressing

A system having an address at each layer to communicate with other systems.

Domain Name System (DNS)

Provides the IP address associated with a domain name.

Internet Protocol (IP)

Consists of a header and payload. The header includes the source and destination IP addresses and the type of data.

Private IP Addresses

The range defined by RFC 1918 for internal networks that should not be routed over the internet

Network Address Translation (NAT)

A router uses a single IP address to connect to the internet and maps internal IP addresses to it.

IP hide mode NAT

Hides the internal network structure, enhancing security.

Segment

In the Transmission Control Protocol (TCP), the basic data unit.

TCP Sessions

Establishes connections with SYN, SYN/ACK, and ACK.

Address Resolution Protocol (ARP)

A protocol used to discover the hardware address of a network interface.

Network Firewall

A system that controls data movement between networks.

Firewall Audits

Checking configuration data ensures security.

Firewall limitations

Is the single point of failure.

Stateless Packet Filter

A firewall that examines packets in isolation without retaining information about past packets.

MAC firewall/filter

Forwards frames only with specific MAC addresses.

Stateful Packet Filter

A dynamic filter which tracks the state of a TCP connection.

Socket

Combines IP address and TCP/UDP port number.

Deep Packet Inspection (DPI)

A firewall that inspects the data part of the packet

Span port

Used by a switch to allow direct traffic monitoring.

Simple Network Management Protocol (SNMP)

Protocol for network device monitoring

Network attacks

An attack on a computer network.

Modification (Network attack)

An attack where the message content is altered, affecting the message's integrity.

Denial of Service (DoS)

An attack that prevents authorized users from accessing a system.

ARP poisoning/spoofing

An attack to impersonate other computers.

DNS Cache Poisoning

Inserts a fake address record into the DNS cache.

Denial of Service (DoS)

Attempts to flood a boundary device.

Buffer Overflow

Packets overrun/underrun the system.

Study Notes

Networking Overview

  • Computer networks distribute resources between servers, computers, and networked devices
  • Load balancing helps systems provide faster access for resource-intensive functions
  • Understanding network models, systems, and architecture is essential for applying security measures
  • The traditional corporate network perimeter is expanding past firewalls to support mobile devices and cloud computing
  • The global internet consists of thousands of networks connected by routers
  • Effective communication depends on a protocol between each entity
  • A protocol defines conventions for behavior in context
  • TCP/IP is a common protocol suite named for its levels

Data Organization and Communication

  • Data is organized into frames, datagrams, or packets
  • Protocols establish structure and exchange methods between systems
  • Packets include a header, sometimes a tail, and a payload
  • Header contains routing information (source and destination addresses)

Network Addressing

  • Switches use the MAC address to identify a network interface
  • Routers use IP addresses to route packets and identify nodes
  • TCP and UDP use port numbers to identify services or applications
  • Applications often exist in a "listening" state on a server
  • A socket is a corresponding IP address and port

OSI Reference Model

  • The International Organization for Standardization (ISO) defines the Open Systems Interconnection (OSI) Reference Model
  • This model describes how software applications interconnect on two systems through the 7 layers:
    • Application: Deals with the high-level data exchanged between an application and its users
    • Presentation: Handles data formatting at the coding or syntax level
    • Session: Manages the establishment, management, and dissolution of sessions for data exchange
    • Transport: Covers reliable end-to-end data movement
    • Network: Covers movement of data packets between different networks
    • Data Link: Defines formatting and movement of data between hardware devices on the same network
    • Physical: Defines the mechanical and electrical interface between systems
  • The upper 6 layers are software functions, and the lowest layer describes the physical connections
  • Systems use a peer-to-peer basis which assumes they are equal in both status and capability
  • Conceptually, each layer communicates with its peer on the other side
  • Data moves up and down the layers except at the Physical layer
  • Intermediate systems or devices assist exchange between end systems

TCP/IP Protocol Suite

  • The most common implementation of layered architecture is the TCP/IP protocol suite defined in RFCs
  • There is close correspondence between the OSI model and TCP/IP, especially at the lower levels
    • OSI Application (HTTP, DNS, SMTP, POP, and IMAP protocols)
    • OSI Presentation
    • OSI Session
    • TCP/IP Transport (FTP, TELNET, TCP, and UDP protocols)
    • OSI Network (IP and ICMP protocols)
    • TCP/IP Internet
    • OSI Data Link/Physical (IEEE 802.11, PPP, USB, and 10BASE-T protocols)
    • TCP/IP Link/Physical

Domain Name System

  • Systems have an address at different layers
  • Communication requires determining the lower-level address associated with a higher identifier
  • The Domain Name System (DNS) provides the IP address associated with a domain name
  • DNS can provide an IP address at the IP Layer associated with a URL at the Application Layer
  • The address resolution protocol (ARP) performs a similar function to help resolve addresses faster

Internet Protocol (IP)

  • Most networking uses TCP/IP
  • Internet Protocol (IP) has a basic data unit called a packet
  • Packets consist of a header with defined fields and a payload
  • Software examines fields or indicates data type
  • Source and Destination IP addresses are in the header

IP Version 4

  • Version 4 of IP has 4.3 billion addresses, each 32 bits long
  • When the Internet became public, organizations were assigned blocks of addresses, and were assigned too many
  • As a result, the system runs out of IP addresses

Private Networks

  • RFC 1918 created private internet IP address allocation
    • 10.0.0.0–10.255.255.255: 1 class A network
    • 172.16.0.0–172.31.255.255: 16 contiguous class B networks
    • 192.168.0.0–192.168.255.255: 256 class C networks
  • Addresses are considered private if they fall in the above ranges
  • Packets with these addresses are not routed over an “inter-enterprise link”
  • Private networks can share the same ranges, since the addresses are set up never to go past a network

Network Address Translation

  • Network Address Translation (NAT) translates a socket using a Router
  • “Translates” and “maps” a socket by assigning an arbitrary IP and port
  • This creates a network address translation to the internet side and vice versa
  • A router performing NAT sends a variety of packets with ephemeral port numbers on behalf of private-address clients with a single IP
  • Routers listen to several port numbers and respond to requests by sending them to public-facing servers
  • With IP Hide Mode, only the router can be seen

Transmission Control Protocol

  • The Transmission Control Protocol (TCP) establishes packets as its data unit
  • Segments are segmented based on a defined header
  • TCP requires the source, destination, and port numbers

Common Protocols and Ports

  • Some protocols and ports include:
    • File Transfer Protocol (FTP): A TCP protocol on ports 20/21 to easily relocate files
    • Secure Shell (SSH): A TCP protocol on port 22 for remote connection
    • Telnet: A TCP protocol on port 23 for unsecured manageability connection
    • Simple Mail Transfer Protocol (SMTP): A TCP protocol on port 25 that transfers email
    • Domain Name System (DNS): A TCP/UDP protocol on port 53 mapping to IP addresses
    • Dynamic Host Configuration Protocol (DHCP): A UDP protocol on ports 67/68 to assign IP addresses
    • Hypertext Transfer Protocol (HTTP): A TCP protocol on port 80 to access websites

Network Session

  • To establish a server connection, a PC requires a 3-way handshake:
    • 1. The PC's TCP transport sends SYN (open)
    • 2. The web server's transport replies with SYN, ACK (1), the acknowledgement of 1
    • 3. ACK, after which the connection is open
  • While transmitting data, the transports carry the HTTP request and response:
    • 4. Data = HTTP Request
    • 5. ACK (4)
    • 6. Data = HTTP Response
    • 7. ACK (6)
  • If an error occurs, the HTTP request is resent:
    • 8. Data = HTTP Request (Error)
    • 9. Data = HTTP Request (No ACK - Retransmit)
    • 10. ACK (9)
    • 11. Data = HTTP Response
    • 12. ACK (11)
  • When ending a TCP session, the 4-way exchange is:
    • 13. FIN (close)
    • 14. ACK
    • 15. FIN
    • 16. ACK (15)
  • Resetting a session requires sending a reset (RST) request to the transport
  • The result is an abrupt close of the session

Addressing Resolution Protocol

  • The Address Resolution Protocol (ARP) uses broadcasts to identify the combination of MAC address and IP address for each device
  • ARP is a bridge between OSI layers 2 and 3
  • Network device IP pairings can be identified with the arp command

Network Architectures

  • In buildings, firewalls exist as fireproof barriers that allow for controlled passage through doors
  • Many holes are needed to allow wires and controls through
  • In I.T., a network firewall (often called just a firewall) controls the movement of data between networks
  • They can exist as hardware, software, or dedicated software
  • Software firewalls both allow and disallow data

Security

  • Good software data depends on the configuration and the data allowed, which should be part of auditing
  • However, there are some that may not need to be checked since they only allow some of them
  • Firewalls are considered a single component that if stops that is all but
  • If more data will drop and processing will affect the functionality

Router Packet System

  • A router is a network device that is tied to more than 2 devices at layer 3 and the IP stack
  • It uses the routing table link and can deny packets

Stateless Packets

  • The simplest form is a static packet filter that checks each packet in isolation
  • It may also have MAC firewalls that whitelist or provide rules for dropping

Stateful Packets

  • Stateful filters are programmed to check TCP on what to close and not close, depending on protocols
  • A SYN segment will be allowed when a socket is open, has been sent out and would be in the open

Deep packet

  • When more is given, applications can be used to check malware or anti-virus for rules

DNS Poisoning

  • There must always be a good set-up of equipment.
  • Malware often does poisoning
  • The Windows hosts file is %SystemRoot%\System32\drivers\etc\hosts

Attacks and Defenses

  • A few defenses exist to protect against DNS poisoning, including UDP source port randomization or blocking incoming UDP traffic, but this may degrade firewall performance.
  • Additional defenses include DNS servers identifying known bad query responses and discarding fake answers sent by an attacker.

Denial Of Service

  • Prevents use by flooding
  • It uses SYN to send out a 3-way packet
  • DOS checks and attempts security
  • Sends a flood that overpowers traffic, floods the line, or sends a reboot and shutdown
  • There are many attacks:
    • Buffer overflow, which is what it sounds like
    • Land attack
    • Ping of death
    • Reflection attack
    • Smurf attack

Distributed Denial of Service

  • Measures to reduce Distributed Denial of Service (DDoS) attacks: blacklisting, sinkholing, handshake validation, and throttling the speed
  • Attacks target
    • Blacklisting: stops packets but is easily changed
    • Sinkholing: rerouting can be bad
    • Handshaking: terminates and is validated
    • When someone can infiltrate, they can start injecting traffic and have it all routed to pass.
  • The attacker can be found
  • The code can run freely with an ID System
