2.3 Networking 102 Flashcards

1
Q

Internet protocol

A
  • IP handles packets on a network, including delivering packets, routing packets, and reporting any errors that occur in the delivery or routing of packets
  • The error reporting is done via the internet control message protocol (ICMP)
  • Because it is focused only on packet delivery it lacks other capabilities: it can’t guarantee delivery, and it can’t track a packet
  • IP is a best-effort protocol: sometimes it doesn’t work, and it is only error-reporting, not error-correcting, because it does not actually fix the error
  • Packets include information like the source and destination IP addresses and port numbers, but they do not tell you who really sent the packet or whether the content was altered during transmission
2
Q

IPv4 header:
- version
- time to live
- protocol
- Source and destination IP
- picture on page 35

A
  • This slide is a graphical representation of an IP header; each row represents 32 bits (4 bytes). Let’s look at some of the header fields.
  • Version: the first nibble, or 4 bits, in the header is the IP version field and indicates the version of IP the packet is based on – the only legal values are 4 (IPv4) or 6 (IPv6) – any other value in this field indicates a malformed packet and should be dropped by your routers.
  • Time to live: Indicates the maximum number of transfers (or hops) from router to router that the packet can take on the network. At each hop the TTL field is decremented by one. When the value reaches 0 the packet is dropped and a message is sent back to the originating computer, indicating that the TTL was exceeded. The maximum TTL is 255 hops, meaning the packet can hop no more than 255 times before being dropped – this is to stop packets wandering around a network indefinitely.
  • Protocol: Indicates the subprotocol that this packet is encapsulating – recall that IP is concerned only with packet delivery. If you need to add intelligence on top of IP, you add another protocol such as: internet control message protocol (ICMP), transmission control protocol (TCP), user datagram protocol (UDP), encapsulating security payload (for IPsec), authentication header (for IPsec)
  • Source and destination IP address: the source is the alleged address of the system where the packet originated (alleged because it is possible to spoof this address) and the destination address is the location of the system the packet is destined for. Each of these addresses is a 32-bit number, which translates to almost 4.3 billion unique addresses.
  • IPv4 header, another view: Wireshark captures every packet that goes through the network and shows them to you for analysis
  • Here you can see the version, TTL, protocol, and IP address fields clearly:
    o The version is set to 4
    o The time to live is set to 128
    o The protocol is set to 6 (meaning the next header will be a TCP header)
    o We also see the source and destination addresses
3
Q

Internet control message protocol (ICMP)

A
  • ICMP is the error reporting mechanism embedded in IP, since IP is a best-effort protocol
  • For example: when the TTL is exceeded; when there is something wrong with the routing tables and a router cannot figure out where to send a packet, it sends an ICMP message; or when the routing is good but the destination computer will not respond to ARP
  • Another function of ICMP is ping, which is used to see if a host is up (turned on) and listening on the network – much like a radar ping: you send an echo request to a destination, and if that computer is powered on and connected to the network you should get an ICMP echo response back.
    o The originating machine collects the reply, along with other info about how long the round trip took, and reports it to the user
    o What makes ping useful is that if it is unsuccessful then the path between the two machines is blocked, and you can then investigate the problem to see if it is a routing error, failed equipment, or some other cause.
    o Denial of service attacks can use ping: botnets overwhelm your system with echo requests – referred to as a ping flood
4
Q

Traceroute

A
  • Helps you discover the actual path the network uses between two systems
  • It does this by manipulating the TTL – if this number is 1 then the network sends the originator a message that the TTL is exceeded, and when it does this you can see which router threw away the packet
  • The way it does this is by sending a TTL of 1 first, to see the router that sends the TTL exceeded message, then it increases it by an increment of 1, so a total of 2 TTL, then it sees the second router, and so on. It increases the TTL until it can get to the target destination router IP address.
  • Traceroute and pinging are both used as troubleshooting tools.
5
Q

There’s no place like 127.0.0.1

A
  • This is a loopback IP address, so anytime your computer sends anything to that address it is sending it to itself
  • Many services inside your computer need to communicate with other services inside the computer too, so they rely on this communication IP channel
6
Q

IPv4 configuration requirements
- IP address
- subnet mask
- default gateway
- pictures on page 38 and beyond

A
  • For a computer to communicate on a network it must know some prerequisite information:
    o IP address: Think back to the letter and post office analogy – we need to put a “to” address and include a “from” address – this is the same on an IP network: each device has an address uniquely identifying it so that the protocols and network equipment can receive and deliver packets to the correct place
      ▪ It is a 32-bit address field, that is 4 bytes – please note that byte and octet mean the same thing. We represent IPs in dotted decimal notation but computers see everything in binary.
    o Subnet mask: an IP address has a network portion on the left and a host portion on the right, meaning part of the IP address tells us which network that computer is on and which computer or host it is on that network. How much of the IP is for the network and how much is for the host is defined by the subnet mask.
      ▪ E.g., the subnet mask is 255.255.255.0
      ▪ To work out the subnet mask you must do so in binary, not in decimal
      ▪ The 1s in the subnet mask represent the network; the 0s in the subnet mask represent the host.
      ▪ For the specific example below, you would say the network is 10.1.1 and it is computer 2.
      ▪ 255 in subnet mask terms equals eight 1s, and because the IP address begins with 10.1.1 and the mask begins with 255.255.255, any computer with an IP address beginning with 10.1.1 is on the same subnet
      ▪ To simplify, /24 means the first 24 bits of the mask are 1s and the remaining bits are 0s.
      ▪ What is the subnet mask used for: your computer uses three values to determine if the destination computer is on the same network or a different one – it looks at its own IP, the destination address, and the subnet mask. If the source and destination addresses match in every bit position where the mask has a 1, then they are on the same network; if there is a difference in even one of those positions they are on different networks.
      ▪ In the example on the left, all 24 bits are the same so the two IPs are on the same network – in the one on the right, one of them is different – but the only way we make this determination is by looking at the binary. If the destination is on the same network then it sends the traffic directly; if it is on a different network then the computer forwards the packet to the default gateway.
    o Default gateway (called Router on a Mac)
* In almost all cases, you have to have a DNS server’s IP address in the configuration if you want to get much done – that setting is not technically a requirement, since on small networks you would be able to work without a DNS server.

7
Q

The default gateway
- both in LAN and WAN
- pictures on page 38 and beyond

A
  • Now that we know what happens when a computer decides that an address is not on its local network, the next question becomes “what happens if the packet is going elsewhere”
  • Every network has one entry and exit point: one place in which everything coming into the network or going out of the network must pass – this point is called the router – the devices inside the network see it as their default gateway
  • Remember that every device (pc, server) is in some ways a router since it routes traffic but the default gateway is the point of entry and it is where devices send traffic as the “gateway of last resort” because it tells your pc “if you don’t know what else to do with a packet, send it here, and let that device figure it out”
  • Every default gateway also has a default gateway that it sends packets to outside its network which continues onto the internet
  • So in our previous mailing example this is how it starts:
    o The device labeled home fiber has a default gateway of a router at the ISP
    o The ISP router has a default gateway of a router at the ISP’s ISP in LA
    o The ISP’s ISP router has a default gateway of the San Francisco internet router
    o The San Francisco internet router has a default gateway of the Denver internet router
    o The Denver internet router has some idea of how to forward the packet to its destination based on routing information in its configuration, so that is the next topic:
  • In the other diagram we see that each device on a subnet has a gateway (net1 gateway) which has a gateway (intermediate gateway) which also has a gateway (its ISP on the internet)
8
Q

Routing basics

A
  • We understand what devices do when they don’t know what to do with a packet; when they do know, they use routing, which every device has to do at some point
  • Each device has a routing table as part of its config which says: if you’re trying to get to this location, send it out this interface
  • Routing is a process used to determine where to send a packet next
  • Each device looks at the destination IP
  • If the device has no idea what to do with the packet, it sends it to the default gateway
  • If a routing table entry tells it how to send the packet closer to the destination it does so
    o If the destination is network 1, send it to the left interface – if network 2 send it top, if network 3 use the right interface
9
Q

Default gateway and routing (picture on page 40)

A
  • Net 1 system 2 to net 3 system 2
  • To tie it together let’s use the three story LAN example
    o Net 1 system 2 would determine that the destination is not on its own network, therefore it would forward the traffic to its default gateway of net1 gateway
    o Net1 gateway would check its routing table information and see it does not have a route to network 3 – it therefore needs to forward to its default gateway of the intermediate gateway
    o The intermediate checks its routing table and sees that any traffic going to net3 should go out to the right hand interface, it therefore sends the traffic to net3 gateway
    o Net3 gateway checks its routing table and sees that net3 is on the right-hand interface so it sends it to the appropriate location
10
Q

Internet routing
- picture on page 42

A
  • Functionally a LAN and internet router are the same, what’s different is their position
  • As we saw in the previous example, the default gateway routers got the packet all the way to Denver
  • That process was “I don’t know where the destination is, but I need to send it to my default gateway”
  • At Denver, the routing table kicks in – the Denver router doesn’t know where the IP is, but its table says that anything going to Texas should go to the router in Dallas – the Dallas router does not know where the IP is exactly, but it knows to route it to Houston somewhere – the ISP’s ISP does not know whose IP the destination is, but recognizes the address belongs to one of its customer ISPs, so its routing table causes the packet to go to that company – the customer’s ISP sees that the destination address is one of its customers, and its routing table causes the packet to route to that particular house
11
Q

OSI layer 4 - network ports
- well known ports
- registered ports
- ephemeral ports

A

Network Ports:
* On a computer, a network port is a number representing a logical connection point for communications. It is not a physical port, but rather one mapped via software to a specific function or application – when a packet arrives at a computer the packet contains a destination port number – it is that number that notifies the server which service the user wants to interact with – it is at most a two-byte number
o Well-known ports (0-1,023) – the well-known ports that networks typically use
o Registered ports (1,024-49,151) – ports that were registered afterwards with the internet corporation for assigned names and numbers – you should avoid using these for your own purposes; not illegal, but it may cause communication and network conflicts
o Ephemeral ports (49,152-65,535)
* Some examples of ports:
o Destination port 21 instructs the server to provide file transfer service using the file transfer protocol (FTP)
o Destination port 25 advises the server that the user wants to send email using the simple mail transfer protocol (SMTP)
o Destination port 80 advises the server that the user wants to view the web page via insecure, unencrypted hypertext transfer protocol (HTTP)
o Destination port 443 indicates to the server that the user wants to view the web page using secure, encrypted hypertext transfer protocol secure (HTTPS)
* Good security would have one server per service, because if everything is on the same server then an attacker who gets into one system can backdoor their way into the other services
* Let’s say we have one server for all services though:
o The client sends a packet to the server; it comes from one of the ephemeral port numbers – 49,152 to 65,535
o When the packet arrives at the server the only piece of information that tells it what service to access is the destination port number (443 means it wants secure web)
o What is so magical about 49,152 – let’s put it in binary – it is the first two-byte number that begins with 11: 11000000 00000000 = 49,152
o That means that all ephemeral port numbers start with two 1s and all registered port numbers start with something other than two 1s
o When software sees a port number starting with two 1s, it is easy to recognize it as ephemeral and to forward it a certain way
* Note that a port may mean many things in the IT world:
o Network ports
o Hardware ports
o Wall ports
o Software ports
o Printer or video ports
o USB ports

12
Q

Network sockets
- picture on page 44

A
  • Amazon sells 25,00 items per second – the server needs some mechanism to keep those separate from one another – that’s the socket
    o Consists of the client IP and port number
    o And server IP and port number
  • When you combine those four elements, you can uniquely identify any communications channel – this remains true even on busy internet servers that might have thousands of simultaneous connections – at least one of those four elements will be different for each channel
  • Let’s say we have one client and one server – 3 simultaneous connections to three different services
    o The first socket is IP 10.1.1.1 and port number 152, which is going to the server’s IP 7.7.7.1 with port number 80
    o The second is the same client IP but a different port number, and the server is responding from a different port
    o Same with the third one
  • 3 simultaneous connections to one service – the source IP is the same but there are 3 different ephemeral port numbers
  • Part of why this matters: think about a firewall – it has got to recognize all of these communication sockets so that if a connection is permitted it can allow the communication to go through
13
Q

TCP and UDP

A
  • There are two primary layer 4 protocols: transmission control protocol (TCP) and user datagram protocol (UDP)
  • TCP is a session-oriented protocol, meaning it tracks the state of communication between the two communicating parties – it establishes a connection between the parties and monitors the state of that connection. A common misunderstanding is that it “guarantees packet delivery”; that is actually not possible – it runs on top of the IP protocol, which is a best-effort protocol that does not guarantee delivery. It does have an error control mechanism where, if some data is missing, the sender can tell this has happened and retransmits that data.
  • UDP is connectionless and does not have a state of any kind. It is still purely a best-effort protocol; when sending with UDP you also don’t get a receipt response.
14
Q

TCP header
- picture on page 46 and beyond

A
  • Like the IP header the shortest this header is allowed to be is 20 bytes, unlike the IP header that almost never has options added, the TCP header options are common
  • The first two fields in the TCP header are the source port and destination port – these contain the port numbers
  • Well known port indicates to the server the service we want to use and the client uses an ephemeral port
  • Which of those ports ends up in which field depends on which direction the packet travels – if it goes from the client to the server the source port is ephemeral and the destination port is well-known; if the packet returns from the server back to the client, the source port is well-known and the destination port is ephemeral.
  • The next two fields are the sequence number and the acknowledgment number; each is a 4-byte field, and together they make up the core of the TCP error control mechanism – they allow the sender to determine if the receiver didn’t get some of the information sent.
  • In the TCP header there is a series of flags – by looking at these you can tell what is happening in a TCP session
    o SYN flag is used during the initial three-step handshake; it essentially tells the distant end that you want to synchronize a connection
    o ACK is used to tell the distant end that you are acknowledging bytes that were sent to you in one of their prior packets – this is integral to the error control mechanism
    o FIN: notifies the other end of the communication that you have nothing more to say to them and want to terminate the connection
    o RST: happens when something has gone wrong with a session and cannot be fixed – either side can send a reset at any time, and it causes the TCP session to terminate – it is like a rude goodbye
    o PSH: indicates a packet contains data – if you captured suspicious network traffic, it is simple to zero in on the packets with the PSH flag and determine whether an attacker accessed your data
  • Wireshark representation: here we see the TCP header displayed in the Wireshark tool – we can tell that this packet is part of a secure web browsing session using the HTTPS protocol because we see the well-known port 443. The fact that the PSH and ACK bits are set indicates to us that this packet contains data and is acknowledging receipt of data from the other system – note: in Wireshark, anything in square brackets is not information found in the packet – it is information Wireshark extrapolates about the packet; data created from data is metadata.
15
Q

TCP session example
- three-step handshake
- TCP communications session
- TCP four-step session termination
- picture on page 48

A
  • The minimum number of packets needed for a successful TCP communication is 10.
  • The TCP session includes the first three-step handshake to establish the connection, the next three are the data exchange, and the last four are the four-step termination.
  • Three-step handshake:
    o Occurs any time there is a new TCP session between a client computer and a server computer – the purpose is to establish the connection and let each side know the other computer’s initial sequence number.
    o To begin, the client sends a TCP packet to a specific port on the server, for example port 80 for HTTP service – in the TCP header there is a series of flag bits; one of them, SYN (synchronize), is set to binary 1 – this setting in the packet effectively tells the server “here is the client’s sequence number: please synchronize on it”
    o When the packet arrives at the server, if that port is open, the server responds with a TCP packet in which two of the flag bits are binary 1s, specifically SYN and ACK (acknowledge), telling the client “here is the server’s sequence number, please synchronize on it, and I acknowledge receipt of the first packet”
    o The client responds with a TCP packet with ACK set, telling the server “we are done synchronizing, and I acknowledge receipt of the second step” – at this point we have fully established a TCP session between the client and server
  • Then it goes through the TCP communications session:
    o After the handshake, the client asks the server for some data and the server responds with that data
    o When the server returns that data it is also acknowledging the bytes that made up the request
    o When the client receives the data it also acknowledges receipt of those bytes, which is the TCP error correction mechanism in action – if the client did not acknowledge receipt of enough bytes of data, then the server would retransmit them
  • TCP four-step session termination
    o One side sends a TCP packet with the FIN flag bit in the TCP header set to binary 1 – when the server receives that packet it responds with ACK – the server then sends FIN, and the client receives it and responds with ACK
    o This is a normal termination of a TCP session – but if it does not terminate normally, one side can send an RST (reset) packet, which instantly terminates the session; no further data that is part of this session will be transmitted or processed by either side
  • Summary: TCP has a tremendous overhead compared to UDP, but it is the way to go when you want to make sure that a message reaches its destination
16
Q

UDP header
- picture on page 48

A
  • only eight bytes
  • packet fields follow:
    o source port and destination port
    o UDP length: total number of bytes in the UDP packet
    o Checksum: provides a basic means for determining whether information has been altered during transmission – not infallible and should not be relied upon as a true indicator of the integrity of packet data
  • Good: super simple and almost always works
  • Bad: when it doesn’t work, there is not much to troubleshoot
17
Q

UDP process

A
  • Is found on OSI layer 4 like TCP – much less overhead traffic but zero error correction or notification – no confirmation for ensuring packets arrive properly, intact, or in the right order
  • UDP is called a connectionless protocol: it does not maintain persistent information about the state of the communication between the sending and receiving machines in the same way that TCP does – whereas TCP will do its part to ensure the delivery of data, UDP leaves this task to the application – called “fire and forget” or “send and hope”
  • The lack of error correction has benefits, like far fewer packets required: no three-step handshake or four-step teardown
  • UDP can exchange information in 2 packets
  • It goes from send me data from the client to here is the data from the server
18
Q

UDP advantages over TCP

A

o When you have limited network bandwidth and do not want the excessive overhead that TCP’s error checking requires – things like satellite communication are also charged per packet, so that can get expensive
o Voice over IP: consists of many raw packets that have to be routed and switched by the network gear, which can crash the network – with UDP you eliminate TCP retransmissions
o Repetitive data: such as network time protocol and certain routing protocols – in these cases, the data is sent every minute or two, so if you don’t get it this time you will shortly
o One-way connections – data diodes for sensors: sometimes it is vital that data travels in only one direction (think of nuclear power plant monitoring stations); in those cases, a hardware solution called a data diode is used – this is a chip constructed in such a way that it is only physically possible for data to move in one direction – this means you cannot receive the acknowledgements required by TCP
o Multicast traffic – a stock brokerage sending lots of data from one source to many recipients simultaneously; it does not work to have all of those recipients acknowledging receipt of data
o Understand that networks and the internet today are a lot more robust and packet loss is not common – consequently, Gmail is all UDP

19
Q

Dynamic Host Configuration Protocol (DHCP)

A
  • Two options for giving a system an IP address.
  • First is to statically assign those settings – those systems must retain the same IP from one day to the next
  • The next is to have network settings assigned to the computer automatically at boot time using the DHCP protocol – client computers in orgs have this, and they have dynamic, changing IPs
  • This simplifies moving a computer from one network to another (think about going to another location on campus)
  • DHCP has a pool of addresses set aside for dynamic assignment – when a PC boots it sends a broadcast on the network asking if there is a DHCP server available, and the DHCP server leases an IP for a given amount of time
  • Remember there are 3 pieces of information you need for communication: IP, default gateway, and network mask. You usually also need a DNS IP
  • DHCP is UDP based, meaning it’s transported over the network using UDP ports 68 and 67.
  • The DHCP protocol occurs in four fundamental steps:
    o DHCP discover: the client broadcasts on the local network segment asking if a DHCP server is present
    o DHCP offer: the server responds to the client broadcast by asking what type of configuration information the client requires
    o DHCP request: the client informs the server of what configuration information it requires – at minimum, this will always include at least an IP, network mask, and default gateway
    o DHCP ACK – the server sends the client the necessary info
20
Q

Domain Name Systems (DNS)

A
  • Protocol designed to take a domain name such as sans.org and resolve it to the correct IP address
  • Necessary because you can’t put a domain name such as sans.org into the destination IP field of a packet; you must have the IP for that domain
  • It is the largest distributed database ever created – there are a LOT of domains and associated IP addresses for DNS to keep track of, and the number is growing
  • Top-level domains: .com .org .edu .biz .info .net .int .name .uk .ca .fr
  • DNS process: steps 1-4 take place inside your local PC – only steps 5 and 6 involve external servers; if the IP is found at any step the process is complete, if not it goes on to the next step
    o The user types a domain name into a browser – the browser cannot create a packet containing a domain name, so the domain must be resolved to an IP
    o The browser calls a background application called the resolver – you never see the resolver run because it is a background app – it is part of your PC, and its only job is to resolve a domain name to an IP
    o The resolver checks the DNS cache in memory to see if the domain has been resolved in the last few minutes; if not, then
    o The resolver checks the local hosts file to see if the IP address can be resolved there
    o The resolver sends the query to the IP of the DNS server in the PC’s network config settings
    o If that DNS server does not know the answer, the query can be passed to another server and another server and so on. Eventually, a server in the DNS hierarchy knows the answer and it is sent back to the resolver.
21
Q

Why Network Address Translation (NAT)

A
  • Why do we need it? To make more efficient use of the available IP address space. IP address assignment used to be inefficient, and with a 32-bit IP, you have just under 3.4 billion addresses, but there are over 4 billion internet users, making NAT an absolute requirement.
  • Without NAT, you would have to have a public IP assigned to your organization for each internal user that needs to communicate on the internet. With NAT, you can have thousands of users and still only require a single public IP address.
  • As packets leave your internal network they are edited so that they come from a single source IP.
  • Sometimes, it is not desirable to use an IP that is publicly known: 1) your network might not be connected to the internet and does not need to route info to and from other networks; 2) you might need a larger set of addresses than the ones your ISP assigns to you; 3) you do not want anyone to know the ISP your network uses – this is all solved with private addressing as described in RFC 1918, Address Allocation for Private Internets
  • Example:
    o Sometimes called non-routable addresses
    o You route them on your own internal network all the time
    o These will not route on the public internet
      ▪ An internet router drops any packet destined to one of those addresses
      ▪ This is useful for more efficient and secure address use through a technique known as address translation
22
Q

NAT/port address translation process
- picture on page 52

A
  • NAT can be accomplished in several different ways – one common method is called port address translation (PAT)
  • This only works for internal network traffic going to the internet, not for incoming traffic.
  • Process:
    o The internal client sends the initial SYN packet of the TCP session (it has an IP of 10.1.1.1 and a source port number of 49152)
    o As the packet traverses the NAT device, its config instructs it to edit the source IP and source port number to new values
    o The device chooses a new source port number and edits the source port number to the port it selected (6500 in this example)
    o It also edits the source IP address to the assigned public IP (7.7.7.1)
    o The NAT device places the original IP and port number, along with the new IP and port number, into the four required fields of a PAT table
    o The packet goes on to the server, which always responds back to the source IP and port number of the incoming packet
    o When the response arrives at the NAT device, that device looks at the PAT table and finds the entry created earlier
    o It then edits the destination IP and port number back to the original values and the packet continues to the internal client
  • For this to work, every entry in the PAT table must be unique – if the same 10.1.1.1 machine generates another simultaneous connection, the original IP will be the same, but it will have a different port number, so the NAT device picks a different port number for the PAT table entry. Likewise, if the machine at 10.1.1.2 happened to create a connection using the same port number as the 10.1.1.1 machine, the translated port numbers would differ and therefore the PAT table entry would be different as well.