Module 4 Flashcards
Learning Unit 3 (38 cards)
TCP/IP Message Encapsulation Process
- Layers 7–5 (Application, Presentation, Session): Payload (data and instructions) created by an app (e.g., a browser).
- Layer 4 (Transport): TCP/UDP adds a header with port numbers → becomes a segment (TCP) or datagram (UDP).
- Layer 3 (Network): IP adds its header with destination IP address → becomes a packet.
- Layer 2 (Data Link): NIC adds header and trailer with physical (MAC) address → becomes a frame.
- Layer 1 (Physical): Frame is transmitted as electrical/light/wave signals.
Connectivity Devices by OSI Layer
- Layer 1: Devices like hubs only pass bits along, no processing.
- Layer 2: Switches read/process Data Link (MAC) headers. Known as Layer 2 devices.
- Layer 3: Routers read/process Network (IP) headers. Known as Layer 3 devices.
- Layer 4+: Firewalls read Transport headers (ports). Layer 7 firewalls read entire messages to detect malware.
TCP Overview – Reliable Delivery
- Connection-Oriented: Establishes a session using a three-way handshake before transmitting.
- Sequencing & Checksums: Adds sequence numbers and checksums for reordering and error detection.
- Flow Control: Sender adjusts transmission rate to match receiver’s buffer using sliding window.
- Encapsulation: All management is handled in the TCP header; the payload comes from the higher OSI layers.
TCP Segment Header Fields (Key Structure)
- Source Port (16 bits): Originating application/process.
- Destination Port (16 bits): Target application/process.
- Sequence Number (32 bits): Position in the stream.
- Acknowledgment Number (32 bits): Confirms receipt; equals the previous Seq + 1.
- Header Length (4 bits): TCP header size (20–60 bytes).
- Reserved (6 bits): For future use.
- Flags (6 bits): URG, ACK, PSH, RST, SYN, FIN.
- Window Size (16 bits): Max bytes before needing ACK (flow control).
- Checksum (16 bits): Error-checking of the segment.
- Urgent Pointer (16 bits): Marks urgent data location.
- Options (0–32 bits): E.g., max segment size.
- Padding (variable): Aligns header to 32-bit multiple.
- Data (variable): Payload from application layer—not part of header.
TCP Segment Flags (Control Bits)
- URG: Urgent pointer is valid.
- ACK: Acknowledgment number is valid.
- PSH: Push data to app immediately.
- RST: Reset the connection.
- SYN: Initiate connection (sync sequence numbers).
- FIN: Terminate the connection.
TCP Three-Way Handshake (Connection Establishment)
- Step 1 (SYN): Client sends SYN segment (SYN=1), picks random Seq # (e.g., 937013558), ACK=0.
- Step 2 (SYN-ACK): Server replies with SYN=1 and ACK=1. ACK number = client’s Seq + 1. Server sends its own Seq #.
- Step 3 (ACK): Client responds with ACK=1. Seq = previous ACK, ACK = server’s Seq + 1.
- Data Transmission Follows: Real payload begins after this, with sequence numbers increasing by data length.
TCP Flow Example: Sequence Numbers
- Initial Seq # from A: 937013558 → A sends SYN
- B Responds with: ACK=937013559, Seq=3043958669
- A Responds with: Seq=937013559, ACK=3043958670
- Next payload (e.g., 725 bits): A’s new Seq = 937014284 (937013559 + 725)
IP Protocol Overview
- Internet Protocol (IP) is a network layer (Layer 3), connectionless protocol.
- It enables data delivery across multiple LANs and networks via routers.
- IP does not ensure packet order or delivery—this is handled by TCP or UDP.
- Each IP packet is routed independently and may take different paths to the destination.
- Versions:
o IPv4: Introduced 1981, still most used.
o IPv6: Released 1998, offers more addresses, security, and prioritization.
IPv4 Packet Structure
- Version (4 bits): Protocol version (IPv4).
- IHL (4 bits): Header length in bytes (20–60).
- DiffServ (8 bits): Router processing priority (QoS).
- Total Length (16 bits): Entire packet size (max 65,535 bytes).
- Identification (16 bits): Helps reassemble fragmented packets.
- Flags (3 bits): Fragmentation control.
- Fragment Offset (13 bits): Position of fragment in sequence.
- TTL (8 bits): Router hops allowed before discard (usually 32 or 64).
- Protocol (8 bits): Type of payload (TCP, UDP, ICMP, etc.).
- Header Checksum (16 bits): Detects header corruption.
- Source/Destination IP (32 bits each): IPv4 addresses.
- Options (variable): Optional routing/timing info.
- Padding (variable): Aligns header to 32-bit multiple.
- Data (variable): Encapsulated data from higher layers (not part of header).
IPv6 Packet Structure
- Version (4 bits): Protocol version (IPv6).
- Traffic Class (8 bits): Packet priority (similar to DiffServ).
- Flow Label (20 bits): Identifies related packet flow for prioritization.
- Payload Length (16 bits): Size of data (not header).
- Next Header (8 bits): Type of following header (e.g., TCP/UDP).
- Hop Limit (8 bits): Max router hops (like TTL).
- Source/Destination IP (128 bits each): Full IPv6 addresses.
- Data (variable): Encapsulated higher-layer data (not part of header).
- IPv6 does not include fragmentation fields (host adjusts size before sending).
ICMP and ICMPv6
- ICMP (Internet Control Message Protocol): Layer 3 protocol for error reporting and diagnostics.
- Informs about delivery failures, TTL expiry, or congestion.
- ICMP does not fix errors—higher layers (like TCP) do that.
- Commonly used by tools like ping.
- ICMP messages include both IP and ICMP headers.
ICMP Header Fields:
* Type (8 bits): ICMP message type (e.g., Destination Unreachable).
* Code (8 bits): Message subtype (e.g., Host Unknown).
* Checksum (16 bits): Corruption detection.
* Rest of Header (32 bits): Varies by message type.
* Data (variable): Includes triggering IP header + 8 bytes of data (not part of ICMP header).
ICMPv6:
* Replaces ICMPv4 + ARP in IPv6.
* Adds neighbor discovery, error messages, and multicast group management.
ARP (Address Resolution Protocol)
- ARP resolves IPv4 addresses to MAC addresses (used within local subnet).
- Operates at Layer 2 but interacts with Layer 3 (often called Layer 2.5).
- Sends broadcasts asking, “Who has IP X? Tell me your MAC.”
- Replies are unicast with the MAC address.
ARP Table (aka ARP Cache):
* Stores IP-to-MAC mappings.
* Dynamic Entries: Auto-added from ARP responses.
* Static Entries: Manually added with arp command.
* To view ARP table on Windows: use arp -a in Command Prompt or PowerShell.
* Each OS formats ARP tables differently.
States of Data Security
Data exists in three states:
* At rest: Most secure; protected by firewalls, anti-malware, physical security (e.g., locked room). Best practice: divide data into separate, individually meaningless parts.
* In use: Inherently risky as it must be accessible. Controlled via strict access and authentication.
* In motion: Most vulnerable. Transmitted data (especially wirelessly) faces risks of interception or tampering. Encryption adds essential protection.
CIA Triad
The CIA triad guides encryption protocol design:
* Confidentiality: Only intended recipients can view data.
* Integrity: Data isn’t altered during transmission.
* Availability: Data is accessible to intended users when needed. Sender must ensure delivery.
Key Encryption Types
Key encryption scrambles data into ciphertext using keys and algorithms.
* Private key encryption (symmetric): Same key used for encryption and decryption. Risk: secure key sharing.
* Public key encryption (asymmetric):
o Data is encrypted with a public key, decrypted with a private key (or vice versa).
o Ensures confidentiality and integrity.
o Uses key pairs (public + private key).
o Public keys are distributed via public key servers.
PKI and Digital Certificates
- Digital certificate: Small file with verified ID + public key.
- Issued/verified by a CA (Certificate Authority).
- System of managing certificates = PKI (Public-Key Infrastructure).
- Helps identify users and securely manage public keys.
IPsec Overview
IPsec (Internet Protocol Security) secures TCP/IP transmissions at the network layer.
* Native to IPv6; adds security headers and encrypts payloads.
* Supports both authentication and encryption.
Five IPsec steps:
1. Initiation: Triggered by policy-defined traffic.
2. Key management (via IKE & ISAKMP):
o IKEv2: Negotiates/exchanges keys.
o ISAKMP: Establishes key management policies.
3. Security negotiation: Define protection parameters.
4. Data transfer:
o Encrypted via AH (Authentication Header) or ESP (Encapsulating Security Payload).
o ESP encrypts full IP packet; both ensure authentication.
5. Termination: Regular renegotiation to prevent attacks.
Modes:
* Transport mode: Host-to-host encryption.
* Tunnel mode: Used in VPNs between network devices.
SSL and TLS Overview
- SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encrypt TCP/IP transmissions (e.g., websites, email).
- SSL = legacy; TLS = modern standard (TLS is preferred, SSL deprecated).
- Encrypts protocols like HTTP (HTTPS = TCP port 443), SMTP, IMAP, POP3, LDAP.
- Public key encryption establishes secure sessions.
SSL/TLS Session and Handshake Process
- A session defines agreed-upon encryption for communication between client/server.
- Handshake Protocol:
1. Client Hello: Sends capabilities + random session ID.
2. Server Hello: Confirms terms, may provide certificate or public key.
3. Certificate exchange: Establishes session keys; client encrypts data using server’s public key.
4. Secure session starts.
- TLS 1.2: Up to 10 steps, 3 round trips, uses public key encryption to set up, then switches to private key for speed.
- TLS 1.3: Streamlined—1 round trip. 0-RTT mode can skip handshake for faster reconnections.
Remote Access Overview
Remote access allows a client to connect to a LAN, WAN, or server from a different location to access files, apps, and resources.
Requires:
* A transmission path
* Remote access server (RAS) software on both client and host
Types of RAS:
* Dedicated Devices: e.g., Digi Connect IT 48, authenticate via credential matching
* Software on Server: e.g., Windows DirectAccess (since Server 2008 R2) and Always On VPN (since Server 2012 R2), authenticate users to Windows domain
Common Methods:
* Remote file access (e.g., FTP)
* Terminal emulation (e.g., SSH, Telnet)
* VPNs
Security: Encryption is often necessary. Some protocols natively support it; others require pairing with encryption protocols.
Remote File Access Protocols
- FTP: Transfers files using port 21 (control) and port 20 (data). No encryption.
- FTPS: FTP over SSL/TLS. Encrypts control and data channels. Uses ports 989 & 990 or negotiates a port range. Complex with firewalls.
- SFTP: Built on SSH (not FTP). Uses single channel over port 22. Provides encryption and authentication. Incompatible with FTP/FTPS.
- TFTP: Simplified FTP using UDP and port 69. No authentication or encryption. Limited to 4 GB transfers. Used for boot/config files in internal networks.
Terminal Emulation Concepts
Terminal emulation lets a remote client control a host as if physically present.
Privileges can range from screen viewing to full app execution and file editing.
Examples:
* CLI-based: Telnet, SSH
* GUI-based: RDP (Windows Remote Desktop), VNC, TeamViewer, join.me
Use cases: Accessing proprietary software remotely, managing network devices, remote IT support.
Telnet
A command-line terminal emulation protocol with minimal security.
* No encryption
* Poor authentication
* Uses default port (not specified; typically port 23)
Usage:
* Enable Telnet in OS
* Command: telnet <IP>
* End session: Ctrl + ] → quit
Example: A network admin modifies a remote router's settings via Telnet.
SSH (Secure Shell)
SSH provides secure remote terminal access via encryption and authentication.
* Encrypts full session (data and commands)
* Prevents: unauthorized access, data interception, IP & DNS spoofing
* Port: 22
Encryption: Triple DES, AES, Blowfish, etc.
Authentication Methods:
1. Password
2. Public/Private Keys:
o Generate keys (ssh-keygen)
o Transfer public key to host
o Upon connection, keys are exchanged for authentication
* Tools: PuTTY (supports SSH & Telnet)
* Built into UNIX/Linux/macOS; Windows requires separate SSH client