Introduction to network security pdf
Window size is for flow control. Flags are for additional control functions, such as session establishment (handshaking) and session termination. Checksum is for detecting a possible transmission error within a segment (i.e., bits corrupted in transit). The main concern with UDP is that it does not maintain the integrity and reliability of application layer data as TCP does.
Therefore, UDP is an unreliable protocol that performs neither flow control nor error control: it carries a checksum that can detect a corrupted datagram, but it never acknowledges, retransmits, or reorders anything. Because of the absence of these reliability features, UDP significantly reduces the workload of the source and destination hosts, and it does not burden the network with acknowledgment traffic.
This simplicity and efficiency make UDP an ideal transport protocol for real-time data produced by applications such as voice over IP (VoIP), video conferencing, online gaming, and multimedia streaming.
For them, avoiding latency is more important than ensuring the integrity of the exchanged data. Just as UDP, most protocols in the other layers are unreliable in this sense. This is fine because, even if a transmission error occurs in a lower layer, TCP at the transport layer detects the loss or corruption and recovers by retransmitting the segment. But UDP does not.
Handshaking for session establishment should be done between the two hosts prior to data exchange. It represents a mutual agreement to exchange data. Alternatively, the source host can simply dispatch the data to the destination host without handshaking. In this mode, there is no need for the source to seek approval or agreement from its counterpart before releasing the data. When handshaking is needed between two hosts, TCP is used. As it establishes a session through handshaking before exchanging application data, TCP is a connection-oriented protocol.
Meanwhile, UDP is a connectionless protocol, as application layer data relying on UDP are transmitted without a formal handshaking process between hosts. In summary, TCP is a connection-oriented and reliable protocol, whereas UDP is a connectionless and unreliable protocol. Session management in TCP relies on three of the flag bits in the segment header: SYN, ACK, and FIN. By setting each of the three bits to either 0 or 1, two hosts convey their intentions: SYN opens a session (the three-way handshake is SYN, then SYN+ACK, then ACK) and FIN closes it. The ACK bit is not reserved for session management; once a session is open, it is set in every segment to acknowledge data received from the other side.
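The handshake and teardown described above, as an added example that is not part of the original text: it packs and parses the 20-byte TCP header, sets the SYN, ACK and FIN bits as the two hosts would, and checks the sequence/acknowledgment arithmetic of a captured handshake. Port numbers and initial sequence numbers are assumed values; the checksum is left at zero because it requires the IP pseudo-header.

```python
import struct

# TCP flag bits (low byte of the 16-bit "data offset / reserved / flags" word)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Pack a 20-byte TCP header without options.

    The checksum is left as zero: computing it needs the IP pseudo-header,
    which is outside the scope of this example.
    """
    data_offset = 5                      # header length in 32-bit words
    offset_flags = (data_offset << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Unpack the fields you look at first when reading a capture."""
    src, dst, seq, ack, offset_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": (offset_flags >> 12) * 4,
            "flags": offset_flags & 0x1FF, "window": window}


def flag_names(flags):
    return [name for name, bit in FLAG_NAMES if flags & bit]


def three_way_handshake(client_isn, server_isn, client_port=49152, server_port=80):
    """The three segments that open a session, in the order they are sent.

    A SYN consumes one sequence number, which is why each side acknowledges
    the other's ISN + 1. Ports and ISNs are assumed values.
    """
    syn = build_tcp_header(client_port, server_port, client_isn, 0, SYN)
    syn_ack = build_tcp_header(server_port, client_port, server_isn, client_isn + 1, SYN | ACK)
    ack = build_tcp_header(client_port, server_port, client_isn + 1, server_isn + 1, ACK)
    return [syn, syn_ack, ack]


def four_way_teardown(closer_seq, peer_seq, closer_port=49152, peer_port=80):
    """Session termination: each side sends FIN and has it acknowledged.

    Every segment after the handshake carries ACK, so the FIN segments are FIN+ACK.
    """
    fin1 = build_tcp_header(closer_port, peer_port, closer_seq, peer_seq, FIN | ACK)
    ack1 = build_tcp_header(peer_port, closer_port, peer_seq, closer_seq + 1, ACK)
    fin2 = build_tcp_header(peer_port, closer_port, peer_seq, closer_seq + 1, FIN | ACK)
    ack2 = build_tcp_header(closer_port, peer_port, closer_seq + 1, peer_seq + 1, ACK)
    return [fin1, ack1, fin2, ack2]


def handshake_is_consistent(segments):
    """Check the ISN arithmetic of a captured handshake: the SYN+ACK must
    acknowledge the SYN's seq + 1 and the final ACK must acknowledge the
    SYN+ACK's seq + 1. Useful when validating what a scanner or IDS reports."""
    syn, syn_ack, ack = (parse_tcp_header(s) for s in segments)
    return (syn["flags"] == SYN
            and syn_ack["flags"] == SYN | ACK and syn_ack["ack"] == syn["seq"] + 1
            and ack["flags"] == ACK and ack["ack"] == syn_ack["seq"] + 1
            and ack["seq"] == syn["seq"] + 1)


if __name__ == "__main__":
    for seg in three_way_handshake(1000, 5000):
        h = parse_tcp_header(seg)
        print(h["src_port"], "->", h["dst_port"], flag_names(h["flags"]), "seq", h["seq"], "ack", h["ack"])
```

Run it to see the three segments of the handshake; `handshake_is_consistent` is the kind of check a detection rule applies when it sees a SYN+ACK whose acknowledgment number does not match any SYN it observed.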
Exchange of application layer data begins only after the handshake completes. To better relate the session management shown in Figure 2. to everyday use, consider what happens when a browser loads a web page. It shows that to display the web page on a browser, the browser has to download several objects, including the main text page and several JPEG and GIF image files. To download an object, one TCP session is established.
Sometimes, if an object is oversized, it is split up and delivered using multiple TCP segments within that session.
There are four image files in Figure 2. Although the TCP sessions are established in parallel to load the web page faster, it is not difficult to see that there is considerable overhead just to display one web page. (This one-session-per-object model is that of HTTP/1.0; HTTP/1.1 keep-alive and HTTP/2 reuse a single TCP session for many objects, and the cost of the per-session handshake is precisely why those optimizations exist.)
Many application layer protocols rely on TCP. Once a logical connection (session) is established through TCP handshaking, the two hosts start to exchange application data. Handshaking is not a guaranteed process, though. For example, when a server host is too tied up with handling existing sessions, it may not accept additional handshaking requests, or it may take too long to respond.
The failure of handshaking results in the display of an error message such as the one shown in Figure 2. Another important transport layer function is port management. Be careful: the port here has nothing to do with the physical switch or router port. Port numbers are divided into three groups: well-known, registered, and private (dynamic) ports. Well-known ports (0 through 1023) are mainly used to indicate standard server application layer protocols; registered ports (1024 through 49151) are assigned to other server applications; and private or dynamic ports (49152 through 65535) are what clients draw their ephemeral ports from.
The source port and destination port fields (see Figures 2.) each carry a 16-bit port number. Generally, a client tries to connect to a server to obtain available resources. In doing so, the client host randomly chooses a source port number, termed an ephemeral port. Meanwhile, a well-known server port (see Table 2.) is used as the destination port. Subsequently, the same pair of port numbers is reused throughout the session. Exercise: Find out the IP address of a particular web server using the nslookup command (e.g., nslookup followed by the server name).
Assume that the IP of www. What happens? Explain the result. The IP packet arriving at a host station should be handed over to the right application.
When an IP packet containing an email message arrives at the laptop, how does the laptop know that the email should be forwarded to MS Outlook, not to Firefox or Skype? It uses socket information: the combination of an IP address and a port number assigned to an application. By combining an IP address and a port number, a host can direct incoming data to the right application. The port number is simply a critical piece of information for correctly forwarding data to a target program. (Strictly, the host matches the full five-tuple of protocol, source and destination IP addresses, and source and destination ports, which is how several concurrent sessions to the same server port are kept apart.)
This means that an application can be associated with multiple sockets, each assigned to a particular TCP session. For example, referring back to Figure 2., a browser loading one web page holds one socket per object it downloads. The output has four columns: protocol, source socket, destination socket, and status (e.g., ESTABLISHED).
Based only on the screenshot information:
1. How many different sessions are established by visiting the particular website?
2. How many different source sockets are used to establish the sessions?
3. What is the port range assigned to the source sockets?
4. How many different destination sockets are shown in the sessions?
5. What is the server port used by the destination socket?
6. Find out the server name of the destination socket's IP address.
Conduct the following activities:
1. Open up a web browser and a command line prompt concurrently.
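The socket bookkeeping described above, as an added example not taken from the text: it parses a constructed netstat-style listing (documentation addresses from RFC 5737, not a real screenshot), answers the exercise questions from it, and shows how a host demultiplexes an arriving segment by five-tuple first and by listening socket second. The socket table and application names are assumed.

```python
import re

# Constructed netstat-style listing (proto, source socket, destination socket, state);
# addresses are from the RFC 5737 documentation ranges, not a real capture.
SAMPLE_LISTING = """\
Proto  Local Address        Foreign Address      State
TCP    192.0.2.10:49152     198.51.100.7:80      ESTABLISHED
TCP    192.0.2.10:49153     198.51.100.7:80      ESTABLISHED
TCP    192.0.2.10:49154     198.51.100.7:80      ESTABLISHED
TCP    192.0.2.10:49155     198.51.100.7:80      ESTABLISHED
TCP    192.0.2.10:49156     198.51.100.9:443     ESTABLISHED
TCP    192.0.2.10:49157     198.51.100.9:443     TIME_WAIT
UDP    192.0.2.10:51000     *:*
"""

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)$")


def parse_listing(text):
    """Turn the listing into rows; a socket is an (ip, port) pair."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # header or unrecognized line
        proto, lip, lport, rip, rport, state = m.groups()
        rows.append({"proto": proto,
                     "src": (lip, None if lport == "*" else int(lport)),
                     "dst": (rip, None if rport == "*" else int(rport)),
                     "state": state or None})
    return rows


def summarize_sessions(rows, server_ip=None):
    """Answer the screenshot exercise for the established TCP sessions to one
    server (or to every server when server_ip is None)."""
    tcp = [r for r in rows if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
           and (server_ip is None or r["dst"][0] == server_ip)]
    src_ports = sorted(r["src"][1] for r in tcp)
    return {"sessions": len(tcp),
            "source_sockets": len({r["src"] for r in tcp}),
            "source_port_range": (src_ports[0], src_ports[-1]) if src_ports else None,
            "destination_sockets": len({r["dst"] for r in tcp}),
            "server_ports": sorted({r["dst"][1] for r in tcp})}


def demultiplex(socket_table, proto, dst_ip, dst_port, src_ip, src_port):
    """What the host does with an arriving segment or datagram: find the socket
    that owns it. A connected TCP socket matches on the full five-tuple; a
    listening or unconnected socket matches on local address and port only."""
    exact = (proto, dst_ip, dst_port, src_ip, src_port)
    if exact in socket_table:
        return socket_table[exact]
    for local_ip in (dst_ip, "0.0.0.0"):
        key = (proto, local_ip, dst_port, None, None)
        if key in socket_table:
            return socket_table[key]
    return None          # no owner: TCP answers with RST, UDP with ICMP port unreachable


# Constructed socket table for host 192.0.2.10: which application owns which socket
SOCKET_TABLE = {
    ("TCP", "192.0.2.10", 49152, "198.51.100.7", 80): "firefox",
    ("TCP", "192.0.2.10", 49153, "198.51.100.7", 80): "firefox",
    ("TCP", "192.0.2.10", 49156, "198.51.100.9", 443): "outlook",
    ("UDP", "0.0.0.0", 51000, None, None): "skype",
    ("TCP", "0.0.0.0", 22, None, None): "sshd",
}

if __name__ == "__main__":
    print(summarize_sessions(parse_listing(SAMPLE_LISTING), "198.51.100.7"))
```

Note that the TIME_WAIT row is not counted as a session: it is a socket the host keeps briefly after closing so that late segments of the old session cannot be mistaken for a new one using the same ephemeral port.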
This layer conducts internetworking functions: the creation of IP packets and the routing decisions that move them from one subnet to another according to their destination IP addresses. The routing of packets, therefore, presumes that multiple delivery paths are available between the source and destination hosts.
To support internetworking, the internet layer is responsible for:
1. Creating IP packets and making their routing decisions
2. Performing other supervisory functions
Packet creation: Packets have a predefined structure including the data (payload) and header fields, as shown in Figure 2. Packet routing decision: Assuming the existence of several delivery paths between the source and destination hosts of an IP packet, this layer makes forwarding decisions from one subnet to the next so that the packet can ultimately reach the destination host.
Although IPv6 represents a significant enhancement over IPv4 in many aspects, the Internet is still dominated by the IPv4 standard for packet construction and transportation (for more details of IPv6, see Chapter ). Note: The header is 20 bytes in length excluding Options and Padding, and the data or payload field can be much longer than the header (the 16-bit Total Length field allows a packet of up to 65,535 bytes including the header), although it is shown only as a single row.
Version (4 bits): always 4, indicating that IPv4 is used to create the packet. Header length (4 bits): the header size in 32-bit words (5 for the 20-byte header without options). DiffServ (8 bits): indicates the priority or urgency of a packet and is intended to provide quality of network service (QoS). Total length (16 bits): the size of the entire packet in octets, header included. Identification (16 bits): identifies the fragments belonging to one IP packet, if it is broken into smaller pieces prior to transportation.
These days, host nodes avoid fragmentation altogether (by agreeing on a segment size small enough for the path and by setting the Don't Fragment flag), so this field sees limited use. Time to live (TTL, 8 bits): a counter whose initial value is set by the sending host; each router decrements it by 1 and discards the packet when it reaches 0, which keeps a misrouted packet from circulating forever. Header checksum (16 bits): used for detecting an error in the header (e.g., bits flipped in transit). It covers only the header, not the payload, and a router must recompute it at every hop because the TTL changes.
Any IP packet with one or more error bits in the header should be discarded, because it can affect network performance (e.g., a packet delivered to the wrong destination). Source and destination IP addresses (32 bits each): these fields carry the 32-bit IP addresses necessary for packet forwarding. For instance, in Figure 2., the routing decision by a router is all about determining which next-hop router should get an IP packet so that it ultimately reaches the destination host.
The routing decision for an IP packet is, therefore, made independently by each router along the way. Bear in mind that the source and destination addresses of an IP packet stay unchanged while it crosses subnetworks. For example, a packet issued by PC1 in Figure 2. carries PC1's address as its source and the destination host's address as its destination on every subnetwork it crosses. This is what makes IP addresses different from data link (MAC) addresses, which remain unchanged only within a subnetwork boundary. For packet routing, a router matches the destination IP address of an arriving packet against the routing table maintained in its memory, finds the best path toward the destination network, and forwards the packet to the next-hop router (for more details, see Chapter 6).
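The header fields, checksum and per-hop TTL handling just described, as an added worked example that is not part of the original text: it builds and parses a 20-byte IPv4 header, verifies the header checksum the way a router does before anything else, rejects a header with a flipped bit, and performs one hop's work (decrement TTL, recompute checksum) until the TTL expires. Addresses are documentation addresses and the payload is assumed.

```python
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(dotted):
    return bytes(int(p) for p in dotted.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_ipv4_header(src, dst, payload_len, ttl=64, protocol=6, ident=0, dscp=0):
    """20-byte header, no options; DF is set because modern hosts avoid fragmentation."""
    ver_ihl = (4 << 4) | 5                  # version 4, header length 5 words
    flags_frag = 0x4000                     # DF=1, MF=0, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, dscp << 2, 20 + payload_len, ident,
                      flags_frag, ttl, protocol, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(raw):
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {"version": ver_ihl >> 4, "header_len": (ver_ihl & 0x0F) * 4, "dscp": tos >> 2,
            "total_len": total_len, "id": ident, "df": bool(flags_frag & 0x4000),
            "mf": bool(flags_frag & 0x2000), "frag_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "protocol": proto, "checksum": csum,
            "src": bytes_to_ip(src), "dst": bytes_to_ip(dst)}


def header_is_valid(raw):
    """Summing a header that includes its own checksum field yields 0 when intact."""
    hlen = (raw[0] & 0x0F) * 4
    return (raw[0] >> 4 == 4 and hlen >= 20 and len(raw) >= hlen
            and internet_checksum(raw[:hlen]) == 0)


def router_forward(raw):
    """One hop's work on the header: verify it, decrement TTL, recompute the checksum.
    Returns the packet to send on, or None when it must be dropped (a real router
    also sends ICMP Time Exceeded back to the source when the TTL runs out)."""
    if not header_is_valid(raw):
        return None
    hlen = (raw[0] & 0x0F) * 4
    if raw[8] <= 1:
        return None
    hdr = bytearray(raw[:hlen])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr)))
    return bytes(hdr) + raw[hlen:]


def flip_bit(raw, byte_index, bit=0):
    """Simulate a transmission error to exercise the checksum."""
    b = bytearray(raw)
    b[byte_index] ^= (1 << bit)
    return bytes(b)


if __name__ == "__main__":
    pkt = build_ipv4_header("192.0.2.1", "198.51.100.5", 8, ttl=3, protocol=17) + b"\x00" * 8
    while pkt is not None:
        print(parse_ipv4_header(pkt)["ttl"], "valid:", header_is_valid(pkt))
        pkt = router_forward(pkt)
```

A consequence worth noticing: because the checksum protects only the header, a corrupted payload passes every router untouched, which is why TCP and UDP carry their own checksums.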
For the transportation, the packet is encapsulated within a frame. The internet layer also conducts additional supervisory functions. ICMP is the protocol designed to exchange supervisory packets in this layer. There are many different usages of ICMP, including the diagnosis of connectivity between two network nodes and the reporting of transmission errors (e.g., a destination that cannot be reached, or a packet whose TTL expired). An ICMP message begins with an 8-bit Type field and an 8-bit Code field.
Among the heavily used Type values are 0 (echo reply), 3 (destination unreachable), 8 (echo request), and 11 (time exceeded). The Code value provides additional information regarding the Type value. For example, if the Type value is 3 (destination unreachable), then the Code value explains the reason (network, host, or port unreachable, among others). Among the various supervisory functions, ping is the most widely used. With it, a host station or router transmits echo requests to a target node to check its availability and network connectivity.
A reply has two meanings: (1) the target is up and running, and (2) the link between the two communicating nodes works properly. Although intermediary devices, especially routers, generally respond to pinging, many server hosts and firewalls are configured to drop echo requests these days out of cybersecurity concerns such as denial-of-service attacks and reconnaissance (see Chapter ). The absence of a reply therefore does not prove that a host is down. The following is a summary of the key information elements shown in Figure 2.
For example, Figure 2. shows the output of tracert. The command sends a probe three times for each TTL value to discover each router, shown as a hop number in the first column, on the way to the destination host.
Tracing the routing path becomes possible because each router along the way returns an error message (i.e., ICMP Time Exceeded, Type 11) when the TTL of a probe reaches 0: the first probes are sent with TTL 1, the next with TTL 2, and so on, so each successive router reveals itself. Remember that each router reduces TTL by 1. (Windows tracert uses ICMP echo requests as probes; Unix traceroute sends UDP datagrams to an unused port by default and expects an ICMP Port Unreachable from the destination.) Each record (i.e., each hop) lists the three round-trip delays and the address of the responding router. Visit the website www.
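The ping and tracert behaviour above, as an added model-level example that is not part of the original text: a constructed chain of routers decrements the TTL of each probe and answers with Time Exceeded when it expires, the destination answers an echo request only if it is configured to, and a UDP probe (the Unix traceroute style) draws a Port Unreachable instead. Router and host addresses are assumed; no packets are put on a real network.

```python
from dataclasses import dataclass
from typing import Optional

# ICMP Type values used here (the Code field qualifies the Type)
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
CODE_PORT_UNREACHABLE = 3        # a Code value under Type 3
CODE_TTL_EXPIRED = 0             # a Code value under Type 11


@dataclass
class Probe:
    src_ip: str
    dst_ip: str
    ttl: int
    kind: str                    # "icmp_echo" (Windows tracert) or "udp" (Unix traceroute)


@dataclass
class IcmpMessage:
    icmp_type: int
    code: int
    from_ip: str                 # the node that generated the message


class Router:
    def __init__(self, ip):
        self.ip = ip

    def forward(self, probe) -> Optional[IcmpMessage]:
        """Decrement TTL; if it would hit 0, drop the probe and report back."""
        if probe.ttl <= 1:
            return IcmpMessage(TIME_EXCEEDED, CODE_TTL_EXPIRED, self.ip)
        probe.ttl -= 1
        return None


class Host:
    def __init__(self, ip, answers_ping=True):
        self.ip, self.answers_ping = ip, answers_ping

    def receive(self, probe) -> Optional[IcmpMessage]:
        if probe.kind == "icmp_echo":
            return IcmpMessage(ECHO_REPLY, 0, self.ip) if self.answers_ping else None
        # A UDP probe to a closed port is answered with Port Unreachable
        return IcmpMessage(DEST_UNREACHABLE, CODE_PORT_UNREACHABLE, self.ip)


def send_probe(path, host, probe):
    for router in path:
        reply = router.forward(probe)
        if reply is not None:
            return reply
    return host.receive(probe)


def ping(path, host, src_ip):
    """True only if an echo reply came back; False does not prove the host is down."""
    reply = send_probe(path, host, Probe(src_ip, host.ip, 64, "icmp_echo"))
    return reply is not None and reply.icmp_type == ECHO_REPLY


def traceroute(path, host, src_ip, kind="icmp_echo", max_hops=30):
    """Send probes with TTL 1, 2, 3, ... and record who answered at each hop.
    Returns a list of (hop number, responding IP or None). A real tool sends
    three probes per TTL and prints the round-trip time of each."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(path, host, Probe(src_ip, host.ip, ttl, kind))
        hops.append((ttl, None if reply is None else reply.from_ip))
        if reply is not None and reply.icmp_type != TIME_EXCEEDED:
            break                # destination reached (echo reply or port unreachable)
    return hops


# Constructed topology: three routers between the source and the target server
PATH = [Router("10.0.0.1"), Router("10.0.1.1"), Router("10.0.2.1")]

if __name__ == "__main__":
    for hop, who in traceroute(PATH, Host("198.51.100.8", answers_ping=False), "192.0.2.10", max_hops=6):
        print(hop, who or "*")
```

The second run in `__main__` reproduces the familiar trail of asterisks: every router answered, but the target drops echo requests, so an ICMP-based trace never confirms arrival even though the path is fine. Switching the probe kind to "udp" gets a Port Unreachable from the same host.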
You can observe that the last entry is the IP address of www. Ping the first three nodes (routers) to observe delays, and compare them with the results of tracert. The data link layer standard (e.g., Ethernet or WiFi) defines how frames are delivered between two nodes within a subnetwork. In other words, this layer is responsible for intranetworking, the delivery of a frame across a single subnetwork. In Chapter 1, it was stated that intranetworking relies on one or more intranetworking devices such as switches and wireless access points. In other words, when the delivery of an IP packet between two nodes (e.g., a host and its router) takes place within a subnetwork, the packet is carried inside a frame over a data link.
Referring to Section 2., the delivery of frames for intranetworking is called switching, and switching within a subnetwork is carried out purely based on MAC addresses. As an example, see Figure 2. As a somewhat different example, think of the situation in Figure 2.
A data link relies on one LAN standard (e.g., Ethernet alone). There are also times when more than one LAN technology is used to form a data link for intranetworking, as when a WiFi host reaches a wired server through an access point. In this scenario, the wireless access point does the conversion between Ethernet and WiFi frames (for more details, see Chapter 8).
Remember that within a subnetwork, only a single delivery path (therefore, only a single data link) becomes active between any two nodes. This is true regardless of how many host stations and intermediary devices are in the subnetwork. Many subnetworks have more than one physical path available between two nodes to provide network redundancy and survivability. However, intermediary devices, especially switches, can figure out and disable redundant paths to ensure that there is only a single active path between any two stations at any one time (for more details, see Chapter 7).
For instance, as shown in Figure 2., answer the following:
1. How many data links can be formed from Laptop1? List them.
2. How many data links can be formed from PC4?
3. How many of the data links identified in Question 1 involve more than one intermediary device?
4. How many of the data links identified in Question 2 involve more than one intermediary device?
5. Do the addresses change while the frame goes through the wireless access point and SW3?
The data link concept applies to WAN connections as well, as illustrated in Figure 2. Then, the packet crosses three different data links separated by the two border routers R1 and R. You can observe that data link 2 is a WAN connection. In Figure 2., regardless of the distance, it is still a data link belonging to the enterprise network. Data links use different technologies for their end-to-end connections (e.g., Ethernet on the LANs and a WAN technology between the routers). As explained, the data link address is for intranetworking.
Creating a new frame in each subnetwork to encapsulate the same IP packet resembles the real-life scenario of Figure 2.
1. How many different data links can be formed from IP Phone?
2. How many different data links can be formed from PC1?
3. How many of the data links identified in Question 2 take more than one intermediary device?
4. How many data links are there for the end-to-end connectivity?
5. Do the data link addresses change on the way to Server1? Remember that WiFi and Ethernet have different frame structures.
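The point made above,that one IP packet is re-framed on every data link it crosses while its IP addresses never change, as an added example that is not part of the original text. It models a constructed PC1, R1, R2, Server1 topology (with PC2 on PC1's subnet), gives each node a small routing table, and records the frame built on each data link. All addresses are documentation addresses; ARP is a static table, and the WAN link uses a placeholder link-layer address because PPP has no MAC addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Iface:
    name: str
    ip: str
    link_addr: str       # MAC address (a placeholder on the PPP WAN link, which has none)
    network: str         # the subnetwork (one data link) the interface is attached to


class Node:
    def __init__(self, name, ifaces, routes):
        self.name, self.ifaces = name, ifaces
        # routes: (destination network, outgoing interface name, next-hop IP or None if directly connected)
        self.routes = routes

    def iface(self, name):
        return next(i for i in self.ifaces if i.name == name)

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def route(self, dst_ip):
        """Longest-prefix match; 0.0.0.0/0 is the default route."""
        best = None
        for net, out, next_hop in self.routes:
            n = ip_network(net)
            if ip_address(dst_ip) in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, out, next_hop)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst_ip}")
        return best


def deliver(packet, nodes, arp):
    """Carry one IP packet (src_ip, dst_ip) from nodes[0] to the node owning dst_ip.

    Returns one (data link, source link address, destination link address) record
    per frame created, i.e. per data link crossed. The packet itself is never
    modified; only the frame around it is rebuilt at each node."""
    src_ip, dst_ip = packet
    by_ip = {i.ip: n for n in nodes for i in n.ifaces}
    current, frames = nodes[0], []
    while not current.owns(dst_ip):
        _net, out_name, next_hop = current.route(dst_ip)
        out = current.iface(out_name)
        target_ip = next_hop or dst_ip        # direct delivery uses the destination's own address
        frames.append((out.network, out.link_addr, arp[target_ip]))
        current = by_ip[target_ip]
        if len(frames) > len(nodes):
            raise RuntimeError("routing loop")
    return frames


# Constructed topology: PC1, PC2 --LAN A-- R1 --WAN-- R2 --LAN B-- Server1
PC1 = Node("PC1", [Iface("eth0", "192.0.2.10", "00:00:5e:00:53:01", "192.0.2.0/24")],
           [("192.0.2.0/24", "eth0", None), ("0.0.0.0/0", "eth0", "192.0.2.1")])
PC2 = Node("PC2", [Iface("eth0", "192.0.2.20", "00:00:5e:00:53:02", "192.0.2.0/24")],
           [("192.0.2.0/24", "eth0", None), ("0.0.0.0/0", "eth0", "192.0.2.1")])
R1 = Node("R1", [Iface("eth0", "192.0.2.1", "00:00:5e:00:53:11", "192.0.2.0/24"),
                 Iface("s0", "203.0.113.1", "ppp-r1", "203.0.113.0/30")],
          [("192.0.2.0/24", "eth0", None), ("203.0.113.0/30", "s0", None),
           ("198.51.100.0/24", "s0", "203.0.113.2")])
R2 = Node("R2", [Iface("s0", "203.0.113.2", "ppp-r2", "203.0.113.0/30"),
                 Iface("eth0", "198.51.100.1", "00:00:5e:00:53:21", "198.51.100.0/24")],
          [("198.51.100.0/24", "eth0", None), ("203.0.113.0/30", "s0", None),
           ("0.0.0.0/0", "s0", "203.0.113.1")])
SERVER1 = Node("Server1", [Iface("eth0", "198.51.100.7", "00:00:5e:00:53:07", "198.51.100.0/24")],
               [("198.51.100.0/24", "eth0", None), ("0.0.0.0/0", "eth0", "198.51.100.1")])
NODES = [PC1, PC2, R1, R2, SERVER1]
ARP = {i.ip: i.link_addr for n in NODES for i in n.ifaces}   # static stand-in for ARP

if __name__ == "__main__":
    for link, src, dst in deliver(("192.0.2.10", "198.51.100.7"), NODES, ARP):
        print(f"{link:17} {src} -> {dst}")
```

The three records printed are the three data links of the end-to-end connectivity; a packet from PC1 to PC2 yields a single frame because the longest-prefix match selects the directly connected route over the default.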
The physical layer functions are implemented in hardware devices, such as network interface cards (NICs), that convert data link layer frames into electronic, radio, or light signals for propagation. The conversion process is called signaling. In the simple scheme of Figure 2., the high and low electronic states represent the 0 and 1 bits, respectively.
Depending on the transmission medium used to connect network nodes, electronic signals (through twisted pairs and coaxial cables), light signals (through optical fibers), or radio signals (through the atmosphere) are produced and propagated.
A number of conversion methods from bit streams to signals and vice versa have been introduced as industry standards. In fact, much more sophisticated encoding technologies than the one shown in Figure 2. are used in practice. More details of signaling are explained in Chapter 4. Exercise: Assume that the WAN link between the two routers is one physical link.
1. How many physical links (including the wireless connection) are there for the end-to-end connection?
2. Do you think the signaling features are the same across all of those physical links?
Note 2: Each WAN connection is counted as one physical link for the sake of simplicity. In reality, however, it generally takes multiple physical layer links interconnected by switches or routers to form end-to-end connectivity between two remotely separated routers. The WAN details are explained in Chapter 9. For reliable electronic, radio, or light signaling between two nodes, physical layer technologies have to be standardized.
Then, hardware products from different manufacturers remain compatible as long as they comply with the standards. The following are selected physical layer details that require standardization (see Figure 2.):
Properties of signals (e.g., their strength, frequency, and timing). There are also application layer protocols, such as DNS and DHCP, that are not necessarily tied to a particular user application but play a critical role in enabling networking. Figure 2. shows the list of applications and processes.
Processes are instances of an application program, and an application can have one or more associated processes. The data link and physical layer functions of a host are built into the NIC. In other words, the NIC implements a data link protocol such as Ethernet or WiFi and interfaces with the transmission medium (e.g., a twisted pair cable or the air). In summary, exchanging application layer data involves all five layers on each host. It is again highlighted that all five layer functions are performed within a host computer, but only a subset of the five layers is performed on intermediary devices.
Intermediary devices, such as switches and routers, have their own operating systems. The standard network architecture represents a framework or reference model that broadly defines the primary necessary network functions in a multilayer structure.
The protocol, as a standard, specifies rules of communication between software programs. There are syntactic rules (i.e., the format and structure of the messages exchanged) and semantic rules (i.e., how to interpret them). The PDU is a discrete message unit produced in each layer except the physical layer. The transport layer is in charge of three functions: provision of data integrity, session management, and port management. The internet (or network) layer is responsible for internetworking. For this, it creates IP packets and performs their routing across subnetworks conjoined by one or more routers.
The routing of packets presumes that there are multiple delivery paths between two communicating hosts. The data link layer transports IP packets between any two nodes within a subnetwork, which is also called intranetworking.
Application layer protocols are built into client and server programs. The transport and internet layer functions are embedded in the operating system. The data link and physical layer functions are handled by the NIC.
Key terms: FIN, Internet Protocol (IP), Request for Comments (RFC), SYN, Window size field, Windows Task Manager.

Chapter Review Questions

1. Which two layer functions are generally built into an operating system such as Windows and Linux?
 1. Physical and transport layers
 2. Transport and internet layers
 3. Internet and data link layers
 4. Physical and internet layers
 5. Transport and data link layers

5. Which statement is true?
 1. IP is a connection-oriented protocol.
 2. UDP is a reliable protocol.
 3. IP is a reliable protocol.
 4. TCP is a reliable protocol.
 5. TCP is a connectionless protocol.

The TCP port is used to

 1. FIN
 2. ACK
 3. SYN
 4. CON
 5. SEQ

9. Which is NOT accurate in terms of layer functions?
 1. Application layer: to establish sessions or handshaking
 2. Transport layer: to provide message or data integrity
 3. Internet layer: to execute packet routing
 4. Data link layer: to conduct frame switching
 5. Physical layer: for actual transportation of frames in signals

 1. Physical layer only
 2. Data link layer only
 3. Physical layer and data link layer
 4. Physical layer, data link layer, and internet layer
 5. Physical layer, data link layer, internet layer, and transport layer

 1. Emails
 2. Internet surfing with a web browser
 3. Online credit card authorization for Internet shopping
 4. File transfer using FTP
 5. Three-way video conferencing over the Internet

 A. Defined layer: Transport / Internet
 B. Require handshaking: Yes / Yes
 C. Require acknowledgment: Yes / Yes
 D. Burden on communicating hosts: Low / Low
 E. Burden on the network: High / Low

 A standard protocol should define either semantics or syntax, but not both.
 The semantics of a protocol is about how to interpret the PDUs exchanged.
 A reliable protocol detects transmission errors, but it does not correct them.
 All standard protocols of the application layer are reliable protocols.

Assume that an email should cross three subnetworks for its delivery to a destination host. How many different packets are produced along the way?

 2. TCP segment
 3. UDP datagram
 4. ICMP packet

 2. DHCP server
 3. DNS server

 For a Windows host, becomes a well-known port number.
 Port numbers are divided into well-known and unknown ones.
 If a Linux machine sends a TCP segment with source port and destination port , then the host must be an email server.
 Well-known port numbers are generally assigned to server applications.
 Well-known port numbers are also called ephemeral port numbers.

Choose a mismatch between a standard and its corresponding layer.

Which PDU type generally has a header and a trailer?
 1. Data
 2. Segment
 3. Packet
 4. Frame
 5. Bit

When the command tracert www. What are they?

The others perform more specialized functions, including the production and propagation of electronic and light signals over the WAN connection. The AP is another ubiquitous device type, briefly mentioned here but covered in depth in Chapter 8. The primary objectives of this chapter are to learn the following: As shown in Table 3., each intermediary device is associated with a particular layer. For example, the router is an internet layer device, and the ordinary switch runs in the data link layer.
Table 3. lists the intermediary devices and the layers they operate at. Among them, the technical details of layer 3 switches are largely beyond the scope of this book, but they will be briefly introduced in this chapter. As briefly explained in Chapter 2, intermediary devices also conduct encapsulation and de-encapsulation to forward application layer data.
Figure 3. illustrates a router joining an Ethernet LAN to a PPP WAN link. The two data link layer technologies are not compatible (e.g., Ethernet frames carry MAC addresses, while PPP frames do not). Remember that the Internet Protocol (IP) packet stays the same during the end-to-end delivery. When an Ethernet frame arrives at a LAN port, the router removes (i.e., de-encapsulates) the Ethernet header and trailer to recover the IP packet and makes a routing decision on its destination address. Then, the packet is handed over to the data link layer of the outgoing port, where the IP packet is encapsulated within a PPP frame for transportation over the WAN connection.
As can be seen, routers should support the popular LAN and WAN data link standards on their respective ports. Exercise 3.: Develop a drawing similar to Figure 3. for the reverse direction, from the WAN port to the LAN port. The switch is a layer 2 device for intranetworking (see Figure 1.). Intermediary devices, except for pure physical layer devices (e.g., hubs), run an operating system. Because of its functional specialization, the operating system is relatively small.
With the compact size, the operating system of an intermediary device can be stored in nonvolatile flash memory, which affords much faster access for reading files and does not lose its content even when the device is turned off. When a switch or router is powered on, the operating system in the flash memory is copied into its random access memory (RAM) during the boot-up process.
This process is significantly faster than that of a traditional computer, whose operating system is loaded from disk. To configure the parameters of an intermediary device, its operating system needs to be accessed through either a command-line interface (CLI) or a graphical user interface (GUI). The GUI is more user-friendly, as interactions with the operating system are primarily through a web browser, and thus it allows quick and intuitive configuration, monitoring, and troubleshooting of an intermediary device.
As an example, Figure 8. shows such a GUI. The CLI is preferred by many IT professionals for managing enterprise-class devices because of its flexibility. The console port is dedicated to device management. With no IP configuration initially, the intermediary device is not accessible through the network, so the first configuration has to be done over the console port.
The host workstation uses a terminal program to talk to the device over the console port. Once in the OS, an IP address can be assigned to the intermediary device. No device is network enabled without an IP address.
Also, a login name and a password should be set up so that only authorized people can access the OS. Telnet uses plaintext and is vulnerable to eavesdropping: anyone who can capture the traffic sees the login name and password. Remote management should therefore use SSH, which encrypts the whole session, and Telnet access should be disabled once SSH is available. Note: Although a layer 2 device, a switch can be given an IP address to allow access to its OS over the network. The IP address assigned is, therefore, purely for device management, and it has nothing to do with the switching of layer 2 frames. Commands used and the meaning of each command: line console 0: to set up the access privilege of the console port.
The hub is a physical layer device and therefore does not need an OS. On receiving a frame, the hub repeats it out to all connected ports except the entry port (see Figure 3.). Then, the end station whose MAC address matches the frame's destination copies the frame into its network interface card (NIC) memory and processes it, while the other hosts drop the frame because of the MAC address mismatch. (A NIC in promiscuous mode keeps every frame instead, which is exactly how a packet sniffer attached to a hub works.)
Because of its simple relay function, the hub is also known as a multiport repeater. This shared media environment, in which only one station can transmit at a time, results in ineffective usage of network capacity.
Because of its broadcasting behavior, hub ports operate in half-duplex mode, in which frames flow in only one direction at a time. Using a hub, the network becomes vulnerable to collisions when two or more hosts release frames at the same time. The risk grows as the number of hosts attached to the network increases, and collisions result in lower throughput and higher latency in data delivery. Another major drawback is that host stations are more exposed to security risks, because the hub delivers every frame to every attached host and eavesdropping is therefore trivial.
It is not difficult to see that, though a hub can be used for a good cause (giving a monitoring station a copy of every frame, for instance), the same behavior exposes every host's traffic to every other host. Due to the drawbacks of weak security and ineffective use of available network capacity, hubs have been largely replaced by switches in the corporate network.
Network segmentation addresses the growing pains of a network. Bridges, switches, and routers can all segment a network into more manageable sizes and control the flow of unnecessary traffic from one segment to another. The hub, however, is not a segmentation device because of its inability to filter frames.
The bridge examines the destination MAC address of every frame arriving at its port and either forwards or filters it by referring to its bridge table (see Figure 3.), which it builds by recording the source MAC address of each arriving frame together with the port on which it arrived.
The bridging process is intuitive: in unicast mode, if the destination MAC address of an incoming frame is in the same network segment as the source, then the frame is filtered (blocked); otherwise it is forwarded only to the port leading to the destination segment. In Figure 3., such frame filtering improves network response time by cutting down unnecessary traffic flows.
However, if a frame is broadcast instead of unicast by the source host, or if its destination address is not yet in the bridge table, the bridge relays the frame through all ports rather than blocking it.
As a result, although the bridge does a good job of isolating unicast traffic, it is unable to contain the flow of broadcasts to other segments. The traditional bridge is shown in Figure 3. Bridges are either transparent or nontransparent (see Figure 3.). Transparent bridges interconnect network segments running the same standard (e.g., Ethernet to Ethernet). Being transparent thus means that the bridge simply relays frames as they are. When network segments run on different standards (e.g., Ethernet and WiFi), a nontransparent bridge is needed. It is also called a translational bridge, as it performs frame conversion from one type to another.
The AP (or hotspot) is the translational bridge that is most prevalent these days. Ethernet and WiFi have their own frame structures with different information fields, and thus APs are responsible for frame conversion to bridge the two LANs.
APs are explained in more detail in Chapter 8. Remember that MAC addresses are written in hexadecimal. The description of each column is as follows: Output port: the port through which a frame will be forwarded. Receiving hosts: which host(s) get the frame, even though they may not pick it up and process it. Hint: When the destination address of a frame is composed of all 1s (in other words, 48 ones, written FF:FF:FF:FF:FF:FF) or is not found in the bridge table, the frame is flooded to every port except the one it arrived on.
An Ethernet LAN switch comes with a number of RJ-45 ports for twisted pair connectivity and, depending on the product model, additional high-speed ports for fiber links.
Each port is assigned a permanent MAC address. The switch shown in Figure 3. is a typical example. Unlike the hub that broadcasts frames to all ports, the switch forwards an incoming frame only to the port that directly (or indirectly, via other switches) leads to its destination host. This one-to-one correspondence between an input and an output port means that several frames can traverse the switch at the same time and that each port can run in full-duplex mode without collisions. If two frames are heading to the same host concurrently, the switch places one frame in a waiting queue until the delivery of the other frame is completed.
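The hub, bridge and switch forwarding rules above, as an added example that is not part of the original text: a hub repeats to every other port, while a learning bridge/switch records source addresses, forwards known unicasts to one port, filters frames whose destination sits on the ingress segment, and floods broadcasts and unknown destinations. It also counts how many frames a station on a given port gets to see under each device, which is the eavesdropping difference the text points out. Port numbers and MAC addresses are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"   # destination of all 48 one-bits


def hub_forward(in_port, ports):
    """A hub (multiport repeater) repeats every frame to every port except the
    one it arrived on; it looks at no addresses at all."""
    return [p for p in ports if p != in_port]


class LearningSwitch:
    """A bridge/switch: learns source MACs per port, then forwards, filters or floods."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}          # MAC address -> port (the bridge or switch table)

    def forward(self, in_port, src_mac, dst_mac):
        self.table[src_mac] = in_port                 # learn where the source lives
        if dst_mac == BROADCAST or dst_mac not in self.table:
            return hub_forward(in_port, self.ports)   # flood: broadcast or unknown unicast
        out_port = self.table[dst_mac]
        if out_port == in_port:
            return []                                 # filter: destination shares the source's segment
        return [out_port]                             # forward to exactly one port


def frames_seen_on(port, frames, ports, device):
    """How many of `frames` a station on `port` receives from a hub ("hub")
    versus from a learning switch ("switch")."""
    sw = LearningSwitch(ports)
    count = 0
    for in_port, src, dst in frames:
        outs = hub_forward(in_port, ports) if device == "hub" else sw.forward(in_port, src, dst)
        if port in outs:
            count += 1
    return count


# Constructed traffic on a 4-port device: A on port 1, B on port 2, a sniffer on port 3, D on port 4
PORTS = [1, 2, 3, 4]
A, B = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
TRAFFIC = [(1, A, B),           # A -> B, B not yet learned: flooded
           (2, B, A),           # B -> A, A already learned: port 1 only
           (1, A, B),           # A -> B, B now learned: port 2 only
           (1, A, BROADCAST)]   # A -> everyone: flooded

if __name__ == "__main__":
    for device in ("hub", "switch"):
        print(device, "frames visible to the sniffer on port 3:",
              frames_seen_on(3, TRAFFIC, PORTS, device))
```

The sniffer sees all four frames through the hub but only the two flooded ones through the switch; the unknown-unicast flood is why a station still sees the very first frame of a conversation even on switched media.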
A switch can have a queue assigned to each port or alternatively have a common queue shared by all ports.
The aim of the attacker is to exploit the weakness of the judge and the jury in technology matters. Passive attacks are of two types: release of message contents and traffic analysis. Release of message contents is quite simple to understand: the contents of a message are disclosed, against our wishes, to someone else.
Using certain security mechanisms, we can prevent the release of message contents. For example, we can encode the message using a code language (i.e., encrypt it), so that only the desired parties understand its contents, because only they know the code. However, if many messages are passing through, a passive attacker could still try to find similarities between them to come up with some sort of pattern that provides her a clue about the communication taking place.
Such attempts to analyze messages for likely patterns are the work of the traffic analysis attack: even encrypted traffic still reveals who talks to whom, how often, and how much. Masquerade occurs when an unauthorized entity pretends to be another entity. In this attack, one entity poses as another.
Usually, some other form of active attack is embedded in a masquerade as well. In a replay attack, a user captures a sequence of events or some data units and re-sends them. Modification of messages involves some change to the original message. In a denial of service attack, the attacker tries to keep legitimate users from using a service; for instance, an unauthorized user might send too many login requests to a server using random user IDs, one after the other in quick succession, so as to flood the network and deny other legitimate users the network facilities.
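The active attacks above (masquerade, replay, modification) and the limit of content protection against traffic analysis, as an added example not drawn from the original text. A sender appends an HMAC over a sequence number and payload; the receiver rejects a tampered or forged message (wrong tag), rejects a re-sent one (sequence number already seen or older than its window), and still accepts genuine out-of-order delivery. The `observable` helper shows what a passive attacker keeps even after that: message counts and sizes. The shared key and messages are constructed; the windowed sequence check is a simplified form of the anti-replay window used by protocols such as IPsec.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32          # SHA-256 output
SEQ_LEN = 8

# Constructed shared key; in a real system it comes from a key exchange or provisioning step
SHARED_KEY = secrets.token_bytes(32)


def protect(key, seq, payload):
    """Sender side: frame = sequence number || payload || HMAC over both.
    The tag ties the payload to the key (defeats alteration and masquerade);
    the sequence number lets the receiver recognise a replay."""
    header = struct.pack("!Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies each frame and keeps a sliding window of accepted sequence numbers."""

    def __init__(self, key, window=64):
        self.key, self.window = key, window
        self.highest = -1
        self.seen = set()

    def accept(self, frame):
        """Return (payload, "ok") or (None, reason)."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None, "truncated"
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):     # constant-time comparison
            return None, "modified or forged"
        seq = struct.unpack("!Q", header)[0]
        if seq <= self.highest - self.window or seq in self.seen:
            return None, "replay"
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        # numbers that fell out of the window are rejected by the bound above, so forget them
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return payload, "ok"


def observable(frames):
    """What a passive attacker still sees after content protection: message
    count and sizes, the raw material of traffic analysis."""
    return [len(f) for f in frames]


def pad_to(payload, block=64):
    """Pad to a multiple of `block` bytes so sizes leak less (the true length
    must then be carried inside the protected payload)."""
    return payload + b"\x00" * (-len(payload) % block)


if __name__ == "__main__":
    rx = Receiver(SHARED_KEY)
    msg = protect(SHARED_KEY, 1, b"transfer 100 to acct 42")
    print(rx.accept(msg))                 # accepted
    print(rx.accept(msg))                 # the same bytes again: replay
    print(rx.accept(msg[:8] + b"transfer 900 to acct 42" + msg[-32:]))   # altered payload
```

Note what the tag does not do: it neither hides the payload (encrypt as well if confidentiality is needed) nor stops an attacker from seeing that two short messages followed one long one.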
The Practical Side of Attacks: Security attacks can happen at the application level or the network level. These attacks generally attempt to either slow down or completely halt a computer network. Programs That Attack: Let us discuss a few programs that attack computer systems to cause damage or to create confusion. In this classification, a worm does not perform any destructive action on the data it finds; instead it replicates itself and consumes system resources to bring the system down (in practice, many worms carry a destructive payload as well).
However, the purpose of a Trojan horse is different. A Trojan horse allows an attacker to obtain confidential information about a computer or a network, hiding its real function inside a program that appears legitimate. A packet, like a postal envelope, contains the actual data to be sent and the addressing information.
Attackers target these packets as they travel from the source computer to the destination computer over the Internet. These attacks take two forms: packet sniffing and packet spoofing. An attacker need not hijack a conversation; instead, she can simply observe the packets (packet sniffing). Therefore, the traveling data needs to be protected in some way.
This can be done at two levels: 1. The data that is traveling can be encoded in some way (encrypted). 2. The transmission link itself can be encoded. To read a packet, the attacker needs access to a computer through which the traffic passes. Usually, this is a router. However, routers are highly protected resources, so an attacker who cannot compromise the router may instead attack a less protected computer on the same path.
In packet spoofing, the attacker sends packets with a forged source address. When this happens, the receiver inadvertently sends its replies back to the forged address and not to the attacker. This can lead to three possible cases: 1. The attacker can intercept the reply: if the attacker is between the destination and the forged source, the attacker can see the reply and use that information for hijacking attacks. IV. Security Services: The following are the categories of security services: 1. Authentication: the assurance that the communicating entity is the one that it claims to be.
2. Access control: In the context of network security, access control is the ability to limit and control access to host systems and applications via communication links.