A network is a collection of computers and other networking devices, such as servers, databases and firewalls, interconnected through a communication channel that lets them share information. Network fundamentals describe how such a network is configured and how it operates. A network may be deployed locally or spread over a wide area.
The most widely recognized network types are:
- Local Area Network (LAN)
- Wide Area Network (WAN)
The key distinction between the two is that a LAN is restricted to a limited geographic area such as a building or campus, while a WAN covers a large geographic area; most WANs consist of several interconnected LANs. A network can also be classified into the following additional types:
- Metropolitan Area Network (MAN)
- Personal Area Network (PAN)
- Storage Area Network (SAN)
Network fundamentals cover WAN technologies, basic security, wireless concepts, routing and switching fundamentals, and the design of a simple network.
To understand networking, you must understand how devices communicate across the network. Two layered models describe this: the OSI model and the TCP/IP model.
OSI stands for Open Systems Interconnection. The OSI model consists of 7 layers, whereas the TCP/IP model has 4 layers. The TCP/IP model is named after its foundational protocols, the Transmission Control Protocol (TCP) and the Internet Protocol (IP).
Both the OSI and TCP/IP models are important frameworks for understanding network operations and processes.
|Layers||Functions||Protocols and specifications||Devices|
|7. Application layer||Services for end-user applications||Telnet, HTTP, FTP, SMTP, POP3, VoIP, SNMP||PC, firewall, intrusion detection system, hosts|
|6. Presentation layer||Formats the data (encoding, compression, encryption and decryption)||ASCII, EBCDIC, JPEG, MIME||PC, firewall, intrusion detection system, hosts|
|5. Session layer||Establishes, manages and ends sessions between two hosts||NetBIOS, RPC, PPTP||PC, firewall, intrusion detection system, hosts|
|4. Transport layer||Responsible for end-to-end data delivery to another computer (for instance, error recovery and flow control)||TCP, UDP||Hosts, firewalls|
|3. Network layer||Defines three main features: logical addressing, routing and path determination||IP, ICMP||Routers, Layer 3 switches|
|2. Data link layer||Framing, physical (MAC) addressing and error detection on a single link||Ethernet (IEEE 802.3), HDLC, Frame Relay, PPP||LAN switch, wireless access point, cable modem, DSL modem|
|1. Physical layer||Sends bits onto the physical medium||RJ-45, EIA/TIA-232, V.35, Ethernet (IEEE 802.3)||LAN hub, LAN repeater, cables|
Table 1-01: Function of OSI layers
The TCP/IP model originated in the U.S. Department of Defense (DoD) ARPANET work and is also called the DoD model; it predates the OSI model rather than being derived from it. The Transmission Control Protocol (TCP) and the Internet Protocol (IP) are two of the fundamental protocols of the TCP/IP suite. Table 1-02 maps the TCP/IP layers to the OSI layers.
|TCP/IP Layers||OSI layers||Description|
|4. Application Layer||7. Application Layer||Network services for application processes, such as file, print, messaging and database services|
|4. Application Layer||6. Presentation Layer||Formats the data (data encryption and decryption)|
|4. Application Layer||5. Session Layer||Inter-host communication. Establishes, manages and terminates connections between applications|
|3. Transport Layer||4. Transport Layer||Responsible for data delivery to another computer (for instance, error recovery and flow control)|
|2. Internet Layer||3. Network Layer||Logical addressing and path determination. Routing. Reporting delivery errors|
|1. Network Access Layer||2. Data Link Layer||Physical addressing and access to media. Two sublayers: Logical Link Control (LLC) and Media Access Control (MAC)|
|1. Network Access Layer||1. Physical Layer||Binary transmission of signals and encoding. Layout of pins, voltages, cable specifications, modulation|
Table 1-02: TCP/IP and OSI Layers
|Application Layer||Consists of the applications, programs and processes that use the network|
|Transport Layer||Provides end-to-end data delivery services|
|Internet Layer||Responsible for transmission from source to destination: routing, error handling, fragmentation and reassembly|
|Link Layer||Provides access to the physical medium and the framing used on it|
Table 1-03: Function of TCP/IP Layers
The following table shows the basic differences between the OSI and TCP/IP layer models:
|OSI (Open Systems Interconnection)||TCP/IP (Transmission Control Protocol/Internet Protocol)|
|1. OSI is a generic, protocol-independent standard that describes how a network and its end users communicate.||1. The TCP/IP model is derived from the standard protocols around which the Internet was developed; it describes a protocol suite that actually connects hosts over a network.|
|2. In the OSI model the transport layer is specified as connection-oriented and guarantees delivery.||2. In the TCP/IP model the transport layer offers both a reliable, connection-oriented service (TCP) and an unreliable, connectionless one (UDP).|
|3. The model was defined first; protocols were expected to be designed to fit its layers.||3. The protocols existed first; the model describes how they are already layered.|
|4. The OSI model has a separate Presentation layer and Session layer.||4. TCP/IP has no separate Presentation or Session layer; their functions live in the Application layer.|
|5. OSI is a reference model around which networks are described. It is generally used as a guidance and teaching tool.||5. TCP/IP is an implemented protocol suite; its model is the one real networks are built on.|
|6. The Network layer of the OSI model provides both connection-oriented and connectionless service.||6. The Internet layer of the TCP/IP model provides connectionless service only (IP).|
Table 1-04: Comparison of OSI and TCP/IP Layers
Figure 1-01: Mind map of OSI, TCP/IP, and DOD Model
A protocol in a computer network is a set of rules that allows two or more entities to communicate. There are different kinds of protocols, such as routing protocols and control protocols, and they may be implemented in hardware, in software, or in a combination of both. When a PC communicates with another PC on a network, it uses several protocols at once, one per layer.
The Internet Protocol (IP) is the most widely used open-system protocol. It was developed in the 1970s and is used for communicating across interconnected networks. IP is the primary network-layer (layer 3) protocol; it carries the addressing and control information needed to route packets. There are two versions of the Internet Protocol: IPv4 and IPv6.
An IPv4 address is a 32-bit logical address that uniquely identifies a device on a network. The 32 bits are divided into four octets, written in decimal and separated by dots. For example, the IP address 172.16.0.100 has the binary representation:
10101100.00010000.00000000.01100100
The IPv4 header carries fragmentation information in three sub-fields. The first sub-field is a 16-bit packet identifier, which allows fragments that share a common identifier value to be recognized as fragments of the same original packet.
The second sub-field is a 3-bit vector of flags.
- The first bit is reserved and must be zero.
- The second is the Don't Fragment (DF) flag. If this flag is set, the packet cannot be fragmented and must be discarded when it cannot be forwarded without fragmentation; the router returns an ICMP "fragmentation needed" message, which is what path MTU discovery relies on.
- The third bit is the More Fragments (MF) flag. It is set on every fragment except the final one.
The third sub-field is the 13-bit fragment offset, which gives the position of a fragment's data within the original unfragmented packet, in units of 8 bytes. Reassembly happens only at the destination, so intermediate devices such as IDS sensors see each fragment on its own; overlapping or out-of-order fragments are therefore a classic evasion concern for inspection devices.
[Figure: IPv4 header layout; of the original table only the final row, "Option + Padding", survived extraction]
An IPv6 address is a 128-bit logical address that uniquely identifies a device on a network. The fixed 40-byte IPv6 header has the following fields:
|Version (4-bit)||Traffic Class (8-bit)||Flow Label (20-bit)|
|Payload Length (16-bit)||Next Header (8-bit)||Hop Limit (8-bit)|
|Source Address (128-bit)|
|Destination Address (128-bit)|
IPv6 has no dotted-decimal subnet mask; the network portion is written in prefix notation only. For example, an IPv6 address whose first 64 bits represent the network is written as 2001:db8:0:1::1/64 (2001:db8::/32 is the prefix reserved for documentation).
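The header fields above become concrete once you parse them. The following Python is an added example, not code from the original page: it builds and parses a 20-byte IPv4 header, extracting the identification, DF/MF flags and 13-bit fragment offset, verifies the header checksum the way a receiving host does, and parses the fixed IPv6 header. The packets are constructed inline rather than captured, and the function names are my own.

```python
"""Parse raw IPv4 and IPv6 headers. Added example; the sample packets are
constructed inline (they are not captured traffic)."""
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose
    checksum field is already correct, which is how a receiver verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, ident, df=False, mf=False, offset=0,
                      proto=17, payload_len=0, ttl=64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    flags_off = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_off, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_ipv6_header(src, dst, payload_len, next_header=58, hop_limit=64,
                      flow_label=0, traffic_class=0) -> bytes:
    """Fixed 40-byte IPv6 header; there is no header checksum in IPv6."""
    first = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB16s16s", first, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def parse_ip_header(pkt: bytes) -> dict:
    """Dispatch on the version nibble and decode the fields of either header."""
    version = pkt[0] >> 4
    if version == 4:
        (vihl, _tos, total_len, ident, flags_off, ttl, proto, _csum,
         src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        ihl = (vihl & 0x0F) * 4                    # header length in bytes
        return {
            "version": 4,
            "header_length": ihl,
            "total_length": total_len,
            "identification": ident,
            "df": bool(flags_off & 0x4000),        # flags bit 1: Don't Fragment
            "mf": bool(flags_off & 0x2000),        # flags bit 2: More Fragments
            "fragment_offset": (flags_off & 0x1FFF) * 8,   # 13 bits, units of 8 bytes
            "ttl": ttl,
            "protocol": proto,
            "checksum_ok": inet_checksum(pkt[:ihl]) == 0,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
        }
    if version == 6:
        (first, payload_len, next_header, hop_limit,
         src, dst) = struct.unpack("!IHBB16s16s", pkt[:40])
        return {
            "version": 6,
            "traffic_class": (first >> 20) & 0xFF,
            "flow_label": first & 0xFFFFF,
            "payload_length": payload_len,
            "next_header": next_header,
            "hop_limit": hop_limit,
            "src": str(ipaddress.IPv6Address(src)),
            "dst": str(ipaddress.IPv6Address(dst)),
        }
    raise ValueError(f"unsupported IP version {version}")


# Constructed sample: the second (last) fragment of a 172.16.0.100 -> 10.0.0.1
# UDP datagram whose first fragment carried 1480 bytes of payload.
SAMPLE_IPV4_FRAGMENT = build_ipv4_header("172.16.0.100", "10.0.0.1", ident=0x1234,
                                         mf=False, offset=1480, payload_len=20)
SAMPLE_IPV6 = build_ipv6_header("fe80::1", "ff02::1", payload_len=8,
                                flow_label=0x12345)

if __name__ == "__main__":
    print(parse_ip_header(SAMPLE_IPV4_FRAGMENT))
    print(parse_ip_header(SAMPLE_IPV6))
```

Flipping a single bit in the TTL of the sample fragment makes `checksum_ok` false, which is exactly why a router recomputes the header checksum after decrementing the TTL.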
|Class||1st Octet Decimal Range||1st Octet High Order Bits||Default Subnet Mask||Number of Networks||Hosts per Network (Usable Addresses)|
|A||1 – 126*||0||255.0.0.0||126 (2^7 - 2)||16,777,214 (2^24 - 2)|
|B||128 – 191||10||255.255.0.0||16,382 (2^14 - 2)||65,534 (2^16 - 2)|
|C||192 – 223||110||255.255.255.0||2,097,150 (2^21 - 2)||254 (2^8 - 2)|
|D||224 – 239||1110||Reserved for multicast|
|E||240 – 255||1111||Reserved for experimental use (255.255.255.255 is the limited broadcast address)|
Table 1-05: IPv4 Address Classes
*Note: The Class A block 127.0.0.0/8 (127.0.0.0 to 127.255.255.255) is reserved for loopback and cannot be assigned to hosts, which is why the Class A range above stops at 126.
Private IPv4 Address
|Class||Private Networks||Subnet Mask||Address Range|
|A||10.0.0.0 (10.0.0.0/8)||255.0.0.0||10.0.0.0 – 10.255.255.255|
|B||172.16.0.0 – 172.31.0.0 (172.16.0.0/12)||255.240.0.0||172.16.0.0 – 172.31.255.255|
|C||192.168.0.0 – 192.168.255.0 (192.168.0.0/16)||255.255.0.0||192.168.0.0 – 192.168.255.255|
Table 1-06: Private IPv4 Address Classes
These blocks are defined in RFC 1918 and are never routed on the public internet, so a packet arriving on an internet-facing interface with a private source address is either spoofed or misconfigured and should be dropped at the edge.
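As an added example, not part of the original page, this Python classifies an IPv4 address by the first-octet high-order bits of Table 1-05, reports whether it falls in an RFC 1918 or loopback block, computes the classful default mask and usable host count, and applies the edge-filtering rule that follows from the private-address table. The function names are my own; only the standard library is used.

```python
"""Classify IPv4 addresses per Tables 1-05 and 1-06 and plan subnets.
Added example using only the standard library."""
import ipaddress

PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # RFC 1918
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}          # default masks of the classful system


def address_class(addr: str) -> str:
    """Classful designation from the high-order bits of the first octet."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first >> 7 == 0b0:        # 0xxxxxxx  -> 0-127
        return "A"
    if first >> 6 == 0b10:       # 10xxxxxx  -> 128-191
        return "B"
    if first >> 5 == 0b110:      # 110xxxxx  -> 192-223
        return "C"
    if first >> 4 == 0b1110:     # 1110xxxx  -> 224-239, multicast
        return "D"
    return "E"                   # 1111xxxx  -> 240-255, experimental


def classify(addr: str) -> dict:
    ip = ipaddress.IPv4Address(addr)
    cls = address_class(addr)
    info = {"address": addr, "class": cls,
            "loopback": ip in LOOPBACK,
            "private": any(ip in block for block in PRIVATE_BLOCKS)}
    if cls in CLASS_PREFIX:
        net = ipaddress.ip_network(f"{addr}/{CLASS_PREFIX[cls]}", strict=False)
        info["default_mask"] = str(net.netmask)
        info["classful_network"] = str(net)
        info["usable_hosts"] = net.num_addresses - 2   # minus network and broadcast
    return info


def drop_on_internet_edge(src: str) -> bool:
    """Ingress filter for an internet-facing interface: a packet whose source
    claims to be private, loopback, multicast or experimental cannot have come
    from the internet legitimately, so it is spoofed or misconfigured."""
    c = classify(src)
    return c["private"] or c["loopback"] or c["class"] in ("D", "E")


def subnet_plan(network: str, new_prefix: int) -> list:
    """Split a block into equal subnets, e.g. a Class C /24 into four /26s."""
    return [str(s) for s in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print(classify("172.16.0.100"))
    print(subnet_plan("192.168.1.0/24", 26))
```

`classify("172.16.0.100")` lands in Class B by its first two bits (10) and in the 172.16.0.0/12 private block, so it is both a classful B address and one that `drop_on_internet_edge` would reject as a source on the outside interface.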
IPv6 Address Types:
Aggregatable Global Address
An aggregatable global unicast address consists of a global routing prefix, a subnet ID and an interface ID. These addresses are used on links that are aggregated upward, eventually to ISPs, and they are routable on the public internet. Their first three bits are 001, so allocated global unicast addresses fall in 2000::/3; the interface ID is normally 64 bits, derived from EUI-64 or generated randomly.
Figure 1-02: Aggregate-able Global Address
Link Local Address
A link-local address is a unicast IPv6 address automatically assigned to every IPv6 interface from the prefix FE80::/10, usually with an EUI-64 interface ID. Link-local addresses are valid only on the local link (routers never forward them) and are used for stateless auto-configuration and the Neighbor Discovery Protocol.
Figure 1-03: Link Local Address
IPv4-Compatible IPv6 Address
In this IPv6 unicast address the upper 96 bits are zero and the low 32 bits hold an IPv4 address, giving a 128-bit IPv4-compatible IPv6 address written ::a.b.c.d. These addresses were assigned to nodes that support both IPv4 and IPv6 and were used with automatic tunnels; RFC 4291 deprecates them, and the IPv4-mapped form ::ffff:a.b.c.d is what dual-stack sockets use today.
Figure 1-04: IPv4 Compatible IPv6 Address
Unique Local Address
A unique local address (FC00::/7, in practice FD00::/8 with a random 40-bit global ID) is the IPv6 counterpart of RFC 1918 private addresses: it is unique within an organization and routable inside it, but it is not routable on the public internet.
Figure 1-05: Unique Local Address
Extended Unique Identifier (EUI-64) is an IPv6 mechanism that lets a host derive its own 64-bit interface ID, eliminating the need for manual configuration or DHCP, which is a key benefit over IPv4. The modified EUI-64 is formed from the 48-bit MAC address by inserting the 16-bit value FFFE between the OUI and NIC halves and flipping the universal/local bit (the 0x02 bit of the first octet). Because the MAC address can be read straight back out of such an address, hosts that care about tracking use the randomized interface IDs of RFC 4941 privacy extensions instead.
Figure 1-6: EUI-64
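The following Python is an added example, not code from the original page: it derives a modified EUI-64 interface ID from a MAC address, builds the link-local and global addresses a host would auto-configure from it, recovers the MAC back out of such an address (the privacy concern noted above), and classifies an IPv6 address into the types described in this section. The MAC address and the 2001:db8 prefix are sample values, and the function names are my own.

```python
"""EUI-64 interface IDs and IPv6 address-type classification. Added example;
the MAC and prefixes below are sample values (2001:db8::/32 is the
documentation prefix)."""
import ipaddress

# Order matters: the more specific reserved ranges come before the broad ones.
ADDRESS_TYPES = [
    ("loopback", "::1/128"),
    ("unspecified", "::/128"),
    ("IPv4-mapped", "::ffff:0:0/96"),
    ("IPv4-compatible (deprecated)", "::/96"),
    ("link-local", "fe80::/10"),
    ("unique local", "fc00::/7"),
    ("multicast", "ff00::/8"),
    ("global unicast", "2000::/3"),
]


def address_type(addr: str) -> str:
    ip = ipaddress.IPv6Address(addr)
    for name, net in ADDRESS_TYPES:
        if ip in ipaddress.ip_network(net):
            return name
    return "reserved/unassigned"


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 Appendix A): split the 48-bit MAC in half,
    insert FF:FE, and flip the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix plus the EUI-64 interface ID (SLAAC link-local)."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_from_mac(mac))


def global_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global unicast address for a /64 advertised by a router, EUI-64 style."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_from_mac(mac))


def mac_from_eui64(addr: str):
    """Recover the MAC embedded in an EUI-64 interface ID, or None if the
    interface ID is not EUI-64 shaped. This reversibility is the tracking
    problem that RFC 4941 randomized interface IDs were introduced to fix."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1c:42:2b:60:5a"
    print(link_local_from_mac(mac), global_from_prefix("2001:db8:1:2::/64", mac))
```

For the sample MAC 00:1c:42:2b:60:5a the interface ID becomes 021c:42ff:fe2b:605a, and `mac_from_eui64` on the resulting link-local address hands the original MAC straight back.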
IP's major responsibilities include:
- Providing connectionless, best-effort delivery of datagrams
- Fragmentation and reassembly of datagrams across links with different Maximum Transmission Units (MTU)
The two main transport-layer protocols carried by IP are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP is a Transport layer (layer 4) protocol. It is connection-oriented and provides reliable end-to-end delivery with flow control, full-duplex operation, multiplexing, and a byte-stream data service.
To ensure reliable communication, TCP establishes a connection-oriented session with the destination node using a "three-way handshake". Connection establishment synchronizes both ends of the connection, including their initial sequence numbers, and allows them to communicate; at the end, the session is terminated with a FIN/ACK exchange.
Following diagram shows the TCP header:
Figure 1-07: TCP Header
The flag field in the TCP header is 9 bits wide; three of those bits (NS, CWR and ECE) are used for explicit congestion notification, and the six classic flags are:
|SYN||Initiates a connection between two hosts (synchronizes sequence numbers).|
|ACK||Acknowledges receipt of data; set on every segment after the initial SYN.|
|URG||Indicates that the urgent pointer field is valid and the data it points to should be processed immediately.|
|PSH||Instructs the receiving system to deliver buffered data to the application immediately instead of waiting for more.|
|FIN||Tells the remote system that the sender has no more data to send; this gracefully closes a connection.|
|RST||Resets (aborts) a connection.|
Table 1-07: TCP Flags
A three-way handshake is performed while establishing a TCP connection between hosts. The handshake ensures a successful, reliable, connection-oriented session between them. Establishing a TCP connection takes three steps, shown in the figure below:
Figure 1-08: TCP Connection Handshaking
Consider that Host A wants to communicate with Host B. Host A sends a SYN segment to Host B. On receipt of the SYN, Host B replies with a SYN+ACK segment. Host A replies with an ACK segment when it receives the SYN+ACK from Host B. A successful handshake results in an established TCP connection.
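To see the handshake and the flag field as bytes, the following Python (an added example, not from the original page) encodes and decodes 20-byte TCP headers and follows SYN, SYN+ACK and ACK through a small state tracker that checks the acknowledgement numbers, handles sequence-number wrap-around and reports half-open connections. All segments and addresses are constructed for the example; the TCP checksum is left at zero because computing it needs the IP pseudo-header, which is not modelled here.

```python
"""Decode TCP headers and track three-way handshakes. Added example; all
segments are constructed inline, not captured from a live network."""
import struct

# Bit positions of the nine flag bits in the data-offset/flags word.
TCP_FLAGS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
             "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100}
MASK32 = 0xFFFFFFFF


def build_tcp_header(sport, dport, seq, ack, flags, window=65535) -> bytes:
    """20-byte header without options. Checksum stays zero: it covers a
    pseudo-header with the IP addresses, which this example does not model."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAGS[name]
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | bits, window, 0, 0)


def parse_tcp_header(seg: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": {n for n, bit in TCP_FLAGS.items() if off_flags & bit},
            "window": window, "checksum": csum, "urgent_pointer": urg,
            "options": seg[20:data_offset]}


class HandshakeTracker:
    """Follows SYN / SYN+ACK / ACK per connection, checking that each
    acknowledgement number equals the peer's sequence number plus one.
    Connections stuck before the final ACK are half-open, the quantity a
    firewall caps to blunt SYN floods."""

    def __init__(self):
        self.conns = {}   # (client_ip, client_port, server_ip, server_port) -> state

    def observe(self, src_ip: str, dst_ip: str, seg: bytes) -> str:
        h = parse_tcp_header(seg)
        flags = h["flags"]
        if flags == {"SYN"}:
            key = (src_ip, h["src_port"], dst_ip, h["dst_port"])
            self.conns[key] = {"state": "SYN_SENT", "client_isn": h["seq"]}
            return "SYN_SENT"
        if flags == {"SYN", "ACK"}:
            key = (dst_ip, h["dst_port"], src_ip, h["src_port"])   # reply: reversed tuple
            c = self.conns.get(key)
            if c and c["state"] == "SYN_SENT" and h["ack"] == (c["client_isn"] + 1) & MASK32:
                c.update(state="SYN_RECEIVED", server_isn=h["seq"])
                return "SYN_RECEIVED"
            return "IGNORED"
        key = (src_ip, h["src_port"], dst_ip, h["dst_port"])
        if "RST" in flags:
            self.conns.pop(key, None)
            self.conns.pop((dst_ip, h["dst_port"], src_ip, h["src_port"]), None)
            return "RESET"
        if "ACK" in flags:
            c = self.conns.get(key)
            if (c and c["state"] == "SYN_RECEIVED"
                    and h["seq"] == (c["client_isn"] + 1) & MASK32
                    and h["ack"] == (c["server_isn"] + 1) & MASK32):
                c["state"] = "ESTABLISHED"
                return "ESTABLISHED"
        return "IGNORED"

    def half_open(self) -> list:
        return [k for k, c in self.conns.items() if c["state"] != "ESTABLISHED"]


def three_way_handshake(tracker, client_ip, server_ip, cport, sport, client_isn, server_isn) -> list:
    """Feed the three segments of Figure 1-08 through the tracker."""
    syn = build_tcp_header(cport, sport, client_isn, 0, {"SYN"})
    synack = build_tcp_header(sport, cport, server_isn, (client_isn + 1) & MASK32, {"SYN", "ACK"})
    ack = build_tcp_header(cport, sport, (client_isn + 1) & MASK32, (server_isn + 1) & MASK32, {"ACK"})
    return [tracker.observe(client_ip, server_ip, syn),
            tracker.observe(server_ip, client_ip, synack),
            tracker.observe(client_ip, server_ip, ack)]


if __name__ == "__main__":
    t = HandshakeTracker()
    print(three_way_handshake(t, "10.0.0.5", "198.51.100.9", 51000, 443, 1000, 9000))
```

The tracker treats a SYN+ACK whose acknowledgement number is not the client's ISN plus one as noise, and fifty SYNs that are never completed show up as fifty half-open entries, which is the signal a firewall's embryonic-connection limit acts on.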
The TCP/IP model originated in the U.S. Department of Defense ARPANET work and is also called the DoD model. TCP and IP are two of the network standards that define the Internet. IP defines how computers transfer data to each other over a routed, interconnected set of networks: addressing and routing. TCP defines how applications create reliable channels of communication across such networks, carrying data without garbling or losing it. The layers of the TCP/IP model perform similar functions, with similar specifications, to those of the OSI model. The main differences are that TCP/IP merges the top three OSI layers into a single Application layer and the bottom two into the Network Access layer.
UDP (User Datagram Protocol) is the other main Transport layer (layer 4) protocol. It is well suited to multicast and broadcast transmission. UDP is connectionless: unlike TCP, it adds no reliability, flow-control, or error-recovery functions to IP. UDP is used by several well-known application-layer protocols, including the Domain Name System (DNS), Simple Network Management Protocol (SNMP), Network File System (NFS), and Trivial File Transfer Protocol (TFTP).
Figure 1-09: TCP Connection Handshaking
Compare and contrast TCP and UDP protocols
The two main transport protocols carried over IP are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP is connection-oriented: once a connection is established, data can be sent in both directions. UDP is a simpler, connectionless protocol; messages are sent as individual datagrams. Unlike TCP, UDP adds no reliability, flow-control, or error-recovery functions to IP. Because of UDP's simplicity, its header contains fewer bytes and consumes less network overhead than TCP's.
The following table demonstrates the comparison of TCP and UDP protocol:
|Parameters||TCP (Transmission Control Protocol)||UDP (User Datagram Protocol)|
|Connection||Connection-oriented protocol.||Connectionless protocol.|
|Usage||For applications that require high reliability and for which transmission time is less critical.||For applications that need streaming or efficient transmission, such as games and voice. UDP's stateless nature is also useful for servers that answer small queries from a huge number of clients.|
|Function||Connection-based: it first establishes the connection, then starts communication.||Also used for message transport, but not connection-based: one program can send a batch of datagrams to another and that is the end of the relationship.|
|Reliability||Data is guaranteed to arrive intact and in the order in which it was sent, or the sender is told that the connection failed.||There is no guarantee that the messages or datagrams sent will arrive at all.|
|Use by other protocols||HTTP, HTTPS, FTP, SMTP, Telnet||DNS, DHCP, TFTP, SNMP, RIP, VoIP|
|Header Size||20 bytes (without options)||8 bytes|
|Speed of transfer||TCP is slower than UDP.||UDP is faster because error recovery is not attempted; it is a "best effort" protocol.|
|Error Checking||TCP does error checking and error recovery: corrupted or lost segments are retransmitted from source to destination.||UDP does error checking with its checksum but simply discards corrupted datagrams; error recovery is not attempted.|
|Common Header Fields||Source port, Destination port, Checksum||Source port, Destination port, Checksum|
|Streaming of data||Data is read as a byte stream; no indications are transmitted to signal message (segment) boundaries.||Datagrams are sent individually and checked for integrity only if they arrive. They have definite boundaries, which are honored on receipt: a read on the receiving socket yields an entire message as it was originally sent.|
|Weight||TCP is heavyweight. It requires three segments to set up a connection before any user data can be sent, and it handles reliability and congestion control.||UDP is lightweight. There is no ordering of messages and no connection tracking; it is a thin transport layer on top of IP.|
|Data Flow Control||TCP does flow control (receive window) and congestion control.||UDP has no flow control.|
|Ordering of data packets||TCP reassembles segments in sequence-number order.||UDP has no inherent order, as all datagrams are independent of each other. If ordering is required, the application layer must manage it.|
|Fields||Source port, Destination port, Sequence number, Acknowledgement number, Data offset, Reserved, Control bits (flags), Window, Checksum, Urgent pointer, Options||Source port, Destination port, Length, Checksum|
|Acknowledgement||Acknowledgement segments||No acknowledgement|
|Handshake||SYN, SYN-ACK, ACK||No handshake (connectionless protocol)|
Table 1-08: Comparison of TCP and UDP
Figure 1-10: TCP and UDP working
ICMP (Internet Control Message Protocol) is one of the core protocols of the TCP/IP suite. It is a network-layer protocol that provides diagnostic, control and error-reporting messages; the IP implementations in operating systems and routers use it to report problems with datagram processing back to the sender. It has two versions, ICMPv4 (defined in RFC 792) and ICMPv6 (defined in RFC 4443).
ICMP is listed as a supporting protocol in the Internet Protocol suite and is used to send error and informational messages. The major functions of ICMP are:
- Informing the originator of an IP packet about the fate of that packet (for example destination unreachable, time exceeded, or fragmentation needed)
- Measuring reachability and round-trip time with echo request and echo reply messages, and discovering the path a packet takes (traceroute)
ICMP messages are also used by attackers for reconnaissance, such as host discovery and mapping a network's topology, so network administrators often block ICMP at the firewall. Blocking it wholesale, however, breaks diagnostic utilities such as ping and traceroute and, more seriously, path MTU discovery, which depends on ICMP "fragmentation needed" (IPv4) and "packet too big" (IPv6) messages; the practical approach is to permit the message types you need and drop the rest.
Basic format of an ICMP message is demonstrated in the following figure:
Figure 1-11: General ICMP Format
Type: 1 byte, identifies the kind of ICMP message (for example 8 = echo request, 0 = echo reply, 3 = destination unreachable, 11 = time exceeded)
Code: 1 byte, identifies the subtype within that type (for example type 3, code 4 = fragmentation needed)
Checksum: 2 bytes, the Internet checksum calculated over the entire ICMP message
Following table shows ICMP messages which are frequently seen and used:
Table 1-09: Frequent ICMP Messages
ICMP messages are used in both IPv4 (ICMPv4) and IPv6 (ICMPv6) networks:
An ICMPv4 message is encapsulated in an IPv4 packet, carried in the IP packet's data field, with the IP protocol field set to 1, the value that identifies ICMPv4.
The following figure demonstrates the structure of an ICMPv4 packet:
Figure 1-12: ICMPv4 Packet Structure
ICMPv6 messages are used for several purposes beyond error reporting and information. ICMPv6 supports:
- Neighbor Discovery (which replaces ARP in IPv6)
- Router Discovery
- Multicast Listener Discovery (multicast group management)
- Managing hand-offs in Mobile IPv6
ICMPv6 is identified in the IPv6 header by a Next Header value of 58. Like ICMPv4, it supports an echo function that sends packets on a round trip between two hosts. Traceroute maps network routes by sending packets with small TTL (hop limit) values and watching for the ICMP Time Exceeded messages returned by each router along the path.
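As an added example (not part of the original page), this Python builds and parses ICMPv4 messages with the type/code/checksum layout above, answers an echo request the way a host does, extracts the next-hop MTU from a fragmentation-needed message, and models how traceroute uses increasing TTLs to collect Time Exceeded replies. Messages and addresses are constructed, not captured; ICMP uses the same RFC 1071 checksum as the IP header, and the function names are my own.

```python
"""Build and parse ICMPv4 messages (RFC 792) and model traceroute's use of
TTL. Added example; every message here is constructed, not captured."""
import struct

ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4          # code under DEST_UNREACHABLE (RFC 1191 adds the MTU)
TTL_EXPIRED = 0          # code under TIME_EXCEEDED


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 means a received message checks out."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes, body: bytes = b"") -> bytes:
    """Type (1) | Code (1) | Checksum (2) | rest of header (4) | body."""
    if len(rest) != 4:
        raise ValueError("rest-of-header field is exactly 4 bytes")
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    return build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", ident, seq), payload)


def parse_icmp(msg: bytes) -> dict:
    icmp_type, code = msg[0], msg[1]
    out = {"type": icmp_type, "code": code,
           "checksum_ok": inet_checksum(msg) == 0, "body": msg[8:]}
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        out["identifier"], out["sequence"] = struct.unpack("!HH", msg[4:8])
    elif icmp_type == DEST_UNREACHABLE and code == FRAG_NEEDED:
        out["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]   # what PMTUD needs
    if icmp_type in (DEST_UNREACHABLE, TIME_EXCEEDED):
        # Error messages quote the offending IP header plus 8 bytes of its data,
        # which lets the sender (or traceroute) match the error to its probe.
        out["quoted_ip_header"] = msg[8:28]
    return out


def reply_to_echo(request: bytes) -> bytes:
    """What a host does with an echo request: same identifier, sequence and
    payload, type changed to echo reply, checksum recomputed."""
    req = parse_icmp(request)
    if req["type"] != ECHO_REQUEST or not req["checksum_ok"]:
        raise ValueError("not a valid echo request")
    return build_icmp(ECHO_REPLY, 0, struct.pack("!HH", req["identifier"], req["sequence"]), req["body"])


def simulate_traceroute(routers: list, destination: str) -> list:
    """Each router decrements the TTL; the one that takes it to zero returns
    Time Exceeded, so probing with TTL 1, 2, 3 ... reveals the path hop by hop.
    Returns (ttl, responder, icmp type) for each probe."""
    results = []
    for ttl in range(1, len(routers) + 2):
        remaining = ttl
        for router in routers:
            remaining -= 1
            if remaining == 0:
                results.append((ttl, router, TIME_EXCEEDED))
                break
        else:
            results.append((ttl, destination, ECHO_REPLY))   # probe reached the end
            break
    return results


if __name__ == "__main__":
    print(parse_icmp(reply_to_echo(build_echo_request(0x1234, 1, b"abcdefgh"))))
    print(simulate_traceroute(["10.0.0.1", "192.0.2.1"], "198.51.100.7"))
```

A firewall policy that drops all ICMP would also drop the type 3 code 4 message parsed here, and with it the next-hop MTU a sender needs to size its packets.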
The Address Resolution Protocol (ARP) finds the physical address of a machine, its Media Access Control (MAC) address, from its known IP address. The ARP table, or cache, stores the learned IP-to-MAC mappings. ARP is defined in RFC 826.
Network devices, including Layer 3 switches, use ARP to map IP addresses to MAC addresses so that IP packets can be framed and delivered over the local network. Before a device sends a packet to another device, it looks in its ARP cache for a MAC address associated with the destination IP address.
If there is no mapping, the source broadcasts an ARP request to all nodes on the segment. Only the node whose IP address matches the request answers, with an ARP reply that carries its MAC address.
The source then adds the L3-to-L2 mapping for that node to its ARP table for future reference, builds the L2 header and trailer that encapsulate the packet, and transmits it. The figure below shows the ARP broadcast and reply procedure.
If the destination host is on a remote network (another broadcast domain), the sender does not resolve the destination's MAC address at all: it resolves the MAC address of its default gateway with the same request/reply procedure, frames the packet to the gateway, and the gateway, after making its routing decision, runs its own ARP resolution on the segment where the destination (or the next hop) lives. Return traffic goes through the same procedure in the opposite direction. ARP has no authentication: any host on the segment can answer a request or send an unsolicited reply, and the receiver caches whatever it is told, which is why a changed IP-to-MAC mapping in an ARP cache is worth logging.
Figure 1-13: Address Resolution Protocol
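The request/reply procedure and the cache update described above, written out as an added Python example (not code from the original page): frames are built and parsed in the RFC 826 layout, a `Host` object implements the receive logic, and a small segment of three hosts shows who learns what. It also records the check a practitioner wants: a reply that changes an existing cache entry is logged rather than silently trusted. MACs and addresses are made up, and the class and function names are my own.

```python
"""ARP request/reply over Ethernet and the cache behaviour described above.
Added example; the hosts, MACs and frames are all constructed inline."""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet for IPv4 over Ethernet."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    return mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp_frame(frame: bytes) -> dict:
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _htype, _ptype, _hlen, _plen, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": mac_str(frame[:6]), "eth_src": mac_str(frame[6:12]), "op": op,
            "sender_mac": mac_str(smac), "sender_ip": str(ipaddress.IPv4Address(sip)),
            "target_mac": mac_str(tmac), "target_ip": str(ipaddress.IPv4Address(tip))}


class Host:
    def __init__(self, ip: str, mac: str):
        self.ip, self.mac = ip, mac
        self.arp_cache = {}      # ip -> mac
        self.alerts = []         # (ip, old mac, new mac) for mappings that changed

    def request_for(self, target_ip: str):
        """None if the cache already answers, else a broadcast ARP request."""
        if target_ip in self.arp_cache:
            return None
        return build_arp_frame(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def receive(self, frame: bytes):
        """RFC 826 receive logic: refresh a sender we already know, learn a new
        sender only if we are the target, reply if it was a request for us."""
        p = parse_arp_frame(frame)
        known = self.arp_cache.get(p["sender_ip"])
        if known is not None and known != p["sender_mac"]:
            # ARP has no authentication: a changed mapping is either a legitimate
            # NIC swap or someone claiming another host's address. Log it.
            self.alerts.append((p["sender_ip"], known, p["sender_mac"]))
        if known is not None or p["target_ip"] == self.ip:
            self.arp_cache[p["sender_ip"]] = p["sender_mac"]
        if p["op"] == ARP_REQUEST and p["target_ip"] == self.ip:
            return build_arp_frame(ARP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        return None


def resolve_on_segment(requester: Host, target_ip: str, segment: list):
    """One resolution round on a broadcast domain: the request reaches every
    host on the segment, only the owner of target_ip replies."""
    frame = requester.request_for(target_ip)
    if frame is None:
        return requester.arp_cache[target_ip]
    for host in segment:
        reply = host.receive(frame)
        if reply is not None:
            requester.receive(reply)
    return requester.arp_cache.get(target_ip)


if __name__ == "__main__":
    a, b = Host("10.0.0.2", "02:00:00:00:00:02"), Host("10.0.0.3", "02:00:00:00:00:03")
    print(resolve_on_segment(a, "10.0.0.3", [b]), a.arp_cache, b.arp_cache)
```

After one round the requester knows the target and the target knows the requester, while a bystander that was not addressed learns nothing; an unsolicited reply that rewrites an existing entry is accepted, as real stacks do, but ends up in `alerts`.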
The Domain Name System (DNS) is a name-mapping system on the internet that records the names of hosts (domain names) and their IP addresses. For example, a number of hosts connected to the internet belong to IPSpecialist; all of them have names within the IPSpecialist.net domain.
Domain name servers are used in an internetwork to maintain a directory of domain names and their IP addresses. A domain name server resolves a domain name to an IP address from its database or by querying other servers. DNS servers can be located anywhere in the network, and a customer's internet experience depends significantly on their location and speed. Authoritative DNS servers are configured in one of two roles:
- Primary DNS: holds the master, writable copy of a zone and answers queries for it
- Secondary DNS: holds a read-only replica obtained from the primary by zone transfer and keeps answering if the primary fails
Two common DNS record types are:
- A record: returns a 32-bit IPv4 address
- AAAA record: returns a 128-bit IPv6 address
DHCP (Dynamic Host Configuration Protocol) automates what would otherwise be the manual assignment of an IP address to each client connected to a network. The DHCP client requests an IP address from a DHCP server deployed either on the local network or on a remote network. DHCPDISCOVER is the discover message the client broadcasts to find a DHCP server; the client is offered an IP address when a DHCP server replies with a DHCPOFFER message containing an IP address and other configuration parameters. The full exchange, often abbreviated DORA, is:
- The DHCP client broadcasts a DHCPDISCOVER to locate a DHCP server.
- If a DHCP server is on the LAN, it receives the request and responds. If the DHCP server is on a remote network, a DHCP relay agent forwards packets between the client and the server, recording its own interface address in the giaddr field so the server knows which subnet to allocate from. The DHCP server offers configuration parameters to the client in a DHCPOFFER packet.
- The DHCP client requests the offered IP address from the chosen server with a DHCPREQUEST broadcast; the broadcast also tells any other servers that made an offer that their offer was declined.
- The DHCP server confirms the allocation with a DHCPACK packet (or refuses it with a DHCPNAK).
Like ARP, DHCP has no built-in authentication, so whichever server answers a DHCPDISCOVER first can hand out addresses, gateways and DNS servers; switches counter this with DHCP snooping, which accepts server messages only on trusted ports.
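The four messages above as an added Python model (not code from the original page): a server with a small pool, a client that matches offers to its transaction ID, and a relay agent that stamps giaddr. Messages are dictionaries keyed by the DHCP field names (type is option 53, yiaddr the offered address, chaddr the client MAC, server_id option 54); the addresses and MACs are made up, and the class names are my own.

```python
"""DHCP DISCOVER / OFFER / REQUEST / ACK modelled as message dictionaries,
with a relay agent. Added example; addresses and MACs are made up."""

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 message types


def dhcp_msg(kind, xid, chaddr, **fields):
    m = {"type": kind, "xid": xid, "chaddr": chaddr, "giaddr": "0.0.0.0"}
    m.update(fields)
    return m


class DHCPServer:
    def __init__(self, server_ip, pool, netmask, router, dns, lease_time=86400):
        self.ip, self.free, self.leases = server_ip, list(pool), {}
        self.params = {"netmask": netmask, "router": router, "dns": dns, "lease_time": lease_time}
        self.seen_giaddr = []    # which relay (subnet) each message came through

    def handle(self, m):
        self.seen_giaddr.append(m["giaddr"])
        if m["type"] == DISCOVER:
            ip = self.leases.get(m["chaddr"]) or (self.free[0] if self.free else None)
            if ip is None:
                return None                           # pool exhausted: stay silent
            return dhcp_msg(OFFER, m["xid"], m["chaddr"], yiaddr=ip, server_id=self.ip,
                            giaddr=m["giaddr"], **self.params)
        if m["type"] == REQUEST:
            if m["server_id"] != self.ip:
                return None                           # client picked another server
            ip = m["requested_ip"]
            if ip in self.free or self.leases.get(m["chaddr"]) == ip:
                if ip in self.free:
                    self.free.remove(ip)
                self.leases[m["chaddr"]] = ip
                return dhcp_msg(ACK, m["xid"], m["chaddr"], yiaddr=ip, server_id=self.ip,
                                giaddr=m["giaddr"], **self.params)
            return dhcp_msg(NAK, m["xid"], m["chaddr"], server_id=self.ip, giaddr=m["giaddr"])
        return None


class RelayAgent:
    """Sits on the client's subnet and unicasts to a remote server, stamping
    its own interface address into giaddr so the server knows the subnet."""
    def __init__(self, interface_ip, server):
        self.interface_ip, self.server = interface_ip, server

    def handle(self, m):
        m = dict(m)
        if m["giaddr"] == "0.0.0.0":
            m["giaddr"] = self.interface_ip
        return self.server.handle(m)


class DHCPClient:
    def __init__(self, mac, xid):
        self.mac, self.xid, self.config = mac, xid, None

    def discover(self):
        return dhcp_msg(DISCOVER, self.xid, self.mac)

    def choose(self, offers):
        """Take the first offer that matches our transaction ID."""
        for o in offers:
            if o and o["type"] == OFFER and o["xid"] == self.xid:
                return dhcp_msg(REQUEST, self.xid, self.mac,
                                requested_ip=o["yiaddr"], server_id=o["server_id"])
        return None

    def finish(self, ack):
        if ack and ack["type"] == ACK and ack["xid"] == self.xid:
            self.config = {k: ack[k] for k in ("yiaddr", "netmask", "router", "dns", "lease_time")}
        return self.config


def run_dora(client, responders):
    """Broadcast DISCOVER and REQUEST to every server/relay on the segment;
    only the server named in REQUEST answers with ACK."""
    offers = [r.handle(client.discover()) for r in responders]
    request = client.choose(offers)
    if request is None:
        return None
    acks = [r.handle(request) for r in responders]
    return client.finish(next((a for a in acks if a), None))


if __name__ == "__main__":
    srv = DHCPServer("192.168.1.1", ["192.168.1.100"], "255.255.255.0", "192.168.1.1", "192.168.1.53")
    print(run_dora(DHCPClient("02:00:00:00:00:01", 0x3903F326), [srv]))
```

A client that returns with the same MAC gets its previous lease back, a client behind the relay is served with giaddr set to the relay's interface, and when the pool is empty the server stays silent, so `run_dora` returns None. The `choose` step also shows the weakness noted above: the client takes the first matching offer, whoever sent it.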
A router is a key networking device that operates at the Network layer (Layer 3). A router is an intelligent device capable of routing data packets across networks: it learns paths and forwards packets by selecting the appropriate route from its routing table. A router consists of two components:
- Control plane: the router maintains a routing table that lists which route should be used to forward a packet and through which physical interface.
- Forwarding (data) plane: the router forwards packets between incoming and outgoing interfaces, delivering them toward the correct destination network by looking up the packet's destination address in the forwarding information base (FIB) supplied by the control plane.
How does it work?
The basic function of a router is to connect multiple networks and ensure interconnectivity. It learns routing paths either from static routes or from dynamic routing protocols. This route-learning capability lets it decide, based on the information in the layer 3 IP header, where to forward a packet toward its destination address. Once a route is found, the IP packet is encapsulated in a new layer 2 data-link frame for the outgoing interface.
A switch, in networking, is a high-speed device that receives incoming frames and forwards them to their destination on a local area network (LAN). A LAN switch works at the data link layer (Layer 2) or, in the case of a multilayer switch, also at the network layer of the OSI model, and can therefore carry a wide range of packet protocols.
Some switches intended for data centers and other specialized networks support a mode of operation called cut-through switching, in which the forwarding process starts before the whole frame has been read into buffer memory. The objective is to reduce the time required to forward a frame through the switch.
How does it work?
Switches let different devices on a network communicate. Routers let different networks communicate. A router also connects networked computers to the Internet so that multiple users can share one connection; in that role the router acts as a dispatcher.
In networking, a hub is the most basic device that connects multiple PCs or other network devices together. Unlike a switch or a router, a hub has no tables or knowledge of where to send data, and it repeats all incoming traffic to every port.
A hub, also called a network hub, is a common connection point for devices in a network. The hub contains multiple ports. When a frame arrives at one port, it is copied to all the other ports, so every segment of the LAN sees every frame.
Difference between hub and switch?
A switch is used to connect multiple network segments. A network switch is a small hardware device that joins multiple computers within one local area network (LAN) and, because it learns which MAC address lives on which port, delivers each frame only to the port that needs it. A hub connects multiple Ethernet devices together so that they act as a single segment (one collision domain); every device sees everyone else's traffic, which is also why any host on a hub can sniff the whole segment.
A bridge is a networking device that connects two separate Ethernet networks and forwards frames between them. Bridging can be used to stop unnecessary traffic from crossing onto other network segments.
An access point (AP) is a device that creates a wireless local area network (WLAN) by providing connectivity to end users over a wireless medium such as Wi-Fi. Access points are commonly found in homes and offices. An access point connects to a wired router, switch, or hub via an Ethernet cable and provides Wi-Fi connectivity to clients in a designated area. For example, if you want to enable Wi-Fi access in your company's reception area but don't have a router within range, you can install an access point near the front desk and run an Ethernet cable through the ceiling back to the server room.
A Wireless LAN Controller (WLC) is an important device in a secure wireless network architecture. WLCs are deployed together with lightweight access points, which the WLC controls; the access points are connected to the controller either directly (as the next hop) or indirectly through the network. WLCs offer an HTTP or HTTPS web user interface, as well as a command-line interface, for configuration and monitoring. The main functions of a WLC are monitoring and controlling endpoint clients and monitoring the access points, including detecting rogue access points that have been connected to the network.
A WLC provides centralized management and monitoring of the Cisco WLAN solution. The WLC integrates with Cisco Identity Services Engine (ISE) to enforce authentication and authorization of endpoint devices.
Figure 1-14: Wireless LAN Controller
A firewall is a network security device, or system security software, that monitors incoming and outgoing network traffic and filters it according to a defined set of rules and conditions, permitting or denying it entry to or exit from the device or network. Firewalls are built into a wide variety of network devices to filter traffic and lower the risk that malicious packets travelling over the public internet pose to the security of a private network. Firewalls may also be purchased as standalone software applications.
The two primary types of firewall are host-based and network-based. A host-based firewall is installed on an individual server or endpoint and screens that host's inbound and outbound traffic. A network-based firewall sits at a network boundary; it can be a physical appliance, a virtual firewall, or a firewall service built into a cloud provider's infrastructure.
Although host-based firewalls provide isolation of a sort, the following are the main reasons a dedicated firewall appliance (hardware or software) is preferred at the gateway to the public internet in a production environment:
|Risks||Protection by firewall|
|Access by untrusted entities||Firewalls divide the network into zones. The internal LAN is considered the trusted zone. The public internet and interfaces designated as outside interfaces are considered untrusted. Servers that must be reached by untrusted entities are placed in a separate segment known as a demilitarized zone (DMZ). By allowing only the specific access these servers need, such as TCP port 80 on a web server, the firewall hides the rest of the network's services, which makes it difficult for an attacker to learn the topology of the network.|
|Deep Packet Inspection and protocol exploitation||One of the interesting features of a dedicated firewall is its ability to inspect traffic beyond the IP address and port level. Next Generation Firewalls can inspect traffic up to layer 7, and when configured for TLS interception with their own certificates they can do so inside encrypted sessions. A firewall can also limit the number of established and half-open (embryonic) TCP connections and UDP pseudo-sessions to mitigate DoS attacks such as SYN floods.|
|Access Control||By implementing local AAA or by using ACS/ISE servers, the firewall can permit traffic based on the AAA policy for the authenticated user.|
|Antivirus and protection from infected data||By integrating IPS/IDS modules with the firewall, malicious data can be detected and filtered at the edge of the network to protect end users.|
Table 1-10: Firewall Risk Mitigation Features
Types of Firewall
- Packet Filtering Firewall
A packet filtering firewall uses access lists (ACLs) to permit or deny traffic based on layer 3 and layer 4 information. Whenever a packet arrives at an interface of a layer 3 device with an ACL applied, the device checks it against the ACL's entries in order, starting from the first line, and acts on the first match. With an extended ACL on a Cisco device, the following information can be used to match traffic:
● Source address
● Destination address
● Source port
● Destination port
● Extra keywords such as established, which matches TCP segments with the ACK or RST bit set (assumed to belong to an existing session)
This table shows the advantages and disadvantages of packet filtering:
|Advantages||Disadvantages|
|Easy to implement with permit and deny statements.||Cannot mitigate IP spoofing attacks. An attacker can reach protected assets by spoofing a source IP address that matches one of the permit statements in the ACL.|
|Less CPU intensive than deep packet inspection techniques.||Difficult to maintain as the ACL grows.|
|Configurable on almost every Cisco IOS device.||Cannot filter based on session state: the established keyword only checks flag bits, so any packet with the ACK bit set passes whether or not a session exists.|
|Even a mid-range device can perform ACL-based filtering.||When applications use dynamic ports, a range of ports must be opened in the ACL, and that range can also be used by malicious users.|
Table 1-11: Advantages and Disadvantages of Packet Filtering Techniques
- Circuit-Level Gateway Firewall
A circuit-level gateway firewall operates at the session layer of the OSI model. It examines the TCP handshake to validate that sessions are legitimate, without inspecting the application data. Packets forwarded to the remote destination through a circuit-level firewall appear to have originated from the gateway.
- Application-Level Firewall
An application-level firewall can work from layer 3 up to layer 7 of the OSI model. Normally, specialized or open source software running on a high-end server acts as an intermediary between the client and the destination address. Because these firewalls can operate up to layer 7, more granular control of packets moving in and out of the network is possible. Similarly, it becomes very difficult for an attacker to obtain a topology view of the inside or trusted network, because connection requests terminate on the application/proxy firewall.
Some of the advantages and disadvantages of using application/proxy firewalls are:
|Advantages||Disadvantages|
|Granular control over the traffic is possible by using information up to layer 7 of the OSI model.||As proxy and application firewalls run in software, a very high-end machine may be required to meet the computational requirements.|
|The indirect connection between end devices makes it very difficult to mount an attack.||Just like NAT, not every application supports proxy firewalls, and a few amendments may be needed in the current application architecture.|
|Detailed logging is possible, as every session involves the firewall as an intermediary.||Additional software may be required for the logging feature, which takes extra processing power.|
|Any commercially available hardware can be used to install and run proxy firewalls.||Along with computational power, high storage capacity may be required in different scenarios.|
Table 1-12: Advantages and Disadvantages of Application/Proxy Firewalls
- Stateful Multilayer Inspection Firewall
As the name suggests, this type of firewall saves the state of current sessions in a table known as the stateful database. Firewalls using stateful inspection normally deny any traffic between trusted and untrusted interfaces unless a session entry exists. Whenever an end device on the trusted interface wants to communicate with a destination address attached to the untrusted interface of the firewall, an entry containing layer 3 and layer 2 information is made in the stateful database table, and return traffic matching that entry is allowed back. The following table compares different features of stateful inspection based firewalls.
|Advantages||Disadvantages|
|Helps in filtering unexpected traffic.||Unable to mitigate application layer attacks.|
|Can be implemented on a broad range of routers and firewalls.||Except for TCP, other protocols do not have well-defined state information for the firewall to use.|
|Can help in mitigating distributed denial of service (DDoS) attacks.||Some applications may use more than one port for successful operation. An application architecture review may be needed for them to work after deployment of a stateful inspection based firewall.|
Table 1-13: Advantages and Disadvantages of Stateful Inspection based Firewalls
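As an added example (not from the original text and not Cisco code), the following Python model puts the two techniques side by side: the stateless extended-ACL evaluation with the `established` keyword described under Packet Filtering Firewall, and the session table of a stateful inspection firewall described above. The rule format, the `StatefulFirewall` class, addresses and packets are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str; dst: str; proto: str; sport: int; dport: int
    ack: bool = False  # TCP ACK/RST set: what the IOS "established" keyword keys on

@dataclass(frozen=True)
class Rule:
    action: str; proto: str; src: str; dst: str  # proto "ip" = any; src/dst in CIDR
    dport: int = 0              # 0 = any destination port
    established: bool = False   # match only if ACK/RST is set
    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (0, p.dport)
                and (p.ack or not self.established))

def acl_decision(acl, p: Packet) -> str:
    """Stateless filter: walk the ACL top-down, first match wins, implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

class StatefulFirewall:
    """Records sessions opened from the trusted side; inbound traffic is permitted only if it reverses a recorded session."""
    def __init__(self, trusted_net: str):
        self.trusted = ip_network(trusted_net)
        self.sessions = set()
    def decision(self, p: Packet) -> str:
        if ip_address(p.src) in self.trusted:        # outbound: open a session entry
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "permit"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit"                          # legitimate return traffic
        return "deny"                                # unsolicited inbound packet

# Constructed inbound ACL for the untrusted interface, roughly
#   permit tcp any 10.0.0.0 0.255.255.255 established   (followed by the implicit deny)
INBOUND_ACL = [Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.0/8", established=True)]

def compare(packets):
    """(ACL verdict, stateful verdict) per packet; the ACL is applied to inbound packets only."""
    fw = StatefulFirewall("10.0.0.0/8")
    return [(acl_decision(INBOUND_ACL, p) if ip_address(p.src) not in fw.trusted else "n/a",
             fw.decision(p)) for p in packets]
```

Feeding `compare` an outbound connection, its genuine reply, and an unsolicited inbound packet with the ACK bit set shows the difference the tables describe: the ACL permits any inbound segment carrying ACK/RST, whereas the stateful firewall permits only the reply that matches a recorded session.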
- Transparent firewalls
Most of the firewalls discussed above work at layer 3 and above. Transparent firewalls work exactly like the techniques mentioned above, but the interfaces of the firewall itself are layer 2 in nature. No IP address is assigned to any traffic-carrying interface; think of it as a switch with ports assigned to a VLAN. The only IP address assigned to a transparent firewall is for management purposes. Similarly, as no extra hop is added between end devices, users will not be aware of the new addition to the network infrastructure, and custom-made applications may work without any problem.
- Next Generation (NGFW) firewalls
NGFW is a relatively new term used for the latest firewalls with an advanced feature set. This kind of firewall provides in-depth security features to mitigate known threats and malware attacks. An example of a next-generation firewall is the Cisco ASA series with FirePOWER services. An NGFW provides complete visibility into network traffic, users, mobile devices, virtual machine (VM) to VM data communication, etc.
- Personal Firewalls
A personal firewall, also known as a desktop firewall, helps protect end users’ personal computers from general attacks by intruders. Such firewalls are a valuable line of defense for users who are constantly connected to the internet via DSL or cable modems. Personal firewalls help by providing inbound and outbound filtering, controlling internet connectivity to and from the computer (in both domain based and workgroup mode) and alerting the user to any intrusion attempts.
As awareness of cyber and network security increases day by day, it is very important to understand the core concepts of the Intrusion Detection System (IDS) as well as the Intrusion Prevention System (IPS). IDS and IPS often cause confusion, as both kinds of module are produced by multiple vendors and the terminology used to describe the technical concepts is often the same. Sometimes the same technology may be used for both detection and prevention of a threat.
As with its other product lines, Cisco has developed a number of solutions for implementing IDS/IPS to secure the network. In the first phase of this section, the underlying concepts are discussed before moving on to the different implementation methodologies.
The placement of the sensor within a network is what differentiates the functionality of an IPS from an IDS. When a sensor is placed in line with the network, i.e., the common in/out path of a specific network segment terminates on one hardware or logical interface of the sensor and leaves through a second hardware or logical interface, every single packet is analyzed and passes through the sensor only if it does not contain anything malicious. By dropping the malicious traffic, the trusted network or a segment of it can be protected from known threats and attacks. This is the basic working of an Intrusion Prevention System (IPS). However, inline installation and inspection of traffic may result in a slight delay. The IPS may also become a single point of failure for the whole network. If ‘fail-open’ mode is used, both good and malicious traffic will be allowed through in case of any kind of failure within the IPS sensor. Similarly, if ‘fail-close’ mode is configured, all IP traffic will be dropped in case of a sensor failure.
Figure 1-15: In-line Deployment of IPS Sensor
If a sensor is installed in the position as shown below, a copy of every packet will be sent to the sensor to analyze any malicious activity.
Figure 1-16: Sensor deployment as IDS
In other words, the sensor, running in promiscuous mode, performs detection and generates an alert if required. As the normal flow of traffic is not disturbed, no end-to-end delay is introduced by implementing an IDS. The only downside of this configuration is that the IDS cannot stop malicious packets from entering the network, because the IDS does not control the path of the traffic.
The following table summarizes and compares various features of IDS and IPS.
|Feature||IPS||IDS|
|Positioning||In-line with the network. Every packet goes through it.||Not in-line with the network. It receives a copy of every packet.|
|Delay||Introduces delay, because every packet is analyzed before being forwarded to the destination.||Does not introduce delay, because it is not in-line with the network.|
|Point of failure?||Yes. If the sensor is down, it may either pass or drop legitimate as well as malicious traffic entering the network, depending on which of the two modes is configured on it, namely fail-open or fail-close.||No impact on traffic, as the IDS is not in-line with the network.|
|Ability to mitigate an attack?||Yes. By dropping the malicious traffic, attacks on the network can be readily reduced. If deployed in TAP mode, it gets a copy of each packet but cannot mitigate the attack.||An IDS cannot directly stop an attack. However, it can assist an in-line device such as an IPS to drop certain traffic and stop an attack.|
|Can do packet manipulation?||Yes. It can modify the IP traffic according to a defined set of rules.||No. As the IDS receives mirrored traffic, it can only perform inspection.|
Table 1-14: IDS/IPS Comparison
Ways to Detect an Intrusion
When a sensor analyzes traffic for anything unusual, it uses multiple techniques based on the rules defined in the IPS/IDS sensor. The following tools and techniques can be used in this regard:
- Signature-based IDS/IPS
- Policy-based IDS/IPS
- Anomaly-based IDS/IPS
- Reputation-based IDS/IPS
Cisco Advanced Malware Protection (AMP) is an integrated advanced malware analysis and protection solution which ensures comprehensive security of the network before, during and after an attack.
Global threat intelligence updates from the Cisco Talos Security Intelligence and Research Group and Threat Grid strengthen the layers of defense and protect against emerging threats. During an attack, Cisco AMP secures the network by comparing the traffic with known file signatures and by performing dynamic malware analysis and sandboxing.
Cisco offers the Web Security Appliance (WSA), a combined and integrated solution for strong defense and web protection, visibility and control.
The Cisco Web Security Appliance (WSA) integrates the following security solutions:
- Advanced Malware Protection (AMP)
- Cognitive Threat Analytics (CTA)
- Application Visibility and Control (AVC)
- Secure Mobility
Email spam, also known as junk email, is unsolicited bulk email. Email users commonly face the problem of receiving spam. These spam emails may advertise something, or may carry malware and malicious objects that are downloaded if the user clicks on an object in the spam email.
Email spam comes in different types. Spamming is typically used for fraud and for promoting inexpensive items such as pharmaceutical drugs, shopping, jobs and others. Free rewards and discount coupon offers attract the attention of email recipients. The spam sender uses a fabricated process and story to ask the victims for payment.
Another type of spam email is the phishing email, which is disguised as an email from an official organization. For example, a spam email disguised as an email from a bank may lead the recipient to submit their login credentials by clicking a link to a fake web page that looks exactly like the official one. Users should avoid such spam emails and should not click on any link in them.
Figure 1-17: Cisco Email Security Appliance Portal Page
An email security solution becomes useless and ineffective if spam and unsolicited emails are not filtered properly. Every corporate network requires email. Irrelevant emails have to be filtered out of the email traffic, leaving the legitimate emails that belong to the corporate network. A spam filter is a software program used to detect spam email and prevent unwanted email. A certain threshold or set of criteria has to be configured for filtering email. Using an anti-spam solution to inspect and filter spam email does not provide a complete solution for preventing spam. False positives and incorrect detection can block legitimate mail and can also let spam through. Lowering the filtering threshold leaves the user responsible for identifying spam manually. An anti-spam solution alone is therefore not reliable enough to be the only line of defense.
Figure 1-18: Basic Email Filtering using Spam Filter
The Cisco IronPort Email Security Appliance (ESA) provides protection for email and for the employees who use the email infrastructure. Cisco ESA can be easily integrated into a deployed network with high flexibility. The Email Security Appliance can be deployed with a single interface, filtering the email of the internal mail server. Another deployment method uses two interfaces, one for email from the internet and another for email from internal servers.
Figure 1-19: Cisco Email Security Appliance (ESA) deployed Email Security Solution
Spam Filtering using Cisco Email Security Appliance (ESA)
Spam filtering can be done using reputation based filtering or context based filtering.
- Reputation based Filtering
- Context based Filtering
Reputation based Filtering
Reputation based filtering offers front-line protection, the first layer of defense for the network. It can defend against spam and phishing on the basis of reputation checking and inspection. If the server identifies the sender of malicious emails as a spam sender, it blocks the emails from that sender. This solution positively classifies spam emails, malicious emails and unsolicited emails from untrusted and potentially harmful hosts. Malware and malicious activity in email are inspected using anti-virus scanning. Reputation filtering compares the reputation data from Cisco SenderBase. Cisco SenderBase is a global repository for email security which records the reputation of hosts. When any host is involved in malicious or potentially harmful activities, its reputation is lowered. A device that supports reputation filtering, such as the Cisco Email Security Appliance (ESA), compares the information from Cisco SenderBase; legitimate emails proceed to the next level of inspection and filtering, while emails with a lower reputation are discarded. Emails which are still suspicious (those between the positive emails which pass the reputation filter and the negative emails which do not) are inspected before delivery.