Networking plays a vital role in everything we do on a daily basis. Whether your organization is using Slack or Microsoft Teams or traditional emails for internal communication between employees, your smartphone or computer is connected to a network. To fully understand how cyber-attacks and threats are able to infiltrate a system or network, you must first understand the fundamentals of networking.
Hackers are cunning; they are always looking for the easiest way to gain access to a system or network. They look for vulnerabilities, which are security weaknesses in a system, application, coding, or design, and try to take advantage by exploiting them. You may be wondering, what does this have to do with networking? To answer this question in a simple sentence, there are many network protocols that were not designed with any security in mind, thus allowing hackers to exploit their vulnerabilities.
To get a better understanding of the bigger picture of network protocols and applications, let's take a look at what happens when a device such as a computer sends a message such as data to a web server. Built into each modern operating system, whether it's Microsoft Windows, Apple macOS, or even the Android operating system, you will find a protocol suite, which is responsible for the encoding, formatting, and transmission of messages between a source and destination.
During the pre-internet age and the early stages of computer networks, many computer vendors created their own protocol suite to enable their devices to communicate on a network. The downside to such ideas was that each vendor made a protocol suite proprietary to their devices only. This means Vendor A devices would not be able to communicate with Vendor B devices if they were connected to the same physical network.
This concept was not scalable or adaptive. Eventually, two emerging protocol suites surfaced with promises to be interoperable with any vendor devices and networks. These two well-known protocol suites are as follows:
- The Open Systems Interconnection (OSI) reference model
- The Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite
A protocol suite allows a device to format a message for delivery using a universal set of standards and protocols to ensure all devices along the path to the destination are able to read the addressing and data contents clearly. In other words, the protocol suite allows all devices to speak a common language on the network and the internet.
Each of these models has several layers that describe how a message is sent from one device to another and vice versa. In the following sub-sections, you will learn about the characteristics of both the OSI reference model and the TCP/IP protocol suite.
The OSI reference model
The OSI reference model was developed by the International Organization for Standardization (ISO) to be a protocol suite for operating systems in the 1970s. This model consisted of seven layers. Each layer was responsible for a unique role and function to help a device encode (format), send, and receive messages through a network.
The following diagram shows the OSI reference model with all its seven layers:
Figure 1.1 – OSI reference model
Tip
A simple method to always remember the layers of the OSI model from top to bottom is to learn this phrase, All People Seem To Need Data Processing, using the first letter of each layer to make an easy-to-remember sentence.
When a device such as a computer is sending a message, an application-layer protocol will create the message and pass it down to the lower layers until it is placed on the actual wired or wireless network. A sender creates the Protocol Data Unit (PDU) at Layer 7 – the application layer and works its way downward to Layer 1 – the physical layer where the message is sent on the network as an electrical, light, or radio-frequency signal. Keep in mind that when a device is receiving a message from a sender, the message enters Layer 1 – the physical layer and works its way upward to Layer 7 – the application layer.
In the following sections, you will learn about the role and function of each layer of the OSI reference model. Furthermore, you'll discover what happens to a message as it is created by an application-layer protocol and is passed down to the lower layers while it makes its way through the physical network to its destination.
Layer 7 – the application layer
The application layer exists closest to the user, such as yourself. Don't be mistaken – this is not the software or applications you are familiar with using on your computer, such as a web browser or email client such as Microsoft Outlook. The application layer contains many protocols, which allow the user to interact with network resources. A simple example is accessing Cisco's website to gather more information about this certification. You would open your favorite web browser and go to the www.cisco.com web address and the web page would be loaded onto your screen. In reality, your web browser (software) is able to interact with an application-layer protocol such as HyperText Transfer Protocol (HTTP) or HyperText Transfer Protocol Secure (HTTPS). Both HTTP and HTTPS are protocols that allow your computer to communicate with a web server.
Each application-layer protocol is unique in its role and function. When data is created by an application-layer protocol such as HTTPS, it can only be interpreted or understood by another device running the same protocol (HTTPS). Recall the previous example, where the web browser invokes the HTTPS protocol to exchange messages with a Cisco web server that is also using HTTPS.
There are many application-layer protocols that are very common and are used frequently by our devices. Some of the well-known protocols are as follows:
- File Transfer Protocol (FTP)
- Secure Shell (SSH)
- Secure Copy (SCP)
- Telnet
- Simple Mail Transfer Protocol (SMTP)
- Domain Name System (DNS)
- Dynamic Host Configuration Protocol (DHCP)
- Trivial File Transfer Protocol (TFTP)
At this layer, the application-layer protocol creates raw data known as a datagram. However, in the networking world, this PDU is best referred to as data. Once the application layer has finished creating its message, it parses the data down to the presentation layer.
Layer 6 – the presentation layer
As you know, application-layer protocols will create their messages (data) such that they can only be interpreted by the same protocol that created it. If the PDU from the application layer is parsed to the lower layers, those lower layers will not be able to interpret what the message is about and why it's being sent to them.
This is where the presentation layer comes in to fill this gap. The presentation layer is responsible for the following functions in the OSI reference model:
- Formatting
- Compression
- Encryption
- Decryption
The presentation layer will format the PDU that it receives from the application layer in a uniform format, thus allowing the lower layers to interpret the message clearly. Additionally, the presentation layer is responsible for compressing data for transmission, data encryption, and decryption as well.
At this stage, the PDU is still referred to as data and now it's time for it to be sent to the session layer for further processing.
Layer 5 – the session layer
At the session layer, the PDU (data) is not modified in any way but rather, this layer is responsible for the sessions that are created between the source and destination of the message. You can think of the session layer as the logical module, which is responsible for creating, maintaining, and terminating the logical sessions between your computer and the destination, such as a web server.
At the session layer, the PDU maintains its integrity and is not changed in any way. At this layer, the PDU is commonly referred to as data and it's then passed down to the transport layer.
Layer 4 – the transport layer
The transport layer plays a vital role in helping datagrams or PDUs to reach their corresponding application-layer protocol. The transport layer is responsible for the delivery and transportation of messages (datagrams) from a source device to the destination.
It does this by using the following transport-layer protocols to help messages reach their destination:
- Transmission Control Protocol (TCP)
- User Datagram Protocol (UDP)
The application-layer protocols, such as HTTPS and DNS, rely on either of these transport-layer protocols to ensure their messages are delivered across the network.
Important note
In a later section of this chapter, Understanding the purpose of various network protocols, we will take a deeper look at the characteristics of both TCP and UDP.
Let's imagine that on a network, there is Device-A, which is providing two services to its users: email and web services. For each of these services, an email server and web server applications must be installed on Device-A and be running. You may be thinking about the following questions:
- How is Device-A able to identify the email traffic from the web traffic?
- How does Device-A know to send the email traffic to the email application-layer protocol SMTP and not the web server?
To put it simply, both TCP and UDP use logical network/service ports, which are built into all modern operating systems. There is a total of 65,535 logical network/service ports on any operating system, whether it's Linux, Windows, or even Android.
Important note
A service port can be either TCP or UDP. There are various application-layer protocols that use TCP over UDP.
These network ports operate as doorways for an operating system. If traffic is leaving a device, the operating system opens a doorway (source port) for the traffic to leave and to accept any returning messages. On a server running a web application (Apache, NGINX, or Microsoft IIS) or even an email server, these applications will open their corresponding default network ports for inbound traffic.
The following table shows the categories of service ports:
Figure 1.2 – Categories of service ports
The following is a brief list of application-layer protocols and their service ports:
The transport layer will encapsulate the PDU with a Layer 4 header. This header will contain both source and destination service port details, and the PDU will be known as a segment. The destination service port is needed to ensure the receiving device forwards the PDU to its corresponding application-layer protocol. For example, if you are sending a web request such as an HTTP GET message to a web server, the web server will have port 80
open for HTTP by default. Therefore, the destination port on the segment will be port 80
. When the segment is received by the web server, the transport layer will remove the Layer 4 header and forward the raw datagram to the HTTP protocol at the application layer.
The following is a diagram that shows a segment with its Layer 4 (transport) header:
Figure 1.3 – Segment
Once the transport layer has completed its encapsulation process, it passes the segment down to the network layer for further processing.
Layer 3 – the network layer
The network layer is perhaps the most popular layer throughout the entire reference model. At this layer, devices insert a Layer 3 header into the PDU, which contains both source and destination Internet Protocol (IP) addresses. As you know, IP addresses are like street addresses for a network. Without IP addresses, devices will not be able to communicate with each other on remote or foreign networks. Once the network layer encapsulates the Layer 3 header onto the PDU, it is known as a packet.
Important note
In a later section of this chapter, Understanding the purpose of various network protocols, we will take a deeper look at the characteristics of the IP and its versions.
The network layer has the following functionality and roles in the OSI reference model:
- Responsible for the logical IP version 4 (IPv4) and IP version 6 (IPv6) addressing on packets
- The forwarding of packets between IP networks (routing)
- Encapsulating Layer 3 headers onto PDUs as they are passed down the OSI model
- De-encapsulating PDUs as they are passed upward to the application-layer protocols
The following diagram shows a packet with its Layer 3 header:
Figure 1.4 – Packet
Once the network layer of the OSI model has finished its encapsulation process, it will pass the packet down to the next layer, the data link layer, as more details need to be attached before it's sent out on the actual physical network.
Layer 2 – the data link layer
The data link layer bridges the gap between the operating system of a device and the actual physical network, whether it's a wired or wireless network. It is at this layer that the operating system is able to control how messages are placed on the physical network and how errors are detected and handled on incoming messages.
The data link layer is made up of two sub-layers:
- Logical Link Control (LLC)
- Media Access Control (MAC)
The LLC and MAC work together to ensure datagrams that are outgoing contain all the necessary details to help them reach their destination successfully. Additionally, these two sub-layers are also responsible for handling any incoming messages for a system.
The LLC sub-layer will allow further encapsulation to the packets it has received from the network layer, simply by inserting a Layer 2 header that contains the source and destination MAC addresses. A trailer is inserted at the end of the datagram. This is used to check for any errors in incoming messages. The trailer contains a Frame Check Sequence (FCS) and inside the FCS, there's a Cyclic Redundancy Check (CRC). The CRC is a one-way cryptographic hash representation of the entire datagram. Devices that receive these datagrams use the CRC value to verify the integrity of the message, such as whether it was modified or corrupted during transmission. With the new Layer 2 header and trailer added to the datagram, the PDU is now known as a frame.
The MAC sub-layer is responsible for the actual Layer 2 addressing as well as the source and destination MAC address for the frame. The MAC address is considered to be a physical address that is embedded on a Network Interface Card (NIC). Sometimes, the MAC address is referred to as a Burned-In Address (BIA) because it cannot be changed conventionally.
The following is a simplified diagram that shows a frame with both its Layer 2 header and trailer:
Figure 1.5 – Contents of a frame
Additionally, a Preamble is inserted at the beginning of the frame to indicate the start of the frame and sequencing details to help with the re-assembling of the message on the destination device. The preamble has a lot of significance. Before the data link layer passes the frame to the next layer, it cuts the raw data into smaller pieces called bits. Each bit will contain the Layer 2 header and trailer details, then the data link layer will send those bits to the physical layer.
The MAC address is 48 bits or 6 bytes in length, which is written in hexadecimal values. These values are 0 1 2 3 4 5 6 7 8 9 A B C D E F. Various operating system vendors usually present the MAC address value in one of the following formats:
12:34:56:78:9A:BC
12-34-56-78-9A-BC
1234.568.9ABC
The first 24 bits in MAC addresses can be used to identify a vendor of a device. This portion of the MAC address is known as the Organization Unique Identifier (OUI). The last 24 bits, however, are unique and assigned by the vendor, therefore the entire 48-bit MAC address is unique globally.
To check the MAC address on a Cisco IOS router, use the show interfaces interface-ID
command as shown here:
Figure 1.6 – Viewing the MAC address on a Cisco router
To view the MAC address on a Linux device, use the ifconfig
command in the Linux Terminal as shown here:
Figure 1.7 – Viewing the MAC address on a Linux device
On Linux-based devices, the ether
field is used to indicate the MAC address of the interface, as seen in the previous screenshot.
To view the MAC address on a Windows device, use the ipconfig /all
command in Windows Command Prompt as shown here:
Figure 1.8 – Viewing the MAC address on a Windows device
To perform a MAC OUI lookup, use the following steps:
- Go to https://www.wireshark.org/tools/oui-lookup.html.
- Copy the MAC address from your device. For this exercise, you can copy this MAC address:
00-0C-29-A0-B0-6A
.
- Enter it into the OUI search field and click on Find, as shown in the following screenshot:
Figure 1.9 – Performing a MAC vendor lookup
The online tool was able to profile the first 24 bits of the MAC address and indicated the address belongs to a VMware device. Fortunately, this MAC address was taken from one of my demo virtual machines in my personal lab.
Important note
While networking professionals are taught that MAC addresses are unchangeable (burned-in), a cybersecurity professional or hacker is able to change the MAC address easily on their NIC to avoid detection.
Being able to quickly profile MAC addresses can help you eliminate rogue and unauthorized devices that are connected to your network.
Layer 1 – the physical layer
The physical layer is the actual wired and wireless network; it's the actual media that is used to transmit bits from one device to another. At this layer, you will find various types of cables, such as Cat 6 or even fiber optics, and wireless media such as radio frequency, whether it be Wi-Fi or 5G technologies that are used to transport the actual signals (bits) between a source and a destination.
Now that you have an idea about the OSI reference model, let's take a look at the importance of the TCP/IP protocol suite in the next section. The various layers of the OSI reference model are mapped to the layers of the TCP/IP protocol suite. It's important as a security professional that you have the knowledge to identify the characteristics of a datagram as it passes through each of these layers.
The TCP/IP protocol suite
TCP/IP was created by the United States Department of Defense (US DoD) and has been implemented in all operating systems to enable network connectivity. Unfortunately, the ISO OSI model did not get the traction it needed to be approved as an official protocol suite and therefore became a reference model where both network and security professionals use each layer for reference purposes.
TCP/IP is the universal language spoken on all computer-based networks; whether it's a Local Area Network (LAN) or the internet, all devices use TCP/IP to communicate. As mentioned earlier, the protocol suite simply defines how a system such as a computer is able to send and receive messages through a network.
With TCP/IP, there are five layers in this protocol suite. The following diagram shows how each layer of the OSI reference model maps directly to each layer of the TCP/IP protocol suite:
Figure 1.10 – TCP/IP protocol suite
In comparison to both models, the top three layers of the OSI model (the application, presentation, and session layers) are mapped to the application layer of TCP/IP. This means the application layer in TCP/IP contains all the functions as described in the top three layers of the OSI reference model.
In this section, you have learned about the function of each network layer of the OSI reference model and how they are mapped to the TCP/IP protocol suite. This knowledge is useful when performing network traffic analysis on an enterprise network. In the next section, you will discover the purpose of various network protocols, such as IP, TCP, and UDP.