
Fundamentals of Cybersecurity Unit 5

Taken from the RIT course on edX

Abstract— Upon completion of this unit, you will be able to:
• Describe how data travels within a network or an Autonomous System.

I. PORTS

The way network communication goes in and out of a machine, physically, is through the NIC, Network Interface Card. The way network communication goes in and out of a machine logically, though, is through a program or service. A service is a program that runs in the background, independent of the logon, and provides functionality to a system. Windows client machines, for instance, have a workstation service running in the background that allows for connections to remote network resources. It's not tied to a single user logon and is always running in the background. When you start a web server, you're starting a specific server service that isn't tied to a specific user logon either. This way, when the server reboots, the service automatically starts before anyone logs on. In the world of Linux, services are known as daemons.

Well, how does network communication go in and out of a program or service? Let's say a single machine is running both an FTP, File Transfer Protocol, server as well as a web server. If they are both accessible by the same IP address, how does the traffic for the FTP server get to the FTP server and the traffic for the web server get to the web server? Think about an apartment building with a mailbox grid in the lobby. The man in apartment 21 checks his mail with a key to box 21 and the woman in apartment 80 checks her mail with a key to box 80. The mailman brought their mail to the same building. They both live in the same building with the same street address. This is like two different servers that are accessible through the same IP address; however, when traffic is destined for the man in apartment 21, it is noted on the front of the envelope. And the same goes for the mail addressed to the woman in apartment 80. Similarly, the way into and out of a program or service is through a port, which is a logical number. So, in addition to source and destination MAC addresses and source and destination IP addresses, there are, in fact, source and destination ports. MAC addresses are found in frames at layer two of the OSI model. IP addresses are found in packets at layer three. Port numbers are found in either TCP segments or UDP datagrams at layer four. Based on the destination port, the destination machine knows which program or service to send the data to, the same way that the mailman knows to put the mail for apartment 21 in the box for apartment 21 and the mail for apartment 80 in the box for apartment 80.

Ports are organized into three categories. Well-known ports from 0 to 1,023 are used by major protocols and services. For instance, FTP servers listen on port 21 and web servers listen on port 80. Registered ports from 1,024 to 49,151 are assigned by IANA, the Internet Assigned Numbers Authority, for specific companies that want a common port to be used for their programs or protocols. However, any system can use one of these ports as long as it is not currently in use on that system. Registered ports are locally significant to a system; it's not like using a registered IP address, which has global scope. Dynamic ports from 49,152 to 65,535 are used by client applications on an as-needed basis. For example, your browser might open up port 60,000 to send a request to a web server that is listening for requests on port 80 for unencrypted HTTP. The web server's response is sourced from port 80 and is destined for the port that your browser opened up. After the communication between your browser and the web server is complete, your browser closes the port it opened, but the web server's port remains open for new incoming connections. Your browser will subsequently open up a different port in that dynamic range for traffic to and from the same or a different website.

II. TCP AND UDP

One of two protocols will be used at layer four of the OSI model to encapsulate the data coming from layers five, six, and seven. TCP, Transmission Control Protocol, segments or UDP, User Datagram Protocol, datagrams will be selected by the application that's sending data. TCP establishes a connection between the source and destination devices for reliable data transfer and flow control, sending data at an acceptable rate for both the source and destination. UDP is connectionless and has no flow control. All bytes sent with TCP are ordered and sequenced. TCP guarantees that every single byte sent will be received with integrity and processed in the correct order. So actually there are in fact three things that are guaranteed in life: death, taxes, and TCP. TCP segments are acknowledged so the sender knows the destination got the traffic. If an acknowledgement specifically referencing the byte numbers of the data sent doesn't come back, TCP resends the unacknowledged bytes; UDP doesn't do this.

So which one is better? Well, it depends. TCP is used for things like file transfers, email, and browsing websites. In those cases accuracy is important: if bytes are lost or corrupted, the whole message could be destroyed. UDP is used for real-time communications such as conferencing and streaming. Furthermore, two major protocols coming up in a future module, DNS and DHCP, both use UDP. If every byte sent needed to be acknowledged on a VoIP call over the web, there could be problems with lost acknowledgements.
TCP on the source would think the destination didn't get the message and would resend it again. So the destination would hear hello and send its acknowledgement back to the source. Let's say that the acknowledgement got lost; the destination would hear the subsequent words from the voice call that were already sent by the source, how are you doing today, but then the source would send hello back again. That would be a very frustrating phone call; you'd have the past coming back into the current conversation. You'd have to imagine, though, that all audio and video, real-time and streaming, sent over the internet in UDP datagrams still has to be ordered so that it is processed in the correct order. RTSP, Real Time Streaming Protocol, which exists at layer seven, does the ordering for UDP. Using RTSP just for the ordering of the UDP datagrams involves significantly less overhead than TCP would require. If TCP were used, a connection would have to be established and maintained, flow control would need to be added, and acknowledgements would need to be sent. The communication could slow down based on these and other factors. With UDP, if bytes are lost we don't care; they're just a fleeting moment in time. You might not even notice. One might notice a slight degradation in image quality or sound quality, but even if that's the case we just accept it instead of slowing down the entire communication for the additional overhead that TCP requires. TCP has much more overhead than UDP and is deliberately slower, striving for accuracy and integrity. UDP has no overhead and is quicker, striving for efficiency. When querying your DNS server to resolve a name to an IP address, or your DHCP server to get or renew a lease for an IP address, if no reply comes back to the client, your client will simply ask again. There's no need for additional overhead.

III. HOW SWITCHES WORK

Let's now take a closer look at those switches we were talking about in an earlier module. Switches connect devices of the same network together. They can connect into other switches and routers as well. Switches and PCs connected between router interfaces are considered to be on the same network. When a PC sends an Ethernet frame into a switch, the switch checks the destination MAC address to see if it knows which interface that MAC address is connected to. If the switch knows where the device with that MAC address is, the switch sends the frame out of just that interface. If the switch doesn't know where a destination MAC address is, the switch floods the frame out of all interfaces except the interface on which the frame originated.

So now the obvious question is, how does the switch learn where MAC addresses are in the first place? The switch actually starts off knowing nothing, but as frames are sent into the switch, the switch starts learning. If host A sends a frame for host B into the first interface on the switch, the switch says, I know that the MAC address of host A can now be associated with the interface on which it was heard. The switch will make a note of it in a table in memory called the SAT, Source Address Table. Since the switch doesn't know where host B is, it floods the frame out of all the interfaces except the one the frame originated on. When host B replies, the frame goes into the switch, and the switch learns that host B can be found on the second interface. The switch then adds the MAC address of host B and the interface it was heard on into its source address table as well.

The logic works the same for switches that are connected together. Each switch maintains its own source address table. You'll notice that hosts E, F, G, and H are known to switch two on interfaces one, two, three, and four, respectively. But as far as switch one goes, hosts E, F, G, and H are all accessible through interface five, which connects to switch two. Hosts A, B, C, and D are known to switch one on interfaces one, two, three, and four, respectively. But as far as switch two goes, hosts A, B, C, and D are accessible through interface five, which connects to switch one. So if host C sends a frame to host E, it goes into switch one on interface three. Switch one consults its source address table and realizes host E is accessible out of interface five. Therefore, switch one sends the frame out of interface five, where it's picked up by switch two. Switch two now looks at the destination MAC address in the frame, which is still the MAC address of host E. In an earlier module, we learned that routers reframe packets at each hop. Switches, on the other hand, are transparent and don't change a single part of the frame. After consulting its source address table, switch two sends the frame out of interface one, where host D gets it. In addition to flooding unknown unicasts when the switch doesn't know where a destination MAC address is, the switch will also flood multicasts and broadcasts out of all interfaces except the interface that the frame originated on. Remember, all ARP requests are always broadcasts. If there are 20 connected switches in a network with 20 PCs connected to each of those switches, a single ARP request by one of the PCs will be read by the other 399.

IV. AUTONOMOUS SYSTEMS

Routers don't connect devices of the same network together. They connect different networks together. So you wouldn't ever see a PC connected to a router. Connected to a router you'd find either a switch or another router. That little box we have at home that everyone calls a router actually has switch functionality built inside of it. If you've ever connected a desktop to an interface on that router, you actually plugged the cable into a switch interface, even though we call that little box a router. As we've discussed earlier, when a router gets a packet to send to a destination IP address, the router consults its routing table to see if it has knowledge of the destination network and, if so, which router interface should get the packet next. If the router has no knowledge of the destination network, it might have a default route of its own to send the packet to. Without either knowledge of a destination network or a default route for a router to send all packets with unknown destinations to, the router will drop the packet and send an error message back to the source through a protocol known as ICMP. Today's internet backbone routers are approaching three-quarters of a million, 750,000, routes in their routing tables. On internal autonomous systems, there are far fewer. An autonomous
system represents a collection of networks under one administrative control, like an ISP or a major entity like RIT. Here at RIT, we have a collection of internal networks. Remember, a network refers simply to a collection of switches and PCs between two router interfaces. Why would a bunch of networks be preferred to a single network? Well, for one, think back to our ARP stories: ARP requests and all other broadcast traffic will always reach and be processed by every single device on a network. One reason why we might want multiple networks interconnected by routers instead of one big flat network is to reduce the size of the broadcast domain. Instead of broadcasts tying up the bandwidth and processing of all devices on a network, we've now lowered the number of broadcasts that will proliferate through a network and the number of devices that can hear them. It's why here at RIT each class is taught in a room by itself. If we had one homogeneous auditorium and had all classes there simultaneously, my students would have to listen to and try to understand all the other professors and classes. That would take their attention away from me and my lessons. Another reason why multiple networks are preferred to one big flat network is for security purposes. Security at the router level, in the form of an access control list, can be used to filter traffic by source IP address, destination IP address, protocol, and even port. This allows you to control access to and from certain devices and resources much better than if everything were on the same network. It's also a way to hierarchically design an internetwork, and it even makes the troubleshooting process easier by isolating traffic to a certain network.

V. DYNAMIC ROUTING

Entities like RIT registered for and received their own ASN, Autonomous System Number. They became autonomous systems of their own, independent of ISPs. This allowed them to maintain routing tables and exchange routing information with multiple ISPs. As traffic is ready to leave the autonomous system, the routers decide which ISP and which ISP connection to send the traffic to for the most efficient packet delivery. At home, we don't have to exchange any information about networks with our ISP. There is a default route in our router that basically says, any traffic for anywhere but my local home network, send it to the ISP's router. Why would we want the overhead of exchanging routes? If the connection to our ISP goes down, we're not sending any communication off our network anyway. Besides, our home routers don't have the memory or processing power for 750,000 routes. However, inside a company, within an autonomous system, there needs to be a dynamic way in which the routers can exchange information about the internal networks as well as how to get to the company's edge router that connects to the ISP for packets destined for an external network. This is where routing protocols come into play. An IGP, Interior Gateway Protocol, is a routing protocol that allows routers within an autonomous system to communicate with each other, sharing information about the networks they're directly or indirectly connected to. After these messages are passed between the routers, each router forms an idea of the topology and determines the best way to get to a destination network. Metrics are values that the routers use to determine the best way to get to a destination network when there are multiple paths available. Nowadays, the two main IGPs are OSPF, Open Shortest Path First, and Cisco's EIGRP, Enhanced Interior Gateway Routing Protocol. The main metric used by OSPF and EIGRP to determine the best way to get to a destination network is bandwidth, although they calculate this metric very differently. Using OSPF or EIGRP, a router might choose a path to a destination network with more hops over a path with fewer hops based on the bandwidth. Sending a packet over a greater number of links is preferred if those links and their bandwidth can get the packet to its destination quicker than a smaller number of links. We make these decisions all the time ourselves. Sometimes I'd rather drive more miles on the highway to get somewhere quicker than fewer miles on local streets with fewer lanes, traffic lights, and a lower speed limit. An EGP, Exterior Gateway Protocol, is a routing protocol that allows routers from different autonomous systems to communicate with each other and exchange routing information. The only EGP in use today, which is used across the entire Internet, is BGP, Border Gateway Protocol.
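The acknowledgement-and-resend behaviour of TCP versus the fire-and-forget behaviour of UDP from section II, as an added toy simulation that is not part of the course notes: the sender numbers every byte, the receiver acks the next byte it wants, and a constructed lossy channel drops chosen transmissions (data segments and acks alike, counted from 1) so the retransmission logic is exercised.

```python
def tcp_transfer(payload, seg_size, drop):
    """Return (bytes delivered in order, number of segments put on the wire)."""
    delivered = bytearray()
    next_expected = 0      # receiver: first byte number not yet accepted
    seq = 0                # sender: first byte number of the segment in flight
    tx = 0                 # counts every transmission on the wire, segments and acks
    segments_sent = 0
    while seq < len(payload):
        segment = payload[seq:seq + seg_size]
        segments_sent += 1
        tx += 1
        if tx in drop:     # segment lost: sender times out and resends the same bytes
            continue
        if seq == next_expected:          # new in-order bytes: accept them
            delivered += segment
            next_expected += len(segment)
        # a retransmission of bytes already held is recognised by its sequence
        # number and not accepted twice, but the receiver still acks what it has
        tx += 1
        if tx in drop:     # ack lost: sender times out and resends the same bytes
            continue
        seq = next_expected               # the ack names the next byte wanted
    return bytes(delivered), segments_sent

def udp_transfer(payload, seg_size, drop):
    """Return (bytes that arrived, datagrams sent); no acks, no resends."""
    delivered = bytearray()
    tx = 0
    for seq in range(0, len(payload), seg_size):
        tx += 1
        if tx in drop:     # datagram lost: nobody is told, nothing is resent
            continue
        delivered += payload[seq:seq + seg_size]
    return bytes(delivered), tx

PAYLOAD = b"hello how are you doing today"   # constructed sample "voice" data

def compare(drop=(2, 5)):
    """Run both transfers over the same constructed loss pattern."""
    return {"tcp": tcp_transfer(PAYLOAD, 5, drop),
            "udp": udp_transfer(PAYLOAD, 5, drop)}

if __name__ == "__main__":
    print(compare())
```

With transmissions 2 and 5 lost, the TCP model delivers the full 29 bytes at the cost of two extra segments, while the UDP model delivers 19 bytes with two gaps and never notices.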
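The switch learning and flooding rules of section III, as an added simulation that is not part of the course notes: each switch keeps a Source Address Table mapping a MAC to the interface it was heard on, forwards known unicasts out one interface, and floods unknown unicasts and broadcasts out of every other interface. The two-switch topology (hosts A to D on switch one, E to H on switch two, interface 5 between them) and the 20-switch, 20-PC broadcast count follow the notes; host names double as MAC addresses and the interswitch chain is an assumption.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"   # destination meaning "every host on the network"

class Switch:
    """Transparent switch: learns source MACs per interface, never alters frames."""

    def __init__(self, name, links):
        self.name = name
        self.links = dict(links)   # {interface number: host MAC or neighbouring Switch}
        self.sat = {}              # Source Address Table: {MAC: interface heard on}

    def port_facing(self, peer):
        return next(p for p, d in self.links.items() if d is peer)

    def forward(self, src, dst, in_port, reached, path):
        self.sat[src] = in_port                      # learn where src is reachable
        if dst != BROADCAST and dst in self.sat:
            out = [self.sat[dst]]                    # known unicast: one interface
        else:                                        # unknown unicast or broadcast:
            out = [p for p in self.links if p != in_port]   # flood all but ingress
        path.append((self.name, in_port, tuple(out)))
        for p in out:
            dev = self.links[p]
            if isinstance(dev, Switch):              # uplink: same frame, next switch
                dev.forward(src, dst, dev.port_facing(self), reached, path)
            else:
                reached.append(dev)                  # a host reads the frame

def send(switches, src, dst):
    """Host `src` emits one frame; returns (hosts that read it, per-switch decisions)."""
    reached, path = [], []
    for sw in switches:
        for port, dev in sw.links.items():
            if dev == src:
                sw.forward(src, dst, port, reached, path)
    return reached, path

def two_switch_lan():
    """Topology from the notes: A-D on switch one, E-H on switch two, interface 5 between."""
    s1 = Switch("switch1", {1: "A", 2: "B", 3: "C", 4: "D"})
    s2 = Switch("switch2", {1: "E", 2: "F", 3: "G", 4: "H"})
    s1.links[5], s2.links[5] = s2, s1
    return s1, s2

def broadcast_reach(n_switches=20, pcs_per_switch=20):
    """Chain of switches: how many hosts read one PC's ARP request (a broadcast)."""
    switches = []
    for i in range(n_switches):
        sw = Switch(f"sw{i}", {p: f"pc{i}-{p}" for p in range(1, pcs_per_switch + 1)})
        if switches:                                 # uplink to the previous switch
            switches[-1].links[pcs_per_switch + 1] = sw
            sw.links[pcs_per_switch + 2] = switches[-1]
        switches.append(sw)
    return len(send(switches, "pc0-1", BROADCAST)[0])
```

Sending A to B first (flooded everywhere), then B to A, then E to A, and finally C to E reproduces the notes' walk-through: the last frame leaves switch one on interface 5 and switch two on interface 1 only.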
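The router behaviour of section IV, as an added example that is not part of the course notes: a longest-prefix lookup over a constructed routing table with a default route, the drop-and-ICMP case when neither a route nor a default exists, and an access control list that filters by source address, destination address, protocol and port before the packet is routed. The table, the ACL entries and the choice to answer an ACL deny with an ICMP "administratively prohibited" message are assumptions for illustration.

```python
import ipaddress

# Constructed routing table: (destination network, egress interface).
# 0.0.0.0/0 is the default route that catches everything not listed.
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "eth1"),
    (ipaddress.ip_network("10.1.5.0/24"), "eth2"),   # more specific than the /16
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),     # default route toward the ISP
]

# Constructed ACL: (action, source net, destination net, protocol, dest port or None).
# Evaluated top down, first match wins, implicit deny if nothing matches.
ACL = [
    ("permit", "10.1.0.0/16", "10.1.5.10/32", "tcp", 80),    # web to one server only
    ("deny",   "10.1.0.0/16", "10.1.5.10/32", "tcp", None),  # every other TCP port
    ("permit", "0.0.0.0/0",   "0.0.0.0/0",    "udp", 53),    # DNS anywhere
]

def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific network containing dst wins.
    Returns the egress interface, or None when neither a route nor a default exists."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in routes if addr in net]
    return max(matches)[1] if matches else None

def acl_check(src, dst, proto, dport, acl=ACL):
    """First matching entry decides; an ACL always ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, p, port in acl:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and p == proto and (port is None or port == dport)):
            return action
    return "deny"

def forward_packet(src, dst, proto, dport):
    """Filter, then route. Returns ("forward", iface) or ("icmp", reason)."""
    if acl_check(src, dst, proto, dport) == "deny":
        return ("icmp", "administratively prohibited")   # assumed: deny is answered with ICMP
    iface = route_lookup(dst)
    if iface is None:
        return ("icmp", "destination unreachable")       # no route, no default: drop and tell the source
    return ("forward", iface)
```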
