TCP/IP Protocol Framework
Notes from week 1
Last updated
Regular routers and some firewalls use stateless packet filtering. Stateless means that each packet is inspected one at a time, with no knowledge of previous packets: no session table is maintained, so every packet is evaluated independently of all other packets.
To protect routing engine resources.
To control traffic going in or out, at your organization.
For troubleshooting purposes.
To control traffic routing (through the use of routing instances).
To perform QoS/CoS (marking the traffic).
Stateful inspection means that each packet is inspected with knowledge of all the other packets that have been sent or received in the same session. A session consists of all the packets exchanged between the two parties during an exchange. A session is identified by a number of elements: the source IP address, the destination IP address, the source port, the destination port and, in some cases, an identifier for the instance if, for example, your router supports virtualization.
So what happens if we have both stateless and stateful inspection? The stateless inspection is performed first, and only then is the stateful data evaluated.
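The two stages described above, as an added example that is not part of the original notes: a stateless rule check that sees only the packet in hand, followed by a stateful session table that lets the reply of an inside-initiated session back in. The LAN prefix, rules and packet sequence are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ingress: str      # "lan" or "wan": the interface the packet arrived on
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

LAN_PREFIX = "10.0.0."   # constructed: our LAN is 10.0.0.0/24

def stateless_filter(pkt):
    """Stage 1: judged on this packet's header alone, no memory of others.
    Constructed rules: drop WAN packets spoofing an inside source address
    and anything aimed at the telnet port; the rest goes on to stage 2."""
    if pkt.ingress == "wan" and pkt.src_ip.startswith(LAN_PREFIX):
        return "discard"
    if pkt.dst_port == 23:
        return "discard"
    return "accept"

class StatefulFirewall:
    def __init__(self):
        self.sessions = set()   # session table, keyed by the initiator's 4-tuple

    def process(self, pkt):
        # Stateless inspection runs first; a discard here ends processing.
        if stateless_filter(pkt) == "discard":
            return "discard (stateless)"
        # Stateful: a known session's reply is accepted even if it looks unsolicited.
        key = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)
        if key in self.sessions or reverse in self.sessions:
            return "accept (existing session)"
        if pkt.ingress == "lan":          # only the LAN side may open sessions
            self.sessions.add(key)
            return "accept (new session)"
        return "discard (stateful)"

# Constructed sequence: web session from inside, its reply, unsolicited SSH, spoof, telnet.
SAMPLE = [
    Packet("lan", "10.0.0.5", "203.0.113.9", 40000, 443),
    Packet("wan", "203.0.113.9", "10.0.0.5", 443, 40000),
    Packet("wan", "198.51.100.7", "10.0.0.5", 5555, 22),
    Packet("wan", "10.0.0.9", "10.0.0.5", 1, 80),
    Packet("lan", "10.0.0.5", "10.0.0.1", 40001, 23),
]

def demo(packets=SAMPLE):
    fw = StatefulFirewall()
    return [fw.process(p) for p in packets]
```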
An IDS is a tool for detecting vulnerabilities in network security. It passively monitors traffic without taking direct action. Typically, an IDS is a server attached to a switch that sends it a copy of all traffic for scrutiny. If suspicious activity is spotted, an alert is sent to the administrator.
Modern IDSs can, however, be set up to automatically trigger actions like blocking IP addresses. Generally, though, they just notify the administrator, who decides the next steps.
An IPS actively takes action upon detecting irregularities. Unlike an IDS that merely receives a copy of network traffic, all traffic must pass through an IPS, leading to a potential delay in the network flow. Typically, an IPS is placed right after network devices like routers or firewalls, and some firewalls even double as an IPS.
Both IDS and IPS rely on various detection methods, with a common one being signature-based detection. This involves comparing network traffic patterns against a database of known threat signatures, alerting administrators if a match is found that might indicate malware presence.
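The IDS versus IPS difference and the signature-based matching described above, as an added example that is not part of the original notes: the same signature database is used by a passive monitor, which can only alert on a copy of the traffic, and by an inline engine, which can also drop. The signatures and sample traffic are constructed for the demo.

```python
# Constructed signature database: (signature name, byte pattern). Real IDS/IPS
# engines ship thousands of such entries; these two exist only for this demo.
SIGNATURES = [
    ("demo-sig-bad-agent", b"User-Agent: CONSTRUCTED-BAD-AGENT"),
    ("demo-sig-marker", b"CONSTRUCTED-MALWARE-MARKER"),
]

def match_signatures(payload):
    """Signature-based detection: compare the payload against every known pattern."""
    return [name for name, pattern in SIGNATURES if pattern in payload]

def ids_monitor(packets):
    """IDS: inspects a copy of the traffic (e.g. from a switch mirror port).
    It can only raise alerts; the live packets are never touched."""
    alerts = []
    for index, payload in enumerate(packets):
        for name in match_signatures(payload):
            alerts.append((index, name))
    return alerts

def ips_inline(packets):
    """IPS: every packet passes through it, so a match can be dropped before it
    reaches the inside. Returns (packets forwarded, alerts raised)."""
    forwarded, alerts = [], []
    for index, payload in enumerate(packets):
        hits = match_signatures(payload)
        if hits:
            alerts.extend((index, name) for name in hits)
            continue                      # dropped: not forwarded
        forwarded.append(payload)
    return forwarded, alerts

# Constructed sample traffic: three packets, two of which match a signature.
SAMPLE_TRAFFIC = [
    b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: normal-browser\r\n\r\n",
    b"GET /x HTTP/1.1\r\nHost: example.com\r\nUser-Agent: CONSTRUCTED-BAD-AGENT\r\n\r\n",
    b"POST /up HTTP/1.1\r\nHost: example.com\r\n\r\nCONSTRUCTED-MALWARE-MARKER",
]
```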
Network Address Translation (NAT) is a method of remapping one IP address space into another by modifying the network address information in IP datagram packet headers while they are in transit across a traffic routing device.
Gives you an additional layer of security.
Allows the IP network of an organization to appear from the outside to use a different IP address space than the one it is actually using. Thus, NAT allows an organization with non-globally routable addresses to connect to the Internet by translating those addresses into a globally routable address space.
It has become a popular and essential tool for conserving global address space allocations in the face of IPv4 address exhaustion, by sharing one Internet-routable IP address of a NAT gateway for an entire private network.
Static address translation (static NAT): Allows one-to-one mapping between local and global addresses.
Dynamic address translation (dynamic NAT): Maps unregistered IP addresses to registered IP addresses from a pool of registered IP addresses.
Overloading: Maps multiple unregistered IP addresses to a single registered IP address (many to one) using different ports. This method is also known as Port Address Translation (PAT). By using overloading, thousands of users can be connected to the Internet by using only one real global IP address.
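The overloading (PAT) case above, as an added example that is not part of the original notes: a translation table that maps each inside (address, port) pair to the single public address and a unique public port, and that refuses inbound packets no inside host asked for. The public address, inside hosts and server are constructed for the demo.

```python
class PortAddressTranslator:
    """Overloading / PAT: every inside (ip, port) pair is rewritten to the one
    public address with its own public port, so many hosts share one address."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (inside_ip, inside_port) -> public_port
        self.in_map = {}    # public_port -> (inside_ip, inside_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the private network: rewrite its source."""
        key = (src_ip, src_port)
        if key not in self.out_map:           # first packet of this flow
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving from the Internet: rewrite its destination back to
        the inside host, or return None if no inside host ever opened this
        port (the 'additional layer of security' the notes mention)."""
        if dst_ip != self.public_ip or dst_port not in self.in_map:
            return None
        inside_ip, inside_port = self.in_map[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)

def demo():
    """Constructed scenario: two inside hosts both use source port 50000 to
    reach the same web server; PAT keeps them apart by public port."""
    pat = PortAddressTranslator("203.0.113.1")
    a = pat.translate_outbound("192.168.1.10", 50000, "198.51.100.5", 80)
    b = pat.translate_outbound("192.168.1.11", 50000, "198.51.100.5", 80)
    reply_b = pat.translate_inbound("198.51.100.5", 80, "203.0.113.1", b[1])
    unsolicited = pat.translate_inbound("198.51.100.5", 80, "203.0.113.1", 9999)
    return a, b, reply_b, unsolicited
```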
The two different addressing schemes just mentioned are shown here: one on Layer 2, the data link layer of the OSI model, and the other on Layer 3, the network layer. The data link layer uses MAC addresses, while the network layer uses IP addresses, which can be in IPv4 or IPv6 format.
In order to deliver a message to any computer within our LAN, whether the packet originated from a computer within the LAN or was routed to our LAN from an outside network, we need to know the MAC address associated with the destination IP address.
This could be a wired connection using an Ethernet cable, for example, or a wireless connection. The Layer 2 (data link layer) frame header contains the source and destination MAC addresses, the protocol type (whether we're using IPv4 or IPv6), etc.
The receiving computer takes the data and moves it back up the stack one layer at a time. Layer one converts the electronic signals to digital bits and forwards the frame to layer two, the data link layer.
Layer two checks to make sure the destination MAC address matches its own MAC address, and if it does, it strips off the layer two header and forwards the data as a packet to layer three, the network layer.
Layer three checks to make sure the destination IP address matches its own IP address. If it does, it strips off the layer three header and sends the packet on up to layer four. If either the destination MAC address or the destination IP address does not match the receiving computer's MAC and IP address, the packet is discarded as not being intended for this system.
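The receive path described above, as an added example that is not part of the original notes: a raw Ethernet II frame carrying an IPv4 packet is checked at layer 2 (destination MAC, with the broadcast address also accepted), stripped, checked at layer 3 (destination IP), stripped again and handed up, or discarded at the layer where the check fails. The frame builder and all addresses are constructed for the demo.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def build_frame(dst_mac, src_mac, dst_ip, src_ip, payload):
    """Constructed test input: Ethernet II header + minimal 20-byte IPv4 header
    (header checksum left at zero) + payload."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + payload

def receive_frame(frame, my_mac, my_ip):
    """Walk a received frame up the stack as the notes describe.
    Returns (verdict, data handed to the next layer or None)."""
    # Layer 2: 14-byte Ethernet header = dst MAC, src MAC, EtherType.
    dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    dst_mac = ":".join(f"{b:02x}" for b in dst_mac)
    if dst_mac not in (my_mac, BROADCAST_MAC):   # broadcasts are for everyone
        return ("discarded at layer 2: MAC mismatch", None)
    packet = frame[14:]                            # strip the layer 2 header
    if ethertype != ETHERTYPE_IPV4:
        return ("layer 2 accepted, not IPv4", packet)
    # Layer 3: destination address sits at bytes 16..19 of the IPv4 header;
    # the IHL field says how long the header really is (options may follow).
    header_len = (packet[0] & 0x0F) * 4
    dst_ip = ".".join(str(b) for b in packet[16:20])
    if dst_ip != my_ip:
        return ("discarded at layer 3: IP mismatch", None)
    return ("delivered to layer 4", packet[header_len:])   # strip layer 3 header
```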
Two of the more common cables you'll see in networking are the coaxial cable and the twisted pair cable. Coaxial cables normally use an F type connector, while twisted pair cables usually use an RJ-45 connector.
Twisted pair cables are the most common cables used in local area networks, where the length of the cable doesn't need to exceed 100 meters.
Twisted pair Ethernet cables are rated for both speed and link length using a Cat rating system. Cat5, for example, is rated for transmission speeds of 100 megabits per second for up to 100 meters. Cat6 and Cat6a, on the other hand, are rated for network speeds of 1 and 10 gigabits per second respectively over the same distance.
Bridges are older network devices that do not permit devices to send and receive data at the same time; switches, on the other hand, are the most common modern network devices and do allow that. Remember, collision avoidance protocols are not critical to the smooth operation of modern networks.
Still, switches have limitations:
Network loops are still a problem
Might not improve performance with multicast and broadcast traffic
Cannot connect geographically dispersed networks
When a packet is sent from one computer to another, the packet header contains both the Layer 2 and the Layer 3 address. The packet is actually delivered to the Layer 2 (MAC) address, and the computer then verifies that the Layer 3 (IP) address in the header matches its own assigned IP address.
The system then checks to make sure the Layer 2 MAC address in the packet header matches that of the system, and if it does, it starts processing the packet. When we talk about broadcast domains, we're talking about the segment of the network that our computer is on.
To get more details about the protocol, you can use Wireshark to see what is being used by each command.
The first segment is the IP address and the second one the MAC address; this request uses the ARP protocol.
If a network server has more than one network interface card (NIC), the server will have the same number of MAC addresses assigned.
The previous command uses the ICMP protocol.
At point 7 we can see that the IP address really comes from the interface called eth0, in other words, our own device.
When we think of routing tables, it's natural to assume that they're just for routers. In reality, though, each and every computer connected to any network, whether it's an endpoint or a server, has its own routing table. You can explore your own routing table by using the command:
Here we have a broadcast domain called Network 1 which is connected to a Layer 3 device, in this case a router, but it could be a firewall or a switch. This router is also connected to Network 2, which is also Broadcast Domain 2, and Network 2 is connected by a second router to Network 3, which of course is a third broadcast domain.
So if a computer in Network 1 wants to send a packet to a device in Network 3, it only needs to have a default route configured pointing to its default gateway, which is port 1 of the first router. If, for example, device 1.8 wants to send a packet to device 3.6 in Network 3, the first router will then check its own routing table for the way to Network 3.
The default gateway has the purpose of forwarding messages coming from, or going to, external networks.
Also keep in mind that a directly connected route works so that the message is sent straight to a computer that is identified in the computer's routing table.
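The three-network topology above, as an added example that is not part of the original notes: each node (the host and both routers) has its own routing table, lookups use longest-prefix match, a directly connected route hands the packet straight to the destination while any other route hands it to a gateway, and the host only needs its own segment plus a default route. The addresses, interface names and tables are constructed to follow the notes (host 1.8, destination 3.6).

```python
import ipaddress

class RoutingTable:
    """Routes are (prefix, gateway, interface); gateway None = directly connected."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), gw, iface) for p, gw, iface in routes]

    def lookup(self, dst_ip):
        """Longest-prefix match. Returns (interface, next-hop IP) or None."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for net, gw, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        if best is None:
            return None
        _net, gw, iface = best
        # Directly connected: the frame goes straight to the destination's MAC.
        # Otherwise it goes to the gateway's MAC; the IP header is unchanged.
        return (iface, gw if gw is not None else str(dst))

# Constructed topology following the notes: three broadcast domains joined by
# two routers; the host only knows its own segment plus a default route.
TABLES = {
    "host-1.8": RoutingTable([("192.168.1.0/24", None, "eth0"),
                              ("0.0.0.0/0", "192.168.1.1", "eth0")]),   # default gw
    "router-1": RoutingTable([("192.168.1.0/24", None, "port1"),
                              ("192.168.2.0/24", None, "port2"),
                              ("192.168.3.0/24", "192.168.2.2", "port2")]),
    "router-2": RoutingTable([("192.168.2.0/24", None, "port1"),
                              ("192.168.3.0/24", None, "port2")]),
}
NODE_AT = {"192.168.1.1": "router-1", "192.168.2.2": "router-2"}   # gateway IPs

def trace(src_node, dst_ip, max_hops=8):
    """Follow one packet hop by hop; returns the next-hop IPs chosen on the way."""
    path, node = [], src_node
    for _ in range(max_hops):
        hop = TABLES[node].lookup(dst_ip)
        if hop is None:
            return path + ["no route"]
        _iface, next_ip = hop
        path.append(next_ip)
        if next_ip == dst_ip:            # delivered on a directly connected segment
            return path
        node = NODE_AT[next_ip]
    return path + ["hop limit reached"]
```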