TCP/IP Protocol Framework

Notes from week 1

Introduction to TCP/IP Framework

Regular routers and some firewalls filter packets statelessly. Stateless means that each packet is inspected one at a time with no knowledge of previous packets. No session table is maintained, so each packet is inspected independently of all other packets.

Main Uses

  • To protect routing engine resources.

  • To control traffic going in or out, at your organization.

  • For troubleshooting purposes.

  • To control traffic routing (through the use of routing instances).

  • To perform QoS/CoS (marking the traffic).

Stateful Inspection

Stateful inspection means that each packet is inspected with knowledge of all the other packets that have been sent or received in the same session. A session consists of all the packets exchanged between the parties during an exchange. Sessions are identified by a number of elements such as the source IP address, the destination IP address, the source port, the destination port, and in some cases an identifier for the instance if, for example, your router supports virtualization.

So what happens if we have both a stateless and stateful inspection? The stateless inspection is going to be performed first and then the stateful data will be evaluated.
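To make the stateless-first, stateful-second order concrete, here is an added example (not code from the notes or the course) of a minimal packet filter in Python. The stateless stage is a rule list with no memory; the stateful stage keeps a session table keyed on the 5-tuple, creates a session for packets leaving the inside network, and admits inbound packets only when they match the reverse of an existing session. The addresses, the "inside" prefix and the management-port rule are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


# Stateless rules: evaluated per packet with no memory of earlier packets.
# Each entry is (match predicate, action); the first match wins.
# 203.0.113.1 is a constructed sample address for the router itself.
STATELESS_RULES = [
    # Protect the routing engine: nobody reaches the router's SSH port.
    (lambda p: p.dst_ip == "203.0.113.1" and p.dst_port == 22, "drop"),
    (lambda p: True, "continue"),
]


def stateless_check(p):
    for predicate, action in STATELESS_RULES:
        if predicate(p):
            return action
    return "continue"


class StatefulFirewall:
    """Session table keyed on (proto, src_ip, src_port, dst_ip, dst_port)."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix  # e.g. "192.168." (constructed)
        self.sessions = set()

    def is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def process(self, p):
        # Stateless inspection runs first, as the notes describe.
        if stateless_check(p) == "drop":
            return "drop (stateless)"
        key = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if self.is_inside(p.src_ip):
            # Outbound packet from the inside: record the session.
            self.sessions.add(key)
            return "allow (new session)"
        if reverse in self.sessions:
            # Inbound packet that answers something we sent out.
            return "allow (reply to existing session)"
        # Inbound packet with no session behind it: unsolicited, dropped.
        return "drop (no session)"


if __name__ == "__main__":
    fw = StatefulFirewall("192.168.")
    print(fw.process(Packet("192.168.1.10", "198.51.100.7", 40000, 443)))
    print(fw.process(Packet("198.51.100.7", "192.168.1.10", 443, 40000)))
    print(fw.process(Packet("198.51.100.9", "192.168.1.10", 443, 40000)))
    print(fw.process(Packet("198.51.100.9", "203.0.113.1", 5000, 22)))
```

The third packet is the interesting one: it looks exactly like a legitimate reply (source port 443, destination port 40000) but comes from a host we never contacted, so a stateless filter that only looks at ports would pass it while the session table rejects it.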

Firewall Filters - IDS and IPS Systems

IDS - Intrusion Detection System

An IDS is a tool for detecting vulnerabilities in network security. It passively monitors traffic without taking direct action. Typically, an IDS is a server linked to a switch, which sends all traffic to the IDS for scrutiny. If suspicious activity is spotted, an alert is sent to the administrator.

Modern IDSs can, however, be set up to automatically trigger actions like blocking IP addresses. Yet, generally, they just notify the administrator to decide the next steps.

IPS - Intrusion Prevention System

An IPS actively takes action upon detecting irregularities. Unlike an IDS that merely receives a copy of network traffic, all traffic must pass through an IPS, leading to a potential delay in the network flow. Typically, an IPS is placed right after network devices like routers or firewalls, and some firewalls even double as an IPS.

Both IDS and IPS rely on various detection methods, with a common one being signature-based detection. This involves comparing network traffic patterns against a database of known threat signatures, alerting administrators if a match is found that might indicate malware presence.

Differences between IPS and IDS

Network Address Translation

  • Method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.

  • Gives you an additional layer of security.

  • Allows the IP network of an organization to appear from the outside to use a different IP address space than what it is actually using. Thus, NAT allows an organization with non-globally routable addresses to connect to the Internet by translating those addresses into a globally routable address space.

  • It has become a popular and essential tool for conserving global address space allocations in the face of IPv4 address exhaustion, by sharing one Internet-routable IP address of a NAT gateway with an entire private network.

Types of NAT

  • Static address translation (static NAT): Allows one-to-one mapping between local and global addresses.

  • Dynamic address translation (dynamic NAT): Maps unregistered IP addresses to registered IP addresses from a pool of registered IP addresses.

  • Overloading: Maps multiple unregistered IP addresses to a single registered IP address (many to one) using different ports. This method is also known as Port Address Translation (PAT). By using overloading, thousands of users can be connected to the Internet by using only one real global IP address.
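The following is an added example (not from the notes) that simulates two of the NAT types above in Python: a static one-to-one mapping and overloading/PAT, where many private (address, port) pairs share one public address and are told apart by the translated source port. All addresses are constructed sample values from documentation ranges. It also shows the "additional layer of security" point: an inbound packet whose destination port has no entry in the translation table is dropped because the gateway has no idea which inside host it would belong to.

```python
class StaticNat:
    """Static NAT: fixed one-to-one mapping between local and global addresses."""

    def __init__(self, mapping):
        self.local_to_global = dict(mapping)
        self.global_to_local = {g: l for l, g in mapping.items()}

    def outbound(self, local_ip):
        return self.local_to_global.get(local_ip)

    def inbound(self, global_ip):
        return self.global_to_local.get(global_ip)


class PortAddressTranslator:
    """Overloading / PAT: many inside (ip, port) pairs behind one public IP."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port          # next free translated port
        self.out_table = {}                  # (private_ip, private_port) -> public_port
        self.in_table = {}                   # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet's source; returns the translated 4-tuple."""
        key = (src_ip, src_port)
        if key not in self.out_table:
            public_port = self.next_port
            self.next_port += 1
            self.out_table[key] = public_port
            self.in_table[public_port] = key
        return (self.public_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving at the public IP on dst_port. Returns the rewritten
        4-tuple, or None when no mapping exists and the packet is dropped."""
        key = self.in_table.get(dst_port)
        if key is None:
            return None
        private_ip, private_port = key
        return (src_ip, src_port, private_ip, private_port)


if __name__ == "__main__":
    pat = PortAddressTranslator("203.0.113.5")  # constructed public address
    # Two inside hosts happen to pick the same source port 51000.
    print(pat.outbound("10.0.0.2", 51000, "198.51.100.7", 80))
    print(pat.outbound("10.0.0.3", 51000, "198.51.100.7", 80))
    print(pat.inbound("198.51.100.7", 80, 20001))   # reply to the second host
    print(pat.inbound("198.51.100.7", 80, 9999))    # unsolicited: None
```

Note that the two inside hosts using the same source port 51000 get distinct public ports (20000 and 20001); that per-port bookkeeping is what lets thousands of users share a single global address. A real gateway also expires idle entries and tracks the destination, which is omitted here.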

Network Protocols over Ethernet and Local Area Network

Local Area Network (LAN)

The two different addressing schemas just mentioned are shown here. One is on Layer 2, the data link layer of the OSI model, and the other on Layer 3, the network layer. The data link layer uses MAC addresses, while the network layer uses IP addresses, which can be in IPv4 or IPv6 format.

In order to deliver a message to any computer within our LAN, whether the packet originated from a computer within the LAN or was routed to our LAN from an outside network, we need to know the MAC address associated with the destination IP address.

> ping -c 1 www.google.com

Pinging www.google.com [2800:3f0:4003:c01::6a] with 32 bytes of data:
Reply from 2800:3f0:4003:c01::6a: time=21ms
Reply from 2800:3f0:4003:c01::6a: time=20ms
Reply from 2800:3f0:4003:c01::6a: time=15ms
Reply from 2800:3f0:4003:c01::6a: time=17ms

Ping statistics for 2800:3f0:4003:c01::6a:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 21ms, Average = 18ms

Ethernet and LAN - Ethernet Operations

This could be wired, using an Ethernet cable for example, or it could be a wireless connection. The frame header of layer two, the data link layer, contains the source and destination MAC addresses, the protocol type (whether we're using IPv4 or IPv6), etc.

The receiving computer takes the data and moves it back up the stack one layer at a time. Layer one converts the electronic signals to digital bits and forwards the frame to layer two, the data link layer.

Layer two checks to make sure the destination MAC address matches its own MAC address, and if it does, it strips off the layer two header and forwards the data as a packet to layer three, the network layer.

Layer three checks to make sure the destination IP address matches its IP address. If it does, it strips off the layer three header and sends the packet on up to layer four. If either the destination MAC address or the destination IP address does not match the receiving computer's MAC and IP address, the packet is discarded as not being intended for this system.
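The two checks just described, as an added Python example that is not part of the notes: a constructed Ethernet II frame carrying a minimal IPv4 header is handed to a receive routine that validates the destination MAC at layer two, strips that header, validates the destination IP at layer three, strips that header too, and only then hands the remaining bytes up to layer four. The MAC and IP values are the ones that appear in the `ip addr` and `ip neigh` output later on this page; the IPv4 header checksum is left at zero because this is a constructed sample, not a captured frame.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = b"\xff" * 6
ETH_FMT = "!6s6sH"                    # dst MAC, src MAC, EtherType (14 bytes)
IPV4_FMT = "!BBHHHBBH4s4s"            # fixed 20-byte IPv4 header

# Sample addresses taken from the `ip addr` / `ip neigh` output on this page.
MY_MAC = bytes.fromhex("ba30873d26a1")
MY_IP = bytes([192, 168, 65, 4])
PEER_MAC = bytes.fromhex("3abf21d6bc41")
PEER_IP = bytes([192, 168, 65, 5])


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_frame(dst_mac, src_mac, dst_ip, src_ip, payload, proto=17):
    """Constructed sample frame: Ethernet II + IPv4 (no options) + payload."""
    eth = struct.pack(ETH_FMT, dst_mac, src_mac, ETHERTYPE_IPV4)
    total_len = 20 + len(payload)
    # version/IHL=0x45, TOS=0, id=0, flags/frag=0, TTL=64, checksum left 0 here
    ipv4 = struct.pack(IPV4_FMT, 0x45, 0, total_len, 0, 0, 64, proto, 0, src_ip, dst_ip)
    return eth + ipv4 + payload


def receive(frame, my_mac, my_ip):
    """Walk a received frame up the stack; returns ('deliver', info) or ('drop', why)."""
    # Layer 1 has already turned signals into these bytes; layer 2 starts here.
    if len(frame) < 14:
        return ("drop", "runt frame")
    dst_mac, src_mac, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if dst_mac not in (my_mac, BROADCAST_MAC):
        return ("drop", f"destination MAC {mac_str(dst_mac)} is not ours")
    packet = frame[14:]                                   # strip the layer-2 header
    if ethertype != ETHERTYPE_IPV4:
        return ("drop", f"unhandled EtherType 0x{ethertype:04x}")

    # Layer 3.
    if len(packet) < 20:
        return ("drop", "short IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = struct.unpack(
        IPV4_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        return ("drop", "not IPv4")
    header_len = (ver_ihl & 0x0F) * 4
    if dst_ip != my_ip:
        return ("drop", f"destination IP {ip_str(dst_ip)} is not ours")
    segment = packet[header_len:total_len]                # strip the layer-3 header
    # Everything left belongs to layer 4 (proto 17 = UDP, 6 = TCP, 1 = ICMP).
    return ("deliver", {"proto": proto, "ttl": ttl,
                        "src_mac": mac_str(src_mac), "src_ip": ip_str(src_ip),
                        "payload": segment})


if __name__ == "__main__":
    ok = build_frame(MY_MAC, PEER_MAC, MY_IP, PEER_IP, b"hello")
    print(receive(ok, MY_MAC, MY_IP))
    wrong_mac = build_frame(bytes.fromhex("020000000001"), PEER_MAC, MY_IP, PEER_IP, b"x")
    print(receive(wrong_mac, MY_MAC, MY_IP))
    wrong_ip = build_frame(MY_MAC, PEER_MAC, bytes([192, 168, 65, 9]), PEER_IP, b"x")
    print(receive(wrong_ip, MY_MAC, MY_IP))
```

The broadcast MAC is accepted at layer two in addition to the host's own address; that is the one addition to the rule as the notes state it, since ARP requests (covered below) arrive exactly that way.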

MAC Address Structure

Ethernet and LAN - Network Devices

Two of the more common cables you'll see in networking are the coaxial cable and the twisted pair cable. Coaxial cables normally use an F type connector, while twisted pair cables usually use an RJ-45 connector.

Twisted Pair Cabling

Twisted pair cables are the most common cables used in local area networks, where the cable length does not need to exceed 100 meters.

Twisted Pair Cabling

Twisted pair Ethernet cables are rated for both speed and length using a category (Cat) rating system. Cat5, for example, is rated for transmission speeds of 100 megabits per second for up to 100 meters. Cat6 and Cat6a, on the other hand, are rated for network speeds of 1 and 10 gigabits per second respectively over the same distance.

Coaxial Cables

Types of networks

Bridges are older network devices that do not allow devices to send and receive data at the same time; switches, on the other hand, are the most common modern network device and do allow that. Remember, collision avoidance protocols are not critical to the smooth operation of modern networks.

Still, Switches have limitations:

  • Network loops are still a problem

  • Might not improve performance with multicast and broadcast traffic

  • Cannot connect geographically dispersed networks

Basics of Routing and Switching, Network Packets and Structures

Layer 2 and Layer 3 - Network Addressing

When a packet is sent from one computer to another, the packet header will contain both the layer 2 and the layer 3 address. The packet is actually delivered to the layer 2 or MAC address, and the computer then verifies that the layer 3 or IP address in the header matches its own assigned IP address.

The system first checks to make sure the layer 2 MAC address in the packet header matches that of the system, and if it does, it starts processing the packet. When we talk about broadcast domains, we're talking about the segment of the network that our computer is on.

Image from the presentation

Address Resolution Protocol

To get more details about the protocol, you can use Wireshark to see what is being used by each command.

> ip neigh show
192.168.65.5 dev eth0 lladdr 3a:bf:21:d6:bc:41 REACHABLE

The first field is the IP address and the second one the MAC address; this lookup uses the ARP protocol.

If a network server has more than one Network Interface Card (NIC), the server will have the same number of MAC addresses assigned.
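Below is an added example (not from the notes) that encodes and decodes the ARP exchange behind that `ip neigh` entry in Python: host A (192.168.65.4) broadcasts a request asking who owns 192.168.65.5, host B answers with a reply only if the target IP is its own, and A records the learned pair in its neighbour table, which ends up holding exactly the IP-to-MAC line shown above. The two hosts and their addresses are taken from the `ip addr` and `ip neigh` output on this page; the Ethernet framing around the 28-byte ARP body is omitted to keep the focus on the ARP fields.

```python
import struct

HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
ZERO_MAC = bytes(6)          # target MAC in a request: "I don't know it yet"

# Sample hosts built from the addresses in the output on this page.
HOST_A_MAC = bytes.fromhex("ba30873d26a1")
HOST_A_IP = bytes([192, 168, 65, 4])
HOST_B_MAC = bytes.fromhex("3abf21d6bc41")
HOST_B_IP = bytes([192, 168, 65, 5])


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       sender_mac, sender_ip, target_mac, target_ip)


def parse_arp(data):
    """Decode an Ethernet/IPv4 ARP body; rejects anything else."""
    if len(data) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": sha, "sender_ip": spa,
            "target_mac": tha, "target_ip": tpa}


def answer_request(request, my_mac, my_ip):
    """What a host does with a received request: reply only if the IP is ours."""
    req = parse_arp(request)
    if req["op"] != ARP_REQUEST or req["target_ip"] != my_ip:
        return None
    # Reply goes back unicast to whoever asked, carrying our MAC as the sender.
    return build_arp(ARP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


def learn_from_reply(reply, neighbours):
    """Record sender IP -> sender MAC from a reply, like the `ip neigh` table."""
    rep = parse_arp(reply)
    if rep["op"] != ARP_REPLY:
        return None
    entry = (ip_str(rep["sender_ip"]), mac_str(rep["sender_mac"]))
    neighbours[entry[0]] = entry[1]
    return entry


def resolve(target_ip, neighbours):
    """Full exchange on one wire: A asks, B answers if it owns the IP, A caches."""
    request = build_arp(ARP_REQUEST, HOST_A_MAC, HOST_A_IP, ZERO_MAC, target_ip)
    reply = answer_request(request, HOST_B_MAC, HOST_B_IP)
    if reply is None:           # nobody on the segment owns target_ip
        return None
    return learn_from_reply(reply, neighbours)


if __name__ == "__main__":
    table = {}
    print(resolve(HOST_B_IP, table))               # ('192.168.65.5', '3a:bf:21:d6:bc:41')
    print(resolve(bytes([192, 168, 65, 9]), table))  # None, no host owns .9
    for ip, mac in table.items():
        print(f"{ip} lladdr {mac}")
```

A multi-NIC server, as the sentence above notes, would answer with whichever MAC belongs to the interface that holds the requested IP, so the same `resolve` against each of its addresses yields a different MAC per interface.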

> ping -c 1 192.168.65.5

PING 192.168.65.5 (192.168.65.5) 56(84) bytes of data.
64 bytes from 192.168.65.5: icmp_seq=1 ttl=64 time=0.093 ms

--- 192.168.65.5 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.093/0.093/0.093/0.000 ms

The previous command uses the ICMP protocol.

> ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:cc:38:b4:67 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
7: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether ba:30:87:3d:26:a1 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.65.4 peer 192.168.65.5/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::b830:87ff:fe3d:26a1/64 scope link
       valid_lft forever preferred_lft forever

Entry 7 shows that the IP address 192.168.65.4 belongs to the interface called eth0, in other words, our own device.

Routers and Routing Tables

When we think of routing tables, it's natural to assume that they're just for routers. In reality though, each and every computer connected to any network, whether it's an endpoint or a server, has its own routing table. You can explore your own routing table by using the command:

> netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.65.5    0.0.0.0         UG        0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.65.5    0.0.0.0         255.255.255.255 UH        0 0          0 eth0

Here we have a broadcast domain called Network 1 which is connected to a Layer 3 device, in this case a router, but it could be a firewall or a switch. This router is also connected to Network 2, which is also Broadcast Domain 2. And Network 2 is connected by a second router to Network 3, which of course is a third Broadcast Domain.

So if a computer in Network 1 wants to send a packet to a device in Network 3, it only needs to have a default route configured pointing to its default gateway, which is port 1 of the first router. That router then consults its own routing table to forward the packet; for example, device 1.8 in Network 1 sending a packet to device 3.6 in Network 3.

The default gateway has the purpose of forwarding messages coming from, or going to, external networks.

And, to keep in mind, a direct connection works in a way that the message is sent straight to a computer that is identified in the sending computer's routing table, with no gateway in between.
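As an added example (not part of the notes), here is the lookup a host performs against the `netstat -nr` table shown above, in Python: the table is parsed into networks, the destination is matched against every entry, the most specific match (longest prefix) wins, and the `G` flag decides whether the packet goes straight to the destination (direct connection) or to the gateway listed in the entry (the default route). The table text is the one on this page; the destinations queried are constructed.

```python
import ipaddress

# Routing table exactly as printed by `netstat -nr` above.
ROUTES_TEXT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.65.5    0.0.0.0         UG        0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.65.5    0.0.0.0         255.255.255.255 UH        0 0          0 eth0
"""


def parse_routes(text):
    """Turn the netstat listing into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        if not line[:1].isdigit():        # skip the title and header lines
            continue
        dest, gateway, genmask, flags, *_counters, iface = line.split()
        # ip_network accepts a dotted netmask: 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
        network = ipaddress.ip_network(f"{dest}/{genmask}")
        routes.append((network, gateway, flags, iface))
    return routes


def lookup(routes, destination):
    """Longest-prefix match; returns where the packet is sent next, or None."""
    addr = ipaddress.ip_address(destination)
    best = None
    for network, gateway, flags, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, flags, iface)
    if best is None:
        return None                      # no route, not even a default: unreachable
    network, gateway, flags, iface = best
    via_gateway = "G" in flags           # U = up, G = gateway, H = host route
    return {
        "network": str(network),
        "iface": iface,
        "direct": not via_gateway,
        # Direct: deliver to the destination itself (ARP for it on iface).
        # Via gateway: hand the packet to the gateway's MAC instead.
        "next_hop": gateway if via_gateway else destination,
    }


ROUTES = parse_routes(ROUTES_TEXT)

if __name__ == "__main__":
    for dst in ("172.17.0.9", "192.168.65.5", "8.8.8.8"):
        print(dst, "->", lookup(ROUTES, dst))
```

The third query is the default-route case from the paragraph above: 8.8.8.8 matches only 0.0.0.0/0, so the packet is handed to 192.168.65.5, the default gateway, which in turn does its own lookup.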
