Network Communications Protocols For Cyber Security: The Facts

Simply having a wired or wireless physical connection between end devices is not enough to enable communication. For communication to occur, devices must know “how” to communicate. Communication, whether face-to-face or over a network, is governed by rules called protocols. These protocols are specific to the type of communication method occurring.

For example, consider two people communicating face-to-face. Prior to communicating, they must agree on how to communicate. If the communication is using voice, they must first agree on the language. Next, when they have a message to share, they must be able to format that message in a way that is understandable. For example, if someone uses the English language, but has poor sentence structure, the message can easily be misunderstood.

Similarly, network protocols specify many features of network communication, as shown in the figure.

Network Protocols

Network protocols provide the means for computers to communicate on networks. Network protocols dictate the message encoding, formatting, encapsulation, size, timing, and delivery options. Networking protocols define a common format and set of rules for exchanging messages between devices. Some common networking protocols are Hypertext Transfer Protocol (HTTP), Transmission Control Protocol (TCP), and Internet Protocol (IP). As a cybersecurity analyst, you must be very familiar with the structure of protocol data and how the protocols function in network communications.
Note: IP in this course refers to both the IPv4 and IPv6 protocols. IPv6 is the most recent version of IP and will eventually replace the more common IPv4.

The TCP/IP Protocol Suite

Today, the TCP/IP protocol suite includes many protocols and continues to evolve to support new services. Some of the more popular ones are shown in the figure.

TCP/IP is the protocol suite used by the internet and the networks of today. TCP/IP has two important aspects for vendors and manufacturers:

Open standard protocol suite – This means it is freely available to the public and can be used by any vendor on their hardware or in their software.
Standards-based protocol suite – This means it has been endorsed by the networking industry and approved by a standards organization. This ensures that products from different manufacturers can interoperate successfully.

Click each button for a brief description of protocols at each layer.

Application Layer

Transport layer

Internet Layer

Network Access Layer

Application Layer
Name System

DNS – Domain Name System. Translates domain names such as cisco.com, into IP addresses.

Host Config

DHCPv4 – Dynamic Host Configuration Protocol for IPv4. A DHCPv4 server dynamically assigns IPv4 addressing information to DHCPv4 clients at start-up and allows the addresses to be re-used when no longer needed.
DHCPv6 – Dynamic Host Configuration Protocol for IPv6. DHCPv6 is similar to DHCPv4. A DHCPv6 server dynamically assigns IPv6 addressing information to DHCPv6 clients at start-up.
SLAAC – Stateless Address Autoconfiguration. A method that allows a device to obtain its IPv6 addressing information without using a DHCPv6 server.

Email

SMTP – Simple Mail Transfer Protocol. Enables clients to send email to a mail server and enables servers to send email to other servers.
POP3 – Post Office Protocol version 3. Enables clients to retrieve email from a mail server and download the email to the client’s local mail application.
IMAP – Internet Message Access Protocol. Enables clients to access email stored on a mail server as well as maintaining email on the server.

File Transfer

FTP – File Transfer Protocol. Sets the rules that enable a user on one host to access and transfer files to and from another host over a network. FTP is a reliable, connection-oriented, and acknowledged file delivery protocol.
SFTP – SSH File Transfer Protocol. As an extension to Secure Shell (SSH) protocol, SFTP can be used to establish a secure file transfer session in which the file transfer is encrypted. SSH is a method for secure remote login that is typically used for accessing the command line of a device.
TFTP – Trivial File Transfer Protocol. A simple, connectionless file transfer protocol with best-effort, unacknowledged file delivery. It uses less overhead than FTP.

Web and Web Service

HTTP – Hypertext Transfer Protocol. A set of rules for exchanging text, graphic images, sound, video, and other multimedia files on the World Wide Web.
HTTPS – HTTP Secure. A secure form of HTTP that encrypts the data that is exchanged over the World Wide Web.
REST – Representational State Transfer. A web service that uses application programming interfaces (APIs) and HTTP requests to create web applications.

Transport layer

Connection-Oriented

TCP – Transmission Control Protocol. Enables reliable communication between processes running on separate hosts and provides reliable, acknowledged transmissions that confirm successful delivery.

Connectionless

UDP – User Datagram Protocol. Enables a process running on one host to send packets to a process running on another host. However, UDP does not confirm successful datagram transmission.

Internet Layer

Internet Protocol

IPv4 – Internet Protocol version 4. Receives message segments from the transport layer, packages messages into packets, and addresses packets for end-to-end delivery over a network. IPv4 uses a 32-bit address.
IPv6 – IP version 6. Similar to IPv4 but uses a 128-bit address.
NAT – Network Address Translation. Translates IPv4 addresses from a private network into globally unique public IPv4 addresses.

Messaging

ICMPv4 – Internet Control Message Protocol for IPv4. Provides feedback from a destination host to a source host about errors in packet delivery.
ICMPv6 – ICMP for IPv6. Similar functionality to ICMPv4 but is used for IPv6 packets.
ICMPv6 ND – ICMPv6 Neighbor Discovery. Includes four protocol messages that are used for address resolution and duplicate address detection.

Routing Protocols

OSPF – Open Shortest Path First. Link-state routing protocol that uses a hierarchical design based on areas. OSPF is an open standard interior routing protocol.
EIGRP – EIGRP – Enhanced Interior Gateway Routing Protocol. An open standard routing protocol developed by Cisco that uses a composite metric based on bandwidth, delay, load and reliability.
BGP – Border Gateway Protocol. An open standard exterior gateway routing protocol used between Internet Service Providers (ISPs). BGP is also commonly used between ISPs and their large private clients to exchange routing information.

Powered by Inline Related Posts

Network Access Layer

Address Resolution

ARP – Address Resolution Protocol. Provides dynamic address mapping between an IPv4 address and a hardware address.Note: You may see other documentation state that ARP operates at the Internet Layer (OSI Layer 3). However, in this course we state that ARP operates at the Network Access layer (OSI Layer 2) because it’s primary purpose is the discover the MAC address of the destination. A MAC address is a Layer 2 address.

Data Link Protocols

Ethernet – Defines the rules for wiring and signaling standards of the network access layer.
WLAN – Wireless Local Area Network. Defines the rules for wireless signaling across the 2.4 GHz and 5 GHz radio frequencies.

Message Formatting and Encapsulation

When a message is sent from source to destination, it must use a specific format or structure. Message formats depend on the type of message and the channel that is used to deliver the message.

Analogy
A common example of requiring the correct format in human communications is when sending a letter. Click Play in the figure to view an animation of formatting and encapsulating a letter.
An envelope has the address of the sender and receiver, each located at the proper place on the envelope. If the destination address and formatting are not correct, the letter is not delivered.
The process of placing one message format (the letter) inside another message format (the envelope) is called encapsulation. De-encapsulation occurs when the process is reversed by the recipient and the letter is removed from the envelope.

Message Size

Another rule of communication is message size.

Analogy
Click Play in the figure to view an animation of message size in face-to-face communications.
When people communicate with each other, the messages that they send are usually broken into smaller parts or sentences. These sentences are limited in size to what the receiving person can process at one time, as shown in the figure. It also makes it easier for the receiver to read and comprehend.

Message Timing

Message timing is also very important in network communications. Message timing includes the following:

Flow Control – This is the process of managing the rate of data transmission. Flow control defines how much information can be sent and the speed at which it can be delivered. For example, if one person speaks too quickly, it may be difficult for the receiver to hear and understand the message. In network communication, there are network protocols used by the source and destination devices to negotiate and manage the flow of information.
Response Timeout – If a person asks a question and does not hear a response within an acceptable amount of time, the person assumes that no answer is coming and reacts accordingly. The person may repeat the question or instead, may go on with the conversation. Hosts on the network use network protocols that specify how long to wait for responses and what action to take if a response timeout occurs.
Access method – This determines when someone can send a message. Click Play in the figure to see an animation of two people talking at the same time, then a “collision of information” occurs, and it is necessary for the two to back off and start again. Likewise, when a device wants to transmit on a wireless LAN, it is necessary for the WLAN network interface card (NIC) to determine whether the wireless medium is available.

Unicast, Multicast, and Broadcast

A message can be delivered in different ways. Sometimes, a person wants to communicate information to a single individual. At other times, the person may need to send information to a group of people at the same time, or even to all people in the same area.
Hosts on a network use similar delivery options to communicate. These methods of communication are called unicast, multicast, and broadcast.

Unicast

Multicast

Broadcast

A one-to-one delivery option is referred to as a unicast, meaning there is only a single destination for the message.

The Benefits of Using a Layered Model

You cannot actually watch real packets travel across a real network the way you can watch the components of a car being put together on an assembly line. so, it helps to have a way of thinking about a network so that you can imagine what is happening. A model is useful in these situations.
Complex concepts such as how a network operates can be difficult to explain and understand. For this reason, a layered model is used to modularize the operations of a network into manageable layers.
These are the benefits of using a layered model to describe network protocols and operations:

Assisting in protocol design because protocols that operate at a specific layer have defined information that they act upon and a defined interface to the layers above and below
Fostering competition because products from different vendors can work together
Preventing technology or capability changes in one layer from affecting other layers above and below
Providing a common language to describe networking functions and capabilities

As shown in the figure, there are two-layered models that are used to describe network operations:

Open System Interconnection (OSI) Reference Model
TCP/IP Reference Model

The OSI Reference Model

The OSI reference model provides an extensive list of functions and services that can occur at each layer. This type of model provides consistency within all types of network protocols and services by describing what must be done at a particular layer, but not prescribing how it should be accomplished.
It also describes the interaction of each layer with the layers directly above and below.

The TCP/IP protocols discussed in this course are structured around both the OSI and TCP/IP models. The table shows details about each layer of the OSI model. The functionality of each layer and the relationship between layers will become more evident throughout this course as the protocols are discussed in more detail.

OSI Model Layer	Description
7 – Application	The application layer contains protocols used for process-to-process communications.
6 – Presentation	The presentation layer provides for common representation of the data transferred between application layer services.
5 – Session	The session layer provides services to the presentation layer to organize its dialogue and to manage data exchange.
4 – Transport	The transport layer defines services to segment, transfer, and reassemble the data for individual communications between the end devices.
3 – Network	The network layer provides services to exchange the individual pieces of data over the network between identified end devices.
2 – Data Link	The data link layer protocols describe methods for exchanging data frames between devices over a common media
1 – Physical	The physical layer protocols describe the mechanical, electrical, functional, and procedural means to activate, maintain, and de-activate physical connections for a bit transmission to and from a network device.

Powered by Inline Related Posts

Note: Whereas the TCP/IP model layers are referred to only by name, the seven OSI model layers are more often referred to by number rather than by name. For instance, the physical layer is referred to as Layer 1 of the OSI model, the data link layer is Layer 2, and so on.

The TCP/IP Protocol Model

The TCP/IP protocol model for internetwork communications was created in the early 1970s and is sometimes referred to as the internet model. This type of model closely matches the structure of a particular protocol suite. The TCP/IP model is a protocol model because it describes the functions that occur at each layer of protocols within the TCP/IP suite. TCP/IP is also used as a reference model. The table shows details about each layer of the OSI model.

TCP/IP Model Layer	Description
4 – Application	Represents data to the user, plus encoding and dialog control.
3 – Transport	Supports communication between various devices across diverse networks.
2 – Internet	Determines the best path through the network.
1 – Network Access	Controls the hardware devices and media that make up the network.

The definitions of the standard and the TCP/IP protocols are discussed in a public forum and defined in a publicly available set of IETF request for comment (RFC) documents. An RFC is authored by networking engineers and sent to other IETF members for comments.

Facts About Network Communication Process

Networks of Many Sizes

First and foremost, networks come in all sizes. They range from simple networks that consist of two computers to networks connecting millions of devices. Simple home networks let you share resources, such as printers, documents, pictures, and music, among a few local end devices. In this article, I want to discuss some facts about a network communication process.

Small office and home office (SOHO) networks allow people to work from home or a remote office. Many self-employed workers use these types of networks to advertise and sell products, order supplies and communicate with customers.
Businesses and large organizations use networks to provide consolidation, storage, and access to information on network servers. Networks provide email, instant messaging, and collaboration among employees. Many organizations use their network’s connection to the internet to provide products and services to customers.
The internet is the largest network in existence. In fact, the term internet means a “network of networks”. It is a collection of interconnected private and public networks.
In small businesses and homes, many computers function as both servers and clients on the network. This type of network is called a peer-to-peer network.

Small Home Networks

Small home networks connect a few computers to each other and to the internet.

Client-Server Communications

All computers that are connected to a network and that participate directly in network communication are classified as hosts. Hosts are also called end devices, endpoints, or nodes. Much of the interaction between end devices is client-server traffic. For example, when you access a web page on the internet, your web browser (the client) is accessing a server. When you send an email message, your email client will connect to an email server.

Servers are simply computers with specialized software. This software enables servers to provide information to other end devices on the network. A server can be single-purpose, providing only one service, such as web pages. A server can be multipurpose, providing a variety of services such as web pages, email, and file transfers.

Client computers have software installed, such as web browsers, email clients, and file transfers applications. This software enables them to request and display the information obtained from the server. A single computer can also run multiple types of client software. For example, a user can check email and view a web page while listening to the internet radio.

File Server – The file server stores corporate and user files in a central location.
Web Server – The web server runs web server software that allows many computers to access web pages.
Email Server – The email server runs email server software that enables emails to be sent and received.

The File Server stores corporate and user files in a central location. The client devices access these files with client software such as Windows Explorer.
The Web Server runs web server software and clients use their browser software, such as Windows Microsoft Edge, to access web pages on the server.
The Email Server runs email server software and clients use their mail client software, such as Microsoft Outlook, to access email on the server.

Typical Sessions

A typical network user at school, at home, or in the office, will normally use some type of computing device to establish many connections with network servers. Those servers could be located in the same room or around the world. Let’s look at a few typical network communication sessions.

Student

Terry is a high school student whose school has recently started a “bring your own device” (BYOD) program. Students are encouraged to use their cell phones or other devices such as tablets or laptops to access learning resources. Terry has just been given an assignment in language arts class to research the effects of World War I on the literature and art of the time. She enters the search terms she has chosen into a search engine app that she has opened on her cell phone.

Terry has connected her phone to the school Wi-Fi network. Her search is submitted from her phone to the school network wirelessly. Before her search can be sent, the data must be addressed so that it can find its way back to Terry. Her search terms are then represented as a string of binary data that has been encoded into radio waves. Her search string is then converted to electrical signals that travel on the school’s wired network until they reach the place at which the school’s network connects to the Internet Service Provider’s (ISP) network. A combination of technologies takes Terry’s search to the search engine website.

For example, Terry’s data flow with the data of thousands of other users along with a fibre-optic network that connects Terry’s ISP with several other ISPs, including the ISP that is used by the search engine company. Eventually, Terry’s search string enters the search engine company’s website and is processed by its powerful servers. The results are then encoded and addressed to Terry’s school and her device.
All of these transitions and connections happen in a fraction of a second, and Terry has started on her path to learning about her subject.

Gamer

Michelle loves computer games. She has a powerful gaming console that she uses to play games against other players, watch movies, and play music. Michelle connects her game console directly to her network with a copper network cable.

Powered by Inline Related Posts

Michelle’s network, like many home networks, connects to an ISP using a router and a cable modem. These devices allow Michelle’s home network to connect to a cable TV network that belongs to Michelle’s ISP. The cable wires for Michelle’s neighbourhood all connect to a central point on a telephone pole and then connect to a fibre-optic network. This fibre-optic network connects many neighbourhoods that are served by Michelle’s ISP.

All those fibre-optic cables connect to telecommunications services that provide access to high-capacity connections. These connections allow thousands of users in homes, government offices, and businesses to connect to internet destinations around the world.

Michelle has connected her game console to a company that hosts a very popular online game. Michelle is registered with the company, and its servers keep track of Michelle’s scores, experiences, and game assets. Michelle’s actions in her game become data that is sent to the gamer network. Michelle’s moves are broken up into groups of binary data that each consists of a string of zeros and ones. Information that identifies Michelle, the game she is playing, and Michelle’s network location are added to the game data. The pieces of data that represent Michelle’s gameplay are sent at high speed to the game provider’s network. The results are returned to Michelle in the form of graphics and sounds.

All of this happens so quickly that Michelle can compete with hundreds of other gamers in real-time.

Surgeon

Dr Ismael Awad is an oncologist who performs surgery on cancer patients. He frequently needs to consult with radiologists and other specialists on patient cases. The hospital that Dr Awad works for subscribes to a special service called a cloud. The cloud allows medical data, including patient x-rays and MRIs to be stored in a central location that is accessed over the internet. In this way, the hospital does not need to manage paper patient records and X-ray films.

When a patient has an X-ray taken, the image is digitized as computer data. The X-ray is then prepared by hospital computers to be sent to the medical cloud service. Because security is very important when working with medical data, the hospital uses network services that encrypt the image data and patient information. This encrypted data cannot be intercepted and read as it travels across the internet to the cloud service provider’s data centres. The data is addressed so that it can be routed to the cloud provider’s data centre to reach the correct services that provide storage and retrieval of high-resolution digital images.

Dr. Awad and the patient’s care team can connect to this special service, meet with other doctors in audio conferences and discuss patient records to decide on the best treatment that can be provided to the patient. Dr Awad can work with specialists from diverse locations to view the medical images and other patient data and discuss the case.

All of this interaction is digital and takes place using networked services that are provided by the medical cloud service.

Tracing the Path

We tend to think about the data networks we use in our daily lives as we think about driving a car. We do not really care what happens in the engine as long as the car takes us where we want to go. However, just like a car’s mechanic knows the details of how a car operates, cybersecurity analysts need to have a deep understanding of how networks operate.

When we connect to a website to read social media or shop, we seldom care about how our data gets to the website and how data from the website gets to us. We are not aware of the many technologies that enable us to use the internet. A combination of copper and fibre-optic cables that go over land and under the ocean carry data traffic. High-speed wireless and satellite technologies are also used. These connections connect telecommunications facilities and internet service providers (ISP) that are distributed throughout the world, as shown in the figure.

These global Tier 1 and Tier 2 ISPs connect portions of the internet together, usually through an Internet Exchange Point (IXP). Larger networks will connect to Tier 2 networks through a Point of Presence (PoP), which is usually a location in the building where physical connections to the ISP are made. The Tier 3 ISPs connect homes and businesses to the internet.

Because of different relationships between ISPs and telecommunications companies, traffic from a computer to an internet server can take many paths. The traffic of a user in one country can take a very indirect path to reach its destination. The traffic might first travel from the local ISP to a facility that has connections to many other ISPs. A user’s internet traffic can go many hundreds of miles in one direction only to be routed in a completely different direction to reach its destination. Some of the traffic can take certain routes to reach the destination, and then take completely different routes to return.

Cybersecurity analysts must be able to determine the origin of traffic that enters the network and the destination of traffic that leaves it. Understanding the path that network traffic takes is essential to this.