Foundation Certificate in Cyber Security (FCCS)
The course is part of this learning path
This course introduces the basic ideas of computing, networking, communications, security, and virtualization and will provide you with an important foundation for the rest of the course.
The objectives of this course are to provide you with an understanding of:
- Computer system components, operating systems (Windows, Linux and Mac), different types of storage, file systems (FAT and NTFS), memory management, and the core concepts and definitions used in information security
- Switched networks, packet switching vs circuit switching, packet routing and delivery, internetworking standards, the OSI model and its 7 layers, and the benefits of information security
- The TCP/IP protocol suite, types of addresses (physical address, logical address, IPv4, IPv6, port address, specific address), network access control, and how an organization can make information security an integral part of its business
- Network fundamentals, network types (advantages and disadvantages), WAN vs LAN, DHCP
- How data travels across the internet: end-to-end examples for web browsing, sending emails and using applications, explaining internet architecture, routing and DNS
- Secure planning, policies and mechanisms; Active Directory structure; an introduction to Group Policy (containers, templates, GPOs); security at the network layers: IPsec, SSL/TLS (flaws and comparisons), SSH; firewalls (packet filtering, stateful inspection), application gateways and ACLs
- VoIP, wireless LAN, network analysis and sniffing, Wireshark
- Virtualisation definitions, virtualisation models and terminology, virtual platforms; what cloud computing is, cloud essentials, cloud service models, security and privacy in the cloud, multi-tenancy issues, infrastructure vs data security, privacy concerns
This course is ideal for members of cybersecurity management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific pre-requisites to study this course, however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org if you are unsure about where to start or if you would like help getting started.
Welcome to this video on network communications, in particular the TCP/IP suite.
In this video, you’ll learn about the fundamental concepts involved with network communication and discuss the underpinnings of the TCP/IP suite. You’ll cover:
- The TCP/IP suite, compared to the OSI 7 Layer Model
- Address Types
- Port Numbers
- DNS & NAT
The TCP/IP (Transmission Control Protocol/Internet Protocol) suite is the model used in computer networks to provide end-to-end data communication. It is similar to the OSI seven layer model for network communication, although it doesn't match it exactly.
In a direct comparison with the OSI 7 layer model, you can see that five of the OSI layer names reappear in the TCP/IP suite: physical and data link (usually combined as the link layer), network (or internet), transport, and application. You may hear that the TCP/IP protocol suite has 4 layers, and sometimes 5 layers; both are correct, depending on whether physical and data link are counted separately.
The fundamental concept underpinning TCP/IP is that the IP address is the unique logical identifier for a device that is connected to the network.
This diagram shows a breakdown of the protocols available at the different layers of the TCP/IP suite. The diagram shows how the 7 layers of the OSI model are grouped in the TCP/IP model. As you can see, the OSI layers named Data Link and Physical are grouped together at the bottom. At the top, we can see that the OSI layers named Application, Presentation and Session are all grouped together, making up the Application layer in the TCP/IP suite.
Like the OSI model, each layer has a different purpose:
The Data Link/Physical layer, sometimes known simply as the Link Layer, is the lowest layer in the suite. It moves frames between the network layers of two hosts on the same link.
The Network (Internet) Layer is used to send data packets across networks.
The Transport Layer creates the data channels that applications use to exchange data.
The Application Layer contains the protocols that are used by applications to allow user services to exchange application data, such as websites and emails.
In the same way that the postal service functions by knowing street addresses, networks must have a way in which senders and recipients of communications data can be uniquely identified, to ensure that the data is delivered to the correct address.
There are several addressing schemes available, some of which have been already looked at, such as MAC addresses and IP addresses.
There are further address schemes that serve specific purposes. Port addresses are associated with applications and help in routing communications data to the correct application on the receiving computer. The Domain Name System, or DNS, is a way of mapping website addresses, which are in plain language that humans can understand, to IP addresses, which are numerical and can be understood by computers.
Windows Internet Naming Service, or WINS, is a name resolution service for Windows networks that maps hostnames on a network to their IP addresses. Again, this involves the conversion of one type of address to another: WINS converts NetBIOS names, which are the unique names (specific addresses) assigned to computers within a LAN, to IP addresses on a LAN or WAN.
This diagram shows which types of address scheme can be applied at the different layers of the TCP/IP suite.
The link layer uses the physical address, the network layer uses the logical address, the transport layer uses the port address, and the application layer uses a specific address (such as a URL or e-mail address).
I will now move on to examining some of these address schemes in more detail.
A Media Access Control, or MAC, address is the unique identifier of a Network Interface Controller (NIC); it is also known as the 'link address'. A MAC address is used as a local address; however, it is intended to be globally unique, as each NIC manufacturer is assigned its own block of addresses (an Organizationally Unique Identifier, which forms the first 3 bytes) and should assign a distinct address from that block to each NIC it manufactures. Note that a MAC address can usually be changed in software, so it must not be relied on as proof of a device's identity. It is carried inside the frame used by the Data Link layer and is the lowest-level address, working at the Data Link and Physical layers. Data packets travelling from source to destination hosts pass through one or more physical networks on the way.
At this level the IP address is not used for delivery. Instead, on each link the sender and the next hop, whether that is the receiving computer or the next router along the path, are identified by their MAC addresses.
The Logical address is required to facilitate universal communication in which different types of physical network can be involved. A universal addressing system is needed so that each host can be identified uniquely, regardless of the underlying physical network. The logical address is also called the Internet Protocol or IP address. The internet consists of many physical networks, interconnected via devices like routers.
The Internet is a packet-switched network, which means that data from the source computer is sent in the form of small packets, each carrying the destination address.
The original IP addressing scheme, IPv4, uses 32 bits of information, which is 4 bytes, to record the address of a network device. In theory, this allows for over 4 billion devices to have a unique IP address.
At the time of its inception, this was believed to be a more than adequate number for all of the potential network connected devices that could exist.
This led to some very wasteful practices in the allocation of IP address ranges, meaning that the actual number of available addresses was considerably less than 4 billion.
With the explosion of internet connected devices over the past 2 decades, an updated addressing scheme has become essential in order to allow for this expanded network usage.
IPv6 uses 128 bits of information, or 16 bytes, to provide addresses for networked devices. At first glance this may not seem a huge jump in capacity, since 16 bytes is only four times 4 bytes. In reality, every extra bit doubles the number of possible addresses, so 128 bits gives 2^128, about 340 undecillion addresses: 3.4 times 10 to the 38th power, or 34 followed by 37 zeroes.
Again, there are restrictions in the way that these addresses can be allocated, so it's not possible to allocate all of them. However, the number of addresses that can be allocated is so huge that it stands the scheme in good stead for the future, although some claim that these restrictions could mean IPv6 addresses may not last as long as first thought.
As mentioned, IPv4 addresses use 32 bits, or 4 bytes, of storage. The 32-bit IP address is grouped into 8 bits, or 1 byte at a time, separated by dots, and represented in decimal format. This is known as dotted decimal notation. Each bit in the octet has a binary weight (128, 64, 32, 16, 8, 4, 2, 1). The minimum value for an octet is 0, and the maximum value for an octet is 255.
This gives an address space of 0.0.0.0 to 255.255.255.255, although many blocks within it are reserved (for example for private networks, loopback and multicast), so not every address is usable for a host on the public Internet.
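The dotted-decimal notation described above is easy to get subtly wrong in code, so here is an added example (not part of the original course material) that converts between dotted decimal and the underlying 32-bit value, shows the binary weights of each octet, applies a network mask, and checks the RFC 1918 private ranges. The parser is deliberately strict: it rejects octets with leading zeros, because some C-library parsers treat "010.0.0.1" as octal (8.0.0.1), a mismatch that has been used to slip addresses past allow-lists. All addresses in the block are constructed test values.

```python
"""Dotted-decimal IPv4: strict parsing, binary weights, masks and private-range checks."""

OCTET_WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)   # bit weights within one octet

# RFC 1918 private ranges plus loopback: never routable on the public Internet
PRIVATE_RANGES = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16), ("127.0.0.0", 8))


def parse_ipv4(text):
    """Strictly parse dotted-decimal text into a 32-bit integer.

    Accepts only exactly four decimal octets in 0..255. Leading zeros are rejected on
    purpose: some parsers read "010.0.0.1" as octal (8.0.0.1), which is a classic way
    for two components to disagree about which address a string means.
    """
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets, got {len(parts)}: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or (len(part) > 1 and part[0] == "0"):
            raise ValueError(f"bad octet {part!r} in {text!r}")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"octet out of range: {octet} in {text!r}")
        value = (value << 8) | octet          # shift the previous octets up one byte
    return value


def format_ipv4(value):
    """Inverse of parse_ipv4: a 32-bit integer back to dotted decimal."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def octet_bits(octet):
    """Render one octet as the eight binary weights that sum to it, e.g. 192 -> '11000000'."""
    if not 0 <= octet <= 255:
        raise ValueError("octet must be 0..255")
    return "".join("1" if octet & weight else "0" for weight in OCTET_WEIGHTS)


def prefix_mask(prefix_len):
    """CIDR prefix length -> 32-bit netmask, e.g. 24 -> 0xFFFFFF00."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def network_of(addr, prefix_len):
    """Network address of `addr` within a /prefix_len block, e.g. 192.168.1.10/24 -> 192.168.1.0."""
    return format_ipv4(parse_ipv4(addr) & prefix_mask(prefix_len))


def is_private(addr):
    """True if the address falls in an RFC 1918 range or loopback."""
    value = parse_ipv4(addr)
    return any((value & prefix_mask(p)) == parse_ipv4(net) for net, p in PRIVATE_RANGES)


if __name__ == "__main__":
    for addr in ("192.168.1.10", "8.8.8.8"):
        bits = [octet_bits(int(o)) for o in addr.split(".")]
        kind = "private" if is_private(addr) else "public"
        print(addr, hex(parse_ipv4(addr)), bits, kind)
    print(network_of("192.168.1.10", 24))
    for bad in ("256.1.1.1", "010.0.0.1", "1.2.3"):
        try:
            parse_ipv4(bad)
        except ValueError as err:
            print("rejected:", err)
```

The important design point is that the parser and the formatter are exact inverses and that anything ambiguous is an error rather than a guess; a validator that is looser than the code that later uses the address is where address-based access checks break down.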
IPv6 uses 128 bits, or 16 bytes of storage to define an address.
The diagram shows how the address is broken down.
The first 48 bits of the address form the global routing prefix, allocated from the pool administered by the Internet Assigned Numbers Authority, or IANA, via the regional Internet registries and ISPs.
The next 16 bits will identify a subnet, or smaller division of a network, with the final 64 bits being assigned to individual network devices within that subnet.
There are three different types of address:
- Unicast: A packet sent to a unicast address is delivered solely to the interface identified by that address
- Anycast: A packet sent to an Anycast address is delivered to one of the interfaces identified by that address (the "nearest" one, according to the routing protocols' measure of distance)
- Multicast: A packet sent to a multicast address is delivered to all interfaces identified by that address
I have previously mentioned that Port addresses are related to specific Applications, and that they are used to ensure communications data is routed to the correct application.
The IANA (Internet Assigned Numbers Authority) have designated ranges of the available ports, and these are divided in to 3 ranges:
Ports 0-1023 are called the 'System ports', but are most widely known as the 'well-known' ports and as such are used by well-known services; the next screen details some of these.
Ports 1024-49,151 are known as the 'User' or registered ports. They are assigned by the IANA to a specific service upon application by a requesting entity. On most systems, user ports can be used by ordinary users.
The remaining ports (49,152-65,535) are the dynamic or private ports, which cannot be registered with IANA.
This range is used for custom or temporary purposes and for the automatic allocation of ephemeral ports. An ephemeral port is the temporary port assigned to the client end of a client-server communication with a well-known port on a server.
We have already established that network devices need to have a physical (MAC) address, along with a logical (IP) address if they wish to communicate over the network. The port address is a further addition to these requirements, ensuring that data is routed correctly on its arrival, and that many applications are able to use the network connection at once, without their data becoming mixed up.
The following are some of the common ports numbers and what they are used for:
- Port 21: File Transfer Protocol (FTP)
- Port 22: Secure Shell (SSH)
- Port 23: Telnet remote login service
- Port 25: Simple Mail Transfer Protocol (SMTP)
- Port 53: Domain Name System (DNS) service
- Port 80: Hypertext Transfer Protocol (HTTP) used in the World Wide Web
Some applications use user-friendly, application-specific addresses.
The most familiar network address is the now ubiquitous website address; this is technically known as a Uniform Resource Locator, or URL for short.
The reason that we use URLs to locate websites is that humans are able to remember them; we are not so good at remembering the specific IP address for Google, for example.
By typing a web address in to a web browser, you are taken directly to the desired website. Behind the scenes, a lot of work is being done by your computer to make sure that this happens, including working out the port and IP address required to make sure that you can view the website. This process will be explored later.
The other easily recognizable network address is an e-mail address. E-mail is short for electronic mail, and this almost perfectly describes what it does: you compose an electronic letter, address it to the person to whom you wish to send it, and commit it to the electronic postal service to deliver on your behalf.
In order for applications to communicate over a network, the applications have to be aware of exactly how they wish to achieve this.
They need to know the format of the messages they wish to exchange, prepare messages in that format, and then hand them to the protocols lower down the stack so that they can be dispatched onto the physical wires of the network. The application layer protocol defines what the messages contain: the types of message exchanged (for example request or response), how each message is structured, what the fields inside that structure mean, and a set of rules for how and when messages should be sent or responded to.
Previously I discussed how each network device needs both a physical network address and a logical IP address, and examined how IP addresses are structured, how many are available to be issued at any one time, and that, unless something changes them, they are statically assigned by hand. As IPv4 addresses are in limited supply, there needs to be some way of managing their allocation so that as few as possible are wasted: only machines that actually need an IP address at that moment should hold one. The answer is the Dynamic Host Configuration Protocol, or DHCP. This protocol issues IP addresses only to machines that are switched on and in use. Dynamic assignment of IP addresses is desirable for several reasons: addresses are assigned on demand, manual IP configuration is avoided, and the mobility of laptops is supported, which matters more as remote working increases.
In a DHCP Network, when a user switches their computer on and wants to connect to the network, a number of exchanges of information occur between the machine and the DHCP server.
The machine first issues a Discovery request to the DHCP server. The server responds to this with an Offer of an IP address. The machine replies, requesting that the IP address be allocated to it, and finally the server acknowledges that request.
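The four-step exchange just described (often called DORA: Discover, Offer, Request, Acknowledge) is easiest to see as both sides' messages side by side. The following is an added example, not code from the course: a small DHCP server simulation with a lease pool that reclaims addresses when leases expire, which is the property the text relies on when it says only machines in use hold an address. Messages are plain dicts rather than real DHCP packets, the "network" is a direct function call, and the MAC and IP values are constructed; the UDP port numbers 67 and 68 are the ones real DHCP uses.

```python
"""Simulation of the DHCP Discover/Offer/Request/Acknowledge (DORA) exchange with a lease pool."""
import time

SERVER_PORT, CLIENT_PORT = 67, 68   # UDP ports used by real DHCP servers and clients


class DhcpServer:
    """Leases addresses from a pool and reclaims them when the lease expires."""

    def __init__(self, pool, lease_seconds, clock=time.time):
        self.free = list(pool)        # addresses not currently leased or offered
        self.offers = {}              # mac -> ip tentatively offered, awaiting a REQUEST
        self.leases = {}              # mac -> (ip, expiry time)
        self.lease_seconds = lease_seconds
        self.clock = clock            # injectable so expiry can be exercised without waiting

    def _expire_leases(self):
        now = self.clock()
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:         # machine went away: its address returns to the pool
                del self.leases[mac]
                self.free.append(ip)

    def handle(self, msg):
        """Process one client message and return the server's reply (None = no reply)."""
        self._expire_leases()
        mac = msg["chaddr"]           # client hardware (MAC) address identifies the client
        if msg["type"] == "DHCPDISCOVER":
            if mac in self.leases:                      # known client renewing: same address
                ip = self.leases[mac][0]
            elif mac in self.offers:                    # repeated DISCOVER: repeat the offer
                ip = self.offers[mac]
            elif self.free:
                ip = self.free.pop(0)
                self.offers[mac] = ip
            else:
                return None                             # pool exhausted: no OFFER is sent
            return {"type": "DHCPOFFER", "chaddr": mac, "yiaddr": ip, "lease": self.lease_seconds,
                    "src_port": SERVER_PORT, "dst_port": CLIENT_PORT}
        if msg["type"] == "DHCPREQUEST":
            ip = msg["requested_ip"]
            offered = self.offers.get(mac) == ip
            leased = self.leases.get(mac, (None, 0))[0] == ip
            if offered or leased:     # only confirm an address this client was actually given
                self.offers.pop(mac, None)
                self.leases[mac] = (ip, self.clock() + self.lease_seconds)
                return {"type": "DHCPACK", "chaddr": mac, "yiaddr": ip, "lease": self.lease_seconds,
                        "src_port": SERVER_PORT, "dst_port": CLIENT_PORT}
            return {"type": "DHCPNAK", "chaddr": mac, "src_port": SERVER_PORT, "dst_port": CLIENT_PORT}
        raise ValueError(f"unsupported message type {msg['type']!r}")


def client_obtain_address(server, mac):
    """Run the four steps from the client side; return the leased IP, or None if refused."""
    offer = server.handle({"type": "DHCPDISCOVER", "chaddr": mac,
                           "src_port": CLIENT_PORT, "dst_port": SERVER_PORT})   # 1. Discover
    if offer is None:                                                           # 2. Offer (none)
        return None
    ack = server.handle({"type": "DHCPREQUEST", "chaddr": mac, "requested_ip": offer["yiaddr"],
                         "src_port": CLIENT_PORT, "dst_port": SERVER_PORT})     # 3. Request
    return ack["yiaddr"] if ack["type"] == "DHCPACK" else None                  # 4. Acknowledge


if __name__ == "__main__":
    server = DhcpServer(["192.168.1.10", "192.168.1.11"], lease_seconds=3600)
    print(client_obtain_address(server, "aa:bb:cc:00:00:01"))   # 192.168.1.10
    print(client_obtain_address(server, "aa:bb:cc:00:00:02"))   # 192.168.1.11
    print(client_obtain_address(server, "aa:bb:cc:00:00:03"))   # None: pool exhausted
```

Two details matter in practice. The server only acknowledges an address it offered to that client, so a client cannot simply request an arbitrary address; and because the protocol is broadcast-based and unauthenticated, nothing here stops a second, rogue server from answering a Discover, which is why switches offer DHCP snooping to restrict which ports may send Offers.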
DHCP employs a connectionless service model, using the User Datagram Protocol (UDP). UDP was introduced in 1980 and is one of the oldest network protocols in existence. It's a simple OSI transport layer protocol for client/server network applications. It's based on IP and is the main alternative to TCP.
DHCP is implemented with two UDP port numbers: UDP port 67 is the destination port of the server, and UDP port 68 is used by the client.
One further solution to the potential lack of available IPv4 addresses is to use Network Address Translation, or NAT.
The diagram shows NAT in process. How does it work?
When a router receives a packet from an internal machine that needs to communicate with a machine across the Internet, the router removes the internal IP address and port number from the packet and replaces it with its own, Internet routable IP address and port values. This data is recorded in the device memory (NAT table) and then the packet is forwarded across the Internet to its destination.
When the data returns, the router interrogates its NAT table for the correct Internal IP address and port to send the data to, swaps the IP and port data back to the internal, mapped values and passes it to the host machine.
Port Address Translation (PAT) allows many users within a private network to share a minimal number of public IP addresses, typically a single one, by giving each outbound connection its own translated source port. It is an extension of Network Address Translation (NAT) and is what most home and office routers actually perform.
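To make the NAT table concrete, here is an added example (not from the course) that simulates the table a PAT gateway keeps: the outbound rewrite that records a mapping, the inbound reverse lookup, and what happens to an inbound packet that nobody inside asked for. Packets are dicts, and the addresses are documentation ranges chosen for the example: 192.168.0.0/16 inside, 203.0.113.5 as the gateway's public address, and 198.51.100.0/24 for remote servers.

```python
"""Simulation of a NAT/PAT table as kept by a home or office router."""


class PatGateway:
    """Rewrites outbound packets to one public address and reverses the rewrite on replies."""

    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        self.next_port = first_port      # translated source ports come from the dynamic range
        self.by_public_port = {}         # public_port -> (int_ip, int_port, remote_ip, remote_port)
        self.by_flow = {}                # (int_ip, int_port, remote_ip, remote_port) -> public_port

    def outbound(self, packet):
        """Internal host -> Internet: swap the private source for the public IP and a unique port."""
        flow = (packet["src_ip"], packet["src_port"], packet["dst_ip"], packet["dst_port"])
        if flow not in self.by_flow:                     # first packet of this flow: add a table entry
            if self.next_port > 65535:
                raise RuntimeError("translation port pool exhausted")
            public_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = public_port
            self.by_public_port[public_port] = flow
        return dict(packet, src_ip=self.public_ip, src_port=self.by_flow[flow])

    def inbound(self, packet):
        """Internet -> internal host: look up the public port; no mapping means the packet is dropped."""
        flow = self.by_public_port.get(packet["dst_port"])
        if flow is None:
            return None                                  # unsolicited: nobody inside opened this flow
        int_ip, int_port, remote_ip, remote_port = flow
        if (packet["src_ip"], packet["src_port"]) != (remote_ip, remote_port):
            return None                                  # reply must come from the peer that was contacted
        return dict(packet, dst_ip=int_ip, dst_port=int_port)


if __name__ == "__main__":
    gw = PatGateway("203.0.113.5")
    a = gw.outbound({"src_ip": "192.168.1.10", "src_port": 40000, "dst_ip": "198.51.100.80", "dst_port": 443})
    b = gw.outbound({"src_ip": "192.168.1.11", "src_port": 40000, "dst_ip": "198.51.100.80", "dst_port": 443})
    print(a["src_port"], b["src_port"])   # 49152 49153: same internal port, distinct public ports
    reply = {"src_ip": "198.51.100.80", "src_port": 443, "dst_ip": "203.0.113.5", "dst_port": 49152}
    print(gw.inbound(reply))              # delivered to 192.168.1.10:40000
    print(gw.inbound(dict(reply, dst_port=60000)))   # None: no table entry
```

The security consequence is visible in `inbound`: an unsolicited packet from the Internet has no table entry and is discarded, which is why hosts behind NAT are not directly reachable. That is a side effect of the translation, not a firewall policy; a gateway that forwards a port, or a host that opens an outbound flow to an attacker, removes the protection, so NAT is no substitute for stateful filtering.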
I have previously mentioned the Domain Name System (DNS) when talking about URLs, and the reason that we use URLs rather than IP addresses to access websites.
DNS translates human readable, Internet domain and host names to IP addresses and vice versa. DNS is a client/server network communication system; DNS clients send requests to and receive responses from DNS servers. These requests contain a name, and result in an IP address being returned from the server.
These types of requests are called DNS lookups.
Requests containing an IP address and resulting in a name being returned are called reverse DNS lookups.
DNS implements a distributed database of resource records that map names to addresses (and other data) for public hosts on the Internet; each record carries a time-to-live that controls how long resolvers may cache it.
DNS is one of the fundamental building blocks of the World Wide Web. On the web, DNS automatically converts the names we type into the browser address bar into the IP addresses of websites.
Larger organizations also use DNS to manage their own intranets. Home networks use DNS when accessing the Internet, but typically do not use it for managing the names of home devices.
Home broadband routers and other network gateway devices store primary, secondary and tertiary DNS server IP addresses for the network and assign them to client devices as needed.
Administrators can choose to enter addresses manually or obtain them from DHCP. Addresses can also be updated on a client device via its operating system configuration menus.
This simple diagram shows how a DNS request is made, and serviced.
The user of the computer is only comfortable using the familiar website address, in this case google.com. The DNS server does the work of ascertaining the IP address for that website and returns that information to the user's computer, allowing that machine to connect to the Google web server and retrieve information.
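The request in the diagram is a small binary message, and the reply is another. As an added example (not part of the course), the following code builds the query a resolver sends for google.com in the RFC 1035 wire format, then parses a response in the same format, including the label-compression pointers real servers use. No network is involved: the response is constructed locally, so the answer address 198.51.100.7 is a documentation address chosen for the example, not google.com's real one. The transaction-id check is the minimal sanity check a resolver performs; on its own it does not authenticate the answer, which is the gap DNSSEC and encrypted transports address.

```python
"""Build a DNS query and parse a DNS response in the RFC 1035 wire format."""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """'google.com' -> b'\\x06google\\x03com\\x00' (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, qtype=TYPE_A):
    """12-byte header (flags: RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # 11xxxxxx: pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                         # reading resumes after the 2-byte pointer
            hops += 1
            if hops > 64:                                # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg, expected_txid):
    """Return [(name, ttl, dotted_ipv4), ...] for the A records in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: not an answer to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qdcount):                             # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4                                      # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def reverse_lookup_name(ipv4):
    """Name queried (type PTR) for a reverse lookup: '8.8.4.4' -> '4.4.8.8.in-addr.arpa'."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def build_sample_response(query, ipv4="198.51.100.7", ttl=300):
    """Constructed reply to `query`: echo the question, then one A record whose owner name
    is a compression pointer (0xC00C) back to the name at offset 12 of the message."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1
    question = query[12:]
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    q = build_query("google.com", txid=0x1234)
    print(q.hex())
    print(parse_response(build_sample_response(q), expected_txid=0x1234))
    print(reverse_lookup_name("8.8.4.4"))
```

Because the protocol is unauthenticated over UDP, anyone who can guess the 16-bit transaction id and the client's source port can inject a forged response; real resolvers randomize both, and the hop limit in `read_name` is the kind of bound a parser needs before it is exposed to answers from arbitrary servers.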
One final concept that needs to be discussed when considering network communications is that of the socket.
A network socket is one endpoint in a communication flow between two programs running over a network.
A process sends and receives messages to and from its socket.
You can consider a socket as a door. The sending process shoves the message out of the door, and assumes that a transport infrastructure exists on the other side of door, which can bring the message to the socket at the receiving process.
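The port ranges and the socket "door" come together in the following added example (not from the course). It classifies ports by the IANA ranges listed earlier, then starts a real TCP echo server on the loopback interface and connects two clients to it, returning the port numbers each end sees so you can check that each client was given its own ephemeral port and that the server saw exactly those ports on its side. The server binds port 0 so the operating system picks a free port; a real service would bind a fixed, well-known port such as 80. Payloads are constructed test strings.

```python
"""Ports and sockets: classify a port by IANA range, then run a TCP exchange on loopback."""
import socket
import threading


def classify_port(port):
    """Map a port number to its IANA range name."""
    if not 0 <= port <= 65535:
        raise ValueError("port must fit in 16 bits")
    if port <= 1023:
        return "system"          # 'well known' ports: SSH 22, DNS 53, HTTP 80, ...
    if port <= 49151:
        return "user"            # registered ports
    return "dynamic"             # private / ephemeral ports


def echo_exchange(payloads=(b"one", b"two")):
    """Start an echo server on a loopback port and connect one client per payload.

    Returns the server port, the client (ephemeral) ports, the peer ports the server saw,
    and the bytes echoed back, so the two ends of each socket pair can be compared.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))      # port 0: the OS picks a free port for this example
    server.listen(5)
    server_port = server.getsockname()[1]
    seen_by_server = []

    def serve():
        for _ in payloads:
            conn, (peer_ip, peer_port) = server.accept()   # one socket per accepted connection
            with conn:
                seen_by_server.append(peer_port)
                conn.sendall(conn.recv(1024))                # push the message back out of the door

    worker = threading.Thread(target=serve)
    worker.start()
    clients = [socket.create_connection(("127.0.0.1", server_port)) for _ in payloads]
    try:
        client_ports = [c.getsockname()[1] for c in clients]   # distinct ephemeral ports keep flows apart
        for client, payload in zip(clients, payloads):
            client.sendall(payload)
        echoed = [client.recv(1024) for client in clients]
    finally:
        for client in clients:
            client.close()
        worker.join()
        server.close()
    return {"server_port": server_port, "client_ports": client_ports,
            "seen_by_server": seen_by_server, "echoed": echoed}


if __name__ == "__main__":
    result = echo_exchange()
    print(result)
    print({p: classify_port(p) for p in (22, 53, 80, 8080, result["client_ports"][0])})
```

Each connection is identified by the four values (source IP, source port, destination IP, destination port); the two clients share three of them and differ only in the ephemeral source port, which is exactly what lets the kernel deliver each reply to the right application. The same four values are what a NAT table or a stateful firewall keys on.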
Having discussed how devices connect to a network, it’s useful to look at how unwanted devices can be prevented from attaching to networks.
Network Access Control, or NAC, is an approach to computer and network security that denies network access to any machines that do not meet expected standards. NAC can deny network access to non-compliant devices, place them in a quarantined area, or give them only restricted access to computing resources, keeping unsecure devices from accessing the network.
NAC solutions help organizations control access to their networks through the following capabilities:
- Policy lifecycle management: NAC enforces policies for all operating scenarios without requiring separate products or additional modules
- Profiling and visibility: NAC recognizes and profiles users and their devices before malicious code can cause damage
- Guest networking access: NAC can manage guests through a customizable, self-service portal that includes guest registration, guest authentication, guest sponsoring, and a guest management portal
- Security posture check: NAC evaluates security-policy compliance by user type, device type, and operating system
- Incident response: NAC mitigates network threats by enforcing security policies that block, isolate, and/or repair noncompliant machines without administrator attention
- Bidirectional integration: NAC can integrate with other security and network solutions through open or RESTful APIs
That brings us to the end of this video.
About the Author
Paul began his career in digital forensics in 2001, joining the Kent Police Computer Crime Unit. In his time with the unit, he dealt with investigations covering the full range of criminality, from fraud to murder, preparing hundreds of expert witness reports and presenting his evidence at Magistrates, Family and Crown Courts. During his time with Kent, Paul gained an MSc in Forensic Computing and CyberCrime Investigation from University College Dublin.
On leaving Kent Police, Paul worked in the private sector, carrying on his digital forensics work but also expanding into eDiscovery work. He also worked for a company that developed forensic software, carrying out research and development work as well as training other forensic practitioners in web-browser forensics. Prior to joining QA, Paul worked at the Bank of England as a forensic investigator. Whilst with the Bank, Paul was trained in malware analysis, ethical hacking and incident response, and earned qualifications as a Certified Malware Investigator, Certified Security Testing Associate - Ethical Hacker and GIAC Certified Incident Handler. To assist with the team's malware analysis work, Paul learnt how to program in VB.Net and created a number of utilities to assist with the de-obfuscation and decoding of malware code.