Network models and standards play an important role in the telecommunications industry. You have already seen how standards for services such as DSL, ATM, 802.11 wireless, Bluetooth, and others make it much easier for developers to design interoperable equipment, ease the burden of networking, and develop security solutions. The two most widely discussed network models are covered in the following sections. In case you haven't guessed, these are the Open Systems Interconnect (OSI) model and the Transmission Control Protocol/Internet Protocol (TCP/IP) model.
OSI Model
The International Standards Organization (ISO) developed the Open Systems Interconnect (OSI) model in 1984. The model is based on a specific hierarchy in which each layer builds upon the output of each adjacent layer. It is described in ISO 7498. Today it is widely used as a guide in describing the operation of a networking environment. What was once considered the universal communications standard now serves as a teaching model for all other protocols.
The OSI model is designed so that control is passed down from layer to layer. Information is put into the application layer and ends at the physical layer. Then it is transmitted over the medium (wire, coax, wireless) toward the target device and then back up the stack to the application. The seven layers of the OSI model are the application, presentation, session, transport, network, data link, and physical layers. Most people remember this order by using one of the many acronyms that have been thought up over the years. My favorite one is based on the popular television show American Idol: "People Don't Need To See Paula Abdul." For a better understanding of how the OSI model works, we'll start at the bottom of the stack and work our way up. The OSI model is shown in Figure 6.4.
Figure 6.4. OSI model.
Physical Layer
Layer 1 is known as the physical layer. At Layer 1, bit-level communication takes place. The bits have no defined meaning on the wire, but the physical layer defines how long each bit lasts and how it is transmitted and received. Physical-layer components include these:
Data Link Layer
Layer 2 is known as the data link layer. It is focused on traffic within a single LAN. The data link layer is responsible for formatting and organizing the data before sending it to the physical layer. The data link layer organizes the data into frames. A frame is a logical structure in which data can be placed. When a frame reaches the target device, the data link layer is responsible for stripping off the data frame and passing the data packet up to the network layer. Data-link-layer components include these:
Network Layer
Layer 3 is known as the network layer. Whereas the bottom two layers of the OSI model are associated with hardware, the network layer is tied to software. This layer is concerned with how data moves from network A to network B; it makes sure frames from the data link layer reach the correct network. The network layer is the home of the Internet Protocol (IP), which acts as a postman in determining the best route from the source to the target network. Network-layer components include the following:
Transport Layer
Layer 4 is known as the transport layer. Whereas the network layer routes information to its destination, the transport layer ensures completeness by handling end-to-end error recovery and flow control. Transport-layer protocols include these:
Session Layer
Layer 5 is known as the session layer. Its purpose is to allow two applications on different computers to establish and coordinate a session. A session is simply a name for a connection between two computers. When a data transfer is complete, the session layer is responsible for tearing down the session. Session-layer protocols include these:
Presentation Layer
Layer 6 is known as the presentation layer. The presentation layer performs a job similar to that of a waiter in a restaurant: Its main purpose is to deliver and present data to the application layer. In performing its job, the data must be formatted in a way that the application layer can understand and interpret. The presentation layer is skilled in translation because its duties include encrypting data, changing or converting the character set, and handling protocol conversion.
Encapsulation is the process of adding headers to user data as it is handed from each layer to the next lower layer.
Application Layer
Layer 7 is known as the application layer. Recognized as the top layer of the OSI model, this layer serves as the window for application services. This is the layer we, as users, work with. We send email or surf the Web and many times never think about all the underlying processes that make it possible. Layer 7 is not the application itself, but rather the channel through which applications communicate.
TCP/IP
TCP/IP is the foundation of the Internet as we know it today. Its roots can be traced back to standards adopted by the U.S. government's Department of Defense (DoD) in 1982. TCP/IP is similar to the OSI model, but it consists of only four layers: the network access layer, the Internet layer, the host-to-host layer, and the application layer.
It is of critical importance to remember that the TCP/IP model was originally developed as a flexible, fault-tolerant network. Security was not the driving concern. The network was designed to these specifications to withstand a nuclear strike that might destroy key routing nodes. The designers of this original network never envisioned the Internet we use today. Therefore, most of TCP/IP is insecure, and many of the security mechanisms in use today are add-ons to the original protocol suite.
Network Access Layer
The network access layer loosely corresponds to Layers 1 and 2 of the OSI model. Some literature separates this layer into two and references them as physical access and data link. Whether viewed as one layer or two, this portion of the TCP/IP network model is responsible for the physical delivery of IP packets via frames.
Ethernet is the most commonly used LAN frame type. Ethernet frames are addressed with MAC addresses, which identify the source and destination devices. MAC addresses are 6 bytes long and are unique to the NIC into which they are burned. Programs are available that allow attackers to spoof MAC addresses.
Internet Layer
The Internet layer maps to OSI Layer 3. This layer contains the information needed to make sure that data can be routed through an IP network and that the network can differentiate hosts. Currently, most organizations use IPv4. IPv6 is its planned replacement, with better security and support for 128-bit IP addresses instead of the current 32-bit addresses. IPv4 uses a logical addressing scheme, the IP address. Whereas MAC addresses are considered physical addresses, an IP address is considered a logical address. IP addresses are laid out in dotted-decimal notation. The IPv4 address format is four decimal numbers separated by periods. Each of these decimal numbers is 1 byte in length, which allows the numbers to range from 0 to 255.
Not all of the addresses shown can be used on the Internet. Some addresses are reserved for private use and are considered nonroutable. These addresses include the following:
IP security issues include fragmentation, source routing, and DoS attacks, such as teardrop. The Internet layer contains not only the Internet Protocol (IP), but also Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), and the Internet Group Management Protocol (IGMP). ICMP and IGMP are IP support, error, and diagnostic protocols that handle problems such as error messages and multicast messages. ARP is used to resolve a known IP address to the unknown MAC address that belongs with it.
IP addresses are required because physical addresses are tied to the physical topology used. Some LANs use Ethernet, but others are connected to ATM or Token Ring networks. Because no common format or structure exists, the IP protocol is used to bind these dissimilar networks together.
Internet Control Message Protocol (ICMP)
One of the protocols residing at the Internet layer is ICMP. Its purpose is to provide feedback used for diagnostics or to report logical errors. Even though ICMP resides at the Internet layer, it is a separate protocol and is distinctly different from IP.
All ICMP messages follow the same basic format. The first byte of an ICMP header indicates the type of ICMP message. The following byte contains the code for each particular type of ICMP. Eight of the most common ICMP types are shown in Table 6.4.
| Type | Code | Function |
|---|---|---|
| 0/8 | 0 | Echo Response/Request (Ping) |
| 3 | 0-15 | Destination Unreachable |
| 4 | 0 | Source Quench |
| 5 | 0-3 | Redirect |
| 11 | 0-1 | Time Exceeded |
| 12 | 0 | Parameter Fault |
| 13/14 | 0 | Time Stamp Request/Response |
| 17/18 | 0 | Subnet Mask Request/Response |
One of the most common ICMP types is a ping. Although ICMP can be very helpful, it is also valued by attackers and can be manipulated and used for a variety of attacks, including the ping of death, Smurf, timestamp query, netmask query, source routing, and redirects.
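The ICMP header layout described above (type byte, code byte, then a checksum over the whole message), as an added example that is not part of the original text. It builds and parses ICMP messages and checks type/code pairs against the ranges in Table 6.4; the sample packets are constructed inline, and the checksum routine is the standard Internet checksum (RFC 1071), which ICMP uses.

```python
import struct

# Type names and inclusive code ranges as listed in Table 6.4.
ICMP_TYPES = {
    0: ("Echo Response", (0, 0)),
    8: ("Echo Request", (0, 0)),
    3: ("Destination Unreachable", (0, 15)),
    4: ("Source Quench", (0, 0)),
    5: ("Redirect", (0, 3)),
    11: ("Time Exceeded", (0, 1)),
    12: ("Parameter Fault", (0, 0)),
    13: ("Time Stamp Request", (0, 0)),
    14: ("Time Stamp Response", (0, 0)),
    17: ("Subnet Mask Request", (0, 0)),
    18: ("Subnet Mask Response", (0, 0)),
}

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble type, code, checksum, the 4-byte 'rest of header', and payload."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = internet_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode the first two header bytes and verify the checksum over the whole message."""
    if len(packet) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, _csum = struct.unpack("!BBH", packet[:4])
    name, (lo, hi) = ICMP_TYPES.get(icmp_type, ("Unknown", (None, None)))
    return {
        "type": icmp_type,
        "code": code,
        "name": name,
        # A correctly checksummed message sums to 0xFFFF, so the complement is 0.
        "checksum_ok": internet_checksum(packet) == 0,
        "code_in_table": lo is not None and lo <= code <= hi,
    }
```

A type/code pair outside the table (for example Destination Unreachable with code 16) is exactly the kind of malformed message a filter or IDS rule would flag.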
Address Resolution Protocol (ARP)
ARP's two-step resolution process is performed by first sending a broadcast message requesting the target's physical address. If a device recognizes the address as its own, it issues an ARP reply containing its MAC address to the original sender. The MAC address is then placed in the ARP cache and used to address subsequent frames. Proxy ARPs can be used to extend a network and allow one device to communicate with a device on an adjunct node. Attackers can manipulate ARP because it is a trusting protocol. Bogus ARP responses are accepted as valid, which can allow attackers to redirect traffic on a switched network. ARP attacks play a role in a variety of man-in-the-middle attacks, spoofing, and session-hijack attacks.
Remember that ARP is unauthenticated. Therefore, an attacker can send unsolicited ARP replies, poison the ARP table, and spoof another host.
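The two-step request/reply exchange and the unsolicited-reply problem above, turned into a small detection routine as an added example (not from the original text). It audits a list of ARP records for replies that answer no recent request and for an IP address whose MAC suddenly changes; the records and addresses are constructed for illustration.

```python
from collections import namedtuple

# Constructed ARP records for illustration, not captured traffic. op is "request" or "reply".
Arp = namedtuple("Arp", "ts op sender_ip sender_mac target_ip target_mac")

SAMPLE = [
    Arp(1.0, "request", "192.168.1.10", "aa:aa:aa:aa:aa:10", "192.168.1.1", "00:00:00:00:00:00"),
    Arp(1.1, "reply", "192.168.1.1", "aa:aa:aa:aa:aa:01", "192.168.1.10", "aa:aa:aa:aa:aa:10"),
    # Reply nobody asked for, claiming the gateway's IP with a different MAC.
    Arp(5.0, "reply", "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.10", "aa:aa:aa:aa:aa:10"),
]

def audit_arp(records, window=2.0):
    """Return (ts, kind, detail) alerts for two symptoms of ARP poisoning:
    a reply that answers no request seen within `window` seconds, and an IP
    that maps to a new MAC. The first MAC learned for an IP is kept as the
    reference, so later claims are reported rather than silently accepted."""
    pending = {}  # (requester_ip, requested_ip) -> time of the last request
    cache = {}    # ip -> first MAC seen claiming it
    alerts = []
    for r in sorted(records, key=lambda x: x.ts):
        if r.op == "request":
            pending[(r.sender_ip, r.target_ip)] = r.ts
            continue
        key = (r.target_ip, r.sender_ip)  # the request this reply would answer
        asked = pending.pop(key, None)
        if asked is None or r.ts - asked > window:
            alerts.append((r.ts, "unsolicited_reply", f"{r.sender_ip} is-at {r.sender_mac}"))
        known = cache.setdefault(r.sender_ip, r.sender_mac)
        if known != r.sender_mac:
            alerts.append((r.ts, "mac_change", f"{r.sender_ip} {known} -> {r.sender_mac}"))
    return alerts
```

Gratuitous ARP (a host announcing its own address) is also unsolicited and legitimate, so a production monitor would allow-list those or raise only the mac_change alert for known-stable hosts such as the gateway.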
Host-to-Host Layer
The host-to-host layer corresponds to OSI Layers 4 and 5. The host-to-host layer provides end-to-end delivery. Two primary protocols are located at the host-to-host layer: the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
TCP
TCP enables two hosts to establish a connection and exchange data reliably. TCP does this by performing a three-step handshake before data is sent. During the data-transmission process, TCP guarantees delivery of data by using sequence and acknowledgment numbers. At the completion of the data-transmission process, TCP performs a four-step shutdown that gracefully concludes the session. At the heart of TCP is a 1-byte flag field. Flags help control the TCP process. Common flags include synchronize (SYN), acknowledgment (ACK), push (PSH), and finish (FIN). See Figure 6.5 for additional details on the flags and the startup/shutdown process. TCP security issues include TCP sequence number attacks, session hijacking, and SYN flood attacks.
Figure 6.5. TCP operation.
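The flag field and three-step handshake described above, as an added example that is not part of the original text. It decodes the flag bits, tracks each client/server pair through SYN, SYN/ACK and ACK, and reports handshakes that never complete, which is the pattern a SYN flood leaves behind; the segments and addresses are constructed for illustration.

```python
# Bit values of the TCP flags in the flag byte (low six bits).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def flag_names(flags: int) -> str:
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    return "|".join(n for n, bit in names if flags & bit) or "none"

def track_handshakes(segments):
    """segments: iterable of (src, dst, flags). Returns (established, half_open),
    each a list of (client, server) keys. A SYN opens a pending entry, the
    matching SYN|ACK advances it, and the client's ACK completes it; RST drops it."""
    state = {}  # (client, server) -> "syn_sent" | "syn_received" | "established"
    for src, dst, f in segments:
        if f & RST:
            state.pop((src, dst), None)
            state.pop((dst, src), None)
        elif f & SYN and not f & ACK:
            state[(src, dst)] = "syn_sent"
        elif f & SYN and f & ACK and state.get((dst, src)) == "syn_sent":
            state[(dst, src)] = "syn_received"
        elif f & ACK and not f & SYN and state.get((src, dst)) == "syn_received":
            state[(src, dst)] = "established"
    established = [k for k, v in state.items() if v == "established"]
    half_open = [k for k, v in state.items() if v != "established"]
    return established, half_open

def syn_flood_suspected(segments, server, threshold=2):
    """True when more than `threshold` handshakes to `server` are stuck half-open."""
    _, half_open = track_handshakes(segments)
    return sum(1 for _, srv in half_open if srv == server) > threshold

# Constructed sample: one completed handshake, then three SYNs that are never acknowledged.
SAMPLE = [
    ("10.0.0.5:40000", "10.0.0.1:80", SYN),
    ("10.0.0.1:80", "10.0.0.5:40000", SYN | ACK),
    ("10.0.0.5:40000", "10.0.0.1:80", ACK),
    ("10.0.0.5:40000", "10.0.0.1:80", PSH | ACK),
    ("203.0.113.7:1111", "10.0.0.1:80", SYN),
    ("10.0.0.1:80", "203.0.113.7:1111", SYN | ACK),
    ("203.0.113.8:1112", "10.0.0.1:80", SYN),
    ("10.0.0.1:80", "203.0.113.8:1112", SYN | ACK),
    ("203.0.113.9:1113", "10.0.0.1:80", SYN),
]
```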
UDP
UDP performs none of the handshaking processes that we see performed with TCP. So although that makes it considerably less reliable than TCP, it does offer the benefit of speed. It is ideally suited for data that requires fast delivery and is not sensitive to packet loss but is easier to spoof by attackers because it does not use sequence and acknowledgment numbers. Figure 6.6 details the operation of UDP.
Figure 6.6. UDP operation.
Application Layer
The application layer sits at the top of the protocol stack and maps loosely to OSI Layers 6 and 7. This layer is responsible for application support. Applications are typically mapped not by name, but by their corresponding port. Ports are placed into TCP and UDP packets so the correct application can be passed to the required protocols. Although applications can be made to operate on nonstandard ports, the established port numbers serve as the de facto standard. There are approximately 65,000 ports, divided into well-known ports (0-1024), registered ports (1024-49151), and dynamic ports (49152-65535). Some well-known applications and their associated ports are as follows: