Cisco Certified CyberOps Associate 200-201 Certification Guide

By Glen D. Singh
    What do you get with a Packt Subscription?

  • Instant access to this title and 7,500+ eBooks & Videos
  • Constantly updated with 100+ new titles each month
  • Breadth and depth in over 1,000+ technologies
  1. Free Chapter
    Chapter 1: Exploring Networking Concepts

About this book

Achieving the Cisco Certified CyberOps Associate 200-201 certification helps you to kickstart your career in cybersecurity operations. This book offers up-to-date coverage of 200-201 exam resources to fully equip you to pass on your first attempt.

The book covers the essentials of network security concepts and shows you how to perform security threat monitoring. You'll begin by gaining an in-depth understanding of cryptography and exploring the methodology for performing both host and network-based intrusion analysis. Next, you'll learn about the importance of implementing security management and incident response strategies in an enterprise organization. As you advance, you'll see why implementing defenses is necessary by taking an in-depth approach, and then perform security monitoring and packet analysis on a network. You'll also discover the need for computer forensics and get to grips with the components used to identify network intrusions. Finally, the book will not only help you to learn the theory but also enable you to gain much-needed practical experience for the cybersecurity industry.

By the end of this Cisco cybersecurity book, you'll have covered everything you need to pass the Cisco Certified CyberOps Associate 200-201 certification exam, and have a handy, on-the-job desktop reference guide.

Publication date:
June 2021
Publisher
Packt
Pages
660
ISBN
9781800560871

 

Chapter 1: Exploring Networking Concepts

As an up-and-coming cybersecurity professional, it is important to have a solid foundation of the understanding of networking concepts such as the types of devices, the underlying network layers, and the protocols that help transport messages from a source to a destination. Understanding networking concepts helps a security professional to better grasp the fundamentals of knowing how threat actors, such as hackers, are able to discover security flaws in applications, operating systems, and network protocols. Hackers use these vulnerabilities to assist in delivering their malicious payload into their targets.

Throughout this chapter, you will learn about various networking technologies, protocols, and services, and how they all work together to forward your messages, such as data, between your device and the destination. As a cybersecurity professional, it is essential to fully understand how network devices and protocols function. To put it simply, many network protocols were not designed with security in mind, and threat actors usually take advantage of the vulnerabilities found within these technologies. Upon completing this chapter, you will be able to fully understand the networking aspects of cybersecurity, which many professionals struggle to grasp.

In this chapter, we will cover the following topics:

  • The functions of the network layers
  • Understanding the purpose of various network protocols

Now that we are aware of the outcomes we are set to achieve, let's dive into the chapter!

 

Technical requirements

To follow along with the exercises in this chapter, please ensure that you have met the software requirement of having the Wireshark application installed on your computer. To obtain a copy of Wireshark, please visit https://www.wireshark.org.

Link for Code in Action video https://bit.ly/3ntp4jq

 

The functions of the network layers

Networking plays a vital role in everything we do on a daily basis. Whether your organization is using Slack or Microsoft Teams or traditional emails for internal communication between employees, your smartphone or computer is connected to a network. To fully understand how cyber-attacks and threats are able to infiltrate a system or network, you must first understand the fundamentals of networking.

Hackers are cunning; they are always looking for the easiest way to gain access to a system or network. They look for vulnerabilities, which are security weaknesses in a system, application, coding, or design, and try to take advantage by exploiting them. You may be wondering, what does this have to do with networking? To answer this question in a simple sentence, there are many network protocols that were not designed with any security in mind, thus allowing hackers to exploit their vulnerabilities.

To get a better understanding of the bigger picture of network protocols and applications, let's take a look at what happens when a device such as a computer sends a message such as data to a web server. Built into each modern operating system, whether it's Microsoft Windows, Apple macOS, or even the Android operating system, you will find a protocol suite, which is responsible for the encoding, formatting, and transmission of messages between a source and destination.

During the pre-internet age and the early stages of computer networks, many computer vendors created their own protocol suite to enable their devices to communicate on a network. The downside to such ideas was that each vendor made a protocol suite proprietary to their devices only. This means Vendor A devices would not be able to communicate with Vendor B devices if they were connected to the same physical network.

This concept was not scalable or adaptive. Eventually, two emerging protocol suites surfaced with promises to be interoperable with any vendor devices and networks. These two well-known protocol suites are as follows:

  • The Open Systems Interconnection (OSI) reference model
  • The Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite

A protocol suite allows a device to format a message for delivery using a universal set of standards and protocols to ensure all devices along the path to the destination are able to read the addressing and data contents clearly. In other words, the protocol suite allows all devices to speak a common language on the network and the internet.

Each of these models has several layers that describe how a message is sent from one device to another and vice versa. In the following sub-sections, you will learn about the characteristics of both the OSI reference model and the TCP/IP protocol suite.

The OSI reference model

The OSI reference model was developed by the International Organization for Standardization (ISO) to be a protocol suite for operating systems in the 1970s. This model consisted of seven layers. Each layer was responsible for a unique role and function to help a device encode (format), send, and receive messages through a network.

The following diagram shows the OSI reference model with all its seven layers:

Figure 1.1 – OSI reference model

Figure 1.1 – OSI reference model

Tip

A simple method to always remember the layers of the OSI model from top to bottom is to learn this phrase, All People Seem To Need Data Processing, using the first letter of each layer to make an easy-to-remember sentence.

When a device such as a computer is sending a message, an application-layer protocol will create the message and pass it down to the lower layers until it is placed on the actual wired or wireless network. A sender creates the Protocol Data Unit (PDU) at Layer 7 – the application layer and works its way downward to Layer 1 – the physical layer where the message is sent on the network as an electrical, light, or radio-frequency signal. Keep in mind that when a device is receiving a message from a sender, the message enters Layer 1 – the physical layer and works its way upward to Layer 7 – the application layer.

In the following sections, you will learn about the role and function of each layer of the OSI reference model. Furthermore, you'll discover what happens to a message as it is created by an application-layer protocol and is passed down to the lower layers while it makes its way through the physical network to its destination.

Layer 7 – the application layer

The application layer exists closest to the user, such as yourself. Don't be mistaken – this is not the software or applications you are familiar with using on your computer, such as a web browser or email client such as Microsoft Outlook. The application layer contains many protocols, which allow the user to interact with network resources. A simple example is accessing Cisco's website to gather more information about this certification. You would open your favorite web browser and go to the www.cisco.com web address and the web page would be loaded onto your screen. In reality, your web browser (software) is able to interact with an application-layer protocol such as HyperText Transfer Protocol (HTTP) or HyperText Transfer Protocol Secure (HTTPS). Both HTTP and HTTPS are protocols that allow your computer to communicate with a web server.

Each application-layer protocol is unique in its role and function. When data is created by an application-layer protocol such as HTTPS, it can only be interpreted or understood by another device running the same protocol (HTTPS). Recall the previous example, where the web browser invokes the HTTPS protocol to exchange messages with a Cisco web server that is also using HTTPS.

There are many application-layer protocols that are very common and are used frequently by our devices. Some of the well-known protocols are as follows:

  • File Transfer Protocol (FTP)
  • Secure Shell (SSH)
  • Secure Copy (SCP)
  • Telnet
  • Simple Mail Transfer Protocol (SMTP)
  • Domain Name System (DNS)
  • Dynamic Host Configuration Protocol (DHCP)
  • Trivial File Transfer Protocol (TFTP)

At this layer, the application-layer protocol creates raw data known as a datagram. However, in the networking world, this PDU is best referred to as data. Once the application layer has finished creating its message, it parses the data down to the presentation layer.

Layer 6 – the presentation layer

As you know, application-layer protocols will create their messages (data) such that they can only be interpreted by the same protocol that created it. If the PDU from the application layer is parsed to the lower layers, those lower layers will not be able to interpret what the message is about and why it's being sent to them.

This is where the presentation layer comes in to fill this gap. The presentation layer is responsible for the following functions in the OSI reference model:

  • Formatting
  • Compression
  • Encryption
  • Decryption

The presentation layer will format the PDU that it receives from the application layer in a uniform format, thus allowing the lower layers to interpret the message clearly. Additionally, the presentation layer is responsible for compressing data for transmission, data encryption, and decryption as well.

At this stage, the PDU is still referred to as data and now it's time for it to be sent to the session layer for further processing.

Layer 5 – the session layer

At the session layer, the PDU (data) is not modified in any way but rather, this layer is responsible for the sessions that are created between the source and destination of the message. You can think of the session layer as the logical module, which is responsible for creating, maintaining, and terminating the logical sessions between your computer and the destination, such as a web server.

At the session layer, the PDU maintains its integrity and is not changed in any way. At this layer, the PDU is commonly referred to as data and it's then passed down to the transport layer.

Layer 4 – the transport layer

The transport layer plays a vital role in helping datagrams or PDUs to reach their corresponding application-layer protocol. The transport layer is responsible for the delivery and transportation of messages (datagrams) from a source device to the destination.

It does this by using the following transport-layer protocols to help messages reach their destination:

  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)

The application-layer protocols, such as HTTPS and DNS, rely on either of these transport-layer protocols to ensure their messages are delivered across the network.

Important note

In a later section of this chapter, Understanding the purpose of various network protocols, we will take a deeper look at the characteristics of both TCP and UDP.

Let's imagine that on a network, there is Device-A, which is providing two services to its users: email and web services. For each of these services, an email server and web server applications must be installed on Device-A and be running. You may be thinking about the following questions:

  • How is Device-A able to identify the email traffic from the web traffic?
  • How does Device-A know to send the email traffic to the email application-layer protocol SMTP and not the web server?

To put it simply, both TCP and UDP use logical network/service ports, which are built into all modern operating systems. There is a total of 65,535 logical network/service ports on any operating system, whether it's Linux, Windows, or even Android.

Important note

A service port can be either TCP or UDP. There are various application-layer protocols that use TCP over UDP.

These network ports operate as doorways for an operating system. If traffic is leaving a device, the operating system opens a doorway (source port) for the traffic to leave and to accept any returning messages. On a server running a web application (Apache, NGINX, or Microsoft IIS) or even an email server, these applications will open their corresponding default network ports for inbound traffic.

The following table shows the categories of service ports:

Figure 1.2 – Categories of service ports

Figure 1.2 – Categories of service ports

The following is a brief list of application-layer protocols and their service ports:

The transport layer will encapsulate the PDU with a Layer 4 header. This header will contain both source and destination service port details, and the PDU will be known as a segment. The destination service port is needed to ensure the receiving device forwards the PDU to its corresponding application-layer protocol. For example, if you are sending a web request such as an HTTP GET message to a web server, the web server will have port 80 open for HTTP by default. Therefore, the destination port on the segment will be port 80. When the segment is received by the web server, the transport layer will remove the Layer 4 header and forward the raw datagram to the HTTP protocol at the application layer.

The following is a diagram that shows a segment with its Layer 4 (transport) header:

Figure 1.3 – Segment

Figure 1.3 – Segment

Once the transport layer has completed its encapsulation process, it passes the segment down to the network layer for further processing.

Layer 3 – the network layer

The network layer is perhaps the most popular layer throughout the entire reference model. At this layer, devices insert a Layer 3 header into the PDU, which contains both source and destination Internet Protocol (IP) addresses. As you know, IP addresses are like street addresses for a network. Without IP addresses, devices will not be able to communicate with each other on remote or foreign networks. Once the network layer encapsulates the Layer 3 header onto the PDU, it is known as a packet.

Important note

In a later section of this chapter, Understanding the purpose of various network protocols, we will take a deeper look at the characteristics of the IP and its versions.

The network layer has the following functionality and roles in the OSI reference model:

  • Responsible for the logical IP version 4 (IPv4) and IP version 6 (IPv6) addressing on packets
  • The forwarding of packets between IP networks (routing)
  • Encapsulating Layer 3 headers onto PDUs as they are passed down the OSI model
  • De-encapsulating PDUs as they are passed upward to the application-layer protocols

The following diagram shows a packet with its Layer 3 header:

Figure 1.4 – Packet

Figure 1.4 – Packet

Once the network layer of the OSI model has finished its encapsulation process, it will pass the packet down to the next layer, the data link layer, as more details need to be attached before it's sent out on the actual physical network.

Layer 2 – the data link layer

The data link layer bridges the gap between the operating system of a device and the actual physical network, whether it's a wired or wireless network. It is at this layer that the operating system is able to control how messages are placed on the physical network and how errors are detected and handled on incoming messages.

The data link layer is made up of two sub-layers:

  • Logical Link Control (LLC)
  • Media Access Control (MAC)

The LLC and MAC work together to ensure datagrams that are outgoing contain all the necessary details to help them reach their destination successfully. Additionally, these two sub-layers are also responsible for handling any incoming messages for a system.

The LLC sub-layer will allow further encapsulation to the packets it has received from the network layer, simply by inserting a Layer 2 header that contains the source and destination MAC addresses. A trailer is inserted at the end of the datagram. This is used to check for any errors in incoming messages. The trailer contains a Frame Check Sequence (FCS) and inside the FCS, there's a Cyclic Redundancy Check (CRC). The CRC is a one-way cryptographic hash representation of the entire datagram. Devices that receive these datagrams use the CRC value to verify the integrity of the message, such as whether it was modified or corrupted during transmission. With the new Layer 2 header and trailer added to the datagram, the PDU is now known as a frame.

The MAC sub-layer is responsible for the actual Layer 2 addressing as well as the source and destination MAC address for the frame. The MAC address is considered to be a physical address that is embedded on a Network Interface Card (NIC). Sometimes, the MAC address is referred to as a Burned-In Address (BIA) because it cannot be changed conventionally.

The following is a simplified diagram that shows a frame with both its Layer 2 header and trailer:

Figure 1.5 – Contents of a frame

Figure 1.5 – Contents of a frame

Additionally, a Preamble is inserted at the beginning of the frame to indicate the start of the frame and sequencing details to help with the re-assembling of the message on the destination device. The preamble has a lot of significance. Before the data link layer passes the frame to the next layer, it cuts the raw data into smaller pieces called bits. Each bit will contain the Layer 2 header and trailer details, then the data link layer will send those bits to the physical layer.

The MAC address is 48 bits or 6 bytes in length, which is written in hexadecimal values. These values are 0 1 2 3 4 5 6 7 8 9 A B C D E F. Various operating system vendors usually present the MAC address value in one of the following formats:

  • 12:34:56:78:9A:BC
  • 12-34-56-78-9A-BC
  • 1234.568.9ABC

The first 24 bits in MAC addresses can be used to identify a vendor of a device. This portion of the MAC address is known as the Organization Unique Identifier (OUI). The last 24 bits, however, are unique and assigned by the vendor, therefore the entire 48-bit MAC address is unique globally.

To check the MAC address on a Cisco IOS router, use the show interfaces interface-ID command as shown here:

Figure 1.6 – Viewing the MAC address on a Cisco router

Figure 1.6 – Viewing the MAC address on a Cisco router

To view the MAC address on a Linux device, use the ifconfig command in the Linux Terminal as shown here:

Figure 1.7 – Viewing the MAC address on a Linux device

Figure 1.7 – Viewing the MAC address on a Linux device

On Linux-based devices, the ether field is used to indicate the MAC address of the interface, as seen in the previous screenshot.

To view the MAC address on a Windows device, use the ipconfig /all command in Windows Command Prompt as shown here:

Figure 1.8 – Viewing the MAC address on a Windows device

Figure 1.8 – Viewing the MAC address on a Windows device

To perform a MAC OUI lookup, use the following steps:

  1. Go to https://www.wireshark.org/tools/oui-lookup.html.
  2. Copy the MAC address from your device. For this exercise, you can copy this MAC address: 00-0C-29-A0-B0-6A.
  3. Enter it into the OUI search field and click on Find, as shown in the following screenshot:
Figure 1.9 – Performing a MAC vendor lookup

Figure 1.9 – Performing a MAC vendor lookup

The online tool was able to profile the first 24 bits of the MAC address and indicated the address belongs to a VMware device. Fortunately, this MAC address was taken from one of my demo virtual machines in my personal lab.

Important note

While networking professionals are taught that MAC addresses are unchangeable (burned-in), a cybersecurity professional or hacker is able to change the MAC address easily on their NIC to avoid detection.

Being able to quickly profile MAC addresses can help you eliminate rogue and unauthorized devices that are connected to your network.

Layer 1 – the physical layer

The physical layer is the actual wired and wireless network; it's the actual media that is used to transmit bits from one device to another. At this layer, you will find various types of cables, such as Cat 6 or even fiber optics, and wireless media such as radio frequency, whether it be Wi-Fi or 5G technologies that are used to transport the actual signals (bits) between a source and a destination.

Now that you have an idea about the OSI reference model, let's take a look at the importance of the TCP/IP protocol suite in the next section. The various layers of the OSI reference model are mapped to the layers of the TCP/IP protocol suite. It's important as a security professional that you have the knowledge to identify the characteristics of a datagram as it passes through each of these layers.

The TCP/IP protocol suite

TCP/IP was created by the United States Department of Defense (US DoD) and has been implemented in all operating systems to enable network connectivity. Unfortunately, the ISO OSI model did not get the traction it needed to be approved as an official protocol suite and therefore became a reference model where both network and security professionals use each layer for reference purposes.

TCP/IP is the universal language spoken on all computer-based networks; whether it's a Local Area Network (LAN) or the internet, all devices use TCP/IP to communicate. As mentioned earlier, the protocol suite simply defines how a system such as a computer is able to send and receive messages through a network.

With TCP/IP, there are five layers in this protocol suite. The following diagram shows how each layer of the OSI reference model maps directly to each layer of the TCP/IP protocol suite:

Figure 1.10 – TCP/IP protocol suite

Figure 1.10 – TCP/IP protocol suite

In comparison to both models, the top three layers of the OSI model (the application, presentation, and session layers) are mapped to the application layer of TCP/IP. This means the application layer in TCP/IP contains all the functions as described in the top three layers of the OSI reference model.

In this section, you have learned about the function of each network layer of the OSI reference model and how they are mapped to the TCP/IP protocol suite. This knowledge is useful when performing network traffic analysis on an enterprise network. In the next section, you will discover the purpose of various network protocols, such as IP, TCP, and UDP.

 

Understanding the purpose of various network protocols

In the networking world, TCP and IP are the most popular and frequently used protocols to transport and deliver data to and from the application layer, hence the name of the protocol suite, TCP/IP. However, some application-layer protocols use UDP over TCP for many reasons. In this section, you will explore the characteristics of all three protocols and how they work together to ensure devices are able to exchange messages.

Transmission Control Protocol

The application-layer protocols of the TCP/IP protocol suite do not have any capabilities to ensure their datagram (data) is successfully delivered to their destination. The application-layer protocols are designed to interpret the messages or data that are being sent and received by a device. Unfortunately, there are no mechanisms that are built into them. This is where the transport-layer protocols come in to save the day.

One such Layer 4 protocol to help with the delivery of datagrams is TCP. TCP is known as a connection-oriented protocol, which ensures messages are delivered to their destination. For TCP to provide such reassurance and guarantee of delivery, a TCP three-way handshake is established between a source and destination before exchanging messages (data). For a TCP three-way handshake to be established, two devices must exchange a series of TCP synchronization and TCP acknowledgement messages before they can exchange data.

The following diagram shows two devices establishing a TCP three-way handshake:

Figure 1.11 – TCP three-way handshake

Figure 1.11 – TCP three-way handshake

After the TCP three-way handshake has been established between the two devices, they will begin to send data between each other. During a TCP connection, for every message a device sends to a destination, an acknowledgment is expected to be returned indicating the message was successfully delivered. If the sender does not receive an acknowledgment from the destination after a period of time, the sender will retransmit the data until the destination returns an acknowledgment. This is how TCP provides the guaranteed delivery of messages between a source and destination on a network.

To get a better understanding of how devices see the TCP three-way handshake, let's take a look at the following HTTP traffic capture on Wireshark:

Figure 1.12 – Observing a TCP three-way handshake in Wireshark

Figure 1.12 – Observing a TCP three-way handshake in Wireshark

The following are the details of the transactions that occur in the first three packets in the preceding capture:

  1. As you can see, the sender (Device-A) with the IP address 145.254.160.237 is sending a TCP SYN packet over to Device-B at 65.208.228.223. The TCP SYN message simply informs the destination device that the sender wants to initiate a TCP three-way handshake and exchange some messages.

    The following snippet shows the details of packet #1:

    Figure 1.13 – Observing the SYN flag

    Figure 1.13 – Observing the SYN flag

  2. When Device-B receives the TCP SYN message, it will then respond with a TCP SYN/ACK message back to the sender, Device-A, indicating it would like to establish a session and acknowledges the SYN message. In a single packet, both the SYN and ACK flags will be set. We can see this in the following screenshot:
    Figure 1.14 – Observing SYN and ACK flags in a packet

    Figure 1.14 – Observing SYN and ACK flags in a packet

  3. Lastly, when Device-A receives the TCP SYN/ACK message, it will then respond with a TCP ACK message. This is the final stage in establishing the TCP three-way handshake. From this point forward, for all other messages that are exchanged between Device-A and Device-B, a TCP ACK message is returned to the sender to confirm that the message has been successfully delivered.

Using TCP seems to be the preferred transport-layer protocol, right? To put it simply, TCP has some drawbacks in certain situations and various application-layer protocols. The following are some well-known disadvantages of using TCP:

  • TCP has more overhead on a network. For each bit of data sent, an acknowledgment message must be returned. Imagine streaming a video on YouTube. For each message the media server sends to you, your computer has to send an acknowledgment packet back to the server. This additional network traffic will eventually flood and congest the network as more users stream media from YouTube.
  • TCP does not work well for time-sensitive traffic types. Traffic types such as Voice over IP (VoIP) and Video over IP rely heavily on the speed of a network to ensure both the sender and receiver are experiencing the conversation in real time. Imagine, during a VoIP call, the sender has to wait for the acknowledgment packets for each message it has sent to the destination before the sender is able to forward more messages to the destination.

Now that you have a clear idea about the functionality and role TCP plays in a network, let's take a look at the features of UDP in the next section.

User Datagram Protocol

UDP is described as a connectionless transport-layer protocol. Connectionless means UDP does not establish any logical sessions between a sender and receiver; it simply sends the messages to the destination without any prior checks like TCP. Imagine you are sending physical mail via your local courier service to a friend. You deposited the letter containing all the proper addressing information at the local postbox. From that point onward, you don't have any tracking information or confirmation of delivery for the letter. What if the person has moved to another location? How will you be notified? Similarly, this is how UDP works. It sends messages without establishing a session and it does not provide a guarantee of delivery.

If you recall in the previous section, TCP will resend a message if the sender does not receive an acknowledgment from the destination. UDP will send messages as quickly as the protocol is receiving PDUs from the application layer, even if the messages are sent out of order. UDP uses best-effort when sending messages across a network.

Both the TCP and UDP protocols are vital to ensure the next protocol, IP, is able to carry the actual data to its intended destination. In the next section, you will learn about the fundamentals of IP.

Internet Protocol

Without the IP, a device will not be able to communicate across networks. The 
transport-layer protocols, such as TCP and UDP, support the IP with its delivery of messages between a sender and receiver. IP is the driving force behind all computer-based networks and is used to carry messages between devices.

IP has the following characteristics and functionality on a TCP/IP network:

  • IP is connectionless and does not establish a session between the sender and receiver devices prior to forwarding any messages.
  • IP also forwards network traffic using best-effort and does not provide any sort of reassurance to the sender that its messages will be successfully delivered to the destination or even in sequential order.
  • IP is designed to operate independently from the network media. To put it simply, the contents of an IP packet are not affected by the type of network cabling or radio frequencies that are used at the physical layer of a network.

Now that you have learned about the characteristics of the IP, let's take a deeper dive to learn more about IPv4 addressing schemes and their structure in the next section.

IPv4

In the early 1980s, IPv4 address spaces were made available to organizations, which enabled them to assign a unique IPv4 address to each device on their network and the internet for communication and the sharing of resources. The Internet Assigned Numbers Authority (IANA) created and manages the IP address spaces for the entire world.

In the computing world, devices are able to understand ones (1s) and zeros (0s), which are commonly referred to as bits. These are physically represented in the form of an electrical signal being high (1) or low (0) on a system. Each device on a network requires a logical address to communicate with one another – this address is an IP address. An IPv4 address has a total length of 32 bits. This address is written in the following decimal format, which most of us are familiar with: 192.168.1.10.

The preceding address is written in decimal format. However, notice how each number is separated by a period (.). Each of those numbers within the IPv4 address is known as an octet. An octet is made up of 8 bits in the range 00000000 – 11111111. This means an octet ranges from 0 to 255 in decimal notation.

In the IPv4 world, the IANA has designed some addresses that can be allocated for private use, while another group of addresses was allocated for usage on the internet. The private IPv4 addresses are non-routable on the internet. This means any device that has a private IPv4 address assigned to it will not be able to communicate with any device on the public address space, which is the internet.

The following table shows the classes of private IPv4 address spaces:

Figure 1.15 – Private IPv4 address spaces

Figure 1.15 – Private IPv4 address spaces

Each class of private IPv4 address can be assigned to devices on a private network. Additionally, this address space does not have to be unique between organizations simply because they are non-routable on the internet. Company A can implement any of the private IPv4 classes within their network and so can other organizations without creating any issues or conflict.

The following are the classes of public IPv4 address spaces:

Figure 1.16 – Public IPv4 address spaces

Figure 1.16 – Public IPv4 address spaces

The addresses shown in the preceding table are those that can be used on the internet and are routable on public networks. Each device that is directly connected to the internet, such as your firewall or edge router, must be assigned a unique public IPv4 address. The assignment of a public IPv4 address to an organization's edge devices is usually done by their Internet Service Provider (ISP). Keep in mind, the missing IPv4 address spaces shown in Figure 1.16 belong to the IPv4 private address space.

For each class of IPv4 address, there's an associated subnet mask address. The subnet mask has a very important role; it's also 32 bits in length, and helps the computer or device to determine which portion of the IPv4 address is the network portion and which is the host portion.

The following table shows the subnet mask for each class of IPv4 address:

Figure 1.17 – Subnet masks

Figure 1.17 – Subnet masks

An IP address is made up of two portions: the network and the host portion. The network portion of an IP address is like the community address of your neighborhood – everyone has the same community address as you but your house/apartment number is unique to your residents. The host portion of the IP address is unique to the host device on the network; therefore, overall, the entire IP address is unique on the network.

The subnet mask is used to help a device such as a router or even your computer to determine which portion of the IP address belongs to the network and which portion belongs to the host.

In the following snippet, you will notice that we have converted both an IP address and subnet mask into binary notation, such that each bit within the IP address and subnet mask is aligned. The 1s in the subnet mask are used to represent the network portion of the IP address, while the 0s are used to represent the host portion:

Figure 1.18 – Determining the network and host portions of an IP address

Figure 1.18 – Determining the network and host portions of an IP address

As shown in the preceding figure, we use a Class C IPv4 address, 192.168.1.10, with its default subnet mask of 255.255.255.0, which allows us to determine the network and host portions of the IPv4 address.

A subnet mask can be written in a shortened version known as a network prefix. The network prefix is a simplified representation of the number of ones in a subnet mask. Therefore, a subnet such as 255.255.255.0 contains a total of 24 ones, so we can represent this subnet mask by simply writing it as /24. Another example: let's imagine a computer has an IPv4 address of 172.16.2.2 with a subnet mask of 255.255.0.0. This entire address can be represented in the format 172.16.2.2/16.

Tip

If you are interested in learning more about IPv4 subnetting and techniques, be sure to check out this tutorial: https://hub.packtpub.com/understanding-address-spaces-and-subnetting-in-ipv4-tutorial/.

Furthermore, the subnet mask is used to help end devices determine whether the destination for the messages exists on the same network as the sender or on a remote network. The subnet mask is also used to determine the network ID of the sender and compare it with the destination IP address. The network ID is simply the community that a device resides on. If the network IDs of the sender and the destination match, the sender will forward the message to the destination directly by inserting the destination's IP address and its MAC address in the message.

The following snippet shows the routing table on a Windows 10 computer:

Figure 1.19 – Checking the Windows 10 routing table

Figure 1.19 – Checking the Windows 10 routing table

If the network IDs of the source and destination do not match, the sender will insert the destination's IP address in the Layer 3 header of the packet and the default gateway's MAC address as the destination MAC address of the Layer 2 header in the frame. Therefore, the sender will forward its message to the default gateway, which will inspect the destination IP address in the Layer 3 header and forward it to the intended destination.

To determine the network ID, the process of ANDing the IP address and subnet mask is required. The following are the laws of ANDing:

1 AND 1 = 1
1 AND 0 = 0
0 AND 1 = 0
0 AND 0 = 0

To apply this technique, let's use an example such as determining the network ID of a computer with an IP address of 192.168.1.10 and a subnet mask of 255.255.255.0:

Figure 1.20 – Determining a network ID

Figure 1.20 – Determining a network ID

The network ID is 192.168.1.0/24. This process happens each time the source wants to send a message to another device. It has to determine whether the destination host is on the same network as the source or on another IP subnet.

IPv6

The IPv4 public address space was destined to eventually be exhausted as more devices came online. This happened a bit sooner than expected. In 2013, it was announced that IPv6 had started making its way onto the internet to support newly connected devices with the new address scheme. On the positive side of things, IPv6 was designed to be lightweight compared to the structure of an IPv4 packet.

An IPv6 address is 128 bits in length and is written using hexadecimal characters that range from 0 to 9 and A to F. The following is an example of an IPv6 address:

2001:0DB8:0000:1111:0000:0000:0000:0200

A colon (:) is used to separate the hextets from one another. A hextet is made up of 16 bits, therefore 8 hextets x 16 bits per hextet = 128 bits in total. Unlike IPv4, IPv6 has a lot more available addresses with an approximate value of 10^36 IPv6 addresses in the world. With this large number, there is no need for public or private address spaces in the IPv6 world. Devices are assigned a global unicast IPv6 address that is routable on the internet as a public IPv4 address.

Important note

The default subnet mask for an IPv6 address is /64. Additionally, /64 bit is the global prefix on IPv6 that corresponds to the network address of IPv4.

Keep in mind that IPv6 and IPv4 exist in two different logical spaces and therefore, they are unable to talk to each other natively. However, various networking technologies and IP services, such as NAT64, tunneling (6to4 and 4to6), and dual stacking, make it possible for devices to communicate on both an IPv4 and IPv6 network.

The Internet Control Message Protocol

Another important network-layer protocol is the Internet Control Message Protocol (ICMP). ICMP is designed to provide error reporting details to networking professionals such that a network administrator or engineer can use various tools, such as ping and traceroute, which utilize ICMP to validate the causes of network connectivity issues. A cybersecurity professional also uses various security tools, such as Nmap, to assist in profiling and determining security configurations on target systems such as end devices and security appliances.

ICMP operates by sending an ICMP echo request message from the sender device over to the destination. Once the destination device receives the message, it will process it and respond with an ICMP echo reply back to the sender. This is an indication that there is network connectivity between the sender and destination devices.

The following diagram shows a visual representation of this concept:

Figure 1.21 – ICMP messages between two devices

Figure 1.21 – ICMP messages between two devices

To get a better understanding of how ICMP works, let's take a look at an ICMP packet structure and break down the fields to understand their purpose. The following diagram shows a simplified representation of an IP packet and its respective fields:

Figure 1.22 – ICMP packet structure

Figure 1.22 – ICMP packet structure

The following is a description of each field in the ICMP packet structure:

  • IP Header: This is used to indicate the protocol type using an identifier, such that protocol 1 will indicate to the destination that the packet is an ICMP message.
  • Type: This is usually a numerical value such as 0 – Echo Reply, 3 – Destination Unreachable, 5 – Redirect, 8 – Echo Request, and 11 – Time Exceeded. Each of these Type codes is used to provide the sender with specific error reporting details about the network connectivity between a source and destination.
  • Code: This is also a numerical value, which is associated with the Type value. Code is used to provide more specific details about the type of ICMP message that is sent back and forth between devices on a network.

    The following table shows a breakdown of the ICMP Type and Code:

Figure 1.23 – ICMP types and codes

Figure 1.23 – ICMP types and codes

  • Checksum: This is used to represent a one-way cryptographic hash value of the entire packet. The hash value is used by the destination device to check the integrity of the packet, such as whether it was modified or corrupted during transmission.
  • ICMP Data: This field usually contains additional ICMP information about the packet.

Next, you will learn how to use Wireshark, a network protocol analyzer, to inspect ICMP messages.

Lab – inspecting ICMP messages with Wireshark

To get a better idea of how ICMP works, let's use the ping utility within the Windows operating system to test the connectivity between your local machine and Google's public DNS servers. Additionally, we will be using Wireshark to analyze network traffic.

To complete this exercise, use the following steps:

  1. To download Wireshark, go to https://www.wireshark.org/. Once the file has been downloaded onto your system, install it using all the default settings.
  2. Open Wireshark and double-click on your NIC to begin capturing traffic:
    Figure1.24 – Selecting an NIC on Wireshark

    Figure1.24 – Selecting an NIC on Wireshark

  3. Once the capture has started, in the Display Filter bar, type icmp and hit Enter. This will show only ICMP messages on Wireshark, as shown here:
    Figure 1.25 – ICMP filter on Wireshark

    Figure 1.25 – ICMP filter on Wireshark

  4. In Windows, open Command Prompt. Enter the ping 8.8.8.8 command and hit Enter, as shown here:
    Figure 1.26 – Testing connectivity using ping

    Figure 1.26 – Testing connectivity using ping

  5. Your computer sent four ICMP echo request messages. Each of these messages contains ICMP Type 8 Code 0 details. To inspect this packet, select the first ICMP packet and take a look at the packet details, as shown here:
    Figure 1.27 – Observing ICMP echo request messages

    Figure 1.27 – Observing ICMP echo request messages

  6. Next, select the next ICMP packet. This should be an ICMP echo reply. This packet contains an ICMP Type 0 Code 0 in its details:
    Figure 1.28 – Inspecting ICMP reply messages

    Figure 1.28 – Inspecting ICMP reply messages

  7. Lastly, click the red square icon at the top left of the Wireshark interface to stop the capture.

Having completed this lab, you have gained the essential skills to perform the inspection of various types of ICMP messages, their types, and the code within each packet.

Now that you have completed this section, you have gained the fundamental knowledge of being able to describe the functions of each network layer of both the OSI reference model and the TCP/IP protocol suite.

 

Summary

Having completed this chapter, you have learned about the need for a protocol suite on computer networks and the internet. Furthermore, you saw how a message such as a raw datagram is encapsulated with various header information, such as source and destination details, as it is created by an application protocol and passed down to the physical network. Understanding the operations of each network layer will further help you understand various types of vulnerabilities and cyber-attacks in the later chapters of this book.

I hope this chapter has been informative for you and is helpful in the journey toward learning the foundations of cybersecurity operations and gaining your Cisco Certified CyberOps Associate certification.

In the next chapter, Chapter 2, Exploring Network Components and Security Systems, you will learn how to get started with using a cybersecurity approach to secure your assets.

 

Questions

The following is a short list of review questions to help reinforce your learning and help you identify areas that require some improvement. The answers to the questions can be found in the Assessments section at the end of this book:

  1. Which layer of the TCP/IP suite is responsible for IP addressing?

    A. LLC

    B. Network

    C. Internet

    D. Data link

  2. Which protocol establishes a session before sending messages to a destination?

    A. ICMP

    B. TCP

    C. UDP

    D. ARP

  3. When a device does not know the MAC address of the destination host and wants to send a message, what does the source device do?

    A. Sends a TCP message

    B. Sends a ping message

    C. Sends an ICMP request

    D. Sends an ARP request

  4. Which command on a Cisco router allows you to view the MAC address of a specific interface?

    A. show interface

    B. show running-config

    C. show version

    D. show startup-config

  5. Which of the following protocols does not operate at the application layer?

    A. HTTPS

    B. TCP

    C. HTTP

    D. SSH

  6. Which of the following protocols is associated with the service port 53?

    A. DHCP

    B. SMTP

    C. HTTP

    D. DNS

  7. Which command can be used to verify the MAC address on a Windows system?

    A. ifconfig

    B. ipconfig

    C. ipconfig /all

    D. ifconfig /all

 

Further reading

The following link is recommended for additional reading:

About the Author

  • Glen D. Singh

    Glen D. Singh is a cybersecurity instructor and an InfoSec author. His areas of expertise are cybersecurity operations, offensive security tactics, and enterprise networking. He is a holder of many certifications, including CEH, CHFI, PAWSP, and 3xCCNA (in CyberOps, Security, and Routing and Switching). Glen loves teaching and mentoring others and sharing his wealth of knowledge and experience as an author. He has written many books that focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response, implementing security solutions, and enterprise networking. As an aspiring game-changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.

    Browse publications by this author
Cisco Certified CyberOps Associate 200-201 Certification Guide
Unlock this book and the full library FREE for 7 days
Start now