As an up-and-coming cybersecurity professional, it is important to have a solid foundation of the understanding of networking concepts such as the types of devices, the underlying network layers, and the protocols that help transport messages from a source to a destination. Understanding networking concepts helps a security professional to better grasp the fundamentals of knowing how threat actors, such as hackers, are able to discover security flaws in applications, operating systems, and network protocols. Hackers use these vulnerabilities to assist in delivering their malicious payload into their targets.
Throughout this chapter, you will learn about various networking technologies, protocols, and services, and how they all work together to forward your messages, such as data, between your device and the destination. As a cybersecurity professional, it is essential to fully understand how network devices and protocols function. To put it simply, many network protocols were not designed with security in mind, and threat actors usually take advantage of the vulnerabilities found within these technologies. Upon completing this chapter, you will be able to fully understand the networking aspects of cybersecurity, which many professionals struggle to grasp.
In this chapter, we will cover the following topics:
- The functions of the network layers
- Understanding the purpose of various network protocols
Now that we are aware of the outcomes we are set to achieve, let's dive into the chapter!
The functions of the network layers
Networking plays a vital role in everything we do on a daily basis. Whether your organization is using Slack or Microsoft Teams or traditional emails for internal communication between employees, your smartphone or computer is connected to a network. To fully understand how cyber-attacks and threats are able to infiltrate a system or network, you must first understand the fundamentals of networking.
Hackers are cunning; they are always looking for the easiest way to gain access to a system or network. They look for vulnerabilities, which are security weaknesses in a system, application, coding, or design, and try to take advantage by exploiting them. You may be wondering, what does this have to do with networking? To answer this question in a simple sentence, there are many network protocols that were not designed with any security in mind, thus allowing hackers to exploit their vulnerabilities.
To get a better understanding of the bigger picture of network protocols and applications, let's take a look at what happens when a device such as a computer sends a message such as data to a web server. Built into each modern operating system, whether it's Microsoft Windows, Apple macOS, or even the Android operating system, you will find a protocol suite, which is responsible for the encoding, formatting, and transmission of messages between a source and destination.
During the pre-internet age and the early stages of computer networks, many computer vendors created their own protocol suite to enable their devices to communicate on a network. The downside to such ideas was that each vendor made a protocol suite proprietary to their devices only. This means Vendor A devices would not be able to communicate with Vendor B devices if they were connected to the same physical network.
This concept was not scalable or adaptive. Eventually, two emerging protocol suites surfaced with promises to be interoperable with any vendor devices and networks. These two well-known protocol suites are as follows:
- The Open Systems Interconnection (OSI) reference model
- The Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite
A protocol suite allows a device to format a message for delivery using a universal set of standards and protocols to ensure all devices along the path to the destination are able to read the addressing and data contents clearly. In other words, the protocol suite allows all devices to speak a common language on the network and the internet.
Each of these models has several layers that describe how a message is sent from one device to another and vice versa. In the following sub-sections, you will learn about the characteristics of both the OSI reference model and the TCP/IP protocol suite.
The OSI reference model
The OSI reference model was developed by the International Organization for Standardization (ISO) to be a protocol suite for operating systems in the 1970s. This model consisted of seven layers. Each layer was responsible for a unique role and function to help a device encode (format), send, and receive messages through a network.
The following diagram shows the OSI reference model with all its seven layers:
A simple method to always remember the layers of the OSI model from top to bottom is to learn this phrase, All People Seem To Need Data Processing, using the first letter of each layer to make an easy-to-remember sentence.
When a device such as a computer is sending a message, an application-layer protocol will create the message and pass it down to the lower layers until it is placed on the actual wired or wireless network. A sender creates the Protocol Data Unit (PDU) at Layer 7 – the application layer and works its way downward to Layer 1 – the physical layer where the message is sent on the network as an electrical, light, or radio-frequency signal. Keep in mind that when a device is receiving a message from a sender, the message enters Layer 1 – the physical layer and works its way upward to Layer 7 – the application layer.
In the following sections, you will learn about the role and function of each layer of the OSI reference model. Furthermore, you'll discover what happens to a message as it is created by an application-layer protocol and is passed down to the lower layers while it makes its way through the physical network to its destination.
Layer 7 – the application layer
The application layer exists closest to the user, such as yourself. Don't be mistaken – this is not the software or applications you are familiar with using on your computer, such as a web browser or email client such as Microsoft Outlook. The application layer contains many protocols, which allow the user to interact with network resources. A simple example is accessing Cisco's website to gather more information about this certification. You would open your favorite web browser and go to the www.cisco.com web address and the web page would be loaded onto your screen. In reality, your web browser (software) is able to interact with an application-layer protocol such as HyperText Transfer Protocol (HTTP) or HyperText Transfer Protocol Secure (HTTPS). Both HTTP and HTTPS are protocols that allow your computer to communicate with a web server.
Each application-layer protocol is unique in its role and function. When data is created by an application-layer protocol such as HTTPS, it can only be interpreted or understood by another device running the same protocol (HTTPS). Recall the previous example, where the web browser invokes the HTTPS protocol to exchange messages with a Cisco web server that is also using HTTPS.
- File Transfer Protocol (FTP)
- Secure Shell (SSH)
- Secure Copy (SCP)
- Simple Mail Transfer Protocol (SMTP)
- Domain Name System (DNS)
- Dynamic Host Configuration Protocol (DHCP)
- Trivial File Transfer Protocol (TFTP)
At this layer, the application-layer protocol creates raw data known as a datagram. However, in the networking world, this PDU is best referred to as data. Once the application layer has finished creating its message, it parses the data down to the presentation layer.
Layer 6 – the presentation layer
As you know, application-layer protocols will create their messages (data) such that they can only be interpreted by the same protocol that created it. If the PDU from the application layer is parsed to the lower layers, those lower layers will not be able to interpret what the message is about and why it's being sent to them.
The presentation layer will format the PDU that it receives from the application layer in a uniform format, thus allowing the lower layers to interpret the message clearly. Additionally, the presentation layer is responsible for compressing data for transmission, data encryption, and decryption as well.
At this stage, the PDU is still referred to as data and now it's time for it to be sent to the session layer for further processing.
Layer 5 – the session layer
At the session layer, the PDU (data) is not modified in any way but rather, this layer is responsible for the sessions that are created between the source and destination of the message. You can think of the session layer as the logical module, which is responsible for creating, maintaining, and terminating the logical sessions between your computer and the destination, such as a web server.
Layer 4 – the transport layer
The transport layer plays a vital role in helping datagrams or PDUs to reach their corresponding application-layer protocol. The transport layer is responsible for the delivery and transportation of messages (datagrams) from a source device to the destination.
- Transmission Control Protocol (TCP)
- User Datagram Protocol (UDP)
The application-layer protocols, such as HTTPS and DNS, rely on either of these transport-layer protocols to ensure their messages are delivered across the network.
In a later section of this chapter, Understanding the purpose of various network protocols, we will take a deeper look at the characteristics of both TCP and UDP.
Let's imagine that on a network, there is Device-A, which is providing two services to its users: email and web services. For each of these services, an email server and web server applications must be installed on Device-A and be running. You may be thinking about the following questions:
- How is Device-A able to identify the email traffic from the web traffic?
- How does Device-A know to send the email traffic to the email application-layer protocol SMTP and not the web server?
To put it simply, both TCP and UDP use logical network/service ports, which are built into all modern operating systems. There is a total of 65,535 logical network/service ports on any operating system, whether it's Linux, Windows, or even Android.
These network ports operate as doorways for an operating system. If traffic is leaving a device, the operating system opens a doorway (source port) for the traffic to leave and to accept any returning messages. On a server running a web application (Apache, NGINX, or Microsoft IIS) or even an email server, these applications will open their corresponding default network ports for inbound traffic.
The following table shows the categories of service ports:
- FTP –
- SSH –
- SCP –
- Telnet –
- SMTP –
- DNS –
- DHCP –
- TFTP –
- HTTP –
- HTTPS –
- Post Office Protocol (POP) –
- Internet Message Access Protocol (IMAP) –
For a full listing of service ports, please visit https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.
The transport layer will encapsulate the PDU with a Layer 4 header. This header will contain both source and destination service port details, and the PDU will be known as a segment. The destination service port is needed to ensure the receiving device forwards the PDU to its corresponding application-layer protocol. For example, if you are sending a web request such as an HTTP GET message to a web server, the web server will have port
80 open for HTTP by default. Therefore, the destination port on the segment will be port
80. When the segment is received by the web server, the transport layer will remove the Layer 4 header and forward the raw datagram to the HTTP protocol at the application layer.
The following is a diagram that shows a segment with its Layer 4 (transport) header:
Layer 3 – the network layer
The network layer is perhaps the most popular layer throughout the entire reference model. At this layer, devices insert a Layer 3 header into the PDU, which contains both source and destination Internet Protocol (IP) addresses. As you know, IP addresses are like street addresses for a network. Without IP addresses, devices will not be able to communicate with each other on remote or foreign networks. Once the network layer encapsulates the Layer 3 header onto the PDU, it is known as a packet.
In a later section of this chapter, Understanding the purpose of various network protocols, we will take a deeper look at the characteristics of the IP and its versions.
- Responsible for the logical IP version 4 (IPv4) and IP version 6 (IPv6) addressing on packets
- The forwarding of packets between IP networks (routing)
- Encapsulating Layer 3 headers onto PDUs as they are passed down the OSI model
- De-encapsulating PDUs as they are passed upward to the application-layer protocols
The following diagram shows a packet with its Layer 3 header:
Once the network layer of the OSI model has finished its encapsulation process, it will pass the packet down to the next layer, the data link layer, as more details need to be attached before it's sent out on the actual physical network.
Layer 2 – the data link layer
The data link layer bridges the gap between the operating system of a device and the actual physical network, whether it's a wired or wireless network. It is at this layer that the operating system is able to control how messages are placed on the physical network and how errors are detected and handled on incoming messages.
- Logical Link Control (LLC)
- Media Access Control (MAC)
The LLC and MAC work together to ensure datagrams that are outgoing contain all the necessary details to help them reach their destination successfully. Additionally, these two sub-layers are also responsible for handling any incoming messages for a system.
The LLC sub-layer will allow further encapsulation to the packets it has received from the network layer, simply by inserting a Layer 2 header that contains the source and destination MAC addresses. A trailer is inserted at the end of the datagram. This is used to check for any errors in incoming messages. The trailer contains a Frame Check Sequence (FCS) and inside the FCS, there's a Cyclic Redundancy Check (CRC). The CRC is a one-way cryptographic hash representation of the entire datagram. Devices that receive these datagrams use the CRC value to verify the integrity of the message, such as whether it was modified or corrupted during transmission. With the new Layer 2 header and trailer added to the datagram, the PDU is now known as a frame.
The MAC sub-layer is responsible for the actual Layer 2 addressing as well as the source and destination MAC address for the frame. The MAC address is considered to be a physical address that is embedded on a Network Interface Card (NIC). Sometimes, the MAC address is referred to as a Burned-In Address (BIA) because it cannot be changed conventionally.
Additionally, a Preamble is inserted at the beginning of the frame to indicate the start of the frame and sequencing details to help with the re-assembling of the message on the destination device. The preamble has a lot of significance. Before the data link layer passes the frame to the next layer, it cuts the raw data into smaller pieces called bits. Each bit will contain the Layer 2 header and trailer details, then the data link layer will send those bits to the physical layer.
The MAC address is 48 bits or 6 bytes in length, which is written in hexadecimal values. These values are 0 1 2 3 4 5 6 7 8 9 A B C D E F. Various operating system vendors usually present the MAC address value in one of the following formats:
The first 24 bits in MAC addresses can be used to identify a vendor of a device. This portion of the MAC address is known as the Organization Unique Identifier (OUI). The last 24 bits, however, are unique and assigned by the vendor, therefore the entire 48-bit MAC address is unique globally.
To check the MAC address on a Cisco IOS router, use the
show interfaces interface-ID command as shown here:
On Linux-based devices, the
ether field is used to indicate the MAC address of the interface, as seen in the previous screenshot.
To view the MAC address on a Windows device, use the
ipconfig /all command in Windows Command Prompt as shown here:
- Go to https://www.wireshark.org/tools/oui-lookup.html.
- Copy the MAC address from your device. For this exercise, you can copy this MAC address:
- Enter it into the OUI search field and click on Find, as shown in the following screenshot:
The online tool was able to profile the first 24 bits of the MAC address and indicated the address belongs to a VMware device. Fortunately, this MAC address was taken from one of my demo virtual machines in my personal lab.
While networking professionals are taught that MAC addresses are unchangeable (burned-in), a cybersecurity professional or hacker is able to change the MAC address easily on their NIC to avoid detection.
Being able to quickly profile MAC addresses can help you eliminate rogue and unauthorized devices that are connected to your network.
Layer 1 – the physical layer
The physical layer is the actual wired and wireless network; it's the actual media that is used to transmit bits from one device to another. At this layer, you will find various types of cables, such as Cat 6 or even fiber optics, and wireless media such as radio frequency, whether it be Wi-Fi or 5G technologies that are used to transport the actual signals (bits) between a source and a destination.
Now that you have an idea about the OSI reference model, let's take a look at the importance of the TCP/IP protocol suite in the next section. The various layers of the OSI reference model are mapped to the layers of the TCP/IP protocol suite. It's important as a security professional that you have the knowledge to identify the characteristics of a datagram as it passes through each of these layers.
The TCP/IP protocol suite
TCP/IP was created by the United States Department of Defense (US DoD) and has been implemented in all operating systems to enable network connectivity. Unfortunately, the ISO OSI model did not get the traction it needed to be approved as an official protocol suite and therefore became a reference model where both network and security professionals use each layer for reference purposes.
TCP/IP is the universal language spoken on all computer-based networks; whether it's a Local Area Network (LAN) or the internet, all devices use TCP/IP to communicate. As mentioned earlier, the protocol suite simply defines how a system such as a computer is able to send and receive messages through a network.
With TCP/IP, there are five layers in this protocol suite. The following diagram shows how each layer of the OSI reference model maps directly to each layer of the TCP/IP protocol suite:
In comparison to both models, the top three layers of the OSI model (the application, presentation, and session layers) are mapped to the application layer of TCP/IP. This means the application layer in TCP/IP contains all the functions as described in the top three layers of the OSI reference model.
In this section, you have learned about the function of each network layer of the OSI reference model and how they are mapped to the TCP/IP protocol suite. This knowledge is useful when performing network traffic analysis on an enterprise network. In the next section, you will discover the purpose of various network protocols, such as IP, TCP, and UDP.
Understanding the purpose of various network protocols
In the networking world, TCP and IP are the most popular and frequently used protocols to transport and deliver data to and from the application layer, hence the name of the protocol suite, TCP/IP. However, some application-layer protocols use UDP over TCP for many reasons. In this section, you will explore the characteristics of all three protocols and how they work together to ensure devices are able to exchange messages.
Transmission Control Protocol
The application-layer protocols of the TCP/IP protocol suite do not have any capabilities to ensure their datagram (data) is successfully delivered to their destination. The application-layer protocols are designed to interpret the messages or data that are being sent and received by a device. Unfortunately, there are no mechanisms that are built into them. This is where the transport-layer protocols come in to save the day.
One such Layer 4 protocol to help with the delivery of datagrams is TCP. TCP is known as a connection-oriented protocol, which ensures messages are delivered to their destination. For TCP to provide such reassurance and guarantee of delivery, a TCP three-way handshake is established between a source and destination before exchanging messages (data). For a TCP three-way handshake to be established, two devices must exchange a series of TCP synchronization and TCP acknowledgement messages before they can exchange data.
The following diagram shows two devices establishing a TCP three-way handshake:
After the TCP three-way handshake has been established between the two devices, they will begin to send data between each other. During a TCP connection, for every message a device sends to a destination, an acknowledgment is expected to be returned indicating the message was successfully delivered. If the sender does not receive an acknowledgment from the destination after a period of time, the sender will retransmit the data until the destination returns an acknowledgment. This is how TCP provides the guaranteed delivery of messages between a source and destination on a network.
To get a better understanding of how devices see the TCP three-way handshake, let's take a look at the following HTTP traffic capture on Wireshark:
- As you can see, the sender (Device-A) with the IP address
188.8.131.52is sending a TCP SYN packet over to Device-B at
184.108.40.206. The TCP SYN message simply informs the destination device that the sender wants to initiate a TCP three-way handshake and exchange some messages.
The following snippet shows the details of packet #1:
- When Device-B receives the TCP SYN message, it will then respond with a TCP SYN/ACK message back to the sender, Device-A, indicating it would like to establish a session and acknowledges the SYN message. In a single packet, both the SYN and ACK flags will be set. We can see this in the following screenshot:
- Lastly, when Device-A receives the TCP SYN/ACK message, it will then respond with a TCP ACK message. This is the final stage in establishing the TCP three-way handshake. From this point forward, for all other messages that are exchanged between Device-A and Device-B, a TCP ACK message is returned to the sender to confirm that the message has been successfully delivered.
Using TCP seems to be the preferred transport-layer protocol, right? To put it simply, TCP has some drawbacks in certain situations and various application-layer protocols. The following are some well-known disadvantages of using TCP:
- TCP has more overhead on a network. For each bit of data sent, an acknowledgment message must be returned. Imagine streaming a video on YouTube. For each message the media server sends to you, your computer has to send an acknowledgment packet back to the server. This additional network traffic will eventually flood and congest the network as more users stream media from YouTube.
- TCP does not work well for time-sensitive traffic types. Traffic types such as Voice over IP (VoIP) and Video over IP rely heavily on the speed of a network to ensure both the sender and receiver are experiencing the conversation in real time. Imagine, during a VoIP call, the sender has to wait for the acknowledgment packets for each message it has sent to the destination before the sender is able to forward more messages to the destination.
Now that you have a clear idea about the functionality and role TCP plays in a network, let's take a look at the features of UDP in the next section.
User Datagram Protocol
UDP is described as a connectionless transport-layer protocol. Connectionless means UDP does not establish any logical sessions between a sender and receiver; it simply sends the messages to the destination without any prior checks like TCP. Imagine you are sending physical mail via your local courier service to a friend. You deposited the letter containing all the proper addressing information at the local postbox. From that point onward, you don't have any tracking information or confirmation of delivery for the letter. What if the person has moved to another location? How will you be notified? Similarly, this is how UDP works. It sends messages without establishing a session and it does not provide a guarantee of delivery.
If you recall in the previous section, TCP will resend a message if the sender does not receive an acknowledgment from the destination. UDP will send messages as quickly as the protocol is receiving PDUs from the application layer, even if the messages are sent out of order. UDP uses best-effort when sending messages across a network.
Both the TCP and UDP protocols are vital to ensure the next protocol, IP, is able to carry the actual data to its intended destination. In the next section, you will learn about the fundamentals of IP.
Without the IP, a device will not be able to communicate across networks. The transport-layer protocols, such as TCP and UDP, support the IP with its delivery of messages between a sender and receiver. IP is the driving force behind all computer-based networks and is used to carry messages between devices.
- IP is connectionless and does not establish a session between the sender and receiver devices prior to forwarding any messages.
- IP also forwards network traffic using best-effort and does not provide any sort of reassurance to the sender that its messages will be successfully delivered to the destination or even in sequential order.
- IP is designed to operate independently from the network media. To put it simply, the contents of an IP packet are not affected by the type of network cabling or radio frequencies that are used at the physical layer of a network.
Now that you have learned about the characteristics of the IP, let's take a deeper dive to learn more about IPv4 addressing schemes and their structure in the next section.
In the early 1980s, IPv4 address spaces were made available to organizations, which enabled them to assign a unique IPv4 address to each device on their network and the internet for communication and the sharing of resources. The Internet Assigned Numbers Authority (IANA) created and manages the IP address spaces for the entire world.
In the computing world, devices are able to understand ones (1s) and zeros (0s), which are commonly referred to as bits. These are physically represented in the form of an electrical signal being high (1) or low (0) on a system. Each device on a network requires a logical address to communicate with one another – this address is an IP address. An IPv4 address has a total length of 32 bits. This address is written in the following decimal format, which most of us are familiar with:
The preceding address is written in decimal format. However, notice how each number is separated by a period (
.). Each of those numbers within the IPv4 address is known as an octet. An octet is made up of 8 bits in the range 00000000 – 11111111. This means an octet ranges from 0 to 255 in decimal notation.
In the IPv4 world, the IANA has designed some addresses that can be allocated for private use, while another group of addresses was allocated for usage on the internet. The private IPv4 addresses are non-routable on the internet. This means any device that has a private IPv4 address assigned to it will not be able to communicate with any device on the public address space, which is the internet.
The following table shows the classes of private IPv4 address spaces:
Each class of private IPv4 address can be assigned to devices on a private network. Additionally, this address space does not have to be unique between organizations simply because they are non-routable on the internet. Company A can implement any of the private IPv4 classes within their network and so can other organizations without creating any issues or conflict.
The following are the classes of public IPv4 address spaces:
The addresses shown in the preceding table are those that can be used on the internet and are routable on public networks. Each device that is directly connected to the internet, such as your firewall or edge router, must be assigned a unique public IPv4 address. The assignment of a public IPv4 address to an organization's edge devices is usually done by their Internet Service Provider (ISP). Keep in mind, the missing IPv4 address spaces shown in Figure 1.16 belong to the IPv4 private address space.
For each class of IPv4 address, there's an associated subnet mask address. The subnet mask has a very important role; it's also 32 bits in length, and helps the computer or device to determine which portion of the IPv4 address is the network portion and which is the host portion.
The following table shows the subnet mask for each class of IPv4 address:
An IP address is made up of two portions: the network and the host portion. The network portion of an IP address is like the community address of your neighborhood – everyone has the same community address as you but your house/apartment number is unique to your residents. The host portion of the IP address is unique to the host device on the network; therefore, overall, the entire IP address is unique on the network.
In the following snippet, you will notice that we have converted both an IP address and subnet mask into binary notation, such that each bit within the IP address and subnet mask is aligned. The 1s in the subnet mask are used to represent the network portion of the IP address, while the 0s are used to represent the host portion:
As shown in the preceding figure, we use a Class C IPv4 address,
192.168.1.10, with its default subnet mask of
255.255.255.0, which allows us to determine the network and host portions of the IPv4 address.
A subnet mask can be written in a shortened version known as a network prefix. The network prefix is a simplified representation of the number of ones in a subnet mask. Therefore, a subnet such as
255.255.255.0 contains a total of 24 ones, so we can represent this subnet mask by simply writing it as
/24. Another example: let's imagine a computer has an IPv4 address of
172.16.2.2 with a subnet mask of
255.255.0.0. This entire address can be represented in the format
If you are interested in learning more about IPv4 subnetting and techniques, be sure to check out this tutorial: https://hub.packtpub.com/understanding-address-spaces-and-subnetting-in-ipv4-tutorial/.
Furthermore, the subnet mask is used to help end devices determine whether the destination for the messages exists on the same network as the sender or on a remote network. The subnet mask is also used to determine the network ID of the sender and compare it with the destination IP address. The network ID is simply the community that a device resides on. If the network IDs of the sender and the destination match, the sender will forward the message to the destination directly by inserting the destination's IP address and its MAC address in the message.
The following snippet shows the routing table on a Windows 10 computer:
If the network IDs of the source and destination do not match, the sender will insert the destination's IP address in the Layer 3 header of the packet and the default gateway's MAC address as the destination MAC address of the Layer 2 header in the frame. Therefore, the sender will forward its message to the default gateway, which will inspect the destination IP address in the Layer 3 header and forward it to the intended destination.
To determine the network ID, the process of ANDing the IP address and subnet mask is required. The following are the laws of ANDing:
1 AND 1 = 1 1 AND 0 = 0 0 AND 1 = 0 0 AND 0 = 0
To apply this technique, let's use an example such as determining the network ID of a computer with an IP address of
192.168.1.10 and a subnet mask of
The network ID is
192.168.1.0/24. This process happens each time the source wants to send a message to another device. It has to determine whether the destination host is on the same network as the source or on another IP subnet.
The IPv4 public address space was destined to eventually be exhausted as more devices came online. This happened a bit sooner than expected. In 2013, it was announced that IPv6 had started making its way onto the internet to support newly connected devices with the new address scheme. On the positive side of things, IPv6 was designed to be lightweight compared to the structure of an IPv4 packet.
An IPv6 address is 128 bits in length and is written using hexadecimal characters that range from 0 to 9 and A to F. The following is an example of an IPv6 address:
A colon (
:) is used to separate the hextets from one another. A hextet is made up of 16 bits, therefore 8 hextets x 16 bits per hextet = 128 bits in total. Unlike IPv4, IPv6 has a lot more available addresses with an approximate value of 10^36 IPv6 addresses in the world. With this large number, there is no need for public or private address spaces in the IPv6 world. Devices are assigned a global unicast IPv6 address that is routable on the internet as a public IPv4 address.
The default subnet mask for an IPv6 address is
/64 bit is the global prefix on IPv6 that corresponds to the network address of IPv4.
Keep in mind that IPv6 and IPv4 exist in two different logical spaces and therefore, they are unable to talk to each other natively. However, various networking technologies and IP services, such as NAT64, tunneling (6to4 and 4to6), and dual stacking, make it possible for devices to communicate on both an IPv4 and IPv6 network.
The Internet Control Message Protocol
Another important network-layer protocol is the Internet Control Message Protocol (ICMP). ICMP is designed to provide error reporting details to networking professionals such that a network administrator or engineer can use various tools, such as ping and traceroute, which utilize ICMP to validate the causes of network connectivity issues. A cybersecurity professional also uses various security tools, such as Nmap, to assist in profiling and determining security configurations on target systems such as end devices and security appliances.
ICMP operates by sending an ICMP echo request message from the sender device over to the destination. Once the destination device receives the message, it will process it and respond with an ICMP echo reply back to the sender. This is an indication that there is network connectivity between the sender and destination devices.
The following diagram shows a visual representation of this concept:
To get a better understanding of how ICMP works, let's take a look at an ICMP packet structure and break down the fields to understand their purpose. The following diagram shows a simplified representation of an IP packet and its respective fields:
The following is a description of each field in the ICMP packet structure:
- IP Header: This is used to indicate the protocol type using an identifier, such that protocol 1 will indicate to the destination that the packet is an ICMP message.
- Type: This is usually a numerical value such as 0 – Echo Reply, 3 – Destination Unreachable, 5 – Redirect, 8 – Echo Request, and 11 – Time Exceeded. Each of these Type codes is used to provide the sender with specific error reporting details about the network connectivity between a source and destination.
- Code: This is also a numerical value, which is associated with the Type value. Code is used to provide more specific details about the type of ICMP message that is sent back and forth between devices on a network.
The following table shows a breakdown of the ICMP Type and Code:
- Checksum: This is used to represent a one-way cryptographic hash value of the entire packet. The hash value is used by the destination device to check the integrity of the packet, such as whether it was modified or corrupted during transmission.
- ICMP Data: This field usually contains additional ICMP information about the packet.
Lab – inspecting ICMP messages with Wireshark
To get a better idea of how ICMP works, let's use the ping utility within the Windows operating system to test the connectivity between your local machine and Google's public DNS servers. Additionally, we will be using Wireshark to analyze network traffic.
To complete this exercise, use the following steps:
- To download Wireshark, go to https://www.wireshark.org/. Once the file has been downloaded onto your system, install it using all the default settings.
- Open Wireshark and double-click on your NIC to begin capturing traffic:
- Once the capture has started, in the Display Filter bar, type
icmpand hit Enter. This will show only ICMP messages on Wireshark, as shown here:
- In Windows, open Command Prompt. Enter the
ping 220.127.116.11command and hit Enter, as shown here:
- Your computer sent four ICMP echo request messages. Each of these messages contains ICMP Type 8 Code 0 details. To inspect this packet, select the first ICMP packet and take a look at the packet details, as shown here:
- Next, select the next ICMP packet. This should be an ICMP echo reply. This packet contains an ICMP Type 0 Code 0 in its details:
- Lastly, click the red square icon at the top left of the Wireshark interface to stop the capture.
Now that you have completed this section, you have gained the fundamental knowledge of being able to describe the functions of each network layer of both the OSI reference model and the TCP/IP protocol suite.
Having completed this chapter, you have learned about the need for a protocol suite on computer networks and the internet. Furthermore, you saw how a message such as a raw datagram is encapsulated with various header information, such as source and destination details, as it is created by an application protocol and passed down to the physical network. Understanding the operations of each network layer will further help you understand various types of vulnerabilities and cyber-attacks in the later chapters of this book.
I hope this chapter has been informative for you and is helpful in the journey toward learning the foundations of cybersecurity operations and gaining your Cisco Certified CyberOps Associate certification.
In the next chapter, Chapter 2, Exploring Network Components and Security Systems, you will learn how to get started with using a cybersecurity approach to secure your assets.
The following is a short list of review questions to help reinforce your learning and help you identify areas that require some improvement. The answers to the questions can be found in the Assessments section at the end of this book:
- Which layer of the TCP/IP suite is responsible for IP addressing?
D. Data link
- Which protocol establishes a session before sending messages to a destination?
- When a device does not know the MAC address of the destination host and wants to send a message, what does the source device do?
A. Sends a TCP message
B. Sends a ping message
C. Sends an ICMP request
D. Sends an ARP request
- Which command on a Cisco router allows you to view the MAC address of a specific interface?
- Which of the following protocols does not operate at the application layer?
- Which of the following protocols is associated with the service port
- Which command can be used to verify the MAC address on a Windows system?
The following link is recommended for additional reading:
- Understanding network port numbers: https://hub.packtpub.com/understanding-network-port-numbers-tcp-udp-and-icmp-on-an-operating-system/