CIS2750 - Securing Information Systems

Chapter 1, Introduction to Computer Security; Chapter 2, Networks and the Internet


This chapter presents a lot of material that I'd have expected in a later chapter, so let's do what we can to get through it. Objectives important to this lesson:

  1. Key concepts
  2. Risk management
  3. Vocabulary
  4. Perimeter defense, layered defense
  5. Research
Chapter 1

Our text begins by describing the technological state of the world, at the time of writing. The author is reminding us that there are more devices in more hands than ever before, and that leads to potential loss of data on those devices. Professionals and non-professionals need to protect their data. We are given a few examples of historic incidents and a caution that the problem of data security only gets worse.

The author tells us that many people do not believe they can have data loss until it happens to them. His caution is that we must secure the barn door before the horse is lost. I will suggest that we also must secure the door in a way that the horse does not open it. Having two horses who have proven that they can open doors, I understand that the system must be secured enough that it cannot be compromised by a part of itself. (In fact, the day he was born my new colt opened a sliding door to the tack room. He is his father's son. Isn't he cute?) We want to make sure that a system will not defeat itself even if it gets the silly idea that its mission now includes doing so.

5 Days Old

It would be good to mention at this point that we can think of information security as having three key requirements:

  • Confidentiality - information should only be accessible to users who have been granted access to it for valid reasons. Only authorized users can access data if it is protected properly, and if authorized users do not violate security policies.
  • Integrity - data may not be changed except by authorized users or processes. This means that data must be protected from alteration, deletion, or other changes that do not take it to its intended form.
  • Availability - authorized users can access data when they need to do so. Availability includes the idea that proper access methods are provided to only to authorized users, not to everyone. It also means, more intuitively, that those who should have access to the data can access it when their jobs require it, without delay.

The author continues with a discussion of assets and risks. Assets can be anything we care about, that we want to protect, that are valuable to our organization. This includes data, equipment, staff, and structures. The author makes a good point, saying that actual asset loss is not the only danger. If your organization is the victim of a Denial of Service (DoS) attack, the attacker seeks to prevent your organization from doing its business. The destruction of your system is one possibility, but the loss of its usefulness puts you in the position of having it held for ransom, which has grown much more common.

Most texts offer a discussion at this point that the author puts off for a bit. The idea is that you must identify your assets before you can identify the risks that can happen to them. If you don't inventory your assets, you can't say that you are protecting all of them. You don't know what "all" means. It's a bit like the image below, taken from another text:

Risk management flow chart

It is easy to misunderstand this graphic. Its lesson is that if you are going to manage risk, you have to commit to identification and control. The process of identification begins with an asset inventory. It continues with classifying assets and assignment of values to them. It only considers things that can go badly at the end of that process.

  • What are the assets?
  • What are they worth? What does it cost to replace them or restore them to use?
  • Are they critical, somewhat necessary, or just nice-to-have?

Note that these steps are the first, second and third things that are actually done in the risk assessment process, all before the risks are even considered. The graphic leads you to think that you conclude a process before you even start it, which is nonsense. Our author glosses over these steps a bit.

This is a set of terms that are commonly used in these discussions. A few definitions will help:

  • Asset - information, property, people or anything else that we care about
  • Threat - a potential form of loss or damage; many threats are only potential threats, but we plan for them because they might happen
  • Threat agent - a vector for the threat, a way for the threat to occur; could be a person, an event, or a program running an attack
  • Vulnerability - a weak spot where an attack is more likely to succeed
  • Exploit - a method of attack
  • Probability of occurrence - the odds that a particular threat will exploit a particular vulnerability successfully
  • Impact - the kind (e.g. money, productivity, customer confidence) and scale (usually expressed in dollars) of loss that an occurrence would have on an organization; a high score here means we should concentrate some of our limited budget on a particular asset
  • Risk - The text for Tactical Perimeter Defense defines this twice, the first time using words it defines later in its list. It is easier to understand the long definition after you look at the items above this one. It says risk is the probability that a particular threat will exploit a vulnerability causing harm to an organization.
    The second version says that we can quantify risk by saying it is the probability of an occurrence multiplied by the impact of that occurrence. Isn't it nice to be able to do math?
  • Control - A process that we put in place to reduce the impact and/or probability of a risk.

On page 5, the author discusses a couple of formulas that are used to calculate projected losses from successful attacks. This is a little brief. The discussion below explains the ideas better. You need to pay attention to each step, and do them all in order.

  • Asset Value (AV): the value that an asset has for the next several calculations; this value may be different depending on the context of its use; if your asset has not been assigned a value, do it now
  • Exposure Factor (EF): the percentage of the value that would be lost in a single successful attack/exploit/loss; this accommodates the idea that an entire asset is not always lost to an attack; look for accepted industry figures for the loss you are calculating
  • Single Loss Expectancy SLE): this is a number that can be obtained by multiplying AV times EF. How much do we stand to lose for one such loss?
    SLE = AV * EF
  • Frequency of Occurrence: this number tells you how many attacks to expect in some time period; this is ambiguous if we are not told whether this is the rate for all such attacks, or the rate for all such successful attacks
    We generally assume that the number given is the rate at which successful attacks occur.
  • Annualized Rate of Occurrence (ARO): often, frequency of occurrence may be expressed in terms of events per day or per hour, but the boss you report to may want the numbers expressed in events per year. This is understandable if, for example, we are talking about establishing a yearly budget for IT Security. Reporting is often done based on calendar or fiscal years, which is another argument for making this conversion.
  • Annualized Loss Expectancy (ALE): this is the big one; the final number stands for the currency value of our expected loss for a given asset in one year; provided you have calculated the numbers so far, ALE equals SLE times ARO.
    ALE = SLE * ARO

The chapter continues with discussion of the four classic answers to the question "What are we going to do about it?" The idea is to identify controls that can reduce or eliminate our risk. The text mentions four control strategies that are often considered. This list has five:

  • Defense - also called Avoidance, this means to use policies, training, and technology to avoid the situations that can be exploited.
  • Transferal - this means to hire expertise when you do not have it, or to pay a fee to another department or organization that is in the business of managing risk
  • Mitigation - this means to reduce the damage that will be done in a successful attack, such as not putting all assets of a given type in the same place, protected by the same defenses
  • Acceptance - this is when you decide that a risk is not as costly to us as the controls that might be used to avoid or mitigate that risk; shoplifting used to be handled this way, but some organizations are finding it too costly
  • Termination - this means that we decide to stop doing the things that put us at risk; we simply stop doing the things that use or produce the assets that a risk applies to

Page 7 gives us a list of threat types. The author expands on them on the following pages. It wouldn't be a computer text if the author didn't split every concept into a dozen others. Skim the list first, then read each section for details that you don't know yet.By the way, the list is not exhaustive.

  • malware
  • security breaches
  • Denial of Service attacks
  • web attacks
  • session hijacking (this one has a lot details to it)
  • insider threat
  • DNS poisoning

The text promises more discussion on these topics in later chapters.

The next section discusses more computer-related terms. It is divided into two parts, Hacker terms and Professional terms. Again, browse this section for what you do not already know, and take it with a grain of salt, some butter, and spread it on a nice roll. Food helps you get through anything. The terms that one person uses may be defined differently by another person, or by the next organization you work for. Make sure you understand what people mean when you read their words or listen to them. Again, the list is not exhaustive. There are more terms added with each change in technology.

The author describes the CIA triangle, which most people do not think of as a triangle. It is just three concepts that define system security. If you are missing any of them you do not have a secure system. In this version of the list, another author has added two more concepts which also make sense.

  • Confidentiality -think of the phrase "need to know" as a measure of this concept; we do not allow access to any resource unless there is a reason for that access
  • Integrity - making sure that no one changes data who has not been authorized to do so; this may be done by imposing limits on access, or by limiting the kinds or level of changes a user is allowed to make, such as restricting a user's view to data they actually own
  • Availability - data must be available to authorized users when they need it
  • Authentication - the security needs of the system must be matched by the level of confidence we have in a user's identity, perhaps requiring multifactor and biometric ID in some cases
  • Nonrepudiation - tracking events and file changes must prove that a particular user took action, authorized access or payment,or simply was on the system; this can include digital signatures being placed on everything a user processes

You can see how a different point of view can keep this from being a triangle. Or at least a non-Euclidean triangle. Rest easy, Mr. Euclid. Sir Isaac had to learn that there are non-Newtonian fluids.

The world is described in more detail, and we learn more about it.

The classic CIA concept defines security from the point of view of IT Security staff. The text explains that an expansion of this concept is called by several names, one being the McCumber Cube. It provides three different perspectives on security, which should be considered together to make better security decisions. This does not mean this tool covers all situations, but we should consider the ones it does cover:

  • IT Security perspective: Confidentiality, Integrity,Availability
    This is the perspective of the IT security staff. How do we protect the information, make sure it is not tampered with, and provide access to those who need it?
  • IT Operations perspective: Storage, Processing, Transmission
    This is the perspective of any IT staff who do not work for the security division. How do we perform the basic IT functions of storing, processing, and transmitting data? Under storage, we should include data collection and data entry.
  • Business perspective: Policy, Education, Technology
    This is the perspective of managers over the core operations of the business. How do we make the rules for employees about protecting information,educate our staff about protecting it, and safely use the technology we have to do our business?
It feels a bit off that the first two bullets above seem to relate to the primary activities of the respective entities, but the third does not. All three perspectives relate to IT security, from the point of view of that entity. Each is different from the others, and each should be considered a necessary aspect of the security process.If you don't consider all three dimensions in you security solution, you run the risk of having it fail one of more kinds of stakeholders.

On a similar topic, the author tells us about two approaches to security. Perimeter defense concentrates on the edges of your network, while layered defense adds to that with defensive measure for each system at risk. A layered defense is usually explained as providing more than one kind of defense wherever possible. This may be what our author would call defense in depth.

The chapter ends with a listing of some security based websites. If you don't have a list of favorites, this list is a good start.

Chapter 2, Networks and the Internet

  1. Understand network protocols
  2. Understand network connection methods
  3. Understand basic network and inter-network hardware
  4. Learn how networks work
  5. Learn basic network troubleshooting commands
  6. Learn the basics of the ISO-OSI network model
Chapter 2

Network Protocols

Let's start with a definition, then build on it. A network can be defined as two or more computers sharing information over a common medium. This can be done a number of ways, and how it is done can be defined by sets of rules for doing it. A set of such rules can be called a protocol. Unfortunately, the word "protocol" also means a particular program that runs on a computer to make information sharing possible. Networked computers run sets of software called suites, and each suite contains many protocols (second definition). Welcome to the rest of your life: a word that has a perfectly good definition will be given another definition by someone who may not have known the first one.

While we're at it, we should consider that the medium used to connect devices may be some form of wire, fiber optic cable, or one or more radio frequencies. Wireless connection is more common on many networks, accommodating users who come and go as needed.

Connection Methods

Let's think about media for a minute or two.

  • twisted pair - come in two types and several grades of each:
    • unshielded twisted pair - UTP does not have an EMI resistant sheath
    • shielded twisted pair - STP has an EMI resistant sheath, but the cable itself is thicker and harder to use
  • coaxial - coax similar to that used for cable TV
  • fiber optic - glass or plastic channels that conduct light, often red laser light

(For the purists among you, I will note that the speed of light through these media is about two thirds the speed of light in a vacuum. (If you don't trust me, check with Neil deGrasse Tyson.)

The graphic on the right shows several twisted pairs of wires. Each wire is covered with an insulator, and the two wires in the pair complete a circuit. These wires suffer from crosstalk, leakage of signal from one pair to another. The twists help cancel out such leaks. The illustration shows a typical UTP cable with eight wires in it, making four pairs.

The wires in each pair are twisted around each other. This type of cable comes in several varieties: two pair, three pair and four pair are common. Also, each variety may be available in grades, such as CAT 1 (Category 1) and CAT 5 (Category 5). There are several such categories, and a major difference between them is the number of twists per running foot in each pair. CAT 1 will have less than 5 twists per foot, CAT 5 will have 25 or more twists per foot (so it is better, and costs more). Note that the better the class of cable, the more bits per second can be passed across it.

Connecting a system with twisted pair wiring is easy. A possible problem is that the wiring closets in any building are often in need of being "cleaned up". The "closet" on each floor of a building contains punch-down blocks, patch panels, and hubs (or switches). Many are disorganized and messy. People who try to clean them up, however, must be careful not to disconnect circuits that are needed.

Comparison factors for UTP:

  • Cost - inexpensive
  • Installation - cheap and easy
  • Capacity - 1 to 100 Megabits per second (Mbps), but 1000 Mbps is common enough (1000 Mbps is a Gigabit per second)
  • Attenuation - nothing is perfect, so this is high (poor)
  • Immunity from EMI - also poor. Recommendation: run UTP lines perpendicular to fluorescent lights to avoid interference from them.

UTP cables are usually connected to devices with RJ-45 connectors. Your text does not show an RJ-45 connector (or any other) very well. In the enlarged picture on the right, note the eight gold-colored connections for the eight wires usually found in UTP cables. The wires are used in pairs to form circuits. 

IBM data connectorAn STP (Shielded Twisted Pair) cable is more expensive than unshielded cable, and is less flexible due to the stiff shielding. The shield, however, makes it more EMI resistant than UTP.It is rarely seen any more, but you should be able to recognize it if you see it in a legacy network.

An IBM Data connector is shown in the graphic on the right.

Coaxial cable is called that because it has two conductors, one wire in center and a conductive sheath around it, that share a "common axis". Most people have seen this style of cable used with cable television. This type of cable was used for many years before UTP and STP were commonly available.

The coaxial line is essentially a single bus, going from one station to the next. At each end of the line, the cable has to have a terminator (a device that prevents signal reflection) on it. At one end, it also has to be grounded. If using thin Ethernet, T-connectors are used. If using thick Ethernet, vampire taps are used. They are called vampire taps because little teeth bite into the cable (to contact the shield), and a big tooth bites deeper to contact the central conductor when you screw the clamp down. Note that the vampire tap provides a place to tap into the cable, and a transceiver to translate between the PC and the network. The workstation also needs a patch cable to connect to the tap.

The factors for Coax:

  • Cost - Relatively low to Moderately expensive (depending on thickness of the cable)
  • Installation - simple to install, hard to modify
  • Capacity - high rates are possible, but 10 Mbps is common
  • Attenuation - high, but less than twisted pair
  • Immunity from EMI - moderate

The connector example on the right shows a typical T-connector with BNC fittings. The fitting on the bottom of the image might attach to a port on a NIC that looks like the barrel on either end of the top of the T. Attachment is achieved by pushing the connector onto the barrel of the port, then twisting the collar of the connector to lock onto the pin that is part of the port. In other words, it mounts like a bayonet onto a rifle.

The next (enlarged) picture shows a BNC connector attached to a thin Ethernet cable. Such a connector would be used to attach to one of the T-connector barrels in the photo above. The other end of the cable would run to the next node on the network. (Making a continuous electrical bus connecting all devices in a given network segment.)

Fiber optic can be glass or plastic, and is meant to conduct light instead of electricity. The conductor is sometimes called a wave guide, and is covered with cladding, a material to reflect the signal back into the center of the conductor. Two configurations exist. Loose configuration has a liquid filler between the outer sheath and the conductor. Tight configuration has wire or stiff fibers around the conductor to add strength to the cable.

Fiber optic comes in two modes: single mode conducts a single signal, while multi-mode conducts many signals simultaneously. You may want to know that the most common type used is 62.5 micron core with 125 micron cladding, which is multi-mode.

Fiber optic is much harder to install and splice than electrical conductors. This type of connection requires two connectors for each station, a line in and a line out.

The factors for fiber optic:

  • Cost - Expensive, mostly for installation
  • Installation - difficult
  • Capacity - 100 Mbps at up to 20 kilometers per segment
  • Attenuation - very low
  • Immunity from EMI - immune. This is light, not electricity.

Ethernet hubs are not recommended except in very small networks. The term concentrator is often used for a hub, since the hub is used to collect connections at one point. Unfortunately, switches are also called concentrators for the same reason. Two types of hubs are worth knowing:

  • passive hub- a passive hub connects devices all devices that are plugged in to it, but does not regenerate outgoing signals
  • active hub - an active hub connects devices, and does regenerate signals. Regeneration reissues an incoming signal at full strength to all connected devices. It includes error correction, when possible.

Let's skip ahead to explain the differences between a hub, a switch, and a router.

  • Hubs and switches are network devices. They connect devices to networks. No one buys hubs any more. Switches are better. They can pass multiple signals to multiple devices at the same time, as long as the connections are to different devices. Hubs can't do that.
  • Routers are inter-network devices. They connect networks to other networks.
  • Repeaters are electrical compensators. Every kind of cable medium has a maximum effective length. UTP, for example is good up to 100 meters. As you approach that limit, you can use a repeater to send a new copy of the original signal onto the next run of cable.

It may be redundant to remind you that wireless media means that there is no cable of any sort between certain parts of the network. (There are still wires inside lots of components). Cell phones are wireless equipment. So are wireless access points, and anything else with a wireless network interface card in it.

Radio is the label used for frequencies from 10 KHz to 1 GHz. Several bands are used. Frequencies that are used for networks can be divided into regulated and unregulated frequencies. Only a few frequencies are unregulated in the United States. It is not possible to guarantee error free transmission in the unregulated frequencies. This is because anyone else can broadcast in those frequencies, causing errors in your transmissions. For this reason, broadcasts are usually limited to low power in unregulated bands, to minimize interference.

Three types of radio usage:

  • Low power, single frequency
  • High power, single frequency
  • Spread spectrum (multi-frequency)

The comparison factors for wireless media are different from those for wired media. The factors for low power, single frequency:

  • Frequency range - any frequency available, usually in the upper GHz
  • Cost - moderate
  • Installation - easy if using a preconfigured antenna
  • Capacity - 1 Mbps, sometimes up to 10 Mbps
  • Attenuation - relatively high
  • Immunity from EMI - low (poor) immunity.

The factors for high power, single frequency:

  • Frequency range - any frequency available, usually in the upper GHz
  • Cost - moderate, towers and repeaters increase the cost
  • Installation - complex
  • Capacity - 1 Mbps, sometimes up to 10 Mbps
  • Attenuation - relatively low
  • Immunity from EMI - low (poor) immunity.

Spread spectrum radio usage puts the incoming data stream on several frequencies at once. This discourages eavesdropping. Using direct sequence modulation, the signal is put on several frequencies, some of which may contain false signals. Using frequency hopping, the frequency being used is changed on a preset pattern, which the sender and receiver know. The factors for spread spectrum:

  • Frequency range - any frequency available, usually in the upper GHz
  • Cost - moderate
  • Installation - simple to moderately complex
  • Capacity - 2 Mbps to 6 Mbps
  • Attenuation - relatively high
  • Immunity from EMI - low (poor) immunity, but better immunity from eavesdropping

Microwave signals are used in two formats: terrestrial (earth-based) and satellite systems. Terrestrial systems are used in line of sight connections where it is not possible to put a wire, such as across several city blocks. The factors for terrestrial microwave:

  • Frequency range - 4 to 6 or 21 to 23 GHz
  • Cost - moderate to high
  • Installation - difficult
  • Capacity -1 Mbps to 10 Mbps
  • Attenuation - relatively high, varies with weather
  • Immunity from EMI - low

Satellite systems are used to connect sites that are widely separated. Usually, signals are sent to geosynchronous satellites, orbiting 22,300 miles above the earth. This orbit puts the satellite in the same part of the sky relative to a ground based observer at all times. The factors for satellite microwave:

  • Frequency range - 11 to 14 GHz
  • Cost - high
  • Installation - very difficult (Yes, someone has to be a rocket scientist.)
  • Capacity -1 Mbps to 10 Mbps
  • Attenuation - relatively high, varies with weather
  • Immunity from EMI - low

Infrared systems come in two types: point-to-point and broadcast. Point-to-point systems are like the remote controls we use for televisions. Some systems also use lasers. The factors for point-to-point infrared:

  • Frequency range - 100 GHz to 1000 THz
  • Cost - low to moderate
  • Installation - moderate to difficult
  • Capacity - 1 to 16 Mbps
  • Attenuation - varies with weather and light purity
  • Immunity from EMI - moderate

Broadcast infrared systems are used in single room settings, as these waves will bounce off walls, but not penetrate them. The advantage is that you can put a system in each room where required, and the users may move their machines around as they like. The factors for broadcast infrared:

  • Frequency range - 100 GHz to 1000 THz
  • Cost - low
  • Installation - simple
  • Capacity - up to 1 Mbps
  • Attenuation - high
  • Immunity from EMI - low

A lot of things happen on a network, and it is easier to think about those things in terms of a model, especially one that is made of logical parts. Our book tells us about the OSI model, which is introduced nicely in this video by Eli the Computer Guy. Trust me, he explains it in terms of what a professional uses it for and what it is good for.

The Internet was developed before the ISO-OSI model. The model used to construct it was the Department of Defense (DoD) model. The Department of Defense was instrumental in the construction of the Arpanet (Advanced Research Projects Agency Network), which became the Internet.

The DoD model is like a condensed version of the OSI model. The chart below shows how the two models relate to each other.

DOD and ISO Models
Functional Description DoD Layers OSI Layers
Upper Layer Processes Process/Application 7 Application
6 Presentation
5 Session
Reliable Connections Host-to-host 4 Transport
Internetwork Connections Internet 3 Network
Network Access 2 Data-Link
1 Physical

The four layers of the DoD model map to all the topics found in the OSI model. If you understand the OSI model, you already understand what's in the DoD model.If you don't understand the OSI model, you need to learn it. Play some more of Eli's video on it.

Page 36 begins a discussion of some of the major wireless protocols and security measures used since 1997.Security measures are notorious for needing periodic updates. As time goes by, old security protocols become easy to crack. Be ready to update them.

The discussion continues to include the TCP/IP Suite of protocols. Several are mentioned along with the ports generally associated with them. A port, in this case, is a numbered memory location associated with a program. There is also a good chart on the Wikipedia page behind that last link that mentions which layers in various network modes use this suite.

Port Service Service works with...
20 FTP, data TCP
21 FTP, control TCP
23 Telnet TCP
110 POP3 UDP

The chapter has a quick lesson on IPv4 addressing, as well as a method for converting a base 10 (decimal) number to a base 2 (binary) number. The method is a little short and unclear. The author does not explain where to start writing your 1s and 0s. If it strikes you the same way, try this one.

To pass some certification tests, you will need to be able to convert decimal notation to binary notation and vice versa. You will need to know a conversion method to pass the test that uses only pencil, paper, and what you know. A byte is generally understood to have 8 bits. Like decimal notation, the position of a bit in a number determines what its value represents. We assume that any number you convert to binary will be a number equal to or less than 255. If all the bits in a byte were turned on (set to 1) that byte would represent the number 255, the sum of all the position values.

Values of Positions in a Byte
Bit position: 7 6 5 4 3 2 1 0
Value of Position (if a 1 is in it): 128 64 32 16 8 4 2 1

When you convert a decimal number to binary, do a series of subtraction problems, one for each position in the byte, starting from the left. For example, let's convert 175 to binary.

  1. Ask yourself this question for each bit position: Can I subtract the place value of this bit from the current number? You must be able to do it without getting a negative result. Remainders are okay.
    So, can you subtract 128 (the left-most bit position value) from 175 (our current number)? Yes, you can. So you write a one in the 128 bit position, and do the math: 175 - 128 = 47.
  2. Can you subtract 64 from 47? No, so you write a zero in the 64 bit position.
  3. Can you subtract 32 from 47? Yes, so write a one in the 32 bit position, and do the math: 47 - 32 = 15.
  4. Can you subtract 16 from 15? No, so you write a zero in the 16 bit position.
  5. Can you subtract 8 from 15? Yes, so write a one in the 8 bit position, and do the math: 15 - 8 = 7.
  6. Can you subtract 4 from 7? Yes, so write a one in the 4 bit position, and do the math: 7 - 4 = 3.
  7. Can you subtract 2 from 3? Yes, so write a one in the 2 bit position, and do the math: 3 - 2 = 1.
  8. When you have 1 left, write a one in the 1 bit position. This will always be done for odd numbers.
    If there is no remainder at any of the steps, write a zero in each of the remaining bit positions.
Conversion to Binary
Bit position: 128 64 32 16 8 4 2 1
Conversion of 175 (above) 1 0 1 0 1 1 1 1

We will talk about hexadecimal numbers another time.

If you are not aware of it, all IPv4 addresses have two parts: a network address, and a host address. You know what a network is. A host is any device attached to an IP network that has its own address.

Subnet Masks

Subnetting works by borrowing bits from the host portion of an address, and using those bits to identify subsections of your network. The use of borrowed bits only works because of subnet masks. A subnet mask tells hosts on a network which bits in an address are network address bits and which bits are host address bits. It does it by the use of 1s and 0s. Consider the table below:

Subnet Masks for Classes A, B, and C

Decimal Mask Binary Mask
Class A 11111111.00000000.00000000.00000000
Class B 11111111.11111111.00000000.00000000
Class C 11111111.11111111.11111111.00000000

Network devices read a mask to learn how to interpret addresses. Address positions marked by 1s in a mask are considered network address positions. Address positions marked by 0s in a mask are considered host address positions. Another way of saying this is that certain address bits are considered to be network address bits and the rest are considered host address bits. The actual method used involves Boolean math, but understanding it is not critical to understanding or using the concept. When a device reads an actual IP address, the rule from the subnet mask is applied, and the device understands which bits are the net address and which are the host address.

If you need another metaphor, think about this one. A router on a class C network might receive traffic bound for device When received, that address would look like this:
(No dots. Computers don't put dots in addresses.)

A subnet mask is like a filter that only shows a portion of an address to a device. Routers only care about the network portion of an address. Imagine a pair of glasses that has one red lens and one blue lens. Imagine that the subnet mask colors all the bits of an incoming address so that the network bits are red and the host bits are blue. On a class C network, the subnet mask is, so the address would look like this:

The router would look at the address through a filter that would show it only the network address portion. This would be like looking through the blue lens, hiding the host portion of the address.

If this traffic were received by a device that cared only about the host portion of the address, it would be like looking through the red lens.


By borrowing one bit, two subnets are theoretically possible. However, as a general rule, subnet numbers using all 1s and all 0s are not used, so borrowing one bit will usually not yield any usable subnet addresses. This is why the traditional formula for number of usable subnets is:
2N - 2 = number of subnets (where N is the number of bits borrowed).

Your text tells us that this limitation can be overcome with Cisco routers, but does not explain it for several pages. The router command to accomplish it is IP subnet-zero. This command allows us to borrow one bit, so this would eliminate the need to subtract 2 from the number of possible subnets.

Assume we borrow two bits in each of the three classes above. Borrowed bits are shown in red in the resulting subnet mask numbers below:

Subnet Masks if Borrowing 2 Bits

Decimal Mask Binary Mask
Class A 11111111.11000000.00000000.00000000
Class B 11111111.11111111.11000000.00000000
Class C 11111111.11111111.11111111.11000000

Note that the subnet masks above do not match the standard masks from the previous table. The standard masks are classful masks, because they match the intended use of class address schemes. The masks above are classless, because they do not match any network class.

Be aware that routers on the Internet only use the network bits of an address for routing. Routers connecting subnets within a network must use the network, subnet, and host bits for routing. For devices that understand it, you can override an existing subnet mask with CIDR notation. A transmitted address can be followed by a forward slash (/) and a decimal number signifying how many digits in that address identify network information. In the subnet examples in the table above, the CIDR notations would be /10, /18, and /26.

The author spends half a page discussing IPv6. This should be a whole chapter. I will not torture you with it at this time.

Moving on to useful utilities on page 49, the text discusses several utilities found on most Windows and UNIX workstations..

  • arp - ARP stands for Address Resolution Protocol. In standard Ethernet networks, machines may communicate inside the network with their MAC addresses. Communications across networks are more likely to use IP addresses. An ARP cache is a table that lists the IP addresses and MAC addresses of devices on a network. This table is consulted to change from one kind of addressing to the other. For example, I have just issued the command
    ARP -a
    to my workstation. It has responded with the contents of its ARP cache: its own IP and MAC addresses, and those of my default router.
  • hostname - This command will respond with the name of your device in your domain.
  • ipconfig - shows useful information on Windows NT and later machines, like the IP address, default router, and subnet mask. More information is shown if the command is entered as
    • ipconfig /all
    • ipconfig /release will release the currently held IP address to the DHCP server that gave it
    • ipconfig /renew will obtain a new lease from the DHCP server for an IP address
  • winipcfg - Like a light version of IPCONFIG, found on Windows 95, 98, and Me computers.
  • ifconfig - a Linux command that can be used to view or configure the network interface settings for a workstation
  • nbtstat - The name of this utility is NetBIOS over TCP/IP Statistics. Not very enlightening. You need to know that your computer will typically hold the names and IP addresses of several devices in memory. Sometimes those devices go offline, and others come online. This may make it desirable to check what is in memory:
    nbtstat -a
    or tell the computer to reload this information from standard sources:
    nbtstat -R
    (Note that the case of the letter R in the command above is required to be capital.)
    nbtstat IP_address This version lets you check the tables in memory of the device specified by the IP address
  • netstat - Can be used to view the status of current connections using TCP, UDP, ICMP, and IP. The status messages are a bit cryptic, so you will want to keep a reference for them handy when using this command.
  • nslookup - This can be used to report the IP address of a DNS name. It does not send a ping to the named device. This command checks what is stored in your DNS server about the name in question. A response to the command may take this format:
    Server: server name
    Address: IP address
    Name: DNS name
    Address: IP address
    The first pair of responses are about the DNS server on your network. The second pair are about the DNS name you are looking up. When I tried this with nslookup., I received two IP addresses in the line about Microsoft's server. Not unexpected, since a busy network will have more than one server responding to requests.
  • DIG - used on Linux and Windows platforms, but must be installed on a Windows platform. The link provided goes to an IBM site that tells us DIG stands for Domain Information Groper. It digs information out of a DNS server. Think of it as a tool for troubleshooting DNS servers and services.
  • ping - can be issued on a command line, and has an extensive list of options. Usually, the options are unnecessary. You can ping the address, which stands for the IP stack on the machine you are using. You may also want to ping the IP address you think you have, with your network cable unplugged. Pinging the local loopback proves you have a working IP stack. Pinging your actual address, when unplugged, proves you have that address.
    Be aware that you can ping an IP address or a DNS name.
  • tracert (Linux: traceroute) - This command will show how long each link in a route takes, as well as showing links that fail to pass packets to the next link. Successful transfers of data will report the total time to the destination. You can limit the trace to a specific number of hops with the command
    tracert -h hop_limit
    where hop_limit is a number.
  • route - all devices on an IP network have routing information tables in their memory. ROUTE allows you to view that information, and to modify that information. The reason you would want to modify it is you need to do so when routing tables are static and they need to be changed.

The author finally gets to a discussion of the OSI model at the end of the chapter. It is not much. I remember a class that had a separate chapter about each of the seven layers of the model. The rest of the notes for this chapter are from another, more complete book.

The seven layers of the model are usually written in a list, numbering the top as layer seven and the bottom as layer one.

Layer Number ISO Layer Functional Description
7 Application services and programs
6 Presentation translation across networks
5 Session setting up and ending connections
4 Transport guarantee delivery
3 Network find other networks
2 Data-Link media access
1 Physical wiring, bit transmission, sending and receiving network signals

Several mnemonic sentences exist to help us remember the proper order. I recommend "Please Do Not Throw Sausage Pizza Away", because this is in the correct numeric order (bottom to top, 1 to 7). If you want one that goes from top to bottom, try "All People Studying This Need Drastic Psychotherapy".  On any certification test that covers this model, you MUST remember the correct order, the correct numbers, and the correct details for each layer.

The processes that happen in each layer communicate with the next layer. Which way is next, up or down? It depends whether data is being passed out of the stack (down) or into it (up). Typically, a computer generates a request starting at the top layer, and working down. The request is passed across the network (probably to a server) and the received request is passed up the layers. When a response is generated, the process reverses.

Traffic on a network is broken into packets, smaller message units that are transmitted more easily on a network. Each packet must hold at least two addresses: that of the sender and that of the recipient. They also hold data, and numbers that tell the receiving device how to reassemble the pieces of the message. Chapter 2 is mainly about one network model, the ISO-OSI model, which is a logical (as opposed to physical) model that explains how networks handle their packets and perform other useful functions. The text only calls this the OSI, or Open Systems Interconnect model. ISO, the International Organization for Standardization, is another trade association that sets standards for the computer industry. Note that ISO is not an acronym. It is based on the Greek word isos, which means same, and stands for their goal of standardization.

The ISO-OSI model gives us a framework for discussing what happens on a network, and what happens at specific devices. So, we can start explaining the model by telling you some of the things associated with it.

  1. In the Physical layer, we pick a communications medium, which is usually UTP (unshielded twisted pair) cable, because it is inexpensive, easy to use, and it works well. The author mentions hubs in this layer. A hub can also be called a concentrator, because it is where lots of wires come together (concentrate). Another author confuses the description by saying that a hub is like a telephone switchboard, which most of you have probably never seen, but Wikipedia has decent pictures. A hub is like a switchboard in that lots of wires from different devices come together there. It is also NOT like a switchboard, in that any signal sent into a hub will come out on ALL the other wires. On a telephone switchboard, like those shown on Wikipedia, a telephone operator determined what circuit you needed to be connected to, made the connection, and your signal only went on that circuit. That's why we don't use hubs any more: we use switches, which do what the operator did.

    A lot of other topics are covered by the physical layer of the OSI model. In the chart below, you can see that this layer has more topics that any other. We may talk about them more as we go along.

  2. The Network Interface Card (NIC) can be used as a reason to go to the Data-Link layer. Network cable connects to the NIC, which connects a computer to the network. NICs belong on the Data-Link layer because they have addresses that are hard coded (burned in) to them. This kind of address is also called a physical address, but that does not place the NIC on the Physical layer. A better name for the address is a MAC address, because the address is used for Media Access Control, which has to do with how devices share the medium. Before we can make them share, we have to tell them apart, so we use addresses. The text shows an example of a MAC address written two ways: as twelve hexadecimal characters with no breaks, and as six pairs of hexadecimal characters with hyphens between them. (Sometimes they use colons instead of hyphens.) The paired format is easier to read, and if you see a lot of them, it makes it easier to notice that the first six characters in a MAC address identify a manufacturer. (Large manufacturers have lots of six character sequences assigned to them.)

    Computers and NICs may send signals with electricity, light, or radio waves. From there, we can turn to a new idea: frames. I already said that we break signals into packets. Well, you should know that we also collect data into usable clumps or clusters and call them by different names on different layers. On the Data Link layer, where NICs live, those clusters are called frames. Many frame types have been created over the years. For any two devices on the same network to communicate, they must send and receive frames of the same type. (Devices that connect one network to another can translate frames from one type to another.) One year I ran into several new computers that were configured with a default frame type (802.3) that was not the type our network used. Guess what? Users could not log in to the network on those computers until they were reconfigured to use Ethernet II frames. Once I diagnosed the problem, I told my staff what to do, and it was a ten minute fix for every device that had the problem.

    In most networks,
    every device on a network can see every frame that is transmitted on it. There are exceptions, especially when we start breaking networks into subnets, but in this simple example the statement is true. The point is that a frame is usually addressed to a particular NIC, because frames use MAC addresses. (They hold the MAC address of the sender and the receiver.)  Because of this, only the device whose MAC address matches a frame will process that frame. There are two exceptions to this rule. First, as the author explains, a frame sent to the broadcast address (FF-FF-FF-FF-FF-FF) of a network. will be processed by all devices. That address, by the way, is the broadcast address for frames on any network, not just a particular one. In the second case, a network admin may set the NIC on device to work in promiscuous mode, which means that it processes all frames, which is useful in monitoring activity on a network.

    Regarding the broadcast MAC address, that address can be used to make a general request to all devices on a system, asking them to respond with their MAC addresses and some kind of device name. There are several systems of naming, which we will see in a later chapter.

    The Data Link layer used to be the only OSI layer with sub-layers. Wireless networking has caused us to add sub-layers to the Physical layer as well. The sub-layers are the MAC sub-layer and the LLC sub-layer. Several topics that belong there:
    • MAC sub-layer
      • Logical Topology - 2 methods:
        • Bus - passes frames to all devices at once
        • Ring - passes frames from one device to the next in a circular path
      • Media Access - 3 methods:
        • Contention - devices transmit when they need to, if the line is clear
        • Token Passing - devices take turns transmitting
        • Polling - devices are asked if they need to transmit
      • Addressing - 1 method:
        • Physical Device Address - the MAC address
    • LLC sub-layer
      • Transmission Synchronization - 3 methods:
        • Synchronous - devices send markers for signal timing in each conversation
        • Asynchronous - devices send markers for signal timing in each frame
        • Isochronous - devices use a common network timing signal
      • Connection Services - 3 methods:
        • Unacknowledged Connectionless - no guarantee of delivery
        • Connection Oriented - guaranteed delivery
        • Acknowledged Connectionless - usually point-to-point, so connection services not needed
    • Data cluster type: Frames

  3. When the world was new and there were only four computers that were about to be connected to what would become the Internet, the kind of networking that only used layers 1 and 2 may have been enough.

    When it was first turned on (1969), the ARPANET connected computer networks at only four locations: UCLA, Stanford University, UC Santa Barbara, and the University of Utah. When the first message was sent on it, the connection failed before the first word was completely sent. Things got better.

    As soon as it became a goal to connect separate networks together, the ARPANET planners knew it would be necessary to use a method that named networks as well as the devices on them. Several methods of accomplishing this have been devised by different vendors. The method that has become dominant is the one that is used on the Internet, IP addressing.

    In this section about the Network layer, the author tells us that TCP and IP are only two protocols out of a much larger suite of protocols. Internet Protocol (IP) is used for an addressing scheme that includes a reference to an individual device, and to the network it is on. IP lives on the Network layer, Layer 3. On an IP network, each device (node) is known as a host, and every host must have an address.

    The addresses we discuss first are actually IP version 4 addresses. (IPv6 addresses are 16 bytes, or 128 bits long.) IP version 4 addresses are numeric addresses, stored as four bytes, which is equal to 32 bits. For example: an IP v.4 address might be Each of the four numbers is held on one byte, which means no number can be bigger than 255. IP addresses contain two parts: one part of the address identifies the network a host is on, and the other part identifies the host itself. Every network is assigned an address which could take up one, two, or three bytes, depending on the class of the network (A, B, or C). The remaining byte or bytes are typically used for hosts on networks. (It gets more complex: this is how we start.)

    In the example above, the 10 (in the first byte) might be the network identifier, or it might be the 10 and the 45 (in the first two bytes) or it could be the 10, the 45,and the 17 (in the first three bytes), depending whether we are treating this network as a class A, B, or C network. Or we could treat it as a classless network, in which case it gets messy. We'll worry about that later.

    IP addresses, and any addresses associated with the Network layer, are logical addresses. This means they are not permanently associated with a piece of hardware like a MAC address and a NIC. A logical address is assigned to a device, by an administrator, by a user, or by a network device assigned to do so. The text shows a picture of a router on page 24, which appears to be a typical consumer device you might buy from most electronic stores. This is an example of a device that would assign an IP address to any other device that is connected to one of its switch ports. It does so because it acts like a switch (connecting devices on a small network), like a router (connecting your network to your Internet Service Provider's network), and like a Dynamic Host Configuration Protocol (DHCP) server, which is a device or program that assigns IP addresses to devices on a network. The DHCP service makes note of the MAC address of each device it gives an IP address to, to make sure it does not give out the same IP address to two currently connected devices. Giving the same address to two devices would keep at least one of them from being able to use the network.

    Imagine the diagram below as the stack of protocols being used to send a signal out onto the Internet.
    • As I prepare this signal to go, I start at the Application layer, where the message is packaged by Application layer rules, then passed down to the Presentation layer.
    • The Presentation layer receives the message,  repackages it as needed by its rules, keeping the information from the Application layer inside the packets it makes, then hands its packets off to the Session layer.
    • The Session layer negotiates a connection with the next machine it needs to send to, which it does while it takes the received Presentation packets and repackages them as Session packets. These are handed off to the Transport layer.
    • The Transport layer continues the pattern: add your magic, wrap it around the received packets, and put them all in your own message units called segments. The segments are handed off to the Network layer.
    • The Network layer continues: it does its thing, adds IP addresses for source and destination, rewraps the segments as datagrams, and hands them to the Data Link layer.
    • The Data Link layer does not change what is in the datagrams, but it adds MAC addresses for source and destination. (Some real magic happens here. If the author never gets to it, I will tell you later.) The datagrams are re-wrapped as frames, and they are pushed to a network on the Physical layer.
    • The Physical layer takes the frames, which are perceived as a stream of bits, moves them as needed to the next device, again and again, until the stream is processed by a NIC on a receiving machine, which may be the final destination or a router along the way.

      That's what happens, from layers 7 through 1, in the machine sending a message. On the final destination machine, the received message is processed through the layers from layers 1 through 7, until the message is received by a program that knows what to do with it. That is why there are IP packets inside the frames that the Network layer opens. They were put there by the Network layer processes of the sending machine. And this is why we usually explain this process from the top down instead of from the bottom up.

  4. Layer 4 is the Transport layer. Its data units are called segments, and one of the processes of this layer is called segment development. What that means is actually simple: large messages that won't fit in one segment are broken down and the pieces are placed in two or more segments. Sometimes a message is very small, in which case the segment it is placed into would not be full. Segments are required to be full, so for those segments extra bits are generated to be used as filler.

    The text tells us that the segments of a larger message are given numbers so they can be reassembled at their destination. This is not unique to this layer. Any layer that packages things into packets does the same thing.

    The text does not mention that the TCP protocol operates on the Transport layer, which makes this layer associated with the word reliable. The author almost says this in the last sentence in this section. What he means to say is that if a packet is lost or received in a damaged state, a replacement copy of the packet is requested. This is one aspect of reliable, guaranteed delivery.

  5. Layer 5 is the Session layer, which the text explains as being useful when any device is doing more than one thing at a time on the network. Have you ever had two browser windows open at once? When you click something in one of those windows (or tabs), how does the computer know where to put the response to that click? Each of those windows is assigned a different session ID, which is used in any requests that are sent from it. This assignment of session IDs takes place for other kinds of connections as well, for any program that establishes a connection to a service across a network.

  6. Layer 6 is the Presentation layer, which some authors seem to think does nothing, since all files are stored in common formats in the 21st century. I think those authors and I had different teachers for this course. Files can still be stored by different methods on mainframes as opposed to PC based servers, bytes can still be sent across a wire most significant digit first or last, and most importantly files can be encrypted. Encryption services live on the Presentation layer.

  7. The Application layer is layer 7, the top layer in the OSI model. The author makes the point that this layer is about the network interfaces that exist so that application programs can use network services, like file service, print services, and message services.
DoD layer name
(and TCP/IP name)
OSI Layer name Topics & Methods
Process/Application layer
(Application layer)
(layer 7)
  • Network Services
    • File services
    • Print services
    • Message services
    • Application services
    • Database services
  • Service Advertisement - how services become known
  • Service Use - how services are obtained
  • Data cluster type: Messages
(layer 6)
  • Translation - bit translation, byte translation, character code translation, file translation
  • Encryption - cipher, private key, or public key
  • Data cluster type: Packets
(layer 5)
  • Dialog Control - simplex, half-duplex and duplex
  • Session Administration - connection establishment, data transfer, and connection release
  • Data cluster type: Packets
Host-to-Host layer
(Transport layer)
(layer 4)
  • Address/name Resolution
  • Addressing
  • Segment Development - breaking large messages into segments,
    combining small messages into segments
  • Connection Services
  • Data cluster type: Segments
Internet layer
(Internet layer)
(layer 3)
  • Addressing - network addresses. 2 methods:
    • Logical Network
    • Service
  • Switching - route creation for packets, messages and circuits. 3 methods:
    • Packet switching
    • Message switching
    • Circuit switching
  • Route Discovery - finding a route. 2 methods:
    • Distance vector
    • Link-state
  • Route Selection - choosing a route. 2 methods:
    • Static
    • Dynamic
  • Connection Services - flow control, error control and packet sequence control. 3 methods:
    • Network-layer flow control
    • Error control
    • Packet sequence control
  • Data cluster type: Datagrams
Network Access layer
(Link layer)
Data Link
(layer 2)
  • MAC sub-layer
    • Logical Topology - 2 methods:
      • Bus
      • Ring
    • Media Access - 3 methods:
      • Contention
      • Token Passing
      • Polling
    • Addressing - 1 method:
      • Physical Device Address - the MAC address
  • LLC sub-layer
    • Transmission Synchronization - 3 methods:
      • Synchronous
      • Asynchronous
      • Isochronous
    • Connection Services - 3 methods:
      • Unacknowledged Connectionless
      • Connection Oriented
      • Acknowledged Connectionless
  • Data cluster type: Frames
(layer 1)
  • Connection Type - 2 methods:
    • Point-to-Point
    • Multipoint
  • Physical Topology - 5 methods:
    • Bus
    • Ring
    • Star
    • Mesh
    • Cellular
  • Digital Signaling - 2 methods:
    • Current State
    • State Transition
  • Analog Signaling - 2 methods:
    • Current State
    • State Transition
  • Bit Synchronization - 2 methods:
    • Synchronous
    • Asynchronous
  • Bandwidth Usage - 2 methods:
    • Baseband
    • Broadband
  • Multiplexing - 3 methods:
    • Frequency Division
    • Time Division
    • Statistical Time Division
  • No data clusters, just bits

You should know some things about hubs, switches, and routers.


Think about it like this. A switch is a networking device: it allows hosts to connect to your network. A router is an internetworking device: is allows your network to connect to another network. A hub does a job that is similar to what a switch does, but it does not allow more than one transmission at a time across all the devices connected to it.

  • A hub is a device that has several RJ-45 ports. You can plug in as many devices as you have ports, then every signal that is transmitted by any device that is plugged in to that hub will be passed on to the rest of the devices plugged in to that hub. Some hubs can retransmit (amplify) the signals, but none of them decide where to send a signal. Any incoming signal goes back out all ports except for the one the hub received the signal on. This means only one of those devices can transmit at any given time.
  • A switch learns which devices are reachable on which ports by noticing the sender's MAC address on each incoming packet and making a list, called a Source Address Table (SAT). If a switch knows that a message is meant for a device connected to port 7, that's the only port that signal will be sent through. All other ports are available for other traffic. This is much more efficient. It should be clear that switches increase the bandwidth inside a network by connecting only the devices that need to be connected at any given moment.