ITS 4550 - Fraud Prevention and Deterrence

Chapter 2, TCP/IP Review

This lesson presents material from chapter 2. Objectives important to this lesson:

  1. The ISO-OSI network reference model
  2. Details about the seven layers

Chapter 2

The text begins by referring to the ISO-OSI Reference Model by only a portion of its name. Many people have been taught to call it the Open Systems Interconnect model, which is correct, but it is only part of the story. The ISO part is that it was created by the International Organization for Standardization. Yes, I know that the three letter acronym does not match the name. Maybe that's why some people stopped mentioning it. Maybe some people were never taught it. Lucky you, I have been doing this long enough that I know about it. At some point in the past, this rather important organization decided just to call itself ISO, which is the Greek prefix for "equal", which makes sense for an organization that promotes standards.

This chapter is called a review, so it assumes you already know this model. If that is so, we can cover most of it in less time. (If that is not so, follow this link to a more detailed discussion of the material. Yes, really. You need to learn this sometime.)

The seven layers of the model are usually written in a list, numbering the top as layer seven and the bottom as layer one.

Layer Number | ISO Layer    | Functional Description
-------------|--------------|-----------------------------------------------------------------
7            | Application  | services and programs
6            | Presentation | translation across networks
5            | Session      | setting up and ending connections
4            | Transport    | guarantee delivery
3            | Network      | find other networks
2            | Data-Link    | media access
1            | Physical     | wiring, bit transmission, sending and receiving network signals

Several mnemonic sentences exist to help us remember the proper order. I recommend "Please Do Not Throw Sausage Pizza Away", because this is in the correct numeric order (bottom to top, 1 to 7). If you want one that goes from top to bottom, try "All People Studying This Need Drastic Psychotherapy". On any certification test that covers this model, you MUST remember the correct order, the correct numbers, and the correct details for each layer.

In the chart above, I have given each layer a different color. However, layers 1 and 2 are shades of green, layers 3 and 4 are shades of blue, and the upper three layers are related shades of yellow and orange. The reason is that layers 1 and 2 are typically related to hardware, layers 3 and 4 are related to finding networks and passing traffic across them, and the upper three layers are related to the user and the applications being used by the computer the user is operating. The text points out that the distinction about layers 1 and 2 is less accurate when using virtual devices, but there is actually still hardware involved someplace.

The processes that happen in each layer communicate with the next layer. Which way is next, up or down? It depends whether data is being passed out of the stack (down) or into it (up). Typically, a computer generates a request starting at the top layer, and working down. The request is passed across the network (probably to a server) and the received request is passed up the layers. When a response is generated, the process reverses. The path through the layers of a response resembles the path followed by the original request. Let me explain it better.

Imagine the following list of steps as a stack of protocols being used to send a signal out onto the Internet.

  • As I prepare this signal to go, I start at the Application layer, where the message is packaged by Application layer rules, then passed down to the Presentation layer.
  • The Presentation layer receives the message, repackages it as needed by its rules, keeping the information from the Application layer inside the packets it makes, then hands its packets off to the Session layer.
  • The Session layer negotiates a connection with the next machine it needs to send to, which it does while it takes the received Presentation packets and repackages them as Session packets. These are handed off to the Transport layer.
  • The Transport layer continues the pattern: it adds its magic, wraps it around the received packets, and puts them all in its own message units called segments. The segments are handed off to the Network layer.
  • The Network layer continues: it does its thing, adds IP addresses for source and destination, rewraps the segments as datagrams, and hands them to the Data Link layer.
  • The Data Link layer does not change what is in the datagrams, but it adds MAC addresses for source and destination. (Some real magic happens here. If the author never gets to it, I will tell you later.) The datagrams are rewrapped as frames, and they are pushed to a network by processes on the Physical layer.
  • The Physical layer takes the frames, which are perceived as a stream of bits, moves them as needed to the next device, again and again, until the stream is processed by a NIC on a receiving machine, which may be the final destination or a router along the way.

    That's what happens, from layers 7 through 1, in the machine sending a message. On the final destination machine, the received message is processed through the layers from layers 1 through 7, until the message is received by a program that knows what to do with it. That is why there are IP packets inside the frames that the Network layer opens. They were put there by the Network layer processes of the sending machine. And this is why we usually explain this process from the top down instead of from the bottom up.
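An added illustration, not from the text or the original notes, of the wrapping described above: a message is placed in a TCP segment, the segment in an IPv4 datagram that carries the IP addresses, the datagram in an Ethernet frame that carries the MAC addresses, and the receiver then strips the headers in the opposite order, which is exactly why the frame the Network layer opens has an IP datagram inside it. The addresses, ports and message are constructed sample values; the header layouts are the real Ethernet II, IPv4 and TCP formats, although the TCP checksum is left at zero to keep the example short.

```python
import struct

# Constructed sample values for the demonstration (documentation address ranges, not real hosts).
SRC_MAC = "00-11-22-33-44-55"
DST_MAC = "66-77-88-99-AA-BB"
SRC_IP = "192.0.2.10"
DST_IP = "198.51.100.20"
ETHERTYPE_IPV4 = 0x0800   # tells the receiving Data Link layer "an IPv4 datagram is inside"
PROTO_TCP = 6             # tells the receiving Network layer "a TCP segment is inside"

def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(pair, 16) for pair in mac.replace(":", "-").split("-"))

def bytes_to_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); returns 0 for a header that verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

# Layer 4: the Transport layer puts the message into a segment (20-byte TCP header, no options).
def build_segment(src_port: int, dst_port: int, seq: int, flags: int, message: bytes) -> bytes:
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                         5 << 4,               # data offset: 5 words = 20 bytes
                         flags, 65535, 0, 0)   # window, checksum (left 0 here), urgent pointer
    return header + message

# Layer 3: the Network layer adds the source and destination IP addresses: a datagram.
def build_datagram(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0,
                         64, PROTO_TCP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    checksum = struct.pack("!H", ipv4_checksum(header))
    return header[:10] + checksum + header[12:] + segment

# Layer 2: the Data Link layer adds the source and destination MAC addresses: a frame.
def build_frame(src_mac: str, dst_mac: str, datagram: bytes) -> bytes:
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + datagram

def send_down_the_stack(message: bytes) -> bytes:
    """Layers 7 down to 2: each layer wraps whatever the layer above handed it."""
    segment = send = build_segment(40000, 80, 1, 0x18, message)   # flags 0x18 = PSH|ACK
    datagram = build_datagram(SRC_IP, DST_IP, segment)
    return build_frame(SRC_MAC, DST_MAC, datagram)

def receive_up_the_stack(frame: bytes) -> dict:
    """Layers 2 up to 7: each layer strips its own header and hands the rest upward."""
    dst_mac, src_mac = bytes_to_mac(frame[0:6]), bytes_to_mac(frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("frame does not carry an IPv4 datagram")
    datagram = frame[14:]                        # what the sender's Network layer put there
    ihl = (datagram[0] & 0x0F) * 4               # IPv4 header length in bytes
    if ipv4_checksum(datagram[:ihl]) != 0:
        raise ValueError("IPv4 header checksum does not verify")
    total_len = struct.unpack("!H", datagram[2:4])[0]
    if datagram[9] != PROTO_TCP:
        raise ValueError("datagram does not carry a TCP segment")
    segment = datagram[ihl:total_len]            # what the sender's Transport layer put there
    src_port, dst_port = struct.unpack("!HH", segment[0:4])
    message = segment[(segment[12] >> 4) * 4:]   # what the sender's Application layer put there
    return {"src_mac": src_mac, "dst_mac": dst_mac,
            "src_ip": bytes_to_ip(datagram[12:16]), "dst_ip": bytes_to_ip(datagram[16:20]),
            "src_port": src_port, "dst_port": dst_port, "message": message}

def frame_verifies(frame: bytes) -> bool:
    """True if the frame unwraps cleanly; a damaged IP header fails its checksum on the way up."""
    try:
        receive_up_the_stack(frame)
        return True
    except ValueError:
        return False

def flip_byte(frame: bytes, offset: int) -> bytes:
    """Simulate damage in transit by inverting one byte."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0xFF
    return bytes(damaged)

if __name__ == "__main__":
    wire = send_down_the_stack(b"GET / HTTP/1.0\r\n\r\n")
    print(len(wire), "bytes on the wire ->", receive_up_the_stack(wire))
```

The frame is 14 + 20 + 20 bytes of headers plus the message; flipping the TTL byte (offset 14 + 8) makes the IPv4 checksum fail, which is the Network layer's own small piece of error detection, separate from the Transport layer's reliability.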

The ISO-OSI model gives us a framework for discussing what happens on a network, and what happens at specific devices. So, we can start explaining the model by telling you some of the things associated with it. I will switch to another color scheme here, which will be used in a chart farther down the page.

  1. In the Physical layer, we pick a communications medium, which is usually UTP (unshielded twisted pair) cable, because it is inexpensive, easy to use, and it works well. A previous author mentioned hubs as hardware associated with this layer. A hub can also be called a concentrator, because it is where lots of wires come together (concentrate). That author confused the description by saying that a hub is like a telephone switchboard, which most of you have probably never seen, but Wikipedia has decent pictures. A hub is like a switchboard in that lots of wires from different devices come together there. It is also NOT like a switchboard, in that any signal sent into a hub will come out on ALL the other wires. On a telephone switchboard, like those shown on Wikipedia, a telephone operator determined what circuit you needed to be connected to, made the connection, and your signal only went on that circuit. That's why we don't use hubs any more: we use switches, which do what the operator did. Switches do not live on this layer, because they do a lot more.

    A lot of other topics are covered by the physical layer of the OSI model. In the chart below, you can see that this layer has more topics than any other. We will talk about them more as we go along.

  2. A Network Interface Card (NIC) can be used as a reason to go to the Data-Link layer. Network cable connects to the NIC, which connects a computer to the network. NICs belong on the Data-Link layer because they have addresses that are hard coded (burned in) to them. This kind of address is also called a physical address, but that does not place the NIC on the Physical layer. A better name for the address is a MAC address, because the address is used for Media Access Control, which has to do with how devices share the transmission medium. Before we can make them share, we have to tell them apart, so we use addresses. A MAC address is often written in one of two ways: as twelve hexadecimal characters with no breaks, or as six pairs of hexadecimal characters with hyphens or colons between them. The paired format is easier to read, and if you see a lot of them, it makes it easier to notice that the first six characters in a MAC address identify a manufacturer. (Large manufacturers have lots of six character sequences assigned to them.)

    Computers and NICs may send signals with electricity, light, or radio waves. From there, we can turn to a new idea: frames. I already said that we break signals into packets. Well, you should know that we also collect data into usable clumps or clusters and call them by different names on different layers. On the Data Link layer, where NICs live, those clusters are called frames. Many frame types have been created over the years. For any two devices on the same network to communicate, they must send and receive frames of the same type. (Devices that connect one network to another can translate frames from one type to another.)

    In most networks, every device on a network can see every frame that is transmitted on it. There are exceptions, especially when we start breaking networks into subnets, but in this simple example the statement is true. The point is that a frame is usually addressed to a particular NIC, because frames use MAC addresses. (They hold the MAC addresses of the sender and the receiver.) Because of this, only the device whose MAC address matches a frame will process that frame. There are two exceptions to this rule. First, a frame sent to the broadcast address (FF-FF-FF-FF-FF-FF) of a network will be processed by all devices. That address, by the way, is the broadcast address for frames on any network, not just a particular one. In the second case, a network admin may set the NIC on a device to work in promiscuous mode, which means that it processes all frames, which is useful in monitoring activity on a network. An attacker may do the same, but the monitoring is likely to have a less official purpose.

    Regarding the broadcast MAC address, that address can be used to make a general request to all devices on a system, asking them to respond with their MAC addresses and some kind of device name. There are several systems of naming. Your text mentions that the Address Resolution Protocol (ARP) can be used to request the MAC address of a device whose IP address is known. Reverse Address Resolution Protocol (RARP) was used for the opposite process on a given machine, and Inverse Address Resolution Protocol (InARP) is still used to request the IP address of a machine associated with a known MAC address.

    The Data Link layer used to be the only OSI layer with sublayers. (Wireless networking has caused us to add sublayers to the Physical layer as well.) The sublayers are the MAC sublayer (Media Access Control) and the LLC sublayer (Logical Link Control). Your book does not mention them. It does mention that flow control is important on this layer, as it is on others. Flow control is meant to avoid situations in which the flow of packets overwhelms the hardware and software of the network, as happens in some Denial of Service attacks.

  3. When the world was new and there were only four computers that were about to be connected to what would become the Internet, the kind of networking that only used layers 1 and 2 may have been enough.

    As soon as it became a goal to connect separate networks together, the ARPANET/Internet planners decided it would be necessary to use a method that named networks as well as the devices on them. Several methods of accomplishing this have been devised by different vendors. The method that has become dominant is the one that is used on the Internet, IP addressing.

    In the section about the Network layer, the author tells us that Internet Protocol (IP) is used for an addressing scheme that includes a reference to an individual device, and to the network it is on. IP lives on the Network layer, Layer 3. On an IP network, each device (node) is known as a host, and every host must have an address.

    IP addresses, and any addresses associated with the Network layer, are logical addresses. This means they are not permanently associated with a piece of hardware like a MAC address and a NIC. A logical address is assigned to a device by an administrator, by a user, or by a network device assigned to do so. A standard router used in a home is an example of a device that would assign an IP address to any other device that is connected to one of its switch ports. It does so because it acts like a switch (connecting devices to a small network), like a router (connecting your network to your Internet Service Provider's network), and like a Dynamic Host Configuration Protocol (DHCP) server, which is a device or program that assigns IP addresses to devices on a network. The DHCP service makes note of the MAC address of each device it gives an IP address to, to make sure it does not give out the same IP address to two currently connected devices. Giving the same address to two devices would keep at least one of them from being able to use the network. The text presents a small diagram of a network subdivided into several logical subnets. In the graphic on page 26, the objects that look like hot-cross hockey pucks represent routers. You will find this shape and lots of others on this Cisco page.

  4. Layer 4 is the Transport layer. One of the processes of this layer is called segment development. What that means is actually simple: large messages that won't fit in one segment are broken down and the pieces are placed in two or more segments. Sometimes a message is very small, in which case the segment it is placed into would not be full. Segments are required to be full, so extra bits are generated to be used as filler.

    More importantly, the TCP protocol operates on the Transport layer, which makes this layer associated with the word reliable. If a packet is lost or received in a damaged state, a replacement copy of the packet is requested. This is one aspect of reliable, guaranteed delivery.

    Just to make things complicated, layer 4 is also where the User Datagram Protocol (UDP) lives. If TCP is like sending a registered letter to a recipient (we know it is going to get there), UDP is like sending a postcard with our best guess at an address. UDP is quick and easy, but it may not get the job done. TCP is sometimes called a connection-oriented service. UDP is called a connectionless service. Quick tip: If you need to remember whether a protocol is connection-oriented or connectionless, look at the first letter of the protocol name. If it is a consonant, it is connection-oriented. If it is a vowel, it is connectionless. This is only true for protocols for which we care about this concept.

  5. Layer 5 is the Session layer, which the text explains as being useful when any device is doing more than one thing at a time on the network. Have you ever had two browser windows open at once? When you click something in one of those windows (or tabs), how does the computer know where to put the response to that click? Each of those windows is assigned a different session ID, which is used in any requests that are sent from it. This assignment of session IDs takes place for other kinds of connections as well, for any program that establishes a connection to a service (on another machine) across a network.

  6. Layer 6 is the Presentation layer, which formats data into files that can be read and stored by the applications on the current system. Files may be stored by different methods on mainframes as opposed to PC or macOS based servers, bytes can be sent across a wire most significant digit first or last, and most importantly files can be encrypted. Encryption services also live on the Presentation layer.

  7. The Application layer is layer 7, the top layer in the OSI model. The author makes the point that this layer is about the network interfaces that exist so that application programs can use network services, like file service, print services, and message services.

A table appears on page 29 that maps commonly seen protocols and applications to the layers of the OSI model. You should take a look at it. As you use various protocols and applications, the table will help put them in context.

The text switches to another network model, the TCP/IP model, which is very similar to the Department of Defense (DoD) model. That's the point, really. Once you understand the OSI model, you understand the next one, too. You just need to know what the next model calls things. In the chart at the end of this notes page, I have included a column for the TCP/IP model layers, and another for the OSI layers. The topics and methods for the two models are the same.

TCP/IP Layer name | OSI Layer name | Topics & Methods (listed under each row)
------------------|----------------|------------------------------------------
Application | Application (layer 7)

  • Network Services
    • File services
    • Print services
    • Message services
    • Application services
    • Database services
  • Service Advertisement - how services become known
  • Service Use - how services are obtained
  • Data cluster type: Messages
Application | Presentation (layer 6)

  • Translation - bit translation, byte translation, character code translation, file translation
  • Encryption - cipher, private key, or public key
  • Data cluster type: Packets
Application | Session (layer 5)
  • Dialog Control - simplex, half-duplex and duplex
  • Session Administration - connection establishment, data transfer, and connection release
  • Data cluster type: Packets
Host-to-Host | Transport (layer 4)
  • Address/name Resolution
  • Addressing
  • Segment Development - breaking large messages into segments, combining small messages into segments
  • Connection Services
  • Data cluster type: Segments
Internet | Network (layer 3)
  • Addressing - network addresses. 2 methods:
    • Logical Network
    • Service
  • Switching - route creation for packets, messages and circuits. 3 methods:
    • Packet switching
    • Message switching
    • Circuit switching
  • Route Discovery - finding a route. 2 methods:
    • Distance vector
    • Link-state
  • Route Selection - choosing a route. 2 methods:
    • Static
    • Dynamic
  • Connection Services - flow control, error control and packet sequence control. 3 methods:
    • Network-layer flow control
    • Error control
    • Packet sequence control
  • Data cluster type: Datagrams
Network Access | Data Link (layer 2)

  • MAC sublayer
    • Logical Topology - 2 methods:
      • Bus
      • Ring
    • Media Access - 3 methods:
      • Contention
      • Token Passing
      • Polling
    • Addressing - 1 method:
      • Physical Device Address - the MAC address
  • LLC sublayer
    • Transmission Synchronization - 3 methods:
      • Synchronous
      • Asynchronous
      • Isochronous
    • Connection Services - 3 methods:
      • Unacknowledged Connectionless
      • Connection Oriented
      • Acknowledged Connectionless
  • Data cluster type: Frames
Network Access | Physical (layer 1)

  • Connection Type - 2 methods:
    • Point-to-Point
    • Multipoint
  • Physical Topology - 5 methods:
    • Bus
    • Ring
    • Star
    • Mesh
    • Cellular
  • Digital Signaling - 2 methods:
    • Current State
    • State Transition
  • Analog Signaling - 2 methods:
    • Current State
    • State Transition
  • Bit Synchronization - 2 methods:
    • Synchronous
    • Asynchronous
  • Bandwidth Usage - 2 methods:
    • Baseband
    • Broadband
  • Multiplexing - 3 methods:
    • Frequency Division
    • Time Division
    • Statistical Time Division
  • No data clusters, just bits

On page 32, the text mentions the use of ARP as an attack venue. On networks in which it is still used by devices to learn the MAC addresses of devices from their IPv4 addresses, requests for such addresses can be answered by attackers who want to impersonate the real owners of those addresses. The text tells us that ARP requests have been replaced by Neighbor Discovery Protocol (NDP), which we are told is more secure, but we are also told that it sends ICMP messages in clear text, which are open to interception and eavesdropping.

Page 33 lists several attacks that can be associated with OSI Layer 1 and Layer 4.

  • Spoofing MAC addresses - As noted above, an attacker can send signals marked with the MAC address of a known network device. The text points out that this can be useful in wired and wireless networks. The text does not mention that signals sent inside a network, that do not have to pass across routers, may only have to rely on physical addresses.
  • Defeating/Poisoning MAC address resolution - Any device on a network that sees ARP information will update its tables with that information, despite its being sent by an attacker.
  • Wiretapping - This once meant the interception of telephone or telegraph signals, but it has been extended to include network signals as well. It includes interception of wireless signals, as well as those passing across a wired network. This can lead to interception and falsification, or it may only be eavesdropping and monitoring.

The text makes it clear that eavesdropping involves only the unauthorized capture of signals. It does not elaborate on the idea that interception is the same thing, but it may include modification or replacement of the data in the signals.
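An added example, not from the text or the original notes, that ties the MAC address formats from the Data Link discussion (item 2 above) to the ARP poisoning threat just described. It normalizes addresses written either as twelve hex characters or as six pairs, pulls out the six-character manufacturer prefix, refuses the broadcast address (and any other group address) as a sender, and then audits a trace of ARP replies the way a monitoring host would: an IP address that suddenly answers from a different MAC, or one MAC that answers for several IP addresses, is reported. The trace, the trusted gateway binding and all addresses are constructed sample data.

```python
import re

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"

def normalize_mac(mac: str) -> str:
    """Accept twelve hex digits, or six pairs separated by ':' or '-'; return XX-XX-XX-XX-XX-XX."""
    digits = re.sub(r"[-:]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def oui(mac: str) -> str:
    """First six hex characters (three octets): the manufacturer prefix registered with the IEEE."""
    return normalize_mac(mac)[:8]

def is_group_address(mac: str) -> bool:
    """Low bit of the first octet set: a multicast or broadcast destination, never a legitimate sender."""
    return int(normalize_mac(mac)[:2], 16) & 0x01 == 1

def is_broadcast(mac: str) -> bool:
    return normalize_mac(mac) == BROADCAST_MAC

def is_locally_administered(mac: str) -> bool:
    """Second-lowest bit of the first octet set: assigned by software rather than burned into the NIC."""
    return int(normalize_mac(mac)[:2], 16) & 0x02 == 2

# Constructed trace of ARP replies seen on one segment: (time, sender IP, sender MAC).
ARP_REPLIES = [
    ("10:00:01", "192.0.2.1",  "00:11:22:33:44:01"),  # the gateway, colon format
    ("10:00:02", "192.0.2.10", "001122334410"),       # twelve digits, no separators
    ("10:00:03", "192.0.2.11", "00-11-22-33-44-11"),  # hyphen format
    ("10:00:09", "192.0.2.1",  "02-AB-CD-EF-00-01"),  # someone else now answers for the gateway
    ("10:00:10", "192.0.2.12", "FF-FF-FF-FF-FF-FF"),  # a sender can never be the broadcast address
    ("10:00:11", "192.0.2.10", "02-AB-CD-EF-00-01"),  # and the same MAC now also claims .10
]
# Constructed baseline: bindings the administrator knows to be correct (the gateway, in this case).
TRUSTED = {"192.0.2.1": "00-11-22-33-44-01"}

def audit_arp_replies(replies, trusted=None):
    """Learn IP-to-MAC bindings the way a naive host does; return (alerts, learned table)."""
    trusted = trusted or {}
    table, alerts = {}, []
    for when, ip, mac in replies:
        try:
            mac = normalize_mac(mac)
        except ValueError as err:
            alerts.append(f"{when} {ip}: {err}")
            continue
        if is_group_address(mac):
            alerts.append(f"{when} {ip} claims group/broadcast MAC {mac}; invalid for a sender")
            continue
        if ip in trusted and trusted[ip] != mac:
            alerts.append(f"{when} {ip} answered from {mac}; trusted binding is {trusted[ip]}")
        elif ip in table and table[ip] != mac:
            alerts.append(f"{when} {ip} moved from {table[ip]} to {mac}; poisoning or a DHCP reassignment, verify")
        table[ip] = mac   # a host that does not check simply overwrites its entry, as the text says
    claimed = {}
    for ip, mac in table.items():
        claimed.setdefault(mac, []).append(ip)
    for mac, ips in claimed.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answers for {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts, table

if __name__ == "__main__":
    for line in audit_arp_replies(ARP_REPLIES, TRUSTED)[0]:
        print(line)
```

Two of these alerts need a human judgement: an address that moves to a new MAC can be a DHCP lease handed to a different machine, and a router doing proxy ARP legitimately answers for many addresses. The trusted-binding check is the one that needs no interpretation, which is why static entries for the gateway are worth keeping.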

Still on page 33, the text makes some observations about attempts to make a network less vulnerable to these attacks:

  • Use fiber optic cable - Of the various cable types, this is the most secure. It does not radiate signals, and it is difficult to cut a line with the intention of placing an undetectable monitor or a false host on the network. This is obviously a Layer 1 remedy. The recommendation is real, but is probably not practical. Most networks are wired with UTP because it is cheap and it works well. Security is not usually the concern of the network planner.
  • WEP, WPA, and WPA2 - The text wastes a little space recommending the first two, since they have both been hacked, and have been superseded by WPA2. One day, before long, we will need whatever comes next. For the moment, WPA2 is a standard on wireless networks. Perhaps we can say that all security is like glory.

  • Point-to-Point Tunneling Protocol (PPTP) - An improvement over PPP or SLP, PPTP provides encryption of traffic.
  • Challenge Handshake Authentication Protocol (CHAP) - An authentication protocol that provides encryption. (See a pattern forming here?)

The text moves on to the OSI Network layer, which is its layer 3. (The TCP/IP model calls it the Internet layer, which is its layer 2. I know it's confusing. I made you a chart.) The device that stands for this layer is the router, because that is the device that connects networks to each other. The text offers some quick features of routers:

  • Routers don't forward broadcast packets - Usually. Assume you have three networks at your site, linked by a router or two. Now assume you have only one DHCP server. A DHCP request is a broadcast request, and in this case it needs to be forwarded to the network where the DHCP server lives. Sometimes it is good to forward some broadcast packets.
  • Routers do forward multicast packets.
  • Routers can make routing decisions for each packet depending on current conditions.
  • Routers have latency. They receive packets, examine them, then decide what to do with them. This causes delay, but provides a necessary service.

The text offers a summary of routing methods, explaining why the older Distance Vector method protocols like Routing Information Protocol (RIP and RIPv2) have been replaced by protocols that use the Link State method, such as Open Shortest Path First (OSPF) protocol. (Mnemonic: Distance Vector = Darth Vader = Bad. Link State = Luke Skywalker = Good.)

Well, in some cases, Distance Vector was good. It just wasn't up to routes that need more than 15 hops. (On a route, a hop is when the packet crosses a router to go to another network. Luke hopped a lot more than Darth Vader could.) The Internet presents a need for an almost unlimited number of hops.

The text discusses the basics of IPv4 addresses and subnet masks. Remember that a subnet mask tells us (and tells network devices) which parts of an address are network identification bits, and which parts are host identification bits. The text describes IPv6 addresses, but does not give us any examples. We are told that we need to use IPv6 addresses because there are not enough version 4 addresses for all the devices in the world already. This is so, but IPv4 continues to be used, thanks to Network Address Translation (NAT).

The text discusses the use of Internet Control Message Protocol (ICMP), which is most commonly used to ping another system, verifying that it is active and reachable. At least, it is useful for that when ping responses have not been disabled on the target device. Disabling responses to pings prevents an attacker from gathering information from them. It is more likely that an attacker who has gained access to your network will be using a sniffer, as discussed on page 38. Note that we can do this ourselves, with permission, by first installing a program to enable promiscuous mode on our NIC (the ability to capture all packets passing by), and second, by installing and running a packet sniffer program. The text mentions Wireshark, but there are others. The text also mentions that you enable promiscuous mode by a different method on different operating systems.

The text turns to controls that relate to this network layer:

  • IPSecurity (IPSec) - The text tells us to use it, but does not explain what it does very well. Take a look at this video for a good discussion with good graphics. Thanks, Keith. (As usual, you might want to speed up the player if you are familiar with the process.)

  • Packet filters - This is explained oddly in the text. What he is talking about are firewall rules, typically on a Cisco router. I wish people would call them that, so there would be less confusion with permission filters on AD objects, which are also called access control lists. Cisco calls their lists of rules "access control lists", but the command that uses them says "access-list", so that would be a better, more accurate term. Take a look at this recent Cisco page about filtering IP packets for a short lesson in syntax. If that doesn't do it for you, here is an ancient lesson (2008) I taught in Advanced Routers and Routing.
  • Network Address Translation (NAT) - I mentioned this in the notes above. The text hints that we can do anything we want to do on our own networks, such as using private addressing schemes. A popular approach is using IPv4 addresses that start with a 10, then subnetting as needed. That is very flexible, and it allows Internet access if you use NAT when you send packets to your ISP. The text mentions that NAT is not necessary for IPv6 addressing schemes.

The author has been calling layers by their OSI names, but the next section calls the next layer the Host-to-Host layer, which is the TCP/IP model name for what the OSI model calls layer 4, the Transport layer. It is known for the reliable, guaranteed delivery service of TCP, which is based in this layer. This layer, as I have already mentioned, is also home to UDP, which is not unreliable as such, but is connectionless and does not guarantee delivery. The text tells us that UDP is "optimized for applications that require fast delivery and are not sensitive to packet loss", which puzzles me. What services are not sensitive to packet loss? The text mentions DNS service, but that seems as reliant on good packet delivery as anything else.

Three threats are listed for this layer:

  • Port scanning - Ports are numbered service addresses. A port scanner attempts to contact them, one by one, to determine which ports are responsive on a server.
  • Session hijack - This is like a man-in-the-middle attack, except that the attacker simply takes over a session established by a real user. TCP services do not typically require reauthentication during a session, which makes this possible.
  • SYN attack - The text explains how TCP connection sessions are begun. Let's take a minute and review a bit more than we are offered in the book.
    A session begins with a TCP three-way handshake. Note that only two participants are involved.
    • The requester sends a synchronize (SYN) packet to a server.
    • The server responds with a synchronization acknowledgment (SYN ACK) message.
    • The requester sends an acknowledgment (ACK) packet, confirming the connection.

    The text does not describe terminating the TCP session, which could be initiated by either party in the session.
    • The device requesting to end the session sends a packet saying I'm finished, please acknowledge (FIN ACK).
    • The second device sends an acknowledge (ACK) packet.
    • The second device then sends a packet like the first one, saying I'm finished, please acknowledge (FIN ACK).
    • The first device sends an acknowledge (ACK) packet. This closes the session on both ends.

    The text does not mention that this process can vary. In this discussion on the Wireshark site, it is noted that a web browser might send a connection reset packet (RST) if there is no graceful closure dialog completion. Graceful, in IT, typically means that something is being done formally, methodically, and with every party in the transaction aware and acknowledging what is happening. This introduces a new problem, that the connection could be hijacked by an interception of the second FIN ACK (assuming it came from the server), and an impersonation of the original client by the hacker.

    Why do you need to know all this? To understand that sending a continuous stream of SYN requests from multiple devices is an attack. It will cause the victim device to consume all its resources for connections, causing it to be unable to do its job.
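An added example, not from the text or the original notes, that follows the three-way handshake, the four-packet close and the RST shortcut described above over a constructed packet trace, then counts the handshakes that never finished. A connection left after the SYN or the SYN ACK is half-open, and the server has already set aside resources for it; a server with many half-open connections at once is what the SYN attack produces, so that count per server is the indicator a monitor watches for. The trace, the addresses, the flag letters (S, A, F, R for SYN, ACK, FIN, RST) and the threshold are constructed for the demonstration.

```python
SERVER = "198.51.100.20:80"

# Constructed trace: (time, source endpoint, destination endpoint, TCP flags).
TRACE = [
    # A normal session: three-way handshake, then the four-packet close described in the notes.
    ("00:00.01", "192.0.2.10:40000", SERVER, "S"),
    ("00:00.02", SERVER, "192.0.2.10:40000", "SA"),
    ("00:00.03", "192.0.2.10:40000", SERVER, "A"),
    ("00:00.50", "192.0.2.10:40000", SERVER, "FA"),
    ("00:00.51", SERVER, "192.0.2.10:40000", "A"),
    ("00:00.52", SERVER, "192.0.2.10:40000", "FA"),
    ("00:00.53", "192.0.2.10:40000", SERVER, "A"),
    # A browser that resets instead of finishing the graceful close.
    ("00:01.00", "192.0.2.11:40001", SERVER, "S"),
    ("00:01.01", SERVER, "192.0.2.11:40001", "SA"),
    ("00:01.02", "192.0.2.11:40001", SERVER, "A"),
    ("00:01.40", "192.0.2.11:40001", SERVER, "R"),
    # Handshakes that never complete: SYN, SYN ACK, then silence from the requester.
    ("00:02.00", "203.0.113.5:1025", SERVER, "S"),
    ("00:02.00", SERVER, "203.0.113.5:1025", "SA"),
    ("00:02.01", "203.0.113.6:1025", SERVER, "S"),
    ("00:02.01", SERVER, "203.0.113.6:1025", "SA"),
    ("00:02.02", "203.0.113.7:1025", SERVER, "S"),
    ("00:02.02", SERVER, "203.0.113.7:1025", "SA"),
    ("00:02.03", "203.0.113.8:1025", SERVER, "S"),
]

HALF_OPEN = {"SYN_SENT", "SYN_RECEIVED"}   # the server has state for these, but no working connection

def track_connections(trace):
    """Replay the trace through a simplified TCP state machine, one record per connection."""
    conns = {}   # frozenset({endpoint, endpoint}) -> {"state", "client", "server", "closer"}
    for _when, src, dst, flags in trace:
        key = frozenset((src, dst))
        if "S" in flags and "A" not in flags:                    # a bare SYN opens a new record
            conns[key] = {"state": "SYN_SENT", "client": src, "server": dst, "closer": None}
            continue
        c = conns.get(key)
        if c is None:
            continue                                             # we never saw this connection start
        st = c["state"]
        if "R" in flags:
            c["state"] = "RESET"                                 # abortive close, no FIN exchange
        elif "S" in flags and "A" in flags and st == "SYN_SENT" and src == c["server"]:
            c["state"] = "SYN_RECEIVED"                          # step 2 of the handshake
        elif "F" in flags:
            if st == "ESTABLISHED":
                c["state"], c["closer"] = "FIN_WAIT", src        # first FIN ACK
            elif st == "FIN_WAIT" and src != c["closer"]:
                c["state"] = "LAST_ACK"                          # second FIN ACK, from the other side
        elif "A" in flags:
            if st == "SYN_RECEIVED" and src == c["client"]:
                c["state"] = "ESTABLISHED"                       # step 3 of the handshake
            elif st == "LAST_ACK" and src == c["closer"]:
                c["state"] = "CLOSED"                            # final ACK closes both ends
    return conns

def state_of(conns, endpoint_a: str, endpoint_b: str) -> str:
    return conns[frozenset((endpoint_a, endpoint_b))]["state"]

def half_open_by_server(conns) -> dict:
    """How many embryonic connections each server is holding."""
    counts = {}
    for c in conns.values():
        if c["state"] in HALF_OPEN:
            counts[c["server"]] = counts.get(c["server"], 0) + 1
    return counts

def syn_flood_suspects(conns, threshold: int = 3) -> dict:
    """Servers whose half-open count reaches the threshold; a real monitor applies this per time window."""
    return {srv: n for srv, n in half_open_by_server(conns).items() if n >= threshold}

if __name__ == "__main__":
    tracked = track_connections(TRACE)
    print(half_open_by_server(tracked), syn_flood_suspects(tracked))
```

Counting half-open connections per server, rather than per source, is deliberate: in the attack described above the SYN packets come from many devices, and their source addresses need not be genuine, so the server side is where the pattern shows.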

The text offers some controls relating to its proposed threats:

  • Secure Sockets Layer (SSL) - a security protocol that is often seen on commercial web pages. The text mentions that it can be used with other protocols as well, such as FTP and Telnet.
  • Transport Layer Security (TLS) - An improvement over SSL, it can be used instead of SSL for better security.

The text concludes the chapter with a discussion about the Application layer, which is a TCP/IP model name for what the OSI model calls its three upper layers: the Session layer (5), the Presentation layer (6), and the Application layer (7).

The text presents a selection of services on page 43 that can be associated with specific ports and protocols. We are told that not all services are likely targets for attack, but the advice offered is to deny all packets from the Internet (or suspect networks), allowing only traffic to services and ports we intend to make available to specific kinds of traffic. The text calls this a deny-all principle. It is also called an implicit deny approach, denying everything that is not specifically allowed by one of our rules.

The text presents a short list of services and protocols that may have security issues:

  • DNS
  • FTP
  • HTTP
  • SNMP
  • Telnet
  • SMTP
  • TFTP
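An added example, not from the text or the original notes, of the implicit deny principle applied to the packet filters mentioned in the Network layer controls above: rules are checked in order, the first match decides, and a packet that matches nothing is dropped because the list ends with an unwritten deny. The rule set, the packets and the addresses are constructed; the rules permit only web and DNS traffic to two public servers, so the Telnet and TFTP packets in the sample fall through to the implicit deny without any rule naming them. This is the logic of such a filter, not Cisco syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "deny"
    proto: str                                   # "tcp", "udp", "icmp" or "any"
    src: str                                     # source network in CIDR form, or "any"
    dst: str                                     # destination network in CIDR form, or "any"
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive port range; None means any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None               # ICMP has no ports

def in_network(ip: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not in_network(pkt.src_ip, rule.src) or not in_network(pkt.dst_ip, rule.dst):
        return False
    if rule.dst_ports is not None:
        low, high = rule.dst_ports
        if pkt.dst_port is None or not low <= pkt.dst_port <= high:
            return False
    return True

def evaluate(rules: List[Rule], pkt: Packet):
    """First matching rule wins; no match means the implicit deny at the end of the list."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None

# Constructed rule set for an Internet-facing interface. Order matters: the anti-spoofing
# denies come first so a private source address can never reach a permit rule below them.
RULES = [
    Rule("deny",   "any", "10.0.0.0/8",     "any",              None),        # private source from outside: spoofed
    Rule("deny",   "any", "192.168.0.0/16", "any",              None),
    Rule("permit", "tcp", "any",            "198.51.100.20/32", (80, 80)),    # public web server, HTTP
    Rule("permit", "tcp", "any",            "198.51.100.20/32", (443, 443)),  # and HTTPS
    Rule("permit", "udp", "any",            "198.51.100.53/32", (53, 53)),    # public DNS resolver
]
# Everything else (Telnet, TFTP, SNMP, ICMP, ...) is never mentioned and is dropped by the implicit deny.

# Constructed sample traffic arriving from the Internet.
SAMPLE_PACKETS = [
    Packet("tcp",  "203.0.113.9", "198.51.100.20", 80),   # web request: permitted by rule 2
    Packet("tcp",  "203.0.113.9", "198.51.100.20", 23),   # Telnet to the web server: implicit deny
    Packet("udp",  "203.0.113.9", "198.51.100.53", 53),   # DNS query: permitted by rule 4
    Packet("udp",  "203.0.113.9", "198.51.100.53", 69),   # TFTP to the resolver: implicit deny
    Packet("tcp",  "10.1.2.3",    "198.51.100.20", 80),   # web request from a spoofed private source: rule 0
    Packet("icmp", "203.0.113.9", "198.51.100.20"),       # ping: implicit deny
]

def audit(rules: List[Rule], packets: List[Packet]):
    """Decide each packet and count hits per rule; rules that never match deserve a second look."""
    decisions, hits, implicit_denies = [], {i: 0 for i in range(len(rules))}, 0
    for pkt in packets:
        action, index = evaluate(rules, pkt)
        decisions.append((pkt, action, index))
        if index is None:
            implicit_denies += 1
        else:
            hits[index] += 1
    return decisions, hits, implicit_denies

if __name__ == "__main__":
    for pkt, action, index in audit(RULES, SAMPLE_PACKETS)[0]:
        print(f"{action:6} rule={index!s:4} {pkt.proto} {pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port}")
```

Half of the sample traffic is dropped by a rule that was never written, which is the point of the deny-all approach: new services that appear on a server stay unreachable until someone deliberately adds a permit for them.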

The text presents a list of some of the threats that apply to this layer (or group of layers), but they all fall into two categories:

  • Malicious software
  • Denial of Service attacks

Controls suggested by the text for this section of the network:

  • Malware scanners - This is obvious: get some protection!
  • SSH - This was proposed in another layer.
  • Pretty Good Privacy (PGP) - The text is really suggesting using a Public Key encryption scheme.
  • Secure/Multipurpose Internet Mail Extensions (S/MIME) - A secure version of the MIME extension for email.


This week you need to complete Assignment 1 and Part 1 of an ongoing course project. Both of these are due in one week.