﻿<?xml version="1.0"?>
<Module projectID="1080" moduleID="1126">
	<ModuleName>mod3</ModuleName>
	<AU>mod3</AU>
	<Title>Networking Fundamentals</Title>
	<Subtitle>Networking Fundamentals</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../mod3/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
		<NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn>
		 <NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map.  Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit.  Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause.  Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>idsl3_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the lesson on Networking Fundamentals. To effectively analyze Intrusion Detection Systems, or IDSes, you must first have a solid understanding of how networks operate and communicate with each other. When you have completed this lesson, you will be able to differentiate between two models of interoperability; differentiate between protocols that make up TCP/IP; identify the differences between two versions of Internet Protocol, or IP; recognize how socket pairs relate to Network Address Translation, or NAT, while identifying common protocols and services and the risks associated with those protocols and services. Finally, you will be able to identify the characteristics of Internet Relay Chat, or IRC, traffic, both malicious and non-malicious. There are five topics in this lesson. After you have completed the Introduction, you will learn about two interoperability models, the Open Systems Interconnection, or OSI, model, and the TCP/IP model. Then, you will learn about application layer protocols; network ports, ranges, and sockets; NAT; Request for Comments, or RFC, 1918 addresses; and common protocols and services, including Microsoft server services. Finally, you will learn about IRC traffic, and you will see examples of IRC commands and both malicious and non-malicious IRC traffic. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Please use the up and down arrows to navigate through the Introduction to D O D I D S Analysis Course, Networking Fundamentals. For each screen you will hear a description. The description is cued by an audio tone. Complex screens are divided into several descriptions. Listen to the description, and then select the play audio narration button to continue. You can access the glossary and a list of resources at any time without losing your place in the course. Screen 1 of 27. Topic title: Introduction. Screen title: Objectives and Topics. Bulleted text and text boxes appear with objectives and topics in support of audio. Text box displays text References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service or agency for guidance on the use of these products.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Networking Basics</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Interoperability Models</Title>
					<Subtitle/>
					<Filename>idsl3_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Computers and networks need to be able to communicate with each other despite their different components and technologies. This capability is known as interoperability. Protocols are critical to achieving interoperability between computers. Just as protocols provide the accepted rules and behavior for people to properly communicate, network protocols provide the agreed-upon rules and formats for computers to send and receive data. There are two models of interoperability: Open Systems Interconnection, or OSI, and Transmission Control Protocol/Internet Protocol, or TCP/IP. These models use a layered architecture model to provide standard formats and methods, or sets of protocols, and to define the message order and actions to be taken at each of the layers. The OSI model is a worldwide network communications standard that was developed by the International Organization for Standardization, or ISO. The OSI reference model answers questions about how to connect dissimilar systems with a set of standards, or protocols, which allow the systems to work together. The TCP/IP model was developed by a Department of Defense, or DoD, agency called Defense Advanced Research Projects Agency, or DARPA. Developed in the 1970s, TCP/IP predates OSI. It is the underlying protocol of the Internet, the mega network of networks. Let's learn about how each of these models works. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 27. Topic title: Networking Basics. Screen title: Interoperability Models. Images of a server, computer workstation, fax, printer, and a laptop appear. Animations of lines interconnecting these devices appear. Text displays in support of audio. Image labeled O S I appears with a stack of seven text boxes appear from top to bottom as Application, Presentation, Session, Transport, Network, Data Link, and Physical. Another image labeled T C P slash I P appears with text boxes labeled from top to bottom Application, Transport, Internet, and Network Access. Images are highlighted, and text boxes and bullet points appear in support of audio. Rollovers display for O S I Open Systems Interconnection. I S O International Organization for Standardization. T C P slash I P Transmission Control Protocol Internet Protocol. And Darpa Defense Advanced Research Projects Agency.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>What is OSI?</Title>
					<Subtitle/>
					<Filename>idsl3_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Let's take a closer look at the OSI model. OSI involves a stack of seven layers that implement certain protocols and provide certain services. Each layer in the stack provides services to the layer above it and requests services from the layer below it. By services, we mean processes or groups of tasks that provide basic functionality and support for other programs. E-mail, file transfer, routing, and so on, are examples of services. Let's look at each of the seven layers, starting at the top of the stack. Layer number 7, Application, provides services to end-user applications, particularly those applications specifically designed to interact with servers, such as your Web browser. Your Web browser uses a service at the Application layer to communicate with the network server. Layer number 6, Presentation, has a relatively limited or specific functionality related to data formatting such as compression or encryption services. For example, different systems on a network, such as a PC and Macintosh, send data in different formats. Presentation layer services convert or reformat the data between different systems. Layer number 5, Session, allows systems to exchange data over an extended period of time, which is called a session. For example, for video streaming to work properly, the sent data must be synchronized with the received data or the user will see lip-synch problems. Layer number 4, Transport, is the liaison between the conceptual higher-level functions of the upper layers and the nuts-and-bolts of the lower layers. The transport layer is responsible for making sure that messages sent by multiple applications on a computer travel together and properly reach their destination computer. Layer number 3, Network, is the transition from the abstract, or software-oriented, services of the upper layers to the more hardware-oriented services of the Data Link and Physical layers. 
The Network layer has several jobs, including routing to get data across multiple networks, encapsulating messages from layers 4 through 7 into data packets or datagrams, fragmenting and reassembling data as needed, and handling and diagnosing errors. Layer number 2, Data Link, transfers data between two ends of a physical link, within the same local area network, or LAN. Layer number 1, Physical, provides the electrical and mechanical hardware for transmitting bits, or the electrical, light, or radio signal. You can use the mnemonic, All People Seem to Need Data Processing, to remember the seven OSI layer names. The government has mandated that vendors comply with OSI standards. This mandate increases the interoperability among networks sold by vendors around the world. Let's learn about how each of these models works. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 27. Topic title: Networking Basics. Screen title: What is O S I? Text boxes appear in support of audio. A stack of seven text boxes appear from the top down as 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, and 1 Physical. An animation of an arrow and the word Services appear moving up the stack, and then down the stack. Each layer's text box is highlighted with accompanying images. Layer 7 Application appears highlighted with an image of a search window on a computer monitor with lines connecting to a server image. Layer 6 Presentation appears highlighted with a laptop image and a computer monitor image with an animation of x iz moving away from the laptop and turning into wize before they reach the other computer. Simultaneously an animation shows images of wize moving from the other computer and turning to x iz before reaching the laptop. Layer 5 Session appears with a workstation connected to a laptop with a digital timer counting time. Layer 4 Transport appears with two workstations exchanging data through a small pipe. Layers 3 and 2 appear highlighted together with bulleted text. Text boxes and an image of a Government building appear in support of audio. Rollover text for services displays Processes or groups of tasks that provide basic functionality and support for other programs. E mail, file transfer, routing, and so on are examples of services.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>OSI Reference Model Data Flow</Title>
					<Subtitle/>
					<Filename>idsl3_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">In the OSI Model, data flow begins at the client's Application layer and continues down the protocol stack to the Physical layer. From here, data flows across the network to the receiving server's Physical Layer and back up the server's protocol stack to this server's Application Layer. As the data passes through each layer within the client stack, informational headers are added to that data, or encapsulated inside the next lower layer's protocol, or format. These headers are then stripped off, or de-encapsulated, by the corresponding layer, on the server stack. A key attribute of OSI is that the information moves independently from layer to layer. Each layer packages the data to support its own services and passes the completed package as data to the next layer. In fact, each layer does not know of the existence of any other layer. It performs only its own task, and it thinks it is speaking directly to its corresponding layer in the other computer. This communication is a logical, not a physical, connection. The only physical connection is at the physical layer. The activity at each layer continues until it reaches the physical layer, where it is transferred into bits as electrical impulses, that is, into ones and zeroes. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 27. Topic title: Networking Basics. Screen title: O S I Reference Model Data Flow. Images of two O S I stacks appear one labeled client and other labeled server. An image of a network with two workstations and a server appears between the stacks. Animation shows an arrow coming down the client stack, passing through the network and going up the server stack. An animation shows ones and zeroes with a circle around them going down the client stack. As the image leaves the Application layer a circle forms around the ones and zeroes. Then an additional concentric circle is added to the image as it reaches each layer. The image moves through the network and up through the Server stack. At each layer one circle surrounding the ones and zeroes is removed. Starting at the top, each layer on the client stack is highlighted at the same time as the corresponding layer on the server stack.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>What is TCP/IP?</Title>
					<Subtitle/>
					<Filename>idsl3_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The TCP/IP Model is composed of layers, similar to OSI. However, although both models of interoperability use protocol layers, TCP/IP uses four instead of seven. OSI layers five, six, and seven, Session, Presentation, and Application, are combined into a single Application layer in the TCP/IP model. The Transport layer retains its name in both models. The functionality of the Network layer of the OSI model is retained as the Internet layer in the TCP/IP model. OSI layers one and two, Physical and Data Link, are combined into one Network Access layer in TCP/IP. Despite their differences, both models have one thing in common: they both perform all the functions necessary to place a piece of application data into a data packet using a suite of protocols. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 27. Topic title: Networking Basics. Screen title: What is T C P I P ?. Image of a stack of four text boxes appears labeled Transmission Control Protocol slash Internet Protocol Model. Top down, text boxes are labeled Application, Transport, Internet, and Network Access. An image of the O S I model stack with seven layers appears labeled O S I model. Layers on each stack are highlighted in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl3_06</Filename>
					<PageNbr>6</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>550</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Which model comprises fewer protocol layers?</Txt>
							<Response>
								<Txt>OSI model</Txt>
							</Response>
							<Response valid="true">
								<Txt>TCP/IP model</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. TCP/IP comprises four protocol layers, whereas OSI comprises seven layers.</DfltCorrect>
								<DfltIncorrect>Incorrect. TCP/IP comprises four protocol layers, whereas OSI comprises seven layers.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Presentation layer provides data formatting functions.</Txt>
							<Response valid="true">
								<Txt>OSI model</Txt>
							</Response>
							<Response>
								<Txt>TCP/IP model</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. In the OSI model, the Presentation layer provides data formatting functions. In the TCP/IP model, the OSI model's Presentation, Session, and Application layers are consolidated into a single Application layer.</DfltCorrect>
								<DfltIncorrect>Incorrect. In the OSI model, the Presentation layer provides data formatting functions. In the TCP/IP model, the OSI model's Presentation, Session, and Application layers are consolidated into a single Application layer.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Internet layer encapsulates data into packets or datagrams – fragmenting and reassembling as needed.</Txt>
							<Response>
								<Txt>OSI model</Txt>
							</Response>
							<Response valid="true">
								<Txt>TCP/IP model</Txt>
							</Response>	
							<Feedback>
								<DfltCorrect>Correct. The Internet layer of the TCP/IP model, like the Network layer of the OSI model, encapsulates data into packets or datagrams, fragmenting and reassembling packets as needed.</DfltCorrect>
								<DfltIncorrect>Incorrect. The Internet layer of the TCP/IP model, like the Network layer of the OSI model, encapsulates data into packets or datagrams, fragmenting and reassembling packets as needed.</DfltIncorrect>
							</Feedback>							
						</Question>
						<Question qType="MC">
							<Txt>Application layer is not responsible for data exchanges of extended time periods (e.g., video streams).</Txt>
							<Response valid="true">
								<Txt>OSI model</Txt>
							</Response>
							<Response>
								<Txt>TCP/IP model</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. Unlike TCP/IP, the OSI model's Application layer is not responsible for data exchanges of extended time periods (e.g., video streams). This function is handled by the Session layer in the OSI model.</DfltCorrect>
								<DfltIncorrect>Incorrect. Unlike TCP/IP, the OSI model's Application layer is not responsible for data exchanges of extended time periods (e.g., video streams). This function is handled by the Session layer in the OSI model.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Physical layer sends the electrical, light or radio signals across the network/s</Txt>
							<Response valid="true">
								<Txt>OSI model</Txt>
							</Response>
							<Response>
								<Txt>TCP/IP model</Txt>
							</Response>	
							<Feedback>
								<DfltCorrect>Correct. The OSI model's Physical layer is responsible for the hardware that sends the electrical, light or radio signals across the network/s. In the TCP/IP model, this function occurs at the Network Access layer.</DfltCorrect>
								<DfltIncorrect>Incorrect. The OSI model's Physical layer is responsible for the hardware that sends the electrical, light or radio signals across the network/s. In the TCP/IP model, this function occurs at the Network Access layer.</DfltIncorrect>
							</Feedback>							
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of the OSI and TCP/IP models of interoperability. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 27. Topic title: Networking Basics. Screen title: Knowledge Check. This knowledge check presents five statements. For each statement there are two possible answers, O S I model or T C P I P model. Use the down arrow key to move through the statements and answer options. Use the enter key to make your selections.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Suite of TCP/IP Protocols</Title>
					<Subtitle/>
					<Filename>idsl3_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The TCP/IP Model comprises a suite of protocols. Each protocol provides functionality or services associated with a layer in the protocol stack. At the Application layer, the protocols provide user-level functionality. The Transport layer protocols serve as a transition point from the abstract, software-oriented services to the more hardware-oriented services. As the name implies, Transport layer protocols are responsible for delivering data to the appropriate process on the host computer. This work includes forming data packets and adding port numbers as well as establishing and maintaining connections between software services on remote machines. The most well-known Transport layer protocol is the Transmission Control Protocol, or TCP. It is so well known, in fact, that the entire Internet Protocol suite, TCP/IP, gets its name from the TCP protocol. Another well-known Transport layer protocol is User Datagram Protocol, or UDP. The next two layers perform the nuts and bolts functions for getting data from the source to the destination. The protocols running at the Internet layer route data from the source to its destination across one or more networks. Internet Protocols transport data as packets or datagrams. The Internet Protocol, or IP, is the most well-known protocol at this layer. The Network Access layer protocols provide methods and standards for physical connections, or links, from the host computer to adjacent network devices, or nodes. Network Access layer protocols also provide services that go beyond physical components. For example, the Address Resolution Protocol, or ARP, performs addressing functions. It allows you to use a network device's IP address to determine its hardware address. Let's take a closer look at the Application layer, which is the layer closest to the end user in both the OSI and the TCP/IP interoperability models. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 27. Topic title: Networking Basics. Screen title: Suite of T C P I P Protocols. Animation shows four text boxes forming a stack, starting with the bottom most Network Access, followed by Internet, Transport, and Application. The stack is labeled T C P I P model. Each stack is highlighted while bulleted text appears in support of audio. At the same time names of protocols and services appear on each stack. Application box shows D N S, F T P, H T T P, I MAP, POP, and I R C. Transport box shows T C P, U D P. Internet box shows I P. Network Access box shows A R P. Rollover text for each layer appears. Application box rollovers are D N S Domain Name System. F T P File Transfer Protocol. H T T P shows Hyper Text Transfer Protocol, I MAP Internet Message Access Protocol, POP Post Office Protocol. I R C Internet Relay Chat. Transport box rollovers are T C P Transmission Control protocol and U D P User Datagram Protocol. Internet box rollover is I P Internet Protocol. Network Access box rollover is A R P Address Resolution Protocol.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Application Layer</Title>
					<Subtitle/>
					<Filename>idsl3_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">In both the OSI and the TCP/IP models, the Application layer protocols provide user-level functionality to applications with which the end-user interacts, such as e-mail clients, Web browsers, chat clients, and others. Note that Application layer protocols provide services or functionality for applications with which the user interacts, not directly for the user. For example, a user interacts with their Web browser, which utilizes HTTP, an Application layer protocol that provides services to the Web browser. These protocols also provide services to Voice over Internet Protocol, or VoIP, and other client-to-client communication technologies and network shares, which are resources that can be accessed by remote computers. Application layer protocols include Domain Name System, or DNS; File Transfer Protocol, or FTP; HTTP; Internet Message Access Protocol, or IMAP; Post Office Protocol, or POP; and IRC; among others. Note that the protocols, services, and/or associated client software at this layer are often vulnerable to both client- and server-side attacks. Together, these protocols prepare data for being processed at the lower layers of the stack. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 27. Topic title: Networking Basics. Screen title: Application Layer. Image of T C P I P Model animates as four text boxes forming a stack, labeled from bottom to top Network Access, Internet, Transport, and Application. The Animation box is slightly separated from the stack in support of audio. Bulleted text appears. An image of a person using a computer appears with text V o I P network shares. Network shares rollover text displays Network shares, or shared resources, are devices or pieces of information that can be accessed and shared by remote computers. Examples include shared files, folders, printers, and scanners.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Internet Protocol (IP)</Title>
					<Subtitle/>
					<Filename>idsl3_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Internet Protocol, or IP, is a simple protocol running at the Internet layer. It is designed to route and carry data across networks, such as the Internet. IP relies on data from the upper layer protocols. Data from the upper layer protocols are encapsulated in packets, which are referred to as datagrams. The packets have two components: the packet header and the packet payload, or data. The IP packet header contains identifying information such as the IP version number and the source and destination addresses. The IP packet payload data is the essential data of the packet. It includes the Transport, or layer four, header (that is, TCP, UDP, and so on) along with data from the higher layer protocols (that is, HTTP, FTP, and so on). Internet Protocol underlies the mega network known as the Internet. Its services include defining addresses and routing packets across one or more IP networks. IP is considered a connectionless protocol in that it does not guarantee receipt of packets. There are two versions of IP in use today: IPv4 and IPv6. This course primarily refers to IPv4, but it also introduces IPv6. Select IPv4 and IPv6 to learn more about each version. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Internet Protocol (IP)</Title>
							<Subtitle/>
							<Filename>idsl3_09_01</Filename>
							<PageNbr>9</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The most widely deployed Internet Protocol version is IPv4, which is a system of addresses used to identify entities on a network. The IPv4 addressing protocol consists of a series of four sets of numbers that represent 32 bits of address data in a dotted quad format, such as 192.168.10.13. The dotted quad format is for human convenience; computers see only 32 bits as a binary expression. Using IPv4, the maximum number of total possible addresses is 4.3 billion. This amount corresponds to roughly 55 percent of the current global population. It is clear that the IPv4 address space will soon be exhausted and will no longer be able to provide unique identifiers for each entity connected to the Internet. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>I P v 4</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2. Popup title: I P v 4. Image of a computer appears with ones and zeroes next to it. Image of a person using a keyboard appears with text equals 32 bits. Text and bullet points appear.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Internet Protocol (IP)</Title>
							<Subtitle/>
							<Filename>idsl3_09_02</Filename>
							<PageNbr>9</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> To address the inevitable shortage of IPv4 addresses, IPv6 has been developed as the next generation IP protocol. The IPv6 protocol increases address size from 32 bits to 128 bits, which represents more than 3.4 times 10 to the 38th possible addresses. This is a phenomenally large number that allows billions of IP addresses, 340 undecillion addresses to be specific, which is a one followed by 36 zeroes. An IPv6 address is shown as eight hexadecimal blocks that are separated by colons. Each block contains 16 bits of IP address information. Note that groups of zeroes can be simplified to a single zero or omitted altogether. Currently, IPv6 is slowly gaining support. As later adopters of the Internet are largely being left out of the acquisition of IPv4 addresses, Asia and Africa are leading in IPv6 implementation. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>I P v 6</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2. Popup title: I P v 6. Image of a computer appears with ones and zeroes next to it. Text and bullet points appear.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 27. Topic title: Networking Basics. Screen title: Internet Protocol I P. Image of T C P I P Model animates as four text boxes forming a stack, labeled from bottom to top Network Access, Internet, Transport, and Application. The Internet box with I P on it is slightly separated from the stack in support of audio. Text boxes are highlighted. Animation of ones and zeroes coming from the Application and Transport boxes appears labeled datagram. Image splits and becomes two images, labeled header and payload. Bulleted text appears. Image of partial world globe appears with interconnecting lines and nodes. Additional text and bullet points appear. Text boxes I P v 4 and I P v 6 appear selectable as popups. Instructions appear to select each version of I P to learn more.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>IP Headers</Title>
					<Subtitle/>
					<Filename>idsl3_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Without information provided by IP headers, data could not get from its source to its destination. It would be like mailing a letter in a blank envelope. How would the letter arrive at the destination? Protocols rely on data packet header information in much the same way. Select IPv4 Header and IPv6 Header to learn more about each. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>IP Headers</Title>
							<Subtitle/>
							<Filename>idsl3_10_01</Filename>
							<PageNbr>10</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Let's take a closer look at the IPv4 header, which contains 12 required fields. The first field, Version, contains the version number, four, referring to IPv4. The Internet Header Length, or IHL, field specifies the header size. The Type of Service field specifies how to prioritize information on its way to its destination, for example, with a preference for low delay or high reliability. This field provides an opportunity to improve service quality by prioritizing packets en route to their destination, according to their use and purpose. The Total Length field identifies the entire datagram size, including header and data. The minimum datagram length is 20 bytes, and the maximum is 65,535. The Identification field provides a unique value for a packet or datagram. This value is typically used by devices, such as routers, to identify the fragments that belong to the same packet or datagram. The Flags field determines whether routers are allowed to fragment a packet into segments. If fragmentation is allowed, then this field also identifies parts of the packet for the receiver. The next field, Fragment Offset, helps to reconstruct a fragmented packet at the next router in the link. The receiving system uses this field to identify the place of the fragment in the original datagram. The Time to Live, or TTL, field may also be referred to as a hop count. It tracks the datagram's length of life, or the number of times the packet can hop, or be forwarded, from router to router. The value in this field can prevent the packet from endlessly traversing a network. The Protocol field identifies the next encapsulated protocol. The Header Checksum field protects the IPv4 header by identifying whether errors or data corruption occurred during transmission. The Source Address field provides the IP address of the original sender. The Destination Address field provides the IP address of the intended receiver.</Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>I P v 4 header</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2. Popup title: I P v 4 header. An image representing an I P v 4 header fields appears. Each field is highlighted in synch with audio. Text appears in support of audio. Rollover text for Version displays Version Contains the version number of the protocol. Internet header length rollover displays Specifies the header size. Type of Service rollover displays Specifies how to prioritize information on its way to its destination, for example, with a preference for low delay or high reliability. Total length rollover displays Identifies the entire datagram size, including header and data. The minimum datagram length is 20 bytes, and the maximum is 65 thousand 5 hundred 35. Identification rollover displays Provides a unique value for a packet or datagram. This value is typically used by devices, such as routers, to identify the fragments that belong to the same packet or datagram. Flags rollover displays Determines whether routers are allowed to fragment a packet into segments. If fragmentation is allowed, then this field also identifies parts of the packet for the receiver. Fragment Offset rollover displays Helps to reconstruct a fragmented packet at the next router in the link. The receiving system uses this field to identify the place of the fragment in the original datagram. T T L rollover displays The Time to Live field may also be referred to as a hop count. It tracks the datagram's length of life, or the number of times the packet can hop, or be forwarded, from router to router. The value in this field can prevent the packet from endlessly traversing a network. The protocol rollover displays Identifies the next encapsulated protocol. The header checksum rollover displays Protects the I P v 4 header by identifying whether errors or data corruption occurred during transmission. 
The source address rollover displays Provides the I P address of the original sender. The destination address rollover displays Provides the I P address of the intended receiver.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>IP Headers</Title>
							<Subtitle/>
							<Filename>idsl3_10_02</Filename>
							<PageNbr>10</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The IPv6 header comprises eight required fields. The Version field indicates the IP protocol version number, six, or IPv6. The Traffic Class, or Packet Priority, field differentiates packets according to priority. The Flow Label is new in IPv6. It labels a set of packets with the same origin and destination, or flow, thus allowing IPv6 routers to handle packets with the same flow in the same way. The Payload Length field specifies the length of the packet's data or payload. The Next Header field identifies the first field of the packet data, or payload, which immediately follows the packet header. This field usually indicates the packet's Transport layer protocol. Hop Limit specifies the number of possible times a packet may hop, or be forwarded, from router to router. This field helps to identify any routing errors that can lead to packets getting stuck in infinite loops. The maximum hop limit in IPv6 is 255. The Source Address in IPv6 is 128 bits. It contains the IPv6 address of the originating packet. The Destination Address is also 128 bits, and it contains the IPv6 address of the intended recipient of the packet. Let's compare the IPv4 header with the IPv6 header. The IPv6 header is twice as long as the IPv4 header. Generally, the IPv6 header is simpler. Certain fields in the IPv4 header no longer appear in the IPv6 header. The IPv6 header has a fixed length, so the IHL field is unnecessary. Fragmentation is handled very differently in IPv6, so the information in the Identification, Flags, and Fragment Offset fields is contained in a separate header. The Header Checksum field has been removed from the IPv6 header. And some fields have been renamed in IPv6. IPv4's Type of Service is called Traffic Class or Packet Priority in IPv6. This field identifies packets that belong to the same traffic class and distinguishes between packets that have different priorities. The Total Length field in IPv4 is called Payload Length in IPv6. 
The Protocol field in IPv4 is called Next Header field in IPv6. The Source Address and Destination Address fields are the same in both IPv4 and IPv6, except that the fields in IPv6 are four times longer. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>I P v 6 header</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2. Popup title: I P v 6 header. An image representing an I P v 6 header fields appears. Each field is highlighted in synch with audio. Text appears in support of audio. Rollover for Version displays Contains the version number of the protocol, which is six, or I P v 6. Traffic class rollover displays Differentiates packets according to priority also called Packet Priority field. Rollover for Flow Label displays New in IPv6. It labels a set of packets with the same origin and destination, or flow, thus allowing IPv6 routers to handle packets with the same flow in the same way. Payload length rollover displays Specifies the length of the packet's data or payload. Next header rollover displays Identifies the first field of the packet data, or payload, which immediately follows the packet header. This field usually indicates the packet's Transport layer protocol. Hop limit rollover displays Specifies the number of possible times a packet may hop, or be forwarded, from router to router. This field helps to identify any routing errors that can lead to packets getting stuck in infinite loops. The maximum hop limit in I P v 6 is 2 55. Source address rollover displays Contains the I P v 6 address of the originating packet. Destination address rollover displays Contains the I P v 6 address of the intended recipient of the packet.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 27. Topic title: Networking Basics. Screen title: I P Headers. Image of T C P I P Model animates as four text boxes forming a stack, labeled from bottom to top Network Access, Internet, Transport, and Application. The Internet box with I P on it appears slightly separated for emphasis. Animation shows a letter without an address on it going into a mailbox. T C P I P model image disappears and images labeled I P v 4 header and I P v 6 header appear. Images highlight each header's data fields in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl3_11</Filename>
					<PageNbr>11</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>550</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>The most widely deployed Internet Protocol (IP) version.</Txt>
							<Response valid="true">
								<Txt>IPv4</Txt>
							</Response>
							<Response>
								<Txt>IPv6</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. IPv4 is the most widely deployed Internet Protocol (IP) version.</DfltCorrect>
								<DfltIncorrect>Incorrect. IPv4 is the most widely deployed Internet Protocol (IP) version.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Contains 128 bits of address data, representing more than 3.4 x 10&lt;font face=&quot;GG Superscript Sans&quot;&gt;38&lt;/font&gt; possible addresses.</Txt>
							<Response>
								<Txt>IPv4</Txt>
							</Response>
							<Response valid="true">
								<Txt>IPv6</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. IPv6 contains 128 bits of address data, representing more than 3.4 x 10&lt;font face=&quot;GG Superscript Sans&quot;&gt;38&lt;/font&gt; possible addresses.</DfltCorrect>
								<DfltIncorrect>Incorrect. IPv6 contains 128 bits of address data, representing more than 3.4 x 10&lt;font face=&quot;GG Superscript Sans&quot;&gt;38&lt;/font&gt; possible addresses.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Has a simplified packet header.</Txt>
							<Response>
								<Txt>IPv4</Txt>
							</Response>
							<Response valid="true">
								<Txt>IPv6</Txt>
							</Response>	
							<Feedback>
								<DfltCorrect>Correct. IPv6 has a simplified packet header.</DfltCorrect>
								<DfltIncorrect>Incorrect. IPv6 has a simplified packet header.</DfltIncorrect>
							</Feedback>							
						</Question>
						<Question qType="MC">
							<Txt>Packet fragment information is included in the header.</Txt>
							<Response valid="true">
								<Txt>IPv4</Txt>
							</Response>
							<Response>
								<Txt>IPv6</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. Packet fragment information is included in the IPv4 header.</DfltCorrect>
								<DfltIncorrect>Incorrect. Packet fragment information is included in the IPv4 header.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Address space will be exhausted in the near future.</Txt>
							<Response valid="true">
								<Txt>IPv4</Txt>
							</Response>
							<Response>
								<Txt>IPv6</Txt>
							</Response>	
							<Feedback>
								<DfltCorrect>Correct. IPv4 address space will be exhausted in the near future.</DfltCorrect>
								<DfltIncorrect>Incorrect. IPv4 address space will be exhausted in the near future.</DfltIncorrect>
							</Feedback>							
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of IPv4 and IPv6. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 11 of 27. Topic title: Networking Basics. Screen title: Knowledge Check. This knowledge check presents five statements. For each statement there are two possible answers, I P v 4 or I P v 6. Use the down arrow key to move through the statements and answer options. Use the enter key to make your selections.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Internet Control Message Protocol (ICMP)</Title>
					<Subtitle/>
					<Filename>idsl3_12</Filename>
					<PageNbr>12</PageNbr>
					<ShowText>
						<Txt frameNbr="1">IP is a simple protocol. It needs other protocols to perform certain tasks. For example, the Internet Control Message Protocol, or ICMP, is one of IP's helpers. In certain situations, without ICMP, IP would simply fail. ICMP helps by providing error and informational messages. The most common ICMP application is the ping utility. Ping uses ICMP to test whether a network node is up or down through a method of requests and replies. ICMP protocol services are essential when servers are down, services are closed, or links require fragmentation of large packets. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 27. Topic title: Networking Basics. Screen title: Internet Control Message Protocol I C M P. Image of T C P I P Model animates as a four text boxes forming a stack, labeled from bottom to top Network Access, Internet, Transport, and Application. The internet box separates slightly from the stack. Text and bullet points appear. Rollover for I C M P displays Internet Control Message Protocol.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Transmission Control Protocol (TCP)</Title>
					<Subtitle/>
					<Filename>idsl3_13</Filename>
					<PageNbr>13</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Just as IP, at the Internet layer, is responsible for communications between computers, TCP, at the Transport layer, is responsible for communications between applications. The other difference is that TCP allows for reliable data delivery over a network. TCP relies on a three-way handshake that goes like this: First, a Web server listens on TCP port 80. Second, a client wishes to synchronize with the Web server and sends a synchronize, or SYN, packet to port 80 on the server. The server then synchronizes with the client and sends a synchronize/acknowledge, or SYN/ACK, packet to acknowledge the client's SYN. Third, the client completes the handshake by acknowledging the server's SYN/ACK packet with an acknowledge, or ACK, packet sent to the server. This three-way handshake enables TCP to provide full-duplex communication, which is like a conversation in which both parties can speak at the same time. Other features of TCP include the ability to detect missing packets and the ability to resequence packets that arrive out of order. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 13 of 27. Topic title: Networking Basics. Screen title: Transmission Control Protocol T C P. Image of T C P I P Model animates as four text boxes forming a stack, labeled from bottom to top Network Access, Internet, Transport, and Application. First the internet box separates slightly from the stack, then emphasis switches to the transport box which separates from the stack. Text and bullet points appear. Computer images labeled client and web server appear. Web server and client computer images display callouts and arrows animate between the two images in support of audio. Additional text and bullet points appear.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>User Datagram Protocol (UDP)</Title>
					<Subtitle/>
					<Filename>idsl3_14</Filename>
					<PageNbr>14</PageNbr>
					<ShowText>
						<Txt frameNbr="1">User Datagram Protocol, or UDP, is a simple alternative to the TCP protocol. UDP sends datagrams, or simple messages with small headers, to other IP hosts. Unlike the reliable TCP protocol, UDP is not reliable; that is, it is connectionless. It does not check the order of packet sequences or whether a packet reached its destination. UDP is useful for applications that need fast network transmission but can handle some packet or data loss, such as streaming audio and video, query and response services like DNS, or applications that implement their own state management protocols, such as online games. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 14 of 27. Topic title: Networking Basics. Screen title: User Datagram Protocol U D P. Image of T C P I P Model animates as four text boxes forming a stack, labeled from bottom to top Network Access, Internet, Transport, and Application. The transport box separates slightly from the stack. Text and bullet points appear.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl3_15</Filename>
					<PageNbr>15</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>550</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Connectionless protocol for fast transmissions tolerant of some packet loss</Txt>
							<Response>
								<Txt>IP</Txt>
							</Response>
							<Response>
								<Txt>TCP</Txt>
							</Response>
							<Response valid="true">
								<Txt>UDP</Txt>
							</Response>
							<Response>
								<Txt>ICMP</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. User Datagram Protocol (UDP) is a connectionless protocol for fast transmissions tolerant of some packet loss. It is useful for video and audio streaming.</DfltCorrect>
								<DfltIncorrect>Incorrect. User Datagram Protocol (UDP) is a connectionless protocol for fast transmissions tolerant of some packet loss. It is useful for video and audio streaming.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Simple protocol designed to carry data across networks</Txt>
							<Response valid="true">
								<Txt>IP</Txt>
							</Response>
							<Response>
								<Txt>TCP</Txt>
							</Response>
							<Response>
								<Txt>UDP</Txt>
							</Response>
							<Response>
								<Txt>ICMP</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Internet Protocol (IP) is a simple protocol designed to carry data across networks.</DfltCorrect>
								<DfltIncorrect>Incorrect. Internet Protocol (IP) is a simple protocol designed to carry data across networks.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Protocol with slower but more reliable transmissions</Txt>
							<Response>
								<Txt>IP</Txt>
							</Response>
							<Response valid="true">
								<Txt>TCP</Txt>
							</Response>
							<Response>
								<Txt>UDP</Txt>
							</Response>
							<Response>
								<Txt>ICMP</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The Transmission Control Protocol (TCP) has slower transmissions due to the overhead required for reliable transmissions.</DfltCorrect>
								<DfltIncorrect>Incorrect. The Transmission Control Protocol (TCP) has slower transmissions due to the overhead required for reliable transmissions.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Helper protocol for IP</Txt>
							<Response>
								<Txt>IP</Txt>
							</Response>
							<Response>
								<Txt>TCP</Txt>
							</Response>
							<Response>
								<Txt>UDP</Txt>
							</Response>
							<Response valid="true">
								<Txt>ICMP</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Internet Control Message Protocol (ICMP) is a helper protocol for IP. The most common application of ICMP is ping.</DfltCorrect>
								<DfltIncorrect>Incorrect. Internet Control Message Protocol (ICMP) is a helper protocol for IP. The most common application of ICMP is ping.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of different TCP/IP protocols. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 15 of 27. Topic title: Networking Basics. Screen title: Knowledge Check. This knowledge check presents four statements. For each statement there are four possible answers, I P, T C P, U D P, and I C M P. Use the down arrow key to move through the statements and answer options. Use the enter key to make your selections.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Data Packets</Title>
					<Subtitle/>
					<Filename>idsl3_16</Filename>
					<PageNbr>16</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Everything on the Internet, such as e-mail, files, audio, and video, is sent and received as a set of individual data packets. Every data file is broken into smaller data packets, which are the smallest building blocks of information on networks. The typical data packet ranges from 1,000 to 1,500 bytes. Each packet contains a header and the payload it needs to reach its destination, where it is reassembled into the original file. The TCP header provides the source and destination ports, knows which network application to send the packet to, and provides a sequence number for putting the packets back into the correct order. IP adds a header to the packet that contains the source and destination IP addresses, among other information. IP uses the term packet, but different protocols may use their own names. For example, the UDP protocol uses the term datagram instead of packet. There is a lot of information in the TCP/IP packet headers. Source and destination IP addresses and ports are the fields most important for the analyst monitoring the security of a network. Select sections of the data packet to learn more about each one. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 16 of 27. Topic title: Networking Basics. Screen title: Data Packets. Image of an individual data packet appears. Image of a document with a gear on it appears. Animation shows small versions of the data packet image coming out of the document, and combining into one image that merges with the individual data packet image. Text appears. Portions of the data packet are highlighted and appear as sub images in support of audio. Instructions appear to select each data packet section to learn more. Sections include header of packet and data link, I P packet, U D P datagram, T C P packet, U D P datagram, and data and C R C.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>RFC 1918 Addresses</Title>
					<Subtitle/>
					<Filename>idsl3_17</Filename>
					<PageNbr>17</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The exponential growth of the Internet poses a unique challenge concerning IP addressing: It is causing a global shortage of unique IP addresses. This challenge is being addressed by IPv6 which, as discussed earlier, uses a 128-bit address scheme to increase the number of available addresses. But before IPv6, the concept of private address space was established. The private addressing effort is documented in the Request for Comments, or RFC, number 1918, which sets the standards for blocks of private network addresses that are referred to as RFC 1918 addresses. These addresses make up non-publicly routable IP address space for use on private networks, which means that these addresses are for internal use only and are not routed on the Internet. In RFC 1918, the Internet Engineering Task Force, or IETF, directed the Internet Assigned Numbers Authority, or IANA, to reserve three blocks, or ranges, of IPv4 addresses for private networks. These include a 16-bit block for all IPs from 192.168.0.0 to 192.168.255.255, a 20-bit block for all IPs from 172.16.0.0 to 172.31.255.255, and a 24-bit block for all IPs from 10.0.0.0 to 10.255.255.255. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 17 of 27. Topic title: Networking Basics. Screen title: R F C 19 18 Addresses. Image of world globe appears with interconnected lines. Text and bullet points appear in support of audio. Rollover text for R F C displays Request for Comments. Rollover text for I anna displays Internet Assigned Numbers Authority.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Ports, Protocols, and Services</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Network Ports and Port Ranges</Title>
					<Subtitle/>
					<Filename>idsl3_18</Filename>
					<PageNbr>18</PageNbr>
					<ShowText>
						<Txt frameNbr="1">For communication between systems, an IP address is not enough. The IP address must be accompanied by a port number. The IP address and port number go together like a telephone number and its extension number. To reach someone in an office that uses extension numbers, you would need both the main number and the extension to call the person. A network port identifies the application or service to be used for receiving the data packet. Without the port number, the message will not be properly received or processed. Applications listen on specific ports associated with the application or service, based on convention. For example, two commonly known ports and services are TCP/UDP port 53 for DNS services and TCP port 80 for HTTP. Port numbers are commonly described as either well-known ports or ephemeral ports. Select each port range to learn more about it. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Network Ports and Port Ranges</Title>
							<Subtitle/>
							<Filename>idsl3_18_01</Filename>
							<PageNbr>18</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The Well Known ports are assigned by IANA and specified in RFC 1700. The Well Known ports range from 0 through 1023. These ports are reserved for system and/or root processes and applications with the required privileges. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Well Known</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2. Popup title: Well Known. Text and bullet points appear. Rollover for Well Known displays Common Well Known Port Numbers. Port number Description 21  File Transfer Protocol F T P. 22 Secure Shell S S H. 23 Terminal Emulation Over a Network Telnet. 25 Simple Mail Transfer Protocol S M T P.  53 Domain Name System D N S. 80 Hypertext Transfer Protocol H T T P. 137-139 Net Bye OSe. 443 S S  L H T T P S. 4 45. Server Message Block S M B.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Network Ports and Port Ranges</Title>
							<Subtitle/>
							<Filename>idsl3_18_02</Filename>
							<PageNbr>18</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The Ephemeral ports are a range of port numbers reserved by the IANA for short-lived or temporary use. Ephemeral port numbers range from 1024 through 65,535. These ports are reserved for use by the client end of client-server communications. The Ephemeral port is used only for the duration of the connection. Once the communication session is completed, the Ephemeral port again becomes available for use by other clients. Any client can use any Ephemeral port. But clients must specify a port number to connect with the server. However, if the client does not have a socket bound to a specific port, its IP stack assigns an Ephemeral port. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Ephemeral</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2. Popup title: Ephemeral. Text and bullet points appear. Rollover for socket displays A socket is the combination of an IP address and a port.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 18 of 27. Topic title: Ports, Protocols, and Services. Screen title: Network Ports and Port Ranges. Text and bullet points appear. Instructions appear to Select each port range Ephemeral and Well Known to learn about it.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Network Sockets</Title>
					<Subtitle/>
					<Filename>idsl3_19</Filename>
					<PageNbr>19</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Individually, the IP address and the port number still do not provide enough information for a message to reach and be usable by the destination system. In order to deliver incoming data packets to the appropriate application process, the IP address and port number must be combined into a single expression called a network socket. A network socket is the combination of an IP address and a port number. A network socket may also be the combination of a host name and a port, such as www.yourwebsite.com:80. In this case DNS would resolve www.yourwebsite.com to an IP address. A connection between a source IP address and source port, and a destination IP address and a destination port, is called a socket pair. A socket pair describes a unique connection on a network. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 19 of 27. Topic title: Ports, Protocols, and Services. Screen title: Network Sockets. Image of computer work station appears with a router image next to it. An animation shows 10 dot 2 3 6 dot 2 dot 4 traveling a round about path to the router but being blocked by text saying not enough in foe. Text displays 10 dot 2 3 6 dot 2 dot 4 colon 80. Animation shows this text and the blocked characters moving smoothly to the router. Additional text appears in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>What is a NAT?</Title>
					<Subtitle/>
					<Filename>idsl3_20</Filename>
					<PageNbr>20</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Network address translation, or NAT, is an Internet standard that allows a device, such as a computer designated for NAT or a firewall, to serve as an intermediary between the Internet and a local network. This standard was developed in the mid-1990s to address the shortage of IPv4 addresses. The NAT allows a group of private IP addresses, that is, RFC 1918 addresses, to hide behind one IP address, often a public one. Most private networks use NAT to connect to the Internet. The most common use of NAT is through port address translation, or PAT. As the name implies, PAT translates both the IP address and the port number. Let's look at an example of a typical small office or home office router. In our example, the Juniper SSG 5 is our NAT device. Assume the digital subscriber line, or DSL, provider gives a user a public IP address of 200.100.50.25, and the user has two laptops that share this IP address. The router uses NAT to translate 192.168.1.100 to 200.100.50.25. The router interface 0/0 is the public interface. All other interfaces are private. The router's internal interface is at 192.168.1.1. The router runs a Dynamic Host Configuration Protocol, or DHCP, server, serving addresses from 192.168.1.100 to 192.168.1.254. All internal hosts use NATing to translate to 200.100.50.25 when connecting to the Internet. Assume that both laptops connect to a web server at 4.4.4.4 over port 80 and that they share the same public source IP address and the same destination IP address and port. How does the router keep the connections separate? The answer is that the router uses socket pairs to keep the connections separate. The router remaps the connections using a many-to-one NAT, which is also called PAT: 192.168.1.100:1025 -&gt; 4.4.4.4:80, which maps to 200.100.50.25:1030 -&gt; 4.4.4.4:80; and 192.168.1.101:1025 -&gt; 4.4.4.4:80, which maps to 200.100.50.25:1031 -&gt; 4.4.4.4:80. These socket pairs are unique on both the private and public sides. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 20 of 27. Topic title: Ports, Protocols, and Services. Screen title: What is a NAT? Images appear of a nat device, internet cloud, and three workstations connected to a server which is connected to another workstation. Text and bullet points appear in support of audio. The text Small office slash home office router example appears. A larger image of a NAT device appears with several ports. An arrow labeled 2 hundred dot 1 hundred dot 50 dot 25 goes from port to an internet cloud image labeled untrusted. An arrow labeled 1 9 2 dot 1 6 8 dot 1 dot 100 goes from another port  to a laptop image. And an arrow labeled 1 9 2 dot 1 6 8 dot 1 dot 1 0 1 goes from another port  to a laptop image.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl3_21</Filename>
					<PageNbr>21</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>600</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>The Application layer provides service-to-service communications and interacts directly with user applications and programs.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. The Application layer provides service-to-service communications and interacts directly with user applications and programs.</DfltCorrect>
								<DfltIncorrect>Incorrect. The Application layer provides service-to-service communications and interacts directly with user applications and programs.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Application layer ports such as DNS and HTTP are not specific to applications and services.</Txt>
							<Response>
								<Txt>True</Txt>
							</Response>
							<Response valid="true">
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. Application layer ports such as DNS and HTTP are not specific to applications and services.</DfltCorrect>
								<DfltIncorrect>Incorrect. Application layer ports such as DNS and HTTP are not specific to applications and services.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>The Ephemeral port range is used for random and temporary port allocations.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. Ephemeral ports are allocated randomly, lasting only for the duration of the communication session.</DfltCorrect>
								<DfltIncorrect>Incorrect. Ephemeral ports are allocated randomly, lasting only for the duration of the communication session.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Sockets are the combination of an IP address and a port.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. Sockets are the combination of an IP address and a port.</DfltCorrect>
								<DfltIncorrect>Incorrect. Sockets are the combination of an IP address and a port.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>NAT is often used to translate private IP addresses into a public IP address for homes and offices.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. A NAT is commonly used to translate private IP addresses into a public IP address for homes and offices.</DfltCorrect>
								<DfltIncorrect>Incorrect. A NAT is commonly used to translate private IP addresses into a public IP address for homes and offices.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of ports, port ranges, and sockets. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 21 of 27. Topic title: Networking Basics. Screen title: Knowledge Check. This knowledge check presents four statements. For each statement there are four possible answers, I P, T C P, U D P, and I C M P. Use the down arrow key to move through the statements and answer options. Use the enter key to make your selections.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Common Protocols and Services</Title>
					<Subtitle/>
					<Filename>idsl3_22</Filename>
					<PageNbr>22</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Let's take a look at a few common application layer protocols and services that make up the models of interoperability. Remember that a protocol defines the format of data sent to another system, including syntax, message sequencing, and character sets. A service is a process, program, or routine that usually starts automatically and provides basic functions to other processes. Before you can identify potentially malicious communications, it is important to recognize common networking protocols and services. Select each highlighted protocol or service to learn more about it. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Common Protocols and Services</Title>
							<Subtitle/>
							<Filename>idsl3_22_01</Filename>
							<PageNbr>22</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The File Transfer Protocol, or FTP, is a protocol used to exchange files across TCP networks. The process works something like this: The server opens port 21 and listens for inbound connections. The client connects to port 21 to initiate file transfer operations. FTP uses two parallel connections: one for command and control, and the second for data transport. FTP servers transfer usernames and passwords in plain text. However, some FTP servers allow anonymous FTP access. In this case, users log into the service with an anonymous account when prompted for a username. The server could then be used to host malicious or illicit content. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>F T P</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 12. Popup title: F T P. Text and bullet points appear in support of audio. Images of three connected workstations, an internet cloud, and another group of connected workstations appear. An animated line connects one network to the other through the internet cloud. Rollover for F T P displays File Transfer Protocol.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Common Protocols and Services</Title>
							<Subtitle/>
							<Filename>idsl3_22_04</Filename>
							<PageNbr>22</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Secure Shell, or SSH, is a network protocol that allows data to be exchanged by two computers over a secure channel. SSH provides encryption, as it was designed to provide a secure alternative to Telnet and other remote-access services that send information such as passwords and usernames. Because version one of SSH is susceptible to man-in-the-middle attacks, where messages are intercepted by the attacker, version two is recommended. SSH can circumvent network security designs via tunneling. Tunneling is when SSH tunnels are set up to transfer data through an encrypted channel. When using SSH, beware of password brute-force attacks, which involve systematically searching for user passwords to hack into a system. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>S S H</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 12. Popup title: S S H. Text and bullet points appear in support of audio. Rollover for S S H displays Secure Shell. Rollover for encryption displays The process of changing plaintext unencrypted information into ciphertext data in its encrypted form for the purpose of security or privacy. Source: C N S S Instruction Number 4 0 0 9. Rollover for man in the middle attack displays An attacker intercepts communications between two systems and makes independent connections with each to masquerade as the end point for the other. The goal is to inject false information or data.</ContentDescription></Sec508Data></Popup>						
						<Popup>
							<Title>Common Protocols and Services</Title>
							<Subtitle/>
							<Filename>idsl3_22_03</Filename>
							<PageNbr>22</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Terminal emulation over a network, or Telnet, is a client-server protocol that allows users to remotely log on to, and access the command line of, another computer on a TCP network. Telnet is commonly used for firewall or router administration. Telnet is vulnerable in that all data, including usernames and passwords, are sent in clear text. In addition, default Telnet servers may use well-known or blank usernames and/or passwords. Telnet is inherently insecure, and Secure Shell, or SSH, should be used in most cases where Telnet is a consideration. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Telnet</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 12. Popup title: Telnet. Text and bullet points appear in support of audio. An image of ones and zeroes and the word Telnet appears. A null sign overlays Telnet in support of audio. Rollover for Telnet displays Terminal Emulation over a Network.</ContentDescription></Sec508Data></Popup>						
						<Popup>
							<Title>Common Protocols and Services</Title>
							<Subtitle/>
							<Filename>idsl3_22_05</Filename>
							<PageNbr>22</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Simple Mail Transfer Protocol, or SMTP, is a protocol for sending and receiving mail messages. Clients typically use SMTP to send messages to mail servers. Other protocols are used for retrieving e-mail by the receiving mail client. SMTP is designed to trust senders; it simply relays all incoming messages, does not have the ability to authenticate senders, and does not perform access control. All access control and authentication must be done at the server level. As a result, SMTP servers tend to be overloaded and are highly susceptible to denial of service, or DoS, attacks, which are attempts to bring down servers by deliberately flooding the servers with messages. Spammers use SMTP to forward mass mailings of unwanted e-mail. Standard SMTP commands can be exploited to reveal information about the server or the user mail accounts. SMTP accounts are prime candidates for pivoting, a technique for using an initial foothold on a network to further compromise the network. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
							<Sec508TriggerName>S M T P</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 4 of 12. Popup title: S M T P. Text and bullet points appear in support of audio. Rollover text displays S M T P Simple Mail Transfer Protocol. Encryption is The process of changing plaintext or unencrypted information into cipher text  or data in its encrypted form for the purpose of security or privacy. Source: C N S S Instruction No. 4 0 0 9. Man in the Middle Attack. An attacker intercepts communications between two systems and makes independent connections with each to masquerade as the end point for the other.  The goal is to inject false information or data.</ContentDescription></Sec508Data></Popup>												
						<Popup>
							<Title>Common Protocols and Services</Title>
							<Subtitle/>
							<Filename>idsl3_22_07</Filename>
							<PageNbr>22</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Domain Name System, or DNS, translates domain, or host, names, which are generally intended to be user-friendly, into IP addresses, which are numerical. Without DNS, people would have to type strings of numbers, IP addresses, instead of words to access Web pages or send emails. DNS is vulnerable to DNS cache poisoning, in which the attacker tricks the DNS server into thinking it has received data from an authoritative DNS resource. When a DNS cache is poisoned, incorrect information is provided to client machines. The misinformation is then used to redirect users to a Web site of the attacker's choosing or to block the gateway access to the Internet. DNS is also vulnerable to hijacking, in which the goal is to control some aspect of the DNS name space. The attacker can achieve this goal by compromising an upstream name server or creating a counterfeit name server. Similar to DNS cache poisoning, DNS hijacking can be combined with fake or phishing Web sites.</Txt>
								<Txt frameNbr="1"/>
							</ShowText>
							<Sec508TriggerName>D N S</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 5 of 12. Popup title: D N S. Text and bullet points appear in support of audio. Rollover for D N S displays Domain Name Service. Rollover for phishing displays Phishing is a type of social engineering that uses e mail or a Web site to trick users into disclosing personal or sensitive information, such as credit card numbers, bank account information, Social Security numbers, or passwords.</ContentDescription></Sec508Data></Popup>							
						<Popup>
							<Title>Common Protocols and Services</Title>
							<Subtitle/>
							<Filename>idsl3_22_02</Filename>
							<PageNbr>22</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The Trivial File Transfer Protocol, or TFTP, is a very simple version of FTP. However, TFTP does not use a username or password, has no directory structure, and does not provide encryption. TFTP runs on Windows and Linux/Unix. It uses UDP port 69. TFTP files are read or written from one base directory, and the syntax for TFTP usage is straightforward. Attackers often use a built-in TFTP client on a victim's system to download additional malware. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>T F T P</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 6 of 12. Popup title: T F T P. Text and bullet points appear in support of audio. Images of three connected workstations, an internet cloud, and another group of connected workstations appear. An animated line connects one network to the other through the internet cloud. Rollover for T F T P displays Trivial File Transfer Protocol.</ContentDescription></Sec508Data></Popup>						
						<Popup>
							<Title>Common Protocols and Services</Title>
							<Subtitle/>
							<Filename>idsl3_22_08</Filename>
							<PageNbr>22</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The Hypertext Transfer Protocol, commonly known as HTTP, is the underlying protocol of the World Wide Web. It determines how servers, clients, and browsers communicate, and it defines the format and transmission of messages. Web servers are consistently one of the top ten targeted ports according to trend analysis. A number of factors make Internet Web servers a frequent target for attackers. They provide a public presence for organizations on the Web. They serve as front ends to back-end databases and custom applications. And they are an excellent conduit for attackers to mount application-level attacks. Several other factors also contribute to making Web servers a sought-after target. First, the code for Web-based hacking is readily available for hackers to exploit. There is widespread proliferation of worms and trojans, such as Nimda and Code Red, which are still active on the Internet years later. Second, hackers can use HTTP commands to manipulate server, client, or back-end resources. For example, GET, PUT, and POST are particularly exploited HTTP commands. And finally, HTTP header fields can be easily manipulated to gain authentication credentials. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
							<Sec508TriggerName>H T T P</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 7 of 12. Popup title: H T T P. Text and bullet points appear in support of audio. Rollover for H T T P displays Hyper text Transfer Protocol. Rollover text for Phishing displays Phishing is a type of social engineering that uses e-mail or a Web site to trick users into disclosing personal or sensitive information, such as credit card numbers, bank account information, Social Security numbers, or passwords.</ContentDescription></Sec508Data></Popup>						
						<Popup>
							<Title>Common Protocols and Services</Title>
							<Subtitle/>
							<Filename>idsl3_22_09</Filename>
							<PageNbr>22</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Remote Procedure Calls, or RPC, over port 135, are a mechanism that allows a program on one computer, the client, to execute code on a remote system, the server, without the programmer having to write specific code for the remote communication. RPC is initiated at the client computer, which sends a request to the network server, where a vital part of RPC, called RPC endpoint mapping, occurs. RPC endpoint mapping refers to how the server listens for incoming client requests and maps each request to its destination server process. To do this, an endpoint mapper, or EPM, resides on the receiving server. The EPM assigns and tracks the port numbers of all of its clients' services. Whenever a service starts, it registers with the EPM and requests a port number. The EPM assigns a port number, which changes every time the service starts up. When the EPM receives an RPC client request, it provides the client with the port number for the requested service. RPC is one of the most targeted services by attackers. RPC endpoint mapping is exploited by Blaster and Nachi worms. And well-known rootkits, which are software kits that help hackers to hide their intrusions, use ports to download malware. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
							<Sec508TriggerName>R P C Endpoint Mapping</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 8 of 12. Popup title: R P C Endpoint Mapping. Text and bullet points appear in support of audio. Rollover text displays R P C Remote Procedure Call and E P M endpoint mapping.</ContentDescription></Sec508Data></Popup>						
						<Popup>
							<Title>Common Protocols and Services</Title>
							<Subtitle/>
							<Filename>idsl3_22_10</Filename>
							<PageNbr>22</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The Network Basic Input/Output System, or NetBIOS, is a Windows-based application programming interface, or API, that allows applications on different machines to communicate via a local area network, or LAN. NetBIOS provides three distinct services: name service for registration and resolution on port 137; file sharing support for connectionless communication on port 138; and support for connection-oriented communication on port 139. The default settings in NetBIOS create a security risk. Querying ports can be used to footprint a machine. And shared folders can lead to unauthorized dissemination of data. Conficker, the most widespread worm since 2003, exploited vulnerabilities in NetBIOS.</Txt>
								<Txt frameNbr="1"/>
							</ShowText>
							<Sec508TriggerName>Net Biose</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 9 of 12. Popup title: Net Biose. Text and bullet points appear in support of audio. Rollover text displays Net Biose Network Basic Input slash Output System. Footprint is A method to discover what software, applications, and services are on a targeted machine or device. And A P I Application programming interface is an interface that allows software programs to interact with each other.</ContentDescription></Sec508Data></Popup>						
						<Popup>
							<Title>Common Protocols and Services</Title>
							<Subtitle/>
							<Filename>idsl3_22_06</Filename>
							<PageNbr>22</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Post Office Protocol, or POP, and Internet Message Access Protocol, or IMAP, are services used by clients to retrieve e-mail from servers. Of these two services, POP is the more common service. The main difference between these services is that when retrieving e-mail, POP, by default, downloads the e-mail to the client's machine and deletes it from the server. IMAP, on the other hand, keeps the e-mail on the server of the Internet service provider, or ISP. Both services have vulnerabilities. They both allow buffer overflows, where specially crafted packets cause a program to overrun its buffer boundary. This can cause the program to behave irregularly, produce errors, and even crash. Both protocols also may allow attackers to remotely execute malicious code or cause a denial of service attack against the mail client process, two exploits that could give the attacker root access to the system. Neither service encrypts transmissions, and usernames and passwords are transmitted in clear text. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
							<Sec508TriggerName>POP and I Map</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 10 of 12. Popup title: POP and I Map. Text and bullet points appear in support of audio. Rollover text displays POP Post Office Protocol. I Map Internet Message Access Protocol. Application programming interface is an interface that allows software programs to interact with each other. Footprint is a method to discover what software, applications, and services are on a targeted machine or device.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Common Protocols and Services</Title>
							<Subtitle/>
							<Filename>idsl3_22_11</Filename>
							<PageNbr>22</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Server Message Block, or SMB, is a protocol and service that allows network devices to share files. SMB over TCP on port 445 replaced NetBIOS on post-Windows NT operating systems. SMB is another commonly attacked service exploited by the worms Nimda and Sasser, which are based on NetBIOS. SMB is also vulnerable to attacks that remotely execute code on a network device. These kinds of attacks may attempt to compromise and commandeer the victim machine; use SMB as a way to change attack strategies, including pivoting; or incorporate the machine as part of a botnet. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>S M B</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 11 of 12. Popup title: S M B. Text and bullet points appear in support of audio. Rollover text displays S M B Server Message Block. Botnet. A bot refers to malicious code that is installed on a computer to take command and control of the computer for the attacker's own purposes. The controlled computer becomes a zombie, or member of a botnet, which can be used to steal data, host malicious content, and launch other attacks, including worms and viruses, to send spam. Advanced bots can be programmed to, among other things, look through a Web cam, listen to a microphone, log key strokes, and capture screen shots. Botnets are collections of bots controlled by a bot herder.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Common Protocols and Services</Title>
							<Subtitle/>
							<Filename>idsl3_22_12</Filename>
							<PageNbr>22</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The Internet Relay Chat, commonly known as IRC, is a multi-user multi-channel chat system that is neither client nor network specific. IRC allows one or more individuals or groups of people to send and receive messages in real time via the IRC servers and channel to which they are connected. Examples of IRC include instant messaging, or IM, chat rooms, and virtual meeting places. IRC services are regularly used for legitimate purposes but are often used by attackers as a C2 network for botnets and to host malware. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>I R C</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 12 of 12. Popup title: I R C. Text and bullet points appear in support of audio. Image of a part of a world globe appears with animations of lines connecting workstations located around the globe. Rollover for I R C displays Internet Relay Chat.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 22 of 27. Topic title: Networking Basics. Screen title: Common Protocols and Services. Text appears in support of audio. A list of protocols and or services appears with associated ports and protocols. F T P service port 21 and 22 protocol T C P. S S H service port 22 protocol t c p u d p. Telnet service port 23 port t c p. S M T P mail service port 25 t c p protocol. D N S service port 53 t c p u d p protocol. h t t p web service port 80 t c p u d p protocol. pop 3 mail service port 1 ten protocol t c p. R P C service port 1 35 t c p u d p protocol. net biose service ports 1 37 through 1 39 p c p u d p protocol. I map service port 1 43 t c p u d p protocol. h t t p over s s l port 4 43 t c p protocol. s m b protocol service port 4 4 5 t c p protocol. my s q l protocol service port 33 0h 6 t c p u d p protocol. bit torrent 68 81 through 68 89 t c p u d p protocol. aim protocol service port 5 31 and 51 90 t c p protocol. yahoo messenger protocol service port 50 50 t c p protocol. m s n messenger 68 91 through 69 hundred t c p u d p protocol. jabber port 52 22 t c p protocol. world of warcraft protocol service 37 24 and 61 12 t c p u d p protocol. ka zaa protocol service port 12 14 t c p protocol. nutella protocol service port 63 46 t c p u d p protocol. I r c protocol service port 66 67 t c p protocol. m i r c protocol service port 66 60 through 66 69 t c p protocol. Instructions appear to select a protocol and or service to learn more about it. The following services protocols are selectable: f t p, s s h, telnet, s m t p mail, d n s, t f t p, h t t p web, pop 3 mail, r p c, net biose, I map, s m b, and I r c.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Common Microsoft Server Services</Title>
					<Subtitle/>
					<Filename>idsl3_23</Filename>
					<PageNbr>23</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Microsoft has a suite of Microsoft-based protocols, and associated ports, over which services are offered. These services should be configured to use established ports, and it is important to recognize what is legitimate traffic for these services. Many of these services are enabled by default on Windows.</Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 23 of 27. Topic title: Ports, Protocols, and Services. Screen title: Common Microsoft Server Services. Text displays Microsoft Based T C P I P Protocols and Services. Two column format displays Protocol slash service in the first column and Ports in the second column. Microsoft based T C P I P protocols and services and their ports include active directory l sass ports 32 69, 32 68, 3 89, 6 36, 1 35, and 88. Computer browser or net biose ports 1 37 through 1 39. D H C P server port 67 and 25 35. D com port 1 35. Exchange server and or client ports 25, 1 10, 1 35, 1 43, 4 43 or 80, 9 93, 995, 60 oh 1 through 60 oh 4. M S S Q L ports 14 33 through 14 34. Net logon ports 1 37 through 1 39 and 4 45. Share point portal server ports 80 and 4 43. System Center configuration manager or system management server ports 27 oh 1 through 27 oh 4. T C P I P Print server port 5 15. Remote desktop port 33 89. Windows Internet name service or wins port 42 and 1 37. and Internet Information Service ports 80 and 4 43. Rollover for Active Directory displays Active directory technology is responsible for offering network security services, such as authentication, interoperation with other system directories, Domain Name System or D N S naming, and a central storage repository for application data. Computer browser service rollover displays Computer Browser service is the mechanism that collects and distributes the list of workgroups and domains and the servers within them.  It provides backward compatibility with computers running earlier versions of Windows that must use Net BIOSe over T C P I P and are not Active Directory capable. D H C P rollover displays Dynamic Host Configuration Protocol Server is a service that allows a server to dynamically distribute I P addressing and configuration information to clients. 
Normally the D H C P server provides the client with at least the basic information of I P address, subnet mask, and default gateway. D com rollover displays Distributed Component Object Model is part of a family of technologies that allow software components to communicate across network boundaries. Exchange server client displays The port list includes a conglomeration of ports and services utilized by Microsoft Exchange for the sending and receiving of email messages. Microsoft Standard Query Language is the Microsoft implementation of the S Q L relational database model. Net logon rollover displays The Net Logon service verifies logon requests while registering, authenticating, and locating domain controllers. Share point portal server rollover displays Microsoft Share Point Server works with Microsoft I I S web server to produce sites intended for collaboration, file sharing, web databases, social networking and web publishing. Systems Center Configuration Manager rollover displays Systems Center Configuration Manager is systems management software that provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. Formerly known as Systems Management Server, or S M S. T C P I P Printing Service rollover displays The T C P I P Printing Service, also called Unix Printing, integrates print services for Windows based machines into Unix environments. Remote desktop rollover displays Remote desktop is a session virtualization capability that allows users access to remote computers using the Remote Desktop Protocol. Wins rollover displays Windows Internet Name Service is a Microsoft implementation of Net BIOSe that provides mapping of client names to I P addresses as assigned by a D H C P server. Internet Information Service rollover displays Microsoft developed web server.</ContentDescription></Sec508Data></Page>			
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl3_24</Filename>
					<PageNbr>24</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>450</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>File-exchange services</Txt>
							<Response valid="true">
								<Txt>FTP/TFTP</Txt>
							</Response>
							<Response>
								<Txt>RPC/EPM</Txt>
							</Response>
							<Response>
								<Txt>SSH/Telnet</Txt>
							</Response>
							<Response>
								<Txt>HTTP/DNS</Txt>
							</Response>
							<Response>
								<Txt>NetBIOS/SMB/AD</Txt>
							</Response>
							<Response>
								<Txt>SMTP/POP/IMAP</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) both provide a file-exchange service. However, TFTP is simpler and does not use a username or password, has no directory structure, and does not provide encryption.</DfltCorrect>
								<DfltIncorrect>Incorrect. File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) both provide a file-exchange service. However, TFTP is simpler and does not use a username or password, has no directory structure, and does not provide encryption.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Remote log on capability</Txt>
							<Response>
								<Txt>FTP/TFTP</Txt>
							</Response>
							<Response>
								<Txt>RPC/EPM</Txt>
							</Response>
							<Response valid="true">
								<Txt>SSH/Telnet</Txt>
							</Response>
							<Response>
								<Txt>HTTP/DNS</Txt>
							</Response>
							<Response>
								<Txt>NetBIOS/SMB/AD</Txt>
							</Response>
							<Response>
								<Txt>SMTP/POP/IMAP</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Telnet (Terminal Emulation Over a Network) allows users to remotely log on to a computer, sending usernames and passwords in clear text. Secure Shell (SSH) uses encryption and provides more secure remote access.</DfltCorrect>
								<DfltIncorrect>Incorrect. Telnet (Terminal Emulation Over a Network) allows users to remotely log on to a computer, sending usernames and passwords in clear text. Secure Shell (SSH) uses encryption and provides more secure remote access.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>WWW message format definition and transmission/IP address to domain name translation</Txt>
							<Response>
								<Txt>FTP/TFTP</Txt>
							</Response>
							<Response>
								<Txt>RPC/EPM</Txt>
							</Response>
							<Response>
								<Txt>SSH/Telnet</Txt>
							</Response>
							<Response valid="true">
								<Txt>HTTP/DNS</Txt>
							</Response>
							<Response>
								<Txt>NetBIOS/SMB/AD</Txt>
							</Response>
							<Response>
								<Txt>SMTP/POP/IMAP</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Hypertext Transfer Protocol (HTTP) underlies the World Wide Web by defining message format and transmission, while the Domain Name System (DNS) translates domain or host names into IP addresses.</DfltCorrect>
								<DfltIncorrect>Incorrect. Hypertext Transfer Protocol (HTTP) underlies the World Wide Web by defining message format and transmission, while the Domain Name System (DNS) translates domain or host names into IP addresses.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Windows-based services</Txt>
							<Response>
								<Txt>FTP/TFTP</Txt>
							</Response>
							<Response>
								<Txt>RPC/EPM</Txt>
							</Response>
							<Response>
								<Txt>SSH/Telnet</Txt>
							</Response>
							<Response>
								<Txt>HTTP/DNS</Txt>
							</Response>
							<Response valid="true">
								<Txt>NetBIOS/SMB/AD</Txt>
							</Response>
							<Response>
								<Txt>SMTP/POP/IMAP</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Network Basic Input/Output System (NetBIOS), Server Message Block (SMB), and Active Directory (AD) are all based on Microsoft Windows.</DfltCorrect>
								<DfltIncorrect>Incorrect. Network Basic Input/Output System (NetBIOS), Server Message Block (SMB), and Active Directory (AD) are all based on Microsoft Windows.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Remote code execution, and assigning and tracking client service port numbers</Txt>
							<Response>
								<Txt>FTP/TFTP</Txt>
							</Response>
							<Response valid="true">
								<Txt>RPC/EPM</Txt>
							</Response>
							<Response>
								<Txt>SSH/Telnet</Txt>
							</Response>
							<Response>
								<Txt>HTTP/DNS</Txt>
							</Response>
							<Response>
								<Txt>NetBIOS/SMB/AD</Txt>
							</Response>
							<Response>
								<Txt>SMTP/POP/IMAP</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Remote procedure call (RPC) endpoint mapper enables a program on one computer to execute code on a remote system. It assigns and tracks the port numbers of all its clients' services.</DfltCorrect>
								<DfltIncorrect>Incorrect. Remote procedure call (RPC) endpoint mapper enables a program on one computer to execute code on a remote system. It assigns and tracks the port numbers of all its clients' services.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Server-to-server message transmission/email services</Txt>
							<Response>
								<Txt>FTP/TFTP</Txt>
							</Response>
							<Response>
								<Txt>RPC/EPM</Txt>
							</Response>
							<Response>
								<Txt>SSH/Telnet</Txt>
							</Response>
							<Response>
								<Txt>HTTP/DNS</Txt>
							</Response>
							<Response>
								<Txt>NetBIOS/SMB/AD</Txt>
							</Response>
							<Response valid="true">
								<Txt>SMTP/POP/IMAP</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Simple Mail Transfer Protocol (SMTP) sends messages to servers; Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) receive messages from servers. Each method has its advantages and disadvantages.</DfltCorrect>
								<DfltIncorrect>Incorrect. Simple Mail Transfer Protocol (SMTP) sends messages to servers; Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) receive messages from servers. Each method has its advantages and disadvantages.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge about the functionality of common protocols and services. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 24 of 27. Topic title: Ports, Protocols, and Services. Screen title: Knowledge Check. This knowledge check presents six statements. For each statement there are six possible answers, F T P slash T F T P, R P C SLASH E P M, S S H SLASH TELNET, H T T P SLASH D N S, NET BIOSE SLASH S M B SLASH A D, S M T P SLASH POP SLASH I MAP. Use the down arrow key to move through the statements and answer options. Use the enter key to make your selections.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Identifying IRC Traffic</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>What is IRC?</Title>
					<Subtitle/>
					<Filename>idsl3_25</Filename>
					<PageNbr>25</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Recall that Internet Relay Chat, or IRC, is a multi-user, multi-channel chat system that is neither client nor network specific. IRC communication occurs over a global network of IRC servers and is typically used by millions of simultaneous clients. In addition to IM, IRC networks provide channels, or virtual meeting places that are sometimes called chat rooms. Each IRC network may have thousands of channels dedicated to different types of discussions. For example, people may use channel #weather to discuss weather-related events and issues. IRC servers should use port 6667, but often use non-standard ports. IRC is used for legitimate purposes, but it is also commonly used by malware to &quot;phone home&quot; to receive additional commands and instructions. Phoning home refers to when a client reports information about its location on a network, the current user's login status, or other types of information to the attacker. Once a bot has phoned home, attackers often use IRC as a C2 network for the array of bots and botnets under their control. Because malware often abuses IRC networks, it is critical that you, as an analyst of intrusion detection systems, not only be able to identify basic IRC commands and how they are used, but also recognize examples of both non-malicious and malicious IRC traffic. Select IRC Command Examples to learn basic IRC commands. Select Malicious and Non-malicious IRC Traffic to see examples of each. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>What is IRC?</Title>
							<Subtitle/>
							<Filename>idsl3_25_01</Filename>
							<PageNbr>25</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> One of the first things an IRC user does is to assign a nickname, or nick, by which they will be known while they are connected to the network. The user types /nick followed by their nickname, for example, &quot;/nick student.&quot; The IRC client then sends &quot;nick student&quot; to the IRC server. Let's look at an example of how to join an IRC channel. IRC channels begin with a hash mark. Our example is called #kubuntu. The #kubuntu IRC channel is the main support and chat channel for the Kubuntu operating system, which was built by a worldwide development team as an alternative to Microsoft Windows and Office. To join, type /join, space, and a hash mark immediately followed by the channel's name. The IRC client sends &quot;join #kubuntu&quot; to the server. When you join a channel, in this case, #kubuntu, whatever anyone says is preceded by their nickname, so everyone can identify who is writing what. Other IRC commands include mode, ping, pong, user, and who, among others. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Using Basic I R C Commands</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 3. Popup title: Using Basic I R C Commands. Text and bullet points appear in support of audio. Sample I R C traffic is displayed.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>What is IRC?</Title>
							<Subtitle/>
							<Filename>idsl3_25_02</Filename>
							<PageNbr>25</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> When you look at non-malicious IRC traffic, it looks like regular chat room activity. When you see IRC commands, such as nick, join, ping, and who, realize that these commands are usually normal and benign examples of an IRC conversation. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Non Malicious I R C Traffic</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 3. Popup title: Non Malicious I R C Traffic. Text and bullet points appear in support of audio. Sample I R C traffic is displayed with callouts in support of audio.</ContentDescription></Sec508Data>
						</Popup>
						<Popup>
							<Title>What is IRC?</Title>
							<Subtitle/>
							<Filename>idsl3_25_03</Filename>
							<PageNbr>25</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> This example shows bots joining the C2 IRC network as part of a larger botnet. First, notice that the nick command is used to assign a seemingly random nickname. This is not the kind of nickname people normally use. Quite likely, this is the sign of a newly infected client, now a bot, setting its user nickname. This suspicion is confirmed when you look further down the conversation and see a similar-looking nickname with a random number set. Here, the bot uses the nick to report the location and connection speed to the bot herder with a unique identifier. The bot uses the join command to actually join the #trees IRC channel. Notice that the join command is used repeatedly. Then, another bot joins the channel and announces a new infection. Notice the infection vector, which tells the bot herder how the bots are spreading. Examine the traffic for additional evidence of malicious content. This kind of abnormal IRC traffic would clearly indicate malicious IRC traffic when it is combined with other supporting evidence, such as executable downloads, unusual traffic to commonly abused ports, or other indicators. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Malicious I R C Traffic</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 3. Popup title: Malicious I R C Traffic. Text and bullet points appear in support of audio. Sample I R C traffic is displayed with callouts in support of audio.</ContentDescription></Sec508Data>							
						</Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 25 of 27. Topic title: Identifying I R C Traffic. Screen title: What is I R C? Text and bullet points appear in support of audio. Instruction display Select Using Basic I R C Commands to see command examples. Select malicious and non malicious I R C traffic to see examples.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl3_26</Filename>
					<PageNbr>26</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>600</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>IRC is a global network of IRC servers that provides instant messaging and chat room services.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. IRC is a global network of IRC servers that provides instant messaging and chat room services.</DfltCorrect>
								<DfltIncorrect>Incorrect. IRC is a global network of IRC servers that provides instant messaging and chat room services.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>IRC is not an inherently benign technology.</Txt>
							<Response>
								<Txt>True</Txt>
							</Response>
							<Response valid="true">
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. IRC is a benign technology. However, it is often abused by malicious users.</DfltCorrect>
								<DfltIncorrect>Incorrect. IRC is a benign technology. However, it is often abused by malicious users.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Whenever you see &quot;nick&quot; or &quot;join&quot; in IRC traffic, you can be sure the traffic is malicious.</Txt>
							<Response>
								<Txt>True</Txt>
							</Response>
							<Response valid="true">
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. &quot;nick&quot; and &quot;join&quot; are examples of normal, non-malicious IRC traffic. However, when you see these commands, be alert for possible malware.</DfltCorrect>
								<DfltIncorrect>Incorrect. &quot;nick&quot; and &quot;join&quot; are examples of normal, non-malicious IRC traffic. However, when you see these commands, be alert for possible malware.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>The join command is used to assign a nickname.</Txt>
							<Response>
								<Txt>True</Txt>
							</Response>
							<Response valid="true">
								<Txt>False</Txt>
							</Response>	
							<Feedback>
								<DfltCorrect>Correct. The join command is used to join a channel. The nick command is used to assign a nickname.</DfltCorrect>
								<DfltIncorrect>Incorrect. The join command is used to join a channel. The nick command is used to assign a nickname.</DfltIncorrect>
							</Feedback>							
						</Question>
						<Question qType="MC">
							<Txt>IDS analysts need to be skilled in recognizing IRC traffic.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. It is critical for IDS analysts to be skilled in recognizing IRC traffic.</DfltCorrect>
								<DfltIncorrect>Incorrect. It is critical for IDS analysts to be skilled in recognizing IRC traffic.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of IRC. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 26 of 27. Topic title: Identifying I R C Traffic. Screen title: Knowledge Check. This knowledge check presents five statements. For each statement there are two possible answers, true or false. Use the down arrow key to move through the statements and answer options. Use the enter key to make your selections.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>idsl3_27</Filename>
					<PageNbr>27</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the Networking Fundamentals lesson. You should now be able to differentiate between the two models of interoperability, and between protocols that make up TCP/IP. You should also be able to identify the differences between the two versions of IP. You should be able to identify two types of ports, as well as common protocols and services and the risks associated with those protocols and services. Finally, you should be able to identify the characteristics of IRC traffic, and recognize examples of IRC commands and malicious and non-malicious IRC traffic. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 27 of 27. Topic title: Conclusion. Screen title: Summary and Conclusion. The word Congratulations appears in large text. Text and bullet points display lesson objectives. Bullet points turn into checkmarks in synch with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
