When the remote host responds, the router forwards the Echo Reply back to the local host, as shown in Figure 4-70.

If this ping is successful, the operation of a large piece of the internetwork can be verified. A successful ping across the internetwork confirms communication on the local network. It also confirms the operation of the router serving as the gateway, and the operation of all other routers that might be in the path between the local network and the network of the remote host.

Additionally, the functionality of the remote host can be verified. If the remote host could not communicate outside of its local network, it would not have responded.

This information can be used to locate a problematic router in the path. If the display shows high response times or data losses from a particular hop, this is an indication that the resources of the router or its connections may be overloaded.

Figures 4-71 through 4-78 demonstrate how traceroute takes advantage of TTL.

The first sequence of messages sent from traceroute will have a TTL field value of 1 (Figure 4-71). This causes the TTL to time out the IPv4 packet at the first router. This router then responds with an ICMPv4 message (Figure 4-72). Traceroute now has the address of the first hop.

Traceroute then progressively increments the TTL field (2, 3, 4...) for each sequence of messages (Figures 4-73 through 4-76). This provides the trace with the address of each hop as the packets timeout further down the path. The TTL field continues to be increased until the destination is reached, or it is incremented to a predefined maximum.

After the final destination is reached, the host responds with either an ICMP port unreachable message or an ICMP echo reply message instead of the ICMP time exceeded message (Figures 4-77 and 4-78).

ICMP uses message codes to differentiate between different types of ICMP messages. These are some common message codes:

• 0: Echo reply (response to a ping)

• 3: Destination Unreachable

• 5: Redirect (use another route to your destination)

• 8: Echo request (for ping)

• 11: Time Exceeded (TTL became 0)

As you will see later in the course, a cybersecurity analyst knows that the optional ICMP Payload field can be used in an attack vector to exfiltrate data.

• Physical address (the MAC address): This is used for Ethernet NIC to Ethernet NIC communications on the same network.

• Logical address (the IP address): This is used to send the packet from the original source to the final destination.

IP addresses are used to identify the address of the original source device and the final destination device. The destination IP address may be on the same IP network as the source or may be on a remote network.

Layer 2 or physical addresses, like Ethernet MAC addresses, have a different purpose. These addresses are used to deliver the data link frame with the encapsulated IP packet from one NIC to another NIC on the same network. If the destination IP address is on the same network, the destination MAC address will be that of the destination device.

Figure 4-80 shows the Ethernet MAC addresses and IP address for PC A sending an IP packet to the file server on the same network.

The Layer 2 Ethernet frame contains:

• Destination MAC address: This is the MAC address of the file server’s Ethernet NIC.

• Source MAC address: This is the MAC address of PC A’s Ethernet NIC.

The Layer 3 IP packet contains:

• Source IP address: This is the IP address of the original source, PC A.

• Destination IP address: This is the IP address of the final destination, the file server.

Using a postal analogy, this would be similar to a person taking a letter to their local post office. All they need to do is take the letter to the post office and then it becomes the responsibility of the post office to forward the letter on towards its final destination.

Figure 4-81 shows the Ethernet MAC addresses and IPv4 addresses for PC A sending an IP packet to a file server on a remote network. Routers examine the destination IPv4 address to determine the best path to forward the IPv4 packet. This is similar to how the postal service forwards mail based on the address of the recipient.

When the router receives the Ethernet frame, it de-encapsulates the Layer 2 information. Using the destination IP address, it determines the next-hop device, and then encapsulates the IP packet in a new data link frame for the outgoing interface. Along each link in a path, an IP packet is encapsulated in a frame specific to the particular data link technology associated with that link, such as Ethernet. If the next-hop device is the final destination, the destination MAC address will be that of the device’s Ethernet NIC.

How are the IPv4 addresses of the IPv4 packets in a data flow associated with the MAC addresses on each link along the path to the destination? This is done through a process called Address Resolution Protocol (ARP).

• Destination MAC address: The MAC address of the Ethernet NIC, which will be either the MAC address of the final destination device or the MAC address of the router.

• Source MAC address: The MAC address of the sender’s Ethernet NIC.

To determine the destination MAC address, the device uses ARP, as shown in Figure 4-82. ARP resolves IPv4 addresses to MAC addresses, and maintains a table of mappings.

The sending device will search its ARP table for a destination IPv4 address and a corresponding MAC address. If the packet’s destination IPv4 address is on the same network as the source IPv4 address, the device will search the ARP table for the destination IPv4 address. If the destination IPv4 address is on a different network than the source IPv4 address, the device will search the ARP table for the IPv4 address of the default gateway.

In both cases, the search is for an IPv4 address and a corresponding MAC address for the device.

Each entry, or row, of the ARP table binds an IPv4 address with a MAC address. We call the relationship between the two values a map. It simply means that you can locate an IPv4 address in the table and discover the corresponding MAC address. The ARP table temporarily saves (caches) the mapping for the devices on the LAN.

If the device locates the IPv4 address, its corresponding MAC address is used as the destination MAC address in the frame. If no entry is found, then the device sends an ARP request, as shown in Figure 4-83.

The destination sends an ARP reply, as shown in Figure 4-84.

Commands may also be used to manually remove all or some of the entries in the ARP table. After an entry has been removed, the process for sending an ARP request and receiving an ARP reply must occur again to enter the map in the ARP table.

The ARP table on a Windows PC can be displayed using the arp -a command, as shown in Example 4-3.

Example 4-3 Host ARP Table

Click here to view code image

ARP vulnerabilities will be discussed in more detail later in the course.

At the destination, the transport layer must be able to reconstruct the pieces of data into a complete data stream that is useful to the application layer. The protocols at the transport layer describe how the transport layer header information is used to reassemble the data pieces into streams to be passed to the application layer.

Figure 4-90 shows that segmenting the data into smaller chunks enables many different communications, from many different users, to be interleaved (multiplexed) on the same network.

To identify each segment of data, the transport layer adds a header containing binary data organized into several fields. It is the values in these fields that enable various transport layer protocols to perform different functions in managing data communication.

The transport layer is also responsible for managing reliability requirements of a conversation. Different applications have different transport reliability requirements.

IP is concerned only with the structure, addressing, and routing of packets. IP does not specify how the delivery or transportation of the packets takes place. Transport protocols specify how to transfer messages between hosts. TCP/IP provides two transport layer protocols, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), as shown in Figure 4-91. IP uses these transport protocols to enable hosts to communicate and transfer data.

TCP is considered a reliable, full-featured transport layer protocol, which ensures that all of the data arrives at the destination. However, this requires additional fields in the TCP header, which increases the size of the packet and also increases delay. In contrast, UDP is a simpler transport layer protocol that does not provide for reliability. It therefore has fewer fields and is faster than TCP.

TCP and UDP manage these multiple simultaneous conversations by using header fields that can uniquely identify these applications. These unique identifiers are the port numbers.

The source port number is associated with the originating application on the local host, as shown in Figure 4-92. The destination port number is associated with the destination application on the remote host.

For example, when a client specifies port 80 in the destination port, the server that receives the message knows that web services are being requested. A server can offer more than one service simultaneously such as web services on port 80 at the same time that it offers File Transfer Protocol (FTP) connection establishment on port 21.

The segments are then encapsulated within an IP packet. The IP packet contains the IP address of the source and destination. The combination of the source IP address and source port number, or the destination IP address and destination port number, is known as a socket. The socket is used to identify the server and service being requested by the client. A client socket might look like this, with 1099 representing the source port number: 192.168.1.5:1099

The socket on a web server might be: 192.168.1.7:80

Together, these two sockets combine to form a socket pair: 192.168.1.5:1099, 192.168.1.7:80

Sockets enable multiple processes, running on a client, to distinguish themselves from each other, and multiple connections to a server process to be distinguished from each other.

The source port number acts as a return address for the requesting application. The transport layer keeps track of this port and the application that initiated the request so that when a response is returned, it can be forwarded to the correct application.

For example, applications such as databases, web browsers, and email clients require that all data that is sent arrives at the destination in its original condition. Any missing data could cause a corrupt communication that is either incomplete or unreadable. These applications are designed to use TCP.

TCP transport is analogous to sending packages that are tracked from source to destination. If a shipping order is broken up into several packages, a customer can check online to see the order of the delivery.

With TCP, there are three basic operations of reliability:

• Numbering and tracking data segments transmitted to a specific host from a specific application

• Acknowledging received data

• Retransmitting any unacknowledged data after a certain period of time

Figures 4-95 through 4-98 demonstrate how TCP segments and acknowledgments are transmitted between sender and receiver.

In other cases, an application can tolerate some data loss during transmission over the network, but delays in transmission are unacceptable. UDP is the better choice for these applications because less network overhead is required. There is a trade-off between the value of reliability and the burden it places on network resources. Adding overhead to ensure reliability for some applications could reduce the usefulness of the application and can even be detrimental. In such cases, UDP is a better transport protocol. UDP is preferable for applications such as streaming live audio, live video, and Voice over IP (VoIP). Acknowledgments and retransmission would slow down delivery.

For example, if one or two segments of a live video stream fail to arrive, it creates a momentary disruption in the stream. This may appear as distortion in the image or sound, but may not be noticeable to the user. If the destination device had to account for lost data, the stream could be delayed while waiting for retransmissions, therefore causing the image or sound to be greatly degraded. In this case, it is better to render the best media possible with the segments received, and forego reliability.

UDP provides the basic functions for delivering data segments between the appropriate applications, with very little overhead and data checking. UDP is known as a best-effort delivery protocol. In the context of networking, best-effort delivery is referred to as “unreliable” because there is no acknowledgment that the data is received at the destination. With UDP, there are no transport layer processes that inform the sender of a successful delivery.

UDP is similar to placing a regular, non-registered, letter in the mail. The sender of the letter is not aware of the availability of the receiver to receive the letter. Nor is the post office responsible for tracking the letter or informing the sender if the letter does not arrive at the final destination.

Figures 4-99 and 4-100 demonstrate how UDP segments are transmitted from sender to receiver.

Figure 4-101 provides an overview and comparison of the features of TCP and UDP.

As shown in Figure 4-102, each TCP segment has 20 bytes of overhead in the header encapsulating the application layer data:

• Source Port (16 bits) and Destination Port (16 bits): These are used to identify the application.

• Sequence Number (32 bits): This is used for data reassembly purposes.

• Acknowledgment Number (32 bits): This indicates the data that has been received.

• Header Length (4 bits): This is known as “data offset.” It indicates the length of the TCP segment header.

There are 6 control bits:

• URG: This indicates that the segment should be classified as urgent.

• ACK: This indicates that the Acknowledgment Number field is significant. All segments in an established connection will have this bit set.

• PSH: This is the push function. It indicates that the segment should not be buffered but should be sent immediately to the receiving application.

• RST: This indicates that an unexpected condition has occurred and that the connection should be reset.

• SYN: This is used to initiate a connection. This should only be set in the initial segments in the connection establishment phase of data communication.

• FIN: This signals that no more data will be transferred and that the connection should be terminated.

UDP is a stateless protocol, meaning neither the client nor the server is obligated to keep track of the state of the communication session. If reliability is required when using UDP as the transport protocol, it must be handled by the application.

One of the most important requirements for delivering live video and voice over the network is that the data continues to flow quickly. Live video and voice applications can tolerate some data loss with minimal or no noticeable effect, and are perfectly suited to UDP.

The pieces of communication in UDP are called datagrams, as shown in Figure 4-103. These datagrams are sent as best-effort by the transport layer protocol. UDP has a low overhead of 8 bytes.

For example, a server running a web server application and a file transfer application cannot have both configured to use the same port (for example, TCP port 80). An active server application assigned to a specific port is considered to be open. This means that the transport layer running on the server accepts and processes segments addressed to that port. Any incoming client request addressed to the correct socket is accepted, and the data is passed to the server application. There can be many ports open simultaneously on a server, one for each active server application.

When establishing a connection with a server, the transport layer on the client establishes a source port to keep track of data sent from the server. Just as a server can have many ports open for server processes, clients can have many ports open for connections to multiple sockets. Local source ports are randomly allocated from a range of numbers that is usually from 49152 to 65535. Segments sent to the client from a server will use the client port number as the destination port for data from the socket.

Refer to Figures 4-104 through 4-108 to see the typical allocation of source and destination ports in TCP client-server operations.

The three-way handshake accomplishes three things:

• It establishes that the destination device is present on the network.

• It verifies that the destination device has an active service and is accepting requests on the destination port number that the initiating client intends to use.

• It informs the destination device that the source client intends to establish a communication session on that port number.

A TCP connection is established in three steps, as shown in Figure 4-109:

1. The initiating client requests a client-to-server communication session with the server.

2. The server acknowledges the client-to-server communication session and requests a server-to-client communication session.

3. The initiating client acknowledges the server-to-client communication session.

To close a connection, the Finish (FIN) control flag must be set in the segment header. To end each one-way TCP session, a two-way handshake, consisting of a FIN segment and an Acknowledgment (ACK) segment, is used. Therefore, to terminate a single conversation supported by TCP, four exchanges are needed to end both sessions, as shown in Figure 4-110.

The 6 bits in the Control Bits field (Figure 4-111) of the TCP segment header are also known as flags. A flag is a bit that is set to “on” or “off.” For our purposes, four flags are important: SYN, ACK, FIN, and RST. The RST flag is used to reset a connection when an error or timeout occurs.

TCP segments may arrive at their destination out of order. For the original message to be understood by the recipient, the data in these segments is reassembled into the original order. Sequence numbers are assigned in the header of each packet to achieve this goal. The sequence number represents the first data byte of the TCP segment.

During session setup, an initial sequence number (ISN) is set. This ISN represents the starting value of the bytes for this session that is transmitted to the receiving application. As data is transmitted during the session, the sequence number is incremented by the number of bytes that have been transmitted. This data byte tracking enables each segment to be uniquely identified and acknowledged. Missing segments can then be identified.

Segment sequence numbers indicate how to reassemble and reorder received segments, as shown in Figure 4-112.

The receiving TCP process places the data from a segment into a receiving buffer. Segments are placed in the proper sequence order and passed to the application layer when reassembled. Any segments that arrive with sequence numbers that are out of order are held for later processing. Then, when the segments with the missing bytes arrive, these segments are processed in order.

Figure 4-113 shows an example of window size and acknowledgments.

The window size is the number of bytes that the destination device of a TCP session can accept and process at one time. In this example, PC B’s initial window size for the TCP session is 10,000 bytes. Starting with the first byte, byte number 1, the last byte PC A can send without receiving an acknowledgment is byte 10,000. This is known as PC A’s send window. The window size is included in every TCP segment so the destination can modify the window size at any time depending on buffer availability.

The initial window size is agreed upon when the TCP session is established during the three-way handshake. The source device must limit the number of bytes sent to the destination device based on the destination’s window size. Only after the source device receives an acknowledgment that the bytes have been received can it continue sending more data for the session. Typically, the destination will not wait for all the bytes for its window size to be received before replying with an acknowledgment. As the bytes are received and processed, the destination will send acknowledgments to inform the source that it can continue to send additional bytes.

The process of the destination sending acknowledgments as it processes bytes received and the continual adjustment of the source’s send window is known as sliding windows.

If the availability of the destination’s buffer space decreases, it may reduce its window size and inform the source to reduce the number of bytes it should send without receiving an acknowledgment.

A useful discussion of TCP sequence and acknowledgment numbers can be found here.

Therefore, UDP simply reassembles the data in the order that it was received and forwards it to the application, as shown in Figure 4-114. If the data sequence is important to the application, the application must identify the proper sequence and determine how the data should be processed.

Like TCP-based applications, UDP-based server applications are assigned well-known or registered port numbers, as shown in Figure 4-115.

When these applications or processes are running on a server, they accept the data matched with the assigned port number. When UDP receives a datagram destined for one of these ports, it forwards the application data to the appropriate application based on its port number.

As with TCP, client-server communication is initiated by a client application that requests data from a server process. The UDP client process dynamically selects a port number from the range of port numbers and uses this as the source port for the conversation. The destination port is usually the well-known or registered port number assigned to the server process.

After a client has selected the source and destination ports, the same pair of ports is used in the header of all datagrams used in the transaction. For the data returning to the client from the server, the source and destination port numbers in the datagram header are reversed.

When an IPv4, DHCP-configured device boots up or connects to the network, the client broadcasts a DHCP discover (DHCPDISCOVER) message to identify any available DHCP servers on the network. A DHCP server replies with a DHCP offer (DHCPOFFER) message, which offers a lease to the client, as shown in Figure 4-116.

The offer message contains the IPv4 address and subnet mask to be assigned, the IPv4 address of the DNS server, and the IPv4 address of the default gateway. The lease offer also includes the duration of the lease.

The client may receive multiple DHCPOFFER messages if there is more than one DHCP server on the local network. Therefore, it must choose between them, and sends a DHCP request (DHCPREQUEST) message that identifies the explicit server and lease offer that the client is accepting. A client may also choose to request an address that it had previously been allocated by the server.

Assuming that the IPv4 address requested by the client, or offered by the server, is still available, the server returns a DHCP acknowledgment (DHCPACK) message that acknowledges to the client that the lease has been finalized. If the offer is no longer valid, then the selected server responds with a DHCP negative acknowledgment (DHCPNAK) message. If a DHCPNAK message is returned, then the selection process must begin again with a new DHCPDISCOVER message being transmitted. After the client has the lease, it must be renewed prior to the lease expiration through another DHCPREQUEST message. Figures 4-117 and 4-118 illustrate the steps in DHCPv4 operation.

The DHCP server ensures that all IP addresses are unique (the same IP address cannot be assigned to two different network devices simultaneously). Most Internet providers use DHCP to allocate addresses to their customers.

DHCPv6 has similar set of messages to those used for DHCP for IPv4. The DHCPv6 messages are SOLICIT, ADVERTISE, INFORMATION REQUEST, and REPLY.

Figure 4-119 shows the format of a DHCPv4 message with the following fields:

The Domain Name System (DNS) was developed to provide a reliable means of managing and providing domain names and their associated IP addresses. DNS consists of a global hierarchy of distributed servers that contain databases of name to IP address mappings. The client computer in Figure 4-120 will send a request to the DNS server to get the IP address for www.cisco.com.

A recent analysis of network security threats discovered that over 90% of the malicious software that is used to attack networks uses the DNS system to carry out attack campaigns. A cybersecurity analyst should have a thorough understanding of the DNS system and the ways in which malicious DNS traffic can be detected through protocol analysis and the inspection of DNS monitoring information.

• Resolver: A DNS client that sends DNS messages to obtain information about the requested domain name space.

• Recursion: The action taken when a DNS server is asked to query on behalf of a DNS resolver.

• Authoritative server: A DNS server that responds to query messages with information stored in Resource Records (RRs) for a domain name space stored on the server.

• Recursive resolver: A DNS server that recursively queries for the information asked in the DNS query.

• FQDN: A fully qualified domain name is the absolute name of a device within the distributed DNS database.

• RR: A resource record is a format used in DNS messages that is composed of the following fields: NAME, TYPE, CLASS, TTL, RDLENGTH, and RDATA.

• DNS Zone: A database that contains information about the domain name space stored on an authoritative server.

When attempting to resolve a name to an IP address, a user host, known in the system as a resolver, will first check its local DNS cache. If the mapping is not found there, a query will be issued to the DNS server or servers that are configured in the network addressing properties for the resolver. These servers may be present at an enterprise or ISP. If the mapping is not found there, the DNS server will query other higher-level DNS servers that are authoritative for the top-level domain in order to find the mapping. These are known as recursive queries.

Because of the potential burden on authoritative top-level domain servers, some DNS servers in the hierarchy maintain caches of all DNS records that they have resolved for a period of time. These caching DNS servers can resolve recursive queries without forwarding the queries to higher-level servers. If a server requires data for a zone, it will request a transfer of that data from an authoritative server for that zone. The process of transferring blocks of DNS data between servers is known as a zone transfer.

Figures 4-122 through 4-127 display the steps involved in DNS resolution.

The DNS server stores different types of RRs used to resolve names. These records contain the name, address, and type of record. Here is a list of some of these record types:

• A: An end device IPv4 address

• NS: An authoritative name server

• AAAA: An end device IPv6 address (pronounced quad-A)

• MX: A mail exchange record

When a client makes a query, the server’s DNS process first looks at its own records to resolve the name. If it is unable to resolve the name using its stored records, it contacts other servers to resolve the name. After a match is found and returned to the original requesting server, the server temporarily stores the numbered address in the event that the same name is requested again.

The DNS Client service on Windows PCs also stores previously resolved names in memory. The ipconfig /displaydns command displays all of the cached DNS entries.

Dynamic DNS (DDNS) allows a user or organization to register an IP address with a domain name as in DNS. However, when the IP address of the mapping changes, the new mapping can be propagated through the DNS almost instantaneously. For this to occur, a user obtains a subdomain from a DDNS provider. That subdomain is mapped to the IP address of the user’s server, or home router connection to the Internet. Client software runs on either the router or a host PC that detects a change in the Internet IP address of the user. When a change is detected, the DDNS provider is immediately informed of the change and the mapping between the user’s subdomain and the Internet IP address is immediately updated, as shown in Figure 4-129.

DDNS does not use a true DNS entry for a user’s IP address. Instead, it acts as an intermediary. The DDNS provider’s domain is registered with the DNS, but the subdomain is mapped to a totally different IP address. The DDNS provider service supplies that IP address to the resolver’s second level DNS server. That DNS server, either at the organization or ISP, provides the DDNS IP address to the resolver.

These private addresses are used within an organization or site to allow devices to communicate locally. However, because these addresses do not identify any single company or organization, private IPv4 addresses cannot be routed over the Internet. To allow a device with a private IPv4 address to access devices and resources outside of the local network, the private address must first be translated to a public address, as shown in Figure 4-131.

A NAT router typically operates at the border of a stub network. A stub network is a network that has a single connection to its neighboring network, one way in and one way out of the network. In the example in Figure 4-132, R2 is a border router. As seen from the ISP, R2 forms a stub network.

When a device inside the stub network wants to communicate with a device outside of its network, the packet is forwarded to the border router. The border router performs the NAT process, translating the internal private address of the device to a public, outside, routable address.

With PAT, multiple addresses can be mapped to one or to a few addresses, because each private address is also tracked by a port number. When a device initiates a TCP/IP session, it generates a TCP or UDP source port value or a specially assigned query ID for ICMP, to uniquely identify the session. When the NAT router receives a packet from the client, it uses its source port number to uniquely identify the specific NAT translation. The PAT process also validates that the incoming packets were requested, thus adding a degree of security to the session.

Figure 4-133 illustrates the PAT process. PAT adds unique source port numbers to the inside global address to distinguish between translations.

As R2 processes each packet, it uses a port number (1331 and 1555, in this example) to identify the device from which the packet originated. The source address (SA) is the inside local address with the TCP/IP assigned port number added. The destination address (DA) is the outside local address with the service port number added. In this example, the service port is 80, which is HTTP.

For the source address, R2 translates the private address (known as an inside local address) to an outside global public address with the port number added. The destination address is not changed, but is now referred to as the outside global IPv4 address. When the web server replies, the path is reversed.

NAT/PAT can complicate cyber-operations because it can hide addressing information in the log files created by network security and monitoring devices.

As Figure 4-134 illustrates, to successfully transfer data, FTP requires two connections between the client and the server, one for commands and replies, the other for the actual file transfer:

1. The client establishes the first connection to the server for control traffic using TCP port 21, consisting of client commands and server replies.

2. The client establishes the second connection to the server for the actual data transfer using TCP port 20. This connection is created every time there is data to be transferred.

The data transfer can happen in either direction. The client can download (pull) data from the server, or the client can upload (push) data to the server.

FTP was not designed to be a secure application layer protocol. For this reason, SSH File Transfer Protocol, which is a secure form of FTP that uses the Secure Shell protocol to provide a secure channel, is the preferred file transfer implementation.

SMB messages can start, authenticate, and terminate sessions, control file and printer access, and allow an application to send or receive messages to or from another device.

SMB file sharing and print services have become the mainstay of Microsoft networking, as shown in Figure 4-136.

Email clients communicate with mail servers to send and receive email. Mail servers communicate with other mail servers to transport messages from one domain to another. An email client does not communicate directly with another email client when sending email. Instead, both clients rely on the mail server to transport messages.

Email supports three separate protocols for operation: Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), and Internet Message Access Protocol (IMAP). The application layer process that sends mail uses SMTP. A client retrieves email, however, using one of the two application layer protocols: POP3 or IMAP.

When a client sends email, the client SMTP process connects with a server SMTP process on well-known port 25. After the connection is made, the client attempts to send the email to the server across the connection. When the server receives the message, it either places the message in a local account, if the recipient is local, or forwards the message to another mail server for delivery, as shown in Figure 4-138.

The destination email server may not be online or may be busy when email messages are sent. Therefore, SMTP spools messages to be sent at a later time. Periodically, the server checks the queue for messages and attempts to send them again. If the message is still not delivered after a predetermined expiration time, it is returned to the sender as undeliverable.

The server starts the POP3 service by passively listening on TCP port 110 for client connection requests. When a client wants to make use of the service, it sends a request to establish a TCP connection with the server. When the connection is established, the POP3 server sends a greeting. The client and POP3 server then exchange commands and responses until the connection is closed or aborted.

With POP3, email messages are downloaded to the client and removed from the server, so there is no centralized location where email messages are kept. Because POP3 does not store messages, it is undesirable for a small business that needs a centralized backup solution.

Unlike POP3, when the user connects to an IMAP-capable server, copies of the messages are downloaded to the client application. The original messages are kept on the server until manually deleted. Users view copies of the messages in their email client software.

Users can create a file hierarchy on the server to organize and store mail. That file structure is duplicated on the email client as well. When a user decides to delete a message, the server synchronizes that action and deletes the message from the server.

First, the browser interprets the three parts of the URL:

• http (the protocol or scheme)

• www.cisco.com (the server name)

• index.html (the default home page is requested)

As shown in Figure 4-142, the browser then checks with a name server to convert www.cisco.com into a numeric IP address, which it uses to connect to the server.

Using HTTP requirements, the browser sends a GET request to the server and asks for the index.html file. The server, as shown in Figure 4-143, sends the HTML code for this web page to the browser.

Finally, as shown in Figure 4-144, the browser deciphers the HTML code and formats the page for the browser window.

• GET: A client request for data. A client (web browser) sends the GET message to the web server to request HTML pages, as shown in Figure 4-146.

  

  Figure 4-146 HTTP Using GET

• POST: Submits data to be processed by a resource.

• PUT: Uploads resources or content to the web server such as an image.

• DELETE: Deletes the resource specified.

• OPTIONS: Returns the HTTP methods that the server supports.

• CONNECT: Requests that an HTTP proxy server forward the HTTP TCP session to the desired destination.

Although HTTP is remarkably flexible, it is not a secure protocol. The request messages send information to the server in plaintext that can be intercepted and read. The server responses, typically HTML pages, are also unencrypted.

Much confidential information, such as passwords, credit card information, and medical information, is transmitted over the Internet using HTTPS.

• 1xx: Informational

• 2xx: Success

• 3xx: Redirection

• 4xx: Client Error

• 5xx: Server Error

An explanation of some common status codes is shown in Table 4-6.

Ethernet operates at Layer 2 of the OSI model. Ethernet is responsible for encapsulating the upper layer data in a frame, which includes source and destination MAC addresses. MAC addresses are used on the LAN to locate either the destination or the default gateway.

IP operates at Layer 3 of the OSI model. IP comes in two versions: IPv4 and IPv6. Although IPv4 is being replaced by IPv6, IPv4 is still prevalent on today’s networks. IPv4 uses a 32-bit address space represented in dotted-decimal format, such as 192.168.1.1. IPv6 uses a 128-bit address space represented in hexadecimal format. In IPv6, you can omit leading zeros in each hextet and omit one “all zeros” segment, such as 2001:0DB8:0000:1111:0000:0000:0000:0200 represented as 2001:DB8:0:1111::200.

ICMP is used primarily for testing end-to-end connectivity from source to destination. ICMP for IPv4 is different than ICMP for IPv6. ICMP for IPv6 includes router and neighbor solicitations, router and neighbor advertisements, and duplicate address detection. The ping and traceroute utilities both use a feature of ICMP. Ping is used to test connectivity between two hosts but does not provide information about the details of devices between the hosts. Traceroute (tracert) is a utility that generates a list of hops that were successfully reached along the path.

ARP operates between Layer 2 and Layer 3, mapping MAC addresses to IP addresses. Before a host can send traffic to a remote network, it must know the MAC address for the default gateway. The host already knows the IP address for the default gateway. For example, a host with an IP address 192.168.1.10 might have a default gateway configured of 192.168.1.1. The host uses an ARP request to ask “Who is 192.168.1.1?” The default gateway will reply with its own MAC address. At that point, the host has mapped the IP address to the default gateway’s MAC address and can now construct the frame to send data to a remote network.

The transport layer is responsible for separating the data from the application layer into segments that can be sent down to the network layer. TCP is the transport layer protocol used when all the data must arrive at the destination in the correct order. UDP is the transport layer protocol used when the application can tolerate some data loss during transmission.

At the application layer, there are several important network services that the cybersecurity analysts should be aware of:

• DHCP: This automates the assignment of IPv4 addresses, subnet masks, gateways, and other IPv4 networking parameters.

• DNS: This provides a reliable means of managing and providing domain names and their associated IP addresses.

• NAT: This translates between private and public IPv4 addresses.

• File Transfer: Applications such as FTP, TFTP, and SMB can be used to transfer files from one host to another.

• Email: This requires several applications and services including POP3, IMAP, and SMTP.

• HTTP: This protocol is used to send and receive web pages.

1. Which message does an IPv4 host use to reply when it receives a DHCPOFFER message from a DHCP server?

1. DHCPACK

2. DHCPREQUEST

3. DHCPDISCOVER

4. DHCPOFFER

2. What OSI layer is responsible for establishing a temporary communication session between two applications and ensuring that transmitted data can be reassembled in proper sequence?

1. Session

2. Transport

3. Network

4. Data link

3. PC1 and PC3 are on different networks separated by a router, RT1. PC1 issues an ARP request because it needs to send a packet to PC3. In this scenario, what will happen next?

1. RT1 will forward the ARP request to PC3.

2. RT1 will drop the ARP request.

3. RT1 will send an ARP reply with its own MAC address.

4. RT1 will send an ARP reply with the PC3 MAC address.

4. What addresses are mapped by ARP?

1. Destination IPv4 address to the source MAC address

2. Destination IPv4 address to the destination hostname

3. Destination MAC address to the source IPv4 address

4. Destination MAC address to a destination IPv4 address

5. Which statement is true about FTP?

1. The client can download data from or upload data to the server.

2. The client can choose if FTP is going to establish one or two connections with the server.

3. FTP is a peer-to-peer application.

4. FTP does not provide reliability during data transmission.

6. Which two OSI model layers have the same functionality as two layers of the TCP/IP model? (Choose two.)

1. Session

2. Transport

3. Network

4. Data link

5. Physical

7. Which statement is true about the TCP/IP and OSI models?

1. The TCP/IP transport layer and OSI Layer 4 provide similar services and functions.

2. The TCP/IP network access layer has similar functions to the OSI network layer.

3. The OSI Layer 7 and the TCP/IP application layer provide identical functions.

4. The first three OSI layers describe general services that are also provided by the TCP/IP Internet layer.

8. What is the most compressed representation of the IPv6 address 2001:0000:0000:abcd:0000:0000:0000:0001?

1. 2001::abcd::1

2. 2001:0:abcd::1

3. 2001::abcd:0:1

4. 2001:0:0:abcd::1

5. 2001:0000:abcd::1

9. What three application layer protocols are part of the TCP/IP protocol suite? (Choose three.)

1. ARP

2. DHCP

3. DNS

4. FTP

5. NAT

6. PPP

10. If the default gateway is configured incorrectly on the host, what is the impact on communications?

1. The host is unable to communicate on the local network.

2. There is no impact on communications.

3. The host can communicate with other hosts on remote networks, but is unable to communicate with hosts on the local network.

4. The host can communicate with other hosts on the local network, but is unable to communicate with hosts on remote networks.

11. Which message delivery option is used when all devices need to receive the same message simultaneously?

1. Duplex

2. Unicast

3. Multicast

4. Broadcast