Firewalls and routers
Routers and firewalls are network connectivity devices that handle data packets on the network. The router directs these data packets to their addressed destination, whether that destination lies inside or outside the local area network (LAN). The firewall, on the other hand, is hardware or software that secures a network against external threats. On their own, firewalls have no built-in intelligence for identifying or recognizing intrusions, so they must be used in conjunction with an intrusion detection system (IDS). A competent network administrator should therefore include all of these in their network management policy.
Subnetting
A subnet is a physical segment within a transmission control protocol and internet protocol (TCP/IP) environment. It makes use of an IP address range that represents a distinct network ID. Normally only one network ID is issued to an organization by the InterNIC (Holliday, 2003). When the network is divided into subnets, each segment must use a different subnet ID. Each segment therefore receives a distinct subnet ID formed by dividing the host ID bits into two parts: one part identifies the segment as a unique network, while the other identifies the hosts on it. This process is called subnetting.
Benefits of Subnetting
Organizations apply subnetting to create multiple physical segments across one network. This enables one to:
- Blend various technologies including Ethernet and token ring
- Overcome the current technology limitations like those placed on the maximum number of hosts per segment
- Reduce network overcrowding by re-directing traffic and minimizing broadcasting
The IP addressing scheme used for subnets is known as subnetting. Before implementing subnetting, one needs to work out the current requirements: define the number of host addresses required for each of the physical segments available.
Each TCP/IP host must have at least one IP address. Based on these requirements, a single subnet mask is sufficient for the whole network. A unique subnet ID must be defined for every physical segment, and thus a range of host IDs must be defined for each segment.
IP Addressing
All networks must have a way of uniquely identifying their individual components; the identifier may be a name or a number. In the case of the TCP/IP protocol, a unique number called the IP address is used to identify each host. The IP address defines a host's position on the network (Day, 2008). It is unique and has a standardized format. Every IP address consists of a network ID (network number) and a host ID (host number). The network ID identifies the resources positioned on the same physical section of the network. The host ID identifies a TCP/IP host, such as a workstation, server or router, located on that segment. The IP address is 32 bits long and is subdivided into octets, groups of 8 bits separated by periods. The internet community categorized IP addresses into five classes to cater for networks of different sizes; classes A, B and C are the ones widely used. The class of an address determines which bits represent the network ID and which represent the host ID, and hence the total number of networks and of hosts on each network. Class A addresses cover networks with many hosts: they allow 126 networks with roughly 17 million hosts each. Class B addresses cover medium sized networks and support 16,384 networks with about 65,000 hosts each. Class C addresses suit relatively small local area networks (LANs), with approximately 2 million networks and 254 hosts per network.
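As an added example (not from the original text), the following Python classifies an address by its leading bits and then performs the two-way split of the host ID bits described in the subnetting section above, for a chosen subnet mask; the addresses and the /20 mask are constructed for illustration.

```python
"""Classful addressing and subnetting: classify an IPv4 address, then split it
into network ID, subnet ID and host ID for a given subnet mask.
Added example (not from the original text); the addresses used are constructed."""
import ipaddress

# Default (classful) prefix lengths for the three widely used classes.
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr: str) -> str:
    """Return the class letter of a dotted-decimal IPv4 address from its leading bits."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first & 0x80 == 0:          # 0xxxxxxx
        return "A"
    if first & 0xC0 == 0x80:       # 10xxxxxx
        return "B"
    if first & 0xE0 == 0xC0:       # 110xxxxx
        return "C"
    if first & 0xF0 == 0xE0:       # 1110xxxx (multicast)
        return "D"
    return "E"


def split_address(addr: str, prefix: int) -> dict:
    """Split an address into network ID, subnet ID and host ID.

    The classful network ID uses the class default prefix; the bits between that
    prefix and the configured subnet prefix form the subnet ID, and the remaining
    bits form the host ID. Hosts per subnet excludes the all-zeros and all-ones
    host IDs, which are reserved.
    """
    cls = address_class(addr)
    if cls not in CLASS_PREFIX:
        raise ValueError(f"{addr} is a class {cls} address, not subnettable here")
    default = CLASS_PREFIX[cls]
    if prefix < default or prefix > 30:
        raise ValueError("subnet mask must borrow host bits and leave at least 2 host bits")
    value = int(ipaddress.IPv4Address(addr))
    subnet_bits = prefix - default
    host_bits = 32 - prefix
    net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    return {
        "class": cls,
        "network_id": value >> (32 - default),
        "subnet_id": (value >> host_bits) & ((1 << subnet_bits) - 1),
        "host_id": value & ((1 << host_bits) - 1),
        "subnets": 1 << subnet_bits,
        "hosts_per_subnet": (1 << host_bits) - 2,
        "subnet": str(net),
        "broadcast": str(net.broadcast_address),
    }


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True if two hosts share a subnet under the same mask (local delivery)."""
    net_a = ipaddress.IPv4Network(f"{a}/{prefix}", strict=False)
    net_b = ipaddress.IPv4Network(f"{b}/{prefix}", strict=False)
    return net_a == net_b


if __name__ == "__main__":
    # Constructed class B address with 4 host bits borrowed for subnetting.
    print(split_address("172.16.35.9", 20))
    print(same_subnet("172.16.35.9", "172.16.47.200", 20))
```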
Address Resolution Protocol (ARP)
When two machines communicate, an IP address identifies the destination machine. However, transmission of data takes place at the physical and data link layers, and for this purpose the physical (hardware) address of the destination machine must be used. Address resolution is the process of mapping IP addresses to hardware addresses. The address resolution protocol (ARP) obtains the hardware addresses of hosts on broadcast based networks: it acquires the hardware address of the target host or gateway by broadcasting a request for the destination's IP address on the local network (Athenaeum & Wetherall, 2005).
As soon as a hardware address is obtained, it is stored as an entry in the ARP cache together with its IP address. This ARP cache is always checked for an IP to hardware address mapping before an ARP request is transmitted. Before communication can take place between two hosts, the IP address of each host must be determined and mapped to the host's hardware address. An ARP request and reply constitute the address resolution process, with the following steps:
- An ARP request is started whenever a host attempts to communicate with another host. If IP determines that the destination IP address is local, it checks its cache for the hardware address of the destination. If no match is found, ARP constructs a request that asks, in effect, “who has this IP address; what is your hardware address?”
- The source host’s IP and hardware addresses form part of the request. The ARP request is transmitted over the network so that all the hosts on the same network can receive and process it.
- Every host on the network receives the broadcast and compares the requested IP address to its own; where there is no match, the request is ignored.
- The destination host recognizes that the IP address in the request matches its own. It then sends an ARP reply containing its hardware address directly to the source host.
- The destination host's ARP cache is also updated with the IP and hardware addresses of the source host. After the reply, the source host establishes the communication.
An ARP broadcast can generate considerable traffic on a network, thereby reducing network performance. To optimize this process, the results of an ARP broadcast are held in a cache for two minutes, and if the entry is not used within the two minutes, the entry is held for a further ten minutes within the cache before it is deleted. Entries in the ARP cache are automatically timed out so that stale mappings are removed when a hardware address changes or a network card is replaced.
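The request/reply exchange and cache behaviour described above, as an added simulation that is not part of the original text. The hosts, addresses and simulated clock are constructed; the aging uses the 2 and 10 minute figures from the text under the assumption that an entry used within its first two minutes is the one kept for the longer period.

```python
"""Simulation of the ARP request/reply exchange and ARP cache aging.
Added example, not from the original text; hosts and addresses are constructed."""
from dataclasses import dataclass, field

INITIAL_TTL = 120    # seconds an unused cache entry survives
EXTENDED_TTL = 600   # total lifetime once an entry has been used (assumption, see lead-in)


@dataclass
class CacheEntry:
    mac: str
    created: float
    expires: float


@dataclass
class Host:
    ip: str
    mac: str
    net: "Network"
    cache: dict = field(default_factory=dict)   # ip -> CacheEntry

    def _learn(self, ip, mac, now):
        self.cache[ip] = CacheEntry(mac, now, now + INITIAL_TTL)

    def _purge(self, now):
        for ip in [ip for ip, e in self.cache.items() if e.expires <= now]:
            del self.cache[ip]

    def resolve(self, target_ip, now):
        """Return the hardware address for target_ip, consulting the cache first."""
        self._purge(now)
        entry = self.cache.get(target_ip)
        if entry:
            # A cache hit extends the entry's life to EXTENDED_TTL from creation.
            entry.expires = max(entry.expires, entry.created + EXTENDED_TTL)
            return entry.mac
        # Cache miss: broadcast "who has target_ip? tell <self.ip>".
        reply = self.net.broadcast(self, target_ip, now)
        if reply is None:
            return None            # nobody answered; IP cannot deliver locally
        self._learn(target_ip, reply, now)
        return reply

    def on_request(self, sender, target_ip, now):
        """Every host receives the broadcast; only the addressed host answers."""
        if target_ip != self.ip:
            return None            # not for us: ignore
        # The target records the requester's mapping, then replies directly.
        self._learn(sender.ip, sender.mac, now)
        return self.mac


class Network:
    """One broadcast domain; counts broadcasts to show the cache saving traffic."""

    def __init__(self):
        self.hosts = []
        self.broadcasts = 0

    def attach(self, ip, mac):
        host = Host(ip, mac, self)
        self.hosts.append(host)
        return host

    def broadcast(self, sender, target_ip, now):
        self.broadcasts += 1
        for host in self.hosts:
            if host is not sender:
                mac = host.on_request(sender, target_ip, now)
                if mac:
                    return mac     # unicast reply back to the sender
        return None


if __name__ == "__main__":
    net = Network()
    a = net.attach("192.168.1.10", "02:00:00:00:00:0a")
    b = net.attach("192.168.1.20", "02:00:00:00:00:0b")
    print(a.resolve(b.ip, 0), net.broadcasts)     # miss: one broadcast
    print(a.resolve(b.ip, 60), net.broadcasts)    # hit: still one broadcast
```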
IP Routing
Routing is the process of choosing a path over which to send packets across a network. It takes place at an IP router or host whenever it transmits IP packets. A routing table stored in the memory of the host or router is consulted during the routing process. The table consists of entries giving the IP addresses of routers to other networks, which are used during communication. A configured router is only able to send packets to the networks in its table. During inter-host communication, IP first determines whether the destination host is local or remote. If it is remote, IP checks the routing table for a path to the remote network or host, and may use the IP address of a router to forward the packet across the network. The routing table is consulted repeatedly for the addresses of remote networks or hosts. If no path is available, an error message is sent back to the source.
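The lookup described above, as an added example that is not part of the original text: it decides local versus remote delivery, picks the most specific matching route, and reports an unreachable destination. The interface names, networks and next hops are constructed.

```python
"""Routing-table lookup: local vs remote, longest prefix match, unreachable.
Added example, not from the original text; interfaces and routes are constructed."""
import ipaddress


class RoutingTable:
    def __init__(self, interfaces):
        """interfaces: {name: "ip/prefix"} for the router's directly connected networks."""
        # Each route is (network, next_hop or None, interface); None = deliver directly.
        self.routes = []
        for iface, cidr in interfaces.items():
            net = ipaddress.IPv4Network(cidr, strict=False)
            self.routes.append((net, None, iface))

    def connected_interface(self, addr):
        """Name of the directly connected interface whose network contains addr, or None."""
        addr = ipaddress.IPv4Address(addr)
        for net, hop, iface in self.routes:
            if hop is None and addr in net:
                return iface
        return None

    def add_static(self, cidr, next_hop):
        """Add a manually configured route; the next hop must be directly reachable."""
        iface = self.connected_interface(next_hop)
        if iface is None:
            raise ValueError(f"next hop {next_hop} is not on a connected network")
        self.routes.append((ipaddress.IPv4Network(cidr), ipaddress.IPv4Address(next_hop), iface))

    def try_add_static(self, cidr, next_hop):
        """add_static wrapper returning True on success, False if the next hop is unreachable."""
        try:
            self.add_static(cidr, next_hop)
            return True
        except ValueError:
            return False

    def lookup(self, dst):
        """Return ("local", iface), ("remote", next_hop, iface) or ("unreachable", None)."""
        addr = ipaddress.IPv4Address(dst)
        best = None
        for net, hop, iface in self.routes:
            # Longest prefix match: a /24 route beats a /16, which beats the /0 default.
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop, iface)
        if best is None:
            # No path: the router reports an error (ICMP destination unreachable) to the source.
            return ("unreachable", None)
        net, hop, iface = best
        if hop is None:
            return ("local", iface)             # deliver on the segment (ARP for dst)
        return ("remote", str(hop), iface)      # hand to the next router (ARP for hop)


if __name__ == "__main__":
    rt = RoutingTable({"eth0": "192.168.1.1/24", "eth1": "10.0.0.1/30"})
    rt.add_static("172.16.0.0/16", "10.0.0.2")
    rt.add_static("0.0.0.0/0", "192.168.1.254")
    for dst in ("192.168.1.77", "172.16.9.9", "8.8.8.8"):
        print(dst, rt.lookup(dst))
```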
Static and Dynamic IP Routing
Static routers make use of routing tables which are constructed and updated manually. When a route is changed, static routers have no ability to share this information amongst themselves nor do they exchange routing information with dynamic routers.
Dynamic routing, on the other hand, is accomplished by the routing information protocol (RIP); open shortest path first (OSPF) may also be used. Dynamic routers periodically share routing information with each other during the dynamic routing process.
TCP/IP Services
E-mail, or electronic mail, is the transmission of messages over a communication network. Most e-mail systems include a basic text editor used to compose, edit and send messages. Messages are addressed using a specific e-mail address, which must be unique to the recipient. Electronic mailboxes store sent messages until the intended recipient retrieves them. All online services and internet service providers (ISPs) offer e-mail, and most also offer gateway functions that support the exchange of mail with users on other systems.
Simple Mail Transfer Protocol (SMTP)
Simple Mail Transfer Protocol (SMTP) specifies how mail is delivered from one system to another. It is a relatively straightforward protocol that makes a connection from the sender's server to the recipient's server and then transfers the message.
SMTP is used for:
- Delivering messages from the email client to the SMTP server
- Transferring messages between various SMTP servers
SMTP is not used to transfer a message from the recipient's SMTP server to the recipient's e-mail client, because it requires both the source and the destination to be connected to the internet at the same time.
Post Office Protocol 3 (POP3)
Post Office Protocol 3 (POP3) is a typical messaging protocol used for receiving e-mail. This protocol, which operates in a client server setup, ensures that e-mail is delivered to and stored on an internet server. One can then check their mailbox and download the mail. The internet message access protocol (IMAP) is an alternative to POP3 that is used to view e-mail on the server as though it were on the client computer. Both POP3 and IMAP are used for receiving e-mail; they differ from SMTP, which is used to transfer e-mail across the internet.
Hypertext Transfer Protocol (HTTP)
This protocol forms the basis of the web, where most information is stored in hierarchical or two dimensional sequences. Hypertext formatted documents, however, allow information to be accessed in any order and from any direction by using links from one document to another. These links are embedded in the documents and contain the uniform resource locator (URL) address of another location. The URL is used as the addressing system on the internet. A URL is unique because it contains all the information required to locate any internet resource. Typically a URL consists of five parts: the leftmost part defines the name of the protocol, followed by the fully qualified domain name (FQDN) of the server that holds the resource in question. The third portion of the URL is the port address, followed by the directory path to the resource, and finally the file name with the appropriate extension.
File Transfer Protocol (FTP)
This is a connection oriented protocol that is considered useful especially when transferring files between different operating systems. It may be used to move files in both directions between an FTP server and a client. An FTP site can be password restricted, meaning that a username and a password are required to access it. FTP operation involves logging on to the remote computer, browsing its directories and then transferring the required files. Browser software such as Internet Explorer makes this procedure much simpler by automatically logging one on to the FTP server, provided anonymous connections are allowed. FTP also supports copying files from the client computer to a server, and is thus more suitable for the transfer of files than HTTP.
Telnet
Another way of accessing information from servers is to log on to the remote computer using telnet. This service provides terminal emulation software that supports a remote connection to another computer. However, telnet has the disadvantage that one must know how to issue commands to the computer one is logged in to. Moreover, that computer must be able to grant access and must be running the telnet daemon service.
Simple Network Management Protocol (SNMP)
This is a component of TCP/IP originally developed to monitor and troubleshoot routers and bridges. SNMP provides the ability to monitor and communicate status information between terminal servers, wiring hubs, routers and gateways, and computers running Windows NT and LAN Manager servers. Structurally, SNMP has two components, agents and management systems, on a distributed architecture.
Ports
Application processes using TCP/IP for transport have unique identification numbers known as ports. Ports specify the communication path between the client and the server parts of an application; all server applications have pre-assigned port numbers. These assignments, ranging between 0 and 1023, are made by the internet assigned numbers authority (IANA).
Table 1 below lists some of the well known port numbers with their corresponding services. These port assignments are documented in RFC 1700.
Table 1: Ports numbers and corresponding process names
User datagram protocol (UDP) and TCP indicate the source and destination as port numbers within packet headers. The network operating system software sends data from the various applications onto the network and receives incoming packets from the network, matching them to their corresponding IP addresses and ports. “Firewalls are devices configured on the network to distinguish between packets, based on the source, and destination port numbers, services in this case, associate with the transport protocol ports using sockets” (Day, 2008, p.67). A socket is a software construct identified as the transport endpoint on a particular network. In summary, the 256 values categorized in the documentation for port numbers and their associated services are outlined below:
- 0 to 63 reserved for network wide standard functions
- 64 to 127 which covers the host specific functions
- 128 to 239 reserved for future use, and 240 to 255 for experimental functions
Ethernet
Ethernet is a term used to refer to a family of local area network (LAN) technologies. Ethernet comprises various wiring and signalling standards that focus on the physical layer. The standard was developed by Xerox PARC in 1975 (Blanc, 1974). Today Ethernet is a pattern describing a connection scheme for computers and data systems over a shared cable. The Ethernet specification covers functions similar to the physical and data link layers of the open systems interconnection (OSI) model of data communication.
Some of the typical features of Ethernet include:
- The use of a linear bus or star topology
- Baseband signalling
- Carrier sense multiple access with collision detection (CSMA/CD) as the access method
- Transfer speeds ranging from 10Mbps to 100Mbps
- Thicknet, thinnet or unshielded twisted pair (UTP) cable
- A maximum frame size of 1518 bytes
- A passive medium that draws power from the computer and therefore will not stop working unless the medium is improperly terminated or physically cut.
Ethernet arranges data in frames, each of which is a data unit transmitted individually. A frame has a length of between 64 and 1518 bytes, including the Ethernet header and trailer, which together are 18 bytes long. The data portion of the frame is therefore 46 to 1500 bytes long.
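An added example (not from the original text) that builds and checks a frame against the sizes just given: 18 bytes of header plus trailer, 46 to 1500 bytes of data, 64 to 1518 bytes overall, with short payloads padded up to the minimum. The addresses and payloads are constructed, and the trailer is computed as a CRC-32 frame check sequence (an assumption about the trailer's content, stated in the code).

```python
"""Ethernet frame construction and validation with the size limits above.
Added example, not from the original text; addresses and payloads are constructed."""
import struct
import zlib

MIN_DATA, MAX_DATA = 46, 1500
HEADER_LEN, FCS_LEN = 14, 4          # dst(6) + src(6) + type(2); 4-byte trailer = 18 total
MIN_FRAME, MAX_FRAME = 64, 1518


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, data: bytes) -> bytes:
    """Return header + padded data + FCS, or raise if the payload cannot fit."""
    if len(data) > MAX_DATA:
        raise ValueError("payload exceeds 1500 bytes; must be fragmented at a higher layer")
    # Short payloads are padded so the frame reaches the 64-byte minimum that
    # collision detection relies on. Padding is explicit zeros rather than
    # whatever happened to be in the buffer, so no stale memory is sent.
    if len(data) < MIN_DATA:
        data = data + bytes(MIN_DATA - len(data))
    header = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype)
    # Assumption: the trailer is the CRC-32 FCS over header and data, least
    # significant byte first, as on the wire.
    fcs = struct.pack("<I", zlib.crc32(header + data))
    return header + data + fcs


def parse_frame(frame: bytes):
    """Check length and FCS; return (dst, src, ethertype, data incl. padding) or raise."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError(f"frame length {len(frame)} outside {MIN_FRAME}..{MAX_FRAME} (runt or giant)")
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    (ethertype,) = struct.unpack("!H", body[12:HEADER_LEN])
    return mac_str(body[0:6]), mac_str(body[6:12]), ethertype, body[HEADER_LEN:]


def try_build_frame(dst, src, ethertype, data):
    """build_frame wrapper returning None instead of raising."""
    try:
        return build_frame(dst, src, ethertype, data)
    except ValueError:
        return None


def is_valid_frame(frame: bytes) -> bool:
    """True if the frame passes the length and FCS checks in parse_frame."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed broadcast frame carrying an ARP payload (EtherType 0x0806).
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806, b"hello")
    print(len(frame), parse_frame(frame)[:3])
```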
Ethernet was originally based on the concept of computers exchanging data over coaxial cable as the medium; this cable would traverse every building to interconnect the computers. In order to manage collisions on the medium, a scheme called carrier sense multiple access with collision detection (CSMA/CD) was introduced. “This scheme carrier was preferred because it was simpler than the token competing technologies which the computers used special kind of transceiver called attachment unit interfaces (AUIs) to provide connection to the cable” (Day, 2008, p.5). The Ethernet cable length was considered a limitation at that time: it was not possible to build very large networks using Ethernet, and so Ethernet repeaters were developed. Repeaters greatly improved signal strength over long distance transmissions.
Ethernet Standards
10BaseT
This Ethernet standard denotes a transmission speed of 10Mbps using baseband signalling over twisted pair cable; it uses unshielded twisted pair (UTP) for connections. 10BaseT is physically wired as a star, but its logical topology is a bus. The hub of a 10BaseT network acts as a multi-port repeater, and each computer sits at the end of a cable linked to the hub. Every computer is connected using two pairs of wire, one pair used to receive data and the other to transmit.
Other variants of the Ethernet standards are 10Base5 and 10BaseF; 10Base5 is the standard Ethernet implementation over thick coaxial cable, and 10BaseF runs over fiber optic cable. Regardless of the physical star topology, Ethernet uses repeaters, which enforce half duplex operation and the CSMA/CD scheme. The repeater, which is normally limited in capacity, also enforces collision signalling to deal with packet collisions. “The total through-put by the repeater depends on a single link and hence a uniform operating speed” (Day, 2008, p.5). Connectivity devices like repeaters define Ethernet segments, but they forward all data to every connected device. This becomes problematic because the entire network becomes one collision domain. Therefore, in order to address this issue, switching and bridging can be implemented to enable communication at the data link layer.
“The bridge, at this level, discovers the port address and forwards network traffic addressed to these ports” (Halsal, 1989, p.21). The use of bridges further enhances the mixing of speeds and results in the interconnection of more segments. As a result, fast Ethernet was introduced. It arose from increased demands for greater bandwidth, driven by faster server processors, innovative applications and more challenging environments that required higher network data transfer rates than the existing LANs provided. As networks grow, more users are served through server based applications, and network traffic increases as a result. One inevitable effect is that the average file server is strained by the throughput typical of today's LANs. Current data demanding applications, which include voice and video along with network server backups, demand reduced latency with enhanced data transmission speeds and reliability.
The popularity and reach of 10Mbps LANs make them a suitable springboard for faster networking technologies. Some of the key features of fast Ethernet include:
- It is based on the CSMA/CD protocol that defines the traditional Ethernet access technology. However, this standard decreases the time for which each bit is transmitted by a factor of ten. This raises the speed from 10Mbps to 100Mbps while requiring minimal changes to the network system. The challenging factor in implementing this technology is the collision detection function: while the bandwidth increases ten fold, the collision window shrinks to one tenth.
- Data is transmitted between Ethernet and fast Ethernet without protocol conversion, because fast Ethernet retains the old error control functions, frame format and frame length.
- These standards can use twisted pair and fiber optic cable as media.
- Fast Ethernet can be categorized into 100BaseTX, 100BaseT4 and 100BaseFX.
Other technologies that have competed with Ethernet can also be mentioned here; the most common of these is token ring.
Token Ring
Token ring was developed in 1984 to connect the full range of IBM computers. The objective was to allow twisted pair cable to connect a computer to a LAN through a wall socket. The wiring structure for this scheme is centralized. The features of token ring include:
- Star ring wired network topology.
- The ring is logically implemented on a central hub
- Token passing is utilized as the access method
- Can use shielded and unshielded twisted pair as well as fiber optic cabling
- Transfer rates that range from 4 to 16Mbps. The 16Mbps token ring reduces delay by placing the token back on the ring immediately after the data frame has been transmitted. Token ring switches, which support full duplex, can reach 32Mbps by transmitting and receiving simultaneously.
- Baseband transmission, with a maximum cable segment length of between 45 and 200 meters.
- A frame based technology with a maximum frame size of approximately 5,000 bytes.
Fiber distributed data interface (FDDI)
The fiber distributed data interface (FDDI) is a 100Mbps network that uses token passing and fiber optic media. It was released in 1986 and has been used as a metropolitan area network (MAN), campus area network (CAN) and local area network (LAN) technology. It provides a high speed backbone and is physically either a star or a ring, while the logical layout is a ring. Its media access control scheme is token passing. Copper distributed data interface (CDDI) is often used as a migration path to FDDI: it can use existing twisted pair cabling and otherwise functions in the same manner as FDDI. The FDDI specification is similar to 802.5 (token ring), but it supports higher bandwidth and a maximum segment distance of 100 kilometers. FDDI-2 adds sound and video handling and can use dual counter rotating rings to protect against media failure. If a failure occurs in such a setup, the nodes on either side of the break, known as dual attached stations (DASs), re-establish the ring by using the backup ring.
Frame relay
Frame relay is a high speed transmission scheme that uses a wide area network (WAN) protocol. It is implemented at the physical and data link layers of the open systems interconnection (OSI) model and works well over integrated services digital network (ISDN) interfaces. It is a packet switching technique that is still in use over a variety of other network interfaces (Stallings, 2006). In this setup, some users are permitted to use the available bandwidth during other users' idle periods. As a packet switching technology, frame relay makes use of two techniques: variable length packets, which support a more efficient and flexible data transfer process, and statistical multiplexing, which controls network access. Together these allow more flexible and efficient use of the available bandwidth. Today most local area networks (LANs) support the packet switching technique.
Asynchronous transfer mode (ATM)
Asynchronous transfer mode (ATM), unlike frame relay, is a cell relay technique. ATM uses small packets of fixed size, called cells, to carry data, video or voice. The network relies on a link already established between a transmitter and a receiver. ATM networks achieve very high data transmission speeds, typically between 155Mbps and 622Mbps. An ATM network implements cell switching and multiplexing technologies, which is necessary in order to obtain the benefits of circuit switching: guaranteed capacity and constant transmission delay. Packet switching, by contrast, offers more flexibility and efficiency for irregular traffic. ATM networks can also implement scalable bandwidth, which makes them more efficient than time division multiplexing, an example of a synchronous technology. ATM can be used over varied media such as coaxial, twisted pair and fiber optic cable intended for other communication systems.
Integrated services digital network (ISDN)
This is a service offered by telephone carriers to transmit digital data. In ISDN, digital signals are transmitted over the existing telephone network. The signals include text, voice, music, data, graphics and video, which are digitized and then transmitted over existing telephone wires (Stallings, 2006). This is currently used to implement telecommuting, high-speed file transfer, and video conferencing among other applications.
Synchronous optical network (SONET)
Synchronous optical network (SONET) is a wide area network oriented technology implemented using fiber optic cable as the key medium. The network transmits voice, data and video at high speeds. Synchronous transport signals (STS) and the synchronous digital hierarchy (SDH) are the American and European versions of this technology respectively.
Cable modem
This technology uses a cable modem, which acts like a bridge and supports bi-directional data communication. It is implemented using radio frequency signalling over hybrid fiber-coaxial (HFC) and RFoG infrastructures. The cable modem is suitable for broadband internet access because it supports high bandwidth infrastructures. Cable modems also come in handy with the advent of protocols such as voice over internet protocol (VoIP), because a cable modem can serve as a telephone in such a setup.
100VG-AnyLAN
This technology combines Ethernet and token ring. It is also known as 100VG-AnyLAN or 100BaseVG and has the following specifications:
- 100Mbps bandwidth
- Can be used to implement a cascaded star topology using category 3, 4 and 5 twisted pair and fiber optic cable
- The demand priority access method supports two priority levels, low and high
- Can be used to implement an option to filter individually addressed frames at the hub thereby enhancing privacy
Wireless Local Area Networks (IEEE.802.11)
A WLAN uses wireless transmission media; 802.11 is the standard used to implement wireless local area networks (LANs). WLANs are applied as LAN extensions, for building interconnection, for nomadic access and as on demand networks. They are also suitable for connecting devices over large open areas. In most cases a WLAN does not work in isolation: it is linked to a wired LAN at some point and so becomes a LAN extension. The typical WLAN setup includes a control module, which serves as the interface to the wireless LAN and can be either a bridge or a router linking the wireless LAN to a backbone (Mittag, 2007). The control module regulates access to the network by polling and token passing. User modules, on the other hand, may be hubs interconnecting a wired LAN, workstations or a server. When several wireless devices are grouped within the range of a single control module, the arrangement is called a single cell wireless LAN. For the cross building interconnect, a point to point wireless link is implemented between buildings; typically bridges or routers connect the devices in this case. The nomadic access approach involves a LAN hub and a number of mobile data terminal equipment such as laptops; both must be within operating range for transmission to succeed. An ad hoc network is a WLAN that is peer to peer in nature and is established to meet an immediate need. WLAN requirements include the following:
- A medium access scheme needed to optimize the use of available medium.
- A substantial number of nodes
- A connection to a wired LAN backbone
- Restricted surface area of a diameter that ranges between 100 and 300 meters.
- Available battery power source to power the mobile nodes.
- Well defined transmission robustness and security to deter eavesdropping
- Dynamic configuration to manage MAC addressing and network management
- Roaming capabilities to enable mobile user modules to move from one cell to the other.
WLAN is generally categorized based on the transmission technologies used. The three main categories are:
- Infrared LANs whose expanse is limited to a single room
- Spread spectrum LANs which will generally require no licensing to operate
- Narrow band microwave which operates at frequencies that may require licensing.
Table 2 below summarizes the wireless technologies available today.
Table 2: Wireless technologies.
Spread spectrum is becoming the most commonly used and dependable form of encoding for wireless communication. Its use improves reception while reducing the incidence of jamming and interception. The basic idea of spread spectrum is to modulate a signal so as to increase the bandwidth of the signal to be transmitted. There are three spread spectrum approaches worth mentioning:
- Frequency hopping spread spectrum: the signal is broadcast over various radio frequencies, hopping between them at defined time intervals.
- Direct sequence spread spectrum: every signal bit is translated into numerous bits for transmission. This is accomplished by use of a spreading code.
- Code division multiple access: several users make use of the same bandwidth with limited interference.
802.11 Architecture
A basic service set (BSS) constitutes the basic unit within a WLAN. This BSS involves various stations which run the same MAC protocol and share the same medium of transmission. The BSS can be standalone or interconnected to a distribution system (DS), via an access point (AP). The access point here acts as a bridge and the BSS is what is commonly known as a cell.
802.11 Architecture terminologies:
- Access point (AP): This is a station or node on a WLAN that offers access to the distribution system.
- Basic service set (BSS): These are a number of stations under a single operational command.
- Distribution system (DS): This is the interconnection that exists between BSS and integrated LANs.
- Extended service set (ESS): Consists of integrated LANs and BSSs that appear singularly at the logical link control (LLC) layer.
- MAC protocol data unit (MPDU): This is a data unit transmitted between two devices.
- MAC service data unit (MSDU): The unit of information shared between two users.
802.11 Services
A total of nine services are provided by the WLAN. They are implemented at an access point or another special purpose device and are summarized in the table below.
Table 3: Wireless LAN services.
- Association: This service defines the connection between a station and the access point device.
- Re-association: This is the transfer of an association between two access points.
- Disassociation: The notification between two access points that a connection is about to be ended.
- Authentication: Establishes the identity of each station to the other.
- De-authentication: The termination of an authentication service.
- Privacy: Established to stop the messages contents from being read by an unauthorized receiver.
WLAN Switches
“These devices are used to implement a link to the access points through a wired connection. The switches act like gateways to the wired network” (Halsal, 1989, p.21). Initially, in WLAN deployment, all access points were autonomous. However, a centralized architecture has gained popularity, providing the administrator with a structured method of network management: a controller carries out management, configuration and control of the network. A more recent innovation in WLANs is the fit access point (FitAP). This setup supports encryption while establishing the desired exchange, and is supported by new on-market chipsets that support WPA2. FitAPs also provide dynamic host configuration protocol (DHCP) relay, and other functions such as VLAN tagging, which relies on service set identifiers (SSIDs), are implemented in the FitAP as well.
Network Address Translation (NAT)
This process involves the dynamic modification of IP packet header addresses, carried out within a routing device. “The one to one network address translation process focuses on the IP addresses, the header checksum and other checksums which have the IP address of the packet that needs to be changed” (Holliday, 2003, p.1). Alternatively, one to many NAT alters the TCP/IP port information in outgoing packets while maintaining a translation table, so that returned packets can be correctly translated back using the information in the table. One to many NAT is also referred to as network address and port translation (NAPT). The NAT process usually occurs in the router. A number of port translation behaviours are available; full cone NAT is the most common of these and supports a one to one mapping.
At this juncture, the internal address is matched to an external one and as such, any external host is capable of sending packets through the internal address port as well as the external address of the port. For the restricted cone translation, once the internal and external addresses of the ports have been mapped, an external host sends packets to internal address only if the internal address had initially communicated to the external address. For the port restricted NAT, once the internal and external addresses have been mapped, an external host can transmit packets to the internal address by broadcasting them to the external port address if the internal port address had beforehand send a packet via the external host port. (Stallings, 2006, p.89)
Public and Private Addressing
Private networks that have no link to the internet can use any host addresses. Public addressing does not permit two network nodes to have the same IP address. Private addresses exist to counter the dwindling supply of public IP addresses, and the same private addresses can be reused for nodes that are directly interconnected to each other.
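The following is an added example, not code from the essay or from the works it cites, that models the one to many NAT (NAPT) described above together with the three filtering behaviours (full cone, restricted cone and port restricted) and the private addressing point made here: only hosts using private addresses are translated, since their addresses cannot be routed on the public internet. The private ranges used are the RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), which the essay does not name, and all addresses, ports and the `Napt`, `Packet` and `demo` names are constructed for the illustration.

```python
"""Toy NAPT model: outbound packets get a fresh public port per internal
(address, port) pair; inbound packets are mapped back, subject to the
cone-type filtering rules. Constructed example, not production code."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 private blocks, listed explicitly rather than via ipaddress.is_private,
# which also flags documentation ranges such as 203.0.113.0/24 used below.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_rfc1918(ip):
    """True if ip lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip, mode="full_cone", first_port=40000):
        assert mode in ("full_cone", "restricted_cone", "port_restricted")
        self.public_ip = public_ip
        self.mode = mode
        self.next_port = first_port
        self.out_map = {}   # (internal ip, internal port) -> external port
        self.in_map = {}    # external port -> (internal ip, internal port)
        self.peers = {}     # external port -> set of (peer ip, peer port) contacted

    def outbound(self, pkt):
        """Rewrite an internal->external packet and record the mapping."""
        if not is_private_rfc1918(pkt.src_ip):
            raise ValueError("only private source addresses are translated")
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:            # first packet from this pair: allocate a port
            ext_port = self.next_port
            self.next_port += 1
            self.out_map[key] = ext_port
            self.in_map[ext_port] = key
            self.peers[ext_port] = set()
        ext_port = self.out_map[key]
        self.peers[ext_port].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate an external->internal packet, or return None if filtered."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.in_map:
            return None                         # no mapping: unsolicited traffic is dropped
        contacted = self.peers[pkt.dst_port]
        if self.mode == "restricted_cone" and pkt.src_ip not in {ip for ip, _ in contacted}:
            return None                         # peer address never contacted by the internal host
        if self.mode == "port_restricted" and (pkt.src_ip, pkt.src_port) not in contacted:
            return None                         # peer address and port never contacted
        int_ip, int_port = self.in_map[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


def demo(mode):
    """Return which of three inbound probes the NAT forwards in the given mode:
    (the contacted host and port, the same host on another port, an unrelated host)."""
    nat = Napt("203.0.113.1", mode)
    out = nat.outbound(Packet("192.168.1.10", 5000, "198.51.100.7", 53))
    ext_port = out.src_port
    probes = [
        Packet("198.51.100.7", 53, "203.0.113.1", ext_port),    # host and port that were contacted
        Packet("198.51.100.7", 9999, "203.0.113.1", ext_port),  # same host, different port
        Packet("198.51.100.99", 53, "203.0.113.1", ext_port),   # unrelated host
    ]
    return tuple(nat.inbound(p) is not None for p in probes)


if __name__ == "__main__":
    for mode in ("full_cone", "restricted_cone", "port_restricted"):
        print(mode, demo(mode))
```

The three modes differ only in the `inbound` filter: full cone admits any external sender once a mapping exists, which is why it is the most permissive and the least protective; port restricted NAT admits only the exact peer the internal host spoke to, which is the behaviour closest to a stateful firewall.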
Domain Name Service (DNS)
The TCP/IP protocol suite uses the binary form of the IP address for locating hosts on a network. Dotted decimal notation is used for configuration purposes, but it is not particularly easy for humans to remember. This led to a unique, friendly name being assigned to each host on a TCP/IP network. There are two types of such names:
- Host name: an alias that the administrator assigns to a computer. Originally, a local file was held on each host to provide a lookup table matching host names with their corresponding IP addresses.
- Fully qualified domain name (FQDN): provides a unique identity for the host, avoiding duplicate host names.
Fully qualified domain names must adhere to the following rules:
- The host name must be unique within the domain.
- “The total length of the fully qualified domain name must be 255 characters or less with each node (part of the name defined by a period) having not more than 64 characters” (Holliday, 2003, p.1).
- FQDNs support alphanumeric characters and hyphens only.
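As an added example (not code from the essay or its sources), the checker below enforces the three rules just listed: a total length of at most 255 characters, a per-label limit (defaulting to the 64 quoted above from Holliday; RFC 1035 itself limits a label to 63 octets, so `max_label=63` enforces the RFC value), labels made of alphanumerics and hyphens only, and uniqueness of host names within a domain when a list of names is checked together. The function names `fqdn_problems` and `duplicate_hosts` and the sample names are constructed.

```python
"""Validate fully qualified domain names against the length and character rules
quoted in the text, and flag duplicate hosts within a zone. Added example."""
import re

# one label: alphanumerics and hyphen only
LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")


def fqdn_problems(name, max_label=64, max_total=255):
    """Return a list of rule violations for one FQDN (an empty list means valid).
    max_label defaults to the 64 quoted in the text; RFC 1035 uses 63."""
    problems = []
    name = name.rstrip(".")  # a trailing dot denotes the root and is not a label
    if len(name) > max_total:
        problems.append(f"total length {len(name)} exceeds {max_total}")
    for label in name.split("."):
        if not label:
            problems.append("empty label (leading, trailing or consecutive dots)")
        elif len(label) > max_label:
            problems.append(f"label '{label[:10]}...' has {len(label)} characters, exceeding {max_label}")
        elif not LABEL_RE.match(label):
            problems.append(f"label '{label}' contains characters other than alphanumerics and hyphen")
    return problems


def duplicate_hosts(fqdns):
    """Host names must be unique within their domain: return the FQDNs that
    occur more than once. DNS names are case-insensitive, so compare lowercased."""
    seen, dups = set(), set()
    for n in fqdns:
        key = n.rstrip(".").lower()
        if key in seen:
            dups.add(key)
        seen.add(key)
    return sorted(dups)


if __name__ == "__main__":
    # constructed sample zone listing
    zone = ["Web1.corp.example", "web1.corp.example.", "db.corp.example", "bad_host.corp.example"]
    for n in zone:
        print(n, fqdn_problems(n) or "ok")
    print("duplicates:", duplicate_hosts(zone))
```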
FQDNs and their corresponding IP addresses are held on a domain name service (DNS) server, although a local hosts file can also be used. Each domain must provide an authoritative DNS server that holds the information relating to that domain. Host names and FQDNs can be used with PING and other TCP/IP utilities in place of IP addresses. To make use of these friendly names, there must be a system for resolving a host name to its IP address and for ensuring that names are unique. Prior to the domain name service, a file called HOSTS was used. Resolving host names to IP addresses involved the InterNIC, the central authority that maintained a text file of host name to IP address mappings. Whenever a site needed to add a new internet-based host, the site administrator sent an email to the InterNIC giving the host name to IP address mapping, and the mapping was added by hand. Downloading the latest HOSTS file and installing a copy on each host was the task of the network administrator. Each host then performed name resolution by looking up a host name in its copy of the HOSTS file and locating the matching address. Keeping the file complete and accurate became too difficult as the number of hosts grew, which led to the development of DNS.
The DNS has a hierarchical and distributed structure for resolving names to IP addresses. It uses a distributed database that contains information about domains and the hosts found in those domains. The information is spread amongst name servers, each of which holds a portion of the database. Maintenance of the system is delegated, and because of this distributed nature the loss of one DNS server does not prevent name resolution from being performed. The DNS has its own network of servers that are consulted in turn until the correct resolution is returned for each request. At the top of the hierarchy there are nine root servers (A to I).
Immediately underneath the root lies the top level domain, labelled by the type of organization. In some countries, the top level domains are organized using the ISO country codes, such as uk for the United Kingdom, nl for the Netherlands and de for Germany. Beneath this level is the second level domain, which covers companies and governments with extensions such as com. or gov. By starting at the root and traversing the hierarchy, one can find information about a particular domain.
The root servers have complete information about the top level domain servers. In turn, these servers have information about the servers for the second level domains. Records within the DNS tell a server where missing information can be found. An FQDN reflects the hierarchy from the most specific part (the host) to the least specific (the top level domain). When the user types in a uniform resource locator (URL), the browser asks the DNS client software to determine the corresponding IP address. The local DNS client software then asks its DNS server to resolve the submitted name to an IP address. The request is transmitted to the root domain, where the server provides the requested IP address. That address is returned and stored in a local cache, and it is also passed back to the DNS client software. The address is then forwarded to the browser, which establishes the connection and opens the corresponding web page. This process takes only a few seconds.
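The walk down the hierarchy described above, as an added example that is not part of the essay or its sources: a toy resolver starts at a constructed root server, follows referrals through a top level domain server to the authoritative server for the second level domain, and caches the answer so that a repeated query costs no further lookups. The zone data, server names and the `Resolver` class are constructed; real DNS carries the same root, TLD and authoritative steps but with many more record types and with the referrals carried as NS records.

```python
"""Toy iterative DNS resolution over a constructed hierarchy: root -> TLD ->
authoritative server, with a local cache. Added example, not real DNS code."""

# Constructed zone data. Each server either delegates a suffix to another
# server (a referral) or holds address records for names it is authoritative for.
SERVERS = {
    "root": {"delegations": {"com": "tld-com", "uk": "tld-uk"}, "records": {}},
    "tld-com": {"delegations": {"example.com": "ns.example.com"}, "records": {}},
    "tld-uk": {"delegations": {"example.co.uk": "ns.example.co.uk"}, "records": {}},
    "ns.example.com": {"delegations": {},
                       "records": {"www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.25"}},
    "ns.example.co.uk": {"delegations": {}, "records": {"www.example.co.uk": "198.51.100.7"}},
}


class Resolver:
    def __init__(self, servers, max_hops=10):
        self.servers = servers
        self.cache = {}       # fqdn -> address (a real resolver would honour TTLs)
        self.queries = 0      # number of server round trips performed
        self.max_hops = max_hops

    def _ask(self, server_name, fqdn):
        """Query one server: an answer, a referral to the next server, or nxdomain."""
        self.queries += 1
        server = self.servers[server_name]
        if fqdn in server["records"]:
            return "answer", server["records"][fqdn]
        labels = fqdn.split(".")
        for i in range(len(labels)):              # longest matching suffix first
            suffix = ".".join(labels[i:])
            if suffix in server["delegations"]:
                return "referral", server["delegations"][suffix]
        return "nxdomain", None

    def resolve(self, fqdn):
        """Resolve an FQDN to an address, or None if no server knows it."""
        fqdn = fqdn.lower().rstrip(".")           # DNS names are case-insensitive
        if fqdn in self.cache:
            return self.cache[fqdn]
        server = "root"
        for _ in range(self.max_hops):            # bound the walk so a referral loop cannot hang
            kind, value = self._ask(server, fqdn)
            if kind == "answer":
                self.cache[fqdn] = value
                return value
            if kind == "referral":
                server = value
                continue
            return None
        return None


if __name__ == "__main__":
    r = Resolver(SERVERS)
    print(r.resolve("www.example.com"), "after", r.queries, "queries")
    print(r.resolve("WWW.example.com."), "after", r.queries, "queries (cache hit)")
    print(r.resolve("www.nothere.com"), "after", r.queries, "queries")
```

The bounded hop count and the cache are the two properties a practitioner cares about most: an unbounded walk would let a misconfigured or hostile delegation tie up the resolver, and the cache is what turns a three round-trip lookup into a local one on the second request.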
Network security management
Computer system security remains very important in order to guard the integrity of the stored information. The file system provides the mechanism for storing and accessing data and programs within the computer system. Information resident in the file system is vital and needs to be monitored in order to detect unauthorized and unexpected changes, thereby protecting the system against intrusion. The most effective way to detect host-based intrusions is by noting changes to the file system. On any networked platform, monitoring such changes is a considerable challenge for the administrator. Online threats remain a reality for today’s businesses, especially those relying on the internet. Active and passive attack incidents are escalating every day, and network administrators face the daunting task of detecting, controlling, or minimizing the effects of such attacks. Common methods of securing the facility include access control and auditing procedures. Perimeter systems that are sensitive to intrusions can be set up to boost physical security. An intrusion detection system (IDS) is one of the tools in the organization’s network security armoury, which also includes a firewall and antivirus software. The IDS complements a firewall to provide the desired network security for any organization.
In today’s enterprise networks and on the internet, there is a gap between the theoretical understanding of information security best practices and the reality of implementation. Much of this is due to the inability of network management staff to communicate the approach in a way that allows non-technical influencers and decision makers to grant executive sponsorship. A layered, defence-in-depth approach of policies, procedures and tools is well accepted as best practice for information security. Pressure for return on security investment (ROSI) has further exacerbated the difficulty of implementing the technology. Since 9/11, security has been elevated to an area of critical liability for many business continuity providers. Consequently, service and business continuity providers such as Cisco have asked how to protect the integrity of mission critical operations without limiting the flow of business, a question that corporate information security officers have been asking for a long time.
Intrusion detection systems (IDS)
These tools form part of the amalgamation known as the intrusion detection system (IDS). An IDS consists of application software and associated hardware capable of monitoring network activity in order to detect malicious activity or other violations of policy and procedure. The system actively monitors and reports back to the network administrator. Some intrusion detection systems also address intrusion prevention, the process of attempting to stop likely incidents once an intrusion has been detected. Generally, besides establishing a record of intrusion activity and generating appropriate notifications to the administrator, these systems can also rebuff threats, causing the intended attacks to fail. IDS broadly covers two main categories.
The network intrusion detection system (NIDS), which consists of an infrastructure of hardware as well as software, can identify intrusions by examining host activities as well as network traffic. “This is made possible through established connections to a network hub or switch or otherwise a configuration that can enable network tapping or the establishment of port mirrors” (Stallings, 2006, p.93). Often, the administrator will place sensors at the network borders or set up choke points; these are used to capture traffic on the network. Snort is an example of an NIDS that captures and analyzes the content of individual packets in order to identify malicious traffic.
The host based intrusion detection system (HIDS) is the other type of intrusion detection system. It relies on an agent installed on the host, which analyzes system calls as well as application logs.
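The log analysis a HIDS agent performs, as an added example that is not code from the essay, from Snort, or from any HIDS product: a handful of constructed sshd-style log lines are parsed, and a rule fires when one source address accumulates a threshold number of failed logins within a sliding time window. The log lines, addresses, the rule parameters and the `detect_bruteforce` name are all constructed for the illustration.

```python
"""Threshold rule over authentication log lines: alert when one source
produces `threshold` failed logins within `window_s` seconds. Added example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# constructed sample log (not captured from a real host)
LOG = """\
2024-03-01T10:00:01 sshd[201]: Failed password for invalid user admin from 203.0.113.5 port 5021
2024-03-01T10:00:03 sshd[202]: Failed password for root from 203.0.113.5 port 5022
2024-03-01T10:00:04 sshd[203]: Accepted publickey for alice from 198.51.100.9 port 6000
2024-03-01T10:00:06 sshd[204]: Failed password for root from 203.0.113.5 port 5023
2024-03-01T10:00:09 sshd[205]: Failed password for root from 203.0.113.5 port 5024
2024-03-01T10:00:10 sshd[206]: Failed password for bob from 198.51.100.9 port 6001
2024-03-01T10:09:00 sshd[207]: Failed password for root from 203.0.113.5 port 5030
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse(log):
    """Yield (timestamp, result, user, source ip) for each line the pattern matches."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_bruteforce(log, threshold=4, window_s=60):
    """Return one (ip, time, failures_in_window) alert per source that crosses the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ts, result, user, ip in parse(log):
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts.isoformat(), len(q)))
    return alerts


if __name__ == "__main__":
    for ip, when, count in detect_bruteforce(LOG):
        print(f"ALERT {when}: {count} failed logins from {ip} within 60s")
```

The sliding window is what keeps the rule useful: the same source's isolated failure nine minutes later does not re-trigger it, and a single failure from the legitimate user's address never reaches the threshold. Tuning `threshold` and `window_s` against the site's normal traffic is the usual way to trade false positives against missed detections.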
References
Athenaeum, A., & Wetherall, D.J. (2005). Computer networks (5th ed.). Upper Saddle River, NJ: Prentice Hall.
Blanc, R.P. (1974). Review of computer networking technology. National Bureau of Statistics, 1-136.
Day, J. (2008). Patterns in network architecture. Upper Saddle River, NJ: Prentice Hall.
Halsal, F. (1989). Data communications, computer networks and OSI (2nd ed.). Boston, MA: Addison Wesley.
Holliday, M.A. (2003). Animation of computer networking concepts. Journal on Educational Resources in Computing, 3(2), 1.
Mittag, L. (2007). Fundamentals of 802.11 protocols. Web.
Stallings, W. (2006). Data and computer communications (8th ed.). Upper Saddle River, NJ: Prentice Hall.