This blog is the first of three in a series that goes over some basic networking fundamentals every security professional should know. These posts are geared toward the absolute beginner and cover many different topics at a high level. They are designed to be an entry point into the networking realm and definitely not the end-all-be-all of everything you should know. If you are new, I would advise you, after you’re done with this blog, to continue learning about each of these technologies. The more you understand about how they work, the more they can be used to your advantage!
Pretty much every application or business function relies on the network layer in some way, shape, or fashion. Whether we have a webpage being served across the public internet, a workstation internally running SQL queries against a server in a data center, or our CISO sitting on a beach in Italy checking his email and complaining about latency, none of these activities (and many more) can happen without small- and large-scale computer networks. Because so much of what is done with computers these days depends on networks, I believe it is important that not just every security professional, but every IT professional, has at least a basic understanding of networking fundamentals.
The OSI Model gives a visual representation of the seven layers that computer systems utilize to communicate over a network. While the modern internet is based on the simpler TCP/IP model, the OSI model is still widely used, as it helps visualize how networks operate, and allows networking engineers to isolate and troubleshoot network related issues.
I will describe each OSI layer from the bottom up. It is important to note that each layer cannot function unless the layer beneath it is fully functional. For example, the Data Link layer will never function if the Physical layer is not working correctly.
• Physical Layer – The physical layer covers the physical medium and hardware required for each device on a network to communicate with one another. This can include Ethernet cabling, fiber optics, or radio signals used for wireless transmission.
• Data Link Layer – The data link layer establishes and ends a connection between two physically connected end points on a network. The two major protocols at this layer are Media Access Control (MAC) which is how endpoints address each other on a network, and Logical Link Control (LLC) which identifies other network protocols and performs error checking.
• Network Layer – The network layer uses Internet Protocol (IP) Addresses to route packets across computer networks.
• Transport Layer – The transport layer handles flow control, error checking, and re-requesting data if it was sent/received incorrectly.
• Session Layer – The session layer creates sessions between devices. It is responsible for maintaining a session while data is transferred and then closing the connection when the data transfer ends.
• Presentation Layer – The presentation layer handles how applications should compress, encode, or encrypt data before transmission.
• Application Layer – The application layer is what is used by end users. These are things like email clients, web browsers, games, etc.
On each layer there exist specific network protocols. A protocol takes the large-scale process of sending data from one endpoint to another and breaks it down into smaller functions that devices can use as a blueprint to communicate with each other. Without protocols in place, different device manufacturers and software programmers would have a heck of a time trying to communicate with other devices, since each would be trying to communicate in a different way. Here are some common protocols in use today:
- IEEE 802.x Suite – Covers the physical transmission standards for computer networking, both wired and wireless.
- Internet Protocol Version 4 (IPv4) – The fourth version of IP and the core protocol of internetworking as we know it today.
- Internet Protocol Version 6 (IPv6) – The updated version of IPv4, intended to replace IPv4… at some point. Offers more address space plus additional security and configuration features.
- Transmission Control Protocol (TCP) – Provides reliable, ordered, and error-checked delivery of data.
- User Datagram Protocol (UDP) – A connectionless datagram protocol that prioritizes speed over reliability.
- Transport Layer Security (TLS) – Cryptographic protocols designed to provide secure communication over a computer network.
- Domain Name System (DNS) – The naming system for computers, services, or other resources connected to the Internet or a private network.
- Dynamic Host Configuration Protocol (DHCP) – The protocol used for assigning IP addresses and other network parameters to devices on a network.
In computer networking, a port is a logical construct the operating system uses to identify a particular process or service running on the machine. While nothing says a service has to run on a specific port, most people and organizations opt to use the standard ports for common services. We can often quickly identify what services might be running on an endpoint by finding which ports it has open. Here is a list of a few common ports:
- 20 – File Transfer Protocol (FTP) Data Transfer
- 21 – File Transfer Protocol (FTP) Command Control
- 22 – Secure Shell (SSH)
- 23 – Telnet
- 25 – Simple Mail Transfer Protocol (SMTP)
- 53 – Domain Name System (DNS)
- 80 – Hypertext Transfer Protocol (HTTP)
- 88 – Kerberos
- 110 – Post Office Protocol (POP3)
- 123 – Network Time Protocol (NTP)
- 139 – Network Basic Input Output System (NetBIOS)
- 161 – Simple Network Management Protocol (SNMP)
- 389 – Lightweight Directory Access Protocol (LDAP)
- 443 – Hypertext Transfer Protocol Secure (HTTPS)
- 445 – Server Message Block (SMB) over IP
- 3389 – Remote Desktop Protocol (RDP)
One of the most common relationships between two endpoints is the client-server relationship. In this setup a client makes a service request to a server. For example, consider a user accessing a webpage. A client can reach a specific web server by using its Internet Protocol (IP) address and then speaking the HTTP protocol on port 80 or the HTTPS protocol on port 443. So if I wanted to access the Red Siege website, I could do so by opening a web browser and typing https://18.104.22.168:443 into the address bar. The web server where the Red Siege site is hosted is waiting for a client to initiate a request on port 443 so that the data transfer can begin. In a client/server relationship it is up to the server to manage the content and up to the client to initiate the connection.
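To make the port and client/server roles concrete, here is an added example (my own code, not part of the original post or anything Red Siege publishes) that runs a tiny server and client on localhost. It assumes nothing beyond the Python standard library; the server binds to port 0 so the OS picks a free port instead of a privileged one like 80 or 443, and the result shows that the server's well-known port and the client's ephemeral port identify the process on each end.

```python
import socket
import threading

def serve_one_client(listen_sock, seen):
    """Server role: wait for a client to connect, then answer its request."""
    conn, peer = listen_sock.accept()        # blocks until a client initiates
    with conn:
        seen["request"] = conn.recv(1024)
        seen["client_port"] = peer[1]        # ephemeral port the client's OS picked
        body = b"hello from the server"      # the server manages the content
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s"
                     % (len(body), body))

def client_server_exchange():
    """Run server and client on localhost and report what each side saw."""
    # Server side: bind to an address and port, then listen.  Port 0 lets the OS
    # pick a free port so the example runs anywhere; a web server would use 80/443.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    server_port = srv.getsockname()[1]
    seen = {}
    worker = threading.Thread(target=serve_one_client, args=(srv, seen))
    worker.start()

    # Client side: it is the client that initiates, using the server's IP and port.
    with socket.create_connection(("127.0.0.1", server_port)) as cli:
        cli.sendall(b"GET / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
        response = b""
        while chunk := cli.recv(1024):       # read until the server closes
            response += chunk
    worker.join()
    srv.close()
    return {"server_port": server_port, "client_port": seen["client_port"],
            "request": seen["request"], "response": response}

if __name__ == "__main__":
    r = client_server_exchange()
    print("server listened on", r["server_port"], "client came from", r["client_port"])
    print(r["response"].decode())
```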
When a client and a server first initiate a connection, it begins with what is commonly referred to as a three-way handshake. The TCP protocol uses this handshake to establish a connection before data transfer begins.
In the first step, when a client wants to establish a connection with a server, it begins by sending a Synchronize Sequence Number (SYN) packet. This SYN packet lets the server know that the client is ready to start communicating and what sequence number it will begin with.
The second step happens when the server responds to the client’s request with a SYN-ACK packet. The SYN portion of the response tells the client what sequence number return data will begin with. The Acknowledgement (ACK) portion confirms that the server accepts the sequence number the client proposed.
The third step is the final part of the three-way handshake, in which the client sends an ACK packet back to the server acknowledging that the server’s sequence number is accepted. Once the third step completes successfully, the connection is established and data transfer can begin.
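The three steps above, modelled as an added example (my own code, not from the original post) so you can see the sequence numbers change hands. It assumes a simplified segment with only the SYN/ACK flags, a sequence number and an acknowledgement number, and each side checks that the acknowledgement it receives equals its own initial sequence number plus one before moving to ESTABLISHED.

```python
import random
from dataclasses import dataclass, field

@dataclass
class Segment:
    syn: bool = False
    ack: bool = False
    seq: int = 0       # sequence number carried by this segment
    ack_num: int = 0   # next sequence number the sender expects from its peer

@dataclass
class Endpoint:
    state: str = "CLOSED"
    # Initial Sequence Number (ISN), chosen at random by each side.
    isn: int = field(default_factory=lambda: random.randrange(2**32 - 1))
    peer_seq: int = 0  # the ISN learned from the other side during the handshake

def client_syn(client):
    """Step 1: the client sends SYN carrying the sequence number it will start with."""
    client.state = "SYN_SENT"
    return Segment(syn=True, seq=client.isn)

def server_syn_ack(server, seg):
    """Step 2: a listening server answers a SYN with SYN-ACK (its own ISN + an ACK)."""
    if server.state != "LISTEN" or not seg.syn or seg.ack:
        return None                      # not a connection request; ignore it
    server.peer_seq = seg.seq
    server.state = "SYN_RECEIVED"
    return Segment(syn=True, ack=True, seq=server.isn, ack_num=seg.seq + 1)

def client_ack(client, seg):
    """Step 3: the client checks the server accepted its ISN, then ACKs the server's."""
    if not (seg.syn and seg.ack) or seg.ack_num != client.isn + 1:
        client.state = "CLOSED"
        return None                      # wrong ACK number: a real stack would reset
    client.peer_seq = seg.seq
    client.state = "ESTABLISHED"
    return Segment(ack=True, seq=client.isn + 1, ack_num=seg.seq + 1)

def server_established(server, seg):
    # The server completes the handshake only if the final ACK matches its ISN + 1.
    if server.state != "SYN_RECEIVED" or not seg.ack or seg.ack_num != server.isn + 1:
        return False
    server.state = "ESTABLISHED"
    return True

def handshake(client, server):
    """Run the three steps in order; True once both sides are ESTABLISHED."""
    server.state = "LISTEN"
    syn_ack = server_syn_ack(server, client_syn(client))
    ack = client_ack(client, syn_ack) if syn_ack else None
    return bool(ack) and server_established(server, ack)
```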