CHAPTER 2 : NETWORK ENVIRONMENT


1. PROTOCOL ANALYSIS

1.1. TCP/IP PROTOCOL SUITE

1.1.1. STANDS FOR TRANSMISSION CONTROL PROTOCOL/INTERNET PROTOCOL, THE SUITE OF COMMUNICATION PROTOCOLS USED TO CONNECT HOSTS ON THE INTERNET

1.1.2. A DE FACTO STANDARD ON THE INTERNET AND HAS BECOME THE PROTOCOL OF CHOICE ON LANS AND WANS

1.1.3. WOULD NOT HAVE BECOME SO POPULAR IF IT WEREN'T ROUTABLE. PROTOCOLS THAT CAN SPAN MORE THAN ONE LAN (OR LAN SEGMENT) ARE ROUTABLE BECAUSE THEY CARRY NETWORK LAYER ADDRESSING INFORMATION THAT CAN BE INTERPRETED BY A ROUTER

1.1.4. TCP OPERATES IN THE TRANSPORT LAYER OF THE OSI MODEL AND PROVIDES RELIABLE DATA DELIVERY SERVICES

1.2. TCP INTERFACES

1.2.1. EACH LAYER'S MAJOR FUNCTIONS ARE DISTINCT FROM ALL THE OTHERS, BUT LAYERS CAN BE COMBINED FOR PERFORMANCE REASONS

1.2.2. EACH IMPLEMENTED LAYER HAS AN INTERFACE WITH THE LAYERS ABOVE AND BELOW IT (EXCEPT FOR THE APPLICATION AND PHYSICAL LAYERS)

1.2.3. THERE IS A SERVICE INTERFACE BETWEEN EACH LAYER, BUT THESE ARE NOT STANDARDIZED AND VARY WIDELY BY OPERATING SYSTEM

1.3. PROBLEMS RELATED TO TCP

1.3.1. PACKET REPLICATION

1.3.1.1. PACKETS ARE RETRANSMITTED OVER THE NETWORK IF THERE IS CONGESTION OR IF A PACKET IS LOST

1.3.1.2. WHEN THE PACKET IS RETRANSMITTED, THE PACKET IS REPLICATED

1.3.2. CHECKSUM SERVER

1.3.2.1. PART OF THE TCP HEADER FIELD

1.3.2.2. A FAILED CHECKSUM INDICATES A PROBLEM WITH THE DATA IN A PACKET

1.3.2.3. IN THIS CASE, THE PACKET HAS TO BE RETRANSMITTED

1.3.3. PACKET LOSS

1.3.4. BOTTLENECK BANDWIDTH

1.3.4.1. A PHENOMENON WHERE THE PERFORMANCE OF A NETWORK IS LIMITED BECAUSE NOT ENOUGH BANDWIDTH IS AVAILABLE TO ENSURE THAT ALL DATA PACKETS IN THE NETWORK REACH THEIR DESTINATION

1.3.4.2. RATE AT WHICH ALL BANDWIDTH IS USED AND EVEN A SINGLE ADDITIONAL PACKET CANNOT BE ACCOMMODATED

1.4. IP DATAGRAM

1.4.1. MAXIMUM TRANSMISSION UNIT (MTU)

1.4.1.1. LARGEST SIZE PACKET OR FRAME, SPECIFIED IN OCTETS (EIGHT-BIT BYTES)

1.4.1.2. THAT CAN BE SENT IN A PACKET- OR FRAME-BASED NETWORK SUCH AS THE INTERNET

1.4.1.3. THE INTERNET'S TCP USES THE MTU TO DETERMINE THE MAXIMUM SIZE OF EACH PACKET IN ANY TRANSMISSION

1.4.2. FRAGMENTATION

1.4.2.1. AN INTERNET PROTOCOL (IP) PROCESS THAT BREAKS DATAGRAMS INTO SMALLER PIECES (FRAGMENTS)

1.4.2.2. SO THAT PACKETS MAY BE FORMED THAT CAN PASS THROUGH A LINK WITH A SMALLER MAXIMUM TRANSMISSION UNIT (MTU) THAN THE ORIGINAL DATAGRAM SIZE

1.4.2.3. CAN BE DONE AT THE SENDER OR AT INTERMEDIATE ROUTERS

1.4.2.4. THE SAME DATAGRAM CAN BE FRAGMENTED SEVERAL TIMES
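
The fragmentation behaviour in 1.4.2, worked through as an added example (not part of the original mind map): a datagram is fragmented at the sender, fragmented again at an intermediate router with a smaller MTU, then reassembled with gap and overlap checks. The names `Fragment`, `fragment` and `reassemble`, the 20-octet option-free IPv4 header, and the MTU values 1500 and 576 are assumptions chosen for illustration.

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20  # assumption: IPv4 header with no options


@dataclass(frozen=True)
class Fragment:
    offset: int           # fragment offset field, counted in 8-octet units
    more_fragments: bool  # MF flag: set on every piece except the last
    payload: bytes


def fragment(piece, mtu):
    """Split a datagram (or an existing fragment) to fit a link's MTU."""
    max_payload = (mtu - IP_HEADER_LEN) // 8 * 8  # offsets need multiples of 8
    if max_payload <= 0:
        raise ValueError("MTU too small to carry any payload")
    if IP_HEADER_LEN + len(piece.payload) <= mtu:
        return [piece]
    out = []
    for start in range(0, len(piece.payload), max_payload):
        last = start + max_payload >= len(piece.payload)
        out.append(Fragment(piece.offset + start // 8,
                            piece.more_fragments or not last,
                            piece.payload[start:start + max_payload]))
    return out


def reassemble(fragments):
    """Rebuild the payload; reject gaps, overlaps and a missing tail."""
    ordered = sorted(fragments, key=lambda f: f.offset)
    data = bytearray()
    for f in ordered:
        if f.offset * 8 != len(data):
            raise ValueError(f"gap or overlap at offset {f.offset}")
        data += f.payload
    if not ordered or ordered[-1].more_fragments:
        raise ValueError("final fragment missing")
    return bytes(data)


def demo():
    """Constructed sample: 3000-octet payload, MTU 1500 then MTU 576."""
    payload = bytes(i % 251 for i in range(3000))
    at_sender = fragment(Fragment(0, False, payload), 1500)
    at_router = [p for f in at_sender for p in fragment(f, 576)]
    return payload, at_sender, at_router


if __name__ == "__main__":
    _, sender, router = demo()
    for f in router:
        print(f.offset, f.more_fragments, len(f.payload))
```

The second pass keeps the MF flag set on every piece cut from a non-final fragment, which is what lets the receiver reassemble correctly no matter how many times the datagram was split along the path.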

1.4.3. ENCAPSULATION

1.4.3.1. WHEN DATA MOVES FROM UPPER LAYER TO LOWER LEVEL OF TCP/IP (OUTGOING TRANSMISSION) EACH LAYER INCLUDES A BUNDLE OF RELEVANT INFORMATION CALLED A HEADER ALONG WITH THE ACTUAL DATA

1.4.3.2. THE DATA PACKET CONTAINING THE HEADER AND DATA FROM THE UPPER LAYER THEN BECOMES THE DATA THAT IS REPACKAGED AT THE NEXT LOWER LEVEL WITH THE LOWER LAYER'S HEADER

1.4.3.3. HEADER IS THE SUPPLEMENTAL DATA PLACED AT THE BEGINNING OF A BLOCK OF DATA WHEN IT IS TRANSMITTED

1.4.3.4. THIS SUPPLEMENTAL DATA IS USED AT THE RECEIVING SIDE TO EXTRACT THE DATA FROM THE ENCAPSULATED DATA PACKET

1.4.3.5. THIS PACKING OF DATA AT EACH LAYER IS KNOWN AS DATA ENCAPSULATION

1.5. MODES IN ENCAPSULATING SECURITY PAYLOAD (ESP)

1.5.1. TYPICALLY IN AN IP NETWORK PACKET, THE ESP HEADER IS PLACED AFTER THE IP HEADER

1.5.2. THE COMPONENTS OF AN ESP HEADER INCLUDE SEQUENCE NUMBER, PAYLOAD DATA, PADDING, NEXT HEADER, AN INTEGRITY CHECK AND SEQUENCED NUMBER

1.5.3. TUNNEL MODE

1.5.3.1. PROTECT THE INTERNAL ROUTING INFORMATION BY ENCRYPTING THE IP HEADER OF THE ORIGINAL PACKET

1.5.3.2. ADDITIONAL HEADERS ARE ADDED TO THE PACKET SO PAYLOAD MSS IS LESS

1.5.3.3. THE ENTIRE IP PACKET IS ENCRYPTED AND/OR AUTHENTICATED

1.5.4. TRANSPORT MODE

1.5.4.1. PROTECTS THE INTERNAL ROUTING INFORMATION BY ENCRYPTING THE IP HEADER OF THE ORIGINAL PACKET

1.5.4.2. THE ORIGINAL PACKET IS ENCAPSULATED BY ANOTHER SET OF IP HEADERS

1.5.4.3. ADDITIONAL HEADERS ARE ADDED TO THE PACKET SO PAYLOAD MSS IS LESS

1.5.4.4. ONLY THE PAYLOAD OF THE IP PACKET IS USUALLY ENCRYPTED AND/OR AUTHENTICATED

1.6. IPV6 HEADER FORMAT

1.7. COMMON PROTOCOLS AND STANDARDS

1.7.1. DOMAIN NAME SERVER SECURITY (DNSSEC)

1.7.1.1. CREATED TO ADDRESS VULNERABILITIES IN THE DOMAIN NAME SYSTEM (DNS) AND PROTECT IT FROM ONLINE THREATS

1.7.1.2. THE PURPOSE OF DNSSEC IS TO INCREASE THE SECURITY OF THE INTERNET AS A WHOLE BY ADDRESSING DNS SECURITY WEAKNESSES

1.7.1.3. ADD AUTHENTICATION TO DNS TO MAKE THE SYSTEM MORE SECURE

1.7.2. GENERIC SECURITY SERVICES API (GSSAPI)

1.7.2.1. APPLICATION PROGRAMMING INTERFACE FOR PROGRAMS TO ACCESS SECURITY SERVICES

1.7.2.2. ADDRESSES THE PROBLEM OF MANY SIMILAR BUT INCOMPATIBLE SECURITY SERVICES IN USE TODAY

1.7.2.3. PROVIDES AN AUTHENTICATION, KEY EXCHANGE AND ENCRYPTION INTERFACE TO DIFFERENT CRYPTOGRAPHIC ALGORITHMS AND SYSTEMS

1.7.2.4. THE GSSAPI INTERFACE IS DIVIDED INTO 5 GROUPS OF SERVICES: CREDENTIAL MANAGEMENT SERVICES, CONTEXT-LEVEL SERVICES, AUTHENTICATION SERVICES, CONFIDENTIALITY SERVICES, SUPPORT SERVICES

1.7.3. SECURE HYPERTEXT TRANSFER PROTOCOL (SHTTP)

1.7.3.1. AN EXTENSION TO THE HYPERTEXT TRANSFER PROTOCOL (HTTP) THAT ALLOWS THE SECURE EXCHANGE OF FILES ON THE WORLD WIDE WEB

1.7.3.2. EACH S-HTTP FILE IS EITHER ENCRYPTED, CONTAINS A DIGITAL CERTIFICATE, OR BOTH

1.7.3.3. A MAJOR DIFFERENCE IS THAT S-HTTP ALLOWS THE CLIENT TO SEND A CERTIFICATE TO AUTHENTICATE THE USER

1.7.4. SECURITY TOKENS

1.7.4.1. A SMALL HARDWARE DEVICE THAT THE OWNER CARRIES TO AUTHORIZE ACCESS TO A NETWORK SERVICE

1.7.4.2. SECURITY TOKENS PROVIDE AN EXTRA LEVEL OF ASSURANCE THROUGH A METHOD KNOWN AS TWO-FACTOR AUTHENTICATION: THE USER HAS A PERSONAL IDENTIFICATION NUMBER (PIN)

1.7.4.3. WHICH AUTHORIZES THEM AS THE OWNER OF THAT PARTICULAR DEVICE

1.7.5. BLACKDUCK

1.7.5.1. ATTEMPTS TO ADDRESS THAT QUESTION WITH BLACK DUCK HUB, A SYSTEM THAT ALLOWS ENTERPRISE DEVELOPERS AND CODE AUDITORS TO CONTINUOUSLY AUDIT THE USE OF THIRD-PARTY OPEN SOURCE FOR KNOWN VULNERABILITIES

1.7.6. OPENLOGIC

1.7.6.1. ENABLES ENTERPRISES TO SAFELY AND SECURELY ACQUIRE, MANAGE AND CONTROL OPEN SOURCE SOFTWARE AND THEREBY REALIZE SIGNIFICANTLY HIGHER SAVINGS

1.7.7. SECURE SOCKETS LAYER (SSL)

1.7.7.1. COMPUTER NETWORKING PROTOCOL FOR SECURING CONNECTIONS BETWEEN NETWORK APPLICATION CLIENTS AND SERVERS OVER AN INSECURE NETWORK, SUCH AS THE INTERNET

2. KEY ELEMENTS IN A NETWORK

2.1. NODES

2.1.1. CAN BE A COMPUTER, PRINTER OR ANY OTHER DEVICE CAPABLE OF SENDING AND/OR RECEIVING DATA GENERATED BY OTHER NODES ON THE NETWORK

2.2. NETWORK BACKBONE

2.2.1. PART OF A COMPUTER NETWORK THAT INTERCONNECTS VARIOUS PIECES OF THE NETWORK, PROVIDING A PATH FOR THE EXCHANGE OF INFORMATION BETWEEN DIFFERENT LANS OR SUBNETWORKS

2.3. SEGMENTS

2.3.1. A SMALL SECTION OF A NETWORK

2.4. SUBNETS

2.4.1. A LOGICALLY VISIBLE SUBDIVISION OF AN IP NETWORK

3. IP AND VIRTUAL ADDRESSES

3.1. IP ADDRESS

3.1.1. A NUMERICAL LABEL ASSIGNED TO EACH DEVICE (E.G., COMPUTER, PRINTER) PARTICIPATING IN A COMPUTER NETWORK THAT USES THE INTERNET PROTOCOL FOR COMMUNICATION

3.2. INTERNET SERVICE PROTOCOL VERSION 4 (IPV4)

3.2.1. CONSISTS OF FOUR SECTIONS

3.2.2. EACH SECTION IS 8 BITS LONG

3.2.3. EACH SECTION CAN RANGE FROM 0 TO 255

3.2.4. EXAMPLE : 198.121.2.1

3.2.5. CONSISTS OF 32 BITS

3.3. INTERNET SERVICE PROTOCOL VERSION 6 (IPV6)

3.3.1. BEING DEPLOYED TO FULFILL THE NEED FOR MORE INTERNET ADDRESSES

3.3.2. CONSISTS OF 128 BITS

3.3.3. ALLOW FOR APPROXIMATELY THREE HUNDRED AND FORTY TRILLION, TRILLION UNIQUE IP ADDRESSES

3.3.4. EXAMPLE : FDEC:BA98:7654:3210:ADBF:BBFF:2922:FFFF

3.4. VIRTUAL IP ADDRESS

3.4.1. AN IP ADDRESS THAT IS SHARED AMONG MULTIPLE DOMAIN NAMES OR MULTIPLE SERVERS

3.4.2. ELIMINATES A HOST'S DEPENDENCY UPON INDIVIDUAL NETWORK INTERFACES

3.4.3. INCOMING PACKETS ARE SENT TO THE SYSTEM'S VIPA ADDRESS BUT ALL PACKETS TRAVEL THROUGH THE REAL NETWORK INTERFACES

4. CATEGORIES AND FUNCTION OF GATEWAYS

4.1. GATEWAY

4.1.1. CATEGORIES

4.1.1.1. WEB SERVER, WORKSTATION

4.1.2. FUNCTION

4.1.2.1. JOINS TWO NETWORKS SO THE DEVICES ON ONE NETWORK CAN COMMUNICATE WITH THE DEVICES ON ANOTHER NETWORK