
Chapter 4 Network Protocols and Services

Cybersecurity analysts work to identify and analyze the traces of network security incidents. These traces consist of
records of network events. These events, recorded in log files from various devices, are primarily composed of details
of network protocol operations. Addresses identify which hosts connected to each other, within an organization, or to
distant hosts on the Internet. Addresses held in log files also identify which hosts connected with, or attempted to
connect with, hosts within an organization. Other traces, in the form of protocol addresses, identify what the network
connections attempted to do, and whether this behavior was normal, suspicious, or damaging. Finally, network traces
are recorded for the applications that enable us to receive and use information from the network. From all of these
traces, cybersecurity analysts detect threats to the security of organizations and their data.

Cybersecurity analysts must understand the network on which normal data travels so that they can detect the
abnormal behavior that is created by hackers, malevolent software, and dishonest users of the network. Protocols are
at the heart of network communications, and network services support the tasks that we perform using the network.
This chapter provides an overview of how networks normally behave through a discussion of the protocols in the
TCP/IP suite of protocols, and associated services that enable us to accomplish tasks on computer networks.

1.1. Views of the Network


Networks come in all sizes. They can range from simple networks consisting of two computers to networks
connecting millions of devices.

Home office networks and small office networks are often set up by individuals who work from a home or a
remote office and need to connect to a corporate network or other centralized resources. Additionally, many self-
employed entrepreneurs use home office and small office networks to advertise and sell products, order supplies,
and communicate with customers.

In businesses and large organizations, networks can be used on an even broader scale to provide consolidation,
storage, and access to information on network servers. Networks also allow for rapid communication such as
email, instant messaging, and collaboration among employees. In addition to internal benefits, many
organizations use their networks to provide products and services to customers through their connection to the
Internet.

The Internet is the largest network in existence. In fact, the term Internet means a ‘network of networks’. The
Internet is literally a collection of interconnected private and public networks.

1.2. Client Server Communications


All computers that are connected to a network and that participate directly in network communication are
classified as hosts. Hosts are also called end devices, endpoints, or nodes. Much of the interaction between end
devices is client-server traffic. For example, when you access a web page on the Internet, your web browser (the
client) is accessing a server. When you send an email message, your email client will connect to an email server.

Servers are simply computers with specialized software. This software enables servers to provide information to
other end devices on the network. A server can be single-purpose, providing only one service, such as web
pages. A server can be multipurpose, providing a variety of services such as web pages, email, and file
transfers.

Client computers have client software installed, such as web browsers, email clients, and file transfer programs. This
software enables them to request and display the information obtained from the server. A single computer can also run
multiple types of client software. For example, a user can check email and view a web page while listening to Internet
radio.

1.3. A Typical Session


A typical network user at school, at home, or in the office, will normally use some type of computing device to
establish many connections with network servers. Those servers could be located in the same room or around
the world. Let’s look at a few typical network communication sessions.

Terry is a high school student whose school has recently started a “bring your own device” (BYOD) program.
Students are encouraged to use their cell phones or other devices such as tablets or laptops to access learning
resources. Terry has just been given an assignment in language arts class to research the effects of World War I
on the literature and art of the time. She enters the search terms she has chosen into a search engine app that
she has opened on her cell phone.

Terry has connected her phone to the school Wi-Fi network. Her search is submitted from her phone to the
school network wirelessly. Before her search can be sent, the data must be addressed so that it can find its way
back to Terry. Her search terms are then represented as a string of binary data that has been encoded into radio
waves. Her search string is then converted to electrical signals that travel on the school’s wired network until they
reach the place at which the school’s network connects to the Internet Service Provider’s (ISP) network. A
combination of technologies takes Terry’s search to the search engine website.

For example, Terry’s data flows with the data of thousands of other users along a fiber-optic network that
connects Terry’s ISP with several other ISPs, including the ISP that is used by the search engine company.
Eventually, Terry’s search string enters the search engine company’s website and is processed by its powerful
servers. The results are then encoded and addressed to Terry’s school and her device.

All of these transitions and connections happen in a fraction of a second, and Terry has started on her path to
learning about her subject.

1.4. A Typical Session: Gamer


Michelle loves computer games. She has a powerful gaming console that she uses to play games against other
players, watch movies, and play music. Michelle connects her game console directly to her network with a
copper network cable.

Michelle’s network, like many home networks, connects to an ISP using a router and a cable modem. These
devices allow Michelle’s home network to connect to a cable TV network that belongs to Michelle’s ISP. The
cable wires for Michelle’s neighborhood all connect to a central point on a telephone pole and then connect to a
fiber-optic network. This fiber-optic network connects many neighborhoods that are served by Michelle’s ISP.

All those fiber-optic cables connect to telecommunications services that provide access to the high-capacity
connections. These connections allow thousands of users in homes, government offices, and businesses to
connect to Internet destinations around the world.

Michelle has connected her game console to a company that hosts a very popular online game. Michelle is
registered with the company, and its servers keep track of Michelle’s scores, experiences, and game assets.
Michelle’s actions in her game become data that is sent to the gamer network. Michelle’s moves are broken up into
groups of binary data that each consist of a string of zeros and ones. Information that identifies Michelle, the
game she is playing, and Michelle’s network location are added to the game data. The pieces of data that
represent Michelle’s game play are sent at high speed to the game provider’s network. The results are returned
to Michelle in the form of graphics and sounds.

All of this happens so quickly that Michelle can compete with hundreds of other gamers in real-time.

1.5. A Typical Session: Surgeon


Dr. Ismael Awad is an oncologist who performs surgery on cancer patients. He frequently needs to consult with
radiologists and other specialists on patient cases. The hospital that Dr. Awad works for subscribes to a special
service called a cloud. The cloud allows medical data, including patient X-rays and MRIs, to be stored in a central
location that is accessed over the Internet. In this way, the hospital does not need to manage paper patient
records and X-ray films.

When a patient has an X-ray taken, the image is digitized as computer data. The X-ray is then prepared by
hospital computers to be sent to the medical cloud service. Because security is very important when working with
medical data, the hospital uses network services that encrypt the image data and patient information. Because the
data is encrypted, it cannot be read even if it is intercepted as it travels across the Internet to the cloud service
provider’s data centers. The data is addressed so that it can be routed to the cloud provider’s data center to reach the
correct services that provide storage and retrieval of high-resolution digital images.

Dr. Awad and the patient’s care team can connect to this special service, meet with other doctors in audio
conferences and discuss patient records to decide on the best treatment that can be provided to the patient. Dr.
Awad can work with specialists from diverse locations to view the medical images and other patient data and
discuss the case.

All of this interaction is digital and takes place using networked services that are provided by the medical cloud
service.

1.6. Tracing the Path


We tend to think about the data networks we use in our daily lives as we think about driving a car. We do not
really care what happens in the engine as long as the car takes us where we want to go. However, just like a
car’s mechanic knows the details of how a car operates, cybersecurity analysts need to have a deep
understanding of how networks operate.

When we connect to a website to read social media or shop, we seldom care about how our data gets to the
website and how data from the website gets to us. We are not aware of the many technologies that enable us to
use the Internet. A combination of copper and fiber-optic cables that go over land and under the ocean carry data
traffic. High-speed wireless and satellite technologies are also used. These connections connect
telecommunications facilities and ISPs that are distributed throughout the world, as shown in the figure. These
global Tier 1 and Tier 2 ISPs connect portions of the Internet together, usually through an Internet Exchange
Point (IXP). Larger networks will connect to Tier 2 networks through a Point of Presence (PoP), which is usually
a location in the building where physical connections to the ISP are made. The Tier 3 ISPs connect homes and
businesses to the Internet.

Because of different relationships between ISPs and telecommunications companies, traffic from a computer to
an Internet server can take many paths. The traffic of a user in one country can take a very indirect path to reach
its destination. The traffic might first travel from the local ISP to a facility that has connections to many other
ISPs. A user’s Internet traffic can go many hundreds of miles in one direction only to be routed in a completely
different direction to reach its destination. Some of the traffic can take certain routes to reach the destination, and
then take completely different routes to return.

Cybersecurity analysts must be able to determine the origin of traffic that enters the network, and the destination
of traffic that leaves it. Understanding the path that network traffic takes is essential to this.
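
The task described above, determining the origin of traffic that enters the network and the destination of traffic that leaves it, can be sketched as follows. This is an added example, not part of the original chapter: it labels each connection record as internal, outbound, or inbound and counts external sources whose inbound attempts were denied. The log format, the internal address ranges, and every sample record are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: the organization's internal address space (RFC 1918 ranges as a stand-in).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.1.4.22 10.1.0.5 445 ALLOW
2024-05-01T09:00:03Z 10.1.4.22 198.51.100.7 443 ALLOW
2024-05-01T09:00:07Z 203.0.113.50 10.1.0.80 22 DENY
2024-05-01T09:00:08Z 203.0.113.50 10.1.0.80 3389 DENY
2024-05-01T09:00:09Z 203.0.113.9 10.1.0.80 443 ALLOW
not a log line
"""

def is_internal(addr):
    """True if addr falls inside one of the organization's networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in INTERNAL_NETS)

def classify(src, dst):
    """Label a connection by where it originates and where it terminates."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    return "inbound" if d else "transit"

def parse(log_text):
    """Parse records, skipping lines that do not match the assumed format."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, action = parts
        try:
            rec = {"ts": ts, "src": src, "dst": dst, "port": int(port),
                   "action": action, "direction": classify(src, dst)}
        except ValueError:
            continue  # malformed address or port
        records.append(rec)
    return records

def denied_inbound_sources(records):
    """Count denied inbound attempts per external source address."""
    return Counter(r["src"] for r in records
                   if r["direction"] == "inbound" and r["action"] == "DENY")
```
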

1.7. What Are the Protocols


Simply having a wired or wireless physical connection between end devices is not enough to enable
communication. For communication to occur, devices must know “how” to communicate. Communication,
whether face-to-face or over a network, is governed by rules called protocols. These protocols are specific to
the type of communication method occurring.

For example, consider two people communicating face-to-face. Prior to communicating, they must agree on how
to communicate. If the communication is using voice, they must first agree on the language. Next, when they
have a message to share, they must be able to format that message in a way that is understandable. For
example, if someone uses the English language, but poor sentence structure, the message can easily be
misunderstood. Figure 1 shows an example of communication not adhering to protocols for grammar and
language.

Network protocol communication works the same way. Network protocols provide the means for computers to
communicate on networks. Network protocols dictate the message encoding, formatting, encapsulation, size,
timing, and delivery options, as shown in Figure 2. As a cybersecurity analyst, you must be very familiar with
the structure of protocols and how they are used in network communications.
