Understanding Network Technology to Avoid Peeking into Messages
Sanjay Upadhyay
Transformative IT Leader | Cybersecurity & IT Project Management | Proven Success in Leading Global Teams & Driving Technological Innovation | Certified Cybersecurity Professional
When you use a web browser, all seven OSI layers are taken care of for you. We just focus on browsing; there is no need for us to understand the networking protocols, or how messages are sent back and forth to pull and display information.
From a security perspective, however, it is easy to peek into these messages in transit and falsify the information in order to manipulate the system. It is therefore critical to understand network operations and technology in order to improve security.
Initially, the computer exerts an influence over you: the more you use it, the more it alters the way you work. Now that we are suddenly more reliant on services that allow us to work and learn from home, this reminds me of Marshall McLuhan's statement that "the medium is the message", celebrating the transformative power of communication technologies. When a new medium comes along, people are mesmerised by the content it carries.
For example, you care about the opinion piece in the Financial Times, your favourite song on Spotify, that show on Netflix, or the conversation with a particular person on Messenger. But the technology that powers the medium is rarely discussed or even highlighted. It sits in the background, with the eventual understanding that technology has caused disruption and led to a "democratisation" of culture.
So, let’s focus on understanding specific layers of the network model:
- Hardware (Layers 1, 2)
- Internet Protocol (Layer 3)
- Transport (Layer 4: TCP, UDP)
- Application (Layers 5 to 7)
What Happens in Each Layer
Sockets exist at the session layer (5), providing an interface to send data from one host to another. TCP at the transport layer (4) provides reliability and transport control. IP at the network layer (3) provides addressing and packet-level communication. Ethernet at the data link layer (2) provides addressing between Ethernet ports, suitable for a LAN. Wires and signalling protocols at the physical layer (1) are used to send bits from one device to another.
On a TCP/IP network, every device must have an IP address. But an IP address alone is not sufficient when a computer runs multiple applications or services. Just as the IP address identifies the computer, the port identifies the application or service running on it, so ports allow one device to run multiple services at once.
So IP address + port number = socket.
A connection between two computers is identified by a pair of sockets: the source IP and port together with the destination IP and port (plus the transport protocol). This is why one server port, such as 443, can serve thousands of clients at once; each client is told apart by its own IP and port. The session layer (5) is responsible for managing communication sessions between end-user applications and their processes; Remote Procedure Call (RPC), for example, is usually placed at Layer 5.
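The following is an added example, not code from the original article, showing the socket idea in practice: one server socket on a single port handles two clients, and each connection is distinguished by the client's own IP and port. It uses only the loopback interface (127.0.0.1) and an OS-chosen ephemeral port, so it runs offline; the message contents are constructed for the demo.

```python
"""Added example (not from the original article): a TCP connection is a pair
of sockets. The listening port identifies the service; each connection is
told apart by the client's (IP, port), so one server port serves many clients.
Uses the loopback interface only, so it runs offline."""
import socket
import threading


def start_echo_server(n_clients=2):
    """Bind to 127.0.0.1 on an ephemeral port (0) and echo one message per client.
    Returns the listening socket, its (ip, port), the list of client sockets it
    accepted, and the server thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS choose a free port
    srv.listen(5)
    peers = []                          # (client_ip, client_port) as seen by the server

    def serve():
        for _ in range(n_clients):
            conn, addr = srv.accept()   # addr is the *client's* socket: its IP + port
            peers.append(addr)
            conn.sendall(conn.recv(1024))
            conn.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv, srv.getsockname(), peers, t


def connect_and_echo(server_addr, payload):
    """Open one connection, exchange payload, and return the local socket
    (IP, port), the peer socket (IP, port) and the reply, as the client sees them."""
    c = socket.create_connection(server_addr, timeout=5)
    c.sendall(payload)
    reply = c.recv(1024)
    local, peer = c.getsockname(), c.getpeername()
    c.close()
    return local, peer, reply


def demo():
    """Two clients talk to the same server socket; returns everything needed
    to see that the server side is identical and the client sides differ."""
    srv, server_addr, peers, t = start_echo_server(2)
    a = connect_and_echo(server_addr, b"constructed message from client A")
    b = connect_and_echo(server_addr, b"constructed message from client B")
    t.join(5)
    srv.close()
    return server_addr, a, b, peers


if __name__ == "__main__":
    server_addr, a, b, peers = demo()
    print("server socket :", server_addr)
    print("client A local:", a[0], "peer:", a[1])
    print("client B local:", b[0], "peer:", b[1])
    print("seen by server:", peers)
```

Both clients report the same peer socket (the server's IP and port), while their own local ports differ; that local port is exactly what the server sees in the address returned by accept(), which is how the server keeps the two conversations apart.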
The whole process can be explained with a simple analogy.
Each layer has a gatekeeper who understands only the language and protocol of that layer. As data is transmitted down the stack, each gatekeeper performs the duties of its own layer:
- Put packet in an envelope
- Write header on the outside
- Pass it to Gatekeeper of next layer
At the next layer, the other gatekeeper puts the entire envelope into another envelope, writes its own header on the outside, and passes it on. On the receiving side the envelopes are opened in reverse order, and each gatekeeper reads only the header meant for it.
- Each layer provides services only to the layers above it
- Each layer depends only on the layer below it
Ethernet (Layer 2)
Ethernet uses the MAC address for forwarding decisions. This is a 48-bit address intended to be globally unique; it is assigned to the interface during manufacturing, but most operating systems allow software to override it, which is what makes MAC spoofing possible.
Ethernet has changed a lot over the years, but the frame size and format have stayed essentially the same.
The frame has a 14-byte header and is 64 to 1518 bytes long (the standard range; larger "jumbo" frames are a vendor extension).
It contains:
- Destination MAC address
- Source MAC address
- EtherType field indicating the payload type (0x0800 for IPv4, 0x0806 for ARP, 0x86DD for IPv6)
- Trailing 4-byte checksum (frame check sequence, FCS)
Ethernet host interface operation
The interface receives every frame on the LAN segment.
It checks the destination MAC address against a series of if-then-else conditions:
- Passes the frame to the host if the MAC address is the same as the interface's own configured MAC address
- Else passes the frame to the host if the MAC address is the broadcast address
- Else passes the frame to the host if the MAC address is in the list of configured multicast MAC addresses
- Else the frame is discarded
Note that this filter runs in the network interface itself. Putting the interface into promiscuous mode, which is what a packet sniffer does, switches the filter off, so every frame that reaches the interface is passed up to the host.
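To make the envelope analogy, the frame format and the interface filter concrete, here is an added example (not the article's code) that builds an Ethernet frame by hand, verifies the FCS on receipt, and applies the accept/discard decision described above, including the promiscuous-mode case a sniffer relies on. The MAC addresses use the locally-administered 02:00:... range and the payload is a constructed placeholder; the FCS is computed with CRC-32 via zlib, and the little-endian FCS byte order is an assumption of this demo.

```python
"""Added example, not from the original article: build and parse an Ethernet
frame to show the 'envelope' structure, then apply the NIC's accept/discard
rule. MAC addresses and payloads below are constructed for the demo."""
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst, src, ethertype, payload):
    """Layer-2 gatekeeper: put the payload in an envelope, write the 14-byte
    header on the outside, pad to the 46-byte minimum payload, append the FCS."""
    if len(payload) < 46:
        payload = payload + b"\x00" * (46 - len(payload))
    header = struct.pack("!6s6sH", mac_to_bytes(dst), mac_to_bytes(src), ethertype)
    body = header + payload
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)   # CRC-32, LSB first (assumed)
    return body + fcs


def fcs_valid(frame):
    """True if the trailing frame check sequence matches the rest of the frame."""
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame):
    """Open the envelope: check size and FCS, then split header and payload.
    Raises ValueError on a runt or corrupted frame."""
    if len(frame) < 64:
        raise ValueError("runt frame")
    if not fcs_valid(frame):
        raise ValueError("bad FCS")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src),
            "ethertype": ethertype, "payload": frame[14:-4]}


def interface_accepts(frame, my_mac, multicast_groups=(), promiscuous=False):
    """The if-then-else the article describes. Returns True when the NIC
    passes the frame up to the host. promiscuous=True is what a sniffer
    sets: every frame is passed up regardless of destination."""
    dst = parse_frame(frame)["dst"]
    if promiscuous:
        return True
    if dst == my_mac:
        return True
    if dst == BROADCAST:
        return True
    if dst in multicast_groups:
        return True
    return False


def demo():
    """Alice sends to Bob; Mallory shares the segment. Also shows multicast."""
    alice, bob, mallory = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    f = build_frame(bob, alice, ETHERTYPE_IPV4, b"constructed IPv4 packet")
    m = build_frame("01:00:5e:00:00:01", alice, ETHERTYPE_IPV4, b"constructed multicast")
    return {
        "len": len(f),                                      # 14 + 46 + 4 = 64
        "bob_takes_it": interface_accepts(f, bob),
        "mallory_drops_it": interface_accepts(f, mallory),
        "mallory_sniffs_it": interface_accepts(f, mallory, promiscuous=True),
        "multicast_joined": interface_accepts(m, bob, multicast_groups={"01:00:5e:00:00:01"}),
        "multicast_not_joined": interface_accepts(m, bob),
        "parsed": parse_frame(f),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The point to take away is that the only thing standing between Mallory and Alice's frame is a flag in Mallory's own network card; nothing in the frame itself protects it.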
Ethernet is now almost always a cascaded star network: end nodes connect directly to switches, and switches are interconnected.
On full-duplex switched links it no longer uses CSMA/CD. The CSMA/CD rules defined how a device detected a collision and how long it should wait before retransmitting; that is not needed when the send and receive channels are separate and can be used simultaneously, because collisions cannot occur.
A switch looks at the source address of every frame it receives and notes which port the frame arrived on.
The switch is constantly learning: each new source address is added to its MAC address table against that port.
It forwards a frame only out of the port where the destination address was learned (a frame with an unknown or broadcast destination is flooded to every port in the same VLAN). This transparent operation, where a frame only goes where it needs to go, is a good security advantage: a host normally sees only its own traffic. But the table is built purely from what hosts claim in their source field, so a node sending frames with a forged source address can make the switch deliver another host's traffic to itself.
Ethernet can also carry multiple virtual LANs on the same physical LAN. An 802.1Q VLAN tag is inserted into the Ethernet frame, and a port configured for a VLAN accepts and forwards only frames belonging to that VLAN (access ports add and strip the tag on behalf of the attached host).
There is a good security advantage to creating VLANs. Network admins have control over each port and user: an unauthorised user cannot simply plug a laptop into any switch port and sniff the network traffic, provided unused ports are disabled or placed in an isolated VLAN. VLANs create and control broadcast domains and restrict access, though hosts on the same VLAN still share a broadcast domain with each other.
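The switch behaviour in the two passages above (learning, transparent forwarding, spoofing of the source address, and VLAN separation) is easiest to see in a small simulation. This is an added example, not the article's own code or any vendor's implementation; frames are plain dicts of addresses rather than bytes, the topology and MAC addresses are constructed, and the "port security" limit is a simplified version of the per-port MAC limit real switches offer.

```python
"""Added example, not from the original article: a simulated learning switch.
Shows (1) transparent forwarding after learning, (2) how a forged source
address poisons the MAC table, (3) VLAN isolation, (4) a per-port MAC limit
as a mitigation. Topology and addresses are constructed for the demo."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, port_vlans, max_macs_per_port=None):
        self.port_vlans = port_vlans          # port -> VLAN id (access ports)
        self.table = {}                       # (vlan, mac) -> port  (the MAC/CAM table)
        self.port_macs = {p: set() for p in port_vlans}
        self.max_macs = max_macs_per_port     # None = no port security
        self.log = []

    def receive(self, in_port, src, dst):
        """Process one frame arriving on in_port with the given source and
        destination MACs. Returns the list of ports it is sent out on."""
        vlan = self.port_vlans[in_port]
        known = self.port_macs[in_port]
        # Port security: refuse to learn more addresses than allowed on this port.
        if self.max_macs is not None and src not in known and len(known) >= self.max_macs:
            self.log.append(f"port-security: dropped frame from {src} on port {in_port}")
            return []
        # Learning: whatever the frame *claims* as its source now lives on in_port.
        known.add(src)
        self.table[(vlan, src)] = in_port
        # Forwarding: known unicast goes to one port; unknown/broadcast floods the VLAN.
        out = self.table.get((vlan, dst))
        if out is not None and dst != BROADCAST:
            return [] if out == in_port else [out]
        return [p for p, v in self.port_vlans.items() if v == vlan and p != in_port]


def demo():
    victim, gw, attacker = "02:00:00:00:00:10", "02:00:00:00:00:01", "02:00:00:00:00:66"
    topology = {1: 10, 2: 10, 3: 10, 4: 20}   # ports 1-3 in VLAN 10, port 4 in VLAN 20
    result = {}

    sw = Switch(topology)
    # Learning phase: gateway on port 1, victim on port 2, attacker on port 3.
    sw.receive(1, gw, BROADCAST)
    sw.receive(2, victim, gw)
    sw.receive(3, attacker, gw)
    result["before_spoof"] = sw.receive(1, gw, victim)      # [2]: only the victim's port
    # Attacker forges the victim's MAC as source; the switch 'learns' it on port 3.
    sw.receive(3, victim, gw)
    result["after_spoof"] = sw.receive(1, gw, victim)       # [3]: victim's traffic now reaches attacker
    # VLAN isolation: a broadcast from VLAN 20 never reaches VLAN 10 ports.
    result["vlan20_flood"] = sw.receive(4, "02:00:00:00:00:20", BROADCAST)   # []

    # Same scenario with one learned MAC allowed per port.
    hard = Switch(topology, max_macs_per_port=1)
    hard.receive(1, gw, BROADCAST)
    hard.receive(2, victim, gw)
    hard.receive(3, attacker, gw)
    hard.receive(3, victim, gw)                             # forged frame dropped and logged
    result["hardened"] = hard.receive(1, gw, victim)        # [2]: table still correct
    result["alerts"] = hard.log
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)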
Multiple Input Multiple Output (MIMO)
Sends data over several antennas and spatial streams at once, wherever the radio environment provides multiple simultaneous paths. This increases throughput within the same spectrum and was a big breakthrough for wireless devices. Its multi-user form (MU-MIMO) lets an access point send data to several Wi-Fi devices at the same time.
Wi-Fi Architecture
Hosts connect to local access points: radio transceivers connected to the wired network. Networks are named by an SSID (service set identifier), which is carried in the frame header.
Wi-Fi uses CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance).
No synchroniser is required. The steps are as follows:
- Listen for idle network
- Send frame
- Wait for ACK
But there are concerns with Wi-Fi from a security perspective:
- Easily monitored: radio is a shared medium that anyone in range can receive, which is why link-level encryption is needed
- Easily disrupted: the shared medium can be jammed or flooded
- Easily spoofed: an attacker can impersonate an access point or a client
802.1X mitigates many of these issues. Access points use 802.1X port-based authentication to implement the Enterprise mode of Wi-Fi Protected Access (WPA), where each user authenticates individually against a back-end authentication server instead of everyone sharing one pre-shared key.
Enterprise Layer 3 Technology
- Operates at network layer
- Packets carry L3 (IP) addresses
- Uses L3 addresses in forwarding decisions
- Needs to map L3 addresses to L2 addresses. This is important because packets are still delivered across each L2 network to an L2 address.
Mapping L3 to L2 addresses
IPv4 uses the Address Resolution Protocol (ARP). A host broadcasts on the LAN: "who has IP address a.b.c.d?" The request carries the sender's own IP and MAC address, and the owner of a.b.c.d replies with its MAC address.
The purpose of ARP is to translate 32-bit IP addresses to 48-bit MAC addresses. ARP works between Layers 2 and 3: the MAC address belongs to Layer 2 and the IP address to Layer 3.
ARP has security concerns, primarily ARP spoofing: an attacker sends false ARP messages that link the attacker's MAC address with the IP address of a legitimate PC or server on the network. Because ARP has no authentication and hosts accept replies they never asked for, this opens the door to man-in-the-middle attacks, session hijacking and denial of service.
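As an added example (not the article's code), the block below builds ARP packets with Python's struct module so the 28-byte layout is visible, then runs a minimal spoof detector of the kind tools such as arpwatch implement: it remembers the first MAC seen for each IP and raises an alert when that binding changes, with a higher severity for protected addresses such as the default gateway. The IP addresses are from the 192.0.2.0/24 documentation range, the MACs are made up, and the three-packet "capture" is constructed for the demo.

```python
"""Added example, not from the original article: build ARP packets with struct
and run a simple spoof detector (the idea behind arpwatch) over a constructed
sequence of packets. Every MAC and IP here is made up for the demo."""
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FORMAT = "!HHBBH6s4s6s4s"   # hw type, proto, hw len, proto len, op, smac, sip, tmac, tip


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte ARP body: hw type 1 (Ethernet), proto 0x0800 (IPv4), lengths 6 and 4."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, op,
                       _mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       _mac_bytes(target_mac), socket.inet_aton(target_ip))


def parse_arp(pkt):
    hw, proto, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FORMAT, pkt[:28])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": _mac_str(smac), "sender_ip": socket.inet_ntoa(sip),
            "target_mac": _mac_str(tmac), "target_ip": socket.inet_ntoa(tip)}


class ArpWatch:
    """Keeps the IP->MAC binding first seen for each IP and reports changes.
    A healthy network changes a binding rarely (NIC swap, DHCP lease reuse);
    a sudden change for the gateway's IP is the classic spoofing signature."""
    def __init__(self, protected_ips=()):
        self.bindings = {}
        self.protected = set(protected_ips)
        self.alerts = []

    def observe(self, pkt):
        a = parse_arp(pkt)
        ip, mac = a["sender_ip"], a["sender_mac"]   # both requests and replies assert a binding
        old = self.bindings.get(ip)
        if old is None:
            self.bindings[ip] = mac
        elif old != mac:
            severity = "HIGH" if ip in self.protected else "MEDIUM"
            self.alerts.append(f"{severity}: {ip} changed from {old} to {mac}")
            self.bindings[ip] = mac
        return a


def demo():
    gw_ip, gw_mac = "192.0.2.1", "02:00:00:00:00:01"
    victim_ip, victim_mac = "192.0.2.20", "02:00:00:00:00:20"
    attacker_mac = "02:00:00:00:00:66"
    watch = ArpWatch(protected_ips=[gw_ip])
    # Constructed capture: a normal request/reply, then the attacker claims the gateway IP.
    traffic = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),   # spoofed reply
    ]
    for pkt in traffic:
        watch.observe(pkt)
    return watch.bindings, watch.alerts


if __name__ == "__main__":
    bindings, alerts = demo()
    print("bindings:", bindings)
    print("alerts:", alerts)
```

A real deployment would feed this from a packet capture on a mirror port and would also flag replies that were never requested; the core signal, an IP whose MAC changes without explanation, is the same.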
Internet Protocol (IP) - the key Layer 3 protocol
Uses IP addresses for forwarding decisions. An address is either:
- administratively (statically) assigned when the device is configured, or
- automatically assigned at device startup (DHCP)
Layer 3 Network Concepts
- The network is divided into subnets
- A subnet is a range of IP addresses assigned to a single L2 network
- L3 addresses are used to forward packets between LANs
- An L2 address is still required for delivery within a LAN
A host or router must encapsulate the L3 packet in an L2 frame addressed to the MAC address of the L2 destination: the final host if it is on the same subnet, otherwise the next-hop router.
Routers
- L3 forwarding device
- Exchange reachability information with other routers to maintain a routing table
- Used in Enterprises and ISPs
- Enterprises assumed to be in same trust domain
- ISPs assumed to interconnect across trust domains
Routers are necessary when you need to connect two or more IP networks. A router can read the IP packets carried to it in frames, so it can make forwarding decisions based on the IP destination address. This forwarding of packets is called packet switching.
Router operation is as follows:
- Process frames sent to the router's MAC address
- Look at the IP destination address in the L3 packet; hand the packet to the router's CPU if the address is the router's own
- Decrement the TTL and recalculate the IPv4 header checksum. TTL (Time To Live) is a hop counter that causes a packet to be discarded if it has been in the network too long; if it reaches 0, discard the packet and send an ICMP Time Exceeded error back to the source
- Find the best (longest-prefix) match for the destination in the routing table
- Build a new L2 frame around the L3 packet, addressed to the MAC address of the next hop
- Send the frame on the LAN to the next hop on the path to the destination
- The frame is therefore rebuilt at every hop, and the IP header changes (TTL, checksum) while the source and destination IP addresses stay the same
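The forwarding steps above, and the subnet concepts from the Layer 3 section, as code. This is an added example, not the article's own material: it uses a constructed routing table (documentation address ranges 198.51.100.0/24 and 203.0.113.0/24), builds a minimal IPv4 header with a correct checksum, and then performs the longest-prefix lookup, the TTL decrement and checksum recalculation, and the decision of whose MAC address the new L2 frame must be addressed to (the destination itself when it is on a directly connected subnet, otherwise the next-hop router). The 0x1234 identification field and the UDP protocol number are just placeholder values for the demo.

```python
"""Added example, not from the original article: the router's forwarding
steps in code. Routing table, interface addresses and packets are constructed
for the demo; the hop-by-hop change to the IP header is made explicit."""
import ipaddress
import struct


def ipv4_checksum(header):
    """One's-complement sum of the 20-byte header. Returns 0 for a header whose
    checksum field is already correct, so it doubles as the verifier."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ttl, payload=b""):
    """Minimal IPv4 packet: version/IHL 0x45, placeholder id, protocol 17 (UDP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


class Router:
    def __init__(self, routes, interfaces):
        # routes: (prefix, next_hop or None if directly connected, outgoing interface)
        self.routes = [(ipaddress.ip_network(p), nh, i) for p, nh, i in routes]
        self.interfaces = interfaces          # interface name -> router's own IP there

    def lookup(self, dst):
        """Longest-prefix match: the most specific matching route wins."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def forward(self, packet):
        """Returns (action, detail, packet): 'local', 'drop' or 'forward'.
        For 'forward', detail names the outgoing interface and the L2 target
        whose MAC the new frame must carry, and packet has the updated header."""
        hdr = packet[:20]
        if ipv4_checksum(hdr) != 0:
            return ("drop", "bad header checksum", packet)
        dst = str(ipaddress.IPv4Address(hdr[16:20]))
        if dst in self.interfaces.values():
            return ("local", "addressed to this router, hand to CPU", packet)
        ttl = hdr[8] - 1
        if ttl <= 0:
            return ("drop", "TTL expired: send ICMP Time Exceeded to source", packet)
        route = self.lookup(dst)
        if route is None:
            return ("drop", "no route: send ICMP Destination Unreachable", packet)
        new_hdr = bytearray(hdr)
        new_hdr[8] = ttl                                  # decrement TTL ...
        new_hdr[10:12] = b"\x00\x00"
        new_hdr[10:12] = struct.pack("!H", ipv4_checksum(new_hdr))   # ... and fix checksum
        prefix, next_hop, out_if = route
        l2_target = next_hop if next_hop else dst         # on-link: ARP for dst itself
        return ("forward", f"{out_if} -> {l2_target}", bytes(new_hdr) + packet[20:])


def demo():
    r = Router(
        routes=[("0.0.0.0/0", "203.0.113.1", "wan0"),          # default route via ISP
                ("198.51.100.0/24", None, "lan0"),               # directly connected LAN
                ("198.51.100.0/25", "198.51.100.2", "lan0")],    # more specific, via another router
        interfaces={"lan0": "198.51.100.1", "wan0": "203.0.113.2"},
    )
    cases = [
        ("on_link", build_ipv4("192.0.2.10", "198.51.100.200", 64)),
        ("specific", build_ipv4("192.0.2.10", "198.51.100.50", 64)),
        ("default", build_ipv4("192.0.2.10", "203.0.113.77", 64)),
        ("for_me", build_ipv4("192.0.2.10", "198.51.100.1", 64)),
        ("expired", build_ipv4("192.0.2.10", "203.0.113.77", 1)),
    ]
    return {name: r.forward(pkt) for name, pkt in cases}


if __name__ == "__main__":
    for name, (action, detail, pkt) in demo().items():
        print(f"{name:9s} {action:8s} {detail}  (TTL now {pkt[8]})")
```

Notice that the forwarded packet's IP addresses are untouched; only the TTL and the checksum differ, and the L2 envelope is thrown away and rebuilt for the next hop, which is exactly why a router must know the next hop's MAC address (via ARP) and not only its IP.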
The conceptual layers provide a lot of value in understanding how networks and protocols operate, as well as the security concerns to address at each one.