TCP/IP Explained


Here is some important terminology you should understand:

  • Protocol - a set of rules that govern how systems communicate, that is, how data is transferred from one system to another.  In effect, it means the computers speak the same language.
  • Protocol Suite - a collection of protocols that are designed to work together.
  • TCP/IP - Transmission Control Protocol / Internet Protocol - the most widely used protocol suite, and the one the Internet runs on.
  • IPX/SPX - Internetwork Packet Exchange / Sequenced Packet Exchange - Novell's suite, still found on some older, legacy systems.
There are 4 layers in TCP/IP:  
  1. The Network Layer (also called the Link or Network Access Layer), which is concerned with physically moving bits across a medium such as copper, fiber, or radio.
  2. The Internet Layer, which is responsible for routing packets by using IP addresses.
  3. The Transport Layer, which is concerned with the flow of data, sequencing segments for reassembly, and encapsulating the data with a TCP or User Datagram Protocol (UDP) header.
  4. The Application Layer, which is where applications and protocols, such as HTTP and Telnet, operate.

Layer summary (top to bottom):
  • Application Layer - network services and client software.
  • Transport Layer - TCP/UDP services.  Responsible for getting data to and from the Application Layer by using port numbers.  TCP also verifies delivery by using acknowledgements.
  • Internet Layer - uses IP addresses to route packets to the correct destination network.
  • Network Layer - the physical network pathway and the network interface card.

Now, let's dive in a little deeper.

The Application Layer is the layer that you can see and touch.  Application layer protocols are the front-end to the lower-layer protocols in the TCP/IP stack.  Protocols at this layer include HTTP, FTP, SMTP, SNMP, SSH, IRC, and Telnet.

The Transport Layer is where data is encapsulated into segments.  Each segment is carried by either TCP or UDP to a destination node.  TCP is a connection-oriented protocol, meaning the sender doesn't send any application data until the destination node has confirmed that it is listening.  This is done with a 3-way handshake:
  1. Host A sends Host B a TCP segment with the SYN flag set.  (SYN packet)
  2. After receiving it, Host B replies with its own SYN segment that also has the ACK flag set.  (SYN-ACK packet)
  3. In response to the SYN-ACK, Host A sends Host B a segment with the ACK flag set.  (ACK packet)
TCP Segment Headers - The critical components of a TCP header are the TCP flags, the sequence and acknowledgement numbers, and the source and destination port numbers.  Attackers may send segments that don't follow this sequence, for example a SYN-ACK with no preceding SYN, to see how a host or firewall responds.

TCP Flags - Each TCP flag occupies one bit of the TCP header and can be set to 0 (off) or 1 (on).  These are the 6 classic flags of a TCP segment:
  1. SYN Flag - the synchronize flag indicates the beginning of a session; each side sets it once, on its first segment.
  2. ACK Flag - the acknowledgement flag indicates that the acknowledgement number field is valid.  It is set on the third packet of the handshake and on every segment after that, so a segment without ACK is only normal on the very first SYN.
  3. PSH Flag - the push flag tells the receiver to deliver the data to the application immediately rather than buffering it.
  4. URG Flag - signifies urgent data; the urgent pointer field marks it.
  5. RST Flag - the reset flag aborts a connection, and is also what a host sends back for a SYN to a closed port.
  6. FIN Flag - the finish flag signifies that the sender has no more data to send.
Initial Sequence Number (ISN) - sequence numbers are 32-bit values that count the bytes each side has sent, which lets the receiver put segments back in order and reassemble large transfers that have been split into smaller segments.  The ISN is the starting value each side picks for its own stream, so it is sent in steps 1 and 2 of the three-way handshake: Host A's ISN in the SYN and Host B's ISN in the SYN-ACK, each acknowledged by the peer as ISN + 1.  (Session hijacking is a technique where the attacker guesses the ISN, or the current sequence number, of a connection and injects segments that the receiver accepts as genuine.)
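To make the handshake and the header fields above concrete, here is an added example (not code from the original page) in Python that builds and decodes raw 20-byte TCP headers, checks that three segments form a valid SYN / SYN-ACK / ACK exchange using the ISN + 1 acknowledgement rule, and flags a SYN-ACK that arrives without a preceding SYN.  The ports, the ISNs (1000 and 5000) and the segments are constructed for the demo; because only TCP headers are built, connections are keyed on the port pair alone rather than the full address 4-tuple.

```python
import struct

# Flag bits in the low byte of the 16-bit "data offset / reserved / flags"
# field at bytes 12-13 of the TCP header (the six flags listed above).
TCP_FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
SEQ_MOD = 1 << 32  # sequence numbers are 32-bit and wrap around


def build_tcp_header(src_port, dst_port, seq, ack, flag_names, window=65535):
    """Build a minimal 20-byte TCP header with no options and a zero checksum.
    Used here only to construct sample segments for the demonstration."""
    flags = 0
    for name in flag_names:
        flags |= TCP_FLAGS[name]
    offset_flags = (5 << 12) | flags  # data offset = 5 words (20 bytes), no options
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def parse_tcp_header(data):
    """Decode the fixed 20-byte part of a TCP header into a dict."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, offset_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": (offset_flags >> 12) * 4, "window": window,
        "flags": {name for name, bit in TCP_FLAGS.items() if offset_flags & bit},
    }


def check_handshake(segments):
    """Validate three raw segments as A->B SYN, B->A SYN-ACK, A->B ACK.
    Returns (ok, reason).  Beyond the flags it checks that the ports are
    mirrored and that each acknowledgement number is the peer's ISN + 1."""
    if len(segments) != 3:
        return False, "expected exactly three segments"
    syn, synack, ack = (parse_tcp_header(s) for s in segments)
    if syn["flags"] != {"SYN"}:
        return False, "segment 1 must carry only SYN"
    if synack["flags"] != {"SYN", "ACK"}:
        return False, "segment 2 must carry SYN and ACK"
    if ack["flags"] != {"ACK"}:
        return False, "segment 3 must carry only ACK"
    if (synack["src_port"], synack["dst_port"]) != (syn["dst_port"], syn["src_port"]):
        return False, "SYN-ACK ports do not mirror the SYN"
    if (ack["src_port"], ack["dst_port"]) != (syn["src_port"], syn["dst_port"]):
        return False, "ACK ports do not match the SYN"
    isn_a, isn_b = syn["seq"], synack["seq"]
    if synack["ack"] != (isn_a + 1) % SEQ_MOD:
        return False, "SYN-ACK does not acknowledge A's ISN + 1"
    if ack["seq"] != (isn_a + 1) % SEQ_MOD or ack["ack"] != (isn_b + 1) % SEQ_MOD:
        return False, "final ACK does not acknowledge B's ISN + 1"
    return True, "valid handshake"


def unsolicited_synacks(segments):
    """Return the indexes of SYN-ACK segments for which no SYN was seen earlier
    on the reversed port pair: the anomaly mentioned above, a SYN-ACK that
    arrives without a preceding SYN."""
    seen_syns = set()
    suspicious = []
    for i, raw in enumerate(segments):
        hdr = parse_tcp_header(raw)
        if hdr["flags"] == {"SYN"}:
            seen_syns.add((hdr["src_port"], hdr["dst_port"]))
        elif hdr["flags"] == {"SYN", "ACK"}:
            if (hdr["dst_port"], hdr["src_port"]) not in seen_syns:
                suspicious.append(i)
    return suspicious


# Constructed sample: Host A (ephemeral port 40000) opens a connection to
# port 80 on Host B.  The ISNs 1000 and 5000 are arbitrary demo values.
SYN = build_tcp_header(40000, 80, 1000, 0, ["SYN"])
SYN_ACK = build_tcp_header(80, 40000, 5000, 1001, ["SYN", "ACK"])
ACK = build_tcp_header(40000, 80, 1001, 5001, ["ACK"])
GOOD_HANDSHAKE = [SYN, SYN_ACK, ACK]
# The same exchange, but the SYN-ACK's acknowledgement number is off by one.
BAD_HANDSHAKE = [SYN, build_tcp_header(80, 40000, 5000, 1000, ["SYN", "ACK"]), ACK]

if __name__ == "__main__":
    print(check_handshake(GOOD_HANDSHAKE))
    print(check_handshake(BAD_HANDSHAKE))
    print(unsolicited_synacks([SYN_ACK]))
```

The checksum is left at zero because computing it needs the IP pseudo-header, which is outside the scope of this layer's discussion; a real capture would carry it, and a decoder that wanted to verify it would need the source and destination addresses as well.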

TCP Ports - A port is a logical, not physical, component of a TCP (or UDP) connection.  A port number identifies the service that is listening on a host.  Some well-known ports:
  • HTTP uses port 80 by default
  • FTP uses ports 20 (data) and 21 (control)
  • SMTP - Simple Mail Transfer Protocol uses port 25
  • DNS - Domain Name System uses port 53 (UDP for most queries, TCP for zone transfers and large responses)
  • TFTP - Trivial File Transfer Protocol uses port 69 (UDP)
  • POP3 - Post Office Protocol 3 uses port 110
  • NNTP - Network News Transfer Protocol uses port 119
  • RPC - Microsoft's Remote Procedure Call endpoint mapper uses port 135
  • NetBIOS - the NetBIOS Session Service uses port 139
  • IMAP4 - Internet Message Access Protocol 4 uses port 143
UDP - User Datagram Protocol - is a fast but unreliable delivery protocol that also operates at the transport layer.  UDP is connectionless: there is no handshake, and the sender doesn't verify that the receiver is ready to accept packets, so nothing is retransmitted if a datagram is lost.

The Internet Layer is responsible for routing a packet to its destination address.  Routing is done using an IP address.  ICMP - Internet Control Message Protocol is used to send messages related to network operations.  A "Destination Unreachable" error is returned if a packet can't reach its destination.  You can troubleshoot network connectivity problems using the PING command (ICMP Echo Request and Echo Reply), and you can track the route a packet traverses using the TRACEROUTE command (which relies on the ICMP Time Exceeded messages sent back by each hop).  Security professionals filter ICMP by type and code to control which ICMP messages enter or leave a network, for example dropping inbound Echo Requests while still allowing "Destination Unreachable - fragmentation needed", which Path MTU discovery depends on.
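As an added example (not from the original page), the following Python builds ICMP messages with a correct RFC 1071 checksum, decodes Echo and Destination Unreachable messages including the next-hop MTU carried by a "fragmentation needed" error, and applies a small type/code filter policy of the kind described above.  The sample messages are constructed, the embedded "original packet" is a placeholder string rather than a real IP header, and the filter policy is an illustrative one, not a standard.

```python
import struct

# ICMP message types used below (RFC 792).
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# Codes carried by a type 3 "Destination Unreachable" message.
UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed", 13: "communication administratively prohibited",
}


def internet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type, code, rest_of_header=b"\x00" * 4, payload=b""):
    """Assemble an ICMP message: type, code, checksum, 4 type-specific bytes, payload."""
    body = rest_of_header[:4].ljust(4, b"\x00") + payload
    csum = internet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(msg):
    """Decode type, code and checksum validity.  For Destination Unreachable,
    also pull out the next-hop MTU (code 4 only) and the embedded copy of the
    original packet that says which datagram was dropped."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    info = {"type": icmp_type, "code": code,
            "checksum_ok": internet_checksum(msg) == 0}  # a valid message sums to zero
    if icmp_type == DEST_UNREACHABLE:
        info["reason"] = UNREACHABLE_CODES.get(code, "code %d" % code)
        if code == 4:
            info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
        info["original_packet"] = msg[8:]  # IP header + first 8 bytes of the original datagram
    elif icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
    return info


def filter_icmp(msg, inbound):
    """Illustrative border policy keyed on ICMP type (an assumed policy, not a
    standard): drop inbound Echo Requests and anything with a bad checksum, but
    keep the error messages hosts need, i.e. Destination Unreachable (including
    'fragmentation needed', which Path MTU discovery relies on) and Time
    Exceeded (which traceroute relies on)."""
    info = parse_icmp(msg)
    if not info["checksum_ok"]:
        return "drop"
    if info["type"] == ECHO_REQUEST:
        return "drop" if inbound else "allow"
    if info["type"] == ECHO_REPLY:
        return "allow" if inbound else "drop"
    if info["type"] in (DEST_UNREACHABLE, TIME_EXCEEDED):
        return "allow"
    return "drop"


# Constructed samples.  The "original packet" in the error messages is a
# placeholder string rather than a real IP header.
ECHO = build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"ping")
PORT_UNREACH = build_icmp(DEST_UNREACHABLE, 3, b"\x00" * 4, b"<orig ip hdr+8>")
FRAG_NEEDED = build_icmp(DEST_UNREACHABLE, 4, struct.pack("!HH", 0, 1400), b"<orig ip hdr+8>")
CORRUPT = ECHO[:2] + b"\xff\xff" + ECHO[4:]  # checksum field overwritten

if __name__ == "__main__":
    for name, m in [("echo", ECHO), ("port-unreach", PORT_UNREACH),
                    ("frag-needed", FRAG_NEEDED), ("corrupt", CORRUPT)]:
        print(name, parse_icmp(m), filter_icmp(m, inbound=True))
```

The "fragmentation needed" case is the one that a blanket "block all ICMP" rule breaks: when a router on the path cannot forward a packet with the DF bit set, this message is the only way the sender learns the smaller MTU in the last two bytes of the header.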

IP Addressing - An IPv4 address consists of 4 bytes divided into 2 components:  a network address and a host address.  Based on the value of the first byte, you can classify an IP address as Class A, B, or C.

  Address Class   First Byte Range   Address Bytes   Number of Networks   Host Bytes   Number of Hosts
  Class A         1-126              1               126                  3            16,777,214
  Class B         128-191            2               16,384               2            65,534
  Class C         192-223            3               2,097,152            1            254
(First byte 0 and 127 are reserved, 127 being the loopback range, which is why Class A has 126 networks rather than 128.  The host counts exclude the network address and the broadcast address of each network.)
In addition to a unique network address, each network must be assigned a subnet mask, which helps distinguish the network address bits from the host address bits.  

IP Addressing must be planned.  When IP addresses are assigned, companies need to assign a unique network address to each network segment that's separated by a router.  The router's job is to take packets destined for a computer on a different network segment from the sending computer and forward them toward that segment.  In a subnetted network, it is easy to mistake a broadcast address for a valid host address, a major blunder: instead of reaching the one host you were trying to reach, every packet is delivered to all hosts on the segment, and thousands of such packets amount to a denial-of-service attack on the whole segment.
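As an added example (not from the original page), the Python below derives the class table from the bit split instead of typing it in, classifies an address by its first byte, and, given a subnet mask, works out the network and broadcast addresses so that a target can be checked for the broadcast mistake described above before packets are sent.  The addresses and masks are constructed for the demo; only the standard-library ipaddress module is used.

```python
import ipaddress

# (network bits, fixed leading bits) for each class: Class A addresses start
# with bit 0, Class B with 10, Class C with 110, so those bits cannot vary.
CLASS_BITS = {"A": (8, 1), "B": (16, 2), "C": (24, 3)}
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(addr):
    """Classful category from the first byte.  0 and 127 are reported as
    reserved, and D/E are reported so they are not mistaken for host ranges."""
    first = int(ipaddress.ip_address(addr)) >> 24
    if first in (0, 127):
        return "reserved"
    if first <= 126:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    if first <= 239:
        return "D"
    return "E"


def classful_capacity(cls):
    """(number of networks, hosts per network), computed from the bit split."""
    net_bits, fixed = CLASS_BITS[cls]
    networks = 2 ** (net_bits - fixed)
    if cls == "A":
        networks -= 2  # 0.0.0.0/8 and 127.0.0.0/8 are reserved
    hosts = 2 ** (32 - net_bits) - 2  # network and broadcast addresses are not hosts
    return networks, hosts


def describe_subnet(addr, mask):
    """Network address, broadcast address and usable host count for addr/mask.
    mask may be dotted (255.255.240.0) or a prefix length (20)."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        "usable_hosts": usable,
    }


def classify_target(target, mask):
    """Before addressing a packet: is target a real host, the network address,
    or the subnet's broadcast address (the blunder described above)?"""
    net = ipaddress.ip_network(f"{target}/{mask}", strict=False)
    addr = ipaddress.ip_address(target)
    if net.prefixlen >= 31:
        return "host"  # /31 point-to-point links (RFC 3021) and /32 have no broadcast address
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


def same_segment(a, b, mask):
    """True when a and b share a subnet, i.e. the packet does not need a router."""
    return (ipaddress.ip_network(f"{a}/{mask}", strict=False)
            == ipaddress.ip_network(f"{b}/{mask}", strict=False))


if __name__ == "__main__":
    for cls in "ABC":
        print(cls, DEFAULT_MASK[cls], classful_capacity(cls))
    # Constructed addresses for the demo.
    print(describe_subnet("10.20.30.40", "255.255.240.0"))
    print(classify_target("192.168.1.127", "255.255.255.128"))  # broadcast of 192.168.1.0/25
    print(classify_target("192.168.1.127", "255.255.255.0"))    # an ordinary host in the /24
    print(same_segment("192.168.1.10", "192.168.2.10", "255.255.255.0"))
```

The pair of classify_target calls shows the trap: 192.168.1.127 is a perfectly good host address under a /24 mask and the broadcast address under a /25 mask, so the answer depends on the mask actually configured on that segment, not on the address alone.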
