The TCP/IP Protocol Suite

The Transmission Control Protocol/Internet Protocol Suite (TCP/IP) has become the de facto standard for the Internet, and most organizations use it for network communications. TCP/IP includes both network-communication and application-support protocols. As stated earlier, the TCP/IP protocol suite was developed and in use before the ISO/OSI model was developed and, as such, does not match directly with the layers of the OSI model.

The TCP/IP suite includes the following protocols:

  • Telnet (remote terminal protocol)—This terminal-emulation protocol enables users to log into remote systems and use resources as if they were connected locally. Telnet sends everything, including usernames and passwords, across the network in cleartext.

  • File Transfer Protocol (FTP)—FTP enables users and systems to transfer files from one computer to another over a TCP/IP network. Depending on configuration, FTP allows authenticated user logins and anonymous logins. It can transfer any file type, but it provides no encryption, so credentials and file contents cross the network in cleartext during both login and transfer.

  • Simple Mail Transfer Protocol (SMTP)—This protocol provides standard electronic (email) transfer services.

  • Domain Name System (DNS)—This protocol resolves hostnames to IP addresses and IP addresses to hostnames; for example, www.lmisol.com would resolve to IP address 66.33.202.245. DNS servers form a hierarchical, distributed database that is queried for resolution. The service lets users remember names instead of IP addresses.

  • Network File System (NFS)—This protocol allows a computer to access files over a network as if they were on its local disk.

  • Transmission Control Protocol (TCP)—This transport-layer protocol establishes a reliable, full-duplex data-delivery service that many TCP/IP applications use. TCP is connection-oriented: it sets up a session with a three-way handshake, numbers and acknowledges segments, and retransmits whatever is lost, so the data arrives intact and in the order it was sent.

  • User Datagram Protocol (UDP)—This transport-layer protocol provides connectionless delivery of data on the network. UDP provides no error-recovery or ordering services, which keeps its overhead low; it is used for short query/response exchanges such as DNS lookups, for real-time traffic that cannot wait for retransmission, and for broadcasting data on the network.

  • Internet Protocol (IP)—This protocol specifies the format of packets (datagrams) and the addressing used to route them between networks. IP itself is connectionless and makes no delivery guarantee, so it is generally combined with a transport protocol such as TCP to effect reliable delivery.

  • Internet Control Message Protocol (ICMP)—This protocol is an extension of the Internet Protocol (IP). It supports packets that contain error, control, and informational messages. The ping command, used to test network connectivity, uses the ICMP protocol.

  • Address Resolution Protocol (ARP)—This protocol, which works between the network and data link layers, converts an IP address (logical address) into a physical address (DLC or MAC address). When a host needs a physical address, it broadcasts an ARP request; the host that owns the IP address replies with its physical address. ARP has no authentication, so any host on the segment can answer for an address it does not own.

  • X.25—This is a data communications interface specification developed to describe how data passes into and out of switched packet networks. The X.25 protocol suite defines protocol Layers 1–3.

Firewalls

A firewall is a device (hardware/software) that restricts access between networks. These networks might be a combination of an internal and external network (organization’s LAN and the Internet) or might be within internal networks (accounting network and the sales network). A firewall is implemented to support the organizational security policy, in that specific restrictions or rules are configured within the firewall to restrict access to services and ports. If configured correctly, the firewall is the gateway through which all traffic will flow. The network traffic (or packets) then is monitored as it comes into the firewall and compared against a set of rules (filters). If the traffic does not meet the requirements of the access control policy, it is not allowed access and might be discarded or redirected.

Firewalls started out as perimeter security devices that protected the organization’s internal networks from external networks (such as the Internet), much as a moat protected a castle. This style of network security is often described as "hard and crunchy on the outside (the perimeter firewall), soft and chewy on the inside (the organization’s internal network)." Perimeter security is an important component of a comprehensive security infrastructure, but it is not the complete answer: it assumes that the vast majority of threats are external to the organization, which is not always the case.

It is important to keep in mind that the firewall can be considered a "choke point" on the network because all traffic must be checked against the rules before gaining access. As a result, the rules that are created for the network must take into account performance as well as security. Firewalls can filter traffic based on a variety of the parameters within the packet:

  • Source and destination addresses—The firewall can look at the source or destination address in the packet (or both).

  • Source and destination ports—The firewall can look at the source or destination port identifier of the service or application being accessed.

  • Protocol types—The firewall might not let certain protocol types access the network.

The level of granularity and types of rules that can be implemented vary among vendors. As an auditor, you will find that a wide variety of parameters can be configured, based on vendor implementation. A number of risk indicators are associated with firewalls:

  • The organization does not employ firewalls.

  • The firewall is poorly configured or misconfigured (affecting performance/security).

  • No audit or testing processes/procedures exist for monitoring firewall security.

  • The organization relies too much on perimeter firewall security.

  • Not all network traffic passes through the firewall (rogue modems, network connectivity, and so on).

Packet-Filtering Firewalls

The first generation of firewalls is known as packet-filtering firewalls. (Circuit-level gateways, which are sometimes grouped with them, are a distinct type: they make their decision when a TCP or UDP session is set up rather than on every packet.) A packet-filtering firewall uses an access control list (ACL) applied to the network-layer (OSI layer 3) header and, on most implementations, to the transport-layer port numbers as well. An ACL is a set of text-based rules that the firewall applies to each incoming packet. A simple access control list could stipulate that all packets coming from a particular network (source address) 192.168.0.0 must be denied and discarded; the firewall might express this as a text-based rule such as DENY ALL 192.168.0.0. Another rule might state that all packets trying to reach a particular port, such as a web page request (port 80), be routed to a particular server, in this case 172.168.1.1; the firewall might have a rule that looks like PERMIT FORWARD ALL TCP Port 80 172.168.1.1.

Packet-filtering firewalls can compare the header information in packets only against their rules. As a result, they provide relatively low security compared to other options. The creation of rules in packet filtering involves both permit (or allow) and deny (or block) statements. Permit statements allow packets to be forwarded; deny statements discard the packet. Access lists are sequential: Statements are processed from the top of the list down until a statement condition that matches a packet is found. When the statement is found, no further statements are processed. As an IS auditor, you should review the access lists for completeness and correctness. This example shows both a correct and an incorrect access list:

Access list A (correct):

access-list 1 permit host 192.168.32.1
access-list 1 permit host 192.168.32.2

Access list B (incorrect):

access-list 1 deny 192.168.32.0 0.0.0.255
access-list 1 permit 192.168.32.1
access-list 1 permit 192.168.32.2
access-list 1 deny 192.168.40.0 0.0.255.255

In this scenario, we want to permit two hosts access to the internal network while denying the remainder of their subnet. In access list A, we permit 192.168.32.1 and 192.168.32.2. Routers and firewalls that filter on IP source or destination addresses deny traffic by default: nothing is allowed unless a rule explicitly permits it. This default is usually described as the "implicit deny" statement at the end of every access control list. Because the list is read in sequence from top to bottom and ends with the implicit deny, any address that matches none of the permit statements is denied, so access list A needs no explicit deny for the rest of 192.168.32.0/24. In access list B, the first statement denies the entire 192.168.32.0/24 subnet, which includes 192.168.32.1 and 192.168.32.2. Because that statement already matches packets from those hosts, the later permit statements meant for them are never reached, and the packets are discarded. Granular statements must precede global statements. The last statement in access list B (192.168.0.0/16, given the 0.0.255.255 wildcard) covers everything the first statement already denies and so adds nothing; and because every permit statement is shadowed, access list B allows no traffic from any source once the implicit deny is applied.
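As an added example (not code from the book), the following Python evaluates Cisco-style standard access lists with first-match and implicit-deny semantics and flags statements that an earlier statement shadows, which is the check an auditor wants to run over access lists A and B above. The parser, wildcard conversion and analysis routines (parse_acl, evaluate, find_shadowed) are assumptions for illustration; the two access lists embedded below are the ones shown in the text.

```python
"""Evaluate Cisco-style standard ACLs (first match wins, implicit deny at the end)
and flag shadowed statements. Added example, not code from the book."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # addresses the statement matches


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert address + Cisco wildcard mask (0 bit = must match, 1 bit = don't care)
    into a CIDR network. Only contiguous wildcards map to a prefix length."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask | ((1 << (32 - prefix)) - 1) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list <n> permit|deny host A | A [wildcard] | any' statements."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported statement: {line}")
        action, operands = parts[2], parts[3:]
        if operands[0] == "host":
            net = ipaddress.IPv4Network(operands[1] + "/32")
        elif operands[0] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            # A bare address carries an implied 0.0.0.0 wildcard (exact host match).
            wildcard = operands[1] if len(operands) > 1 else "0.0.0.0"
            net = wildcard_to_network(operands[0], wildcard)
        rules.append(Rule(action, net))
    return rules


def evaluate(rules: List[Rule], src: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching statement); None marks the implicit deny."""
    ip = ipaddress.IPv4Address(src)
    for i, rule in enumerate(rules):
        if ip in rule.network:
            return rule.action, i     # first match wins; later statements are never read
    return "deny", None


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """Find statements that can never match because an earlier statement covers
    their whole network. Same action: the later one is redundant. Opposite
    action: the later one is shadowed, the ordering mistake in access list B."""
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if rule.network.subnet_of(rules[j].network):
                kind = "redundant" if rules[j].action == rule.action else "shadowed"
                findings.append((i, j, kind))
                break
    return findings


# The two access lists from the text.
ACL_A = """
access-list 1 permit host 192.168.32.1
access-list 1 permit host 192.168.32.2
"""

ACL_B = """
access-list 1 deny 192.168.32.0 0.0.0.255
access-list 1 permit 192.168.32.1
access-list 1 permit 192.168.32.2
access-list 1 deny 192.168.40.0 0.0.255.255
"""

if __name__ == "__main__":
    for name, text in (("A", ACL_A), ("B", ACL_B)):
        rules = parse_acl(text)
        for src in ("192.168.32.1", "192.168.32.2", "192.168.32.3", "10.1.1.1"):
            print(name, src, evaluate(rules, src))
        print(name, "findings:", find_shadowed(rules))
```

Running it shows access list A permitting only the two hosts and denying everything else through the implicit deny, and access list B denying the two hosts at statement 0 with statements 1 and 2 reported as shadowed; the 0.0.255.255 wildcard on the last statement is resolved to 192.168.0.0/16, which is why it covers the first statement's subnet.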

Stateful Packet-Inspection Firewalls

Stateful packet-inspection firewalls are considered the third generation of firewall gateways. They add connection tracking: the firewall records each session in a state table (for TCP, the endpoints' addresses and ports, the handshake, and the sequence numbers) and judges every subsequent packet against that state until the session is closed; many implementations also inspect application-layer data. A first-generation packet-filtering firewall, by contrast, receives a packet, matches it against its rules, forwards or discards it, and forgets it.

Remember from the discussion of the OSI model that a single communication (such as sending an email) is broken into many packets that are forwarded to the receiving station. A stateful firewall is more sophisticated because it tracks sessions opened from both internal and external sources. A first-generation packet-filtering firewall can be set up to deny all packets from a particular network (as in the previous example), but a stateful firewall with the same rule can still allow reply packets from that network when the session was opened from the internal network, because those packets match an entry in its state table.
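As an added example (not code from the book), the following Python puts a stateless decision beside a minimal connection-tracking filter for exactly the case just described. The internal network (10.0.0.0/8), the "denied" network (192.168.0.0/16) and the packet sequence are constructed; the state machine is a deliberate simplification (it records a session on an outbound SYN, marks it established on the first ACK, and drops the entry on FIN or RST).

```python
"""Stateless filter beside a minimal stateful (connection-tracking) TCP filter.
Added example, not code from the book; addresses, rule and packets are constructed."""
import ipaddress
from collections import namedtuple
from typing import Dict, List, Tuple

# flags is a frozenset of TCP flag names, e.g. frozenset({"SYN", "ACK"})
Packet = namedtuple("Packet", "src sport dst dport flags")

INTERNAL = ipaddress.IPv4Network("10.0.0.0/8")        # constructed internal LAN
DENIED = [ipaddress.IPv4Network("192.168.0.0/16")]    # the "deny all 192.168.0.0" rule


def stateless_filter(pkt: Packet) -> str:
    """First-generation behaviour: each packet is judged by its own header only."""
    if any(ipaddress.IPv4Address(pkt.src) in net for net in DENIED):
        return "deny"
    return "permit"


class StatefulFirewall:
    """Tracks sessions opened from the inside and admits only their replies."""

    def __init__(self) -> None:
        # key: (internal ip, internal port, external ip, external port) -> state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def process(self, pkt: Packet) -> str:
        outbound = ipaddress.IPv4Address(pkt.src) in INTERNAL
        key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if key in self.table:
            # Part of a tracked session: the static deny on 192.168.0.0/16 is not
            # consulted, which is how the reply to an internal request gets in.
            if "RST" in pkt.flags or "FIN" in pkt.flags:
                del self.table[key]   # simplified; real conntrack follows the full teardown
            elif "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"
            return "permit"
        if outbound and pkt.flags == frozenset({"SYN"}):
            self.table[key] = "SYN_SENT"   # the inside may open new sessions
            return "permit"
        # No state and not an internal session opener: an unsolicited packet.
        # A real firewall would now consult its static rulebase; here nothing
        # inbound is permitted without state, so the source-based deny holds.
        return "deny"


def run_trace() -> List[Tuple[str, str, str]]:
    """Replay a constructed exchange; returns (label, stateless, stateful) per packet."""
    fw = StatefulFirewall()
    trace = [
        ("internal SYN to 192.168.0.10:80",
         Packet("10.0.0.5", 40000, "192.168.0.10", 80, frozenset({"SYN"}))),
        ("SYN/ACK reply from 192.168.0.10",
         Packet("192.168.0.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))),
        ("internal ACK completes handshake",
         Packet("10.0.0.5", 40000, "192.168.0.10", 80, frozenset({"ACK"}))),
        ("stray SYN/ACK to an untracked port",
         Packet("192.168.0.10", 80, "10.0.0.5", 40001, frozenset({"SYN", "ACK"}))),
        ("unsolicited SYN to internal SSH",
         Packet("192.168.0.77", 5555, "10.0.0.5", 22, frozenset({"SYN"}))),
    ]
    return [(label, stateless_filter(p), fw.process(p)) for label, p in trace]


if __name__ == "__main__":
    for label, stateless, stateful in run_trace():
        print(f"{label:38} stateless={stateless:6} stateful={stateful}")
```

The second packet is the one the text is about: its source is in the denied network, so the stateless filter drops it, while the stateful filter permits it because the internal host opened the session a moment earlier. The fourth and fifth packets come from the same denied network but match no state, and both filters drop them.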

Proxy Firewalls

Proxy firewalls, or application-layer gateways, act as the "middleman" in network communications. The difference from packet filtering is that no packet passes directly between the two networks: the proxy terminates the client’s connection, checks the communication for access authorization against a rulebase, and then opens its own connection to the receiving system (or discards the request). In essence, the proxy stands in for the internal (receiving) system and reviews each request before forwarding it. Anything the receiving computer sends back goes to the proxy before it is forwarded externally. Because the proxy originates the forwarded traffic, the outside party sees the proxy’s address rather than that of the protected host, which hides the identity of the internal systems.

Proxies are application-level gateways. They differ from packet filtering in that they can examine all the information in the packet, not just the headers, all the way up to the application layer (for a web request, the HTTP method, target, and headers).
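As an added example (not code from the book), the following Python shows the application-layer check a proxy firewall performs on a web request: it parses the whole HTTP request, applies a rulebase to the method, target, and Host header, and forwards a rewritten copy in which the client-identifying headers are removed and the proxy marks itself as the hop. The policy (allowed methods and hosts), the proxy name, the gateway_inspect function, and the sample requests are all constructed for illustration.

```python
"""Application-layer inspection as a proxy firewall performs it on an HTTP request.
Added example, not code from the book; policy and sample requests are constructed."""
from typing import List, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}     # constructed policy: no CONNECT tunnelling etc.
ALLOWED_HOSTS = {"www.example.com"}           # constructed policy: the one site we front
PROXY_NAME = "1.1 gw.example.net"             # hypothetical identity placed in the Via header


def parse_request(raw: bytes) -> Tuple[str, str, str, List[Tuple[str, str]], bytes]:
    """Split an HTTP/1.x request into (method, target, version, headers, body).
    Raises ValueError on anything that is not a well-formed request head."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("ascii").split("\r\n")       # UnicodeDecodeError is a ValueError
    method, target, version = lines[0].split(" ")    # wrong field count raises ValueError
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def gateway_inspect(raw: bytes) -> Tuple[str, object]:
    """Return ("forward", rewritten request bytes) or ("drop", reason)."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError as exc:
        return "drop", f"malformed request: {exc}"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "drop", "unsupported protocol version"
    if method not in ALLOWED_METHODS:
        return "drop", f"method {method} not allowed"
    hosts = [v for n, v in headers if n.lower() == "host"]
    if len(hosts) != 1 or hosts[0] not in ALLOWED_HOSTS:
        return "drop", "missing, duplicate or disallowed Host header"
    # Origin-form target only, and no '..' segment; a fuller gateway would also
    # decode percent-encoding before this check and validate Content-Length.
    if not target.startswith("/") or ".." in target.split("?")[0].split("/"):
        return "drop", "request target outside the served tree"
    # Rewrite: drop headers that reveal the client or earlier hops, mark this hop.
    kept = [(n, v) for n, v in headers
            if n.lower() not in ("x-forwarded-for", "forwarded", "via")]
    kept.append(("Via", PROXY_NAME))
    out = f"{method} {target} {version}\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n"
    return "forward", out.encode("ascii") + body


# Constructed sample requests.
SAMPLE_OK = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
             b"X-Forwarded-For: 10.0.0.5\r\nUser-Agent: test\r\n\r\n")
SAMPLE_TUNNEL = b"CONNECT other.example.org:443 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_TRAVERSAL = b"GET /images/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_TUNNEL, SAMPLE_TRAVERSAL):
        verdict, detail = gateway_inspect(sample)
        print(verdict, detail if verdict == "drop" else detail.decode())
```

A packet filter would have passed all three sample requests, since each is ordinary TCP traffic to port 80 from a permitted address; only by reading the request line and headers can the gateway tell the CONNECT tunnel attempt and the path-traversal request apart from the legitimate one.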

The firewall architecture for the organization depends on the type of protection the organization needs. The architecture might be designed to protect internal networks from external; it might be used to segment different internal departments and might include packet filtering, stateful packet inspection, proxy/application gateways, or a combination of these.

In general, there are three basic types of firewall configurations:

  • Bastion host—A basic firewall architecture in which all internal and external communications must pass through the bastion host. The bastion host is exposed to the external network. Therefore, it must be locked down, removing any unnecessary applications or services. A bastion host can use packet filtering, proxy, or a combination; it is not a specific type of hardware, software, or device. Figure 3.5 shows a basic bastion host configuration.

Figure 3.5 Bastion host configuration.

  • Screened host—A screened host configuration generally consists of a screening router (border router) configured with access control lists. The router employs packet filtering to screen packets, which are then typically passed to the bastion host, and then on to the internal network. The screened host (the bastion host in this example) is the only device that receives traffic from the border router. This configuration provides an additional layer of protection for the screened host. Figure 3.6 shows a screened host configuration.

Figure 3.6 Screened host configuration.

  • Screened subnet—A screened subnet is similar to a screened host, with two key differences: the subnet generally contains multiple devices, and the bastion host is sandwiched between two routers (the exterior router and the interior router). In this configuration, the exterior router provides packet filtering and passes the traffic to the bastion. After the traffic is processed, the bastion passes the traffic to the interior router for additional filtering. The screened subnet, sometimes called a DMZ, provides a buffer zone between the internal and external networks. This configuration is used when an external population needs access to services (web, FTP, email) that the exterior router allows through, while the interior router does not allow those requests into the internal network. Figure 3.7 shows a screened subnet configuration.

Figure 3.7 Screened subnet configuration.

Firewall architecture is quite varied. The organization might decide on hardware- or software-based firewalls to provide network protection. In the case of software-based firewalls, it is important to remember that they will be installed on top of commercial operating systems, which may have their own vulnerabilities. This type of implementation requires the IT organization to ensure that the operating system is properly locked down and that there is a process in place to ensure continued installation of security patches. Any unnecessary services or applications, as well as unneeded protocols, must be removed or disabled from the operating system.

Because the objective of a firewall is to protect a trusted network from an untrusted network, any organization that uses external communications must implement some level of firewall technology. The firewall architecture should take into consideration the functions and level of security the organization requires. Firewalls are potential bottlenecks because they are responsible for inspecting all incoming and outgoing traffic. Firewalls configured at the perimeter of the network provide only limited protection, if any, against internal attacks, and misconfigured firewall rules can allow unwanted and potentially dangerous traffic onto the network.
