
Network Connectivity

Network connectivity has become integral to our lives in today's digital age. A reliable and efficient network is crucial, from staying connected with loved ones to conducting business operations. In this blog post, we will explore the significance of network connectivity and how it has shaped our world.

Over the years, network connectivity has evolved significantly. Gone are the days of dial-up connections and limited bandwidth. Today, we have access to high-speed internet connections, enabling us to connect with people around the globe instantly. This advancement has revolutionized communication, work, learning, and entertainment.

Network connectivity is the ability of devices or systems to connect and communicate with each other. It allows data to flow seamlessly, enabling us to access information, engage in online activities, and collaborate across vast distances. Whether through wired connections like Ethernet or wireless technologies such as Wi-Fi and cellular networks, network connectivity keeps us interconnected like never before.

Highlights: Network Connectivity

Network and Security Components

To understand network connectivity, we will break networking down into layers. Then, we can fit the different networking and security components that make up a network into each layer. This is the starting point for understanding how networks work and carrying out the advanced stages of troubleshooting.

Networking does not just magically happen; we need to follow protocols and rules so that two endpoints can communicate and share information. These rules and protocols don’t just exist on the endpoint, such as your laptop; they also need to exist on the network and security components in the path between the two endpoints. 

TCP/IP Suite and OSI Model

We have networking models, such as the TCP/IP suite and the OSI model, to help you understand which rules and protocols are needed on each component. These models are like the blueprint for a house: they lay out which function belongs at which layer, and which protocols provide that function.

For example, to find the MAC address, when you know the IP address of the destination, we use Address Resolution Protocol (ARP). So, we have rules and standards that we need to follow. By learning these rules, you can install, configure, and troubleshoot the main networking components of routers, switches, and security devices.

Related: Useful links to pre-information

  1. Network Security Components
  2. IP Forwarding
  3. Cisco Secure Firewall
  4. Distributed Firewalls
  5. Virtual Firewalls
  6. IPv6 Attacks
  7. Layer 3 Data Center
  8. SD WAN SASE

Back to Basics: What is Network Connectivity?

♦ Types of Network Connectivity

1. Wired Connectivity: Wired connections provide reliable and high-speed data transmission. Ethernet cables, fiber optics, and powerline adapters are typical examples of wired network connectivity. They offer stability and security, making them ideal for tasks requiring consistent and fast data transfer.

2. Wireless Connectivity: Wireless network connectivity has revolutionized how we connect. Wi-Fi networks have become ubiquitous, allowing us to access the internet wirelessly within a specific range. Additionally, cellular networks enable us to stay connected on the go, providing internet access even in remote areas.

Despite its numerous benefits, network connectivity can face challenges. Signal interference, network congestion, and security threats can hinder smooth connectivity. However, advancements in technology have paved the way for solutions. Mesh networks, signal boosters, and encryption protocols are tools and techniques to overcome these challenges and ensure reliable connectivity.

Network Connectivity Components

Main Connectivity Types: Wired vs Wireless

  • Wired connections provide reliable and high-speed data transmission.

  • Wireless connections utilize radio waves to transmit data between devices without needing physical cables.

  • Wireless networks need far less cabling, although access points still need power and, usually, a wired uplink.

  • Wired networks are less susceptible to interference and congestion, resulting in faster and more stable data transfer.

Section 1: Understanding Wired Connections

Wired connections have a long-standing history and are widely used in various settings. They involve physical cables that connect devices to a network. Ethernet cables, for instance, are commonly used to establish wired connections. These cables transmit data through electrical signals, ensuring reliable and secure connections. Wired connections are often preferred when stability and speed are crucial, such as in offices, data centers, and gaming setups.

Section 2: Pros and Cons of Wired Connections

While wired connections offer several advantages, they also come with their own set of limitations. One notable advantage is the consistent and reliable speed that wired connections provide. They are less susceptible to interference and congestion, resulting in faster and more stable data transfer. However, the downside of wired connections lies in their lack of mobility. Users are tethered to the physical connection point, limiting their freedom to move while remaining connected.

Section 3: Embracing Wireless Technology

On the other hand, wireless connections have revolutionized how we connect to networks. They utilize radio waves to transmit data between devices without needing physical cables. Wi-Fi networks have become incredibly popular, enabling users to connect multiple devices simultaneously. Wireless connections offer the convenience of mobility, allowing users to move freely within the coverage area while staying connected.

Section 4: Pros and Cons of Wireless Connections

Wireless connections have undoubtedly brought us unparalleled convenience, but they have some drawbacks. One of the main advantages is their flexibility, allowing users to connect devices without the hassle of cables. Wireless networks also need far less physical infrastructure, making them more cost-effective and easier to set up. However, wireless connections can be affected by interference from other devices, walls, and distance limitations, leading to signal drops and slower speeds. Anyone within radio range can also receive the frames, which is why the wireless link itself must be encrypted.

 

Lab Guide: Networking Scanning

PowerShell and TNC

There are multiple ways to scan a network to determine which hosts are up and which ports are open. PowerShell can do this with variables and loops, so the checks can be scripted. Below, I am using tnc, the alias for Test-NetConnection, to scan my own Ubuntu VM and the WAN gateway.

Note:

The command tnc is the alias for Test-NetConnection. It displays a summary of the request; when the target does not answer the ICMP echo, the output shows a timeout and PingSucceeded is False. That result can mean the target is powered off, or that ICMP is filtered somewhere in the path. The exact status text varies between operating systems even when the underlying result is the same.

You can scan for the presence of multiple systems on the network with the following 1..2 | % {tnc 192.168.0.$_}

Analysis:

    • This command will attempt to scan the two IP addresses 192.168.0.1 and 192.168.0.2. The range 1..2 can be extended, for example to 1..200, although the sweep will take longer to complete.
    • RDP is a prevalent protocol on machines within a corporate network for administrative purposes, so port 3389 is a useful one to test with the -Port parameter. The output shows TcpTestSucceeded as True if something accepted the connection on 3389, meaning the system is up and a service, typically Remote Desktop, is listening. TcpTestSucceeded equal to False means nothing completed the TCP handshake: either no RDP service is running, or a firewall in the path dropped or reset the connection.

In the following example, we use PowerShell to create a variable called $ports by typing $ports = 22,53,80,445,3389 and pressing the Return key. This variable stores several standard ports that might be found on the target system.

Then scan the machine using the new variable with the command $ports | ForEach-Object {$port = $_; if (tnc 192.168.0.2 -Port $port -InformationLevel Quiet) {“$port is open”} else {“$port is closed”}}. The -InformationLevel Quiet switch matters: without it, Test-NetConnection returns a result object, which PowerShell treats as true whether or not the port answered, so every port would be reported as open.

Analysis:

    • This code scans the IP address 192.168.0.2 and tests each port number in the previously created $ports variable. For each port that completes the TCP handshake, an open-port message is displayed.
    • For any port that does not answer, the message port is closed is shown. Several ports should be open on the machine according to the output.
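The same TCP connect scan written in Python, as an added example that is not part of the original lab guide. It reproduces what the $ports loop does (a full connect() per port, reported as open or closed) and what the 1..N sweep does for a single port across a range of addresses. The target 127.0.0.1, the port list and the throw-away local listener are assumptions made so the script runs offline; point scan_ports or scan_range at a lab host of your own to use it for real.

```python
# Added example (not from the original post): the TCP connect scan the
# PowerShell $ports loop performs, in Python. Targets and ports below are
# assumptions for the demo; a throw-away listener on 127.0.0.1 supplies one
# open port so the script runs offline.
import socket
from typing import Dict, Iterable, Tuple

COMMON_PORTS = [22, 53, 80, 445, 3389]  # same list as the $ports variable


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a full TCP connect() to host:port succeeds.

    connect_ex() returns 0 on success, otherwise an errno. A RST (nothing
    listening) and a timeout (filtered by a firewall) both come back as
    False here, the same ambiguity TcpTestSucceeded has; only a packet
    capture tells the two apart.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, bool]:
    """Map each port to open/closed, the way the ForEach-Object loop does."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def scan_range(prefix: str, first: int, last: int, port: int = 3389,
               timeout: float = 0.5) -> Dict[str, bool]:
    """Sweep prefix.first .. prefix.last for one port (the 1..N | % {tnc ...} idea)."""
    return {f"{prefix}.{n}": tcp_port_open(f"{prefix}.{n}", port, timeout)
            for n in range(first, last + 1)}


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind a listener on an ephemeral port; the kernel completes the handshake
    for a connecting scanner even if we never call accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Reserve and release an ephemeral port, so we know one that is closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> Tuple[bool, bool]:
    """Scan one open and one closed local port; returns (open_result, closed_result)."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port])
        for port, is_open in results.items():
            print(f"{port} is {'open' if is_open else 'closed'}")
        return results[open_port], results[closed_port]
    finally:
        srv.close()


if __name__ == "__main__":
    demo()
```

Against a real target the closed result is ambiguous in exactly the way the tnc output is: a closed port answers with a RST almost instantly, while a filtered port only times out, so a scan that mostly returns closed after the full timeout is usually telling you a firewall sits in the path.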

Network Connectivity: Technical Details

Source and Destination

Networking, or computer networking, transports and exchanges data between nodes over a shared medium in an information system. It’s about moving information from your application across and within your network. Generally speaking, the essence of network connectivity is a source and a destination that can communicate with each other.

There are different modes of communication, such as unicast, broadcast, and multicast. But for now, consider a network and the infrastructure used within a network to support communication between a single source and destination.

The source can be the application you use on your computer, such as your web browsers that use HTTP protocol. So, there are rules that your web browser software needs to follow, and the HTTP protocol specifies these. The destination could be elsewhere, such as an application hosted in the cloud or another network from your on-premise Local Area Network (LAN). In this case, we are moving from an on-premise network to a cloud network.

Diagram: What is network connectivity?

Lab Guide: IGMPv1

IGMPv1 is a network-layer protocol that lets hosts tell the local router which multicast groups they want to receive, so the router forwards a group’s traffic onto a LAN only when someone there has joined it. It is purely a group-membership protocol for the local segment; delivering one sender’s packets to many receivers is the job of multicast routing, which uses the membership information IGMP provides.

IGMP (Internet Group Management Protocol) version 1 is the first version hosts can use to announce to a router that they want to receive multicast traffic from a specific group. It’s a simple protocol that uses only two messages:

  • Membership report
  • Membership query

Below, we have one router and two hosts. We will enable multicast routing and IGMP on the router’s Gigabit 0/1 interface. All modern operating systems support IGMP.

  1. First, we enabled multicast routing globally; this is required for the router to process IGMP traffic.
  2. We enabled PIM on the interface. PIM is used for multicast routing between routers and is also required for the router to process IGMP traffic.

Diagram: IGMPv1.

Diagram: output of debug ip igmp.
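To see what the router is actually parsing in that debug output, here is an added example (not part of the original lab) that builds and decodes the two IGMPv1 messages, Membership Query and Membership Report, including the Internet checksum a receiver verifies before acting on the message. The group address 239.1.1.1 is a constructed sample; everything else follows the 8-byte IGMPv1 format from RFC 1112.

```python
# Added example (not from the original post): build and parse the two IGMPv1
# messages, including the Internet checksum the router verifies. Group
# 239.1.1.1 is a constructed sample address.
import ipaddress
import struct

IGMPV1_QUERY = 0x11   # high nibble: version 1; low nibble: type 1 (Host Membership Query)
IGMPV1_REPORT = 0x12  # version 1, type 2 (Host Membership Report)
ALL_HOSTS = "224.0.0.1"  # queries are sent here; reports go to the group itself, both with TTL 1
IGMP_TYPES = {1: "query", 2: "report"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv1(msg_type: int, group: str) -> bytes:
    """8-byte IGMPv1 message: version/type, unused, checksum, group address."""
    grp = int(ipaddress.IPv4Address(group))
    hdr = struct.pack("!BBHI", msg_type, 0, 0, grp)   # checksum field zeroed first
    return struct.pack("!BBHI", msg_type, 0, internet_checksum(hdr), grp)


def parse_igmpv1(msg: bytes) -> dict:
    """Validate and decode; raises ValueError on anything a router would drop."""
    if len(msg) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    vt, _unused, csum, grp = struct.unpack("!BBHI", msg[:8])
    version, mtype = vt >> 4, vt & 0x0F
    if version != 1:
        raise ValueError(f"not IGMPv1 (version {version})")
    # Summing a message that includes its own checksum must come out as zero.
    if internet_checksum(msg[:8]) != 0:
        raise ValueError("bad IGMP checksum")
    return {"type": IGMP_TYPES.get(mtype, f"unknown({mtype})"),
            "group": str(ipaddress.IPv4Address(grp)),
            "checksum": csum}


def membership_report(group: str) -> bytes:
    """What a host sends (to the group address, TTL 1) when an application joins."""
    return build_igmpv1(IGMPV1_REPORT, group)


def general_query() -> bytes:
    """What the querier router sends to 224.0.0.1; the group field is 0.0.0.0 in v1."""
    return build_igmpv1(IGMPV1_QUERY, "0.0.0.0")


if __name__ == "__main__":
    rpt = membership_report("239.1.1.1")
    print(rpt.hex(), parse_igmpv1(rpt))
    qry = general_query()
    print(qry.hex(), parse_igmpv1(qry))
```

The report for 239.1.1.1 encodes as 1200fdfcef010101: type 0x12, checksum 0xfdfc, then the group address. Because anything on the segment can send a report, IGMP is a trust-the-LAN protocol; the checksum catches corruption, not forgery, which is why IGMP snooping and filtering on the switch are the usual controls.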

Network Connectivity: Edges of Control

In the world of computer networking and network connectivity, there are different edges of control. If you are sitting in your home network, the edge of control is the home router provided by your service provider, together with the firewall function at that perimeter, the point between the internal and external networks.

In a home network that perimeter is static. In larger networks the perimeter is far more dissolved: you would need multiple firewalls, and multiple firewall types, positioned throughout the network, creating a defense-in-depth approach to security.

Diagram: Sample network for network connectivity.

One way to create the boundary between the external and internal networks is with a firewall. The example below shows a Cisco ASA firewall configured with zones, and the zones create the border. By convention the inside zone (Gig0/0 below) is given security level 100 and the outside zone security level 0. By default, the ASA permits traffic from a higher security level to a lower one and denies traffic from a lower level to a higher one, so hosts on the outside cannot initiate connections inwards unless an access list explicitly permits it.

ASA security zones are virtual boundaries created within your network infrastructure to control and monitor traffic flow. These zones provide an added layer of defense, segregating different network segments based on their trust levels. Administrators can apply specific security policies and access controls by classifying traffic into zones, reducing the risk of unauthorized access or malicious activities.

Diagram: Cisco ASA configuration.

Lab Guide: DMVPN – Network connectivity over the WAN.

The lab guide below has a Dynamic Multipoint VPN topology built on GRE tunnels. R12 is the hub, and R11 is the spoke; usually you would have additional spokes located across the WAN. DMVPN provides Layer 3 network connectivity over the Wide Area Network as an overlay: the tunnels are GRE, and the hub and spoke addresses inside the tunnel form their own IP network on top of the provider’s.

The underlay network connectivity is the SP network, and the overlay network connectivity is based on GRE. We can see the tunnel configuration with icon 1 in the diagram below. We have a tunnel source and destination with the tunnel protocol of point-to-point GRE.

Note:

DMVPN operates in different phases. Point-to-point GRE on the spokes is DMVPN phase 1; multipoint GRE on the spokes is used in phases 2 and 3, which allow direct spoke-to-spoke tunnels. Icon 2 displays the routing protocol running over the GRE overlay tunnel, and icon 3 shows the traceroute capture. We only see one hop because the probes travel inside the GRE tunnel: the service-provider routers decrement the TTL of the outer header only, and the inner packet’s TTL is decremented once, at the tunnel endpoint.

Diagram: DMVPN configuration.

Network Connectivity with Network Models

So, as I said, computer networks enable connected hosts, computers, to share and access resources. When you think of a network, think of an area that exists for sharing. One of the first purposes of network connectivity was sharing printers; it has since expanded to many other kinds of devices and services, but sharing is still its primary use case.

You need to know how all the connections happen and all the hardware and software that enables that exchange of resources. We do this using a networking model. So, we can use network models to conceptualize the many parts of a network, relying primarily on the Open Systems Interconnection (OSI) seven-layer model to help you understand networking. 

Remember that we don’t implement the OSI; we implement the TCP/IP suite. However, the OSI is a great place to start learning, as everything is divided into individual layers. You can place the network and security components at each layer to help you understand how networks work. Let us start with the OSI model before we move to the TCP/IP suite.

Why use the OSI Model?

The open systems interconnection (OSI) model is based on splitting a communication system into seven abstract layers, each stacked upon the last. What can you use the OSI model for? Understanding OSI enables a tech to determine quickly at what layer a problem can occur. Second, the OSI model provides a common language techs use to describe specific network functions.

Understanding the functions of each OSI layer is very important when troubleshooting network components and network communication. Once you understand these functions and the troubleshooting tools available to you at the various layers of the model, troubleshooting network-related problems and understanding will be much easier.

 

Highlighting the OSI layers

  • Layer 7 Application

The application layer provides the user interface. We have software applications like web browsers and email clients, to name a few, that rely on the application layer to initiate communications. Application layer protocols include HTTP and SMTP (Simple Mail Transfer Protocol is one of the protocols enabling email communications).

  • Layer 6 Presentation

The presentation layer determines how data is represented to the user. This layer is primarily responsible for preparing data so the application layer can use it; in other words, layer 6 makes the data presentable for applications to consume. Encryption and compression work at this layer.

  • Layer 5 Session

This layer is responsible for opening and closing communication between the two devices. The time between open and closed communication is known as the session. 

  • Layer 4 Transport

Layer 4, the transport layer, is responsible for end-to-end communication between the two devices. These activities include taking data from the session layer and breaking it into segments before sending it to layer 3. Layer 4 is also responsible for flow control and error control. 

  • Layer 3 Network

The network layer facilitates data transfer between different networks, using logical (IP) addresses and routers. If the two devices are on the same network, no routing is needed and delivery relies on the data link layer. 

  • Layer 2 Data Link

The data link layer is similar to the network layer, except that it moves data between two devices on the same network. It takes packets from the network layer and wraps each one in a frame addressed with source and destination MAC addresses; Ethernet also appends a checksum so that corrupted frames can be discarded. 

  • Layer 1 Physical

The physical layer defines physical properties for connections and communication: repeaters and hubs operate here. Wireless solutions are defined at the physical layer. 

Lab Guide: Data link layer and MAC addresses

The following lab guide will explore Media Access Control (MAC) addresses. MAC address works at the data link layer of the OSI model. This address may also be called the physical address since it’s the identifier assigned to a Network Interface Card (NIC).

While this is typically a physical card or controller that you might plug the ethernet or fiber into, MACs are also used to identify a pseudo-physical address for logical interfaces. This example shows the MAC changes seen in virtual machines or docker containers. 

Note:

We have a Docker container running a web service, with port 80 in the container mapped to port 8000 on the Docker host. The Docker host is an Ubuntu VM. Also notice the assigned MAC addresses; we will change these shortly. I am also running tcpdump, which starts a packet capture on the docker0 interface.

Analysis:

    • For this challenge, we will focus on the virtual network between your local endpoint and a web application running locally inside a docker container. The docker0 interface is your endpoint’s interface for communication with docker containers. The “veth…” interfaces are the virtual interfaces for web applications.
    • Even though the MAC address is supposed to be a statically assigned identifier for the specific NIC, it is straightforward to change. In the following screenshots we changed the MAC address and took the docker0 interface down to apply it.

Note:

Typically, attackers will spoof a MAC to mimic a desired type of device or use randomization software to mask their endpoint.

Now that you have seen how MAC addresses work, we can look at the ARP process.

Note:

When endpoints communicate across networks, they use logical IP addresses to track where the requests come from and the intended destination. Once a packet arrives internal to an environment, networking devices must convert that IP address to the more specific “physical” location the packets are destined for. That “physical” location is the MAC address you analyzed in the last challenge. The Address Resolution Protocol (ARP) is the protocol that makes that translation.

Analysis:

Let’s take this analysis step-by-step. When you send the curl request, or any traffic, the first thing that must happen is working out where to deliver it. We have the destination’s IP address, but not its Layer 2 MAC address, and ARP is the process that finds it.

Where did the initial ARP request come from?

    • The first packet has a destination MAC of ff:ff:ff:ff:ff:ff. Since your endpoint does not know the destination MAC address, the first ARP packet is a broadcast. That works, but it is a security concern.
    • A broadcast frame is delivered to every host on the local network. ARP was not designed with security in mind: the requester has no way to verify a reply, and in most stacks a later reply for the same address can overwrite the cache entry. An attacker who controls a host on the segment can therefore answer for the gateway, or for another host, with their own MAC and place themselves in the path of the traffic, a Man-in-the-Middle (MITM) attack. Notice the “Request who-has” line above.
    • ARP has no IP header of its own: the reply is addressed to the sender hardware address and sender IP carried in the ARP payload, and a host will normally accept a reply, or a gratuitous announcement, that it never asked for. This is what ARP spoofing relies on; the related MAC flooding attack instead overwhelms a switch’s address table so that it floods frames to every port. Notice the “Reply” at the end of the ARP process.

Understanding ARP:

ARP bridges the Network Layer (Layer 3) and the OSI model’s Data Link Layer (Layer 2). Its primary function is to map an IP address to a corresponding MAC address, allowing devices to exchange data efficiently.

The ARP Process:

1. ARP Request:

When a device wants to communicate with another on the same network, it sends an ARP request as a broadcast frame. This packet contains the target device’s IP address along with the requesting device’s own MAC and IP addresses.

2. ARP Reply:

Upon receiving the ARP request, the device with the matching IP address sends an ARP reply containing its MAC address. This reply is unicast to the requesting device.

3. ARP Cache:

Devices store the ARP mappings in an ARP cache to optimize future communications. This cache contains IP-to-MAC address mappings, eliminating the need for ARP requests for frequently accessed devices.

4. Gratuitous ARP:

In specific scenarios, a device may send a Gratuitous ARP packet to announce its presence or update its ARP cache. This packet contains the device’s IP and MAC address, allowing other devices to update their ARP caches accordingly.
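The exchange described in the analysis and the four steps above, as an added example that is not part of the original lab: it builds raw Ethernet/ARP frames, parses them field by field, and runs a small monitor over a constructed sequence of a broadcast who-has, the gateway’s genuine reply, and a spoofed reply for the same IP. The monitor keeps the first binding it saw and raises the two classic ARP-spoofing signals, a reply nobody asked for and a binding that contradicts the cached one. All MAC and IP addresses are constructed sample values.

```python
# Added example (not from the original post): parse raw ARP frames and run a
# small monitor over a constructed exchange: a broadcast request, the real
# reply, then a spoofed unsolicited reply for the same IP. All MACs and IPs
# are constructed sample values.
import struct
from typing import Dict, List, Optional, Set

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str,
              eth_dst: Optional[str] = None) -> bytes:
    """Ethernet II frame carrying an ARP packet (hardware type Ethernet, protocol IPv4)."""
    eth = mac_bytes(eth_dst or tha) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet header and the 28-byte ARP payload."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        raise ValueError(f"not ARP (ethertype {etype:#06x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpMonitor:
    """Keeps the first IP->MAC binding seen and flags replies nobody asked for, or
    replies that contradict an existing binding (the two ARP-spoofing tells)."""

    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}
        self.pending: Set[str] = set()   # IPs a request has gone out for
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> dict:
        a = parse_arp(frame)
        gratuitous = a["spa"] == a["tpa"]            # a host announcing itself
        if a["op"] == ARP_REQUEST and not gratuitous:
            self.pending.add(a["tpa"])
        elif a["op"] == ARP_REPLY:
            if a["spa"] in self.pending:
                self.pending.discard(a["spa"])
            elif not gratuitous:
                self.alerts.append(f"unsolicited reply: {a['spa']} is-at {a['sha']}")
        # Requests and replies both carry a sender binding; a naive stack caches it blindly.
        known = self.cache.get(a["spa"])
        if known is None:
            self.cache[a["spa"]] = a["sha"]
        elif known != a["sha"]:
            self.alerts.append(f"conflict: {a['spa']} was {known}, now claimed by {a['sha']}")
        return a


def demo() -> ArpMonitor:
    """Constructed exchange: who-has, the gateway's reply, then a spoofed reply."""
    victim, gateway, attacker = "aa:bb:cc:00:00:10", "aa:bb:cc:00:00:01", "dd:ee:ff:00:00:99"
    frames = [
        build_arp(ARP_REQUEST, victim, "192.168.0.10", ZERO_MAC, "192.168.0.1", eth_dst=BROADCAST),
        build_arp(ARP_REPLY, gateway, "192.168.0.1", victim, "192.168.0.10"),
        build_arp(ARP_REPLY, attacker, "192.168.0.1", victim, "192.168.0.10"),
    ]
    mon = ArpMonitor()
    for f in frames:
        a = mon.observe(f)
        if a["op"] == ARP_REQUEST:
            print(f"{a['eth_src']} -> {a['eth_dst']}: who-has {a['tpa']} tell {a['spa']}")
        else:
            print(f"{a['eth_src']} -> {a['eth_dst']}: {a['spa']} is-at {a['sha']}")
    for alert in mon.alerts:
        print("ALERT", alert)
    return mon


if __name__ == "__main__":
    demo()
```

The third frame trips both checks: nothing is pending for 192.168.0.1, and the cached binding already points at the gateway’s MAC. A real host running a last-writer-wins cache would silently adopt the attacker’s MAC at that point, which is the behaviour Dynamic ARP Inspection on the switch, or a tool like arpwatch, exists to catch.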

 

Lab Guide: Host Enumeration

Linux Host Enumeration

In a Linux environment, it is common practice to identify the host’s network details. A standalone, isolated machine is rare these days; most systems are interconnected with other systems somehow. The command used below displays IP information, and we save the output to a text file instead of the more usual approach of displaying it on the screen.

Note:

1. Below, you can see there is usually a lot of helpful information displayed with network information. In the screenshot, note the network device ens33, and the MAC address is also listed.

2. The hping3 is a command-line tool that can craft and send customized network packets. It offers various options and functionalities, making it an invaluable asset for network discovery, port scanning, and firewall testing tasks.

3. One of the critical strengths of hping3 lies in its advanced features. From TCP/IP stack fingerprinting to traceroute mode, hping3 goes beyond basic packet crafting and provides robust network analysis and troubleshooting techniques.

Analysis:

    • The w command will show who, what, and where from; in the above screenshot, a user is connecting from a remote location, and this highlights how interconnected we are today; connection could be anywhere in the world. Other helpful information here shows the user has a terminal open bash and is running the w command.
    • Use the hping3 command to send a fixed number of probes to your own machine, for example sudo hping3 127.0.0.1 -c 57, where -c 57 sets the count.
    • The sudo is needed as elevated privileges are required to run hping3. The IP address 127.0.0.1 is the loopback address, meaning this is your machine. We work in a secure lab environment and cannot ping systems online.
    • In the screenshot, errors will be displayed if there are any connection issues on the network. Generally, ping helps identify interconnected systems on the network. Hping is a much more advanced tool with many features beyond this challenge; It can also do advanced techniques for testing firewall port scanning and help penetration testers look for weaknesses. A potent tool!

Highlighting the TCP/IP Suite: Protocols

TCP/IP is a protocol suite, meaning multiple protocols exist to provide network connectivity. Each protocol in the suite has a specific purpose and function, and protocols work at different layers. The most widely used are the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Protocol (IP), and Address Resolution Protocol (ARP).

IP performs logical addressing so your computer can be found and reached across different networks. ARP converts these logical addresses to a physical MAC address to be transmitted on the wire. We can use the ICMP protocol for troubleshooting and diagnostics, which is the status- and error-reporting protocol.  

The IP is the Internet’s address system and delivers packets of information from a source device to a target device. IP is the primary way network connections are made, and it establishes the basis of the Internet. IP does not handle packet ordering or error checking. Such functionality requires another protocol, often the TCP.

For example, when an email is sent over TCP, a connection is established with a 3-way handshake. First, the source sends a SYN “initial request” packet to the target server to start the dialogue. Then, the target server sends a SYN-ACK packet to agree to the process. Lastly, the source sends an ACK packet to the target to confirm the process, after which the message contents can be sent.

  • TCP/IP: Networking Model: 4-layer model vs. 7-layer OSI

The TCP/IP model is a four-layer model similar in concept to the seven-layer OSI Reference Model. To simplify life, the four layers of the TCP/IP model map onto the seven layers of the OSI version; the TCP/IP model combines several OSI layers into one. When starting with networking, it is good to begin with the OSI model, where none of the layers are combined.

Moving through Layers: Enabling Network Connectivity

Each OSI model layer is responsible for communicating with the layers directly above and below, receiving data from or passing it to its neighboring layers. For example, the presentation layer will receive information from the application layer, format it appropriately, which could be encryption, as we mentioned, or compression, and then pass it to the session layer. The presentation layer will never deal directly with the transport, network, data link, or physical layers. The same idea is valid for all layers regarding their communication with other layers.

OSI Layer Example: Computers communicate with a server.

Let’s look at the layers from the point of view of two computers sending data to each other. The data is called different things at each layer. This is due to the encapsulation process, but we will call it data for now.

So we have Host A and Host B that want to send files to each other and will therefore exchange data on the network. Or Host B has a local web server, and Host A types the IP address of Host B into their browser. For network connectivity, we need a source and a destination.

So, Host A is the sending computer, the source, and Host B is the receiving computer, the destination. The data exchange starts with Host A sending a request to Host B in the application layer. So we have Host A, that is initiating the request.

At the receiving end, the destination, on host B, the data moves back up through the layers to the application layer, which passes the data to the appropriate application or service on the system. Port numbers will identify the proper service.

Starting to move through the layers

Network connectivity starts at the application layer of the OSI model on the sending system, in our case Host A, and works its way down through the layers to the physical layer. The information then passes over the communication medium, physical cabling such as copper or fiber, or wireless, until it reaches the far-end system, which works back up the layers, from the physical layer to the application layer.  

Action at one layer undone at another layer

When you think of two devices communicating, such as two computers, it is crucial to understand that whatever action is done at one layer of the sending computer is undone at the same layer on the receiving computer. For example, if the presentation layer on the sending computer compresses or encrypts the information, the data is decompressed or decrypted at the presentation layer on the receiving computer.

Network Connectivity and Network Security

So, we have just looked at generic connectivity. But there will be two main functions carried out by these networking and security devices. First, there is the network connectivity side of things. 

So, we will have network devices that will need to forward your traffic so it can reach its destination. Traffic is delivered based on IP. Keep in mind there is no guarantee with IP. Enabling reliable network connectivity is handled further up the stack. The primary version of IP used on the Internet today is Internet Protocol Version 4 (IPv4).

Due to size constraints with the total number of possible addresses in IPv4, a newer protocol was developed. The latest protocol is called IPv6. It makes many more addresses available and is increasing in adoption.

Network Security and TCPdump

Secondly, we will need to have network security devices. These devices allow traffic to pass through their interfaces if they deem it safe, and policy permits the traffic to pass through that zone in the network. The threat landscape is dynamic, and bad actors have many tools to disguise their intentions. Therefore, we have many different types of network security devices to consider.

Tcpdump is a powerful command-line packet analyzer that allows users to capture and examine network traffic in real-time. It captures packets from a network interface and displays their content, offering a detailed glimpse into the intricacies of data transmission.

Getting Started with tcpdump

To utilize TCPdump effectively, it is crucial to understand its primary usage and command syntax. By employing a combination of command-line options, filters, and expressions, users can tailor their packet-capturing experience to suit their specific needs. We will explore various TCPdump commands and parameters, including filtering by source or destination IP, port numbers, or protocol types.

Analyzing Captured Packets

Once network packets are captured using TCPdump, the next step is to analyze them effectively. This section will explore techniques for examining packet headers, payload data, and extracting relevant information. We will also explore how to interpret and decode different protocols, such as TCP, UDP, ICMP, and more, to understand network traffic behavior better.

 

Lab Guide: tcpdump

Capturing Traffic with tcpdump

Note:

Remember that starting tcpdump requires elevated permissions and initiates a continuous traffic capture by default, resulting in an ongoing display of network packets scrolling across your screen. To save the output of tcpdump to a file, use the following command:

sudo tcpdump -vw test.pcap

Tip: Learn tcpdump arguments

  • sudo Run tcpdump with elevated permissions

  • -v Use verbose output

  • -w write output to the file

Analysis:

    • Running TCPdump is an invaluable tool for network analysis and troubleshooting. It lets you capture and view the live traffic flowing through your network interfaces. This real-time insight can be crucial for identifying issues, understanding network behavior, and detecting security threats.

Next, to capture traffic from a specific IP address, at the terminal prompt, enter:

sudo tcpdump ip host 192.168.18.131

Tip: Learn tcpdump arguments

  • ip the protocol to capture

  • host <ip address> limit the capture to a single host’s IP address

To capture a set number of packets, type the following command:

sudo tcpdump -c20

Analysis:

    • Filtering tcpdump on a specific IP address streamlines the analysis by focusing only on the traffic involving that address. This targeted approach can reveal patterns, potential security threats, or performance issues related to that host.
    • Limiting the packet count in a tcpdump capture, such as 20 packets, creates a more focused and manageable dataset for analysis. This can be particularly useful in isolating incidents or behaviors without being overwhelmed by continuous information.
    • Tcpdump finds practical applications in various scenarios. Whether troubleshooting network connectivity issues, detecting network intrusions, or performing forensic analysis, tcpdump is an indispensable tool.
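To make the filters in this lab concrete, here is an added Python example (not part of the original lab guide and not tcpdump's own code) that reads the pcap format tcpdump -w writes and applies the equivalent of the ip host <address> filter and the -c <count> option to it. The capture it reads is constructed inline so the script runs offline; the MAC and IP addresses in it are made up.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_ipv4_frame(src_ip, dst_ip, proto, payload=b""):
    """Constructed Ethernet + IPv4 frame used as sample data (checksum left at 0)."""
    eth = (bytes.fromhex("020000000001")           # destination MAC (made up)
           + bytes.fromhex("020000000002")         # source MAC (made up)
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload),   # version/IHL, TOS, total length
                     0, 0,                         # identification, flags/fragment offset
                     64, proto, 0,                 # TTL, protocol, header checksum
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def build_pcap(frames):
    """Serialise frames in the pcap format that tcpdump -w test.pcap produces."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(data):
    """Yield link-layer frames from pcap bytes, honouring the byte order the magic implies."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        order = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        order = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def decode_ipv4(frame):
    """Return (src, dst, protocol name) for an IPv4 frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if frame[14] >> 4 != 4 or (frame[14] & 0x0F) < 5:
        return None                                   # not IPv4, or header too short
    proto = frame[23]
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
            PROTO_NAMES.get(proto, str(proto)))


def select_packets(pcap_bytes, host=None, count=None):
    """Apply the equivalent of the filter 'ip host <host>' and the option '-c <count>'."""
    selected = []
    for frame in iter_frames(pcap_bytes):
        pkt = decode_ipv4(frame)
        if pkt is None:
            continue                 # 'ip' keeps IPv4 only; ARP and the like are dropped
        if host is not None and host not in pkt[:2]:
            continue                 # 'host X' matches X as source OR destination
        selected.append(pkt)
        if count is not None and len(selected) >= count:
            break                    # '-c N' stops the capture after N matching packets
    return selected


# Constructed sample capture standing in for test.pcap (not a real capture).
SAMPLE_PCAP = build_pcap([
    build_ipv4_frame("192.168.18.131", "8.8.8.8", 17),    # DNS query leaving the host
    build_ipv4_frame("10.0.0.5", "10.0.0.9", 6),          # unrelated TCP segment
    build_ipv4_frame("8.8.8.8", "192.168.18.131", 17),    # DNS reply coming back
    build_ipv4_frame("192.168.18.131", "10.0.0.9", 1),    # ICMP echo from the host
])

if __name__ == "__main__":
    for src, dst, proto in select_packets(SAMPLE_PCAP, host="192.168.18.131", count=20):
        print(f"IP {src} > {dst}: {proto}")
```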

Components for network connectivity

In general, we have routers forwarding the traffic based on IP, and they usually work with switches that help connect all the devices. Switches work with MAC addresses and not IP addresses. Then we have the security devices such as firewalls that help with the security side of things. Generally, a firewall device will allow all traffic to leave the network, but only traffic you permit can enter the network.

♦ Starting with the Layer 3 Router

Routers, the magic boxes that act as the interconnection points, have the built-in smarts to inspect incoming packets and forward them toward their eventual LAN destination. Routers are, for the most part, automatic. A router is any hardware or software that forwards packets based on their destination IP address.

Routers work at the OSI model’s Network layer (Layer 3). Classically, routers are dedicated boxes with at least two connections, although many have more connections and offer various network connectivity options.

The router inspects each packet’s destination IP address and then sends the IP packet out to the correct port. To perform this inspection, every router has a routing table that tells the router exactly where to send the packets. This table is the key to understanding and controlling forwarding packets to their proper destination.

♦ Starting with Switches

Then we have switches, which send each frame only to the port where its destination resides. This reduces the number of devices receiving the frame and so reduces the chance of collisions. With switches we still have a star topology, but the link between an end host and its switch port is treated as point-to-point.

This allows full-duplex communication, which effectively disables the CSMA/CD process between the switch port and the attached device. The ability to transmit and receive simultaneously exists only between the switch port and the end station. Consider full-duplex to be a 10x speed improvement over half-duplex. The switch port also acts as a boundary for collisions.

Building a small network: Network and Security Components

Information on Hub 

With the information you learned from the OSI, let’s look at some networking components in more detail. Networking started with hubs. A hub is an older network device you hopefully do not encounter on your networks because more effective and secure switches have replaced them. A network hub has three pitfalls: 

  • No filtering 

When a system sends data to another system, the hub receives the data and then sends it to all other ports on the hub. A switch operating at Layer 2 will understand MAC addresses to make better forwarding decisions. 

  • Collisions 

Because data was sent to all other ports and any system could transmit at any time, hubs produced many collisions on the network. A collision occurs when two transmissions overlap on the wire; both must be retransmitted, which degrades application performance.

  • Security For Hubs 

Because the data was sent to all ports on the hub, all systems receive all data. Systems look at the destination address in the frame to decide whether to process or discard the data. 

Packet Sniffer

But if someone were running a packet sniffer such as Wireshark or tcpdump on a system attached to a hub, they would receive all packets and be able to read them. Sniffers examine the streams of data packets that flow between computers on a network and between those computers and the wider Internet. This created a huge security concern.

The solution to the hub problem was to replace network hubs with switches with better filtering capabilities and the capability to carve a switch into multiple switches using VLANs. This improves security and performance.

Lab Guide: Networking Scanning with Python

Python and NMAP

I am scanning my local network in this lab guide, looking for targets and potential weaknesses. Knowing my shortcomings will help strengthen the overall security posture. I am scanning and attempting to gain access to services with Python.

Network scanning is the process of identifying and mapping the devices and resources within a network. It helps in identifying potential vulnerabilities, misconfigurations, and security loopholes. Python, a versatile scripting language, provides several modules and libraries for network scanning tasks.

Note:

  1. Python offers various libraries and modules that can be used with Nmap for network scanning. One such library is “python-nmap,” which provides a Pythonic way to interact with Nmap. By leveraging this library, we can easily automate scanning tasks, customize scan parameters, and retrieve results for further analysis.
  2. The code will import the Nmap library used to provide Nmap functionality. Then, the most basic default scan will be performed against the Target 1 virtual machine.

Steps:

  1. Using the nano editor, create a new text file called scannetwork.py by typing nano scannetwork.py. This is where the Python script will be made.
  2. With nano open, enter the following Python code to perform a basic default port scan using Nmap with Python. Add your IP address for the Target 1 virtual machine to the script.
    import nmap  # python-nmap wrapper; the nmap binary itself must be installed

    # Create the scanner object that drives nmap and parses its XML output
    nm = nmap.PortScanner()
    print('Perform default port scan')
    # Default scan (no extra arguments) against the Target 1 virtual machine
    nm.scan('add.ip.address.here')  # replace with the Target 1 IP address
    print(nm.scaninfo())

Analysis:

    • Scan results may vary. The output shows many numbers, which are port numbers, and the scan completes quickly. Because this is a full default scan run without any arguments, and because Python returns as soon as Nmap does, the results will likely produce errors.
    • Remember that you need to have NMAP installed first.

Conclusion:

Python network scanning has numerous real-world applications. From security audits to vulnerability assessments, Python-based network scanning tools can greatly assist in identifying potential risks and strengthening overall network security. Additionally, network administrators can automate routine scanning tasks, saving time and effort.

Python and tools like Nmap empower network security professionals to conduct comprehensive and efficient network scans. By automating the scanning process and leveraging Python’s flexibility, developers can create robust solutions tailored to their specific needs. Whether for security auditing or network exploration, Python network scanning opens up a world of possibilities.

Network connectivity: Start with switches 

At Layer 2, we have switches, which reduce collisions, optimize traffic, and are better from a security point of view. Switches are one of the most common devices used on networks today. All other devices connect to the switch to gain access to the network. For example, you connect workstations, servers, printers, and routers to a switch so that each device can send and receive data to and from the other devices. The switch acts as the central network connectivity point for all devices on the network.

Layer 2 Switch: How switches work

The switch tracks every device’s MAC address (the physical address burned into the network card) and then associates that device’s MAC address with the port on the switch to which the device is connected. The switch stores this information in a MAC address table in memory on the switch. The switch then acts as a filtering device by sending data only to the port that the data is destined for.

Collision Domains and Broadcast Domains 

Collision Domain: Hub – Single Collision Domain 

In a collision domain, data transmission collisions can occur. For example, suppose you are using a hub to connect ten systems to a network. Because traffic is sent to all ports on the hub, the data could collide on the network if several systems send data simultaneously. For this reason, all network ports on a hub (and any devices connected to those ports) are considered parts of a single collision domain. This also means that when you cascade one hub off another, all the hubs are part of the same collision domain: connect 100 hubs and, even though they are different physical devices, it is still one collision domain.

Switches: Break down Collision Domains

If you were using a switch to connect the ten systems, each port on the switch would create its own network segment. When a system connected to the switch sends data, the switch sends the data only to the port on which the destination system resides. For this reason, if another system were to send data simultaneously, the data would not collide. As a result, each port on the switch creates a separate collision domain.

Controlling Broadcast Domain

A broadcast domain is a group of systems that can receive one another’s broadcast messages. When using a hub to connect five systems in a network environment, if one system sends a broadcast message, the message is received by all other systems connected to the hub. For this reason, all ports on the hub create a single broadcast domain. Likewise, if all five systems were connected to a switch and one sent a broadcast message, all other systems on the network would receive the broadcast message. 

Therefore, all ports are part of the same broadcast domain when using a switch. If you wanted to control which systems received broadcast messages, you would have to use a router that does not forward broadcast messages to other networks. You could also use virtual LANs (VLANs) on a switch, with each VLAN being a different broadcast domain.
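The forwarding behaviour described in the hub and switch sections above, as an added Python simulation (not code from the original post): a hub repeats every frame out every other port, a learning switch builds its MAC address table from the source addresses it sees and floods only unknown destinations and broadcasts, and VLANs split one switch into separate broadcast domains. The hosts and MAC addresses are constructed.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str


class Hub:
    """A hub has no MAC table: every frame is repeated out every other port."""

    def __init__(self, ports):
        self.ports = ports

    def receive(self, in_port, frame):
        return [p for p in range(self.ports) if p != in_port]


@dataclass
class Switch:
    ports: int
    port_vlan: dict = field(default_factory=dict)   # port -> VLAN id, default VLAN 1
    mac_table: dict = field(default_factory=dict)   # (vlan, mac) -> port, learned from sources

    def vlan_of(self, port):
        return self.port_vlan.get(port, 1)

    def broadcast_domains(self):
        """Ports grouped by VLAN: each VLAN is one broadcast domain."""
        domains = {}
        for p in range(self.ports):
            domains.setdefault(self.vlan_of(p), []).append(p)
        return domains

    def receive(self, in_port, frame):
        """Return the egress ports for a frame arriving on in_port."""
        vlan = self.vlan_of(in_port)
        self.mac_table[(vlan, frame.src)] = in_port            # learning step
        same_vlan = [p for p in range(self.ports) if p != in_port and self.vlan_of(p) == vlan]
        if frame.dst == BROADCAST:
            return same_vlan                                    # reaches the whole VLAN only
        out_port = self.mac_table.get((vlan, frame.dst))
        if out_port is None:
            return same_vlan                                    # unknown unicast: flood, hub-like
        if out_port == in_port:
            return []                                           # destination is on the ingress segment
        return [out_port]                                       # known unicast: one port, nobody else sees it


def demo():
    """Three frames between hosts A (port 0) and B (port 1) on a 4-port switch (constructed)."""
    a, b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    hub, sw = Hub(ports=4), Switch(ports=4)
    results = {
        "hub": hub.receive(0, Frame(a, b)),        # every other port, every time
        "first": sw.receive(0, Frame(a, b)),       # B unknown yet: flooded like a hub
        "reply": sw.receive(1, Frame(b, a)),       # A was learned on port 0 from the first frame
        "second": sw.receive(0, Frame(a, b)),      # B now known on port 1
    }
    # VLANs carve one physical switch into separate broadcast domains.
    vlan_sw = Switch(ports=4, port_vlan={2: 20, 3: 20})
    results["bcast_vlan1"] = vlan_sw.receive(0, Frame(a, BROADCAST))
    results["domains"] = vlan_sw.broadcast_domains()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```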

Network Connectivity: Starting with Routers

A switch connects all systems in a LAN setup, but what if you want to send data from your network to another network or across the Internet? That is the job of a router. Routers work at Layer 3 of the OSI model. A router sends or routes data from one network to another until the data reaches its final destination. Note that although switches look at the MAC address to decide where to forward a frame, routers use the IP address to determine what network to send the data to. 

Network Connectivity with Network Routing

Network routing is the process of selecting a path across one or more networks. Routing principles can apply to any network, from telephone systems to public transportation. In packet-switching networks, such as the Internet, routing selects the paths for Internet Protocol (IP) packets to travel from origin to destination. These Internet routing decisions are made by specialized network hardware called routers.

Routing Tables and Layer 3 Connectivity

Routers refer to internal routing tables to decide how to route packets along network paths. A routing table records the paths packets should take to reach every destination the router is responsible for; in other words, it lists all the networks the router can reach. Routing tables are populated either by static configuration or by routing protocols.

Routing tables can either be static or dynamic. Static routing tables do not change. A network administrator manually sets up static routing tables. This sets in stone the routes data packets take across the network unless the administrator manually updates the tables. Dynamic routing tables update automatically. 

Diagram: Layer 3 connectivity. Source: geeksforgeeks

Dynamic routers use various routing protocols (see below) to determine the shortest and fastest paths, basing this determination in part on how long packets take to reach their destination. Dynamic routing requires more computing power, so smaller networks may rely on static routing. For medium-sized and large networks, however, dynamic routing is much more efficient.

Understanding NAT Static

NAT static, also known as static NAT, maps an internal private IP address to a specific public IP address. Unlike dynamic NAT, which dynamically assigns public IP addresses from a pool, NAT static uses a fixed mapping configuration. This means the private IP address is consistently associated with the same public IP address, ensuring reliability.

One of the critical advantages of NAT static is enhanced security. A one-to-one mapping between private and public IP addresses creates a clear separation between internal and external networks. This adds a layer of protection against potential cyber threats. Moreover, NAT static enables organizations to host services or applications on internal servers by exposing them to the public using a dedicated public IP address.

Implementation of NAT Static

Implementing NAT static requires configuration settings on a network device, typically a router or firewall. The process involves specifying the mapped internal IP address and the corresponding public IP address. Port forwarding rules can also be set up to direct incoming traffic to specific services or applications within the internal network.

NAT static finds valuable applications in various scenarios. For instance, it is widely used in organizations that require external access to internal resources, such as web servers, FTP servers, or VPN gateways. By utilizing NAT static, these resources can be accessed securely from the internet while maintaining the privacy of the internal network.

Lab Guide: Static NAT in Cisco IOS

Below in the following lab guide, you see 3 routers called Host, NAT, and Web1. There are two segments to this network—an internal and an external segment. The NAT device creates the network boundary. In our case, this is a Cisco IOS router. In the production network, this would be a Firewall. Imagine our host is on our LAN, and the web server is somewhere on the Internet. Our NAT router in the middle is our connection to the Internet.

Note:

1. It is possible to disable “routing” on a router, which turns it into a typical host that requires a default gateway. This is very convenient because it saves you the hassle of connecting real computers/laptops to your lab.

2. Use no ip routing to disable the routing capabilities.

3. I use debug ip packet to see the IP packets that I receive. Don’t do this on a production network, or you’ll be overburdened with debug messages!

Analysis:

    • You can use the show ip nat translations command to verify our configuration. The packet the web server receives from the host has a source IP address of 192.168.23.2.
    • And when the web server responds, the destination IP address is 192.168.23.2. Now we know that static NAT is working.

Conclusion:

In conclusion, NAT static offers a reliable and secure method of connecting internal networks to the external world. With its fixed mapping configuration and enhanced security features, organizations can confidently expose services and applications while protecting their network infrastructure.

What is Dynamic NAT?

Dynamic NAT, also known as NAPT (Network Address Port Translation), translates private IP addresses to public ones on a network. Unlike Static NAT, which uses one-to-one mapping, Dynamic NAT allows multiple private IP addresses to share a single public IP address. This dynamic mapping is based on the availability of public IP addresses in the NAT pool.

When a device from a private network initiates a connection to the internet, Dynamic NAT dynamically assigns a public IP address from the NAT pool to that device. This dynamic mapping is stored in a NAT translation table, which keeps track of the private IP address, the assigned public IP address, and the associated ports. As the connection terminates, the mapping is released, making the public IP address available for other devices.

Benefits and Use Cases of Dynamic NAT

Dynamic NAT offers several advantages, making it a popular choice for organizations and network administrators. Firstly, it allows the conservation of public IP addresses by sharing them among multiple devices. This scalability is particularly useful for large networks with limited public IP resources. Additionally, Dynamic NAT provides an additional layer of security as private IP addresses are not exposed to the internet directly. This makes it an ideal solution for securing internal networks.

Use cases for Dynamic NAT range from small office setups to large enterprise networks. It is commonly used in scenarios where there is a need for multiple devices to access the internet simultaneously while sharing a limited number of public IP addresses. This includes home networks, small businesses, and service providers managing large-scale networks.

Implementing Dynamic NAT

Implementing Dynamic NAT involves configuring NAT policies on networking devices such as routers or firewalls. These policies define the NAT pool, which includes the range of public IP addresses available for dynamic mapping. Additionally, access control lists (ACLs) can be used to specify which devices are eligible for Dynamic NAT. Careful planning and network design are essential to ensure smooth operation and efficient utilization of available resources.

Lab Guide on Dynamic NAT

It’s time to configure dynamic NAT, where we use a pool of IP addresses for translation. I’ll use a fairly simple topology with two hosts and one router performing NAT. This time, we have 2 host routers on the left side, and I’m using another subnet. The subnet 192.168.123.0/24 is the internal network, and 192.168.23.0 is the external network.

Note:

  • The ip nat pool command lets us create a pool; I call it “MYPOOL”. For this pool, I’m using IP addresses 192.168.23.10 up to 192.168.23.20. We can now select the hosts we want to translate, which is done with the access list.
  • The access list above matches network 192.168.123.0 /24. That’s where host1 and host2 are located. The last step is to put the access list and pool together:
  • The command above selects access-list 1 as the source, and we will translate it to the pool called “MYPOOL.” This ensures that host1 and host2 are translated to an IP address from our pool.  Remember that the unmanaged switch is just used for port connectivity and has no VLAN configuration.

Analysis:

    • And as you can see, host2 has been translated to IP address 192.168.2.11.
    • As you can see above, host1 has been translated to IP address 192.168.23.10.
    • Inside global is the IP address on the outside interface of your router performing NAT.
    • Inside local is the IP address of one of your inside hosts translated with NAT.
    • Outside local is the IP address of the device you are trying to reach, in our example, the web server (Web1).
    • Outside global is also the IP address of the device you are trying to reach, such as the webserver (Web1).

Why are the outside local and outside global IP addresses the same? With NAT, it’s possible to translate more than just from “inside” to “outside.” It’s possible to create an entry in our NAT router that whenever one of the hosts sends a ping to an IP address (say 10.10.10.10), it will be forwarded to Web1. In this example, the “outside webserver” is “locally” seen by our hosts as 10.10.10.10, not 192.168.23.3.
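An added Python model of the two NAT labs above (illustrative code, not Cisco IOS and not the author's lab configuration): static one-to-one entries, a dynamic pool gated by an access list, release of pool addresses when a connection ends, and the four columns that show ip nat translations prints. The pool 192.168.23.10 to .20, the inside network 192.168.123.0/24 and Web1 at 192.168.23.3 follow the lab; the host addresses, the static server mapping and the 10.10.10.10 alias handling are constructed for the example.

```python
import ipaddress


class NatRouter:
    """Static NAT, dynamic pool NAT and a show-ip-nat-translations style table."""

    def __init__(self, pool_start, pool_end, inside_acl):
        first = int(ipaddress.ip_address(pool_start))
        last = int(ipaddress.ip_address(pool_end))
        self.free_pool = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.inside_acl = ipaddress.ip_network(inside_acl)   # access-list permitting inside hosts
        self.static_inside = {}     # inside local -> inside global (static NAT)
        self.static_outside = {}    # outside local -> outside global (outside source static)
        self.table = {}             # inside local -> translation row

    def add_static_inside(self, inside_local, inside_global):
        self.static_inside[inside_local] = inside_global

    def add_static_outside(self, outside_local, outside_global):
        self.static_outside[outside_local] = outside_global

    def _inside_global_for(self, inside_local):
        """Static entry first, then an existing row, then a fresh pool address."""
        if inside_local in self.static_inside:
            return self.static_inside[inside_local]
        if inside_local in self.table:
            return self.table[inside_local]["inside_global"]
        if ipaddress.ip_address(inside_local) in self.inside_acl and self.free_pool:
            return self.free_pool.pop(0)        # dynamic NAT: lowest free pool address
        return None                             # denied by the ACL, or pool exhausted

    def outbound(self, src, dst):
        """Inside -> outside: returns (inside global, outside global) or None."""
        inside_global = self._inside_global_for(src)
        if inside_global is None:
            return None
        outside_global = self.static_outside.get(dst, dst)  # dst may be a local alias of Web1
        self.table[src] = {"inside_global": inside_global, "inside_local": src,
                           "outside_local": dst, "outside_global": outside_global}
        return inside_global, outside_global

    def inbound(self, src, dst):
        """Outside -> inside: returns (outside local, inside local); None means drop."""
        for row in self.table.values():
            if row["inside_global"] == dst:
                return row["outside_local"], row["inside_local"]
        # A static entry answers even with no prior traffic; that is what makes an
        # internal server reachable from outside. A pool address without a row is dropped.
        for inside_local, inside_global in self.static_inside.items():
            if inside_global == dst:
                return src, inside_local
        return None

    def release(self, inside_local):
        """Connection finished: a dynamic address goes back into the pool."""
        row = self.table.pop(inside_local, None)
        if row is not None and inside_local not in self.static_inside:
            self.free_pool.append(row["inside_global"])
            self.free_pool.sort(key=lambda ip: int(ipaddress.ip_address(ip)))

    def show_translations(self):
        """Rows ordered by inside global address, as the IOS command lists them."""
        return sorted(self.table.values(),
                      key=lambda r: int(ipaddress.ip_address(r["inside_global"])))


def demo():
    # Constructed scenario: host1/host2 on 192.168.123.0/24, pool .10-.20, Web1 at
    # 192.168.23.3 as in the lab; the static server mapping is made up for the example.
    nat = NatRouter("192.168.23.10", "192.168.23.20", "192.168.123.0/24")
    nat.add_static_inside("192.168.123.100", "192.168.23.2")
    nat.add_static_outside("10.10.10.10", "192.168.23.3")
    nat.outbound("192.168.123.1", "192.168.23.3")      # host1 -> Web1 directly
    nat.outbound("192.168.123.2", "10.10.10.10")       # host2 -> Web1 via its local alias
    return nat


if __name__ == "__main__":
    print("Inside global     Inside local      Outside local     Outside global")
    for row in demo().show_translations():
        print("{inside_global:17} {inside_local:17} {outside_local:17} {outside_global}".format(**row))
```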

Conclusion:

Dynamic NAT serves as a versatile and efficient solution for network address translation. By allowing multiple devices to share a public IP address, it offers scalability, security, and optimized resource utilization.

Network Connectivity: Starting with Firewalls 

A firewall is a security system that monitors and controls network traffic based on security rules. Firewalls usually sit between a trusted network and an untrusted one, often the Internet. For example, office networks often use a firewall to protect themselves from online threats. Firewalls control which traffic is allowed to enter a network or system and which traffic should be blocked.

When configuring a firewall, you create the rules for allowing and denying traffic based on the traffic protocol, port number, and direction. Firewalls work at Layer 3 and Layer 4 of the OSI model. We know now that Layer 3 is the Network Layer where IP works. Then we have Layer 4, the Transport Layer, where TCP and UDP work. 

Stateful Inspection Firewall

Packet filtering firewall 

A packet-filtering firewall can filter traffic based on the source and destination IP addresses, the source and destination port numbers, and the protocol used. The downfall of a simple packet-filtering firewall is that it does not understand the context of the conversation, making it easy for a bad actor to craft a packet that passes through the firewall.

Stateful packet inspection

Like a packet-filtering firewall, a stateful packet inspection firewall filters traffic based on source and destination IP addresses, source and destination port numbers, and the protocol in use, but it also understands the context of a conversation. Stateful firewalls rely heavily on that context when making decisions.

For example, if the firewall records outgoing packets on one connection requesting a certain kind of response, it will only allow incoming packets on that connection if they provide the requested type of response. Stateful firewalls can also protect ports by keeping them all closed unless incoming packets request access to a specific port. This can mitigate an attack known as port scanning.
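An added Python comparison (not code from the original post) of the two designs just described: a stateless packet filter that judges each packet by its Layer 3/4 fields against a rule list, beside a stateful firewall that admits an inbound segment only when it matches a connection it saw leave and fits that connection's current state. All addresses, ports and rules are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False      # TCP flags the stateful engine keys on
    ack: bool = False


# Constructed stateless rule set for a site that lets everything out and wants replies back.
# Format: (direction, proto, (low dport, high dport), ACK flag required, action).
STATELESS_RULES = [
    ("out", "tcp", (1, 65535), False, "allow"),
    ("out", "udp", (1, 65535), False, "allow"),
    ("in", "tcp", (1024, 65535), True, "allow"),    # "looks like a reply": ACK set, ephemeral port
    ("in", "udp", (1024, 65535), False, "allow"),   # DNS/NTP answers; cannot tell solicited from not
]


class PacketFilter:
    """Stateless filter: every packet is judged alone against Layer 3/4 fields."""

    def __init__(self, rules=STATELESS_RULES):
        self.rules = rules

    def decide(self, direction, pkt):
        for rule_dir, proto, (low, high), need_ack, action in self.rules:
            if (rule_dir == direction and proto == pkt.proto
                    and low <= pkt.dport <= high and (pkt.ack or not need_ack)):
                return action
        return "deny"                     # implicit deny at the end of the list


class StatefulFirewall:
    """Stateful inspection: outbound traffic creates state; inbound is allowed only
    when it matches a recorded connection and fits the state that connection is in."""

    def __init__(self):
        self.conns = {}                   # (src, sport, dst, dport, proto) -> state

    def decide(self, direction, pkt):
        if direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if key not in self.conns:
                if pkt.proto == "tcp" and not pkt.syn:
                    return "deny"         # a new TCP connection must start with SYN
                self.conns[key] = "NEW"
            return "allow"
        # Inbound: look up the reversed 5-tuple. No entry means the port is closed,
        # whatever flags the packet carries; that is what a stateless filter cannot do.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        state = self.conns.get(key)
        if state is None:
            return "deny"
        if pkt.proto == "tcp":
            if state == "NEW":
                if not (pkt.syn and pkt.ack):
                    return "deny"         # only a SYN/ACK is a valid answer to our SYN
                self.conns[key] = "ESTABLISHED"
            elif not pkt.ack:
                return "deny"             # mid-connection segments carry ACK
        return "allow"

    def close(self, pkt):
        """Drop state when a connection ends (FIN/RST or an idle timeout on real devices)."""
        self.conns.pop((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto), None)


def demo():
    """Both firewalls on a genuine reply and on an unsolicited inbound segment (constructed)."""
    stateless, stateful = PacketFilter(), StatefulFirewall()
    request = Packet("10.0.0.5", 51000, "203.0.113.9", 443, syn=True)           # inside host opens HTTPS
    reply = Packet("203.0.113.9", 443, "10.0.0.5", 51000, syn=True, ack=True)   # server answers
    stray = Packet("198.51.100.7", 443, "10.0.0.5", 4444, ack=True)             # nobody asked for this
    return {
        "stateless_stray": stateless.decide("in", stray),    # matches the "ACK + high port" rule
        "stateful_stray": stateful.decide("in", stray),      # no connection state, so denied
        "reply_before_request": stateful.decide("in", reply),
        "request": stateful.decide("out", request),
        "reply_after_request": stateful.decide("in", reply),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```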

Lab Guide: Traffic flow and NAT

NAT operates as a middleman between a local network and the internet. When a device within a private network wants to communicate with an external device on the internet, NAT translates the private IP address of the sending device into the public IP address assigned to the network.

This translation process allows the device to establish a connection and send data packets across the Internet. In the below example, the ASAv performs NAT as traffic flows from R1 to R2. R1 is in an internal zone, while R2 is outside.

Diagram: Firewall traffic flow and NAT

Next-generation firewall 

A next-generation firewall (NGFW) is a Layer 7 firewall that can inspect application data and detect malicious packets. A regular firewall filters traffic based on whether it is HTTP or FTP traffic (using port numbers), but it cannot determine whether there is malicious data inside the HTTP or FTP packet.

An application-layer NGFW can inspect the application data in the packet and determine whether there is questionable content inside. NGFWs are firewalls with the capabilities of traditional firewalls but also employ a host of added features to address threats on other OSI model layers. Some NGFW-specific features include: 

  1. Deep packet inspection (DPI) – NGFWs perform much more in-depth inspection of packets than traditional firewalls. This deep inspection can examine packet payloads and which application the packet accesses. This allows the firewall to enforce more granular filtering rules. 
  2. Application awareness – Enabling this feature makes the firewall aware of which applications are running and which ports those applications use. This can protect against certain types of malware that aim to terminate a running process and then take over its port. 
  3. Identity awareness – Lets a firewall enforce rules based on identity, such as which computer is being used, which user is logged in, etc. 
  4. Sandboxing – Firewalls can isolate pieces of code associated with incoming packets and execute them in a “sandbox” environment to ensure they are not behaving maliciously. The results of this sandbox test can then be used as criteria when deciding whether or not to let the packets enter the network.

Web Application Firewalls (WAF)

While traditional firewalls help protect private networks from malicious web applications, WAFs help protect web applications from malicious users. A WAF helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It protects web applications from attacks like cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection.

Intrusion Prevention System 

An intrusion prevention system (IPS) is a security device that monitors activity, logs any suspicious activity, and then takes corrective action. For example, if someone is doing a port scan on the network, the IPS would discover this suspicious activity, log the action, and then disconnect the system performing the port scan from the network.

Highlights: Network Connectivity

Network connectivity is crucial in our daily lives in today’s digital age. From smartphones to home devices, staying connected and communicating seamlessly is essential. In this blog post, we delved into the fascinating world of network connectivity, exploring its different types, the challenges it faces, and the future it holds.

Section 1: Understanding Network Connectivity

Network connectivity refers to the ability of devices to connect and communicate with each other, either locally or over long distances. It forms the backbone of modern communication systems, enabling data transfer, internet access, and various other services. To comprehend network connectivity better, it is essential to explore its different types.

Section 2: Wired Connectivity

As the name suggests, wired connectivity involves physical connections between devices using cables or wires. This traditional method provides a reliable and stable network connection. Ethernet, coaxial, and fiber optic cables are commonly used for wired connectivity. They offer high-speed data transfer and are often preferred when stability is crucial, such as in offices and data centers.

Section 3: Wireless Connectivity

Wireless connectivity has revolutionized the way we connect and communicate. It eliminates physical cables and allows devices to connect over the airwaves. Wi-Fi, Bluetooth, and cellular networks are well-known examples of wireless connectivity. They offer convenience, mobility, and flexibility, enabling us to stay connected on the go. However, wireless networks can face challenges such as signal interference and limited range.

Section 4: Challenges in Network Connectivity

While network connectivity has come a long way, it still faces particular challenges. One of the significant issues is network congestion, where increased data traffic leads to slower speeds and reduced performance. Security concerns also arise, with the need to protect data from unauthorized access and cyber threats. Additionally, the digital divide remains a challenge, with disparities in access to network connectivity across different regions and communities.

Section 5: The Future of Network Connectivity

As technology continues to evolve, so does network connectivity. The future holds exciting prospects, such as the widespread adoption of 5G networks, which promise faster speeds and lower latency. The Internet of Things (IoT) will also play a significant role, with interconnected devices transforming various industries. Moreover, satellite communication and mesh network advancements aim to bring connectivity to remote areas, bridging the digital divide.

Conclusion:

In conclusion, network connectivity is an integral part of our modern world. Whether wired or wireless, it enables us to stay connected, access information, and communicate effortlessly. While challenges persist, the future looks promising with advancements like 5G and IoT. As we embrace the ever-evolving world of network connectivity, we must strive for inclusivity, accessibility, and security to create a connected future for all.

Matt Conran: The Visual Age