Chapter 2

Models, Ports, Protocols, and Network Services

This chapter covers the following official Network+ objectives:

  • Compare and contrast the Open Systems Interconnection (OSI) model layers and encapsulation concepts.

  • Explain common ports and protocols, their application, and encrypted alternatives.

  • Explain the use and purpose of network services.

This chapter covers CompTIA Network+ objectives 1.1, 1.5, and 1.6. For more information on the official Network+ exam topics, see the “About the Network+ Exam” section in the Introduction.

One of the most important networking concepts to understand is the Open Systems Interconnection (OSI) reference model. This conceptual model, created by the International Organization for Standardization (ISO) in 1978 and revised in 1984, describes a network architecture that enables data to be passed between computer systems.

This chapter looks at the OSI and describes how it relates to real-world networking. It also examines how common network devices relate to the OSI model. Even though the OSI model is conceptual, an appreciation of its purpose and function can help you better understand how protocol suites and network architectures work in practical applications.

Note

The TCP/IP model, which performs the same functions as the OSI model, except in four layers instead of seven, is no longer a Network+ objective. Because this is the protocol suite predominantly in use today, it is still important to know it to understand the underlying principles of networking, and we refer to it where it is appropriate to do so.

The OSI Networking Model

  • Compare and contrast the Open Systems Interconnection (OSI) model layers and encapsulation concepts.

For networking, two models commonly are referenced: the OSI model and the TCP/IP model. Both offer a framework, theoretical and actual, for how networking is implemented. Objective 1.1 of the Network+ exam focuses only on the OSI model. A thorough discussion of it follows with a brief discussion of the TCP/IP model tossed in for further understanding.

The OSI Seven-Layer Model

As shown in Figure 2.1, the OSI reference model is built, bottom to top, in the following order: physical, data link, network, transport, session, presentation, and application. The physical layer is classified as Layer 1, and the top layer of the model, the application layer, is Layer 7.

ExamAlert

The OSI model can be used as a bottom-to-top troubleshooting tool. For example, troubleshooting a network interface card (NIC) or network wiring would begin at Layer 1, the physical layer, where electrical functions support physical connections. If the problem is not found there, the next step would be to run a loopback test on the NIC (moving up to Layer 2), and so on.


FIGURE 2.1 The OSI seven-layer model

ExamAlert

On the Network+ exam, you might see an OSI layer referenced either by its name, such as network layer, or by its layer number. For instance, you might find that a router is referred to as a Layer 3 device. An easy mnemonic that you can use to remember the layers from top to bottom is: All People Seem To Need Data Processing.

Each layer of the OSI model has a specific function. The following sections describe the function of each layer, starting with the physical layer and working up the model.

Physical Layer (Layer 1)

The physical layer of the OSI model identifies the network’s physical characteristics, including the following specifications:

  • Hardware: The type of media used on the network, such as type of cable, type of connector, and pinout format for cables.

  • Topology: The physical layer identifies the topology to be used in the network. Common topologies include ring, mesh, star, bus, and hybrid.

Protocols and technologies such as USB, Ethernet, DSL, ISDN, T-carrier links (T1 and T3), GSM, and SONET operate at the physical layer.

In addition to these characteristics, the physical layer defines the voltage used on a given medium and the frequency at which the signals that carry the data operate. These characteristics dictate the speed and bandwidth of a given medium, as well as the maximum distance over which a certain media type can be used.

Data Link Layer (Layer 2)

The data link layer is responsible for getting data to the physical layer so that it can transmit over the network. The data link layer is also responsible for error detection, error correction, and hardware addressing. The term frame describes the logical grouping of data at the data link layer.

The data link layer has two distinct sublayers:

  • Media Access Control (MAC) layer: The MAC address is defined at this layer. The MAC address is the physical or hardware address burned into each NIC. The MAC sublayer also controls access to network media. The MAC layer specification is included in the IEEE 802.1 standard.

  • Logical Link Control (LLC) layer: The LLC layer is responsible for the error and flow-control mechanisms of the data link layer. The LLC layer is specified in the IEEE 802.2 standard.

Protocols and technologies such as High-Level Data Link Control (HDLC), Layer 2 Tunneling Protocol (L2TP), Point-to-Point Protocol (PPP), Point-to-Point Tunneling Protocol (PPTP), Spanning Tree Protocol (STP), and virtual LANs (VLANs) operate at the data link layer.

Network Layer (Layer 3)

The primary responsibility of the network layer is routing—providing mechanisms by which data can be passed from one network system to another. The network layer does not specify how the data is passed but rather provides the mechanisms to do so. Functionality at the network layer is provided through routing protocols, which are software components.

Protocols at the network layer are also responsible for route selection, which refers to determining the best path for the data to take throughout the network. In contrast to the data link layer, which uses MAC addresses to communicate on the LAN, network layer protocols use software-configured addresses and special routing protocols to communicate on the network. The term packet describes the logical grouping of data at the network layer.

When you’re working with networks, routes can be configured in two ways: statically or dynamically. In a static routing environment, routes are manually added to the routing tables. In a dynamic routing environment, routing protocols such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) are used. These protocols communicate routing information between networked devices on the network. Other important network layer protocols include Internet Protocol (IP), Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP), Asynchronous Transfer Mode (ATM), Intermediate System-to-Intermediate System (IS-IS), IP Security (IPSec), Internet Control Message Protocol (ICMP), and Multiprotocol Label Switching (MPLS).

Transport Layer (Layer 4)

The basic function of the transport layer is to provide mechanisms to transport data between network devices. Primarily, it does this in three ways:

  • Error checking: Protocols at the transport layer ensure that data is correctly sent or received.

  • Service addressing: A number of protocols support many network services. The transport layer ensures that data is passed to the right service at the upper layers of the OSI model.

  • Segmentation: To traverse the network, blocks of data need to be broken into packets of a manageable size for the lower layers to handle. This process, called segmentation, is the responsibility of the transport layer.

Protocols that operate at the transport layer can either be connectionless, such as User Datagram Protocol (UDP), or connection oriented, such as Transmission Control Protocol (TCP).

The transport layer is also responsible for data flow control, which refers to how the receiving device can accept data transmissions. Two common methods of flow control are used:

  • Buffering: When buffering flow control is used, data is temporarily stored and waits for the destination device to become available. Buffering can cause a problem if the sending device transmits data much faster than the receiving device can manage.

  • Windowing: In a windowing environment, data is sent in groups of segments that require only one acknowledgment. The size of the window (that is, how many segments fit into one acknowledgment) is defined when the session between the two devices is established. As you can imagine, the need to have only one acknowledgment for every five segments, for instance, can greatly reduce overhead.

Session Layer (Layer 5)

The session layer is responsible for managing and controlling the synchronization of data between applications on two devices. It does this by establishing, maintaining, and breaking sessions. Whereas the transport layer is responsible for setting up and maintaining the connection between the two nodes, the session layer performs the same function on behalf of the application. Protocols that operate at the session layer include NetBIOS, Network File System (NFS), and Server Message Block (SMB).

Presentation Layer (Layer 6)

The presentation layer’s basic function is to convert the data intended for or received from the application layer into another format. Such conversion is necessary because data must be formatted in a particular way to be transported across the network, and applications cannot necessarily read data in that form. Some common data formats handled by the presentation layer include the following:

  • Graphics files: JPEG, TIFF, GIF, and so on are graphics file formats that require the data to be formatted in a certain way.

  • Text and data: The presentation layer can translate data into different formats, such as American Standard Code for Information Interchange (ASCII) and Extended Binary Coded Decimal Interchange Code (EBCDIC).

  • Sound/video: MPEG, MP3, and MIDI files all have their own data formats to and from which data must be converted.

Another important function of the presentation layer is encryption, which is the scrambling of data so that it can’t be read by anyone other than the intended recipient. Given the basic role of the presentation layer—that of data-format translator—it is the obvious place for encryption and decryption to take place. For example, the cryptographic protocol Transport Layer Security (TLS) operates at the presentation layer.

Application Layer (Layer 7)

In simple terms, the function of the application layer is to take requests and data from the users and pass them to the lower layers of the OSI model. Incoming information is passed to the application layer, which then displays the information to the users. Some of the most basic application layer services include file and print capabilities.

The most common misconception about the application layer is that it represents applications used on a system, such as a web browser, word processor, or spreadsheet. Instead, the application layer defines the processes that enable applications to use network services. For example, if an application needs to open a file from a network drive, the functionality is provided by components that reside at the application layer. Protocols defined at the application layer include Secure Shell (SSH), Border Gateway Protocol (BGP), Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Network Time Protocol (NTP), Real-time Transport Protocol (RTP), Session Initiation Protocol (SIP), Simple Mail Transfer Protocol (SMTP), Server Message Block (SMB), File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), Internet Message Access Protocol (IMAP), and Post Office Protocol version 3 (POP3).

ExamAlert

Be sure you understand the OSI model and its purpose. You will almost certainly be asked questions on it during the exam.

OSI Model Summary

Table 2.1 summarizes the seven layers of the OSI model and describes some of the most significant points of each layer.

TABLE 2.1 OSI Model Summary

| OSI Layer | Major Function |
| --- | --- |
| Physical (Layer 1) | Defines the physical structure of the network and the topology. |
| Data link (Layer 2) | Provides error detection and correction. Uses two distinct sublayers: the Media Access Control (MAC) and Logical Link Control (LLC) layers. Identifies the method by which media are accessed. Defines hardware addressing through the MAC sublayer. |
| Network (Layer 3) | Handles the discovery of destination systems and addressing. Provides the mechanism by which data can be passed and routed from one network system to another. |
| Transport (Layer 4) | Provides connection services between the sending and receiving devices and ensures reliable data delivery. Manages flow control through buffering or windowing. Provides segmentation, error checking, and service identification. |
| Session (Layer 5) | Synchronizes the data exchange between applications on separate devices. |
| Presentation (Layer 6) | Translates data from the format used by applications into one that can be transmitted across the network. Handles encryption and decryption of data. Provides compression and decompression functionality. Formats data from the application layer into a format that can be sent over the network. |
| Application (Layer 7) | Provides access to the network for applications. |

Comparing OSI to the Four-Layer TCP/IP Model

The OSI model does a fantastic job outlining how networking should occur and the responsibility of each layer. However, TCP/IP also has a reference model and has to perform the same functionality with only four layers. Figure 2.2 shows how these four layers line up with the seven layers of the OSI model.


FIGURE 2.2 The TCP/IP model compared to the OSI model

The network interface layer in the TCP/IP model is sometimes referred to as the network access or link layer, and this is where Ethernet, FDDI, or any other physical technology can run. The Internet layer is where IP runs (along with ICMP and others). The transport layer is where TCP and its counterpart UDP operate. The application layer enables any number of protocols to be plugged in, such as HTTP, SMTP, Simple Network Management Protocol (SNMP), DNS, and many others.

Identifying the OSI Layers at Which Various Network Components Operate

When you understand the OSI model, you can relate network connectivity devices to the appropriate layer of the OSI model. Knowing at which OSI layer a device operates enables you to better understand how it functions on the network. Table 2.2 identifies various network devices and maps them to the OSI model.

ExamAlert

For the Network+ exam, you are expected to identify at which layer of the OSI model certain network devices operate.

TABLE 2.2 Mapping Network Devices to the OSI Model

| Device | OSI Layer |
| --- | --- |
| Hub | Physical (Layer 1) |
| Wireless bridge | Data link (Layer 2) |
| Switch | Data link (Layer 2) or network (Layer 3) |
| Router | Network (Layer 3) |
| NIC | Data link (Layer 2) |
| Access point (AP) | Data link (Layer 2) |

Data Encapsulation/Decapsulation and OSI

As data moves down the model (and through the devices on that host), it is encapsulated with a header added to the beginning and a trailer to the end. Once the data arrives at the receiving host, it moves up the model (and through the devices) and is decapsulated in that the header and trailer are stripped off as it moves up.

Note

There are a great many topics beneath exam objective 1.1. In the interest of our discussion building in a logical way, the focus here is still on the networking model in order to complete the discussion of it. Later in this chapter, we visit headers again and some of the other topics the objectives include but that do not fit well with the dialogue yet.

ExamAlert

Adding protocol information to data as it passes through layers is known as encapsulation. Removing protocol information from data as it passes through layers is known as decapsulation.

In the encapsulation/decapsulation process, each layer on the receiving host does the opposite of what was done at that layer on the sending host: the receiving host’s network layer, for example, strips off what was added by the network layer on the sending host. Table 2.3 shows what encapsulation/decapsulation occurs at each of the layers of the OSI model.

TABLE 2.3 OSI Model Encapsulation/Decapsulation

Application (Layer 7), Presentation (Layer 6), Session (Layer 5)
  Encapsulation/Decapsulation Function: The data is created in the application(s) and passed to/from the Transport layer.
  Representation: DATA

Transport (Layer 4)
  Encapsulation/Decapsulation Function: A segment header is added to, or removed from, the data.
  Representation: SEGMENT HEADER | DATA

Network (Layer 3)
  Encapsulation/Decapsulation Function: A packet header is added to, or removed from, the data.
  Representation: PACKET HEADER | SEGMENT HEADER | DATA

Data link (Layer 2)
  Encapsulation/Decapsulation Function: A frame header is added to, or removed from, the data. A frame trailer is added to, or removed from, the data.
  Representation: FRAME HEADER | PACKET HEADER | SEGMENT HEADER | DATA | FRAME TRAILER

It should be noted that the Physical layer (Layer 1) does not appear in Table 2.3 because it does not add or remove anything, but sends what it has (on the sending host) and receives what comes to it (on the receiving host).

It should also be noted that the unit of data worked with at each layer of the model (such as a frame at layer 2 or a packet at layer 3) is called a protocol data unit (PDU).
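The headers and trailer of Table 2.3 can be made concrete with one real stack: a UDP segment header at Layer 4, an IPv4 packet header at Layer 3, and an Ethernet II frame header plus CRC-32 trailer at Layer 2. The following is an added example written for this chapter, not code from the book. The sending side adds one header per layer (and the trailer at Layer 2); the receiving side checks and strips them in reverse order, which is also where corruption in transit is detected. The MAC and IP addresses, ports, payloads and the fixed IPv4 identification value are constructed sample values, the UDP checksum is left at zero (which RFC 768 allows over IPv4), and all function names are this example's own.

```python
"""Encapsulation and decapsulation of application data through the UDP, IPv4
and Ethernet II layers (added example; not code from the book). The MAC and IP
addresses, ports and payloads are constructed sample values."""
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


# ---- sending host: data moves down the layers and gains a header at each ----

def add_segment_header(data: bytes, src_port: int, dst_port: int) -> bytes:
    """Layer 4: 8-byte UDP header (checksum left at 0, which RFC 768 permits on IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def add_packet_header(segment: bytes, src_ip: str, dst_ip: str, ttl: int = 64) -> bytes:
    """Layer 3: 20-byte IPv4 header; the checksum covers the header only."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0,
                         ttl, IPPROTO_UDP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    checksum = internet_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + segment


def add_frame(packet: bytes, src_mac: str, dst_mac: str) -> bytes:
    """Layer 2: Ethernet II header in front, CRC-32 frame check sequence as trailer."""
    body = (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
            + struct.pack("!H", ETHERTYPE_IPV4) + packet)
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


# ---- receiving host: each layer verifies and strips what its peer added ----

def strip_frame(frame: bytes):
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body) & 0xFFFFFFFF:
        raise ValueError("frame check sequence mismatch: frame corrupted in transit")
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unexpected EtherType 0x%04x" % ethertype)
    info = {"dst_mac": body[:6].hex(":"), "src_mac": body[6:12].hex(":")}
    return info, body[14:]


def strip_packet(packet: bytes):
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    if internet_checksum(header) != 0:        # a correct header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", header[2:4])[0]
    info = {"src_ip": ".".join(map(str, header[12:16])),
            "dst_ip": ".".join(map(str, header[16:20])),
            "ttl": header[8], "protocol": header[9]}
    return info, packet[ihl:total_len]        # drops any frame padding after the datagram


def strip_segment(segment: bytes):
    src_port, dst_port, length, _ = struct.unpack("!HHHH", segment[:8])
    return {"src_port": src_port, "dst_port": dst_port}, segment[8:length]


def round_trip(data: bytes) -> dict:
    """Walk the data down the sender's stack and back up the receiver's."""
    segment = add_segment_header(data, 40000, 53)
    packet = add_packet_header(segment, "192.0.2.10", "192.0.2.1")
    frame = add_frame(packet, "02:00:00:00:00:0a", "02:00:00:00:00:01")
    l2, packet_rx = strip_frame(frame)
    l3, segment_rx = strip_packet(packet_rx)
    l4, data_rx = strip_segment(segment_rx)
    return {"frame_len": len(frame), "l2": l2, "l3": l3, "l4": l4, "data": data_rx}


if __name__ == "__main__":
    print(round_trip(b"constructed sample payload"))
```

Each receive-side function refuses to hand data up when its own layer's check fails, which is the practical consequence of decapsulation: a flipped bit in the IPv4 header is caught by the Layer 3 checksum, a damaged frame by the Layer 2 trailer, and the upper layers never see the bad data.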

Cram Quiz

1. At which OSI layer does an AP operate?

A. Network

B. Physical

C. Data link

D. Session

2. Which of the following are sublayers of the data link layer? (Choose two.)

A. MAC

B. LCL

C. Session

D. LLC

3. At which OSI layers can a switch operate? (Choose two.)

A. Layer 1

B. Layer 2

C. Layer 3

D. Layer 4

4. Which of the following OSI layers is responsible for establishing connections between two devices?

A. Network

B. Transport

C. Session

D. Data link

5. What happens to data as it moves from the upper to the lower layers of the OSI model on a host system?

A. The header and trailer are stripped off through decapsulation.

B. The data is sent in groups of segments that require two acknowledgments.

C. The data moves from the physical layer to application layer.

D. It is encapsulated with a header at the beginning and a trailer at the end.

Cram Quiz Answers

1. C. A wireless access point (AP) operates at the data link layer of the OSI model. An example of a network layer device is a router. An example of a physical layer device is a hub. Session layer components normally are software, not hardware.

2. A and D. The data link layer is broken into two distinct sublayers: Media Access Control (MAC) and Logical Link Control (LLC). LCL is not a valid term. Session is another of the OSI model layers.

3. B and C. A switch uses the MAC addresses of connected devices to make its forwarding decisions. Therefore, it is called a data link, or Layer 2, network device. It can also operate at Layer 3 or be a multilayer switch. Devices or components that operate at Layer 1 typically are media based, such as cables or connectors. Layer 4 components typically are software based, not hardware based.

4. B. The transport layer is responsible for establishing a connection between networked devices. The network layer is most commonly associated with route discovery and datagram delivery. Protocols at the session layer synchronize the data exchange between applications on separate devices. Protocols at the data link layer perform error detection and handling for the transmitted signals and define the method by which the medium is accessed.

5. D. As data moves down the model (and through the devices on that host), it is encapsulated with a header added to the beginning and a trailer to the end. Once the data arrives at the receiving host, it moves up the model (and through the devices) and is decapsulated in that the header and trailer are stripped off as it moves up. In a windowing environment, data is sent in groups of segments that require only one acknowledgment. On the sending host system, data moves from the application layer down to the physical layer. On the receiving system, data moves from the physical layer upwards to the application layer.

Ports and Protocols

  • Explain common ports and protocols, their application, and encrypted alternatives.

When computers were restricted to standalone systems, there was little need for mechanisms to communicate between them. However, it wasn’t long before the need to connect computers for the purpose of sharing files and printers became a necessity. Establishing communication between network devices required more than a length of cabling; a method or a set of rules was needed to establish how systems would communicate. Protocols provide that method.

It would be nice if a single protocol facilitated communication between all devices, but this is not the case. You can use a number of protocols on a network, each of which has its own features, advantages, and disadvantages. What protocol you choose can have a significant impact on the network’s functioning and performance. This section explores some of the more common protocols you can expect to work with as a network administrator.

Connection-Oriented Protocols Versus Connectionless Protocols

Before getting into the characteristics of the various network protocols and protocol suites, you must first identify the difference between connection-oriented and connectionless protocols.

In a connection-oriented communication, data delivery is guaranteed. The sending device resends any packet that the destination system does not receive. Communication between the sending and receiving devices continues until the transmission has been verified. Because of this, connection-oriented protocols have a higher overhead and place greater demands on bandwidth.

ExamAlert

Connection-oriented protocols such as TCP can accommodate lost or dropped packets by asking the sending device to retransmit them. They can do this because they wait for all the packets in a message to be received before considering the transmission complete. On the sending end, connection-oriented protocols also assume that a lack of acknowledgment is sufficient reason to retransmit.

In contrast to connection-oriented communication, connectionless protocols such as User Datagram Protocol (UDP) offer only a best-effort delivery mechanism. Basically, the information is just sent; there is no confirmation that the data has been received. If an error occurs in the transmission, there is no mechanism to resend the data, so transmissions made with connectionless protocols are not guaranteed. Connectionless communication requires far less overhead than connection-oriented communication, so it is popular in applications such as streaming audio and video, where a small number of dropped packets might not represent a significant problem.

ExamAlert

As you work through the various protocols, keep an eye out for those that are connectionless and those that are connection oriented. Also, look for protocols such as TCP that guarantee delivery of data and those such as UDP that are a fire-and-forget or best-delivery method.

Internet Protocol

Internet Protocol (IP), which is defined in RFC 791, is the protocol used to transport data from one node on a network to another. IP is connectionless, which means that it doesn’t guarantee the delivery of data; it simply makes its best effort to do so. To ensure that transmissions sent via IP are completed, a higher-level protocol such as TCP is required.

Note

In this chapter and throughout the book, the term Request For Comments (RFC) is used. RFCs are standards published by the Internet Engineering Task Force (IETF) and describe methods, behaviors, research, or innovations applicable to the operation of the Internet and Internet-connected systems. Each new RFC has an associated reference number. Looking up this number gives you information on the specific technology. For more information on RFCs, look for the Internet Engineering Task Force online.

ExamAlert

IP operates at the network layer of the OSI model.

In addition to providing best-effort delivery, IP also performs fragmentation and reassembly tasks for network transmissions. Fragmentation is necessary because the maximum transmission unit (MTU) size is limited in IP. In other words, network transmissions that are too big to traverse the network in a single packet must be broken into smaller chunks and reassembled at the other end. Another function of IP is addressing. IP addressing is a complex subject. Refer to Chapter 3, “Addressing, Routing, and Switching,” for a complete discussion of IP addressing.

Transmission Control Protocol

Transmission Control Protocol (TCP), which is defined in RFC 793, is a connection-oriented transport layer protocol. Being connection-oriented means that TCP establishes a mutually acknowledged session between two hosts before communication takes place. TCP provides reliability to IP communications. Specifically, TCP adds features such as flow control, sequencing, and error detection and correction. For this reason, higher-level applications that need guaranteed delivery use TCP rather than its lightweight and connectionless brother, UDP.

How TCP Works

When TCP wants to open a connection with another host, it follows this procedure:

  1. It sends a message called a SYN to the target host.

  2. The target host opens a connection for the request and sends back an acknowledgment message called an ACK (or SYN ACK).

  3. The host that originated the request sends back another acknowledgment, saying that it has received the ACK message and that the session is ready to be used to transfer data.

When the data session is completed, a similar process is used to close the session. This three-step session establishment and acknowledgment process is called the TCP three-way handshake.

ExamAlert

TCP operates at the transport layer of the OSI model.

TCP is a reliable protocol because it has mechanisms that can accommodate and handle errors. These mechanisms include timeouts, which cause the sending host to automatically retransmit data if its receipt is not acknowledged within a given time period.
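The three handshake steps and the timeout behaviour described above can be modelled as a small state machine, which is what the following added example does (it is not code from the book). Each endpoint tracks the next sequence number it will send and the next one it expects, a SYN consumes one sequence number, and the initiator discards a SYN-ACK whose acknowledgment number does not match what it sent. A lost SYN stands in for a timeout: with no acknowledgment, the client resends the identical SYN until it gives up. The ports, the initial sequence numbers (a real stack randomises them) and the loss pattern are constructed, and the class and function names are this example's own.

```python
"""A minimal model of the TCP three-way handshake and of retransmission when
no acknowledgment arrives (added example; not the book's code). Initial
sequence numbers, ports and the loss pattern are constructed; a real stack
picks randomised initial sequence numbers and uses a real timer."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    seq: int            # sequence number of this segment
    ack: int            # next sequence number the sender expects from its peer
    flags: frozenset    # subset of {"SYN", "ACK"}


class TcpEndpoint:
    def __init__(self, port: int, isn: int):
        self.port = port
        self.state = "CLOSED"
        self.snd_nxt = isn      # next sequence number this side will send
        self.rcv_nxt = None     # next sequence number expected from the peer

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer_port: int) -> Segment:
        """Step 1: the initiator sends a SYN carrying its initial sequence number."""
        syn = Segment(self.port, peer_port, self.snd_nxt, 0, frozenset({"SYN"}))
        self.snd_nxt += 1       # a SYN occupies one sequence number
        self.state = "SYN-SENT"
        return syn

    def receive(self, seg: Segment):
        """Process one segment and return the reply to send, or None."""
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Step 2: answer with SYN-ACK, acknowledging the peer's SYN
            self.rcv_nxt = seg.seq + 1
            reply = Segment(self.port, seg.src_port, self.snd_nxt, self.rcv_nxt,
                            frozenset({"SYN", "ACK"}))
            self.snd_nxt += 1
            self.state = "SYN-RECEIVED"
            return reply
        if self.state == "SYN-SENT" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != self.snd_nxt:
                return None     # acknowledges a number we never sent: ignore it
            # Step 3: acknowledge the peer's SYN; the session is ready for data
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            return Segment(self.port, seg.src_port, self.snd_nxt, self.rcv_nxt,
                           frozenset({"ACK"}))
        if (self.state == "SYN-RECEIVED" and seg.flags == {"ACK"}
                and seg.ack == self.snd_nxt):
            self.state = "ESTABLISHED"
        return None


def handshake(client, server, syns_lost: int = 0, max_retries: int = 3) -> list:
    """Run the exchange over a channel that drops the first `syns_lost` SYNs.
    A missing SYN-ACK stands in for the timeout: the client resends the same SYN."""
    transcript = []
    syn = client.connect(server.port)
    for attempt in range(max_retries + 1):
        if attempt < syns_lost:
            transcript.append(("SYN lost, no ACK before timeout", syn))
            continue                          # retransmit the identical SYN
        transcript.append(("SYN", syn))
        synack = server.receive(syn)
        transcript.append(("SYN-ACK", synack))
        ack = client.receive(synack)
        transcript.append(("ACK", ack))
        server.receive(ack)
        return transcript
    transcript.append(("gave up after %d retransmissions" % max_retries, None))
    return transcript


def handshake_outcome(syns_lost: int) -> tuple:
    """Convenience wrapper: returns (client state, server state, transcript)."""
    client, server = TcpEndpoint(40000, 1000), TcpEndpoint(80, 5000)
    server.listen()
    transcript = handshake(client, server, syns_lost=syns_lost)
    return client.state, server.state, transcript


if __name__ == "__main__":
    for label, seg in handshake_outcome(syns_lost=1)[2]:
        print(label, seg)
```

Running `handshake_outcome(1)` shows one lost SYN followed by the same SYN again, the SYN-ACK acknowledging 1001, and the final ACK acknowledging 5001, after which both sides report ESTABLISHED; exceeding the retry budget leaves the client in SYN-SENT and the server still listening.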

User Datagram Protocol

User Datagram Protocol (UDP), which is defined in RFC 768, is the brother of TCP. Like TCP, UDP is a transport protocol, but the big difference is that UDP does not guarantee delivery like TCP does. In a sense, UDP is a “fire-and-forget” protocol; it assumes that the data sent will reach its destination intact. The checking of whether data is delivered is left to upper-layer protocols. UDP operates at the transport layer of the OSI model.

Unlike TCP, with UDP no session is established between the sending and receiving hosts, which is why UDP is called a connectionless protocol. The upshot of this is that UDP has much lower overhead than TCP. A TCP packet header has 14 fields, whereas a UDP packet header has only 4 fields. Therefore, UDP is much more efficient than TCP. In applications that don’t need the added features of TCP, UDP is much more economical in terms of bandwidth and processing effort.

ExamAlert

Remember that TCP is a connection-oriented protocol and UDP is a connectionless protocol.

Internet Control Message Protocol

Internet Control Message Protocol (ICMP), which is defined in RFC 792, is a protocol that works with the IP layer to provide error checking and reporting functionality. In effect, ICMP is a tool that IP uses in its quest to provide best-effort delivery.

ICMP can be used for a number of functions. Its most common function is probably the widely used and incredibly useful ping utility, which can send a stream of ICMP echo requests to a remote host. If the host can respond, it does so by sending echo reply messages back to the sending host. In that one simple process, ICMP enables the verification of the protocol suite configuration of both the sending and receiving nodes and any intermediate networking devices.

However, ICMP’s functionality is not limited to the use of the ping utility. ICMP also can return error messages such as “Destination unreachable” and “Time exceeded.” (The former message is reported when a destination cannot be contacted and the latter when the time to live [TTL] of a datagram has been exceeded.)

In addition to these and other functions, ICMP performs source quench. In a source quench scenario, the receiving host cannot handle the influx of data at the same rate as the data is sent. To slow down the sending host, the receiving host sends ICMP source quench messages, telling the sender to slow down. This action prevents packets from dropping and having to be re-sent.

ICMP is a useful protocol. Although ICMP operates largely in the background, the ping utility makes it one of the most valuable of the protocols discussed in this chapter.
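What ping actually sends and receives, and what the error messages mentioned above look like on the wire, is shown in the following added example (not the book's code). It builds an echo request, pairs an echo reply with it by identifier and sequence number while confirming the payload came back unchanged, and decodes the "Destination unreachable", "Time exceeded" and source quench messages a host may receive instead. The message types and codes are the RFC 792 values (source quench, type 4, was later deprecated by RFC 6633 and is ignored by current hosts); the identifiers, payloads and the embedded datagram fragment are constructed, and the function names are this example's own.

```python
"""Building an ICMP echo request, checking a reply against it, and decoding the
error messages a ping utility may receive instead (added example; not the
book's code). Identifiers, payloads and the embedded datagram are constructed
sample values; the types and codes are the RFC 792 values."""
import struct

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              8: "echo request", 11: "time exceeded"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable"}
TIME_EXCEEDED_CODES = {0: "time to live exceeded in transit",
                       1: "fragment reassembly time exceeded"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; ICMP checksums the whole message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(identifier: int, sequence: int, payload: bytes, reply: bool = False) -> bytes:
    """Type 8 (request) or 0 (reply); identifier and sequence let replies be paired."""
    msg_type = 0 if reply else 8
    body = struct.pack("!BBHHH", msg_type, 0, 0, identifier, sequence) + payload
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def build_error(msg_type: int, code: int, original_datagram: bytes) -> bytes:
    """Types 3, 4 and 11: 4 unused bytes, then the offending IP header + 8 data bytes."""
    body = struct.pack("!BBHI", msg_type, code, 0, 0) + original_datagram[:28]
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def parse_icmp(raw: bytes) -> dict:
    """Validate the checksum and decode the fields a receiver acts on."""
    if len(raw) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    if internet_checksum(raw) != 0:          # a valid message sums to zero
        raise ValueError("ICMP checksum mismatch")
    msg_type, code = raw[0], raw[1]
    info = {"type": msg_type, "code": code, "name": ICMP_TYPES.get(msg_type, "other")}
    if msg_type in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", raw[4:8])
        info["payload"] = raw[8:]
    else:
        detail = {3: UNREACHABLE_CODES, 11: TIME_EXCEEDED_CODES}.get(msg_type, {})
        info["detail"] = detail.get(code, "code %d" % code)
        info["original"] = raw[8:]           # IP header + first 8 bytes of the datagram
    return info


def reply_matches(request: bytes, reply: bytes) -> bool:
    """What ping does on receipt: pair by id and sequence, confirm the payload is intact."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (req["type"] == 8 and rep["type"] == 0
            and (req["id"], req["seq"], req["payload"])
            == (rep["id"], rep["seq"], rep["payload"]))


if __name__ == "__main__":
    req = build_echo(0x4242, 1, b"constructed ping payload")
    rep = build_echo(0x4242, 1, b"constructed ping payload", reply=True)
    print("reply matches request:", reply_matches(req, rep))
    print(parse_icmp(build_error(11, 0, b"\x45" + bytes(27))))
```

The "original" field of an error message is what lets a host tie a "Time exceeded" or "Destination unreachable" back to the datagram that caused it: it carries the original IP header and the first 8 bytes of its payload, which for TCP or UDP is enough to recover the source and destination ports.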

IPSec

The IP Security (IPSec) protocol is designed to provide secure communications between systems. This includes system-to-system communication in the same network, as well as communication to systems on external networks. IPSec is an IP layer security protocol that can both encrypt and authenticate network transmissions. In a nutshell, IPSec is composed of two separate protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides the authentication and integrity checking for data packets, and ESP provides encryption services.

ExamAlert

IPSec relies on two underlying protocols: AH and ESP. AH provides authentication services, and ESP provides encryption services.

Using both AH and ESP, data traveling between systems can be secured, ensuring that transmissions cannot be viewed, accessed, or modified by those who should not have access to them. It might seem that protection on an internal network is less necessary than on an external network; however, much of the data you send across networks has little or no protection, allowing unwanted eyes to see it.

Note

The Internet Engineering Task Force (IETF) created IPSec, which you can use on both IPv4 and IPv6 networks.

IPSec provides three key security services:

  • Data verification: Verifies that the data received is from the intended source

  • Protection from data tampering: Ensures that the data has not been tampered with or changed between the sending and receiving devices

  • Private transactions: Ensures that the data sent between the sending and receiving devices is unreadable by any other devices

IPSec operates at the network layer of the Open Systems Interconnection (OSI) reference model and provides security for protocols that operate at the higher layers. Thus, by using IPSec, you can secure practically all TCP/IP-related communications.

Generic Routing Encapsulation

Generic Routing Encapsulation (GRE) is a Cisco-created tunneling protocol. It is an encapsulating protocol used to wrap data and securely send it across VPNs and Point-to-Point (or point-to-multipoint) links.

File Transfer Protocol

As its name suggests, File Transfer Protocol (FTP) provides for the uploading and downloading of files from a remote host running FTP server software. As well as uploading and downloading files, FTP enables you to view the contents of folders on an FTP server and rename and delete files and directories if you have the necessary permissions. FTP, which is defined in RFC 959, uses TCP as a transport protocol to guarantee delivery of packets.

FTP has weak security mechanisms used to authenticate users. However, rather than create a user account for every user, you can configure FTP server software to accept anonymous logons. When you do this, the username is anonymous, and the password normally is the user’s email address. Most FTP servers that offer files to the general public operate in this way. Even when logins are used, FTP is still considered insecure in today’s environment. SFTP/SSH should be used in its place in almost every scenario.

In addition to being popular as a mechanism for distributing files to the general public over networks such as the Internet, FTP can also be used by organizations that need to frequently exchange large files with other people or organizations. Such a system can be used when the files being exchanged are larger than can be easily accommodated using email. A number of apps/programs are available that simplify the process. For example, FileZilla is a cross-platform graphical FTP, SFTP, and FTPS file management tool for Windows, Linux, macOS, and more (more information on FileZilla can be found at https://sourceforge.net/projects/filezilla/).

ExamAlert

Remember that FTP is an application layer protocol. FTP uses ports 20 and 21 and sends information unencrypted, making it unsecure.

All the common network operating systems offer FTP server capabilities; however, whether you use them depends on whether you need FTP services. All popular workstation operating systems offer FTP client functionality, although it is common to use third-party utilities such as FileZilla (mentioned earlier), CuteFTP, or SmartFTP instead. By default, FTP operates on ports 20 and 21.

FTP assumes that files uploaded or downloaded are straight text (that is, ASCII) files. If the files are not text, which is likely, the transfer mode must be changed to binary. With sophisticated FTP clients, such as CuteFTP, the transition between transfer modes is automatic. With more basic utilities, you must manually perform the mode switch.

Unlike some of the other protocols discussed in this chapter that perform tasks transparent to the user, FTP is an application layer service frequently called upon. Therefore, it can be useful to know some of the commands supported by FTP. If you use a client such as CuteFTP, you might never need to use these commands, but they are useful to know in case you use a command-line FTP client. Table 2.4 lists some of the most commonly used FTP commands.

ExamAlert

You might be asked to identify the appropriate FTP command to use in a given situation.

TABLE 2.4 Commonly Used FTP Commands

Command   Description
ls        Lists the files in the current directory on the remote system
cd        Changes the working directory on the remote host
lcd       Changes the working directory on the local host
put       Uploads a single file to the remote host
get       Downloads a single file from the remote host
mput      Uploads multiple files to the remote host
mget      Downloads multiple files from the remote host
binary    Switches transfers into binary mode
ascii     Switches transfers into ASCII mode (the default)

Secure Shell

Created by students at the Helsinki University of Technology, Secure Shell (SSH) is a secure alternative to Telnet. SSH provides security by encrypting data as it travels between systems. This makes it difficult for hackers using packet sniffers and other traffic-detection systems. It also provides more robust authentication systems than Telnet.

Two versions of SSH are available: SSH1 and SSH2. Of the two, SSH2 is considered more secure. The two versions are incompatible. If you use an SSH client program, the server implementation of SSH that you connect to must be the same version. By default, SSH operates on port 22.

Although SSH, like Telnet, is associated primarily with UNIX and Linux systems, implementations of SSH are available for all commonly used computing platforms, including Windows and macOS.

ExamAlert

Remember that SSH uses port 22 and is a more secure alternative to Telnet.

Secure File Transfer Protocol

One of the big problems associated with FTP is that it is considered unsecure. Even though simple authentication methods are associated with FTP, it is still susceptible to relatively simple hacking approaches. In addition, FTP transmits data between sender and receiver in an unencrypted format. By using a packet sniffer, a hacker could easily copy packets from the network and read the contents. In today’s high-security computing environments, you need a more robust solution.

That solution is the Secure File Transfer Protocol (SFTP), which, based on Secure Shell (SSH) technology, provides robust authentication between sender and receiver. It also provides encryption capabilities, which means that even if packets are copied from the network, their contents remain hidden from prying eyes.

SFTP is implemented through client and server software available for all commonly used computing platforms. SFTP uses port 22 (the same port SSH uses) for secure file transfers.

Telnet

Telnet, which is defined in RFC 854, is a virtual terminal protocol. It enables sessions to be opened on a remote host, and then commands can be executed on that remote host. For many years, Telnet was the method by which clients accessed multiuser systems such as mainframes and minicomputers. It also was the connection method of choice for UNIX systems. Today, Telnet is still used to access routers and other managed network devices. By default, Telnet operates on port 23.

One of the problems with Telnet is that it is not secure. As a result, remote session functionality is now almost always achieved by using alternatives such as SSH.

ExamAlert

Telnet is used to access UNIX and Linux systems. Telnet uses port 23 and is insecure. SSH is considered the secure replacement for Telnet.

Simple Mail Transfer Protocol

Simple Mail Transfer Protocol (SMTP), which is defined in RFC 821, is a protocol that defines how mail messages are sent between hosts. SMTP uses TCP connections to guarantee error-free delivery of messages. SMTP is not overly sophisticated and requires that the destination host always be available. For this reason, mail systems spool incoming mail so that users can read it later. How the user then reads the mail depends on how the client accesses the SMTP server. The default port used by SMTP is 25.

Note

SMTP can be used to both send and receive mail. Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4 (IMAP4) can be used only to receive mail.

Domain Name System (DNS)

Domain Name System (DNS)—also known as Domain Name Service—resolves hostnames, such as www.pearsonitcertification.com, to IP addresses, such as 168.146.67.180. By default, DNS operates on port 53, and it is one of the few network services that CompTIA expects you to know quite a bit about. As such, it is discussed in more detail in the third section of this chapter.

Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol (DHCP) is defined in RFC 2131. It enables ranges of IP addresses, known as scopes, or predefined groups of addresses within address pools to be defined on a system running a DHCP server application. When another system configured as a DHCP client is initialized, it asks the server for an address and is leased one. By default, DHCP uses ports 67 and 68. Figure 2.3 shows an example of a configuration interface for DHCP on a SOHO router.

FIGURE 2.3 Configuring DHCP on a SOHO router

Note

DNS, DHCP, and NTP appear in the exam objectives for this section, but also appear in much more depth in the next set of objectives. To avoid overlap with the discussion of the objectives, all three are discussed in more depth later in this chapter.

Trivial File Transfer Protocol

A variation on FTP is Trivial File Transfer Protocol (TFTP), which is also a file transfer mechanism. However, TFTP does not have the security capability or the level of functionality that FTP has. TFTP, which is defined in RFC 1350, is most often associated with simple downloads, such as those associated with transferring firmware to a device such as a router and booting diskless workstations.

Another feature that TFTP does not offer is directory navigation. Whereas in FTP, commands can be executed to navigate and manage the file system, TFTP offers no such capability. TFTP requires that you request not only exactly what you want but also the particular location. Unlike FTP, which uses TCP as its transport protocol to guarantee delivery, TFTP uses UDP. By default, TFTP operates on port 69.

ExamAlert

TFTP is an application layer protocol that uses UDP, which is a connectionless transport layer protocol. For this reason, TFTP is called a connectionless file transfer method.

Hypertext Transfer Protocol

Hypertext Transfer Protocol (HTTP), which is defined in RFC 2068, is the protocol that enables text, graphics, multimedia, and other material to be downloaded from an HTTP server. HTTP defines what actions can be requested by clients and how servers should answer those requests.

In a practical implementation, HTTP clients (that is, web browsers) make requests on port 80 in an HTTP format to servers running HTTP server applications (that is, web servers). Files created in a special language such as Hypertext Markup Language (HTML) are returned to the client, and the connection is closed.

ExamAlert

Make sure that you understand that HTTP is a connection-oriented protocol that uses TCP as a transport protocol. By default, it operates at port 80.

Today, HTTP over port 80 is considered insecure and often replaced by HTTPS (over port 443). Both HTTP and HTTPS use a uniform resource locator (URL) to determine what page should be downloaded from the remote server. The URL contains the type of request (for example, http:// or https://), the name of the server contacted (for example, www.microsoft.com or just microsoft.com since the web portion is the default), and optionally the page requested (for example, /support). The result is the syntax that Internet-savvy people are familiar with: https://support.microsoft.com/.

Network Time Protocol (NTP)

Network Time Protocol (NTP), which is defined in RFC 958, is the part of the TCP/IP protocol suite that facilitates the communication of time between systems. NTP operates over UDP port 123.

Post Office Protocol Version 3/Internet Message Access Protocol Version 4

Both Post Office Protocol Version 3 (POP3), which is defined in RFC 1939, and Internet Message Access Protocol Version 4 (IMAP4), the latest version of which is defined in RFC 1731, are mechanisms for downloading, or pulling, email from a server. They are necessary because although the mail is transported around the network via SMTP, users cannot always immediately read it, so it must be stored in a central location. From this location, it needs to be downloaded or retrieved, which is what POP3 and IMAP4 enable you to do.

POP3 and IMAP4 are popular, and many people access email through applications that are POP3 and IMAP4 clients. The default port for POP3 is 110, and for IMAP4, the default port is 143.

One of the problems with POP3 is that the password used to access a mailbox is transmitted across the network in clear text. This means that if people want to, they could determine your POP3 password with relative ease. This is an area in which IMAP4 offers an advantage over POP3. It uses a more sophisticated authentication system, which makes it more difficult for people to determine a password.

ExamAlert

POP3 and IMAP4 can be used to download, or pull, email from a server, but they cannot be used to send mail. That function is left to SMTP, which can both send and receive. Also remember, POP3 uses port 110 and IMAP4 uses port 143.

Note

Although accessing email by using POP3 and IMAP4 has many advantages, such systems rely on servers to hold the mail until it is downloaded to the client system. In today’s world, a more sophisticated solution to anytime/anywhere email access is needed. For many people, that solution is web-based mail. Having an Internet-based email account enables you to access your mail from anywhere and from any device that supports a web browser. Recognizing the obvious advantages of such a system, all the major email systems have, for some time, included web access gateway products.

Simple Network Management Protocol

The Simple Network Management Protocol (SNMP) uses port 161 to send data and port 162 to receive it. It enables network devices to communicate information about their state to a central system. It also enables the central system to pass configuration parameters to the devices.

ExamAlert

SNMP uses ports 161 and 162. It is a protocol that facilitates network management functionality. It is not, in itself, a network management system (NMS), simply the protocol that makes NMS possible.

Components of SNMP

In an SNMP configuration, a central system known as a manager acts as the central communication point for all the SNMP-enabled devices on the network. On each device to be managed and monitored via SNMP, software called an SNMP agent is set up and configured with the manager’s IP address. Depending on the configuration, the SNMP manager then communicates with and retrieves information from the devices running the SNMP agent software. In addition, the agent can communicate the occurrence of certain events to the SNMP manager as they happen. These messages are known as traps. Figure 2.4 shows how an SNMP system works.

FIGURE 2.4 How SNMP works

As Figure 2.4 illustrates, there are a number of components to SNMP. The following discussion looks at the management system, the agents, the management information base, and communities.

SNMP Management Systems

An SNMP management system is a computer running a special piece of software called a network management system (NMS). These software applications can be free, or they can cost thousands of dollars. The difference between the free applications and those that cost a great deal of money normally boils down to functionality and support. All NMS applications, regardless of cost, offer the same basic functionality. Today, most NMS applications use graphical maps of the network to locate a device and then query it. The queries are built into the application and are triggered by pointing and clicking. You can issue SNMP requests from a command-line utility, but with so many tools available, this is unnecessary.

Note

Some people call SNMP managers or NMSs trap managers. This reference is misleading, however, because an NMS can do more than just accept trap messages from agents.

Using SNMP and an NMS, you can monitor all the devices on a network, including switches, hubs, routers, servers, and printers, as well as any device that supports SNMP, from a single location. Using SNMP, you can see the amount of free disk space on a server in Jakarta or reset the interface on a router in Helsinki—all from the comfort of your desk in San Jose. Such power, though, brings with it some considerations. For example, because an NMS enables you to reconfigure network devices, or at least get information from them, it is common practice to implement an NMS on a secure workstation platform such as a Linux or Windows server and to place the NMS PC in a secure location.

SNMP Agents

Although the SNMP manager resides on a PC or server, each device that is part of the SNMP structure also needs to have SNMP functionality enabled. This is performed through a software component called an agent.

An SNMP agent can be any device that can run a small software component that facilitates communication with an SNMP manager. SNMP agent functionality is supported by almost any device designed to be connected to a network.

In addition to providing a mechanism for managers to communicate with them, agents can tell SNMP managers when a threshold is surpassed. When this happens, on a device running an SNMP agent, a trap is sent to the NMS, and the NMS then performs an action, depending on the configuration. Basic NMS systems might sound an alarm or flash a message on the screen. Other more advanced products might dial a cell phone or send an email message.

Management Information Bases

Although the SNMP trap system might be the most commonly used aspect of SNMP, manager-to-agent communication is not a one-way street. In addition to reading information from a device using the SNMP commands Get and Get Next, SNMP managers can issue the Set command. If you have a large sequence of Get Next commands to perform, you can use the Walk command to automatically move through them. The purpose of this command is to save a manager’s time: you issue one command on the root node of a subtree, and the command “walks” through, getting the value of every node in the subtree.

To demonstrate how SNMP commands work, imagine that you and a friend each have a list on which the following four words are written: four, book, sky, and table. If you, as the manager, ask your friend for the first value, she, acting as the agent, can reply “four.” This is analogous to an SNMP Get command. Now, if you ask for the next value, she would reply “book.” This is analogous to an SNMP Get Next command. If you then say “set green,” and your friend changes the word book to green, you have performed the equivalent of an SNMP Set command. Sound simplistic? If you can imagine expanding the list to include 100 values, you can see how you could navigate and set any parameter in the list, using just those commands. The key, though, is to make sure that you and your friend have exactly the same list—which is where Management Information Bases (MIBs) come in.

SNMP uses databases of information called MIBs to define what parameters are accessible, which of the parameters are read-only, and which can be set. MIBs are available for thousands of devices and services, covering every imaginable need.

To ensure that SNMP systems offer cross-platform compatibility, MIB creation is controlled by the International Organization for Standardization (ISO). An organization that wants to create a MIB can apply to the ISO. The ISO then assigns the organization an ID under which it can create MIBs as it sees fit. The assignment of numbers is structured within a conceptual model called the hierarchical name tree.

SNMP Communities

Another feature of SNMP that enables manageability is communities. SNMP communities are logical groupings of systems. When a system is configured as part of a community, it communicates only with other devices that have the same community name. In addition, it accepts Get, Get Next, or Set commands only from an SNMP manager with a community name it recognizes. Typically, two communities are defined by default: a public community, intended for read-only use, and a private community, intended for read-and-write operations.
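The Get, Get Next, Set and Walk operations, a MIB that marks which objects are read-only, and the public/private communities described in the preceding paragraphs, as an added Python model that is not code from the book. It has no network I/O or ASN.1 encoding, uses the RFC 1213 MIB-II system group OIDs, and fills them with constructed sample values.

```python
"""Toy model of the SNMP operations discussed above: Get, Get Next, Set and Walk
against a MIB whose definition says which objects are writable, gated by the
community name a request carries. Added illustration for this chapter, not code
from the book: there is no UDP, no ASN.1/BER encoding, and OIDs are plain tuples.
Object OIDs are the MIB-II system group from RFC 1213; values are constructed."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

OID = Tuple[int, ...]


class SnmpError(Exception):
    """Stands in for SNMP error statuses such as noSuchName and noAccess."""


@dataclass
class MibObject:
    value: Any
    writable: bool  # the MIB definition decides whether Set is permitted


# MIB-II system group (1.3.6.1.2.1.1) and ifNumber (1.3.6.1.2.1.2.1), RFC 1213.
SYSTEM = (1, 3, 6, 1, 2, 1, 1)
SYS_DESCR = SYSTEM + (1, 0)
SYS_UPTIME = SYSTEM + (3, 0)
SYS_CONTACT = SYSTEM + (4, 0)
SYS_NAME = SYSTEM + (5, 0)
SYS_LOCATION = SYSTEM + (6, 0)
IF_NUMBER = (1, 3, 6, 1, 2, 1, 2, 1, 0)


class Agent:
    """An agent's view: its MIB of leaf objects plus the communities it accepts."""

    def __init__(self, mib: Dict[OID, MibObject], communities: Dict[str, str]):
        # OIDs kept in lexicographic order; Get Next and Walk rely on it.
        self.mib: Dict[OID, MibObject] = dict(sorted(mib.items()))
        self.communities = communities  # community name -> "ro" or "rw"

    def _authorize(self, community: str, write: bool) -> None:
        # A real agent silently drops requests with an unknown community name;
        # raising here makes the reason visible to the caller.
        access = self.communities.get(community)
        if access is None:
            raise SnmpError(f"unknown community {community!r}")
        if write and access != "rw":
            raise SnmpError(f"community {community!r} is read-only")

    def get(self, community: str, oid: OID) -> Any:
        self._authorize(community, write=False)
        if oid not in self.mib:
            raise SnmpError("noSuchName")
        return self.mib[oid].value

    def get_next(self, community: str, oid: OID) -> Optional[OID]:
        """First OID lexicographically after `oid`, or None at the end of the MIB."""
        self._authorize(community, write=False)
        for candidate in self.mib:  # already sorted
            if candidate > oid:
                return candidate
        return None

    def set(self, community: str, oid: OID, value: Any) -> None:
        self._authorize(community, write=True)
        obj = self.mib.get(oid)
        if obj is None:
            raise SnmpError("noSuchName")
        if not obj.writable:
            raise SnmpError("noAccess: object is read-only in the MIB")
        obj.value = value

    def walk(self, community: str, root: OID) -> List[Tuple[OID, Any]]:
        """Issue Get Next repeatedly from `root` until the OIDs leave its subtree."""
        results: List[Tuple[OID, Any]] = []
        current = root
        while True:
            nxt = self.get_next(community, current)
            if nxt is None or nxt[: len(root)] != root:
                return results
            results.append((nxt, self.mib[nxt].value))
            current = nxt


def build_demo_agent() -> Agent:
    """Agent with constructed sample values and the default public/private communities."""
    mib = {
        SYS_DESCR: MibObject("Sample Router OS 1.0", writable=False),
        SYS_UPTIME: MibObject(123456, writable=False),
        SYS_CONTACT: MibObject("netops@example.com", writable=True),
        SYS_NAME: MibObject("edge-router-1", writable=True),
        SYS_LOCATION: MibObject("Helsinki", writable=True),
        IF_NUMBER: MibObject(4, writable=False),
    }
    return Agent(mib, {"public": "ro", "private": "rw"})


if __name__ == "__main__":
    agent = build_demo_agent()
    for oid, value in agent.walk("public", SYSTEM):  # one command, whole subtree
        print(".".join(map(str, oid)), "=", value)
    agent.set("private", SYS_LOCATION, "San Jose")  # the "set green" of the analogy
    print("sysLocation is now", agent.get("public", SYS_LOCATION))
```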

ExamAlert

For the exam, you should understand the SNMP concepts of Get, Trap, Walk, and MIBS.

Whether you use SNMP depends on how many devices you have and how distributed your network infrastructure is. Even in environments that have just a few devices, SNMP can be useful because it can act as your eyes and ears, notifying you if a problem on the network occurs.

SNMPv3

SNMP, which runs by default on port 161, is now on its third version, and this version has some significant differences. One of the most noticeable changes is that, unlike SNMPv1 and SNMPv2, SNMPv3 supports authentication and encryption:

  • Authentication: Authentication protocols ensure that the message is from a valid source.

  • Encryption: Encryption protocols ensure that data cannot be read by unintended sources.

ExamAlert

You might be asked to know the differences between SNMPv2 and SNMPv3. Remember, SNMPv3 supports authentication and encryption.

Lightweight Directory Access Protocol

Lightweight Directory Access Protocol (LDAP) is a protocol that provides a mechanism to access and query directory services systems. LDAP uses port 389. In the context of the Network+ exam, these directory services systems are most likely to be UNIX/Linux based or Microsoft Active Directory based. Although LDAP supports command-line queries executed directly against the directory database, most LDAP interactions are via utilities such as an authentication program (network logon) or locating a resource in the directory through a search utility.

Hypertext Transfer Protocol Secure

One of the downsides of using HTTP is that HTTP requests are sent in clear text. For some applications, such as e-commerce, this method to exchange information is unsuitable—a more secure method is needed. The solution is Hypertext Transfer Protocol Secure (HTTPS), which encrypts the information sent between the client and host (changing the port from 80 to 443). The data is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

For HTTPS to be used, both the client and server must support it. All popular browsers now support HTTPS, as do web server products, such as Microsoft Internet Information Services (IIS), Apache, and almost all other web server applications that provide sensitive applications. When you access an application that uses HTTPS, the URL starts with https rather than http—for example, https://www.mybankonline.com.

Server Message Block

Server Message Block (SMB) is used on a network to provide access to resources such as files, printers, and ports on Windows systems. If you want to connect Linux-based hosts to Windows-shared printers, for example, you need to implement support for SMB; it runs, by default, on port 445.

One of the most common ways of implementing SMB support is by running Samba.

Syslog

Most UNIX/Linux-based systems include the capability to write messages (either directly or through applications) to log files via syslog. This can be done for security or management reasons and provides a central means by which devices that otherwise could not write to a central repository can easily do so (often by using the logger utility). The default port is 514.

SMTP TLS

SMTP TLS, more commonly known as SMTPS (Simple Mail Transfer Protocol Secure), uses Transport Layer Security (TLS) to provide authentication of the communication partners along with data integrity and confidentiality by wrapping SMTP data in TLS. This is similar to how HTTPS wraps HTTP data inside TLS. The default port is 587.

Note

Some implementations of SMTP with security use port 465. This port was proposed for SMTP with SSL and was never officially approved. It is good practice to avoid using this port and to use 587 instead.

LDAPS

Lightweight Directory Access Protocol over SSL (LDAPS), also known as Secure LDAP, adds an additional layer of security to LDAP. It operates at port 636 and differs from LDAP in two ways: (1) upon connection, the client and server establish a TLS session before any LDAP messages are transferred (without a start operation) and (2) the LDAPS connection must be closed if TLS closes.

ExamAlert

Remember that LDAP uses port 389, and LDAPS (secure LDAP) uses port 636.

IMAP over SSL

When security is added to IMAP, through the use of SSL/TLS, the default port changes from 143 to 993.

POP3 over SSL

When security is added to POP3, through the use of SSL/TLS, the default port changes from 110 to 995.

SQL, SQLnet, and MySQL

Microsoft SQL Server uses port 1433 by default, while Oracle’s SQLnet uses port 1521 and the default port for MySQL is 3306. The most common language used to speak to databases is Structured Query Language (SQL). SQL allows queries to be configured in real time and passed to database servers. This flexibility causes a major vulnerability when it isn’t implemented securely.

Note

Most commercial relational database management systems (Oracle, Microsoft SQL Server, MySQL, PostgreSQL, and so forth) use SQL. A NoSQL database is a relatively new phenomenon—it is a relational database that does not use SQL. These databases are less common than relational databases but often used where scaling is important.

Remote Desktop Protocol

Remote Desktop Protocol (RDP) is used in a Windows environment for remote connections. It operates, by default, on port 3389. Remote Desktop Services (RDS, formerly known as Terminal Services) provides a way for a client system to connect to a server, such as Windows Server, and, by using RDP, operate on the server as if it were a local client application. Such a configuration is known as thin client computing, whereby client systems use the resources of the server instead of their local processing power.

Windows Server products and recent Windows client systems have built-in support for remote connections using the Windows program Remote Desktop Connection. The underlying protocol used to manage the connection is RDP. RDP is a low-bandwidth protocol used to send mouse movements, keystrokes, and bitmap images of the screen on the server to the client computer. RDP does not actually send data over the connection—only screenshots and client keystrokes.

Session Initiation Protocol

Long-distance calls are expensive, in part because it is costly to maintain phone lines and employ technicians to keep those phones ringing. Voice over IP (VoIP) provides a cheaper alternative for phone service. VoIP technology enables regular voice conversations to occur by traveling through IP packets and via the Internet. VoIP avoids the high cost of regular phone calls by using the existing infrastructure of the Internet. No monthly bills or expensive long-distance charges are required. But how does it work?

Like every other type of network communication, VoIP requires protocols to make the magic happen. For VoIP, one such protocol is Session Initiation Protocol (SIP), which is an application layer protocol designed to establish and maintain multimedia sessions, such as Internet telephony calls. This means that SIP can create communication sessions for such features as audio/videoconferencing, online gaming, and person-to-person conversations over the Internet. SIP does not operate alone; it uses TCP or UDP as a transport protocol. Remember, TCP enables guaranteed delivery of data packets, whereas UDP is a fire-and-forget transfer protocol. The default ports for SIP are 5060 and 5061.

ExamAlert

SIP operates at the application layer of the OSI model and is used to maintain a multimedia session. SIP uses ports 5060 and 5061.

Tip

SIP also includes a suite of security services, which include denial-of-service (DoS) prevention, authentication (both user-to-user and proxy-to-user), integrity protection, and encryption and privacy services.

Understanding Port Functions

As protocols were mentioned in this chapter, the default ports were also given. Each TCP/IP protocol or application has at least one default port associated with it. When a communication is received, the target port number is checked to determine which protocol or service it is destined for. The request is then forwarded to that protocol or service. For example, consider HTTPS, whose assigned port number is 443. When a web browser forms a request for a secure web page, that request is sent to port 443 on the target system. When the target system receives the request, it examines the port number. When it sees that the port is 443, it forwards the request to the web server application.

TCP/IP has 65,535 ports available, with 0 to 1023 labeled as the well-known ports. Although a detailed understanding of the 65,535 ports is not necessary for the Network+ exam, you need to understand the numbers of some well-known ports. Network administration often requires you to specify port assignments when you work with applications and configure services. Table 2.5 shows some of the most common port assignments.

ExamAlert

You should concentrate on the information provided in Table 2.5 and apply it to any port-related questions you might receive on the exam. For example, the exam may present you with a situation in which you can’t access a particular service; you may have to determine whether a port is open or closed on a firewall.

TABLE 2.5 TCP/UDP Port Assignments for Commonly Used Protocols

Protocol                    Port Assignment

TCP Ports
FTP                         20/21
SSH/SFTP                    22
Telnet                      23
SMTP                        25
DNS                         53
HTTP                        80
POP3                        110
IMAP4                       143
LDAP                        389
HTTPS                       443
SMB                         445
SMTP TLS                    587
LDAPS                       636
IMAP over SSL               993
POP3 over SSL               995
SQL Server                  1433
SQLnet                      1521
MySQL                       3306
RDP                         3389
SIP                         5060/5061

UDP Ports
DNS                         53
DHCP (and BOOTP server)     67
DHCP (and BOOTP client)     68
TFTP                        69
NTP                         123
SNMP                        161/162
Syslog                      514
RDP                         3389
SIP                         5060/5061

ExamAlert

The term well-known ports identifies the ports ranging from 0 to 1023. If/when an exam question refers to “well-known ports,” this is what it refers to.

Note

You might have noticed in Table 2.5 that two ports are associated with FTP (and some other protocols, as well). With FTP, port 20 is considered the data port, and port 21 is considered the control port. In practical use, FTP connections use port 21. Port 20 is rarely used in modern implementations.

Cram Quiz

1. TCP is an example of what kind of transport protocol?

A. Connection oriented

B. Connection reliant

C. Connection dependent

D. Connectionless

2. Which of the following are considered transport protocols? (Choose the two best answers.)

A. TCP

B. IP

C. UDP

D. THC

3. What is the function of NTP?

A. It provides a mechanism for the sharing of authentication information.

B. It is used to access shared folders on a Linux system.

C. It is used to communicate utilization information to a central manager.

D. It is used to communicate time synchronization information between systems.

4. Which of the following protocols offers guaranteed delivery?

A. FTP

B. POP

C. IP

D. TCP

5. By default, which protocol uses port 68?

A. DHCP

B. DNS

C. SMB

D. SMTP

6. What are SNMP databases called?

A. HOSTS

B. MIBs

C. WINS

D. Agents

7. What are logical groupings of SNMP systems known as?

A. Communities

B. Pairs

C. Mirrors

D. Nodes

8. What are two features supported in SNMPv3 and not previous versions?

A. Authentication

B. Dynamic mapping

C. Platform independence

D. Encryption

Cram Quiz Answers

1. A. TCP is an example of a connection-oriented transport protocol. UDP is an example of a connectionless protocol. Connection reliant and connection dependent are not terms commonly associated with protocols.

2. A and C. Both TCP and UDP are transport protocols. IP is a network protocol, and THC is not a valid protocol.

3. D. NTP is used to communicate time-synchronization information between devices. Network File System (NFS) is a protocol typically associated with accessing shared folders on a Linux system. Utilization information is communicated to a central management system most commonly by using SNMP.

4. D. TCP is a connection-oriented protocol that guarantees delivery of data. FTP is a protocol used to transfer large blocks of data. POP stands for Post Office Protocol and is not the correct choice. IP is a network layer protocol responsible for tasks such as addressing and route discovery.

5. A. DHCP uses port 68 by default (along with 67). DNS uses port 53, SMB uses 445, and SMTP uses port 25.

6. B. SNMP uses databases of information called MIBs to define what parameters are accessible, which of the parameters are read-only, and which can be set.

7. A. SNMP communities are logical groupings of systems. When a system is configured as part of a community, it communicates only with other devices that have the same community name.

8. A and D. SNMPv3 supports authentication and encryption.

Network Services

  • Explain the use and purpose of network services.

Network services provide functionality enabling the network to operate. There are a plethora of services available, but three you need to know for the exam are DNS, DHCP, and NTP.

Domain Name Service (DNS)

DNS performs an important function on TCP/IP-based networks. It resolves hostnames, such as www.quepublishing.com, to IP addresses, such as 209.202.161.67. Such a resolution system makes it possible for people to remember the names of and refer to frequently used hosts using easy-to-remember hostnames rather than hard-to-remember IP addresses. By default, DNS operates on port 53.

Note

Like other TCP/IP-based services, DNS is a platform-independent protocol. Therefore, it can be used on Linux, UNIX, Windows, and almost every other platform.

In the days before the Internet, the network that was to become the Internet used a text file called HOSTS to perform name resolution. The HOSTS file was regularly updated with changes and distributed to other servers. Following is a sample of some entries from a HOSTS file:

192.168.3.45 server1 s1 #The main file and print server
192.168.3.223 Mail mailserver #The email server
127.0.0.1 localhost

Note

A comment in the HOSTS file is preceded by a hash symbol (#).

As you can see, the host’s IP address is listed, along with the corresponding hostname. You can add to a HOSTS file aliases of the server names, which in this example are s1 and mailserver. All the entries must be added manually, and each system to perform resolutions must have a copy of the file.
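The following parser, an added example that is not code from the Exam Cram text or from any operating system's resolver, shows how the HOSTS format above is read: comments are stripped, each line yields one address and one or more names, and a lookup matches either the primary name or an alias. The sample file content is constructed from the chapter's three entries plus a deliberately conflicting second line for server1, so that the conflict check has something to report. The "first matching line wins" rule is stated as an assumption about how stub resolvers behave; it is how the platforms the author has seen handle duplicates, but confirm it on yours.

```python
"""Parse a HOSTS file and resolve names through it (added example).

Sample content is constructed: the chapter's entries plus one duplicate.
"""
from __future__ import annotations

from ipaddress import ip_address

SAMPLE_HOSTS = """\
# Comments start with a hash and run to end of line
192.168.3.45 server1 s1      #The main file and print server
192.168.3.223 Mail mailserver #The email server
127.0.0.1 localhost
10.0.0.9 server1              # constructed conflicting entry for server1
"""


def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """Return (address, [names...]) per valid line, in file order.

    Blank lines, comment-only lines and lines whose first field is not an
    IPv4/IPv6 literal are skipped. Names are lowercased because HOSTS
    lookups are case-insensitive.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ip_address(fields[0]))
        except ValueError:
            continue                          # not a valid address literal
        names = [n.lower() for n in fields[1:]]
        if names:
            entries.append((addr, names))
    return entries


def resolve(entries, name: str) -> str | None:
    """Resolve a hostname or alias. Assumption: the first matching line
    wins, as it does in the stub resolvers the author has checked."""
    name = name.lower()
    for addr, names in entries:
        if name in names:
            return addr
    return None


def conflicting_names(entries) -> dict[str, list[str]]:
    """Names that map to more than one address across the file.

    Only the first mapping is ever used, so the later ones are dead entries;
    an unexpected second mapping for a well-known name is worth a look.
    """
    seen: dict[str, list[str]] = {}
    for addr, names in entries:
        for n in names:
            seen.setdefault(n, [])
            if addr not in seen[n]:
                seen[n].append(addr)
    return {n: addrs for n, addrs in seen.items() if len(addrs) > 1}


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    for host in ("s1", "MAILSERVER", "localhost", "nosuchhost"):
        print(f"{host:12} -> {resolve(parsed, host)}")
    print("conflicts:", conflicting_names(parsed))
```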

Even when the Internet was growing at a relatively slow pace, such a mechanism was both cumbersome and prone to error. It was obvious that as the network grew, a more automated and dynamic method of performing name resolution was needed. DNS became that method.

Tip

HOSTS file resolution is still supported by most platforms. If you need to resolve just a few hosts that will not change often or at all, you can still use the HOSTS file for this.

DNS solves the problem of name resolution by offering resolution through servers configured to act as name servers. The name servers run DNS server software, which enables them to receive, process, and reply to requests from systems that want to resolve hostnames to IP addresses. Systems that ask DNS servers for a hostname-to-IP address mapping are called resolvers or DNS clients. Figure 2.5 shows the DNS resolution process. In this example, the client asks to reach the first server at mycoltd.com; the router turns to the DNS server for an IP address associated with that server; and after the address is returned, the client can establish a connection.


FIGURE 2.5 The DNS resolution process

Because the DNS namespace (which is discussed in the following section) is large, a single server cannot hold all the records for the entire namespace. As a result, there is a good chance that a given DNS server might not resolve the request for a certain entry. In this case, the DNS server asks another DNS server if it has an entry for the host.

Note

One of the problems with DNS is that, despite all its automatic resolution capabilities, entries and changes to those entries must still be manually performed. A strategy to solve this problem is to use Dynamic DNS (DDNS), a newer system that enables hosts to be dynamically registered with the DNS server. When changes are made in real time to hostnames, addresses, and related information, there is less likelihood of not finding a server or site that has been recently added or changed.

ExamAlert

You might be asked to identify the difference between DNS and DDNS.

To speed up resolution, a client often stores the results locally (the operating system's stub resolver keeps a cache, and browsers frequently keep one of their own) so that it does not have to query again when the same name needs to be resolved. This is known as DNS caching, and it is also done by caching name servers (also known as recursive name servers). Because a mapping can change (a host may be issued a different IP address than it previously had), every record carries a TTL (time to live) value set by the zone's administrator, and a cached entry is discarded once its TTL has elapsed.

The DNS Namespace

DNS operates in the DNS namespace. This space has logical divisions hierarchically organized. At the top level are domains such as .com (commercial) and .edu (education), as well as domains for countries, such as .uk (United Kingdom) and .de (Germany). Below the top level are subdomains or second-level domains associated with organizations or commercial companies, such as Red Hat and Microsoft. Within these domains, hosts or other subdomains can be assigned. For example, the server ftp.redhat.com would be in the redhat.com domain. Figure 2.6 shows a DNS hierarchical namespace.


FIGURE 2.6 A DNS hierarchical namespace

ExamAlert

A hostname together with all of the domain labels above it, up to the top of the namespace, is called the fully qualified domain name (FQDN) because it includes every component from the top of the DNS namespace down to the host.

Note

Many people refer to DNS as resolving FQDNs to IP addresses. An example of an FQDN is www.comptia.org, where www is the host, comptia is the second-level domain, and org is the top-level domain.

The lower domains are largely open to use in whatever way the domain name holder sees fit. However, the top-level domains are relatively closely controlled. Table 2.6 lists a selection of the most widely used top-level DNS domain names. In recent years a large number of additional generic top-level domains have been added to expand the available namespace. The root DNS servers answer directly only for records in the root zone itself; for any other name, they respond with a referral, that is, the list of authoritative name servers for the top-level domain (TLD) being sought, and the resolver continues from there.

TABLE 2.6 Selected Top-Level Domains in the DNS Namespace

Top-Level Domain Name    Intended Purpose
com                      Commercial organizations
edu                      Educational organizations/establishments
gov                      U.S. government organizations/establishments
net                      Network providers/centers
org                      Not-for-profit and other organizations
mil                      Military
arpa                     Reverse DNS lookup (in-addr.arpa and ip6.arpa) and other infrastructure use
de                       A country-specific domain, in this case Germany*

*In addition to country-specific domains, many countries have created subdomains that follow roughly the same principles as the original top-level domains (such as co.uk and gov.nz).

Although the assignment of domain names is supposed to conform to the structure shown in Table 2.6, the assignment of names is not as closely controlled as you might think. It’s not uncommon for some domain names to be used for other purposes, such as .org or .net being used for business.

Note

Although the primary function of DNS is to resolve hostnames to IP addresses, you can also have DNS perform IP address-to-hostname resolution. This process is called reverse lookup, and it is accomplished by using pointer (PTR) records, which live under the special in-addr.arpa (IPv4) and ip6.arpa (IPv6) domains with the address written in reverse octet or nibble order.

ExamAlert

For the exam, know that PTR records are used for reverse lookup functions.

Two other terms often used with DNS queries are iterative and recursive. In an iterative query, the server answers with the best information it has on hand, which is either the answer itself or a referral to a name server that is closer to the answer, and the client is left to follow the referral and query the next server itself. In a recursive query, the client asks the server to resolve the name completely; the server then walks the namespace on the client's behalf, querying a root server, a TLD server, and finally the authoritative server, and returns only the final answer. Root and TLD servers answer iteratively only; recursive service is what caching name servers, such as those run by an ISP, provide to their clients. To use a silly analogy, an iterative lookup is asking your mother and being told to go ask your father, while a recursive lookup is your mother going to ask your father for you and coming back with the answer.
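The following simulation, an added example that is not code from the Exam Cram text or from any real resolver, puts the two ideas from the preceding paragraphs together: the iterative behaviour of root, TLD and authoritative servers (each returns an answer or a referral and never asks anyone else), the recursive walk a caching name server performs on the client's behalf, and the TTL-bounded cache described earlier. The namespace is constructed with three levels (root, com, mycoltd.com); all server addresses, names, and TTLs are invented for the walk, and negative caching of NXDOMAIN answers is deliberately left out.

```python
"""Recursive versus iterative lookups with a TTL cache (added example).

The authoritative data below is constructed: one root server, one .com
server and one server authoritative for mycoltd.com.
"""
from __future__ import annotations

ROOT = "192.0.2.1"  # constructed address of "the" root server

# Each server holds one zone: exact-match answers plus NS delegations
# carrying the child server's name and glue address.
SERVERS = {
    ROOT: {"answers": {},
           "delegations": {"com": ("a.gtld-servers.test", "192.0.2.2")}},
    "192.0.2.2": {"answers": {},
                  "delegations": {"mycoltd.com": ("ns1.mycoltd.com", "192.168.33.1")}},
    "192.168.33.1": {"delegations": {},
                     "answers": {"www.mycoltd.com": ("A", "192.168.33.80", 300),
                                 "ns1.mycoltd.com": ("A", "192.168.33.1", 3600)}},
}


def iterative_query(server: str, qname: str) -> tuple:
    """One iterative query: the server returns the best it has, either a
    final answer or a referral, and never queries anyone else itself."""
    zone = SERVERS[server]
    if qname in zone["answers"]:
        rtype, rdata, ttl = zone["answers"][qname]
        return ("answer", rtype, rdata, ttl)
    # The longest delegated suffix wins, e.g. "mycoltd.com" over "com".
    for child in sorted(zone["delegations"], key=len, reverse=True):
        if qname == child or qname.endswith("." + child):
            ns_name, ns_addr = zone["delegations"][child]
            return ("referral", child, ns_name, ns_addr)
    return ("nxdomain",)


class RecursiveResolver:
    """A caching (recursive) name server: walks the hierarchy on the
    client's behalf and remembers each answer for its TTL."""

    def __init__(self):
        self.cache: dict[str, tuple[str, float]] = {}  # qname -> (rdata, expires_at)
        self.queries_sent = 0                          # upstream iterative queries made

    def lookup(self, qname: str, now: float) -> str | None:
        qname = qname.lower().rstrip(".")
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0]                  # cache hit: no upstream traffic at all
        server = ROOT                      # every cold walk starts at a root server
        while True:
            self.queries_sent += 1
            resp = iterative_query(server, qname)
            if resp[0] == "answer":
                _, _, rdata, ttl = resp
                self.cache[qname] = (rdata, now + ttl)   # honour the record's TTL
                return rdata
            if resp[0] == "referral":
                server = resp[3]           # follow the glue address to the child zone
                continue
            return None                    # NXDOMAIN; negative caching not modelled


if __name__ == "__main__":
    r = RecursiveResolver()
    for t in (0, 100, 400):   # second call is a cache hit; third follows TTL expiry
        print(f"t={t}: {r.lookup('www.mycoltd.com', now=t)} "
              f"after {r.queries_sent} upstream queries")
```

Run as a script, the first lookup costs three upstream queries (root, com, mycoltd.com), the second at t=100 costs none, and the third at t=400, past the 300-second TTL, costs three again.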

Types of DNS Entries

Although the most common entry in a DNS database is an A (address) record, which maps a hostname to an IPv4 address, DNS can hold numerous other types of entries as well. Among them are the MX record, which names the mail exchanger that accepts mail for a name, and the CNAME (canonical name) record, which creates an alias for a system. A system can have an A record and then multiple CNAME entries for its aliases. A DNS table with all these types of entries might look like this:

fileserver.mycoltd.com IN A 192.168.33.2
email.mycoltd.com IN A 192.168.33.7
fileprint.mycoltd.com IN CNAME fileserver.mycoltd.com
mailer.mycoltd.com IN MX 10 email.mycoltd.com

As you can see, rather than map to an actual IP address, the CNAME and MX record entries map to another host, which DNS in turn can resolve to an IP address. The 10 in the MX record is a preference value; when a name has several MX records, sending mail servers try the lowest value first.
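Because CNAME and MX entries point at other names rather than at addresses, a zone is only usable if those targets can themselves be resolved. The checker below is an added example, not code from the Exam Cram text or from any DNS server; it reads records written in the chapter's simplified "name IN TYPE rdata" style and applies three rules a practitioner would want enforced before loading a zone: exactly one SOA record per zone, every CNAME and MX/NS target resolvable to an address record within the zone, and no alias used where RFC 1034 and RFC 2181 forbid one (a CNAME owner carrying other records, or an MX/NS pointing at a CNAME). The zone text is constructed: it repeats the chapter's records plus SOA/NS entries and one CNAME whose target is misspelled, so the checker has a dangling alias to report.

```python
"""Consistency checks over a small zone in "name IN TYPE rdata" form
(added example). The zone text is constructed for the demonstration.
"""
from __future__ import annotations

ZONE = """\
mycoltd.com IN SOA ns1.mycoltd.com hostmaster.mycoltd.com 2024010101 3600 900 604800 300
mycoltd.com IN NS ns1.mycoltd.com
ns1.mycoltd.com IN A 192.168.33.1
fileserver.mycoltd.com IN A 192.168.33.2
email.mycoltd.com IN A 192.168.33.7
fileprint.mycoltd.com IN CNAME fileserver.mycoltd.com
mycoltd.com IN MX 10 email.mycoltd.com
oldprint.mycoltd.com IN CNAME fileserve.mycoltd.com
"""

ADDRESS_TYPES = {"A", "AAAA"}


def parse_zone(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (owner, type, rdata fields) for each record line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "IN":
            continue                                  # not a record in this format
        owner, rtype, rdata = fields[0].lower(), fields[2].upper(), fields[3:]
        records.append((owner, rtype, [f.lower() for f in rdata]))
    return records


def rrset(records, owner: str, rtype: str) -> list[list[str]]:
    """All rdata for one owner name and type (an RRset)."""
    return [rdata for o, t, rdata in records if o == owner and t == rtype]


def resolve_address(records, name: str, max_hops: int = 8) -> str | None:
    """Follow CNAMEs until an A/AAAA record is reached, as a resolver does."""
    name = name.lower()
    for _ in range(max_hops):                         # guards against CNAME loops
        for t in ADDRESS_TYPES:
            if (addrs := rrset(records, name, t)):
                return addrs[0][0]
        cnames = rrset(records, name, "CNAME")
        if not cnames:
            return None                               # dangling: nothing to resolve to
        name = cnames[0][0]
    return None


def check_zone(records) -> list[str]:
    """Return a human-readable list of problems; empty means the zone passed."""
    problems = []
    soa_count = sum(1 for _, t, _ in records if t == "SOA")
    if soa_count != 1:
        problems.append(f"zone must have exactly one SOA record, found {soa_count}")
    for owner, rtype, rdata in records:
        if rtype == "CNAME":
            # RFC 1034: an alias name may carry no other (non-DNSSEC) records
            others = {t for o, t, _ in records if o == owner and t != "CNAME"}
            if others:
                problems.append(f"{owner}: CNAME coexists with {sorted(others)}")
            if resolve_address(records, rdata[0]) is None:
                problems.append(f"{owner}: CNAME target {rdata[0]} has no address")
        elif rtype in {"MX", "NS"}:
            target = rdata[-1]      # MX rdata is "<preference> <host>"; NS is "<host>"
            # RFC 2181: MX/NS targets must be hostnames with addresses, never aliases
            if rrset(records, target, "CNAME"):
                problems.append(f"{owner}: {rtype} target {target} is a CNAME")
            elif not any(rrset(records, target, t) for t in ADDRESS_TYPES):
                problems.append(f"{owner}: {rtype} target {target} has no address")
    return problems


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    print("fileprint.mycoltd.com ->", resolve_address(recs, "fileprint.mycoltd.com"))
    for problem in check_zone(recs):
        print("PROBLEM:", problem)
```

A dangling alias of this kind is more than a typo: a CNAME that points at a name nobody controls can later be claimed by someone else, so the "has no address" finding is worth treating as a security issue, not just a configuration error.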

DNS Records

Each DNS name server maintains information about its zone, or domain, in a series of records, known as DNS resource records. There are several DNS resource records; each contains information about the DNS domain and the systems within it. These records are text entries stored on the DNS server. Some of the DNS resource records include the following:

  • Start of Authority (SOA): This record holds the zone's administrative parameters: the primary name server for the zone, the email address of the responsible party, a serial number that secondary servers compare to detect changes, and the refresh, retry, expire, and minimum TTL timers that govern zone transfers and negative caching. A DNS zone is the part of a domain for which an individual DNS server is responsible, and each zone contains exactly one SOA record.

  • Name Server (NS): This record identifies the name servers that are authoritative for the domain. The parent zone holds a matching set of NS records to delegate the child zone to those servers.

  • Service Locator (SRV): This is a generalized service location record, used by newer protocols instead of creating protocol-specific records such as MX. Its owner name has the form _service._protocol.domain (for example, _ldap._tcp.example.com), and its data carries a priority, a weight, a port number, and the target host.

  • Canonical Name (CNAME): This record stores an alias, or nickname, for a host's canonical name. A single computer can be given several names this way, with each CNAME pointing at the one name that carries the address record. A name that has a CNAME record may hold no other record types (apart from DNSSEC signature data).

  • Pointer (PTR): This record maps an address back to a hostname and is used to perform a reverse DNS lookup, in which the query originates with an IP address and the name is returned.

  • IPv6 Address (AAAA): This record stores a 128-bit IPv6 address and is used to map a hostname to the host's IPv6 address.

  • IPv4 Address (A): This record stores a 32-bit IPv4 address and is used to map a hostname to the host's IPv4 address.

  • Text (TXT): This record was originally created to carry human-readable text, but that purpose has long since passed. Today it more commonly holds machine-readable data, such as SPF (Sender Policy Framework) policies and DKIM (DomainKeys Identified Mail) public keys, which receiving mail servers look up to decide whether a message legitimately came from the domain.

  • Mail Exchange (MX): This record stores information about where mail for the domain should be delivered: the hostname of a mail exchanger together with a preference value, with lower values tried first.

ExamAlert

The most common type of DNS zone is the forward lookup zone, which allows DNS clients to obtain information such as IP addresses that correspond to DNS domain names. Remember that a reverse lookup zone maps from IP addresses back to DNS domain names.

ExamAlert

The exam objectives specifically list DNS records. You should expect to see a question about records A, MX, AAAA, CNAME, NS, SRV, TXT, or PTR.

DNS in a Practical Implementation

In a real-world scenario, whether you use DNS is almost a nonissue. If you have Internet access, you will most certainly use DNS, but you are likely to use the DNS facilities of your Internet service provider (ISP) rather than run your own internal DNS server; this is known as external DNS. However, if you operate a large, complex, multiplatform network, you might find that internal DNS servers are necessary. The major network operating system vendors know that you might need DNS facilities in your organization, so they include DNS server applications with their offerings. Third-party or cloud-hosted DNS is another option. Google, for example, offers Cloud DNS, which it describes as "low latency, high availability and is a cost-effective way to make your applications and services available to your users" (for more information, see https://cloud.google.com/dns/).

It is common practice for workstations to be configured with the IP addresses of two DNS servers for fault tolerance (the Preferred and Alternate DNS server fields of the IPv4 properties dialog in Windows, for example). The importance of DNS, particularly in environments in which the Internet is heavily used, cannot be overstated. If DNS facilities are not accessible, the Internet effectively becomes unusable, unless you can remember the IP addresses of all your favorite sites.

Domain Name System Security Extensions (DNSSEC) is a suite of IETF specifications for securing certain kinds of information provided by DNS. As originally designed, DNS included no security features: a resolver has no way to tell a genuine response from a forged one. DNSSEC adds digital signatures to resource records (carried in RRSIG records, with the signing keys published in DNSKEY records and a chain of trust anchored at the root) so that a validating resolver can verify that an answer is authentic and unmodified. It provides origin authentication and integrity, not confidentiality; queries and responses still travel in the clear. DNSSEC is also designed to be backward compatible, so resolvers that do not validate continue to work.

Dynamic Host Configuration Protocol

One method of assigning IP addresses to hosts is static addressing: an administrator manually assigns an address from those available, and the host uses that address permanently. The problems with this method are the difficulty of tracking which addresses are in use across a multitude of machines and the effort of issuing and changing them by hand.

ExamAlert

Be sure to know the difference between static and dynamic IP addressing as you study for the Network+ exam.

DHCP, which is defined in RFC 2131, lets you define ranges of IP addresses, known as scopes (predefined groups of addresses drawn from an address pool), on a system running a DHCP server application. When another system configured as a DHCP client is initialized, it asks the server for an address. If all things are as they should be, the server assigns an address from the scope to the client for a predetermined amount of time, known as the lease or lease time.

At set points during the lease (by default at 50 percent, called T1, and at 87.5 percent, called T2, in RFC 2131), the client attempts to renew the lease. At T1 it sends a unicast DHCPREQUEST to the server that granted the lease; if that gets no answer, at T2 it broadcasts the request so that any DHCP server can extend the lease. If no server renews it, the lease expires at 100 percent, and the client stops using the address.

In addition to an IP address and the subnet mask, the DHCP server can supply many other pieces of information; however, exactly what can be provided depends on the DHCP server implementation. In addition to the address information, the default gateway is often supplied, along with DNS information.

In addition to having DHCP supply an available address from the scope, you can configure scope options, such as having it supply a specific address to a particular client. Such an arrangement is known as a reservation (see Figure 2.7). Reservations let you keep a system on DHCP while guaranteeing that it always receives the same IP address. When the match is made on the client's MAC address, this is known as a MAC reservation. DHCP can also be configured for exclusions, also called IP exclusions: certain addresses within the scope are never handed out to client systems, typically because they are statically assigned to devices such as routers or printers.


FIGURE 2.7 DHCP reservations

The advantages of using DHCP are numerous. First, administrators do not need to manually configure each system. Second, human error, such as the assignment of duplicate IP addresses, is largely eliminated. Third, DHCP removes the need to reconfigure systems if they move from one subnet to another, or if you decide to make a wholesale change in the IP addressing structure. The downsides are that DHCP traffic is broadcast based and thus generates network traffic, albeit a small amount, and that the DHCP server software must be installed and configured on a server, which places additional processor load (again, minimal) on that system. From an administrative perspective, after the initial configuration, DHCP is about as maintenance-free as a service can get, with only occasional monitoring normally required.

ExamAlert

DHCP is a protocol-dependent service and is not platform dependent. This means that you can use, for instance, a Linux DHCP server for a network with Windows clients or with Linux clients. Although the DHCP server offerings in the various network operating systems might differ slightly, the basic functionality is the same across the board. Likewise, a client is configured the same way whether the DHCP server runs on the same operating system platform as the client or on a different one.

The DHCP Process

To better understand how DHCP works, spend a few minutes looking at the processes that occur when a DHCP-enabled client connects to the network. When a system configured to use DHCP comes onto the network, it broadcasts a special packet that looks for a DHCP server. This packet is known as the DHCPDISCOVER packet. The DHCP server, which is always listening for DHCPDISCOVER broadcasts, picks up the packet and compares the request with the scopes it has defined. If it finds that it has a scope for the network from which the packet originated, it chooses an address from the scope, reserves it, and sends the address, along with any other information, such as the lease duration, to the client. This is known as the DHCPOFFER packet. Because the client still does not have an IP address, this communication is also achieved via broadcast. By default, DHCP runs over UDP, with the server listening on port 67 and the client on port 68.

ExamAlert

Remember that DHCP operates on ports 67 and 68.

When the client receives the offer, it looks at the offer to determine if it is suitable. If more than one offer is received, which can happen if more than one DHCP server is on the segment, the client picks one; many clients simply take the first offer that arrives, while others weigh criteria such as the length of the lease. The client then announces its choice through a broadcast packet called a DHCPREQUEST, which names the chosen server so that the other servers can release the addresses they offered. At this point the chosen server finalizes the offer and sends the client an acknowledgment. This last message, also sent as a broadcast, is known as a DHCPACK packet. After the client system receives the DHCPACK, it initializes the TCP/IP suite and can communicate on the network. Note that nothing in this exchange authenticates the server: any host on the segment can answer a DHCPDISCOVER, so a rogue DHCP server can hand clients a malicious default gateway or DNS server address. Switch features such as DHCP snooping, which accept DHCPOFFER and DHCPACK messages only from designated trusted ports, are the usual defense.
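The simulation below, an added example that is not code from the Exam Cram text or from any DHCP implementation, drives a small server's allocation logic through the DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, and DHCPACK exchange just described, and also exercises the scope features introduced earlier: an exclusion, a MAC reservation, a lease-time option, and a T1 renewal of an existing lease. Messages are Python dicts standing in for the option fields of real packets (chaddr, yiaddr, requested IP, message type); the RFC 2131 wire format, the broadcast/unicast distinction, and the server identifier option are not modelled. All addresses and MAC addresses are constructed.

```python
"""DHCP DORA exchange with a scope, an exclusion, a MAC reservation and
lease renewal (added example). Messages are dicts, not real packets.
"""
from __future__ import annotations

from ipaddress import IPv4Address

LEASE_TIME = 3600  # seconds; handed to clients as the lease-time option


class DhcpServer:
    def __init__(self, first: str, last: str, exclusions=(), reservations=None,
                 router="192.168.1.1", dns=("192.168.1.10",), mask="255.255.255.0"):
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.pool = [IPv4Address(i) for i in range(lo, hi + 1)]        # the scope
        self.exclusions = {IPv4Address(a) for a in exclusions}          # never handed out
        self.reservations = {mac.lower(): IPv4Address(ip)               # MAC -> fixed address
                             for mac, ip in (reservations or {}).items()}
        self.options = {"subnet_mask": mask, "router": router, "dns": list(dns)}
        self.offered: dict[str, IPv4Address] = {}                       # mac -> offered address
        self.leases: dict[str, tuple[IPv4Address, float]] = {}          # mac -> (address, expires_at)

    def _in_use(self, now: float) -> set[IPv4Address]:
        return {ip for ip, expires in self.leases.values() if expires > now}

    def _pick(self, mac: str, now: float) -> IPv4Address | None:
        if mac in self.reservations:                                    # reservation always wins
            return self.reservations[mac]
        taken = self._in_use(now) | self.exclusions | set(self.reservations.values())
        return next((ip for ip in self.pool if ip not in taken), None)

    def handle(self, msg: dict, now: float) -> dict | None:
        """Server side: DISCOVER -> OFFER, REQUEST -> ACK or NAK."""
        mac = msg["chaddr"].lower()
        if msg["message_type"] == "DHCPDISCOVER":
            ip = self._pick(mac, now)
            if ip is None:
                return None                                             # scope exhausted: stay silent
            self.offered[mac] = ip
            return {"message_type": "DHCPOFFER", "yiaddr": str(ip),
                    "lease_time": LEASE_TIME, **self.options}
        if msg["message_type"] == "DHCPREQUEST":
            want = IPv4Address(msg["requested_ip"])
            current = self.leases.get(mac)
            renewing = current is not None and current[0] == want        # T1/T2 renewal
            if renewing or self.offered.get(mac) == want:
                self.leases[mac] = (want, now + LEASE_TIME)
                self.offered.pop(mac, None)
                return {"message_type": "DHCPACK", "yiaddr": str(want),
                        "lease_time": LEASE_TIME, **self.options}
            return {"message_type": "DHCPNAK"}                          # not ours to confirm
        return None


def dora(server: DhcpServer, mac: str, now: float) -> dict | None:
    """Client side: broadcast DISCOVER, accept the OFFER, REQUEST it, expect ACK."""
    offer = server.handle({"message_type": "DHCPDISCOVER", "chaddr": mac}, now)
    if offer is None:
        return None
    return server.handle({"message_type": "DHCPREQUEST", "chaddr": mac,
                          "requested_ip": offer["yiaddr"]}, now)


def renew(server: DhcpServer, mac: str, ip: str, now: float) -> dict | None:
    """Client side at T1: ask the server to extend the lease it already holds."""
    return server.handle({"message_type": "DHCPREQUEST", "chaddr": mac,
                          "requested_ip": ip}, now)


if __name__ == "__main__":
    srv = DhcpServer("192.168.1.100", "192.168.1.103",
                     exclusions=["192.168.1.100"],                      # IP exclusion
                     reservations={"00:11:22:33:44:55": "192.168.1.103"})  # MAC reservation
    print(dora(srv, "aa:bb:cc:00:00:01", now=0))     # .101 (.100 is excluded)
    print(dora(srv, "00:11:22:33:44:55", now=0))     # reserved .103
    print(dora(srv, "aa:bb:cc:00:00:02", now=0))     # .102
    print(dora(srv, "aa:bb:cc:00:00:03", now=0))     # None: scope exhausted
    print(renew(srv, "aa:bb:cc:00:00:01", "192.168.1.101", now=LEASE_TIME * 0.5))  # T1 renewal
```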

DHCP and DNS Suffixes

A DNS suffix is a domain name that the resolver appends to an unqualified hostname, so that a user who types server1 actually has server1.mycoltd.com looked up. A suffix search list holds several suffixes and the order in which to try them. DHCP can push a domain name (option 15) and a domain search list (option 119) to its clients; when a client receives a search list this way, it uses only that list when completing unqualified names. On Linux clients, the same settings appear as the search entries in the /etc/resolv.conf file, which the DHCP client typically writes on the system's behalf.

ExamAlert

Know that DHCP can provide DNS suffixes to clients.

DHCP Relays and IP Helpers

DHCP relies on broadcasts, and routers do not forward broadcasts, so on a large network with many subnets each subnet would otherwise need its own DHCP server. A DHCP relay solves this. It is an agent on the router (or on another device in the subnet) that acts as a go-between for clients and the server: it receives the client's broadcast, forwards it as a unicast to the DHCP server on another subnet, and relays the server's reply back to the client. The relay records the address of the interface on which it heard the broadcast in the packet's gateway address (giaddr) field, which is how the server knows which scope to allocate from. A relay is necessary because a client cannot reach a server on another subnet until it has IP configuration information assigned to it.

One level above DHCP relay is the IP helper. The two terms are often used as synonyms, but they are not the same; think of IP helper as a superset of DHCP relay. An IP helper forwards a set of UDP broadcasts, by default those for DHCP/BOOTP, TFTP, DNS, TACACS, the Time service, and the NetBIOS name and datagram services (UDP ports 137 and 138). You can remove protocols from that list or add others, but by default an IP helper does more than a DHCP relay. Because every forwarded protocol is one more broadcast the router turns into unicast toward the helper address, trim the list to what the subnet actually needs.

ExamAlert

Know that an IP helper can do more than a DHCP relay agent.

Network Time Protocol

Network Time Protocol (NTP) is one of the oldest Internet protocols in current use. It is the part of the TCP/IP protocol suite that facilitates the communication of time between systems. NTP operates over UDP port 123. The idea is that one system configured as a time provider transmits time information to other systems that can be both time receivers and time providers for other systems.

Time synchronization is important in today's IT environment because of the distributed nature of applications. Two good examples of situations in which time synchronization is important are email and directory services systems. In each case, having time synchronized between devices matters because timestamps are what order events: without it, message and log timestamps from different systems cannot be compared, directory replication cannot tell which change is the most recent, and time-sensitive authentication such as Kerberos rejects tickets when clocks drift too far apart. For the same reason, accurate time on every device is a prerequisite for correlating security logs during an investigation.

NTP uses a hierarchical, semi-layered system of time sources wherein each level of the hierarchy is termed a stratum. Each stratum/level is assigned a number starting with zero for the reference clock at the top and incrementing from there with the number representing the distance from the reference clock: this means that a server synchronized to a stratum n server runs at stratum n + 1. This numbering is used to prevent cyclical dependencies in the hierarchy, but stratum is not always an indication of quality or reliability. It is possible to find a stratum server with a higher number (for example, 3) that is of higher quality than a stratum 2 time source.

In many environments, external time sources such as radio clocks, Global Positioning System (GPS) devices, and Internet-based time servers are used as sources of NTP time. In others, the system’s BIOS clock is used. Regardless of what source is used, the time information is communicated between devices by using NTP.

Note

Specific guidelines dictate how NTP should be used. You can find these “rules of engagement” at http://support.ntp.org/bin/view/Servers/RulesOfEngagement. Note that the site uses HTTP, as opposed to HTTPS, and should not be considered secure.

ExamAlert

Remember that NTP is used for time synchronization and is implemented over UDP port 123.

NTP server and client software is available for a variety of platforms and devices. If you want a way to ensure time synchronization between devices, look to NTP as a solution.

Cram Quiz

1. One of the programmers has asked that DHCP always issue his workstation the same IP address. What feature of DHCP enables you to accomplish this?

A. Stipulation
B. Rider
C. Reservation
D. Provision

2. Which of the following is not a common packet sent during the normal DHCP process?

A. DHCPACK
B. DHCPPROVE
C. DHCPDISCOVER
D. DHCPOFFER

3. During a discussion with your ISP's technical support representative, she mentions that you might have been using the wrong FQDN. Which TCP/IP-based network service is she referring to?

A. DHCP
B. WINS
C. SNMP
D. DNS

4. Which DNS record stores additional hostnames, or aliases, for hosts in the domain?

A. ALSO
B. ALIAS
C. CNAME
D. PTR

5. Which DNS record is most commonly used to map hostnames to an IP address for a host with IPv6?

A. A
B. AAAA
C. MX
D. PTR

Cram Quiz Answers

1. C. Reservations are specific addresses reserved for clients.

2. B. DHCPPROVE is not a common packet. The other choices presented (DHCPACK, DHCPDISCOVER, and DHCPOFFER) are part of the normal process.

3. D. DNS is a system that resolves hostnames to IP addresses. The term FQDN is used to describe the entire hostname. None of the other services use FQDNs.

4. C. The CNAME record stores additional hostnames, or aliases, for hosts in the domain. There is not an ALSO record or ALIAS, and PTR is used for reverse lookups.

5. B. The AAAA record is most commonly used to map hostnames to an IP address for a host with IPv6. The A record is not used for this purpose. MX identifies the mail exchanger, and PTR is used for reverse lookup.

What’s Next?

The TCP/IP suite is the most widely implemented protocol on networks today. As such, it is an important topic on the Network+ exam. Chapter 3, “Addressing, Routing, and Switching,” starts by discussing one of the more complex facets of TCP/IP: IP addresses.
