to in some documentation as the NetBIOS protocol). NetBT supplies the programming interface provided for by NetBIOS along with the communication protocols provided for by TCP.
■ NetBT’s name service allows host computers to attain and retain (or defend) a NetBIOS name. It also assists other hosts in locating a computer with a specific NetBIOS name. In addition, the name service resolves a specific NetBIOS name to an IP address. This process uses broadcast messages that are sent to all hosts on the network. The name service uses UDP Port 137.
■ The session service of NetBT provides for the reliable exchange of messages between two NetBIOS applications, typically on two different computers. The session service uses TCP Port 139.
■ The datagram service within NetBT provides connectionless, unreliable message delivery between NetBIOS applications via UDP Port 138. As mentioned earlier, when data length is short or reliability is not critical, the datagram service is a faster method than session-based communication.
Together, the session and datagram services provide the NetBIOS applications with the capability to exchange information with one another. However, in an environment where Windows Vista and Windows 2008 are the desktop and network operating systems, NetBIOS or NetBT/IP are replaced by DNS, which has become the primary naming and name resolution provider.
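The name-service messages described above (the broadcasts on UDP 137 that map a NetBIOS name to an IP address) have a simple wire format. The following is an added example, not code from the original text: it implements the NetBIOS name encoding and a parser for a positive name-query response, so an analyst can read what such traffic carries. The packet layout and flag values come from RFC 1001/1002; the sample query and response are constructed in the code.

```python
import struct

# Constants from RFC 1001/1002; the text itself gives only the port number.
NBNS_PORT = 137          # name service, UDP (text: UDP Port 137)
TYPE_NB = 0x0020         # NB resource record: NetBIOS name -> IP address
CLASS_IN = 0x0001
SUFFIX_WORKSTATION = 0x00
SUFFIX_FILE_SERVER = 0x20


def encode_name(name, suffix=SUFFIX_WORKSTATION):
    """First-level encoding: pad the name to 15 bytes, append the suffix
    byte, then write each nibble as a letter A..P (32 bytes on the wire)."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))


def decode_name(encoded):
    """Reverse of encode_name: returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_name_query(name, trn_id=0x1234, broadcast=True):
    """Name Query Request as a host broadcasts it to UDP 137 when it looks
    for a NetBIOS name (constructed here as sample input)."""
    flags = 0x0100 | (0x0010 if broadcast else 0)   # RD bit, plus B bit
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)
    question = b"\x20" + encode_name(name) + b"\x00"
    return header + question + struct.pack("!HH", TYPE_NB, CLASS_IN)


def build_name_response(query, ip, ttl=300000):
    """Constructed Positive Name Query Response answering `query`."""
    trn_id = struct.unpack_from("!H", query, 0)[0]
    rr_name = query[12:46]                        # copy the encoded name
    header = struct.pack("!HHHHHH", trn_id, 0x8580, 0, 1, 0, 0)  # R,AA,RD,RA
    rdata = struct.pack("!H", 0) + bytes(int(o) for o in ip.split("."))
    rr = struct.pack("!HHIH", TYPE_NB, CLASS_IN, ttl, len(rdata)) + rdata
    return header + rr_name + rr


def parse_name_response(packet):
    """Parse a Positive Name Query Response into (trn_id, name, suffix, ips).
    Raises ValueError for anything that is not such a response."""
    trn_id, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", packet, 0)
    if not (flags & 0x8000) or ((flags >> 11) & 0xF) != 0 or an == 0:
        raise ValueError("not a positive name query response")
    off = 12 + qd * 38                            # skip any echoed questions
    if packet[off] != 0x20:
        raise ValueError("unsupported name length")
    name, suffix = decode_name(packet[off + 1:off + 33])
    off += 34
    rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, off)
    off += 10
    if rtype != TYPE_NB or rclass != CLASS_IN:
        raise ValueError("unexpected resource record")
    # each RDATA entry is 2 bytes of NB_FLAGS followed by a 4-byte address
    ips = [".".join(str(b) for b in packet[i + 2:i + 6])
           for i in range(off, off + rdlen, 6)]
    return trn_id, name, suffix, ips
```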
WINS
WINS is a NetBIOS name server that NetBIOS clients can use to attain, register, and resolve NetBIOS names. WINS is specific to Microsoft networks and is not used (or available for use) on non-Microsoft operating system-based computers. Computers running UNIX, Linux, and other non-Microsoft operating systems typically use DNS for name resolution, although there are other, non-WINS NetBIOS name services available. Generally, other operating systems will be concerned with NetBIOS names only when they’re on a network with Microsoft machines; for example, when using SAMBA.
Exam warning
Remember the following for the Network exam: The name service uses UDP Port 137. The datagram service uses UDP Port 138. The session service uses TCP Port 139.
WINS provides NetBIOS functionality but expands it by replicating this information for faster name resolution services across a large network. WINS generates a database that contains each NetBIOS name and its associated IP address. A WINS Server resolves NetBIOS names and provides the associated IP addresses when it receives requests.
WINS is implemented in two parts: the Server service and the Client service. The Server service maintains the database containing both NetBIOS names and associated IP addresses. It also replicates the database to other WINS Servers for faster name resolution across a large network. This reduces network broadcast traffic because names can be acquired and defended using direct requests to the WINS Server rather than by using network broadcasts. The Client service runs on the individual computers, and it uses WINS to register the computer name, as well as to provide name resolution services to the local applications and services.
For backward compatibility, Windows-based clients and servers also provide support for using the LMHOSTS file. This plain text file is unique to Windows-based computers and provides a map of a computer’s NetBIOS name to an IP address. This static file was used prior to the implementation of the dynamic Windows name resolution found in WINS.
Exam warning
NetBIOS name resolution can be done via a centralized WINS server or a local lmhosts file, both of which will be able to keep traffic down on your network by mapping NetBIOS names to IP addresses.
Exam warning
NetBIOS name resolution uses four different node types to resolve names to IP addresses: Broadcast (B-node), Peer-to-Peer (P-node), Mixed (M-node), and Hybrid (H-node).
Server Message Block/Common Internet File System
The Server Message Block (SMB) protocol was originally developed by IBM in the 1980s and later expanded upon by IBM, Microsoft, Intel, and 3Com. SMB was used not only for file and print sharing but also for sharing serial ports and abstract communications technologies such as named pipes and mailslots. SMB is also now known as Common Internet File System (CIFS); both names are used interchangeably.
CIFS is a protocol that, like many application layer protocols, is operating system-independent. It evolved from the SMB and NetBIOS file and print sharing methods in earlier versions of the Windows operating system. It can be used by different platforms and operating systems and across different network/transport protocols; it is not TCP/IP-dependent. The connection from client to server can be made via NetBEUI or IPX/SPX. After the network connection from client to server is established, SMB commands can be sent to the server so that the client can open, read, and write files, and so on.
CIFS is being jointly developed by Microsoft and other vendors, but no published specification currently exists. UNIX and Linux clients can connect to SMB shares using smbclient from SAMBA or smbfs for Linux. Server implementations of SMB for non-Microsoft operating systems include SAMBA and LAN Manager for OS/2 and SCO.
Note
For more detailed information about SMB, see http://samba.anu.edu.au/cifs/docs/what-is-smb.html
Internet Printing Protocol
The Internet Printing Protocol (IPP) is related to SMB and CIFS. It provides the capability to perform various printing operations across the network (including an internetwork) using Hypertext Transfer Protocol (HTTP) version 1.1.
Note
There are a large number of Requests for Comments (RFCs) that define different specifications for IPP. For more information, see the IEEE’s Printer Working Group (PWG) Web site at www.pwg.org/ipp/
WinSock
WinSock is a Microsoft Windows Application Programming Interface (API) that provides a standard programming interface for accessing TCP/IP in Windows. Sockets were originally developed at the University of California at Berkeley, and Microsoft developed Winsock to work specifically in the Windows operating system environment.
Vendors who develop software that runs on Windows can use this API to access standard TCP/IP functionality. Many built-in Windows tools rely on WinSock, including Packet InterNet Groper (ping) and Trace Route (tracert). In addition, the FTP and DHCP servers and clients use WinSock, as does the Telnet client.
Telnet
Telnet is a terminal emulation protocol that allows you to log onto a remote computer. The remote computer must be using TCP/IP and have the Telnet Server service running. To connect to a remote host, you must start the Telnet client and must possess a username and password for the remote host computer. In Windows Server 2003, the Telnet Server service is present but must be started to service Telnet clients.
If you have never used the command prompt in Windows, here’s how: click Start | Run and type cmd in the dialog box (in Windows operating systems prior to Windows 98, the 16-bit command was command; in Windows 98 and beyond, the 32-bit command, cmd, is supported). This will open a command window. Type telnet at the prompt. Type help for a list of commands and quit to close Telnet. Use exit to close the command prompt window.
Exam warning
Remember that Telnet uses port 23 (both TCP and UDP) for communication; Secure Shell (SSH, which is essentially encrypted Telnet) runs on port 22 (also TCP and UDP). Telnet information is sent in plaintext, so it’s very easy to capture packets and read the contents, such as usernames and passwords.
DHCP
DHCP is used to automatically (or dynamically) assign IP addresses to host computers on a network running TCP/IP. Prior to DHCP, network administrators had to assign IP addresses to host computers manually. This was not only a time-consuming endeavor but also made it easy for errors (either in IP assignment or in entering the IP address) to creep in and cause network problems.
Why is DHCP so important? Because each host must have a unique IP address, and a problem occurs when two hosts have the same IP address. DHCP was devised as an efficient method to alleviate both the problems caused by errors and the time it took to assign addresses and resolve errors. It does this by maintaining a database of the assigned addresses, ensuring that there will never be duplicate addresses among the DHCP clients.
DHCP is implemented as both a Server and a Client service. The DHCP Server service is responsible for assigning the IP address to individual hosts and for maintaining the database of IP address information, including IP addresses that are assigned, IP addresses that are available, and other configuration information that can be conveyed to the client along with the IP address assignment. The DHCP Client service interacts with the Server service in requesting an IP address and in configuring other related information, including the subnet mask and default gateway (both are discussed in detail later in Chapter 7, “TCP/IP and Routing”).
SMTP
SMTP is used to transfer e-mail messages and attachments. SMTP is used to transmit e-mail messages between servers and from clients (such as Microsoft Outlook or Linux’s sendmail) to e-mail servers (such as Microsoft Exchange). However, most e-mail clients use other protocols, such as POP3 or IMAP4, to retrieve e-mail from the server. These two server applications (SMTP and POP or IMAP) may exist on the same physical server machine.
As with the other protocols and services discussed in this section, SMTP operates at the application layer and relies on the services of the underlying layers of the TCP/IP suite to provide the actual data transfer services.
Exam warning
Remember that SMTP uses port 25 for communication.
POP
POP is a widely used e-mail application protocol that can be used to retrieve e-mail from an e-mail server for the client application, such as Microsoft Outlook. The current version of POP is POP3.
POP servers set up mailboxes (actually directories or folders) for each e-mail account name. The server receives the mail for a domain and sorts it into these individual folders. Then a user uses a POP client program (such as Outlook or Eudora) to connect to the POP server and download all the mail in that user’s folder to the user’s computer. Usually, when the mail messages are transferred to the client machine, they are deleted from the server.
IMAP
IMAP, like POP, is used to retrieve e-mail from a server and creates a mailbox for each user account. It differs from POP in that the client program can access the mail and allow the user to read, reply to, and delete it while it is still on the server. Microsoft Exchange functions as an IMAP server. This is convenient for users because they never have to download the mail to their client computers (saving space on their hard disks), but especially because they can connect to the server and have all their mail available to them from any computer, anywhere.
When you use POP to retrieve your mail, old mail that you’ve already downloaded is on the computer you were using when you retrieved it, so if you’re using a different computer, you won’t be able to see it. IMAP is preferred for users who use different computers (for example, a home computer, an office computer, and a laptop) to access their e-mail at different times.
Exam warning
Remember that POP3 uses port 110 for communication.
Exam warning
Remember that IMAP4 uses Port 143 (both TCP and UDP) for communication.
HTTP
HTTP is the protocol used to transfer the files used on the Internet to display Web pages. When you type an Internet address (a URL) into your browser’s Address field, it uses HTTP to retrieve and display the files located at that address.
A URL typically contains a server name, a second-level domain name, and a top-level domain name, with the parts of the address separated by dots. Individual folder and file names may follow, separated by slashes. For example, www.syngress.com/index.htm indicates an HTML document (Web page) on a Web server named www in the syngress.com domain. The first part of the URL may also be entered as an IP address if it is known.
HTTP was defined and used as early as 1990. However, there were no published specifications for HTTP in the beginning, and different vendors modified HTTP as they saw fit. As the World Wide Web continued to evolve and grow to be the enormous resource that it is today, additional functionality was needed in HTTP. The first formal definition was labeled HTTP/1 and it was later replaced by HTTP/1.1.
NNTP
NNTP is similar to SMTP in that it allows servers and clients to exchange information. In this case, however, the information is exchanged in the form of news articles. This feature originally was implemented in the Internet’s predecessor network, ARPANet. Network bulletins were exchanged using this protocol. Today, there are thousands of newsgroups devoted to discussion of every topic imaginable. Usenet has grown into a huge network of news servers hosting newsgroups. Newsgroups differ from other forums such as Internet mailing lists (in which all messages posted come into your inbox if you’re a member) and Web discussion boards (which are accessed through the browser).
NNTP is now implemented as an application layer client/server protocol. The news server (for example, msnews.microsoft.com) manages news articles and news clients. A news client is an application that runs on a client computer and is used to both read and compose news articles. Outlook Express contains a newsreader component. For more information about Usenet newsgroups, see the Usenet FAQ and references at www.faqs.org/usenet/
Exam warning
Remember that NNTP uses port 119 for communication.
Exam warning
Remember that HTTP uses port 80 for communication. Do not confuse this with https://, which is Secure Sockets Layer (SSL) encrypted Web traffic running on port 443.
FTP
FTP is used to transfer files from one host to another, regardless of the hosts’ physical locations. It is one of the oldest application layer protocols and was used on ARPANet to transfer files from one mainframe to another. Still in use today, FTP is widely used on the Internet to transfer files. One of the problems with FTP is that it transmits users’ passwords in clear text, so it is not a secure protocol.
In contrast to the single connections used by NNTP, HTTP, and SMTP, two separate connections are established for an FTP session. One transmits commands and replies and the other transmits the actual data. The command and control information is sent, by default, via TCP port 21. The data, by default, are sent via TCP port 20.
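The two points made about FTP above, that the control connection on TCP port 21 carries the user’s password in clear text and that file data travels over a separate connection, can both be seen in a reconstructed control-channel dialogue. The following added example (not code from the original text) walks such a dialogue: it records the USER/PASS exchange and whether the server’s 230 reply confirmed the login, and decodes PORT commands, by which the client tells the server where to open the data connection (the PORT syntax is from RFC 959, not from the text). The session transcript is constructed.

```python
import re

# Constructed sample of an FTP control-channel dialogue on TCP port 21, as it
# might be rebuilt from a packet capture: ">" lines are the client, "<" the server.
SAMPLE_SESSION = """\
< 220 ftp.example.test FTP server ready
> USER alice
< 331 Password required for alice
> PASS hunter2
< 230 User alice logged in
> PORT 192,0,2,10,4,1
< 200 PORT command successful
> RETR report.txt
< 150 Opening BINARY mode data connection
< 226 Transfer complete
> QUIT
< 221 Goodbye
"""

# PORT h1,h2,h3,h4,p1,p2: four address octets, then the port as p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)


def analyze_ftp_session(text):
    """Walk a control-channel dialogue and report what a sniffer would see:
    the user name, whether a cleartext password crossed the wire, whether
    the login succeeded, and every data-connection endpoint announced."""
    result = {"user": None, "password_seen": False, "login_ok": False,
              "data_endpoints": []}
    for line in text.splitlines():
        direction, _, payload = line.partition(" ")
        if direction == ">":                       # client -> server command
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                result["user"] = arg
            elif verb == "PASS":
                # the password itself is in `arg`, readable by anyone on the path
                result["password_seen"] = True
            elif verb == "PORT":
                m = PORT_RE.match(payload)
                if m:
                    octets = m.groups()
                    ip = ".".join(octets[:4])
                    port = int(octets[4]) * 256 + int(octets[5])
                    result["data_endpoints"].append((ip, port))
        elif direction == "<":                     # server reply: 3-digit code
            if payload[:3] == "230":
                result["login_ok"] = True
    return result
```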
Configuring and Implementing…
FTP Ports
Understanding the configuration and implementation of FTP is important for a number of reasons. FTP ports 20 and 21 are used for FTP data and FTP control, respectively. It is possible to modify the ports used for data and control transmissions when developing or implementing an application. However, by default, a program interface that uses FTP listens at TCP port 21 for FTP traffic. Thus, if your application is sending TCP control information on a different port, the other application interface may not hear the FTP traffic.
TCP ports 20 and 21 are well-known port numbers, and hackers often try to exploit these ports. As a security measure, all servers that are not running the FTP Server service should have TCP ports 20 and 21 disabled. This prevents attackers from exploiting these ports to gain unauthorized access to the server and perhaps to the entire network. RFC 1579, “Firewall-Friendly FTP,” is definitely worth a read if you want more in-depth information on how FTP uses ports. This information is not related to the exam but may be interesting for you in the future in the security field: www.ietf.org/rfc/rfc1579.txt
DNS
DNS is used to resolve a hostname to an IP address to facilitate the delivery of network data packets. As mentioned previously, DNS is now the primary method used in Microsoft Windows Server 2003 to resolve hostnames to IP addresses. DNS is also the protocol used on the Internet to resolve hostnames (such as those in URLs) to IP addresses.
Prior to DNS, hostname-to-IP resolution was accomplished via a text file called hosts. In the days of ARPANet, this file was compiled and managed by the Network Information Center at the Stanford Research Institute. This plain text file contained the name and address of every single computer, but there were only a handful of computers on the network at the time. When a new computer was added or a computer changed its IP address, the file had to be edited manually and distributed to all the other computers. As computers and networks proliferated, another, more automated solution had to be devised, and the specifications for a distributed naming system, called the DNS, were developed.
DNS servers on the Internet store copies of the DNS database. Because of the explosive growth of the Internet in the past decade, DNS databases are specialized. For instance, a set of databases is responsible for top-level domain information only. Examples of top-level domains are .com, .gov, .edu, .net, .org, and so on. All requests for an address ending with .com will be forwarded to a particular set of DNS servers. These servers will query their databases to find the specific .com domain requested (for example, microsoft.com). DNS databases are replicated periodically to refresh the data.
Exam warning
Remember that DNS uses port 53 for communication.
Routing Information Protocol
As the name implies, the Routing Information Protocol (RIP) is used to exchange routing information among IP routers. RIP is a basic routing protocol designed for small- to medium-sized networks. It does not scale well to large IP-based networks (including the Internet). Windows Server 2003 computers can function as routers, and as such, they support RIP. Routing is covered in more depth in Chapter 7, where WAN standards and remote access are covered.
Network Time Protocol
Network Time Protocol (NTP) is a protocol that provides a very reliable way of transmitting and receiving an accurate time source over TCP/IP-based networks. NTP, defined in RFC 1305 (www.ietf.org/rfc/rfc1305.txt), is useful for synchronizing the internal clocks of computers to a common time source. Network operating systems such as NetWare and Windows rely on a time source to keep things running right. For system maintenance, troubleshooting of issues, and documentation, it is important that all systems be time-synchronized. In addition, for prosecution of security breaches or attacks, security logs need to be accurate, and so on. NTP, when used properly, can have a hierarchical disaster recovery system designed into it, with primary sources of time as well as secondary sources. Having the correct time on your system(s) is very important. Many problems can surface if networked machines are not time-synchronized.
Exam warning
Remember that NTP uses port 123 for communication. Do not confuse this with NNTP, which uses port 119.
SNMP
SNMP is used for communications between a network management console and the network’s devices, such as bridges, routers, and hubs. This protocol facilitates the sharing of network control information with the management console. SNMP uses a management system/agent framework to share relevant network management information. This information is stored in a Management Information Base (MIB) and contains a set of objects, each of which represents a particular type of network information such as an event, an error, or an active session. SNMP uses UDP datagrams to send messages between the management console and the agents.
Now we have covered the OSI model (as well as the DoD model) in depth. You should now have a good idea of its importance, and why it’s so important to know for the Network exam. This modular approach to network communications makes development less time-consuming and more consistent across vendors, networks, and systems. As a result, new application layer protocols are constantly being developed. This section is not meant to serve as an exhaustive look at the wide array of application protocols available today but to give you a better idea of the more common protocols and services that operate at this layer and provide an understanding of how the layered approach works.
We’ve reviewed the seven layers of the OSI model (starting from the lowest level: physical, data link, network, transport, session, presentation, and application) and the four layers of the DARPA (TCP/IP) model (Network Interface, Internet, Host-to-Host, and Application), and we’ve learned how these layers map to one another.
We’ve examined many of the common networking protocols that work at each layer and looked at the services and functions that each provides. In the next chapter, you’ll learn in depth about the IP protocol and how it is used to send data to the correct location, no matter where the destination host resides.
Summary of Exam Objectives
In this chapter, we covered the OSI model in depth. For those of you unfamiliar with network models, it should be clear now that working with them can bring many benefits, such as ease of development and troubleshooting. Networking models can be very helpful to you. In this chapter, we covered three of them in particular: the OSI model, the DoD model, and the Microsoft model, all of which are similar and share common core elements, but have differences as well.
From the DARPA experiment came the understanding that networking would become increasingly common, and increasingly complex. The OSI model was developed, based on the original DoD DARPA model, and approved by the OSI subcommittee of the ISO. The OSI model defined seven