Punit kumar

CHAPTER 1
Introduction to Networking
Introduction to Networking explains computer networking basics in terms that you can easily
understand, using concepts common to everyday, non-computing experience. A brief
introduction to networking history provides context, explaining how networks have become so
important to businesses and individuals. The course emphasizes networking fundamentals,
explaining the software and hardware that makes networking possible. The course stresses
understanding how and why networks work, rather than focusing on memorization of terms or
numbers.
1.1 What Is Network?
A network consists of two or more computers that are linked in order to share resources (such as
printers and CDs), exchange files, or allow electronic communications. The computers on a
network may be linked through cables, telephone lines, radio waves, satellites, or infrared light
beams.
1.2 Advantages of the networking
1. Easy Communication and Speed
It is very easy to communicate through a network. People can communicate efficiently using a
network with a group of people. They can enjoy the benefit of emails, instant messaging,
telephony, video conferencing, chat rooms, etc.
2. Ability to Share Files, Data and Information
This is one of the major advantages of networking computers. People can find and share
information and data because of networking. This is beneficial for large organizations to
maintain their data in an organized manner and facilitate access for desired people.
3. Sharing Hardware
Another important advantage of networking is the ability to share hardware. For an example, a
printer can be shared among the users in a network so that there’s no need to have individual
printers for each and every computer in the company. This will significantly reduce the cost of
purchasing hardware.
4. Sharing Software
Users can share software within the network easily. Networkable versions of software are
available at considerable savings compared to individually licensed version of the same software.
Therefore large companies can reduce the cost of buying software by networking their
computers.

5. Security
Sensitive files and programs on a network can be password protected. Then those files can only
be accessed by the authorized users. This is another important advantage of networking when
there are concerns about security issues. Also each and every user has their own set of privileges
to prevent them accessing restricted files and programs.
6. Speed
Sharing and transferring files within networks is very rapid, depending on the type of network.
This will save time while maintaining the integrity of files.
1.3 Disadvantagesofnetworking
1. Breakdowns and Possible Loss of Resources
One major disadvantage of networking is the breakdown of the whole network due to an issue of
the server. Such breakdowns are frequent in networks causing losses of thousands of dollars each
year. Therefore once established it is vital to maintain it properly to prevent such disastrous
breakdowns. The worst scenario is such breakdowns may lead to loss of important data of the
server.
2. Expensive to Build
Building a network is a serious business in many occasions, especially for large scale
organizations. Cables and other hardware are very pricey to buy and replace.
3. Security Threats
Security threats are always problems with large networks. There are hackers who are trying to
steal valuable data of large companies for their own benefit. So it is necessary to take utmost care
to facilitate the required security measures.
4. Bandwidth Issues
In a network there are users who consume a lot more bandwidth than others. Because of this
some other people may experience difficulties.
Although there are disadvantages to networking, it is a vital need in today’s environment. People
need to access the Internet, communicate and share information and they can’t live without that.
Therefore engineers need to find alternatives and improved technologies to overcome issues
associated with networking. Therefore we can say that computer networking is always beneficial
to have even if there are some drawbacks.

1.4 Different types of network
LAN(Local Area Networking)
Local Area Networking is used primarily in small areas such as schools, hospitals and office
buildings. Local Area Networking, is one of the older types of networks. TCP/IP is used as the
method of communication between computers in Local Area Networking. Due to its small size, it
is possible for one person to administrate a Local Area Network. Local Area Networks are viable
to quick change, using a bus network topology that allows for easy access to the Local Area
Network.
WLAN(Wireless LocalArea Networks)

Wireless Local Area Networks are much like LAN networks, except they do not require network
cables to connect each other. Radio and infrared signals are used to communicate between
machines whilst using a wireless local area network. Wireless Local Area Networks allow for
small amounts of mobility whilst being connected to the internet. Wireless Local Area Networks
work according to the IEEE 802.11 standards. Wireless Area Networks are commonly seen
being used by a WiFi internet connection. Wireless LAN connections offer a surprising amount
of mobility for users with laptops and smart phones while being able to stay connected to the
internet by different networking topology.
WAN(Wide Area Networks)
Wide Area Networks are used to connect server machines and computers across continents are
countries for constant information updates. Wide Area Networks, are used across the globe,
many networks connect with one another across continents to create one giant Wide Area
Network. Wide Area Networks use optic fibre as their communication medium. The largest
example of a Wide Area Network is the internet itself, which connects all users to the
information and data that is available on the the internet.
MAN(Metropolitan Area Networks)

Metropolitan Area Networks are not commonly used these days, they are used to create
communication between systems in an entire city. Hence a Metropolitan Area Network area falls
between the sizes Local Area Networks, and Wide Area Networks. Metropolitan Area Networks
are used by city specific businesses such as the New York Times in the state of New York.
1.5 Network Address
A network address is an identifier for a node or network interface of a telecommunications
network.Network addresses are often designed to be unique across the network, although some
networks allow for relative or local addresses that may not be unique.
More than one type of network address may be used in any one network.
In some cases terminal nodes may have more than one network address, for example, each link
interface may be uniquely identified. In addition, non terminal nodes are often one protocol's
network address can occur in any particular network interface or node.
1.6 Classes
Various classes are given below
I. Class A
II. Class B
III. Class C
IV. Class D
V. Class E
By viewing examples we know that where we use which class
i. Class A :- Network.Host.Host.Host.
ii. Class B :- Network.Network.Host.Host.
iii. Class C :- Network.Network.Network.Host.
iv. Class D :- Multicast.
v. Class E :- Research.
1.7 Subnetting
The Steps to identify the Network and Broadcast Address of a Subnet
Convert the IP Address and CIDR (or Netmask) to binary. In our lesson entitled Decimal and
Binary Conversion of IP Addresses we gave you the tools to convert any IP to Binary. If you
need additional help you can try our handy IP Conversion Calculators.
Use a Bitwise AND (IP & CIDR) Operator to return the corresponding values of the IP and
CIDR addresses. This gives you the Network Address (Network ID) A simple way to use the
Bitwise AND Operator in Binary is show in the following example:
IP Address: 192.168.1.15
CIDR: 24 (Netmask: 255.255.255.0)
Binary IP Address: 11000000.10101000.00000001.00001111
Binary CIDR: 11111111.11111111.11111111.00000000

Using the Bitwise AND (&) Operator, compare the Binary IP Address to the Binary CIDR
Address. The result will be the Network Address of the IP Address we are using:
Binary IP: 11000000.10101000.00000001.00001111
Binary CIDR: 11111111.11111111.11111111.00000000
Binary Network: 11000000.10101000.00000001.00000000
The resultant Network Address is 11000000.10101000.00000001.00000000. Converting this
back to the format of an IPv4 Address gives us 192.168.1.0. This is our Network Address.
Therefore, 192.168.1.15 belongs to the 192.168.1.0/24 network.
To get the Broadcast Address we need to do a Binary inversion of the CIDR or Netmask
Address.
The inversion of the CIDR Address of 11111111.11111111.11111111.00000000 becomes:
00000000.00000000.00000000.11111111.
Now we use the Bitwise OR Operator on the Binary Network Address and the inverted CIDR
Address to get the Broadcast address.
Binary Network Address: 11000000.10101000.00000001.00000000
Inverted Binary CIDR: 00000000.00000000.00000000.11111111
Binary Broadcast Address: 11000000.10101000.00000001.11111111
We now convert 11000000.10101000.00000001.11111111 to IPv4 Decimal octet:
192.168.1.255.
The Broadcast Address for the 192.168.1.0/24 Subnet is 192.168.1.255.
Now that you have your feet wet, let's try a few more.
Identify the Network and Broadcast Addresses for each of the following examples:
1. 10.10.1.97/23
2. 192.168.0.3/25
3. 172.16.5.34/26
4. 192.168.11.17/28
Example one: Convert 10.10.1.97/23 to Binary.
IP Address: 00001010.00001010.00000001.01100001
CIDR Address: 11111111.11111111.11111110.00000000
Use Bitwise AND Operator (IP & CIDR):

IP Address: 00001010.00001010.00000001.01100001
CIDR Address: 11111111.11111111.11111110.00000000
Network Address: 00001010.00001010.00000000.00000000
Network Address: 10.10.0.0
Binary Inversion of CIDR:
Binary CIDR: 11111111.11111111.11111110.00000000
Use Bitwise OR Operator to get the Broadcast Address:
Binary Network: 00001010.00001010.00000000.00000000
Binary Broadcast: 00001010.00001010.00000001.11111111
Broadcast Address: 10.10.1.255
IP Address 10.10.1.97/23 belongs to the 10.10.0.0/23 Network. The network Address is
10.10.0.0 and the Broadcast Address is 10.10.1.255.
Example two: Convert 192.168.0.3/25 to Binary.
IP Address: 11000000.10101000.00000000.00000011
CIDR Address: 11111111.11111111.11111111.10000000
IP: 11000000.10101000.00000000.00000011
CIDR: 11111111.11111111.11111111.10000000
Network:11000000.10101000.00000000.00000000
Binary CIDR: 11111111.11111111.11111111.10000000
Binary Network: 11000000.10101000.00000000.00000000

Example three: Convert 172.16.5.34/26 to Binary.
IP Address: 11000000.10101000.00000000.00000011
CIDR Address: 11111111.11111111.11111111.10000000
IP: 10101100.00010000.00000101.00100010
CIDR: 11111111.11111111.11111111.11000000
Network:10101100.00010000.00000101.00000000
Binary CIDR: 11111111.11111111.11111111.11000000
Binary Network: 10101100.00010000.00000101.00000000
Example four: Convert 192.168.11.17/28 to Binary.
IP Address: 11000000.10101000.00001011.00010001
CIDR Address: 11111111.11111111.11111111.11110000

IP: 11000000.10101000.00001011.00010001
CIDR: 11111111.11111111.11111111.11110000
Network:11000000.10101000.00001011.00010000
Binary CIDR: 11111111.11111111.11111111.11110000
Binary Network: 11000000.10101000.00001011.00010000
1.8 HierarchicalIP Addressing Scheme
With more than four billion potential 32-bit IP addresses, Internet routers could not feasibly
maintain table entries for each one. Even a single byte per address would consume 4GB. Yet
paradoxically, routers must be capable of delivering data to any of those addresses. Their routing
tables must, at the least, be able to indicate the next step in the delivery process for each address.
The solution to this dilemma is to design the tables so that one entry can match multiple
addresses. The most common way to achieve this is to assign addresses in a hierarchical fashion,
so that addresses physically close together share a common address prefix.
Hierarchical addressing schemes are not unique to Internet IP addresses. Both the telephone
company and the postal service use hierachical schemes to manage large numbers of addresses.
A telephone switch in California isn't configured with the location of every telephone in
Virginia. Instead, the switch in California knows only that all telephone numbers beginning with
area code 703 should be sent to Virginia. The Virginia switches know that numbers beginning
with 703 555 all originate from a given switch. That particular telephone switch is configured
with the precise line to use for 703 555-1212.

Likewise, a postman in Los Angeles doesn't need to know the location of every zip code in the
country. Any zip code beginning with 2 is somewhere on the other side of the country. The L.A.
postman only needs to know the exact locations of zip codes beginning with 902 - his particular
postal region.
What is unique about IP addresses is their use of a binary, rather than a decimal hierarchy. This
should not come as much of a surprise, but reemphasizes the need for a good grasp of binary
numbering
Like zip codes and telephone numbers, IP addresses are assigned in a hierarchical fashion.
Unlike zip codes and telephone numbers, IP addresses are designed to be interpreted by
computers, which operate on a binary numbering system, so IP addresses are organized into a
binary hierarchy.
Therefore, to understand IP addressing, it is necessary to convert IP addresses into binary, as in
this example with the address 128.8.74.1. Each of the four components in the dotted decimal IP
address is converted into eight binary bits.
The first sixteen bits, corresponding to the 128.8 portion of the address, are a unique prefix
identifying the University of Maryland. A router outside of the University would require only a
single routing table entry, indicating that any address beginning with the sixteen bits 10000000
00001000 (in decimal, 128.8) should be sent towards UMD.
Having reached the University of Maryland, a further routing decision must be made, using some
or all of the remaining bits. In this case, a routing table entry matches the first twenty four
bits 10000000 00001000 01001010 (128.8.74 decimal) and directs the packet towards
Worchester Hall.
The router at Worchester Hall discovers that one of its Ethernet interfaces (for example), is
configured to match the twenty four bit prefix 10000000 00001000 01001010. At this point, the
layer three routing process is complete, since the packet is now in the hands of a router with an
interface configured to match the destination address. The final destination should be directly
reachable via that interface, so the router relies on a layer two protocol such as ARP to resolve
the IP address into an Ethernet address and complete delivery.
IP address prefixes are patterns which match the first n binary bits of an IP address.
The standard syntax is to write the prefix bits that must match in dotted-quad format, followed
by a slash and then the number of bits in the prefix. Any trailing bits, not part of the prefix, are
written as zero. If an entire trailing byte is zero, it can be written explicitly, as in 128.8.0.0/16,
or omitted, as in 128.8/16. Since only the first sixteen bits are significant (in this example), it
would be meaningless to specify the remaining sixteen bits, so there's no ambiguity in omitting
them.
 128.8/16 means to match 10000000 00001000 as the first sixteen bits, and would
match 128.8.74.1, 128.8.8.8, and 128.8.0.0, but not 128.9.7.3

 10/10 means to match 00001010 00 as the first ten bits, and would
match 10.41.173.13, 10.10.10.10 and 10.13.94.1, but not 10.128.7.1 (pay attention
to the second number).
 208.130.28/24 means to match 11010000 10000010 00011100 as the first twenty four
bits, and would match 208.130.28.1, 208.130.28.255, and everything in between.
1.9 Types of IP Address
An Internet Protocol address (also known as an IP address) is a numerical label assigned to each
device (e.g., computer, printer) participating in a computer network that uses the Internet
Protocol for communication. An IP address serves two principal functions: host or network
interface identification and location addressing. Its role has been characterized as follows:
"A name indicates what we seek. An address indicates where it is. A route indicates how to get
there.
1.10 The ISO/OSIReference Model
The Open Systems Interconnection model (OSI) is a conceptual model that characterizes and
standardizes the internal functions of a communication system by partitioning it into abstraction
layers. The model is a product of the Open Systems Interconnectionproject at the International
Organization for Standardization (ISO), maintained by the identification ISO/IEC 7498-1.

The model groups communication functions into seven logical layers. A layer serves the layer
above it and is served by the layer below it. For example, a layer that provides error-free
communications across a network provides the path needed by applications above it, while it
calls the next lower layer to send and receive packets that make up the contents of that path. Two
instances at one layer are connected by a horizontal connection on that layer.
Physical (Layer 1)
the hardware means of sending and receiving data on a carrier, including defining cables, cards
and physical aspects. Fast Ethernet, RS232, and ATM are protocols with physical layer
components. This layer conveys the bit stream - electrical impulse, light or radio signal --
through the network at the electrical and mechanical level.
Data Link (Layer 2)
At this layer, data packets are encoded and decoded into bits. It furnishes transmission
protocol knowledge and management and handles errors in the physical layer, flow control and frame
synchronization. The data link layer is divided into two sub layers: The Media Access Control (MAC)
layer and the Logical Link Control (LLC) layer. The MAC sub layer controls how a computer on the
network gains access to the data and permission to transmit it. The LLC layer controls
frame synchronization, flow control and error checking.
Network (Layer 3)
This layer provides switching and routing technologies, creating logical paths, known as virtual
circuits, for transmitting data from node to node. Routing and forwarding are functions of this

layer, as well as addressing,internetworking, error handling, congestion control and packet
sequencing.
Transport (Layer 4)
This layer provides transparent transfer of data between end systems, or hosts, and is responsible
for end-to-end error recovery and flow control. It ensures complete data transfer.
Session(Layer5)
This layer establishes, manages and terminates connections between applications. The session
layer sets up, coordinates, and terminates conversations, exchanges, and dialogues between the
applications at each end. It deals with session and connection coordination.
Presentation(Layer 6)
This layer provides independence from differences in data representation (e.g., encryption) by
translating from application to network format, and vice versa. The presentation layer works to
transform data into the form that the application layer can accept. This layer formats and
encrypts data to be sent across a network, providing freedom from compatibility problems. It is
sometimes called the syntax layer.
Application (Layer 7)
This layer supports application and end-user processes. Communication partners are identified,
quality of service is identified, user authentication and privacy are considered, and any
constraints on data syntax are identified. Everything at this layer is application-specific. This
layer provides application services for file transfers, e-mail, and
other network software services. Telnet and FTP are applications that exist entirely in the
application level. Tiered application architectures are part of this layer.
1.11 The Internet
The Internet is a global system of interconnected computer networks that use the
standard Internet protocol suite (TCP/IP) to link several billion devices worldwide. It is
a network of networks that consists of millions of private, public, academic, business, and
government networks, of local to global scope, that are linked by a broad array of electronic,
wireless, and optical networking technologies. The Internet carries an extensive range of
information resources and services, such as the inter-linked hypertextdocuments
and applications of the World Wide Web (WWW), the infrastructure to support email, and peer-
to-peer networks for file sharing and telephony.

Protocols
The standards for the architectural design of the Internet systems are produced by the Internet
Engineering Task Force(IETF).[53] The IETF conducts work groups, open to any individual,
about the various aspects of Internet architecture. Resulting discussions and standards are
published in a series of publications, each called a Request for Comments (RFC), freely available
on the IETF web site.
The principal methods of networking that enable the Internet are contained in specially
designated RFCs that constitute theInternet Standards. Other less rigorous documents are simply
informative, experimental, or historical, or document the best current practices (BCP) when
implementing Internet technologies.
The Internet standards describe a framework known as the Internet protocol suite. This is a
model architecture that divides methods into a layered system of protocols, originally
documented in RFC 1122 and RFC 1123. The layers correspond to the environment or scope in
which their services operate. At the top is the application layer, the space for the application-
specific networking methods used in software applications. For example, a web browser program
uses the client-serverapplication model and a specific protocol of interaction between servers and
clients, while many file-sharing systems use apeer-to-peer paradigm. Below this top layer,
the transport layer connects applications on different hosts with a logical channel through the
network with appropriate data exchange methods.
1.12 Network design
Network planning process involves three main steps:
Topological design: This stage involves determining where to place the components and how to
connect them. The (topological) optimisation methods that can be used in this stage come from
an area of mathematics called Graph Theory. These methods involve determining the costs of
transmission and the cost of switching, and thereby determining the optimum connection
matrix and location of switches and concentrators.

Network-synthesis: This stage involves determining the size of the components used, subject
to performance criteria such as the Grade of Service (GOS). The method used is known as
"Nonlinear Optimisation", and involves determining the topology, required GoS, cost of
transmission, etc., and using this information to calculate a routing plan, and the size of the
components.
Network realization: This stage involves determining how to meet capacity requirements, and
ensure reliability within the network. The method used is known as "Multicommodity Flow
Optimisation", and involves determining all information relating to demand, costs and reliability,
and then using this information to calculate an actual physical circuit plan.
1.13 Some used equipment in networking
Ethernet cables
An Ethernet cable is one of the most popular forms of network cable used on wired networks.
Ethernet cables connect devices on local area networks such as PCs, routers and switches
Types of Ethernet Cables
Ethernet cables normally support one or more industry standards including Category 5
(CAT5) and Category 6 (CAT6)
A crossover cable is a special type of Ethernet cable specially designed for connecting two
computers to each other. By contrast, most Ethenet cables are designed to connect one computer
to a router or switch.
Ethernet cables are physically manufactured in two basic forms called solid and stranded. Solid
Ethernet cables tend to offer better performance and protection against electrical interference,
while stranded cables are less prone to physical cracks and breaks making them more suitable for
travelers and portable devices

Limitations of Ethernet Cables
A single Ethernet cable, like an electric power cord, can extend only limited distances due to
their electrical transmission characteristics.
Alternatives to Ethernet Cables for Computer Networking
Wireless technologies like Wi-Fi and Bluetooth have replaced Ethernet on many home and
business networks.
Hub
An Ethernet hub, active hub, network hub, repeater hub, multiport repeater or hub is a device for
connecting multipleEthernet devices together and making them act as a single network segment.
It has multiple input/output (I/O) ports, in which asignal introduced at the input of
any port appears at the output of every port except the original incoming.[1] A hub works at
the physical layer (layer 1) of the OSI model.[2] Repeater hubs also participate in collision
detection, forwarding a jam signal to all ports if it detects a collision.
Some hubs may also come with a BNC and/or Attachment Unit Interface (AUI) connector to
allow connection to legacy10BASE2 or 10BASE5 network segments. The availability of low-
priced network switches has largely rendered hubs obsolete but they are still seen in 20th century
installations and more specialized applications.
Ethernet extender
An Ethernet extender (also network extender or LAN extender) is any device used to extend
an Ethernet or network segment beyond its inherent distance limitation which is approximately

100 metres (330 ft) for most common forms of twisted pair Ethernet. These devices employ a
variety of transmission technologies and physical media (wireless, copper wire, fiber-optic cable,
coaxial cable).
The extender forwards traffic between LANs transparent to higher network-layer protocols over
distances that far exceed the limitations of standard Ethernet.
Switch
A network switch (sometimes known as a switching hub) is a computer networking device that is
used to connect devices together on acomputer network by performing a form of packet
switching. A switch is considered more advanced than a hub because a switch would only send a
message to the device that needs or requests it, rather than broadcasting the same message out of
each of its ports.
A switch is a multi-port network bridge that processes and forwards data at the data link
layer (layer 2) of the OSI model. Some switches have additional features, including the ability
to route packets. These switches are commonly known as layer-3 or multilayer
switches.Switches exist for various types of networks including Fibre Channel, Asynchronous
Transfer Mode, InfiniBand, Ethernet and others. The first Ethernet switch was introduced
by Kalpana in 1990.
Router
A router is a device that forwards data packets between computer networks. This creates an
overlay internetwork, as a router is connected to two or more data lines from different networks.
When a data packet comes in one of the lines, the router reads the address information in the
packet to determine its ultimate destination. Then, using information in its routing

table or routing policy, it directs the packet to the next network on its journey. Routers perform
the "traffic directing" functions on the Internet. A data packet is typically forwarded from one
router to another through the networks that constitute the internetwork until it reaches its
destination node.
The most familiar type of routers are home and small office routers that simply pass data, such as
web pages, email, IM, and videos between the home computers and the Internet. An example of
a router would be the owner's cable or DSL router, which connects to the Internet through
an ISP. More sophisticated routers, such as enterprise routers, connect large business or ISP
networks up to the powerfulcore routers that forward data at high speed along the optical
fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices,
use of software-based routers has grown increasingly common
Chapter 2
Network Security & Security Devices
Network security consists of the provisions and policies adopted by a network administrator to
prevent and monitor unauthorizedaccess, misuse, modification, or denial of a computer
network and network-accessible resources. Network security involves the authorization of access
to data in a network, which is controlled by the network administrator. Users choose or are
assigned an ID and password or other authenticating information that allows them access to
information and programs within their authority. Network security covers a variety of computer
networks, both public and private, that are used in everyday jobs conducting transactions and
communications among businesses, government agencies and individuals. Networks can be
private, such as within a company, and others which might be open to public access. Network
security is involved in organizations, enterprises, and other types of institutions. It does as its title
explains: It secures the network, as well as protecting and overseeing operations being done. The
most common and simple way of protecting a network resource is by assigning it a unique name
and a corresponding password

2.1 Types and sources of network threat
There are at least seven types of network attacks.
1. Spoofing.
2. Sniffing.
3. Mapping.
4. Hijacking.
5. Trojans.
6. DoS and DDoS.
7. Social engineering.
1. Spoofing (Identity spoofing or IP Address Spoofing)
Any internet connected device necessarily sends IP datagrams into the network. Such
internet data packets carry the sender's IP address as well as application-layer data. If the
attacker obtains control over the software software running on a network device, they can
then easily modify the device's protocols to place an arbitrary IP address into the data
packet's source address field. This is known as IP spoofing, which makes any payload appear
to come from any source. With a spoofed source IP address on a datagram, it is difficult to
find the host that actually sent the datagram
2. Sniffing

. Packet sniffing is the interception of data packets traversing a network. A sniffer program
works at the Ethernet layer in combination with network interface cards (NIC) to capture all
traffic traveling to and from internet host site. Further, if any of the Ethernet NIC cards are in
promiscuous mode, the sniffer program will pick up all communication packets floating by
anywhere near the internet host site. A sniffer placed on any backbone device, inter-network link
or network aggregation point will therefore be able to monitor a whole lot of traffic. Most of
packet sniffers are passive and they listen all data link layer frames passing by the device's
network interface. There are dozens of freely available packet sniffer programs on the internet.
The more sophisticated ones allow more active intrusion.
The key to detecting packet sniffing is to detect network interfaces that are running in
promiscuous mode. Sniffing can be detected two ways:
Host-based : Software commands exist that can be run on individual host machines to tell if the
NIC is running in promiscuous mode.
Network-based : Solutions tend to check for the presence of running processes and log files,
which sniffer programs consume a lot of. However, sophisticated intruders almost always hide
their tracks by disguising the process and cleaning up the log files.
The best countermeasure against sniffing is end-to-end or user-to-user encryption.
3. Mapping (Eavesdropping)

Before attacking a network, attackers would like to know the IP address of machines on the
network, the operating systems they use, and the services that they offer. With this information,
their attacks can be more focused and are less likely to cause alarm. The process of gathering this
information is known as mapping.
In general, the majority of network communications occur in an unsecured or "clear text" format,
which allows an attacker who has gained access to data paths in your network to "listen in" or
interpret the traffic. When an attacker is eavesdropping on your communications, it is referred to
as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the
biggest security problem that administrators face in an enterprise.
4. Hijacking (man-in-the-middle attack)
This is a technique that takes advantage of a weakness in the TCP/IP protocol stack, and the way
headers are constructed. Hijacking occurs when someone between you and the person with
whom you are communicating is actively monitoring, capturing, and controlling your

communication transparently. For example, the attacker can re-route a data exchange. When
computers are communicating at low levels of the network layer, the computers might not be
able to determine with whom they are exchanging data.
Man-in-middle attacks are like someone assuming your identity in order to read your message.
The person on the other end might believe it is you, because the attacker might be actively
replying as you, to keep the exchange going and gain more information.
5. Trojans
These are programs that look like ordinary software, but actually perform unintended or
malicious actions behind the scenes when launched. Most remote control spyware programs are
of this type. The number of trojan techniques are only limited by the attacker's imagination. A
torjanizes file will look, operate, and appear to be the same size as the compromised system file.
The only protection is early use of a cryptographic checksum or binary digital
signature procedure
6. Denial-of-Service attack(DoS)and Distributed-Denial-of-Service
(DDoS)
A denial of service attack is a special kind of Internet attack aimed at large websites. It is a type
of attack on a network that is designed to bring the network to its knees by flooding it with
useless traffic. Denial of Service can result when a system, such as a Web server, has been

flooded with illegitimate requests, thus making it impossible to respond to real requests or taks.
Yahoo! and e-bay were both victims of such attacks in February 2000.
A Dos attack can be perpetrated in a number of ways. There are three basic types of attack.
 Consumption of computational resources, such as band width, disk space or CPU time.
 Disruption of configuration information, such as routing information.
 Disruption of physical network components.
The consequences of a DoS attack are the following:
 Unusually slow network performance.
 Unavailability of a particular web site.
 Inability to access any web site.
 Dramatic increase in the amount of spam you receive in your account.
Common forms of denial of service attacksare,
a) Buffer Overflow Attacks
The most common kind of DoS attack is simply to send more traffic to a network address than
the programmer's expectation on size of buffers. A few of the better known attacks based on the
buffer characteristics of a program or system include:
 Sending e-mail messages that have attachments with 256 character file names to Netscape
and Microsoft mail programs.

 Sending over sized Internet Control Message Protocol (ICMP) packets.
b) Smurf Attack
In this attack, the perpetrator sends an IP ping request to a receiving site. The ping packet
specifies that, it is broadcast to a number of hosts within the receiving site's local network. The
packet also indicates that the request is from another site, which is the target site that is to receive
the denial of service attack. The result will be lots of ping replies flooding back to the innocent,
spoofed host. If the flood is great enough, the spoofed host will no longer be able to receive or
distinguish real traffic
c) SYN floods
When a computer wants to make a TCP/IP connection to another computer, usually a server, an
exchange of TCP/SYN and TCP/ACK packets of information occur. The computer requesting
the connection, usually the client's or user's computer, sends a TCP/SYN packet which asks the
server if it can connect. If the server is ready, it sends a TCP/SYN-ACK packet back to the client
to say "Yes, you may connect" and reserves a space for the connection, waiting for the client to
respond with a TCP/ACK packet. In a SYN flood, the address of the client is often forged so that
when the server sends a TCP/SYN-ACK packet back to the client, the message is never received

from client because the client either doesn't exist or wasn't expecting the packet and subsequently
ignores it. This leaves the server with a dead connection, reserved for a client that will never
respond. Usually this is done to one server many times in order to reserve all the connections for
unresolved clients, which keeps legitimate clients from making connections
Distributed Denial-of-Service attacks (DDoS)
A distributed denial of service attack (DDoS) occurs when multiple compromised sysrems or
multiple attackers flood the band width or resources of a targeted system with useless traffic.
These systems are compromised by attackers using a variety of methods.
In DDoS attacks, the attacker first gains access to user accounts on numerous hosts across the
Internet. The attacker then installs and runs a slave program at each compromised site that
quietly waits for commands from a master programs running, the master program then contacts
the slave programs, instructing each of them to launch a denial-of-service attack directed at the
same target host. The resulting coordinated attack is particularly devastating, since it comes from
so many attacking hosts at the same time.
7. SocialEngineering

Social engineering is the use of persuasion or deception to gain access to information systems.
The medium is usually a telephone or e-mail message. The attacker usually pretends to be a
director or manager in the company traveling on business with a deadline to get some important
data left on their network drive. They pressure the help desk to give them the toll-free number of
the RAS server to dial and some times get their password reset. The main purpose behind social
engineering is to place the human element in the network-breaching loop and use it as a weapon.
The human element has been referred to as the weakest link in network security.
Examples of social engineering.
1. Faked Email : The social engineer sends a message to one or more users in a domain that
"this is the system administrator and your password must be reset to user 123 " for a
temporary period of time. The hacker then continuously monitors for the change and then
exploits the whole system.
2. Fictitious Competition : The social engineer manipulates a group of users to participate in
some fake competition for a jackpot prize, with the ultimate purpose of eventually
extracting confidential information about network and password security.
3. The Helpful Help Desk : The help desk gets a call from the social engineer impersonating a
user reporting a forgotten password. In many cases the help desk will change the user's
password over the phone. The hacker now has a legitimate user name and password to work
with.
2.2 Firewall

In computing, a firewall is a software or hardware-based network security system that controls the
incoming and outgoing network traffic based on applied rule set. A firewall establishes a barrier
between a trusted, secure internal network and another network (e.g., the Internet) that is not
assumed to be secure and trusted.[1]
Many personal computer operating systems include software-based firewalls to protect against
threats from the public Internet. Many routers that pass data between networks contain firewall
components and, conversely, many firewalls can perform basic routing functions.
2.3 Virtual Private Network

A virtual private network (VPN) extends a private network across a public network, such as
the Internet. It enables a computer to send and receive data across shared or public networks as if it
is directly connected to the private network, while benefiting from the functionality, security and
management policies of the private network.[1] A VPN is created by establishing a virtual point-to-
point connection through the use of dedicated connections, virtual tunneling protocols, or traffic
encryptions.
A virtual private network connection across the Internet is similar to a wide area network (WAN) link
between sites. From a user perspective, the extended network resources are accessed in the same
way as resources available within the private network.[2]
VPNs allow employees to securely access their company's intranet while traveling outside the office.
Similarly, VPNs securely connect geographically disparate offices of an organization, creating one
cohesive network. VPN technology is also used by Internet users to connect to proxy servers for the
purpose of protecting personal identity and location.
3.4 Network Address Translation

Network address translation (NAT) is a methodology of modifying network address information
in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing
device for the purpose of remapping one IP address space into another.
Network address translation was originally used to map every address of one address space to a
corresponding address in another space, such as when an enterprise changed Internet service
providers without having a facility to announce a public route to the network. Most often today,
NAT is used in conjunction with IP masquerading which is a technique that hides an entire IP
address space, usually consisting of private network IP addresses (RFC 1918), behind a single IP
address in another, usually public address space. This mechanism is implemented in a routing
device that uses stateful translation tables to map the "hidden" addresses into a single IP address
and readdresses the outgoing Internet Protocol packets on exit so they appear to originate from
the routing device. In the reverse communications path, responses are mapped back to the
originating IP addresses using the rules ("state") stored in the translation tables. The translation
table rules established in this fashion are flushed after a short period unless new traffic refreshes
their state.
The method enables communication through the router only when the conversation originates in
the masqueraded network, since this establishes the translation tables. For example, a web
browser in the masqueraded network can browse a website outside, but a web browser outside
could not browse a web site hosted within the masqueraded network. However, most NAT
devices today allow the network administrator to configure translation table entries for
permanent use. This feature is often referred to as "static NAT" or port forwarding and allows
traffic originating in the "outside" network to reach designated hosts in the masqueraded
network.
Because of the popularity of this technique to conserve IPv4 address space, the term NAT has
become virtually synonymous with the method of IP masquerading.
As network address translation modifies the IP address information in packets, it has serious
consequences on the quality of Internet connectivity and requires careful attention to the details
of its implementation. NAT implementations vary widely in their specific behavior in various
addressing cases and their effect on network traffic. The specifics of NAT behavior is not
commonly documented by vendors of equipment containing implementations.
Chapter 3
Intusion Detection System(IDS) & Intusion prevention System(IPS)
Used in computer security, intrusion detection refers to the process of monitoring computer and
network activities and analyzing those events to look for signs of intrusion in your system. The

point of looking for unauthorized intrusions is to alert IT professionals and system administrators
within your organization to potential system or network security threats and weaknesses.
IDS — A Passive SecuritySolution
An intrusion detection system (IDS) is designed to monitor all inbound and outbound network
activity and identify any suspicious patterns that may indicate a network or system attack from
someone attempting to break into or compromise a system. IDS is considered to be a passive-
monitoring system, since the main function of an IDS product is to warn you of suspicious
activity taking place − not prevent them. An IDS essentially reviews your
network traffic and data and will identify probes, attacks, exploits and other vulnerabilities. IDSs
can respond to the suspicious event in one of several ways, which includes displaying an
alert,logging the event or even paging an administrator. In some cases the IDS may be prompted
to reconfigure the network to reduce the effects of the suspicious intrusion.
An IDS specifically looks for suspicious activity and events that might be the result of
a virus, worm or hacker. This is done by looking for known intrusion signatures or attack
signatures that characterize different worms or viruses and by tracking general variances which
differ from regular system activity. The IDS is able to provide notification of only known
attacks.
The term IDS actually covers a large variety of products, for which all produce the end result of
detecting intrusions. An IDS solution can come in the form of cheaper shareware or freely
distributedopen source programs, to a much more expensive and secure
vendor software solution. Additionally, some IDSs consist of both software applications
and hardware appliances and sensor devices which are installed at different points along your
network.
There are several ways to categorize an IDS system:
Misuse Detectionvs. Anomaly Detection
In misuse detection, the IDS analyzes the information it gathers and compares it to
large databases of attack signatures. Essentially, the IDS looks for a specific attack that has
already been documented. Like a virus detection system, detection software is only as good as
the database of intrusion signatures that it uses to compare packets against. In anomaly detection,
the system administrator defines the baseline, or normal, state of the network's traffic load,
breakdown, protocol, and typical packet size. The anomaly detector monitors network segments
to compare their state to the normal baseline and look for anomalies.
Passive Vs. Reactive Systems
In a passive system, the IDS detects a potential security breach, logs the information and signals
an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or
by reprogramming the firewall to block network traffic from the suspected malicious source.
Network-basedvs. Host-basedIDS

Intrusion detection systems are network or host based solutions. Network-based IDS systems
(NIDS) are often standalone hardware appliances that include network intrusion detection
capabilities. It will usually consist of hardware sensors located at various points along the
network or software that is installed to system computers connected to your network, which
analyzes data packets entering and leaving the network. Host-based IDS systems (HIDS) do not
offer true real-time detection, but if configured correctly are close to true real-time.
Host-based IDS systems consist of software agents installed on individual computers within the
system. HIDS analyze the traffic to and from the specific computer on which the intrusion
detection software is installed on. HIDS systems often provide features you can't get with a
network-based IDS. For example, HIDS are able to monitor activities that only
an administrator should be able to implement. It is also able to monitor changes to key
system files and any attempt to overwrite these files. Attempts to
install Trojans or backdoors can also be monitored by a HIDS and stopped. These specific
intrusion events are not always seen by a NIDS.
While it depends on the size of your network and the number of individual computers which
require intrusion detection system, NIDS are usually a cheaper solution to implement and it
requires less administration and training − but it is not as versatile as a HID. Both systems will
require Internet access (bandwidth) to ensure they system is kept up-to-date with the latest virus
and worm signatures.
Is IDS the Same as Firewall?
The quick answer is no. Unfortunately, IDS is commonly mistaken for a firewall or as a
substitute for a firewall. While they both relate to network security, an IDS differs from a
firewall in that a firewall looks out for intrusions in order to stop them from happening. The
firewall limits the access between networks in order to prevent intrusion and does not signal an
attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place
and signals an alarm. An IDS also watches for attacks that originate from within a system. The
network-based intrusion protection system can also detect malicious packets that are designed to
be overlooked by a firewall's simplistic filtering rules.
An IDS is not a replacement for either a firewall or a good antivirus program. An IDS should be
considered a tool to use in conjunction with your standard security products (like anti-virus and a
firewall) to increase your system specific or network-wide security.
IPS — An Active Security Solution
IPS or intrusion prevention system, is definitely the next level of security technology with its
capability to provide security at all system levels from the operating system kernel to network
data packets. It provides policies and rules for network traffic along with an IDS for alerting
system or network administrators to suspicious traffic, but allows the administrator to provide the
action upon being alerted. Where IDS informs of a potential attack, an IPS makes attempts to
stop it. Another huge leap over IDS, is that IPS has the capability of being able to prevent known
intrusion signatures, but also some unknown attacks due to its database of generic attack

behaviors. Thought of as a combination of IDS and an application layer firewall for protection,
IPS is generally considered to be the "next generation" of IDS.
Currently, there are two types of IPSs that are similar in nature to IDS. They consist of host-
based intrusion prevention systems (HIPS) products and network-based intrusion prevention
systems (NIPS).
Network-basedvs. Host-basedIPS
Host-based intrusion prevention systems are used to protect
both servers and workstations through software that runs between your system's applications and
OS kernel. The software is preconfigured to determine the protection rules based on intrusion
and attack signatures. The HIPS will catch suspicious activity on the system and then, depending
on the predefined rules, it will either block or allow the event to happen. HIPS monitors activities
such as application or data requests, network connection attempts, and read or write attempts to
name a few.
Network-based intrusion prevention systems (often called inline prevention systems) is a
solution for network-based security. NIPS will intercept all network traffic and monitor it for
suspicious activity and events, either blocking the requests or passing it along should it be
deemed legitimate traffic. Network-based IPSs works in several ways. Usually package- or
software-specific features determine how a specific NIPS solution works, but generally you can
expect it to scan for intrusion signatures, search for protocol anomalies, detect commands not
normally executed on the network and more.
One interesting aspect of NIPS is that if the system finds an offending packet of information it
can rewrite the packet so the hack attempt will fail, but it means the organization can mark this
event to gather evidence against the would be intruder, without the intruder's knowledge. As
with all technology, NIPS is not perfect. In some instances you may end up blocking a legitimate
network request.
While host-based IPSs are considered to be more secure than network-based intrusion prevention
systems, the cost to install the software to each and every server and workstation within your
organization may be quite costly. Additionally, the HIPS on each system must be frequently
updated to ensure the attack signatures are up-to-date.
Problems associated with implementing NIPS exist as well. We already mentioned the
possibility of blocking legitimate traffic, and you also have to take network performance into
consideration. Since all data moving through the network will pass through the IPS it could cause
your network performance to drop. To combat this problem, network-based IPSs that consist of
appliance or hardware and software packages are available today (at a larger cost), but it will
take most of the load from running a software-based NIPS off your network.
IDS vs. IPS
While many in the security industry believe IPS is the way of the future and that IPS will take
over IDS, it is somewhat of an apples and oranges comparison. The two solutions are different in
that one is a passive detection monitoring system and the other is an active prevention system.
The age-old debate of why you want to would be passive when you could be active comes into
play. You can also evaluate the implementation of a more mature IDS technology, versus the
younger, less established IPS solutions. The drawbacks mentioned regarding IDS can largely be
overcome with proper training, management, and implementation. Plus, overall an IDS solution

will be cheaper to implement. Many, however, look at the added benefits of the intuitive IPS
systems and believing that IPS is the next generation of IDS choose to use the newer IPSs as
opposed to the IDSs. Adding to the muddle, of course, will be your initial decision of choosing
host-based or network-based systems for either IDS or IPS security solutions.
Much like choosing between standard security devices like routers and firewalls, it is important
to remember that no single security device will stop all attacks all the time. IPS and IDS work
best when integrated with additional and existing security solutions.
Chapter 4
Analysis and Discussion
The market for Intrusion Detection System/Intrusion Prevention System (IDS/IPS) comprises of
both Intrusion Prevention and Intrusion Detection System. Intrusion Prevention Systems are the
advancement of IDS and has expanded the total IDPS market. The market is divided into three
submarkets, which include Network based, Host based, and Wireless technologies.
Network based IDS/IPS: these systems are standalone hardware appliances having intrusion
detection capabilities.

Host based IDS/IPS: these are the software agents installed on individual computers having
Intrusion detection capabilities.
Wireless: these network devices monitor the radio spectrum for the presence of unauthorized
access points.
Out of these three; Host based IDS/IPS is gaining traction very fast. The Intrusion Detection
System/Intrusion Prevention System market is build upon three components, hardware, software
and services; the hardware market includes both physical and virtual appliances. These solutions
can be deployed either through cloud or on-premise deployment.
Moreover, the global Intrusion Detection System market has also been classified on the basis of
industry verticals and regions. Based on the industry verticals the Intrusion Prevention system
market is segmented into Aerospace, defense and intelligence, Government and public utilities,
BFSI, IT and Telecommunication, Healthcare and Life sciences; Retail, and Transportation.
Based on the regions the global Intrusion Detection System/Intrusion Prevention System security
market has been segmented into five regions namely North America, Europe, MEA, APAC and
Latin America. At present in 2014 North America is the biggest market for intrusion detection
and prevention system, but the growing economies of Europe and Asia such as Germany,
Norway, Indonesia, China, India, Korea and others are a good opportunity for this market.
The growth of the intrusion detection system market is based on a number of driving forces, the
major drivers for the Prevention System security market are the continuous sophistication of the
cyber attacks, security threats and hacking attempts increasing governmental pressure on security
compliance and regulations and increasing spending on IT security solutions and services.
Driven by these factors IDS/IPS market is evolving and gaining maturity and now moving
towards its advanced stage which is the “Next Generation IDS/IPS”
All these factors have boosted the IDPS market and it is expected that this market will grow up
to $5.04 billion in 2019 from $2.71 billion in 2014 with a CAGR of 13.2%.
The Intrusion Detection system market is a diversified and competitive market, with a large
number of players. It is dominated by various players, depending on their core competencies.
The key player in this market are Corero (Massachusetts), Dell (Texas), Extreme Networks
(California), IBM (New York), Check point (Israel). Whereas key players providing the next
generation IPS solutions are HP Tipping Point (California), CISCO-Sourcefire (California), and
McAfee (California).
Scope of the Report
This research report categorizes the global intrusion prevention systems security market to
forecast the revenues and analyze the trends in each of the following submarkets:
On the basis of IDS/IPS security market by types:
 Network based
 Host based
 Wireless
On the basis of security market by components:

 Hardware
 Software
 Services
 Consulting
 Managed Services
 Design and Integration
 Training and Education
On the basis of security market by deployment model:
 Cloud Deployment
 On-Premise Deployment
On the basis of market by industry verticals:
 Aerospace, Defense and Intelligence
 Government (excluding defense) & Public Utilities
 IT & Telecommunication
 Healthcare & Life sciences
 BFSI
 Others
On the basis of security market segmentation by regions:
 NA
 EU
 APAC
 MEA
 LA

Punit kumar

In this document

More Related Content

What's hot

Similar to Punit kumar

Recently uploaded

Punit kumar