CompTIA Network+ Certification Study Guide part 29 ppt

Document information

Number of pages: 10
Size: 87.17 KB

Contents

CHAPTER 6: The OSI Model and Networking Protocols 266

to in some documentation as the NetBIOS protocol). NetBT supplies the programming interface provided for by NetBIOS along with communication protocols provided for by TCP. NetBT's name service allows host computers to attain and retain (or defend) a NetBIOS name. It also assists other hosts in locating a computer with a specific NetBIOS name. In addition, the name service resolves a specific NetBIOS name to an IP address. This process uses broadcast messages that are sent to all hosts on the network. The name service uses UDP Port 137.

The session service of NetBT provides for the reliable exchange of messages between two NetBIOS applications, typically on two different computers. The session service uses TCP Port 139.

The datagram service within NetBT provides connectionless, unreliable message delivery between NetBIOS applications via UDP Port 138. As mentioned earlier, when data length is short or reliability is not critical, the datagram service is a faster method than session-based communication. Together, the session and datagram services provide the NetBIOS applications with the capability to exchange information with one another. However, in an environment where Windows Vista and Windows 2008 are the desktop and network operating systems, NetBIOS and NetBT/IP are replaced by DNS, which has become the primary naming and name resolution provider.

WINS

WINS is a NetBIOS name server that NetBIOS clients can use to attain, register, and resolve NetBIOS names. WINS is specific to Microsoft networks and is not used (or available for use) on non-Microsoft operating system-based computers.
Computers running UNIX, Linux, and other non-Microsoft operating systems typically use DNS for name resolution, although there are other, non-WINS NetBIOS name services available. Generally, other operating systems will be concerned with NetBIOS names only when they're on a network with Microsoft machines; for example, when using SAMBA. WINS provides NetBIOS functionality but expands it by replicating this information for faster name resolution services across a large network. WINS generates a database that contains each NetBIOS name and its associated IP address. A WINS Server resolves NetBIOS names and provides the associated IP addresses when it receives requests.

WINS is implemented in two parts: the Server service and the Client service. The Server service maintains the database containing both NetBIOS names and associated IP addresses. It also replicates the database to other WINS Servers for faster name resolution across a large network. This reduces network broadcast traffic because names can be acquired and defended using direct requests to the WINS Server rather than by using network broadcasts. The Client service runs on the individual computers and uses WINS to register the computer name, as well as to provide name resolution services to the local applications and services.

For backward compatibility, Windows-based clients and servers also provide support for using the LMHOSTS file. This plain text file is unique to Windows-based computers and provides a map of the computer's NetBIOS name to an IP address. This static file was used prior to the implementation of the dynamic Windows name resolution found in WINS.

Exam Warning: Remember the following for the Network+ exam: the name service uses UDP Port 137, the datagram service uses UDP Port 138, and the session service uses TCP Port 139.
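The NetBIOS name resolution sources just described (the static LMHOSTS file, a direct query to a WINS server, and a subnet broadcast) can be modelled in a few lines. The following Python is an added example, not code from the study guide: it parses an LMHOSTS file, honours the #PRE keyword, and resolves names in the order Windows uses for each node type (name cache first, then WINS and/or broadcast in the order the B/P/M/H node type dictates, then LMHOSTS; the per-node-type orders are taken from RFC 1001, not from this chapter). The WINS database and the hosts that answer broadcasts are in-memory tables standing in for the network, the sample LMHOSTS content is constructed, and the trail of sources consulted is what you would inspect when a name resolves to the wrong host.

```python
"""Model of the NetBIOS name resolution sources described in the text:
a static LMHOSTS file, a WINS server (direct query) and a subnet broadcast.
Network I/O is replaced by in-memory tables so the example runs offline.
Added example, not code from the study guide."""

# Constructed sample LMHOSTS content: "<IP> <NetBIOS name> [#PRE] [#DOM:domain]".
# A line whose first character is '#' is a comment; the #PRE keyword after an
# entry asks Windows to preload that mapping into the name cache.
SAMPLE_LMHOSTS = """\
# constructed LMHOSTS file for this example
192.168.10.5    FILESRV01    #PRE
192.168.10.7    PRINTSRV     # comment text after an entry
# 192.168.10.9  OLDBOX       commented-out entry, ignored
192.168.10.11   DC01         #PRE #DOM:CORP
"""

# Lookup order for each node type (B, P, M, H) as defined in RFC 1001; the
# chapter's exam warning lists the four types without giving their order.
NODE_ORDER = {
    "B": ["broadcast"],
    "P": ["wins"],
    "M": ["broadcast", "wins"],
    "H": ["wins", "broadcast"],
}


def parse_lmhosts(text):
    """Return {NAME: (ip, preload)} for the active entries of an LMHOSTS file."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                      # malformed line: no name after the IP
        ip, name = fields[0], fields[1].upper()
        entries[name] = (ip, "#PRE" in fields[2:])
    return entries


class NetBiosResolver:
    """Resolution order modelled here: name cache, then WINS and/or broadcast
    in the order the node type dictates, then the LMHOSTS file (Windows' own
    order; the hosts file and DNS, which come after LMHOSTS, are omitted)."""

    def __init__(self, lmhosts_text, wins_db, subnet_db, node_type="H"):
        self.lmhosts = parse_lmhosts(lmhosts_text)
        self.wins_db = dict(wins_db)        # simulated WINS server database
        self.subnet_db = dict(subnet_db)    # simulated hosts answering broadcasts
        self.node_type = node_type
        self.trail = []                     # sources consulted, for troubleshooting
        # #PRE entries start out in the cache, so they never cause a query
        self.cache = {n: ip for n, (ip, pre) in self.lmhosts.items() if pre}

    def _lookup(self, source, name):
        self.trail.append(source)
        tables = {
            "cache": self.cache,
            "wins": self.wins_db,
            "broadcast": self.subnet_db,
            "lmhosts": {n: ip for n, (ip, _) in self.lmhosts.items()},
        }
        return tables[source].get(name)

    def resolve(self, name):
        """Return the IP address for a NetBIOS name, or None if no source knows it."""
        name = name.upper()
        for source in ["cache"] + NODE_ORDER[self.node_type] + ["lmhosts"]:
            ip = self._lookup(source, name)
            if ip is not None:
                self.cache[name] = ip       # later lookups are answered locally
                return ip
        return None


if __name__ == "__main__":
    resolver = NetBiosResolver(SAMPLE_LMHOSTS,
                               wins_db={"MAILSRV": "192.168.10.20"},
                               subnet_db={"LAPTOP7": "192.168.10.77"})
    for host in ("FILESRV01", "MAILSRV", "LAPTOP7", "PRINTSRV", "NOSUCH"):
        resolver.trail.clear()
        print(host, resolver.resolve(host), resolver.trail)
```

Because #PRE entries land in the cache, FILESRV01 never generates a query, while the trail for PRINTSRV shows a WINS query and a broadcast both failing before LMHOSTS answers; that broadcast is exactly the traffic the text says a WINS server exists to reduce.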
Exam Warning: NetBIOS name resolution can be done via a centralized WINS server or a local LMHOSTS file, both of which keep traffic down on your network by mapping NetBIOS names to IP addresses.

Exam Warning: NetBIOS name resolution uses four different node types to resolve names to IP addresses: Broadcast (B-node), Peer-to-Peer (P-node), Mixed (M-node), and Hybrid (H-node).

Server Message Block/Common Internet File System

The Server Message Block (SMB) protocol was originally developed by IBM in the 1980s and later expanded upon by IBM, Microsoft, Intel, and 3Com. SMB was primarily used not only for file and print sharing but also for sharing serial ports and abstract communications technologies such as named pipes and mailslots. SMB is also now known as Common Internet File System (CIFS); both names are used interchangeably. CIFS is a protocol that, like many application layer protocols, is operating system-independent. It evolved from SMB and the NetBIOS file and print sharing methods in earlier versions of the Windows operating system. It can be used by different platforms and operating systems and across different network/transport protocols; it is not TCP/IP-dependent. The connection from client to server can be made via NetBEUI or IPX/SPX. After the network connection from client to server is established, SMB commands can be sent to the server so that the client can open, read, and write files, and so on. CIFS is being jointly developed by Microsoft and other vendors, but no published specification currently exists. UNIX and Linux clients can connect to SMB shares using smbclient from SAMBA or smbfs for Linux. Server implementations of SMB for non-Microsoft operating systems include SAMBA and LAN Manager for OS/2 and SCO.

Internet Printing Protocol

The Internet Printing Protocol (IPP) is related to SMB and CIFS.
It provides the capability to perform various printing operations across the network (including an internetwork) using Hypertext Transport Protocol (HTTP) version 1.1.

Note: There are a large number of Request for Comments (RFCs) that define different specifications for IPP. For more information, see the IEEE's Printer Working Group (PWG) Web site at www.pwg.org/ipp/

Note: For more detailed information about SMB, see http://samba.anu.edu.au/cifs/docs/what-is-smb.html

WinSock

WinSock is a Microsoft Windows Application Programming Interface (API) that provides a standard programming interface for accessing TCP/IP in Windows. Sockets were originally developed at the University of California in Berkeley, and Microsoft developed WinSock to work specifically in the Windows operating system environment. Vendors who develop software that runs on Windows can use this API to access standard TCP/IP functionality. Many built-in Windows tools rely on WinSock, including Packet InterNet Groper (ping) and Trace Route (tracert). In addition, the FTP and DHCP servers and clients use WinSock, as does the Telnet client.

Telnet

Telnet is a terminal emulation protocol that allows you to log onto a remote computer. The remote computer must be using TCP/IP and have the Telnet Server service running. To connect to a remote host, you must start the Telnet client and must possess a username and password for the remote host computer. In Windows Server 2003, the Telnet Server service is present but must be started to service Telnet clients. If you have never used the command prompt in Windows, here's how: click Start | Run and type cmd in the dialog box (in Windows operating systems prior to Windows 98, the 16-bit command was command; in Windows 98 and beyond, the 32-bit command, cmd, is supported). This will open a command window. Type telnet at the prompt. Type help for a list of commands and quit to close Telnet. Use exit to close the command prompt window.
Exam Warning: Remember that Telnet uses port 23 (both TCP and UDP) for communication. Secure Shell (SSH, which is essentially encrypted Telnet) runs on port 22 (also TCP and UDP). Telnet information is sent in plaintext, so it's very easy to capture packets and read the contents, such as usernames and passwords.

DHCP

DHCP is used to automatically (or dynamically) assign IP addresses to host computers on a network running TCP/IP. Prior to DHCP, network administrators had to assign IP addresses to host computers manually. This was not only a time-consuming endeavor but also made it easy for errors (either in IP assignment or in entering the IP address) to creep in and cause network problems. Why is DHCP so important? Because each host must have a unique IP address, and a problem occurs when two hosts have the same IP address.

DHCP was devised as an efficient method to alleviate both the problems caused by errors and the time it took to assign addresses and resolve errors. It does this by maintaining a database of the assigned addresses, ensuring that there will never be duplicate addresses among the DHCP clients. DHCP is implemented as both a Server and a Client service. The DHCP Server service is responsible for assigning the IP address to individual hosts and for maintaining the database of IP address information, including IP addresses that are assigned, IP addresses that are available, and other configuration information that can be conveyed to the client along with the IP address assignment. The DHCP client service interacts with the Server service in requesting an IP address and in configuring other related information, including the subnet mask and default gateway (both are discussed in detail in Chapter 7, "TCP/IP and Routing").

SMTP

SMTP is used to transfer e-mail messages and attachments.
SMTP is used to transmit e-mail messages between servers and from clients (such as Microsoft Outlook or Linux's sendmail) to e-mail servers (such as Microsoft Exchange). However, most e-mail clients use other protocols, such as POP3 or IMAP4, to retrieve e-mail from the server. These two server applications (SMTP and POP or IMAP) may exist on the same physical server machine. As with the other protocols and services discussed in this section, SMTP operates at the application layer and relies on the services of the underlying layers of the TCP/IP suite to provide the actual data transfer services.

Exam Warning: Remember that SMTP uses port 25 for communication.

POP

POP is a widely used e-mail application protocol that can be used to retrieve e-mail from an e-mail server for the client application, such as Microsoft Outlook. The current version of POP is POP3. POP servers set up mailboxes (actually directories or folders) for each e-mail account name. The server receives the mail for a domain and sorts it into these individual folders. Then a user uses a POP client program (such as Outlook or Eudora) to connect to the POP server and download all the mail in that user's folder to the user's computer. Usually, when the mail messages are transferred to the client machine, they are deleted from the server.

IMAP

IMAP, like POP, is used to retrieve e-mail from a server and creates a mailbox for each user account. It differs from POP in that the client program can access the mail and allow the user to read, reply to, and delete it while it is still on the server. Microsoft Exchange functions as an IMAP server. This is convenient for users because they never have to download the mail to their client computers (saving space on their hard disks), but especially because they can connect to the server and have all their mail available to them from any computer, anywhere.
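The POP dialogue described above, as an added example that is not part of the study guide: a minimal in-memory POP3 server state machine in Python, driven by scripted client commands. The AUTHORIZATION, TRANSACTION and UPDATE states and the command names (USER, PASS, STAT, LIST, RETR, DELE, RSET, QUIT) come from RFC 1939, not from this chapter, and the mailbox contents and credentials are constructed. It makes the "deleted from the server" behaviour concrete: the client marks each downloaded message with DELE, and the server removes the marked messages only when QUIT ends the session, so a dropped connection leaves the mail in place.

```python
"""Minimal in-memory POP3 server state machine, driven by scripted client
commands. Added example, not code from the study guide; the command set and
the AUTHORIZATION / TRANSACTION / UPDATE states follow RFC 1939."""


class Pop3Mailbox:
    """One user's mailbox: the per-account folder the text describes."""

    def __init__(self, password, messages):
        self.password = password
        self.messages = list(messages)


class Pop3Session:
    def __init__(self, mailboxes):
        self.mailboxes = mailboxes      # {username: Pop3Mailbox}
        self.state = "AUTHORIZATION"
        self.user = None
        self.box = None
        self.deleted = set()            # 1-based message numbers marked by DELE

    def _live(self):
        return [(n, m) for n, m in enumerate(self.box.messages, 1)
                if n not in self.deleted]

    def _valid(self, arg):
        n = int(arg) if arg.isdigit() else 0
        return n if 1 <= n <= len(self.box.messages) and n not in self.deleted else None

    def handle(self, line):
        """Process one client command line and return the server reply."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if self.state == "AUTHORIZATION":
            if cmd == "USER":
                self.user = arg
                # +OK whether or not the name exists, so the reply does not
                # reveal which account names are valid
                return "+OK name is a valid mailbox"
            if cmd == "PASS":
                box = self.mailboxes.get(self.user)
                if box is None or box.password != arg:
                    self.user = None
                    return "-ERR invalid password"
                self.box, self.state = box, "TRANSACTION"
                return "+OK maildrop locked and ready"
            if cmd == "QUIT":
                self.state = "CLOSED"
                return "+OK bye"
            return "-ERR command not valid in this state"
        if self.state != "TRANSACTION":
            return "-ERR session closed"
        if cmd == "STAT":
            live = self._live()
            return "+OK %d %d" % (len(live), sum(len(m) for _, m in live))
        if cmd == "LIST":
            return "+OK\r\n" + "".join("%d %d\r\n" % (n, len(m)) for n, m in self._live()) + "."
        if cmd in ("RETR", "DELE"):
            n = self._valid(arg)
            if n is None:
                return "-ERR no such message"
            if cmd == "RETR":
                return "+OK\r\n" + self.box.messages[n - 1] + "\r\n."
            self.deleted.add(n)
            return "+OK message %d deleted" % n
        if cmd == "RSET":
            self.deleted.clear()        # un-mark everything; nothing was removed yet
            return "+OK"
        if cmd == "QUIT":
            # UPDATE state: only now are DELE-marked messages really removed.
            # A dropped connection never reaches this point, so the mail stays.
            self.box.messages = [m for _, m in self._live()]
            self.deleted.clear()
            self.state = "CLOSED"
            return "+OK bye"
        return "-ERR unknown command"


def pop_download_and_delete(mailboxes, user, password):
    """The usual POP client behaviour: fetch every message, DELE it, QUIT.
    Returns the downloaded messages, or None if authentication failed."""
    session = Pop3Session(mailboxes)
    session.handle("USER " + user)
    if not session.handle("PASS " + password).startswith("+OK"):
        return None
    count = int(session.handle("STAT").split()[1])
    downloaded = []
    for n in range(1, count + 1):
        reply = session.handle("RETR %d" % n)
        downloaded.append(reply.split("\r\n", 1)[1].rsplit("\r\n.", 1)[0])
        session.handle("DELE %d" % n)
    session.handle("QUIT")
    return downloaded


if __name__ == "__main__":
    # Constructed sample mailbox for the demonstration
    boxes = {"alice": Pop3Mailbox("s3cret", ["From: bob\r\n\r\nhello",
                                             "From: carol\r\n\r\nlunch?"])}
    print(pop_download_and_delete(boxes, "alice", "s3cret"))
    print("left on server:", boxes["alice"].messages)
```

After pop_download_and_delete returns, the server-side folder is empty and the only copy of the mail is on the client, which is the situation the next paragraph describes when you sit down at a different computer; an IMAP client would instead leave the messages in place and only read them.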
When you use POP to retrieve your mail, old mail that you've already downloaded is on the computer you were using when you retrieved it, so if you're using a different computer, you won't be able to see it. IMAP is preferred for users who use different computers (for example, a home computer, an office computer, and a laptop) to access their e-mail at different times.

Exam Warning: Remember that POP3 uses port 110 for communication.

Exam Warning: Remember that IMAP4 uses Port 143 (both TCP and UDP) for communication.

HTTP

HTTP is the protocol used to transfer the files that make up Web pages on the Internet. When you type an Internet address (a URL) into your browser's Address field, it uses the HTTP protocol to retrieve and display the files located at that address. A URL typically contains a server name, a second-level domain name, and a top-level domain name, with the parts of the address separated by dots. Individual folder and file names may follow, separated by slashes. For example, www.syngress.com/index.htm indicates an HTML document (Web page) on a Web server named www in the syngress.com domain. The first part of the URL may also be entered as an IP address if it is known.

HTTP was defined and used as early as 1990. However, there were no published specifications for HTTP in the beginning, and different vendors modified HTTP as they saw fit. As the World Wide Web continued to evolve and grow to be the enormous resource that it is today, additional functionality was needed in HTTP. The first formal definition was labeled HTTP/1 and it was later replaced by HTTP/1.1.

NNTP

NNTP is similar to SMTP in that it allows servers and clients to exchange information. In this case, however, the information is exchanged in the form of news articles. This feature originally was implemented in the Internet's predecessor network, ARPANet. Network bulletins were exchanged using this protocol.
Today, there are thousands of newsgroups devoted to discussion of every topic imaginable. Usenet has grown into a huge network of news servers hosting newsgroups. Newsgroups differ from other forums such as Internet mailing lists (in which all messages posted come into your inbox if you're a member) and Web discussion boards (which are accessed through the browser). NNTP is now implemented as an application layer client/server protocol. The news server (for example, msnews.microsoft.com) manages news articles and news clients. A news client is an application that runs on a client computer and is used to both read and compose news articles. Outlook Express contains a newsreader component. For more information about Usenet newsgroups, see the Usenet FAQ and references at www.faqs.org/usenet/.

Exam Warning: Remember that NNTP uses port 119 for communication.

Exam Warning: Remember that HTTP uses port 80 for communication. Do not confuse this with https://, which is Secure Sockets Layer (SSL) encrypted Web traffic running on port 443.

FTP

FTP is used to transfer files from one host to another, regardless of the hosts' physical locations. It is one of the oldest application layer protocols and was used on ARPANet to transfer files from one mainframe to another. Still in use today, FTP is widely used on the Internet to transfer files. One of the problems with FTP is that it transmits users' passwords in clear text, so it is not a secure protocol. In contrast to the single connections used by NNTP, HTTP, and SMTP, two separate connections are established for an FTP session. One transmits commands and replies and the other transmits the actual data. The command and control information is sent, by default, via TCP port 21. The data, by default, are sent via TCP port 20.

DNS

DNS is used to resolve a hostname to an IP address to facilitate the delivery of network data packets.
As mentioned previously, DNS is now the primary method used in Microsoft Windows Server 2003 to resolve hostnames to IP addresses. DNS is also the protocol used on the Internet to resolve hostnames (such as those in URLs) to IP addresses. Prior to DNS, hostname-to-IP resolution was accomplished via a text file called hosts. In the days of ARPANet, this file was compiled and managed by the Network Information Center at the Stanford Research Institute. This plain text file contained the name and address of every single computer, but there were only a handful of computers on the network at the time. When a new computer was added or a computer changed its IP address, the file had to be edited manually and distributed to all the other computers. As computers and networks proliferated, another, more automated solution had to be devised, and the specifications for a distributed naming system, called the DNS, were developed.

DNS servers on the Internet store copies of the DNS database. Because of the explosive growth of the Internet in the past decade, DNS databases are specialized. For instance, a set of databases is responsible for top-level domain information only. Examples of top-level domains are .com, .gov, .edu, .net, .org, and so on. All requests for an address ending with .com will be forwarded to a particular set of DNS servers. These servers will query their databases to find the specific .com domain requested (for example, microsoft.com). DNS databases are replicated periodically to refresh the data.

CONFIGURING AND IMPLEMENTING… FTP Ports

Understanding the configuration and implementation of FTP is important for a number of reasons. FTP ports 20 and 21 are used for FTP data and FTP control, respectively. It is possible to modify the ports used for data and control transmissions when developing or implementing an application. However, by default, a program interface that uses FTP listens at TCP port 21 for FTP traffic. Thus, if your application is sending TCP control information on a different port, the other application interface may not hear the FTP traffic. TCP ports 20 and 21 are well-known port numbers and hackers often try to exploit these ports. As a security measure, all servers that are not running the FTP Server service should have TCP ports 20 and 21 disabled. This prevents attackers from exploiting these ports to gain unauthorized access to the server and perhaps to the entire network. RFC 1579, "Firewall-Friendly FTP," is definitely worth a read if you want more in-depth information on how FTP uses ports. This information is not related to the exam but may be interesting for your future in the security field: www.ietf.org/rfc/rfc1579.txt.

Routing Information Protocol

As the name implies, the Routing Information Protocol (RIP) is used to exchange routing information among IP routers. RIP is a basic routing protocol designed for small- to medium-sized networks. It does not scale well to large IP-based networks (including the Internet). Windows Server 2003 computers can function as routers, and as such, they support RIP. Routing is covered in more depth in Chapter 7, where WAN standards and remote access are covered.

Network Time Protocol

Network Time Protocol (NTP) is a protocol that provides a very reliable way of transmitting and receiving an accurate time source over TCP/IP-based networks. NTP, defined in RFC 1305 (www.ietf.org/rfc/rfc1305.txt), is useful for synchronizing the internal clocks of computers to a common time source. Network operating systems such as NetWare and Windows rely on a time source to keep things running right. For system maintenance, troubleshooting of issues, and documentation, it is important that all systems be time-synchronized. In addition, for prosecution of security breaches or attacks, security logs need to be accurate, and so on.
NTP, when used properly, can have a hierarchical disaster recovery system designed into it, with primary sources of time as well as secondary sources. Having the correct time on your system(s) is very important. Many problems can surface if networked machines are not time-synchronized.

Exam Warning: Remember that NTP uses port 123 for communication. Do not confuse this with NNTP, which uses port 119.

Exam Warning: Remember that DNS uses port 53 for communication.

SNMP

SNMP is used for communications between a network management console and the network's devices, such as bridges, routers, and hubs. This protocol facilitates the sharing of network control information with the management console. SNMP uses a management system/agent framework to share relevant network management information. This information is stored in a Management Information Base (MIB) and contains a set of objects, each of which represents a particular type of network information such as an event, an error, or an active session. SNMP uses UDP datagrams to send messages between the management console and the agents.

Now we have covered the OSI model (as well as the DoD model) in depth. You should now have a good idea of its importance, and why it's so important to know for the Network+ exam. This modular approach to network communications makes development less time-consuming and more consistent across vendors, networks, and systems. As a result, new application layer protocols are constantly being developed. This section is not meant to serve as an exhaustive look at the wide array of application protocols available today but to give you a better idea of the more common protocols and services that operate at this layer and provide an understanding of how the layered approach works.
We've reviewed the seven layers of the OSI model (starting from the lowest level: physical, data link, network, transport, session, presentation, and application) and the four layers of the DARPA (TCP/IP) model (Network Interface, Internet, Host-to-Host, and Application), and we've learned how these layers map to one another. We've examined many of the common networking protocols that work at each layer and looked at the services and functions that each provides. In the next chapter, you'll learn in depth about the IP protocol and how it is used to send data to the correct location, no matter where the destination host resides.

SUMMARY OF EXAM OBJECTIVES

In this chapter, we covered the OSI model in depth. For those of you unfamiliar with network models, it should be clear now that working with them can bring many benefits, such as ease of development and troubleshooting. Networking models can be very helpful to you. In this chapter, we covered three of them in particular, the OSI model, the DoD model, and the Microsoft model, all of which are similar, share common core elements, but have differences as well. From the DARPA experiment came the understanding that networking would become increasingly common, and increasingly complex. The OSI model was developed, based on the original DoD DARPA model, and approved by the OSI subcommittee of the ISO. The OSI model defined seven

Posted: 04/07/2014, 13:21
