
Data Link Layer

Primary Purpose: Supporting and Connecting to Upper Layer


Two basic functions:
• Allows the upper layers to access the media using framing.
• Controls how data is placed on the media and received from the media using media
access control (MAC) and error detection.

Services provided by the data link layer:

1. Framing: The data link layer divides the stream of bits received from the network layer
into manageable data units called frames.
2. Physical Addressing: The data link layer adds a header to the frame that defines the
physical address of the sender and/or receiver of the frame, so that frames can be
delivered to different systems on the network.
3. Flow Control: A flow control mechanism prevents a fast transmitter from overrunning a
slow receiver; the extra bits are buffered. This prevents a traffic jam at the receiver side.
4. Error Control: Error control is achieved by adding a trailer at the end of the frame.
Duplication of frames is also prevented by using this mechanism.
5. Access Control: When two or more devices are connected to the same link, protocols of
this layer determine which device has control over the link at any given time.
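The framing and error-control services above, as an added example that is not part of the notes: the sender builds an Ethernet-style frame (header, padded payload, CRC-32 trailer), and the receiver recomputes the CRC so that a single flipped bit on the medium is detected and the frame discarded. The MAC addresses and payload are constructed sample values.

```python
import struct
import zlib

# Constructed sample addresses and payload (not taken from the notes).
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
ETHERTYPE_IPV4 = 0x0800
MIN_PAYLOAD = 46          # Ethernet pads short payloads up to 46 bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Framing plus error control on the sending side: prepend the header
    (destination, source, type), pad the payload, then append the frame check
    sequence, a CRC-32 over the whole frame, as a 4-byte trailer."""
    if len(payload) < MIN_PAYLOAD:
        payload = payload + b"\x00" * (MIN_PAYLOAD - len(payload))
    body = dst + src + struct.pack("!H", ethertype) + payload
    fcs = zlib.crc32(body) & 0xFFFFFFFF       # same CRC-32 as the Ethernet FCS
    return body + struct.pack("<I", fcs)       # FCS goes least-significant byte first


def check_frame(frame: bytes):
    """Receiving side: recompute the CRC over everything before the trailer and
    compare. Returns (ok, dst, src, ethertype, payload); ok is False when the
    frame is too short or the FCS does not match, and the frame is discarded."""
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        return False, None, None, None, None
    body, trailer = frame[:-4], frame[-4:]
    if zlib.crc32(body) & 0xFFFFFFFF != struct.unpack("<I", trailer)[0]:
        return False, None, None, None, None
    ethertype = struct.unpack("!H", body[12:14])[0]
    return True, body[:6], body[6:12], ethertype, body[14:]


def flip_bit(frame: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a single-bit error on the medium so the FCS check can catch it."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 1 << bit
    return bytes(damaged)


if __name__ == "__main__":
    frame = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, b"hello")
    print(len(frame), check_frame(frame)[0])        # 64 True
    print(check_frame(flip_bit(frame, 20, 3))[0])   # False
```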

Logical Link Control LLC – Data Link Sublayer


• Handles communication between upper and lower layers
• Takes the network protocol data from the network layer and adds control information
to help deliver packets to the destination. (Flow Control)
• The LLC provides a single data link control protocol for all IEEE LANs. (Contrast
this with the MAC layer, where there are different protocol versions for different
LANs.)
• The LLC header contains a control field like HDLC (High-level Data Link Control)
and is used for flow and error control.

Media Access Control MAC – Data Link Sublayer


• In standard Ethernet, the MAC sublayer looks after the operation of the access
method.
• It also frames data received from the upper layer and passes them to the physical
layer.
• It provides an abstraction of the physical layer to the LLC and upper layers of the OSI
network.
• It is responsible for encapsulating frames so that they are suitable for transmission via
the physical medium.
• It resolves the addressing of source station as well as the destination station, or groups
of destination stations.
• It determines the channel access methods for transmission.
• It also performs collision resolution and initiates retransmission in case of collisions.
• It generates the frame check sequences and thus contributes to protection against
transmission errors.
• CSMA/CD
  • CSMA/CD stands for Carrier Sense Multiple Access / Collision Detection and is
  a network protocol for carrier transmission.
  • It operates in the medium access control layer.
  • It senses whether the shared channel is busy before transmitting and defers the
  transmission until the channel is free.
  • In CSMA/CD a collision is detected by sensing the transmissions of the other
  stations. Upon collision detection, the transmission is stopped, a jam signal is sent
  by the stations, and each station then waits for a random time interval before
  retransmission.
• CSMA/CA
  • CSMA/CA stands for Carrier Sense Multiple Access / Collision Avoidance and is
  a network protocol for carrier transmission.
  • Like CSMA/CD, it operates in the medium access control layer.
  • Unlike CSMA/CD (which acts after a collision), CSMA/CA acts before a collision
  in order to avoid it.

Network Layer
• The network layer, or OSI Layer 3, provides services to allow end devices to
exchange data across networks.
• IP version 4 (IPv4) and IP version 6 (IPv6) are the principal network layer
communication protocols.

Network layer protocols perform four basic operations:


• Addressing end devices - End devices must be configured with a unique IP address
for identification on the network.
• Encapsulation - The network layer encapsulates the protocol data unit (PDU) from
the transport layer into a packet. The encapsulation process adds IP header
information, such as the IP address of the source (sending) and destination (receiving)
hosts. The encapsulation process is performed by the source of the IP packet.
• Routing - The network layer provides services to direct the packets to a destination
host on another network. To travel to other networks, the packet must be processed by
a router. The role of the router is to select the best path and direct packets toward the
destination host in a process known as routing. A packet may cross many routers
before reaching the destination host. Each router a packet crosses to reach the
destination host is called a hop.
• De-encapsulation - When the packet arrives at the network layer of the destination
host, the host checks the IP header of the packet. If the destination IP address within
the header matches its own IP address, the IP header is removed from the packet.
After the packet is de-encapsulated by the network layer, the resulting Layer 4 PDU is
passed up to the appropriate service at the transport layer. The de-encapsulation
process is performed by the destination host of the IP packet.

Characteristics of IP
IP was designed as a protocol with low overhead. It provides only the functions that are
necessary to deliver a packet from a source to a destination over an interconnected system of
networks.
The protocol was not designed to track and manage the flow of packets.
These are the basic characteristics of IP:
• Connectionless - There is no connection with the destination established before
sending data packets, meaning that no dedicated end-to-end connection is created by
IP before data is sent.
• Best Effort - IP is inherently unreliable because packet delivery is not guaranteed.
With no pre-established end-to-end connection, senders are unaware whether
destination devices are present and functional when sending packets, nor are they
aware if the destination receives the packet, or if the destination device is able to
access and read the packet.
• Media Independent - Operation is independent of the medium (i.e., copper, fiber-
optic, or wireless) carrying the data.

Default Gateway
The default gateway is the network device (i.e., router or Layer 3 switch) that can route
traffic to other networks.
On a network, a default gateway is usually a router with these features:
• It has a local IP address in the same address range as other hosts on the local
network.
• It can accept data into the local network and forward data out of the local network.
• It routes traffic to other networks.

Router Packet Forwarding Decision


When a host sends a packet to another host, it consults its routing table to determine where to
send the packet. If the destination host is on a remote network, the packet is forwarded to the
default gateway, which is usually the local router.

What happens when a packet arrives on a router interface?


• The router examines the destination IP address of the packet and searches its
routing table to determine where to forward the packet.
• The routing table contains a list of all known network addresses (prefixes) and
where to forward the packet.
• These entries are known as route entries or routes. The router will forward the
packet using the best (longest) matching route entry.

Subnet Mask - This is used to identify the network and host portions of an IPv4 address. It
is a 32-bit number that is used to divide a larger network into smaller sub-networks, and it
works by defining which bits of an IP address belong to the network and which to the host.
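The forwarding decisions described above (host: local subnet or default gateway; router: longest matching route entry), as an added example not taken from the notes. The routing table, addresses and interface names are constructed sample values.

```python
import ipaddress

# Constructed routing table (not from the notes): prefix -> (next hop, interface).
# The 0.0.0.0/0 entry is the default route, i.e. the default gateway.
ROUTES = {
    "0.0.0.0/0":      ("203.0.113.1", "eth0"),
    "192.168.1.0/24": ("directly connected", "eth1"),
    "10.0.0.0/8":     ("10.0.0.1", "eth2"),
    "10.20.0.0/16":   ("10.20.0.254", "eth3"),
}


def lookup(dest: str, routes=ROUTES):
    """Router side: return (prefix, next_hop, interface) of the longest matching
    route, or None if no route (not even a default) covers the destination."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, (next_hop, iface) in routes.items():
        net = ipaddress.ip_network(prefix)
        # a more specific (longer) prefix beats a shorter one that also matches
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return None
    return str(best[0]), best[1], best[2]


def host_decision(src: str, mask: str, dest: str, gateway: str) -> str:
    """Host side: apply the subnet mask to its own address; if the destination
    lies in the same subnet deliver locally, otherwise hand the packet to the
    default gateway."""
    local_net = ipaddress.ip_network(f"{src}/{mask}", strict=False)
    if ipaddress.ip_address(dest) in local_net:
        return "local"
    return gateway


if __name__ == "__main__":
    print(host_decision("192.168.1.10", "255.255.255.0", "192.168.2.20", "192.168.1.1"))
    print(lookup("10.20.5.7"))   # the /16 entry wins over the /8 entry
```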
For end devices to communicate in a network, several elements are required:
• Network Interface Card (NIC): A NIC is a hardware component that enables the end
device to connect to the network. It acts as a physical interface between the device
and the network medium (e.g. Ethernet cable, Wi-Fi).
• IP Address: An IP address is a unique identifier assigned to each end device in a
network. It is used to route data packets between devices on the network.
• Network Protocols: Network protocols such as TCP/IP, UDP, and ICMP are used to
govern communication between end devices in a network. These protocols define the
rules and standards for communication, including the format of data packets, error
handling, and flow control.
• Router: A router is a device that connects multiple networks together and forwards
data packets between them. It uses the IP address and network protocol information to
determine the best path for data to travel.
• Switch: A switch is a network device that connects end devices together and enables
them to communicate with each other. It forwards data packets based on the
destination MAC address.
• Media Access Control (MAC) Address: A MAC address is a unique identifier
assigned to each NIC. It is used by the switch to forward data packets to the correct
destination device.

Wireshark Layers
• Ethernet II, Src – Data Link
• Internet Protocol Version 4 – Network
• Transmission Control Protocol – Transport
• Hypertext Transfer Protocol – Application
• Internet Control Message Protocol – Network
• Radiotap Header v0, Length 40 – Physical
• 802.11 radio information – Physical
• IEEE 802.11 005 – Data Link
• Logical-Link Control – Data Link
• PPI version 0, 84 bytes – Physical

MAC Address
The MAC address, also known as the Media Access Control address, is a unique identifier
assigned to each Network Interface Card (NIC) in a device. It is used by the local network to
identify and communicate with specific devices. It operates at the Data Link layer of the OSI
model and is considered to be a hardware address, meaning that it is unique to the physical
Network Interface Card (NIC) and is not affected by IP address changes or other network
configurations. The first three bytes (24 bits) of a MAC address are assigned by the IEEE and
are used to identify the manufacturer of the NIC. The last three bytes (24 bits) are assigned by
the manufacturer and are used to identify the specific NIC within the manufacturer's range.

Network Security
Network security refers to any activities designed to protect your network, which protect the
usability, reliability, integrity, and safety of your network and data. Effective network
security targets a variety of threats and stops them from entering or spreading on your
network.
▪ Security should be considered a balance between protection and availability
▪ Impossible to obtain perfect security—it is a process, not an absolute
▪ To achieve balance, level of security must allow reasonable access, yet protect against
threats

Threats
▪ Threat: an object, person, or other entity that represents a constant danger to an asset
▪ Management must be informed of the different threats facing the organization
▪ By examining each threat category, management effectively protects information through
policy, education, training, and technology controls

Attacks
▪ Act or action that exploits a vulnerability (i.e., an identified weakness) in a controlled system
▪ Accomplished by a threat agent that damages or steals the organization’s information

▪ Malicious code: includes execution of viruses, worms, Trojan horses, and active Web
scripts with intent to destroy or steal information
▪ Back door: gaining access to system or network using known or previously unknown/newly
discovered access mechanism
▪ Spoofing: technique used to gain unauthorized access; intruder assumes a trusted IP address
▪ Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them
back into network
▪ Spam: unsolicited commercial e-mail; more a nuisance than an attack, though it is emerging
as a vector for some attacks
▪ Denial-of-service (DoS): attacker sends large number of connection or information requests
to a target
▪ Target system cannot handle successfully along with other, legitimate service requests
▪ May result in system crash or inability to perform ordinary functions
▪ Distributed denial-of-service (DDoS): coordinated stream of requests is launched against
target from many locations simultaneously

Phishing - Phishing is a type of cybercrime that involves tricking individuals into revealing
sensitive information, such as passwords, credit card numbers, or Social Security numbers.
This is typically accomplished by the attacker posing as a trustworthy entity, such as a bank,
a well-known company, or a government agency, and sending a fake email or website link
that appears to be legitimate.
Email phishing: An attacker sends an email that appears to be from a trustworthy source and
contains a link to a fake website designed to steal information.

TCP SYN Flood


TCP SYN flood is a type of Distributed Denial of Service (DDoS) attack that targets a
victim's server by overwhelming it with a large number of TCP SYN (Synchronize) requests.
In a TCP SYN flood attack, the attacker sends a large number of fake SYN requests to the
victim's server from a large number of compromised devices. The victim's server responds to
each SYN request with a SYN-ACK (Synchronize-Acknowledgment) response, but the
attacker never sends the final ACK (Acknowledgment) to complete the handshake. As a
result, the server's resources become exhausted by the large number of half-open connections,
and it can no longer handle legitimate traffic.
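Detection logic for the half-open connection pattern described above, as an added example not taken from the notes: each (client, server) handshake is tracked from SYN through SYN-ACK to the client's ACK, and a server with many stale half-open connections from many distinct sources is reported. The packet records are constructed sample data, not a real capture.

```python
from collections import defaultdict

# Constructed packet records as a sensor in front of the server might log them
# (not a real capture): (time_s, src_ip, dst_ip, tcp_flags).
SAMPLE = [
    (0.0, "198.51.100.7", "192.0.2.10", "S"),     # legitimate client ...
    (0.1, "192.0.2.10", "198.51.100.7", "SA"),
    (0.2, "198.51.100.7", "192.0.2.10", "A"),     # ... completes the handshake
    (4.6, "198.51.100.8", "192.0.2.10", "S"),     # recent, still within the timeout
    (4.7, "192.0.2.10", "198.51.100.8", "SA"),
]
for i in range(8):  # eight SYNs from different sources, answered but never ACKed
    SAMPLE.append((1.0 + i / 10, f"203.0.113.{i + 1}", "192.0.2.10", "S"))
    SAMPLE.append((1.05 + i / 10, "192.0.2.10", f"203.0.113.{i + 1}", "SA"))
SAMPLE.sort()


def half_open_report(packets, now, timeout=3.0, threshold=5):
    """Track each (client, server) handshake: SYN opens it, the server's SYN-ACK
    marks it half-open, the client's ACK closes it. Report servers whose number
    of half-open connections older than `timeout` reaches `threshold`, together
    with how many distinct sources are involved (many sources suggests DDoS)."""
    pending = {}          # (client, server) -> [syn_time, synack_seen]
    for t, src, dst, flags in packets:
        if flags == "S":
            pending[(src, dst)] = [t, False]
        elif flags == "SA" and (dst, src) in pending:
            pending[(dst, src)][1] = True
        elif flags == "A":
            pending.pop((src, dst), None)        # handshake completed
    stale = defaultdict(list)
    for (client, server), (t, synack) in pending.items():
        if synack and now - t >= timeout:
            stale[server].append(client)
    return {
        server: {"half_open": len(clients), "distinct_sources": len(set(clients))}
        for server, clients in stale.items() if len(clients) >= threshold
    }


if __name__ == "__main__":
    print(half_open_report(SAMPLE, now=5.0))
```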

Firewalls
▪ Prevent specific types of information from moving between the outside world (untrusted
network) and the inside world (trusted network)
▪ May be separate computer system; a software service running on existing router or server;
or a separate network containing supporting devices
Firewalls Categorized by Processing Modes
▪ Packet filtering - Packet filtering firewalls examine header information of data packets.
Three subsets of packet filtering firewalls:
  ▪ Static filtering: requires that filtering rules governing how the firewall decides which
  packets are allowed and which are denied are developed and installed
  ▪ Dynamic filtering: allows firewall to react to emergent event and update or create
  rules to deal with event
  ▪ Stateful inspection: firewalls that keep track of each network connection between
  internal and external systems using a state table
Packet filtering can be performed by a router, firewall, or other network device, and it is
typically used to block unwanted traffic and allow only authorized traffic to pass through.
▪ Application gateways - Provide security by inspecting the contents of individual
application-layer data packets. An application gateway is typically implemented as a proxy
server and acts as an intermediary between the client and the server. The application
gateway inspects the contents of the data packets to ensure that they comply with security
policies and to prevent malicious activity.
▪ Circuit gateways
▪ MAC layer firewalls
▪ Hybrids

In summary, packet filtering is used to block traffic based on network-layer information, such
as IP address and port number, while application gateways provide security by examining the
contents of application-layer data packets.
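Static filtering beside stateful inspection, as an added example not taken from the notes: the static rules decide on header fields alone, so a server's reply to an inside client is denied; the stateful filter keeps a state table of connections the inside hosts opened and accepts the matching replies while still dropping unsolicited inbound traffic. The policy, addresses and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


# Constructed static filtering policy (not from the notes), evaluated top-down:
# (source network or None for any, destination port or None for any, action).
INSIDE = ipaddress.ip_network("192.168.1.0/24")
STATIC_RULES = [
    (INSIDE, 80, "allow"),      # inside hosts may open HTTP connections
    (INSIDE, 443, "allow"),     # and HTTPS connections
    (None, None, "deny"),       # everything else, in either direction, is denied
]


def static_filter(pkt: Packet) -> str:
    """Static filtering: the decision depends on header fields alone."""
    for src_net, dport, action in STATIC_RULES:
        if (src_net is None or ipaddress.ip_address(pkt.src) in src_net) and \
           (dport is None or pkt.dport == dport):
            return action
    return "deny"


class StatefulFilter:
    """Stateful inspection: a state table records each connection an inside
    host opened, so the server's replies are accepted even though no static
    rule allows traffic towards the client's ephemeral port."""

    def __init__(self):
        self.state = set()          # (client, cport, server, sport)

    def process(self, pkt: Packet) -> str:
        if static_filter(pkt) == "allow":
            if pkt.flags == "S":    # new outbound connection: remember it
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow"          # reply belonging to a tracked connection
        return "deny"               # unsolicited inbound traffic
```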

Virtual Private Networks (VPNs)


▪ Private and secure network connection between systems; uses data communication
capability of unsecured and public network
▪ Securely extends organization’s internal network connections to remote locations beyond
trusted network.

VPN must accomplish:
▪ Encapsulation of incoming and outgoing data
▪ Encryption of incoming and outgoing data
▪ Authentication of remote computer and (perhaps) remote user as well

DMZ
A DMZ, or Demilitarized Zone, is used to create a secure area within a network that separates
internal network resources from the public internet. The purpose of a DMZ is to provide an
additional layer of security by ensuring that sensitive internal resources are protected from
direct exposure to external threats, such as hacking attempts, malware, and other security
threats. In a typical DMZ configuration, a firewall is used to control access between the
internal network, the DMZ, and the public internet. By configuring a DMZ, organizations can
provide external access to necessary services, such as a web server, while minimizing the risk
of exposing sensitive internal resources to external threats.
In summary, a DMZ is a security practice that provides a secure environment for public-
facing network services while protecting sensitive internal resources from external threats.

Intrusion: type of attack on information assets in which instigator attempts to gain entry into
or disrupt system with harmful intent

Intrusion Detection Systems (IDSs)


▪ Detects a violation of its configuration and activates alarm
▪ Many IDSs enable administrators to configure systems to notify them directly of trouble via
e-mail or pagers
▪ Systems can also be configured to notify an external security service organization of a
“break-in”

Intrusion Prevention System (IPS): An IPS is an evolution of the IDS technology and
provides an added layer of protection by actively blocking detected intrusions.

They differ in their purpose and operation:


Intrusion Detection System (IDS): The IDS operates by analysing network traffic and
comparing it against a set of predefined security rules and intrusion signatures to detect any
malicious activity. It does not take any active measures to stop the intrusion, but instead, it
generates alerts and logs the activity for review and further analysis.
Intrusion Prevention System (IPS): An IPS operates by analysing network traffic in real-time,
and when it detects suspicious activity, it takes immediate action to prevent the intrusion by
blocking the malicious traffic.
In summary, the main difference between IDS and IPS is that an IDS detects security threats
and generates alerts, while an IPS not only detects but also prevents security threats by
actively blocking them in real-time. An IPS is typically considered to provide a higher level
of security compared to an IDS, but it can also introduce false positives and block legitimate
traffic, making it important to carefully configure and manage IPS systems.

▪ Honey pots: decoy systems designed to lure potential attackers away from critical systems
and encourage attacks against themselves
▪ Honey nets: collection of honey pots connecting several honey pot systems on a subnet
▪ Honey pots are designed to:
  ▪ Divert attacker from accessing critical systems
  ▪ Collect information about attacker’s activity
  ▪ Encourage attacker to stay on system long enough for administrators to document
  event and, perhaps, respond

Cryptographic Algorithms
▪ Often grouped into two broad categories, symmetric and asymmetric; today’s popular
cryptosystems use hybrid combination of symmetric and asymmetric algorithms
▪ Symmetric and asymmetric algorithms distinguished by types of keys used for encryption
and decryption operations

Symmetric encryption: uses same “secret key” to encipher and decipher message
▪ Encryption methods can be extremely efficient, requiring minimal processing
▪ Both sender and receiver must possess encryption key
▪ If either copy of the key is compromised, an intermediary can decrypt and read messages

Asymmetric Encryption (public key encryption)

▪ Uses two different but related keys; either key can encrypt or decrypt message
▪ If Key A encrypts message, only Key B can decrypt
▪ Highest value when one key serves as private key and the other serves as public key

Digital Certificates
A digital certificate is an electronic document that is used to authenticate the identity of a
network device, and to secure communications over the network. Digital certificates are
issued by a trusted third-party organization, and they contain information about the identity of
the certificate holder. The main purpose of digital certificates is to establish trust and ensure
secure communications between network devices. A digital certificate has both an issue date
and an expiration date. The issue date is the date on which the certificate was issued by a
certificate authority (CA), and it indicates the start of the validity period for the certificate.
The expiration date is the date on which the certificate becomes invalid and can no longer be
used to authenticate the identity of the certificate holder.

Handshaking Protocol
Handshaking is a protocol used to establish a communication session between two devices. It
is a series of exchanges between the devices that ensures that they are both available,
compatible, and ready to communicate with each other.

• Connection initiation: The first device initiates the handshaking process by sending a
request to the second device to establish a communication session.
• Connection request: The second device receives the request and sends a response
indicating that it is available and willing to establish a connection.
• Negotiation: The two devices exchange information about their capabilities and
preferences, such as the type of encryption to be used, the preferred communication
speed, and any other relevant parameters.
• Connection establishment: If the negotiation is successful, the two devices establish a
communication session, and data can be exchanged between them.
• Connection termination: When the communication session is no longer needed, the
two devices follow a set of steps to close the connection and terminate the
handshaking protocol.
