
NETWORKING BASICS

SNMP:

Simple Network Management Protocol (SNMP) is a networking protocol used for the
management and monitoring of network-connected devices in Internet Protocol
networks. The SNMP protocol is embedded in multiple local devices such as routers,
switches, servers, firewalls, and wireless access points accessible using their IP
address. SNMP provides a common mechanism for network devices to relay
management information within single and multi-vendor LAN or WAN environments. It is
an application layer protocol in the OSI model framework.

Typically, SNMP is carried over the User Datagram Protocol (UDP). UDP is a
connectionless transport protocol: unlike the Transmission Control Protocol (TCP), it
assumes that error-checking and recovery services are not required, and simply sends
datagrams to the recipient whether or not they arrive.

SNMP Management Information Bases (called MIBs for short) are data structures that
define what can be collected from the local device and what can be changed and
configured.

Management information base (MIB):

This data structure is a text file (with a .mib file extension) that describes all the data
objects on a particular device that can be queried or controlled using SNMP, including
their access control. Inside the MIB are many managed objects, each identified by an
Object Identifier. An Object Identifier (OID) is the identifier used to distinguish one
managed object from another within the MIB. OIDs are uniquely generated numeric
identifiers used to access MIB objects.

Versions: There are three different versions of SNMP:

- SNMP version 1 (SNMPv1) - This was the first implementation, operating within
the Structure of Management Information (SMI) specification, and described in RFC 1157.
- SNMP version 2 (SNMPv2) - This version was improved to support more efficient
error handling and is described in RFC 1901. It was first introduced as RFC
1441. It is often referred to as SNMPv2c.
- SNMP version 3 (SNMPv3) - This version improves security and privacy. It was
introduced in RFC 3410.

SNMP version 2 is the most commonly deployed SNMP protocol version today. The
most recent version, SNMP version 3, includes new security features that add support
for authentication and encryption of SNMP messages as well as protecting packets
during transit.
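The following is an added worked example, not code from the page or from any of the sources it quotes. It builds the exact bytes of an SNMPv2c GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) with hand-written BER encoding, then parses the message header back the way a packet capture tool would. The point for a defender is visible in the decoder: in SNMPv1 and SNMPv2c the community string is a plain OCTET STRING that anyone on the path can read, which is what SNMPv3's authentication and privacy add. The community value "public" is only a constructed sample here; nothing is sent on the network.

```python
# Added example: minimal BER encoder/decoder for an SNMPv2c GetRequest.
# Not the page's code; the community string and request id are constructed samples.

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # standard MIB-2 object: system description


def encode_length(n):
    """BER length: short form below 128, long form (0x80|N followed by N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Tag-Length-Value wrapper used by every BER element."""
    return bytes([tag]) + encode_length(len(payload)) + payload


def encode_integer(value):
    """ASN.1 INTEGER: two's complement, minimal width (non-negative inputs here)."""
    width = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(width, "big", signed=True))


def encode_oid(oid):
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed into one byte, rest in base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """SNMPv2c message: SEQUENCE { version INTEGER(1), community OCTET STRING, GetRequest-PDU }."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))          # value is NULL in a request
    pdu = tlv(0xA0, encode_integer(request_id)                      # GetRequest-PDU (tag 0xA0)
              + encode_integer(0)                                   # error-status
              + encode_integer(0)                                   # error-index
              + tlv(0x30, varbind))                                 # VarBindList
    return tlv(0x30, encode_integer(1) + tlv(0x04, community.encode("ascii")) + pdu)


def decode_length(buf, pos):
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def read_tlv(buf, pos):
    tag = buf[pos]
    length, pos = decode_length(buf, pos + 1)
    return tag, buf[pos:pos + length], pos + length


def inspect_message(msg):
    """Read version, community and PDU type from a v1/v2c message: all of it is cleartext."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    return {
        "version": int.from_bytes(version, "big", signed=True),   # 0 = v1, 1 = v2c, 3 = v3
        "community": community.decode("ascii"),
        "pdu_tag": pdu_tag,                                        # 0xA0 = GetRequest
    }


if __name__ == "__main__":
    message = build_get_request("public", SYS_DESCR_0)
    print(message.hex())
    print(inspect_message(message))
```

Running it prints the raw bytes and then the parsed header; the community string can be located in the hex dump by eye, which is exactly why v1/v2c management traffic should stay on an isolated management network and why SNMPv3 with authentication and privacy is preferred.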

What is the Internet Control Message Protocol (ICMP)?

The Internet Control Message Protocol (ICMP) is a network layer protocol used by
network devices to diagnose network communication issues. ICMP is mainly used to
determine whether or not data is reaching its intended destination in a timely manner.
Commonly, the ICMP protocol is used on network devices, such as routers. ICMP is
crucial for error reporting and testing, but it can also be used in distributed
denial-of-service (DDoS) attacks.

What is ICMP used for?

The primary purpose of ICMP is for error reporting. When two devices connect over the
Internet, the ICMP generates errors to share with the sending device in the event that
any of the data did not get to its intended destination. For example, if a packet of data is
too large for a router, the router will drop the packet and send an ICMP message back
to the original source for the data.

A secondary use of ICMP protocol is to perform network diagnostics; the commonly
used terminal utilities traceroute and ping both operate using ICMP. The traceroute
utility is used to display the routing path between two Internet devices. The routing path
is the actual physical path of connected routers that a request must pass through before
it reaches its destination. The journey between one router and another is known as a
‘hop,’ and a traceroute also reports the time required for each hop along the way. This
can be useful for determining sources of network delay.

The ping utility is a simplified version of traceroute. A ping will test the speed of the
connection between two devices and report exactly how long it takes a packet of data to
reach its destination and come back to the sender’s device. Although ping does not
provide data about routing or hops, it is still a very useful metric for gauging
the latency between two devices. The ICMP echo-request and echo-reply messages
are commonly used for the purpose of performing a ping.

Unfortunately, network attacks can exploit this process, creating means of disruption
such as the ICMP flood attack and the ping of death attack.

How does ICMP work?

Unlike the Internet Protocol (IP), ICMP is not paired with a transport layer protocol
such as TCP or UDP. This makes ICMP a connectionless protocol: one device does not
need to open a connection with another device before sending an ICMP message.
Most IP traffic is sent using TCP, which means any two devices that exchange data
will first carry out a TCP handshake to ensure both devices are ready to receive data.
ICMP does not open a connection in this way. The ICMP protocol also does not allow
for targeting a specific port on a device.

What is an ICMP packet?

An ICMP packet is a packet that uses the ICMP protocol. ICMP packets include an
ICMP header after a normal IP header. When a router or server needs to send an error
message, the ICMP packet body or data section always contains a copy of the IP
header of the packet that caused the error.
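Added example (Python), not from the Cloudflare article or the page: it computes the RFC 1071 Internet checksum, builds the echo request that ping sends, builds a constructed Destination Unreachable error whose body quotes the offending IP header plus the first 8 bytes of its payload (the copy described above), and parses both back. All addresses are from documentation ranges and every packet is built in memory; nothing is put on the wire.

```python
# Added example: build and parse ICMP messages; not the page's or Cloudflare's code.
import struct


def inet_checksum(data):
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data = data + b"\x00"                   # odd length: pad the last word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier, sequence, payload=b"ping"):
    """ICMP type 8 / code 0. Header: type, code, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", 8, 0, 0, identifier, sequence)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, identifier, sequence) + payload


def build_dest_unreachable(code, offending_ip_packet):
    """ICMP type 3: body carries the original IP header plus the first 8 bytes of its payload."""
    ihl = (offending_ip_packet[0] & 0x0F) * 4
    body = offending_ip_packet[:ihl + 8]
    header = struct.pack("!BBHI", 3, code, 0, 0)     # 4 unused bytes after the checksum
    csum = inet_checksum(header + body)
    return struct.pack("!BBHI", 3, code, csum, 0) + body


def parse_icmp(packet):
    """Decode the ICMP header; for errors, also the quoted IP header of the packet that caused it."""
    icmp_type, code, _csum, rest_a, rest_b = struct.unpack("!BBHHH", packet[:8])
    # A packet with a correct checksum sums to zero when the checksum field is included.
    info = {"type": icmp_type, "code": code, "checksum_ok": inet_checksum(packet) == 0}
    if icmp_type in (0, 8):                           # echo reply / echo request
        info.update(identifier=rest_a, sequence=rest_b, payload=packet[8:])
    elif icmp_type == 3:                              # destination unreachable
        inner = packet[8:]
        ihl = (inner[0] & 0x0F) * 4
        info.update(
            original_src=".".join(map(str, inner[12:16])),
            original_dst=".".join(map(str, inner[16:20])),
            original_proto=inner[9],
            original_l4_bytes=inner[ihl:ihl + 8],     # e.g. the UDP ports that were unreachable
        )
    return info


# Constructed sample: a UDP/IP packet from 192.0.2.10:40000 to 198.51.100.5:53
# (documentation addresses; the IP checksum is left zero because it is not validated here).
SAMPLE_IP_PACKET = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0x1234, 0x4000, 64, 17, 0,
                bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    + struct.pack("!HHHH", 40000, 53, 16, 0) + b"\x00" * 8
)


if __name__ == "__main__":
    print(parse_icmp(build_echo_request(0xBEEF, 1)))
    print(parse_icmp(build_dest_unreachable(3, SAMPLE_IP_PACKET)))
```

The `checksum_ok` field is the check a receiver applies before trusting anything else in the message, and the quoted inner header is how a host matches a Destination Unreachable error back to the socket that sent the original datagram.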

https://www.cloudflare.com/learning/ddos/glossary/internet-control-message-protocol-icmp/

What Is NetFlow?

NetFlow is a network protocol system created by Cisco that collects active IP network traffic
as it flows in or out of an interface. The NetFlow data is then analyzed to create a picture of
network traffic flow and volume — hence the name: NetFlow.

The NetFlow protocol is used by IT professionals as a network traffic analyzer to determine
traffic's point of origin, destination, volume and paths on the network. Before NetFlow, network
engineers and administrators used Simple Network Management Protocol (SNMP) for
network traffic analysis and monitoring.

While SNMP was effective for network monitoring and capacity planning, it didn’t provide
detailed insight into bandwidth usage.

How Does NetFlow Work?

NetFlow follows a simple process of data collecting, sorting and analysis. The main
components include:

IP Flow

An IP flow consists of a group of packets that contain the same IP packet attributes. As a
packet is forwarded within a router or switch, it is examined for a set of attributes, including
IP source address, IP destination address, source port, destination port, Layer-3 protocol
type, class of service and router or switch interface.

NetFlow Cache

The NetFlow cache is a database of condensed information where NetFlow data is stored
once the packets have been examined.

Command Line Interface

The Command Line Interface (CLI) is one of two NetFlow connection methods to access
NetFlow data. It provides an immediate view of your network traffic and is useful for
troubleshooting.

NetFlow Collector

The second option to access NetFlow data is to export the data to a NetFlow collector. A
NetFlow collector is a reporting server that collects and processes traffic and the exported
data so that it is easy to analyze. These NetFlow collectors fall into two categories:
hardware-based collectors and software-based collectors, with software solutions being
more common than hardware devices.
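Added example, not Cisco's or Gigamon's code: a toy version of the NetFlow cache described above. It keys packets on the seven attributes listed under IP Flow, accumulates per-flow counters, expires flows on inactive and active timeouts the way a real cache hands them to a collector, and ranks exported flows by bytes, which is the bandwidth-usage view the text says SNMP counters lack. The packets are constructed samples using documentation addresses, and the timeout values are assumed defaults, not figures from the page.

```python
# Added example: a minimal NetFlow-style flow cache. Not the page's code;
# packets, addresses and timeouts are constructed samples / assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """The seven NetFlow key fields: a packet joins a flow only when all of them match."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int      # layer-3 protocol number (6 = TCP, 17 = UDP)
    tos: int           # class of service
    ifindex: int       # input interface


@dataclass
class FlowRecord:
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0
    tcp_flags: int = 0   # cumulative OR of the TCP flags seen in the flow


def update_cache(cache, pkt):
    """Fold one examined packet into the cache, creating the flow on first sight."""
    key = FlowKey(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                  pkt["proto"], pkt["tos"], pkt["ifindex"])
    rec = cache.setdefault(key, FlowRecord(first_seen=pkt["ts"]))
    rec.packets += 1
    rec.octets += pkt["len"]
    rec.last_seen = pkt["ts"]
    rec.tcp_flags |= pkt.get("flags", 0)
    return key


def expire_flows(cache, now, active_timeout=1800.0, inactive_timeout=15.0):
    """Remove and return the flows the cache would export: idle too long, or active too long."""
    expired = {}
    for key, rec in list(cache.items()):
        if now - rec.last_seen >= inactive_timeout or now - rec.first_seen >= active_timeout:
            expired[key] = cache.pop(key)
    return expired


def top_talkers(records, n=3):
    """Rank exported flows by bytes: (src, dst, dst_port, octets) for the n largest."""
    ranked = sorted(records.items(), key=lambda kv: kv[1].octets, reverse=True)
    return [(k.src_ip, k.dst_ip, k.dst_port, r.octets) for k, r in ranked[:n]]


# Constructed sample packets (documentation addresses), in timestamp order:
# one DNS query and both directions of a short HTTPS exchange.
SAMPLE_PACKETS = [
    dict(ts=0.0, src="10.0.0.7", dst="203.0.113.9", sport=50001, dport=53, proto=17, tos=0, ifindex=2, len=80),
    dict(ts=0.5, src="10.0.0.5", dst="203.0.113.8", sport=51000, dport=443, proto=6, tos=0, ifindex=2, len=60, flags=0x02),
    dict(ts=1.0, src="203.0.113.8", dst="10.0.0.5", sport=443, dport=51000, proto=6, tos=0, ifindex=3, len=60, flags=0x12),
    dict(ts=1.5, src="10.0.0.5", dst="203.0.113.8", sport=51000, dport=443, proto=6, tos=0, ifindex=2, len=1500, flags=0x18),
    dict(ts=2.0, src="10.0.0.5", dst="203.0.113.8", sport=51000, dport=443, proto=6, tos=0, ifindex=2, len=1500, flags=0x10),
    dict(ts=3.0, src="203.0.113.8", dst="10.0.0.5", sport=443, dport=51000, proto=6, tos=0, ifindex=3, len=1400, flags=0x18),
]


def run_sample(now=16.0):
    """Feed the sample packets through the cache and expire at time `now`."""
    cache = {}
    for pkt in SAMPLE_PACKETS:
        update_cache(cache, pkt)
    exported = expire_flows(cache, now)
    return cache, exported


if __name__ == "__main__":
    remaining, exported = run_sample(now=100.0)
    for key, rec in exported.items():
        print(key, rec)
    print("top talkers:", top_talkers(exported))
```

Note that each direction of the HTTPS exchange is its own flow (the source and destination fields are swapped and the input interface differs); a collector stitches the two halves together when it builds a conversation view.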

https://blog.gigamon.com/2018/01/08/what-is-netflow/

What is network telemetry?

A subset of telemetry, network telemetry is the collection, measurement and analysis of
data related to the behavior and performance of a network. It involves gathering
information about routers, switches, servers and applications to gain insights into how
they function and how data moves through them.

To achieve this, network telemetry employs different methods. One common approach
is network monitoring tools that capture and analyze traffic data. These tools provide
information about network bandwidth, latency, packet loss, and other performance
metrics.

Telemetry also includes protocols like SNMP (Simple Network Management Protocol) or
NetFlow that enable data collection from network devices and routers. This data can
then be processed and visualized to:

- Identify patterns
- Troubleshoot issues
- Optimize network performance

With network telemetry, you can detect and address network bottlenecks, security
threats or anomalies that might impact the network's efficiency. It’ll help you make
informed decisions, optimize network resources, and ensure a smooth and reliable
network experience for users.

The network telemetry framework has four modules. Each module has three
components for data configuration, encoding, and instrumentation. The framework uses
uniform data mechanisms and types, making it easy to manage and locate data in the
system.

Top-level modules

There are four categories of network telemetry's top-level modules:

1) The Management plane includes protocols like SNMP and syslog through which
network elements interact with a network management system (NMS). This telemetry
must address data subscription, structured data, high-speed transport and congestion
avoidance to ensure efficient automatic network operation.
2) Control plane telemetry monitors the health of different network control protocols. It
helps to detect, localize, and predict network issues. This method also allows for
real-time and detailed network optimization.
3) The forwarding plane telemetry system's functions depend on the data that the
network device can provide. Ensuring that data meets the quality, quantity, and timing
standards can be challenging for devices in the network's data plane where the data
originates.
4) In external data telemetry, external events are an essential data source. They can
be detected by hardware or software. There are a few challenges in this telemetry:

- The data must meet strict timing requirements.
- Current and future devices and applications must quickly adopt the schema
external detectors use.
- Counter-measures are needed to avoid congestion.

Second-level components:

Each plane's telemetry module has five different parts.

1. Data query, analysis and storage components issue data requirements,
receive and process returned data and initiate further data queries. They can be
centralized or distributed across network devices or remote controllers.
2. Data configuration and subscription components manage data queries and
subscriptions on devices, including configuring desired data and determining
protocols and channels for data acquisition. Subscription data can be described
through models, templates, or programs.
3. Data encoding and export components control how telemetry data is sent to the
storage component. The encoding and transport may vary based on the
export location.
4. Data generation and processing components capture, filter, and process data in
network devices from raw sources. Sometimes this is done through in-network
computing and processing on fast or slow paths.
5. Data object and source components identify the objects being monitored and
their original data sources. Data sources provide raw data, which may require
further processing. Some sources are dynamic, while others are
static.

https://www.splunk.com/en_us/blog/learn/network-telemetry.html

OSI Model:

The open systems interconnection (OSI) model is a conceptual model created by the
International Organization for Standardization which enables diverse communication
systems to communicate using standard protocols. In plain English, the OSI provides a
standard for different computer systems to be able to communicate with each other.

The OSI Model can be seen as a universal language for computer networking. It is
based on the concept of splitting up a communication system into seven abstract layers,
each one stacked upon the last.

Physical Layer

The lowest layer of the OSI Model is concerned with electrically or optically transmitting
raw unstructured data bits across the network from the physical layer of the sending
device to the physical layer of the receiving device. It can include specifications such as
voltages, pin layout, cabling, and radio frequencies. At the physical layer, one might find
“physical” resources such as network hubs, cabling, repeaters, network adapters or
modems.

Data Link Layer

At the data link layer, directly connected nodes are used to perform node-to-node data
transfer where data is packaged into frames. The data link layer also corrects errors that
may have occurred at the physical layer.

The data link layer encompasses two sub-layers of its own. The first, media access
control (MAC), provides flow control and multiplexing for device transmissions over a
network. The second, the logical link control (LLC), provides flow and error control over
the physical medium as well as identifies line protocols.

Network Layer

The network layer is responsible for receiving frames from the data link layer and
delivering them to their intended destinations based on the addresses contained
inside the frame. The network layer finds the destination by using logical addresses,
such as IP (internet protocol). At this layer, routers are a crucial component used to
quite literally route information where it needs to go between networks.

Transport Layer

The transport layer manages the delivery and error checking of data packets. It
regulates the size, sequencing, and ultimately the transfer of data between systems and
hosts. One of the most common examples of the transport layer is TCP or the
Transmission Control Protocol.

Session Layer

The session layer controls the conversations between different computers. A session or
connection between machines is set up, managed, and terminated at layer 5. Session
layer services also include authentication and reconnections.

Presentation Layer

The presentation layer formats or translates data for the application layer based on the
syntax or semantics that the application accepts. Because of this, it is at times also called
the syntax layer. This layer can also handle the encryption and decryption required by
the application layer.

Application Layer

At this layer, both the end user and the application layer interact directly with the
software application. This layer provides network services to end-user applications
such as a web browser or Office 365. The application layer identifies communication
partners, determines resource availability, and synchronizes communication.

https://www.forcepoint.com/cyber-edu/osi-model

TCP/IP Model:

The transmission control protocol/internet protocol (TCP/IP) model finds its origins in the
ARPANET reference model. The architecture of TCP has evolved from studies in
methods for connecting multiple packet-switched networks. The central aim of the
TCP/IP model is to enable the sending of data packets to one application on a single
computer. The TCP/IP model is an internet-capable set of protocols.

The TCP/IP model sets out how packets exchange information through the web. This
set of communication protocols determines how data is to be broken up, addressed,
transferred, routed and received for sharing. The client-server model is the
communication model for this set.

The TCP/IP model describes how to construct communication lines for applications. TCP
divides a message into packets before it is sent and reassembles them on
arrival. IP outlines how packets are addressed and routed to make sure that the
data reaches the right destination. The current internet architecture uses this network
concept.

The TCP/IP model has four layers:

- Application Layer
- Transport Layer
- Network Layer
- Physical Layer

Application Layer

The application layer is a combination of the application, presentation, and session
layers. This layer is responsible for interaction between the user and the application.
Here, data is formatted, converted, encrypted, decrypted, and sent to the user.

Protocols used by the application layer are:

HTTP

Hypertext transfer protocol allows the users to interact with the World Wide Web
through browser applications.

SMTP

Simple mail transfer protocol is used to send mail.

FTP

File transfer protocol is used for transmitting files from one system to another.

DNS

Domain name system is the phonebook of the internet.

TELNET

Teletype network acts as a client-server protocol. It is used to provide a bidirectional
connection.

Transport Layer

The transport layer is responsible for end-to-end communication and provides error-free
delivery of data. This layer can transport the data through a connection-oriented or
connectionless service.

The two protocols used in the transport layer are user datagram protocol (UDP) and
TCP.

UDP

This protocol provides connectionless service and end-to-end delivery of transmission.
It is considered an unreliable protocol because it detects errors but does not report
or recover from them.

TCP

It provides all transport services to the application layer. TCP is a dependable protocol
for error detection and retransmission. It ensures that all segments are received
and acknowledged before completing the transmission and tearing down the virtual circuit.

Network Layer

The network layer provides host addressing and chooses the best path to the
destination network. This layer maintains the quality of service and offers
connectionless end-to-end networking.
The protocols in the network layer are:

IPv4

Internet protocol version 4 is employed for packetizing, forwarding, and delivery of
packets. IP is an unreliable datagram protocol.

ICMPv4

Internet control message protocol handles error reporting: errors encountered while
delivering a message to its target are reported by the ICMP protocol.

IGMP

Internet group management protocol helps in multicasting.

Physical Layer

The physical layer interacts with the top level of the TCP/IP model application. This
layer is the nearest end-user TCP/IP layer. It means that the consumers can connect
with other software apps.

https://intellipaat.com/blog/what-is-tcp-ip-model/

IP addressing

An IP address is a unique identifier that assists in the recognition of different devices
present on the network. Through IP addressing, we can send and receive data
packets across the internet without trouble.

IP format

An IP address is a 32-bit numerical address represented in dotted decimal notation,
that is, separated by periods (.). It is expressed as a set of four numbers, each ranging
from 0 to 255. Slash notation (/) identifies the number of network bits reserved
for the allocated IP address.

The parts of an IP address

The IP address has two parts: the network address and the host address. The
network address is essential for the recognition of the network. In the host address part,
we always reserve the first address for the network address, and the last address for
the broadcast address. The broadcast address transmits data to all the hosts present
in the network at once.

Subnetting

Subnetting is a process of partitioning a complex network into multiple smaller logical
sub-networks, or subnets.

Subnet masks

A subnet mask is a 32-bit number that divides the existing IP address into network and host
addresses.

Example

To find the subnet mask of a particular IP address, set all network bits to 1s and
the host bits to 0s. The given IP address has 24 bits reserved as a network address.
So, its default subnet mask is 255.255.255.0.

Note: The IP address space for a network is globally allocated by the Internet
Assigned Numbers Authority (IANA). The network administrator is responsible for
managing the IP addresses within the allocated address space.

The importance of subnetting

As networks grow larger and more complex day by day, traffic also requires fast and
efficient routes. Subnetting provides a mechanism named route aggregation that
limits the size of the routing table that each router has to maintain. This not only helps
maintain efficient network speed, but also enhances performance.
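Added example (not from the Educative page): the subnet-mask arithmetic from the text, carried out in Python for the /24 case above and generalized to any prefix length, plus a "same subnet?" membership test and the route aggregation step mentioned under the importance of subnetting. All addresses are constructed samples; the /31 handling (no separate network and broadcast address) is a point-to-point convention the page does not discuss.

```python
# Added example: IPv4 subnet arithmetic and route aggregation. Not the page's code;
# the addresses are constructed samples.


def parse_cidr(cidr):
    """'192.168.1.37/24' -> (address as 32-bit int, prefix length), with range checks."""
    addr, _, prefix = cidr.partition("/")
    octets = [int(o) for o in addr.split(".")]
    prefix = int(prefix)
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets) or not 0 <= prefix <= 32:
        raise ValueError("invalid IPv4 CIDR: %r" % cidr)
    return int.from_bytes(bytes(octets), "big"), prefix


def int_to_dotted(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def prefix_to_mask(prefix):
    """Network bits set to 1, host bits to 0: /24 -> 0xFFFFFF00 (255.255.255.0)."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(cidr):
    """Network, mask, broadcast and usable host range for an address in CIDR form."""
    addr, prefix = parse_cidr(cidr)
    mask = prefix_to_mask(prefix)
    network = addr & mask                         # first address: the network address
    broadcast = network | (~mask & 0xFFFFFFFF)    # last address: the broadcast address
    host_bits = 32 - prefix
    # /31 and /32 keep no separate network/broadcast address; every other size loses two.
    two_reserved = host_bits >= 2
    usable = 2 ** host_bits - 2 if two_reserved else 2 ** host_bits
    return {
        "network": int_to_dotted(network),
        "mask": int_to_dotted(mask),
        "broadcast": int_to_dotted(broadcast),
        "first_host": int_to_dotted(network + 1 if two_reserved else network),
        "last_host": int_to_dotted(broadcast - 1 if two_reserved else broadcast),
        "usable_hosts": usable,
    }


def contains(cidr, ip):
    """True when ip falls inside the network described by cidr (same network bits)."""
    net, prefix = parse_cidr(cidr)
    target, _ = parse_cidr(ip + "/32")
    mask = prefix_to_mask(prefix)
    return (net & mask) == (target & mask)


def aggregate_routes(cidrs):
    """Route aggregation: merge aligned, adjacent prefixes into their supernet until none remain."""
    routes = set()
    for c in cidrs:
        addr, prefix = parse_cidr(c)
        routes.add((addr & prefix_to_mask(prefix), prefix))
    merged = True
    while merged:
        merged = False
        for net, prefix in sorted(routes):
            if prefix == 0:
                continue
            block = 1 << (32 - prefix)
            # A pair merges only when this network is the lower, aligned half of the
            # larger block and its sibling (the upper half) is present with the same length.
            if (net & block) == 0 and (net + block, prefix) in routes:
                routes -= {(net, prefix), (net + block, prefix)}
                routes.add((net, prefix - 1))
                merged = True
                break
    return ["%s/%d" % (int_to_dotted(n), p) for n, p in sorted(routes)]


if __name__ == "__main__":
    print(subnet_info("192.168.1.37/24"))
    print(aggregate_routes(["192.168.0.0/24", "192.168.1.0/24",
                            "192.168.2.0/24", "192.168.3.0/24"]))
```

The aggregation loop shows why adjacency alone is not enough: 10.0.1.0/24 and 10.0.2.0/24 are neighbours but not aligned on a /23 boundary, so a router has to keep both entries, while 192.168.0.0/24 through 192.168.3.0/24 collapse into a single 192.168.0.0/22.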

https://www.educative.io/answers/what-is-ip-addressing-and-subnetting

Basics of DNS and AD:

Domain Name System (DNS) is a name resolution method that is used to resolve
hostnames to IP addresses. It is used on TCP/IP networks and across the internet. DNS
is a namespace. Active Directory is built on DNS. The DNS namespace is used
internet-wide while the Active Directory namespace is used across a private network. The
reason behind the choice of DNS is that it is highly scalable and it is an internet
standard.

In the case of Active Directory, DNS maintains a database of services that are running
on that network. The list of services running is maintained in the form of service records
(SRV). Service records allow a client in an active directory environment to locate any
service it needs such as a printer. These SRV records are used to identify the domain
controllers also.

A single DNS server usually cannot resolve a resource record on its own. Several DNS
servers take part in the process. Each DNS server queries its own database to find an
address corresponding to a record. If the requested information is not available, it forwards
the query to another DNS server. For example, a name resolution may first query an
Internet root server, then the first-level domain server, and then the second-level
domain server, and so on to resolve the name to its associated address.

Every time the computer’s IP address changes, making manual entries into the DNS
database is time-consuming and might result in some entries being left out. Hence
Dynamic DNS is required to make these updates automatic. Any newly installed server
can also automatically register its IP address and SRV records with the DNS server.
Active Directory supports such Dynamic updates to be made.

AD depends on DNS for name resolution and locating resources on a network. DNS
has a database that maintains resource records, which helps identify various servers,
domains, and services on the network.
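Added example (not from the source page): how an AD client turns SRV records into an ordered list of domain controllers. It assumes the standard DC locator record name _ldap._tcp.dc._msdcs.<domain>, uses a constructed zone for the placeholder domain corp.example, implements the RFC 2782 priority-then-weight selection, and adds a small defender's check that flags SRV targets missing from an expected list, which is useful where Dynamic DNS lets any newly installed server register its own records.

```python
# Added example: parse AD-style SRV records and order them as a client would.
# Not the page's code; the zone data and domain name are constructed samples.
import random


def dc_locator_name(domain, site=None):
    """Standard AD DC locator SRV name, optionally the site-specific form."""
    domain = domain.rstrip(".")
    if site:
        return "_ldap._tcp.%s._sites.dc._msdcs.%s." % (site, domain)
    return "_ldap._tcp.dc._msdcs.%s." % domain


def parse_srv_records(zone_text):
    """Parse zone-file style lines: name ttl IN SRV priority weight port target."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()           # drop comments and blank lines
        if not line:
            continue
        name, ttl, _cls, rtype, prio, weight, port, target = line.split()
        if rtype != "SRV":
            raise ValueError("not an SRV record: " + line)
        records.append({"name": name, "ttl": int(ttl), "priority": int(prio),
                        "weight": int(weight), "port": int(port), "target": target})
    return records


def order_targets(records, rng=random):
    """RFC 2782 selection: lowest priority first; within a priority, weighted random draw."""
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        pool = [r for r in records if r["priority"] == prio]
        while pool:
            total = sum(r["weight"] for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r["weight"]
                if running >= pick:           # first record whose cumulative weight reaches the draw
                    ordered.append((r["target"], r["port"]))
                    pool.remove(r)
                    break
    return ordered


def unexpected_targets(records, expected_targets):
    """Defender's check: SRV targets that are not on the list of known domain controllers."""
    return sorted({r["target"] for r in records} - set(expected_targets))


class FixedPick:
    """Deterministic stand-in for the random module, so the ordering is reproducible."""
    def __init__(self, high):
        self.high = high

    def randint(self, a, b):
        return b if self.high else a


# Constructed zone for the placeholder domain corp.example: two DCs in the main site
# with different weights, and a low-preference backup DC (priority 10, weight 0).
SAMPLE_ZONE = """
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 50 389 dc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 10 0 389 dc3.corp.example.  ; backup
"""

if __name__ == "__main__":
    recs = parse_srv_records(SAMPLE_ZONE)
    print(order_targets(recs))                       # random weighted order, dc3 always last
    print(unexpected_targets(recs, ["dc1.corp.example.", "dc2.corp.example."]))
```

The backup controller never comes first because priority is strictly ordered; only weight is randomised, and only among records that share a priority. Comparing the live SRV set against an inventory of known controllers, as `unexpected_targets` does, is a cheap periodic check in environments that allow dynamic registration.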

https://www.windows-active-directory.com/dns-and-active-directory.html
