The very backbone of communication between two or more computers is - you guessed it, packets and ports. This region of operation is where most firewalls will be looking for abnormalities.
From malicious packet data to suspicious ports, this is where the majority of attacks originate. Let's explore this more fully.
Communicating with Packets and Packet Headers
Packets are simply small blocks of data. When we send a message to another computer, the data must be broken down into smaller blocks, since we can’t always send the entire message at once. Packets contain packet headers, which contain vital information about the packet. The destination address is stored in the header, to tell devices such as routers or switches where to send the information. This destination address is simply made up of the IP address of the receiving computer. The source address is of course the sending computer’s IP address.
This data in the packet header can’t always be relied on. If it could, security would be much easier to deal with! There are several ways to use IP spoofing to “cover up” the source address - or even make it appear as if someone else is sending the data! The IP address can also be covered up through legitimate means, such as Network Address Translation, or NAT. NAT is a technique used by system administrators to “hide” networks. With this technique, the IP address of the sending computer is never given out - only the network’s address is.
While the packet header does contain other information, such as error handling and packet length data, we aren’t usually concerned with these features. The destination address is also not usually of concern when trying to improve security - the majority of the focus will be at the source address. After all, if we can’t see who’s attacking our network, how do we fight back?
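The header fields described above (source and destination address, packet length, and the error-detection checksum) can be pulled straight out of the raw bytes. The following is an added example, not code from the original article: it builds a constructed IPv4 header, parses it the way a firewall would, verifies the checksum, and applies the simple source-address plausibility check that defenders use against spoofing (a packet arriving from outside that claims an inside source address). The function names, the internal network 192.168.1.0/24 and the sample addresses are assumptions made for the example.

```python
"""Parse an IPv4 header and apply the checks a firewall makes on it (added example)."""
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/fragment,
                             # TTL, protocol, header checksum, source, destination
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header. Computed with the checksum
    field zeroed it yields the checksum; computed over an intact header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header with a valid checksum (constructed test data)."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def parse_ipv4_header(packet: bytes) -> dict:
    """Return the header fields a firewall looks at: addresses, length, protocol,
    and whether the error-detection checksum still holds."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "total_length": total_len,
        "header_length": ihl,
        "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }


def ingress_spoof_suspected(header: dict, internal_net: str, arrived_on_external: bool) -> bool:
    """Source-address plausibility (ingress filtering): a packet that arrives on the
    external interface yet claims a source inside our own network cannot be genuine,
    because that address range only originates behind the firewall."""
    src = ipaddress.IPv4Address(header["src"])
    return arrived_on_external and src in ipaddress.IPv4Network(internal_net)


if __name__ == "__main__":
    # Constructed sample: a TCP packet from a documentation address to an internal host.
    pkt = build_ipv4_header("203.0.113.9", "192.168.1.10", 6, 40)
    hdr = parse_ipv4_header(pkt)
    print(hdr)
    print("spoof suspected:", ingress_spoof_suspected(hdr, "192.168.1.0/24", True))
```

Note that the checksum only catches accidental corruption in transit; a spoofed packet carries a perfectly valid checksum, which is why the plausibility check on the source address is a separate step.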
Transporting Data on the Transport Layer
Actually sending the data is a little more complex. We use what is called a transport layer protocol to make sure the data is sent properly. There are two main protocols: UDP and TCP.
Transmission Control Protocol (TCP)
Transmission control protocol, or TCP, is what the majority of communication will rely on. This is because it is considered a “reliable” connection. When data is sent from one computer, this protocol ensures that the data is received. If it wasn’t, a request to resend the data is made. This functionality is seen in many download managers - when a piece of the file isn’t received, the manager requests it again before trying to execute the file.
TCP uses the three-way handshake to achieve this stability. Through this handshake, both computers will agree on things such as how many packets to send at once, how fast, and so on. The data is then sent to the receiving computer and reassembled correctly to form the entire message. Pretty reliable, isn’t it? Let’s take a look at TCP’s not-so-reliable cousin, UDP.
User Datagram Protocol (UDP)
User datagram protocol, or UDP, is the opposite of TCP. It is often referred to as an “unreliable” protocol, since it doesn’t check that sent data is received. Unlike TCP, UDP is considered “connectionless”, which means that the sending computer keeps sending the message regardless of whether the receiver has problems receiving it.
UDP does have its place, however. Think of it in terms of listening to online radio. With UDP, missing data doesn’t have to be accounted for, so the transmission is continuous and there is no stopping to request lost data. TCP, on the other hand, would be a poor choice here. If some data were lost, we would much rather lose that data than have the stream stop and wait for it, wouldn’t we?
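The difference between TCP’s handshake and UDP’s connectionless sending is exactly what a stateful firewall tracks: a TCP flow is only trusted once SYN, SYN-ACK and ACK have been seen with consistent sequence numbers, while a UDP flow exists the moment a single datagram passes. The following is an added example, not code from the original article, of such a tracker; the Segment fields, the flow states and the sample addresses are assumptions made for the example.

```python
"""Connection tracking as a stateful firewall does it: TCP flows must complete the
three-way handshake before data is accepted; UDP flows exist as soon as one datagram
is seen, because there is no handshake to wait for (added example)."""
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    proto: str                              # "TCP" or "UDP"
    src: tuple                              # (ip, port) of the sender
    dst: tuple                              # (ip, port) of the receiver
    flags: frozenset = frozenset()          # TCP flags present, e.g. {"SYN", "ACK"}
    seq: int = 0                            # TCP sequence number
    ack: int = 0                            # TCP acknowledgement number


class ConnectionTracker:
    def __init__(self):
        self.flows = {}     # flow key -> per-flow state dict

    @staticmethod
    def flow_key(seg):
        # Both directions of a conversation map to the same key.
        return (seg.proto,) + tuple(sorted([seg.src, seg.dst]))

    def observe(self, seg) -> str:
        """Feed one segment through the tracker; returns the flow's new state,
        or "INVALID" for a segment that does not fit the expected handshake."""
        key = self.flow_key(seg)
        if seg.proto == "UDP":
            # Connectionless: the first datagram in either direction creates the flow.
            self.flows[key] = {"state": "ACTIVE"}
            return "ACTIVE"

        flow = self.flows.get(key, {"state": "NEW"})
        state = flow["state"]

        if state == "NEW":
            if seg.flags == {"SYN"}:
                self.flows[key] = {"state": "SYN_SENT", "client": seg.src,
                                   "client_isn": seg.seq}
                return "SYN_SENT"
            return "INVALID"        # nothing but a SYN may open a connection

        if state == "SYN_SENT":
            # The server must acknowledge exactly the client's initial sequence number + 1.
            if (seg.flags == {"SYN", "ACK"} and seg.dst == flow["client"]
                    and seg.ack == (flow["client_isn"] + 1) & SEQ_MASK):
                flow.update(state="SYN_RECEIVED", server_isn=seg.seq)
                return "SYN_RECEIVED"
            return "INVALID"

        if state == "SYN_RECEIVED":
            # The client's final ACK must match both sides' initial sequence numbers.
            if (seg.flags == {"ACK"} and seg.src == flow["client"]
                    and seg.seq == (flow["client_isn"] + 1) & SEQ_MASK
                    and seg.ack == (flow["server_isn"] + 1) & SEQ_MASK):
                flow["state"] = "ESTABLISHED"
                return "ESTABLISHED"
            return "INVALID"

        # ESTABLISHED: every later segment carries ACK; anything else is out of place.
        return "ESTABLISHED" if "ACK" in seg.flags else "INVALID"


if __name__ == "__main__":
    # Constructed sample: one client connects to a web server, then sends a DNS datagram.
    tracker = ConnectionTracker()
    client, server = ("192.168.1.10", 51000), ("203.0.113.9", 80)
    print(tracker.observe(Segment("TCP", client, server, frozenset({"SYN"}), seq=1000)))
    print(tracker.observe(Segment("TCP", server, client, frozenset({"SYN", "ACK"}), seq=5000, ack=1001)))
    print(tracker.observe(Segment("TCP", client, server, frozenset({"ACK"}), seq=1001, ack=5001)))
    print(tracker.observe(Segment("UDP", client, ("203.0.113.53", 53))))
```

A stray ACK with no preceding SYN, or a SYN-ACK that acknowledges the wrong number, comes back as INVALID; that is the check a stateful firewall relies on to drop packets that merely claim to belong to a connection.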
Sending and Receiving Data via Ports
Thanks to the advent of ports, we can communicate with more than one device at a time. Ports are numbers that answer two questions: where did the packet come from on the sender’s computer, and where should it go on the receiver’s computer? The internet is most commonly accessed through port 80 when using TCP, the port designated for web servers. When you are online, this is the port number you are using to communicate with websites.
Other services, such as file transfer protocol (FTP), use more than one port: 20 and 21. UDP has its own set of port numbers, but you will most likely not come into contact with them very much. There are, however, six particular TCP ports that firewall technicians need to know about.
HTTP, or HyperText Transfer Protocol, is actually something we have already learned - port 80. This port will allow you to view most websites. Keep in mind that this is a standard port - it isn’t necessarily used by every web server. If one wished to hide their server from the rest of the world, for instance, the port number could be changed to another port.
As we learned in the previous section, HTTP connections are made to IP addresses, but those addresses are usually looked up through DNS.
DNS, the domain name system, was reviewed in the previous section. In a nutshell, it translates domain names such as www.Google.com into IP addresses, so users don’t have to memorize an IP address. The DNS port is port 53.
POP3 and SMTP
SMTP, or simple mail transfer protocol, is used to send email from an SMTP server. This protocol uses port 25. When retrieving email messages from a mail server, POP3 is used. This protocol, post office protocol version 3, uses port 110.
Telnet is a standard application that lets a host connect to a Telnet server directly, through a console window. This is especially handy for firewall administrators who want to test the security of a certain port. Keep in mind that Telnet is insecure, and that passwords used via Telnet can be captured over a network. Telnet uses port 23.
File transfer protocol is a means of sending files to a remote server. FTP uses two ports, 20 and 21, when in use. FTP programs such as SmartFTP or WS_FTP have made FTP quite easy to use - but keep in mind that these ports can be a security threat too, and should be watched by a firewall.
The six key ports will usually come as second nature to most system administrators. Don’t fret if you can’t remember them yet; you will most likely get practice in due time. Right now, just understand that the most popular connection method is TCP, and be sure to re-read the information on this protocol and on packets in particular.
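The six ports above are the raw material of a port-based firewall policy: rules keyed on protocol and destination port, consulted top to bottom, with a default of deny for anything unlisted. The following is an added example, not code from the original article or from any firewall product; the Rule and Policy classes, the service table and the sample inbound policy (which blocks Telnet because its passwords travel in the clear, and allows the others) are assumptions made for the example. It also shows why the text’s caveat about port 80 matters: a web server moved to another port is not recognised by port number alone.

```python
"""Ordered, first-match firewall policy on transport protocol and destination port,
with a default-deny fallback (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# The six well-known TCP ports covered in this section (FTP counts once, with two ports).
WELL_KNOWN_TCP = {80: "HTTP", 53: "DNS", 25: "SMTP", 110: "POP3", 23: "Telnet",
                  20: "FTP-data", 21: "FTP-control"}


def service_name(proto: str, port: int) -> str:
    """Best guess at the service behind a port. The port only suggests the service:
    a web server moved off port 80 simply shows up here as 'unknown'."""
    if proto == "TCP":
        return WELL_KNOWN_TCP.get(port, "unknown")
    return "DNS" if proto == "UDP" and port == 53 else "unknown"


@dataclass(frozen=True)
class Rule:
    action: str                                  # "allow" or "deny"
    proto: Optional[str] = None                  # "TCP", "UDP", or None for any protocol
    dst_ports: Optional[FrozenSet[int]] = None   # None matches any destination port
    comment: str = ""

    def matches(self, proto: str, dst_port: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dst_ports is None or dst_port in self.dst_ports))


class Policy:
    """Rules are consulted top to bottom; the first match wins, so rule order is policy."""

    def __init__(self, rules, default: str = "deny"):
        self.rules = list(rules)
        self.default = default

    def evaluate(self, proto: str, dst_port: int) -> Tuple[str, str]:
        """Return (action, reason) for one packet's protocol and destination port."""
        for index, rule in enumerate(self.rules):
            if rule.matches(proto, dst_port):
                return rule.action, f"rule {index}: {rule.comment}"
        return self.default, "default policy"


def example_policy() -> Policy:
    """Constructed inbound policy for a small network (an assumption for this example)."""
    return Policy([
        Rule("deny", "TCP", frozenset({23}), "Telnet sends passwords in the clear"),
        Rule("allow", "TCP", frozenset({80}), "public web server"),
        Rule("allow", None, frozenset({53}), "DNS over UDP or TCP"),
        Rule("allow", "TCP", frozenset({25, 110}), "mail: SMTP delivery, POP3 pickup"),
        Rule("allow", "TCP", frozenset({20, 21}), "FTP, logged and watched"),
    ])


if __name__ == "__main__":
    policy = example_policy()
    # Constructed sample traffic: (protocol, destination port)
    for proto, port in [("TCP", 80), ("TCP", 23), ("UDP", 53), ("TCP", 110), ("TCP", 8080)]:
        action, reason = policy.evaluate(proto, port)
        print(f"{proto}/{port:<5} {service_name(proto, port):<12} {action:<5} ({reason})")
```

Because the first matching rule wins, the explicit deny for Telnet has to sit above any broad allow; swap the order and Telnet is let through, which is the most common mistake in hand-written rule sets.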
Finally, we are done with theory! We can start to get our hands dirty with the inner-workings of firewalls. We will learn how to protect our network with some of the latest security techniques - onward to the next section!