If there is anything to know about network security, the significance of TCP/IP protocols is one of the most important topics to study. When dealing with one’s network, the terms TCP/IP often get thrown around, as well as the mentioning of “packets”, “firewalls”, and “routers”. But what does this all mean in relation to Cybersecurity? In this module, the functions of TCP/IP will be covered in depth, as well as the intersectional dependencies that exist for TCP/IP concepts on the network.
WHAT IS AN IP?
Often when mentioning the existence of an IP (Internet Protocol), users will immediately go to the assumption that IP means the tracking of their IP address. An IP address is a 32-bit series of numbers that uniquely identifies a system or device on the network. The typical format of an IP address follows a four-part pattern of digits. For example: 192.168.0.0 is an identifying value of a computer, phone, tablet, or IoT device that is connected to the network. An Internet Protocol (IP) governs the format of data that is to be sent over the network and communicates data from system to system, providing the service of delivery for packets. IP’s primary role is to send the data over the network, but it is also responsible for logical addressing and routing.
An IP header includes information about a packet and aids a packet in arriving at its supposed destination. The following is a list of such parts that make up an IP header:
Version- 4-bit field identifying the version of an IP that is being used.
Header length- 4-bit field indicating the size of the header.
Type of Service- 8-bit field indicating how the system should handle the packet (following instructions of care).
Total Length- 16- bit field indicating size of the header.
Identification- 16-bit field that uniquely identifies a fragment when a packet is broken down.
IP flags- 3-bit field that specifies how fragments of a packet are going to be handled.
Time to Live (TTL)- 8-bit field specifying when the packet is to be discarded when no longer in use (when TTL reaches 0, the packet itself becomes expired).
Protocol- 8-bit field specifying which layer-4 protocol a packet should be in use of (TCP or UDP).
Header checksum- 16-bit field verifying the integrity (trustworthiness) of the IP header in use.
For a visual display, please refer to the diagram below:
WHAT IS TCP?
According to the CompTIA Security+ Certification Study Guide, Transmission Control Protocol (TCP) is “responsible for providing connection-oriented communication and for ensuring delivery of data” (A.K.A. reliable delivery). For a real connection to take place on a network, a connection must be established between two systems and both systems must ensure that any data sent from one source always arrives at the destination. This can easily be thought of as using a “can-telephone” (or string telephone) to chat with another individual within a room. If a message (or data) is not received or heard at the other end, TCP ensures that the message is retransmitted again. For a TCP connection to be satisfied, the recipient must acknowledge that they have received the transmission in an acknowledgment message (known as the ACK acronym) along with an assigned sequence number.
A sequence number in a TCP connection is a number assigned to each piece of data that gets sent over the network, and is part of the acknowledgement mechanism. After a recipient of data has acknowledged that they have received the message, the sequence number gets sent back as a reply of acknowledgment to the original sender. This process is also known as a “three-way handshake”.
HOW DOES A TCP “THREE-WAY HANDSHAKE” WORK?
A three-way handshake is the method by which a system can communicate using TCP transmissions on a network. To establish a connection to any system, three phases must be completed in order for communication to take place:
The SYN flag is used in the first phase of the handshake to assign packets on the network an individual sequence number. As stated before, the sequence number is a unique identifier which the sending system employs to alert the receiving system that data is being sent and needs to be acknowledged.
The second phase of the three-way handshake is the step of acknowledgement by the receiving system while also indicating the initial sequence number. The receiving system sends back to the original source acknowledging that it has received the data, but also specifies that the sequence number obtained is indeed the original ISN (Initial Sequence Number).
The final phase of the three-way handshake involves the receiving system sending an acknowledgement message to the original system source verifying that it has received the data.
Flags are often used to identify significant types of packets on a network. Since networks tend to be highly busy and convoluted in their activity, it is important to be aware of the type of information that is being sent or received to an individual user. As discussed with the previous flags of SYN and ACK, the following are additional common TCP flags that should be known:
PSH- The PSH flag stands for “push” and is used to force data onto an application.
URG- The URG flag stands for “urgent” and is used to alert when a packet is of urgent significance (needing to be first prioritized).
FIN- The “finish” flag specifies when one system would like to end the connection or communication. This is the equivalent of ending a phone call politely with a proper farewell.
RST- the “reset” flag does the opposite in ending a TCP conversation. Instead of saying farewell, a system will end communication abruptly without further “words”.
Each packet comes with a specific header assigned to it identifying certain information. The typical design of a TCP header is as follows:
Source port- 16-bit field identifying the port number of the sending system.
Destination port- 16-bit field identifying the number of the port that the packet is supposed to be sent to.
Sequence number- 32-bit field identifying the sequence number (identifier) of the packet.
Acknowledgement number- 32-bit field identifying the packet that the sending packet is acknowledging for transmission.
Offset- 4-bit field indicating where the data message starts.
Reserved- 6-bit field that is always set to 0 and saved for future use of information.
Flags- 6-bit field where the TCP flags are located and stored for use in packets.
Window Size- 16-bit field determining the amount of information that can be sent over the network before acknowledgement is expected by the receiving system.
Checksum- this is an important 16-bit field that is used to verify the integrity (trustworthiness) of the TCP header, verifying that all information is accurate and reliable.
Urgent pointer- 16-bit field used when in use of the URG flag, indicating that a piece of data is important and should be taken in priority.
Options- variable length field that indicates any other additional settings possibly needed in the TCP header.
SIGNIFICANCE WITHIN THE OSI MODEL
The OSI (Open Systems Interconnection) model is a highly important concept within network security that must be known as well as the front from the back of any security professional’s hand. According to forcepoint.com, the OSI model is a “conceptual framework used to describe the functions of a networking system”, outlining the various uses, features, and determining aspects of each layer as it relates to another.
IP resides on the third layer of the OSI Model, known as the “Network layer”. The Network layer is responsible for receiving frames from the second layer of the model (data link layer) and delivering the frames to their destination. IP addresses are what travel along this part of the framework. TCP resides on the fourth layer of the OSI model. The fourth layer of the OSI model is the Transport layer, which involves the delivery and error checking of packets (hence the significance of TCP checking the reliability of each packet and ensuring whether a transmission was received).
Each layer within the OSI model has a specific function that must be carried out in order for a network to truly succeed in its tasks. If one layer of the model is not functioning to its required extent, all other layers are duly affected. Therefore, the functioning of IP and TCP in relation to the overall well-being of a network is truly vital and essential to ensuring communicative success with separate systems.
SIGNIFICANCE WITH CYBERSECURITY
In pertaining to the vast and often complex realm of Cybersecurity, one cannot go without knowing the essential functions of IP and TCP protocols. A strong foundation and understanding of network security is needed for all cyber professionals because of the vastly expanding size and importance of the global Internet. As billions of IoT devices are being added to the cloud and the implementation of 5-G networks are starting to take flight, it is important to understand how these technological advancements will affect the largest network in the world and what those changes will mean for the users involved. Cybersecurity is all about protecting users; whether it be their personal information, mere data, or ensuring the physical privacy and safety of a user themselves. Such protection can easily become compromised when IP or TCP aspects of a network become compromised. Numerous vulnerabilities can exist in the OSI framework, often relating to the network and transport layers in which IP and TCP protocols exist.
SIGNIFICANCE WITH FIREWALLS
A firewall is a device that controls the kind of traffic that is authorized to enter or leave a network. A firewall is employed to filter network traffic (usually determined by the parameters imposed by a user or network admin). Depending on its configuration and protocols (of TCP/IP or UDP), a firewall can refuse to authorize the entry of malicious packets that will disrupt a network from acting as it should. In this way, TCP/IP protocols are important in relation to Cybersecurity for the ability to stop trouble before it happens in the midst of a network interaction.
To truly understand the full concept of TCP/IP protocols, it is beneficial to practice the activity of capturing packets in real time. Resources such as Wireshark (downloadable from wireshark.org) or Network Monitor (downloadable from microsoft.com) enable a user to capture TCP/IP packets on their network and analyze their activity. Overall, the topic of TCP/IP protocols can become quite extensive when considering the larger relation and importance to Cybersecurity. The Internet is a vast plethora of information, so in order to protect information, it is essential to know about important pieces like TCP/IP protocols.
forcepoint.com, “What is the OSI Model? The OSI Model Defined, Explained, and Explored”. https://www.forcepoint.com/cyber-edu/osi-model. Accessed June 9, 2021.
Glen E. Clarke, CompTIA Security+ Certification Study Guide Third Edition (Exam SY0-501). McGraw Hill Education.