Reading 01 - theSam1998/ops-301-Reading-Notes GitHub Wiki

# Reading 01

statement addressing why this topic matters as it relates to what you are studying in this module:

What does “OSI” stand for?

  • Open Systems Interconnection. It is a seven-layer reference model describing how data is moved from an application on one host to an application on another across any network, including the globe-spanning internet. The internet itself was built on the TCP/IP protocol suite, not on OSI; OSI's value is as documentation and a shared vocabulary, and its modularity (each layer has one job and talks only to the layers directly above and below it) makes it easier to say exactly where in the stack a fault or a threat sits.

List the 7 layers of the OSI model and what each one is responsible for.

Lower Layers:

  • The physical layer is the lowest layer and is responsible for the physical connection between two devices. It carries raw bits: on the sending side it turns the bits handed down by the data link layer into signals (electrical, optical or radio) on the medium, and on the receiving side it turns the received signals back into 1s and 0s and passes them up to the data link layer. The physical layer also synchronizes bits using a clock, defines the data transmission rate, defines the physical topology of the network, and defines the transmission mode between the two devices (simplex, half duplex or full duplex).
  • The data link layer is responsible for delivering data from one node to the next over a single link (node-to-node delivery), and its job is to make that hop reliable and error free. When a packet arrives on a network, it is the data link layer (DLL) that delivers it to the correct host using the MAC address. The DLL is divided into two sub-layers, logical link control (LLC) and media access control (MAC). Packets handed down from the network layer are placed into frames; the DLL attaches special bit patterns to the start and end of each frame so the recipient can tell where one frame ends and the next begins. The DLL also puts the sender's and recipient's MAC addresses in the header of each frame, detects damaged or lost frames (and on links that support it retransmits them), controls how much data may be sent before an acknowledgement must be received (flow control), and provides access control, deciding which device may use a shared channel at any given time.
  • The network layer transmits data between hosts on different networks. It selects a path from the source to the destination (routing) and places the sender's and receiver's IP addresses in the header; unlike MAC addresses, which only have meaning on the local link, IP addresses identify each host uniquely and universally.

Heart:

  • The transport layer sits between the network layer and the upper layers (it hands received data to the session layer) and provides end-to-end delivery from a process on one host to a process on another. It acknowledges data that arrived correctly and resends data that was lost or corrupted. It reassembles the segments coming up from the lower layers into complete data for the upper layers, and splits data coming down from the session layer into segments for transmission. It includes the service point address (the port number) in the header so that the data reaches the correct process on the destination host. The layer can offer two kinds of service: connectionless service sends data without acknowledgement at either end and is faster but less reliable (UDP is the TCP/IP example), while connection-oriented service sets up a connection first, acknowledges receipt and retransmits as needed, so it is reliable but slower (TCP). Data units at the transport layer are called "segments", and the transport layer is regarded as the heart of the OSI model.

Upper Layers:

  • The session layer is responsible for establishing, maintaining and terminating the connection (session) between endpoints, and in the OSI description it also provides authentication and security for that session. It allows a process to add synchronization points (checkpoints) to the data stream, so that after a failure the transfer can be resynchronized from the last checkpoint rather than started over, which prevents data loss.
  • The presentation layer takes data from the application layer and converts it into the format required for network transmission (and does the reverse on the receiving side). It translates between character encoding standards (e.g. ASCII to EBCDIC), encrypts and decrypts data by converting it into another form, and compresses data to reduce the number of bits that have to be sent over the network.
  • The application layer is implemented by the network applications themselves (e.g. web browsers, the Facebook Messenger app). It is the highest layer, providing the interface through which users create the data that needs to be transmitted in the first place, and it serves as the gateway through which application services access the network.
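The layer descriptions above are easiest to see in bytes. The following is an added example written for these notes (it is not code from any of the reading sources): it wraps an HTTP request in a TCP segment (layer 4), an IPv4 packet (layer 3) and an Ethernet frame (layer 2), then decodes the frame back up the stack the way a receiver would. Every MAC address, IP address, port and payload is constructed; the IP addresses come from the RFC 5737 documentation ranges and the MACs are made-up locally administered addresses. The TCP checksum is deliberately left at zero to keep the example short; the IPv4 header checksum is computed and verified.

```python
"""Added example: encapsulating application data down the OSI layers
(transport -> network -> data link) and decoding it back up.
Not code from the reading sources; all addresses, ports and payload are constructed."""
import struct

SRC_IP, DST_IP = "192.0.2.10", "198.51.100.5"                 # RFC 5737 documentation addresses
SRC_MAC, DST_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed, locally administered


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.  Over a header whose
    checksum field is already filled in, the result is 0 if the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_port: int, dst_port: int, seq: int, flags: int, payload: bytes) -> bytes:
    """Layer 4: 20-byte TCP header (no options) in front of the application data.
    The TCP checksum needs an IP pseudo-header, so it is left at 0 here (simplification)."""
    offset_and_flags = (5 << 12) | flags            # header length = 5 words, then the flag bits
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0, offset_and_flags, 65535, 0, 0)
    return header + payload


def build_ipv4(src_ip: str, dst_ip: str, segment: bytes, proto: int = 6) -> bytes:
    """Layer 3: IPv4 header carrying the end-to-end host addresses and a header checksum."""
    src, dst = (bytes(int(o) for o in ip.split(".")) for ip in (src_ip, dst_ip))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64, proto, 0, src, dst)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + segment


def build_ethernet(src_mac: str, dst_mac: str, packet: bytes) -> bytes:
    """Layer 2: the frame header names the next hop on this link (MACs), not the final host."""
    to_bytes = lambda mac: bytes(int(x, 16) for x in mac.split(":"))
    return to_bytes(dst_mac) + to_bytes(src_mac) + struct.pack("!H", 0x0800) + packet


def decode_frame(frame: bytes) -> dict:
    """Peel the layers back off, one at a time, the way a receiver (or Wireshark) does."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    fmt_mac = lambda raw: ":".join(f"{b:02x}" for b in raw)
    layers = {"ethernet": {"src": fmt_mac(src_mac), "dst": fmt_mac(dst_mac), "ethertype": ethertype}}
    if ethertype != 0x0800:                         # not IPv4: nothing more we can decode here
        return layers
    ver_ihl, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes (20 without options)
    layers["ipv4"] = {
        "src": ".".join(map(str, src_ip)), "dst": ".".join(map(str, dst_ip)),
        "ttl": ttl, "protocol": proto,
        "checksum_ok": ipv4_checksum(frame[14:14 + ihl]) == 0,   # any corrupted header byte -> False
    }
    if proto != 6:                                  # only TCP is decoded in this example
        return layers
    tcp_start = 14 + ihl
    src_port, dst_port, seq, _, offset_and_flags = struct.unpack("!HHIIH", frame[tcp_start:tcp_start + 14])
    layers["tcp"] = {"src_port": src_port, "dst_port": dst_port, "seq": seq, "flags": offset_and_flags & 0x1FF}
    data_start = tcp_start + (offset_and_flags >> 12) * 4
    layers["payload"] = frame[data_start:14 + total_len]
    return layers


def build_example_frame() -> bytes:
    """A constructed HTTP request (application layer) wrapped in TCP, IPv4 and Ethernet."""
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    segment = build_tcp(51000, 80, seq=1, flags=0x18, payload=request)   # PSH|ACK
    packet = build_ipv4(SRC_IP, DST_IP, segment)
    return build_ethernet(SRC_MAC, DST_MAC, packet)


if __name__ == "__main__":
    for layer, fields in decode_frame(build_example_frame()).items():
        print(layer, fields)
```

Running the script prints one line per layer, which is the same ordering Wireshark shows in its packet-details pane: Ethernet (MACs for this link), IPv4 (host addresses, TTL, checksum), TCP (ports, sequence number, flags) and finally the application payload. Flipping any byte in the IPv4 header makes `checksum_ok` go false, which is the error detection the lower layers provide.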

Distinguish which layers are the “hardware layers”, and which layers are the “software layers”. What does that even mean?

  • The hardware layers are the lowest three: physical, data link and network. These layers are concerned with the physical connection between devices and with the hardware directly, breaking data down into the form the machine works with at the lowest level, 1s and 0s; in practice they are largely implemented in network interface cards, switches and routers. The software layers are the upper three: session, presentation and application, all of which run as software on the host and are oriented around either assembling received data for use by the application or breaking application data down to be handed to the hardware layers. The transport layer in the middle bridges the two groups and is usually counted as both.

How can the OSI model be used in troubleshooting?

  • The OSI model provides the benefit of multiple levels of authentication and acknowledgement, and greater visibility of interactions throughout the entire system. This can make it easier to view threats buried deep within the lower layers of the network, nestled securely in the higher layers, or riding along through the data transmission process. I may be understanding this wrong, but it seems as though the OSI model is designed to provide this greater level of visibility and record keeping, though I have noticed several sources mention that the TCP/IP protocol should be used for overall security and stability in most cases. I believe this greater level of visibility and control over the data transmission process would make it easier to identify exactly where issues are stemming from, thus resolving their root cause more efficiently and decreasing the likelihood of a repeated error.

What is Wireshark?

  • Wireshark is a free, open-source packet analyzer that comes bundled with Kali Linux (and also runs on Windows, macOS and other Linux distributions) and is designed to capture the packets being transmitted on a network for analysis. Wireshark listens on a network interface in real time, grabs entire streams of packets, and lets you sift through them efficiently using capture filters (what gets recorded) and display filters (what gets shown). This lets you monitor the traffic on a network easily and thoroughly, following entire conversations taking place on the network or zooming in on a single field in one packet.

What is a packet?

  • A packet is a small unit of data that is part of a larger transmission. Data is broken into packets so it can be sent efficiently across a network; each packet carries its own headers (addresses, ports, sequence numbers) so that the pieces can be routed independently and reassembled in order at the destination.

What 3 high-level things does Wireshark accomplish? How could these be used for nefarious purposes? For benevolent purposes?

  • First off, I'll start with the obvious: Wireshark captures the packets being transmitted across the network. This means communication can be observed; for bad actors, anyone positioned on the same network segment (or on a mirror port) can read unencrypted traffic, steal sensitive data, or simply watch your activity on the network. On the other hand, pros like ourselves can use this same ability to detect issues and unauthorized activity on our networks, helping to ensure smooth functionality and providing swift troubleshooting for problems whose cause would otherwise be hard to determine. Second, Wireshark dissects each packet layer by layer and shows encrypted payloads as they are, together with the handshake that set the encryption up; it does not break encryption, although it can decrypt TLS or Wi-Fi traffic if you give it the keys (for example a browser's TLS key log file, or the WPA pre-shared key). For good purposes, this lets you troubleshoot by determining which protocol, version and cipher two endpoints negotiated, e.g. the YouTube troubleshooting example provided in https://www.comptia.org/content/articles/what-is-wireshark-and-how-to-use-it. On the other hand, a bad actor who sees an outdated protocol or weak cipher being negotiated knows which separate tools might recover the plaintext, again leading to the theft of your sensitive data. Third, Wireshark lets you see the types of interactions occurring between two endpoints, e.g. a failed attempt to reach a service on your home router shows up as a TCP RST or an ICMP "destination unreachable (port unreachable)" reply visible within Wireshark. An obvious benefit of this is that an IT pro or a skilled user can quickly resolve complex issues on their network by seeing exactly where errors are occurring. On the other end of the spectrum, bad actors can use the same view to map which ports answer and which do not, identifying weak points within your network that they can exploit using other methods.
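The three activities above (observe traffic, filter it down, and spot failed interactions such as a port-unreachable reply) are what Wireshark's display filters and "Follow TCP Stream" do for you. As an added example written for these notes (not Wireshark's own code), the script below implements a small subset of the display-filter language (`==`, `!=`, bare protocol names, `not`, `and`, `or`, parentheses, with `and` binding tighter than `or` as in Wireshark) and a stream follower, and runs them over a constructed seven-packet capture: a UDP probe answered by ICMP type 3 / code 3, a normal TCP handshake to port 443, and a SYN to port 80 answered by RST/ACK. The field names (`ip.addr`, `tcp.port`, `icmp.type`, `tcp.flags.reset`, ...) are real Wireshark field names; the packets and addresses (RFC 5737 documentation ranges) are made up.

```python
"""Added example (not Wireshark code): a tiny Wireshark-style display filter
and 'Follow TCP Stream', run over a constructed capture."""
import re

# Constructed packet list, as Wireshark's summary pane might show it.
# 1-2: UDP probe to a closed port on the router, answered by ICMP type 3 code 3 (port unreachable)
# 3-5: a normal TCP handshake to a web server on 443
# 6-7: a SYN to port 80 answered by RST/ACK, i.e. nothing is listening there
CAPTURE = [
    {"no": 1, "ip.src": "192.0.2.10", "ip.dst": "192.0.2.1", "udp.srcport": 40000, "udp.dstport": 9999},
    {"no": 2, "ip.src": "192.0.2.1", "ip.dst": "192.0.2.10", "icmp.type": 3, "icmp.code": 3},
    {"no": 3, "ip.src": "192.0.2.10", "ip.dst": "198.51.100.5", "tcp.srcport": 51000, "tcp.dstport": 443,
     "tcp.flags.syn": 1, "tcp.flags.ack": 0, "tcp.flags.reset": 0},
    {"no": 4, "ip.src": "198.51.100.5", "ip.dst": "192.0.2.10", "tcp.srcport": 443, "tcp.dstport": 51000,
     "tcp.flags.syn": 1, "tcp.flags.ack": 1, "tcp.flags.reset": 0},
    {"no": 5, "ip.src": "192.0.2.10", "ip.dst": "198.51.100.5", "tcp.srcport": 51000, "tcp.dstport": 443,
     "tcp.flags.syn": 0, "tcp.flags.ack": 1, "tcp.flags.reset": 0},
    {"no": 6, "ip.src": "192.0.2.10", "ip.dst": "203.0.113.7", "tcp.srcport": 51001, "tcp.dstport": 80,
     "tcp.flags.syn": 1, "tcp.flags.ack": 0, "tcp.flags.reset": 0},
    {"no": 7, "ip.src": "203.0.113.7", "ip.dst": "192.0.2.10", "tcp.srcport": 80, "tcp.dstport": 51001,
     "tcp.flags.syn": 0, "tcp.flags.ack": 1, "tcp.flags.reset": 1},
]

# Wireshark fields that match either direction of a packet.
EITHER_DIRECTION = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}


def field_values(pkt: dict, name: str) -> set:
    """All values a field has in this packet, as strings for comparison."""
    return {str(pkt[k]) for k in EITHER_DIRECTION.get(name, (name,)) if k in pkt}


def has_protocol(pkt: dict, name: str) -> bool:
    """A bare name such as 'tcp' or 'icmp' matches when any field of that protocol is present."""
    return bool(field_values(pkt, name)) or any(k.startswith(name + ".") for k in pkt)


def compile_filter(text: str):
    """Parse a filter expression into a predicate over one packet (recursive descent)."""
    tokens = re.findall(r"\(|\)|==|!=|[\w.]+", text)
    pos = 0

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expr():                                  # or-expression, lowest precedence
        left = and_expr()
        while peek() == "or":
            take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, and_expr())
        return left

    def and_expr():                              # 'and' binds tighter than 'or'
        left = unary()
        while peek() == "and":
            take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, unary())
        return left

    def unary():                                 # not X | ( X ) | field op value | protocol
        tok = take()
        if tok == "not":
            inner = unary()
            return lambda p: not inner(p)
        if tok == "(":
            inner = expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return inner
        if peek() in ("==", "!="):
            op, value = take(), take()
            if op == "==":
                return lambda p: value in field_values(p, tok)
            return lambda p: value not in field_values(p, tok)   # Wireshark 3.6+: a != b is !(a == b)
        return lambda p: has_protocol(p, tok)

    predicate = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return predicate


def apply_filter(capture: list, text: str) -> list:
    """Packet numbers that survive the display filter."""
    match = compile_filter(text)
    return [p["no"] for p in capture if match(p)]


def follow_tcp_stream(capture: list, packet_no: int) -> list:
    """Packet numbers in the same TCP conversation as the chosen packet, both directions."""
    def key(p):
        return frozenset(((p["ip.src"], p["tcp.srcport"]), (p["ip.dst"], p["tcp.dstport"])))
    start = next(p for p in capture if p["no"] == packet_no)
    if "tcp.srcport" not in start:
        raise ValueError("not a TCP packet")
    return [p["no"] for p in capture if "tcp.srcport" in p and key(p) == key(start)]


if __name__ == "__main__":
    for f in ("icmp.type == 3 and icmp.code == 3", "tcp.flags.reset == 1", "ip.addr == 198.51.100.5"):
        print(f"{f!r:40} -> packets {apply_filter(CAPTURE, f)}")
    print("follow stream of packet 4 ->", follow_tcp_stream(CAPTURE, 4))
```

The two failure signatures from the paragraph above are one filter each: `icmp.type == 3 and icmp.code == 3` finds the router's port-unreachable reply, and `tcp.flags.reset == 1` finds the server refusing the connection on port 80. Both are the same filters you would type into Wireshark's display-filter bar on a real capture.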

Things I want to know more about:

  • What exactly are nodes? I've heard this term mentioned in my studies on neural networks, and I haven't gone far enough in to fully understand what they really are yet.
  • What are some of the most likely use cases for Wireshark in the field?
  • What (if there are any) are some high-profile attacks in which the attackers have utilized Wireshark in their arsenal?