This lesson may be tough to follow for some folks. Please stick with us on it. Please post any questions you have and we will do our best to answer them.
We need to cover a few topics on how the internet works. It will make subsequent lessons more understandable.
The more you understand the fundamentals, the more you will understand what is safe, not safe, and how to layer defenses. We’ll keep it as short as possible. We will also begin to introduce terminology and the acronyms. Just like any subject, half the battle to mastering it is learning the language.
There is a diagram of Internet topology below. Think of it as your Area of Operations (AO): the map of your digital battlefield. This lesson is an Intelligence Preparation of the Battlefield (IPB). There is a “Green Zone” (your LAN) and there is Outside the Wire. What you go outside the wire to “do” will dictate your security posture for that activity or mission. You should never go outside the wire without at least some basic security in place.
Much of this may seem trivial or unimportant, but please take time to read it fully and understand it.
Here is why this is important:
- You need to know what an IP Address is and how it identifies you.
- You use DNS every time you visit a website. You need to know how this lets your ISP see what you are browsing, how to protect against it, and what a DNS Leak is.
- You need to know what a MAC address is and why to hide it.
Keep this simple picture in mind as we discuss this. There is a more comprehensive picture later on in this lesson.
How does Internet data move?
This section is provided for contrast against the next section, Packet Switching.
The public telephone network is an example of Circuit Switching. If you ring a friend, your telephone opens a direct connection (or circuit) between your home and theirs. You could, in theory, trace a direct line, running along many miles of cable, all the way from your phone to the phone in your friend’s house. For as long as you’re on the phone, that circuit stays permanently open between your two phones.
Circuit switching is an inefficient way to use a network. All the time you’re connected to your friend’s house, no-one else can get through to either of you by phone, even if no one is saying anything. Even though you’re not actually sending information down the line, the circuit is still connected—and still blocking other people from using it.
Some of the internet is on the public telephone network. The Internet could, theoretically, work by circuit switching—and some parts of it still do. If you have a traditional “dialup” connection (modem or ISDN) to the Net (where your computer dials a telephone number to reach your Internet service provider), you’re using circuit switching to go online.
Most data today moves over the Internet in a completely different way called packet switching. Suppose you send an email to someone in China. Instead of opening up a long and convoluted circuit between your home and China and sending your email down it all in one go, the email is broken up into tiny pieces called packets. Each one is tagged with its ultimate destination and allowed to travel separately. In theory, all the packets could travel by totally different routes. When they reach their ultimate destination, they are reassembled to make an email again.
Packet switching is much more efficient than circuit switching. You don’t have to have a permanent connection between the two places that are communicating, for a start, so you’re not blocking an entire chunk of the network each time you send a message. Many people can use the network at the same time and since the packets can flow by many different routes, depending on which ones are quietest or busiest, the whole network is used more evenly—which makes for quicker and more efficient communication all round.
The concept of packets and multiple routes will be a recurring theme in future lessons.
How computers do different jobs on the Internet
Key Concepts & Terms: Client, Server, Router, Local Area Network (LAN), Firewall, Internet Service Provider (ISP)
Clients & Servers:
There are hundreds of millions of computers on the Net, and they have different jobs. Some of them are like electronic filing cabinets that simply store information and pass it on when requested, or provide services. These machines are called servers. Machines that hold ordinary documents are called file servers; ones that hold people’s mail are called mail servers; and the ones that hold Web pages are Web servers. There are tens of millions of servers on the Internet. Your printer at home is a print server.
A computer that gets information from a server is called a client. When your computer connects over the Internet to a mail server at your ISP (Internet Service Provider) so you can read your messages, your computer is the client and the ISP computer is the server. There are far more clients on the Internet than servers. Every Android and iPhone is a client.
Apart from clients and servers, the Internet is also made up of intermediate computers called routers, whose job is really just to make connections between different systems. If you have several computers at home or school, you probably have a single router that connects them all to the Internet. The router is like the mailbox on the end of your driveway: it’s your single point of entry to the worldwide network.
Your home router does several jobs:
- Make connections
- Determine if traffic is internal to your Local Area Network (LAN, the computers in your home) or external (when you send mail or browse)
- “Route” the traffic appropriately (internal or external)
- Act as a firewall to protect your LAN. Firewalls block unwanted traffic in or out.
EVERY network interface (every piece of hardware that talks on a network) has a unique address burned into it, called a MAC address. It is in your laptop’s network card, every server, every Bluetooth earpiece, iPhone, router…everything. Think of it like a serial number burned into the chip. The MAC address is only visible on your LAN. If you are at home and you’ve secured your network (using passwords and strong router encryption), you are safe. However, if you are at your friend’s house, a hotel, or are using Starbucks wifi, you are on their LAN. They can see your MAC address, and tie any browsing right to you. Luckily, there is an easy way to spoof your MAC address (Lesson 0006).
How the Net really works: TCP/IP and DNS
Key Concepts & Terms: TCP/IP, Protocol, DNS (Domain Name System), DNS Servers, MAC Address
If everything is sent by packet switching, and no-one really controls it, how does that vast mass of data ever reach its destination without getting lost?
The answer is called TCP/IP, which stands for Transmission Control Protocol/Internet Protocol. “Protocols” are really just standard sets of rules or processes for various activities on the internet. There are many different protocols. Some handle your mail (SMTP – Simple Mail Transfer Protocol), some serve up web pages (HTTP – Hyper Text Transfer Protocol), and some control the packets of data (TCP/IP). There are many others.
TCP/IP is the Internet’s fundamental “control system” and it’s really two systems in one. So what do TCP and IP actually do?
Transmission Control Protocol (TCP) sorts out how packets of data move back and forth between one computer (in other words, one IP address) and another. It’s TCP that figures out how to get the data from the source to the destination, arranging for it to be broken into packets, transmitted, resent if they get lost, and reassembled into the correct order at the other end.
Internet Protocol (IP) is simply the Internet’s addressing system. All the machines on the Internet—yours, mine, and everyone else’s—are identified by an IP address that takes the form of a series of digits separated by dots or colons. If all the machines have numeric addresses, every machine knows exactly how (and where) to contact every other machine.
DNS & IP
When it comes to websites, we usually refer to them by easy-to-remember names (like http://www.secret.com) rather than their actual IP addresses. There’s a relatively simple system called DNS (Domain Name System) that enables a computer to look up the IP address for any given website. Think of DNS as a phone book. You know someone’s name, and you need the number to connect with them – the IP Address.
In the original version of IP, known as IPv4, addresses consisted of four numbers separated by dots, such as 126.96.36.199 or 188.8.131.52. The rapid growth in Internet use meant that all possible addresses were used up by January 2011. That has prompted the introduction of a new IP system with more addresses, which is known as IPv6, where each address is much longer and looks something like this: 123a:b716:7291:0da2:912c:0321:0ffe:1da2
Packets, IPs and TCP
Each piece of data you send out is broken down into packets. Imagine mailing your friend a book, page by page. Each page will have to carry your friend’s address and the page number to let him know what order it goes in. It should also let him know how many pages there are, so he knows when he has it all. They should also have your address, so if the mail person can’t deliver it, they know where it came from.
So, each packet carries the intended IP address, a number to determine where the packet fits back into the data sent, how many packets to expect, as well as your IP address. It has more than that, but that’s the really important stuff. Check it out in the packet header below where these items are highlighted in green.
As we already stated, each packet doesn’t necessarily go down the same set of wires to its destination. A router sends the packet to the nearest available router that is closer to that destination and, hopefully, isn’t too congested. It figures that out based on the numbers in the destination IP address. The first three numbers identify a large area, and the rest make it more specific. Yet again, just like a phone number. This is known as “best-effort delivery”.
So one packet may get routed through Virginia and another may go through Vancouver on their way to the same server in Hong Kong. This also means that packet A might get there later than packet B, or not at all!
When the packets arrive at the destination, the server or computer receiving them reassembles them into something cohesive (using TCP), or puts the book back together, to carry on that metaphor. Now the computer receiving all the packets sends back a message to the originating computer to say, in effect, “Thanks! Good-bye.” Thus the communication ends.
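Here is the packet header from the description above as working code. This is an added example, not part of the lesson: it packs one IPv4/TCP packet the way a client would send it, then reads back the fields every router on the path can see (both IP addresses, the identification and sequence numbers, the total length) and applies the home router’s internal-or-external decision from earlier in the lesson. The addresses are constructed sample values and the checksums are left at zero.

```python
import ipaddress
import struct

LAPTOP, WEBSERVER, PRINTER = "192.168.1.50", "203.0.113.10", "192.168.1.109"  # constructed
LAN_NET = ipaddress.ip_network("192.168.0.0/16")  # the router's "192.168.x.x stays inside" rule


def build_packet(src, dst, seq, payload):
    """Pack a minimal IPv4 header + TCP header around `payload`."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,           # version 4, header length 5 words (20 bytes)
        0,              # type of service
        total_len,      # total length: how much the receiver should expect
        0x1234,         # identification: which datagram a fragment belongs to
        0,              # flags / fragment offset
        64,             # TTL: every router on the path decrements this
        6,              # protocol 6 = TCP
        0,              # header checksum (left at 0 in this illustration)
        ipaddress.ip_address(src).packed,   # your IP address
        ipaddress.ip_address(dst).packed,   # the intended IP address
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        50000, 80,      # source port, destination port (80 = HTTP)
        seq,            # sequence number: where this piece fits in the stream
        0,              # acknowledgement number
        0x50,           # data offset 5 words (20 bytes)
        0x02,           # flags: SYN
        65535, 0, 0,    # window, checksum, urgent pointer
    )
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Return the header fields every router on the path can read."""
    vihl, _, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (vihl & 0x0F) * 4                 # IPv4 header length in bytes
    sport, dport, seq = struct.unpack("!HHI", raw[ihl:ihl + 8])
    dst_ip = ipaddress.ip_address(dst)
    return {
        "src": str(ipaddress.ip_address(src)), "dst": str(dst_ip),
        "ident": ident, "ttl": ttl, "protocol": proto, "seq": seq,
        "total_len": total_len, "dport": dport,
        # Private 192.168.x.x destinations stay on the LAN; all else goes to the ISP.
        "route": "LAN" if dst_ip in LAN_NET else "ISP",
    }
```

Note that nothing in the header is hidden: the source and destination addresses are readable by every hop, which is the privacy problem the lesson goes on to discuss.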
So think about this. If you want to go to www.freefor.com, you need to hit a DNS server to get the IP address. That means that if that DNS server is operated by your ISP, the ISP now knows, by virtue of your DNS lookup, which website you are visiting. It also means that the webpage you visit sees your IP address, and that is problematic as well. Each packet contains your IP and the destination IP. These are privacy problems we will show you how to address.
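The lookup at the heart of that privacy problem, as an added example that is not part of the lesson: it builds the DNS query for www.freefor.com in the exact wire format your computer sends to its resolver, then reads back what that resolver (your ISP’s, unless you change it) can log. It assumes an ordinary unencrypted query over UDP port 53 and uses a constructed transaction ID.

```python
import random
import struct

SITE = "www.freefor.com"   # the lesson's own example site


def build_query(name, txid=None):
    """Encode a standard A-record query for `name` in DNS wire format."""
    txid = random.randrange(0x10000) if txid is None else txid
    # Header: ID, flags (0x0100 = recursion desired), QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label prefixed by its length, terminated by a zero byte.
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question


def read_qname(msg, offset=12):
    """Decode the length-prefixed name at `offset` (queries use no compression)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def what_the_resolver_sees(msg):
    """What an ISP resolver (or anyone on the path) can log from one query."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    name, end = struct_end = read_qname(msg)
    qtype, qclass = struct.unpack("!HH", msg[end:end + 4])
    return {"id": txid, "name": name, "qtype": qtype,
            "recursion_desired": bool(flags & 0x0100)}
```

The hostname is carried as plain ASCII labels, which is why whoever runs the resolver, and whoever can see the wire, learns the site you are about to visit.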
Putting it all together – Network Topology
Let’s stop there so you can see what this looks like. The diagram below might seem complicated, but let’s walk through it. There are 5 clouds: Your LAN (Green Zone), your ISP, the Internet, the webpage’s ISP, and the LAN of the webserver. This is a basic internet topology.
The first thing that should stand out to you is how many servers and companies are involved in handling your data.
We didn’t talk about the modem, but that is really part of your ISP’s network. It is the gateway that your home router connects to so you can talk to your ISP. Note that you do not connect to the Internet directly; your traffic goes through your ISP. Think of it as the mail truck that picks up your mail and delivers it to the local postal facility.
Routers are used at every level to route traffic along to the final destination. Note that in the diagram above, there is a print request for 192.168.1.109, your home printer. “192.168” is reserved for LANs, and your router has a rule that says 192.168.x.x should stay internal and go to your printer instead of out to the ISP.
Notice also the firewall. That is an important function of your home router. It keeps out intruders. Or, it keeps programs inside your LAN from communicating out (like your teenage son visiting restricted sites, or a trojan trying to call back out). The Firewall is your perimeter security.
Think about that for a minute.
If your router blocks attacks from directly entering your network, then the only other ways an attacker can get in are if:
1) someone has access to your hardware (unlikely), or
2) you LET them in by downloading unsafe software, not running virus scans, not keeping up with patches, clicking on links, misconfiguring your router or browser, or not running encryption on your wifi.
We will continue to add to this diagram in future lessons to show all the attack points, and how to harden against them.
That’s enough head spinning for now. Please read through this a couple times, and try some of these easy tools to see how your IP is visible to the Internet and your DNS leaks.
LESSON ID=> 0016