Packets & Protocols
Anyone who has tried to move his or her household via mail knows that you can't simply put all your belongings into one large box and then ship it. Instead, you have to separate your items into smaller boxes and then mail your belongings in these separate boxes—hoping, of course, that the Postal Service will manage to reunite them with you at their destination. This process involves many people, from the workers at the post office to mail truck drivers to airplane pilots to their counterparts at the destination city.
The process of sending data from one network to another works in a similar fashion. Instead of trying to send the entire contents of an email message all at once, the message is broken up into small sections, called packets, that are then transmitted individually and reassembled at their destination. Just as there are many different people involved in moving your boxes each step of the way, there are many different electronic processes involved in network transmissions. A well-known guideline for the different network processes, known as the Open Systems Interconnection (OSI) Reference Model, defines seven layers of functionality in data communications.
The application layer provides support for network applications and protocols such as HTTP. The application layer is the originator and recipient of network transmissions.
The presentation layer manipulates data, such as compressing and encrypting it.
The session layer enables users to establish sessions across a network between machines.
The transport layer makes sure a packet gets to its destination through a complex series of acknowledgements.
The network layer establishes connections between nodes and routes data packets.
The data link layer receives bits from the physical layer and provides some error correction.
The physical layer transmits raw bits via mechanical and electrical means.
For more information on the OSI Model, see Understanding the OSI Reference Model.
Each of these layers relies on standards known as protocols that specify how software written for that layer must be constructed and behave. There are many, many network protocols in existence; two of the most important are the TCP and IP protocols, or TCP/IP. TCP stands for Transmission Control Protocol, IP for Internet Protocol. IP is responsible for creating connections between devices or computers, routing data packets to the appropriate "post offices" by means of IP addresses, and handing off packets to the data link and physical layers. TCP is responsible for breaking up data into packets for delivery, coordinating the communication process, monitoring packets as they are sent through the OSI layers (protocol stack), and asking for acknowledgements that packets have been received without corruption or loss. Together, they are responsible for the delivery of a large portion of network packets.
A network packet consists of two basic parts: a header and the body. Just like our moving boxes, a network packet has an address that is contained in the packet's header. The body contains the content of the messages—just like the contents of the boxes. Here the analogy ends, for unlike US Postal Service items which are handed off intact to each person in the mailing process, each network process layer adds its own header with its own protocol information to the packet as it moves through the protocol stack.
Eventually, a packet will have not just one header, but several. This process is known as encapsulation. Each of these various headers contain useful information. Of special importance to a firewall administrator are the TCP/IP headers, which give the source and destination IP address, source and destination TCP ports, and TCP flags.
Ports are labels—ways to identify services (programs that have a particular task to do or function to perform, such as network communication, that run without user input) that are running on particular machines. Ports have identification numbers that are included with every packet. Services that are running on a machine are programmed to be on the alert to "listen" for packets that arrive from other computers that have the same port number as they do. The more ports a server has open, the easier it is to connect to that server. In addition, the types of ports your server has open can give away a lot of information about it to attackers.
TCP flags are part of an intricate process called a three-way handshake, used by the TCP protocol to ensure that a reliable connection between the endpoints of a transmission has been established. TCP flags are similar to words that are used when establishing a phone conversation, such as "hello," "are you there?" and "goodbye." Improper use of TCP flags can be an important clue that an attack is occurring or is about to occur. For more on TCP flags see Introduction to TCP.