An Kit Network

Uploaded by

awesomeankit258

Module I (10 lectures)

Internet overview
The Internet is a giant network of networks.

• A network may include PCs and other devices like servers or printers.

• A network is connected through a communication channel.

• Early research was performed by the US Department of Defense in 1962. This research group established ARPAnet (Advanced Research Projects Agency network) in order to connect the US Defense Department network.

What did the Internet come from?

• The original aim was to create a network that would allow users of a research computer at one university to 'talk to' research computers at other universities.

• A side benefit of ARPAnet's design was that, because messages could be routed or rerouted in more than one direction, the network could continue to function even if parts of it were destroyed in a military attack or other disaster.

• The users of the Internet took a direction of their own.

History of the Internet

• The first long-distance communication took place in 1965 between a computer at MIT and one in California.

• In 1969, four computers were connected together via ARPAnet.

How old is the Internet?

• Leonard Kleinrock is credited with the idea of packet switching, which describes how data can be sent across a network. Ethernet was developed by Xerox during this period, inspired by Robert Metcalfe's PhD work on packet networks.

• Ethernet is a protocol describing how computers can be connected in a LAN (Local Area Network).

• Through the use of Ethernet and ARPAnet the US was able to develop a working network.

• In the late 1970s and early 1980s other networks were developed, e.g. CSNET, USENET and BITNET. In 1973 Vint Cerf and Bob Kahn created the TCP/IP communication protocols. TCP/IP (Transmission Control Protocol/Internet Protocol) is a set of rules that describe how computers can communicate over a network.

• To send information over the Internet, a computer packs data into Internet Protocol (IP) packets and labels them with the correct address. They are then sent across a packet-switched interconnected network.

Introduction to Data Communication

The term telecommunication means communication at a distance. The word data refers to information presented in whatever form is agreed upon by the parties creating and using the data. Data communications are the exchange of data between two devices via some form of transmission medium such as a wire cable.

Computer Network
A network is a set of devices (often referred to as nodes) connected by communication links. A node can be a computer, printer, or any other device capable of sending and/or receiving data generated by other nodes on the network.

Software modules in one system are used to communicate with one or more software modules in the distant system. Such interfaces across a distance are termed "peer-to-peer" interfaces, and the local interfaces are termed "service" interfaces. The modules on each end are organized as a sequence of functions called "layers". The set of modules organized as layers is also commonly called a "protocol stack".

Over the years, some layered models have been standardized. The ISO Open Systems Interconnection (ISO/OSI) layered model has seven layers and was developed by a set of committees under the auspices of the International Organization for Standardization (ISO).

Classification of Computer Networks

1. Based on Transmission Mode
Transmission mode defines the direction of signal flow between two linked devices. There are three types of transmission modes.

Simplex

In simplex mode, the communication is unidirectional. Of the two stations only one can transmit and the other can only receive.

Half-Duplex

In half-duplex mode, the communication is bidirectional. Both stations can send and receive, but not at the same time.

Full-Duplex

In full-duplex mode, both stations can transmit and receive simultaneously.

2. Based on Timing of Transmission

• Synchronous Transmission

In synchronous transmission both the sender and the receiver use the same time cycle (clock) for the transmission. Bits are sent one after another without start/stop bits or gaps, and it is the responsibility of the receiver to group the bits into bytes. The bit stream is delivered with a fixed delay and a given error rate: each bit reaches the destination with the same time delay after leaving the source.

• Asynchronous Transmission

In asynchronous transmission we send one start bit at the beginning and one stop bit at the end of each byte, and there may be a gap of arbitrary length between bytes; the receiver resynchronizes on every start bit instead of sharing the sender's clock. At the network level the same idea applies to packets: the stream is divided into packets which are received with varying delays, so packets can arrive out of order, and some packets are not received correctly.
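The start/stop-bit framing described above, as an added example that is not part of the lecture notes. It assumes the classic UART line convention (idle line held at 1, one start bit of 0, eight data bits least-significant bit first, one stop bit of 1); the sample bytes are constructed for the illustration. The decoder shows the point of asynchronous transmission: it needs no shared clock, only the start bit, and it can detect (but not correct) a byte whose stop bit is missing.

```python
"""Asynchronous (start/stop bit) framing of a byte stream.

Added example; not part of the lecture notes. Assumes the classic UART line
convention: idle line is 1, each byte is sent as one start bit (0), eight data
bits least-significant bit first, and one stop bit (1).
"""

IDLE = 1
START_BIT = 0
STOP_BIT = 1
FRAME_BITS = 10            # 1 start + 8 data + 1 stop


def async_encode(data: bytes, gap_bits: int = 0) -> list:
    """Frame every byte with a start and a stop bit.

    gap_bits idle bits are placed after each byte to model the arbitrary
    gaps an asynchronous link permits between characters.
    """
    line = []
    for byte in data:
        line.append(START_BIT)
        line.extend((byte >> i) & 1 for i in range(8))   # LSB first
        line.append(STOP_BIT)
        line.extend([IDLE] * gap_bits)
    return line


def async_decode(line: list) -> tuple:
    """Recover the bytes from a sampled line.

    Returns (decoded bytes, number of framing errors). The receiver does not
    share a clock with the sender: it waits for a start bit, then counts off
    the next nine bits. A frame whose stop bit is not 1 is a framing error
    and is discarded; a frame cut off by the end of the sample is also counted.
    """
    out = bytearray()
    errors = 0
    i = 0
    while i < len(line):
        if line[i] == IDLE:                 # still idle, no start bit yet
            i += 1
            continue
        if i + FRAME_BITS > len(line):      # start bit seen but frame truncated
            errors += 1
            break
        data_bits = line[i + 1:i + 9]
        value = sum(bit << k for k, bit in enumerate(data_bits))
        if line[i + 9] != STOP_BIT:         # lost synchronisation or corruption
            errors += 1
        else:
            out.append(value)
        i += FRAME_BITS
    return bytes(out), errors


if __name__ == "__main__":
    sample = async_encode(b"OK", gap_bits=3)          # constructed sample line
    print(sample)
    print(async_decode(sample))
```

The 10 line bits per 8 data bits are the price of asynchronous operation: 20% framing overhead, which synchronous transmission avoids by requiring a shared clock.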
3. Based on Authentication (peer-to-peer vs. server-based)

• Peer-to-Peer Connection

In peer-to-peer networks there are no dedicated servers. All the computers are equal and are therefore termed peers. Normally each computer functions as both a client and a server. No one computer can control the others.

• Server-Based Connection

Most networks have a dedicated server. A dedicated server is a computer on a network which functions only as a server and is not used as a client or a workstation. A dedicated server is optimized to service requests from network clients. A server can control the clients for its services.

4. Based on Geographical Location

• Local Area Network (LAN)
A LAN is a small, high-speed network. In a LAN a few systems are interconnected with a networking device to create the network. As the distance between the nodes increases the speed decreases, so it is limited to short distances (tens to a few hundred metres per link) and covers only a close geographical area. A LAN is used to link the devices in a single office, building or campus. It provides high speeds over short distances. Systems are connected directly to the network. The LAN is privately owned.

• Wide Area Network (WAN)

A WAN is a collection of networks (or LANs). Its speed is less than that of a LAN. A WAN connects systems indirectly and may be spread over more than one city, country or continent. Generally WANs are slower than LANs. WANs are owned or operated by network providers; if a WAN is owned by a single organization it is called an enterprise network. Often these networks combine more than one topology.

• Metropolitan Area Network (MAN)

A metropolitan area network is an extension of a local area network to spread over a city. It may be a single network or a network in which more than one local area network can share resources.

5. Based on Reliability
Reliability here depends on whether a connection is established and acknowledged before data is sent.
• Connection-oriented
This type of communication establishes a session connection before data can be sent. This method is often called a "reliable" network service: it can guarantee that data will arrive in the same order it was sent.

• Connectionless
This type of communication does not require a session connection between sender and receiver for data transfer. The sender simply starts sending packets to the destination. A connectionless network provides minimal services.

Topology
Topology refers to the physical layout, including computers, cables, and other resources; it determines how components communicate with each other.

Today's network designs are based on three topologies:

• Bus: consists of a series of computers connected along a single cable segment
• Star: connects computers via a central connection point or hub
• Ring: connects computers to form a loop

All computers, regardless of topology, communicate by addressing data to one or more computers and transmitting it across the cable as electronic signals. Data is broken into packets and sent as electronic signals that travel on the cable. Only the computer to which the data is addressed accepts it. Note that on a shared medium (bus or hub) every station physically receives every frame; the address filtering is done by the receiving network interface, so an interface placed in promiscuous mode can capture all traffic on the segment.

Protocol
A protocol is a set of rules. It is a formal description of message formats and the rules two or more machines must follow to exchange messages. The key elements of a protocol are syntax, semantics and timing.

• Syntax
Syntax refers to the structure or format of the data, meaning the order in which the fields are presented.
• Semantics
Semantics refers to the meaning of each section of bits.
• Timing
Timing refers to when data should be sent and how fast it can be sent.
Internetworking Technologies
Internetworking technologies describe how the Internet accommodates multiple underlying hardware technologies, how they are interconnected to form the network, and the set of communication standards the networks use to interoperate.

The lowercase internet means multiple networks connected together using a common protocol suite. The uppercase Internet refers to the collection of hosts around the world that can communicate with each other using TCP/IP. While the Internet is an internet, the reverse is not true.

Network Infrastructure or Transmission Infrastructure:

Network infrastructure is divided into two parts.

1. Access Networks
An access network is the part of a telecommunications network which connects end systems to the first router, or subscribers to their immediate service provider, as shown in figure 1.

Figure 1 Network Infrastructure

It is different from the core network, which connects all the routers to each other and to the ISP (Internet service provider). An access network may be a so-called local area network within a company or university, a dial-up telephone line with a modem, or a high-speed cable-based or phone-based access network. Access networks can be loosely divided into three categories:
• Residential access networks, connecting a home system into the network.
• Institutional access networks, connecting an end system in a business or educational institution into the network.
• Mobile access networks, connecting a mobile end system into the network.

2. Core Networks:
The core network connects all the routers to each other and to the ISPs. It is the main backbone of the Internet. The core network uses circuit switching and packet switching for data transmission.

ISPs (Internet Service Providers)

From bottom to top, the Internet hierarchy consists of end systems (PCs, workstations, etc.) connected to local Internet Service Providers (ISPs). The local ISPs are in turn connected to regional ISPs, which are in turn connected to national and international ISPs. The national and international ISPs are connected together at the highest tier in the hierarchy.

Let's begin at the top of the hierarchy and work our way down. Residing at the very top are the national ISPs, which are called National Backbone Providers (NBPs). The NBPs form independent backbone networks that span North America (and typically abroad as well). Just as there are multiple long-distance telephone companies in the USA, there are multiple NBPs that compete with each other for traffic and customers. The NBPs existing when these notes were written include internetMCI, SprintLink, PSINet, UUNet Technologies, and AGIS. The NBPs typically have high-bandwidth transmission links, with bandwidths ranging from 1.5 Mbps to 622 Mbps and higher. Each NBP also has numerous hubs which interconnect its links and at which regional ISPs can tap into the NBP.

The NBPs themselves must be interconnected to each other. To see this, suppose one regional ISP, say MidWestnet, is connected to the MCI NBP and another regional ISP, say EastCoastnet, is connected to Sprint's NBP. How can traffic be sent from MidWestnet to EastCoastnet? The solution is to introduce switching centers, called Network Access Points (NAPs), which interconnect the NBPs, thereby allowing each regional ISP to pass traffic to any other regional ISP. To keep us all confused, some of the NAPs are not referred to as NAPs but instead as MAEs (Metropolitan Area Exchanges).

Components of the Internet:
A network (or internet) is formed using hardware (network devices) and network software (applications and protocols).

Hardware or Network devices:
1. Hub:

• It is used to connect systems, nodes or networks.
• It has a direct connection to each node (point-to-point connection).
• It suffers from a high rate of data collisions, resulting in data loss, because all its ports share one collision domain.
• A hub takes data from an input port and retransmits it on all the other ports regardless of the destination address, so every attached station sees every frame.

2. Repeater:
• A repeater is a device which regenerates or amplifies the data signal so that it can travel to the other segment of cable.
• It is used to connect two networks that use the same technology and protocol.
• It does not filter or translate any data.
• It works in the physical layer.

3. Bridge:

• It is used to connect two networks.
• It divides the collision domain according to the number of ports or interfaces present in the bridge.
• It forwards and filters frames using the LAN (MAC) destination address.
• A bridge examines the destination address of a frame and forwards it only to the interface or port which leads to the destination.
• It maintains a forwarding table, learned from the source MAC addresses of the frames it sees, for forwarding frames from one node to another using MAC addresses.
• It works in the data link layer.

4. Switch:

• It is similar to a bridge but has more interfaces.
• It allows direct communication between the nodes: each port is its own collision domain.
• It works in the data link layer.
• It uses MAC addresses for forwarding frames.

5. Router:

• It is used to connect different types of networks (different architectures or protocols).
• It works similarly to a bridge but uses IP addresses for routing data.
• A router connects networks rather than individual end systems.
• It works in the network layer.

6. Gateways:
Gateways make communication possible between systems that use different communication protocols, data formatting structures, languages and architectures. Gateways repackage data going from one system to another. Gateways are usually dedicated servers on a network and are task-specific.
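The difference between a hub and a bridge/switch described above, as an added example that is not part of the lecture notes: a hub repeats every frame on every other port, while a learning switch builds its MAC-address-to-port table from the source addresses it sees and forwards a known destination out of one port only. Frames are modelled as a (source MAC, destination MAC) pair, ports as small integers, and the MAC strings below are constructed for the illustration.

```python
"""Hub versus learning switch: where a frame goes.

Added example, not from the lecture notes. Frames are a (source MAC,
destination MAC) pair and ports are small integers; the MAC strings and port
numbers used with it are constructed for the illustration.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def hub_forward(in_port: int, ports) -> list:
    """A hub repeats the signal on every other port regardless of address,
    so all attached stations share one collision domain."""
    return [p for p in ports if p != in_port]


class LearningSwitch:
    """A transparent bridge/switch.

    It learns the port behind each source MAC address, forwards a known
    unicast destination out of exactly one port, filters frames whose
    destination is on the port they arrived on, and floods (like a hub)
    broadcasts and destinations it has not learned yet.
    """

    def __init__(self, ports, table_size=1024):
        self.ports = list(ports)
        self.table_size = table_size
        self.table = {}               # MAC address -> port

    def learn(self, mac, port):
        if mac in self.table:
            self.table[mac] = port    # station moved to another port
        elif len(self.table) < self.table_size:
            self.table[mac] = port
        # else: table full. A real switch ages entries out; here we simply
        # stop learning, so frames for unlearned hosts keep being flooded.
        # That degradation to hub behaviour is what MAC-flooding attacks
        # provoke deliberately; port security (a per-port limit on learned
        # MAC addresses) is the usual countermeasure.

    def forward(self, in_port, src, dst) -> list:
        """Return the output ports for a frame arriving on in_port."""
        self.learn(src, in_port)
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]   # filtered: same segment
        return hub_forward(in_port, self.ports)        # flood


if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3, 4])
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed MACs
    print(sw.forward(1, a, b))   # b unknown: flooded to ports 2, 3, 4
    print(sw.forward(2, b, a))   # a was learned on port 1: forwarded to [1]
    print(sw.forward(1, a, b))   # now b is known: forwarded to [2]
```

The first frame to an unknown destination is flooded exactly as a hub would do it; only after the reply has been seen does the switch confine the conversation to two ports. This is why sniffing on a switched LAN does not work by default, and why attacks on the learning table (MAC flooding, or spoofing another station's source address so the switch "moves" it) are aimed at undoing that confinement.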

System, Software and Protocols:

Basically two types of system are used on the Internet:
• Client system: the user's machine, which accesses data from the Internet.
• Server system: hosts data for users (e.g. HTML files).

Software or Applications and protocols:

• Chat - IRC (Internet Relay Chat) is used for live discussions on the Internet.

• E-commerce - Taking orders for products and services on the Internet.

• E-mail - Exchanging electronic letters, messages, and small files.

• FTP - File Transfer Protocol is the most common method of transferring files between computers via the Internet. (FTP sends credentials and data in clear text; SFTP or FTPS is used where confidentiality matters.)

• Hosting - Making information available to others on the Internet.

• Search Engines - These tools are really a part of the World Wide Web and are often used when looking for information, because the Web has grown so large and is without any inherent organizational structure.

• Telnet - Creation of a dumb terminal session to a host computer in order to run software applications on the host system. (Like FTP, Telnet is unencrypted; SSH is its secure replacement.)

• World Wide Web - This is the largest, fastest growing part of the Internet, the part for which Internet browsers like Netscape's Navigator and Microsoft's Explorer were designed. Business is the leading factor fuelling the rapid growth of the Web, making information, advertising, and product ordering readily available to everyone with Web access.
WAN Protocols
• Frame Relay
Frame relay is used to connect a large number of sites in a network because it is relatively inexpensive to do so. The service provider gives you a frame relay circuit and charges for the amount of data and the bandwidth you use, as opposed to a T1 circuit, which is charged at a flat monthly rate whether you use part of the bandwidth or the full bandwidth. Frame relay is a high-performance WAN protocol that operates at the data link layer and the physical layer of the OSI model.

• Integrated Services Digital Network (ISDN)

Integrated Services Digital Network (ISDN) is designed to run over existing telephone networks. It can deliver end-to-end digital service carrying voice and data. ISDN operates at the OSI physical, data link and network layers. It can carry multimedia and graphics along with all other voice and data services. ISDN supports all upper layer protocols, and you can choose PPP, HDLC or LAPD as your encapsulation protocol. It has two offerings. The Primary Rate Interface is 23B+D: 23 B channels of 64 kbps each and one 64 kbps D channel used mainly for signalling. The Basic Rate Interface is 2B+D: two 64 kbps B channels and one 16 kbps D channel. At the data link layer ISDN supports two protocols, LAPB and LAPD. LAPB is used mainly to transfer data from the upper layers and has three types of frames: I-frames carry upper layer information and carry out sequencing, flow control, error detection and recovery; S-frames carry control information for the I-frames; U-frames carry unnumbered control information such as link setup and disconnect. LAPD provides an additional multiplexing function to the upper layers, enabling a number of network entities to operate over a single physical access. Each individual link procedure acts independently of the others. The multiplex procedure combines and distributes the data link channels according to the address information of the frame. Each link is associated with a specific Service Access Point (SAP), which is identified in the SAPI part of the address field.

• High Level Data Link Control (HDLC)
High Level Data Link Control (HDLC) is a bit-oriented data link layer framing protocol that has many variants, such as LAP, LAPB and LAPD. The default serial encapsulation on Cisco routers is HDLC, but Cisco's version is proprietary (it adds a protocol type field), so it interoperates only with other Cisco equipment.

OSI model
OSI (Open Systems Interconnection), developed by the International Organization for Standardization (ISO), was the solution designed to promote interoperability between vendors. It defines an architecture for communications that supports distributed processing.
The OSI model describes the functions that allow systems to communicate successfully over a network. Using what is called a layered approach, communications functions are broken down into seven distinct layers.

Figure 2 Interaction between layers in OSI model.

The seven layers, beginning with the bottom layer of the OSI model, are shown in figure 2. Routers are used as intermediate nodes to create a link between end systems A and B.
OSI model layers are dependent on each other: each layer serves the layer above it and depends on the services of the layer below it.
The OSI model also provides layer abstraction. Layers depend on each other for services, but in terms of protocols they are independent: the protocol used at one layer can be replaced without changing the layers above or below it.
In each layer, control information is added to the original data as a header; in the data link layer a trailer is also added, as shown in figure 3.

Figure 3 Exchange of data using OSI model

OSI Model Layers

Layer 1: Physical Layer
▪ It defines the transmission of raw bits across the communications medium and the translation of binary data into signals.
▪ It defines the mode of transmission over the link, i.e. simplex, half duplex or full duplex.
▪ It defines the transmission rate in bits per second.
Layer 2: Data Link Layer
▪ It divides the data into frames.
▪ It uses MAC addresses for sending frames from one node to the next.
▪ It provides flow control, error control and access control.
Layer 3: Network Layer
▪ It divides data into packets.
▪ It uses IP addresses for routing packets to their destination.
▪ It provides source-to-destination (host-to-host) delivery across multiple networks.
Layer 4: Transport Layer
▪ It divides a message into segments and reassembles the segments to recreate the original message.
▪ It can be either connection-oriented or connectionless.
▪ It uses service-point addresses (port addresses) for process-to-process communication.
▪ Flow control and error control are also provided by the transport layer.
Layer 5: Session Layer
▪ The session layer establishes, maintains and synchronizes the interaction among communicating systems.
Layer 6: Presentation Layer
▪ It is concerned with the syntax and semantics of the information exchanged between two systems.
▪ It translates information from text/numeric form into a bit stream.
▪ It also encrypts the information for security purposes and compresses the information to reduce the number of bits. (In practice encryption on the Internet is provided by TLS or IPsec rather than by a distinct presentation layer.)
Layer 7: Application Layer
▪ It provides the interface to the end user and support for services such as e-mail, file transfer and distributed information services.
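Encapsulation as described above (a header prepended at each layer, plus a trailer at the data link layer), as an added example that is not part of the lecture notes. The header layouts are simplified ones chosen for this example, not the real UDP, IPv4 or Ethernet formats; the addresses and payload are constructed. The trailer is a CRC-32 frame check sequence, so the receiving side can detect a corrupted frame, and the transport length field is checked against the bytes actually present rather than trusted.

```python
"""Layered encapsulation: each layer prepends its header; the data link layer
also appends a trailer (a CRC for error detection).

Added example, not from the lecture notes. The header layouts are simplified
illustrations chosen for this example, not the real UDP, IPv4 or Ethernet
formats.
"""
import struct
import zlib

# Assumed (simplified) big-endian header layouts.
TRANSPORT_HDR = struct.Struct("!HHH")      # src port, dst port, payload length
NETWORK_HDR = struct.Struct("!4s4sB")      # src addr, dst addr, protocol id
LINK_HDR = struct.Struct("!6s6sH")         # dst mac, src mac, type
LINK_TRAILER = struct.Struct("!I")         # CRC-32 over header + payload
PROTO_TRANSPORT = 17                       # protocol id chosen for the example
MIN_FRAME = (LINK_HDR.size + NETWORK_HDR.size
             + TRANSPORT_HDR.size + LINK_TRAILER.size)


def encapsulate(app_data: bytes, ports, addrs, macs) -> bytes:
    """Walk down the stack: application -> transport -> network -> data link.

    ports = (src, dst), addrs = (src, dst) 4-byte strings, macs = (src, dst)
    6-byte strings.
    """
    segment = TRANSPORT_HDR.pack(ports[0], ports[1], len(app_data)) + app_data
    packet = NETWORK_HDR.pack(addrs[0], addrs[1], PROTO_TRANSPORT) + segment
    frame_body = LINK_HDR.pack(macs[1], macs[0], 0x0800) + packet
    crc = zlib.crc32(frame_body) & 0xFFFFFFFF
    return frame_body + LINK_TRAILER.pack(crc)   # trailer exists only here


def decapsulate(frame: bytes) -> dict:
    """Walk up the stack, stripping one header per layer.

    Raises ValueError on a short frame, a bad CRC, or a transport length
    field that disagrees with the bytes actually present.
    """
    if len(frame) < MIN_FRAME:
        raise ValueError("frame too short")
    body, trailer = frame[:-LINK_TRAILER.size], frame[-LINK_TRAILER.size:]
    (crc,) = LINK_TRAILER.unpack(trailer)
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("frame check sequence mismatch: frame corrupted")

    dst_mac, src_mac, eth_type = LINK_HDR.unpack_from(body, 0)
    packet = body[LINK_HDR.size:]

    src_addr, dst_addr, proto = NETWORK_HDR.unpack_from(packet, 0)
    segment = packet[NETWORK_HDR.size:]

    src_port, dst_port, length = TRANSPORT_HDR.unpack_from(segment, 0)
    app_data = segment[TRANSPORT_HDR.size:]
    if length != len(app_data):
        # A length field is input under the sender's control; never trust it.
        raise ValueError("transport length field does not match payload")

    return {
        "link": (src_mac, dst_mac, eth_type),
        "network": (src_addr, dst_addr, proto),
        "transport": (src_port, dst_port),
        "data": app_data,
    }


if __name__ == "__main__":
    macs = (bytes.fromhex("020000000001"), bytes.fromhex("020000000002"))
    addrs = (bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))        # constructed
    frame = encapsulate(b"hello", (40000, 53), addrs, macs)
    print(len(frame), "bytes on the wire")
    print(decapsulate(frame))
```

A real CRC only detects accidental corruption; it is not a security control, since anyone who can alter the frame can recompute it. That is the difference between the data link trailer and the cryptographic integrity provided by TLS or IPsec at higher layers.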

OSI Model and Protocol stack

Layer          Protocols
Application    HTTP, FTP, SMTP, TELNET
Presentation   JPEG, GIF, MPEG
Session        NetBIOS, RPC
Transport      TCP, UDP
Network        IP, IPX
Data Link      Ethernet, Token Ring, HDLC
Physical       X.21, RS-232, DS1, DS3

(The original table listed the "TCP 3-way handshake" under the session layer; it is a transport-layer mechanism of TCP itself, so it is listed with TCP above.)

TCP/IP model
• The TCP/IP protocol suite was developed before the OSI model.
• TCP/IP is a set of protocols developed to allow cooperating computers to share resources across a network.
• In 1969 the Defense Advanced Research Projects Agency (DARPA) funded a research and development project to create an experimental packet switching network. This network was called ARPANET.
• In 1975 the ARPANET was converted from an experimental network to an operational network, and the responsibility for administering the network was given to the Defense Communications Agency (DCA).
• The TCP/IP protocols were adopted as Military Standards (MIL STD) in 1983, and all hosts connected to the network were required to convert to the new protocols.

• DARPA funded the implementation of TCP/IP in Berkeley Unix.

• In 1983, the old ARPANET was divided into MILNET and a smaller ARPANET. The term Internet was used to refer to the entire network: MILNET and ARPANET together.

Advantages of TCP/IP
Open protocol standards, freely available and developed independently from any specific computer hardware or operating system. A common addressing scheme which makes it possible to connect the most widely used networks. It can run over any lower-layer (physical/data link) protocol. It connects dissimilar systems. It provides a client/server framework. It provides access to the Internet.

Differences between the OSI and TCP/IP models

TCP/IP combines the presentation and session layers into its application layer. TCP/IP combines the OSI data link and physical layers into one layer. TCP/IP appears simpler because it has fewer layers. The TCP/IP transport layer, when using UDP, does not guarantee reliable delivery of packets as the transport layer in the OSI model does.

Packet Switching fundamentals

A network is a collection of interconnected systems. In a network we need one-to-one communication between any two systems. One solution is to make a point-to-point connection between each pair of systems (using a mesh topology) or to connect a centralized system to every other system (using a star topology). But this is not cost effective as the number of systems grows, and it is limited to small distances between the interconnected systems.

Figure 4 Switched Network

A solution to the above problem is switching. A switched network consists of a series of interlinked devices called switches (shown in figure 4). A switch is a device which can create temporary connections between two or more systems linked to the switch. In a switched network some of the nodes are end systems and others are used only for routing.

The end systems (communicating devices) are labelled A, B, C, D, and so on, and the switches are labelled I, II, III, IV, and V. Each switch is connected to multiple links.

There are three methods of switching:

1. Circuit Switched Networks
2. Packet Switched Networks
   A. Datagram Networks
   B. Virtual-circuit Networks
3. Message Switched Networks

1. Circuit Switched Network:

• In circuit-switched networks, a dedicated path is needed for communication between the end systems, and its resources are reserved for the duration of the session.

• Each connection uses only one dedicated channel on each link.

• Each link is divided into n channels by using FDM (Frequency Division Multiplexing) or TDM (Time Division Multiplexing).

Figure 5 A trivial circuit-switched network

In the above figure one link is divided into n channels (here n = 3). A circuit-switched network requires the following three phases during a session.

1. Setup Phase: First of all the two systems need to create a dedicated circuit or path for communication. For example, in figure 5, when system A needs to connect to system M, it sends a setup request that includes the address of system M to switch I. Switch I finds a channel between itself and switch II that can be dedicated for this purpose. Switch I then sends the request to switch II, which finds a dedicated channel between itself and switch III. Switch III informs system M of the request from system A.
To establish the path, system M must send an acknowledgement for the request of A. Only after system A receives this acknowledgement is the connection established. Only end-to-end addressing is required for establishing the connection between the two end systems; no addresses are needed in the data transfer phase, since the reserved channel identifies the circuit.

2. Data Transfer Phase

After the establishment of the dedicated path (channels), the two systems can transfer data.

3. Teardown Phase
When one of the systems needs to disconnect, a signal is sent to each switch to release the resources.

Circuit switching is not efficient, because the link capacity is reserved and cannot be used by other systems during the connection, even while no data is flowing. Once the circuit is set up, however, the delay in data transfer is minimal.

Example: Let us consider how long it takes to send a file of 640 Kbits from host A to host B over a circuit-switched network. Suppose that all links in the network use TDM with 24 slots and have a bit rate of 1.536 Mbps. Also suppose that it takes 500 ms to establish an end-to-end circuit before A can begin to transmit the file. How long does it take to send the file?

Each circuit has a transmission rate of (1.536 Mbps)/24 = 64 Kbps, so it takes (640 Kbits)/(64 Kbps) = 10 seconds to transmit the file. To these 10 seconds we add the circuit establishment time, giving 10.5 seconds to send the file. Note that the transmission time is independent of the number of links: the transmission time would be 10 seconds whether the end-to-end circuit passes through one link or one hundred links.
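The calculation above carried through in code, as an added example that is not part of the lecture notes. The circuit-switched function uses exactly the numbers of the worked example (K = 1000, as the arithmetic in the text assumes). The packet-switched function goes beyond the text: it applies the standard store-and-forward model (no setup, no queueing, propagation delay ignored, equal-size packets), so that the comparison shows what "independent of the number of links" does and does not buy. The packet size is an assumption chosen for the illustration.

```python
"""Transfer time over a circuit-switched TDM path, with a store-and-forward
packet-switched transfer over the same links for comparison.

Added example, not from the lecture notes. The circuit-switched numbers are
those of the worked example above; the packet-switched model (no setup, no
queueing, propagation ignored) is a standard extension added here.
"""


def circuit_switched_time(file_bits, link_rate_bps, tdm_slots, setup_s):
    """Seconds to set up a circuit and send file_bits through one TDM slot.

    Each circuit gets link_rate / tdm_slots. Once the circuit is up every link
    on the path carries the bits in its reserved slot, so the result does not
    depend on how many links the path crosses.
    """
    circuit_rate = link_rate_bps / tdm_slots
    return setup_s + file_bits / circuit_rate


def packet_switched_time(file_bits, link_rate_bps, packet_bits, hops):
    """Seconds to send file_bits as equal-size packets across `hops` links.

    The full link rate is available to the packets, but a switch must receive
    a whole packet before forwarding it. The first packet therefore needs
    hops * t_packet to arrive; the remaining packets follow one t_packet
    apart because the links work on different packets in parallel. The last
    packet is assumed full-size (a partial final packet would finish a little
    sooner).
    """
    n_packets = -(-file_bits // packet_bits)          # ceiling division
    t_packet = packet_bits / link_rate_bps
    return (hops + n_packets - 1) * t_packet


def compare(file_bits=640_000, link_rate_bps=1_536_000, tdm_slots=24,
            setup_s=0.5, packet_bits=64_000, hops=1):
    """Return (circuit-switched seconds, packet-switched seconds)."""
    return (circuit_switched_time(file_bits, link_rate_bps, tdm_slots, setup_s),
            packet_switched_time(file_bits, link_rate_bps, packet_bits, hops))


if __name__ == "__main__":
    for hops in (1, 10, 100):
        cs, ps = compare(hops=hops)
        print(f"{hops:3d} hop(s): circuit {cs:6.2f} s   packet {ps:6.2f} s")
```

With one reserved slot of 24 the circuit-switched transfer takes 10.5 s regardless of hop count, while packet switching, which can use the whole 1.536 Mbps link when it is otherwise idle, finishes in well under a second on one hop and grows by one packet time per extra hop; the price is that the delay is no longer guaranteed once other traffic competes for the same links.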

2. Packet Switched Networks

2.A. Datagram Networks
• In a packet switched network the message is divided into a number of packets. Each packet has a maximum size defined by the network or protocol.

• Datagram switching is also known as connectionless packet switching.

• There is no dedicated link between source and destination.
• No dedicated resources are allocated for packets. Resources are allocated on demand on a first-come, first-served basis. When a switch receives a packet, irrespective of its source or destination, the packet must wait if other packets are being processed.
• A single message is divided into a number of packets. During the transfer of packets from source to destination, each packet is treated independently. The destination can receive packets out of order; the packets are later reordered and combined to extract the message.
• Packets are referred to as datagrams in this type of switching. Datagram switching is normally done at the network layer.

• The datagram networks are referred to as connectionless networks. Connectionless means that the switches keep no connection state.
• There is no setup or teardown phase, so a routing table is required in every switch to route packets from source to destination. The routing table is based on the destination address and is updated periodically. The destination addresses and the corresponding forwarding output ports are recorded in the table. This is different from the table of a circuit-switched network, in which each entry is created when the setup phase is completed and deleted when the teardown phase is over. Figure 6 shows the routing table for a switch.

Destination address   Output port
1234                  1
4444                  2
6666                  3
...                   ...
2222                  3

Figure 6 Routing table for a switch

Destination Address
Every packet in a datagram network carries a header that contains the destination address of the packet. When the switch receives the packet, this destination address is examined and the routing table is consulted to find the corresponding port through which the packet should be forwarded. This address, unlike the virtual circuit identifier in a virtual-circuit network, remains the same during the entire journey of the packet.

Efficiency
The efficiency of a datagram network is better than that of a circuit-switched network; resources are allocated only when there are packets to be transferred. If a source sends a packet and there is a delay of a few minutes before another packet can be sent, the resources can be reallocated during these minutes for packets from other sources.

Delay
There may be greater delay in a datagram network than in a virtual-circuit network. Although there are no setup and teardown phases, each packet may experience a wait at a switch before it is forwarded. In addition, since not all packets in a message necessarily travel through the same switches, the delay is not uniform for the packets of a message.
Switching in the Internet is done by using the datagram approach to packet switching at the network layer.

2.B. Virtual –Circuit Networks:


A virtual-circuit network uses the characteris toicf sboth the circuit switched network and the daratamg
network. A virtual-circuit network is normally imepmlented in the data link layer, while a circuit-
switched network is implemented in the physicale lra aynd a datagram network in the network layer.
Virtual-circuit network is also known as Connect-iorniented packet switchin g

Addressing
Two types of addressing is used in virtual-circnueitwork
• Global Address I:t is an address which can uniquely identify thyset esms (source or destination)
in a network or internet. This address is usedr etoa tce virtual circuit identifier only .
• Virtual Circuit Identifier: The identifier that is actually used for datan strfaer is known as
virtual circuit identifier (VCI). It is a number hwich is used in a frame between two switches.
This VCI changes from one switch to another. Evsewryit ch uses a fixed range of values for
VCI.

Three phases of Virtual –Circuit Networks:


1. Data Transfer Phase
• To transfer a frame from a source to its destina, taioll switches need to have a table entry for
this virtual circuit .

The table, in its simplest form, has four colum ns.

This means that the switch holds four pieces ofof rmination for each virtual circuit that is

already setup .
Figure 6 shows such a switch and its correspon tdaibnlge. Figure 7 shows a frame arriving at
port 1with a VCI of 14. When the frame arrives, sthweitch looks in its table to find port 1 and
VCI of 14.When it is found, the switch knows to nchgae the VCI to 22 and send out the frame
from port 3.

• The data transfer phase is active until the sosuercned s all its frames to the destination.

• The procedure at the switch is the same for eaacmhe f rof a message.

• The process creates a virtual circuit, not a riercaul ict, between the source and destination.

Figure 7 Switch and tables in a virtual-circuit network

2. Setup Phase
In the setup phase, a switch creates an entry for a virtual circuit. For example, suppose
source A needs to create a virtual circuit to B. Two steps are required: the setup request and
the acknowledgment.

2.1 Setup Request:

A setup request frame is sent from the source to the destination. Figure 8 shows the process.
a. Source A sends a setup frame to switch 1.
b. Switch 1 receives the setup request frame. It knows that a frame going from A to B goes out
through port 3. In the setup phase the switch acts as a packet switch; it has a routing table
which is different from the switching table. For the moment, assume that it knows the output
port. The switch creates an entry in its table for this virtual circuit, but it is only able to fill three
of the four columns. The switch records the incoming port (1), chooses an available
incoming VCI (14) and records the outgoing port (3). It does not yet know the outgoing VCI, which
will be learned during the acknowledgment step. The switch then forwards the frame through
port 3 to switch 2.

c. Switch 2 receives the setup request frame. The same events happen here as at switch 1; three
columns of the table are completed: in this case, incoming port (1), incoming VCI (66), and
outgoing port (2).
d. Switch 3 receives the setup request frame. Again, three columns are completed: incoming port
(2), incoming VCI (22), and outgoing port (3).
e. Destination B receives the setup frame and, if it is ready to receive frames from A, assigns a VCI
to the incoming frames that come from A, in this case 77. This VCI lets the destination know that
the frames come from A and no other source.

Figure 8 Setup request in a virtual-circuit network

2.2 Acknowledgment:
A special frame, called the acknowledgment frame, completes the entries in the switching
tables. Figure 9 shows the process.
a. The destination sends an acknowledgment to switch 3. The acknowledgment carries the global
source and destination addresses so the switch knows which entry in the table is to be
completed. The frame also carries VCI 77, chosen by the destination as the incoming VCI for
frames from A. Switch 3 uses this VCI to complete the outgoing VCI column for this entry.
Note that 77 is the incoming VCI for destination B, but the outgoing VCI for switch 3.
b. Switch 3 sends an acknowledgment to switch 2 that contains its own incoming VCI (22),
chosen in the previous step. Switch 2 uses this as the outgoing VCI in its table.
c. Switch 2 sends an acknowledgment to switch 1 that contains its own incoming VCI (66),
chosen in the previous step. Switch 1 uses this as the outgoing VCI in its table.
d. Finally, switch 1 sends an acknowledgment to source A that contains its own incoming VCI (14),
chosen in the previous step.
e. The source uses this as the outgoing VCI for the data frames to be sent to destination B.

Figure 9 Setup acknowledgment in a virtual-circuit network


3. Teardown Phase
In this phase, source A, after sending all frames to B, sends a special frame called a teardown
request. Destination B responds with a teardown confirmation frame. All switches delete the
corresponding entry from their tables.

Note: In virtual-circuit switching, all packets belonging to the same source and destination
travel the same path; but the packets may arrive at the destination with different delays if
resource allocation is on demand.
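The three phases above, carried through in code. This is an added illustration written for this page, not code from the page or from any textbook. The topology (A on port 1 of switch 1, switch 1 port 3 to switch 2 port 1, switch 2 port 2 to switch 3 port 2, switch 3 port 3 to B), the routing-table entries consulted during setup, and the pools of VCIs each switch may hand out are all assumed so that the numbers match the text (14, 66, 22 and 77). The switching table is the four-column table the text describes; the setup request fills three columns, the acknowledgment fills the fourth, data frames are label-swapped at every hop, and teardown deletes the rows.

```python
# Simulation of the three phases of a virtual-circuit network: setup request, setup
# acknowledgment (which fills in the outgoing VCI column), data transfer with VCI
# swapping at every switch, and teardown.
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    routing: dict                  # destination -> output port; consulted only during setup
    vci_pool: list                 # VCIs this switch may assign on its incoming links (assumed values)
    table: list = field(default_factory=list)    # rows with in_port, in_vci, out_port, out_vci
    pending: dict = field(default_factory=dict)  # (src, dst) -> row still missing its outgoing VCI

    def on_setup_request(self, in_port, src, dst):
        """Fill three of the four columns; the outgoing VCI is unknown until the acknowledgment."""
        row = {"in_port": in_port, "in_vci": self.vci_pool.pop(0),
               "out_port": self.routing[dst], "out_vci": None}
        self.table.append(row)
        self.pending[(src, dst)] = row      # the ack carries the global addresses to find this row
        return row["out_port"]

    def on_setup_ack(self, src, dst, downstream_vci):
        """Store the next hop's incoming VCI as our outgoing VCI; hand our incoming VCI upstream."""
        row = self.pending.pop((src, dst))
        row["out_vci"] = downstream_vci
        return row["in_vci"]

    def forward(self, in_port, in_vci):
        """Data transfer: look up (incoming port, incoming VCI), swap the label, pick the output port."""
        for row in self.table:
            if row["in_port"] == in_port and row["in_vci"] == in_vci:
                return row["out_port"], row["out_vci"]
        raise LookupError(f"{self.name}: no circuit for port {in_port} VCI {in_vci}")

    def on_teardown(self, in_port, in_vci):
        """Forward the teardown frame, then delete the entry."""
        out = self.forward(in_port, in_vci)
        self.table = [r for r in self.table
                      if not (r["in_port"] == in_port and r["in_vci"] == in_vci)]
        return out


class Network:
    def __init__(self, switches, links, host_vci):
        self.sw = {s.name: s for s in switches}
        self.links = links          # (node, out port) -> (next node, its in port)
        self.host_vci = host_vci    # destination host -> VCI it assigns for frames from the source

    def setup(self, src, dst):
        """Setup request hop by hop, then acknowledgments back; returns the VCI the source will use."""
        path = []
        node, port = self.links[(src, 0)]
        while node in self.sw:
            path.append((node, port))
            out_port = self.sw[node].on_setup_request(port, src, dst)
            node, port = self.links[(node, out_port)]
        if node != dst:
            raise LookupError(f"setup request ended at {node}, not {dst}")
        vci = self.host_vci[dst]                   # destination picks its own incoming VCI
        for name, _ in reversed(path):
            vci = self.sw[name].on_setup_ack(src, dst, vci)
        return vci

    def send(self, src, vci, teardown=False):
        """Push one frame along the circuit; returns (final node, VCI seen there, per-switch trace)."""
        trace = []
        node, port = self.links[(src, 0)]
        while node in self.sw:
            sw = self.sw[node]
            out_port, out_vci = sw.on_teardown(port, vci) if teardown else sw.forward(port, vci)
            trace.append((node, port, vci, out_port, out_vci))
            node, port = self.links[(node, out_port)]
            vci = out_vci
        return node, vci, trace


def demo():
    """Topology and VCI values chosen to reproduce the text's example (all assumed)."""
    net = Network(
        switches=[Switch("S1", routing={"B": 3}, vci_pool=[14]),
                  Switch("S2", routing={"B": 2}, vci_pool=[66]),
                  Switch("S3", routing={"B": 3}, vci_pool=[22])],
        links={("A", 0): ("S1", 1), ("S1", 3): ("S2", 1), ("S2", 2): ("S3", 2), ("S3", 3): ("B", 0)},
        host_vci={"B": 77},
    )
    source_vci = net.setup("A", "B")                 # 14: A labels its frames with S1's incoming VCI
    dst, final_vci, trace = net.send("A", source_vci)
    net.send("A", source_vci, teardown=True)         # tables are empty afterwards
    return source_vci, dst, final_vci, trace, [len(s.table) for s in net.sw.values()]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the frame entering switch 1 with VCI 14 and leaving with 66, entering switch 2 with 66 and leaving with 22, and entering switch 3 with 22 and reaching B with 77, exactly the relabelling described in the setup and acknowledgment steps. Note that a VCI by itself identifies nothing: a frame that arrives on a port with a VCI for which no row exists is simply undeliverable, which is why the tables, not the labels, are what a switch has to protect.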

Efficiency of Virtual-Circuit Networks:

A virtual-circuit network uses its resources efficiently, and if resources are reserved during
setup it removes the per-frame waiting time at the switches.

Delay in Virtual-Circuit Networks:

In a virtual-circuit network, there is a delay for setup and for teardown. If resources are
allocated during the setup phase, there is no wait time for individual packets. Figure 10 shows the delay
for a packet traveling through two switches in a virtual-circuit network.

Figure 10 Delay in a virtual-circuit network

The packet is traveling through two switches (routers). There are three transmission times (3T),
three propagation times (3τ), data transfer depicted by the sloping lines, setup delay (which includes
transmission and propagation in two directions), and teardown delay (which includes transmission
and propagation in one direction).

We ignore the processing time in each switch. The total delay time is

Total delay = 3T + 3τ + setup delay + teardown delay

Packet Switching versus Circuit Switching

| Packet Switching | Circuit Switching |
| 1. A packet-switched network is implemented in the network layer (datagram approach) or the data link layer (virtual-circuit approach). | 1. A circuit-switched network is implemented in the physical layer. |
| 2. The message is divided into a number of packets or frames. | 2. The complete message is transferred from source to destination. |
| 3. Resources are allocated on demand, if available (free). | 3. Resources are reserved for the whole data transfer. |
| 4. More efficient and less costly. | 4. Less efficient and more costly. |
| 5. A link can be used by any number of users; as the number of users increases, the bandwidth available to each user decreases. | 5. Only a fixed number of users can use a link, because the number of channels is fixed. |
| 6. Delay is unpredictable, because packets/frames wait at a switch if resources are not available. | 6. Less delay in data transmission. |
| 7. Suitable for most Internet applications. | 7. Suitable for real-time applications. |
Internet Standards:
Internet Engineering Task Force (IETF):
The IETF is an open international community concerned with the development and operation
of the Internet and its architecture. The IETF was formally established by the Internet Architecture
Board (IAB) in 1986. The IETF meets three times a year; much of its ongoing work is conducted via
mailing lists by working groups. Typically, based upon previous IETF proceedings, working groups
convene at meetings of the IETF to discuss the work of the IETF working groups. The IETF is
administered by the Internet Society, whose web site contains a great deal of high-quality, Internet-related
material.

The IETF (Internet Engineering Task Force) is the body that defines standard Internet
operating protocols such as TCP/IP. The IETF is supervised by the Internet Society's Internet
Architecture Board (IAB). IETF members are drawn from the Internet Society's individual and
organization membership. Standards are expressed in the form of Requests for Comments (RFCs). The
Internet Engineering Task Force (IETF) is an organized activity of the Internet Society (ISOC). It is an
open standards organisation, with no formal membership or membership requirements. All participants
and managers are volunteers, though their work is usually funded by their employers or sponsors.

The IETF started out as an activity supported by the US federal government, but since 1993 it has
operated as a standards development function under the auspices of the Internet Society, an
international membership-based non-profit organization. The mission of the IETF is to make the
Internet work better by producing high quality, relevant technical documents that influence the way
people design, use, and manage the Internet.

Institute of Electrical and Electronics Engineers (IEEE):

The Institute of Electrical and Electronics Engineers (IEEE) is a professional association with its
corporate office in New York City and its operations center in Piscataway, New Jersey. It was formed
in 1963 from the amalgamation of the American Institute of Electrical Engineers and the Institute of
Radio Engineers. Today it is the world's largest association of technical professionals with more than
400,000 members in chapters around the world. Its objectives are the educational and technical
advancement of electrical and electronic engineering, telecommunications, computer engineering and
allied disciplines.
The IEEE is best known for developing standards for the computer and electronics industry. In
particular, the IEEE 802 standards for LANs are widely followed. IEEE manages the Ethernet address
space and assigns addresses as needed.
IEEE is one of the leading standards-making organizations in the world. IEEE performs its
standards making and maintaining functions through the IEEE Standards Association (IEEE-SA). IEEE
standards affect a wide range of industries including: power and energy, biomedical and
healthcare, Information Technology (IT), telecommunications, transportation, nanotechnology,
information assurance, and many more. In 2013, IEEE had over 900 active standards, with over 500
standards under development. One of the more notable IEEE standards is the IEEE
802 LAN/MAN group of standards, which includes the IEEE 802.3 Ethernet standard and the IEEE
802.11 Wireless Networking standard.

Asynchronous Transfer Mode (ATM):

Asynchronous Transfer Mode is a network technology based on transferring data in cells, or packets of a fixed
size. The cell used with ATM is relatively small compared to the units used with older technologies. The
small, constant cell size allows ATM equipment to transmit video, audio, and computer data over the
same network, and assures that no single type of data hogs the line.
Some people think that ATM holds the answer to the Internet bandwidth problem, but others are
skeptical. ATM creates a fixed channel, or route, between two points whenever data transfer begins.
This differs from TCP/IP, in which messages are divided into packets and each packet can take a
different route from source to destination. This difference makes it easier to track and bill data usage
across an ATM network, but it makes it less adaptable to sudden surges in network traffic.
ATM (asynchronous transfer mode) is a dedicated-connection switching technology that
organizes digital data into 53-byte cell units and transmits them over a physical medium using digital
signal technology. Individually, a cell is processed asynchronously relative to other related cells and is
queued before being multiplexed over the transmission path.
Asynchronous transfer mode was designed with cells in mind. This is because voice data is
converted to packets and is forced to share a network with bursty data (large packet data) passing
through the same medium. So, no matter how small the voice packets are, they always encounter full-
sized data packets, and could experience maximum queuing delays. This is why all data packets should
be of the same size. The fixed cell structure of ATM means it can be easily switched by hardware
without the delays introduced by routed frames and software switching. This is why some people
believe that ATM is the key to the Internet bandwidth problem. ATM creates fixed routes between two
points before data transfer begins, which differs from TCP/IP, where data is divided into packets, each
of which may take a different route to get to its destination. This makes it easier to bill data usage.
However, an ATM network is less adaptable to a sudden network traffic surge.

ATM provides data link layer services that run on OSI Layer 1 physical links. It
functions much like small-packet switched and circuit-switched networks, which makes it ideal for
real-time, low-latency data such as VoIP and video, as well as for high-throughput data traffic like file
transfers. A virtual circuit or connection must be established before the two end points can actually
exchange data.

ATM services generally offer four different bit rate choices:

• Available Bit Rate (ABR): Provides a guaranteed minimum capacity, but data can be bursted to higher
capacities when network traffic is light.

• Constant Bit Rate (CBR): Specifies a fixed bit rate so that data is sent in a steady stream. This is
analogous to a leased line.

• Unspecified Bit Rate (UBR): Doesn't guarantee any throughput level and is used for applications such
as file transfers that can tolerate delays.

• Variable Bit Rate (VBR): Provides a specified throughput, but data is not sent evenly. This
makes it a popular choice for voice and videoconferencing.

ATM Service includes:


• Voice and video
• Packetized voice and video
• Systems Network Architecture (SNA)
• WAN/VPN connectivity
• Web hosting
• E-commerce
• Client-server (terminal-host) data
• LAN interconnection
• LAN emulation
• Remote access
• File transfer
• Internet/intranet/extranet access
◦ E-mail messaging
◦ Text imaging
• Forms processing
Use in the Internet: ATM is normally utilized by Internet service providers on their private long-distance
networks. ATM operates at the data link layer (Layer 2 in the OSI model) over either fiber or twisted-
pair cable.

International Telecommunication Union (ITU)

The ITU coordinates the shared global use of the radio spectrum, promotes international cooperation in
assigning satellite orbits, works to improve telecommunication infrastructure in the developing world,
and assists in the development and coordination of worldwide technical standards. The ITU is active in
areas including broadband Internet, latest-generation wireless technologies, aeronautical and maritime
navigation, radio astronomy, satellite-based meteorology, convergence in fixed-mobile phone, Internet
access, data, voice, TV broadcasting, and next-generation networks.
ITU also organizes worldwide and regional exhibitions and forums, such as ITU TELECOM WORLD,
bringing together representatives of government and the telecommunications and ICT industry to
exchange ideas, knowledge and technology.
ITU, based in Geneva, Switzerland, is a member of the United Nations Development Group. ITU has
been an intergovernmental public-private partnership organization since its inception. Its membership
includes 193 Member States and around 700 public and private sector companies as well as
international and regional telecommunication entities, known as Sector Members and Associates,
which undertake most of the work of each Sector.

• An organization based on public-private partnership since its inception, ITU currently has a
membership of 193 countries and over 700 private-sector entities and academic institutions.
ITU is headquartered in Geneva, Switzerland, and has twelve regional and area offices around
the world.
• ITU membership represents a cross-section of the global ICT sector, from the world's largest
manufacturers and carriers to small, innovative players working with new and emerging
technologies, along with leading R&D institutions and academia.

• Founded on the principle of international cooperation between governments (Member States)
and the private sector (Sector Members, Associates and Academia), ITU is the premier global
forum through which parties work towards consensus on a wide range of issues affecting the
future direction of the ICT industry.
Internet Protocol (IP)

• The Internet Protocol (IP) is a network-layer (Layer 3) protocol that contains addressing
information and some control information that enables packets to be routed.

• IP is documented in RFC 791 and is the primary network-layer protocol in the Internet protocol
suite. Along with the Transmission Control Protocol (TCP), IP represents the heart of the
Internet protocols.

• IP has two primary responsibilities: providing connectionless, best-effort delivery of datagrams
through an internetwork; and providing fragmentation and reassembly of datagrams to support
data links with different maximum transmission unit (MTU) sizes.

IP Packet Format
Packets in the IP layer are called datagrams. A datagram is divided into two parts: header and data.
The header can be from 20 to 60 bytes and contains information for routing and delivery of data.

IP packet fields, in detail:

• Version: Indicates the version of IP currently used (4 for IPv4).
• IP Header Length (IHL): Indicates the datagram header length in 32-bit words (minimum 5, i.e. 20 bytes;
a larger value means options are present).
• Type-of-Service: Specifies how an upper-layer protocol would like the current datagram to
be handled, and assigns datagrams various levels of importance.
• Total Length: Specifies the length, in bytes, of the entire IP packet, including the header
and the data.
• Identification: Contains an integer that identifies the current datagram. This field is used to
help piece together datagram fragments.
• Flags: A 3-bit field of which the two low-order (least-significant) bits control fragmentation.
The middle bit (DF, Don't Fragment) specifies whether the packet may be fragmented; the low-order
bit (MF, More Fragments) specifies whether further fragments follow, so it is clear on the last fragment
in a series. The high-order bit is reserved and must be zero.
• Fragment Offset: Indicates the position of the fragment's data relative to the beginning of
the data in the original datagram, in 8-byte units, which allows the destination IP process to properly
reconstruct the original datagram.
• Time-to-Live: Maintains a counter that is decremented at each hop down to zero, at which point
the datagram is discarded. This keeps packets from looping endlessly.
• Protocol: Indicates which upper-layer protocol receives incoming packets after IP processing
is complete.
• Header Checksum: Helps ensure IP header integrity against accidental corruption. It is not a security
mechanism: anyone on the path can rewrite the header and recompute it.
• Source Address: Specifies the sending node.
• Destination Address: Specifies the receiving node.
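A parser for the header laid out above, written as an added example for this page (it is not code from the page or from RFC 791). It decodes every field listed, verifies the header checksum the way a router does (the one's complement sum over the whole header, checksum field included, must come out as 0xFFFF), and rejects the malformed cases a practitioner has to think about: a truncated buffer, an IHL smaller than 5, and a Total Length that disagrees with what actually arrived. The `build_ipv4` helper and the `SAMPLE` datagram exist only to construct input offline; the addresses, ports and payload in it are made up.

```python
# IPv4 header parser with checksum verification and basic sanity checks.
import struct
from dataclasses import dataclass


@dataclass
class IPv4Header:
    version: int
    ihl: int               # header length in 32-bit words (5..15)
    tos: int
    total_length: int      # header + data, in bytes
    identification: int
    flags: int             # 3 bits: reserved, DF, MF
    fragment_offset: int   # in units of 8 bytes
    ttl: int
    protocol: int
    checksum: int
    src: str
    dst: str
    options: bytes

    @property
    def dont_fragment(self) -> bool:
        return bool(self.flags & 0b010)

    @property
    def more_fragments(self) -> bool:
        return bool(self.flags & 0b001)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (the RFC 1071 procedure)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Checksum of a header whose checksum field is currently zero."""
    return (~ones_complement_sum(header)) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, *, ttl=64, protocol=17,
               identification=0x1234, df=True, mf=False, offset=0, options=b"") -> bytes:
    """Assemble header + payload. Used here only to construct test input."""
    options += b"\x00" * (-len(options) % 4)      # options are padded to a 32-bit boundary
    ihl = 5 + len(options) // 4
    flags_off = (((int(df) << 1) | int(mf)) << 13) | offset
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                        identification, flags_off, ttl, protocol, 0,
                        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    header = fixed + options
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:] + payload


def parse_ipv4(buf: bytes) -> IPv4Header:
    """Decode and validate a datagram; raises ValueError for anything a router would drop."""
    if len(buf) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    (vihl, tos, tlen, ident, flags_off, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 5:
        raise ValueError(f"IHL {ihl} is below the minimum of 5 words")
    hlen = ihl * 4
    if len(buf) < hlen or tlen < hlen or tlen > len(buf):
        raise ValueError("header/total length inconsistent with the received buffer")
    # With the checksum field included, a valid header sums to 0xFFFF.
    if ones_complement_sum(buf[:hlen]) != 0xFFFF:
        raise ValueError("header checksum mismatch")
    return IPv4Header(version, ihl, tos, tlen, ident, flags_off >> 13, flags_off & 0x1FFF,
                      ttl, proto, csum, ".".join(map(str, src)), ".".join(map(str, dst)),
                      buf[20:hlen])


def payload_of(buf: bytes) -> bytes:
    """The data part, bounded by Total Length rather than by the buffer."""
    h = parse_ipv4(buf)
    return buf[h.ihl * 4:h.total_length]


def is_valid_ipv4(buf: bytes) -> bool:
    try:
        parse_ipv4(buf)
        return True
    except ValueError:
        return False


# Constructed sample: a UDP datagram (protocol 17) from 192.168.1.10 to 10.0.0.5 with DF set.
SAMPLE = build_ipv4("192.168.1.10", "10.0.0.5", b"hello", ttl=64, protocol=17, df=True)

if __name__ == "__main__":
    print(parse_ipv4(SAMPLE))
    print(payload_of(SAMPLE))
```

The length checks come before the checksum on purpose: a header that lies about its own size would otherwise drive the checksum loop past the end of the buffer. Flipping any header byte of `SAMPLE` without recomputing the checksum makes `is_valid_ipv4` return False, which shows what the checksum catches; recomputing it after the flip makes the packet valid again, which shows what it does not.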

IP Addresses
• TCP/IP version 4 (IPv4) uses a 32-bit logical address and IPv6 uses a 128-bit logical
address.

• An IPv4 address is written in dotted decimal notation, for example 123.22.33.44.

• An IP address is divided into a net id (network id) and a host id.

• IP addresses are divided into five classes: Class A, Class B, Class C, Class D and Class E.

| Class | First bits | First address | Last address | No. of networks | No. of hosts |
| Class A | 0 | 1.0.0.0 | 126.255.255.254 | 2^7 - 2 = 126 | 2^24 - 2 |
| Class B | 10 | 128.0.0.0 | 191.255.255.254 | 2^14 | 2^16 - 2 |
| Class C | 110 | 192.0.0.0 | 223.255.255.254 | 2^21 | 2^8 - 2 |
| Class D | 1110 | 224.0.0.0 | 239.255.255.255 | Multicast (no net/host split) | |
| Class E | 1111 | 240.0.0.0 | 255.255.255.255 | Reserved | |

Class A:

Net ID Host ID
======8======> =====================24========================>
8 bit 8 bit 8 bit 8 bit

• It uses the first octet for the network address, to uniquely identify the network, and the remaining three octets
for the host address, to uniquely identify the host on that network.

• An important rule is that the network address cannot have all 8 bits 0 (zero).

• The first bit is set to zero for class A, so the following 7 bits in the first octet are used to distinguish the
network from other networks.

• That gives 2^7 = 128 network numbers, 0 to 127; network 0 is reserved and 127 is the loopback network,
leaving 126 usable class A networks, 1 to 126.

• Similar to the rule that the network portion of the address cannot be all 0s, the host portion of
the address cannot be all 0s and it cannot be all 1s.

• A host portion with all 1s refers to an IP broadcast address.

• And the host portion with all 0s is a reference to the network.

• A class A network has 2^24 - 2 = 16,777,214 hosts.

• You subtract 2 because addresses with all 0s and all 1s are invalid as host addresses.


Class B:

Net ID Host ID
=============16===============> ===========16=================>
8 bit 8 bit 8 bit 8 bit

• It uses the first two octets for the network address, to uniquely identify the network, and the remaining two octets
for the host address, to uniquely identify the host on that network.

• With 10 in the first 2 bits, the following 6 bits in the first octet and all 8 bits in the second octet,
a total of 14 bits, are used to distinguish this network from all other networks.

• Hence 2^14 = 16,384 class B networks.

• And 2^16 - 2 = 65,534 hosts on a class B network.

Class C:

Net ID Host ID
===================24=========================> ======8======>

8 bit 8 bit 8 bit 8 bit

• It uses the first three octets for the network address, to uniquely identify the network, and the last octet
for the host address, to uniquely identify the host on that network.

• With 110 in the first 3 bits, the following 5 bits in the first octet, all 8 bits in the second octet and
all 8 bits in the third octet, a total of 21 bits, are used to distinguish this network from all other
networks.

• Hence 2^21 = 2,097,152 class C networks.

• And 2^8 - 2 = 254 hosts on a class C network.


Class D:

• In the first octet, the first 4 bits are 1110.

• Class D addresses are called multicast addresses and cannot be assigned to a host. The purpose of a
multicast address is to enable a server somewhere to send data to a class D address that no single host
owns, so that several hosts can listen to that address at the same time. When you are watching TV on the
Internet or listening to the radio on the Internet, your computer is listening to a class D address. No server
is sending data directly to your workstation; instead, a server is sending data to the multicast address. Any
host can use software to listen for data at that address, and many hosts can be listening at once.

Class E:

• In the first octet, the first 4 bits are 1111.

• Class E addresses are reserved addresses and are not valid host addresses. They are set aside for
experimental purposes by the IETF.

Special Addresses:
• Addresses reserved for private use
Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255
• Loopback addresses
127.0.0.0 to 127.255.255.255: for testing the local TCP/IP stack; a packet sent there never leaves the host.
These cannot be used for host addressing.
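The classful decoding described in this section, written out as an added example for this page (not code from the page). `classify` reads the class from the leading bits of the first octet, splits the address into net id and host id at the class boundary, and then applies the special-case rules the text lists: network 0 and the loopback network in class A, the all-0s host part (network address), the all-1s host part (directed broadcast), and the three private ranges. The sample addresses in the `__main__` block are made up.

```python
# Classful decoding of an IPv4 address: class from the leading bits, net id / host id split,
# and the special cases the text lists (network address, directed broadcast, loopback, private ranges).

PRIVATE_RANGES = (                      # the three IANA private blocks listed in the text
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
)


def to_int(addr: str) -> int:
    """Dotted decimal -> 32-bit integer, rejecting anything that is not four octets of 0..255."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not dotted decimal: {addr!r}")
    n = 0
    for o in octets:
        v = int(o)
        if not 0 <= v <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        n = (n << 8) | v
    return n


def to_str(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify(addr: str) -> dict:
    n = to_int(addr)
    first = n >> 24
    if first >> 7 == 0b0:
        cls, net_bits = "A", 8
    elif first >> 6 == 0b10:
        cls, net_bits = "B", 16
    elif first >> 5 == 0b110:
        cls, net_bits = "C", 24
    elif first >> 4 == 0b1110:
        return {"address": addr, "class": "D", "kind": "multicast"}
    else:
        return {"address": addr, "class": "E", "kind": "reserved"}

    host_bits = 32 - net_bits
    net_id = n >> host_bits
    host_id = n & ((1 << host_bits) - 1)
    info = {
        "address": addr, "class": cls,
        "network": to_str(net_id << host_bits),
        "net_id": net_id, "host_id": host_id,
        "usable_hosts": (1 << host_bits) - 2,   # all-0s and all-1s host parts are not assignable
    }
    if first == 127:
        info["kind"] = "loopback"
    elif first == 0:
        info["kind"] = "reserved (network 0)"
    elif host_id == 0:
        info["kind"] = "network address"
    elif host_id == (1 << host_bits) - 1:
        info["kind"] = "directed broadcast"
    elif any(to_int(lo) <= n <= to_int(hi) for lo, hi in PRIVATE_RANGES):
        info["kind"] = "private host"
    else:
        info["kind"] = "public host"
    return info


if __name__ == "__main__":
    for a in ("10.0.0.1", "172.20.5.6", "192.168.1.255", "224.0.0.1", "127.0.0.1", "8.8.8.8"):
        print(classify(a))
```

Two practical notes. First, the private and loopback checks are exactly the ones a border filter applies: a packet arriving from the Internet whose source `classify` reports as "private host" or "loopback" cannot be legitimate and should be dropped. Second, the class boundaries here are the historical ones; today's Internet routes on explicit prefix lengths (CIDR), so the net/host split of a real address comes from its configured mask, not from its first bits.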
Books
1. Data & Computer Communications, by William Stallings
2. Internetworking with TCP/IP: Principles, Protocols and Architecture, by Douglas E. Comer
3. Computer Networking, by Kurose and Ross
4. Computer Networks: A Systems Approach, by Larry L. Peterson and Bruce S. Davie
5. Data Communications and Networking, by Behrouz A. Forouzan
FIREWALL

Introduction
Many organizations have confidential or proprietary information, such as trade secrets, product
development plans, marketing strategies, etc., which should be protected from unauthorized access and
modification. One possible approach is to use suitable encryption/decryption techniques for the transfer of data
between two secure sites, as discussed in the previous lesson. Although these techniques can be
used to protect data in transit, they do not protect data from digital pests and hackers. To accomplish this it is
necessary to perform user authentication and access control to protect the networks from unauthorized
traffic. This is the job of a firewall. A firewall system is an electronic security guard and an electronic barrier
at the same time. It protects and controls the interface between a private network and an insecure public
network, as shown in the simplified diagram of Fig. 8.3.1. It is responsible for partitioning a designated area
such that any damage on one side cannot spread to the other side. It prevents bad things from happening, i.e.
loss of information, without preventing good things from happening, that is, controlled exchange of
information with the outside world. It essentially enforces an access control policy between two networks.
The manner in which this is implemented varies widely, but in principle the firewall can be considered as a
pair of mechanisms: one that is used to block traffic, and the other that is used to permit traffic. Some
firewalls place more emphasis on blocking traffic, while others emphasize permitting traffic. Probably
the most important thing to understand about a firewall is the access control policy it implements. If a firewall
administrator has no idea about what or whom he is protecting his network from, what should be allowed and
what should be prohibited, a firewall really won't help his organization. As a firewall is a mechanism for
enforcing policy, which affects all the persons behind it, it imposes a heavy responsibility on the
administrator of the firewall. In this lesson various issues related to firewalls are discussed.

Figure 8.3.1 Schematic diagram of a firewall

Why is a Firewall needed?

There would be no need for a firewall if each and every host of a private network were properly secured.
Unfortunately, in practice the situation is different. A private network may consist of different platforms
with diverse operating systems and applications running on them. Many of the applications were designed and developed
for an ideal environment, without considering the possibility that bad guys exist. Moreover, most
corporate networks are not designed for security. Therefore, it is essential to deploy a firewall to
protect the vulnerable infrastructure of an enterprise.
Access Control Policies
Access control policies play an important role in the operation of a firewall. The policies can be broadly
categorized into the following four types:
Service Control:
Determines the types of Internet services that may be accessed
Filters traffic based on IP addresses and TCP port numbers
Provides proxy servers that receive and interpret service requests before they are passed on
Direction Control:
Determines the direction in which a particular service request may be initiated and allowed to flow through
the firewall
User Control:
Controls access to a service according to which user is attempting to access it
Typically applied to the users inside the firewall perimeter
Can be applied to external users too, by using a secure authentication technique
Behavioral Control:
Controls how a particular service is used
For example, a firewall may filter e-mail to eliminate spam
A firewall may expose only a portion of the information on a local web server to an external user

Firewall Capabilities
Important capabilities of a firewall system are listed below:
It defines a single choke point to keep unauthorized users out of the protected network
It prohibits potentially vulnerable services from entering or leaving the network
It provides protection from various kinds of IP spoofing
It provides a location for monitoring security-related events
Audits and alarms can be implemented on the firewall system
A firewall is a convenient platform for several Internet functions that are not security related
A firewall can serve as the platform for IPSec, using the tunnel mode capability, and can be used to
implement VPNs

Limitations of a Firewall
The main limitations of a firewall system are given below:
A firewall cannot protect against attacks that bypass the firewall. Many organizations buy expensive
firewalls but neglect numerous other back doors into their network.
A firewall does not protect against internal threats from traitors. An attacker may be able to break into a
network by completely bypassing the firewall, if he can find a ``helpful'' insider who can be fooled into
giving access to a modem pool.
Firewalls can't protect against tunneling over most application protocols. For example, a firewall cannot
protect against the transfer of virus-infected programs or files.
Types of Firewalls
Firewalls can be broadly categorized into the following three types:
Packet Filters
Application-level Gateways
Circuit-level Gateways
Packet Filters: A packet filtering router applies a set of rules to each incoming IP packet and then forwards or
discards it. A packet filter is typically set up as a list of rules based on matches of fields in the IP or TCP header. An
example table of telnet filter rules is given in Fig. 8.3.2. The packet filter operates with positive filter rules: it is
necessary to specify what should be permitted, and everything that is not explicitly permitted is automatically
forbidden.

Figure 8.3.2 A table of packet filter rules for the telnet application
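A packet filter of the kind just described, written as an added example for this page (the figure's actual rule table is not reproduced here, so the two telnet rules below are constructed in its spirit; the inside network 192.168.1.0/24, the interface names and the sample packets are all assumed). It evaluates an ordered list of positive rules, applies the direction-control and anti-spoofing checks the text attributes to firewalls, falls through to a default deny, and records every verdict so that the decisions can be audited.

```python
# A small stateless packet filter: an ordered list of positive rules, an anti-spoofing check on
# the external interface, and a default-deny verdict; every decision is written to a log.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = ip_network("192.168.1.0/24")   # assumed private network behind the filter


@dataclass(frozen=True)
class Packet:
    iface: str         # "ext": arrived from the Internet; "int": arrived from the private network
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False  # TCP connection opener (SYN without ACK)


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    iface: str                       # interface the packet arrives on (direction control)
    src: str                         # CIDR; 0.0.0.0/0 matches any address
    dst: str
    proto: str                       # or "any"
    dport: Optional[int] = None
    sport: Optional[int] = None
    established_only: bool = False   # match only segments that do not open a connection
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.sport is None or self.sport == p.sport)
                and not (self.established_only and p.syn))


class PacketFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []     # (verdict, src, dst, proto, dport, reason)

    def decide(self, p: Packet) -> str:
        # anti-spoofing: a packet from the outside must not claim an inside source address
        if p.iface == "ext" and ip_address(p.src) in INSIDE:
            return self._record(p, "deny", "spoofed inside source on external interface")
        for r in self.rules:               # first matching rule wins
            if r.matches(p):
                return self._record(p, r.action, r.comment)
        return self._record(p, "deny", "default: not explicitly permitted")

    def _record(self, p, verdict, reason):
        self.log.append((verdict, p.src, p.dst, p.proto, p.dport, reason))
        return verdict


# Constructed rules in the spirit of the text's telnet table: inside hosts may open telnet
# sessions to the outside and receive the replies; nothing may open telnet from outside.
TELNET_RULES = [
    Rule("permit", "int", "192.168.1.0/24", "0.0.0.0/0", "tcp", dport=23, comment="outbound telnet"),
    Rule("permit", "ext", "0.0.0.0/0", "192.168.1.0/24", "tcp", sport=23,
         established_only=True, comment="replies to outbound telnet"),
]


def run_demo():
    fw = PacketFilter(TELNET_RULES)
    packets = [   # constructed traffic
        Packet("int", "192.168.1.10", "203.0.113.5", "tcp", 40001, 23, syn=True),   # inside opens telnet
        Packet("ext", "203.0.113.5", "192.168.1.10", "tcp", 23, 40001),             # server reply
        Packet("ext", "203.0.113.5", "192.168.1.10", "tcp", 23, 40001, syn=True),   # opener from port 23
        Packet("ext", "198.51.100.9", "192.168.1.10", "tcp", 50000, 23, syn=True),  # inbound telnet
        Packet("ext", "192.168.1.77", "192.168.1.10", "udp", 53, 53),               # spoofed inside source
    ]
    return [fw.decide(p) for p in packets], fw.log


if __name__ == "__main__":
    for verdict, entry in zip(*run_demo()):
        print(verdict, entry)
```

The second rule shows the classic limit of a stateless filter: it can only tell a reply from a new connection by looking at the SYN flag, so a non-SYN segment sent from source port 23 by an outsider still matches it. A stateful filter instead remembers the connections that inside hosts actually opened and admits only their replies, which is what the circuit-level and application-level gateways below do at a higher layer.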


Application-level Gateway: An application-level gateway, also called a proxy server, acts as a relay of
application-level traffic. Users contact the gateway using an application, and the request is served after
authentication. The application gateway is service specific, for example FTP, TELNET, SMTP or HTTP.
Circuit-level Gateway: A circuit-level gateway can be a standalone or a specialized system. It does not
allow an end-to-end TCP connection; the gateway sets up two TCP connections. Once the TCP connections
are established, the gateway relays TCP segments from one connection to the other without examining the
contents. The security function determines which connections will be allowed and which are to be
disallowed.
Bastion Host
An application-level gateway is sometimes known as a bastion host. It is a system identified by the firewall
administrator as a very critical point in the network's security. It serves as a platform for an application-
level or circuit-level gateway. It runs a hardened version of the OS and is configured to be very secure. It
is necessary to perform additional authentication before a user is allowed to access the gateway. Each proxy
server is configured to perform the following:
• Support only a subset of the application's command set
• Allow access only to specific host systems
• Maintain detailed audit information
Network Address Translation
NAT works by using one set of addresses for communications on the Internet and a separate set of
addresses for communication on the private network. IANA set aside the three ranges of IP addresses given
below for communication on internal networks.
Class A addresses: 10.0.0.0 – 10.255.255.255
Class B addresses: 172.16.0.0 – 172.31.255.255
Class C addresses: 192.168.0.0 – 192.168.255.255
As these addresses are reserved for internal network addressing, they are not routable on the public Internet. The firewall
performs translation of an internal address to an external IP address and vice versa to facilitate
communication between the private and the public network, as shown in Fig. 8.3.3. In addition, NAT
affords a substantial degree of security by preventing direct communication with internal hosts. Moreover, NAT allows the use
of the same IP addresses in different private networks. This prolongs the life expectancy of IPv4 on the Internet.
Without NAT the supply of IP addresses would have been exhausted long ago.
Figure 8.3.3 Function of a Network Address Translator
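The translation the figure describes, written as an added example for this page (not code from the page). It implements the port-based variant (NAPT), which is how a single public address is commonly shared by many private hosts: an outbound packet has its private source rewritten to the public address plus a fresh port, the mapping is remembered, and an inbound packet is rewritten back only if an inside host started that flow. The public address 203.0.113.1, the remote server and the private hosts are all assumed.

```python
# Port-based NAT (NAPT): inside (address, port) pairs are mapped to distinct ports on one public
# address; inbound packets without a matching mapping are dropped.
from ipaddress import ip_address, ip_network
from itertools import count

PRIVATE_BLOCKS = [ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True for the three IANA ranges listed in the text."""
    a = ip_address(addr)
    return any(a in blk for blk in PRIVATE_BLOCKS)


class NAPT:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.outbound = {}   # (inside ip, inside port, remote ip, remote port) -> public port
        self.inbound = {}    # (public port, remote ip, remote port) -> (inside ip, inside port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the private network; create the mapping on first use."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an internal address")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            pub_port = next(self._next_port)
            self.outbound[key] = pub_port
            self.inbound[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.outbound[key], dst_ip, dst_port

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of a packet arriving from the Internet.

        Returns None when no inside host initiated the flow: the packet is dropped, which is
        the 'no direct communication' property the text attributes to NAT.
        """
        if dst_ip != self.public_ip:
            return None
        inside = self.inbound.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return src_ip, src_port, inside[0], inside[1]


def demo():
    """Two private hosts, same local port, same server: they must get different public ports."""
    nat = NAPT("203.0.113.1")
    out1 = nat.translate_outbound("192.168.0.10", 5000, "198.51.100.7", 80)
    out2 = nat.translate_outbound("192.168.0.11", 5000, "198.51.100.7", 80)
    reply = nat.translate_inbound("198.51.100.7", 80, "203.0.113.1", out2[1])   # answer to host .11
    stray = nat.translate_inbound("198.51.100.7", 80, "203.0.113.1", 40002)     # nobody asked for this
    return out1, out2, reply, stray


if __name__ == "__main__":
    print(demo())
```

The mapping key includes the remote address and port, so a reply is only accepted from the host the inside machine actually talked to; a NAT that keyed only on the public port would let any outsider who guesses a port number reach the inside host. Note also what NAT does not do: the translated packets are not inspected, so the filtering and proxying described elsewhere in this lesson are still needed in front of it.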
Firewall Configurations
Firewalls are typically configured in one of the following four ways:
Screened host firewall system (single-homed bastion host)
Screened host firewall system (dual-homed bastion host)
Screened subnet firewall system (single-homed bastion host)
• Screened subnet firewall system (dual-homed bastion host)
Screened host firewall system: In the case of a single-homed bastion host, the packets come in and go out over
the same network interface, as shown in Fig. 8.3.4. So the application gateway cannot
guarantee that all packets are analyzed and checked. For Internet traffic, only IP packets destined for the bastion
host are allowed. For intranet traffic, only IP packets from the bastion host are allowed. The bastion host performs
authentication and proxy functions. This configuration affords flexibility in providing direct Internet access. If
the packet filtering router is completely compromised, traffic could flow directly through the router between the
Internet and the other hosts in the private network. In the case of a dual-homed bastion host, the application gateway has
two separate network interfaces, as shown in Fig. 8.3.5. As a consequence, it has complete control over the
packets.

Figure 8.3.4 Screened subnet, single-homed bastion host

Figure 8.3.5 Screened subnet, dual-homed bastion host

Active Firewall Elements

The structure of an active firewall element, which is integrated in the communication interface between the
insecure public network and the private network, is shown in Fig. 8.3.6. To provide the necessary security
services, the following components are required:
Integration Module: It integrates the active firewall element into the communication system with the help
of device drivers. In the case of packet filters, the integration is above the Network Access Layer, whereas it is
above the Transport layer ports in the case of an Application Gateway.
Analysis Module: Based on the capabilities of the firewall, the communication data is analysed in the
Analysis Module. The results of the analysis are passed on to the Decision Module.
Decision Module: The Decision Module evaluates and compares the results of the analysis with the security
policy definitions stored in the Ruleset, and the communication data is allowed or prevented based on the
outcome of the comparison.
Processing Module for Security-related Events: Based on the ruleset, configuration settings and the message
received from the decision module, it writes to the logbook and generates alarm messages to the Security
Management System.
Authentication Module: This module is responsible for the identification and authentication of the
instances that communicate through the firewall system.
Ruleset: It contains all the information necessary to make a decision for or against the transmission of
communication data through the firewall, and it also defines the security-related events to be logged.
Logbook: All security-related events that occur during operation are recorded in the logbook based on the
existing ruleset.
Security Management System: It provides an interface where the administrator enters and maintains the
ruleset. It also analyses the data entered in the logbook.
Figure 8.3.6 Components of the active firewall system

