December 3
Chapter 7: Telecommunications and Network Security (part II)
Media access methods deal with how systems communicate over the medium. The maximum transmission unit (MTU) indicates how much data one frame can carry.
Token passing uses a 24-bit token (message frame). A computer must wait for a free token before it can send a message.
CSMA (Carrier Sense Multiple Access) is used in Ethernet. Computers monitor transmission activity and wait until the carrier is free (absence of carrier) before transmitting. If two computers transmit at the same time they compete (contention) and a collision occurs; each then waits a random back-off time and retransmits. This is CSMA/CD (with Collision Detection). With CSMA/CA (Collision Avoidance) computers announce their intent to transmit so that the others do not send at the same time (for example 802.11 WLAN).
A collision domain is a group of computers on the same segment where collisions can happen.
With polling, some stations are primary and others secondary; a primary station asks each secondary whether it has something to transmit.
The physical address of a network interface card (NIC) is its Media Access Control (MAC) address, which is unique.
MAC and IP addresses must be correctly mapped. This is the job of ARP (Address Resolution Protocol). A system sends an ARP request asking who owns an IP address; only the corresponding computer should respond. The system then keeps the mapping in its ARP table. Attackers perform ARP table poisoning by changing the addresses in these tables (a masquerading attack).
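Added example, not from the original notes: a small ARP-table monitor in Python that processes a constructed sequence of ARP replies, keeps the gateway mapping as a pinned static entry, and reports replies that contradict it, MAC changes for learned IPs, and one MAC answering for several IPs. The addresses, MACs and the function name are assumptions.

```python
from collections import defaultdict

# Constructed ARP replies as (ip, mac) pairs in the order seen on one segment.
# Documentation addresses (192.0.2.0/24) and made-up MACs, not captured traffic.
ARP_REPLIES = [
    ("192.0.2.1", "00:11:22:33:44:01"),   # default gateway announces itself
    ("192.0.2.10", "00:11:22:33:44:0a"),  # a workstation
    ("192.0.2.1", "00:11:22:33:44:01"),   # gateway again, unchanged
    ("192.0.2.1", "00:11:22:33:44:EE"),   # gateway IP claimed by a different MAC
    ("192.0.2.10", "00:11:22:33:44:ee"),  # same MAC now claims the workstation too
    ("192.0.2.20", "00:11:22:33:44:ee"),  # and a third address
]

# Mappings pinned by the administrator (a static ARP entry for the gateway
# is the usual defence for the table entry that matters most).
STATIC_ENTRIES = {"192.0.2.1": "00:11:22:33:44:01"}


def process_arp_replies(replies, static=STATIC_ENTRIES):
    """Build an ARP table from replies and return (table, alerts).

    Static entries are never overwritten; a reply contradicting one is
    dropped and reported. Dynamic entries are learned as an OS would, but
    a MAC change for a known IP is reported, as is one MAC answering for
    several IPs (proxy ARP or a multi-homed host can also cause the latter,
    so treat it as a lead, not proof).
    """
    table = {ip: mac.lower() for ip, mac in static.items()}
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in static:
            if mac != table[ip]:
                alerts.append(f"{ip}: reply from {mac} ignored, pinned to {table[ip]}")
            continue
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ip}: moved from {old} to {mac}")
        table[ip] = mac
    ips_by_mac = defaultdict(list)
    for ip, mac in table.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac}: answers for {sorted(ips)}")
    return table, alerts
```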
DHCP (Dynamic Host Configuration Protocol) assigns IP addresses dynamically when a computer comes up. The system sends a RARP (Reverse ARP) request and the server responds with the corresponding IP address. BOOTP (Boot Protocol) is an evolution of RARP with more functions, but today most systems use DHCP.
ICMP (Internet Control Message Protocol) is used to test connectivity (ping). It also reports delays and routing problems, and is used by connectionless protocols.
The Loki attack uses ICMP to transmit data and gain access to a compromised computer.
Individual networks are called ASs (Autonomous Systems); an AS is made up of routers using a common IGP (Interior Gateway Protocol). Border routers run exterior protocols to talk to other ASs. Routing protocols can be dynamic (they discover routes and build routing tables) or static (tables are configured by hand). When routes keep changing this is called route flapping. Types of routing protocols are:
- Distance-vector (based on a distance, the number of hops, and a vector, the direction): RIP (Routing Information Protocol) has slow performance and should be used only in small networks. IGRP (Interior Gateway Routing Protocol, Cisco proprietary) uses five criteria to make routing decisions.
- Link-state (uses a topology database and is more accurate): OSPF (Open Shortest Path First) allows hierarchical routing.
The exterior routing protocol is BGP (Border Gateway Protocol), which uses a combination of distance-vector and link-state techniques.
Attacks against routers commonly use spoofed ICMP messages (to submit wrong routing table information). Most routers do not switch on authentication.
Network devices are:
- repeaters (simply repeat the signal, no intelligence: hub or concentrator)
- bridges (used to connect LAN segments; work with MAC addresses; isolate collision domains. Bridges are sensitive to broadcast storms because they broadcast on every segment). Bridges use forwarding tables to remember which computer is on which port (Spanning Tree Algorithm, STA) = transparent bridging. With source routing the packets themselves contain the information required to route them (this should not be allowed through border routers).
- a local bridge connects LAN segments
- a remote bridge connects LANs over a MAN through telecommunication services
- a translation bridge is used when the LANs use different protocols
- routers (work at the network layer, look at IP addresses, use routing tables and access control lists, and modify header information such as the TTL)
- switches (combine repeater and router technologies; only the corresponding ports are involved, so contention and collisions are not an issue). There are layer 2, 3 and 4 switches = multilayer switches (QoS, traffic prioritization...)
- Layer 3 and layer 4 switches use tags to inform other switches which route they should use (Multiprotocol Label Switching, MPLS) and are used for QoS, e.g. video conferencing. They can provide Virtual LANs (VLANs), which bring control over the environment. Computers on two separate VLANs require a router to communicate with each other.
- Gateway (a general term for a device that connects two networks and provides some kind of translation because the protocols differ). A NAS is an example of a gateway, as is an e-mail gateway translating from Exchange to X.400.
- PBX (Private Branch Exchange) is a private telephone switch with many kinds of connections (analog voice, digital voice, data). A phreaker is a phone hacker who attacks PBXs using brute force and other techniques.
- Firewalls (restrict access from one network to another). A firewall can filter packets, make decisions based on the policy, redirect packets, discard packets... Firewalls are set up to build a Demilitarized Zone (DMZ), a network segment acting as a buffer between the bad (the Internet) and the good (the LAN). Types of firewalls are:
- Packet filtering uses ACLs (rules) to determine whether a packet is allowed or not. They look only at the header and use routing tables. They are less secure but offer better performance.
- Stateful firewalls are able to recognize the connection to which each packet belongs and can make decisions based on the connections taking place. They must keep a dynamic state table and are more complex. They are the target of many DoS attacks.
- Proxy firewalls inspect messages before relaying them. A proxy breaks the communication channel and rebuilds the packets (only the firewall's IP information remains visible). Some are multihomed, that is, they have multiple NICs and bind several networks together.
- Application-level proxies inspect packets up to the application layer. They understand various services and can decide whether a protocol is not built correctly.
- Circuit-level proxies only know about the client and the server and make decisions based on this communication. They are used when an application is unknown and cannot be controlled at the application level. An example is SOCKS (each client must have the SOCKS software).
- Dynamic packet filtering allows a client to use an application on a random port above 1023: the firewall recognizes it and allows communication through this port only for this application. It uses ACLs to remember connections. (4th-generation firewall)
- Kernel proxy is the 5th-generation firewall and builds dynamic, customized TCP/IP stacks when packets need to be evaluated. The packet is evaluated in a virtual stack built into the kernel, so it is faster than a proxy firewall because it is not a separate piece of software that does the job.
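Added example, not part of the original notes: a Python comparison of the packet-filtering and stateful/dynamic filtering decisions described above, run over constructed traffic. The packet model, rule set, addresses and function names are assumptions. It shows why a stateless ACL that lets web replies back in to ports above 1023 also admits an unsolicited packet whose sender merely set source port 80, while a state table admits only replies to flows it has tracked.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN to Internet, "in" = Internet to LAN
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection

def stateless_filter(pkt):
    """Packet-filtering firewall: decides on header fields only."""
    if pkt.direction == "out" and pkt.dport == 80:
        return "allow"
    # Browsing only works if replies from port 80 to ephemeral ports are let in,
    # and a header-only rule cannot tell a reply from an unsolicited packet.
    if pkt.direction == "in" and pkt.sport == 80 and pkt.dport > 1023:
        return "allow"
    return "deny"

class StatefulFilter:
    """Stateful/dynamic packet filter: admits inbound only for tracked flows."""
    def __init__(self):
        self.state = set()  # entries: (lan_ip, lan_port, remote_ip, remote_port)

    def decide(self, pkt):
        if pkt.direction == "out":
            flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and pkt.dport == 80:
                self.state.add(flow)  # ephemeral port opened for this flow only
                return "allow"
            return "allow" if flow in self.state else "deny"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reverse in self.state else "deny"

# Constructed traffic (documentation addresses): one legitimate web connection
# and one unsolicited inbound packet that forges source port 80.
LAN, WEB, OUTSIDER = "192.0.2.10", "203.0.113.5", "198.51.100.7"
SAMPLE = [
    Packet("out", LAN, 40001, WEB, 80, syn=True),  # browser opens a connection
    Packet("in", WEB, 80, LAN, 40001),             # reply to that connection
    Packet("in", OUTSIDER, 80, LAN, 40002),        # nobody on the LAN asked for this
]

def run(decide):
    return [decide(p) for p in SAMPLE]
```

The state table also illustrates the DoS remark above: every tracked flow costs memory, and this toy version never expires entries.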
A bastion host is a hardened system running firewall software.
Dual-homed firewalls have two NICs; multihomed firewalls have several.
A screened host is a firewall directly behind a perimeter router. A screened subnet is built when a second firewall is placed before any access to the LAN (the two firewalls form a DMZ between them, called the screened subnet).
A honeypot is a system that sits in the screened subnet and simulates a production system, so that an attacker will try to gain access to it and can be detected.