
Internet Infrastructure Components: A 10,000-Foot View

Learn how the Internet works, who administers it, and why it is inherently insecure. The Internet is still made up of a community of ISPs, enterprise networks, and home users, all tied together by a collection of consensus-led management organizations, technical protocols, and a few large but critical services (such as domain name servers). Even after recent technical advances, the Internet still utilizes the same inherently insecure TCP/IP infrastructure developed in the late 1970s and early 1980s, so security must be a critical consideration for businesses and home users.
This chapter is from the book

In This Chapter

  • Understanding and Connecting to the Internet

  • Transporting Information

  • Management of the Internet

  • What Makes the Internet (In)Secure?

  • Why Is the Internet Attractive to Businesses?

To connect to and utilize the Internet in a secure manner, the security practitioner must understand not just the "what" of the Internet, but also the "how." It is certainly possible to build a secure network by simply refusing to connect it to any others. Many very useful private networks such as this exist today; however, the users of these networks are cut off from all of the information resources and communication options that the Internet provides. It is fair to say that almost all commercial and federal organizations have decided that some form of connectivity to the Internet is worth having, from the "ma and pa" store with a single email account to large stock exchanges with redundant high-speed connections into hardened data centers. Even very sensitive government organizations such as the Central Intelligence Agency and the National Security Agency can be found utilizing the Internet.

Before plunging into the technical details of the Internet—packet-layer protocols, application-layer protocols, operating systems, applications, and security devices—let's take a 10,000-foot view of the most ubiquitous network on Earth. The Internet is the world's largest network based on the TCP/IP protocol; however, it is not merely a collection of routers and switches that move packets around the world at the speed of light (well, pretty fast, most of the time). This core set of transport and routing mechanisms is merely the glue that holds the rest of the Internet together. The "rest" is composed of the myriad servers, such as Web, mail, file, DNS, application, and transaction servers, that serve up everything from transactional experiences to the latest music video.

The Internet and its predecessors have been around for quite a while now. Students, scientists, engineers, computer specialists, and others have been emailing, exchanging files, and even chatting for several decades. It was the development of the Hypertext Transfer Protocol (HTTP) and Web browsers such as Mosaic and Netscape that brought the Internet into the average person's life, spurring the real growth in Internet service providers and online companies such as America Online, as well as infrastructure companies such as Cisco Systems.

The Internet is really as much about applications and the personal computers that they run on as it is about routers and fiber-optic cable. This said, it's still vitally important to understand what makes the Internet work and how it functions to effectively secure the protocols and applications that utilize its services. To that end, this chapter provides a high-level overview of the major components of the Internet. When you've developed an understanding of how this online world is built and organized, you will be ready to proceed into the more explicit details needed to design and implement a secure Web infrastructure. Details of specific security components and secure network design will be addressed in forthcoming chapters of this book.

Understanding and Connecting to the Internet

What we now call the Internet began as a government-funded network called the ARPANET (named after ARPA, the Department of Defense's Advanced Research Projects Agency, which is now known as DARPA). Actually, the government funded the original Internet "backbone," the core that connected all of the edge networks. The edge networks were owned and maintained by universities, research organizations, and government agencies, all interconnected by the ARPANET (and later the National Science Foundation–funded NSFnet) backbone. This internetworking of many IP networks through a core backbone gave rise to the popular term Internet. The modern Internet is built from a collection of privately built and operated backbone networks that are interconnected at major demarcation points around the world. The companies that own and provide access to these networks are called Internet service providers, or ISPs.

Internet Service Providers

ISPs come in many sizes. The "big names" in the industry—AT&T, MCI/UUNET, and others—operate global high-speed backbones. Smaller, regional-based ISPs might serve individual countries or states. Although they are less common than they were in the mid-1990s, many small ISPs also provide dial-up or specialized access to the Internet. This hierarchy of ISPs is illustrated in Figure 3.1.

Figure 3.1 Internet service provider hierarchy.

To get "on the Internet," the first thing you must do is contract with an ISP that provides physical access to the Internet. Nowadays, physical Internet access comes in many forms, with examples including these:

  • Dial-up modem—This access establishes low-speed connections (tens of kilobits per second, up to about 56Kbps) using an analog modem over a normal phone line.

  • ISDN—Integrated Services Digital Network, or ISDN, is a technology that never really caught on in the United States, although it had more success in some European countries. Narrowband ISDN provides two 64Kbps channels that can be used for voice, fax, or data. Some ISPs support ISDN and allow users to "strap" their two 64Kbps channels together to form a 128Kbps connection to the Internet.

  • DSL—Digital Subscriber Loop is an always-on "broadband" connection that also uses normal phone lines. The advanced technology allows the phone line to be used for both normal telephone conversations and full-time Internet access. High-speed data flows from the Internet to the end user, while a lower-speed connection is provided for outbound traffic. This type of "asymmetric" service works on the assumption that the typical consumer user spends a lot of time downloading information and actually sends very little data.

  • Cable modem—Cable television service providers have recently begun offering their own "broadband" Internet access. Like DSL, cable modems offer asymmetrical connections to the Internet, providing a high-speed download capability.

  • Satellite modem—Some satellite TV service providers offer "high-speed" downlink connections from the Internet. Like DSL and cable modem access, these connections are asymmetric and usually require that a dial-up modem be used for the client-to-provider uplink connection.

  • Frame Relay—In the commercial world, businesses often contract with ISPs that offer higher levels of service than consumer-grade Internet connections. Frame Relay is one technology that is used for permanent Internet connections ranging from several hundred kilobits to over a megabit per second of access.

  • T1/T3—The "T carriers" have been used within the telephone network for many years now and are convenient increments of bandwidth to sell to enterprise customers. A T1 runs at about 1.5Mbps, and a T3 runs at about 45Mbps.

  • OC3 and higher—High-speed fiber-optic links starting at 155Mbps are available to really serious users. Although some enterprise networks use these connections, this type of link more commonly is found within ISP backbones and in connections between ISPs.

  • Ethernet—Direct Ethernet connections, usually 100Mbps, are provided by ISPs that also provide server hosting. In these cases, a customer is provided physical "rack space" inside the provider's facilities in which to install things such as Web servers and database servers, and the ISP/hosting/colocation ("co-lo") company provides direct Ethernet connections into its backbone, along with high-availability power and a secure facility.

Regardless of the type of connection to the facility, an Internet connection provides a link into one of the ISP's local "points of presence" or POPs. For example, some dial-up providers have only a few POPs, all located within a small region to service a very local customer base. This means that you may "dial in" using only the local phone numbers that connect to the POPs in the local area. On the other hand, a larger ISP with national presence might have dial-up POPs in cities around the country or around the world. Because the POP ultimately connects to the ISP's backbone, it is possible for a customer to dial a local number wherever he travels to gain access to the ISP.

It also should be noted that many times the company that provides the physical connection to the network is not the same as the ISP. This is very common with DSL, in which one company (such as a phone carrier) provides the physical cable that runs into the facility, and another company provides the Internet connectivity. An example of this type of arrangement is illustrated in Figure 3.2. Similarly, most local cable companies partner with a national ISP to provide their cable modem service. The cable companies install the new equipment and fiber-optic lines in their system to handle the data connections to the end users, and the big ISP provides the high-speed IP backbone and connections to other backbones.

Figure 3.2 An example ISP.

What Does an ISP Provide?

The types of providers just described provide just a few simple things that are minimally required to "get on the Net":

  • Physical access to the Internet

  • An IP address (or set of addresses) that allows a device to send and receive packets

  • The IP address of one or more domain name servers, which act as a sort of telephone book for the Internet (more detail on this in a few pages)

Depending on the service contract given to the end-user customer, the ISP also might provide one or more of the following:

  • Email accounts (very common for consumer services)

  • Disk space for Web pages (also common for consumer services)

  • Security features, such as a firewall or intrusion monitoring

A home user is likely to want the email account and perhaps some space for a personal "vanity" Web page. On the other hand, an enterprise network might be more interested in getting highly reliable service with the intent of running its own mail and Web servers.

Security Implications of Choosing an ISP

The primary concerns for most people when they select an ISP are price and availability. The guaranteed "up time" of an Internet connection is of particular concern to many business customers, especially if they have a revenue stream that is derived from some online service. Security often comes up, but it is usually not a top priority. There is a good reason for this: Most ISPs provide little in the way of security services or guarantees. With most ISPs, you get a connection to the Internet—period. The exceptions to this statement usually are found in the server-hosting companies, which are geared toward providing a more complete Internet service solution. Clients of these providers can often choose à la carte security packages, such as firewalls or intrusion detection. We will describe both of these types of systems (and services) in subsequent chapters of this book.

ISPs often perform monitoring of their network, but that is usually to protect them from you, not to protect you from everyone else on the Internet. ISPs usually are quite concerned about whether their customers are living within the bounds of the acceptable use policy (AUP). For example, most ISPs geared toward home users do not allow software such as Web, file, or news servers to be run on the user's systems. Basically, most consumer Internet connections are provided so that the customer can get information, not provide it, and the providers who cater to this market have engineered their infrastructures to support that. Note that this is similar to the way that telephone companies engineer their networks for residential and business phone lines differently, based on their experience of how these two different types of customers use the network. The ISP monitors the network to make sure that you are living up to your end of the contract. Sometimes it will actively probe systems to see if the customer is running an unauthorized server. If the ISP discovers that a customer is not living within the rules set out in the AUP, that customer usually will be asked to cease those activities or move up to a more expensive service package geared for commercial users.

Furthermore, an ISP's monitoring might provide insight into whether any of its client's systems are being used to hack others. The ISP might be capable of detecting unusually large volumes of traffic coming from a system, or the ISP might run a more sophisticated security monitor called an intrusion-detection system, or IDS. Sometimes the ISP simply might receive a call from another person, company, or ISP on the Internet complaining about attacks coming from a computer for which the ISP provides connectivity.
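The simplest of the ISP-side checks mentioned above is spotting a customer host whose outbound volume suddenly dwarfs its own history. The following is an added example, not code from the book or from any ISP; it assumes flow records have already been rolled up into (customer IP, hour, bytes out) tuples, compares each host's latest hour with the median of its earlier hours, and requires an absolute byte floor so that a host with a near-zero baseline is not flagged for a trivial amount of traffic. The addresses and byte counts are constructed sample data.

```python
"""Added example (not from the book): flag customer hosts whose outbound
traffic in the latest hour jumps far above their own baseline, the kind of
crude volume check an ISP's monitoring might run over flow records.

Assumptions (not from the chapter): records are (customer_ip, hour, bytes_out)
tuples; the baseline is the median of the host's earlier hours; a host is
flagged only when the latest hour exceeds both `factor` times that baseline
and the absolute floor `min_bytes`.
"""
from collections import defaultdict
from statistics import median

# Constructed sample data (RFC 5737 documentation addresses), per-host
# outbound byte counts for five consecutive hours.
SAMPLE_HOURLY_BYTES = [
    # (customer_ip, hour, bytes_out)
    ("192.0.2.10", 0, 120_000), ("192.0.2.10", 1, 95_000), ("192.0.2.10", 2, 130_000),
    ("192.0.2.10", 3, 110_000), ("192.0.2.10", 4, 48_000_000),   # sudden outbound burst
    ("192.0.2.11", 0, 800_000), ("192.0.2.11", 1, 1_100_000), ("192.0.2.11", 2, 950_000),
    ("192.0.2.11", 3, 1_000_000), ("192.0.2.11", 4, 1_200_000),  # busy but steady
    ("192.0.2.12", 0, 0), ("192.0.2.12", 1, 0), ("192.0.2.12", 2, 0),
    ("192.0.2.12", 3, 0), ("192.0.2.12", 4, 50_000),              # small jump from a zero baseline
]


def group_by_host(records):
    """Return {ip: [bytes_out, ...]} with each host's series ordered by hour."""
    per_host = defaultdict(list)
    for ip, _hour, nbytes in sorted(records, key=lambda r: (r[0], r[1])):
        per_host[ip].append(nbytes)
    return per_host


def find_outbound_spikes(records, factor=10.0, min_bytes=10_000_000):
    """Return {ip: (latest_bytes, baseline_bytes)} for hosts whose latest hour
    is above `min_bytes` AND more than `factor` times the median of their
    earlier hours. The floor keeps a zero-baseline host from being flagged
    for a few kilobytes."""
    spikes = {}
    for ip, series in group_by_host(records).items():
        if len(series) < 2:          # nothing to compare against yet
            continue
        *history, latest = series
        baseline = median(history)
        if latest >= min_bytes and latest > factor * max(baseline, 1):
            spikes[ip] = (latest, baseline)
    return spikes


if __name__ == "__main__":
    for ip, (latest, base) in find_outbound_spikes(SAMPLE_HOURLY_BYTES).items():
        print(f"{ip}: {latest:,} bytes in the last hour vs. baseline {base:,.0f}")
```

Only 192.0.2.10 is reported: 192.0.2.11 moves a lot of data but never leaves its own range, and 192.0.2.12 jumps relative to a zero baseline but stays under the floor. A real monitor would use a longer history and per-protocol breakdowns, but the two-part test (relative to self, and above an absolute floor) is what keeps such a check from paging on every quiet host that wakes up.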

The fact to take away from the previous discussion is that the security measures of most ISPs are geared toward protecting themselves and providing their core service reliably, not preventing their customers from getting hacked. Their responsiveness to your security problems will vary from offering a few suggestions, to trying to help, to simply shutting off your connection until "you get your house in order." For example, if a customer is under a sustained denial-of-service attack, the ISP (perhaps working with other ISPs) could be the only entity that can track down the attacker(s). It also might be capable of filtering the offensive inbound traffic to reduce the severity of the attack. On the other hand, if the ISP discovers that your computer or network is the source of an attack (whether you purposefully are carrying out an attack or someone else has taken over your computer remotely), you might get a reaction ranging from a firm warning to a loss of your connection.

It is common for people to think that the type of connection they have offers some form of protection from the threats on the Internet. Most people seem to understand that if they have a 24 x 7 connection to the Internet, they are at some risk, while many dial-up users believe that because they are connected only for a little bit at a time, they are somehow less susceptible to attack.

The Threat on a Dial-Up Connection

We recently worked with a friend who owns a small law firm in the mid-Atlantic. He has a handful of employees whose computers are all configured as a Microsoft Windows Workgroup. One of these computers is used to dial out to an ISP and is online for several hours during the day. After being hit with a virus in the office, he started to wonder just how secure his network really was. As an experiment, we suggested that he load a free "personal firewall" program on his computer and let it collect logs of blocked activity for about a month. After a month, we looked at the log file and discovered several hundred probes from all over the world. He was surprised to find out that these probes came from not just the United States, but also countries such as Argentina, Australia, Belgium, China, France, Japan, Korea, Malaysia, Mexico, the Netherlands, Romania, Taiwan, and Turkey. A little more analysis revealed that these probes were designed to discover things such as the file sharing associated with his Windows network, any network applications he might be running that might be vulnerable to remote attack, and previously installed Trojan horse programs, such as Sub7.
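The review described above (a month of blocked-connection logs, grouped by where the probes came from and what they were looking for) is easy to automate. The following is an added example, not code from the book or from any firewall vendor. The log line format is constructed for this example; the port-to-category table uses well-known defaults (NetBIOS/SMB ports 137-139 and 445 for Windows file sharing, 27374 as the Sub7 default port); and the country lookup is a constructed /24 prefix table standing in for a real GeoIP database. All addresses come from the RFC 5737 documentation ranges.

```python
"""Added example (not from the book): parse a personal firewall's blocked-
connection log and summarise the probes by what they targeted, by source
country, and by source address.

Assumptions (not from the chapter): the log format below is constructed;
PORT_CATEGORY uses well-known default ports; PREFIX_COUNTRY is a constructed
stand-in for a GeoIP lookup.
"""
import re
from collections import Counter

# Constructed log format: "<date> <time> BLOCK <proto> <src>:<sport> -> <dst>:<dport>"
LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) BLOCK "
    r"(?P<proto>TCP|UDP) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Destination-port classification (assumption: well-known default ports).
PORT_CATEGORY = {
    137: "windows file sharing", 138: "windows file sharing",
    139: "windows file sharing", 445: "windows file sharing",
    27374: "trojan backdoor (Sub7 default port)",
    21: "network service (ftp)", 23: "network service (telnet)",
    80: "network service (http)",
}

# Constructed /24-prefix-to-country table in place of a GeoIP database.
PREFIX_COUNTRY = {
    "203.0.113": "country-A",
    "198.51.100": "country-B",
    "192.0.2": "country-C",
}

# Constructed sample log, including one malformed line the parser must skip.
SAMPLE_LOG = """\
2001-03-12 14:05:33 BLOCK TCP 203.0.113.45:4123 -> 192.0.2.10:139
2001-03-12 14:05:34 BLOCK TCP 203.0.113.45:4124 -> 192.0.2.10:445
2001-03-13 02:17:01 BLOCK TCP 198.51.100.7:1035 -> 192.0.2.10:27374
2001-03-14 09:44:10 BLOCK UDP 198.51.100.9:137 -> 192.0.2.10:137
2001-03-15 22:01:59 BLOCK TCP 203.0.113.200:3321 -> 192.0.2.10:80
2001-03-16 11:30:00 BLOCK TCP 203.0.113.45:4200 -> 192.0.2.10:21
this line is not a log entry and must be skipped
2001-03-17 05:12:45 BLOCK TCP 198.51.100.7:1090 -> 192.0.2.10:6000
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def country_of(ip):
    """Map a dotted-quad address to a country via its /24 prefix (constructed table)."""
    return PREFIX_COUNTRY.get(ip.rsplit(".", 1)[0], "unknown")


def summarize_probes(text):
    """Return Counters of blocked probes by target category, source country
    and source address, i.e. the three questions the log review answered."""
    by_category, by_country, by_source = Counter(), Counter(), Counter()
    for rec in parse_log(text):
        category = PORT_CATEGORY.get(rec["dport"], f"other (port {rec['dport']})")
        by_category[category] += 1
        by_country[country_of(rec["src"])] += 1
        by_source[rec["src"]] += 1
    return {"by_category": by_category, "by_country": by_country, "by_source": by_source}


if __name__ == "__main__":
    for name, counter in summarize_probes(SAMPLE_LOG).items():
        print(name)
        for key, n in counter.most_common():
            print(f"  {n:3d}  {key}")
```

Grouping by destination port is what turns "several hundred probes" into a statement about intent: repeated hits on 137-139 and 445 are looking for the Windows file sharing the law firm's workgroup exposes, and a hit on 27374 is checking for a previously installed Sub7 backdoor. The parser tolerates junk lines rather than aborting, which matters when reading a month of logs from a consumer product.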

To summarize, many factors go into selecting an ISP, including cost, reliability, and security. Commercial companies, in particular, should be sure to ask questions of their potential providers:

  • Do you perform any security monitoring that protects me?

  • If so, is it a standard feature or an option that costs more money?

  • Is there a security "hotline" that I can call if I am being attacked?

  • What services does the security staff provide?

  • Will you be actively probing my network for any reason?
