Fundamentals of computer networks

Syllabus content

Content   Additional Information

Define what a computer network is. (more..)

Discuss the benefits and risks of computer networks. (more..)


Describe the main types of computer network including:

  • Personal Area Network (PAN)
  • Local Area Network (LAN)
  • Wide Area Network (WAN).




PAN – only Bluetooth needs to be considered.

LAN – know that these usually cover relatively small geographical areas.

LAN – know that these are often owned and controlled/managed by a single person or organisation.

WAN – know that the Internet is the biggest example of a WAN.

WAN – know that these usually cover a wide geographic area.

WAN – know that these are often under collective or distributed ownership.

Understand that networks can be wired or wireless. Discuss the benefits and risks of wireless networks as opposed to wired networks. (more..)   Know that wired networks can use different types of cable such as fibre and copper and when each would be appropriate.

Explain the following common network topologies:

  • star
  • bus.


  Students should be able to draw topology diagrams and explain the differences between the two topologies. They should also be able to select the most appropriate topology for a given scenario.
Define the term ‘network protocol’. (more..)    

Explain the purpose and use of common network protocols including:

  • Ethernet
  • Wi-Fi
  • TCP (Transmission Control Protocol)
  • UDP (User Datagram Protocol)
  • IP (Internet Protocol)
  • HTTP (Hypertext Transfer Protocol)
  • HTTPS (Hypertext Transfer Protocol Secure)
  • FTP (File Transfer Protocol)
  • email protocols:
    • SMTP (Simple Mail Transfer Protocol)
    • IMAP (Internet Message Access Protocol).



Students should know what each protocol is used for (eg HTTPS provides an encrypted version of HTTP for more secure web transactions).

Students should understand that Ethernet is a family of related protocols rather than a single protocol. They do not need to know the individual protocols that make up the Ethernet family.

Students should understand that Wi-Fi is a family of related protocols rather than a single protocol. They do not need to know the individual protocols that make up the Wi-Fi family but they should know that Wi-Fi is a trademark and that the generic term for networks of this nature is WLAN.

Understand that computers use binary to represent all data and instructions. (more..)   Students should be familiar with the idea that a bit pattern could represent different types of data including text, image, sound and integer.
Understand the need for, and importance of, network security. (more..)    

Explain the following methods of network security:

  • authentication
  • encryption
  • firewall
  • MAC address filtering.



Students should be able to explain, using examples, what each of these security methods is and when each could be used.

Students should understand how these methods can work together to provide a greater level of security.

Students should understand that MAC address filtering allows devices to access, or be blocked from accessing a network based on their physical address embedded within the device’s network adapter.


Describe the 4 layer TCP/IP model:

  • application layer
  • transport layer
  • network layer
  • data link layer.

Understand that the HTTP, HTTPS, SMTP, IMAP and FTP protocols operate at the application layer.

Understand that the TCP and UDP protocols operate at the transport layer.

Understand that the IP protocol operates at the network layer.



Students should be able to name the layers and describe their main function(s) in a networking environment.

  • Application layer: this is where the network applications, such as web browsers or email programs, operate.
  • Transport layer: this layer sets up the communication between the two hosts and they agree settings such as ‘language’ and size of packets.
  • Network layer: addresses and packages data for transmission. Routes the packets across the network.
  • Data link layer: this is where the network hardware such as the NIC (network interface card) is located. OS device drivers also sit here.

Teachers should be aware that the network layer is sometimes referred to as the Internet layer and that the data link layer is sometimes referred to as the network interface layer. However, students will not be expected to know these alternative layer names.



What is a network?

The examiner expects you to be able to describe all of the features of a network, what possible topologies can be used, what security is required, the benefits and drawbacks and the reasons for establishing networks for small, medium and vast networks.

The first 1:25 is a spot of high quality waffle.


Computer Network Defined

computer network is a set of connected computers. Computers on a network are called nodes. The connection between computers can be done via cabling, most commonly the Ethernet cable, or wirelessly through radio waves. Connected computers can share resources, like access to the Internet, printers, file servers, and others. A network is a multipurpose connection, which allows a single computer to do more.

.. OR ..

In information technology, a computer network, also called a data network, is a series of points, or nodes, interconnected by communication paths for the purpose of transmitting, receiving and exchanging data, voice and video traffic.

.. OR ..

A number of computing devices connected together so that they can share data and resources.

The benefits and risk of networks

Advantages and disadvantages of networks


  • Sharing devices such as printers saves money.
  • Site (software) licences are likely to be cheaper than buying several standalone licences.
  • Files can easily be shared between users.
  • Network users can communicate by email and instant messenger.
  • Security is good - users cannot see other users' files unlike on stand-alone machines.
  • Data is easy to backup as all the data is stored on the file server.


  • Purchasing the network cabling and file servers can be expensive.
  • Managing a large network is complicated, requires training and a network manager usually needs to be employed.
  • If the file server breaks down the files on the file server become inaccessible.
  • Email might still work if it is on a separate server. The computers can still be used but are isolated.
  • Viruses can spread to other computers throughout a computer network.
  • There is a danger of hacking, particularly with wide area networks. Security procedures are needed to prevent such abuse, eg a firewall.

.. OR ..

The Advantages (Benefits) of Networking

You have undoubtedly heard the “the whole is greater than the sum of its parts”. This phrase describes networking very well, and explains why it has become so popular. A network isn't just a bunch of computers with wires running between them. Properly implemented, a network is a system that provides its users with unique capabilities, above and beyond what the individual machines and their software applications can provide.

Most of the benefits of networking can be divided into two generic categories: connectivity and sharing. Networks allow computers, and hence their users, to be connected together. They also allow for the easy sharing of information and resources, and cooperation between the devices in other ways. Since modern business depends so much on the intelligent flow and management of information, this tells you a lot about why networking is so valuable.

Here, in no particular order, are some of the specific advantages generally associated with networking:

  • Connectivity and Communication: Networks connect computers and the users of those computers. Individuals within a building or work group can be connected into local area networks (LANs); LANs in distant locations can be interconnected into larger wide area networks (WANs). Once connected, it is possible for network users to communicate with each other using technologies such as electronic mail. This makes the transmission of business (or non-business) information easier, more efficient and less expensive than it would be without the network.
  • Data Sharing: One of the most important uses of networking is to allow the sharing of data. Before networking was common, an accounting employee who wanted to prepare a report for her manager would have to produce it on his PC, put it on a floppy disk, and then walk it over to the manager, who would transfer the data to her PC's hard disk. (This sort of “shoe-based network” was sometimes sarcastically called a “sneakernet”.) True networking allows thousands of employees to share data much more easily and quickly than this. More so, it makes possible applications that rely on the ability of many people to access and share the same data, such as databases, group software development, and much more. Intranets and extranets can be used to distribute corporate information between sites and to business partners.
  • Hardware Sharing: Networks facilitate the sharing of hardware devices. For example, instead of giving each of 10 employees in a department an expensive color printer (or resorting to the “sneakernet” again), one printer can be placed on the network for everyone to share.
  • Internet Access: The Internet is itself an enormous network, so whenever you access the Internet, you are using a network. The significance of the Internet on modern society is hard to exaggerate, especially for those of us in technical fields.
  • Internet Access Sharing: Small computer networks allow multiple users to share a single Internet connection. Special hardware devices allow the bandwidth of the connection to be easily allocated to various individuals as they need it, and permit an organization to purchase one high-speed connection instead of many slower ones.
  • Data Security and Management: In a business environment, a network allows the administrators to much better manage the company's critical data. Instead of having this data spread over dozens or even hundreds of small computers in a haphazard fashion as their users create it, data can be centralized on shared servers. This makes it easy for everyone to find the data, makes it possible for the administrators to ensure that the data is regularly backed up, and also allows for the implementation of security measures to control who can read or change various pieces of critical information.
  • Performance Enhancement and Balancing: Under some circumstances, a network can be used to enhance the overall performance of some applications by distributing the computation tasks to various computers on the network.
  • Entertainment: Networks facilitate many types of games and entertainment. The Internet itself offers many sources of entertainment, of course. In addition, many multi-player games exist that operate over a local area network. Many home networks are set up for this reason, and gaming across wide area networks (including the Internet) has also become quite popular. Of course, if you are running a business and have easily-amused employees, you might insist that this is really a disadvantage of networking and not an advantage!

Key Concept: At a high level, networks are advantageous because they allow computers and people to be connected together, so they can share resources. Some of the specific benefits of networking include communication, data sharing, Internet access, data security and management, application performance enhancement, and entertainment.

.. OR ..

Benefits Of Computer Networking

Technically speaking networking can be defined as a bunch of computers that have with wires running in between them. If proper implementation of a network is done it acts as a system that provides unique capabilities, to its users. These are much beyond the abilities of individual machines and software applications associated with them.

The benefits networking offers to its users can be separated into two main groups i.e. sharing and connectivity. Networks make computers and their users capable of being connected together. This facilitates sharing of resources and information between the users. The modern businesses are expanded all over the world. So, uses and significance of networking has gained momentum during the last years. The many benefits that networking offers to us are:

  • Helps to enhance connectivity: Networks connect and link unlimited number of computers. This in turn connects the people using those computers. Individuals within a work group are connected through local area networks. Many LANs in far off locations are interconnected through larger wide area networks (WANs). These connections ease out communication between people using technologies like e-mail. Today e-mail has become the easiest, and cheapest mode of transformation of information between the users.
  • Networking helps in sharing of hardware: Networks help in sharing of different kinds of hardware devices. For example, sharing of a single printer in an office of twenty people is done through networking of wires. This saves lot of cost that could otherwise have incurred if twenty different printers were provided for each computer in use.
  • Eases out management of data: Networking provides the advantage of centralization of data from all the user systems to one system where it can be managed in an easy and better way. Administrators can thus manage all this data efficiently and in the best interest of the company. Even the access of this data becomes easy for the users.
  • Internet: The most beautiful gift of networking is internet that is massively used by people all over the world. Whenever you are accessing Internet, you are making use of a network. The benefits of internet need no mentioning. Thanks to the wonderful world of networking.
  • Data Sharing: Sharing of data through the use of networks helps save a lot of time and energy. It also facilitates the use of applications like databases that are based on ability of many individuals to access and to share exactly the same data.
  • Networking has promoted gaming: Many internet games like WOW accounts are being played by players all over the world using common servers. These give fun and enjoyment to people and also improve their skills.

Such are the varied benefits of networking to the people all over the world. The success of networking in providing benefits to people depends upon the frequency of its use. So, make the maximum out of this wonderful gift of technology to man.

.. OR ..

The BBC's new website has this.

The main types of networks

There are many ways to categorise a network, size, topolgy, complexity or by how it is used.

The traditional method is based on the size of the network,

  • Personal Area Network (PAN): the network used by a single person usually connected via Bluetooth.
  • Local Area Network (LAN): a network where all of the infrastructure is owned by the organisation.
  • Wide Area Network (WAN): where a portion of the infrastructure is owned by a third party.


The history of Bluetooth Wireless Technology dates all the way back to the 14th Century, drops by the 1940s, and really gets going in the 1990s.

Bluetooth Wireless Technology was invented by a group of scientists working for the Swedish company Ericsson in 1994.  Just four years later, a whole group of companies began to share the technology to enhance their own projects and help those products communicate better.  So, like a lot of very cool things in computing, Bluetooth Technology isn't 'owned' by any single entity.  

The Bluetooth logo, the core specification, and all testing and approval are conducted by the Bluetooth Special Interest Group, which is a group of companies and developers (currently more than 17000) dedicated to maintaining and improving Bluetooth Technology.

The radio technology that powers Bluetooth has its origins in secure portable radio communicators (such as walkie-talkies) developed by the miliary.  

The name 'Bluetooth' comes from the Middle Ages, and is named after King Harald I of Denmark, who's nickname was 'Bluetooth', supposedly because he liked blueberries so much they stained his teeth blue.  King Harald united the various Danish tribes into a single kingdom, and so the technology connects a lot of different devices.  The symbol is a bine rune made up of the initials of Harald's name.

PAN – only Bluetooth needs to be considered.

Activity - On the "PAN Technology" page draw and describe all of the possible technology that can form part of a PAN

LAN – know that these usually cover relatively small geographical areas.

LAN – know that these are often owned and controlled/managed by a single person or organisation.

WAN – know that the Internet is the biggest example of a WAN.

WAN – know that these usually cover a wide geographic area.

WAN – know that these are often under collective or distributed ownership.

Activity - What other types of networks can you discover?

Understand that networks can be wired or wireless. 

Understand that networks can be wired or wireless. Discuss the benefits and risks of wireless networks as opposed to wired networks.

Know that wired networks can use different types of cable such as fibre and copper and when each would be appropriate.

Wireless networking has many advantages to offer

According to Quadratek there are nine advantages to a wireless network. For those businesses where superfast speed and ultra secure methodology are not critically important, going wireless has many advantages to offer.


Increased mobility is by far the biggest attraction that wireless networking holds for most businesses. Being able to sit at any terminal, anywhere in the building and access the server is a great advantage.

When laptops were developed, because of the new mobility convenience factor that they brought within them, this gave added impetus to the advantages of being able to work anywhere within range of the wireless network signal.  It means that not only can employees now access information from the server, wherever they are in the premises, but it also enables colleagues to collaborate and share information in meetings held anywhere; either in a corner of the office, a bespoke meeting room, or even the staff canteen. It enables total mobility.


The increased mobility factor both enables and facilitates the Bring Your Own Device (BYOD) phenomenon, which more and more businesses are now taking advantage of. Laptops, Tablets, and Smartphones that belong to individual employees are now being brought into the workplace and are being given access rights to the wireless network. As well, as making it more convenient for employees to carry out their tasks, BYOD also represents a potential cost saving, as businesses no longer have to fund the hardware cost of the devices themselves.


Another important by-product of the increased mobility factor is that it promotes increased productivity, allowing employees to collaborate where and when they need to. It brings freedom of operation and speeds up the working process. But there is another factor too, and that is that employees take their device’s home with them, and can work, (as many do), in their own time when it’s convenient to do so.


Wireless networking has also gone into the public domain, with Wi-Fi hotspots being available in many high street coffee shops, hotels, railway stations, airports, universities, hospitals, etc. It enables people to get onto the Internet when they’re away from the office, or away from home. People can pick up their emails, both social and business, and if their place of work allows, can also connect into the business network remotely.


One of the inherent problems with a wired network is coping with expansion. Having to add additional cabling, and reroute existing cables, can be a disruptive and costly process. Whilst every company should plan ahead when installing a wired network, it is almost impossible to forecast future requirements accurately unless sound planning is carried out.

There’s no such problem with a wireless network. Being able to add new users is no more difficult than having to issue a new password, and update the server accordingly. It’s fast, and it’s relatively convenient. It also means that offices can be relocated within the building with consummate ease, furniture can be readily moved around, and, of course, employees can sit wherever they need to.

Not only is it so much more convenient to add new users to a wireless network, but it seldom involves any additional expenditure.


Having a wireless network also means that a business can provide secure network access to visiting colleagues from other sites within the organisation. It enables them to access the data they need and pick up and respond to their emails.

It also grants Internet access to visiting customers and suppliers. It’s now something that most business people who have reason to travel, have come to expect. It’s also how most public Wi-Fi hotspots grant Internet access to their guests.


Another one of the benefits of having a wireless network is that it can be used to make telephone calls using voice over Internet protocol. VoIP calls are often free, depending on the country and the devices you are calling, and are considerably cheaper than using conventional technology to make international calls.


Using wireless technology rather than having a hard wired network can be much more cost-effective. The larger the network, both in terms of area and users, the more expensive a hard wired network will be to install. It’s not just the amount of cabling, but the actual cost of the labour to install the raceways, and chase the cabling all through the premises; through walls, up and down different floors etc.

Once a wireless network is in place, and even if it costs a little more initially to install, maintenance costs are lower, and there are normally no additional costs involved in scaling up, unless the signal needs to be boosted.


Because there are no wires involved with a wireless connection, the potential risk of tripping over any trailing cables that wired connectivity requires, can be avoided altogether.

The BBC however notes some disadvantages.


  • cheap set-up costs
  • not tied down to a specific location
  • can connect multiple devices without the need for extra hardware
  • less disruption to the building due to no wires being installed


  • interference can occur
  • the connection is not as stable as wired networks and can 'drop off'
  • it will lose quality through walls or obstructions
  • more open to hacking
  • slower than wired networks

On the other hand Chron notes a number of advantages to wired networking.

Wi-Fi has its advantages in terms of flexibility and convenience, but it's also worth considering a wired network for connecting your office computers and devices. For some scenarios -- depending on how many computers you're working with, the office layout and other factors -- a wired network may make more sense than a wireless one.


As wired networks are connected by physically plugging in a cable from one device to another, it is much more difficult to access them without authorization. There is no opportunity for someone wandering past your office windows to hack into your wireless network, for example. There's no need to give out wireless access keys -- a device physically connected to the network is part of it. If you want to keep your network as closed and secure as possible, then a wired network is the way to go.


Wired networks bring with them a reliable, constant download and upload speed unaffected by the environment. As these networks are closed off and don't travel through the air, they aren't susceptible to fluctuations in speed or interference from other wireless devices. While the most recent 802.11ac Wi-Fi standard can theoretically achieve speeds of 1,000MB per second, older hardware isn't up to this standard -- 802.11n maxes out at 600MB/s. Gigabit Ethernet provides a stable, constant 1,000MB/s connection.

Ease of Use

The details depend on the computers and devices on your network, but broadly speaking, plugging an Ethernet cable into a laptop or printer is enough for it to recognize the network and get connected. There's no playing around with scanning for available networks, inputting security keys or trying to locate an area with a strong Wi-Fi signal. Ultimately how convenient this wired networking method is for your company depends on how well equipped your office is and the extent of the existing network cabling.


The fastest 802.11n Wi-Fi speed currently in widespread use can achieve a maximum range of 250 feet in the most ideal conditions, although substandard hardware, interference from other devices and physical obstacles such as walls and floors can substantially reduce this distance. Ethernet cabling, in contrast, can stretch up to 330 feet without any loss of quality. If you have a lot of floor space to cover, then a wired solution enables you to stretch your network further than a wireless one.

Cicso suggests five reasons to go wireless

Every minute counts in a small company and wireless networks are a powerful tool for boosting productivity and encouraging information sharing. With untethered access to documents, emails, applications and other network resources, employees can roam where they need to and have constant access to the tools required to do their jobs.

Here are some of the ways businesses are taking advantage of wireless LANs:

Increased mobility and collaboration

  • Roam without losing your connection
  • Work together more effectively

Employees who use your wireless LAN can roam around your office or to different floors without losing their connection. Imagine everyone in a team meeting or in small conferences having access to up-to-the minute communications, and all documents and applications on your network. Similarly, using Voice over Wireless LAN technology, they can have roaming capabilities in their voice communications.

Improved responsiveness

  • Connect to the information you need when you need it
  • Provide better customer service

Customers want quick response to queries and concerns. A wireless network can improve customer service by connecting staff to the information they need. For example, a doctor in a small medical office can access online patient files while moving between exam rooms, or a retail sales person can check on available inventory necessary to write up orders on the showroom floor.

Better access to information

  • Connect hard-to-reach areas
  • Improve your processes

Wireless LANs allow a business to bring network access to areas that would be difficult to connect to a wired network. For example, adding wireless access points to a warehouse can make it easier to check and manage inventory, providing the company with accurate inventory figures in real time.

Easier network expansion

  • Add users quickly
  • Grow your network cost-effectively

Companies that need to add employees or reconfigure offices frequently will immediately benefit from the flexibility wireless LANs provide. Desks can be moved and new employees can be added to the network without the effort and cost required to run cables and wires.

Enhanced guest access

  • Give secure network access to customers and business partners
  • Offer a value-added service

A wireless network allows your business to provide secure wireless access to the Internet for guests such as customers or business partners. Retailers, restaurants, hotels and other public-facing businesses can provide this as a unique value-added service.

An interesting Computer Weekly article "What are the pros and cons of wired and wireless connectivity? And what does the future hold for the corporate environment?" by Steve Evans states that the world around us is going wireless; we stream music and movies from our home PCs to any room in the house, we can play music from our phones on car stereos and we can go to any number of public places and hook up to the internet. But one place has stayed resolutely wired: the enterprise. Yes, many offices these days will have Wi-Fi but often it is reserved for senior management or visitors. Even if it is available for all workers, the connection is rarely the most reliable.

Benefits of wired connection

It is easy enough to see why enterprises want to remain wired – control and security, reliability and speed are the primary benefits of using physical connections. It is also relatively cost-effective, as the price of cabling – even at the lengths needed to cover an average office – is pretty cheap.

One great advantage of having a wired infrastructure, which seems particularly relevant in today’s mobile world, is the control it provides. If a physical connection is needed to access the corporate network, the business is in full control of who and what gets online. While this has obvious security benefits of keeping unauthorised visitors out of your network, it also means your network will not be overloaded with non-business critical traffic.

Another bonus with a wired connection is the speed and reliability they offer, way more so than a wireless infrastructure. For businesses that regularly need to move a lot of data around, a wired set-up is the best way to go.

Benefits of wireless connection

While a physical infrastructure may be good from a management point of view and offer cheap deployment, having all those wires running throughout a building can be costly and awkward to maintain. For example, if a business increases its workforce, all those new workers will need physical connections at their desk – connections that will need to be manually set up. Any breakages in the wired connection will also have to be manually fixed as there is no software solution to a broken Ethernet pin.

With the explosion in mobile devices over the last few years – Apple alone has sold around 100 million iPads since the tablet was introduced in 2010 – many workers are bringing their own devices into the office. It is vital these employees have access to the corporate network to get the most out of them, and that means giving them wireless access. As well as being able to use their own devices, wireless infrastructure means freedom to move around the office, from desk to desk or meeting room to meeting room.

A wireless network is also neater, getting rid of all those unsightly cables that usually run around an office.

Disadvantages of wireless connection

But while enabling workers to use their own devices at work, connect up with the corporate network and move around the building brings obvious productivity benefits, it also causes huge headaches for the IT department from a security point of view.

The threat of malware getting onto the corporate network via a compromised device is one particular issue. If the mobile or tablet is owned by the business, security is obviously easier to take care of – but employee-owned devices are another question, as most are not protected.

Prior to allowing workers to connect their personal device to the wireless network, it is important for a business to ensure employees are aware of the risks. Updating security policies to reflect changing ownership is one good step, but educating employees through initiatives such as workshops is vital.

There are other threats to a wireless enterprise. Your network will now extend beyond the physical walls of the office, giving attackers another potential route into the business. All that critical corporate data is now flying across the airwaves, and if your wireless network is not secured to the same extent as your wired infrastructure, it could very easily end up in the wrong hands.

This means elements such as authentication, intrusion detection, prevention, reporting and security event management (SEM) must be included in the security set-up of a wireless infrastructure. It is also worth pointing out more simple measures – such as changing the default SSID and password to a more secure one – can be very effective. 

Beyond the security implications there are other drawbacks to wireless connections. Speeds are much slower than with a wired connection and the signals can be affected by outside influences, such as walls and floors, as well as other electronic items.

Another issue is the range offered by wireless access points. Not only can these be limited in terms of how far the signal travels but the signal can also fade the further away from it you are. This means to ensure full, reliable coverage across a building, a business must install plenty of access points, driving up the cost of the installation.

Activity - Word process (on a single A4 page) an explanation of the benefits and drawbacks of wired and wireless networking, suggest the 4 key benefits and drawbacks of each form of networking and suggest (with reasons) which in your opinion is best.

Cable types

Cable Express give 5 reasons why IT professionals choose fibre optic cables instead of copper. Fibre or Copper: That's the cable question

When assessing which type of network cable you want to install, which type should you go with?

Copper has some advantages, including the fact that it already exists in many places and is less expensive to connect network devices. While fibre optic cables are more expensive, there are several advantages that make it a more enticing cable infrastructure solution than its copper counterpart.

5 reasons IT Pros Choose fibre Optic Cables

1. Fibre optic transmission is faster. Fibre optic versus copper wire transmission can be boiled down to the speed of photons versus the speed of electrons. While fibre optic cables don’t travel at the speed of light, they come very close—only about 31 percent slower. (True, but the speed of the cable is rearely the limiting factor in the speed of a network.)

2. Fibre optic transmission results in less attenuation. When traveling over a long distance, fibre optic cables experience less signal loss than copper cabling. This is called low attenuation. Copper cables can only transmit information up to 9,328 ft due to power loss, whereas fibre cables can travel between 984.2 ft to 24.8 miles. (Switches can extend the range of a cable to be as long as any fibre cable and don't forget that there are coper cables under the Atlantic that are more than 9000 feet long.)

3. Fibre optic cables are impervious to electromagnetic interference (EMI). Copper wires, if not properly installed, will produce electromagnetic currents that can interfere with other wires and wreak havoc on a network. fibre optic cables, unlike copper cables, do not conduct electricity. (If they are improperly installed?)

4. Light cannot catch on fire. An added benefit of fibre optic cables is that they are not a fire hazard. This can also be attributed to the same reason that the cables do not produce EMI—there is no electric current traveling through the core. (Copper doesn't burn either and if you include the correct mineral insulation it will put fires out.)

5. fibre optic cables do not break as easily. This means that you will not have to worry about replacing them as frequently as copper wires. Even though the fibre is made of glass, copper wires are more prone to damage than fibre optic cables are. (Fibre is a lot more fragile than copper has a greater bend radius and is prone to fracturing whereas copper can stretch.)

The Takeaway

So, there you have it - five good reasons why people choose fibre cables over copper cables. One could argue that many of the advantages of using fibre cables can lead to a greater ROI (Return On Investment). Keep this in mind when deciding whether to choose copper or fibre cabling. (Fibre is much more difficult to work and is far more expensive than copper.)

Copper vs Fibre

Pound For Pound, How Do They Measure Up?

Why Is the Fiber Optic Technology Better Than Copper?

How will fiber optics save the world?

Activity in two parts - firstly using the information provided, the links suggested and any information that you can discover on the Internet, compare and evaluate copper and fibre cables on a purely technical basis. Secondly, from a green, environmental perspective compare fibre and copper cables.

Explain the following common network topologies:

Explain the following common network topologies:

  • star
  • bus.

Students should be able to draw topology diagrams and explain the differences between the two topologies. They should also be able to select the most appropriate topology for a given scenario.

Bus network

In a bus network all the workstationsservers and printers are joined to one cable - 'the bus'. At each end of the cable a terminatoris fitted to stop signals reflecting back down the bus.


  • easy to install
  • cheap to install - it does not require much cabling


  • if the main cable fails or gets damaged, the whole network will fail
  • as more workstations are connected, the performance of the network will become slower because of data collisions
  • every workstation on the network 'sees' all of the data on the network, which can be a security risk

Ring network

In a ring network, each device (eg workstation, server, printer) is connected in a ring so each one is connected to two other devices. Each data packet on the network travels in one direction. Each device receives each packet in turn until the destination device receives it.


  • this type of network can transfer data quickly (even if there are a large number of devices connected) as data only flows in one direction so there won't be any data collisions


  • if the main cable fails or any device is faulty, then the whole network will fail - a serious problem in a company where communication is vital

Star network

In a star network, each device on the network has its own cable that connects to a switch or hub. This is the most popular way of setting up a LAN. You may find a star network in a small network of five or six computers where speed is a priority.


  • very reliable – if one cable or device fails, then all the others will continue to work
  • high performing as no data collisions can occur


  • expensive to install as this type of network uses the most cable, and network cable is expensive
  • extra hardware is required - hubs or switches - which add to the cost
  • if a hub or switch fails, all the devices connected to it will have no network connection

Define the term ‘network protocol’.

Network protocols are formal standards and policies comprised of rules, procedures and formats that define communication between two or more devices over a network. Network protocols govern the end-to-end processes of timely, secure and managed data or network communication.

Explain the purpose and use of common network protocols

Explain the purpose and use of common network protocols including:

  • Ethernet
  • Wi-Fi
  • TCP (Transmission Control Protocol)
  • UDP (User Datagram Protocol)
  • IP (Internet Protocol)
  • HTTP (Hypertext Transfer Protocol)
  • HTTPS (Hypertext Transfer Protocol Secure)
  • FTP (File Transfer Protocol)
  • email protocols:
    • SMTP (Simple Mail Transfer Protocol)
    • IMAP (Internet Message Access Protocol)

Students should know what each protocol is used for (eg HTTPS provides an encrypted version of HTTP for more secure web transactions).

Students should understand that Ethernet is a family of related protocols rather than a single protocol. They do not need to know the individual protocols that make up the Ethernet family.

Students should understand that Wi-Fi is a family of related protocols rather than a single protocol. They do not need to know the individual protocols that make up the Wi-Fi family but they should know that Wi-Fi is a trademark and that the generic term for networks of this nature is WLAN.


Understand that computers use binary to represent all data and instructions.

Students should be familiar with the idea that a bit pattern could represent different types of data including text, image, sound and integer.

Understand the need for, and importance of, network security.

What Is Network Security?


"Network security" refers to any activity designed to protect the usability and integrity of your network and data. It includes both hardware and software technologies. Effective network security manages access to the network. It targets a variety of threats and stops them from entering or spreading on your network.

Cisco are one of the major players in network security that you might have heard of.


The ISO/OSI Reference Model

The International Standards Organization (ISO) Open Systems Interconnect (OSI) Reference Model defines seven layers of communications types, and the interfaces among them. (See Figure 1.) Each layer depends on the services provided by the layer below it, all the way down to the physical network hardware, such as the computer's network interface card, and the wires that connect the cards together.

An easy way to look at this is to compare this model with something we use daily: the telephone. In order for you and I to talk when we're out of earshot, we need a device like a telephone. (In the ISO/OSI model, this is at the application layer.) The telephones, of course, are useless unless they have the ability to translate the sound into electronic pulses that can be transferred over wire and back again. (These functions are provided in layers below the application layer.) Finally, we get down to the physical connection: both must be plugged into an outlet that is connected to a switch that's part of the telephone system's network of switches.

If I place a call to you, I pick up the receiver, and dial your number. This number specifies which central office to which to send my request, and then which phone from that central office to ring. Once you answer the phone, we begin talking, and our session has begun. Conceptually, computer networks function exactly the same way.

It isn't important for you to memorize the ISO/OSI Reference Model's layers; but it's useful to know that they exist, and that each layer cannot work without the services provided by the layer below it.

What is the Internet?

The Internet is the world's largest network of networks . When you want to access the resources offered by the Internet, you don't really connect to the Internet; you connect to a network that is eventually connected to the Internet backbone , a network of extremely fast (and incredibly overloaded!) network components. This is an important point: the Internet is a network of networks  -- not a network of hosts.

A simple network can be constructed using the same protocols and such that the Internet uses without actually connecting it to anything else. Such a basic network is shown in Figure 3

Figure 3: A Simple Local Area Network
\begin{figure}  \begin{center}    \setlength {\unitlength}{0.00041700in}     \begingr...   ...ult}B}}}  \put(376,-661){\line( 1, 0){9000}}\end{picture}\end{center}\end{figure}

I might be allowed to put one of my hosts on one of my employer's networks. We have a number of networks, which are all connected together on a backbone , that is a network of our networks. Our backbone is then connected to other networks, one of which is to an Internet Service Provider(ISP) whose backbone is connected to other networks, one of which is the Internet backbone.

If you have a connection ``to the Internet'' through a local ISP, you are actually connecting your computer to one of their networks, which is connected to another, and so on. To use a service from my host, such as a web server, you would tell your web browser to connect to my host. Underlying services and protocols would send packets (small datagrams) with your query to your ISP's network, and then a network they're connected to, and so on, until it found a path to my employer's backbone, and to the exact network my host is on. My host would then respond appropriately, and the same would happen in reverse: packets would traverse all of the connections until they found their way back to your computer, and you were looking at my web page.

In Figure 4, the network shown in Figure 3 is designated ``LAN 1'' and shown in the bottom-right of the picture. This shows how the hosts on that network are provided connectivity to other hosts on the same LAN, within the same company, outside of the company, but in the same ISP cloud , and then from another ISP somewhere on the Internet.

Figure 4: A Wider View of Internet-connected Networks
\begin{figure}  \begin{center}    \setlength {\unitlength}{0.00041700in}     \begingr...}}}  \put(7651,-7036){\line( 1, 0){4304}}\end{picture}\end{center}\end{figure}

The Internet is made up of a wide variety of hosts, from supercomputers to personal computers, including every imaginable type of hardware and software. How do all of these computers understand each other and work together?

TCP/IP: The Language of the Internet

TCP/IP (Transport Control Protocol/Internet Protocol) is the ``language'' of the Internet. Anything that can learn to ``speak TCP/IP'' can play on the Internet. This is functionality that occurs at the Network (IP) and Transport (TCP) layers in the ISO/OSI Reference Model. Consequently, a host that has TCP/IP functionality (such as Unix, OS/2, MacOS, or Windows NT) can easily support applications (such as Netscape's Navigator) that uses the network.

Open Design

One of the most important features of TCP/IP isn't a technological one: The protocol is an ``open'' protocol, and anyone who wishes to implement it may do so freely. Engineers and scientists from all over the world participate in the IETF (Internet Engineering Task Force) working groups that design the protocols that make the Internet work. Their time is typically donated by their companies, and the result is work that benefits everyone.


As noted, IP is a ``network layer'' protocol. This is the layer that allows the hosts to actually ``talk'' to each other. Such things as carrying datagrams, mapping the Internet address (such as to a physical network address (such as 08:00:69:0a:ca:8f), and routing, which takes care of making sure that all of the devices that have Internet connectivity can find the way to each other.

Understanding IP

IP has a number of very important features which make it an extremely robust and flexible protocol. For our purposes, though, we're going to focus on the security of IP, or more specifically, the lack thereof.

Attacks Against IP

A number of attacks against IP are possible. Typically, these exploit the fact that IP does not perform a robust mechanism for authentication , which is proving that a packet came from where it claims it did. A packet simply claims to originate from a given address, and there isn't a way to be sure that the host that sent the packet is telling the truth. This isn't necessarily a weakness, per se , but it is an important point, because it means that the facility of host authentication has to be provided at a higher layer on the ISO/OSI Reference Model. Today, applications that require strong host authentication (such as cryptographic applications) do this at the application layer.

IP Spoofing.

This is where one host claims to have the IP address of another. Since many systems (such as router access control lists) define which packets may and which packets may not pass based on the sender's IP address, this is a useful technique to an attacker: he can send packets to a host, perhaps causing it to take some sort of action.

Additionally, some applications allow login based on the IP address of the person making the request (such as the Berkeley r-commands )[2]. These are both good examples how trusting untrustable layers can provide security that is -- at best -- weak.

IP Session Hijacking.

This is a relatively sophisticated attack, first described by Steve Bellovin [3]. This is very dangerous, however, because there are now toolkits available in the underground community that allow otherwise unskilled bad-guy-wannabes to perpetrate this attack. IP Session Hijacking is an attack whereby a user's session is taken over, being in the control of the attacker. If the user was in the middle of email, the attacker is looking at the email, and then can execute any commands he wishes as the attacked user. The attacked user simply sees his session dropped, and may simply login again, perhaps not even noticing that the attacker is still logged in and doing things.

For the description of the attack, let's return to our large network of networks in Figure 4. In this attack, a user on host A is carrying on a session with host G. Perhaps this is a telnet session, where the user is reading his email, or using a Unix shell account from home. Somewhere in the network between A and G sits host H which is run by a naughty person. The naughty person on host H watches the traffic between A and G, and runs a tool which starts to impersonate A to G, and at the same time tells A to shut up, perhaps trying to convince it that G is no longer on the net (which might happen in the event of a crash, or major network outage). After a few seconds of this, if the attack is successful, naughty person has ``hijacked'' the session of our user. Anything that the user can do legitimately can now be done by the attacker, illegitimately. As far as G knows, nothing has happened.

This can be solved by replacing standard telnet-type applications with encrypted versions of the same thing. In this case, the attacker can still take over the session, but he'll see only ``gibberish'' because the session is encrypted. The attacker will not have the needed cryptographic key(s) to decrypt the data stream from G, and will, therefore, be unable to do anything with the session.


TCP is a transport-layer protocol. It needs to sit on top of a network-layer protocol, and was designed to ride atop IP. (Just as IP was designed to carry, among other things, TCP packets.) Because TCP and IP were designed together and wherever you have one, you typically have the other, the entire suite of Internet protocols are known collectively as ``TCP/IP.'' TCP itself has a number of important features that we'll cover briefly.

Guaranteed Packet Delivery

Probably the most important is guaranteed packet delivery. Host A sending packets to host B expects to get acknowledgments back for each packet. If B does not send an acknowledgment within a specified amount of time, A will resend the packet.

Applications on host B will expect a data stream from a TCP session to be complete, and in order. As noted, if a packet is missing, it will be resent by A, and if packets arrive out of order, B will arrange them in proper order before passing the data to the requesting application.

This is suited well toward a number of applications, such as a telnet session. A user wants to be sure every keystroke is received by the remote host, and that it gets every packet sent back, even if this means occasional slight delays in responsiveness while a lost packet is resent, or while out-of-order packets are rearranged.

It is not suited well toward other applications, such as streaming audio or video, however. In these, it doesn't really matter if a packet is lost (a lost packet in a stream of 100 won't be distinguishable) but it does matter if they arrive late (i.e., because of a host resending a packet presumed lost), since the data stream will be paused while the lost packet is being resent. Once the lost packet is received, it will be put in the proper slot in the data stream, and then passed up to the application.


UDP (User Datagram Protocol) is a simple transport-layer protocol. It does not provide the same features as TCP, and is thus considered ``unreliable.'' Again, although this is unsuitable for some applications, it does have much more applicability in other applications than the more reliable and robust TCP.

Lower Overhead than TCP

One of the things that makes UDP nice is its simplicity. Because it doesn't need to keep track of the sequence of packets, whether they ever made it to their destination, etc., it has lower overhead than TCP. This is another reason why it's more suited to streaming-data applications: there's less screwing around that needs to be done with making sure all the packets are there, in the right order, and that sort of thing.

Risk Management: The Game of Security

It's very important to understand that in security, one simply cannot say ``what's the best firewall?'' There are two extremes: absolute security and absolute access. The closest we can get to an absolutely secure machine is one unplugged from the network, power supply, locked in a safe, and thrown at the bottom of the ocean. Unfortunately, it isn't terribly useful in this state. A machine with absolute access is extremely convenient to use: it's simply there, and will do whatever you tell it, without questions, authorization, passwords, or any other mechanism. Unfortunately, this isn't terribly practical, either: the Internet is a bad neighborhood now, and it isn't long before some bonehead will tell the computer to do something like self-destruct, after which, it isn't terribly useful to you.

This is no different from our daily lives. We constantly make decisions about what risks we're willing to accept. When we get in a car and drive to work, there's a certain risk that we're taking. It's possible that something completely out of control will cause us to become part of an accident on the highway. When we get on an airplane, we're accepting the level of risk involved as the price of convenience. However, most people have a mental picture of what an acceptable risk is, and won't go beyond that in most circumstances. If I happen to be upstairs at home, and want to leave for work, I'm not going to jump out the window. Yes, it would be more convenient, but the risk of injury outweighs the advantage of convenience.

Every organization needs to decide for itself where between the two extremes of total security and total access they need to be. A policy needs to articulate this, and then define how that will be enforced with practices and such. Everything that is done in the name of security, then, must enforce that policy uniformly.

Types And Sources Of Network Threats

Now, we've covered enough background information on networking that we can actually get into the security aspects of all of this. First of all, we'll get into the types of threats there are against networked computers, and then some things that can be done to protect yourself against various threats.


DoS (Denial-of-Service) attacks are probably the nastiest, and most difficult to address. These are the nastiest, because they're very easy to launch, difficult (sometimes impossible) to track, and it isn't easy to refuse the requests of the attacker, without also refusing legitimate requests for service.

The premise of a DoS attack is simple: send more requests to the machine than it can handle. There are toolkits available in the underground community that make this a simple matter of running a program and telling it which host to blast with requests. The attacker's program simply makes a connection on some service port, perhaps forging the packet's header information that says where the packet came from, and then dropping the connection. If the host is able to answer 20 requests per second, and the attacker is sending 50 per second, obviously the host will be unable to service all of the attacker's requests, much less any legitimate requests (hits on the web site running there, for example).

Such attacks were fairly common in late 1996 and early 1997, but are now becoming less popular. Some things that can be done to reduce the risk of being stung by a denial of service attack include

  • Not running your visible-to-the-world servers at a level too close to capacity
  • Using packet filtering to prevent obviously forged packets from entering into your network address space.

Obviously forged packets would include those that claim to come from your own hosts, addresses reserved for private networks as defined in RFC 1918 [4], and the loopback network (

  • Keeping up-to-date on security-related patches for your hosts' operating systems.

Unauthorized Access

``Unauthorized access'' is a very high-level term that can refer to a number of different sorts of attacks. The goal of these attacks is to access some resource that your machine should not provide the attacker. For example, a host might be a web server, and should provide anyone with requested web pages. However, that host should not provide command shell access without being sure that the person making such a request is someone who should get it, such as a local administrator.

Executing Commands Illicitly

It's obviously undesirable for an unknown and untrusted person to be able to execute commands on your server machines. There are two main classifications of the severity of this problem: normal user access, and administrator access. A normal user can do a number of things on a system (such as read files, mail them to other people, etc.) that an attacker should not be able to do. This might, then, be all the access that an attacker needs. On the other hand, an attacker might wish to make configuration changes to a host (perhaps changing its IP address, putting a start-up script in place to cause the machine to shut down every time it's started, or something similar). In this case, the attacker will need to gain administrator privileges on the host.

Confidentiality Breaches

We need to examine the threat model: what is it that you're trying to protect yourself against? There is certain information that could be quite damaging if it fell into the hands of a competitor, an enemy, or the public. In these cases, it's possible that compromise of a normal user's account on the machine can be enough to cause damage (perhaps in the form of PR, or obtaining information that can be used against the company, etc.)

While many of the perpetrators of these sorts of break-ins are merely thrill-seekers interested in nothing more than to see a shell prompt for your computer on their screen, there are those who are more malicious, as we'll consider next. (Additionally, keep in mind that it's possible that someone who is normally interested in nothing more than the thrill could be persuaded to do more: perhaps an unscrupulous competitor is willing to hire such a person to hurt you.)

Destructive Behavior

Among the destructive sorts of break-ins and attacks, there are two major categories.

Data Diddling.

The data diddler is likely the worst sort, since the fact of a break-in might not be immediately obvious. Perhaps he's toying with the numbers in your spreadsheets, or changing the dates in your projections and plans. Maybe he's changing the account numbers for the auto-deposit of certain paychecks. In any case, rare is the case when you'll come in to work one day, and simply know that something is wrong. An accounting procedure might turn up a discrepancy in the books three or four months after the fact. Trying to track the problem down will certainly be difficult, and once that problem is discovered, how can any of your numbers from that time period be trusted? How far back do you have to go before you think that your data is safe?

Data Destruction.

Some of those perpetrate attacks are simply twisted jerks who like to delete things. In these cases, the impact on your computing capability -- and consequently your business -- can be nothing less than if a fire or other disaster caused your computing equipment to be completely destroyed.

Where Do They Come From?

How, though, does an attacker gain access to your equipment? Through any connection that you have to the outside world. This includes Internet connections, dial-up modems, and even physical access. (How do you know that one of the temps that you've brought in to help with the data entry isn't really a system cracker looking for passwords, data phone numbers, vulnerabilities and anything else that can get him access to your equipment?)

In order to be able to adequately address security, all possible avenues of entry must be identified and evaluated. The security of that entry point must be consistent with your stated policy on acceptable risk levels.

Lessons Learned

From looking at the sorts of attacks that are common, we can divine a relatively short list of high-level practices that can help prevent security disasters, and to help control the damage in the event that preventative measures were unsuccessful in warding off an attack.

Hope you have backups

This isn't just a good idea from a security point of view. Operational requirements should dictate the backup policy, and this should be closely coordinated with a disaster recovery plan, such that if an airplane crashes into your building one night, you'll be able to carry on your business from another location. Similarly, these can be useful in recovering your data in the event of an electronic disaster: a hardware failure, or a breakin that changes or otherwise damages your data.

Don't put data where it doesn't need to be

Although this should go without saying, this doesn't occur to lots of folks. As a result, information that doesn't need to be accessible from the outside world sometimes is, and this can needlessly increase the severity of a break-in dramatically.

Avoid systems with single points of failure

Any security system that can be broken by breaking through any one component isn't really very strong. In security, a degree of redundancy is good, and can help you protect your organization from a minor security breach becoming a catastrophe.

Stay current with relevant operating system patches

Be sure that someone who knows what you've got is watching the vendors' security advisories. Exploiting old bugs is still one of the most common (and most effective!) means of breaking into systems.

Watch for relevant security advisories

In addition to watching what the vendors are saying, keep a close watch on groups like CERT and CIAC. Make sure that at least one person (preferably more) is subscribed to these mailing lists

Have someone on staff be familiar with security practices

Having at least one person who is charged with keeping abreast of security developments is a good idea. This need not be a technical wizard, but could be someone who is simply able to read advisories issued by various incident response teams, and keep track of various problems that arise. Such a person would then be a wise one to consult with on security related issues, as he'll be the one who knows if web server software version such-and-such has any known problems, etc.

This person should also know the ``dos'' and ``don'ts'' of security, from reading such things as the ``Site Security Handbook.''[5]


As we've seen in our discussion of the Internet and similar networks, connecting an organization to the Internet provides a two-way flow of traffic. This is clearly undesirable in many organizations, as proprietary information is often displayed freely within a corporate intranet (that is, a TCP/IP network, modeled after the Internet that only works within the organization).

In order to provide some level of separation between an organization's intranet and the Internet, firewalls have been employed. A firewall is simply a group of components that collectively form a barrier between two networks.

A number of terms specific to firewalls and networking are going to be used throughout this section, so let's introduce them all together.

Bastion host.

A general-purpose computer used to control access between the internal (private) network (intranet) and the Internet (or any other untrusted network). Typically, these are hosts running a flavor of the Unix operating system that has been customized in order to reduce its functionality to only what is necessary in order to support its functions. Many of the general-purpose features have been turned off, and in many cases, completely removed, in order to improve the security of the machine.


A special purpose computer for connecting networks together. Routers also handle certain functions, such as routing , or managing the traffic on the networks they connect.

Access Control List (ACL).

Many routers now have the ability to selectively perform their duties, based on a number of facts about a packet that comes to it. This includes things like origination address, destination address, destination service port, and so on. These can be employed to limit the sorts of packets that are allowed to come in and go out of a given network.

Demilitarized Zone (DMZ).

The DMZ is a critical part of a firewall: it is a network that is neither part of the untrusted network, nor part of the trusted network. But, this is a network that connects the untrusted to the trusted. The importance of a DMZ is tremendous: someone who breaks into your network from the Internet should have to get through several layers in order to successfully do so. Those layers are provided by various components within the DMZ.


This is the process of having one host act in behalf of another. A host that has the ability to fetch documents from the Internet might be configured as a proxy server , and host on the intranet might be configured to be proxy clients . In this situation, when a host on the intranet wishes to fetch the <> web page, for example, the browser will make a connection to the proxy server, and request the given URL. The proxy server will fetch the document, and return the result to the client. In this way, all hosts on the intranet are able to access resources on the Internet without having the ability to direct talk to the Internet.

Types of Firewalls

There are three basic types of firewalls, and we'll consider each of them.

Application Gateways

The first firewalls were application gateways, and are sometimes known as proxy gateways. These are made up of bastion hosts that run special software to act as a proxy server. This software runs at the Application Layer of our old friend the ISO/OSI Reference Model, hence the name. Clients behind the firewall must be proxitized (that is, must know how to use the proxy, and be configured to do so) in order to use Internet services. Traditionally, these have been the most secure, because they don't allow anything to pass by default, but need to have the programs written and turned on in order to begin passing traffic.

Figure 5: A sample application gateway
\begin{figure}  \begin{center}    \setlength {\unitlength}{0.00041700in}     \begingr...   ...{375}}  \put(2926,-961){\vector( 0, 1){675}}\end{picture}\end{center}\end{figure}

These are also typically the slowest, because more processes need to be started in order to have a request serviced. Figure 5 shows a application gateway.

Packet Filtering

Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on. By default, a router will pass all traffic sent it, and will do so without any sort of restrictions. Employing ACLs is a method for enforcing your security policy with regard to what sorts of access you allow the outside world to have to your internal network, and vice versa.

There is less overhead in packet filtering than with an application gateway, because the feature of access control is performed at a lower ISO/OSI layer (typically, the transport or session layer). Due to the lower overhead and the fact that packet filtering is done with routers, which are specialized computers optimized for tasks related to networking, a packet filtering gateway is often much faster than its application layer cousins. Figure 6 shows a packet filtering gateway.

Because we're working at a lower level, supporting new applications either comes automatically, or is a simple matter of allowing a specific packet type to pass through the gateway. (Not that the possibility of something automatically makes it a good idea; opening things up this way might very well compromise your level of security below what your policy allows.)

There are problems with this method, though. Remember, TCP/IP has absolutely no means of guaranteeing that the source address is really what it claims to be. As a result, we have to use layers of packet filters in order to localize the traffic. We can't get all the way down to the actual host, but with two layers of packet filters, we can differentiate between a packet that came from the Internet and one that came from our internal network. We can identify which network the packet came from with certainty, but we can't get more specific than that.

Hybrid Systems

In an attempt to marry the security of the application layer gateways with the flexibility and speed of packet filtering, some vendors have created systems that use the principles of both.

Figure 6: A sample packet filtering gateway
\begin{figure}  \begin{center}    \setlength {\unitlength}{0.00041700in}     \begingr...   ...{525}}  \put(2926,-961){\vector( 0, 1){675}}\end{picture}\end{center}\end{figure}

In some of these systems, new connections must be authenticated and approved at the application layer. Once this has been done, the remainder of the connection is passed down to the session layer, where packet filters watch the connection to ensure that only packets that are part of an ongoing (already authenticated and approved) conversation are being passed.

Other possibilities include using both packet filtering and application layer proxies. The benefits here include providing a measure of protection against your machines that provide services to the Internet (such as a public web server), as well as provide the security of an application layer gateway to the internal network. Additionally, using this method, an attacker, in order to get to services on the internal network, will have to break through the access router, the bastion host, and the choke router.

So, what's best for me?

Lots of options are available, and it makes sense to spend some time with an expert, either in-house, or an experienced consultant who can take the time to understand your organization's security policy, and can design and build a firewall architecture that best implements that policy. Other issues like services required, convenience, and scalability might factor in to the final design.

Some Words of Caution

The business of building firewalls is in the process of becoming a commodity market. Along with commodity markets come lots of folks who are looking for a way to make a buck without necessarily knowing what they're doing. Additionally, vendors compete with each other to try and claim the greatest security, the easiest to administer, and the least visible to end users. In order to try to quantify the potential security of firewalls, some organizations have taken to firewall certifications. The certification of a firewall means nothing more than the fact that it can be configured in such a way that it can pass a series of tests. Similarly, claims about meeting or exceeding U.S. Department of Defense ``Orange Book'' standards, C-2, B-1, and such all simply mean that an organization was able to configure a machine to pass a series of tests. This doesn't mean that it was loaded with the vendor's software at the time, or that the machine was even usable. In fact, one vendor has been claiming their operating system is ``C-2 Certified'' didn't make mention of the fact that their operating system only passed the C-2 tests without being connected to any sort of network devices.

Such gauges as market share, certification, and the like are no guarantees of security or quality. Taking a little bit of time to talk to some knowledgeable folks can go a long way in providing you a comfortable level of security between your private network and the big, bad Internet.

Additionally, it's important to note that many consultants these days have become much less the advocate of their clients, and more of an extension of the vendor. Ask any consultants you talk to about their vendor affiliations, certifications, and whatnot. Ask what difference it makes to them whether you choose one product over another, and vice versa. And then ask yourself if a consultant who is certified in technology XYZ is going to provide you with competing technology ABC, even if ABC best fits your needs.

Single Points of Failure

Many ``firewalls'' are sold as a single component: a bastion host, or some other black box that you plug your networks into and get a warm-fuzzy, feeling safe and secure. The term ``firewall'' refers to a number of components that collectively provide the security of the system. Any time there is only one component paying attention to what's going on between the internal and external networks, an attacker has only one thing to break (or fool!) in order to gain complete access to your internal

Secure Network Devices

It's important to remember that the firewall is only one entry point to your network. Modems, if you allow them to answer incoming calls, can provide an easy means for an attacker to sneak around (rather than through ) your front door (or, firewall). Just as castles weren't built with moats only in the front, your network needs to be protected at all of its entry points.

Secure Modems; Dial-Back Systems

If modem access is to be provided, this should be guarded carefully. The terminal server , or network device that provides dial-up access to your network needs to be actively administered, and its logs need to be examined for strange behavior. Its passwords need to be strong -- not ones that can be guessed. Accounts that aren't actively used should be disabled. In short, it's the easiest way to get into your network from remote: guard it carefully.

There are some remote access systems that have the feature of a two-part procedure to establish a connection. The first part is the remote user dialing into the system, and providing the correct userid and password. The system will then drop the connection, and call the authenticated user back at a known telephone number. Once the remote user's system answers that call, the connection is established, and the user is on the network. This works well for folks working at home, but can be problematic for users wishing to dial in from hotel rooms and such when on business trips.

Other possibilities include one-time password schemes, where the user enters his userid, and is presented with a ``challenge,'' a string of between six and eight numbers. He types this challenge into a small device that he carries with him that looks like a calculator. He then presses enter, and a ``response'' is displayed on the LCD screen. The user types the response, and if all is correct, he login will proceed. These are useful devices for solving the problem of good passwords, without requiring dial-back access. However, these have their own problems, as they require the user to carry them, and they must be tracked, much like building and office keys.

No doubt many other schemes exist. Take a look at your options, and find out how what the vendors have to offer will help you enforce your security policy effectively.

Crypto-Capable Routers

A feature that is being built into some routers is the ability to use session encryption between specified routers. Because traffic traveling across the Internet can be seen by people in the middle who have the resources (and time) to snoop around, these are advantageous for providing connectivity between two sites, such that there can be secure routes.

Virtual Private Networks

Given the ubiquity of the Internet, and the considerable expense in private leased lines, many organizations have been building VPNs (Virtual Private Networks). Traditionally, for an organization to provide connectivity between a main office and a satellite one, an expensive data line had to be leased in order to provide direct connectivity between the two offices. Now, a solution that is often more economical is to provide both offices connectivity to the Internet. Then, using the Internet as the medium, the two offices can communicate.

The danger in doing this, of course, is that there is no privacy on this channel, and it's difficult to provide the other office access to ``internal'' resources without providing those resources to everyone on the Internet.

VPNs provide the ability for two offices to communicate with each other in such a way that it looks like they're directly connected over a private leased line. The session between them, although going over the Internet, is private (because the link is encrypted), and the link is convenient, because each can see each others' internal resources without showing them off to the entire world.

A number of firewall vendors are including the ability to build VPNs in their offerings, either directly with their base product, or as an add-on. If you have need to connect several offices together, this might very well be the best way to do it.


Security is a very difficult topic. Everyone has a different idea of what ``security'' is, and what levels of risk are acceptable. The key for building a secure network is to define what security means to your organization . Once that has been defined, everything that goes on with the network can be evaluated with respect to that policy. Projects and systems can then be broken down into their components, and it becomes much simpler to decide whether what is proposed will conflict with your security policies and practices.

Many people pay great amounts of lip service to security, but do not want to be bothered with it when it gets in their way. It's important to build systems and networks in such a way that the user is not constantly reminded of the security system around him. Users who find security policies and systems too restrictive will find ways around them. It's important to get their feedback to understand what can be improved, and it's important to let them know why what's been done has been, the sorts of risks that are deemed unacceptable, and what has been done to minimize the organization's exposure to them.

Security is everybody's business, and only with everyone's cooperation, an intelligent policy, and consistent practices, will it be achievable.

Here is the link to a very detailed glossary of network security terms.

Types of network security according to Cisco

Access control

Not every user should have access to your network. To keep out potential attackers, you need to recognize each user and each device. Then you can enforce your security policies. You can block noncompliant endpoint devices or give them only limited access. This process is network access control (NAC).

Antivirus and antimalware software

"Malware," short for "malicious software," includes viruses, worms, Trojans, ransomware, and spyware. Sometimes malware will infect a network but lie dormant for days or even weeks. The best antimalware programs not only scan for malware upon entry, but also continuously track files afterward to find anomalies, remove malware, and fix damage.

Application security

Any software you use to run your business needs to be protected, whether your IT staff builds it or whether you buy it. Unfortunately, any application may contain holes, or vulnerabilities, that attackers can use to infiltrate your network. Application security encompasses the hardware, software, and processes you use to close those holes.

Behavioral analytics

To detect abnormal network behavior, you must know what normal behavior looks like. Behavioral analytics tools automatically discern activities that deviate from the norm. Your security team can then better identify indicators of compromise that pose a potential problem and quickly remediate threats.

Data loss prevention

Organizations must make sure that their staff does not send sensitive information outside the network. Data loss prevention, or DLP, technologies can stop people from uploading, forwarding, or even printing critical information in an unsafe manner.

Email security

Email gateways are the number one threat vector for a security breach. Attackers use personal information and social engineering tactics to build sophisticated phishing campaigns to deceive recipients and send them to sites serving up malware. An email security application blocks incoming attacks and controls outbound messages to prevent the loss of sensitive data.


Firewalls put up a barrier between your trusted internal network and untrusted outside networks, such as the Internet. They use a set of defined rules to allow or block traffic. A firewall can be hardware, software, or both. Cisco offers unified threat management (UTM) devices and threat-focused next-generation firewalls.

More about firewalls

An intrusion prevention system (IPS) scans network traffic to actively block attacks. Cisco Next-Generation IPS (NGIPS) appliances do this by correlating huge amounts of global threat intelligence to not only block malicious activity but also track the progression of suspect files and malware across the network to prevent the spread of outbreaks and reinfection.

Mobile device security

Cybercriminals are increasingly targeting mobile devices and apps. Within the next 3 years, 90 percent of IT organizations may support corporate applications on personal mobile devices. Of course, you need to control which devices can access your network. You will also need to configure their connections to keep network traffic private.

Network segmentation

Software-defined segmentation puts network traffic into different classifications and makes enforcing security policies easier. Ideally, the classifications are based on endpoint identity, not mere IP addresses. You can assign access rights based on role, location, and more so that the right level of access is given to the right people and suspicious devices are contained and remediated.

Security information and event management

SIEM products pull together the information that your security staff needs to identify and respond to threats. These products come in various forms, including physical and virtual appliances and server software.


A virtual private network encrypts the connection from an endpoint to a network, often over the Internet. Typically, a remote-access VPN uses IPsec or Secure Sockets Layer to authenticate the communication between device and network.

Web security

A web security solution will control your staff’s web use, block web-based threats, and deny access to malicious websites. It will protect your web gateway on site or in the cloud. "Web security" also refers to the steps you take to protect your own website.

Wireless security

Wireless networks are not as secure as wired ones. Without stringent security measures, installing a wireless LAN can be like putting Ethernet ports everywhere, including the parking lot. To prevent an exploit from taking hold, you need products specifically designed to protect a wireless network.


Explain the following methods of network security:

Students should be able to explain, using examples, what each of these security methods is and when each could be used.

Students should understand how these methods can work together to provide a greater level of security.

Students should understand that MAC address filtering allows devices to access, or be blocked from accessing a network based on their physical address embedded within the device’s network adapter.







MAC address filtering.



Describe the 4 layer TCP/IP model:

Describe the 4 layer TCP/IP model:

  • application layer
  • transport layer
  • network layer
  • data link layer.

Understand that the HTTP, HTTPS, SMTP, IMAP and FTP protocols operate at the application layer.

Understand that the TCP and UDP protocols operate at the transport layer.

Understand that the IP protocol operates at the network layer.

Students should be able to name the layers and describe their main function(s) in a networking environment.

  • Application layer: this is where the network applications, such as web browsers or email programs, operate.
  • Transport layer: this layer sets up the communication between the two hosts and they agree settings such as ‘language’ and size of packets.
  • Network layer: addresses and packages data for transmission. Routes the packets across the network.
  • Data link layer: this is where the network hardware such as the NIC (network interface card) is located. OS device drivers also sit here.

Teachers should be aware that the network layer is sometimes referred to as the Internet layer and that the data link layer is sometimes referred to as the network interface layer. However, students will not be expected to know these alternative layer names.

A model such as the 4 layer model, is a reference model for how applications can communicate over a network. A reference model is a conceptual framework for understanding relationships. The purpose of a reference model is to guide vendors and developers so the digital communication products and software programs they create will interoperate, and to facilitate clear comparisons among communications tools. Most vendors involved in telecommunications make an attempt to describe their products and services in relation to the OSI model.

Like the OSI (Open Systems Interconnection) network model, TCP/IP (Transfer Control Protocol / Internet Protocol - known as the Internet Stack) also has a network model. TCP/IP was on the path of development when the OSI standard was published (1983) and there was interaction between the designers of OSI and TCP/IP standards. The TCP/IP model is not same as OSI model. OSI is a seven-layered standard, but TCP/IP is a four layered standard. The OSI model has been very influential in the growth and development of TCP/IP standard, and that is why much OSI terminology is applied to TCP/IP. The following figure compares the TCP/IP and OSI network models.

Layer 4 - The Application Layer.

The Application layer is the top most layer of four layer TCP/IP model. The Application layer is present on the top of the Transport layer. The Application layer defines TCP/IP application protocols and how host programs interface with Transport layer services to use the network.

The Application layer includes all the higher-level protocols like DNS (Domain Naming System), HTTP (Hypertext Transfer Protocol), Telnet, SSH, FTP (File Transfer Protocol), TFTP (Trivial File Transfer Protocol), SNMP (Simple Network Management Protocol), SMTP (Simple Mail Transfer Protocol) , DHCP (Dynamic Host Configuration Protocol), X Windows, RDP (Remote Desktop Protocol) etc.

Layer 3 - The Transport Layer

The Transport Layer is the third layer of the four layer TCP/IP model. The position of the Transport layer is between VApplication layer andV Internet layer. The purpose of VTransport layer is to permit devices on the source and destination hosts to carry on a conversation. The Transport layer defines the level of service and status of the connection used when transporting data.

The main protocols included at Transport layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

Layer 2 - The Internet Layer

The Internet Layer is the second layer of the four layer TCP/IP model. The position of the Internet layer is between the Network Access Layer and theTransport layer. The Internet layer pack data into data packets known as IP datagrams, which contain source and destination address (logical address or IP address) information that is used to forward the datagrams between hosts and across networks. The Internet layer is also responsible for routing of IP datagrams.

A Packet switching network depends upon a connectionless internetwork layer. This layer is known as Internet layer. Its job is to allow hosts to insert packets into any network and have them to deliver independently to the destination. At the destination side data packets may appear in a different order than they were sent. It is the job of the higher layers to rearrange them in order to deliver them to proper network applications operating at the Application layer.

The main protocols included at Internet layer are IP (Internet Protocol), ICMP (Internet Control Message Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol) and IGMP (Internet Group Management Protocol).

Layer 1 - The Network Access Layer

The Network Access Layer is the first layer of the four layer TCP/IP model. The Network Access Layer defines details of how data is physically sent through the network, including how bits are electrically or optically signalled by hardware devices that interface directly with a network medium, such as coaxial cable, optical fibre, or twisted pair copper wire.

The protocols included in the Network Access Layer are Ethernet, Token Ring, FDDI, X.25, Frame Relay etc.

The most popular LAN architecture among those listed above is Ethernet. Ethernet uses an Access Method called CSMA/CD (Carrier Sense Multiple Access/Collision Detection) to access the media, when Ethernet operates in a shared media. An Access Method determines how a host will place data on the medium.

3.1 Fundamentals of algorithms

3.2 Programming

3.3 Fundamentals of data representation

3.4 Computer systems

3.5 Fundamentals of computer networks

3.6 Fundamentals of cyber security

3.7 Ethical, legal and environmental impacts of digital technology on wider society, including issues of privacy

3.8 Aspects of software development

Glossary and other links

Glossary of computing terms.

AQA 8520: The 2016 syllabus

AQA pseudo-code guides