There are two types of computer hosts connected to the Internet: server hosts and client hosts. The server host can be described as an “information provider”. This type of host contains some type of resource or data which is available to other hosts on the Internet.
The second type of host connected to the Internet is the client host which can be described as an “information retriever”. The client host will access resources and data located on the server hosts, but usually will not provide any resources back to the server host.
Both server and client host computers can be connected to the Internet by various methods that offer different communication capabilities at correspondingly different communications charges.

Direct Internet Connections: A computer connected directly to the Internet via a network interface gives the user the highest level of internetwork functionality.
Each computer connected in this manner must also have a unique Internet (IP) address. This type of connection is also the most expensive.

Serial Internet Connections: Another type of connection, offering most of the same communications capabilities, is a SLIP (Serial Line Internet Protocol) or PPP (Point to Point Protocol) connection.
These two connection schemes offer similar services: full network and application capability over a serial (modem) line. Since this connection offers full TCP/IP and ICMP functionality each computer configured in this manner requires its own IP address.
This type of connection is an on-demand service at slower speeds, which reduces communications charges; however, all TCP/IP and Internet vulnerabilities remain while the connection is "live".
An important point for the network security investigator to remember is that most dial-up TCP connections, either SLIP or PPP, assign the IP address to a connected machine dynamically. This means that when a system dials up to the Internet Service Provider (ISP), the ISP assigns an IP address at that point.
It also means that the address for the dialer may change each and every time the system connects. This can cause serious problems for the investigator when attempting to trace access back through firewall and router logs for specific IP addresses.
You will need to work closely with the victim and the ISP to properly track which system was assigned a particular IP address when the system connected to the ISP at a particular point in time.
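The correlation described above, as an added example that is not part of the original text: a constructed firewall log is matched against constructed ISP session records (start, end, pool address, subscriber) so that each logged event is attributed to whoever held the dynamic address at that instant. The log format, the session-record layout and all addresses are assumptions for this example.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed firewall log lines (the format is an assumption, not any real
# product's). Addresses come from the documentation ranges.
FIREWALL_LOG = [
    "1998-03-14T02:11:05 deny tcp 203.0.113.77:4123 -> 198.51.100.10:23",
    "1998-03-14T02:11:09 deny tcp 203.0.113.77:4124 -> 198.51.100.10:23",
    "1998-03-14T09:40:00 permit tcp 203.0.113.77:1044 -> 198.51.100.10:80",
    "1998-03-14T11:00:00 deny tcp 203.0.113.77:1050 -> 198.51.100.10:23",
]

# Constructed ISP dial-up session records: the same pool address was handed to
# two different subscribers on the same day, which is the investigator's problem.
ISP_SESSIONS = [
    ("1998-03-14T01:50:00", "1998-03-14T03:02:00", "203.0.113.77", "subscriber-A"),
    ("1998-03-14T03:05:00", "1998-03-14T10:00:00", "203.0.113.77", "subscriber-B"),
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")

def parse_fw_line(line):
    """Split one constructed log line into (timestamp, action, source address)."""
    ts, action, _proto, src, _arrow, _dst = line.split()
    return parse_ts(ts), action, ip_address(src.rsplit(":", 1)[0])

def subscriber_for(addr, ts, sessions):
    """Which subscriber held `addr` at instant `ts`? None if no session covers it;
    ValueError if the ISP records overlap, because attribution is then ambiguous."""
    hits = [who for start, end, lease_ip, who in sessions
            if ip_address(lease_ip) == addr and parse_ts(start) <= ts <= parse_ts(end)]
    if len(hits) > 1:
        raise ValueError(f"overlapping sessions for {addr} at {ts}")
    return hits[0] if hits else None

def attribute_log(log_lines, sessions):
    """Map every log event to the subscriber who held that address at that time."""
    return [(ts.isoformat(), action, str(addr), subscriber_for(addr, ts, sessions))
            for ts, action, addr in map(parse_fw_line, log_lines)]

if __name__ == "__main__":
    for row in attribute_log(FIREWALL_LOG, ISP_SESSIONS):
        print(row)
```

Before trusting the session boundaries, compare the firewall's clock and time zone with the ISP's access server: a few minutes of drift is enough to move an event from one subscriber to the next.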
Host Access Connections: The most limited type of network access is available as a user account on a host which is directly connected to the Internet. The user will then use a terminal to access that host using a standard serial connection. This type of connection is usually the most inexpensive form of access.
Sneaker-Net Connections: This type of connection is by far the most limiting, since the computer has no electrical connection to the Internet at all. This type of connection is the most secure because there is no direct access to the user's computer by a hacker.
If information and programs are required on the computer they must be transferred from a networked computer to the user's computer via magnetic media or manually. All computers with direct, SLIP, and PPP connections must have their own IP address, and their security administrators must be aware of the vulnerability concerns associated with these connections.
Communications channels work both ways: a user having access to the Internet implies that the Internet also has access to that user. Therefore, these computers must be protected and secured to ensure the Internet has limited access.
A terminal user dialing into an Internet host has fewer concerns, since the Internet interface lies on the host; in this situation the host must take all necessary security precautions.

To connect the various sub-networks and pieces of the Internet together, hardware equipment is required. The following are definitions of the various terms which are used to describe this equipment:
- Repeater - A repeater is a hardware device which is used to connect two Local Area Network segments that use the same physical-layer protocol. The repeater copies all bits from one network segment to the other. This device makes no routing decisions at all and does not modify the packets.
This device operates at layer 1 (Physical) of the OSI Network Model. A repeater may also be used to connect specific workstations in a physically local area to each other. Repeaters are very often used on Ethernet/802.3 networks and are commonly available at most computer stores at a low price.
- Modem - A modem is a device which will convert between the digital signal structures that computers require and the analog voltage levels that are used by telephone services. The term MODEM stands for MOdulator DEModulator.
A modem operates at layer 1 (Physical) of the OSI Network Model and therefore does not modify the data packets or make any routing decisions. Modems are used to connect two computers together over standard phone lines (usually for on-demand services). Current MODEM speeds range from 50 bits per second to over 56 thousand bits per second (56kbps).
- Bridge - A bridge is a device which is used to connect two Local Area Networks that use the same LAN framing protocol (such as Ethernet or token ring). The bridge acts as an address filter: it picks up packets from one LAN segment and transfers them to the other only if it recognizes that the packets need to travel from one LAN to the other.
If the communicating source system and destination system are on the same side of the bridge, the bridge will not forward the frame to the other side of the bridge.
The bridge makes no modification to any packets it forwards, and it operates at layer 2 (Data-Link) of the OSI Network Model.
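The forwarding decision just described, as an added example that is not part of the original text: a transparent learning bridge records which port each source MAC address was seen on, floods frames to unknown or broadcast destinations, forwards frames whose destination is known to be on the other side, and filters (drops) frames whose source and destination are on the same side. Port numbers and MAC addresses are constructed for this example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningBridge:
    """Transparent bridge: learns each station's segment from the source address
    of frames it sees and forwards only frames that must cross segments."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}          # MAC address -> port it was last seen on

    def handle_frame(self, src_mac, dst_mac, in_port):
        """Return the list of ports the frame is sent out of ([] = filtered)."""
        self.table[src_mac] = in_port                # learn the sender's segment
        if dst_mac == BROADCAST or dst_mac not in self.table:
            return sorted(self.ports - {in_port})    # unknown/broadcast: flood
        out_port = self.table[dst_mac]
        if out_port == in_port:
            return []                                # same side: do not forward
        return [out_port]                            # across the bridge: forward unchanged

# Constructed frames: (src_mac, dst_mac, port of arrival).
# Port 1 is LAN segment A, port 2 is LAN segment B.
FRAMES = [
    ("00:00:5e:00:53:01", "00:00:5e:00:53:02", 1),  # A1 -> A2, A2 not yet learned
    ("00:00:5e:00:53:02", "00:00:5e:00:53:01", 1),  # A2 -> A1, both on segment A
    ("00:00:5e:00:53:10", "00:00:5e:00:53:01", 2),  # B1 -> A1, must cross
    ("00:00:5e:00:53:01", BROADCAST, 1),            # broadcast from A1
]

def run_trace(frames):
    """Feed the frames through one two-port bridge and collect its decisions."""
    bridge = LearningBridge(ports=[1, 2])
    return [bridge.handle_frame(*frame) for frame in frames]

if __name__ == "__main__":
    for frame, out in zip(FRAMES, run_trace(FRAMES)):
        print(frame, "->", out)
```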
- Router - A router is a device that is used to connect two or more LAN, MAN or WAN segments that may or may not use the same framing protocols. Since the router operates at layer 3 (Network) of the OSI Network Model, it is able to make routing decisions based on the destination network address (the IP address on the Internet).
Routers will sometimes have filtering capability included. In this case a router might be used as a packet filter to enhance security and/or to reduce traffic that does not need to traverse every location on the network (packet filtering is described below).
Some very large routers at larger network sites can interconnect dozens of different types of network framing formats.
- Gateway - A gateway is a device which will interconnect two network segments which utilize different communications architectures. Gateways typically function on a program-type by program-type (application) basis. The gateway maps (or translates) data from one application to another application and as such operates at layer 7 (Application) of the OSI Network Model.
- Packet filter - Packet filtering is a capability usually added to routers, but can be implemented in host or firewall systems as well. Packet filtering applies a set of filters (or rules of traversal) to all packets entering or leaving the filtering mechanism that enable the router to decide whether the packet should be forwarded or disregarded.
For instance, security configurations may add address filters for certain ranges of addresses to keep traffic from roaming all over a network, or to keep undesirable addresses from accessing resources that are access-restricted.
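The router and packet-filter behaviour described in the two entries above, as an added example that is not part of the original text: a filtering router first applies an ordered list of address-range rules (first match wins, anything unmatched is dropped) and then, for permitted packets, chooses the outgoing interface by the most specific matching prefix. The routing table, the rule list, the interface names and all addresses are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table: (destination prefix, outgoing interface).
# lan0 = internal user segment, lan1 = restricted server segment, wan0 = Internet.
ROUTES = [
    (ip_network("0.0.0.0/0"), "wan0"),
    (ip_network("192.0.2.0/24"), "lan0"),
    (ip_network("198.51.100.0/24"), "lan1"),
]

# Constructed filter rules, checked top to bottom; the first match decides and
# anything unmatched is dropped (default deny).
FILTER_RULES = [
    ("permit", "192.0.2.0/24", "0.0.0.0/0"),        # internal users may go anywhere
    ("deny",   "0.0.0.0/0",    "198.51.100.0/24"),  # nobody else reaches the restricted segment
    ("permit", "0.0.0.0/0",    "192.0.2.0/24"),     # traffic toward the user segment
]
RULES = [(action, ip_network(s), ip_network(d)) for action, s, d in FILTER_RULES]

def filter_decision(src, dst, rules=RULES):
    """Apply the rule list to a source/destination pair (layer-3 addresses only)."""
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def longest_match(dst, routes=ROUTES):
    """Pick the most specific prefix containing dst: the layer-3 routing decision."""
    matches = [(net.prefixlen, iface) for net, iface in routes if dst in net]
    return max(matches)[1] if matches else None

def forward(src_text, dst_text):
    """Return (decision, outgoing interface or None) for one packet."""
    src, dst = ip_address(src_text), ip_address(dst_text)
    if filter_decision(src, dst) != "permit":
        return ("deny", None)
    return ("permit", longest_match(dst))

if __name__ == "__main__":
    for pkt in [("192.0.2.5", "203.0.113.9"), ("203.0.113.9", "198.51.100.10"),
                ("203.0.113.9", "192.0.2.5"), ("192.0.2.5", "198.51.100.10")]:
        print(pkt, "->", forward(*pkt))
```

Rule order matters: moving the "deny" line to the top would also cut off the internal users, which is exactly the kind of policy error a filter review should look for.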
- Firewall - The term firewall describes a system (one or more pieces of hardware) that acts as a barrier between two or more network segments. A firewall can be used to provide a barrier between an internal network and the Internet.
A firewall can be considered the technical implementation of a security policy. The firewall upholds the security policy of a network when connecting that network to a second network which has a less stringent security policy.
- Cyberwall - A cyberwall is similar in scope to a firewall, but instead of offering perimeter defense filtering between two or more networks, cyberwalls are typically installed on desktop and server systems on the inside network at a corporate site.
Cyberwalls provide a defensive barrier to attacks on mission-critical systems on internal networks and help “harden” the operating system environment against a network attack. Some cyberwalls also include intrusion detection software that allows the system to detect specific types of attack in progress and effect some level of defense against them.
Readers are cautioned that these terms are not always used in a consistent manner in publications which can cause confusion or misconceptions.