This chapter is from the book

Management of the Internet

Back in the days of the ARPANET and NSFnet, the responsibility for management of things such as IP addresses, domain names, and core DNS servers (or hostname lists, if you go back far enough) was given to various organizations through federal contracts via DARPA and NSF. Several key organizations emerged through these activities, including these:

  • Internet Network Information Center (InterNIC)

  • Internet Engineering Task Force (IETF)

  • Internet Assigned Numbers Authority (IANA)

Dr. Jon Postel, who was a graduate student at the University of California (UCLA) during the early ARPANET days, is fondly remembered as the person who maintained the early libraries of standards, pre-DNS hostname lists, and "magic numbers" lists. The InterNIC allocated IP addresses and domain names, while the IETF and IANA provided the mechanisms for setting protocol standards and defining official lists of important numbers associated with the protocols, respectively.

As the Internet became more commercialized, the U.S. government began the process of shifting management responsibilities away from federally funded companies and organizations and toward a collection of both nonprofit and for-profit entities.

Today, the last ties to the U.S. government have long since been broken, and the Internet is a totally commercial entity. As we already have stated, the physical infrastructure of the Internet is owned by many ISPs that have built and maintain numerous interconnected global and national backbones. A number of both nonprofit and for-profit organizations take care of day-to-day management issues such as these:

  • The allocation of blocks of IP addresses to ISPs around the world

  • The control over the domain name space (a new TLD cannot be created by anyone on the Internet—or, at least, it shouldn't be)

  • The creation of new Internet protocols, such as the "next-generation" version of IP (IPv6) or a secure DNS query-and-response protocol

The various organizations that provide the "big-picture" management functions of the Internet are illustrated in Figure 3.5. Many of the policy organizations are staffed by volunteers who are elected from the public and private sector stakeholders. On the other hand, the efforts that require significant capital investment, such as maintaining domain name databases, are for-profit enterprises, which compete with each other in the open market.

The ICANN

Many of the historical entities that handled the details of IP address allocation, domain name management, and other broad-ranging technical issues have been consolidated under a nonprofit organization called the Internet Corporation for Assigned Names and Numbers, or ICANN. The ICANN provides a structure for Internet-related businesses, researchers, and technology developers to come to consensus on high-level matters affecting the overall operation of the Internet. The ICANN primarily is concerned with four issues:

  • IP address allocation

  • Protocol development

  • DNS management

  • DNS root server management

Figure 3.5 Internet management authorities.

The work of the ICANN is divided up among three principal support organizations: the DNSO, ASO, and PSO.

Domain Name Supporting Organization (DNSO)

The DNSO is responsible for setting the rules for assigning domain names and managing the top-level domains that we described previously (such as .com and .net). For example, the DNSO conducts the activities required to officially create new TLDs, such as the .biz, .info, and .name domains. Although the DNSO is not the place you go to get a domain name, it does retain the authority to accredit commercial domain name registrars.

In addition, the DNSO takes an active role in ensuring that a number of "root servers" maintained around the world act as the authoritative DNS servers for the .com, .edu, .org, .gov, and .int TLDs. As of late 2001, there were 13 root servers, 10 in the United States, 2 in Europe, and 1 in Japan.

Address Supporting Organization (ASO)

The ASO is the ultimate authority for the allocation of IP addresses and a few other technical issues surrounding IP networks (such as autonomous system, or AS, numbers). The ASO principally deals with the allocation of large blocks of IP addresses to three regional Internet registries (RIRs):

  • ARIN—American Registry for Internet Numbers, which covers North and South America, the Caribbean, and sub-Saharan Africa

  • RIPE—Reseaux IP Europeens, which covers Europe, Russia, the Middle East, and parts of Africa

  • APNIC—Asian Pacific Network Information Center, which covers the Asia-Pacific nations

The RIRs are then responsible for allocating smaller blocks of IP addresses to local Internet registries (LIRs), which are typically Internet service providers. The RIRs do not actually run any kind of backbone network; they simply manage the broad assignment of IP addresses across regions. For example, the smallest block of IP addresses that the APNIC will allocate is 4,096 addresses. An end user or small ISP can then go to one of the LIRs for an actual IP address assignment.

Protocol Supporting Organization (PSO)

The PSO coordinates the development of new Internet-related protocols. Its principal partners in this effort include the Internet Engineering Task Force (IETF) and the Internet Assigned Numbers Authority (IANA). At the end of the day, the fruits of these efforts are reflected in the Request for Comments documents (more commonly referred to as RFCs), which are the authoritative descriptions of things such as the TCP and IP packet protocols and the HTTP and SMTP application protocols. The IANA maintains a large collection of lists that describe the "magic numbers" associated with these protocols. For example, the detail-oriented reader might want to know what number is used in an IP header to indicate that TCP is being carried in the packet's payload, or which application protocol is associated with TCP port number 80. A quick check of the IANA references will reveal that the answers to these questions are 6 and HTTP, respectively. Any reader who is interested in Internet protocols should become familiar with the IETF and IANA Web sites:

These are the sites where software and network equipment developers go to learn all about the details of putting together valid packets and application data so that one vendor's program or device can interoperate with another's. It is also the place where the more elite "hackers" go to look for opportunities to exploit systems that implement the standards.

The PSO also coordinates with other technical standards bodies, including the WWW Consortium (W3C), the International Telecommunications Union (ITU) and the European Telecommunications Standards Institute (ETSI).
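The two IANA lookups mentioned in this section (protocol number 6 in the IP header, TCP port 80) can be seen on an actual packet header. The following is an added example, not code from the book; the packet is constructed from documentation addresses, and the two tables are small hand-copied excerpts of the IANA registries, using common protocol names rather than the registries' own service names.

```python
import struct

# Excerpts of the IANA protocol-number and port-number registries (not complete).
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_PORTS = {25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


def build_sample_packet():
    """Constructed IPv4 + TCP headers: 192.0.2.10:49152 -> 198.51.100.20:80."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, header length 5 words (20 bytes)
        0, 40,           # type of service, total length
        0x1234, 0x4000,  # identification, flags (don't fragment)
        64,              # time to live
        6,               # protocol field: 6 = TCP per IANA
        0,               # header checksum (left at 0 in this sample)
        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]),
    )
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        49152, 80,       # source port, destination port
        1, 0,            # sequence and acknowledgment numbers
        0x50, 0x02,      # data offset 5 words, SYN flag
        65535, 0, 0,     # window, checksum (0 in this sample), urgent pointer
    )
    return ip_header + tcp_header


def decode(packet):
    """Read the protocol field and, for TCP, the destination port."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version = packet[0] >> 4
    header_len = (packet[0] & 0x0F) * 4   # IHL is counted in 32-bit words
    if version != 4 or header_len < 20 or len(packet) < header_len:
        raise ValueError("not a valid IPv4 header")
    proto = packet[9]                      # byte 9 of the IP header
    result = {
        "protocol_number": proto,
        "protocol": IP_PROTOCOLS.get(proto, "not in this excerpt"),
    }
    if proto == 6:
        if len(packet) < header_len + 4:
            raise ValueError("truncated TCP header")
        # The TCP header starts after the IP header, which may carry options.
        src_port, dst_port = struct.unpack_from("!HH", packet, header_len)
        result["src_port"] = src_port
        result["dst_port"] = dst_port
        result["service"] = TCP_PORTS.get(dst_port, "not in this excerpt")
    return result


if __name__ == "__main__":
    print(decode(build_sample_packet()))
```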

Domain Name Registries

We have established that an ISP provides its customers with their IP address(es), as well as one or more DNS server addresses. After a user has obtained these two things, he is ready to surf the Internet. If a user wants other people to be able to surf to him, then that user needs to reserve a domain name of his own. To do this, the user must contact a commercial domain name registrar and ask whether the desired domain name is available. If it is, then, after the payment of a relatively small annual fee (remember, domain name registration is a competitive, for-profit enterprise nowadays), the registrar will take care of the formalities of assigning the name and entering it in the global system of DNS servers. Finding a domain name registrar is pretty easy—their advertisements can be found on many Web pages.

The first commercial domain name registrar was Network Solutions, Inc. This organization, along with any one of dozens of other registrars, will be happy to handle your request for a .com, .net, .org, .biz, .info, or .name domain name. These registrars also have put in place procedures for handling disputes over the use of copyrighted names—domain name hijacking has become a serious issue for companies that found that they were forced to pay large sums of money to cybersquatters who registered for popular commercial domain names.

A few of the top-level domains are controlled by specific entities. For example, .gov is reserved for U.S. government agencies, and .mil is reserved for the U.S. military. Similarly, the .edu TLD is reserved for educational institutions that meet certain qualifying criteria.

whois Databases

The various Regional Internet Registries, such as ARIN, RIPE, and APNIC, as well as the commercial domain name registrars, maintain "whois" databases that contain information about the people and organizations that register for addresses and domain names. Access to the whois databases is generally open and available through several means:

  • Registry Web sites (for example, ARIN, RIPE, APNIC, Network Solutions)

  • Web sites that provide interfaces to various online network tools (whois queries, DNS queries, and so on)

  • Lookup tools that run on an end user's computer (for example, the whois command on UNIX systems)

These are good databases to get familiar with because they can be quite a useful source of information for performing any kind of investigation into suspicious IP addresses that might be associated with probes of or attacks on a network. Just as a phone number on a caller ID device is not very revealing without the name of a person or company next to it, an IP address on its own also is not very illuminating. Queries to the whois databases can reveal all sorts of interesting information, including the name and street address of the organization that is assigned the IP address, the ISP used, and the names and phone numbers of key IT staff. An example of a whois query and the database response is included in Figure 3.6.

Figure 3.6 A whois query.
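To make the investigative use described above concrete, the following added example (not from the book) shows a minimal whois client and a parser that turns a response into a short triage summary for an IP address seen in a log. It assumes an ARIN-style "Key: value" response; other registries use different field names, the response shown is constructed from documentation placeholders, and `whois.arin.net` is used as the default server only as an assumption for illustration.

```python
import ipaddress
import socket

# Constructed response in an ARIN-style "Key: value" layout; every value is a
# documentation placeholder (RFC 5737 address space, example.net).
SAMPLE_RESPONSE = """\
# Constructed whois response, for illustration only
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET
OrgName:        Example Hosting, Inc.
Country:        US
OrgAbuseEmail:  abuse@example.net
OrgAbusePhone:  +1-555-0100
OrgTechEmail:   noc@example.net
"""


def whois_query(query, server="whois.arin.net", port=43, timeout=10):
    """Send one whois query (RFC 3912) and return the full text response."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:                      # the server closes the connection when done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists, skipping comments."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return record


def triage(ip, record):
    """Summarize who holds the block and whether `ip` really falls inside it."""
    addr = ipaddress.ip_address(ip)
    in_range = None                      # None: the record carried no NetRange
    if "NetRange" in record:
        low, _, high = record["NetRange"][0].partition(" - ")
        low = ipaddress.ip_address(low.strip())
        high = ipaddress.ip_address(high.strip())
        in_range = addr.version == low.version and low <= addr <= high
    return {
        "ip": ip,
        "in_range": in_range,
        "org": record.get("OrgName", ["unknown"])[0],
        "network": record.get("CIDR", ["unknown"])[0],
        "abuse_contacts": record.get("OrgAbuseEmail", [])
        + record.get("OrgAbusePhone", []),
    }


if __name__ == "__main__":
    # Offline run on the constructed sample; a live lookup would be
    # parse_whois(whois_query("192.0.2.77")).
    print(triage("192.0.2.77", parse_whois(SAMPLE_RESPONSE)))
```

The `in_range` check guards against attributing an address to an organization from a response that actually describes a different block.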

Finally, be aware that similar information about you and your domain is available from the whois databases. The whois database is a resource that many hackers use to find IP addresses associated with a network that they want to target. A combination of queries to DNS servers and whois database servers can provide would-be attackers with lists of IP addresses of both public and private servers, and even phone numbers and street addresses of particular individuals in the IT organization. This can come in quite handy for performing less technical hacking operations, such as "dumpster diving" for discarded documents and "social engineering," in which probing phone calls are made to unsuspecting users or employees in an attempt to gather information (or even asking someone at the help desk to reset a "forgotten" password).
