A2.1.1 Describe networks purpose, characteristics (AO2)

A2.1.1_1 Types: LAN, WAN, PAN, VPN

Local Area Network (LAN)

  • Purpose: Connects devices within a limited area (e.g., home, office, school) for resource sharing (e.g., files, printers)
  • Characteristics: High-speed connections (e.g., 1–10 Gbps), low latency, typically wired (Ethernet) or wireless (Wi-Fi), managed locally

Wide Area Network (WAN)

  • Purpose: Connects geographically dispersed networks, enabling communication across cities or countries (e.g., the internet)
  • Characteristics: Lower speeds than LAN (e.g., 10–100 Mbps), higher latency, relies on ISPs or leased lines, covers large areas

Personal Area Network (PAN)

  • Purpose: Connects personal devices (e.g., smartphone, laptop, smartwatch) over short distances for individual use
  • Characteristics: Short range (e.g., 10 meters), low power, uses technologies like Bluetooth or USB, typically wireless

Virtual Private Network (VPN)

  • Purpose: Creates secure, encrypted connections over public networks (e.g., internet) for private communication
  • Characteristics: Enhances security, uses tunneling protocols (e.g., IPsec, OpenVPN), enables remote access to private networks

A2.1.2 Describe modern digital infrastructures (AO2)

A2.1.2_1 Internet, cloud, distributed systems, edge computing, mobile networks

Internet

  • Global network of interconnected computers using standardized protocols (e.g., TCP/IP) for data exchange
  • Enables services like web browsing, email, and streaming across diverse devices
  • Characteristics: Scalable, decentralized, relies on infrastructure like routers and servers

Cloud Computing

  • Delivers on-demand computing resources (e.g., storage, processing) over the internet
  • Includes services like SaaS (e.g., Google Docs), PaaS (e.g., AWS Elastic Beanstalk), and IaaS (e.g., Azure VMs)
  • Characteristics: Scalable, cost-efficient, accessible remotely, supports data backup and collaboration

Distributed Systems

  • Collection of independent computers working together to achieve a common goal, appearing as a single system
  • Example: Blockchain networks or distributed databases like Apache Cassandra
  • Characteristics: Fault-tolerant, scalable, no central control, complex coordination

Edge Computing

  • Processes data closer to its source (e.g., IoT devices) rather than relying on centralized cloud servers
  • Reduces latency and bandwidth usage for real-time applications
  • Characteristics: Low latency, localized processing, ideal for IoT and autonomous systems

Mobile Networks

  • Wireless networks (e.g., 4G, 5G) enabling mobile device connectivity for voice, data, and internet access
  • Characteristics: High mobility, varying speeds (e.g., 5G up to 10 Gbps), supports location-based services

A2.1.2_2 Examples: WWW, blockchains, smart traffic lights, schools

World Wide Web (WWW)

  • System of interlinked resources accessed via the internet using HTTP/HTTPS protocols
  • Example: Websites like Wikipedia or e-commerce platforms accessed through browsers
  • Role: Facilitates information sharing, commerce, and communication globally

Blockchains

  • Distributed ledger technology for secure, decentralized data storage and transactions
  • Example: Bitcoin or Ethereum for cryptocurrency or smart contracts
  • Role: Ensures transparency, security, and immutability in financial and data systems

Smart Traffic Lights

  • Networked traffic control systems using sensors and edge computing to optimize traffic flow
  • Example: Adaptive signals adjusting timing based on real-time traffic data
  • Role: Reduces congestion, improves safety, and enhances urban mobility

Schools

  • Local networks (LANs) and cloud-based systems for educational purposes, connecting devices and resources
  • Example: Google Classroom or school Wi-Fi for student collaboration and resource access
  • Role: Supports digital learning, file sharing, and administrative tasks

A2.1.3 Describe network devices functions (AO2)

A2.1.3_1 Devices: gateways, firewalls, modems, NICs, routers, switches, wireless access points

Gateways

  • Function: Connects different networks with varying protocols, translating data for interoperability
  • Example: Links a LAN to a WAN, such as connecting an office network to the internet

Firewalls

  • Function: Monitors and filters network traffic based on security rules to protect against unauthorized access
  • Example: Blocks malicious packets or restricts access to specific websites

Modems

  • Function: Converts digital signals to analog (and vice versa) to connect networks to ISPs
  • Example: Converts cable or DSL signals for home internet access

Network Interface Cards (NICs)

  • Function: Provides a physical connection for devices (e.g., computers) to a network, handling data transmission
  • Example: Ethernet or Wi-Fi cards in laptops for network connectivity

Routers

  • Function: Directs data packets between networks, determining optimal paths using routing tables
  • Example: Routes traffic between a home LAN and the internet

Switches

  • Function: Connects devices within a single network, forwarding data to specific destinations using MAC addresses
  • Example: Connects computers in an office LAN for file sharing

Wireless Access Points (WAPs)

  • Function: Enables wireless devices to connect to a wired network using Wi-Fi
  • Example: Provides Wi-Fi coverage in a home or office for smartphones and laptops

A2.1.3_2 Mapping to TCP/IP model layers

Application Layer

  • Devices: Gateways, firewalls (filter application-specific traffic, e.g., HTTP)
  • Role: Handle high-level protocols and user-facing services

Transport Layer

  • Devices: Firewalls (monitor ports, e.g., TCP/UDP traffic)
  • Role: Manage end-to-end communication and data transfer reliability

Internet Layer

  • Devices: Routers, gateways (route packets using IP addresses)
  • Role: Direct packets across networks using IP protocols

Network Interface Layer

  • Devices: NICs, switches, modems, WAPs
  • Role: Handle physical data transmission, MAC addressing, and network access (e.g., Ethernet, Wi-Fi)

A2.1.4 Describe transport, application protocols (AO2)

A2.1.4_1 Protocols: TCP, UDP, HTTP, HTTPS, DHCP

Transmission Control Protocol (TCP)

  • Function: Reliable, connection-oriented protocol ensuring data delivery without errors or loss
  • Characteristics: Uses handshakes (e.g., three-way handshake), error checking, and retransmission for reliability
  • Use Case: Web browsing, email, file transfers (e.g., FTP) where data integrity is critical

User Datagram Protocol (UDP)

  • Function: Connectionless protocol prioritizing speed over reliability, sending data without guaranteed delivery
  • Characteristics: Minimal overhead, no error correction or retransmission, suitable for time-sensitive applications
  • Use Case: Video streaming, online gaming, VoIP where low latency is more important than occasional data loss

Hypertext Transfer Protocol (HTTP)

  • Function: Application-layer protocol for transferring web content (e.g., HTML, images) between clients and servers
  • Characteristics: Stateless, request-response model, operates over TCP
  • Use Case: Accessing websites (e.g., loading a webpage)

Hypertext Transfer Protocol Secure (HTTPS)

  • Function: Secure version of HTTP using encryption (SSL/TLS) to protect data during transmission
  • Characteristics: Ensures confidentiality, integrity, and authentication of web traffic
  • Use Case: Secure online transactions, login pages, sensitive data transfers

Dynamic Host Configuration Protocol (DHCP)

  • Function: Automatically assigns IP addresses and network configuration to devices on a network
  • Characteristics: Operates at the application layer, uses UDP for communication, reduces manual configuration
  • Use Case: Assigning IP addresses to devices in a home or office network

A2.1.5 Describe TCP/IP model function (HL) (AO2)

A2.1.5_1 Layers: application, transport, internet, network interface

Application Layer

  • Function: Provides protocols for user applications to access network services and exchange data
  • Examples: HTTP, HTTPS, FTP, SMTP, DNS
  • Role: Handles high-level communication, such as web browsing or email, interfacing directly with software

Transport Layer

  • Function: Manages end-to-end communication, ensuring reliable or efficient data transfer
  • Examples: TCP (reliable, connection-oriented), UDP (fast, connectionless)
  • Role: Controls data segmentation, error checking, and flow control between devices

Internet Layer

  • Function: Routes data packets across networks using IP addresses
  • Examples: IP (IPv4, IPv6), ICMP, ARP
  • Role: Ensures packets reach their destination, handling addressing and routing

Network Interface Layer

  • Function: Manages physical data transmission over hardware, including framing and media access
  • Examples: Ethernet, Wi-Fi, MAC addressing
  • Role: Interfaces with physical hardware to send/receive data over a network

A2.1.5_2 Layer roles, interactions for reliable data transmission

Layer Roles

  • Application Layer: Formats data for applications (e.g., HTTP request for a webpage)
  • Transport Layer: Breaks data into segments, adds headers (e.g., TCP for reliability), and ensures proper delivery
  • Internet Layer: Encapsulates segments into packets with IP addresses for routing across networks
  • Network Interface Layer: Converts packets into frames, transmits them over physical media (e.g., Ethernet cables, Wi-Fi)

Interactions

  • Data flows downward from application to network interface layer when sending, and upward when receiving
  • Sending: Application data is segmented (transport), addressed (internet), and framed (network interface) for transmission
  • Receiving: Frame headers are stripped to recover packets (network interface), packets are accepted by the host whose IP address they carry (internet), and segments are reordered and reassembled into data (transport) for the application
  • Reliability: TCP at the transport layer ensures reliable delivery through error checking, retransmission, and sequencing; IP at the internet layer ensures correct routing

Example

  • Loading a webpage: Browser (application layer) sends an HTTP request via TCP (transport layer), which is routed as IP packets (internet layer) over Ethernet/Wi-Fi (network interface layer) to the server, with the response following the reverse path
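The webpage example above, carried through at the byte level: the request picks up a TCP header, then an IPv4 header, then an Ethernet header on the way down, and the receiving host strips them in reverse. This is an added example, not code from the original notes; header layouts follow the real Ethernet II, IPv4 and TCP formats, but the MAC/IP addresses, ports and sequence number are constructed sample values and checksums are left as zero.

```python
"""Encapsulating an HTTP request down the four TCP/IP layers and unwrapping it again.

Added example, not from the original notes. Header layouts follow the real
Ethernet II, IPv4 and TCP formats, but the MAC/IP addresses, ports and sequence
number are constructed sample values and checksums are left as zero.
"""
import struct


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


# Application layer: the browser formats an HTTP request as text.
def build_http_request(host: str, path: str = "/") -> bytes:
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


# Transport layer: prepend a 20-byte TCP header (ports, sequence/ack numbers, flags).
def tcp_segment(payload: bytes, src_port: int, dst_port: int, seq: int) -> bytes:
    offset_flags = (5 << 12) | 0x018  # header length 5 words; PSH and ACK flags set
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0, offset_flags, 65535, 0, 0)
    return header + payload


# Internet layer: prepend a 20-byte IPv4 header carrying source/destination IPs.
def ip_packet(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                         64, 6, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))  # proto 6 = TCP
    return header + segment


# Network interface layer: prepend a 14-byte Ethernet II header with MAC addresses.
def ethernet_frame(packet: bytes, src_mac: str, dst_mac: str) -> bytes:
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", 0x0800) + packet


def decapsulate(frame: bytes) -> dict:
    """Receiving host: strip one header per layer, bottom up, and return the fields."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if proto != 6:
        raise ValueError("not a TCP packet")
    segment = packet[(ver_ihl & 0x0F) * 4:total_len]
    src_port, dst_port, seq, _, offset_flags, _, _, _ = struct.unpack("!HHIIHHHH", segment[:20])
    return {
        "dst_mac": bytes_to_mac(dst_mac), "src_mac": bytes_to_mac(src_mac),
        "src_ip": bytes_to_ip(src_ip), "dst_ip": bytes_to_ip(dst_ip), "ttl": ttl,
        "src_port": src_port, "dst_port": dst_port, "seq": seq,
        "data": segment[(offset_flags >> 12) * 4:],
    }


def send_webpage_request() -> dict:
    """Walk a GET request down the stack on the client and back up on the server."""
    http = build_http_request("example.com")
    segment = tcp_segment(http, src_port=51234, dst_port=80, seq=1)
    packet = ip_packet(segment, "192.168.1.10", "203.0.113.5")
    frame = ethernet_frame(packet, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:ff")
    fields = decapsulate(frame)
    fields["header_overhead"] = len(frame) - len(http)  # 14 + 20 + 20 bytes
    return fields
```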

A2.2.1 Describe network topologies functions, applications (AO2)

A2.2.1_1 Topologies: star, mesh, hybrid

Star Topology

  • Function: All devices connect to a central hub or switch, which manages data transfer between nodes
  • Characteristics: Centralized control, easy to add/remove devices, single point of failure at the hub
  • Advantages: Simple setup, easy troubleshooting, high scalability
  • Disadvantages: Hub failure disrupts the entire network; requires more cabling

Mesh Topology

  • Function: Each device connects directly to multiple or all other devices, enabling multiple data paths
  • Characteristics: Fully connected (full mesh) or partially connected (partial mesh), highly redundant
  • Advantages: Fault-tolerant, no single point of failure, reliable data paths
  • Disadvantages: Expensive, complex setup due to extensive cabling/connections

Hybrid Topology

  • Function: Combines elements of multiple topologies (e.g., star and mesh) to balance benefits and drawbacks
  • Characteristics: Flexible, tailored to specific needs, combines centralized and decentralized features
  • Advantages: Customizable, balances cost and reliability
  • Disadvantages: Complex to design and maintain

A2.2.1_2 Factors: reliability, speed, scalability, collisions, cost

Factor comparison: Star vs Mesh vs Hybrid

  • Reliability
    • Star: Less reliable due to central hub dependency; failure of the hub disrupts all connections
    • Mesh: Highly reliable; multiple paths ensure data delivery even if some connections fail
    • Hybrid: Reliability depends on design; can incorporate redundancy from mesh
  • Speed
    • Star: Fast for small networks, but hub congestion can slow performance
    • Mesh: High speed due to direct connections, though latency varies by routing
    • Hybrid: Speed varies based on combined topologies; optimized for specific needs
  • Scalability
    • Star: Highly scalable; easy to add new devices via the hub
    • Mesh: Less scalable; adding devices increases complexity and cost significantly
    • Hybrid: Moderately scalable; balances ease of expansion with complexity
  • Collisions
    • Star: Low collision risk; hub/switch manages traffic, preventing collisions in switched networks
    • Mesh: Minimal collisions due to dedicated paths, especially in full mesh
    • Hybrid: Collision risk depends on topology mix; switches reduce collisions in star components
  • Cost
    • Star: Cost-effective; minimal cabling except for hub connections
    • Mesh: Expensive due to extensive cabling and hardware for direct connections
    • Hybrid: Cost varies; balances affordability with performance needs
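The reliability and cost rows above can be checked by counting links and testing what one node failure does to connectivity. This is an added example, not part of the notes; node names are constructed, and the hybrid layout assumes three building switches in a mesh backbone, each the hub of a small star.

```python
"""Links needed and fault tolerance of star, full-mesh and hybrid topologies.

Added example, not part of the notes. The node names are constructed; the
hybrid layout is three building switches in a mesh backbone, each acting as
the hub of a small star, as in the campus example in these notes.
"""
from collections import deque
from itertools import combinations


def star(hub, leaves):
    """Every leaf has exactly one link, to the hub."""
    return {frozenset((hub, leaf)) for leaf in leaves}


def full_mesh(nodes):
    """Every node links directly to every other node."""
    return {frozenset(pair) for pair in combinations(nodes, 2)}


def reachable(links, start, failed=frozenset()):
    """Breadth-first search over links that do not touch a failed node."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for link in links:
            if current not in link:
                continue
            other = next(iter(link - {current}))
            if other not in seen and other not in failed:
                seen.add(other)
                queue.append(other)
    return seen


def disconnected_pairs(nodes, links, failed):
    """How many pairs of surviving nodes can no longer talk to each other."""
    alive = [n for n in nodes if n not in failed]
    return sum(1 for a, b in combinations(alive, 2) if b not in reachable(links, a, failed))


def worst_single_failure(nodes, links):
    """The node whose failure disconnects the most pairs, with that count."""
    return max(((n, disconnected_pairs(nodes, links, {n})) for n in nodes), key=lambda t: t[1])


# Constructed topologies of comparable size
STAR_NODES = ["hub", "A", "B", "C", "D", "E", "F"]
STAR = star("hub", STAR_NODES[1:])

MESH_NODES = ["R1", "R2", "R3", "R4", "R5", "R6", "R7"]
MESH = full_mesh(MESH_NODES)

HYBRID_NODES = ["S1", "S2", "S3", "A", "B", "C", "D", "E", "F"]
HYBRID = (full_mesh(["S1", "S2", "S3"])          # backbone between buildings
          | star("S1", ["A", "B"]) | star("S2", ["C", "D"]) | star("S3", ["E", "F"]))


def summary():
    """Link count and worst-case single node failure for each topology."""
    return {
        name: {"links": len(links), "worst_failure": worst_single_failure(nodes, links)}
        for name, nodes, links in (("star", STAR_NODES, STAR),
                                   ("mesh", MESH_NODES, MESH),
                                   ("hybrid", HYBRID_NODES, HYBRID))
    }
```

The star needs the fewest links but losing the hub cuts every remaining pair; the full mesh survives any single failure at the price of many more links; the hybrid sits in between, losing only one building's hosts when a hub fails.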

A2.2.1_3 Examples: home, small offices, corporations, campuses

Home

  • Topology: Typically star; devices (e.g., computers, phones) connect to a central router or Wi-Fi access point
  • Reason: Simple setup, cost-effective, sufficient for small-scale networks

Small Offices

  • Topology: Star or hybrid; devices connect via switches or routers, sometimes with partial mesh for critical systems
  • Reason: Balances scalability and reliability for moderate-sized networks

Corporations

  • Topology: Hybrid or mesh; combines star for workstations and mesh for server redundancy
  • Reason: Ensures high reliability and performance for large-scale, critical operations

Campuses

  • Topology: Hybrid; multiple star networks (e.g., per building) linked via mesh or backbone connections
  • Reason: Supports large areas with many devices, ensuring scalability and fault tolerance

A2.2.2 Describe servers function (HL) (AO2)

A2.2.2_1 Types: DNS, DHCP, file, mail, proxy, web

DNS Server (Domain Name System)

  • Function: Translates domain names (e.g., www.google.com) into IP addresses for network communication
  • Characteristics: Maintains a database of domain-to-IP mappings, responds to client queries
  • Example: Google's 8.8.8.8 DNS server resolves website addresses for browsers

DHCP Server (Dynamic Host Configuration Protocol)

  • Function: Automatically assigns IP addresses and network configuration to devices on a network
  • Characteristics: Manages a pool of IP addresses, leases them temporarily to devices
  • Example: Home routers assigning IPs to connected devices like phones or laptops

File Server

  • Function: Stores and manages files, providing centralized access and sharing for network users
  • Characteristics: Supports file permissions, backups, and concurrent access
  • Example: Network drives in offices for shared documents (e.g., via Samba or NFS)

Mail Server

  • Function: Handles sending, receiving, and storing email messages using protocols like SMTP, IMAP, or POP3
  • Characteristics: Manages mailboxes, ensures secure email delivery
  • Example: Microsoft Exchange or Postfix for corporate email systems

Proxy Server

  • Function: Acts as an intermediary between clients and external networks, caching data or filtering traffic
  • Characteristics: Enhances security, privacy, and performance by caching web content or hiding client IPs
  • Example: Squid proxy for caching web pages in an organization

Web Server

  • Function: Hosts websites, serving web content (e.g., HTML, images) to clients via HTTP/HTTPS
  • Characteristics: Handles client requests, supports dynamic content via scripting (e.g., PHP)
  • Example: Apache or Nginx hosting websites like online stores

A2.2.2_2 Factors: function, scalability, reliability, security

Function

  • Each server type serves a specific role (e.g., DNS for name resolution, file servers for storage), tailored to network needs
  • Servers may combine roles (e.g., a single server running web and file services) in smaller networks

Scalability

  • Servers must handle increasing loads (e.g., more users, requests) via hardware upgrades or load balancing
  • Example: Web servers use clusters (e.g., AWS Elastic Load Balancer) to scale for high traffic

Reliability

  • Ensures continuous operation through redundancy, backups, and fault-tolerant designs
  • Example: RAID on file servers or failover DNS servers to prevent downtime

Security

  • Protects against unauthorized access, data breaches, or attacks using firewalls, encryption, and authentication
  • Example: Mail servers use TLS for secure email transmission; proxy servers filter malicious traffic

A2.2.3 Compare networking models (AO3)

A2.2.3_1 Client-server vs peer-to-peer

Client-Server Model

  • Description: A centralized model where clients (e.g., computers, phones) request services from a dedicated server that processes and responds to requests
  • Structure: Servers manage resources (e.g., data, applications), while clients access them via a network
  • Example: A web browser (client) requests a webpage from a web server (e.g., Apache)

Peer-to-Peer (P2P) Model

  • Description: A decentralized model where each device (peer) acts as both client and server, sharing resources directly with others
  • Structure: No central server; peers communicate and share resources like files or processing power
  • Example: BitTorrent, where peers share file segments directly with each other

A2.2.3_2 Benefits, drawbacks

Client-Server

  • Benefits:
    • Centralized control simplifies management, security, and backups
    • Scalable; servers can be upgraded to handle more clients
    • Reliable for consistent service delivery (e.g., web hosting)
  • Drawbacks:
    • Single point of failure; server downtime affects all clients
    • Higher setup and maintenance costs due to dedicated server hardware
    • Potential bottlenecks if server is overloaded with client requests

Peer-to-Peer

  • Benefits:
    • Decentralized, reducing reliance on a single server and improving fault tolerance
    • Cost-effective; no dedicated server infrastructure required
    • Scales naturally as more peers join, contributing resources
  • Drawbacks:
    • Security risks; peers may share malicious or unverified content
    • Inconsistent performance due to varying peer availability and bandwidth
    • Complex to manage, as there's no central control for coordination

A2.2.3_3 Applications: web browsing, email, banking, file sharing, VoIP, blockchain

Web Browsing

  • Client-Server: Dominant model; browsers (clients) request web pages from servers (e.g., Nginx, Apache)
  • P2P: Rarely used, except in experimental decentralized web platforms (e.g., IPFS)

Email

  • Client-Server: Email clients (e.g., Outlook) connect to mail servers (e.g., SMTP, IMAP servers) for sending/receiving emails
  • P2P: Uncommon, but possible in decentralized email systems (e.g., peer-to-peer messaging protocols)

Banking

  • Client-Server: Used for secure, centralized transactions; clients (e.g., banking apps) access bank servers for account management
  • P2P: Emerging in decentralized finance (DeFi) using blockchain for peer-to-peer transactions

File Sharing

  • Client-Server: Centralized platforms like Dropbox store and serve files from servers
  • P2P: Widely used in systems like BitTorrent for distributed file sharing among peers

VoIP

  • Client-Server: Centralized servers (e.g., Skype, Zoom) manage call connections and routing
  • P2P: Used in some VoIP systems (e.g., early Skype) for direct peer communication, reducing server load

Blockchain

  • Client-Server: Less common, used in centralized crypto exchanges
  • P2P: Core to blockchain; peers maintain a distributed ledger (e.g., Bitcoin, Ethereum) for decentralized transactions

Summary: Client-Server vs Peer-to-Peer

  • Structure
    • Client-Server: Centralized, server manages resources
    • Peer-to-Peer: Decentralized, peers share resources
  • Benefits
    • Client-Server: Easy management, scalable, reliable
    • Peer-to-Peer: Fault-tolerant, cost-effective, scalable
  • Drawbacks
    • Client-Server: Single point of failure, costly
    • Peer-to-Peer: Security risks, inconsistent performance
  • Applications
    • Client-Server: Web browsing, email, banking
    • Peer-to-Peer: File sharing, VoIP, blockchain

A2.2.4 Explain network segmentation (AO2)

A2.2.4_1 Improve performance, security, reduce congestion

Improve Performance

  • Divides a network into smaller segments, reducing the number of devices competing for bandwidth
  • Minimizes broadcast traffic, as segments operate independently, improving data transfer speeds
  • Example: Splitting a corporate network into departments (e.g., HR, IT) reduces network load

Enhance Security

  • Isolates network segments, limiting access to sensitive data and containing potential breaches
  • Allows specific security policies per segment (e.g., stricter rules for finance department)
  • Example: A guest Wi-Fi segment prevents unauthorized access to internal company resources

Reduce Congestion

  • Decreases network traffic by localizing communication within segments, preventing bottlenecks
  • Broadcasts (e.g., ARP requests) are confined to smaller segments, reducing overall network load
  • Example: Segmenting a university network into student and faculty subnets reduces congestion during peak usage

A2.2.4_2 Segmenting, subnetting, VLANs

Segmenting

  • Broad concept of dividing a network into smaller, manageable parts to optimize performance and security
  • Achieved through physical (e.g., separate switches) or logical (e.g., VLANs, subnets) methods
  • Example: A hospital network segments patient records from administrative systems for security

Subnetting

  • Divides a single IP network into smaller subnetworks using subnet masks to allocate IP address ranges
  • Reduces broadcast domains and enhances routing efficiency within a network
  • Example: Splitting a 192.168.1.0/24 network into 192.168.1.0/26 and 192.168.1.64/26 for different departments

Virtual Local Area Networks (VLANs)

  • Logically groups devices on the same physical network into separate virtual networks, regardless of physical location
  • Uses tagging (e.g., IEEE 802.1Q) to isolate traffic, improving security and reducing congestion
  • Example: A VLAN for VoIP phones ensures voice traffic is prioritized and isolated from data traffic
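The subnetting example (192.168.1.0/24 split into /26 blocks) and the VLAN tagging just described, worked through in code. This is an added example, not part of the notes; the department names, host addresses and the sample Ethernet frame are constructed, and the tag layout follows IEEE 802.1Q.

```python
"""Subnetting 192.168.1.0/24 into /26 blocks, and 802.1Q VLAN tagging of frames.

Added example, not part of the notes. Department names, host addresses and the
sample frame are constructed; the tag layout follows IEEE 802.1Q.
"""
import ipaddress
import struct


def split_network(cidr: str, new_prefix: int):
    """All subnets of `cidr` with the longer prefix length `new_prefix`."""
    return list(ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix))


def subnet_facts(subnet) -> dict:
    """Network, broadcast, mask and usable host range for one subnet."""
    hosts = list(subnet.hosts())
    return {
        "network": str(subnet.network_address),
        "broadcast": str(subnet.broadcast_address),
        "mask": str(subnet.netmask),
        "usable_hosts": len(hosts),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
    }


def same_broadcast_domain(host_a: str, host_b: str, prefix: int) -> bool:
    """Two hosts hear each other's broadcasts (e.g., ARP) only if they sit in the
    same subnet under the prefix length in use."""
    return (ipaddress.ip_interface(f"{host_a}/{prefix}").network
            == ipaddress.ip_interface(f"{host_b}/{prefix}").network)


def plan_departments() -> dict:
    """Give HR the first /26 and IT the second, as in the subnetting example above."""
    subnets = split_network("192.168.1.0/24", 26)
    plan = {"HR": subnet_facts(subnets[0]), "IT": subnet_facts(subnets[1])}
    # On the flat /24 an ARP broadcast from .10 reached .70; after subnetting it
    # stays inside HR's /26, and traffic between the two hosts must cross a router.
    plan["shared_broadcasts_before"] = same_broadcast_domain("192.168.1.10", "192.168.1.70", 24)
    plan["shared_broadcasts_after"] = same_broadcast_domain("192.168.1.10", "192.168.1.70", 26)
    return plan


def add_vlan_tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert an 802.1Q tag after the two MAC addresses: TPID 0x8100, then a
    16-bit TCI holding 3-bit priority, 1-bit DEI (0) and 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", 0x8100, tci) + frame[12:]


def read_vlan_tag(frame: bytes):
    """(priority, vlan_id) for a tagged frame, or None for an untagged one."""
    if struct.unpack("!H", frame[12:14])[0] != 0x8100:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci >> 13, tci & 0x0FFF


# Constructed untagged frame: two 6-byte MACs, EtherType 0x0800, a short payload
UNTAGGED_FRAME = bytes.fromhex("aabbcc000001aabbcc000002") + b"\x08\x00" + b"payload"
VOIP_FRAME = add_vlan_tag(UNTAGGED_FRAME, vlan_id=100, priority=5)  # voice VLAN, high priority
```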

A2.3.1 Describe IP addressing types (AO2)

A2.3.1_1 IPv4 vs IPv6

IPv4 (Internet Protocol version 4)

  • Description: Uses 32-bit addresses, written as four decimal numbers (e.g., 192.168.1.1), providing ~4.3 billion unique addresses
  • Characteristics: Widely used, simpler implementation, but limited address space due to internet growth
  • Use Case: Traditional networks, home routers, and legacy systems

IPv6 (Internet Protocol version 6)

  • Description: Uses 128-bit addresses, written as eight hexadecimal groups (e.g., 2001:0db8::1), providing vastly more addresses (~340 undecillion)
  • Characteristics: Supports auto-configuration, improved security (e.g., IPsec), and eliminates NAT necessity
  • Use Case: Modern networks, IoT devices, and future-proofing large-scale internet infrastructure

A2.3.1_2 Public vs private, static vs dynamic

Public IP Addresses

  • Description: Globally unique addresses assigned by ISPs, routable on the public internet
  • Characteristics: Used for devices directly accessible online (e.g., web servers)
  • Example: 172.16.254.1 (if assigned by an ISP for internet access; note that 172.16.0.0–172.31.255.255 is actually an RFC 1918 private range, so an ISP would not assign this address on the public internet)

Private IP Addresses

  • Description: Reserved for internal networks, not routable on the public internet (e.g., 192.168.x.x, 10.x.x.x)
  • Characteristics: Used within LANs to conserve public IP addresses, requiring NAT for internet access
  • Example: 192.168.1.10 for a home device like a laptop

Static IP Addresses

  • Description: Fixed IP addresses manually assigned to a device, remaining constant over time
  • Characteristics: Ensures consistent addressing for critical devices like servers or printers
  • Use Case: Web servers or network printers requiring predictable access

Dynamic IP Addresses

  • Description: Temporarily assigned by a DHCP server, changing periodically or on reconnection
  • Characteristics: Simplifies IP management in dynamic environments, reduces manual configuration
  • Use Case: Home or office devices like smartphones or laptops

A2.3.1_3 NAT role in IP address use, private-public communication

Network Address Translation (NAT)

  • Function: Maps private IP addresses to a public IP address for internet communication, allowing multiple devices to share a single public IP
  • Mechanism: Router translates private IP (e.g., 192.168.1.10) to public IP (e.g., 203.0.113.1) when sending data, and reverses for incoming data

Benefits

  • Conserves public IPv4 addresses by enabling many devices to use one public IP
  • Enhances security by hiding private IP addresses from external networks

Use Case

  • Home routers use NAT to connect multiple devices (e.g., phones, PCs) to the internet via one ISP-provided public IP
  • Example: A private network (192.168.1.x) accesses a website; NAT translates internal IPs to a single public IP for external communication
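The NAT mechanism above as a translation table: outbound packets from RFC 1918 addresses get the router's public IP and a fresh public port, replies are mapped back, and inbound traffic with no mapping is dropped, which is the "hiding" effect. This is an added example, not from the notes; the public address 203.0.113.1, the remote server and the inside hosts are constructed sample values from documentation ranges, and the private check uses the three RFC 1918 blocks, which also shows that 172.16.254.1 (listed above as a public example) falls inside 172.16.0.0/12.

```python
"""Port-address translation (the NAT in home routers) as a translation table.

Added example, not from the notes. The public address 203.0.113.1, the remote
server 198.51.100.7 and the inside hosts are constructed sample values taken
from documentation ranges; the private check uses the three RFC 1918 blocks.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for addresses reserved for private networks, which are never routed
    on the public internet and therefore need NAT to reach it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class NatRouter:
    """Keeps one mapping per (private IP, private port) and rewrites packets."""

    def __init__(self, public_ip: str, first_public_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_public_port
        self.outbound_map = {}   # (private_ip, private_port) -> public_port
        self.inbound_map = {}    # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the LAN: replace the private source with the public one."""
        if not is_rfc1918(src_ip):
            return (src_ip, src_port, dst_ip, dst_port)   # nothing to translate
        key = (src_ip, src_port)
        if key not in self.outbound_map:                  # first packet of a flow
            self.outbound_map[key] = self.next_port
            self.inbound_map[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reply from the internet: restore the private destination, or return
        None (drop) when no inside host opened the mapping. That drop is why
        NAT 'hides' private hosts from unsolicited outside traffic."""
        if dst_ip != self.public_ip:
            return None
        mapping = self.inbound_map.get(dst_port)
        if mapping is None:
            return None
        private_ip, private_port = mapping
        return (src_ip, src_port, private_ip, private_port)


def demo() -> dict:
    nat = NatRouter("203.0.113.1")
    # Two inside hosts happen to use the same source port; PAT keeps them apart
    # by giving each flow its own public port.
    out_a = nat.outbound("192.168.1.10", 51000, "198.51.100.7", 443)
    out_b = nat.outbound("192.168.1.11", 51000, "198.51.100.7", 443)
    return {
        "out_a": out_a,
        "out_b": out_b,
        "reply_a": nat.inbound("198.51.100.7", 443, "203.0.113.1", out_a[1]),
        "reply_b": nat.inbound("198.51.100.7", 443, "203.0.113.1", out_b[1]),
        # Nobody inside asked for this, so it has no mapping and is dropped.
        "unsolicited": nat.inbound("198.51.100.9", 12345, "203.0.113.1", 40555),
        "classified": {a: ("private" if is_rfc1918(a) else "public")
                       for a in ("192.168.1.10", "10.4.2.1", "172.16.254.1", "203.0.113.1")},
    }
```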

A2.3.2 Compare data transmission media (AO3)

A2.3.2_1 Wired: fibre optic, twisted pair; wireless

Fibre Optic

  • Description: Transmits data as light pulses through glass or plastic fibres
  • Characteristics: High bandwidth (up to 100 Gbps), long-distance transmission, immune to electromagnetic interference
  • Use Case: Backbone internet connections, data centers, long-distance telecom networks

Twisted Pair

  • Description: Uses pairs of copper wires twisted together to transmit electrical signals (e.g., Cat5e, Cat6)
  • Characteristics: Categories determine speed (e.g., Cat6 up to 10 Gbps for short distances), susceptible to interference
  • Use Case: Ethernet LANs in homes, offices, and enterprise networks

Wireless

  • Description: Transmits data via radio waves (e.g., Wi-Fi, Bluetooth, 5G)
  • Characteristics: Flexible, no physical cabling, but limited by range and interference (e.g., Wi-Fi 6 up to 9.6 Gbps)
  • Use Case: Mobile devices, IoT, and environments where cabling is impractical

A2.3.2_2 Advantages, disadvantages

Fibre Optic

  • Advantages:
    • High bandwidth and speed, ideal for large data transfers
    • Long range (up to 100 km without signal degradation)
    • Immune to electromagnetic interference, enhancing reliability
  • Disadvantages:
    • Expensive to install and maintain due to specialized equipment
    • Fragile cables, difficult to repair or splice

Twisted Pair

  • Advantages:
    • Cost-effective and widely available (e.g., Ethernet cables)
    • Easy to install and terminate in standard LAN setups
  • Disadvantages:
    • Limited range (e.g., 100 meters for Cat6) before signal degradation
    • Susceptible to electromagnetic interference, reducing reliability in noisy environments

Wireless

  • Advantages:
    • Flexible, supports mobility and easy deployment without cabling
    • Scalable for devices like smartphones, laptops, and IoT
  • Disadvantages:
    • Lower reliability due to interference (e.g., walls, other signals)
    • Limited range and variable speeds based on distance and obstacles

A2.3.2_3 Factors: bandwidth, installation, cost, range, interference, attenuation, reliability, security

Factor comparison: Fibre Optic vs Twisted Pair vs Wireless

  • Bandwidth
    • Fibre Optic: High (up to 100 Gbps)
    • Twisted Pair: Moderate (up to 10 Gbps for Cat6)
    • Wireless: Moderate to high (up to 9.6 Gbps for Wi-Fi 6)
  • Installation
    • Fibre Optic: Complex, requires specialized skills
    • Twisted Pair: Simple, standard connectors (e.g., RJ45)
    • Wireless: Easy, no cabling needed
  • Cost
    • Fibre Optic: High (cables, equipment, labor)
    • Twisted Pair: Low to moderate (affordable cables)
    • Wireless: Moderate (routers, access points)
  • Range
    • Fibre Optic: Long (up to 100 km)
    • Twisted Pair: Short (up to 100 m)
    • Wireless: Short to moderate (50–100 m for Wi-Fi)
  • Interference
    • Fibre Optic: None (immune to EMI)
    • Twisted Pair: Susceptible to EMI
    • Wireless: Susceptible to physical and signal interference
  • Attenuation
    • Fibre Optic: Low (minimal signal loss over distance)
    • Twisted Pair: Moderate (signal degrades over 100 m)
    • Wireless: High (signal weakens with distance, obstacles)
  • Reliability
    • Fibre Optic: High (stable, no EMI issues)
    • Twisted Pair: Moderate (affected by EMI, cable quality)
    • Wireless: Lower (affected by interference, environment)
  • Security
    • Fibre Optic: High (difficult to tap physically)
    • Twisted Pair: Moderate (vulnerable to physical tapping)
    • Wireless: Lower (susceptible to eavesdropping, hacking)

A2.3.3 Explain packet switching (AO2)

A2.3.3_1 Segment data into packets, attach routing header, transmit independently

Segment Data into Packets

  • Data is divided into small, manageable chunks called packets, each containing a portion of the original message
  • Packets typically include a payload (data) and headers with metadata (e.g., source/destination addresses)
  • Example: A 1 MB file is split into thousands of packets, each ~1500 bytes, for efficient transmission

Attach Routing Header

  • Each packet is assigned a header with routing information, such as source and destination IP addresses, sequence numbers, and protocol details
  • Headers enable network devices to determine where to send packets and how to reassemble them
  • Example: TCP/IP headers specify the destination server for a webpage request

Transmit Independently

  • Packets travel independently across the network, potentially taking different paths based on network conditions
  • Allows efficient use of network resources, as packets can avoid congested or failed routes
  • Example: Packets from a video stream may travel through different routers to reach the user, reassembled at the destination
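The three steps above (segment, attach header, transmit independently) plus the reassembly that happens at the destination, in code. This is an added example, not part of the notes; the message, addresses, per-packet payload size and the three router paths with their latencies are constructed.

```python
"""Segmenting a message into packets, sending them over different paths, and
reassembling them in order at the destination.

Added example, not part of the notes. The message, addresses, payload size per
packet and the three router paths with their latencies are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    seq: int        # position of this chunk in the original message
    total: int      # how many packets make up the message
    payload: bytes


def segment(message: bytes, src: str, dst: str, max_payload: int):
    """Cut the message into chunks no larger than max_payload and label each
    chunk with a routing header (addresses) and a sequence number."""
    chunks = [message[i:i + max_payload] for i in range(0, len(message), max_payload)]
    return [Packet(src, dst, seq, len(chunks), chunk) for seq, chunk in enumerate(chunks)]


def transmit(packets, paths):
    """Each packet is forwarded independently (round-robin over the available
    paths here) and arrives when its path's latency has elapsed, so packets
    can arrive in a different order from the one they were sent in."""
    arrivals = []
    for p in packets:
        path_name, latency_ms = paths[p.seq % len(paths)]
        arrival_time = latency_ms + 0.001 * p.seq      # tiny tie-breaker on equal latency
        arrivals.append((arrival_time, path_name, p))
    arrivals.sort(key=lambda t: t[0])
    return [(path_name, p) for _, path_name, p in arrivals]


def reassemble(received):
    """Use sequence numbers to restore order; report gaps, which a reliable
    transport (TCP) would fill by asking for retransmission."""
    if not received:
        return None, []
    total = received[0].total
    by_seq = {p.seq: p.payload for p in received}
    missing = [seq for seq in range(total) if seq not in by_seq]
    if missing:
        return None, missing
    return b"".join(by_seq[seq] for seq in range(total)), []


MESSAGE = b"The quick brown fox jumps over the lazy dog. " * 3     # 135 bytes, constructed
PATHS = [("via-router-A", 20), ("via-router-B", 35), ("via-router-C", 12)]  # name, latency in ms


def demo(drop_seq=None) -> dict:
    """Send MESSAGE in 40-byte packets; optionally lose one packet on the way."""
    packets = segment(MESSAGE, "192.168.1.10", "203.0.113.5", max_payload=40)
    delivered = transmit(packets, PATHS)
    received = [p for _, p in delivered if p.seq != drop_seq]
    data, missing = reassemble(received)
    return {
        "packets": len(packets),
        "arrival_order": [p.seq for _, p in delivered],
        "paths_used": sorted({path for path, _ in delivered}),
        "data": data,
        "missing": missing,
    }
```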

A2.3.3_2 Role of switches, routers

Switches

  • Function: Operate at the network interface layer (e.g., Ethernet), forwarding frames within a local network based on MAC addresses
  • Role in Packet Switching: Direct each packet to the correct device within a LAN by reading the destination MAC address in the frame header that carries it
  • Example: A switch in an office LAN sends a packet from a computer to a printer on the same network

Routers

  • Function: Operate at the internet layer, forwarding packets between different networks using IP addresses
  • Role in Packet Switching: Analyze packet headers to determine the best path to the destination, using routing tables and protocols (e.g., BGP, OSPF)
  • Example: A router directs packets from a home network to a remote web server via the internet

Combined Role

  • Switches handle intra-network packet movement, while routers manage inter-network routing, ensuring packets reach their final destination
  • Together, they enable efficient, dynamic packet switching, adapting to network conditions like congestion or failures

A2.3.4 Explain static vs dynamic routing (HL) (AO2)

A2.3.4_1 Static routing process, pros, cons

Static Routing Process

  • Routes are manually configured by a network administrator and stored in a router's routing table
  • Specifies fixed paths for data packets to travel between networks
  • Unchanged until manually updated
  • Example: A router configured to send all traffic for 192.168.2.0/24 to a specific next-hop router

Pros

  • Predictable and consistent; routes remain fixed, ensuring stable traffic patterns
  • Low resource usage; no need for processing routing updates or protocols
  • Secure; manual configuration reduces risk of unauthorized route changes

Cons

  • Not scalable; manual updates are time-consuming for large or changing networks
  • Inflexible; cannot adapt to network failures or congestion without manual intervention
  • Prone to human error during configuration, potentially causing routing issues

A2.3.4_2 Dynamic routing process, pros, cons

Dynamic Routing Process

  • Routers automatically discover and update routes using routing protocols (e.g., OSPF, BGP, RIP)
  • Routers exchange information about network topology and adjust routes based on changes
  • Example: OSPF recalculates paths if a router fails, rerouting traffic dynamically

Pros

  • Scalable; automatically adapts to network growth or topology changes
  • Fault-tolerant; quickly reroutes traffic around failures or congestion
  • Reduces manual configuration, saving time in large networks

Cons

  • Higher resource usage; requires CPU and memory for protocol processing and updates
  • Complex; configuration and troubleshooting require expertise
  • Potential security risks; misconfigured protocols or attacks (e.g., route poisoning) can disrupt routing
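As an added example (not from the original notes), the shortest-path recalculation that a link-state protocol such as OSPF performs: Dijkstra's algorithm over a constructed four-router topology, run again after one router fails so the next hops change automatically:

```python
import heapq

# Constructed link-state database: every router knows the whole topology
# (router -> {neighbour: link cost}), as OSPF routers do after flooding LSAs.
TOPOLOGY = {
    "A": {"B": 1, "C": 5},
    "B": {"A": 1, "C": 1, "D": 4},
    "C": {"A": 5, "B": 1, "D": 1},
    "D": {"B": 4, "C": 1},
}


def shortest_path_tree(topology, source):
    """Dijkstra's algorithm (OSPF's SPF calculation).

    Returns {router: (total cost, next hop from source)}.
    """
    dist = {source: 0}
    next_hop = {source: None}
    queue = [(0, source, "")]          # (cost, router, first hop from source)
    while queue:
        cost, node, first_hop = heapq.heappop(queue)
        if cost > dist.get(node, float("inf")):
            continue                   # stale entry, a cheaper path was found
        for neighbour, link_cost in topology.get(node, {}).items():
            new_cost = cost + link_cost
            if new_cost < dist.get(neighbour, float("inf")):
                dist[neighbour] = new_cost
                hop = neighbour if node == source else first_hop
                next_hop[neighbour] = hop
                heapq.heappush(queue, (new_cost, neighbour, hop))
    return {node: (dist[node], next_hop[node]) for node in dist}


def without_router(topology, failed):
    """Topology after `failed` goes down and its links are withdrawn."""
    return {r: {n: c for n, c in links.items() if n != failed}
            for r, links in topology.items() if r != failed}


def routes_from(topology, source):
    """Routing table of `source`: destination -> next hop."""
    tree = shortest_path_tree(topology, source)
    return {dst: hop for dst, (cost, hop) in tree.items() if dst != source}


if __name__ == "__main__":
    print("before failure:", routes_from(TOPOLOGY, "A"))                       # all via B
    print("after B fails: ", routes_from(without_router(TOPOLOGY, "B"), "A"))  # all via C
```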

A2.3.4_3 Factors: configuration, maintenance, complexity, resource usage, convergence, scalability

Factor           Static Routing                              Dynamic Routing
Configuration    Manual, time-intensive                      Automated via protocols, less manual effort
Maintenance      High; requires manual updates for changes   Low; self-adjusting to network changes
Complexity       Simple; fixed routes, easy to understand    Complex; requires protocol knowledge
Resource Usage   Low; no protocol overhead                   High; CPU/memory for protocol processing
Convergence      None; no adaptation to changes              Fast; adapts to failures or topology changes
Scalability      Poor; impractical for large networks        High; suitable for large, dynamic networks

A2.4.1 Discuss firewalls effectiveness (AO3)

A2.4.1_1 Inspect, filter traffic via whitelists, blacklists, rules

Inspection and Filtering

  • Firewalls monitor incoming and outgoing network traffic based on predefined security rules
  • Rules specify which traffic to allow or block, examining packet attributes like source/destination IP, port, or protocol
  • Example: A firewall may block all traffic from a specific IP address or allow only HTTP traffic on port 80

Whitelists

  • Allow only explicitly permitted traffic (e.g., specific IPs, ports, or protocols), blocking all else
  • Example: Whitelisting trusted employee IPs for remote server access

Blacklists

  • Block specific traffic (e.g., known malicious IPs or ports) while allowing others
  • Example: Blacklisting IPs associated with DDoS attacks

Rules

  • Configured to enforce security policies, such as allowing HTTPS traffic or blocking unauthorized access attempts
  • Can operate at different layers (e.g., packet filtering at network layer, application-layer filtering for specific apps)
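As an added example (not part of the original notes), a small packet-filter rule engine in Python that applies the whitelist and blacklist styles above to constructed packets; the addresses, rule fields and default policies are assumptions for the example:

```python
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"         # source prefix; 0.0.0.0/0 means any source
    proto: Optional[str] = None    # None means any protocol
    dport: Optional[int] = None    # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def decide(rules: List[Rule], default: str, pkt: Packet) -> str:
    """First matching rule wins, so rule order matters; `default` is the
    policy applied when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Whitelist (default deny): only HTTP on port 80 from the trusted employee
# range gets through. Addresses are constructed for the example.
WHITELIST = [Rule("allow", src="203.0.113.0/24", proto="tcp", dport=80)]

# Blacklist (default allow): one known-bad address is blocked, all else passes.
BLACKLIST = [Rule("deny", src="198.51.100.7/32")]


def filter_traffic(rules, default, packets):
    """Return the verdict for each packet under the given policy."""
    return [decide(rules, default, pkt) for pkt in packets]


if __name__ == "__main__":
    sample = [Packet("203.0.113.5", "tcp", 80),   # employee, HTTP
              Packet("203.0.113.5", "tcp", 22),   # employee, SSH
              Packet("198.51.100.7", "tcp", 80)]  # known-bad host, HTTP
    print("whitelist:", filter_traffic(WHITELIST, "deny", sample))   # allow, deny, deny
    print("blacklist:", filter_traffic(BLACKLIST, "allow", sample))  # allow, allow, deny
```

The same three packets get different verdicts under the two policies, which is the practical difference between default-deny and default-allow filtering.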

A2.4.1_2 Strengths, limitations

Strengths

  • Security: Prevents unauthorized access, protecting networks from external threats (e.g., hackers, malware)
  • Control: Enforces organizational policies by restricting access to specific resources or services
  • Monitoring: Logs traffic for analysis, helping detect suspicious activity or intrusion attempts
  • Flexibility: Supports custom rules for various scenarios (e.g., blocking social media during work hours)

Limitations

  • Incomplete Protection: Cannot block internal threats (e.g., insider attacks) or encrypted traffic without deep packet inspection
  • Configuration Errors: Misconfigured rules can block legitimate traffic or allow malicious traffic
  • Performance Impact: Intensive filtering (e.g., application-layer firewalls) may slow network performance
  • Evasion: Advanced attacks (e.g., VPN tunneling, zero-day exploits) may bypass basic firewalls

A2.4.1_3 NAT role in security

Network Address Translation (NAT)

  • Function: Maps private IP addresses to a public IP for internet communication, hiding internal network structure
  • Security Role:
    • Enhances security by concealing private IP addresses, making it harder for attackers to target specific devices
    • Acts as a basic firewall by restricting direct inbound connections to private IPs unless explicitly allowed
  • Example: A home router uses NAT to allow multiple devices to share one public IP, preventing direct external access to internal devices

Limitations

  • Not a full firewall; relies on port forwarding or DMZ settings, which can expose devices if misconfigured
  • Less effective against sophisticated attacks targeting open ports or exploiting NAT traversal techniques

A2.4.2 Describe network vulnerabilities (HL) (AO2)

A2.4.2_1 DDoS, insecure protocols, malware, MitM, phishing, SQL injection, XSS, unpatched software, weak authentication, zero-day exploits

Distributed Denial of Service (DDoS)

  • Description: Overwhelms a network or server with excessive traffic from multiple sources, disrupting service availability
  • Impact: Causes downtime, affecting websites, online services, or business operations
  • Example: A botnet flooding a web server with requests, preventing legitimate users from accessing it

Insecure Protocols

  • Description: Use of outdated or unencrypted protocols (e.g., HTTP, Telnet) that transmit data in plain text
  • Impact: Allows attackers to intercept sensitive data like passwords or credit card details
  • Example: Using HTTP instead of HTTPS for a login page, exposing user credentials

Malware

  • Description: Malicious software (e.g., viruses, ransomware, spyware) that infects devices to steal data, disrupt operations, or gain unauthorized access
  • Impact: Compromises data integrity, privacy, or system functionality
  • Example: Ransomware encrypting files and demanding payment for decryption

Man-in-the-Middle (MitM)

  • Description: Attacker intercepts communication between two parties, potentially altering or stealing data
  • Impact: Breaches confidentiality and integrity of data, such as login credentials or financial transactions
  • Example: Intercepting unencrypted Wi-Fi traffic to capture sensitive information

Phishing

  • Description: Social engineering attacks using fraudulent emails, texts, or websites to trick users into revealing sensitive information
  • Impact: Leads to unauthorized access, financial loss, or identity theft
  • Example: Fake bank email prompting users to enter login details on a malicious site

SQL Injection

  • Description: Attackers inject malicious SQL queries into input fields to manipulate a database
  • Impact: Allows unauthorized data access, modification, or deletion
  • Example: Entering ' OR '1'='1 in a login form to bypass authentication

Cross-Site Scripting (XSS)

  • Description: Injects malicious scripts into web pages viewed by users, executed in their browsers
  • Impact: Steals user data (e.g., cookies, session tokens) or defaces websites
  • Example: Embedding a script in a comment field to steal user session data

Unpatched Software

  • Description: Software with known vulnerabilities not updated with security patches
  • Impact: Exploited by attackers to gain access or execute malicious code
  • Example: Exploiting an unpatched Windows vulnerability to install malware

Weak Authentication

  • Description: Inadequate authentication methods (e.g., weak passwords, no multi-factor authentication) allowing unauthorized access
  • Impact: Increases risk of account compromise or data breaches
  • Example: Using "password123" for admin access, easily guessed by attackers

Zero-Day Exploits

  • Description: Attacks targeting undisclosed vulnerabilities before patches are available
  • Impact: Difficult to defend against, as no fixes exist at the time of attack
  • Example: Exploiting a new flaw in a browser to install spyware before a patch is released

A2.4.3 Describe network countermeasures (HL) (AO2)

A2.4.3_1 Countermeasures: content security, passwords, DDoS mitigation, email filtering, encrypted protocols, input validation, IDS, IPS, MFA, SSL/TLS, updates, VPNs

Content Security

  • Description: Policies and tools (e.g., Content Security Policy for web) to restrict unauthorized scripts or content execution
  • Purpose: Prevents attacks like XSS by limiting executable content sources
  • Example: Web browsers blocking untrusted scripts on a website

Passwords

  • Description: Strong, unique passwords to secure accounts and systems
  • Purpose: Reduces risk of unauthorized access via brute force or guessing
  • Example: Enforcing complex passwords (e.g., 12+ characters with mixed types) on network devices

DDoS Mitigation

  • Description: Techniques like rate limiting, traffic filtering, or cloud-based scrubbing to absorb or block excessive traffic
  • Purpose: Maintains service availability during DDoS attacks
  • Example: Cloudflare filtering malicious traffic to protect a web server

Email Filtering

  • Description: Scans emails for phishing, malware, or spam using content analysis and blacklists
  • Purpose: Prevents phishing attacks and malware delivery via email
  • Example: Gmail flagging suspicious attachments or links

Encrypted Protocols

  • Description: Use of secure protocols (e.g., HTTPS, SSH) to encrypt data in transit
  • Purpose: Protects against interception and MitM attacks
  • Example: HTTPS securing online banking transactions

Input Validation

  • Description: Checks and sanitizes user inputs to prevent malicious data entry
  • Purpose: Mitigates SQL injection and XSS by rejecting invalid inputs
  • Example: Validating form inputs to ensure only expected data types are accepted
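As an added example covering both the SQL injection entry above (the ' OR '1'='1 login bypass) and input validation, not code from the original notes: a vulnerable login query beside its parameterised form, plus an allow-list username check, against a constructed in-memory SQLite table:

```python
import re
import sqlite3


def setup_db():
    """Constructed sample table. Passwords are kept in clear text only to keep
    the example short; a real system stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def vulnerable_login(conn, username, password):
    """The flaw: user input is pasted straight into the SQL text, so a quote
    in the input ends the string literal and the rest becomes SQL syntax."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterised query: the driver passes the values separately from the
    SQL text, so quotes in the input are data, never syntax."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def valid_username(username):
    """Allow-list validation: reject anything outside the expected shape before
    it reaches the database (defence in depth alongside parameterisation)."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR '1'='1"          # the payload from the notes, in the password field
    print("vulnerable:", vulnerable_login(conn, "alice", payload))  # True: bypassed
    print("safe:      ", safe_login(conn, "alice", payload))        # False: rejected
    print("validated: ", valid_username(payload))                   # False
```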

Intrusion Detection System (IDS)

  • Description: Monitors network traffic for suspicious activity and alerts administrators
  • Purpose: Detects potential threats like unauthorized access or malware
  • Example: Snort analyzing traffic for signs of intrusion

Intrusion Prevention System (IPS)

  • Description: Actively blocks detected threats in addition to monitoring, unlike IDS
  • Purpose: Prevents attacks by stopping malicious traffic in real-time
  • Example: Cisco IPS blocking packets from a known malicious IP

Multi-Factor Authentication (MFA)

  • Description: Requires multiple verification methods (e.g., password, SMS code, biometrics) for access
  • Purpose: Enhances security by making unauthorized access harder
  • Example: Google Authenticator requiring a code alongside a password

SSL/TLS

  • Description: Encrypts communication between clients and servers to ensure data privacy and integrity
  • Purpose: Protects sensitive data during transmission and prevents MitM attacks
  • Example: TLS securing HTTPS connections for e-commerce websites

Software Updates

  • Description: Regular patching of software and systems to fix known vulnerabilities
  • Purpose: Prevents exploitation of unpatched software and closes zero-day vulnerabilities once a fix is released
  • Example: Applying Windows security patches to mitigate exploits

VPNs

  • Description: Creates encrypted tunnels for secure remote access over public networks
  • Purpose: Protects data privacy and enables secure access to private networks
  • Example: NordVPN securing remote employee access to a corporate network

A2.4.3_2 Security testing, employee training

Security Testing

  • Description: Regular assessments like penetration testing or vulnerability scanning to identify weaknesses
  • Purpose: Proactively finds and fixes vulnerabilities before exploitation
  • Example: Using tools like Nessus to scan for network vulnerabilities or simulating phishing attacks to test defenses

Employee Training

  • Description: Educating staff on security best practices, such as recognizing phishing or using strong passwords
  • Purpose: Reduces human error, a common entry point for attacks like phishing or social engineering
  • Example: Training employees to avoid clicking suspicious email links or to enable MFA on accounts

A2.4.3_3 Wireless security: MAC, whitelists, blacklists

MAC Address Filtering

  • Description: Restricts network access to devices with approved MAC addresses
  • Purpose: Limits unauthorized devices from connecting to wireless networks
  • Example: A router allowing only known device MACs to join a Wi-Fi network

Whitelists

  • Description: Permits only pre-approved devices or traffic to access the wireless network
  • Purpose: Enhances security by explicitly allowing trusted devices or connections
  • Example: Whitelisting specific IP addresses for access to a Wi-Fi access point

Blacklists

  • Description: Blocks specific devices or traffic identified as malicious or unauthorized
  • Purpose: Prevents known threats from accessing the wireless network
  • Example: Blacklisting a device's MAC address after detecting suspicious activity

A2.4.4 Describe encryption, digital certificates (AO2)

A2.4.4_1 Symmetric vs asymmetric cryptography

Symmetric Cryptography

  • Description: Uses a single shared key for both encryption and decryption of data
  • Characteristics: Fast, efficient for large data volumes, but requires secure key exchange
  • Example: AES (Advanced Encryption Standard) used for encrypting files or disk drives
  • Use Case: Secure data storage, VPNs, or disk encryption where key sharing is controlled

Asymmetric Cryptography

  • Description: Uses a pair of keys: a public key for encryption and a private key for decryption
  • Characteristics: Slower, more secure for key exchange, as public keys can be freely shared
  • Example: RSA used in HTTPS for secure web communication
  • Use Case: Secure communication over untrusted networks, digital signatures, or key exchange

A2.4.4_2 Digital certificates for secure connections

Description

  • Digital certificates are electronic documents issued by a Certificate Authority (CA) to verify a party's identity
  • Contain a public key, identity information (e.g., domain name), and a CA's digital signature

Function

  • Establish trust in secure connections (e.g., HTTPS websites) by verifying the server's identity
  • Enable encrypted communication using the certificate's public key

Use Case

  • Securing web browsing, email communication, or VPN connections
  • Example: A browser verifies a website's SSL/TLS certificate issued by a CA like Let's Encrypt to ensure secure HTTPS connections

A2.4.4_3 Public, private keys in asymmetric cryptography

Public Key

  • Freely shared, used to encrypt data or verify digital signatures
  • Example: A user encrypts an email with the recipient's public key, ensuring only the recipient can decrypt it

Private Key

  • Kept secret, used to decrypt data or create digital signatures
  • Example: A server uses its private key to decrypt data encrypted with its public key

Role

  • Public and private keys work together to ensure secure communication and authentication
  • Example: In HTTPS, a server's public key encrypts data, and its private key decrypts it, ensuring confidentiality
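As an added example for A2.4.4_1 to A2.4.4_3 (not from the original notes), textbook RSA with tiny primes showing which key does what: encrypt with the public key and decrypt with the private key, sign with the private key and verify with the public key, and a toy certificate in which a CA signs a subject's name and public key. The primes, names and certificate layout are assumptions for the example; real RSA uses 2048-bit keys and padding schemes, so this is for illustration only.

```python
import hashlib


def make_keypair(p, q, e=17):
    """Public key (e, n) may be shared freely; private key (d, n) stays secret.
    p and q are tiny primes chosen for the example, never for real use."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                    # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, m):                # anyone can do this
    e, n = public_key
    return pow(m, e, n)


def decrypt(private_key, c):               # only the private-key holder can
    d, n = private_key
    return pow(c, d, n)


def _digest(data, n):
    """SHA-256 of the data, reduced modulo n so it fits the toy key size."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):               # signing is a private-key operation
    d, n = private_key
    return pow(_digest(data, n), d, n)


def verify(public_key, data, signature):   # verification uses the public key
    e, n = public_key
    return pow(signature, e, n) == _digest(data, n)


def issue_certificate(ca_private, subject, subject_public):
    """A CA binds an identity to a public key by signing both together."""
    to_be_signed = f"{subject}|{subject_public}".encode()
    return {"subject": subject, "public_key": subject_public,
            "signature": sign(ca_private, to_be_signed)}


def verify_certificate(cert, ca_public, expected_subject):
    """What a browser does: check the CA signature and the name it vouches for.
    Any change to the subject or the key makes the signature fail."""
    to_be_signed = f"{cert['subject']}|{cert['public_key']}".encode()
    return (cert["subject"] == expected_subject
            and verify(ca_public, to_be_signed, cert["signature"]))
```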

A2.4.4_4 Encryption key management

Description

  • Involves securely generating, storing, distributing, rotating, and revoking encryption keys

Key Practices

  • Generation: Use strong random number generators to create secure keys
  • Storage: Store keys in secure hardware (e.g., HSMs) or encrypted key vaults
  • Distribution: Share keys securely (e.g., via asymmetric encryption for symmetric keys)
  • Rotation: Regularly update keys to limit exposure from breaches
  • Revocation: Invalidate compromised or expired keys, using certificate revocation lists (CRLs) for certificates

Example

  • AWS Key Management Service (KMS) automates key creation, rotation, and secure storage for cloud applications

Purpose

  • Ensures keys remain secure, preventing unauthorized access to encrypted data