Protocols — Set 3

Correct Answer: A. NTP

• **NTP (Network Time Protocol)** = An application-layer networking protocol designed to synchronise the clocks of computers over packet-switched, variable-latency networks to within a few milliseconds of Coordinated Universal Time (UTC), using a hierarchical system of reference clocks called strata. NTP operates on UDP Port 123. • **Key fact** — NTP organises time servers into strata: Stratum 0 devices are atomic clocks and GPS receivers; Stratum 1 servers are directly connected to Stratum 0 sources; Stratum 2 servers sync from Stratum 1, and so on — with client devices typically at Stratum 3 or 4. • Accurate time synchronisation via NTP is critical for SSL/TLS certificate validation (expired certificates cause connection failures), Kerberos authentication (which rejects tickets with a clock skew over 5 minutes), distributed log correlation, and financial transaction timestamping. • 💡 Option B (FTP) is wrong because FTP is a file transfer protocol used to move files between systems, not to synchronise clocks; Option C (HTTP) is wrong because HTTP is the protocol for delivering web pages and has no time synchronisation function; Option D (SNMP) is wrong because SNMP manages and monitors network device status, not clock synchronisation.

Correct Answer: A. Syslog

• **Syslog** = A standard protocol (RFC 5424) for sending event log messages from network devices, operating systems, and applications to a central log collection server (Syslog server), enabling administrators to store, search, and alert on log data from dozens of devices in one place. Syslog traditionally uses UDP Port 514, and the secure version (Syslog over TLS) uses TCP Port 6514. • **Key fact** — Each Syslog message carries a Priority value encoding two fields: Facility (the source, e.g., kernel=0, mail=2, security=4, local0-7=16-23) and Severity (0=Emergency down to 7=Debug); this combination allows filtering and alerting only on critical events while archiving all levels for forensics. • Syslog is the foundation of Security Information and Event Management (SIEM) systems — tools like Splunk, Graylog, and ELK Stack ingest Syslog streams to detect intrusions, compliance violations, and hardware failures in real time. • 💡 Option B (SMTP) is wrong because SMTP is used for sending email messages between mail transfer agents, not for transmitting device log data; Option C (POP3) is wrong because POP3 is an email retrieval protocol for downloading messages from a server to a client; Option D (IMAP) is wrong because IMAP is an email access protocol that keeps messages synchronised on the server.

Correct Answer: B. LDAP

• **LDAP (Lightweight Directory Access Protocol)** = An open, vendor-neutral application-layer protocol for accessing and maintaining distributed directory information services over an IP network, allowing applications to query a centralised database of users, groups, computers, and permissions in a hierarchical tree structure called the Directory Information Tree (DIT). LDAP operates on TCP/UDP Port 389, and LDAPS (secure) uses Port 636. • **Key fact** — LDAP entries are organised in a Distinguished Name (DN) hierarchy (e.g., cn=John,ou=Staff,dc=company,dc=com), and each entry has object classes that define its allowed attributes — this structure makes LDAP extremely efficient for read-heavy workloads like login authentication where millions of lookups occur daily. • LDAP is the backbone of Microsoft Active Directory (the dominant enterprise identity system), OpenLDAP (Linux), and Apple Open Directory; any application that says 'supports Active Directory single sign-on' is using LDAP under the hood. • 💡 Option A (DHCP) is wrong because DHCP dynamically assigns IP addresses to network devices, not directory or user information; Option C (DNS) is wrong because DNS maps domain names to IP addresses and does not store user credentials or organisational data; Option D (FTP) is wrong because FTP transfers files between a client and server and has no directory service capability.

Correct Answer: A. IPsec

• **IPsec (Internet Protocol Security)** = A suite of protocols that operates at the Network Layer (Layer 3) to authenticate and encrypt every IP packet in a communication session, providing end-to-end security for IP traffic regardless of which application generates it. It uses two main protocols: AH (Authentication Header, Protocol 51) for integrity and authentication, and ESP (Encapsulating Security Payload, Protocol 50) for both encryption and authentication. • **Key fact** — IPsec operates in two modes: Transport Mode (encrypts only the payload, leaving the original IP header intact, used between two hosts) and Tunnel Mode (encrypts the entire original IP packet and wraps it in a new IP header, used for VPN gateways between networks). • IPsec is the most common technology underlying site-to-site VPNs (connecting two office networks) and remote-access VPNs; it uses IKE (Internet Key Exchange, UDP Port 500) to negotiate security associations and exchange cryptographic keys before data flows. • 💡 Option B (HTTPS) is wrong because HTTPS operates at the Application Layer securing only HTTP traffic, not all IP-layer traffic; Option C (SSH) is wrong because SSH secures remote terminal sessions and file transfers at the application layer, not the network layer; Option D (SSL) is wrong because SSL/TLS operates above the transport layer to secure specific application connections, while IPsec secures at the IP level for all applications.

Correct Answer: B. HTTP

• **HTTP (HyperText Transfer Protocol)** = The standard application-layer protocol used for transferring web pages between a web server and a browser, operating on TCP Port 80 with all request and response data sent entirely in plain text — meaning any intermediary router or attacker on the network path can read the full content of every page and form submission. • **Key fact** — HTTP's lack of encryption enables 'man-in-the-middle' (MITM) attacks where an attacker positioned between the user and server intercepts and can even modify the content of web pages in transit, a technique used in WiFi eavesdropping and session hijacking attacks. • Since 2018, Google Chrome marks all HTTP sites with a 'Not Secure' warning; from 2021, Chrome also downgrades mixed-content pages; HTTP/2 and HTTP/3 only work with HTTPS, effectively making encryption mandatory for modern web performance. • 💡 Option A (HTTPS) is wrong because HTTPS is the secure version that adds TLS encryption, making it the opposite of an insecure protocol; Option C (FTP) is wrong because FTP is used for direct file transfers between a client and server, not web page delivery; Option D (SMTP) is wrong because SMTP is used for sending email messages between mail servers, not web browsing.

Correct Answer: B. RIP

• **RIP (Routing Information Protocol)** = One of the oldest distance-vector Interior Gateway Protocols (IGPs), which determines the best path between networks by counting hops (each router traversed = 1 hop), with a hard maximum of 15 hops — any destination requiring 16 or more hops is considered unreachable, preventing routing loops in small networks. RIPv1 uses UDP Port 520. • **Key fact** — RIP routers broadcast their entire routing table to all neighbours every 30 seconds regardless of whether anything changed, wasting bandwidth on stable networks; OSPF, by contrast, only sends updates when the topology actually changes, making it far more efficient on large networks. • RIPv2 (RFC 2453) added support for CIDR (classless routing) and authentication; RIPng extended RIP for IPv6 networks; despite being largely replaced, RIP remains useful on very small networks due to its simplicity and ease of configuration. • 💡 Option A (OSPF) is wrong because OSPF is a link-state protocol that uses Dijkstra's algorithm and link cost as its metric, not hop count; Option C (BGP) is wrong because BGP is an Exterior Gateway Protocol for routing between autonomous systems on the internet; Option D (IS-IS) is wrong because IS-IS is a link-state IGP (like OSPF) that uses cost as its metric and is preferred by large ISPs.

Correct Answer: B. CGI

• **CGI (Common Gateway Interface)** = A standard specification (not a transport protocol) that defines how a web server passes an HTTP request to an external program (written in Perl, Python, C, etc.) and receives its output to return to the browser as a dynamically generated web page. The web server runs a new process for each CGI request, with request data passed via environment variables and stdin. • **Key fact** — CGI was the first widely used mechanism for dynamic web content (1993-era), enabling early web forms, search engines, and guestbooks; its key limitation is performance — spawning a new OS process per request is slow compared to modern alternatives like FastCGI, WSGI (Python), or Node.js which reuse persistent processes. • CGI laid the architectural groundwork for all modern web application frameworks: the concept of routing HTTP requests to handler code that queries a database and returns HTML is still the core pattern in Django, Rails, Laravel, and Express.js. • 💡 Option A (SQL) is wrong because SQL is a database query language used to interact with relational databases, not a web server-to-application interface; Option C (HTTP) is wrong because HTTP is the transport protocol that carries the request and response, not the interface for server-to-program communication; Option D (TCP) is wrong because TCP is the transport-layer protocol providing reliable connections, not a web application interface standard.

Correct Answer: A. RTP

• **RTP (Real-time Transport Protocol)** = An application-layer protocol that delivers audio and video streams over IP networks in real time, providing payload type identification, sequence numbering, timestamping, and source identification — all critical for reassembling media in the correct order and timing at the receiver. RTP typically runs over UDP (not TCP) to prioritise low latency over guaranteed delivery. • **Key fact** — RTP always works alongside RTCP (Real-time Transport Control Protocol): while RTP carries the media payload, RTCP carries periodic control packets reporting statistics like packet loss percentage, jitter (delay variation), and round-trip time, allowing the sender to dynamically adjust bitrate and codec parameters. • RTP is used by virtually all real-time communication systems: Zoom, Google Meet, WhatsApp calls, Skype, VoIP phone systems (SIP), and live TV broadcasting over IP (IPTV) all use RTP to deliver their media streams. • 💡 Option B (FTP) is wrong because FTP uses TCP for reliable file transfers and introduces too much latency for real-time media due to retransmission delays; Option C (SMTP) is wrong because SMTP is the email sending protocol for text-based messages between mail servers; Option D (SNMP) is wrong because SNMP is used to monitor and manage network infrastructure devices, not to stream media.

Correct Answer: A. PPP

• **PPP (Point-to-Point Protocol)** = A Data Link Layer protocol that encapsulates network-layer packets (IP, IPX, AppleTalk) for transmission over direct serial links between exactly two nodes — such as a modem dialling into an ISP, a leased line between two offices, or a DSL connection — providing a complete link-layer solution with link establishment, configuration negotiation, and termination. PPP is defined in RFC 1661. • **Key fact** — PPP includes Link Control Protocol (LCP) for link negotiation and a family of Network Control Protocols (NCPs) — one per network protocol — such as IPCP for IP configuration; this makes PPP the first protocol capable of carrying multiple different network protocols over the same serial link simultaneously. • PPP supports optional authentication via PAP (Password Authentication Protocol, sends passwords in clear text) or CHAP (Challenge Handshake Authentication Protocol, uses a hash challenge, far more secure); PPPoE (PPP over Ethernet) extends PPP for use over ADSL broadband connections. • 💡 Option B (IP) is wrong because IP is a Network Layer protocol that handles addressing and routing; it needs a Data Link Layer protocol like PPP to carry it over a serial link; Option C (TCP) is wrong because TCP is a Transport Layer protocol for reliable delivery, not for establishing physical point-to-point links; Option D (DNS) is wrong because DNS translates domain names to IP addresses and has no role in establishing or maintaining network links.

Correct Answer: A. WINS

• **WINS (Windows Internet Name Service)** = A Microsoft-proprietary name resolution service that maintains a database mapping NetBIOS computer names (e.g., 'ACCOUNTS-PC') to their current IP addresses, allowing Windows computers to find each other by their friendly 'Computer Name' on a network. WINS uses UDP/TCP Port 137 for name registration and resolution. • **Key fact** — Unlike DNS (which is static until manually updated), WINS is dynamic — when a Windows PC boots, it automatically registers its NetBIOS name and current IP address with the WINS server, so the database always reflects the current IP even for DHCP clients whose addresses change. • WINS was introduced in Windows NT 3.5 and has been in 'deprecated' status since Windows Server 2008; Microsoft recommends migrating to DNS with dynamic updates (DDNS), but WINS remains in some organisations that still run Windows XP-era legacy software requiring NetBIOS. • 💡 Option B (DNS) is wrong because DNS resolves fully qualified domain names (like server.company.com) to IPs using a hierarchical distributed system, not flat Windows NetBIOS computer names via a centralised Microsoft server; Option C (DHCP) is wrong because DHCP assigns IP addresses dynamically and does not resolve computer names; Option D (ARP) is wrong because ARP maps IP addresses to MAC addresses within a local subnet and has no knowledge of computer names.