Ethernet packets, Ethernet frames and IP packets in the Virtual World

On layer 2 we transmit Ethernet frames. Confusingly, these are sometimes referred to as Ethernet packets, but the two are not quite the same thing. The IEEE 802.3 layout is shown below.

The Ethernet packet is the frame plus the 7-byte preamble and 1-byte start frame delimiter (SFD) that precede it on the wire. The frame itself runs from the destination MAC address to the frame check sequence (FCS); the FCS is the frame's own trailer, and there is nothing after it except the inter-packet gap.

When an Ethernet packet arrives at the NIC, the NIC strips the preamble and SFD, checks the FCS, copies the frame into a receive buffer in the computer's memory (by DMA) and raises an interrupt so that the driver reads it. A series of steps then occurs in the kernel of the operating system, one per layer of the TCP/IP stack.

(figure: operation_process_by_each_layer_of_tcp_ip_for_data_received.png, the receive path through each layer of the TCP/IP stack)

This particular graphic is confusing because it does not distinguish between the Ethernet packet, the Ethernet frame and the IP packet.
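To make the distinction concrete, here is an added example (not code from the original page) that builds the three things as bytes and undoes each step on the receive side the way the NIC and the kernel would: a constructed IPv4 packet is wrapped in an Ethernet frame, the frame in an Ethernet packet, and on receipt the preamble is stripped, the FCS checked, the Ethernet padding removed and the IP packet handed up. The MAC and IP addresses are made up; the FCS is the IEEE CRC-32, computed here with zlib.crc32, which uses the same polynomial.

```python
"""Added example: Ethernet packet vs Ethernet frame vs IP packet, as bytes.
Constructed data only; not code from the original page."""
import struct
import zlib

PREAMBLE = b"\x55" * 7      # 7 bytes of 10101010, used for clock sync
SFD = b"\xD5"               # start frame delimiter 10101011
ETHERTYPE_IPV4 = 0x0800
MIN_PAYLOAD = 46            # pad so header + payload + FCS is at least 64 bytes


def _ip_checksum(header):
    """Ones-complement sum of 16-bit words; 0 for a header whose checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_packet(src_ip, dst_ip, data, proto=17):
    """Minimal IPv4 header (20 bytes, no options) followed by data.  Addresses are constructed."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0x1234, 0x4000,
                      64, proto, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]
    return hdr + data


def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Frame = dst MAC | src MAC | EtherType | payload (padded to 46) | FCS.  No preamble."""
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")
    body = dst_mac + src_mac + struct.pack("!H", ethertype) + payload
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)   # IEEE CRC-32, little-endian on the wire
    return body + fcs


def ethernet_packet(frame):
    """Packet = preamble | SFD | frame.  This is what the PHY puts on the wire."""
    return PREAMBLE + SFD + frame


def nic_receive(packet):
    """What the NIC does: drop preamble and SFD and hand only the frame to the driver's buffer."""
    if not packet.startswith(PREAMBLE + SFD):
        raise ValueError("no preamble/SFD: not an Ethernet packet")
    return packet[len(PREAMBLE) + len(SFD):]


def kernel_receive(frame):
    """What the kernel does: verify the FCS, split the header, pass the payload up by EtherType."""
    if len(frame) < 64:
        raise ValueError("runt frame")
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        raise ValueError("bad FCS: frame dropped")
    dst, src = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    payload = body[14:]
    if ethertype == ETHERTYPE_IPV4:
        if _ip_checksum(payload[:20]) != 0:
            raise ValueError("bad IPv4 header checksum")
        total_len = struct.unpack("!H", payload[2:4])[0]
        payload = payload[:total_len]   # Ethernet padding is not part of the IP packet
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype, "payload": payload}


if __name__ == "__main__":
    ip = ipv4_packet("192.168.0.166", "192.168.0.1", b"hello")
    frame = ethernet_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                           ETHERTYPE_IPV4, ip)
    pkt = ethernet_packet(frame)
    print(len(ip), len(frame), len(pkt))          # IP packet, frame, packet sizes
    print(kernel_receive(nic_receive(pkt)))
```

The padding case is the one that catches people out: a 25-byte IP packet travels in a 64-byte frame, and only the IPv4 Total Length field tells the receiver where the packet ends and the padding begins. A frame whose FCS does not match is dropped by the NIC or driver before any of this runs.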

If the physical NIC is bound to a Hyper-V external virtual switch, the host's NIC driver receives the frame into its buffer (the sk_buff on Linux, the NET_BUFFER_LIST under Windows NDIS) and hands it to the virtual switch rather than to the host's own IP stack. The switch forwards it, over VMBus, to the synthetic network adapter of the virtual machine whose MAC address it carries, and the guest's driver and stack unencapsulate the frame and pass the IP packet up. If the host has no virtual adapter of its own connected to that switch (the "allow management operating system to share this network adapter" option is off), the host's TCP/IP stack cannot be reached through that NIC at all, so in theory it cannot be attacked by this vector. The caveat is that the host still runs the NIC driver and the virtual switch, which parse every frame, so a vulnerability in either of those remains host exposure; what is removed is the much larger attack surface of the host's own listening services.

Remote Desktop Connection (RDP)

The Remote Desktop Protocol (RDP) is the protocol the Remote Desktop client uses to connect to a Windows machine remotely. Although it is a Microsoft protocol, clients are available for Linux, macOS, iPad and others.

RDP access on a computer is enabled through the properties of "My Computer" or "This PC" (System, then Remote settings), and users can be specifically allowed or denied access there. The same dialog has the option "Allow connections only from computers running Remote Desktop with Network Level Authentication"; leave it ticked, because NLA makes the client authenticate before the server creates a session.

To access a computer on the network from outside, a port must be forwarded from the firewall to the server computer. For example, if the server on the network has the private address 192.168.0.166 and the public IP address of the firewall is 203.63.95.100, a rule is placed in the firewall to forward the port. RDP listens on port 3389 by default, but this can be altered, and the firewall can forward a different outside port: for example 2299 on the internet side could be forwarded to 3389 on the LAN side. In this example you would type 203.63.95.100:2299 into Remote Desktop Connection to reach the server. Note that a non-standard port hides nothing from an internet scanner, which tries every port; it only avoids the noisiest automated attempts.

Although using RDP for external access is convenient, easy and cheap, it should be regarded as unsafe and should not be done. A large proportion of successful ransomware attacks are thought to enter through RDP, whether via misconfiguration (NLA switched off, weak or reused passwords), vulnerabilities in the RDP service itself, or brute-force password attacks.
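The misconfiguration can be checked from outside without logging in. As an added example (not the page's code), the Python below sends the X.224 Connection Request that every RDP client sends first and reads the server's answer. Asking for standard RDP security only (requestedProtocols = 0) shows whether the server will create a session without Network Level Authentication: a server that enforces NLA refuses with HYBRID_REQUIRED_BY_SERVER, while one that answers with a negotiation response selecting protocol 0 will let an attacker hammer the logon screen. Message layouts follow MS-RDPBCGR; the three example responses are constructed, and probe() against 203.63.95.100:2299 (the forwarded port from the text) is only illustrative and should only ever be run against a system you own.

```python
"""Added example: what an exposed RDP port will negotiate.  Constructed responses; not the page's code."""
import socket
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2   # standard RDP security, TLS, CredSSP (NLA)
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT | X.224 Connection Request | RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1)."""
    neg_req = struct.pack("<BBHI", 0x01, 0, 8, requested_protocols)      # type, flags, length, protocols
    x224_crq = bytes([6 + len(neg_req), 0xE0, 0, 0, 0, 0, 0])            # LI, CR|CDT, dst-ref, src-ref, class
    tpkt = struct.pack("!BBH", 3, 0, 4 + len(x224_crq) + len(neg_req))   # version 3, reserved, total length
    return tpkt + x224_crq + neg_req


def parse_connection_confirm(data):
    """TPKT | X.224 Connection Confirm | optional RDP_NEG_RSP or RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 response")
    length = struct.unpack("!H", data[2:4])[0]
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if length == 11:
        return {"type": "legacy"}        # no rdpNegData: pre-Vista server, standard RDP security only
    if len(data) < 19:
        raise ValueError("truncated rdpNegData")
    kind, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if kind == TYPE_RDP_NEG_RSP:
        return {"type": "negotiation", "selected_protocol": value}
    if kind == TYPE_RDP_NEG_FAILURE:
        return {"type": "failure", "failure_code": value, "reason": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError("unexpected rdpNegData type 0x%02x" % kind)


def assess(confirm):
    """Verdict on the server's reply to a request for PROTOCOL_RDP only."""
    if confirm["type"] == "legacy" or (confirm["type"] == "negotiation"
                                       and confirm["selected_protocol"] == PROTOCOL_RDP):
        return "WEAK: standard RDP security accepted, no NLA; brute force runs against the logon screen"
    if confirm["type"] == "failure" and confirm["failure_code"] == 5:
        return "OK: NLA (CredSSP) required before a session is created"
    if confirm["type"] == "failure" and confirm["failure_code"] == 1:
        return "PARTIAL: TLS required, but NLA is not enforced"
    return "UNDETERMINED: %r" % (confirm,)


def probe(host, port=3389, timeout=5.0):
    """Live check, e.g. probe('203.63.95.100', 2299) for the forwarded port in the text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        return assess(parse_connection_confirm(s.recv(64)))


if __name__ == "__main__":
    # Constructed server replies, for running this file without a server.
    nla_required = bytes.fromhex("030000130ed000001234000300080005000000")
    no_nla = bytes.fromhex("030000130ed000001234000200080000000000")
    for reply in (nla_required, no_nla):
        print(assess(parse_connection_confirm(reply)))
```

Even an "OK" verdict does not make an internet-facing RDP port acceptable: NLA stops pre-authentication attacks on the session itself, but password guessing still proceeds through CredSSP, and vulnerabilities in the service remain reachable. The check is for confirming that an internal server behind the VPN is configured correctly.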

Remote access from outside the network should always go through the additional protection of a VPN, ideally with multi-factor authentication on the VPN login, so that RDP is reachable only from inside it.

The Attack Surface

The attack surface is the set of ways in which your network can be attacked. For our small business network this includes:

  • From the internet – a direct attack on the internet address of the router, or on any port it forwards
  • Via email – a malicious attachment or link
  • Via WiFi – a weak wireless passphrase, or a guest network that is not separated from the practice network
  • Via USB – infection, inadvertent or malicious, through a USB port. This might happen, for example, when you leave the consulting room and leave a patient with access to your computer
  • Via a network port – unsecured ports connected to your network (a spare wall socket in a waiting room, an unused switch port) can be used to attack it
  • Via a backdoor – remote support may have left TeamViewer or similar running on your network; it is convenient for them but is also a ready-made entry point for an intruder

The DR plan

Disaster recovery (DR) is a concept distinct from backup. Backup is obviously part of the DR plan, but it is not the only component.

Disasters can have many causes and can affect many services. The first step is to identify all of the key services. These will include, for example:

  • Domain controllers (usernames, passwords, computer names, DNS, DHCP and so on)
  • Medical software servers
  • Imaging servers
  • Shared resources
  • Scanned documents
  • Router and switch configurations
  • Dictation audio files
  • Business emails
  • Business financial records

Some of the potential disasters:

  • Hard Drive Failure
  • File corruption
  • Ransomware attack
  • Individual computer failure, e.g. power supply, motherboard, network card
  • Multiple computer failure, e.g. fire, water damage (sprinklers), theft

Then some thought is required about the RTO and RPO targets.

The recovery point objective (RPO) is the maximum age of the data you restore, i.e. how much work you are prepared to lose. If backups run every 10 days, then up to 10 days of work can be lost, so the RPO is 10 days.

The recovery time objective (RTO) is the time from the disaster to the system being back in service. If it takes 4 days to get a new server installed, configured and restored, then the RTO is at least 4 days; the time taken to notice and diagnose the problem needs to be added to it.

Shortening the RTO gets expensive very quickly (spare hardware, standby servers, support contracts). Shortening the RPO costs less in dollars but more in system performance: backups can be taken every 5 minutes, but that will slow the system appreciably and needs storage for many more restore points.
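The two objectives are easy to state and easy to get wrong when the disaster is ransomware rather than a dead disk. Here is an added worked example (not part of the original page) that computes the achievable RPO and RTO for a constructed schedule: nightly backups at 02:00 with seven days of retention. For a disk failure the RPO is simply the time since last night's backup. For ransomware that began encrypting quietly eight days before anyone noticed, every retained backup already contains encrypted files, so there is no clean restore point at all. The dates and step durations are invented for the illustration.

```python
"""Added example: achievable RPO and RTO for a backup schedule, including the ransomware case
where the newest backups are not clean.  Dates and durations are constructed for illustration."""
from datetime import datetime, timedelta


def retained_backups(first_backup, interval, retention, now):
    """Timestamps of backups still on disk at `now`, for a fixed interval and retention window."""
    backups, t = [], first_backup
    while t <= now:
        if now - t <= retention:
            backups.append(t)
        t += interval
    return backups


def last_clean_backup(backups, disaster_start):
    """Newest backup taken before the disaster began.  For a disk failure that is simply the
    latest backup; for ransomware it is the latest backup from before encryption started,
    because every backup taken after that point already contains encrypted files."""
    clean = [b for b in backups if b < disaster_start]
    return max(clean) if clean else None


def achievable_rpo(backups, disaster_start):
    """Work lost: from the last clean backup to the start of the disaster.
    None means no clean backup survives, i.e. the RPO is unbounded."""
    b = last_clean_backup(backups, disaster_start)
    return None if b is None else disaster_start - b


def achievable_rto(steps):
    """Elapsed time from discovery to service restored.  Diagnosis is a step, as the text says."""
    return sum(steps.values(), timedelta())


def check_objectives(backups, disaster_start, steps, rpo_target, rto_target):
    rpo, rto = achievable_rpo(backups, disaster_start), achievable_rto(steps)
    return {"rpo": rpo, "rto": rto,
            "rpo_ok": rpo is not None and rpo <= rpo_target,
            "rto_ok": rto <= rto_target}


def scenario():
    """Constructed: nightly backup at 02:00, 7 days retained, evaluated on 2024-03-20 09:00."""
    now = datetime(2024, 3, 20, 9, 0)
    backups = retained_backups(datetime(2024, 3, 1, 2, 0), timedelta(days=1), timedelta(days=7), now)
    steps = {"diagnose": timedelta(hours=4),
             "obtain replacement server": timedelta(days=2),
             "install, configure, restore": timedelta(days=1)}
    targets = dict(rpo_target=timedelta(days=1), rto_target=timedelta(days=2))
    # Server disk died at 08:30 this morning: last night's backup is clean.
    disk_failure = check_objectives(backups, datetime(2024, 3, 20, 8, 30), steps, **targets)
    # Ransomware started encrypting quietly on 12 March and was only noticed on the 20th:
    # all seven retained backups post-date the infection, so there is no clean restore point.
    ransomware = check_objectives(backups, datetime(2024, 3, 12, 23, 0), steps, **targets)
    return {
        "retained": len(backups),
        "disk_failure_rpo_hours": disk_failure["rpo"].total_seconds() / 3600,
        "disk_failure_rto_hours": disk_failure["rto"].total_seconds() / 3600,
        "disk_failure_rto_ok": disk_failure["rto_ok"],
        "ransomware_rpo": ransomware["rpo"],
        "ransomware_rpo_ok": ransomware["rpo_ok"],
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print("%-24s %s" % (key, value))
```

Two practical consequences fall out of the numbers. Retention has to be longer than the time an intruder might sit unnoticed, which for ransomware is often weeks, so a single rolling week of backups does not meet a one-day RPO for that case however often the backups run. And a backup copy that the infected machine can write to (a permanently mapped backup drive or share) will be encrypted along with everything else, so at least one copy must be offline or otherwise unreachable from the network.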

Block or File level Backup and Open Files

A backup system can be block level, which copies the blocks of the disk or volume regardless of which files they belong to, or file level, which copies individual files.

Block level is ideal for the virtual hard disks of virtual machines, which are just large files on the host. It can also be used on physical machines, but a restore, particularly to different hardware, is much trickier than with a file level backup.

File level backup checks which files have changed and backs up copies of those files, with or without versioning.

One problem with file-level backup is open files: files currently in use by the operating system or an application, which may stop the backup process from reading them. Database files are a very common example. Many backup products have an "open file" option. This tells the operating system to take a snapshot of the volume, and the file is then copied from the snapshot; once the backup is complete the snapshot is discarded. On Windows this uses the Volume Shadow Copy Service (VSS). Unless the database engine supplies a VSS writer that flushes its buffers when the snapshot is taken, the copy is only crash-consistent, i.e. in the same state the file would be in if the power had been cut at that moment.

A second issue with database files is change detection. The main medical accounting and clinical system is usually a single database file such as a Firebird .fdb file. To decide which files have changed since the last backup, the backup software may compare the file size and the timestamps on the file.

Because the file is held open, the dates may not have changed, and the size may change only rarely despite a large number of writes. A database file works in fixed-size pages, and the file only grows when a new page is allocated, which can happen far less often than expected even under a heavy write load. Close inspection of the backup logs may reveal that the main database is only being backed up infrequently. One solution is to maintain a local, closed copy of the database file whose dates are refreshed before the backup runs: copy the file, flush the dates, run the backup. The date flush can be done with copy /b myfile.txt ,, which rewrites the file's timestamp without changing its contents. Better still, use the database's own backup utility (gbak for Firebird), which produces a consistent logical backup regardless of open handles, and back up its output.