Chapter 5: Understanding the Basics of Network Communication (New Employee Fundamentals)
5.1 What Is an IP Address?
The Role of IP Addresses
An IP address (Internet Protocol Address) is a number used to identify devices on a network. It functions like a postal address, used to specify the destination and source of data transmissions.
IPv4 Address Format
- Expressed as four numbers ranging from 0 to 255, separated by dots
- Approximately 4.3 billion addresses exist in total
Private IP Addresses and Global IP Addresses
| Type | Range (Representative Examples) | Usage |
|---|---|---|
| Private IP | 10.0.0.0 – 10.255.255.255 | Internal organizational network (large-scale) |
| Private IP | 172.16.0.0 – 172.31.255.255 | Internal organizational network (medium-scale) |
| Private IP | 192.168.0.0 – 192.168.255.255 | Internal organizational network (small-scale) |
| Global IP | All other ranges | Uniquely identified on the Internet |
IP Addresses in Hospital Networks
Devices within a hospital are assigned private IP addresses. Smart Assist PCs also have private IPs within the hospital network. When communicating with the Internet, the address is translated to a global IP via NAT (explained in Section 5.8).
5.2 What Is a Subnet?
The Concept of Subnets
A subnet is a logically divided, smaller network segment within a larger network. In hospital networks, subnets are separated by purpose to ensure security.
Subnet Mask
A subnet mask indicates which part of an IP address is the "network portion" and which part is the "host portion."
CIDR Notation
| Subnet Mask | CIDR | Number of Hosts | Usage Example |
|---|---|---|---|
| 255.255.255.0 | /24 | 254 devices | Common segment |
| 255.255.255.128 | /25 | 126 devices | Medium-scale segment |
| 255.255.255.240 | /28 | 14 devices | Small-scale segment (for servers) |
| 255.255.0.0 | /16 | 65,534 devices | Large-scale network |
Typical Subnet Configuration in a Hospital
Communication between different subnets must pass through a router (or L3 switch).
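To make the network/host split concrete, here is a small added example (written for this chapter, not part of the original material) that does the subnet-mask arithmetic by hand and then decides whether two hosts can talk over an L2 switch or must cross a router. The Smart Assist PC address 192.168.10.50 is the one used later in this chapter; 192.168.10.1 (DNS) and 192.168.20.10 (LIS server) are constructed for the illustration.

```python
def ip_to_int(ip):
    """Pack a dotted-quad string into a 32-bit integer, validating each octet."""
    parts = [int(x) for x in ip.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {ip}")
    a, b, c, d = parts
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_to_prefix(mask):
    """255.255.255.0 -> 24; rejects masks whose 1-bits are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix

def describe(ip, prefix):
    """Network address, broadcast address and usable host count for ip/prefix."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    net = ip_to_int(ip) & mask                # network portion: bits where the mask is 1
    bcast = net | (~mask & 0xFFFFFFFF)        # host portion set to all ones
    hosts = max((1 << (32 - prefix)) - 2, 0)  # minus the network and broadcast addresses
    return {"network": int_to_ip(net), "broadcast": int_to_ip(bcast), "hosts": hosts}

def same_subnet(ip_a, ip_b, prefix):
    """True if both hosts share the network portion (an L2 switch is enough);
    False means the traffic has to cross a router or L3 switch."""
    return describe(ip_a, prefix)["network"] == describe(ip_b, prefix)["network"]

if __name__ == "__main__":
    p = mask_to_prefix("255.255.255.0")
    print(describe("192.168.10.50", p))
    # 192.168.10.1 (DNS) and 192.168.20.10 (LIS server) are constructed addresses
    print("PC -> DNS same subnet:", same_subnet("192.168.10.50", "192.168.10.1", p))
    print("PC -> LIS same subnet:", same_subnet("192.168.10.50", "192.168.20.10", p))
```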
5.3 Routers and Switches
Cisco (a leading network equipment manufacturer)
Switch (L2 Switch)
A switch is a device that connects devices within the same subnet.
| Feature | Description |
|---|---|
| Operating Layer | Layer 2 (Data Link Layer) |
| Identification Method | MAC Address |
| Role | Frame forwarding within the same segment |
| Example | Connecting AUTION EYE and other analyzers within the medical device segment |
Cisco Catalyst Switch installation example (rack-mounted L2 switch)
Router (L3 Switch)
A router is a device that relays communication between different subnets.
| Feature | Description |
|---|---|
| Operating Layer | Layer 3 (Network Layer) |
| Identification Method | IP Address |
| Role | Packet forwarding between different subnets, routing control |
| Example | Communication between the medical device segment and the LIS server segment |
Cisco 2800 Series Router (example of a business-grade router)
Routers on the Smart Assist Communication Path
5.4 How DNS Works
What Is DNS?
DNS (Domain Name System) is a mechanism that translates human-readable domain names (e.g., smartassist.example.com) into IP addresses (e.g., 52.194.10.20).
The DNS Name Resolution Process
DNS in Hospital Environments
Many hospitals use the following DNS configurations.
| Configuration Pattern | Description |
|---|---|
| Internal DNS Server | Resolves internal hostnames. External names are resolved via forwarder |
| Forwarder Configuration | Internal DNS forwards external queries to the ISP's DNS |
| Proxy DNS | The proxy server may also handle DNS resolution |
Key Points for Smart Assist
If the Smart Assist destination is specified by FQDN (domain name), communication will fail unless DNS name resolution is functioning properly. DNS failures are one of the most common causes of Smart Assist connectivity issues.
As noted above, DNS is among the most common causes of Smart Assist communication failures. Of those DNS troubles, 80% come down to "which DNS server is being queried".
You only need to check two things:
- Use ipconfig /all to verify the DNS server IP configured on the Smart Assist PC
- Verify whether that DNS server can resolve external FQDNs (domain names on the Internet)
If the internal DNS cannot resolve external names, it is likely that forwarder settings are missing or that UDP port 53 traffic to the forwarder destination is being blocked by the FW. Start by running nslookup smartassist.example.com 8.8.8.8 to query an external DNS directly. If it resolves, you can isolate the problem to the internal DNS side.
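The isolation step above, as an added example (not part of the original chapter): a minimal A-record lookup over 53/udp that asks one specific server, the way nslookup with an explicit server does, plus an isolate() helper that puts the internal DNS answer next to a direct query to 8.8.8.8. A reply that never arrives (timeout) is reported separately from a server that answers but has no record, because those point at different causes. The internal DNS address 192.168.10.1 used in the usage note is an assumption.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """12-byte header (RD=1, one question) + QNAME + QTYPE=A + QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Step past a name, which may end in a 2-byte compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_a_records(msg):
    """Return (rcode, [IPv4 strings]) from a raw response; rcode 0 = NOERROR, 3 = NXDOMAIN."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):                      # skip the echoed question section
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # TYPE A, 4-byte address
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs

def resolve_a(name, server, timeout=3.0):
    """Ask one specific server on 53/udp; socket.timeout means no reply came back at all."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data)

def isolate(name, internal_dns, external_dns="8.8.8.8"):
    """The chapter's isolation step: the internal DNS answer next to a direct external query."""
    out = {}
    for label, server in (("internal", internal_dns), ("external", external_dns)):
        try:
            rcode, addrs = resolve_a(name, server)
            out[label] = addrs or f"no A record (rcode {rcode})"
        except OSError:                      # socket.timeout is an OSError
            out[label] = "no reply: 53/udp blocked or server unreachable"
    return out
```

Run isolate("smartassist.example.com", "192.168.10.1") on the Smart Assist PC: "external" resolving while "internal" does not points at the forwarder setting, and "no reply" on both sides points at 53/udp being blocked on the way out.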
5.5 The Meaning of Port Numbers
What Is a Port Number?
A port number is a number used to identify multiple services running on the same device. If an IP address is the "building address," then the port number is the "room number."
Major Port Numbers
| Port Number | Protocol | Usage |
|---|---|---|
| 80 | HTTP | Unencrypted web communication |
| 443 | HTTPS | Encrypted web communication (used by Smart Assist) |
| 53 | DNS | Name resolution |
| 22 | SSH | Secure remote connection |
| 3389 | RDP | Remote Desktop |
Ports Used by Smart Assist
Smart Assist communication uses HTTPS (443/tcp). The firewall must allow 443/tcp traffic from the Smart Assist PC to external destinations.
Submitting a FW permit request that says "Please allow HTTPS 443/tcp" while forgetting DNS 53/udp is a truly classic mistake. Chapter 12's case study (Section 12.1) covers exactly this scenario.
If you use FQDN-based allow rules, the FW itself performs DNS resolution, so this may not be an issue. However, with direct DNS, 53/udp must be allowed from the Smart Assist PC to the DNS server and then to external DNS for name resolution to work.
Add "DNS 53/udp" to your FW permit request checklist. This alone can prevent half of the DNS troubles during deployment.
Example permit rule:
Source: 192.168.10.50 (Smart Assist PC)
Destination: smartassist.example.com
Dest Port: 443/tcp
Action: Allow
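An added example (not from the original chapter) that turns the checklist point above into a check you can run before sending the request: it evaluates a permit request against the flows Smart Assist needs and lists any that would still be blocked. The rule matching (first match wins, default deny) models the common firewall behaviour; the DNS server address 192.168.10.1 and the /24 segment in the corrected request are assumptions.

```python
import ipaddress

# Flows Smart Assist needs, per the chapter: HTTPS to the service and DNS to the resolver.
# 192.168.10.1 as the internal DNS server is an assumption.
REQUIRED_FLOWS = [
    {"src": "192.168.10.50", "dst": "smartassist.example.com", "proto": "tcp", "port": 443},
    {"src": "192.168.10.50", "dst": "192.168.10.1", "proto": "udp", "port": 53},
]

def _dst_matches(rule_dst, flow_dst):
    """Rule destinations may be 'any', an FQDN, a single host or a CIDR block."""
    if rule_dst in ("any", flow_dst):
        return True
    try:
        return ipaddress.ip_address(flow_dst) in ipaddress.ip_network(rule_dst, strict=False)
    except ValueError:                 # FQDN on one side, IP on the other: no match
        return False

def _matches(rule, flow):
    src_ok = ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(rule["src"], strict=False)
    return (src_ok and _dst_matches(rule["dst"], flow["dst"])
            and rule["proto"] == flow["proto"] and rule["port"] == flow["port"])

def decide(rules, flow):
    """First matching rule decides, as on most firewalls; no match means default deny."""
    for rule in rules:
        if _matches(rule, flow):
            return rule["action"]
    return "deny"

def missing_flows(rules, required=REQUIRED_FLOWS):
    """Required flows that the request would still leave blocked."""
    return [f for f in required if decide(rules, f) != "allow"]

def fmt_flow(flow):
    return f"{flow['src']} -> {flow['dst']} {flow['port']}/{flow['proto']}"

# The chapter's example request as written: only HTTPS.
REQUEST_V1 = [{"src": "192.168.10.50", "dst": "smartassist.example.com",
               "proto": "tcp", "port": 443, "action": "allow"}]
# The corrected request: DNS 53/udp added, here for the whole Smart Assist segment.
REQUEST_V2 = REQUEST_V1 + [{"src": "192.168.10.0/24", "dst": "192.168.10.1",
                            "proto": "udp", "port": 53, "action": "allow"}]

if __name__ == "__main__":
    for name, req in (("v1", REQUEST_V1), ("v2", REQUEST_V2)):
        print(name, "still blocked:", [fmt_flow(f) for f in missing_flows(req)] or "none")
```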
5.6 TCP and HTTPS
What Is TCP?
TCP (Transmission Control Protocol) is a communication protocol designed to reliably deliver data to its destination.
Characteristics of TCP
| Feature | Description |
|---|---|
| Connection-Oriented | Establishes a connection before communication begins (3-way handshake) |
| Reliability | Includes delivery confirmation and retransmission control |
| Order Guarantee | Data arrives in the order it was sent |
3-Way Handshake
What Is HTTPS?
HTTPS (HTTP over TLS) is a protocol that encrypts HTTP communication using TLS.
Smart Assist communication uses HTTPS, ensuring data encryption, server authentication, and data integrity.
5.7 How TLS Encryption Works
What Is TLS?
TLS (Transport Layer Security) is a protocol that encrypts communication to prevent eavesdropping, tampering, and impersonation.
Three Protections Provided by TLS
| Protection | Description | Meaning for Smart Assist |
|---|---|---|
| Encryption | Communication content cannot be read by third parties | Specimen image data cannot be eavesdropped on in transit |
| Authentication | Confirms that the connection destination is genuine | Prevents connection to a fraudulent server |
| Integrity | Guarantees that data has not been tampered with in transit | Classification results cannot be altered mid-transmission |
Overview of the TLS Handshake
What Is a Server Certificate?
A server certificate is an electronic identity document that proves the connecting server is genuine.
| Certificate Element | Description |
|---|---|
| Subject (CN/SAN) | The server's domain name (e.g., smartassist.example.com) |
| Issuer | Name of the Certificate Authority (CA) |
| Validity Period | Start and end dates of the certificate |
| Public Key | The server's public key, used in the handshake to set up the encrypted session |
If the certificate has expired or the Certificate Authority is not trusted, the TLS handshake will fail and communication will be impossible.
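An added example (not from the original chapter) that performs the handshake with full verification, the same checks a Smart Assist client's TLS library applies, and reports the certificate elements from the table above. When verification fails, the OpenSSL error text is mapped onto the causes named here (expired, CA not trusted) plus a hostname mismatch against CN/SAN. Only the host name is from the chapter; the port and the sample certificate dict used in testing are assumptions.

```python
import socket
import ssl
import time

def check_server_certificate(host, port=443, timeout=5.0):
    """Run the handshake with full verification (trusted CA + hostname), as a TLS client does."""
    ctx = ssl.create_default_context()   # verify_mode=CERT_REQUIRED, check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "reason": classify_verify_error(str(e))}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "reason": f"handshake or connection error: {e}"}
    return {"ok": True, **summarize_cert(cert)}

def classify_verify_error(msg):
    """Map OpenSSL's verify text onto the failure causes the chapter names (plus hostname)."""
    m = msg.lower()
    if "expired" in m:
        return "certificate expired"
    if "unable to get local issuer" in m or "self signed" in m or "self-signed" in m:
        return "CA not trusted"
    if "hostname mismatch" in m or "doesn't match" in m:
        return "hostname does not match CN/SAN"
    return f"verification failed: {msg}"

def summarize_cert(cert, now=None):
    """Pull Subject, Issuer and Validity out of the dict ssl returns from getpeercert()."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return {
        "subject_cn": subject.get("commonName"),
        "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "issuer_cn": issuer.get("commonName"),
        "not_after": cert["notAfter"],
        "days_left": int((not_after - now) // 86400),
        "expired": not_after < now,
    }

if __name__ == "__main__":
    print(check_server_certificate("smartassist.example.com"))
```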
5.8 The Role of NAT
What Is NAT?
NAT (Network Address Translation) is a mechanism that translates between private IP addresses and global IP addresses.
Why Is NAT Necessary?
The Smart Assist PC inside the hospital has a private IP address, but private IPs cannot be used on the Internet. By translating to a global IP via NAT, communication with the Internet becomes possible.
How NAT Works
| Step | Description |
|---|---|
| 1. Send | Smart Assist PC (192.168.10.50) sends a packet to AWS |
| 2. NAT Translation (Outbound) | NAT device translates the source IP to a global IP (203.0.113.1) |
| 3. Server Response | AWS sends a response back to 203.0.113.1 |
| 4. NAT Translation (Return) | NAT device translates the global IP back to the private IP (192.168.10.50) |
| 5. Receive | Smart Assist PC receives the response |
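The five steps above as an added example (not from the original chapter): a small NAT table that rewrites the outbound packet, remembers the mapping, and rewrites the reply. It goes one step beyond the table in that it also translates the source port (NAPT), which is how one global IP can serve many private hosts, and it drops inbound packets that match no entry, which is the behaviour that makes the NAT device act as a basic inbound filter. 192.168.10.50 and 203.0.113.1 are from the table; 52.194.10.20 reuses the chapter's DNS example as the AWS address, and the port numbers are constructed.

```python
class Nat:
    """Source NAT with port translation: (private ip, port) <-> (global ip, mapped port)."""

    def __init__(self, global_ip, first_port=40000):
        self.global_ip = global_ip
        self.next_port = first_port
        self.table = {}      # (private_ip, private_port) -> global_port
        self.reverse = {}    # (global_port, remote_ip, remote_port) -> (private_ip, private_port)

    def outbound(self, pkt):
        """Step 2: rewrite the private source IP:port to the global IP and a mapped port."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.table:            # first packet of a flow allocates a port
            self.table[key] = self.next_port
            self.next_port += 1
        gport = self.table[key]
        self.reverse[(gport, pkt["dst"], pkt["dport"])] = key
        return {**pkt, "src": self.global_ip, "sport": gport}

    def inbound(self, pkt):
        """Step 4: map the reply back; a packet with no table entry is dropped (None)."""
        key = (pkt["dport"], pkt["src"], pkt["sport"])
        if pkt["dst"] != self.global_ip or key not in self.reverse:
            return None
        priv_ip, priv_port = self.reverse[key]
        return {**pkt, "dst": priv_ip, "dport": priv_port}

def simulate():
    """Walk steps 1-5 for the Smart Assist PC and return the packets as seen at each step."""
    nat = Nat("203.0.113.1")
    sent = {"src": "192.168.10.50", "sport": 51000, "dst": "52.194.10.20", "dport": 443}
    on_internet = nat.outbound(sent)                              # steps 1-2
    reply = {"src": on_internet["dst"], "sport": on_internet["dport"],
             "dst": on_internet["src"], "dport": on_internet["sport"]}  # step 3
    received = nat.inbound(reply)                                 # steps 4-5
    return on_internet, reply, received

if __name__ == "__main__":
    for label, pkt in zip(("outbound", "reply", "delivered"), simulate()):
        print(f"{label:>9}: {pkt}")
```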
Relationship Between Firewall and NAT
In many hospitals, the firewall device also handles NAT functions. In other words, firewall rule configuration and NAT configuration are often performed on the same device.
In the next chapter, we will use the foundational knowledge learned here to technically dissect the actual communication sequence of Smart Assist.