PEARSON EDEXCEL IGCSE

Computer Science (4CP0)

TOPIC 5 MASTERBOOK
Communication and the Internet

Grade 9 (Distinction) Revision Guide

Lead Examiner Edition

Networks | Protocols | Security | Internet & WWW

Section 1: Types of Networks

1.1 Personal Area Network (PAN)

A Personal Area Network (PAN) is the smallest classification of network, typically spanning a
range of approximately 10 metres and centred around an individual's personal devices. PANs
are constructed either using short-range wireless technologies such as Bluetooth (IEEE
802.15.1) or via wired USB connections. The fundamental purpose of a PAN is to enable
communication and data exchange between devices owned or operated by a single user — for
example, synchronising a smartphone with a laptop, connecting wireless earbuds, or
transferring files from a digital camera to a computer.
Bluetooth-based PANs operate within the 2.4 GHz ISM band and use frequency-hopping spread
spectrum (FHSS) to mitigate interference from other devices sharing the same frequency range.
The relatively low data throughput (up to approximately 3 Mbps for Bluetooth 3.0, or up to 2
Gbps for Bluetooth 5.0 with high-speed extension) is acceptable given the typically small file
sizes involved in personal device synchronisation. PANs are characterised by their simplicity of
setup, low power consumption, and inherent security through proximity — a device must be
physically close to join the network.

1.2 Local Area Network (LAN)

A Local Area Network (LAN) connects devices within a geographically limited area such as a
single building, office floor, school, or campus. LANs are owned, managed, and maintained
entirely by the organisation that operates them — they do not rely on any third-party
telecommunications infrastructure for their internal operation. The defining characteristic of a
LAN is that all the connecting hardware (cabling, switches, routers) is under the direct control of
the organisation.
Modern LANs are constructed using Ethernet (IEEE 802.3) for wired connections, typically using
Cat5e, Cat6, or Cat6a twisted-pair copper cables with RJ-45 connectors, capable of transmitting
data at speeds of 100 Mbps (Fast Ethernet), 1 Gbps (Gigabit Ethernet), or 10 Gbps (10-Gigabit
Ethernet). Wireless LANs (WLANs) extend connectivity using Wi-Fi (IEEE 802.11 standards).
Within a LAN, data travels as electrical signals over copper or as light pulses over fibre optic
cable. Switches are the central devices within a LAN, operating at the Data Link layer (Layer 2)
of the OSI model, forwarding frames based on MAC addresses stored in their Content
Addressable Memory (CAM) table.

1.3 Wide Area Network (WAN)

A Wide Area Network (WAN) spans large geographic distances — potentially city-wide,
national, or even global in scope. Unlike a LAN, a WAN typically relies on third-party
telecommunications infrastructure such as leased lines, MPLS (Multiprotocol Label Switching)
circuits, or public internet connectivity provided by an Internet Service Provider (ISP). The
Internet itself is the largest and most prominent example of a WAN.
WANs connect multiple LANs together, enabling an organisation with offices in different cities or
countries to share resources and communicate. Data transmission across a WAN typically
occurs over fibre optic trunk lines, satellite links, or ADSL (Asymmetric Digital Subscriber Line)
connections. Latency — the delay in data transmission — is significantly higher on a WAN than
a LAN due to the greater physical distances involved and the number of intermediate routing
hops. WAN links are also generally more expensive to provision and maintain than LAN
infrastructure.

1.4 Wireless Local Area Network (WLAN)

A Wireless Local Area Network (WLAN) is a LAN in which devices connect to the network using
radio frequency (RF) transmission rather than physical cables. WLANs are governed by the
IEEE 802.11 family of standards, commonly known by the commercial brand name Wi-Fi. The
802.11ac (Wi-Fi 5) standard operates in the 5 GHz band and supports theoretical throughput of
up to several Gbps using technologies such as MU-MIMO (Multi-User, Multiple Input, Multiple
Output) and beamforming. The newer 802.11ax (Wi-Fi 6) standard improves efficiency in high-
density environments through OFDMA (Orthogonal Frequency Division Multiple Access).
WLANs operate through Wireless Access Points (WAPs), which are connected to the wired
network infrastructure and broadcast an SSID (Service Set Identifier) — the network name —
that client devices detect and associate with. Security in a WLAN is enforced through protocols
such as WPA3 (Wi-Fi Protected Access 3), which uses the SAE (Simultaneous Authentication
of Equals) handshake to prevent offline dictionary attacks, a vulnerability present in the older
WPA2 standard.

Feature PAN LAN WAN WLAN

Geographic Range ~10 m Building / City / Country / Building / Campus

Campus Global

Typical Speed Up to 2 Gbps 100 Mbps – 10 1 Mbps – 100 Up to 9.6 Gbps

(BT5) Gbps Gbps (Wi-Fi 6)

Ownership Individual Organisation Shared / ISP- Organisation

leased

Primary Technology Bluetooth / Ethernet Fibre, MPLS, Wi-Fi (802.11)

USB (802.3) ADSL

Typical Latency < 1 ms < 1 ms 10 ms – 100+ ms < 5 ms

📌 EXAMINER TIP: A very common error is stating that the Internet IS a WAN. The Internet is the
largest example of a WAN, but a WAN simply describes any network spanning a large geographical
area. Always distinguish between the two. In a 4-mark question asking you to 'describe two
differences between a LAN and WAN', you must give a feature AND explain it — do not just list 'LAN
is small, WAN is big' without justification.
1.5 Client-Server vs. Peer-to-Peer Network Models

Client-Server Architecture
In a client-server network, roles are clearly partitioned: dedicated server machines provide
services and resources, while client machines request and consume those services. A server is
a high-specification computer running server operating systems (e.g., Windows Server, Linux)
and server-side software (e.g., Apache HTTP server, Active Directory Domain Services). Clients
initiate communication using standardised protocols; the server processes the request and
returns a response.
The architectural strength of client-server lies in centralised management. An IT administrator
can apply security policies, software updates, and access controls from a single location — the
server. User accounts, permissions, and data are stored centrally, which simplifies backup
procedures. For a business with sensitive financial or customer data, this centralised control is
critical: if a client machine is compromised, the data remains protected on the server.
However, the client-server model introduces a single point of failure at the server level. If the
server goes offline — due to hardware failure, software crash, or a cyberattack such as a DDoS
— all clients lose access to shared resources simultaneously. This can be mitigated through
redundant servers and failover clustering, but at significant additional cost.

Peer-to-Peer (P2P) Architecture

In a peer-to-peer network, all machines are functionally equivalent — each node can act as both
a client and a server simultaneously. There is no dedicated server; resources such as storage,
processing power, and bandwidth are distributed across all peers. The BitTorrent protocol is the
canonical example of a P2P system: each peer downloading a file simultaneously uploads
portions of that file to other peers, distributing the load.
P2P networks scale well because adding a new peer also adds new resource capacity to the
network. They are also more resilient — if one peer fails, other peers continue operating
independently with no central dependency. However, P2P networks are substantially harder to
administer: there is no central point from which to enforce security policies, update software, or
control data access. This makes P2P inappropriate for business environments handling
confidential data.

Criterion Client-Server Peer-to-Peer

Management Centralised — easy to administer Decentralised — each machine

policies and updates managed individually

Security High — server enforces access Low — no central authority to enforce

controls and authentication security

Fault Tolerance Low — server failure affects all clients High — no single point of failure

Performance at High — dedicated server hardware Degrades if peers have limited

Scale optimised for service provision resources

Setup Cost High — requires dedicated server Low — no dedicated hardware needed
hardware and OS licences
 Criterion Client-Server Peer-to-Peer

Data Backup Centralised and straightforward Difficult — data dispersed across

peers

Best Use Case Businesses, schools — structured Small home networks, file sharing,
environments with sensitive data collaborative computing

📌 EXAMINER TIP: For a 6-mark 'Discuss the advantages and disadvantages of a client-server
network for a business' question, you must address BOTH sides and reach a conclusion. A Grade 9
answer will link specific advantages (centralised security, easy backup) to business context ('...this
means the company's customer database is protected...') rather than stating generic benefits. Avoid
the error of saying P2P has 'no security' — it has weaker, decentralised security; that is subtly
different.

1.6 Network Hardware: Routers, Switches, and NICs

Network Interface Card (NIC)

A Network Interface Card (NIC) is the hardware component that enables a device to connect to
a network. Every NIC is assigned a unique 48-bit (6-byte) Media Access Control (MAC) address
by the manufacturer — this address is hardcoded into the firmware of the NIC and serves as a
globally unique hardware identifier. A MAC address is expressed in hexadecimal notation (e.g.,
[Link]). The NIC operates at the Data Link layer (Layer 2) of the OSI model,
converting data from the device into the electrical, optical, or radio frequency signals appropriate
for the physical medium.
A wired NIC incorporates circuitry to encode/decode Ethernet frames, manage collision
detection (CSMA/CD in older half-duplex networks), and handle the physical signalling at the
appropriate standard (e.g., 1000BASE-T for Gigabit Ethernet over twisted-pair copper). A
wireless NIC additionally contains an RF transceiver and antenna to communicate with a WAP
using the IEEE 802.11 protocol.

Network Switch
A switch is a Layer 2 device that connects multiple devices within a LAN and forwards data
frames only to the specific port where the intended recipient device is connected — in contrast
to an older 'hub', which broadcast frames to all ports indiscriminately, causing unnecessary
bandwidth consumption and security vulnerabilities. The switch builds its CAM (Content
Addressable Memory) table by learning which MAC addresses are reachable through which
physical ports; as frames arrive, the switch records the source MAC address and the ingress
port.
When a frame arrives destined for a MAC address already in the CAM table, the switch
performs unicast forwarding to the correct port only — all other ports are undisturbed. If the
destination MAC address is not in the table (or if it is a broadcast address), the switch floods the
frame to all ports. This mechanism drastically reduces collision domains compared to hubs and
allows full-duplex communication on each port, effectively doubling the available bandwidth.
Modern managed switches also support VLANs (Virtual LANs), which logically segment the
network to improve security and performance.

Router
A router operates at Layer 3 (the Network layer) of the OSI model and is responsible for
forwarding data packets between different networks — for example, between a home LAN and
the wider Internet. The router makes forwarding decisions based on the destination IP address
contained in each packet's header, consulting its routing table to determine the most efficient
path. Routing tables are built through static configuration or dynamic routing protocols such as
OSPF (Open Shortest Path First) or BGP (Border Gateway Protocol).
A home broadband router performs several functions simultaneously: it acts as a gateway
between the LAN and the ISP's WAN, runs NAT (Network Address Translation) to allow multiple
private IP devices to share a single public IP address, operates a DHCP server to automatically
assign IP addresses to devices on the LAN, and typically includes a firewall component for
basic packet filtering. The key distinction from a switch is that a switch connects devices within a
single network (same IP subnet) by MAC address, whereas a router connects different networks
and makes path decisions based on IP addresses.

Device OSI Layer Addressing Used Primary Function

NIC Layer 1 & 2 MAC Address Physical connection to medium;

converts data to signals

Switch Layer 2 (Data Link) MAC Address Forwards frames within a LAN to
correct port

Router Layer 3 (Network) IP Address Routes packets between different

networks
Section 2: Network Topologies

2.1 Star Topology

In a star topology, every end device (node) connects directly and individually to a central switch
or hub. No device communicates directly with another device — all data must pass through the
central device. This architecture is the dominant topology in modern LANs due to its
manageability and fault isolation properties. If any single end-device connection or cable fails,
only that device loses network connectivity; the central switch continues operating, and all other
nodes are unaffected. This represents excellent fault isolation at the node level.
The central switch in a star topology is the single point of failure for the entire network — if the
switch fails, all network communication ceases. This risk is mitigated in enterprise environments
by using redundant switches with link aggregation (bonding multiple physical connections) or by
deploying a hierarchical star-of-stars topology where access layer switches connect to
redundant distribution switches. Cable management in a star topology is straightforward but
cable runs can be long for devices physically distant from the central switch, increasing material
and installation costs.

2.2 Bus Topology

In a bus topology, all devices connect to a single shared communication medium — a central
cable known as the 'bus' or 'backbone' — via T-connectors or drop cables. Both ends of the bus
are terminated with a resistor to prevent signal reflection. All devices receive all transmitted data
simultaneously; each NIC reads the destination MAC address in a frame header and discards
the frame if it is not the intended recipient.
Bus topologies use CSMA/CD (Carrier Sense Multiple Access with Collision Detection) to
manage channel access: before transmitting, a device senses whether the medium is in use. If
two devices transmit simultaneously, a collision occurs, corrupting both transmissions. Both
devices detect the collision, stop transmitting, wait a random back-off period, and attempt
retransmission. This collision overhead significantly degrades performance as the number of
devices increases. Bus topologies are also highly vulnerable to single-point failures: a break
anywhere in the central cable, or a faulty terminator, disrupts communication for every device on
the network. For these reasons, bus topology is largely obsolete in modern networks.

2.3 Mesh Topology

In a full mesh topology, every device is directly connected to every other device in the network.
A partial mesh topology provides multiple paths between devices without requiring complete
interconnection. Mesh topologies are the cornerstone of fault-tolerant, highly-available network
designs and are extensively used in core internet infrastructure, wide-area networks, and
mission-critical environments.
The concepts of fault tolerance and redundancy are intrinsically linked in mesh design. Fault
tolerance is the capability of a system to continue operating correctly even when one or more
components fail. In a mesh network, if any single link between two nodes fails, data can be
rerouted dynamically through an alternative path — the network 'heals' around the failure.
Redundancy is the provision of additional (duplicate) links or nodes that serve no primary
function but exist specifically to take over if a primary component fails. In a full mesh, every path
between two nodes has at least N-1 redundant alternative routes (where N is the number of
nodes), making it extremely resilient.
The trade-off is cost and complexity. A full mesh with N nodes requires N(N-1)/2 bidirectional
links — for 10 nodes, this requires 45 individual connections. Each device also needs sufficient
interfaces to support all its connections. The configuration and maintenance of routing protocols
across many links adds administrative overhead. This cost is acceptable for critical
infrastructure (e.g., internet exchange points, military networks, financial trading systems) where
downtime is catastrophically expensive.

Feature Star Bus Mesh

Central Component Switch/Hub Backbone cable None (distributed)

Fault Tolerance Medium — switch failure Low — cable break = Very High — multiple
= total outage total outage redundant paths

Performance High — dedicated switch Low — shared medium, High — direct paths
ports, no collisions collisions degrade between nodes
performance

Installation Cost Medium — cabling to Low — single cable Very High — N(N-1)/2
each device backbone links for full mesh

Scalability Easy — add devices to Difficult — affects all Difficult — exponential

switch nodes link growth

Maintenance Easy — isolate failed Difficult — fault finding Complex — many

node easily on shared cable connections to manage

Use Case Modern LANs, offices, Legacy/obsolete Core internet, WAN,

schools critical systems

📌 EXAMINER TIP: Students frequently confuse 'fault tolerance' with 'fault isolation'. Fault isolation
(star topology) means a single device failure doesn't affect others. Fault tolerance (mesh topology)
means the network CONTINUES TO FUNCTION even when a component fails — data is rerouted.
These are distinct concepts. For a 4-mark question on mesh topology, ensure you explain WHY
multiple paths equal fault tolerance, not just that 'there are many connections'.
Section 3: Protocols and the TCP/IP Model

3.1 Why Protocols Are Essential

A protocol is a formally defined set of rules governing the format, timing, sequencing, and error
control of data exchanged between communicating systems. Without protocols, devices from
different manufacturers using different operating systems could not communicate — it would be
equivalent to two people attempting conversation in mutually incomprehensible languages.
Protocols achieve interoperability by standardising every aspect of communication: how a
connection is initiated, how data is packaged, how errors are detected and corrected, and how a
connection is terminated. The concept of a layered protocol model separates the concerns of
communication into discrete, independently implementable layers.

3.2 The TCP/IP Model (Four-Layer Stack)

The TCP/IP model (also called the Internet model) describes the suite of protocols used on the
Internet in four conceptual layers. Each layer has a specific responsibility and communicates
with the layers immediately above and below it through well-defined interfaces. When data is
sent, it passes downwards through the layers, with each layer adding its own header (a process
called encapsulation). When received, data passes upwards through the layers, with each layer
stripping its corresponding header (de-encapsulation).

Layer 4 — Application Layer

The Application layer is the topmost layer and provides the interface between network services
and user-facing applications. It is responsible for defining the communication rules for specific
types of services: web browsing (HTTP/HTTPS), email (SMTP, IMAP, POP3), file transfer
(FTP), domain name resolution (DNS), and remote terminal access (SSH/Telnet). The
Application layer does not define how data is physically transmitted; it defines what is
transmitted and its meaning. Protocols at this layer interact directly with software applications,
generating application-level data that is then handed down to the Transport layer.

Layer 3 — Transport Layer

The Transport layer is responsible for end-to-end communication between specific processes
running on source and destination hosts. It receives application data and segments it into
smaller units called segments (TCP) or datagrams (UDP). Each segment is assigned a port
number — a 16-bit identifier that specifies which application process should receive the data
(e.g., port 80 for HTTP, port 443 for HTTPS, port 25 for SMTP). The two principal Transport
layer protocols are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
TCP provides a reliable, connection-oriented service: it establishes a connection via a three-way
handshake (SYN → SYN-ACK → ACK), guarantees delivery through acknowledgements and
retransmission of lost segments, ensures correct ordering through sequence numbers, and
implements flow control via a sliding window mechanism. UDP is connectionless and provides
no delivery guarantees — it is faster due to its minimal overhead and is used where speed
outweighs the need for reliability (e.g., video streaming, VoIP, DNS queries).

Layer 2 — Internet Layer

The Internet layer is responsible for logical addressing and routing of packets across multiple
networks from source to destination. It encapsulates Transport layer segments into packets by
adding an IP header containing the 32-bit (IPv4) or 128-bit (IPv6) source and destination IP
addresses. Routers operate at this layer, reading the destination IP address of each arriving
packet and forwarding it towards its destination based on the router's routing table. The Internet
layer does not guarantee packet delivery, ordering, or error correction — these responsibilities
belong to TCP at the Transport layer.

Layer 1 — Link Layer (Network Access / Data Link + Physical)

The Link layer (sometimes called the Network Access layer) handles the physical transmission
of data across a single network segment — it corresponds roughly to the Data Link and Physical
layers of the OSI model. It converts IP packets into frames by adding a frame header containing
MAC addresses (source and destination) for transmission across the local network segment.
Protocols at this layer include Ethernet (IEEE 802.3) for wired networks and Wi-Fi (IEEE
802.11) for wireless. The Link layer is responsible for encoding data as electrical signals, light
pulses, or radio waves, and for error detection within a single link (but not across the entire
path).

TCP/IP Layer Equivalent OSI PDU Name Key Protocols Addressi

Layer(s) ng Used

Application Application, Data / Message HTTP, HTTPS, FTP, URLs,

Presentation, SMTP, IMAP, POP3, Hostname
Session DNS s

Transport Transport Segment (TCP) / TCP, UDP Port

Datagram (UDP) Numbers

Internet Network Packet IP (IPv4/IPv6), ICMP IP

Addresses

Link Data Link + Frame Ethernet, Wi-Fi MAC

Physical (802.11) Addresses

3.3 Packet Switching

Packet switching is the fundamental data transmission paradigm of the Internet. When a large
file or message is to be transmitted across a network, it is divided at the source node into
multiple small, fixed-size units called data packets. Each packet consists of two principal
components: the header and the payload. The header contains control information — including
the source IP address, the destination IP address, the packet sequence number (for reassembly
at the destination), the Time-to-Live (TTL) value (a counter decremented at each router hop to
prevent infinite routing loops), and a checksum for error detection. The payload (also called the
data portion) contains the actual fragment of user data being transported.
Once created, each packet is independently injected into the network. Critically, different
packets belonging to the same original message may travel along different physical paths
through the network — this dynamic path selection is a defining feature of packet switching.
Each router along a packet's route examines the destination IP address in the packet header
and makes an independent forwarding decision to the next-hop router, based on current routing
table information which reflects real-time network conditions. This independence of path
selection is the key source of packet switching's efficiency advantages.
Packet switching is more efficient than the alternative — circuit switching (used in traditional
telephone networks) — for several reasons. In circuit switching, a dedicated physical circuit is
reserved between source and destination for the entire duration of a communication session:
bandwidth on that path is allocated even when no data is being transmitted (e.g., during pauses
in a phone call), resulting in wasted capacity. In packet switching, bandwidth on each link is only
consumed when packets are actually transmitted; during idle periods, other traffic freely uses
the same links. This statistical multiplexing allows far more users to share network infrastructure
simultaneously. Furthermore, if a link on a packet-switched network fails, routers dynamically
route packets via alternative paths — a circuit-switched network would require re-establishing
the dedicated circuit, causing a service interruption.

📌 EXAMINER TIP: The 'Packet Switching' question frequently asks you to describe HOW it works,
not just what it is. A Grade 9 answer must describe: (1) data divided into packets with headers
containing addressing info, (2) packets routed independently, potentially via different paths, (3)
reassembly at destination using sequence numbers. Many students forget to mention that packets
may take different routes — this is worth at least one mark.

3.4 Application Layer Protocols — Detailed Reference

HTTP and HTTPS

HyperText Transfer Protocol (HTTP) is the foundational protocol of the World Wide Web,
enabling the transfer of web page resources (HTML documents, images, scripts, stylesheets)
between a web server and a client browser. HTTP is a request-response protocol operating at
the Application layer over TCP (default port 80). When a user navigates to a URL, the browser
issues an HTTP GET request to the web server; the server responds with the requested
resource and an HTTP status code (e.g., 200 OK, 404 Not Found, 301 Moved Permanently).
HTTP Secure (HTTPS) is HTTP wrapped within a TLS (Transport Layer Security) cryptographic
tunnel (default port 443). Before any HTTP data is exchanged, TLS performs a handshake in
which: the server presents its digital certificate (issued by a trusted Certificate Authority, CA) to
prove its identity; asymmetric encryption is used to securely exchange a session key; and
thereafter all HTTP communication is encrypted using faster symmetric encryption with that
session key. HTTPS provides three security guarantees: confidentiality (eavesdroppers cannot
read the data), integrity (data cannot be modified in transit without detection), and authentication
(the client can verify it is communicating with the legitimate server).
FTP — File Transfer Protocol
FTP (File Transfer Protocol, port 20/21) is a client-server protocol designed specifically for the
bulk transfer of files between a client and a remote server. FTP uses two separate TCP
connections: a control connection (port 21) for commands and responses, and a data
connection (port 20) for actual file transfer. Common FTP commands include USER, PASS (for
authentication), LIST (directory listing), RETR (retrieve/download a file), and STOR
(store/upload a file). A significant limitation of standard FTP is that all data — including
usernames and passwords — is transmitted in plaintext, making it vulnerable to interception.
FTPS (FTP Secure) adds TLS encryption, and SFTP (SSH File Transfer Protocol) tunnels file
transfer operations over an SSH (Secure Shell) connection for security.

Email Protocols: SMTP, IMAP, POP3

Three distinct protocols govern email communication, each serving a different role in the email
delivery chain. SMTP (Simple Mail Transfer Protocol, port 25/587) is a push protocol used
exclusively for sending and relaying email messages — it handles the transfer of outgoing mail
from a client's mail client to the sender's mail server (known as an MTA, Mail Transfer Agent)
and then between MTAs as the email traverses the internet towards the recipient's mail server.
SMTP cannot be used to retrieve email.
POP3 (Post Office Protocol version 3, port 110) is a pull protocol used by email clients to
retrieve messages from a mail server. POP3 downloads messages to the local device and, by
default, deletes them from the server. This means email is accessible only from the device that
downloaded it — if a user has multiple devices, they will not see already-downloaded emails on
a second device. POP3 is therefore most appropriate for users who access email from a single
device and want local copies.
IMAP (Internet Message Access Protocol, port 143) is a more sophisticated pull protocol that
synchronises email between the client and server. Unlike POP3, IMAP leaves messages on the
server and synchronises the client's view with the server state — reading, deleting, or moving a
message on one device is reflected on all other devices accessing the same account. IMAP
supports server-side folders and is designed for the multi-device world; it is the protocol used by
virtually all modern email services (Gmail, Outlook, etc.).

Protocol Port(s) TCP/ Purpose Key Characteristic

UDP

HTTP 80 TCP Web page transfer Plaintext — no encryption

HTTPS 443 TCP Secure web page TLS-encrypted; provides

transfer authentication and confidentiality

FTP 20, 21 TCP File transfer Dual connections (control + data);

plaintext by default

SMTP 25, 587 TCP Sending / relaying email Outgoing only — does not retrieve
mail

POP3 110 TCP Downloading email to Deletes from server; single-device

local device access

IMAP 143 TCP Synchronising email Leaves mail on server; multi-device

Protocol Port(s) TCP/ Purpose Key Characteristic
UDP

across devices sync

DNS 53 UDP/ Hostname to IP address UDP for queries; TCP for large
TCP resolution responses / zone transfers
Section 4: Network Security

4.1 Threat Landscape Overview

Network security is the practice of protecting the integrity, confidentiality, and availability of data
and systems from a diverse range of threats, both internal and external. Understanding the
technical mechanisms by which each attack operates is essential — not only for the
examination but for implementing effective countermeasures. Security threats can be
categorised into malware-based attacks, social engineering attacks, denial of service attacks,
and direct exploitation attacks.

4.2 Malware — Malicious Software

Viruses
A computer virus is a self-replicating piece of malicious code that attaches itself to or inserts
itself into legitimate executable files or boot sectors of storage media. Unlike a worm, a virus
cannot propagate autonomously — it requires human action to spread (e.g., executing an
infected file, inserting an infected USB drive). Once executed, a virus may perform its payload
— which could include corrupting data, displaying messages, encrypting files, or opening
backdoors — while simultaneously attempting to spread by infecting other executable files on
the local system or connected drives. Modern antivirus software uses signature-based detection
(comparing file hashes/patterns against known virus signatures) and heuristic analysis
(detecting suspicious behaviour patterns) to identify viruses.

Worms
A worm is a standalone malicious program that self-replicates and propagates across networks
autonomously, without requiring a host file or human interaction. Worms exploit network
vulnerabilities — such as unpatched software flaws in operating systems or network services —
to copy themselves from machine to machine. Their rapid self-propagation means they can
spread across thousands of machines within minutes, consuming bandwidth, system resources,
and storage, and potentially installing additional payloads such as backdoors or ransomware.
The 2017 WannaCry ransomware was worm-based, exploiting the SMBv1 vulnerability
(EternalBlue) to propagate across networks.

Trojans
A Trojan horse (Trojan) is a malicious program that disguises itself as, or is bundled with,
legitimate software to deceive users into executing it. Unlike viruses and worms, Trojans do not
self-replicate. Their impact depends on their payload type: a Remote Access Trojan (RAT) gives
the attacker remote control of the infected machine; a banking Trojan intercepts online banking
credentials; a dropper Trojan downloads and installs additional malware. Trojans typically arrive
via email attachments, fake software downloads, or compromised websites. They exploit the
user's trust rather than any technical vulnerability in the operating system.

Ransomware
Ransomware is a particularly damaging subclass of malware that encrypts the victim's files
(using strong asymmetric or hybrid cryptography) and demands a ransom payment — typically
in cryptocurrency — in exchange for the decryption key. Modern ransomware attacks often
involve a 'double extortion' mechanism: the attacker both encrypts the data and exfiltrates a
copy, threatening to publish it unless the ransom is paid. Organisations are particularly
vulnerable because entire file servers and network shares can be encrypted if the malware runs
with sufficient privileges. Recovery without a backup requires either paying the ransom (not
guaranteed to succeed) or accepting total data loss.

Spyware and Keyloggers

Spyware is software that covertly monitors and records user activity without consent. A
keylogger is a specific form of spyware that captures every keystroke made by the user —
including passwords, credit card numbers, and confidential messages — and either stores these
locally for later retrieval or transmits them in real-time to an attacker-controlled server (known as
a C2 or Command-and-Control server). More sophisticated spyware may also capture
screenshots at intervals, record microphone/camera input, and harvest stored passwords from
browsers.

4.3 Phishing
Phishing is a social engineering attack in which the attacker masquerades as a trusted,
legitimate entity — such as a bank, technology company, or government authority — in
electronic communications (most commonly email) to manipulate the recipient into divulging
sensitive information (credentials, financial data) or performing an action that compromises
security (clicking a malicious link, downloading malware). Phishing attacks exploit psychological
principles such as urgency ('Your account will be suspended within 24 hours'), authority ('This is
a message from your IT department'), and fear to override the recipient's critical thinking.
Spear phishing is a targeted variant of phishing directed at a specific individual or organisation.
Attackers research their target using publicly available information (LinkedIn, company
websites, social media) to personalise the message, making it significantly more convincing.
Whaling refers to spear phishing targeting senior executives or other high-value individuals.
Vishing (voice phishing) conducts the attack over telephone, and smishing uses SMS
messages. The technical sophistication of phishing attacks has increased dramatically —
modern attacks use domain spoofing (registering domains visually similar to legitimate ones,
e.g., '[Link]'), HTML email to precisely clone legitimate communications, and URL
obfuscation.
4.4 Denial of Service (DoS) and Distributed DoS (DDoS)
A Denial of Service (DoS) attack aims to make a network resource — such as a web server,
online service, or network infrastructure — unavailable to its legitimate users by overwhelming it
with a flood of illegitimate traffic or requests, exhausting the resource's processing capacity,
memory, or bandwidth. A simple DoS attack originates from a single source machine; it can be
relatively easily mitigated by firewall rules blocking traffic from that source IP address.
A Distributed Denial of Service (DDoS) attack is a vastly more powerful and difficult-to-mitigate
variant. The attacker first compromises a large number of internet-connected devices
(computers, IoT devices, servers) by infecting them with malware, forming a botnet — a network
of 'zombie' machines under the attacker's remote command. When the attacker issues the
command, all botnet nodes simultaneously flood the target with traffic. Because DDoS traffic
originates from thousands or millions of different legitimate IP addresses distributed globally,
simple IP blocking is ineffective. The volume of traffic can overwhelm even the most robust
network infrastructure. Mitigation requires specialist services such as traffic scrubbing centres,
anycast routing, or Content Delivery Network (CDN) protection.

4.5 Brute Force Attacks

A brute force attack is a cryptanalytic attack in which the attacker systematically enumerates all
possible values of a key, password, or other secret until the correct value is found. For a
password brute force attack, automated software tests every possible combination of characters
up to a specified length. The effectiveness is determined by the computational speed of the
attacking hardware and the size of the keyspace: a 4-digit numeric PIN has 10,000 possibilities;
an 8-character password using uppercase, lowercase, digits, and symbols has approximately
6.6 trillion combinations.
A dictionary attack is an optimised variant that tests words from a dictionary and common
password lists before attempting random combinations — more efficient because most user-
chosen passwords are based on words. Credential stuffing attacks use known
username/password pairs from previous data breaches, exploiting the fact that many users
reuse passwords across multiple services. Countermeasures against brute force include:
account lockout policies (temporarily disabling an account after a threshold of failed attempts),
CAPTCHA challenges, rate limiting login attempts, and mandatory use of strong, complex
passwords.

4.6 Social Engineering

Social engineering is the psychological manipulation of individuals into performing actions or
divulging confidential information. Unlike technical attacks, social engineering exploits human
psychology — specifically trust, authority, reciprocity, urgency, and fear — rather than software
vulnerabilities. A social engineer may impersonate an IT support technician to convince an
employee to reveal their login credentials, present themselves as a new contractor to gain
physical access to a server room (pretexting), hold a door open by following an authorised
person through a security checkpoint (tailgating/piggybacking), or leave a malware-infected
USB drive in a location where a curious employee is likely to find and insert it (baiting).
Social engineering attacks are particularly dangerous because they bypass even the most
technically robust security infrastructure — a firewall cannot prevent an employee from being
convinced to email their password to an attacker. Defence against social engineering requires
comprehensive security awareness training, a culture of scepticism towards unexpected
requests for information or access, and clear verification procedures for any request involving
sensitive information or system access.
4.7 Firewalls and Packet Filtering
A firewall is a network security device — implemented in hardware, software, or a combination
— that monitors incoming and outgoing network traffic and enforces a set of security rules to
permit or deny packets based on defined criteria. Packet filtering is the most fundamental
firewall operation, examining the header information of each packet at the Network and
Transport layers without inspecting the payload.
A packet-filtering firewall evaluates each packet against a rule set (Access Control List, ACL)
that may specify: source IP address (e.g., block all traffic from a known malicious IP range),
destination IP address, source port number, destination port number, and the transport protocol
(TCP or UDP). Rules are evaluated in order from top to bottom; the first matching rule
determines the action (ACCEPT or DROP). An implicit 'deny all' rule at the end of the list blocks
all traffic not explicitly permitted. For example, a firewall might permit inbound TCP traffic on port
443 (HTTPS) to the web server but block all inbound traffic on port 22 (SSH) from external
sources to prevent remote access attempts.
Stateful inspection firewalls — an advancement on simple packet filtering — maintain a state
table of all established network connections. They can verify that incoming packets are part of a
legitimate, already-established connection rather than a spoofed or unsolicited packet, providing
significantly stronger security. Application-layer firewalls (next-generation firewalls) perform
Deep Packet Inspection (DPI), analysing the payload content to detect application-level attacks
and malware even when they use permitted ports.

📌 EXAMINER TIP: Students often describe a firewall as simply 'blocking viruses' — this is imprecise
and will not score full marks. A firewall primarily controls network traffic based on rules; it does not
inherently detect or remove malware (that is the role of antivirus software). Be specific: 'A packet-
filtering firewall examines the source and destination IP addresses and port numbers of each packet
and compares them against a rule set to decide whether to permit or deny the traffic.'

4.8 Encryption — Protecting Data in Transit and at Rest

Encryption is the process of transforming plaintext data into an unreadable ciphertext using a
mathematical algorithm (cipher) and a key, such that only parties possessing the correct key
can reverse the process (decryption) to recover the original plaintext. Encryption is the
fundamental technology underpinning data confidentiality in both data in transit (network
communication) and data at rest (stored on disk).

Symmetric Encryption
In symmetric encryption, the same key is used for both encryption and decryption. Both the
sender and recipient must possess this identical secret key. The primary advantage of
symmetric encryption is speed — symmetric algorithms such as AES (Advanced Encryption
Standard) with 128-bit or 256-bit keys are computationally highly efficient, capable of encrypting
large volumes of data rapidly with minimal latency. AES is a block cipher operating on 128-bit
blocks of data through multiple rounds of substitution, permutation, and mixing transformations.
The fundamental challenge of symmetric encryption is the key distribution problem: the secret
key must be shared between parties before encrypted communication can begin. If the key is
transmitted over an insecure channel, an eavesdropper could intercept it and subsequently
decrypt all communications. This makes symmetric encryption alone unsuitable for secure
communication between parties who have never previously exchanged keys.

Asymmetric Encryption (Public-Key Cryptography)

Asymmetric encryption solves the key distribution problem by using a mathematically linked key
pair: a public key and a private key. The public key can be freely distributed and published
without compromising security. Data encrypted with the public key can only be decrypted with
the corresponding private key — which the owner never shares. Conversely, data encrypted (or
'signed') with the private key can be verified by anyone with the public key. The RSA algorithm
(Rivest–Shamir–Adleman) is the most widely deployed asymmetric algorithm, with security
based on the computational difficulty of factoring the product of two large prime numbers.
In practice, asymmetric encryption is computationally expensive — far slower than symmetric
encryption for large data volumes. Therefore, real-world systems (such as TLS/HTTPS) use a
hybrid approach: asymmetric encryption is used to securely exchange a symmetric session key
at the start of a connection (the TLS handshake), and all subsequent bulk data transfer uses the
faster symmetric algorithm with that session key. This combines the key distribution advantage
of asymmetric encryption with the performance advantage of symmetric encryption.

Feature Symmetric Encryption Asymmetric Encryption

Keys Used Single shared secret key Public/private key pair

Speed Very fast — suitable for bulk data Slow — computationally intensive

Key Distribution Problem — key must be shared No problem — public key freely
securely in advance distributed

Security Very high with long keys (AES-256) Very high with long keys (RSA-4096)

Common Algorithm AES (Advanced Encryption Standard) RSA, ECC (Elliptic Curve
Cryptography)

Typical Use Bulk data encryption, full-disk Key exchange, digital signatures, TLS
encryption handshake

4.9 MAC Address Filtering

MAC address filtering is an access control mechanism implemented at the Link layer of a
network (typically on a wireless access point or network switch) that restricts network access to
only devices whose MAC address appears on a pre-configured whitelist. When a device
attempts to connect, the access point compares the device's MAC address against the
approved list. If the MAC address is present, the connection is permitted; if not, the connection
is denied regardless of whether the correct Wi-Fi password is known.
MAC address filtering provides an additional layer of access control but must not be relied upon
as a primary security mechanism. Its significant limitation is that MAC addresses are transmitted
in plaintext in the Link layer frame header and can be observed by any device with network
access and appropriate software (e.g., Wireshark). An attacker using a wireless adapter in
monitor mode can observe the MAC addresses of legitimate devices on the network and then
configure their own adapter to spoof (clone) one of those approved addresses — a technique
known as MAC spoofing. This bypasses MAC filtering entirely. Therefore, MAC address filtering
is best deployed as a defence-in-depth supplementary control alongside stronger authentication
(WPA3) and network segmentation.

4.10 Two-Factor Authentication (2FA)

Two-Factor Authentication (2FA) — also called Multi-Factor Authentication (MFA) when more
than two factors are used — is an authentication mechanism that requires a user to present two
independent credentials from different categories of evidence before access is granted. The
three authentication factor categories are: something you know (e.g., a password, PIN, or
security question answer), something you have (e.g., a hardware token, a smartphone running
an authenticator app such as Google Authenticator, or a physical smart card), and something
you are (biometric data — fingerprint, retinal scan, facial recognition).
The security rationale behind 2FA is that even if an attacker successfully obtains one factor —
for example, through a phishing attack or data breach — they cannot gain access without the
second factor. A stolen password alone is insufficient if the account is protected by a TOTP
(Time-based One-Time Password) generated by the user's smartphone app — the attacker
would additionally need physical possession of the user's device. This dramatically reduces the
risk from credential theft, brute force attacks, and phishing. Common implementations include
SMS OTP (one-time password sent by text), TOTP apps, hardware security keys (FIDO2/U2F
standard), and push notification approvals.

📌 EXAMINER TIP: When discussing 2FA, always specify that the two factors must come from
DIFFERENT categories — not just two separate passwords. Two passwords is single-factor (both
are 'something you know'). The examiner expects you to name the categories and give examples: 'A
password (something you know) combined with a one-time code generated by an authenticator app
on the user's phone (something you have)'

Security Measure What it Protects How it Works Limitation

Against

Firewall (Packet Unauthorised network Inspects packet headers; Cannot inspect

Filtering) access, port scanning allows/denies based on encrypted
IP/port rules payload;
vulnerable to IP
spoofing

Encryption Eavesdropping, data Encrypts data in transit; TLS Does not prevent
(HTTPS/TLS) interception, MITM handshake authenticates access to the
attacks server server itself

MAC Address Unauthorised device Maintains whitelist of MAC addresses

Filtering connection permitted MAC addresses can be spoofed;
plaintext in
Security Measure What it Protects How it Works Limitation
Against

frames

Two-Factor Credential theft, brute Requires knowledge factor + SMS-based 2FA

Authentication force, phishing possession/inherence factor vulnerable to
SIM-swap attacks

Antivirus/Anti- Viruses, worms, Trojans, Signature-based and heuristic Cannot detect

malware ransomware detection of malware zero-day threats
(no signature yet)

Strong Password Brute force, dictionary Enforces minimum length, Users may write
Policy attacks complexity, expiry passwords down
if too complex
Section 5: The Internet, the World Wide Web, and
Associated Technologies

5.1 The Internet vs. The World Wide Web — A Critical Distinction
One of the most frequently examined conceptual distinctions in this topic is the difference
between the Internet and the World Wide Web. They are not synonymous terms; they describe
fundamentally different things that exist in a dependent relationship.
The Internet is the global physical and logical infrastructure — the massive worldwide network
of interconnected computers, routers, switches, undersea fibre optic cables, wireless links, and
data centres, all communicating using the TCP/IP protocol suite. The Internet is the 'network of
networks': it connects millions of individual networks (LANs, WANs) belonging to universities,
governments, corporations, and individuals into a single globally reachable system. The Internet
supports many different services: web browsing, email, VoIP (Voice over IP), peer-to-peer file
sharing, online gaming, and others.
The World Wide Web (WWW) is a specific information and communication service that runs
over the Internet — it is one application of the Internet infrastructure. The WWW consists of a
vast, distributed collection of hyperlinked resources (web pages, images, videos, documents)
identified by URLs (Uniform Resource Locators) and transmitted using the HTTP/HTTPS
protocol. Web resources are stored on web servers and accessed by users through web
browsers. The WWW was invented by Tim Berners-Lee in 1989 as an information-sharing
system for physicists, based on the concepts of hypertext and hypermedia. Critically, one could
conceive of an Internet without the WWW (it existed before the WWW's invention) — but the
WWW cannot exist without the Internet as its transport layer.

Dimension The Internet The World Wide Web

Definition Global network infrastructure A service (collection of hyperlinked

interconnecting billions of devices documents/resources) delivered over
the Internet

Nature Physical and logical infrastructure Software/information system (an

application)

Protocol TCP/IP (the foundational protocol suite) HTTP / HTTPS (Application layer
protocol)

Components Routers, switches, cables, servers, Web pages, web servers, browsers,
protocols URLs, hyperlinks

Inventor / Origin ARPANET (1960s–70s), evolved into Tim Berners-Lee, CERN, 1989
modern Internet

Analogy The global road and motorway network The vehicles and destinations using
those roads
 📌 EXAMINER TIP: This distinction earns easy marks but is frequently missed. Never use 'Internet'
and 'World Wide Web' interchangeably in an exam answer. A precise answer to 'What is the
difference between the Internet and the WWW?' should state: the Internet is the global network
infrastructure; the WWW is a service/collection of resources accessed via that infrastructure using
HTTP. The WWW is one of many services that uses the Internet.

5.2 The Domain Name System (DNS)

The Domain Name System (DNS) is a hierarchical, distributed database that translates human-
readable domain names (such as [Link]) into the machine-readable IP addresses
(such as [Link]) needed to locate and establish connections with web servers over the
Internet. DNS is essential because humans memorise meaningful names, but routers and
network devices route data using numerical IP addresses. Without DNS, users would need to
remember the IP address of every website they wished to visit.

The DNS Resolution Process

The DNS resolution process — also called DNS lookup or IP address resolution — proceeds
through a well-defined series of steps when a user enters a URL into a browser:
• Step 1 — Browser Cache Check: The browser first checks its own DNS cache for a
recently resolved record for the requested domain. If found and not expired (based on
the record's TTL — Time to Live — value), the cached IP address is used immediately,
bypassing all further steps.
• Step 2 — Operating System Cache / Hosts File: If the browser cache misses, the
operating system checks its own DNS resolver cache and its local 'hosts' file (a local
static mapping of hostnames to IP addresses).
• Step 3 — Recursive Resolver Query: If still unresolved, the query is sent to the user's
configured DNS recursive resolver — typically operated by their ISP or a public DNS
service (e.g., Google [Link], Cloudflare [Link]). The recursive resolver acts as an
agent on behalf of the client.
• Step 4 — Root Name Server: If the recursive resolver does not have the answer cached,
it queries one of the 13 logical root name server clusters (operated by organisations
such as ICANN, IANA, and Verisign). The root server responds with the address of the
appropriate Top-Level Domain (TLD) name server for the TLD in question
(e.g., .uk, .com, .org).
• Step 5 — TLD Name Server: The recursive resolver queries the TLD name server (e.g.,
the .[Link] TLD server), which responds with the address of the authoritative name
server for the specific domain (e.g., [Link]).
• Step 6 — Authoritative Name Server: The recursive resolver queries the authoritative
name server for the domain. This server holds the definitive DNS records for that domain
and returns the IP address (A record for IPv4, AAAA record for IPv6) associated with the
queried hostname.
• Step 7 — Response and Caching: The recursive resolver returns the IP address to the
client and caches the result for the duration of the TTL. The client's browser and OS also
cache the result. The browser can now initiate a TCP/TLS connection to the web server
at the resolved IP address.
DNS queries predominantly use UDP on port 53 for efficiency (DNS responses are typically
small enough to fit in a single UDP datagram). TCP on port 53 is used when responses are too
large for a single UDP packet and for zone transfers between DNS servers. DNS Security
Extensions (DNSSEC) add cryptographic signatures to DNS records to prevent DNS cache
poisoning attacks — where an attacker injects false DNS records to redirect users to malicious
servers.

5.3 Web Servers

A web server is a combination of hardware (a computer with persistent storage, processor, and
network interface) and software (a server application such as Apache HTTP Server, Nginx, or
Microsoft IIS) that stores, processes, and delivers web resources to clients on request. Web
server software listens continuously on port 80 (HTTP) and/or port 443 (HTTPS) for incoming
connection requests. When a client browser connects and sends an HTTP GET request for a
specific resource (identified by its URL path), the web server locates the requested resource in
its file system or database, constructs an appropriate HTTP response (including a status code
and response headers), and transmits the resource back to the client.
Modern web servers do not merely serve static files. Dynamic web servers use server-side
scripting languages (PHP, Python, [Link], Ruby on Rails) to generate HTML content on-the-fly
— querying databases, processing user input, and personalising content. Web servers also
handle: SSL/TLS certificate management for HTTPS, virtual hosting (serving multiple domain
names from a single IP address), load balancing (distributing incoming requests across multiple
physical servers to manage high traffic volumes), compression (e.g., gzip) to reduce data
transfer size, and caching of frequently requested resources.

5.4 Web Browsers

A web browser is a client-side application that retrieves, renders, and displays web resources.
When a user enters a URL or clicks a hyperlink, the browser performs the DNS resolution
process to obtain the target server's IP address, then establishes a TCP connection (and TLS
handshake for HTTPS) to the web server. It sends an HTTP GET request and receives the
server's HTTP response, which typically contains an HTML document.
The browser's rendering engine (e.g., Blink in Chrome/Edge, Gecko in Firefox, WebKit in Safari)
parses the HTML document, constructing a Document Object Model (DOM) tree — an internal
representation of the page structure. As it encounters references to external resources (CSS
stylesheets, JavaScript files, images, fonts), the browser makes additional HTTP requests to
retrieve them. CSS is applied to style the DOM elements, and JavaScript is executed by the
browser's JavaScript engine (e.g., V8 in Chrome) to provide interactivity and dynamic
behaviour. The browser also manages: cookies (small data files stored on the client for session
management and personalisation), browser history, bookmarks, extensions, and security
features such as certificate validation, mixed-content blocking (preventing HTTP resources on
HTTPS pages), and sandboxing (isolating web page processes from the OS).
Component Role in Web Communication Key Technology

DNS Translates domain name to IP address DNS UDP/TCP port 53;

A/AAAA records

Browser Sends HTTP(S) requests; renders HTTP/HTTPS client; rendering

HTML/CSS/JS engine (Blink/Gecko)

Web Server Hosts and delivers web resources on request Apache/Nginx; HTTP/HTTPS
on ports 80/443

URL Uniquely identifies a specific resource on the Protocol + domain + path +

web query string

TLS Certificate Proves server identity; enables HTTPS Issued by Certificate Authority;
encryption X.509 standard

Transmission Bandwidth Latency Security Cost Best Use

Medium

Twisted-Pair Copper Up to 10 Gbps Low Susceptible to EMI Low LAN

(Cat6) (Cat6a) and eavesdropping workstations
, desktop
PCs

Fibre Optic Up to 100+ Very Low Immune to EMI; High Backbone,

Tbps (long- hard to tap WAN, data
haul) centres

Wi-Fi (802.11ax) Up to 9.6 Gbps Low Vulnerable if Medium Mobile

theoretical (~5ms) misconfigured devices,
(WLAN) laptops

Coaxial Cable Up to 10 Gbps Low Some EMI Medium Cable

resistance internet,
legacy
networks
Section 6: Past Paper Simulation — Grade 9 Model
Answers
The following questions are representative of the most challenging long-form questions
encountered in Pearson Edexcel IGCSE Computer Science (4CP0) examinations. Each model
answer is written to the standard expected for full marks, incorporating the technical depth,
specific terminology, and structured argument required for Grade 9 achievement.

Question 1 — Network Models (6 marks)

A school is setting up a new computer network. Discuss the advantages and
disadvantages of using a client-server network rather than a peer-to-peer network in this
context. [6 marks]
Mark Scheme Guidance: Award up to 3 marks for advantages of client-server (linked to school
context) and up to 3 marks for disadvantages. Reward 'discuss' structure — both sides with
evaluative conclusion.

MODEL ANSWER:
A client-server network provides significant advantages for a school environment due to its
centralised management architecture. Firstly, user account administration is centralised on the
server — an IT administrator can apply security policies, user permissions, and software
updates from a single location rather than configuring each machine individually. In a school
with hundreds of students, this dramatically reduces administrative overhead. For example,
blocking access to certain websites or applications can be enforced network-wide through
server-side group policy rather than setting restrictions on every individual workstation.
Secondly, data storage is centralised, meaning students' work is saved to the server and is
accessible from any workstation in the school. This also simplifies backup procedures: a single
daily backup of the server protects all students' data. In a peer-to-peer arrangement, student
files would be scattered across individual machines, making systematic backup practically
impossible.
Thirdly, centralised security controls are superior in a client-server model. Access to resources
is authenticated via user credentials verified against a central directory (e.g., Active Directory),
preventing unauthorised access to sensitive data such as student records.
However, the client-server model introduces a single point of failure at the server level. If the
server hardware fails or is taken offline for maintenance, all client workstations lose access to
shared resources simultaneously — this could disrupt teaching across the entire school.
Additionally, dedicated server hardware and server operating system licences represent a
substantially higher initial setup cost compared to a peer-to-peer arrangement, which requires
no dedicated hardware.
Overall, despite the higher cost and single-point-of-failure risk, a client-server network is clearly
more appropriate for a school due to the critical requirements for centralised data management,
security enforcement, and user administration that a P2P network cannot provide effectively.

Question 2 — Packet Switching (6 marks)

Explain how data is transmitted across the internet using packet switching. In your
answer, describe the structure of a data packet and explain why packet switching is
more efficient than circuit switching. [6 marks]
Mark Scheme Guidance: 1 mark for definition of packet/division; 1 mark for header contents (IP
addresses, seq. number, TTL); 1 mark for independent routing; 1 mark for reassembly at
destination; 2 marks for efficiency comparison with circuit switching.

MODEL ANSWER:
When data is to be transmitted across the Internet, the sending device first divides the data into
small, standardised units called data packets. Each packet comprises two principal sections: the
header and the payload. The header contains control metadata, including the source IP
address, the destination IP address, a sequence number (used to reassemble packets in the
correct order at the destination), a Time-to-Live (TTL) value (a counter that is decremented by 1
at each router hop, causing the packet to be discarded if it reaches zero — preventing infinite
routing loops), and a checksum for error detection. The payload contains the actual fragment of
data being transmitted.
Once created, packets are injected independently into the network. Crucially, each router along
the path examines only the destination IP address in each packet's header and makes its own
forwarding decision based on its current routing table — packets belonging to the same original
message may travel along entirely different physical routes across the network. At the
destination device, the packets are reassembled into the original data in the correct order using
the sequence numbers in the headers.
Packet switching is considerably more efficient than circuit switching for data transmission. In
circuit switching (used in traditional telephone networks), a dedicated physical circuit is reserved
between source and destination for the entire duration of a session — bandwidth is allocated
even during periods of silence or inactivity when no data is being transmitted, wasting valuable
network capacity. In packet switching, no dedicated path is reserved; each link carries packets
from many different communications simultaneously (statistical multiplexing), using bandwidth
only when packets are actually present. This allows the same physical infrastructure to carry
vastly more concurrent data sessions, maximising utilisation. Furthermore, if a link fails in a
packet-switched network, routers dynamically reroute packets via alternative paths without any
connection re-establishment overhead.
Question 3 — DNS (4 marks)
Describe the process that takes place when a user types a URL into their web browser
and presses Enter, up to and including the web page being displayed. Focus on the role
of DNS in this process. [4 marks]
Mark Scheme Guidance: Award 1 mark each for: DNS query sent to recursive resolver; resolver
queries root → TLD → authoritative servers; IP address returned to browser; browser uses IP to
request web page from server using HTTP/HTTPS.

MODEL ANSWER:
When the user enters a URL and presses Enter, the browser first checks its own DNS cache
and the operating system's cache to determine whether the IP address for the domain has been
recently resolved. If no cached result is found, the browser sends a DNS query to its configured
recursive DNS resolver (typically operated by the user's ISP or a public DNS provider such as
Google or Cloudflare). The recursive resolver, acting on behalf of the client, queries the DNS
hierarchy: it first contacts a root name server, which directs it to the appropriate top-level
domain (TLD) name server (e.g., the .com or .[Link] TLD server). The TLD server in turn directs
the resolver to the authoritative name server for the specific domain, which holds the definitive
DNS A record mapping the domain name to its IPv4 address. The authoritative server returns
this IP address to the recursive resolver, which forwards it to the client browser and caches it for
the duration of the record's TTL. The browser then establishes a TCP connection (and
completes a TLS handshake for HTTPS) to the web server at the resolved IP address, sends an
HTTP GET request, receives the HTML response, and renders the web page for the user.

Question 4 — Network Security Threats (6 marks)

A large company has recently suffered a data breach. Describe THREE different types of
threat that could have caused this breach, and for each threat, describe a suitable
protection method. [6 marks]
Mark Scheme Guidance: 1 mark per threat + protection pair (must be correctly matched and
described, not just named). Maximum 2 marks per threat-protection pair to reward depth.

MODEL ANSWER:
First, the breach could have resulted from a phishing attack, in which an attacker sent fraudulent
emails impersonating a trusted entity — such as the company's IT department — to deceive
employees into entering their network credentials on a fake login page or clicking a link that
downloads malware. An effective protection against phishing is staff security awareness
training, which educates employees to recognise the indicators of phishing (unusual sender
domains, urgency language, unexpected requests for credentials) and to verify requests through
an independent communication channel. Implementing multi-factor authentication (2FA) also
limits the damage of credential theft, as a stolen password alone is insufficient to gain system
access.
Second, the breach could have been caused by a malware infection — specifically a Trojan
horse downloaded when an employee executed a seemingly legitimate software package from
an untrusted source. Once executed, the Trojan could have provided the attacker with a remote
access backdoor or exfiltrated data directly. Protection methods include deploying antivirus and
anti-malware software with up-to-date signatures and heuristic detection capabilities, combined
with application whitelisting policies that prevent users from installing unauthorised software.
Third, the breach could have been facilitated by a brute force attack against user accounts, in
which automated software systematically tested password combinations until valid credentials
were discovered — particularly effective against accounts with weak or previously breached
passwords. Protection against brute force attacks includes enforcing an account lockout policy
(e.g., temporarily disabling an account after five failed login attempts), requiring strong, complex
passwords (minimum 12 characters with mixed character classes), and implementing
CAPTCHA challenges on login interfaces to prevent automated attack tools from operating.

Question 5 — Encryption (6 marks)

Explain the difference between symmetric and asymmetric encryption. Describe how
HTTPS uses BOTH types of encryption to secure communication between a web browser
and a web server. [6 marks]
Mark Scheme Guidance: 1 mark for symmetric definition (same key); 1 mark for asymmetric
definition (key pair); 1 mark for advantage/disadvantage comparison; up to 3 marks for TLS
handshake process linking both types correctly.

MODEL ANSWER:
Symmetric encryption uses a single shared secret key for both encrypting and decrypting data.
Both the sender and recipient must possess this identical key. Symmetric algorithms such as
AES (Advanced Encryption Standard) are computationally highly efficient and capable of
encrypting large volumes of data with minimal latency. However, symmetric encryption has a
fundamental key distribution challenge: the shared secret key must be transmitted to the
communication partner before secure communication can begin, and if this transmission occurs
over an insecure channel, an eavesdropper could intercept the key and subsequently decrypt all
communications.
Asymmetric encryption (public-key cryptography) uses a mathematically linked key pair: a public
key and a private key. The public key is freely distributed; data encrypted with it can only be
decrypted using the corresponding private key, which is never shared. This solves the key
distribution problem because no secret information need be transmitted to initiate secure
communication. However, asymmetric algorithms (such as RSA) are computationally far more
expensive than symmetric algorithms, making them impractical for encrypting large data
volumes directly.
HTTPS uses a hybrid approach that leverages the advantages of both. During the TLS
handshake that initiates an HTTPS connection, asymmetric encryption is used to securely
exchange a symmetric session key. The web server sends its digital certificate (containing its
public key and identity, signed by a trusted Certificate Authority) to the browser. The browser
verifies the certificate's validity and uses the server's public key to encrypt a randomly
generated pre-master secret, which it sends to the server. Only the server — possessing the
matching private key — can decrypt this pre-master secret. Both parties independently derive
the same symmetric session key from this shared secret. All subsequent HTTP communication
during the session is then encrypted using this fast symmetric session key (typically AES),
ensuring confidentiality, integrity, and performance throughout the browsing session. The
combination is therefore: asymmetric for the secure key exchange, symmetric for the bulk data
transfer.

End of Masterbook — Topic 5: Communication and the Internet

Pearson Edexcel IGCSE Computer Science (4CP0) | Grade 9 Distinction Edition