Lesson 2

Networking and Communications

Oct 24, 2013


Networks, TCP/IP, and Network-Based Attacks

Review

Is an ROI from Security Possible?
- Security as an ROI
- Improved Security ROI
- Security that provides savings in the budget
- Security that provides additional revenue

Computer System Basics


Operating Systems
- Manage the computer’s resources:
  - Memory management
  - Scheduling
  - Access Controls
- Lots of different operating systems:
  - Win9X, Win2K, WinME, NT, Unix, Linux, VMS

Networks


What is a network?
- Two or more systems connected together
- LAN (local area network)
- WAN (wide area network)
- MAN (metropolitan area network)


Network Topologies


Topology: the physical arrangement of the network.
- Completely Connected
- Star
- Ring
- Bus

Characteristics
- # of connections
- # of “hops”
- Addition of new nodes
- Fairness
- Collisions and points of failure

Network Topologies: Star

Adv:
- distance = 2 hops
- connections = n-1

DisAdv:
- 1 point of failure

Fairness? Addition of new nodes? Congestion (collisions)?

Network Topologies: Ring

Adv:
- avg dist = (n-1)/2 hops
- connections = n

DisAdv:
- many points of failure

Fairness (token)? Addition of new nodes? Congestion (collisions)?

Network Topology: Bus

Adv:
- distance = 1 hop
- connections = n

DisAdv:
- Collisions

Fairness? Addition of new nodes?

Protocols


A protocol is an agreed-upon format for exchanging information.

A protocol will define a number of parameters:
- Type of error checking
- Data compression method
- Mechanisms to signal reception of a transmission

There are a number of protocols that have been established in the networking world.

OSI Reference Model


ISO standard describing 7 layers of protocols:
- Application: program-level communication
- Presentation: data conversion functions, data format, data encryption
- Session: coordinates communication between endpoints. Session state maintained for security.
- Transport: end-to-end transmission, controls flow of data
- Network: routes data from one system to the next
- Data Link: handles physical passing of data between nodes
- Physical: manages the transmission media/HW connections

Abstraction is the principle: a layer only has to communicate with the layer directly above and the layer directly below it.

TCP/IP Protocol Suite


TCP/IP refers to two network protocols used on the Internet:
- Transmission Control Protocol (TCP)
- Internet Protocol (IP)

TCP and IP are only two of a large group of protocols that make up the entire “suite”.

A “real-world” application of the layered concept.

There is not a one-to-one relationship between the layers in the TCP/IP suite and the OSI Model.


OSI and TCP/IP comparison

OSI Model (top to bottom): Application, Presentation, Session, Transport, Network, Data-link, Physical

TCP/IP Protocol Suite (top to bottom):
- Application-level protocols: NFS, FTP, Telnet, SSH, SMTP, SMB, HTTP, NNTP
- RPC
- TCP, UDP
- Network-level protocols: IP, ICMP, ARP
- Physical

TCP/IP Protocol Suite (layer diagram)

User processes sit on top of TCP and UDP; TCP and UDP run over IP, with ICMP and IGMP alongside IP; IP runs over the HW interface, with ARP and RARP alongside it; the HW interface drives the media.

Encapsulation of data

As data goes down the stack, each layer prepends its own header (Ethernet also appends a trailer):

application:      User Data
                  Appl header | Application data
TCP:              TCP header | Application data                                                  = TCP segment
IP:               IP header | TCP header | Application data                                      = IP Datagram
Ethernet driver:  Ethernet header | IP header | TCP header | Application data | Ethernet trailer = Ethernet Frame
Ethernet

Demultiplexing of a received Ethernet Frame

Incoming Frame -> Ethernet driver, which demultiplexes on the frame type field to ARP, RARP or IP
IP demultiplexes on the protocol field of the IP header to ICMP, IGMP, UDP or TCP
UDP and TCP demultiplex on the destination port number to the receiving application

Incoming Frame

IP Datagram (header, 32 bits wide)

Version | head lngth | Type of Service | Total Length
Identification | Flags | Frag Offset
Time-to-live | Protocol | Header Checksum
Source Address
Destination Address
Options (if any)
Data

TCP Packet Structure (header, 32 bits wide)

Source Port | Destination Port
Sequence Number
Acknowledgment Number
Data Offset | Reserved | Flags | Window
Checksum | Urgent Pointer
Options (if any)
Data
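To make the encapsulation and demultiplexing figures and the two header layouts concrete, here is an added Python example (not from the slides): it wraps constructed application data in TCP, IP and Ethernet headers, then parses the frame back layer by layer, verifying the IP and TCP checksums on the way. The 10.1.1.123 and 207.25.71.23 addresses are the ones used on the NAT slide; the MAC addresses, ports, identification and sequence number are made up.

```python
import struct

ETH_P_IP, IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 0x0800, 1, 6, 17

def ip4(addr: str) -> bytes: return bytes(map(int, addr.split(".")))  # dotted quad -> 4 bytes

def checksum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum, shared by the IP, TCP, UDP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header: ver/IHL, TOS, total length, ID, flags/frag, TTL, protocol, checksum, addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0, ip4(src), ip4(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def tcp_header(sport, dport, seq, ack, flags, window, src, dst, payload=b"") -> bytes:
    """20-byte TCP header; its checksum also covers a pseudo-header (addresses, protocol, TCP length)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = ip4(src) + ip4(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, 20 + len(payload))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr + payload)) + hdr[18:]

def encapsulate(app_data: bytes, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Application data -> TCP segment -> IP datagram -> Ethernet frame (FCS trailer omitted)."""
    segment = tcp_header(sport, dport, 1000, 0, 0x02, 65535, src, dst, app_data) + app_data  # 0x02 = SYN
    datagram = ip_header(src, dst, IPPROTO_TCP, len(segment)) + segment
    eth_hdr = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_P_IP)  # constructed dst/src MACs, type = IP
    return eth_hdr + datagram

def demultiplex(frame: bytes) -> dict:
    """Ethernet type -> IP protocol -> TCP port, checking checksums as each header is stripped."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return {"layer2": "not IP (e.g. ARP/RARP): handed to another handler"}
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # Total Length trims any Ethernet padding
    ihl = (ip[0] & 0x0F) * 4
    if checksum(ip[:ihl]) != 0:             # an intact header sums to zero
        return {"error": "bad IP header checksum"}
    out = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "proto": {IPPROTO_ICMP: "ICMP", IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}.get(ip[9], ip[9])}
    if ip[9] == IPPROTO_TCP:
        pseudo = ip[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(ip) - ihl)
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
        out.update(sport=sport, dport=dport, seq=seq, syn=bool(off_flags & 0x02),
                   tcp_csum_ok=checksum(pseudo + ip[ihl:]) == 0,
                   data=ip[ihl + (off_flags >> 12) * 4:])
    return out
```

Flipping a single header byte (the TTL, say) makes the IP checksum fail and the datagram is dropped before any port lookup happens, which is the integrity check the Header Checksum field exists for.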

TCP establishes a “virtual circuit” between client and server.

Establishment of a TCP connection (“3-way Handshake”)

Client -> Server: SYN. Client sends connection request, specifying a port to connect to on the server.
Server -> Client: SYN/ACK. Server responds with both an acknowledgement and a queue for the connection.
Client -> Server: ACK. Client returns an acknowledgement and the circuit is opened.
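The handshake as a small state machine, added here as an example and not part of the lecture: the server keeps the half-open connections from step 2 in a bounded queue, and step 3 only completes when the client's ACK carries the server's initial sequence number plus one, which is why a blind spoofed ACK fails. Addresses, ports and the backlog size are constructed values.

```python
import secrets
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10   # bits of the TCP Flags field

@dataclass
class Segment:
    src: str
    sport: int
    dport: int
    flags: int
    seq: int
    ack: int = 0

class Server:
    """Listening port with a bounded queue of half-open connections (the 'queue for the connection')."""
    def __init__(self, port: int, backlog: int = 3):
        self.port, self.backlog = port, backlog
        self.half_open: dict = {}      # (client addr, client port) -> server ISN sent in the SYN/ACK
        self.established: set = set()

    def receive(self, seg: Segment):
        """Return the reply segment, 'ESTABLISHED', or None when the segment is dropped."""
        key = (seg.src, seg.sport)
        if seg.dport != self.port:
            return None                                   # nothing listening (a real stack sends RST)
        if seg.flags == SYN:
            if len(self.half_open) >= self.backlog:
                return None                               # queue full: SYN dropped, client retransmits
            isn = secrets.randbelow(2 ** 32)              # unpredictable ISN; step 3 must echo isn + 1
            self.half_open[key] = isn
            return Segment("server", self.port, seg.sport, SYN | ACK, isn, (seg.seq + 1) % 2 ** 32)
        if seg.flags == ACK and key in self.half_open:
            if seg.ack != (self.half_open[key] + 1) % 2 ** 32:
                return None                               # ACK does not match our ISN: ignored
            del self.half_open[key]
            self.established.add(key)
            return "ESTABLISHED"
        return None

def client_connect(server: Server, addr: str, sport: int, isn: int = 5000):
    """Client side of the handshake: send SYN, check the SYN/ACK acknowledges isn + 1, send ACK."""
    synack = server.receive(Segment(addr, sport, server.port, SYN, isn))
    if not isinstance(synack, Segment) or synack.ack != isn + 1:
        return "FAILED"
    return server.receive(Segment(addr, sport, server.port, ACK, isn + 1, (synack.seq + 1) % 2 ** 32))
```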

User Datagram Protocol (UDP)

UDP is a connectionless transport layer protocol that provides no reliability and has no mechanism for connection establishment or termination.

UDP makes no guarantee about packet delivery. This “fire and forget” nature means a packet is placed on the network and you just hope it gets to where it was supposed to go.

UDP is commonly used for network services that are not sensitive to an occasional lost (dropped) packet.

Because of the relative overall reliability of the network, it has become less important to have a guaranteed service, and thus UDP is a good choice for many streaming services.

Application Protocols


- HTTP: HyperText Transfer Protocol
- FTP: File Transfer Protocol
- Telnet: a terminal communications facility
- SMTP: Simple Mail Transfer Protocol
- SSH: Secure SHell

Common Ports


Common ports used to facilitate communication between common protocols:
- HTTP: TCP port 80
- Telnet: TCP port 23
- FTP: TCP port 20 and 21
- SMTP: TCP port 25
- SSH: TCP port 22
- DNS: UDP and TCP port 53

Routing


The overall process of delivering a packet from point A to point B.

It is the job of the router to know where to send a packet in order to reach its destination.

Routing tables are used to determine where to send a packet.
- Static: entries entered once and not updated
- Routing Information Protocol (RIP): entire tables shared on a periodic basis. Not very efficient or secure.
- Open Shortest Path First (OSPF): table maintained to determine what the shortest path is to specific destinations. Tremendous overhead.
- Border Gateway Protocol (BGP): peer routers (neighbors) exchange routing information. Entire table initially loaded but subsequent changes limited to updates.

IP Addressing


We’re all familiar with the concept of URLs and IP addresses; we’ve been using them for a while. We normally like to recall the URL, not the IP address, but the network requires the address. DNS (Domain Name Service) solves this problem for us.

When you use a site’s name, your computer sends a DNS query to your local DNS server. If it knows the address it returns it; otherwise it sends a query to a higher-level domain server, which may forward the query further up, and so forth, until the address is obtained.

There are two basic ways to assign an IP address to a computer:
- Static: a specific address is assigned to a specific system and stays with it.
- DHCP (Dynamic Host Configuration Protocol): a dynamic addressing scheme that allows us to allocate IP addresses on a first-come, first-served basis. When a device connects to the network, it queries a DHCP server to obtain an IP address from a range of addresses. If the server runs out of addresses, the requestor is out of luck. This method allows more people to access the network without using as many addresses.

Network Address Translation (NAT)


There are a limited number of IP addresses available and not every system needs one.

NAT was developed to provide a means to translate private IP addresses into public IP addresses. A device (typically a router or firewall) will accomplish this translation process.

Firewall performs NAT:

Outbound, inside host -> firewall:   Source: 10.1.1.123      Destination: 207.25.71.23
Outbound, firewall -> Internet:      Source: 63.69.110.110   Destination: 207.25.71.23
Inbound, Internet -> firewall:       Source: 207.25.71.23    Destination: 63.69.110.110
Inbound, firewall -> inside host:    Source: 207.25.71.23    Destination: 10.1.1.123

Network Address Translation

A modern NAT gateway must change the Source address on every outgoing packet to be its single public address. It therefore also renumbers the Source Ports to be unique, so that it can keep track of each client connection. The NAT gateway uses a port mapping table to remember how it renumbered the ports for each client's outgoing packets. The port mapping table relates the client's real local IP address and source port plus its translated source port number to a destination address and port. The NAT gateway can therefore reverse the process for returning packets and route them back to the correct clients.

When any remote server responds to a NAT client, incoming packets arriving at the NAT gateway will all have the same Destination address, but the destination port number will be the unique Source Port number that was assigned by the NAT. The NAT gateway looks in its port mapping table to determine which "real" client address and port number a packet is destined for, and replaces these numbers before passing the packet on to the local client.
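The port mapping table described above, as an added Python model (not code from the slides) using the slide's addresses: 10.1.1.123 behind a gateway whose public address is 63.69.110.110, talking to 207.25.71.23. Packets are plain dicts; starting the translated ports at 40000 is an assumption. The inbound side only accepts a reply if it comes from the remote host the mapping was created for, so unsolicited packets to the public address are dropped.

```python
import itertools

class NatGateway:
    """Port-translating NAT: rewrite the source of outbound packets, reverse it for the replies."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = itertools.count(first_port)   # each new client connection gets a fresh port
        # translated source port -> (real client addr, real client port, destination addr, destination port)
        self.table = {}
        self.reverse = {}                              # the same mapping keyed the other way round

    def outbound(self, pkt: dict) -> dict:
        """Inside -> Internet: the source becomes the gateway's public address plus a unique port."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.reverse.get(key)
        if port is None:                               # first packet of this connection: allocate a mapping
            port = next(self.next_port)
            self.table[port], self.reverse[key] = key, port
        return {**pkt, "src": self.public_ip, "sport": port}

    def inbound(self, pkt: dict):
        """Internet -> inside: look the destination port up; drop anything without a matching mapping."""
        entry = self.table.get(pkt["dport"])
        if entry is None or pkt["dst"] != self.public_ip or (pkt["src"], pkt["sport"]) != entry[2:]:
            return None                                # unsolicited, or a reply from the wrong remote host
        real_ip, real_port = entry[:2]
        return {**pkt, "dst": real_ip, "dport": real_port}
```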

Internet Control Message Protocol (ICMP)

ICMP uses the IP datagram delivery facility to send its messages. The format for the ICMP message is as follows:

IP Header (20 bytes) | ICMP message: 8-bit type | 8-bit code | 16-bit checksum | contents (depends on type and code)

ICMP performs the following control, error reporting, and informational functions for TCP/IP:
- Flow Control
- Detecting unreachable destinations
- Redirecting routes
- Checking remote hosts (e.g. ping)

Internet Control Message Protocol (ICMP)

Type  Code  Message
0     0     Echo Reply
3     0     Net Unreachable
3     1     Host Unreachable
3     3     Port Unreachable
5     1     Host Redirect
8     0     Echo Request
11    0     Time-to-live exceeded
13    0     Timestamp Request
14    0     Timestamp Reply

Typical Net-based Attacks: Web

“Popular” and receives a great deal of media attention.

Attempt to exploit vulnerabilities in order to:
- Access sensitive data (e.g. credit card #’s)
- Deface the web page
- Disrupt, delay, or crash the server
- Redirect users to a different site

Typical Net-based attacks: Sniffing

Essentially eavesdropping on the network.

Takes advantage of the shared nature of the transmission media.

Passive in nature (i.e. just listening, not broadcasting).

The increased use of switching has made sniffing more difficult (less productive) but has not eliminated it (e.g. DNS poisoning will allow you to convince target hosts to send traffic to us intended for other systems).

Typical Net-Based Attacks: Spoofing, Hijacking, Replay

Spoofing attacks involve the attacker pretending to be someone else.

Hijacking involves the assumption of another system’s role in a “conversation” already taking place.

Replay occurs when the attacker retransmits a series of packets previously sent to a target host.

Typical Net-Based Attacks: Denial of Service

DOS and Distributed DOS (DDOS) attacks have received much attention in the media in the last year due to some high-profile attacks.

Several varieties:
- Flooding: sending more data than the target can process
- Crashing: sending data, often malformed, designed to disable the system or service
- Distributed: using multiple hosts in a coordinated attack effort against a target system.

IPv4 versus IPv6


From the IPv6 FAQ, what are the merits of IPv6?

scalability: IPv6 uses a 128-bit address space. Address length is 4 times longer than IPv4.

security: IPv6 basic specification includes security. It includes packet encryption (ESP: Encapsulated Security Payload) and source authentication (AH: Authentication Header). [confidentiality and authentication]

real-time: To support real-time traffic such as video conference, IPv6 has "Flow Label". Using flow label, routers can know which end-to-end flow a packet belongs to, and then find out the packet which belongs to real-time traffic. [needed to allow for prioritization of traffic]

autoconfiguration: IPv6 basic specification includes address autoconfiguration. So, even a novice user can connect their machine to the network.

specification optimization: IPv6 keeps good parts and discards old and useless parts of IPv4.


IP Security (IPSEC)


Optional in IPv4, supported in IPv6.

Two major modes:
- Tunnel: encrypts both the data and header portions of the packet.
- Transport: encrypts the data portion of the packet.

Requires both ends to be using IPSEC (obviously, since one end will encrypt, the other needs to be able to decrypt).

About IPSEC

(from the IPSEC FAQ)

IPsec = AH + ESP + IPcomp + IKE

IPsec consists of a couple of separate protocols, listed below:

Authentication Header (AH): provides authenticity guarantee for packets, by attaching strong crypto checksum to packets. If you receive a packet with AH and the checksum operation was successful, you can be sure about two things:
- The packet was originated by the expected peer. The packet was not generated by an impersonator.
- The packet was not modified in transit.

Encapsulating Security Payload (ESP): provides confidentiality guarantee for packets, by encrypting packets with encryption algorithms. If you receive a packet with ESP and successfully decrypted it, you can be sure that the packet was not wiretapped in the middle.

IP payload compression (IPcomp): ESP provides encryption service to the packets. However, encryption tends to negatively impact compression on the wire. IPcomp provides a way to compress packets before encryption by ESP (of course, you can use IPcomp alone if you wish to).

Internet Key Exchange (IKE): AH and ESP need shared secret keys between peers. For communication between distant locations, we need to provide ways to negotiate keys in secrecy. IKE will make this possible.


Ethernet


The most common physical layer protocol.

A shared media protocol, collisions possible. Uses CSMA/CD to control traffic.

Several different variations of Ethernet exist:
- 10Base-2: Thinnet (thin coax)
- 10Base-5: Thicknet (earliest version, thick coax)
- 10Base-T: Standard twisted pair Ethernet
- 100Base-T: Fast Ethernet
- 1000Base-T: Gigabit Ethernet

Summary


What is the Importance and Significance of this material?

How does this topic fit into the subject of “Voice and Data Security”?