© ITT Educational Services, Inc. All rights reserved.
IS3220 Information Technology Infrastructure Security
Unit 1: Essential TCP/IP Network Protocols and Applications
• Name: Williams Obinkyereh, MSc. IT, Post Masters Software Engineering, DSC (Doctor of Computer Science) Student
• Contacts:
– Phone: 612-516-9712
– Email: [email protected]
Introduction
• Class introduction
• Introduction of Course Syllabus
– Course Summary
– Lab Infrastructure (Mock)
– Course Plan
– Evaluation
– Academic integrity
• Discussion and questions about syllabus
Learning Objective
Review essential Transmission Control Protocol/Internet Protocol (TCP/IP) behavior and applications used in IP networking
Key Concepts
• TCP/IP protocol analysis using NetWitness Investigator
• Differentiating clear-text from cipher-text
• Essential TCP/IP characteristics
• IP networking protocol behavior
• Network management tools
EXPLORE: CONCEPTS
TCP/IP Networking and OSI Reference Models
OSI model (seven layers) mapped to the TCP/IP model (four layers):
• 7. Application, 6. Presentation, 5. Session → Application
• 4. Transport → Transport
• 3. Network → Internet
• 2. Data link, 1. Physical → Network Interface
TCP/IP Protocol Suite
• Application: Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Hypertext Transfer Protocol (HTTP), Tele-network (Telnet), File Transfer Protocol (FTP)
• Transport: Transmission Control Protocol (TCP), User Datagram Protocol (UDP)
• Internet: Internet Protocol (IP), IPSec, Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), and Internet Group Management Protocol (IGMP)
• Network Interface: Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP)
The Structure of a Packet
A Packet Moves Through the Protocol Stack
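The two slides above are diagrams of how a payload is wrapped in one header per layer on the way down the stack and unwrapped on the way up. The following added example (not from the slide deck) builds one frame layer by layer, a constructed DNS-style payload inside UDP, inside IPv4, inside Ethernet, and then decodes it again the way a protocol analyzer does. Ethernet stands in for the network-interface layer, the MAC and IP addresses are constructed, and every helper name is this example's own.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def ipv4_to_bytes(addr: str) -> bytes:
    """Dotted decimal -> 4 bytes, rejecting anything that is not a valid address."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {addr!r}")
    return bytes(int(o) for o in octets)


def bytes_to_ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ones_complement_checksum(data: bytes) -> int:
    """The Internet checksum carried in the IPv4 header (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    # A UDP checksum of 0 means "not computed", which IPv4 permits.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                         ttl, proto, 0, ipv4_to_bytes(src), ipv4_to_bytes(dst))
    csum = ones_complement_checksum(header)  # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_ethernet(src_mac: str, dst_mac: str, payload: bytes) -> bytes:
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + payload


def decode_frame(frame: bytes) -> dict:
    """Strip the layers off in the order the stack diagram shows them."""
    eth = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
           "ethertype": struct.unpack("!H", frame[12:14])[0]}
    ip_raw = frame[14:]
    ihl = (ip_raw[0] & 0x0F) * 4             # header length in bytes
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_raw[:20])
    ip = {"src": bytes_to_ipv4(src), "dst": bytes_to_ipv4(dst), "ttl": ttl, "proto": proto,
          # a header whose checksum is intact sums to zero when re-checksummed
          "checksum_ok": ones_complement_checksum(ip_raw[:ihl]) == 0}
    transport = ip_raw[ihl:total_len]
    sport, dport, length, _ = struct.unpack("!HHHH", transport[:8])
    udp = {"src_port": sport, "dst_port": dport, "length": length}
    return {"ethernet": eth, "ip": ip, "udp": udp, "payload": transport[8:length]}


# Constructed payload: a DNS header plus one question for example.test (not a real capture).
DNS_QUERY = bytes.fromhex("abcd01000001000000000000") + b"\x07example\x04test\x00\x00\x01\x00\x01"


def build_sample_frame() -> bytes:
    """Host 192.168.0.10 asking resolver 192.168.0.1 on UDP/53 (all constructed)."""
    udp = build_udp(51234, 53, DNS_QUERY)
    ip = build_ipv4("192.168.0.10", "192.168.0.1", PROTO_UDP, udp)
    return build_ethernet("02:00:00:00:00:0a", "02:00:00:00:00:01", ip)


if __name__ == "__main__":
    for layer, fields in decode_frame(build_sample_frame()).items():
        print(layer, fields)
```

The decoder deliberately trusts the length fields the way an analyzer does, and `checksum_ok` is the same test Wireshark performs when it flags a bad IPv4 header checksum.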
Protocol Analysis
Functions of a Protocol Analyzer
Why analyze data packets?
• Detect network problems, such as bottlenecks
• Detect network intrusions
• Check for vulnerabilities
• Gather network statistics
What does a protocol analyzer do?
• Captures and decodes data packets traveling on a network
• Allows you to read and analyze them
NetWitness Investigator
Threat analysis software
– Protocol Analyzer
• Captures raw packets from wired and wireless interfaces
• Analyzes real-time data throughout the seven layers
NetWitness Investigator (cont.)
• Filters by Media Access Control (MAC) address, IP address, user, and more
• Supports Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6)
• Gets daily threat intelligence data from the SANS Internet Storm Center
• Freely available
Wireshark
Network protocol analyzer
• Captures Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and other packets
• Analyzes real-time and saved data
• Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and others
• Supports IPv4 and IPv6
• Allows Voice over IP (VoIP) analysis
• Freely available
EXPLORE: PROCESS
Packet Capture Using NetWitness Investigator
• Start the capture
• Verify capture configuration settings: Network Adapter, Advanced Capture Settings, and Evidence Handling
• Define rules for capture: Filters and alerts
• Select parsers to use with capture: Geolocation IP (GeoIP), Search, FLEXPARSE
Trace Analysis Using NetWitness Investigator
Navigation
• Select a collection.
• Click Navigation.
• Select a report.
• Select a group of sessions.
Search
• Search for specific content.
• Open a collection.
• Click the Content Search icon.
• Search on keyword or regular expression.
TCP/IP Transaction Sessions
Connection-oriented
• Sender
– Breaks data into packets
– Attaches packet numbers
• Receiver
– Acknowledges receipt; lost packets are resent
– Reassembles packets in correct order
TCP Three-Way Handshake
Host and Server:
1 – SYN (Host → Server)
2 – SYN/ACK (Server → Host)
3 – ACK (Host → Server)
Synchronize (SYN), Acknowledge (ACK)
TCP Connection Termination
Host and Server:
1 – ACK/FIN (from the side closing first)
2 – ACK (from the other side)
3 – ACK/FIN (from the other side)
4 – ACK (from the side that closed first)
Acknowledge (ACK), Finish (FIN)
TCP Connection Reset
Host and Server:
1 – SYN (Host → Server)
2 – SYN/ACK (Server → Host)
3 – RST (Host → Server)
Synchronize (SYN), Acknowledge (ACK), Reset (RST)
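The three diagrams above (handshake, termination, reset) are the whole life-cycle an analyzer has to follow per session. The following added example, not from the slide deck, is a small state tracker that walks constructed segments through exactly those transitions and reports where each session ended up; a session that stops after the first SYN is the half-open case that matters later for spotting scans. The `Segment` record and the "ip:port" endpoint notation are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str           # sending endpoint as "ip:port" (constructed sample data)
    dst: str           # receiving endpoint
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}


def track_session(segments):
    """Return the final state of one session from its segments in capture order.

    NEW -> SYN_SENT -> SYN_RECEIVED -> ESTABLISHED follows the three-way
    handshake; two FIN/ACK exchanges after that give CLOSING -> CLOSED; a RST
    at any point gives RESET. A session left in SYN_SENT is half-open.
    """
    state = "NEW"
    fins = 0
    for seg in segments:
        f = seg.flags
        if "RST" in f:
            return "RESET"
        if state == "NEW" and f == {"SYN"}:
            state = "SYN_SENT"
        elif state == "SYN_SENT" and f == {"SYN", "ACK"}:
            state = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and f == {"ACK"}:
            state = "ESTABLISHED"
        elif state in ("ESTABLISHED", "CLOSING") and "FIN" in f:
            fins += 1                      # one FIN from each side is needed
            state = "CLOSING"
        elif state == "CLOSING" and f == {"ACK"} and fins == 2:
            state = "CLOSED"
    return state


def session_key(seg):
    """Both directions of a connection map to the same key."""
    return tuple(sorted((seg.src, seg.dst)))


def summarize(segments):
    """Map every session in a capture to its final state."""
    by_session = defaultdict(list)
    for seg in segments:
        by_session[session_key(seg)].append(seg)
    return {key: track_session(segs) for key, segs in by_session.items()}


def seg(src, dst, *flags):
    return Segment(src, dst, frozenset(flags))


# Constructed capture: one normal session that opens and closes cleanly,
# one that is reset after SYN/ACK, and one SYN that is never answered.
H, S = "192.168.0.10:51000", "192.168.0.20:80"
H2 = "192.168.0.10:51001"
H3 = "192.168.0.10:51002"
SAMPLE = [
    seg(H, S, "SYN"), seg(S, H, "SYN", "ACK"), seg(H, S, "ACK"),     # handshake
    seg(H2, S, "SYN"), seg(S, H2, "SYN", "ACK"), seg(H2, S, "RST"),  # reset
    seg(H, S, "FIN", "ACK"), seg(S, H, "ACK"),                       # termination
    seg(S, H, "FIN", "ACK"), seg(H, S, "ACK"),
    seg(H3, S, "SYN"),                                               # never answered
]

if __name__ == "__main__":
    for key, state in summarize(SAMPLE).items():
        print(key, state)
```

Segments of different sessions are interleaved in `SAMPLE` on purpose, since that is how they arrive in a real capture; `summarize` has to demultiplex them before the per-session state machine makes sense.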
EXPLORE: CONTEXT
IPv4 Addressing
• Assigned to computers for identification on a network
• 32-bit address space
• Internet routing uses numeric IP addresses
• Dotted decimal notation
– Example: 192.168.0.10
• IP addresses in packet headers
• A packet makes many hops between source and destination
Network Protocol Examination
Normal Packet
• Connecting to an FTP server
• Port 53 (DNS) in UDP
• Three-way handshake completes
Packet Showing Evidence of Port Scan
• Series of TCP packets, part of three-way handshake
• Arrange segments in sequential order by source port
• Destination ports also in sequential order
• Classic TCP port scan
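The port-scan slide gives the analyst's recipe in words: take the SYN segments from one source, order them by source port, and see whether the destination ports climb in step while no handshake ever completes. The following added example, not from the slide deck, turns that recipe into a detector run over a constructed packet list of `(src_ip, src_port, dst_ip, dst_port, flags)` tuples, with a scanning host next to an ordinary client so the two can be told apart. The tuple layout and the `min_run` threshold are assumptions for this example.

```python
from collections import defaultdict


def find_syn_scan_candidates(packets, min_run=5):
    """Report sources whose SYN-only segments, ordered by source port as the
    slide suggests, hit a run of at least `min_run` consecutive destination
    ports, and how many of those SYNs were never followed by the source's ACK."""
    syns_by_src = defaultdict(list)
    completed = set()   # 4-tuples that carried the final ACK of a handshake
    for src_ip, sport, dst_ip, dport, flags in packets:
        if flags == {"SYN"}:
            syns_by_src[src_ip].append((sport, dst_ip, dport))
        elif flags == {"ACK"}:
            completed.add((src_ip, sport, dst_ip, dport))

    findings = {}
    for src_ip, syns in syns_by_src.items():
        syns.sort()                                  # sequential by source port
        longest = run = 1
        for (_, _, prev), (_, _, cur) in zip(syns, syns[1:]):
            run = run + 1 if cur == prev + 1 else 1  # destination ports stepping by one
            longest = max(longest, run)
        if longest >= min_run:
            half_open = sum((src_ip, sport, dst_ip, dport) not in completed
                            for sport, dst_ip, dport in syns)
            findings[src_ip] = {
                "syn_count": len(syns),
                "distinct_dst_ports": len({d for _, _, d in syns}),
                "longest_sequential_run": longest,
                "half_open": half_open,
            }
    return findings


# Constructed capture: 10.0.0.5 probes ports 20-29 on 10.0.0.20 from rising
# source ports and gets RST/ACK back (closed ports); 10.0.0.7 completes two
# ordinary handshakes to ports 80 and 443.
SCANNER, TARGET, CLIENT = "10.0.0.5", "10.0.0.20", "10.0.0.7"
SAMPLE = []
for i in range(10):
    SAMPLE.append((SCANNER, 40000 + i, TARGET, 20 + i, {"SYN"}))
    SAMPLE.append((TARGET, 20 + i, SCANNER, 40000 + i, {"RST", "ACK"}))
for sport, dport in ((51000, 80), (51001, 443)):
    SAMPLE += [(CLIENT, sport, TARGET, dport, {"SYN"}),
               (TARGET, dport, CLIENT, sport, {"SYN", "ACK"}),
               (CLIENT, sport, TARGET, dport, {"ACK"})]

if __name__ == "__main__":
    for src, info in find_syn_scan_candidates(SAMPLE).items():
        print(src, info)
```

Sequential ports are only the classic signature the slide names; a scanner that randomises port order defeats the `longest_sequential_run` test, which is why the output also carries `distinct_dst_ports` and `half_open` as the more robust counts to alert on.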
Clear-Text vs. Encrypted Protocols
Clear-text Protocols
• Are human readable
• FTP, Telnet, Simple Mail Transfer Protocol (SMTP), HTTP, Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAPv4), Network Basic Input/Output System (NetBIOS), Simple Network Management Protocol (SNMP)
Encrypted Protocols
• Are not human readable
• Secure Shell (SSH), SSH File Transfer Protocol (SFTP), HTTP Secure (HTTPS)
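"Human readable" versus "not human readable" is something an analyzer can measure on the payload bytes themselves. The following added example, not from the slide deck, applies two such heuristics, printable-character ratio and Shannon entropy, to a constructed FTP login exchange and to pseudo-random bytes standing in for an encrypted record, and lists which command verbs a clear-text session leaves visible. The thresholds and sample payloads are assumptions for this example; a real classification also needs the port and protocol decode, since compressed data looks much like ciphertext under both measures.

```python
import hashlib
import math

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}   # ASCII text plus tab/LF/CR


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes a person could read on screen."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)


def shannon_entropy(payload: bytes) -> float:
    """Bits per byte: ciphertext approaches 8, English text sits around 4 to 5."""
    if not payload:
        return 0.0
    counts = {}
    for b in payload:
        counts[b] = counts.get(b, 0) + 1
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_payload(payload: bytes, min_printable=0.9, min_entropy=6.0) -> str:
    """Coarse label for one payload; thresholds are assumptions for this example."""
    if printable_ratio(payload) >= min_printable:
        return "clear-text"
    if shannon_entropy(payload) >= min_entropy:
        return "encrypted-or-compressed"
    return "binary"


def visible_commands(payload: bytes):
    """Command verbs readable in a clear-text session (on FTP that includes PASS)."""
    verbs = []
    for line in payload.split(b"\r\n"):
        if line[:1].isalpha() and line.isascii():      # skip numeric reply codes
            verbs.append(line.split(b" ", 1)[0].decode())
    return verbs


# Constructed FTP login, not a real capture.
FTP_SESSION = (b"220 ftp.example.test FTP server ready\r\n"
               b"USER alice\r\n"
               b"331 Password required for alice\r\n"
               b"PASS hunter2\r\n"
               b"230 User alice logged in\r\n")


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) so the example runs offline."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


# Stand-in for an encrypted record; constructed, not taken from a TLS or SSH session.
OPAQUE_RECORD = pseudo_random_bytes(b"constructed stand-in for a TLS record", 256)

if __name__ == "__main__":
    for name, payload in (("FTP", FTP_SESSION), ("opaque", OPAQUE_RECORD)):
        print(name, classify_payload(payload),
              round(printable_ratio(payload), 2), round(shannon_entropy(payload), 2))
    print("visible verbs:", visible_commands(FTP_SESSION))
```

The `visible_commands` output is the practical point of the slide: on the clear-text side the `USER` and `PASS` lines are there for anyone holding the capture, while the opaque record yields nothing to read.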
Summary
• TCP/IP protocol analysis using NetWitness Investigator
• Differentiating clear-text from cipher-text
• Essential TCP/IP characteristics
• IP networking protocol behavior
• Network management tools