ITP 457 Network Security
DESCRIPTION
ITP 457 Network Security. Networking Technologies III: IP, Subnets & NAT. PowerPoint presentation transcript.
![Page 1: ITP 457 Network Security](https://reader035.vdocuments.us/reader035/viewer/2022062309/56813be4550346895da5113d/html5/thumbnails/1.jpg)
ITP 457 Network Security
Networking Technologies III
IP, Subnets & NAT
Internet Protocol (IP)
IP handles end-to-end delivery
Most commonly used network layer protocol
All traffic on the internet uses IP
Internet Protocol (IP)
Upon receiving a segment from the transport layer, the IP layer generates a header
Header includes: source and destination IP addresses (plus version, header length, total length, TTL, protocol number, header checksum and the fragmentation fields)
Header is added to the front of the TCP segment to create the resulting IP packet.
Purpose of IP is to carry packets end to end across a network.
IP header
Source IP address
Destination IP address
Data
IP addresses
Identify each individual machine on the internet
32 bits in length (IPv4)
Hackers attempt to determine all IP addresses in use on a target network – "network mapping"
Hackers generate bogus packets appearing to come from a given IP address – "IP address spoofing"
IP Addresses in depth
32 bits, written as four 8-bit groupings (octets), e.g. 192.168.0.1
Each number between the dots can be between 0 and 255
About 4 billion (2^32) combinations
Not really: addresses are allocated in groups called address blocks
3 sizes, based on the class of the address: Class A, Class B, and Class C
Class A Addresses
Giant organizations
There are no more available
All Class A addresses are of the form: 1 – 126.x.x.x, where x can be between 0 and 255 (first octet 0 is reserved and 127 is loopback, so neither is a usable Class A block)
The first octet is assigned to the owner, with the remaining three octets being freely distributable to the nodes
Has a 24-bit host address space: 2^24 - 2 = 16,777,214 usable hosts per block
Class A blocks account for half of the total IP addresses available!!!
Who owns these??? Internet Service Providers and large internet companies: Google, CNN, WB
Class B Addresses
Large campuses or organizations. Example: colleges, including USC
These are running out!!!
All Class B addresses are of the form: 128 – 191.x.x.x, where x can take any number between 0 and 255
The first two octets are assigned to the address block owner, with the last two being freely distributable
Example: 128.125.x.x USC
Example: 169.232.x.x UCLA
16-bit host address space: 2^16 - 2 = 65,534 usable hosts per block
¼ of all IP addresses belong to Class B
Class C Addresses
Small to mid-sized businesses
A fair number left
All Class C addresses have the following format: 192 – 223.x.x.x
The first three octets are assigned, with the last being freely distributable
Only 254 usable host addresses within a Class C block (256 minus the network address .0 and the broadcast address .255), or 253 once the router takes one of them
Reserved Addresses
Private networks (not routed on the public internet): 10.x.x.x (10.0.0.0/8), 172.16.x.x through 172.31.x.x (172.16.0.0/12), 192.168.x.x (192.168.0.0/16)
127.x.x.x – loopback (the local host itself, not the local network)
255.255.255.255 – limited broadcast – sends to everyone on the local network segment; routers do not forward it
Netmasks
An IP address has 2 components: a network address and a host address
The split is determined by the netmask; in classful addressing the class of the address implies the mask (Class A: 255.0.0.0, Class B: 255.255.0.0, Class C: 255.255.255.0)
Example (Class C): IP address: 192.168.3.16, netmask: 255.255.255.0, network address: 192.168.3.0, host address: 16
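Added worked example, not from the slides: a small Python script that applies the classful rules from the last few slides. It takes a dotted-quad address, determines its class from the first octet, derives the implied netmask, splits the address into network and host parts, flags the private, loopback and limited-broadcast ranges as non-routable, and counts usable hosts. The `same_network` helper shows why the mask matters: two hosts that share a Class C network fall on different subnets once the mask is lengthened. Everything here uses only the standard `ipaddress` module; the function names are the example's own.

```python
import ipaddress

# Classful ranges by first octet and the default netmask each class implies (IPv4).
# Classes D and E have no host portion, so their mask is None.
CLASSES = [
    ("A", 1, 126, "255.0.0.0"),
    ("B", 128, 191, "255.255.0.0"),
    ("C", 192, 223, "255.255.255.0"),
    ("D", 224, 239, None),   # multicast
    ("E", 240, 255, None),   # experimental / reserved
]

# Ranges the slides call "reserved": private blocks and loopback.
RESERVED = [
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),   # 172.16.x.x .. 172.31.x.x
    ("private", ipaddress.ip_network("192.168.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
]


def address_class(addr: str):
    """Return (class name, default netmask) from the first octet alone."""
    first = int(addr.split(".")[0])
    if first == 0:
        return ("reserved", None)
    if first == 127:
        return ("loopback", "255.0.0.0")
    for name, lo, hi, mask in CLASSES:
        if lo <= first <= hi:
            return (name, mask)
    raise ValueError("not an IPv4 address: %s" % addr)


def split_address(addr: str, mask: str):
    """AND the address with the mask: (network address as string, host number as int)."""
    net = ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)
    host = int(ipaddress.ip_address(addr)) & int(net.hostmask)
    return str(net.network_address), host


def same_network(a: str, b: str, mask: str) -> bool:
    """True if both addresses land on the same network under this mask."""
    return split_address(a, mask)[0] == split_address(b, mask)[0]


def classify(addr: str) -> dict:
    """Everything the slides say about an address, in one dictionary."""
    cls, mask = address_class(addr)
    info = {"address": addr, "class": cls, "netmask": mask, "routable": True}
    ip = ipaddress.ip_address(addr)
    if addr == "255.255.255.255":
        info.update(scope="limited broadcast", routable=False)
    for label, net in RESERVED:
        if ip in net:
            info.update(scope=label, routable=False)
    if mask:
        info["network"], info["host"] = split_address(addr, mask)
        prefix = ipaddress.IPv4Network("0.0.0.0/" + mask).prefixlen
        # subtract the network address and the directed broadcast address
        info["usable_hosts"] = 2 ** (32 - prefix) - 2
    return info


if __name__ == "__main__":
    for a in ("192.168.3.16", "128.125.1.2", "8.8.8.8", "172.32.1.1", "127.0.0.1"):
        print(classify(a))
    print(same_network("192.168.3.16", "192.168.3.200", "255.255.255.0"))    # same Class C
    print(same_network("192.168.3.16", "192.168.3.200", "255.255.255.128"))  # split by a longer mask
```

Note that 172.32.1.1 comes out as routable: the private range is 172.16.0.0/12, which stops at 172.31.255.255, a detail the "172.16.x.x" shorthand on the slide hides.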
Packet Fragmentation
Various transmission media have different characteristics
Some require short packets, others allow longer packets (each link has a maximum transmission unit, the MTU)
E.g. satellite – longer packets; local LAN – shorter packets
Packet Fragmentation
To fit packets to the MTU of each communication link, IP lets network elements (routers and firewalls) slice a packet into smaller pieces, a process called fragmentation. Every fragment carries the original packet's identification field, a fragment offset and a "more fragments" flag.
The end system's IP layer is responsible for reassembling all fragments
Hackers use packet fragmentation to avoid being detected by Intrusion Detection Systems, e.g. by splitting an attack signature across fragments, or by sending overlapping fragments that the IDS and the target reassemble differently
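Added worked example, not from the slides, covering both the IP header slide and the two fragmentation slides. It builds a real 20-byte IPv4 header with a correct RFC 1071 checksum, parses it back (rejecting a bad version, a length that overruns the buffer or a bad checksum), then does what a router does when a datagram is larger than the next link's MTU, and what the end system does to put the pieces back together. The reassembler deliberately refuses gaps and overlaps rather than guessing, because overlapping fragments are the classic way to make an IDS and the target see different payloads. Addresses are from the 203.0.113.0/24 documentation range; the function names are the example's own.

```python
import struct

DF, MF = 2, 1   # flag values for build_ipv4: DF becomes 0x4000 and MF 0x2000 once shifted into the field


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_ipv4(src, dst, payload, ident=0x1234, flags=0, offset=0, proto=6, ttl=64):
    """Prepend a 20-byte IPv4 header (no options). offset is in 8-byte units, as on the wire."""
    frag_field = (flags << 13) | offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag_field,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill in the checksum field
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header; raise on anything a careful stack should refuse."""
    if len(pkt) < 20:
        raise ValueError("truncated packet")
    vihl, _tos, total_len, ident, frag_field, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0xF) * 4
    if version != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if checksum(pkt[:ihl]) != 0:               # a valid header sums to zero with its checksum included
        raise ValueError("bad header checksum")
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "id": ident, "ttl": ttl, "proto": proto,
            "df": bool(frag_field & 0x4000), "mf": bool(frag_field & 0x2000),
            "offset": (frag_field & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


def fragment(pkt: bytes, mtu: int) -> list:
    """Router behaviour: split a datagram so each fragment fits the next link's MTU."""
    h = parse_ipv4(pkt)
    if h["df"]:
        raise ValueError("DF set: router must drop the packet and send ICMP 'fragmentation needed'")
    chunk = (mtu - 20) // 8 * 8                # all fragments but the last carry a multiple of 8 bytes
    if chunk <= 0:
        raise ValueError("MTU too small for an IPv4 fragment")
    frags, off = [], 0
    while off < len(h["payload"]):
        piece = h["payload"][off:off + chunk]
        last = off + chunk >= len(h["payload"])
        frags.append(build_ipv4(h["src"], h["dst"], piece, ident=h["id"],
                                flags=0 if last and not h["mf"] else MF,
                                offset=(h["offset"] + off) // 8, proto=h["proto"], ttl=h["ttl"]))
        off += chunk
    return frags


def reassemble(frags: list) -> bytes:
    """End-system behaviour: rebuild the datagram, refusing overlaps and gaps instead of guessing."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda h: h["offset"])
    first, expected, data = parts[0], 0, bytearray()
    for h in parts:
        if (h["id"], h["src"], h["dst"], h["proto"]) != (first["id"], first["src"], first["dst"], first["proto"]):
            raise ValueError("fragment belongs to a different datagram")
        if h["offset"] < expected:
            raise ValueError("overlapping fragment at offset %d" % h["offset"])   # IDS-evasion pattern
        if h["offset"] > expected:
            raise ValueError("missing fragment before offset %d" % h["offset"])
        data += h["payload"]
        expected += len(h["payload"])
    if parts[-1]["mf"]:
        raise ValueError("last fragment not received")
    return build_ipv4(first["src"], first["dst"], bytes(data), ident=first["id"],
                      proto=first["proto"], ttl=first["ttl"])


if __name__ == "__main__":
    pkt = build_ipv4("10.0.0.5", "203.0.113.9", b"A" * 1000)     # constructed 1020-byte datagram
    pieces = fragment(pkt, 576)                                   # fits a 576-byte link
    print(len(pieces), [parse_ipv4(p)["offset"] for p in pieces])
    print(reassemble(pieces) == pkt)
```

With a 576-byte MTU the 1000-byte payload becomes a 552-byte fragment (offset 0, MF set) and a 448-byte fragment (offset 552, MF clear); feeding the two back in any order reproduces the original packet byte for byte, while a forged third fragment whose offset lands inside the first one is rejected.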
Lack of Security in IP
IP version 4 does not include any security by itself
All fields of a packet are in clear text; nothing is encrypted or authenticated
Anything in the header or data segment can be viewed or modified by a hacker on the path
TCP/UDP hijacking, "man-in-the-middle" attacks
ICMP
ICMP – Internet Control Message Protocol
It is the network plumber: its job is to transmit command and control information between networks and systems (error reports such as "destination unreachable" and diagnostics such as echo)
ICMP examples
"ping" request = ICMP Echo Request message
If the "pinged" system is alive it will respond with an ICMP Echo Reply message
Try pinging www.google.com, www.yahoo.com, www.cnn.com
Will they all work? Some sites have disabled ping. Why?
Ping-of-death – a ping too big (an echo request whose reassembled size exceeds the 65,535-byte IP maximum, which crashed old IP stacks)
Ping flooding – a type of denial-of-service attack
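Added worked example, not from the slides: both sides of the ping exchange in Python. `build_echo` produces an ICMP Echo Request exactly as `ping` would (type 8, code 0, identifier, sequence number, payload, RFC 1071 checksum), and `EchoResponder` is the host side: it checks the checksum, answers with an Echo Reply carrying the same identifier, sequence and payload, and shows the two policies the slide asks about, ignoring echo requests entirely ("ping disabled") or answering only a bounded number per source per second so that a ping flood does not turn the host into a packet generator. Messages are constructed in the script; the class and function names are the example's own.

```python
import struct
import time

ECHO_REPLY, ECHO_REQUEST = 0, 8          # ICMP type values
MAX_IPV4_DATAGRAM = 65535                # total length field is 16 bits


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum over the whole ICMP message (header + payload)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8) or reply (type 0): type, code, checksum, id, sequence, data."""
    hdr = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp(msg: bytes) -> dict:
    if len(msg) < 8:
        raise ValueError("short ICMP message")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if inet_checksum(msg) != 0:          # valid message sums to zero with its checksum included
        raise ValueError("bad ICMP checksum")
    return {"type": msg_type, "code": code, "id": ident, "seq": seq, "payload": msg[8:]}


class EchoResponder:
    """Host-side echo handling: answer, stay silent (ping disabled), or rate-limit a flood."""

    def __init__(self, answer_pings=True, max_per_second=10):
        self.answer_pings = answer_pings
        self.max_per_second = max_per_second
        self._window = {}                # source address -> (window start, requests seen)

    def handle(self, src: str, msg: bytes, now=None):
        """Return the Echo Reply bytes to send back to src, or None to send nothing."""
        now = time.monotonic() if now is None else now
        if 20 + len(msg) > MAX_IPV4_DATAGRAM:
            return None                  # cannot be a legal datagram (ping-of-death territory)
        req = parse_icmp(msg)            # raises on a corrupted message
        if req["type"] != ECHO_REQUEST or req["code"] != 0:
            return None                  # only echo requests are answered
        if not self.answer_pings:
            return None                  # "some sites have disabled ping"
        start, count = self._window.get(src, (now, 0))
        if now - start >= 1.0:           # new one-second window for this source
            start, count = now, 0
        count += 1
        self._window[src] = (start, count)
        if count > self.max_per_second:
            return None                  # ping flood: drop rather than amplify the attack
        return build_echo(ECHO_REPLY, req["id"], req["seq"], req["payload"])


if __name__ == "__main__":
    request = build_echo(ECHO_REQUEST, 0x1234, 1, b"abcdefgh")        # constructed ping
    reply = EchoResponder().handle("198.51.100.5", request)
    print(parse_icmp(reply))
    print(EchoResponder(answer_pings=False).handle("198.51.100.5", request))
```

The rate limit is per source address, which is also its weakness: a flood sent with spoofed source addresses spreads across many windows, which is one reason operators drop echo at the border instead of relying on the host.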
Routers and packets
Routers transfer packets from network to network
They determine the path that a packet should take across the network, specifying hop by hop which network segments the packets should bounce through as they travel
Most networks use dynamic routing (RIP, EIGRP)
We will be discussing these technologies later in the course
Network address translation
NAT
Blocks of addresses are allotted to ISPs and organizations (the classes of IP addresses above)
What happens when we have more computers than IP addresses?
We have a Class C address – allows 253 computers. Our organization has 1000 computers. What do we do???
Solution?
Reserve a range of IP addresses to build your own IP network: 10.x.y.z, 172.16.y.z through 172.31.y.z, 192.168.y.z – un-routable (private) IP addresses
How to connect these machines to the Internet?
Network Address Translation
Use a gateway/router to map private (non-routable) addresses to valid public IP addresses: it translates your local address to a routable address
Router receives one public IP address
Internal nodes are either assigned non-routable addresses statically, or dynamically via DHCP (Dynamic Host Configuration Protocol)
When someone inside the network wants to access a computer outside the local network (the internet), the request is sent to the router, which uses NAT to rewrite the source address (and usually the source port) before forwarding it to the internet, and reverses the mapping on the reply
NAT and security?
Does NAT improve security? It hides internal IP addresses from the hacker, and an unsolicited inbound packet has no translation entry, so the router drops it
NAT is not an access-control mechanism, though: NAT must be combined with "firewalls" for optimum security
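Added worked example, not from the slides: a port-address-translation gateway in Python, the form of NAT the two NAT slides describe (many private hosts behind one public address). Packets are plain dictionaries with `src`, `sport`, `dst`, `dport` and `proto`, a simplification for the example. On the way out the gateway replaces the private source address with its single public address and a public port it allocates per flow, recording the mapping; on the way in it forwards only packets that match a recorded mapping, so an internal address never appears on the internet side and an unsolicited probe from outside has nowhere to go. The public address 203.0.113.7 and the outside hosts in 198.51.100.0/24 are documentation-range addresses chosen for the example; the class and method names are the example's own.

```python
import ipaddress
import itertools


class Nat:
    """Port-address translation: one public IP in front of a private network."""

    def __init__(self, public_ip: str, private_net="192.168.0.0/16", first_port=40000):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self._next_port = itertools.count(first_port)
        self._out = {}   # (inside ip, inside port, proto, outside ip, outside port) -> public port
        self._in = {}    # (public port, proto, outside ip, outside port) -> (inside ip, inside port)

    def outbound(self, pkt: dict) -> dict:
        """Packet leaving the private network: swap the private source for the public one."""
        if ipaddress.ip_address(pkt["src"]) not in self.private_net:
            raise ValueError("outbound packet is not from the private network")
        key = (pkt["src"], pkt["sport"], pkt["proto"], pkt["dst"], pkt["dport"])
        port = self._out.get(key)
        if port is None:                       # first packet of this flow: allocate a mapping
            port = next(self._next_port)
            self._out[key] = port
            self._in[(port, pkt["proto"], pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: dict):
        """Packet arriving from the internet: forwarded only if an inside host opened the flow."""
        if pkt["dst"] != self.public_ip:
            return None
        mapping = self._in.get((pkt["dport"], pkt["proto"], pkt["src"], pkt["sport"]))
        if mapping is None:
            return None                        # unsolicited: dropped, inside address never revealed
        inside_ip, inside_port = mapping
        return dict(pkt, dst=inside_ip, dport=inside_port)

    def mappings(self) -> int:
        """Number of active translation entries (one per flow)."""
        return len(self._out)


if __name__ == "__main__":
    nat = Nat("203.0.113.7")
    # constructed packets: inside host 192.168.1.10 opens a web connection to 198.51.100.20
    out = nat.outbound({"src": "192.168.1.10", "sport": 51000, "dst": "198.51.100.20",
                        "dport": 80, "proto": "tcp"})
    print(out)                                 # src is now 203.0.113.7:40000
    reply = {"src": "198.51.100.20", "sport": 80, "dst": "203.0.113.7", "dport": 40000, "proto": "tcp"}
    print(nat.inbound(reply))                  # delivered to 192.168.1.10:51000
    probe = {"src": "198.51.100.9", "sport": 4444, "dst": "203.0.113.7", "dport": 40000, "proto": "tcp"}
    print(nat.inbound(probe))                  # None: nobody inside asked for this
```

The inbound lookup keys on the outside host and port as well as the public port, so even a probe aimed at a port that is in use is dropped unless it comes from the peer the inside host contacted. Real NAT devices differ in how strict this filtering is, which is exactly why the slide says NAT is no substitute for a firewall.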
Firewalls
Network traffic cops: tools that control the flow of traffic going between networks
By looking at the addresses (and the protocol and port numbers) associated with traffic, firewalls determine whether connections should be transmitted or dropped
We will cover the setup and configuration of firewalls in great depth later in class
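Added worked example, not from the slides, to make the "traffic cop" concrete: an address-based packet filter in Python with an ordered rule list, first match wins, and a default of drop. The rule set is a constructed one for the NAT scenario above (a public address 203.0.113.7 serving a web site in front of a 192.168.0.0/16 private network): inbound packets claiming a private source address are dropped first, since they can only be spoofed, then the web port is opened, then anything the inside network originates is allowed out. The names and the rule set are the example's own; the packets are constructed.

```python
import ipaddress


class Rule:
    """One filter rule: action, direction, protocol, source network, destination network, optional port."""

    def __init__(self, action, direction, proto, src, dst, dport=None):
        self.action, self.direction, self.proto, self.dport = action, direction, proto, dport
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)

    def matches(self, pkt: dict) -> bool:
        return (pkt["direction"] == self.direction
                and self.proto in ("any", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or pkt.get("dport") == self.dport))


class Firewall:
    """Ordered rule list; the first matching rule decides; nothing matching is dropped."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "drop"                                       # default deny


# Constructed policy for a site at 203.0.113.7 with a 192.168.0.0/16 private network behind it.
RULES = [
    Rule("drop", "in", "any", "10.0.0.0/8", "0.0.0.0/0"),          # anti-spoofing: private source from outside
    Rule("drop", "in", "any", "172.16.0.0/12", "0.0.0.0/0"),
    Rule("drop", "in", "any", "192.168.0.0/16", "0.0.0.0/0"),
    Rule("allow", "in", "tcp", "0.0.0.0/0", "203.0.113.7/32", 80),  # public web server
    Rule("allow", "out", "any", "192.168.0.0/16", "0.0.0.0/0"),    # inside hosts may reach the internet
]

FIREWALL = Firewall(RULES)


def decide(pkt: dict) -> str:
    """Apply the example policy to one packet."""
    return FIREWALL.decide(pkt)


if __name__ == "__main__":
    samples = [   # constructed packets
        {"direction": "in", "proto": "tcp", "src": "198.51.100.9", "dst": "203.0.113.7", "dport": 80},
        {"direction": "in", "proto": "tcp", "src": "198.51.100.9", "dst": "203.0.113.7", "dport": 22},
        {"direction": "in", "proto": "tcp", "src": "192.168.1.10", "dst": "203.0.113.7", "dport": 80},
        {"direction": "out", "proto": "udp", "src": "192.168.1.10", "dst": "198.51.100.53", "dport": 53},
        {"direction": "out", "proto": "udp", "src": "10.0.0.5", "dst": "198.51.100.53", "dport": 53},
    ]
    for p in samples:
        print(p["direction"], p["src"], "->", p["dst"], p.get("dport"), decide(p))
```

Rule order is the whole game: moving the web-server allow above the anti-spoofing drops would let a packet forged with a private source reach port 80, which is why this style of filter is read top to bottom when it is audited.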