Networking Concepts, Module A (Copyright Pearson Prentice Hall 2013)

Transcript of a 64-page slide deck; uploaded by aileen-sims, posted 13-Jan-2016.

Page 1: Networking Concepts Module A Copyright Pearson Prentice Hall 2013

Networking Concepts
Module A
Copyright Pearson Prentice Hall 2013

Page 2

This is a module that some teachers will cover while others will not.

This module is a refresher on networking concepts, which are important in information security.

If your teacher does not cover networking, you might want to cover it yourself, to "get the rust out" of your networking knowledge.

Page 3

Copyright Pearson Prentice-Hall 2010

Octet
◦ A byte (collection of 8 bits); 8 bits = 1 character
◦ Bit: the basic unit of IT, represented as a 0 or 1

Host
◦ Any device connected to the Internet

Page 4

[Figure: home network. An access router with built-in wireless access point functionality connects to a DSL broadband modem; a PC with a wireless NIC communicates wirelessly, and a PC with an internal NIC connects over UTP; the PCs use file sharing and printer sharing.]

NIC = Network Interface Card, provides the capability for network communications

Page 5

Router
◦ Connects one network to another

Is a switch
◦ Sends frames between computers

Is a wireless access point (WAP)
◦ Signals are spread wide, increasing danger

Contains a Dynamic Host Configuration Protocol (DHCP) server
◦ Provides each host an IP address

Provides Network Address Translation (NAT)
◦ Hides internal IP addresses from attackers


Page 7

LAN (Local Area Network)
◦ Operates within a building, not across geographic locations

WAN (Wide Area Network, internet)
◦ Operates across geographic locations
◦ Because corporations don't have regulatory rights to lay network lines in public areas, they rely on commercial carriers

Internet
◦ Network of networks

Page 8

[Figure: office building LAN. Workgroup switches 1 and 2 connect wired clients (over UTP telephone wiring), a wireless access point with a wireless client, and a server; an optical fiber cord links the workgroup switches to the core switch in the equipment room, which connects to the WAN router.]

Workgroup switch: connects computers to the network

Core switch: connects switches to other switches

Any computer can plug into a wall jack and potentially gain access to the network. 802.1X requires any computer to first authenticate before gaining access to the network.

Page 9

[Figure: corporate WAN. Headquarters, North Shore operations, a branch in state, Da Kine Island and a credit card authorization bureau are linked by T1 and T3 leased lines and by Frame Relay networks; ISP 1 and ISP 2 connect the company to the Internet over a T3 leased line.]

Two types of leased lines
◦ Point to point
◦ Public Switched Data Network (PSDN) – passes frames between multiple sites

Connections to these networks are limited

Security by obscurity – not the best; if it is breached there is no security


Page 11

[Figure: a browser on one host sends packets along a route through several routers to webserver software on another host.]

The global Internet has thousands of networks connected by routers

Page 12

Messages (data) can move from any computer to any other computer on any other network connected to the Internet

Frames
◦ Messages (data) within a single network (LAN or WAN)

Packets
◦ Messages (data) between computers across the Internet
◦ Packets are carried within frames; a different frame is used on each network
◦ The Internet was designed specifically to NOT ADD SECURITY!

Page 13

[Figure: a packet travels in a different frame in each network along its route.]

Packet travels in a different frame in each network

Page 14

[Figure: a user PC (host computer) connects over an access line to the user PC's Internet service provider; the webserver host computer connects over an access line to the webserver's Internet service provider; the ISPs interconnect through network access points on the Internet backbone (multiple ISP carriers). Inset: US backbone map.]

NAP = Network Access Point

Page 15

Networks must "talk" with each other
◦ Interoperability requires standards

Standards security issues:
1. Is it inherently secure (an essential constituent or characteristic of the standard)?
2. Security explicitly designed into the standard
3. If added "after-the-fact", security usually goes only into newer versions going forward
4. Vendor implementations can be defective

Page 16

Super Layer     | Description
Application     | Communication between application programs on different hosts attached to different networks on an internet.
Internetworking | Transmission of packets across an internet. Packets contain application layer messages.
Single Network  | Transmission of frames across a network. Frames contain packets.

Core standards exist for each sub-system of the network communication process

Page 17

Super Layer    | TCP/IP        | OSI          | Hybrid TCP/IP-OSI
Application    | Application   | Application  | Application
               |               | Presentation |
               |               | Session      |
Internet       | Transport     | Transport    | Transport
               | Internet      | Network      | Internet
Single Network | Subnet Access | Data Link    | Data Link
               |               | Physical     | Physical

Page 18

In a single network, a physical link connects adjacent devices.

A data link is the path that a frame takes across a single network.

[Figure: one data link; three physical links.]

Page 19

Device connection types
◦ UTP: links between computers and switches. Uses voltage changes (high vs low). Acts like a radio antenna, so the signal can be intercepted without tapping.
◦ Optical fiber: uses light changes (on or off). Requires tapping for interception of data.
◦ Wireless: uses radio waves for transmission. Signals spread widely and are easily intercepted.

Page 20

Internet
◦ How routers forward packets
◦ Main standard is the Internet Protocol (IP)

Transport
◦ Main standard is the Transmission Control Protocol (TCP): fixes transmission errors, ensures proper order of packets, slows transmission if necessary
◦ Transmissions that do NOT require these capabilities use the User Datagram Protocol (UDP)

Page 21

Connection-oriented
◦ Requires agreement for transmission to commence
◦ Monitors transmission for errors to ensure reliability of transmission

Connectionless
◦ Does NOT require agreement; transmission occurs when needed
◦ No monitoring of transmission for errors occurs

Page 22

Connectionless

Unreliable

Purpose
◦ How packets are organized
◦ How routers move packets to the destination host

Versions
◦ IPv4: 32-bit address size, 2^32 = 4,294,967,296 addresses
◦ IPv6: 128-bit address size, 2^128 ≈ 3.4e+38 addresses


Page 24

IP Version 4 Packet (each row is Bit 0 to Bit 31)

Row 1: Version (4 bits, value 0100) | Header Length (4 bits) | Diff-Serv (8 bits) | Total Length (16 bits)
Row 2: Identification (16 bits) | Flags | Fragment Offset (13 bits)
Row 3: Time to Live (8 bits) | Protocol (8 bits; 1=ICMP, 6=TCP, 17=UDP) | Header Checksum (16 bits)
Row 4: Source IP Address (32 bits)
Row 5: Destination IP Address (32 bits)
Options (if any) | Padding
Data Field

Page 25

Represented as 32-bit rows

Consists of:
◦ Header, consisting of 5 rows (may have optional rows)
◦ Data

Page 26

Version
◦ 0100 = 4

Header Length (usually 5 rows)
◦ 0101 = 5
◦ More than 5 rows usually indicates an attack, so examining this part of the header is important to detect attacks

Diff-Serv
◦ Rarely used; intended to provide priority to different packets (network neutrality)

Total Length
◦ Length of (entire packet - header) in bytes
◦ Maximum size of a packet is 2^16 = 65,536

Page 27

Identification (16 bits), Flags, Fragment Offset (13 bits)
◦ Used if a packet is too large and is divided into smaller packets
◦ This is rare and can indicate an attack
◦ Most operating systems don't allow fragmentation

Page 28

Time to Live (TTL, 8 bits)
◦ Set to a value between 0 and 255
◦ Usually set to 64 or 128 by the operating system
◦ As the packet moves from router to router, the TTL is decremented by 1
◦ If the TTL reaches 0 the packet is discarded
◦ Attackers can determine how many router hops are between the hacker and the victim host by examining the TTL and guessing 64 or 128, so…

Protocol (8 bits)
◦ Identifies the message carried in the data field: 1=ICMP, 6=TCP, 17=UDP

Header Checksum (16 bits)
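A decoder for the header fields on Pages 24 to 28, written as an added example (it is not code from the textbook). It parses a constructed 20-byte header, verifies the checksum, names the protocol, and reports the two conditions the slides single out as attack indicators: a header longer than 5 rows and fragmentation. The addresses, identification value and option bytes are constructed sample values.

```python
import socket
import struct

# Protocol numbers named on the slide
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, flags=0, frag_offset=0, options=b""):
    """Constructed test header (not captured traffic); options are padded to a whole 32-bit row."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    total_length = ihl * 4 + payload_len        # header plus data, as RFC 791 defines Total Length
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_length, 0x1234,
                        (flags << 13) | frag_offset, ttl, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ipv4_checksum(fixed + options)   # computed with the checksum field zeroed
    return fixed[:10] + struct.pack("!H", checksum) + fixed[12:] + options


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 5-row header and list the anomalies the slides say to look for."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 5-row IPv4 header")
    (ver_ihl, _dscp, total_length, _ident, flags_frag,
     ttl, proto, _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F          # two 4-bit fields share the first byte
    flags, frag_offset = flags_frag >> 13, flags_frag & 0x1FFF
    header_len = ihl * 4
    anomalies = []
    if version != 4:
        anomalies.append("version is %d, not 4" % version)
    if ihl < 5:
        anomalies.append("header length below the 5-row minimum")
    elif ihl > 5:
        anomalies.append("options present: header has %d rows, not 5" % ihl)
    if flags & 0b001 or frag_offset:                      # more-fragments bit or a non-zero offset
        anomalies.append("fragment (offset %d, more-fragments=%d)" % (frag_offset, flags & 1))
    if total_length < header_len:
        anomalies.append("total length smaller than the header")
    if len(packet) < header_len or ipv4_checksum(packet[:header_len]) != 0:
        anomalies.append("header checksum does not verify")   # a valid header sums to zero
    return {
        "version": version, "header_rows": ihl, "total_length": total_length,
        "ttl": ttl, "protocol": PROTOCOL_NAMES.get(proto, "other(%d)" % proto),
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "anomalies": anomalies,
    }


# Constructed samples: a normal TCP packet, and a UDP packet with an options row and a fragment offset
NORMAL = build_ipv4_header("132.170.217.166", "10.0.0.5", 6, payload_len=40)
SUSPECT = build_ipv4_header("10.0.0.9", "10.0.0.5", 17, payload_len=8,
                            ttl=250, flags=0b001, frag_offset=185, options=b"\x01")
```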

Page 29

Each address is 32 bits long

11111111000000001111111100000000

Kind of hard to remember, so…

Divided into 4 8-bit segments and converted to decimal (0 to 255)

132.170.217.166 = www.bus.ucf.edu

The 4 segments are divided by a mask
◦ First 2 are for the network: 132.170 = UCF
◦ 217 = College of Business
◦ 166 = Web Server

Page 30

IP Version 6 Packet (each row is Bit 0 to Bit 31)

Row 1: Version (4 bits; value is 6, 0110) | Diff-Serv (8 bits) | Flow Label (20 bits; marks a packet as part of a specific flow)
Row 2: Payload Length (16 bits) | Next Header (8 bits; name of the next header) | Hop Limit (8 bits)
Source IP Address (128 bits)
Destination IP Address (128 bits)
Next Header or Payload (Data Field)

Payload Length = Total Length from IPv4; Hop Limit = TTL from IPv4

Note there is no checksum: reliability is assumed from higher-level security

Page 31

Unlike IPv4, IPv6 utilizes optional header rows. One such use is for IPSec. Remember that IP was developed without security; IPSec was added later to provide security.
◦ Everything in the data field of the packet is secured
◦ The application message is also secured
◦ Two modes: Transport – host-to-host protection; Tunnel – protection between hosts (details in Chapter 4)

Page 32

Transmission Control Protocol (TCP)
◦ Connection-oriented, reliable
◦ A TCP message is called a segment

User Datagram Protocol (UDP)
◦ Connectionless, unreliable

Page 33

TCP Segment (each row is Bit 0 to Bit 31)

Row 1: Source Port Number (16 bits) | Destination Port Number (16 bits)
Row 2: Sequence Number (32 bits)
Row 3: Acknowledgement Number (32 bits)
Row 4: Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window (16 bits)
Row 5: TCP Checksum (16 bits) | Urgent Pointer (16 bits)
Options (if any) | Padding
Data Field

Flag fields are 1-bit fields. They include SYN, ACK, FIN, RST, PSH, and URG.

Page 34

3-Way Open (PC transport process and webserver transport process)

1. SYN (Open)
2. SYN, ACK (1) (acknowledgement of 1)
3. ACK (2)

Open: segments 1 to 3

1. SYN = synchronize sequence numbers; "I want to send a message"
2. SYN, ACK (acknowledge); "OK, I'll accept your message"
3. ACK; "OK, I'm acknowledging that I received your acknowledgement"

Page 35

The hacker floods the victim host with SYN messages

The victim host
◦ Sends SYN, ACK and
◦ Sets aside resources for the upcoming message

The hacker never sends the ACK back
◦ Half-open SYN attack
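A small tracker for the condition this slide describes, written as an added example (not from the textbook). It replays a constructed list of segments through the three steps of the 3-way open on Page 34 and counts, per client address, the connections where the server has sent SYN, ACK and is still waiting for the client's ACK; a source holding many such half-open connections is reported. The addresses, ports and threshold are constructed assumptions.

```python
from collections import defaultdict


def half_open_connections(segments, server_ip):
    """Replay (time, src, dst, flags) records; return {client_ip: half-open count} toward server_ip."""
    pending = {}   # (client socket, server socket) -> time the server's SYN,ACK went out, or None
    for t, src, dst, flags in segments:
        flagset = set(flags.split(","))
        to_server = dst.startswith(server_ip + ":")
        from_server = src.startswith(server_ip + ":")
        if to_server and flagset == {"SYN"}:
            pending[(src, dst)] = None               # step 1: SYN seen, server has not replied yet
        elif from_server and flagset == {"SYN", "ACK"} and (dst, src) in pending:
            pending[(dst, src)] = t                  # step 2: resources set aside, waiting for the ACK
        elif to_server and "ACK" in flagset and (src, dst) in pending:
            del pending[(src, dst)]                  # step 3: the open completed normally
        elif "RST" in flagset:                       # abrupt close frees the slot on either side
            pending.pop((src, dst), None)
            pending.pop((dst, src), None)
    counts = defaultdict(int)
    for (client, _server), syn_ack_time in pending.items():
        if syn_ack_time is not None:                 # only count those the server actually answered
            counts[client.rsplit(":", 1)[0]] += 1
    return dict(counts)


def flood_suspects(segments, server_ip, threshold=10):
    """Client addresses holding at least `threshold` half-open connections (threshold is an assumption)."""
    return sorted(ip for ip, n in half_open_connections(segments, server_ip).items() if n >= threshold)


# Constructed segment log: one normal 3-way open, then 20 SYNs from one source that never send step 3
SERVER = "10.0.0.5"
SAMPLE_SEGMENTS = [
    (0.00, "198.51.100.7:40001", SERVER + ":80", "SYN"),
    (0.01, SERVER + ":80", "198.51.100.7:40001", "SYN,ACK"),
    (0.02, "198.51.100.7:40001", SERVER + ":80", "ACK"),
]
for i in range(20):
    client = "203.0.113.9:%d" % (50000 + i)
    SAMPLE_SEGMENTS.append((1.0 + i / 100, client, SERVER + ":80", "SYN"))
    SAMPLE_SEGMENTS.append((1.0 + i / 100 + 0.001, SERVER + ":80", client, "SYN,ACK"))
```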

Page 36

PC transport process and webserver transport process

1. SYN (Open)
2. SYN, ACK (1) (acknowledgement of 1)
3. ACK (2)
4. Data = HTTP Request
5. ACK (4)
6. Data = HTTP Response
7. ACK (6)

Open: segments 1 to 3. Carry HTTP request and response: segments 4 to 7.

Page 37

PC transport process and webserver transport process

8. Data = HTTP Request (error)
9. Data = HTTP Request (no ACK, so retransmit)
10. ACK (9)
11. Data = HTTP Response
12. ACK (11)

Error handling while carrying an HTTP request and response: segments 8 to 12.

Page 38

PC transport process and webserver transport process

13. FIN (Close)
14. ACK (13)
15. FIN
16. ACK (15)

Normal four-way close: segments 13 to 16.

Note: An ACK may be combined with the next message if the next message is sent quickly enough.

Page 39

Abrupt Close (PC transport process and webserver transport process)

RST

Either side can send a Reset (RST) segment at any time; it ends the session immediately.

Rejecting a SYN (from an untrusted host) with a RST will provide the hacker with the IP address of an internal host, something the hacker tries to get.

Page 40

Sequence Number field
◦ Allows segments to be put together in order
◦ The first segment uses a randomly generated number
◦ If a segment contains no data (SYN, ACK, etc.), the number is 1 + the last segment's number
◦ If a segment contains data, the number of the first octet (byte) of the data field is used

Acknowledgement Number field
◦ Enables verification that a segment has arrived
◦ Number of the last octet (byte) of the data field + 1
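The 16-segment exchange on Pages 34 to 38 walked through with sequence and acknowledgement numbers, as an added example (not code from the textbook). It applies the numbering rule above in its RFC 793 form: a SYN or FIN consumes one sequence number, a data segment consumes one per byte, a pure ACK reuses the current number without advancing it, and the acknowledgement number is the last byte received + 1. The initial sequence numbers 1000 and 5000 and the request and response bytes are constructed.

```python
class Endpoint:
    """One side's bookkeeping: snd_nxt = next number to send, rcv_nxt = next number expected."""

    def __init__(self, name, isn):
        self.name, self.snd_nxt, self.rcv_nxt, self.last_sent = name, isn, None, None

    @staticmethod
    def consumed(seg):
        # Sequence space used: one per data byte plus one each for SYN and FIN; a pure ACK uses none
        return len(seg["data"]) + ("SYN" in seg["flags"]) + ("FIN" in seg["flags"])

    def send(self, flags, data=b""):
        seg = {"src": self.name, "flags": flags, "data": data, "seq": self.snd_nxt,
               "ack": self.rcv_nxt if "ACK" in flags else None}
        self.snd_nxt += self.consumed(seg)
        self.last_sent = seg
        return seg

    def retransmit(self):
        return dict(self.last_sent)                  # same sequence number and data as the lost segment

    def receive(self, seg):
        if self.rcv_nxt is None or seg["seq"] == self.rcv_nxt:
            self.rcv_nxt = seg["seq"] + self.consumed(seg)   # acknowledge through last octet + 1
            return "accepted"
        return "duplicate" if seg["seq"] < self.rcv_nxt else "out-of-order"


def walk_exchange(client_isn, server_isn, request, response):
    """Segments 1-16 from the slides; segment 8 is sent but never delivered (the 'error')."""
    pc, web = Endpoint("PC", client_isn), Endpoint("Webserver", server_isn)
    trace = []                                       # (n, sender, flags, seq, ack, delivery status)

    def deliver(n, seg, receiver, lost=False):
        status = "lost" if lost else receiver.receive(seg)
        trace.append((n, seg["src"], seg["flags"], seg["seq"], seg["ack"], status))

    deliver(1, pc.send("SYN"), web)                      # 1. SYN (open)
    deliver(2, web.send("SYN,ACK"), pc)                  # 2. SYN, ACK (1)
    deliver(3, pc.send("ACK"), web)                      # 3. ACK (2)
    deliver(4, pc.send("ACK", request), web)             # 4. data = HTTP request
    deliver(5, web.send("ACK"), pc)                      # 5. ACK (4)
    deliver(6, web.send("ACK", response), pc)            # 6. data = HTTP response
    deliver(7, pc.send("ACK"), web)                      # 7. ACK (6)
    deliver(8, pc.send("ACK", request), web, lost=True)  # 8. request lost in transit (error)
    deliver(9, pc.retransmit(), web)                     # 9. no ACK arrived, so retransmit
    deliver(10, web.send("ACK"), pc)                     # 10. ACK (9)
    deliver(11, web.send("ACK", response), pc)           # 11. data = HTTP response
    deliver(12, pc.send("ACK"), web)                     # 12. ACK (11)
    deliver(13, pc.send("FIN,ACK"), web)                 # 13. FIN (close)
    deliver(14, web.send("ACK"), pc)                     # 14. ACK (13)
    deliver(15, web.send("FIN,ACK"), pc)                 # 15. FIN
    deliver(16, pc.send("ACK"), web)                     # 16. ACK (15)
    return trace


# Constructed run: 16-byte request, 19-byte response
TRACE = walk_exchange(1000, 5000, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n\r\n")
```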


Page 42

Clients
◦ A random port number is used when connecting to a host for a transmission session (short-lived session)

Servers
◦ The port number represents a specific application running

Socket
◦ Combination of IP address and port number
◦ 132.170.217.166:80


Page 45

There is NO security built into the TCP standard

Security is instead provided by IPSec in the IP standard, since it secures the data field in which the TCP segment is contained.


Page 48

Ping
◦ Are you there?

Traceroute
◦ How do packets go from my client to a host?

ICMP messages carry error messages back to the originator
◦ Hackers can send malformed ICMP messages hoping to identify the IP address of a host


Page 50

Organized hierarchically
◦ 13 DNS root servers
◦ Top-level domain servers (.com, .edu, etc.)
◦ Second-level (University of Central Florida): needs to know the names of the host computers within its own network

Cache poisoning occurs if an attacker replaces an IP address on the DNS server with a fake one

Page 51

Becky Granger, Director, Information Technology and Member Services, EDUCAUSE

April 29, 2010

Page 52

Illustration courtesy of Niranjan Kunwar / Nirlog.com

Page 53

DNS servers cache data to improve performance

But… what happens if the cached data is wrong?

Page 54

More detailed explanation: http://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdf

Page 55

Packet interception
◦ DNS's usual behavior of sending an entire query or response in a single unsigned, unencrypted UDP packet makes these attacks particularly easy
◦ The attacker intercepts the query to DNS or the response back, substituting their own message

ID guessing and query prediction
◦ The attacker guesses the UDP ID for the DNS query
◦ The DNS port number is well-known; 16 bits per ID, so 2^16 possibilities – susceptible to brute force

Name chaining or cache poisoning (see previous slide)

DoS – no different from any other server

Page 56

Original illustration courtesy of Niranjan Kunwar / Nirlog.com


Page 59

Application exploits
◦ By taking over applications, hackers gain the permissions of the exploited program
◦ There is a multitude of application standards
◦ Consequently, there is a multitude of security issues at the application level

Page 60

Many applications need two types of standards
◦ One for the transmission of messages, one for the content of application documents
◦ For the World Wide Web, these are HTTP and HTML, respectively
◦ For transmission, e-mail uses SMTP, POP, and IMAP
◦ For message content, e-mail uses RFC 2822 (all-text), HTML, and MIME

Page 61

FTP and Telnet
◦ Have no security
◦ Passwords are transmitted in the clear, so they can be captured by sniffers
◦ Secure Shell (SSH) can replace both securely

Page 62

Many other application standards have security issues
◦ Voice over IP
◦ Service-oriented architecture (SOA); web services
◦ Peer-to-peer applications


Page 64

Copyright © 2013 Pearson Education, Inc. Publishing as Prentice Hall