networks, tcp/ip, and network- based attacks lesson 2
Post on 19-Dec-2015
220 views
TRANSCRIPT
Networks, TCP/IP, and Network-Based attacks Networks, TCP/IP, and Network-Based attacks
Lesson 2
ReviewIs an ROI from Security Possible?
ReviewIs an ROI from Security Possible?
Security as an ROI
Improved Security ROI
Security that provides savings in the budget
Security that provides additional revenue
Computer System BasicsComputer System Basics
Operating SystemsManage the computer’s resources– Memory management– Scheduling– Access Controls
Lots of different operating systems– Win9X, Win2K, WinME, NT, Unix, Linux, VMS
NetworksNetworks
What is a network?Two or more systems connected togetherLAN (local area network)WAN (Wide area network)MAN (metropolitan area network)
Network TopologiesNetwork Topologies Topology – the physical arrangement of the network.
Completely ConnectedStarRingBus
Characteristics# of connections# of “hops”Addition of new nodesFairnessCollisions and points of failure
Network TopologiesNetwork Topologies
?
Network Topologies -- StarNetwork Topologies -- Star
Adv: distance = 2 hops connections = n-1
DisAdv: 1 point of failure
Fairness? Addition of new nodes? Congestion(collisions)?
Network Topologies -- RingNetwork Topologies -- Ring
Adv: avg dist = (n-1)/2 hops connections = n
DisAdv: many points of failure
Fairness (token)? Addition of new nodes? Congestion(collisions)?
Network Topology -- BusNetwork Topology -- Bus
Adv: distance = 1 hop connections = n
DisAdv: Collisions
Fairness? Addition of new nodes?
ProtocolsProtocols
A protocol is an agreed upon format for exchanging information.
A protocol will define a number of parameters:Type of error checkingData compression methodMechanisms to signal reception of a transmission
There are a number of protocols that have been established in the networking world.
OSI Reference ModelOSI Reference Model ISO standard describing 7 layers of protocols
Application: Program-level communicationPresentation: Data conversion functions, data format, data encryptionSession: Coordinates communication between endpoints. Session state maintained for security.Transport: end-to-end transmission, controls flow of dataNetwork: routes data from one system to the nextData Link: Handles physical passing of data between nodesPhysical: Manages the transmission media/HW connections
Abstraction is the principle, you only have to communicate with the layer directly above and below
TCP/IP Protocol SuiteTCP/IP Protocol Suite TCP/IP refers to two network protocols used on the
Internet:Transmission Control Protocol (TCP)Internet Protocol (IP)
TCP and IP are only two of a large group of protocols that make up the entire “suite”
A “real-world” application of the layered concept. There is not a one-to-one relationship between the
layers in the TCP/IP suite and the OSI Model.
OSI and TCP/IP comparisonOSI and TCP/IP comparisonOSI Model
Application
Presentation
Session
Transport
Network
Data-link
Physical
TCP/IP Protocol Suite
NFSFTP, Telnet,SSH, SMTP SMBHTTP, NNTP
RPC
TCP,UDP
IP ICMPARP
Physical
Application-levelprotocols
Network-levelprotocols
TCP/IP Protocol SuiteTCP/IP Protocol SuiteUser
ProcessUser
ProcessUser
ProcessUser
Process
TCP UDP
IP
HWInterface
RARPARP
ICMP IGMP
Media
Encapsulation of dataEncapsulation of dataUser Data
User DataAppl
header
Application dataTCP
header
Application dataTCP
headerIP
header
Application dataTCP
headerIP
headerEthernetheader
Ethernettrailer
Ethernet Frame
IP Datagram
TCP segment
application
TCP
IP
Ethernetdriver
Ethernet
Demultiplexing of a received Ethernet FrameDemultiplexing of a received Ethernet Frame
application application application application
UDPTCP
ICMP IGMP
IP
ARP RARP
Ethernetdriver
Incoming Frame
IP DatagramIP Datagram
32 Bits
Source Address
Destination Address
Time-to-live Protocol Header Checksum
Version head lngth Type of Service Total Length
Identification Flags Frag Offset
Options (if any)
Data
TCP Packet StructureTCP Packet Structure32 Bits
Source Port Destination Port
Sequence Number
Acknowledgment Number
Options (if any)
Data
WindowData Offset Reserved Flags
Checksum Urgent Pointer
TCP establishes a “virtual circuit” between client and server.
Establishment of a TCP connection(“3-way Handshake”)
Establishment of a TCP connection(“3-way Handshake”)
client ServerSYN
Client sends connection request,Specifying a port to connect toOn the server.
client ServerSYN/ACK
Server responds with both anacknowledgement and a queuefor the connection.
client ServerACK
Client returns an acknowledgementand the circuit is opened.
User Datagram Protocol (UDP)User Datagram Protocol (UDP)
UDP is a connectionless transport layer protocol that provides no reliability and has no mechanism for connection establishment or termination.
UDP makes no guarantee about packet delivery. This “fire and forget” naturemeans a packet is placed on the network and you just hope it gets to where itwas supposed to go to.
UDP is commonly used for network services that are not sensitive to anoccasional lost (dropped) packet.
Because of the relative overall reliability of the network, it has become lessimportant to have a guaranteed service and thus UDP is a good choice for manystreaming services.
Application ProtocolsApplication Protocols
HTTP – HyperText Transfer Protocol FTP – File Transfer Protocol Telnet – A terminal communications facility SMTP – Simple Mail Transfer Protocol SSH – Secure SHell
Common PortsCommon Ports Common Ports used to facilitate communication
between common protocolsHTTP: TCP port 80Telnet: TCP port 23FTP: TCP port 20 and 21SMTP: TCP port 25SSH: TCP port 22DNS: UDP and TCP port 53
RoutingRouting
The overall process of delivering a packet from point A to point B. It is the job of the router to know where to send a packet in order to reach its
destination Routing tables are used to determine where to send a packet.
Static: entries entered once and not updatedRouting Information Protocol (RIP): entire tables shared on a periodic basis. Not very efficient or secure.Open Shortest Path First (OSPF): Table maintained to determine what the shortest path is to specific destinations. Tremendous overhead.Border Gateway Protocol (BGP): Peer routers (neighbors) exchange routing information. Entire table initially loaded but subsequent changes limited to updates.
IP AddressingIP Addressing We’re all familiar with the concept of URL’s and IP addresses, we’ve been using them
for a while. We normally like to recall the URL, not the IP address but the network requires the address, DNS (Domain Name Service) solves this problem for us.
When you use a site’s name, your computer will send a DNS query to your local DNS server, if it knows the address it will return it otherwise it will send a query to a higher-level domain server, which may forward the query further up and so forth until the address is obtained.
There are two basic ways to assign an IP address to a computer:Static – a specific address is assigned to a specific system and stays with itDHCP (Dynamic Host Configuration Protocol) – a dynamic addressing scheme that allows us to allocate IP addresses on a first-come, first-served basis. When a device connects to the network, it queries a DHCP server to obtain an IP address from a range of addresses. If the server runs out of addresses, the requestor is out of luck.
– Method allows for more people to access the network without using as many addresses
Network Address Translation (NAT)Network Address Translation (NAT)
There are a limited number of IP addresses available and not every system needs one.
NAT was developed to provide a means to translate private IP addresses into public IP addresses.
A device (typically a router or firewall) will accomplish this translation process.Source: 10.1.1.123Destination: 207.25.71.23
Source: 63.69.110.110Destination: 207.25.71.23
Source: 207.25.71.23 Destination: 10.1.1.123
Source: 207.25.71.23 Destination: 63.69.110.110
Firewall performs NAT
Network Address TranslationNetwork Address Translation
A modern NAT gateway must change the Source address on every outgoing packet to be its single public address. It therefore also renumbers the Source Ports to be unique, so that it can keep track of each client connection. The NAT gateway uses a port mapping table to remember how it renumbered the ports for each client's outgoing packets. The port mapping table relates the client's real local IP address and source port plus its translated source port number to a destination address and port. The NAT gateway can therefore reverse the process for returning packets and route them back to the correct clients.
When any remote server responds to an NAT client, incoming packets arriving at the NAT gateway will all have the same Destination address, but the destination port number will be the unique Source Port number that was assigned by the NAT. The NAT gateway looks in its port mapping table to determine which "real“client address and port number a packet is destined for, and replaces these numbers before passing the packet on to the local client.
Internet Control Message Protocol (ICMP)Internet Control Message Protocol (ICMP)
ICMP uses the IP datagram delivery facility to send its messages.
IP Header ICMP message 20 bytes
(contents -- depends on type and code)
8-bit type 8-bit code 16-bit checksum
The format for the ICMP message is as follows:
ICMP performs the following control, error reporting, and informationalFunctions for TCP/IP:
- Flow Control- Detecting unreachable destinations- Redirecting routes- Checking remote hosts (e.g. ping)
Internet Control Message Protocol (ICMP)Internet Control Message Protocol (ICMP)
Type Code Message0 0 Echo Reply3 0 Net Unreachable3 1 Host Unreachable3 3 Port Unreachable5 1 Host Redirect8 0 Echo Request11 0 Time-to-live exceeded13 0 Timestamp Request14 0 Timestamp Reply
Typical Net-based Attacks -- WebTypical Net-based Attacks -- Web
“Popular” and receives a great deal of media attention.
Attempt to exploit vulnerabilities in order to:Access sensitive data (e.g. credit card #’s)Deface the web pageDisrupt, delay, or crash the serverRedirect users to a different site
Typical Net-based attacks -- SniffingTypical Net-based attacks -- Sniffing Essentially eavesdropping on the network Takes advantage of the shared nature of the
transmission media. Passive in nature (i.e. just listening, not broadcasting) The increased use of switching has made sniffing more
difficult (less productive) but has not eliminated it (e.g. DNS poisoning will allow you to convince target hosts to send traffic to us intended for other systems)
Typical Net-Based Attacks –Spoofing, Hijacking, Replay
Typical Net-Based Attacks –Spoofing, Hijacking, Replay
Spoofing attacks involve the attacker pretending to be someone else.
Hijacking involves the assumption of another systems role in a “conversation” already taking place.
Replay occurs when the attacker retransmits a series of packets previously sent to a target host.
Typical Net-Based Attacks –Denial of Service
Typical Net-Based Attacks –Denial of Service DOS and Distributed DOS (DDOS) attacks have
received much attention in the media in the last year due to some high-profile attacks.
Several varieties:Flooding – sending more data than the target can processCrashing – sending data, often malformed, designed to disable the system or serviceDistributed – using multiple hosts in a coordinated attack effort against a target system.
IPv4 versus IPv6IPv4 versus IPv6 From the IPv6 FAQ, what are the merits of IPv6?
scalability:IPv6 uses 128bit address space. Address length is 4 times longer than IPv4. security:IPv6 basic specification includes security. It includes packet encryption (ESP:Encapsulated Security Payload) and source authentication (AH:Authentication Header). [confidentiality and authentication]real-time:To support real-time traffic such as video conference, IPv6 has "Flow Label". Using flow label, routers can know which end-to-end flow a packet belongs to, and then find out the packet which belongs to real-time traffic. [needed to allow for prioritization of traffic]autoconfiguration:IPv6 basic specification includes address autoconfiguration. So, even a novice user can connect their machine to network. specification optimization:IPv6 keeps good parts and discards old and useless parts of IPv4.
IP Security (IPSEC)IP Security (IPSEC) Optional in IPv4, supported in IPv6. Two major modes:
Tunnel: encrypts both the data and header portions of the packet.Transport: encrypts the data portion of the packet.
Requires both ends to be using IPSEC (obviously, since one end will encrypt, the other needs to be able to decrypt).
About IPSEC (from the IPSEC FAQ) About IPSEC (from the IPSEC FAQ)
IPsec = AH + ESP + IPcomp + IKEIPsec consists of a couple of separate protocols, listed below:
– Authentication Header (AH): provides authenticity guarantee for packets, by attaching strong crypto checksum to packets. If you receive a packet with AH and the checksum operation was successful, you can be sure about two things :
The packet was originated by the expected peer. The packet was not generated by an impersonator. The packet was not modified in transit.
– Encapsulating Security Payload (ESP): provides confidentiality guarantee for packets, by encrypting packets with encryption algorithms. If you receive a packet with ESP and successfully decrypted it, you can be sure that the packet was not wiretapped in the middle.
– IP payload compression (IPcomp): ESP provides encryption service to the packets. However, encryption tends to negatively impact compression on the wire. IPcomp provides a way to compress packets before encryption by ESP (Of course, you can use IPcomp alone if you wish to).
– Internet Key Exchange (IKE): AH and ESP need shared secret keys between peers. For communication between distant locations, we need to provide ways to negotiate keys in secrecy. IKE will make this possible.
EthernetEthernet The most common physical layer protocol. A shared media protocol, collisions possible
Uses CSMA/CD to control traffic Several different variations of Ethernet exist
10Base-2 : Thinnet (thin coax)10Base-5: Thicknet (earliest version, thick coax)10Base-T: Standard twisted pair Ethernet100Base-T: Fast Ethernet1000Base-T: Gigabit Ethernet
SummarySummary
What is the Importance and Significance of this material?
How does this topic fit into the subject of “Voice and Data Security”?