BOOTP Packet Format

Telecommunications & Network Security
Originally (1/01) by: Usha Viswanathan
Modified (1/03, 5/06) by: John R. Durrett
Presentation Overview
– C.I.A. as it applies to Network Security
– Protocols & Layered Network Architectures
– OSI and TCP/IP
– TCP/IP protocol architecture
– IP addressing & Routing
– TCP
– Applications
– IPv6
C.I.A.
– Confidentiality: the opposite of disclosure
  • Elements used to ensure it: security protocols, authentication services, encryption services
– Integrity: the opposite of alteration
  • Elements used to ensure it: firewalls, communications security management, intrusion detection services
– Availability: the opposite of destruction / denial
  • Fault tolerance, acceptable system performance, reliable administration and network security
Protocols & the Layered Network: Intro
– Protocol:
  • A standard set of rules that determine how computers talk
  • Describes the format a message must take
  • Enables multi-platform computers to communicate
– The Layered Architecture Concept
  • Data passes down through the layers to get “out”, and up to get “in”
  • Reasons for use: to clarify functionality, to break down complexity, to enable interoperability, easier troubleshooting
TCP/IP
The “lingua franca” of the Internet.
ISO’s Open Systems Interconnect (OSI) Reference Model
– Protocol Layering
  • Series of small modules
    ◦ Well defined interfaces, hidden inner processes
    ◦ Process modules can be replaced
    ◦ Lower layers provide services to higher layers
– Protocol Stack: modules taken together
– Each layer communicates with its pair on the other machine
The OSI Model
Figure: sender and receiver each run the same seven-layer stack (Application, Presentation, Session, Transport, Network, Datalink, Physical). The path messages take runs down the sender’s stack, across the network at the Physical layer, and up the receiver’s stack.
OSI Layers
Layer          Role (typical device)
Application    Communication partners, QoS identified
Presentation   Semantics, encryption, compression (gateways)
Session        Establishes, manages, terminates sessions
Transport      Sequencing, flow/error control, name/address resolution
Network        Routing, network addresses (routers)
Datalink       MAC address, low level error control (bridges)
Physical       Encoding/decoding digital bits, interface card
TCP/IP
Figure: Alice and Bob each run the Application, Transport and Network layers; the routers between them implement only the Network layer.
TCP/IP: The Protocols and the OSI Model
OSI layer(s)                            TCP/IP protocols
Application / Presentation / Session    TELNET, FTP, SMTP, DNS, SNMP, DHCP, RIP, RTP, RTCP
Transport                               Transmission Control Protocol (TCP), User Datagram Protocol (UDP)
Network                                 Internet Protocol (IP), OSPF, ICMP, IGMP; ARP at the Network/Datalink boundary
Datalink / Physical                     Ethernet, Token Bus, Token Ring, FDDI
Data Encapsulation by Layer
Application    Data
TCP            TCP Header + Data = Datagram
Network        Packet
Data Link      Frame
The destination opens the envelopes layer-by-layer.
Transmission Control Protocol (TCP)
– Traditional TCP/IP Security: None
  • No authenticity, confidentiality, or integrity
  • Implemented & expanding: IPSec
– Workhorse of the internet
  • FTP, telnet, ssh, email, http, etc.
– The protocol responsible for the reliable transmission and reception of data.
– Unreliable service is provided by UDP.
– Transport layer protocol.
– Can run multiple applications using the same transport.
  • Multiplex through port numbers
TCP Fields
Source port | Destination port
Sequence number
Acknowledgment number
Data offset | Reserved | Code bits: URG ACK PSH RST SYN FIN | Window
Checksum | Urgent pointer
Options | Padding
data
TCP Connection Establishment
– Alice to Bob: SYN with Initial Sequence Number-a (ISN-a)
– Bob to Alice: ACK ISN-a with ISN-b
– Alice to Bob: ACK ISN-b
– Connection Established
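An added example (not from the slides) that decodes the header layout above and checks the three-step exchange: `parse_tcp_header` unpacks the 20-byte fixed header and code bits, and `validate_handshake` verifies that each acknowledgment number is the other side’s ISN plus one. The `build_tcp_header` helper and the port and sequence values are constructed here, and the checksum is left at zero.

```python
import struct

# Code bits in the byte after Data offset/Reserved: URG ACK PSH RST SYN FIN
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
MASK32 = 0xFFFFFFFF


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into the fields listed on the slide."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (sport, dport, seq, ack, off_res, flags,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4          # header length in bytes, options included
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "window": window,
        "checksum": checksum, "urgent": urgent,
        "flags": {name for name, bit in FLAG_BITS.items() if flags & bit},
        "options": segment[20:data_offset], "data": segment[data_offset:],
    }


def build_tcp_header(sport, dport, seq, ack, flags, window=65535) -> bytes:
    """Constructed segment for the demo: no options, checksum and urgent pointer zero."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)


def validate_handshake(syn: bytes, synack: bytes, ack: bytes) -> bool:
    """Check the slide's steps: SYN (ISN-a), SYN+ACK (ISN-b, acks ISN-a), ACK (acks ISN-b)."""
    a, b, c = (parse_tcp_header(s) for s in (syn, synack, ack))
    isn_a, isn_b = a["seq"], b["seq"]
    return (a["flags"] == {"SYN"}
            and b["flags"] == {"SYN", "ACK"} and b["ack"] == (isn_a + 1) & MASK32
            and c["flags"] == {"ACK"}
            and c["seq"] == (isn_a + 1) & MASK32 and c["ack"] == (isn_b + 1) & MASK32)


if __name__ == "__main__":
    syn = build_tcp_header(40000, 80, 1000, 0, ["SYN"])
    synack = build_tcp_header(80, 40000, 5000, 1001, ["SYN", "ACK"])
    ack = build_tcp_header(40000, 80, 1001, 5001, ["ACK"])
    print(parse_tcp_header(syn)["flags"], validate_handshake(syn, synack, ack))
```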
User Datagram Protocol (UDP)
– Connectionless
  • Does not retransmit lost packets
  • Does not order packets
  • Inherently unreliable
– Mainly tasks where speed is essential
  • Streaming audio and video
  • DNS
– UDP header fields: Source Port, Destination Port, Message Length, Checksum, Data …
ICMP: network plumber
Message Type              Type #   Purpose
Echo Reply                0        Ping response – system is alive
Destination Unreachable   3        No route, protocol, or port closed
Source Quench             4        Slow down transmission
Redirect                  5        Reroute traffic
Echo                      8        Ping
Time Exceeded             11       TTL exceeded, packet dropped
Parameter Problem         12       Bad header
Timestamp                 13       Time sent and requested
Timestamp return          14       Time request reply
Information request       15       Host asks: What network am I on
Information Reply         16       Information response
Ports
“Ports are used in the TCP [RFC793] to name the ends of logical connections which carry long term conversations. For the purpose of providing services to unknown callers, a service contact port is defined. This list specifies the port used by the server process as its contact port. The contact port is sometimes called the "well-known port".”
PORT   USE
17     Quote of the Day
20     File Transfer Data
21     File Transfer Control
22     SSH
23     Telnet
25     SMTP
43     Whois (tcp & udp)
666    Doom
• Source port
• Destination port
• Logical connection
• Privileged – unprivileged ports
Network Address Translation (NAT)
– Illegal addresses
– Unroutable addresses: 10.0.0.0, 192.168.0.0
– Limited address space in IPv4
– NAT maps bad to valid addresses
  • Mapping to single external address
  • One-to-one mapping
  • Dynamically allocated addresses
Figure: inside host 10.0.0.5 behind a router whose external address is 12.13.4.5.
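An added example (not from the slides) of the “single external address” mapping in the figure: every inside host is rewritten to 12.13.4.5 with a dynamically allocated external port, and inbound packets are only passed back in if an inside host opened the mapping. The `PortNAT` class, its port range and the packet tuples are constructed here.

```python
import ipaddress
import itertools

# Slide figure: inside host 10.0.0.5, router with the single external address 12.13.4.5
EXTERNAL_IP = "12.13.4.5"


def needs_translation(ip: str) -> bool:
    """True for the slide's unroutable (private) ranges such as 10.0.0.0 and 192.168.0.0."""
    return ipaddress.ip_address(ip).is_private


class PortNAT:
    """Many-to-one NAT: every inside host is mapped to one external address,
    and each flow gets its own dynamically allocated external port."""

    def __init__(self, external_ip: str, first_port: int = 1024):
        self.external_ip = external_ip
        self.free_ports = itertools.count(first_port)
        self.outbound = {}   # (inside_ip, inside_port) -> external_port
        self.inbound = {}    # external_port -> (inside_ip, inside_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet's source to the external address and a mapped port."""
        if not needs_translation(src_ip):
            return (src_ip, src_port, dst_ip, dst_port)      # already a valid address
        key = (src_ip, src_port)
        if key not in self.outbound:
            ext_port = next(self.free_ports)
            self.outbound[key] = ext_port
            self.inbound[ext_port] = key
        return (self.external_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Map an inbound packet back to the inside host, or None when no inside host
        opened this mapping (unsolicited inbound traffic has nowhere to go)."""
        if dst_ip != self.external_ip or dst_port not in self.inbound:
            return None
        in_ip, in_port = self.inbound[dst_port]
        return (src_ip, src_port, in_ip, in_port)


if __name__ == "__main__":
    nat = PortNAT(EXTERNAL_IP)
    out = nat.translate_out("10.0.0.5", 40000, "198.51.100.9", 80)
    print(out, nat.translate_in("198.51.100.9", 80, EXTERNAL_IP, out[1]))
```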
Logical Structure of the Internet Protocol Suite
Applications: HTTP, TELNET, FTP, TFTP, DNS, SNMP
Transport: User Datagram Protocol (connectionless), Transmission Control Protocol (connection oriented)
Internet addressing: IP (ICMP, IGMP), ARP, RARP
Physical Layer
Address Resolution Protocol (ARP)
Maps IP addresses to MAC addresses
When host initializes on local network:
– ARP broadcast: IP and MAC address
– If duplicate IP address, TCP/IP fails to initialize
Address Resolution Process on Local Network
– Is IP address on local network?
– ARP cache
– ARP request
– ARP reply
– ARP cache update on both machines
ARP Operation
Figure: station 129.1.1.1 broadcasts an ARP Request, “Give me the MAC address of station 129.1.1.4”. Stations B and C see it, decide “Not me”, and ignore the request. Station 129.1.1.4 recognizes itself (“That’s me”) and sends an ARP Response, “Here is my MAC address”, which 129.1.1.1 accepts.
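An added simulation (not from the slides) of the local resolution process and the startup check described above: a `Station` consults its ARP cache, otherwise broadcasts a request that only the owner of the target address answers, and both machines update their caches; `initialize` ARPs for the station’s own address so that any reply reveals a duplicate IP. The class, the MAC addresses and the list used as the broadcast domain are constructed here.

```python
class Station:
    """One host on the slide's LAN; the shared list `lan` is the broadcast domain."""

    def __init__(self, ip: str, mac: str, lan: list):
        self.ip, self.mac, self.lan = ip, mac, lan
        self.arp_cache = {}             # ip -> mac
        lan.append(self)

    def handle_request(self, sender_ip, sender_mac, target_ip):
        """Every station sees the broadcast; only the target answers ("That's me")."""
        if target_ip != self.ip:
            return None                  # "Not me": request ignored
        self.arp_cache[sender_ip] = sender_mac   # the slide's cache update on both machines
        return (self.ip, self.mac)

    def broadcast(self, target_ip):
        """Send an ARP request to everyone else and collect the replies."""
        replies = (s.handle_request(self.ip, self.mac, target_ip) for s in self.lan if s is not self)
        return [r for r in replies if r is not None]

    def initialize(self) -> bool:
        """Startup check: ARP for our own address; any reply means a duplicate IP."""
        return not self.broadcast(self.ip)

    def resolve(self, target_ip):
        """Local resolution: cache first, then request/reply, then cache update."""
        if target_ip in self.arp_cache:
            return self.arp_cache[target_ip], "cache"
        replies = self.broadcast(target_ip)
        if not replies:
            return None, "no reply"
        ip, mac = replies[0]
        self.arp_cache[ip] = mac
        return mac, "request"


if __name__ == "__main__":
    lan = []
    a = Station("129.1.1.1", "00:00:00:00:00:01", lan)
    Station("129.1.1.2", "00:00:00:00:00:02", lan)    # station B
    Station("129.1.1.3", "00:00:00:00:00:03", lan)    # station C
    d = Station("129.1.1.4", "00:00:00:00:00:04", lan)
    print(a.resolve("129.1.1.4"), a.resolve("129.1.1.4"), d.arp_cache)
```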
Address Resolution on Remote Network
– IP address determined to be remote
– ARP resolves the address of each router on the way
– Router uses ARP to forward packet
Figure: a router joins Network A and Network B.
Reverse Address Resolution Protocol (RARP)
Figure: a diskless workstation broadcasts a RARP Request, “Give me my IP address”. Stations B and C decide “Not me” and ignore the request; the RARP Server sends a RARP Response with the workstation’s address (129.1.1.1 in the figure), which the workstation accepts.
– Same packet type used as ARP
– Only works on local subnets
– Used for diskless workstations
The Internet Protocol (IP)
– IP’s main function is to provide for the interconnection of subnetworks to form an internet in order to pass data.
– The functions provided by IP are:
  • Addressing
  • Routing
  • Fragmentation of datagrams
Host Name Resolution
Standard Resolution
– Checks local name
– Local HOSTS file
– DNS server
Windows NT Specific Resolution
– NetBIOS cache
– WINS server
– b-node broadcasts
– LMHOSTS file (NetBIOS name)
Routing Packets
– Process of moving a packet from one network to another toward its destination
– RIP, OSPF, BGP
– Dynamic routing
– Static routing
– Source routing
Static Routing Tables
– Every host maintains a routing table
  • Use the “route” command in Linux and Windows
– Each row (or “entry”) in the routing table has the following columns:
  • (1) destination address and (2) mask
  • (3) gateway [i.e., the IP address of the host’s gateway/router]
  • (4) interface [i.e., the IP address of a host interface]
  • (5) metric [indicates the “cost” of the route, smaller is better]
– When the host wants to send a packet to a destination, it looks in the routing table to find out how
  • Each OS handles routing somewhat differently
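An added example (not from the slides) of the lookup a host performs over a table with the five columns listed above: the longest matching prefix wins, ties go to the smaller metric, and a gateway of 0.0.0.0 means the destination is directly connected. The table entries and addresses are constructed here.

```python
import ipaddress

# Constructed routing table in the slide's five columns:
# (destination address, mask, gateway, interface, metric); gateway 0.0.0.0 = directly connected
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.1",   "192.168.1.20", 10),   # default route
    ("192.168.1.0", "255.255.255.0", "0.0.0.0",       "192.168.1.20", 1),    # local subnet
    ("10.0.0.0",    "255.0.0.0",     "192.168.1.254", "192.168.1.20", 5),
    ("10.1.2.0",    "255.255.255.0", "192.168.1.253", "192.168.1.20", 5),
    ("127.0.0.0",   "255.0.0.0",     "127.0.0.1",     "127.0.0.1",    1),
]


def lookup(dest: str, routes=ROUTES):
    """Choose the entry a host would use: the longest matching prefix wins,
    and among equally long prefixes the smaller metric wins."""
    ip = ipaddress.ip_address(dest)
    best_key, best_entry = None, None
    for dst, mask, gateway, iface, metric in routes:
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        if ip not in net:
            continue
        key = (net.prefixlen, -metric)
        if best_key is None or key > best_key:
            best_key, best_entry = key, (gateway, iface, metric)
    if best_entry is None:
        return None
    gateway, iface, metric = best_entry
    # On a directly connected network the packet goes straight to the destination
    # (the host ARPs for it); otherwise it is handed to the gateway router.
    next_hop = dest if gateway == "0.0.0.0" else gateway
    return {"next_hop": next_hop, "interface": iface, "metric": metric, "prefixlen": best_key[0]}


if __name__ == "__main__":
    for d in ("192.168.1.40", "10.1.2.9", "10.5.5.5", "8.8.8.8"):
        print(d, lookup(d))
```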
LAN Technologies
– Ethernet: CSMA/CD, occasionally heavy traffic, BUS topology
– ARCnet: token passing, STAR topology
– Token Ring: active monitor, IBM, RING topology
– FDDI: token passing, fast, long distance, predictable, expensive
– Media & Vulnerabilities
  • Attenuation, crosstalk, noise
  • Coax: cable failure & length limits
  • Twisted Pair (Cat 1-7): bending cable, crosstalk, noise
  • Fiber-Optic: cost, high level of expertise required to install
  • Wireless: later
Coaxial Cable
– Two types
  • ThinNet (10Base2): 10 Mbps, 30 nodes per segment, max 180 meters
  • ThickNet (10Base5): 10 Mbps, 100 nodes per segment, max 500 meters
– LAN backbone
– Insecure
  • Coax is easy to splice
Twisted Pair Copper Cable
– Copper wire
– Twist reduces EMI
– Classified by transmission rates
  • Cat3, Cat5, Cat5e, Cat6
Fiber-Optic Cable
– Glass core with plastic shielding
– Small, light, fragile, and expensive
– Very fast transmission rate
– Can transmit data very far
– Immune to interference
– Hard to splice
Security Concerns
– Easy to insert a node or splice into network
– Most attacks involve eavesdropping or sniffing
– Physical security
– War driving
Network Topologies
– BUS
  • Ethernet
– RING
  • Unidirectional
  • FDDI, Token Ring
– STAR
  • Logical BUS tends to be implemented as physical STAR
– TREE
  • Basically a complicated BUS topology
– MESH
  • Multiple computer to computer connections
Hubs & Switches
– Hub:
  • Broadcasts information received on one interface to all other physical interfaces
– Switch:
  • Does not broadcast
  • Uses MAC address to determine correct interface
Unswitched Devices
“Dumb” Devices (forward all packets)
– Layer 1 = Hub, Repeater
  • Technically, a hub passes signals without regenerating them
– Layer 2 = Bridge
  • Connects different types of LANs (e.g., Ethernet and ATM, but not Token Ring if you’re lucky)
“Intelligent” Devices (decide whether to forward packets)
– Layer 3 = Router
  • Use routing table to make decisions
  • Improved performance and security
– Layer 2/3 = Bridge/Router
Switches
– Layer 2 = data link layer (MAC address) = + over hubs/repeaters
  • Systems only see traffic they are supposed to see
  • Unswitched versus switched (full duplex) 10 and 100 Mb Ethernet = 40% of bandwidth versus 95%+ (no collisions)
– Layer 3 = network layer (IP address) = + over routers
  • Routers moved to periphery
  • Virtual LANs (VLANs) become viable
– Layer 4 = transport layer (TCP/UDP/ICMP headers) = + over L3
  • Firewall functionality (i.e., packet filtering)
  • Significantly more expensive
– Layer 5 = session layer and above (URLs) = + over L4 for clusters
  • Application proxy functionality (but MUCH faster than proxies)
  • Special function, cutting-edge = significant specific performance gains
  • 1999/2000: researchers (from IBM & Lucent) designed a layer 5 switch as front-end to a load-balanced 3-node cluster running AIX and Apache:
    ◦ 220% performance increase due to content partitioning
    ◦ 600% performance increase due to SSL session reuse
Firewalls
– Control the flow of traffic between networks
– Internal, External, Server, Client Firewalls
– Traditional Packet filters
– Stateful Packet filters
– Proxy-based Firewalls
Traditional Packet Filters
– Analyses each packet to determine drop or pass
– Source IP, Destination IP, SrcPort, DestPort, Codebits, Protocol, Interface
– Very limited view of traffic
Action   Source    Destination   Protocol   SrcPort   DestPort   Codebits
Allow    Inside    Outside       TCP        Any       80         Any
Allow    Outside   Inside        TCP        80        >1023      ACK
Deny     All       All           All        All       All        All
Stateful Packet Filters
– Adds memory of previous packets to traditional packet filters
– When a packet is part of an initial connection (SYN), it is remembered
– Other packets are analyzed according to previous connections
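An added example (not from the slides) that encodes the rule table from the Traditional Packet Filters slide beside the connection memory described above, so the two can be compared on the same constructed packets: the traditional filter judges an inbound packet only by its source port and ACK bit, while the stateful filter admits it only if an inside host opened that connection with a SYN. The `Packet` class and the addresses are assumptions made here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet carrying just the fields the slide's filter looks at."""
    direction: str        # "in->out" or "out->in"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset      # TCP code bits, e.g. frozenset({"SYN"})


def traditional_filter(p: Packet) -> str:
    """The slide's three rules, evaluated top to bottom; the last rule denies everything else."""
    if p.direction == "in->out" and p.proto == "TCP" and p.dport == 80:
        return "allow"
    if (p.direction == "out->in" and p.proto == "TCP" and p.sport == 80
            and p.dport > 1023 and "ACK" in p.flags):
        return "allow"
    return "deny"


class StatefulFilter:
    """Same rules, plus memory of connections that an inside host opened with a SYN."""

    def __init__(self):
        self.connections = set()     # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, p: Packet) -> str:
        if p.direction == "in->out":
            verdict = traditional_filter(p)
            if verdict == "allow" and p.flags == frozenset({"SYN"}):
                self.connections.add((p.src, p.sport, p.dst, p.dport))
            return verdict
        # inbound packets are judged by the remembered connections, not by their code bits
        if (p.dst, p.dport, p.src, p.sport) in self.connections:
            return "allow"
        return "deny"


def compare(packets, stateful=None):
    """Return (traditional, stateful) verdicts per packet so the two can be read side by side."""
    stateful = stateful or StatefulFilter()
    return [(traditional_filter(p), stateful.decide(p)) for p in packets]
```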
Proxy-based (Application) Firewalls
– Focus on application to application
– Can approve:
  • By user
  • By application
  • By source or destination
– Mom calls, wife answers, etc.
Firewall Architectures
– Packet-Filtering Routers
  • Oldest type, sits between “trusted” & “untrusted” networks
– Screened-Host Firewalls
  • Between a trusted network host and untrusted network
– Dual-Homed Host Firewalls
  • Two NICs, IP forwarding, NAT translation
– Screened-Subnet Firewalls
  • Two screening routers on each side of bastion host
  • DMZ
Security
– Encryption: symmetric vs asymmetric, hash codes
– Application Layer
  • PGP, GnuPG, S/MIME, SSH
– Session Layer: Secure Socket Layer (SSL)
  • Digital certificates to authenticate systems and distribute encryption keys
  • Transport Layer Security (TLS)
– Network-IP Layer Security (IPSec)
  • AH: digital signatures
  • ESP: confidentiality, authentication of data source, integrity
IPSec Authentication Header (AH)
Next Header | Payload Length | Reserved
Security Parameters Index (SPI)
Sequence Number Field
Authentication Data (variable number of 32 bit words)
IPSec: Encapsulating Security Payload (ESP)
Security Parameters Index (SPI)
Sequence Number Field
Opaque Data, variable length
Padding | Pad Length | Next Header
Authentication Data
Introduction to the TCP/IP Standard Applications
– DHCP – provides for management of IP parameters.
– TELNET – provides remote terminal emulation.
– FTP – provides a file transfer protocol.
– TFTP – provides for a simple file transfer protocol.
– SSH – encrypted remote terminal & file transfer.
– SMTP – provides a mail service.
– DNS – provides for a name service.
DHCP Operation
Figure: exchange between a DHCP Client and two servers, DHCP Server A and DHCP Server B.
– Client broadcasts DHCP Discover (to the broadcast address, FFFFFF in the figure)
– DHCP Server A replies with DHCP A Offer (IP addr)
– DHCP Server B replies with DHCP B Offer (IP addr)
– Client sends DHCP Request (A), choosing server A’s offer
– DHCP Server A replies with DHCP A ACK
TELNET
Figure: a TELNET client on one host connects to a TELNET server on another host.
File Transfer Protocol (FTP)
Figure: a client transfers files to and from storage on a host (TFTP – uses UDP).
Simple Mail Transfer Protocol (SMTP)
– Basic RFCs: 821, 822, 974.
– Very fast and capable of delivery guarantee depending on client & server.
– Primary protocols used for today’s email:
  • SMTP – operates over TCP, used primarily as the send protocol
  • POP – operates over TCP, basic receive protocol
  • IMAP – allows remote storage
  • Exchange – calendar, contacts, storage, news
  • HTTP – web interface
– Problems:
  • Phishing, viruses, no built-in protection for “stupidity”
  • Client software glitches
Post Office Protocol (POP)
– SMTP is set up to send and receive mail by hosts that are up full time.
  • No rules for those hosts that are intermittent on the LAN
– POP emulates you as a host on the network.
  • It receives SMTP mail for you to retrieve later
– POP accounts are set up for you by an ISP or your company.
– POP retrieves your mail and downloads it to your personal computer when you sign on to your POP account.
POP Operation
Figure: the exchange between a POP Client and a POP Server.
– Client: TCP port 110 connection attempt. Server: “POP3 server ready” reply, then wait for authentication.
– Client: send authentication. Server: process authentication and, if okay, enter transaction state; lock mailbox for user; assign message numbers.
– Client: retrieve all messages. Server: send messages.
– Client: send QUIT command. Server: delete (possibly) messages; quit received; perform update on mailbox.
– Session closed; client reads messages locally.
SMTP, DNS, and POP Topology
Figure: your PC sends mail to your ISP by SMTP and retrieves mail from your ISP’s POP server (mailboxes mnaugle, user1, user2). Your ISP’s DNS consults the root DNS across the Internet to find the remote ISP, and the message is sent there by SMTP (POP3/SMTP at the ISP). The remote ISP’s DNS and POP server let Joe retrieve the mail (mailbox joe) on Joe’s PC.
IPv6
– IPv6 features:
  • 128 bit address space
  • 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
  • ARP not used; “Neighbor Discovery Protocol”
– IPv6 addressing:
  • Unicast: a one-to-one IP transfer
  • Multicast: a one-to-many-but-not-all transfer
  • Anycast: a one-to-many-but-not-all transfer (nearest in group)
  • No broadcast
References
– RFCs: 1180 – A TCP/IP Tutorial; 1812 – IP Version 4 Routers; 1122 – Requirements for Internet Hosts: Communication Layers; 1123 – Requirements for Internet Hosts: Application & Support; 826 – Address Resolution Protocol; 791 – IP addressing; 950 – Subnetting; 1700 – Assigned Numbers
– TCP/IP 24/7 (ISBN: 0782125093)
– MCSE TCP/IP for Dummies: Cameron Brandon
– Illustrated TCP/IP: Matthew Naugle