Instructor's Manual
Module A: Networking Concepts
Answer Key
Corporate Computer Security, 4th Edition
Randall J. Boyle and Raymond R. Panko
Copyright © 2015 Pearson Education, Inc.

Introduction

1. a) What is an octet?
A collection of 8 bits.
b) What is a host?
Any device with an IP address.
c) Is a home PC connected to the Internet a host?
Yes.
d) Distinguish between the terms internet and Internet.
When the term is spelled with a lowercase "i," it refers to any internet or the internet layer. When it is spelled with an uppercase "I," it refers to the global Internet.

A Sampling of Networks

A Simple Home Network

2. a) What are the functions of an access router? Explain each function in one sentence.
It is a switch, a wireless access point (sometimes), a router to connect the firm to the Internet, a DHCP server, and a NAT provider.
b) Describe the technology of 4-pair UTP wiring.
A UTP cord contains eight copper wires organized as four pairs. The two wires of each pair are twisted around each other several times an inch to reduce interference.
c) What is an Internet access line?
A transmission line that connects a home or business to its Internet service provider.
d) What is a broadband modem?
A broadband modem transmits signals over a broadband access line.
e) Why is wireless transmission dangerous?
Eavesdroppers can intercept wireless transmissions.

A Building LAN

3. a) What is a local area network?
A local area network (LAN) is a network that operates on the customer's premises.
b) What is the customer premises?
The land and buildings owned by the corporation.
c) Distinguish between workgroup switches and core switches.
Workgroup switches connect users to the network. Core switches connect switches to other switches.
d) Why is UTP dangerous?
It is easy to tap, and it generates signals that can be picked up even without tapping the UTP cord.
e) Why is 802.1X needed?
Most switches today have 802.1X capability, which requires any device connecting to a wall jack to authenticate itself before being allowed to transmit beyond the switch.

A Firm's Wide Area Networks (WANs)

4. a) Distinguish between LANs and WANs.
LANs operate within a company's premises. WANs connect different premises.
b) Why do companies use carriers for WAN transmission?
They lack the right of way to lay communication facilities between sites.
c) What two WAN technologies are illustrated in the figure (Figure A-4)?
Point-to-point networks and public switched data networks (Frame Relay).
d) Why is carrier WAN traffic generally considered safe?
Access to the network is limited, and internal routing is hidden.

The Internet

5. a) Which organization created the Internet?
The Defense Advanced Research Projects Agency.
b) What is the function of a router?
To connect networks together.
c) Distinguish between frames and packets.
Frames are messages sent through LANs or WANs. Packets are messages sent through an internet. Packets are carried within frames.
d) If two hosts are separated by five networks, how many packets will there be along the way when a host transmits a packet to another host?
One.
e) If two hosts are separated by five networks, how many frames will there be along the way when a host transmits a packet to another host?
Five.
f) Why was intranet security initially light?
It was believed that attackers would have a difficult time getting into an intranet. This belief has since been called into question.

Applications

6. a) What type of application usually generates the most traffic in an organization?
Business-specific applications.
b) Why is managing application security time-consuming?
There are many applications to protect.
Network Protocols and Vulnerabilities

Inherent Security
Security Explicitly Designed into the Standard
Security in Older Versions of the Standard
Defective Implementation

7. List the four security problems with protocols. Write one sentence describing each.
Some protocol designs are inherently insecure. Others have had security added, but in an awkward way that causes problems. Security in older versions of a standard may still be causing problems. Defective implementation of a standard can lead to insecure products based on secure protocols.

Core Layers in Layered Standards Architectures

8. a) What are the three core standards layers?
Single network, internet, and application.
b) Distinguish between the single-network core layer and the internet core layer.
The single-network core layer is responsible for delivering frames within LANs or WANs. The internet core layer is responsible for delivering packets from source host to destination host across an internet.
c) At what core layer do you find LAN standards?
Single network.
d) At what core layer do you find WAN standards?
Single network.
e) At what core layer do you find standards for the global Internet?
Internet.

Standards Architectures

9. What is a standards architecture?
A standards architecture is a broad layering plan that specifies layers. Later, standards are created for individual layers.

The TCP/IP Standards Architecture

10. a) Which organization creates Internet standards?
The Internet Engineering Task Force.
b) What is the name of its standards architecture?
TCP/IP.
c) What is an RFC?
RFC stands for Request for Comments. It is a document containing a proposed standard and other information.
d) How can you tell which RFCs are Internet Official Protocol Standards?
Periodically, the IETF issues an RFC listing the Internet Official Protocol Standards.

The OSI Standards Architecture

11. a) What two standards agencies govern OSI? (Just give their acronyms.)
ISO and ITU-T.
b) Distinguish between OSI and ISO.
OSI is the architecture. ISO is one of the two standards agencies responsible for OSI.
c) How many layers does the OSI architecture have?
7.
d) Which of these layers are similar to the layers in TCP/IP?
Physical, data link, internet, and transport.
e) Compare the TCP/IP application layer with comparable OSI layers.
TCP/IP has a single application layer. OSI has three standards layers: session, presentation, and application.

The Hybrid TCP/IP-OSI Architecture

12. a) What architecture do most firms actually use?
The hybrid TCP/IP-OSI architecture.
b) In the hybrid TCP/IP-OSI architecture, which layers come from OSI?
Physical and data link.
d) From what standards architecture do application layer standards come?
Both OSI and TCP/IP standards are used, often in combination.

Single-Network Standards

13. What two layers define LAN and WAN standards?
Physical and data link.

The Data Link Layer

14. What is a data link?
The path a frame takes across a single network, from the source host to the destination host, across multiple switches.

The Physical Layer

15. a) Distinguish between physical links and data links.
Physical links connect adjacent devices. Data links are paths between the source host and destination host, usually across multiple physical links.
b) What advantage of optical fiber over UTP was listed in the text?
UTP cords act like radio antennas when they carry signals, allowing people to intercept UTP signals by placing devices near (but not touching) the cord. Optical fiber requires physically tapping into the fiber cords.
c) Why is spread-spectrum transmission used in wireless LANs?
To reduce transmission problems.
d) Why are switch supervisory frames needed?
They are needed to allow the network to run efficiently.
e) Why does optical fiber have better inherent security than UTP?
Optical fiber signals cannot be read without physically tapping the fiber cord. UTP signals can be read without tapping the cord.
f) What dangers does radio transmission create?
Radio signals can be intercepted easily.
g) Does spread spectrum transmission in commercial wireless LANs provide security?
No.
h) Why is the 802.1AE standard necessary?
The 802.1AE LAN security standard is designed to limit switch-to-switch communication to authenticated switches, thus preventing attacks based on impersonating switches.

Internetworking Standards

16. a) Why was IP made to be a very simple standard?
The standards developers could not assume much functionality in the individual networks through which IP packets would travel.
b) Why was complexity needed in the TCP standard?
To add error correction and other desirable features that IP did not offer.

The Internet Protocol (IP)
The IP Version 4 Packet
The First Row
The Second Row
The Third Row
Options

17. a) If the header length field's value is 6 and the total length field's value is 50, how long is the data field? Show your work.
Header length is 6 x 4 = 24 octets.
Total length = 50 octets.
Data field is 50 – 24 = 26 octets.
b) What is the general function of the second row in the IPv4 header?
To handle fragmentation and reassembly.
c) Why is a TTL field needed?
So that misaddressed packets will not circulate endlessly.
d) If a router receives a packet with a TTL value of 1, what will it do?
It decreases the TTL value to 0 and then drops the packet.
e) What does the protocol field in the IP header tell the destination host?
What is in the data field.
f) How is the header checksum field used?
To determine if there is a header error, which might cause routing problems. If an error is found, the router or destination host drops the packet.
g) Are IPv4 options used frequently?
No.
h) Why is fragmentation a threat indication?
Hackers use it so that firewalls cannot see entire packets.
i) How can attackers use the TTL field to map a network?
The attacker keeps sending packets to an IP destination address. In each successive packet, the TTL field is increased by one. The router that sets the TTL value to zero and drops the packet sends the attacker an ICMP message that contains the router's IP address. Each packet reveals one more router along the route to the destination host. Doing this with different destination hosts will map a good deal of the network.

The Source and Destination IP Addresses
Masks
IP Version 6

18. a) How long are traditional IP addresses?
32 bits long.
b) What are the three parts of an IP address?
Network part, subnet part, and host part.
c) Why are masks needed?
To identify the size of the network part or of the network and subnet parts.
d) What is the main advantage of IPv6?
It will support many more possible IP addresses.

IPsec

19. a) In what sense is IPsec a general protection strategy for all internet, transport, and application protocols?
It provides transparent protection to everything in the packet's data field. This definitely includes the transport and application protocols. It may include the entire IP packet.
b) Does IPsec work with IPv4, IPv6, or both?
Both.
c) Compare IPsec transport mode and tunnel mode.
In transport mode, there is protection all the way from the source host to the destination host. In tunnel mode, there is only protection between sites and none within sites. Transport mode gives stronger protection but is much more expensive to implement. In addition, firewalls cannot easily filter transport mode traffic, which is unreadable unless the firewall has the decryption key for the communication.

The Transmission Control Protocol (TCP)

20. a) How many TCP/IP transport layer protocols are there?
Two (TCP and UDP).
b) What is a TCP message called?
A TCP segment.

TCP: A Connection-Oriented and Reliable Protocol

21. a) Describe a TCP session opening.
One side sends a TCP SYN segment to indicate that it wishes to open a connection. The other side sends back a TCP SYN/ACK segment to indicate its willingness. The original side then sends an ACK to acknowledge the receipt of the SYN/ACK.
b) Describe a normal TCP closing.
One side sends a TCP FIN segment, and the other side sends an ACK. The other side may continue to send content segments. The original side will continue to respond with ACKs. Later, the other side sends a TCP FIN segment, and the original side sends a TCP ACK.
c) Describe an abrupt TCP closing.
One side sends a TCP RST segment. There is no acknowledgement or any other further communication.
d) Describe how reliability is implemented in TCP.
If a TCP process on the destination host correctly receives a TCP segment, it sends an acknowledgement to the sender. If the original sender does not receive an ACK promptly, it retransmits the segment.
e) Describe a TCP half-open DoS attack.
The attacker sends a SYN segment. The victim sends a SYN/ACK and sets aside resources for the connection. The attacker never sends the final ACK. The victim continues to reserve the resources for the connection, and the attacker continues to send SYNs to tie up more resources.
f) What information does a RST segment give an attacker?
The RST segment is carried within an IP packet. Therefore, the attacker learns the IP address of the host sending the RST.

Flag Fields

22. a) What is a flag field?
A one-bit field.
b) What does it mean to say that a flag field is set?
Its value is equal to one.

Sequence Number Field

23. a) A TCP segment carries octets 23,802 through 23,875. What is its sequence number?
23,802.
b) The next segment is a FIN segment that carries no data. What is its sequence number?
23,803.
c) What does an attacker have to predict to be able to do TCP session hijacking?
The sequence number of the next TCP segment to be sent.

Acknowledgment Number Field

24. A TCP segment carries octets 23,802 through 23,875. What will be the acknowledgement number in the TCP segment that acknowledges this segment?
23,876.

Window Field
Options

25. a) What is the purpose of the TCP window field?
To limit the transmission rate of the other host in the connection.
b) How does the window field automatically control congestion?
The window size begins small in order to avoid congestion. If a segment is lost (probably due to congestion), the window size is again set to a small value.
c) Does TCP use options frequently?
Yes.

Port Numbers

26. a) A packet has the source socket 18.104.22.168:47 and the destination socket 10.18.45.123:4400. Is the source host a client or a server? Explain.
The source port number is 47. This is a well-known port number. Therefore, the source host is a server.
b) Is the destination host a client or a server? Explain.
The destination port number is 4400. This is an ephemeral port number, so the destination host is a client.
c) A server sends a packet with the source socket 22.214.171.124:25. What kind of server is it? Explain.
It uses well-known port number 25, which indicates that it is a mail server.
d) What is socket spoofing?
Sending a packet with a false IP address and port number.

TCP Security

27. a) Does TCP have comprehensive security comparable with IPsec for IP?
No.
b) Why is a lack of an automatic key exchange a problem for TCP electronic signatures?
There is none.

The User Datagram Protocol

28. a) What is the attraction of UDP?
It places a small load on the hosts and the network.
b) What kinds of applications specify the use of UDP at the transport layer?
Those that do not need reliability and those that cannot wait for retransmissions of lost or damaged messages.
c) Why is UDP more dangerous than TCP?
TCP's sequence numbers make TCP session hijacking very difficult. UDP lacks this protection.

TCP/IP Supervisory Standards

Internet Control Message Protocol (ICMP)

29. a) What is the TCP/IP internet layer supervisory protocol?
The Internet Control Message Protocol (ICMP).
b) Describe ping.
One side sends an ICMP Echo message. The other side sends back an ICMP Echo Reply message.
c) Describe ICMP error messages.
When a router or destination host must drop a packet, it sends back an ICMP error message.
d) What information does ping give an attacker?
The fact that there is a host at a given IP address.
e) What information does tracert give an attacker?
The route a packet takes to a destination host.
f) What information does an ICMP error message give an attacker?
The IP address of the host sending the error message.

The Domain Name System (DNS)

30. a) Why would a host contact a DNS server?
To learn the IP address of a host to which it wants to send packets.
b) If a local DNS server does not know the IP address for a host name, what will it do?
It will contact one or more other DNS servers.
c) What kind of organization must maintain one or more DNS servers?
An organization with a second-level domain name.
d) What is DNS cache poisoning?
An attacker replaces the IP address of a host name with another IP address.
e) Describe the status of DNSSEC.
It is under development.
f) Why are root servers attacked?
If most or all root servers were taken down, the effectiveness of the DNS system would begin to degrade.

Dynamic Host Configuration Protocol (DHCP)

31. a) What kind of IP addresses do servers get?
Static IP addresses.
b) Why are DHCP servers used?
To give IP addresses to clients.
c) Will a PC get the same dynamic IP address each time it uses the Internet?
Not necessarily.
d) Both DHCP servers and DNS servers give IP addresses. How do these IP addresses differ?
DHCP servers give a host an IP address for the host itself to use. DNS servers give a host the IP address of another host to which the original host wishes to send packets.

Dynamic Routing Protocols

32. a) Why are dynamic routing protocols needed?
So that routers can get information for their routing tables.
b) What is the main TCP/IP interior dynamic routing protocol for large networks?
OSPF.
c) What is the main TCP/IP exterior dynamic routing protocol?
BGP.
d) Why is Cisco's EIGRP attractive?
It is not limited to TCP/IP routing.
e) Is a company free to select its interior dynamic routing protocol, exterior dynamic routing protocol, or both?
Only its interior dynamic routing protocol.
f) How could an attacker use dynamic routing protocols to attack a network?
The attacker could send false routing information to the network's routers.

Simple Network Management Protocol (SNMP)

33. a) What is the purpose of SNMP?
To get configuration information from managed devices on the network and to change the configuration of managed devices.
b) Distinguish between the SNMP GET and SET commands.
GET asks for configuration information. SET tells the managed device to change its configuration.
c) Why do many organizations disable the SET command?
SET is dangerous in terms of what it allows an attacker who can use SET to do.

Application Standards

34. a) Why are there usually two protocols for each application?
Application protocols need a protocol for message delivery and a protocol for message format.
b) In e-mail, distinguish between SMTP and POP.
SMTP is used to send messages. POP is used to download mail from a mail server.
c) Why are Telnet and FTP dangerous?
They have no security, sending passwords in the clear.
d) What secure protocol can be used instead of Telnet and FTP?
SSH (Secure Shell).
e) What is the security standards situation in e-mail?
There is no consensus on e-mail security standards, so the standards are not widely used.

Conclusion

Hands-on Projects

NOTE: Screenshots and IP addresses for individual students will vary.

PROJECT 1

One of the most well-known packet sniffers is Wireshark® (formerly named Ethereal®). This is a flexible and powerful tool. Any network administrator worth his or her salt will know how to run Wireshark. Most professionals use it often. Wireshark has been getting better and better with every release. It will likely be around for a long time as the industry standard.

You will install Wireshark and do a few examples to give you a small taste of what Wireshark can do. In addition to loading Wireshark, you will also have to load WinPCap® in order to actually capture the packets being sent over your network.

1. Download Wireshark from http://www.wireshark.org/download.html.
2. Click Download Windows Installer. (Download the latest stable release.)
3. Click Save.
4. Save the file in your download folder.
5. If the program doesn't automatically open, browse to your downloads folder.
6. Double-click Wireshark-setup-1.8.5.exe. (The software version numbers will be slightly different as newer versions are released.)
7. Install Wireshark and WinPCap.
8. Double-click the Wireshark icon on your desktop.
9. Click Interface List. (This will display a list of all available network interfaces on your computer. You will want to note the description and IP address of the interface with the most traffic. You will need to select this interface in the following steps.)
10. Note the interface with the most traffic. (You will select this interface in the following steps.)
11. Close the Capture Interfaces window.
12. Click Capture, and Options.
13. Select your Network Interface Card (NIC) if it is not already selected.
14. Close ALL other programs you currently have open except your word processing program (e.g., MS Word or OpenOffice Writer).
15. Click Start.
16. Let it run for 30 seconds.
17. While you are waiting, open a Web browser and go to www.Google.com.
18. Return to your Wireshark window.
19. In the file menu, click Capture, and Stop.
20. Scroll up until you see a green and blue area. (These are the packets you captured when you requested Google's main page.)
21. Take a screenshot.
22. Scroll down until you see a line that has GET / HTTP/1.1 in the Info column. (You may have to try more than one until you get to the packet that shows "www.Google.com" in the bottom pane.)
23. Select that row.
24. In the bottom pane, you will see a bunch of numbers to the left. (It's the packet's contents in hexadecimal.) Just to the right, you will see the content of the packet in a column.
25. Select the text: www.Google.com.
26. Take a screenshot.

Note: You just picked packets off your network and looked at their contents. There may have been a lot of traffic that you couldn't interpret. Don't worry about the information on your screen that is difficult to understand. In the next project, you will use a filter to capture only Web traffic going over port 80.

PROJECT 2

In this project, you are going to filter out all the "extra" packets you captured and just look at Web traffic. Too often, you will capture much more information than you will ever want or need. Being able to filter out the traffic you don't want is an important skill.

Wireshark can filter packets by IP address or by port number. A thorough understanding of TCP/IP will greatly aid your understanding of how packet filtering works. There are several great online tutorials available that will teach you the basics of TCP/IP.

Below are instructions on how to filter out all packets except Web traffic by creating a filter for just Port 80. This will capture all the Web traffic going to all the computers on your local network. Reread the last sentence. Yes, you read that correctly: it may even capture Web traffic intended for other computers on your network. This is one of the reasons why packet sniffers are important to learn.

1. With Wireshark open, click Capture, and Options.
2. If you haven't already done so, select your Network Interface Card (NIC) in the Interface drop-down menu at the top of the screen. (Your NIC will undoubtedly have a different name.)
3. Double-click the interface you have selected. (This will allow you to enter a capture filter.)
4. Click Capture Filter.
5. Type "YourName_TCP_port_80" for the filter name. (Replace YourName with your first and last name. In this case, the filter name was RandyBoyle_TCP_port_80.)
6. Type "tcp port 80" in the filter string text box next.
7. Take a screenshot.
8. Click OK.
9. Close all other programs you currently have open except your word processing program (e.g., Microsoft Word, OpenOffice Writer, etc.).
10. Click OK. (You should see the capture filter set.)
11. Click Start.
12. Click "Continue without Saving" when prompted.
13. Open a Web browser and go to www.Microsoft.com.
14. Return to your Wireshark window.
15. Click Capture, and Stop.
16. Scroll down until you see a line that has GET / HTTP/1.1. (You may have to try more than one until you get to the www.Microsoft.com packet.)
17. Select that row.
18. In the bottom pane, you will see a bunch of numbers to the left. (It's the contents of the packet in hexadecimal.) Just to the right, you will see the contents of the packet in a column.
19. Select the text www.Microsoft.com.
20. Take a screenshot.

Project Thought Questions

1. What do the different colors mean in the Wireshark log?
Different color codes help the end user quickly identify specific types of packets. Color coding helps reduce the time it takes to sift through packets.
2. Why does your computer get packets that are addressed to another machine?
Your NIC can pick up all packets sent to it if it is in promiscuous mode.
3. How many packets does your computer send/receive in a single mouse click when you visit a website?
You can get 1,000 or more packets with a single mouse click, depending on the website.
4. Could you organize or filter the traffic to make it easier to understand?
Yes, filters make understanding the types and quantities of traffic going over your network much easier.
5. Why does your computer send so many packets? Why not send just one really big packet?
It sends many smaller packets for a variety of reasons. Some of the packets are sent/received as part of the TCP/IP connection. Other packets are HTML content, pictures, or fragments of larger files. Some networks fragment packets, which would produce even more packets.
6. What do SYN, ACK, FIN, and GET mean?
These are all packets used in the TCP/IP connection. They stand for synchronize (SYN), acknowledgement (ACK), final (FIN), and get (GET).
7. Can you capture all of the packets for an entire network?
Yes, as long as the packets are on your local network, you can capture all packets in promiscuous mode.
8. Can Wireshark automatically resolve the IP address into host names?
Yes, there is an option to automatically resolve all IP addresses on captured packets to hostnames. This option is on the configuration screen.

Perspective Questions

1. What was the most surprising thing for you in this chapter?
Student answers will differ.
2. What was the most difficult thing for you in this chapter?
Student answers will differ.
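The packet fields the two projects inspect in Wireshark, the IPv4 header arithmetic of question 17, the TCP flags and acknowledgement numbers of questions 21 through 24, the well-known versus ephemeral port reasoning of question 26, and the "tcp port 80" capture filter of Project 2, worked through in one added Python example (it is not code from the textbook or this manual; the packet capture, IP addresses and sequence numbers are constructed for the example):

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10   # TCP flag bits (Q22)
FLAG_NAMES = {SYN: "SYN", ACK: "ACK", FIN: "FIN", RST: "RST", PSH: "PSH"}
IPPROTO_TCP = 6   # value of the IPv4 protocol field that means "TCP in the data field" (Q17e)

def data_field_length(header_len_field: int, total_len: int) -> int:
    """Q17a: the header length field counts 32-bit words, total length counts octets."""
    return total_len - header_len_field * 4

def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Over a header whose checksum
    field is already filled in, an undamaged header yields 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(src, dst, sport, dport, flags, seq, ack=0, payload=b"", ttl=64):
    """Constructed IPv4+TCP packet with no options (IHL 5, data offset 5). The TCP
    checksum is left zero; only the IPv4 header checksum is exercised here."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl,
                     IPPROTO_TCP, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip[:10] + struct.pack("!H", ipv4_header_checksum(ip)) + ip[12:] + tcp

def parse_packet(pkt: bytes) -> dict:
    """Decode the fields a sniffer's detail pane shows for one packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_header_checksum(pkt[:ihl]) != 0:   # Q17f: damaged header -> drop it
        raise ValueError("IPv4 header checksum mismatch: packet would be dropped")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    info = {"ttl": pkt[8], "proto": pkt[9], "ip_data_len": total_len - ihl,
            "src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20]))}
    if info["proto"] == IPPROTO_TCP:
        sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
        payload = pkt[ihl + (off >> 4) * 4:total_len]
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, payload=payload,
                    flags=[n for b, n in FLAG_NAMES.items() if flags & b])
        # Q24: the acknowledgement number is the next octet the receiver expects;
        # SYN and FIN each consume one sequence number although they carry no data.
        info["expected_ack"] = seq + len(payload) + (1 if flags & (SYN | FIN) else 0)
    return info

def socket_role(port: int) -> str:
    """Q26: ports 0-1023 are well-known (server side); higher ports are ephemeral."""
    return "server" if port <= 1023 else "client"

def matches_tcp_port(info: dict, port: int) -> bool:
    """Same selection as the Wireshark capture filter 'tcp port <port>' (Project 2)."""
    return info["proto"] == IPPROTO_TCP and port in (info["sport"], info["dport"])

def http_request(payload: bytes):
    """Return (request line, Host header) when the payload starts an HTTP request."""
    lines = payload.split(b"\r\n")
    if not lines[0].startswith((b"GET ", b"POST ", b"HEAD ")):
        return None
    host = next((l.split(b":", 1)[1].strip().decode() for l in lines[1:]
                 if l.lower().startswith(b"host:")), None)
    return lines[0].decode(), host

# Constructed capture: three-way handshake and a GET on port 80, plus one SYN to
# port 443 that the filter must drop. Addresses are made up for this example.
CLIENT, SERVER = "10.18.45.123", "192.0.2.10"
CAPTURE = [
    build_packet(CLIENT, SERVER, 4400, 80, SYN, seq=1000),
    build_packet(SERVER, CLIENT, 80, 4400, SYN | ACK, seq=5000, ack=1001),
    build_packet(CLIENT, SERVER, 4400, 80, ACK, seq=1001, ack=5001),
    build_packet(CLIENT, SERVER, 4400, 80, PSH | ACK, seq=1001, ack=5001,
                 payload=b"GET / HTTP/1.1\r\nHost: www.Microsoft.com\r\n\r\n"),
    build_packet(CLIENT, "192.0.2.20", 4401, 443, SYN, seq=7000),
]

def filtered_summary(capture, port=80):
    """Apply the port filter and summarise each surviving packet as a tuple:
    (source address, role of the source port, flags, IP data length, HTTP request)."""
    rows = []
    for info in map(parse_packet, capture):
        if matches_tcp_port(info, port):
            rows.append((info["src"], socket_role(info["sport"]), info["flags"],
                         info["ip_data_len"], http_request(info["payload"])))
    return rows
```

Calling `filtered_summary(CAPTURE)` keeps the four port-80 packets and drops the port-443 SYN; the last row carries the same `GET / HTTP/1.1` and `www.Microsoft.com` text that Project 2 has you locate in the bottom pane.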