NETWORK FUNDAMENTALS

Agenda
In this section
• TCP/IP
• Network structure
• Common Protocols
• Basic Windows communications
• Firewalls

TCP/IP

What is TCP/IP
Transmission Control Protocol / Internet Protocol
• Created by the Advanced Research Projects Agency (ARPA)
• Used in the first computer network, the ARPANET
• Later used to construct the global Internet
• The TCP/IP name is taken from the two fundamental protocols, TCP and IP

TCP/IP Protocol Stack
[Diagram: the TCP/IP protocol stack mapped onto the seven OSI layers]
• Application Level Protocols (OSI 7. Application, 6. Presentation, 5. Session): FTP, SMTP, DNS, HTTP, Telnet
• Transport (OSI 4): TCP, UDP
• IP Level Protocols (OSI 3. Network): IP, ICMP, IGMP
• Data Link (OSI 2): IP over Ethernet, IP over Serial Line
• Physical/HW (OSI 1): Ethernet Adapter, Analog Modem

Internet Protocols: TCP & UDP
TCP (Transmission Control Protocol) is a connection-oriented transport protocol
• It is reliable and ordered, but fairly heavy
• Used by Telnet, FTP, SSH, HTTP etc.
UDP (User Datagram Protocol) is a connectionless transport protocol
• UDP is much lighter than TCP, but it is unreliable and not ordered
• Used by TFTP, DNS etc.

Internet Protocols: ICMP, AH & ESP
ICMP (Internet Control Message Protocol) is used for diagnostic and management purposes
• IP's internal network management protocol; not intended for use by applications
• Two well-known exceptions are the ping and traceroute diagnostic utilities
ESP (Encapsulating Security Payload) and AH (Authentication Header) are the protocols used by IPSec
• Protocols for securing packet flows, plus key exchange protocols used for setting up those flows
• Can be used to protect TCP- and UDP-based protocols

TCP/IP Packet Encapsulation
[Diagram: each layer wraps the unit of the layer above in its own header]
Application stream (e.g. http://www.f-secure.com) → TCP segment (TCP header + stream data) → IP datagram (IP header + TCP segment) → Ethernet frame (ENet header + IP datagram)

IP Packet Format
[Diagram: IPv4 header, one 32-bit word per row]
Bits 0–31:    Version (4) | IHL (4) | TOS (8) | Total Length (16)
Bits 32–63:   Identification (16) | Flags (3) | Fragment offset (13)
Bits 64–95:   TTL (8) | Protocol (8) | Header Checksum (16)
Bits 96–127:  Source address (32-bit)
Bits 128–159: Destination address (32-bit)
Bits 160–:    Options, then Payload

TCP and UDP Headers
[Diagram: TCP header, one 32-bit word per row]
Bits 0–31:    TCP Source Port (16) | TCP Destination Port (16)
Bits 32–63:   Sequence Number (32)
Bits 64–95:   Acknowledgment Number (32)
Bits 96–127:  Offset (4) | Reserved (6) | Flags (6) | Window (16)
Bits 128–159: Checksum (16) | Urgent Pointer (16)
Bits 160–:    Options, then Payload
[Diagram: UDP header, 64 bits]
Bits 0–31:    UDP Source Port (16) | UDP Destination Port (16)
Bits 32–63:   Length (16) | Checksum (16)
Bits 64–:     Payload

NETWORK STRUCTURE

IP Addresses
A unique number used by computers to refer to each other when sending information through the Internet
The network layer protocol in use today is IPv4 (32 bits), but since the Internet is slowly running out of addresses, IPv6 is proposed as a successor with its 128-bit addresses
• The 32-bit IP address is grouped eight bits at a time, separated by dots, and represented in decimal format (known as dotted decimal notation)

IP Address Classes
• IP addressing supports five different address classes: A, B, C, D, and E.
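The encapsulation and header layouts above, worked through in code as an added example (not part of the original slides): a parser for the fixed IPv4, TCP and UDP headers with the RFC 791 header checksum, plus a constructed sample packet. The addresses, ports and payload in the sample are constructed for illustration.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of the header's 16-bit words.
    Run over a header whose checksum field is already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet: bytes):
    """Split an IP datagram into the header fields of the slide and the encapsulated payload."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4              # IHL counts 32-bit words; 5 -> 20-byte header
    fields = {"version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len,
              "identification": ident, "flags": flags_frag >> 13,
              "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
              "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
              "checksum_ok": ipv4_checksum(packet[:ihl]) == 0}
    return fields, packet[ihl:total_len]    # payload: the TCP segment or UDP datagram

def parse_tcp(segment: bytes):
    """TCP header: ports, sequence/acknowledgment numbers, offset, flags, window, checksum, urgent pointer."""
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    offset = (off_flags >> 12) * 4          # data offset in 32-bit words; options follow the 20 fixed bytes
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "window": window, "checksum": csum,
            "urgent": urg, "payload": segment[offset:]}

def parse_udp(datagram: bytes):
    """UDP header: 8 bytes holding source port, destination port, length and checksum."""
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "payload": datagram[8:length]}

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed sample: a TCP SYN (offset 5, flag 0x02) inside an IPv4 datagram; the TCP checksum
    is left at 0 because it needs the pseudo-header, which the slide does not cover."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0x1000, 0, (5 << 12) | 0x02, 8192, 0, 0) + payload
    to_bytes = lambda addr: bytes(int(o) for o in addr.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                      to_bytes(src), to_bytes(dst))  # version 4, IHL 5, DF set, TTL 64, protocol 6 = TCP
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill in the checksum field
    return hdr + tcp

if __name__ == "__main__":
    ip, seg = parse_ipv4(build_ipv4_tcp("192.168.100.10", "193.110.109.50", 1029, 80, b"GET"))
    print(ip, parse_tcp(seg))
```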
Only classes A, B, and C are available for commercial use

Network and Host Address
The ranges for the address classes are:
• Class A: 0.0.0.0 – 127.255.255.255
• Class B: 128.0.0.0 – 191.255.255.255
• Class C: 192.0.0.0 – 223.255.255.255
[Diagram: address layout per class]
• Class A: leading bit 0, 7-bit Network ID, 24-bit Host ID
• Class B: leading bits 10, 14-bit Network ID, 16-bit Host ID
• Class C: leading bits 110, 21-bit Network ID, 8-bit Host ID

Private and Public Network
Some IP addresses are reserved for private use; they are not routed on the Internet
• Used in intranets and test environments
Private addresses
• 127.0.0.1 (localhost)
• 10.0.0.0 … 10.255.255.255 (Class A)
• 172.16.0.0 … 172.31.255.255 (Class B)
• 192.168.0.0 … 192.168.255.255 (Class C)

Network Address Translation (NAT)
Communication from a private address (inside a LAN) to a public address (on the Internet), and vice versa, requires Network Address Translation (NAT)
[Diagram: Dynamic NAT between a Workstation on the LAN and Server(s) on the Internet, using a pool of public IPs, 194.197.29.0/26]
• Workstation → NAT: S: Workstation, D: Server
• NAT → Server: S: 194.197.29.1, D: Server
• Server → NAT: S: Server, D: 194.197.29.1
• NAT → Workstation: S: Server, D: Workstation

PAT and NAT Alternatives
• Static NAT enables access to a private network from a public network
• Dynamic NAT enables access to a public network from a private network
• Port Address Translation (PAT)
[Diagram: PAT between a Workstation and Server(s) using a single public IP, 194.197.29.1]
• Workstation → PAT: S: Workstation:1029, D: Server:80
• PAT → Server: S: 194.197.29.1:6855, D: Server:80
• Server → PAT: S: Server:80, D: 194.197.29.1:6855
• PAT → Workstation: S: Server:80, D: Workstation:1029

Network Mask and Subnets
Networks are split into smaller subnets by "borrowing" bits from the host block for the network block
The network mask is used to communicate how much of the address is reserved for the network and how much for the host
• Each network class has a default subnet mask
• Class A: 255.0.0.0 (8 bits)
• Class B: 255.255.0.0 (16 bits)
• Class C: 255.255.255.0 (24 bits)
• Thus a class C network with mask 255.255.255.192 (e.g. 192.168.100.0/26) will split the network into four subnets

NSC Notation
NSC Notation is another, shorter way to express IP network masks; it shows how many of the bits are reserved for the network mask
• An IP address (up to 255.255.255.255) is a 32-bit number (2^32 values)
• For example, 255.255.255.0 is /24
• Note that 0.0.0.0/0 means any IP address
Usually the NSC notation for a given network mask is looked up from a notation table

Initiator / Responder, Outbound / Inbound
[Diagram: the Initiator sends outbound traffic to the Responder; the Responder's replies are inbound traffic at the Initiator]
INITIATOR always starts the communication
RESPONDER is the host that the initiator connects to
OUTBOUND traffic is outgoing packets originated by the initiator
INBOUND traffic is incoming packets originated by other parties

Ports in TCP/UDP
[Diagram: Initiator port >1023 ↔ Responder port X]
The Initiator opens a connection
• From a dynamic port (>1023) to a fixed port (X) that the responder listens on
The Responder replies
• From the fixed port (X) to the dynamic port (>1023)

TCP/UDP Ports
Assigned by IANA
Port ranges
• 0 … 1023 Well Known Ports, assigned by the IANA
• 1024 … 49151 Registered Ports
• 49152 … 65535 Dynamic Ports
Some familiar TCP and UDP ports and their numbers:
• ftp-data 20/tcp File Transfer [Data]
• ftp 21/tcp File Transfer [Control]
• ssh 22/tcp SSH Remote Login Protocol
• smtp 25/tcp Simple Mail Transfer Protocol
• http 80/tcp Hypertext Transfer Protocol
• netbios-ns 137/udp NETBIOS Name Service

COMMON PROTOCOLS

Telnet and SSH
Telnet
• Allows terminal sessions to remote systems
• Authentication and all data is in plain text
• TCP port 23
Secure Shell (SSH)
• Allows fully encrypted terminal sessions to remote systems
• Can be used to tunnel TCP connections through the encrypted connection
• Encrypted file transfer (SFTP) is also available
• TCP port 22

HTTP and HTTPs
Hypertext Transfer Protocol (HTTP)
• Used when browsing web pages
• All transmitted data is unencrypted
• TCP port 80
Secure Socket Layer (SSL)
• Also known as Secure HTTP (HTTPs)
• Encrypted variant of the HTTP protocol
• All transmitted data is encrypted
• TCP port 443

SMTP, POP and IMAP
Sending (SMTP)
• Simple Mail Transfer Protocol
• Clients transfer emails to the mail server
• The server also sends and receives mail to/from other servers
• Authentication is optional, but unencrypted
Receiving (POP and IMAP)
• Post Office Protocol and Internet Mail Access Protocol
• Clients receive mail from the mail server (POP) or manage the mail on the mail server (IMAP)
• Authentication and all data transfer is normally unencrypted, but encryption is optional

Domain Name System (DNS)
Used to translate human-readable host names to computer-friendly IP addresses and vice versa (reverse DNS)
• www.f-secure.com is 193.110.109.50 (resolved through Winsock)
• The DNS server stores the information
• Servers exchange DNS information with other DNS servers
Clients ask the server for information
• nslookup
DNS mostly uses UDP but will, if needed, fall back to TCP

File Transfer Protocol (FTP)
Widely used to transport large data files
• Two modes
• Active FTP
• Passive FTP
Authentication and all transferred data is unencrypted

Active FTP
[Diagram: FTP Client (ports n > 1023 and n+1) and FTP Server (ports 21 and 20); Control connection n → 21, Data connection 20 → n+1]
Control
• Client connects from a random port (n) to server port 21 and sends port information (PORT n+1) to the server
• Client starts listening on the specified port (n+1)
Data
• Server connects from port 21 to the client, opening a data connection to the negotiated port (n+1)

Passive FTP
[Diagram: FTP Client (ports n > 1023 and n+1) and FTP Server (ports 21 and p > 1023); Control connection n → 21, Data connection n+1 → p]
Control
• Client connects from a random port (n) to the server's port 21
• Server starts listening on a random port (p)
Data
• Client connects from a random port (n+1) to the server's random port (p)

BASIC WINDOWS COMMUNICATION

Microsoft Windows Networking and WINS
Microsoft Windows Networking
• Can be transmitted over IP/NetBEUI/IPX
• Used e.g. during domain login, when browsing the Network Neighborhood, and when sharing files or printers
Windows Internet Name Service (WINS)
• Used to provide NetBIOS network clients with name-to-IP and IP-to-name translation
• Clients inform the WINS server about their names and IP addresses
• The WINS server stores all name-to-IP and IP-to-name information
• Clients can query this information from the server

Server Message Block (SMB)
Client/server protocol that provides file and print sharing between computers
• Used directly over TCP or over NetBIOS
Windows 2000 and later use SMB over TCP, which brings the following advantages
• Simplifies transport of SMB traffic, as no NetBIOS is needed
• Removes WINS and NetBIOS broadcasts as a means of name resolution
• Standardizes name resolution on DNS for file and printer sharing
• Uses port 445

Remote Procedure Call (RPC)
Allows a computer program running on one host to run code on another host without the programmer needing to explicitly code for this
• Not a protocol in itself but a paradigm for implementation
• Used by services like DNS (Domain Name System)
• RPC and DCOM (Distributed Component Object Model) use port 135
RPC over HTTP
• HTTP wrapper around the RPC traffic (in practice usually uses HTTPs and thus port 443)
• Used between Outlook clients and Exchange Servers (version 2003)
• Alternative to OWA (Outlook Web Access) or VPN

FIREWALLS

Firewall Basics
A firewall is a protective entry point which controls all incoming and outgoing network traffic
Firewalls are used to guard against unauthorized access to networks and/or hosts
• Protect hosts against vulnerabilities of the OS or applications
• Protect against insecure configurations of a host
• Enforce security policy

Firewall Basics
Firewalls are configured with a list of rules
• The rules are read from top to bottom and the first rule which matches is applied
• Often the last rule denies all traffic
The rules can be based on
• Source/destination IP address
• Source/destination protocol
• Source/destination port

Testing Firewall Settings
Regular testing
• It is very important to check the configuration
• Should be defined in the company security policy
There are many tools that can be used to test the configuration
• Cisco Secure Scanner
• ISS (Internet Security Scanner)
• nmap, Nessus

Types of Firewalls: Technology
Firewall technologies are often classified as
• Firewalls based on packet filtering
  • Rules are based on IP address, protocol and port
• Firewalls based on circuit relay
  • Rules are also based on time, user account and password
• Application level firewalls
  • Also act as a proxy and inspect the content of the traffic

Static Packet Filter
[Diagram: client and server OSI stacks (Application … Physical) with the firewall between them implementing only the Transport, Network, Data Link and Physical layers]
Acts on OSI layer 3 (network layer)
• Source and destination IP address/port
• Protocol, flags, sequence and acknowledgement numbers
• ICMP code and type number

Multi Level Filtering
[Diagram: Telnet, FTP and HTTP traffic passing through a firewall that implements all seven OSI layers (Application … Physical) between client and server]
Inspects the traffic on all layers
• Application level restrictions are possible; only certain commands can be allowed
• Slower than packet filtering

Types of Firewalls: Network Role
Firewalls can also be classified based on their role in the network topology
• Perimeter firewalls (or traditional firewalls)
  • Mostly dedicated hosts at the border of the network
• Personal firewalls
  • Run on an end user's host and are installed and configured by the end user
• Distributed firewalls
  • Run on each host and are deployed and configured centrally

The Evolution of Firewalls
[Diagram: users On the Road, at the Home Office and at the Corporate Office]

Mobility Dilemma
[Diagram: users On the Road and at the Corporate Office]

What a Firewall Doesn't Protect From
Attacks that don't go through the firewall
• Backdoors, (personal) modems and RAS (remote access servers)
Content-based attacks
• Macros etc.
• Some firewalls are able to filter out some content, such as ActiveX and Java
Insider attacks in your network
• Social engineering
No firewall can protect against inadequate or mismanaged policies
• A firewall, like all security software, is a tool, not a magic bullet

Summary
In this section
• TCP/IP
• Network structure
• Common Protocols
• Basic Windows communications
• Firewalls
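As an added example (not from the slides) for the subnet mask, NSC notation and firewall rule slides: mask-to-prefix conversion, the class C network split into four /26 subnets, and a first-match rule evaluator with an implicit deny-all. The rule base and the LAN address 192.168.100.0/26 are assumptions; the public pool 194.197.29.0/26 is the one from the NAT slide.

```python
import ipaddress
from dataclasses import dataclass

def mask_to_prefix(mask: str) -> int:
    """Dotted network mask to prefix length: 255.255.255.0 -> 24, as on the NSC notation slide."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen

def split_network(network: str, mask: str) -> list:
    """Borrow host bits: 192.168.100.0/24 with mask 255.255.255.192 yields four /26 subnets."""
    net = ipaddress.IPv4Network(network)
    return [str(s) for s in net.subnets(new_prefix=mask_to_prefix(mask))]

ANY_PORT = range(0, 65536)
@dataclass
class Rule:
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp", "icmp" or "any"
    src: str         # source network in prefix notation; 0.0.0.0/0 means any address
    dst: str         # destination network in prefix notation
    dport: range     # destination port range (the responder's fixed port)

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and dport in self.dport)

def evaluate(rules: list, proto: str, src: str, dst: str, dport: int) -> str:
    """Rules are read top to bottom and the first match is applied; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"                       # implicit final deny-all rule

# Constructed rule base (assumed, not from the slides): LAN 192.168.100.0/26 behind the
# firewall, public pool 194.197.29.0/26 as on the NAT slide, one mail server in the pool.
RULES = [
    Rule("allow", "tcp", "192.168.100.0/26", "0.0.0.0/0", range(22, 23)),     # outbound SSH
    Rule("allow", "tcp", "192.168.100.0/26", "0.0.0.0/0", range(80, 81)),     # outbound HTTP
    Rule("allow", "tcp", "192.168.100.0/26", "0.0.0.0/0", range(443, 444)),   # outbound HTTPS
    Rule("allow", "tcp", "0.0.0.0/0", "194.197.29.0/26", range(25, 26)),      # inbound SMTP
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", ANY_PORT),                  # explicit deny-all
]

if __name__ == "__main__":
    print(split_network("192.168.100.0/24", "255.255.255.192"))
    print(evaluate(RULES, "tcp", "192.168.100.10", "193.110.109.50", 443))   # allow
    # active FTP data connection (server port 20 -> client port n+1) is inbound and unmatched
    print(evaluate(RULES, "tcp", "193.110.109.50", "192.168.100.10", 1030))  # deny
```

The last call shows why active FTP fails through a static filter with this policy: the server-initiated data connection is inbound traffic that no rule allows, whereas passive FTP's client-initiated data connection matches an outbound rule if its port is permitted.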