NETWORK FUNDAMENTALS

Agenda
In this section
• TCP/IP
• Network structure
• Common Protocols
• Basic windows communications
• Firewalls
Page 2
TCP/IP
What is TCP/IP
Transmission Control Protocol / Internet Protocol
• Created by the Advanced Research Projects Agency (ARPA)
• Used in the first computer network, the ARPANET
• Later used to construct the global Internet
• The TCP/IP name is taken from its two fundamental protocols, TCP and IP
TCP/IP Protocol Stack
Figure: the TCP/IP protocols mapped onto the seven OSI layers
• Application level protocols (7. Application, 6. Presentation, 5. Session): FTP, SMTP, DNS, HTTP, Telnet
• 4. Transport: TCP, UDP
• IP level protocols (3. Network): IP, ICMP, IGMP
• 2. Data Link: IP over Ethernet, IP over Serial Line
• 1. Physical/HW: Ethernet adapter, analog modem
Internet Protocols:
TCP & UDP
TCP (Transmission Control Protocol) is a connection-oriented transport protocol
• It is reliable and ordered, but fairly heavy
• Used by Telnet, FTP, SSH, HTTP etc.
UDP (User Datagram Protocol) is a connectionless transport protocol
• UDP is much lighter than TCP, but it is unreliable and not ordered
• Used by TFTP, DNS etc.
Internet Protocols:
ICMP, AH & ESP
ICMP (Internet Control Message Protocol) is used for diagnostic and management purposes
• It is IP's internal network management protocol and is not intended for use by applications
• Two well known exceptions are the ping and traceroute diagnostic utilities
ESP (Encapsulating Security Payload) and AH (Authentication Header) are the protocols used by IPSec
• IPSec consists of protocols for securing packet flows and key exchange protocols used for setting up those flows
• Can be used to protect TCP- and UDP-based protocols
TCP/IP Packet Encapsulation
http://www.f-secure.com
Figure: an application stream is carried in a TCP segment, the TCP segment in an IP datagram, and the IP datagram in an Ethernet (ENet) frame, each layer adding its own header.
IP Packet Format
The IPv4 header, row by row (bit widths in parentheses):
• Version (4), IHL (4), TOS (8), Total Length (16)
• Identification (16), Flags (3), Fragment offset (13)
• TTL (8), Protocol (8), Header Checksum (16)
• Source address (32-bit)
• Destination address (32-bit)
• Options (from bit 160)
• Payload
TCP and UDP Headers
TCP header, row by row (bit widths in parentheses):
• TCP Source Port (16), TCP Destination Port (16)
• Sequence Number (32)
• Acknowledgment Number (32)
• Offset (4), Reserved (6), Flags (6), Window (16)
• Checksum (16), Urgent Pointer (16)
• Options (from bit 160)
• Payload
UDP header:
• UDP Source Port (16), UDP Destination Port (16)
• Length (16), Checksum (16)
• Payload (from bit 64)
NETWORK STRUCTURE
IP Addresses
A unique number used by computers to refer to each other when sending information through the Internet
The network layer protocol in use today is IPv4 (32 bits), but since the Internet is slowly running out of addresses, IPv6 is proposed as its successor with 128-bit addresses
• The 32-bit IP address is grouped eight bits at a time, separated by dots, and represented in decimal format (known as dotted decimal notation).
IP Address Classes
• IP addressing supports five different address classes: A, B, C, D, and E. Only classes A, B, and C are available for commercial use
Network and Host Address
The ranges for address classes are:
• Class A: 0.0.0.0 – 127.255.255.255
• Class B: 128.0.0.0 – 191.255.255.255
• Class C: 192.0.0.0 – 223.255.255.255
The leading bits of the address determine its class and the split between Network ID and Host ID:
• Class A: leading bit 0, 7-bit Network ID, 24-bit Host ID
• Class B: leading bits 10, 14-bit Network ID, 16-bit Host ID
• Class C: leading bits 110, 21-bit Network ID, 8-bit Host ID
Private and Public Network
Some IP addresses are reserved for private use; they are not routed on the Internet
• Used in intranets and test environments
Private addresses
• 127.0.0.1 (localhost)
• 10.0.0.0…10.255.255.255 (Class A)
• 172.16.0.0…172.31.255.255 (Class B)
• 192.168.0.0…192.168.255.255 (Class C)
Network Address Translation (NAT)
Communication from a private address (inside a LAN) to a public address (on the Internet), and vice versa, requires Network Address Translation (NAT)
Figure: dynamic NAT with a pool of public IPs (194.197.29.0/26). A packet from the workstation to the server leaves the LAN as S:Workstation D:Server and is rewritten to S:194.197.29.1 D:Server; the reply S:Server D:194.197.29.1 is translated back to S:Server D:Workstation.
PAT and NAT
Alternatives
• Static NAT enables access to a private network from a public network
• Dynamic NAT enables access to a public network from a private network
• Port Address Translation (PAT)
Figure: PAT with a single public IP (194.197.29.1). A packet S:Workstation:1029 D:Server:80 is rewritten to S:194.197.29.1:6855 D:Server:80; the reply S:Server:80 D:194.197.29.1:6855 is translated back to S:Server:80 D:Workstation:1029.
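The PAT exchange in the figure, simulated as a translation table. This is an added example, not part of the original slides; the workstation address 192.168.1.10 and the outside address 203.0.113.9 are made up, 193.110.109.50 stands in for the server. It also shows the defensive side effect of PAT: inbound packets with no matching table entry have nowhere to go and are dropped.

```python
PUBLIC_IP = "194.197.29.1"     # the single public address from the slide

class PatTable:
    """Port Address Translation: many inside hosts share one public IP, told apart by port."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 6855):
        self.public_ip = public_ip
        self.next_port = first_port    # next free public source port (6855 as in the slide)
        self.outbound = {}             # (inside_ip, inside_port, dst_ip, dst_port) -> public_port
        self.inbound = {}              # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Workstation:1029 -> Server:80 leaves as 194.197.29.1:6855 -> Server:80.
        Each new inside connection gets its own public port and a reverse entry."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reply Server:80 -> 194.197.29.1:6855 is rewritten to Server:80 -> Workstation:1029.
        Returns None when no entry matches, i.e. unsolicited inbound traffic is dropped."""
        if dst_ip != self.public_ip:
            return None
        inside = self.inbound.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port) + inside
```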
Network Mask and Subnets
Networks are split into smaller subnets by “borrowing” bits from the host block for the network block
The network mask is used to communicate how much of the address is reserved for the network and how much for the host
• Each network class has a default subnet mask
• Class A: 255.0.0.0 (8 bits)
• Class B: 255.255.0.0 (16 bits)
• Class C: 255.255.255.0 (24 bits)
• Thus a class C network with mask 255.255.255.192 (e.g. 192.168.100.0/26) is split into four subnets
NSC Notation
NSC notation is another, shorter way to express IP network masks: it gives the number of bits reserved for the network part of the address
• An IP address (up to 255.255.255.255) is a 32-bit number (2^32 values)
• For example, 255.255.255.0 is /24
• Note that 0.0.0.0/0 means any IP address
The NSC notation for a given network mask is usually looked up from a notation table
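The classful rules, private ranges, mask conversion and subnet split from the preceding slides, computed instead of looked up from a table. This is an added example, not part of the original slides; it uses only the standard library and generalises the /26 case to any mask length.

```python
import ipaddress

# The private ranges listed on the slide (10/8, 172.16/12, 192.168/16)
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def address_class(addr: str) -> str:
    """Classful lookup from the leading bits: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D" if first < 240 else "E"

def default_mask_bits(cls: str) -> int:
    """Default subnet mask length of the commercial classes."""
    return {"A": 8, "B": 16, "C": 24}[cls]

def is_private(addr: str) -> bool:
    """True when the address falls into one of the non-routed private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)

def mask_to_prefix(mask: str) -> int:
    """255.255.255.192 -> 26. Rejects non-contiguous masks such as 255.0.255.0."""
    bits = int(ipaddress.ip_address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:   # all ones must be leading
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix

def prefix_to_mask(prefix: int) -> str:
    """26 -> 255.255.255.192; 0 -> 0.0.0.0 (any address)."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)

def subnets(network: str, new_mask: str) -> list:
    """Borrow host bits: 192.168.100.0/24 with 255.255.255.192 gives four /26 subnets."""
    net = ipaddress.ip_network(network)
    return [str(s) for s in net.subnets(new_prefix=mask_to_prefix(new_mask))]
```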
Initiator / Responder
Outbound / Inbound
Figure: the initiator sends outbound traffic to the responder; inbound traffic arrives at the initiator from other parties.
INITIATOR always starts the communication
RESPONDER is the host that the initiator connects to
OUTBOUND traffic is outgoing packets originated by the initiator
INBOUND traffic is incoming packets originated by other parties
Ports in TCP/UDP
Figure: initiator port >1023, responder port X
Initiator opens a connection
• From a dynamic port (>1023) to a fixed port (X) that the responder listens on
Responder replies
• From the fixed port (X) to the dynamic port (>1023)
TCP/UDP Ports Assigned by IANA
Port ranges
• 0 … 1023 Well Known Ports, assigned by the IANA
• 1024 … 49151 Registered ports
• 49152 … 65535 Dynamic ports
Some familiar TCP and UDP ports and their numbers:
• ftp-data 20/tcp File Transfer [Data]
• ftp 21/tcp File Transfer [Control]
• ssh 22/tcp SSH Remote Login Protocol
• smtp 25/tcp Simple Mail Transfer Protocol
• http 80/tcp Hypertext Transfer Protocol
• netbios-ns 137/udp NETBIOS Name Service
COMMON PROTOCOLS
Telnet and SSH
Telnet
• Allows terminal sessions to remote systems
• Authentication and all data are in plain text
• TCP port 23
Secure Shell (SSH)
• Allows fully encrypted terminal sessions to remote systems
• Can be used to tunnel TCP connections through the encrypted connection
• Encrypted file transfer (SFTP) is also available
• TCP port 22
HTTP and HTTPs
Hypertext Transfer Protocol (HTTP)
• Used when browsing web pages
• All transmitted data is unencrypted
• TCP port 80
HTTP over Secure Socket Layer (SSL)
• Known as Secure HTTP (HTTPs)
• Encrypted variant of the HTTP protocol
• All transmitted data is encrypted
• TCP port 443
SMTP, POP and IMAP
Sending (SMTP)
• Simple Mail Transfer Protocol
• Clients transfer emails to the mail server
• The server also sends and receives mail to/from other servers
• Authentication is optional, but unencrypted
Receiving (POP and IMAP)
• Post Office Protocol and Internet Message Access Protocol
• Clients retrieve mail from the mail server (POP) or manage the mail on the mail server (IMAP)
• Authentication and all data transfer are normally unencrypted, but encryption is optional
Domain Name System (DNS)
Used to translate human-readable host names to computer-friendly IP addresses and vice versa (reverse DNS)
• www.f-secure.com is 193.110.109.50 (resolved through Winsock)
• The DNS server stores the information
• Servers exchange DNS information with other DNS servers
Clients ask the server for information
• e.g. nslookup
DNS mostly uses UDP but falls back to TCP when needed
File Transfer Protocol (FTP)
Widely used to transport large data files
• Two modes
• Active FTP
• Passive FTP
Authentication and all transferred data are unencrypted
Active FTP
Figure: the FTP client uses port n (> 1023) for control and n+1 for data; the server uses port 21 for control and port 20 for data.
Control
• Client connects from a random port (n) to server port 21 and sends its port information (PORT n+1) to the server
• Client starts listening on the specified port (n+1)
Data
• Server opens the data connection from its data port (port 20 in the figure) to the client's negotiated port (n+1)
Passive FTP
Figure: the FTP client uses port n (> 1023) for control and n+1 for data; the server uses port 21 for control and a random port p (> 1023) for data.
Control
• Client connects from a random port (n) to the server’s port 21
• Server starts listening on a random port (p)
Data
• Client connects from a random port (n+1) to the server’s random port (p)
BASIC WINDOWS
COMMUNICATION
Microsoft Windows Networking and WINS
Microsoft Windows Networking
• Can be transmitted over IP/NetBEUI/IPX
• Used e.g. during domain login, when browsing the Network Neighborhood, and when sharing files or printers
Windows Internet Name Service (WINS)
• Provides NetBIOS network clients with name-to-IP and IP-to-name translation
• Clients inform the WINS server of their names and IP addresses
• The WINS server stores all name-to-IP and IP-to-name information
• Clients can query this information from the server
Server Message Block (SMB)
Client/server protocol that provides file and print sharing between computers
• Used directly over TCP or over NETBIOS
Windows 2000 and later use SMB over TCP, which brings the following advantages
• Simplifies transport of SMB traffic, as no NETBIOS is needed
• Removes WINS and NETBIOS broadcasts as a means of name resolution
• Standardizes name resolution on DNS for file and printer sharing
• Uses port 445
Remote Procedure Call (RPC)
Allows a computer program running on one host to run code on another host without the programmer needing to explicitly code for this
• Not a protocol in itself but a paradigm for implementation
• Used by services like DNS (Domain Name System)
• RPC and DCOM (Distributed Component Object Model) use port 135
RPC over HTTP
• HTTP wrapper around the RPC traffic (in practice usually HTTPs, and thus port 443)
• Used between Outlook clients and Exchange servers (version 2003)
• Alternative to OWA (Outlook Web Access) or VPN
FIREWALLS
Firewall Basics
A firewall is a protective entry point that controls all incoming and outgoing network traffic
Firewalls are used to guard against unauthorized access to networks and/or hosts
• Protect hosts against vulnerabilities of the OS or applications
• Protect against insecure configurations of a host
• Enforce security policy
Firewall Basics
Firewalls are configured with a list of rules
• The rules are read from top to bottom and the first rule that matches is applied
• Often the last rule denies all traffic
The rules can be based on
• Source/destination IP address
• Source/destination protocol
• Source/destination port
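First-match rule evaluation as described above, in code. This is an added example, not part of the original slides; the rule list and the addresses in it (the LAN 192.168.100.0/24 and a DMZ web server at 194.197.29.10) are constructed to illustrate why rule order matters and why the final deny-all is the safety net.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "any"              # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"          # source network in slash notation (0.0.0.0/0 = any)
    dst: str = "0.0.0.0/0"          # destination network
    dport: Optional[int] = None     # destination port; None matches any port

    def matches(self, pkt: dict) -> bool:
        """True when every field of the rule matches the packet (src/dst by network membership)."""
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))

def evaluate(rules: list, pkt: dict) -> tuple:
    """Read rules top to bottom; the first match decides. No match at all means deny (default deny)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None

# Constructed policy: the LAN may reach web and SSH anywhere, anyone may reach the DMZ web server
RULES = [
    Rule("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", 23),          # plain-text telnet is never allowed
    Rule("allow", "tcp", "192.168.100.0/24", "0.0.0.0/0", 80),
    Rule("allow", "tcp", "192.168.100.0/24", "0.0.0.0/0", 22),
    Rule("allow", "tcp", "0.0.0.0/0", "194.197.29.10/32", 443),
    Rule("deny"),                                                # final catch-all: deny everything else
]
```

Because the first match wins, the same rules in a different order give a different policy; keeping the catch-all deny last is what makes the list safe.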
Testing Firewall Settings
Regular testing
• Very important to check the configurations
• Should be defined in Company Security Policy
There are many tools that can be used to test the configuration
• Cisco Secure Scanner
• ISS (Internet Security Scanner)
• nmap, nessus
Types of Firewalls:
Technology
Firewall technologies are often classified as
• Firewalls based on packet filtering
• Rules are based on IP address, protocol and port
• Firewalls based on circuit relay
• Rules are also based on time, user account and password
• Application level firewalls
• Act also as a proxy and inspect the content of the traffic
Static Packet Filter
Figure: the packet filter sits between two hosts. Each host has the full OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical); the filter itself implements only the Transport, Network, Data Link and Physical layers.
Acts on OSI layer 3 (network layer)
• Source and destination IP address/port
• Protocol, flags, sequence and acknowledge numbers
• ICMP code and type number
Multi Level Filtering
Figure: the filtering host sits between two hosts and implements the full OSI stack itself (Physical up to Application), with Telnet, FTP and HTTP handled at the application layer.
Inspects the traffic on all layers
• Application level restrictions are possible: only certain commands can be allowed
• Slower than packet filtering
Types of Firewalls:
Network Role
Firewalls can also be classified based on their role in the network topology
• Perimeter firewalls (or traditional firewalls)
• Mostly dedicated hosts at the border of the network
• Personal firewalls
• Run on an end user's host and are installed and configured by the end user
• Distributed firewalls
• Run on each host and are deployed and configured centrally
The Evolution of Firewalls
Figure: three locations where a firewall is needed: on the road, home office, corporate office.
Mobility Dilemma
Figure: a user on the road versus the corporate office.
What Doesn’t a Firewall Protect From?
Attacks that don’t go through the firewall
• Backdoors, (personal) modems and RAS (remote access server)
Content based attacks
• Macros etc.
• Some firewalls are able to filter out some content, such as ActiveX and Java
Insider attacks in your network
• Social engineering
No firewall can protect against inadequate or mismanaged policies
• A firewall, like all security software, is a tool, not a magic bullet
Summary
In this section
• TCP/IP
• Network structure
• Common Protocols
• Basic windows communications
• Firewalls