Networking Basics - Information Security Training (Copyright Justin C. Klein Keane)
Copyright Justin C. Klein Keane <[email protected]>
Building Blocks
Two computers want to communicate (actually, two programs running on those computers)
Each has hardware designed to pass a signal, for example by sending electrical pulses
There is a networking topology between them
The signal may travel over the air, across a wire, from one room to another, or across the planet
Security Implications
Throughout these slides we will observe that IP was designed for usability, not security
The architecture was developed when the internet was trusted
Notice how assumptions of trust introduce security issues almost every step of the way
OSI Model
Open Systems Interconnection (OSI) is an architectural abstraction
It demonstrates the challenges (and solutions) of complex networking
Understanding OSI helps conceptualize the process, and the problems that arise at each step
OSI Model
Physical layer (the signalling medium and hardware: cabling, hubs and repeaters, the electrical side of ethernet cards and modems)
Data link layer (framing and delivery on a single link: Ethernet, PPP, ISDN, etc.; MAC addresses live here)
Network layer (addressing and routing between networks: IP)
Transport layer (end-to-end delivery, flow control, error detection and retransmission: TCP/UDP; the TCP three way handshake belongs here, not at the session layer)
Session layer (controls the dialogue between applications: establishing, maintaining and tearing down a session)
Presentation layer (transforms data into stuff programs can use: serialize/unserialize objects, character encoding, encryption, etc.)
Application layer (the actual program, such as Firefox, that interacts with the user)
Communication
Communication between programs starts at the top of the stack on the sending machine and traverses down through the layers
It then starts at the bottom of the stack on the receiving machine and travels back up to the program
Layer 1 & 2
At the bottom of the model we have hardware
Players in the network at this layer use Media Access Control addresses (MAC addresses) to identify one another
Sample MAC: 00:50:56:C0:00:08
A MAC is supposed to be unique, but it is set by the driver and can be changed (spoofed) in software
Hardware vendors are assigned MAC prefixes (the first three octets, the OUI), so you can look at a MAC and deduce the vendor; 00:50:56 in the sample above is a VMware prefix
Switches, Routers and ARP
Switches operate at the bottom 2 layers: a switch learns which MAC addresses are reachable on which ports and forwards frames accordingly
Routers operate at layer 3 and forward packets between networks based on IP addresses
Address Resolution Protocol (ARP) maps a layer 3 address (IP) to a layer 2 address (MAC) on the local segment; the results are cached in ARP tables on hosts and routers
ARP requests and replies are not authenticated, so any host on the segment can answer for an IP address it does not own
IP Addressing
An IPv4 address is a 32 bit number
It is written as four 8 bit blocks (octets); 8 bits allows for numbers between 0 and 255
165.123.57.40 is a typical IPv4 address
IP Routing
A router reads the destination IP address of each packet and consults its routing table to choose the next hop; only then does it use ARP to find the MAC address of that next hop
Routing tables map destination prefixes (for example 192.168.0.0/24) to an outgoing interface and next hop, and the most specific (longest) matching prefix wins
In the simplest case the table is organized in an upstream/downstream fashion: addresses x-y are down (directly connected), everything else goes up via the default route
Switches (and Routers) vs. Hubs
On a shared medium every machine's traffic reaches every other machine: electrical signals cannot be directed
A hub just repeats each frame out of every port; it may be little more than an electrical repeater
A switch directs traffic: it learns which MAC address sits behind which port and forwards each frame only to that port; it has (sometimes complex) software and an OS, and a router adds layer 3 forwarding on top of that
If a switch's MAC table is exhausted or the device becomes unstable it may fail open into hub mode, flooding every frame to every port, where anyone on the segment can capture it
Gateway and Broadcast
If the routing table has no listing for a destination, the packet is sent to the default gateway address, which is the next upstream router
Broadcast is used to communicate with all machines on a subnet
This is why every machine's IP configuration includes an IP address, a default gateway, and a subnet mask
Subnet Mask
The subnet mask marks which bits of an address identify the network and which identify the host, and therefore which IP addresses are on the local subnet
It is used for routing (deliver locally or send to the gateway) and for resolution (ARP for the destination itself or for the gateway)
Example: 192.168.0.10 with subnet mask 255.255.255.0 is on the network 192.168.0.0/24 (CIDR notation: /24 is the number of network bits)
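The local-or-gateway decision described on the last two slides, as an added example that is not part of the original deck. The interface configurations and destination addresses are constructed for the demo; the bit arithmetic is cross-checked against the standard library's ipaddress module.

```python
# Added example (not code from the original slides): how a host uses its
# subnet mask and default gateway to decide where to send a packet.  The
# interface configurations and destinations used are constructed for the demo.
import ipaddress


def ip_to_int(dotted: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24.  A valid mask is a run of 1 bits followed by 0 bits."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def subnet_info(host: str, mask: str) -> dict:
    """Network address, broadcast address and CIDR form of an interface config."""
    h, m = ip_to_int(host), ip_to_int(mask)
    network = h & m                             # keep only the network bits
    broadcast = network | (~m & 0xFFFFFFFF)     # set every host bit
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "cidr": f"{int_to_ip(network)}/{mask_to_prefix(mask)}",
    }


def subnet_info_stdlib(host: str, mask: str) -> dict:
    """The same computation via the standard library, as a cross-check."""
    net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "cidr": str(net),
    }


def next_hop(host: str, mask: str, gateway: str, destination: str) -> str:
    """Address the host must resolve with ARP in order to deliver to `destination`.

    Same subnet (which includes the subnet broadcast address): deliver directly,
    so ARP for the destination itself.  Any other address: hand the packet to
    the default gateway, so ARP for the gateway instead.
    """
    h, m, d = ip_to_int(host), ip_to_int(mask), ip_to_int(destination)
    if (d & m) == (h & m):
        return destination
    return gateway


if __name__ == "__main__":
    cfg = ("192.168.0.10", "255.255.255.0", "192.168.0.1")   # constructed host config
    print(subnet_info(cfg[0], cfg[1]))
    for dst in ("192.168.0.42", "192.168.0.255", "165.123.57.40"):
        print(dst, "->", next_hop(*cfg, dst))
```

The comparison `(d & m) == (h & m)` is the whole decision: a wrong mask makes a host ARP for addresses it cannot reach, or send local traffic through the gateway, which is why a mask typo shows up as "some hosts unreachable" rather than a clean failure.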
Ports
Ports are 16 bit numbers, 0-65,535 (port 0 is reserved)
Ports are a transport layer (layer 4) concept: the machine receives a message, but which program should handle it?
Programs bind to ports to indicate what sorts of messages they handle; the transport layer uses the destination port to hand the data to the right program
IANA assigns the "well known ports" (0-1023) to standard services; on Unix-like systems binding to them normally requires root privileges
Reserved IP Addresses
Private ranges (RFC 1918), which should never be routed on the public internet:
10.0.0.0/8 (10.x.x.x)
172.16.0.0/12 (172.16.x.x - 172.31.x.x)
192.168.0.0/16 (192.168.x.x)
Loopback: 127.0.0.0/8 (127.0.0.1 is the machine itself)
Protocols
IP – Internet Protocol
UDP – User Datagram Protocol
TCP – Transmission Control Protocol
ICMP – Internet Control Message Protocol
ICMP
Not used to transfer application data
Carries error and control messages for IP: destination unreachable, time exceeded, redirect
Also used for diagnostics: ping (echo request/reply) and traceroute (time exceeded) are built on it
Mainly used by the networking code of operating systems and routers rather than by applications
One of the lesser known/utilized protocols
UDP
UDP is used to transport data when reliability is not required
A UDP header has only four fields: source port, destination port, length, checksum, followed by the data
The checksum also covers a "pseudo header" taken from the IP packet: source address, destination address, protocol (17), UDP length
UDP
Can you spot the security flaw in UDP? Hint - authentication
UDP
Does not confirm message delivery; messages are fire and forget
There is no sequencing, so the application itself must detect lost, duplicated or out of order datagrams
There is a checksum that is verified when datagrams arrive (a datagram with a bad checksum is silently dropped)
UDP is commonly used for DNS, VoIP, TFTP, streaming data, and games
TCP
TCP is much heavier weight than UDP
TCP ensures message delivery (lost segments are retransmitted) and in-order delivery
TCP segments have a much more complex structure
TCP Packet (Abbr.)
Source address, destination address (carried in the IP header)
Source port, destination port
Sequence number
Acknowledgment number
Flags (SYN, ACK, FIN, RST, ...)
Checksum
Data
TCP Setup
Three way handshake: Machine 1 sends SYN; Machine 2 replies SYN/ACK; Machine 1 sends ACK
This verifies that both machines are reachable at the IP they advertise, because each side must acknowledge a sequence number it could only have seen if the other side's segment actually arrived at that address
TCP Seq and Ack
Each side chooses an Initial Sequence Number (ISN), which should be random, and sends it in its SYN
The sequence number then counts bytes: after each chunk of data is sent it advances by the number of bytes sent
The receiver sends back a packet acknowledging the next sequence number it expects
This prevents data from being lost, since the sender can confirm receipt of everything it sent and retransmit whatever was not acknowledged
If the ISN is predictable, an attacker who cannot see the SYN/ACK can still forge the final ACK and complete a handshake from a spoofed address
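The handshake and sequence-number checks from the last two slides, as an added example that is not part of the original deck. It simulates both endpoints in memory (no real sockets); the addresses, the ISN generators and the "network" that delivers segments are all constructed for the demo.

```python
# Added example (not code from the original slides): a simulation of the TCP
# three-way handshake showing why the Initial Sequence Number must be random.
# Addresses, ISN generators and the in-memory "network" are constructed for
# the demo; no real packets are sent.
import secrets
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF              # sequence numbers are 32 bits and wrap
SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: int = 0


def make_counter(start: int, step: int):
    """Predictable ISN generator: a counter, as early TCP stacks used."""
    state = {"next": start}

    def isn() -> int:
        value = state["next"]
        state["next"] = (value + step) & MASK32
        return value
    return isn


def random_isn() -> int:
    """Unpredictable ISN drawn from the full 32-bit space."""
    return secrets.randbelow(2 ** 32)


class Server:
    """Listening endpoint.  A connection is established only when the final ACK
    acknowledges exactly server_isn + 1, which proves the peer saw the SYN/ACK."""

    def __init__(self, addr: str, isn_source):
        self.addr = addr
        self.isn_source = isn_source
        self.half_open = {}          # peer address -> (server_isn, client_isn)
        self.established = set()

    def receive(self, seg: Segment):
        if seg.dst != self.addr:
            return None
        if seg.flags == SYN:
            isn = self.isn_source()
            self.half_open[seg.src] = (isn, seg.seq)
            return Segment(self.addr, seg.src, SYN_ACK, seq=isn, ack=(seg.seq + 1) & MASK32)
        if seg.flags == ACK and seg.src in self.half_open:
            isn, client_isn = self.half_open.pop(seg.src)
            if seg.ack == (isn + 1) & MASK32 and seg.seq == (client_isn + 1) & MASK32:
                self.established.add(seg.src)
        return None


def honest_handshake(server: Server, client_addr: str):
    """Client at its real address: the SYN/ACK reaches it, so it can ACK correctly.
    Returns (established, server_isn_seen)."""
    client_isn = random_isn()
    synack = server.receive(Segment(client_addr, server.addr, SYN, seq=client_isn))
    # The client only trusts a SYN/ACK that acknowledges its own ISN + 1.
    if synack is None or synack.flags != SYN_ACK or synack.ack != (client_isn + 1) & MASK32:
        return False, None
    server.receive(Segment(client_addr, server.addr, ACK,
                           seq=(client_isn + 1) & MASK32, ack=(synack.seq + 1) & MASK32))
    return client_addr in server.established, synack.seq


def blind_spoof(server: Server, attacker_addr: str, victim_addr: str) -> bool:
    """Attacker sends a SYN with the victim's source address.  The SYN/ACK goes to
    the victim (assumed silent here, so it sends no RST) and the attacker never
    sees the server's ISN; it predicts it from two handshakes of its own."""
    _, isn_a = honest_handshake(server, attacker_addr)
    _, isn_b = honest_handshake(server, attacker_addr)
    step = (isn_b - isn_a) & MASK32
    guess = (isn_b + step) & MASK32
    fake_isn = random_isn()
    synack_to_victim = server.receive(Segment(victim_addr, server.addr, SYN, seq=fake_isn))
    del synack_to_victim          # delivered to the victim, never seen by the attacker
    server.receive(Segment(victim_addr, server.addr, ACK,
                           seq=(fake_isn + 1) & MASK32, ack=(guess + 1) & MASK32))
    return victim_addr in server.established


if __name__ == "__main__":
    weak = Server("10.0.0.1", make_counter(1000, 64000))
    strong = Server("10.0.0.1", random_isn)
    print("spoof vs counter ISN:", blind_spoof(weak, "10.0.0.66", "10.0.0.7"))
    print("spoof vs random ISN: ", blind_spoof(strong, "10.0.0.66", "10.0.0.7"))
```

With the counter the forged ACK carries the right acknowledgment number and the server marks the victim's address as connected; with random ISNs the guess is wrong with probability 1 - 2^-32. The handshake only "verifies the IP" to the extent that the ISN cannot be guessed.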
Network Address Translation
A word about NAT
NAT works by rewriting packet headers
By manipulating header information (IP addresses and, for port address translation, port numbers) the NAT device maps many internal addresses onto one or a few public addresses
The source IP is changed on the way out and the destination IP is changed back on the way in, using a table of active translations
NAT allows the use of reserved (private) IP addresses behind a single public address; it hides internal hosts, but it is not a substitute for a firewall
Demonstrative Protocols
Dynamic Host Configuration Protocol – DHCP
Domain Name System – DNS
Simple Mail Transfer Protocol – SMTP
Hypertext Transfer Protocol – HTTP
DHCP
DHCP allows new machines to come on to the network and "discover" their configuration
The machine comes online with no IP address, so it broadcasts a DHCPDISCOVER carrying its MAC address from UDP port 68 to UDP port 67 at the universal broadcast address (255.255.255.255)
The switch learns the client's MAC address on that port
A DHCP server responds with a DHCPOFFER to UDP port 68, broadcast (or sent to the client's MAC directly) because the client does not yet have an IP address
DHCP (cont.)
The client accepts an offer with a broadcast DHCPREQUEST and, after the server's DHCPACK, configures its IP address, gateway, subnet mask/broadcast (and often DNS servers) from the DHCP server
A client can receive multiple offers; its DHCPREQUEST names the server it chose, so the other servers know their offers were turned down
The DHCP server keeps a table of leases to MAC addresses
Once the client has an IP it is up and running; the ARP tables of the router and its neighbours fill in as the client starts sending traffic
Problems with DHCP
Can anyone spot the biggest problem with DHCP?
DNS
DNS makes the internet work
DNS translates domain names (upenn.edu) to IP addresses (192.168.1.1 in this illustration)
Clients query DNS servers on UDP port 53 (TCP port 53 is used as well, for large answers and zone transfers)
nslookup (or dig) is the standard command to query DNS
DNS Architecture
DNS servers are organized in a tree, from the root servers down through the top level domains (edu) to individual zones (upenn.edu)
Authoritative servers assert authority for a zone and answer only for it
A recursive resolver answers queries for which it is not authoritative by walking the tree from the root (or forwarding upstream), and caches the results it gets back
DNS Issues
Can anyone spot the security & privacy issues behind DNS?
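To make the question on this slide concrete, here is an added example that is not part of the original deck: a minimal builder and parser for the DNS wire format (RFC 1035) over UDP port 53. Every message is constructed inline, so it runs offline; the 192.168.1.1 answer is the deck's own illustration, not a real record.

```python
# Added example (not code from the original slides): a minimal DNS message
# builder and parser (RFC 1035 wire format).  It shows exactly what a stub
# resolver receives and how little it can check before trusting an answer.
# All messages are constructed inline; nothing is sent on the network.
import struct


def encode_name(name: str) -> bytes:
    """upenn.edu -> b'\\x05upenn\\x03edu\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if end is None:
                end = offset + 2                        # resume after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard query with recursion desired; qtype 1 = A record, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Answer a single A query; the answer name is a pointer to offset 12 (the question)."""
    txid, = struct.unpack_from("!H", query, 0)
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_message(msg: bytes) -> dict:
    """Parse header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


def accepts(query: bytes, response: bytes) -> bool:
    """Everything a plain stub resolver checks before trusting an answer: the
    16-bit transaction ID and the echoed question.  Nothing is signed."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and q["txid"] == r["txid"] and q["questions"] == r["questions"]


if __name__ == "__main__":
    q = build_query(0x1234, "upenn.edu")
    r = build_response(q, "192.168.1.1")      # constructed answer, not a real record
    print(parse_message(r))
    print("accepted:", accepts(q, r))
```

Note what `accepts` does not look at: who sent the datagram. Apart from the UDP source port, the 16-bit transaction ID is the only thing tying a reply to a query, and the whole exchange, names included, travels in the clear.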
SMTP
Simple Mail Transfer Protocol
Operates on TCP port 25
Servers listen for messages, queue locally delivered messages, and forward messages for remote domains
Initially no authentication or verification: anyone who can connect can claim any sender address
Early servers supported the VRFY and EXPN commands, which let a client query the server for valid local e-mail addresses and mailing list membership
SMTP has NUMEROUS problems
How do you accept mail you want and reject mail you don't?
SPAM has become a serious issue
Message delivery isn't confirmed
There is no actual authentication of message source
HTTP
HTTP is a plain text protocol that operates on TCP port 80 (HTTPS wraps the same protocol in TLS on port 443)
Designed as a client/server model for document delivery
Clients send requests such as GET and POST; the server replies with a status code and a document
Although we're used to web browsers, HTTP can be accessed via command line tools (telnet, nc, curl) or text based browsers
Protocol tools
Most protocol tools are based on libpcap and put the interface into promiscuous mode, so it accepts frames addressed to other MACs
Tools include:
Snort – network based IDS
tcpdump – command line capture and analysis tool
Wireshark – GUI packet capture utility
tcpdump in Action
Wireshark
Usefulness
Troubleshooting networking issues
Checking firewall effectiveness
Troubleshooting application issues
Monitoring connections
Intrusion detection
Problems & Challenges
Given the OSI model can anyone spot potential issues with logging?
If you were to implement a monitoring system, what layer would you put it at?