Copyright Justin C. Klein Keane Networking Basics Information Security Training.


Copyright Justin C. Klein Keane <[email protected]>

Networking Basics

Information Security Training


Building Blocks

Two computers want to communicate (actually, two programs)

Each has hardware designed to pass a signal (send electrical pulses)

Networking topology between them: the signal may travel over the air, across a wire, from one room to another or across the planet


Security Implications

Throughout these slides we will observe that IP was designed for usability, not security

The architecture was developed when the internet was trusted

Notice how assumptions of trust introduce security issues almost every step of the way


OSI Model

Open Systems Interconnection (OSI) is an architectural abstraction

Demonstrates the challenges (and solutions) to complex networking

Understanding OSI helps conceptualize the process, and its problems


OSI Model

Physical layer (networking hardware: ethernet cards, modems, routers, etc.)

Data link layer (transport specifics: PTP, Ethernet, ISDN, etc.)

Network layer (addressing and routing)

Transport layer (flow control, error correction, TCP/UDP)

Session layer (controls dialogue, three way handshake, auth, etc.)

Presentation layer (transform data into stuff programs can use – serialize/unserialize objects, encryption, etc.)

Application layer (the actual program, such as Firefox, that interacts with the user)


Communication

Communication between programs starts at the top of the layers and traverses down

Then starts at the bottom and travels back up


Layer 1 & 2

At the bottom of the model we have hardware

Players in the network at this layer use Machine Address Control numbers (MAC address) to identify one another

Sample MAC - 00:50:56:C0:00:08

MAC is supposed to be unique

Vendor of hardware is assigned certain MAC ranges, so you can look at a MAC and deduce the hardware vendor


Routers and ARP

Routers can operate at the bottom 2 layers

Router can listen for MAC addresses on ports and route traffic

Address Resolution Protocol (ARP) stored in ARP tables in routers

ARP translates layer 2 to layer 4


IP Addressing

IPv4 composed of a 32 bit number

Composed of four 8 bit blocks

8 bits allows for numbers between 0 and 255

165.123.57.40 is a typical IPv4 address


IP Routing

Once a router has translated a MAC address into an IP address it consults routing tables

Tables are organized only in upstream/downstream fashion

For example, numbers x-y are down, all others are up


Routers vs. Hubs

Machines send out network traffic as a broadcast

Electrical signals cannot be directed

Routers responsible for directing traffic

Hubs just relay traffic

Hubs may just be mechanical while routers have (sometimes complex) software and OS

If a router becomes unstable it may fail to hub mode


Gateway and Broadcast

If there is no listing for a destination it is sent to the gateway address, which is the next upstream router

Broadcast is used to communicate to all machines on a subnet

This is why all machine IP configurations include an IP address, a gateway, and a subnet mask


Subnet Mask

Subnet mask indicates all the IP addresses on the subnet

Used for routing and resolution

192.168.0.10 with subnet 255.255.255.0

CIDR Notation 192.168.0.0/24


Ports

Ports are numbered 1-65,535

Ports are used to translate between layer 4 and 5

Machine receives a message, but what program should handle it?

Programs bind to ports to indicate what sorts of messages they handle

IANA sets “well known ports”


Reserved IP Addresses

192.168.x.x

10.x.x.x

172.16.x.x – 172.31.x.x

127.0.0.1
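Worked example, added here and not part of the slides: the mask and CIDR arithmetic from the Subnet Mask slide, the same-subnet-or-gateway decision from the Gateway and Broadcast slide, and a check against the reserved ranges listed above, in Python. The prefix lengths for the reserved ranges (/8, /12, /16 and /8 for loopback) are assumed from the standard definitions, not stated on the slide.

```python
import socket
import struct

# Reserved ranges from the slide, as (network, prefix length); prefix lengths assumed
RESERVED = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16), ("127.0.0.0", 8)]


def ip_to_int(ip: str) -> int:
    """Dotted quad -> the 32-bit number a router actually compares."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24; rejects a mask that is not a run of ones then zeros."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def subnet_info(ip: str, mask: str) -> dict:
    """Network, broadcast, CIDR form and usable host count for ip/mask."""
    m = ip_to_int(mask)
    prefix = mask_to_prefix(mask)
    network = ip_to_int(ip) & m              # host bits cleared
    broadcast = network | (~m & 0xFFFFFFFF)  # host bits all set
    return {"cidr": f"{int_to_ip(network)}/{prefix}",
            "network": int_to_ip(network),
            "broadcast": int_to_ip(broadcast),
            "hosts": max(0, (1 << (32 - prefix)) - 2)}  # minus network and broadcast


def next_hop(src_ip: str, mask: str, gateway: str, dst_ip: str) -> str:
    """A host's forwarding decision: same subnet -> deliver directly, else -> gateway."""
    m = ip_to_int(mask)
    if (ip_to_int(src_ip) & m) == (ip_to_int(dst_ip) & m):
        return "direct"
    return gateway


def is_reserved(ip: str) -> bool:
    """True if ip falls inside one of the reserved ranges listed on the slide."""
    n = ip_to_int(ip)
    return any(n >> (32 - p) == ip_to_int(net) >> (32 - p) for net, p in RESERVED)
```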


Protocols

IP – Internet Protocol

UDP – Universal Datagram Protocol

TCP – Transport Control Protocol

ICMP – Internet Control Message Protocol


ICMP

Not used to transfer data

Employed to query and broadcast availability of services or devices

Also used for diagnostics

Mainly used in networking operating systems

One of the lesser known/utilized protocols


UDP

UDP is used to transport data when reliability is not required

UDP messages specify:

Source address, destination address, protocol, UDP length

Source port, destination port, length, checksum

Data


UDP

Can you spot the security flaw in UDP? Hint - authentication


UDP

Does not confirm message delivery, messages are fire and forget

Out of order messages are discarded

There is a checksum that is referenced when datagrams arrive

UDP is commonly used for DNS, VOIP, TFTP, streaming data, and games
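Worked example, added here and not part of the slides: building and parsing a UDP datagram with the fields listed on the UDP slide, including the pseudo-header checksum a receiver recomputes when the datagram arrives. The addresses, ports and payload are constructed sample values; the code shows that the checksum catches corruption, while nothing in the header tells the receiver who really sent the datagram.

```python
import socket
import struct

UDP_PROTO = 17  # protocol number carried in the IPv4 pseudo-header


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """Source address, destination address, zero, protocol, UDP length (taken from IP)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTO, udp_length))


def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Source port, destination port, length, checksum, then data (RFC 768)."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)  # checksum field zeroed
    csum = 0xFFFF - ones_complement_sum(
        pseudo_header(src_ip, dst_ip, length) + header + payload)
    csum = csum or 0xFFFF  # a computed zero is transmitted as all ones
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def parse_udp(src_ip, dst_ip, datagram: bytes) -> dict:
    """Split a received datagram into its fields and check it the way a host does.

    checksum_ok is True/False, or None when the sender put 0 (checksum is optional
    in IPv4). Note what is not checked: nothing in the header proves who sent it;
    src_ip is simply whatever the sender wrote into the IP header.
    """
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if csum == 0:
        ok = None
    else:  # sum over pseudo-header + whole datagram, checksum included, must be all ones
        ok = ones_complement_sum(
            pseudo_header(src_ip, dst_ip, length) + datagram[:length]) == 0xFFFF
    return {"sport": sport, "dport": dport, "length": length,
            "checksum_ok": ok, "data": datagram[8:length]}
```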


TCP

TCP is much heavier weight than UDP

TCP ensures message delivery

TCP packets have a much more complex structure


TCP Packet (Abbr.)

Source address, destination address

Source port, destination port

Sequence number

Acknowledgment number

Flags

Checksum

Data


TCP Setup

Three way handshake

Machine 1 (SYN)

Machine 2 (SYN/ACK)

Machine 1 (ACK)

This verifies that both machines are at the IP they advertise


TCP Seq and Ack

Initial Sequence Number (ISN) chosen randomly and sent to receiver

After each chunk of data is sent, the ISN increments

Receiver sends back a packet acknowledging the receipt of the sequence number

This prevents data from being lost since sender can confirm receipt of all data sent
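Worked example, added here and not part of the slides: a toy simulation in Python of the three way handshake and the sequence/acknowledgment tracking described on the last two slides. The Segment and Endpoint classes and the addresses are constructed for this example; unlike real TCP, this toy accepts only an acknowledgment equal to exactly what it has sent so far, which is enough to show why an unexpected acknowledgment number is dropped.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    seq: int
    ack: int = 0
    data: bytes = b""


class Endpoint:
    def __init__(self, ip: str, listen: bool = False):
        self.ip = ip
        self.isn = secrets.randbelow(1 << 32)  # random ISN, as the slide describes
        self.snd_next = self.isn               # next sequence number we will send
        self.rcv_next = None                   # next sequence number we expect from the peer
        self.state = "LISTEN" if listen else "CLOSED"

    def _send(self, dst, flags, data=b"", consumed=0):
        seg = Segment(self.ip, dst, frozenset(flags), self.snd_next, self.rcv_next or 0, data)
        self.snd_next = (self.snd_next + consumed) & 0xFFFFFFFF  # sequence space wraps at 32 bits
        return seg

    def connect(self, peer_ip: str) -> Segment:
        self.state = "SYN_SENT"
        return self._send(peer_ip, {"SYN"}, consumed=1)  # a SYN occupies one sequence number

    def send_data(self, peer_ip: str, data: bytes) -> Segment:
        return self._send(peer_ip, {"ACK"}, data, consumed=len(data))

    def receive(self, seg: Segment):  # returns the reply segment, or None (dropped / nothing to say)
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            self.rcv_next = (seg.seq + 1) & 0xFFFFFFFF
            self.state = "SYN_RCVD"
            return self._send(seg.src, {"SYN", "ACK"}, consumed=1)
        if "ACK" in seg.flags and seg.ack != self.snd_next:
            return None  # acknowledges a number we never sent (guessed or stale): drop it
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            self.rcv_next = (seg.seq + 1) & 0xFFFFFFFF
            self.state = "ESTABLISHED"
            return self._send(seg.src, {"ACK"})
        if self.state == "SYN_RCVD" and seg.flags == {"ACK"}:
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED" and seg.data and seg.seq == self.rcv_next:
            self.rcv_next = (self.rcv_next + len(seg.data)) & 0xFFFFFFFF  # ack covers every byte
            return self._send(seg.src, {"ACK"})
```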


Network Address Translation

A word about NAT

NAT works by mangling packet headers

By manipulating header information (such as port numbers) the NAT device does IP to IP translation

IP is changed on the way out, then again on the way back in

NAT allows the use of reserved IP addresses


Demonstrative Protocols

Dynamic Host Control Protocol – DHCP

Domain Name System – DNS

Simple Mail Transport Protocol – SMTP

Hyper Text Transport Protocol - HTTP


DHCP

DHCP allows new machines to come on to the network and “discover” topology

Machine comes online, advertises its MAC and sends a packet to UDP port 67 to the universal broadcast (255.255.255.255)

Router registers MAC address at port

DHCP server responds with a packet sent to UDP port 68 on broadcast


DHCP cont

Client accepts offer and configures IP address, gateway, broadcast (and often DNS) from DHCP server

Client can receive multiple offers and is supposed to respond to offers turned down

DHCP server keeps a table of offers to MAC addresses

Once client has an IP router adds it to the ARP table and client is up and running


Problems with DHCP

Can anyone spot the biggest problem with DHCP?


DNS

DNS makes the internet work

DNS translates domain names (upenn.edu) to IP addresses (192.168.1.1)

Clients query DNS servers on UDP port 53 (can use TCP as well)

Nslookup is the standard command to query DNS


DNS Architecture

DNS servers are organized in a tree

Servers assert authority for a domain and send queries for which they are not authoritative upstream


DNS Issues

Can anyone spot the security & privacy issues behind DNS?


SMTP

Simple mail transport protocol

Operates on TCP port 25

Servers listen for messages, and queue locally delivered messages or forward on remote messages

Initially no authentication or verification

Early programs had support to query servers for all local e-mail addresses


SMTP has NUMEROUS problems

How do you accept mail you want and reject mail you don't?

SPAM has become a serious issue

Message delivery isn't confirmed

There is no actual authentication of message source


HTTP

HTTP is a plain text protocol that operates on port 80

Designed as a client/server model for document delivery

GET and POST requests

Although we're used to web browsers, HTTP can be accessed via command line tools or text based browsers.


Protocol tools

Most protocol tools are based on libpcap and promiscuous mode

Tools include:

Snort – network based IDS

Tcpdump – command line analysis tool

Wireshark – GUI packet capture utility


tcpdump in Action


Wireshark


Usefulness

Troubleshooting networking issues

Checking firewall effectiveness

Troubleshooting application issues

Monitoring connections

Intrusion detection


Problems & Challenges

Given the OSI model can anyone spot potential issues with logging?

If you were to implement a monitoring system, what layer would you put it at?