MANAGING TCP/IP NETWORKS: TECHNIQUES, TOOLS, AND SECURITY CONSIDERATIONS

Gilbert Held
4 Degree Consulting
Macon, Georgia, USA

JOHN WILEY & SONS, LTD
Chichester • New York • Weinheim • Brisbane • Singapore • Toronto



CONTENTS

Preface xv

Acknowledgments xvii

1 Introduction 1
1.1 Rationale for network management 1
1.1.1 Cost of service interruptions 2
1.1.2 Size and complexity of networks 2
1.1.3 Performance monitoring 2
1.1.4 Coping with equipment sophistication 3
1.2 The network management process 3
1.2.1 The OSI framework for network management 4
   Configuration/change management 4
   Fault/problem management 5
   Performance/growth management 6
   Security/access management 7
   Accounting/cost management 7
1.2.2 Other network management functions 8
   Asset management 8
   Planning/support management 9
1.3 Tools and systems 9
1.3.1 Monitoring tools 10
1.3.2 Diagnostic tools 10
1.3.3 Computer-based management systems 10
1.4 Book preview 11
1.4.1 The TCP/IP protocol suite 11
1.4.2 The Internet Protocol 12
1.4.3 The transport protocols 12
1.4.4 DNS operations 12
1.4.5 Layer 2 management 12
1.4.6 Layer 3 and layer 4 management 13
1.4.7 SNMP and RMON 13
1.4.8 Management by utility program 13
1.4.9 Security management 13


2 The TCP/IP Protocol Suite 15
2.1 Evolution 15
2.2 Governing bodies 16
2.2.1 The IAB 16
2.2.2 The IANA 16
2.2.3 The IETF 17
2.2.4 RFCs 17
2.3 The ISO Reference Model 18
2.3.1 Layers of the OSI Reference Model 19
   Layer 1: The physical layer 19
   Layer 2: The data link layer 19
   Layer 3: The network layer 20
   Layer 4: The transport layer 20
   Layer 5: The session layer 21
   Layer 6: The presentation layer 21
   Layer 7: The application layer 21
2.3.2 Data flow 22
2.3.3 Layer subdivision 22
   Addressing 22
   Universally vs. locally administered addresses 24
2.4 The TCP/IP protocol suite 24
2.4.1 Comparison with the ISO Reference Model 25
   The network layer 25
   ICMP 26
   The transport layer 26
   TCP 26
   UDP 26
   Port numbers 26
2.4.2 Application data delivery 27

3 The Internet Protocol 29
3.1 The IPv4 header 29
3.1.1 Vers field 30
3.1.2 Hlen and Total Length fields 30
3.1.3 Type of Service field 30
3.1.4 Identification field 31
3.1.5 Flags field 32
3.1.6 Fragment Offset field 32
3.1.7 Time-to-Live field 33
3.1.8 Protocol field 33
3.1.9 Checksum field 33
3.1.10 Source and Destination Address fields 33
3.1.11 Options and Padding fields 36
3.2 IP addressing 36
3.2.1 Overview 37
3.2.2 IPv4 38


   The basic addressing scheme 39
   Address classes 40
   Address formats 40
   Address composition and notation 41
   Special IP addresses 42
   Class A 42
   Class B 43
   Class C 43
   Class D 44
   Class E 44
   Reserved addresses 45
   Subnetting and the subnet mask 46
   Host addresses on subnets 48
   The subnet mask 49
   Configuration examples 50
   Classless networking 52
3.3 The IPv6 header 53
3.3.1 Ver field 55
3.3.2 Priority field 56
3.3.3 Flow Label field 57
3.3.4 Payload Length field 57
3.3.5 Next Header field 57
3.3.6 Hop Limit field 57
3.3.7 Source and Destination Address fields 58
3.3.8 Address types 58
3.3.9 Address notation 58
3.3.10 Address allocation 59
   Provider-Based Unicast addresses 60
   Multicast address 61
3.3.11 Transporting IPv4 addresses 61
3.4 ICMP and ARP 62
3.4.1 ICMP 62
   ICMPv4 62
   Type field 62
   Code field 63
   ICMPv6 64
   Type field 64
   Code field 64
3.4.2 ARP 64
   Need for address resolution 67
   Operation 67
   Hardware Type field 68
   Protocol Type field 68
   Hardware Length field 68
   Protocol Length field 68
   Operation field 69
   Sender Hardware Address field 69
   Sender IP Address field 69


   Target Hardware Address field 70
   Target IP Address field 70
   ARP notes 70

4 The Transport Layer 73
4.1 TCP 73
4.1.1 The TCP header 74
   Source and Destination Port fields 74
   Port numbers 75
   Well-known ports 75
   Registered port numbers 76
   Dynamic port numbers 76
   Sequence Number field 76
   Acknowledgment Number field 78
   Hlen field 78
   Reserved field 78
   Code Bit fields 78
   URG bit 79
   ACK bit 79
   PSH bit 79
   RST bit 79
   SYN bit 79
   FIN bit 79
   Window field 79
   Checksum field 80
   Urgent Pointer field 80
   Options field 80
   Padding field 81
4.1.2 Operation 81
   Connection types 82
   The three-way handshake 82
   Segment size support 83
   The Window field and flow control 84
   Timers 85
   Delayed ACK 85
   FIN-WAIT-2 timer 85
   Persist 86
   Keep Alive 86
   Slow start and congestion avoidance 86
4.2 UDP 87
4.2.1 The UDP header 87
   Source and Destination Port fields 88
   Length field 88
   Checksum field 88
4.2.2 Operation 88

5 The Domain Name System 89
5.1 Evolution 89


5.1.1 The HOSTS.TXT file 89
5.2 DNS overview 90
5.2.1 The domain structure 91
5.2.2 DNS components 92
   Resource records 92
   Name servers 93
   Resolvers 93
   The resolution process 93
5.3 The DNS database 95
5.3.1 Overview 95
5.3.2 Resource records 96
5.3.3 Using a sample network 98
5.3.4 DNS software configuration 98
   The BOOT file 98
5.3.5 Using resource records 100
   SOA record 101
   NS records 101
   MX records 101
   A records 102
   CNAME records 102
   PTR records 102
   Loopback files 103
   All-zero/all-ones files 103
   For further resolution 104
5.3.6 Accessing a DNS database 105
   nslookup 105
   The Whois command 112

6 Layer 2 Management 113
6.1 Ethernet frame operations 113
6.1.1 Ethernet frame composition 114
   Preamble field 115
   Start-of-Frame Delimiter field 115
   Destination Address field 115
   I/G subfield 116
   U/L subfield 117
   Universal versus locally administered addressing 117
   Source Address field 118
   Type field 120
   Length field 121
   Data field 122
   Frame Check Sequence field 123
6.2 Ethernet media access control 124
6.2.1 Functions 125
6.2.2 Transmit media access management 126
6.2.3 Collision detection 128
   Jam pattern 128
   Wait time 128


   Late collisions 130
6.3 Ethernet Logical Link Control 130
6.3.1 The LLC protocol data unit 130
6.3.2 Types and classes of service 132
   Type 1 132
   Type 2 133
   Type 3 133
   Classes of service 133
6.4 Other Ethernet frame types 133
6.4.1 Ethernet_SNAP frame 133
6.4.2 NetWare Ethernet_802.3 frame 134
6.4.3 Receiver frame determination 135
6.5 Fast Ethernet 135
6.5.1 Start-of-Stream Delimiter 136
6.5.2 End-of-Stream Delimiter 136
6.6 Gigabit Ethernet 136
6.6.1 Carrier extension 137
6.6.2 Packet bursting 139
6.7 Token-Ring frame operations 139
6.7.1 Transmission formats 140
   Starting/ending delimiters 141
   Differential Manchester encoding 141
   Non-data symbols 142
   Access control field 143
   The monitor bit 146
   The active monitor 146
   Frame Control field 147
   Destination Address field 147
   Universally administered address 148
   Locally administered address 148
   Functional address indicator 148
   Address values 148
   Source Address field 149
   Routing Information field 151
   Information field 152
   Frame Check Sequence field 152
   Frame Status field 152
6.8 Token-Ring Medium Access Control 154
6.8.1 Vectors and subvectors 155
6.8.2 MAC control 156
   Purge frame 157
   Beacon frame 157
   Duplicate Address Test frame 158
6.8.3 Station insertion 158
6.9 Token-Ring Logical Link Control 159
6.9.1 Service Access Points 159
   DSAP 160
   SSAP 160


6.9.2 Types and classes of service 161
6.10 Summary 161

7 Layer 3 and Layer 4 Management 163
7.1 Using WebXRay 163
7.1.1 Overview 164
7.1.2 Operation 164
   Autodiscovery 165
   Service selection 167
   Topology discovery 167
   Hosts information 168
   Services information 169
   Traffic measuring 169
   Server Host Table 170
   Server-Client Matrix Table 171
   IP Host Table 171
   IP Matrix Table 171
   Protocol distribution 173
   Filtering and packet decoding 174
7.2 Using EtherPeek 176
7.2.1 Operation 176
   Packet capture 176
   Filtering 177
   Selective packet capture 179
   Packet decoding 179
7.2.2 Network statistics 182

8 SNMP and RMON 185
8.1 SNMP and RMON overview 185
8.1.1 Basic architecture 186
   Manager 186
   Agents 187
   Management Information Base 188
8.1.2 RMON 188
   Probes and agents 188
   MIBs 188
   Operation 189
   Evolution 190
8.2 The SNMP protocol 191
8.2.1 Basic SNMP commands 191
   GetRequest 192
   GetNextRequest 192
   SetRequest 193
   GetResponse 193
   Trap 194
8.2.2 SNMP version 2 194
   New features 195
   GetBulkRequest 196


   InformRequest 196
8.2.3 SNMPv3 197
   Architecture 198
   SNMP engine modules 199
   Application modules 199
   Operation 200
8.3 Understanding the MIB 200
8.3.1 The object identifier 201
8.3.2 Structure and identification of management information 202
8.3.3 Network management subtrees 203
   The mgmt subtree 203
   The experimental subtree 203
   The private subtree 204
   Program utilization example 204
8.3.4 MIB II objects 207
   The System Group 208
   The Interfaces Group 210
   The Address Translation Group 213
   The Internet Protocol Group 214
   The Internet Control Message Protocol Group 214
   The Transmission Group 216
   The Transmission Control Protocol Group 217
   The User Datagram Protocol Group 218
   The Exterior Gateway Protocol Group 218
   The SNMP Group 218
   Authentication traps 218
   Incoming traffic counts 219
   Outgoing traffic counts 220

9 Management by Utility Program 225
9.1 Network utility programs 225
9.1.1 Ping 225
   Overview 226
   Operation 227
   Utilization 228
   Operational example 228
9.1.2 Traceroute 229
   Overview 229
   Operation 230
   Utilization 231
   Operational example 231
9.1.3 Nbtstat 232
   Operation 233
9.1.4 Netstat 234
   Operation 235
9.2 Monitoring server performance 236
9.2.1 Using Windows NT/2000 Performance Monitor 236
   Overview 236


   Utilization 237
   Observing processor performance 240
9.2.2 Working with alerts 241

10 Security 245
10.1 Router security 246
10.1.1 Need for access security 246
10.1.2 Router access 247
10.1.3 Telnet access 247
10.1.4 TFTP access 249
10.1.5 Securing console and virtual terminals 250
10.1.6 File transfer 251
10.1.7 Internal router security 251
10.1.8 Additional protective measures 252
10.2 Router access-lists 253
10.2.1 Overview 254
10.2.2 TCP/IP protocol suite review 254
10.2.3 Using access-lists 256
   Configuration principles 256
   Standard access-lists 257
   Extended access-lists 260
   Limitations 262
10.3 Using firewall proxy services 263
10.3.1 Access-list limitations 263
10.3.2 Proxy services 264
10.3.3 ICMP proxy services 266
10.3.4 Limitations 268
10.3.5 Operational example 268
   Using classes 268
   Alert generation 269
   Packet filtering 270
   The gap to consider 272
10.4 Network address translation 272
10.4.1 Types of address translations 274
   Static NAT 274
   Pooled NAT 274
   Port Address Translation 274

Appendix A The SNMP Management Information Base (MIB-II) 275

Appendix B Demonstration Software 325

Index 327