NETWORK FUNDAMENTALS

Upload: betty-perry

Post on 27-Dec-2015



Agenda

In this section

• TCP/IP

• Network structure

• Common Protocols

• Basic windows communications

• Firewalls


TCP/IP


What is TCP/IP

Transmission Control Protocol / Internet Protocol

• Created by Advanced Research Projects Agency (ARPA)

• Used in first computer network, the Arpanet

• Later used to construct the global internet

• TCP/IP name is taken from the two fundamental protocols TCP and IP


TCP/IP Protocol Stack

• 7. Application, 6. Presentation, 5. Session: Application Level Protocols (FTP, DNS, HTTP, SMTP, Telnet)

• 4. Transport: TCP, UDP

• 3. Network: IP Level Protocols (IP, ICMP, IGMP)

• 2. Data Link: IP over Ethernet, IP over Serial Line

• 1. Physical/HW: Ethernet Adapter, Analog Modem


Internet Protocols: TCP & UDP

TCP (Transmission Control Protocol) is a connection-oriented transport protocol

• It is reliable, ordered, but fairly heavy

• Used by Telnet, FTP, SSH, HTTP etc.

UDP (User Datagram Protocol) is a connectionless transport protocol

• UDP is much lighter than TCP, but it is unreliable and not ordered

• Used by TFTP, DNS etc.


Internet Protocols: ICMP, AH & ESP

ICMP (Internet Control Message Protocol) is used for diagnostic and management purposes

• It is IP's internal network management protocol and is not intended for use by applications

• Two well known exceptions are the ping and traceroute diagnostic utilities

ESP (Encapsulating Security Payload) and AH (Authentication Header) protocols are used by IPSec

• Protocols for securing packet flow and key exchange protocols used for setting up those flows

• Can be used to protect TCP and UDP-based protocols


TCP/IP Packet Encapsulation

• Ethernet frame: ENet header + IP Datagram

• IP Datagram: IP header + TCP Segment

• TCP Segment: TCP header + Application Stream (http://www.f-secure.com)


IP Packet Format

Header fields in order, 32 bits per row (columns mark bits 4, 8, 16 and 32):

• Version, IHL, TOS, Total Length

• Identification, Flags, Fragment offset

• TTL, Protocol, Header Checksum

• Source address (32-bit)

• Destination address (32-bit)

• Options (bit offset 160)

• Payload


TCP and UDP Headers

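TCP header fields in order, 32 bits per row (columns mark bits 4, 8, 16 and 32):

• TCP Source Port, TCP Destination Port

• Sequence Number

• Acknowledgment Number

• Offset, Reserved, Flags, Window

• Checksum, Urgent Pointer

• Options (bit offset 160)

• Payload

UDP header fields in order, 32 bits per row:

• UDP Source Port, UDP Destination Port

• Length, Checksum

• Payload (bit offset 64)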
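The IP, TCP and UDP header layouts above, decoded in code. This is an added example, not part of the original slides; the sample packet, its addresses and ports are constructed for illustration.

```python
import socket
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 upwards

def checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the header (checksum included) must be 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header fields and slice out the payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4  # IHL counts 32-bit words
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "protocol": PROTOCOLS.get(proto, str(proto)), "ttl": ttl, "tos": tos,
        "id": ident, "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF,
        "checksum_ok": checksum_ok(packet[:ihl]),
        "payload": packet[ihl:total_len],
    }

def parse_transport(protocol: str, segment: bytes) -> dict:
    """Decode the TCP or UDP header that follows the IP header."""
    if protocol == "UDP" and len(segment) >= 8:
        sport, dport, length, _csum = struct.unpack("!HHHH", segment[:8])
        return {"src_port": sport, "dst_port": dport, "payload": segment[8:length]}
    if protocol == "TCP" and len(segment) >= 20:
        (sport, dport, seq, ack, off_flags, window, _csum,
         urgent) = struct.unpack("!HHIIHHHH", segment[:20])
        flags = [name for bit, name in enumerate(TCP_FLAGS) if off_flags & (1 << bit)]
        return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                "flags": flags, "window": window,
                "payload": segment[(off_flags >> 12) * 4:]}
    raise ValueError(f"unsupported or truncated {protocol} segment")

# Constructed sample: a TCP SYN from 192.168.100.10:1029 to 192.0.2.80:80.
# The IP header checksum is valid; the TCP checksum is left as zero.
SAMPLE = bytes.fromhex(
    "45000028" "1c464000" "40063787" "c0a8640a" "c0000250"  # IPv4 header
    "04050050" "12345678" "00000000" "5002faf0" "00000000"  # TCP header
)

def summarize(packet: bytes) -> str:
    """One-line view of a packet: endpoints, protocol and TCP flags."""
    ip = parse_ipv4(packet)
    l4 = parse_transport(ip["protocol"], ip["payload"])
    flags = "+".join(l4.get("flags", []))
    return (f'{ip["src"]}:{l4["src_port"]} -> {ip["dst"]}:{l4["dst_port"]} '
            f'{ip["protocol"]} {flags}').strip()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```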


NETWORK STRUCTURE


IP Addresses

Unique number used by computers to refer to each other when sending information through the Internet

The network layer protocol in use today is IPv4 (32 bits), but since the Internet is slowly running out of addresses, IPv6 is proposed as a successor with its 128-bit addresses

• The 32-bit IP address is grouped eight bits at a time, separated by dots, and represented in decimal format (known as dotted decimal notation).

IP Address Classes

• IP addressing supports five different address classes: A, B, C, D, and E. Only classes A, B, and C are available for commercial use


Network and Host Address

The ranges for address classes are:

• Class A: 0.0.0.0 – 127.255.255.255

• Class B: 128.0.0.0 – 191.255.255.255

• Class C: 192.0.0.0 – 223.255.255.255

Address layout per class (leading bits, then Network ID, then Host ID):

• Class A: 0, Network ID (7 bits), Host ID (24 bits)

• Class B: 1 0, Network ID (14 bits), Host ID (16 bits)

• Class C: 1 1 0, Network ID (21 bits), Host ID (8 bits)


Private and Public Network

Some IP addresses are reserved for private use; they are not routed on the Internet

• Used in intranets and test environments

Private addresses

• 127.0.0.1 (localhost)

• 10.0.0.0…10.255.255.255 (Class A)

• 172.16.0.0…172.31.255.255 (Class B)

• 192.168.0.0…192.168.255.255 (Class C)


Network Address Translation (NAT)

Communication from a private address (inside a LAN) to a public address (on the Internet), and vice versa, requires Network Address Translation (NAT)

Dynamic NAT between Workstation and Server(s), with a pool of public IPs 194.197.29.0/26:

• Request before translation: S: Workstation, D: Server

• Request after translation: S: 194.197.29.1, D: Server

• Reply before translation: S: Server, D: 194.197.29.1

• Reply after translation: S: Server, D: Workstation


PAT and NAT

Alternatives

• Static NAT enables access to private network from public network

• Dynamic NAT enables access to a public network from private network

• Port Address Translation (PAT)

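PAT between Workstation and Server(s), with public IP 194.197.29.1:

• Request before translation: S: Workstation:1029, D: Server:80

• Request after translation: S: 194.197.29.1:6855, D: Server:80

• Reply before translation: S: Server:80, D: 194.197.29.1:6855

• Reply after translation: S: Server:80, D: Workstation:1029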
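The PAT flow above as a small translation table. This is an added example, not part of the original slides; the `PatGateway` class, the workstation and server addresses and the starting port are assumptions chosen to reproduce the slide's port numbers. Real devices also track the remote endpoint and expire idle mappings, which this sketch leaves out.

```python
import itertools

class PatGateway:
    """Port Address Translation: many private hosts share one public IP address."""

    def __init__(self, public_ip: str, first_port: int = 6855):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self._out = {}   # (proto, private_ip, private_port) -> public_port
        self._back = {}  # (proto, public_port) -> (private_ip, private_port)

    def outbound(self, proto, src, sport, dst, dport):
        """Rewrite the source of a packet leaving the private network."""
        key = (proto, src, sport)
        if key not in self._out:
            port = next(self._next_port)
            if port > 65535:
                raise RuntimeError("public port pool exhausted")
            self._out[key] = port
            self._back[(proto, port)] = (src, sport)
        return (self.public_ip, self._out[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Rewrite the destination of a reply, or return None (drop) if unmapped."""
        mapping = self._back.get((proto, dport))
        if dst != self.public_ip or mapping is None:
            return None
        return (src, sport, *mapping)

def demo():
    """Replay the slide's flow; workstation and server addresses are constructed."""
    gw = PatGateway("194.197.29.1")
    ws, server = "192.168.100.10", "192.0.2.80"
    sent = gw.outbound("tcp", ws, 1029, server, 80)
    reply = gw.inbound("tcp", server, 80, sent[0], sent[1])
    # A second workstation using the same source port gets its own public port.
    other = gw.outbound("tcp", "192.168.100.11", 1029, server, 80)
    # A packet to a public port with no mapping has nowhere to go.
    unsolicited = gw.inbound("tcp", "203.0.113.9", 4444, "194.197.29.1", 7000)
    return sent, reply, other, unsolicited

if __name__ == "__main__":
    for step in demo():
        print(step)
```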


Network Mask and Subnets

Networks are split into smaller subnets by “borrowing” bits from the host block to the network block

Network mask is used to communicate how much of the address is reserved for network and how much for the host

• Each network class has a default subnet mask

• Class A: 255.0.0.0 (8 bits)

• Class B: 255.255.0.0 (16 bits)

• Class C: 255.255.255.0 (24 bits)

• Thus a C class network with mask 255.255.255.192 (e.g. 192.168.100.0/26) will split the network into four subnets


NSC Notation

NSC Notation is another, shorter way to express IP network masks; it shows how many of those bits are reserved for the network mask

• IP address (255.255.255.255) is a 32 bit number (2^32)

• For example, 255.255.255.0 is /24

• Note that 0.0.0.0/0 means any IP address

Usually the NSC notation for different network masks is checked from a notation table
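The mask and /n notation from the two slides above, computed instead of looked up in a table. This is an added example, not part of the original slides; the function names and the host 192.168.100.70 are assumptions for illustration.

```python
import ipaddress

def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask to /n form; reject masks whose one-bits are not contiguous."""
    value = int(ipaddress.IPv4Address(mask))
    prefix = bin(value).count("1")
    # A valid mask is `prefix` one-bits followed only by zero-bits.
    if value != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous network mask")
    return prefix

def default_prefix(address: str) -> int:
    """Default mask length of the address class, read from the first octet."""
    first = int(ipaddress.IPv4Address(address)) >> 24
    if first < 128:
        return 8    # Class A: leading bit 0
    if first < 192:
        return 16   # Class B: leading bits 10
    if first < 224:
        return 24   # Class C: leading bits 110
    raise ValueError("class D and E addresses have no default mask")

def subnets(address: str, mask: str) -> list:
    """Split the address's classful network into subnets of the given mask."""
    classful = ipaddress.ip_network(f"{address}/{default_prefix(address)}", strict=False)
    return [str(n) for n in classful.subnets(new_prefix=mask_to_prefix(mask))]

def locate(host: str, mask: str) -> dict:
    """Which subnet a host falls in (usable-host count holds for prefixes up to /30)."""
    net = ipaddress.ip_network(f"{host}/{mask_to_prefix(mask)}", strict=False)
    return {"network": str(net), "broadcast": str(net.broadcast_address),
            "usable_hosts": net.num_addresses - 2, "private": net.is_private}

if __name__ == "__main__":
    print(mask_to_prefix("255.255.255.192"))             # borrowed 2 host bits
    print(subnets("192.168.100.0", "255.255.255.192"))   # the four /26 subnets
    print(locate("192.168.100.70", "255.255.255.192"))   # constructed host
```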


Initiator / Responder, Outbound / Inbound

INITIATOR always starts the communication

RESPONDER is the host that the initiator connects to

OUTBOUND traffic is outgoing packets originated by the initiator

INBOUND traffic is incoming packets originated by other parties

[Figure: Initiator and Responder, with outbound and inbound traffic]


Ports in TCP/UDP

Initiator opens a connection

• From dynamic port (>1023) to a fixed port (X) that the responder listens to

Responder replies

• From the fixed port (X) to the dynamic port (>1023)

Initiator port: >1023 Responder port: X


TCP/UDP Ports Assigned by IANA

Port ranges

• 0 … 1023 Well Known Ports, assigned by the IANA

• 1024 … 49151 Registered ports

• 49152 … 65535 Dynamic ports

Some familiar TCP and UDP ports and their numbers:

• ftp-data 20/tcp File Transfer [Data]

• ftp 21/tcp File Transfer [Control]

• ssh 22/tcp SSH Remote Login Protocol

• smtp 25/tcp Simple Mail Transfer Protocol

• http 80/tcp Hypertext Transfer Protocol

• netbios-ns 137/udp NETBIOS Name Service


COMMON PROTOCOLS


Telnet and SSH

Telnet

• Allows terminal sessions to remote systems

• Authentication and all data are in plain text

• TCP port 23

Secure Shell (SSH)

• Allows fully encrypted terminal sessions to remote systems

• Can be used to tunnel TCP connections through an encrypted connection

• Encrypted file transfer (SFTP) is also available

• TCP port 22


HTTP and HTTPs

Hypertext Transfer Protocol (HTTP)

• Used when browsing web pages

• All transmitted data is unencrypted

• TCP port 80

Secure Socket Layer (SSL)

• Also known as Secure HTTP (HTTPs)

• Encrypted variant of the HTTP protocol

• All transmitted data is encrypted

• TCP port 443


SMTP, POP and IMAP

Sending (SMTP)

• Simple Mail Transfer Protocol

• Clients transfer emails to mail server

• Server also sends and receives mail to/from other servers

• Authentication is optional, but unencrypted

Receiving (POP and IMAP)

• Post Office Protocol and Internet Mail Access Protocol

• Clients receive mail from mail server (POP) or clients manage the mail on a mail server (IMAP)

• Authentication and all data transfer is normally unencrypted, but encryption is optional


Domain Name System (DNS)

Used to translate human-readable host names to computer-friendly IP addresses and vice versa (reverse DNS)

• www.f-secure.com is 193.110.109.50 (done through Winsock)

• DNS Server stores the information

• Servers exchange DNS information with other DNS Servers

Clients ask the server for information

• nslookup

DNS mostly uses UDP but, if needed, sometimes falls back to TCP


File Transfer Protocol (FTP)

Widely used to transport large data files

• Two modes

• Active FTP

• Passive FTP

Authentication and all transferred data are unencrypted


Active FTP

Control

• Client connects from a random port (n) to server port 21 and sends port information (PORT n+1) to server

• Client starts listening to a specified port (n+1)

Data

• Server opens a data connection from port 21 to the client's negotiated port (n+1)

Ports shown in the slide's diagram (FTP Client, FTP Server):

• Control: client port n > 1023, server port 21

• Data: client port n+1, server port 20


Passive FTP

Control

• Client connects from a random port (n) to server’s port 21

• Server starts listening to a random port (p)

Data

• Client connects from random port (n+1) to server’s random port (p)

Ports shown in the slide's diagram (FTP Client, FTP Server):

• Control: client port n > 1023, server port 21

• Data: client port n+1, server port p > 1023


BASIC WINDOWS COMMUNICATION


Microsoft Windows Networking and WINS

Microsoft Windows Networking

• Can be transmitted over IP/NetBEUI/IPX

• Used e.g. during domain login, when browsing the Network Neighborhood, when sharing files or printers

Windows Internet Name Service (WINS)

• Used to provide NetBIOS network clients with a name-to-IP and IP-to-name translation

• Clients inform the WINS Server about their names and IP addresses

• WINS Server stores all name-to-IP and IP-to-name information

• Clients can query the server for this information


Server Message Block (SMB)

Client/Server Protocol that provides file and print sharing between computers

• Used directly over TCP or over NETBIOS

Windows 2000 and later use SMB over TCP which brings the following advantages

• Simplifying transport of SMB traffic as no NETBIOS is needed

• Removing WINS and NETBIOS broadcast as a means of name resolution

• Standardizing name resolution on DNS for file and printer sharing

• Uses port 445


Remote Procedure Call (RPC)

Allows a computer program running on one host to run code on another host without the programmer needing to explicitly code for this

• Not a protocol in itself but a paradigm for implementation

• Used by services like DNS (Domain Name System)

• RPC and DCOM (Distributed Component Object) use port 135

RPC over HTTP

• HTTP wrapper around the RPC traffic (actually usually uses HTTPs and thus uses port 443)

• Used between Outlook clients and Exchange Servers (version 2003)

• Alternative to OWA (Outlook Web Access) or VPN


FIREWALLS


Firewall Basics

A firewall is a protective entry point that controls all incoming and outgoing network traffic

Firewalls are used to guard against unauthorized access to networks and/or hosts

• Protect hosts against vulnerabilities of the OS or applications

• Protect against insecure configurations of a host

• Enforce security policy


Firewall Basics

Firewalls are configured with a list of rules

• The rules are read from top to bottom and the first rule which matches is applied

• Often the last rule denies all traffic

The rules can be based on

• Source/destination IP address

• Source/destination protocol

• Source/destination port
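First-match rule evaluation as described above, with a check for rules that an earlier rule makes unreachable. This is an added example, not part of the original slides and not any product's rule syntax; the `Rule` fields, the rule set and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

net = ipaddress.ip_network

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # 0.0.0.0/0 means any IP address
    dst: str = "0.0.0.0/0"
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    dport: range = range(0, 65536)   # destination ports covered

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in net(self.src)
                and ipaddress.ip_address(dst) in net(self.dst)
                and self.proto in ("any", proto)
                and dport in self.dport)

def evaluate(rules, src, dst, proto, dport):
    """Read rules top to bottom; return (index, action) of the first match."""
    for index, rule in enumerate(rules):
        if rule.matches(src, dst, proto, dport):
            return index, rule.action
    return None, "deny"  # nothing matched: fail closed

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (net(later.src).subnet_of(net(earlier.src))
                    and net(later.dst).subnet_of(net(earlier.dst))
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport.start <= later.dport.start
                    and later.dport.stop <= earlier.dport.stop):
                hidden.append(i)
                break
    return hidden

# Constructed rule set for a server subnet 192.168.100.0/26.
RULES = [
    Rule("allow", dst="192.168.100.0/26", proto="tcp", dport=range(80, 81)),
    Rule("allow", src="10.0.0.0/8", dst="192.168.100.0/26", proto="tcp",
         dport=range(22, 23)),
    # Meant to block one subnet from SSH, but placed after the broader allow.
    Rule("deny", src="10.9.0.0/16", dst="192.168.100.0/26", proto="tcp",
         dport=range(22, 23)),
    Rule("deny"),  # the last rule denies all traffic
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.9.1.5", "192.168.100.20", "tcp", 22))
    print(shadowed(RULES))
```

Because the first match wins, the deny at index 2 never takes effect; moving it above the broader allow is the fix.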


Testing Firewall Settings

Regular testing

• Very important to check the configurations

• Should be defined in Company Security Policy

There are many tools that can be used to test the configuration

• Cisco Secure Scanner

• ISS (Internet Security Scanner)

• nmap, nessus


Types of Firewalls: Technology

Firewall technologies are often classified into

• Firewalls based on packet filtering

• Rules are based on IP address, protocol and port

• Firewalls based on Circuit relay

• Rules are also based on time, user account and password

• Application level firewalls

• Acts also as a proxy and inspects the content of the traffic


Static Packet Filter

Acts on OSI layer 3 (network layer)

• Source and destination IP address/port

• Protocol, flags, sequence and acknowledge numbers

• ICMP code and type number

[Figure: OSI layer stacks (Application, Presentation, Session, Transport, Network, DataLink, Physical) of the two end hosts, with the packet filter between them covering Transport, Network, DataLink and Physical]


Multi Level Filtering

Inspects the traffic on all layers

• Application level restrictions possible, only certain commands can be allowed

• Slower than packet filtering

[Figure: OSI layer stacks (Application, Presentation, Session, Transport, Network, DataLink, Physical) of the two end hosts, with the filter between them covering all layers and handling Telnet, FTP and HTTP at the application level]


Types of Firewalls: Network Role

Firewalls can also be classified based on their role in network topology

• Perimeter firewalls (or traditional firewalls)

• Mostly dedicated hosts at the border of the network

• Personal firewalls

• Runs on an end user's host and is installed and configured by the end user

• Distributed firewalls

• Runs on each host and is deployed and configured centrally


The Evolution of Firewalls

[Figure: Corporate Office, Home Office, On the Road]


Mobility Dilemma

[Figure: On the Road, Corporate Office]


What a Firewall Doesn’t Protect From?

Attacks that don’t go through the firewall

• Backdoors, (personal) modems and RAS (remote access server)

Insider attacks in your network

• Social engineering

Content based attacks

• Macros etc.

• Some firewalls are able to filter out some content, such as ActiveX and Java

No firewall can protect against inadequate or mismanaged policies

• Firewall, like all security software, is a tool, not a magic bullet


Summary

In this section

• TCP/IP

• Network structure

• Common Protocols

• Basic windows communications

• Firewalls