NETWORK FUNDAMENTALS
Page 2
Agenda
In this section
• TCP/IP
• Network structure
• Common Protocols
• Basic windows communications
• Firewalls
TCP/IP
Page 4
What is TCP/IP
Transmission Control Protocol / Internet Protocol
• Created by Advanced Research Projects Agency (ARPA)
• Used in first computer network, the Arpanet
• Later used to construct the global internet
• TCP/IP name is taken from the two fundamental protocols TCP and IP
Page 5
TCP/IP Protocol Stack
(Diagram, rendered as text: OSI layer numbers on the left, the TCP/IP protocols found at each layer on the right.)
7. Application / 6. Presentation / 5. Session: Application-level protocols: FTP, DNS, HTTP, SMTP, Telnet
4. Transport: TCP, UDP
3. Network: IP-level protocols: IP, ICMP, IGMP
2. Data Link: IP over Ethernet, IP over Serial Line
1. Physical/HW: Ethernet Adapter, Analog Modem
Page 6
Internet Protocols: TCP & UDP
TCP (Transmission Control Protocol) is a connection-oriented transport protocol
• It is reliable and ordered, but fairly heavy
• Used by Telnet, FTP, SSH, HTTP etc.
UDP (User Datagram Protocol) is a connectionless transport protocol
• UDP is much lighter than TCP, but it is unreliable and not ordered
• Used by TFTP, DNS etc.
Page 7
Internet Protocols: ICMP, AH & ESP
ICMP (Internet Control Message Protocol) is used for diagnostic and management purposes
• IP's internal network management protocol; not intended for use by applications
• Two well-known exceptions are the ping and traceroute diagnostic utilities
ESP (Encapsulating Security Payload) and AH (Authentication Header) are the protocols used by IPSec
• Protocols for securing packet flows, plus key exchange protocols used for setting up those flows
• Can be used to protect TCP- and UDP-based protocols
Page 8
TCP/IP Packet Encapsulation
(Diagram, rendered as text: each layer wraps the one above it.)
Ethernet frame: ENet header | IP datagram
IP datagram:    IP header   | TCP segment
TCP segment:    TCP header  | Application stream
http://www.f-secure.com
Page 9
IP Packet Format
(Header layout, rendered as text; the column labels on the slide give bit offsets 0, 4, 8, 16 and 32.)
Bits:   0        4        8               16                              32
       | Version | IHL    | TOS           | Total Length                   |
       | Identification                   | Flags | Fragment offset        |
       | TTL              | Protocol      | Header Checksum                |
       | Source address (32-bit)                                           |
       | Destination address (32-bit)                                      |
       | Options                                                           |
       | Payload                                                           |
Page 10
TCP and UDP Headers
(Header layouts, rendered as text; bit offsets 0, 4, 8, 16 and 32 run across the top as on the previous slide.)
TCP header:
       | TCP Source Port                  | TCP Destination Port           |
       | Sequence Number                                                   |
       | Acknowledgment Number                                             |
       | Offset | Reserved | Flags        | Window                         |
       | Checksum                         | Urgent Pointer                 |
       | Options                                                           |
       | Payload                                                           |
UDP header:
       | UDP Source Port                  | UDP Destination Port           |
       | Length                           | Checksum                       |
       | Payload                                                           |
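The parser below is an added worked example, not code from the original slides. It peels a constructed Ethernet frame through the three encapsulation layers of the TCP/IP Packet Encapsulation slide and decodes the IPv4, TCP and UDP header fields laid out on the last two slides. It also verifies the IPv4 header checksum and rejects a frame whose header has been altered, which is the check a firewall or IDS performs before trusting any field. The sample frame, its MAC addresses and the 10.0.0.5 client address are constructed; 193.110.109.50 is the www.f-secure.com address quoted later in the deck.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words. Returns 0 when run over a header
    whose Header Checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(datagram: bytes) -> dict:
    """Decode the fixed 20-byte header from the 'IP Packet Format' slide."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _hcs, src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4                  # IHL counts 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(datagram) < total_len:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(datagram[:ihl]) != 0:       # checksum covers the header only
        raise ValueError("bad IPv4 header checksum")
    return {
        "tos": tos, "id": ident, "ttl": ttl, "protocol": proto,
        "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": datagram[20:ihl], "payload": datagram[ihl:total_len],
    }


def parse_tcp(segment: bytes) -> dict:
    (sport, dport, seq, ack, off_res, flags,
     window, _cksum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_off = (off_res >> 4) * 4                # Offset field, in 32-bit words
    if data_off < 20 or len(segment) < data_off:
        raise ValueError("malformed TCP header")
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10),
            "window": window, "urgent": urg,
            "options": segment[20:data_off], "payload": segment[data_off:]}


def parse_udp(datagram: bytes) -> dict:
    sport, dport, length, _cksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or len(datagram) < length:
        raise ValueError("malformed UDP header")
    return {"src_port": sport, "dst_port": dport, "length": length,
            "payload": datagram[8:length]}


def parse_frame(frame: bytes) -> dict:
    """Peel the layers: Ethernet frame -> IP datagram -> TCP/UDP -> application data."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: 0x%04x" % ethertype)
    ip = parse_ipv4(frame[14:])
    if ip["protocol"] == PROTO_TCP:
        transport = parse_tcp(ip["payload"])
    elif ip["protocol"] == PROTO_UDP:
        transport = parse_udp(ip["payload"])
    else:
        transport = None                         # e.g. ICMP: not decoded here
    fmt = lambda mac: ":".join("%02x" % b for b in mac)
    return {"eth": {"src": fmt(src_mac), "dst": fmt(dst_mac)},
            "ip": ip, "transport": transport}


def build_sample_frame() -> bytes:
    """Constructed sample (not captured traffic): a TCP SYN from 10.0.0.5:1029
    to 193.110.109.50:80 carrying five bytes of application data."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    payload = b"hello"
    tcp = struct.pack("!HHIIBBHHH", 1029, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, PROTO_TCP, 0,
                     bytes([10, 0, 0, 5]), bytes([193, 110, 109, 50]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the checksum
    return eth + ip + tcp + payload


if __name__ == "__main__":
    decoded = parse_frame(build_sample_frame())
    print(decoded["ip"]["src"], "->", decoded["ip"]["dst"], decoded["transport"])
```

The TCP and UDP checksums are not verified here because they are computed over a pseudo-header that includes IP addresses; the IPv4 header checksum, which covers only the header, is enough to show the principle.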
NETWORK STRUCTURE
Page 12
IP Addresses
Unique number used by computers to refer to each other when sending information through the Internet
The network layer protocol in use today is IPv4 (32-bit addresses); since the Internet is slowly running out of addresses, IPv6 with its 128-bit addresses is proposed as the successor
• The 32-bit IP address is grouped eight bits at a time, separated by dots, and represented in decimal format (known as dotted decimal notation)
IP Address Classes
• IP addressing supports five different address classes: A, B, C, D, and E. Only classes A, B, and C are available for commercial use
Page 13
Network and Host Address
The ranges for address classes are:
• Class A: 0.0.0.0 – 127.255.255.255
• Class B: 128.0.0.0 – 191.255.255.255
• Class C: 192.0.0.0 – 223.255.255.255
(Diagram, rendered as text: the leading bits, then the network and host fields.)
Class A: 0     | Network ID (7 bits)  | Host ID (24 bits)
Class B: 1 0   | Network ID (14 bits) | Host ID (16 bits)
Class C: 1 1 0 | Network ID (21 bits) | Host ID (8 bits)
Page 14
Private and Public Network
Some IP addresses are reserved for private use; they are not routed on the Internet
• Used in intranets and test environments
Private addresses
• 127.0.0.1 (localhost)
• 10.0.0.0…10.255.255.255 (Class A)
• 172.16.0.0…172.31.255.255 (Class B)
• 192.168.0.0…192.168.255.255 (Class C)
Page 15
Network Address Translation (NAT)
Communication from a private address (inside a LAN) to a public
address (on the Internet), and vice versa, requires Network Address
Translation (NAT)
(Diagram, rendered as text: Dynamic NAT between a Workstation on the LAN and Server(s) on the Internet, drawing from a pool of public IPs 194.197.29.0/26.)
Workstation -> NAT:   S: Workstation    D: Server
NAT -> Server:        S: 194.197.29.1   D: Server
Server -> NAT:        S: Server         D: 194.197.29.1
NAT -> Workstation:   S: Server         D: Workstation
Page 16
PAT and NAT
Alternatives
• Static NAT enables access to private network from public network
• Dynamic NAT enables access to a public network from private network
• Port Address Translation (PAT)
(Diagram, rendered as text: PAT between a Workstation and Server(s) sharing the single public IP 194.197.29.1.)
Workstation -> PAT:   S: Workstation:1029     D: Server:80
PAT -> Server:        S: 194.197.29.1:6855    D: Server:80
Server -> PAT:        S: Server:80            D: 194.197.29.1:6855
PAT -> Workstation:   S: Server:80            D: Workstation:1029
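The class below is an added example, not code from the original slides, that models the two translation tables behind the NAT and PAT slides: outbound packets from the LAN get the public IP and a fresh translated source port, replies are mapped back through the same state, and an inbound packet with no matching state (or one not coming from the responder the inside host talked to) is dropped. That dropped case is why dynamic NAT/PAT only lets the private side initiate; a static mapping, added by hand, is what opens a public port toward an inside host. The public IP 194.197.29.1, the port 6855 and the workstation port 1029 are the slide's values; the 192.168.1.10 workstation and the 198.51.100.7 outside host are constructed.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortAddressTranslator:
    """PAT: many private hosts share one public IP; flows are told apart by the
    translated source port that the translator picks for each of them."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self._out = {}     # (src_ip, src_port, dst_ip, dst_port) -> public port
        self._in = {}      # public port -> (src_ip, src_port, dst_ip, dst_port)
        self._static = {}  # public port -> (inside_ip, inside_port): static NAT

    def add_static_mapping(self, public_port: int, inside_ip: str, inside_port: int):
        """Static NAT: a public port forwarded to one inside host, reachable from outside."""
        self._static[public_port] = (inside_ip, inside_port)

    def translate_outbound(self, pkt: Flow) -> Flow:
        """LAN -> Internet: rewrite the private source with the public IP and port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self._out.get(key)
        if public_port is None:                   # first packet of this flow: create state
            public_port = next(self._ports)
            self._out[key] = public_port
            self._in[public_port] = key
        return Flow(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Flow) -> Optional[Flow]:
        """Internet -> LAN: returns the rewritten packet, or None if it must be dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self._static:          # statically opened port
            inside_ip, inside_port = self._static[pkt.dst_port]
            return Flow(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        key = self._in.get(pkt.dst_port)
        if key is None:                           # unsolicited: no inside host asked for it
            return None
        src_ip, src_port, dst_ip, dst_port = key
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None                           # not from the responder of this flow
        return Flow(pkt.src_ip, pkt.src_port, src_ip, src_port)


if __name__ == "__main__":
    pat = PortAddressTranslator("194.197.29.1", first_port=6855)
    out = pat.translate_outbound(Flow("192.168.1.10", 1029, "193.110.109.50", 80))
    print("outbound after PAT:", out)
    print("reply after PAT:", pat.translate_inbound(Flow("193.110.109.50", 80, "194.197.29.1", 6855)))
    print("unsolicited:", pat.translate_inbound(Flow("198.51.100.7", 4444, "194.197.29.1", 6856)))
```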
Page 17
Network Mask and Subnets
Networks are split into smaller subnets by “borrowing” bits from the host block for the network block
The network mask is used to communicate how much of the address is reserved for the network and how much for the host
• Each network class has a default subnet mask
• Class A: 255.0.0.0 (8 bits)
• Class B: 255.255.0.0 (16 bits)
• Class C: 255.255.255.0 (24 bits)
• Thus a class C network with mask 255.255.255.192 (e.g. 192.168.100.0/26) is split into four subnets
Page 18
NSC Notation
NSC notation is another, shorter way to express IP network masks: it gives the number of bits reserved for the network part
• An IP address (255.255.255.255) is a 32-bit number (2^32 possible values)
• For example, 255.255.255.0 is /24
• Note that 0.0.0.0/0 means any IP address
The NSC notation for a given network mask is usually looked up in a notation table
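The functions below are an added example, not code from the original slides, covering the four address slides together: the class of an address from its leading bits, the private ranges, conversion between a dotted mask and the /n prefix notation (replacing the lookup table with a calculation, and rejecting a mask whose ones are not contiguous), and the /24-to-four-/26 split used on the Network Mask slide. Only the standard library ipaddress module is used; the 127.0.0.0/8 loopback range is treated as private because the slide lists 127.0.0.1 among the private addresses.

```python
import ipaddress
from typing import List

# The private ranges listed on the "Private and Public Network" slide
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(ip: str) -> str:
    """Class from the leading bits of the first octet: 0 / 10 / 110 / 1110 / 1111."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"          # multicast
    return "E"              # reserved


def default_mask(ip: str) -> str:
    """Default (classful) mask; classes D and E have none."""
    return DEFAULT_MASKS[address_class(ip)]


def is_private(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def mask_to_prefix(mask: str) -> int:
    """255.255.255.192 -> 26. Rejects masks such as 255.0.255.0 whose set bits
    are not a single run from the left."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous network mask: %s" % mask)
    return prefix


def prefix_to_mask(prefix: int) -> str:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


def split_subnets(network: str, new_mask: str) -> List[str]:
    """Borrow host bits: split e.g. 192.168.100.0/24 by 255.255.255.192 into four /26 subnets."""
    net = ipaddress.ip_network(network, strict=False)
    return [str(subnet) for subnet in net.subnets(new_prefix=mask_to_prefix(new_mask))]


def usable_hosts(network: str) -> int:
    """Host addresses excluding the network and broadcast addresses."""
    net = ipaddress.ip_network(network, strict=False)
    return max(net.num_addresses - 2, 0)


if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.20.1.1", "193.110.109.50"):
        print(ip, "class", address_class(ip), "mask", default_mask(ip), "private" if is_private(ip) else "public")
    print(split_subnets("192.168.100.0/24", "255.255.255.192"))
```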
Page 19
Initiator / Responder, Outbound / Inbound
(Diagram: Initiator on the left, Responder on the right; outbound traffic flows from the initiator, inbound traffic toward it.)
INITIATOR always starts the communication
RESPONDER is the host that the initiator connects to
OUTBOUND traffic is outgoing packets originated by the initiator
INBOUND traffic is incoming packets originated by other parties
Page 20
Ports in TCP/UDP
Initiator opens a connection
• From dynamic port (>1023) to a fixed port (X) that the responder listens to
Responder replies
• From the fixed port (X) to the dynamic port (>1023)
Initiator port: >1023 Responder port: X
Page 21
TCP/UDP Ports Assigned by IANA
Port ranges
• 0 … 1023 Well Known Ports, assigned by the IANA
• 1024 … 49151 Registered ports
• 49152 … 65535 Dynamic ports
Some familiar TCP and UDP ports and their numbers:
• ftp-data 20/tcp File Transfer [Data]
• ftp 21/tcp File Transfer [Control]
• ssh 22/tcp SSH Remote Login Protocol
• smtp 25/tcp Simple Mail Transfer Protocol
• http 80/tcp Hypertext Transfer Protocol
• netbios-ns 137/udp NETBIOS Name Service
COMMON PROTOCOLS
Page 23
Telnet and SSH
Telnet
• Allows terminal sessions to a remote system
• Authentication and all data are in plain text
• TCP port 23
Secure Shell (SSH)
• Allows fully encrypted terminal sessions to a remote system
• Can be used to tunnel TCP connections through the encrypted connection
• Encrypted file transfer (SFTP) is also available
• TCP port 22
Page 24
HTTP and HTTPs
Hypertext Transfer Protocol (HTTP)
• Used when browsing web pages
• All transmitted data is unencrypted
• TCP port 80
Secure Socket Layer (SSL)
• Also known as Secure HTTP (HTTPs)
• Encrypted variant of the HTTP protocol
• All transmitted data is encrypted
• TCP port 443
Page 25
SMTP, POP and IMAP
Sending (SMTP)
• Simple Mail Transfer Protocol
• Clients transfer emails to mail server
• Server also sends and receives mail to/from other servers
• Authentication is optional, but unencrypted
Receiving (POP and IMAP)
• Post Office Protocol and Internet Message Access Protocol
• Clients receive mail from mail server (POP) or clients manage the mail on a mail server (IMAP)
• Authentication and all data transfer is normally unencrypted, but encryption is optional
Page 26
Domain Name System (DNS)
Used to translate human-readable host names to computer friendly IP
addresses and vice versa (reverse DNS)
• www.f-secure.com is 193.110.109.50 (done through Winsock)
• DNS Server stores the information
• Servers exchange DNS information between other DNS Servers
Clients ask the server for information
• nslookup
DNS mostly uses UDP but falls back to TCP when needed
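The code below is an added example, not from the original slides, showing the DNS exchange in wire format: it builds an A query for www.f-secure.com, parses the header of the reply, pulls the A records out of the answer section, and applies the rule behind the last bullet: when the reply's TC (truncated) bit is set, the same query is re-sent over TCP, where each message is prefixed with a two-byte length. The responses are constructed locally (no network access), and 193.110.109.50 is the address the slide gives for www.f-secure.com. A practitioner's check is included: a reply is only accepted if its transaction ID matches the query sent.

```python
import struct
from typing import List

A_RECORD, IN_CLASS = 1, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Wire form of a host name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = A_RECORD) -> bytes:
    """12-byte header (recursion desired, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)


def parse_header(msg: bytes) -> dict:
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "questions": qd, "answers": an}


def _skip_name(msg: bytes, i: int) -> int:
    """Advance past a name, which is either labels or a 2-byte compression pointer."""
    while True:
        length = msg[i]
        if length == 0:
            return i + 1
        if length & 0xC0 == 0xC0:
            return i + 2
        i += 1 + length


def extract_a_records(msg: bytes) -> List[str]:
    """IPv4 addresses from the answer section of a response."""
    header = parse_header(msg)
    i = 12
    for _ in range(header["questions"]):
        i = _skip_name(msg, i) + 4              # skip QTYPE and QCLASS
    addresses = []
    for _ in range(header["answers"]):
        i = _skip_name(msg, i)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[i:i + 10])
        i += 10
        if rtype == A_RECORD and rclass == IN_CLASS and rdlen == 4:
            addresses.append(".".join(map(str, msg[i:i + 4])))
        i += rdlen
    return addresses


def needs_tcp_retry(response: bytes, expected_id: int) -> bool:
    """True when a UDP reply to our query was truncated and must be repeated over TCP."""
    header = parse_header(response)
    return header["qr"] and header["id"] == expected_id and header["tc"]


def tcp_framed(msg: bytes) -> bytes:
    """Over TCP every DNS message carries a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def build_sample_response(txid: int, truncated: bool = False) -> bytes:
    """Constructed reply to build_query('www.f-secure.com'): one A record, or a
    truncated reply with the answer section left empty."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    question = build_query("www.f-secure.com", txid)[12:]
    answer = b"" if truncated else (
        b"\xC0\x0C" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 300, 4) + bytes([193, 110, 109, 50]))
    return struct.pack("!HHHHHH", txid, flags, 1, 0 if truncated else 1, 0, 0) + question + answer


if __name__ == "__main__":
    query = build_query("www.f-secure.com", 0x1234)
    reply = build_sample_response(0x1234, truncated=True)
    if needs_tcp_retry(reply, 0x1234):
        print("truncated over UDP, would resend", len(tcp_framed(query)), "bytes over TCP")
    print(extract_a_records(build_sample_response(0x1234)))
```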
Page 27
File Transfer Protocol (FTP)
Widely used to transport large data files
• Two modes
• Active FTP
• Passive FTP
Authentication and all transferred data is unencrypted
Page 28
Active FTP
Control
• Client connects from a random port (n > 1023) to server port 21 and sends its data port to the server (PORT n+1)
• Client starts listening on the specified port (n+1)
Data
• Server opens the data connection from its port 20 to the client's negotiated port (n+1)
(Diagram, rendered as text:)
FTP Client port n (> 1023)   --- Control --->   FTP Server port 21
FTP Client port n+1          <--- Data ------   FTP Server port 20
Page 29
Passive FTP
Control
• Client connects from a random port (n > 1023) to the server's port 21
• Server starts listening on a random port (p > 1023)
Data
• Client connects from random port (n+1) to the server's random port (p)
(Diagram, rendered as text:)
FTP Client port n (> 1023)   --- Control --->   FTP Server port 21
FTP Client port n+1          ---- Data ----->   FTP Server port p (> 1023)
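The helpers below are an added example, not code from the original slides, for the two FTP modes just described. They encode and decode the h1,h2,h3,h4,p1,p2 address field that the PORT command and the 227 PASV reply carry on the control connection, and work out which side must accept the inbound data connection: the client in active mode (a problem behind NAT or a personal firewall), the server on a port above 1023 in passive mode. The validation in handle_port_command, that the advertised address equals the control connection's peer and the port is a dynamic one, is the check a server or stateful firewall applies before opening the data connection. Sample addresses are constructed; the 227 reply format follows the FTP specification.

```python
import re
from typing import Tuple

_SIX_NUMBERS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_host_port(ip: str, port: int) -> str:
    """'10.0.0.5', 1030 -> '10,0,0,5,4,6' (port split into high and low byte)."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % ip)
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_host_port(text: str) -> Tuple[str, int]:
    """Find the h1,h2,h3,h4,p1,p2 field in a PORT argument or a 227 reply line."""
    match = _SIX_NUMBERS.search(text)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    numbers = [int(x) for x in match.groups()]
    if any(x > 255 for x in numbers):
        raise ValueError("value out of range in %r" % text)
    return ".".join(map(str, numbers[:4])), (numbers[4] << 8) | numbers[5]


def handle_port_command(argument: str, control_peer_ip: str) -> dict:
    """Server side of active mode: the client asks us to connect back to it."""
    ip, port = decode_host_port(argument)
    if ip != control_peer_ip:
        raise ValueError("PORT address %s differs from control connection peer %s" % (ip, control_peer_ip))
    if port <= 1023:
        raise ValueError("PORT must name a dynamic port (> 1023), got %d" % port)
    # Server connects from its own port 20; the client must accept the inbound connection
    return {"mode": "active", "initiator": ("server", 20), "responder": (ip, port)}


def handle_pasv_reply(line: str, control_server_ip: str) -> dict:
    """Client side of passive mode: the server tells us where it is listening."""
    if not line.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % line)
    ip, port = decode_host_port(line)
    if ip != control_server_ip:
        raise ValueError("PASV address %s differs from the server we are talking to" % ip)
    if port <= 1023:
        raise ValueError("PASV port must be > 1023, got %d" % port)
    # Client connects from its port n+1; the server must accept the inbound connection
    return {"mode": "passive", "initiator": ("client", "n+1"), "responder": (ip, port)}


def inbound_side(data_connection: dict) -> str:
    """Which party's firewall must allow an inbound connection for the transfer."""
    return "client" if data_connection["mode"] == "active" else "server"


if __name__ == "__main__":
    active = handle_port_command(encode_host_port("10.0.0.5", 1030), "10.0.0.5")
    passive = handle_pasv_reply("227 Entering Passive Mode (193,110,109,50,195,80).", "193.110.109.50")
    for conn in (active, passive):
        print(conn["mode"], "data connection accepted by the", inbound_side(conn), conn["responder"])
```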
BASIC WINDOWS COMMUNICATION
Page 31
Microsoft Windows Networking and WINS
Microsoft Windows Networking
• Can be transmitted over IP/NetBEUI/IPX
• Used e.g. during domain login, when browsing the Network Neighborhood, when sharing files or printers
Windows Internet Name Service (WINS )
• Used to provide NetBIOS network clients with a name-to-IP and IP-to-name translation
• Clients inform the WINS Server about their names and IP addresses
• WINS Server stores all name-to-IP and IP-to-name information
• Clients can query this information from the server
Page 32
Server Message Block (SMB)
Client/server protocol that provides file and print sharing between computers
• Used directly over TCP or over NETBIOS
Windows 2000 and later use SMB over TCP, which brings the following advantages
• Simplifies transport of SMB traffic, as no NETBIOS is needed
• Removes WINS and NETBIOS broadcasts as a means of name resolution
• Standardizes name resolution on DNS for file and printer sharing
• Uses port 445
Page 33
Remote Procedure Call (RPC)
Allows a computer program running on one host to run code on another host without the programmer needing to explicitly code for this
• Not a protocol in itself but a paradigm for implementation
• Used by services like DNS (Domain Name System)
• RPC and DCOM (Distributed Component Object Model) use port 135
RPC over HTTP
• HTTP wrapper around the RPC traffic (in practice usually HTTPs, and thus port 443)
• Used between Outlook clients and Exchange Servers (version 2003)
• Alternative to OWA (Outlook Web Access) or VPN
FIREWALLS
Page 35
Firewall Basics
A firewall is a protective entry point that controls all incoming and outgoing network traffic
Firewalls are used to guard against unauthorized access to networks and/or hosts
• Protect hosts against vulnerabilities of the OS or applications
• Protect against insecure configurations of a host
• Enforce security policy
Page 36
Firewall Basics
Firewalls are configured with a list of rules
• The rules are read from top to bottom and the first rule which matches is applied
• Often the last rule denies all traffic
The rules can be based on
• Source/destination IP address
• Source/destination protocol
• Source/destination port
Page 37
Testing Firewall Settings
Regular testing
• Very important to check the configurations
• Should be defined in Company Security Policy
There are many tools that can be used to test the configuration
• Cisco Secure Scanner
• ISS (Internet Security Scanner)
• nmap, nessus
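The code below is an added example, not from the original slides, serving the two slides above: a first-match rule engine over source/destination address, protocol and port with an implicit final deny, run over a few constructed packets, and a static check of the kind a configuration review should include: a rule placed after a broader rule can never match, so a "deny telnet" rule below an "allow everything from the LAN" rule is silently dead. The rule set, the 192.168.100.0/24 LAN and the 203.0.113.5 outside address are constructed; nothing here is a real product's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = ANY                # source network in prefix notation
    dst: str = ANY                # destination network in prefix notation
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by `other` is also matched by self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and (self.proto is None or self.proto == other.proto)
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules: List[Rule], packet: Packet) -> Tuple[str, Optional[int]]:
    """Rules are read top to bottom; the first match decides. No match: deny."""
    for index, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, index
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(later, earlier) pairs where the earlier rule fully covers the later one,
    so the later rule can never be the first match."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                found.append((j, i))
                break
    return found


# Constructed rule set: a LAN 192.168.100.0/24 with one web server, DNS out, no telnet
RULESET = [
    Rule("allow", dst="192.168.100.10/32", proto="tcp", dport=80),
    Rule("allow", dst="192.168.100.10/32", proto="tcp", dport=443),
    Rule("allow", src="192.168.100.0/24", proto="udp", dport=53),
    Rule("deny", proto="tcp", dport=23),
    Rule("deny"),                                  # explicit "deny all" as the last rule
]

# Constructed packets to exercise the rule set
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.168.100.10", "tcp", 40000, 80),
    Packet("203.0.113.5", "192.168.100.10", "tcp", 40001, 22),
    Packet("192.168.100.20", "193.110.109.50", "udp", 50000, 53),
    Packet("192.168.100.20", "193.110.109.50", "tcp", 50001, 23),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", evaluate(RULESET, pkt))
    misordered = [Rule("allow", src="192.168.100.0/24"),
                  Rule("deny", src="192.168.100.0/24", proto="tcp", dport=23)]
    print("shadowed:", shadowed_rules(misordered))
```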
Page 38
Types of Firewalls: Technology
Firewall technologies are often classified as
• Firewalls based on packet filtering
• Rules are based on IP address, protocol and port
• Firewalls based on circuit relay
• Rules are also based on time, user account and password
• Application level firewalls
• Act also as a proxy and inspect the content of the traffic
Page 39
Static Packet Filter
Acts on OSI layer 3 (network layer)
• Source and destination IP address/port
• Protocol, flags, sequence and acknowledge numbers
• ICMP code and type number
(Diagram: the OSI stacks of the two communicating hosts with the packet filter between them; the filter implements and inspects only the Physical, Data Link, Network and Transport layers.)
Page 40
Multi Level Filtering
Inspects the traffic on all layers
• Application level restrictions possible, only certain commands can be allowed
• Slower than packet filtering
(Diagram: the OSI stacks of the two communicating hosts with the firewall between them; the firewall implements the full stack up to the Application layer, where Telnet, FTP and HTTP traffic is inspected.)
Page 41
Types of Firewalls: Network Role
Firewalls can also be classified based on their role in the network topology
• Perimeter firewalls (or traditional firewalls)
• Mostly dedicated hosts at the border of the network
• Personal firewalls
• Run on an end user's host and are installed and configured by the end user
• Distributed firewalls
• Run on each host and are deployed and configured centrally
Page 42
The Evolution of Firewalls
(Diagram: Corporate Office, Home Office and On the Road scenarios.)
Page 43
Mobility Dilemma
(Diagram: On the Road and Corporate Office.)
Page 44
What Doesn’t a Firewall Protect Against?
Attacks that don’t go through the firewall
• Backdoors, (personal) modems and RAS (remote access server)
Insider attacks in your network
• Social engineering
Content based attacks
• Macros etc.
• Some firewalls are able to filter out some content, such as ActiveX and Java
No firewall can protect against inadequate or mismanaged policies
• Firewall, like all security software, is a tool, not a magic bullet
Page 45
Summary
In this section
• TCP/IP
• Network structure
• Common Protocols
• Basic windows communications
• Firewalls