coop_training-networking
Networking Basics
Information Security Training
Copyright Justin C. Klein Keane
<[email protected]>
Building Blocks
Two computers want to communicate
Each has hardware designed to pass signal
Actually two programs
Send electrical pulses
Networking topology between them
Signal may travel over the air, across a wire, from one room to another or across the planet

Security Implications
Throughout these slides we will observe that IP was designed for usability, not security
The architecture was developed when the internet was trusted
Notice how assumptions of trust introduce security issues almost every step of the way

OSI Model
Open Systems Interconnection
OSI is an architectural abstraction
Demonstrates the challenges (and solutions) to complex networking
Understanding OSI helps conceptualize the process, and its problems

OSI Model
Physical layer (networking hardware: ethernet cards, modems, routers, etc.)
Data link layer (transport specifics: PTP, Ethernet, ISDN, etc.)
Network layer (addressing and routing)
Transport layer (flow control, error correction, TCP/UDP)
Session layer (controls dialogue, three way handshake, auth, etc.)
Presentation layer (transform data into stuff programs can use – serialize/unserialize objects, encryption, etc.)
Application layer (the actual program, such as Firefox, that interacts with the user)

Communication
Communication between programs:
Starts at the top of the stack and traverses down
Then starts at the bottom and travels back up

Layer 1 & 2
At the bottom of the model we have hardware
Players in the network at this layer use Machine Address Control numbers (MAC address) to identify one another
Sample MAC - 00:50:56:C0:00:08
MAC is supposed to be unique
Vendor of hardware is assigned certain MAC ranges so you can look at a MAC and deduce the hardware vendor

Routers and ARP
Routers can operate at the bottom 2 layers
Router can listen for MAC addresses on ports and route traffic
Address Resolution Protocol (ARP) stored in ARP tables in routers
ARP translates layer 2 to layer 4

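The two previous slides in code, as an added example that is not part of the original deck: the first three bytes of a MAC (Media Access Control) address are the vendor prefix (OUI), and the low two bits of the first byte say whether the address is multicast and whether it was burned in by the vendor or set locally. The second half builds and parses the 28-byte ARP packet that maps an IPv4 address to a MAC address, and shows what an ARP table learns from it. The OUI table here is a constructed one-entry stand-in for the IEEE registry (00:50:56 is VMware's prefix, the slide's sample); all addresses are constructed.

```python
import socket
import struct

# Tiny constructed OUI table for this demo. The real source is the IEEE
# MA-L registry; 00:50:56 is VMware's registered prefix (the slide's sample).
OUI_TABLE = {"00:50:56": "VMware, Inc."}


def parse_mac(text: str) -> bytes:
    """Accept 00:50:56:C0:00:08 or 00-50-56-c0-00-08; return the 6 raw bytes."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6 or not all(1 <= len(p) <= 2 for p in parts):
        raise ValueError(f"malformed MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def describe_mac(text: str) -> dict:
    """Deduce vendor and address type from the first three bytes."""
    raw = parse_mac(text)
    oui = mac_to_str(raw[:3])
    first = raw[0]
    return {
        "oui": oui,
        "vendor": OUI_TABLE.get(oui, "unknown (not in demo table)"),
        # low bit of the first byte: 0 = individual address, 1 = group/multicast
        "multicast": bool(first & 0x01),
        # next bit: 0 = burned in by the vendor, 1 = locally administered (set by software)
        "locally_administered": bool(first & 0x02),
    }


# ARP packet for IPv4 over Ethernet (28 bytes): hardware type, protocol type,
# hardware/protocol address lengths, opcode, then sender MAC/IP and target MAC/IP.
ARP_FORMAT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, op,
                       parse_mac(sender_mac), socket.inet_aton(sender_ip),
                       parse_mac(target_mac), socket.inet_aton(target_ip))


def parse_arp(packet: bytes) -> dict:
    if len(packet) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(op, f"unknown({op})"),
        "sender_mac": mac_to_str(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_to_str(tha), "target_ip": socket.inet_ntoa(tpa),
    }


def learn(arp_table: dict, packet: bytes) -> dict:
    """Update an ARP table (IP -> MAC) from a packet's sender fields.

    Note what is being trusted here: the table records whatever the sender
    fields claim; nothing in the packet itself proves them."""
    arp = parse_arp(packet)
    arp_table[arp["sender_ip"]] = arp["sender_mac"]
    return arp_table
```

Feeding a packet captured on a real segment into `parse_arp` works the same way; the `learn` function is the behaviour to keep in mind when the deck later asks where trust assumptions creep in.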
IP Addressing
An IPv4 address is a 32 bit number
Composed of four 8 bit blocks
8 bits allows for numbers between 0 and 255
165.123.57.40 is a typical IPv4 address

IP Routing
Once a router has translated a MAC address into an IP address it consults routing tables
Tables are organized only in upstream/downstream fashion
For example, numbers x-y are down, all others are up

Routers vs. Hubs
Machines send out network traffic as a broadcast
Electrical signals cannot be directed
Routers are responsible for directing traffic
Hubs just relay traffic
Hubs may just be mechanical while routers have (sometimes complex) software and OS
If a router becomes unstable it may fail to hub mode

Gateway and Broadcast
If there is no listing for a destination it is sent to the gateway address, which is the next upstream router
Broadcast is used to communicate to all machines on a subnet
This is why all machine IP configurations include an IP address, a gateway, and a subnet mask

Subnet Mask
Subnet mask indicates all the IP addresses on the subnet
Used for routing and resolution
192.168.0.10 with subnet 255.255.255.0
CIDR Notation 192.168.0.0/24

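The subnet, gateway and routing slides above, worked as an added example (not code from the deck): the mask is applied with a bitwise AND to get the network address, the host bits set to all ones give the broadcast address, and a routing lookup is a longest-prefix match where a 0.0.0.0/0 entry is the gateway ("default route") the slides describe. The arithmetic is done by hand so the bit operations are visible; the standard library `ipaddress` module is only used to cross-check the result. The routing table and addresses are constructed.

```python
import ipaddress  # standard library; used only to cross-check the hand-rolled math

ALL_ONES = 0xFFFFFFFF


def ip_to_int(ip: str) -> int:
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"malformed IPv4 address: {ip!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask_int(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24; rejects masks whose one bits are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != prefix_to_mask_int(prefix):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def subnet_info(ip: str, mask: str) -> dict:
    prefix = mask_to_prefix(mask)
    m = prefix_to_mask_int(prefix)
    network = ip_to_int(ip) & m            # AND with the mask keeps the network bits
    broadcast = network | (~m & ALL_ONES)  # host bits all ones
    return {
        "cidr": f"{int_to_ip(network)}/{prefix}",
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
        "usable_hosts": max(0, 2 ** (32 - prefix) - 2),
    }


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """Direct delivery is possible only when both addresses share the network bits."""
    m = prefix_to_mask_int(mask_to_prefix(mask))
    return (ip_to_int(ip_a) & m) == (ip_to_int(ip_b) & m)


def next_hop(routes, dst: str):
    """Longest-prefix match over a routing table.

    routes: list of (cidr, gateway); gateway None means the prefix is directly
    attached. Returns 'direct', a gateway address, or None if nothing matches
    (a table with a 0.0.0.0/0 default route always matches)."""
    d = ip_to_int(dst)
    best = None
    for cidr, gateway in routes:
        net, prefix = cidr.split("/")
        prefix = int(prefix)
        m = prefix_to_mask_int(prefix)
        if (d & m) == (ip_to_int(net) & m) and (best is None or prefix > best[0]):
            best = (prefix, gateway)
    if best is None:
        return None
    return "direct" if best[1] is None else best[1]


if __name__ == "__main__":
    print(subnet_info("192.168.0.10", "255.255.255.0"))
    print(ipaddress.ip_network("192.168.0.10/24", strict=False))
```

`same_subnet` is the decision a host makes before it ever consults a gateway; `next_hop` is the router's side of the same question.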
Ports
Ports are numbered 1-65,535
Ports are used to translate between layer 4 and 5
Machine receives a message, but what program should handle it?
Programs bind to ports to indicate what sorts of messages they handle
IANA sets “well known ports”

Reserved IP Addresses
192.168.x.x
10.x.x.x
172.16.x.x – 172.31.x.x
127.0.0.1
Protocols
IP – Internet Protocol
UDP – Universal Datagram Protocol
TCP – Transport Control Protocol
ICMP – Internet Control Message Protocol
ICMP
Not used to transfer data
Employed to query and broadcast availability of services or devices
Also used for diagnostics
Mainly used in networking operating systems
One of the lesser known/utilized protocols

UDP
UDP is used to transport data when reliability is not required
UDP messages specify:
Source address
Destination address
Protocol, UDP length
Source Port, Destination Port
Length, Checksum
Data

UDP
Can you spot the security flaw in UDP?
Hint - authentication

UDP
Does not confirm message delivery, messages are fire and forget
Out of order messages are discarded
There is a checksum that is referenced when datagrams arrive
UDP is commonly used for DNS, VOIP, TFTP, streaming data, and games

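The three UDP slides above in code, as an added example that is not from the deck: the eight-byte header (source port, destination port, length, checksum) is packed and unpacked with `struct`, and the checksum is computed the way RFC 768 specifies, over a pseudo-header made of the source and destination addresses, the protocol number and the UDP length, plus the datagram itself. Running it shows what the checksum does and does not give you: it catches a corrupted byte, but it is computed from whatever addresses the headers carry, so it says nothing about who actually sent the datagram, which is the authentication point the second slide hints at. All addresses and payloads are constructed.

```python
import socket
import struct

UDP_PROTOCOL = 17
UDP_HEADER_LEN = 8


def ones_complement_sum(data: bytes) -> int:
    """Add the data as 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # an odd trailing byte is padded with zero
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """The IP-layer fields the UDP checksum also covers: addresses, protocol, length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTOCOL, udp_length))


def build_udp(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    length = UDP_HEADER_LEN + len(payload)
    unchecked = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    csum = 0xFFFF & ~ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + unchecked)
    csum = csum or 0xFFFF   # a computed zero is sent as all ones; zero on the wire means "no checksum"
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def parse_udp(src_ip, dst_ip, datagram: bytes) -> dict:
    """Decode the header and verify the checksum.

    checksum_ok is None when the sender disabled the checksum, True/False otherwise."""
    if len(datagram) < UDP_HEADER_LEN:
        raise ValueError("datagram shorter than a UDP header")
    src_port, dst_port, length, csum = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(datagram):
        raise ValueError("length field inconsistent with datagram size")
    if csum == 0:
        ok = None
    else:
        # With the checksum field in place, the one's-complement sum of everything is all ones.
        ok = ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + datagram[:length]) == 0xFFFF
    return {"src": (src_ip, src_port), "dst": (dst_ip, dst_port), "length": length,
            "payload": datagram[UDP_HEADER_LEN:length], "checksum_ok": ok}
```

The receiver takes `src_ip` and `dst_ip` from the IP header of the packet that arrived; the verification can only ever confirm that the datagram is consistent with those headers, not that they are true.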
TCP
TCP is much heavier weight than UDP
TCP ensures message delivery
TCP packets have a much more complex structure

TCP Packet (Abbr.)
Source address, destination address
Source port, destination port
Sequence number
Acknowledgment number
Flags
Checksum
Data
TCP Setup
Three way handshake
Machine 1 (SYN)
Machine 2 (SYN/ACK)
Machine 1 (ACK)
This verifies that both machines are at the IP they advertise

TCP Seq and Ack
Initial Sequence Number (ISN) chosen randomly and sent to receiver
After each chunk of data is sent, the ISN increments
Receiver sends back a packet acknowledging the receipt of the sequence number
This prevents data from being lost since sender can confirm receipt of all data sent

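The handshake and the sequence/acknowledgment accounting from the two TCP slides above, simulated as an added example (not code from the deck). Two `Endpoint` objects exchange `Segment` records: the SYN and SYN/ACK each consume one sequence number, each side's acknowledgment number is the next sequence number it expects, and a data segment whose sequence number is not the expected one is not accepted, which is what makes a replayed or out-of-order chunk harmless to the stream. The ISN is drawn from `secrets` so it is unpredictable; a fixed `isn` can be passed in for reproducible runs. Addresses and data are constructed.

```python
import secrets
from dataclasses import dataclass, field

MASK = (1 << 32) - 1   # sequence numbers wrap modulo 2^32


@dataclass
class Segment:
    src: tuple                 # (ip, port)
    dst: tuple
    seq: int
    ack: int = 0
    flags: frozenset = frozenset()   # subset of {"SYN", "ACK"}
    data: bytes = b""


@dataclass
class Endpoint:
    addr: tuple
    isn: int = None            # None = random ISN; set a value for reproducible runs
    state: str = "CLOSED"
    snd_nxt: int = 0           # next sequence number this side will send
    rcv_nxt: int = 0           # next sequence number expected from the peer
    received: bytearray = field(default_factory=bytearray)

    def __post_init__(self):
        if self.isn is None:
            self.isn = secrets.randbelow(1 << 32)   # unpredictable, as the slide requires
        self.snd_nxt = self.isn

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer):
        """Step 1: send SYN. The SYN itself consumes one sequence number."""
        self.state = "SYN_SENT"
        seg = Segment(self.addr, peer, self.snd_nxt, flags=frozenset({"SYN"}))
        self.snd_nxt = (self.snd_nxt + 1) & MASK
        return seg

    def send(self, peer, data: bytes):
        """Send a chunk of data; our sequence number advances by its length."""
        assert self.state == "ESTABLISHED"
        seg = Segment(self.addr, peer, self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}), data)
        self.snd_nxt = (self.snd_nxt + len(data)) & MASK
        return seg

    def receive(self, seg):
        """Process one incoming segment; return the segment to send back, or None."""
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Step 2: SYN/ACK acknowledges the peer's ISN + 1
            self.rcv_nxt = (seg.seq + 1) & MASK
            self.state = "SYN_RECEIVED"
            reply = Segment(self.addr, seg.src, self.snd_nxt, self.rcv_nxt, frozenset({"SYN", "ACK"}))
            self.snd_nxt = (self.snd_nxt + 1) & MASK
            return reply
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != self.snd_nxt:
                return None     # acknowledges a sequence number we never sent
            # Step 3: the final ACK completes the handshake on our side
            self.rcv_nxt = (seg.seq + 1) & MASK
            self.state = "ESTABLISHED"
            return Segment(self.addr, seg.src, self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))
        if self.state == "SYN_RECEIVED" and seg.flags == {"ACK"} and seg.ack == self.snd_nxt:
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED" and seg.data:
            if seg.seq != self.rcv_nxt:
                return None     # not the chunk we are waiting for (duplicate or out of order)
            self.received += seg.data
            self.rcv_nxt = (self.rcv_nxt + len(seg.data)) & MASK
            return Segment(self.addr, seg.src, self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))
        return None


def handshake(client: Endpoint, server: Endpoint) -> bool:
    """Run the three-way handshake and report whether both sides are ESTABLISHED."""
    syn = client.connect(server.addr)
    syn_ack = server.receive(syn)
    if syn_ack is None:
        return False
    ack = client.receive(syn_ack)
    if ack is None:
        return False
    server.receive(ack)
    return client.state == server.state == "ESTABLISHED"
```

The check in the `SYN_SENT` branch is why the ISN must be random: a SYN/ACK is only accepted if it acknowledges a number the client actually chose, and a guessable ISN would make that number guessable too.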
Network Address Translation
A word about NAT
NAT works by mangling packet headers
By manipulating header information (such as port numbers) the NAT device does IP to IP translation
IP is changed on the way out, then again on the way back in
NAT allows the use of reserved IP addresses

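The NAT slide above and the earlier "Reserved IP Addresses" slide, worked as an added example that is not from the deck. A packet is modelled as a dict of header fields; on the way out the NAT device swaps the private source address and port for its public address and a port it allocates, records the mapping, and on the way back in reverses it. A reply for a port nobody inside opened has no mapping and is dropped, which is the side effect that makes NAT behave like a crude inbound filter. The RFC 1918 check uses exactly the three ranges from the reserved-addresses slide. The public address and remote host come from the documentation ranges and are constructed; a real NAT usually also keys the mapping on the remote endpoint, which this simplification omits.

```python
import ipaddress
from itertools import count

# The three RFC 1918 blocks from the "Reserved IP Addresses" slide.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class Nat:
    """Port-based NAT (NAPT): many private hosts share one public address.

    A packet is a plain dict with src_ip, src_port, dst_ip, dst_port, proto."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)        # simplistic allocator, never reuses a port
        self.outbound = {}   # (private_ip, private_port, proto) -> public_port
        self.inbound = {}    # (public_port, proto) -> (private_ip, private_port)

    def translate_out(self, pkt: dict) -> dict:
        """Leaving the LAN: replace the private source with public_ip:public_port."""
        if not is_rfc1918(pkt["src_ip"]):
            raise ValueError(f"{pkt['src_ip']} is not a reserved address; nothing to translate")
        key = (pkt["src_ip"], pkt["src_port"], pkt["proto"])
        if key not in self.outbound:
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt["proto"])] = (pkt["src_ip"], pkt["src_port"])
        return {**pkt, "src_ip": self.public_ip, "src_port": self.outbound[key]}

    def translate_in(self, pkt: dict):
        """Coming back in: restore the private destination, or return None
        (packet dropped) when no inside host ever opened this mapping."""
        if pkt["dst_ip"] != self.public_ip:
            return None
        mapping = self.inbound.get((pkt["dst_port"], pkt["proto"]))
        if mapping is None:
            return None
        private_ip, private_port = mapping
        return {**pkt, "dst_ip": private_ip, "dst_port": private_port}
```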
Demonstrative Protocols
Dynamic Host Control Protocol – DHCP
Domain Name System – DNS
Simple Mail Transport Protocol – SMTP
Hyper Text Transport Protocol - HTTP
DHCP
DHCP allows new machines to come on to the network and “discover” topology
Machine comes online, advertises its MAC and sends a packet to UDP port 67 to the universal broadcast (255.255.255.255)
Router registers MAC address at port
DHCP server responds with a packet sent to UDP port 68 on broadcast

DHCP (cont.)
Client accepts offer and configures IP address, gateway, broadcast (and often DNS) from DHCP server
Client can receive multiple offers and is supposed to respond to offers turned down
DHCP server keeps a table of offers to MAC addresses
Once the client has an IP, the router adds it to the ARP table and the client is up and running

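The exchange from the two DHCP slides above, simulated as an added example (not code from the deck): DISCOVER from 0.0.0.0 to the broadcast address on UDP 67, an OFFER back on UDP 68, a REQUEST naming the chosen server, and an ACK. Because every message is broadcast, every server on the segment sees the REQUEST, so a server whose offer was turned down can return that address to its pool, which is the "respond to offers turned down" behaviour the slide mentions; each server also keeps the offers-to-MAC table the slide describes. The run below puts two servers on the same segment to show that. MACs, pools and options are constructed.

```python
from dataclasses import dataclass, field

BROADCAST = "255.255.255.255"
SERVER_PORT, CLIENT_PORT = 67, 68


@dataclass
class DhcpMessage:
    kind: str           # DISCOVER, OFFER, REQUEST or ACK
    client_mac: str
    src: tuple          # (ip, udp port)
    dst: tuple
    xid: int            # transaction id chosen by the client
    yiaddr: str = "0.0.0.0"      # "your IP address": the offered or confirmed lease
    server_id: str = "0.0.0.0"   # which server made the offer
    options: dict = field(default_factory=dict)


class DhcpServer:
    def __init__(self, server_ip, pool, gateway, mask, dns):
        self.server_ip = server_ip
        self.pool = list(pool)                 # free addresses
        self.options = {"router": gateway, "subnet_mask": mask, "dns": dns}
        self.offers = {}                       # mac -> ip offered, awaiting REQUEST
        self.leases = {}                       # mac -> ip confirmed

    def _reply(self, kind, msg, ip):
        return DhcpMessage(kind, msg.client_mac, (self.server_ip, SERVER_PORT),
                           (BROADCAST, CLIENT_PORT), msg.xid, ip, self.server_ip, dict(self.options))

    def handle(self, msg):
        if msg.kind == "DISCOVER":
            ip = self.leases.get(msg.client_mac) or self.offers.get(msg.client_mac)
            if ip is None:
                if not self.pool:
                    return None                # pool exhausted: stay silent
                ip = self.pool.pop(0)
                self.offers[msg.client_mac] = ip
            return self._reply("OFFER", msg, ip)
        if msg.kind == "REQUEST":
            if msg.server_id != self.server_ip:
                # The client chose another server's offer; take ours back.
                ip = self.offers.pop(msg.client_mac, None)
                if ip is not None:
                    self.pool.append(ip)
                return None
            ip = self.offers.pop(msg.client_mac, None) or self.leases.get(msg.client_mac)
            if ip != msg.yiaddr:
                return None                    # a real server would send a NAK here
            self.leases[msg.client_mac] = ip
            return self._reply("ACK", msg, ip)
        return None


class DhcpClient:
    def __init__(self, mac, xid):
        self.mac, self.xid, self.config = mac, xid, None

    def discover(self):
        # No address yet, so the source is 0.0.0.0 and the packet goes to the broadcast address.
        return DhcpMessage("DISCOVER", self.mac, ("0.0.0.0", CLIENT_PORT), (BROADCAST, SERVER_PORT), self.xid)

    def choose(self, offers):
        """Take the first OFFER for our transaction and broadcast a REQUEST naming
        that server, so every other server sees its offer was declined."""
        offer = next(o for o in offers if o.kind == "OFFER" and o.xid == self.xid)
        return DhcpMessage("REQUEST", self.mac, ("0.0.0.0", CLIENT_PORT), (BROADCAST, SERVER_PORT),
                           self.xid, offer.yiaddr, offer.server_id)

    def configure(self, ack):
        if ack.kind == "ACK" and ack.xid == self.xid:
            self.config = {"ip": ack.yiaddr, **ack.options}
        return self.config


def run_dora(client, servers):
    """Broadcast means every server on the segment sees every client message."""
    discover = client.discover()
    offers = [o for o in (s.handle(discover) for s in servers) if o is not None]
    if not offers:
        return None
    request = client.choose(offers)
    replies = [r for r in (s.handle(request) for s in servers) if r is not None]
    ack = next((r for r in replies if r.kind == "ACK"), None)
    return client.configure(ack) if ack else None
```

Notice what `choose` has to work with: the contents of the offers and nothing else. That is worth holding in mind for the next slide's question.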
Problems with DHCP
Can anyone spot the biggest problem with DHCP?

DNS
DNS makes the internet work
DNS translates domain names (upenn.edu) to IP addresses (192.168.1.1)
Clients query DNS servers on UDP port 53 (can use TCP as well)
nslookup is the standard command to query DNS

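What `nslookup` puts on the wire when it asks for upenn.edu, built and parsed by hand as an added example that is not from the deck: a 12-byte header with a 16-bit transaction id and flags, a question section with the name as length-prefixed labels, and, in the response, an answer record whose name is a compression pointer back to the question. `build_response` constructs the answer a server would send (192.168.1.1 is the slide's sample, not a real record), and `parse_response` does the checks a resolver must make before believing an answer: the transaction id and the echoed question must match the query. The whole exchange is plaintext, and that 16-bit id plus the echoed question is everything that ties an answer to a query.

```python
import secrets
import socket
import struct

DNS_PORT = 53          # UDP 53 for ordinary queries; TCP 53 for large answers and zone transfers
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """upenn.edu -> b'\\x05upenn\\x03edu\\x00' (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Return (name, offset just past it); follows 0xC0xx compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset, hops = pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(name: str, xid: int = None) -> bytes:
    xid = secrets.randbelow(1 << 16) if xid is None else xid   # only 16 bits of id
    header = struct.pack("!HHHHHH", xid, 0x0100, 1, 0, 0, 0)    # flags: RD=1; one question
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed answer for an A query, framed the way a server would."""
    xid = struct.unpack("!H", query[:2])[0]
    _, off = decode_name(query, 12)
    question = query[12:off + 4]
    header = struct.pack("!HHHHHH", xid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; one answer
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def parse_response(query: bytes, response: bytes) -> dict:
    """Resolver-side checks before believing an answer: the transaction id and
    the question section must match what we asked."""
    qid = struct.unpack("!H", query[:2])[0]
    xid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if xid != qid:
        raise ValueError("transaction id does not match our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if qdcount != 1:
        raise ValueError("unexpected question count")
    qname, off = decode_name(response, 12)
    qtype, qclass = struct.unpack("!HH", response[off:off + 4])
    off += 4
    asked, _ = decode_name(query, 12)
    if (qname.lower(), qtype, qclass) != (asked.lower(), TYPE_A, CLASS_IN):
        raise ValueError("question section does not echo our query")
    rcode = flags & 0x000F
    answers = []
    for _ in range(ancount):
        rname, off = decode_name(response, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((rname, socket.inet_ntoa(rdata), ttl))
    return {"name": qname, "rcode": rcode, "answers": answers}
```

Sending `build_query(...)` to a resolver over UDP port 53 and handing the reply to `parse_response` is all `nslookup` does for a simple A lookup; the checks in `parse_response` are the minimum a client can do, since nothing in this exchange is signed or encrypted.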
DNS Architecture
DNS servers are organized in a tree
Servers assert authority for a domain and send queries for which they are not authoritative upstream

DNS Issues
Can anyone spot the security & privacy issues behind DNS?

SMTP
Simple mail transport protocol
Operates on TCP port 25.
Servers listen for messages, and queue locally delivered messages or forward on remote messages
Initially no authentication or verification
Early programs had support to query servers for all local e-mail addresses

SMTP has NUMEROUS problems
How do you accept mail you want and reject mail you don't?
SPAM has become a serious issue
Message delivery isn't confirmed
There is no actual authentication of message source

HTTP
HTTP is a plain text protocol that operates on port 80
Designed as a client/server model for document delivery
GET and POST requests
Although we're used to web browsers, HTTP can be accessed via command line tools or text based browsers.

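The HTTP slide above, as an added example that is not from the deck: the bytes a client sends for a GET or POST, and a parser for the bytes a server sends back. Because the protocol is plain text, the request line, every header and the body are exactly what a packet capture of port 80 shows, including anything typed into a login form and sent with POST. The host name reuses the deck's upenn.edu example and the response is a constructed sample; this is HTTP/1.1 framing with a `Content-Length` body, not chunked encoding.

```python
def build_request(method: str, path: str, host: str, body: bytes = b"", headers: dict = None) -> bytes:
    """Serialize an HTTP/1.1 request: request line, headers, blank line, body."""
    if method not in ("GET", "POST"):
        raise ValueError("this demo only covers GET and POST")
    hdrs = {"Host": host, "Connection": "close", **(headers or {})}
    if method == "POST":
        hdrs["Content-Length"] = str(len(body))
    head = "\r\n".join([f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in hdrs.items()])
    return head.encode("ascii") + b"\r\n\r\n" + body


def parse_response(raw: bytes) -> dict:
    """Split a raw response into status, headers (lower-cased names) and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"bad status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]   # ignore anything past the declared length
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) > 2 else "",
            "headers": headers, "body": body}


# A constructed response, the kind of thing a server sends back in the clear.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"<html><body>hi</body></html>"
)
```

Writing the output of `build_request` to a TCP socket on port 80 (or pasting it into a text-based client) is all a browser does before rendering; the text-based tools the slide mentions are just a way of seeing these bytes directly.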
Protocol tools
Most protocol tools are based on libpcap and promiscuous mode
Tools include:
Snort – network based IDS
Tcpdump – command line analysis tool
Wireshark – GUI packet capture utility

tcpdump in Action
Wireshark
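What tcpdump and Wireshark have in common underneath, as an added example that is not from the deck or from either tool: the libpcap file format is a 24-byte global header followed by one 16-byte record header (timestamp, captured length, original length) per frame. The code writes a capture containing one constructed Ethernet/IPv4/UDP frame, reads it back, and prints a tcpdump-style one-line summary by decoding the Ethernet and IPv4 headers. The IPv4 header checksum is left at zero in the constructed frame and is not validated by the summary; MACs and addresses are constructed.

```python
import socket
import struct
import time

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def pcap_global_header(snaplen: int = 65535) -> bytes:
    # magic, version 2.4, timezone offset, timestamp accuracy, snaplen, link type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(frame: bytes, ts: float = None) -> bytes:
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def write_pcap(frames) -> bytes:
    """frames: iterable of (timestamp, frame bytes). Returns the whole file's bytes."""
    return pcap_global_header() + b"".join(pcap_record(f, ts) for ts, f in frames)


def read_pcap(data: bytes):
    """Yield (timestamp, frame) for each record in a little-endian pcap file."""
    magic, _, _, _, _, _, link = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    if link != LINKTYPE_ETHERNET:
        raise ValueError("this reader only handles Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


def ipv4_packet(src_ip: str, dst_ip: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    # version/IHL, DSCP, total length, id, flags/fragment, TTL, protocol, checksum (left 0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + payload


def summarize(frame: bytes) -> str:
    """tcpdump-style one-line summary of an Ethernet frame (IPv4 only)."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return f"{mac(src)} > {mac(dst)}, ethertype 0x{ethertype:04x}, length {len(frame)}"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    sip, dip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    name = {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, f"proto {proto}")
    l4 = ip[ihl:total]                       # transport header plus data
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return f"IP {sip}.{sport} > {dip}.{dport}: {name}, length {len(l4)}"
    return f"IP {sip} > {dip}: {name}, length {len(l4)}"


if __name__ == "__main__":
    udp = struct.pack("!HHHH", 53000, 53, 13, 0) + b"hello"   # constructed UDP header, no checksum
    frame = ethernet_frame("00:50:56:c0:00:08", "00:50:56:c0:00:01", 0x0800,
                           ipv4_packet("192.168.0.10", "192.168.0.1", 17, udp))
    with open("demo.pcap", "wb") as fh:
        fh.write(write_pcap([(time.time(), frame)]))
    for ts, f in read_pcap(open("demo.pcap", "rb").read()):
        print(f"{ts:.6f} {summarize(f)}")
```

The `demo.pcap` the block writes opens in Wireshark and with `tcpdump -r demo.pcap`; comparing their output to `summarize` is a quick way to see how much of what those tools display is plain header decoding.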
Usefulness
Troubleshooting networking issues
Checking firewall effectiveness
Troubleshooting application issues
Monitoring connections
Intrusion detection
Problems & Challenges
Given the OSI model can anyone spot potential issues with logging?
If you were to implement a monitoring system, what layer would you put it at?