Network Security CS 478/CIS 678 Intro to TCP/IP

Objectives
Reading: Computer Security Principles and Practice, W Stallings, L Brown
• Appendix E
The student should be able to:
• Interpret output for ARP, IP, TCP, UDP, ICMP on a sniffer: Wireshark (sufficient as shown in this PowerPoint).

Internet Architecture

TCP/IP Packet
L2 Ethernet: Source & Destination – what physical node to send to?
L3 IP: Source & Destination logical addr.
L4 TCP: which app does this go to?
Application: what data is actually being sent?
Packet checkcode: CRC

Addressing Requirements
• two levels of addressing required
• each host on a subnet needs a unique global network address – its IP address
• each application on a (multi-tasking) host needs a unique address within the host – known as a port

TCP/IP Packet
L2 Ethernet: Source & Destination – what physical node to send to? Address on LAN: 00:0c:29:80:ec:29
L3 IP: Source & Destination logical addr. – Ginger.cs.uwp.edu 124.36.92.81
L4 TCP: which app does this go to? Port 80 = web
Application: what data is actually being sent? "Hi Alice, Are you coming to the party on Friday?"
Packet checkcode: CRC

Operation of TCP and IP

Operation of TCP/IP

Some TCP/IP Protocols

Protocols used at each Layer
L5 = Application
L4 = Transport:
• TCP: Transport Control Protocol (End-to-End Error control: Retransmission)
• UDP: User Datagram Protocol (Only Port Addressing)
L3 = Network:
• IP: Internet Protocol (Routing)
• ICMP: Internet Control Message Protocol (Reports errors, performs tests for IP)
L2 = Data Link Layer - Medium Access Control (MAC):
• Ethernet Protocol
• ARP: Address Resolution Protocol (Translates IP to MAC addresses)

Physical Layer: Layer 1
• Basic Function: Concerned with physical interface between computer and network
• concerned with issues like:
  – characteristics of transmission medium
  – signal levels
  – data rates
  – other related matters

Network Access Layer: Layer 2
• Basic Function: Coordinate multiple access on LAN
• exchange of data between an end system and attached network
• concerned with issues like:
  – destination address provision
  – invoking specific services like priority
  – access to & routing data across a network link between two attached systems
• allows layers above to ignore link specifics
• Example protocol: Ethernet

Internet Layer (IP): Layer 3
• Basic Function: Routing packets across network(s)
• for systems attached to different networks
• implemented in end systems and routers
• routers connect two networks and relay data between them
#    Time     Source IP    Dest IP     App  Packet Type
152  001559   10.1.1.165   10.1.1.128  IP   Fragmented IP protocol (proto=ICMP 0x01, off=0, ID=19d9)

Internet Protocol (IP)
• Performs routing
• Addresses hosts
• Performs fragmentation/reassembly
• Security problem: Spoofed fragments replace or confuse real data
• Security problem: Fragmented attacks may not be noticed by firewalls, IDS (depending on their sophistication)

IP Header

IP Header Format
First 8 nibbles:
• 0-3: IP Version (V4 or V6)
• 4-7: Header length (in 32-bit words)
• 8-15: Type of service (relates to quality of service - ignore for this class)
• 16-31: Total length
Second 8 nibbles:
• 0-15: Identification (used with fragmentation)
• 16-18: Flags: More bit, Don’t Fragment
• 19-31: Fragment offset
Third 8 nibbles:
• 0-7: Time to live
• 8-15: Next Protocol (e.g. TCP, ICMP)
• 16-31: Header Checksum
Fourth 8 nibbles: Source IP Address
Fifth 8 nibbles: Destination IP Address
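As an added worked example (not from the slides), the following Python decodes the header fields listed above from raw bytes and checks the header checksum; the 20-byte header is constructed to mirror the fragmented ICMP datagram in the earlier sniffer line (ID 19d9, proto 0x01, offset 0, 10.1.1.165 to 10.1.1.128) with the More-Fragments bit set.

```python
import struct

# Constructed 20-byte IPv4 header modelled on the fragmented ICMP datagram in
# the sniffer line above (10.1.1.165 -> 10.1.1.128, proto=ICMP 0x01, ID=19d9,
# off=0) with the More-Fragments flag set; the checksum 0x2422 was precomputed.
SAMPLE_IPV4_HEADER = bytes.fromhex(
    "4500 05dc 19d9 2000 4001 2422 0a01 01a5 0a01 0180"
)

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fields the slide lists, 32-bit row by 32-bit row."""
    if len(data) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (vihl, tos, total_len, ident, frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = vihl >> 4, vihl & 0x0F    # bits 0-3 and 4-7 of row 1
    if version != 4:
        raise ValueError("not an IPv4 header")
    header = data[: ihl * 4]                  # header length is in 32-bit words
    return {
        "version": version,
        "header_len": ihl * 4,
        "total_length": total_len,
        "id": ident,                              # row 2, bits 0-15
        "dont_fragment": bool(frag & 0x4000),     # row 2, bit 17
        "more_fragments": bool(frag & 0x2000),    # row 2, bit 18
        "frag_offset": (frag & 0x1FFF) * 8,       # bits 19-31, in 8-byte units
        "ttl": ttl,
        "protocol": proto,                        # 1 = ICMP, 6 = TCP, 17 = UDP
        "checksum": csum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        # a header whose words (checksum included) sum to 0xFFFF verifies
        "checksum_ok": len(header) == ihl * 4 and ipv4_checksum(header) == 0,
    }
```

A firewall or IDS that reassembles fragments needs exactly these Identification, flag and offset fields to decide which fragments belong together, which is why the fragment-handling problems on the previous slide matter.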

Transmission Control Protocol (TCP): Layer 4
• Transport protocols are TCP (most common) and UDP
• Basic Function (TCP): Provides a reliable connection for transfer of data between applications
  – Reliable = Packets delivered in order and no packets are missing
  – Reliability provided by sequencing and retransmission
• a TCP segment is the basic protocol unit
• TCP tracks segments between end-to-end (source, destination) entities for duration of each connection

Transport Control Protocol (TCP)
• TCP is responsible for end-to-end retransmission, and reordering of packets received out-of-order.
• Addresses applications via 16-bit Port number
• Performs error control on an end-to-end basis:
  – Reorders out-of-sequence segments
  – Retransmits segments when acknowledgements are not received
  – Performs flow control to ensure destination is not overwhelmed with data (using a window)
  – Performs congestion control to ensure network is not overwhelmed

TCP Header Fields
• Source Port: Source port (application) address
• Dest Port: Destination port (application) address
• Flag: S=SYN, F=FIN, P=PUSH, R=RESET, A=ACK
• Sequence #: Beginning Sequence number (byte #)
• Ack. Nr: Acknowledgment sequence number (=next expected seq #)
• Window Size: Size of empty space in receive buffer (in bytes)
• Checksum: Verifies no change in segment and parts of IP header
• Urgent Pointer: index to urgent data (rarely used)

TCP
• TCP is connection-oriented, which means that it must explicitly establish and break down a connection before transmission occurs.
• Establishes a connection
• Sends data
• Each side gracefully disconnects

TCP Flags
The flags within segments that TCP uses include:
• S=SYN: Request to establish a connection
• P=PUSH: Request from application to flush (or force) transmission.
• F=FIN: Request to close a transmission - graceful
• R=RESET: Notification of aborting of a connection
• ack: Contains an ack for previous data

Initiate a TCP Connection
• Establishes a connection via a 3-way handshake.
• SYN=Synchronization, establishes send and receive sequence numbers
Exchange: SYN → SYN, ACK → ACK

Send TCP Data
• Each byte of TCP data has a sequence number associated with it, which indicates the byte number of the first byte sent.
• The acknowledgment indicates the sequence number of the byte # of data expected next
Exchange: (PUSH) → ACK
#   Time         Source IP  Dest IP     App  Port 2 Port [Packet Type] Send.Seq Ack.Seq
45  1037.608722  10.1.1.3   10.1.1.165  TCP  3128 > 1270 [ACK] Seq=86244 Ack=6584 Win=19220 Len=0
46  1037.751240  10.1.1.3   10.1.1.165  TCP  [TCP segment of a reassembled PDU]
47  1037.751279  10.1.1.3   10.1.1.165  TCP  [TCP segment of a reassembled PDU]

Terminate TCP Connection
• Graceful Disconnect: Both sides must disconnect
• FIN = Finish
• Sending FIN indicates no more data to transmit
Exchange: FIN → ACK → FIN → ACK (each side’s FIN is acknowledged by the other)

Session Abort
• I don’t want to participate in this connection
• Uses Reset (RST)

TCP Connect – Data – Disconnect
#   Time      Source IP   Dest IP     App  Port 2 Port [Packet Type] Send.Seq Ack.Seq
1   0.000000  10.1.1.165  10.1.1.3    TCP  1179 > 3128 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
2   0.000623  10.1.1.3    10.1.1.165  TCP  3128 > 1179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3   0.000667  10.1.1.165  10.1.1.3    TCP  1179 > 3128 [ACK] Seq=1 Ack=1 Win=64240 Len=0
7   0.029386  10.1.1.165  10.1.1.3    TCP  1179 > 3128 [ACK] Seq=860 Ack=3691 Win=64240 Len=0
8   0.160003  10.1.1.3    10.1.1.165  TCP  80 > 1190 [FIN, ACK] Seq=341 Ack=436 Win=6432 Len=0
9   0.160598  10.1.1.165  10.1.1.3    TCP  1190 > 80 [ACK] Seq=436 Ack=342 Win=63900 Len=0
10  0.161706  10.1.1.165  10.1.1.3    TCP  1190 > 80 [FIN, ACK] Seq=436 Ack=342 Win=63900 Len=0
11  0.163407  10.1.1.3    10.1.1.165  TCP  80 > 1190 [ACK] Seq=342 Ack=437 Win=6432 Len=0
…   …
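To tie the flags, sequence numbers and trace lines above together, here is an added example (not part of the original slides) that parses Wireshark-style TCP Info lines and replays the connect, data and disconnect phases; the trace lines are constructed in the format of the table above, and the handshake check relies on Wireshark’s relative sequence numbering (the SYN is shown at Seq=0, so the SYN, ACK must carry Ack=1).

```python
import re

# Constructed Wireshark "Info" lines in the format of the trace above: the
# 3-way handshake (frames 1-3) followed by a graceful FIN/ACK teardown.
SAMPLE_TRACE = [
    "1179 > 3128 [SYN] Seq=0 Win=64240 Len=0 MSS=1460",
    "3128 > 1179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460",
    "1179 > 3128 [ACK] Seq=1 Ack=1 Win=64240 Len=0",
    "1179 > 3128 [FIN, ACK] Seq=1 Ack=1 Win=64240 Len=0",
    "3128 > 1179 [ACK] Seq=1 Ack=2 Win=5840 Len=0",
    "3128 > 1179 [FIN, ACK] Seq=1 Ack=2 Win=5840 Len=0",
    "1179 > 3128 [ACK] Seq=2 Ack=2 Win=64240 Len=0",
]
INFO_RE = re.compile(r"(?P<sport>\d+) > (?P<dport>\d+) \[(?P<flags>[A-Z, ]+)\](?P<rest>.*)")

def parse_info(line: str) -> dict:
    """Split a Wireshark TCP info line into ports, flag set and Seq/Ack/Win/Len/MSS."""
    m = INFO_RE.match(line.strip())
    if not m:
        raise ValueError("not a TCP info line: %r" % line)
    seg = {"sport": int(m["sport"]), "dport": int(m["dport"]),
           "flags": {f.strip() for f in m["flags"].split(",")}}
    for key, val in re.findall(r"(\w+)=(\d+)", m["rest"]):
        seg[key.lower()] = int(val)           # seq, ack, win, len, mss
    return seg

def track_connection(lines) -> list:
    """Replay segments and name the phase after each; SYN and FIN each use one seq number."""
    phases, state, expect_ack = [], "CLOSED", None
    for line in lines:
        seg = parse_info(line)
        f = seg["flags"]
        if "RST" in f:                                      # session abort
            state = "RESET"
        elif f == {"SYN"} and state == "CLOSED":            # handshake step 1
            state, expect_ack = "SYN_SENT", seg["seq"] + 1
        elif f == {"SYN", "ACK"} and state == "SYN_SENT":   # step 2 must ack the SYN
            state = "SYN_RECEIVED" if seg.get("ack") == expect_ack else "BAD_ACK"
        elif f == {"ACK"} and state == "SYN_RECEIVED":      # handshake step 3
            state = "ESTABLISHED"
        elif "FIN" in f and state == "ESTABLISHED":         # first side closes
            state = "FIN_WAIT"
        elif "FIN" in f and state == "FIN_WAIT":            # second side closes
            state = "LAST_ACK"
        elif f == {"ACK"} and state == "LAST_ACK":          # final ACK
            state = "CLOSED"
        phases.append(state)
    return phases
```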

TCP Wireshark Showing Connection, Data, Disconnect

TCP Header

User Datagram Protocol (UDP)
• UDP can be used instead of TCP to address an application
• Does NOT support end-to-end retransmission, reorder out-of-order packets, or perform flow control or congestion control.
• Addresses applications via 16-bit Port number
Protocol:
• UDP is connectionless, which means it sends packets without establishing a connection first. If packets cannot be successfully sent, there may be no indication of failure.
• 1 Packet type: Send data
#  Time      Source IP     Dest IP     App  Port 2 Port [Packet Type]
1  0.000000  131.210.13.7  10.1.1.165  UDP  Source port: 1060 Dest port: 8881

User Datagram Protocol (UDP)
• an alternative to TCP
• no guaranteed delivery
• no preservation of sequence
• no protection against duplication
• minimum overhead
• adds port addressing to IP

Application Layer: Layer 5 (Internet)
• Basic Function: User applications
• need a separate module for each type of application: File transfer, web, ssh, email, etc.
#   Time      Source IP   Dest IP    App   Packet Type
4   0.001151  10.1.1.165  10.1.1.3   HTTP  GET http://www.cs.uwp.edu/Classes/Cs475 HTTP/1.1
90  80.40513  10.1.1.165  10.1.1.10  SNMP  get-request RFC1213-MIB::mib-2.25.3.2.1.5.1 RFC1213-MIB::mib-2.25.3.5.1.1.1 RFC1213-MIB::mib-2.25.3.5.1.2.1

Application Protocols
Application & Port
• SMTP: Simple Mail Transfer Protocol (Email): 25
• HTTP: HyperText Transfer Protocol (Web): 80
• FTP: File Transfer Protocol: 20/21
• SNMP: Simple Network Management Protocol: 161
• DNS: Domain Name Server: 53
• NBNS: NetBios Name Service (Microsoft Internal, similar to DNS): 137
• SSL: Secure Socket Layer: 443

Some TCP/IP Protocols

Internet Control Message Protocol (ICMP)
• Reports errors from IP (e.g. Destination not reachable)
• Replies to requests (routing info)
• Test connectivity (ping)
#   Time       Source IP      Dest IP         App   Packet Type
71  16.725008  10.1.1.165     207.46.170.123  ICMP  Echo (ping) request
76  17.813662  207.231.240.7  10.1.1.165      ICMP  Time-to-live exceeded (Time to live exceeded in transit)
73  13.696159  10.1.1.1       10.1.1.165      ICMP  Destination unreachable (Communication administratively filtered)

Address Resolution Protocol (ARP)
• Converts an IP Address (192.164.53.25) to a MAC Address (e.g. 0:90:27:1c:50:d0)
Protocol:
• Requester broadcasts to all nodes on subnet: ARP Request (IP_Address)
• Replier (Me) sends: ARP Response (IP_Address, MAC Address)
#  Time      Source MAC         Dest MAC           App  Packet Type
3  8.617021  00:0c:29:80:ec:29  ff:ff:ff:ff        ARP  Who has 10.1.1.3? Tell 10.1.1.165
4  8.617825  00:0e:0c:3d:f7:7d  00:0c:29:80:ec:29  ARP  10.1.1.3 is at 00:0e:0c:3d:f7:7d
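As an added example (not from the slides), the following Python decodes the 28-byte ARP body of an Ethernet/IPv4 request and reply and renders the same Info text Wireshark shows above; the packet bytes are constructed from the addresses in frames 3 and 4, with the Ethernet framing omitted.

```python
import struct

# Constructed ARP request/reply pair matching frames 3 and 4 above:
# 10.1.1.165 (00:0c:29:80:ec:29) asks for 10.1.1.3, which answers with
# 00:0e:0c:3d:f7:7d. Only the 28-byte ARP body is shown (no Ethernet header).
ARP_REQUEST = bytes.fromhex(
    "0001 0800 06 04 0001"       # hw type Ethernet, proto IPv4, hlen 6, plen 4, opcode 1
    "000c2980ec29 0a0101a5"      # sender MAC / sender IP
    "000000000000 0a010103"      # target MAC unknown (zero) / target IP
)
ARP_REPLY = bytes.fromhex(
    "0001 0800 06 04 0002"       # opcode 2 = reply
    "000e0c3df77d 0a010103"      # sender: the host that owns 10.1.1.3
    "000c2980ec29 0a0101a5"      # target: the original requester
)
OPCODES = {1: "request", 2: "reply"}

def parse_arp(data: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP body into its sender/target address pairs."""
    if len(data) < 28:
        raise ValueError("Ethernet/IPv4 ARP body needs 28 bytes")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", data[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is decoded here")
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", data[8:28])
    mac = lambda b: ":".join("%02x" % x for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": OPCODES.get(op, op), "sender_mac": mac(smac), "sender_ip": ip(sip),
            "target_mac": mac(tmac), "target_ip": ip(tip)}

def wireshark_info(pkt: dict) -> str:
    """Render the packet the way Wireshark's Info column does in the trace above."""
    if pkt["op"] == "request":
        return "Who has %s? Tell %s" % (pkt["target_ip"], pkt["sender_ip"])
    if pkt["op"] == "reply":
        return "%s is at %s" % (pkt["sender_ip"], pkt["sender_mac"])
    return "ARP opcode %s" % pkt["op"]
```

Because a reply carries the IP-to-MAC binding in its sender fields with nothing to authenticate it, a monitor that records these pairs can flag a later reply that binds the same IP to a different MAC.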

Domain Name Server (DNS)
• Converts a name (e.g. www.cs.uwp.edu) to a numeric IP address, or vice versa.
Protocol:
• Request describes a name or numeric IP address to translate
• Reply provides information about that IP address.
#   Time       Source IP   Dest IP     App  Packet Type
53  55.927059  10.1.1.165  10.1.1.3    DNS  Standard query A www.mozilla.org
54  55.946341  10.1.1.3    10.1.1.165  DNS  Standard query response CNAME groups.l.google.com A 74.125.95.138 A 74.125.95.139 A 74.125.95.100 A 74.125.95.101 A 74.125.95.102 A 74.125.95.113

IGMP: Internet Group Management Protocol Sets up multicast for streaming and gaming

NTP: Network Time Protocol Synchronizes Clocks

LDAP: Lightweight Directory Access Protocol
• Used with Microsoft’s Active Directory & Novell’s eDirectory
• Enables clients to connect to query LDAP directory for user account info, printers, similar to DNS.
• Uses default port 389

And now for a … WIRESHARK DEMO