Module 16 - Network Security TCP-IP

Transcript of Module 16 - Network Security TCP-IP

Page 1: Module 16 - Network Security TCP-IP

Domain #1 Network Security TCP/IP

Page 2: Module 16 - Network Security TCP-IP

Copyright SecureNinja.com © 2000-2011 All rights Reserved

TCP/IP Overview

• The de facto standard for internetworking
• Also called Internet Protocol (IP)
• The Internet was ARPANET, designed by DARPA
– Initially mostly friendly groups connected together
– Universities, government, researchers, etc.
– Now millions of computers worldwide
• TCP/IP is a SUITE of protocols
– Architecture independent
– Stable and robust (to a point, of course)

Page 3: Module 16 - Network Security TCP-IP


What about models?

OSI             TCP/IP (RFC 1122 layer names were shown in bold)
Application     Application
Presentation
Session
Transport       Transport / Host to Host
Network         Internet / Network Access
Data Link       Link Layer
Physical

Page 4: Module 16 - Network Security TCP-IP


Routing Datagrams

Host A1 ---- Gateway G1 ---- Gateway G2 ---- Host C1
    (Network A)       (Network B)       (Network C)

Host A1 and Host C1 run the full stack: Application, Transport, Internet, Link Layer.
Gateway G1 and Gateway G2 only reach the Internet layer: Internet, Link Layer.

Page 5: Module 16 - Network Security TCP-IP


Data Encapsulation

Application Layer:                            Data
Transport Layer:                     Header | Data
Internet Layer:             Header | Header | Data
Link Layer:        Header | Header | Header | Data

Send: a header is added at each layer going down the stack. Receive: each header is removed going back up.

Page 6: Module 16 - Network Security TCP-IP


Data Structures (1 of 2)

Layer               TCP         UDP
Application Layer   stream      message
Transport Layer     segment     packet
Internet Layer      datagram    datagram
Link Layer          frame       frame

Page 7: Module 16 - Network Security TCP-IP


Data Structures (2 of 2)

Page 8: Module 16 - Network Security TCP-IP


Transmission Methods

• Unicast
– From one station to another station
• Broadcast
– From one station to all the stations on the same LAN
• Multicast
– From one station to multiple selected locations
– Information sent only once over the networks
– Routers must be configured appropriately

Page 9: Module 16 - Network Security TCP-IP


What's in a MAC address

• Built at the factory directly on the card
• A Media Access Control (MAC) address has 48 bits
• 24 bits are the OUI
– The OUI specifies the vendor name
– The OUI specifies the mode:
– Unicast
– Multicast
• MAC addresses are globally unique
• Could be spoofed or faked

Page 10: Module 16 - Network Security TCP-IP


Ethernet Overview

Page 11: Module 16 - Network Security TCP-IP


Address Resolution Protocol (ARP)

• Maps IP addresses to their corresponding MAC addresses
• Commonly called ARP
• Stations on an Ethernet network communicate using MAC addresses
• You know the IP address but not the MAC address
• You must query using ARP to find the destination MAC
• A broadcast is used for that purpose
• The intended recipient replies back with its MAC
• The MAC is kept in a cache for a short period of time
• As mentioned, they should be unique

Page 12: Module 16 - Network Security TCP-IP


Gratuitous ARP

• Requests that are NOT normally needed
• Could be a gratuitous ARP request or an ARP reply
• Gratuitous ARP request
– Has both the source and destination IP set to the IP address of the machine that issued the packet
• A gratuitous ARP reply is a reply for which no request has been made
• They have many legitimate uses (see notes)
• However, gratuitous ARP can be used for offensive purposes
• We will see later on in the lesson all the details of ARP poisoning
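As an added example (not from the SecureNinja slides), the passive ARP monitor below applies the two ARP slides above: it parses Ethernet/ARP frames, classifies gratuitous requests (sender IP equals target IP) and replies nobody asked for, and flags an IP whose MAC binding changes, which is the trace ARP poisoning leaves in a cache. The MAC and IP values, the 10.10.5.0/24 network and the frame builder are constructed sample data.

```python
import struct

# Ethernet II + ARP constants (RFC 826; hardware type 1 = Ethernet, protocol type 0x0800 = IPv4)
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac(s): return bytes.fromhex(s.replace(":", ""))   # "aa:bb:cc:dd:ee:ff" -> 6 bytes
def ip(s): return bytes(map(int, s.split(".")))        # "10.10.5.2" -> 4 bytes

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(map(str, b))
    return {"op": op, "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}

def build_arp(op, sha, spa, tha, tpa):
    """Constructed sample frame for feeding the monitor (requests go to the broadcast MAC)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else tha
    eth = dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

class ArpMonitor:
    """Passive watcher: learns IP -> MAC from sender fields and flags gratuitous requests,
    replies nobody asked for, and a known IP whose MAC changes (the footprint of poisoning)."""
    def __init__(self):
        self.cache, self.pending, self.alerts = {}, set(), []

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        if a["op"] == ARP_REQUEST:
            if a["spa"] == a["tpa"]:
                self.alerts.append(("gratuitous-request", a["spa"], a["sha"]))
            else:
                self.pending.add(a["tpa"])          # someone asked who has tpa
        elif a["op"] == ARP_REPLY:
            if a["spa"] not in self.pending:
                self.alerts.append(("unsolicited-reply", a["spa"], a["sha"]))
            self.pending.discard(a["spa"])
        known = self.cache.get(a["spa"])
        if known is not None and known != a["sha"]:
            self.alerts.append(("binding-changed", a["spa"], f"{known} -> {a['sha']}"))
        self.cache[a["spa"]] = a["sha"]

def demo_alerts():
    """Constructed traffic on 10.10.5.0/24: a normal exchange, a legitimate
    gratuitous announcement, then a second MAC claiming the gateway's IP."""
    host_a = (mac("00:11:22:33:44:01"), ip("10.10.5.2"))
    gw = (mac("00:11:22:33:44:fe"), ip("10.10.5.1"))
    rogue = mac("de:ad:be:ef:00:01")
    frames = [
        build_arp(ARP_REQUEST, host_a[0], host_a[1], b"\0" * 6, gw[1]),  # who has 10.10.5.1?
        build_arp(ARP_REPLY, gw[0], gw[1], host_a[0], host_a[1]),        # the gateway answers
        build_arp(ARP_REQUEST, gw[0], gw[1], b"\0" * 6, gw[1]),          # gratuitous announce
        build_arp(ARP_REPLY, rogue, gw[1], host_a[0], host_a[1]),        # nobody asked for this
    ]
    mon = ArpMonitor()
    for f in frames:
        mon.observe(f)
    return mon.alerts
```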

Page 13: Module 16 - Network Security TCP-IP


What are ports (UDP & TCP)

• Same as doors within a building
• Ease communication between entities
• A 16-bit field within the TCP and UDP packets
• IANA (Internet Assigned Numbers Authority)
• Well-known ports are from 0 to 1023 (0 is not used on IPv4)
• Registered ports are from 1024 to 49151
• Dynamic and/or private ports are from 49152 to 65535
• Ephemeral ports (short-lived connections)
– Some OSes dare to be different, see the notes
– Windows Server 2003 uses 1025 to 5000

http://www.iana.org

Page 14: Module 16 - Network Security TCP-IP


What are protocols

• Protocols online are very much the same as real-life ones
– Take a phone call for example
• The SMTP protocol is a great example
– Hello
• The HTTP protocol is the most commonly used protocol
• Some common ones are:
– TCP, UDP, SNMP, Telnet, RIP
– IP, HTTP, FTP, SSL, OSPF
– ICMP, SMTP, TFTP, TLS, Ethernet
– POP3, SFTP, Chargen, Echo, Finger

Page 15: Module 16 - Network Security TCP-IP


Port Numbers (Partial List)

80      HTTP          110   POP3                 500    IKE
443     HTTPS         119   NNTP                 1701   L2TP
20/21   FTP           123   NTP                  1723   PPTP
23      Telnet        143   IMAP                 1812   RADIUS AUTH
25      SMTP          161   SNMP Monitoring      1813   RADIUS ACCNT
88      Kerberos      162   SNMP Trap/Alert      2049   NFS
53      DNS           389   LDAP                 4000   ICQ
22      SSH           636   LDAP SSL             5000   Yahoo Messenger
69      TFTP          520   RIP

Page 16: Module 16 - Network Security TCP-IP


Protocol Numbers

# /etc/protocols
# Internet (IP) protocols
#
ip        0    IP        # internet protocol
icmp      1    ICMP      # internet control message protocol
ggp       3    GGP       # gateway-gateway protocol
tcp       6    TCP       # transmission control protocol
egp       8    EGP       # exterior gateway protocol
pup       12   PUP       # PARC universal packet protocol
udp       17   UDP       # user datagram protocol
hmp       20   HMP       # host monitoring protocol
xns-idp        NSIDP     # Xerox NS IDP
rdp       27   RDP       # "reliable datagram" protocol

Page 17: Module 16 - Network Security TCP-IP


Port Number and Protocol

Page 18: Module 16 - Network Security TCP-IP


IP (Internet Protocol)

• IP provides the basic packet delivery service on which TCP/IP networks are built. All TCP/IP data flows through IP, incoming and outgoing, regardless of its final destination.
• The Internet Protocol functions include:
– Defining the datagram, which is the basic unit of transmission on the Internet
– Defining the Internet addressing scheme
– Moving data between the Network Access Layer and the Transport Layer
– Routing datagrams to remote hosts
– Performing fragmentation and reassembly of datagrams

Page 19: Module 16 - Network Security TCP-IP


IP Datagram

• The datagram is the packet format defined by IP
• A packet is a block of data
• The packet carries the information necessary to deliver it
• Similar to your postal letter, which has an address
• The first five or six 32-bit words (default is 5) of the datagram are control information called the header
• The header contains all the information necessary to deliver the packet
• No error detection or recovery
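An added example, not part of the original slides, that decodes the five-or-six-word header described above and verifies its checksum: the IP header checksum covers the header only, so a flipped bit in the header is detected while nothing in IP protects the payload. The protocol-number table is the /etc/protocols excerpt shown earlier in the module; the addresses, identification and TTL are constructed sample values.

```python
import struct

# Protocol numbers as listed in the /etc/protocols excerpt on the slide
PROTOCOLS = {0: "ip", 1: "icmp", 3: "ggp", 6: "tcp", 8: "egp", 12: "pup",
             17: "udp", 20: "hmp", 27: "rdp"}

def ip_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; a result of 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet):
    """Decode the 5 (or more, with options) 32-bit header words of a datagram."""
    if len(packet) < 20:
        raise ValueError("truncated: fewer than five header words")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    hdr_len = ihl * 4
    return {
        "ihl_words": ihl, "header_len": hdr_len, "total_len": total_len,
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, str(proto)),
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,      # fragment offset in bytes
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        # the checksum covers only the header: payload corruption is invisible to IP
        "header_checksum_ok": ip_checksum(packet[:hdr_len]) == 0,
        "payload": packet[hdr_len:total_len],
    }

def build_ipv4(src, dst, proto, payload, options=b""):
    """Constructed sample datagram with a valid header checksum (ident and TTL made up)."""
    ihl = 5 + (len(options) + 3) // 4
    options = options.ljust((ihl - 5) * 4, b"\x00")    # options padded to 32-bit words
    total_len = ihl * 4 + len(payload)
    def header(csum):
        return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234,
                           0x4000, 64, proto, csum,
                           bytes(map(int, src.split("."))),
                           bytes(map(int, dst.split(".")))) + options
    return header(ip_checksum(header(0))) + payload

def demo():
    """A good datagram versus the same datagram with one TTL bit flipped in transit."""
    pkt = build_ipv4("140.179.220.200", "10.10.5.2", 17, b"hello")
    damaged = bytearray(pkt)
    damaged[8] ^= 0x01                                  # byte 8 of the header is the TTL
    return parse_ipv4(pkt), parse_ipv4(bytes(damaged))
```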

Page 20: Module 16 - Network Security TCP-IP


IP Datagram Format

Page 21: Module 16 - Network Security TCP-IP


Services provided by TCP

• Connection-oriented data management
• Reliable data transfer
• Stream-oriented data transfer
• Push functions
• Resequencing
• Flow control (sliding windows)
• Multiplexing
• Full-duplex transmission
• Precedence and security
• Graceful close

Page 22: Module 16 - Network Security TCP-IP


TCP Three Way Handshake

TCP uses a three-way handshake and dynamically allocates a port.

Host A (source) 132.87.19.6, port 3044        Host B (destination) 195.173.24.10, port 23

3044 -> 23:    SYN
23 -> 3044:    SYN, ACK
3044 -> 23:    ACK, data
Data transfer has begun.

IP address + port number = socket
Port 23 = Telnet; source port 3044

Page 23: Module 16 - Network Security TCP-IP


TCP Segment Format

Bits:     0        4        8       12       16       20       24       28    31
Word 1:   Source Port                        | Destination Port
Word 2:   Sequence Number
Word 3:   Acknowledgment Number
Word 4:   Offset | Reserved | Flags          | Window
Word 5:   Checksum                           | Urgent Pointer
Word 6:   Options                                               | Padding
          data begins here ...
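As an added example (not from the slides), the code below decodes the segment header laid out above and replays the handshake from the previous slide, 132.87.19.6:3044 to 195.173.24.10:23, tracking state per socket pair; a constructed second client that sends only a SYN is left half-open, which is the condition a defender counts when looking for SYN floods or scans. The sequence numbers, the extra client and the helper names are assumptions.

```python
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_tcp(segment):
    """Decode the header words from the slide: ports, seq, ack, offset/flags/window,
    checksum/urgent pointer, then options up to the data offset."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4                 # header length in bytes
    if data_offset < 20 or len(segment) < data_offset:
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": {name for name, bit in TCP_FLAGS.items() if off_flags & bit},
            "options": segment[20:data_offset], "data": segment[data_offset:]}

def build_tcp(sport, dport, seq, ack, flags, data=b""):
    """Constructed sample segment; checksum left 0 (computing it needs the IP pseudo-header)."""
    bits = sum(TCP_FLAGS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, 8192, 0, 0) + data

class HandshakeTracker:
    """Follows SYN -> SYN/ACK -> ACK per (client socket, server socket) pair and
    checks each acknowledgment number against the sequence number it answers."""
    def __init__(self):
        self.state, self.last_seq = {}, {}

    def observe(self, src_ip, dst_ip, segment):
        t = parse_tcp(segment)
        fwd = ((src_ip, t["sport"]), (dst_ip, t["dport"]))   # key as seen from the sender
        rev = (fwd[1], fwd[0])
        f = t["flags"]
        if f == {"SYN"}:                                      # step 1: client -> server
            self.state[fwd], self.last_seq[fwd] = "SYN_SENT", t["seq"]
        elif f == {"SYN", "ACK"}:                             # step 2: server -> client
            if self.state.get(rev) == "SYN_SENT" and t["ack"] == self.last_seq[rev] + 1:
                self.state[rev], self.last_seq[rev] = "SYN_RECEIVED", t["seq"]
        elif "ACK" in f:                                      # step 3: client -> server
            if self.state.get(fwd) == "SYN_RECEIVED" and t["ack"] == self.last_seq[fwd] + 1:
                self.state[fwd] = "ESTABLISHED"

    def half_open(self):
        """Pairs that never finished the handshake: what a SYN flood or a scan leaves behind."""
        return [k for k, s in self.state.items() if s != "ESTABLISHED"]

def demo():
    """The exchange from the slide (132.87.19.6:3044 -> 195.173.24.10:23) plus one
    constructed client that sends a SYN and never completes."""
    a, b = "132.87.19.6", "195.173.24.10"
    trk = HandshakeTracker()
    trk.observe(a, b, build_tcp(3044, 23, 1000, 0, ["SYN"]))
    trk.observe(b, a, build_tcp(23, 3044, 5000, 1001, ["SYN", "ACK"]))
    trk.observe(a, b, build_tcp(3044, 23, 1001, 5001, ["ACK", "PSH"], b"login"))
    trk.observe("10.10.5.2", b, build_tcp(40000, 23, 7, 0, ["SYN"]))
    return trk.state, trk.half_open()
```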

Page 24: Module 16 - Network Security TCP-IP


UDP Protocol

• User Datagram Protocol
• A connectionless protocol
• Uses best effort
• A lot less overhead than TCP
• Has no reliability and no acknowledgement
• Good for applications where some packets can be lost
• Streaming media and Voice over IP are examples
• DNS makes use of UDP
• Often used by attackers as well, e.g. port 53 UDP

Page 25: Module 16 - Network Security TCP-IP


UDP Message Format

Bits:     0        4        8       12       16       20       24       28    31
Word 1:   Source Port                        | Destination Port
Word 2:   Length                             | Checksum
          data begins here ...

Page 26: Module 16 - Network Security TCP-IP


TCP/IP Addressing Packets

• IP addresses and subnetwork masks use decimal dot notation
• Each address has four integers separated by periods
• Each integer represents 8 bits of the 32-bit address
• Values are from 0 (network) to 255 (broadcast)
• 0 and 255 are reserved and cannot be used
• An IP address could be 10.10.5.2 for example
• One portion is the network, the other is the hosts
• Subnetwork masks use decimal dot notation as well
• An example for a Class C address is 255.255.255.0

Page 27: Module 16 - Network Security TCP-IP


IP Addressing

140.179.220.200

Written in binary form:

140      .179     .220     .200
10001100 10110011 11011100 11001000

We see the address in the decimal form; your computer sees it in the binary form.

Let's decode the first octet (140) on the next slide.

Page 28: Module 16 - Network Security TCP-IP


Binary Octet Decoded

An octet is made up of eight "1"s and/or "0"s:

Bit Pos:    1    2    3    4    5    6    7    8
Value:    128   64   32   16    8    4    2    1

The value of 140 looks like this:

Power:    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Bits:       1    0    0    0    1    1    0    0
Value:    128   64   32   16    8    4    2    1
Result:   128    0    0    0    8    4    0    0

128 + 8 + 4 = 140

Page 29: Module 16 - Network Security TCP-IP


Classes of IP addresses

• As mentioned previously, all IP addresses are 32 bits
• They are expressed in dot notation (4 octets of 8 bits)
• All IPs have a Network ID and a Host ID
– It may have a Subnetwork ID if subnetting is being used
• Belong to one of five classes: A, B, C, D, E
• Each address has a corresponding subnetwork mask
– Most of the time referred to as the Subnet Mask
• We will look at each of the main classes next

Page 30: Module 16 - Network Security TCP-IP


Classes of IP addresses

Page 31: Module 16 - Network Security TCP-IP


Class A IP addresses

• Has an 8-bit network ID starting with 0
• 24-bit host ID, up to 22 bits may be used for the subnetwork ID
• Class supports network numbers 1 to 126

Page 32: Module 16 - Network Security TCP-IP


Class B IP addresses

• Has a 16-bit network ID starting with 1-0
• 16-bit host ID, up to 14 bits may be used for the subnetwork ID
• Class supports network numbers from 128.1 to 191.254

Page 33: Module 16 - Network Security TCP-IP


Class C IP addresses

• Has a 24-bit network ID starting with 1-1-0
• 8-bit host ID, up to 6 bits may be used for the subnetwork ID
• Class supports network numbers from 192.1 to 223.254

Page 34: Module 16 - Network Security TCP-IP


Summary of classes

The number of addresses usable for addressing specific hosts in each network is always 2^N - 2

Classful versus Classless Inter-Domain Routing (CIDR)

Page 35: Module 16 - Network Security TCP-IP


A few more things...

• Classful IP addressing
• Classless IP addressing (has 3 categories)
– Subnetting
– VLSM (Variable Length Subnet Mask)
  – No longer dependent on 8, 16, 24-bit network numbers
  – Prefix length or netmask is used for routing
– CIDR (Classless Inter-Domain Routing)
  – Used with supernetting
  – Supernetting allows route aggregation
  – CIDR introduces prefix notation or CIDR notation (e.g. /24 for Class C)
  – Reduces the size of routing tables

Page 36: Module 16 - Network Security TCP-IP


What is subnetting

• It is making use of the host portion of the address
• You borrow bits from the host portion
• Allows you to add more networks within your own range
• 2^n - 2 >= number of subnets required
• A subnet is a single LAN segment
• Each LAN has a unique subnet number
• For the purpose of the exam you must know what it is
• You do not need to know all of the details

Page 37: Module 16 - Network Security TCP-IP


SubNetwork Mask

• Subnet masks are a 32-bit structure
• They are also expressed in decimal dot notation
• They tell which bits are the Network ID and Subnetwork ID
• A bit marked as a 1 means it is part of the network or subnet
• A bit marked as a 0 means it is part of the host ID

NNNNNNNN.NNNNNNNN.NNNNNNNN.NNNHHHHH
11111111.11111111.11111111.11100000

Page 38: Module 16 - Network Security TCP-IP


Subnetting Scenario

• So we have 1 Class C network (206.15.143.0)
• We have 254 host addresses available (1 to 254)
• But what if we need 5 different networks
• Each network has no more than 30 hosts
• Do we apply for 4 more Class C licenses?
– One for each network
• Your ISP might no longer love you and may tell you to get smart!
• You would be wasting 224 addresses on each network; a total of 1120 addresses would be wasted! Not good...
• Are you out of luck? Subnetting is coming to the rescue...

Page 39: Module 16 - Network Security TCP-IP


Our needs

• We know we need at least 5 subnets
• We are on a Class C network with 8 bits for the hosts
• We need to borrow some bits from the host portion
• So 2^3 - 2 will give us 6 subnets (8 - 2 = 6); 3 bits would be sufficient
• The -2 is to deduct the reserved network and broadcast addresses
• We also know we need at least 30 hosts per network
• So with 5 bits left (2^5 - 2) we get 30 hosts per subnet (network)
• This will work, because we can steal the first 3 bits from the host's portion of the current address to give to the subnetwork portion and still have 5 bits (8 - 3) remaining for the host portion
• Let's take a look at how this is done on the next slide

Page 40: Module 16 - Network Security TCP-IP


Borrowing bits

• Let's review what portion is what:

We have a Class C address:
NNNNNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH

With a subnet mask of:
11111111.11111111.11111111.00000000

We steal/borrow 3 bits from the host portion (the three N bits in the last octet below, shown in green on the original slide):
NNNNNNNN.NNNNNNNN.NNNNNNNN.NNNHHHHH

Page 41: Module 16 - Network Security TCP-IP


The new netmask

NNNNNNNN.NNNNNNNN.NNNNNNNN.NNNHHHHH

This will change our subnet mask to the following:

11111111.11111111.11111111.11100000

• Above is how the computer will see our new subnet mask, but we need to express it in decimal form as well:

255.255.255.224 (128+64+32=224)

Page 42: Module 16 - Network Security TCP-IP


Subnet addresses

Remember our values: 128 64 32 16 8 4 2 1

Now our 3-bit configurations (N N N H H H H H) and the subnet value each equals:

0 0 1 H H H H H = 32
0 1 0 H H H H H = 64
0 1 1 H H H H H = 96
1 0 0 H H H H H = 128
1 0 1 H H H H H = 160
1 1 0 H H H H H = 192
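Added example (not part of the slides) that carries the whole subnetting scenario through in code with Python's ipaddress module: from 5 subnets and 30 hosts on 206.15.143.0/24 it derives the 3 borrowed bits, the mask 255.255.255.224, the six usable subnet IDs 32 to 192 listed above (dropping the all-zeros and all-ones subnets per the 2^n - 2 rule), and each subnet's first host, last host and broadcast; it also decodes an octet string the way the Binary Octet slide does. The function names are assumptions of this example.

```python
import ipaddress

def min_bits(count):
    """Smallest n with 2**n - 2 >= count (the slide's rule: the all-zeros and
    all-ones patterns are reserved, e.g. network and broadcast for the host part)."""
    n = 1
    while 2 ** n - 2 < count:
        n += 1
    return n

def plan_subnets(network, subnets_needed, hosts_per_subnet):
    """Classful subnetting plan for a network given in CIDR form, e.g. the Class C
    '206.15.143.0/24': borrow host bits until both requirements are met."""
    net = ipaddress.IPv4Network(network)
    borrow = min_bits(subnets_needed)
    host_bits = (32 - net.prefixlen) - borrow
    if host_bits < 2 or 2 ** host_bits - 2 < hosts_per_subnet:
        raise ValueError(f"{borrow} subnet bits leave {host_bits} host bits: "
                         f"too few for {hosts_per_subnet} hosts per subnet")
    new_prefix = net.prefixlen + borrow
    all_subnets = list(net.subnets(new_prefix=new_prefix))
    usable = all_subnets[1:-1]      # classful: drop the all-zeros and all-ones subnets
    return {
        "borrowed_bits": borrow,
        "host_bits": host_bits,
        "netmask": str(ipaddress.IPv4Network(f"0.0.0.0/{new_prefix}").netmask),
        "prefix": f"/{new_prefix}",
        "usable_subnets": len(usable),                  # equals 2**borrow - 2
        "hosts_per_subnet": 2 ** host_bits - 2,
        "subnet_ids": [str(s.network_address) for s in usable],
        # (network, first host, last host, broadcast) for each usable subnet
        "ranges": [(str(s.network_address), str(s[1]), str(s[-2]),
                    str(s.broadcast_address)) for s in usable],
    }

def octet_from_bits(bits):
    """Decode an 8-character octet string such as '11100000' to 224, the way the
    slide decodes 140 from 10001100 (bit i has value 128 >> i)."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("an octet is exactly eight 0/1 characters")
    return sum(128 >> i for i, b in enumerate(bits) if b == "1")
```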

Page 43: Module 16 - Network Security TCP-IP


Now the easy way

Page 44: Module 16 - Network Security TCP-IP


Antiquated Protocols

• Finger
• Chargen & Echo
• Daytime
• Telnet
• FTP
• SNMP
• SMTP
• POP3

Page 45: Module 16 - Network Security TCP-IP


IP Version 4 versus IP Version 6

• IP Version 6, aka IPng (Next Generation)
• The differences are in five major areas:
– Addressing and routing
– Security
– Network address translation
– Administrative workload, and
– Mobile computing
• IPv6 includes migration & transition plans

Page 46: Module 16 - Network Security TCP-IP


IP Version 6 Migration

• Over 30 IPv6 RFCs written since 1994
• Migration from v4 to v6 will take time
– Standards and procedures for coexistence of both
– Tunneling IPv6 within IPv4
– Tunneling IPv4 within IPv6
– Dual stacks used at the same time
• Windows 7 is an OS using two stacks

Page 47: Module 16 - Network Security TCP-IP


IPv6 Advantages (1 of 2)

• Huge address space (2^128)
• Makes NAT and its issues no longer necessary
• Reduces configuration and management
– Supports Stateless Auto Configuration
– Creates a guaranteed unique IP address
  – Combines the LAN MAC with the prefix provided by the router
  – DHCP is no longer needed; DHCPv6 can still be used
• All hosts support multicast as a requirement

Page 48: Module 16 - Network Security TCP-IP


IPv6 Advantages (2 of 2)

• Quality of Service (QoS) on VPNs
– New 20-bit traffic flow field
• IPsec is required and built-in
• Routers don't fragment packets, only hosts do
• ICMPv6 Router Solicitation and Advertisement
– Determine the IP address of the best gateway
– It is a requirement
• Supports a 1280-byte packet size

Page 49: Module 16 - Network Security TCP-IP


IPv6 Packet Format

Graphic from: http://www.net-security.org/dl/insecure/INSECURE-Mag-30.pdf

Page 50: Module 16 - Network Security TCP-IP


IPv6 Address Notation

Thanks to Vivek from www.securitytube.net for his great tutorials on IPv6

Page 51: Module 16 - Network Security TCP-IP


IPv6 Transmission Methods

• Unicast
– From one station to another station
• Multicast (a requirement in IPv6)
– From one station to multiple selected stations
– Information sent only once over the networks
• Anycast
– Sent to a group of nodes/stations
– Needs to be delivered to at least one node and not all of them

Page 52: Module 16 - Network Security TCP-IP


IPv6 and Mobility

• Mobility is a new feature in IPv6
• Mobile nodes can change their location and addresses without losing the existing connections through which the nodes are communicating
• Supported at the Internet level, thus transparent
• Uses two types of IP addresses:
– The IPv6 address; and
– The Mobile IP address

Page 53: Module 16 - Network Security TCP-IP


IPv6 Security Issues (1 of 2)

• Dual stack = double the amount of issues
• Spoofing could be used on the same network segment
– Neighbor Discovery prevents it remotely on IPv6
– Could be possible if tunneling IPv6 over IPv4
• Flooding and scanning are possible attacks
• Vendors of security tools are catching up
– They claim to be compliant, but are they?
• Smurf attacks can be done on multicast addresses

Page 54: Module 16 - Network Security TCP-IP


IPv6 Security Issues (2 of 2)

• No security through obscurity as provided by NATting
– Must be configured on the firewall instead
• Stateless Autoconfiguration
– Gives IP addresses away to anyone
– Could be turned on by default
• Network Intrusion Detection will be hard to perform
• Key management is still necessary

Page 55: Module 16 - Network Security TCP-IP


Other Security Issues

• Turn IPv6 OFF if you don't need it
• Could be used for covert channels
– Tunneling IRC over IPv6 for example
• Rogue devices could be set up to assign IPv6 addresses
• ICMP6 redirect attacks (see next slide)
• Type 0 Routing Header Attack
– Packet bounces between two or more routers
– Amplification attack, up to 88-fold amplification

Page 56: Module 16 - Network Security TCP-IP


ICMP6 Redirect Attack

1. An attacker with access to the network sends an Echo Request with the source address set to User 2 and the destination set to User 1.
2. The victim receives this Echo Request and sends an Echo Reply to User 2.
3. The attacker then creates a redirect packet with the Echo Reply attached. The packet is constructed with the source as the router and the destination as User 1, and in this packet tells User 1 to redirect all traffic for User 2 to the attacker. The hacker then receives packets from User 1 and can spoof User 2.

Page 57: Module 16 - Network Security TCP-IP


Questions?

Any questions: [email protected] (Subject Line: SN SEC+ QUESTION)