P01-Uvod in ponovitev-en - University of Ljubljana in...Data link layer Physical layer Entity pair...


11/9/12

Introduction and repetition of the basics

Communication protocols and network security

• Professor: dr. Andrej Brodnik (Ljubljana)
• Teaching Assistant: as. dr. Gašper Fele Žorž
• Implementation of course:
  • 3 hours of lectures – consisting of two parts, 2 hours of lab work per week
• contact: e-mail, consultation hours, forum on the course web page

Content of the course

• Repetition of the basics of communications (ISO/OSI, TCP/IP, protocols, services, security),
• control and management of networks,
• distribution (multicasting),
• real-time applications,
• security: authentication, authorization, records, safe transfers, VPN, certification, firewalls, IDS systems,
• information for network operation, LDAP,
• IEEE 802.

Content of the course – an indicative plan

week    lecture                                          HW    SEM
8.10.   Introduction                                     1
15.10.  Starting your computer, network configuration    1
22.10.  Management and control of the networks           1
29.10.  Circulation and real-time applications           2
5.11.   Distribution                                     2
12.11.  Distribution / Preparation for the test          2
19.11.  MIDTERM TEST 1                                         SEM1
26.11.  Elements of network security                     3
3.12.   Authentication, authorization, records (AAA)     3
10.12.  Authentication, authorization and records (AAA) /
        Data for network operation (LDAP)                3,4
17.12.  Visiting lecturer
24.12.  <<< Christmas holidays >>>
31.12.  <<< Christmas holidays >>>
7.1.    IEEE 802 family                                  4
14.1.   MIDTERM TEST 2                                         SEM2

Obligations

Final grade (≥ 50):
• 4 pieces of homework: 20%
• 2 seminar papers: 40%
• written exam or 2 midterm tests: 40%
Total: 100%

Obligations:
• notes: 2x per lecture, 1x laboratory work
• homework ≥ 40, each homework ≥ 20
• seminar paper ≥ 40, each seminar paper ≥ 20
• written exam ≥ 50, each of the midterm tests ≥ 40

Obligations

The grade also takes into account:
• participation in the forums
• complementing the notes
• assistance to the colleagues
• ...

Literature

• J. F. Kurose, K. W. Ross: Computer Networking, 5th edition, Addison-Wesley, 2010.
• A. Farrel: The Internet and Its Protocols: A Comparative Approach, Morgan Kaufmann, 2004.
• E. Cole: Network Security Bible, Wiley, 2nd edition, 2009.
• Mani Subramanian: Network Management: An introduction to principles and practice, Addison Wesley Longman, 2000.
• RFC …

ISO/OSI model

The model consists of seven layers, which define the layers of related functions of the communication system.

Application layer
Presentation layer
Session layer
Transport layer
Network layer
Data link layer
Physical layer

ISO/OSI model

• layer N provides services (serving) for layer N+1,
• layer N requires services (deliverability) from layer N-1,
• Protocol: rules of communication between processes on the same location,
• Entity pair: pair of processes that communicate on the same layer

[Figure: the seven layers (Application, Presentation, Session, Transport, Network, Data link, Physical; layers N, N-1, ..., 2, 1) drawn side by side for System A and System B, with an entity pair of processes on each layer.]

Analogy: conversation between two philosophers

• Why layers?
  • systematic concept of system architecture,
  • the change of implementation of one part of the system is independent from the rest of the system.

ISO/OSI model

In other words: Each layer has its own protocols (the language used for communication by the processes on the same layer).

The protocols are specific for the services provided by the layer.

OSI layers: detailed

• closest to the user,
• allows application interaction with network services,
• standard services: telnet, FTP, SMTP, SNMP, HTTP

OSI layers

• determines the meaning of the data between the entity pair of the application layer,
• syntax and semantics,
• provides coding, data compression, security mechanisms

• controls conversations between applications,
• logical connection between applications,
• usually it's built into the applications.

OSI layers (unit: SEGMENT)

• effective, reliable and transparent data transfer between users; provides these services to higher layers,
• mechanisms: flow control, segmentation, error control,
• connection-oriented and connectionless transfers,
• TCP, UDP, IPSec, GRE, L2TP, PPP

OSI layers (unit: PACKET)

• routing (connection-oriented and connectionless services),
• transmission of packets from the source to the target computer,
• can provide: guaranteed delivery, correct sequence, fragmentation, congestion avoidance,
• routing, routers, routing algorithms,
• protocols: IP, ICMP, IPSec, IGMP, IPX

OSI layers (unit: FRAME)

• asynchronous/synchronous communication,
• physical addressing: MAC address,
• detection and correction of errors (parity, CRC, checksum),
• flow control, framing,
• protocols: Ethernet, PPP, Frame Relay

OSI layers

• transmission of bits through the channels (copper/optics/wireless),
• digital, analog media,
• UTP, optics, coaxial cables, wireless networks,
• RS-232, T1, E1, 802.11b/g, USB, Bluetooth

OSI model and model TCP/IP

Comparison of models:
• ISO OSI: de iure, theoretical, systematic, lack of implementations (products),
• TCP/IP: de facto, adjustable, unsystematic, many products

Encapsulation

[Figure: encapsulation along the path source, switch, router, destination. The source stack (application, transport, network, data link, physical) wraps the message M into a segment (header Ht), a datagram (header Hn) and a frame (header Hl); the switch works on the data link and physical layers, the router on the network, data link and physical layers; the destination stack removes the headers again until only M remains.]

Network layer: Network layer functions

[Figure: the network layer, placed between the transport layer (TCP, UDP) and the data link and physical layers, with its functions:
• routing: choice of the route; RIP, OSPF, BGP
• protocol IP: addressing, shape of datagrams, working with packets
• protocol ICMP: signaling errors, additional notices
• forwarding table]

Network layer: Routers

• use of routing protocols (RIP, OSPF, BGP),
• forwarding datagrams between the input and output ports

Network layer: Comparison of active equipment

• device that works on the NETWORK layer,
• maintains ARP tables, performs routing algorithms

• device that works on the DATA LINK layer,
• maintains the switching table, performs filtering and network detection

• device that operates at the PHYSICAL layer, it is no longer in use

Network layer: IPv4

• Protocol on the network (3rd) layer of the OSI model

is a 32-bit address of the interface. Example: 11000001000000100000000101000010 or 193.2.1.66

is a set of IP addresses that can reach each other without the intervention of a router. The mask (32 bits) gives the part of the IP address that represents the subnet address. Example: 11111111111111111111000000000000 (255.255.255.240) means that the first 20 bits of the IP address represent the network address and the remaining 12 bits are the address of the interface.

Network layer: Exercise!

• The IP address of some interface and the mask of the subnetwork are given: 193.90.230.25/20
  • What is the address of the subnetwork?
  • What is the address of the interface?
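A worked version of the exercise, added here as an example and not part of the original slides: the mask is built from the prefix length and ANDed with the address to separate the subnet address from the interface part. The function names are hypothetical; the last helper applies the slide's definition of a subnet (addresses that reach each other without a router).

```python
def parse_ipv4(text):
    """Accept dotted decimal or a 32-character bit string; return an int."""
    if len(text) == 32 and set(text) <= {"0", "1"}:
        return int(text, 2)
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {text!r}")
    value = 0
    for part in parts:
        value = (value << 8) | int(part)
    return value

def dotted(value):
    """Render a 32-bit integer in dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_mask(prefix):
    """Mask with `prefix` leading one-bits, as a 32-bit integer."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def split_address(cidr):
    """Split 'a.b.c.d/n' into mask, subnet address and interface part."""
    address, _, prefix = cidr.partition("/")
    if not prefix.isdigit():
        raise ValueError(f"missing prefix length in {cidr!r}")
    mask = prefix_mask(int(prefix))
    ip = parse_ipv4(address)
    return {
        "mask": dotted(mask),
        "subnet": dotted(ip & mask),                    # network bits kept
        "interface": dotted(ip & ~mask & 0xFFFFFFFF),   # remaining host bits
        "interface_bits": 32 - int(prefix),
    }

def on_same_subnet(cidr, other):
    """True when `other` shares the subnet of the interface given as CIDR."""
    address, _, prefix = cidr.partition("/")
    mask = prefix_mask(int(prefix))
    return (parse_ipv4(address) & mask) == (parse_ipv4(other) & mask)

if __name__ == "__main__":
    # The bit string from the IPv4 slide and the address from the exercise.
    print(dotted(parse_ipv4("11000001000000100000000101000010")))
    print(split_address("193.90.230.25/20"))
    print(on_same_subnet("193.90.230.25/20", "193.90.240.1"))
```

A destination for which `on_same_subnet` is false has to be sent through the router.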

Network layer: IPv6

• larger address space: 128 bits,
• fast routing and forwarding, and QoS, are enabled by the format of the header; there is no fragmentation,
• the implementation of IPSec within IPv6 is obligatory

consisting of 64 bits for the subnet ID + 64 bits for the interface ID

0010000111011010 0000000011010011 0000000000000000 0010111100111011
0000001010101010 0000000011111111 1111111000101000 1001110001011010

Written hexadecimal, separated by colons:

21DA:00D3:0000:0000:02AA:00FF:FE28:9C5A
or (without leading zeros)
21DA:D3:0:0:2AA:FF:FE28:9C5A
or (omit blocks of zeros)
21DA:D3::2AA:FF:FE28:9C5A

Network layer: Comparison of IPv4 and IPv6

Network layer: IPv6 - types of addressing

• addressing each network interface
• addressing of a group of network interfaces, delivery to all interfaces in the group
• is the address of the group of the interfaces, the delivery is performed to one of the interfaces of the group (the closest one?)

Each interface can have multiple addresses of various types. (BROADCAST addresses – in IPv6 they are no longer there!)

Network layer: IPv6 - types of unicast addresses

1.) (= public addresses)
2.) (localhost ::1, undefined 0::0, IPv4 addresses)
3.) (within 1 connection, ad hoc network)
4.) (private addresses, within the org. they are not performed, FEC0::/10)
5.) (private addresses, allocated by the registrar, they're better structured, FC00::/7)

FE80::/64

Network layer: IPv6 – distribution (multicast)

1.) FF02::1 (link local: all interfaces)
2.) FF02::2 (link local: all routers)
3.) address structure:

Network layer: IPv6 in IPv4 networks

1.) routers know IPv4 and IPv6
2.) IPv6 packet packed in one or more IPv4 packets as data.

Network layer: Routing

• static/dynamic (consideration of conditions in the network)
• centralized/distributed (according to the knowledge of the whole network status)
• one way / by multiple pathways

• with the distance vector (RIP, IGRP, EIGRP)
• according to the network status (OSPF, IS-IS)

Transport layer: Functionalities

• interface between the transport and application layer,
• we address the process with the IP number and the port number (www: 80, SMTP: 25, DNS: 53, POP3: 110).

[Figure: two processes, each attached through a socket to a connection across the Internet.]

• receiving a message from the application
• assembling segments in the message to the network layer
• transferring to the application layer

Transport layer: Connection and connectionless oriented

• TCP and UDP, and other protocols
• establishment, transmission, teardown of the connection

• in the protocol (TCP)
• in the application (UDP)
• directly (ACK and NACK)
• indirectly (only ACK, we conclude according to the number of packets)

• Simultaneous confirmation: the next packet is sent only after the receipt of the confirmation
• Fluent sending: no waiting for the confirmation

Transport layer: TCP and UDP

Application layer:

• telnet, ssh; rdesktop
• ftp, sftp
• WWW and HTTP,
• SMTP, POP3, IMAP, MAPI
• DNS,
• SNMP, LDAP, RADIUS, ...
• ...

Application layer:

• communication of two random end systems
• servers are not constantly switched on,
• broken connections / changes to IP addresses,
• examples: BitTorrent, Skype

Network and transport layer: From the past to the future

lack of IPv4 addresses
• the efficiency of private address spaces
• NAT gateways - usually at the same time firewalls too
• simple in client-server systems
• in P2P we need a copy address in the outer world

In IPv6 NAT gateways are not required

Example of communication: Web browsing

[Figure: network used in the example. Labels: Internet provider 68.80.0.0/13; Google network 64.233.160.0/19 with the web server 64.233.169.105; DNS server; faculty network 68.80.2.0/24; browser; web page.]

Example of communication: Web browsing

• When it connects to the network, the laptop needs an IP address, and the data of the connection and the DNS server: it uses DHCP.
• The DHCP request is encapsulated: UDP -> IP -> 802.1 Ethernet
• The Ethernet frame is transmitted (broadcast) to the network; it is received by the router, which carries out the DHCP server's task
• The DHCP server reads the content of the DHCP request

[Figure: the DHCP message passing down the client's stack (DHCP, UDP, IP, Eth, Phy) and up the same stack on the router (uses DHCP).]

Example of communication: Web browsing

• DHCP answers the client (laptop) with the DHCP ACK packet, which contains its IP address and the addresses of the gateway and DNS server
• The DHCP server (router) encapsulates the answer and passes it on to the client, which decapsulates it.
• The DHCP client receives the answer DHCP ACK
• The result: the client is ready for communication

[Figure: the DHCP message passing down the stack (DHCP, UDP, IP, Eth, Phy) on the router (uses DHCP) and up the same stack on the client.]

Example of communication: Web browsing

• Before sending off the HTTP request we need the IP of the server www.google.com: use DNS
• Encapsulation of the DNS request: UDP -> IP -> Ethernet. We need the MAC address of the router: use ARP
• We send off the ARP request, the router answers with the ARP answer, which contains its MAC address
• The client now knows the MAC address of the gateway and can send the DNS request to it.

[Figure: the DNS request in the client's stack (DNS, UDP, IP, Eth, Phy); ARP query and ARP reply exchanged on the Eth and Phy layers.]

Example of communication: Web browsing

• The IP datagram with is passed on to the router.
• IP datagram is passed on to the , which is in the network of the internet provider (RIP, OSPF, IS-IS or BGP),
• DNS server the request and sends to the user the IP address of the network server www.google.com

[Figure: the DNS message passing through the stacks (DNS, UDP, IP, Eth, Phy) of the client and of the DNS server in the network provider's network.]

Example of communication: Internet browsing

• To send the , the client first addresses the of the web server
• segment directs itself through the network to the web server
• The web server answers with (confirmation of the handshake),
• The TCP connection is now established!

[Figure: SYN travelling from the client's stack (HTTP, TCP, IP, Eth, Phy) through routing to the web server's stack (TCP, IP, Eth, Phy), and SYNACK travelling back.]

Example of communication: Internet browsing

• is sent to the of the web server,
• , which contains the internet request for the website www.google.com, is directed to the web server
• The internet server answers with , which contains the contents of the web page
• The IP datagram with the web page is directed to the client,

[Figure: HTTP messages travelling between the client's stack (HTTP, TCP, IP, Eth, Phy) and the web server's stack through routing.]

Capturing data from the network

Capturing data from the network: DHCP example

Message type: Boot Reply (2)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x6b3a11b7
Seconds elapsed: 0
Bootp flags: 0x0000 (Unicast)
Client IP address: 192.168.1.101 (192.168.1.101)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 192.168.1.1 (192.168.1.1)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client MAC address: Wistron_23:68:8a (00:16:d3:23:68:8a)
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option: (t=53,l=1) DHCP Message Type = DHCP ACK
Option: (t=54,l=4) Server Identifier = 192.168.1.1
Option: (t=1,l=4) Subnet Mask = 255.255.255.0
Option: (t=3,l=4) Router = 192.168.1.1
Option: (6) Domain Name Server
    Length: 12; Value: 445747E2445749F244574092;
    IP Address: 68.87.71.226;
    IP Address: 68.87.73.242;
    IP Address: 68.87.64.146
Option: (t=15,l=20) Domain Name = "hsd1.ma.comcast.net."

Message type: Boot Request (1)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x6b3a11b7
Seconds elapsed: 0
Bootp flags: 0x0000 (Unicast)
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client MAC address: Wistron_23:68:8a (00:16:d3:23:68:8a)
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option: (t=53,l=1) DHCP Message Type = DHCP Request
Option: (61) Client identifier
    Length: 7; Value: 010016D323688A;
    Hardware type: Ethernet
    Client MAC address: Wistron_23:68:8a (00:16:d3:23:68:8a)
Option: (t=50,l=4) Requested IP Address = 192.168.1.101
Option: (t=12,l=5) Host Name = "nomad"
Option: (55) Parameter Request List
    Length: 11; Value: 010F03062C2E2F1F21F92B
    1 = Subnet Mask; 15 = Domain Name
    3 = Router; 6 = Domain Name Server
    44 = NetBIOS over TCP/IP Name Server
    ……
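The "Option" lines in the capture are type-length-value records that follow the fixed header. The parser below is an added example, not part of the original slides: the ACK option bytes are rebuilt from the decoded fields shown above, the function names are hypothetical, and every length is checked before a value is read.

```python
import ipaddress

MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
PAD, END = 0, 255

# Option field of the DHCP ACK, rebuilt from the decoded values in the
# capture (constructed for this example; the slide shows the decoded view).
ACK_OPTIONS = bytes.fromhex(
    "350105"                                # 53: message type = 5 (ACK)
    "3604c0a80101"                          # 54: server identifier
    "0104ffffff00"                          # 1:  subnet mask
    "0304c0a80101"                          # 3:  router
    "060c445747e2445749f244574092"          # 6:  DNS servers (slide value)
    "0f14" + b"hsd1.ma.comcast.net.".hex()  # 15: domain name, 20 bytes
    + "ff"                                  # 255: end of options
)

def parse_options(data):
    """Walk the type-length-value list; reject malformed input."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == PAD:                     # single byte, no length field
            i += 1
            continue
        if code == END:
            return options
        if i + 1 >= len(data):
            raise ValueError(f"option {code} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past the end of the data")
        options[code] = value
        i += 2 + length
    raise ValueError("option list is not terminated by END (255)")

def ip_list(value):
    """Decode a value made of consecutive 4-byte IPv4 addresses."""
    if not value or len(value) % 4:
        raise ValueError("address list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, len(value), 4)]

def decode_ack(data):
    """Return the configuration a client takes from a DHCP ACK."""
    opts = parse_options(data)
    for code in (53, 54, 1, 3, 6, 15):
        if code not in opts:
            raise ValueError(f"ACK lacks option {code}")
    if len(opts[53]) != 1:
        raise ValueError("message type must be one byte")
    return {
        "type": MESSAGE_TYPES.get(opts[53][0], "unknown"),
        "server": ip_list(opts[54])[0],
        "mask": ip_list(opts[1])[0],
        "routers": ip_list(opts[3]),
        "dns": ip_list(opts[6]),
        "domain": opts[15].decode("ascii"),
    }

if __name__ == "__main__":
    print(decode_ack(ACK_OPTIONS))
```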

Network security

• analyzes the potential attacks on systems,
• plans the techniques of the defence from the attacks,
• forms safe architectures, which are resistant to the invasions

• At first the vision of the internet was: “This was a group of people that trust each other and are connected to a common network”
• At the making of the protocol, the manufacturers made it with the methodology of “patching”,
• The safety mechanisms should be considered at all layers of the OSI model

How can the intruder harm the system?

• intercepting of messages,
• Active of messages in some communication,
• impersonation: forges the original address or any other content of the packet
• removes the real sender or receiver from the communication and takes up his role
• Disables the use of the regular service (e.g. by overloading it)

Security: ensure the reliability

CONTROL: collect data of operation, use, logs
MANAGEMENT: action based on the collected data, diagnostics, administration
SYSTEMATIC: directories, lists and indexes, SNMP, business rules
PLANNING: performance, development, testing and deployment
DISPERSION OF PROTECTION: integrity of connections, resources, content, users, messages

Elements of safe communication:

– who is allowed to read? (encryption)
– prove that it is really you (identification, tell who you are, without proof)
– prevention of illegitimate use of sources (authorization – finding out if you can do something, accounting – who used what)
– was it changed during the transmission? (non-repudiation) you really sent/received it

• Practice showed:
  • firewalls, intrusion detection systems,
• Safety on application, transport, network and data link layer

Authentication

We make sure of the true identity of the person – the other party in the conversation.

APPROACHES:
• challenge-response,
• we trust the third party,
• authentication with the system of public keys

Confidentiality of messages: encrypting (concealing) the content

This is a form of defence from passive intruders (eavesdroppers) and active intruders (forgers).
We encrypt message P with the E key – we get the cryptogram E(P). We process the cryptogram E(P) into the original form with the D() key, and what we get is the original message D(E(P)) = P.

Different methods:
• substitution (change of symbols) / transposition (sequence of the symbols)
• symmetric (e.g. DES, AES) / asymmetric (e.g. RSA, ECC)

Types of cryptography

• Cryptography that uses keys:
  • the algorithm is usually known to everybody,
  • only the keys are secret
  • encryption: hiding the content
  • cryptanalysis (“breaking” of the code)
• Cryptography with public key
  • E() ≠ D(): two keys – public and private
• Symmetric cryptography
  • E() = D(): only one key
• Hash functions – they are not cryptography. They don't use keys. How can they be useful?

Cryptography with public keys

is a system that defines the production, management, distribution, saving and cancelling of digital certificates.

• Users are authenticated with the help of public keys, which are certified by the certificate authority (CA)

Cryptography with public keys

• The algorithms for encrypting with public keys are asymmetric, E = encryption key, D = decryption key
• Keys E and D must satisfy the following requirements for the encryption of message S:
  2. From known E and E(S) it must be impossible to figure out D
  3. From E it must be very hard/impossible to figure out D
• The most known algorithm is RSA (Rivest, Shamir, Adleman). RSA uses big prime numbers to define D and E; the procedure of encrypting/decrypting amounts to calculating the remainder of division by the product of these two numbers.

Problem: distribution of keys, slowness.

Cryptography with public keys

[Figure: message S goes through the encryption algorithm with Branko's public key EB and becomes the cryptogram EB(S); the decryption algorithm with Branko's private key DB gives back the readable message S = DB(EB(S)).]

Why is RSA safe?

• Let's say that we know the public key of some person (defined by a pair of numbers (n, e)). To figure out the private key we have to know the factors of the number n. But finding the factors of a large number is hard or impossible with current computational capacities.
• How to find big enough prime numbers? We carry out “guessing” several times: we generate a large number and test whether it is a prime number. Efficient algorithms exist for testing whether a number is prime.

Integrity: proves who sent the message and that the message is read only by the real receiver. We encrypt the message S, which is sent by A to B:

EB(DA(S)) = XXX

and decrypt:

DB(XXX) = DB(EB(DA(S))) = DA(S);  EA(DA(S)) = S

proves that the message (also not encrypted!) hasn't been changed. To achieve that we use hash functions, which calculate the signature of the message sig(S). We sign this value with the mechanism of electronic signing

DA(sig(S)) = SSS

and we send SSS along with the (encrypted) original message XXX: (XXX, SSS). The receiver decrypts XXX into S, recalculates sig(S) and checks whether SSS = sig(S).
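The two RSA slides above (finding primes by guessing and testing, then sending the pair (XXX, SSS)) fit into one small program. It is an added example, not part of the original slides, and it assumes textbook RSA without padding, SHA-256 as the hash function sig() and 512-bit keys, all chosen only to keep the arithmetic visible; the function names are hypothetical.

```python
import hashlib
import random

def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin: the efficient primality test used on each guess."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a witness proves that n is composite
    return True

def random_prime(bits, rng):
    """'Guessing': draw odd numbers of the wanted size until one is prime."""
    while True:
        guess = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(guess, rng):
            return guess

def make_keypair(bits, rng):
    """Return (E, D) = ((n, e), (n, d)); n is the product of two primes."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:    # e is prime, so this means gcd(e, phi) = 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def apply_key(key, value):
    """E(x) and D(x) are the same operation: x^exponent mod n."""
    n, exponent = key
    return pow(value, exponent, n)

def sig(message, n):
    """Hash of the message, reduced mod n (toy stand-in for real padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def send(message, D_A, E_B):
    """A -> B: XXX = E_B(S) and SSS = D_A(sig(S))."""
    S = int.from_bytes(message, "big")
    if S >= E_B[0]:
        raise ValueError("message too long for this toy key")
    return apply_key(E_B, S), apply_key(D_A, sig(message, D_A[0]))

def receive(XXX, SSS, D_B, E_A):
    """B recovers S with D_B, then compares E_A(SSS) with sig(S)."""
    S = apply_key(D_B, XXX)
    message = S.to_bytes((S.bit_length() + 7) // 8, "big")
    return message, apply_key(E_A, SSS) == sig(message, E_A[0])

if __name__ == "__main__":
    rng = random.SystemRandom()
    E_A, D_A = make_keypair(512, rng)
    E_B, D_B = make_keypair(512, rng)
    XXX, SSS = send(b"meet at noon", D_A, E_B)
    print(receive(XXX, SSS, D_B, E_A))        # genuine pair: check passes
    print(receive(XXX, SSS ^ 1, D_B, E_A))    # altered signature: check fails
```

The receiver applies A's public key to SSS before comparing, which is what lets anyone holding E_A check a value only D_A could have produced.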

Certificates

• The PKI system includes certification authorities, which issue, save and cancel the certificates.
• Certificates are defined by the standard X.509 (RFC 2459)
• The certificate contains:
  • the name of the issuer,
  • the name of the person, the address, the domain name and other personal information,
  • the owner's public key,
  • the digital signature (signed by the private key of the issuer)

Next time we move on!

• connect a computer to the network
• boot your computer: protocols DHCP and BOOTP
• architecture server–client,
• protocol: operation, its functions,
• protocol trace