TCP/IP Concepts

Module 1 - Background
• Networking review
• Review of services and protocols
• Secure web server
• Risks involved in a typical online credit card transaction
• Firewalls
Protocol Stacks
• Comparison of TCP/IP protocol stack and the OSI layered model

OSI stack       TCP/IP stack
Application     Application
Presentation
Session
Transport       Transport
Network         Network
Data Link       Link
Physical
TCP/IP protocol stack
• Four layers in TCP/IP protocol stack
• Each layer establishes a logical dialog with its peer on another host, using the services of lower layer protocols

Application Layer   FTP, TELNET, RLOGIN, SMTP, DNS, HTTP, TFTP, …
Transport Layer     TCP, UDP, …
Network Layer       IP, ICMP, IGMP, …
Link Layer          Ethernet/ATM/Wireless, ARP, …
TCP/IP protocol stack (continued)
• The data from higher levels of the stack is encapsulated with a header (and sometimes a trailer)
• The information shown in gray in the original diagram (the payload handed down from the layer above) is ignored by that layer of the stack

Application Layer                                       Message
Transport Layer                         TCP header    | Message
Network Layer              IP header  | TCP header    | Message
Link Layer        header | IP header  | TCP header    | Message | trailer
IP Protocol header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|Hdr Len|Type of Service|         Total Length          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Identification         |r|D|M|     Fragment Offset     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live  |   Protocol    |        Header Checksum        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source IP Address                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination IP Address                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                            Options                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Data (<= 65 536 octets)                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

• The source and destination IP addresses and the protocol field in the IP header are often used to match firewall rules
IP addressing
• 32-bit number, identifies network and host
• Difficult to remember/manipulate large integers
  – “dot” notation uses four 8-bit numbers in 0-255 range
  – Binary representation:
    • 11000000101010000000000000000001
  – Decimal representation:
    • 3232235521
  – “dot” notation:
    • 192.168.0.1
• Broken into classes
  – Class determines which portion identifies network number, which portion identifies a host on the network
IP address classes
• Class of address is based on first four bits
  – Class A – starts with 0 (first number is from 1 to 126)
    • 8 bits for network, 24 bits for host address
    • Approx. 125 networks with over 16 million hosts each
  – Class B – starts with 10 (first number is from 128 to 191)
    • 16 bits for network, 16 bits for host address
    • Approx. 16,000 networks with over 65,000 hosts each
  – Class C – starts with 110 (first number is from 192 to 223)
    • 24 bits for network, 8 bits for host address
    • Approx. 2 million networks with over 250 hosts each
Classless Inter Domain Routing (CIDR)
• Used to assign more bits to the network portion of an IP address (and fewer bits to the host portion)
• Example: 192.168.0.65/26
  – The /26 indicates that 26 bits of the IP address identify the network instead of the standard Class C 24-bit network portion
  – The extra two network bits divide this Class C address space into four sub-networks (subnets):

Network Address   Broadcast Address   First host address
192.168.0.0       192.168.0.63        192.168.0.1
192.168.0.64      192.168.0.127       192.168.0.65
192.168.0.128     192.168.0.191       192.168.0.129
192.168.0.192     192.168.0.255       192.168.0.193
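The address conversions, the classful rule and the /26 subnet table above, worked through in Python as an added example (this is not code from the original slides). It uses only the standard-library ipaddress module and generalizes from the slide's single /26 case to any prefix length; the class test adds the standard D (1110) and E (1111) prefixes that the slide does not list.

```python
"""IP address representations, address class and CIDR subnet arithmetic.

Added example, not part of the original slides. Uses only the standard
library ipaddress module. It reproduces the slide's conversions for
192.168.0.1, derives the class from the leading bits, and shows how the
two extra network bits of a /26 split the Class C block 192.168.0.0/24
into the four subnets listed in the slide's table.
"""
import ipaddress


def representations(dotted: str) -> dict:
    """One 32-bit address as binary string, decimal integer and dotted quad."""
    value = int(ipaddress.IPv4Address(dotted))
    return {"binary": format(value, "032b"),
            "decimal": value,
            "dotted": str(ipaddress.IPv4Address(value))}


def address_class(dotted: str) -> str:
    """Classful rule from the slide: A starts with 0, B with 10, C with 110.
    1110 (D, multicast) and 1111 (E, reserved) complete the standard scheme."""
    first_octet = int(ipaddress.IPv4Address(dotted)) >> 24
    if first_octet >> 7 == 0b0:
        return "A"
    if first_octet >> 6 == 0b10:
        return "B"
    if first_octet >> 5 == 0b110:
        return "C"
    if first_octet >> 4 == 0b1110:
        return "D"
    return "E"


def subnet_summary(host_and_prefix: str) -> dict:
    """Network, broadcast, first/last usable host and mask for 'a.b.c.d/n'."""
    net = ipaddress.ip_interface(host_and_prefix).network
    hosts = list(net.hosts())            # excludes network and broadcast addresses
    return {"network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "host_count": len(hosts),
            "mask": str(net.netmask)}


def split_block(block: str, new_prefix: int) -> list:
    """Divide a block into subnets of new_prefix; each added network bit
    doubles the subnet count and halves the hosts per subnet.
    Returns (network, broadcast, first host) rows like the slide's table."""
    return [(str(s.network_address), str(s.broadcast_address), str(s.network_address + 1))
            for s in ipaddress.ip_network(block).subnets(new_prefix=new_prefix)]


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True when two hosts fall in the same network under the given prefix."""
    return (ipaddress.ip_interface(f"{a}/{prefix}").network
            == ipaddress.ip_interface(f"{b}/{prefix}").network)


if __name__ == "__main__":
    print(representations("192.168.0.1"), address_class("192.168.0.1"))
    print(subnet_summary("192.168.0.65/26"))
    for row in split_block("192.168.0.0/24", 26):
        print("%-15s %-15s %-15s" % row)
    # same /24, but the /26 boundary separates them
    print(same_subnet("192.168.0.65", "192.168.0.130", 24),
          same_subnet("192.168.0.65", "192.168.0.130", 26))
```

The last call pair is the point of the example: 192.168.0.65 and 192.168.0.130 share the classful /24 but sit in different /26 subnets, so a filter or routing rule written against the classful boundary would treat them as one network while the CIDR deployment does not.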
TCP Protocol header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgement Number                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |        Urgent Pointer         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           User Data                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

• The source and destination port numbers in the TCP header are used to match packet-filtering firewall rules
UDP Protocol header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Length             |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Data (if any)                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

• The source and destination port numbers in the UDP header are used to match packet-filtering firewall rules
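An added example (not code from the original slides) that ties the encapsulation diagram to the three header layouts above: it builds a TCP segment and a UDP datagram, wraps each in an IPv4 header with a correctly computed header checksum, and parses the result back layer by layer, pulling out exactly the fields the slides say a packet filter matches on. The IP addresses are the ones used in the NAT slides later in this deck; the ports, payload and IP identification value are constructed for the demo, and the TCP/UDP checksums are left at zero because they cover a pseudo-header and payload that this layout demo does not compute.

```python
"""Encapsulation and header layout: IPv4 carrying TCP or UDP.

Added example, not part of the original slides. Builds a datagram the
way the stack does (message -> TCP/UDP header -> IP header), then parses
it back and extracts the fields a packet-filtering firewall matches on:
source/destination address, protocol, source/destination port and the
TCP flags. Ports, payload and IP identification are constructed values.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_FMT = "!HHIIBBHHH"        # 20-byte TCP header without options
UDP_FMT = "!HHHH"             # 8-byte UDP header
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (the IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _aton(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _ntoa(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_tcp_header(sport, dport, seq, ack, flags, window=65535) -> bytes:
    """Data offset 5 (no options); the TCP checksum is left zero because it
    covers a pseudo-header plus payload that this layout demo does not compute."""
    return struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def build_udp_header(sport, dport, payload_len) -> bytes:
    """Length counts header and payload; checksum left zero (optional in IPv4)."""
    return struct.pack(UDP_FMT, sport, dport, 8 + payload_len, 0)


def build_ipv4(src, dst, proto, segment, ttl=64, ident=0x1234) -> bytes:
    """Encapsulate a transport segment: version 4, IHL 5, DF set, checksum filled in."""
    fields = [(4 << 4) | 5, 0, 20 + len(segment), ident, 0x4000, ttl, proto, 0,
              _aton(src), _aton(dst)]
    fields[7] = checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + segment


def header_checksum_ok(pkt: bytes) -> bool:
    """A correct IPv4 header, checksum field included, sums to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    return checksum(pkt[:ihl]) == 0


def parse_packet(pkt: bytes) -> dict:
    """Walk the layers: IP header -> transport header -> payload.

    A filtering device should reject a bad version or checksum before it
    trusts any other field, so both are checked first.
    """
    (ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if not header_checksum_ok(pkt):
        raise ValueError("bad IPv4 header checksum")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": _ntoa(src), "dst": _ntoa(dst), "proto": proto,
            "ttl": ttl, "total_length": total_len}
    seg = pkt[ihl:total_len]                # the IP layer's payload
    if proto == IPPROTO_TCP:
        sport, dport, seq, ack, off, flags, _win, _, _ = struct.unpack(TCP_FMT, seg[:20])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack,
                    flags=[n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
                    payload=seg[(off >> 4) * 4:])
    elif proto == IPPROTO_UDP:
        sport, dport, length, _ = struct.unpack(UDP_FMT, seg[:8])
        info.update(sport=sport, dport=dport, payload=seg[8:length])
    else:
        info["payload"] = seg
    return info


def demo_tcp_syn() -> dict:
    """SYN from 192.168.1.15:17212 to 216.239.51.101:80 (addresses from the PAT slide)."""
    tcp = build_tcp_header(17212, 80, seq=1000, ack=0, flags=0x02)   # SYN only
    return parse_packet(build_ipv4("192.168.1.15", "216.239.51.101", IPPROTO_TCP, tcp))


def demo_udp() -> dict:
    """UDP datagram to port 53 with a constructed payload."""
    payload = b"constructed payload"
    udp = build_udp_header(51000, 53, len(payload)) + payload
    return parse_packet(build_ipv4("10.0.0.5", "10.0.0.1", IPPROTO_UDP, udp))


if __name__ == "__main__":
    print(demo_tcp_syn())
    print(demo_udp())
```

Note the order in parse_packet: the IP layer is validated and consumed before the transport header is even looked at, mirroring the stack diagram, and a corrupted header is rejected before its port numbers could be fed to a rule set.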
Port numbering
• 16-bit number (range is from 0 – 65535)
• Divided into three groups
  – Well-known port numbers
    • 0 – 1023
  – Registered port numbers
    • 1024 – 49151
  – Dynamic/Private port numbers
    • 49152 – 65535
• Ephemeral (short-lived) ports
  – Port numbers assigned to the client side of a connection for the duration of the connection
  – Pool of ephemeral ports is reusable
  – Defaults vary based on operating system (Windows is 1024-4999)

Examples of TCP and UDP well-known ports

Name       Port/Protocol  Comment
ftp-data   20/tcp
ftp        21/tcp
telnet     23/tcp
smtp       25/tcp         mail
http       80/tcp
pop3       110/tcp        # Post Office
nntp       119/tcp        usenet  # Network News Transfer
imap       143/tcp        # Internet Message Access
ssh        22/tcp         # Secure SHell
who        513/udp        whod
kerberos   750/udp        kdc  # Kerberos key server
Networking components
• Hosts
  – Considered a “node” or “end point” in the network (client/server/printer)
  – Processes all levels of the protocol stack
• Hubs
  – Acts as an “extender” - acts at physical layer
  – Does not do any processing
• Bridges
  – Attaches two physically identical LANs together, physical layer processing
  – Forwards only traffic which is destined for “the other side”
Networking components (continued)

Figure: layers processed by each component. Hosts (Application, TCP, IP, Data link, Physical) are joined by hubs, which process only the Physical layer; a bridge between two hubs processes the Data link and Physical layers on each of its two sides.
Networking components (continued)
• Switches
  – Works at the data link layer
  – Each port on the switch acts like a bridge
• Routers
  – Processing at the Network layer
  – Route packets between networks with potentially different lower level protocol stacks (i.e., different physical and data link layers)
• Gateways
  – Processes all levels of the protocol stack
  – Used to connect networks with different protocol stacks
Networking components (continued)

Figure: layers processed by each component. Switch: Datalink and Physical on each port. Router: Network, Datalink and Physical on each interface. Gateway: the full stack (Application, TCP, IP, Datalink, Physical) on each side. Hosts: the full stack.
What is a “secure web server”?
• To vendors, a web server which supports cryptographic protocols
• To web surfers, a web server which will safeguard the user’s personal information and their privacy, and which will not take control of their browser and cause it to download viruses, etc.
• To a company running a web server, it is a server which is resistant to a determined attack over the internet or from within the company
The Web Security Problem
• Part 1 - securing the web server and the data on it
  – ensure the server remains available
  – ensure the information isn’t modified without authorization
  – ensure the information isn’t distributed to unauthorized parties
• Part 2 - securing the transfer of information
  – ensure that confidential transmissions cannot be read, modified, or destroyed by others
• Part 3 - securing the user’s own computer
  – ensure that information downloaded from your service will not compromise the user’s system in any way, and that the downloaded information will continue to be controlled in accordance with the license agreement or copyright
• Additional concerns - in some cases we must also
  – verify the identity of the user to the server
  – verify the identity of the server to the user
  – ensure adequate logging for billing, conflict resolution, “non-repudiation”, and investigation of misuse
A typical online credit card transaction

Figure (parties shown): User, User’s computer, Order form, ISP, Internet Backbone, Online store, Internet Payment Network, User’s bank, Merchant bank, Warehouse, Delivery Service.
• Well-publicized risks for credit card holder
  – credit card number may be “sniffed” in transit. Illegal charges can be placed to max out the credit limit, causing the card to be unusable by its rightful owner
  – credit card could be billed, but goods might never arrive - merchant site has since disappeared…
• SSL is supposed to protect the consumer…
  – the consumer is already protected, in that the card holder is only liable for the first $50 of fraudulent charges (or none, depending on the credit company)
  – the banks are liable for the charges, unless they can prove negligence on the part of the merchant
  – proof of who the merchant is has already been carried out in rigorous detail, in order for the merchant to secure a merchant credit account
  – SSL really helps protect the merchant and the bank, not the consumer
Less-well-publicized risks for the user
• information provided in transaction might be used/sold for mailing lists or other forms of solicitation
• information regarding user’s price sensitivity might be used to selectively raise prices for the individual in the future
• web browser might be subverted in order to glean confidential user information directly from user’s machine
• web browser might be subverted in order to wipe the user’s hard drive or, alternatively, silently forward contents of the hard drive to an arbitrary host on the internet
Less-well-publicized risks for the merchant
• User might try to access merchant site and find it down or too slow, and decide to buy from a competitor
• User might be a competitor (or robot) searching the site in order to undercut prices
• User might be a criminal with a stolen credit card
• If the merchant stores the credit card numbers on their computer, it could be hacked, opening them up to liability
• A hacker could break in and introduce fraudulent orders from the web server into the legacy databases
• A hacker could reverse credit payments onto their own card once they’ve compromised the system
• A hacker could cause orders to be messed up, shipping the wrong goods to customers
• A hacker could lower prices below the cost to the merchant
Firewall Basics - Types of firewall
• Packet filter
• Stateful packet filter
• Circuit-level gateway
• Proxy-based

Packet filtering firewalls
• Packet filtering firewalls decide whether or not to forward packets based on
  – source and destination IP addresses
  – protocol field
  – source and destination port numbers
  – SYN flag settings
• Rules dictate whether or not packets should be forwarded
• Inspects packets in isolation
• Does not keep track of connection state
• Susceptible to application layer attacks
Stateful packet filtering firewalls
• Maintains state information on connections
• Tracks open, valid connections without reprocessing rule set
• Can implement complex policies
• Susceptible to Application Layer attacks
• Lacks user authentication control
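The difference between the two filter types above, as an added example (not code from the original slides). A packet is reduced to the fields the slides list (addresses, protocol, ports, SYN/ACK flags). The stateless filter applies a classic outbound-only rule set to each packet in isolation; the stateful filter records connections opened from the inside and admits an inbound packet only when it belongs to one. The internal prefix, the hosts and the rule set are constructed for the demo; connection teardown and timeouts are omitted.

```python
"""Stateless versus stateful packet filtering.

Added example, not part of the original slides. A packet is just the
fields the slides say filters match on (addresses, protocol, ports and
the SYN/ACK flags). The stateless filter judges each packet in isolation
from a fixed rule list; the stateful filter records connections opened
from the inside and admits an inbound packet only when it belongs to
one. The internal prefix, hosts and rules are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    inbound: bool = True  # True if arriving on the untrusted interface


INTERNAL_PREFIX = "192.168.1."   # constructed internal network


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_PREFIX)


def stateless_filter(p: Packet) -> bool:
    """Classic two-rule policy for outbound-only access:
      1. allow any TCP packet leaving from an internal address;
      2. allow inbound TCP with ACK set to a high (client) port, since a
         reply to an internal client always carries ACK.
    Inbound SYN-only packets (new connection attempts) are dropped.

    Judging each packet alone, rule 2 cannot tell a genuine reply from an
    inbound packet that merely has ACK set: both are accepted.
    """
    if not p.inbound and p.proto == "tcp" and is_internal(p.src):
        return True
    if p.inbound and p.proto == "tcp" and p.ack and p.dport >= 1024:
        return True
    return False


class StatefulFilter:
    """Tracks connections initiated from the inside and allows inbound
    traffic only for a tracked connection. Teardown on FIN/RST and idle
    timeouts are omitted to keep the demo short."""

    def __init__(self) -> None:
        # (client ip, client port, server ip, server port, proto)
        self.connections: set = set()

    def filter(self, p: Packet) -> bool:
        if not p.inbound and p.proto == "tcp" and is_internal(p.src):
            if p.syn and not p.ack:           # new connection from inside
                self.connections.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return True
        if p.inbound:
            return (p.dst, p.dport, p.src, p.sport, p.proto) in self.connections
        return False


def run_demo() -> dict:
    """One outbound SYN, then three inbound packets; the verdicts differ on one."""
    client, server, other = "192.168.1.15", "216.239.51.101", "203.0.113.9"
    out_syn = Packet(client, server, "tcp", 17212, 80, syn=True, inbound=False)
    reply = Packet(server, client, "tcp", 80, 17212, syn=True, ack=True)
    unsolicited = Packet(other, client, "tcp", 80, 2048, ack=True)
    new_inbound = Packet(other, client, "tcp", 40000, 22, syn=True)

    sf = StatefulFilter()
    results = {}
    for name, pkt in [("out_syn", out_syn), ("reply", reply),
                      ("unsolicited_ack", unsolicited), ("inbound_syn", new_inbound)]:
        results[name] = {"stateless": stateless_filter(pkt), "stateful": sf.filter(pkt)}
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16s} stateless={verdict['stateless']!s:5s} stateful={verdict['stateful']}")
```

The "unsolicited_ack" row is the one to look at: both filters pass the real reply and both drop the inbound SYN, but only the stateful filter drops an inbound packet that carries ACK without a connection behind it, because it has a table to consult instead of a single packet to judge.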
Circuit level gateway
• Operates at the Session layer of the OSI model (just above the Transport layer of the TCP/IP stack)
• Acts as a proxy between application server and client
• The gateway hides the addresses on the internal network
• Once a connection through the gateway has been established, traffic on this connection is passed without further scrutiny
Proxy-based firewalls
• Proxy-based firewalls operate at the application layer of the protocol stack
• Uses set of application-level proxies
  – One per application (FTP, HTTP, SMTP,…)
• Enforces the application rules
• Application awareness allows for detailed logging of events at the application layer
• Maintains dual opposing connections between endpoints

Figure: Client <-> Proxy <-> Server. The client’s connection terminates at the proxy and the proxy holds a second connection to the server; client and server see a single logical connection.
Network Topology
• The topology of your network after deploying a firewall will likely include several types of network, such as:
  – Internet
    • Attached to the untrusted interface of the firewall
  – De-Militarized Zone (DMZ)
    • The LAN attached to the untrusted interface of the firewall
  – Extranet
    • If using VPNs, may include remote branch offices or mobile clients
  – Service network
    • A network protected by the firewall but separate from the internal trusted network, used to offer services over the Internet such as a web server
  – Protected network
    • The internal trusted network which the firewall will protect
  – Enclave network
    • An internal network protected from the rest of the internal network to mitigate internal threats to sensitive data
Network Topology (continued)

Figure (components shown): Internet; Screening router; DMZ network with Bastion hosts; Security Gateway; Service network with selected services (SMTP, FTP, Web, ...); Protected Network; Internal Security Gateway; Enclave network.
Network Address Translation
• Static NAT
  – Translates IP addresses in a one-to-one mapping
  – Maps a subnet of addresses to a pool of NAT’ed addresses
  – Useful when allowing incoming connections to a server on the service network
• Dynamic NAT
  – Translates IP addresses in a one-to-one temporary mapping
  – Address mappings last for the duration of a session
• PAT (Port address translation)
  – Replaces internal addresses with the external IP address of the firewall
  – Uses port numbers to manage the mappings
  – Useful for allowing outgoing access for many internal clients
Network Address Translation (continued)

Internal host (IP 192.168.1.15) -- Security Gateway (IP 192.168.1.1 / IP 129.173.67.14) -- Internet
NAT pool: 192.168.1.15 == 129.173.67.15

                                    Source            Destination
Outgoing, inside the gateway:       192.168.1.15      216.239.51.101 …
Outgoing, after translation:        129.173.67.15     216.239.51.101 ...
Incoming, from the Internet:        216.239.51.101    129.173.67.15 ...
Incoming, after translation:        216.239.51.101    192.168.1.15 …

• Source IP address re-written on outgoing packets
• Destination IP address re-written on incoming packets
Port Address Translation

Internal host (IP 192.168.1.15) -- Security Gateway (IP 192.168.1.1 / IP 129.173.67.14) -- Internet
Port mapping: 192.168.1.15:17212 == 129.173.67.14:21031

                                    Source                 Destination
Outgoing, inside the gateway:       192.168.1.15:17212     216.239.51.101:80 …
Outgoing, after translation:        129.173.67.14:21031    216.239.51.101:80 ...
Incoming, from the Internet:        216.239.51.101:80      129.173.67.14:21031 ...
Incoming, after translation:        216.239.51.101:80      192.168.1.15:17212 …

• Source IP and port re-written on outgoing packets
• Destination IP and port re-written on incoming packets
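The two translation diagrams above replayed in code, as an added example (not code from the original slides). StaticNAT reproduces the pool mapping 192.168.1.15 == 129.173.67.15 and works in both directions; PAT gives every internal client the gateway's external address 129.173.67.14 and a distinct translated source port, which is what lets replies find their way back. The external port pool starts at 21031 only so that the first mapping matches the slide's table; that starting point, the second client 192.168.1.20 and the unmapped inbound packet are constructed assumptions for the demo.

```python
"""Static NAT and PAT as done by the security gateway in the two slide diagrams.

Added example, not part of the original slides. Packets are reduced to
the four fields the gateway rewrites. StaticNAT reproduces the pool
mapping 192.168.1.15 == 129.173.67.15; PAT gives every internal client
the gateway's external address 129.173.67.14 and a translated source
port. The external port pool starts at 21031 only so the output matches
the slide's table; the starting point and the second client are
constructed assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class StaticNAT:
    """One-to-one address mapping. Because it is fixed and bidirectional,
    an outside host can initiate a connection to the mapped server."""

    def __init__(self, pool: dict) -> None:
        self.out_map = dict(pool)                        # inside -> outside
        self.in_map = {v: k for k, v in pool.items()}    # outside -> inside

    def outbound(self, p: Packet) -> Packet:
        """Source IP re-written on outgoing packets."""
        return replace(p, src=self.out_map.get(p.src, p.src))

    def inbound(self, p: Packet) -> Packet:
        """Destination IP re-written on incoming packets."""
        return replace(p, dst=self.in_map.get(p.dst, p.dst))


class PAT:
    """Many inside (ip, port) pairs share one external IP; the translated
    source port is the key that routes replies back."""

    def __init__(self, external_ip: str, first_port: int = 21031,
                 last_port: int = 65535) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        self.last_port = last_port
        self.by_inside: dict = {}    # (inside ip, inside port) -> external port
        self.by_port: dict = {}      # external port -> (inside ip, inside port)

    def _port_for(self, inside: tuple) -> int:
        if inside in self.by_inside:
            return self.by_inside[inside]
        if self.next_port > self.last_port:
            raise RuntimeError("PAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        self.by_inside[inside] = port
        self.by_port[port] = inside
        return port

    def outbound(self, p: Packet) -> Packet:
        """Source IP and port re-written on outgoing packets."""
        return replace(p, src=self.external_ip, sport=self._port_for((p.src, p.sport)))

    def inbound(self, p: Packet):
        """Destination IP and port re-written on incoming packets.

        Returns None when there is no mapping: an unsolicited packet has no
        inside host to go to, so PAT incidentally blocks inbound connections.
        """
        inside = self.by_port.get(p.dport)
        if p.dst != self.external_ip or inside is None:
            return None
        return replace(p, dst=inside[0], dport=inside[1])


def run_demo() -> dict:
    """Replays both slide diagrams and adds a second PAT client."""
    web = "216.239.51.101"
    nat = StaticNAT({"192.168.1.15": "129.173.67.15"})
    pat = PAT("129.173.67.14")
    return {
        "nat_out": nat.outbound(Packet("192.168.1.15", web, 17212, 80)),
        "nat_in": nat.inbound(Packet(web, "129.173.67.15", 80, 17212)),
        "pat_out": pat.outbound(Packet("192.168.1.15", web, 17212, 80)),
        "pat_out_2": pat.outbound(Packet("192.168.1.20", web, 17212, 80)),
        "pat_in": pat.inbound(Packet(web, "129.173.67.14", 80, 21031)),
        "pat_in_unmapped": pat.inbound(Packet(web, "129.173.67.14", 80, 40000)),
    }


if __name__ == "__main__":
    for name, pkt in run_demo().items():
        print(f"{name:16s} {pkt}")
```

The second PAT client deliberately uses the same source port 17212 as the first: both map to the one external address, and only the translated ports 21031 and 21032 keep the two flows apart on the way back in.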