
Network Security CS 478/CIS 678


Presentation Transcript


  1. Network Security CS 478/CIS 678 Intro to TCP/IP

  2. Objectives Reading: Computer Security Principles and Practice, W Stallings, L Brown • Appendix E (See my web link) The student should be able to: • Interpret output for ARP, IP, TCP, UDP, ICMP on a sniffer: Wireshark (sufficient as shown in this PowerPoint).

  3. Internet Architecture

  4. TCP/IP Packet (figure: one message wrapped layer by layer)
     • L2 Ethernet header: What physical node to send to?  Ethernet trailer: CRC (packet check code)
     • L3 IP header: Source & destination logical addresses
     • L4 TCP header: Which app does this go to?
     • Application: What data is actually being sent?

  5. Addressing Requirements • two levels of addressing required • each host on a subnet needs a unique global network address • its IP address • each application on a (multi-tasking) host needs a unique address within the host • known as a port

  6. TCP/IP Packet (same figure, with example values)
     • L2 Ethernet header: What physical node to send to? Address on LAN: 00:0c:29:80:ec:29.  Ethernet trailer: CRC (packet check code)
     • L3 IP header: Source & destination logical addresses, e.g. Ginger.cs.uwp.edu = 124.36.92.81
     • L4 TCP header: Which app does this go to? Port 80 = web
     • Application: What data is actually being sent? "Hi Alice, Are you coming to the party on Friday?"

  7. Operation of TCP and IP

  8. Operation of TCP/IP

  9. Some TCP/IP Protocols

  10. Protocols used at each Layer L5 = Application L4 = Transport: • TCP: Transmission Control Protocol (End-to-End Error control: Retransmission) • UDP: User Datagram Protocol (Only Port Addressing) L3 = Network: • IP: Internet Protocol (Routing) • ICMP: Internet Control Message Protocol (Reports errors, performs tests for IP) L2 = Data Link Layer - Medium Access Control (MAC): • Ethernet Protocol • ARP: Address Resolution Protocol (Translates IP to MAC addresses)

  11. Physical Layer • concerned with physical interface between computer and network • concerned with issues like: • characteristics of transmission medium • signal levels • data rates • other related matters

  12. Network Access Layer • exchange of data between an end system and attached network • concerned with issues like: • destination address provision • invoking specific services like priority • access to & routing data across a network link between two attached systems • allows layers above to ignore link specifics

  13. Internet Layer (IP) • routing functions across multiple networks • for systems attached to different networks • implemented in end systems and routers • routers connect two networks and relay data between them
     #    Time        Source IP   Dest IP     App  Info
     152  919.001559  10.1.1.165  10.1.1.128  IP   Fragmented IP protocol (proto=ICMP 0x01, off=0, ID=19d9)

  14. Internet Protocol (IP) • Performs routing • Addresses hosts • Performs fragmentation/reassembly • Security problem: Spoofed fragments replace or confuse real data • Security problem: Fragmented attacks may not be noticed by firewalls, IDS (depending on their sophistication)

  15. IP Header

  16. IP Header Format
     First 32-bit word (8 nibbles):
     • bits 0-3: IP Version (V4 or V6)
     • bits 4-7: Header length (in 32-bit words)
     • bits 8-15: Type of service (relates to quality of service - ignore for this class)
     • bits 16-31: Total length
     Second 32-bit word (8 nibbles):
     • bits 0-15: Identification (used with fragmentation)
     • bits 16-18: Flags: More bit, Don't Fragment
     • bits 19-31: Fragment offset
     Third 32-bit word (8 nibbles):
     • bits 0-7: Time to live
     • bits 8-15: Next Protocol (e.g. TCP, ICMP)
     • bits 16-31: Header Checksum
     Fourth 32-bit word (8 nibbles): Source IP Address
     Fifth 32-bit word (8 nibbles): Destination IP Address
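As an added example (not part of the slides), a small Python decoder that walks the five 32-bit words listed above, extracts the flags and fragment offset, and verifies the header checksum the way a sniffer does. The sample header is constructed to mirror frame 152 on slide 13 (ICMP, ID 19d9, offset 0); it is not bytes from the original capture.

```python
import struct
from ipaddress import IPv4Address

FLAG_DF = 0x4000   # Don't Fragment bit of the 16-bit flags + fragment-offset field
FLAG_MF = 0x2000   # More Fragments bit

def ones_complement_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the five 32-bit words of slide 16 (plus any options) and verify the checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    ver_ihl, tos, tlen, ident, flags_off, ttl, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a complete IPv4 header (version=%d, ihl=%d)" % (version, ihl))
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    return {
        "version": version, "header_len": ihl * 4, "tos": tos, "total_length": tlen,
        "identification": ident, "dont_fragment": bool(flags_off & FLAG_DF),
        "more_fragments": bool(flags_off & FLAG_MF), "fragment_offset_bytes": (flags_off & 0x1FFF) * 8,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        # A header whose checksum field is correct sums to 0xFFFF, so re-checksumming it yields 0.
        "checksum_ok": ones_complement_checksum(pkt[: ihl * 4]) == 0,
    }

def build_ipv4_header(src, dst, proto, ident, flags_off, total_len, ttl=128) -> bytes:
    """Assemble a 20-byte header with a correct checksum (used only to construct test input)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]

# Constructed sample modelled on frame 152 of slide 13: ICMP (0x01), ID 0x19d9, offset 0,
# More Fragments set because another fragment follows. Not bytes from the original capture.
SAMPLE = build_ipv4_header("10.1.1.165", "10.1.1.128", 1, 0x19D9, FLAG_MF, 1500)

if __name__ == "__main__":
    for k, v in parse_ipv4_header(SAMPLE).items():
        print("%-22s %s" % (k, v))
```

Flipping a single bit anywhere in the header makes `checksum_ok` false, which is exactly what Wireshark's "Header checksum: incorrect" warning reports.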

  17. Transmission Control Protocol (TCP) • usual transport layer is (TCP) • provides a reliable connection for transfer of data between applications • a TCP segment is the basic protocol unit • TCP tracks segments between entities for duration of each connection

  18. Transmission Control Protocol (TCP) • TCP is responsible for end-to-end retransmission and reordering of packets received out-of-order. • Addresses applications via 16-bit Port number • Performs error control on an end-to-end basis: • Reorders out-of-sequence segments • Retransmits segments when acknowledgements are not received • Performs flow control on an end-to-end basis (using the window) • Performs congestion control to ensure network is not overwhelmed

  19. TCP Header Fields • Source Port: Source port (application) address • Dest Port: Destination port (application) address • Flag: S=SYN, F=FIN, P=PUSH, R=RESET, A=ACK • Sequence #: Beginning Sequence number (byte #) • AckNr: Acknowledgment sequence number (=next expected seq #) • WindowSize: Size of empty space in receive buffer (in bytes) • Checksum: Verifies no change in segment and parts of IP header • Urgent Pointer: index to urgent data (rarely used)

  20. TCP • TCP is connection-oriented, which means that it must explicitly establish and break down a connection before transmission occurs. • Establishes a connection • Sends data • Each side gracefully disconnects

  21. TCP Flags The flags within segments that TCP uses include: S=SYN: Request to establish a connection P=PUSH: Request from application to flush (or force) transmission. F=FIN: Request to close a transmission - graceful R=RESET: Notification of aborting of a connection A=ACK: Contains an acknowledgment for previous data

  22. Initiate a TCP Connection • Establishes a connection via a 3-way handshake. • SYN=Synchronization, establishes send and receive sequence numbers
     Client → Server: SYN
     Client ← Server: SYN,ACK
     Client → Server: ACK

  23. Send TCP Data • Each byte of TCP data has a sequence number; the Sequence # field carries the byte number of the first byte in the segment. • The acknowledgment carries the sequence number of the byte expected next
     Sender → Receiver: PUSH (data)
     Sender ← Receiver: ACK
     #   Time         Source IP  Dest IP     App  Port > Port  [Packet Type] SendSeq AckSeq
     45  1037.608722  10.1.1.3   10.1.1.165  TCP  3128 > 1270  [ACK] Seq=86244 Ack=6584 Win=19220 Len=0
     46  1037.751240  10.1.1.3   10.1.1.165  TCP  [TCP segment of a reassembled PDU]
     47  1037.751279  10.1.1.3   10.1.1.165  TCP  [TCP segment of a reassembled PDU]

  24. Terminate TCP Connection • Graceful Disconnect: Both sides must disconnect • FIN = Finish • Sending FIN indicates no more data to transmit
     A → B: FIN
     A ← B: ACK
     A ← B: FIN
     A → B: ACK

  25. Session Abort • I don't want to participate in this connection • Uses Reset
     A → B: RST

  26. TCP Connect - Data - Disconnect
     #   Time      Source IP   Dest IP     App  Port > Port  [Packet Type] SendSeq AckSeq
     1   0.000000  10.1.1.165  10.1.1.3    TCP  1179 > 3128  [SYN] Seq=0 Win=64240 Len=0 MSS=1460
     2   0.000623  10.1.1.3    10.1.1.165  TCP  3128 > 1179  [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
     3   0.000667  10.1.1.165  10.1.1.3    TCP  1179 > 3128  [ACK] Seq=1 Ack=1 Win=64240 Len=0
     …
     7   0.029386  10.1.1.165  10.1.1.3    TCP  1179 > 3128  [ACK] Seq=860 Ack=3691 Win=64240 Len=0
     …
     8   0.160003  10.1.1.3    10.1.1.165  TCP  80 > 1190    [FIN, ACK] Seq=341 Ack=436 Win=6432 Len=0
     9   0.160598  10.1.1.165  10.1.1.3    TCP  1190 > 80    [ACK] Seq=436 Ack=342 Win=63900 Len=0
     10  0.161706  10.1.1.165  10.1.1.3    TCP  1190 > 80    [FIN, ACK] Seq=436 Ack=342 Win=63900 Len=0
     11  0.163407  10.1.1.3    10.1.1.165  TCP  80 > 1190    [ACK] Seq=342 Ack=437 Win=6432 Len=0
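An added example, not from the slides: a Python script that replays summary lines in the format of slides 23 and 26 and classifies each connection as handshake complete (slide 22), gracefully closed with a FIN from each side (slide 24) or aborted by RST (slide 25). It also notes a SYN,ACK whose Ack is not the client's ISN+1 and a close seen without any handshake in the capture. Frames 1, 2, 3, 8 and 10 are copied from the slide; frame 12 is constructed to exercise the RST path.

```python
import re
from collections import defaultdict

# Matches the Wireshark summary-line format reproduced on the slides (frame, time, IPs, ports, flags).
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+TCP\s+"
    r"(?P<sport>\d+)\s*>\s*(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\](?P<rest>.*)$")

# Frames 1, 2, 3, 8 and 10 are copied from slide 26; frame 12 is a constructed RST abort (slide 25).
TRACE = """\
1 0.000000 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
2 0.000623 10.1.1.3 10.1.1.165 TCP 3128 > 1179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3 0.000667 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [ACK] Seq=1 Ack=1 Win=64240 Len=0
8 0.160003 10.1.1.3 10.1.1.165 TCP 80 > 1190 [FIN, ACK] Seq=341 Ack=436 Win=6432 Len=0
10 0.161706 10.1.1.165 10.1.1.3 TCP 1190 > 80 [FIN, ACK] Seq=436 Ack=342 Win=63900 Len=0
12 0.200000 10.1.1.165 10.1.1.3 TCP 1200 > 3128 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
"""

def parse_line(line):
    """Return ((src_ip, sport), (dst_ip, dport), flag set, {Seq, Ack, ...}) or None if not a TCP summary line."""
    m = LINE_RE.match(line)
    if not m:
        return None                  # "..." elision lines and reassembled-PDU rows carry no flags
    fields = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m["rest"])}
    flags = {x.strip() for x in m["flags"].split(",")}
    return (m["src"], int(m["sport"])), (m["dst"], int(m["dport"])), flags, fields

def track_connections(lines):
    """Replay a trace and classify each flow: 3-way handshake, graceful close or RST abort."""
    flows = defaultdict(lambda: {"state": "NEW", "client": None, "isn": {}, "fins": set(), "notes": []})
    for src, dst, flags, f in filter(None, map(parse_line, lines)):
        fl = flows[tuple(sorted((src, dst)))]          # one record per endpoint pair, either direction
        st = fl["state"]
        if "RST" in flags:                             # slide 25: abort, no graceful teardown
            fl["state"] = "ABORTED"
        elif "SYN" in flags and "ACK" not in flags:    # handshake step 1: client picks its ISN
            fl.update(state="SYN_SENT", client=src, isn={src: f["Seq"]})
        elif "SYN" in flags and st == "SYN_SENT":      # step 2: SYN,ACK must acknowledge ISN+1
            if f["Ack"] != fl["isn"][dst] + 1:
                fl["notes"].append("SYN/ACK does not acknowledge the client ISN+1")
            fl["isn"][src], fl["state"] = f["Seq"], "SYN_RECEIVED"
        elif st == "SYN_RECEIVED" and "ACK" in flags and src == fl["client"]:   # step 3
            fl["state"] = "ESTABLISHED" if f["Ack"] == fl["isn"][dst] + 1 else "HANDSHAKE_BAD"
        elif "FIN" in flags:                           # slide 24: graceful close needs a FIN from each side
            if st == "NEW":
                fl["notes"].append("FIN before any observed handshake: capture began mid-stream")
            fl["fins"].add(src)
            fl["state"] = "CLOSED" if len(fl["fins"]) == 2 else "CLOSING"
    return dict(flows)
```

Running `track_connections(TRACE.splitlines())` yields three flows: 1179/3128 established with a clean handshake, 1190/80 closed but noted as seen mid-stream (the slide's listing splices two connections), and 1200/3128 aborted.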

  27. TCP Wireshark Showing Connection, Data, Disconnect

  28. TCP Header

  29. User Datagram Protocol (UDP) • UDP can be used instead of TCP to address an application • Does NOT support end-to-end retransmission, reordering of out-of-order packets, flow control or congestion control. • Addresses applications via 16-bit Port number Protocol: • UDP is connectionless, which means it sends packets without establishing a connection first. If packets cannot be successfully sent, there may be no indication of failure. • 1 packet type: Send data
     1  0.000000  131.210.13.7  10.1.1.165  UDP  Source port: 1060  Dest port: 8881

  30. User Datagram Protocol(UDP) • an alternative to TCP • no guaranteed delivery • no preservation of sequence • no protection against duplication • minimum overhead • adds port addressing to IP

  31. Application Layer • provide support for user applications • need a separate module for each type of application
     4   0.001151   10.1.1.165  10.1.1.3   HTTP  GET http://www.cs.uwp.edu/Classes/Cs475 HTTP/1.1
     90  80.400513  10.1.1.165  10.1.1.10  SNMP  get-request RFC1213-MIB::mib-2.25.3.2.1.5.1 RFC1213-MIB::mib-2.25.3.5.1.1.1 RFC1213-MIB::mib-2.25.3.5.1.2.1

  32. Application Protocols Application & Port • SMTP: Simple Mail Transfer Protocol (Email): 25 • HTTP: HyperText Transfer Protocol (Web): 80 • FTP: File Transfer Protocol: 20/21 • SNMP: Simple Network Management Protocol: 161 • DNS: Domain Name Server: 53 • NBNS: NetBios Name Service (Microsoft Internal, similar to DNS): 137 • SSL: Secure Sockets Layer: 443

  33. Some TCP/IP Protocols

  34. Internet Control Message Protocol (ICMP) • Reports errors (e.g. Destination not reachable) • Replies to requests (routing info) • Tests connectivity (ping)
     71  16.725008  10.1.1.165     207.46.170.123  ICMP  Echo (ping) request
     76  17.813662  207.231.240.7  10.1.1.165      ICMP  Time-to-live exceeded (Time to live exceeded in transit)
     73  13.696159  10.1.1.1       10.1.1.165      ICMP  Destination unreachable (Communication administratively filtered)

  35. Address Resolution Protocol (ARP) • Converts an IP Address (e.g. 192.164.53.25) to a MAC Address (e.g. 0:90:27:1c:50:d0) Protocol: • Requester broadcasts to all nodes on subnet: ARP Request (IP_Address) • Replier (Me) sends: ARP Response (IP_Address, MAC Address)
     3  8.617021  00:0c:29:80:ec:29  ff:ff:ff:ff:ff:ff  ARP  Who has 10.1.1.3? Tell 10.1.1.165
     4  8.617825  00:0e:0c:3d:f7:7d  00:0c:29:80:ec:29  ARP  10.1.1.3 is at 00:0e:0c:3d:f7:7d

  36. Domain Name Server (DNS) • Converts a host name (e.g. www.cs.uwp.edu) to a numeric IP address, or vice versa. Protocol: • Request names the host name or numeric IP address to resolve • Reply provides information about that name or address.
     53  55.927059  10.1.1.165  10.1.1.3    DNS  Standard query A www.mozilla.org
     54  55.946341  10.1.1.3    10.1.1.165  DNS  Standard query response CNAME groups.l.google.com A 74.125.95.138 A 74.125.95.139 A 74.125.95.100 A 74.125.95.101 A 74.125.95.102 A 74.125.95.113

  37. IGMP: Internet Group Management Protocol. Sets up multicast for streaming and gaming

  38. NTP: Network Time Protocol. Synchronizes clocks

  39. And now for a … Wireshark Demo
