Telecom and Network Security

• Understand the OSI model
• Identify network hardware
• Understand LAN topologies
• Basic protocols - routing and routed
• Understand IP addressing scheme
• Understand subnet masking
• Understand basic firewall architectures
• Understand basic telecommunications security issues

Course outline:
• Intro to OSI model
• LAN topologies
• OSI revisited
  • hardware
  • bridging, routing
  • routed protocols, WANs
• IP addressing, subnet masks
• Routing Protocols
OSI/ISO??
• OSI model developed by ISO, International Standards Organization
• IEEE - Institute of Electrical and Electronics Engineers
• NSA - National Security Agency
• NIST - National Institute for Standards and Technology
• ANSI - American National Standards Institute
• CCITT - International Telegraph and Telephone Consultative Committee
OSI Reference Model
• Open Systems Interconnection Reference Model
• Standard model for network communications
• Allows dissimilar networks to communicate
• Defines 7 protocol layers (a.k.a. protocol stack)
• Each layer on one workstation communicates with its respective layer on another workstation using protocols (i.e. agreed-upon communication formats)
• “Mapping” each protocol to the model is useful for comparing protocols.
The OSI Layers
7 Application - Provides specific services for applications such as file transfer
6 Presentation - Provides data representation between systems
5 Session - Establishes, maintains, manages sessions; example - synchronization of data flow
4 Transport - Provides end-to-end data transmission integrity
3 Network - Switches and routes information units
2 Data Link - Provides transfer of units of information to other end of physical link
1 Physical - Transmits bit stream on physical medium
Mnemonic: Please Do Not Take Sales Person Advice
Data Flow in OSI Reference Model
(Figure: two seven-layer stacks, Host 1 and Host 2, each with 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical. Data travels down the stack, through the network, then up the receiving stack.)
As the data passes through each layer on the client, information about that layer is added to the data. This information is stripped off by the corresponding layer on the server.
OSI Model
• Protocols required for networking are covered in the OSI model
• Keep model in mind for rest of course
• All layers to be explored in more detail
LAN Topologies
• Star Topology
• Bus Topology
• Ring Topology

Star Topology
• Telephone wiring is one common example
• Center of star is the wire closet
• Star Topology easily maintainable

Bus Topology
• Basically a cable that attaches many devices
• Can be a “daisy chain” configuration
• Computer I/O bus is example

Tree Topology
• Can be extension of bus and star topologies
• Tree has no closed loops

Ring Topology
• Continuous closed path between devices
• A logical ring is usually a physical star
• Don’t confuse logical and physical topology
Network topologies

Topology | Advantages | Disadvantages
Bus | Passive transmission medium; localized failure impact; adaptive utilization | Channel access technique (contention)
Star | Simplicity; central routing; no routing decisions | Reliability of central node; loading of central node
Ring | Simplicity; predictable delay; no routing decisions | Failure modes with global effect
LAN Access Methods
• Carrier Sense Multiple Access with Collision Detection (CSMA/CD) - Talk when no one else is talking
• Token - Talk when you have the token
• Slotted - Similar to token, talk in free “slots”

LAN Signaling Types
• Baseband - Digital signal, serial bit stream
• Broadband - Analog signal; Cable TV technology
Ethernet
• Bus topology
• CSMA/CD
• Baseband
• Most common network type
• IEEE 802.3
• Broadcast technology - transmission stops at terminators

Token Bus
• IEEE 802.4
• Very large scale, expensive
• Usually seen in factory automation
• Used when one needs:
  • Multichannel capabilities of a broadband LAN
  • Resistance to electrical interference

Token Ring
• IEEE 802.5
• Flow is unidirectional
• Each node regenerates signal (acts as repeater)
• Control passed from interface to interface by “token”
• Only one node at a time can have token
• 4 or 16 Mbps

Fiber Distributed Data Interface (FDDI)
• Dual counter rotating rings
• Devices can attach to one or both rings
• Single attachment station (SAS), dual (DAS)
• Uses token passing
• Logically and physically a ring
• ANSI governed
WAN
• WANs connect LANs
• Generally a single data link
• Links most often come from Regional Bell Operating Companies (RBOCs) or Post, Telephone, and Telegraph (PTT) agencies
• WAN link contains Data Terminal Equipment (DTE) on user side and Data Circuit-Terminating Equipment (DCE) at WAN provider’s end
• MAN - Metropolitan Area Network
ISDN
• Integrated services digital network (ISDN) is a worldwide public network service that can provide end-to-end digital communications and fully integrate technologies
• The basic rate interface (BRI) - 2B+D
• The primary rate interface (PRI) - 23B+D
• B channels - 64-Kbps bandwidth each; appropriate for either voice or data transmission
• D channel - 16-Kbps signaling channel, designed to control transmission of the B channels
Typical Point-to-Point WAN
The Connections
• T1 - 1.544 Mbps of electronic information
• T2 - a T-carrier that can handle 6.312 Mbps or 96 voice channels
• T3 - a T-carrier that can handle 44.736 Mbps or 672 voice channels
• T4 - a T-carrier that can handle 274.176 Mbps or 4032 voice channels
WAN Cont… Cable Modem and DSL
• ADSL - Asymmetric Digital Subscriber Line - 144 Kbps to 1.5 Mbps
• SDSL - Single Line Digital Subscriber Line - 1.544 Mbps to 2.048 Mbps
• HDSL - High data rate Digital Subscriber Line - 1.544 Mbps to 42.048 Mbps
• VDSL - Very high data rate Digital Subscriber Line - 13 to 52 Mbps / 1.5 to 2.3 Mbps

WAN Cont… Frame Relay and X.25
• Packet-switched technologies
• Evolved from standardization work on ISDN
• Designed to eliminate much of the overhead in X.25
• DTE - Data Terminal Equipment
• DCE - Data Circuit-terminating Equipment
• CIR - Committed Information Rate
OSI Model - Layers
Physical, Data Link, Network, Transport, Session, Presentation, Application

Physical Layer
• Specifies the electrical, mechanical, procedural, and functional requirements for activating, maintaining, and deactivating the physical link between end systems
• Examples of physical link characteristics include voltage levels, data rates, maximum transmission distances, and physical connectors
Physical Layer Hardware
• Cabling
  • twisted pair
  • 10BaseT
  • 10Base2
  • 10Base5
  • fiber
• transceivers
• hubs
• topology

Twisted Pair
• 10BaseT (10 Mbps, 100 meters w/o repeater)
• Unshielded and shielded twisted pair (UTP most common)
• Two wires per pair, twisted in spiral
• Typically 1 to 10 Mbps, up to 100 Mbps possible
• Noise immunity and emanations improved by shielding

Coaxial Cable
• 10Base2 (10 Mbps, repeater every 200 m)
• ThinEthernet or Thinnet or Coax
• 2-50 Mbps
• Needs repeaters every 200-500 meters
• Terminator: 50 ohms for ethernet, 75 for TV
• Flexible and rigid available, flexible most common
• Noise immunity and emanations very good

Coaxial Cables, cont
• Ethernet uses “T” connectors and 50 ohm terminators
• Every segment must have exactly 2 terminators
• Segments may be linked using repeaters, hubs

Standard Ethernet
• 10Base5
• Max of 100 taps per segment
• Nonintrusive taps available (vampire tap)
• Uses AUI (Attachment Unit Interface)

Fiber-Optic Cable
• Consists of outer jacket, cladding of glass, and core of glass
• Fast

Transceivers
• Physical devices to allow you to connect different transmission media
• May include Signal Quality Error (SQE) or “heartbeat” to test collision detection mechanism on each transmission
• May include “link light”, lit when connection exists

Hubs
• A device which connects several other devices
• Also called concentrator, repeater, or multi-station access unit (MAU)
Data Link Layer
• Provides data transport across a physical link
• Data Link layer handles physical addressing, network topology, line discipline, error notification, orderly delivery of frames, and optional flow control
• Bridges operate at this layer

Data Link Sub-layers
• Media Access Control (MAC) - refers downward to lower layer hardware functions
• Logical Link Control (LLC) - refers upward to higher layer software functions

Medium Access Control
• MAC address is “physical address”, unique for LAN interface card
• Also called hardware or link-layer address
• The MAC address is burned into the Read Only Memory (ROM)
• MAC address is 48 bit address in 12 hexadecimal digits
  • 1st six identify vendor, provided by IEEE
  • 2nd six unique, provided by vendor

Logical Link Control
• Presents a uniform interface to upper layers
• Enables upper layers to gain independence over LAN media access
  • Upper layers use network addresses rather than MAC addresses
• Provides optional connection, flow control, and sequencing services

Bridges
• Device which forwards frames between data link layers associated with two separate cables
• Stores source and destination addresses in table
• When bridge receives a frame it attempts to find the destination address in its table
  • If found, frame is forwarded out appropriate port
  • If not found, frame is flooded on all other ports

Bridges
• Can be used for filtering
  • Make decisions based on source and destination address, type, or combination thereof
• Filtering done for security or network management reasons
  • Limit bandwidth hogs
  • Prevent sensitive data from leaving
• Bridges can be for local or remote networks
  • Remote has “half” at each end of WAN link
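The MAC-address format and the two Bridges slides above, worked as a small learning-bridge model. This is an added example, not code from the course; the three-port bridge, the MAC addresses and the EtherType values in the demo are constructed.

```python
"""Learning-bridge model: learn the source MAC on the ingress port, forward
known destinations, flood unknown ones, and apply filtering rules on source
address and/or frame type. Added example; not code from the course."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
HEX = set("0123456789abcdef")


def parse_mac(text: str) -> str:
    """Normalise a 48-bit MAC (12 hex digits, optional ':' or '-' separators)
    to lower-case colon form; reject anything that is not 12 hex digits."""
    digits = text.lower().replace(":", "").replace("-", "")
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vendor_id(mac: str) -> str:
    """The IEEE-assigned vendor part: the first six hex digits."""
    return parse_mac(mac)[:8]


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int      # constructed values: 0x0800 = IPv4, 0x0806 = ARP


@dataclass
class Bridge:
    ports: list
    table: dict = field(default_factory=dict)          # learned MAC -> port
    blocked_sources: set = field(default_factory=set)  # filter by source
    blocked_types: set = field(default_factory=set)    # filter by type

    def block_source(self, mac: str) -> None:
        self.blocked_sources.add(parse_mac(mac))

    def permitted(self, src: str, ethertype: int) -> bool:
        """Filtering decision on source address, frame type, or both."""
        return src not in self.blocked_sources and ethertype not in self.blocked_types

    def receive(self, in_port: int, frame: Frame) -> list:
        """Process one frame arriving on in_port; return the egress ports."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        src, dst = parse_mac(frame.src), parse_mac(frame.dst)
        # Learning: the source is reachable through the port it arrived on.
        self.table[src] = in_port
        if not self.permitted(src, frame.ethertype):
            return []                                  # dropped by filter
        out = self.table.get(dst)
        if dst != BROADCAST and out is not None:
            # Known destination: forward out that port only, or discard if
            # the destination sits on the segment the frame came from.
            return [] if out == in_port else [out]
        # Unknown destination or broadcast: flood all ports except ingress.
        return [p for p in self.ports if p != in_port]


def demo() -> dict:
    """Walk the slide's cases on a three-port bridge with constructed MACs."""
    bridge = Bridge(ports=[1, 2, 3])
    host_a, host_b = "00:1A:2B:3C:4D:5E", "00-1a-2b-00-00-01"
    other = "00:00:5e:00:53:01"
    results = {}
    results["unknown_dst"] = bridge.receive(1, Frame(host_a, host_b, 0x0800))
    results["learned_dst"] = bridge.receive(2, Frame(host_b, host_a, 0x0800))
    results["both_known"] = bridge.receive(1, Frame(host_a, host_b, 0x0800))
    results["broadcast"] = bridge.receive(3, Frame(other, BROADCAST, 0x0806))
    # A new host on port 2 talking to host_b, which is also on port 2.
    results["same_segment"] = bridge.receive(2, Frame("00:00:5e:00:53:02", host_b, 0x0800))
    bridge.blocked_types.add(0x0806)                   # filter by frame type
    results["filtered_type"] = bridge.receive(3, Frame(other, BROADCAST, 0x0806))
    bridge.block_source(host_a)                        # filter by source MAC
    results["filtered_src"] = bridge.receive(1, Frame(host_a, host_b, 0x0800))
    results["table"] = dict(bridge.table)
    return results
```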
Network Layer
• Which path should traffic take through networks?
• How do the packets know where to go?
• What are protocols?
• What is the difference between routed and routing protocols?

Network Layer
• Only two devices which are directly connected by the same “wire” can exchange data directly
• Devices not on the same network must communicate via intermediate system
• Router is an intermediate system
• The network layer determines the best way to transfer data. It manages device addressing and tracks the location of devices. The router operates at this layer.

Network Layer - Bridge vs. Router
• Bridges can only extend a single network
  • All devices appear to be on same “wire”
  • Network has finite size, dependent on topology, protocols used
• Routers can connect bridged subnetworks
  • Routed network has no limit on size
  • Internet, SIPRNET

Network Layer
• Provides routing and relaying
  • Routing: determining the path between two end systems
  • Relaying: moving data along that path
• Addressing mechanism is required
• Flow control may be required
• Must handle specific features of subnetwork
• Mapping between data link layer and network layer addresses

Connection-Oriented vs. Connectionless Network Layer
• Connection-Oriented
  • Provides a Virtual Circuit (VC) between two end systems (like a telephone)
  • 3 phases - call setup, data exchange, call close
  • Examples include X.25, OSI CONP, IBM SNA
  • Ideal for traditional terminal-host networks of finite size

Connection-Oriented vs. Connectionless Network Layer
• Connectionless (CL)
  • Each piece of data independently routed
  • Sometimes called “datagram” networking
  • Each piece of data must carry all addressing and routing info
  • Basis of many current LAN/WAN operations
  • TCP/IP, OSI CLNP, IPX/SPX
  • Well suited to client/server and other distributed system networks

Connection-Oriented vs. Connectionless Network Layer
• Arguments can be made Connection Oriented is best for many applications
• Market has decided on CL networking
  • All mainstream developments on CL
  • Majority of networks now built CL
  • Easier to extend LAN based networks using CL WANs
• We will focus on CL

Network switching
• Circuit-switched
  • Transparent path between devices
  • Dedicated circuit
  • Phone call
• Packet-switched
  • Data is segmented, buffered, & recombined

Network Layer Addressing
• Impossible to use MAC addresses
• Hierarchical scheme makes much more sense (think postal - city, state, country)
• This means routers only need to know regions (domains), not individual computers
• The network address identifies the network and the host
Network Layer Addressing
• Network Address - path part used by router
• Host Address - specific port or device
(Figure: a router joins Network 1 and Network 2; Network 1 has hosts 1.1, 1.2, 1.3 and Network 2 has hosts 2.1, 2.2, 2.3, i.e. network 1 with hosts 1, 2, 3 and network 2 with hosts 1, 2, 3.)
Network Layer Addressing - IP example
• IP addresses are like street addresses for computers
• Networks are hierarchically divided into subnets called domains
• Domains are assigned IP addresses and names
• Domains are represented by the network portion of the address
• IP addresses and domains are issued by InterNIC (cooperative activity between the National Science Foundation, Network Solutions, Inc. and AT&T)

Network Layer Addressing - IP
• IP uses a 4 octet (32 bit) network address
• The network and host portions of the address can vary in size
• Normally, the network is assigned a class according to the size of the network
  • Class A uses 1 octet for the network
  • Class B uses 2 octets for the network
  • Class C uses 3 octets for the network
  • Class D is used for multicast addresses

Class A Address
• Used in an inter-network that has a few networks and a large number of hosts
• First octet assigned, users designate the other 3 octets (24 bits)
• Up to 128 Class A Domains
• Up to 16,777,216 hosts per domain
• Layout: 0-127 (this field is fixed by IAB) | 0-255 | 0-255 | 0-255 (24 bits of variable address)

Class B Address
• Used for a number of networks having a number of hosts
• First 2 octets assigned, user designates the other 2 octets (16 bits)
• 16384 Class B Domains
• Up to 65536 hosts per domain
• Layout: 128-191 | 0-255 (these fields are fixed by IAB) | 0-255 | 0-255 (16 bits of variable address)

Class C Address
• Used for networks having a small amount of hosts
• First 3 octets assigned, user designates last octet (8 bits)
• Up to 2,097,152 Class C Domains
• Up to 256 hosts per domain
• Layout: 191-223 | 0-255 | 0-255 (these fields are fixed by IAB) | 0-255 (8 bits of variable address)

IP Addresses
• A host address of all ones is a broadcast
• A host address of zero means the wire itself
• These host addresses are always reserved and can never be used
Subnets & Subnet Masks
• Every host on a network (i.e. same cable segment) must be configured with the same subnet ID.
  • First octet on class A addresses
  • First & second octet on class B addresses
  • First, second, & third octet on class C addresses
• A Subnet Mask (Netmask) is a bit pattern that defines which portion of the 32 bits represents a subnet address.
• Network devices use subnet masks to identify which part of the address is network and which part is host
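The classful addressing and subnet-mask slides above, worked in code: the class from the first octet, the class's default mask, the network/host split a mask produces, the two reserved host addresses, and the "same subnet ID" check. This is an added example, not code from the course; it uses the standard class boundaries (class B ends at 191, so class C starts at 192) and the addresses in the test are constructed.

```python
"""Classful IPv4 addressing and subnet masks. Added example; not code from
the course. Arithmetic is done on 32-bit integers to make the mask visible."""

# (class, first-octet range, network bits). Class B's range ends at 191, so
# class C begins at 192; class D (multicast) has no network/host split.
CLASSES = (("A", range(0, 128), 8), ("B", range(128, 192), 16),
           ("C", range(192, 224), 24), ("D", range(224, 240), None))
ALL_ONES = 0xFFFFFFFF


def to_int(ip: str) -> int:
    """Dotted-quad text -> 32-bit integer, validating each octet."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IPv4 address: {ip!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | octet
    return value


def to_str(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(ip: str) -> str:
    first_octet = to_int(ip) >> 24
    for name, octets, _ in CLASSES:
        if first_octet in octets:
            return name
    return "E"          # 240-255: reserved


def default_mask(ip: str) -> str:
    """Classful netmask implied by the address class (1, 2 or 3 octets)."""
    for name, octets, bits in CLASSES:
        if (to_int(ip) >> 24) in octets:
            if bits is None:
                raise ValueError("class D is multicast; it has no host part")
            return to_str((ALL_ONES << (32 - bits)) & ALL_ONES)
    raise ValueError("class E addresses are reserved")


def split_address(ip: str, mask: str) -> dict:
    """Apply the mask: network part, host part, and the reserved addresses."""
    addr, m = to_int(ip), to_int(mask)
    host_mask = ~m & ALL_ONES
    network = addr & m
    return {
        "network": to_str(network),                 # host bits all zero
        "broadcast": to_str(network | host_mask),   # host bits all one
        "host": addr & host_mask,
        "usable_hosts": max(host_mask - 1, 0),      # minus the two reserved
    }


def is_reserved_host(ip: str, mask: str) -> bool:
    """True for the all-zeros (the wire) and all-ones (broadcast) host part."""
    host_mask = ~to_int(mask) & ALL_ONES
    host = to_int(ip) & host_mask
    return host == 0 or host == host_mask


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """Two hosts share a subnet ID when the masked bits agree."""
    m = to_int(mask)
    return to_int(ip_a) & m == to_int(ip_b) & m
```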
Network Layer - Routed vs. Routing Protocols
• Routed Protocol - any protocol which provides enough information in its network layer address to allow the packet to reach its destination
• Routing Protocol - any protocol used by routers to share routing information

Routed Protocols
• IP
• IPX
• SMB
• Appletalk
• DEC/LAT
OSI Reference Model Protocol Mapping
(Figure: the seven OSI layers, 7 Application down to 1 Physical, with three protocol stacks mapped against them.)
• Application using TCP/IP: TCP over IP
• Application using UDP/IP: UDP over IP
• Application using SPX/IPX: SPX over IPX
Network-level Protocols
• IPX (Internet Packet Exchange protocol) - Novell Netware & others; works with the Session-layer protocol SPX (Sequential Packet Exchange Protocol)
• NETBEUI (NetBIOS Extended User Interface) - Windows for Workgroups & Windows NT
• IP (Internet Protocol) - Win NT, Win 95, Unix, etc…; works with the Transport-layer protocols TCP (Transmission Control Protocol) and UDP (User Datagram Protocol)
• SLIP (Serial-line Input Protocol) & PPP (Point-to-Point Protocol)
TCP/IP
• Consists of a suite of protocols (TCP & IP)
• Handles data in the form of packets
• Keeps track of packets which can be
  • Out of order
  • Damaged
  • Lost
• Provides universal connectivity
• Reliable full duplex stream delivery (as opposed to the unreliable UDP/IP protocol suite used by such applications as PING and DNS)

TCP/IP Cont…
• Primary services (applications) using TCP/IP
  • File Transfer (FTP)
  • Remote Login (Telnet)
  • Electronic Mail (SMTP)
• Currently the most widely used protocol (especially on the Internet)
• Uses the IP address scheme
Routing Protocols
• Distance-Vector
  • List of destination networks with direction and distance in hops
• Link-state routing
  • Topology map of network identifies all routers and subnetworks
  • Route is determined from shortest path to destination
• Routes can be manually loaded (static) or dynamically maintained
Routing - Internet Management Domains
• Core of Internet uses Gateway-Gateway Protocol (GGP) to exchange data between routers
• Exterior Gateway Protocol (EGP) is used to exchange routing data with core and other autonomous systems
• Interior Gateway Protocol (IGP) is used within autonomous systems
(Figure: the Internet Core runs GGP; EGP links the core to the autonomous systems; each autonomous system runs an IGP internally.)
Routing Protocols
• Static routes
  • Not a protocol
  • Entered by hand
  • Define a path to a network or subnet
  • Most secure

Routing Protocols - RIP
• Distance Vector
• Interior Gateway Protocol
• Noisy, not the most efficient
• Broadcast routes every 30 seconds
• Lowest cost route always best
• A cost of 16 is unreachable
• No security, anyone can pretend to be a router
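The distance-vector slide and the RIP slide above, worked as a simulation: each router periodically hands its whole table to its neighbours, the lowest hop count wins, and a cost of 16 means unreachable. It also shows why the 16 exists: after a link fails, two routers without any other protection count each other up one hop at a time until they hit 16. This is an added example, not code from the course; the router names, network names and the three-router chain are constructed.

```python
"""Distance-vector (RIP-style) routing: periodic full-table exchange,
lowest hop count wins, 16 = unreachable. Added example; not code from the
course. Routers, networks and the topology below are constructed."""

INFINITY = 16           # RIP: a hop count of 16 is 'unreachable'


class Router:
    def __init__(self, name: str, networks: list):
        self.name = name
        self.neighbors = {}                           # name -> Router
        # dest network -> (hops, next_hop); attached networks cost 1 hop.
        self.table = {net: (1, None) for net in networks}

    def advertisement(self) -> dict:
        """The full table, as a periodic RIP broadcast would carry it."""
        return {dest: hops for dest, (hops, _) in self.table.items()}

    def receive(self, sender: str, advert: dict) -> bool:
        """Bellman-Ford update from one neighbour; True if anything changed."""
        changed = False
        for dest, hops in advert.items():
            cost = min(hops + 1, INFINITY)
            current = self.table.get(dest)
            if current is None:
                if cost < INFINITY:                   # learn a new route
                    self.table[dest] = (cost, sender)
                    changed = True
            elif cost < current[0] or (current[1] == sender and cost != current[0]):
                # Lower cost wins; any change reported by the route's own
                # next hop (including 'unreachable') is accepted as well.
                self.table[dest] = (cost, sender)
                changed = True
        return changed

    def reachable(self, dest: str) -> bool:
        entry = self.table.get(dest)
        return entry is not None and entry[0] < INFINITY


def link(a: Router, b: Router) -> None:
    a.neighbors[b.name] = b
    b.neighbors[a.name] = a


def link_down(a: Router, b: Router) -> None:
    """Remove the link and mark routes through it unreachable (cost 16)."""
    for router, other in ((a, b), (b, a)):
        del router.neighbors[other.name]
        for dest, (hops, nxt) in router.table.items():
            if nxt == other.name:
                router.table[dest] = (INFINITY, nxt)


def exchange_round(routers: list) -> bool:
    """One 30-second cycle: every advert is built first, then delivered."""
    adverts = {r.name: r.advertisement() for r in routers}
    changed = False
    for router in routers:
        for nb in router.neighbors:
            changed = router.receive(nb, adverts[nb]) or changed
    return changed


def converge(routers: list, max_rounds: int = 64) -> int:
    """Run rounds until one changes nothing; return the rounds taken."""
    for rounds in range(1, max_rounds + 1):
        if not exchange_round(routers):
            return rounds
    raise RuntimeError("routing did not converge")


def demo() -> dict:
    """Chain A - B - C converges, then the B-C link fails."""
    a, b, c = Router("A", ["netA"]), Router("B", ["netB"]), Router("C", ["netC"])
    link(a, b)
    link(b, c)
    routers = [a, b, c]
    result = {"initial_rounds": converge(routers), "a_to_netC": a.table["netC"]}
    link_down(b, c)
    # Without split horizon A and B count each other up to 16, then stop.
    result["failure_rounds"] = converge(routers)
    result["a_reaches_netC"] = a.reachable("netC")
    result["a_cost_netC"] = a.table["netC"][0]
    result["b_cost_netC"] = b.table["netC"][0]
    return result
```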
Routing Protocols - OSPF
• Link-state
• Interior Gateway Protocol
• Routers elect “Designated Router”
• All routers establish a topology database using DR as gateway between areas
• Along with IGRP, a replacement for outdated RIP

Routing Protocols - BGP
• Border Gateway Protocol is an EGP
• Can support multiple paths between autonomous systems
• Can detect and suppress routing loops
• Lacks security
• Internet recently down because of incorrectly configured BGP on ISP router

Source Routing
• Source (packet sender) can specify route a packet will traverse the network
• Two types, strict and loose
• Allows IP spoofing attacks
• Rarely allowed across Internet

Transport Layer
• TCP
• UDP
• IPX Service Advertising Protocol
• Are UDP and TCP connectionless or connection oriented?
• What is IP?
• Explain the difference
Session Layer
• Establishes, manages and terminates sessions between applications
• Coordinates service requests and responses that occur when applications communicate between different hosts
• Examples include: NFS, RPC, X Window System, AppleTalk Session Protocol

Presentation Layer
• Provides code formatting and conversion
• For example, translates between differing text and data character representations such as EBCDIC and ASCII
• Also includes data encryption
• Layer 6 standards include JPEG, GIF, MPEG, MIDI

Application-layer Protocols
• FTP (File Transfer Protocol)
• TFTP (Trivial File Transfer Protocol) - Used by some X-Terminal systems
• HTTP (HyperText Transfer Protocol)
• SNMP (Simple Network Management Protocol)
  • Helps network managers locate and correct problems in a TCP/IP network
  • Used to gain information from network devices such as count of packets received and routing tables
• SMTP (Simple Mail Transfer Protocol) - Used by many email applications
Identification & Authentication
• Identify who is connecting - userid
• Authenticate who is connecting
  • Password (static) - something you know
  • Token (SecureID) - something you have
  • Biometric - something you are
• RADIUS, TACACS, PAP, CHAP
• DIAMETER
Firewall Terms
• Network address translation (NAT)
  • Internal addresses unreachable from external network
• DMZ - De-Militarized Zone
  • Hosts that are directly reachable from untrusted networks
• ACL - Access Control List
  • can be router or firewall term
Firewall Terms
• Choke, Choke router
  • A router with packet filtering rules (ACLs) enabled
• Gate, Bastion host, Dual Homed Host
  • A server that provides packet filtering and/or proxy services
• Proxy server
  • A server that provides application proxies
Firewall types
• Packet-filtering router
  • Most common
  • Uses Access Control Lists (ACL)
    • Port
    • Source/destination address
• Screened host
  • Packet-filtering and Bastion host
  • Application layer proxies
• Screened subnet (DMZ)
  • 2 packet filtering routers and bastion host(s)
  • Most secure
Firewall Models
• Proxy servers
  • Intermediary
  • Think of bank teller
• Stateful Inspection
  • State and context analyzed on every packet in connection
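The difference between the packet-filtering router of the previous slide and stateful inspection is easiest to see in code. The following is an added example, not material from the slide deck: a first-match ACL that judges each packet only by addresses and ports, beside a minimal state table that admits reply traffic only when a permitted SYN opened the connection. The rule set, addresses and the `Packet` fields are constructed for illustration.

```python
"""Added example: stateless ACL filtering next to stateful inspection.
All addresses, rules and packets below are constructed, not real traffic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # constructed shorthand: "S" SYN, "SA" SYN-ACK, "A" ACK, "F" FIN, "R" RST


# Constructed ACL, evaluated first-match with an implicit deny at the end,
# the way a packet-filtering (choke) router processes its rules.
ACL = [
    # (action, source network, destination network, destination port or None)
    ("permit", "0.0.0.0/0", "192.0.2.10/32", 80),   # DMZ web server
    ("permit", "0.0.0.0/0", "192.0.2.10/32", 443),
    ("permit", "10.0.0.0/8", "0.0.0.0/0", None),     # internal hosts outbound
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),        # everything else
]


def acl_decision(pkt: Packet, acl=ACL) -> str:
    """Stateless filtering: every packet is judged on its own header fields."""
    for action, src_net, dst_net, dport in acl:
        if (ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net)
                and (dport is None or pkt.dport == dport)):
            return action
    return "deny"  # implicit deny when no rule matches


class StatefulFirewall:
    """Stateful inspection: a packet is accepted if it belongs to a connection
    that was opened from a permitted direction; only a permitted SYN may
    create state, so unsolicited SYN-ACKs from outside are dropped."""

    def __init__(self, acl=ACL):
        self.acl = acl
        self.table = {}  # (src, sport, dst, dport) -> connection state

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            key = fwd if fwd in self.table else rev
            if self.table[key] == "SYN_SENT" and pkt.flags == "SA" and key == rev:
                self.table[key] = "ESTABLISHED"   # handshake reply seen
            elif "F" in pkt.flags or "R" in pkt.flags:
                del self.table[key]               # connection torn down
            return "permit"
        # No existing state: only a SYN that the ACL permits may create an entry.
        if pkt.flags == "S" and acl_decision(pkt, self.acl) == "permit":
            self.table[fwd] = "SYN_SENT"
            return "permit"
        return "deny"


if __name__ == "__main__":
    fw = StatefulFirewall()
    out = Packet("10.1.1.1", "203.0.113.5", 51000, 80, "S")
    back = Packet("203.0.113.5", "10.1.1.1", 80, 51000, "SA")
    print("stateless ACL on the reply:", acl_decision(back))   # deny
    print("stateful table on the reply:", fw.decide(out), fw.decide(back))  # permit permit
```

The stateless ACL has no rule for the SYN-ACK coming back to an internal high port, so it denies the reply; the stateful table recognises it as the second half of a permitted connection and admits it. Note that the same stateful check drops a SYN-ACK that no internal SYN asked for, which is the "context" the slide refers to.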
VPN – Virtual Private Network
• PPTP
• L2TP
• IPSec
  • Tunnel Mode
  • Transport Mode
• Site-to-Site VPN
• Client-to-Site VPN
• SSL
• SSH
Intrusion Detection (IDS)
• Host or network based
• Context and content monitoring
• Positioned at network boundaries
• Basically a sniffer with the capability to detect traffic patterns known as attack signatures
Web Security
• Secure Sockets Layer (SSL)
  • Transport layer security (TCP based)
  • Widely used for web based applications
  • by convention, https://
• Secure Hypertext Transfer Protocol (S-HTTP)
  • Less popular than SSL
  • Used for individual messages rather than sessions
• Secure Electronic Transactions (SET)
  • PKI
  • Financial data
  • Supported by VISA, MasterCard, Microsoft, Netscape
IPSEC
• IP Security
• Set of protocols developed by IETF
• Standard used to implement VPNs
• Two modes
  • Transport Mode
    • encrypted payload (data), clear text header
  • Tunnel Mode
    • encrypted payload and header
• IPSEC requires shared public key
Spoofing
• TCP Sequence number prediction
• UDP - trivial to spoof (connectionless)
• DNS - spoof/manipulate IP/hostname pairings
• Source Routing
Sniffing
• Passive attack
• Monitor the “wire” for all traffic - most effective in shared media networks
• Sniffers used to be “hardware”, now are a standard software tool
Session Hijacking
• Uses sniffer to detect sessions, get pertinent session info (sequence numbers, IP addresses)
• Actively injects packets, spoofing the client side of the connection, taking over session with server
• Bypasses I&A controls
• Encryption is a countermeasure, stateful inspection can be a countermeasure
IP Fragmentation
• Use fragmentation options in the IP header to force data in the packet to be overwritten upon reassembly
• Used to circumvent packet filters
• Leads to Denial of Service Attack
IDS Attacks
• Insertion Attacks
  • Insert information to confuse pattern matching
• Evasion Attacks
  • Trick the IDS into not detecting traffic
  • Example - Send a TCP RST with a TTL setting such that the packet expires prior to reaching its destination
Syn Floods
• Remember the TCP handshake?
  • Syn, Syn-Ack, Ack
• Send a lot of Syns
• Don’t send Acks
• Victim has a lot of open connections, can’t accept any more incoming connections
• Denial of Service
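The symptom the slide describes, many half-open connections that never complete the handshake, is visible in a host's connection table. The following is an added example from the defender's side, not part of the slide deck: it parses constructed netstat-style lines, counts SYN_RECV entries per listening socket, and flags a socket whose half-open backlog exceeds a threshold. The `netstat` line layout, the threshold value and all addresses are assumptions made for the example.

```python
"""Added example: spotting a SYN flood in a connection table.
The sample lines are constructed in netstat style, not captured from a host."""
import re
from collections import Counter

# Assumed layout: proto recv-q send-q local:port remote:port state
LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def build_sample() -> str:
    """Constructed connection table: 40 half-open connections to :80 from
    40 different sources (typical of spoofed SYNs), plus normal traffic."""
    lines = [f"tcp 0 0 192.0.2.10:80 198.51.100.{i}:{40000 + i} SYN_RECV"
             for i in range(1, 41)]
    lines += [
        "tcp 0 0 192.0.2.10:80 203.0.113.9:51234 ESTABLISHED",
        "tcp 0 0 192.0.2.10:22 10.0.0.5:50011 ESTABLISHED",
        "tcp 0 0 192.0.2.10:22 10.0.0.6:50012 SYN_RECV",   # one in-flight SSH handshake
        "garbage line that does not parse",
    ]
    return "\n".join(lines)


def parse_conn_table(text: str):
    """Return (local_addr, local_port, remote_addr, remote_port, state) tuples;
    lines that do not fit the assumed layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            laddr, lport, raddr, rport, state = m.groups()
            rows.append((laddr, int(lport), raddr, int(rport), state))
    return rows


def syn_flood_report(rows, half_open_threshold: int = 30):
    """Per listening socket: half-open count, established count, number of
    distinct remote sources, and whether the backlog looks like a flood.
    The threshold is an assumed value; tune it to the host's normal load."""
    half_open, established, sources = Counter(), Counter(), {}
    for laddr, lport, raddr, rport, state in rows:
        key = (laddr, lport)
        if state == "SYN_RECV":
            half_open[key] += 1
            sources.setdefault(key, set()).add(raddr)
        elif state == "ESTABLISHED":
            established[key] += 1
    report = {}
    for key, n in half_open.items():
        report[key] = {
            "half_open": n,
            "established": established[key],
            "distinct_sources": len(sources[key]),
            "suspect": n >= half_open_threshold,
        }
    return report


if __name__ == "__main__":
    for sock, info in syn_flood_report(parse_conn_table(build_sample())).items():
        print(sock, info)
```

A high half-open count with as many distinct sources as connections is the pattern to look for: legitimate clients complete the handshake within a round trip, so SYN_RECV entries should be few and short-lived. The usual mitigations, SYN cookies and shorter half-open timeouts on the server and rate limits on the border router, act on exactly this backlog.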
Telecom/Remote Access Security
• Dial up lines are favorite hacker target
  • War dialing
  • social engineering
• PBX is a favorite phreaker target
  • blue box, gold box, etc.
  • Voice mail
Remote Access Security
• SLIP - Serial Line Internet Protocol
• PPP - Point to Point Protocol
  • SLIP/PPP about the same, PPP adds error checking, SLIP obsolete
• PAP - Password authentication protocol
  • clear text password
• CHAP - Challenge Handshake Auth. Prot.
  • Encrypted password
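To make the PAP/CHAP contrast concrete, here is an added example that is not part of the slide deck. PAP (RFC 1334) puts the password itself on the link; CHAP (RFC 1994) never sends the password, the peer instead returns MD5 over the packet identifier, the shared secret and a server-chosen random challenge, so a sniffed response is useless against the next challenge. The user database, the shared secret and the `observer_replays` helper are constructed for the example.

```python
"""Added example: PAP clear-text login versus CHAP challenge-response.
Secrets and user records are constructed; nothing here is a real credential."""
import hashlib
import hmac
import secrets

# Constructed user database: PAP needs the reusable password on the server,
# CHAP needs the shared secret on both ends (provisioned out of band).
USER_DB = {"alice": "correct-horse"}
CHAP_SECRET = b"constructed-shared-secret"


def pap_authenticate_request(username: str, password: str) -> dict:
    """PAP: the Authenticate-Request carries Peer-ID and Password as sent."""
    return {"id": username, "password": password}


def pap_verify(request: dict, user_db=USER_DB) -> bool:
    return user_db.get(request["id"]) == request["password"]


def chap_challenge(nbytes: int = 16) -> bytes:
    """CHAP: the authenticator picks a fresh random challenge each time."""
    return secrets.token_bytes(nbytes)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, CHAP with MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison


def observer_replays(captured: bytes, identifier: int, secret: bytes, new_challenge: bytes) -> bool:
    """What a sniffer can do with a captured CHAP response: try it again.
    Constructed helper; it fails because the challenge has changed."""
    return chap_verify(identifier, secret, new_challenge, captured)


if __name__ == "__main__":
    wire = pap_authenticate_request("alice", "correct-horse")
    print("PAP on the wire:", wire)                 # password readable by any sniffer
    c1, c2 = chap_challenge(), chap_challenge()
    r1 = chap_response(7, CHAP_SECRET, c1)
    print("CHAP response accepted:", chap_verify(7, CHAP_SECRET, c1, r1))
    print("replay against new challenge:", observer_replays(r1, 7, CHAP_SECRET, c2))
```

The slide's "encrypted password" is, strictly, a hash that is never reversible on the wire; the trade-off is that CHAP's server side must hold the secret in a recoverable form, whereas a PAP server can store only a password hash. Note also that CHAP does not protect the data that follows the handshake; that is what the IPSec and SSL slides are for.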
Remote Access Security
• TACACS, TACACS+
  • Terminal Access Controller Access Control System
  • Network devices query TACACS server to verify passwords
  • “+” adds ability for two-factor (dynamic) passwords
• Radius
  • Remote Auth. Dial-In User Service
RAID
• Redundant Array of Inexpensive (or Independent) Disks - 7 levels
• Level 0 - Data striping (spreads blocks of each file across multiple disks)
• Level 1 - Provides disk mirroring
• Level 3 - Same as 0, but adds a disk for error correction
• Level 5 - Data striping at byte level, error correction too
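Striping with parity is easiest to understand by doing it by hand. The following is an added example, not from the slide deck: it stripes data across three simulated disks with XOR parity rotating from disk to disk, loses one disk, rebuilds it from the survivors, and reads the data back. The chunk size, disk count and sample data are assumptions made for the example.

```python
"""Added example: striping with rotating XOR parity and single-disk rebuild.
Disks are plain lists of chunks; the data and sizes are constructed."""


def xor_bytes(*blocks: bytes) -> bytes:
    """XOR equal-length chunks together; this is the whole of RAID parity."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, ndisks: int = 3, chunk: int = 4):
    """Split data into stripes of (ndisks - 1) chunks plus one parity chunk.
    The parity chunk moves to a different disk on each stripe."""
    per_stripe = ndisks - 1
    data = data + b"\x00" * ((-len(data)) % (chunk * per_stripe))  # zero-pad last stripe
    disks = [[] for _ in range(ndisks)]
    for stripe, off in enumerate(range(0, len(data), chunk * per_stripe)):
        chunks = [data[off + i * chunk: off + (i + 1) * chunk] for i in range(per_stripe)]
        parity_disk = stripe % ndisks
        parity = xor_bytes(*chunks)
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def raid5_rebuild(disks, lost: int):
    """Recreate the lost disk: in every stripe the missing chunk, data or
    parity alike, is the XOR of the chunks on the surviving disks."""
    survivors = [d for d in range(len(disks)) if d != lost]
    nstripes = len(disks[survivors[0]])
    disks[lost] = [xor_bytes(*[disks[d][s] for d in survivors]) for s in range(nstripes)]
    return disks


def raid5_read(disks, length: int) -> bytes:
    """Reassemble the data by skipping each stripe's parity chunk."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = s % ndisks
        for d in range(ndisks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


if __name__ == "__main__":
    data = b"Telecom and Network Security"
    disks = raid5_write(data)
    disks[1] = None                      # simulate losing the middle disk
    raid5_rebuild(disks, 1)
    print(raid5_read(disks, len(data)))  # the original data
```

The same XOR recovers a data chunk or the parity chunk, which is why a single failed disk costs nothing but rebuild time; a second failure before the rebuild finishes leaves a stripe with two unknowns and one equation, and the data in that stripe is gone. For availability planning, that rebuild window is the number to watch.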
??