5. Telecom & Network Security


Telecom and Network Security

Objectives:
• Understand the OSI model
• Identify network hardware
• Understand LAN topologies
• Basic protocols - routing and routed
• Understand the IP addressing scheme
• Understand subnet masking
• Understand basic firewall architectures
• Understand basic telecommunications security issues

Agenda:
• Intro to OSI model
• LAN topologies
• OSI revisited: hardware; bridging, routing; routed protocols, WANs
• IP addressing, subnet masks
• Routing protocols

OSI/ISO ??
• OSI model developed by ISO, the International Organization for Standardization
• IEEE - Institute of Electrical and Electronics Engineers
• NSA - National Security Agency
• NIST - National Institute of Standards and Technology
• ANSI - American National Standards Institute
• CCITT - International Telegraph and Telephone Consultative Committee (now ITU-T)

OSI Reference Model (Open Systems Interconnection Reference Model)
• Standard model for network communications
• Allows dissimilar networks to communicate
• Defines 7 protocol layers (a.k.a. the protocol stack)
• Each layer on one workstation communicates with its respective layer on another workstation using protocols (i.e. agreed-upon communication formats)
• "Mapping" each protocol to the model is useful for comparing protocols

The OSI Layers

7 Application - Provides specific services for applications such as file transfer
6 Presentation - Provides data representation between systems
5 Session - Establishes, maintains, manages sessions (example: synchronization of data flow)
4 Transport - Provides end-to-end data transmission integrity
3 Network - Switches and routes information units
2 Data Link - Provides transfer of units of information to the other end of a physical link
1 Physical - Transmits the bit stream on the physical medium

Mnemonic (layers 1 to 7): Please Do Not Take Sales Person Advice

Data Flow in OSI Reference Model

Figure (reconstructed): Host 1 and Host 2, each with the seven layers stacked Application (7) down to Physical (1). Data travels down the stack on Host 1, through the network, then up the receiving stack on Host 2.

As the data passes through each layer on the client, information about that layer (a header, plus a trailer at the data link layer) is added to the data; this is encapsulation. This information is stripped off by the corresponding layer on the server (decapsulation). Each layer reads only its own header and treats everything above it as opaque payload.

OSI Model
• Protocols required for networking are covered in the OSI model
• Keep the model in mind for the rest of the course
• All layers to be explored in more detail
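The encapsulation described above, carried out on real bytes: the block below is an added example (not code from the course slides) that builds one UDP datagram down the stack, Ethernet II at layer 2, IPv4 at layer 3, UDP at layer 4, and parses it back up, verifying the IPv4 header checksum on the way. The MAC and IP addresses, ports and payload are constructed for the demo; the checksum routine is the standard RFC 1071 ones'-complement sum.

```python
# Added example (not from the course slides): encapsulate a UDP payload in
# IPv4 and Ethernet II headers, then decapsulate and check each layer.
# Addresses, ports and payload below are constructed for the demo.
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def checksum16(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Encapsulate: each lower layer prepends its own header to what it received."""
    # Layer 4: UDP header; checksum 0 means "not computed", which is legal for UDP over IPv4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    # Layer 3: 20-byte IPv4 header, checksum field zeroed first, then filled in
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(udp),   # version/IHL, DSCP/ECN, total length
                         0x1234, 0,                # identification, flags/fragment offset
                         64, IPPROTO_UDP, 0,       # TTL, protocol, checksum placeholder
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum16(ip_hdr)) + ip_hdr[12:]
    # Layer 2: Ethernet II header (dst MAC, src MAC, EtherType); the FCS trailer
    # is omitted here because the NIC normally appends it
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) +
           struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip_hdr + udp


def parse_frame(frame: bytes) -> dict:
    """Decapsulate: each layer strips its header and hands the rest upward."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or ihl < 20:
        raise ValueError("bad IPv4 header")
    if checksum16(ip[:ihl]) != 0:            # a header with a valid checksum sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if ulen != len(udp):
        raise ValueError("UDP length does not match IP total length")
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8], "sport": sport, "dport": dport, "payload": udp[8:],
    }
```

The point to notice is that the Ethernet layer never looks inside the IP header and IP never looks inside UDP: each layer's parser only validates its own header before passing the remainder up, exactly as the figure shows. A single flipped bit in the IPv4 header makes the checksum fail, so the frame is rejected at layer 3 and the UDP layer never sees it.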

LAN Topologies
• Star topology
• Bus topology
• Ring topology

Star Topology
• Telephone wiring is one common example
• Center of the star is the wiring closet
• Easily maintainable

Bus Topology
• Basically a cable that attaches many devices
• Can be a "daisy chain" configuration
• A computer I/O bus is an example

Tree Topology
• Can be an extension of bus and star topologies
• A tree has no closed loops

Ring Topology
• Continuous closed path between devices
• A logical ring is usually a physical star
• Don't confuse logical and physical topology

Network topologies

Topology | Advantages | Disadvantages
Bus | Passive transmission medium; localized failure impact; adaptive utilization | Channel access technique (contention)
Star | Simplicity; central routing; no routing decisions | Reliability of central node; loading of central node
Ring | Simplicity; predictable delay; no routing decisions | Failure modes with global effect

LAN Access Methods
• Carrier Sense Multiple Access with Collision Detection (CSMA/CD) - talk when no one else is talking
• Token - talk when you have the token
• Slotted - similar to token, talk in free "slots"

LAN Signaling Types
• Baseband - digital signal, serial bit stream
• Broadband - analog signal; cable TV technology

Ethernet
• Bus topology (the original form; modern switched Ethernet is wired as a star and runs full duplex, so CSMA/CD no longer applies on a switched link)
• CSMA/CD
• Baseband
• Most common network type
• IEEE 802.3
• Broadcast technology - every station on the segment sees every frame; transmission stops at the terminators

Token Bus
• IEEE 802.4
• Very large scale, expensive
• Usually seen in factory automation
• Used when one needs the multichannel capabilities of a broadband LAN and resistance to electrical interference

Token Ring
• IEEE 802.5
• Flow is unidirectional
• Each node regenerates the signal (acts as a repeater)
• Control is passed from interface to interface by a "token"
• Only one node at a time can have the token
• 4 or 16 Mbps

Fiber Distributed Data Interface (FDDI)
• Dual counter-rotating rings
• Devices can attach to one or both rings: single attachment station (SAS), dual attachment station (DAS)
• Uses token passing
• Logically and physically a ring
• ANSI governed

WAN
• WANs connect LANs
• Generally a single data link
• Links most often come from Regional Bell Operating Companies (RBOCs) or Post, Telephone, and Telegraph (PTT) agencies
• A WAN link contains Data Terminal Equipment (DTE) on the user side and Data Circuit-Terminating Equipment (DCE) at the WAN provider's end

MAN - Metropolitan Area Network

ISDN
• Integrated Services Digital Network (ISDN) is a worldwide public network service that can provide end-to-end digital communications and fully integrate technologies
• The basic rate interface (BRI) - 2B+D
• The primary rate interface (PRI) - 23B+D in North America (30B+D in Europe)
• B channel - 64 Kbps bandwidth, appropriate for either voice or data transmission
• D channel - signaling channel (16 Kbps on BRI, 64 Kbps on PRI), designed to control transmission of the B channels

Typical Point-to-Point WAN

The connections:
• T1 - 1.544 Mbps (24 voice channels)
• T2 - a T-carrier that can handle 6.312 Mbps or 96 voice channels
• T3 - a T-carrier that can handle 44.736 Mbps or 672 voice channels
• T4 - a T-carrier that can handle 274.176 Mbps or 4032 voice channels

WAN Cont… Cable Modem and DSL
• ADSL - Asymmetric Digital Subscriber Line - 144 Kbps to 1.5 Mbps (upstream slower than downstream)
• SDSL - Symmetric (single-line) Digital Subscriber Line - 1.544 Mbps to 2.048 Mbps
• HDSL - High data rate Digital Subscriber Line - 1.544 Mbps to 2.048 Mbps
• VDSL - Very high data rate Digital Subscriber Line - 13 to 52 Mbps downstream, 1.5 to 2.3 Mbps upstream

WAN Cont… Frame Relay and X.25 - packet-switched technologies
• Frame Relay evolved from standardization work on ISDN
• Designed to eliminate much of the overhead in X.25
• DTE - Data Terminal Equipment
• DCE - Data Circuit-terminating Equipment
• CIR - Committed Information Rate

OSI Model - Layers: Physical (Data Link, Network, Transport, Session, Presentation, Application follow)

Physical Layer
• Specifies the electrical, mechanical, procedural, and functional requirements for activating, maintaining, and deactivating the physical link between end systems
• Examples of physical link characteristics include voltage levels, data rates, maximum transmission distances, and physical connectors

Physical Layer Hardware
• Cabling: twisted pair (10BaseT), coax (10Base2, 10Base5), fiber
• Transceivers
• Hubs
• Topology

Twisted Pair
• 10BaseT (10 Mbps, 100 meters without a repeater)
• Unshielded and shielded twisted pair (UTP most common)
• Two wires per pair, twisted in a spiral
• Typically 1 to 10 Mbps at the time, up to 100 Mbps possible; modern Cat 5e/6 cabling carries 1 Gbps and more over the same 100 m limit
• Noise immunity and emanations improved by shielding

Coaxial Cable
• 10Base2 (10 Mbps, repeater every 200 m; the standard's segment limit is 185 m)
• ThinEthernet, Thinnet, or just Coax
• 2-50 Mbps
• Needs repeaters every 200-500 meters (185 m for 10Base2, 500 m for 10Base5)
• Terminator: 50 ohms for Ethernet, 75 ohms for TV
• Flexible and rigid versions available, flexible most common
• Noise immunity and emanations very good

Coaxial Cables, cont.
• Ethernet uses "T" connectors and 50 ohm terminators
• Every segment must have exactly 2 terminators
• Segments may be linked using repeaters or hubs

Standard Ethernet
• 10Base5 (thick Ethernet)
• Max of 100 taps per segment
• Nonintrusive taps available (vampire tap: pierces the cable without cutting it)
• Uses AUI (Attachment Unit Interface)

Fiber-Optic Cable
• Consists of outer jacket, cladding of glass, and core of glass
• Fast
• Carries light rather than current: immune to electrical interference, radiates no emanations, and a tap shows up as a measurable loss of signal

Transceivers
• Physical devices that allow you to connect different transmission media
• May include Signal Quality Error (SQE) or "heartbeat" to test the collision detection mechanism on each transmission
• May include a "link light", lit when a connection exists

Hubs
• A device which connects several other devices
• Also called concentrator, repeater, or multi-station access unit (MAU)
• A hub repeats every frame out of every port, so any attached station can sniff all traffic on it; a switch forwards unicast frames only to the port where the destination was learned

OSI Model - Layers: Data Link (Physical below; Network, Transport, Session, Presentation, Application above)

Data Link Layer
• Provides data transport across a physical link
• The data link layer handles physical addressing, network topology, line discipline, error notification, orderly delivery of frames, and optional flow control
• Bridges operate at this layer

Data Link Sub-layers
• Media Access Control (MAC) - refers downward to lower-layer hardware functions
• Logical Link Control (LLC) - refers upward to higher-layer software functions

Medium Access Control
• The MAC address is the "physical address", unique for each LAN interface card
• Also called hardware or link-layer address
• The MAC address is burned into Read Only Memory (ROM) on the card, but nearly every operating system lets a driver override it in software, so a MAC address identifies an interface and must not be trusted as proof of identity
• A MAC address is a 48-bit address written as 12 hexadecimal digits: the first six identify the vendor (the OUI, provided by the IEEE), the second six are unique, provided by the vendor
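As an added example (not code from the course slides), the block below parses a MAC address in the common notations, splits off the vendor OUI from the vendor-assigned part, and reads the two flag bits that live in the first octet: the group (multicast) bit and the locally administered bit, which is set on addresses assigned in software rather than by the IEEE. The OUI-to-vendor table is a small constructed sample, not the IEEE registry.

```python
# Added example (not from the course slides): parse a 48-bit MAC address,
# separate the IEEE-assigned OUI from the vendor-assigned part, and decode
# the two flag bits in the first octet. The vendor table is a constructed
# sample (assumption), not the real IEEE registry.
import re

SAMPLE_OUI_TABLE = {            # constructed for the demo
    "00:1A:2B": "ExampleVendor A",
    "3C:5A:B4": "ExampleVendor B",
}


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff."""
    hexdigits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(hexdigits)


def describe_mac(text: str, oui_table=SAMPLE_OUI_TABLE) -> dict:
    raw = parse_mac(text)
    oui = ":".join(f"{b:02X}" for b in raw[:3])          # first six hex digits
    nic_specific = ":".join(f"{b:02X}" for b in raw[3:])  # second six hex digits
    first_octet = raw[0]
    return {
        "oui": oui,
        "nic_specific": nic_specific,
        "vendor": oui_table.get(oui, "unknown"),
        # bit 0 of the first octet: 0 = individual (unicast), 1 = group (multicast/broadcast)
        "multicast": bool(first_octet & 0x01),
        # bit 1 of the first octet: 0 = globally unique (IEEE-assigned OUI),
        # 1 = locally administered, i.e. set in software rather than burned into ROM
        "locally_administered": bool(first_octet & 0x02),
        "broadcast": raw == b"\xff" * 6,
    }
```

The locally administered bit is a hint, not a control: a host that spoofs a MAC can copy a globally unique one just as easily, which is why port security on a switch or 802.1X, not the address itself, is what ties a port to an identity.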

Logical Link Control
• Presents a uniform interface to upper layers
• Enables upper layers to gain independence from LAN media access: upper layers use network addresses rather than MAC addresses
• Provides optional connection, flow control, and sequencing services

Bridges
• A device which forwards frames between the data link layers associated with two separate cables
• Stores source and destination addresses in a table
• When a bridge receives a frame it attempts to find the destination address in its table
• If found, the frame is forwarded out the appropriate port
• If not found, the frame is flooded on all other ports

Bridges
• Can be used for filtering
• Make decisions based on source and destination address, type, or a combination thereof
• Filtering is done for security or network management reasons: limit bandwidth hogs, prevent sensitive data from leaving
• Bridges can be for local or remote networks; a remote bridge has "half" at each end of a WAN link

Network Layer
• Which path should traffic take through networks?
• How do the packets know where to go?
• What are protocols?
• What is the difference between routed and routing protocols?

Network Layer
• Only two devices which are directly connected by the same "wire" can exchange data directly
• Devices not on the same network must communicate via an intermediate system
• A router is an intermediate system
• The network layer determines the best way to transfer data. It manages device addressing and tracks the location of devices. The router operates at this layer.

Network Layer - Bridge vs. Router
• Bridges can only extend a single network: all devices appear to be on the same "wire"
• A bridged network has a finite size, dependent on topology and protocols used
• Routers can connect bridged subnetworks
• A routed network has no limit on size (Internet, SIPRNET)

Network Layer
• Provides routing and relaying
• Routing: determining the path between two end systems
• Relaying: moving data along that path
• An addressing mechanism is required
• Flow control may be required
• Must handle specific features of the subnetwork
• Mapping between data link layer and network layer addresses

Connection-Oriented vs. Connectionless Network Layer - Connection-Oriented
• Provides a Virtual Circuit (VC) between two end systems (like a telephone)
• 3 phases - call setup, data exchange, call close
• Examples include X.25, OSI CONP, IBM SNA
• Ideal for traditional terminal-host networks of finite size

Connection-Oriented vs. Connectionless Network Layer - Connectionless (CL)
• Each piece of data is independently routed
• Sometimes called "datagram" networking
• Each piece of data must carry all addressing and routing info
• Basis of many current LAN/WAN operations: TCP/IP, OSI CLNP, IPX/SPX
• Well suited to client/server and other distributed system networks

Connection-Oriented vs. Connectionless Network Layer
• Arguments can be made that Connection-Oriented is best for many applications
• The market has decided on CL networking
• All mainstream developments are on CL
• The majority of networks are now built CL
• Easier to extend LAN-based networks using CL WANs
• We will focus on CL

Network Switching
• Circuit-switched: transparent path between devices, a dedicated circuit (a phone call)
• Packet-switched: data is segmented, buffered, and recombined

Network Layer Addressing
• Impossible to use MAC addresses (flat, with no structure to route on)
• A hierarchical scheme makes much more sense (think postal: city, state, country)
• This means routers only need to know regions (domains), not individual computers
• The network address identifies the network and the host

Network Layer Addressing
• Network address - the path part used by the router
• Host address - a specific port or device
• Figure (reconstructed): a router joins network 1 and network 2; hosts 1.1, 1.2 and 1.3 sit on network 1, hosts 2.1, 2.2 and 2.3 on network 2. The network portion is 1 or 2; the host portion is 1, 2 or 3 within each network.

Network Layer Addressing - IP example
• IP addresses are like street addresses for computers
• Networks are hierarchically divided into subnets, called domains in these slides (not to be confused with DNS domain names)
• Domains are assigned IP addresses and names
• Domains are represented by the network portion of the address
• IP addresses and domains were issued by InterNIC (a cooperative activity between the National Science Foundation, Network Solutions, Inc. and AT&T); today address blocks come from IANA via the regional Internet registries and domain names from ICANN-accredited registrars

Network Layer Addressing - IP
• IP uses a 4 octet (32 bit) network address
• The network and host portions of the address can vary in size
• Normally, the network is assigned a class according to the size of the network
• Class A uses 1 octet for the network
• Class B uses 2 octets for the network
• Class C uses 3 octets for the network
• Class D is used for multicast addresses

Class A Address
• Used in an inter-network that has a few networks and a large number of hosts
• First octet assigned (this field is fixed by the IAB), users designate the other 3 octets (24 bits of variable address)
• First octet 0-127; up to 128 Class A networks, up to 16,777,216 host addresses per network
• Networks 0 and 127 (loopback) are reserved, so 126 are usable, and two host addresses per network are reserved (see "IP Addresses" below)

Class B Address
• Used for a number of networks having a number of hosts
• First 2 octets assigned (fixed by the IAB), the user designates the other 2 octets (16 bits of variable address)
• First octet 128-191; 16,384 Class B networks, up to 65,536 host addresses per network (65,534 usable)

Class C Address
• Used for networks having a small number of hosts
• First 3 octets assigned (fixed by the IAB), the user designates the last octet (8 bits of variable address)
• First octet 192-223; up to 2,097,152 Class C networks, up to 256 host addresses per network (254 usable)

Class D (first octet 224-239) is multicast and Class E (240-255) is reserved. Classful allocation was replaced by CIDR (RFC 1519, 1993), but the class ranges still explain the default masks used below.

IP Addresses
• A host address of all ones is a broadcast
• A host address of all zeros means the network (the wire) itself
• These two host addresses are always reserved and can never be assigned to a host

Subnets & Subnet Masks
• Every host on a network (i.e. the same cable segment) must be configured with the same subnet ID
• Classful network portion: the first octet on class A addresses, the first & second octet on class B addresses, the first, second & third octet on class C addresses
• A Subnet Mask (Netmask) is a bit pattern that defines which portion of the 32 bits represents the subnet address: ones mark network bits, zeros mark host bits
• Network devices AND an address with the subnet mask to identify which part of the address is network and which part is host; two hosts are on the same subnet exactly when the AND gives the same result for both
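The mask arithmetic above carried out explicitly, as an added example (not code from the course slides): the block uses plain integer bit operations rather than Python's ipaddress module so that each step (AND with the mask, OR with the inverted mask, the contiguity check on the mask) is visible. The addresses used are constructed.

```python
# Added example (not from the course slides): classful default masks and
# subnet arithmetic with explicit bit operations. Sample addresses are constructed.

def ip_to_int(dotted: str) -> int:
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(dotted: str) -> str:
    """Classful class from the first octet (A/B/C; D multicast; E reserved)."""
    first = ip_to_int(dotted) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D" if first < 240 else "E"


DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def prefix_to_mask(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask_dotted: str) -> int:
    """A valid mask is a run of ones followed by zeros; reject anything else."""
    mask = ip_to_int(mask_dotted)
    ones = bin(mask).count("1")
    if prefix_to_mask(ones) != mask:
        raise ValueError(f"non-contiguous subnet mask: {mask_dotted}")
    return ones


def subnet_info(dotted: str, mask_dotted: str) -> dict:
    ip, mask = ip_to_int(dotted), ip_to_int(mask_dotted)
    prefix = mask_to_prefix(mask_dotted)
    network = ip & mask                         # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits set
    usable = max(2 ** (32 - prefix) - 2, 0)     # minus network and broadcast addresses
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "prefix": prefix,
        "first_host": int_to_ip(network + 1) if usable else None,
        "last_host": int_to_ip(broadcast - 1) if usable else None,
        "usable_hosts": usable,
    }


def same_subnet(a: str, b: str, mask_dotted: str) -> bool:
    """Two hosts share a subnet exactly when their network portions match."""
    mask = ip_to_int(mask_dotted)
    return (ip_to_int(a) & mask) == (ip_to_int(b) & mask)
```

A host with the wrong mask reaches the wrong conclusion from same_subnet and either ARPs for a peer that is actually behind the router or sends local traffic to the default gateway, which is the usual root cause behind "the host is up but cannot be reached".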

Network Layer - Routed vs. Routing Protocols
• Routed Protocol - any protocol which provides enough information in its network layer address to allow the packet to reach its destination
• Routing Protocol - any protocol used by routers to share routing information

Routed Protocols: IP, IPX, SMB, AppleTalk, DEC/LAT

OSI Reference Model Protocol Mapping

Figure (reconstructed) - three stacks mapped onto the seven OSI layers:
• Layers 7-5 (Application, Presentation, Session): application using TCP/IP | application using UDP/IP | application using SPX/IPX
• Layer 4 (Transport): TCP | UDP | SPX
• Layer 3 (Network): IP | IP | IPX
• Layers 2-1 (Data Link, Physical): the underlying LAN or WAN link, shared by all three

Network-level Protocols
• IPX (Internetwork Packet Exchange protocol) - Novell NetWare & others; works with the transport-layer protocol SPX (Sequenced Packet Exchange protocol)
• NetBEUI (NetBIOS Extended User Interface) - Windows for Workgroups & Windows NT; not routable
• IP (Internet Protocol) - Win NT, Win 95, Unix, etc.; works with the transport-layer protocols TCP (Transmission Control Protocol) and UDP (User Datagram Protocol)
• SLIP (Serial Line Internet Protocol) & PPP (Point-to-Point Protocol) - link-layer encapsulations for serial lines

TCP/IP
• Consists of a suite of protocols (TCP & IP)
• Handles data in the form of packets
• Keeps track of packets which can be out of order, damaged, or lost
• Provides universal connectivity
• Reliable full-duplex stream delivery (as opposed to the unreliable UDP/IP protocol suite used by such applications as DNS; ping uses ICMP, which rides directly on IP)

TCP/IP Cont…
• Primary services (applications) using TCP/IP: File Transfer (FTP), Remote Login (Telnet), Electronic Mail (SMTP)
• Currently the most widely used protocol (especially on the Internet)
• Uses the IP address scheme

Routing Protocols
• Distance-Vector - a list of destination networks with direction and distance in hops
• Link-state routing - a topology map of the network identifies all routers and subnetworks; the route is determined from the shortest path to the destination
• Routes can be manually loaded (static) or dynamically maintained

Routing - Internet Management Domains
• The core of the (early) Internet used the Gateway-to-Gateway Protocol (GGP) to exchange routing data between core routers
• The Exterior Gateway Protocol (EGP) was used to exchange routing data with the core and other autonomous systems
• An Interior Gateway Protocol (IGP) is used within autonomous systems
• Figure (reconstructed): an Internet core running GGP, EGP links from the core to several autonomous systems, and each autonomous system running its own IGP internally
• GGP and the original EGP are historical; BGP is the exterior protocol of today's Internet, and "EGP" now usually names that class of protocol rather than the specific one

Routing Protocols - Static routes
• Not a protocol
• Entered by hand
• Define a path to a network or subnet
• Most secure: there are no routing updates for an attacker to forge, at the price of no automatic failover and manual work on every topology change

Routing Protocols - RIP
• Distance Vector
• Interior Gateway Protocol
• Noisy, not the most efficient
• Broadcasts routes every 30 seconds
• Lowest cost route is always best
• A cost of 16 is unreachable
• No security in RIPv1: anyone on the segment can pretend to be a router and inject routes; RIPv2 added plaintext and MD5 authentication (RFC 2082), which keeps out casual injection but not a determined attacker
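What "anyone can pretend to be a router" means in practice, as an added example (not code from the course slides): a miniature RIP-style distance-vector exchange between three routers, then a forged advertisement from a host on one of the segments that claims a zero-cost path to a remote network. The topology, router names and network names are constructed; the update rule is the standard Bellman-Ford step with RIP's hop-count-16 meaning unreachable.

```python
# Added example (not from the course slides): RIP-style distance-vector
# route exchange, then route hijacking by a forged update. Topology is constructed.
INFINITY = 16  # RIP semantics: a hop count of 16 means unreachable


class Router:
    def __init__(self, name, connected_nets):
        self.name = name
        # destination network -> (hop count, next hop); directly attached nets cost 1
        self.table = {net: (1, "direct") for net in connected_nets}

    def advertisement(self):
        """What this router broadcasts to its neighbours every 30 seconds."""
        return {net: cost for net, (cost, _) in self.table.items()}

    def receive_update(self, sender, advert):
        """One Bellman-Ford step; returns True if the table changed."""
        changed = False
        for net, adv_cost in advert.items():
            cost = min(adv_cost + 1, INFINITY)
            current = self.table.get(net)
            if current is None and cost >= INFINITY:
                continue                      # unknown and unreachable: nothing to learn
            # accept a strictly better route, or any news from the current next hop
            # (that is how a route is withdrawn: the next hop reports cost 16)
            if current is None or cost < current[0] or current[1] == sender:
                if (cost, sender) != current:
                    self.table[net] = (cost, sender)
                    changed = True
        return changed

    def reachable(self, net):
        entry = self.table.get(net)
        return entry is not None and entry[0] < INFINITY


def converge(routers, links, max_rounds=50):
    """Exchange advertisements over every link until nothing changes."""
    by_name = {r.name: r for r in routers}
    for rounds in range(1, max_rounds + 1):
        changed = False
        for a, b in links:
            adv_a, adv_b = by_name[a].advertisement(), by_name[b].advertisement()
            changed |= by_name[b].receive_update(a, adv_a)
            changed |= by_name[a].receive_update(b, adv_b)
        if not changed:
            return rounds
    raise RuntimeError("routing did not converge")


def build_demo():
    """Three routers in a line: N1 - R1 - N2 - R2 - N3 - R3 - N4 (constructed)."""
    r1 = Router("R1", ["N1", "N2"])
    r2 = Router("R2", ["N2", "N3"])
    r3 = Router("R3", ["N3", "N4"])
    converge([r1, r2, r3], [("R1", "R2"), ("R2", "R3")])
    return r1, r2, r3
```

Nothing in the protocol lets R1 tell a real neighbour from a host that simply sends an update, and because the forged route is cheaper than the real one, the legitimate advertisement that follows cannot displace it. The same mechanics apply to any distance-vector protocol without authentication, which is why the course lists static routes as the most secure option.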

Routing Protocols - OSPF
• Link-state
• Interior Gateway Protocol
• Routers on a multi-access segment elect a "Designated Router" (DR), which collects and redistributes link-state information so every router does not need an adjacency with every other
• All routers build the same topology database; Area Border Routers connect OSPF areas
• Along with IGRP (Cisco-proprietary), a replacement for the outdated RIP
• Supports per-interface authentication of routing messages (plaintext or MD5), which should be enabled

Routing Protocols - BGP
• Border Gateway Protocol is an EGP
• Can support multiple paths between autonomous systems
• Can detect and suppress routing loops
• Lacks built-in security: a peer is trusted for whatever prefixes it announces; TCP MD5 (RFC 2385) or TCP-AO protects the session, and RPKI origin validation is the current defence against bogus announcements
• Large parts of the Internet have gone down because of incorrectly configured BGP on a single ISP router

Source Routing
• The source (packet sender) can specify the route a packet will traverse through the network
• Two types, strict and loose (IPv4 SSRR and LSRR options)
• Allows IP spoofing attacks: the attacker sets a source address the target trusts and a return route via itself, so replies come back to the attacker
• Rarely allowed across the Internet; routers and hosts should drop source-routed packets

Transport Layer
• TCP
• UDP
• IPX Service Advertising Protocol
• Are UDP and TCP connectionless or connection oriented? (TCP is connection-oriented, UDP is connectionless)
• What is IP? Explain the difference (IP is the connectionless network-layer protocol beneath both)

Session Layer
• Establishes, manages and terminates sessions between applications
• Coordinates service requests and responses that occur when applications communicate between different hosts
• Examples include: NFS, RPC, X Window System, AppleTalk Session Protocol

Presentation Layer
• Provides code formatting and conversion
• For example, translates between differing text and data character representations such as EBCDIC and ASCII
• Also includes data encryption
• Layer 6 standards include JPEG, GIF, MPEG, MIDI

Application-layer Protocols
• FTP (File Transfer Protocol)
• TFTP (Trivial File Transfer Protocol) - used by some X-Terminal systems; has no authentication at all, so restrict it to the boot network
• HTTP (HyperText Transfer Protocol)
• SNMP (Simple Network Management Protocol) - helps network managers locate and correct problems in a TCP/IP network; used to gain information from network devices such as count of packets received and routing tables; SNMPv1/v2c "secure" this with a cleartext community string, SNMPv3 adds real authentication and encryption
• SMTP (Simple Mail Transfer Protocol) - used by many email applications

Identification & Authentication
• Identify who is connecting - userid
• Authenticate who is connecting:
  password (static) - something you know
  token (e.g. SecurID) - something you have
  biometric - something you are
• Protocols: RADIUS, TACACS, PAP, CHAP, DIAMETER
• PAP sends the password in the clear; CHAP uses a challenge-response so the password itself never crosses the link; RADIUS obscures only the password attribute, so it belongs on a trusted management network or inside a tunnel

Firewall Terms
Network address translation (NAT)
  Internal (private) addresses are rewritten at the boundary and are not directly reachable from the external network
DMZ - De-Militarized Zone
  Segment for hosts that must be directly reachable from untrusted networks, kept separate from the internal network
ACL - Access Control List
  Can be a router or firewall term

Firewall Terms
Choke, Choke router
  A router with packet filtering rules (ACLs) enabled
Gate, Bastion host, Dual Homed Host
  A hardened server that provides packet filtering and/or proxy services; a dual-homed host has an interface on each network and does not forward packets between them
Proxy server
  A server that provides application proxies

Firewall types
Packet-filtering router
  Most common
  Uses Access Control Lists (ACL) keyed on
    Port
    Source/destination address
Screened host
  Packet-filtering router plus a bastion host
  Application layer proxies run on the bastion host
Screened subnet (DMZ)
  2 packet filtering routers with bastion host(s) on the subnet between them
  Most secure of the three: a compromised bastion host still sits behind the inner router

Firewall Models
Proxy servers
  Intermediary between client and server
  Think of a bank teller
Stateful Inspection
  State and context analyzed on every packet in a connection
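The difference between a packet-filtering router and stateful inspection is easiest to see on the "reply traffic" problem: a stateless ACL that lets replies to outbound connections back in must admit any inbound packet with the ACK bit set, which an attacker can forge. The following is an added example, not part of the original slides; it models an inbound ACL (modelled on the Cisco `established` keyword, simplified here to "ACK set") beside a stateful firewall that only admits replies to connections it saw leaving. The addresses and port numbers are constructed sample values from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source network, CIDR
    dst: str                    # destination network, CIDR
    dports: range               # destination port range
    established: bool = False   # match only packets with ACK set ("established" rule)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and pkt.dport in rule.dports
            and (pkt.ack or not rule.established))

def acl_decision(acl, pkt: Packet) -> str:
    """Packet-filtering router: first matching rule wins, implicit deny at the end."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

WEB_SERVER = "203.0.113.10"          # constructed: public web server in the DMZ
INSIDE_NET = "203.0.113.0/24"        # constructed: our address block

# Stateless choke router. To let replies to outbound connections back in it must
# admit ANY inbound packet with ACK set to a high port: that is the hole.
STATELESS_ACL = [
    Rule("permit", "0.0.0.0/0", WEB_SERVER + "/32", range(80, 81)),
    Rule("permit", "0.0.0.0/0", INSIDE_NET, range(1024, 65536), established=True),
]

# Stateful firewall only needs the rule for genuinely new inbound connections.
STATEFUL_ACL = [Rule("permit", "0.0.0.0/0", WEB_SERVER + "/32", range(80, 81))]

class StatefulFirewall:
    """Stateful inspection: replies are admitted only for connections seen leaving."""
    def __init__(self, inbound_acl):
        self.acl = inbound_acl
        self.conns = set()       # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt: Packet) -> str:
        if pkt.syn and not pkt.ack:                  # inside host opening a connection
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "permit"                          # reply to a tracked connection
        return acl_decision(self.acl, pkt)           # else only explicitly allowed new ones

def demo():
    fw = StatefulFirewall(STATEFUL_ACL)
    # 1. outside client opens a connection to the public web server
    web_syn = Packet("198.51.100.5", 51000, WEB_SERVER, 80, syn=True)
    # 2. inside host browses out; the reply comes back from port 80 with ACK set
    fw.outbound(Packet("203.0.113.20", 51001, "198.51.100.7", 80, syn=True))
    reply = Packet("198.51.100.7", 80, "203.0.113.20", 51001, syn=True, ack=True)
    # 3. attacker probes an inside host with an unsolicited ACK from source port 80
    ack_probe = Packet("198.51.100.99", 80, "203.0.113.20", 51001, ack=True)
    return {
        "web_syn":   (acl_decision(STATELESS_ACL, web_syn),   fw.inbound(web_syn)),
        "reply":     (acl_decision(STATELESS_ACL, reply),     fw.inbound(reply)),
        "ack_probe": (acl_decision(STATELESS_ACL, ack_probe), fw.inbound(ack_probe)),
    }

if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:10s} stateless={stateless:7s} stateful={stateful}")
```

The ACK probe is exactly what an ACK scan sends to map a stateless filter's rule set; the stateful firewall drops it because no matching connection was ever opened from inside.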

VPN - Virtual Private Network
PPTP
L2TP
IPSec
  Tunnel Mode
  Transport Mode
Site-to-Site VPN
Client-to-Site VPN
SSL
SSH

Intrusion Detection (IDS)
Host or network based
Context and content monitoring
Positioned at network boundaries
Basically a sniffer with the capability to detect traffic patterns known as attack signatures

Web Security

Secure Sockets Layer (SSL)
  Transport layer security (TCP based); superseded by TLS (Transport Layer Security)
  Widely used for web based applications
  By convention, https://

Secure Hypertext Transfer Protocol (S-HTTP)
  Less popular than SSL
  Used for individual messages rather than sessions

Secure Electronic Transactions (SET)
  PKI
  Financial data
  Supported by VISA, MasterCard, Microsoft, Netscape

IPSEC

IP Security
Set of protocols developed by IETF (AH, ESP and IKE)
Standard used to implement VPNs
Two modes
  Transport Mode
    encrypted payload (data), original IP header in clear text; end-to-end between hosts
  Tunnel Mode
    original packet (header and payload) encrypted and wrapped in a new outer IP header; used gateway-to-gateway
IPSEC requires shared keys: each security association is keyed by IKE, which authenticates the peers with a pre-shared secret or with public-key certificates (a "shared public key" is a contradiction; what is shared is the symmetric session key)

Spoofing
TCP Sequence number prediction
UDP - trivial to spoof (connectionless, no handshake to prove the source)
DNS - spoof/manipulate IP/hostname pairings
Source Routing

Sniffing
Passive attack
Monitor the "wire" for all traffic - most effective in shared media networks (hubs, wireless)
Sniffers used to be "hardware", now are a standard software tool

Session Hijacking
Uses sniffer to detect sessions, get pertinent session info (sequence numbers, IP addresses)
Actively injects packets, spoofing the client side of the connection, taking over session with server
Bypasses I&A controls
Encryption is a countermeasure, stateful inspection can be a countermeasure

IP Fragmentation
Use the fragmentation fields in the IP header (fragment offset, more-fragments flag) to force data in the packet to be overwritten upon reassembly (overlapping fragments)
Used to circumvent packet filters that only inspect the first fragment
Reassembly bugs also lead to Denial of Service Attack

IDS Attacks
Insertion Attacks
  Feed the IDS packets that the end host will reject, so the IDS's view of the stream contains data the target never sees; confuses pattern matching
  Example - Send a TCP RST with a TTL setting such that the packet expires prior to reaching its destination: the IDS sees the session close, the host does not
Evasion Attacks
  Trick the IDS into not detecting traffic: the end host accepts data the IDS discards or reassembles differently (overlapping fragments, unusual encodings)
(Terminology per Ptacek and Newsham, 1998; the short-TTL RST is their canonical insertion example)
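Overlapping fragments are the one trick that serves both slides above: they get a forbidden TCP segment past a packet filter, and they make an IDS and the end host reassemble different byte streams (evasion, in the terminology of the IDS Attacks slide). The following is an added example, not part of the original slides; it builds the RFC 1858 overlapping-fragment attack from constructed fragments, reassembles them under two policies, and shows the RFC 1858 check (drop TCP fragments at offset 8, enforce a minimum first-fragment length) that a filter should apply. Offsets are kept in bytes here for readability; real IPv4 stores them in 8-byte units, so "offset 8" is fragment offset 1.

```python
import struct
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10

@dataclass
class Fragment:
    offset: int      # byte offset into the original datagram (IPv4: fragment offset * 8)
    data: bytes
    more: bool       # IPv4 "more fragments" flag

def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    # minimal 20-byte TCP header: ports, seq, ack, data offset, flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def reassemble(frags, policy: str) -> bytes:
    """Rebuild the datagram from fragments in arrival order.
    policy='last': a later fragment overwrites bytes already received (RFC 791 style);
    policy='first': bytes already received are kept."""
    size = max(f.offset + len(f.data) for f in frags)
    buf, seen = bytearray(size), bytearray(size)
    for f in frags:
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
            seen[pos] = 1
    return bytes(buf)

def filter_allows(frags, rfc1858: bool = False) -> bool:
    """Packet filter that sees only the first fragment's TCP header and applies an
    'established' rule (ACK set, SYN clear). Non-first fragments carry no TCP header,
    so a naive filter passes them. With rfc1858=True the filter also drops any fragment
    at offset 8 (fragment offset 1), the only one that can overwrite the flags of a
    minimal first fragment, and rejects first fragments too short to show the flags."""
    for f in frags:
        if f.offset == 0:
            if len(f.data) < 14:            # flags byte (offset 13) not even present
                return False
            flags = f.data[13]
            if (flags & SYN) or not (flags & ACK):
                return False
        elif rfc1858 and f.offset == 8:
            return False
    return True

# Constructed attack: the first fragment looks like part of an established session (ACK);
# the second overlaps bytes 8..19 and rewrites the flags byte to SYN (new telnet connection).
innocent = tcp_header(40000, 23, ACK)
attack = tcp_header(40000, 23, SYN)
FRAGS = [Fragment(0, innocent[:16], more=True), Fragment(8, attack[8:], more=False)]

def demo():
    host_view = reassemble(FRAGS, "last")     # host whose reassembly lets later bytes win
    ids_view = reassemble(FRAGS, "first")     # monitor that keeps the first copy it saw
    return {
        "naive_filter_allows": filter_allows(FRAGS),
        "rfc1858_filter_allows": filter_allows(FRAGS, rfc1858=True),
        "host_sees_syn": bool(host_view[13] & SYN),
        "ids_sees_syn": bool(ids_view[13] & SYN),
        "host_dport": struct.unpack("!H", host_view[2:4])[0],
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

The naive filter admits both fragments, the host ends up with a SYN to port 23, and a monitor using the other overlap policy never sees that SYN. Which policy a given operating system actually uses varies, which is why an IDS must model the target host's reassembly rather than pick one rule.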

Syn Floods
Remember the TCP handshake? Syn, Syn-Ack, Ack
Send a lot of Syns (typically from spoofed source addresses, so the Syn-Acks go nowhere)
Don't send Acks
Victim has a lot of half-open connections filling its backlog, can't accept any more incoming connections
Denial of Service
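To make the backlog exhaustion concrete, here is an added example (not part of the original slides) that models a listener's half-open connection queue with a SYN-RECEIVED timeout, floods it with SYNs from constructed spoofed addresses that never send the final ACK, and applies a simple detection heuristic: backlog nearly full while almost no handshake completes. The backlog size, timeout and addresses are assumed sample values.

```python
from collections import Counter

class Listener:
    """Server-side TCP listener with a fixed backlog of half-open connections."""
    def __init__(self, backlog: int, syn_timeout: int):
        self.backlog = backlog
        self.syn_timeout = syn_timeout      # ticks a half-open entry may wait for its ACK
        self.half_open = {}                 # (src, sport) -> tick at which SYN-ACK was sent
        self.established = 0
        self.dropped = 0
        self.syns_by_src = Counter()
        self.now = 0

    def tick(self, n: int = 1) -> int:
        """Advance time; reap half-open entries whose ACK never arrived."""
        self.now += n
        expired = [k for k, t in self.half_open.items() if self.now - t >= self.syn_timeout]
        for k in expired:
            del self.half_open[k]
        return len(expired)

    def on_packet(self, src: str, sport: int, flag: str) -> str:
        key = (src, sport)
        if flag == "SYN":
            self.syns_by_src[src] += 1
            if len(self.half_open) >= self.backlog:
                self.dropped += 1           # queue full: no SYN-ACK, client sees no service
                return "dropped"
            self.half_open[key] = self.now  # send SYN-ACK, wait for the final ACK
            return "SYN-ACK"
        if flag == "ACK" and key in self.half_open:
            del self.half_open[key]
            self.established += 1
            return "established"
        return "ignored"

def syn_flood_suspected(srv: Listener, fill: float = 0.9) -> bool:
    """Detection heuristic: backlog nearly full while handshakes almost never complete."""
    attempts = sum(srv.syns_by_src.values())
    return len(srv.half_open) >= fill * srv.backlog and srv.established < 0.1 * attempts

def demo():
    srv = Listener(backlog=128, syn_timeout=30)
    # a normal client completes the handshake and leaves the backlog
    srv.on_packet("198.51.100.5", 51000, "SYN")
    srv.on_packet("198.51.100.5", 51000, "ACK")
    # attacker: 500 SYNs from spoofed (constructed) sources, never followed by ACKs
    for i in range(500):
        srv.on_packet(f"10.{i % 250}.{i // 250}.7", 40000 + i, "SYN")
    during = srv.on_packet("198.51.100.6", 51001, "SYN")   # second real client is refused
    suspected = syn_flood_suspected(srv)
    srv.tick(30)                                            # SYN-RECEIVED timeout reaps the flood
    after = srv.on_packet("198.51.100.6", 51001, "SYN")
    return {"refused_during_flood": during, "dropped": srv.dropped,
            "suspected": suspected, "accepted_after_timeout": after}

if __name__ == "__main__":
    print(demo())
```

A short SYN-RECEIVED timeout only helps while the attacker's rate is below backlog/timeout; above that the queue refills as fast as it is reaped, which is why real stacks fall back to SYN cookies or upstream filtering.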

Telecom/Remote Access Security
Dial up lines are a favorite hacker target
  War dialing
  Social engineering
PBX is a favorite phreaker target
  blue box, gold box, etc.
  Voice mail

Remote Access Security
SLIP - Serial Line Internet Protocol
PPP - Point to Point Protocol
SLIP/PPP serve the same purpose; PPP adds error checking, link negotiation and authentication (PAP/CHAP); SLIP is obsolete
PAP - Password Authentication Protocol
  Clear text password, readable by anyone sniffing the link
CHAP - Challenge Handshake Authentication Protocol
  Challenge/response: the peer returns an MD5 hash of the challenge and the shared secret (RFC 1994); the password itself never crosses the link, and a captured response cannot be replayed against a new challenge
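The two protocols side by side, as an added example that is not part of the original slides: PAP puts the password on the wire, CHAP (RFC 1994) puts only MD5(identifier || secret || challenge) on the wire and the authenticator recomputes it. The block also shows the two things a practitioner should know about CHAP: a sniffed response cannot be replayed, but a sniffer holding challenge and response can still guess a weak secret offline. The user name, secret and word list are constructed sample data.

```python
import hashlib
import hmac
import os

# Authenticator's copy of each peer's shared secret (constructed sample data)
SECRETS = {"alice": b"correct horse"}

# --- PAP (RFC 1334): name and password sent as-is; a sniffer on the link reads them ---
def pap_request(name: str, password: bytes) -> dict:
    return {"name": name, "password": password}

def pap_verify(req: dict) -> bool:
    secret = SECRETS.get(req["name"])
    return secret is not None and hmac.compare_digest(secret, req["password"])

# --- CHAP (RFC 1994): challenge/response, the secret never crosses the link ---
def chap_challenge() -> dict:
    """Authenticator -> peer: one-byte identifier plus a random challenge value."""
    return {"id": os.urandom(1)[0], "challenge": os.urandom(16)}

def chap_response(name: str, secret: bytes, chal: dict) -> dict:
    """Peer -> authenticator: MD5(identifier || secret || challenge), per RFC 1994."""
    value = hashlib.md5(bytes([chal["id"]]) + secret + chal["challenge"]).digest()
    return {"id": chal["id"], "name": name, "value": value}

def chap_verify(chal: dict, resp: dict) -> bool:
    """Authenticator recomputes the hash with its own copy of the secret and compares."""
    secret = SECRETS.get(resp["name"])
    if secret is None or resp["id"] != chal["id"]:
        return False
    expected = hashlib.md5(bytes([chal["id"]]) + secret + chal["challenge"]).digest()
    return hmac.compare_digest(expected, resp["value"])

def replay_captured_response(resp: dict) -> bool:
    """A sniffer replays a captured response against a fresh challenge: it no longer matches."""
    return chap_verify(chap_challenge(), resp)

def offline_guess(chal: dict, resp: dict, wordlist):
    """The caveat: holding challenge and response, a sniffer can test candidate secrets
    offline at MD5 speed, so CHAP protects the link but not a weak secret."""
    for candidate in wordlist:
        if chap_response(resp["name"], candidate, chal)["value"] == resp["value"]:
            return candidate
    return None

def demo():
    sniffed = pap_request("alice", b"correct horse")      # exactly what PAP puts on the wire
    chal = chap_challenge()
    resp = chap_response("alice", b"correct horse", chal)
    return {
        "pap_ok": pap_verify(sniffed),
        "pap_password_on_wire": sniffed["password"],
        "chap_ok": chap_verify(chal, resp),
        "replay_ok": replay_captured_response(resp),
        "offline_guess": offline_guess(chal, resp, [b"password", b"letmein", b"correct horse"]),
    }

if __name__ == "__main__":
    print(demo())
```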

Remote Access Security

TACACS, TACACS+
  Terminal Access Controller Access Control System
  Network devices query the TACACS server to verify passwords
  "+" adds ability for two-factor (dynamic) passwords; TACACS+ is a separate, TCP-based protocol that also encrypts the packet body and separates authentication, authorization and accounting
Radius
  Remote Authentication Dial-In User Service

RAID
Redundant Array of Inexpensive (or Independent) Disks - 7 levels (0 to 6)
  Level 0 - Data striping (spreads blocks of each file across multiple disks); no redundancy
  Level 1 - Provides disk mirroring
  Level 3 - Byte-level striping plus one dedicated parity disk for error correction
  Level 5 - Block-level striping with parity distributed (rotated) across all disks; survives the loss of any one disk
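Parity in RAID 3 and RAID 5 is nothing more than the XOR of the data chunks in a stripe, which is why one lost disk can be rebuilt from the survivors. The following is an added example, not part of the original slides: it stripes a constructed payload block-by-block over four simulated disks with rotating parity (the RAID 5 layout; RAID 3 would keep the parity on one fixed disk), fails one disk, and reconstructs it. Disk count, chunk size and the parity rotation rule are assumed values chosen for illustration.

```python
from functools import reduce

def xor_blocks(blocks):
    """XOR a list of equal-length byte strings; RAID 3/5 parity is exactly this."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks)

def parity_disk(stripe: int, ndisks: int) -> int:
    # RAID 5: parity rotates across the disks stripe by stripe (constructed rotation rule)
    return (ndisks - 1 - stripe) % ndisks

def raid5_write(data: bytes, ndisks: int, chunk: int):
    """Stripe data at block (chunk) level over ndisks, one parity chunk per stripe."""
    ndata = ndisks - 1
    cap = ndata * chunk
    data += b"\x00" * (-len(data) % cap)              # pad to whole stripes
    disks = [[] for _ in range(ndisks)]
    for s in range(len(data) // cap):
        chunks = [data[(s * ndata + i) * chunk:(s * ndata + i + 1) * chunk] for i in range(ndata)]
        parity = xor_blocks(chunks)
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk(s, ndisks) else next(it))
    return disks

def raid5_read(disks, length: int) -> bytes:
    """Read the data back in order, skipping the parity chunk of each stripe."""
    ndisks, out = len(disks), bytearray()
    for s in range(len(disks[0])):
        for d in range(ndisks):
            if d != parity_disk(s, ndisks):
                out += disks[d][s]
    return bytes(out[:length])

def rebuild(disks, failed: int):
    """Reconstruct every chunk of the failed disk as the XOR of the surviving chunks
    in the same stripe; works whether the lost chunk held data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]

DATA = b"The quick brown fox jumps over the lazy dog"   # constructed sample payload

def demo(ndisks: int = 4, chunk: int = 4, failed: int = 2):
    disks = raid5_write(DATA, ndisks, chunk)
    lost = disks[failed]
    disks[failed] = None                     # the disk dies
    recovered = rebuild(disks, failed)
    disks[failed] = recovered                # hot spare populated from parity
    return {"rebuilt_matches": recovered == lost,
            "readback": raid5_read(disks, len(DATA)),
            "stripes": len(disks[0])}

if __name__ == "__main__":
    print(demo())
```

A second simultaneous failure leaves two unknowns per stripe and a single XOR equation, so RAID 5 cannot recover it; that is the gap RAID 6's second parity closes.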
