Page 1: Fundamentals of Networking

Fundamentals of Networking, תשס"ט (Hebrew year 5769, i.e. 2008/2009)

Page 2: Fundamentals of Networking

Definitions

• Network: physical connection that allows two computers to communicate
• Packet: unit of transfer, a sequence of bits carried over the network
• Protocol: agreement between two parties as to how information is to be transmitted
• Internet Protocol (IP): used to route messages through routers across the globe; 32-bit addresses, 16-bit ports

Page 3: Fundamentals of Networking

Definitions (cont.)

• Layering (separation of tasks): building complex services from simpler ones
• End-to-end argument: application-specific properties are best provided by the applications, not the network
• Packet vs. circuit switching: post card (packet) vs. phone call (circuit)
• Bandwidth and congestion
  • Packet: better bandwidth usage, but potentially congested links
  • Circuit: no congestion, but potentially lower link utilization
• Failures and reconfiguration
  • Packet: failed routes are detected and routed around
  • Circuit: the entire path must be reconfigured if any router fails

Page 4: Fundamentals of Networking

Two Ways To Handle Networking

• Circuit switching: what you get when you make a phone call; a dedicated circuit per call
• Packet switching: what you get when you send a bunch of letters; bandwidth is consumed only when sending; packets are routed independently

Page 5: Fundamentals of Networking

Circuit Switching vs. Packet Switching

In a circuit-switched network, a circuit is established between the two devices (like in a telephone system).

In a packet-switched network, blocks of data may take any number of paths as they travel from one device to the other.

[Figure: a circuit-switched network shown next to a packet-switched network]

Page 6: Fundamentals of Networking


Layered Architectures

How do computers manage complex protocol processing? Break the design problem up into smaller problems → more manageable.

• Decompose complicated jobs into layers; each one has a well-defined task
• Specify well-defined protocols to enact
• Modular design: easy to extend / modify

Page 7: Fundamentals of Networking

Layered Architecture

Layer            Provides
Applications     Web, e-mail, file transfer, ...
Middleware       Reliable/ordered transmission, QoS, security, compression, ...
Routing          End-to-end transmission, resource allocation, routing, ...
Physical Links   Point-to-point links, LANs, radios, ...

(In the figure, users sit at the top of the stack and the network at the bottom.)

Page 8: Fundamentals of Networking

The OSI Model

Open Systems Interconnect (OSI): a standard way of understanding the conceptual layers of network communication. This is a model; nobody builds systems exactly like this.

Each level provides certain functions and guarantees, and communicates with the same level on remote nodes.

A message generated at the highest level is passed down the levels, encapsulated by the lower levels until it is sent over the wire.

On the destination, the encapsulated message makes its way up the layers until the high-level message reaches its high-level destination.

Page 9: Fundamentals of Networking

OSI Levels

[Figure: Node A and Node B each run the seven layers, from top to bottom Application, Presentation, Session, Transport, Network, Data Link, Physical. An intermediate node between them is labelled Network. Each layer on Node A is drawn talking to its peer layer on Node B.]

Page 10: Fundamentals of Networking

Network Protocol: the OSI Model

Separation of tasks using a hierarchy of data

1. Application Layer (FTP, DNS, SMTP, MIME, POP, TLS)
2. Presentation Layer (HTTP)
3. Session Layer
4. Transport Layer (control, firewall, protection)
5. Network Layer (IP address routing)
6. Data Link Layer (MAC / hardware address)
7. Physical Layer (cabling, wiring)

Devices marked alongside the layers on the slide: Ethernet, Bridge/Switch, Router, Firewall.

Page 11: Fundamentals of Networking

The Internet Protocol Layers

[Figure: the OSI layers shown side by side with the Internet layers]

Page 12: Fundamentals of Networking

Internet Protocol Stack

Layer         Examples
Application   HTTP, SMTP, FTP, TELNET, DNS, …
Transport     TCP, UDP
Network       IP
Physical      Point-to-point links, LANs, radios, ...

(In the figure, users sit at the top of the stack and the network at the bottom.)

Page 13: Fundamentals of Networking

Protocol Stack

[Figure: user X's e-mail client and user Y's e-mail server communicate through two matching stacks. Each layer speaks a protocol with its peer on the other side: e-mail client / e-mail server (SMTP), tcp server process (TCP), ip server process (IP), ethernet driver/card (IEEE 802.3 standard, electric signals). At the very top, user X and user Y speak English to each other.]

Page 14: Fundamentals of Networking

Protocol encapsulation

[Figure: the same two stacks as on the previous slide (e-mail client, tcp server process, ip server process, ethernet driver/card on user X's side; the mirror image on user Y's side). The message “Hello” is handed down from user X through each layer, each one wrapping it in its own header, carried across the wire, and unwrapped layer by layer on user Y's side until “Hello” is delivered to user Y.]
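To make the encapsulation on this slide and the OSI "passed down the levels" description concrete, here is an added example (not from the slides) that wraps the message "Hello" in real TCP, IPv4 and Ethernet II headers and then unwraps it again, verifying at each layer the field the layer above relies on. The MAC and IP addresses are constructed sample values, and the TCP checksum is left at zero to keep the block short.

```python
import struct

# Constructed sample addresses for this example (not from the slides).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = bytes([192, 0, 2, 10])    # user X's host
DST_IP = bytes([192, 0, 2, 25])    # the e-mail server

def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); yields 0 over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate(message: str, src_port: int = 52000, dst_port: int = 25) -> bytes:
    """Pass the message down the stack: SMTP text -> TCP segment -> IP packet -> Ethernet frame."""
    payload = message.encode()
    # TCP header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum (0 here), urgent ptr
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    # IPv4 header: version/IHL, TOS, total length, id, DF flag, TTL, protocol 6 = TCP, checksum slot, addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, SRC_IP, DST_IP)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:] + tcp
    # Ethernet II header: destination MAC, source MAC, EtherType 0x0800 = IPv4
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip

def decapsulate(frame: bytes) -> dict:
    """Walk back up the stack, checking at each layer what the next layer depends on."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src_port": src_port, "dst_port": dst_port, "message": tcp[data_off:].decode()}

if __name__ == "__main__":
    frame = encapsulate("Hello")
    print(len(frame), "bytes on the wire ->", decapsulate(frame))
```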

Page 15: Fundamentals of Networking

Air travel

[Figure: the steps of a flight drawn as matching layers at origin and destination]

Passenger origin     Passenger destination
Ticket (purchase)    Ticket (complain)
Baggage (check)      Baggage (claim)
Gates (load)         Gates (unload)
Runway (take off)    Runway (landing)
          Airplane routing

Page 16: Fundamentals of Networking

Bandwidth / Shannon’s Formula

The transmission capacity of a channel using radio frequencies (Wi-Fi) or a carrier wave (ADSL) is given by Shannon’s formula:

Capacity = Bandwidth × log2 (1 + S/N), where S/N stands for the signal-to-noise ratio

For instance: B = 40 kHz, S/N = 20 dB (factor 100)
Capacity = 40’000 × 6.65821 = 266.33 kbps

Page 17: Fundamentals of Networking

History of Computer Networks

• Networks started in the late 60’s in the US, in military and academic research projects: ARPAnet (Advanced Research Projects Agency Network)
• DECnet, developed by DEC in the 70’s to link their mini-computers worldwide
• Later, networks became widely used by the financial community for terminals and ATMs in the 80’s (X.25)
• Finally, the Internet, starting in the 90’s, using the standard TCP/IP protocol (inherited from the ARPAnet), the World Wide Web, and the hyper-text transfer protocol (HTTP) developed at CERN in Geneva

Page 18: Fundamentals of Networking

Ethernet

A technology for wiring computers and hosts in a LAN (twisted pairs, fiber-optic cable), standardized by IEEE 802.3 (physical layer 1)

Page 19: Fundamentals of Networking

Devices on the Network

• Bridges: connect network segments together; work at the physical and data link layers using the hardware address (broadcast domain, layer 2)
• Switches: connect devices on the same physical network segment; work at the data link layer using the hardware address (broadcast domain, layer 2)
• Routers: process network packets using the IP address (layer 3); they set the path for reaching the destination, using routing tables and routing algorithms (they define the boundaries between broadcast domains)
• Gateways: connect different networks together (with protocol conversion if necessary); they are the access point to the network where controlling and filtering functions are performed (firewall, malware and spam detection); the Default Gateway is the node connecting to the outside world and may be the device provided by the ISP to home users, a firewall, or a proxy server

Page 20: Fundamentals of Networking

Firewall

A dedicated appliance (or software running on another computer) which inspects network traffic and denies or permits passage based on a set of rules.

Firewalls of the second generation are stateful, meaning that they maintain a record of all connections passing through the firewall (which also lets them detect Denial-of-Service attacks).

Firewalls often have Network Address Translation (NAT) functionality, i.e. they hide from the outside world the IP addresses of the hosts protected behind them.
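The two properties above, a state table of connections and NAT, are easiest to see together. The following is an added example (a hypothetical minimal model, not any real firewall product): packets leaving the protected LAN are recorded and their private source rewritten to one public address, and inbound packets are admitted only when they match a recorded connection. The addresses are constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatefulNatFirewall:
    """Hypothetical model of a stateful firewall with source NAT (example code, not a real product)."""

    def __init__(self, public_ip: str, inside_net: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.inside_net = ipaddress.ip_network(inside_net)   # the protected LAN, e.g. 192.168.1.0/24
        self.next_port = first_port
        self.outbound = {}   # (inside ip, inside port, remote ip, remote port) -> public port
        self.inbound = {}    # (public port, remote ip, remote port) -> (inside ip, inside port)

    def outbound_packet(self, pkt: Packet):
        """Inside -> outside: record the connection and hide the private source address."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return "deny", None          # source claims to be inside but is not on the protected LAN
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:     # first packet of a new connection: allocate a public port
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return "allow", replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def inbound_packet(self, pkt: Packet):
        """Outside -> inside: only replies to a tracked connection pass, and they are un-translated."""
        inside = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return "deny", None          # unsolicited: no matching entry in the state table
        return "allow", replace(pkt, dst_ip=inside[0], dst_port=inside[1])

    def connections(self) -> int:
        """Tracked connections; a sudden jump in this number is what a DoS detector would watch."""
        return len(self.outbound)

if __name__ == "__main__":
    fw = StatefulNatFirewall("203.0.113.1", "192.168.1.0/24")
    print(fw.outbound_packet(Packet("192.168.1.10", 5000, "198.51.100.7", 80)))
    print(fw.inbound_packet(Packet("198.51.100.7", 80, "203.0.113.1", 40000)))
    print(fw.inbound_packet(Packet("198.51.100.9", 4444, "203.0.113.1", 22)))
```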

Page 21: Fundamentals of Networking

Proxy Server

Serves requests to other servers on behalf of its clients.

A proxy server that passes all requests and replies unmodified is also called a gateway.

Page 22: Fundamentals of Networking

Network Protocols

Protocol   Description                                                                              Listening port
FTP        File Transfer Protocol (used for file downloading)                                       21
SMTP       Simple Mail Transfer Protocol (Internet standard for electronic mail, Exchange)          25
DHCP       Dynamic Host Configuration Protocol (used by clients to obtain the network parameters)   67, 68
HTTP       Hyper Text Transfer Protocol (request/response standard in the Web)                      80
POP3       Post Office Protocol 3 (client-server protocol for e-mail, Outlook)                      110
LDAP       Lightweight Directory Access Protocol (querying and modifying directory services)        389
HTTPS      Hyper Text Transfer Protocol Secure (secure socket layer for secure communication)       443
ICAP       Internet Content Adaptation Protocol (used for proxy servers and content filtering)      1344

Page 23: Fundamentals of Networking

IP Addressing

IP (v4) addresses are divided into 4 groups of 8 bits separated by dots (32 bits); each group has a value between 0 and 2^8 – 1 = 255.

In order to reduce routing requirements, the IP address is also divided into network-prefix, subnet-number and host-number.

Sub-netting enables organizations to reduce the number of public (unique) IP addresses requested for the LAN.

Subnets (broadcast addresses) allow for deploying additional networks without requesting new network numbers.

Local routers will use the extended network-prefix, while Internet routers only need to know the network-prefix to route traffic to the individual subnets.

The extended network-prefix is commonly called the subnet mask; for instance, a 24-bit network-prefix is written as 255.255.255.0.

[Figure: the address split into network-prefix | subnet-number | host-number, with network-prefix plus subnet-number forming the extended network prefix]

Page 24: Fundamentals of Networking

CIDR: Classless Inter-Domain Routing

A method of categorizing IP addresses for efficient use of the available IP numbers

Prefix   Subnet mask        # of hosts
/24      255.255.255.0      256
/25      255.255.255.128    128
/26      255.255.255.192    64
/27      255.255.255.224    32
/28      255.255.255.240    16
/29      255.255.255.248    8
/30      255.255.255.252    4
/31      255.255.255.254    2
/32      255.255.255.255    1
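The prefix/mask arithmetic behind the previous slide and this table, as an added example (not from the slides). It derives the mask from a prefix length and back, rejecting masks whose one-bits are not contiguous, and computes the network, broadcast and block size for an address. Note that the "# of hosts" column above counts every address in the block; the usable host count subtracts the network and broadcast addresses except on /31 links (RFC 3021) and /32 host routes. The sample addresses are constructed.

```python
def dotted_to_int(addr: str) -> int:
    """'192.168.1.77' -> 32-bit integer, rejecting anything that is not four octets in 0..255."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("not a dotted-quad IPv4 address: %r" % addr)
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n

def int_to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> str:
    """/24 -> '255.255.255.0': the first `prefix` bits set, the remaining host bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def mask_to_prefix(mask: str) -> int:
    """'255.255.255.192' -> 26; a mask whose ones are not contiguous (e.g. 255.0.255.0) is invalid."""
    m = dotted_to_int(mask)
    prefix = bin(m).count("1")
    if m != dotted_to_int(prefix_to_mask(prefix)):
        raise ValueError("non-contiguous subnet mask: %s" % mask)
    return prefix

def addresses_in(prefix: int) -> int:
    """Size of the block, as in the table (256 for /24 ... 1 for /32)."""
    return 1 << (32 - prefix)

def usable_hosts(prefix: int) -> int:
    """Block size minus network and broadcast; /31 (RFC 3021) and /32 use every address."""
    return addresses_in(prefix) if prefix >= 31 else addresses_in(prefix) - 2

def network_of(addr: str, prefix: int) -> str:
    """Keep only the extended network prefix bits (the part Internet and local routers route on)."""
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(prefix_to_mask(prefix)))

def broadcast_of(addr: str, prefix: int) -> str:
    """Network address with all host bits set."""
    mask = dotted_to_int(prefix_to_mask(prefix))
    return int_to_dotted((dotted_to_int(addr) & mask) | (~mask & 0xFFFFFFFF))

def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True when both addresses fall in the same block, i.e. a local router can deliver directly."""
    return network_of(a, prefix) == network_of(b, prefix)
```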

Page 25: Fundamentals of Networking

VLAN (Virtual LAN)

A set of computers connected together as if they were attached to the same broadcast domain, regardless of their physical location.

A Virtual LAN works like a physical LAN, even if the endpoint stations are not located on the same network switch.

A Virtual LAN is often associated with a network segment (subnet).

Page 26: Fundamentals of Networking

VPN: Virtual Private Network

VPNs are used to connect organizations with remote users across multiple locations. VPNs establish tunnels that allow sensitive data to be protected with encryption as it goes over the Internet.

• Remote access VPN: for mobile users through dial-up services
• LAN-to-LAN VPN: for communication between two different networks

The IPsec protocol is used as a secured link (authentication, integrity and confidentiality).

Page 28: Fundamentals of Networking

Demilitarized Zone (DMZ)

A non-critical region at the periphery of the LAN (outside the firewall)

Web servers, Mail Relay servers may reside in the DMZ

Page 29: Fundamentals of Networking

Domain Name System (DNS)

A fully qualified domain name is composed of a server, an organizational domain, and a top-level domain.

Top-level domains are shared across organizations (.com, .org, .net, .gov, .edu, ...).

Top-level domains around the world are defined according to country codes (.il, .uk, .us, .de, .ch, .fr …).

Example on the slide: www.mcafee.com = server (www) . domain (mcafee) . top-level domain (com)

Page 30: Fundamentals of Networking

Name to Address Resolution

Forward lookup translates domain names into IP addresses.

Reverse lookup does the opposite, resolving addresses into names.

[Figure: the user sends the DNS query "www.mcafee.com" to the DNS server, which returns the DNS answer 216.49.88.12]

Page 31: Fundamentals of Networking

DNS Servers

DNS servers are distributed worldwide, but there are 13 Root Servers that are the central repository of all domain names in the World Wide Web, and another 110 (Anycast) with copies across the globe.

Page 32: Fundamentals of Networking

Use of DNS Servers

There are many records kept on DNS servers, for instance:

• The “A” record, keeping the 32-bit IP address of the host
• The “MX” record (mail exchange record), keeping a list of mail exchange servers associated with a particular domain
• The “TXT” record, keeping “Sender Policy Framework” and “Domain Key” information used to tell valid mail from spam

Page 33: Fundamentals of Networking

Wireless 802.11b (Wi-Fi)

Uses radio frequencies (2.4 GHz); transmission speed 5.5 Mbps (new: 54 Mbps)

WEP (Wired Equivalent Privacy) uses a shared key between the mobile station and the base, but has security loopholes.

IEEE 802.11i addresses the WEP weaknesses; it uses the AES block cipher to encrypt the wireless communication.

Page 34: Fundamentals of Networking

Bluetooth

A wireless short-range communication technology of 1 Mbps, named after Harald Bluetooth, King of Denmark in 900.

Used to exchange information between devices such as mobile phones, laptops, printers, digital cameras etc.

Page 35: Fundamentals of Networking

The 10 Commandments of Security

1. Know that one line of defense is not enough
2. Understand the exposure and loopholes
3. Understand the technology used in attacks
4. See the “big picture” (network, servers, endpoints)
5. Beware of weak authentication mechanisms
6. Remember that security is part of a life cycle
7. Address security breaches from insiders
8. Do not overlook physical security
9. Explain that security also means positive thinking
10. Avoid too many false alarms (false positives)

Page 36: Fundamentals of Networking

Requirements → What To Do

• One line of defense is not enough → Protect gateway/server/desktop

• Understand the exposure → Ask for a second opinion

• Understand the technology of attacks → Look for up-to-date information

• See the “big picture” → Install Total Protection suites

• Beware of weak authentication → Enforce strict password rules

• Security is part of a life cycle → Renew the licenses on time

• Address security breaches from insiders → Install Device Control, Encryption

• Do not overlook physical security → Verify backups, disaster recovery

• Security also means positive thinking → Delegate tasks to the users

• Avoid too many false alarms → Use powerful algorithms