
4/23/2013

Domain #1 Network Security TCP/IP

TCP/IP Overview
Copyright SecureNinja.com 2000-2011 All rights Reserved

The de facto standard for internetworking
Also called Internet Protocol (IP)
The Internet was ARPANET, designed by DARPA
Initially mostly friendly groups connected together: universities, government, researchers, etc.
Now millions of computers worldwide
TCP/IP is a SUITE of protocols
Architecture independent
Stable and robust (to a point, of course)

What about models

OSI model: Application, Presentation, Session, Transport, Network, Data Link, Physical
TCP/IP model (RFC 1122, in bold on the slide): Application, Transport / Host to Host, Internet / Network Access, Link Layer

Routing Datagrams

Diagram (recovered labels): Host A1 on Network A (Application, Transport, Internet, Link Layer) -> Gateway G1 (Internet, Link Layer) between Network A and Network B -> Gateway G2 (Internet, Link Layer) between Network B and Network C -> Host C1 on Network C (Application, Transport, Internet, Link Layer). Only the end hosts implement the Application and Transport layers; the gateways forward at the Internet and Link layers.

Data Encapsulation

Diagram (recovered labels): on Send, each layer prepends its own header to what it receives from the layer above; on Receive, each layer strips its header and passes the rest up.
Application Layer: Data
Transport Layer: Transport Layer Header | Data
Internet Layer: Internet Layer Header | Transport Layer Header | Data
Link Layer: Link Layer Header | Internet Layer Header | Transport Layer Header | Data

Data Structures (1 of 2)

Layer               TCP         UDP
Application Layer   stream      message
Transport Layer     segment     packet
Internet Layer      datagram    datagram
Link Layer          frame       frame

Data Structures (2 of 2)

Transmission Methods

Unicast: from one station to another station
Broadcast: from one station to all the stations on the same LAN
Multicast: from one station to multiple selected locations; information is sent only once over the networks; routers must be configured appropriately

What's in a MAC address

Built at the factory directly on the card
A Media Access Control (MAC) address has 48 bits
24 bits is the OUI
The OUI specifies the vendor name
The OUI specifies the mode: Unicast or Multicast
MAC addresses are globally unique
Could be spoofed or faked
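An added example (not part of the SecureNinja slides) that decodes a 48-bit MAC address into the fields described above: the 24-bit OUI and the first-octet flag bits that mark unicast versus multicast and, beyond what the slide states, whether the address is factory-assigned or locally administered. The sample addresses are constructed.

```python
# Added example: split a MAC address into its OUI, the vendor-assigned part and
# the two flag bits of the first octet (I/G = unicast/multicast,
# U/L = globally unique / locally administered). Sample values are constructed.
import re

def parse_mac(mac: str) -> dict:
    """Decode a MAC written with ':' or '-' separators (or none)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(hexdigits)
    first = octets[0]
    return {
        "oui": octets[:3].hex(":").upper(),          # vendor identifier (24 bits)
        "nic": octets[3:].hex(":").upper(),          # vendor-assigned part (24 bits)
        "multicast": bool(first & 0x01),             # I/G bit: 0 = unicast, 1 = multicast
        "locally_administered": bool(first & 0x02),  # U/L bit: 1 = not factory-assigned
    }

def describe_mac(mac: str) -> str:
    """One-line summary a defender can use when reviewing a MAC table."""
    f = parse_mac(mac)
    mode = "multicast" if f["multicast"] else "unicast"
    origin = ("locally administered" if f["locally_administered"]
              else "globally unique (OUI-assigned)")
    return f"{mac}: OUI {f['oui']}, {mode}, {origin}"

# Constructed samples: a factory-style unicast address, the IPv4 all-hosts
# multicast MAC (01:00:5E prefix), and a locally administered address.
SAMPLES = ["00:1A:2B:3C:4D:5E", "01-00-5E-00-00-01", "02:00:00:AA:BB:CC"]

if __name__ == "__main__":
    for m in SAMPLES:
        print(describe_mac(m))
```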

Ethernet Overview

Address Resolution Protocol (ARP)

Maps IP addresses to their corresponding MAC addresses
Commonly called ARP
Stations on an Ethernet network communicate using MAC addresses
You know the IP address but not the MAC address
You must query using ARP to find the destination MAC
A broadcast is used for that purpose
The intended recipient replies back with its MAC
The MAC is kept in cache for a short period of time
As mentioned, they should be unique

Gratuitous ARP

Requests that are NOT normally needed
Could be a gratuitous ARP Request or an ARP Reply
A gratuitous ARP Request has both the source and destination IP set to the IP address of the machine that issued the packet
A gratuitous ARP Reply is a reply to which no request has been made
They have many legitimate usages (see notes)
However, gratuitous ARP can be used for offensive purposes
We will see later on in the lesson all the details of ARP poisoning

What are ports (UDP & TCP)

Same as doors within a building
Ease communication between entities
A 16-bit field within TCP and UDP packets
IANA: Internet Assigned Numbers Authority, http://www.iana.org
Well Known ports are from 0 to 1023 (0 is not used on IPv4)
Registered ports are from 1024 to 49151
Dynamic and/or Private ports are from 49152 to 65535
Ephemeral ports (short-lived connections)
Some OS dare to be different, see the notes
Windows Server 2003 uses 1025 to 5000

What are protocols

Protocols online are very much the same as real-life ones
Take a phone call, for example: "Hello"
The SMTP protocol is a great example
The HTTP protocol is the most commonly used protocol
Some common ones are: TCP, UDP, SNMP, Telnet, RIP, IP, HTTP, FTP, SSL, OSPF, ICMP, SMTP, TFTP, TLS, Ethernet, POP3, SFTP, Chargen, Echo, Finger

Port Numbers (Partial List)

20/21  FTP
22     SSH
23     Telnet
25     SMTP
53     DNS
69     TFTP
80     HTTP
88     Kerberos
110    POP3
119    NNTP
123    NTP
143    IMAP
161    SNMP Monitoring
162    SNMP Trap/Alert
389    LDAP
443    HTTPS
500    IKE
520    RIP
636    LDAP SSL
1701   L2TP
1723   PPTP
1812   RADIUS AUTH
1813   RADIUS ACCNT
2049   NFS
4000   ICQ
5000   Yahoo Messenger

Protocol Numbers

# /etc/protocols
# Internet (IP) protocols
#
ip       0   IP        # internet protocol
icmp     1   ICMP      # internet control message protocol
ggp      3   GGP       # gateway-gateway protocol
tcp      6   TCP       # transmission control protocol
egp      8   EGP       # exterior gateway protocol
pup      12  PUP       # PARC universal packet protocol
udp      17  UDP       # user datagram protocol
hmp      20  HMP       # host monitoring protocol
xns-idp  22  XNS-IDP   # Xerox NS IDP
rdp      27  RDP       # "reliable datagram" protocol

Port Number and Protocol

IP (Internet Protocol)

IP provides the basic packet delivery service on which TCP/IP networks are built
All TCP/IP data flows through IP, incoming and outgoing, regardless of its final destination
The Internet Protocol functions include:
Defines the datagram, which is the basic unit of transmission on the Internet
Defines the Internet addressing scheme
Moves data between the Network Access Layer and the Transport Layer
Routes datagrams to remote hosts
Performs fragmentation and re-assembly of datagrams

IP Datagram

The datagram is the packet format defined by IP
A packet is a block of data
The packet carries the information necessary to deliver it
Similar to your postal letter, which has an address
The first five or six 32-bit words (default is 5) of the datagram are control information called the header
The header contains all the information necessary to deliver the packet
No error detection or recovery

IP Datagram Format

Services provided by TCP

Connection-oriented data management
Reliable data transfer
Stream-oriented data transfer
Push functions
Resequencing
Flow control (sliding windows)
Multiplexing
Full-duplex transmission
Precedence and security
Graceful close

TCP Three Way Handshake

Host A (source): 132.87.19.6, source port 3044
Host B (destination): 195.173.24.10, port 23 = Telnet
IP address + Port number = socket

A -> B   3044,23   SYN
B -> A   23,3044   SYN, ACK
A -> B   3044,23   ACK, data
B -> A   23,3044   data transfer has begun

TCP uses a three-way handshake and dynamically allocates ports.

TCP Segment Format

Header layout (32-bit words, bits 0 to 31):
Word 1: Source Port (16 bits) | Destination Port (16 bits)
Word 2: Sequence Number
Word 3: Acknowledgment Number
Word 4: Offset (4 bits) | Reserved (6 bits) | Flags (6 bits) | Window (16 bits)
Word 5: Checksum (16 bits) | Urgent Pointer (16 bits)
Word 6: Options | Padding
data begins here ...

UDP Protocol
User Datagram Protocol

A connectionless protocol
Uses best effort
A lot less overhead than TCP
Has no reliability and no acknowledgement
Good for applications where some packets can be lost
Streaming media and Voice over IP are examples
DNS makes use of UDP
Often used by attackers as well, i.e. port 53 UDP

UDP Message Format

Header layout (two 32-bit words, bits 0 to 31):
Word 1: Source Port (16 bits) | Destination Port (16 bits)
Word 2: Length (16 bits) | Checksum (16 bits)
data begins here ...
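An added example (not from the slides) that unpacks the TCP segment header and the UDP message header laid out on the two slides above from raw bytes, using the standard field widths, and rejects a header whose Offset or Length field does not fit the captured bytes. The sample segment is a constructed SYN from the handshake slide (port 3044 to Telnet); the sample message is a constructed UDP header to port 53.

```python
# Added example: decode TCP and UDP headers from constructed raw bytes.
# Field widths follow the standard layouts shown on the slides.
import struct

# Flag bits of the TCP header's flags byte (word 4), most significant first.
TCP_FLAGS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (words 1-5) plus any options."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (sport, dport, seq, ack, off_res, flags, window,
     checksum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4           # header length in bytes (words * 4)
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad data offset {data_offset}")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": data_offset, "window": window, "checksum": checksum,
        "urgent_ptr": urg,
        "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
        "options": segment[20:data_offset],    # bytes between word 5 and the data
        "payload": segment[data_offset:],
    }

def parse_udp_header(message: bytes) -> dict:
    """Decode the 8-byte UDP header (two words) and check its Length field."""
    if len(message) < 8:
        raise ValueError("UDP header needs 8 bytes")
    sport, dport, length, checksum = struct.unpack("!HHHH", message[:8])
    if length < 8 or length > len(message):
        raise ValueError(f"UDP length field {length} does not fit the message")
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": checksum, "payload": message[8:length]}

# Constructed sample: first packet of the slide's handshake, a SYN from
# port 3044 to Telnet (23), offset 6 words (one 4-byte MSS option), no data.
SYN_SEGMENT = struct.pack("!HHIIBBHHH", 3044, 23, 0x1000, 0, 6 << 4, 0x02,
                          8192, 0xABCD, 0) + bytes.fromhex("020405b4")
# Constructed sample: a UDP header to port 53 (DNS) carrying 4 payload bytes.
DNS_MESSAGE = struct.pack("!HHHH", 40000, 53, 12, 0) + b"\x12\x34\x01\x00"

if __name__ == "__main__":
    print(parse_tcp_header(SYN_SEGMENT))
    print(parse_udp_header(DNS_MESSAGE))
```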

TCP/IP Addressing Packets

IP address & subnetwork mask use decimal dot notation
Each address has four integers separated by periods
Each integer represents 8 bits of the 32-bit address
Values are from 0 (network) to 255 (broadcast)
0 and 255 are reserved and cannot be used
An IP address could be 10.10.5.2 for example
One portion is the network, the other is the hosts
Subnetwork masks use decimal dot notation as well
An example for a Class C address is 255.255.255.0

IP Addressing

140.179.220.200 written in binary form:
140 = 10001100 . 179 = 10110011 . 220 = 11011100 . 200 = 11001000

We see the address in the decimal form
Your computer sees it in the binary form
Let's decode the first octet (140) on the next slide

Binary Octet Decoded

An octet is made up of eight 1s and/or 0s:

Bit Pos:   1     2     3     4     5     6     7     8
Value:     128   64    32    16    8     4     2     1

The value of 140 looks like this:

Power   Bit   Value   Contribution
2^7     1     128     128
2^6     0     64      0
2^5     0     32      0
2^4     0     16      0
2^3     1     8       8
2^2     1     4       4
2^1     0     2       0
2^0     0     1       0
                      = 140

Classes of IP addresses

As mentioned previously, all IP addresses are 32 bits
They are expressed in dot notation (4 octets of 8 bits)
All IPs have a Network ID and a Host ID
It may have a Subnetwork ID if subnetting is being used
Belong to one of five classes: A, B, C, D, E
Each address has a corresponding subnetwork mask
Most of the time referred to as Subnet Mask
We will look at each of the main classes next

Classes of IP addresses

Class A IP addresses

Has an 8-bit network ID starting with 0
24-bit host ID, up to 22 bits may be used for subnetwork ID
Class supports network numbers 1 to 126

Class B IP addresses

Has a 16-bit network ID starting with 1-0
16-bit host ID, up to 14 bits may be used for subnetwork ID
Class supports network numbers from 128.1 to 191.254

Class C IP addresses

Has a 24-bit network ID starting with 1-1-0
8-bit host ID, up to 6 bits may be used for subnetwork ID
Class supports network numbers from 192.1 to 223.254

Summary of classes

The number of addresses usable for addressing specific hosts in each network is always 2^N - 2
Classful versus Classless Inter-Domain Routing (CIDR)

A few more things

Classful IP addressing
Classless IP addressing (has 3 categories):
Subnetting
VLSM (Variable Length Subnet Mask): no longer dependent on 8, 16, 24-bit network numbers; prefix length or netmask is used for routing
CIDR (Classless Inter-Domain Routing): used with supernetting; supernetting allows route aggregation; CIDR introduces prefix notation or CIDR notation (e.g. /24 for class C); reduces the size of routing tables

What is subnetting

It is making use of the host portion of the address
You borrow bits from the host portion
Allows you to add more networks within your own range
2^n - 2 >= number of subnets required
A subnet is a single LAN segment
Each LAN has a unique subnet number
For the purpose of the exam you must know what it is
You do not need to know all of the details

SubNetwork Mask

Subnet masks are a 32-bit structure
They are also expressed in decimal dot notation
Tells which bits are the Network ID and Subnetwork ID
A bit marked as a 1 means it is part of the network or subnet
A bit marked as a 0 means it is part of the host ID

NNNNNNNN.NNNNNNNN.NNNNNNNN.NNNHHHHH
11111111.11111111.11111111.11100000

Subnetting Scenario

So we have 1 Class C network (206.15.143.0)
We have 254 host addresses available (1 to 254)
But what if we need 5 different networks?
Each network has no more than 30 hosts
Do we apply for 4 more Class C licenses, one for each network?
Your ISP might no longer love you and may tell you to get smart!
You would be wasting 224 addresses on each network, a total of 1120 addresses would be wasted! Not good
Are you out of luck? Subnetting is coming to the rescue

Our needs

We know we need at least 5 subnets
We are on a class C network with 8 bits for the hosts
We need to borrow some bits from the host portion
So 2^3 - 2 will give us 6 subnets; 3 bits would be sufficient (8 - 2 = 6)
The -2 is to deduct the reserved network and broadcast addresses
We also know we need at least 30 hosts per network
So with 5 bits left (2^5 - 2) it will give us 30 hosts per subnet (network)
This will work, because we can steal the first 3 bits from the host portion of the current address to give to the subnetwork portion and still have 5 bits (8 - 3) remaining for the host portion
Let's take a look at how this is done on the next slide

Borrowing bits

Let's review what portion is what. We have a Class C address:
NNNNNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH
With a subnet mask of:
11111111.11111111.11111111.00000000

We steal/borrow 3 bits from the host portion (the three N bits added to the last octet below):
NNNNNNNN.NNNNNNNN.NNNNNNNN.NNNHHHHH

The new netmask

NNNNNNNN.NNNNNNNN.NNNNNNNN.NNNHHHHH

This will change our subnet mask to the following:
11111111.11111111.11111111.11100000

Above is how the computer will see our new subnet mask, but we need to express it in decimal form as well: 255.255.255.224 (128+64+32=224)

Subnet addresses

Remember our values: 128, 64, 32, 16 (the bit values of the last octet)

Now our 3-bit configurations (the three borrowed bits, followed by the five host bits HHHHH), and what each equals:
001 HHHHH = 32
010 HHHHH = 64
011 HHHHH = 96
100 HHHHH = 128
101 HHHHH = 160
110 HHHHH = 192
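The subnetting arithmetic of the scenario above, carried through in code as an added example (not part of the slides). It takes the Class C network 206.15.143.0 and the requirement of 5 subnets with no more than 30 hosts each, finds the bits to borrow, the new mask 255.255.255.224 and the usable subnet addresses 32 through 192, applying the classful 2^n - 2 rule to both subnets and hosts as the slides do.

```python
# Added example: plan classful subnets for the scenario on the slides.
import ipaddress

def bits_needed(count: int) -> int:
    """Smallest n with 2^n - 2 >= count (all-zeros and all-ones excluded)."""
    n = 1
    while (2 ** n) - 2 < count:
        n += 1
    return n

def plan_subnets(network: str, subnets_required: int, hosts_per_subnet: int) -> dict:
    """Borrow host bits to create the required subnets; raise if hosts won't fit."""
    base = ipaddress.IPv4Network(network)
    host_bits = 32 - base.prefixlen                 # 8 for a Class C
    borrow = bits_needed(subnets_required)          # 3 for 5 subnets (2^3 - 2 = 6)
    remaining = host_bits - borrow                  # 5 host bits left
    if (2 ** remaining) - 2 < hosts_per_subnet:
        raise ValueError("cannot satisfy both the subnet and the host count")
    new_prefix = base.prefixlen + borrow
    new_mask = str(ipaddress.IPv4Network(f"0.0.0.0/{new_prefix}").netmask)
    blocks = list(base.subnets(new_prefix=new_prefix))
    usable = blocks[1:-1]                           # drop the 000 and 111 subnets
    return {
        "borrowed_bits": borrow,
        "host_bits": remaining,
        "mask": new_mask,                           # 255.255.255.224 for /27
        "subnets_available": (2 ** borrow) - 2,
        "hosts_per_subnet": (2 ** remaining) - 2,
        "subnets": [str(b.network_address) for b in usable],
        # first and last assignable host in each subnet
        "host_ranges": [(str(b.network_address + 1), str(b.broadcast_address - 1))
                        for b in usable],
    }

if __name__ == "__main__":
    plan = plan_subnets("206.15.143.0/24", 5, 30)
    print(f"borrow {plan['borrowed_bits']} bits -> mask {plan['mask']}")
    for net, (lo, hi) in zip(plan["subnets"], plan["host_ranges"]):
        print(f"{net:16} hosts {lo} - {hi}")
```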

Now the easy way

Antiquated Protocols

Finger, Chargen & Echo, Daytime, Telnet, FTP, SNMP, SMTP, POP3

IP Version 4 versus IP Version 6

IP Version 6, aka IPng (Next Generation)
The differences are in five major areas:
Addressing and routing
Security
Network address translation
Administrative workload, and
Mobile computing
IPv6 includes migration & transition plans

IP Version 6 Migration

Over 30 IPv6 RFCs written since 1994
Migration from v4 to v6 will take time
Standards and procedures for coexistence of both:
Tunneling IPv6 within IPv4
Tunneling IPv4 within IPv6
Double stacks used at the same time
Windows 7 is an OS using two stacks

IPv6 Advantages (1 of 2)

Huge address space (2^128)
Makes NAT and its issues no longer necessary
Reduces configuration and management
Supports Stateless Auto Configuration
Creates a guaranteed unique IP address
Combines the LAN MAC with the prefix provided by the router
DHCP is no longer needed; DHCPv6 can still be used
All hosts support multicast as a requirement

IPv6 Advantages (2 of 2)

Quality of Service (QoS) on VPNs
New 20-bit traffic flow field
IPsec is required and built in
Routers don't fragment packets, only hosts
ICMPv6 Router Solicitation and Advertisement
Determines the IP address of the best gateway
It is a requirement
Supports a 1280-byte packet size

IPv6 Packet Format

Graphic from: http://www.net-security.org/dl/insecure/INSECURE-Mag-30.pdf

IPv6 Address Notation

Thanks to Vivek from www.securitytube.net for his great tutorials on IPv6

IPv6 Transmission Methods

Unicast: from one station to another station
Multicast (a requirement in IPv6): from one station to multiple selected stations; information is sent only once over the networks
Anycast: sent to a group of nodes/stations; needs to be delivered to at least one node and not all of them

IPv6 and Mobility

Mobility is a new feature in IPv6
Mobile nodes can change their location and addresses without losing the existing connections through which the nodes are communicating
Supported at the Internet level, thus transparent
Uses two types of IP addresses: the IPv6 address, and the Mobile IP address

IPv6 Security Issues (1 of 2)

Dual stack = double the amount of issues
Spoofing could be used on the same network segment
Neighbor Discovery prevents it remotely on IPv6
Could be possible if tunneling IPv6 over IPv4
Flooding and scanning are possible attacks
Vendors of security tools are catching up
They claim to be compliant, but are they?
Smurf attack can be done on multicast addresses

IPv6 Security Issues (2 of 2)

No security through obscurity as provided by NAT
Must be configured on the firewall instead
Stateless Autoconfiguration gives an IP address away to anyone
Could be turned on by default
Network Intrusion Detection will be hard to perform
Key management is still necessary

Other Security Issues

Turn IPv6 OFF if you don't need it
Could be used for covert channels
Tunneling IRC over IPv6, for example
Rogue devices could be set up to assign IPv6 addresses
ICMP6 redirect attacks (see next slide)
Type 0 Routing Header attack
Packet bounces between two or more routers
Amplification attack, up to 88-fold amplification

ICMP6 Redirect Attack

1. An attacker with access to the network sends an Echo Request with the source address as User 2 and the destination as User 1.
2. The victim receives this Echo Request and sends an Echo Reply to User 2.
3. The attacker then creates a Redirect packet with the Echo Reply attached. The packet is constructed with the source as the router and the destination as User 1, and in this packet tells User 1 to redirect all traffic for User 2 to the attacker. The attacker then receives packets from User 1 and can spoof User 2.

Questions?

ANY QUESTIONS? clement@secureninja.com
Subject Line: SN SEC+ QUESTION