Presentation on theme: "TCP/IP Refresher This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr."— Presentation transcript:
TCP/IP Refresher This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne
Protocol Layer n+1 Vertical & Horizontal Communication sender receiver Protocol Layer n+1 Protocol Layer n Protocol Layer 1
The TCP/IP “Suite” of Protocols RFCs developed & maintained by the Internet Engineering Task Force (IETF) Transmission Control Protocol (TCP) User Datagram Protocol (UDP) Internet Protocol (IP) Internet Control Message Protocol (ICMP) Originally, no security provisions security provided at application level IPSec is a security add-on for IPv4 IPv6 incorporates IPSec
TCP/IP In this model, the top 3 layers in the OSI model are usually reduced to just “the application layer” Application Layer TCP IP Data Link Layer Physical Layer In reality, we will later squeeze a layer in between the application layer and TCP’s layer
TCP/IP Transmission Control Protocol the “workhorse” on the Internet at OSI Layer 4 (Transport Layer) ensures packets get to the right place, in the right order creates TCP segment by adding a header the User Datagram Protocol (UDP) also operates as this layer Internet Protocol most commonly used protocol at OSI Layer 3 (Network Layer) delivers packets end-to- end creates the IP datagram by adding a header the Internet Control Message Protocol (ICMP) also operates at this layer
The TCP Header TCP Source PortTCP Destination Port ChecksumUrgent Pointer Window Data Offset. Reserved. Control Bits Sequence Number Acknowledgment Number Options (if any)Padding Data 32-bit words
TCP Control/Code Bits URG the Urgent Pointer is significant ACK the Acknowledgement field is significant PSH Push Function — flush data RST reset the connection (due to an error condition) SYN synchronize sequence numbers FIN “the end” en français used during the 3-way handshake to establish a connection
3-way TCP Handshake by Steve Gibson, Gibson Research Corporation
TCP/IP Port Numbers Client sets destination port to a well known port on the server. Client source port is generated dynamically and is set to > 1023. Use ‘netstat –an” command to see which ports are currently used.
Application’s TCP Ports File Transfer Protocol (FTP) — Port 21 Secure Shell (SSH) — Port 22 Telnet — Port 23 Simple Mail Transfer Protocol (SMTP) — Port 25 Post Office Protocol version 3 (POP3) — Port 110 HyperText Transfer Protocol (HTTP) — Port 80 Secure HyperText Transfer Protocol (HTTPS) — Port 443 Kerberos — Port 88 [Stallings, §4.1] Echo — Port 7 Finger — Port 79 Network News Transfer Protocol (NNTP) — Port 119 Gopher — Port 70 Doom — Port 666 31337 – Back Orifice Trojan !
TCP v. UDP has control (= code) bits 6 bits what part of the session? has 3-way handshake SYN=1, initial seq. no. ACK=SYN=1, initial seq. no., acknowledgment no. ACK=1, ack. no. has sequence numbers has more overhead SYN, ACK, RST help attackers find open ports “connectionless” protocol “unreliable” protocol no control bits no 3-way handshake can’t tell if a packet is... start of message a response a malicious scan no sequence numbers packets may be permuted dropped packets are not retransmitted
The UDP Header UDP Source PortUDP Destination Port Message LengthChecksum Data 32-bit words
UDP UDP Header contains only source, destination ports, message length, checksum and the data. 16 bit port number so 65535 possible ports. It’s harder for network devices to understand and track UDP status. You can’t tell from the header what part of the transmission it is. More difficult to secure therefore easy to use to attack.
Application’s UDP Ports Requests for Domain Name Service (DNS) lookup Port 53 Trivial File Transfer Protocol (TFTP) Port 69 Simple Network Management Protocol (SNMP) Port 161 [Stallings, Chp.8] Echo — Port 7 Gopher — Port 70 RealPlayer [streaming] Data Port 7070 (among others)
The IP Header 32-bit words Source IP Address Destination IP Address Options (if any)Padding Data Total LengthIHL Service Type Version. Fragment Offset FlagsIdentification Header ChecksumProtocol Time to Live
Some IP Header Components Internet Header Length (IHL) Service type sensitivity to delays Identification Supports fragment reassembly Flags “Don’t Fragment,” “More Fragments” Fragment Offset this fragment’s position in the packet Time-to-Live (TTL) max. no. of router-to-router hops packet can take
Internet Control Message Protocol (ICMP) Network layer, “network plumber” Provides more control than IP Same header format as IP, except... protocol field holds the value 1 (= ICMP) data component holds an ICMP type field 0 — echo reply 3 — destination unreachable 4 — source quench 5 — redirect 8 — echo 11 — time exceeded 12 — parameter problem 13 — timestamp 14 — timestamp reply 15 — information request 16 — information reply
IP Addresses 2 32 (= 4,294,967,296) dotted-quad addresses binary: 32 bits min: 00000000000000000000000000000000 max: 11111111111111111111111111111111 decimal: 4 groups of 3 digits (0-255) min: 0.0.0.0 max: 255.255.255.255 Not all addresses are available some set aside for private networks (“unroutable”) 10.x.y.z, 172.16.y.z, 192.168.y.z 127.0.0.1 connects any machine back to itself!
MAC Addresses Medium Access Control (MAC) addresses Data link layer 48 bits Globally unique each card manufacturer has a range of addresses to assign each card has its own MAC address Address Resolution Protocol (ARP) table contains MAC-to-IP mappings
Types of Network Connection Points Hub dumb, broadcasts all packets to everybody Bridge connects 2 + networks, sends packet to destination Router connects several networks, can look up best route Switch additional intelligence, sends packets to one specific MAC address [Personal] firewall [Stallings, Chp. 10] hardware/software passes only authorized packets
Network Address Translation (NAT) Mapping to a single external IP address every inbound packet appears to come from the NAT device’s IP address connect large, IP-address-poor network to Internet One-to-one mapping each machine on the internal network is mapped to a valid IP address map user requests to a perimeter network
Traditional Packet Filters Can filter based on... source IP address destination IP address source TCP/UDP port destination TCP/UDP port TCP code bits protocol in use direction interface Can also filter using a state table which... remembers previous packets outgoing SYN should be followed by an incoming ACK from the appropriate address has timeouts (10-90 secs.) remove entry if no further packets associated with the entry after interval Stateful Packet Filters v.
Adding Security via Protocols Application-layer security Pretty Good Privacy (PGP) [Stallings, §5.1] Secure/Multipurpose Internet Mail Extension (S/MIME) [Stallings, §5.2] Secure Shell (SSH) Secure Socket Layer (SSL) Transport Layer Security (TLS) [Stallings, §7.2] HTTPS is HTTP running over SSL (on Port 443) Internet Protocol Security (IPSec) [Stallings, Chp. 6] Authentication Header (AH) Encapsulating Security Payload (ESP)