Page 1 - Information Security: The Big Picture - SANS GIAC © 2000
Information Security: The Big Picture – Part III
Stephen Fried
Page 2
IP – The Internet Protocol
• Deals with transmission of packets between end points
• The fundamental protocol of the Internet
The Internet Protocol (IP) is the protocol by which information is sent from one computer to another on the Internet. Each computer on the Internet has at least one address that uniquely identifies it from all other computers on the Internet. When you send or receive data (for example, an e-mail note or a web page), the message gets divided into little chunks called packets. Each of these packets contains both the sender's Internet address and the receiver's address. Any packet is sent first to a gateway computer that understands a small part of the Internet. The gateway computer reads the destination address and forwards the packet to an adjacent gateway that in turn reads the destination address, and so forth across the Internet until one gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain. That gateway then forwards the packet directly to the computer whose address is specified.
Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different route across the Internet. Packets can arrive in a different order than the order they were sent in. The Internet Protocol just delivers them. It is up to another protocol, the Transmission Control Protocol (TCP), to put them back in the right order.
IP is a connectionless protocol, which means that there is no established connection between the end points that are communicating. Each packet that travels through the Internet is treated as an independent unit of data without any relation to any other unit of data. (The reason the packets do get put in the right order is because of TCP, the connection-oriented protocol that keeps track of the packet sequence in a message.)
The most widely used version of IP today is Internet Protocol Version 4 (IPv4). However, IP Version 6 (IPv6) is also beginning to be supported. IPv6 provides for much longer addresses and therefore the possibility of many more Internet users. IPv6 includes the capabilities of IPv4, and any server that can support IPv6 packets can also support IPv4 packets.
Page 3
TCP – The Transmission Control Protocol
• Connection-oriented communications
• Ensures reliable packet delivery
• Overhead can be “expensive”
The Transmission Control Protocol, or TCP, is called a connection-oriented protocol. That is because it is primarily concerned with establishing connections between two computers and making sure that all communication on that connection is orderly and complete. TCP works in combination with the Internet Protocol, a combination usually referred to as TCP/IP. The IP layer provides the packet delivery service and the TCP layer provides the packaging and sequencing of the packets.
TCP works by giving each packet a sequence number. When a packet is sent to a destination, the sending computer waits for an acknowledgement from the destination that the packet was received. The receiver will send the acknowledgement if it receives the packet and it was not damaged during the transmission. If the sender does not receive the acknowledgement, it will resend the packet. In that way it ensures that every packet arrives at the destination in good order.
TCP is a good protocol for ensuring the delivery of packets to a destination. However, this assurance comes at a price. All the work required to send, receive, and track acknowledgements takes a toll on the network. However, when you want to make sure a message arrives, TCP is the way to go.
TCP is also good from a security standpoint. When compared to connectionless protocols (for example, UDP, which we will examine more closely in the next slide), the connection-oriented nature of TCP gives us some assurance that information is coming from a genuine source and that packets received in a TCP stream have some relationship both to each other and to the originating server. As we have seen in previous slides, packets can be spoofed and transmissions can be interrupted, but compared to connectionless protocols like UDP, TCP provides a higher level of safety.
Page 4
TCP Session Open & Close
(Diagram: the packets exchanged between the PC and the server, with the sequence or acknowledgement number of each in parentheses.)
PC -> Server: SYN (100)
Server -> PC: SYN (500), ACK (101)
PC -> Server: ACK (501)
PC -> Server: FIN (130)
Server -> PC: ACK (131)
Server -> PC: FIN (570)
PC -> Server: ACK (571)
This slide shows a sample TCP session, illustrating how it opens and closes connections on the network. In the example, we are assuming that a PC is connecting to some kind of server over the network, but this same process holds true for any TCP session established between any two devices.
Just to get you familiar with the symbols on the chart, the arrows represent the direction of the communications. So, an arrow going from the PC to the server means that the PC is sending a message to the server, and an arrow going from the server to the PC means that the server is sending a message to the PC. The SYN, ACK, and FIN labels represent the different types of packets that are used during session setup and close. The SYN packet is used to “sync up”, or start the communications. The ACK packet sends an acknowledgement of the message back to the originator, and the FIN packet starts the process of finishing the connection. Finally, the numbers in parentheses are the sequence numbers that are sent along with each packet.
OK, now that you know who all the players are, we are ready to begin. When opening a two-way connection between two machines, each end of the connection must connect to the other separately. The process starts when the PC sends a SYN packet requesting a connection to the server with an initial sequence number of 100. The server responds back to the PC with a SYN/ACK packet. This packet starts up the second half of the two-way connection (again with a starting sequence number). It also acknowledges the packet sent originally by the PC (incrementing the PC’s sequence number by 1). Finally, the PC acknowledges the server’s connection with an ACK packet and by incrementing the server’s sequence number. This sequence is sometimes called the TCP Three-Way Handshake.
After the opening sequence, the PC and the server will continue to exchange packets of information, each time increasing the sequence number.
When the time comes to close the connection, once again each end of the connection must be closed separately. Assuming that the PC wants to close the connection first, the process starts when the PC sends a FIN packet to the server. The FIN portion indicates to the server that the PC wants to close the connection (continuing with the sequence count it has been using with the server). The server responds by sending an ACK to the PC acknowledging the FIN sent by the PC. Next, the server sends a FIN packet to the PC to close its side of the connection. Finally, the PC sends an ACK to the server to acknowledge the FIN.
Normally, you will never have to go into this much detail when talking about network security unless you are going into depth on router or firewall configuration. However, a basic understanding of this diagram will come in handy when we talk later about denial of service attacks, particularly SYN flood attacks. Understanding how the sequence numbers work will also help when we discuss sequence prediction attacks.
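The session on the slide, replayed in code as an added example (this is not part of the course material): a small model of two endpoints that keep the sequence and acknowledgement counters, using the same numbers as the diagram (initial sequence numbers 100 and 500, FINs at 130 and 570). The Endpoint and Segment classes, and the 29-byte and 69-byte data exchanges that make the FIN numbers line up, are this example's own assumptions. The last function shows the check behind the security point made on the TCP slide: a segment whose acknowledgement number does not match what the other side actually sent is discarded.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Segment:
    src: str
    flags: str              # "SYN", "SYN/ACK", "ACK" or "FIN"; data segments carry "ACK"
    seq: int
    ack: Optional[int]
    length: int = 0         # bytes of application data carried


def consumes(flags: str) -> int:
    """SYN and FIN each occupy one sequence number; a plain ACK occupies none."""
    return 1 if flags in ("SYN", "SYN/ACK", "FIN") else 0


class Endpoint:
    """One side of a connection: the next number it will send and the next it expects."""

    def __init__(self, name: str, isn: int):
        self.name = name
        self.snd_nxt = isn       # next sequence number this side will send
        self.rcv_nxt = None      # next sequence number expected from the peer (unknown until its SYN)

    def send(self, flags: str, length: int = 0) -> Segment:
        seg = Segment(self.name, flags, self.snd_nxt, self.rcv_nxt, length)
        self.snd_nxt += length + consumes(flags)
        return seg

    def receive(self, seg: Segment) -> None:
        """Accept a segment only if its numbers agree with what this side has sent and seen."""
        if seg.ack is not None and seg.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: ack {seg.ack} does not match bytes sent ({self.snd_nxt})")
        if self.rcv_nxt is not None and seg.seq != self.rcv_nxt:
            raise ValueError(f"{self.name}: seq {seg.seq} is not the expected {self.rcv_nxt}")
        self.rcv_nxt = seg.seq + seg.length + consumes(seg.flags)


def run_session() -> list:
    """Replay the slide's session; returns (sender, flags, seq, ack, length) per packet."""
    pc, server = Endpoint("PC", isn=100), Endpoint("Server", isn=500)
    trace = []

    def deliver(seg: Segment, to: Endpoint) -> None:
        to.receive(seg)
        trace.append((seg.src, seg.flags, seg.seq, seg.ack, seg.length))

    # Three-way handshake
    deliver(pc.send("SYN"), server)               # SYN (100)
    deliver(server.send("SYN/ACK"), pc)           # SYN (500), ACK (101)
    deliver(pc.send("ACK"), server)               # ACK (501)
    # Data exchange; the byte counts are chosen so the FIN numbers match the slide
    deliver(pc.send("ACK", length=29), server)    # PC data occupies seq 101..129
    deliver(server.send("ACK", length=69), pc)    # server data occupies seq 501..569
    deliver(pc.send("ACK"), server)
    # Close, PC first: each direction is shut down separately
    deliver(pc.send("FIN"), server)               # FIN (130)
    deliver(server.send("ACK"), pc)               # ACK (131)
    deliver(server.send("FIN"), pc)               # FIN (570)
    deliver(pc.send("ACK"), server)               # ACK (571)
    return trace


def stray_segment_is_rejected() -> bool:
    """A segment whose ack number does not match what the peer actually sent is discarded;
    this check is the basis of the modest assurance of origin TCP offers over UDP."""
    pc, server = Endpoint("PC", isn=100), Endpoint("Server", isn=500)
    server.receive(pc.send("SYN"))
    pc.receive(server.send("SYN/ACK"))
    bogus = Segment("PC", "ACK", seq=101, ack=999)   # a sender that never saw the real numbers
    try:
        server.receive(bogus)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for src, flags, seq, ack, length in run_session():
        print(f"{src:6} {flags:8} seq={seq} ack={ack} data={length}")
```

Running the block prints the ten packets in order; the three handshake lines and the four closing lines carry exactly the numbers shown on the slide, and the data segments in between show why the FIN from the PC is at 130 and the FIN from the server at 570.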
Page 5
UDP – The User Datagram Protocol
• Connectionless-oriented communications
• Sends packets out, doesn’t care if they get there
• Much less “overhead”
• Good if small amount of packet loss is acceptable
The User Datagram Protocol (UDP) is a communications protocol that offers a limited amount of connectivity when messages are exchanged between computers in a network that uses the Internet Protocol (IP). Like TCP, UDP uses IP as its underlying delivery service to move pieces of information from one host to another. Those pieces are called “datagrams.” Unlike TCP, however, UDP does not provide the service of dividing a message into packets and reassembling it at the other end. Specifically, UDP doesn't provide sequencing of the packets that the data arrives in. UDP will send the packets out, but it does not provide any mechanism for ensuring they get there properly, intact, or in the right order. Whereas TCP will do its part to ensure orderly delivery of packets, UDP leaves this task to the application itself. The application program that uses UDP must be able to make sure that the entire message has arrived and is in the right order.
Because much of the disassembly, sequencing, and reassembly of packets is performed by the application rather than built into the protocol, UDP as a protocol has less overhead than TCP. This makes it faster to send information using UDP. Network applications that want to save processing time will use UDP rather than TCP because they have very small data units to exchange, and therefore very little message reassembling to do.
UDP is also a good choice for applications that can stand a small amount of packet loss. For example, a broadcast of a musical program may consist of many packets of similar or repetitive sounds. If a packet or two were to get lost, nobody would notice. If, however, a transmission consisted of the precise coordinates to which to aim a space shuttle for landing, reliable transmission would be a priority and TCP would be a better choice.
From a security standpoint, the “U” in UDP might as well stand for “Unreliable.” Because a UDP packet has no information about the context of the information it contains, it should not be trusted without some kind of supporting network or application information.
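Since UDP leaves sequencing and loss detection to the application, here is what that application-level work looks like, as an added example rather than anything from the course: a constructed datagram format with a sequence number and a chunk count in front of each payload, and a receiver that tolerates reordering and duplicates, reports gaps, and refuses datagrams whose headers contradict what it has already seen (the “supporting application information” the last paragraph asks for). The format, the Reassembler class and the sample message are this example's own.

```python
import random
import struct

HDR = struct.Struct("!II")   # per-datagram header (constructed): sequence number, total chunks


def split_message(message: bytes, chunk_size: int) -> list:
    """Sender side: cut one message into numbered datagrams."""
    chunks = [message[i:i + chunk_size] for i in range(0, len(message), chunk_size)]
    return [HDR.pack(n, len(chunks)) + chunk for n, chunk in enumerate(chunks)]


class Reassembler:
    """Receiver side: accept datagrams in any order, discard duplicates, report gaps."""

    def __init__(self):
        self.parts = {}
        self.total = None

    def feed(self, datagram: bytes) -> None:
        if len(datagram) < HDR.size:
            raise ValueError("datagram too short to carry a header")
        seq, total = HDR.unpack_from(datagram)
        if self.total is None:
            self.total = total
        if total != self.total or seq >= self.total:
            # A datagram that contradicts what we already know is dropped, not trusted
            raise ValueError(f"inconsistent header: seq={seq} total={total}")
        self.parts.setdefault(seq, datagram[HDR.size:])   # first copy wins, duplicates ignored

    def missing(self) -> list:
        if self.total is None:
            return []
        return [n for n in range(self.total) if n not in self.parts]

    def message(self) -> bytes:
        gaps = self.missing()
        if self.total is None or gaps:
            raise LookupError(f"message incomplete, missing chunks {gaps}")
        return b"".join(self.parts[n] for n in range(self.total))


def demo() -> tuple:
    """Reorder, drop and duplicate datagrams, then recover the message; returns (gaps, message)."""
    original = b"The quick brown fox jumps over the lazy dog"   # constructed payload, 43 bytes
    datagrams = split_message(original, chunk_size=10)         # 5 datagrams of at most 10 bytes
    arrival = list(datagrams)
    random.Random(7).shuffle(arrival)     # the network reorders them...
    lost = arrival.pop()                  # ...and loses one
    r = Reassembler()
    for d in arrival:
        r.feed(d)
    r.feed(arrival[0])                    # a duplicate shows up as well
    gaps = r.missing()                    # exactly one chunk outstanding at this point
    r.feed(lost)                          # application-level retransmission fills the gap
    return gaps, r.message()


def inconsistent_datagram_is_rejected() -> bool:
    """A datagram claiming a different total than the first one seen is refused."""
    r = Reassembler()
    r.feed(HDR.pack(0, 2) + b"ab")
    try:
        r.feed(HDR.pack(1, 3) + b"cd")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    gaps, message = demo()
    print("missing before retransmission:", gaps)
    print("recovered:", message.decode())
```

The point of the rejection path is the one the slide makes: nothing in the datagram itself proves it belongs to the message being assembled, so the application has to carry that context in its own header and check it on every arrival.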
Page 6
ICMP
• Handles error and control information
• Works between gateways and hosts
• Sent as IP datagrams
• Generated by protocol, not by user applications
• Most users access ICMP via “Ping”
One final protocol you should be aware of is the Internet Control Message Protocol, or ICMP. ICMP is a protocol that handles traffic flow between network elements. In particular, it provides feedback about problems in the communication and network environment.
A typical use of ICMP is as follows: every network uses devices called routers to move packets from one local network to another. Each network has a “default route”, that is, the router that will be used if no other access out of the network is available. For most situations, the default route works best. However, occasionally the default route may not be the best path between two points. This may be because of problems in the network, network service outages, traffic congestion, or some other reason. When this happens, the default router will send an ICMP message back to the machine that sent the packet stating, “it would be better if you sent your packets some other way”, and specifies a new path the sending machine should use.
ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route.
ICMP uses the Internet Protocol to transfer messages, but instead of full packets it sends “datagrams”, much like UDP. ICMP is actually an integral part of IP, and must be implemented within the IP software itself. Most user-level applications will never concern themselves with ICMP directly, relying instead on TCP or UDP for their transmissions.
There is one exception, however. The ping program is a user-level application that uses ICMP to give information about network conditions and availability. If a user wants to know if a host is available, he will use ping to test if the machine is on the network. If it is, ping will send a positive reply back. If it is not available, or there is network trouble between the two hosts, ping will also indicate that.
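To make the ICMP message types concrete, an added example (not the course's code) that decodes ICMP messages the way a host's IP software does: it verifies the checksum, reads the type and code, and for the error types recovers which packet the error refers to from the IP header that error messages quote. The sample messages are constructed inline; the addresses and ports in them are made up. The type numbers are the standard RFC 792 values.

```python
import struct

ICMP_HDR = struct.Struct("!BBH")   # type, code, checksum; the next 4 bytes depend on the type

# Message types for the situations the slide describes (RFC 792 values)
ICMP_TYPES = {
    0: "echo reply (answer to a ping)",
    3: "destination unreachable",
    4: "source quench (gateway lacks the capacity to forward)",
    5: "redirect (send via a different gateway)",
    8: "echo request (ping)",
    11: "time exceeded",
}
ERROR_TYPES = {3, 4, 5, 11}   # these quote the offending IP header plus 8 bytes of its payload


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a message that already holds its checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(msg_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a valid checksum (used only to construct the samples)."""
    body = rest + payload
    checksum = inet_checksum(ICMP_HDR.pack(msg_type, code, 0) + body)
    return ICMP_HDR.pack(msg_type, code, checksum) + body


def parse_icmp(msg: bytes) -> dict:
    """Decode one ICMP message; raises ValueError on anything malformed."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte minimum")
    if inet_checksum(msg) != 0:
        raise ValueError("ICMP checksum mismatch")
    msg_type, code, _ = ICMP_HDR.unpack_from(msg)
    info = {"type": msg_type, "code": code, "meaning": ICMP_TYPES.get(msg_type, "other")}
    rest = msg[4:8]
    if msg_type in (0, 8):
        # ping: identifier and sequence number let the sender match replies to its requests
        info["identifier"], info["sequence"] = struct.unpack("!HH", rest)
    elif msg_type == 5:
        info["gateway"] = ".".join(str(b) for b in rest)   # the router to use instead
    if msg_type in ERROR_TYPES:
        quoted = msg[8:]
        if len(quoted) < 28:
            raise ValueError("error message must quote the IP header and 8 bytes of payload")
        ihl = (quoted[0] & 0x0F) * 4
        if len(quoted) < ihl + 8:
            raise ValueError("quoted IP header truncated")
        # For TCP and UDP the 8 bytes after the IP header begin with the two port numbers,
        # which is how the host finds the socket this error belongs to.
        src_port, dst_port = struct.unpack_from("!HH", quoted, ihl)
        info["about"] = {
            "dst": ".".join(str(b) for b in quoted[16:20]),
            "protocol": quoted[9],
            "src_port": src_port,
            "dst_port": dst_port,
        }
    return info


def fake_ipv4_header(dst: str, protocol: int) -> bytes:
    """A minimal 20-byte IPv4 header for the quoted part of a constructed error message."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, protocol, 0,
                       bytes([192, 0, 2, 10]), bytes(int(x) for x in dst.split(".")))


def samples() -> dict:
    """Constructed messages, not captured traffic: a ping reply and a port-unreachable error."""
    ping_reply = build_icmp(0, 0, struct.pack("!HH", 0x1234, 7), b"ping payload")
    # Code 3 under type 3 is 'port unreachable'; the quoted packet was UDP to 192.0.2.20:5000
    quoted = fake_ipv4_header("192.0.2.20", 17) + struct.pack("!HHHH", 40000, 5000, 8, 0)
    port_unreachable = build_icmp(3, 3, b"\x00" * 4, quoted)
    return {"ping_reply": ping_reply, "port_unreachable": port_unreachable}


def corrupted_is_rejected() -> bool:
    """Flip one bit of a sample in transit: the checksum check must catch it."""
    msg = bytearray(samples()["ping_reply"])
    msg[1] ^= 0x01
    try:
        parse_icmp(bytes(msg))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, msg in samples().items():
        print(name, parse_icmp(msg))
```

The quoted header is what lets a host decide whether an error or redirect is about traffic it really sent; acting only on messages whose “about” fields match an existing connection is the usual way IP software keeps unsolicited control messages from steering it.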
Page 7
Protocol “Stacks”
• Divides network communications into layers
• Each layer interfaces with above and below layers
• Divide task of communication into pieces for easier implementation
Having all these protocols is nice, but how does information actually get from one place to another? In the next few slides we will examine exactly how this happens. We will start by discussing protocol stacks. And to discuss protocol stacks, we need a good real-life example.
Imagine, if you will, a five-story apartment building. This building, however, is very special (or very strange, depending on your point of view). First of all, the really important things happen on the top floor, floor 5. Second, the only way the people on the fifth floor can get anything done is by asking the people on the floors below them to do it. For example, the people on the fifth floor want to make dinner. They tell this to the people on the fourth floor. The people on the fourth floor figure out that dinner requires a soup, salad, main course and dessert. They tell this to the people on the third floor. The people on the third floor decide that the courses will be onion soup, a garden salad, beef stew, and apple pie, and they tell this to the people on the second floor. The people on the second floor figure out what ingredients will be needed for this dinner (for example, chicken broth, lettuce, vegetables, beef, etc.) and give this information to the people on the first floor. The people on the first floor actually go to the store, buy all the ingredients, and bring them back to the apartment building.
Once the ingredients are purchased, the process goes in reverse. The first floor gives the raw ingredients to the second floor. The second floor checks that all the ingredients are there and then hands them off to the third floor. The third floor prepares the various courses by making the soup, tossing the salad, cooking the beef, and baking the pie. Once all this is done they hand the food off to the fourth floor. The fourth floor people package all the food up into nice courses and bring it up to the fifth floor residents so they can eat a delicious meal.
Well, in essence, that’s how protocol stacks work. Protocol stacks divide network communications into different layers, like the floors in the apartment building. Each layer in the stack works on the packet in different ways. Some layers make sure the packet has all the information it needs, some layers make sure the packet is ready for an application to work with, and some layers make sure the packet gets onto the network properly. Each layer works directly with the layer above and below it, just as in the apartment building example. As packets are passed from one layer to the next, each layer examines or modifies the packet in some way. Once the packet has reached the “ground floor” of the network it is sent to its destination.
The use of protocol stacks in network communications makes the task of implementing protocols much easier. By making communications more modular, a service, process or application need only concern itself with the layers it needs, leaving the other layers to someone else.
Page 8
The OSI Protocol Stack
Layer 7: Application
Layer 6: Presentation
Layer 5: Session
Layer 4: Transport
Layer 3: Network
Layer 2: Data Link
Layer 1: Physical
One of the most widely known protocol stacks is the International Standards Organization (ISO) Open Systems Interconnect (OSI) model. The OSI model divides network communications into seven layers.
The Physical Layer handles transmission across the physical media. This includes such things as electrical pulses on wires, connection specifications between hardware, voltage and current, etc.
The Data Link Layer connects the physical part of the network (e.g. cables and electrical signals) with the abstract part (e.g. packets and data streams). It also creates the headers and validation information that get attached to packets.
The Network Layer handles interaction with the network address scheme and connectivity over multiple network segments. It describes how systems on different network segments find and communicate with each other.
The Transport Layer actually interacts with your information and prepares it to be transmitted across the network. It is this layer that ensures reliable connectivity from end to end. The Transport Layer also handles the sequencing of packets in a transmission.
The Session Layer handles the establishment and maintenance of connections between systems. It negotiates the connection, sets it up, maintains it, and makes sure that information exchanged across the connection is in sync on both sides.
The Presentation Layer makes sure that the data sent from one side of the connection is received in a format that is useful to the other side. For example, if the data is compressed by the sender prior to transmission, the Presentation Layer on the receiving end would have to decompress it before it can be used by the receiver.
The Application Layer is responsible for interacting with the application to determine whether network services will be required. When a program requires access to the network, the Application Layer will manage requests from the program to the other layers down the stack.
Why is all this important, and do you really need to memorize all this for an introductory course? Well, only sort of. You need to have at least a passing familiarity with the OSI model because you will hear network engineers and vendors talk about “Layer 2 Switches” or “Layer 3 Protocols.” The layers they are referring to are the OSI model layers. Understanding basically what each layer does will go a long way in both understanding the conversation and securing your network services.
Page 9
The TCP/IP Protocol Stack
• Application
• Transport
• Internet
• Network
In comparison to the OSI protocol stack, the TCP/IP stack is much simpler. The TCP/IP model predates the OSI model and, as the underlying protocol of the Internet, is more widely used than OSI-based protocols. The TCP/IP stack only has four layers: the Application Layer, the Transport Layer, the Internet Layer, and the Network Access Layer. (Editor’s note: the four layers of the TCP/IP stack are sometimes referred to as the Application Layer, the Transport Layer, the Network Layer, and the Link Layer – JEK)
The definition of the TCP/IP layers is as follows:
The Network Layer (sometimes called the Link Layer – ed.) defines how to access a specific network topology, for example Ethernet, Token Ring, etc.
The Internet Layer (sometimes called the Network Layer – ed.) defines how datagrams are formatted and handles the routing of data through the network. Examples of Internet Layer protocols include IP and ICMP.
The Transport Layer provides end-to-end data delivery service. This is the layer that assembles packets and sends them to the Internet Layer for processing. Examples of Transport Layer protocols are TCP and UDP.
Finally, the Application Layer consists of application programs and serves as the network interface into user applications. Examples of Application Layer services are Telnet, FTP, and DNS.
Page 10
OSI vs TCP/IP
(Diagram mapping the seven OSI layers onto the four TCP/IP layers.)
OSI 7 Application, 6 Presentation, 5 Session -> TCP/IP Application
OSI 4 Transport -> TCP/IP Transport (TCP)
OSI 3 Network -> TCP/IP Internet (IP)
OSI 2 Data Link, 1 Physical -> TCP/IP Network
This diagram shows a comparison between the OSI model and the TCP/IP model. As you can see, the OSI model has more granularity than the TCP/IP model. In addition, the OSI model chose to split apart some functionality that was combined in the TCP/IP model.
For example, the Network Layer in the TCP/IP model comprises both the Physical Layer and the Data Link Layer in the OSI model. And the Application Layer in TCP/IP encompasses the Application, Presentation, and Session Layers of the OSI model. The OSI model is more detailed and more granular because it was designed to encompass protocols other than just TCP/IP. By creating more layers, the designers of OSI made it easier to break down the functionality of each protocol and build more specific interfaces and linkages between the layers.
Unless you plan on becoming a network engineer or a network application designer, it is not so important to remember each of the different layers in the two models, or even to remember the functionality that each layer has. It is, however, important to know that no matter which model you use, it must perform all the functions required to take a piece of application data, place it into a packet, place that packet on the wire, and handle its safe and efficient delivery to its destination.
Page 11
How TCP/IP Packets Are
(Diagram: the message “Hello There” with headers, including the IP Hdr and the Eth layer header, placed in front of it as it moves down the stack.)
This slide shows how a packet is generated as it moves through the stack. To start, the Application Layer takes information from the application itself. In this case we will be sending the phrase “Hello There” to another computer. The application program gives the “Hello There” to the Application Layer of the protocol stack. The Application Layer creates an empty packet and places the “Hello There” inside of it. The Application Layer then sends the packet to the Transport Layer.
The Transport Layer takes the packet and adds a header to it. The header has all the information that the Transport Layer on the other side of the connection needs to determine what to do with the packet. Once the transport header is put on the packet it is given to the Internet Layer.
The Internet Layer puts another header in front of the packet. Like the Transport Layer before it, this header gives information for the Internet Layer on the other end. Once this header is attached, the packet is sent to the Network Layer.
As you can probably guess by now, the Network Layer will want to put its own header on the packet. This header will assist the routers and gateways between the two machines in sending the packet along its way. Once this final header is placed on the packet it is put on the wire and sent to its final destination.
Page 12
How Protocol Stacks Communicate
(Diagram: two OSI stacks, one per host, each with Application, Presentation, Session, Transport, Network, Data Link, and Physical layers, with each layer on one host paired with the same layer on the other.)
The previous slide showed how a single stack handles the movement of data from the application program to the network. In this slide we will look at how data is passed between stacks. This slide uses the OSI model, but the process works the same way with the TCP/IP model.
When two computers need to communicate with each other, it is actually the protocol stack on each computer that does the talking. Each stack layer on a host talks only to the corresponding layer on the remote computer. For example, in the above diagram the Application Layer on Host A exchanges information with the Application Layer on Host B, the Session Layer on Host A exchanges information with the Session Layer on Host B, etc. However, it does this by going through each of the layers below on its own host’s stack. Each layer takes the information from the layer above it, examines it, adds its own information to it, then sends it to the next layer down the stack.
Once the packet reaches the bottom of the stack, it travels along the network wire to the remote host, then travels up the stack on the remote side. At each layer of the remote stack, the packet is examined, the information that layer needs is removed, and the packet is sent further up the stack. Each layer removes only the information placed in the packet by the corresponding layer from the sending host’s stack. For example, the Network Layer on Host B removes and examines the information placed in the packet by the Network Layer on Host A. This is how protocol layers communicate with each other.
Through the use of an orderly flow of communications up and down the protocol stacks, packets can be created, moved, and examined with great efficiency across large distances and multiple networks.
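The two slides above, the headers being added on the way down and stripped on the way back up, as an added example that is not from the course: “Hello There” is wrapped in a UDP header (Transport Layer), an IPv4 header with its checksum (Internet Layer) and an Ethernet II header (Network Access Layer), then unwrapped on the receiving host, where each layer checks only the header its peer layer added. The MAC addresses, IP addresses and port numbers are made up for the demonstration; the header layouts and the EtherType and protocol numbers are the standard ones.

```python
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")         # Ethernet II: dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # IPv4 header without options (20 bytes)
UDP_HDR = struct.Struct("!HHHH")          # UDP: src port, dst port, length, checksum
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17

# Constructed addresses for the two hosts; any values would do for the demonstration
PC = {"mac": bytes.fromhex("02000000000a"), "ip": "192.0.2.10", "port": 40000}
SERVER = {"mac": bytes.fromhex("02000000000b"), "ip": "192.0.2.20", "port": 5000}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, the IPv4 header checksum.
    Run over a header that already contains its checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def transport_layer(data: bytes, src_port: int, dst_port: int) -> bytes:
    """Transport Layer: UDP header in front of the application data.
    (A UDP checksum of 0 means 'not computed', which IPv4 permits.)"""
    return UDP_HDR.pack(src_port, dst_port, UDP_HDR.size + len(data), 0) + data


def internet_layer(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Internet Layer: IPv4 header in front of the transport segment, checksum filled in."""
    fields = [0x45, 0, IP_HDR.size + len(segment), 0x1234, 0, 64, PROTO_UDP, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = inet_checksum(IP_HDR.pack(*fields))   # computed with the checksum field at 0
    return IP_HDR.pack(*fields) + segment


def network_layer(packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Network Access Layer: Ethernet II header in front of the IP packet."""
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + packet


def send_down_the_stack(text: str) -> bytes:
    """Application -> Transport -> Internet -> Network, the order shown on the slide."""
    segment = transport_layer(text.encode(), PC["port"], SERVER["port"])
    packet = internet_layer(segment, PC["ip"], SERVER["ip"])
    return network_layer(packet, PC["mac"], SERVER["mac"])


def receive_up_the_stack(frame: bytes) -> dict:
    """Each layer removes and checks only the header its peer layer added.
    Raises ValueError if a header is inconsistent with what that layer expects."""
    dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected EtherType {ethertype:#06x}")
    packet = frame[ETH_HDR.size:]

    ihl = (packet[0] & 0x0F) * 4               # IPv4 header length in bytes
    if (packet[0] >> 4) != 4 or ihl < IP_HDR.size:
        raise ValueError("not an IPv4 packet")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    _, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = IP_HDR.unpack_from(packet)
    if proto != PROTO_UDP:
        raise ValueError(f"unexpected protocol {proto}")
    segment = packet[ihl:total_len]            # anything beyond total_len (padding) is dropped

    src_port, dst_port, length, _ = UDP_HDR.unpack_from(segment)
    if length != len(segment):
        raise ValueError("UDP length does not match the IP payload")
    return {
        "src": (socket.inet_ntoa(src_ip), src_port),
        "dst": (socket.inet_ntoa(dst_ip), dst_port),
        "ttl": ttl,
        "data": segment[UDP_HDR.size:].decode(),
    }


def tampered_frame_is_rejected() -> bool:
    """Flip the TTL byte in transit: the Internet Layer's checksum check catches it."""
    frame = bytearray(send_down_the_stack("Hello There"))
    frame[ETH_HDR.size + 8] ^= 0xFF            # TTL is byte 8 of the IPv4 header
    try:
        receive_up_the_stack(bytes(frame))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    wire = send_down_the_stack("Hello There")
    print(len(wire), "bytes on the wire:", wire.hex())
    print(receive_up_the_stack(wire))
```

Running it prints the 53 bytes that actually go on the wire for an 11-byte message (14 bytes of Ethernet, 20 of IP and 8 of UDP header in front of it) and then the fields each layer on the receiving host recovers from the header its counterpart added.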
Page 13
• Beware of “War Dialing”
A popular method of connecting to a network is through the use of dial-up communications. Using ordinary telephone lines you can connect your computer to your organization’s network. Most people already do this with their home computers. They use their modems to connect to AOL or CompuServe or any number of Internet Service Providers. You will notice that when you connect to most service providers they will have some sort of access control to restrict use of the service to only authorized users. This is an extremely important part of dial-up security.
You would be surprised at how many people hook modems up to their desktop computer to allow them to access the machine while they are out of the office. This may be fine for productivity, but many of the same people fail to use the most basic security precautions to protect their computers and their organization’s network. Failing to place even basic password protection in front of a modem is just sending an invitation to an attacker to come on in.
There are many different types of protection one can use on modems. The most basic is the password protection previously mentioned. Another is the use of dial-back modems. With a dial-back arrangement, the user dials up the modem and gives some type of authentication information to prove their identity. Once this is established, the network modem disconnects the user and automatically dials them back at a pre-determined location. This makes it hard for an attacker to gain unauthorized entry, since they would have to know the location where the modem will call back to and be at that location waiting for the call. Dial-back security is not impossible to defeat, and several methods for doing so are known. However, it is much better than standard password security. Finally, the use of security tokens or smart cards adds a much higher level of authentication to the process. We will discuss security tokens later in the course.
How do attackers discover unprotected modem connections? One way is through the use of social engineering to discover dial-up numbers from help desks, unsuspecting end users, and other unaware personnel. Another common method is the use of a program known as a “War Dialer.” The war dialer will dial every phone number in a specified area looking for modem tones. Once it finds one it will log the phone number and go on to the next. Once the program has completed, the user will have a list of modem-answering numbers that can then be explored. If any of those numbers does not have basic security protection it will fall victim to the attacker.
Since you never know when your modem line will become the target of a war dialing scan, you need to install access security on all modems in your organization. Better yet, your organization should supply a central pool of dial-up connections for everyone, eliminating the need for modems at end users’ desks.