
Network Security Fundamentals - University of Michigan (cja/NSF13/lectures/netsec-02-notes.pdf)

Network Security Fundamentals

Security Training Course

Dr. Charles J. Antonelli The University of Michigan

2013

Network Security Fundamentals

Module 2 Network Fundamentals

Roadmap

•  Network Fundamentals
  -  The OSI 7-layer model
  -  OSI Layers 1 - 4 in detail: Ethernet and IP
  -  IP subnetting and routing
  -  Virtualizing the network

04/13 3 cja 2013


Some notes

•  Focus on IPv4 and Ethernet
  -  IP is the dominant network protocol
  -  IPv6 not yet widely deployed (as of 2013)
  -  Ethernet is ubiquitous

•  The basic principles apply to other protocols and other media
  -  As always, the devil is in the details…


You are here…

•  Network Fundamentals
  -  The OSI 7-layer model
  -  OSI Layers 1 - 4 in detail: Ethernet and IP
  -  IP subnetting and routing
  -  Virtualizing the network


The OSI model

•  7 - Application (HTTP, HTML)
•  6 - Presentation (ASCII, JPEG)
•  5 - Session (ZIP, SCP: the AppleTalk Zone Information Protocol and the DECnet Session Control Protocol)
•  4 - Transport (TCP, UDP)
•  3 - Network (IP, IPX, AppleTalk DDP)
•  2 - Data Link (Ethernet II, IEEE 802.2)
•  1 - Physical (100BaseT, 1000BaseSX)


The OSI model in pictures

•  Users interact with layer 7
•  Each layer interacts with adjacent layers
•  Layers communicate with peer layers


Data encapsulation

•  Headers and trailers are added or stripped as data moves down and up the stack

•  Each layer’s information is encapsulated by the next lower layer


An example

•  Bold text on a web page
  -  => encapsulated by HTML (<B> Bold text </B>)
  -  => encoded as 8-bit ASCII
  -  => encapsulated in TCP: source port 80 (HTTP), destination port 12345 (this is the server’s reply to the browser, hence the well-known port is the source)
  -  => encapsulated in an IP packet from IP address 1.2.3.4 to 55.66.77.88
  -  => encapsulated in an Ethernet II frame from MAC address 1111.2222.3333 to 0123.4567.89ab
  -  => encoded as 4B/5B with MLT-3 line coding for 100BaseTX
  -  => carried over Cat5e cable to your desktop


Two missing layers

•  Layer 8: Users
  -  Vulnerable to social engineering
  -  Vulnerable to the “Oops of death”
  -  Vulnerable to ignorance, curiosity, evil

•  Layer 0: The environment
  -  Equipment has to sit somewhere
  -  Power has to come from somewhere
  -  Cables have to follow some path
  -  Everyone talks about the weather, but…


You are here…

•  Network Fundamentals
  -  The OSI 7-layer model
  -  OSI Layers 1 - 4 in detail: Ethernet and IP
  -  IP subnetting and routing
  -  Virtualizing the network


Let’s get physical

•  7 - Application
•  6 - Presentation
•  5 - Session
•  4 - Transport
•  3 - Network
•  2 - Data Link
•  1 - Physical


Layer 1 covers:

•  Voltage / power levels
•  Cable impedance, loss, dispersion
•  RF frequency, power, modulation
•  Bit encoding scheme
•  Connectors and termination
•  Clocking / timing / synchronization
•  Collision detection / avoidance
•  Speed / duplex negotiation


Layer 1 basics

•  Common media are:
  -  Copper (coax, twisted pair)
  -  Fiber (single-mode, multimode, WDM)
  -  RF (point-to-point or broadcast)

•  Common electronics are:
  -  Hubs (everyone hears everyone else)
  -  Switches (traffic is directed to the target)
  -  Media converters (wireless bridges, etc.)


Let’s talk

•  7 - Application
•  6 - Presentation
•  5 - Session
•  4 - Transport
•  3 - Network
•  2 - Data Link
•  1 - Physical


Layer 2 - data link

•  The Data Link layer provides reliable transit of data across the physical layer
•  Physical addressing
•  Error detection and notification
•  Flow control
•  Frame sequencing


Layer-2 framing

•  Ethernet header has three or more fields:
  -  Destination (MAC) address (6 bytes)
  -  Source (MAC) address (6 bytes)
  -  Type (Ethernet II; 2 bytes) or Length (IEEE 802.3; 2 bytes): values of 0x0600 (1536) and above are types, smaller values are lengths
  -  Other data (depending on frame type), e.g. a 4-byte IEEE 802.1Q VLAN tag inserted ahead of the Type/Length field

•  Ethernet trailer is a 4-byte CRC (the frame check sequence, FCS)
  -  The CRC catches transmission errors only; it is not a cryptographic check and says nothing about who sent the frame
•  Frame size between 64 bytes and 1518 bytes (1522 bytes with an 802.1Q tag); receivers discard frames outside this range or with a bad FCS

[Figure: Frame = Data link layer header | Upper layer data | Data link layer trailer]


MAC addresses

•  Unique to each network interface
  -  Sometimes this rule is violated… (most interfaces let software override the burned-in address)

•  Ethernet: 6 bytes => 2.8 x 10^14 addresses
•  3-byte Vendor code (the OUI), 3-byte Device code
  -  Two bits of the first byte are flags: the lowest bit marks a group (multicast) address, the next bit a locally administered address
•  Some protocols (e.g. DECnet) require user-programmable MAC addresses
•  Destination address of all 1s is a layer-2 broadcast (i.e. “all devices”) frame
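The framing and MAC-address slides above, worked through in code. This is an added example, not part of the course notes: the frames are constructed in the test rather than captured, and the FCS check uses the same CRC-32 polynomial as IEEE 802.3 (Python's `zlib.crc32`), transmitted least-significant byte first.

```python
"""Ethernet II / IEEE 802.3 frame parsing: MAC addresses and their flag bits,
the Type-vs-Length field, an optional 802.1Q tag, and the CRC-32 trailer.

Added example, not from the course notes. Frames are constructed, not captured.
"""
import struct
import zlib
from typing import Optional

MIN_FRAME = 64          # bytes, excluding preamble/SFD, including the 4-byte FCS
MAX_FRAME = 1518        # untagged; an 802.1Q tag adds 4 bytes
TPID_8021Q = 0x8100
ETHERTYPE_MIN = 0x0600  # Type/Length values >= 1536 are EtherTypes, smaller are lengths


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_flags(raw: bytes) -> dict:
    """Decode the two flag bits of a MAC address and split OUI / device code."""
    return {
        "broadcast": raw == b"\xff" * 6,               # all 1s: every station on the LAN
        "group": bool(raw[0] & 0x01),                  # I/G bit: multicast (broadcast included)
        "locally_administered": bool(raw[0] & 0x02),   # U/L bit: not a vendor-assigned OUI
        "oui": fmt_mac(raw[:3]),                       # 3-byte vendor code
        "device": fmt_mac(raw[3:]),                    # 3-byte device code
    }


def build_frame(dst: bytes, src: bytes, type_or_len: int, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    """Assemble a frame, pad to the 64-byte minimum, and append the FCS.
    The FCS is CRC-32 over everything after the preamble, least-significant byte first."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    body = dst + src + tag + struct.pack("!H", type_or_len) + payload
    body = body.ljust(MIN_FRAME - 4, b"\x00")          # pad runt frames
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame: bytes) -> dict:
    """Parse a frame the way a receiving interface does; raise on bad size or FCS."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME + 4:
        raise ValueError(f"frame length {len(frame)} outside {MIN_FRAME}..{MAX_FRAME + 4}")
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body):
        raise ValueError("FCS mismatch: frame damaged in transit")
    dst, src = body[:6], body[6:12]
    offset, vlan = 12, None
    if struct.unpack("!H", body[12:14])[0] == TPID_8021Q:   # 802.1Q tag: TPID + TCI
        tci = struct.unpack("!H", body[14:16])[0]
        vlan = {"pcp": tci >> 13, "vid": tci & 0x0FFF}
        offset = 16
    type_or_len = struct.unpack("!H", body[offset:offset + 2])[0]
    offset += 2
    if type_or_len >= ETHERTYPE_MIN:
        kind, ethertype, payload = "Ethernet II", type_or_len, body[offset:]
    else:  # IEEE 802.3: the field is the payload length, anything beyond it is padding
        kind, ethertype, payload = "IEEE 802.3", None, body[offset:offset + type_or_len]
    return {"dst": fmt_mac(dst), "src": fmt_mac(src),
            "dst_flags": mac_flags(dst), "src_flags": mac_flags(src),
            "vlan": vlan, "kind": kind, "ethertype": ethertype, "payload": payload}
```

A frame that passes the FCS check arrived as it was sent; nothing here tells you the source MAC is genuine, which is the point of the "sometimes this rule is violated" bullet.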


Definition: LAN

•  A LAN is a layer-2 network
  -  Every device can directly reach every other device on the LAN
  -  LANs are generally responsive

•  A LAN is a single broadcast domain
  -  A broadcast frame from any device will reach every other device on the LAN
  -  LANs generally don’t scale up well


Hubs / Repeaters

•  “Classic” Ethernet is multiple access
  -  Every box sees every frame
  -  Each interface examines every frame header
  -  Frame is discarded if destination MAC isn’t either itself or a broadcast (an interface in promiscuous mode skips this filter and passes everything up, which is how a sniffer on a hub sees all traffic)
  -  CSMA/CD - half duplex, collision detection
  -  On collision, back off and try again later

•  A hub is a multi-port repeater
  -  In one port, out on all the others


Switches

•  Switches “snoop” source MAC addresses to learn which devices are on which ports
  -  If destination MAC is known, frame is directed out appropriate port
  -  If destination MAC is unknown (or is a broadcast or multicast), frame is flooded out all ports (except ingress)
  -  The learned table is trusted as-is: a host that sends frames with a forged source MAC moves that address to its own port
•  Switches buffer frames (store-and-forward)
  -  Buffer overflow => dropped traffic
•  Switches do not modify transiting frames (adding or stripping VLAN tags, covered later, is the exception)


Starting to get abstract

•  7 - Application
•  6 - Presentation
•  5 - Session
•  4 - Transport
•  3 - Network
•  2 - Data Link
•  1 - Physical


OSI and the IP protocol suite

•  The IP protocol suite maps onto the OSI model layers 2 - 7 (ARP at the boundary of layers 2 and 3, IP at layer 3, TCP and UDP at layer 4, applications above)

•  ‘IP’ is the layer 3 part of the IP suite

•  ‘TCP/IP’ is a common (and incorrect!) synonym for ‘IP’


Layer 3 - Network

•  Layer 3 adds logical addresses
  -  One-to-one or many-to-one mapping of layer 3 to layer 2 addresses
•  Other layer 3 functions include:
  -  Fragmentation / reassembly
  -  Sequencing
  -  Priority / precedence / type-of-service
  -  Time to live


Layer 3: IP packet header

•  IP Header includes:
  -  Version and header length
  -  Total length
  -  Source & destination addresses
  -  Priority (type-of-service / DSCP)
  -  Fragmentation info (identification, flags, fragment offset)
  -  Time to live
  -  Header checksum (covers the header only, not the payload)

•  Protocol field indicates what’s inside the packet (e.g. 1 = ICMP, 6 = TCP, 17 = UDP)


Routers

•  Routers exchange layer-3 information to learn which networks are reachable on which ports
  -  If destination net is known, packet is directed out appropriate port
  -  If destination net is unknown, packet is forwarded to default gateway (the default route)
•  Routers must buffer packets
  -  Buffer overflow => dropped traffic
•  Routers must modify transiting frames
  -  Decrement packet TTL, update header checksum (a packet whose TTL would reach 0 is dropped and an ICMP Time Exceeded goes back to the source)
  -  Rewrite source / destination MAC, frame checksum
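The per-hop header rewrite described on the IP header and router slides, as an added example (not from the course notes): build a 20-byte IPv4 header, verify its checksum, and do what a router does on forwarding: decrement TTL and update the checksum incrementally per RFC 1624 rather than recomputing it over the whole header. Addresses are the ones used in the encapsulation example earlier; the TTL values and payload lengths are constructed.

```python
"""The layer-3 header work a router does per hop: verify the IPv4 header
checksum, decrement TTL, and update the checksum incrementally (RFC 1624).

Added example, not from the course notes. The header is constructed.
"""
import struct
import ipaddress
from typing import Optional

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Checksum of the header computed with its own checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def checksum_ok(header: bytes) -> bool:
    # Summing a header that carries a correct checksum gives all ones
    return ones_complement_sum(header) == 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234, dscp: int = 0) -> bytes:
    """20-byte header, no options, DF set; checksum filled in last."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5,        # version 4, IHL = 5 words
                      dscp << 2,           # DSCP / ECN
                      20 + payload_len,    # total length
                      ident,               # identification, used for reassembly
                      0x4000,              # flags: DF set, fragment offset 0
                      ttl, proto, 0,       # TTL, protocol, checksum placeholder
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def router_forward(header: bytes) -> Optional[bytes]:
    """Return the header as the next hop sees it, or None if this router drops it."""
    if len(header) < 20 or header[0] >> 4 != 4 or not checksum_ok(header):
        return None                      # not IPv4 or corrupted: silently dropped
    ttl = header[8]
    if ttl <= 1:
        return None                      # expired: dropped (a real router also sends ICMP Time Exceeded)
    new_ttl = ttl - 1
    # RFC 1624: HC' = ~(~HC + ~m + m'), m/m' = old/new 16-bit word holding TTL and protocol
    old_ck = struct.unpack("!H", header[10:12])[0]
    old_word = struct.unpack("!H", header[8:10])[0]
    new_word = (new_ttl << 8) | header[9]
    s = (~old_ck & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    new_ck = (~s) & 0xFFFF
    return header[:8] + bytes([new_ttl]) + header[9:10] + struct.pack("!H", new_ck) + header[12:]


def hops_until_expiry(header: bytes) -> int:
    """Push the header through routers until one drops it; count the successful hops."""
    hops = 0
    while (header := router_forward(header)) is not None:
        hops += 1
    return hops
```

The incremental update is what makes a per-hop checksum affordable in hardware; the full recomputation in `ipv4_checksum` is kept alongside so the two can be checked against each other. Note that the checksum protects the header against accidental damage only: anyone who can change a field can recompute it.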


Layer 4: Transport

•  IP protocols include:
  -  ICMP
  -  UDP & TCP
  -  IGMP & PIM
  -  ESP & L2TP

•  UDP: connectionless datagrams, no delivery guarantee
•  TCP: connection-oriented, reliable, ordered byte stream
•  ICMP: control and error signalling (a layer-3 companion to IP rather than a transport)


ARP - Address Resolution Protocol

•  How do you send an IP packet to a machine whose MAC address you don’t know?

•  ARP request: Layer 2 broadcast

•  ARP reply: Layer 2 unicast
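The request/reply exchange on this slide, as an added example that is not part of the course notes: ARP bodies are packed and parsed per RFC 826, and a constructed three-host segment shows the request leaving as a layer-2 broadcast and the reply coming back as a layer-2 unicast that only the asker processes. The MAC and IP addresses are made up for the example; the small "only cache replies we asked for" rule is a simplification of what real stacks do, not a description of any particular one.

```python
"""ARP on a single LAN: the broadcast request, the unicast reply, and how the
requester fills its cache.

Added example, not from the course notes; MAC and IP addresses are constructed.
"""
import struct
import ipaddress
from typing import Dict, List, Optional, Tuple

HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def arp_packet(op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Pack the 28-byte ARP body (RFC 826) for Ethernet/IPv4."""
    return (struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
            + sha + ipaddress.IPv4Address(spa).packed
            + tha + ipaddress.IPv4Address(tpa).packed)


def parse_arp(data: bytes) -> dict:
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", data[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sha": data[8:14], "spa": str(ipaddress.IPv4Address(data[14:18])),
            "tha": data[18:24], "tpa": str(ipaddress.IPv4Address(data[24:28]))}


class Host:
    def __init__(self, mac_hex: str, ip: str):
        self.mac, self.ip = bytes.fromhex(mac_hex), ip
        self.cache: Dict[str, bytes] = {}   # ip -> mac
        self.pending: set = set()           # IPs we have asked about and not yet heard back

    def make_request(self, target_ip: str) -> Tuple[bytes, bytes]:
        """Return (layer-2 destination, ARP body). The destination is the broadcast MAC;
        the target hardware address is unknown, so it is sent as zeros."""
        self.pending.add(target_ip)
        return BROADCAST_MAC, arp_packet(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def receive(self, dst_mac: bytes, body: bytes) -> Optional[Tuple[bytes, bytes]]:
        """Process one frame; return (unicast destination, ARP reply) if we must answer."""
        if dst_mac not in (BROADCAST_MAC, self.mac):
            return None                     # the interface discards frames not for it
        arp = parse_arp(body)
        if arp["op"] == ARP_REQUEST and arp["tpa"] == self.ip:
            # Answer straight back to the asker's MAC: layer-2 unicast, not broadcast
            return arp["sha"], arp_packet(ARP_REPLY, self.mac, self.ip, arp["sha"], arp["spa"])
        if arp["op"] == ARP_REPLY and arp["tpa"] == self.ip and arp["spa"] in self.pending:
            # Only cache answers we asked for. Nothing authenticates the answer itself, so
            # any host on the LAN could have sent it; this rule ignores unsolicited replies,
            # it does not make ARP trustworthy.
            self.cache[arp["spa"]] = arp["sha"]
            self.pending.discard(arp["spa"])
        return None


def resolve(requester: Host, target_ip: str, lan: List[Host]) -> Tuple[bytes, Optional[bytes], Optional[bytes]]:
    """One resolution on a shared segment (one broadcast domain).
    Returns (request destination MAC, reply destination MAC, MAC the requester learned)."""
    req_dst, req = requester.make_request(target_ip)
    reply_dst = None
    for host in lan:                        # every host on the LAN sees the broadcast
        if host is requester:
            continue
        answer = host.receive(req_dst, req)
        if answer is not None:
            reply_dst, reply = answer
            for h in lan:                   # the unicast reply is processed only by its addressee
                h.receive(reply_dst, reply)
    return req_dst, reply_dst, requester.cache.get(target_ip)
```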


Putting it all together

•  Layer 1: Ethernet preamble
•  Layer 2: MAC source/destination, frame CRC
•  Layer 3: IP source/destination, header checksum (a one’s-complement checksum, not a CRC, and covering the header only)
•  Layer 4: Protocol/port numbers, TCP or UDP checksum (optional for UDP over IPv4)


You are here…

•  Network Fundamentals
  -  The OSI 7-layer model
  -  OSI Layers 1 - 4 in detail: Ethernet and IP
  -  IP subnetting and routing
  -  Virtualizing the network


IP nets and subnetting

•  Classful networks come in three sizes
  -  Class A (16,777,216 addresses) - 0.x.x.x - 127.x.x.x
     e.g. Apple 17.0.0.0 - 17.255.255.255
  -  Class B (65,536 addresses) - 128.x.x.x - 191.x.x.x
     e.g. Oakland U. 141.210.0.0 - 141.210.255.255
  -  Class C (256 addresses) - 192.x.x.x - 223.x.x.x
     e.g. Ernst & Young (Belgium) 195.0.0.0 - 195.0.0.255
  -  “Class D” range is used for Multicast: 224.x.x.x - 239.x.x.x
  -  Several special networks are defined
     127.x.x.x, 169.254.x.x, 192.0.2.x are special-purpose
     “Private IP” - 10.x.x.x, 172.<16-31>.x.x, 192.168.x.x


IP nets and subnetting

•  Classful addressing can be very wasteful
  -  Did Merit (35.x.x.x) really need 16 million addresses?

•  Subnetting divides address space into smaller chunks
  -  ‘Major nets’ are assigned to organizations
  -  ‘Subnets’ are assigned within organizations

•  Anything within your subnet is local
•  Anything outside your subnet passes through the default gateway (i.e. a router)
•  Net and subnet sizes must be powers of 2


IP nets and subnetting

•  Net (subnet) mask
  -  ‘1’ indicates network part of address
  -  ‘0’ indicates host part of address
  -  Usually represented in decimal, e.g. 255.255.255.0

•  CIDR (Classless Inter-Domain Routing) notation: /nn
  -  nn is the number of ‘1’ bits in the mask
  -  /24 = 255.255.255.0 = 11111111.11111111.11111111.00000000

•  Subnets typically contain 4 - 1024 addresses
  -  i.e. a mask of /30 to /22

•  Network must begin on appropriate power-of-2 boundary
  -  141.211.40.0/22 (= 141.211.<40-43>.x) is OK, since 40 is a multiple of 4
  -  141.211.42.0/22 is not: 42 is not a multiple of 4, so the same 1024 addresses must be written as 141.211.42.0/23 + 141.211.44.0/23


IP nets and subnetting

•  An IP subnet has three broadcast addresses:
  -  Local IP broadcast: 255.255.255.255
  -  Subnet directed broadcast: <IP Subnet>.<all 1s>
  -  Subnet address: <IP Subnet>.<all 0s>
  -  Ex: 141.211.28.0/22 = 141.211.<28.0 - 31.255>
     Local broadcast: 255.255.255.255
     Normal host address: 141.211.28.255 (only the last address of the whole /22 is the broadcast)
     Directed broadcast: 141.211.31.255

•  Local broadcasts are not forwarded by routers
•  Directed broadcasts might be forwarded… (a router that forwards them lets a remote sender reach every host on the subnet with one packet, the basis of “smurf” amplification; RFC 2644 made not forwarding them the default)
•  “All 0s” broadcast is deprecated
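The subnetting arithmetic from the last three slides, worked through in code as an added example (not from the course notes): prefix length to mask and back (rejecting non-contiguous masks), the power-of-2 alignment rule with the slides' 141.211.40.0/22 vs. 141.211.42.0/22 case, a host's local-vs-default-gateway decision, and telling a subnet's broadcast and network addresses apart from ordinary hosts. Network numbers are the ones on the slides; the host and gateway addresses are constructed.

```python
"""Subnet arithmetic: prefix <-> mask, CIDR alignment, the local-vs-gateway
decision, and the addresses of a subnet that are not ordinary hosts.

Added example, not from the course notes. Network numbers are those on the
slides; host and gateway addresses are constructed.
"""
import ipaddress
from ipaddress import IPv4Address, IPv4Network
from typing import List


def prefix_to_mask(prefix: int) -> str:
    """/24 -> 255.255.255.0: the top `prefix` bits are 1, the rest 0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    mask = ((1 << prefix) - 1) << (32 - prefix)
    return str(IPv4Address(mask))


def mask_to_prefix(mask: str) -> int:
    """255.255.252.0 -> 22; reject masks whose 1 bits are not contiguous."""
    m = int(IPv4Address(mask))
    prefix = bin(m).count("1")
    if m != ((1 << prefix) - 1) << (32 - prefix):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return prefix


def aligned_networks(first: str, prefix: int) -> List[str]:
    """A /nn must start on a multiple of its own size. 141.211.40.0/22 does;
    141.211.42.0/22 does not, and the same 1024 addresses need two /23s."""
    start = int(IPv4Address(first))
    size = 1 << (32 - prefix)
    if start % size == 0:
        return [f"{first}/{prefix}"]
    last = IPv4Address(start + size - 1)
    return [str(n) for n in ipaddress.summarize_address_range(IPv4Address(start), last)]


def next_hop(src_ip: str, prefix: int, dst_ip: str, gateway: str) -> str:
    """The host's forwarding rule: same subnet => deliver directly (ARP for dst),
    anything else => hand the packet to the default gateway."""
    local = IPv4Network(f"{src_ip}/{prefix}", strict=False)
    return dst_ip if IPv4Address(dst_ip) in local else gateway


def classify(addr: str, cidr: str) -> str:
    """Tell a subnet's special addresses apart from normal hosts."""
    if addr == "255.255.255.255":
        return "local broadcast"
    net = IPv4Network(cidr)
    ip = IPv4Address(addr)
    if ip not in net:
        return "not in subnet"
    if ip == net.broadcast_address:
        return "directed broadcast"
    if ip == net.network_address:
        return "network address (all-0s, deprecated as a broadcast)"
    return "host"
```

`IPv4Network(..., strict=False)` is what lets a host address plus prefix stand for its subnet; the default `strict=True` would refuse 141.211.28.10/22 for the same reason `aligned_networks` refuses 141.211.42.0/22.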


Switching vs. Routing

•  Switches forward traffic within subnets
•  Routers forward traffic between subnets
•  Routers must rewrite headers
  -  TTL decrements on each hop
  -  Header checksum changes
  -  Source/dest. MACs change with each hop
  -  Frame CRC changes
  -  Routers may need to fragment packets


Routing

•  Routers exchange information on what IP networks (“prefixes”) they can reach

•  Routing decisions are based on metrics such as link cost derived from bandwidth (OSPF), hop count (RIP), or a composite of bandwidth and delay (EIGRP), or on explicit policy (Reshall-via-Packeteer)

•  Internet routing table >250,000 prefixes (2013)
•  UMnet routing table >1200 prefixes


You are here…

•  Network Fundamentals
  -  The OSI 7-layer model
  -  OSI Layers 1 - 4 in detail: Ethernet and IP
  -  IP subnetting and routing
  -  Virtualizing the network


VLANs

•  People / groups / units change, move, grow, split, share space

•  Separate physical LANs are expensive to build and maintain

•  VLANs allow logically independent nets to share a common physical network

•  Like physical LANs, each VLAN is a separate (layer 2) broadcast domain


VLANs in switches

•  Each VLAN is assigned a VLAN ID (12 bits in the 802.1Q tag; 1 - 4094 are usable)
•  Access ports are assigned to one VLAN
•  Trunk ports can carry multiple VLANs; each frame is tagged with the VLAN ID
  -  Frames of the trunk’s native VLAN travel untagged, so keep the native VLAN distinct from any user VLAN and prune trunks to the VLANs they actually need
•  Gotchas:
  -  Some switches don’t support VLANs
  -  Some switches don’t support trunking
  -  Switches support different # of VLANs
  -  Switches support different tagging schemes (IEEE 802.1Q vs. Cisco’s proprietary ISL)
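The switch behaviour from the "Switches" slide (learn, forward, flood) combined with the access/trunk rules on this slide, as one added example that is not part of the course notes or any switch vendor's code. Frames are modelled as small records rather than bytes so the forwarding logic stands out; port names, MAC addresses and VLAN numbers are constructed. It generalizes the slide slightly by treating any group (multicast) address, not only the all-1s broadcast, as a flooded destination.

```python
"""A VLAN-aware learning switch: learn source MACs per VLAN, forward known
destinations out one port, flood unknown and group destinations within the
VLAN only, strip tags on access ports and add them on trunks.

Added example; not from the course notes or any vendor's code.
Port names, MAC addresses and VLAN numbers are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac: str) -> bool:
    """Low bit of the first octet set => multicast or broadcast: flood it."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int] = None   # None: untagged on the wire; else the 802.1Q VLAN ID


@dataclass
class Port:
    name: str
    mode: str                   # "access" or "trunk"
    vlan: int = 1               # access VLAN, or the trunk's native (untagged) VLAN
    allowed: List[int] = field(default_factory=list)   # VLANs a trunk carries


class Switch:
    def __init__(self, ports: List[Port]):
        self.ports = {p.name: p for p in ports}
        self.table: Dict[Tuple[int, str], str] = {}   # (vlan, mac) -> port

    def _ingress_vlan(self, port: Port, frame: Frame) -> Optional[int]:
        """Classify an arriving frame into a VLAN, or None to drop it."""
        if port.mode == "access":
            return port.vlan if frame.vid is None else None   # tagged frames on access ports are dropped
        vid = port.vlan if frame.vid is None else frame.vid   # untagged on a trunk = native VLAN
        return vid if vid in port.allowed else None

    def _egress(self, port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
        """Un-tag for access ports, tag for trunks (native VLAN stays untagged), or None."""
        if port.mode == "access":
            return Frame(frame.dst, frame.src, None) if port.vlan == vlan else None
        if vlan not in port.allowed:
            return None
        return Frame(frame.dst, frame.src, None if vlan == port.vlan else vlan)

    def receive(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Switch one frame; return {egress port: frame as transmitted there}."""
        port = self.ports[in_port]
        vlan = self._ingress_vlan(port, frame)
        if vlan is None:
            return {}
        self.table[(vlan, frame.src)] = in_port        # learn, per VLAN, from the source address
        known = None if is_group(frame.dst) else self.table.get((vlan, frame.dst))
        if known == in_port:
            return {}                                  # destination already heard it on that segment
        targets = [known] if known else [p for p in self.ports if p != in_port]
        out = {}
        for name in targets:
            egress = self._egress(self.ports[name], vlan, frame)
            if egress is not None:                     # flooding stays inside the VLAN
                out[name] = egress
        return out
```

Two things the code makes visible that the slides state in words: the MAC table is keyed by (VLAN, MAC), so the same address learned in two VLANs is two entries; and a frame can only cross between VLANs through a router, because `_egress` never hands a VLAN 10 frame to a VLAN 20 access port.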


UMnet backbone diagram

[Diagram: UMnet backbone; see http://www.itcom.itd.umich.edu/backbone/]

UMnet VLAN configuration

[Diagram: UMnet VLAN configuration. Access layer: workstations on the Data VLAN, IP telephones on the VOIP VLAN, wireless APs on the Wireless VLAN. A VLAN trunk carries all three to the distribution layer and on to the UMnet backbone.]
