Information Security: The Big Picture – Part III

Chia sẻ: Huy Hoang | Ngày: | Loại File: PDF | Số trang:1

Thêm vào BST

Báo xấu

123
lượt xem 3
download

Download Vui lòng tải xuống để xem tài liệu đầy đủ

The Internet Protocol (IP) is the protocol by which information is sent from one computer to another on the Internet. Each computer on the Internet has at least one address that uniquely identifies it from all other computers on the Internet. When you send or receive data (for example, an e-mail note or a web page), the message gets divided into little chunks called packets. Each of these packets contains both the sender's Internet address and the receiver's address.

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: Information Security: The Big Picture – Part III

Information Security: The Big Picture – Part III Stephen Fried Information Security: The Big Picture - SANS GIAC © 2000 1 1
IP – The Internet Protocol • Deals with transmission of packets between end points • The fundamental protocol of the Internet Information Security: The Big Picture - SANS GIAC © 2000 2 The Internet Protocol (IP) is the protocol by which information is sent from one computer to another on the Internet. Each computer on the Internet has at least one address that uniquely identifies it from all other computers on the Internet. When you send or receive data (for example, an e-mail note or a web page), the message gets divided into little chunks called packets. Each of these packets contains both the sender's Internet address and the receiver's address. Any packet is sent first to a gateway computer that understands a small part of the Internet. The gateway computer reads the destination address and forwards the packet to an adjacent gateway that in turn reads the destination address and so forth across the Internet until one gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain. That gateway then forwards the packet directly to the computer whose address is specified. Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different route across the Internet. Packets can arrive in a different order than the order they were sent in. The Internet Protocol just delivers them. It's up to another protocol, the Transmission Control Protocol (TCP) to put them back in the right order. IP is a connectionless protocol, which means that there is no established connection between the end points that are communicating. Each packet that travels through the Internet is treated as an independent unit of data without any relation to any other unit of data. (The reason the packets do get put in the right order is because of TCP, the connection-oriented protocol that keeps track of the packet sequence in a message.) The most widely used version of IP today is Internet Protocol Version 4 (IPv4). However, IP Version 6 (IPv6) is also beginning to be supported. IPv6 provides for much longer addresses and therefore the possibility of many more Internet users. IPv6 includes the capabilities of IPv4 and any server that can support IPv6 packets can also support IPv4 packets. 2
TCP – The Transmission Control Protocol • Connection-oriented communications • Ensures reliable packet delivery • Overhead can be “expensive” Information Security: The Big Picture - SANS GIAC © 2000 3 The Transmission Control Protocol, or TCP, is called a connection-oriented protocol. That is because it is primarily concerned with establishing connections between two computers and making sure that all communication on that connection are orderly and complete. TCP works in combination with the Internet Protocol, a combination usually referred to as TCP/IP. The IP layer provides the packet delivery service and the TCP layer provides the packaging and sequencing of the packets. TCP works by giving each packet a sequence number. When a packet is sent to a destination, the sending computer waits for an acknowledgement from the destination that the packet was received. The receiver will send the acknowledgement if it receives the packet and it was not damaged during the transmission. If the sender does not receive the acknowledgement it will resend the packet. In that way it ensures that every packet arrives at the destination in good order. TCP is a good protocol for ensuring the delivery of packets to a destination. However, this assurance comes at a price. All the work required to send, receive, and track acknowledgements takes a toll on the network. However, when you want to make sure a message arrives, TCP is the way to go. TCP is also good from a security standpoint. When compared to connectionless protocols (for example, UDP, which we will examine closer in the next slide) the connection-oriented nature of TCP gives us some assurance that information is coming from a genuine source and that packets received in a TCP stream have some relationship to both each other and to the originating server. As we have seen in previous slides, packets can be spoofed and transmissions can be interrupted, but compared to connectionless protocols, like UDP, TCP provides a higher level safety. 3
TCP Session Open & Close SYN (100) SYN (500), ACK (101) ACK (501) FIN (130) ACK (131) FIN (570) ACK (571) Information Security: The Big Picture - SANS GIAC © 2000 4 This slide shows a sample TCP session, illustrating how it opens and closes connections on the network. In the example, we are assuming that a PC is connecting to some kind of server over the network, but this same process holds true for any TCP session established between any two devices. Just to get you familiar with the symbols on the chart, the arrows represent the direction of the communications. So, an arrow going from the PC to the server means that the PC is sending a message to the server and an arrow going from the server to the PC means that the server is sending a message to the PC. The SYN, ACK, and FIN labels represent the different types of packets that are used during session setup and close. The SYN packet is used to “sync up”, or start the communications. The ACK packet sends an acknowledgement of the message back to the originator, and the FIN packet starts the process of finishing the connection. Finally, the numbers in parentheses are the sequence numbers that are sent along with each packet. OK, now that you know who all the players are, we are ready to begin. When opening a two-way connection between two machines, each end of the connection must connect to the other separately. The process starts when the PC sends a SYN packet requesting a connection to the server with an initial sequence number of 100. The server responds back to the PC with a SYN/ACK packet. This packet starts up the second half of the two-way connections (again with a starting sequence number). It also acknowledges the packet sent originally by the PC (incrementing the PC’s sequence number by 1). Finally, the PC acknowledges the server’s connection with an ACK packet and by incrementing the server’s sequence number. This sequence is sometimes called the TCP Three Way Handshake. After the opening sequence, the PC and the server will continue to exchange packets of information, each time increasing the sequence number. When the time comes to close the connection, once again each end of the connection must be closed separately. Assuming that the PC wants to close the connection first, the process starts when the PC sends a FIN packet to the server. The FIN portion indicates to the server that the PC wants to close the connection (continuing with the sequence count it has been using with the server). The server responds by sending an ACK to the PC acknowledging the FIN sent by the PC. Next, the server sends a FIN packet to the PC to close its side of the connection. Finally, the PC sends an ACK to the server to acknowledge the FIN. Normally, you will never have to go into this much detail when talking about network security unless you are going into depth on router or firewall configuration. However, a basic understanding of this diagram will come in handy when we talk later about denial of service attacks, particularly SYN flood attacks. Understanding how the sequence numbers work will also help when we discuss sequence prediction attacks. 4
UDP – The User Datagram Protocol • Connectionless-oriented communications • Sends packets out, doesn’t care if they get there • Much less “overhead” • Good if small amount of packet loss is acceptable Information Security: The Big Picture - SANS GIAC © 2000 5 The User Datagram Protocol (UDP) is a communications protocol that offers a limited amount of connectivity when messages are exchanged between computers in a network that uses the Internet Protocol (IP). Like TCP, UDP uses IP as its underlying delivery service to move pieces of information from one host to another. Those pieces are called “datagrams.” Unlike TCP, however, UDP does not provide the service of dividing a message into packets and reassembling it at the other end. Specifically, UDP doesn't provide sequencing of the packets that the data arrives in. UDP will send the packets out, but it does not provide any mechanism for ensuring they get there properly, intact, or in the right order. Whereas TCP will do its part to ensure orderly delivery of packets, UDP leaves this task to the application itself. The application program that uses UDP must be able to make sure that the entire message has arrived and is in the right order. Because much of the disassembly, sequencing, and reassembly of packets is performed by the application rather than built into the protocol, UDP as a protocol has less overhead than TCP. This makes it faster to send information using UDP. Network applications that want to save processing time will use UDP rather than TCP because they have very small data units to exchange, and therefore very little message reassembling to do. UDP is also a good choice for applications that can stand a small amount of packet loss. For example, a broadcast of a musical program may consist of many packets of similar or repetitive sounds. If a packet or two were to get lost, nobody will notice. If, however, a transmission consisted of the precise coordinates to which to aim a space shuttle for landing, reliable transmission would be a priority and TCP would be a better choice. From a security standpoint, the “U” in UDP might as well stand for “Unreliable.” Because a UDP packet has no information about the context of the information it contains, it should not be trusted without some kind of supporting network or application information. 5
ICMP • Handles error and control information • Works between gateways and hosts • Sent as IP datagrams • Generated by protocol, not by user applications • Most users access ICMP via “Ping” Information Security: The Big Picture - SANS GIAC © 2000 6 One final protocol you should be aware of is the Internet Control Message Protocol, or ICMP. ICMP is a protocol that handles traffic flow between network elements. In particular, it provides feedback about problems in the communication and network environment. A typical use of ICMP is as follows: every network uses devices called routers to move packets from one local network to another. Each network has a “default route”, that is, the router that will be used if no other access out of the network is available. For most situations, the default route works best. However, occasionally the default route may not be the best path between two points. This may be because of problems in the network, network service outages, traffic congestion, or some other reason. When this happens, the default router will send an ICMP message back to the machine that sent the packet stating, “it would be better if you sent your packets some other way” and specifies a new path the sending machine should use. ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route. ICMP uses the Internet Protocol to transfer messages, but instead of full packets it sends “datagrams”, much like UDP. ICMP is actually an integral part of IP, and must be implemented within the IP software itself. Most user-level applications will never concern themselves with ICMP directly, rather relying on TCP or UDP for their transmissions. There is one exception, however. The ping program is a user-level application that uses ICMP to give information about network conditions and availability. If a user wants to know if a host is available, he will use ping to test if the machine is on the network. If it is, ping will send a positive reply back. If it is not available, or there is network trouble between the two hosts, ping will also indicate that. 6
Protocol “Stacks” • Divides network communications into layers • Each layer interfaces with above and below layers • Divide task of communication into pieces for easier implementation Information Security: The Big Picture - SANS GIAC © 2000 7 Having all these protocols is nice, but how does information actually get from one place to another? In the next few slides we will examine exactly how this happens. We will start by discussing protocol stacks. And to discuss protocol stacks, we need a good real-life example. Imagine, if you will, a five-story apartment building. This building, however, is very special (or very strange, depending on your point of view). First of all, the really important things happen on the top floor, floor 5. Second, the only way the people on the fifth floor can get anything done is by asking the people on the floors below them to do it. For example, the people on the fifth floor want to make dinner. They tell this to the people on the fourth floor. The people on the fourth floor figure out that dinner requires a soup, salad, main course and dessert. They tell this to the people on the third floor. The people on the third floor decide that the courses will be onion soup, a garden salad, beef stew, and apple pie, and they tell this to the people on the second floor. The people on the second floor figure out what ingredients will be needed for this dinner (for example, chicken broth, lettuce, vegetables, beef, etc.) and give this information to the people on the first floor. The people in the first floor actually go to the store, buy all the ingredients, and bring them back to the apartment building. Once the ingredients are purchased, the process goes in reverse. The first floor gives the raw ingredients to the second floor. The second floor checks that all the ingredients are there and then hands them off to the third floor. The third floor prepares the various courses by making the soup, tossing the salad, cooking the beef, and baking the pie. Once all this is done they hand the food off to the fourth floor. The fourth floor people package all the food up into nice courses and bring it up to the fifth floor residents so they can eat a delicious meal. Well, in essence, that’s how protocol stacks work. Protocol stacks divide network communications into different layers, like the floors in the apartment building. Each layer in the stack works on the packet in different ways. Some layers make sure the packet has all the information it needs, some layers make sure the packet is ready for an application to work with, and some layers make sure the packet gets onto the network properly. Each layer works directly with the layer above and below it, just as in the apartment building example. As packets are passed from one layer to the next, each layer examines or modifies the packet in some way. Once the packet has reached the “ground floor” of the network it is sent to its destination. The use of protocol stacks in network communications makes the task of implementing protocols much easier. By making communications more modular, a service, process or application need only concern itself with the layers it needs, leaving the other layers to someone else. 7
The OSI Protocol Stack Application Layer 7 Presentation Layer 6 Session Layer 5 Transport Layer 4 Network Layer 3 Data Link Layer 2 Physical Layer 1 Information Security: The Big Picture - SANS GIAC © 2000 8 One of the most widely known protocol stacks is the International Standards Organization (ISO) Open Systems Interconnect (OSI) model. The OSI model divides network communications into seven layers. The Physical Layer handles transmission across the physical media. This includes such things as electrical pulses on wires, connection specifications between hardware, voltage and current, etc. The Data Link Layer connects the physical part of the network (e.g. cables and electrical signals) with the abstract part (e.g. packets and data streams). It also creates the headers and validation information that get attached to packets. The Network Layer handles interaction with the network address scheme and connectivity over multiple network segments. It describes how systems on different network segments find and communicate with each other. The Transport Layer actually interacts with your information and prepares it to be transmitted across the network. It is this layer that ensures reliable connectivity from end-to-end. The Transport Layer also handles the sequencing of packets in a transmission. The Session Layer handles the establishment and maintenance of connections between systems. It negotiates the connection, sets it up, maintains it, and makes sure that information exchanged across the connection is in sync on both sides. The Presentation Layer makes sure that the data sent from one side of the connection is received in a format that is useful to the other side. For example, if the data is compressed by the sender prior to transmission, the Presentation Layer on the receiving end would have to decompress it before it can be used by the receiver. The Application Layer is responsible for interacting with the application to determine whether network services will be required. When a program requires access to the network, the Application Layer will manage requests from the program to the other layers down the stack. Why is all this important, and do you really need to memorize all this for an Introduction course? Well, only sort of. You need to have at least a passing familiarity with the OSI model because you will hear network engineers and vendors talk about “Layer 2 Switches” or “Layer 3 Protocols.” The layers they are referring to are the OSI model layers. Understanding basically what each layer does will go a long way in both understanding the conversation and securing your network services. 8
The TCP/IP Protocol Stack • Application • Transport • Internet • Network Information Security: The Big Picture - SANS GIAC © 2000 9 In comparison to the OSI protocol stack, the TCP/IP stack is much simpler. The TCP/IP model predates the OSI model and, as the underlying protocol of the Internet, is more widely used than OSI-based protocols. The TCP/IP stack only has four layers: the Application Layer, the Transport Layer, the Internet Layer, and the Network Access Layer. (Editor’s note: the four layers of the TCP/IP stack are sometimes referred to as the Application Layer, the Transport Layer, the Network Layer, and the Link Layer. – JEK) The definition of the TCP/IP layers is as follows: The Network Layer (sometimes called the Link Layer – ed.) defines how to access a specific network topology, for example Ethernet, Token Ring, etc. The Internet Layer (sometimes called the Network Layer – ed.) defines how datagrams are formatted and handles the routing of data through the network. Examples of Internet Layer protocols include IP and ICMP. The Transport Layer provides end-to-end data delivery service. This is the layer that assembles packets and sends them to the Internet layer for processing. Examples of Transport Layer protocols are TCP and UDP. Finally, the Application Layer consists of application programs and serves as the network interface into user applications. Examples of application layer service are Telnet, FTP, and DNS. 9
OSI vs. TCP/IP Application 7 Presentation 6 Application Session 5 OSI Transport 4 Transport (TCP) TCP/IP Network 3 Internet (IP) Data Link 2 Network Physical 1 Information Security: The Big Picture - SANS GIAC © 2000 10 This diagram shows a comparison between the OSI model and the TCP/IP model. As you can see, the OSI model has more granularity than the TCP/IP model. In addition, the OSI model chose to split apart some functionality that was combined in the TCP/IP model. For example, the Network Layer in the TCP/IP model comprises both the Physical Layer and the Data Link Layer in the OSI model. And the Application Layer in TCP/IP encompasses the Application, Presentation, and Session Layers of the OSI model. The OSI model is more detailed and more granular because it was designed to encompass protocols other than just TCP/IP. By creating more layers the designers of OSI made it easier to break down the functionality of each protocol and build more specific interfaces and linkages between the layers. Unless you plan on becoming a network engineer or a network application designer, it is not so important to remember each of the different layers in the two models, or even remember the functionality that each layer has. It is, however, important to know that no matter which model you use, it must perform all the functions required to take a piece of application data, place it into a packet, place that packet on the wire, and handle its safe and efficient delivery to its destination. 10
How TCP/IP Packets Are Generated “Hello There” Application “Hello There” Layer TCP Transport “Hello There” Hdr Layer IP TCP Internet Hdr Hdr “Hello There” Layer Eth IP TCP Network Hdr Hdr Hdr “Hello There” Layer Information Security: The Big Picture - SANS GIAC © 2000 11 This slide shows how a packet is generated as it moves through the stack. To start, the Application Layer takes information from the application itself. In this case we will be sending the phrase “Hello There” to another computer. The application program gives the “Hello There” to the Application Layer of the protocol stack. The Application Layer creates an empty packet and places the “Hello There” inside of it. The Application Layer then sends the packet to the Transport Layer. The Transport Layer takes the packet and adds a header to it. The header has all the information that the Transport Layer on the other side of the connection needs to determine what to do with the packet. Once the transport header is put on the packet it is given to the Internet Layer. The Internet Layer puts another header in front of the packet. Like the Transport layer before it, this header gives information for the Internet Layer on the other end. Once this header is attached, the packet is sent to the Network Layer. As you can probably guess by now, the Network Layer will want to put its own header on the packet. This header will assist the routers and gateways between the two machines in sending the packet along its way. Once this final header is placed on the packet it is put on the wire and sent to its final destination. 11
How Protocol Stacks Communicate Application Application Presentation Presentation Host Session Session Host A Transport Transport B Network Network Data Link Data Link Physical Physical Information Security: The Big Picture - SANS GIAC © 2000 12 The previous slide showed how a single stack handles the movement of data from the application program to the network. In this slide we will look at how data is passed between stacks. This slide uses the OSI model, but the process works the same way with the TCP/IP model. When two computers need to communicate with each other, it is actually the protocol stack on each computer that does the talking. Each stack layer on a host talks only to the corresponding layer on the remote computer. For example, in the above diagram the Application Layer on Host A exchanges information with the Application Layer on Host B, the Session Layer on Host A exchanges information with the Session layer on host B, etc. However, it does this by going through each of the layers below on its own host’s stack. Each layer takes the information from the layer above it, examines it, adds its own information to it, then sends it to the next layer down the stack. Once the packet reaches the bottom of the stack, it travels along the network wire to the remote host, then travels up the stack on the remote side. At each layer of the remote stack, the packet is examined, the information that layer needs is removed and the packet is sent further up the stack. Each layer removes only the information placed in the packet by the corresponding layer from the sending host’s stack. For example, the Network Layer from Host B removes and examines the information placed in the packet by the Network Layer in Host A. This is how protocol layers communicate with each other. Through the use of orderly flow of communications up and down the protocol stacks, packets can be created, moved, and examined with great efficiency across large distances and multiple networks. 12
Dial-Up Networking • Dial-Up access to the organization’s network • Must be properly controlled – Passwords – Dial-back – Tokens • Beware of “War Dialing” Information Security: The Big Picture - SANS GIAC © 2000 13 A popular method of connecting to a network is through the use of dial-up communications. Using ordinary telephone lines you can connect your computer to your organization’s network. Most people already do this with their home computers. They use their modems to connect to AOL or CompuServe or any number of Internet Service Providers. You will notice that when you connect to most service providers they will have some sort of access control to restrict use of the service to only authorized users. This is an extremely important part of dial-up security. You would be surprised at how many people hook modems up to their desktop computer to allow them to access the machine while they are out of the office. This may be fine for productivity, but many of the same people fail to use the most basic security precautions to protect their computers and their organization’s network. Failing to place even basic password protection in front of a modem is just sending an invitation to a attacker to come on in. There are many different types of protection one can use on modems. The most basic is the password protection previously mentioned. Another is the use of dial-back modems. With a dial-back arrangement, the user dials up the modem and gives some type of authentication information to prove their identity. Once this is established, the network modem disconnects the user and automatically dials them back at a pre-determined location. This makes it hard for an attacker to gain unauthorized entry, since they will have to know the location where the modem will call back to and be at that location waiting for the call. Dial-back security is not impossible to defeat, and several methods for doing so are known. However, it is much better than standard password security. Finally, the use of security tokens or smart cards adds a much higher level of authentication to the process. We will discuss security tokens later in the course. How do attackers discover unprotected modem connections? One way is through the use of social engineering to discover dial-up numbers from help desks, unsuspecting end users, and other unaware personnel. Another common method is the use of a program known as a “War Dialer.” The war dialer will dial every phone number in a specified area looking for modem tones. Once it finds one it will log the phone number and go on to the next. Once the program has completed, the user will have a list of modem-answering numbers that can then be explored. If any of those numbers does not have basic security protection it will become a victim to the attacker. Since you never know when your modem line will become the target of a war dialing scan, you need to install access security on all modems in your organization. Better yet, your organization should supply a central pool of dial-up connections for everyone, eliminating the need for modems at end users’ desks. 13
Dial-Up Networking Protocols • SLIP • PPP • PPTP Information Security: The Big Picture - SANS GIAC © 2000 14 In the old days (i.e., 1990),when you talked about dial-up communications, you were referring to the ability to connect to a host computer and run a dumb terminal session over your modem. Nowadays, when you want to connect to your network you need to interact directly with the network services that are available. For that you need to use a true network protocol. The three most widely known dial-up network protocols are the Serial Line Internet Protocol, the Point to Point Protocol, and the Point-to-Point Tunneling Protocol. The Serial Line Internet Protocol, or SLIP, is a protocol for communicating between two hosts over a serial connection. This means that you can attach a serial cable directly between two computers and communicate between them. However, SLIP is more commonly used in TCP/IP environments for dial-in service to LANs from remote workstations to hosts. SLIP is widely available and easy to implement. SLIP sends an IP datagram, byte by byte, through the dial-up connection to the remote network. Developed in the 1980s, SLIP has basic networking functionality, but falls short of having robust features like error checking. It is for this reason that use of SLIP has died down, to be replaced by more robust protocols like the Point to Point Protocol. The Point-to-Point Protocol (PPP) is a also a protocol for communication between two computers using a serial connection, typically a personal computer connected by phone line to a server. PPP primarily uses the Internet Protocol (IP), although its design allows it to handle other protocols as well. Essentially, PPP packages your computer's TCP/IP packets and forwards them to the server where they can actually be put on the remote network. PPP can be used on various physical connections, including twisted pair phone line, fiber optic lines or satellite transmissions. PPP is usually preferred over SLIP because it can handle faster line speeds and better transmission protocols. PPP can share a line with multiple users and it has error detection that SLIP lacks. Where a choice is possible, PPP is preferred. The Point-to-Point-Tunneling Protocol (PPTP) is a networking technology that supports the use of virtual private networks (VPNs) over PPP connections. We will discuss VPNs later in the course, but in brief, VPN technology allows a user to create a secure connection over an insecure network, like the Internet. PPTP was developed by Microsoft and is supported on all Windows client and server platforms. Several major flaws in PPTP have been found over the past couple of years, but it is still in use and available on most Windows client and server platforms. 14
Computer and Network Addressing • Used to uniquely identify a computer or network • A device may have multiple types of “addresses” – MAC address (00:60:1D:F0:EA:AF) – IP address (192.168.100.105) – Machine name (Enterprise) – Domain name • enterprise.federation.org • enterprise.geek.com Information Security: The Big Picture - SANS GIAC © 2000 15 We all have many ways of identifying ourselves to other people depending on what type of communication we want with them. If we meet someone on the street we use names. If we are calling someone on the phone, we use their phone number. If we are mailing them a letter, we use their street address. Computers have identifiers as well. In fact, like humans, most computers have several of them depending on the type of communication. Each device on a network must have a Media Access Control, or MAC address. The MAC address is a numeric value that uniquely identifies that network device from every other device on the planet. The MAC address is used at the deepest layers of the various communications protocols to ensure that a message or packet is delivered to the proper device. As you can see from the slide, a MAC address is fairly complex and not very easily remembered. If the device is using the IP protocol it must also have an IP address. The IP address consists of four numbers separated by periods. The numbers can be used to divide large networks into smaller networks. Each IP-based device on the network must have a unique IP address in order for it to receive information properly. Because they are shorter, it is easier to remember an IP address, but still not completely easy. Humans work better with words than with numbers. In order to remember particular computers from among the many we may work with on a regular basis, we give machines names to compliment the numbers we have already attached to them. In order to make it easier to tell one machine from another, we generally give them names that denote their function (like File Server) or names that denote a particular interest (like Enterprise or Ghandalf). Finally, you may work at a site with hundreds or thousands of computers. Or you may be on a large network like the Internet with millions of computers. How do you ensure unique names among so many computers? You do this by splitting computers up into groups called “domains.” The use of the domain grouping system allows us to address individual computers or an entire group of computers. Thus, you may have two machines named “Enterprise,” but one is in a group called “federation.org” and the other is in a group called “geek.com.” We will learn more about domains when we look at the Domain Name Service later in the course. 15
IP Addresses and Subnets • Each computer on the Internet has a unique IP address • Denoted as four numbers separated by periods – E.g. 135.118.231.10 • “Classes” of addresses – Class A: 1.0.0.0 through 127.255.255.255 – Class B: 128.0.0.0 through 191.255.255.255 – Class C: 192.0.0.0 through 223.255.255.255 Information Security: The Big Picture - SANS GIAC © 2000 16 As I stated in the last slide, when a system uses the IP protocol to communicate on the network it needs a unique IP address. IP addresses are expressed as four numbers separated by periods. Each number can theoretically range from 0 to 255, but in reality some of those numbers are reserved for special use. Given those four combinations of 256 addresses, the IP protocol can theoretically have approximately 4.2 billion possible addresses. Way back when, when the Earth was cooling and the Internet was just getting started, 4.2 billion seemed like an unlimited supply of addresses to choose from and we could never possibly run out. Well, thirty years later we are quickly seeing the day when it is possible to run out of addresses, but that discussion will come later. If everybody were allowed to just pick an IP address at random, things could get pretty confusing pretty quickly. There would be a high possibility that two people, or even two organizations, would pick the same addresses and that would cause enormous conflicts on the network. Thus, the designers of IP decided to break the available addresses, called the address “space”, into chunks of addresses. Each chunk is called an address “class.” There are four address classes, labeled A, B, C, and D. Most commonly, only classes A through C are used. The type of address class you have defines how many individual addresses you can have in your organization. So, if you are given Class A address space you will be allocated many, many more addresses than if you are given Class C address space. The underlying logic behind the class scheme is based on the bit pattern of the address itself, but that’s too in- depth for this course. So, without going into lots of bits and bytes, here’s how the class system works. Class A addresses are those that start with 1.0.0.0 and go through 127.255.255.255. If you are given a class A address space you can have a possible 16 million address in your organization. Class B address space is any address in the range 128.0.0.0 through 191.255.255.255. If you are given a Class B address space you can have approximately 65,536 addresses in your organization. Class C address space is any address in the range of 192.0.0.0 through 223.255.255.255. If you are given a Class C address space you can have up to 255 addresses in your organization. 16
Private Network Addressing • Used to handle “private” address space • Make more efficient use of IP addresses • Makes it difficult to trace info back to source • Non-routable addresses: – 10.X.X.X – 172.16.0.0 -> 172.32.255.255 – 192.168.X.X Information Security: The Big Picture - SANS GIAC © 2000 17 There are instances where it is not possible or advisable to use an IP address that is globally unique. There may be several reasons for this. First, you may have a network that is not connected to the Internet, and therefore does not need to route information to and from other networks. A second reason is that you may need a larger set of addresses than the number given to you by your ISP. A third reason might be that you need to be able to connect and share information with the Internet, but you do not necessarily want anyone to know the IP addresses you are using on your network. For these, and other, reasons, there is the use of a technique called Private Addressing. In the Internet Address specification there are ranges of addresses that are designated as “non-routable.” This means that routers will not forward packets destined for private addresses outside the local network. This can be very useful for the reasons stated above, as well for more efficient and secure use of addresses. The total number of possible unique IP addresses (in IPv4) is fixed at around 4.2 billion and if the Internet keeps growing at recent rates, we will soon run out of addresses. One way to address this is to increase the number of possible addresses. This is being addressed in the latest version of IP, IPv6. In the short term, many organizations are using private addressing. With private addressing, an organization only needs a small number of “official” IP addresses. These are the addresses it shows to the outside world. It then assigns private addresses to all of its internal machines. Unlike official, routable, addresses that must be unique across the Internet, many different organizations can use the same private addresses. Since routers will not route packets bound for private addresses, there will not be any conflict. There are three official ranges of addresses that have been reserved for private addressing: - Any address with 10 as the first number - Any address from 172.16.0.0 through 172.32.255.255 - Any address with 192.168 as the first two numbers 17
Network Address Translation (NAT) Internet 132.17.32.9 192.168.100.105 192.168.100.106 192.168.100.107 Information Security: The Big Picture - SANS GIAC © 2000 18 How does the Internet handle connectivity between private and public addresses? It uses Network Address Translation (NAT) to translate between the two. When a computer on a private network needs to connect to the outside, it connects to the Internet gateway of the organization’s network. The gateway then translates the private IP address to the organization’s public address and sends the packets on their way. When the outside machine replies to the client, it sends the replies to the gateway machine. The gateway machine remembers the private address of the originating computer and sends the reply packets there. NAT also has some security benefits as well. The first is through information hiding. Because the gateway machine translates all the private addresses to a single public address, the outside computer has no way of knowing the IP address of the originating machine. This may be highly desirable, as many organizations do not want the IP addresses of their machines known to anyone on the Internet. The second benefit is that machines outside the organization can not initiate connections to machines inside the private network. In this way, connections can only be established if the computer inside the private network requires it. This eliminates the establishment of unknown and undesired connections to your network from the Internet. 18
Ports • A way of specifying a service on a computer • Numbered from 0 to 65,535 • Assigned by IANA • “Well-known” ports for most common applications • Ephemeral ports are assigned dynamically Information Security: The Big Picture - SANS GIAC © 2000 19 In the previous slides we have learned about network protocols and network addressing. In IP network communications there is also the concept of “ports.” A port is the way a client program specifies a particular service or application program on a computer in a network. A good way to relate to ports is to think of your local Post Office. In this analogy, the Post Office building can be thought of as the computer. It is the structure that houses all the activity that goes into the business of delivering mail. If the Post Office is the computer, we can then say that the application running on the computer is called “Mail Delivery.” In the process of running “Mail Delivery” the people in the post office need a way to get mail to and from their customers. Very often, they do this through the use of post office boxes. In our analogy, the post office boxes are what we call ports in the networking world. They are the way a user or process (the customer) connects to a service (Mail Delivery). Port numbers rage from 0 to 65535. Ports 0 to 1024 are reserved for use by certain privileged services. Under the UNIX operating system, these ports can only be opened by the operating system. Ordinary user applications can only access ports higher than 1024. The more common applications that use TCP/IP, for example HTTP or FTP, have ports with pre- assigned numbers. These are known as "well-known ports" that have been assigned by the Internet Assigned Numbers Authority (IANA). For example, HTTP uses port 80, telnet uses port 23, and SMTP uses port 25. The common convention is to avoid using the well-known ports for other applications. Some applications are given port numbers dynamically for each connection. These ports are called “ephemeral” ports, because they change for each run of each application. 19
TCP/IP Messages • “From” Address • “From” Port Number • “To” Address • “To” Port Number Information Security: The Big Picture - SANS GIAC © 2000 20 OK, so how does all this fit together? Well, each connection between two computers uses four pieces of information: - The IP address of the originating computer. - The port number that the application used on the originating computer. - The IP address of the destination computer. - The port number of the application used on the destination computer. Given these four pieces of information, the computers and network elements involved in the connection can make sure information gets to and from the right places. 20