Network Security Fundamentals
Security Training Course
Dr. Charles J. Antonelli, The University of Michigan
2013

Module 2: Network Fundamentals
Roadmap
• Network Fundamentals
  - The OSI 7-layer model
  - OSI Layers 1 - 4 in detail: Ethernet and IP
  - IP subnetting and routing
  - Virtualizing the network
04/13 3 cja 2013
Some notes
• Focus on IPv4 and Ethernet
  - IP is the dominant network protocol
  - IPv6 not yet widely deployed
  - Ethernet is ubiquitous
• The basic principles apply to other protocols and other media
  - As always, the devil is in the details…
The OSI model
• 7 - Application (HTML)
• 6 - Presentation (ASCII, JPEG)
• 5 - Session (ZIP, SCP)
• 4 - Transport (TCP, UDP)
• 3 - Network (IP, IPX, Appletalk)
• 2 - Data Link (Ethernet II, IEEE 802.2)
• 1 - Physical (100BaseT, 1000BaseSX)
The OSI model in pictures
• Users interact with layer 7
• Each layer interacts with adjacent layers
• Layers communicate with peer layers
Data encapsulation
• Headers and trailers are added or stripped as data moves down and up the stack
• Each layer’s information is encapsulated by the next lower layer
An example
• Bold text on a web page
  => encapsulated by HTML (<B> Bold text </B>)
  => encoded as 8-bit ASCII
  => encapsulated in TCP: source port 80 (HTTP), destination port 12345
  => encapsulated in an IP packet from IP address 1.2.3.4 to 55.66.77.88
  => encapsulated in an Ethernet II frame from MAC address 1111.2222.3333 to 0123.4567.89ab
  => encoded as 4B/5B NRZI-3 100BaseTx
  => carried over Cat5e cable to your desktop
Two missing layers
• Layer 8: Users
  - Vulnerable to social engineering
  - Vulnerable to the “Oops of death”
  - Vulnerable to ignorance, curiosity, evil
• Layer 0: The environment
  - Equipment has to sit somewhere
  - Power has to come from somewhere
  - Cables have to follow some path
  - Everyone talks about the weather, but…
Let’s get physical
• 7 - Application
• 6 - Presentation
• 5 - Session
• 4 - Transport
• 3 - Network
• 2 - Data Link
• 1 - Physical
Layer 1 covers:
• Voltage / power levels
• Cable impedance, loss, dispersion
• RF frequency, power, modulation
• Bit encoding scheme
• Connectors and termination
• Clocking / timing / synchronization
• Collision detection / avoidance
• Speed / duplex negotiation
Layer 1 basics
• Common media are:
  - Copper (coax, twisted pair)
  - Fiber (single-mode, multimode, WDM)
  - RF (point-to-point or broadcast)
• Common electronics are:
  - Hubs (everyone hears everyone else)
  - Switches (traffic is directed to the target)
  - Media converters (wireless bridges, etc.)
Let’s talk
• 7 - Application
• 6 - Presentation
• 5 - Session
• 4 - Transport
• 3 - Network
• 2 - Data Link
• 1 - Physical
Layer 2 - data link
• The Data Link layer provides reliable transit of data across the physical layer
• Physical addressing
• Error detection and notification
• Flow control
• Frame sequencing
Layer-2 framing
• Ethernet header has three or more fields:
  - Destination (MAC) address (6 bytes)
  - Source (MAC) address (6 bytes)
  - Type (Ethernet II; 2 bytes) or Length (IEEE 802.3; 2 bytes)
  - Other data (depending on frame type)
• Ethernet trailer is a 4-byte CRC
• Frame size between 64 bytes and 1518 bytes

Frame layout (diagram): [Data link layer header][Upper layer data][Data link layer trailer] = Frame
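The encapsulation walk-through ("An example" above) and this framing slide describe the same byte stream from two angles. The following Python is an added example, not part of the course material: it builds the exact frame the slides describe (TCP port 80 to 12345, IP 1.2.3.4 to 55.66.77.88, Ethernet II from 1111.2222.3333 to 0123.4567.89ab) by adding one header per layer on the way down, then strips them again on the way up while checking the Ethernet CRC trailer, the 64-byte minimum and the IP header checksum. Assumptions: the dotted MACs are read as Cisco notation (1111.2222.3333 = 11:11:22:22:33:33), the TCP checksum is left at zero to keep the code short, and the IP identification/flags values are made up.

```python
import struct
import zlib

# Constructed values, taken from the slides' walk-through of one web-page byte stream.
SRC_MAC = "1111.2222.3333"       # Cisco dotted notation, as written on the slide
DST_MAC = "0123.4567.89ab"
SRC_IP, DST_IP = "1.2.3.4", "55.66.77.88"
SRC_PORT, DST_PORT = 80, 12345   # HTTP server -> client
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def mac_bytes(mac: str) -> bytes:
    """Accept 'aaaa.bbbb.cccc' or 'aa:bb:cc:dd:ee:ff'."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(payload: bytes) -> bytes:
    """Layer 4: 20-byte TCP header (data offset 5, PSH+ACK); checksum left 0 for brevity."""
    header = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return header + payload


def ip_packet(segment: bytes, ttl: int = 64) -> bytes:
    """Layer 3: 20-byte IPv4 header (IHL 5, DF set); the checksum covers the header only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                      ttl, PROTO_TCP, 0, ip_bytes(SRC_IP), ip_bytes(DST_IP))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + segment


def ethernet_frame(packet: bytes) -> bytes:
    """Layer 2: 14-byte Ethernet II header, data padded to 46 bytes, 4-byte CRC-32 trailer."""
    header = struct.pack("!6s6sH", mac_bytes(DST_MAC), mac_bytes(SRC_MAC), ETHERTYPE_IPV4)
    body = packet.ljust(46, b"\x00")         # enforces the 64-byte minimum frame size
    fcs = struct.pack("<I", zlib.crc32(header + body))   # FCS goes on the wire LSB first
    return header + body + fcs


def build_frame(text: bytes = b"<B> Bold text </B>") -> bytes:
    """Walk down the stack: application bytes -> TCP -> IP -> Ethernet."""
    return ethernet_frame(ip_packet(tcp_segment(text)))


def decapsulate(frame: bytes) -> dict:
    """Walk back up the stack, checking each layer's integrity field on the way."""
    if not 64 <= len(frame) <= 1518:
        raise ValueError("frame length outside 64..1518 bytes")
    fcs_ok = struct.unpack("<I", frame[-4:])[0] == zlib.crc32(frame[:-4])
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    l3 = frame[14:-4]
    ihl = (l3[0] & 0x0F) * 4
    total_length = struct.unpack("!H", l3[2:4])[0]
    ip_hdr = l3[:ihl]
    # A valid header sums (including its checksum field) to all ones, so recomputing gives 0.
    ip_hdr_ok = ip_checksum(ip_hdr) == 0
    l4 = l3[ihl:total_length]                # total length strips any layer-2 padding
    sport, dport = struct.unpack("!HH", l4[:4])
    data_offset = (l4[12] >> 4) * 4
    return {
        "dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype, "fcs_ok": fcs_ok,
        "src_ip": ".".join(map(str, ip_hdr[12:16])), "dst_ip": ".".join(map(str, ip_hdr[16:20])),
        "ttl": ip_hdr[8], "protocol": ip_hdr[9], "ip_hdr_ok": ip_hdr_ok,
        "src_port": sport, "dst_port": dport, "payload": l4[data_offset:],
    }


if __name__ == "__main__":
    f = build_frame()
    print(len(f), "byte frame")
    for k, v in decapsulate(f).items():
        print(f"{k:>10}: {v}")
```

Flipping any byte of the frame makes `fcs_ok` false while the IP header check still passes, which is the layer separation the slides describe: the CRC protects the whole frame on one link, the header checksum protects only the IP header end to end.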
MAC addresses
• Unique to each network interface
  - Sometimes this rule is violated…
• Ethernet: 6 bytes => 2.8 x 10^14 addresses
• 3-byte Vendor code, 3-byte Device code
• Some protocols (e.g. DECnet) require user-programmable MAC addresses
• Destination address of all 1s is a layer-2 broadcast (i.e. “all devices”) frame
Definition: LAN
• A LAN is a layer-2 network
  - Every device can directly reach every other device on the LAN
  - LANs are generally responsive
• A LAN is a single broadcast domain
  - A broadcast frame from any device will reach every other device on the LAN
  - LANs generally don’t scale up well
Hubs / Repeaters
• “Classic” Ethernet is multiple access
  - Every box sees every frame
  - Each interface examines every frame header
  - Frame is discarded if destination MAC isn’t either itself or a broadcast
  - CSMA/CD - half duplex, collision detection
  - On collision, back off and try again later
• A hub is a multi-port repeater
  - In one port, out on all the others
Switches
• Switches “snoop” for MAC addresses to learn which devices are on which ports
  - If destination MAC is known, frame is directed out appropriate port
  - If destination MAC is unknown, frame is flooded out all ports (except ingress)
• Switches may (must?) buffer
  - Buffer overflow => dropped traffic
• Switches do not modify transiting frames
Starting to get abstract
• 7 - Application
• 6 - Presentation
• 5 - Session
• 4 - Transport
• 3 - Network
• 2 - Data Link
• 1 - Physical
OSI and the IP protocol suite
• The IP protocol suite maps onto the OSI model layers 2 - 7
• ‘IP’ is the layer 3 part of the IP suite
• ‘TCP/IP’ is a common (and incorrect!) synonym for ‘IP’
Layer 3 - Network
• Layer 3 adds logical addresses
  - One-to-one or many-to-one mapping of layer 3 to layer 2 addresses
• Other layer 3 functions include:
  - Fragmentation / reassembly
  - Sequencing
  - Priority / precedence / type-of-service
  - Time to live
Layer 3: IP packet header
• IP Header includes:
  - Header length
  - Source & destination addresses
  - Priority
  - Fragmentation info
  - Header checksum
• Protocol field indicates what’s inside the packet
Routers
• Routers exchange layer-3 information to learn which networks are reachable on which ports
  - If destination net is known, packet is directed out appropriate port
  - If destination net is unknown, packet is forwarded to default gateway
• Routers must buffer packets
  - Buffer overflow => dropped traffic
• Routers must modify transiting frames
  - Decrement packet TTL, update header checksum
  - Rewrite source / destination MAC, frame checksum
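The forwarding steps on this slide, as an added Python example that is not part of the course material: a longest-prefix lookup over a small routing table (with a 0.0.0.0/0 entry standing in for the default gateway), a TTL decrement with header-checksum recomputation, and a fresh Ethernet header whose MACs belong to the router's egress interface and the next hop. The routing table, interface MACs and ARP cache are constructed sample values (192.0.2.0/24 and 203.0.113.0/24 are the special-purpose documentation ranges, so no real host is named); a packet whose TTL has run out or whose header checksum fails is dropped rather than forwarded.

```python
import ipaddress
import struct

# Constructed router: two directly connected subnets plus a default route to an
# upstream gateway; interface MACs and the ARP cache are made-up sample values.
INTERFACE_MAC = {0: "02:00:00:00:00:10", 1: "02:00:00:00:00:11", 2: "02:00:00:00:00:12"}
ROUTES = [                            # (prefix, next hop or None if directly connected, port)
    ("10.1.0.0/16", None, 0),
    ("10.1.2.0/24", None, 1),         # more specific than the /16 above
    ("0.0.0.0/0", "192.0.2.1", 2),    # default gateway
]
ARP_CACHE = {"10.1.2.7": "02:00:00:00:aa:07", "10.1.9.9": "02:00:00:00:aa:99",
             "192.0.2.1": "02:00:00:00:ee:01"}
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum; a valid header (checksum field included) recomputes to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4(src: str, dst: str, ttl: int, payload: bytes = b"x" * 8, proto: int = 17) -> bytes:
    """Minimal IPv4 packet (20-byte header, no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def lookup(dst: str):
    """Longest-prefix match over ROUTES; the /0 entry catches anything not otherwise known."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, port in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, port)
    return best


def forward(packet: bytes):
    """Return (egress_port, new_frame), or None if the packet is dropped."""
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        return None                           # corrupt header: drop
    ttl = packet[8]
    if ttl <= 1:
        return None                           # TTL expired: drop (a real router also sends ICMP Time Exceeded)
    dst = str(ipaddress.ip_address(packet[16:20]))
    route = lookup(dst)
    if route is None:
        return None                           # no route at all (cannot happen with a /0 entry)
    _net, next_hop, port = route
    hdr = bytearray(packet[:ihl])
    hdr[8] = ttl - 1                          # decrement TTL ...
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))   # ... and fix the header checksum
    next_ip = next_hop or dst                 # directly connected: deliver straight to the host
    next_mac = ARP_CACHE.get(next_ip)
    if next_mac is None:
        return None                           # would ARP for the next hop first; here we just drop
    # Layer 2 is rebuilt per hop: source MAC = our egress interface, destination MAC = next hop.
    eth = struct.pack("!6s6sH", bytes.fromhex(next_mac.replace(":", "")),
                      bytes.fromhex(INTERFACE_MAC[port].replace(":", "")), ETHERTYPE_IPV4)
    return port, eth + bytes(hdr) + packet[ihl:]


def frame_summary(result) -> dict:
    """Pull out the fields the slide says a router changes on every hop."""
    port, frame = result
    return {"port": port,
            "dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ttl": frame[14 + 8], "header_ok": ip_checksum(frame[14:34]) == 0}
```

A packet for 10.1.2.7 leaves on port 1 even though 10.1.0.0/16 also matches, because the /24 is more specific; a packet for 203.0.113.5 matches only the /0 and is handed to the default gateway's MAC.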
Layer 4: Transport
• IP protocols include:
  - ICMP
  - UDP & TCP
  - IGMP & PIM
  - ESP & L2TP
• UDP for one-way
• TCP for two-way
• ICMP for signalling
ARP - Address Resolution Protocol
• How do you send an IP packet to a machine whose MAC address you don’t know?
• ARP request: Layer 2 broadcast
• ARP reply: Layer 2 unicast
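The "Switches" slide (learn from the source MAC, direct known destinations, flood unknown ones and broadcasts) and this ARP slide fit together in one simulation. The following Python is an added example, not course material: a learning switch plus three constructed hosts. The ARP request is a broadcast, so it is flooded to every port but the ingress; by the time the owner replies, the switch has already learned the requester's port from the request, so the unicast reply goes out exactly one port. Host names, IPs and MACs are made up, and the ARP body is a text string standing in for the real packet format.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"       # all-ones destination = layer-2 broadcast


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: str                      # constructed text standing in for the real ARP body


@dataclass
class Switch:
    num_ports: int
    mac_table: dict = field(default_factory=dict)    # learned by snooping: MAC -> port

    def forward(self, ingress: int, frame: Frame) -> list:
        """Learn from the source MAC, then direct or flood; returns the egress port list."""
        self.mac_table[frame.src_mac] = ingress
        known = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or known is None:
            return [p for p in range(self.num_ports) if p != ingress]   # flood, minus ingress
        return [] if known == ingress else [known]          # directed out one port


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    port: int
    arp_cache: dict = field(default_factory=dict)    # IP -> MAC


def arp_exchange(switch: Switch, hosts: list, requester: Host, target_ip: str) -> list:
    """One ARP round trip through the switch; returns [(step, egress ports), ...]."""
    log = []
    request = Frame(requester.mac, BROADCAST, f"who-has {target_ip} tell {requester.ip}")
    egress = switch.forward(requester.port, request)
    log.append(("request", egress))
    for host in hosts:
        # Every host on a flooded port sees the request; only the owner of target_ip answers.
        if host.port in egress and host.ip == target_ip:
            host.arp_cache[requester.ip] = requester.mac     # the target learns the asker too
            reply = Frame(host.mac, requester.mac, f"{target_ip} is-at {host.mac}")
            log.append(("reply", switch.forward(host.port, reply)))
            requester.arp_cache[target_ip] = host.mac
    return log


def demo():
    """Three constructed hosts on a 4-port switch; A resolves B and then sends it a unicast."""
    switch = Switch(num_ports=4)
    a = Host("A", "10.0.0.1", "02:00:00:00:00:01", port=0)
    b = Host("B", "10.0.0.2", "02:00:00:00:00:02", port=1)
    c = Host("C", "10.0.0.3", "02:00:00:00:00:03", port=2)
    log = arp_exchange(switch, [a, b, c], a, b.ip)
    # A now knows B's MAC; the switch directs the data frame to port 1 only, C never sees it.
    data_egress = switch.forward(a.port, Frame(a.mac, a.arp_cache[b.ip], "IP packet"))
    return log, dict(switch.mac_table), data_egress


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note what the MAC table holds after the exchange: only A and B, because C never sent anything. Host C saw the broadcast request (flooded) but not the reply or the data frame (both directed), which is the difference between a hub and a switch in one run.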
Putting it all together
• Layer 1: Ethernet preamble
• Layer 2: MAC source/destination, frame CRC
• Layer 3: IP source/destination, header CRC
• Layer 4: Protocol/port numbers, packet CRC (maybe)
IP nets and subnetting
• Classful networks come in three sizes
  - Class A (16,777,216 addresses) - 0.x.x.x - 127.x.x.x
    e.g. Apple 17.0.0.0 - 17.255.255.255
  - Class B (65,536 addresses) - 128.x.x.x - 191.x.x.x
    e.g. Oakland U. 141.210.0.0 - 141.210.255.255
  - Class C (256 addresses) - 192.x.x.x - 223.x.x.x
    e.g. Ernst & Young (Belgium) 195.0.0.0 - 195.0.0.255
  - “Class D” range is used for Multicast: 224.x.x.x - 239.x.x.x
  - Several special networks are defined
    127.x.x.x, 169.254.x.x, 192.0.2.x are special-purpose
    “Private IP” - 10.x.x.x, 172.<16-31>.x.x, 192.168.x.x
IP nets and subnetting
• Classful addressing can be very wasteful
  - Did Merit (35.x.x.x) really need 16 million addresses?
• Subnetting divides address space into smaller chunks
  - ‘Major nets’ are assigned to organizations
  - ‘Subnets’ are assigned within organizations
• Anything within your subnet is local
• Anything outside your subnet passes through the default gateway (i.e. a router)
• Net and subnet sizes must be powers of 2
IP nets and subnetting
• Net (subnet) mask
  - ‘1’ indicates network part of address
  - ‘0’ indicates host part of address
  - Usually represented in decimal, e.g. 255.255.255.0
• CIDR (Classless Inter-Domain Routing) notation: /nn
  - nn is the number of ‘1’ bits in the mask
  - /24 = 255.255.255.0 = 11111111.11111111.11111111.00000000
• Subnets typically contain 4 - 1024 addresses, i.e. a mask of /30 to /22
• Network must begin on appropriate power-of-2 boundary
  - 141.211.40.0/22 (= 141.211.<40-43>.x) is OK
  - 141.211.42.0/22 => 141.211.42.0/23 + 141.211.44.0/23
IP nets and subnetting
• An IP subnet has three broadcast addresses:
  - Local IP broadcast: 255.255.255.255
  - Subnet directed broadcast: <IP Subnet>.<all 1s>
  - Subnet address: <IP Subnet>.<all 0s>
  - Ex: 141.211.28.0/22 = 141.211.<28.0 - 31.255>
    Local broadcast: 255.255.255.255
    Normal host address: 141.211.28.255
    Directed broadcast: 141.211.31.255
• Local broadcasts are not forwarded by routers
• Directed broadcasts might be forwarded…
• “All 0s” broadcast is deprecated
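The four "IP nets and subnetting" slides above (classful ranges, private blocks, masks and CIDR, power-of-2 alignment, and the three broadcast addresses) are all mechanical enough to check in code. The following Python is an added example, not course material, built on the standard library's `ipaddress` module; it reproduces the slides' own cases (/24 as a mask, 141.211.42.0/22 splitting into two /23s, 141.211.28.255 being an ordinary host in a /22) and generalizes them to any IPv4 prefix. The class-E label for first octets 240-255 is not on the slides and is added here.

```python
import ipaddress

# The three "Private IP" blocks named on the slide (RFC 1918), nothing else.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classful_class(ip: str) -> str:
    """Class by first octet, using the ranges on the slide; 240-255 is reserved ('Class E')."""
    first = int(ip.split(".")[0])
    if first <= 127:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    if first <= 239:
        return "D"
    return "E"


def is_private(ip: str) -> bool:
    """Only the three private blocks from the slide, not every special-purpose range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_BLOCKS)


def mask_for(prefixlen: int) -> tuple:
    """/nn -> (dotted-decimal mask, mask in binary, number of addresses)."""
    net = ipaddress.ip_network(f"0.0.0.0/{prefixlen}")
    binary = ".".join(f"{octet:08b}" for octet in net.netmask.packed)
    return str(net.netmask), binary, net.num_addresses


def is_aligned(cidr: str) -> bool:
    """True if the network begins on the power-of-2 boundary its mask requires."""
    try:
        ipaddress.ip_network(cidr, strict=True)   # strict: host bits must all be zero
        return True
    except ValueError:
        return False


def split_misaligned(cidr: str) -> list:
    """Cover the same address range with the fewest properly aligned networks."""
    addr, plen = cidr.split("/")
    start = ipaddress.ip_address(addr)
    end = start + (2 ** (32 - int(plen)) - 1)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def broadcasts(cidr: str) -> dict:
    """The three broadcast addresses from the slide for one subnet."""
    net = ipaddress.ip_network(cidr)
    return {"local": "255.255.255.255",
            "directed": str(net.broadcast_address),       # all host bits 1
            "subnet": str(net.network_address)}           # all host bits 0 (deprecated form)


def is_host_address(ip: str, cidr: str) -> bool:
    """A usable host address: inside the subnet, neither the network nor the directed broadcast."""
    net = ipaddress.ip_network(cidr)
    addr = ipaddress.ip_address(ip)
    return addr in net and addr not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    print(mask_for(22))
    print(is_aligned("141.211.40.0/22"), is_aligned("141.211.42.0/22"))
    print(split_misaligned("141.211.42.0/22"))
    print(broadcasts("141.211.28.0/22"), is_host_address("141.211.28.255", "141.211.28.0/22"))
```

`is_aligned` is the check to run on any subnet before it goes into a router or firewall configuration: 141.211.42.0/22 is rejected, and `split_misaligned` shows the two /23s the slide gives as the correct replacement.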
Switching vs. Routing
• Switches forward traffic within subnets
• Routers forward traffic between subnets
• Routers must rewrite headers
  - TTL decrements on each hop
  - Header checksum changes
  - Source/dest. MACs change with each hop
  - Frame CRC changes
  - Routers may need to fragment packets
Routing
• Routers exchange information on what IP networks (“prefixes”) they can reach
• Routing decisions are based on metrics such as path bandwidth (OSPF), hop count (RIP), or congestion (EIGRP), or on explicit policy (Reshall-via-Packeteer)
• Internet routing table >250,000 prefixes • UMnet routing table >1200 prefixes
VLANs
• People / groups / units change, move, grow, split, share space
• Separate physical LANs are expensive to build and maintain
• VLANs allow logically independent nets to share a common physical network
• Like “P” LANs, each VLAN is a separate (layer 2) broadcast domain
VLANs in switches
• Each VLAN is assigned a VLAN ID
• Access ports are assigned to one VLAN
• Trunk ports can carry multiple VLANs; each frame is tagged with the VLAN ID
• Gotchas:
  - Some switches don’t support VLANs
  - Some switches don’t support trunking
  - Switches support different # of VLANs
  - Switches support different tagging schemes
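Access ports, trunk ports and per-frame tagging, as an added Python example that is not course material. The slide names no tagging scheme; this code assumes IEEE 802.1Q, where a 4-byte tag (TPID 0x8100 plus a 16-bit TCI holding priority, DEI and the 12-bit VLAN ID) is inserted between the source MAC and the EtherType. The switch model is port-based only: a frame entering an access port takes that port's VLAN, a frame entering a trunk must carry an allowed tag, and on egress access ports receive untagged frames while trunks receive tagged ones. MAC learning is deliberately left out so that the VLAN boundary (each VLAN is its own broadcast domain) is the only thing deciding where a frame goes; untagged frames arriving on a trunk are dropped rather than mapped to a native VLAN, which is a simplification.

```python
import struct

TPID_8021Q = 0x8100               # assumption: IEEE 802.1Q tagging (the slide names no scheme)


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag (TPID + TCI) between the source MAC and the EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (priority << 13) | vlan_id          # PCP(3 bits) | DEI(1 bit, left 0) | VID(12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vlan_id, frame without its tag); vlan_id is None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


class VlanSwitch:
    """Port-based VLAN forwarding; no MAC learning, so every frame floods within its VLAN."""

    def __init__(self, ports: dict):
        # ports: port number -> ("access", vlan_id) or ("trunk", {allowed vlan ids})
        self.ports = ports

    def forward(self, ingress: int, frame: bytes) -> dict:
        """Return {egress_port: frame as sent on that port}; a frame never leaves its VLAN."""
        kind, setting = self.ports[ingress]
        vid, plain = untag_frame(frame)
        if kind == "access":
            vid = setting                     # access port: VLAN comes from port config, any tag is ignored
        elif vid is None or vid not in setting:
            return {}                         # trunk: untagged, or a VLAN this trunk does not carry -> drop
        out = {}
        for port, (pkind, psetting) in self.ports.items():
            if port == ingress:
                continue
            if pkind == "access" and psetting == vid:
                out[port] = plain             # access ports always receive untagged frames
            elif pkind == "trunk" and vid in psetting:
                out[port] = tag_frame(plain, vid)   # trunk ports carry the VLAN ID in the tag
        return out


def sample_frame() -> bytes:
    """Constructed untagged Ethernet II frame: broadcast dst, made-up src, EtherType IPv4, dummy payload."""
    return struct.pack("!6s6sH", bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001"),
                       0x0800) + b"payload"


if __name__ == "__main__":
    # Constructed topology: ports 0 and 2 in VLAN 10, port 1 in VLAN 20, port 3 a trunk for both.
    sw = VlanSwitch({0: ("access", 10), 1: ("access", 20), 2: ("access", 10), 3: ("trunk", {10, 20})})
    for port, out in sw.forward(0, sample_frame()).items():
        print(port, untag_frame(out)[0], len(out))
```

In the constructed topology a broadcast from port 0 reaches port 2 untagged and port 3 tagged with VLAN 10, and never reaches port 1: same physical switch, two broadcast domains.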
UMnet backbone diagram
(diagram, not reproduced here: http://www.itcom.itd.umich.edu/backbone/)
UMnet VLAN configuration
(diagram, not reproduced here; labels shown: Data VLAN, VOIP VLAN and Wireless VLAN carried over a VLAN Trunk; UMnet Backbone, Distribution Layer and Access Layer; Workstations, IP Telephones and Wireless APs at the access layer)