www.supinfo.com
Copyright SUPINFO. All
rights reserved
TCP Basics
Course objectives
By completing this course you will:
- Understand the TCP and UDP protocols
- Understand how several communications happen at the same time
- Understand the basics of firewalling
Course plan:
During this course we'll see:
- OSI and TCP/IP models
- Intro to transport
- UDP
- Congestion control basics
- Firewalling
History
Computers were not connected together
OSI Model in 7 layers (created by the ISO)
TCP/IP model
Resulting from research by the US Department of Defense; an evolution of ARPANet, the ancestor of the Internet.
OSI Layers
The layer system helps to break down network functions:
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
7 provides network access to applications
4 how the data is sent (reliably or not) / well-known services (ports)
3 logical addressing (best path to a destination)
2 physical addressing / ensures error-free data
1 ensures access (cable, electrical signal)
Analogy with a human conversation:
7 A wish to converse
6 Same spoken language
5 Starts with "Hello"
4 Assurance that the message is received
[Figure: the seven OSI layers, top to bottom: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical]
TCP/IP Layers
Model in 4 layers:
4 Application
3 Transport
2 Internet
1 Network Access
Encapsulation: PDUs
[Figure: application data passes down the stack and is wrapped at each layer: Data (Application, Presentation, Session) -> Segment (Transport, header added) -> Packet (Network, header added) -> Frame (Data Link, header added) -> bits on the wire at the Physical layer (0110011101001001001001100101). Decapsulation is the reverse process on the receiving side.]
Reference Models
Benefits of a layered model:
- A division of the communication network into smaller and easier elements
- Standardization of the elements
- The possibility of modifying one aspect of the communication network without modifying the remainder
[Figure: the 7-layer OSI model (Application down to Physical) side by side with the 4-layer TCP/IP model]
The OSI model is used as a reference model; it is not implemented physically on the equipment.
Stop-and-think 1
Match each PDU to its layer.
Layers: Layer 1, Layer 2, Layer 3, Layer 4, Layer 5, Layer 6, Layer 7
PDUs: Segment, Bits, Packet, Data, Frame
Stop-and-think 2
Which are the 4 layers of the TCP/IP model? Fill in the blanks:
Application ___________
___________ Transport
Internet ___________
Stop-and-think
Do you have any questions?
End-to-End Protocols
The underlying network is best-effort; it may:
- drop messages
- re-order messages
- deliver duplicate copies of a given message
- limit messages to some finite size
- deliver messages after an arbitrarily long delay
An end-to-end (transport) protocol should, among other things:
- support synchronization
- allow the receiver to flow-control the sender
- support multiple application processes on each host
UDP Checksums
- Optional in the current Internet.
- The pseudoheader consists of three fields from the IP header (the protocol number, TCP or UDP; the IP source address; the IP destination address) plus the UDP length field.
- The pseudoheader enables verification that the message was delivered between the correct source and destination: if the IP destination address were changed during delivery, the checksum would reflect this.
- UDP uses the same checksum algorithm as IP, the Internet checksum:
  - Basic idea: the sender adds up all words and transmits the sum.
  - Add using 16-bit one's complement arithmetic, then take the one's complement of the result to get the checksum.
  - The receiver adds up all words and compares the result with the checksum.
  - It is very simple and efficient to code, which is the reason it is used instead of a CRC.
  - It is not really great at detecting errors; a CRC is much stronger.
  - Forward error correction is another possibility.
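As an added example that is not part of the original course material, the Internet checksum and the UDP pseudoheader described above written out in Python; the addresses, ports and payload are constructed for the test, and 17 is the IANA protocol number of UDP.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """Add all 16-bit words with end-around carry (16-bit one's complement arithmetic)."""
    if len(data) % 2:
        data += b"\x00"  # a trailing odd byte is padded with zero, as RFC 768 requires
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def internet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's complement sum."""
    return ~ones_complement_sum(data) & 0xFFFF

def udp_pseudoheader(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """Pseudoheader from the slide: IP src, IP dst, zero byte, protocol number 17 (UDP), UDP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)

def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Sender side: checksum over pseudoheader + UDP header + data, then fill the header field."""
    udp_len = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, udp_len, 0)  # checksum field is zero while summing
    csum = internet_checksum(udp_pseudoheader(src_ip, dst_ip, udp_len) + header + payload)
    if csum == 0:
        csum = 0xFFFF  # in UDP a transmitted 0 means "no checksum", so all-ones is sent instead
    return struct.pack("!HHHH", sport, dport, udp_len, csum) + payload

def verify_udp(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """Receiver side: re-add everything, transmitted checksum included; a good datagram sums to
    all ones. src/dst come from the IP header the datagram arrived in, which is why a datagram
    delivered to the wrong address fails the check."""
    if len(datagram) < 8:
        return False
    udp_len = struct.unpack("!H", datagram[4:6])[0]
    if udp_len != len(datagram):
        return False  # length field disagrees with what was actually received
    total = ones_complement_sum(udp_pseudoheader(src_ip, dst_ip, udp_len) + datagram)
    return total == 0xFFFF
```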
UDP in practice
- The minimal specification makes UDP very flexible: any kind of end-to-end protocol can be implemented on top of it (see programming assignment #1); TCP itself could be implemented using UDP.
- Examples: most commonly used in multimedia applications, which are frequently more robust to loss; RPCs; many others.
Congestion control basics
Issues:
- Detecting congestion
- Reacting to congestion
- Avoiding congestion
- Shaping traffic, QoS mechanisms
Firewall basics
- Gain a better understanding of what a firewall is.
- Understand different firewall types.
- Understand where firewalls fit.
What is a firewall?
A firewall is a device (or software feature) designed to control the flow of traffic into and out of a network. In general, firewalls are installed to prevent attacks.
What is an attack?
"Attack" covers many things:
1. Someone probing a network for computers.
Edge Firewall
An edge firewall is usually software running on a server or workstation. An edge firewall protects a single computer from attacks directed against it. Examples of these firewalls are:
- ZoneAlarm
- BlackIce
- IPFW on OS X
Firewall Appliance
An appliance firewall is a device whose sole function is to act as a firewall. Examples of these firewalls are:
- Cisco PIX
- Netscreen series
Network Firewall
Router/bridge based firewall: a firewall running on a bridge or a router protects anything from a group of devices to an entire network.
Filtering criteria typically include the destination IP address and port; some firewalls also allow filtering on other protocols and on higher layers of the OSI model.
Sample rules:
Can you find the problem?
(For this example, when a packet matches a rule, rule processing stops.)
Pass in on $external from any proto tcp to 134.71.1.25 port = 80
Pass in on $external from any proto tcp to 134.71.1.25 port = 53
Pass in on $external from any proto udp to 134.71.1.25 port = 53
Pass in on $external from any proto tcp to 134.71.1.25 port = 25
Block in log on $external from any to 134.71.1.25
Block in on $external from any to 134.71.1.0/24
Pass in on $external from any proto tcp to 134.71.1.25 port = 22
Pass out on $internal from 134.71.1.0/24 to any keep state
The SSH rule (port 22) never has a chance to be evaluated: all remaining traffic to 134.71.1.25 has already been blocked by the two preceding block rules.
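An added example, not from the original slides: a small first-match evaluator for the ruleset above that reports which rule decides a given packet and which rules are shadowed by earlier ones. The rule grammar and the packet representation are simplifications made for this example, and interface macros such as $external are not resolved.

```python
import ipaddress
import re

# Grammar for the sample ruleset above (pf-like syntax; constructed for this example).
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?\s+on\s+\$\w+\s+from\s+(?P<src>\S+)"
    r"(?:\s+proto\s+(?P<proto>tcp|udp))?\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?(?:\s+keep\s+state)?$", re.IGNORECASE)

# The slide's rules, embedded so the block runs offline.
RULES = """\
Pass in on $external from any proto tcp to 134.71.1.25 port = 80
Pass in on $external from any proto tcp to 134.71.1.25 port = 53
Pass in on $external from any proto udp to 134.71.1.25 port = 53
Pass in on $external from any proto tcp to 134.71.1.25 port = 25
Block in log on $external from any to 134.71.1.25
Block in on $external from any to 134.71.1.0/24
Pass in on $external from any proto tcp to 134.71.1.25 port = 22
Pass out on $internal from 134.71.1.0/24 to any keep state""".splitlines()

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparsed rule: " + line)
    d = m.groupdict()
    net = lambda s: None if s == "any" else ipaddress.ip_network(s, strict=False)
    return {"action": d["action"].lower(), "dir": d["dir"].lower(), "src": net(d["src"]),
            "dst": net(d["dst"]), "proto": d["proto"].lower() if d["proto"] else None,
            "port": int(d["port"]) if d["port"] else None}

def matches(r, pkt):
    """Does rule r match packet pkt (dict with dir, proto, src, dst, dport)?"""
    return (r["dir"] == pkt["dir"] and r["proto"] in (None, pkt["proto"])
            and (r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(pkt["dst"]) in r["dst"])
            and r["port"] in (None, pkt["dport"]))

def first_match(rules, pkt):
    """First-match evaluation as on the slide: index of the rule that decides pkt, or None."""
    return next((i for i, r in enumerate(rules) if matches(r, pkt)), None)

def covers(a, b):
    """True when every packet rule b could match is already matched by the earlier rule a."""
    sub = lambda x, y: x is None or (y is not None and x.supernet_of(y))
    return (a["dir"] == b["dir"] and a["proto"] in (None, b["proto"]) and sub(a["src"], b["src"])
            and sub(a["dst"], b["dst"]) and a["port"] in (None, b["port"]))

def shadowed(rules):
    """Indexes of rules that can never be reached under first-match evaluation."""
    return [j for j in range(len(rules)) if any(covers(rules[i], rules[j]) for i in range(j))]
```

For the ruleset above, shadowed() returns index 6, the SSH rule, and first_match() on an inbound TCP packet to 134.71.1.25 port 22 stops at the "Block in log" rule.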
If you set your rules to log too much, your logs will not be examined. If you log too little, you won't see the things you need. If you don't log at all, you have no information on how your firewall is operating.
Jul 31 11:52:51 kd2 ipmon[14110]: 11:52:50.501969 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 11:52:54 kd2 ipmon[14110]: 11:52:53.501498 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 11:52:56 kd2 ipmon[14110]: 11:52:55.703527 xl0 @1:10 b 142.163.9.225,6346 -> 134.71.202.57,3343 PR tcp len 20 40 -A IN
Jul 31 11:52:57 kd2 ipmon[14110]: 11:52:56.500682 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 11:53:00 kd2 ipmon[14110]: 11:52:59.500694 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 12:00:24 kd2 ipmon[14110]: 12:00:24.220209 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:00:26 kd2 ipmon[14110]: 12:00:26.040009 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:00:28 kd2 ipmon[14110]: 12:00:28.794944 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:00:34 kd2 ipmon[14110]: 12:00:34.302899 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:00:46 kd2 ipmon[14110]: 12:00:45.284181 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
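As an added example that is not part of the original course: a parser for the ipmon lines above that collapses the repeated blocked connection attempts from one source into a single count, which is one way of keeping a verbose log readable. The field layout is inferred from the lines shown, a few of which are embedded as sample input; the retry threshold is an arbitrary choice for the example.

```python
import re
from collections import Counter

# Field layout of the ipmon lines shown above (the trailing TCP flag field is optional).
LOG_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \S+ ipmon\[\d+\]: (?P<ts>[\d:.]+) (?P<iface>\S+) @(?P<rule>\S+) "
    r"(?P<act>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)$")

# A few of the slide's log lines, embedded so the block runs offline.
SAMPLE_LOG = """\
Jul 31 11:52:51 kd2 ipmon[14110]: 11:52:50.501969 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 11:52:54 kd2 ipmon[14110]: 11:52:53.501498 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 11:52:56 kd2 ipmon[14110]: 11:52:55.703527 xl0 @1:10 b 142.163.9.225,6346 -> 134.71.202.57,3343 PR tcp len 20 40 -A IN
Jul 31 11:52:57 kd2 ipmon[14110]: 11:52:56.500682 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 12:00:24 kd2 ipmon[14110]: 12:00:24.220209 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
Jul 31 12:00:26 kd2 ipmon[14110]: 12:00:26.040009 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN
""".splitlines()

def parse_ipmon(line):
    """Return the fields of one ipmon line as a dict, or None if the line has another shape."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["blocked"] = d["act"] == "b"  # ipmon marks blocked packets with 'b', passed ones with 'p'
    return d

def blocked_syn_summary(lines):
    """Count blocked inbound TCP SYNs per (src, dst, dport): the retries of one source to one
    closed port, as in the slide, become a single counter instead of one line per retry."""
    counts = Counter()
    for line in lines:
        ev = parse_ipmon(line)
        if ev and ev["blocked"] and ev["dir"] == "IN" and ev["proto"] == "tcp" and ev["flags"] == "S":
            counts[(ev["src"], ev["dst"], ev["dport"])] += 1
    return counts

def noisy_sources(lines, threshold=3):
    """(src, dst, dport) triples whose blocked SYN count reached the threshold: candidates for a
    closer look, and for summarising rather than logging every retry."""
    return sorted(key for key, n in blocked_syn_summary(lines).items() if n >= threshold)
```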
What is a state?
When your computer makes a connection with another computer on the network, several things are exchanged, including the source and destination ports. In a standard firewall configuration, most inbound ports are blocked. This would normally cause a problem with return traffic, since the source port is randomly assigned (and differs from the destination port). A state is a dynamic rule created by the firewall containing the source-destination port combination, allowing the desired return traffic to pass the firewall.
A single computer could have hundreds of states, depending on the number of established connections. Consider a server supporting POP3, FTP, WWW and Telnet/SSH access: it could have thousands of states.
Without state, your request would leave the firewall but the reply would be blocked.
[Figure: a sample firewall state table, one entry per connection, listing the local and remote address,port pairs, the protocol (tcp or udp), the connection state counters and the time remaining before the entry expires]
The firewall is the first layer of defense in any security model. It should not be the only layer. A firewall can stop many attacks from reaching target machines: if an attack can't reach its target, the attack is defeated.
Ruleset design
Two main approaches to designing a ruleset are:
1.
2.
What is IDS?
IDS is an Intrusion Detection System.
IDS can identify many attacks and traffic patterns crossing a border device.
Sending bad traffic or malformed packets is a form of attack easily blocked at a firewall. The firewall inspects every packet and rejects those that are not properly formed or are intentionally malformed, protecting devices that may be susceptible.
Private IP address traffic should never be seen on the IT.UU.SE network. Private IP address blocks (RFC 1918):
- 10.0.0.0 to 10.255.255.255 (255.0.0.0 mask)
- 172.16.0.0 to 172.240.0.0 (255.240.0.0 mask)
- 192.168.0.0 to 192.168.255.255 (255.255.0.0 mask)
Should you tell a sending machine that its traffic was blocked, or let it wait until it times out? For some traffic, it's better to let the sending machine wait: this slows down the rate of attack. For other traffic (such as SMTP) it may be nice to tell the sender that the SMTP port is closed.
Poking holes
How to allow traffic and expose yourself.
OK, you've decided to block traffic. Do you have to block all traffic? No. You can allow selected traffic in. The criteria for allowing traffic are the same as for blocking traffic.
Compromised Machines
Just a note about compromised machines: When a machine is compromised, you have no way to determine exactly what was hacked. Cleaning what you think is the problem may not rid yourself of everything. Most instances require a reformat and reinstall of the operating system for proper cleaning.
Summary
- How TCP and UDP work
- Traffic filtering
Congratulations
You have successfully completed the SUPINFO course, Chapter 4.
The End