Chapter 4 Transport Layer Basics

Did you say port ?

Campus-Booster ID : XXXX

www.supinfo.com
Copyright SUPINFO. All

rights reserved

TCP Basics

Course objectives
By completing this course you will:
Understand TCP and UDP protocols Understand the way several communications happen at the same time Understand the basics of firewalling

TCP Basics

Course plan :
During this course we'll see :

Osi TCP/IP Models Intro to transport UDP Congestion control basics Firewalling

TCP Basics

OSI and TCP/IP models

OSI and TCP/IP models

History
Computers were not connected together

First pseudo network Sneakernet

Anarchistic evolution + Absence of standardization + Incompatibility between manufacturers impossibility to communicate

Examples : DecNET, SNA

OSI and TCP/IP models

History
OSI Model in 7 layers (created by the ISO)

Allow interconnection between networks of various manufacturers

Independent, generic conceptual model

Objective To analyze the communication network by cutting out it in various steps

OSI and TCP/IP models

History
TCP/IP model

Resulting from research of the Department of Defense of the US. Evolution of ARPANet
Ancestor of Internet

Decentralized mode of communication

OSI and TCP/IP models

OSI Layers
The layers system helps to break down network functions 7 Application 6 Presentation 5 Session 4 Transport 3 Network 2 Data Link 1 Physical

OSI and TCP/IP models

OSI Layers
7 provides network access to applications

6 Generate data / encryption services

5 Starts and ends sessions (logical session separation)

Layers 5 to 7 are handle by the OS and browser

OSI and TCP/IP models

OSI Layers
4 how the data is sent (reliable way or not) / wellknown services (ports) 3 logical addressing (best path to a destination) 2 physical addressing / ensures error-free data 1 ensures access (cable, electrical signal )

OSI and TCP/IP models

OSI Layers
Analogy with a human conversation 7 A wish to converse 6 Same spoken language 5 Starts with Hello 4 Insurance of receiving the message

3 Transported by the sound

2 Preparation to sending (air, telephone, ) 1 The sound is propagated in space

OSI and TCP/IP models

OSI Layers

Application

DNS, FTP, SNMP, Telnet

6 5
4 3 2 1

Presentation
Session Transport Network Data Link Physical

GIF, MPEG, ZIP, MD5

SQL, NetBIOS, X Window TCP, UDP, SPX IP, IPX,ICMP MAC, HDLC, PPP UTP, STP, Fiber optical

OSI and TCP/IP models

OSI Layers

Please Do Not Throw S ausage P izza Away

OSI and TCP/IP models

TCP/IP Layers
Model in 4 layers

4 3
2 1

Application

Layer 5 to 7of the OSI Model

Transport
Internet Network Access

Reliability of the transmission

Path selection Regroup the layer 1 & 2 of the OSI Model

TCP/IP Model is not just a protocol but a team of protocol

OSI and TCP/IP models

Encapsulation : PDUs

Application

6 5
4 3 2 1

Presentation
Session Transport Network Data Link Physical

Data

Segment Packet Frame Bit

OSI and TCP/IP models

Encapsulation : PDUs
Encapsulation

Application Presentation Session Transport Network Data Link Physical Segment Packet Frame Header
Header Header Packet

Data Data Data

Data Segment Trailer

Application Presentation Session Transport Network Data Link Physical

0110011101001001001001100101
Decapsulation

OSI and TCP/IP models

Encapsulation: PDUs
A division of the communication network in smaller and easier elements

Elements standardizations

The possibility of modifying an aspect of the communication network without modifying the remainder

OSI and TCP/IP models

Comparison between the 2 models

OSI Model TCP/IP Model

7 6 5 4 3 2 1

Application Presentation Session Transport Network

Data Link

Application

4 3 2 1

Transport Internet Network Access

Physical

Reference Models

Comparison between the 2 models

Common points Layers models

Layer Application similar but with different services

Layer Transport & layer Network similar

Both ensure the commutation of the packets

OSI and TCP/IP models

Comparison between the 2 models

Differences Do not use same technologies

The networks are built with TCP/IP

OSI model is used like a model of reference, and is not implemented physically on the equipment

OSI and TCP/IP models

Stop-and-think 1
To connect PDUs to their layers

Layer 1 Layer 2 Layer 3 Layer 4 Layer 5 Layer 6 Layer 7 Segment Bits Packet Data Frame

OSI and TCP/IP models

Stop-and-think 2
Which are the 4 layers of model TCP/IP?

Application ___________

___________ Transport
Internet ___________

___________ Network Access

OSI and TCP/IP models

Stop-and-think
Do you have any questions ?

TCP Basics

Transport Layer: Basics

Intro to transport UDP Congestion control basics

Transport Layer Basics

To Boldly Go Where We Have Yet to Go

Recall Internet Architecture Layers used to define functionality Our focus up to now has been layer 5 Applications demand reliable transport Application may demand predictable delays
Application Transport Network
5 4 3 2 1

Link
Physical

We are now going up to layer 4

This layer is tricky! Goal at the end of the next few weeks is an understanding of the Reno version of TCP

Transport Layer Basics

End-to-End Protocols
Underlying network is best-effort
drop messages re-orders messages delivers duplicate copies of a given message limits messages to some finite size delivers messages after an arbitrarily long delay

Common end-to-end services

guarantee message delivery

deliver messages in the same order they are sent deliver at most one copy of each message support arbitrarily large messages

support synchronization
allow the receiver to flow control the sender support multiple application processes on each host

Transport Layer Basics

Basic function of transport layer

How can processes on different systems get the right messages? Ports are numeric locators which enable messages to be demultiplexed to proper process. Ports are addresses on individual hosts, not across the Internet. Ports are established using well-know values first Port 80 = http, port 53 = DNS

Ports are typically implemented as message queues

Simplest function of the transport layer: multiplexing/demultiplexing of messages Enables processes on different systems to communicate End-to-end since only processes on end hosts invoke this protocol

Transport Layer Basics

Other transport layer functions

Connection control Setting up and tearing down communication between processes Error detection within packets our first focus Checksums Reliable, in order delivery of packets our second focus Acknowledgement schemes Flow control Matching sending and receiving rates between end hosts Congestion control Managing congestion in the network

Transport Layer Basics

User Datagram Protocol (UDP)

Unreliable and unordered datagram service Adds multiplexing/demultiplexing Adds reliability through optional checksum No flow or congestion control Endpoints identified by ports servers have well-known ports see /etc/services on Unix Header format
0 SrcPort Checksum Data 16 DstPort Length 31

Optional checksum Computed over psuedo header + UDP header + data

Transport Layer Basics

UDP Checksums
Optional in current Internet Pseudoheader consists of 3 fields from IP header: protocol number (TCP or UDP), IP src, IP dst and UDP length field Pseudoheader enables verification that message was delivered between correct source and destination.

IP dest address was changed during delivery, checksum would reflect this
UDP uses the same checksum algorithm as IP Internet checksum

Transport Layer Basics

Basics of dealing with errors

Bit errors can be introduced in packets This problem has been studied for a long time Error detection (and correction) codes Cyclic redundancy check (CRC) is a common error detection method

Basic idea of any scheme is to add redundant data

Extreme example send two identical copies of data Poor for many reasons

A primary goal is to send minimal amount of redundant data

CRC used in Ethernet has 32 bits for each 1500 byte packet

Another goal is to make generation of checksum fast

Transport Layer Basics

Checksum basics contd.

Simple parity is the most basic method for error detection Odd/even parity Internet Checksum

Basic idea: sender adds up all words and transmit the sum
Add using 16 bit ones complement arithmetic then take ones complement of the result to get checksum Receiver adds up all words and compares with checksum Its very simple and efficient to code this Reason that this is used instead of CRC Not really great detecting errors CRC is much stronger Forward error correction is another possibility

Transport Layer Basics

UDP in practice
Minimal specification makes UDP very flexible Any kind of end-to-end protocol can be implemented See programming assignment #1 TCP can be implemented using UDP Examples Most commonly used in multimedia applications These are frequently more robust to loss RPCs Many others

Transport Layer Basics

Congestion in the Internet

Checksums are effective for detecting bit errors but bit errors are not the only problem
Throughput/delay Optimal load

We know that traffic has bursty characteristics

Statistical multiplexing of ON/OFF sources Heavy-tailed file sizes

Routers have limited buffer capacity

Packets received after buffers are full are dropped
Buffers do protect from short bursts

Load

Congestion lengthens delays and lowers throughput

Standard throughput/load curve

Transport Layer Basics

How can we deal with congestion?

Over-provision networks
Very expensive Commonly done

Networks designed to normally operate at 5% capacity

Develop protocols to respond to congestion Route away from congestion Good idea How can we do it? Retransmit in the face of loss This is the state of the art

Transport Layer Basics

Congestion Control Basics

UDP will send packets at a specified rate Does not have any mechanism for dealing with congestion

Issues:
Detecting congestion Reacting to congestion

Avoiding congestion
Shaping traffic QoS mechanisms

Transport protocol will deal with congestion

TCP Basics

Firewall basics
Gain a better understanding of what a firewall is. Understand different firewall types. Understand where firewalls fit.

What is a firewall?

A firewall is a device (or software feature) designed to control the flow of traffic into and out-of a network. In general, firewalls are installed to prevent attacks.

What is an attack?
Attack covers many things: 1. Someone probing a network for computers.

2. Someone attempting to crash services on a computer.

3. Someone attempting to crash a computer (Win nuke).

4. Someone attempting to gain access to a computer to use resources or information.

Edge Firewall
An edge firewall is usually software running on a server or workstation. An edge firewall protects a single computer from attacks directed against it. Examples of these firewalls are: ZoneAlarm

BlackIce
IPFW on OSX

Firewall Appliance
An appliance firewall is a device whose sole function is to act as a firewall. Examples of these firewalls are: Cisco PIX. Netscreen series.

Network Firewall
Router/Bridge based Firewall A firewall running on a bridge or a router protects from a group of devices to an entire network.

Computer-based Network Firewall

A network firewall runs on a computer (such as a PC or Unix computer). More flexible. Many free products are available including IPFilter, PF and IPTables (found on Linux). Commercial products include: Checkpoint Firewall-1. Apple OSX includes IPFW (included in an operating system that has to be purchased).

Why use a firewall?

Protect a wide range of machines from general probes and many attacks. Provides some protection for machines lacking in security.

Great first line of defense

Having a firewall is a necessary evil. Its like living in a gated community. The gate may stop 99% of unwanted visitors. The locks on your doors stop the remaining 1% (maybe, but you get the idea). Dont let the firewall give you a false sense of security. Harden your machines by turning off services you dont need.

How does a firewall work?

Blocks packets based on:

Source IP Address or range of addresses.

Source IP Port Destination IP Address or range of addresses.

Destination IP Port
Some allow higher layers up the OSI model. Other protocols

Sample firewall rules

Protected server: Protected subnet: 134.71.1.25 134.71.1.0/24

$internal refers to the internal network interface on the firewall.

$external refers to the external network interface on the firewall.

Sample rules:
Can you find the problem?
(For this example, when a packet matches a rule, rule processing stops.)

Pass in on $external from any proto tcp to 134.71.1.25 port = 80

Pass in on $external from any proto tcp to 134.71.1.25 port = 53

Pass in on $external from any proto udp to 134.71.1.25 port = 53 Pass in on $external from any proto tcp to 134.71.1.25 port = 25 Block in log on $external from any to 134.71.1.25 Block in on $external from any to 134.71.1.0/24 Pass in on $external from any proto tcp to 134.71.1.25 port = 22 Pass out on $internal from 134.71.1.0/24 to any keep state

Sample rules:
Can you find the problem?
(For this example, when a rules matches a packet, rule processing stops.)

Pass in on $external from any proto tcp to 134.71.1.25 port = 80 Pass in on $external from any proto tcp to 134.71.1.25 port = 53 Pass in on $external from any proto udp to 134.71.1.25 port = 53 Pass in on $external from any proto tcp to 134.71.1.25 port = 25 Block in log on $external from any to 134.71.1.25 Block in on $external from any to 134.71.1.0/24 Pass in on $external from any proto tcp to 134.71.1.25 port = 22 Pass out on $internal from 134.71.1.0/24 to any keep state

The SSH rule would never have a chance to be evaluated. All traffic to 134.71.1.25 is blocked with the previous two rules.

To log or not to log

Logging is both good and bad.

If you set your rules to log too much, your logs will not be examined. If you log too little, you wont see things you need. If you dont log, you have no information on how your firewall is operating.

Sample log file

Jul 31 11:50:05 kd2 ipmon[14110]: 11:50:05.633338 xl0 @1:10 b 213.244.12.136,4610 -> 134.71.202.57,80 PR tcp len 20 44 -S IN Jul 31 11:50:30 kd2 ipmon[14110]: 11:50:30.771581 xl0 @0:3 b 213.244.12.136,2243 -> 134.71.203.168,80 PR tcp len 20 44 -S IN Jul 31 11:50:30 kd2 ipmon[14110]: 11:50:30.772833 xl0 @0:3 b 213.244.12.136,2260 -> 134.71.203.185,80 PR tcp len 20 44 -S IN Jul 31 11:52:48 kd2 ipmon[14110]: 11:52:47.511993 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN

Jul 31 11:52:51 kd2 ipmon[14110]: 11:52:50.501969 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN
Jul 31 11:52:54 kd2 ipmon[14110]: 11:52:53.501498 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN Jul 31 11:52:56 kd2 ipmon[14110]: 11:52:55.703527 xl0 @1:10 b 142.163.9.225,6346 -> 134.71.202.57,3343 PR tcp len 20 40 -A IN Jul 31 11:52:57 kd2 ipmon[14110]: 11:52:56.500682 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN Jul 31 11:53:00 kd2 ipmon[14110]: 11:52:59.500694 xl0 @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN Jul 31 12:00:24 kd2 ipmon[14110]: 12:00:24.220209 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN Jul 31 12:00:26 kd2 ipmon[14110]: 12:00:26.040009 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN Jul 31 12:00:28 kd2 ipmon[14110]: 12:00:28.794944 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN Jul 31 12:00:34 kd2 ipmon[14110]: 12:00:34.302899 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN Jul 31 12:00:46 kd2 ipmon[14110]: 12:00:45.284181 xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN

What is a state?
When your computer makes a connection with another computer on the network, several things are exchanged including the source and destination ports. In a standard firewall configuration, most inbound ports are blocked. This would normally cause a problem with return traffic since the source port is randomly assigned (different from the destination port). A state is a dynamic rule created by the firewall containing the source-destination port combination, allowing the desired return traffic to pass the firewall.

How many states can a computer have?

A single computer could have hundreds of states depending on the number of established connections. Consider a server supporting POP3, FTP, WWW and Telnet/SSH access. It could have thousands of states.

What happens without state?

Without state, your request for traffic would leave the firewall but the reply would be blocked.

Sample state table

kd2.ec.csupomona.edu - IP Filter: v3.4.28 - state top Src = 0.0.0.0 Dest = 0.0.0.0 Proto = any Sorted by = # bytes Source IP Destination IP ST PR #pkts #bytes 551 399 33 2 5 2 1 62 35 35 16 14 16 7 32 ttl 368024 119:59:56 258160 119:59:59 6872 119:59:16 458 0:06 07:50:50

134.71.202.57,4738 134.71.202.57,4744 134.71.202.57,1039 134.71.203.168,138 134.71.202.57,4727 134.71.203.168,137 134.71.202.57 134.71.202.57,137 134.71.202.57,1028 134.71.202.57,1038 134.71.202.57,138 134.71.203.168,138 134.71.203.168,137 134.71.202.57,1036 134.71.202.57

64.160.215.222,1677 4/4 tcp 64.160.215.222,1677 4/4 tcp 134.71.204.115,1410 4/4 tcp 134.71.203.255,138 0/0 udp

64.160.215.222,1677 0/6 tcp 134.71.203.255,137 0/0 udp

200 1:58:03 156 0:13

239.255.255.250

0/0 igmp 0/0 udp 0/0 udp

1:20 1:51 0:11

134.71.203.255,137 134.71.4.100,53

5844 4910

216.136.175.142,5050 4/4 tcp 134.71.203.255,138 134.71.203.255,138 134.71.203.255,137 0/0 udp 0/0 udp 0/0 udp

4208 119:59:59 3520 3026 1536 1127 320 1:54 1:49 2:00 1:59 1:58

239.255.255.250,1900 0/0 udp 0/0 igmp 10 5 3

239.255.255.250

134.71.202.57,4727 134.71.202.57,1031

64.160.215.222,1677 0/6 tcp 134.71.184.58,445 2/0 tcp

200 1:53:26 128 0:47

Where does a firewall fit in the security model?

The firewall is the first layer of defense in any security model. It should not be the only layer. A firewall can stop many attacks from reaching target machines. If an attack cant reach its target, the attack is defeated.

Ruleset design
Two main approaches to designing a ruleset are:

1.
2.

Block everything then open holes.

Block nothing then close holes.

Ruleset design Block Everything

Blocking everything provides the strongest security but the most inconvenience. Things break and people complain. The block everything method covers all bases but creates more work in figuring out how to make some applications work then opening holes.

Ruleset design Block Nothing

Blocking nothing provides minimal security by only closing holes you can identify. Blocking nothing provides the least inconvenience to our users. Blocking nothing means you must spend time figuring out what you want to protect yourself from then closing each hole.

What is IDS?
IDS is an Intrusion Detection System.

IDS can identify many attacks and traffic patterns crossing a border device.

An IDS sounds good. Is it?

Yes and no. An IDS can identify port scans, different web attacks, known buffer overflow attacks, etc. An IDS can also produce many false positive hits. AOL Instant Messenger triggers port scan hits because it talks to several AOL Ad servers within a few seconds. An IDS can create more information on a small network than a network administrator can deal with.

Filtering bad traffic

(RFC 1918, bad headers, options, etc.)

Sending bad traffic or malformed packets is a form of attack easily blocked at a firewall. The firewall inspects every packet and rejects those that are not properly formed or are intentionally malformed, protecting devices that may be succeptible.

Filtering bad traffic

(RFC 1918, bad headers, options, etc.)

Private IP address traffic should never be seen on the IT.UU.SE network. Private IP address blocks (RFC 1918): 10.0.0.0 10.255.255.255 (255.0.0.0 mask) 172.16.0.0 172.240.0.0 (255.240.0.0 mask) 192.168.0.0 192.168.255.255 (255.255.0.0 mask)

Black hole or Return-RST

(or how to respond to things you dont want.)

Should you tell a sending machine that their traffic was blocked or let them wait until they timeout? For some traffic, its better to let the sending machine wait. This slows down the rate of attack. For other traffic (such as SMTP) it may be nice to tell the sender that the SMTP port is closed.

Poking holes
How to allow traffic and expose yourself.

OK. Youve decided to block traffic. Do you have to block all traffic? No. You can allow select traffic in. The criteria for allowing traffic are the same as blocking traffic.

Compromised Machines
Just a note about compromised machines: When a machine is compromised, you have no way to determine exactly what was hacked. Cleaning what you think is the problem may not rid yourself of everything. Most instances require a reformat and reinstall of the operating system for proper cleaning.

Summary
How TCP and UPD work

How a firewall operate ?

Trafic filtering

Congratulations
You have successfully completed the SUPINFO course Chapter n 4

Protocols & Service Transport Layer Basics

Module 4 TCP Basics

The End