
Chapter 1

Network Security
Overview
www.huawei.com

Copyright 2013 Huawei Technologies Co., Ltd. All rights reserved.


Objectives
Upon completion of this course, you will be able to understand:

OSI model

TCP/IP principles

TCP/IP security issues

Common attack means for TCP/IP

Agenda
1. TCP/IP Introduction

2. TCP/IP Security Issues

3. Common Network Attacks

OSI Model Introduction
Purposes

Design principles

Strengths

Introduction to the Seven Layers of the OSI Model

PDU       Layer                   Function
APDU      7  Application layer    Providing inter-application communication
PPDU      6  Presentation layer   Processing data formats and data encryption
SPDU      5  Session layer        Setting up, maintaining, and managing sessions
Segment   4  Transport layer      Establishing end-to-end (E2E) connections between hosts
Packet    3  Network layer        Addressing and routing
Frame     2  Data link layer      Providing medium access and link management
Bit       1  Physical layer       Transmitting bit streams

Layers 5 to 7 are the upper layers; layers 1 to 4 are the lower layers.
Communication Between Peer Layers
Each layer communicates with its peer layer using the service provided by the lower layer.

Host A            PDU        Host B
Application       APDU       Application
Presentation      PPDU       Presentation
Session           SPDU       Session
Transport         Segment    Transport
Network           Packet     Network
Data link         Frame      Data link
Physical          Bit        Physical
Procedure for Processing Network Data Streams

(Figure: the sending and receiving hosts implement all seven layers; Router A, Router B and Router C between them implement only the network, data link and physical layers.)

Data leaves the application on the sending host and is passed down its stack. Each router receives the frame on one link, strips the data link header, examines the network-layer (IP) header to choose the next hop, and re-encapsulates the packet in a new frame for the next link. The transport, session, presentation and application layers are handled only end to end, on the two hosts.
Mapping Between the TCP/IP Model and OSI Model
TCP/IP has fewer layers than OSI, and its layers map cleanly onto the OSI model layers.

OSI                                                    TCP/IP
Application layer, Presentation layer, Session layer   Application layer
Transport layer                                        Transport layer
Network layer                                          Network layer
Data link layer, Physical layer                        Data link layer
Encapsulation and Decapsulation Processes of TCP/IP Packets

Layer               Sender (encapsulation)            Recipient (decapsulation)
Application layer   APP DATA                          APP DATA
Transport layer     TCP | APP DATA                    TCP | APP DATA
Network layer       IP | TCP | APP DATA               IP | TCP | APP DATA
Data link layer     Eth | IP | TCP | APP DATA         Eth | IP | TCP | APP DATA
Physical layer      10101011010101001010100011101010010

On the way down the sender's stack each layer prepends its own header to what it received from the layer above; on the way up the recipient's stack each layer removes and interprets the header that its peer added, in reverse order.
Functions of Each TCP/IP Layer

Layer               Protocols                            Function
Application layer   HTTP, Telnet, FTP, TFTP, DNS         Providing a network interface for applications
Transport layer     TCP, UDP                             Establishing end-to-end connections
Network layer       IP, ICMP, IGMP, ARP, RARP            Addressing and routing
Data link layer     Ethernet, 802.3, PPP, HDLC, FR       Accessing physical media
Socket

Application protocol   HTTP   FTP     Telnet   SMTP   DNS       TFTP   SNMP
Well-known port        80     20/21   23       25     53        69     161
Transport protocol     TCP    TCP     TCP      TCP    TCP/UDP   UDP    UDP
Network layer          IP data packets

Source socket: source IP address + protocol + source port

Destination socket: destination IP address + protocol + destination port

The pair of source and destination sockets identifies one connection; the well-known destination port tells the transport layer which application protocol the packet belongs to.
Data Link Layer Protocol
Ethernet protocol encapsulation

Field    Destination address   Source address   Type      Data            CRC
Length   6 bytes               6 bytes          2 bytes   46-1500 bytes   4 bytes

Type

Type 0x0800: indicates IP.

Type 0x0806: indicates ARP.

Type 0x8035: indicates RARP.
Network Layer Protocol
IPv4 header format (bit offsets 0, 4, 8, 16, 19, 31)

 0        4        8                16      19                  31
| Version | Header | Type of service |          Total length          |
|         | length |                 |                                |
|              Identifier            | Flags |   Fragment offset      |
|    TTL    |    Protocol    |           Header checksum             |
|                         Source IP address                          |
|                       Destination IP address                       |
|                   IP options                         |   Padding   |
Transport Layer Protocol

UDP packet format (bit offsets 0, 8, 16, 24, 31)

| Source port            | Destination port        |
| UDP length             | UDP checksum (optional) |
| Data                                             |

TCP packet format

| Source port                        | Destination port                        |
| Sequence number (SN)                                                         |
| Acknowledgement number                                                       |
| Data offset | Reserved (6 bits) | URG ACK PSH RST SYN FIN | Window size      |
| TCP checksum                       | Urgent pointer                          |
| Options                                                                      |
| Data                                                                         |
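The encapsulation process and the three header layouts above, worked through in code. This is an example added for this page, not code from the original Huawei course: it builds a constructed Ethernet/IPv4/TCP frame by stacking the headers top-down, then decapsulates it bottom-up, verifies the IP header checksum and extracts the two sockets from the Socket slide. The MAC and IP addresses, ports and sequence number are made up; the TCP checksum is left at zero because computing it needs the IP pseudo-header, which the slides do not cover.

```python
import struct

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bits 0..5 of the 6-bit flags field


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a header whose checksum field is
    zero it yields the value to insert; over a header that already carries a
    correct checksum it yields 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Encapsulation, top down: APP DATA -> TCP segment -> IP packet -> Ethernet frame."""
    # TCP header: 20 bytes (data offset 5), window 65535, checksum left 0 (assumption), no options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    # IPv4 header: version 4, IHL 5, identifier 0x1234, DF flag, TTL 64, protocol 6 (TCP)
    ip_fields = [0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                 bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))]
    ip_fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *ip_fields))
    ip = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", 0x0800))          # Type 0x0800: IP
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Decapsulation, bottom up: strip the Ethernet, IP and TCP headers in turn."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"eth": {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
                   "type": ETHERTYPES.get(ethertype, hex(ethertype))}}
    if ethertype != 0x0800:
        return out                            # ARP, RARP, ...: no IP header follows
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _sum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                # header length is given in 32-bit words
    out["ip"] = {"version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len, "ttl": ttl,
                 "protocol": IP_PROTOCOLS.get(proto, str(proto)),
                 "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
                 "checksum_ok": ip_checksum(ip[:ihl]) == 0}
    if proto != 6:
        return out
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4
    out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
                  "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
                  "payload": tcp[data_off:]}
    # The two sockets that identify this connection, as on the Socket slide.
    out["src_socket"] = (out["ip"]["src"], "TCP", sport)
    out["dst_socket"] = (out["ip"]["dst"], "TCP", dport)
    return out


# Constructed sample: a SYN from 192.168.0.1:40000 to an HTTP server at 192.168.0.6:80.
SAMPLE_FRAME = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                           "192.168.0.1", "192.168.0.6", 40000, 80, seq=11001, ack=0, flags=0x02)

if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```

Flipping any header byte (for example the TTL at offset 14 + 8) makes `checksum_ok` false, which is exactly the check a receiving IP stack performs before it looks at anything else in the packet.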
Establishing a TCP Connection
Three-way handshake

Client                                   Server
  SYN (seq = x)                    --->
                                   <---  SYN + ACK (seq = y, ack = x + 1)
  ACK (seq = x + 1, ack = y + 1)   --->

Closing a TCP Connection
Four-way handshake

The side that actively closes the connection sends a FIN; the side that passively closes it acknowledges that FIN (ACK), finishes sending its own data, and then sends its own FIN, which the active side acknowledges. Because each direction is closed separately, closing takes four packets while establishment takes three.
Agenda
1. TCP/IP Introduction

2. TCP/IP Security Issues

3. Common Network Attacks

TCP/IP Security Risks

1. Lacking a data source authentication mechanism
2. Lacking an integrity check mechanism
3. Lacking a confidentiality guarantee mechanism
TCP/IP Common Security Risks

Application layer   Vulnerabilities, buffer overflow attacks, web application attacks, viruses and Trojans
Transport layer     TCP spoofing, SYN flood, UDP flood, port scanning
Network layer       IP spoofing, Smurf attacks, ICMP flood attacks, IP sweep
Data link layer     MAC spoofing, MAC flooding, ARP spoofing
Physical layer      Equipment damage, network interception
Equipment Damage
Damage of physical devices

Direct damage to physical network facilities, such as server infrastructure and network transmission and communication facilities.

Equipment damage attacks mainly aim to disrupt network services.

Defense against equipment damage

Mainly relies on non-technical measures, such as constructing a solid equipment room and formulating strict security management regulations.
Network Interception
Physical-layer devices on which traffic can be intercepted

Hub

Repeater

Wireless network

Defense against interception

Replace hubs and repeaters with switches.

On wireless networks, use strong authentication and encryption mechanisms.
MAC Spoofing Attack
MAC spoofing is a straightforward attack: the attacker changes its own MAC address to the address of a trusted system.

Defense

Configure static entries on the switch and bind each MAC address to a specific port.

(Figure: the trusted host with MAC F0-DE-F1-33-7F-DA is connected to switch port E0; an impostor on port E1 announces "I am also F0-DE-F1-33-7F-DA".)
MAC Flooding Attack
MAC flooding attacks utilize:

MAC address learning mechanism of switches

Number limit of MAC entries

Switch forwarding mechanism

The attacker sends frames with a large number of different source MAC addresses. The switch learns each one until its MAC table is full; it can then no longer learn the addresses of legitimate hosts, and frames to those unknown addresses are flooded out of every port, including the attacker's.

Defense

Configure static MAC entries.

Configure a limit for the number of MAC entries on the port.
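The MAC spoofing and MAC flooding attacks above, and both defenses, simulated. This is an example added for this page, not code from the original course: a minimal learning switch with a global MAC table size, an optional per-port entry limit and static MAC-to-port bindings. The port names E0/E1/E2, the table size, and the server and attacker MAC addresses are constructed; the trusted host's MAC is the one from the MAC spoofing slide.

```python
import random


class Switch:
    """A minimal learning switch: a MAC table with a global size limit and an
    optional per-port limit (port security), plus static MAC-to-port bindings."""

    def __init__(self, ports, table_size, per_port_limit=None):
        self.ports = list(ports)
        self.table_size = table_size          # total entries the MAC table can hold
        self.per_port_limit = per_port_limit  # None: no port security
        self.mac_table = {}                   # MAC -> port (learned and static)
        self.static = {}                      # MAC -> port bound by the administrator
        self.violations = []                  # (port, MAC) pairs that were rejected

    def add_static(self, mac, port):
        self.static[mac] = port
        self.mac_table[mac] = port

    def learn(self, src_mac, in_port):
        """Update the table from a frame's source MAC; return what happened."""
        if src_mac in self.static and self.static[src_mac] != in_port:
            self.violations.append((in_port, src_mac))   # another port claims a bound MAC
            return "violation"
        if src_mac in self.mac_table:
            return "known"
        if self.per_port_limit is not None:
            on_port = sum(1 for p in self.mac_table.values() if p == in_port)
            if on_port >= self.per_port_limit:
                self.violations.append((in_port, src_mac))
                return "violation"
        if len(self.mac_table) >= self.table_size:
            return "table_full"                              # nothing more can be learned
        self.mac_table[src_mac] = in_port
        return "learned"

    def forward(self, src_mac, dst_mac, in_port):
        """Return the egress ports for a frame. Unknown unicast is flooded."""
        if self.learn(src_mac, in_port) == "violation":
            return []                                          # port security drops the frame
        if dst_mac in self.mac_table:
            return [self.mac_table[dst_mac]]
        return [p for p in self.ports if p != in_port]


VICTIM = "f0:de:f1:33:7f:da"       # the trusted host from the slide, on port E0
SERVER = "00:50:56:00:00:02"       # constructed, on port E2
ATTACKER = "00:0c:29:aa:bb:cc"     # constructed, on port E1


def mac_flood_scenario(per_port_limit=None, flood_frames=5000, seed=1):
    """The attacker on E1 floods random source MACs, then the server and the victim
    start talking. Returns the egress ports of the victim's frame to the server."""
    rng = random.Random(seed)
    sw = Switch(["E0", "E1", "E2"], table_size=1024, per_port_limit=per_port_limit)
    for _ in range(flood_frames):
        fake = "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))
        sw.forward(fake, "ff:ff:ff:ff:ff:ff", "E1")
    sw.forward(SERVER, VICTIM, "E2")          # server speaks first: can the switch still learn it?
    return sw.forward(VICTIM, SERVER, "E0")   # ["E2"] if it could, flooded to E1 as well if not


def mac_spoof_scenario():
    """The attacker on E1 sends with the victim's MAC; a static binding to E0 rejects it."""
    sw = Switch(["E0", "E1", "E2"], table_size=1024)
    sw.add_static(VICTIM, "E0")
    egress = sw.forward(VICTIM, SERVER, "E1")
    return egress, sw.violations


if __name__ == "__main__":
    print("no port security:", mac_flood_scenario())
    print("limit 2 MACs per port:", mac_flood_scenario(per_port_limit=2))
    print("static binding vs MAC spoof:", mac_spoof_scenario())
```

Without a port limit the flood fills the table, the server's address is never learned, and the victim's frame is flooded to E1 where the attacker reads it; with a limit of two entries on E1 the attacker's extra addresses are rejected and the frame goes only to E2.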
ARP Spoofing Attack

(Figure: hosts A and B on the same LAN, with a hacker between them.)

When A needs to communicate with B:

A sends an ARP request to ask for the MAC address of B.

B sends an ARP reply to notify A of its MAC address.

ARP has no authentication, and hosts update their ARP cache from any reply they receive. The hacker can therefore send A a forged ARP reply that maps B's IP address to the hacker's MAC address, so A's frames for B are delivered to the hacker.
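Detection logic for the forged replies described above, as an example added for this page (not code from the original course). It keeps an IP-to-MAC table, seeded from static bindings if the administrator has configured any, and alerts when a reply contradicts the table or when one MAC claims several IP addresses, which is what a hacker poisoning both ends of a conversation does. The reply records are constructed; the addresses 192.168.0.1 and 192.168.0.6 are borrowed from the IP spoofing slide, the MACs are made up.

```python
from collections import defaultdict

A_IP, A_MAC = "192.168.0.1", "00:11:22:aa:aa:01"      # host A (MAC constructed)
B_IP, B_MAC = "192.168.0.6", "00:11:22:bb:bb:06"      # host B (MAC constructed)
HACKER_MAC = "00:11:22:cc:cc:99"                      # constructed

# Constructed ARP replies as (sender IP, sender MAC, target IP), as seen on the segment.
SAMPLE_REPLIES = [
    (B_IP, B_MAC, A_IP),          # B answers A's request: normal
    (A_IP, A_MAC, B_IP),          # A answers B's request: normal
    (B_IP, HACKER_MAC, A_IP),     # forged: "B is at the hacker's MAC", sent to A
    (A_IP, HACKER_MAC, B_IP),     # forged: "A is at the hacker's MAC", sent to B
    (B_IP, HACKER_MAC, A_IP),     # repeated so that A's cache stays poisoned
]


def detect_arp_spoofing(replies, static_bindings=None):
    """Return alerts for replies that contradict the IP-to-MAC table or that make
    one MAC the owner of several IP addresses. static_bindings (IP -> MAC) are
    trusted; any other mapping is trusted on first use."""
    known = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    ips_per_mac = defaultdict(set)
    alerts = []
    for sender_ip, sender_mac, target_ip in replies:
        sender_mac = sender_mac.lower()
        bound = known.get(sender_ip)
        if bound is None:
            known[sender_ip] = sender_mac                      # first claim wins
        elif bound != sender_mac:
            alerts.append(("ip_mac_conflict", sender_ip, bound, sender_mac, target_ip))
        claimed = ips_per_mac[sender_mac]
        if sender_ip not in claimed:
            claimed.add(sender_ip)
            if len(claimed) > 1:                               # alert once per new IP claimed
                alerts.append(("mac_claims_multiple_ips", sender_mac, tuple(sorted(claimed))))
    return alerts


def poisoned_cache(replies):
    """What a host that blindly accepts every reply ends up with: the last reply wins."""
    cache = {}
    for sender_ip, sender_mac, _target in replies:
        cache[sender_ip] = sender_mac.lower()
    return cache


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(alert)
    print("A and B now resolve each other to:", poisoned_cache(SAMPLE_REPLIES))
```

With static bindings for A and B configured, the first two (legitimate) replies raise nothing, which is the configuration the slide's defense amounts to on the hosts themselves.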
IP Spoofing Attack
Why is an IP address easily spoofed?

(Figure: A is 192.168.0.1 and B is 192.168.0.6. The attacker's sniffer sees the request exchanged between A and B, paralyzes A so that it cannot answer, and then sends spoofed replies with source address 192.168.0.1 in A's place.)

Trust relationships between hosts are built on IP addresses.

Attackers can forge legitimate IP addresses to obtain confidential information.
Smurf Attack

(Figure: a host at 192.168.1.2 controlled by the attacker sends an ICMP echo request with src = 128.100.100.2, the victim, and dest = 192.168.1.255, the broadcast address of the segment. Every host on the segment, 192.168.1.1, 192.168.1.3, 192.168.1.4 and 192.168.1.5, sends its ICMP echo reply to the victim 128.100.100.2.)

The attacker spoofs the victim's address as the source of an ICMP echo request to a broadcast address, so one request is amplified into one reply from every host on the segment, all of them sent to the victim.
ICMP Redirect Packet and Unreachable Packet Attack

(Figure: a host at 192.168.1.2 controlled by the attacker floods the hosts 192.168.1.x with ICMP destination unreachable packets whose source is 128.100.100.2; a second attacker-controlled host sends many ICMP redirect packets. Hosts 192.168.1.3 and 192.168.1.4 ask "Why can't I receive the packet?", the gateway 192.168.1.1 no longer receives the traffic, and the victim is 128.100.100.2.)

Forged ICMP destination unreachable packets make the hosts believe that the victim cannot be reached, so their communication with it is broken off. Forged ICMP redirect packets make the hosts change their routes, so traffic that should pass through the gateway is sent to the attacker-controlled host instead.
IP Sweep Attack
An attacker uses ICMP packets or TCP/UDP packets to initiate connections to a range of IP addresses. By checking which addresses return response packets, the attacker can determine which target systems are alive and connected to the target network.

(Figure: the attacker probes 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4 and 192.168.1.5 in turn.)
TCP Spoofing Attack

(Figure: Host A trusts Host B. Host C, the attacker, first launches a denial of service attack against Host B so that B cannot respond, then opens an unauthorized connection to A while pretending to be B.)

Packet                                  SYN   ACK   SEQ     ACK number
1. Spoofed SYN from C to A (as B)        1     0     11001   0
2. SYN + ACK from A to B                 1     1     54002   11002
3. Spoofed ACK from C to A (as B)        0     1     11002   54003

C never sees packet 2, because A sends it to B's address, so C has to guess A's sequence number (54002) to build packet 3. The attack works when A's initial sequence numbers are predictable and B is silenced so that it cannot reset the half-open connection.
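The three-way handshake and the blind spoofing above, played out with the slide's sequence numbers. This is an example added for this page, not code from the original course; the Server class, its two ISN generators, the attacker's address and its probing step are simplified assumptions. The attacker first opens a real connection from its own address to sample the server's ISN, then sends the spoofed SYN and a spoofed ACK with a guessed acknowledgement number. With sequential ISNs the guess is right; with random ISNs (the behaviour RFC 6528 requires of modern stacks) it is not.

```python
import secrets


class Server:
    """Host A: completes a connection only if the final ACK acknowledges our ISN + 1."""

    def __init__(self, next_isn):
        self.next_isn = next_isn        # callable returning the next initial sequence number
        self.half_open = {}             # (ip, port) -> our ISN, while waiting for the ACK
        self.established = set()

    def on_syn(self, src, seq):
        isn = self.next_isn()
        self.half_open[src] = isn
        # 2. SYN+ACK, addressed to src: whoever really sent the SYN sees it only by sniffing src's traffic
        return {"flags": ("SYN", "ACK"), "seq": isn, "ack": (seq + 1) & 0xFFFFFFFF}

    def on_ack(self, src, ack):
        isn = self.half_open.pop(src, None)
        if isn is not None and ack == (isn + 1) & 0xFFFFFFFF:
            self.established.add(src)
            return True
        return False


def sequential_isn(start=54002):
    """Predictable ISNs: each new connection gets the previous ISN + 1 (a weak generator, assumed)."""
    state = {"next": start}

    def gen():
        isn, state["next"] = state["next"], state["next"] + 1
        return isn
    return gen


def random_isn():
    """Unpredictable 32-bit ISNs."""
    return lambda: secrets.randbelow(1 << 32)


HOST_B = ("192.168.0.6", 40000)    # the host that A trusts (address constructed)
HOST_C = ("10.0.0.9", 50000)       # the attacker's own address (constructed)


def legitimate_handshake(server, client=HOST_B, client_isn=11001):
    """1. SYN, 2. SYN+ACK, 3. ACK, with both sides seeing every packet."""
    synack = server.on_syn(client, client_isn)
    ack = {"flags": ("ACK",), "seq": client_isn + 1, "ack": synack["seq"] + 1}
    return server.on_ack(client, ack["ack"]), synack, ack


def blind_spoof(server, trusted=HOST_B, client_isn=11001):
    """Host C pretends to be B. B has been silenced by a DoS, so B neither sees the
    SYN+ACK nor answers it with a RST; C never sees it either and must guess A's ISN."""
    probe = server.on_syn(HOST_C, 1)                 # sample A's ISN with a real connection
    server.on_ack(HOST_C, probe["seq"] + 1)
    guessed_isn = probe["seq"] + 1                   # assumption: A's next ISN is the last one + 1
    server.on_syn(trusted, client_isn)               # spoofed SYN "from B"; the SYN+ACK goes to B, unseen
    return server.on_ack(trusted, guessed_isn + 1)   # spoofed ACK; succeeds only if the guess was right


if __name__ == "__main__":
    print("legitimate:", legitimate_handshake(Server(sequential_isn())))
    print("blind spoof, sequential ISN:", blind_spoof(Server(sequential_isn())))
    print("blind spoof, random ISN:", blind_spoof(Server(random_isn())))
```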
SYN Flood Attack

(Figure: the attacker sends a stream of SYN packets to the server.)

The SYN packet is the first packet in a TCP connection. The attacker sends a large number of SYN packets and never completes the handshake, so a large number of half-open connections accumulate on the attacked host, exhausting its resources.
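The half-open connection exhaustion described above, beside the standard countermeasure, SYN cookies, which the slide does not mention. This is an example added for this page, not code from the original course: NaiveServer stores an entry per half-open connection and stops accepting SYNs once its backlog (a constructed 128) is full; CookieServer stores nothing for a SYN and instead puts an HMAC-based cookie in the SYN+ACK sequence number, so only a client that actually received the SYN+ACK can complete the handshake. The backlog size, secret, time-slot layout and client addresses are assumptions; a real implementation also encodes the MSS in the cookie.

```python
import hashlib
import hmac
import random
import secrets
import time

BACKLOG = 128   # constructed: half-open connections a NaiveServer will hold


class NaiveServer:
    """Keeps one entry per half-open connection; a SYN flood fills the backlog."""

    def __init__(self):
        self.half_open = {}
        self.established = set()

    def on_syn(self, src, seq, now=None):
        if len(self.half_open) >= BACKLOG:
            return None                     # backlog full: the SYN is dropped
        isn = secrets.randbelow(1 << 32)
        self.half_open[src] = isn
        return {"seq": isn, "ack": (seq + 1) & 0xFFFFFFFF}

    def on_ack(self, src, seq, ack, now=None):
        isn = self.half_open.pop(src, None)
        ok = isn is not None and ack == (isn + 1) & 0xFFFFFFFF
        if ok:
            self.established.add(src)
        return ok


class CookieServer:
    """Stores nothing for a SYN: the SYN+ACK sequence number is an HMAC-based
    cookie that the client's ACK must echo back (+1) to prove it received it."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)
        self.established = set()

    @staticmethod
    def _slot(now):
        return (int(now) >> 6) & 0x1F       # 5-bit counter of 64-second slots

    def _cookie(self, src, client_isn, slot):
        msg = f"{src[0]}|{src[1]}|{client_isn}|{slot}".encode()
        h = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (slot << 27) | (int.from_bytes(h[:4], "big") & 0x07FFFFFF)   # 5 bits slot, 27 bits MAC

    def on_syn(self, src, seq, now=None):
        now = time.time() if now is None else now
        return {"seq": self._cookie(src, seq, self._slot(now)), "ack": (seq + 1) & 0xFFFFFFFF}

    def on_ack(self, src, seq, ack, now=None):
        now = time.time() if now is None else now
        cookie = (ack - 1) & 0xFFFFFFFF
        slot = cookie >> 27
        if (self._slot(now) - slot) & 0x1F > 1:
            return False                    # cookie older than one slot boundary: expired
        if cookie != self._cookie(src, (seq - 1) & 0xFFFFFFFF, slot):
            return False                    # forged or replayed ACK
        self.established.add(src)
        return True


def syn_flood(server, count=10000, seed=7, now=1_000_000):
    """SYNs from random (spoofed) sources; nobody ever answers the SYN+ACKs."""
    rng = random.Random(seed)
    for _ in range(count):
        src = ("10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256)),
               rng.randrange(1024, 65536))
        server.on_syn(src, rng.randrange(1 << 32), now)


def legitimate_client_connects(server, now=1_000_000):
    """A real client at 192.168.0.1 (constructed): SYN, receive SYN+ACK, send ACK."""
    client, isn = ("192.168.0.1", 40000), 11001
    synack = server.on_syn(client, isn, now)
    if synack is None:
        return False                        # the server dropped our SYN
    return server.on_ack(client, isn + 1, synack["seq"] + 1, now)


if __name__ == "__main__":
    for cls in (NaiveServer, CookieServer):
        server = cls()
        syn_flood(server)
        print(cls.__name__, "accepts a real client after the flood:", legitimate_client_connects(server))
```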
UDP Flood Attack

(Figure: the attacker sends a stream of UDP packets to the server.)

The attacker sends a large number of UDP packets to the server to occupy the server's bandwidth. As a result, the server is overloaded and cannot provide services to external users. Because UDP has no handshake, every packet is accepted and processed without any prior exchange.
Port Scanning Attack
Port scanning attacks generally use port scanning software to initiate connections to a series of TCP or UDP ports on a wide range of hosts. From the response packets, the attacker can determine which hosts are providing services on these ports.

(Figure: the attacker runs a port scan against the target hosts.)
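Detection logic for the IP sweep and the port scan described on the two slides above, as an example added for this page (not code from the original course). It reads connection-attempt records, keeps a sliding window per source, and flags a source that touches many distinct hosts (sweep) or many distinct ports on one host (scan); it also records which ports answered, which is the attacker's view of the same data. The log format, thresholds, addresses and timestamps are constructed.

```python
from collections import defaultdict

# Constructed log: "<unix time> <proto> <src ip> <dst ip> <dst port or -> <result>".
SAMPLE_LOG = """\
1700000001 ICMP 10.0.0.9 192.168.1.1 - reply
1700000001 ICMP 10.0.0.9 192.168.1.2 - reply
1700000002 ICMP 10.0.0.9 192.168.1.3 - reply
1700000002 ICMP 10.0.0.9 192.168.1.4 - timeout
1700000003 ICMP 10.0.0.9 192.168.1.5 - reply
1700000005 TCP 192.168.1.2 192.168.1.3 80 syn-ack
1700000010 TCP 10.0.0.9 192.168.1.3 21 rst
1700000011 TCP 10.0.0.9 192.168.1.3 22 syn-ack
1700000012 TCP 10.0.0.9 192.168.1.3 23 rst
1700000013 TCP 10.0.0.9 192.168.1.3 25 rst
1700000014 TCP 10.0.0.9 192.168.1.3 53 rst
1700000015 TCP 10.0.0.9 192.168.1.3 80 syn-ack
1700000016 TCP 10.0.0.9 192.168.1.3 110 rst
1700000017 TCP 10.0.0.9 192.168.1.3 135 rst
1700000018 TCP 10.0.0.9 192.168.1.3 139 rst
1700000019 TCP 10.0.0.9 192.168.1.3 443 rst
1700000020 TCP 10.0.0.9 192.168.1.3 445 rst
1700000021 TCP 10.0.0.9 192.168.1.3 3389 rst
1700000030 TCP 192.168.1.2 192.168.1.3 80 syn-ack
""".splitlines()


def parse_line(line):
    ts, proto, src, dst_ip, dst_port, result = line.split()
    port = None if dst_port == "-" else int(dst_port)      # ICMP probes carry no port
    return float(ts), proto, src, dst_ip, port, result


def detect_probes(log_lines, window=60.0, sweep_hosts=4, scan_ports=10):
    """For each source, count distinct destination hosts (IP sweep) and distinct
    ports per host (port scan) inside a sliding time window. Returns a report per source."""
    events = sorted((parse_line(line) for line in log_lines), key=lambda e: e[0])
    recent = defaultdict(list)          # src -> events still inside the window
    report = {}
    for ev in events:
        ts, _proto, src, dst_ip, port, result = ev
        recent[src] = [e for e in recent[src] if ts - e[0] <= window] + [ev]
        hosts = {e[3] for e in recent[src]}
        ports = defaultdict(set)
        for e in recent[src]:
            if e[4] is not None:
                ports[e[3]].add(e[4])
        widest = max((len(p) for p in ports.values()), default=0)
        r = report.setdefault(src, {"max_hosts": 0, "max_ports": 0, "ip_sweep": False,
                                    "port_scan": False, "open_ports_seen": set()})
        r["max_hosts"] = max(r["max_hosts"], len(hosts))
        r["max_ports"] = max(r["max_ports"], widest)
        r["ip_sweep"] = r["ip_sweep"] or len(hosts) >= sweep_hosts
        r["port_scan"] = r["port_scan"] or widest >= scan_ports
        if port is not None and result == "syn-ack":
            r["open_ports_seen"].add((dst_ip, port))     # what the scanner learned
    return report


if __name__ == "__main__":
    for src, r in detect_probes(SAMPLE_LOG).items():
        print(src, r)
```

The thresholds are deliberately low for the sample; in production they are tuned per network, and the window matters: shrinking it to half a second makes the same sweep invisible, which is why slow scans are spread out in time.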
Buffer Overflow Attack

The most common of all software system attack techniques

Can be launched locally or remotely

Exploits flaws in all kinds of software systems, including operating systems, network services, and application software, to run attack code

The vulnerabilities depend on the operating system and processor architecture, and the attacker needs a high level of knowledge and skill

(Figure: process memory layout with the stack, data, and code regions.)
Web Application Attack
Common attacks

Targeting clients
Web pages that contain malicious code, exploiting browser vulnerabilities and threatening the local system

Targeting servers
Exploiting vulnerabilities in web servers such as Apache or IIS
Exploiting vulnerabilities in the CGI implementation language (PHP, ASP, Perl, ...) and in its implementation process
Intruding into the database through the web server
Agenda
1. TCP/IP Introduction

2. TCP/IP Security Issues

3. Common Network Attacks

Passive Attack

(Figure: Host A and Host B communicate across the Internet; the attacker monitors the traffic, thinking "I need to obtain confidential information.")

In a passive attack the attacker only monitors the traffic between Host A and Host B and does not modify it.
Active Attack

(Figure: Host A reaches the service resources of an enterprise across the Internet. Three active attacks are shown: a spoofing attack and a falsification attack, each marked on the packet header and data payload to show the spoofed or falsified part, and a DoS attack.)
Man-in-the-Middle Attack

(Figure: Host A and Host B communicate across the Internet, but their traffic passes through the attacker. The attacker can steal information, a passive attack, or falsify information, an active attack.)
Summary
OSI model

TCP/IP principles

TCP/IP security issues

Common attack means

Question
Why is ARP spoofing easily initiated?

How to initiate IP spoofing attacks?

What is the difference between TCP and UDP?

Why does TCP have a header length field, but UDP does not?

Why does TCP connection establishment require a three-way handshake, but disconnection require a four-way handshake?
Thank you
www.huawei.com