1 Information Security: The Big Picture - SANS GIAC © 2000 1 Information Security: The Big Picture – Part III Stephen Fried 2 Information Security: The Big Picture - SANS GIAC © 2000 2 IP – The Internet Protocol • Deals with transmission of packets between end points • The fundamental protocol of the Internet The Internet Protocol (IP) is the protocol by which information is sent from one computer to another on the Internet. Each computer on the Internet has at least one address that uniquely identifies it from all other computers on the Internet. When you send or receive data (for example, an e-mail note or a web page), the message gets divided into little chunks called packets. Each of these packets contains both the sender's Internet address and the receiver's address. Any packet is sent first to a gateway computer that understands a small part of the Internet. The gateway computer reads the destination address and forwards the packet to an adjacent gateway that in turn reads the destination address and so forth across the Internet until one gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain. That gateway then forwards the packet directly to the computer whose address is specified. Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different route across the Internet. Packets can arrive in a different order than the order they were sent in. The Internet Protocol just delivers them. It's up to another protocol, the Transmission Control Protocol (TCP) to put them back in the right order. IP is a connectionless protocol, which means that there is no established connection between the end points that are communicating. Each packet that travels through the Internet is treated as an independent unit of data without any relation to any other unit of data. (The reason the packets do get put in the right order is because of TCP, the connection-oriented protocol that keeps track of the packet sequence in a message.) The most widely used version of IP today is Internet Protocol Version 4 (IPv4). However, IP Version 6 (IPv6) is also beginning to be supported. IPv6 provides for much longer addresses and therefore the possibility of many more Internet users. IPv6 includes the capabilities of IPv4 and any server that can support IPv6 packets can also support IPv4 packets. 3 Information Security: The Big Picture - SANS GIAC © 2000 3 TCP – The Transmission Control Protocol • Connection-oriented communications • Ensures reliable packet delivery • Overhead can be “expensive” The Transmission Control Protocol, or TCP, is called a connection-oriented protocol. That is because it is primarily concerned with establishing connections between two computers and making sure that all communication on that connection are orderly and complete. TCP works in combination with the Internet Protocol, a combination usually referred to as TCP/IP. The IP layer provides the packet delivery service and the TCP layer provides the packaging and sequencing of the packets. TCP works by giving each packet a sequence number. When a packet is sent to a destination, the sending computer waits for an acknowledgement from the destination that the packet was received. The receiver will send the acknowledgement if it receives the packet and it was not damaged during the transmission. If the sender does not receive the acknowledgement it will resend the packet. In that way it ensures that every packet arrives at the destination in good order. TCP is a good protocol for ensuring the delivery of packets to a destination. However, this assurance comes at a price. All the work required to send, receive, and track acknowledgements takes a toll on the network. However, when you want to make sure a message arrives, TCP is the way to go. TCP is also good from a security standpoint. When compared to connectionless protocols (for example, UDP, which we will examine closer in the next slide) the connection-oriented nature of TCP gives us some assurance that information is coming from a genuine source and that packets received in a TCP stream have some relationship to both each other and to the originating server. As we have seen in previous slides, packets can be spoofed and transmissions can be interrupted, but compared to connectionless protocols, like UDP, TCP provides a higher level safety. 4 Information Security: The Big Picture - SANS GIAC © 2000 4 TCP Session Open & Close SYN (100) SYN (500), ACK (101) ACK (501) FIN (130) FIN (570) ACK (571) ACK (131) This slide shows a sample TCP session, illustrating how it opens and closes connections on the network. In the example, we are assuming that a PC is connecting to some kind of server over the network, but this same process holds true for any TCP session established between any two devices. Just to get you familiar with the symbols on the chart, the arrows represent the direction of the communications. So, an arrow going from the PC to the server means that the PC is sending a message to the server and an arrow going from the server to the PC means that the server is sending a message to the PC. The SYN, ACK, and FIN labels represent the different types of packets that are used during session setup and close. The SYN packet is used to “sync up”, or start the communications. The ACK packet sends an acknowledgement of the message back to the originator, and the FIN packet starts the process of finishing the connection. Finally, the numbers in parentheses are the sequence numbers that are sent along with each packet. OK, now that you know who all the players are, we are ready to begin. When opening a two-way connection between two machines, each end of the connection must connect to the other separately. The process starts when the PC sends a SYN packet requesting a connection to the server with an initial sequence number of 100. The server responds back to the PC with a SYN/ACK packet. This packet starts up the second half of the two-way connections (again with a starting sequence number). It also acknowledges the packet sent originally by the PC (incrementing the PC’s sequence number by 1). Finally, the PC acknowledges the server’s connection with an ACK packet and by incrementing the server’s sequence number. This sequence is sometimes called the TCP Three Way Handshake. After the opening sequence, the PC and the server will continue to exchange packets of information, each time increasing the sequence number. When the time comes to close the connection, once again each end of the connection must be closed separately. Assuming that the PC wants to close the connection first, the process starts when the PC sends a FIN packet to the server. The FIN portion indicates to the server that the PC wants to close the connection (continuing with the sequence count it has been using with the server). The server responds by sending an ACK to the PC acknowledging the FIN sent by the PC. Next, the server sends a FIN packet to the PC to close its side of the connection. Finally, the PC sends an ACK to the server to acknowledge the FIN. Normally, you will never have to go into this much detail when talking about network security unless you are going into depth on router or firewall configuration. However, a basic understanding of this diagram will come in handy when we talk later about denial of service attacks, particularly SYN flood attacks. Understanding how the sequence numbers work will also help when we discuss sequence prediction attacks. 5 Information Security: The Big Picture - SANS GIAC © 2000 5 UDP – The User Datagram Protocol • Connectionless-oriented communications • Sends packets out, doesn’t care if they get there • Much less “overhead” • Good if small amount of packet loss is acceptable The User Datagram Protocol (UDP) is a communications protocol that offers a limited amount of connectivity when messages are exchanged between computers in a network that uses the Internet Protocol (IP). Like TCP, UDP uses IP as its underlying delivery service to move pieces of information from one host to another. Those pieces are called “datagrams.” Unlike TCP, however, UDP does not provide the service of dividing a message into packets and reassembling it at the other end. Specifically, UDP doesn't provide sequencing of the packets that the data arrives in. UDP will send the packets out, but it does not provide any mechanism for ensuring they get there properly, intact, or in the right order. Whereas TCP will do its part to ensure orderly delivery of packets, UDP leaves this task to the application itself. The application program that uses UDP must be able to make sure that the entire message has arrived and is in the right order. Because much of the disassembly, sequencing, and reassembly of packets is performed by the application rather than built into the protocol, UDP as a protocol has less overhead than TCP. This makes it faster to send information using UDP. Network applications that want to save processing time will use UDP rather than TCP because they have very small data units to exchange, and therefore very little message reassembling to do. UDP is also a good choice for applications that can stand a small amount of packet loss. For example, a broadcast of a musical program may consist of many packets of similar or repetitive sounds. If a packet or two were to get lost, nobody will notice. If, however, a transmission consisted of the precise coordinates to which to aim a space shuttle for landing, reliable transmission would be a priority and TCP would be a better choice. From a security standpoint, the “U” in UDP might as well stand for “Unreliable.” Because a UDP packet has no information about the context of the information it contains, it should not be trusted without some kind of supporting network or application information. 6 Information Security: The Big Picture - SANS GIAC © 2000 6 ICMP • Handles error and control information • Works between gateways and hosts • Sent as IP datagrams • Generated by protocol, not by user applications • Most users access ICMP via “Ping” One final protocol you should be aware of is the Internet Control Message Protocol, or ICMP. ICMP is a protocol that handles traffic flow between network elements. In particular, it provides feedback about problems in the communication and network environment. A typical use of ICMP is as follows: every network uses devices called routers to move packets from one local network to another. Each network has a “default route”, that is, the router that will be used if no other access out of the network is available. For most situations, the default route works best. However, occasionally the default route may not be the best path between two points. This may be because of problems in the network, network service outages, traffic congestion, or some other reason. When this happens, the default router will send an ICMP message back to the machine that sent the packet stating, “it would be better if you sent your packets some other way” and specifies a new path the sending machine should use. ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route. ICMP uses the Internet Protocol to transfer messages, but instead of full packets it sends “datagrams”, much like UDP. ICMP is actually an integral part of IP, and must be implemented within the IP software itself. Most user-level applications will never concern themselves with ICMP directly, rather relying on TCP or UDP for their transmissions. There is one exception, however. The ping program is a user-level application that uses ICMP to give information about network conditions and availability. If a user wants to know if a host is available, he will use ping to test if the machine is on the network. If it is, ping will send a positive reply back. If it is not available, or there is network trouble between the two hosts, ping will also indicate that. 7 Information Security: The Big Picture - SANS GIAC © 2000 7 Protocol “Stacks” • Divides network communications into layers • Each layer interfaces with above and below layers • Divide task of communication into pieces for easier implementation Having all these protocols is nice, but how does information actually get from one place to another? In the next few slides we will examine exactly how this happens. We will start by discussing protocol stacks. And to discuss protocol stacks, we need a good real-life example. Imagine, if you will, a five-story apartment building. This building, however, is very special (or very strange, depending on your point of view). First of all, the really important things happen on the top floor, floor 5. Second, the only way the people on the fifth floor can get anything done is by asking the people on the floors below them to do it. For example, the people on the fifth floor want to make dinner. They tell this to the people on the fourth floor. The people on the fourth floor figure out that dinner requires a soup, salad, main course and dessert. They tell this to the people on the third floor. The people on the third floor decide that the courses will be onion soup, a garden salad, beef stew, and apple pie, and they tell this to the people on the second floor. The people on the second floor figure out what ingredients will be needed for this dinner (for example, chicken broth, lettuce, vegetables, beef, etc.) and give this information to the people on the first floor. The people in the first floor actually go to the store, buy all the ingredients, and bring them back to the apartment building. Once the ingredients are purchased, the process goes in reverse. The first floor gives the raw ingredients to the second floor. The second floor checks that all the ingredients are there and then hands them off to the third floor. The third floor prepares the various courses by making the soup, tossing the salad, cooking the beef, and baking the pie. Once all this is done they hand the food off to the fourth floor. The fourth floor people package all the food up into nice courses and bring it up to the fifth floor residents so they can eat a delicious meal. Well, in essence, that’s how protocol stacks work. Protocol stacks divide network communications into different layers, like the floors in the apartment building. Each layer in the stack works on the packet in different ways. Some layers make sure the packet has all the information it needs, some layers make sure the packet is ready for an application to work with, and some layers make sure the packet gets onto the network properly. Each layer works directly with the layer above and below it, just as in the apartment building example. As packets are passed from one layer to the next, each layer examines or modifies the packet in some way. Once the packet has reached the “ground floor” of the network it is sent to its destination. The use of protocol stacks in network communications makes the task of implementing protocols much easier. By making communications more modular, a service, process or application need only concern itself with the layers it needs, leaving the other layers to someone else. 8 Information Security: The Big Picture - SANS GIAC © 2000 8 The OSI Protocol Stack Application Presentation Session Transport Network Data Link Physical Layer 7 Layer 6 Layer 5 Layer 4 Layer 3 Layer 2 Layer 1 One of the most widely known protocol stacks is the International Standards Organization (ISO) Open Systems Interconnect (OSI) model. The OSI model divides network communications into seven layers. The Physical Layer handles transmission across the physical media. This includes such things as electrical pulses on wires, connection specifications between hardware, voltage and current, etc. The Data Link Layer connects the physical part of the network (e.g. cables and electrical signals) with the abstract part (e.g. packets and data streams). It also creates the headers and validation information that get attached to packets. The Network Layer handles interaction with the network address scheme and connectivity over multiple network segments. It describes how systems on different network segments find and communicate with each other. The Transport Layer actually interacts with your information and prepares it to be transmitted across the network. It is this layer that ensures reliable connectivity from end-to-end. The Transport Layer also handles the sequencing of packets in a transmission. The Session Layer handles the establishment and maintenance of connections between systems. It negotiates the connection, sets it up, maintains it, and makes sure that information exchanged across the connection is in sync on both sides. The Presentation Layer makes sure that the data sent from one side of the connection is received in a format that is useful to the other side. For example, if the data is compressed by the sender prior to transmission, the Presentation Layer on the receiving end would have to decompress it before it can be used by the receiver. The Application Layer is responsible for interacting with the application to determine whether network services will be required. When a program requires access to the network, the Application Layer will manage requests from the program to the other layers down the stack. Why is all this important, and do you really need to memorize all this for an Introduction course? Well, only sort of. You need to have at least a passing familiarity with the OSI model because you will hear network engineers and vendors talk about “Layer 2 Switches” or “Layer 3 Protocols.” The layers they are referring to are the OSI model layers. Understanding basically what each layer does will go a long way in both understanding the conversation and securing your network services. 9 Information Security: The Big Picture - SANS GIAC © 2000 9 The TCP/IP Protocol Stack • Application • Transport • Internet • Network In comparison to the OSI protocol stack, the TCP/IP stack is much simpler. The TCP/IP model predates the OSI model and, as the underlying protocol of the Internet, is more widely used than OSI-based protocols. The TCP/IP stack only has four layers: the Application Layer, the Transport Layer, the Internet Layer, and the Network Access Layer. (Editor’s note: the four layers of the TCP/IP stack are sometimes referred to as the Application Layer, the Transport Layer, the Network Layer, and the Link Layer. – JEK) The definition of the TCP/IP layers is as follows: The Network Layer (sometimes called the Link Layer – ed.) defines how to access a specific network topology, for example Ethernet, Token Ring, etc. The Internet Layer (sometimes called the Network Layer – ed.) defines how datagrams are formatted and handles the routing of data through the network. Examples of Internet Layer protocols include IP and ICMP. The Transport Layer provides end-to-end data delivery service. This is the layer that assembles packets and sends them to the Internet layer for processing. Examples of Transport Layer protocols are TCP and UDP. Finally, the Application Layer consists of application programs and serves as the network interface into user applications. Examples of application layer service are Telnet, FTP, and DNS. 10 Information Security: The Big Picture - SANS GIAC © 2000 10 OSI vs. TCP/IP Application Presentation Session Transport Network Data Link Physical Application Transport (TCP) Internet (IP) Network OSI TCP/IP 7 6 5 4 3 2 1 This diagram shows a comparison between the OSI model and the TCP/IP model. As you can see, the OSI model has more granularity than the TCP/IP model. In addition, the OSI model chose to split apart some functionality that was combined in the TCP/IP model. For example, the Network Layer in the TCP/IP model comprises both the Physical Layer and the Data Link Layer in the OSI model. And the Application Layer in TCP/IP encompasses the Application, Presentation, and Session Layers of the OSI model. The OSI model is more detailed and more granular because it was designed to encompass protocols other than just TCP/IP. By creating more layers the designers of OSI made it easier to break down the functionality of each protocol and build more specific interfaces and linkages between the layers. Unless you plan on becoming a network engineer or a network application designer, it is not so important to remember each of the different layers in the two models, or even remember the functionality that each layer has. It is, however, important to know that no matter which model you use, it must perform all the functions required to take a piece of application data, place it into a packet, place that packet on the wire, and handle its safe and efficient delivery to its destination. [...]... sending the phrase “Hello There” to another computer The application program gives the “Hello There” to the Application Layer of the protocol stack The Application Layer creates an empty packet and places the “Hello There” inside of it The Application Layer then sends the packet to the Transport Layer The Transport Layer takes the packet and adds a header to it The header has all the information that the. .. of the layers below on its own host’s stack Each layer takes the information from the layer above it, examines it, adds its own information to it, then sends it to the next layer down the stack Once the packet reaches the bottom of the stack, it travels along the network wire to the remote host, then travels up the stack on the remote side At each layer of the remote stack, the packet is examined, the. .. Transport Layer on the other side of the connection needs to determine what to do with the packet Once the transport header is put on the packet it is given to the Internet Layer The Internet Layer puts another header in front of the packet Like the Transport layer before it, this header gives information for the Internet Layer on the other end Once this header is attached, the packet is sent to the Network... Port Number Information Security: The Big Picture - SANS GIAC © 2000 20 OK, so how does all this fit together? Well, each connection between two computers uses four pieces of information: - The IP address of the originating computer - The port number that the application used on the originating computer - The IP address of the destination computer - The port number of the application used on the destination... the organization’s public address and sends the packets on their way When the outside machine replies to the client, it sends the replies to the gateway machine The gateway machine remembers the private address of the originating computer and sends the reply packets there NAT also has some security benefits as well The first is through information hiding Because the gateway machine translates all the. .. the information that layer needs is removed and the packet is sent further up the stack Each layer removes only the information placed in the packet by the corresponding layer from the sending host’s stack For example, the Network Layer from Host B removes and examines the information placed in the packet by the Network Layer in Host A This is how protocol layers communicate with each other Through the. .. Are Generated “Hello There” “Hello There” Application Layer Transport Layer TCP Hdr “Hello There” IP TCP Hdr Hdr “Hello There” Internet Layer Eth IP TCP Hdr Hdr Hdr “Hello There” Network Layer Information Security: The Big Picture - SANS GIAC © 2000 11 This slide shows how a packet is generated as it moves through the stack To start, the Application Layer takes information from the application itself... Office is the computer, we can then say that the application running on the computer is called “Mail Delivery.” In the process of running “Mail Delivery” the people in the post office need a way to get mail to and from their customers Very often, they do this through the use of post office boxes In our analogy, the post office boxes are what we call ports in the networking world They are the way a... Physical Information Security: The Big Picture - SANS GIAC © 2000 Host B 12 The previous slide showed how a single stack handles the movement of data from the application program to the network In this slide we will look at how data is passed between stacks This slide uses the OSI model, but the process works the same way with the TCP/IP model When two computers need to communicate with each other, it... When the COM domain gives it the address of xyzcorp.com, the browser then goes to the xyzcorp.com domain and asks it where the www.xyzcorp.com machine is The xyzcorp.com domain responds with the address for the www.xyzcorp.com machine Once the browser gets that address, it then goes to the www.xyzcorp.com server and begins to interact directly with that machine The idea is that you repeatedly query the . 1 Information Security: The Big Picture - SANS GIAC © 2000 1 Information Security: The Big Picture – Part III Stephen Fried 2 Information Security: The. information to the people on the first floor. The people in the first floor actually go to the store, buy all the ingredients, and bring them back to the