Hands-On Network Security: Practical Tools & Methods
Security Training Course
Dr. Charles J. Antonelli
The University of Michigan
2012

Hands-On Network Security
Module 2: Network Fundamentals
Roadmap: Network Fundamentals
- The OSI 7-layer model
- OSI Layers 1-4 in detail: Ethernet and IP
- IP subnetting and routing
- Virtualizing the network
Focus on IPv4 and Ethernet
- IP is the dominant network protocol
- IPv6 not yet widely deployed
- Ethernet is ubiquitous
Some notes
- The basic principles apply to other protocols and other media
- As always, the devil is in the details
You are here: The OSI 7-layer model
The OSI model
- 7 - Application (HTML)
- 6 - Presentation (ASCII, JPEG)
- 5 - Session (ZIP, SCP)
- 4 - Transport (TCP, UDP)
- 3 - Network (IP, IPX, Appletalk)
- 2 - Data Link (Ethernet II, IEEE 802.2)
- 1 - Physical (100BaseT, 1000BaseSX)
The OSI model in pictures
- Users interact with layer 7
- Each layer interacts with adjacent layers
- Layers communicate with peer layers
Data encapsulation
- Headers and trailers are added or stripped as data moves down and up the stack
- Each layer's information is encapsulated by the next lower layer
An example
- Bold text on a web page
- => encapsulated by HTML (<B> Bold text </B>)
- => encoded as 8-bit ASCII
- => encapsulated in TCP, source port 80 (HTTP), destination port 12345
- => encapsulated in an IP packet from IP address 1.2.3.4 to 55.66.77.88
- => encapsulated in an Ethernet II frame from MAC address 1111.2222.3333 to 0123.4567.89ab
- => encoded as 4B/5B NRZI-3 100BaseTx
- => carried over Cat5e cable to your desktop
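The encapsulation chain above, carried out in code. This is an added example, not code from the course; it builds the TCP, IP and Ethernet II headers around the HTML bytes with the slide's addresses and ports (the dotted MAC notation is rewritten with colons, and the sequence numbers, IP ID and window are made-up values), then walks back up the stack checking each layer's integrity field. The physical-layer encoding is not modelled.

```python
import struct
import zlib

# Constructed values taken from the slide's example. The web server (port 80)
# is sending the HTML to the desktop (port 12345).
SRC_MAC, DST_MAC = "11:11:22:22:33:33", "01:23:45:67:89:ab"
SRC_IP, DST_IP = "1.2.3.4", "55.66.77.88"
SRC_PORT, DST_PORT = 80, 12345
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def inet_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (used by IP and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_ip, dst_ip, src_port, dst_port, data):
    """Layer 4: 20-byte TCP header (no options, PSH+ACK) in front of the data."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # The TCP checksum also covers a pseudo-header borrowed from layer 3
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, IPPROTO_TCP, len(hdr) + len(data))
    csum = inet_checksum(pseudo + hdr + data)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + data


def ipv4_packet(src_ip, dst_ip, payload, ttl=64):
    """Layer 3: 20-byte IPv4 header; its checksum covers the header only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, IPPROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ethernet_frame(src_mac, dst_mac, ethertype, payload):
    """Layer 2: Ethernet II header, padding to the 64-byte minimum, CRC-32 trailer."""
    frame = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload
    frame += b"\x00" * max(0, 60 - len(frame))          # 60 + 4-byte FCS = 64
    return frame + struct.pack("<I", zlib.crc32(frame))  # FCS goes on the wire LSB first


def encapsulate(html):
    data = html.encode("ascii")  # layer 6: 8-bit ASCII
    tcp = tcp_segment(SRC_IP, DST_IP, SRC_PORT, DST_PORT, data)
    ip = ipv4_packet(SRC_IP, DST_IP, tcp)
    return ethernet_frame(SRC_MAC, DST_MAC, ETHERTYPE_IPV4, ip)


def decapsulate(frame):
    """Strip the headers back off, verifying each layer's integrity field on the way."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body):
        raise ValueError("bad Ethernet FCS")
    dst_mac, src_mac, etype = body[:6], body[6:12], struct.unpack("!H", body[12:14])[0]
    if etype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = body[14:]
    ihl = (ip[0] & 0x0F) * 4
    if inet_checksum(ip[:ihl]) != 0:  # a correct header sums to zero
        raise ValueError("bad IP header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]  # trims any Ethernet padding
    ttl, proto = ip[8], ip[9]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "ttl": ttl, "proto": proto, "src_port": sport, "dst_port": dport,
        "payload": tcp[data_off:],
    }


if __name__ == "__main__":
    f = encapsulate("<B> Bold text </B>")
    print(len(f), "bytes on the wire")
    print(decapsulate(f))
```

The receiving side uses the IP total-length field, not the frame length, to find the end of the payload; that is what keeps the zero padding of a short frame from being handed up to TCP as data.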
Two missing layers
Layer 8: Users
- Vulnerable to social engineering
- Vulnerable to the Oops of death
- Vulnerable to ignorance, curiosity, evil
Layer 0: The environment
- Equipment has to sit somewhere
- Power has to come from somewhere
- Cables have to follow some path
- Everyone talks about the weather, but
You are here: OSI Layers 1-4 in detail: Ethernet and IP
Let's get physical
- Layer stack: 7 - Application, 6 - Presentation, 5 - Session, 4 - Transport, 3 - Network, 2 - Data Link, 1 - Physical
Layer 1 covers:
- Voltage / power levels
- Cable impedance, loss, dispersion
- RF frequency, power, modulation
- Bit encoding scheme
- Connectors and termination
- Clocking / timing / synchronization
- Collision detection / avoidance
- Speed / duplex negotiation
Layer 1 basics
Common media are:
- Copper (coax, twisted pair)
- Fiber (single-mode, multimode, WDM)
- RF (point-to-point or broadcast)
Common electronics are:
- Hubs (everyone hears everyone else)
- Switches (traffic is directed to the target)
- Media converters (wireless bridges, etc.)
Let's talk
- Layer stack: 7 - Application, 6 - Presentation, 5 - Session, 4 - Transport, 3 - Network, 2 - Data Link, 1 - Physical
Layer 2 - Data Link
- The Data Link layer provides reliable transit of data across the physical layer
- Physical addressing
- Error detection and notification
- Flow control
- Frame sequencing
Layer-2 framing
- Ethernet header has three or more fields:
  - Destination (MAC) address (6 bytes)
  - Source (MAC) address (6 bytes)
  - Type (Ethernet II; 2 bytes) or Length (IEEE 802.3; 2 bytes)
  - Other data (depending on frame type)
- Ethernet trailer is a 4-byte CRC
- Frame size between 64 bytes and 1518 bytes
Figure: Frame = Data link layer header | Upper layer data | Data link layer trailer
MAC addresses
- Unique to each network interface
  - Sometimes this rule is violated
- Ethernet: 6 bytes => 2.8 x 10^14 addresses
  - 3-byte Vendor code, 3-byte Device code
- Some protocols (e.g. DECnet) require user-programmable MAC addresses
- Destination address of all 1s is a layer-2 broadcast (i.e. "all devices") frame
Definition: LAN
- A LAN is a layer-2 network
  - Every device can directly reach every other device on the LAN
  - LANs are generally responsive
- A LAN is a single broadcast domain
  - A broadcast frame from any device will reach every other device on the LAN
  - LANs generally don't scale up well
Hubs / Repeaters
- Classic Ethernet is multiple access
  - Every box sees every frame
  - Each interface examines every frame header
  - Frame is discarded if destination MAC isn't either itself or a broadcast
- CSMA/CD - half duplex, collision detection
  - On collision, back off and try again later
- A hub is a multi-port repeater
  - In one port, out on all the others
Switches
- Switches snoop for MAC addresses to learn which devices are on which ports
  - If destination MAC is known, frame is directed out appropriate port
  - If destination MAC is unknown, frame is flooded out all ports (except ingress)
- Switches may (must?) buffer
  - Buffer overflow => dropped traffic
- Switches do not modify transiting frames
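The hub and switch behaviour of the last two slides as a small simulation. This is an added example, not from the course: the hub repeats every frame out every other port, while the switch learns source MACs into a MAC-to-port table and forwards, filters or floods based on it. Port numbers, MAC addresses and the frame sequence are constructed for the demonstration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Multi-port repeater: in one port, out on all the others."""

    def __init__(self, ports):
        self.ports = set(ports)

    def handle(self, src, dst, ingress):
        return sorted(self.ports - {ingress})


class LearningSwitch:
    """Snoops source MACs to build a MAC-to-port table, then forwards or floods."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def handle(self, src, dst, ingress):
        # Learn (or re-learn, if the station moved) the source MAC on this port
        self.mac_table[src] = ingress
        if dst == BROADCAST or dst not in self.mac_table:
            # Unknown unicast or broadcast: flood out all ports except the ingress
            return sorted(self.ports - {ingress})
        out = self.mac_table[dst]
        if out == ingress:
            return []  # source and destination share a segment: nothing to forward
        return [out]


def nic_accepts(own_mac, dst):
    """Each interface keeps only frames addressed to itself or to all stations."""
    return dst == own_mac or dst == BROADCAST


def run_conversation(device):
    """Constructed exchange: A (port 1) and B (port 2) talk; ports 3 and 4 are bystanders."""
    A, B = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
    frames = [
        (A, B, 1),          # A -> B before the device knows where B is
        (B, A, 2),          # B answers; a switch has already learned A
        (A, B, 1),          # now both ends are known
        (A, BROADCAST, 1),  # e.g. an ARP request: always reaches every port
    ]
    return [device.handle(src, dst, port) for src, dst, port in frames]


if __name__ == "__main__":
    print("hub   :", run_conversation(Hub([1, 2, 3, 4])))
    sw = LearningSwitch([1, 2, 3, 4])
    print("switch:", run_conversation(sw))
    print("table :", sw.mac_table)
```

The trace shows the switch's privacy advantage over a hub is only as good as its table: the first unicast frame to an unlearned destination is flooded to the bystander ports exactly as a hub would repeat it, and only the NIC filter (`nic_accepts`) keeps those stations from handing it up the stack.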
Starting to get abstract
- Layer stack: 7 - Application, 6 - Presentation, 5 - Session, 4 - Transport, 3 - Network, 2 - Data Link, 1 - Physical
OSI and the IP protocol suite
- The IP protocol suite maps onto the OSI model layers 2-7
- IP is the layer 3 part of the IP suite
- TCP/IP is a common (and incorrect!) synonym for IP
Layer 3 - Network
- Layer 3 adds logical addresses
  - One-to-one or many-to-one mapping of layer 3 to layer 2 addresses
- Other layer 3 functions include:
  - Fragmentation / reassembly
  - Sequencing
  - Priority / precedence / type-of-service
  - Time to live
Layer 3: IP packet header
- IP header includes:
  - Header length
  - Source & destination addresses
  - Priority
  - Fragmentation info
  - Header checksum
- Protocol field indicates what's inside the packet
Routers
- Routers exchange layer-3 information to learn which networks are reachable on which ports
  - If destination net is known, packet is directed out appropriate port
  - If destination net is unknown, packet is forwarded to default gateway
- Routers must buffer packets
  - Buffer overflow => dropped traffic
- Routers must modify transiting frames
  - Decrement packet TTL, update header checksum
  - Rewrite source / destination MAC, frame checksum
Layer 4: Transport
- IP protocols include:
  - ICMP
  - UDP & TCP
  - IGMP & PIM
  - ESP & L2TP
- UDP for one-way
- TCP for two-way
- ICMP for signalling
ARP - Address Resolution Protocol
- How do you send an IP packet to a machine whose MAC address you don't know?
- ARP request: Layer 2 broadcast
- ARP reply: Layer 2 unicast
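The request/reply exchange above with both sides' packets built and parsed. This is an added example, not from the course: two constructed hosts on one LAN, the 28-byte Ethernet/IPv4 ARP body laid out per RFC 826, the request addressed to the layer-2 broadcast and the reply sent unicast back to the asker. Having a host accept only replies to questions it actually asked is a design choice of this model, not something the slide specifies.

```python
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def arp_packet(op, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte ARP body: hw type 1 (Ethernet), proto 0x0800 (IPv4), 6-byte and 4-byte addresses."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(body):
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", body[:28])
    return {"op": op, "sender_mac": smac.hex(":"), "sender_ip": ".".join(map(str, sip)),
            "target_mac": tmac.hex(":"), "target_ip": ".".join(map(str, tip))}


class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.arp_cache = {}   # IP -> MAC
        self.pending = set()  # IPs asked about and not yet answered

    def resolve(self, ip):
        """Return (dst_mac, ethertype, body) of the frame to send, or None if ip is cached."""
        if ip in self.arp_cache:
            return None
        self.pending.add(ip)
        # Target MAC is unknown, so it is zeros; the frame itself goes to every station
        body = arp_packet(ARP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", ip)
        return BROADCAST_MAC, ETHERTYPE_ARP, body

    def receive(self, body):
        """Process an ARP body; return (dst_mac, ethertype, reply) when a reply is owed."""
        p = parse_arp(body)
        if p["op"] == ARP_REQUEST and p["target_ip"] == self.ip:
            self.arp_cache[p["sender_ip"]] = p["sender_mac"]  # the asker's mapping comes for free
            reply = arp_packet(ARP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
            return p["sender_mac"], ETHERTYPE_ARP, reply        # unicast, straight back
        if p["op"] == ARP_REPLY and p["target_ip"] == self.ip and p["sender_ip"] in self.pending:
            # Design choice in this model: only replies to our own outstanding requests are cached
            self.pending.discard(p["sender_ip"])
            self.arp_cache[p["sender_ip"]] = p["sender_mac"]
        return None


def exchange():
    """Constructed LAN: A resolves B, while C overhears the broadcast and stays quiet."""
    a = Host("aa:aa:aa:00:00:01", "1.2.3.4")
    b = Host("bb:bb:bb:00:00:02", "1.2.3.5")
    c = Host("cc:cc:cc:00:00:03", "1.2.3.6")
    req_dst, _, req = a.resolve("1.2.3.5")
    assert c.receive(req) is None          # not C's address: no reply
    rep_dst, _, rep = b.receive(req)       # B recognises its own IP
    a.receive(rep)                         # A now knows B's MAC
    return req_dst, rep_dst, a.arp_cache, b.arp_cache


if __name__ == "__main__":
    print(exchange())
```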
Putting it all together
- Layer 1: Ethernet preamble
- Layer 2: MAC source/destination, frame CRC
- Layer 3: IP source/destination, header checksum
- Layer 4: Protocol/port numbers, packet checksum (maybe)
You are here: IP subnetting and routing
IP nets and subnetting
- Classful networks come in three sizes
  - Class A (16,777,216 addresses) - 0.x.x.x - 127.x.x.x
    - e.g. Apple 17.0.0.0-17.255.255.255
  - Class B (65,536 addresses) - 128.x.x.x - 191.x.x.x
    - e.g. Oakland U. 141.210.0.0-141.210.255.255
  - Class C (256 addresses) - 192.x.x.x - 223.x.x.x
    - e.g. Ernst & Young (Belgium) 195.0.0.0-195.0.0.255
- Class D range is used for Multicast
  - 224.x.x.x - 239.x.x.x
- Several special networks are defined
  - 127.x.x.x, 169.254.x.x, 192.0.2.x are special-purpose
  - Private IP - 10.x.x.x, 172.<16-31>.x.x, 192.168.x.x
IP nets and subnetting
- Classful addressing can be very wasteful
  - Did Merit (35.x.x.x) really need 16 million addresses?
- Subnetting divides address space into smaller chunks
  - Major nets are assigned to organizations
  - Subnets are assigned within organizations
- Anything within your subnet is local
- Anything outside your subnet passes through the default gateway (i.e. a router)
- Net and subnet sizes must be powers of 2
IP nets and subnetting
- Net (subnet) mask
  - 1 indicates network part of address
  - 0 indicates host part of address
  - Usually represented in decimal, e.g. 255.255.255.0
- CIDR (Classless Inter-Domain Routing) notation: /nn
  - nn is the number of 1 bits in the mask
  - /24 = 255.255.255.0 = 11111111.11111111.11111111.00000000
- Subnets typically contain 4-1024 addresses
  - i.e. a mask of /30 to /22
- Network must begin on appropriate power-of-2 boundary
  - 141.211.40.0/22 (= 141.211.<40-43>.x) is OK
  - 141.211.42.0/22 => 141.211.42.0/23 + 141.211.44.0/23
IP nets and subnetting
- UM's major nets (CIDR blocks) include:
  - 141.211.0.0/16 (255.255.0.0) UMnet
  - 141.212.0.0/16 (255.255.0.0) CAEN
  - 141.213.0.0/17 (255.255.128.0) CAEN
  - 141.213.128.0/17 (255.255.128.0) UMnet
  - 141.214.0.0/16 (255.255.0.0) UMHS
  - 141.215.0.0/16 (255.255.0.0) Dearborn
  - 141.216.0.0/16 (255.255.0.0) Flint
  - 198.108.8.0/21 (255.255.248.0) VOIP
  - 207.75.144.0/20 (255.255.240.0) Off-campus
  - 67.194.0.0/17 (255.255.128.0) Wireless
  - 35.0.0.0/16 (255.255.0.0) Guest Access
- Some UM subnet examples:
  - 141.211.28.0/22 (255.255.252.0) V-BUSAD
  - 207.75.156.32/27 (255.255.255.224) E-DEVEL-CA
IP nets and subnetting
- An IP subnet has three broadcast addresses:
  - Local IP broadcast: 255.255.255.255
  - Subnet directed broadcast: <IP Subnet>.<all 1s>
  - Subnet address: <IP Subnet>.<all 0s>
- Ex: 141.211.28.0/22 = 141.211.<28.0-31.255>
  - Local broadcast: 255.255.255.255
  - Normal host address: 141.211.28.255
  - Directed broadcast: 141.211.31.255
- Local broadcasts are not forwarded by routers
- Directed broadcasts might be forwarded
- All 0s broadcast is deprecated
Switching vs. Routing
- Switches forward traffic within subnets
- Routers forward traffic between subnets
- Routers must rewrite headers
  - TTL decrements on each hop
  - Header checksum changes
  - Source/dest. MACs change with each hop
  - Frame CRC changes
- Routers may need to fragment packets
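The header rewrite a router performs on every transiting packet, as described on this slide and on the Routers slide. This is an added example, not from the course: a constructed Ethernet II + IPv4 header (UDP, no payload, made-up MACs and 10.x addresses) is passed through one hop, which checks the incoming checksum, decrements the TTL, patches the checksum incrementally with the RFC 1624 formula rather than recomputing it, and rewrites both MACs. The frame CRC is left out of this model; a real router recomputes it too.

```python
import struct


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def inet_checksum(data):
    """RFC 1071 ones'-complement sum; a header with a correct checksum sums to zero."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), bytes(data)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, ttl):
    """20-byte header, protocol 17 (UDP), total length 20 (no payload in this model)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, ttl, 17, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def make_frame(ttl, src_mac="aa:aa:aa:00:00:01", dst_mac="cc:cc:cc:00:00:01"):
    """Constructed input: a host's frame addressed to its default gateway's MAC."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ipv4_header("10.1.1.5", "10.2.2.9", ttl)


def incremental_checksum(old_csum, old_word, new_word):
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), touching only the 16-bit word that changed."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def route_hop(frame, router_mac, next_hop_mac):
    """Forward one hop. Returns the rewritten frame, or None when the TTL expires here
    (a real router then drops the packet and sends ICMP Time Exceeded)."""
    eth, ip = frame[:14], bytearray(frame[14:])
    if inet_checksum(ip[:20]) != 0:
        raise ValueError("corrupt header checksum: drop")
    ttl = ip[8]
    if ttl <= 1:
        return None
    # TTL shares a 16-bit word with the protocol field; patch checksum for that word only
    old_word = struct.unpack("!H", ip[8:10])[0]
    ip[8] = ttl - 1
    new_word = struct.unpack("!H", ip[8:10])[0]
    old_csum = struct.unpack("!H", ip[10:12])[0]
    ip[10:12] = struct.pack("!H", incremental_checksum(old_csum, old_word, new_word))
    # Layer-2 addresses are per hop: source becomes the router's egress MAC,
    # destination becomes the next hop. Layer-3 addresses are untouched.
    new_eth = mac_bytes(next_hop_mac) + mac_bytes(router_mac) + eth[12:14]
    return new_eth + bytes(ip)


if __name__ == "__main__":
    out = route_hop(make_frame(64), "cc:cc:cc:00:00:02", "dd:dd:dd:00:00:01")
    print("TTL after hop:", out[14 + 8], "checksum ok:", inet_checksum(out[14:34]) == 0)
```

Because the ones'-complement sum is linear, the incremental result equals a full recomputation over the new header; the test below checks exactly that, which is the property a packet-inspection tool relies on when it validates headers mid-path.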
Routing
- Routers exchange information on what IP networks ("prefixes") they can reach
- Routing decisions are based on metrics such as path bandwidth (OSPF), hop count (RIP), or congestion (EIGRP), or on explicit policy (Reshall-via-Packeteer)
- Internet routing table: >250,000 prefixes
- UMnet routing table: >1200 prefixes
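The subnetting arithmetic of the preceding slides and the two forwarding decisions that follow from it (a host's "local or via the default gateway" choice, and a router's longest-prefix match over its prefix table), in code. This is an added example, not from the course; it uses Python's standard `ipaddress` module. The prefix table is copied from the slides' UM examples, while the host addresses and the gateway fed to it are constructed.

```python
import ipaddress

# Prefixes from the slides: two major nets with a subnet carved out of each
UM_PREFIXES = {
    "141.211.0.0/16": "UMnet",
    "141.213.0.0/17": "CAEN",
    "141.213.128.0/17": "UMnet",
    "207.75.144.0/20": "Off-campus",
    "141.211.28.0/22": "V-BUSAD",      # inside 141.211.0.0/16
    "207.75.156.32/27": "E-DEVEL-CA",  # inside 207.75.144.0/20
}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def subnet_facts(cidr):
    """Mask, network (all-0s) address, directed (all-1s) broadcast and host range."""
    net = ipaddress.ip_network(cidr)  # strict by default: rejects host bits set in the network part
    return {"mask": str(net.netmask), "prefixlen": net.prefixlen,
            "network": str(net.network_address),
            "directed_broadcast": str(net.broadcast_address),
            "first_host": str(net.network_address + 1),
            "last_host": str(net.broadcast_address - 1),
            "usable_hosts": net.num_addresses - 2}


def address_role(cidr, addr):
    """Classify an address relative to a subnet, as the broadcast slide does."""
    net = ipaddress.ip_network(cidr)
    a = ipaddress.ip_address(addr)
    if a == LIMITED_BROADCAST:
        return "local broadcast"
    if a not in net:
        return "outside subnet"
    if a == net.network_address:
        return "subnet address (all-0s broadcast, deprecated)"
    if a == net.broadcast_address:
        return "directed broadcast"
    return "host"


def aligned_blocks(cidr):
    """A net must start on a power-of-2 boundary; return the aligned block(s) that cover
    the same range (a single block when the input is already aligned)."""
    addr, plen = cidr.split("/")
    first = ipaddress.ip_address(addr)
    last = first + (2 ** (32 - int(plen)) - 1)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def next_hop(iface_cidr, dst, default_gateway):
    """Host-side decision: on-link destinations are reached directly (ARP for them);
    everything else is handed to the default gateway."""
    iface = ipaddress.ip_interface(iface_cidr)
    if ipaddress.ip_address(dst) in iface.network:
        return "direct"
    return default_gateway


def longest_prefix_match(table, dst):
    """Router-side decision: the most specific matching prefix wins; no match means default route."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, name in table.items():
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return (str(best[0]), best[1]) if best else ("0.0.0.0/0", "default")


if __name__ == "__main__":
    print(subnet_facts("141.211.28.0/22"))
    print(aligned_blocks("141.211.42.0/22"))
    print(longest_prefix_match(UM_PREFIXES, "141.211.29.7"))
```

`aligned_blocks` generalises the slide's one case: for any unaligned start it returns the set of aligned CIDR blocks covering the requested range, which is why 141.211.42.0/22 comes back as the two /23s the slide lists.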
You are here: Virtualizing the network
VLANs
- People / groups / units change, move, grow, split, share space
- Separate physical LANs are expensive to build and maintain
- VLANs allow logically independent nets to share a common physical network
- Like physical LANs, each VLAN is a separate (layer 2) broadcast domain
VLANs in switches
- Each VLAN is assigned a VLAN ID
- Access ports are assigned to one VLAN
- Trunk ports can carry multiple VLANs; each frame is tagged with the VLAN ID
- Gotchas:
  - Some switches don't support VLANs
  - Some switches don't support trunking
  - Switches support different numbers of VLANs
  - Switches support different tagging schemes
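The access-port and trunk-port handling described above, with the IEEE 802.1Q tag (one of the tagging schemes the slide alludes to) inserted and removed on the wire. This is an added example, not from the course: the frame bytes, VLAN IDs and port configuration are constructed, and the model deliberately drops untagged frames arriving on a trunk rather than modelling a native VLAN.

```python
import struct

TPID_8021Q = 0x8100  # tag protocol identifier that takes the place of the EtherType


def tag_frame(frame, vlan_id, priority=0):
    """Insert the 4-byte 802.1Q tag after the source MAC (what a trunk port does on egress)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    tci = (priority << 13) | vlan_id  # 3-bit priority, 1-bit DEI (0), 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Return (vlan_id, frame without tag); vlan_id is None when no tag is present."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


class VlanPort:
    def __init__(self, mode, vlan=None, allowed=()):
        self.mode = mode          # "access" or "trunk"
        self.vlan = vlan          # the single VLAN of an access port
        self.allowed = set(allowed)  # VLANs a trunk is configured to carry


def ingress(port, frame):
    """Assign an arriving frame to a VLAN: (vlan_id, untagged frame), or None to drop it."""
    vid, plain = untag_frame(frame)
    if port.mode == "access":
        # An access port never accepts tagged frames; everything it receives is its own VLAN
        return None if vid is not None else (port.vlan, plain)
    if vid is None or vid not in port.allowed:
        return None  # untagged, or a VLAN this trunk is not configured for
    return vid, plain


def egress(port, vlan_id, plain):
    """Frame to transmit on this port for the given VLAN, or None if the port does not carry it."""
    if port.mode == "access":
        return plain if port.vlan == vlan_id else None
    return tag_frame(plain, vlan_id) if vlan_id in port.allowed else None


# Constructed frame: dst MAC, src MAC, EtherType IPv4, then 20 filler bytes
SAMPLE = bytes.fromhex("0123456789ab" "111122223333" "0800") + b"\x45" * 20


def forward(in_port, out_port, frame):
    """One switch pass: classify on ingress, then emit for the chosen output port."""
    classified = ingress(in_port, frame)
    if classified is None:
        return None
    vid, plain = classified
    return egress(out_port, vid, plain)


if __name__ == "__main__":
    access100 = VlanPort("access", vlan=100)
    trunk = VlanPort("trunk", allowed=[100, 200])
    out = forward(access100, trunk, SAMPLE)
    print("tagged on trunk:", out[12:16].hex(), "VLAN", untag_frame(out)[0])
```

Because access ports strip and refuse tags while trunks require them, a station on an access port cannot choose its own VLAN by emitting a tagged frame; the port configuration, not the frame, decides membership.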
UMnet backbone diagram (04/12)
- http://www.itcom.itd.umich.edu/backbone/
cja 2012
UMnet VLAN configuration
Figure: at the access layer, IP telephones (VOIP VLAN), workstations (Data VLAN) and wireless APs (Wireless VLAN) connect to access-layer switches; a VLAN trunk carries the VLANs up to the distribution layer, which connects to the UMnet backbone.