Network Security Fundamentals
Security Training Course
Dr. Charles J. Antonelli
The University of Michigan
2013

Network Security Fundamentals
Module 2: Network Fundamentals

Roadmap
- Network Fundamentals
  - The OSI 7-layer model
  - OSI Layers 1-4 in detail: Ethernet and IP
  - IP subnetting and routing
  - Virtualizing the network
Focus on IPv4 and Ethernet
- IP is the dominant network protocol
  - IPv6 not yet widely deployed
- Ethernet is ubiquitous
- Some notes
  - The basic principles apply to other protocols and other media
  - As always, the devil is in the details

You are here: Network Fundamentals / The OSI 7-layer model / OSI Layers 1-4 in detail: Ethernet and IP / IP subnetting and routing / Virtualizing the network

The OSI model
- 7 - Application (HTML)
- 6 - Presentation (ASCII, JPEG)
- 5 - Session (ZIP, SCP)
- 4 - Transport (TCP, UDP)
- 3 - Network (IP, IPX, AppleTalk)
- 2 - Data Link (Ethernet II, IEEE 802.2)
- 1 - Physical (100BaseT, 1000BaseSX)
The OSI model in pictures
- Users interact with layer 7
- Each layer interacts with adjacent layers
- Layers communicate with peer layers

Data encapsulation
- Headers and trailers are added or stripped as data moves down and up the stack
- Each layer's information is encapsulated by the next lower layer

An example
- Bold text on a web page
  => encapsulated by HTML (<B>Bold text</B>)
  => encoded as 8-bit ASCII
  => encapsulated in TCP, source port 80 (HTTP), destination port 12345
  => encapsulated in an IP packet from IP address 1.2.3.4 to 55.66.77.88
  => encapsulated in an Ethernet II frame from MAC address 1111.2222.3333 to 0123.4567.89ab
  => encoded as 4B/5B NRZI-3 100BaseTX
  => carried over Cat5e cable to your desktop
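The encapsulation walk-through above can be run as code. The following Python is an added example written for these notes; it is not part of the course material. It takes the slide's constructed values (the HTML fragment, ports 80 and 12345, addresses 1.2.3.4 and 55.66.77.88, the two MAC addresses) and wraps them layer by layer into a TCP segment, an IPv4 packet and an Ethernet II frame, then peels the frame apart again, checking the FCS and the IP header checksum on the way up. The sequence number, IP identification and TCP flags are filled with placeholder values of my own choosing; layer 1 encoding (4B/5B, the preamble) is outside what bytes can show.

```python
import struct
import zlib

# Constructed sample values, copied from the slide's walk-through
HTML_PAYLOAD = b"<B>Bold text</B>"
SRC_MAC, DST_MAC = "1111.2222.3333", "0123.4567.89ab"   # Cisco dotted form, as on the slide
SRC_IP, DST_IP = "1.2.3.4", "55.66.77.88"
SRC_PORT, DST_PORT = 80, 12345

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def mac_to_bytes(dotted):
    """'1111.2222.3333' -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def ip_to_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def internet_checksum(data):
    """RFC 1071 one's-complement checksum used by the IP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_segment(payload, src_ip, dst_ip):
    """Layer 4: 20-byte TCP header (placeholder seq/ack of 0, PSH+ACK) in front of the payload."""
    header = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    # TCP's checksum also covers a pseudo-header borrowed from layer 3
    pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack(
        "!BBH", 0, IPPROTO_TCP, len(header) + len(payload))
    csum = internet_checksum(pseudo + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def ip_packet(segment, src_ip, dst_ip):
    """Layer 3: 20-byte IPv4 header (no options); the protocol field says 'TCP inside'."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                         64, IPPROTO_TCP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    csum = internet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + segment


def ethernet_frame(packet, src_mac, dst_mac):
    """Layer 2: Ethernet II header (dst, src, type) plus the 4-byte CRC-32 trailer (FCS)."""
    header = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    body = packet + b"\x00" * max(0, 46 - len(packet))   # pad up to the 64-byte minimum frame
    fcs = struct.pack("<I", zlib.crc32(header + body))     # FCS goes on the wire LSB first
    return header + body + fcs


def build_frame():
    """Run the slide's example top-down: HTML -> TCP -> IP -> Ethernet."""
    return ethernet_frame(ip_packet(tcp_segment(HTML_PAYLOAD, SRC_IP, DST_IP),
                                    SRC_IP, DST_IP), SRC_MAC, DST_MAC)


def decapsulate(frame):
    """Walk back up the stack, checking each layer's integrity field on the way."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        raise ValueError("bad FCS: frame would be discarded at layer 2")
    dst_mac, src_mac, ethertype = body[:6], body[6:12], struct.unpack("!H", body[12:14])[0]
    ip = body[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if internet_checksum(ip[:ihl]) != 0:   # a header with a correct checksum sums to zero
        raise ValueError("bad IP header checksum")
    ip = ip[:total_len]                     # strip any Ethernet padding
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {
        "dst_mac": dst_mac.hex(), "src_mac": src_mac.hex(), "ethertype": ethertype,
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "src_port": sport, "dst_port": dport, "payload": tcp[data_offset:],
    }


if __name__ == "__main__":
    print(decapsulate(build_frame()))
```

The 16-byte HTML fragment ends up inside a 74-byte frame: each layer adds its own header (and layer 2 its trailer) without looking inside the data it carries, which is exactly the point the slide makes.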
Two missing layers
- Layer 8: Users
  - Vulnerable to social engineering
  - Vulnerable to the "Oops of death"
  - Vulnerable to ignorance, curiosity, evil
- Layer 0: The environment
  - Equipment has to sit somewhere
  - Power has to come from somewhere
  - Cables have to follow some path
  - Everyone talks about the weather, but...

You are here: Network Fundamentals / The OSI 7-layer model / OSI Layers 1-4 in detail: Ethernet and IP / IP subnetting and routing / Virtualizing the network

Let's get physical (OSI layer ladder: 7 - Application, 6 - Presentation, 5 - Session, 4 - Transport, 3 - Network, 2 - Data Link, 1 - Physical)
Layer 1 covers:
- Voltage / power levels
- Cable impedance, loss, dispersion
- RF frequency, power, modulation
- Bit encoding scheme
- Connectors and termination
- Clocking / timing / synchronization
- Collision detection / avoidance
- Speed / duplex negotiation

Layer 1 basics
- Common media are:
  - Copper (coax, twisted pair)
  - Fiber (single-mode, multimode, WDM)
  - RF (point-to-point or broadcast)
- Common electronics are:
  - Hubs (everyone hears everyone else)
  - Switches (traffic is directed to the target)
  - Media converters (wireless bridges, etc.)

Let's talk (OSI layer ladder: 7 - Application, 6 - Presentation, 5 - Session, 4 - Transport, 3 - Network, 2 - Data Link, 1 - Physical)
Layer 2 - data link
- The Data Link layer provides reliable transit of data across the physical layer
  - Physical addressing
  - Error detection and notification
  - Flow control
  - Frame sequencing

Layer-2 framing
- Ethernet header has three or more fields:
  - Destination (MAC) address (6 bytes)
  - Source (MAC) address (6 bytes)
  - Type (Ethernet II; 2 bytes) or Length (IEEE 802.3; 2 bytes)
  - Other data (depending on frame type)
- Ethernet trailer is a 4-byte CRC
- Frame size between 64 bytes and 1518 bytes
- (Figure) Frame = data link layer header | upper layer data | data link layer trailer

MAC addresses
- Unique to each network interface
  - Sometimes this rule is violated
- Ethernet: 6 bytes => 2.8 x 10^14 addresses
  - 3-byte vendor code, 3-byte device code
- Some protocols (e.g. DECnet) require user-programmable MAC addresses
- Destination address of all 1s is a layer-2 broadcast (i.e. "all devices") frame
Definition: LAN
- A LAN is a layer-2 network
  - Every device can directly reach every other device on the LAN
  - LANs are generally responsive
- A LAN is a single broadcast domain
  - A broadcast frame from any device will reach every other device on the LAN
  - LANs generally don't scale up well

Hubs / Repeaters
- Classic Ethernet is multiple access
  - Every box sees every frame
  - Each interface examines every frame header
  - Frame is discarded if destination MAC isn't either itself or a broadcast
- CSMA/CD - half duplex, collision detection
  - On collision, back off and try again later
- A hub is a multi-port repeater
  - In one port, out on all the others

Switches
- Switches snoop for MAC addresses to learn which devices are on which ports
  - If destination MAC is known, frame is directed out appropriate port
  - If destination MAC is unknown, frame is flooded out all ports (except ingress)
- Switches may (must?) buffer
  - Buffer overflow => dropped traffic
- Switches do not modify transiting frames
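The hub and switch behaviour described on these two slides, written out as a small forwarding model. This is an added example for these notes, not code from the course; it treats frames as (ingress port, source MAC, destination MAC) triples and returns the ports a frame goes out of, so the difference between a repeater (everything out every other port), a learning switch (learn the source on ingress, direct known destinations, flood unknown ones and broadcasts) and the per-interface filter on the receiving station is visible in the return values. Port numbers and MAC strings are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"   # all-ones destination: every station accepts it


class Hub:
    """Multi-port repeater: in one port, out on all the others. Nothing is learned."""

    def __init__(self, ports):
        self.ports = set(range(1, ports + 1))

    def forward(self, ingress, src, dst):
        return sorted(self.ports - {ingress})


class LearningSwitch:
    """Snoops source MACs to build a port table, then directs or floods each frame."""

    def __init__(self, ports):
        self.ports = set(range(1, ports + 1))
        self.table = {}          # MAC -> port the switch last saw it on

    def forward(self, ingress, src, dst):
        """Return the egress port list for one frame, learning src along the way."""
        if ingress not in self.ports:
            raise ValueError("no such port")
        # Learn (or re-learn, if the station moved) which port src sits behind
        self.table[src] = ingress
        if dst == BROADCAST or dst not in self.table:
            return sorted(self.ports - {ingress})   # flood everywhere except where it came in
        out = self.table[dst]
        # Destination lives on the ingress segment: the frame is filtered, not forwarded
        return [] if out == ingress else [out]


def station_accepts(own_mac, dst):
    """Each interface keeps a frame only if it is addressed to itself or to everyone."""
    return dst == own_mac or dst == BROADCAST


def scenario():
    """Replay a short exchange on a 4-port switch and return what each frame did."""
    sw = LearningSwitch(4)
    return [
        sw.forward(1, "aa", "bb"),          # bb unknown: flooded to ports 2, 3, 4
        sw.forward(2, "bb", "aa"),          # aa already learned on port 1: directed
        sw.forward(3, "cc", BROADCAST),     # broadcast: flooded
        sw.forward(4, "aa", "bb"),          # aa moved to port 4; bb known on 2
        sw.forward(4, "ee", "aa"),          # aa is on the ingress port itself: filtered
    ]


if __name__ == "__main__":
    print(Hub(4).forward(1, "aa", "bb"))
    print(scenario())
```

Run against a hub, every frame reaches every station and only the interface filter keeps other people's traffic out of the host; run against the switch, a station only sees traffic addressed to it, to everyone, or to a destination the switch has not learned yet. That last case, flooding of unknown unicast, is why a switched LAN is still a single broadcast domain and not a privacy boundary.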
Starting to get abstract (OSI layer ladder: 7 - Application, 6 - Presentation, 5 - Session, 4 - Transport, 3 - Network, 2 - Data Link, 1 - Physical)

OSI and the IP protocol suite
- The IP protocol suite maps onto the OSI model layers 2-7
- IP is the layer 3 part of the IP suite
- TCP/IP is a common (and incorrect!) synonym for IP

Layer 3 - Network
- Layer 3 adds logical addresses
  - One-to-one or many-to-one mapping of layer 3 to layer 2 addresses
- Other layer 3 functions include:
  - Fragmentation / reassembly
  - Sequencing
  - Priority / precedence / type-of-service
  - Time to live
Layer 3: IP packet header
- IP header includes:
  - Header length
  - Source & destination addresses
  - Priority
  - Fragmentation info
  - Header checksum
- Protocol field indicates what's inside the packet

Routers
- Routers exchange layer-3 information to learn which networks are reachable on which ports
  - If destination net is known, packet is directed out appropriate port
  - If destination net is unknown, packet is forwarded to default gateway
- Routers must buffer packets
  - Buffer overflow => dropped traffic
- Routers must modify transiting frames
  - Decrement packet TTL, update header checksum
  - Rewrite source / destination MAC, frame checksum

Layer 4: Transport
- IP protocols include:
  - ICMP
  - UDP & TCP
  - IGMP & PIM
  - ESP & L2TP
- UDP for one-way
- TCP for two-way
- ICMP for signalling
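The per-hop rewrite the Routers slide lists (decrement TTL, update the header checksum, rewrite both MACs, recompute the frame CRC) is shown below on a constructed frame. This is an added example for these notes, not code from the course or from any router vendor. The checksum is patched incrementally using the RFC 1624 formula (only the 16-bit word holding TTL and protocol changes), which is how real forwarding paths avoid re-summing the whole header; the full RFC 1071 sum is kept only to verify incoming headers. The sample addresses, the router's interface MAC and the next-hop MAC are all made up.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800


def internet_checksum(data):
    """RFC 1071 one's-complement sum; a header with a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_sample_frame(ttl, payload=b"\x00" * 8):
    """Constructed test input: Ethernet II frame with a minimal IPv4 header (protocol 17, UDP)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, ttl, 17, 0,
                     bytes([10, 0, 1, 5]), bytes([192, 0, 2, 9]))
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:] + payload
    hdr = bytes.fromhex("0000aa000001") + bytes.fromhex("0000bb000001") + struct.pack("!H", ETHERTYPE_IPV4)
    body = hdr + ip + b"\x00" * max(0, 46 - len(ip))      # pad to the 64-byte minimum
    return body + struct.pack("<I", zlib.crc32(body))


def route_one_hop(frame, router_mac, next_hop_mac):
    """Apply one router hop to a frame. Returns the rewritten frame, or None if it is dropped."""
    body = frame[:-4]
    if zlib.crc32(body) != struct.unpack("<I", frame[-4:])[0]:
        return None                      # damaged at layer 2: discard
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPV4:
        return None                      # not IPv4: nothing for this router to do
    ip = body[14:]
    ihl = (ip[0] & 0x0F) * 4
    if internet_checksum(ip[:ihl]) != 0:
        return None                      # bad header checksum: discard
    ttl, proto = ip[8], ip[9]
    if ttl <= 1:
        return None                      # TTL would hit 0: drop (a real router also sends ICMP Time Exceeded)
    new_ttl = ttl - 1
    # Incremental checksum update, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), m = old TTL/proto word
    old_hc = struct.unpack("!H", ip[10:12])[0]
    m, m_new = (ttl << 8) | proto, (new_ttl << 8) | proto
    s = (~old_hc & 0xFFFF) + (~m & 0xFFFF) + m_new
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    new_hc = ~s & 0xFFFF
    new_ip = ip[:8] + bytes([new_ttl, proto]) + struct.pack("!H", new_hc) + ip[12:]
    # Layer-2 rewrite: next hop becomes the destination, the router's own interface the source
    new_body = (bytes.fromhex(next_hop_mac.replace(":", ""))
                + bytes.fromhex(router_mac.replace(":", ""))
                + body[12:14] + new_ip)
    return new_body + struct.pack("<I", zlib.crc32(new_body))   # fresh FCS


def ttl_of(frame):
    """TTL byte of the IPv4 header inside an Ethernet II frame."""
    return frame[14 + 8]


if __name__ == "__main__":
    out = route_one_hop(build_sample_frame(64), "00:00:cc:00:00:01", "00:00:dd:00:00:01")
    print(ttl_of(out), out[:12].hex())
```

Because every hop re-verifies the header checksum before touching it, chaining `route_one_hop` 63 times from a TTL of 64 also checks that the incremental update agrees with the full sum at every step; the 64th hop returns None, which is the behaviour traceroute relies on.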
ARP - Address Resolution Protocol
- How do you send an IP packet to a machine whose MAC address you don't know?
- ARP request: layer 2 broadcast
- ARP reply: layer 2 unicast

Putting it all together
- Layer 1: Ethernet preamble
- Layer 2: MAC source/destination, frame CRC
- Layer 3: IP source/destination, header CRC
- Layer 4: Protocol/port numbers, packet CRC (maybe)

You are here: Network Fundamentals / The OSI 7-layer model / OSI Layers 1-4 in detail: Ethernet and IP / IP subnetting and routing / Virtualizing the network
IP nets and subnetting
- Classful networks come in three sizes
  - Class A (16,777,216 addresses) - 0.x.x.x - 127.x.x.x
    e.g. Apple 17.0.0.0-17.255.255.255
  - Class B (65,536 addresses) - 128.x.x.x - 191.x.x.x
    e.g. Oakland U. 141.210.0.0-141.210.255.255
  - Class C (256 addresses) - 192.x.x.x - 223.x.x.x
    e.g. Ernst & Young (Belgium) 195.0.0.0-195.0.0.255
- Class D range is used for multicast
  - 224.x.x.x - 239.x.x.x
- Several special networks are defined
  - 127.x.x.x, 169.254.x.x, 192.0.2.x are special-purpose
  - Private IP - 10.x.x.x, 172.<16-31>.x.x, 192.168.x.x

IP nets and subnetting
- Classful addressing can be very wasteful
  - Did Merit (35.x.x.x) really need 16 million addresses?
- Subnetting divides address space into smaller chunks
  - Major nets are assigned to organizations
  - Subnets are assigned within organizations
- Anything within your subnet is local
- Anything outside your subnet passes through the default gateway (i.e. a router)
- Net and subnet sizes must be powers of 2

IP nets and subnetting
- Net (subnet) mask
  - 1 indicates network part of address
  - 0 indicates host part of address
  - Usually represented in decimal, e.g. 255.255.255.0
- CIDR (Classless Inter-Domain Routing) notation: /nn
  - nn is the number of 1 bits in the mask
  - /24 = 255.255.255.0 = 11111111.11111111.11111111.00000000
- Subnets typically contain 4-1024 addresses
  - i.e. a mask of /30 to /22
- Network must begin on appropriate power-of-2 boundary
  - 141.211.40.0/22 (= 141.211.<40-43>.x) is OK
  - 141.211.42.0/22 => 141.211.42.0/23 + 141.211.44.0/23
IP nets and subnetting
- An IP subnet has three broadcast addresses:
  - Local IP broadcast: 255.255.255.255
  - Subnet directed broadcast: <IP Subnet>.<all 1s>
  - Subnet address: <IP Subnet>.<all 0s>
- Ex: 141.211.28.0/22 = 141.211.<28.0-31.255>
  - Local broadcast: 255.255.255.255
  - Normal host address: 141.211.28.255
  - Directed broadcast: 141.211.31.255
- Local broadcasts are not forwarded by routers
- Directed broadcasts might be forwarded
- All 0s broadcast is deprecated

Switching vs. Routing
- Switches forward traffic within subnets
- Routers forward traffic between subnets
- Routers must rewrite headers
  - TTL decrements on each hop
  - Header checksum changes
  - Source/dest. MACs change with each hop
  - Frame CRC changes
- Routers may need to fragment packets

Routing
- Routers exchange information on what IP networks ("prefixes") they can reach
- Routing decisions are based on metrics such as path bandwidth (OSPF), hop count (RIP), or congestion (EIGRP), or on explicit policy (Reshall-via-Packeteer)
- Internet routing table > 250,000 prefixes
- UMnet routing table > 1200 prefixes
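A subnet calculator covering the four "IP nets and subnetting" slides above: mask from /nn, classful class of an address, the three broadcast forms, the power-of-2 boundary rule (with the slide's 141.211.42.0/22 split into two /23s) and the local-versus-default-gateway decision. This is an added example written for these notes, not code from the course. The bit arithmetic is done by hand so the mask logic is visible; Python's standard `ipaddress` module is used only to cross-check the boundary split. Host addresses such as 141.211.28.10 are constructed.

```python
import ipaddress


def ip_to_int(dotted):
    a, b, c, d = (int(o) for o in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_int(nn):
    """nn one-bits followed by (32 - nn) zero-bits."""
    return (0xFFFFFFFF << (32 - nn)) & 0xFFFFFFFF


def prefix_to_mask(nn):
    """/nn -> dotted-decimal mask, e.g. /24 -> 255.255.255.0."""
    return int_to_ip(mask_int(nn))


def classful_class(dotted):
    """Old classful size by first octet, using the ranges given on the slide."""
    first = ip_to_int(dotted) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D" if first < 240 else "E"


def is_aligned(cidr):
    """True if the network address sits on a /nn power-of-2 boundary."""
    addr, nn = cidr.split("/")
    return ip_to_int(addr) % (1 << (32 - int(nn))) == 0


def subnet_info(cidr):
    """Network, mask, size and the three broadcast forms from the slide."""
    if not is_aligned(cidr):
        raise ValueError(f"{cidr} does not start on a power-of-2 boundary")
    addr, nn = cidr.split("/")
    nn, a = int(nn), ip_to_int(addr)
    host_bits = (~mask_int(nn)) & 0xFFFFFFFF
    return {
        "network": int_to_ip(a),
        "mask": prefix_to_mask(nn),
        "addresses": 1 << (32 - nn),
        "local_broadcast": "255.255.255.255",          # never forwarded by routers
        "directed_broadcast": int_to_ip(a | host_bits),  # host part all 1s; might be forwarded
        "all_zeros_broadcast": int_to_ip(a),            # host part all 0s; deprecated
    }


def split_to_aligned(cidr):
    """Cover a mis-aligned block with the largest aligned blocks that fit."""
    addr, nn = cidr.split("/")
    start = ip_to_int(addr)
    end = start + (1 << (32 - int(nn)))
    blocks, cur = [], start
    while cur < end:
        size = 1
        # Grow the block while it stays aligned to its own size and inside the range
        while cur % (size * 2) == 0 and cur + size * 2 <= end:
            size *= 2
        blocks.append(f"{int_to_ip(cur)}/{33 - size.bit_length()}")
        cur += size
    return blocks


def split_matches_stdlib(cidr):
    """Cross-check split_to_aligned against ipaddress.summarize_address_range."""
    addr, nn = cidr.split("/")
    start = ip_to_int(addr)
    last = start + (1 << (32 - int(nn))) - 1
    expected = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(last))]
    return expected == split_to_aligned(cidr)


def next_hop(host_cidr, dst):
    """Slide rule: same subnet -> deliver locally, otherwise hand it to the default gateway."""
    addr, nn = host_cidr.split("/")
    m = mask_int(int(nn))
    same = (ip_to_int(addr) & m) == (ip_to_int(dst) & m)
    return "local" if same else "default gateway"


if __name__ == "__main__":
    print(subnet_info("141.211.28.0/22"))
    print(split_to_aligned("141.211.42.0/22"))
    print(next_hop("141.211.28.10/22", "141.211.28.255"))
```

Note that in the /22 example 141.211.28.255 is an ordinary host, not a broadcast: only the address with all ten host bits set (141.211.31.255) is the directed broadcast, which is why a /24-shaped mental model gives wrong answers on larger subnets.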
You are here: Network Fundamentals / The OSI 7-layer model / OSI Layers 1-4 in detail: Ethernet and IP / IP subnetting and routing / Virtualizing the network

VLANs
- People / groups / units change, move, grow, split, share space
- Separate physical LANs are expensive to build and maintain
- VLANs allow logically independent nets to share a common physical network
- Like physical LANs, each VLAN is a separate (layer 2) broadcast domain

VLANs in switches
- Each VLAN is assigned a VLAN ID
- Access ports are assigned to one VLAN
- Trunk ports can carry multiple VLANs; each frame is tagged with the VLAN ID
- Gotchas:
  - Some switches don't support VLANs
  - Some switches don't support trunking
  - Switches support different # of VLANs
  - Switches support different tagging schemes
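The access-port / trunk-port behaviour on the "VLANs in switches" slide, modelled in code. This is an added example for these notes, not code from the course or from any switch vendor, and it uses the IEEE 802.1Q tag (the slide only says "tagged with the VLAN ID" and notes that tagging schemes differ). An access port stamps its one VLAN onto untagged frames; a trunk inserts or reads a 4-byte tag after the source MAC and only passes VLANs it is allowed to carry. The model deliberately has no native VLAN: a tagged frame arriving on an access port is dropped, which is an assumption of mine rather than universal switch behaviour. Frames are handled without their FCS, since a real switch recomputes it after tagging anyway; the sample frame is constructed.

```python
import struct

TPID_8021Q = 0x8100
MAX_VLAN_ID = 4094           # 12-bit VID; 0 and 4095 are reserved

# Constructed sample: bare Ethernet II frame (dst, src, type, 46 bytes of padding), no FCS
SAMPLE_FRAME = (bytes.fromhex("0123456789ab") + bytes.fromhex("111122223333")
                + b"\x08\x00" + b"\x00" * 46)


def tag_frame(frame, vlan_id, pcp=0):
    """Insert an 802.1Q tag (TPID + TCI) between the source MAC and the type field."""
    if not 1 <= vlan_id <= MAX_VLAN_ID:
        raise ValueError("VLAN ID out of range")
    tci = ((pcp & 0x7) << 13) | vlan_id     # priority in the top 3 bits, DEI 0, VID in the low 12
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def vlan_of(frame):
    """VLAN ID carried in the tag, or None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def untag_frame(frame):
    """Return (vlan_id, frame without the tag); untagged input comes back as (None, frame)."""
    vid = vlan_of(frame)
    return (None, frame) if vid is None else (vid, frame[:12] + frame[16:])


class SwitchPort:
    """Access port: one VLAN, frames untagged. Trunk port: several VLANs, frames tagged."""

    def __init__(self, mode, vlan=None, allowed=()):
        if mode not in ("access", "trunk"):
            raise ValueError(mode)
        self.mode, self.vlan, self.allowed = mode, vlan, set(allowed)

    def ingress(self, frame):
        """Classify an arriving frame: (vlan_id, untagged frame), or None when the port drops it."""
        vid, bare = untag_frame(frame)
        if self.mode == "access":
            # Assumption: no native VLAN, so a tagged frame on an access port is dropped
            return None if vid is not None else (self.vlan, bare)
        if vid is None or vid not in self.allowed:
            return None                      # untagged, or a VLAN this trunk does not carry
        return vid, bare

    def egress(self, vlan_id, bare_frame):
        """Frame leaving this port for a VLAN: untagged on access, tagged on trunk, else None."""
        if self.mode == "access":
            return bare_frame if vlan_id == self.vlan else None
        return tag_frame(bare_frame, vlan_id) if vlan_id in self.allowed else None


def relay(in_port, out_port, frame):
    """Carry one frame across a switch from in_port to out_port, keeping it in its VLAN."""
    classified = in_port.ingress(frame)
    if classified is None:
        return None
    vid, bare = classified
    return out_port.egress(vid, bare)


if __name__ == "__main__":
    access10 = SwitchPort("access", vlan=10)
    trunk = SwitchPort("trunk", allowed=[10, 20])
    print(relay(access10, trunk, SAMPLE_FRAME).hex())
```

The relay function is where the "separate broadcast domain" property comes from: a frame that entered on a VLAN 10 access port can only leave through ports that are members of VLAN 10, and on a trunk it leaves carrying the tag so the next switch can apply the same rule.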
UMnet backbone diagram 04/13
http://www.itcom.itd.umich.edu/backbone/
cja 2013

UMnet VLAN configuration (diagram): IP telephones, workstations and wireless APs connect at the access layer on separate Data, VoIP and Wireless VLANs; a VLAN trunk carries all three to the distribution layer and on to the UMnet backbone.