Networking Basics and Network Security
University of Lübeck, Institute for Signal Processing
Why do we need networks?
• Shared Data and Functions
• Availability
• Performance, Load Balancing
What is needed for a network?
• Physical Connection
– Wired: Ethernet, USB, …
– Wireless: Bluetooth, WLAN, …
• Logic Connection
– Networking Software (OS)
• Network Applications
– WWW, E-Mail, Telnet, …
ISO 7-Layer Model
Application Layer (7) → Web-Browser, FTP
Presentation Layer (6) → HTML, ASCII
Session Layer (5) → HTTP, SMTP
Transport Layer (4) → TCP, UDP, SPX
Network Layer (3) → IP, IPX
Data Link Layer (2) → IEEE 802.3, 802.11
Physical Layer (1) → Cables, Radio
Benefits from layering
• Each layer uses the services provided by the next lower one…
• … and provides services to the next one
• Users don’t see the lower layers
• Programmers can rely on well defined interfaces
• Improved interoperability
A simple Example
(Figure: a Conversation between Megawati Sukarnoputri and Frederic Sumaye, each speaking through a Translator (Indonesia / Swahili ↔ English); the Translated Text is exchanged between the two Offices as Telegrams.)
Physical Layer (1)
• Bit- / Baudrate
• Mechanical Dimensions
• Electrical Specification
• Functional Specification
• Protocol (Handshaking, etc.)
• Examples: ISDN, Ethernet, Token-Ring, Wireless-LAN
Data Link Layer (2)
• Error-Recognition and -Recovery
• Flow Control
• Commonly used: Shared Media
-> Collision Detection necessary
• Ethernet: “CSMA/CD”
• ATM, GSM: time slots
Network Layer (3)
• Main Task: Routing Packets
• Routing Requirements: simple, robust, stable, fair, optimal
• Internet (IPv4 / IPv6): globally unique addresses
• AppleTalk / SMB (Windows): addresses only valid in a local scope
Transport Layer (4)
• Connected or connection-less Services
• UDP: User Datagram Protocol
very simple, connection-less protocol
no flow-control, packets can be lost
• TCP: Transmission Control Protocol
reliable, connection oriented protocol
flow-control, supports QoS
Session Layer (5)
Presentation Layer (6)
• Not implemented in TCP/IP Networks
• Standards for Presentation Layer are well defined: ASCII, HTML, PNG, …
• No automatic conversion!
• Gateways: UNIVIS-DB Access via Web, Internet to X.400 Mail Relays, …
Application Layer (7)
• The Network is “hidden”
• Automatic Address resolution
• No routing, etc. visible
• “Comfortable”
Overview ISO 7-Layer Model
Networking Hardware
• Physical Layer: Repeater, Hub
“simple” electrical amplifier
• Data Link Layer: Bridge, Switch
separates “collision domains”
• Network Layer: Router, “Layer 3 Switch”
forwarding between different networks
• Higher Layers: Gateways (Software)
Internet Protocols (1)
• IP: “Internet Protocol”
Routing-Information: ToS-Flags, Protocol-ID, Header-Checksum, Addresses
• ICMP: “Internet Control Message Protocol”
“Ping”, “Traceroute”
• UDP: “User Datagram Protocol”
Connection-Less Protocol
Ports, Data-Length and -Checksum
Internet Protocols (2)
• TCP: “Transmission Control Protocol”
– Ports (widely used for many services in upper layers)
– Connection-Based Protocol: Sequence- and Acknowledge-Numbers
– Connection establishment: 3-Way Handshake
– CRC-Checksum (like UDP)
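The 3-way handshake and its sequence/acknowledge arithmetic, as an added Python example (not from the slides): the client port 40000, the server port 80 and the initial sequence numbers are constructed; the validation shows why a segment whose acknowledge number does not match the other side's sequence number is not accepted as part of the connection.

```python
import random
from dataclasses import dataclass

MOD = 2 ** 32   # sequence numbers are 32-bit and wrap around

@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False

def three_way_handshake(client_isn=None, server_isn=None):
    """Return the three segments of a handshake between client port 40000 and
    server port 80 (constructed). Each side picks a random initial sequence
    number (ISN) unless one is given."""
    if client_isn is None:
        client_isn = random.randrange(MOD)
    if server_isn is None:
        server_isn = random.randrange(MOD)
    # 1. SYN: the client announces its ISN
    syn = Segment(40000, 80, seq=client_isn, ack=0, syn=True)
    # 2. SYN-ACK: the server acknowledges ISN+1 (the SYN consumes one sequence
    #    number) and announces its own ISN
    syn_ack = Segment(80, 40000, seq=server_isn, ack=(client_isn + 1) % MOD,
                      syn=True, ack_flag=True)
    # 3. ACK: the client acknowledges the server's ISN+1; its own next
    #    sequence number is ISN+1
    ack = Segment(40000, 80, seq=(client_isn + 1) % MOD,
                  ack=(server_isn + 1) % MOD, ack_flag=True)
    return syn, syn_ack, ack

def validate_handshake(syn, syn_ack, ack):
    """The checks each endpoint performs: flags and acknowledge numbers must
    fit together, otherwise the segment does not belong to this connection."""
    if not (syn.syn and not syn.ack_flag):
        return False
    if not (syn_ack.syn and syn_ack.ack_flag
            and syn_ack.ack == (syn.seq + 1) % MOD):
        return False
    return (ack.ack_flag and not ack.syn
            and ack.seq == (syn.seq + 1) % MOD
            and ack.ack == (syn_ack.seq + 1) % MOD)
```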
Network Security (Problems)
• No Security Mechanisms implemented in TCP/IP (IPv4)
• Problems: Traffic can be
– observed (Passwords, Credit Cards, …)
– manipulated (Bank Transfers, …)
– faked (DoS Attacks, …)
• Server Programs are vulnerable!
Enhancing Network Security
• Cryptographic Protocol Extensions (HTTPS, SSH, …)
– Inhibit Data-Manipulation and -Observation
– Protocol dependent
– Can’t prevent DoS-Attacks
– Can’t protect vulnerable Servers
• Network-Infrastructure is vulnerable!
Firewalls
• Protect Servers against Hackers
• Allow / disallow traffic based on simple rules (Addresses, Protocol, Ports, …)
• Example: Web-Server
– Incoming: only on Port 80
– Outgoing: only responses
• Detect “typical” Attacks
Simple Firewall: “Packet Filters”
• Filter Rules only match IP-Addresses, Protocol and TCP/UDP-Ports
• FTP: big holes in Firewall necessary!
• Hackers can still find “hidden” Servers
• Example (Linux):
Better: “Stateful Inspection”
• TCP: Connection-based Protocol
– Recognize Packets belonging to an established Connection
– Can allow FTP-Session from Server to Client Machine
• UDP: no Connections but Sessions
– Can allow DNS-responses but disallow malicious packets (“spoofing”)
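The web-server example from the packet-filter slide and the stateful inspection described above, as an added Python simulation (not the slides' Linux example): the server address 10.0.0.5 and the packets are constructed. The stateless filter can only express "outgoing: only responses" and "incoming: DNS answers" as port rules, so a spoofed "DNS response" or a stray outgoing packet from port 80 passes it; the stateful filter keeps a table of connections and sessions and rejects both.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags, ignored for udp
    ack: bool = False

SERVER = "10.0.0.5"     # constructed address of the protected web server

def packet_filter(pkt, inbound):
    """Stateless rules match only addresses, protocol and ports, so 'outgoing:
    only responses' and 'incoming: DNS answers' become port-number rules
    that a forged packet can satisfy."""
    if inbound:
        return ((pkt.proto == "tcp" and pkt.dst == SERVER and pkt.dport == 80)
                or (pkt.proto == "udp" and pkt.sport == 53))
    return ((pkt.proto == "tcp" and pkt.src == SERVER and pkt.sport == 80)
            or (pkt.proto == "udp" and pkt.dport == 53))

def conn_key(pkt):
    # direction-independent identifier of the two endpoints of a connection/session
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

class StatefulFilter:
    """Table of TCP connections and UDP sessions; a packet passes only if it
    opens an allowed service or belongs to an entry already in the table."""
    def __init__(self):
        self.table = set()

    def accept(self, pkt, inbound):
        k = conn_key(pkt)
        if k in self.table:
            return True          # belongs to an established connection/session
        if inbound:
            # only a fresh SYN to the web service may open a new connection
            if (pkt.proto == "tcp" and pkt.syn and not pkt.ack
                    and pkt.dst == SERVER and pkt.dport == 80):
                self.table.add(k)
                return True
            return False         # unsolicited, e.g. a spoofed "DNS response"
        if pkt.proto == "udp" and pkt.dport == 53:
            self.table.add(k)    # our own DNS query opens the session for its answer
            return True
        return False             # outgoing traffic that is not a response
```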
“DMZ”: Demilitarized Zone
• “Internet”
– Absolutely insecure!
• Private Network:
– Incoming: not allowed
– Outgoing: Masquerading
• “DMZ”:
– “NAT”
– Incoming: only selected services (Web, Mail, …)
– Outgoing: limited (DNS)
Masquerading
• Only 4 Billion IPv4 addresses available
• Clients usually don’t need “official” IPs
• Address translation
– Internal: private addresses (defined in RFC1918)
– External: one official address
– Table for open connections
• Automatically hides private network
– Outgoing traffic appears to come from one computer.
“NAT”: Network Address Translation
• Mapping of one IP address to another without the sender noticing.
• E.g.: Gateway accepts packets for web server in DMZ and forwards them internally.
• Response appears to come from the original destination address.
• Forwarding of packets on specific ports possible (e.g. port 80 for www). Other packets are discarded.
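Masquerading and NAT port forwarding on one gateway, as an added Python example (not from the slides): the official address 203.0.113.1, the private network 10.0.0.0/24, the DMZ web server 172.16.0.10 and the port pool starting at 40000 are constructed. Outgoing client traffic is rewritten to the gateway's address and recorded in the connection table, replies are translated back, packets for port 80 are forwarded to the DMZ server whose responses leave with the address the client originally sent to, and any other unsolicited packet is discarded.

```python
import itertools
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

PUBLIC_IP = "203.0.113.1"    # constructed: the gateway's one "official" address
DMZ_WEB = "172.16.0.10"      # constructed: web server in the DMZ (RFC1918 address)
PRIVATE_PREFIX = "10.0.0."   # constructed: the private client network

class Gateway:
    def __init__(self):
        self.table = {}                      # (proto, public port) -> (private ip, port)
        self.by_source = {}                  # (proto, private ip, port) -> public port
        self.ports = itertools.count(40000)  # public ports handed out for masquerading
        self.forward = {("tcp", 80): (DMZ_WEB, 80)}   # port forwarding into the DMZ

    def outbound(self, pkt):
        """Masquerading: traffic from the private network leaves with the gateway's
        address; a DMZ server's reply leaves with the address/port the client used."""
        for (proto, pub_port), target in self.forward.items():
            if proto == pkt.proto and target == (pkt.src, pkt.sport):
                return replace(pkt, src=PUBLIC_IP, sport=pub_port)
        if not pkt.src.startswith(PRIVATE_PREFIX):
            return None                      # not from our private network: dropped
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.by_source:        # new connection: allocate a public port
            pub_port = next(self.ports)
            self.by_source[key] = pub_port
            self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=PUBLIC_IP, sport=self.by_source[key])

    def inbound(self, pkt):
        """A reply to an open connection is translated back to the private host, a
        packet for a forwarded port goes to the DMZ server, everything else is discarded."""
        if pkt.dst != PUBLIC_IP:
            return None
        entry = (self.table.get((pkt.proto, pkt.dport))
                 or self.forward.get((pkt.proto, pkt.dport)))
        if entry is None:
            return None                      # unsolicited: the private network stays hidden
        return replace(pkt, dst=entry[0], dport=entry[1])
```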
“VPN”: Virtual Private Networks
• Clients connect to an internal network (“intranet”) through the Internet.
• Sessions are authenticated.
• Traffic is usually encrypted.
• “Comfortable” for the user: Access to internal servers as if he was in his office
• Works with all IP based services.
• Certificates are used for authentication and encryption.
The Main Points Again...
Networking Basics
• ISO/OSI Model
• Internet Protocols: IPv4 / IPv6
• UDP: Connection-less
• TCP: Connection-based
• TCP Connection establishment
Network Security
• Security Risks
• Protocol Dependent Solutions
• Firewalls: Packet Filter, Stateful Inspection
• “DMZ”, Masquerading,