1 TCP/IP Protocols Contains Five Layers Top three layers contains many protocols Actual transmission...

45 slides

Page 1: TCP/IP Protocols

• Contains five layers

• The top three layers contain many protocols

• Actual transmission takes place at the physical layer

Page 2: TCP/IP Layers

Figure: the TCP/IP layers and the protocols that belong to each.

Application (covers the Application, Presentation and Session layers): SMTP, FTP, DNS, TELNET, HTTP
Transport: TCP, UDP
Network: IP, ICMP, ARP, RARP
Data Link
Physical: protocols specific to the underlying physical media used for data communication at the hardware level

Page 3: Message Transfer using TCP/IP

Figure: encapsulation at the Source and decapsulation at the Destination.

Source (each layer adds its own header in front of what it receives):
Original Message
TCP header | Original Message
IP header | TCP header | Original Message
Frame header | IP header | TCP header | Original Message

Destination (each layer strips its header, in the reverse order):
Frame header | IP header | TCP header | Original Message
IP header | TCP header | Original Message
TCP header | Original Message
Original Message

Page 4: TCP

• Reliable transport layer communication

• Establishes a logical connection between the communicating hosts

• Socket-to-socket communication (Socket = Port + IP address)

Page 5: TCP Segment Format

20-to-60-byte header consisting of the following fields, followed by the Data:

Field                     Size
Source Port number        2 bytes
Destination Port number   2 bytes
Sequence Number           4 bytes
Acknowledgement Number    4 bytes
Header Length             4 bits
Reserved                  6 bits
Flag                      6 bits
Window size               2 bytes
Checksum                  2 bytes
Urgent pointer            2 bytes
Options                   0 to 40 bytes

Page 6: IP

• Best effort delivery

• Does not guarantee success

• Leaves error checking to higher layers (e.g. to TCP)

Page 7: IP Datagram Format

Field                     Size
Version                   4 bits
HLEN                      4 bits
Service Type              8 bits
Total Length              16 bits
Identification            16 bits
Flags                     3 bits
Fragmentation Offset      13 bits
Time to live              8 bits
Protocol                  8 bits
Header Checksum           16 bits
Source IP address         32 bits
Destination IP address    32 bits
Options
Data
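A parser for the two header layouts on pages 5 and 7, added here as an example and not part of the slides; the 40-byte sample packet is constructed by hand (addresses borrowed from the NAT slides, checksums left as zero), and the length-consistency checks are the ones a filter or IDS needs before trusting the fields.

```python
import struct

# Constructed sample: 20-byte IPv4 header + 20-byte TCP SYN header, no options,
# no payload. Checksums are zero because the bytes are hand-built.
SAMPLE = bytes.fromhex(
    "4500 0028 1c46 4000 4006 0000 c0a8 0a01 d20a 1414"   # IPv4 header
    "c350 0050 0000 0001 0000 0000 5002 2000 0000 0000"   # TCP header
)

def parse_ipv4(buf):
    """Split the IPv4 header (page 7 layout) off the front of buf."""
    (ver_hlen, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    hlen = (ver_hlen & 0x0F) * 4                 # HLEN counts 32-bit words
    if hlen < 20 or hlen > total_len or total_len > len(buf):
        raise ValueError("inconsistent IPv4 header/total length")
    fields = {
        "version": ver_hlen >> 4, "hlen": hlen, "service_type": tos,
        "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "header_checksum": csum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": buf[20:hlen],
    }
    return fields, buf[hlen:total_len]           # payload = next layer's segment

def parse_tcp(buf):
    """Split the TCP header (page 5 layout) off the front of buf."""
    (sport, dport, seq, ack, off_res_flags,
     window, csum, urg) = struct.unpack("!HHIIHHHH", buf[:20])
    hlen = (off_res_flags >> 12) * 4             # Header Length in 32-bit words
    if hlen < 20 or hlen > len(buf):
        raise ValueError("bad TCP header length")
    fields = {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_length": hlen, "reserved": (off_res_flags >> 6) & 0x3F,
        "flags": off_res_flags & 0x3F,           # 6 flag bits, SYN = 0x02
        "window": window, "checksum": csum, "urgent_pointer": urg,
        "options": buf[20:hlen],
    }
    return fields, buf[hlen:]

def parse_packet(buf=SAMPLE):
    ip, segment = parse_ipv4(buf)
    tcp, payload = parse_tcp(segment)
    return ip, tcp, payload
```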

Page 8: Network Aspects

• Internal network (e.g. LAN)

• External Network (e.g. Internet)

• Threats from the External Network to the Internal Network

Page 9: Network Threats

Figure: a corporate network (network backbone) connected to the Internet through a router. Outside dangers can come in through the router, and inside information can leak out through the same point.

Page 10: Firewall

• Special type of router

• Controls transmission between internal and external networks

• Decides what to allow/disallow

Page 11: NAT Implementation

Figure: an internal network with internal IP addresses 192.168.10.1, 192.168.10.2 and 192.168.10.3; a NAT router whose internal IP address is 192.168.10.10 and whose external IP address is 201.26.7.9, connected to the Internet.

Page 12: NAT Example

Figure: host 192.168.10.1 on the internal network, the NAT router (internal address 192.168.10.10, external address 201.26.7.9), and the Internet.

Outgoing packet: Source 192.168.10.1 on the internal side becomes Source 201.26.7.9 on the Internet side.
Incoming packet: Destination 201.26.7.9 on the Internet side becomes Destination 192.168.10.1 on the internal side.

Page 13: NAT Translation Table

NAT router: internal address 192.168.10.10, external address 201.26.7.9.

Outgoing: Source 192.168.10.1, Destination 210.10.20.20 (internal side) is rewritten to Source 201.26.7.9, Destination 210.10.20.20 (external side).
Incoming: Source 210.10.20.20, Destination 201.26.7.9 (external side) is rewritten to Source 210.10.20.20, Destination 192.168.10.1 (internal side).

Translation table
Internal        External
192.168.10.1    210.10.20.20
…               …
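The rewrite described on pages 12 and 13, as an added example that is not from the slides. It goes beyond the slide's address-only table by also tracking ports (NAPT), so several inside hosts can share 201.26.7.9, and it drops inbound packets that match no table entry; port numbers are constructed.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatRouter:
    """Port-translating NAT. The slide's table is keyed on addresses only;
    here the key also carries ports so inside hosts can share one address."""
    def __init__(self, internal_ip, external_ip, first_port=40000):
        self.internal_ip = internal_ip       # e.g. 192.168.10.10 on the slide
        self.external_ip = external_ip       # e.g. 201.26.7.9 on the slide
        self.next_port = first_port          # constructed starting NAT port
        self.out_table = {}   # (int_ip, int_port, ext_ip, ext_port) -> nat_port
        self.in_table = {}    # (nat_port, ext_ip, ext_port) -> (int_ip, int_port)

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the internal network."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        nat_port = self.out_table.get(key)
        if nat_port is None:                 # first packet of this flow
            nat_port = self.next_port
            self.next_port += 1
            self.out_table[key] = nat_port
            self.in_table[(nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.external_ip, nat_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Rewrite the destination of a reply, or return None to drop
        traffic that no inside host asked for."""
        if pkt.dst != self.external_ip:
            return None
        entry = self.in_table.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        int_ip, int_port = entry
        return Packet(pkt.src, pkt.sport, int_ip, int_port)
```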

Page 14: Firewall Concept

Figure: the corporate network (network backbone) sits behind a firewall, and the firewall connects to the Internet.

Page 15: Firewall Types

Firewalls are divided into two types: Packet Filters and Application Gateways.

Page 16: Packet Filter

Figure: a packet filter placed between the Internet and the internal (private) network; the internal network is the protected zone.

Page 17: Packet Filter Operation

For outgoing and incoming packets alike: receive each packet, apply the rules, and if no rule matches, apply the default rules.

Page 18: Packet Filter Defeating IP Spoofing Attack

Figure: an internal network whose hosts have the IP addresses 178.29.10.89, 178.29.10.90 and 178.29.10.91, behind a packet filter. An incoming packet from the outside carries Source address 178.29.10.91, one of the internal addresses; the packet filter stops it (STOP!).
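The anti-spoofing check from this slide combined with the rule processing of page 17, as an added example that is not from the slides. It assumes the three hosts live in a 178.29.10.0/24 prefix, adds the mirror-image egress check (nothing leaving the internal side may claim an outside source), and runs over constructed sample traffic.

```python
import ipaddress

# Protected network from the slide (hosts .89-.91); the /24 prefix is assumed.
INTERNAL = ipaddress.ip_network("178.29.10.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordinary rules: (direction, source network, destination network, action).
RULES = [
    ("in",  ANY, INTERNAL, "ACCEPT"),
    ("out", INTERNAL, ANY, "ACCEPT"),
]
DEFAULT = "DROP"          # applied when no rule matches (page 17)

def decide(direction, src, dst, rules=RULES):
    """Return (action, reason) for one packet; direction is the interface
    it arrived on: 'in' = from the Internet, 'out' = from the internal LAN."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Anti-spoofing checks run before the rule list. An internal source
    # address can never legitimately arrive on the external interface, and
    # nothing leaving the internal interface may carry an outside source.
    if direction == "in" and src_ip in INTERNAL:
        return "DROP", "spoofed internal source on external interface"
    if direction == "out" and src_ip not in INTERNAL:
        return "DROP", "outgoing packet with non-internal source"
    for rdir, snet, dnet, action in rules:
        if rdir == direction and src_ip in snet and dst_ip in dnet:
            return action, "matched rule"
    return DEFAULT, "default rule"

# Constructed sample traffic: (direction, src, dst)
SAMPLE = [
    ("in",  "178.29.10.91", "178.29.10.89"),   # the slide's spoofed packet
    ("in",  "201.26.7.9",   "178.29.10.90"),   # ordinary inbound packet
    ("out", "178.29.10.90", "201.26.7.9"),     # ordinary outbound packet
    ("out", "10.0.0.5",     "201.26.7.9"),     # forged source leaving the LAN
]

def run_filter(packets=SAMPLE):
    """Apply decide() to each sample packet and return the actions taken."""
    return [decide(d, s, t)[0] for d, s, t in packets]
```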

Page 19: Application Gateway

Figure: an application gateway running HTTP, SMTP, FTP and TELNET proxies. The outside connection terminates on the gateway, and a separate inside connection is made from the gateway to the internal host.

Page 20: Circuit Gateway

Figure: an inside host and an outside host connected through the application gateway (HTTP, SMTP, FTP, TELNET). Labels on the figure: Inside host, IP address = 178.29.10.90; Outside host, IP address = 178.29.10.70; IP packet with Source address = 178.29.10.90; IP packet with Source address = 178.29.10.70.

Page 21: Application Gateway - Illusion

Figure: the user's illusion is a direct connection between the internal host and the external host. The real connections are internal host to application gateway (HTTP, SMTP, FTP, TELNET) and application gateway to external host.

Page 22: Firewall Configurations

• Screened host firewall, single-homed bastion

• Screened host firewall, dual-homed bastion

• Screened subnet firewall

Page 23: Screened Host Firewall, Single-homed Bastion

Figure: Internet, then a packet filter, then the application gateway (HTTP, SMTP, FTP, TELNET), then the internal network.

Page 24: Screened Host Firewall, Dual-homed Bastion

Figure: Internet, then a packet filter, then the application gateway (HTTP, SMTP, FTP, TELNET), then the internal network.

Page 25: Screened Subnet Firewall

Figure: Internet, then a packet filter, then the application gateway (HTTP, SMTP, FTP, TELNET), then a second packet filter, then the internal network.

Page 26: Demilitarized Zone (DMZ)

Figure: Internet, firewall, demilitarized zone (DMZ), internal private network.

Page 27: Security at multiple Layers

Figure: the five layers (Application Layer, Transport Layer, Internet Layer, Data Link Layer, Physical Layer), with a first level of security and a second level of security marked at different layers.

Page 28: IPSec

• Not concerned with application layer security

• Applies security at the Internet layer

• More effective in IPv6

Page 29: IPSec Processing Result

Internet header (not encrypted) | Transport header (encrypted) | Actual data (encrypted)

Page 30: IPSec in TCP/IP

Figure: at the Sender, the original message passes down through the Application, Transport, IPSec, Internet and Data link layers onto the transmission medium; at the Receiver it passes up through the same layers to reproduce the original message. IPSec sits between the Transport and Internet layers.

Page 31: IPSec Protocols

IPSec consists of two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP).

Page 32: AH and ESP Operation Modes

AH and ESP each have two modes of operation: Tunnel mode and Transport mode.

Page 33: Tunnel Mode

Figure: host X in Network 1 and host Y in Network 2; proxies P1 and P2 sit at the edges of the two networks, and the tunnel runs between P1 and P2.

Page 34: Tunnel Mode Implementation

A <---> B
P1 <---> P2 …

External IP header (not encrypted) | Internal IP header and data (encrypted)

Page 35: IPSec steps

Step 1: Algorithm and key negotiations using IKE

Step 2: Actual AH and ESP operations

Page 36: AH Format

Bit 0         8                16                         31
Next header | Payload length | Reserved
Security Parameter Index (SPI)
Sequence number
Authentication data (Variable size)

Page 37: Receiver's Sliding Window

Receiver's sliding window (W = 8), spanning the sequence numbers from N – W to N:

• A slot is marked if a valid packet with that sequence number has been received

• A slot is unmarked if a valid packet with that sequence number is not yet received

Page 38: AH Transport Mode

(a) Before applying AH: IP header | TCP header | Original data

(b) After applying AH: IP header | AH | TCP header | Original data

Page 39: AH Tunnel Mode

(a) Before applying AH: IP header | TCP header | Original data

(b) After applying AH: New IP header | AH | Original IP header | TCP header | Original data

Page 40: ESP Format

Bit 0                          16              24         31
Security Parameter Index (SPI)
Sequence Number
Payload data (Variable size)
Padding (0-255 bytes)
                             | Padding length | Next header
Authentication data (Variable size)

Page 41: ESP Transport Mode

(a) Before applying ESP: IP header | TCP header | Original data

(b) After applying ESP: Original IP header | ESP header | TCP header | Original data | ESP trailer | ESP auth

Encrypted: TCP header, Original data and ESP trailer
Authenticated: ESP header through ESP trailer (the Original IP header and ESP auth are outside the authenticated range)

Page 42: ESP Tunnel Mode

(a) Before applying ESP: IP header | TCP header | Original data

(b) After applying ESP: New IP header | ESP header | Original IP header | TCP header | Original data | ESP trailer | ESP auth

Encrypted: Original IP header, TCP header, Original data and ESP trailer
Authenticated: ESP header through ESP trailer (the New IP header and ESP auth are outside the authenticated range)

Page 43: ISAKMP Header Format

Bit 0          8               16              24           31
Initiator cookie
Responder cookie
Next payload | Major version | Minor version | Exchange type | Flags
Message ID
Length

Page 44: Virtual Private Network (VPN)

• Uses the Internet as if it were a private network

• Far less expensive than a leased line

• Uses IPSec protocol

Page 45: VPN Between Two Networks

Figure: host X in Network 1 and host Y in Network 2; Firewall 1 and Firewall 2 sit at the edges of the two networks, and a VPN tunnel runs between them across the Internet.