Concepts of networking - Florida State Universitybreno/CIS-5930/slides/class08.pdf ·...
Concepts of networking
IP, TCP/UDP protocols
IP protocol
• Defines a uniform mechanism to access resources between internets
• Enables networking across networks that are not connected at level 2 (data-link)
• Defines IP addresses and how to route network packets to a destination address
• IP v.4 addresses: 4 octets, organized hierarchically
  • Single host: 128.220.23.4 or 192.168.33.1
  • Class C network: 128.220.23.x, also written 128.220.23.0/24
  • Class B network: 192.168.x.x, also written 192.168.0.0/16
  • Class A network: 10.x.x.x, or 10.0.0.0/8
IP v.6
• 16 octet addresses, also hierarchical
• Represented by eight 4-digit hexadecimal values (one string of 0's can be omitted)
  • Single host: 1080:0:0:0:0:800:0:417A or 1080::800:0:417A
• Internet routing is performed only on the 64 left bits (the remaining bits are for internal routing to hosts)
• Blocks of addresses denoted using the / notation
  • 12AB::CD30:0:0:0:0/60 indicates a 68-bit wide space, from 12AB:0:0:CD30:0:0:0:0 to 12AB:0:0:CD3F:FFFF:FFFF:FFFF:FFFF (all addresses starting with prefix 12AB:0:0:CD3)
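The prefix arithmetic behind the / notation above, as an added example (not part of the slides) that uses Python's standard ipaddress module to check the slide's own blocks: how many bits a prefix fixes, how many remain for hosts, the first and last address of the 12AB::CD30:0:0:0:0/60 block, the expansion of a "::" address, and the left 64 bits used for routing. SLIDE_BLOCKS is a constructed list holding the addresses quoted on the slide.

```python
import ipaddress

# Address blocks quoted on the slides; the module does the prefix arithmetic
# so the / notation can be checked rather than read off.
SLIDE_BLOCKS = [
    "128.220.23.0/24",
    "192.168.0.0/16",
    "10.0.0.0/8",
    "12AB::CD30:0:0:0:0/60",
]


def describe_block(cidr):
    """Summarise a prefix: how many bits are fixed, how many are left for hosts,
    and the first and last address of the block (IPv6 shown in exploded form)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "version": net.version,
        "prefix_bits": net.prefixlen,
        "host_bits": net.max_prefixlen - net.prefixlen,
        "first": net.network_address.exploded,
        "last": net.broadcast_address.exploded,  # for IPv6 this is simply the last address
        "addresses": net.num_addresses,
    }


def contains(cidr, address):
    """True if `address` falls inside the block `cidr`."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def expand_ipv6(address):
    """Restore the zero groups that '::' hides, so all eight groups are visible."""
    return ipaddress.IPv6Address(address).exploded


def compress_ipv6(address):
    """Canonical short form: the longest run of zero groups becomes '::'."""
    return ipaddress.IPv6Address(address).compressed


def routing_prefix(address):
    """The left 64 bits, which the slides describe as the part used for Internet routing."""
    return str(ipaddress.ip_network(address + "/64", strict=False))


if __name__ == "__main__":
    for cidr in SLIDE_BLOCKS:
        print(cidr, describe_block(cidr))
    print(expand_ipv6("1080::800:0:417A"), compress_ipv6("1080:0:0:0:0:800:0:417A"))
```

Note that the module prints IPv6 in lowercase and compresses the longest zero run, so 12AB::CD30:0:0:0:0 comes back as 12ab:0:0:cd30:: even though both spellings name the same address; comparing exploded forms avoids that ambiguity.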
IP packet
TCP/UDP
• Layer 4 (transport layer) protocols, run over IP
• TCP and UDP packets are encapsulated into IP packets
• Use their own control information, stored in packet headers
• Port numbers (indicate consuming program in the destination host)
• TCP is connection-oriented, and provides for reliable, order-preserving transmission of data
• UDP is not connection-oriented, does not guarantee data arrival, or proper ordering of arriving data
TCP header
flags:
• URG (urgent)
• ACK (acknowledgment)
• PSH (push function)
• RST (close the connection)
• SYN (synchronize sequence numbers)
• FIN (end of data from sender)
TCP state diagram
TCP new connection:
• 3-way handshake, by TCP packets with SYN, SYN & ACK, and ACK flags set.
TCP close connection:
• Via RST, without ACK
• Via FIN, ACK, FIN, ACK (4 way teardown)
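The header flags and the connection phases above, as an added example (not from the slides): a parser for the fixed 20-byte TCP header that decodes the flags byte and validates the data offset before trusting it, plus checks that three segments really form the SYN / SYN+ACK / ACK handshake (ports reversed, acknowledgement numbers consistent) and whether a close was abortive (RST) or a FIN from both sides. build_tcp_header constructs sample segments; the port and sequence values are made up for the demonstration.

```python
import struct

# Fixed 20-byte TCP header, network byte order:
# src port, dst port, seq, ack, data offset/reserved, flags, window, checksum, urgent ptr
TCP_HEADER = struct.Struct("!HHIIBBHHH")

# Flag bits in the flags byte, named as on the slide.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_names(flags):
    """Decode the flags byte into the names of the bits that are set."""
    return [name for name, bit in FLAG_BITS.items() if flags & bit]


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Constructed sample header for testing (no options, checksum left at zero)."""
    data_offset = 5 << 4  # header length in 32-bit words, reserved bits zero
    return TCP_HEADER.pack(src_port, dst_port, seq, ack, data_offset, flags, window, 0, 0)


def parse_tcp_header(data):
    """Parse a TCP segment header, validating the length fields before using them."""
    if len(data) < TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_res, flags, window, checksum, urg = TCP_HEADER.unpack_from(data)
    header_len = (off_res >> 4) * 4
    if header_len < TCP_HEADER.size or header_len > len(data):
        raise ValueError("data offset points outside the segment")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "flags": flag_names(flags), "window": window,
        "options": data[TCP_HEADER.size:header_len], "payload": data[header_len:],
    }


def is_three_way_handshake(segments):
    """True if the three segments form SYN, SYN+ACK, ACK with consistent ports and numbers."""
    if len(segments) != 3:
        return False
    a, b, c = (parse_tcp_header(s) for s in segments)
    client = (a["src_port"], a["dst_port"])
    server = (a["dst_port"], a["src_port"])
    # 1: the client SYN carries its initial sequence number x.
    if set(a["flags"]) != {"SYN"}:
        return False
    # 2: the server SYN+ACK acknowledges x+1 and carries its own number y.
    if (b["src_port"], b["dst_port"]) != server or set(b["flags"]) != {"SYN", "ACK"}:
        return False
    if b["ack"] != (a["seq"] + 1) & 0xFFFFFFFF:
        return False
    # 3: the client ACK acknowledges y+1 and continues from x+1.
    if (c["src_port"], c["dst_port"]) != client or set(c["flags"]) != {"ACK"}:
        return False
    return c["ack"] == (b["seq"] + 1) & 0xFFFFFFFF and c["seq"] == b["ack"]


def close_kind(segments):
    """'rst' for an abortive close, 'fin' when both sides sent FIN (4-way teardown), else None."""
    headers = [parse_tcp_header(s) for s in segments]
    if any("RST" in h["flags"] for h in headers):
        return "rst"
    fin_senders = {h["src_port"] for h in headers if "FIN" in h["flags"]}
    return "fin" if len(fin_senders) == 2 else None
```

The data-offset check matters for anything that inspects headers: a header that claims more option bytes than the segment holds is malformed, and rejecting it up front is the kind of check the later slide on dropping malformed packets has in mind.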
UDP
IP packet filtering
Basic firewall functionality
Packet filtering
• Packet filtering is a network security mechanism that works by controlling what data can flow to and from a network.
• Packet filtering occurs at routers
  • A router inspects each packet entering and/or leaving the network to make routing decisions.
  • A filtering router also makes policy decisions.
Dropping spoofed/malformed packets
From: Building Internet Firewalls (recommended text)
Basic ip-filtering policies
• Source and destination addresses
• Session and application ports
  • enforce visibility/connectivity policies of internal network to the Internet
  • prevent certain protocols from being executed between specific hosts in different networks
• Maintains no state information about connections
Examples
• Allow outgoing TCP port 80 requests
• Allow incoming SMTP to mail server only
• Disallow outgoing packets with external source addresses
• Disallow incoming packets with internal source addresses
• Disallow incoming packets for TCP/UDP port 79 (finger)
Stateful packet filtering
• Allows for more complex policies based on current state of connections between two machines.
  • Let incoming UDP packets through only if they are responses to outgoing UDP packets you have seen.
  • Accept TCP packets with SYN set only as part of TCP connection initiation.
Stateful / dynamic filtering
• Routers must keep state information
  • For how long?
  • If multiple routers are used, they need to synchronize the state information very fast, or else there will be incorrect decisions.
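The stateless example rules, the two stateful policies and the "for how long?" question above, as one added example (not from the slides or the recommended text): a stateless filter that judges each packet alone with default deny, and a stateful filter layered on it that admits incoming UDP only as a reply to a datagram it saw within a configurable timeout and accepts a TCP SYN only where connection initiation is expected. The internal network is assumed to be the slides' 10.0.0.0/8; the mail server address 10.0.0.25, the rule that outgoing UDP is allowed, and the Packet record are assumptions made for the example.

```python
import ipaddress
import time
from dataclasses import dataclass

# Assumed for the example: the slides' 10.0.0.0/8 as the internal network and a
# placeholder address for the mail server that may receive incoming SMTP.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_SERVER = ipaddress.ip_address("10.0.0.25")


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" (arriving from the Internet) or "out" (leaving)
    proto: str                  # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. frozenset({"SYN"})


def spoof_or_banned(pkt):
    """Sanity rules every filter applies first; returns a drop reason or None."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "out" and src not in INTERNAL_NET:
        return "outgoing packet with external source address"
    if pkt.direction == "in" and src in INTERNAL_NET:
        return "incoming packet with internal source address"
    if pkt.direction == "in" and pkt.dport == 79:
        return "incoming finger (port 79)"
    return None


def stateless_filter(pkt):
    """The slide's example rule set with default deny; each packet is judged alone."""
    reason = spoof_or_banned(pkt)
    if reason:
        return "drop", reason
    if pkt.direction == "out" and pkt.proto == "tcp" and pkt.dport == 80:
        return "accept", "outgoing TCP port 80"
    if (pkt.direction == "in" and pkt.proto == "tcp" and pkt.dport == 25
            and ipaddress.ip_address(pkt.dst) == MAIL_SERVER):
        return "accept", "incoming SMTP to mail server"
    return "drop", "default deny"


class StatefulFilter:
    """Connection state on top of the stateless rules: UDP replies are admitted only
    for datagrams already seen (and only for udp_timeout seconds), and a TCP SYN is
    accepted only where connection initiation is expected."""

    def __init__(self, udp_timeout=30.0, clock=time.monotonic):
        self.udp_timeout = udp_timeout  # the "for how long?" knob
        self.clock = clock              # injectable so the timeout can be tested
        self.udp_seen = {}              # conn key -> time of last outgoing datagram
        self.tcp_conns = set()          # conn keys of accepted TCP connections

    @staticmethod
    def _key(pkt):
        """(inside ip, inside port, outside ip, outside port), same for both directions."""
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        reason = spoof_or_banned(pkt)
        if reason:
            return "drop", reason
        key = self._key(pkt)
        if pkt.proto == "udp":
            if pkt.direction == "out":
                self.udp_seen[key] = self.clock()   # outgoing UDP assumed allowed (e.g. DNS)
                return "accept", "outgoing UDP, reply window opened"
            seen = self.udp_seen.get(key)
            if seen is not None and self.clock() - seen <= self.udp_timeout:
                return "accept", "UDP reply to a datagram we saw"
            return "drop", "unsolicited or expired incoming UDP"
        flags = pkt.flags
        if "SYN" in flags and "ACK" not in flags:
            # Bare SYN = connection initiation: the static policy decides who may open what.
            verdict, reason = stateless_filter(pkt)
            if verdict == "accept":
                self.tcp_conns.add(key)
            return verdict, reason
        if "SYN" in flags:
            if flags == {"SYN", "ACK"} and key in self.tcp_conns:
                return "accept", "SYN+ACK answering a tracked SYN"
            return "drop", "SYN outside connection initiation"
        if key in self.tcp_conns:
            if "RST" in flags:
                self.tcp_conns.discard(key)   # abortive close; FIN teardown is left tracked here
            return "accept", "part of an established connection"
        return "drop", "TCP segment for no known connection"
```

Run the stateless filter on the SYN+ACK that answers an allowed outgoing port-80 request and it is dropped by default deny, which is exactly the gap state tracking closes; the same table of tracked keys is also what the slide says multiple routers would have to synchronize.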
Protocol-based filtering
• ensure that packets contain properly formed protocol data
• prevent protocols being run on other ports
Default deny
• Disallow all by default; add rules to permit traffic explicitly
• Log dropped packets
• Log some allowed packets
• For some protocols, such as mail authentication, require that the router send an ICMP error message in response to a disallowed packet. In most cases, better to drop the packet and say nothing to sender.