Network Security: Networking principles
Stack of layers
Packet switching
Encapsulation
Packet Switching
→ data in packets
→ individual paths to destination
→ destination sorts out reassembly
→ packets can be dropped by an intermediate device - a problem
→ detecting and handling such errors is the job of other layers
Stack of layers
→ Network communication broken into “layers”
→ layers at top deal with applications using lower layers’ services
→ “communication channel”: established across all the layers - only at the very bottom layer is it physical, otherwise it is virtual
OSI Model
→ Open Systems Interconnection reference model
→ Communication across networks needs an agreement: the same protocols/implementations on both sides
→ The newer layer model maps onto OSI:
[figure: OSI model]
Encapsulation
→ Things in other things
→ Packet: header, footer, data payload
→ a protocol at a high level uses the lower level via encapsulation - put the packet inside another packet, adding a header and footer that the layer below understands
→ add headers and footers as we go down the layers, strip them as we go back up
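As an added example (not from the notes), the following Python script builds a frame by walking down the stack (application payload → UDP → IPv4 → Ethernet) and then strips the headers off again on the way back up. The MAC and IP addresses and the port numbers are constructed sample values; the IPv4 header checksum is computed so that the "up" direction can show what the network layer actually verifies (its own header only, not the payload).

```python
import struct

# Constructed sample addresses for the demo (not from the notes).
SRC_MAC = bytes.fromhex("02aabbccddee")
DST_MAC = bytes.fromhex("021122334455")
SRC_IP = bytes([10, 0, 0, 5])
DST_IP = bytes([10, 0, 0, 9])
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_encapsulate(payload: bytes, sport: int, dport: int) -> bytes:
    """Transport layer: 8-byte UDP header in front of the application payload
    (checksum 0 = 'not computed', which IPv4 permits)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ipv4_encapsulate(segment: bytes, src: bytes, dst: bytes, ttl: int = 64) -> bytes:
    """Network layer: 20-byte IPv4 header, checksum computed over the header only."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,       # version 4, IHL = 5 words
                         0,                  # DSCP/ECN
                         20 + len(segment),  # total length
                         0x1234, 0,          # identification, flags + fragment offset
                         ttl, PROTO_UDP,
                         0,                  # checksum placeholder
                         src, dst)
    csum = internet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + segment


def ethernet_encapsulate(packet: bytes, src: bytes, dst: bytes) -> bytes:
    """Link layer: 14-byte Ethernet header (the 4-byte FCS trailer the NIC adds is omitted)."""
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + packet


def build_frame(payload: bytes) -> bytes:
    """Walk down the stack: app payload -> UDP -> IPv4 -> Ethernet."""
    segment = udp_encapsulate(payload, 5353, 53)
    packet = ipv4_encapsulate(segment, SRC_IP, DST_IP)
    return ethernet_encapsulate(packet, SRC_MAC, DST_MAC)


def decapsulate(frame: bytes) -> dict:
    """Walk back up: strip each header, checking only what that layer is responsible for."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    # A header with a correct checksum sums to zero under the one's-complement check.
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    ttl, proto = packet[8], packet[9]
    if proto != PROTO_UDP:
        raise ValueError("not UDP")
    segment = packet[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, packet[12:16])),
        "dst_ip": ".".join(map(str, packet[16:20])),
        "ttl": ttl, "sport": sport, "dport": dport,
        "payload": segment[8:ulen],
    }


if __name__ == "__main__":
    frame = build_frame(b"hello")
    print(len(frame), "bytes on the wire for a 5-byte payload")
    print(decapsulate(frame))
```

Each layer only inspects its own header and hands the rest upward untouched; a flipped byte in the IPv4 header is caught by the IPv4 checksum, but nothing in this frame protects the UDP payload, which is the gap the security section later points at.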
Network Interface
→ device connecting computer to a network
→ e.g every port on a router
→ packets transmitted between network interfaces
→ LANs broadcast frames - at the link layer
→ going further requires IP addressing - separate networks
→ interfaces come with MAC addresses - one per physical device - 48-bit number - first 3 octets assigned by the IEEE to the manufacturer - unique
→ the MAC address can be changed via the OS - changing it stops tracking by MAC address
→ if a machine will only connect to machines in its own network, it's ok to change it
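As an added example (not from the notes), this Python snippet splits a MAC address into the IEEE-assigned OUI and the NIC part and reads the two flag bits of the first octet. The "locally administered" (U/L) bit is set on addresses that were not burned in by a manufacturer, which is how OS privacy randomisation marks the addresses it generates; an address changed to copy a real vendor OUI will not set it, so the check is a hint for an inventory, not proof. The sample addresses are constructed.

```python
from typing import List

# Constructed sample addresses (not from the notes).
SAMPLE_MACS = [
    "00:1a:2b:3c:4d:5e",   # manufacturer-assigned unicast
    "02:1a:2b:3c:4d:5e",   # same NIC part, but U/L bit set
    "01:00:5e:00:00:01",   # IPv4 multicast group address
]


def parse_mac(mac: str) -> dict:
    """Split a 48-bit MAC into OUI and NIC parts and decode the first octet's flag bits."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    first = octets[0]
    return {
        "oui": octets[:3].hex(":"),                   # first 3 octets: manufacturer
        "nic": octets[3:].hex(":"),                   # last 3 octets: chosen by manufacturer
        "multicast": bool(first & 0x01),              # I/G bit: 1 = group address
        "locally_administered": bool(first & 0x02),   # U/L bit: 1 = not manufacturer-assigned
    }


def find_locally_administered(macs: List[str]) -> List[str]:
    """Return the addresses whose U/L bit says they were set locally
    (e.g. by an OS privacy feature) rather than assigned from an OUI."""
    return [m for m in macs if parse_mac(m)["locally_administered"]]


if __name__ == "__main__":
    for m in SAMPLE_MACS:
        print(m, parse_mac(m))
    print("locally administered:", find_locally_administered(SAMPLE_MACS))
```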
Switch
→ connects multiple machines together - e.g. a wifi router
→ operates at the link layer, has multiple interfaces
→ its job is to learn which MAC address is on which port
→ a machine “shouts” its MAC address until the switch picks it up
→ then only sends frames to the right computer
Hub
→ if it receives a message, it broadcasts it to all connected machines
→ essentially an amplifier
→ wasteful + collisions
→ simpler than the switch
Combining Switches
→ arranged in a tree
→ connecting different networks
→ if a switch gets a frame for a MAC address it does not know, it forwards it to the other switches
→ if asked to deliver to a known MAC address, it just sends it to that port
IP Functions
→ to deliver data, IP needs to know the destination - so it includes an addressing system (the IP packet header)
→ Routing: going across networks needs IP
→ Fragmentation and reassembly: networks can have different maximum packet lengths (MTU), so some networks will fragment packets further
→ a large MTU means a lot of fragmentation once packets hit smaller-MTU links - a smaller MTU means less reassembly
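An added example (not from the notes) of the fragmentation and reassembly step in Python. It follows the IPv4 rule that fragment offsets are counted in 8-byte units, accepts fragments in any order, and refuses to produce a packet when a fragment is missing, duplicated or overlapping rather than guessing at the bytes; the payload and MTU values are constructed.

```python
from typing import List, Optional, Tuple

Fragment = Tuple[int, bool, bytes]   # (offset in 8-byte units, more-fragments flag, data)


def fragment(payload: bytes, mtu: int, header_len: int = 20) -> List[Fragment]:
    """Split a payload for a link with the given MTU. IPv4 carries the fragment
    offset in 8-byte units, so every non-final fragment holds a multiple of 8 bytes."""
    max_data = (mtu - header_len) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small to carry any data")
    fragments = []
    for start in range(0, len(payload), max_data):
        chunk = payload[start:start + max_data]
        more = start + len(chunk) < len(payload)   # MF flag: more fragments follow
        fragments.append((start // 8, more, chunk))
    return fragments


def reassemble(fragments: List[Fragment]) -> Optional[bytes]:
    """Rebuild the payload from fragments received in any order. Returns None on a
    gap, a duplicate or an overlap: the reassembler refuses to guess which bytes
    are right instead of silently delivering a partial or ambiguous packet."""
    buf = bytearray()
    expected = 0
    saw_last = False
    for offset8, more, data in sorted(fragments, key=lambda f: f[0]):
        if offset8 * 8 != expected:   # too high = gap, too low = overlap/duplicate
            return None
        buf += data
        expected += len(data)
        if not more:
            saw_last = True
    return bytes(buf) if saw_last else None


if __name__ == "__main__":
    payload = bytes(range(200))   # constructed 200-byte payload
    for mtu in (1500, 50, 28):
        print(f"MTU {mtu}: {len(fragment(payload, mtu))} fragment(s)")
    frags = fragment(payload, 50)
    print("out-of-order reassembly ok:", reassemble(list(reversed(frags))) == payload)
    print("missing last fragment:", reassemble(frags[:-1]))
```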
IP addresses
→ IPv6 addresses: 128-bit addresses - needed because huge numbers of IP addresses are required
→ subdivided into network, subnet, host
→ Structure: the leading part identifies the destination network, the next part the destination subnet, the last part the specific device
→ routers don't need the whole address until the very final part of the journey
→ .255 is normally the broadcast address - reaches everyone in the local network
→ Reserved for private use: 10. something, 172…,
192…. - Internet routers will drop these addresses
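As an added example (not from the notes), the Python below uses the standard `ipaddress` module to show the network/subnet/host split, the broadcast address, and how a router needs only as much of the address as its most specific route requires (longest-prefix match). The three private ranges the notes abbreviate are the RFC 1918 networks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; the routing table and addresses are constructed for the demo.

```python
import ipaddress
from typing import Optional

# RFC 1918 private ranges (the notes abbreviate these as "10. something", "172…", "192…").
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed routing table for the demo: (prefix, next hop / interface).
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "isp-uplink"),
    (ipaddress.ip_network("10.0.0.0/8"), "corp-core"),
    (ipaddress.ip_network("10.1.2.0/24"), "eth0-local"),
]


def describe(addr: str, prefix_len: int) -> dict:
    """Network, broadcast and host-part view of an address inside its subnet."""
    iface = ipaddress.ip_interface(f"{addr}/{prefix_len}")
    net = iface.network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),
        "host_part": int(iface.ip) - int(net.network_address),
    }


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """Two hosts can talk at the link layer only if the network part matches."""
    return (ipaddress.ip_interface(f"{a}/{prefix_len}").network
            == ipaddress.ip_interface(f"{b}/{prefix_len}").network)


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def next_hop(dst: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the router examines only as much of the address as its
    most specific matching route needs. Returns None when the packet would have to
    leave towards the Internet with a private destination, which is dropped."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        return None
    if best[1] == "isp-uplink" and is_rfc1918(dst):
        return None   # public routers drop these, so the edge should not forward them
    return best[1]


if __name__ == "__main__":
    print(describe("192.168.1.77", 24))
    for dst in ("10.1.2.9", "10.9.9.9", "203.0.113.5", "192.168.50.1"):
        print(dst, "->", next_hop(dst))
```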
Reading
p222-228
→ Network Topology: network connection structure
→ Computers in a network: host nodes that are sources/destinations
→ Routers in a network: communication nodes
→ Private network with computers in close proximity: LAN → the Internet is a WAN
→ Autonomous Systems: routers in WANs on the Internet are partitioned into clusters
→ each autonomous system is controlled by a single organisation, which determines the routing of packets among its nodes - normally via shortest paths
→ routing between ASes is determined by contractual agreements
Internet Protocol Layers:
→ Internet protocol stack: architecture of the internet modelled as layers
→ each layer provides a set of services/functionality guarantees for higher layers and mostly does not rely on services or details from higher layers
→ the interface between lower and higher layers provides only the essential information - lower-level details are hidden from higher layers
Example: 5 conceptual layers for Internet comms - the TCP/IP model
1: Physical layer: moves the actual bits between nodes - deals with physical cables - the abstraction is transmitting bits between network nodes
2: Link layer: transfers data between a pair of network nodes / nodes in a LAN, detecting errors from the physical layer - handles the logical aspects of sending information across links and finding good routing paths within LANs. Groups bits into frames. Uses MAC addresses
3: Network layer: the Internet layer, provides the ability to move packets between two hosts. Provides IP addresses. Main protocol: IP. Best-effort basis: no guarantee a given packet will be delivered - reliable delivery is ensured by a higher layer
4: Transport layer: supports comms and connections between apps - based on IP addresses and ports - 16-bit addresses for application-level protocols to use. Protocol: TCP - creates a virtual connection between client and server - guarantees delivery of all packets, in order. UDP: assumes no prior setup and delivers packets ASAP, with no delivery guarantees
5: App layer: provides protocols to support useful functions on the Internet. E.g. HTTP - uses TCP, supports web browsing. DNS: uses UDP, supports the use of host names (instead of IP addresses), etc.
The OSI model is different: 7 layers - the application layer is subdivided further.
Internet Protocol Suite:
Most of the IP stack was designed at a time when malicious use was not anticipated. Security needs to be built in explicitly.
Network Security Issues:
Confidentiality: network comms that are meant to be confidential must be explicitly encrypted - can be done in the application layer, or by revising a lower-layer protocol to add encryption (e.g. the IPsec specification)
Integrity: headers and footers only carry simple checksums that aren't cryptographically secure - this should also be fixed at the app layer, or by alternative protocols at lower levels
Availability: hard to keep web servers up if they are bombarded with requests - could be legitimate or an attack - apps need to scale, or block the bad requests
Assurance: introducing permissions and policies needs explicit additions. Firewalls, for example, block traffic in and out if it violates policies set by the admin
Authenticity: headers and footers have no place for digital signatures - no notion of user identities. These need to be added explicitly at the application layer / in an alternative protocol
Anonymity: anonymity is built in - no default notion of identity. Can be good or bad.
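To make the Integrity point concrete, here is an added Python example (not from the notes) contrasting the kind of checksum the link layer carries (a CRC-32, as in the Ethernet FCS) with an application-layer HMAC. A CRC catches accidental corruption but anyone can recompute it after changing the data; an HMAC can only be recomputed by a holder of the key, so a changed body fails verification. The key and messages are constructed demo values.

```python
import hashlib
import hmac
import zlib

# Constructed demo key; in practice this comes from key management, not source code.
SHARED_KEY = b"demo-key-not-for-real-use"


def frame_with_fcs(payload: bytes) -> bytes:
    """Link-layer style trailer: CRC-32 over the payload. Computable by anyone."""
    return payload + zlib.crc32(payload).to_bytes(4, "little")


def fcs_ok(frame: bytes) -> bool:
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")


def message_with_tag(payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Application-layer fix: HMAC-SHA256 tag. Computable only with the key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def tag_ok(msg: bytes, key: bytes = SHARED_KEY) -> bool:
    body, tag = msg[:-32], msg[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def demo() -> dict:
    """Four outcomes a receiver would see for the same message under each scheme."""
    original = b"amount=100"
    changed = b"amount=900"

    fcs_frame = frame_with_fcs(original)
    noisy = bytearray(fcs_frame)
    noisy[0] ^= 0x01                              # a single flipped bit on the wire
    rewritten_fcs = frame_with_fcs(changed)       # body changed, CRC simply recomputed

    tagged = message_with_tag(original)
    rewritten_tag = changed + tagged[-32:]        # body changed, tag cannot be recomputed without key

    return {
        "fcs_detects_noise": not fcs_ok(bytes(noisy)),
        "fcs_accepts_rewrite": fcs_ok(rewritten_fcs),
        "hmac_accepts_genuine": tag_ok(tagged),
        "hmac_rejects_rewrite": not tag_ok(rewritten_tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```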
Reading p230-231
Collisions
→ collisions between transmissions: both transmitting machines wait a random amount of time and retransmit - hopefully without colliding again. The process is repeated for further collisions.
→ the Ethernet protocol is designed so that every machine in a network segment should eventually get to transmit its frame
→ modern network cables transmit data in both directions at once, so this isn't needed for two machines directly connected by a modern Ethernet cable
→ packet collisions still slow LANs significantly if there are lots of machines connected - e.g. home networks
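An added simulation (not from the notes) of the collision-and-retransmit process in Python: a slotted model of one shared segment in which every station holds one frame, a slot with two or more transmitters is a collision, and each colliding station waits a random number of slots drawn from a doubling range (truncated binary exponential backoff, as standard Ethernet does) before trying again. The station counts and seed are constructed; running it for growing station counts shows why a busy shared segment slows down.

```python
import random
from typing import Dict


def simulate_shared_segment(stations: int, seed: int = 1,
                            max_backoff_exp: int = 10) -> Dict[str, int]:
    """Slotted model of a shared half-duplex segment. Returns how many slots it took
    for every station to deliver its single frame and how many collisions occurred."""
    rng = random.Random(seed)
    waiting = {s: 0 for s in range(stations)}    # slots left before station s transmits
    attempts = {s: 0 for s in range(stations)}   # collisions seen by station s so far
    delivered = collisions = slots = 0
    while waiting:
        slots += 1
        ready = [s for s, w in waiting.items() if w == 0]
        if len(ready) == 1:                      # exactly one sender: the frame gets through
            delivered += 1
            del waiting[ready[0]]
        elif len(ready) > 1:                     # two or more: collision, everyone backs off
            collisions += 1
            for s in ready:
                attempts[s] += 1
                waiting[s] = rng.randrange(2 ** min(attempts[s], max_backoff_exp))
        for s in waiting:                        # everyone else counts down one slot
            if s not in ready and waiting[s] > 0:
                waiting[s] -= 1
    return {"stations": stations, "delivered": delivered,
            "collisions": collisions, "slots": slots}


if __name__ == "__main__":
    for n in (1, 2, 4, 8, 16, 32):
        print(simulate_shared_segment(n))
```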
Hubs/Switches
→ simplest way to connect is using a hub - connects devices, creating a single network segment. Forwards all frames to all attached devices - broadcast
→ problem with hubs: lots of unnecessary traffic; also makes network eavesdropping easier
→ switch: initially acts like a hub, then learns which addresses are connected to which ports and sends traffic only to the correct MAC address - can still broadcast if required
→ a switch can therefore speed up the network by reducing traffic - increasing available bandwidth - and reduces the likelihood of network eavesdropping
→ switches are the de facto standard for link-layer data forwarding
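As an added example (not from the notes) covering both the Switch/Hub/Combining Switches notes above and this Hubs/Switches section, the Python below models a hub and a learning switch and counts how many ports each frame is copied to. The station labels stand in for MAC addresses and the traffic pattern is constructed; the count is the number of places a frame could be overheard, which is exactly what the switch reduces once its table is populated.

```python
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame out of every other port: everyone hears everything."""

    def __init__(self, ports: int):
        self.ports = list(range(ports))

    def forward(self, in_port: int, src: str, dst: str) -> List[int]:
        return [p for p in self.ports if p != in_port]


class LearningSwitch:
    """Learns which port each source address lives on; floods only when it has to."""

    def __init__(self, ports: int):
        self.ports = list(range(ports))
        self.mac_table: Dict[str, int] = {}

    def forward(self, in_port: int, src: str, dst: str) -> List[int]:
        self.mac_table[src] = in_port                 # learn from the source field
        out = self.mac_table.get(dst)
        if dst == BROADCAST or out is None:          # unknown destination: act like a hub
            return [p for p in self.ports if p != in_port]
        if out == in_port:                            # destination is on the same port: drop
            return []
        return [out]                                  # known destination: one port only


def run(device, stations: Dict[str, int], traffic: List[Tuple[str, str]]) -> List[int]:
    """Feed (src, dst) frames through the device and return the number of ports each
    frame was copied to. Fewer copies = less wasted bandwidth and fewer eavesdropping points."""
    return [len(device.forward(stations[src], src, dst)) for src, dst in traffic]


# Constructed demo LAN: four stations, one per port, and a short conversation.
STATIONS = {"A": 0, "B": 1, "C": 2, "D": 3}
TRAFFIC = [("A", "B"), ("B", "A"), ("A", "B"), ("C", BROADCAST), ("D", "C")]

if __name__ == "__main__":
    print("hub    copies per frame:", run(Hub(4), STATIONS, TRAFFIC))
    sw = LearningSwitch(4)
    print("switch copies per frame:", run(sw, STATIONS, TRAFFIC))
    print("learned table:", sw.mac_table)
```

The first frame to an unknown station is flooded (the switch "initially acts like a hub"); once the reply has been seen, traffic between A and B reaches only their two ports, while a broadcast still goes everywhere.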
Reading p240-241
Internet Control Message Protocol: ICMP
→ network layer protocol used by hosts for basic testing and error notification tasks
→ primarily used for network diagnostics (determining if host is alive/finding path followed by a packet)
→ various message types for ICMP packets, e.g.:
1. Echo request: asks the destination machine to acknowledge receipt
2. Echo response: the reply to an echo request
3. Time exceeded: error notification - the packet has expired (TTL reached 0)
4. Destination unreachable: error notification - the packet could not be delivered
→ many network management tools use ICMP, like ping
→ ping: utility using ICMP to verify whether a host is receiving packets - sends an echo request to the destination, which should reply with an echo response. The first diagnostic tool to reach for
→ traceroute: also uses ICMP messages, but to determine the path a packet takes to reach another host. Uses the TTL field in the IP header.
First sends with a TTL of 1 - the first intermediate router discards the packet and replies with time exceeded - revealing the first machine. Then traceroute sends with a TTL of 2 - finding the next router, since the first one decrements TTL by one. And so on.
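An added Python model (not from the notes) of ping and traceroute over a constructed path of three routers and a target host. Each router decrements the TTL and answers Time Exceeded when it hits zero; the ICMP type numbers are the standard ones (0 echo reply, 3 destination unreachable, 8 echo request, 11 time exceeded). The model also covers the two things that confuse people reading real traceroute output: a router configured not to send ICMP (shown as `*`) and a last router that cannot deliver (Destination Unreachable ends the trace).

```python
from typing import List, Optional, Tuple

# Standard ICMP message type numbers.
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# Constructed demo path: routers in order, then the target host.
PATH = ["r1.example", "r2.example", "r3.example", "target.example"]


def send_echo(path: List[str], ttl: int, silent=frozenset(),
              target_up: bool = True) -> Tuple[Optional[str], Optional[int]]:
    """Model one echo request (type 8) hop by hop. Every router decrements TTL; at 0
    it drops the packet and, unless configured to stay silent, sends Time Exceeded.
    Returns (who replied, ICMP type), or (None, None) when nobody answered."""
    for router in path[:-1]:
        ttl -= 1
        if ttl == 0:
            return (None, None) if router in silent else (router, TIME_EXCEEDED)
    host = path[-1]
    if not target_up:                      # last router has no way to deliver
        last_router = path[-2] if len(path) > 1 else None
        return last_router, DEST_UNREACHABLE
    if host in silent:
        return None, None
    return host, ECHO_REPLY


def ping(path: List[str] = PATH, ttl: int = 64, **kw) -> bool:
    """Is the host answering echo requests within the TTL budget?"""
    return send_echo(path, ttl, **kw)[1] == ECHO_REPLY


def traceroute(path: List[str] = PATH, max_hops: int = 30, **kw) -> List[str]:
    """Raise TTL one at a time: each Time Exceeded reveals one router, '*' marks a
    hop that did not answer, and the first Echo Reply (or Unreachable) ends the trace."""
    hops = []
    for ttl in range(1, max_hops + 1):
        who, kind = send_echo(path, ttl, **kw)
        hops.append(who if who is not None else "*")
        if kind in (ECHO_REPLY, DEST_UNREACHABLE):
            break
    return hops


if __name__ == "__main__":
    print("ping:", ping())
    print("traceroute:", traceroute())
    print("with a silent hop:", traceroute(silent={"r2.example"}))
    print("target down:", traceroute(target_up=False))
```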