SEC400
TCP/IP for Security Administrators
Microsoft Corporation
7. application
6. presentation
5. session
4. transport
3. network
2. link
1. physical
SEC400 1
Microsoft IT Forum 2004 Europe
ARP
Address Resolution Protocol RFC 826
ARP format
bit offsets: 0 8 16 24 31
hardware type | protocol type
HA length | PA length | operation
sender MAC address (bytes 0-3)
sender MAC address (bytes 4-5) | sender IP address (bytes 0-1)
sender IP address (bytes 2-3) | target MAC address (bytes 0-1)
target MAC address (bytes 2-5)
target IP address (bytes 0-3)
ARP operation (diagram: ARP exchange between hosts 1.1.1.1 and 1.1.1.2)
ARP defenses
  None built into protocol
  arpwatch: monitoring tool
    Must mirror all traffic on one switch port
  Switch features
    Allow only one MAC address per port
      Stops people from using hubs
    Compare requests and replies to other mapping information
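An added example, not from the slides: it decodes the ARP layout above and applies the arpwatch idea from the defenses list, remembering the first MAC seen for each sender IP and alerting when a later request or reply claims that IP with a different MAC. Python 3.8+; the packets are constructed with the build_arp helper, not captured traffic.

```python
import struct

# ARP packet layout for Ethernet/IPv4 (28 bytes), following the slide's table:
# hardware type, protocol type, HA length, PA length, operation,
# sender MAC, sender IP, target MAC, target IP.
ARP_FMT = "!HHBBH6s4s6s4s"

def parse_arp(pkt):
    """Decode the fixed ARP fields; None if truncated or not Ethernet/IPv4."""
    if len(pkt) < 28:
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, pkt[:28])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "op": {1: "request", 2: "reply"}.get(op, op),
        "sender_mac": smac.hex(":"), "sender_ip": ".".join(map(str, sip)),
        "target_mac": tmac.hex(":"), "target_ip": ".".join(map(str, tip)),
    }

def build_arp(op, smac, sip, tmac, tip):
    """Constructed sample packets for the demo (not captured traffic)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(smac), ip(sip), mac(tmac), ip(tip))

def watch(packets):
    """arpwatch-style check: remember the first MAC seen for each sender IP and
    report any later packet that claims the same IP with a different MAC.
    Returns (ip_to_mac table, list of alert strings)."""
    table, alerts = {}, []
    for raw in packets:
        arp = parse_arp(raw)
        if arp is None:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = table.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"{ip}: {known} -> {mac} in ARP {arp['op']}")
    return table, alerts
```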
IP
Internet Protocol RFC 791
IP format
bit offsets: 0 8 16 24 31
version | header length | type of service | datagram length
identification | flags | fragment offset
time to live | next protocol | header checksum
source IP address
destination IP address
options, if any (variable length) | (padding)
version: 4
TOS: differentiated services codepoints (no guarantee of honoring)
dg length, ID, flags, offset: for fragmentation (will examine later)
TTL: max. hops through network (decremented by routers); usually 32
next protocol: TCP, 6 | UDP, 17 | ICMP, 1 | IPsec AH, 51 | IPsec ESP, 50
header checksum: 16-bit one's complement of sum
options: restrictions, record route, record timestamp, source routing
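An added example, not from the slides: it parses the 20-byte IPv4 header laid out above and verifies the header checksum (the one's complement of the 16-bit one's complement sum, computed with the checksum field zeroed). The build_ipv4 helper constructs a sample header for the demo.

```python
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte header, fields in the order shown above
PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "IPsec ESP", 51: "IPsec AH"}

def ones_complement_sum(data):
    """16-bit one's complement sum of data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carry bits back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_checksum(header):
    """Header checksum: complement of the sum with bytes 10-11 (the checksum) zeroed."""
    return (~ones_complement_sum(header[:10] + b"\x00\x00" + header[12:])) & 0xFFFF

def parse_ipv4(pkt):
    """Fields named on the slide, plus whether the received checksum verifies."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    vihl, tos, length, ident, flags_off, ttl, proto, csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    header = pkt[:ihl]
    return {
        "version": version, "header_len": ihl, "tos": tos, "datagram_len": length,
        "id": ident, "df": bool(flags_off & 0x4000), "mf": bool(flags_off & 0x2000),
        "frag_offset": (flags_off & 0x1FFF) * 8, "ttl": ttl,
        "proto": PROTOS.get(proto, proto),
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": header[20:],
        "checksum_ok": ip_checksum(header) == csum,
    }

def build_ipv4(src, dst, proto, ttl=32, payload_len=0, ident=1):
    """Constructed header (no options, DF set) with a correct checksum, for the demo."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
```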
IP routing
  Two types of network nodes:
    Hosts: don't forward datagrams between interfaces
    Routers: do forward datagrams between interfaces
  Hosts can be routers if appropriate software is installed and enabled
    Presents security risks
IP routing operation (diagram): host 1.1.1.5 on network 1.1.1.0/24 sends a datagram for 9.8.7.6; each node asks "Is it to my IP?"; router 1.1.1.254 searches its routing table and decrements the TTL before forwarding
Source routing (diagram with addresses 131.107.0.254, 10.0.0.254 and 10.0.0.1)
ICMP
Internet Control Message Protocol RFC 792
ICMP format
bit offsets: 0 8 16 24 31
type | code | checksum
ICMP messages (type, code, description)
 0   0  echo reply
 3      destination unreachable
     0  network unreachable
     1  host unreachable
     2  protocol unreachable
     3  port unreachable
     4  fragmentation needed but don't-fragment bit is set
     5  source route failed
     6  destination network unknown
     7  destination host unknown
     8  source host isolated (obsolete)
     9  destination network administratively prohibited
    10  destination host administratively prohibited
    11  network unreachable for DiffServ
    12  host unreachable for DiffServ
    13  communication administratively prohibited by filtering
    14  host precedence violation
    15  precedence cutoff in effect
 4   0  source quench
 5      redirect
     0  for network
     1  for host
     2  for DiffServ and network
     3  for DiffServ and host
 8   0  echo request
 9   0  router advertisement
10   0  router solicitation
11      time exceeded
     0  TTL = 0 during transit
     1  TTL = 0 during reassembly
12      parameter problem
     0  IP header bad (catchall error)
     1  required option missing
13   0  timestamp request
14   0  timestamp reply
15   0  information request (obsolete)
16   0  information reply (obsolete)
17   0  address mask request
18   0  address mask reply
ICMP echo
bit offsets: 0 8 16 24 31
type | code | checksum
identifier | sequence number
ICMP echo exchange (diagram): "Wake up! Ping!" request, "Reply!" response
ICMP defenses
  Limit which ICMP types and codes you allow into your network
  Don't permit "unreachable" messages outside your border
    Let the absence of a reply imply a problem
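An added example, not from the slides, of the two ICMP defenses above as a border filter: inbound ICMP is permitted only for an explicit list of (type, code) pairs from the table, inbound error messages must quote a datagram sent from our own network, and outbound "destination unreachable" (type 3) is dropped so outsiders learn nothing from it. The inside prefix 1.1.1.0/24 and the small allow list are assumptions for the demo; make_icmp constructs sample packets.

```python
import ipaddress
import struct

# Assumed for the demo: our inside network (from the routing slide) and a
# deliberately small inbound allow list of (type, code) pairs from the table:
# echo reply, fragmentation needed (path MTU discovery), TTL exceeded in transit.
INSIDE = ipaddress.ip_network("1.1.1.0/24")
INBOUND_ALLOW = {(0, 0), (3, 4), (11, 0)}
ERROR_TYPES = {3, 4, 5, 11, 12}      # error messages quote the offending IP header + 8 bytes

def parse_icmp(pkt):
    """type, code and checksum from the 4-byte header above; 'rest' is the body."""
    if len(pkt) < 4:
        raise ValueError("truncated ICMP header")
    t, c, csum = struct.unpack("!BBH", pkt[:4])
    return {"type": t, "code": c, "checksum": csum, "rest": pkt[4:]}

def icmp_verdict(direction, pkt):
    """'permit' or 'deny' for one ICMP packet crossing the border ('in' or 'out')."""
    icmp = parse_icmp(pkt)
    t, c = icmp["type"], icmp["code"]
    if direction == "out":
        # never tell outsiders why something was unreachable
        return "deny" if t == 3 else "permit"
    if direction != "in":
        raise ValueError("direction must be 'in' or 'out'")
    if (t, c) not in INBOUND_ALLOW:
        return "deny"
    if t in ERROR_TYPES:
        # an inbound error only matters if the quoted datagram (which starts 4 bytes
        # into the body, after the unused/MTU word) was sent by one of our hosts
        quoted = icmp["rest"][4:]
        if len(quoted) < 20 or ipaddress.ip_address(quoted[12:16]) not in INSIDE:
            return "deny"
    return "permit"

def make_icmp(t, c, quoted_src=None, quoted_dst=None):
    """Constructed packet (checksum left zero; this filter does not validate it).
    When quoted_src is given, append a minimal quoted IP header + 8 bytes as an error would."""
    pkt = struct.pack("!BBH", t, c, 0)
    if quoted_src is not None:
        ip = lambda a: bytes(int(o) for o in a.split("."))
        quoted_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, ip(quoted_src), ip(quoted_dst))
        pkt += b"\x00" * 4 + quoted_hdr + b"\x00" * 8
    return pkt
```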
Transport Layer Protocols
UDP
User Datagram Protocol RFC 768
  Datagram-oriented (vs. TCP's stream orientation, later)
  No transport reliability
  No delivery guarantees
    Some applications work better with app-level error handling
UDP format
bit offsets: 0 8 16 24 31
source port | destination port
length | checksum
Spoof! (diagram): datagram from A:19/udp to B:7/udp (echo)
UDP defenses
  Use application-aware proxies to improve security
  Don't expose applications that you don't need, e.g. echo, daytime
TCP
Transmission Control Protocol RFC 793
TCP format
bit offsets: 0 8 16 24 31
source port | destination port
sequence number
acknowledgement number
header length | reserved | flags | window size
checksum | urgent pointer
options (if any) (variable length)
data (variable length)
TCP connection setup
1. A sends packet to B with: SYN with A's ISN (initial sequence number); destination port number
2. B sends packet to A with: SYN with B's ISN; ACK with A's SYN+1
3. A sends packet to B with: ACK set, B's SYN+1
TCP connection close
1. A sends packet to B with: FIN with A's next sequence number
2. B sends packet to A with: ACK with A's SYN+1; B's next sequence number
3. A sends packet to B with: ACK set, B's SYN+1
TCP sequence number prediction (diagram): E sends a SYN to B with source=A and its own ISN; B answers with SYN (ISN B) and ACK set, addressed to A; A, which never sent a SYN, replies "Huh?" with RST set; E then sends an ACK with source=A acknowledging B's ISN (predicted!)
TCP defenses
  Better sequence number generation
    Random
    Cryptographic
  Router rules to block spoofed packets
    TCP attacks are almost always spoofed
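An added example, not from the slides, for the "better sequence number generation" point: naive_isn is the old style (previous ISN plus a fixed step), rfc1948_isn is the RFC 1948 construction ISN = clock + F(4-tuple, secret), and isn_is_predictable is the audit check a defender runs over ISNs handed out across several connections. F is assumed to be SHA-256 here (the RFC used MD5); the secret and the sample 4-tuples are constructed for the demo.

```python
import hashlib
import os
import struct

SECRET = os.urandom(16)           # assumed: a per-boot secret, never disclosed

def naive_isn(prev, step=64000):
    """Old-style ISN: previous value plus a constant step per connection."""
    return (prev + step) & 0xFFFFFFFF

def rfc1948_isn(clock, src_ip, src_port, dst_ip, dst_port, secret=SECRET):
    """RFC 1948-style ISN: 32-bit clock plus a secret keyed hash of the 4-tuple,
    so the clock component stays but the per-connection offset is unpredictable."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    tuple4 = struct.pack("!4sH4sH", ip(src_ip), src_port, ip(dst_ip), dst_port)
    f = int.from_bytes(hashlib.sha256(secret + tuple4).digest()[:4], "big")
    return (clock + f) & 0xFFFFFFFF

def isn_is_predictable(samples):
    """Audit check: do successive ISNs seen by an observer advance by one constant
    delta? True means the next ISN follows from the last one."""
    deltas = {(b - a) & 0xFFFFFFFF for a, b in zip(samples, samples[1:])}
    return len(samples) >= 3 and len(deltas) == 1

def sample_naive(n, start=0):
    """ISNs a naive generator hands to n successive connections."""
    isns, cur = [], start
    for _ in range(n):
        cur = naive_isn(cur)
        isns.append(cur)
    return isns

def sample_rfc1948(n, clock=1000):
    """ISNs for n connections opened in the same clock tick from different
    source ports, as an observer opening connections in quick succession sees."""
    return [rfc1948_isn(clock, "9.8.7.6", 40000 + i, "1.1.1.5", 80) for i in range(n)]
```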
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.