Chapter 9
Panko and Panko Business Data Networks and Security, 9th Edition
2013 Pearson
[Figure: book roadmap relating chapters to layers (Internets; Wide Area Networks; Applications)]
Chapter 8: Major TCP/IP standards; Router operation
Chapter 9: Managing Internets; Securing Internets
Chapter outline: IP Subnetting; Network Address Translation (NAT); DNS and DHCP; SNMP; Multiprotocol Label Switching; Securing Internet Transmission; IPv6 Management

IP Subnetting
Companies are given network parts by their ISP or an Internet number authority.
They divide the remaining bits between a subnet part and a host part. A larger subnet part means more subnets, but it leaves a smaller host part, which means fewer hosts per subnet. The reverse is also true.
Number of possible subnets (or hosts per subnet) for an N-bit part: 2^N - 2
Example 1
Step 1: Total size of IP address (bits): 32 (by definition)
Step 2: Size of network part assigned to firm (bits): 16 (assigned to the firm)
Step 3: Remaining bits for firm to assign: 16
Step 4: Selected subnet part size / host part size (bits): 8 / 8
Number of possible subnets (2^8 - 2): 254
Number of possible hosts per subnet (2^8 - 2): 254
Example 2
Step 1: Total size of IP address (bits): 32 (by definition)
Step 2: Size of network part assigned to firm (bits): 16 (assigned to the firm)
Step 3: Remaining bits for firm to assign: 16
Step 4: Selected subnet part size / host part size (bits): 6 / 10
Number of possible subnets (2^6 - 2): 62
Number of possible hosts per subnet (2^10 - 2): 1,022
Example 3
Step 1: Total size of IP address (bits): 32 (by definition)
Step 2: Size of network part assigned to firm (bits): 8 (assigned to the firm)
Step 3: Remaining bits for firm to assign: 24
Step 4: Selected subnet part size / host part size (bits): 12 / 12
Number of possible subnets (2^12 - 2): 4,094
Number of possible hosts per subnet (2^12 - 2): 4,094
Example 4
Step 1: Total size of IP address (bits): 32 (by definition)
Step 2: Size of network part assigned to firm (bits): 8 (assigned to the firm)
Step 3: Remaining bits for firm to assign: 24
Step 4: Selected subnet part size / host part size (bits): 8 / 16
Number of possible subnets (2^8 - 2): 254
Number of possible hosts per subnet (2^16 - 2): 65,534
Exercise 1
Size of IP address (bits): 32
Size of network part assigned to firm (bits): 20
Remaining bits for firm to assign: 12
Selected subnet part size (bits): 4
Host part size (bits): ?
Number of possible subnets (2^N - 2): ?
Number of possible hosts per subnet (2^N - 2): ?

Exercise 2
Size of IP address (bits): 32
Size of network part assigned to firm (bits): 20
Remaining bits for firm to assign: 12
Selected subnet part size (bits): 6
Host part size (bits): ?
Number of possible subnets (2^N - 2): ?
Number of possible hosts per subnet (2^N - 2): ?
Network Address Translation (NAT)
NAT sends false external source IP addresses and port numbers that differ from the internal source IP addresses and port numbers. This is done for security purposes.
NAT also lets a firm have many more internal IP addresses than the external IP addresses its ISP gives it.
The NAT firewall puts the real source IP address and port number in its translation table.
The NAT firewall replaces the source IP address and port number of the packet with a false source IP address and port number, and adds this pair to the table.
With NAT, attackers learn only false external IP addresses. Cannot use this information to attack internal hosts.
They must know the real IP address and port number of the host on the other side of the NAT firewall. There are NAT firewall traversal techniques, but they must be managed carefully.
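The translation table these slides describe, as an added example that is not from the textbook: outbound packets get their real source address and port recorded and replaced, inbound packets are mapped back through the table, and anything with no table entry is dropped. All addresses are constructed samples from the documentation ranges; the port pool range and the choice to key inbound lookups by external port alone are assumptions (real NAT devices differ in how strictly they also check the remote endpoint).

```python
class NatFirewall:
    """Translation table of a NAT firewall: the real (internal) source address and
    port on one side, the false external address and port the outside sees on the other."""

    def __init__(self, external_ip, first_port=40000, last_port=49999):
        self.external_ip = external_ip
        self._ports = iter(range(first_port, last_port + 1))   # assumed pool of external ports
        self.outbound = {}   # (real_ip, real_port) -> external_port
        self.inbound = {}    # external_port -> (real_ip, real_port)

    def translate_outbound(self, real_ip, real_port):
        """Packet leaving the site: record the real source, substitute the false one."""
        key = (real_ip, real_port)
        if key not in self.outbound:
            try:
                external_port = next(self._ports)
            except StopIteration:
                raise RuntimeError("NAT port pool exhausted") from None
            self.outbound[key] = external_port
            self.inbound[external_port] = key
        return self.external_ip, self.outbound[key]

    def translate_inbound(self, dst_ip, dst_port):
        """Packet arriving from the Internet: map it back to the real host, or drop it.
        An unsolicited packet has no table entry and goes nowhere, which is why knowing
        only the false external address does not let an outsider reach an internal host."""
        if dst_ip != self.external_ip:
            return None
        return self.inbound.get(dst_port)


if __name__ == "__main__":
    # Constructed sample: 192.168.1.10 is an internal host, 198.51.100.1 is the
    # firm's single external address, 203.0.113.9 is a webserver on the Internet.
    nat = NatFirewall("198.51.100.1")
    seen_by_webserver = nat.translate_outbound("192.168.1.10", 51000)
    print("webserver sees source", seen_by_webserver)
    print("reply delivered to", nat.translate_inbound(*seen_by_webserver))
    print("unsolicited inbound packet delivered to", nat.translate_inbound("198.51.100.1", 22))
```

The last line of the usage shows the traversal problem the slide raises: a host outside that wants to reach an internal host first needs a table entry to exist, which only the internal host can create by sending outbound.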
The originating host needs the IP address of host dakine.pukanui.com. It asks its local DNS server at Hawaii.edu.
Note that the local DNS server always sends back the response message.
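The exchange behind these two slides, as an added example that is not from the textbook: the originating host asks only its local DNS server, the local server walks from the root through the .com servers to the server responsible for pukanui.com, and the local server always returns a response to the host, whether or not the name was found. The zone data, server names and the address 192.0.2.44 are constructed samples, not real DNS records.

```python
# Constructed zone data (not real DNS records). Each server either knows the
# answer (an A record) or knows whom to refer the question to (an NS record).
ZONE_DATA = {
    "root-server": {"com": ("NS", "com-tld-server")},
    "com-tld-server": {"pukanui.com": ("NS", "ns.pukanui.com")},
    "ns.pukanui.com": {"dakine.pukanui.com": ("A", "192.0.2.44")},
}


def query(server, name):
    """One query/response exchange with a single server. Returns ('A', address) for
    a final answer, ('NS', next_server) for a referral, or None if the server has
    nothing useful about the name."""
    records = ZONE_DATA.get(server, {})
    if name in records:
        return records[name]
    # Referral: the longest zone suffix this server holds an NS record for
    for zone in sorted(records, key=len, reverse=True):
        rtype, value = records[zone]
        if rtype == "NS" and name.endswith("." + zone):
            return rtype, value
    return None


def local_dns_server(name, max_hops=8):
    """The local DNS server does the iterative work, starting at the root, and
    always sends a response back to the originating host, found or not."""
    transcript = []           # (server asked, question, reply) for each hop
    server = "root-server"
    for _ in range(max_hops):  # bounds referral loops in bad zone data
        reply = query(server, name)
        transcript.append((server, name, reply))
        if reply is None:
            break
        rtype, value = reply
        if rtype == "A":
            return {"question": name, "rcode": "NOERROR", "answer": value}, transcript
        server = value        # follow the referral to the next server
    return {"question": name, "rcode": "NXDOMAIN", "answer": None}, transcript


if __name__ == "__main__":
    response, transcript = local_dns_server("dakine.pukanui.com")
    for server, question, reply in transcript:
        print(f"local DNS server -> {server}: {question}?  reply: {reply}")
    print("local DNS server -> originating host:", response)
    print("unknown name:", local_dns_server("nosuch.example")[0])
```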
Generic top-level domains indicate organization type (.com, .edu, .gov, etc.).
Country top-level domains are specific to a country (.UK, .CA, .CH, etc.).
Traditionally, generic top-level domains were strongly limited in number. There have been a few additions over the years, such as .museum, .name, and .co.
As of 2013, any individual or company can propose to administer a generic top-level domain.
The two are often confused because both give a client PC an IP address.
DHCP gives a client PC its own dynamic IP address.
DNS gives a client PC the IP address of a host the client wishes to send packets to.
SNMP
[Figure: the SNMP manager, with its MIB, communicating with agents on managed devices]
Messages
Commands (sent by a manager to an agent):
Get (to get information from the agent)
Set (to tell the agent to change how the managed device is operating)
Responses (sent from agent to manager): Get or Set command response
Messages
Traps (alarms sent by agents). SNMP uses UDP at the transport layer to minimize the burden on the network.
Set Commands
Dangerous if used by attackers. Many firms disable Set to thwart such attacks. However, they then give up the ability to manage remote resources without travel. SNMPv1 authenticates with a community string shared by the manager and all devices (poor security).
Categories of Objects
System objects (one set per managed device): system name, system description, system contact person, system uptime (since last reboot)
Categories of Objects
IP objects (one set per managed device): Forwarding (for routers): Yes if forwarding (routing), No if not
Categories of Objects
TCP objects (one set per managed device):
Retransmission time
Maximum number of TCP connections allowed
Opens / failed connections / resets
Segments sent
Segments retransmitted
Categories of Objects
UDP objects (one set per host): traffic statistics
ICMP objects (one set per host): number of ICMP errors of various types
Categories of Objects
One set per managed device: System, IP, TCP, UDP, ICMP
Interface objects: one set per interface (port)
Categories of Objects
Interface objects (one set per interface):
Type (e.g., 69 is 100Base-FX; 71 is 802.11)
Status: up / down / testing
Speed
Errors: discards, unknown protocols, and so on
Visualization Program
The administrator's interface to the MIB. It helps the administrator visualize patterns in the MIB data. It can order the SNMP manager to collect certain data or to send Set commands to change the configurations of managed devices.
User Functionality
Reports, diagnostic tools, and so on are very important. They are not built into the standard; they are added by network visualization program vendors. This is critical in the selection of a network management vendor.
Routers route each packet individually, going through the three steps we saw in the last chapter.
Even if the next packet is going to the same destination IP address, the router will go through all three steps. This consumes a great deal of processing power per packet. This makes traditional routing expensive.
The MPLS label sits between the frame header and the IP packet header: Frame Header | MPLS Label | IP Packet Header
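An added example (not from the textbook) that builds a constructed frame with exactly that layout and parses it back: frame header, then one or more MPLS labels, then the IPv4 header. The label field layout (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack flag, 8-bit TTL) and the EtherType 0x8847 come from RFC 3032, not from this page; the MAC and IP addresses are constructed sample values. Stacked labels are an assumption about what a reader may meet in practice: the parser keeps walking labels until the bottom-of-stack flag is set, which is how it finds where the IP header begins.

```python
import ipaddress
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847   # RFC 3032: an MPLS label stack follows the frame header


def build_label(label, tc=0, bottom=False, ttl=64):
    """Pack one 32-bit MPLS label entry: 20-bit label, 3-bit TC, 1-bit S, 8-bit TTL."""
    if not 0 <= label < 2 ** 20:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def build_frame(labels, src_ip, dst_ip):
    """Constructed sample frame: frame header, label stack, then a minimal IPv4 header."""
    frame_header = (bytes.fromhex("0a0000000001")          # destination MAC (constructed)
                    + bytes.fromhex("0a0000000002")        # source MAC (constructed)
                    + struct.pack("!H", ETHERTYPE_MPLS_UNICAST))
    stack = b"".join(build_label(label, bottom=(i == len(labels) - 1))
                     for i, label in enumerate(labels))
    # 20-byte IPv4 header with no options or payload; checksum left at zero
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                            ipaddress.ip_address(src_ip).packed,
                            ipaddress.ip_address(dst_ip).packed)
    return frame_header + stack + ip_header


def parse_frame(frame):
    """Walk past the frame header and the label stack to reach the IP packet header.
    Returns the labels in order and the offset at which the IP header starts."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_MPLS_UNICAST:
        raise ValueError("not an MPLS unicast frame")
    offset = 14
    labels = []
    while True:
        if offset + 4 > len(frame):
            raise ValueError("label stack runs past the end of the frame")
        word = struct.unpack_from("!I", frame, offset)[0]
        offset += 4
        labels.append({"label": word >> 12, "tc": (word >> 9) & 0x7, "ttl": word & 0xFF})
        if (word >> 8) & 0x1:       # S bit set: that entry was the bottom of the stack
            break
    if offset + 20 > len(frame) or frame[offset] >> 4 != 4:
        raise ValueError("no IPv4 header after the label stack")
    src, dst = struct.unpack_from("!4s4s", frame, offset + 12)
    return {
        "labels": labels,
        "ip_header_offset": offset,
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
    }


if __name__ == "__main__":
    frame = build_frame([1000, 2000], "192.0.2.1", "198.51.100.7")
    print(frame.hex())
    print(parse_frame(frame))
```

Because a label-switching router forwards on the label alone, the parser never needs to look at the destination IP address to decide the next hop; it reads the IP header here only to show where the label stack ends.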
Implementing MPLS is difficult. Many individual ISPs and corporations do it. Some individual ISPs have peering arrangements with other individual ISPs to do it. There is no general way to move MPLS out to all ISPs and organizations.
Securing Internet Transmission
Today, firms are adding security to their transmissions through IPsec VPNs.
A virtual private network (VPN) is a cryptographically secured transmission path through an untrusted environment, such as the Internet, a wireless network, or communication in a foreign country.
There are two types of VPN: Remote access VPNs connect a remote user to a corporate site. The user connects to a VPN gateway at the site.
There are two types of VPNs: Site-to-site VPNs protect all traffic traveling between two sites. Each site has a gateway to encrypt outgoing traffic and decrypt incoming traffic.
Each mode has strengths and weaknesses. Selecting an IPsec mode option is very important to security.
In transport mode, IPsec provides protection over the Internet and also over site networks between the hosts.
Transport mode requires a digital certificate and configuration work on each host. This is expensive.
In tunnel mode, IPsec only provides protection over the dangerous Internet, not within site networks.
Only the two IPsec gateways need digital certificates and configuration work.
Criterion: Security
Transport mode: Provides protection over the Internet and also over site networks between the hosts. But firewalls cannot read the encrypted traffic.
Tunnel mode: Not as good, because it only provides security over the Internet or another untrusted network (a wireless network, etc.).
Criterion: Cost
Transport mode: Higher, because of configuration work on each host.
Tunnel mode: Lower, because IPsec operates only on the IPsec gateway.
Purpose
To provide a secure connection between a client browser and a webserver application on a webserver host. Use is indicated by https:// in the URL.
Very widely used.
Origin
Created by Netscape as SSL. The IETF took over the standard.
Attraction of SSL/TLS
Universally supported by browsers and webserver applications, so there is no added cost on the client to use it. No extra software on the server is needed, but SSL/TLS must be configured, which usually is simple.
Limitations of SSL/TLS
Operates at the transport layer, so there is no protection for IP or transport headers.
Limited to applications written to work with SSL/TLS: HTTP and e-mail, primarily.
Cryptographically weaker than IPsec. Has been partially cracked.
No policy servers for centralized management.
Overall
Decent quality, cheap, and easy security.
Limited in how it can be used and managed.
IPv6 Management
Extending DNS
Replacing the Address Resolution Protocol
The IETF's plan
Must transition all clients, routers, firewalls, and so on.
No backward compatibility. Instead, add both IPv4 and IPv6 protocol stacks at the internet layer to all new devices.
As soon as most devices have IPv6 protocol stacks, configure the devices and add IPv6 support to IPv4 support. Eventually, turn off IPv4 support.
Now some clients, such as mobile phones, have only IPv6 stacks at the internet layer.
To serve them, companies are rushing to turn on and configure IPv6 support.
IPv6 address part and the corresponding IPv4 address part:
Routing Prefix corresponds to the Network Part
Subnet ID corresponds to the Subnet Part
Interface ID corresponds to the Host Part
Total: 128 bits (IPv6) versus 32 bits (IPv4)
The interface ID is not of variable length like IPv4 host parts. This wastes 64 bits, but IPv6 has plenty to spare.
Routing prefix: m bits. Subnet ID: n bits. m + n = 64. Interface ID: 64 bits.
Forming the 64-bit interface ID from a 48-bit MAC address (modified EUI-64):
MAC address AD-B1-C2-D3-E5-F5, written as 12 hex digits: adb1c2d3e5f5
Insert fffe in the middle to stretch it to 64 bits: adb1c2fffed3e5f5
Flip the universal/local bit (the second-lowest bit of the first byte, so ad becomes af): afb1c2fffed3e5f5
Stateless Autoconfiguration
The client configures itself, without using a DHCPv6 server.
If the client does not need a global IP address, the autoconfiguration process can stop here.
The router advertisement message may state that autoconfiguration is not allowed.
If this is not the case, the message gives the routing prefix and subnet ID. The client now has a global unicast IPv6 address.
Limits
More limited than traditional DHCP autoconfiguration.
At a minimum, router advertisement messages give only a routing prefix and subnet ID.
Of course, the packet containing the router advertisement message gives the IPv6 address of the router, which becomes the default router.
Uses
How can a client get other IPv6 configuration information?
If a client is a dual-stack client, the IPv4 stack can obtain full configuration information, which the IPv6 stack can use.
Uses
If the client is not a dual-stack client, it needs at least one more piece of configuration information: the IPv6 addresses of DNS servers. The IETF has extended router advertisement messages to provide the IPv6 addresses of DNS servers. However, this is only an option.
An attacker may create an address that uses the EUI-64 of another host to impersonate it.
Several operations can be used to create flooding denial-of-service attacks.
ICMPv6
Many new types were created for neighbor discovery, stateless autoconfiguration, and so on.
DNS A Record. The A record contains the IPv4 address for the target host.
DNS AAAA Record. For IPv6 addresses, a new address record had to be added. IPv6 addresses are four times as long as IPv4 addresses, so the added record is called the AAAA record.