Lecture 1
Course Overview
http://web.uettaxila.edu.pk/CMS/coeCCNbsSp09/index.asp
Waleed Ejaz
waleed.ejaz@uettaxila.edu.pk
Overview
Goal of this course
Grading
Prerequisites
Tentative Schedule
Security Goals
Goal of This Course
CERT
Prerequisites
ISO/OSI reference model
TCP/IP protocol stack
Full-Duplex vs half-duplex
UTP vs Wireless
Cyclic Redundancy Check (CRC)
CRC Polynomial
Ethernet
IEEE 802 MAC Addresses
Bridging and Routing
IEEE 802.11 LAN
Prerequisites (contd.)
IP Address
Subnets
Private vs Public Addresses
Address Resolution Protocol (ARP)
Internet Control Message Protocol (ICMP)
Routing - Dijkstra's algorithm
Transport Control Protocol (TCP)
User Datagram Protocol (UDP)
TCP connection setup
TCP Checksum
Hypertext Transfer Protocol (HTTP)
Textbook
Charlie Kaufman, Radia Perlman, and Mike Speciner, "Network Security: Private Communication in a Public World," 2nd Edition, Prentice Hall, 2002, ISBN: 0130460192.
Reference Book
Course Outline
Course Overview
Security Concepts
TCP/IP Security Attacks
Secret Key Cryptography (Chapter 3)
Modes of Operation (Chapter 4)
Hashes and Message Digests (Chapter 5)
Public Key Cryptography (Chapter 6)
Authentication: Passwords, Biometrics (Chapter 10)
Kerberos (Chapter 14)
Public Key Infrastructure (Chapter 15)
IPSec (Chapter 17)
Course Outline (contd.)
Internet Key Exchange (IKE) (Chapter 18)
Web Security: SSL/TLS (Chapter 19)
Email Security: PGP (Chapter 22)
Firewalls (Chapter 23)
VPNs
DNS Security
Network Access Controls: AAA
Wireless Security
Intrusion Detection
DMZ (LAN->WAN)
Grading
Assignments 0%
Quizzes 15%
Research Paper 15%
MID 20%
Final Exam 50%
Term Project
A survey paper on a network security topic
Wireless Network Security
Project Schedule
Office Hours
FAQs
Quiz 0: Prerequisites
True or False?
1. Subnet mask of 255.255.255.254 will allow 254 nodes on the LAN.
2. Time to live (TTL) of 8 means that the packet can travel at most 8 hops.
3. IP Address 128.256.210.12 is an invalid IP address.
4. CRC Polynomial x^32 + x^15 + 1 will produce a 32-bit CRC.
5. A DHCP server is required for dynamic IP address assignment.
6. DNS helps translate a name to a MAC address.
7. Port 80 is used for FTP.
8. IPv6 addresses are 32 bits long.
9. The new connection setup message in TCP contains a SYN flag.
10. 192.168.0.1 is a public address.
Marks = Correct Answers _____ - Incorrect Answers _____ = ______
Quiz 0: Prerequisites (Solution)
True or False?
1. Subnet mask of 255.255.255.254 will allow 254 nodes on the LAN. False
2. Time to live (TTL) of 8 means that the packet can travel at most 8 hops. True
3. IP Address 128.256.210.12 is an invalid IP address. True
4. CRC Polynomial x^32 + x^15 + 1 will produce a 32-bit CRC. True
5. A DHCP server is required for dynamic IP address assignment. True
6. DNS helps translate a name to a MAC address. False
7. Port 80 is used for FTP. False
8. IPv6 addresses are 32 bits long. False
9. The new connection setup message in TCP contains a SYN flag. True
10. 192.168.0.1 is a public address. False
Marks = Correct Answers _____ - Incorrect Answers _____ = ______
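The quiz's address, subnet and CRC questions worked out by computation, as an added example that is not part of the lecture; the functions generalise to any mask, address or polynomial string, and the question numbers in the comments refer to Quiz 0 above.

```python
# Added example (not from the lecture): Quiz 0's subnet, address and CRC
# statements checked by computation rather than recall. Works for any
# dotted-decimal mask, any address string and any polynomial string.
import ipaddress
import re


def usable_hosts(mask):
    """Host addresses a dotted-decimal mask leaves for nodes, under the classic
    rule that the network and broadcast addresses are reserved (Q1)."""
    prefix = ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen
    return max(2 ** (32 - prefix) - 2, 0)


def is_valid_ipv4(text):
    """Four dotted decimal octets, each 0..255, no leading-zero forms (Q3)."""
    parts = text.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and str(int(p)) == p and 0 <= int(p) <= 255 for p in parts)


def crc_width(poly):
    """Width of the CRC a generator polynomial produces, i.e. its degree (Q4).
    Accepts 'x32+x15+1' (superscripts lost) as well as 'x^32+x^15+1'."""
    degrees = [int(e) for e in re.findall(r"x\^?(\d+)", poly)]
    if re.search(r"x(?![\^\d])", poly):   # a bare 'x' term has degree 1
        degrees.append(1)
    return max(degrees, default=0)


def is_public(ip):
    """Public means not in a reserved range such as RFC 1918 space (Q10)."""
    return not ipaddress.ip_address(ip).is_private


def quiz_answers():
    """True/False verdicts for the quiz statements this module can compute."""
    return {
        1: usable_hosts("255.255.255.254") == 254,
        3: not is_valid_ipv4("128.256.210.12"),
        4: crc_width("x32+x15+1") == 32,
        8: ipaddress.IPv6Address.max_prefixlen == 32,   # IPv6 is 128 bits wide
        10: is_public("192.168.0.1"),
    }
```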
Network Security
Lecture 1
TCP/IP Security Attacks
Overview
TCP Segment Format, Connection Setup, Disconnect
IP: Address Spoofing, Covert Channel, Fragment Attacks, ARP, DNS
TCP Flags: Syn Flood, Ping of Death, Smurf, Fin
UDP Flood Attack
Connection Hijacking
Application: E-Mail, Web spoofing
Security Goals
Confidentiality: needs access control and cryptography; also covers concealing the existence of data
Integrity: no change to content or source; prevention mechanisms and detection mechanisms
Availability: denial of service attacks
Confidentiality, Integrity and Availability (CIA)
Security Attacks
[Figure: taxonomy of security attacks; only the labels "Repudiation" and "Threat to Integrity" survived extraction]
Passive Versus Active Attacks
[Figure: passive versus active attacks on messages between Alice and Bob]
Categorization of passive and active attacks
Attack            Passive/Active   Threatens
Snooping          Passive          Confidentiality
Traffic Analysis
TCP segment format
20 to 60 byte header
Connection establishment using three-way handshaking
A SYN segment cannot carry data, but it consumes one sequence number.
A SYN + ACK segment cannot carry data, but does consume one sequence number.
An ACK segment, if carrying no data, consumes no sequence number.
Connection termination using three-way handshaking
The FIN segment consumes one sequence number if it does not carry data.
The FIN + ACK segment consumes one sequence number if it does not carry data.
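The sequence-number rules of the two slides above, as an added example that is not from the lecture: a small Python model of the three-way handshake and the FIN exchange. The endpoint names, the initial sequence numbers and the accept-or-discard rule at the receiver are this example's own assumptions.

```python
# Added example (not from the lecture): sequence-number accounting for the
# three-way handshake and the FIN exchange. Rules modelled: SYN and FIN each
# consume one sequence number, an ACK-only segment consumes none, and data
# consumes one number per byte. Endpoint names and ISNs are constructed.
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    isn: int                            # initial sequence number (constructed)
    snd_nxt: int = field(init=False)    # next sequence number this side sends
    rcv_nxt: int = 0                    # next number expected from the peer

    def __post_init__(self):
        self.snd_nxt = self.isn


def send(src, dst, syn=False, fin=False, ack=False, data=b""):
    """Deliver one segment from src to dst and record the receiver's verdict."""
    seg = {"from": src.name, "seq": src.snd_nxt, "syn": syn, "fin": fin,
           "ack_num": src.rcv_nxt if ack else None, "len": len(data)}
    consumed = len(data) + int(syn) + int(fin)
    src.snd_nxt += consumed
    if syn:                             # a SYN announces the sender's ISN
        dst.rcv_nxt = seg["seq"]
    # The receiver accepts only a segment that starts at the number it expects
    # and discards anything else (the behaviour the hijacking slide builds on).
    seg["accepted"] = seg["seq"] == dst.rcv_nxt
    if seg["accepted"]:
        dst.rcv_nxt += consumed
    return seg


def three_way_handshake(client, server):
    return [send(client, server, syn=True),             # SYN: uses 1 number
            send(server, client, syn=True, ack=True),   # SYN+ACK: uses 1
            send(client, server, ack=True)]             # ACK alone: uses 0


def close(client, server):
    return [send(client, server, fin=True, ack=True),   # FIN: uses 1 number
            send(server, client, fin=True, ack=True),   # FIN+ACK: uses 1
            send(client, server, ack=True)]             # final ACK: uses 0


if __name__ == "__main__":
    c, s = Endpoint("client", 1000), Endpoint("server", 5000)
    for seg in three_way_handshake(c, s) + [send(c, s, data=b"hello")] + close(c, s):
        print(seg)
```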
IP Address Spoofing
Send requests to the server with someone else's (X's) IP address. The response is received at X and discarded. Both X and the server can be kept busy ⇒ DoS attack.
TCP Flags
Invalid combinations
SYN Flood
A sends a SYN request with the IP address of X to server V.
V sends a SYN+ACK to X.
X discards the SYN+ACK, leaving a half-open connection at V.
Many such half-open connections exhaust resources at V ⇒ DoS
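Detection logic for the half-open build-up the slide describes, as an added example that is not from the lecture: it parses constructed rows in the layout of `netstat -n` and flags local sockets holding many SYN_RECV entries. The threshold, the sample addresses and the spoof heuristic are assumptions of this example.

```python
# Added example (not from the lecture): flag the half-open connection build-up
# of a SYN flood from constructed `netstat -n` style rows
# (proto, recv-q, send-q, local, foreign, state). Threshold and heuristic are ours.
from collections import Counter

NETSTAT_SAMPLE = """\
tcp   0  0 10.0.0.5:80   10.0.0.20:51514    ESTABLISHED
tcp   0  0 10.0.0.5:80   10.0.0.21:40122    ESTABLISHED
tcp   0  0 10.0.0.5:22   10.0.0.21:40130    ESTABLISHED
tcp   0  0 10.0.0.5:80   203.0.113.11:1025  SYN_RECV
tcp   0  0 10.0.0.5:80   203.0.113.12:1025  SYN_RECV
tcp   0  0 10.0.0.5:80   203.0.113.13:1025  SYN_RECV
tcp   0  0 10.0.0.5:80   203.0.113.14:1025  SYN_RECV
tcp   0  0 10.0.0.5:80   203.0.113.15:1025  SYN_RECV
tcp   0  0 10.0.0.5:80   203.0.113.16:1025  SYN_RECV
"""


def parse_netstat(text):
    """Return one dict per TCP row: local socket, foreign address, state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "tcp":
            rows.append({"local": parts[3],
                         "src": parts[4].rsplit(":", 1)[0],
                         "state": parts[5]})
    return rows


def syn_flood_alerts(rows, half_open_threshold=5):
    """Flag local sockets holding at least half_open_threshold half-open
    (SYN_RECV) connections. A spoofed source (X on the slide) never completes
    the handshake, so many distinct sources each holding exactly one half-open
    entry is the pattern this heuristic marks as spoof-suspected."""
    half_open = [r for r in rows if r["state"] == "SYN_RECV"]
    alerts = []
    for local, n in Counter(r["local"] for r in half_open).items():
        if n < half_open_threshold:
            continue
        sources = Counter(r["src"] for r in half_open if r["local"] == local)
        established = sum(1 for r in rows
                          if r["local"] == local and r["state"] == "ESTABLISHED")
        alerts.append({"local": local, "half_open": n, "established": established,
                       "distinct_sources": len(sources),
                       "spoof_suspected": max(sources.values()) == 1})
    return alerts
```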
Ping of Death
Smurf
Fin
Connection Hijacking
H sends packets to server X, which increments the sequence number at X.
All further packets from V are discarded at X.
Responses to the packets from H are sent to V, confusing it.
Address Resolution Protocol
ARP: Address Resolution Protocol
Mapping from IP addresses to MAC addresses
[Figure: ARP request and reply on the 192.168.0.x LAN, hosts .1 to .5; the reply returns the MAC address (example MACs shown: 08:00:20:03:F6:42 and 00:00:C0:C2:9B:26) for the requested IP address]
DNS Spoofing
Email Spoofing
The From address is spoofed.
A malware attachment appears to come from a friendly address.
From: God@heavens.com
Web Spoofing
Summary
1. TCP port numbers, sequence numbers, ACK, flags
2. IP addresses are easy to spoof. ARP and DNS are not secure.
3. Flags: SYN Flood, Ping of Death, Smurf, FIN, Connection Hijacking
4. UDP Flood Attack
5. Application addresses are not secure
Lab Home Work 1: Gathering Information
Learn about ipconfig, ping, arp, nslookup, whois, tracert, netstat, route, and the hosts file.
1. Find the IP addresses of www.google.com.
2. Modify the hosts file to map www.google.com to 128.252.166.33 and do a Google search. Remove the modification to the hosts file and repeat.
3. Find the domain name of 128.272.165.7 (reverse the address and add .in-addr.arpa).
4. Find the owner of the www.google.com domain.
5. Find the route from your computer to www.google.com.
6. Find the MAC address of your computer.
7. Print your ARP cache table. Find a server on your local network. Change its ARP entry in your computer to point to your computer's MAC address. Print the new ARP cache table. Now use the service and see what happens.
8. Print your routing table and explain each line (up to line #20 if there are too many).
9. What is the number of packets sent with "destination unreachable"?
10. Find the location of 128.252.166.33 (use www.ipaddresslocation.org).
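ARP cache monitoring for lab task 7 and for the ARP slide above, as an added example that is not part of the lecture: it parses two constructed snapshots in the format printed by `arp -a` on Windows and reports entries whose MAC changed or a MAC now claimed by several IPs. The snapshot contents, the 192.168.0.5 host and the third MAC are constructed.

```python
# Added example (not from the lecture): compare two `arp -a` (Windows layout)
# snapshots of the ARP cache and report changed or shared MAC entries, the
# kind of change lab task 7 makes you observe. Both snapshots are constructed
# around the 192.168.0.x addresses and example MACs of the ARP slide.
import re
from collections import defaultdict

ARP_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

BASELINE = """\
Interface: 192.168.0.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           08-00-20-03-f6-42     dynamic
  192.168.0.2           00-00-c0-c2-9b-26     dynamic
  192.168.0.3           00-0c-29-11-22-33     dynamic
"""
CURRENT = """\
Interface: 192.168.0.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           08-00-20-03-f6-42     dynamic
  192.168.0.2           00-0c-29-11-22-33     static
  192.168.0.3           00-0c-29-11-22-33     dynamic
"""


def parse_arp(text):
    """Map each IP in an `arp -a` listing to (mac, type); MAC is lower-cased."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3))
    return table


def arp_anomalies(baseline, current):
    """Entries whose MAC changed since the baseline, plus MACs that several IPs
    now share (legitimate for some routers, so treat it as a lead, not proof)."""
    findings = []
    for ip, (mac, kind) in current.items():
        if ip in baseline and baseline[ip][0] != mac:
            findings.append({"ip": ip, "old_mac": baseline[ip][0], "new_mac": mac,
                             "type": kind, "reason": "mac changed"})
    owners = defaultdict(list)
    for ip, (mac, _) in current.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            findings.append({"mac": mac, "ips": sorted(ips), "reason": "mac shared"})
    return findings
```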
Questions!