4. Computer networking
• Need for communication between computer systems or devices
• Systems are connected via physical networks and talk to each other
using standard protocols
• Internet protocols (IP, routing protocols, etc.) are specified by the
Internet Engineering Task Force (IETF)
• Published as Requests for Comments (RFCs)
• ISO standard for worldwide communication: the Open Systems
Interconnection (OSI) reference model
Computer Security Management
Page 4
5. The OSI Reference Model (1)
• abstract description for layered communications and computer
network protocol design
• it divides network architecture into seven layers
– Application
– Presentation
– Session
– Transport
– Network
– Data-Link
– Physical Layer
• Layer: collection of conceptually similar functions that provide
services to the layer above and receive services from the layer
below
6. The OSI Reference Model (2)
• Application Layer
– interacts with software applications that implement a communicating component
– Examples: File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP),
etc.
• Presentation Layer
– establishes a context between Application Layer entities
• Session Layer
– controls the dialogues/connections (sessions) between computers
– establishes, manages and terminates the connections between the local and
remote application
• Transport Layer
– provides transparent transfer of data between end systems
– provides reliable data transfer services to the upper layers (with a
connection-oriented protocol such as TCP; UDP offers no such guarantee)
7. The OSI Reference Model (3)
• Network Layer
– provides the functional and procedural means of transferring variable length
data sequences from a source to a destination via one or more networks
– Maintains the quality of service requested by the Transport Layer
• Data Link Layer
– provides the functional and procedural means to transfer data between network
entities
– detects and possibly corrects errors that may occur in the Physical layer
• Physical Layer
– defines the electrical and physical specifications for devices
– includes the layout of pins, voltages, cable specifications, Hubs, repeaters,
network adapters, Host Bus Adapters, etc
8. The OSI Reference Model (4)
Layer          No.  Data unit  Function
Application    7    Data       Network process to application
Presentation   6    Data       Data representation and encryption
Session        5    Data       Inter-host communication
Transport      4    Segment    End-to-end connections and reliability
Network        3    Packet     Path determination and logical addressing
Data link      2    Frame      Physical addressing (MAC & LLC)
Physical       1    Bit        Media, signal and binary transmission
9. OSI Reference Model vs. TCP/IP
Layer  OSI Reference Model  TCP/IP
7      Application          Application
6      Presentation         Application
5      Session              Application
4      Transport            Transport
3      Network              Internet
2      Data link            Network access
1      Physical             Network access
10. Network devices (1)
• Network Interface Card (NIC)
– computer hardware
– designed to allow computers to communicate over a computer network
– provides physical access to a networking media and often provides a low-level
addressing system through the use of Media Access Control (MAC) addresses
• Repeater
– electronic device that receives a signal and retransmits it at a higher power level
so that the signal can cover longer distances without degradation
– Example: in most twisted-pair Ethernet configurations a repeater is required
for cable runs longer than 100 metres
11. Network devices (2)
• Hub
– contains multiple ports
– when a frame arrives on one port it is copied to all other ports of the hub for
transmission, so every attached host shares one collision domain and sees
every frame
• Example (figure): a hub connecting three workstations to the network
12. Network devices (3)
• Router
– networking device that forwards data packets between networks using headers
and forwarding tables to determine the best path to forward the packets
– works at the Internet layer of the TCP/IP model or layer 3 of the OSI model
– embedded computer system running a dedicated OS, e.g. IOS (Cisco) or JUNOS
(Juniper Networks)
• Example (figure): two LANs, each behind a router, connected to the Internet
13. Network devices (4)
• Switch
– hardware that sends traffic only to the port where it is needed
– Ethernet switch: operates at the data-link layer, learns which MAC address is
reachable through which port, and creates a separate collision domain
(segment) per switch port
• Example (figure): a switch connecting workstations A, B, C and D to the network
14. Network-based attacks
• Primary aims
– forge or steal data
– gain unauthorised access to a system
• Means
– sniffing data
– redirecting data
• Take advantage of OS vulnerabilities and exploit inherent
weaknesses of the Internet, Transport and/or Application layer of
TCP/IP
• Usually involves a sequence of preceding steps to identify a
potential vulnerability that can be exploited
– Reconnaissance
– Scanning
15. Reconnaissance phase
• Information gathering step
• the intruder tries to gather as much information about the network and
the target computer(s) as possible
• avoids raising alarms about his/her activities
• collects data regarding network settings, subnet IDs, router
configurations, host names, DNS server information, security level
settings, etc.
• Application servers are often targets of attacks
– web servers
– DNS servers
– SMTP mail servers
– etc.
16. Scanning phase
• Network scanning
– sending probing packets to the identified network-specific devices to gain
information about their configuration settings
– Example: querying the DNS server for the IP addresses of host names found
during reconnaissance
• Host scanning
– Connect to target host
– probe target machine to check if any known vulnerabilities specific to the OS are
present
– Example: using port scanning to identify services running on the host system
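The host-scanning step above, as an added example written for this page (not code from the lecture): a TCP connect scan that reports each port as open, closed or filtered and reads any greeting banner, which is how a service such as SMTP or SSH gives itself away. The port-to-service table is a hint only; it is an assumption of this example, since a service can listen on any port. Only scan hosts you are authorised to test; the run at the bottom targets the local machine.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Hint only (assumed mapping for this example): a service can listen on any
# port, so a banner or a protocol probe is needed to identify what really runs.
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


def probe(host, port, timeout=0.5):
    """TCP connect probe for one port.

    Completes the full three-way handshake (so the target logs a real
    connection), then reads up to 128 bytes to catch servers that greet the
    client with a banner. Returns (state, banner) with state one of
    "open", "closed" (RST received) or "filtered" (no answer at all).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed", b""          # RST came back: nothing listening
        except (socket.timeout, OSError):
            return "filtered", b""        # dropped by a firewall or host unreachable
        try:
            banner = s.recv(128)
        except (socket.timeout, OSError):
            banner = b""                  # open, but the server expects the client to speak first
        return "open", banner


def scan(host, ports, timeout=0.5, workers=32):
    """Probe the given ports concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, probe(host, p, timeout)), ports))


def summarise(results):
    """One line per open port: port, guessed service name, banner text."""
    lines = []
    for port, (state, banner) in sorted(results.items()):
        if state == "open":
            name = WELL_KNOWN.get(port, "unknown")
            text = banner.decode("ascii", "replace").strip() or "(no banner)"
            lines.append(f"{port}/tcp open  {name:8s} {text}")
    return lines


if __name__ == "__main__":
    # Scans the local machine only; scanning other hosts needs authorisation.
    for line in summarise(scan("127.0.0.1", range(1, 1025))):
        print(line)
```

A connect scan is the noisiest form of port scan because every open port sees a completed connection; it is used here because it needs no raw sockets or privileges.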
17. Attacks (1)
• Sniffing
• IP address spoofing
• Man-in-the-middle attack
• Denial-of-service attack (DoS)
– SYN flooding
– Smurf attack
– Distributed Denial of Service attack (DDoS)
19. Sniffing (1)
• computer software or hardware (a sniffer) intercepts and
logs traffic passing over a digital network (eavesdropping)
• works at the data-link layer (network access layer of TCP/IP, layer 2 of OSI)
• as data streams flow across the network, the sniffer captures each
frame and decodes and analyses its content layer by layer according to
the appropriate specifications, e.g. the RFCs
• not only done by criminals: legally used by network administrators,
e.g. for fault detection
• In the UK: monitoring network traffic is lawful only with explicit
permission from the responsible network administrator
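The layer-by-layer decoding just described, and the frame / packet / segment data units from the OSI table earlier, as an added example that is not part of the lecture: a minimal decoder that peels an Ethernet frame into its IPv4 packet and TCP segment with `struct`, the same thing tcpdump or Wireshark do for each captured frame. The sample frame is constructed inline (an HTTP request line from 10.0.0.5 to 10.0.0.9 with two trailer bytes); the addresses, ports and zeroed checksums are assumptions of the example, and checksums are not verified.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


@dataclass
class Frame:          # layer 2 data unit
    dst_mac: str
    src_mac: str
    ethertype: int
    payload: bytes


@dataclass
class Packet:         # layer 3 data unit
    src_ip: str
    dst_ip: str
    protocol: int
    ttl: int
    payload: bytes


@dataclass
class Segment:        # layer 4 data unit
    src_port: int
    dst_port: int
    flags: int
    payload: bytes


def parse_ethernet(raw):
    """Ethernet II header: 6-byte destination, 6-byte source, 2-byte EtherType."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return Frame(mac(dst), mac(src), ethertype, raw[14:])


def parse_ipv4(raw):
    """IPv4 header (RFC 791). Total length bounds the payload, which drops
    any Ethernet trailer padding that follows the datagram."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = fields[0] >> 4, (fields[0] & 0x0F) * 4
    total_len, ttl, proto, src, dst = fields[2], fields[5], fields[6], fields[8], fields[9]
    if version != 4 or ihl < 20 or len(raw) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    end = min(total_len, len(raw))
    ip = lambda b: ".".join(str(x) for x in b)
    return Packet(ip(src), ip(dst), proto, ttl, raw[ihl:end])


def parse_tcp(raw):
    """TCP header (RFC 793): data offset gives the header length in 32-bit words."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or len(raw) < data_offset:
        raise ValueError("malformed TCP header")
    return Segment(src_port, dst_port, off_flags & 0x1FF, raw[data_offset:])


def decode_frame(raw):
    """Decode one captured frame; returns (frame, packet or None, segment or None)."""
    frame = parse_ethernet(raw)
    packet = parse_ipv4(frame.payload) if frame.ethertype == ETHERTYPE_IPV4 else None
    segment = parse_tcp(packet.payload) if packet and packet.protocol == PROTO_TCP else None
    return frame, packet, segment


def build_sample_frame():
    """Constructed sample (not a real capture): TCP PSH/ACK with an HTTP request
    line, 10.0.0.5:40000 -> 10.0.0.9:80, plus two trailer bytes. Checksums are 0."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x018, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64,
                     PROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + ip + tcp + payload + b"\x00\x00"


SAMPLE_FRAME = build_sample_frame()

if __name__ == "__main__":
    for unit in decode_frame(SAMPLE_FRAME):
        print(unit)
```

Every header field is read with an explicit length check first: a sniffer sees whatever is on the wire, including truncated or deliberately malformed frames, and a decoder that trusts the length fields is itself a target.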
20. Sniffing (2)
• the sniffer needs to be placed inside the network
• when nodes are connected to a hub: easy to monitor traffic, since the hub
copies every frame to every port
• when nodes are connected to a switch port rather than a hub, the
sniffer only sees broadcasts and frames addressed to its own port, because
the switch forwards known unicast frames to the destination port alone
• Exception: when a network switch with a so-called monitoring port
(mirror or SPAN port) is in use, it is easy to monitor all data packets in a LAN
• Caveat: a switch is not a complete defence against sniffing; an attacker
on the LAN can still redirect traffic to itself, e.g. by ARP spoofing or by
overflowing the switch's MAC address table so that it floods like a hub
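The difference between hub, switch and monitor port stated above, as an added example written for this page (not code from the lecture): a small simulation of a hub, a learning switch and a switch with a mirror port, reporting which frames a sniffer on a given port would capture. The MAC addresses, port numbers and the four-frame exchange are constructed for the example; ARP spoofing and table overflow are not modelled.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeater with several ports: a frame arriving on one port is copied to
    every other port, so any attached host (or sniffer) sees all traffic."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return sorted(p for p in self.ports if p != in_port)


class Switch:
    """Learning switch: remembers the port each source MAC was seen on and
    sends known unicast frames to that port only. Unknown or broadcast
    destinations are flooded to all host ports, like a hub. The optional
    monitor (mirror/SPAN) port gets a copy of every frame regardless."""

    def __init__(self, ports, monitor_port=None):
        self.ports = list(ports)          # host-facing ports
        self.monitor_port = monitor_port  # must not be one of `ports`
        self.mac_table = {}               # MAC address -> port it was last seen on

    def forward(self, in_port, src_mac, dst_mac):
        self.mac_table[src_mac] = in_port             # learn from the source address
        out_port = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            out = {p for p in self.ports if p != in_port}   # flood
        elif out_port == in_port:
            out = set()                                    # destination sits on the ingress port
        else:
            out = {out_port}                               # known unicast: one port only
        if self.monitor_port is not None:
            out.add(self.monitor_port)
        return sorted(out)


# Constructed scenario: host A on port 1, host B on port 2, sniffer on port 4.
A, B = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
EXCHANGE = [            # (ingress port, source MAC, destination MAC)
    (1, A, B),          # first frame: B unknown to a switch, so it is flooded
    (2, B, A),          # reply: A already learned on port 1
    (1, A, B),          # B now learned on port 2
    (1, A, BROADCAST),  # broadcasts always reach every port
]


def frames_seen_by(device, sniffer_port, exchange=EXCHANGE):
    """Return the (src, dst) pairs a sniffer on `sniffer_port` would capture."""
    return [(src, dst) for in_port, src, dst in exchange
            if sniffer_port in device.forward(in_port, src, dst)]


if __name__ == "__main__":
    print("hub           ", len(frames_seen_by(Hub([1, 2, 3, 4]), 4)), "of", len(EXCHANGE))
    print("switch        ", len(frames_seen_by(Switch([1, 2, 3, 4]), 4)), "of", len(EXCHANGE))
    print("switch+mirror ", len(frames_seen_by(Switch([1, 2, 3], monitor_port=4), 4)), "of", len(EXCHANGE))
```

On the plain switch the sniffer captures only the first frame (flooded because the destination was not yet learned) and the broadcast; once the MAC table knows both hosts, the A-B conversation is invisible on port 4 until the traffic is mirrored there.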
21. Sniffing (3)
• Legally used for:
– Analyse network problems
– Detect network intrusion attempts
– Gain information for effecting a network intrusion
– Monitor network usage
– Gather and report network statistics
– Filter suspect content from network traffic
– Debug client/server communications
– Debug network protocol implementations
• Criminal use:
– Spy on other network users and collect sensitive information, e.g. passwords
– Reverse engineer protocols used over the network
22. Sniffing (4)
• Sniffers are usually software-based
• tcpdump
– common packet sniffer on UNIX-like systems
– runs from the command line
– allows the user to intercept and display TCP/IP and other packets being
transmitted or received over a network to which the computer is attached
• Wireshark
– free, open-source tool
– available for a wide range of OSs, including Linux, Mac OS, MS Windows, etc.
– similar to tcpdump but offers a graphical user interface
– More information: www.wireshark.org
• Commercial tools
– e.g. Microsoft Network Monitor, NetScout, etc.
23. Sniffing (5)
• Hardware network sniffers: Network Taps
• Network Tap
– hardware device for monitoring the network traffic between two points in the
network
– has at least three ports: A port, a B port, and a monitor port
– To place the Tap between points A and B, the network cable between point A
and point B is replaced with a pair of cables, one going to the Tap's A port, one
going to the Tap's B port
– The Tap passes through all traffic between A and B, so A and B still think they
are connected to each other, but the Tap also copies the traffic between A and B
to its monitor port, enabling a third party to listen
• Problem: expensive to monitor all data in a 10 Gbit/s network
• Solution: use a filterable Tap that forwards only the selected traffic
(by application, VLAN, etc.) to a 1 Gbit/s port for deep analysis and monitoring
24. Next week …
… we will continue looking at network-based attacks