ITP 457 Network Security. Networking Technologies III: IP, Subnets & NAT

Internet Protocol (IP)
• IP handles end-to-end delivery
• Most commonly used network layer protocol
• All traffic on the internet uses IP

Internet Protocol (IP)
• Upon receiving a packet from the Transport layer, the IP layer generates a header
• Header includes: source and destination IP addresses
• Header is added to the front of the TCP packet to create the resulting IP packet
• Purpose of IP is to carry packets end to end across a network

IP header (diagram): Source IP address | Destination IP address | Data

IP addresses
• Identify each individual machine on the internet
• 32 bits in length
• Hackers attempt to determine all IP addresses in use on a target network: “network mapping”
• Hackers generate bogus packets appearing to come from a given IP address: “IP address spoofing”

IP Addresses in depth
• 32 bits, with 8-bit groupings
• E.g. 192.168.0.1
• Each number between the dots can be between 0 and 255
• 4 billion combinations
  • Not really
• Allocated in groups called address blocks
• 3 sizes, based on the class of the address
  • Class A, Class B, and Class C
Class A Addresses
• Giant organizations
• There are no more available
• All IP addresses are of the form 0–126.x.x.x, where x can be between 0 and 255
• The first octet is assigned to the owner, with the rest being freely distributable to the nodes
• Has a 24-bit address space
• Uses up to half of the total IP addresses available!!!
• Who owns these???
  • Internet Service Providers
  • Large internet companies: Google, CNN, WB

Class B Addresses
• Large campuses or organizations
  • Example: colleges, including USC
• These are running out!!!
• All Class B addresses are of the form 128–191.x.x.x, where x can take any number between 0 and 255
• The first two octets are assigned to the address block owner, with the last two being freely distributable
  • Example: 128.125.x.x USC
  • Example: 169.232.x.x UCLA
• 16-bit address space
• ¼ of all IP addresses belong to Class B addresses

Class C Addresses
• Small to mid-sized businesses
• A fair number left
• All Class C addresses have the following format: 192–223.x.x.x
• The first three octets are assigned, with the last being freely distributable
• Only 253 distributable addresses within a Class C address

Reserved Addresses
• Private networks (no public connections)
  • 10.x.x.x
  • 172.16.x.x
  • 192.168.x.x
• 127.x.x.x: local network (loopback)
• 255.255.255.255: broadcast, sends to everyone on the network

Netmasks
• IP address has 2 components
  • Network address
  • Host address
• Determined by the address and the class of the address
• Example (Class C):
  • IP Address: 192.168.3.16
  • Network address: 192.168.3
  • Host address: 16
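The classful rules on the preceding slides (first-octet ranges for classes A, B and C, the reserved private, loopback and broadcast ranges, and the network/host split from the netmask example) as working code. This is an added example for this page, not code from the course; the class ranges are the ones the slides state, and the 172.16.x.x private block is widened here to the RFC 1918 size of 172.16.0.0/12.

```python
"""Classful IPv4 address helpers: address class, reserved ranges, and the
network/host split from the slides' netmask example.

Added example for this lecture page, not code from the course. The class
ranges are the ones the slides give (A: first octet 0-126, B: 128-191,
C: 192-223); the reserved ranges are the ones on the "Reserved Addresses"
slide, with the 172.16 block widened to the RFC 1918 size of 172.16.0.0/12.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# First-octet ranges for each class, as stated on the slides.
CLASS_RANGES: Dict[str, Tuple[int, int]] = {
    "A": (0, 126),
    "B": (128, 191),
    "C": (192, 223),
}

# Number of leading bits assigned to the block owner; the rest is host space.
CLASS_PREFIX: Dict[str, int] = {"A": 8, "B": 16, "C": 24}

RESERVED: Dict[str, list] = {
    "private": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),   # slide says 172.16.x.x; the RFC 1918 block is a /12
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "broadcast": [ipaddress.ip_network("255.255.255.255/32")],
}


def address_class(ip: str) -> Optional[str]:
    """Return 'A', 'B' or 'C' from the first octet, or None when the
    address falls outside those ranges (127.x.x.x, 224.x.x.x and up)."""
    first_octet = int(ipaddress.ip_address(ip)) >> 24
    for cls, (low, high) in CLASS_RANGES.items():
        if low <= first_octet <= high:
            return cls
    return None


def reserved_kind(ip: str) -> Optional[str]:
    """Return 'private', 'loopback' or 'broadcast' for the slide's reserved
    ranges, or None for a publicly routable address."""
    addr = ipaddress.ip_address(ip)
    for kind, networks in RESERVED.items():
        if any(addr in net for net in networks):
            return kind
    return None


def classful_netmask(ip: str) -> str:
    """Dotted netmask implied by the address class (255.0.0.0 for A, ...)."""
    cls = address_class(ip)
    if cls is None:
        raise ValueError(f"{ip} is not a class A, B or C address")
    return str(ipaddress.ip_network(f"0.0.0.0/{CLASS_PREFIX[cls]}").netmask)


def split_network_host(ip: str) -> Tuple[str, str]:
    """Split the dotted address into (network part, host part) at the
    classful boundary, e.g. 192.168.3.16 -> ('192.168.3', '16')."""
    cls = address_class(ip)
    if cls is None:
        raise ValueError(f"{ip} is not a class A, B or C address")
    octets = ip.split(".")
    assigned = CLASS_PREFIX[cls] // 8
    return ".".join(octets[:assigned]), ".".join(octets[assigned:])


def describe(ip: str) -> Dict[str, Optional[str]]:
    """Summary of everything the slides say about one address."""
    cls = address_class(ip)
    network, host = split_network_host(ip) if cls else (None, None)
    return {
        "address": ip,
        "class": cls,
        "netmask": classful_netmask(ip) if cls else None,
        "network": network,
        "host": host,
        "reserved": reserved_kind(ip),
    }


if __name__ == "__main__":
    # Constructed sample addresses, including the slides' own 192.168.3.16 and 128.125.x.x.
    for sample in ("192.168.3.16", "128.125.1.2", "10.5.6.7", "127.0.0.1", "224.0.0.1"):
        print(describe(sample))
```

Note that 10.x.x.x is both a class A block and a private range, so `describe("10.5.6.7")` reports class A and reserved kind "private" at the same time; the two classifications are independent questions about an address.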
Packet Fragmentation
• Various transmission media have different characteristics
• Some require short packets, others require longer packets
  • E.g. satellite: longer packets
  • Local LAN: shorter packets

Packet Fragmentation
• To optimize packet lengths for various communication links, IP offers network elements (routers and firewalls) the ability to slice up packets into smaller pieces, a process called fragmentation
• The end system’s IP layer is responsible for reassembling all fragments
• Hackers use packet fragmentation to avoid being detected by Intrusion Detection Systems
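Fragmentation and reassembly as the two slides describe them, in code: a router-side function splits a datagram to fit a link MTU, and an end-host reassembler puts the pieces back together. The reassembler also refuses overlapping fragments, which is the check an Intrusion Detection System needs so that a fragmented stream cannot be read one way by the sensor and another way by the destination host. This is an added example for this page, not code from the course; the addresses, identification value, MTU and payload are constructed for the demo.

```python
"""IPv4 fragmentation and reassembly with overlap rejection.

Added example for this lecture page, not code from the course. A router
fragments a datagram to fit the next link's MTU; the end host's IP layer
reassembles it. The reassembler here refuses overlapping fragments rather
than picking one of the two readings. Addresses, the identification value
and the payload are constructed for the demo.
"""
import struct
from typing import List, Tuple

IP_HDR_LEN = 20
IP_HDR_FMT = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, id, flags+offset, TTL, proto, csum, src, dst
MORE_FRAGMENTS = 0x2000        # MF bit inside the 16-bit flags/offset field
OFFSET_MASK = 0x1FFF           # fragment offset, counted in 8-byte units


def header_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum over 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragment(src: bytes, dst: bytes, ident: int, offset_units: int,
                   more: bool, data: bytes, proto: int = 17) -> bytes:
    """Build one IPv4 packet (no options) carrying `data` at the given offset."""
    flags_offset = (MORE_FRAGMENTS if more else 0) | (offset_units & OFFSET_MASK)
    header = struct.pack(IP_HDR_FMT, 0x45, 0, IP_HDR_LEN + len(data), ident,
                         flags_offset, 64, proto, 0, src, dst)
    header = header[:10] + struct.pack("!H", header_checksum(header)) + header[12:]
    return header + data


def fragment(src: bytes, dst: bytes, ident: int, payload: bytes, mtu: int) -> List[bytes]:
    """Split `payload` into packets no larger than `mtu`; every fragment except
    the last carries a multiple of 8 data bytes because offsets count in 8s."""
    max_data = (mtu - IP_HDR_LEN) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small to carry any data")
    packets = []
    for start in range(0, len(payload), max_data):
        chunk = payload[start:start + max_data]
        more = start + max_data < len(payload)
        packets.append(build_fragment(src, dst, ident, start // 8, more, chunk))
    return packets


def parse_fragment(packet: bytes) -> Tuple[int, int, bool, bytes]:
    """Return (ident, byte offset, more_fragments, data) after verifying the checksum."""
    if len(packet) < IP_HDR_LEN:
        raise ValueError("truncated packet")
    header = packet[:IP_HDR_LEN]
    if header_checksum(header) != 0:          # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    fields = struct.unpack(IP_HDR_FMT, header)
    total_len, ident, flags_offset = fields[2], fields[3], fields[4]
    data = packet[IP_HDR_LEN:total_len]
    return ident, (flags_offset & OFFSET_MASK) * 8, bool(flags_offset & MORE_FRAGMENTS), data


def reassemble(packets: List[bytes]) -> bytes:
    """Reassemble the fragments of one datagram, in any arrival order.
    Overlaps, gaps, a missing final fragment and data after the final
    fragment are all rejected instead of being silently resolved."""
    pieces = sorted((parse_fragment(p) for p in packets), key=lambda piece: piece[1])
    if not pieces:
        raise ValueError("no fragments")
    if len({piece[0] for piece in pieces}) != 1:
        raise ValueError("fragments belong to different datagrams")
    assembled = bytearray()
    expected_offset = 0
    last = len(pieces) - 1
    for index, (_, offset, more, data) in enumerate(pieces):
        if offset < expected_offset:
            raise ValueError(f"overlapping fragment at offset {offset}")
        if offset > expected_offset:
            raise ValueError(f"gap before offset {offset}")
        if more and index == last:
            raise ValueError("final fragment missing")
        if not more and index != last:
            raise ValueError("data after the final fragment")
        assembled += data
        expected_offset += len(data)
    return bytes(assembled)


def overlap_is_rejected(packets: List[bytes], rogue: bytes) -> bool:
    """True when adding `rogue` (a fragment re-covering bytes already seen)
    makes reassembly fail with an overlap error."""
    try:
        reassemble(packets + [rogue])
    except ValueError as err:
        return "overlapping" in str(err)
    return False


# Constructed demo values (not from the lecture).
SRC = bytes([192, 168, 3, 16])
DST = bytes([10, 0, 0, 1])
PAYLOAD = bytes(range(256)) * 4          # a 1024-byte datagram
FRAGMENTS = fragment(SRC, DST, 7, PAYLOAD, mtu=576)

if __name__ == "__main__":
    print(len(FRAGMENTS), "fragments; round trip ok:", reassemble(FRAGMENTS) == PAYLOAD)
    rogue = build_fragment(SRC, DST, 7, 0, True, b"\x00" * 8)
    print("overlap rejected:", overlap_is_rejected(FRAGMENTS, rogue))
```

With a 576-byte MTU the 1024-byte datagram becomes two fragments of 552 and 472 data bytes; feeding them back in reverse order still reassembles correctly, while a third fragment that re-covers offset 0 is refused.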
Lack of Security in IP
• IP version 4 does not include any security
• All components of packets are in clear text; nothing is encrypted
• Anything in the header or data segment can be viewed or modified by the hacker
  • TCP/UDP hijacking
  • “Man-in-the-middle” attack

ICMP
• ICMP: Internet Control Message Protocol
• It is the network plumber
• Its job is to transmit command and control information between networks and systems

ICMP examples
• “ping” request = ICMP Echo message
• If the “pinged” system is alive it will respond with an ICMP Echo Reply message
• Try pinging
  • www.google.com
  • www.yahoo.com
  • www.cnn.com
• Will they all work?
• Some sites have disabled ping. Why?
  • Ping-of-death: a ping that is too big
  • Ping flooding: a type of denial-of-service attack
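The ICMP messages behind "ping", and the two reasons the slide gives for sites disabling it, as code a network operator could run over captured traffic: it parses the 8-byte ICMP header that distinguishes an Echo Request (type 8) from an Echo Reply (type 0), then runs a per-source sliding window over a constructed event stream to flag a ping flood and a ping whose claimed datagram length exceeds the 65535-byte IPv4 maximum. This is an added example for this page, not code from the course; the window, threshold and sample traffic are assumptions chosen for the demo.

```python
"""ICMP Echo parsing plus a ping-flood and oversized-ping detector.

Added example for this lecture page, not code from the course. Events are
constructed tuples of (time in seconds, source IP, IP total length, ICMP
message bytes); the window size, threshold and traffic are demo choices.
"""
import struct
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPV4_MAX_TOTAL_LEN = 65535

Event = Tuple[float, str, int, bytes]


def make_echo(msg_type: int, ident: int, seq: int, data: bytes = b"") -> bytes:
    """Type, code, checksum, identifier, sequence number, then payload. The
    checksum stays zero: this example only inspects messages, it never sends."""
    return struct.pack("!BBHHH", msg_type, 0, 0, ident, seq) + data


def parse_icmp(msg: bytes) -> Dict[str, int]:
    """Decode the fixed 8-byte ICMP Echo header."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its header")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq, "data_len": len(msg) - 8}


def detect(events: List[Event], window: float = 1.0, threshold: int = 50) -> List[Tuple[str, str]]:
    """Return (alert kind, source IP) pairs in the order they are raised.
    Only Echo Requests count (replies to our own pings are ignored), and a
    source is reported at most once per alert kind."""
    alerts: List[Tuple[str, str]] = []
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    for ts, src, total_len, msg in sorted(events, key=lambda e: e[0]):
        if parse_icmp(msg)["type"] != ICMP_ECHO_REQUEST:
            continue
        # Ping of death: the datagram claims more than IPv4 can carry.
        if total_len > IPV4_MAX_TOTAL_LEN and ("oversized-ping", src) not in alerts:
            alerts.append(("oversized-ping", src))
        # Ping flood: more than `threshold` requests from one source inside `window` seconds.
        times = recent[src]
        times.append(ts)
        while times and ts - times[0] > window:
            times.popleft()
        if len(times) > threshold and ("ping-flood", src) not in alerts:
            alerts.append(("ping-flood", src))
    return alerts


def build_events() -> List[Event]:
    """Constructed traffic: a well-behaved host (plus one reply it received),
    a flood, and one request claiming an impossible datagram length."""
    events: List[Event] = []
    for i in range(5):   # one ping per second; 20 IP + 8 ICMP + 56 data = 84 bytes
        events.append((float(i), "10.0.0.6", 84, make_echo(ICMP_ECHO_REQUEST, 1, i, b"\x00" * 56)))
    events.append((2.5, "10.0.0.6", 84, make_echo(ICMP_ECHO_REPLY, 1, 2, b"\x00" * 56)))
    for i in range(200):   # 200 requests in half a second
        events.append((10.0 + i * 0.0025, "10.0.0.5", 84, make_echo(ICMP_ECHO_REQUEST, 2, i, b"\x00" * 56)))
    events.append((20.0, "10.0.0.7", 65600, make_echo(ICMP_ECHO_REQUEST, 3, 0, b"\x00" * 56)))
    return events


if __name__ == "__main__":
    for kind, src in detect(build_events()):
        print(f"{kind}: {src}")
```

The flood alert fires on the 51st request inside the one-second window, so a host that pings once a second never trips it; raising the threshold to 500 leaves only the oversized-ping alert.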
Routers and packets
• Routers
  • Transfer packets from network to network
  • They determine the path that a packet should take across the network, specifying hop by hop which network segments the packets should bounce through as they travel across the network
• Most networks use dynamic routing
  • RIP, EIGRP
  • We will be discussing these technologies later in the course

Network address translation
• NAT
• Blocks of addresses are allotted to ISPs and organizations
  • Classes of IP addresses
• What happens when we have more computers than IP addresses?
  • We have a Class C address, which allows 253 computers
  • Our organization has 1000 computers
  • What do we do???

Solution?
• Reserve a range of IP addresses to build your own IP network
  • 10.x.y.z: un-routable IP addresses
  • 172.16.y.z
  • 192.168.y.z
• How do we connect these machines to the Internet?

Network Address Translation
• Use a gateway/router to map invalid addresses to valid IP addresses
• Translates your local address to a routable address
• Router receives one IP address
• Either dynamically assigns addresses to all the nodes behind the router, or they are assigned statically using non-routable addresses
  • If dynamic, uses DHCP (Dynamic Host Configuration Protocol)
• When someone inside the network wants to access a computer outside the local network (the internet), the request is sent to the router, which uses NAT to send the request to the internet
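The NAT procedure from the last three slides as a small simulation: the gateway holds one routable address, rewrites the source of outbound packets from the un-routable 10.x, 172.16.x and 192.168.x ranges to that address plus a fresh port, and maps replies back through the same table. This is an added example for this page, not code from the course; the gateway class, the port-based (PAT) mapping and the addresses are assumptions, with 203.0.113.x and 198.51.100.x drawn from the IPv4 documentation ranges.

```python
"""Port-based NAT gateway simulation.

Added example for this lecture page, not code from the course. Packets are
(src_ip, src_port, dst_ip, dst_port) tuples; the gateway owns one public
address and distinguishes the hosts behind it by the public port it hands
out, which is how a 1000-computer organization shares a single address.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# The un-routable ranges from the "Solution?" slide (RFC 1918 sizes).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Packet = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class NatGateway:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port, dst ip, dst port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the private network; reuse an existing
        mapping for the same connection, otherwise allocate a new public port."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if not any(ipaddress.ip_address(src_ip) in net for net in PRIVATE):
            raise ValueError(f"{src_ip} is not a private address; nothing to translate")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving from the internet. Only replies to an
        existing outbound mapping get through; anything else is dropped (None),
        which is why NAT hides the internal addresses from outside hosts."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((dst_port, src_ip, src_port))
        if entry is None:
            return None
        private_ip, private_port = entry
        return (src_ip, src_port, private_ip, private_port)


def demo() -> Dict[str, object]:
    """Constructed scenario: two internal hosts using the same local port,
    a reply to one of them, and an unsolicited inbound connection attempt."""
    gw = NatGateway("203.0.113.10")
    a = gw.translate_outbound(("192.168.1.10", 51000, "198.51.100.5", 80))
    b = gw.translate_outbound(("192.168.1.11", 51000, "198.51.100.5", 80))
    a_again = gw.translate_outbound(("192.168.1.10", 51000, "198.51.100.5", 80))
    reply_b = gw.translate_inbound(("198.51.100.5", 80, b[0], b[1]))
    unsolicited = gw.translate_inbound(("198.51.100.9", 4444, "203.0.113.10", 22))
    return {"a": a, "b": b, "a_again": a_again, "reply_b": reply_b,
            "unsolicited": unsolicited, "table_size": len(gw.outbound)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both internal hosts chose local port 51000, yet the gateway keeps them apart by handing out public ports 40000 and 40001; the reply addressed to port 40001 is delivered to 192.168.1.11, and the connection attempt to port 22 with no matching table entry is dropped.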
NAT and security?
• Does NAT improve security?
• It hides internal IP addresses from the hacker
• NAT must be combined with “firewalls” for optimum security

Firewalls
• Network traffic cops
• Tools that control the flow of traffic going between networks
• By looking at the addresses associated with traffic, firewalls determine whether connections should be transmitted or dropped
• We will cover the setup and configuration of firewalls in great depth later in class