05 TCP IP Transport Applications Network Security
Agenda
Multiplexing using Ports
Error Recovery
Flow Control
Connection Establishment & Termination
Ordered Data Transfer & Data Segmentation
www.asghars.blogspot.com
TCP/IP Applications
QoS
WWW
Network Security
Firewalls & ASA
Intrusion Detection & Prevention Systems
VPN
Introduction
The OSI Transport Layer (L4) and the TCP/IP Transport Layer protocols define several functions:
Multiplexing using Ports
Error Recovery
Flow Control
Connection Establishment & Termination
Ordered Data Transfer & Data Segmentation
The two TCP/IP transport layer protocols are TCP and UDP.
TCP provides a connection-oriented and reliable service. TCP relies on IP for end-to-end delivery and routing of the data. TCP provides the following facilities:
Multiplexing Using Ports
Error Recovery
Flow Control Using Windowing
Connection Establishment & Termination
Data Segmentation & Ordered Data Transfer
The TCP header and data field together are called a TCP segment. A TCP segment can also be called an L4 PDU, because TCP is a Layer 4 protocol.
Multiplexing Using Port Numbers
Multiplexing enables the receiving computer to know which application to give the data to (e.g. the web browser, e-mail client or VoIP application). Multiplexing relies on a concept called a socket; a socket consists of:
Hosts typically allocate dynamic port numbers starting at 1024, because ports below 1024 are reserved for well-known applications. The table on the next slide lists the popular applications and their well-known ports.
Trivial File Transfer Protocol (TFTP) is a network protocol that has no authentication process, while FTP is a user/password-based protocol used to transfer data across a network. Simple Network Management Protocol (SNMP) is an application layer protocol used for network device management, e.g. by the CiscoWorks network management software product family.
To accomplish reliability, TCP numbers data bytes using the Sequence and Acknowledgment fields in the TCP header. TCP achieves reliability in both directions, using the Sequence Number field of one direction combined with the Acknowledgment field in the opposite direction. The figure shows the basic operation.
The Acknowledgment field in the TCP header sent by the web client (4000) states the next byte the client expects to receive; this is called forward acknowledgment. The Sequence and Acknowledgment fields count bytes. The figure shows the same scenario, but with the second TCP segment lost.
Flow control is achieved through the Sequence and Acknowledgment fields in the TCP header along with another field called the Window field. The Window field states the maximum number of unacknowledged bytes that are allowed to be outstanding at any instant in time. The window starts small and grows until errors occur, which is why it is sometimes called a dynamic window. Also, as the sequence and acknowledgment numbers grow over time, the window moves along the byte stream, which is why it is also sometimes called a sliding window. When the window is full, the sender does not send, which controls the flow of data.
The figure shows windowing with a current window size of 3000; each TCP segment carries 1000 bytes of data. The term Positive Acknowledgment and Retransmission (PAR) is sometimes used to describe the error recovery and windowing process.
(Figure: the sender transmits three 1000-byte segments, then waits because the window is exhausted; after the acknowledgment 4000 arrives, a new window of segments is sent.)
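To make the forward-acknowledgment and windowing figures concrete, here is an added Python simulation (not from the slides) that serves both the error-recovery scenario with a lost segment and the window-of-3000 scenario. A sender fills a window of 3000 bytes with 1000-byte segments, waits, and the receiver acknowledges the next byte it expects; when the ACK does not advance past an in-flight segment, the sender retransmits from that byte. The starting sequence number 1000, the 6000-byte transfer and the go-back-N style retransmission are assumptions chosen to match the figures.

```python
"""Simulation of TCP forward acknowledgment, windowing and retransmission
(constructed example, not the slides' own figure)."""

SEGMENT_BYTES = 1000   # each segment carries 1000 bytes, as in the figure


class Receiver:
    """Accepts in-order segments and acknowledges the next expected byte."""

    def __init__(self, first_seq=1000):
        self.next_expected = first_seq   # the forward acknowledgment value
        self.delivered = []              # sequence numbers accepted, in order

    def receive(self, seq, length):
        # Only the segment starting at the expected byte advances the ACK;
        # a later segment arriving over a gap is not acknowledged here.
        if seq == self.next_expected:
            self.delivered.append(seq)
            self.next_expected += length
        return self.next_expected        # the ACK number sent back


class Sender:
    """Sends up to `window` bytes before waiting for an acknowledgment."""

    def __init__(self, first_seq=1000, total_bytes=6000, window=3000):
        self.next_seq = first_seq
        self.end = first_seq + total_bytes
        self.window = window
        self.unacked = {}                # seq -> length of in-flight segments
        self.log = []                    # ("send"|"wait"|"resend", seq)

    def fill_window(self, lost):
        """Send segments until the window is exhausted; return those that arrive."""
        arrived = []
        while self.next_seq < self.end and sum(self.unacked.values()) < self.window:
            seq = self.next_seq
            length = min(SEGMENT_BYTES, self.end - seq)
            self.unacked[seq] = length
            self.next_seq += length
            self.log.append(("send", seq))
            if seq in lost:
                lost.discard(seq)        # the loss happens once; the resend arrives
            else:
                arrived.append((seq, length))
        self.log.append(("wait", None))  # window exhausted (or data finished)
        return arrived

    def handle_ack(self, ack):
        """Drop fully acknowledged segments; resend from `ack` if it is still in flight."""
        for seq in list(self.unacked):
            if seq + self.unacked[seq] <= ack:
                del self.unacked[seq]
        if ack in self.unacked:          # receiver still waits for this byte
            self.log.append(("resend", ack))
            self.next_seq = ack          # rewind; everything from here goes again
            for seq in list(self.unacked):
                if seq >= ack:
                    del self.unacked[seq]


def transfer(total_bytes=6000, window=3000, lost=()):
    """Run a whole transfer; `lost` lists sequence numbers dropped once in transit."""
    sender = Sender(total_bytes=total_bytes, window=window)
    receiver = Receiver()
    lost = set(lost)
    while sender.next_seq < sender.end or sender.unacked:
        arrived = sender.fill_window(lost)
        ack = receiver.next_expected
        for seq, length in arrived:
            ack = receiver.receive(seq, length)
        sender.handle_ack(ack)
    return sender.log, receiver.delivered
```

Without loss, `transfer()` sends six segments in two windows with two waits; with `transfer(lost=[2000])` the first ACK comes back as 2000, the sender resends from byte 2000 and the receiver still delivers all six segments in order.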
Connection establishment refers to the process of initializing the Sequence and Acknowledgment fields and agreeing on the port numbers used. TCP uses a 3-way connection process (the three-way handshake).
TCP signals connection establishment using 2 bits in the flags field, called SYN and ACK. SYN means "synchronize the sequence numbers".
The termination sequence uses an additional flag called the FIN bit (FIN is short for "finished").
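The establishment and termination exchanges, modelled as an added Python example that is not part of the slides: the three-way handshake sets the initial sequence numbers (each SYN consumes one sequence number, so the SYN+ACK acknowledges the client ISN plus one), and the FIN/ACK exchange walks both ends through the RFC 793 connection states. The ISNs and the reduced transition table (only the flag that signals each transition is kept) are assumptions.

```python
"""TCP connection establishment (SYN, SYN+ACK, ACK) and termination (FIN/ACK),
replayed through the RFC 793 connection states of both endpoints.
Constructed example; the ISNs and the simplified state table are assumptions."""

# (current state, "send"|"recv", flags) -> next state, used for either endpoint.
# Real segments after the handshake also carry ACK; the model keeps only the
# flag that signals the transition. Any pair not listed is an invalid exchange.
TRANSITIONS = {
    ("CLOSED", "send", "SYN"): "SYN_SENT",            # active open (client)
    ("LISTEN", "recv", "SYN"): "SYN_RECEIVED",        # passive open (server)
    ("SYN_RECEIVED", "send", "ACK+SYN"): "SYN_RECEIVED",
    ("SYN_SENT", "recv", "ACK+SYN"): "ESTABLISHED",
    ("ESTABLISHED", "send", "ACK"): "ESTABLISHED",
    ("SYN_RECEIVED", "recv", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "send", "FIN"): "FIN_WAIT_1",     # active close
    ("ESTABLISHED", "recv", "FIN"): "CLOSE_WAIT",
    ("CLOSE_WAIT", "send", "ACK"): "CLOSE_WAIT",
    ("FIN_WAIT_1", "recv", "ACK"): "FIN_WAIT_2",
    ("CLOSE_WAIT", "send", "FIN"): "LAST_ACK",
    ("FIN_WAIT_2", "recv", "FIN"): "TIME_WAIT",       # CLOSED once the 2*MSL timer expires
    ("TIME_WAIT", "send", "ACK"): "TIME_WAIT",
    ("LAST_ACK", "recv", "ACK"): "CLOSED",
}


def flag_key(flags):
    """Canonical string for a set of flags, e.g. {'SYN','ACK'} -> 'ACK+SYN'."""
    return "+".join(sorted(flags))


def handshake(client_isn, server_isn):
    """Three-way handshake as (sender, flags, seq, ack); a SYN uses one sequence number."""
    return [
        ("client", {"SYN"}, client_isn, 0),
        ("server", {"SYN", "ACK"}, server_isn, client_isn + 1),
        ("client", {"ACK"}, client_isn + 1, server_isn + 1),
    ]


def termination():
    """Client closes first: FIN, ACK from the server, FIN from the server, final ACK."""
    return [("client", {"FIN"}), ("server", {"ACK"}), ("server", {"FIN"}), ("client", {"ACK"})]


def run_exchange(segments, client_state="CLOSED", server_state="LISTEN"):
    """Replay segments through both endpoints; returns (client state, server state, trace)."""
    states = {"client": client_state, "server": server_state}
    trace = []
    for sender, flags, *_ in segments:
        receiver = "server" if sender == "client" else "client"
        key = flag_key(flags)
        for who, direction in ((sender, "send"), (receiver, "recv")):
            nxt = TRANSITIONS.get((states[who], direction, key))
            if nxt is None:
                raise ValueError(f"{who} in {states[who]} cannot {direction} {key}")
            states[who] = nxt
        trace.append((sender, key, states["client"], states["server"]))
    return states["client"], states["server"], trace
```

`run_exchange(handshake(1000, 5000))` ends with both sides ESTABLISHED; replaying `termination()` from that state leaves the client in TIME_WAIT and the server CLOSED. A segment that does not fit the current state (an ACK or FIN with no connection) raises ValueError, which is the same reason a host answers such segments with RST rather than treating them as part of a connection.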
Each data link layer protocol has a limit on the Maximum Transmission Unit (MTU). For many data link layer protocols, Ethernet included, the MTU is 1500 bytes. TCP segments large data into 1460-byte chunks (1500 bytes minus the 20-byte IP header and the 20-byte TCP header). Because IP routing can choose to balance traffic across multiple links, segments may actually be delivered out of order. The TCP receiver must perform the reassembly and reordering of the data.
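As an added Python example (not from the slides), the code below derives the 1460-byte segment size from the Ethernet MTU, splits a payload into numbered segments, and shows a receiver that buffers segments arriving out of order and releases bytes only when they are contiguous, acknowledging the next expected byte each time. The 5120-byte payload and the shuffled arrival order are constructed.

```python
"""Segmenting data to the Ethernet MSS and reassembling segments that arrive out
of order. Constructed example; the payload and arrival order are assumptions."""

MTU = 1500                           # Ethernet MTU from the slide
IP_HEADER = 20
TCP_HEADER = 20
MSS = MTU - IP_HEADER - TCP_HEADER   # 1460 bytes of data per segment

# Constructed 5120-byte payload standing in for a file download.
PAYLOAD = bytes(range(256)) * 20


def segment(data, first_seq, mss=MSS):
    """Split data into (sequence number, chunk) pairs of at most mss bytes each."""
    return [(first_seq + off, data[off:off + mss]) for off in range(0, len(data), mss)]


class ReorderingReceiver:
    """Holds out-of-order segments and releases bytes only in sequence order."""

    def __init__(self, first_seq):
        self.next_expected = first_seq   # the forward acknowledgment value
        self.pending = {}                # seq -> chunk waiting for an earlier gap
        self.delivered = bytearray()

    def receive(self, seq, chunk):
        """Accept one segment and return the ACK number to send back."""
        if seq < self.next_expected:     # duplicate of data already delivered
            return self.next_expected
        self.pending[seq] = chunk
        while self.next_expected in self.pending:   # release contiguous data
            chunk = self.pending.pop(self.next_expected)
            self.delivered.extend(chunk)
            self.next_expected += len(chunk)
        return self.next_expected


def reassemble(segments, first_seq):
    """Feed segments in the given (possibly shuffled) order; return data and the ACKs."""
    rx = ReorderingReceiver(first_seq)
    acks = [rx.receive(seq, chunk) for seq, chunk in segments]
    return bytes(rx.delivered), acks
```

With the four segments delivered in the order 3, 1, 4, 2 the ACK stays at 1461 while segment 2 is missing and jumps to 5121 once it arrives, because the buffered segments 3 and 4 are released together; the reassembled bytes equal the original payload.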
UDP provides a connectionless and unreliable service. UDP provides the following facilities:
Note that the other facilities (Error Recovery, Flow Control, Ordering of Data and Data Segmentation) are not supported by UDP. Applications that use UDP are tolerant of lost data, or they have some application-level mechanism to recover lost data; for example, VoIP, DNS and Network File System (NFS).
TCP/IP Applications
The goal of an Enterprise network is to support applications such as web browsing, e-mail, file downloads, voice and video. Applications require Quality of Service (QoS).
QoS refers to the entire topic of what an application needs from the network service. Each type of application can be analyzed in terms of its QoS requirements on the network; if the network meets those requirements, the application will work well.
Bandwidth: the maximum amount of information (in bits/second) that can be transmitted on a transmission medium.
Delay.
Jitter: the variation in delay.
Loss.
The migration of voice and video to the data network puts more pressure on the data network to deliver the required quality of network service.
For VoIP:
Bandwidth, i.e. 30 kbps.
Low delay, i.e. 200 ms (0.2 sec).
Low jitter, i.e. 30 ms (0.03 sec).
Loss: because of the delay and jitter issues there is no need to recover a lost packet; it would be useless by the time it was recovered. Lost packets can sound like a break in the sound of a VoIP call.
Video over IP has the same performance issues, except that video requires more bandwidth (i.e. 300/400 kbps to 3/10 Mbps). Routers and switches can be configured with a variety of QoS tools.
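To show how the delay, jitter and loss figures above are measured and checked, here is an added Python example (not from the slides) that computes one-way delay, jitter as the variation in delay, and loss from per-packet timestamps, then compares them with the VoIP limits of 200 ms delay and 30 ms jitter. The two ten-packet streams are constructed: one steady, one with bursty delay.

```python
"""Checking a voice packet stream against the VoIP requirements above (delay,
jitter, loss). Constructed example; the timestamps are invented, not a capture."""
from statistics import mean

# Limits taken from the slide: delay at most 200 ms, jitter at most 30 ms.
VOIP_LIMITS = {"delay_ms": 200.0, "jitter_ms": 30.0}

# Constructed send/arrival times in seconds for ten 20 ms voice packets.
# None marks a packet that never arrived (loss).
SENT = [0.000, 0.020, 0.040, 0.060, 0.080, 0.100, 0.120, 0.140, 0.160, 0.180]
ARRIVED_STEADY = [0.050, 0.072, 0.089, None, 0.131, 0.152, 0.168, 0.195, 0.210, 0.229]
ARRIVED_BURSTY = [0.050, 0.140, 0.062, 0.160, 0.100, 0.220, 0.142, 0.260, 0.185, 0.300]


def flow_metrics(sent, arrived):
    """Worst one-way delay, mean jitter and loss percentage for one stream."""
    delays = [a - s for s, a in zip(sent, arrived) if a is not None]
    if not delays:                       # nothing arrived at all
        return {"delay_ms": float("inf"), "jitter_ms": float("inf"), "loss_pct": 100.0}
    # Jitter: variation in delay, here the mean absolute change in one-way delay
    # between consecutive packets that arrived (a simplified form of the
    # interarrival jitter estimator in RFC 3550).
    steps = [abs(d2 - d1) for d1, d2 in zip(delays, delays[1:])]
    jitter = mean(steps) if steps else 0.0
    lost = sum(1 for a in arrived if a is None)
    return {
        "delay_ms": max(delays) * 1000,
        "jitter_ms": jitter * 1000,
        "loss_pct": 100.0 * lost / len(arrived),
    }


def meets_voip(metrics, limits=VOIP_LIMITS):
    """Delay and jitter must stay within limits; lost packets are reported, not recovered."""
    return (metrics["delay_ms"] <= limits["delay_ms"]
            and metrics["jitter_ms"] <= limits["jitter_ms"])
```

The steady stream shows 55 ms worst delay, about 3 ms jitter and 10% loss and passes; the bursty stream never exceeds 120 ms delay, yet its jitter of roughly 90 ms fails the check, which is the point of treating jitter separately from delay.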
WWW
The WWW consists of all the Internet-connected web servers in the world, plus all the Internet-connected hosts with web browsers. You identify a web page when you click something on a web page or when you enter a Uniform Resource Locator (URL) in the browser's address bar. Each URL defines the protocol, the name of the server and the particular page on that server (e.g. http://www.cisco.com/go/prepcenter).
The protocol is listed before the //, the hostname is listed between the // and the next /, and the name of the web page is listed after that /.
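The rule above, implemented as an added Python example (not from the slides) and cross-checked against the standard library's `urllib.parse.urlsplit`. It goes slightly beyond the slide: the part between // and / can also carry `user@` and `:port`, which belong to neither hostname nor page, so the function strips them, and a URL with no / at all refers to the server's root page. The sample URLs other than the slide's own are assumptions.

```python
"""Splitting a URL into protocol, hostname and page by the //-and-/ rule above,
cross-checked against Python's urllib. Constructed example; the sample URLs
other than the slide's are assumptions."""
from urllib.parse import urlsplit


def split_url(url):
    """Return protocol (before //), hostname (between // and /) and page (after /)."""
    if "://" not in url:
        raise ValueError("expected '<protocol>://' at the start of the URL")
    protocol, rest = url.split("://", 1)
    authority, sep, page = rest.partition("/")
    # Everything before the first / is the authority; it may carry user@ and :port,
    # which are neither hostname nor page. IPv6 literals such as [::1] are not
    # handled by this simple split.
    authority = authority.rpartition("@")[2]
    hostname, _, port = authority.partition(":")
    if not hostname:
        raise ValueError("no hostname between // and /")
    return {
        "protocol": protocol.lower(),
        "hostname": hostname.lower(),
        "port": int(port) if port else None,
        "page": "/" + page if sep else "/",   # no / at all means the root page
    }


def agrees_with_urllib(url):
    """True when the hand parser and the standard library agree on every part."""
    parts = urlsplit(url)
    mine = split_url(url)
    return (mine["protocol"] == parts.scheme
            and mine["hostname"] == parts.hostname
            and mine["port"] == parts.port
            and mine["page"] == (parts.path or "/"))
```

For the slide's URL the result is protocol http, hostname www.cisco.com and page /go/prepcenter. When validating hostnames in real code (allow-lists, link checkers), rely on `urlsplit(url).hostname` rather than a hand-rolled split, because the authority part has more forms than this rule covers.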
Network Security
For the purposes of this book, and for the ICND1 exam, the goal is to know some of the basic terminology, the types of security issues, and some of the common tools used to mitigate security risks. The kinds of attacks that might occur:
Denial of service (DoS) attacks: DoS attacks called flooders flood the network with packets to make the network unusable, preventing any useful communications with the servers.
Reconnaissance attacks: the goal is to gather information in order to perform an access attack. An example is learning IP addresses and then trying to discover servers that do not appear to require encryption to connect to them.
Access attacks: an attempt to steal data, typically for some financial advantage, or for international espionage.
A higher percentage of security attacks actually come from inside the Enterprise network.
(Figure: sources of attack from inside the Enterprise network, hosts PC1 to PC4.)
The list explains three ways in which the Enterprise network is exposed to the possibility of an attack from within:
Access from the wireless LAN: an unsecured wireless LAN allows a user across the street in a coffee shop to access the Enterprise network, letting the attacker (PC1) begin the next phase of trying to gain access to the computers in the Enterprise.
Infected mobile laptops: the laptop (PC2) connects to the Enterprise network, and the virus spreads to other PCs, such as PC3. PC3 may be vulnerable in part because its user may have avoided running the daily anti-virus software scans that, although useful, can annoy the user.
Disgruntled employees: the user at PC4 is planning to move to a new company. He steals information from the network and loads it onto an MP3 player or USB flash drive, which allows him to carry the entire customer database in a device that can be easily concealed and removed from the building.
To prevent such problems, Cisco uses the term security in depth to refer to a security design that includes security tools throughout the network, including features in routers and switches. Cisco also uses the term self-defending network to refer to automation in which the network devices automatically react to network problems.
For example, Network Admission Control (NAC) is one security tool that helps prevent two of the attacks just described. The following tools can be used to provide that in-depth security.
The firewall's role is to stop packets that the network or security engineer has deemed unsafe. The firewall mainly looks at the transport layer port numbers and the application layer headers to prevent certain ports and applications from getting packets into the Enterprise.
However, a perimeter firewall (a firewall on the edge, or perimeter, of the network) does not protect the Enterprise from all the dangers possible through the Internet connection. Firewalls sit in the packet-forwarding path between two networks, often with one LAN interface connecting to the secure local network and one to the other, less secure network (often the Internet). The DMZ LAN is a place to put devices that need to be accessible, but that access puts them at higher risk.
The firewall needs to be configured to know which interfaces are connected to the inside, outside and DMZ parts of the network. Then, a series of rules can be configured that tell the firewall which traffic patterns are allowed and which are not. The figure shows two typically allowed flows and one typical disallowed flow, shown with dashed lines. In years past, Cisco sold firewalls with the trade name PIX Firewall. A few years ago, Cisco introduced a whole new generation of network security hardware using the trade name Adaptive Security Appliance (ASA).
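The interface-to-zone mapping and the ordered rule list described above, as an added Python example that is not from the slides and is not a PIX or ASA configuration. Interfaces are assigned to the inside, outside and DMZ zones, the destination zone is derived from the address, and rules are evaluated in order with the first match winning and a final deny for everything else. The interface names, address ranges (10.1.0.0/16 for the inside, the RFC 5737 documentation range 192.0.2.0/24 for the DMZ) and the rules themselves are assumptions.

```python
"""A zone-based packet filter in the style the slide describes: each interface
belongs to a zone (inside, outside or DMZ) and an ordered rule list decides each
flow, ending in an implicit deny. Constructed example; the interface names,
address ranges and rules are assumptions, not a PIX or ASA configuration."""
import ipaddress

# The firewall must be told which interface faces which part of the network.
INTERFACES = {"eth0": "inside", "eth1": "outside", "eth2": "dmz"}

# The destination zone is decided by address; anything unlisted is the outside.
NETWORKS = {"inside": ipaddress.ip_network("10.1.0.0/16"),
            "dmz": ipaddress.ip_network("192.0.2.0/24")}

# Ordered rules, first match wins: (src zone, dst zone, protocol, dst port, action).
# "any" and None act as wildcards. The last rule is the implicit deny.
RULES = [
    ("inside", "outside", "tcp", None, "allow"),   # users reaching the Internet
    ("outside", "dmz", "tcp", 80, "allow"),        # public web server in the DMZ
    ("outside", "dmz", "tcp", 443, "allow"),
    ("dmz", "inside", "any", None, "deny"),        # a compromised DMZ host stays out
    ("outside", "inside", "any", None, "deny"),    # the dashed-line flow in the figure
    ("any", "any", "any", None, "deny"),
]


def zone_of_address(ip):
    """Map a destination address to inside, dmz or (by default) outside."""
    addr = ipaddress.ip_address(ip)
    for zone, net in NETWORKS.items():
        if addr in net:
            return zone
    return "outside"


def evaluate(ingress_iface, dst_ip, proto, dst_port):
    """Return (action, index of the matching rule) for a packet entering on ingress_iface."""
    src_zone = INTERFACES[ingress_iface]
    dst_zone = zone_of_address(dst_ip)
    for idx, (r_src, r_dst, r_proto, r_port, action) in enumerate(RULES):
        if r_src != "any" and r_src != src_zone:
            continue
        if r_dst != "any" and r_dst != dst_zone:
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action, idx
    return "deny", None   # unreachable with the catch-all rule; kept as a safety net
```

An inside user reaching an Internet address on TCP 443 matches rule 0, an Internet client reaching the DMZ web server on port 80 matches rule 1, and an Internet host trying to reach an inside address hits the deny in rule 4. Rule order matters: moving the catch-all deny above the allows would block everything, which is why the rules a firewall engineer writes are always evaluated top to bottom.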
Cisco ASA appliances can provide or assist in the overall in-depth security design with a variety of tools that prevent problems such as viruses. Cisco uses the term anti-x to refer to the whole class of security tools that prevent these various problems, including the following:
Anti-virus
Anti-spyware
Anti-spam
Anti-phishing
URL filtering
E-mail filtering
Some types of attacks cannot be easily found with anti-x tools. A couple of tools that can be used to prevent such attacks are Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
A VPN might be better termed a virtual private WAN. VPNs send packets through the Internet, which is a public network; however, VPNs make the communication secure, like a private leased line.
VPNs authenticate the VPN endpoints, meaning that both endpoints can be sure that the other endpoint of the VPN connection is legitimate. Additionally, VPNs encrypt the original IP packets, so that even if an attacker managed to get a copy of the packets as they pass through the Internet, he or she cannot read the data. Two types of VPNs:
Access VPN: supports a home or small-office user.
Site-to-site intranet VPN: typically connects two sites of the same Enterprise; the encryption can be done for all devices using different kinds of hardware, including routers and firewalls, as shown in the figure on the next slide.