HC110310001 HCNA-Security-CBSN Chapter 1 Network Security Overview V2.0

Chapter 1
Network Security
Overview
www.huawei.com
Copyright 2013 Huawei Technologies Co., Ltd. All rights reserved.

Objectives
Upon completion of this course, you will be able to
understand:
OSI model
TCP/IP principles
TCP/IP security issues
Common attack means for TCP/IP
Copyright 2013 Huawei Technologies Co., Ltd. All rights reserved. Page 2
Agenda
1. TCP/IP Introduction
2. TCP/IP Security Issues
3. Common Network Attacks
OSI Model Introduction
Purposes
Design principles
Strengths
Introduction to the Seven Layers of
the OSI Model
APDU Application layer 7 Providing inter-application
communication
Upper
layers PPDU Presentation layer 6 Processing data formats and
data encryption
SPDU Session layer 5 Setting up, maintaining, and managing
sessions
Segment Transport layer 4 Establishing E2E connections between

hosts
Packet Network layer 3 Addressing and routing

Lower
layers
Frame Data link layer 2 Providing medium access and link
management
Bit Physical layer 1 Transmitting bit streams
Communication Between Peer Layers
Each layer communicates with its peer layer using the service provided by the
lower layer.
APDU
Application Application
PPDU
Presentation Presentation
SPDU
Session Session
Segment
Transport Transport
Packet
Network Network
Host A Host B
Frame
Data link Data link
Bit
Physical Physical
Procedure for Processing Network
Data Streams
D
C
Presentation Presentation
A
Session Session
B E
Transport Router A Router B Router C Transport
Network Network Network Network Network
Data link Data link Data link Data link Data link
Physical Physical Physical Physical Physical
Mapping Between the TCP/IP Model
and OSI Model
TCP/IP is simply tiered, and its layers clearly map with OSI model
layers.
OSI TCP/IP
Application layer
Presentation layer Application layer
Session layer
Transport layer Transport layer
Network layer Network layer
Data link layer

Data link layer
Physical layer
Encapsulation and Decapsulation
Processes of TCP/IP Packets
Sender Recipient
layer APP DATA
layer
Encapsulation process
Decapsulation process
Transport
Transport
layer TCP APP DATA
layer
Network Network
IP TCP APP DATA layer
layer
Data link Data link

Eth IP TCP APP DATA
layer layer
10101011010101001010100011101010010
Functions of Each TCP/IP Layer
Application
HTTP, Telnet, FTP,TFTP, DNS Providing a network interface
layer
for applications
Transport
TCP/UDP Establishing E2E connections
layer
Network ICMP, IGMP

IP Addressing and routing
layer ARP, RARP
Data link Ethernet, 802.3, PPP, HDLC, FR

layer Accessing physical media
Socket
HTTP FTP Telnet SMTP DNS TFTP SNMP
80 20/21 23 25 53 69 161
TCP UDP
IP data packets
Source socket: source IP address + protocol + source port

Socket
Destination socket: destination IP address + protocol + destination port
Data Link Layer Protocol
Ethernet protocol encapsulation
Destination Source
Type Data CRC
address address
6 bytes 6 bytes 2 bytes 46-1500 bytes 4 bytes
Type
Type 0800: indicates IP.
Type 0806: indicates ARP.
Type 8035: indicates RARP.
Network Layer Protocol
0 4 8 16 19 31
Version Header Type of service Total length

length
Identifier Flag Fragment offset
TTL Protocol Head checksum
Source IP address
Destination IP address
IP option Padding
Transport Layer Protocol
0 8 16 24 31
Source port Destination port
UDP length UDP checksum (optional)
Data
UDP packet format
Source port Destination port
SN
Acknowledgement number
URG
ACK
PSH
SYN
RST
FIN
Data offset Reserved (6 bits) Window size
TCP checksum Urgent pointer
Option
Data
TCP packet format
Establishing a TCP Connection
Three-way handshake
Client Server
Closing a TCP Connection
Four-way handshake
Proactively cut off

the connection Passively cut off the
connection
Agenda
TCP/IP Security Risks
Lacking a data source

authentication mechanis
1 m
3 2
Lacking an integrity
Lacking a confidentiality check mechanism
guarantee mechanism
TCP/IP Common Security Risks
Vulnerabilities, buffer overflow attacks,
Web application attacks, viruses and Application
Trojans layer
TCP spoofing, SYN flood, UDP flood,

port scanning Transport layer
IP spoofing, Smurf attacks,

ICMP flood attacks, IP sweep
Network layer
MAC spoofing, MAC

flooding, ARP spoofing Data link layer
Equipment damage,
Network interception Physical layer
Equipment Damage
Damage of physical devices
Direct damage to physical network facilities, such as server

infrastructure and network transmission and communication
facilities
Equipment damage attacks mainly aim to disrupt network services.
Defense against equipment damage
Mainly relies on non-technical factors, such as constructing a solid

equipment room and formulating strict security management
regulations.
Network Interception
Physical-layer devices
Hub
Repeater
Wireless network
Defense Interceptor
Replace hubs and repeaters with switches.
On wireless networks, use strong authentication and encryption

mechanisms.
MAC Spoofing Attack
MAC spoofing is a type of very intuitive attacks. The attacker changes
its own MAC address to the address of a trusted system.
Defense
Configure static entries on the switch and bind MAC addresses

with specific port.
F0-DE-F1-33-7F-DA E0
E1
I am also: F0-DE-F1-33-7F-DA
Impostor
MAC Flooding Attack
MAC flooding attacks utilize:
MAC address learning mechanism of switches
Number limit of MAC entries

Attacker
Switch forwarding mechanism
Defense
Configure static MAC entries.
Configure a limit for the number of MAC entries on the port.
ARP Spoofing Attack
A B
Hacker
When A needs to communicate with B:

A sends an ARP request to ask for the MAC address of B.
B sends an ARP reply to notify A of its MAC address.
IP Spoofing Attack
Why IP address is
easily spoofed?
Sniffer
A: 192.168.0.1 192.168.0.1 B:192.168.0.6
Makes it paralyzed Spoofed reply
sniffed
request
The trust relationship between hosts are build through IP addresses.

Attakcs can forge legitimate IP addresses to obtain confidential
information.
Smurf Attack
ICMP echo request,

src = 128.100.100.2 The attacker
192.168.1.2
dest = 192.168.1.255 controls this
host.
192.168.1.3
192.168.1.1
192.168.1.4
ICMP echo replies Victim:

128.100.100.2
192.168.1.5
ICMP Redirect Packet and
Unreachable Packet Attack
Many ICMP dest

unreachable flood to The attacker
192.168.1.2
192.168.1.x, controls this
src=128.100.100.2 host.
192.168.1.3
192.168.1.1
Why cant
I receive
192.168.1.4 the packet?
The gateway
Many ICMP cannot receive
the packet. Victim
redirect
The attacker 128.100.100.2
192.168.1.5 controls this
host.
IP Sweep Attack
An attacker uses ICMP packets or TCP/UDP packets to initiate
connections to certain IP addresses. By checking whether there are
response packets, the attacker can determine which target systems
are alive and connected to the target network.
192.168.1.2
192.168.1.3
192.168.1.4 192.168.1.
1 Attacker
192.168.1.5
TCP Spoofing Attack
Unauthorize
d connection
Host A
Host C SYN SEQ ACK
(Attacker) 1 11001 0
Spoofed packet from C to A
SYN ACK SEQ ACK
ACK SEQ ACK 1 1 5400211001
1 1100154003
Spoofed packet from B to A
Denial of A trusts B
service attacks
from C to B
Host B
SYN Flood Attack
SYN
Attacker Server
The SYN packet is the first packet in a TCP connection. The attacker
sends a large number of SYN packets. Then lots of half-open
connections are established on the attacked host, exhausting
resources of the attacked host.
UDP Flood Attack
UDP
Attacker Server
The attacker sends a large number of UDP packets to the

server to occupy the bandwidth of the server. As a result, the
server is overloaded and cannot provide services for external
users.
Port Scanning Attack
Port scanning attacks generally use the port scanning software
to initiate connections to a series of TCP or UDP ports on a
wide range of hosts. According to the response packets, the
attacker can determine whether hosts are providing services
through these ports.
Port scanning
Attacker
Buffer Overflow Attack
The most common among all software system
attack behaviors
Stack
Can be launched locally or remotely
Exploiting the loopholes in the various
software systems, including operating
systems, network services, and application
software, to launch attack code
The vulnerabilities are related to the
operating system and architecture, and the Data
attacker needs to have high-level
knowledge/skills.
Code
Web Application Attack
Common attacks
Targeting at clients
Web page that contains malicious code, the use of
browser vulnerabilities, threats to the local system
Targeting at servers
Use Apache / IIS ... loopholes
Use CGI implementation language (PHP / ASP / Perl ...)
and the implementation process loopholes
Database intrusion using the Web server
Agenda
Passive Attack
Internet
Host A Host B
Monitoring
I need to obtain
confidential
information.
Active Attack
Internet
Host A
Service resources of
an enterprise
Spoofing attack Falsification attack DoS attack
Spoofed part Data payload Packet header Falsified part
Man-in-the-Middle Attack
Internet
Falsify information
Host A Host B
Steal information
Active attack
Passive attack
Attacker
Summary
OSI model
TCP/IP principles
TCP/IP security issues
Common attack means
Question
Why is ARP spoofing easily initiated?
How to initiate IP spoofing attacks?
What is the difference between TCP and UDP?
Why does TCP have header length, but UDP does not?
Why does TCP connection establishment require a three-way

handshake, but disconnection require a four-way handshake?
Thank you
www.huawei.com

HC110310001 HCNA-Security-CBSN Chapter 1 Network Security Overview V2.0

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HC110310001 HCNA-Security-CBSN Chapter 1 Network Security Overview V2.0

Uploaded by

Copyright:

Available Formats

Chapter 1

Copyright 2013 Huawei Technologies Co., Ltd. All rights reserved.

TCP/IP security issues

Common attack means for TCP/IP

2. TCP/IP Security Issues

3. Common Network Attacks

Segment Transport layer 4 Establishing E2E connections between

Packet Network layer 3 Addressing and routing

Bit Physical layer 1 Transmitting bit streams

Network Network Network Network Network

Physical Physical Physical Physical Physical

Presentation layer Application layer

Transport layer Transport layer

Network layer Network layer

Data link layer

Data link Data link

Network ICMP, IGMP

Data link Ethernet, 802.3, PPP, HDLC, FR

HTTP FTP Telnet SMTP DNS TFTP SNMP

Source socket: source IP address + protocol + source port

Destination socket: destination IP address + protocol + destination port

6 bytes 6 bytes 2 bytes 46-1500 bytes 4 bytes

Type 0800: indicates IP.

Type 0806: indicates ARP.

Type 8035: indicates RARP.

Version Header Type of service Total length

Identifier Flag Fragment offset

TTL Protocol Head checksum

UDP packet format

Source port Destination port

TCP packet format

Proactively cut off

2. TCP/IP Security Issues

3. Common Network Attacks

Lacking a data source

TCP spoofing, SYN flood, UDP flood,

IP spoofing, Smurf attacks,

MAC spoofing, MAC

Direct damage to physical network facilities, such as server

Equipment damage attacks mainly aim to disrupt network services.

Defense against equipment damage

Mainly relies on non-technical factors, such as constructing a solid

Replace hubs and repeaters with switches.

On wireless networks, use strong authentication and encryption

Configure static entries on the switch and bind MAC addresses

MAC address learning mechanism of switches

Number limit of MAC entries

Configure static MAC entries.

Configure a limit for the number of MAC entries on the port.

When A needs to communicate with B:

B sends an ARP reply to notify A of its MAC address.

Makes it paralyzed Spoofed reply

The trust relationship between hosts are build through IP addresses.

ICMP echo request,

ICMP echo replies Victim:

Many ICMP dest

The attacker sends a large number of UDP packets to the

2. TCP/IP Security Issues

3. Common Network Attacks

Spoofing attack Falsification attack DoS attack

Spoofed part Data payload Packet header Falsified part

TCP/IP security issues

Common attack means

How to initiate IP spoofing attacks?