
Network Security

Lng Trn Hy Hin

COMP1049 - Bảo mật và An ninh Mạng (Network Security) - C2 Part 1 - HIENLTH

Chapter 2: TCP/IP refresher

Contents
Review of TCP/IP and the IP packet. Information exchange in some TCP/IP protocols.

Computer Network


OSI model
The OSI (Open System Interconnect) communication model was proposed by ISO (the International Standards Organization) in 1982. The layers of the OSI model:
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer

OSI model
The layers can be divided into two groups:
Application layers: concerned with the application (Application, Presentation, Session)
Dataflow layers: ensure the exchange of data (Transport, Network, Datalink, Physical)

OSI model
Figure: two end hosts, each running the full stack (Application, Presentation, Session, Transport, Network, Datalink, Physical), communicate through an intermediate hop node that implements only the Network, Datalink and Physical layers; adjacent nodes are joined by a physical link.

Physical layer (Physical)
Transports the bits of data between two adjacent nodes.

Data link layer (Data link)
Ensures a direct link between two devices.
Examples: IEEE 802.01, Ethernet

Network layer (Network)
Ensures that packets travel from one computer to another across an internetwork.

Transport layer (Transport)
Ensures a link between two processes (Process A and Process B).

Session layer
Manages requests between applications. Controls the dialogue and synchronises processes.

Presentation layer (representation)
Data conversion, encoding/encryption, compression.

Application layer
Interfaces with the user and with other applications (User-OSI). Provides services. Examples: HTTP, DNS.

OSI model: remarks
Cumbersome. Used in teaching.

OSI and TCP/IP

COMMON PROTOCOLS
SSL, IPSEC, ARP

Encapsulation
Figure: at the source, the application message M receives a transport header Ht (segment), then a network header Hn (datagram), then a link header Hl (frame), passing down through the application, transport, Internet and network-access layers. A switch handles frames at the link layer; a router strips and re-adds Hl while forwarding on Hn at the network layer; the destination removes Hl, Hn and Ht in reverse order to recover M.

Data encapsulation

IPv4 Addressing
202.155.43.2 = 11001010.10011011.00101011.00000010
The address is split into a Network ID part and a Host ID part.

IP CLASSES
Class A: 1-126
Class B: 128-191
Class C: 192-223
Class D: 224-239
Class E: 240-247
Private ranges: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.16.255.255, 192.168.0.0 - 192.168.255.255, 169.254.x.y

Subnet Mask
Class A: 255.0.0.0
Class B: 255.255.0.0
Class C: 255.255.255.0

IP address:  10100011.00011011.11100010.00001111
Subnet mask: 11111111.11111111.00000000.00000000 = 255.255.0.0

Subnet mask quick reference

Subnetting / Broadcasting
IP: 165.134.8.123
Network: 165.134.0.0/16
Subnet mask: 255.255.0.0
Broadcast: 165.134.255.255

Exercise 1
Company HPT has 5 branches. Each branch is required to have its own VLAN with public IP addresses. HPT owns (leases) the address range 163.134.0.0.
1. How many additional bits must be used in the subnet mask to obtain 5 VLANs?
2. What is the maximum number of real IP addresses each office can have?
Individual work, submitted via the link on the Module; deadline: 21/09/2013
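As an added worked example (not part of the lecture slides), the subnetting arithmetic behind the broadcast slide and Exercise 1, done with Python's standard ipaddress module: network, mask and broadcast for a host address, and how many host bits must be borrowed for a required number of subnets together with the usable hosts each subnet keeps.

```python
import ipaddress

def broadcast_info(ip: str, prefix: int) -> dict:
    """Network, mask and broadcast for a host address (the 165.134.8.123/16 case on the slide)."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return {"network": str(net.network_address), "mask": str(net.netmask),
            "broadcast": str(net.broadcast_address), "prefix": net.prefixlen}

def subnet_plan(block: str, subnets_needed: int) -> dict:
    """Borrow the fewest host bits that give at least subnets_needed subnets of a block,
    and report the usable host addresses each subnet keeps."""
    base = ipaddress.ip_network(block, strict=False)
    extra_bits = (subnets_needed - 1).bit_length()    # smallest k with 2**k >= subnets_needed
    new_prefix = base.prefixlen + extra_bits
    if new_prefix > 30:                  # /31 or /32 leaves no room for network + broadcast + hosts
        raise ValueError("not enough host bits left for usable subnets")
    subnets = list(base.subnets(new_prefix=new_prefix))
    usable_hosts = 2 ** (32 - new_prefix) - 2        # minus the network and broadcast addresses
    return {"extra_bits": extra_bits, "new_prefix": new_prefix,
            "subnet_count": len(subnets), "usable_hosts": usable_hosts,
            "subnets": [str(s) for s in subnets[:subnets_needed]]}

if __name__ == "__main__":
    print(broadcast_info("165.134.8.123", 16))
    print(subnet_plan("163.134.0.0/16", 5))
```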

SOCKET
Service ports 0-65535: Well-Known 0-1023, Registered 1024-49151, Dynamic 49152-65535.
A socket is the combination (IP, port).
HTTP: 80; SMTP: 25; POP3: 110; FTP: 20, 21; Windows sharing: 137; DNS: 53; Telnet: 23; SSL: 443

TCP HEADER
Bits 0-15 | Bits 16-31
Source Port | Destination Port
Sequence Number
Acknowledgment Number
IHL | Reserved | URG ACK PSH RST SYN FIN | Window size
TCP Checksum | Urgent Pointer
Options

TCP FLAGS
SYN: initiates a connection
ACK: acknowledgement
FIN: ends the connection session
RST (RESET): re-initialises the connection
PSH (PUSH): passes data up without buffering
URG: marks the data as urgent (priority)
Sequence number: 32 bits, generated and incremented every 4 ms
Acknowledgment number: 32 bits

Protocol ID
ICMP = 1, TCP = 6, UDP = 17

Three-way handshake
Step 1 - Host A sends a segment to Host B with SYN=1, ACK=0, SN=X, ACKN=0.
Step 2 - After receiving it from A, Host B replies with SYN=1, ACK=1, SN=Y, ACKN=X+1.
Step 3 - Host A sends to B again with SYN=0, ACK=1, SN=X+1, ACKN=Y+1.

Closing a connection
1. FIN=1, ACK=1, SN=x, ACKN=y
2. FIN=0, ACK=1, ACKN=x+1
3. FIN=1, ACK=1, SN=y, ACKN=x+1
4. FIN=0, ACK=1, ACKN=y+1
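An added example (not from the lecture) tying the TCP header slide to the handshake and close rules: it packs and unpacks the 20-byte header layout shown above, then checks whether captured segments obey the three-step open and four-step close, including 32-bit wrap-around of SN/ACKN. The port numbers and initial sequence numbers in the sample are constructed.

```python
import struct

# Flag bits in the low byte of the TCP data-offset/flags word (URG ACK PSH RST SYN FIN)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MOD32 = 1 << 32   # SN and ACKN are 32-bit counters and wrap around

def build_tcp_header(sport, dport, seq, ackn, flags, window=65535):
    """Constructed 20-byte TCP header: data offset 5 words, no options, checksum left at 0."""
    return struct.pack("!HHIIHHHH", sport, dport, seq % MOD32, ackn % MOD32,
                       (5 << 12) | flags, window, 0, 0)

def parse_tcp_header(data):
    """Unpack the slide's layout: ports, SN, ACKN, offset+flags, window, checksum, urgent pointer."""
    sport, dport, seq, ackn, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ackn,
            "data_offset": off_flags >> 12, "flags": off_flags & 0x3F,
            "window": window, "checksum": csum, "urgent": urg}

def check_handshake(seg1, seg2, seg3):
    """True when three segments follow the 3-step rule: SYN(X) / SYN+ACK(Y, X+1) / ACK(X+1, Y+1)."""
    a, b, c = (parse_tcp_header(s) for s in (seg1, seg2, seg3))
    x, y = a["seq"], b["seq"]
    return (a["flags"] == SYN and a["ack"] == 0
            and b["flags"] == SYN | ACK and b["ack"] == (x + 1) % MOD32
            and c["flags"] == ACK and c["seq"] == (x + 1) % MOD32
            and c["ack"] == (y + 1) % MOD32)

def check_teardown(seg1, seg2, seg3, seg4):
    """True when four segments follow the 4-step close on the slide:
    FIN+ACK(SN=x) / ACK(x+1) / FIN+ACK(SN=y, ACKN=x+1) / ACK(y+1)."""
    p, q, r, s = (parse_tcp_header(g) for g in (seg1, seg2, seg3, seg4))
    x, y = p["seq"], r["seq"]
    return (p["flags"] == FIN | ACK
            and q["flags"] == ACK and q["ack"] == (x + 1) % MOD32
            and r["flags"] == FIN | ACK and r["ack"] == (x + 1) % MOD32
            and s["flags"] == ACK and s["ack"] == (y + 1) % MOD32)

# Constructed sample: A (port 40000) opens a connection to B (port 80) with X=1000 and Y=5000
HANDSHAKE = (build_tcp_header(40000, 80, 1000, 0, SYN),
             build_tcp_header(80, 40000, 5000, 1001, SYN | ACK),
             build_tcp_header(40000, 80, 1001, 5001, ACK))

if __name__ == "__main__":
    print("handshake valid:", check_handshake(*HANDSHAKE))
```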

Exercise 2
After using sniffer software to analyse packets sent from host A:
Packet 1: Protocol: UDP; Destination port: 53; Source IP: 192.168.3.8; Destination IP: 203.162.4.1
Packet 2: Protocol: TCP; Destination port: 80; Source IP: 192.168.3.8; Destination IP: 203.162.4.1; SYN=1, ACK=0
Describe what host A is doing, and what do you observe from host A's source IP?

IPv6
128-bit address: 8 blocks of 16 bits, written in hexadecimal, e.g. 71ab:1234:0:fdac:234f:2314:acde:0
Converting from IPv4 to IPv6: 203.123.3.6 becomes ::ffff:203.123.3.6
::1 - loopback
ff01::1, ff02::01 - multicasting
ff01::02, ff02::02 - to all gateways

IP HEADERS
Bits 0-3: Version | 4-7: IHL | 8-15: Type of Services | 16-31: Length
Identification | Flags | Fragment offset
Time to Live | Protocol | Header checksum
Source Address
Destination Address
Options
Data

IP HEADERS
IHL: number of 32-bit words in the header; normally IHL = 5
Type of Services: quality of service
Length: length of the headers, in bytes
Identification: sequence number of the datagram (packet)
Flags: 3 bits: 0, DF = Don't fragment, MF = More Fragments
Fragment Offset: sequence number of the fragment within the datagram (starting from 0)
TTL: lifetime set by the sender, decremented as the packet passes through each gateway
Option: additional data, padded to a multiple of 32 bits

UDP Headers
Bits 0-15: Source Port | Bits 16-31: Destination Port
UDP Length | Checksum
Data

ICMP Headers
Bits 0-7: TYPE | 8-15: CODE | 16-31: CHECKSUM
Contents

ICMP
Type  Code  Description
0     0     echo reply (ping)
3     0     dest. network unreachable
3     1     dest host unreachable
3     2     dest protocol unreachable
3     3     dest port unreachable
3     6     dest network unknown
3     7     dest host unknown
4     0     source quench (congestion control - not used)
8     0     echo request (ping)
9     0     route advertisement
10    0     router discovery
11    0     TTL expired
12    0     bad IP header

EXERCISE 3
You need to block scanning from other networks over ICMP. Which parameters must you give the deny ICMP rule?
(Use the ICMP Type/Code table on the previous slide.)

Packet Fragmentation
MTU: Maximum Transmission Unit
MDS: Maximum Datagram Size
MSS: Maximum Segment Size
Default MDS = 576, MSS = 536
Some MTUs (bytes): PPP = 296, Ethernet = 1500, FDDI = 4352, Token Ring = 4464
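An added example (not from the lecture) covering both the IP header slides and the fragmentation slide: it builds and decodes the 20-byte IPv4 header layout above, verifies the header checksum (so a header altered in transit, e.g. a TTL decremented without a checksum update, is flagged), and computes the fragment offsets and MF flags needed to carry a datagram over a link with a smaller MTU. Addresses and sizes in the sample are constructed.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, protocol, total_length, ident, ttl=64, df=False, mf=False, offset=0):
    """Constructed 20-byte header (IHL=5) with a valid checksum; offset is in 8-byte units."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset & 0x1FFF)
    fields = [(4 << 4) | 5, 0, total_length, ident, flags_frag, ttl, protocol, 0,
              bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))   # checksum over zeroed field
    return struct.pack("!BBHHHBBH4s4s", *fields)

def parse_ipv4_header(data: bytes) -> dict:
    """Decode the slide's field layout; checksum_ok is True only when the header arrived unmodified."""
    ver_ihl, tos, length, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = ver_ihl & 0x0F
    return {"version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "length": length, "id": ident,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
            "checksum_ok": ipv4_checksum(data[:ihl * 4]) == 0,   # an intact header sums to all ones
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def fragment_plan(total_length: int, mtu: int, ihl: int = 5):
    """Split a datagram so each fragment fits the link MTU.
    Returns (fragment offset in 8-byte units, payload bytes, MF flag) per fragment."""
    hdr = ihl * 4
    payload = total_length - hdr
    step = (mtu - hdr) // 8 * 8              # every fragment but the last carries a multiple of 8 bytes
    plan, pos = [], 0
    while pos < payload:
        n = min(step, payload - pos)
        plan.append((pos // 8, n, pos + n < payload))
        pos += n
    return plan

if __name__ == "__main__":
    hdr = build_ipv4_header("192.168.3.8", "203.162.4.1", 6, 4000, 0x1234)
    print(parse_ipv4_header(hdr))
    print(fragment_plan(4000, 1500))   # a 4000-byte datagram over Ethernet (MTU 1500)
```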

ARP: Address Resolution Protocol
MAC: Media Access Control. A MAC address is a 48-bit address.

LAN Addresses and ARP
Each adapter on the LAN has a unique LAN address, e.g. 1A-2F-BB-76-09-AD.
Broadcast address = FF-FF-FF-FF-FF-FF
Figure: a LAN (wired or wireless) with four adapters, addresses 1A-2F-BB-76-09-AD, 71-65-F7-2B-08-53, 58-23-D7-FA-20-B0 and 0C-C4-11-6F-E3-98.

LAN Address (more)
MAC address allocation is administered by the IEEE; a manufacturer buys a portion of the MAC address space (to assure uniqueness).
Analogy: (a) MAC address: like a Social Security Number; (b) IP address: like a postal address.
MAC is a flat address, hence portable: a LAN card can be moved from one LAN to another.
IP is a hierarchical address and NOT portable: it depends on the IP subnet to which the node is attached.

ARP: Address Resolution Protocol
Question: how to determine the MAC address of B knowing B's IP address?
Figure: a LAN with nodes 137.196.7.78, 137.196.7.23, 137.196.7.14 and 137.196.7.88, whose adapters have the addresses 1A-2F-BB-76-09-AD, 71-65-F7-2B-08-53, 58-23-D7-FA-20-B0 and 0C-C4-11-6F-E3-98.
Each IP node (host, router) on the LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes, stored as entries <IP address; MAC address; TTL>.
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).

ARP protocol: same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
A broadcasts an ARP query packet containing B's IP address; the destination MAC address = FF-FF-FF-FF-FF-FF, so all machines on the LAN receive the ARP query.
B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).
A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out).
Soft state: information that times out (goes away) unless refreshed.
ARP is plug-and-play: nodes create their ARP tables without intervention from the net administrator.

Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
There are two ARP tables in router R, one for each IP network (LAN).
In the routing table at the source host, find the router 111.111.111.110.
In the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.
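An added simulation (not from the lecture) of the same-LAN ARP exchange described above: an ARP table whose <IP; MAC; TTL> entries are soft state that expires unless refreshed, a constructed LAN on which a broadcast query reaches every adapter and only the owner of the queried IP answers with a unicast reply, and the resolve step that caches the answer. The IP-to-MAC pairing used in the sample is constructed.

```python
import time

BROADCAST = "FF-FF-FF-FF-FF-FF"

class ArpCache:
    """One node's ARP table of <IP; MAC; TTL> entries; soft state that expires unless refreshed."""
    def __init__(self, ttl_seconds=20 * 60, clock=time.monotonic):
        self.ttl, self.clock, self.entries = ttl_seconds, clock, {}

    def learn(self, ip, mac):
        self.entries[ip] = (mac, self.clock() + self.ttl)   # (MAC, expiry time)

    def lookup(self, ip):
        hit = self.entries.get(ip)
        if hit and hit[1] > self.clock():
            return hit[0]
        self.entries.pop(ip, None)          # timed out (or never learned): forget the mapping
        return None

class Lan:
    """Constructed LAN: a broadcast frame reaches every adapter; only the owner of the queried IP answers."""
    def __init__(self, nodes):              # nodes: {ip: mac} for each adapter on the LAN
        self.nodes = nodes
        self.frames = []                    # log of (src_mac, dst_mac, payload) for inspection

    def send(self, src_mac, dst_mac, payload):
        self.frames.append((src_mac, dst_mac, payload))
        if payload[0] == "ARP-REQUEST" and payload[1] in self.nodes:
            owner_mac = self.nodes[payload[1]]
            reply = ("ARP-REPLY", payload[1], owner_mac)
            self.send(owner_mac, src_mac, reply)   # B answers A directly (unicast)
            return reply
        return None

def resolve(lan, cache, my_mac, target_ip):
    """A needs B's MAC: use a fresh cache entry, else broadcast a query and cache the reply."""
    mac = cache.lookup(target_ip)
    if mac:
        return mac
    reply = lan.send(my_mac, BROADCAST, ("ARP-REQUEST", target_ip))
    if reply is None:
        return None
    cache.learn(target_ip, reply[2])
    return reply[2]
```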

Homework - Reminders
Update the list of team members in class; deadline: Wednesday 30/09/2013 (locked).
Log in to the Moodle system and enrol in the course Computer Network Security; deadline: Friday 30/9/2012 (locked).
Exercise submission deadline: Sunday 22/9/2013.

Q&A


THE END
