
  1. Security Essentials Day 3
     Security Essentials
     The SANS Institute
     Network Fundamentals - SANS ©2001
  2. Agenda
     • Network fundamentals
       – Network topologies
     • IP concepts – 1
       – Protocol stacks
       – IP
     • IP concepts – 2
       – TCP
       – UDP
       – ICMP
  3. Agenda (cont.)
     • IP Behavior
       – TCP dump
       – Analyzing network traffic
     • Routing
       – Routing protocols
     • Host perimeter defense
       – Personal firewalls
  4. Network Fundamentals
     Security Essentials
     The SANS Institute

     Hello. Welcome to Network Fundamentals. Over the next several modules we are going to look at various aspects of networking and how computers connect over a network. Understanding the key issues of networking is critical to being able to secure a network. The basic question comes down to this: if you do not understand how a network operates, how are you going to be able to secure it? In this module, we are going to cover some of the fundamental principles of networking that you will need to understand in order to build a secure network.
  5. Agenda
     • Topology
     • Ethernet, Token Ring, Wireless
     • Wiring
     • Network Devices
     • VLANs

     In this module, we are going to cover various aspects of networking. First we are going to look at the various topologies you can use to design a network, including how Ethernet and Token Ring networks operate. Since it is becoming more popular, we are also going to look at wireless networks. Then we are going to cover the different types of wiring and how you would connect computers together so that they can communicate. Lastly, we are going to look at various devices, like hubs, switches, bridges and routers, that you would use to connect computers together. We will finish this section by looking at how we can use these devices to create virtual LANs or VLANs.
  6. Physical vs Logical Topologies
     • Physical topology
       – Defines how systems are connected together
       – bus, ring, star, and point-to-point
     • Logical topology
       – Defines the rules of communication across the physical topology
       – Ethernet, Fiber Distributed Data Interface (FDDI), Frame Relay

     There are two types of topologies: physical and logical. A physical topology describes the way the network is wired together: the layout of how the computers are actually connected via physical wires or wireless devices. In order for computers to communicate with each other they must be connected in some fashion. The logical topology describes the communication rules that systems follow when they exchange data over that physical topology. The two are independent of each other and you can actually mix and match; for example, a logical topology can be wired using different physical topologies. Just to emphasize the difference between the two, let's look at how humans communicate. In most cases, the logical topology we use to communicate, the rules we follow, would be the English language. The English language has a lot of rules that dictate how we form words and sentences, to help provide meaning to what we say. The physical topology would be the system we use to carry the communication: a telephone could be one physical topology, and the mail could be another. As you can see in this example, the English language is the logical topology, or the rules of communication, and there are several physical topologies we can use to actually send the information.
  7. Bus Topology
     • All systems connect to the same segment of wire
       – Poor scalability
       – Poor traffic isolation
       – Low fault tolerance
       – Troubleshooting nightmare

     Bus topology is the first physical topology that we will look at. This topology is dated and used very little today. It is very simple, so for small networks it does have some usefulness. With a bus topology, all of the computers are connected to the same segment of wire. Depending on where the computers are located, this type of topology can be easier and cheaper to install. For example, if I have five computers in one room and a server in another room, with a bus topology I only have to run a single wire between the two rooms and all computers would connect to the same wire. With other topologies, you would have to run a wire for each computer back to a central spot. There are some negative aspects to using a bus topology. Since all of the computers share a single segment, if that segment fails then the entire network is down: the segment is a single point of failure for the entire network. It is also very hard to troubleshoot and difficult to isolate particular traffic, since all traffic is going over a single wire. And because all computers share the same wire, it is very difficult to add computers, because a new wire would have to be run. As you can see, for certain small environments the bus topology has some usefulness from an ease-of-implementation and cost standpoint, but overall, for most companies, the drawbacks outweigh the benefits.
  8. Ring Topology
     • Multiple point-to-point connections forming a ring
     • Systems transmit on one side and receive on another
       – Dual ring can provide fault tolerance

     The next topology we will look at is the ring topology. An easy way to think of this is a bunch of kids standing in a circle playing the telephone game; picture that and you'll get a good idea of how a ring topology works. Each station transmits on one side while receiving on the other. So if I have something to say to a person on the other side of the ring, I tell the person on my left and they pass it along. Eventually, I will get a reply to my message from the person standing on my right. There are two major reasons why you do not see ring topology in wide use today. The first is that it is not supported by Ethernet. Since Ethernet came out on top in the logical topology wars, people don't use rings because you can't run Ethernet on them. The other major factor is cost. Each system's network card acts like a repeater (discussed in greater detail later), which increases the cost of hardware. The major logical topology that uses a ring is Token Ring. A Token Ring network is set up so that each computer receives information and passes it on to the next computer in the ring. FDDI, or Fiber Distributed Data Interface, is an enhancement of Token Ring and uses two rings, one for transmission and one for redundancy purposes.
  9. Star Topology
     • Multiple point-to-point connections to a central device (hub or switch)
       – Good fault tolerance
       – Certain hardware can provide traffic isolation
       – Scales well

     Star is the most common physical topology used today. With a star topology, all systems are connected together through a central device such as a hub or a switch. While the central device is a single point of failure, a star is usually resilient enough to deal with any one circuit or system failing. For example, if the cable leading to the desktop system is cut, the Mac and the server would be unaffected. Traffic control is also improved: since all circuits are tied to a single device, I can build intelligence into that device in order to control traffic flow on my network. Star topology is a little more expensive to implement, depending on distance, because each computer has a dedicated wire that is run from the computer to a central location. If new systems are added to the network, a new wire has to be run from the new location to the central location before the computer can communicate on the network.
  10. Logical Topologies
     • Independent of physical topologies
     • Logical Topologies
       – Ethernet
       – Token Ring
       – Fiber Distributed Data Interface (FDDI)
       – Frame Relay

     Now that we have covered the major physical topologies, let's look at the major logical topologies. Remember, the logical topologies are independent of the physical topologies. As we will see at the end of this section, there is sometimes a relationship between the two: based on best practice, a certain logical topology is often used with a particular physical topology. The main logical topologies that we are going to look at are Ethernet, Token Ring, FDDI (Fiber Distributed Data Interface) and Frame Relay.
  11. Ethernet
     • Ethernet is “baseband” or shared media
     • Only one station is allowed to be transmitting at any given time within a single collision domain
     • All stations are required to listen before they transmit
     • All stations are required to monitor their transmission to check for collisions
     • CSMA/CD

     Ethernet is by far the most popular logical topology. Ethernet is cost-effective and scales fairly well. While Ethernet itself is not fault tolerant, other technologies can be leveraged to increase Ethernet's availability. Ethernet is based on a shared media approach where only one station is allowed to be transmitting at a given time. The way that Ethernet works is often referred to as CSMA/CD, or carrier sense multiple access with collision detection. In more detail: before a station transmits on the wire, it listens to see if anyone else is transmitting. If someone else is transmitting, it waits. When the station determines that no one else is transmitting, it transmits its data on the wire and then listens to see if a collision occurs. If a collision does not occur, then everything is fine. If a collision does occur, then that station stops transmitting, backs off for a period of time and repeats all of the steps. As you can see, with Ethernet there are multiple systems accessing the media at the same time and they are all in the same collision domain. Once a station determines that the media is free and starts transmitting, it monitors the communication to make sure a collision did not occur, and if one does, it backs off and repeats the process. There are two general types of Ethernet: 10BaseT and 100BaseT. Let's look at each of these in the next two slides.
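The listen, transmit, detect and back-off cycle just described, as an added simulation that is not part of the SANS course material: a discrete-time model of several stations sharing one collision domain, with a seeded random backoff so a run is reproducible. The station names, frame lengths and backoff range are constructed assumptions.

```python
import random

def simulate_csma_cd(stations, seed=1, max_ticks=500):
    """Discrete-time model of CSMA/CD on one shared segment (one collision domain).

    stations: dict station name -> list of frame lengths, in ticks, queued to send.
    Returns (delivered, collisions): delivered is a list of (station, start_tick,
    length) for every frame that went out; collisions counts aborted attempts.
    """
    rng = random.Random(seed)                 # seeded so a run is reproducible
    queues = {s: list(frames) for s, frames in stations.items()}
    retry_at = {s: 0 for s in stations}       # earliest tick a station may try again
    busy_until = 0                            # tick at which the medium becomes idle
    delivered, collisions = [], 0
    for tick in range(max_ticks):
        if tick < busy_until:
            continue                          # carrier sense: medium busy, everyone waits
        # every station with a queued frame that is not backing off hears silence
        ready = [s for s in queues if queues[s] and retry_at[s] <= tick]
        if len(ready) > 1:
            # more than one station started at once: collision. Each aborts and
            # backs off a random number of ticks (constructed range) before retrying.
            collisions += 1
            busy_until = tick + 1             # the garbled signal occupies the wire briefly
            for s in ready:
                retry_at[s] = tick + 1 + rng.randint(0, 3)
        elif len(ready) == 1:
            s = ready[0]
            length = queues[s].pop(0)
            delivered.append((s, tick, length))
            busy_until = tick + length        # nobody else transmits until it finishes
        if not any(queues.values()):
            break
    return delivered, collisions

def overlapping(delivered):
    """True if any two transmissions in the delivered list share a tick."""
    spans = sorted((t, t + n) for _, t, n in delivered)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))
```

Two stations that both start at tick 0 collide at least once and are then serialised by the backoff; a single station never collides.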
  12. Token Ring and FDDI
     • Communication is token-based
     • Each station conditions/amplifies the token as it is passed
     • Typically, only one token is allowed per ring but there may be two (early release)
     • FDDI adds a second ring for fault tolerance

     With Token Ring and FDDI networks, a token is used to carry the data around the network. The logical topology is a ring, where each station receives the token and checks whether it holds data for that station. If it does, the station processes the token and passes it on to the next station; if not, it just passes the token on. In detail: a station starts with the token and, if it has data to send, puts the data in the token and passes it to the next station. Each station checks whether the data is for it, processes it if so, and then passes the token on to the next station. When the token gets back to the station that originally sent the data, that station removes the data, marks the token as empty and passes it on. When a station receives an empty token it can either put data in the token and have it sent round to all stations, or pass the empty token on to the next station in the ring. Token Ring and FDDI have a certain level of fault tolerance built right in. When a station does not see a token within a specific window of time, it will begin to send a beacon. A beacon is simply the station's way of saying, “Hey, I have not seen the token in a while, there may be a problem downstream from my location.” This allows systems on the network to automatically isolate the problem area and attempt some form of corrective action. For example, in a Token Ring environment, a system that is identified as having a problem will pull itself out of the ring and perform a self-diagnostic. If it finds a problem, the system will remain out of the ring, allowing the other systems to continue communicating normally. If the self-check passes, the station jumps back into the ring. One of the nice things about FDDI is that it has a fail-safe against this self-check. Think about this for a moment: a card that may be faulty is running a check to see if it is faulty. Does this sound like a good idea? In the case of FDDI there is a backup plan. If the upstream and downstream systems realize that the ring fails every time the faulty system jumps back in, they can take it upon themselves to isolate the offending system. This greatly increases the availability of the network. The main difference between Token Ring and FDDI is that FDDI has a second ring. The second ring is not for communication, just a backup. If the primary ring fails, then all communication switches to the second ring, but at any given time only one ring is being used for communication.
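The token-passing and beaconing behaviour described above, as an added simulation that is not from the course material. Station names and queued messages are constructed; the `failed` station (a faulty adapter that swallows the token) and the one-rotation silence window before a beacon are assumptions made to illustrate the fault case.

```python
from collections import deque

FREE = {"busy": False, "src": None, "dst": None, "data": None}

def run_token_ring(order, queues, rounds=3, failed=None):
    """Simulate one token circulating round a ring of stations.

    order:  station names in ring order (the token passes from each to the next).
    queues: dict station -> list of (destination, payload) it wants to send.
    failed: optional station whose faulty adapter swallows the token (assumption).
    Returns (delivered, beacons, log): delivered lists (src, dst, payload) in the
    order destinations copied them; beacons names the first station to beacon.
    """
    n = len(order)
    pending = {s: deque(queues.get(s, [])) for s in order}
    token = dict(FREE)                        # exactly one token on the ring
    # pretend each station last saw the token one full rotation ago at its position
    last_seen = {s: i - n for i, s in enumerate(order)}
    delivered, beacons, log = [], [], []
    for hop in range(rounds * n):
        station = order[hop % n]
        if token is None:
            # nothing arrived: after a whole ring's worth of silence, raise a beacon
            if hop - last_seen[station] >= n and not beacons:
                beacons.append(station)
                log.append(f"{station}: BEACON, no token seen for {n} hops")
            continue
        last_seen[station] = hop
        if station == failed:
            log.append(f"{station}: faulty adapter, token lost")
            token = None
            continue
        if token["busy"]:
            if token["dst"] == station:
                # addressed to me: copy the data off, leave the frame circulating
                delivered.append((token["src"], station, token["data"]))
                log.append(f"{station}: received {token['data']!r} from {token['src']}")
            if token["src"] == station:
                # my frame has come all the way round: strip it and release a free token
                log.append(f"{station}: frame returned, token released")
                token = dict(FREE)
        elif pending[station]:
            dst, data = pending[station].popleft()
            token = {"busy": True, "src": station, "dst": dst, "data": data}
            log.append(f"{station}: seized free token, {data!r} -> {dst}")
        else:
            log.append(f"{station}: free token passed on")
    return delivered, beacons, log
```

With a healthy ring the two queued messages are delivered in ring order; with station C failed, the first station downstream of it (D) is the one that beacons.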
  13. Asynchronous Transfer Mode (ATM)
     • ATM utilizes both OSI layer 2 and layer 3 communication properties
     • Like combining Ethernet and IP
     • Encapsulates common protocols
     • Uses Virtual Path Identifiers (VPI) to create end-to-end connectivity
     • ATM uses a fixed cell size (48 bytes) for better Quality of Service (QoS)

     ATM is a bit of a strange beast. It has properties that make it a logical topology like Ethernet or FDDI, as well as properties that make it a protocol like IP or IPX. Unless you have a pure ATM environment, all traffic must be encapsulated. ATM stations create permanent virtual circuits (PVCs) and switched virtual circuits (SVCs) across shared media. Think of making a phone call and you'll get the idea. When you dial a number, the phone company sets up a circuit from your phone to the phone you just dialed. When the call is complete, the circuit is torn down. This is useful because the network can provide a quality guarantee for your traffic. For example, when the VPI sets up the PVC it can state to each switch along the way, “I need 512 Kb/s to support a video conference, do you have that much bandwidth available?” If the answer is yes, the PVC is set up through that ATM switch. If the answer is no, then the VPI will attempt to create a path through some other switch. There has been a lot of talk about ATM's speed; this is due to pipe size rather than efficiency. As we will discuss later, ATM's cell size kills potential transfer rates when working with raw data. I've personally found that when passing typical network data, a 100 Mb Ethernet network will greatly outperform a 155 Mb ATM network at about 1/4 the price.
  14. What is Supported?
     • Bus – Ethernet, Token Bus
     • Ring – Token Ring, FDDI
     • Star – Ethernet, FDDI, Asynchronous Transfer Mode (ATM), VG-AnyLAN (Voice Grade)
     • Point-to-Point – Dial-up, DSL, T1, Frame Relay

     Now let's look at what is supported. As mentioned, not every physical topology is supported by every logical topology, so let's look at each physical topology to see what is supported. Ethernet networks typically use a bus or star physical topology. Token Ring typically utilizes a ring topology, but can also use a bus topology under certain circumstances. As you can see, there is not a one-to-one mapping between logical and physical topologies, but there are common combinations that are often grouped together.
  15. Twisted Pair Cabling Categories
     • Category 1 and 2 - Voice, low speed data
     • Category 3 - 10 Mb
     • Category 4 - 16 Mb
     • Category 5 - 100 Mb to 1 Gb

     Now that we understand the logical and physical topologies, let's look at the actual cabling that we would use to connect systems together. Cabling, particularly twisted pair, is designed to meet the criteria of a specific category. The supported category indicates what level of bandwidth can be pushed through the cable without error. While you can use category 3 (CAT3) cabling on a 100 Mb network, you would probably end up having intermittent communication problems and failures. Therefore, while CAT3 is suitable for 10BaseT communication, for 100BaseT communication you would need to use CAT5. Remember that your cabling is only as good as its weakest link. For example, I've seen environments using CAT5 cables and connectors where the punch-downs were only rated for CAT3. The best way to verify compliance is to use a cable tester and verify the entire circuit, including patch cables.
  16. Pin Assignments
     • Ethernet 10BT uses pins 1-3, 2-6
     • Ethernet 100BTx uses pins 1-3, 2-6
     • Ethernet 100BT4 uses pins 1-2, 3-6, 4-5, 7-8
     • Token Ring uses pins 3-6, 4-5
     • ATM uses pins 1-2, 7-8

     If you look closely at network cabling, or cut it open, you will notice that it is composed of several wires. When you put a connector onto the end of these wires, the connector assigns pin positions to each of the wires, and the pin positions determine what each wire is used for. This slide shows the pin-outs for some common network cabling. Note that 10BT and 100BTx Ethernet use only two of the four wire pairs found in CAT5 twisted pair cabling. Ethernet uses the following pin-out:
       1 = Transmit +
       2 = Transmit -
       3 = Receive +
       6 = Receive -
     Wiring both ends with this pin-out creates a “straight-through” cable.
  17. Crossover Cable
     • Wire 2 Ethernet devices without hub, switch, or bridge
     • 2 and only 2 devices
     • Cross:
       – +TX to +RX
       – -TX to -RX

     I can't tell you how many times I've needed a crossover cable and not had one handy. A crossover cable allows you to directly connect two Ethernet devices without a switch, hub, or bridge between them. You may also find that you need a crossover cable to wire your router to your switch if the switch does not have “switchable” ports to control what type of cable it expects, or an “Uplink” port. Since these cables are so handy, here are the wiring connections you need to create one:
       Pin 1 to Pin 3
       Pin 2 to Pin 6
       Pin 3 to Pin 1
       Pin 6 to Pin 2
  18. Frames vs Packets
     • A frame describes an OSI layer 2 chunk of data
       – Ethernet, Token Ring, Frame Relay
     • A packet is an OSI layer 3 chunk of data
       – IP, IPX, AppleTalk

     In conversation, you might hear people talk about frames and packets. In most cases they are describing the same thing as it appears at different layers of the OSI protocol stack. Just as a point of clarification, a frame refers to an OSI layer 2 chunk of data. For example, when talking about a chunk of data that includes the Ethernet delivery information, the proper term is “frame.” A packet refers to an OSI layer 3 chunk of information. For example, if you are looking at just the IP or IPX delivery information (i.e. without the Ethernet information), you would refer to the chunk as a “packet.”
  19. Frame Info Includes
     • Media Access Control (MAC) source and destination address
     • Header may have a type or length field
     • Trailer with a CRC check
     • Frames are used to encapsulate packets
       – Packet is within the frame's data section

     A frame includes MAC source and destination information. At the end of the frame is a CRC trailer that verifies the integrity of the rest of the frame. The data portion of the frame is actually an OSI layer 3 “packet.” In other words, packets get encapsulated inside frames.
  20. Anatomy of an Ethernet Frame
     • An Ethernet frame can be anywhere from 64 to 1,518 bytes in size
     • Organized into four sections
       – Preamble (not included in frame size)
       – Header (source and destination MAC)
       – Data (protocol header and data)
       – Frame check sequence (FCS)

     Let's look at what a frame contains in a little more detail. A preamble is a defined series of communication pulses that tells all receiving stations, “Get ready—I've got something to say.” The Ethernet preamble is always eight bytes long. The preamble is considered to be “overhead” in the communication process and is not included when measuring a frame's actual size. For example, when we say an Ethernet frame is 64 bytes long, this does not include the 8-byte preamble. An Ethernet header always contains information regarding who sent the frame and where they are trying to send it. It may also contain other information, such as how many bytes the frame contains, or an indicator of what type of Ethernet frame it is. For example, TCP/IP typically uses an Ethernet_II frame type. The Ethernet header size is always 14 bytes. The data section of the frame contains the actual data the station needs to transmit, as well as any protocol information such as the source and destination IP address. As mentioned earlier, the data field can be anywhere from 46 to 1,500 bytes in size. The frame check sequence is used to ensure that the data received is actually the data sent. The transmitting system runs the fields above through an algorithm called a cyclic redundancy check, or CRC, which produces a 4-byte number that is placed in this field. When the destination system receives the frame, it runs the same CRC and compares the result to the value within this field.
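The frame layout on this slide and the encapsulation rule from the previous one, as an added Python example that is not from the course: building an Ethernet_II frame (14-byte header, 46..1500-byte data, 4-byte FCS) around a constructed stand-in packet, then splitting it back into its sections and verifying the CRC on receipt. The CRC-32 used is the 802.3 polynomial as implemented by zlib; the MAC addresses and payload are constructed values.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800        # Ethernet_II type value carried by IP packets
HEADER_LEN, FCS_LEN = 14, 4    # dst MAC + src MAC + type; 4-byte CRC trailer
MIN_DATA, MAX_DATA = 46, 1500  # data field limits, giving 64..1518-byte frames

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, ethertype, packet):
    """Encapsulate a layer-3 packet in an Ethernet_II frame (preamble excluded)."""
    if len(packet) > MAX_DATA:
        raise ValueError("packet exceeds 1500 bytes; it must be fragmented higher up")
    data = packet.ljust(MIN_DATA, b"\x00")   # pad so the frame is at least 64 bytes
    header = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype)
    # FCS: CRC-32 over header and data, stored least-significant byte first
    fcs = zlib.crc32(header + data) & 0xFFFFFFFF
    return header + data + struct.pack("<I", fcs)

def parse_frame(frame):
    """Split a frame into its sections and verify the FCS; raise if it fails."""
    if not HEADER_LEN + MIN_DATA + FCS_LEN <= len(frame) <= HEADER_LEN + MAX_DATA + FCS_LEN:
        raise ValueError(f"frame length {len(frame)} is outside 64..1518 bytes")
    header, data, fcs = frame[:HEADER_LEN], frame[HEADER_LEN:-FCS_LEN], frame[-FCS_LEN:]
    # the receiver runs the same CRC over the fields above and compares
    if struct.unpack("<I", fcs)[0] != (zlib.crc32(header + data) & 0xFFFFFFFF):
        raise ValueError("FCS mismatch: frame altered or damaged in transit")
    return {"dst": mac_str(header[:6]), "src": mac_str(header[6:12]),
            "type": struct.unpack("!H", header[12:14])[0], "data": data}

def fcs_ok(frame):
    """True if the frame has a valid length and the receiver's CRC matches the FCS."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False

def flip_bit(frame, byte_offset):
    """Return a copy with one bit flipped, standing in for damage on the wire."""
    damaged = bytearray(frame)
    damaged[byte_offset] ^= 0x01
    return bytes(damaged)
```

A 38-byte stand-in packet pads out to exactly the 64-byte minimum frame, a 1500-byte packet gives the 1518-byte maximum, and a single flipped bit anywhere in header or data fails the FCS check.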