Review For Exam 1
(February 6, 2013)
© Abdou Illia – Spring 2013
Introduction to Systems Security
3
The PTP framework
Any security system must have 3 key elements
People (users and IT staff)
Technology (firewall, IDS, antivirus, etc.)
Policies (Safe-Use policy, password policy, privacy policy, etc.)
People are usually the weakest link
4
Preventing Security Threats
Use anti-virus software
Use software firewall
Use hardware/appliance firewall
Use Intrusion Defense Systems
Use Intrusion Prevention Systems
Install OS updates
Install applications’ updates
Do not open file attachments from unknown sources
Do not click URLs in emails from unknown sources
Social engineering tests/Mock phishing schemes
Awareness training
Acceptable computer use policy
Password policy
Etc.
5
Countermeasures
Tools used to thwart attacks
Also called safeguards, protections, and controls
Types of countermeasures
Preventative
Detective
Corrective
Question: Match each of the countermeasures from the previous slide with its type.
6
The Plan-Protect-Respond cycle
Dominates security management thinking
Figure 2-6
7
Dialog attack: Eavesdropping
Figure: Bob (client PC) and Alice (server) exchange a dialog ("Hello"); the attacker (Eve) intercepts and reads the messages.
Intercepting a confidential message being transmitted over the network
8
Dialog attack: Message Alteration
Figure: Bob (client PC) sends "Balance = $1" to Alice (server); the attacker (Eve) intercepts the message and alters it to "Balance = $1,000,000".
Intercepting confidential messages and modifying their content
9
Denial-of-Service (DoS) attack
Figure: the attacker sends a message flood; the server is overloaded by the message flood.
Resources Access Control (Part 1)
12
Break-in and Dialog attacks: Security Goal
If eavesdropping and message alteration attacks succeeded, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secret could be stolen
d) Competitors might get the victim company’s licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Confidentiality = Main goal in implementing defense systems against eavesdropping and message alteration.
Defense tools: encryption, hashing, etc.
13
Malware attacks: Security Goal
If virus attacks succeeded, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secret could be stolen
d) Competitors might get the victim company’s licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Integrity = Main goal of implementing defense systems against malware attacks.
Defense tools: antivirus, IDS, IPS
14
DoS attack: Security Goal
If a DoS attack succeeded, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secret could be stolen
d) Competitors might get the victim company’s licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Availability = Main goal of implementing defense systems against DoS attacks.
Defense tools: firewalls, IDS, IPS
15
Security Goals
Three main security goals (CIA):
Confidentiality of communications and proprietary information
Integrity of corporate data
Availability of network services and resources
Authenticity: ensuring that the data, transactions, communications or documents are genuine. Also validating that both parties involved are who they claim to be.
Non-repudiation: ensuring that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction.
16
Opening Question
Which of the following actions may be taken in order to strengthen the confidentiality of companies’ proprietary information?
a) Prevent employees from accessing files not needed in their job
b) Limit the number of computers each employee could use for logging in to the network
c) Encrypt any communications involving passwords
d) All of the above
17
What is Access Control?
Access control is the policy-driven limitation of access to systems, data, and dialogs
Access control prevents attackers from gaining access to systems’ resources, and helps stop them if they do
18
What is Access Control?
AAA process
Authentication: supplicant sends credentials to verifier to authenticate the supplicant
Authorization: what permissions the authenticated user will have
What resources he or she can get to at all
What he or she can do with these resources
Auditing: recording what people do in log files
Detecting attacks
19
Reusable Passwords
Used repeatedly to get access to a resource on multiple occasions
Bad because attacker could have time to crack it
Difficult to crack by remote guessing
Usually cut off after a few attempts
However, if intruder steals the password file, he/she can crack passwords at leisure
20
Password Cracking
With physical access or with the password file in hand, an attacker can use password cracking programs:
Program | Windows | Linux
L0phtcrack (now LC5) | √ |
Ophcrack | √ |
John The Ripper | √ | √
RainbowCrack (uses lookup tables and hash functions) | √ | √
Crack | | √
Cain & Abel | √ |
Programs usually come with "dictionaries" with thousands or even millions of entries of several kinds
Programs use the brute-force cracking method
Used by network admins to locate users with weak passwords, and by attackers.
21
22
Brute-force password cracking
Dictionary cracking vs. hybrid cracking
Try all possible character combinations
Longer passwords take longer to crack
Combining types of characters makes cracking harder
Alphabetic, no case (26 possibilities)
Alphabetic, case (52)
Alphanumeric (letters and numbers) (62)
All keyboard characters (~80)
23
Figure 2-3: Password Length
Number of possible passwords = N^L (N = alphabet size, L = password length in characters)
Password length in characters | Alphabetic, no case (N=26) | Alphabetic, case (N=52) | Alphanumeric: letters & digits (N=62) | All keyboard characters (N=~80)
1 | 26 | 52 | 62 | 80
2 (N^2) | 676 | 2,704 | 3,844 | 6,400
4 (N^4) | 456,976 | 7,311,616 | 14,776,336 | 40,960,000
6 | 308,915,776 | 19,770,609,664 | 56,800,235,584 | 2.62144E+11
8 | 2.08827E+11 | 5.34597E+13 | 2.1834E+14 | 1.67772E+15
10 | 1.41167E+14 | 1.44555E+17 | 8.39299E+17 | 1.07374E+19
Q: Your password policy is: (a) the password must be 6 characters long, (b) the password should include only decimal digits and lowercase alphabetic characters. What is the maximum number of passwords the attacker would try in order to crack a password in your system?
24
Dictionary and Hybrid cracking
Dictionary cracking (1)
Try common words (“password”, “ouch”, etc.)
There are only a few thousand of these
Cracked very rapidly
Hybrid cracking (2)
Used when dictionary cracking fails
Common word with one or a few digits at the end, etc.
(1) Also called dictionary attack
(2) Also called hybrid attack
25
Password Policies
Good password policy
At least 8 characters long
Change of case not at beginning
Digit (0 through 9) not at end
Other keyboard characters not at end
Example: triV6#ial
Completely random passwords are best but usually are written down
Password duration
Regularly test the strength of internal passwords
Disable passwords no longer valid
26
Password Policies (cont)
Shared passwords
Not a good policy
Removes the ability to learn who took actions; loses accountability
Usually not changed often or at all because of the need to inform all sharers
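As an added example (not from the slides), here is Python that turns the four alphabet classes of Figure 2-3, the N^L search-space count, the dictionary/hybrid patterns and the good-password rules above into checks a password policy could run. The reading of "change of case not at beginning" (the first two letters must not differ in case) and the tiny word list are my assumptions.

```python
import string

# Alphabet sizes N from Figure 2-3.
CLASS_SIZES = {
    "alphabetic, no case": 26,
    "alphabetic, case": 52,
    "alphanumeric": 62,
    "all keyboard characters": 80,  # the slide's approximate figure
}

# Constructed stand-in for a cracker's word list (real ones hold thousands to millions of words).
DICTIONARY = {"password", "ouch", "trivial", "letmein", "welcome"}


def keyspace(n, length):
    """Candidates a brute-force cracker must cover for alphabet size N and length L: N^L."""
    return n ** length


def char_class(password):
    """Smallest Figure 2-3 class that contains every character of the password."""
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_digit = any(c in string.digits for c in password)
    has_other = any(c not in string.ascii_letters + string.digits for c in password)
    if has_other:
        return "all keyboard characters"
    if has_digit:
        return "alphanumeric"
    if has_lower and has_upper:
        return "alphabetic, case"
    return "alphabetic, no case"


def brute_force_space(password):
    """Size of the search space a brute-force cracker faces for this password."""
    return keyspace(CLASS_SIZES[char_class(password)], len(password))


def is_dictionary_or_hybrid(password, dictionary=DICTIONARY):
    """Dictionary pattern: a common word. Hybrid pattern: a common word plus one or a few trailing digits."""
    word = password.lower().rstrip(string.digits)
    trailing_digits = len(password) - len(word)
    return word in dictionary and trailing_digits <= 3


def policy_violations(password):
    """Return the slide's good-password rules the password breaks (empty list means compliant)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    letters = [c for c in password if c.isalpha()]
    if not (any(c.islower() for c in letters) and any(c.isupper() for c in letters)):
        problems.append("no change of case")
    elif len(letters) > 1 and letters[0].isupper() != letters[1].isupper():
        problems.append("change of case at the beginning")  # assumed reading of the rule
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    elif password[-1].isdigit():
        problems.append("digit at the end")
    if not any(not c.isalnum() for c in password):
        problems.append("no other keyboard character")
    elif not password[-1].isalnum():
        problems.append("other keyboard character at the end")
    if is_dictionary_or_hybrid(password):
        problems.append("dictionary word or word plus digits (hybrid-crackable)")
    return problems


if __name__ == "__main__":
    for pw in ("triV6#ial", "Password1", "ouch99"):
        print(pw, char_class(pw), brute_force_space(pw), policy_violations(pw))
```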
27
Questions
Q.1. ABC Inc. has a network with three users. The users have the following usernames: aillia, jwillems, vhampton. A shared-password policy implemented by the network administrator allowed the users to logon with the password abc123. Last night someone committed an attack stealing sensitive corporate information after elevating the privileges associated with the account they used to logon. Which of the following is true? (Choose all that apply)
a) the audit log file could be checked to determine at what time the attacker logged in
b) the audit log file could be checked to determine which user account was used in committing the attack
c) the audit log file could be checked to determine who committed the attack
d) all of the above.
Q.2. If your answer to Q.1 above indicates that at least one of the statements is not true, explain why.
________________________________________________________________
________________________________________________________________
28
Summary Questions
What are the three main security goals?
What security goal is jeopardized by a successful eavesdropping attack?
What is the difference between dictionary cracking and hybrid cracking?
What is a shared password? Do you recommend shared passwords? Why?
29
Alternatives to password
Access Cards
Magnetic stripe cards
Smart cards
Have a microprocessor and RAM
Can implement public key encryption for challenge/response authentication
Token
Constantly changing password devices for one-time passwords
USB plug-in tokens
30
Alternatives to password (cont.)
Proximity Access Tokens
Use Radio Frequency ID (RFID) technology
Supplicant only has to be near a door or computer to be recognized
Two-Factor Authentication
Access card: 1st factor
PINs for the second factor
Short: 4 to 6 digits
Can be short because attempts are manual
Should not choose obvious combinations (1111, 1234) or important dates
31
Alternatives to password (cont.)
Biometric Authentication
Authentication based on biological (bio) measurements (metrics).
Biometric authentication is based on something you are (your fingerprint, iris pattern, face, hand geometry, and so forth)
Or something you do (write, type, and so forth)
The major promise of biometrics is to make reusable passwords obsolete
32
Alternatives to password (cont.)
Resources Access Control (Part 2)
34
Wireless telecomm control
IEEE* is a professional association that:
Is dedicated to advancing technological innovations
Develops standards for wired LAN devices
Develops standards for Wireless LAN (WLAN) devices
Wi-Fi Alliance is a trade association that promotes Wireless LAN technology
Certifies products if they conform to certain standards
* Institute of Electrical and Electronics Engineers
35
IEEE 802.11 WLAN standards
Standard | 802.11b | 802.11a | 802.11g | 802.11n | 802.11ac*
Unlicensed band | 2.4 GHz | 5 GHz | 2.4 GHz | 2.4 GHz or 5 GHz | 2.4/5 GHz?
Rated speed | ≤11 Mbps | ≤54 Mbps | ≤54 Mbps | ≤150 Mbps | ≤866 Mbps
# of channels | 3 | 12 | 13 | 13 |
* Under development
AM radio channels have a 10 KHz bandwidth; FM radio channels have a 200 KHz bandwidth.
Service band 2.4 - 2.4835 GHz divided into 13 channels. Each channel is 40 MHz wide. Channels spaced 5 MHz apart. Channel 1 centered on 2412 MHz; Channel 13 centered on 2472 MHz. Transmissions spread across multiple channels. 802.11b and 802.11g devices use only Channels 1, 6, 11 to avoid transmission overlap.
36
802.11 Wireless LAN operation
802.11 refers to the IEEE Wireless LAN standards
Figure: an 802.11 frame containing the packet travels between the notebook (wireless NIC) and the access point; an 802.3 frame containing the same packet travels over the wired LAN between the access point, the Ethernet switch, the server and a client PC (steps 1 to 3).
37
802.11 Wireless LAN operation
1. If the AP is 802.11n-compliant, it could communicate with the notebook even if the notebook has an 802.11a NIC. True / False
2. Given what you know about WLAN operation, where (i.e. on which device) should security be implemented to prevent unauthorized devices from accessing network services?
38
Summary Question (1)
Which of the following is among Wireless Access Points’ functions?
a) Convert electric signal into radio wave
b) Convert radio wave into electric signal
c) Forward messages from wireless stations to devices in a wired LAN
d) Forward messages from one wireless station to another
e) All of the above
f) Only c and d
39
MAC Filtering
The Access Point could be configured to only allow mobile devices with specific MAC addresses
Today, attack programs exist that could sniff MAC addresses, and then spoof them to gain access
Figure: access point with a MAC address access control list (sample entries).
40
IP Address Filtering
The Access Point could be configured to only allow mobile devices with specific IP addresses
Attacker could:
Get an IP address by guessing based on the company's range of IP addresses
Sniff IP addresses, then spoof them to gain access
Figure: access point with an IP address access control list (sample entries: 139.67.180.1/24-139.67.180.30/24, 139.67.180.75, 139.67.180.80, 139.67.180.110, ...).
41
Access control at EIU
What is used at EIU today to control access to the WLAN?
42
SSID: Apparent 802.11 Security
Service Set Identifier (SSID)
It’s a “Network name” of up to 32 characters
Access Points come with a default SSID. Example: “tsunami” for Cisco or “linksys” for Linksys
All Access Points in a WLAN have the same SSID
Mobile devices must know the SSID to “talk” to the access points
SSID frequently broadcast by the access point for ease of discovery
SSIDs in frame headers are transmitted in clear text
SSID broadcasting could be disabled but it’s a weak security measure
Sniffer programs (e.g. Kismet, inSSIDer) can find SSIDs easily
43
Wired Equivalent Privacy (WEP)
Standard originally intended to make wireless networks as secure as wired networks
With WEP, mobile devices need to provide a shared key to be authenticated and gain access
Typical WEP key length: 40-bit, 128-bit, 256-bit
If a hacker intercepts, decrypts, and compares two messages encrypted with the same key, he/she will know the key
Question: Besides through hacking, how can a WEP key be leaked? What can be done to limit access by unauthorized users?
WEP authentication process
1. Wireless station sends an authentication request to the AP
2. AP sends back a 128-bit challenge text in plaintext
3. Wireless station uses the RC4 encryption scheme to encrypt the challenge text with its WEP key and sends the result to the AP
4. AP regenerates the WEP key from the received result, then compares the WEP key to its own WEP key
5. AP sends a success or failure message
Open source WEP cracking software: aircrack-ng, weplab, WEPCrack, airsnort
44
Wired Equivalent Privacy (WEP)
Using Initialization Vectors (IVs)
To make the shared key hard to crack, WEP uses a per-frame key that is the shared key plus a 24-bit initialization vector (IV) that is different for each frame/packet.
However, many frames “leak” a few bits of the key
With high traffic, an attacker using readily available software can crack a shared key in 2 or 3 minutes
45
Wi-Fi Protected Access (WPA)
WPA extends the security of WEP/RC4 primarily by:
Increasing the IV from 24 bits to 48 bits
Implementing a system for automatic rekeying called TKIP (Temporal Key Integrity Protocol)
Cryptographic characteristic | WEP | WPA | 802.11i (WPA2)
Cipher for confidentiality | RC4 with a flawed implementation | RC4 with 48-bit initialization vector (IV) | AES with 128-bit keys
Automatic rekeying | None | Temporal Key Integrity Protocol (TKIP), which has been partially cracked | AES-CCMP mode
Overall cryptographic strength | Negligible | Weaker but no complete crack to date | Extremely strong
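To show what the per-frame IV buys and why WPA widened it from 24 to 48 bits, here is an added Python example (not from the slides): a textbook RC4, WEP's IV-plus-shared-key framing, and the consequence of an IV repeating under the same shared key, namely that the XOR of the two ciphertexts equals the XOR of the two plaintexts. The shared key, IV and messages are constructed, and the birthday estimate assumes IVs are chosen at random.

```python
import math


def rc4_keystream(key, length):
    """RC4: key-scheduling algorithm (KSA), then pseudo-random generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt_frame(shared_key, iv, plaintext):
    """WEP per-frame key = IV || shared key (24-bit IV); the IV is sent in clear next to the ciphertext."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv, xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def keystream_reuse_leak(frame_a, frame_b):
    """Two frames under the same IV share a keystream, so c_a XOR c_b = p_a XOR p_b.
    Returns that XOR (the leaked relation between the plaintexts), or None when the IVs differ."""
    (iv_a, c_a), (iv_b, c_b) = frame_a, frame_b
    if iv_a != iv_b:
        return None
    return xor_bytes(c_a, c_b)


def expected_frames_until_iv_repeat(iv_bits):
    """Birthday bound: random IVs of this size are expected to repeat after about sqrt(pi/2 * 2^bits) frames."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    key = b"\x01\x23\x45\x67\x89"   # constructed 40-bit shared key
    iv = b"\x0a\x0b\x0c"             # constructed IV, reused for both frames
    p1, p2 = b"Balance = $1,000,000", b"Balance = $0,000,001"
    f1, f2 = wep_encrypt_frame(key, iv, p1), wep_encrypt_frame(key, iv, p2)
    print(keystream_reuse_leak(f1, f2) == xor_bytes(p1, p2))  # True: IV reuse exposes p1 XOR p2
    print(round(expected_frames_until_iv_repeat(24)), round(expected_frames_until_iv_repeat(48)))
```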
46
802.11i (or WPA2)
In 2004, the IEEE 802.11 working group developed a security standard called 802.11i to be implemented in 802.11 networks.
802.11i tightens security through the use of the AES encryption scheme with a 128-bit key
802.11i can be added to existing APs and NICs
The 128-bit key changes
47
Other protocols used in 802.11i
Authentication and data integrity in 802.11i and 802.11x rely on the Extensible Authentication Protocol (EAP), which has different options:
Wireless Transport Layer Security (WTLS) protocol
Server and mobile devices must have digital certificates
Requires that a Public Key Infrastructure (PKI) be installed to manage digital certificates
Tunneled WTLS
Digital certificates are installed on the server only
Once the server is securely authenticated to the client via its Certificate Authority, a secured tunnel is created.
Server authenticates the client through the tunnel.
Client could use passwords as a means of authentication
48
Using an Authentication Server
Figure: applicant (Lee), access point, RADIUS server / WAP gateway, and directory server or Kerberos server.
1. Authentication request
2. Pass on request to RADIUS server
3. Get user Lee's data (optional; RADIUS server may store authentication data)
4. Accept applicant, key = XYZ
5. OK, use key XYZ
RADIUS is an AAA (Authentication, Authorization, Accounting) protocol.
Once the user is authenticated, the AP assigns the user an individual key, avoiding a shared key.
TCP/IP Internetworking
50
Layered Communications: Encapsulation – De-encapsulation
Application programs on different computers cannot communicate directly. There is no direct connection between them! They need to use an indirect communication system called layered communications or layer cooperation.
Figure: the user PC (Browser, Transport, Internet, Data Link, Physical) and the web server (Web App, Transport, Internet, Data Link, Physical) communicate layer by layer; the HTTP request is handed down the layers on the user PC and back up the layers on the web server.
51
Layer Cooperation on the User PC
Encapsulation on the sending machine: embedding the message received from the upper layer in a new message
Figure: encapsulation of the HTTP request on the user PC
Application: HTTP req. (HTTP request)
Transport: TCP-H | HTTP req. (TCP segment)
Internet: IP-H | TCP-H | HTTP req. (IP packet)
Data Link: PPP-H | IP-H | TCP-H | HTTP req. | PPP-T (frame)
Physical
Encapsulation of the HTTP request in the data field of a TCP segment
52
Layer Cooperation on the Web server
De-encapsulation: other layers pass successive data fields (containing next-lower layer messages) up to the next-higher layer
Figure: de-encapsulation of the HTTP request on the web server, from the transmission media upward
Data Link: PPP-H | IP-H | TCP-H | HTTP req. | PPP-T (frame)
Internet: IP-H | TCP-H | HTTP req. (IP packet)
Transport: TCP-H | HTTP req. (TCP segment)
Application: HTTP req. (HTTP request)
53
Questions
1. What is encapsulation? On what machine does it occur: sending or receiving machine?
2. If a layer creates a message, does that layer or the layer below it encapsulate the message?
3. What layer creates frames? Segments? Packets?
54
IP Packet
IP Version 4 Packet (bit 0 to bit 31)
Version (4 bits, value 0100) | Header Length (4 bits) | QoS (8 bits) | Total Length (16 bits)
Identification (16 bits) | Flags | Fragment Offset (13 bits)
Time To Live (8 bits) | Protocol (8 bits: 1=ICMP, 6=TCP, 17=UDP) | Header Checksum (16 bits)
Source IP Address (32 bits)
Destination IP Address (32 bits)
Options (if any) | Padding
Data Field
QoS: also called Type of Service, indicates the priority level the packet should have
Identification tag: to help reconstruct the packet from several fragments
Flags: indicate whether the packet could be fragmented or not (DF: Don't Fragment), and whether more fragments of a packet follow (MF: More Fragments or NF: No More Fragments)
Fragment offset: identifies which fragment this packet is attached to
TTL: indicates the maximum number of hops (or routers) the packet could pass before a hop discards it
Header checksum: to check for errors in the headers only
55
Questions
What is the main version of the Internet Protocol in use today? What is the other version?
What does a router do with an IP packet if it decrements its TTL value to zero?
Assume that a router received an IP packet with the Protocol in header set to 6. What Transport layer protocol is used in the message: TCP, UDP, or ICMP?
56
IP Fragmentation
When a packet arrives at a router, the router selects the port and subnet to forward the packet to
If the packet is too large for the subnet to handle, the router fragments the packet, i.e.:
Divides the packet’s data field into fragments
Gives each fragment the same Identification tag value, i.e. the Identification tag of the original packet
First fragment is given a Fragment Offset value of 0
Subsequent fragments get Fragment Offset values consistent with their data’s place in the original packet
Last fragment’s Flag is set to “No More Fragments”
Destination host reassembles fragments based on the offsets.
Figure: the Identification (16 bits), Flags and Fragment Offset (13 bits) fields; a packet is fragmented when forwarded from Subnet 1 to Subnet 2.
57
Firewalls and Fragmented IP Packets
Figure: attacker (1.34.150.37) sends a fragmented packet to 60.168.47.47 through a router and a firewall. (1) First fragment: IP header, TCP header, TCP data field. (2) Second fragment: IP header, TCP data field, no TCP header. (3) TCP header only in the first fragment. (4) TCP data field. (5) Firewall (60.168.47.47) can only filter on the TCP header in the first fragment.
Fragmentation makes it hard for firewalls to filter individual packets
TCP or UDP header appears only in the first fragment
Firewall might drop the first fragment, but not subsequent fragments
Some firewalls drop all fragmented packets
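The header layout, fragmentation fields and firewall problem above, as an added Python example (not from the slides): a parser for the IPv4 header that also verifies the header checksum, plus a builder for two constructed fragments using the figure's addresses, showing that only the first fragment (offset 0) carries the TCP header a firewall can inspect.

```python
import struct

# Protocol field values named on the slide.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ip_checksum(header):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words, complemented.
    Run over a header that already contains its checksum, the result is 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet):
    """Split an IPv4 packet into the header fields shown on the slide and its data field."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    version_ihl, qos, total_len, ident, flags_frag, ttl, proto, _cksum = struct.unpack("!BBHHHBBH", packet[:12])
    version, header_len = version_ihl >> 4, (version_ihl & 0x0F) * 4  # header length is in 32-bit words
    if version != 4 or header_len < 20 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 packet")
    flags = flags_frag >> 13
    return {
        "version": version,
        "header_length": header_len,
        "qos": qos,
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags & 0b010),                     # Don't Fragment
        "mf": bool(flags & 0b001),                     # More Fragments (0 = "No More Fragments")
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # stored in 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum_ok": ip_checksum(packet[:header_len]) == 0,
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "data": packet[header_len:total_len],
    }


def build_ipv4(src, dst, proto, ident, offset, more_fragments, payload, ttl=64):
    """Constructed packet (20-byte header, correct checksum) for the fragments below."""
    flags_frag = (int(more_fragments) << 13) | (offset // 8)
    header = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), ident, flags_frag, ttl, proto, 0)
    header += bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def transport_header_visible(fields):
    """A firewall can filter on the TCP/UDP header only in the first fragment (offset 0)."""
    return fields["fragment_offset"] == 0


# Constructed fragments: a 20-byte TCP header followed by data, split so that the
# second fragment carries only TCP data (addresses taken from the slide's figure).
TCP_HEADER = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, 5 << 12 | 0x02, 65535, 0, 0)
FIRST = build_ipv4("1.34.150.37", "60.168.47.47", 6, 0x1234, 0, True, TCP_HEADER + b"GET ")
SECOND = build_ipv4("1.34.150.37", "60.168.47.47", 6, 0x1234, 24, False, b"/ HTTP/1.0\r\n")

if __name__ == "__main__":
    for frag in (FIRST, SECOND):
        f = parse_ipv4(frag)
        print(f["identification"], f["fragment_offset"], f["mf"], f["checksum_ok"], transport_header_visible(f))
```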
58
TCP Segment
TCP segment (bit 0 to bit 31)
Source Port Number (16 bits) | Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
Header Length (4 bits) | Reserved (6 bits) | Flag Fields: ACK, SYN, … (6 bits) | Window Size (16 bits)
TCP Checksum (16 bits) | Urgent Pointer (16 bits)
Data
Port number: identifies sending and receiving application programs.
Sequence number: identifies the segment’s place in the sequence. Allows the receiving Transport layer to put arriving TCP segments in order.
Acknowledgement number: identifies which segment is being acknowledged.
Flag fields: six one-bit flags: ACK, SYN, FIN, RST, URG, PSH. Can be set to 0 (off) or 1 (on). E.g. SYN=1 means a request for connection/synchronization.
Q: If the ACK flag is set to 1, what other field must also be set to let the receiver know what TCP segment is being acknowledged?
59
TCP and use of Flags
TCP is a connection-oriented protocol
Sender and receiver need to establish a connection
Sender and receiver need to agree to “talk”
Flags are used for establishing the connection
Sender requests connection opening: SYN flag set to 1
If the receiver is ready to “talk”, it responds with a SYN/ACK segment
Sender acknowledges the acknowledgment
If the sender does not get an ACK, it resends the segment
Figure: 3-way handshake between the PC transport process and the web server transport process
1. SYN (Open)
2. SYN, ACK (1) (Acknowledgment of 1)
3. ACK (2)
Note: with connectionless protocols like UDP, there are no flags. Messages are just sent. If part of the sent messages is not received, there is no retransmission.
Flag fields (6 bits): ACK, SYN, FIN, RST, URG, PSH
60
Communication during a normal TCP Session
Note: At any time, either process can send a TCP RST (reset) segment with RST bit set to 1 to drop the connection (i.e. to abruptly end the connection).
Q1: How many segments are sent in a normal TCP communication opening? ____
Q2: How many segments are sent in a normal TCP communication closing? ____
61
SYN/ACK Probing Attack
Figure: attacker (1.34.150.37) and victim (60.168.47.47).
1. Probe 60.168.47.47 with a SYN/ACK segment
2. No SYN (Open) was sent: makes no sense!
3. Go away! (IP header + RST segment)
4. Source IP address = 60.168.47.47
5. 60.168.47.47 is live!
Sending SYN/ACK segments helps attackers locate “live” targets
Older Windows OS could crash when they receive a SYN/ACK probe
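As an added Python example (not from the slides), here is a parser for the TCP header fields and flags above, a builder for constructed segments, and a small connection tracker that walks the 3-way handshake, checks that each acknowledgment carries the expected acknowledgment number, and labels a SYN/ACK that arrives with no preceding SYN, which is the probe the slide describes. The client address 10.0.0.5 and the port and sequence numbers are constructed; the attacker, victim and server addresses are the slides' own.

```python
import struct

# One-bit flags in the 6-bit flag field (low bits of the header-length/flags word).
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def parse_tcp(segment):
    """Return the TCP header fields named on the slide; flags come back as the set of names that are on."""
    if len(segment) < 20:
        raise ValueError("too short for a TCP header")
    src_port, dst_port, seq, ack, off_flags, window, checksum, urgent = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4  # header length is in 32-bit words
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "header_length": header_len, "window": window, "checksum": checksum,
            "urgent": urgent, "flags": {n for n, bit in FLAG_BITS.items() if off_flags & bit},
            "data": segment[header_len:]}


def build_tcp(src_port, dst_port, seq, ack, flags, data=b""):
    """Constructed segment with a 20-byte header; the checksum is left at zero (not computed here)."""
    off_flags = (5 << 12) | sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, 65535, 0, 0) + data


def track(flows, src_ip, dst_ip, segment):
    """Advance the state of one connection and describe what the segment means."""
    f = parse_tcp(segment)
    key = frozenset({(src_ip, f["src_port"]), (dst_ip, f["dst_port"])})
    state, last_seq = flows.get(key, (None, None))
    flags = f["flags"]
    if "RST" in flags:                        # either side may abruptly end the connection
        flows.pop(key, None)
        return "reset"
    if flags == {"SYN"}:                      # handshake step 1
        flows[key] = ("SYN_SENT", f["seq"])
        return "handshake 1: SYN"
    if flags == {"SYN", "ACK"}:               # handshake step 2, only meaningful after a SYN
        if state != "SYN_SENT":
            return "unsolicited SYN/ACK (probe)"
        if f["ack"] != last_seq + 1:
            return "SYN/ACK with wrong acknowledgment number"
        flows[key] = ("SYN_RECEIVED", f["seq"])
        return "handshake 2: SYN/ACK"
    if "ACK" in flags and state == "SYN_RECEIVED":  # handshake step 3
        if f["ack"] != last_seq + 1:
            return "ACK with wrong acknowledgment number"
        flows[key] = ("ESTABLISHED", None)
        return "handshake 3: ACK"
    return "data/other"


def analyze(exchange):
    """Run the tracker over a list of (src_ip, dst_ip, segment) tuples and return one label per segment."""
    flows = {}
    return [track(flows, s, d, seg) for s, d, seg in exchange]


# Constructed exchange: a normal opening between a client and a web server, then the
# slide's probe: an unexpected SYN/ACK from 1.34.150.37 answered by 60.168.47.47 with RST.
SAMPLE = [
    ("10.0.0.5", "60.168.4.6", build_tcp(49562, 80, 1000, 0, {"SYN"})),
    ("60.168.4.6", "10.0.0.5", build_tcp(80, 49562, 5000, 1001, {"SYN", "ACK"})),
    ("10.0.0.5", "60.168.4.6", build_tcp(49562, 80, 1001, 5001, {"ACK"})),
    ("1.34.150.37", "60.168.47.47", build_tcp(40000, 80, 7777, 1, {"SYN", "ACK"})),
    ("60.168.47.47", "1.34.150.37", build_tcp(80, 40000, 0, 0, {"RST"})),
]

if __name__ == "__main__":
    for label in analyze(SAMPLE):
        print(label)
```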
62
TCP and use of Port numbers
Port numbers identify applications
Well-known ports (0-1023): used by major server applications running at root authority.
HTTP web service=80, Telnet=23, FTP=21, SMTP email=25
Registered ports (1024-49151): used by client and server applications.
Ephemeral/dynamic/private ports (49152-65535): not permanently assigned by ICANN.
Figure: web server applications (www:80, FTP:21, SMTP:25) running on the operating system and computer hardware (HD, RAM chip, processor); the Source Port Number (16 bits) and Destination Port Number (16 bits) fields of the TCP header.
Socket notation: IP address:Port #
63
Questions
A host sends a TCP segment with source port number 25 and destination port number 49562.
1) Is the source host a server or a client? Why?
2) If the host is a server, what kind of service does it provide?
3) Is the destination host a server or a client? Why?
64
TCP and Port spoofing
Most companies set their firewall to accept packets to and from port 80
Attackers set their client program to use well-known port 80
Attackers set their application to use well-known port despite not being the service associated with the port
65
Questions
1. What is IP Fragmentation? Does IP fragmentation make it easier for firewalls to filter incoming packets? Why?
2. What is SYN/ACK probing attack?
3. What kind of port numbers do major server applications, such as email service, use?
4. What kind of port numbers do client applications usually use?
5. What is socket notation?
6. What is port spoofing?
7. How many well-known TCP ports are vulnerable to being scanned, exploited, or attacked?
66
IP Routing
Figure: host 60.3.45.129 sends a packet to host 60.3.47.129; Router A (Interface 1, Interface 2) connects to Router B and Router C; networks 60.x.x.x and 60.3.x.x.
Routing Table for Router A
Route | IP Address Range | Metric | Next-Hop Router
1 | 60.3.x.x | 9 | B
2 | 128.171.x.x | 2 | B
3 | 60.3.47.x | 8 | C
4 | 10.5.3.x | 6 | B
5 | 128.171.17.x | 2 | Local
6 | 10.4.3.x | 2 | C
Routing matches for 60.3.47.129: routes 1 and 3.
Because of multiple alternative routes in router meshes, routers may have several rows that match an IP address.
Routers must find ALL matches and then select the BEST ONE. This is slow and therefore expensive compared to switching.
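As an added Python example (not from the slides), the "find all matches, then select the best one" rule applied to the routing table for Router A as reconstructed above. The tie-break (longest prefix first, then lowest metric, treating a lower metric as better, then lowest route number) is my assumption, since the slide does not say how the best match is chosen.

```python
import ipaddress

# Routing table for Router A as reconstructed from the slide: (route, range, metric, next hop).
ROUTING_TABLE = [
    (1, "60.3.x.x", 9, "B"),
    (2, "128.171.x.x", 2, "B"),
    (3, "60.3.47.x", 8, "C"),
    (4, "10.5.3.x", 6, "B"),
    (5, "128.171.17.x", 2, "Local"),
    (6, "10.4.3.x", 2, "C"),
]


def to_network(wildcard_range):
    """Turn the slide's 'a.b.x.x' notation into a CIDR network: each trailing x is one 8-bit wildcard octet."""
    octets = wildcard_range.split(".")
    fixed = [o for o in octets if o != "x"]
    if len(octets) != 4 or "x" in octets[:len(fixed)]:
        raise ValueError("wildcard octets must be trailing: %s" % wildcard_range)
    address = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network("%s/%d" % (address, 8 * len(fixed)))


def matching_routes(destination, table=ROUTING_TABLE):
    """Step 1 from the slide: a router must find ALL rows whose range contains the destination."""
    addr = ipaddress.ip_address(destination)
    return [row for row in table if addr in to_network(row[1])]


def best_route(destination, table=ROUTING_TABLE):
    """Step 2: pick the best match. Assumed rule: longest (most specific) prefix wins;
    ties go to the lowest metric (taking a lower metric as better), then the lowest route number."""
    matches = matching_routes(destination, table)
    if not matches:
        return None
    return min(matches, key=lambda row: (-to_network(row[1]).prefixlen, row[2], row[0]))


if __name__ == "__main__":
    for dest in ("60.3.47.129", "60.3.45.129", "128.171.17.13", "9.9.9.9"):
        rows = [r[0] for r in matching_routes(dest)]
        best = best_route(dest)
        print(dest, "matches", rows, "best", best and "route %d via %s" % (best[0], best[3]))
```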
67
Vertical Communication on Routers
Figure: Router 1 with four ports, each with a Data Link (DL) process and a physical (PHY) layer, and a single Internet layer process; a frame arrives on Port 1 and the packet is decapsulated (A).
Notes:
A. Router R1 receives the frame in Port 1. Port 1 Data Link decapsulates the IP packet. Port 1 Data Link passes the packet to the Internet layer.
68
Vertical Communication on Routers
Figure: the same router; the Internet layer passes the packet to Port 4, where it is encapsulated in a new frame and sent toward Router 2 (B).
B. Internet layer sends the packet out on Port 4. Data Link process on Port 4 encapsulates the packet in a DL frame. Data Link process passes the frame to Port 4 PHY.
69
Summary Questions (Part 1)
How many layers are there in a router?
Can a router be a software program?
Suppose that Computer 1 sends a message to Computer 2. Assume that there are two routers (R1 and R2) along the route that leads to Computer 2. Assume that a frame from the message is received by R1 in Port 2. Which of the following will happen next?
a) The Data Link layer process in Port 1 will de-encapsulate the IP packet from the frame
b) The Physical layer will pass the frame to the Data Link layer process in Port 2
c) The Data Link layer process in Port 2 will de-encapsulate the IP packet from the frame
d) None of the above
70
IP Address
IP is a connectionless protocol
IP addresses are like postal addresses
Postal addresses are hierarchical: state, city, postal zone, street, house address
IP addresses have the following hierarchy:
Network number (tells what network the host is on)
Subnet number (tells what segment of the network the host is on)
Computer number (identifies a particular computer on the segment)
Routers look at the network part (and the segment part for some) to make routing decisions
Final router looks at the host part
71
Hierarchical IP Address
Network Part (not always 16 bits) | Subnet Part (not always 8 bits) | Host Part (not always 8 bits)
Total is always 32 bits.
Figure: the Internet connects to the EIU network (139.67), which contains the School of Business subnet (130), which contains host 13; the full address is 139.67.130.13.
72
IP Address notations
IP addresses are really strings of 32 bits (1s and 0s)
Example: 10000000101010100001000100001101
Usually represented by four number segments separated by dots: dotted decimal notation
Example: 128.171.17.13
Other examples: 127.18.47.145, 127.47.17.47
73
IP Address Spoofing
Figure: the trusted server (60.168.4.6) has a trust relationship (1) with the victim server (60.168.47.47). The attacker’s client PC (1.34.150.37) sends a message with a spoofed source IP address (2): From 60.168.4.6, To 60.168.47.47; the trusted server’s address 60.168.4.6 is used.
Reasons for IP spoofing:
Anonymity
Exploiting a trust relationship
IP address spoofing is sending a message with a false IP address with the intent to mislead the receiving device and gain access
74
Questions
1. Make sure you can answer the TCP/IP questions posted to the Notes’ section of the class website