© ITT Educational Services, Inc. All rights reserved. IS3220 Information Technology Infrastructure Security Unit 1 Essential TCP/IP Network Protocols and Applications

Upload: gilbert-norris

Post on 06-Jan-2018



TRANSCRIPT

Page 1

IS3220 Information Technology Infrastructure Security

Unit 1: Essential TCP/IP Network Protocols and Applications

Page 2

• Name: Williams Obinkyereh, MSc. IT, Post Masters Software Engineering, DSC (Doctor of Computer Science) Student
• Contacts:
  – Phone: 612-516-9712
  – Email: [email protected]

Page 3

Introduction

• Class introduction
• Introduction of Course Syllabus
  – Course Summary
  – Lab Infrastructure (Mock)
  – Course Plan
  – Evaluation
  – Academic integrity
• Discussion and questions about syllabus

Page 4

Learning Objective

Review essential Transmission Control Protocol/Internet Protocol (TCP/IP) behavior and applications used in IP networking

Page 5

Key Concepts

• TCP/IP protocol analysis using NetWitness Investigator
• Differentiating clear-text from cipher-text
• Essential TCP/IP characteristics
• IP networking protocol behavior
• Network management tools

Page 6

EXPLORE: CONCEPTS

Page 7

TCP/IP Networking and OSI Reference Models

OSI layer          | TCP/IP layer
-------------------|------------------
7. Application     | Application
6. Presentation    | Application
5. Session         | Application
4. Transport       | Transport
3. Network         | Internet
2. Data link       | Network Interface
1. Physical        | Network Interface

Page 8

TCP/IP Protocol Suite

• Application: Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Hypertext Transfer Protocol (HTTP), Tele-network (Telnet), File Transfer Protocol (FTP)
• Transport: Transmission Control Protocol (TCP), User Datagram Protocol (UDP)
• Internet: Internet Protocol (IP), IPSec, Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), and Internet Group Management Protocol (IGMP)
• Network Interface: Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP)

Page 9

The Structure of a Packet

Page 10

A Packet Moves Through the Protocol Stack

Page 11

Protocol Analysis: Functions of a Protocol Analyzer

Why analyze data packets?
• Detect network problems, such as bottlenecks
• Detect network intrusions
• Check for vulnerabilities
• Gather network statistics

What does a protocol analyzer do?
• Captures and decodes data packets traveling on a network
• Allows you to read and analyze them

Page 12

NetWitness Investigator

• Threat analysis software
  – Protocol Analyzer
• Captures raw packets from wired and wireless interfaces
• Analyzes real-time data throughout the seven layers

Page 13

NetWitness Investigator (cont.)

• Filters by Media Access Control (MAC) address, IP address, user, and more
• Supports Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6)
• Gets daily threat intelligence data from the SANS Internet Storm Center
• Freely available

Page 14

Wireshark

• Network protocol analyzer
• Captures Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and other packets
• Analyzes real-time and saved data
• Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and others
• Supports IPv4 and IPv6
• Allows Voice over IP (VoIP) analysis
• Freely available

Page 15

EXPLORE: PROCESS

Page 16

Packet Capture Using NetWitness Investigator

• Start the capture
• Verify capture configuration settings: Network Adapter, Advanced Capture Settings, and Evidence Handling
• Define rules for capture: filters and alerts
• Select parsers to use with capture: Geolocation IP (GeoIP), Search, FLEXPARSE

Page 17

Trace Analysis Using NetWitness Investigator

Navigation
• Select a collection.
• Click Navigation.
• Select a report.
• Select a group of sessions.

Search
• Search for specific content.
• Open a collection.
• Click the Content Search icon.
• Search on keyword or regular expression.

Page 18

TCP/IP Transaction Sessions

Connection-oriented
• Sender
  – Breaks data into packets
  – Attaches packet numbers
• Receiver
  – Acknowledges receipt; lost packets are resent
  – Reassembles packets in correct order

Page 19

TCP Three-Way Handshake

Host → Server: 1 - SYN
Server → Host: 2 - SYN/ACK
Host → Server: 3 - ACK

Synchronize (SYN), Acknowledge (ACK)

Page 20

TCP Connection Termination (between Host and Server)

1 – ACK/FIN
2 – ACK
3 – ACK/FIN
4 – ACK

Acknowledge (ACK), Finish (FIN)

Page 21

TCP Connection Reset

Host → Server: 1 - SYN
Server → Host: 2 – SYN/ACK
Host → Server: 3 - RST

Synchronize (SYN), Acknowledge (ACK), Reset (RST)

Page 22

EXPLORE: CONTEXT

Page 23

IPv4 Addressing

• Assigned to computers for identification on a network
• 32-bit address space
• Internet routing uses numeric IP addresses
• Dotted decimal notation
  – Example: 192.168.0.10
• IP addresses in packet headers
• A packet makes many hops between source and destination

Page 24

Network Protocol Examination

Normal Packet
• Connecting to an FTP server
• Port 53 (DNS) in UDP
• Three-way handshake completes

Packet Showing Evidence of Port Scan
• Series of TCP packets, part of three-way handshake
• Arrange segments in sequential order by source port
• Destination ports also in sequential order
• Classic TCP port scan
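As an added example (not part of the slides or of NetWitness), the three TCP diagrams above and the port-scan pattern on this slide, checked in Python over a constructed packet list; the packet records, the flag letters and the `min_ports` threshold are assumptions made for the demo:

```python
from collections import defaultdict

# Constructed packets (not a real capture): (src_ip, src_port, dst_ip, dst_port, flags); S=SYN A=ACK F=FIN R=RST.
PACKETS = [
    # Normal FTP session: three-way handshake, then the four-step termination.
    ("10.0.0.5", 40000, "10.0.0.9", 21, "S"),
    ("10.0.0.9", 21, "10.0.0.5", 40000, "SA"),
    ("10.0.0.5", 40000, "10.0.0.9", 21, "A"),
    ("10.0.0.5", 40000, "10.0.0.9", 21, "FA"),
    ("10.0.0.9", 21, "10.0.0.5", 40000, "A"),
    ("10.0.0.9", 21, "10.0.0.5", 40000, "FA"),
    ("10.0.0.5", 40000, "10.0.0.9", 21, "A"),
    # Connection reset: SYN, SYN/ACK, then RST from the host instead of the final ACK.
    ("10.0.0.5", 40001, "10.0.0.9", 22, "S"),
    ("10.0.0.9", 22, "10.0.0.5", 40001, "SA"),
    ("10.0.0.5", 40001, "10.0.0.9", 22, "R"),
    # Port-scan pattern: one source sends a bare SYN to each of six consecutive destination ports.
] + [("10.0.0.7", 50000 + i, "10.0.0.9", 20 + i, "S") for i in range(6)]


def classify_session(flag_seq):
    """Map one session's flag sequence onto the slides' three diagrams."""
    if any("R" in f for f in flag_seq):
        return "reset"
    if flag_seq[:2] != ["S", "SA"] or len(flag_seq) < 3 or "A" not in flag_seq[2]:
        return "incomplete"  # e.g. a lone SYN that never completed the handshake
    return "closed" if sum("F" in f for f in flag_seq) >= 2 else "established"


def sessions(packets):
    """Group packets into sessions (both directions share one key) and classify each."""
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        flows[tuple(sorted([(src, sport), (dst, dport)]))].append(flags)
    return {key: classify_session(seq) for key, seq in flows.items()}


def scan_sources(packets, min_ports=5):
    """(src, dst, run) for sources that sent bare SYNs to a run of >= min_ports consecutive ports."""
    syn_ports = defaultdict(set)
    for src, _, dst, dport, flags in packets:
        if flags == "S":
            syn_ports[(src, dst)].add(dport)
    hits = []
    for (src, dst), ports in syn_ports.items():
        ordered = sorted(ports)
        run = best = 1
        for low, high in zip(ordered, ordered[1:]):
            run = run + 1 if high == low + 1 else 1
            best = max(best, run)
        if best >= min_ports:
            hits.append((src, dst, best))
    return hits
```

The FTP session classifies as closed, the second as reset, and the six single-SYN flows as incomplete, which is exactly the sequential-port pattern the slide calls a classic TCP port scan.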

Page 25

Clear-Text vs. Encrypted Protocols

Clear-text Protocols
• Are human readable
• FTP, Telnet, Simple Mail Transfer Protocol (SMTP), HTTP, Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAPv4), Network Basic Input/Output System (NetBIOS), Simple Network Management Protocol (SNMP)

Encrypted Protocols
• Are not human readable
• Secure Shell (SSH), SSH File Transfer Protocol (SFTP), HTTP Secure (HTTPS)
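As an added example (not from the slides), the "human readable" test on this slide turned into two payload checks in Python, printable-byte ratio and byte entropy; the FTP login sample, the toy SHA-256 keystream standing in for a real cipher, and the thresholds are all assumptions made for the demo:

```python
import hashlib
import math
from collections import Counter

# Constructed sample (not a real capture): the kind of FTP login a clear-text protocol exposes.
CLEAR = b"220 ftp ready\r\nUSER alice\r\n331 Password required\r\nPASS hunter2\r\n230 Login ok\r\n"


def keystream(seed: bytes, n: int) -> bytes:
    """Toy keystream from chained SHA-256 blocks; a demo stand-in for a real cipher, not one."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# The same login XORed with the toy keystream: what the wire carries under an encrypted protocol.
CIPHER = bytes(a ^ b for a, b in zip(CLEAR, keystream(b"demo-key", len(CLEAR))))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / max(len(data), 1)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text stays well below the 8-bit maximum, random-looking data sits near it."""
    n = max(len(data), 1)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, min_printable=0.95, max_entropy=5.5) -> str:
    """Label a payload the way an analyst eyeballs it in a trace: readable text vs. cipher-text."""
    if printable_ratio(data) >= min_printable and shannon_entropy(data) <= max_entropy:
        return "clear-text"
    return "cipher-text"
```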

Page 26

Summary

• TCP/IP protocol analysis using NetWitness Investigator
• Differentiating clear-text from cipher-text
• Essential TCP/IP characteristics
• IP networking protocol behavior
• Network management tools