060-001

The document outlines a course on Intrusion Prevention Essentials, covering topics such as the OSI Model, TCP/IP Protocol Suite, and IDS/IPS techniques. It includes practical labs for analyzing network packets using Ethereal. Key features of the course involve deep packet inspection and real-time detection for proactive prevention of intrusions.

Intrusion Prevention Essentials


朱瑞狄
BroadWeb Technology Certification and Training Center

http://training.broadweb.com
Course Outline

• OSI Model & TCP/IP Protocol Suite
• Introducing IDS/IPS Techniques
• Using Ethereal
• LAB: Analyzing Network Packets With Ethereal

2
OSI Model & TCP/IP Protocol Suite

• OSI Model
– Introduction
– Layering Concept
– Seven Layers of OSI Reference Model
• TCP/IP Protocol Suite
– Introduction
– TCP/IP and TCP/IP Protocol Suite
– TCP/IP Layering
– TCP Communication Architecture
– UDP Communication Architecture
– IP/ TCP/ UDP/ ICMP/ IGMP

4
OSI Model

• Introduction
• Layering Concept
• Seven Layers of OSI Reference Model

5
OSI Model: Introduction

• OSI: Open Systems Interconnection Reference Model
• Released by the International Organization for Standardization (ISO)
• Based on the idea called Protocol Layering

6
Layering Concept

• Protocol Layering
– Systems need to have layered modules to do different kinds of tasks
– Each layered module is called a layer
– Each layer has a defined role in the process of data communication
– A stack that consists of different modules is called a protocol stack

7
Layering Concept

8
Seven Layers of OSI Reference Model

9
Seven Layers of OSI Reference Model

• Application Layer
– Provides services to application processes or users
– Example: Telnet, FTP, and SMTP
• Presentation Layer
– Ensures that information sent from the application layer of one system is readable by the application layer of another system
– Character code translation/data conversion, data compression/expansion, data encryption/decryption
• Session Layer
– Establishes, manages, and terminates communication
sessions

10
Seven Layers of OSI Reference Model

• Transport Layer
– Responsible for providing data transfer between two end users at an agreed-upon level of quality
• Network Layer
– Responsible for routing data from one network node to
another
• Data Link Layer
– Responsible for providing reliable transit of data across a
physical network link.
• Physical Layer
– Defines the electrical, mechanical, procedural, and
functional specifications for activating, maintaining, and
deactivating the physical link between communicating
network systems
11
TCP/IP Protocol Suite

• TCP/IP Model and TCP/IP Protocol Suite
• TCP/IP Layering
• TCP Communication Architecture
• UDP Communication Architecture
• IP: Internet Protocol
• TCP: Transmission Control Protocol
• UDP: User Datagram Protocol
• ICMP: Internet Control Message Protocol
• IGMP: Internet Group Management Protocol

12
TCP/IP Model and TCP/IP Protocol Suite

13
TCP/IP Layering

14
TCP Communication Architecture

15
UDP Communication Architecture

16
IP: Internet Protocol

• Features
– Unreliable & Connectionless
• Primary Functions
– Addressing & Routing
– Fragmentation & Re-assembling

17
IP Datagrams

18
IP Header

VER | Hdr Len | TOS | Total Length

• Version: 4 bits
– Version number of the Internet Protocol
• Hdr Len: 4 bits
– Length of the IP Header
– Actual IP header length is the value of Hdr Len multiplied by 4 bytes
• Type of Service: 8 bits
– Parameters of the quality of service desired

Precedence (3) | D (1) | T (1) | R (1) | C (1) | Reserved (1)

19
IP Header

VER | IHL | TOS | Total Length
Identification | Flags | Fragment Offset

• Total Length: 16 bits
– Length of the IP datagram (or IP packet)
• Identification: 16 bits
– Uniquely identifies each datagram sent by a host
– Normally increments by one each time a datagram is sent
– When an IP datagram is fragmented, each of these divided IP datagrams has the same identification field value that the original datagram had
– Aids in reassembling the fragments of a datagram

20
IP Header

Identification | Flags | Fragment Offset

• Flags: 3 bits
– Bit 0: reserved, must be zero
– Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment
– Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments

21
IP Header

Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum

• Fragment Offset: 13 bits
– Indicates where in the datagram this fragment belongs
– Measured in units of 8 bytes
– The first fragment has offset zero
• Time to Live (TTL): 8 bits
– Indicates the maximum number of router-to-router hops the datagram can traverse as it passes through the network
– Prevents packets from circulating endlessly around the Internet (for example, in a routing loop)

22
IP Header

Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum

• Protocol: 8 bits
– Indicates the next level protocol used in the data portion of the Internet datagram

Value  Protocol
1      ICMP  Internet Control Message Protocol
2      IGMP  Internet Group Management Protocol
6      TCP   Transmission Control Protocol
17     UDP   User Datagram Protocol
50     ESP   Encap Security Payload for IPv6
51     AH    Authentication Header for IPv6
115    L2TP  Layer Two Tunneling Protocol

23
IP Header

Time to Live | Protocol | Header Checksum

• Header Checksum: 16 bits
– Makes sure the IP header does not get corrupted
– Recalculated at each router hop

24
IP Header

Source IP Address
Destination IP Address
Options | Padding

• Source IP Address: 32 bits
– Source IP address
• Destination IP Address: 32 bits
• Options: Length is variable
– May or may not appear in datagrams
– Indicates extended information for IP layers

25
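As an added example (not part of the slides), a small Python decoder for the IPv4 header fields described above: the Hdr Len word multiplier, the DF/MF flag bits, the fragment offset in 8-byte units, the protocol-number table, and header checksum verification. The protocol lookup and the sample fragment are constructed for this example.

```python
import struct

# Protocol-number table from the slide (constructed lookup for this example).
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH", 115: "L2TP"}


def ip_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (the IP header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the IPv4 header fields covered on the slides; raises on malformed input."""
    if len(packet) < 20:
        raise ValueError("packet too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # Hdr Len is in 4-byte words
    if version != 4 or hdr_len < 20 or hdr_len > len(packet) or total_len < hdr_len:
        raise ValueError("malformed IPv4 header")
    header = packet[:hdr_len]
    return {
        "version": version,
        "header_length": hdr_len,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),               # Flags bit 1: Don't Fragment
        "mf": bool(flags_frag & 0x2000),               # Flags bit 2: More Fragments
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # 13 bits, in units of 8 bytes
        "ttl": ttl,
        "protocol": IP_PROTOCOLS.get(proto, str(proto)),
        "checksum_ok": ip_checksum(header) == 0,       # whole header sums to 0 when intact
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": header[20:],
    }


def build_sample_header() -> bytes:
    """Constructed sample: second fragment (MF=1, offset 1480 bytes) of a UDP datagram."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x2000 | (1480 // 8),
                      64, 17, 0, bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    return raw[:10] + struct.pack("!H", ip_checksum(raw)) + raw[12:]
```

A router that decrements TTL must recompute the checksum; the test below shows that a TTL change without a recomputation is caught.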
TCP: Transmission Control Protocol

• Uses IP as the network layer
• Connection-oriented
– Has distinct openings and closings
– Uses the TCP three-way handshake to open a connection
– Has a normal four-way close procedure to close a connection
• Reliable
– Sends back an ACK for each correctly received segment
– Retransmits segments for lost packets

26
TCP Connection Example: PC (Transport Process) and Webserver (Transport Process)

Open
1. SYN (Open)
2. SYN, ACK (1) (Acknowledgement of 1)
3. ACK (2)
HTTP Data Req. & Resp.
4. HTTP request for data
5. ACK (4)
6. HTTP response data
7. ACK (6)
HTTP Data Req. & Resp. (with a lost packet)
8. HTTP request for data (packet lost)
9. HTTP request for data (No ACK so Retransmit)
10. ACK (9)
11. HTTP response data
12. ACK (11)
Close
13. FIN (intends to close the session)
14. ACK (13)
15. FIN
16. ACK (15)

Note: An ACK may be combined with the next segment if the next segment is sent quickly enough.

This figure is adapted from Corporate Computer and Network Security, Prentice Hall.
TCP Segment

28
TCP Header

Source Port (16 Bits) | Destination Port (16 Bits)
Sequence Number (32 Bits)
Acknowledgment Number (32 Bits)

• Source Port Number: 16 bits
– The source port number
• Destination Port Number: 16 bits
– The destination port number
• Sequence Number: 32 bits
– Indicates the segment's place in the sequence of segments within a connection
• Acknowledgement Number: 32 bits
– Allows the receiving transport process to indicate which segment is received and acknowledged

29
TCP Header

Hdr Len (4 Bits) | Reserved (6 Bits) | Flags (6 Bits) | Window (16 Bits)

• Hdr Len (Header Length): 4 bits
– Length of TCP Header
– Also called Data Offset
• Reserved: 6 bits
– Reserved for future use. Must be zero

30
TCP Header

• Flag Fields: 6 bits
– URG: The Urgent Pointer in the TCP Header is significant
– ACK: The acknowledgement is significant. This packet is
used to acknowledge earlier packets.
– PSH: This is the Push Function, used to flush data through
the TCP layer.
– RST: Reset. The connection should be reset.
– SYN: Synchronize sequence numbers
– FIN: Finish. There is no more data from the sender.
Therefore, the session should be torn down.

Reference: Skoudis, Counter Hack, Prentice Hall

31
TCP Header

• Window Size: 16 bits
– Controls the number of outstanding packets sent between systems
– Flow control

32
TCP Header

Checksum (16 Bits) | Urgent Pointer (16 Bits)

• Checksum (16 bits)
– Used to verify that the TCP packet was not corrupted during transmission
• Urgent Pointer (16 bits)
– Indicates where urgent information is located

33
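As an added example (not from the slides), a Python decoder for the TCP header fields listed above, together with a check of the three-way handshake from the connection example earlier: each ACK number must acknowledge the peer's SYN (its sequence number plus one). The segments are constructed for this example, with no options, payload or checksum.

```python
import struct

# Flag bits in the low 6 bits of the Data Offset/Reserved/Flags word (names from the slide).
TCP_FLAGS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the TCP header fields covered on the slides; raises on malformed input."""
    if len(segment) < 20:
        raise ValueError("segment too short for a TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4          # Hdr Len / Data Offset, in 4-byte words
    flags = off_flags & 0x3F                 # six flag bits; the Reserved bits sit in between
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("malformed TCP header length")
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_length": hdr_len,
        "flags": {name for bit, name in TCP_FLAGS.items() if flags & bit},
        "window": window, "checksum": csum,
        "urgent_pointer": urg if flags & 0x20 else None,   # only meaningful when URG is set
        "options": segment[20:hdr_len],
    }


def check_three_way_handshake(syn: bytes, synack: bytes, ack: bytes) -> bool:
    """Verify the flag sequence and that each ACK number acknowledges the peer's SYN (seq + 1)."""
    s, sa, a = (parse_tcp_header(x) for x in (syn, synack, ack))
    nxt = lambda n: (n + 1) & 0xFFFFFFFF     # sequence numbers wrap at 32 bits
    return (s["flags"] == {"SYN"}
            and sa["flags"] == {"SYN", "ACK"} and sa["ack"] == nxt(s["seq"])
            and a["flags"] == {"ACK"} and a["ack"] == nxt(sa["seq"])
            and a["seq"] == sa["ack"])


def build_segment(sport, dport, seq, ack, flags, window=65535) -> bytes:
    """Constructed sample segment: 20-byte header, no options, no payload, checksum left 0."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)


# Constructed handshake: a client on port 40000 opens a connection to a web server on port 80.
HANDSHAKE = (
    build_segment(40000, 80, 1000, 0, 0x02),        # 1. SYN
    build_segment(80, 40000, 5000, 1001, 0x12),     # 2. SYN, ACK (acknowledges 1)
    build_segment(40000, 80, 1001, 5001, 0x10),     # 3. ACK (acknowledges 2)
)
```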
UDP: User Datagram Protocol

• Connectionless and Unreliable
– No need for acknowledgements, sequence numbers, flags, and other complexities of TCP

34
IP Packet with an ICMP Message

35
ICMP: Internet Control Message Protocol

• Created for Internet supervisory information
• Three major categories:
– Network analysis messages
• Ex: Ping (ICMP echo message and echo reply)
– Error advisement messages
• Ex: ICMP destination unreachable and ICMP time exceeded
– Control messages
• Ex: ICMP source quench

36
IGMP: Internet Group Management Protocol

• Designed to allow Internet hosts to participate in multicasting

37
Course Outline

• OSI Model & TCP/IP Protocol Suite
• Introducing IDS/IPS Techniques
• Using Ethereal
• LAB: Analyzing Network Packets With Ethereal

38
Introducing IDS Technologies

39
Introducing IPS Technologies

40
Features of IPS

• Deep packet inspection
• Inline mode
• Real-time detection
• Proactive prevention
• Wire-line speed

41
Course Outline

• OSI Model & TCP/IP Protocol Suite
• Introducing IDS/IPS Techniques
• Using Ethereal
• LAB: Analyzing Network Packets With Ethereal

42
Using Ethereal

• Introduction
• Start Capturing Packets
• Useful Tips
– Changing Ethereal file format
– Exporting a packet as plain text file
– Finding a packet
– Marking a packet
– Copying a packet’s data
– Viewing capture interfaces status
– Defining capture filters
– Defining display filters
– “Apply As Filters” Function
– Saving a TCP stream of data
– “Coloring Rules” Function

43
Course Outline

• OSI Model & TCP/IP Protocol Suite
• Introducing IDS/IPS Techniques
• Using Ethereal
• LAB: Analyzing Network Packets With Ethereal

44
LAB: Analyzing Network Packets With
Ethereal

• Tracert
• IP Sweep (in the same sub net)
• IP Sweep (in different sub net)
• Port Scan
• DNS Query
• POP3
• SMTP
• HTTP
• Trojan Horse

45
Q&A

46
