Transcript Networking

Network Concepts and Troubleshooting:

A field guide for understanding IP networks

Laren Metcalf - Dir. IP Services

Networking History

Ethernet – Started as 10 Mbit Ethernet, a shared topology using coax cable: RG-58 for thin net, RG-8 for thick net, terminated with a resistor on each end. A station is connected using a tap into the coax.

Signalling: CSMA/CD – Carrier Sense Multiple Access with Collision Detect (shared media, collision detect):
• Check for idle on the media
• Send the frame
• If a collision is detected, stop transmitting the frame
• Send a jam signal (32-bit binary pattern)
• Wait a backoff period
• Retry

10 Base 5 (thick net) – Max distance 500 meters (1640 ft), max 100 nodes
10 Base 2 (thin net) – Max distance 185 meters (607 ft), max 30 nodes
NIC – Network Interface Card
MAC – Media Access Control. Each device has a unique MAC address

Networking History

Ethernet – 10 Base T, 100 Base T, 1000 Base T; Power over Ethernet IEEE 802.3af/at

Ethernet over coax was not flexible enough, so 10BASE-T was developed using standard 8-wire twisted pair cabling with an RJ45 connector, using pins 1, 2, 3 and 6. Gigabit uses all four pairs.

Network switch – Every port is a separate bridge domain. Packets don’t go out all ports, only to the port of the destination MAC address.

POE/POE+ – Power over Ethernet, IEEE 802.3af/at
• Example: an IP phone getting power from the network switch over the RJ45 connection, 5 volts @ 7 watts; a wireless access point getting power from the RJ45 connection @ 15 watts
• Distance is 100 meters (328 ft); extenders for longer distance
• 802.3af max 15.4 watts, 802.3at max 34.20 watts
• Voltage range 44-57 V, max current 350 mA – 600 mA
• 4 power class levels negotiated at initial connection. Class/mA: 0/0-4, 1/9-12, 2/17-20, 3/26-30, 4/36-44
• Power extenders – boost power, but also boost noise. Can be used to go 200 meters, 300 meters or more; it is better to get power and a POE switch closer to the device

Home Network

The fastest growing segment of the market. Simpler, but it still has to follow the rules. WAN port – the outside carrier connection comes in through a modem. Connections are made in the back of the home router, which could be a wireless device as well. Speed issues: applications are driving speeds up at the edge, then to the provider, then across the provider network.

Tablets Smartphones

Broadcom is coming out with a 2x2 MIMO chip, the BCM4354, for smartphones, called 5G WiFi MIMO. Current chips are 1x1 MIMO.

Appliances Smart TV

Networking

Classification of Traffic – Each application on a network (data, voice, video) can have separate QoS. VLANs (virtual LANs) are used to separate each application. When using multiple applications that require isochronous, consistent communications, classify your data:
• Video VLAN – Traffic needs to be identified and prioritized
• Voice VLAN – Devices need to be in a VLAN with high priority (HIGH QoS)
• Data VLAN – Low priority data, web browsing, email (Low QoS)
Access Point – Just like a switch offering connections

Networking

Trunk vs. Access Ports – Trunk ports carry multiple VLANs and connect switch to switch. If only one VLAN is required on a port, it can be configured as an access port that assigns that VLAN to all traffic.

Untagged packets have no VLAN embedded in them; the port assigns the VLAN. Tagged packets have the VLAN embedded in the packet using 802.1Q.

[Diagram: 802.1Q packet – access port (tagged, voice VLAN) – trunk – access port (tagged, data VLAN)]
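The 802.1Q tag described above, as an added example that is not part of the original slides: it builds a tagged frame, decodes the TPID/TCI fields (priority, drop-eligible bit, VLAN ID) and maps the frame onto an assumed voice/data/video VLAN plan the way a switch or QoS policy would.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q tagged frame

# Assumed VLAN plan for this example (not from the original slides):
# VLAN ID -> (traffic class, QoS treatment)
VLAN_PLAN = {100: ("data", "low"), 200: ("voice", "high"), 300: ("video", "high")}


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag.

    Tagged:   dst(6) | src(6) | TPID 0x8100(2) | TCI(2) | EtherType(2) | payload
    Untagged: dst(6) | src(6) | EtherType(2) | payload
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False, "ethertype": ethertype}
    if ethertype != TPID_8021Q:
        return info  # untagged: the switch port decides the VLAN, nothing is in the frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    info.update(
        tagged=True,
        pcp=tci >> 13,          # 3-bit Priority Code Point: the QoS class (voice is usually 5)
        dei=(tci >> 12) & 0x1,  # Drop Eligible Indicator
        vid=tci & 0x0FFF,       # 12-bit VLAN ID (0 = priority-tagged only, 4095 reserved)
        ethertype=inner_type,   # EtherType of the encapsulated payload
    )
    return info


def build_frame(dst: bytes, src: bytes, vid: int, pcp: int, ethertype=0x0800, payload=b"", dei=0) -> bytes:
    """Construct a tagged frame; used here only to make sample input for parse_frame."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
        raise ValueError("vid must be 0-4095 and pcp 0-7")
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def classify(info: dict, plan=VLAN_PLAN, access_vlan=100) -> dict:
    """Map a parsed frame onto the VLAN plan; an untagged frame takes the port's access VLAN."""
    vid = info["vid"] if info["tagged"] else access_vlan
    traffic_class, qos = plan.get(vid, ("unknown", "discard"))
    return {"vid": vid, "class": traffic_class, "qos": qos}


if __name__ == "__main__":
    # Constructed sample: a voice frame on VLAN 200 with PCP 5, and an untagged data frame
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    voice = build_frame(dst, src, vid=200, pcp=5, payload=b"\x45" + b"\x00" * 19)
    untagged = dst + src + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19
    for f in (voice, untagged):
        info = parse_frame(f)
        print(info["tagged"], classify(info))
```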

Networking Media Types

Gigabit / 10 gigabit / 40 gigabit / 100 gigabit Ethernet

1 Gbit SFP fiber
  SX – black/beige lever, 850 nm, 550 m
  LX – blue extractor lever, 1310 nm, 10 km
  EX – blue extractor lever, 1550 nm, 40 km
  ZX – blue extractor lever, 1550 nm, 80 km

10 Gbit SFP+ fiber
  10GBASE-SR – Short Range, 850 nm, 400 m
  10GBASE-LR – Long Range, 1310 nm, 10 km
  10GBASE-ER – Extended Reach, 1550 nm, 40 km
  10GBASE-ZR – ZR Reach, 1550 nm, 80 km

40 Gbit QSFP+

  40GBASE-SR4 – Short Range, OM3/OM4, 100/125 m
  40GBASE-LR4 – Long Range, 1310 nm, 10 km
  40GBASE-ER4 – Extended Reach, 1310 nm, 40 km
  40GBASE-T – Cat8 copper, 4 pair, 30 m

100 Gbit Fiber*

  100GBASE-SR4 – Short Range, OM3/OM4, 100/125 m
  100GBASE-LR4 – Long Reach, 1310 nm, 10 km
  100GBASE-ER4 – Extended Reach, 1310 nm, 40 km

* Remains a carrier platform. Vendors with products – Arista, Brocade, Huawei, Cisco (limited), Juniper (limited)

Wireless Networking

WiFi – 802.11 a/b/g/n/ac

802.11 a/b – 11 Mbit. Old and slow. Devices using this require the other wireless devices capable of faster speeds to slow down. 3 non-overlapping channels.

802.11g – 54 Mbit (22.5 Mbit x 2), uses the 2.4 GHz radio. Wide band (two 20 MHz channels bonded into a 40 MHz channel) for higher speed (simulated n), but it will conflict with channels in a multiple-AP environment. 3 non-overlapping channels. 802.11n in 2.4 GHz uses 82% of the channels with 40 MHz wide channels.

802.11n – 72 Mbit/150 Mbit per stream; MIMO allows 300 Mb, 450 Mb and 600 Mb. 5 GHz. MIMO: most common is 3x3:3, 3 Tx antennas, 3 Rx antennas, 3 streams.

802.11ac – 433.3 Mbit per stream, 1300 Mbit total. 80 or 160 MHz channels versus 40 MHz in 802.11n. Limited distance. Wider channels, more streams.

Future – 802.11ad “WiGig”, 60 MHz channels and 7 Gbit speed; 802.11af, based on 802.11ac, geo discovery for optimal connection, 568.9 Mbit

MIMO – Spatial multiplexing using multiple antennas. Notation: Tx x Rx : Streams

Requirements:
• Adaptive beamforming – manipulates the phase and amplitude of the signal at each transmitter and rejects unwanted signals
• Precoding – multi-stream beamforming; improves the received signal quality at the decoding stage. Spatial multiplexing creates spatial beam patterns in the same frequency channel
• Space-time coding/processing – separates each antenna element

802.11n has a max of 4x4 MIMO and a channel width of 40 MHz.

802.11ac: 8 spatial streams with 80 MHz channel width, 256-QAM modulation, up from 64-QAM in 802.11n.

Quadrupling spectral efficiency over 802.11n

Wireless Networking

WiFi – 2.4GHz

2.4 GHz only has 13 channels (US) with 3 that don’t overlap. Power and channel are critical for it to function in a multi-radio environment. SNR – Power determines the signal to noise ratio, which is critical for communication. SNR – 40 dB excellent, 25 to 40 very good, 15 to 25 low, 10 to 15 very low

Wireless Networking

802.11n 5 GHz – 7x more channels. 5 GHz has 24 non-overlapping channels; uses dynamic frequency selection (DFS) and transmit power control (TPC) to avoid interference with weather radar and military applications.

Wireless Wifi

inSSIDer – tool to see wireless power and channel

Wireless Wifi

Xirrus Wi-Fi Inspector – FREE from Xirrus

Break?

Next Section OSI 7 Layer model

OSI 7 Layer model

Soup to Nuts - Everything

OSI 7 Layer model

Simplify - Break it Down

Specialized Applications

Network Access

OSI 7 Layer model

The dividing line between the end device and the network

Network Access

Example: TCP/IP

Transmission Control Protocol / Internet Protocol

Example (Network Access): LAN, WAN, Wireless LAN, SONET, ATM

OSI 7 Layer model

TCP/IP Protocols

Server

Example – FTP connection

Client

Example – Email

Outlook client requests email data from the mail server

Security – Are Firewalls enough?

They’ve been around for 20+ years!!

Perimeter defense is still needed; firewalls have evolved, but they aren’t perfect.

Stateful Inspection – CBAC, Context Based Access Control

Inspects packets from the external network, only allowing traffic when the connection was initiated from the inside network. Examines network, transport and application layer information (deep packet inspection, DPI).

Platforms –
• New platforms – Palo Alto, FireEye: granular network and device permissions, application aware
• Older – Checkpoint, Cisco, Juniper, Sonicwall, Fortinet, Watchguard
• Linux – iptables is the basis for most Linux firewalls (packet filtering): IPCop, Shorewall (iptables with a GUI), UFW (iptables/netfilter). Don’t ignore Vyatta, m0n0wall, …

Access List

Filter by IP address or transport protocol. Not a secure method to block traffic: no monitoring or tracking of sessions, only the ability to see hits on the access list rules.

NAT – Network Address Translation

One-to-one NAT, one-to-many NAT (conserves IP addresses). Not a secure method to block traffic.

Security

Intrusion Detection / Intrusion Prevention (IDS/IPS) – Detect it and you can address it

• Systems are inline with traffic and monitor for attacks as they occur
• Must have a signature database – updates are critical
• Day Zero attacks – How can they be detected?
• Forensics – Capture the traffic and reconstruct what was compromised; understand the scope and extent of the attack
• Seen as high end appliances, only in large enterprise and uber secure networks
• IDS/IPS components are in security/firewall devices, including wireless – it only takes a signature database and DPI…

Security

Small and Midsize Companies vs. Large Corporations

• They do what they can – antivirus, perimeter firewall, compliance requirements
• Viruses and malware are spreading and evolving; attack patterns are changing
• Since 2008 viruses have taken off, coming in through mobile devices with corporate email
• Do-it-yourself hacker kits: identify what they want to do – a whole new level of sophistication
• Security companies get called in and block known attacks, and find unknown attacks only after forensics (decoding packet traces to and from devices)
• The nature of wireless makes it the easiest target. Aircrack tools for WEP and WPA cracking just need enough data to sift through to figure out the keys.

Malware

Types of threats

• Android OS – HEUR.Trojan-Spy: intercepts SMS messages and uploads them to a server with an encrypted URL. Appears on the Android phone as a blue shield named Android Security Suite Premium
• Adobe PDF Reader (prior to version 9) used to deliver malicious payloads which evade malware and intrusion detection software

• Linksys/Cisco “Moon” worm – connects to port 8080, loads a worm 2 MB in size, scans 670 different networks and tries to infect other systems. A fix requires new code; disable remote management.

• DDoS attacks – 100 Gbps using an old NTP command requesting that data be sent to another server. Amplification directs thousands of NTP servers at a targeted system. Up 371% in the last 30 days.
• Mt. Gox, the world’s largest bitcoin exchange – a coin stealer on Mac or Windows, TibanneSocket.exe, seeks out bitcoins.conf and wallet.dat and sends them to a command server in Bulgaria. Hackers posted a zip file supposed to be a data dump and tools found on Mark Karpeles’ (Bitcoin’s CEO) personal blog and reddit account that would allow access to Mt. Gox data, but they turned out to be Bitcoin wallet stealing malware.

• Facebook – ‘See your friends naked’. Over 2 million people fell for this. It showed a picture of one of your contacts saying click here to see a video of them naked. It brought the user to a YouTube page stating they needed to upgrade their Flash player; if they downloaded it, malware loaded that steals your photos and adds a browser extension to spread the scam.

Companies offer rewards

• Facebook and Microsoft reward hackers finding security holes
• Wurm Online offering a $13,000 bounty for info on a DDoS attack
• Most hacking is not reported; banks and institutions fear publicity

If you get caught…

• A hacker joined a DDoS attack for one minute and was fined $183,000 for causing a website to be down for 15 minutes
• A hacker could face 10 years in prison for breaking into an intelligence company, Stratfor
• The worldwide attention to Aaron Swartz’s felony charges for hacking MIT academic files led to his suicide

Financial Malware most popular threat in 2013

1400 Financial Institutions in 88 targeted by Banking Trojan in 2013 337% increase

Antivirus firm Symantec has released a threat report called “The State of Financial Trojans: 2013”. Over 1,400 financial institutions have been targeted and millions of computers have been compromised around the globe, with US banks the most targeted (71.5%) of all analyzed Trojans.

First 3 quarters of 2013 – number of computers compromised:
  2M   – Zbot + Gameover
  125K – Cridex
  33K  – Shylock
  26K  – Spyeye
  21K  – Bebloh
  9K   – Mebroot
  2K   – Tilon

The Botnet Population is Huge – according to a study by McAfee

* Source: thehackernews.com

Understanding TCP Syn Attack

It can be used for nefarious activity – the same scenario as with a phone call. In a SYN flood attack the malicious client sends SYN packets to the server without the intent of setting up a connection. It doesn’t wait for the SYN-ACK packet; it sends another SYN packet trying to set up yet another connection. The server keeps each half-open connection active for 2 minutes before letting it go, and as new SYN requests keep coming in the server will eventually be unable to keep up and will either refuse new connections or reboot.

About DDoS attacks

DoS attack multiplied

Multiple attacks launched from many computers unknowingly infected with a virus or Trojan that allows them to be controlled by a ‘bot herder’. An attacker can issue commands to the entire herd, ordering them to attack a specific target.

Immediately the target goes down and doesn’t come back up until

Low Orbit Ion Cannon (LOIC) – ‘Hive Mind’ allows a single user to control a network of LOIC daemons distributed globally

Tools like Low Orbit Ion Cannon make it easy for anyone to maliciously take nearly any size target anywhere offline. DDoS attacks are escalating and occurring for reasons of extortion, political and ideological agendas, anti-competitive initiatives, and suppression of free speech.

Mitigation of DDoS – Filter / Control / Black Hole Traffic. Purpose-built packet filter

Linux Server

ps aux | grep -i http | wc -l
  → Identify the traffic, e.g. if it’s web traffic on port 80
netstat -an | grep :80 | awk '{print $5}' | sort
  → List the remote ends of the port 80 sessions; if there are more than 30 sessions you are under attack
iptables -A INPUT -s <Attacking Network IP Address> -j DROP
  → Stop the attacking network
OR black-hole the attacker via a route to the loopback interface:
route add -host <Attacking IP Address> gw 127.0.0.1 lo
route add -net <Attacking Network> netmask <Network Mask> gw 127.0.0.1 lo

* This can also be used to implement a bogon (bogus IP address) block list
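The “more than 30 sessions” check above and the half-open connections left by the SYN flood described earlier, as an added example that is not part of the original slides: it parses constructed `netstat -ant` output, counts SYN_RECV (half-open) and ESTABLISHED sessions per remote address on the web port, flags sources over the slide’s threshold and renders the slide’s iptables rule for an operator to review. The sample output and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ant` output (not a real capture): a LISTEN socket, two
# ESTABLISHED web sessions, one SSH session, and 35 half-open (SYN_RECV) connections
# left behind on port 80 by a single source.
SAMPLE_NETSTAT = (
    "Active Internet connections (servers and established)\n"
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
    "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN\n"
    "tcp        0      0 10.0.0.5:80             203.0.113.10:44120      ESTABLISHED\n"
    "tcp        0      0 10.0.0.5:80             203.0.113.11:44121      ESTABLISHED\n"
    "tcp        0      0 10.0.0.5:22             203.0.113.12:50001      ESTABLISHED\n"
    + "".join(
        f"tcp        0      0 10.0.0.5:80             198.51.100.7:{40000 + i}      SYN_RECV\n"
        for i in range(35)
    )
)

# proto recv-q send-q local:port foreign:port state  (IPv6 forms such as :::80 also match)
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)\s*$")


def sessions_by_source(netstat_text: str, local_port: int = 80):
    """Count remote addresses talking to local_port, split into half-open and established."""
    half_open, established = Counter(), Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header or unrelated lines
        _laddr, lport, raddr, _rport, state = m.groups()
        if int(lport) != local_port:
            continue
        if state == "SYN_RECV":      # handshake never completed: our SYN-ACK got no ACK
            half_open[raddr] += 1
        elif state == "ESTABLISHED":
            established[raddr] += 1
    return half_open, established


def suspicious_sources(half_open: Counter, threshold: int = 30) -> list:
    """Sources holding more than `threshold` half-open sessions (the slide's rule of thumb)."""
    return sorted(src for src, n in half_open.items() if n > threshold)


def drop_rules(sources) -> list:
    """Render the slide's iptables rule for each flagged source (returned as text, not executed)."""
    return [f"iptables -A INPUT -s {src} -j DROP" for src in sources]


if __name__ == "__main__":
    half_open, established = sessions_by_source(SAMPLE_NETSTAT)
    print("half-open on :80 in total:", sum(half_open.values()))
    print("\n".join(drop_rules(suspicious_sources(half_open))))
```

A flood that spoofs its source addresses spreads SYN_RECV entries across many addresses, so watch the total half-open count as well as the per-source count; on Linux the kernel-side protection for that case is SYN cookies (net.ipv4.tcp_syncookies).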

Screen traffic on border routers

• Drop packets that:
  – Have internal IP addresses from your network
  – Are from known black hat sources
  – Are incomplete or malformed
  – Are for services not utilized – only allow traffic you should see, i.e. HTTP/port 80
• Utilize a DNSBL list – a known list of IP addresses associated with spamming and zombie computers
• Cisco has a white paper on RTBH, remotely triggered black hole filtering:
  – Use an IP route statement to black hole a route:
      ip route 192.0.2.0 255.255.255.0 Null0
  – Use BGP to map a route prefix to null, via the route-map applied in the redistribute static section:
      route-map STATIC-TO-BGP permit 10
       match tag 66
       set ip next-hop 192.0.2.1
  – Tag the host route to be black holed so the route-map picks it up:
      …
      ip route 171.xxx.xxx.1 255.255.255.255 Null0 tag 66

Simple hosts file blocking using 127.0.0.1

• Hosts file – the first Internet DNS. On all Windows, Unix and Mac systems…
• Located at C:\Windows\System32\drivers\etc (Windows)

Anything Else?

• Target – PoS systems; credit card info scraped to an internal server compromised by hackers
• Eset, a company based in the Czech Republic, found a worm designed to steal AutoCAD drawings and transmit them to China. More than 10,000 ACAD/Medre.A infections have been found in Latin America
• NSA spies on Huawei servers – communication between top company officials, internal documents, and source code of individual Huawei products. The US and Australia have barred Huawei from broadband projects over espionage fears
• Cisco’s own VPN product has a vulnerability in the client enabling access to malicious sites and allowing an attacker to execute remote code using ActiveX or Java. They issued a patch and also warned of a software downgrade vulnerability allowing a hacker to change to an earlier exploitable version of the software
• US-CERT issued an advisory that some 64-bit Intel based systems are susceptible to a local privilege escalation attack allowing control over virtual machines
• AhnLab, Inc., a South Korean security vendor, issued a warning about variations of the SpyEye Trojan and ZeuS bot that attempt to steal personal banking data
• Stuxnet and Flame were both used against Iran, stunting its ability to build nuclear weapons

New Security Products

ThreatSecure from ThreatTrack Security detects malware based on anomalous network behavior. This is the next generation of day zero countermeasures, a step above signature based defenses.

McAfee unveiled a new next generation firewall defense leveraging the malware detection engine from its StoneSoft acquisition. It updates endpoint protection when a threat is detected.

Fortinet upgrades its OS to version 5, adding integrated reporting, protection against targeted attacks, faster SSL inspection, and strong authentication.

HP unveils Threat Central, a security intelligence platform allowing sharing of threat data, integrating with HP TippingPoint and ArcSight appliances.

Huawei rolls out an anti-DDoS appliance for carriers and datacenters: 1 Tbps, with protection from application layer attacks, mobile devices and outbound DDoS.

Barracuda announces the NG Firewall for the Windows Azure cloud platform, coupled with the Web Application Firewall to provide app security and secure remote access.

Best Practices

Layered Protection – Perimeter firewall, antivirus, IDS/IPS, desktop firewall, OS patches

Reduce the attack surface – Restrict which applications and devices can access resources and are allowed to connect. Example: BYOD – only access to the outside-facing portal and the Internet

Browser plugins – Patch them, monitor them and eliminate the holes. Most hacked are Microsoft Internet Explorer, Adobe Reader, Acrobat, and Flash. Vulnerabilities are documented and maintained; stay up to date and try alternatives.

Block P2P – The simplest method to distribute malware is hidden files in peer to peer networks. Eliminate any P2P file sharing with resources, including an Application and Device Control (ADC) component at the desktop.

Turn off Autorun – Stop Conficker/Downadup and other network based worms from jumping from USB keys and network drives

Monitor, Analyze, Patch, Repeat…

Calix MSAP Multi Service Access Platform

GPON – Gigabit Passive Optical Network
• Supports multiple services in their native formats
• Gigabit Ethernet: 2.448 Gbit downstream / 1.25 Gbit upstream
• Equal, fixed time slots for all endpoints using TDM

Home Network

Every home is an IP network with an outside IP to the Internet. There are two parts to an IPv4 address: network and mask. Almost all network devices have a default IP of 192.168.168.1 with a subnet mask of 255.255.255.0.

ONT – Internal IP subnet used for the home network. In IPv4 this is represented as 192.168.168.0/24:

  IP Address      Mask            Network       | Hosts
  192.168.168.0   255.255.255.0   192.168.168   | 0

[Diagram: external IP on the Internet through the carrier connection (shown as ?) and a device on the internal home network (IP shown as ?)]

What to do to test local network

Do I have an IP address?

ipconfig – shows the address the device has

Network Tools

Test the outside network

Ping the DNS server IP; ping a known web page – www.yahoo.com

Ping OK – I’m good on the local network! Now check your browser.

Management, topology, device discovery –

Solarwinds, What’s Up Gold, NetInfo, NetSurveyor. Download.cnet.com/windows/network-tools. TechRepublic – http://www.techrepublic.com/blog/five-apps/five-apps-to-help-with-network-discovery/1230/

Wireshark – Protocol analysis

Free download – Capture traffic – Wired, wireless, Bluetooth, USB…

Solarwinds

sFlow monitoring protocol

IPv4 Address Primer

Each number in an IP address represents an octet

192.168.5.1

There are 4 octets in an IP address. Each octet can be represented as an 8-bit binary number. The mask represents the dividing line where the network number ends and the host identifier begins. The last octet is used for identifying hosts; in this example the host is 130. Hosts can be numbered from 1-254. The last octet can be used as the broadcast to all hosts in a subnet using 255, all 1’s in binary.

IPv4 Address Primer

Using variable masks – By manipulating the mask you can conserve IP addresses, only using what you need.

You can break up your 192.168.5.0 subnet into multiple subnets using a longer mask.
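The octet, mask and variable-mask ideas above, worked through in code as an added example that is not part of the original slides: it does the bit arithmetic itself (no ipaddress module) so the dividing line between network and host bits is visible, and it carves the slide’s 192.168.5.0 subnet into smaller subnets with a longer mask. The 192.168.5.130 address is a constructed input matching the slide’s “host is 130”.

```python
ALL_ONES = 0xFFFFFFFF

def dotted_to_int(addr: str) -> int:
    """'192.168.5.130' -> 32-bit integer; each dotted number is one 8-bit octet."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the leftmost `prefix` bits set."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0-32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES

def mask_to_prefix(mask: str) -> int:
    """'255.255.255.0' -> 24; rejects masks whose 1-bits are not contiguous."""
    m = dotted_to_int(mask)
    prefix = bin(m).count("1")
    if m != prefix_to_mask(prefix):
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix

def describe(address: str, mask: str) -> dict:
    """Split an address at the mask: network, broadcast, usable host range, host number."""
    prefix = mask_to_prefix(mask)
    m = prefix_to_mask(prefix)
    a = dotted_to_int(address)
    network = a & m                         # bits under the mask are the network part
    broadcast = network | (~m & ALL_ONES)   # all host bits set to 1 is the broadcast
    point_to_point = prefix >= 31           # /31 and /32 have no separate network/broadcast
    bits = format(a, "032b")
    return {
        "prefix": prefix,
        "network": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        "first_host": int_to_dotted(network if point_to_point else network + 1),
        "last_host": int_to_dotted(broadcast if point_to_point else broadcast - 1),
        "usable_hosts": 2 ** (32 - prefix) if point_to_point else 2 ** (32 - prefix) - 2,
        "host_number": a - network,
        "binary": bits[:prefix] + "|" + bits[prefix:],  # '|' marks the dividing line
    }

def split_subnet(address: str, mask: str, new_prefix: int) -> list:
    """Carve the block into equal subnets with a longer mask (variable-length subnetting)."""
    old = mask_to_prefix(mask)
    if not old < new_prefix <= 32:
        raise ValueError("new prefix must be longer than the current one")
    base = dotted_to_int(address) & prefix_to_mask(old)
    size = 2 ** (32 - new_prefix)
    new_mask = int_to_dotted(prefix_to_mask(new_prefix))
    return [(int_to_dotted(base + i * size), new_mask) for i in range(2 ** (new_prefix - old))]
```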

IPv6 Addressing

Intended to replace IPv4 to deal with the long anticipated IPv4 address exhaustion. In 2013 only 2% of users reaching Google services used an IPv6 address. IPv6 allows 2^128, or 3.4 x 10^38, addresses using a 128-bit IP address vs. IPv4 using 32-bit addressing. Uses 8 groups of four hexadecimal digits separated by colons: 2001:0db8:85a3:0000:0000:8a2e:0370:7334. Leading zeros in each group can be dropped and one run of all-zero groups replaced by “::”, shortening the address to 2001:db8:85a3::8a2e:370:7334
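The shortening rule just described, as an added example that is not part of the original slides: it expands a compressed IPv6 address back to its 8 four-digit groups and compresses a full address by dropping leading zeros and replacing the longest run of zero groups (first one on a tie, and never a single zero group) with “::”. The addresses used are the slide’s example plus constructed ones.

```python
HEX = "0123456789abcdefABCDEF"

def expand(addr: str) -> list:
    """Return the 8 four-digit groups of an IPv6 address, undoing '::' and dropped leading zeros."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        h = head.split(":") if head else []
        t = tail.split(":") if tail else []
        missing = 8 - len(h) - len(t)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = h + ["0"] * missing + t
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    out = []
    for g in groups:
        if not 1 <= len(g) <= 4 or any(c not in HEX for c in g):
            raise ValueError(f"bad group {g!r}")
        out.append(f"{int(g, 16):04x}")   # normalise to four lowercase hex digits
    return out

def compress(addr: str) -> str:
    """Shortest form: leading zeros dropped, longest run of zero groups (>= 2) becomes '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr)]
    best_start, best_len, start = -1, 0, None
    for i, g in enumerate(groups + ["end"]):      # sentinel closes a trailing run of zeros
        if g == "0":
            if start is None:
                start = i
        elif start is not None:
            if i - start > best_len:               # '>' keeps the first run on a tie
                best_start, best_len = start, i - start
            start = None
    if best_len < 2:                               # a single zero group is written as '0'
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"

if __name__ == "__main__":
    # The slide's example address, round-tripped through both directions
    full = "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
    short = compress(full)
    print(short, "->", ":".join(expand(short)))
```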

3 Types of networking methodologies:

• Unicast – Identifies each individual network interface
• Anycast – Identifies a group of interfaces, usually at different locations, using nearest first
• Multicast – Used to deliver one packet to many interfaces
Broadcast is not implemented in IPv6

Questions

?