CSCI322 Systems Administration Security PDF
Summary
This document provides an overview of systems administration security concepts, focusing on UNIX/Linux systems. It discusses various security threats, including vulnerabilities in software and configuration errors. It highlights the importance of security policies, procedures, and management support in ensuring robust system security practices. It also differentiates various security stances like passive, reactive, and proactive.
CSCI322 Systems Administration
School of Computing and Information Technology, University of Wollongong
Courseware developed with input from Daniel Saffioti and William Tibben

Is UNIX/Linux secure?
Of course not. UNIX is optimised for convenience and doesn't make security easy or natural. The software that runs on UNIX systems is developed by a large community of programmers. Most administrative functions are implemented outside the kernel. Open source distributions may have better security than closed operating systems.

How is security compromised?
Social engineering
– Human users are the weakest links in the chain of security
– Ensure your user community has a high awareness of security threats
Software vulnerabilities
– Programming errors are exploited by hackers to manipulate systems into doing whatever they want
– Patch the software
Configuration errors
– Software is developed to be useful instead of annoying
– Balance security and usability

Security tips
Keeping the system updated with the latest patches is an administrator's highest-value security chore. Disable any services that are not necessary. Consider setting up a secure host to act as a central logging machine. Regular system backups are an essential part of any site security plan.

UNIX is relatively immune from viruses. Just because it is difficult does not mean it is impossible.

A Trojan horse is a program which contains some hidden functionality. When an unsuspecting person executes the code, the hidden functionality does something to compromise security.
– If I write a program to emulate ls, but also mail me a copy of /etc/shadow, then somehow get my code executed as root, I can get a copy of a file I should not have been able to read. I could put my version of ls in /tmp, then hope that the root user has . (dot) in their path before /usr/bin. If the root user is in the /tmp directory and they type ls, then my code is run rather than the system ls (unlikely but possible).
– I could use the same trick on non-root users since it is more likely they will have an insecure path.
– Alternatively, I could mail my mates my great new program to do X, and put a Trojan horse in it to chmod their home directories to 777 and their profile to 666.

A rabbit is a piece of code which reproduces itself at a high rate and consumes resources intended for other purposes. This is basically a denial of service attack. There are few effective defences, but it does require an active account.

Rootkits are programs and patches that hide important system information such as process, disk, or network activity. For example, the hacker might replace ls and ps with hacked versions so that certain files and processes will be hidden. Although tools like OSSEC and chkrootkit are available to detect the presence of known rootkits, the time it takes to do a thorough cleaning is very long.

Packet filtering and firewalls are still powerful tools to block attacks from the outside world. Remember, passwords provide some form of basic protection, simple but useful. Be vigilant!

General philosophy
Effective system security is based on common sense:
– Don't put files on your system that are likely to be interesting to hackers
– Your site's security policy should specify how sensitive information is handled
– Don't provide places for hackers to build nests in your environment
– Set traps to help detect intrusions and attempted intrusions
– Religiously monitor the reports generated by security tools
– Teach yourself about system security
– Prowl around looking for unusual activity

Security policy
The System Administrator will often be expected to develop or assist in the development of IT policy within their organisation. If the organisation does not have a policy base you need to change the organisational perspective. If you can't change their perspective you should consider changing your job. Any organisation should have policy documents to cover each key operational area:
– security policy
– acceptable use policy
– privacy policy

Policy development
Policy development is important to organisations as it defines formal mechanisms for handling events. Policy is dynamic: it will need to be revisited as aspects of the organisation change. Policy development should draw on key areas of the organisation; it should not be conducted in isolation from the major actors. Policies must be documented and be well known by staff in the organisation. Decision making should be guided by policy. This is particularly true in security, where things can get sensitive.

Policy examples
Acceptable Use Policy (AUP) describes who the legitimate users of network and information technology are. It describes what are acceptable and even unacceptable behaviours. Organisations may have multiple Acceptable Use policies representing varying levels of security (typically tied to job role and seniority).
Privacy Policy describes how the organisation monitors computer and network resources, e.g. mail, network traffic, web logs, logging etc. Monitoring of such data may be considered a violation of privacy. Such policy needs to conform with State and Commonwealth legislation.
Network Connection Policy defines how resources are connected to one another inside/outside the organisation and what services they may/may not offer. This may have implications for business relationships.
Remote Access Policy should describe the risks associated with accessing resources remotely. It should provide details on how to ensure the security of credentials and what to do in the event they are lost.
Log Retention Policy should explain what data is logged and for how long. This policy may be formulated after the security policy to aid in the resolution of an incident.

Writing Policy
First establish a basis for writing policy. The best way to write security policy is by asking questions. You should be mindful that security depends on having a solid computer and network infrastructure.
Policy depends on the right questions being asked.
What do we have that needs protecting?
– Assets can be tangible or intangible, e.g. hardware? data? reputation?
What might result from a failure to protect it?
– Risks, e.g. loss of business, perception, trust etc.
How might it be attacked and by whom?
– Through what channels/mechanisms may we be compromised, e.g. network, physical security etc.
What is the cost of protecting it? Or of not protecting it?
– Can we afford to do nothing?
The answers to those questions will always vary between organisations and even between organisational units. (Never fall into the trap of assuming organisations are the same.) The answers to these questions allow us to conduct a proper risk analysis. Once we know what the risks are we can develop an appropriate security policy.

Assessing and prioritising risk
Security policy is about prioritising issues according to risk.
– Identify all of the resources in the system. This includes hardware, services and data.
– Identify threats to the above resources that, if realised, would cause an interruption to the normal function of the system.
– Determine the probability that each risk will occur, i.e. calculate the risk.
The threats do not have to be malicious. In most cases they are not. Non-malicious threats include such things as software bugs, power failures and fire.
A cost/benefit analysis involves:
– Determining the likelihood that the event will occur
– Assigning a cost to the risk: how much money will be lost if the risk is realised, multiplied by the probability that it will be
Consider the following scenario. If the cost of a fire in a network closet is $50,000 to replace equipment and cabling, the associated downtime costs are $150,000, and we can expect one fire in the closet every 10 years, then we can say that the cost of the risk is $20,000 pa. What typically happens is that one or more strategies or measures are priced to significantly reduce the risk.
You should choose the strategy that has the best balance between cost and reducing the risk.

Bad and Good Policy
Here is an example of a bad security policy: "All passwords shall be a minimum of 8 characters in length and must include a letter, a digit and a punctuation character." Why is it bad? This policy contains specifics and may not scale with the technology or organisational procedures.
A good policy is one that is well worded and not bound to any particular technology/procedure: "As far as is possible, machines shall be configured so as to enforce the use of passwords which are difficult to attack via brute force search methods." Here we can change our definition of "difficult" in a procedure without changing the policy. Security procedures should appear in a separate document.

Policy vs Procedure
Policy is usually brief and general. Procedures will change more frequently. Procedures should be documented in an operations manual which may be attached to or referred to from the security policy. The procedures are usually longer and far more specific. They describe the how-to's rather than the why's. Procedure changes when technology and operational aspects change. The nature of IT requires that procedures change often. Thus the procedures manual requires frequent updates without the need to refer to upper management. Policy does not generally change over time. It is the founding principles governing why we do things.

The need for management support
For a security program to succeed you need to get the support of management. The administrator can influence the process, but management typically has the final say, as it is they who know the business imperatives. Fundamentally, it is an SA's job to inform them of the possibilities, risks, threats and benefits. More than that, it is important for the SA to be informed of the business imperatives and to present solutions that are shaped by these business requirements.
Security should be seen as part of an organisation's business capability.

Policy models
An organisation's security stance can be categorised as one of the following:
– Passive security
– Reactive security
– Proactive security

Passive security
This is the easiest approach to take. It is also the weakest approach. Examples of this model include:
– Security through ignorance: "what I don't know can't hurt me"
– Security through obscurity: "what they don't know can't hurt me"
– Security through complexity: "what I/they don't understand can't hurt me"

Reactive security
This approach is better than passive security. However, it is usually too little, too late. Examples of this model include:
– Shutting the stable door after the horse has bolted: "we won't have that problem again", "he/she won't do that again"
Systems administrators should design systems which are stable, scalable and secure. If you are not doing this, you are not doing your job.

Proactive security
Solve the security problem before it is exploited. This is the hardest to implement:
– Requires the most work on the part of the SA
– Requires the most knowledge on the part of the SA
– Requires the most understanding on the part of the SA
Examples of this model include:
– Laissez-faire: "what is not forbidden is permitted"
– Draconian: "what is not permitted is forbidden"

More to it than writing policy
Many people think that security is about writing policy and putting it on the shelf. Security depends on procedure. A good administrator will always be on the lookout for changes in the industry, technology or organisation. The following section outlines things you should consider when working on security.

Logging
Logging does not increase the security of a system per se. It does give SAs a tool to help increase the security of systems and detect when a compromise has occurred. If you log attempts to break in you can strengthen defences in the area under attack. Logging should be done to at least 2 destinations:
the local machine and a relatively secure log host. If a person gets root on a machine they can delete the log files, but not on the log host (hopefully). Alternatively, they may attack the log host first, in which case the local machine logs may be your only record of events if the attack fails. With all servers logging to a central syslog server, it becomes easier to correlate events across your company.

syslog
On UNIX, logging is typically performed by syslog. Syslog allows facilities to be defined. The logs can be stored on a local host or forwarded to a remote host.

Configuring the syslog server
Each system message sent to the syslog server has two descriptive labels associated with it that make the message easier to handle:
– The first describes the function (facility) of the application that generated it. For example, applications such as mail generate messages with easily identifiable facilities named mail.
– The second describes the degree of severity of the message.
syslog defines facilities which identify programs that can log. Facilities include:
– auth,
– kern,
– mail,
– cron,
– lpr and
– several others.
syslog consults the file /etc/syslog.conf to configure the daemon.

Syslog facility
The log files are usually kept in the /var/log directory.
Sample syslog.conf entries:
– *.debug /var/log/messages
  The above captures all messages from debug severity and above in the /var/log/messages file.
– *.info;mail.none;authpriv.none;cron.none /var/log/messages
  In the above, all messages of severity "info" and above are logged, but none from the mail, authentication (authpriv) or cron facilities/subsystems.
For each facility we may specify where to put the log data via a path. We can also discriminate on each facility using severity levels. Examples include:
– info,
– err,
– crit,
– emerg,
– alert.
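To make the selector syntax concrete, here is an added example (not part of the course notes) that parses syslog.conf-style lines such as the two sampled above and works out which actions a message with a given facility and severity reaches. The configuration text, the log host name "loghost" and the messages are constructed; the severity order is the standard syslog one.

```python
"""Route syslog messages by facility.severity selectors, as in /etc/syslog.conf.
Added example: the configuration below is constructed for illustration."""
import re

# Syslog severities from least to most severe. A selector such as "*.info"
# matches messages at that level and every more severe level.
SEVERITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample syslog.conf; "loghost" is an assumed central log host.
SAMPLE_CONF = """
# everything of info and above to the local messages file, except noisy subsystems
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
# authentication messages to their own file and to the central log host
authpriv.*                                 /var/log/secure
auth,authpriv.*                            @loghost
mail.*                                     /var/log/maillog
cron.*                                     /var/log/cron
# emergencies go to every logged-in user
*.emerg                                    *
"""


def parse_conf(text):
    """Return a list of (selectors, action) rules.

    Each selector is (facilities, severity) where facilities is None for '*'
    or a set of facility names, and severity is a level, '*' or 'none'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        selector_part, action = re.split(r"\s+", line, maxsplit=1)
        selectors = []
        for sel in selector_part.split(";"):
            fac_part, sev = sel.split(".")
            facilities = None if fac_part == "*" else set(fac_part.split(","))
            if sev not in SEVERITIES and sev not in ("*", "none"):
                raise ValueError(f"unknown severity {sev!r} in {line!r}")
            selectors.append((facilities, sev))
        rules.append((selectors, action))
    return rules


def selector_matches(selectors, facility, severity):
    """Evaluate a semicolon-separated selector list for one message.

    Selectors are applied left to right; the last one that names the message's
    facility decides, which is how "*.info;mail.none" excludes mail while
    keeping everything else."""
    matched = False
    for facilities, sev in selectors:
        if facilities is not None and facility not in facilities:
            continue
        if sev == "none":
            matched = False
        elif sev == "*":
            matched = True
        else:
            matched = SEVERITIES.index(severity) >= SEVERITIES.index(sev)
    return matched


def route(rules, facility, severity):
    """List the actions that receive a message with this facility and severity."""
    return [action for selectors, action in rules
            if selector_matches(selectors, facility, severity)]


def describe_action(action):
    """Describe an action using the meanings from the syslog actions table."""
    if action.startswith("@"):
        return f"forward to syslogd on {action[1:]}"
    if action.startswith("|"):
        return f"write to named pipe {action[1:]}"
    if action == "*":
        return "write to all logged-in users"
    if action.startswith("/"):
        return f"append to file {action}"
    return f"write to the screens of users {action}"


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, sev in [("mail", "err"), ("authpriv", "notice"), ("kern", "debug"), ("kern", "emerg")]:
        print(f"{fac}.{sev}: {[describe_action(a) for a in route(rules, fac, sev)]}")
```

Note that a kern.debug message reaches nothing with this configuration, and an authpriv message is written locally and forwarded, which is the two-destination rule from the notes.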
It is also possible to configure syslog to accept syslog messages from remote clients.

Syslog actions
  Action            Meaning
  filename          Appends the message to a file on the local machine
  @hostname         Forwards the message to the syslogd on hostname
  @ipaddr           Forwards the message to the syslogd on host ipaddr
  | fifoname        Writes the message to the named pipe fifoname
  user1,user2,...   Writes the message to the screens of the listed users if they are logged in
  *                 Writes the message to all users who are currently logged in

What to log – that is the question
Logging too much data is counter-productive since it becomes harder to identify the important log entries. There are things which you should always log. Below is a list:
– su attempts (switch user).
– Network connections (tcpd does this).
– Failed logins.
– Rejected file system mount operations.
– Transactions on services, e.g. mail, FTP etc.
Typically we would use the cron job scheduler to check for anomalies in the logs. It is not practical for an SA to read the logs because of the volume of text. Whatever logging level you choose, you should automate the monitoring of logs. swatch and logsurfer are two shareware utilities for this task. They can inform you (via pager or mail) when they detect a problem.

Never completely trust your logs
The UNIX syslog daemon will accept log requests from anyone and, in the network case, from anywhere. This means people can, potentially, insert bogus log messages into your logs. Similarly, a hacker can flood a host with log messages to cover illicit activity. You should be able to detect this, however, by appropriate log filters. One technique is to flood a log host for a few hours to fill the filesystem where the log files are kept, then launch an attack. If it succeeds, it will be possible to modify the local log files. The administrator will know that something occurred, but it will be harder to track the intruder down.

Human factors
You can never predict users.
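As an added example of the automated log monitoring the logging slides above call for (not a tool from the course notes), the following swatch-style check scans constructed syslog lines for the events the notes say should always be logged (failed logins and su attempts) and flags a burst of messages that could be a log flood. The thresholds and the host and address values are assumptions.

```python
"""Automated log check: failed logins, su attempts and log-flood detection.
Added example; the log lines below are constructed for illustration."""
import re
from collections import Counter
from datetime import datetime

# Constructed auth log excerpt in classic syslog format.
SAMPLE_LOG = """\
Mar  3 09:12:01 web1 sshd[2214]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 09:12:03 web1 sshd[2214]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 09:12:05 web1 sshd[2214]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 09:12:07 web1 sshd[2214]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 09:12:40 web1 sshd[2230]: Accepted publickey for alice from 198.51.100.7 port 40110 ssh2
Mar  3 09:13:10 web1 su[2255]: pam_unix(su:auth): authentication failure; logname=alice uid=1001 euid=0 tty=pts/0 ruser=alice rhost=  user=root
Mar  3 09:13:15 web1 su[2255]: FAILED SU (to root) alice on pts/0
Mar  3 09:14:02 web1 su[2260]: (to root) alice on pts/0
"""
# Constructed flood: 300 junk messages within a single minute.
FLOOD = "".join(f"Mar  3 09:20:{i % 60:02d} web1 kernel: noise {i}\n" for i in range(300))

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
SU_RE = re.compile(r"(?P<result>FAILED SU|)\s*\(to (?P<target>\w+)\) (?P<user>\w+)")


def parse(line, year=2024):
    """Split one syslog line into (timestamp, host, program, message), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["prog"], m["msg"]


def analyse(text, fail_threshold=3, flood_per_minute=200):
    """Return alerts and su events found in the log text.

    fail_threshold: failed logins per (user, source) that trigger an alert.
    flood_per_minute: message count in one minute treated as a possible flood."""
    failed = Counter()
    per_minute = Counter()
    su_events = []
    for line in text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, _host, prog, msg = parsed
        per_minute[ts.replace(second=0)] += 1
        fm = FAILED_RE.search(msg)
        if fm:
            failed[(fm["user"], fm["src"])] += 1
        sm = SU_RE.search(msg) if prog == "su" else None
        if sm:
            outcome = "failed" if sm["result"] else "ok"
            su_events.append((ts.strftime("%H:%M:%S"), sm["user"], sm["target"], outcome))
    alerts = []
    for (user, src), n in failed.items():
        if n >= fail_threshold:
            alerts.append(f"{n} failed logins for {user} from {src}")
    for minute, n in sorted(per_minute.items()):
        if n >= flood_per_minute:
            alerts.append(f"possible log flood: {n} messages in minute starting {minute:%H:%M}")
    return {"alerts": alerts, "su": su_events}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG + FLOOD)
    for alert in report["alerts"]:
        print("ALERT:", alert)
    for event in report["su"]:
        print("su:", event)
```

In a deployment this would run from cron against the central log host's files and mail the alerts, as the notes describe for swatch and logsurfer.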
Users have the ability to affect security through their behaviour. We have already covered passwords in a previous lecture. There are many others. Examples include:
– People storing sensitive information on insecure machines for convenience.
– Users letting their boyfriend/girlfriend use their account.
– Users installing their own switches in their offices (not any more).
When setting up site security, too many people focus exclusively on the external threat. They believe firewalls etc. are vital, but internal security is not considered. It is best to assume a hostile user base even when that is not the case.

Physical security
As a general rule, no system is secure against an intruder who has physical access to the machine. This is often forgotten. An intruder can:
– boot from alternate media.
– remove (or copy) disks or tapes.
– install additional hardware. (check out the MIT Aaron Swartz case)
Machine rooms need to be secure and the data they house needs to be protected. This can be very difficult, especially in environments where you have contractors. Where possible you should design your machine room with this in mind. You should also, where possible, exploit some of the technologies in the actual machine. (Check out a firmware password as an option.) Servers need to be housed in secure environments. Auditors may insist on good physical security, as they should. In extreme cases, it can be better to destroy resources when physical security is compromised.

Backups
Backup strategies are an important adjunct to system security since, if a compromise is detected, trusted data will have to be reloaded from backups. Once a machine is root compromised, that's it. You cannot trust the machine and its data any more. However, attackers sometimes go after the backups as well. There should be procedures to make sure things work; this is disaster recovery policy.
Data integrity check
Ideally, all of the system components not required to be modified would be read only and not modifiable even by root. This is difficult to achieve. Integrity checking of important files is one of the best ways to detect intrusion. The open source utilities tripwire or ace compute file checksums and compare them with previously computed values, and thus detect when files change. Ideally, checksums should be stored where an intruder cannot alter them (write-once devices). Of course, the intruder may replace your version of tripwire with a hacked version, or replace a shared library with a version with Trojan code, but this type of intrusion is sophisticated and rare. Integrity checking is also a useful SA tool for detecting policy violations. Examples of this include installing software without updating software logs.

Encryption
Encryption is a basic tool of system security and should be used a lot more than it is. It is not used as much as it should be because of its high cost (in CPU) and difficulties of administration (PKI). Particularly sensitive information should be encrypted, especially for network transmission.

Cryptographic hashes
A hash function takes data (called the message) and, using a cryptographic key, encodes the message, producing a condensed representation called the message digest. It is hard to reverse. It is applied in different ways:
– To provide proof of authenticity (e.g. IP Security (IPSec) uses symmetric keys)
– To provide authentication by generating a one-time and one-way response (password)
– To provide a message integrity check (digitally signed contracts) and, using public key infrastructure certificates, to enable a secure site using a browser.
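The data integrity check described above, as an added example rather than the notes' own tool: a small tripwire-style checker that records a baseline of SHA-256 digests, then compares a fresh scan against it and reports modified, added and removed files. The file tree it scans is constructed in a temporary directory; in practice the baseline file would sit on the write-once media the notes recommend.

```python
"""Tripwire-style file integrity checker. Added example with a constructed
file tree; the baseline location is a stand-in for write-once media."""
import hashlib
import json
import os
import tempfile


def digest_tree(root):
    """Map each regular file under root (relative path) to its SHA-256 and size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and special files are out of scope here
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": h.hexdigest(), "size": os.path.getsize(path)}
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON (on a real system: to write-once media)."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report files whose digest changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p]["sha256"] != baseline[p]["sha256"]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Build a tiny constructed 'system', take a baseline, tamper, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls program bytes\n")
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        store = os.path.join(tmp, "baseline.json")  # stands in for write-once media
        save_baseline(digest_tree(root), store)

        # Simulate the rootkit scenario from the notes: ls replaced, a hidden
        # file dropped, and a configuration file removed.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced ls program bytes\n")
        with open(os.path.join(root, "bin", ".hidden"), "w") as f:
            f.write("x")
        os.remove(os.path.join(root, "etc", "passwd"))

        return compare(load_baseline(store), digest_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```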
Confidentiality through encryption
Layers of encryption:
– Layer 2: proprietary methods
– Layer 3: IPSec
– Layer 4/5: Secure Socket Layer (SSL) or Transport Layer Security (TLS) provides session layer confidentiality
– Application layer confidentiality: secure email, secure database session
Two classes of encryption algorithm:
– Symmetric algorithm: identical keys are shared between sender and receiver
– Asymmetric algorithm: different keys are used to encrypt and decrypt messages

Block ciphers and stream ciphers
Block ciphers transform a fixed length of plaintext into blocks of ciphertext 64–128 bits long. The plaintext can be retrieved by applying the secret key in reverse. Stream ciphers encrypt text one byte at a time.

Asymmetric Encryption – Public Key Infrastructure (PKI)
Asymmetric key algorithms do not require an exchange of keys. Protocols that use asymmetric encryption include:
– Internet Key Exchange (IKE), used in IPsec VPNs
– Secure Socket Layer or the IETF standard TLS
– SSH
– Pretty Good Privacy

Digital signatures
Digital signatures:
– enable unique proof of a data source which can only be generated by a single party
– authenticate a user by using the private key of that user and the signature it generates
– provide authenticity and integrity of PKI certificates
– provide a secure timestamp using a trusted time source

Certificate Authorities
X.509 is a well known standard that defines basic PKI formats such as certificates and certificate revocation. In order to administer PKI a number of authorities exist to issue keys:
– Single root authorities
– Hierarchical CA topology
– Cross-certified CA topology

Trust and IP/DNS Spoofing
Spoofing refers to the general practice of forging either sources of information or the results of queries. Because most of the principles of trust across networks involve knowing the source of the packets, forging packets is an effective way of bypassing system security.
This is obviously more important as the level of trust granted to a machine increases, e.g. DNS servers need to be secure, leading to DNSSec.

Kerberos
Kerberos was designed to solve some of these problems. Users get "tickets" which can be passed around between machines so that servers can authenticate requests. Tickets are just like passwords, except that they can be safely passed around the network and are immune from sniffing (because user names and passwords are not transferred). Tickets may be passed around because they are always encrypted, with keys that are only known to the authenticated users, and they include the current time.

Back to the Human Aspects of Security – focusing on the SA!
We have already covered the potential security compromises generated by users. (These include: bad choices of passwords, letting other people use their account, leaving sensitive information in insecure places such as email, introducing foreign/non-authorised equipment into the corporate environment.)
System Administrator errors also play a part:
– Simple typing errors
– Bugs in code
– Careless system configurations
– Bad system default settings
Examples of carelessness include:
– The System Administrator runs a script to dump the password and shadow files for some reason, then forgets to chmod them to 600.
– Files left lying around containing encrypted passwords.
– A user finds and runs crack.
These sorts of problems are much more common than attacks against encryption keys.

What Should an Administrator Do?
Ensure physical security. Stay on the latest OS release. Stay on the latest patch releases.
– A large number of break-ins occur by exploiting bugs that have been fixed by new OS releases or patches. Experience indicates that staying on current OS and patch levels is the single most important step in ensuring system security.
– After OS install, audit machine security. Remove unnecessary services. Check permissions on important files/directories. Set up logging properly and monitor important logs.
Know and control your trust relationships.

Useful information sources
Administrators need to keep up to date with the world. Here are some common sites/email addresses which can keep you informed about security:
– CERT www.cert.org
– AUSCERT www.auscert.org.au

Network security
Network security is a set of measures to mitigate risks to the network and devices using the network. Network security allows you to build layers of protection. You can erect multiple hurdles or "safety nets" to make life difficult for an attacker or to catch unexpected behaviour at an early stage.

A rationale for network security
Are all devices on your network as secure as they should be? Most likely you will not have control over every device using the network. (Think BYOD: Bring Your Own Device.) Often you will not have the resources (time and knowledge) to make every device secure. Some devices just cannot be made sufficiently secure. There are certain threats that cannot be addressed without network security.

Threats
The four basic categories of threats to networks and devices using networks are:
– Eavesdropping
– Spoofing (impersonation)
– Modification of network communications
– Denial of service
These are often used in combination.

Eavesdropping
An attacker listens to or watches the traffic on the network. This is a threat to confidentiality. The attacker may capture data that is confidential or secret (e.g. passwords). Think Wireshark...

Spoofing
An attacker impersonates a user or device by faking a protocol attribute that is used in an authentication process. This can be used to eavesdrop (man in the middle). Another common case is faking the source address on UDP packets (research this one for the wiki).

Modification of network communications
An attacker hijacks communications between two devices and modifies the messages to influence the behaviour of one or both parties. This is a threat to data integrity.
Denial of Service attacks
An attacker finds a way to cause a network service to stop functioning as expected. This is a threat to accessibility. Often this is achieved by flooding the network with messages (the classic is TCP SYN messages with fake IP source addresses). This is a common prelude to a spoofing attack.

Determining what is required
Computing security is really about ensuring that the system operates as expected (the way it was designed). Further, it attempts to limit the magnitude of the damage when things do go astray. To ensure consistency, clarity and that somebody is assigned responsibility, security requirements should be codified in a "Security Policy" document. What level of security does your network require? A systematic method for answering this question is to conduct a risk analysis followed by a cost/benefit analysis. We have established this is an important step.

Network security measures
Network security measures can be implemented:
– at the end host,
– at networking devices (routers, switches, etc.)
Generally there are two things that can be done to improve security:
– Restrict who and what can access your network (both physically and otherwise).
– Be careful about how data is transmitted on the network.

Measures for end devices
It makes sense to restrict access to services to only the people that require them (and that hopefully can be trusted). One method of limiting access to services is to use authentication:
– Passwords.
– Public key authentication (signatures).
– One-shot passwords.
– Kerberos.

xinetd
Use of xinetd can limit access to services (applications) through ACLs. xinetd listens for incoming requests over a network and launches the appropriate service for that request. Requests are made using port numbers as identifiers and xinetd usually launches another daemon to handle the request.
xinetd features access control mechanisms such as TCP Wrapper ACLs, extensive logging capabilities, and the ability to make services available based on time. It can place limits on the number of servers that the system can start, and has deployable defence mechanisms to protect against port scanners, among other things.

Measures for network devices
Physical security is important when it comes to networks for a number of reasons:
– Network infrastructure is often quite large and covers a large area.
– Attacks can be made against the network if the attacker has physical access to the infrastructure.
– Devices should be physically secured and access to them authenticated.

Data integrity
Many protocols have been designed without much thought to security. This is true for IP in general. Most older protocols are susceptible to eavesdropping, spoofing, insertion attacks and denial of service. Rear guard actions include:
– Secure DNS: DNSSec
– Secure IP: IPSec
– Secure Shell: SSH (replaces Telnet)

Virtual Private Networks
A virtual private network is a tunnel over an insecure network connecting two or more trusted networks using the techniques just described. Specially designed routers are normally used to construct a VPN. Two types of VPN:
– Site-to-site VPN: a VPN tunnel (encrypted) established between two sites using the public Internet.
– Remote Access VPN: the host has VPN client software which uses the public Internet to reach the destination network's VPN gateway.

Packet filtering
Access control lists: networking devices that understand the transport protocols and sometimes higher (typically routers) can decide which individual protocol data units (packets) they will allow into or out of the network. This can be used to permit or deny access to services based on rules.

Firewalls
Firewalls are systems that exercise a high level of control over what data enters and leaves a network.
Typically they involve a couple of packet filters and one or more application proxies (commonly referred to as bastion hosts). Their role is to drastically reduce the ways an intruder can use to attack your systems.

Intrusion Detection Systems
Firewalls are not effective at protecting networks from worms, viruses, malware, etc. Analysing logs is one measure, but it is after the event, complex and does not scale. An IDS passively monitors traffic by analysing a copy of the traffic stream. The advantage is that an IDS does not negatively affect the actual traffic flow. Its disadvantage is that it cannot stop malicious attacks from reaching the target before it is able to respond.

Intrusion Prevention Systems (IPS)
In contrast, an IPS does not allow packets to enter the network until they have been analysed. An IPS monitors Layer 3 and 4 traffic and analyses the content and the payload for embedded attacks. For example, Cisco's IPS uses a combination of detection technologies: signature-based, profile-based and protocol analysis. The advantage is that single-packet attacks can be foiled. The disadvantage is that network performance can suffer if it is not configured properly or an inappropriate choice of IPS has been made.

Incident response plan
Somehow you've detected that an attack has occurred or is occurring now! What are you going to do about it? Be prepared. There are several options available when you discover an attack. The right decision will depend on the type of attack and the business requirements of your organisation.
– Is it more important to get the systems back to normal?
– Is it important to attempt to discover who the intruder or attacker is?
– Is it important to work out exactly what the attacker did?
– Does evidence need to be collected for legal reasons?
– Who should be notified? Report the incident to the authorities or keep it a secret?
Devise and communicate a recovery plan. It is important to explain what happened (but where appropriate you should omit details).
Final exam
Date: check your exam timetable
Venue: on campus
Duration: 3 hours
Items permitted: calculator
Format:
– Part A: MCQ (20 questions worth 20 marks)
– Part B: short answer (10 questions worth 20 marks)
– Part C: planning and design (2 questions worth 10 marks)
Answer all the questions.

How many marks do I need?
As many as possible! A minimum of 20 (out of 50) is needed to avoid TF. A supplementary exam will be offered on a case-by-case basis.

Q&A
Do I need to remember all commands?
– No, but you need to remember some of the most basic ones, e.g., ping www.google.com
Do I need to remember all the files and their formats?
– No, but you need to remember some of the most basic ones, e.g., the password file.
How do I prepare for the exam?
– Everyone has his/her own way to prepare for the exam. It is suggested to focus on lecture notes/lab notes/assignments.
What if I have questions before the exam?
– Contact me to clear all the questions you have.

Q&A
I don't feel well on the exam day, what should I do?
– Do not attend the exam and apply for AC. If you have sat the exam, your AC will not be approved unless you have been sent to the hospital by an ambulance during the exam.
I have been offered an AC supplementary exam but I feel sick on the supplementary exam day, do I get another supplementary exam?
– No, you may be offered a "late withdrawal without academic penalty".

Sample questions
Write a shell command to display all files in /etc.
What is the difference between the absolute path and relative path in UNIX? How do you differentiate an absolute path from a relative path?
Compare and contrast LVM with disk partitioning. Outline the strengths and advantages of using LVM.
Good luck!
Network management
Keep the network healthy
– Fault detection for networks, gateways, and critical servers
– Schemes for notifying an administrator of problems
– General network monitoring
– Documentation and visualisation of the network
– Administration of network devices from a central site

FCAPS
Fault Management
Configuration Management
Accounting Management
Performance Management
Security Management

Some principles first
Make one change at a time.
Document the situation as it was before you got involved, and document every change you make.
Start at one end of a network and work through the system's critical components.
Communicate regularly.
Work as a team.
Use the layers of the network to negotiate the problem. Start at the "top" or "bottom".

Network troubleshooting
Do you have physical connectivity?
Is your interface configured properly?
Do your ARP tables show other hosts?
Is there a firewall on your local machine?
Is there a firewall anywhere between you and your destination?
If firewalls are involved, do they pass ping packets?
Can you ping the localhost?
Can you ping other local hosts by IP address?
Is DNS working properly?
Can you ping other local hosts by hostname?
Can you ping hosts on another network?
Do high level services work?

ping
The ping command sends an ICMP ECHO_REQUEST packet to a target host and waits to see if the host answers back. Routing tables, physical networks, and gateways are all involved.
The output of ping shows the host's IP address, the ICMP sequence number of each response packet, and the round trip travel time.
Use the -n option if you suspect that DNS is not working.

What information can you get from ping
The ICMP sequence number tells you if packets have been dropped.
If packets have been dropped, then
– run traceroute to discover the route to the target host
– ping the intermediate gateways in sequence
The round trip time gives you insights into the overall performance of a path through a network.

traceroute
The traceroute command uncovers the sequence of gateways through which an IP packet travels to reach its destination.
traceroute works by setting the time-to-live field (TTL) of an outbound packet to an artificially low number.
There are traceroute-like utilities, try mtr.
Inverse traceroute, see http://traceroute.org

netstat
netstat collects a wealth of information about the state of your computer's networking software
– Interface statistics
– Routing information
– Connection tables
netstat can be used to
– Inspect interface configuration information
– Monitor the status of network connections
– Identify listening network services
– Examine the routing table
– View the operational statistics for various network protocols

Inspecting interface configuration
Errors can show up. A large number of errors on a single machine suggests a problem
– What are the error rates of the neighbouring machines?
– Is there a problem with that machine's interface or connection?
– Or is there a media or network problem?
You should not see collisions even when the network is under heavy load
– Is flow control enabled on your switches and routers?

Monitoring the status of network connections
Send-Q and Recv-Q show the sizes of the local host's send and receive queues for the connection
– These numbers should tend toward 0
State has meaning for TCP only
– LISTEN
– ESTABLISHED
– TIME_WAIT
netstat -a is primarily useful for debugging higher-level problems once you have determined that basic networking facilities are working correctly
– E.g., the state SYN_SENT identifies a process that is trying to contact a non-existent network server
– What about SYN_WAIT?
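As an added example (not from the lecture notes), here are the two netstat readings above, interface error rates and connection states, turned into shell functions over constructed netstat samples. The column layouts are Linux netstat's; the 60 second poll interval and every address below are assumptions.

```shell
#!/bin/sh
# Added example (not from the lecture notes): two of the netstat readings above as
# shell functions over constructed samples. Column layouts follow Linux netstat:
#   netstat -i  -> Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
#   netstat -an -> Proto Recv-Q Send-Q Local Address Foreign Address State
# The 60-second poll interval and every address below are assumptions.

POLL_SECONDS=60
# Two "netstat -i" polls of the same machine, one interval apart (constructed).
IFACE_T0='Iface   MTU   RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 1000000      5      0      0 900000      0      0      0 BMRU
eth1   1500  400000      0      0      0 300000      0      0      0 BMRU
lo    65536   50000      0      0      0  50000      0      0      0 LRU'
IFACE_T1='Iface   MTU   RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 1060000      6      0      0 950000      0      0      0 BMRU
eth1   1500  401200    600      0      0 300500      1      0      0 BMRU
lo    65536   50000      0      0      0  50000      0      0      0 LRU'

# Receive rate (packets/s) and receive errors as a percentage of the packets
# received during the interval. The rate, not the raw counter, is what you
# compare against the neighbouring machines.
rx_error_rates() {
    printf '%s\n%s\n' "$IFACE_T0" "$IFACE_T1" | awk -v secs="$POLL_SECONDS" '
        $1 == "Iface" { next }                            # header line of each poll
        !($1 in ok)   { ok[$1] = $3; err[$1] = $4; next } # first poll: remember counters
        {
            dp = $3 - ok[$1]; de = $4 - err[$1]
            pct = (dp > 0) ? 100 * de / dp : 0
            printf "%s rx=%.1f/s err=%.2f%%\n", $1, dp / secs, pct
        }'
}

# Interfaces whose receive error percentage is above the threshold in $1.
noisy_interfaces() {
    rx_error_rates | awk -v limit="$1" '
        { v = $3; sub(/^err=/, "", v); sub(/%$/, "", v); if (v + 0 > limit + 0) print $1 }'
}

# A "netstat -an" dump (constructed). The UDP line has no State column.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 130.130.64.68:22        130.130.64.10:51234     ESTABLISHED
tcp        0  65535 130.130.64.68:22        130.130.64.11:40022     ESTABLISHED
tcp        0      0 130.130.64.68:44112     130.130.64.99:5432      SYN_SENT
tcp        0      0 130.130.64.68:80        130.130.64.12:60001     TIME_WAIT
tcp        0      0 130.130.64.68:80        130.130.64.13:60002     TIME_WAIT
udp        0      0 0.0.0.0:161             0.0.0.0:*'

# "STATE count" table for TCP sockets, sorted by state name.
state_counts() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '$1 == "tcp" { n[$6]++ }
        END { for (s in n) printf "%s %d\n", s, n[s] }' | sort
}

# Number of TCP sockets in one state, e.g. count_state SYN_SENT.
count_state() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v want="$1" '$1 == "tcp" && $6 == want { c++ }
        END { print c + 0 }'
}

# Connections whose Recv-Q or Send-Q exceeds $1 bytes. The queues should tend toward
# 0; one that stays large means the peer (or this host) has stopped draining it.
stuck_connections() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v limit="$1" \
        '$1 == "tcp" && ($2 + 0 > limit + 0 || $3 + 0 > limit + 0)'
}

# Peers whose server never answered our SYN: a service that is not running, a host
# that is down, or a firewall dropping the packets somewhere in between.
unanswered_syns() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '$1 == "tcp" && $6 == "SYN_SENT" { print $5 }'
}

rx_error_rates
echo "noisy: $(noisy_interfaces 1)"
state_counts
stuck_connections 1024
unanswered_syns
```

The same delta arithmetic applies to the MIB-II ifInErrors and ifInUcastPkts counters an SNMP station polls, covered later under SNMP.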
Identifying listening network services
What processes on this machine are listening on the network for incoming connections?
It's also helpful to look at machines from an outsider's perspective by running a port scanner such as nmap.

Examining the routing table
Flags characterise the route
– U means up
– G is a gateway
– H is a host route
– D indicates a route resulting from an ICMP redirect

Viewing operational statistics
netstat -s dumps the contents of counters that are scattered throughout the network code. The output has separate sections for IP, ICMP, TCP, and UDP.
Pay attention to the number of packets that are dropped or discarded.
It's a good idea to develop a feel for the normal ranges of these statistics so that you can recognise pathological states.

Inspection of live interface activity
One good way to identify network problems is to look at what's happening right now.
Linux uses a tool called sar.
sar -n DEV 2 30 shows
– Number of packets
– Bandwidth in use
– Number of compressed packets
– Number of multicast packets
every 2 seconds for 1 minute.

tcpdump
tcpdump is a packet sniffer that listens to network traffic and records packets that meet criteria of your choice, for example
– Inspect all packets sent to or from a particular host
– TCP packets related to one particular network connection
Do not invade the privacy of your users.
Sniffers must run as root.
Packet sniffers can produce an overwhelming amount of information.
You might want to try another tool called Wireshark.
Common options
-i: force an interface
-n: stop name lookups
-v: increase the information you see about packets
-vv: even more data
-w: store packets to a file (only header)
-r: read packets from a file
Some examples
$ sudo tcpdump host bull
$ sudo tcpdump src net 192.168.1.0/24 and dst port 80

SNMP
Simple Network Management Protocol
– Is governed by IETF (RFC 1157)
– Is designed to be simple
  Only five commands in version 1
– Is concerned with network management
  Manage network performance
  Identify and diagnose issues
  Baseline/plan for network growth
– Key elements
  Management Station/Manager
  Agent
  Management Information Base
  Network Management Protocol

SNMP
Uses an agent/station model
– An SNMP agent is software capable of answering valid queries from an SNMP station
– An SNMP station, such as a network management system, is software capable of forming queries based on information defined in the MIB

SNMP: a client/server architecture
SNMP configuration

SNMP
Three basic ideas
– A manager checks an agent by requesting information that reflects the behaviour of the agent
– A manager forces an agent to perform a task by resetting values in the agent database
– An agent contributes to the management process by warning the manager of an unusual situation

SNMP V1
Get-Request – Polls agents for information
Get-Next-Request – Requests the next item in a dataset
Set – Requests a change to a value
Get-Response – Sends a response to a Manager request
Trap – Informs a Manager of an event

SNMP traps
Seven types of SNMP traps are defined
– Coldstart of a system
– Warmstart of a system
– Link Down
– Link Up
– Failure of authentication
– Exterior Gateway Protocol (EGP) neighbour loss
– Enterprise specific

SNMP
Structure of Management Information (SMI)
– Data definition language for objects
Management Information Base
– Distributed network management data

What Is an SNMP-Compliant MIB?
Each management station or agent in an SNMP-managed network maintains a local database of information relevant to network management, known as the management information base (MIB).
An MIB contains definitions and information about the properties of managed resources and the services that the agents support.
The manageable features of resources, as defined in an SNMP-compliant MIB, are called managed objects or management variables (or just objects or variables).

Categories of management information
State information
– this is information about the current state of physical and logical resources along with operational data
– provides an instantaneous snapshot in a table
Physical configuration information
– how devices are physically configured (device type, physical configuration, serial numbers and MAC addresses)

Categories of management information
Logical configuration information
– how devices are configured, such as IP address information and protocols implemented
– managed using a CLI (command line interface)
Historical information
– Snapshots of performance-related state information (such as packet counts for each 15 minute interval over the past 24 hours) (usually proprietary format)

Categories of management information
My observations
– These categories of information are used and treated differently by management applications
– Some information can't be set (e.g. serial number of a device)
– These categories will make more sense after you develop deeper knowledge of the topic

The difference between a MIB and a database
Footprint: regular DBMS mechanisms are heavier weight and require more processing resources than management interfaces.
Specific management requirements: DBMSs are not well suited to capturing some of the constraints that are specific and common to management, for example, hierarchical management information.

The difference between a MIB and a database
Real effects: a MIB is not a "passive" database, but a view on an "active" real-world system. Information in the MIB is accessed through and affected by not only management operations, but many other means as well.
Characteristics of the contained data: A database typically contains large volumes of data that is largely of the same structure. A MIB contains many different types of information with relatively few instances of each.

MIB
All names are globally unique.
All nodes of the name tree are assigned numeric values by standards authorities
– iso.org.dod.internet.mgmt.mib.ip.ipInReceives has the value 1.3.6.1.2.1.4.3
All names are specified using a subset of Abstract Syntax Notation (ASN.1).

MIB Namespace
MIB Naming Examples

MIB-II
An example of a base set of parameters to monitor can be developed from the standard MIB-II.
The following parameters can be collected on a per-interface basis:
– ifInOctets: Number of bytes received
– ifOutOctets: Number of bytes sent
– ifInUcastPkts: Number of unicast packets received
– ifOutUcastPkts: Number of unicast packets sent
– ifInNUcastPkts: Number of multicast/broadcast packets received
– ifOutNUcastPkts: Number of multicast/broadcast packets sent
– ifInErrors: Number of erroneous packets received
– ifOutErrors: Number of packets that could not be sent

Limitations and problems with SNMP
It is officially only standardised for use on IP networks.
It is inefficient at large table retrievals.
It uses cleartext strings for security.

SNMP v2
Same basic function as SNMP.
The original enhancement proposal was concerned primarily with security enhancement
– Authentication
– Message integrity
– Privacy
– Authorisation and access control

nmap: network port scanner
nmap checks a set of target hosts to see which TCP and UDP ports have servers listening on them.
Find out what a system looks like to someone on the outside who is trying to break in.
Do not run nmap on someone else's network without permission from that network's administrator.

Domain Name System (DNS)
– There are hundreds of countries, millions of networks and millions of hosts.
– How do we keep track of all the nodes and networks?
– Well, we use a service called DNS (Domain Name Service).
– The Domain Name Service is a distributed database which provides a lookup table for hostnames and IP addresses.
– Humans prefer to refer to nodes on the internet by names, rather than IP addresses. In order for this to work, we need to convert these high level names into addresses. DNS performs name resolution to IP address (and also the opposite direction).
– The Domain Name System also gives us a network hierarchy. It is responsible for giving structure to the Internet (from the user's perspective).
The History Behind the Domain Name Service
– When the Internet was first born (ARPANET), the mapping between hostnames and IP addresses was done in small files.
– If a site wished to add a new computer to the network, they chose a name and added it to such files.
– These files were distributed to other sites. Such a process consumed considerable bandwidth.
– That said, there were consistent problems keeping the data between sites up to date and in sync.
– It soon became clear that this technique simply did not scale.
– This mapping between names and IP addresses is extremely important because as humans we prefer to remember names as opposed to long sequences of numbers.
– On Unix, you have already seen how the /etc/hosts file may contain such mappings:
130.130.217.198 wumpus.its.uow.edu.au
The exchange of host files between sites was too expensive, complex and inefficient.

The History Behind the Domain Name Service
The Domain Name System was created to address two problems:
– The organization of the internet. As ARPANET grew researchers began to realize that names for hosts were running out. So they needed to impose a hierarchy/structure.
– The synchronization of host databases. Again as ARPANET grew it became more and more difficult to keep track of nodes. Data quickly became dated.

The History Behind the Domain Name Service
– DNS was formally introduced by Paul Mockapetris in RFCs 882 and 883 (around 1983).
– The original version of DNS was designed and implemented at the University of California at Berkeley in 1984.
– In 1985 the Berkeley Computer Systems Research Group absorbed the graduate students' work and rolled it into the BSD project (Berkeley Software Distribution).
– Kevin Dunlap in 1985 released BIND (Berkeley Internet Name Domain system) which has grown in popularity over the years.
– BIND is currently in release 9 and an organisation called the Internet Software Consortium (ISC) has evolved from the work done at Berkeley.
The ISC is a non-profit organisation funded by the USA government, community and private sector.

The History Behind the Domain Name Service
– DNS has evolved since those early days and continues to evolve. Initiatives include:
  DNSSEC: Secure DNS transactions, i.e. the ability to move data between servers in a secure and trusted fashion.
  IPv6 Support: With the adoption of IPv6, DNS has had to change only slightly.
– It has also been an interesting time because vendors such as Microsoft have come up with several good ideas which have been rolled back into the DNS system. For example Microsoft has developed the notion of Dynamic DNS which has had a profound impact.

So What is DNS?
– In order to understand DNS, you need to understand the Internet.
– The internet is made up of sites. These sites reflect networks or organisations.
– Organisations can be grouped together depending on type.
– Entities can be grouped together based upon geographic locality.
– Ultimately DNS provides the following kind of functionality:
  A hierarchical namespace for IP addresses.
  A distributed database of host information.
  A mechanism for finding services and nodes on a network.
  A protocol for exchanging naming information to keep data current and synchronised between sites.

The Domain Name System Architecture
But how does it work?
– The Domain Name System defines a tree of domains. Each domain represents a chunk or grouping of the network which is managed by a single administrative entity.
– The Domain Name Service is a global infrastructure managed by ICANN.
– The Domain Name System defines what are known as Top Level Domains (TLDs).
– These TLDs had not been changed in years. It used to be that certain TLDs represented specific kinds of networks.
– But as the Internet has grown, ICANN added a few top level domains. And more recently, hundreds more!

gTLD
– Top level domains are sometimes referred to in the literature as gTLDs (generic top level domains).
Domain: Use
com: Commercial Entities
net: Network Providers
edu: Education Entities
org: Non profit organisations
gov: Government
int: International
mil: Military Networks
arpa: Old Style Arpanet

ccTLD
– Most of the top level domains are used within the United States. Outside the United States there are a number of top level country code domains, ccTLDs. Some common country codes are:
Code: Country
au: Australia
ca: Canada
br: Brazil
de: Germany
fi: Finland
fr: France
jp: Japan
se: Sweden
hk: Hong Kong
ch: Switzerland
mx: Mexico
hu: Hungary
– Most of these countries produce second level domains which are similar to the top level domains offered by the US. For example the internet has the following structure. So considering this, www.uow.edu.au belongs to the uow domain which is part of the edu domain which is in au's namespace.

Subdomain
– You can infer from the DNS model that domains can be delegated to other authorities (sub domains).
– .au has its own authority.
– And at the University, EIS have their own subdomain beneath the uow domain. The management of this eis.uow.edu.au domain is partially delegated.

Regional domains
– Domains largely emerge due to congestion in the namespace - think about how many movies have been put in the .com domain!
– Regional top level domains are managed by local authorities. For example in Australia .au domain registry is performed by AusRegistry, overseen by industry regulator auDA (.au Domain Administration). The control is authorised by ICANN.
– The management of educational domains in Australia is done by a single private sector organization (Educause http://www.educause.edu/edudomain/).
– If an organisation wishes to have a .com.au or .edu.au domain they need to speak to the appropriate authority.
– Each domain on the Internet has at least one DNS server which keeps track of the network.
– These DNS servers talk to the parent server and serve requests of clients around the world.
– The top level domains have what are known as 'root' name servers. These process a huge number of requests and updates.

Obtaining a Domain
– Depending upon where you wish to create a domain you need to work with different agencies.
– ICANN is responsible for delegating 'authority' to agencies to handle certain top level domains.
– In Asia Pacific, www.apnic.net has a registry of all the domains and organisations that are managed.

Technical Details of DNS
– There is no implicit tie between network numbers and domain names.
– However, it makes administrative sense to keep some relationship between networks and names.
– The University of Wollongong domain happens to map nicely onto our network (although we have some smaller ranges in there as well): 130.130 - uow.edu.au
– Because we are responsible for the domain we run a DNS server such as bind.
– The people in the domain above us (edu.au) have told their DNS server that our DNS server is authoritative for the uow.edu.au sub domain.
– The domain uow.edu.au is a delegation point in the edu.au domain.
Small organisations can run servers on their own hosts or ask their ISP to supply DNS service.
Medium-sized sites should run multiple DNS servers to reduce query latency.
A very large site can divide its DNS domain into subdomains and run several servers for each subdomain.

Technical Details of DNS
– Inside uow.edu.au there is a sub domain cs.uow.edu.au (plus many others).
– Although it is a sub domain, it is not a delegation point since the uow.edu.au DNS server is authoritative for that domain.
– A DNS server may be authoritative for sub domains or may delegate responsibility to other DNS servers.

Types of DNS
– There are several kinds of DNS server
  Authoritative: An authoritative server is one that is authorised to answer queries for a domain. It is guaranteed to be up to date. It is considered the official representative of a zone/domain.
  Non-Authoritative: A non-authoritative server answers a query typically from a cache.
It does not know if the data is still valid.
– In the Authoritative grouping we typically have these kinds of servers
  Masters (Primary)
  Slaves (Secondary)
– The slave gets a copy of its records from the master using the SOA (Start of Authority) record for the zone.
– Data is maintained between the master and slave using Zone Transfers (over TCP). We can control zone transfers using software e.g. ndc.
– Non-Authoritative servers typically include things such as caches and forwarders.

Recursive vs Non Recursive Queries
There are two ways in which DNS servers can answer queries
– Non-Recursive: If a DNS server is non-recursive it will only answer queries that it has the answer for. These may be cached or they may be authoritative. If it does not have the answer it returns the address of the server that is likely to know the answer.
– Recursive: A recursive DNS server returns only names or errors. It follows the referrals to yield the answer. The way this is done is by forwarding the query to a root server that is known.

Zone
A zone is essentially a domain minus its subdomains.
Each zone typically has one master name server that keeps the official copy of the zone's data on disk.
A zone can have several slave name servers that get their data from the master server through a zone transfer operation.
Typically we have two zones:
– Forward zone: name to address mapping.
– Reverse zone: address to name mapping.
You may hear things like caching-only name server, non-authoritative name server, recursive name server, etc.

DNS Records
The information in the DNS system consists of records
– SOA: Start of Authority
– NS: Identifies Zone Servers
– A: Name to Address Mapping
– PTR: Address to Name Mapping
– MX: Mail Exchange (used for mail routing)
– CNAME: Synonyms for hosts, i.e. Nicknames
– Glue: A Record for a Nameserver

SOA
– The SOA record indicates the beginning of a Zone.
– In many regards a zone can be considered a grouping in the DNS namespace.
– Typically we have two zones
  Forward zone for name to address mapping.
  Reverse zone for address to name mapping.
– The SOA record typically contains the following
  The name of the Zone.
  The administrator for the Zone.
  Timeout information, e.g.
  – Serial is typically used to indicate the last change.
  – Refresh specifies how often slave servers check with the master to see if the serial has changed.
  – Retry specifies how long after a failure a slave checks the master.
– The SOA information is used by slaves to identify when it is necessary to do a Zone Transfer.
– A Zone Transfer allows master and slave DNS servers to remain in sync.

NS
– The NS record identifies which servers are authoritative for a zone. This is how we define master and secondary DNS servers.
– If we do the following we get some interesting results:
$ dig uow.edu.au NS
– Each domain should have a primary server and at least one secondary.
– Primary and secondary name servers talk among themselves to ensure the consistency of the database.

A
– The A records provide the name to address mappings in the DNS database. They basically represent the /etc/hosts file.
– An A record would typically look like this:
yoshi IN A 130.130.64.68
This entry would be in the zone file representing the cs subdomain for the University.

PTR
– The PTR records do the reverse of the A records.
– A reverse DNS lookup for an IP address is NOT a search of the A records in reverse; it is a search of the PTR records for the IP address.
– PTR records exist in a special part of the DNS namespace called in-addr.arpa.

In-addr.arpa
– Domains under in-addr.arpa are named like IP addresses with their bytes reversed. For example at the University the cs zone is (was) 130.130.64.0/24. Thus the in-addr.arpa file will be called 64.130.130.in-addr.arpa.
– It will typically contain records such as:
68 PTR yoshi
– Some software requires names to be reversed for security purposes e.g. Telnet or SSH.
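As an added example (not from the lecture notes), the SOA serial, A and PTR records above as a working pair of BIND zone files for the cs zone: adding a host writes the A record, the matching PTR under 64.130.130.in-addr.arpa, and bumps both serials so slaves will transfer the change. The ns host, the hostmaster address, the serial value and the new host "peach" are assumptions; only yoshi and the 130.130.64.0/24 range come from the lecture.

```shell
#!/bin/sh
# Added example (not from the lecture notes): the SOA serial, A and PTR records
# above as a working pair of zone files. The zones are constructed around the
# lecture's cs subdomain (130.130.64.0/24, yoshi = 130.130.64.68); the ns host,
# the hostmaster address, the serial and the new host "peach" are assumptions.

# Write the constructed forward and reverse zones into directory $1.
write_sample_zones() {
    cat > "$1/cs.uow.edu.au.zone" <<'EOF'
$TTL 3600
@        IN SOA ns.cs.uow.edu.au. hostmaster.cs.uow.edu.au. (
                 2024010101 ; serial
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 86400 )    ; minimum
         IN NS  ns.cs.uow.edu.au.
ns       IN A   130.130.64.1
yoshi    IN A   130.130.64.68
EOF
    cat > "$1/64.130.130.in-addr.arpa.zone" <<'EOF'
$TTL 3600
@        IN SOA ns.cs.uow.edu.au. hostmaster.cs.uow.edu.au. (
                 2024010101 ; serial
                 3600 900 604800 86400 )
         IN NS  ns.cs.uow.edu.au.
1        IN PTR ns.cs.uow.edu.au.
68       IN PTR yoshi.cs.uow.edu.au.
EOF
}

# Owner name of the PTR record for an address in a /24 reverse zone: the last octet.
last_octet() { printf '%s\n' "$1" | awk -F. '{ print $4 }'; }

# Name of the in-addr.arpa zone holding a /24: the first three octets reversed.
reverse_zone_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# Serial from the SOA record (the line tagged "; serial").
serial_of() { awk '/; serial/ { print $1; exit }' "$1"; }

# Increment the serial in place. Slaves compare this value at each refresh and
# only transfer the zone when it has grown, so an edit without a bump is invisible.
bump_serial() {
    awk '/; serial/ { n = $1; sub(n, n + 1) } { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Add NAME with address IP: an A record in forward zone FWD, a PTR in reverse zone
# REV, then bump both serials. Refuses a name or address that is already in use,
# so a typo cannot silently give an address a second owner.
add_host() {
    name=$1; ip=$2; fwd=$3; rev=$4
    if awk -v n="$name" '$1 == n { f = 1 } END { exit (f ? 0 : 1) }' "$fwd"; then
        echo "add_host: $name already exists in $fwd" >&2; return 1
    fi
    if awk -v a="$ip" '$3 == "A" && $4 == a { f = 1 } END { exit (f ? 0 : 1) }' "$fwd"; then
        echo "add_host: $ip already assigned in $fwd" >&2; return 1
    fi
    printf '%-8s IN A   %s\n' "$name" "$ip" >> "$fwd"
    # PTR targets are written fully qualified: a bare "yoshi" would be expanded
    # relative to the reverse zone's origin, not to cs.uow.edu.au.
    printf '%-8s IN PTR %s.cs.uow.edu.au.\n' "$(last_octet "$ip")" "$name" >> "$rev"
    bump_serial "$fwd" && bump_serial "$rev"
}

# Syntax check with BIND's named-checkzone when it is installed (skipped otherwise,
# so the script still runs offline); reloading would then be "rndc reload <zone>".
check_zones() {
    command -v named-checkzone >/dev/null 2>&1 || return 0
    named-checkzone cs.uow.edu.au "$1" && named-checkzone 64.130.130.in-addr.arpa "$2"
}

WORK=$(mktemp -d)
FWD="$WORK/cs.uow.edu.au.zone"
REV="$WORK/$(reverse_zone_name 130.130.64.70).zone"
write_sample_zones "$WORK"
add_host peach 130.130.64.70 "$FWD" "$REV"
check_zones "$FWD" "$REV"
echo "serial now $(serial_of "$FWD"); $(tail -n 1 "$REV")"
```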
MX
– MX records are created to help routing of email.
– An MX record knows where mail should be routed.
– For a domain we can have more than one MX record. The mail router uses the MX record with the lowest priority that is available.

MX Example
– If I run:
$ dig uow.edu.au MX
;; ANSWER SECTION:
uow.edu.au. 3600 IN MX 100 smtp-gateway.uow.edu.au.
I will get the MX record for the domain which points to the host smtp-gateway.its.uow.edu.au. It has a priority of 100.
– If I do the same thing at gmail
$ dig gmail.com MX
;; ANSWER SECTION:
gmail.com. 455 IN MX 10 alt1.gmail-smtp-in.l.google.com.
gmail.com. 455 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 455 IN MX 40 alt4.gmail-smtp-in.l.google.com.
gmail.com. 455 IN MX 30 alt3.gmail-smtp-in.l.google.com.
gmail.com. 455 IN MX 20 alt2.gmail-smtp-in.l.google.com.
we see five hosts. The priority decides where mail goes. We use this for redundancy purposes.

CNAME
CNAMEs describe canonical names for hosts in the DNS namespace. In the namespace we will typically see things like this:
wyrm IN A 130.130.68.3
smtp IN CNAME wyrm
ftp IN CNAME wyrm

Other records
There are a few other records which are important to mention:
– SRV records: SRV records describe priority, ports and other information for network resources/hosts. This is particularly important in Zero Configuration networking.
– TXT records: A TXT record adds arbitrary text to a host's DNS record.

Adding a new machine to DNS (Bind server)
1. Assign an unused name and address to the new machine
2. Log into the master name server (use dig to find it)
3. Find the name server configuration file (usually /etc/named.conf). Find the zone data files in the zone statement, e.g.,
zone "example.com" {
    type master;
    file "filename";
};
zone "188.77.208.in-addr.arpa" {
    type master;
    file "filename";
};
4. Identify the record of a similar machine in the same subnet, e.g.,
template IN A 208.77.188.100
         IN MX 10 mail-hub
5. Duplicate this record and change it accordingly
6. Edit the reverse zone file
100 IN PTR template.example.com.
7. Change the serial number in the SOA record at the beginning of the file
8. Reload the domain
sudo rndc reload forward-zone-filename
sudo rndc reload reverse-zone-filename

Hosts on the Network
– Machines may have many IP addresses, either on different hardware interfaces or the same hardware interface.
– Each IP address may have its own name or not.
– The name of the machine (uname) may not match any interface name.
– Sensible people adopt a sensible naming scheme.
– For example,
  Machine name matches DNS name for main interface.
  Each IP address has its own name.
  Each interface has a single IP address and name.
  Secondary interface names are derived from the primary name, e.g. wraith-1

The Importance of DNS
– Management of their IP addresses and DNS configuration is a complex and onerous task for an organisation of any size.
– Do not underestimate the size of this problem or the complexity of DNS configuration.
– Remember that nearly all network services depend on name resolution.
– If DNS fails, most of your services will be down.
– After your network fabric, DNS is probably the most important network service you will ever have.

The Resolver
– The resolver on a host is responsible for converting names to addresses. It forwards queries to the appropriate DNS servers.
– Name server configuration is typically via a single configuration file. For Unix, that configuration file is called /etc/resolv.conf (not a typo!).
– Such a file looks like this:
domain its.uow.edu.au
nameserver 130.130.68.1
nameserver 130.130.64.1
nameserver 129.78.64.1
options retry:2 retrans:5
search uow.edu.au cs.uow.edu.au

resolv.conf example
The file has a number of directives. The first is the primary DNS domain for the current host.
domain its.uow.edu.au
The next group of directives specify the name servers to use to resolve queries. Queries are sent to each server in order.
nameserver 130.130.68.1
nameserver 130.130.64.1
nameserver 129.78.64.1
For each server we can specify a series of options. In this case we are saying:
options retry:2 retrans:5
– Wait 5 seconds for a reply.
– Retry each nameserver 2 times before moving on and trying the next.
This is a very aggressive configuration.
If a name does not resolve, try these domains as well.
search uow.edu.au cs.uow.edu.au
This is typically used when we do not provide a fully qualified DNS name.

Multi-homed Hosts
– Machines may have multiple interfaces. We often see these devices in the device tree.
/dev/le0
/dev/hme4
– Individual interfaces may be up or down.
– The ifconfig command is used to display information about or configure an interface.
– Information displayed includes the hardware address, the IP address, the broadcast address, the netmask, the MTU and some flags.

Important Files
– Under Solaris, /etc/hostname.X controls the name (and therefore the IP address) of each interface.
– /etc/nodename contains the nodename or system name of the machine.
– Name/IP information comes from /etc/hosts (needed since before the interface is operational there is no way to get information from DNS)
– Netmask information from /etc/netmasks
– Network/name translation from /etc/networks
As a systems administrator you need to remember these files. On most Unix implementations they are the same.

Layered Communication Models
In the 70's and 80's a number of vendors produced hardware for computer networking which could only work in homogeneous computing environments and with particular kinds of equipment. Examples include IBM's networking technologies such as SNA, Apple's AppleTalk and even DEC's networking infrastructure.
As a result a model was developed for communications which clearly articulated the components of such a system, which could be modified within its parameters and have no effect on the remainder of the system.
Layered models typically provide
– independence.
– flexibility.
– standardisation.
– simplified implementation and maintenance.

The OSI Reference Model
Open Systems Interconnection (OSI) Reference Model
– An ISO standard that covers all aspects of network communications
– First introduced in the late 1970s
– Is NOT a protocol
– Is a model for understanding and designing a network architecture

The OSI Reference Model
7 Application: to allow access to network resources
6 Presentation: to translate, encrypt, and compress data
5 Session: to establish, manage, and terminate sessions
4 Transport: to provide reliable process-to-process message delivery and error recovery
3 Network: to move packets from source to destination, to provide internetworking
2 Data Link: to organise bits into frames, to provide hop-to-hop delivery
1 Physical: to transmit bits over a medium, to provide mechanical and electrical specifications

Here is a brief description of each layer.
Physical Layer (layer 1)
– Provides the physical connection between the computer and the network wiring.
– It specifies cable pin assignment, voltage on the wire etc.
– Data is transferred in bits.
Datalink Layer (layer 2)
– Provides the packaging and unpackaging of 'bits' of data for transmission - we commonly call this the structure of the hardware packet.
– Some basic error checking is performed on transmission data.
– There is also what we know as hardware level addressing at this layer.
– Data is transferred in Frames. Things such as ATM and 802.3 Ethernet operate at this layer.
Network layer (Layer 3)
– Provides routing of data through the network (end to end). In this layer the most appropriate route is chosen for the data.
– The layer is also concerned with packaging data so it can be routed between two points, and with addressing.
– The data is referred to as datagrams/packets at this layer. IP and IPX (Novell's Internetwork Packet Exchange) are examples of protocols at this layer.
Transport Layer (Layer 4)
– This layer is largely concerned with error correction and synchronization (virtual circuit). TCP is an example of a protocol that operates at this layer.
Session Layer (Layer 5)
– The session layer is concerned with the establishment of connections between two points. It ensures a high level of reliability.
Presentation Layer (Layer 6)
– Basically involves the translation of data formats, i.e. ASCII, Unicode etc. You may also see compression at this layer, e.g. a streams module implemented using gzip. Has no interaction with the user.
Application Layer (Layer 7)
– Provides functionality to the user, security and access to resources. Dependent on all layers beneath it. Examples include SMTP, POP, IMAP etc.

Protocol data units (PDU)
For data to move from source to destination it travels through each layer in the OSI model. Each layer communicates with its peer layer.
Between layers, Protocol Data Units are converted through a process of encapsulation/de-encapsulation.
For a layer to provide a service to an upper layer it adds header information to perform its function. This is called encapsulation (going down the OSI model).
When a layer receives data (going up the OSI model) it de-encapsulates the incoming stream into the layer's PDUs, typically done by removing headers and checking before passing upwards.
[Figure: each layer's PDU. Hosts A and B run all seven layers (Application, Presentation, Session, Transport, Network, Data Link, Physical, with a 7-6, 6-5, 5-4, 4-3, 3-2 and 2-1 interface between each pair); the two intermediate nodes implement only layers 3, 2 and 1; physical communication occurs at layer 1.]

Transmission at Layer 1
Layer one is concerned primarily with media and how to send bits (0 and 1) over the wire or air. There are three ways in which this is done.
– Voltage, as is the case in copper media.
– Light, as is the case in optical media.
– Radio waves over a spectrum, as is the case in wireless media.
At this layer we tend to find cable specifications specified by organisations such as TIA and EIA. Some common examples of cabling standards include Cat 1 (voice grade), Cat 3 (10Mbps), Cat 5 and Cat 5e (data grade - 100/1000Mbps).
At this layer we also see rules of thumb, for example;
– 10 Base T – the physical-layer specification for Ethernet (IEEE 802.3i) which operates at 10 Mbps, is baseband (digital) and uses twisted pair. Segments of not more than 100m.
Others include:
– 10Base2 (10 Mbps over coax media (thinnet), maximum segment of 185m, usually rounded to 200m)
– 10Base5 (10 Mbps over coax media (thicknet), maximum segment of 500m)
In general think of this layer as defining physical standards for how the media works. These rules are defined to minimise attenuation over the media so everything actually works.

Standards at the Data Link Layer - Ethernet and ATM
Again standards are really important - as different vendors and organisations have different beliefs and opinions on the way things should be done. The IEEE have defined a number of the standards which describe how hardware can be used to group and transmit data in a sensible/orderly fashion.
Ethernet
An Ethernet frame contains a header and data; the data (payload) may be up to 1500 bytes in size.
– This payload limit is commonly known as the MTU (Maximum Transmission Unit) and is dependent upon the media.
– Gigabit (1000BaseX) equipment commonly supports larger "jumbo" frames, but this is a vendor feature that both ends and every switch in between must be configured for, not part of the 802.3 standard.
Each frame has a source and destination address of 48 bits. Layer 2 of the OSI model defines addressing for hardware on a single network segment. Special addresses allow for broadcast (all 1s).
Ethernet may be shared media but more commonly is point to point via a switch. Ethernet can be half or full duplex on twisted pair or fibre.
Performs amazingly well, even on shared media, when the network is built to correct specifications. Most problems are caused by out of specification networks.
– Length restrictions must be adhered to.
– Avoid electrical interference from power, lights etc.
Predominant network technology.
Ethernet uses CSMA/CD (Carrier Sense Multiple Access/Collision Detection) to detect and handle collisions. When two nodes transmit at the same time the following happens:
– Prior to transmission a node looks to see if anyone is sending data (frames).
– Nodes transmit data (frames).
– Whilst transmitting the nodes also listen for other data on the segment.
– If someone else is communicating at the same time then a collision occurs.
– Devices transmitting will see the collision and then back off for a random period of time.
Ethernet Naming Rules
The term Ethernet refers to a family of networking technologies including Fast Ethernet, Gigabit Ethernet and 10Gb Ethernet. The most common names are below, and are under the IEEE 802.3 standard:
– 10 Base 2 (IEEE 802.3a)
– 10 Base 5 (IEEE 802.3)
– 10 Base T (IEEE 802.3i)
– 100 Base TX (IEEE 802.3u)
– 1000 Base T (IEEE 802.3ab); 1000 Base X over fibre is IEEE 802.3z
Ethernet encapsulates data from higher layers in the OSI model into frames. Within the Ethernet standard a sublayer called Media Access Control (MAC) defines how to encode information into frames and how to transmit it over the wire.
Collisions are not so much of an issue today with switching, since each switch port is its own collision domain.
The lowest level of addressing is dictated by the network hardware and is encoded in Ethernet frames. Ethernet devices (NICs - Network Interface Cards) are assigned unique 6 byte addresses (48 bits) at the time of manufacturing (sometimes this isn't true, and on most systems the address can be overridden in software, so it must not be relied upon for authentication).
For example the Ethernet controller on my Macintosh has the address 00:0a:95:9e:cd:76. This is used to uniquely identify my computer on the local network, also known as a segment. It is used by the link layer to deliver frames hop-to-hop on that segment; it plays no part in routing between networks, where IP addresses are used instead.

Layer 3 - Network Layer. The Internet Protocol
The contents of a frame is a packet - an IP (RFC791) packet generally has the following elements.
– Source Address.
– Destination Address.
– Time (TTL - time to live).
– Options (define extra behaviour).
– Checksum (covering the header only, not the data).
IP packets generally contain all the information essential to send a message to a destination.
When a computer is preparing to transmit data the data is broken down into packets (layer 3), which are then framed (layer 2) and transmitted over a particular media. Framing means adding extra information.
You need to understand that at the Network layer other protocols may exist e.g. IPX, AppleTalk. Things like ICMP also operate at this layer.
IP as a protocol also defines routing. The internet is a collection of networks which are interlinked using a number of varied links. Routing is the notion of moving a packet from one network to another and ultimately to its destination.
Each packet is independent and is routed independently. Packets may arrive via different routes and in any order.
Packets may have to be transmitted as multiple frames with each frame containing an IP fragment. Frames may arrive out of order or be missing. If a packet cannot be reassembled inside a reasonable time, it is discarded. There is no acknowledgement of packets or fragments.
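The encapsulation described under "Protocol data units" and the IP header fields listed just above, as an added worked example (not code from the original notes): it builds an IPv4 header with the RFC 791 header checksum, wraps it in an Ethernet II frame, then de-encapsulates and verifies it the way a receiver does, and shows the per-hop TTL decrement a router performs. The addresses are the lecture's own sample values; the payload, the identification field and the omission of IP options and the Ethernet FCS are this example's simplifications.

```python
"""Encapsulation of an IPv4 packet inside an Ethernet frame, and the reverse.

Constructed example for these lecture notes, not code from the original page.
Addresses are the lecture's sample values; payload and ID field are arbitrary.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
# version/IHL, TOS, total length, ID, flags+fragment offset, TTL, protocol, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64, proto: int = 1) -> bytes:
    """Layer 3 encapsulation: prepend a 20-byte IPv4 header (no options) to the payload."""
    ver_ihl = (4 << 4) | 5                    # IPv4, header length 5 x 32-bit words
    fields = [ver_ihl, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack(IPV4_HDR, *fields))   # computed with the field zeroed
    return struct.pack(IPV4_HDR, *fields) + payload


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_frame(src_mac: str, dst_mac: str, packet: bytes) -> bytes:
    """Layer 2 encapsulation: 14-byte Ethernet II header in front of the packet (FCS omitted)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def parse_frame(frame: bytes) -> dict:
    """De-encapsulate layer 2: strip the Ethernet header and hand the payload upward."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(packet: bytes) -> dict:
    """De-encapsulate layer 3: verify the header checksum, then strip the header."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # Summing the header *including* the stored checksum yields 0 when it is intact.
    checksum_ok = ip_checksum(packet[:ihl]) == 0
    return {"version": ver_ihl >> 4, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": checksum_ok, "payload": packet[ihl:total_len]}


def forward_hop(packet: bytes) -> bytes:
    """What a router does per hop: decrement TTL and recompute the checksum (assumes no options)."""
    fields = list(struct.unpack(IPV4_HDR, packet[:20]))
    if fields[5] <= 1:
        raise ValueError("TTL expired: drop the packet and send ICMP Time Exceeded")
    fields[5] -= 1
    fields[7] = 0
    fields[7] = ip_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + packet[20:]


if __name__ == "__main__":
    pkt = build_ipv4("130.130.68.12", "130.130.68.36", b"hello, layer 3")
    frame = build_frame("00:0a:95:9e:cd:76", "ff:ff:ff:ff:ff:ff", pkt)
    inner = parse_ipv4(parse_frame(frame)["payload"])
    print(inner["src"], "->", inner["dst"], "ttl", inner["ttl"], "checksum ok:", inner["checksum_ok"])
```

Note that the checksum only detects accidental corruption of the header: anyone who can rewrite the packet can also recompute it, which is exactly what a router (or an on-path attacker) does in forward_hop.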
If you want reliability, you need higher levels in the protocol stack to arrange for acknowledgement and/or retransmission of packets.
If a whole IP packet is discarded:
– The source must retransmit the entire packet.
– There is no way to retransmit just the missing fragments.
In addition to defining the layout of data in a packet, IP defines how hosts on a network are identified. Specifically IP defines a concept called IP addresses, which are used to uniquely identify hosts on a network or the broader internet. The addressing scheme is hierarchical in nature. That said, the hardware also plays a significant role here too.

IP addressing
IP addresses are used to uniquely identify hosts on a network. Currently most use the IPv4 protocol, which has a 4 byte address. This means there can be a maximum of 2^32 nodes on the Internet (this can be fudged, e.g. with NAT, see below). The address is divided into two parts - the network and the host. The network component identifies the grouping of addresses the host belongs to.
The addresses are written as 4 octets (32 bits in groups of 8) e.g.
– 130.130.68.12
A special address exists called loopback which refers to the host itself: 127.0.0.1
A network controller can have one or more IP addresses bound to it. We use the ifconfig program to manage IP addresses on interfaces in Unix (on modern Linux, ip addr from iproute2).

IP address structure
IP addresses have been broken into classes (groupings) since the dawn of time. The class determined the size of the network and host portion of each address. This has changed though, due to the fact that addresses were being wasted.
Classful addressing vs. classless addressing
Class A, B and C once had fixed subnet masks. This resulted in wastage of addresses. CIDR (Classless Inter-Domain Routing) was created allowing IP addresses to be broken down in any manner. The same can be said for VLSM (Variable Length Subnet Masking).
Typically the netmask is bitwise ANDed with the IP address to identify its network address i.e. which grouping it belongs to.
For example let's consider
– 130.130.68.12
– with a netmask of 255.255.255.0
If we write it down on paper we get (notice the 4 octets):
10000010 | 10000010 | 01000100 | 00001100
AND
11111111 | 11111111 | 11111111 | 00000000
Produces
10000010 | 10000010 | 01000100 | 00000000
Meaning the network address is: 130.130.68.0

CIDR notation
A classless IP address is often represented using slash notation, which is the IP address followed by a slash and the length of the mask, for example
– 202.23.23.44/22
The number of usable hosts in a subnet is calculated using the following formula;
– 2^(32 - maskbits) - 2
(the two subtracted are the network address and the broadcast address.)
A broadcast address is reserved for each IP subnet. The address is used to speak to all IPs on the subnet with one packet. You can compute the broadcast address by bitwise ORing the IP address with the one's complement of the mask. The host address bits are all set to 1. It is always the highest address in the subnet.

Calculating parameters
Let's imagine we have the IP address 192.168.40.31 with the mask 255.255.255.0 (/24). Let's calculate the network address and broadcast address: ANDing with the mask gives the network address 192.168.40.0, and ORing with the inverted mask (0.0.0.255) gives the broadcast address 192.168.40.255.

Subnetting
By looking at an address we can identify what class it belongs to e.g. 151.30.22.12 is a class B network, /16. Sometimes though these groupings are too restrictive. You may want to break a group of addresses into smaller chunks. To do this you have to choose the number of subnets you want OR the number of hosts you want in each subnet.
Let's imagine we have the address space 192.168.18.0/24. This is a class C (private) network. Let's say we want to divide it into 8 subnets. In order to do this we work out how many bits are needed to represent 8. In this case 2^3 = 8. We need three additional bits to represent the subnet, so we simply add 3 to the mask. The result is 8 subnets with the network addresses of 192.168.18.n/27.
We now need to find the 8 values of n which identify each subnet. To do this we need to work out how many addresses we will have in each subnet.
– 2^(32 - 27) = 32
However each subnet will have 30 usable hosts in it (the other two are the network and broadcast addresses).
This means that our class C is now broken down into 8 smaller subnets, each starting 32 addresses after the previous one.
– 192.168.18.0/27
– 192.168.18.32/27
– 192.168.18.64/27
– 192.168.18.96/27
– 192.168.18.128/27
– 192.168.18.160/27
– 192.168.18.192/27
– 192.168.18.224/27

Supernetting
Let's now consider a different example. In this example let's say we want to have at least 1400 hosts in each subnet. How many bits will we need to represent this? 11 (2^11 = 2048). We now know that for a subnet to have 2048 addresses (a little more than we need, but the only game in town) we need 11 host bits, leaving 32 - 11 = 21 network bits.
Now if we have a class A or B we have more than enough bits for the hosts. All you do is simply choose one network address and tell it that it's now a /21.
However sometimes we may need to use an aggregate of private class Cs e.g. 192.168.n.n. We know we need 21 bits for the network. To do this we write down the subnet mask.
11111111.11111111.11111000.00000000
Once we have done this we want to find network addresses that do not spill into the last 11 bits, i.e. whose third octet is a multiple of 8. These would be;
– 192.168.0.0/21
– 192.168.8.0/21
– 192.168.16.0/21
– 192.168.24.0/21
– ...
– 192.168.248.0/21
Each of these networks has room for 2046 hosts. In this example we combined several private class C networks to form a larger network.

Network allocation
Allocation of networks is controlled by organisations such as ICANN. In Asia Pacific we depend on APNIC to allocate addresses.

Private addresses
RFC1918 defines a set of address ranges which are private. This means anyone can use them in their networks. The only problem is they are not routable on the public Internet i.e. they can not be reached from the Internet - for the very reason that they are private.
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Network Address Translation
What if you had a private network but wanted to talk to the Internet? You need a router (gateway) running a piece of software e.g. ipf (BSD firewall software).
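The subnet arithmetic from the preceding sections (network address by AND with the mask, broadcast by OR with the inverted mask, the host-count formula, splitting 192.168.18.0/24 into /27s and choosing /21 blocks for 1400 hosts), as an added worked example that is not code from the original notes. It generalises the text's two cases to any prefix split and any host count; the function names are this example's own, and the standard library ipaddress module is used only to cross-check the hand-rolled bit operations.

```python
"""Subnet arithmetic from the lecture notes, generalised.

Constructed example for these notes, not code from the original page. The
addresses are the ones used in the text; ipaddress only cross-checks results.
"""
import ipaddress


def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def mask_from_prefix(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits set, the host bits clear."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def network_address(ip: str, prefix: int) -> str:
    """Address AND mask, as in the worked binary example."""
    return to_str(to_int(ip) & mask_from_prefix(prefix))


def broadcast_address(ip: str, prefix: int) -> str:
    """Address OR one's complement of the mask: every host bit set to 1."""
    host_bits = ~mask_from_prefix(prefix) & 0xFFFFFFFF
    return to_str(to_int(ip) | host_bits)


def usable_hosts(prefix: int) -> int:
    """2^(32 - maskbits) - 2; the two are the network and broadcast addresses."""
    return max(2 ** (32 - prefix) - 2, 0)


def split(network: str, prefix: int, new_prefix: int) -> list:
    """Carve network/prefix into equal new_prefix blocks, e.g. a /24 into eight /27s,
    or 192.168.0.0/16 into the /21 supernets listed in the notes."""
    if not prefix <= new_prefix <= 32:
        raise ValueError("new prefix must lie between the block's prefix and 32")
    base = to_int(network_address(network, prefix))
    step = 2 ** (32 - new_prefix)                  # addresses per block
    count = 2 ** (new_prefix - prefix)             # number of blocks
    return ["%s/%d" % (to_str(base + i * step), new_prefix) for i in range(count)]


def prefix_for_hosts(hosts: int) -> int:
    """Largest prefix (smallest block) whose usable host count is at least `hosts`."""
    host_bits = (hosts + 2 - 1).bit_length()       # ceil(log2(hosts + 2))
    return 32 - host_bits


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """The test a host makes before sending: deliver directly, or hand to the router?"""
    return network_address(a, prefix) == network_address(b, prefix)


def cross_check(network: str, prefix: int, new_prefix: int) -> bool:
    """Agree with the standard library's own subnet enumeration?"""
    net = ipaddress.ip_network("%s/%d" % (network, prefix))
    return split(network, prefix, new_prefix) == [str(n) for n in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print(network_address("130.130.68.12", 24), broadcast_address("192.168.40.31", 24))
    for s in split("192.168.18.0", 24, 27):
        print(s)
    print("/%d needed for 1400 hosts, giving %d usable" % (prefix_for_hosts(1400), usable_hosts(21)))
```

A practical check: any firewall rule or allow-list written as address/prefix is interpreted by exactly this arithmetic, so an off-by-one in the prefix (a /23 where a /24 was intended) silently doubles the permitted range.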
The machine providing the NAT service would be multi-homed i.e. have multiple network interfaces. In the previous diagram you saw that the gateway machine's Ethernet (hme0) interface has the address 192.168.1.1. The gateway machine is connected to the Internet with a modem (ppp0). The address of that interface is 130.130.68.16 with a mask of 255.255.255.0.
Network Address Translation works by rewriting packets. When a packet is sent from a host in the internal network, its source address is rewritten by the gateway (if the destination is outside). The gateway maintains a table of all rewrites so responses can be forwarded on. The source port number of outgoing packets may also be altered, allowing many internal addresses to be mapped onto one public address. Because an inbound packet is only forwarded if it matches an entry in that table, unsolicited connections from the Internet to internal hosts are dropped; NAT is not a substitute for a firewall, though, and the gateway still needs explicit filtering rules.

Routers and Routing Protocols
Routers can determine the best route between two or more networks. A router operates at the network layer of the OSI model. Because routers work at the network layer they do not care about link layer protocols. Hence you can have a router with multiple interfaces using different protocols. Routers are commonly known as gateways or forwarders.

IP Routing
A router is a device for routing IP packets. It validates the IP header checksum, decrements the TTL, and sends the packet on to the next hop. It does not reassemble fragments: each fragment is forwarded independently, and a packet may be fragmented further if the next link's MTU is smaller. Reassembly happens only at the final destination. (Modern switch/routers may also do cut-through switching, but conceptually this is the same.)
Each link in the network may have differing low level protocols (Ethernet, gigabit Ethernet, ATM, FDDI, SLIP, PPP, IP over SONET) with differing frame sizes. Thus a packet may be fragmented on some links but not others.
Before an IP packet can be sent to its destination, a route must be determined. There are only 2 possibilities.
– The destination address belongs to a machine on the same subnet as the source. The packet can be sent directly to the destination.
– The destination address belongs to a machine on a different subnet from the source.
The packet must be sent to a router which will arrange for the packet to be forwarded, possibly via additional routers, to the destination.
Routers are also called gateways (they gateway from one network to another). A route maps a destination IP address to a local network (interface) or to a router. If the destination is not on a locally connected network, the route table will indicate a router to send the packet to.
Remember that IP routing does not require any entity to know the entire network. A route in this case is not a path through the network to the destination. It is a single step to the destination or a single step to a router which will send the packet further on its way.

A simple example
Let's consider a really simple example:
– Machine A has a single interface with address 130.130.68.4 (netmask 255.255.255.0)
– It wants to send a packet to 130.130.68.36
The first step is to work out what network the destination is on. Apply the subnet mask to determine the destination network.
– 130.130.68.36 & 255.255.255.0 = 130.130.68.0
The next step is to find the destination in the route table. A simplified route table is generated by the netstat -r command.
Destination     Mask             Gateway          Flags  Interface
130.130.68.0    255.255.255.0    130.130.68.4     U      hme0
default         0.0.0.0          130.130.68.254   UG
– This sort of small route table is typical of hosts.
– Since they usually have a single interface on a single subnet, they only require a few entries in the table and a default route to the router off the subnet.
– The special entry "default" matches anything.
– It is only used if no other match is found.
The first entry matches. This entry has no G flag (meaning it is not a gateway (router)) so it must be an interface. Thus the destination is directly reachable. We can now send out an ARP request on the interface to find the MAC address of the destination. If we get a reply, we can send the IP packet via Ethernet frame(s) to the destination. If we get no reply from the ARP request, the target machine cannot be reached.
– Return a "destination unreachable" error code back to the client application.
Let's consider a slightly different example where the destination is 192.56.24.5. Mask to find the network:
– 192.56.24.5 & 255.255.255.0 = 192.56.24.0
– No specific entry matches, so the entry "default" matches, since it matches everything. In this case the G flag indicates the entry refers to a router. The address of the router is 130.130.68.254.
So, now we have the interface, send an ARP request to get the MAC address of the router, and send the frame to the router with the IP destination still set to 192.56.24.5. In the more likely case that the destination address is not the router itself, the router will use a very similar algorithm to send the packet on to someone else.

A route table example
Here is a simple routing table on a BSD/Linux machine. The machine in question has multiple interfaces.
# netstat -r
Destination       Mask               Gateway          Flags  If
132.236.227.0     255.255.255.0      0.0.0.0          U      e0
default           0.0.0.0            132.236.227.1    UG     e0
132.236.212.0     255.255.255.192    0.0.0.0          U      e1
132.236.220.64    255.255.255.192    132.236.212.6    UG     e1
127.0.0.1         255.255.255.255    255.0.0.0        U      lo0
What do you think this network looks like diagrammatically?
The fourth route says to reach network 132.236.220.64/26 we must send packets to gateway 132.236.212.6 via interface e1.
We can add routes by using the route command;
# route add -net 132.236.220.64 netmask 255.255.255.192 \
    132.236.212.6
# route add default 132.236.227.1
Routes can be dynamic - i.e. routers can learn from one another. To do this we typically use a daemon called routed or gated (today more commonly FRR/Quagga or BIRD). These daemons communicate with one another to find out the routes to distant destinations.

Final example
Let's consider the following network topology. Here is the routing table for this 'mess'. This is the table for R1.
# netstat -r
Destination     Mask               Gateway          Flags  If
192.168.5.20    255.255.255.255    192.168.10.7     UGH    e1
192.168.1.81    255.255.255.255    192.168.10.5     UGH    e1
192.168.10.0    255.255.255.0      0.0.0.0          U      e1
192.168.18.0    255.255.254.0      0.0.0.0          U      e0
192.168.64.0    255.255.192.0      192.168.10.5     UG     e1
192.168.128.0   255.255.192.0      192.168.10.7     UG     e1
127.0.0.1       0.0.0.0            255.0.0.0        U      l0
default         0.0.0.0            192.168.10.20    UG     e1
The first two entries are host routes (denoted by the H flag and the mask of 255.255.255.255); both these routes have a gateway on the 192.168.10.0/24 network. In effect they are routes to single hosts. A U means the route is up (usable).
The next two entries are the locally attached networks on interfaces e1 and e0. The gateway of 0.0.0.0 implies a local interface. The router has legs into both networks and thus has two interfaces. This is implied by the lack of a G.
The next two entries are routes to remote networks (192.168.64.0/18 and 192.168.128.0/18) which point out over gateways on the router network.
The last route is the default route - all traffic that has not matched anything else goes here. In this example the default route points to the host 192.168.10.20. This machine could be an internet router or a firewall.
Note also that entries are matched by longest prefix: a packet for 192.168.5.20 matches the /32 host route in preference to the default, and a packet for 192.168.19.7 matches the /23 on e0 even though the default would also match.

Route Propagation
So far we have seen how we can manually encode routes into devices. This is great but does not scale in the enterprise. Normally in the enterprise we use routing protocols to 'broadcast' such route information to other nodes in the network.

Routing protocols
There are two classes of routing protocols:
– Intra Domain (interior) - within the confines of an organisation. Examples of such protocols are RIP and OSPF.
– Inter Domain (exterior) - routing between organisations/networks. Examples include BGP.

The RIP protocol
Routers and hosts talk to each other to exchange route information. The simplest protocol is RIP (Routing Information Protocol). This is a distance vector routing algorithm. In this model each node in the network (capable of routing) maintains a table with the distance to each destination network.
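The route lookup walked through in the two examples above (mask the destination, pick the matching entry, ARP for either the destination or the gateway depending on the G flag), as an added worked example that is not code from the original notes. It runs the lookup over the R1 table, transcribed here as constructed sample input with the loopback entry written in the conventional 127.0.0.0/8 form, and applies longest-prefix matching so that host routes beat network routes and everything beats the default. The last check shows why route tables are a security boundary: a more specific entry that arrives from an untrusted source (for example an unauthenticated routing update) wins the lookup and redirects traffic.

```python
"""Route lookup over a BSD-style netstat -r table with longest-prefix match.

Constructed example for these notes, not code from the original page. The
table is the lecture's R1 table, re-typed as sample input.
"""
import ipaddress

# Destination  Mask  Gateway  Flags  Interface (U = up, G = via gateway, H = host route)
R1_TABLE = """\
192.168.5.20    255.255.255.255  192.168.10.7   UGH  e1
192.168.1.81    255.255.255.255  192.168.10.5   UGH  e1
192.168.10.0    255.255.255.0    0.0.0.0        U    e1
192.168.18.0    255.255.254.0    0.0.0.0        U    e0
192.168.64.0    255.255.192.0    192.168.10.5   UG   e1
192.168.128.0   255.255.192.0    192.168.10.7   UG   e1
127.0.0.0       255.0.0.0        0.0.0.0        U    lo0
default         0.0.0.0          192.168.10.20  UG   e1
"""


def ip_int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_table(text: str) -> list:
    """One dict per line; 'default' is the all-zero destination with an all-zero mask."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dest, mask, gateway, flags, iface = line.split()
        if dest == "default":
            dest = "0.0.0.0"
        routes.append({"dest": ip_int(dest), "mask": ip_int(mask), "gateway": gateway,
                       "flags": set(flags), "iface": iface,
                       "prefix": bin(ip_int(mask)).count("1")})
    return routes


def lookup(routes: list, destination: str) -> dict:
    """Pick the route and the address we must ARP for on the chosen interface."""
    dst = ip_int(destination)
    best = None
    for r in routes:
        if "U" not in r["flags"]:
            continue                                    # route is down: ignore it
        if dst & r["mask"] != r["dest"] & r["mask"]:
            continue                                    # destination not inside this entry
        if best is None or r["prefix"] > best["prefix"]:
            best = r                                    # longest prefix wins; /0 default loses to all
    if best is None:
        raise LookupError("no route to host: " + destination)
    via_gateway = "G" in best["flags"]
    return {"iface": best["iface"],
            "next_hop": best["gateway"] if via_gateway else destination,  # who we ARP for
            "via_gateway": via_gateway,
            "host_route": "H" in best["flags"],
            "prefix": best["prefix"]}


ROUTES = parse_table(R1_TABLE)

if __name__ == "__main__":
    for d in ("192.168.5.20", "192.168.19.7", "192.168.100.1", "192.168.150.2", "8.8.8.8"):
        print(d, lookup(ROUTES, d))
    rogue = parse_table("192.168.100.0  255.255.255.0  192.168.10.66  UG  e1\n")
    print("after a rogue /24 is learned:", lookup(ROUTES + rogue, "192.168.100.1")["next_hop"])
```

On a real host the equivalent query is `ip route get 192.168.100.1` (Linux) or `route get 192.168.100.1` (BSD), which is the quickest way to check which gateway a machine will actually use for a given destination.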
Such information is shared periodically and when there is a change to topology. Each router will broadcast a RIP packet every 30 seconds. If a router fails, nearby routers will discover this after a few missed updates (RIP expires a route after 180 seconds without an update). They will update their route tables accordingly. When they broadcast their route tables, other routers will be aware of the route changes. Obviously, this can take a few minutes to propagate to all the routers who need to know.
Routes may also be set up statically by the SA and machines instructed not to listen to RIP for security or reliability reasons. A host that listens to RIP will accept route advertisements from anyone on the segment, which lets an attacker redirect its traffic; RIPv1 has no authentication and RIPv2 only optional (password or MD5) authentication.
RIP is too simple for large complex routing problems or systems requiring security. Other protocols such as BGP, IGRP and OSPF were developed to make the Internet work with large complex routing configurations. OSPF is a link state routing protocol which is much more efficient than the others. The routing problems for Internet routers are beyond the scope of this course.

ICMP
ICMP (Internet Control Message Protocol) is used for error or control (query) messages between hosts, not applications. IP itself has no way to report that a packet could not be delivered; ICMP is used to solve this problem. Examples of such errors include;
– destination unreachable
– source quench
ICMP is part of the network layer and is carried inside IP packets (IP protocol number 1).
Error reports:
– Destination Unreachable. If a router cannot route a packet to a destination it will return this ICMP error. Such messages indicate errors associated with fragmentation, unknown networks and network/host unreachable.
– Source Quench - a flow control mechanism (now deprecated and ignored by modern hosts).
– Time Exceeded - partly as a result of routing loops (TTL reaching zero) OR exceeded time on packet reassembly as a result of fragmentation.
Queries:
– Echo Request/Reply (what ping uses).
– Timestamp Request/Reply.

Transmission Control Protocol
Layered over the top of IP. Provides a reliable full duplex virtual circuit. Takes care of packets out of order, retransmission and variable data rates. Used by things like telnet, ftp and ssh where a reliable, full-duplex data stream is required.
TCP Session Establishment, Maintenance and Termination
One of the functions of the transport layer is to establish a connection oriented session with its peer. For data transfer to begin both sending and receiving applications inform their respective operating systems that a connection will be initiated. One machine will attempt to connect to the other after this is done.
When the machine connects to its destination for the first time we call this a synchronisation handshake. The first segment (SYN) carries the initiator's starting sequence number; the second (SYN/ACK) acknowledges it and carries the responder's own starting sequence number; the third (ACK) confirms the responder's number, and the session is then established. When the session is being negotiated a number of parameters are agreed upon, one being the sliding window.

Three way handshakes
Before a connection is established, the two hosts must synchronise their initial sequence numbers. Segments carry sequence numbers which identify their position in the byte stream of a session. This allows the sender to retransmit them in the event they get lost.
The initial sequence numbers are randomly generated by the hosts - this has the good side effect of making it harder to attack a session, e.g. by blindly injecting data or RST segments into it. An attacker on the path who can see the traffic still knows the sequence numbers, so this is no substitute for encryption and authentication at a higher layer (e.g. TLS or SSH).
The process requires both sides of the connection to send their own initial sequence number via a SYN packet. Each side must receive the other side's SYN and confirm it with an ACK (acknowledgement). The three way handshake is important not only to negotiate the sequence numbers for packets but other parameters such as window size. We call this the SYN/ACK sequence. As I said, it is used to negotiate the connection and set parameters e.g. window size and starting sequence number for each direction.

Congestion
As data transfers between the two end points, congestion can occur. This congestion occurs for a number of reasons e.g. throughput and network latencies. If too much traffic arrives quickly at the destination then there is the possibility that the buffer in which the data is stored, before the application reads it, overflows.
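The three-way handshake and the sequence-number bookkeeping described above, as an added worked example that is not code from the original notes. Two simulated endpoints exchange SYN, SYN/ACK and ACK with random initial sequence numbers, the client then sends in-order data, and an off-path attacker spoofs the client's port with a guessed sequence number, which the server discards. The TcpEndpoint class, port numbers and payloads are this example's own simplifications; it models only sequence and acknowledgement state, and its receive check is stricter than a real stack's.

```python
"""Three-way handshake with random ISNs, one in-order data segment, and a blind
injection attempt (guessed sequence number) that the receiver discards.
Constructed example for these notes, not code from the original page: ports,
payloads and the TcpEndpoint class are this example's own simplifications."""
import secrets
from dataclasses import dataclass

MOD = 2 ** 32                      # sequence numbers wrap at 32 bits


@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: frozenset
    payload: bytes = b""


class TcpEndpoint:
    def __init__(self, port: int):
        self.port = port
        self.state = "CLOSED"
        self.snd_nxt = 0           # next sequence number we will send
        self.rcv_nxt = 0           # next sequence number we expect from the peer
        self.received = b""
        self.dropped = 0           # segments discarded for a bad seq/ack

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer_port: int) -> Segment:
        """SYN carrying a random ISN, unpredictable to an off-path attacker."""
        iss = secrets.randbelow(MOD)
        self.snd_nxt = (iss + 1) % MOD           # the SYN consumes one sequence number
        self.state = "SYN_SENT"
        return Segment(self.port, peer_port, iss, 0, frozenset({"SYN"}))

    def send(self, peer_port: int, data: bytes) -> Segment:
        seg = Segment(self.port, peer_port, self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}), data)
        self.snd_nxt = (self.snd_nxt + len(data)) % MOD
        return seg

    def handle(self, seg: Segment):
        """Process one incoming segment; return the reply segment, or None."""
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            iss = secrets.randbelow(MOD)         # our own random ISN
            self.rcv_nxt = (seg.seq + 1) % MOD
            self.snd_nxt = (iss + 1) % MOD
            self.state = "SYN_RECEIVED"
            return Segment(self.port, seg.src_port, iss, self.rcv_nxt, frozenset({"SYN", "ACK"}))
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != self.snd_nxt:          # must acknowledge exactly our ISN + 1
                self.dropped += 1
                return None
            self.rcv_nxt = (seg.seq + 1) % MOD
            self.state = "ESTABLISHED"
            return Segment(self.port, seg.src_port, self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))
        if self.state == "SYN_RECEIVED" and seg.flags == {"ACK"}:
            if seg.ack == self.snd_nxt and seg.seq == self.rcv_nxt:
                self.state = "ESTABLISHED"
            else:
                self.dropped += 1
            return None
        if self.state == "ESTABLISHED" and "ACK" in seg.flags:
            # Only the next expected byte is accepted here (a real stack accepts any
            # in-window segment, which is why RFC 5961 tightened these checks).
            if seg.seq != self.rcv_nxt:
                self.dropped += 1
                return None
            if not seg.payload:
                return None                      # pure ACK: nothing to deliver
            self.received += seg.payload
            self.rcv_nxt = (self.rcv_nxt + len(seg.payload)) % MOD
            return Segment(self.port, seg.src_port, self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))
        self.dropped += 1
        return None


def handshake(client: TcpEndpoint, server: TcpEndpoint) -> bool:
    """SYN -> SYN/ACK -> ACK; True when both ends reach ESTABLISHED."""
    syn = client.connect(server.port)
    syn_ack = server.handle(syn)
    ack = client.handle(syn_ack)
    server.handle(ack)
    return client.state == server.state == "ESTABLISHED"


def blind_injection(server: TcpEndpoint, client_port: int, guessed_seq: int, data: bytes) -> bool:
    """Off-path attacker spoofs the client's port with a guessed sequence number."""
    forged = Segment(client_port, server.port, guessed_seq % MOD, 0, frozenset({"ACK"}), data)
    return server.handle(forged) is not None     # True only if the guess was accepted


if __name__ == "__main__":
    c, s = TcpEndpoint(40000), TcpEndpoint(22)
    s.listen()
    print("established:", handshake(c, s))
    s.handle(c.send(22, b"SSH-2.0-client\r\n"))
    print("injected:", blind_injection(s, 40000, c.snd_nxt + 100000, b"evil"), "buffer:", s.received)
```

The injection fails only because the attacker cannot see the real sequence numbers; an attacker who can sniff the segment (on the same shared segment, or on the path) has them, which is the reason the notes recommend ssh over telnet rather than relying on TCP alone.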
TCP solves this problem by advertising to the peer on the other end a receive window (the amount of data it is currently willing to accept); a window of zero tells the sender to stop. If TCP did not do this data would be lost, hence corrupting a session.

Windowing in TCP
TCP is a reliable protocol. It ensures packets are delivered to their destination. Data must be delivered to the host in the same order it was transmitted. If a sender had to wait for an acknowledgement on sending each packet/segment then this would yield poor throughput. As a result most protocols allow more than a single packet/segment to be outstanding at a time. The number of data packets the sender is allowed to have outstanding without receiving an ackn