TCPIP Basics - PowerPoint PPT Presentation
Provided by: dga5
Slides: 28

Transcript and Presenter's Notes

1
TCP/IP Basics
  • A review for firewall configuration

2
Configuring a firewall
  • Primary approach to configuring a firewall
  • Study service
  • IP ADDRESSES
  • PORTS
  • Set up rules for allowing or denying access to
    the services you want utilized.
  • Problem
  • Some of the issues are more subtle than IP/PORT

3
IP Basics
  • IP encapsulates TCP
  • IP packets travel through many different routers
    (hops) before reaching its destination
  • MTU variation at the physical layer requires IP
    to fragment the message into smaller units along
    the way
  • Reassembly is an option at each hop.
  • IP does NOT guarantee delivery!

4
IP Fragmentation
[Figure: IP fragmentation across routers (R). Top row: a 1000 b datagram is split into two 500 b fragments and then into four 250 b fragments as the link MTU shrinks. Bottom row: a 1000 b datagram is split into two 500 b fragments and reassembled to 1000 b at a later hop.]
Every link has the potential to dictate adjusting the size of frames. It is possible to reassemble at any point.
5
What if frames are lost?
[Figure: four 250 b fragments, numbered 1 to 4, travelling through routers (R) toward the receiving computer.]
The receiving computer will hold the first 2 frames awaiting the 3rd. After a period of time, a timer expires and the IP level passes the 500 bytes up and stops looking for the other pieces. TCP (NOT IP) then will acknowledge receipt of 500 more bytes to the sending TCP layer. If the first frame is lost, NONE are passed up to TCP.
6
IP Summary
  • Fragmentation results in delivery of frames which
    are potentially smaller than the original
    transmission.
  • Some of the frames can be lost
  • If a message is fragmented and frames are lost,
    all frames up to the first lost frame are passed
    up to the receiving TCP and all subsequent
    frames are dropped.
  • TCP views this as a stream and is unaware of the
    loss of frames. It just accepts the next n
    bytes, acks the receipt, and waits for subsequent
    data.

7
TCP basics
  • Connection-oriented
  • Sets up the connection prior to data transmission
  • SYN and 3-way handshake
  • Guarantees delivery of data
  • Sender holds a copy of the data for
    retransmission if necessary
  • Receiver ACKs specific byte positions in the
    stream so the sender can resend from any byte
    position
  • Encapsulated by IP
  • Receiver tells sender its receive window size to
    limit rate of data arrival (flow control)

8
Consider How TCP and IP Work Together
9
TCP handling of fragmentation
[Figure: TCP handling of fragmentation. The sending Transport layer hands 2000 bytes to the Network (IP) layer; across the Physical links the data travels as 1000-byte units labelled 2501, 2502, 2503 and 2504; the receiving Transport layer acknowledges 500 bytes (ACK 500 bytes).]
10
What does the TCP frame look like?
[Figure: frame layout: Source Port | Destination Port | Length | Checksum | Data]
11
And after TCP is encapsulated in IP?
[Figure: IP Header | TCP | IP Trailer]
12
And if the encapsulated frame is fragmented?
[Figure: the encapsulated frame, assumed fragmented in 2 parts. Part 1: IP Header, TCP headers present, port info included. Part 2: IP Header and IP Trailer, no TCP headers, NO port info included.]
13
Back to the Firewall!
[Figure: the two fragments as seen by the firewall. Part 1 (port info included): the firewall CAN see the ports and knows what to do. Part 2 (no headers): the firewall CAN'T see the ports; what should it do?]
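The point of slides 11 to 13 is that after fragmentation only the fragment at offset 0 still carries the TCP header, so a packet filter that does not reassemble can read the ports from that fragment alone. The following Python example is added here to make that concrete; it is not code from the presentation. It builds a minimal TCP-in-IPv4 datagram between the two addresses the slides use (137.155.2.20 and 168.17.2.5; the ports 2987 and 80, the identification value and the 576-byte MTU are constructed sample values), fragments it the way IPv4 does (8-byte offset units, More Fragments flag), and reports what a non-reassembling filter learns from each fragment. Checksums are left at zero because nothing is sent.

```python
import socket
import struct

IPPROTO_TCP = 6          # IANA protocol number for TCP
IP_HEADER_LEN = 20       # IPv4 header without options
MF_FLAG = 0x2000         # "More Fragments" bit in the flags/fragment-offset field


def build_tcp_segment(sport, dport, payload):
    """Minimal 20-byte TCP header (no options) followed by payload.
    Sequence/ack numbers and checksum are zero: an illustration, not a sendable segment."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return header + payload


def fragment(ident, src, dst, proto, ip_payload, mtu):
    """Split one IP payload into IPv4 fragments that fit the link MTU.
    Non-final fragments carry a multiple of 8 data bytes; the offset field counts 8-byte units."""
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8
    fragments = []
    offset = 0
    while offset < len(ip_payload):
        chunk = ip_payload[offset:offset + max_data]
        more = offset + len(chunk) < len(ip_payload)
        flags_offset = (MF_FLAG if more else 0) | (offset // 8)
        header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HEADER_LEN + len(chunk), ident,
                             flags_offset, 64, proto, 0,
                             socket.inet_aton(src), socket.inet_aton(dst))
        fragments.append(header + chunk)
        offset += len(chunk)
    return fragments


def parse_ipv4(packet):
    """Decode the fixed IPv4 header fields a packet filter needs."""
    vihl, _tos, total_len, ident, flags_offset, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:IP_HEADER_LEN])
    ihl = (vihl & 0x0F) * 4
    return {
        "ident": ident,
        "more": bool(flags_offset & MF_FLAG),
        "offset": (flags_offset & 0x1FFF) * 8,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "data": packet[ihl:total_len],
    }


def firewall_view(packet):
    """What a non-reassembling packet filter can learn from one fragment.
    Only the fragment at offset 0 carries the TCP header, so only it exposes the ports."""
    ip = parse_ipv4(packet)
    ports = None
    if ip["proto"] == IPPROTO_TCP and ip["offset"] == 0 and len(ip["data"]) >= 4:
        ports = struct.unpack("!HH", ip["data"][:4])
    return {"ident": ip["ident"], "offset": ip["offset"], "more": ip["more"], "ports": ports}


def demo(mtu=576):
    """Fragment a constructed 1000-byte TCP-in-IP datagram and show each fragment's view."""
    segment = build_tcp_segment(2987, 80, b"X" * 980)   # 20-byte TCP header + 980 bytes = 1000 bytes
    frags = fragment(0x2501, "137.155.2.20", "168.17.2.5", IPPROTO_TCP, segment, mtu)
    return [firewall_view(f) for f in frags]


if __name__ == "__main__":
    for view in demo():
        print(view)
```

With a 576-byte MTU the datagram becomes two fragments: the first reports ports (2987, 80), the second reports offset 552 and no ports at all, which is exactly the "CAN'T see ports" case on the slide. A filter that matches on ports only will therefore make no decision on the second fragment unless it reassembles or applies a fragment-specific rule.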
14
Options to Solve Fragmentation
  • Reassembly can be forced at the firewall
  • Slows down transmission
  • Lets the firewall process the entire frame
    identically
  • Make sure the sender doesn't send frames which
    will be fragmented.
  • Path MTU discovery
  • uses ICMP to test for deliverability
  • Sends a message and marks it not to be fragmented
  • Looks for ICMP response saying too large
  • Repeat the process with a smaller packet if
    necessary
  • Firewall must allow ICMP

15
Options to Solve Fragmentation
  • Only filter the first frames in a fragmented
    sequence
  • Allow all others to pass through
  • Assume other frames will be trashed at the receiver
    if the first one doesn't make it through
  • Places undue traffic on network and receiver if
    the unfragmented sequence is to be filtered
  • Can be used to create denial of service
  • Allows attackers to substitute overlapping tail
    frames
  • Different OSs handle the repeated packets
    differently, i.e. which one do you keep?

16
More TCP Issues
17
TCP handshake/setup
[Figure: TCP handshake between Host A and Host B, plotted against time. Setup: Host A sends Ack 0, Syn 1; Host B replies Ack 1, Syn 1; Host A sends Ack 1, Syn 0. Data: Ack 1, Syn 0, and so on.]
18
TCP Connection Issues
  • Once you make a connection it can be used to
    transmit data bi-directionally
  • Inside clients -> out, is ok
  • Outside clients -> inside, is NOT ok (usually)
  • Deny the setup sequence and no connection can be
    established
  • If an attacker can determine the setup sequence
    number and window size, noise packets can be injected
  • Not a typical problem but possible

19
UDP Issues
20
UDP basics
  • No connection establishment
  • No special features of the frame to identify
    connection information
  • Requires a little more effort on the part of the
    firewall
  • Must remember what has happened in previous
    transmissions
  • This is a STATEFUL packet filter firewall

21
Stateful Packet Filter: Allowing if connected from inside
[Figure: Host A (INSIDE) sends UDP SP 2987 SA 137.155.2.20 DP 1000 DA 168.17.2.5 through the FIREWALL to Host B (OUTSIDE). The reply UDP SP 1000 SA 168.17.2.5 DP 2987 DA 137.155.2.20 is allowed back in because the firewall remembers the outbound datagram.]
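
Slide 18 says to deny the TCP setup sequence from outside, and slides 20 and 21 say a UDP filter must remember previous transmissions because UDP has no setup to key on. The following Python example, added here and not taken from the presentation, implements both rules in one small stateful filter. It uses the slide's UDP exchange (SP 2987 at 137.155.2.20 to DP 1000 at 168.17.2.5) as test traffic and assumes, since the slides give only the one inside host, that the inside network is 137.155.2.0/24; the TCP ports and the 30-second UDP state lifetime are constructed values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag (ignored for UDP)
    ack: bool = False   # TCP ACK flag


class StatefulFilter:
    """Stateful packet filter: connections may be initiated from inside only.

    TCP state is created by an outbound SYN (the setup sequence); an inbound SYN without ACK
    is refused, and every later packet of the connection is matched against the state in
    either direction. UDP state is created by any outbound datagram and lets the matching
    reply back in for udp_timeout seconds.
    """

    def __init__(self, inside="137.155.2.0/24", udp_timeout=30.0):
        self.inside = ipaddress.ip_network(inside)   # assumed inside network, see lead-in
        self.udp_timeout = udp_timeout
        self.tcp_state = set()    # 5-tuples of connections set up from inside
        self.udp_state = {}       # 5-tuple -> time of the last outbound datagram

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def check(self, pkt, now=0.0):
        """Return "allow" or "deny" for one packet."""
        outbound = self._is_inside(pkt.src) and not self._is_inside(pkt.dst)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.proto == "tcp":
            if pkt.syn and not pkt.ack:                 # connection setup (first handshake packet)
                if outbound:
                    self.tcp_state.add(key)
                    return "allow"
                return "deny"                           # outside -> inside setup is refused
            if key in self.tcp_state or reply_key in self.tcp_state:
                return "allow"                          # SYN/ACK, ACK and data of a known connection
            return "deny"
        if pkt.proto == "udp":
            if outbound:
                self.udp_state[key] = now               # remember what went out
                return "allow"
            last = self.udp_state.get(reply_key)
            if last is not None and now - last <= self.udp_timeout:
                return "allow"                          # reply to a remembered datagram
            return "deny"
        return "deny"                                   # anything else is not handled here


if __name__ == "__main__":
    fw = StatefulFilter()
    out = Packet("udp", "137.155.2.20", 2987, "168.17.2.5", 1000)
    back = Packet("udp", "168.17.2.5", 1000, "137.155.2.20", 2987)
    print("unsolicited reply:", fw.check(back, now=0.0))
    print("outbound:", fw.check(out, now=0.0), "reply:", fw.check(back, now=1.0))
```

Because TCP state is only ever created by an outbound SYN, the SYN/ACK and the data that follow are admitted purely on the remembered 5-tuple; the UDP side has no flags to rely on, which is why it needs the timestamp and the timeout rather than a permanent entry.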
22
ICMP
23
ICMP Basics
  • Lower than IP
  • Doesn't use ports
  • Frequently used at the firewall to
  • deny ping of death (too large message), and
  • deny denial of service (ping flood)
  • Denying is message-type specific
  • Denying precludes utility of a useful tool

24
ICMP Message types
  • Echo Request
  • Echo Response
  • Time Exceeded
  • Destination Unreachable
  • Redirect
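
Slides 23 and 24 make two points: ICMP has no ports, so the firewall can only decide by message type, and the two classic abuses are an over-long echo message and an echo flood. The Python example below is added to show a type-specific policy with both checks; it is not from the presentation. The rules it encodes are assumptions for the example: inbound Redirect is refused, an echo datagram longer than max_echo_len bytes after reassembly is treated as a ping-of-death attempt, and more than max_echo_per_window Echo Requests from one source inside the window are treated as a flood. The type numbers are the IANA values for the five message types listed on slide 24.

```python
from collections import defaultdict, deque

# ICMP message types named on the slides, with their IANA numbers
ECHO_REPLY, DEST_UNREACHABLE, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
ICMP_NAMES = {
    ECHO_REPLY: "Echo Reply",
    DEST_UNREACHABLE: "Destination Unreachable",
    REDIRECT: "Redirect",
    ECHO_REQUEST: "Echo Request",
    TIME_EXCEEDED: "Time Exceeded",
}


class IcmpPolicy:
    """Message-type-specific ICMP filtering with an oversize check and a flood check.

    Thresholds are constructed defaults for this example, not values from the slides.
    """

    def __init__(self, max_echo_len=1500, max_echo_per_window=10, window=1.0):
        # Types that keep ping, traceroute and path MTU discovery working; Redirect is left out
        self.allowed_inbound = {ECHO_REPLY, DEST_UNREACHABLE, TIME_EXCEEDED, ECHO_REQUEST}
        self.max_echo_len = max_echo_len
        self.max_echo_per_window = max_echo_per_window
        self.window = window
        self.recent = defaultdict(deque)   # src -> timestamps of recent Echo Requests

    def check(self, icmp_type, total_len, src, now):
        """Return "allow" or a "deny: <reason>" string for one inbound ICMP datagram.
        total_len is the length of the whole (reassembled) IP datagram in bytes."""
        if icmp_type not in self.allowed_inbound:
            return f"deny: type {ICMP_NAMES.get(icmp_type, icmp_type)}"
        if icmp_type in (ECHO_REQUEST, ECHO_REPLY) and total_len > self.max_echo_len:
            return "deny: oversize echo"             # the "too large message" case
        if icmp_type == ECHO_REQUEST:
            times = self.recent[src]
            while times and now - times[0] > self.window:
                times.popleft()                      # forget requests outside the window
            times.append(now)
            if len(times) > self.max_echo_per_window:
                return "deny: echo flood"
        return "allow"


if __name__ == "__main__":
    policy = IcmpPolicy()
    # constructed sample: a burst of 12 Echo Requests from one source within one second
    for i in range(12):
        print(i, policy.check(ECHO_REQUEST, 84, "168.17.2.5", 0.05 * i))
    print(policy.check(REDIRECT, 64, "168.17.2.5", 1.0))
```

Denying by type rather than denying all of ICMP is what keeps the "useful tool" the slide mentions: Destination Unreachable and Time Exceeded still get through, which path MTU discovery (slide 14) and traceroute depend on.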

25
IP Tunnelling
[Figure: IP tunnelling between an inside network and a connected network. Each end runs the stack AppleTalk / Transport / (IP) / Network (IP) / Physical; the AppleTalk traffic is carried inside IP to the receiving firewall. Intermediate routers only see IP. Firewalls CAN do AT in IP.]
26
IP Tunnelling at one end
[Figure: IP tunnelling at one end. The stack is AppleTalk / Transport / (IP) / Physical. AppleTalk to local hosts is delivered as AppleTalk; AppleTalk to non-local hosts is wrapped as AT in IP and routed to the destination as IP.]
27
Tunnelling Problem
  • Firewall sees IP, not what is embedded
  • Packets can be hidden inside IP
  • Not as problematic as it seems
  • Usually the tunneller at each end is set up by
    the network admin to implement a desired policy
  • Still provides a leak into the other network
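
To show what "firewall sees IP, not what is embedded" means in header terms, here is an added Python example that is not part of the presentation. The slides tunnel AppleTalk, which is not an IP packet; to stay with IPv4 headers the example uses IP-in-IP encapsulation (protocol number 4, RFC 2003) as the tunnel payload instead, and that substitution is the example's assumption. It wraps a constructed inner TCP-in-IP packet between two constructed private addresses (10.1.1.5 and 10.2.2.9, ports 2987 and 23) in an outer header between the slides' hosts 137.155.2.20 and 168.17.2.5, then compares what an outer-only filter and a decapsulating filter can see. Checksums are zero because nothing is sent.

```python
import socket
import struct

IPPROTO_IPIP = 4     # IP-in-IP encapsulation (RFC 2003)
IPPROTO_TCP = 6
HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header layout


def ipv4_header(src, dst, proto, payload_len, ident=1):
    """Fixed 20-byte IPv4 header, checksum left zero (illustration only)."""
    return struct.pack(HDR, 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse(packet):
    """Decode addresses, protocol and payload from one IPv4 packet."""
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(HDR, packet[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": packet[ihl:total_len]}


def tunnel(inner_packet, tunnel_src, tunnel_dst):
    """Wrap a complete inner IP packet in an outer IP header, as the tunnel endpoint would."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner_packet)) + inner_packet


def outer_only_view(packet):
    """What an intermediate router, or a firewall that does not decapsulate, sees."""
    ip = parse(packet)
    return {"src": ip["src"], "dst": ip["dst"], "proto": ip["proto"], "ports": None}


def decapsulating_view(packet):
    """A firewall that knows the tunnel strips the outer header and filters the inner packet."""
    outer = parse(packet)
    if outer["proto"] != IPPROTO_IPIP:
        return outer_only_view(packet)
    inner = parse(outer["payload"])
    ports = None
    if inner["proto"] == IPPROTO_TCP and len(inner["payload"]) >= 4:
        ports = struct.unpack("!HH", inner["payload"][:4])
    return {"src": inner["src"], "dst": inner["dst"], "proto": inner["proto"], "ports": ports}


def demo():
    """Build the constructed tunnelled packet and return (outer-only view, decapsulated view)."""
    tcp = struct.pack("!HH", 2987, 23) + b"\x00" * 16    # constructed TCP header stub: ports then zeros
    inner = ipv4_header("10.1.1.5", "10.2.2.9", IPPROTO_TCP, len(tcp)) + tcp
    wrapped = tunnel(inner, "137.155.2.20", "168.17.2.5")
    return outer_only_view(wrapped), decapsulating_view(wrapped)


if __name__ == "__main__":
    outer, inner = demo()
    print("outer only:", outer)
    print("decapsulated:", inner)
```

The outer-only view reports protocol 4 between the tunnel endpoints and no ports, so an ordinary port rule cannot match the inner telnet-style session at all; only the decapsulating view recovers the inner addresses and ports. That is the leak the last slide refers to, and why the tunnel endpoints themselves have to enforce the policy.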