Communication Protocols. A network is just a bunch of devices communication. There are all sorts of protocols out there today being used: 3GPP/GSM/SS7,

INTRODUCTION TO INFORMATION

SECURITYCommunication Protocols

Communication Protocols

A network is just a bunch of devices communication.

There are all sorts of protocols out there today being used: 3GPP/GSM/SS7, TCP/IP, Ethernet, W/LAN, Bluetooth, ATM, HDMI, USB, etc.

All protocols have been designed to serve different purposes, their purpose usually demands their structure and services they provide.

Of course the most important of all is the Internet Protocol (IP).

Secured Communication

Securing Transfer of Information is a problem of centuries. In the middle ages pigeons with notes were captured in order to intercept communication.

Our computer systems are valuable because they can communicate. Can you find a computer with out internet ?

Communications are an essential part of the security trust-base.

Communication compromise types

Communication denial types

Communication compromise types

Eavesdropping - information leaves a device it can be intercepted.

Man in the middle– communication is routed through a 3rd party.

Man on the side– eavesdropping information is used to for impersonation.

Denial of Service (DoS). Distributed Denial of Service (DDoS). In other words, a hackers goals by priority is:

Divert traffic for man in the middle. Eavesdrop on traffic.

Popular Communication Defenses

Firewalls - used to protect against unwanted packets, limiting in advance to a set of rules of acceptable traffic only.

VLAN – separate the network into different Virtual LAN, every virtual LAN is a different trust base segment. Needs to be carefully designed.

End-to-End encryption, who cares what happens in between its all encrypted and most importantly authenticated/signed, eg. SSH, SSL.

Intrusion Detection/Prevention Systems (IDS/IPS) – passively monitors data and looks for signs of “bad” behavior, and can then deny traffic.

Ethernet

Destination (Media Acess Control) MAC Address denotes the target device in the local network.

If the MAC Address is FF:FF:FF:FF:FF:FF the message is broadcast to all devices in the local network.

IP

Typical IP Routing Scheme

TCP

Typical TCP Connection

A is connecting to B using the 3-way hand-shake

A sends a TCP-SYN from a random source port to a specific destination port (eg. Port 80 for HTTP)

B replies with TCP-SYN+ACK from the source port 80 to the random destination port.

A replies with an ACK. DATA is exchanges. A or B initiate a TCP-FIN to end the

connection.

Our tools

Wireshark – a spin-off from ethereal which started as a GUI interface for tcpdump. Wireshark sniffs communications and records

them in capture files .cap or .pcap Has many modules supporting enormous

amount of protocol types. Straight-forward interface.

Scapy – Another useful python module. Also available for perl, don’t tell Itamar. (http://

sylv1.tuxfamily.org/projects/scaperl.html) But we’ll use python anyhow.

Demos

[Demo sniffing a cookie with wireshark. [Demo using scapy].

Wireshark – setup capture filter

Wireshark – capture filter

Capture filter are very fast and tell wireshark which data to record.

Recording data

Alternatively you can also record .pcap files with tcpdump.

eg.: tcpdump –ni any –w out.pcap Reading files is also possible with scapy:

from scapy.all import * all_packets = rdpcap(“data01.pcap”)