OSI Layer and TCP/IP Model - Shon Harris
Examples of Non-traditional protocols
1. DNP 3 2. CANBus Page 496
TCP/IP Model Layers
1. Network Interface 2. Internet 3. Transport 4. Application
What is covered in each of the protocol layers?
Each layer has a special interface to interact with three other layers: (1) layer above it (2) layer below it (3) Same layer in the interface of the target packet address The headers and trailers of the packet form the control functions added by the protocols at each layer.
Internet Protocol
IP is a network layer protocol and provides datagram routing services. IP's main task is to support internetwork addressing and packet routing. It is a connectionless protocol that envelops data passed to it from the transport layer. The IP protocol addresses the datagram with the source and destination IP addresses.
syn cache
One of the most effective techniques described in RFC 4987 is the use of SYN caches, which delays the allocation of a socket until the handshake is completed.
Datalink Layer Protocols
Some of the protocols that work at the data link layer are ARP, RARP, Point-to-Point Protocol - PPP, ATM, Layer 2 Tunneling Protocol L2TP, FDDI, Ethernet, and Token Ring.
UDP Header
Source port Destination port Length Checksum
TCP
TCP is a reliable and connection-oriented protocol, which means it ensures packets are delivered to the destination computer. If a packet is lost during transmission, TCP has the ability to identify this issue and resend the lost or corrupted packet. TCP also supports packet sequencing (to ensure each and every packet was received), flow and congestion control, and error detection and correction.
TCP session hijacking
When an attacker takes control of an existing TCP session. If attacker can predict the ISN they can hijack a TCP connection.
Difference between Session and Transport Layer
Session layer protocols control application-to-application communication, whereas the transport layer protocols handle computer-to-computer communication
WLAN technologies
Conform to a variety of standards and offer varying levels of security features. 802.11a, 802.11b, 802.11c, d,e,f... 802.11ac, etc.
TCP and UDP
Connection-oriented protocols, such as Transmission Control Protocol (TCP), provide reliable data transmission when compared to connectionless protocols, such as User Datagram Protocol (UDP).
Functional sub-layers in Data link layer
Layer 2, Datalink layer has two sublayers. 1. Logical Link Control or LLC that communicates with network layer protocol immediately above it. 2. Media Access Control or MAC. The MAC will have the appropriately loaded protocols to interface with the protocol requirements of the physical layer.
Session Layer - Layer 5 definition
Layer 5-session layer is responsible for establishing a connection between the two applications, maintaining it during the transfer of data, and controlling the release of this connection. 3 phases of this network traffic cop are: 1. connection establishment. 2. Data transfer. 3. Connection release.
Primary functions of Presentation Layer (OSI)
Layer 6 has only services no protocols. 1. Formatting: converts data to from standardized formats. MIME types, character sets. 2. Compression/expansion: reduces large amounts of data into smaller file sizes. multimedia formats, codecs 3. Encryption/decryption: protects data with correct key.
Who is responsible for movements of individual bits from one hop (node) to the next.
Physical Layer (Layer 1)
Physical Layer (Layer 1)
Physical layer accepts frames from data link layer and converts frame into bits and converts bits into different voltage schemes for transmission across different LAN and WAN technologies. It manages synchronization, line noise, medium access, digital/analog/light pulses determination.
Layer 6 - Presentation Layer Definition
Presentation layer is a common means of representing data in a structure that can be properly processed. Sender system's presentation layer encodes the file and adds a descriptive header in accordance with the Multipurpose Internet. Character encoding, application encryption, often combined w/ application layer (SSL/TLS)
Datalink Layer
The outer format of the data packet needs to be translated into the LAN or wide area network (WAN) technology specific format for proper line transmission. Data link layer transforms it to frame with header control, address information and error detection code as per the right physical protocols.
Examples of transport layer protocols
The protocols at the transport layer handle end-to-end transmission and segmentation of a data stream. The following protocols work at this layer: 1. Transmission Control Protocol (TCP). 2. User Datagram Protocol (UDP). 3. Sequenced Packet Exchange (SPX).
Network Layer - Layer 3 definition
The third layer in the OSI model. Protocols in this layer translate network addresses into their physical counterparts and decide how to route data from the sender to the receiver. This layer does not ensure delivery of the packets, but depend on protocols at transport layer to detect and retry.
UDP
UDP, on the other hand, is a best-effort and connectionless protocol. It has neither packet sequencing nor flow and congestion control, and the destination does not acknowledge every packet it receives.
DNP3 based attacks
Unfortunately, security wasn't considered until much later. Encryption and authentication features were added as an afterthought, though not all implementations have been thus updated. Network segmentation is not always present either, even in some critical installations. Perhaps most concerning is the shortage of effective intrusion prevention systems (IPSs) and intrusion detection systems (IDSs) that understand the interconnections between DNP3 and IP networks and can identify DNP3-based attacks.
TCP Attack Vectors
1. SYN Flood 2. TCP Session Hijacking
Layer 5 Session communication modes
1. Simplex Communication is one direction communication and seldom in use. 2. Half-duplex Communication is bi-directional communication, but only one application at a time. 3. Full-duplex Communication takes place in both directions, and both applications can send information at the same time.
Difference between TCP and UDP
1. TCP ensures that packets reach destination, while UDP doesn't 2. TCP is connection based, UDP is connectionless 3. TCP uses sequence number to keep connections in order 4. TCP uses congestion control and slow down when there is too much traffic. UDP Cannot 5. TCP should be used when reliable delivery is required. 6. TCP uses more resources and is slower. 2. Bandwidth for TCP is more 2. TCP header is bigger 3. TCP has source port, destination port, checksum, and data, sequence
CAN Bus
The Controller Area Network bus (CAN bus) is a protocol designed to allow microcontrollers and other embedded devices to communicate with each other on a shared bus. Over time, these devices have diversified so that today they can control almost every aspect of a vehicle's functions, including steering, braking, and throttling.
Give some examples of Datalink layer protocol stack
The IEEE MAC specification for Ethernet is 802.3, Token Ring is 802.5, wireless LAN is 802.11, and so on. So when you see a reference to an IEEE standard, such as 802.11, 802.16, or 802.3, it refers to the protocol working at the MAC sublayer of the data link layer of a protocol stack.
Transport Layer
The OSI layer 4 that accepts data from the upper layers, and breaks it up into smaller units known as segments. Layer 4 services include flow control, acknowledgment, error correction, segmentation, reassembly, and sequencing. It ensures that data are transferred from point A to point B reliably and without errors.
OSI Encapsulation
A message is constructed from a sender program and passed down through the network protocol's stack. Protocol at each layer adds its own header and message grows as it goes down the stack. Each layer on destination extracts pertinent information and sends message to the next layer.
TCP SYN flood
An attack by which the attacker initiates many TCP connections to a server, but does not complete the TCP connections, by simply not sending the third segment normally used to establish the connection. The server may consume resources and reject new connection attempts as a result.
TCP/IP Model Compared to OSI Model
Application layer: Application, Presentation and Session layer of the osi model Transport layer:Transport layer also called as host to host layer sometimes Internet layer: Network layer Network interface layer: Data link layer and Physical layer
7 layers of the OSI model
Application, Presentation, Session, Transport, Network, Data Link and Physical. Easy to remember as "All people seem to need data processing"
CANBUS Vulnerability
As cars started getting connected via Wi-Fi and cellular data networks, their designers didn't fully consider the new attack vectors this would introduce to an otherwise undefended system. That is, until Charlie Miller and Chris Valasek famously hacked a Jeep in 2015 by connecting to it over a cellular data network and bridging the head unit (which controls the sound system and GPS) to the CAN bus (which controls all the vehicle sensors and actuators) and causing it to run off a road. As cars become more autonomous, security of the CAN bus will become increasingly important.
Session authentication
Authentication to be made whenever a client wants to connect to a network resource and establish a session. Authentication can take place using shared secrets, public keys, or Kerberos tickets. Session layer protocols need to provide secure authentication capabilities.
Explain the data structures used in OSI layer
Data to be transmitted over the network is called message or data at the application layer. At transport layer, if TCP is used, it is segment.; If it is UDP, it is datagram. Network layer adds routing and addressing, to the packets. Data link layer, adds header and a trailer and makes it a frame.
OSI Model
ISO Standard - 7498-1. Developed in 1984 after internet was in use. Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to internal structure or technology.
What is the differnce between segment and datagram?
If the message is being transmitted over TCP, it is referred to as a "segment." If it is being transmitted over UDP, it is referred to as a "datagram."
What is a frame?
When the data link layer applies the last header and trailer to the data message, this is referred to as framing. The unit of data is now called a frame.
Layer 5-Session Dialog Management
In ISO protocols, Data token is used to deciding whose turn it is to talk. Token is sent back and forth and user may transmit only when it possesses the token. Some applications operate in half-duplex mode, with two sides alternating between sending and receiving messages, and never simultaneously.
EPA
Instead of using the OSI seven-layer model, its developers opted for a simpler three-layer model called the Enhanced Performance Architecture (EPA) that roughly corresponds to layers 2, 4, and 7 of the OSI model. There was no encryption or authentication, since the developers did not think network attacks were feasible on a system consisting of devices connected to each other and to nothing else
Layer 7-Application Layer Protocols
Layer 7 protocols give meaning to the bits sent by lower-level protocols. Some examples are: 1. Utility protocols like DNS, SNMP, DHCP. 2. Messaging protocols like IRC and SMTP. 3. Data Transfer protocols like Http, NFS, FTP, TFTP, and line printer daemon (LPD Protocol). 4. Interactive protocols (Telnet).
Application layer (OSI model)
Layer 7 provides application services to a network. An important, and an often-misunderstood concept, is that end-user applications do not reside at the application layer. Application layer supports services used by end-user applications. It also advertises available services.
OSI Layer attack
Network can be used as a 1. Channel for an attack using network as a resource. Such as sending a virus from one system to another system as a channel 2. Target of an attack such as denial-of-service (DoS) attack, which sends a large amount of bogus traffic over a network link to bog it down
Physical Layer Protocols
Network interface card drivers convert bits into electrical signals, control physical transmission, including optical, electrical & mechanical requirements. Some examples: RS/EIA/TIA 10Base-X Integrated Services Digital Network (ISDN) Digital subscriber line (DSL) Synchronous Optical Networking (SONET)
RPC vulnerability
One security issue common to RPC is the lack of authentication or the use of weak authentication. Secure RPC (SRPC) can be implemented, which requires authentication to take place before two computers located in different locations can communicate with each other.
Name a potential RPC and Netbios vulnerability
RPC, NetBIOS, and similar distributed computing calls usually only need to take place within a network. Firewalls should be configured to disallow such traffic into or out of a network. Firewall filtering rules should be in place to stop this type of unnecessary and dangerous traffic.
TCP Handshake
SYN, SYN/ACK, ACK The protocol by which a client and server machine establish communication for the transfer of data. This completes the handshaking phase, after which a virtual connection is set up, and actual data can now be passed. The connection that has been set up at this point is considered full duplex, which means transmission in both directions is possible using the same transmission line.
Network Layer Protocols
Some of the protocols on Layer 3 include: 1. Internet Protocol. 2. Internet Control Message Protocol-ICMP. 3. Routing Information Protocol - RIP. 4. Open Shortest Path First OSPF. 5. Border Gateway Protocol - BGP. 6. Internet Group Management Protocol-IGMP. 7. Radio Resource Control - RRC. 8. AppleTalk. 9. Internetwork Packet Exchange - IPX•
TCP Header
Source Port, Destination Port, Sequence Number, Acknowledgment Number, Header Number, Reserved, Code Bits, Window, Checksum, Urgent, Options, Data
Is TLS session layer or transport layer protocol?
Specific protocols can be subjectively placed at different layers. Transport Layer Security (TLS) protocol is placed in both session layer and transport layers. It is not that one is right or wrong. The OSI model tries to draw boxes around reality, but some protocols straddle the different layers.
Well Known Ports
port numbers in the range of 1-1024 that identify network applications that are well known such as web, email, and remote login applications. Telnet port 23 SMTP port 25 • HTTP port 80 • SNMP ports 161 and 162 • FTP ports 21 and 20