1
Information Security: The Big Picture - SANS GIAC
© 2000
1
Information Security:
The Big Picture – Part III
Stephen Fried
2
Information Security: The Big Picture - SANS GIAC
© 2000
2
IP – The Internet Protocol
• Deals with transmission of packets
between end points
• The fundamental protocol of the
Internet
The Internet Protocol (IP) is the protocol by which information is sent from one computer to another on
the Internet. Each computer on the Internet has at least one address that uniquely identifies it from all other
computers on the Internet. When you send or receive data (for example, an e-mail note or a web page), the
message gets divided into little chunks called packets. Each of these packets contains both the sender's
Internet address and the receiver's address. Any packet is sent first to a gateway computer that understands
a small part of the Internet. The gateway computer reads the destination address and forwards the packet to
an adjacent gateway that in turn reads the destination address and so forth across the Internet until one
gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain.
That gateway then forwards the packet directly to the computer whose address is specified.
Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different
route across the Internet. Packets can arrive in a different order than the order they were sent in. The
Internet Protocol just delivers them. It's up to another protocol, the Transmission Control Protocol (TCP) to
put them back in the right order.
IP is a connectionless protocol, which means that there is no established connection between the end points
that are communicating. Each packet that travels through the Internet is treated as an independent unit of

data without any relation to any other unit of data. (The reason the packets do get put in the right order is
because of TCP, the connection-oriented protocol that keeps track of the packet sequence in a message.)
The most widely used version of IP today is Internet Protocol Version 4 (IPv4). However, IP Version 6
(IPv6) is also beginning to be supported. IPv6 provides for much longer addresses and therefore the
possibility of many more Internet users. IPv6 includes the capabilities of IPv4 and any server that can
support IPv6 packets can also support IPv4 packets.
3
Information Security: The Big Picture - SANS GIAC
© 2000
3
TCP – The Transmission
Control Protocol
• Connection-oriented
communications
• Ensures reliable packet delivery
• Overhead can be “expensive”
The Transmission Control Protocol, or TCP, is called a connection-oriented protocol. That is because
it is primarily concerned with establishing connections between two computers and making sure that all
communication on that connection are orderly and complete. TCP works in combination with the
Internet Protocol, a combination usually referred to as TCP/IP. The IP layer provides the packet
delivery service and the TCP layer provides the packaging and sequencing of the packets.
TCP works by giving each packet a sequence number. When a packet is sent to a destination, the
sending computer waits for an acknowledgement from the destination that the packet was received. The
receiver will send the acknowledgement if it receives the packet and it was not damaged during the
transmission. If the sender does not receive the acknowledgement it will resend the packet. In that way
it ensures that every packet arrives at the destination in good order.
TCP is a good protocol for ensuring the delivery of packets to a destination. However, this assurance
comes at a price. All the work required to send, receive, and track acknowledgements takes a toll on the
network. However, when you want to make sure a message arrives, TCP is the way to go.
TCP is also good from a security standpoint. When compared to connectionless protocols (for example,

UDP, which we will examine closer in the next slide) the connection-oriented nature of TCP gives us
some assurance that information is coming from a genuine source and that packets received in a TCP
stream have some relationship to both each other and to the originating server. As we have seen in
previous slides, packets can be spoofed and transmissions can be interrupted, but compared to
connectionless protocols, like UDP, TCP provides a higher level safety.
4
Information Security: The Big Picture - SANS GIAC
© 2000
4
TCP Session Open & Close
SYN (100)
SYN (500), ACK (101)
ACK (501)
FIN (130)
FIN (570)
ACK (571)
ACK (131)
This slide shows a sample TCP session, illustrating how it opens and closes connections on the network. In the example, we
are assuming that a PC is connecting to some kind of server over the network, but this same process holds true for any TCP
session established between any two devices.
Just to get you familiar with the symbols on the chart, the arrows represent the direction of the communications. So, an arrow
going from the PC to the server means that the PC is sending a message to the server and an arrow going from the server to the
PC means that the server is sending a message to the PC. The SYN, ACK, and FIN labels represent the different types of
packets that are used during session setup and close. The SYN packet is used to “sync up”, or start the communications. The
ACK packet sends an acknowledgement of the message back to the originator, and the FIN packet starts the process of
finishing the connection. Finally, the numbers in parentheses are the sequence numbers that are sent along with each packet.
OK, now that you know who all the players are, we are ready to begin. When opening a two-way connection between two
machines, each end of the connection must connect to the other separately. The process starts when the PC sends a SYN
packet requesting a connection to the server with an initial sequence number of 100. The server responds back to the PC with a
SYN/ACK packet. This packet starts up the second half of the two-way connections (again with a starting sequence number).

It also acknowledges the packet sent originally by the PC (incrementing the PC’s sequence number by 1). Finally, the PC
acknowledges the server’s connection with an ACK packet and by incrementing the server’s sequence number. This sequence
is sometimes called the TCP Three Way Handshake.
After the opening sequence, the PC and the server will continue to exchange packets of information, each time increasing the
sequence number.
When the time comes to close the connection, once again each end of the connection must be closed separately. Assuming that
the PC wants to close the connection first, the process starts when the PC sends a FIN packet to the server. The FIN portion
indicates to the server that the PC wants to close the connection (continuing with the sequence count it has been using with the
server). The server responds by sending an ACK to the PC acknowledging the FIN sent by the PC. Next, the server sends a
FIN packet to the PC to close its side of the connection. Finally, the PC sends an ACK to the server to acknowledge the FIN.
Normally, you will never have to go into this much detail when talking about network security unless you are going into depth
on router or firewall configuration. However, a basic understanding of this diagram will come in handy when we talk later
about denial of service attacks, particularly SYN flood attacks. Understanding how the sequence numbers work will also help
when we discuss sequence prediction attacks.
5
Information Security: The Big Picture - SANS GIAC
© 2000
5
UDP – The User Datagram
Protocol
• Connectionless-oriented
communications
• Sends packets out, doesn’t care if
they get there
• Much less “overhead”
• Good if small amount of packet loss
is acceptable
The User Datagram Protocol (UDP) is a communications protocol that offers a limited amount of
connectivity when messages are exchanged between computers in a network that uses the Internet Protocol
(IP). Like TCP, UDP uses IP as its underlying delivery service to move pieces of information from one host

to another. Those pieces are called “datagrams.” Unlike TCP, however, UDP does not provide the service
of dividing a message into packets and reassembling it at the other end. Specifically, UDP doesn't provide
sequencing of the packets that the data arrives in. UDP will send the packets out, but it does not provide any
mechanism for ensuring they get there properly, intact, or in the right order. Whereas TCP will do its part to
ensure orderly delivery of packets, UDP leaves this task to the application itself. The application program
that uses UDP must be able to make sure that the entire message has arrived and is in the right order.
Because much of the disassembly, sequencing, and reassembly of packets is performed by the application
rather than built into the protocol, UDP as a protocol has less overhead than TCP. This makes it faster to
send information using UDP. Network applications that want to save processing time will use UDP rather
than TCP because they have very small data units to exchange, and therefore very little message
reassembling to do.
UDP is also a good choice for applications that can stand a small amount of packet loss. For example, a
broadcast of a musical program may consist of many packets of similar or repetitive sounds. If a packet or
two were to get lost, nobody will notice. If, however, a transmission consisted of the precise coordinates to
which to aim a space shuttle for landing, reliable transmission would be a priority and TCP would be a better
choice.
From a security standpoint, the “U” in UDP might as well stand for “Unreliable.” Because a UDP packet has
no information about the context of the information it contains, it should not be trusted without some kind of
supporting network or application information.
6
Information Security: The Big Picture - SANS GIAC
© 2000
6
ICMP
• Handles error and control information
• Works between gateways and hosts
• Sent as IP datagrams
• Generated by protocol, not by user
applications
• Most users access ICMP via “Ping”

One final protocol you should be aware of is the Internet Control Message Protocol, or ICMP.
ICMP is a protocol that handles traffic flow between network elements. In particular, it provides
feedback about problems in the communication and network environment.
A typical use of ICMP is as follows: every network uses devices called routers to move packets
from one local network to another. Each network has a “default route”, that is, the router that will
be used if no other access out of the network is available. For most situations, the default route works
best. However, occasionally the default route may not be the best path between two points. This may
be because of problems in the network, network service outages, traffic congestion, or some other
reason. When this happens, the default router will send an ICMP message back to the machine that
sent the packet stating, “it would be better if you sent your packets some other way” and specifies a
new path the sending machine should use.
ICMP messages are sent in several situations: for example, when a datagram cannot reach its
destination, when the gateway does not have the capacity to forward a datagram, and when the
gateway can direct the host to send traffic on a shorter route.
ICMP uses the Internet Protocol to transfer messages, but instead of full packets it sends
“datagrams”, much like UDP. ICMP is actually an integral part of IP, and must be implemented
within the IP software itself. Most user-level applications will never concern themselves with ICMP
directly, rather relying on TCP or UDP for their transmissions.
There is one exception, however. The ping program is a user-level application that uses ICMP to
give information about network conditions and availability. If a user wants to know if a host is
available, he will use ping to test if the machine is on the network. If it is, ping will send a positive
reply back. If it is not available, or there is network trouble between the two hosts, ping will also
indicate that.
7
Information Security: The Big Picture - SANS GIAC
© 2000
7
Protocol “Stacks”
• Divides network communications
into layers

• Each layer interfaces with above
and below layers
• Divide task of communication into
pieces for easier implementation
Having all these protocols is nice, but how does information actually get from one place to another? In the next few
slides we will examine exactly how this happens. We will start by discussing protocol stacks. And to discuss
protocol stacks, we need a good real-life example.
Imagine, if you will, a five-story apartment building. This building, however, is very special (or very strange,
depending on your point of view). First of all, the really important things happen on the top floor, floor 5. Second, the
only way the people on the fifth floor can get anything done is by asking the people on the floors below them to do it.
For example, the people on the fifth floor want to make dinner. They tell this to the people on the fourth floor. The
people on the fourth floor figure out that dinner requires a soup, salad, main course and dessert. They tell this to the
people on the third floor. The people on the third floor decide that the courses will be onion soup, a garden salad, beef
stew, and apple pie, and they tell this to the people on the second floor. The people on the second floor figure out
what ingredients will be needed for this dinner (for example, chicken broth, lettuce, vegetables, beef, etc.) and give
this information to the people on the first floor. The people in the first floor actually go to the store, buy all the
ingredients, and bring them back to the apartment building.
Once the ingredients are purchased, the process goes in reverse. The first floor gives the raw ingredients to the second
floor. The second floor checks that all the ingredients are there and then hands them off to the third floor. The third
floor prepares the various courses by making the soup, tossing the salad, cooking the beef, and baking the pie. Once
all this is done they hand the food off to the fourth floor. The fourth floor people package all the food up into nice
courses and bring it up to the fifth floor residents so they can eat a delicious meal.
Well, in essence, that’s how protocol stacks work. Protocol stacks divide network communications into different
layers, like the floors in the apartment building. Each layer in the stack works on the packet in different ways. Some
layers make sure the packet has all the information it needs, some layers make sure the packet is ready for an
application to work with, and some layers make sure the packet gets onto the network properly. Each layer works
directly with the layer above and below it, just as in the apartment building example. As packets are passed from one
layer to the next, each layer examines or modifies the packet in some way. Once the packet has reached the “ground
floor” of the network it is sent to its destination.
The use of protocol stacks in network communications makes the task of implementing protocols much easier. By

making communications more modular, a service, process or application need only concern itself with the layers it
needs, leaving the other layers to someone else.
8
Information Security: The Big Picture - SANS GIAC
© 2000
8
The OSI Protocol Stack
Application
Presentation
Session
Transport
Network
Data Link
Physical
Layer 7
Layer 6
Layer 5
Layer 4
Layer 3
Layer 2
Layer 1
One of the most widely known protocol stacks is the International Standards Organization (ISO) Open Systems
Interconnect (OSI) model. The OSI model divides network communications into seven layers.
The Physical Layer handles transmission across the physical media. This includes such things as electrical pulses on
wires, connection specifications between hardware, voltage and current, etc.
The Data Link Layer connects the physical part of the network (e.g. cables and electrical signals) with the abstract part
(e.g. packets and data streams). It also creates the headers and validation information that get attached to packets.
The Network Layer handles interaction with the network address scheme and connectivity over multiple network
segments. It describes how systems on different network segments find and communicate with each other.
The Transport Layer actually interacts with your information and prepares it to be transmitted across the network. It is

this layer that ensures reliable connectivity from end-to-end. The Transport Layer also handles the sequencing of
packets in a transmission.
The Session Layer handles the establishment and maintenance of connections between systems. It negotiates the
connection, sets it up, maintains it, and makes sure that information exchanged across the connection is in sync on both
sides.
The Presentation Layer makes sure that the data sent from one side of the connection is received in a format that is
useful to the other side. For example, if the data is compressed by the sender prior to transmission, the Presentation
Layer on the receiving end would have to decompress it before it can be used by the receiver.
The Application Layer is responsible for interacting with the application to determine whether network services will
be required. When a program requires access to the network, the Application Layer will manage requests from the
program to the other layers down the stack.
Why is all this important, and do you really need to memorize all this for an Introduction course? Well, only sort of.
You need to have at least a passing familiarity with the OSI model because you will hear network engineers and
vendors talk about “Layer 2 Switches” or “Layer 3 Protocols.” The layers they are referring to are the OSI model
layers. Understanding basically what each layer does will go a long way in both understanding the conversation and
securing your network services.
9
Information Security: The Big Picture - SANS GIAC
© 2000
9
The TCP/IP Protocol Stack
• Application
• Transport
• Internet
• Network
In comparison to the OSI protocol stack, the TCP/IP stack is much simpler. The TCP/IP model
predates the OSI model and, as the underlying protocol of the Internet, is more widely used than
OSI-based protocols. The TCP/IP stack only has four layers: the Application Layer, the Transport
Layer, the Internet Layer, and the Network Access Layer. (Editor’s note: the four layers of the
TCP/IP stack are sometimes referred to as the Application Layer, the Transport Layer, the Network

Layer, and the Link Layer. – JEK)
The definition of the TCP/IP layers is as follows:
The Network Layer (sometimes called the Link Layer – ed.) defines how to access a specific
network topology, for example Ethernet, Token Ring, etc.
The Internet Layer (sometimes called the Network Layer – ed.) defines how datagrams are
formatted and handles the routing of data through the network. Examples of Internet Layer protocols
include IP and ICMP.
The Transport Layer provides end-to-end data delivery service. This is the layer that assembles
packets and sends them to the Internet layer for processing. Examples of Transport Layer protocols
are TCP and UDP.
Finally, the Application Layer consists of application programs and serves as the network interface
into user applications. Examples of application layer service are Telnet, FTP, and DNS.
10
Information Security: The Big Picture - SANS GIAC
© 2000
10
OSI vs. TCP/IP
Application
Presentation
Session
Transport
Network
Data Link
Physical
Application
Transport (TCP)
Internet (IP)
Network
OSI TCP/IP
7

6
5
4
3
2
1
This diagram shows a comparison between the OSI model and the TCP/IP model. As you can see,
the OSI model has more granularity than the TCP/IP model. In addition, the OSI model chose to split
apart some functionality that was combined in the TCP/IP model.
For example, the Network Layer in the TCP/IP model comprises both the Physical Layer and the
Data Link Layer in the OSI model. And the Application Layer in TCP/IP encompasses the
Application, Presentation, and Session Layers of the OSI model. The OSI model is more detailed and
more granular because it was designed to encompass protocols other than just TCP/IP. By creating
more layers the designers of OSI made it easier to break down the functionality of each protocol and
build more specific interfaces and linkages between the layers.
Unless you plan on becoming a network engineer or a network application designer, it is not so
important to remember each of the different layers in the two models, or even remember the
functionality that each layer has. It is, however, important to know that no matter which model you
use, it must perform all the functions required to take a piece of application data, place it into a
packet, place that packet on the wire, and handle its safe and efficient delivery to its destination.