Top Three Layers - PowerPoint PPT Presentation


Slides: 110
Provided by: Willis5

Transcript and Presenter's Notes



1
Top Three Layers
  • Session Layer
  • Presentation Layer
  • Application Layer

2
Session Layer Design
  • Marks the division between upper layers and
    lower layers
  • lower layers: end to end communications
  • upper layers: user-oriented services
  • Invented by ISO
  • Can support transport layer QoS
  • Not explicitly used by TCP/IP
  • Generally connection-oriented

3
Session Layer Transport Layer
  • Usually a transport connection is required to
    establish a session
  • Session Layer provides Control. It says what to
    do, not necessarily how to do it.
  • Can provide redundancy and multiplexing of
    transport layer resources
  • Administrative control point

4
Dialog Management
  • In principle, all OSI connections are full duplex
  • Some upper layer software is structured to be
    half-duplex
  • This is to simplify the software and has nothing
    to do with hardware limitations
  • The session layer supports data token schemes to
    support half-duplex transmissions

5
Synchronization
  • Transport layer provides error recovery only from
    communication errors
  • Synchronization in the transport layer provides
    for returning the session entries back to the
    last known correct state.
  • Example: a session is established and a large file
    transmitted; the receiving end has no storage and
    directly prints the incoming data. The printer
    dies and data is lost.
  • Session users could split the text into pages and
    insert a synchronization point between each page.

6
Activity Management
  • Users split the message stream into activities
  • delimiters are added in the session to separate
    activities

[Diagram: a session timeline carrying two activities, First File Sent and Second File Sent, each bracketed by Start and Stop delimiters]
7
Remote Procedure Calls
  • Based on the connectionless model
  • Generally outside the OSI model
  • Can be implemented in the application layer
  • Multiple Flavors
  • Sun ONC RPC
  • OSF DCE RPC

8
RPC School of Thought
  • Clients sending messages are viewed as procedure
    calls with the reply being the return from the
    procedure
  • Contrast this to the more conventional school
    which views I/O with primitives such as
    X-DATA.request and X-DATA.return as I/O and
    interrupts respectively.

9
RPC Invocation
[Diagram: RPC invocation, steps 1 to 7 flowing between Client, Client Stub, Network, Portmapper, Server Stub and Server]
10
RPC Semantics and Orphans
  • Operations
  • exactly once
  • at most once
  • at least once
  • Handling crashes
  • 1. Hang forever, waiting for reply that never
    comes
  • 2. Time out and raise an exception
  • 3. Time out and retransmit
  • Orphans
  • extermination
  • expiration
  • reincarnation (kill restart)
  • gentle reincarnation (selectively kill and
    restart)

11
Presentation Layer
[Diagram: information transformation between Network Format and Local Format; caption: few standards, but a lot of ideas]
12
Presentation Functions
  • These are examples!
  • Syntax (format) conversion
  • Compression
  • Encryption
  • Sub-issue Does it belong here?

13
Presentation Layer, cont.
  • Providing a way to specify complex data
    structures
  • Managing the set of data structures required
  • Converting data between internal and external form

14
Data Representation
  • ASCII vs. EBCDIC
  • twos complement vs. ones complement
  • FFF0 hex is -15 in ones complement, -16 in twos
    complement
  • byte order: right-to-left vs. left-to-right
  • Text File formats

15
Abstract Syntax Notation 1 (ASN.1)
  • Data Structures
  • Abstract Syntax
  • Transfer Syntax
  • International Standard 8825
  • Notation used to encode, transfer and decode data
    structures across a wide range of applications
  • Both connection-oriented and connectionless
    primitives

16
Data Compression
  • Encoding a Finite Set of Equally Likely Symbols
  • Finiteness of the set of symbols.
  • Frequency Dependent Coding
  • The relative frequencies with which the symbols
    are used.
  • Context Dependent Encoding
  • The context in which a symbol appears.

17
Compression
  • Elimination of Redundancy
  • (increased susceptibility to error)
  • Examples
  • Run Length Encoding
  • Predictive Codes
  • Huffman
  • LZW

18
Frequency Dependent Coding
  • In English, E occurs 100 times more often than the
    letter Q
  • So give common symbols short codes and rare
    symbols longer codes.
  • The theoretical minimum encoding often requires
    fractional bits, but close approximations are
    available.

19
Huffman Coding
  • 1. Write down all symbols and associated
    probability of each. Eventually a binary tree is
    built on these nodes, with the symbols
    representing terminal nodes.
  • 2. Find the two smallest nodes and mark them.
    Add a new node with arcs to each of the nodes
    just marked. Set the probability of the new node
    to the sum of the probabilities of the two nodes
    connected to the new node.
  • 3. Repeat until all symbols are marked except
    one. The probability of the unmarked node will
    always be 1.0.
  • 4. The encoding for each symbol is found by
    tracing the path from the unmarked symbol to that
    symbol, recording the sequence of left and right
    branches taken. The code is the path, left 0,
    right 1.
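The four steps above carried out in code, added here as an example rather than taken from the slides. The alphabet and its probabilities are constructed, the heap counter makes tie-breaking deterministic, and the entropy function gives the "theoretical minimum" in fractional bits that slide 18 refers to, so the average code length can be compared against it.

```python
import heapq
import math
from itertools import count
from typing import Dict, Optional

# Constructed sample alphabet (not from the slides); probabilities sum to 1.0.
SAMPLE_PROBS = {"E": 0.40, "T": 0.25, "A": 0.15, "O": 0.10, "Q": 0.10}

class Node:
    """Tree node: a leaf carries a symbol, an internal node carries two children."""
    def __init__(self, prob, symbol=None, left=None, right=None):
        self.prob, self.symbol, self.left, self.right = prob, symbol, left, right

def build_tree(probs: Dict[str, float]) -> Node:
    # Step 1: one terminal node per symbol, kept in a min-heap by probability.
    # The counter breaks ties deterministically so the codes are reproducible.
    tick = count()
    heap = [(p, next(tick), Node(p, symbol=s)) for s, p in probs.items()]
    heapq.heapify(heap)
    # Steps 2 and 3: merge the two smallest nodes into a parent whose probability
    # is their sum, until only the unmarked root (probability 1.0) remains.
    while len(heap) > 1:
        p1, _, n1 = heapq.heappop(heap)
        p2, _, n2 = heapq.heappop(heap)
        parent = Node(p1 + p2, left=n1, right=n2)
        heapq.heappush(heap, (parent.prob, next(tick), parent))
    return heap[0][2]

def assign_codes(node: Node, prefix: str = "", table: Optional[Dict[str, str]] = None):
    # Step 4: trace root to leaf, recording left = 0 and right = 1.
    if table is None:
        table = {}
    if node.symbol is not None:
        table[node.symbol] = prefix or "0"  # edge case: a one-symbol alphabet
        return table
    assign_codes(node.left, prefix + "0", table)
    assign_codes(node.right, prefix + "1", table)
    return table

def huffman_codes(probs: Dict[str, float]) -> Dict[str, str]:
    return assign_codes(build_tree(probs))

def encode(text: str, codes: Dict[str, str]) -> str:
    return "".join(codes[c] for c in text)

def decode(bits: str, codes: Dict[str, str]) -> str:
    # Codes are prefix-free, so the first codeword matched while scanning is the only one.
    by_code = {v: k for k, v in codes.items()}
    out, cur = [], ""
    for b in bits:
        cur += b
        if cur in by_code:
            out.append(by_code[cur])
            cur = ""
    if cur:
        raise ValueError("trailing bits do not form a complete codeword")
    return "".join(out)

def average_bits(probs: Dict[str, float], codes: Dict[str, str]) -> float:
    return sum(p * len(codes[s]) for s, p in probs.items())

def entropy(probs: Dict[str, float]) -> float:
    # The theoretical minimum of slide 18; usually a fractional number of bits per symbol.
    return -sum(p * math.log2(p) for p in probs.values() if p > 0)
```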

20
Context Dependent Encoding
  • Uses conditional probability instead of
    independent probability.
  • What is P(u|q), the probability of u given that q
    precedes it?
  • So determine the conditional probability for each
    possible predecessor and store in a table.
  • For k symbols this requires k^2 entries.

21
Compression (Summary)
  • Problem Domain determines the best compression
    scheme
  • Lossy vs Loss-less schemes
  • One-pass vs multi-pass schemes

22
Network Security and Privacy
  • Protecting data from being read by unauthorized
    persons.
  • Preventing unauthorized persons from inserting
    and deleting messages.
  • Verifying the sender of each message.
  • Allowing electronic signatures on documents.

23
Cryptography
  • Traditional Cryptography
  • Substitution Ciphers
  • Codes
  • Transposition Ciphers
  • Data Encryption Standard
  • Key Distribution
  • Public Key Cryptography
  • MIT Algorithm
  • Authentication Digital Signatures
  • Federal Standards

24
Cryptography Users
  • Military
  • Diplomatic
  • Diarists
  • Lovers
  • Curmudgeons

25
Cryptography Terms
  • Ciphertext or Cryptogram -- encrypted message
  • Cryptanalysis -- breaking ciphers
  • Cryptography -- devising ciphers
  • Cryptology -- Cryptanalysis and Cryptography

26
Encryption Model
[Diagram: encryption model. Plaintext is encrypted under Key-1 into Ciphertext, crosses a channel exposed to a Passive Listener and an Active Intruder, and is decrypted under Key-2 back to Plaintext]
27
Keys
  • If Key-1 is the same as Key-2, then it has to be
    a secret key process. They can differ, making it
    a Public Key Process.
  • Big Problems key distribution and key security

28
Fundamental Truths of Cryptology
  • Potential intruders know the general encryption
    method.
  • Message contents may be guessed.
  • Cryptographic systems may be changed, but rarely
    are.
  • Non-technical compromises always outnumber
    successful cryptanalysis.

29
Ciphers
  • Substitution (preserve order, disguise)
  • Caesar code: shift 4
  • Alphabet shifted by k letters -- Enigma
  • Exhaustive search infeasible
  • Words and phrases may be guessed
  • Codes
  • Purple code: Japanese translated into Latin
  • Navajo talkers
  • Transposition Ciphers (reorder, do not disguise)
  • Game is up when key length is guessed
  • Once close, easy to guess

30
Data Encryption Standard
  • Developed by IBM in 1977
  • Implemented in hardware
  • Widely used
  • 128 bit key proposed, 56 bit key specified. Any
    guesses why?
  • Now, study AES.

31
Public Key Encryption
  • Applying the decryption key to an encrypted
    message must return the plaintext message.
  • The decryption key can't be guessed from an
    encryption key.
  • The encryption key cannot be broken by a
    plaintext attack.
  • Key Point the decryption key must be privately
    held.

32
Digital Signatures
  • A's secret key must remain secret
  • B has A's public key and A has B's public key
  • B receives an encrypted message from A that he
    decrypts with A's public key
  • B can later show that, lacking A's private key,
    he could not have produced the encrypted
    message
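The scenario on this slide worked through in textbook RSA, added here as an example and not part of the original deck. The key parameters (Mersenne primes, public exponent 65537) are constructed for the demonstration, and the scheme is the unpadded "encrypt under the private key, decrypt under the public key" form the slide describes; production signatures use padded schemes.

```python
import hashlib
from typing import Tuple

Key = Tuple[int, int]   # (exponent, modulus)

# Constructed toy parameters (not from the slides): textbook RSA over Mersenne
# primes, no padding. Production signatures use padded schemes and proper key generation.
A_PRIMES = (2**61 - 1, 2**89 - 1)
B_PRIMES = (2**107 - 1, 2**127 - 1)
PUBLIC_EXPONENT = 65537

def make_keypair(p: int, q: int, e: int = PUBLIC_EXPONENT) -> Tuple[Key, Key]:
    """Return (public_key, private_key) = ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # e * d == 1 (mod phi); requires gcd(e, phi) == 1
    return (e, n), (d, n)

def digest(message: bytes, n: int) -> int:
    # Hash first, then reduce into the modulus range: this value is what gets signed.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key: Key) -> int:
    d, n = private_key
    return pow(digest(message, n), d, n)                 # "encrypt" under the private key

def verify(message: bytes, signature: int, public_key: Key) -> bool:
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)    # "decrypt" under the public key

A_PUBLIC, A_PRIVATE = make_keypair(*A_PRIMES)
B_PUBLIC, B_PRIVATE = make_keypair(*B_PRIMES)

def slide_scenario(message: bytes) -> dict:
    """A signs; B checks with A's public key and keeps the signature as evidence."""
    sig_from_a = sign(message, A_PRIVATE)
    return {
        # B, holding A's public key, confirms the message came from A.
        "b_verifies_a": verify(message, sig_from_a, A_PUBLIC),
        # A changed message no longer matches A's signature.
        "tampered_fails": verify(message + b"!", sig_from_a, A_PUBLIC),
        # Without A's private key, B's own key cannot produce a value that checks
        # out under A's public key: this is what B can later show a third party.
        "b_forgery_fails": verify(message, sign(message, B_PRIVATE), A_PUBLIC),
    }
```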

33
Politics of Cryptography
  • Software as Munition
  • Clipper Chip
  • Digital Telephony Bill
  • Digital Signature Standard
  • Other Countries
  • Current Legislation

34
Application Layer
  • File Transfer, Access and Management
  • virtual file store
  • file servers and requesting clients
  • Electronic Mail
  • process to process traffic expected to dominate
    Internet
  • actually email dominates the Internet
  • Virtual Terminals
  • representing the abstract state of the real
    terminal
  • Remote Job Execution
  • JTM Job Transfer and Manipulation

35
ISO Applications
  • FTAM / FTP: File Transfer, Access, Manipulation
  • VTS / TELNET: Virtual Terminal Service
  • JTM / ???: Job Transfer, Manipulation (maybe rsh,
    RPC?)
  • MHS / SMTP: Message Handling System (X.400)

36
ISO Terminology
Specific/Common Application Service Elements:
think of them as programming libraries or APIs
37
Electronic Mail
  • MOTIS and X.400: CCITT has aligned them for
    compatibility. Won't replace SMTP!
  • The user agent: user interface
  • Message transfer agent: post office

38
Virtual Terminals
  • Scroll mode terminals: no local resources, dumb
    display and transmission
  • Page mode terminals: 25 x 80 character
    display, screen editing via termcap
  • Form mode terminals: local processing enabled
  • Bitmapped terminals
  • like X stations
  • Browsers?

39
File Transfer Protocol
  • FTP recognizes four file types
  • 1. Image
  • bit by bit transfer
  • 2. ASCII
  • 3. EBCDIC
  • 4. Logical Byte files
  • binary files which use byte size other than 8 bits

40
Electronic Mail
  • Pioneered by ARPANET
  • RFC 822 (widely used)
  • Simple Mail Transfer Protocol (SMTP)
  • Supports only ASCII text (see MIME)
  • name_at_domain addressing

41
Virtual Terminals - TELNET
  • Designed for scroll mode terminals
  • Hit a key, 8-bit bytes are sent
  • 95 ASCII and 7 control characters legal

42
The Web
  • the killer application for the Internet
  • Two components for popularity
  • http combines multiple access methods (gopher,
    ftp, etc.)
  • hypertext interface supports point-and-click
    interface
  • Who will organize the information?
  • No one...
  • Database experts
  • Librarians (!)

43
Web Future Directions
  • HTML Enhancements
  • Secure Transactions
  • Uniform Naming
  • Librarians Brokers
  • Information push or pull

44
Layer 7 Summary
  • Service Element Model
  • Not all Apps belong here...
  • Common Network Services

45
What is a Distributed System?
Just insert a network?
[Diagram: Mass Storage, Computing (CPU) and User Interface as the parts to be connected]
46
Distributed System
[Diagram: Users at User Interfaces reach Services across a Network from Servers (Storage, Compute)]
47
D.S. Design Issues
  • Transparency
  • Flexibility
  • Reliability
  • Performance
  • Scalability

48
More Design Issues
  • Global Clocks?
  • Causality
  • Information Consistency

49
Distributed Control
  • Master/Slave (Issue: Response Time)
  • Polled
  • Command -> <- Response
  • Schedule under control of server
  • Client/Server (Issue: Server Size)
  • Interrupt, or Event, Driven
  • Aperiodic Scheduling
  • Peer-to-Peer (Issue: Coordination)
  • No single critical node
  • Hard to describe or predict

50
Distributed System: Why or Why not?
  • Performance
  • Economics
  • Reliability
  • Security

51
D. S. Architectures
  • Cooperating Peers
  • Client-Server
  • Tiered Client-Server
  • Data Repository
  • Compute Servers
  • Client Stations

52
Intranets
  • Definition
  • Using Internet protocols, especially Web tools,
    for internal MIS
  • Motivation
  • Information push vs pull
  • Problems
  • User Capabilities
  • Corporate Policy or Personal Opinion

53
Key Protocol Areas
  • Directory Services
  • RPCs
  • Security/Authentication
  • (Performance) Management
  • Programming Models

54
References
  • ISO RM-ODP
  • ITU-T X.901/ISO 10746-1/2/3/4
  • Amjad Umar Distributed Computing A Practical
    Synthesis
  • PTR Prentice-Hall, Englewood Cliffs, NJ, 1993
  • Sape Mullender Distributed Systems, 2d ed.
  • Addison Wesley, 1993

55
Network Management: Definition
"...deploying and coordinating resources in
order to plan, operate, administer, analyze,
evaluate, design and expand communication
networks to meet service-level objectives at all
times, at a reasonable cost, and with optimum
capacity."
56
Network Management: Functional Areas
  • Fault Management: detect -- diagnose -- repair
  • Configuration/Name Mgmt: a database problem...
  • Performance Mgmt: measure and predict
  • Accounting Mgmt: look at individual usage
  • Security Mgmt: access control and encryption
57
Management Protocols
  • SNMP - Simple Network Management Protocol
  • Internet
  • CMIP - Common Management Information Protocol
  • ISO
  • TMN - Telecommunications Management Network
  • ITU-T

58
Management Protocols: Philosophy
  • SNMP - Simple Network Management Protocol
  • keep it simple! (cf. the Internet toaster)
  • CMIP - Common Management Information Protocol
  • the bazaar: whatever you want
  • TMN - Telecommunications Management Network
  • actually a separate network specification

59
SNMP vs CMIP round 1
[Diagram: SNMP and CMIP both drawing on requirements from various vendors and user communities]
60
ISO Management Overview
System Management Functions
  • Object Mgmt, Alarm Mgmt, Event Report Mgmt
  • Workload Monitoring, State Mgmt, Log Control
  • Security Alarm, Security Reporting, Measurement
    Summarization
  • Bill Verification, Billing, Resource Utilization,
    Test Mgmt
  • Relation Mgmt
CMISE Services
  • Initialize, Event Report, Terminate, Action,
    Create, Abort, Set, Get, Delete, Cancel,
    Confirmed Event Report, Confirmed Get
61
SNMP Architecture
  • Keep the agent as simple as possible
  • Support remote management operations to the
    fullest extent possible
  • Plan for future additions expansion
  • Be independent of specific hosts or devices
  • Operate at the Application level

62
Internet Management Model
[Diagram: Internet management model. A Network Management station talks to an Agent for its Managed Entities and to a Proxy Agent standing in for other Managed Entities]
63
SNMP
  • Intersection of vendor/user requirements
  • Few verbs
  • get / get-next
  • get-bulk SNMPv2
  • set
  • trap
  • Polled, Master-Slave, Request-Response

64
SNMP Format
  • <header><verb><value><variable><verb><value><variable>
  • ASN.1 subset to describe value format
  • MIB-II (Management Information Base) to identify
    variables
  • UDP as a Transport layer
  • Now out! SNMPv2

65
The MIB
  • Standard set of data for managing network devices
  • Variable names are part of the ISO/CCITT object
    identifier namespace
  • Provides globally unique identifiers
  • Variables governed by Structure of Management
    Information (SMI) specification

66
Accessing MIB Data
  • SNMP Communities
  • SNMP Views
  • SNMP Authentication

67
Abstract Syntax Notation 1 (ASN.1)
  • Data Structures
  • Abstract Syntax
  • Transfer Syntax
  • International Standard 8825
  • Notation used to encode, transfer and decode data
    structures across a wide range of applications
  • Both connection-oriented and connectionless
    primitives

68
Example SNMP PDU using ASN.1
  • SEQUENCE len 41, INTEGER len 1 version 0
    30 29 02 01 00
  • OCTET STRING len 6 "public"
    04 06 70 75 62 6C 69 63
  • GetRequest len 28, INTEGER len 4 request ID
    A0 1C 02 04 05 AE 56 02
  • INTEGER len 1 error status, INTEGER len 1 error index
    02 01 00 02 01 00
  • SEQUENCE len 14, SEQUENCE len 12, OBJECT IDENTIFIER len 8
    30 0E 30 0C 06 08
  • 1.3.6.1.2.1.1.1.0 (the first byte 2B encodes both 1 and 3)
    2B 06 01 02 01 01 01 00
  • NULL len 0
    05 00
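A decoder for exactly the PDU above, added here as an example rather than taken from the slides; the byte string is a constructed copy of the slide's hex. It walks the BER TLVs, and its bounds checks are the practitioner's point: a length byte in a datagram from the network is never trusted beyond the bytes actually received, and the community string it recovers is the only "authentication" SNMPv1 carries, in the clear.

```python
from typing import Any, Dict, List, Tuple

# Constructed copy of the slide's GetRequest (SNMPv1, community "public", one varbind).
SLIDE_PDU = bytes.fromhex(
    "30 29 02 01 00 04 06 70 75 62 6C 69 63 A0 1C 02 04 05 AE 56 02 "
    "02 01 00 02 01 00 30 0E 30 0C 06 08 2B 06 01 02 01 01 01 00 05 00"
)
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0  # context-specific, constructed, tag number 0

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER TLV at pos. Short-form lengths
    only (< 128), which covers every length on the slide; the bounds checks are
    what stop a forged length byte from reading past the datagram."""
    if pos + 2 > len(buf):
        raise ValueError(f"truncated TLV header at offset {pos}")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError(f"length {length} at offset {pos} overruns the buffer")
    return tag, buf[pos + 2:end], end

def expect(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag {tag:#04x} at offset {pos}, got {got:#04x}")
    return value, nxt

def read_int(buf: bytes, pos: int) -> Tuple[int, int]:
    value, nxt = expect(buf, pos, TAG_INTEGER)
    return int.from_bytes(value, "big", signed=True), nxt

def decode_oid(value: bytes) -> str:
    # First byte packs the first two arcs (40*X + Y); later arcs are base-128 with
    # the high bit set on every byte except the last of a multi-byte arc.
    if not value:
        raise ValueError("empty OBJECT IDENTIFIER")
    arcs, acc, pending = [value[0] // 40, value[0] % 40], 0, False
    for b in value[1:]:
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("OID ends inside a multi-byte sub-identifier")
    return ".".join(str(a) for a in arcs)

def parse_get_request(pdu: bytes) -> Dict[str, Any]:
    msg, end = expect(pdu, 0, TAG_SEQUENCE)
    if end != len(pdu):
        raise ValueError("trailing bytes after the SNMP message")
    version, p = read_int(msg, 0)
    community, p = expect(msg, p, TAG_OCTET_STRING)  # cleartext community string
    req, p = expect(msg, p, TAG_GET_REQUEST)
    request_id, q = read_int(req, 0)
    error_status, q = read_int(req, q)
    error_index, q = read_int(req, q)
    vbl, q = expect(req, q, TAG_SEQUENCE)           # VarBindList
    varbinds: List[Tuple[str, Any]] = []
    r = 0
    while r < len(vbl):
        vb, r = expect(vbl, r, TAG_SEQUENCE)        # one VarBind: OID + value
        oid_bytes, s = expect(vb, 0, TAG_OID)
        vtag, val, _ = read_tlv(vb, s)
        varbinds.append((decode_oid(oid_bytes), None if vtag == TAG_NULL else val))
    return {"version": version, "community": community.decode("ascii"),
            "request_id": request_id, "error_status": error_status,
            "error_index": error_index, "varbinds": varbinds}
```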

69
SNMP vs SNMPv2
  • History in Brief
  • More features (more complex)
  • BIG increase in security
  • authentication and integrity
  • access controls
  • security and privacy
  • Better access controls in Views
  • Trap confirmations
  • Knowledge of multiple managers

70
Enterprise Architecture
  • SNMP is designed for simple, manager-to-agent
    communications
  • CMIP is complex and bulky, but complete
  • Most Enterprise networks can't be managed
    directly from a single place

71
Enterprise Management
[Diagram: CMIP Managers (Separate Organization) and SNMP Managers over the Local Networks]
72
Management Tools
  • Packet Analyzer
  • Media Analyzers (TDR, OTDR, BER Tester)
  • RMON devices
  • Hosts (?)

73
Software Tools
  • Hosted on PCs
  • Hosted on Unix Workstations
  • Commercial Packages

74
Decent Books
  • Network Management Standards 2d ed
  • Uyless Black
  • The Simple Book, 2d ed
  • Marshall T. Rose
  • Communication Networks Management, 2d ed
  • Kornel Terplan
  • Internetworking with TCP/IP, Vol I, 3d ed
  • Douglas E. Comer

75
Defining Network Security
  • Security is prevention of unwanted information
    transfer
  • What are the components?
  • ...Physical Security
  • Operational Security
  • Human Factors
  • Protocols

76
Areas for Protection
  • Privacy
  • Data Integrity
  • Authentication/Access Control
  • Denial of Service

77
Regulations and Standards
  • Computer Crime Laws
  • Encryption
  • Government as Big Brother

78
Security
  • Threat, Value and Cost Tradeoffs
  • Identify the Threats
  • Set a Value on Information
  • Add up the Costs (to secure)
  • Cost < Value × Threat

79
Threats
  • Hackers/Crackers (Joyriders)
  • Criminals (Thieves)
  • Rogue Programs (Viruses, Worms)
  • Internal Personnel
  • System Failures

80
Network Threats
  • IP Address spoofing attacks
  • TCP SYN Flood attacks
  • Random port scanning of internal systems
  • Snooping of network traffic
  • SMTP Buffer overrun attacks

81
Network Threats (cont.)
  • SMTP backdoor command attacks
  • Information leakage attacks via finger, echo,
    ping, and traceroute commands
  • Attacks via download of Java and ActiveX scripts
  • TCP Session Hijacking
  • TCP Sequence Number Prediction Attacks

82
  • Threat, Value and Cost Tradeoffs
  • Operations Security
  • Host Security
  • Firewalls
  • Cryptography Encryption/Authentication
  • Monitoring/Audit Trails

83
Host Security
  • Security versus Performance / Functionality
  • Unix, Windows NT, MVS, etc
  • PCs
  • Security Through Obscurity :-(

84
Host Security (cont)
  • Programs
  • Configuration
  • Regression Testing

85
Network Security
  • Traffic Control
  • Not a replacement for Host-based mechanisms
  • Firewalls and Monitoring, Encryption
  • Choke Points: Performance

86
Access Control
  • Host-based
  • Passwords, etc.
  • Directory Rights
  • Access Control Lists
  • Superusers :-(
  • Network-based
  • Address Based
  • Filters
  • Encryption
  • Path Selection

87
Network Security and Privacy
  • Protecting data from being read by unauthorized
    persons.
  • Preventing unauthorized persons from inserting
    and deleting messages.
  • Verifying the sender of each message.
  • Allowing electronic signatures on documents.

88
FIREWALLS
  • Prevent against attacks
  • Access Control
  • Authentication
  • Logging
  • Notifications

89
Types of Firewalls
  • Packet Filters
  • Network Layer
  • Stateful Packet Filters
  • Network Level
  • Circuit-Level Gateways
  • Session Level
  • Application Gateways
  • Application Level

[Diagram: the seven OSI layers, Application down to Physical, shown beside the firewall types above]
90
Packet Level
  • Sometimes part of router
  • TAMU Drawbridge

[Diagram: ROTW (rest of the world) - Router - Drawbridge - Campus]
91
Circuit Level
  • Dedicated Host
  • Socket Interfaces

[Diagram: Local network - FW - ROTW]
92
Application Level
  • Needs a dedicated host
  • Special Software most everywhere

[Diagram: a telnet session relayed through the Firewall host to ROTW]
93
Firewall Installation Issues
[Diagram: DNS, FTP, Web and Mail servers behind a Router]
94
Firewall Installation Issues
  • DNS Problems
  • Web Server
  • FTP Server
  • Mail Server
  • Mobile Users
  • Performance

95
Address Transparency
  • Need to make some addresses visible to external
    hosts.
  • Firewall lets external hosts connect as if
    firewall was not there.
  • Firewall still performs authentication

96
Network Address Translation
[Diagram: private network 10.0.0.0 behind a Gateway/Firewall that translates to the public 128.194.103.0 network]
97
Network Address Translation
[Diagram: Host A (Internal Host) and Host B (External Host), each with a TCP / IP / Data Link / Hardware stack; the Gateway Host between them runs gw control and a proxy ftp that relays between the two stacks]
98
IP Packet Handling
  • Disables IP Packet Forwarding
  • Cannot function as an insecure router
  • e.g. ping packets will not be passed
  • Fail Safe rather than Fail Open
  • Only access is through proxies

99
DNS Proxy Security
[Diagram: an External DNS Server and the Eagle Gateway eagle.xyz.com fronting the internal hosts finance.xyz.com, marketing.xyz.com and sales.xyz.com]
100
Virtual Private Tunnels
[Diagram: a tunnel across the INTERNET; caption: Creates a Virtual Private Network]
101
VPN Secure Tunnels
  • Two types of Tunnels supported
  • SwIPe and IPsec tunnels
  • Encryption
  • DES, triple DES and RC2
  • Secret key used for authentication and
    encryption
  • Trusted hosts are allowed to use the tunnel on
    both ends

102
Designing DMZs
[Diagram: Screening Router, a DMZ holding the Web, FTP and Mail servers, and the Company Intranet behind it]
103
Firewall Design Project
[Diagram: San Jose site with File Server, Mail Server, Raptor Eagle firewall, Internet Router and Raptor Remote Hawk Console; Wide Area Router link to Dallas]
104
Monitoring
  • Many tools exist for capturing network traffic.
  • Other tools can analyze captured traffic for
    bad things.
  • Few tools are real-time.

105
Summary
  • Security must be comprehensive to be effective.
  • Remember threat, value, cost when implementing a
    system.
  • Security is achievable, but never 100%.
  • Make your system fault tolerant.

106
Where Do the 7 layers fit?
[Diagram: layers 7 down to 1 with question marks at the candidate boundaries; caption: Or, where is the dividing line between hardware and software?]
107
Implementing the Model
[Diagram: implementation stack, top to bottom: User Space Software, OS Space Software, Firmware, Hardware]
108
Some More Definitions
  • User Space Software - Code that executes as any
    program that a normal user could compile and run
  • OS Space Software - Code that executes on the
    host CPU but in a mode or with special access
    that normal users can not use
  • Firmware - Code that executes on a processor
    (special or general purpose) that is different
    from the host CPU; may be in PROM or in RAM
    downloaded from another source
  • Hardware - Generally special purpose VLSI and
    analog/linear interface components

109
Assigning the 7 layers
  • Performance
  • vs
  • Flexibility