Hey, my name is Patrick Brannelly and I'm a security training engineer with Palo Alto Networks. Today, I want to discuss protocols and packet filtering.

Transmission Control Protocol, or TCP, defines how to establish and maintain a network conversation so that application programs can exchange data. TCP resides at layer 4, which is the layer charged with handling end-to-end communication. Protocols like TCP that send and accept packets from the network layer are assigned protocol numbers, and TCP is protocol number 6. TCP is connection-oriented, meaning it exists to establish and maintain a connection until the two ends of the conversation have finished exchanging their messages. TCP organizes application data into packets that networks can deliver, and it manages flow control, meaning TCP will ensure a receiver is not overwhelmed by a sender sending packets faster than they can be consumed. It also ensures error-free data transmission by retransmitting any dropped or garbled packets and acknowledging all arriving packets.

When TCP generates a conversation, it's going to do so with a source IP and a source port, and that source port is going to be generated from a 16-bit range. That's actually 65,536 total ports, but it starts with zero, so zero through 65,535. These ports are reserved by the Internet Assigned Numbers Authority, or IANA, which breaks them up into three areas. There are the well-known ports, which are zero through 1,023. Then there are the registered ports, which are 1,024 through 49,151. Finally, there are the dynamic or private ports, 49,152 through 65,535. These are also known as the ephemeral ports. Different OSs will use different ranges of ephemeral ports, so for instance Linux will use 32,768 through 61,000. Windows, starting at around Windows Vista and Server 2008, uses 49,162 through 65,535.
Now, another use of ports is with network address translation on the Palo Alto Networks firewall when it uses Dynamic IP and Port (DIPP). This is where it assigns one IP address but can assign multiple ports to that address. In other words, one host will be assigned that IP address and a port, and another host will have the same IP address but a different port. It uses 1,024 through 65,535. That's a total of 64,512 ports, basically every port except the well-known ports, zero through 1,023.

Getting back to TCP starting a conversation, we're going to use our laptop here and we'll say that it has an IP address of 10.1.1.100. This is the source IP address, because we're going to be doing some web surfing here and we're going to start at our laptop. Now, it's going to generate a source port like we just talked about. Let's say that source port is 49,200. Now it's going to send out to wherever its destination is; let's say it's a web server here, www.example.com. We'll just make up an address and say that it is 90.3.4.2. That's our destination IP address. Because we're going to be using a web conversation here, we'll say it's HTTP, which is port 80 on TCP, so the destination port is port 80. In all, we have the source IP and source port going to the destination IP and destination port, and it is going over TCP, which is protocol number 6.

Now remember, TCP is connection-oriented. In addition to this source and destination information it's going to use to have a conversation, TCP also wants to make sure that the conversation is actually going to happen. It has a mechanism to confirm that both sides are sending and receiving information: what we call the TCP three-way handshake. That handshake is done through particular packets. To begin this handshake, the source is going to send what's called a SYN packet, which stands for synchronization, to the destination.
It's also going to attach a sequence number, and since this is the beginning of the conversation, it'll be a zero. It sends this over to the destination, and the destination is going to send an acknowledgment of receiving the SYN packet with an acknowledgment number that comes after the SYN packet's sequence number, so a one, but it's also going to send its own SYN packet to the source. This is what's called a SYN-ACK: it'll be a SYN with a zero and an ACK with a one, and that gets sent back. Then the source is going to acknowledge the packet it received, so it will send its own ACK with a sequence number of one back, and that completes the handshake. Once that's been done, TCP has confirmed that both sides are talking and it can start sending the data.

This is very similar to a handshake between human beings. If I walk up to you, put my hand out, shake your hand and say, "Hello, how are you?", you say, "I'm fine, thank you. How are you?" Then we may exchange names, but we are now conversing, and we each know that the other is directing his attention to the other.

User Datagram Protocol, or UDP, uses protocol number 17. UDP is connectionless. This means that, like TCP, it's going to use source and destination ports and source and destination IPs, but unlike TCP, it has no handshaking dialogue and it doesn't ensure reliability. There's no guarantee of delivery, ordering or duplicate protection. It does provide checksums for data integrity, which means it runs an algorithm to make sure nothing has changed in transit. When we say UDP is connectionless, unlike the handshake scenario I just gave, UDP is more like I walk by the room you're in, yell something and continue on my way. I don't know that you received it, but I did send it. A scenario where UDP is used would be with a protocol like TFTP, Trivial File Transfer Protocol. Let's say we have a TFTP server over here.
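The handshake just described is exactly what a stateful firewall watches for before it lets data through: a SYN, a SYN-ACK answering it, and a final ACK, after which payload on that five-tuple is admitted. The following Python is an added example, not Palo Alto Networks code. It replays the laptop (10.1.1.100:49200) to www.example.com (90.3.4.2:80) exchange from the narration with the same relative sequence numbers, drops a data segment from a second, constructed host (10.1.1.101) that never completed a handshake, and then shows the contrast with a UDP datagram, which carries readable payload in its very first packet because there is no handshake to wait for.

```python
"""Stateful tracking of the SYN / SYN-ACK / ACK exchange versus a UDP datagram.

Added example, not Palo Alto Networks code. Segments are constructed dictionaries
standing in for captured packets; sequence numbers are relative, as in the
narration (the first SYN carries 0), rather than the random initial values real
stacks use.
"""

TCP, UDP = 6, 17                      # IP protocol numbers from the narration
LAPTOP, WEB_SERVER = "10.1.1.100", "90.3.4.2"


def seg(proto, src, sport, dst, dport, flags=(), seq=None, ack=None, payload=b""):
    """Constructed segment/datagram record with its five-tuple and TCP fields."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": frozenset(flags), "seq": seq, "ack": ack, "payload": payload}


def flow_key(s):
    """Direction-independent key so both halves of one conversation share a state entry."""
    a, b = (s["src"], s["sport"]), (s["dst"], s["dport"])
    return (s["proto"],) + (a + b if a < b else b + a)


class ConnTracker:
    """Admits TCP data only after a completed handshake; UDP flows open on the first datagram."""

    def __init__(self):
        self.state = {}       # flow_key -> SYN_SENT | SYN_RECEIVED | ESTABLISHED | UDP
        self.log = []         # (verdict, reason) per inspected packet, in order

    def _verdict(self, verdict, reason):
        self.log.append((verdict, reason))
        return verdict

    def inspect(self, s):
        key = flow_key(s)
        st = self.state.get(key)
        if s["proto"] == UDP:
            # Connectionless: nothing to confirm, and the payload is already in packet one.
            self.state[key] = "UDP"
            return self._verdict("allow", "udp, %d payload bytes visible" % len(s["payload"]))
        if s["proto"] != TCP:
            return self._verdict("drop", "protocol %d not handled here" % s["proto"])
        f = s["flags"]
        if st is None:
            if f == {"SYN"} and s["seq"] == 0:
                self.state[key] = "SYN_SENT"
                return self._verdict("allow", "SYN from %s:%d" % (s["src"], s["sport"]))
            return self._verdict("drop", "no handshake seen for this flow")
        if st == "SYN_SENT" and f == {"SYN", "ACK"} and s["seq"] == 0 and s["ack"] == 1:
            self.state[key] = "SYN_RECEIVED"
            return self._verdict("allow", "SYN-ACK from %s:%d" % (s["src"], s["sport"]))
        if st == "SYN_RECEIVED" and f == {"ACK"} and s["seq"] == 1 and s["ack"] == 1:
            self.state[key] = "ESTABLISHED"
            return self._verdict("allow", "handshake complete, data may flow")
        if st == "ESTABLISHED":
            return self._verdict("allow", "established, %d payload bytes" % len(s["payload"]))
        return self._verdict("drop", "unexpected %s in state %s" % (sorted(f), st))


def web_session():
    """Replay the narration's laptop -> www.example.com handshake plus two contrasting packets."""
    t = ConnTracker()
    verdicts = [
        t.inspect(seg(TCP, LAPTOP, 49200, WEB_SERVER, 80, {"SYN"}, seq=0)),
        t.inspect(seg(TCP, WEB_SERVER, 80, LAPTOP, 49200, {"SYN", "ACK"}, seq=0, ack=1)),
        t.inspect(seg(TCP, LAPTOP, 49200, WEB_SERVER, 80, {"ACK"}, seq=1, ack=1)),
        t.inspect(seg(TCP, LAPTOP, 49200, WEB_SERVER, 80, {"ACK", "PSH"}, seq=1, ack=1,
                      payload=b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")),
        # Data for a flow that never completed a handshake (constructed second host): dropped.
        t.inspect(seg(TCP, "10.1.1.101", 49201, WEB_SERVER, 80, {"ACK", "PSH"}, seq=1, ack=1,
                      payload=b"GET / HTTP/1.1\r\n")),
        # UDP datagram: allowed at once, payload readable in the very first packet.
        t.inspect(seg(UDP, LAPTOP, 49200, WEB_SERVER, 69, payload=b"\x00\x01config.bin\x00octet\x00")),
    ]
    return verdicts, t


if __name__ == "__main__":
    v, tracker = web_session()
    for verdict, reason in tracker.log:
        print("%-5s %s" % (verdict, reason))
```

The state is keyed on the five-tuple regardless of direction, so the server's SYN-ACK lands on the same entry the client's SYN created; a real implementation would also validate against the randomised sequence numbers and age entries out, which is omitted here.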
We'll say that it's at 90.3.4.2, and then we'll have our laptop here again at 10.1.1.100, and it's going to generate that source port again. We'll say that's once again 49,200. Now it's going to use UDP port 69 for TFTP. So I've got a source IP of 10.1.1.100, source port of 49,200, destination IP of 90.3.4.2, destination port 69. When my laptop uses TFTP, it'll send a connection to the TFTP server to either push or pull some files from it, but nothing is going to happen to ensure reliable transfer of this data. The other thing is, because there's no handshake, the data can start flowing right away in that first packet. If you were using a firewall and analyzing the traffic, you would be able to see the data or the file that's being sent almost right away.

Domain Name System, or DNS, is the naming system for devices and services connected to the Internet or a private network. Consider it like the network phone book, in that it translates domain names like www.example.com to numerical addresses, which we call IP addresses. Without it, every website we want to go to would have to be an IP address we have to know, and that would just be too difficult. DNS is one of the few protocols that actually uses both TCP and UDP, and it uses port 53 for both. A DNS server maintains the domain name hierarchy and provides the translation service between it and the address spaces. A DNS name server stores the DNS records for a domain and then responds with answers to queries against that database. Let's say we have a DNS server internally here and we want to go to www.example.com. We put www.example.com in our browser and send out a query, and DNS is what's going to respond with the IP address that corresponds to the name.
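Two points from the UDP and TFTP discussion are worth seeing in bytes: the checksum UDP carries for integrity, and the fact that the file being requested is visible in the first datagram. The block below is an added example, not Palo Alto Networks code. It builds the TFTP read request from the narration's five-tuple (10.1.1.100:49200 to 90.3.4.2:69 over protocol 17) with the RFC 768 checksum computed over the IPv4 pseudo-header, verifies it the way a receiver does, and then flips one bit in the file name to show the check fail. The file name config.bin is an arbitrary sample value.

```python
"""UDP datagram builder and checker with the RFC 768 checksum.

Added example, not Palo Alto Networks code. The TFTP read request is constructed
from the narration's five-tuple (10.1.1.100:49200 -> 90.3.4.2:69, protocol 17);
the file name config.bin is an arbitrary sample value.
"""
import ipaddress
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd-length input is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, UDP length. Ties the checksum to the addresses."""
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + header + payload; the header's checksum field must be 0."""
    csum = 0xFFFF & ~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return csum or 0xFFFF                   # RFC 768: a computed zero is sent as all ones


def build_udp(src_ip: str, sport: int, dst_ip: str, dport: int, payload: bytes) -> bytes:
    """UDP header (ports, length, checksum) followed by the payload."""
    length = 8 + len(payload)
    csum = udp_checksum(src_ip, dst_ip, struct.pack("!HHHH", sport, dport, length, 0) + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver side: summing everything including the transmitted checksum must give 0xFFFF."""
    csum = struct.unpack("!H", segment[6:8])[0]
    if csum == 0:
        return True                         # IPv4 permits a sender to omit the checksum
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def tftp_rrq(filename: str, mode: str = "octet") -> bytes:
    """TFTP read request (RFC 1350): opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def demo():
    """Build the laptop's TFTP request, verify it, then flip one bit in the file name."""
    src, dst = "10.1.1.100", "90.3.4.2"
    dgram = build_udp(src, 49200, dst, 69, tftp_rrq("config.bin"))
    damaged = bytearray(dgram)
    damaged[10] ^= 0x01                     # byte 10 is the first letter of the file name
    return {
        "intact_ok": verify_udp(src, dst, dgram),
        "damaged_ok": verify_udp(src, dst, bytes(damaged)),
        "first_packet_payload": dgram[8:],  # the file name is readable before any handshake
    }


if __name__ == "__main__":
    print(demo())
```

Note that the checksum is an integrity check against accidental corruption only: anyone who can rewrite the datagram can recompute it, which is why the narration's point that TFTP offers no security still stands.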
Let's say we go first to our internal DNS server and send that query up, and our DNS server says, "I don't know who that is, but I will forward that query to a public DNS server." The query goes up through to that server, and that DNS server answers it with the IP address; let's say that IP address is 90.3.4.2. Now the destination IP address that we require is known to the source as it sends its packets over to visit that website.

Earlier, I mentioned Trivial File Transfer Protocol. Well, there's another file transfer protocol, and it's actually called File Transfer Protocol, or FTP. FTP is different because it uses TCP, not UDP, and in fact it uses more than one port. If we have an FTP server up here, FTP will use port 21 as the server command port. Then it will use port 20 for data. If I'm going to communicate with an FTP server as an FTP user, I will open a connection to FTP using that handshake, and then on the other side of this I'm going to authenticate using a username and password, or it can actually be configured to connect anonymously. Now, it's important to remember that while this is reliable, it is not a secure transmission, so that username and password are not protected by encryption. FTP runs in either active mode or passive mode. In active mode, the client starts listening for incoming data connections from the server, and the server then initiates the data channel to the client from port 20. In passive mode, the client uses the control connection to send a command to the server and then receives a server IP address and server port number from the server.

Hypertext Transfer Protocol, or HTTP, is the TCP protocol that we use to send and receive web pages and files on the Internet. It works by using a web browser to connect to a server, usually over TCP port 80.
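The DNS lookup for www.example.com in the narration is, on the wire, a small binary message on port 53 and an answer that echoes it plus a record. This Python is an added example, not Palo Alto Networks code: it encodes an A-record query in RFC 1035 format, and decodes a response that is constructed here to stand in for what the public resolver would return (90.3.4.2, as in the narration). The transaction id 0x1234 and the 300-second TTL are arbitrary sample values. The parser checks the transaction id and the response flags, which is the minimal validation any resolver performs before trusting an answer.

```python
"""Minimal DNS A-record query encoder and response decoder (RFC 1035 wire format).

Added example, not Palo Alto Networks code. The response bytes are constructed
here to stand in for the public resolver's answer for www.example.com (90.3.4.2);
the transaction id 0x1234 and TTL 300 are arbitrary sample values.
"""
import struct

DNS_PORT = 53   # used over both UDP and TCP


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Header: id, flags 0x0100 (standard query, recursion desired), 1 question; QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg: bytes, offset: int):
    """Read a possibly compressed name; return (name, offset just past it in the original stream)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_response(msg: bytes, expected_txid: int):
    """Return [(name, ttl, ipv4)] from the answer section after checking id, QR and RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")   # an answer we did not ask for
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    offset = 12
    for _ in range(qd):                               # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply: echo the question, set QR|RD|RA, add one A record via a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


def resolve_demo():
    """The narration's lookup: ask for www.example.com, get 90.3.4.2 back."""
    query = build_query("www.example.com")
    return parse_a_response(constructed_response(query, "90.3.4.2"), 0x1234)
```

Sending `build_query(...)` with `socket.sendto` to a resolver on UDP port 53 and feeding the reply to `parse_a_response` is all a real lookup adds; the transaction id check is why a resolver should pick that id randomly rather than use a fixed value as this example does.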
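Because FTP negotiates its data connection inside the control conversation on port 21, a firewall that wants to allow only the negotiated data port has to read that negotiation. The block below is an added example, not Palo Alto Networks code. It decodes the RFC 959 "h1,h2,h3,h4,p1,p2" field that a server's 227 reply (passive mode) and a client's PORT command (active mode) both carry, derives the TCP data connection to permit, and refuses any advertised address that is not the control-channel peer, so no opening is made towards a third host. The sample reply and command use the narration's addresses (client 10.1.1.100, server 90.3.4.2); the data ports 50000 and 49202 are arbitrary sample values.

```python
"""Decoding the data-channel endpoint FTP negotiates on its control connection.

Added example, not Palo Alto Networks code. The 227 reply and PORT command below
are constructed from the narration's addresses (client 10.1.1.100, server 90.3.4.2);
the data ports 50000 and 49202 are arbitrary sample values.
"""
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str):
    """Parse 'h1,h2,h3,h4,p1,p2' (RFC 959) into ('h1.h2.h3.h4', p1*256 + p2)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port field in %r" % text)
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport, e.g. for building a PORT command."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def data_channel(client, server, line: str) -> dict:
    """Derive the TCP data connection a firewall must permit from one control-channel line.

    client and server are (ip, port) tuples of the control connection (server port 21).
    The advertised address must match the control-channel peer; otherwise the line is
    refused rather than opening a hole towards a third host.
    """
    if line.startswith("227 "):
        ip, port = decode_hostport(line)
        if ip != server[0]:
            raise ValueError("PASV address %s is not the FTP server %s" % (ip, server[0]))
        # Passive: the client connects from a new ephemeral port to the advertised server port.
        return {"mode": "passive", "proto": 6, "src": client[0], "dst": ip, "dport": port}
    if line.upper().startswith("PORT "):
        ip, port = decode_hostport(line)
        if ip != client[0]:
            raise ValueError("PORT address %s is not the FTP client %s" % (ip, client[0]))
        # Active: the server connects from port 20 to the port the client is listening on.
        return {"mode": "active", "proto": 6, "src": server[0], "sport": 20, "dst": ip, "dport": port}
    raise ValueError("not a PASV reply or PORT command: %r" % line)


def demo():
    """One passive and one active negotiation between the narration's laptop and FTP server."""
    client, server = ("10.1.1.100", 49200), ("90.3.4.2", 21)
    return (data_channel(client, server, "227 Entering Passive Mode (90,3,4,2,195,80)"),
            data_channel(client, server, "PORT " + encode_hostport("10.1.1.100", 49202)))


if __name__ == "__main__":
    for rule in demo():
        print(rule)
```

Since the control channel is cleartext, this kind of inspection works; it also means the same lines, including the username and password the narration mentions, are readable by anyone on the path.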
The server is located using what's called a Uniform Resource Locator, or URL, which is another name for a web address. This always contains http:// at the start. If I were going to www.example.com, this is what a true URL looks like. There's a more secure version of HTTP, and it's called HTTPS, which stands for Hypertext Transfer Protocol Secure, and it uses port 443 on TCP. If I were going to go to, say, my bank's website, and it's going to be a secure connection, then it would be https:// and then whatever my bank's URL or domain name is.

Internet Control Message Protocol, or ICMP, is used by networked devices to send error messages and operational information indicating whether a service is available or a host or router is reachable. It uses protocol number 1. Now, it's different from transport protocols such as TCP and UDP, because its purpose is not to exchange data between systems; instead it is used by tools like ping and traceroute to test connectivity. The way ping works is that it sends an echo request to a host, which, if it is connected to the network, will reply. Ping not only checks host connectivity, but also tests bandwidth by showing how fast the echo replies are being received. For example, I'm sitting here on my laptop and I want to know if this server is responding, and maybe my firewall and maybe my router. I would send a ping to each of their IP addresses, so we'll say that the server here is at 10.1.1.1, my firewall maybe is 10.2.1.1, and my router might be something totally different; we'll say it's actually on the other side of this connection, so 10.2.1.2. I can send a ping up to the server, and it's going to respond back with an echo reply, and it may send a few. Those will all show me not only that it's there, because it's actually replying, but also how fast it gets there, because it sends me the measurement of the time it took. I can also send pings up to my firewall and up to my router.
My firewall might actually be configured not to respond to pings because it's a secure device, but usually, internally, we can have it respond. Going back to our firewall, it may be designed not to respond so that people aren't just looking for our firewalls out on the Internet.

Traceroute is a tool that records the route, hop by hop, on a network between your computer and a specified destination host. Traceroute also calculates and displays the amount of time each hop takes. Let's say I want to see how many hops it takes to get to this server up here at, let's say, 90.4.2.3. I will run a traceroute, and exactly how that command is written out depends on what OS I'm using, but I'll do a traceroute to 90.4.2.3. Let's just say that we have a couple more routers in the process. My traceroute goes up and through my network and comes back, and each hop sends back information about itself and the time it takes. I can see how many hops are in between and how long it takes to get there. It's another way to measure the speed of my connection and the connections of others along the way.

Network Time Protocol, or NTP, is a protocol for distributing Coordinated Universal Time, or UTC, by synchronizing the clocks of computer systems over IP networks. NTP is actually one of the oldest Internet protocols still in use, and it uses UDP port 123. The reason we would want to use something like this is that we want to have our devices synchronized. Let's say we've got a server here, our firewall here, our switch here and our router here, all in our own network. We want these to be synchronized because in the event of something happening, we want our logs to all be synchronized together so we can see the event occurring on different devices at the same time.
If all of these were running their own individual clocks, you might have some variation in the timestamps, and that could make it difficult to pinpoint when something happened or to prove that it happened. So we set all these devices up to talk to an NTP server; let's just say we use a public NTP server. Many universities have them, they can be used, and they tend to be very accurate because they're using more resources than we would have available on our own private network. We'll say this is an NTP server up here, and each of these devices is configured to pull its time from it. All of them synchronize with this server, so all of them carry the same UTC timestamp. By the way, it is a good idea to use UTC because then they're all running on the same time; there's no difference in time zones, which makes it a lot easier in terms of viewing the timestamps and when things happened.

When it comes to sending and receiving email, there are a couple of different protocols we use. The first one is called POP3, and it stands for Post Office Protocol, version 3. It's a protocol used by email clients to get mail from a remote server over TCP/IP, and it uses two ports: port 110, which is the default non-encrypted POP3 port, and port 995, which is the encrypted version. Email clients using POP generally connect, retrieve all their messages, store them on the user's PC as new messages, delete them from the server, and then disconnect. If this were our mail server up here, and I connected to it and pulled all my email down from it, it's going to retrieve it, bring it down, store it here on my laptop and delete it from the server.
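The NTP discussion above is really about what happens at investigation time: an analyst pulls the router, firewall, switch and server logs for one event and has to line them up. The block below is an added example, not Palo Alto Networks code, with four constructed log lines for the laptop's connection to 90.3.4.2. The router and switch stamp in local time with a zone offset, the firewall in UTC, and the server's clock has drifted because it is not synchronised. Converting everything to UTC first makes three of the four records fall within seconds of each other, while the drifted server record stands out as a separate group, which is exactly the ambiguity the narration says NTP removes.

```python
"""Normalising device log timestamps to UTC before correlating an event across devices.

Added example, not Palo Alto Networks code. The four log lines are constructed:
the same connection as seen by the router, firewall, switch and server. The router
and switch stamp in local time with an offset, the firewall in UTC, and the server's
clock has drifted because it is not synchronised to NTP.
"""
import re
from datetime import datetime, timedelta, timezone

LINE = re.compile(r"^(?P<device>\S+)\s+(?P<ts>\S+)\s+(?P<msg>.*)$")

SAMPLE_LOGS = [
    "router   2024-03-05T09:15:02-05:00 accepted tcp 10.1.1.100:49200 -> 90.3.4.2:80",
    "firewall 2024-03-05T14:15:03Z allow http 10.1.1.100 -> 90.3.4.2",
    "switch   2024-03-05T16:15:04+02:00 learned 10.1.1.100 on port 7",
    "server   2024-03-05T14:21:40Z GET / from 10.1.1.100",
]


def to_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and convert it to UTC; refuse timestamps with no zone."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp %r has no zone, cannot correlate it" % ts)
    return dt.astimezone(timezone.utc)


def normalise(lines):
    """Turn raw lines into records with a UTC datetime; unparseable lines are skipped."""
    out = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        out.append({"device": m["device"], "utc": to_utc(m["ts"]), "msg": m["msg"]})
    return out


def correlate(lines, window=timedelta(seconds=5)):
    """Sort by UTC and group records that fall within `window` of the first record in their group."""
    groups, current = [], []
    for r in sorted(normalise(lines), key=lambda r: r["utc"]):
        if current and r["utc"] - current[0]["utc"] > window:
            groups.append(current)
            current = []
        current.append(r)
    if current:
        groups.append(current)
    return groups


def skew(groups) -> timedelta:
    """Gap between the first group and the next record: a drifted clock shows up here."""
    if len(groups) < 2:
        return timedelta(0)
    return groups[1][0]["utc"] - groups[0][-1]["utc"]


if __name__ == "__main__":
    for group in correlate(SAMPLE_LOGS):
        print("---")
        for r in group:
            print(r["utc"].isoformat(), r["device"], r["msg"])
    print("skew:", skew(correlate(SAMPLE_LOGS)))
```

Timestamps without a zone are rejected on purpose: a bare local time from a device whose zone is unknown cannot be placed on the same axis as the others, and silently assuming UTC for it is how an analyst ends up with a six-minute gap like the server's looking like two separate events.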