456
Chapter 11
■
Secure Network Architecture and Securing Network Components
Table 11.1  TCP header construction (ordered from beginning of header to end) (continued)

Size in bits   Field
16             Checksum
16             Urgent pointer
Variable       Options; padded so that the total header length is a multiple of 32 bits
All of these fields have unique parameters and requirements, most of which are beyond
the scope of the CISSP exam. However, you should be familiar with the details of the flags
field. The flags field can contain a designation of one or more flags, or control bits. These
flags indicate the function of the TCP segment and request that the recipient respond in a
specific manner. The flags field is 8 bits long. Each bit position represents a single
flag, or control setting, and can be set on with a value of 1 or off with a value of 0. Some
conditions require multiple flags to be enabled at once; for example, the second packet in
the TCP three-way handshake has both the SYN and ACK flags set. Table 11.2 details the
flag control bits.
Table 11.2  The TCP header flag field values

Flag bit designator   Name                                          Description
CWR                   Congestion Window Reduced                     Used to manage transmission over congested links; see RFC 3168
ECE                   ECN-Echo (Explicit Congestion Notification)   Used to manage transmission over congested links; see RFC 3168
URG                   Urgent                                        Indicates urgent data (the urgent pointer field is meaningful only when URG is set)
ACK                   Acknowledgment                                Acknowledges received data, including synchronization and shutdown requests; set on every segment after the initial SYN
PSH                   Push                                          Indicates need to push data immediately to the application
RST                   Reset                                         Causes immediate disconnect of the TCP session
SYN                   Synchronization                               Requests synchronization with new sequence numbers
FIN                   Finish                                        Requests graceful shutdown of the TCP session
An additional important tidbit is that the IP header protocol field value for TCP is 6
(0x06). The protocol field is the label found in the header of every IP packet that tells the
receiving system what type of packet it is: it identifies the next encapsulated protocol, that
is, the protocol carried in the IP payload, whether one from the same layer, such as ICMP or
IGMP, or from the next layer up, such as TCP or UDP. Think of it as the label on a
mystery-meat package wrapped in butcher paper that you pull out of the freezer. Without the
label, you would have to open the package and inspect it to figure out what it was; with the
label, you can search or filter quickly to find items of interest. This is exactly the field a
packet-filtering firewall or a capture filter matches on when it is told to allow, block, or
display only TCP, UDP, or ICMP. For a list of other protocol field values, see
www.iana.org/assignments/protocol-numbers.
Unskilled Attackers Pester Real Security Folk
It might be a good idea to memorize at least the last six of the eight TCP header flags in
their correct order. The first two flags (CWR and ECE) are rarely used today and thus are
generally ignored or overlooked. However, the last six (URG, ACK, PSH, RST, SYN, and FIN)
are still in common widespread use.
Keep in mind that these eight flags are eight binary positions (that is, one byte) that can be
presented in either hex or binary format. For example, 0x12 is the hex presentation of the
byte 00010010. This specific byte layout indicates that the fourth and seventh flags (ACK
and SYN) are enabled. Written out with one letter per flag, leaving out CWR and ECE and
replacing them with XX, XXUAPRSF becomes 000A00S0, which is the SYN/ACK flag set. Note:
in a packet capturing tool such as Wireshark, the hex presentation of the TCP flags byte is
found in the raw data display at offset 0x2F (decimal 47). This assumes a standard 14-byte
Ethernet Type II header, a standard 20-byte IP header with no options, and the flags byte
sitting at offset 13 of the TCP header (14 + 20 + 13 = 47). An 802.1Q VLAN tag or IP
options shift this offset, so a filter that hard-codes 0x2F will miss such packets.
You can memorize this flag order using the phrase "Unskilled Attackers Pester Real Secu-
rity Folk," in which the first letter of each word corresponds to the first letter of the flags
in positions 3 through 8.
Protocol Discovery
Hundreds of protocols are in use on a typical TCP/IP network at any given moment.
Using a sniffer, you can discover which protocols are in use on your current network.
Before using a sniffer, though, make sure you have the proper permission or authoriza-
tion. Without approval, using a sniffer can be considered a security violation because it
enables you to eavesdrop on unprotected network communications. If you can't obtain
permission at work, try this on your home network instead.
Download and install a sniffer, such as Wireshark. Then use the sniffer to monitor the
activity on your network and discover just how many protocols (that is, members of the
TCP/IP protocol suite) are in use.
Another step in using a sniffer is to analyze the contents of captured packets. Pick out a
few different protocol packets and inspect their headers. Look for TCP, ICMP, ARP, and
UDP packets. Compare the contents of their headers. Try to locate any special flags or
field codes used by the protocols. You’ll likely discover that there is a lot more going on
within a protocol than you ever imagined.
If performing packet capturing is a task that you are unable to accomplish or should not
perform (due to rules, regulations, policies, laws, etc.), then consider perusing the samples
provided by Wireshark at https://wiki.wireshark.org/SampleCaptures.
User Datagram Protocol (UDP) also operates at layer 4 (the Transport layer) of the OSI
model. It is a connectionless "best-effort" communications protocol. It offers no error
correction (its checksum only detects corruption and is optional over IPv4), does not use
sequencing, does not use flow control mechanisms, does not use a preestablished session,
and is considered unreliable. UDP has very low overhead and thus can transmit data
quickly. However, UDP should be used only when the loss of individual datagrams is
tolerable, either because the data is time-sensitive or because the application handles
reliability itself. UDP is often employed by real-time or streaming communications for
audio and/or video. The IP header protocol field value for UDP is 17 (0x11).
As mentioned earlier, the UDP header is relatively simple in comparison with the TCP
header. A UDP header is 8 bytes (64 bits) long. This header is divided into four sections, or
fields (each 16 bits long):
■ Source port
■ Destination port
■ Message length (header plus payload, in bytes)
■ Checksum
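The following is an added example, not code from the book, that ties together the IP protocol field, the TCP flags byte at offset 0x2F described in the "Unskilled Attackers Pester Real Security Folk" sidebar, and the four-field UDP header just listed. It parses a raw Ethernet II frame the way a sniffer would, verifies the IPv4 header checksum, reads the protocol field, and then decodes either the TCP flags (also rendered in the CEUAPRSF notation, so 0x12 comes out as 000A00S0) or the UDP header. The two frames it parses are constructed by hand with struct.pack; the MAC addresses, the 192.0.2.x addresses, the ports and the sequence numbers are placeholders, not captured traffic.

```python
"""Decode the IPv4 protocol field, the TCP flags byte and the UDP header
from a raw Ethernet II frame (added example with constructed frames)."""
import struct

# TCP flag bits, most significant bit first: CWR ECE URG ACK PSH RST SYN FIN
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
FLAG_LETTERS = "CEUAPRSF"

IP_PROTO_TCP = 6      # 0x06
IP_PROTO_UDP = 17     # 0x11
ETH_HDR_LEN = 14      # Ethernet II: dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800


def decode_tcp_flags(flags_byte):
    """Return the names of the flags set in the 8-bit TCP flags field."""
    return [name for i, name in enumerate(TCP_FLAGS) if flags_byte & (0x80 >> i)]


def flag_string(flags_byte):
    """Render the byte in CEUAPRSF notation, e.g. 0x12 -> '000A00S0'."""
    return "".join(letter if flags_byte & (0x80 >> i) else "0"
                   for i, letter in enumerate(FLAG_LETTERS))


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame):
    """Parse Ethernet II -> IPv4 -> TCP flags or UDP header into a dict."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: EtherType 0x%04x" % ethertype)
    ip_start = ETH_HDR_LEN
    ihl = (frame[ip_start] & 0x0F) * 4        # header length in bytes (20 if no options)
    ip_header = frame[ip_start:ip_start + ihl]
    if ip_checksum(ip_header) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto = ip_header[9]                      # the IP protocol field
    l4_start = ip_start + ihl
    result = {"ip_protocol": proto}
    if proto == IP_PROTO_TCP:
        flags_offset = l4_start + 13          # flags byte is byte 13 of the TCP header
        flags = frame[flags_offset]           # 0x2F when Ethernet II + 20-byte IP header
        src, dst = struct.unpack("!HH", frame[l4_start:l4_start + 4])
        result.update(transport="TCP", src_port=src, dst_port=dst,
                      flags_offset=flags_offset, flags_byte=flags,
                      flags=decode_tcp_flags(flags), flag_string=flag_string(flags))
    elif proto == IP_PROTO_UDP:               # the four 16-bit UDP header fields
        src, dst, length, checksum = struct.unpack("!HHHH", frame[l4_start:l4_start + 8])
        result.update(transport="UDP", src_port=src, dst_port=dst,
                      length=length, checksum=checksum)
    else:
        result["transport"] = "other"
    return result


def build_frame(proto, l4_bytes):
    """Constructed test frame: placeholder MACs, 192.0.2.1 -> 192.0.2.2, no IP options."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_bytes), 0x1234, 0x4000,
                     64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in checksum
    return eth + ip + l4_bytes


# Second packet of a handshake: placeholder ports/sequence numbers, data offset 5, flags 0x12
SYN_ACK_FRAME = build_frame(IP_PROTO_TCP,
                            struct.pack("!HHIIBBHHH", 443, 51514, 1000, 2001, 0x50, 0x12, 65535, 0, 0))
# UDP datagram with 12 bytes of placeholder payload; length field covers header + payload
UDP_FRAME = build_frame(IP_PROTO_UDP, struct.pack("!HHHH", 53, 40000, 8 + 12, 0) + b"\x00" * 12)

if __name__ == "__main__":
    for frame in (SYN_ACK_FRAME, UDP_FRAME):
        print(parse_frame(frame))
```

The checksum check matters in practice: a capture taken on the sending host often shows a zero or wrong IP checksum because the NIC fills it in after the kernel hands the packet to the capture hook (checksum offload), so a parser used on live captures should report rather than reject such frames.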