(ISC)² CISSP® Official Study Guide, Eighth Edition


(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Chapter 11: Secure Network Architecture and Securing Network Components

Implications of Multilayer Protocols
As you can see from the previous sections, TCP/IP as a protocol suite comprises dozens of 
individual protocols spread across the various protocol stack layers. TCP/IP is therefore a 
multilayer protocol. TCP/IP derives several benefits from its multilayer design, specifically 
in relation to its mechanism of encapsulation. For example, when communicating between 
a web server and a web browser over a typical network connection, HTTP is encapsulated 
in TCP, which in turn is encapsulated in IP, which is in turn encapsulated in Ethernet. This 
could be presented as follows:
[ Ethernet [ IP [ TCP [ HTTP ] ] ] ]
However, this is not the extent of TCP/IP’s encapsulation support. It is also possible to 
add additional layers of encapsulation. For example, adding SSL/TLS encryption to the 
communication would insert a new encapsulation between HTTP and TCP:
[ Ethernet [ IP [ TCP [ SSL [ HTTP ] ] ] ] ]
This in turn could be further encapsulated with a Network layer encryption such as 
IPSec:
[ Ethernet [ IPSec [ IP [ TCP [ SSL [ HTTP ] ] ] ] ] ]
However, encapsulation is not always implemented for benign purposes. There are 
numerous covert channel communication mechanisms that use encapsulation to hide or 
isolate an unauthorized protocol inside another authorized one. For example, if a network 
blocks the use of FTP but allows HTTP, then tools such as HTTP Tunnel can be used to 
bypass this restriction. This could result in an encapsulation structure such as this:
[ Ethernet [ IP [ TCP [ HTTP [ FTP ] ] ] ] ]
Normally, HTTP carries its own web-related payload, but with the HTTP Tunnel tool, 
the standard payload is replaced with an alternative protocol. This false encapsulation can 
even occur lower in the protocol stack. For example, ICMP is typically used for network 
health testing and not for general communication. However, with utilities such as Loki, 
ICMP is transformed into a tunnel protocol to support TCP communications. The 
encapsulation structure of Loki is as follows:
[ Ethernet [ IP [ ICMP [ TCP [ HTTP ] ] ] ] ]
Another area of concern caused by unbounded encapsulation support is the ability to 
jump between virtual local area networks (VLANs). VLANs are network segments that are 
logically separated by tags. This attack, known as VLAN hopping, is performed by creating 
a double-encapsulated IEEE 802.1Q VLAN tag:
[ Ethernet [ VLAN1 [ VLAN2 [ IP [ TCP [ HTTP ] ] ] ] ] ]
With this double encapsulation, the first encountered switch will strip away the first 
VLAN tag, and then the next switch will be fooled by the interior VLAN tag and move the 
traffic into the other VLAN.
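The following added example (not from the book) shows how a monitoring script could recover the layer nesting of a captured frame in the bracket notation used above and flag the two abuses just described: stacked 802.1Q tags and ICMP echo traffic carrying an unusually large payload. The function names, the 64-byte ping baseline and the sample frames are assumptions constructed for illustration.

```python
import struct

TPIDS = (0x8100, 0x88A8)        # 802.1Q and 802.1ad tag protocol identifiers
IPV4 = 0x0800
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
MAX_ECHO_PAYLOAD = 64           # assumed site baseline for ping payload size

def walk_layers(frame: bytes):
    """Return (layer names, VLAN IDs, ICMP echo payload size or None)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    layers, vlans, echo_len = ["Ethernet"], [], None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    while ethertype in TPIDS:                   # peel every stacked tag
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)              # low 12 bits are the VLAN ID
        layers.append(f"VLAN{vlans[-1]}")
        off += 4
    if ethertype == IPV4 and len(frame) >= off + 20:
        ihl = (frame[off] & 0x0F) * 4
        (total,) = struct.unpack_from("!H", frame, off + 2)
        proto = frame[off + 9]
        layers += ["IP", IP_PROTO.get(proto, f"proto{proto}")]
        # ICMP type 8/0 = echo request/reply; its header is 8 bytes long
        if proto == 1 and len(frame) > off + ihl and frame[off + ihl] in (0, 8):
            echo_len = max(total - ihl - 8, 0)
    return layers, vlans, echo_len

def findings(frame: bytes):
    """Return (bracket rendering of the layers, list of findings)."""
    layers, vlans, echo_len = walk_layers(frame)
    notes = []
    if len(vlans) > 1:                          # more than one tag on a frame
        notes.append(f"stacked VLAN tags {vlans}")
    if echo_len is not None and echo_len > MAX_ECHO_PAYLOAD:
        notes.append(f"ICMP echo payload of {echo_len} bytes exceeds baseline")
    # Render in the nested bracket notation used in the text.
    return "[ " + " [ ".join(layers) + " ]" * len(layers), notes

# Constructed sample frames (documentation addresses, zero-filled payloads).
MACS = bytes.fromhex("020000000001020000000002")
def ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + bytes([192, 0, 2, 1, 192, 0, 2, 2]) + payload
DOUBLE_TAGGED = MACS + struct.pack("!HHHHH", 0x8100, 1, 0x8100, 2, IPV4) + ipv4(6, bytes(20))
BIG_PING = MACS + struct.pack("!H", IPV4) + ipv4(1, b"\x08" + bytes(7 + 1200))
```

A frame that arrives on an access port with any tag at all, or with more than one tag anywhere, is worth alerting on; the payload baseline should be tuned to the ping sizes actually seen on the monitored network.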
Multilayer protocols provide the following benefits:
- A wide range of protocols can be used at higher layers.
- Encryption can be incorporated at various layers.
- Flexibility and resiliency in complex network structures are supported.
There are a few drawbacks of multilayer protocols:
- Covert channels are allowed.
- Filters can be bypassed.
- Logically imposed network segment boundaries can be overstepped.
DNP3
DNP3 (Distributed Network Protocol) is primarily used in the electric and water utility and 
management industries. It is used to support communications between data acquisition 
systems and the system control equipment. This includes substation computers, RTUs 
(remote terminal units; devices controlled by an embedded microprocessor), IEDs 
(Intelligent Electronic Devices), and SCADA master stations (i.e., control centers). DNP3 is an 
open and public standard. DNP3 is a multilayer protocol that functions similarly to 
TCP/IP, in that it has link, transport, and transportation layers. For more details on DNP3, 
please view the protocol primer at 
https://www.dnp.org/AboutUs/DNP3%20Primer%20Rev%20A.pdf.
