The OSI Model: Part 3 - Network Layer


Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:00

>> As promised, let's keep climbing the OSI model and let's take a look at the network layer. Now, in the network layer, layers 1 and 2 are primarily hardware. Layers 4, 5, 6, and 7 are primarily software, but Layer 3 has both software and hardware. We'll look at the Layer 3 protocols. We've already mentioned routers work at Layer 3. Now we're going to focus on the protocols, like IP and so on, that are Layer 3. We'll also talk about a couple of Layer 3 attacks as well.

As very comparable to what we had drawn earlier, in the center of the connectivity, the two different broadcast domains, the cylinder with the arrows facing different directions, that's the standard diagram symbol for a router. You can see that that router is being used to isolate traffic into two different broadcast domains. That's the purpose of a router, but again, a router is cheap and the same functionality can usually be done with a VLAN and a Layer 3 switch, which is much cheaper. Routers are expensive. I may have said routers are cheap. Routers are very expensive. Just that illustration, that reminder that we could do the same functionality with the VLAN. Then if we're going to have VLANs that we want to communicate, we need Layer 3 switches. But let's go ahead and shift over to talking about the Layer 3 protocols.

What I'm going to tell you is every protocol for this class, every protocol that starts with the letter I, with one exception, is going to be a Layer 3 protocol. That one exception is a protocol called IMAP. It stands for Internet mail application protocol. That's up at Layer 7. Not worried about that just yet, but every other protocol starting with I, Layer 3, so IP, IPSEC, IGMP, IGRP, ICMP, ISAKMP, just on and on. Now this is not a challenge. Don't take it as a challenge to go out and find that one protocol that starts with I that's not Layer 3. I'm just giving you this generalization for the exam. If the protocol starts with I, it's almost assuredly a Layer 3 protocol.

We have some really important protocols here. We've just talked about IP and the essential nature of IP to provide addressing on the network. I'll also mention specifically ICMP, Internet Control Messaging Protocol. ICMP is the protocol behind our echoing utilities, like ping. I send a ping to your host, your host replies with an acknowledgment that you received the ping. Ultimately, because it's an echoing utility, ping makes a great, or ICMP makes a great, protocol to be exploited. We'll see that a lot of Layer 3 exploits do focus on ping.

Up at the top, in the center, we see the ping of death. We like to be dramatic, but a ping of death is when I send an oversized ping packet to your system. Within the IP protocol, the TCP/IP protocol, there's something defined as a maximum transmission unit, which means this is the largest packet you can send on an IP network. If I send a packet that exceeds that amount, your system may not know how to process it, and it may cause your system to lock up and become unavailable. It's a denial-of-service attack. Now, honestly, for a lot of the attacks on the screen we've had mitigation in place for years. These are not the most current attacks, but it's important to understand our configuration. The way we configure our systems now is the result of being compromised earlier. That's ping of death.

I could also send a ping flood, which means I'm sending a whole lot of pings to a specific host. There's a Loki attack, and the Loki attack stores information behind the ICMP header. That is not what the ICMP header is for. Storing information so that it escapes detection by things like intrusion detection systems, that's what we refer to as a covert channel. It's a path that's being used for communication that isn't designed or expected to be used for communication. That was a covert way to transmit data from system to system.

Now, another attack that exploits ICMP is called a Smurf attack. The Smurf attack uses a spoofed source address to be that of the target. I have a system that I want to take down, that's my target. I'm going to create a ping message to the broadcast address that looks like it comes from the target computer. Now, when I ping to the broadcast address, every host on that network gets that ping. They're all going to respond to the target because they think that's who initiated. What I'm essentially doing is I'm commandeering a large network to send ping messages to a target, ping replies, hoping to overwhelm that target into being so busy with these ping replies that it can't perform normal services, and that's called the Smurf attack.

Now, the thing about a Smurf attack is it's really easy to eliminate that threat, because most of the time you have ICMP blocked at your firewall. There's never really a good reason that we're going to allow ICMP through the firewall. It doesn't help me. It's not warranted for the security breaches that it allows, so we just block ICMP at the firewall. We also block what we refer to as directed broadcast, which means somebody outside my network shouldn't be able to broadcast inside our network, and that's really blocked by default today. The Smurf attacks really are not relevant. We haven't seen those around in years.

Now, an attack that came after the Smurf attack was called the Fraggle attack. The difference in the Fraggle and the Smurf, I can't believe I went to college to teach this. But the difference between a Fraggle and a Smurf is that a Fraggle uses UDP segments instead of ICMP. The reason for that is, I just mentioned you can easily block ICMP at the firewall and you won't have any negative impact, or very little. But you cannot block UDP at the firewall without having major implications, because UDP is a Layer 4 protocol that many upper-layer protocols need to work. A lot of protocols piggyback on UDP to work, so if you shut down UDP at the firewall, you're going to have a lot of unexpected traffic that's not able to come through anymore. We're going to look at UDP as we move into the next section.

Now, the question I often get is, why are these attacks called Smurfs? Why is this attack called the Fraggle? The best answer I've got for you is because the person that named them was probably high at the time, and they were sitting around in their mother's basement giggling: you know what, we should name this a Smurf attack. I know what would be funny, let's call this one a Fraggle. That's the best answer I've got for you right there.

Wrapping up Layer 3, we talked about the network layer of the OSI model. We said we've got routers here and all the protocols except IMAP that start with the letter I. Particularly ICMP being a very exploited protocol, we focused on some of the attacks that were at this layer as well.