
about
firewall primer details knock lab download implementations documentation FAQ images resources contact ![]() ![]()
The port knocking Perl prototype is licensed under the GPL license.
GPL License
![]() |
Firewall PrimerPerl prototype: v0.30
2004-Nov-14 18:59 | ...more new Net::Pcap support added to sniff packets directly ...more
This section introduces the idea of communication ports and firewalls at a very introductory level. If you are familiar with TCP/IP and firewalls, you can skip past this section and go straight to the details of the port knocking implementation. This introduction is not a technical document and is targetted at a non-technical audience or novices computer users and administrators.
packetsRecall that a
socket
In order to transmit data reliably (more on this term later), computers divide the data up into smaller pieces. These pieces are called
packets
TCP/IP SuiteNow that you know a bit out packets, let's turn to how they're created. Consider two computers on a network. Each computer has a network card, an operating system, and some software to send and receive the packets. All components must be able to communicate with one another in order for the packets to flow from one application on one computer (e.g. web browser) to another application on the other computer (e.g. web server). In order to formulate a model that describes the communication between these components two frameworks have been designed. First is the
OSI
Both of these frameworks try to abstract the flow of data and identify tiers at which data is handed off between subsystems. The frameworks look slightly different but encompass the same process. I'll briefly mention the TCP/IP Suite here to give you a sense of how you should think about network data transfer. The TCP/IP Suite is considered to be composed of 5 layers. Each layer works independently of one another and only adjacent layers can communicate. When data flows up the stack (1, 2, 3 and so on), the previous layer strips headers from the packet (in analogy, takes the letter out of the envelope) and passes the data payload (in analogy, the letter) to the next layer. When data flows down the stack (5, 4, 3, and so on), the top-most layer adds a new header to the data (in analogy, puts the letter in an envelope) and passes it down to the next layer down. The layers in the TCP/IP Suite are as follows.
Figure 1 illustrates how a packet may look once it's made its way down from the application layer (e.g. web browser) down to the physical layer. The data payload bundled between the many headers is the information provided by the application. This data is formatted specific to the application and presumably in such a way that the receiving application (e.g. web server) can interpret it. At the transport layer a UDP or TCP header is added, then an IP header at the Network Layer and finally an Ethernet header at Layer 2. You can see that there can be quite a bit of overhead in the headers when sending a very small amount of information (e.g. <100 bytes). ![]() ![]() ![]()
Figure 1 | A packet sent using TCP or UDP protocol contains three headers: Ethernet (22 bytes), IP (20 bytes) and TCP or UDP (8 or 20 bytes), a variable-length data payload section and a final frame checksum which is added at the network access layer. Generally the MTU is 1,500 bytes, which is very small compared to present network speeds.
A datagram is a specific packet format defined by the IP protocol. The datagram contains the IP header, protocol-specific header (TCP, UDP, etc.) and the data payload. Within each header, a variety of information is stored to provide the hardware and software that operates at that layer to correctly deliver the data up or down the TCP/IP stack. Packet HeadersAt three of the four TCP/IP stack layers, another header is added. The Ethernet header is added at the network access layer, the IP header at the internet layer and protocol-specific header (e.g. TCP or UDP) at the transport layer. In each case the header of a layer further up the stack is part of the data payload of the previous layer. The Ethernet standard (IEEE 802.3) permits the data payload at the network access layer to be up to 1500 bytes (Maximum Transfer Unit, or MTU). With recent advancements in data transfer speeds, it is commonly thought that the MTU is too small, causing too much protocol overhead, and there is an ongoing effort to include support for larger MTUs (12kb for a 100Mbit link, for example). ![]() ![]() ![]()
Figure 2 | The data payload and header of a layer becomes the data payload of the layer immediately below it in the TCP/IP stack. (zoom).
All this business about packets and headers is important because some port knocking systems inject information into the headers for authentication purposes. From Figure 2 you can see that there are a lot of fields a TCP header. These fields store a variety of data used in the delivery process. Some fields are not critical for delivery and can be freely modified. Additional ResourcesThe wikipedia has excellent and lucid descriptions of the Internet Protocol Suite, OSI Model and packets. Network Sorcery has a very detailed and complete list of TCP/IP Suite headers (e.g. TCP, UDP) and protocols. last updated 2005-Oct-25 13:26
|