SSL VPN : Understanding, evaluating and planning secure, web-based remote access

Product type: Paperback
Published: Mar 2005
Publisher: Packt
ISBN-13: 9781904811077
Length: 212 pages
Edition: 1st Edition

Appendix A. A Review of TCP, IP, and Ports

DARPA and OSI

Overall, there is no formal correlation between the TCP protocol model and the OSI model. But, they are roughly equivalent in the services that are provided. The following diagram shows a comparison between the models:

DARPA Layer          | Protocol Implementation                                   | OSI
---------------------|-----------------------------------------------------------|--------------
Process/Application  | FTP, SMTP, TELNET (RFC 959, 821, 854);                    | Application,
                     | TFTP, NFS, SNMP (RFC 783, 1094)                           | Presentation,
                     |                                                           | Session
Transport            | Transmission Control Protocol (TCP) RFC 793;              | Transport
                     | User Datagram Protocol (UDP) RFC 768                      |
Internet             | Address Resolution Protocol (ARP) RFC 826, 903;           | Network
                     | Internet Protocol (IP) RFC 791;                           |
                     | Internet Control Message Protocol (ICMP) RFC 792          |
Network Interface    | Network Interface Cards: Ethernet, Token Ring             | Data Link
                     | (RFC 894, RFC 1024)                                       |
Transmission         | Twisted Pair, Coax, Fiber, Wireless, etc.                 | Physical

Network Interface

The first layer of the DARPA model is the Network Interface Layer; it links the local host to the local network hardware. This loosely maps to the Physical and Data Link layers of the OSI reference model. The Network Interface Layer makes the physical connection to the network, be it wireless, Ethernet cables, or Token Ring cables (an IBM legacy protocol). In each case a frame is generated with data from the upper layers.

The Internet Layer transfers the packets between systems (or hosts). A host, in this definition, can be a client, server, or a peer in a peer-to-peer transfer. Each packet will contain address information relating to the source and destination of the packet.

The Transport Layer is responsible for providing communication between applications residing on different hosts. This can also be called the host-to-host layer. Depending on the application, the Transport Layer will provide one of two types of service: a reliable service (TCP) or an unreliable service (UDP). In a reliable service the receiving station acknowledges the receipt of a datagram. The unreliable service does not provide a mechanism to acknowledge packets.

The top layer of the DARPA model is the Application Layer. This is where actual applications like Trivial File Transfer Protocol and Telnet reside.

Note

TFTP and Telnet

Trivial File Transfer Protocol (TFTP) is a simplified form of FTP. TFTP uses UDP and provides no security features. It is often used by servers to boot diskless workstations, X-terminals, and routers. Telnet is a terminal emulation program for TCP/IP networks such as the Internet. The Telnet program runs on your computer and connects your PC to a server on the network. You can then enter commands through the Telnet program and they will be executed as if you were entering them directly on the server console. This enables you to control the server and communicate with other servers on the network. To start a Telnet session, you must log in to a server by entering a valid username and password. Telnet is a common way to control web servers remotely.

Packets

So we have seen a network packet and where it lives in the TCP/IP model. Next let's look at the IP packet. The IP packet is how the TCP packet finds the computer it is destined for. The Internet Protocol is defined in RFC 791 (http://info.internet.isi.edu:80/in-notes/rfc/files/rfc791.txt). IP provides the most basic level of service in the Internet; it is the basis upon which the other protocols stand, and it provides the protocols above it with a basic service model. IP is similar to a postal service (like the one that delivers your bills). Using an address scheme, a packet is routed from a source to a destination, much like a letter addressed to a street address. IP does not promise a perfect network connectivity service, hence it is known as a Best Effort Service. If you send a postal message from your house, you rely on this best effort, believing that your message will arrive at its destination. Without special handling you will not know whether the letter (like your utility bill) has been delivered to its intended destination.

Packet Routing

Once the packet has been created, it is routed from a source system to a target system:

In this example, the Laptop computer is sending an IP packet to the Server. The Source IP Address is 10.10.10.11 and the Target address is 10.10.10.12. Using these two addresses, the server now knows how to respond to the Laptop computer. This address scheme is how computers talk to each other on the Internet or any IP network. So back to our postal analogy: the IP address is much like the address on the letter, or the address of your house. The letter (packet) is dropped into the postal box and it is sent via a network of postal employees, with one finally dropping the letter at your house or mailbox. In this example we have delivered a message to your house. But how do we know which person should be receiving the message? This same question, and its solution, also presents itself in networking. TCP rides in the network packet after the IP packet. The TCP packet contains information about the application. Although IP routes packets through the Internet using the destination address, more information is needed to identify which application on the destination host should receive the data once it arrives. This is accomplished via ports.

TCP Ports

Both sending and receiving applications are assigned port numbers to send and receive data. A port number is a small integer; coupled with the source and destination IP addresses, the source and destination port numbers identify which application is associated with any given data transfer. As mentioned before, the IP address is like the addressing scheme of a postal service. Once the Postal Service delivers the letter to your house, further addressing on the letter (the recipient's name, which appears above the destination address) determines who actually gets the letter. This is where TCP helps out. The TCP port addresses (source and target) provide a mechanism to direct data to a specific application. Once the IP packet arrives at the host, the port determines which application receives the data. The port addressing scheme uses 2 bytes of data to determine how to deliver the message. With 2 bytes (16 bits) of data you can have up to 65,000 different ports per IP address—that is, 65,000 different recipients per IP Address.

Port numbers are divided into three ranges:

  • Well Known Ports: 0 through 1023

  • Registered Ports: 1024 through 49151

  • Dynamic and/or Private Ports: 49152 through 65535

To ensure consistency across networks, the Internet Assigned Numbers Authority (IANA: http://www.iana.org/) assigns specific port numbers to popular applications. These port numbers are known as well-known port numbers and are de facto standards. For that reason, you can expect SMTP mail service to always be available on port 25, NNTP news service to be on port 119, HTTP to be served on port 80, HTTPS encrypted web traffic to be sent on port 443, Telnet to be available via port 23, and so on. For more information on well-known port assignments please consult http://www.iana.org/assignments/port-numbers.

The use of ports is actually a very simple process. In the TCP world there is a listener (which listens for communications sent to a specific port number) and an initiator (which establishes communication to a specific address and port number). One example would be a client and a server. The server would be the listener, for example on port 80 for an HTTP web server. The client, in this example, would use a random port to communicate out to the server's port 80. The random port used by the client is known as an ephemeral port number. Ephemeral ports are temporary ports assigned by a machine's TCP/IP stack, and are assigned from a pre-determined range of ports. When the TCP connection terminates, the client's use of the ephemeral port ends and the port becomes available for reuse.
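The packet layout described in the Packet Routing and TCP Ports sections above, worked through as an added example (this code is not from the book): a constructed IPv4 header followed by a TCP header, the Laptop 10.10.10.11 on an ephemeral port sending to the Server 10.10.10.12 on port 80. Parsing it recovers the source/destination address and port tuple that tells the receiving host which application gets the data, and each port is classified into the three IANA ranges listed above. The port value 51234 and the sequence/identification values are made-up sample data.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample packet (not captured traffic): 20-byte IPv4 header followed
# by a 20-byte TCP header, a SYN from the Laptop 10.10.10.11 (ephemeral port
# 51234) to the Server 10.10.10.12 (HTTP, port 80). Checksums are left zero.
IP_HEADER = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0, 40,            # version 4 / IHL 5 words, TOS, total length 40
    0x1234, 0x4000,         # identification, flags (DF) + fragment offset
    64, 6, 0,               # TTL, protocol 6 = TCP, header checksum (unset)
    IPv4Address("10.10.10.11").packed, IPv4Address("10.10.10.12").packed)
TCP_HEADER = struct.pack(
    "!HHIIBBHHH",
    51234, 80,              # source port (ephemeral), destination port (HTTP)
    1000, 0,                # sequence number, acknowledgement number
    0x50, 0x02,             # data offset 5 words, flags = SYN
    65535, 0, 0)            # window, checksum (unset), urgent pointer
SAMPLE_PACKET = IP_HEADER + TCP_HEADER

def port_range(port):
    """Classify a port into the three IANA ranges listed above."""
    if not 0 <= port <= 65535:
        raise ValueError("a port number must fit in 16 bits")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def parse_ip_tcp(packet):
    """Return (src_ip, src_port, dst_ip, dst_port): the tuple that tells the
    destination host which application the data is for."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    if packet[9] != 6:
        raise ValueError("IP payload is not TCP (protocol %d)" % packet[9])
    if len(packet) < ihl + 4:
        raise ValueError("truncated: TCP ports not present")
    src_ip = str(IPv4Address(packet[12:16]))  # IP addresses: which "house"
    dst_ip = str(IPv4Address(packet[16:20]))
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])  # which "recipient"
    return src_ip, src_port, dst_ip, dst_port

if __name__ == "__main__":
    src_ip, sport, dst_ip, dport = parse_ip_tcp(SAMPLE_PACKET)
    print(f"{src_ip}:{sport} ({port_range(sport)}) -> {dst_ip}:{dport} ({port_range(dport)})")
```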
