
Thread: Some questions about TCP/IP

  1. #1

    Some questions about TCP/IP

    Newbie questions about tcp/ip :

    Hi, I read some things about TCP/IP, packets, etc., and I have some questions:

    The first 3 questions are "linked" together:

    1 - If I'm behind a router, how is it possible for somebody to reach me? I understand that my MAC address is in the header when I initiate a connection, but how about when somebody wants to initiate a connection with a particular computer behind a router? Is it impossible?

    2 - Another question... If somebody wants to hack somebody else who is behind a router, how can he know that there is more than 1 computer at this IP address? (Is that something to do with broadcasting?) Because there will be only 1 IP address for the router, right? And even if he knows that there are 3 computers (or whatever), how can he hack into one particular computer? Let's say I open a port (honeypot); how is it possible that somebody will find it?

    3 - Let's say I've got 3 computers on my router, and one of them is running an HTML server (Apache, IIS, whatever)... Should I use port forwarding or something like that? Is that how someone could hack into a network: hack a computer (hacking the server running, for example, an old version of Apache) and have access to all the computers on this network?


    Finally, I'll probably build a little network here, with 4-5 old computers to test things about security. I already have a DSL router with 2 computers and an XBOX (what? :P) on it. What should I do? Can I add another router to this router? How will this work with DHCP (will the new router get an automatic IP with DHCP from the 1st router)? And what will happen to my computers that are behind the second router (which is connected to the 1st router, which is connected to the internet)? Will they be able to get on the net? And will they be able to talk to the computers which are on the 1st router?

    A drawing maybe? :P

    Code:
        internet -> 1st router (IP: static) --+--- Computer 1 (IP: obtained with DHCP)
                                               +--- XBOX (DHCP)
                                               +--- Computer 2 (DHCP)
                                               +--- 2nd router (DHCP ??) --+--- Comp. 4
                                                                           +--- Comp. 5
    Wow my graph is almost working.. :|

    (Well, there is the internet, my DSL modem, a DSL router, and some computers. And I would add one router to the first router and some computers to the 2nd router.)

    So, as I understood it, the 2nd router will get 2 IP addresses: one when you are on the 1st network, and another one when you are on the 2nd network. And since the 1st router is using DHCP, will I have to configure my computers and the 2nd router using static IPs? And how will computers 4 and 5 know how to get on the net or to communicate with computer 1, for example? I read something about routing tables, and my router seems to have some configuration - dynamic routing and static routing... What's the difference?
    (By the way, I've got a DSL syslink router.)

    4 - So finally my question is: Will I have to turn off DHCP if I plug another router into my first router and use the dynamic and static routing tables? And what is the difference between the static and dynamic tables?

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    Hi xicepik,

    You have put a lot of effort into formulating your question(s). Reading over your post a third time,
    it seems to me that if you understood routing better, the bulk of your question(s) would be answered.
    Once you grok routing, the rest involves getting to know a little about how firewalls work and how to
    build one, a bit on basic network services, and a dash of style here and there.

    Listed below are the RFCs you _need_ to read to understand more about how packets are routed. For
    each routing protocol I have listed the original RFC and the modern updated standard; I recommend that
    you read each of them.

    RIP (Routing Information Protocol):
    RFC 1058 Routing Information Protocol ftp://ftp.rfc-editor.org/in-notes/rfc1058.txt
    RFC 2453 RIP Version 2, Carrying Additional Information ftp://ftp.rfc-editor.org/in-notes/rfc2453.txt

    OSPF (Open Shortest Path First):
    RFC 1131 Open Shortest Path First ftp://ftp.rfc-editor.org/in-notes/rfc1131.pdf
    RFC 2328 OSPF Version 2 ftp://ftp.rfc-editor.org/in-notes/rfc2328.txt

    BGP (Border Gateway Protocol):
    RFC 1105 Border Gateway Protocol ftp://ftp.rfc-editor.org/in-notes/rfc1105.txt
    RFC 1267 BGP-3 ftp://ftp.rfc-editor.org/in-notes/rfc1267.txt


    Since you seem interested in DHCP, it wouldn't hurt to read its RFC either...
    RFC 1531 Dynamic Host Control Protocol ftp://ftp.rfc-editor.org/in-notes/rfc1531.txt

    I also recommend that you have a look at the firewall-wizards mailing list (http://list.nfr.com/mailman/listinfo/firewall-wizards)
    which is an outstanding resource, and maintains a searchable archive.

    Also, read 'Building Internet Firewalls' by Elizabeth D. Zwicky ( I highly recommend that all Unix
    folks google her name, she has godlike Unix kung-fu), Simon Cooper, and D. Brent Chapman,
    Oreilly & Associates ISBN 1-56592-871-7.

    If you have more questions, or need some clarification please ask.

    Best of luck,

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/

  3. #3
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177

    Re: Some questions about TCP/IP

    Originally posted here by xicepik
    2- Another question... If somebody wants to hack somebody else who is behind a router, how can he know that there is more than 1 computer at this IP adress? (is that something to do with broadcasting?) Because there will be only 1 ip address for the router, right? And even if he knows that there is 3 computers (or whatever), how can he hack in one particular computer ? Let's say I open a port (honeypot), how is that possible that somebody will find it?
    Haven't read all of this because I'm busy, but for this one: yes, with a ping sweep.

  4. #4
    Senior Member
    Join Date
    Sep 2003
    Posts
    161

    Re: Re: Some questions about TCP/IP

    Originally posted here by gore
    Haven't read all of this because I'm busy, but for this one: yes, with a ping sweep.
    I think he meant with NAT on the router. Anyway, if you have NAT installed on the router then it will be much more difficult to detect those PCs; if you have a firewall configured right then it is almost impossible.
    Anyway, just download Nmap from www.insecure.org and then run it as such:
    nmap -sP [ip_address]

    check man nmap for more details.

  5. #5
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    As for the questions, you need to read the RFCs and such, or get a good book about TCP/IP and how it works.

    1) Your MAC address is not in the header at the receiving end of the system; you will see only the last router's MAC address.

    2) Are you talking about NAT? A router will not make your network secure; you should use a combination of good administration, firewall, good policy, knowledge of the network, IDS, etc. to do that. It is a layered model, and no single tool is going to do everything.

    3) You should secure your network before thinking about honeypots, etc. If, however, one of your systems got compromised, say using a traversal IIS attack, then the attacker will just own that system. He could, however, use this system to exploit the trust relationship you have with other systems on the network, and he could also launch attacks from that PC to try and bypass firewalls, etc.

    BTW, you should not think about this for now, and in the topology diagram you will not need a second router.

    I would recommend you start reading some of the RFCs; they offer a wealth of information.
    also there is a good document called "TCP\IP: A Mammoth Description By Ankit Fadia ankit@bol.net.in"
    http://blacksun.box.sk/tcpip.txt


    good luck

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    but how about when somebody wants to initiate a connection with a particular computer behind a router
    In this case, say you were running a web server, you would tell the router to forward all connection requests on port 80 to the computer running the web server. But unless port forwarding is set up to forward connection requests, it becomes very difficult to initiate a connection with a computer behind a NAT router. When *you* initiate the connection, the NAT router then establishes a state between your computer and the computer you are connecting to, and forwards packets from that remote computer accordingly. However, when receiving traffic that is unexpected, the router will not know what to do with it. In some cases, this causes problems with P2P networks, instant messaging, and online gaming, to name a few. This is because these applications need incoming messages on ports or with protocols for which a connection state is not maintained (i.e. the router is not expecting information from these remote computers).

    So in short, Internet access behind a NAT router works most of the time, for most applications. But some more specialized applications will have problems with it due to the problems you mentioned in your question.

    Hope this helps.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!
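The state table and port-forwarding behaviour described in the post above, together with the reason the ping sweep suggested in posts #3 and #4 sees only the router's single address from outside, as an added example that is not part of the original thread. It is a toy Python model of a NAT router, not the firmware of any real product; the addresses are made up (documentation and private ranges chosen to match the drawing in the first post): WAN address 198.51.100.1, a LAN of 192.168.1.0/24 with a web server at 192.168.1.12, and a second router at 192.168.1.50 fronting 10.0.0.0/24. A real NAT also rewrites checksums, ages entries out, and tracks TCP flags; this model keeps only the mapping logic.

```python
"""Toy model of a NAT router's connection-state table (added example, not from the thread).

Assumed addresses: router 1 WAN 198.51.100.1, LAN 192.168.1.0/24, web server 192.168.1.12;
router 2 WAN 192.168.1.50 (as if obtained by DHCP from router 1), LAN 10.0.0.0/24.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_ip, lan_prefix, port_forwards=None):
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix              # e.g. "192.168.1." (a /24, for simplicity)
        self.port_forwards = port_forwards or {}  # wan_port -> (lan_ip, lan_port), static rules
        self.state = {}                           # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self._ports = itertools.count(40000)      # public ports handed out to outbound flows

    def is_lan(self, ip):
        return ip.startswith(self.lan_prefix)

    def forward(self, pkt):
        """Translate one packet; return the rewritten Packet, or None if the router drops it."""
        if self.is_lan(pkt.src_ip) and not self.is_lan(pkt.dst_ip):
            return self._outbound(pkt)
        if pkt.dst_ip == self.wan_ip:
            return self._inbound(pkt)
        return None   # LAN-to-LAN traffic is switched, never translated

    def _outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for wan_port, entry in self.state.items():
            if entry == key:                 # flow already known: reuse its public port
                break
        else:
            wan_port = next(self._ports)     # new flow: allocate a public port and remember it
            self.state[wan_port] = key
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def _inbound(self, pkt):
        entry = self.state.get(pkt.dst_port)
        if entry and entry[2:] == (pkt.src_ip, pkt.src_port):
            lan_ip, lan_port = entry[:2]     # reply to a flow a LAN host started: pass it in
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        if pkt.dst_port in self.port_forwards:   # unsolicited, but a static rule names a host
            lan_ip, lan_port = self.port_forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        return None   # unsolicited and unknown: no LAN host to hand it to, so it is dropped


def scan_from_outside(router, attacker_ip, ports):
    """What an outside port scan sees: {port: LAN host the probe reached, or None}."""
    seen = {}
    for port in ports:
        delivered = router.forward(Packet(attacker_ip, 55555, router.wan_ip, port))
        seen[port] = delivered.dst_ip if delivered else None
    return seen


def round_trip(routers, pkt):
    """Push pkt out through routers (innermost first), then bring the server's reply back.

    Returns the reply as it arrives at the original LAN host, or None if a router dropped it."""
    out = pkt
    for router in routers:
        out = router.forward(out)
        if out is None:
            return None
    reply = Packet(out.dst_ip, out.dst_port, out.src_ip, out.src_port)
    for router in reversed(routers):
        reply = router.forward(reply)
        if reply is None:
            return None
    return reply


if __name__ == "__main__":
    r1 = NatRouter("198.51.100.1", "192.168.1.", port_forwards={80: ("192.168.1.12", 80)})
    r2 = NatRouter("192.168.1.50", "10.0.0.")
    print("scan of router 1:", scan_from_outside(r1, "203.0.113.7", [22, 80, 443]))
    print("comp 4 -> web, reply:", round_trip([r2, r1], Packet("10.0.0.4", 51000, "203.0.113.9", 80)))
    print("comp 1 -> comp 4 unsolicited:", r2.forward(Packet("192.168.1.10", 40001, "192.168.1.50", 22)))
```

With no forwarding rule every probe from outside comes back `None`, which is why a sweep of the router's public address shows one host, not three. Adding the port 80 rule makes exactly that one LAN host reachable on exactly that port, which is also why a vulnerable web server behind a forward is the usual way in. The double-NAT case in the first post's drawing behaves the same way one level down: computer 4 can initiate to computer 1 (its packets leave the second router with the second router's address on them), but computer 1 cannot start a connection to computer 4 unless the second router forwards a port.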

  7. #7
    Hmm... I think I'll have to read about NAT. I don't know what it is... (sorry, I'm a newbie!)

    qod: I know that my router won't make my network secure. (By the way, I'm not in charge of any networks; I'm just studying security and networks for fun. For now I'm a programmer, but maybe in the long term I'll be a network admin, who knows.) I was just concerned about how a computer behind a router can initiate a conversation with a computer on the internet. Striek answered my question there; I'll just have to read about NAT. Anyway, I read some texts and books a little too advanced for my level, I think... I'm just trying to put some pieces together, but now I'm starting at the beginning: trying to understand TCP/IP! So I'll read the RFCs, and thank you for the links you provided (and thanks to spurious_inode too!)!

    For nmap, I tried it, but I'll have to understand what it's really doing.

  8. #8
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    Try getting a book called Network+, by David Groth, published by Sybex; that should give you a basic intro to networking, etc.


    btw: NAT stands for Network Address Translator.

  9. #9
    There are a lot of different Network+ books by David Groth at Amazon. Is that the "Network+ Study Guide"? There is the Deluxe edition; should I try this one?

  10. #10
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    I read the 2nd edition, but whichever is up to date is better.
