TCP/IP Applications
• What you should be able to do
  - Describe the major TCP/IP-based services and applications
  - Describe the security risks involved in using these services

TCP/IP Applications
• SMTP
• NNTP
• SNMP
• Telnet
• FTP
• RPC, NIS, NFS
• R-commands
• X Windows
• WWW

Sendmail
• Most popular SMTP-based transport agent
• Configuration is difficult
• Threat: several security bugs
  - Mail Unix commands
  - Internet worm

MIME
• Multipurpose Internet Mail Extensions
• Encapsulates multimedia documents: sound, pictures, PostScript files
• Threat: PostScript escape to the system

Usenet News
• Usenet news: world-wide bulletin board
• Network News Transfer Protocol (NNTP)
• Similar to SMTP
• nntpd
• Authorization: accept connections only from known, friendly neighbors

Network Management (SNMP)
• SNMP: Simple Network Management Protocol
• Uses UDP
• Architecture
  - The snmpd agent
  - Management Information Base (MIB)
• The network management station is the client
• Threats:
  - Uses a "community name" for authentication
    • Default community name is "public"
    • Community name is passed in the clear
  - Do not expose to the outside
• SNMP v2 provides authentication of parties and encryption of data

Remote Login (Telnet)
• Telnet: terminal access to a remote host
• telnetd calls login to authenticate the user
• Threat: everything (including the password) is passed in the clear
• Solutions
  - Encrypted telnet: uses encryption for the data; not standard yet
  - One-time passwords

Trivial File Transfer Protocol (TFTP)
• Trivial FTP
• UDP-based
• Boots X terminals and diskless workstations
• Threat: no authentication at all
• tftpd restricts access to "/usr/local/boot"
  - If not: anyone can get "/etc/passwd"
• Don't run tftp if you don't need it

File Transfer Protocol (FTP)
• Internet standard for file transfer
• User must log in (password sent in the clear)
• Requires 2 channels
  - Control channel to the remote host
  - Separate data channel set up by the server
• Request initiated from outside
• Allow incoming TCP connections?
• Better solution: PASV mode
  - Server creates a random port and sends it to the client
  - Data connection is established by the client
  - Must be supported by the vendor

Remote Procedure Calls (RPC)
• RPC message header includes
  - Program and procedure number
  - Sequence number to match queries with replies
  - Authentication area: easy to forge! Null user ID, group ID, name of the calling machine
• Portmapper
  - Provides clients with the port number for a service on the server
  - Provides a call to unregister a service
  - Provides info on the services it is running
  - May forward the client call directly to the server carrying the portmapper's own address, masking the source of the call!
• Recommendation: block RPC calls from outside
• Caution: NFS and NIS are based on RPC

NFS, NIS
• NIS, Yellow Pages (yp): the most dangerous RPC application
  - Weak authentication (domain name)
  - Distributes data (password file, hosts table)
  - Do not run on an exposed machine
  - Secure (encrypted) RPC
• Network File System
  - Based on RPC
  - Threat: lots of security problems
  - "showmount -e host.domain" shows all exported file systems
  - Do not run on an exposed machine

Remote Command Execution
• rlogin, rsh, rcp, rexec
• rlogin to a remote machine if authentication is done as follows:
  - Call from a reserved port
  - Calling machine and user listed in /etc/hosts.equiv or $HOME/.rhosts
  - Caller's name corresponds to its IP address
• Very weak authentication scheme
  - A reserved port on PCs doesn't make any security sense
  - The above files can be read in a number of ways, such as ftp, uucp, etc.
• One subverted machine opens the door to many others

X11 Systems
• The user's terminal is the server, which controls the interaction devices
• Applications connect to the server and talk to the user just by knowing the server's address
• Exposure: passwords can be read remotely
• Threat: X11 servers use port 6000, thus X11 servers on the Internet can be probed

The World Wide Web
• WWW (W3, the Web): the most popular information service
  - Others: archie, gopher, veronica
• CERN project on distributed hypermedia
• Hypertext-based information service
  - Text points to other documents, which may be on other hosts
• Interactive, GUI, multimedia (pictures, sound, video)
• Browsers: Mosaic, Netscape, IE
• Companies on the net
  - Produce information
  - Software patches
  - Commercial transactions

HTTP and HTML
• HTTP: HyperText Transfer Protocol
• httpd: WWW server process
• HTML: HyperText Markup Language
  - Standard language for describing hypermedia documents
• A hyperlink in a document points to another server
• URL (Uniform Resource Locator): specifies an object on the Internet
  - http://www.company.com/dir/home-page.html
  - ftp://ftp.site.edu/path/file

WWW Security
• Data-driven attacks
• HTML may include "scripts" (Java)
• Secure HTTP
  - Uses cryptography
  - S-HTTP
  - SSL (Secure Sockets Layer)
• Secure e-commerce

Firewall Components
• What you should be able to do
  - Describe the following: packet filters, proxy servers, socks servers

Objectives
• Describe the purposes of
  - Packet filter
  - Proxy server
  - Socks server

Firewall Security Policy
• A firewall is not a host or a router, but a systematic approach to network security
• A firewall implements a security policy in terms of:
  - Network configuration
  - Hosts
  - Routers
  - Other security measures (one-time passwords)

Firewalls Implement Policies
• Interface policy: allow or disallow direct routing between secure networks and the Internet
• Internal policy: allow some or all protocols for some or all users
• External policy: allow some, all or no protocols from some or all Internet sources
• Security guidelines define the network configuration and application services
• Network configuration and application services define end-user capabilities/constraints

Packet Filtering
• Forward/drop packets based on IP information
• Typically implemented in a router (screening router)
• Each packet is filtered separately, no "context"
• Rules:
  - Allow or deny forwarding of packets
  - Matched in order, stops at the first match
  - Default rule: deny
  - Wildcards for addresses, ports
  - Vendor-specific syntax

Filtering Rules
• Rules based on hosts
  - Only permit access to the mail host
• On direction
  - Rules apply to a specific interface: incoming, outgoing
• On protocol (TCP, UDP, ICMP, ...)
• On port/service
  - Destination port only (most routers)
  - Some services use random ports (RPC, portmapper)
• Established connections
  - TCP handshake: SYN and ACK fields
  - A connection request has SYN set but not ACK

Filtering Guidelines
• Default: block everything
• Add the services you want to use explicitly
  - Mail: to the mail host only
• Filtering rules are complex
  - Order dependent
  - No testing facility
  - Difficult to manage

Proxy Server
• Mediates IP traffic between the protected internal network and the Internet
• Works at the application level
• Each proxy server understands its own application protocol
  - Different proxy servers: telnet, WWW, FTP
  - Also called an application gateway

Proxy Advantages
• Information hiding (host name, IP address)
• Authentication and logging
• Secure: a proxy for the service must exist
• Less complex filtering on the screening router: allow only the application gateway
• Drawbacks
  - Two-step process
  - Modified client (sometimes)
• Sendmail as a proxy server

Socks Server
• Socks stands for "Internal Socket Service"
• Socks works at the TCP layer (less protocol processing than proxies)
• The sockd daemon runs on the firewall host and intercepts and redirects TCP/IP packets
• Clients tell sockd where to connect, which requires modified clients
• Socks can authenticate the users/clients (identd handshake)
  - Protocol which allows the client host to ask a server whether a user ID is valid (RFC 1413)

Socks Advantages
• Information hiding (host name, IP address)
• Authentication and logging
• Secure: a permission for the service must exist
• Less complex filtering on the screening router
• Better performance than a proxy server
• Drawback
  - Modified client

Screening Router
• Most IP routers also implement packet filtering
• Filtering rules are complex
• Not very safe
• If compromised: the whole network is exposed

Bastion Host
• Bastion: highly fortified host, "has strong walls"
• The only visible machine exposed to the outside
• Only exposed host: should be well protected
• No user accounts
• A bastion host may be single-homed or dual-homed

Dual-homed Gateway
• Two network interfaces
• No IP forwarding
• Simple but not very secure

Screened Host
• Consists of a screening router and a bastion host (functioning as an application gateway) using proxies or socks
• Very flexible

Screened Subnet (DMZ)
• Separate network with 2 screening routers: one connects to the internal network and the other to the Internet
• More complex
• The 2 routers should not allow any direct IP traffic through the DMZ
• No internal system is allowed direct connections to the Internet (socks or proxies only), and no internal system is reachable from the Internet

A New Set of Problems
• DNS: domain names are sensitive information
  - Run two DNS servers ("split DNS")
• E-mail reconfigured
• Client applications reconfigured
• UDP
  - No established connections for returned data
  - Temporary hole
• FTP PASV mode

Firewall Solutions?
• Many factors
• Cost
• Corporate policy
• Existing networks
• International: global politics
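The SNMP slides state that the community name is the only authentication and that it travels in the clear. The following is an added example, not part of the lecture: a minimal BER walker that reads the version and community name straight out of a raw SNMPv1 datagram (v2c uses the same message layout), exactly as a monitor on the wire could, plus a check that flags the default community "public". The packet bytes are constructed here by hand (a GetRequest for sysName.0), and the helper names are my own.

```python
# Added example: extract the SNMPv1 community name from a raw datagram and
# flag the default "public" community for a monitoring rule.

DEFAULT_COMMUNITY = "public"   # default named on the slide


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value at buf[pos]; return (tag, value, next_pos).
    Handles short-form and definite long-form lengths (no indefinite form)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def parse_snmp_community(datagram: bytes):
    """Return (version, community) from an SNMPv1/v2c message.

    Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }
    Nothing about the PDU needs to be decoded to recover the community name.
    """
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, version_bytes, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(version_bytes, "big", signed=True)
    tag, community_bytes, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    return version, community_bytes.decode("latin-1")


def audit_community(datagram: bytes) -> str:
    """Classify a captured SNMP datagram: the community is always readable,
    and the default one deserves an alert."""
    version, community = parse_snmp_community(datagram)
    label = f"SNMPv{version + 1}"           # version field 0 means SNMPv1
    if community == DEFAULT_COMMUNITY:
        return f"ALERT: default community '{community}' in use ({label})"
    return f"INFO: community '{community}' sent in the clear ({label})"


# Constructed sample datagram: SNMPv1 GetRequest for sysName.0 with community "public".
SAMPLE_GETREQUEST = bytes.fromhex(
    "30 26"                      # SEQUENCE, 38 bytes
    "02 01 00"                   # INTEGER version = 0 (SNMPv1)
    "04 06 7075626c6963"         # OCTET STRING community = "public"
    "a0 19"                      # GetRequest-PDU, 25 bytes
    "02 01 01"                   #   request-id = 1
    "02 01 00"                   #   error-status = 0
    "02 01 00"                   #   error-index = 0
    "30 0e 30 0c"                #   VarBindList { VarBind {
    "06 08 2b06010201010500"     #     OID 1.3.6.1.2.1.1.5.0 (sysName.0)
    "05 00"                      #     NULL value } }
)

if __name__ == "__main__":
    print(parse_snmp_community(SAMPLE_GETREQUEST))
    print(audit_community(SAMPLE_GETREQUEST))
```

The parser deliberately stops after the community string: the point of the slide is that an observer needs no key and no PDU decoding to learn the credential, which is why the lecture's advice is not to expose SNMP outside and to prefer the authenticated, encrypted v2 variant.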
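The FTP slides describe PASV mode: the server picks a random port, sends it to the client, and the client opens the data connection. As an added example (not from the lecture), here is the client-side parsing of the 227 reply, with the check a hardened client applies before connecting: the advertised address must be the host the control connection already talks to, and the port must not be a low, reserved one. The reply strings are constructed sample data and the function names are my own.

```python
# Added example: parse an FTP "227 Entering Passive Mode" reply and decide
# whether the client should open the data connection it advertises.
import re

# Constructed sample replies (not from the lecture)
PASV_REPLY_OK = "227 Entering Passive Mode (192,0,2,10,195,89)."
PASV_REPLY_MISMATCH = "227 Entering Passive Mode (198,51,100,7,195,89)."
PASV_REPLY_LOW_PORT = "227 Entering Passive Mode (192,0,2,10,0,21)."

# Six decimal numbers: h1,h2,h3,h4 are the address, p1,p2 the port (p1*256 + p2)
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply: str):
    """Return (host, port) advertised in a 227 PASV reply."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv_reply(reply: str, control_peer: str, min_port: int = 1024):
    """Client-side decision before connecting to the data port.

    Assumption (my hardening rule, not stated on the slides): the client only
    connects if the advertised host equals the control peer and the port is
    not a reserved one, since the reply is unauthenticated text from the server.
    Returns (ok, reason).
    """
    host, port = parse_pasv_reply(reply)
    if host != control_peer:
        return False, f"advertised host {host} differs from control peer {control_peer}"
    if port < min_port:
        return False, f"advertised port {port} is below {min_port}"
    return True, f"connect to {host}:{port}"


if __name__ == "__main__":
    for reply in (PASV_REPLY_OK, PASV_REPLY_MISMATCH, PASV_REPLY_LOW_PORT):
        print(check_pasv_reply(reply, "192.0.2.10"))
```

Because the client initiates the data connection, the firewall in front of the client only needs its ordinary outgoing rules; the "random port" the server chooses is the reason the slides list FTP PASV among the remaining problems for a server that sits behind a packet filter.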
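The Packet Filtering, Filtering Rules and Filtering Guidelines slides describe a stateless filter: rules matched in order, first match wins, default deny, wildcards for addresses and ports, and "established" meaning only that the ACK bit is set. The following is an added example, not from the lecture, that implements exactly those semantics and runs a constructed policy ("mail to the mail host only") over a few packets. It goes one step beyond the slides to show the "UDP temporary hole" from the final problems slide: the broad UDP rule needed to let replies back in also admits an unsolicited datagram of the same shape. Addresses, rules and packet values are all constructed.

```python
# Added example: a first-match, default-deny packet filter with an
# "established" test that can only look at the ACK flag (no connection state).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

ANY = "*"
PortSpec = Union[str, int, Tuple[int, int]]


@dataclass
class Packet:
    direction: str            # "in" (arriving from the Internet) or "out"
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    action: str               # "allow" or "deny"
    direction: str = ANY
    proto: str = ANY
    src: str = ANY            # CIDR prefix or "*" wildcard
    dst: str = ANY
    dport: PortSpec = ANY     # single port, (lo, hi) range or "*"
    established: bool = False # match only TCP segments with ACK set (reply traffic)

    def matches(self, p: Packet) -> bool:
        if self.direction != ANY and self.direction != p.direction:
            return False
        if self.proto != ANY and self.proto != p.proto:
            return False
        if self.src != ANY and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != ANY and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport != ANY:
            if p.dport is None:
                return False
            lo, hi = self.dport if isinstance(self.dport, tuple) else (self.dport, self.dport)
            if not lo <= p.dport <= hi:
                return False
        # No context between packets: "established" can only mean "ACK bit set",
        # which a forged segment can carry just as well as a genuine reply.
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Evaluate rules in order; first match wins; no match -> default deny."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


# Constructed policy: internal net 192.0.2.0/24, mail host 192.0.2.25.
INTERNAL = "192.0.2.0/24"
MAIL_HOST = "192.0.2.25/32"
BASE_RULES = [
    Rule("deny", "in", "tcp", src="203.0.113.0/24", dst=MAIL_HOST, dport=25),  # blocked source, listed first
    Rule("allow", "in", "tcp", dst=MAIL_HOST, dport=25),                       # SMTP to the mail host only
    Rule("allow", "in", "tcp", dst=INTERNAL, established=True),                # replies to connections opened inside
]
# UDP has no handshake to key on, so letting DNS answers back in needs a broad
# rule on high ports: the "temporary hole" named on the slides.
RULES_WITH_UDP_HOLE = BASE_RULES + [Rule("allow", "in", "udp", dst=INTERNAL, dport=(1024, 65535))]


def decisions():
    """Run constructed packets through both rule sets; returns (action, rule index)."""
    smtp_ok = Packet("in", "tcp", "198.51.100.9", "192.0.2.25", 25, syn=True)
    smtp_blocked = Packet("in", "tcp", "203.0.113.5", "192.0.2.25", 25, syn=True)
    smtp_other = Packet("in", "tcp", "198.51.100.9", "192.0.2.30", 25, syn=True)
    x11_probe = Packet("in", "tcp", "198.51.100.9", "192.0.2.30", 6000, syn=True)
    tcp_reply = Packet("in", "tcp", "198.51.100.9", "192.0.2.30", 40000, ack=True)
    dns_reply = Packet("in", "udp", "198.51.100.53", "192.0.2.30", 33000)
    udp_unsolicited = Packet("in", "udp", "198.51.100.9", "192.0.2.30", 33001)
    return {
        "smtp_to_mailhost": filter_packet(BASE_RULES, smtp_ok),
        "smtp_from_blocked_net": filter_packet(BASE_RULES, smtp_blocked),   # order matters
        "smtp_to_other_host": filter_packet(BASE_RULES, smtp_other),        # default deny
        "x11_probe": filter_packet(BASE_RULES, x11_probe),                  # default deny
        "tcp_reply": filter_packet(BASE_RULES, tcp_reply),                  # ACK set -> established
        "dns_reply_base": filter_packet(BASE_RULES, dns_reply),             # no UDP "established"
        "dns_reply_with_hole": filter_packet(RULES_WITH_UDP_HOLE, dns_reply),
        "udp_unsolicited_with_hole": filter_packet(RULES_WITH_UDP_HOLE, udp_unsolicited),
    }


if __name__ == "__main__":
    for name, result in decisions().items():
        print(f"{name:28s} -> {result}")
```

Swapping the first two rules would let the blocked network reach the mail host, which is the order dependence the guidelines slide warns about; and the last two results show why the lecture lists UDP as a remaining problem: the filter cannot tell a DNS answer from any other high-port datagram.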