TCP/IP from a Security
Standpoint
CS-480b
Dick Steflik
TCP/IP Guru-ism
You don’t have to know all of the
details
• You do need to know your system
What services it is providing
What protocols are involved
What vulnerabilities it has
• How to minimize the risks
Why TCP/IP ?
Packet based
Provides decentralized control
Devices are peers
It’s routable
Independent of transmission medium
Open standard
Free
Robust
Flexible
Pragmatic
Physical Layer
Three major categories based on connection
behavior
• Dial-up
temporary point-to-point
• WAN and MAN
permanent point-to-point
• LAN
two or more devices communicating over a shared
broadcast medium
Dial-up
Dial-up (and modems)
• Temporarily connected point-to-point
• uses telephone infrastructure
audio frequency modems
• vulnerabilities
Cannot provide physical security along entire
communications path
• Cables are usually run through public infrastructure
making physical security almost impossible
Peel back the insulation on the wire and connect
alligator clips
• Telephone connection panel in basements of buildings
Easy to just clip on to the connections
Punch panels
Screw terminal connections
WAN and MAN
WAN and MAN
• Constantly connected point-to-point
• uses telephone backbone, microwave, radio, fiber optic
• dedicated digital leased lines
specially conditioned telephone lines (guaranteed quality)
• 56 Kbps - 9.95 Gbps
DS0 - 56/64 Kbps (a single voice-grade channel)
T1 - 1.544 Mbps
T2 - 6.312 Mbps
T3 - 44.736 Mbps
OC1 - 51.84 Mbps
OC48 - 2488 Mbps
OC192 - 9.95 Gbps
CSU/DSU - Channel Service Unit / Data Service Unit (the device that
terminates the leased line on the customer side)
can be routed like a layer 3 protocol
WAN and MAN (more)
Vulnerabilities
• Because much of the distance is covered by radio and microwave links,
interception by a third party is fairly easy (especially for radio);
laser (free-space optical) links are harder to intercept but are less
reliable overall because of environmental conditions
Remedy
• Encrypt the data before placing it on an unsecured link such as
radio, microwave or laser
LAN
Two or more network devices communicating
over a shared broadcast medium
• local area, shared communications medium
Ethernet, Token-ring, FDDI
Vulnerabilities
• Because the medium is shared, every frame is physically delivered to
every station on the segment; only the NIC’s address filter discards
frames not addressed to it, and a NIC in promiscuous mode receives
everything (see Media Access Subversion below)
Remedy
• Encrypt the data before placing it on the shared medium; switched
Ethernet reduces (but does not eliminate) what a single station can see
Dial-up
Temporary connections
• Established as needed
• Cannot provide physical security along entire
communications path
Cables are usually run through public infrastructure making
physical security almost impossible
• Peel back the insulation on the wire and connect alligator clips
Telephone connection panel in basements of buildings
• Easy to just clip on to the connections
Punch panels
Screw terminal connections
Modems
Convert low speed digital signals to audio or
phase encoded signals for transmission through
the public access telephone system.
Most consumer modems work over
unconditioned analog lines on the public access
telephone system
Vulnerabilities
• Because of the public access, hard to secure against
physical tampering
Tap on with another modem and listen as the data goes by
Remedy
• Encrypt data on the computer side of the sending and
receiving modems
ISDN
Integrated Services Digital Network
a system of digital phone connections that allows data to
be transmitted simultaneously across the world using end-to-end digital connectivity.
• Available for > 10 years
• Data is sent digitally, unlike modems
• Uses a Terminal Adapter rather than a modem
Must be within 18,000 ft. of telco facilities
• > 18,000 ft. requires expensive repeaters
• 16 or 64 kbps per channel depending on channel type (a BRI line
carries two 64 kbps B channels and one 16 kbps D channel)
Vulnerabilities
• Same as modems, physical security
Remedy
• encryption
Data Link Layer
IEEE 802 splits the OSI Data Link Layer into 2 sublayers
• Media Access Control (MAC) Sublayer
Translates generic network requests into device specific
terms
• Logical Link Control (LLC) Sublayer
Provides the operating system link to the device driver
Media Access Control
This is the actual device driver that controls the
NIC
• Reporting of and setting of device status
• Packaging of outgoing data from the LLC layer
• Sending of outgoing data
• Receiving of incoming data
• Unpacking of incoming data, error checking and passing
data to LLC layer
MAC addresses are burned into the NIC and
should be globally unique (manufacturers get their address
blocks from the IEEE)
• But they are of local scope to the LAN: LAN protocols like
ethernet and token-ring have no provisions to pass frames
from one LAN to another, so a LAN should always see
unique MAC addresses
• Most operating systems let software override the burned-in
address, so a duplicate or spoofed MAC address on a LAN is
a sign worth investigating
Ethernet
Framing
• 6 byte Destination address (MAC address)
• 6 byte Source address (MAC address)
• 2 byte type (of packet in payload)
0800 – IP Datagram (46-1500 bytes)
0806 – ARP packet (28 bytes data + 18 bytes of padding)
8035 – RARP packet (28 bytes + 18 bytes of padding)
• 4 byte CRC
Remember, the ethernet header always stays local to the
LAN; it’s the IP datagram inside that is routed from LAN
to LAN and across the Internet, while ARP and RARP
packets never leave the local LAN
PPP
Designed to support multiple network types over
the same serial link
Supersedes SLIP (Serial Line Internet Protocol)
Framing
• 5 byte header
7E FF 03 (constant: flag, address, control)
2 byte protocol (type) field
• 0021 – IP Datagram
• C021 – Link Control Protocol (LCP) packet
• 8021 – IP Control Protocol (IPCP) network control data
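The PPP framing above, carried through in code as an added example (not from the lecture): it builds and decodes a frame with the 7E FF 03 header and the 2-byte protocol field from the slide, and adds the two receiver-side details from RFC 1662 that the slide leaves out, the byte stuffing that keeps 7E/7D out of the payload and the 16-bit FCS that must be checked before the protocol field is trusted. It assumes the uncompressed 2-byte protocol field shown on the slide and the default escaping of all control characters; the sample IP payload is constructed.

```python
"""PPP frame encoder/decoder using HDLC-like framing (RFC 1662).

Added example, not the lecture's code: assumes the uncompressed 2-byte
protocol field from the slide and the default ACCM (escape all bytes < 0x20).
"""

FLAG, ADDRESS, CONTROL, ESCAPE = 0x7E, 0xFF, 0x03, 0x7D
PROTOCOLS = {0x0021: "IP", 0xC021: "LCP", 0x8021: "IPCP"}  # values from the slide
FCS_INIT, FCS_GOOD = 0xFFFF, 0xF0B8                       # RFC 1662 constants


def _make_fcs_table():
    """Reflected CRC-16 table for polynomial 0x8408 (x^16 + x^12 + x^5 + 1)."""
    table = []
    for byte in range(256):
        value = byte
        for _ in range(8):
            value = (value >> 1) ^ 0x8408 if value & 1 else value >> 1
        table.append(value)
    return table


_FCS_TABLE = _make_fcs_table()


def _fcs_update(fcs, data):
    for byte in data:
        fcs = (fcs >> 8) ^ _FCS_TABLE[(fcs ^ byte) & 0xFF]
    return fcs


def ppp_fcs16(data):
    """FCS-16 as transmitted: run the CRC from 0xFFFF, then complement it."""
    return _fcs_update(FCS_INIT, data) ^ 0xFFFF


def _stuff(raw):
    """Escape flag, escape and control bytes so they cannot be mistaken for framing."""
    out = bytearray()
    for byte in raw:
        if byte in (FLAG, ESCAPE) or byte < 0x20:
            out += bytes([ESCAPE, byte ^ 0x20])
        else:
            out.append(byte)
    return bytes(out)


def _unstuff(stuffed):
    out = bytearray()
    it = iter(stuffed)
    for byte in it:
        if byte == ESCAPE:
            nxt = next(it, None)
            if nxt is None:
                raise ValueError("truncated escape sequence")
            out.append(nxt ^ 0x20)
        else:
            out.append(byte)
    return bytes(out)


def encode_ppp_frame(protocol, payload):
    """FLAG | stuffed(ADDRESS CONTROL protocol payload FCS) | FLAG."""
    body = bytes([ADDRESS, CONTROL]) + protocol.to_bytes(2, "big") + payload
    fcs = ppp_fcs16(body)
    body += bytes([fcs & 0xFF, fcs >> 8])      # FCS goes on the wire LSB first
    return bytes([FLAG]) + _stuff(body) + bytes([FLAG])


def decode_ppp_frame(wire):
    """Return (protocol, payload); raise ValueError on any framing or FCS error."""
    if len(wire) < 2 or wire[0] != FLAG or wire[-1] != FLAG:
        raise ValueError("missing flag bytes")
    body = _unstuff(wire[1:-1])
    if len(body) < 6 or body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("bad address/control field")
    # Running the CRC over data + FCS together leaves the magic residue 0xF0B8.
    if _fcs_update(FCS_INIT, body) != FCS_GOOD:
        raise ValueError("FCS mismatch: frame corrupted or tampered with")
    protocol = int.from_bytes(body[2:4], "big")
    return protocol, body[4:-2]


def protocol_name(protocol):
    return PROTOCOLS.get(protocol, f"unknown 0x{protocol:04X}")


if __name__ == "__main__":
    # Constructed sample: the first four bytes of an IPv4 header.
    frame = encode_ppp_frame(0x0021, b"\x45\x00\x00\x1c")
    proto, data = decode_ppp_frame(frame)
    print(frame.hex(), protocol_name(proto), data.hex())
```

The FCS check is the security-relevant step: a receiver that reads the protocol field before validating the FCS will hand garbage, or a deliberately corrupted frame, to the wrong protocol handler. The FCS here is a CRC, so it detects line noise, not an attacker who recomputes it; that is why the slides keep pointing at encryption above the link.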
Link Establishment Subversion
A hacker can use call forwarding to forward an
incoming call to the hacker’s own phone number
Since Windows supports other network protocols
(NetBEUI, IPX, IP over PPP), the hacker can then
attempt to use one of those protocols to break
into the calling machine
Dial-up connections via cell phones can be
hijacked right out of the air with a proper
receiver
• Harder to do with digital cell phones
Media Access Subversion
It is up to the MAC to reject all but the packets
destined for that machine; a hacker can put their
NIC into promiscuous mode and receive all
packets on the LAN
• Many device drivers of the time did not support this mode, so
a new device driver had to be introduced; modern operating
systems support it directly (packet-capture tools rely on it)
It’s a good idea every once in a while to scan
all of the machines on your network looking for
any that might be running
promiscuously
• Find out why they are running in promiscuous mode
Fix it
Logical Link Control
OS control of the Device Driver
• Multiple instances of driver for multiple NICs
• Multiple device drivers for different kinds of devices
• Windows – NDIS
• UNIX – character mode device specification