tcpip applications2.p+

TCP/IP Applications
• What you should be able to do: describe the major TCP/IP-based services and applications
• Describe the security risks involved in using these services
TCP/IP Applications
• SMTP
• NNTP
• SNMP
• Telnet
• FTP
• RPC, NIS, NFS
• R-Commands
• X-Windows
• WWW
Sendmail
• Most popular SMTP-based transport agent
• Configuration is difficult
• Threat: Several security bugs
- Mail Unix commands
- Internet worm
MIME
• Multimedia Internet Mail Extension
• Encapsulates multimedia documents
- sound, pictures, PostScript files
• Threat: PostScript escape to the system
Usenet News
• Usenet news: world-wide bulletin board
• Network News Transfer Protocol (NNTP)
• Similar to SMTP
• nntpd
• Authorization: accept connections only from known friendly neighbors
Network Management (SNMP)
• SNMP: Simple Network Management Protocol
• Uses UDP
• Architecture
- The snmpd agent
- Management Information Base (MIB)
• The network management station is the client
• Threats:
- Uses “community name” for authentication
• Default community name is “public”
• Community name is passed in the clear
- Do not expose to outside
• SNMP v2 provides authentication of parties and encryption of data
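The "community name passed in the clear" point above can be checked directly on the wire. The following is an added example, not part of the slides: a minimal BER decoder that reads just enough of an SNMPv1/v2c datagram to recover the version and community string, and flags the default names. The two datagrams are hand-encoded samples, not real captures; the default-name list and the message wording are my own choices.

```python
# Added example (not from the slides): pull the version and community string
# out of a raw SNMP datagram to show that SNMPv1/v2c "authentication" is a
# cleartext string, and flag the default "public"/"private" names.
# An SNMP message is BER-encoded ASN.1:
#   SEQUENCE { INTEGER version, OCTET STRING community, PDU }
# Only the outer SEQUENCE and its first two fields are decoded here.

DEFAULT_COMMUNITIES = {"public", "private"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER tag-length-value at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(payload):
    """Return (version, community) from an SNMPv1 (0) or SNMPv2c (1) UDP payload."""
    tag, body, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return int.from_bytes(version, "big"), community.decode("ascii", "replace")


def audit_snmp(payload):
    """One-line finding for a captured SNMP datagram (e.g. from a UDP/161 capture)."""
    version, community = parse_snmp_header(payload)
    name = {0: "v1", 1: "v2c"}.get(version, f"version {version}")
    if community in DEFAULT_COMMUNITIES:
        return f"SNMP{name}: default community '{community}' in use"
    return f"SNMP{name}: community '{community}' sent in cleartext"


# Constructed samples (hand-encoded, not real captures): a GetRequest with an
# empty variable-binding list, once as SNMPv1/"public", once as SNMPv2c/"s3cret".
SAMPLE_V1_PUBLIC = bytes.fromhex(
    "3018"                        # SEQUENCE, 24 bytes
    "020100"                      # INTEGER version = 0 (SNMPv1)
    "0406" "7075626c6963"         # OCTET STRING "public"
    "a00b"                        # GetRequest-PDU, 11 bytes
    "020101" "020100" "020100"    # request-id = 1, error-status = 0, error-index = 0
    "3000"                        # empty VarBindList
)
SAMPLE_V2C_SECRET = bytes.fromhex(
    "3018" "020101" "0406" "733363726574"
    "a00b" "020101" "020100" "020100" "3000"
)

if __name__ == "__main__":
    for datagram in (SAMPLE_V1_PUBLIC, SAMPLE_V2C_SECRET):
        print(audit_snmp(datagram))
```

Because the community string sits in the first few bytes of every SNMPv1/v2c message, the same parser works as a passive check on a packet capture: anything it returns was readable by every host on the path.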
Remote Login (Telnet)
• Telnet: terminal access to a remote host
• telnetd calls login to authenticate the user
• Threat: everything (including the password) is passed in the clear
• Solutions
- Encrypted telnet: encrypts the session data; not standard yet
- One-time passwords
Trivial File Transfer Protocol (TFTP)
• Trivial FTP
• UDP-based
• Boots X-terminals, diskless workstations
• Threat: no authentication at all
• tftpd restricts access to “/usr/local/boot”
- if not: get “/etc/password”
• Don’t run tftp if you don’t need it
File Transfer Protocol (FTP)
• Internet standard for file transfer
• User must log in (password sent in the clear)
• Requires 2 channels
- Control channel to the remote host
- Separate data channel set up by the server
• Data connection request is initiated from outside: allow incoming TCP connections?
• Better solution: PASV mode
- Server creates a random port and sends it to the client
- Data connection is established by the client
- Must be supported by the vendor
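The two-channel problem and the PASV fix are easiest to see in the actual control-channel messages. The following is an added example, not taken from the slides: it encodes and decodes the PORT command (active mode, server calls back to the client) and the 227 PASV reply (passive mode, client calls out to the server), then asks whether a client-side filter that refuses unsolicited inbound connections would let the data channel through. The addresses and ports are constructed from the RFC 5737 documentation ranges.

```python
# Added example (not from the slides): how the FTP data channel is set up in
# active (PORT) versus passive (PASV) mode, and why only PASV works behind a
# firewall that refuses inbound connections. Addresses are constructed
# (RFC 5737 documentation ranges), not taken from the slides.
import re

PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode_hostport(six):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2), the FTP endpoint encoding."""
    h = list(map(int, six))
    if any(x > 255 for x in h):
        raise ValueError("octet out of range")
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]


def parse_pasv_reply(line):
    """Server's 227 reply -> (host, port) the CLIENT must connect to for data."""
    m = PASV_REPLY.match(line)
    if not m:
        raise ValueError("not a 227 PASV reply")
    return _decode_hostport(m.groups())


def build_port_command(client_ip, client_port):
    """Active mode: the client tells the server which client endpoint to call back."""
    octets = client_ip.split(".")
    return "PORT " + ",".join(octets + [str(client_port >> 8), str(client_port & 0xFF)])


def parse_port_command(line):
    """Client's PORT command -> (host, port) the SERVER will connect back to."""
    m = PORT_CMD.match(line)
    if not m:
        raise ValueError("not a PORT command")
    return _decode_hostport(m.groups())


def data_connection(mode, exchange):
    """Who opens the data connection: (initiator, target_host, target_port)."""
    if mode == "active":
        host, port = parse_port_command(exchange)   # server connects back to client
        return ("server", host, port)
    if mode == "passive":
        host, port = parse_pasv_reply(exchange)     # client connects out to server
        return ("client", host, port)
    raise ValueError("mode must be 'active' or 'passive'")


def client_firewall_permits(conn, allow_inbound=False):
    """A client-side packet filter that blocks unsolicited inbound TCP connections
    lets the data channel through only when the client is the initiator."""
    initiator, _, _ = conn
    return initiator == "client" or allow_inbound


if __name__ == "__main__":
    client = "192.0.2.10"
    port_cmd = build_port_command(client, 50000)
    pasv = "227 Entering Passive Mode (198,51,100,21,195,80)."
    for mode, exchange in (("active", port_cmd), ("passive", pasv)):
        conn = data_connection(mode, exchange)
        verdict = "permitted" if client_firewall_permits(conn) else "blocked"
        print(f"{mode:8} {conn} -> {verdict}")
```

The port arithmetic (p1*256 + p2) is the same in both directions; what differs is only which side sends the SYN, and that is exactly what a filter rule on "established connections" keys on.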
Remote Procedure Calls (RPC)
• RPC message header includes
- Program and procedure number
- Sequence number to match queries with replies
- Authentication area (easy to forge!): null, user ID and group ID, or name of the calling machine
• Portmapper
- Provides clients with the port number for a service on the server
- Provides a call to unregister a service
- Provides info on the services that it is running
- May forward the client call directly to the server carrying the portmapper's own address, masking the source of the call!
• Recommendation: block RPC calls from outside
• Caution: NFS, NIS are based on RPC
NFS, NIS
• NIS, yellow pages (yp)
- Most dangerous RPC application
- Weak authentication (domain name)
- Distributes data (password file, hosts table)
- Do not run on an exposed machine
- Secure (encrypted) RPC
• Network File System (NFS)
- Based on RPC
- Threat: lots of security problems
- “showmount -e host.domain” shows all exported file systems
• Do not run on an exposed machine
Remote Command Execution
• rlogin, rsh, rcp, rexec
• rlogin to a remote machine succeeds if authentication is done as follows
- Call comes from a reserved port
- Calling machine and user are listed in /etc/hosts.equiv or $HOME/.rhosts
- Caller's name corresponds to its IP address
• Very weak authentication scheme
- A reserved port on PCs doesn’t make any security sense
- The above files can be read through a number of ways, such as ftp, uucp, etc.
• One subverted machine opens the door to many others
X11 Systems
• User's terminal is the server, which controls the interaction devices
• Applications connect to the server and talk to the user just by knowing the server’s address
• Exposure: passwords can be read remotely
• Threat: X11 servers use port 6000, thus X11 servers on the Internet can be probed
The World Wide Web
• WWW (W3, the Web): most popular information service
- Others: archie, gopher, veronica
• CERN project on distributed hypermedia
• Hypertext-based information service
- Text points to other documents
- may be on other hosts
• Interactive, GUI, multimedia (pictures, sound, video)
• Browsers: Mosaic, Netscape, IE
• Companies on the net
- Produce information
- Software patches
- Commercial transactions
HTTP and HTML
• HTTP: HyperText Transport Protocol
• HTTPD: WWW server process
• HTML: HyperText Markup Language
- Standard scripting language for hypermedia documents
• Hyperlink in document
- points to other server
• URL (Uniform Resource Locator)
- specifies an object on the internet
- http://www.company.com/dir/home-page.html
- ftp://ftp.site.edu/path/file
WWW Security
• Data-driven attacks
• HTML may include “scripts” (Java)
• Secure HTTP
- Uses cryptography
- SHTTP
- SSL (secure sockets layer)
• Secure e-commerce
Firewall Components
• What you should be able to do
• Describe the following:
• Packet filters
• Proxy servers
• Socks servers
Objectives
• Describe the purposes of
- Packet filter
- Proxy Server
- Socks Server
Firewall Security Policy
• A firewall is not a host or a router, but a systematic approach to network security
• A firewall implements a security policy in terms of:
- network configuration
- hosts
- routers
- other security measures (one-time passwords)
Firewalls Implement Policies
• Interface policy: allow or disallow direct routing between secure networks and the Internet
• Internal policy: allow some or all protocols for some or all users
• External policy: allow some, all or no protocols from some or all Internet sources
• Security guidelines define the network configuration and application services
• Network configuration and application services define end-user capabilities/constraints
Packet Filtering
• Forward/drop packets based on IP information
• Typically implemented in a router (screening router)
• Each packet is filtered separately, no “context”
• Rules:
- Allow, deny forwarding of packets
- Matched in order, stops at first match
- Default rule: deny
- Wildcards for addresses, ports
- Vendor-specific syntax
Filtering Rules
• Rules based on hosts
- Only permit access to the mail host
• On direction
- Rules apply to a specific interface
- incoming, outgoing
• On protocol (TCP, UDP, ICMP, ...)
• On port/service
- Destination port only (most routers)
- Some services use random ports (RPC, portmapper)
• Established connections
- TCP handshake
- SYN and ACK fields
- A connection request has SYN set but not ACK
Filtering Guidelines
• Default: block everything
• Add the services you want to use explicitly
- Mail
- To the mail host only
• Filtering rules are complex
- Order dependent
- No testing facility
- Difficult to manage
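The three slides above (stateless per-packet rules, first match wins, default deny, filtering on direction, protocol, address, port and the ACK bit) can be put together in a few dozen lines. The following is an added example, not from the slides and not any vendor's syntax: a first-match filter with CIDR and port wildcards and an "established" qualifier, applied to a constructed "mail host only" policy. Addresses are from the RFC 5737 documentation ranges and the rule fields are my own naming.

```python
# Added example (not from the slides): a minimal first-match packet filter of
# the kind the slides describe. Rule syntax, the rule set and the packets are
# constructed for illustration; real routers use their own vendor syntax.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" (from the Internet) or "out" (to the Internet)
    proto: str           # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # TCP flag bits, only meaningful for proto == "tcp"
    ack: bool = False


def _port_ok(spec, port):
    """Port spec: '*' (any), '25' (exact) or '1024-65535' (range)."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = map(int, spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"      # CIDR wildcards for addresses
    sport: str = "*"
    dst: str = "0.0.0.0/0"
    dport: str = "*"
    established: bool = False   # match only TCP segments with ACK set, i.e. not a new SYN

    def matches(self, p):
        if self.direction not in ("*", p.direction):
            return False
        if self.proto not in ("*", p.proto):
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if not (_port_ok(self.sport, p.sport) and _port_ok(self.dport, p.dport)):
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def filter_packet(rules, packet):
    """First matching rule wins; no match means the implicit default: deny."""
    for index, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, index
    return "deny", None


# Constructed policy for a site whose only Internet-facing service is SMTP on
# the mail host 192.0.2.25 (RFC 5737 documentation addresses):
MAIL_HOST = "192.0.2.25/32"
RULES = [
    Rule("allow", "in", "tcp", dst=MAIL_HOST, dport="25"),                     # inbound mail
    Rule("allow", "out", "tcp", src=MAIL_HOST, sport="25", established=True),  # its replies
    Rule("allow", "out", "tcp", src=MAIL_HOST, dport="25"),                    # outbound mail
    Rule("allow", "in", "tcp", dst=MAIL_HOST, sport="25", established=True),   # replies to it
    Rule("deny"),                                                              # explicit catch-all
]

# Constructed traffic: each entry is one packet seen by the screening router.
SAMPLE_PACKETS = {
    "smtp to mail host":     Packet("in", "tcp", "198.51.100.7", 40000, "192.0.2.25", 25, syn=True),
    "telnet to mail host":   Packet("in", "tcp", "198.51.100.7", 40001, "192.0.2.25", 23, syn=True),
    "smtp to other host":    Packet("in", "tcp", "198.51.100.7", 40002, "192.0.2.9", 25, syn=True),
    "mail host reply":       Packet("out", "tcp", "192.0.2.25", 25, "198.51.100.7", 40000, ack=True),
    "new conn from port 25": Packet("out", "tcp", "192.0.2.25", 25, "198.51.100.7", 40003, syn=True),
}


def decide_all(rules=RULES, packets=SAMPLE_PACKETS):
    """Verdict per named packet, for the report printed below."""
    return {name: filter_packet(rules, p)[0] for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in decide_all().items():
        print(f"{name:24} {verdict}")
```

Two of the slide's warnings show up directly: moving the catch-all `deny` to the top silently blocks everything (order dependence), and the `established` qualifier is the only thing that stops a SYN sent from source port 25 from being accepted as return traffic.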
Proxy Server
• Mediates IP traffic between the protected internal network and the Internet
• Works at the application level
• Each proxy server understands its own application protocol
- Different proxy servers: telnet, WWW, FTP
- Also called an application gateway
Proxy Advantages
• Information hiding (host name, IP address)
• Authentication and logging
• Secure: a proxy for the service must exist
• Less complex filtering on the screening router
- allow only the application gateway
• Drawbacks
- Two-step process
- Modified client (sometimes)
• Sendmail as a proxy server
Socks Server
• Socks stands for “Internal Socket Service”
• Socks works on the TCP layer (less protocol processing than proxies)
• The sockd daemon runs on the firewall host and intercepts and redirects TCP/IP packets
• Clients tell sockd where to connect, which requires modified clients
• Socks can authenticate the users/clients (identd handshake)
- Protocol which allows the client host to ask a server whether a user ID is valid (RFC 1413)
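"Clients tell sockd where to connect" is a short binary exchange. The following is an added example, not from the slides: both halves of a SOCKS version 4 CONNECT (the 1990s protocol whose request carries a user ID that sockd can check against identd), with a constructed sockd policy that grants only outbound connections to permitted ports. It assumes the slides refer to this version of Socks; the policy, user name and addresses (RFC 5737 ranges) are my own, and no identd lookup is performed.

```python
# Added example (not from the slides): the SOCKS version 4 CONNECT exchange
# between a modified client and sockd. Wire format of SOCKS4: the request is
# VN=4, CD=1, DSTPORT (2 bytes), DSTIP (4 bytes), USERID, NUL; the reply is
# VN=0, CD=90 (granted) or 91 (rejected), DSTPORT, DSTIP. The USERID is the
# name sockd may compare against an identd answer (not done here).
# The policy and the addresses are constructed for illustration.
import ipaddress
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90
REPLY_REJECTED = 91


def build_connect_request(dst_ip, dst_port, userid):
    """Client side: 8-byte fixed header followed by USERID and a NUL terminator."""
    packed_ip = ipaddress.IPv4Address(dst_ip).packed
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, dst_port, packed_ip)
    return header + userid.encode("ascii") + b"\x00"


def parse_connect_request(buf):
    """sockd side: -> (dst_ip, dst_port, userid); raises on malformed input."""
    if len(buf) < 9 or buf[0] != SOCKS_VERSION or buf[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    _, _, port, packed_ip = struct.unpack("!BBH4s", buf[:8])
    nul = buf.find(b"\x00", 8)
    if nul < 0:
        raise ValueError("USERID not NUL-terminated")
    return str(ipaddress.IPv4Address(packed_ip)), port, buf[8:nul].decode("ascii")


def sockd_reply(request, allowed_ports, internal_net):
    """sockd decides: grant only connections from a named user, to a permitted
    port, and never back into the internal network through the firewall host."""
    dst_ip, dst_port, userid = parse_connect_request(request)
    outbound = ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(internal_net)
    granted = bool(userid) and outbound and dst_port in allowed_ports
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", 0, code, dst_port, ipaddress.IPv4Address(dst_ip).packed)


def parse_reply(buf):
    """Client side: True if sockd granted the connection."""
    vn, cd, _, _ = struct.unpack("!BBH4s", buf[:8])
    if vn != 0:
        raise ValueError("bad SOCKS4 reply version")
    return cd == REPLY_GRANTED


# Constructed site policy: internal users may reach web servers (80, 443) only,
# and the internal network is 192.0.2.0/24.
POLICY_PORTS = {80, 443}
INTERNAL_NET = "192.0.2.0/24"


def try_connect(dst_ip, dst_port, userid="alice"):
    """Run both halves of the exchange in-process and return sockd's verdict."""
    request = build_connect_request(dst_ip, dst_port, userid)
    return parse_reply(sockd_reply(request, POLICY_PORTS, INTERNAL_NET))


if __name__ == "__main__":
    print(try_connect("198.51.100.80", 80))    # granted
    print(try_connect("198.51.100.23", 23))    # rejected: telnet is not permitted
    print(try_connect("192.0.2.5", 80))        # rejected: destination is inside the firewall
```

Since sockd sees the destination before any connection is made, the permission check ("a permission for the service must exist" on the next slide) happens on this request, and the user ID in it is what the identd handshake would confirm.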
Socks Advantages
• Information hiding (host name, IP address)
• Authentication and logging
• Secure: a permission for the service must exist
• Less complex filtering on the screening router
• Better performance than a proxy server
• Drawback: modified client
Screening Router
• Most IP routers also implement packet filtering
• Filtering rules are complex
• Not very safe
• If compromised: whole network is exposed
Bastion Host
• Bastion: highly-fortified host, “has strong walls”
• Only visible machine exposed to the outside
• Only exposed host: should be well protected
• No user accounts
• A bastion host may be single-homed or dual-homed
Dual-homed Gateway
• Two network interfaces
• No IP forwarding
• Simple but not very secure
Screened Host
• Consists of a screening router and a bastion host (functioning as an application gateway) using proxies or socks
• Very flexible
Screened Subnet (DMZ)
• Separate network with 2 screening routers: one connects to the internal network and the other to the Internet
• More complex
• The 2 routers should not allow any direct IP traffic through the DMZ
• No internal system is allowed direct connections to the Internet (socks or proxies only), and no internal system is reachable from the Internet
A New Set of Problems
• DNS: domain names are sensitive information
- Run two DNS servers (“split DNS”)
• E-mail reconfigured
• Client applications reconfigured
• UDP
- No established connections for returned data
- Temporary hole
• FTP PASV mode
Firewall Solutions?
• Many factors
• Cost
• Corporate policy
• Existing networks
• International / global
• Politics