Securing Network Services

Securing Network Services
1
How TCP Works
Sets up a connection between a port on the source host and a port on the destination host
Each connection consists of a sequence of numbered packets, each carrying source (port, address), destination (port, address) and flags
– First packet – SYN (synchronize sequence numbers)
– Response packet – SYN & ACK
– Thereafter – ACK
– Last packets – FIN & ACK (each side sends its own FIN, which the other side acknowledges)
Ports are associated with services:
– 21 – FTP
– 25 – SMTP (e-mail)
– 80 – HTTP
– many many more
Based on client-server model
2
How UDP works
Unreliable (best-effort) delivery of datagrams between systems – no acknowledgement, no retransmission, no ordering
Ports for UDP services
– Port 123 – Network Time (NTP)
– Port 53 – DNS
– Port 69 – TFTP
– Port 514 – Syslog
– Port 517 – Talk
Based on stateless exchange of datagrams: there is no connection, so a single packet with a forged source address reaches the service
3
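The two slides above describe the packet formats and the SYN / SYN-ACK / ACK ... FIN sequence in words. The following is an added example, not part of the original slides: it decodes the fixed TCP and UDP headers from raw bytes, maps destination ports to the services the slides list, and walks one connection through its phases so that a segment which does not fit (an ACK with no preceding handshake, the kind a stateful filter should reject) stands out. The sample segments are constructed inline with zero checksums; the port numbers and payload are made up for the demonstration.

```python
import struct

# TCP flag bits in the low byte of the data-offset/flags field (RFC 793)
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# Well-known ports from the two slides above, keyed by (protocol, destination port)
SERVICES = {("tcp", 21): "ftp", ("tcp", 25): "smtp", ("tcp", 80): "http",
            ("udp", 53): "dns", ("udp", 69): "tftp", ("udp", 123): "ntp",
            ("udp", 514): "syslog", ("udp", 517): "talk"}


def parse_tcp(segment):
    """Decode the fixed 20-byte TCP header; options (if any) are skipped via the data offset."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4          # data offset is counted in 32-bit words
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad TCP data offset")
    flags = [name for bit, name in TCP_FLAGS.items() if off_flags & bit]
    return {"proto": "tcp", "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "payload": segment[hlen:]}


def parse_udp(datagram):
    """Decode the 8-byte UDP header and trust its length field only if it fits the buffer."""
    if len(datagram) < 8:
        raise ValueError("short UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length")
    return {"proto": "udp", "sport": sport, "dport": dport, "payload": datagram[8:length]}


def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    """Construct a minimal TCP segment (no options, zero checksum) for the sample below."""
    bits = sum(bit for bit, name in TCP_FLAGS.items() if name in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, 65535, 0, 0) + payload


def build_udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def service_name(pkt):
    return SERVICES.get((pkt["proto"], pkt["dport"]))


def track_tcp(segments):
    """Follow one connection through the slide's SYN / SYN-ACK / ACK ... FIN sequence.

    Returns the state after each segment; a segment that does not fit the
    current state (e.g. an ACK with no preceding handshake) yields 'invalid'.
    """
    state, fins, phases = "closed", 0, []
    for seg in segments:
        f = set(seg["flags"])
        if "RST" in f:
            state = "reset"
        elif state == "closed" and f == {"SYN"}:
            state = "syn_sent"
        elif state == "syn_sent" and f == {"SYN", "ACK"}:
            state = "syn_received"
        elif state == "syn_received" and "ACK" in f and "SYN" not in f:
            state = "established"
        elif state in ("established", "closing") and "FIN" in f:
            fins += 1                     # each side sends its own FIN
            state = "closing" if fins == 1 else "last_ack"
        elif state == "last_ack" and "ACK" in f:
            state = "closed"
        elif state in ("established", "closing") and "ACK" in f:
            pass                          # data or acknowledgements in flight
        else:
            state = "invalid"
        phases.append(state)
    return phases


# Constructed sample: a client on port 40000 fetches one page from the HTTP port
CLIENT, SERVER = 40000, 80
SAMPLE_CONNECTION = [parse_tcp(s) for s in (
    build_tcp(CLIENT, SERVER, 1000, 0, ["SYN"]),
    build_tcp(SERVER, CLIENT, 5000, 1001, ["SYN", "ACK"]),
    build_tcp(CLIENT, SERVER, 1001, 5001, ["ACK"]),
    build_tcp(CLIENT, SERVER, 1001, 5001, ["PSH", "ACK"], b"GET / HTTP/1.0\r\n\r\n"),
    build_tcp(CLIENT, SERVER, 1019, 5001, ["FIN", "ACK"]),
    build_tcp(SERVER, CLIENT, 5001, 1020, ["ACK"]),
    build_tcp(SERVER, CLIENT, 5001, 1020, ["FIN", "ACK"]),
    build_tcp(CLIENT, SERVER, 1020, 5002, ["ACK"]),
)]

if __name__ == "__main__":
    print(service_name(SAMPLE_CONNECTION[0]), track_tcp(SAMPLE_CONNECTION))
    print(service_name(parse_udp(build_udp(5353, 53, b"\x12\x34"))))
```

The length checks are the part worth copying: a parser that believes the data offset or the UDP length field without comparing it to the buffer it actually holds is how a malformed packet turns into an out-of-bounds read in a sniffer or a filter.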
Application Services
Domain Name Service (DNS) – TCP/UDP (port 53)
– Replaced the centrally distributed hosts file (/etc/hosts survives only for local overrides)
– Tree-structured query system
– Replies – either an answer or a referral to a server closer to the queried domain
Mail – SMTP, TCP (port 25)
FTP – file transfer protocol – TCP (port 21 control, port 20 data)
HTTP – World Wide Web – TCP (port 80)
4
TCP/IP Services
Many have security risks
– Ways into your computers
– Information about your computers and your users
Can block them all (paranoid approach)
More often – keep some, block others
Blocking method – firewalls
5
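"Keep some, block others" is a default-deny policy with a short allow-list, and it only works if the filter remembers which flows it has already admitted. The following is an added example, not from the slides: a small stateful filter that offers SMTP, HTTP and DNS to the outside, lets inside hosts open connections out, admits only the replies to flows it has seen, and drops an inside address that arrives on the external interface. The network 192.0.2.0/24, the addresses and the traffic are constructed for the demonstration.

```python
import ipaddress
from collections import namedtuple

# One packet as the filter sees it; iface is the interface it arrived on ("ext" or "int")
Packet = namedtuple("Packet", "proto src sport dst dport flags iface")


class StatefulFilter:
    """Default-deny filter: offer a few services to the outside, track flows, block the rest."""

    def __init__(self, local_net, inbound_services):
        self.local_net = ipaddress.ip_network(local_net)
        self.inbound_services = set(inbound_services)   # (proto, port) pairs we choose to keep
        self.flows = set()                               # 5-tuples of accepted flows
        self.log = []

    @staticmethod
    def _flow(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        from_inside = ipaddress.ip_address(p.src) in self.local_net
        if from_inside and p.iface == "ext":
            verdict = "DROP spoofed"                     # internal address arriving from outside
        elif self._flow(p) in self.flows or self._reverse(p) in self.flows:
            verdict = "ACCEPT established"               # reply or continuation of a known flow
        elif from_inside:
            verdict = "ACCEPT outbound"                  # inside hosts may open connections out
        elif p.proto == "tcp" and (p.proto, p.dport) in self.inbound_services \
                and "SYN" in p.flags and "ACK" not in p.flags:
            verdict = "ACCEPT new"                       # only a fresh SYN may open an inbound flow
        elif p.proto == "udp" and (p.proto, p.dport) in self.inbound_services:
            verdict = "ACCEPT new"
        else:
            verdict = "DROP"
        if verdict.startswith("ACCEPT"):
            self.flows.add(self._flow(p))
        else:
            self.log.append(f"{verdict} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {'/'.join(p.flags)}")
        return verdict


def run_sample():
    """Constructed traffic against a site that keeps SMTP, HTTP and DNS and blocks everything else."""
    fw = StatefulFilter("192.0.2.0/24", {("tcp", 25), ("tcp", 80), ("udp", 53)})
    traffic = [
        Packet("tcp", "198.51.100.7", 51000, "192.0.2.10", 80, ("SYN",), "ext"),        # new HTTP connection
        Packet("tcp", "192.0.2.10", 80, "198.51.100.7", 51000, ("SYN", "ACK"), "int"),   # server's reply
        Packet("tcp", "198.51.100.7", 51001, "192.0.2.10", 23, ("SYN",), "ext"),        # telnet: not offered
        Packet("tcp", "198.51.100.7", 51002, "192.0.2.10", 80, ("ACK",), "ext"),        # ACK without handshake
        Packet("udp", "198.51.100.7", 40000, "192.0.2.10", 53, (), "ext"),              # DNS query
        Packet("udp", "198.51.100.7", 40001, "192.0.2.10", 69, (), "ext"),              # TFTP: not offered
        Packet("tcp", "192.0.2.20", 45000, "203.0.113.5", 443, ("SYN",), "int"),        # outbound HTTPS
        Packet("tcp", "203.0.113.5", 443, "192.0.2.20", 45000, ("SYN", "ACK"), "ext"),  # its reply
        Packet("tcp", "192.0.2.99", 1023, "192.0.2.10", 23, ("SYN",), "ext"),           # forged inside address
    ]
    return [fw.decide(p) for p in traffic], fw.log


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

A real packet filter also expires flow entries and checks the interface for every rule, not only the spoofing case; without a timeout the flow table above grows without bound, which is itself a denial-of-service target.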
General Points
Will discuss a variety of services with security implications
– Not a full list of internet services
– Not a full list of security problems
Administrators need to understand the implications before offering a service
– CERT advisories
– Configuration options
– Prudent attitude
6
User Education
• Suspicious network behavior
• Suspicious user behavior
• Who to contact
• When to contact
• Exercises
7
Web
WWW: World Wide Web
– System for automated information exchange
– Allows rapid access to flexibly-presented information
– Well over 50% of Internet traffic
Presentation Options:
– Formatted hypertext
– Bitmap graphics
– Program execution (CGI scripts, applets, etc.)
– Audio
– Movies
– Many more
8
WWW Threats
• Exploitation of server or script bugs
• Disclosure of unauthorized information
• Interception of confidential information
• Content or code loaded onto the web client by a rogue server
• Dependence on licensed software
9
WWW Risky Options
• Server-side includes
• Sending email from the server
• Accessing Perl on the server
• Spawning sub-processes
• Calling scripts outside of controlled directories
• Mixing HTTP and anonymous FTP (a writable FTP area served over HTTP lets anyone plant content or scripts)
10
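Several of the risky options above reduce to one pattern: a request parameter names a program, and the server runs it through a shell from wherever the path points. The following is an added example, not from the slides, that puts the naive dispatcher's command string beside a hardened resolver which allow-lists names, confines them to the CGI directory (following symlinks), refuses scripts writable by others, and runs the script without a shell, with a scrubbed environment and a timeout. The directory, the script named report and the allow-list are constructed for the demonstration; the interpreter is named explicitly so the demo does not depend on the exec bit of a temporary directory.

```python
import re
import subprocess
import sys
import tempfile
from pathlib import Path


def vulnerable_command(cgi_dir, name):
    """BEFORE: the request parameter is pasted into a command the handler would hand to os.system().

    Traversal ("../../bin/sh") and shell metacharacters ("report; cat /etc/passwd")
    both succeed. Returned as a string here so it can be inspected; never execute it.
    """
    return f"{cgi_dir}/{name}"


SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_script(cgi_dir, name, allowlist):
    """Hardened: only named, allow-listed scripts directly inside cgi_dir, not writable by others."""
    if not SAFE_NAME.fullmatch(name) or name not in allowlist:
        raise PermissionError(f"script not permitted: {name!r}")
    root = Path(cgi_dir).resolve()
    target = (root / name).resolve()    # resolve() follows symlinks, so a link out of root fails below
    if target.parent != root or not target.is_file():
        raise PermissionError(f"script outside controlled directory: {name!r}")
    if target.stat().st_mode & 0o022:
        raise PermissionError(f"script writable by group/other: {name!r}")
    return target


def is_permitted(cgi_dir, name, allowlist):
    try:
        resolve_script(cgi_dir, name, allowlist)
        return True
    except PermissionError:
        return False


def run_script(cgi_dir, name, allowlist, query_string):
    """Run with no shell, a minimal environment and a timeout; the query reaches the script only via CGI variables."""
    target = resolve_script(cgi_dir, name, allowlist)
    env = {"PATH": "/usr/bin:/bin", "REQUEST_METHOD": "GET", "QUERY_STRING": query_string}
    proc = subprocess.run([sys.executable, str(target)], env=env, capture_output=True, timeout=5)
    return proc.stdout.decode()


def demo():
    """Constructed scenario: one allow-listed script in a temporary cgi-bin directory."""
    with tempfile.TemporaryDirectory() as d:
        script = Path(d) / "report"
        script.write_text('import os\nprint("report for", os.environ["QUERY_STRING"])\n')
        script.chmod(0o755)
        allow = {"report"}
        return {
            "ok": run_script(d, "report", allow, "user=alice").strip(),
            "traversal": is_permitted(d, "../../bin/sh", allow),
            "injection": is_permitted(d, "report; cat /etc/passwd", allow),
            "unlisted": is_permitted(d, "status", allow),
        }


if __name__ == "__main__":
    print(vulnerable_command("/var/www/cgi-bin", "report; cat /etc/passwd"))
    print(demo())
```

The allow-list does the real work; the path and permission checks are defence in depth for the day someone adds a symlink or a group-writable file to the CGI directory.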
WWW Access Control
• Configure scripts to be readable and executable only by the server
• Use prudent access to exported files
• Don't use per-directory access files (.htaccess and the like); keep access rules in the server configuration
• Use certified public keys (client certificates) for access
• Use server-side passwords for access
11
WWW Privacy
Network-side:
– Link encryption
– Document encryption
– Secure Socket Layer (SSL)
– Secure HTTP (S-HTTP)
– All subject to limitations on encryption
Log files:
– Restrict access
– Don't retain on the server machine
– Use syslogd (forward to a separate log host)
– Warn users about logging
12
Web Browsers
• Executing code from the net
• Trusting vendors / Licensing
• Dependence on third parties
13
RPC
Remote Procedure Call
a) Calling program calls client code and waits
b) Client code bundles parameters into a message to the server (XDR – external data representation)
c) Server executes the call with the supplied data, returning the result in a message to the client code
d) Client code returns the result to the calling program
Requires:
– Client knowing the server
– Client & server agreeing on how to communicate (portmapper maps RPC program numbers to ports)
Authentication:
– Auth_none – live fast, die young (no identity at all)
– Auth_UNIX – UID/GID authentication: the client asserts its own UID and GIDs and the server trusts them
– Auth_DES – secret/public key authentication (Diffie-Hellman key exchange, DES encryption)
– Auth_KERB – Kerberos authentication
14
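What "trust client" means for Auth_UNIX is easiest to see in the bytes. The following is an added example, not from the slides: it encodes and decodes the opaque_auth structure of RFC 5531 (AUTH_SYS, the flavor the slide calls Auth_UNIX) in XDR, then shows the only thing a server can conclude from it, which is whatever UID the client chose to write. The stamp, hostname and IDs are constructed; root squashing to 65534 is the usual NFS mitigation and is included as the check a practitioner would want.

```python
import struct

AUTH_NONE, AUTH_SYS = 0, 1   # flavor numbers from RFC 5531; AUTH_SYS is the slide's Auth_UNIX


def xdr_uint(n):
    return struct.pack(">I", n)


def xdr_opaque(b):
    """Variable-length opaque/string: 4-byte length, data, zero padding to a 4-byte boundary."""
    return xdr_uint(len(b)) + b + b"\0" * (-len(b) % 4)


def encode_auth_sys(stamp, machinename, uid, gid, gids):
    """authsys_parms { stamp; machinename<255>; uid; gid; gids<16>; } wrapped in opaque_auth."""
    body = (xdr_uint(stamp) + xdr_opaque(machinename.encode())
            + xdr_uint(uid) + xdr_uint(gid)
            + xdr_uint(len(gids)) + b"".join(xdr_uint(g) for g in gids))
    return xdr_uint(AUTH_SYS) + xdr_opaque(body)


def encode_auth_none():
    return xdr_uint(AUTH_NONE) + xdr_opaque(b"")


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def uint(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated XDR integer")
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def opaque(self):
        n = self.uint()
        b = self.data[self.pos:self.pos + n]
        if len(b) != n:
            raise ValueError("truncated XDR opaque")
        self.pos += n + (-n % 4)          # skip the data and its padding
        return b


def decode_opaque_auth(data):
    r = _Reader(data)
    flavor, body = r.uint(), r.opaque()
    if flavor == AUTH_NONE:
        return {"flavor": "AUTH_NONE"}
    if flavor != AUTH_SYS:
        return {"flavor": flavor, "body": body}
    b = _Reader(body)
    stamp, machine, uid, gid = b.uint(), b.opaque().decode(), b.uint(), b.uint()
    ngids = b.uint()
    if ngids > 16:
        raise ValueError("too many gids")   # the <16> bound in the XDR definition
    return {"flavor": "AUTH_SYS", "stamp": stamp, "machinename": machine,
            "uid": uid, "gid": gid, "gids": [b.uint() for _ in range(ngids)]}


def server_identity(cred_bytes, root_squash=True):
    """What an AUTH_SYS server can conclude: exactly what the client asserted, nothing more."""
    cred = decode_opaque_auth(cred_bytes)
    if cred["flavor"] != "AUTH_SYS":
        return None                         # AUTH_NONE: anonymous caller
    uid, gid = cred["uid"], cred["gid"]
    if root_squash and uid == 0:
        uid, gid = 65534, 65534             # map a remote "root" to nobody
    return uid, gid


if __name__ == "__main__":
    honest = encode_auth_sys(1, "ws1", 1000, 100, [100, 27])
    forged = encode_auth_sys(1, "ws1", 0, 0, [])    # any client can write uid 0 here
    print(decode_opaque_auth(honest))
    print(server_identity(forged), server_identity(forged, root_squash=False))
```

Nothing in the credential is bound to the sender: no signature, no secret, no timestamp the server can check. That is why the slide's other flavors exist, and why an AUTH_SYS export should at least squash root and be restricted to known hosts.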
Kerberos
Produced for MIT Project Athena
Authenticates:
• User to client and server
• Client to server
• Server to client
Centralized and stateless
• Long-term keys derived from user passwords are stored on the central server, effectively in the clear: that server is a single point of compromise
• Passwords are never transmitted across the network
15
Kerberos Protocols
Login:
– User enters username and password
– Client sends username and the current time encrypted with the password-derived key (pre-authentication)
– Server decrypts the timestamp and verifies it is fresh, proving the user knows the password
– Returns a session key encrypted with the user's key, plus a ticket-granting ticket the client cannot read
Service Request:
– Client sends the ticket-granting ticket plus an authenticator (username and current time) encrypted with the session key to the ticket-granting server
– TGS responds with the identity of the server and an encrypted ticket, all encrypted with the session key
– Client passes the encrypted ticket to the server together with an authenticator (username, client address and current time) encrypted with the new session key
16
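The two Kerberos slides describe three exchanges (login, ticket request, service request) in words. The following is an added example, not from the slides or from any Kerberos implementation, that runs all three with both sides' messages in one process: the central server holds only password-derived keys, the password never leaves the client, the TGT is opaque to the client, the application server never contacts the KDC, and each authenticator carries a timestamp checked against a skew window. The authenticated encryption is a toy built from SHA-256 and HMAC standing in for the DES or AES modes real Kerberos uses; the string-to-key function, the principal names alice, krbtgt and nfs/fileserver, the password and the ticket lifetimes are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300          # seconds of clock skew tolerated, as in real deployments


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def seal(key, obj):
    """Toy authenticated encryption (SHA-256 keystream + HMAC); stands in for Kerberos' cipher modes."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(password):
    return hashlib.sha256(password.encode()).digest()   # toy string-to-key (real Kerberos salts and iterates)


# The central server's database: one long-term key per principal. The user key is derived
# from the password; the password itself never leaves the client.
KDC_DB = {"alice": password_key("correct horse"),
          "krbtgt": os.urandom(32),              # key the TGS uses to seal ticket-granting tickets
          "nfs/fileserver": os.urandom(32)}      # service key, also held by the file server (its keytab)
SERVICE_KEYTAB = {"nfs/fileserver": KDC_DB["nfs/fileserver"]}


def _fresh(ts):
    return abs(time.time() - ts) <= MAX_SKEW


def as_exchange(user, preauth):
    """Login: decrypt the client's timestamp with the user's key, then issue session key + TGT."""
    key = KDC_DB[user]
    if not _fresh(unseal(key, preauth)["ts"]):
        raise ValueError("stale pre-authentication timestamp")
    sk = os.urandom(32).hex()
    tgt = seal(KDC_DB["krbtgt"], {"client": user, "sk": sk, "exp": time.time() + 8 * 3600})
    return seal(key, {"sk": sk, "tgt": tgt.hex()})


def tgs_exchange(tgt_blob, authenticator, service):
    """Service request: validate TGT + authenticator, issue a service ticket under the service's key."""
    tgt = unseal(KDC_DB["krbtgt"], tgt_blob)
    if time.time() > tgt["exp"]:
        raise ValueError("expired TGT")
    auth = unseal(bytes.fromhex(tgt["sk"]), authenticator)
    if auth["client"] != tgt["client"] or not _fresh(auth["ts"]):
        raise ValueError("bad authenticator")
    svc_sk = os.urandom(32).hex()
    ticket = seal(KDC_DB[service], {"client": tgt["client"], "sk": svc_sk, "exp": time.time() + 3600})
    return seal(bytes.fromhex(tgt["sk"]), {"service": service, "sk": svc_sk, "ticket": ticket.hex()})


def service_accept(service, ticket_blob, authenticator):
    """The application server never talks to the KDC: its own key decrypts the ticket."""
    ticket = unseal(SERVICE_KEYTAB[service], ticket_blob)
    auth = unseal(bytes.fromhex(ticket["sk"]), authenticator)
    if time.time() > ticket["exp"] or auth["client"] != ticket["client"] or not _fresh(auth["ts"]):
        raise ValueError("ticket/authenticator mismatch")
    return ticket["client"]


def client_session(user, password, service):
    """Client side of all three exchanges; returns the name the service authenticated."""
    key = password_key(password)
    rep = unseal(key, as_exchange(user, seal(key, {"ts": time.time()})))
    sk = bytes.fromhex(rep["sk"])
    tgs_rep = unseal(sk, tgs_exchange(bytes.fromhex(rep["tgt"]),
                                      seal(sk, {"client": user, "ts": time.time()}), service))
    svc_sk = bytes.fromhex(tgs_rep["sk"])
    return service_accept(service, bytes.fromhex(tgs_rep["ticket"]),
                          seal(svc_sk, {"client": user, "ts": time.time()}))


def login_ok(user, password, service="nfs/fileserver"):
    try:
        return client_session(user, password, service) == user
    except ValueError:
        return False


if __name__ == "__main__":
    print(client_session("alice", "correct horse", "nfs/fileserver"), login_ok("alice", "wrong"))
```

Two things the code makes concrete that the slides only state: the KDC's database of long-term keys is what an attacker wants, since with it every ticket can be forged, and the timestamp checks are the only replay protection, so hosts whose clocks drift beyond the skew window cannot authenticate at all.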