Transcript FTP, Telnet, Sockets, Security

Class 12
CSCI 6433
Dave Roberts
1
Agenda
•
FTP
•
TELNET
•
SSH
•
Programming for the Internet
•
Internet Security
•
Summary
2
2
FTP
3
File Transfer Protocol FTP
FTP provides the ability to transfer files between
computers.
FTP uses two TCP connections between client and server:
•
control connection is maintained throughout the session,
used only for passing control information
•
data connection is established each time data is sent
from server to client or client to server
4
4
An FTP Session
5
5
TELNET
6
TELNET
•
Telnet provides a bidirectional, interactive text-oriented
facility using a virtual terminal connection.
•
User data is sent in-band with Telnet control
information
•
Telnet provides a command-line interface (usually, to an
operating system) on a remote host
Question: what transport protocol does Telnet use?
7
7
TELNET and Security
•
Original TELNET implementation had no security
•
Dialogues can be intercepted, including passwords
•
New protocol, SSH, provides features of TELNET along
with encryption of communications and authentication
•
Most TELNET installations are now being updated to
new security features; SSH is used instead
8
8
Secure Shell SSH
•
Cryptographic network protocol for secure data
communication, remote command-line login between two
networked computers.
•
Connects using a secure channel over an insecure
network
•
Server and client run SSH server and SSH client
•
Designed as replacement for TELNET
9
9
Programmed File Transfer
10
Program Use of TCP
•
Sockets available for programming are:
 Datagram sockets using UPD
 Stream sockets using TCP
 Raw sockets that use IP
•
Most applications use datagram or stream sockets
•
A socket is identified by:
•
Local socket address (IP address and port number)
•
For TCP only: Remote socket address (IP address and port number)
•
Socket pairs:
•
Socket pair is a 4-tuple of local and remote IP addresses, port numbers
 TCP: each socket pair has a socket number
 UDP: each socket pair has a socket number
•
How to implement API is left to each operating system
11
11
Windows Socket API
(Winsock)
•
Provides access to network services in Windows
environment
•
Uses TCP/IP
•
Based on Berkeley sockets API
•
API guarantees that conforming application will work
with a conforming protocol implementation from any
vendor
12
12
Winsock Operation
Client
Server
•
Initialize Winsock.
•
Initialize Winsock.
•
Create a socket.
•
Create a socket.
•
Connect to the server.
•
Bind the socket.
•
Send and receive data.
•
•
Disconnect.
Listen on the socket for a
client.
•
Accept a connection from a
client.
•
Receive and send data.
•
Disconnect.
13
Some Winsock Commands
•
Accept—permits an incoming connection attempt on a
socket
•
Bind—associates a local address with a socket
•
Listen—places a socket in a state of listening for an
incoming connection
•
Connect—establishes a connection to a specified socket
•
Send—send data on a connected socket
•
Recv—receive data from a connected socket
•
Transmitfile—transmits file data over a connected
socket
•
Closesocket—close an existing socket
14
14
Internet Security
15
First…
•
A general comment about security.
•
The greatest security weakness is…
•
•
People!
Often, technical weaknesses are exploited by obtaining
help from people.
16
Information Policy
•
Information policy is essential for security
 Who is allowed to access what information
 Rules associated with dissemination
 Rules for acting on violations
•
People are always the weak links in security
 Policy weaknesses cause mistakes
 Policy weaknesses can be exploited
17
17
•
Tonight we talk about Internet security, so we’ll omit
people from the discussion. But understand that people
are the weakest link, and that security policy is required
in order for technical protections to work.
18
Agenda
•
The Problem
•
Attacks
•
Security measures
19
Early vs. later design
Later designs tend to have protection features
•
•
•
DNS
SMTP
HTTP
The “guts” don’t have good security
•
•
IP
Network Layer
20
Early IPv6
•
The first spec for IPv6 incorporated mandatory
encryption for all communications
•
Later, encryption was made optional
•
In IPv6, encryption is part of IP itself, can span packets
•
Great improvement over IPv4, where IPSec is above IP,
so IP header is not protected
21
21
Attacks
•
Malware
•
Denial-of-service attack
•
Social engineering
•
Eavesdropping
•
Password guessing
•
War dialing—software and modem calls desktop computers, looks for
paths into corporate networks
•
Denial of service attacks—overwhelms capacity of a computer so that it
can’t process legitimate work
•
Protocol-based attacks—exploiting weaknesses in protocols
•
Source Quench
•
ARP Spoofing
•
Host attacks—exploiting weaknesses in hosts
22
Malware
•
Viruses—program that can replicate itself and spread
to other computers
•
Trojan horse—program that appears to be harmless
but hides malicious functions
•
Spyware—program that collects information with the
user’s knowledge
•
Worm—standalone malware that replicates itself in
order to spread to other computers
•
Bot—program that runs an automated task over the
Internet
23
Internet Protocol security
Network layer security
•

IPsec Protocol

TLS (formerly known as SSL)
•
Email security
•
Background
•
Pretty Good Privacy (PGP)
•
Multipurpose Internet Mail Extensions (MIME)
•
Message Authentication Code
Firewalls
•
•
Role of firewalls in Internet security and web security
•
Types of firewalls
•
Packet filters
•
Circuit-level gateways
•
Application-level gateways
24
Ipsec core protocols
25
IPsec Authentication Header
26
IPsec Encapsulating Security
Payload
27
IPSec Implementation
•
Two methods:
1.
Router implementation: implement for pairs of
routers that route datagrams outside the organization
(“bump in the wire”)
2.
End Host Implementation: enables end-to-end
security between any two devices on the network
(“bump in the stack”)
28
IPSec “bump in the wire”
29
IPSec “bump in the stack”
30
IpSec Modes
1.
Transport Mode: protocol protects the message
passed from the transport layer
2.
Tunnel Mode: protocol protects a complete
encapsulated IP diagram after the IP header has been
applied
31
Transport mode
32
Tunnel mode
33
TLS (formerly SSL)
•
SSL was originally developed by Netscape through
Version 3.0
•
Now called Transport Layer Security (TLS)
•
Encryption takes place at the application layer
•
Uses asymmetric cryptography for key exchange,
symmetric cryptography for information protection,
message authentication codes for message integrity
34
Uses of SSL
•
Variations of TLS are now in use in
•
HTTP
•
SMTP
•
Internet faxing
•
VOIP
35
Connecting
•
Some protocols use a different port number (i.e., port
443 for HTTPS)
•
Others use regular port number, have the client request
switching the connection to TLS (i.e., STARTTLS
command for SMTP)
•
Once connection is made, then asymmetric cryptography
is used to negotiate the session and authenticate
•
Then symmetric cryptography is used to protect the data
transfer
36
SMTP Security
•
SMTP-AUTH extension (RFC 2554) defines
authentication methods for SMTP
•
SMTP-AUTH provides a method to specify a security
mechanism, authenticate the exchange and negotiate a
security profile
•
Felt to be too complex for widespread adoption
•
Anti-Spam Research Group of the ITEF is working on
flexible, lightweight, scalable methods for source
authentication
37
Security Techniques
•
Perimeter security—provide some kind of network
boundary and divide service and network availability
between “inside” and “outside”, determining the services
and networks available to outsiders, extent to which
outsiders can use resources
•
Encryption—used to hide data, used for many aspects of
security
•
Authentication and authorization—reliably identify
authorized users and allow access
•
Intrusion detection—detecting actions that attempt to
compromise confidentiality, integrity or availability of a
resource
38
38
Internet Security
•
Security is difficult because datagram
contents cannot be trusted
• Datagrams pass through uncontrolled
intermediaries, can be changed
• Authentication based on source addresses can’t
be trusted
• Strong authentication based on encryption is
more trustworthy
•
Encryption protects information in
transit from change or access
•
A trusted key authority is needed if
encryption is to offer more than protection
of information while in transit.
39
39
Intrusion detection
•
Detecting all possible intrusion attempts is not
computable; too many computations, always one more
method
•
Typically heuristics, clustering algorithms, statistics
are used as the basis for techniques
•
Network IDS (NIDS) examines traffic at all layers,
analyzes for suspicious activity
•
WLAN IDS also looks for attempts to connect to rogue
devices
•
Host-based IDS (HIDS) analyze traffic and systemspecific settings. Installed, configured on each
machine.
40
IDS Types
•
Signature-based—relies on known traffic patterns,
looks for anomalous patterns. Can be fooled by attack
that is a small change from normal traffic. Usually
very effective.
•
Anomaly-based—detects any traffic that is incorrect or
otherwise not normal.
•
Stateful protocol inspection—like anomaly-based
detection, but can examine traffic at network,
transport layer and vendor-specific traffic at the
application layer
41
SMTP Security
•
•
Easy to spoof an email address
Many security changes to SMTP have been resisted;
some popular features:
• Checking IP address of a device attempting connection
against a “white list”
• Limiting commands such as EXPN to prevent
unauthorized users from determining the e-mail
addresses of users on mailing lists.
• Checking validity of envelope information before
accepting a message for delivery.
• Limiting the size of e-mail messages that may be sent or
the number that may be sent in a given period of time.
• Logging all access to the server to keep records of server
use and check for abuse.
•
Encryption can be used along with MIME encoding
42
Firewalls
•
Housing—separates garage from house or one
apartment from another
•
Automobiles—separates engine from passenger
compartment
•
Firewalls are intended to keep a fire localized until
residents can escape and help can arrive
43
Firewalls
Often must protect a network from
unwanted communication
• Internet firewall is the common
mechanism for internet access control
• Firewall placed at the connection to
external networks, partitions into two
regions, inside and outside
• Firewalls must be placed at all
Internet connections, forming a
security perimeter
• A firewall is a router with filtering
capabilities
•
44
44
Firewall Properties
1.
Single point connection between 2 or more networks
where all traffic must pass
2.
Traffic can be controlled through the device
3.
All traffic is logged
45
Firewall Implementation
•
Routers usually have a function called packet filter—
will block datagrams by source, by application, etc.
•
This is most often stateless filtering
•
Often, packet filter is a board in the router
•
No TCP/IP standard for packet filters, left up to vendors
46
46
Types of Packet Filters
1.
Static—filter rules must be changed manually
2.
Dynamic—outside process changes the rules
dynamically
3.
Stateful inspection—dynamic, but including detailed
inspection of data contained in the IP packet
Dynamic and stateful firewalls keep a dynamic state
table to make changes to the filtering rules based on
events
47
Packet Filtering Example
48
48
Stateful Firewalls
Allows clients inside firewall to use
services outside the firewall by keeping
track of the state of network
connections
• Watches outgoing connections, passes
only packets that follow known
connection patterns
• Techniques:
•
• Soft state—timer removes inactive state
information after a timeout
• Connection monitoring—firewall watches
packets, removes information when flow
terminates
49
49
Application Firewalls
•
Firewall function at the application level
•
Provides multiple application proxies
•
Understand the operation of an application
•
•
•
Check messages and ensure that they follow the
pattern of the application
Bad messages are not passed on
Proxies can sometimes be tricked; important to install
new software releases promptly
50
Proxy Access
Generally it’s impossible to make all
computers in an organization secure
• So one is made secure with application
gateways, placed between firewalls
• This bastion host serves as a proxy for
computers inside the network to access
the Internet
• Firewalls are configured to pass only
traffic to or from the bastion host
• Bastion host can inspect contents of
traffic going through it, or it can just
pass the traffic
•
51
51
One-router DMZ
52
52
One-router DMZ
53
53
Firewall effect
From this
level of
risk
To this
Summary
•
Internet must connect organizations with limited mutual trust
•
IPsec protects at the IP layer, allows authentication or encryption of data,
tunneling to protect packet content
•
TLS is used for protection at the transport layer, added to applications
•
IDSes watch for behavior that indicates inappropriate activity
•
Firewalls are used at Internet connections
•
DMZs can provide considerable isolation
•
Note that all of these have been added on to the Internet, rather than
designed in at the outset
55
55
What we’ve talked about
Protocol Dependencies
•
We can now look at a complete picture of Internet
protocols and how they depend on each other.
•
The chart illuminates some basic choices of
Internet protocol architecture
•
Does today’s technology still require the difference
between UDP and TCP?
•
Could ECC be used and a single protocol used to
replace both UDP and TCP?
57
57
Protocol Dependencies
58
58
IP as Universal Connector
59
59
Summary
•
Rich functionality of TCP/IP comes from
services provided by applications
•
Client on one machine can communicate with
a server on a different type of machine
•
Intermediate machines do not have to
forward whole messages
•
There are complex interdependencies among
the protocols
60
60