Transcript TCPIP

TCP/IP from a Security
Standpoint
CS-480b
Dick Steflik
TCP/IP Guru-ism

You don’t have to know all of the
details
• You do need to know your system



What services it is providing
What protocols are involved
What vulnerabilities is has
• How to minimize the risks
Why TCP/IP ?










Packet based
Provides decentralized control
Devices are peers
Its routable
Independent of transmission medium
Open standard
Free
Robust
Flexible
Pragmatic
Physical Layer

Three major categories based on connection
behavior
• Dial-up

temporary point-to-point
• WAN and MAN

premanent point-to-point
• LAN

two or more devices communicating over a shared
broadcast media
Dial-up

Dial-up (and modems)
• Temporarily connected point-to-point
• uses telephone infrastructure

audio frequency modems
• vulnerabilities

Cannot provide physical security along entire
communications path
• Cables are usually run through public infrastructure
making physical security almost impossible
 Peel back the insulation on the wire and connect
alligator clips
• Telephone connection panel in basements of buildings
 Easy to just clip on to the connections
 Punch panels
 Screw terminal connections
WAN and MAN

WAN and MAN
• Constantly connected point-to-point
• uses telephone backbone, microwave, radio, fiber optic
• dedicated digital leased lines

specially conditioned telephone lines (guaranteed quality)
• 56Kbps - 9.95 Gbps
 T1 - 56Kbps
 T2 - 6.312 Mbps
 T3 -44.736 Mbps
 OC1 51.84 Mbps
 OC48 - 2488 Mbps
 OC192 - 9.95 Gbps


CSU/DSU - Carrier Set Unit / Data Set Unit (connection
device)
can be routed like a layer 3 protocol
WAN and MAN (more)

Vulnerabilities
• Because much is done using radio and microwave links
interception by a third party is pretty easy (especially
radio), laser communication is harder to intercept but is
overall less reliable due to environmental issues

Remedy
• Encrypt the data before placing it on an unsecured links
like radio, microwave laser
LAN

Two or more network devices communicating
over a shared broadcast media
• local area, shared communications medium


Ethernet, Token-ring, FDDI
Vulnerabilities
• Because much is done using radio and microwave links
interception by a third party is pretty easy (especially
radio), laser communication is harder to intercept but is
overall less reliable due to environmental issues

Remedy
• Encrypt the data before placing it on an unsecured links
like radio, microwave laser
Dial-up

Temporary connections
• Established as needed
• Cannot provide physical security along entire
communications path

Cables are usually run through public infrastructure making
physical security almost impossible
• Peel back the insulation on the wire and connect alligator clips

Telephone connection panel in basements of buildings
• Easy to just clip on to the connections
 Punch panels
 Screw terminal connections
Modems



Convert low speed digital signals to audio or
phase encoded signals for transmission through
the public access telephone system,
Most consumer used modems work over
unconditioned analog lines on the public access
telephone system
Vulnerabilities
• Because of the public access, hard to secure against
physical tampering


Tap on with another modem and listen as the data goes by
Remedy
• Encrypt data on the computer side of the sending and
receiving modems
ISDN


Integrated Services Digital Network
a system of digital phone connections that allows data to
be transmitted simultaneously across the world using endto-end digital connectivity.
• Available for > 10 years
• Data is sent digitally unlike modems
• Uses a Terminal Adapter rather than a modem

Must be with-in 18000 ft. to telco facilities
• > 18000 ft.requires expensive repeaters
• 16 or 64 kbps depending on service type

Vulnerabilities
• Same as modems, physical security

Remedy
• encryption
Data Link Layer

IEEE views the OSI Data Link Layer as 2 layers
• Media Access Control (MAC) Sublayer

Translates generic network requests into device specific
terms
• Logical Link Control (LLC) Sublayer

Provides the operating system link to the device driver
Media Access Control

This is the actual device driver that controls the
NIC
•
•
•
•
•

Reporting of and setting of device status
Packaging of outgoing data from the LLC layer
Sending of outgoing data
Receiving of incoming data
Unpacking of incoming data, error checking and passing
data to LLC layer
MAC addresses are burned into the NIC and
should be globally unique (by OEM agreement)
• But they are of local scope to the LAN, LAN protocols like
ethernet and token-ring have no provisions to pass data
from one LAN to another; so a LAN should always see
unique MAC addresses
Ethernet

Framing
• 6 byte Destination address (MAC address)
• 6 byte Source address (MAC address)
• 2 byte type (of packet in payload)



0800 – IP Datagram (46-1500 bytes)
0806 – ARP packet (28 bytes data+18 bytes of padding))
0835 – RARP packet (28 bytes + 18 bytes of padding)
• 4 byte CRC

Remember, the ethernet information will always
stay local to the LAN; it’s the IP, ARP or RARP
packet that will move it from LAN to LAN and
across the Internet
PPP



Designed to support multiple network types over
the same serial link
Supersedes SLIP (Serial Line Internet Protocol)
Framing
• 5 byte header


7E FF 03 (constant)
2 byte type field
• 0021 – IP Datagram
• Link control packet – C021
• Network control data - 8021
Link Establishment Subversion



Hacker can use call forwarding to forward an
incoming call to the hackers phone number
Since Windows supports other network protocols
(NetBEUI, IPX, IP over PPP) the hacker can then
attempt to use one of those protocols to break
into the calling machine
Dial-up connections via cell phones can be
hijacked right out of the air with a proper
receiver
• Harder to do with digital cell phones
Media Access Subversion

Its up to the MAC to reject all but the packets
destined for that machine a hacker can put their
MAC/NIC into promiscuous mode and receive all
packets on the LAN
• Most device drivers don’t support this mode so to do this
a new device driver must be introduced

It’s a good idea to every once in a while to scan
all of the machines on your network looking for
any machines that might be running
promiscuously
• Find out why they are running in promiscuous mode

Fix it
Logical Link Control

OS control of the Device Driver
•
•
•
•
Multiple instances of driver for multiple NICs
Multiple Device drivers for different kinds of devices
Windows – NDIS
UNIX – character mode device specification