Network Services - PowerPoint PPT Presentation

Slides: 111
Provided by: nic578
Transcript and Presenter's Notes

1
Network Services
2
Primary Network Services
  • Messaging services
  • Malicious code protection
  • Web hosting
  • Online applications
3
MESSAGING SERVICES IN NICNET
4
Current Architecture
5
Incoming Mail Traffic
6
Mail Access
7
Outgoing Mail Traffic
8
ANTIVIRUS DEPLOYMENT STRATEGIES
9
Definitions
  • Virus: A computer program that replicates by
    attaching itself to another object. It is a
    parasite program, needing another program to
    survive.
  • Worm: A self-contained program (or set of
    programs) that is able to spread functional
    copies of itself, or its segments, to other
    computer systems.

10
  • Trojan: A program with hidden destructive
    functionality. An apparently useful and innocent
    program containing additional hidden code which
    allows the unauthorized collection, exploitation,
    falsification, or destruction of data.
  • Spyware: A general term for a program that
    surreptitiously monitors your actions. While they
    are sometimes sinister, like a remote control
    program used by a hacker, software companies have
    been known to use spyware to gather data about
    customers. The practice is generally frowned
    upon.

11
Adware
While not necessarily malware, adware is
considered to go beyond the reasonable
advertising that one might expect from freeware
or shareware. Typically a separate program that
is installed at the same time as a shareware or
similar program, adware will usually continue to
generate advertising even when the user is not
running the originally desired program. See also
cookies, spyware, and web bugs.
Spam
Spam is electronic junk mail or junk newsgroup
postings; generally it is unsolicited e-mail. In
addition to being a nuisance, spam also eats up a
lot of network bandwidth.
12
Antivirus Deployment Strategies
  • Desktop Level Security
  • Gateway Level Security
  • To support distributed antivirus products,
    antivirus protection technologies must
    incorporate management tools that are
    server-centric and browser based, in order to
    meet new threats head-on and quickly.
  • Low cost to maintain the security infrastructure
    without sacrificing security.

13
Deployment Architecture
14
Desktop level security
  • Centralized installation, deployment.
  • Centralized real time status.
  • Centralized on-demand control of antivirus
    solution.
  • Centralized configuration, logs and reports,
    notification to administrator.
  • Antivirus solution should support heterogeneous
    environment.
  • Should have the ability to detect and clean
    spyware and adware from systems
  • Desktop firewall
  • Desktop IPS

15
END POINT COMPLIANCE
16
  • New threats and motivations drive the need for
    new protection technologies (threat timeline):
  • Virus, Destructive Virus, Macro Virus
  • Vulnerabilities Openly Discussed
  • Mass Mailing Worms
  • Network Worms
  • Spam / Tracking Cookies
  • Spam Explodes
  • Bots / Botnets
  • DDoS Attacks
  • Bots Explode
  • Paid Vulnerability
  • Adware / Spyware
  • Rootkits
  • Spyware / Adware Explode
  • Phishing, Crimeware
  • Zero Day Exploits / Threats

17
Desktop requires:
  • Antivirus agent
  • IPS (Host)
  • IPS (Network)
  • Device Control
  • Application Control
  • Antispyware
  • Firewall
  • Web reputation filter
18
End point compliance
19
Objectives of End Point Compliance: ensuring that
no client connects to the network unless it has
the latest patches and patterns.
20
  • OTHER CONCEPTS
  • Domain keys
  • Reverse DNS
  • RBL
  • SPAM

21
DomainKeys is an e-mail authentication system
designed to verify the DNS domain of an e-mail
sender and the message integrity. The DomainKeys
specification has adopted aspects of Identified
Internet Mail to create an enhanced protocol
called DomainKeys Identified Mail (DKIM).
DomainKeys is a method of e-mail
authentication. Unlike some other methods, it
offers almost end-to-end integrity from a signing
to a verifying Mail Transfer Agent (MTA). In most
cases the signing MTA acts on behalf of the
sender, and the verifying MTA on behalf of the
receiver. DomainKeys is independent of Simple
Mail Transfer Protocol (SMTP) routing aspects.
22
DomainKeys adds a header named
"DomainKey-Signature" that contains a digital
signature of the contents of the mail message.
The receiving SMTP server then uses the name of
the domain from which the mail originated, the
string _domainkey, and a selector from the header
to perform a DNS lookup. The returned data
includes the domain's public key. The receiver
can then use that public key to recover the hash
value from the signature in the header field and
at the same time recalculate the hash value for
the mail body that was received, from the point
immediately following the "DomainKey-Signature"
header. If the two values match, this
cryptographically proves that the mail originated
at the purported domain and has not been tampered
with in transit.
23
  • Advantages
  • There are three primary advantages of this system
    for e-mail recipients:
  • 1. It allows the originating domain of an e-mail
    to be positively identified, allowing domain-based
    blacklists and whitelists to be more effective.
    This is also likely to make phishing attacks
    easier to detect.
  • 2. It allows forged e-mail messages to be
    discarded on sight, either by end-user e-mail
    software (mail user agents), or by ISPs' mail
    transfer agents.
  • 3. It allows abusive domain owners to be tracked
    more easily.

24
REVERSE DNS
Standard DNS is a well known concept. You create
a record with your domain registrar pointing your
domain name to an IP address (i.e. your web
server). Your DNS server then propagates this
record to DNS servers around the world. Reverse
DNS is a bit different.
25
First of all Reverse DNS or rDNS works in the
opposite manner to standard DNS in that it
takes an IP address and resolves this to your
domain name. Reverse DNS lookups started to be
deployed a couple of years back as a way to
combat spam for large ISPs. Mail spammers
often use an IP address that does not correctly
resolve to their host name. AOL, Yahoo, Verizon,
and many others will not receive email from a
server that fails a Reverse DNS lookup. You
likely see these failed mail attempts in your
inbox.
26
RBL REALTIME BLACKLIST
27
A realtime blacklist refers to a list that is
updated on a regular basis, and the changes are
propagated immediately, in real time. Almost
all blacklists currently in operation may be
considered realtime blacklists in this sense,
although some lists are updated on a set
schedule, such as daily.
28
SPAM
29
Unwanted or unsolicited electronic "junk" mail
has come to be known as SPAM. Even if it is an ad
(which is considered to be Unsolicited Commercial
Email, UCE), if you didn't ask for it, didn't
sign up on a mailing list related to it, and
didn't leave your e-mail address on a web form
asking for more information on it, it's spam!
SPAM usually has header information that is
forged and generally is an advertisement. The
best course of action is to "just say no" and
delete the message without reading it. Usually
many copies are sent and often everyone on a
specific list will receive it. "Spammers" find
your e-mail address in a number of different
ways.
30
Programs scan for e-mail addresses (called
"spiders"), some on-line merchants may sell your
e-mail address, you make your e-mail address
available whenever you post to internet news
groups or mailing lists, and some "spammers" just
use a name generation program to try different
possibilities and send to a domain. If you
buy something via the Internet or sign up for a
mailing list, we recommend that you obtain a
"throw away" address. This is an email account
at an ISP that is free. If that account should
eventually become a spam target, you can
abandon that account and create a new one.
31
Protocols to be covered
  • Mailing Protocol (SMTP)
  • Telnet
  • SSH
  • WWW
  • ftp
  • NTP

32
The Simple Mail Transfer Protocol, and you
One of the most attractive parts of the internet
and computers to many people is the ability to
send and receive email. The protocol responsible
for the sending of email is SMTP, the Simple Mail
Transfer Protocol, documented in RFC 821. This
protocol will be listening on port 25, or more
precisely the SMTP server will be listening for
client connections on port 25.
33
In the OSI reference model, SMTP is itself an
application layer protocol. It uses TCP as a
transport protocol, which in turn uses IP for
routing. Much like HTTP, the SMTP protocol has
a number of status codes to enhance its
functionality.
34
RFC 1869 defined the capability for SMTP service
extensions, creating Extended SMTP, or ESMTP.
ESMTP is by definition extensible, allowing new
service extensions to be defined; the most
important extension currently available is
Delivery Status Notification (DSN), defined in
RFC 1891. SMTP has been extended to support
additional features. These enhancements have
been carefully designed not to disrupt the
original protocol. The notion of a "Service
Extension" has been defined as a general-purpose
mechanism for allowing enhancements to the basic
protocol.
35
Collectively, these extensions are known as
Extended SMTP (ESMTP). At the heart of the
service extensions is a new login command. The
original HELO command is replaced by the new
EHLO command. The EHLO command differs from HELO
by announcing to the mail server the desire to
use service extensions. The server reports back
to the client a list of supported service
extensions with parameters.
36
Transmission Channel Opening and Closing
Login uses the HELO and EHLO commands for
identification to the server; this command may
be interpreted as "Hello, I am <domain>". The
normal response to HELO would be a single line
response:
  250 dbc.mtview.ca.us says hello
The EHLO command further allows the server to
issue a multi-line response identifying any
service extensions or optional commands
supported, such as:
  250-dbc.mtview.ca.us says hello
  250-EXPN
  250-HELP
  250-8BITMIME
  250-SIZE
  250 XABC
37
  S: MAIL FROM:<Smith@Alpha.ARPA>
  R: 250 OK
  S: RCPT TO:<Jones@Beta.ARPA>
  R: 250 OK
  S: RCPT TO:<Green@Beta.ARPA>
  R: 550 No such user here
  S: RCPT TO:<Brown@Beta.ARPA>
  R: 250 OK
  S: DATA
  R: 354 Start mail input; end with <CRLF>.<CRLF>
  S: Blah blah blah...
  S: ...etc. etc. etc.
  S: <CRLF>.<CRLF>
  R: 250 OK
The mail has now been accepted for Jones and
Brown. Green did not have a mailbox at host Beta.
38
The objective of the Simple Mail Transfer
Protocol (SMTP) is to transfer mail reliably and
efficiently.
The SMTP Model: Basic Structure
The SMTP design can be pictured as follows: a
user drives an SMTP client, which exchanges SMTP
commands and replies with an SMTP server; the
client and the server each have their own file
system. (Figure: User, SMTP client, SMTP server,
file systems, commands/replies.)
39
Basic steps
A user SMTP process opens a TCP connection to a
server SMTP process on a remote host and
attempts to send mail across the connection.
The server SMTP listens for a TCP connection on a
well-known port (25), and the user SMTP process
initiates a connection on that port.
When the TCP connection is successful, the two
processes execute a simple request/response
dialogue, defined by the SMTP protocol, in which
the user process transmits the mail addresses of
the originator and the recipient(s) for a
message.
40
When the server process accepts these mail
addresses, the user process transmits the
message. The message must contain a message
header and message text formatted in accordance
with RFC 822.
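The following is an added example, not part of the deck: a small Python model of the server side of the dialogue on slides 36 to 40, handling HELO/EHLO with the multi-line extension reply, MAIL FROM, RCPT TO (550 for an unknown mailbox), and DATA terminated by a lone dot (<CRLF>.<CRLF>). The host name Beta.ARPA, the mailbox list and the advertised extensions are constructed from the slides' transcript.

```python
import re

# Constructed demo data, taken from the slide's transcript: host Beta.ARPA knows two
# mailboxes (Green has none) and advertises these ESMTP extensions in reply to EHLO.
SERVER_NAME = "Beta.ARPA"
KNOWN_MAILBOXES = {"jones@beta.arpa", "brown@beta.arpa"}
EXTENSIONS = ["EXPN", "HELP", "8BITMIME", "SIZE"]

# Reverse-path / forward-path: an address in angle brackets, e.g. <Smith@Alpha.ARPA>
ADDR_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>$")


class SmtpSession:
    """Server-side SMTP state machine: greeting, MAIL, RCPT, DATA, QUIT."""

    def __init__(self):
        self.greeted = False
        self.sender = None
        self.recipients = []
        self.in_data = False
        self.lines = []
        self.accepted = []  # (sender, recipients, text) for every delivered message

    def greeting(self):
        return f"220 {SERVER_NAME} Simple Mail Transfer Service Ready"

    def handle(self, line):
        """Process one client line; return the reply lines (several for EHLO, none inside DATA)."""
        if self.in_data:
            if line == ".":  # the lone dot is <CRLF>.<CRLF>: end of mail input
                self.in_data = False
                self.accepted.append((self.sender, self.recipients, "\n".join(self.lines)))
                self.sender, self.recipients, self.lines = None, [], []
                return ["250 OK"]
            # dot-stuffing: a text line that starts with "." was sent as ".." by the client
            self.lines.append(line[1:] if line.startswith(".") else line)
            return []
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.greeted = True
            return [f"250 {SERVER_NAME} says hello"]
        if verb == "EHLO":
            # multi-line reply: "250-" continues, "250 " (space) marks the last line
            self.greeted = True
            return ([f"250-{SERVER_NAME} says hello"]
                    + [f"250-{ext}" for ext in EXTENSIONS[:-1]]
                    + [f"250 {EXTENSIONS[-1]}"])
        if verb == "QUIT":
            return [f"221 {SERVER_NAME} Service closing transmission channel"]
        if not self.greeted:
            return ["503 Bad sequence of commands"]
        if verb == "MAIL":
            addr = self._address(arg, "FROM:")
            if addr is None:
                return ["501 Syntax error in parameters or arguments"]
            self.sender, self.recipients = addr, []
            return ["250 OK"]
        if verb == "RCPT":
            if self.sender is None:
                return ["503 Bad sequence of commands"]
            addr = self._address(arg, "TO:")
            if addr is None:
                return ["501 Syntax error in parameters or arguments"]
            if addr.lower() not in KNOWN_MAILBOXES:
                return ["550 No such user here"]
            self.recipients.append(addr)
            return ["250 OK"]
        if verb == "DATA":
            if not self.recipients:  # nobody to deliver to, so refuse the message text
                return ["503 Bad sequence of commands"]
            self.in_data = True
            return ["354 Start mail input; end with <CRLF>.<CRLF>"]
        return ["500 Syntax error, command unrecognized"]

    @staticmethod
    def _address(arg, keyword):
        if not arg.upper().startswith(keyword):
            return None
        match = ADDR_RE.search(arg[len(keyword):].strip())
        return match.group(1) if match else None


def run_dialogue(client_lines):
    """Drive one session with a scripted client; return the session and a (side, line) transcript."""
    session = SmtpSession()
    transcript = [("R", session.greeting())]
    for line in client_lines:
        transcript.append(("S", line))
        for reply in session.handle(line):
            transcript.append(("R", reply))
    return session, transcript


if __name__ == "__main__":
    # the RFC 821 exchange from the slide, sent over ESMTP
    script = ["EHLO Alpha.ARPA", "MAIL FROM:<Smith@Alpha.ARPA>",
              "RCPT TO:<Jones@Beta.ARPA>", "RCPT TO:<Green@Beta.ARPA>",
              "RCPT TO:<Brown@Beta.ARPA>", "DATA", "Blah blah blah...",
              "etc. etc. etc.", ".", "QUIT"]
    session, transcript = run_dialogue(script)
    for side, text in transcript:
        print(f"{side}: {text}")
    print("accepted for:", session.accepted[0][1])
```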
41
Mail Service Components
Mail Addresses: Mail addresses identify both the
originator and recipient of a mail message. They
generally take the form X@Y where X is a string,
often a user or account, and Y is a string, often
a host. X represents the local part of the mail
address and Y represents the global part of the
mail address. Mail addresses appear in the To
and From fields of the message header and in the
X-from and X-to fields of the envelope.
Envelope: The envelope is a header containing
the originator and recipient mail addresses. It
is prepended to each mail message by the post
office.
42
Message Header: An RFC 822 message consists of
any number of header fields, optionally followed
by message text. Typical header fields include
Date, From, To, CC (carbon copy), and Subject.
The RFC 822 message header refers to the
collection of these header fields.
Host Names: These are mnemonic name strings by
which hosts are known on the network. Each host
has one official host name.
Domain Name Resolver: The Domain Name Resolver
maps host names into the appropriate network
addresses.
43
Email Protocols: IMAP, POP3, SMTP and HTTP
IMAP Protocol
IMAP (Internet Message Access Protocol) is a
standard protocol for accessing e-mail from your
local server. IMAP is a client/server protocol
in which e-mail is received and held for you by
your Internet server. As this requires only a
small data transfer, this works well even over a
slow connection such as a modem. Only if you
request to read a specific email message will it
be downloaded from the server. You can also
create and manipulate folders or mailboxes on
the server, delete messages etc.
44
  • POP3 Protocol
  • The POP3 (Post Office Protocol 3) protocol
    provides a simple, standardized way for users to
    access mailboxes and download messages to their
    computers. When using the POP protocol all your
    eMail messages will be downloaded from the mail
    server to your local computer. You can choose to
    leave copies of your eMails on the server as
    well.
  • The advantage is that once your messages are
    downloaded you can cut the internet connection
    and read your eMail at your leisure without
    incurring further communication costs.

45
  • HTTP Protocol
  • The HTTP protocol is not a protocol dedicated to
    email communications, but it can be used for
    accessing your mailbox. Also called web based
    email, this protocol can be used to compose or
    retrieve emails from your account.
  • Good link: http://www.cs.tut.fi/jkorpela/rfc/822addr.html

46
Why do e-mails bounce?
In computer jargon, a bounced e-mail is one that
never arrives in the recipient's inbox and is
sent back, or bounced back, to the sender with
an error message that indicates to the sender
that the e-mail was never successfully
transmitted. But what happens when someone
sends an e-mail out into cyberspace, and why do
e-mails sometimes bounce back?
47
What is a Digital Signature and its use in
messaging?
A digital signature is a number attached to a
document. For example, in an authentication
system that uses public-key encryption, digital
signatures are used to sign certificates. This
signature establishes the following information:
  • The integrity of the message: Is the message
    intact? That is, has the message been modified
    between the time it was digitally signed and now?
  • The identity of the signer of the message: Is
    the message authentic? That is, was the message
    actually signed by the user who claims to have
    signed it?
A digital signature is created in two steps. The
first step distills the document into a large
number. This number is the digest code or
fingerprint. The digest code is then encrypted
with the signer's private key, which results in
the digital signature. The digital signature is
appended to the document from which the digest
code is generated.
48
When the message is received, the recipient
follows these steps to verify the signature:
  • Recomputes the digest code for the message.
  • Decrypts the signature by using the sender's
    public key. This decryption yields the original
    digest code for the message.
  • Compares the original and recomputed digest
    codes. If these codes match, the message is both
    intact and authentic. If not, something has
    changed and the message is not to be trusted.
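As an added example (not code from the deck), the two-step sign/verify procedure above is carried through in Python for the DomainKeys case from slides 21 to 22: the signer hashes the message and applies its private key, the verifier derives the DNS name from the selector, the string _domainkey and the domain, fetches the public key there, recovers the signed digest and compares it with a freshly computed one. The key pair (two Mersenne primes, far too small for real use), the selector mail2007, the domain example.org, the in-memory DNS table and the sample message are all constructed; the record format is simplified to a hex modulus, and textbook RSA is used without the padding a real DKIM signer applies.

```python
import base64
import binascii
import hashlib

# Constructed RSA key pair for demonstration only. Two Mersenne primes give a ~216-bit
# modulus: hopelessly small for real use, but large enough to hold a 160-bit SHA-1 digest.
P = (1 << 89) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

HEADER = "DomainKey-Signature"

# Constructed stand-in for DNS: the TXT record at <selector>._domainkey.<domain> publishes
# the signer's public key. Real records carry a DER-encoded key; here "p" is the hex modulus.
FAKE_DNS = {"mail2007._domainkey.example.org": f"k=rsa; p={N:x}"}


def digest(data: bytes) -> int:
    """Step one: distil the document into a large number, the digest code or fingerprint."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def dns_name(selector: str, domain: str) -> str:
    """The name the verifier looks up: selector, the string _domainkey, and the domain."""
    return f"{selector}._domainkey.{domain}"


def parse_tags(value: str) -> dict:
    """'a=rsa-sha1; s=sel; d=dom; b=...' -> {'a': 'rsa-sha1', 's': 'sel', ...}."""
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)


def sign(message: str, domain: str, selector: str, d: int = D, n: int = N) -> str:
    """Step two: apply the private exponent to the digest (the slide's 'encrypt the digest')
    and prepend the signature header, which covers everything that follows it."""
    sig = pow(digest(message.encode()), d, n)
    b64 = base64.b64encode(sig.to_bytes((n.bit_length() + 7) // 8, "big")).decode()
    return f"{HEADER}: a=rsa-sha1; s={selector}; d={domain}; b={b64}\n{message}"


def verify(signed: str, lookup=FAKE_DNS.get):
    """Recipient's steps: recompute the digest, recover the signed digest with the public key
    fetched from DNS, compare. Returns (ok, reason)."""
    _, sep, rest = signed.partition(f"{HEADER}:")
    if not sep:
        return False, "no " + HEADER + " header"
    value, _, body = rest.partition("\n")  # body = everything after the signature header
    tags = parse_tags(value)
    if not all(k in tags for k in ("s", "d", "b")):
        return False, "malformed " + HEADER + " header"
    name = dns_name(tags["s"], tags["d"])
    record = lookup(name)
    if record is None:
        return False, "no public key published at " + name
    n = int(parse_tags(record)["p"], 16)
    try:
        sig = int.from_bytes(base64.b64decode(tags["b"], validate=True), "big")
    except binascii.Error:
        return False, "signature is not valid base64"
    if pow(sig, E, n) != digest(body.encode()):
        return False, "digest mismatch: message altered or not signed by " + tags["d"]
    return True, "signed by " + tags["d"]


if __name__ == "__main__":
    # constructed sample message
    mail = "From: alice@example.org\nTo: bob@example.net\nSubject: lunch\n\nNoon at the usual place.\n"
    signed = sign(mail, "example.org", "mail2007")
    print(signed.splitlines()[0])
    print(verify(signed))
    print(verify(signed.replace("Noon", "Midnight")))
```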
49
THE WWW PROTOCOL
50
WWW is not synonymous with Internet
Many people use the terms Internet and World Wide
Web interchangeably, but in fact the two terms
are not synonymous. The Internet and the Web are
two separate but related things.
The Internet is a massive network of networks, a
networking infrastructure. It connects millions
of computers together globally, forming a
network in which any computer can communicate
with any other computer as long as they are both
connected to the Internet. Information that
travels over the Internet does so via a variety
of languages known as protocols.
51
The Web is just one of the ways that information
can be disseminated over the Internet. The
Internet, not the Web, is also used for e-mail,
which relies on SMTP, Usenet news groups, instant
messaging and FTP. So the Web is just a portion
of the Internet, albeit a large portion
52
World Wide Web
A system of Internet servers that support
specially formatted documents. The documents are
formatted in a markup language called HTML
(HyperText Markup Language) that supports links
to other documents, as well as graphics, audio,
and video files. This means you can jump from
one document to another simply by clicking on
hot spots. Not all Internet servers are part of
the World Wide Web. There are several
applications called Web browsers that make it
easy to access the World Wide Web, two of the
most popular being Netscape Navigator and
Microsoft's Internet Explorer.
53
How do Web search engines work?
  • There are basically three types of search
    engines:
  • those that are powered by crawlers, or spiders;
  • those that are powered by human submissions;
  • and those that are a combination of the two.

54
  • Crawler-based engines send crawlers, or spiders,
    out into cyberspace. These crawlers visit a Web
    site, read the information on the actual site,
    read the site's meta tags and also follow the
    links that the site connects to.
  • The crawler returns all that information back to
    a central depository where the data is indexed.
  • The crawler will periodically return to the
    sites to check for any information that has
    changed, and the frequency with which this
    happens is determined by the administrators of
    the search engine.
  • Human-powered search engines rely on humans to
    submit information that is subsequently indexed
    and catalogued. Only information that is
    submitted is put into the index.

55
Meta tag
A special HTML tag that provides information
about a Web page. Unlike normal HTML tags, meta
tags do not affect how the page is displayed.
Instead, they provide information such as who
created the page, how often it is updated, what
the page is about, and which keywords represent
the page's content.
56
In both cases, when you query a search engine to
locate information, you are actually searching
through the index that the search engine has
created; you are not actually searching the Web.
These indices are giant databases of information
that is collected and stored and subsequently
searched. This explains why sometimes a search
on a commercial search engine, such as Yahoo! or
Google, will return results that are in fact
dead links. Since the search results are based
on the index, if the index hasn't been updated
since a Web page became invalid, the search
engine treats the page as still an active link
even though it no longer is. It will remain that
way until the index is updated.
57
So why will the same search on different search
engines produce different results?
Because not all indices are going to be exactly
the same. It depends on what the spiders find
or what the humans submitted. But more
important, not every search engine uses the same
algorithm to search through the indices. The
algorithm is what the search engines use to
determine the relevance of the information in
the index to what the user is searching for.
58
One of the elements that a search engine
algorithm scans for is the frequency and
location of keywords on a Web page. Those with
higher frequency are typically considered more
relevant.
Another common element that algorithms analyze is
the way that pages link to other pages in the
Web. By analyzing how pages link to each other,
an engine can both determine what a page is about
(if the keywords of the linked pages are similar
to the keywords on the original page) and
whether that page is considered "important" and
deserving of a boost in ranking.
59
HTTP
Short for HyperText Transfer Protocol, the
underlying protocol used by the World Wide Web.
HTTP defines how messages are formatted and
transmitted, and what actions Web servers and
browsers should take in response to various
commands. For example, when you enter a URL in
your browser, this actually sends an HTTP
command to the Web server directing it to fetch
and transmit the requested Web page. The other
main standard that controls how the World Wide
Web works is HTML, which covers how Web pages
are formatted and displayed.
60
HTTP is called a stateless protocol because each
command is executed independently, without any
knowledge of the commands that came before it.
This is the main reason that it is difficult to
implement Web sites that react intelligently to
user input. This shortcoming of HTTP is being
addressed in a number of new technologies,
including ActiveX, Java, JavaScript and cookies.

61
The Hypertext Transfer Protocol (HTTP) is an
application-level protocol with the lightness
and speed necessary for distributed,
collaborative, hypermedia information systems.
It is a generic, stateless, object-oriented
protocol which can be used for many tasks, such
as name servers and distributed object
management systems, through extension of its
request methods (commands).
62
Common Gateway Interface
The Common Gateway Interface (CGI) is a standard
for interfacing external applications with
information servers, such as HTTP or Web servers.
A plain HTML document that the Web daemon
retrieves is static, which means it exists in a
constant state: a text file that doesn't change.
A CGI program, on the other hand, is executed in
real-time, so that it can output dynamic
information.
63
JPG vs. GIF
JPEG/JPG: Short for Joint Photographic Experts
Group, the original name of the committee that
wrote the standard.
JPG is a lossy compression technique that is
designed to compress color and grayscale
continuous-tone images. The information that is
discarded in the compression is information that
the human eye cannot detect.
JPG images support 16 million colors and are best
suited for photographs and complex graphics. The
user typically has to compromise on either the
quality of the image or the size of the file.
JPG does not work well on line drawings,
lettering or simple graphics because there is
not a lot of the image that can be thrown out in
the lossy process, so the image loses clarity
and sharpness.
64
GIF
Short for Graphics Interchange Format, another of
the graphics formats supported by the Web.
Unlike JPG, the GIF format is a lossless
compression technique and it supports only 256
colors. GIF is better than JPG for images with
only a few distinct colors, such as line
drawings, black and white images and small text
that is only a few pixels high. With an
animation editor, GIF images can be put together
for animated images. GIF also supports
transparency, where the background color can be
set to transparent in order to let the color of
the underlying Web page show through.
65
How the WWW works
When you browse the web the situation is
basically this: you sit at your computer and want
to see a document somewhere on the web, to which
you have the URL. Since the document you want to
read is somewhere else in the world and probably
very far away from you, some more details are
needed to make it available to you. The first
detail is your browser. You start it up and type
the URL into it. But the browser can't read the
document directly from the disk where it's
stored if that disk is on another continent.
66
So for you to be able to read the document, the
computer that contains the document must run a
web server. A web server is just a computer
program that listens for requests from browsers
and then executes them.
It's worth noting that HTTP only defines what the
browser and web server say to each other, not
how they communicate. The actual work of moving
bits and bytes back and forth across the network
is done by TCP and IP.
67
What happens when I follow a link?
Step 1: Parsing the URL
Most URLs have this basic form:
"protocol://server/request-URI".
Protocol: the protocol part describes how to tell
the server which document you want and how to
retrieve it.
Server: the server part tells the browser which
server to contact.
Request-URI: the request-URI is the name used by
the web server to identify the document.
68
Step 2: Sending the request
Usually, the protocol is "http". To retrieve a
document via HTTP the browser transmits the
following request to the server:
  GET /request-URI HTTP/version
where version tells the server which HTTP version
is used.
One important point here is that this request
string is all the server ever sees. So the
server doesn't care if the request came from a
browser, a link checker, a validator, a search
engine robot or if you typed it in manually. It
just performs the request and returns the result.
69
The first line is followed by some lines called
the header, which contains information about the
document. The header ends with a blank line,
followed by the document content. This is a
typical header:
  HTTP/1.0 200 OK
  Server: Netscape-Communications/1.1
  Date: Tuesday, 25-Nov-97 01:22:04 GMT
  Last-modified: Thursday, 20-Nov-97 10:44:53 GMT
  Content-length: 6372
  Content-type: text/html

  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
  <HTML>
  ...followed by document content...
70
Step 3: The server response
When the server receives the HTTP request it
locates the appropriate document and returns
it. However, an HTTP response is required to
have a particular form. It must look like this:
  HTTP/VER CODE TEXT
  Field1: Value1
  Field2: Value2
  ...

  Document content here...
The first line shows the HTTP version used,
followed by a three-digit number (the HTTP
status code) and a reason phrase meant for
humans. Usually the code is 200 and the phrase
"OK".
71
Interpretation: We see from the first line that
the request was successful. The second line is
optional and tells us that the server runs the
Netscape Communications web server, version
1.1. We then get what the server thinks is the
current date and when the document was modified
last, followed by the size of the document in
bytes and the most important field,
"Content-type". The content-type field is used
by the browser to tell which format the document
it receives is in. HTML is identified with
"text/html", ordinary text with "text/plain", a
GIF is "image/gif" and so on.
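The three steps above (parse the URL, send the request line, read the status line, header fields and content) as an added Python example; this is not code from the deck. The URL www.example.org and the sample response are constructed (the response copies the slide's header fields with a short body), and the parser also checks the one failure mode the slide's layout implies: a response whose header never ends with a blank line, or whose content is shorter than its Content-length.

```python
# Constructed raw response, modelled on the slide's example header (body shortened).
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Server: Netscape-Communications/1.1\r\n"
    "Date: Tuesday, 25-Nov-97 01:22:04 GMT\r\n"
    "Last-modified: Thursday, 20-Nov-97 10:44:53 GMT\r\n"
    "Content-length: 28\r\n"
    "Content-type: text/html\r\n"
    "\r\n"
    "<HTML>Hello, world!</HTML>\r\n"
)


def parse_url(url: str):
    """Step 1: split 'protocol://server/request-URI' into its three parts."""
    protocol, sep, rest = url.partition("://")
    if not sep or not protocol or not rest:
        raise ValueError("URL must have the form protocol://server/request-URI")
    server, _, path = rest.partition("/")
    return protocol.lower(), server, "/" + path  # an absent path means the root document


def build_request(url: str, version: str = "1.0") -> str:
    """Step 2: the request line the server sees, a Host header, and the terminating blank line."""
    _, server, request_uri = parse_url(url)
    return f"GET {request_uri} HTTP/{version}\r\nHost: {server}\r\n\r\n"


def parse_response(raw: str) -> dict:
    """Step 3: status line, header fields up to the blank line, then the document content."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("response has no blank line ending the header")
    status, *field_lines = head.split("\r\n")
    parts = status.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit() \
            or len(parts[1]) != 3:
        raise ValueError("malformed status line: " + status)
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""  # the phrase meant for humans is optional
    headers = {}
    for line in field_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header field: " + line)
        headers[name.strip().lower()] = value.strip()  # field names are case-insensitive
    complete = True
    if "content-length" in headers:
        length = int(headers["content-length"])
        complete = len(body) >= length  # shorter than declared means a truncated transfer
        body = body[:length]
    return {"version": version, "code": code, "reason": reason,
            "headers": headers, "body": body, "complete": complete}


if __name__ == "__main__":
    print(build_request("http://www.example.org/docs/index.html"), end="")
    response = parse_response(SAMPLE_RESPONSE)
    print(response["code"], response["reason"])
    # the browser picks a renderer from Content-type, not from the URL's extension
    print("render as:", response["headers"]["content-type"])
    print(response["body"], end="")
```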
72
Invoking HTTP
  cd /etc/rc.d/init.d/
  ./httpd start
OR
  service httpd start
73
THE TELNET PROTOCOL
74
What is telnet? Basically telnet, a.k.a. (also
known as) terminal emulator, is a console based
tool which enables a user to use the resources
of another system by connecting to it using its
IP address and a valid shell in the target
system. The default port for telnet is port 23
(RFC 854).
What can I do with telnet? Generally hackers aim
at connecting to the daemon on an open port of a
particular system and try to get root on that
system. First you need a good port scanner to
scan down the open ports of a particular system.
75
The TELNET Protocol is built upon three main
ideas first, the concept of a "Network Virtual
Terminal" second, the principle of negotiated
options and third, a symmetric view of
terminals and processes.
76
  telnet> open anisurrahman.net 25
  Connecting... Connected to anisurrahman.net
  220 Welcome to anisurrahman.net ESMTP service 8.9.3
  HELO Abhisek
  220 Welcome to sendmail Abhisek
  MAIL FROM: abhisek@fakemail.com
  240 Sender set to abhisek@fakemail.com
  RCPT TO: me@anisurrahman.net
  240 Recipient set to me@anisurrahman.net
  DATA
  220 End with "."
  Subject: Hello Rony
  Hey whats up boss I am sending fake mail using you SMTP service.
  .
  240 CA55910 Message accepted for delivery.
77
Edit the file /etc/xinetd.d/telnetd, changing the
two lines to:
  default: on
  disable = no
then try doing this:
  /etc/rc.d/init.d/xinetd restart
78
THE SSH PROTOCOL
79
"Using encryption on the Internet is the
equivalent of arranging an armored car to deliver
credit-card information from someone living in a
cardboard box to someone living on a park bench"
80
Encryption
A way of coding the information in a file or
e-mail message so that if it is intercepted by a
third party as it travels over a network it
cannot be read. Only the persons sending and
receiving the information have the key, and this
makes it unreadable to anyone except the
intended persons.
The level of protection provided by encryption is
determined by the encryption algorithm. Against a
brute-force attack, the strength is measured by
the number of possible keys, i.e. the key size.
For example, a Triple Data Encryption Standard
system (3DES) uses 168-bit keys and, based on
currently available processing power, is
virtually immune to brute-force attacks.
81
  • Most computer encryption systems belong in one of
    two categories
  • Symmetric-key encryption
  • Public-key encryption

Symmetric Key In symmetric-key encryption, each
computer has a secret key (code) that it can use
to encrypt a packet of information before it is
sent over the network to another computer.
Symmetric-key requires that you know which
computers will be talking to each other so you
can install the key on each one. Symmetric-key
encryption is essentially the same as a secret
code that each of the two computers must know in
order to decode the information.
82
Public Key Public-key encryption uses a
combination of a private key and a public key.
The private key is known only to your computer,
while the public key is given by your computer
to any computer that wants to communicate
securely with it. To decode an encrypted
message, a computer must use the public key,
provided by the originating computer, and its
own private key.
83
SSH (Secure Shell) is a protocol which provides a
secure means of logging into and executing
commands on another network computer running
Unix (or VMS), and transferring files between
computers. It negotiates and establishes an
encrypted connection between an SSH client and
an SSH server, authenticating the client and
server using any of several available encryption
algorithms, such as RSA.
84
SSH is used to create secure remote login and
session encryption, effectively replacing
commands such as telnet, rlogin, and rsh. It can
be configured to give the remote user a
full-featured X11 windowing environment, with
secure access to mail, the Web, file sharing,
FTP, and other services. SSH protects against
some of the common forms of masquerade and
pretence by which unauthorised persons use the
internet to gain access to other computers, for
instance IP spoofing (remote hosts send out
packets which pretend to come from another
trusted host), forgery of name server records,
interception of passwords, etc.
85
Authentication and Authorisation
86
Authentication is the process of identifying an
individual, usually based on a username and
password. In security systems, authentication is
distinct from authorization, which is the process
of giving individuals access to system objects
based on their identity. Authentication merely
ensures that the individual is who he or she
claims to be, but says nothing about the access
rights of the individual.
87
The Dark Ages
  • Before SSH, before the age of enlightenment the
    world was shrouded in darkness
  • Telnet and ftp were used everywhere, and thus
    passwords were sent over the wire.

88
Reasons to use SSH.
  • Designed to be a secure replacement for rsh,
    rlogin, rcp, rdist, and telnet.
  • Strong authentication. Closes several security
    holes (e.g., IP, routing, and DNS spoofing).
  • Improved privacy. All communications are
    automatically and transparently encrypted.
  • Secure X11 sessions. The program automatically
    sets DISPLAY on the server machine, and forwards
    any X11 connections over the secure channel.

89
Reasons to use SSH
  • No retraining needed for normal users.
  • Never trusts the network. Minimal trust on the
    remote side of the connection. Minimal trust on
    domain name servers. Pure RSA authentication
    never trusts anything but the private key.
  • Client RSA-authenticates the server machine in
    the beginning of every connection to prevent
    trojan horses (by routing or DNS spoofing) and
    man-in-the-middle attacks, and the server
    RSA-authenticates the client machine before
    accepting .rhosts or /etc/hosts.equiv
    authentication (to prevent DNS, routing, or
    IP-spoofing).

90
Reasons to use SSH
  • Host authentication key distribution can be done
    centrally by the administration, or automatically
    when the first connection is made to a machine.
  • Any user can create any number of user
    authentication RSA keys for his/her own use.
  • The server program has its own server RSA key
    which is automatically regenerated every hour.
  • An authentication agent, running in the user's
    laptop or local workstation, can be used to hold
    the user's RSA authentication keys.

91
Reasons to use SSH
  • Arbitrary TCP/IP ports can be redirected through
    the encrypted channel in both directions
  • The software can be installed and used (with
    restricted functionality) even without root
    privileges.
  • Optional compression of all data with gzip
    (including forwarded X11 and TCP/IP port data),
    which may result in significant speedups on slow
    connections.

92
Before using SSH
  • SSH1 and SSH2 have different protocols and
    licensing restrictions
  • The RSA algorithm that SSH uses is patented in
    the US
  • Know the difference between commercial and
    non-commercial use
  • Some known vulnerabilities
SSH1 vs. SSH2
  • SSH version 1.2.7
    • Uses the RSA algorithm, which is patented until
      Sept 2000
    • Well tested and free
  • SSH version 2.0.13
    • Totally rewritten
    • Improved privacy
    • More restricted license than SSH1: free for
      non-commercial use only

93
How does SSH work?
  • Encryption: uses IDEA, DES and Blowfish
  • Authentication: uses RSA and DSA

94
Authentication Methods (1)
  • 1. Host-based trust files
    • Use the --with-rhosts option at compile time
    • /etc/hosts.equiv
    • .rhosts
Authentication Methods (2)
  • 2. RSA-based user authentication
    • The user creates a public/private key pair
      (encryption/decryption) using ssh-keygen
    • The public key is put in the user's
      ~/.ssh/authorized_keys
    • When connecting, the user name and the chosen
      public key are sent to the remote host
    • The remote host sends back a random session key,
      encrypted with the user's public key
    • The session key is decrypted with the user's
      private key and sent back to the remote host
    • The user is authenticated

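The RSA challenge-response exchange described above, as an added example that is not part of the original slides: the tiny key pair and the SHA-256-of-challenge reply are my constructed assumptions, used so the exchange can be run offline.

```python
"""Added example (not the deck's code): the RSA challenge-response user
authentication of slide 94, modelled with textbook RSA so the exchange
can be run offline. Constructed assumptions: the tiny key pair below
and SHA-256 of the recovered challenge as the client's reply."""
import hashlib
import secrets

# Constructed toy key from two small primes (real keys are far larger).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
PUBLIC_KEY = (N, E)                 # what goes into ~/.ssh/authorized_keys
PRIVATE_KEY = (N, D)                # never leaves the user's machine

def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def expected_response(challenge):
    """Both sides derive the same reply from the plaintext challenge."""
    return hashlib.sha256(challenge.to_bytes(8, "big")).hexdigest()

def server_make_challenge(pub):
    """Server: pick a random session key/challenge, encrypt it with the
    user's public key from authorized_keys, keep the reply it expects."""
    challenge = secrets.randbelow(pub[0] - 1) + 1      # 1 <= m < n
    return rsa_encrypt(pub, challenge), expected_response(challenge)

def client_answer_challenge(priv, ciphertext):
    """Client: only the private-key holder recovers the challenge."""
    return expected_response(rsa_decrypt(priv, ciphertext))

def authenticate(pub, priv):
    """One full exchange; True means the server accepts the login."""
    ciphertext, want = server_make_challenge(pub)
    return client_answer_challenge(priv, ciphertext) == want

if __name__ == "__main__":
    print("right key accepted:", authenticate(PUBLIC_KEY, PRIVATE_KEY))
    print("wrong key accepted:", authenticate(PUBLIC_KEY, (N, D + 2)))
```

The second call shows why the server never needs the private key: a client holding a different key cannot recover the challenge and so cannot produce the expected reply.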
95
Authentication Methods (3, 4)
  • 3. rhosts with RSA-based authentication
    • Uses RSA key exchange
    • Then consults the host-based trust file
    • (This method protects against DNS, IP and source
      routing spoofing attacks)
  • 4. Authentication using a password
    • Since traffic is encrypted, the password cannot
      be sniffed

96
How to Install
  • gunzip -c ssh-2.0.13.tar.gz | tar -xvf -
  • cd ssh-2.0.13
  • ./configure
  • make
  • make install (as superuser)
Build Options
  • ./configure
    • --prefix
    • --with-rsh / --without-rsh
    • --with-libwrap=/path/to/libwrap.a (for TCP
      wrappers; also add an sshdfwd line in hosts.allow)
    • --with-x (set X forwarding to yes in ssh_config)

97
Configuration Files
  • sshd: /etc/sshd_config
  • ssh: /etc/ssh_config, ~/.ssh/config (in the
    user's home directory)
  • Order in which options are read: command line
    options, configuration files, user's config file
After installation
  • Creates binaries in the ssh directory: ssh (ssh
    client), sshd (daemon), sftp, scp, ssh-keygen,
    ssh-agent
  • Creates the host key during make install

98
How to run SSH
  • To log in to a remote host: ssh <hostname>
  • To log in to a remote host with a different user
    name: ssh -l <username> <hostname>
  • To log in to a remote host and run a command:
    ssh <hostname> <command>

99
THE FTP PROTOCOL
100
FTP is a TCP based service exclusively. There is
no UDP component to FTP. FTP is an unusual
service in that it utilizes two ports, a 'data'
port and a 'command' port (also known as the
control port). Traditionally these are port 21
for the command port and port 20 for the data
port. The confusion begins however, when we find
that depending on the mode, the data port is not
always on port 20.
101
TCP VS UDP
TCP offers error correction. When the TCP protocol is used there is "guaranteed delivery". This is due largely in part to a method called "flow control". Flow control determines when data needs to be re-sent, and stops the flow of data until previous packets are successfully transferred. This works because if a packet of data is sent, a collision may occur. When this happens, the client re-requests the packet from the server until the whole packet is complete and is identical to its original. UDP is commonly used for streaming audio and video. Streaming media such as Windows Media audio files (.WMA), Real Player (.RM), and others use UDP because it offers speed! The reason UDP is faster than TCP is because there is no form of flow control or error correction. The data sent over the Internet is affected by collisions, and errors will be present. Remember that UDP is only concerned with speed. This is the main reason why streaming media is not high quality.
102
Active FTP
  • In active mode FTP the client connects from a
    random unprivileged port (N > 1024) to the FTP
    server's command port, port 21. Then, the client
    starts listening on port N+1 and sends the FTP
    command PORT N+1 to the FTP server.
  • The server will then connect back to the client's
    specified data port from its local data port,
    which is port 20.
  • From the server-side firewall's standpoint, to
    support active mode FTP the following
    communication channels need to be opened:
    • FTP server's port 21 from anywhere (client
      initiates connection)
    • FTP server's port 21 to ports > 1024 (server
      responds to client's control port)
    • FTP server's port 20 to ports > 1024 (server
      initiates data connection to client's data port)
    • FTP server's port 20 from ports > 1024 (client
      sends ACKs to server's data port)

103
In step 1, the client's command port contacts the server's command port and sends the command PORT 1027. The server then sends an ACK back to the client's command port in step 2. In step 3 the server initiates a connection on its local data port to the data port the client specified earlier. Finally, the client sends an ACK back as shown in step 4.
104
Problem with Active FTP
The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server; it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client-side firewall this appears to be an outside system initiating a connection to an internal client, something that is usually blocked.
105
Passive FTP
In order to resolve the issue of the server initiating the connection to the client, a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.
106
In step 1, the client contacts the server on the command port and issues the PASV command. The server then replies in step 2 with PORT 2024, telling the client which port it is listening on for the data connection. In step 3 the client then initiates the data connection from its data port to the specified server data port. Finally, the server sends back an ACK in step 4 to the client's data port.
107
While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow any remote connection to high numbered ports on the server. Fortunately, many FTP daemons, including the popular WU-FTPD, allow the administrator to specify a range of ports which the FTP server will use for passive data connections.
With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs. This can either be good or bad depending on what the servers and firewalls are configured to support.
108
Configuring FTP
Edit the file /etc/xinetd.d/wu-ftpd, changing the two lines to "default: on" and "disable = no", then run the command /etc/rc.d/init.d/xinetd restart
109
NTP Network Time Protocol
110
The Network Time Protocol (NTP) is a protocol for synchronizing the clocks of computer systems. NTP uses UDP port 123 as its transport layer. NTP is one of the oldest Internet protocols still in use (since before 1985). NTP was originally designed by Dave Mills of the University of Delaware, who still maintains it, along with a team of volunteers.