TCP/IP Applications - PowerPoint PPT Presentation

About This Presentation
Title:

TCP/IP Applications

Description:

A firewall implements a security policy in terms of: - network configuration - hosts ... Mediates IP traffic between protected internal network and the Internet ...

Slides: 35
Provided by: glens

Transcript and Presenter's Notes

1
TCP/IP Applications
  • What you should be able to do:
  • - Describe the major TCP/IP-based services and
    applications
  • - Describe the security risks involved in using
    these services

2
TCP/IP Applications
  • SMTP
  • NNTP
  • SNMP
  • Telnet
  • FTP, TFTP
  • RPC, NIS, NFS
  • R-Commands
  • X-Windows
  • WWW

3
Sendmail
  • Most popular SMTP-based mail transport agent
  • Configuration is difficult
  • Threat: several security bugs
  • - Mail can be delivered to Unix commands (programs)
  • - Exploited by the 1988 Internet worm

4
MIME
  • Multipurpose Internet Mail Extensions
  • Encapsulates multimedia documents
  • - sound, pictures, PostScript files
  • Threat: PostScript is a programming language, so a
    PostScript attachment can escape from the interpreter
    to the system when it is rendered

5
Usenet News
  • Usenet news: world-wide bulletin board
  • Network News Transfer Protocol (NNTP)
  • Similar to SMTP
  • nntpd
  • Authorization: accept connections only from known
    (friendly) neighbours

6
Network Management (SNMP)
  • SNMP: Simple Network Management Protocol
  • Uses UDP (the agent listens on port 161)
  • Architecture
  • - The snmpd agent
  • - Management Information Base (MIB)
  • - The network management station is the client
  • Threats
  • - Uses the community name for authentication
  • - Default community name is "public"
  • - Community name is passed in the clear
  • - Do not expose SNMP to the outside
  • SNMPv2 proposed authentication of parties and
    encryption of data (the widely deployed SNMPv2c kept
    clear-text community names; SNMPv3 is what actually
    delivers authentication and encryption)
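To make the "passed in the clear" point concrete, here is a minimal BER decoder for SNMPv1/v2c messages that pulls the community name out of a raw UDP payload exactly as a sniffer on the path would. This is an added example for this deck, not code from the presentation; the packet bytes are constructed by hand (a GetRequest for sysDescr.0 with the default community) and are not a real capture.

```python
"""Decode an SNMPv1/v2c message from raw UDP payload bytes and pull out the
community string, which the protocol carries in clear text.

Added example for this deck; not code from the original presentation. The
packet below is constructed by hand (a GetRequest for sysDescr.0 with the
default community "public"); it is not a real capture.
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# BER universal tags and SNMP context-specific PDU tags
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def read_tlv(buf, pos):
    """Read one BER tag-length-value triple starting at buf[pos].
    Returns (tag, value_bytes, position_after_value)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn BER OID contents into dotted notation (first octet packs two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends a multi-byte arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_snmp_message(data):
    """Return version, community, PDU type and the OIDs named in the message."""
    tag, body, _ = read_tlv(data, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(body, 0)
    tag2, community, pos = read_tlv(body, pos)
    if tag != INTEGER or tag2 != OCTET_STRING:
        raise ValueError("malformed SNMP header")
    pdu_tag, pdu, _ = read_tlv(body, pos)
    # skip request-id, error-status, error-index, then walk the VarBindList
    p = 0
    for _ in range(3):
        _, _, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = read_tlv(varbinds, q)
        oid_tag, oid_val, _ = read_tlv(vb, 0)
        if oid_tag == OID:
            oids.append(decode_oid(oid_val))
    return {
        "version": int.from_bytes(ver, "big"),   # 0 = SNMPv1, 1 = SNMPv2c
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
        "oids": oids,
    }


def audit_snmp_packet(data):
    """Return the parsed message and a list of what an eavesdropper learns from it."""
    msg = parse_snmp_message(data)
    findings = ["community string sent in clear: %r" % msg["community"]]
    if msg["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community name in use")
    if msg["version"] in (0, 1):
        findings.append("SNMPv%s offers no authentication beyond the community string"
                        % ("1" if msg["version"] == 0 else "2c"))
    return msg, findings


# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
SAMPLE_GETREQUEST = bytes.fromhex(
    "3026"                      # SEQUENCE, 38 bytes
    "020100"                    # version INTEGER 0 (SNMPv1)
    "04067075626c6963"          # community OCTET STRING "public"
    "a019"                      # GetRequest PDU, 25 bytes
    "020101" "020100" "020100"  # request-id 1, error-status 0, error-index 0
    "300e300c"                  # VarBindList, VarBind
    "06082b06010201010100"      # OID 1.3.6.1.2.1.1.1.0
    "0500"                      # NULL value
)

if __name__ == "__main__":
    parsed, issues = audit_snmp_packet(SAMPLE_GETREQUEST)
    print(parsed)
    for issue in issues:
        print("-", issue)
```

Feeding the decoder the payload of any SNMPv1 or v2c datagram yields the community name with no key material needed, which is why the slide's advice is to keep SNMP off exposed interfaces rather than to rely on a non-default community.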

7
Remote Login (Telnet)
  • Telnet: terminal access to a remote host
  • telnetd calls login to authenticate the user
  • Threat: everything, including the password, is passed
    in the clear
  • Solutions
  • - Encrypted Telnet: encrypts the session data (not yet
    a standard)
  • - One-time passwords

8
Trivial File Transfer Protocol (TFTP)
  • Trivial FTP
  • UDP-based
  • Used to boot X terminals and diskless workstations
  • Threat: no authentication at all
  • tftpd should restrict access to a boot directory such as
    /usr/local/boot
  • - If it does not, anyone can fetch /etc/passwd
  • Don't run tftpd if you don't need it

9
File Transfer Protocol (FTP)
  • Internet standard for file transfer
  • User must log in (password sent in the clear)
  • Requires 2 channels
  • - Control channel from client to server
  • - Separate data channel, set up by the server (active
    mode: the server connects back to the port the client
    named in its PORT command)
  • The data request is therefore initiated from outside
  • Must the filter allow incoming TCP connections?
  • Better solution: PASV mode
  • - Server opens a random port and sends it to the
    client
  • - Data connection is established by the client
  • - Must be supported by the client and server software
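The two ways the FTP data channel gets set up, and why they matter to a filter, are easiest to see by decoding the actual protocol lines. The example below (added for this deck, not code from the presentation) parses a client PORT command and a server 227 PASV reply, both constructed here, and reports who initiates the data connection and whether it has to enter the client's network from outside, which is the case slide 33 has in mind when it lists "FTP PASV mode" among the firewall problems.

```python
"""Work out which side opens the FTP data connection, and from where, so a
packet filter knows what it would have to allow.

Added example for this deck, not code from the presentation. The PORT command
and 227 reply below are constructed sample lines, not a real session."""

import re

# Active mode: the client tells the server where to connect.
#   PORT h1,h2,h3,h4,p1,p2                              (RFC 959)
# Passive mode: the server tells the client where to connect.
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(text):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 encoding, or None if absent."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = list(map(int, m.groups()))
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range: %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_connection(client_ip, server_ip, line):
    """Describe the data connection implied by a PORT command or a 227 reply.

    Returns who initiates, source and destination, whether the connection
    arrives at the client's network from outside (what a screening router in
    front of the client would have to permit), and whether the address named
    in the line matches the peer on the control connection (if it does not,
    the command should be refused)."""
    if line.upper().startswith("PORT "):          # active: server -> client
        ip, port = decode_host_port(line)
        return {"mode": "active", "initiator": "server",
                "src": (server_ip, 20), "dst": (ip, port),
                "inbound_to_client": True,
                "address_matches_peer": ip == client_ip}
    if line.startswith("227"):                    # passive: client -> server
        ip, port = decode_host_port(line)
        return {"mode": "passive", "initiator": "client",
                "src": (client_ip, None), "dst": (ip, port),
                "inbound_to_client": False,
                "address_matches_peer": ip == server_ip}
    raise ValueError("not a PORT command or 227 reply: %r" % line)


# Constructed sample exchange: client 192.168.1.10 talking to server 198.51.100.7
ACTIVE_PORT_CMD = "PORT 192,168,1,10,4,1"                          # client data port 1025
PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,195,80)"     # server data port 50000

if __name__ == "__main__":
    for line in (ACTIVE_PORT_CMD, PASV_REPLY):
        print(line, "->", data_connection("192.168.1.10", "198.51.100.7", line))
```

With active mode the filter in front of the client would have to accept a fresh inbound TCP connection from the server to an arbitrary high port; with passive mode every connection is outbound from the client, which is the property the slide is after.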

10
Remote Procedure Calls (RPC)
  • RPC message header includes
  • - Program and procedure number
  • - Sequence number to match queries with
    replies
  • - Authentication area: easy to forge!
  • Null (no authentication)
  • Unix-style: user ID, group ID and name of the calling
    machine, all claimed by the caller and never verified
  • Portmapper
  • - Provides clients with the port number of a
    service on the server
  • - Provides a call to unregister a service
  • - Provides information on the services it has
    registered
  • - May forward the client's call directly to
    the server; the call then carries the portmapper's own
    address, masking the source of the call!
  • Recommendation: block RPC calls (including the
    portmapper, port 111) from outside
  • Caution: NFS and NIS are based on RPC

11
NFS, NIS
  • NIS (Network Information Service), formerly Yellow
    Pages (yp)
  • - Most dangerous RPC application
  • - Weak authentication (knowing the NIS domain name
    is enough)
  • - Distributes data (password file, hosts
    table)
  • - Do not run on an exposed machine
  • - Secure RPC (encrypted RPC) is the alternative
  • Network File System (NFS)
  • - Based on RPC
  • - Threat: lots of security problems
  • - showmount -e host.domain shows
    all exported file systems
  • - Do not run on an exposed machine

12
Remote Command Execution
  • rlogin, rsh, rcp, rexec
  • rlogin/rsh grant access to the remote machine without
    a password when
  • - The call comes from a reserved port (below 1024)
  • - The calling machine and user are listed in
    /etc/hosts.equiv or $HOME/.rhosts
  • - The caller's host name corresponds to its IP address
    (reverse lookup)
  • Very weak authentication scheme
  • - A reserved port proves nothing when the caller is a
    PC whose user controls the whole machine
  • - The trust files can be read (and often written) in a
    number of ways, e.g. via ftp, uucp, etc.
  • One subverted machine opens the door to many
    others
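The three conditions above are a complete authentication decision, so they can be written down and exercised. The following is an added example for this deck, not code from the presentation: a simplified model of the hosts.equiv/.rhosts check (the user field is treated as "remote user allowed", with a missing field meaning "same user name" and "+" as a wildcard, as in the classic implementations) run against constructed trust files and constructed hosts, including a PC that has bound a reserved port and a wildcard entry.

```python
"""Model the r-command trust check (hosts.equiv / $HOME/.rhosts) from this slide
and exercise it with constructed inputs.

Added example for this deck, not code from the presentation. File contents,
host names and addresses are constructed; the user-field semantics are
simplified (remote user allowed, missing = same name, '+' = anyone)."""

RESERVED_PORT_MAX = 1023   # ports below 1024 require root on classic Unix


def parse_trust_file(text):
    """Parse hosts.equiv / .rhosts lines into (host, user) pairs.
    A missing user field means 'same user name'; '+' is a wildcard."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def rhosts_allows(src_port, src_ip, remote_user, local_user,
                  reverse_dns, hosts_equiv, rhosts):
    """Return (allowed, reason) following the slide's three conditions.

    reverse_dns is the server's view of PTR records: {ip: hostname}."""
    # 1. the call must come from a reserved port
    if src_port > RESERVED_PORT_MAX:
        return False, "source port %d is not reserved" % src_port
    # 3. the caller's name must correspond to its IP address
    src_host = reverse_dns.get(src_ip)
    if src_host is None:
        return False, "no reverse DNS for %s" % src_ip
    # 2. calling machine and user must be listed in hosts.equiv or ~/.rhosts
    for host, user in parse_trust_file(hosts_equiv) + parse_trust_file(rhosts):
        host_ok = host == "+" or host == src_host
        user_ok = (user == "+"
                   or (user is None and remote_user == local_user)
                   or user == remote_user)
        if host_ok and user_ok:
            return True, "matched entry %s %s" % (host, user or "(same user)")
    return False, "no trust entry for %s@%s" % (remote_user, src_host)


# Constructed server-side data
REVERSE_DNS = {"10.0.0.2": "alpha.example.com",     # trusted Unix host
               "10.0.0.9": "pc.example.com"}        # a user's PC
HOSTS_EQUIV = "alpha.example.com\n"                 # every user on alpha is trusted
RHOSTS_BOB = "beta.example.com bob\n"               # bob's ~/.rhosts
RHOSTS_WILDCARD = "+ +\n"                           # the classic mistake: trust everyone


def scenarios():
    """Run the check for a legitimate login, a PC on a reserved port, and a wildcard file."""
    return {
        "alice_from_alpha": rhosts_allows(1023, "10.0.0.2", "alice", "alice",
                                          REVERSE_DNS, HOSTS_EQUIV, RHOSTS_BOB),
        "alice_unreserved_port": rhosts_allows(40000, "10.0.0.2", "alice", "alice",
                                               REVERSE_DNS, HOSTS_EQUIV, RHOSTS_BOB),
        # A PC user is root on their own machine and can bind port 1023 at will,
        # so the reserved-port condition holds; only the trust entry stops them.
        "pc_reserved_port": rhosts_allows(1023, "10.0.0.9", "bob", "bob",
                                          REVERSE_DNS, HOSTS_EQUIV, RHOSTS_BOB),
        # ... and a '+ +' entry removes that last check entirely.
        "pc_with_wildcard": rhosts_allows(1023, "10.0.0.9", "anyone", "bob",
                                          REVERSE_DNS, HOSTS_EQUIV, RHOSTS_WILDCARD),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print("%-22s %-5s %s" % (name, "ALLOW" if ok else "DENY", why))
```

Every input to the decision (source port, source address, the PTR record and the trust files) is either chosen by the caller or readable or writable through other services, which is what makes one compromised host a key to all the others that trust it.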

13
X11 Systems
  • The user's terminal is the server, which controls the
    interaction devices (display, keyboard, mouse)
  • Applications (clients) connect to the server and talk
    to the user just by knowing the server's address
  • Exposure: keystrokes, including passwords, can be read
    remotely
  • Threat: X11 servers listen on TCP port 6000 (display
    :0), so X11 servers on the Internet can be probed

14
THE World Wide Web
  • WWW (W3, the Web) most popular information
    service
  • - Others: archie, gopher, veronica
  • CERN project on distributed hypermedia
  • Hypertext-based information service
  • - Text points to other documents
  • - may be on other hosts
  • Interactive, gui, multimedia (pictures, sound,
    video)
  • Browsers: Mosaic, Netscape, IE
  • Companies on the net
  • - Produce information
  • - Software patches
  • - Commercial transactions

15
HTTP and HTML
  • HTTP: HyperText Transfer Protocol
  • httpd: WWW server process
  • HTML: HyperText Markup Language
  • - Standard markup language for hypermedia
    documents
  • Hyperlink in a document
  • - may point to another server
  • URL (Uniform Resource Locator)
  • - specifies an object on the Internet
  • - http://www.company.com/dir/home-page.html
  • - ftp://ftp.site.edu/path/file

16
WWW Security
  • Data-driven attacks
  • - HTML may carry active content (Java applets, scripts)
    that the browser executes
  • Secure HTTP
  • - Uses cryptography
  • - S-HTTP
  • - SSL (Secure Sockets Layer)
  • Secure e-commerce

17
Firewall Components
  • What you should be able to do
  • Describe the following:
  • - Packet filters
  • - Proxy servers
  • - SOCKS servers

18
Objectives
  • Describe the purposes of
  • - Packet filter
  • - Proxy Server
  • - Socks Server

19
Firewall Security Policy
  • A firewall is not a host or a router but a
    systematic approach to network security
  • A firewall implements a security policy in terms
    of
  • - network configuration
  • - hosts
  • - routers
  • - other security measures (one-time passwords)

20
Firewalls Implement Policies
  • Interface policy - allow or disallow direct
    routing between secure networks and the Internet
  • Internal policy - allow some or all protocols for
    some or all users
  • External policy - allow some, all or no
    protocols from some or all Internet sources
  • Security guidelines define the network
    configuration and application services
  • Network configuration and application services
    define end-user capabilities/constraints

21
Packet Filtering
  • Forward/drop packets based on IP and transport header
    information
  • Typically implemented in a router (screening
    router)
  • Each packet is filtered separately, with no context
    from earlier packets
  • Rules
  • - Allow or deny forwarding of packets
  • - Matched in order, stop at first match
  • - Default rule: deny
  • - Wildcards for addresses, ports
  • - Vendor-specific syntax

22
Filtering Rules
  • Rules based on hosts
  • - Only permit access to the mail host
  • On direction
  • - Rules apply to a specific interface
  • - incoming, outgoing
  • On protocol (TCP, UDP, ICMP)
  • On port / service
  • - Destination port only (most routers)
  • - Some services use random ports (RPC,
    portmapper)
  • Established connections
  • - TCP handshake
  • - SYN and ACK fields
  • - A connection request has SYN set but not ACK;
    every later packet of the connection has ACK set

23
Filtering Guidelines
  • Default: block everything
  • Add the services you want to use explicitly
  • - Mail
  • - To the mail host only
  • Filtering rules are complex
  • - Order dependent
  • - No testing facility
  • - Difficult to manage
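Slides 21 to 23 together describe one mechanism: an ordered rule list, first match wins, default deny, with matching on interface direction, protocol, destination port and the ACK bit. The example below (added for this deck, not code from the presentation) implements exactly that as a small stateless filter, with a constructed rule set that follows the guideline "mail to the mail host only" and constructed packets run through it. The last packet shows the cost of "no context": an ACK-only probe to a blocked port is accepted by the "established connections" rule because a stateless filter cannot know that no connection exists.

```python
"""A tiny first-match packet filter with a default-deny rule, run over
constructed packets.

Added example for this deck, not code from the presentation. The addresses,
rule set and packets are constructed; the rule syntax is invented for the
example and does not follow any vendor's."""

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" (from the Internet) or "out"
    proto: str                  # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str = "*"        # interface direction or "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"      # wildcards for addresses
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None         # None = any destination port
    established: Optional[bool] = None  # True: ACK set; False: no ACK; None: don't care
    comment: str = ""

    def matches(self, p):
        if self.direction != "*" and self.direction != p.direction:
            return False
        if self.proto != "*" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established is not None and self.established != ("ACK" in p.flags):
            return False
        return True


def filter_packet(rules, packet):
    """First matching rule wins; anything unmatched hits the default deny.
    Returns (action, index_of_matching_rule_or_None, comment)."""
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, i, rule.comment
    return "deny", None, "default deny"


INTERNAL = "192.168.1.0/24"
MAIL_HOST = "192.168.1.25/32"

# Order matters: the first rule that matches decides.
RULES = [
    Rule("allow", "in", "tcp", dst=MAIL_HOST, dport=25,
         comment="SMTP to the mail host only"),
    Rule("allow", "out", "tcp", src=INTERNAL,
         comment="internal hosts may open outbound TCP"),
    Rule("allow", "in", "tcp", dst=INTERNAL, established=True,
         comment="replies to outbound connections (ACK set)"),
    # implicit: deny everything else
]

# Constructed packets
PACKETS = {
    "smtp_to_mailhost": Packet("in", "tcp", "203.0.113.5", "192.168.1.25", 25, frozenset({"SYN"})),
    "smtp_to_workstation": Packet("in", "tcp", "203.0.113.5", "192.168.1.50", 25, frozenset({"SYN"})),
    "web_reply": Packet("in", "tcp", "198.51.100.7", "192.168.1.50", 40001, frozenset({"ACK"})),
    "inbound_syn_to_telnet": Packet("in", "tcp", "203.0.113.5", "192.168.1.50", 23, frozenset({"SYN"})),
    "inbound_udp_snmp": Packet("in", "udp", "203.0.113.5", "192.168.1.1", 161),
    # no SYN, only ACK: a stateless filter cannot tell this from a genuine reply
    "forged_ack_probe": Packet("in", "tcp", "203.0.113.5", "192.168.1.50", 23, frozenset({"ACK"})),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print("%-22s -> %s" % (name, filter_packet(RULES, pkt)))
```

The forged ACK probe getting through is not a bug in the rule set; it is the limit of filtering each packet separately, and the reason the later slides move the real access control to proxies and SOCKS on a bastion host.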

24
Proxy Server
  • Mediates traffic between the protected internal
    network and the Internet
  • Works at the application level
  • Each proxy server understands its own application
    protocol
  • - Different proxy servers for telnet, WWW, FTP
  • - Also called an application gateway

25
Proxy Advantages
  • Information hiding (internal host names, IP addresses)
  • Authentication and logging
  • Secure: a proxy for the service must exist before the
    service can pass at all
  • Simpler filtering on the screening router
  • - allow traffic to and from the application gateway only
  • Drawbacks
  • - Two-step process for the user
  • - Modified client (sometimes)
  • Example: sendmail acting as a mail relay is a proxy
    server for SMTP

26
Socks Server
  • SOCKS is a generic circuit-level relay for TCP
    connections
  • SOCKS works at the TCP layer (less protocol
    processing than application proxies)
  • The sockd daemon runs on the firewall host and relays
    TCP connections on behalf of internal clients
  • Clients tell sockd where to connect, which
    requires modified ("socksified") clients
  • SOCKS can authenticate the users/clients (identd
    handshake)
  • - Ident: protocol which allows a server to ask the
    client host which user owns a connection (RFC 1413)

27
Socks Advantages
  • Information hiding (host name, IP address)
  • Authentication and logging
  • Secure: a permission entry for the service must exist
  • Simpler filtering on the screening router
  • Better performance than an application proxy server
  • Drawback - modified client

28
Screening Router
  • Most IP routers also implement packet filtering
  • Filtering rules are complex
  • Not very safe on its own
  • If the router is compromised, the whole network is
    exposed

29
Bastion Host
  • Bastion: a highly fortified host (it has strong
    walls)
  • The only machine visible and exposed to the outside
  • Being the only exposed host, it should be well
    protected
  • No user accounts
  • A bastion host may be single-homed or dual-homed

30
Dual-homed Gateway
  • Two network interfaces
  • No IP forwarding
  • Simple but not very secure

31
Screened Host
  • Consists of a screening router, bastion host
    (functioning as an application gateway) using
    proxies or socks
  • Very Flexible

32
Screened Subnet (DMZ)
  • Separate network with 2 screening routers: one
    connects to the internal network and the other to
    the Internet
  • More complex
  • The 2 routers must not allow any direct IP
    traffic through the DMZ
  • No internal system is allowed direct connections
    to the Internet (SOCKS or proxies only) and no
    internal system is reachable from the Internet

33
A New Set of Problems
  • DNS: internal domain names are sensitive information
  • - Run two DNS servers (split DNS): an external one
    that knows only the public hosts, an internal one for
    the rest
  • E-mail must be reconfigured to pass through the gateway
  • Client applications must be reconfigured (proxies,
    SOCKS)
  • UDP
  • - No connection state and no ACK bit to recognise
    returned data
  • - A temporary hole must be opened for the replies
  • FTP PASV mode is needed so that data connections are
    opened from the inside

34
Firewall Solutions?
  • Many factors
  • Cost
  • Corporate policy
  • Existing networks
  • International - Global
  • Politics