TCP/IP Applications - PowerPoint PPT Presentation

PowerPoint Slideshow about 'TCP/IP Applications' - devaki

Presentation Transcript

TCP/IP Applications

What you should be able to do:
  • Describe the major TCP/IP-based services and applications
  • Describe the security risks involved in using these services

TCP/IP Applications
  • SMTP
  • NNTP
  • SNMP
  • Telnet
  • FTP
  • RPC, NIS, NFS
  • R-Commands
  • X-Windows
  • WWW

Sendmail
  • Most popular SMTP-based transport agent
  • Configuration is difficult
  • Threat: several security bugs

- Mail to Unix commands

- Internet worm

MIME
  • Multipurpose Internet Mail Extensions
  • Encapsulates multimedia documents

- sound, pictures, PostScript files

  • Threat: PostScript escape to the system
Usenet News
  • Usenet news: world-wide bulletin board
  • Network News Transfer Protocol (NNTP)
  • Similar to SMTP
  • nntpd daemon
  • Authorization: accept connections only from known, friendly neighbors
Network Management (SNMP)
  • SNMP: Simple Network Management Protocol
  • Uses UDP
  • Architecture

- The snmpd agent

- Management Information Base (MIB)

  • The network management station is the client
  • Threats:

- Uses a “community name” for authentication

- Default community name is “public”

- Community name is passed in the clear

  • Do not expose SNMP to the outside
  • SNMP v2 provides authentication of parties and encryption of data

Remote Login (Telnet)
  • Telnet: terminal access to a remote host
  • telnetd calls login to authenticate the user
  • Threat: everything (including the password) is passed in the clear
  • Solutions

- Encrypted telnet: uses encryption for the session data; not standard yet

- One-time passwords
Trivial File Transfer Protocol (TFTP)
  • Trivial FTP
  • UDP-based
  • Used to boot X-terminals and diskless workstations
  • Threat: no authentication at all
  • tftpd restricts access to “/usr/local/boot”

- if not: anyone can get “/etc/passwd”

  • Don’t run tftp if you don’t need it
File Transfer Protocol (FTP)
  • Internet standard for file transfer
  • User must log in (password sent in the clear)
  • Requires 2 channels

- Control channel to the remote host

- Separate data channel set up by the server

  • The data-channel request is initiated from outside (the server connects back to the client)
  • Allow incoming TCP connections?
  • Better solution: PASV mode

- Server creates a random port and sends it to the client

- Data connection is established by the client

- Must be supported by the vendor

Remote Procedure Calls (RPC)
  • RPC message header includes

- Program and procedure number

- Sequence number to match queries with replies

- Authentication area (user ID, group ID, name of the calling machine): easy to forge!

  • Portmapper

- Provides clients with the port number for a service on the server

- Provides a call to unregister a service

- Provides info on the services that it is running

- May forward the client call directly to the server, carrying the portmapper's own address and masking the source of the call!

  • Recommendation: block RPC calls from outside
  • Caution: NFS, NIS are based on RPC
NFS, NIS
  • NIS, yellow pages (yp)

- Most dangerous RPC application

- Weak authentication (domain name)

- Distributes data (password file, hosts table)

- Do not run on an exposed machine

- Secure RPC (encrypted RPC)

  • Network File System (NFS)

- Based on RPC

- Threat: lots of security problems

- “showmount -e host.domain” shows all exported file systems

  • Do not run on an exposed machine
Remote Command Execution
  • rlogin, rsh, rcp, rexec
  • rlogin to a remote machine succeeds if authentication is done as follows:

- Call comes from a reserved port

- Calling machine and user are listed in /etc/hosts.equiv or $HOME/.rhosts

- Caller's name corresponds to its IP address

  • Very weak authentication scheme

- A reserved port on PCs doesn’t make any security sense

- The above files can be read in a number of ways, such as ftp, uucp, etc.

  • One subverted machine opens the door to many others
X11 Systems
  • The user's terminal is the server, which controls the interaction devices
  • Applications connect to the server and talk to the user just by knowing the server’s address
  • Exposure: passwords can be read remotely
  • Threat: X11 servers use port 6000, thus X11 servers on the Internet can be probed
The World Wide Web
  • WWW (W3, the Web): most popular information service

- Others: archie, gopher, veronica

  • CERN project on distributed hypermedia
  • Hypertext-based information service

- Text points to other documents

- which may be on other hosts

  • Interactive, GUI, multimedia (pictures, sound, video)
  • Browsers: Mosaic, Netscape, IE
  • Companies on the net

- Produce information

- Software patches

- Commercial transactions

HTTP and HTML
  • HTTP: HyperText Transport Protocol
  • HTTPD: WWW server process
  • HTML: HyperText Markup Language

- Standard scripting language for hypermedia documents

  • Hyperlink in a document

- points to another server

  • URL (Uniform Resource Locator)

- specifies an object on the Internet

WWW Security
  • Data-driven attacks
  • HTML may include “scripts” (Java)
  • Secure HTTP

- Uses cryptography

- SSL (Secure Sockets Layer)

  • Secure e-commerce
Firewall Components
  • What you should be able to do
  • Describe the following:

- Packet filters

- Proxy servers

- Socks servers

  • Describe the purposes of:

- Packet filter

- Proxy server

- Socks server

Firewall Security Policy
  • A firewall is not a host or a router but a systematic approach to network security
  • A firewall implements a security policy in terms of:

- network configuration

- hosts

- routers

- other security measures (one-time passwords)
Firewalls Implement Policies
  • Interface policy: allow or disallow direct routing between secure networks and the Internet
  • Internal policy: allow some or all protocols for some or all users
  • External policy: allow some, all or no protocols from some or all Internet sources
  • Security guidelines define the network configuration and application services
  • Network configuration and application services define end-user capabilities/constraints
Packet Filtering
  • Forward/drop packets based on IP information
  • Typically implemented in router (screening router)
  • Each packet is filtered separately, no “context”
  • Rules:

- Allow, deny forwarding of packets

- Matched in order, stops at first match

- Default rule: deny

- Wildcards for addresses, ports

- Vendor specific syntax

Filtering Rules
  • Rules based on hosts

- Only permit access to mail host

  • On direction

- Rules apply to specific interface

- incoming, outgoing

  • On protocol (TCP, UDP, ICMP, ...)
  • On Port Service

- Destination port only (most routers)

- Some services use random ports (RPC, portmapper)

  • Established connections

- TCP handshake: SYN and ACK fields

- A connection request has SYN set but not ACK

Filtering Guidelines
  • Default: Block everything
  • Add services you want to use explicitly

- Mail

- To Mail host only

  • Filtering rules are complex

- Order dependent

- No Testing facility

- Difficult to manage
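As an added illustration (not from the presentation), the following Python models the packet filter described in the filtering slides: rules matched in order with first match winning, a default deny, wildcards, and the SYN/ACK "established" test. It also shows why the server-initiated data connection of active-mode FTP (the FTP slide) is dropped while PASV mode passes. The addresses, the mail host and the rule set are hypothetical.

```python
from dataclasses import dataclass
ANY = "*"  # wildcard for addresses and ports
MAIL_HOST = "192.0.2.25"  # hypothetical internal mail host, the only permitted inbound target

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the Internet, "out" = leaving the internal network
    proto: str
    src: str
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    direction: str
    proto: str
    src: str
    dst: str
    dport: object  # port number or ANY (most routers match the destination port only)
    established: bool = False  # match only if ACK is set, i.e. not a new connection request

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto in (ANY, p.proto)
                and self.src in (ANY, p.src) and self.dst in (ANY, p.dst)
                and self.dport in (ANY, p.dport) and (p.ack or not self.established))
# Rules are matched in order, the first match wins, and anything unmatched hits the default deny.
RULES = [
    Rule("deny", "in", "tcp", "203.0.113.66", ANY, ANY),         # a blocked host, deliberately first
    Rule("allow", "in", "tcp", ANY, MAIL_HOST, 25),               # SMTP, to the mail host only
    Rule("allow", "in", "tcp", ANY, ANY, ANY, established=True),  # replies to connections we opened
    Rule("allow", "out", "tcp", ANY, ANY, ANY),                   # any outbound TCP
]
def filter_packet(p: Packet, rules=RULES) -> str:
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # default rule
# Constructed sample packets; 203.0.113.9 is a hypothetical outside host, 192.0.2.50 an inside one.
SAMPLES = {
    "smtp_to_mailhost": Packet("in", "tcp", "203.0.113.9", MAIL_HOST, 25, syn=True),
    "smtp_from_blocked_host": Packet("in", "tcp", "203.0.113.66", MAIL_HOST, 25, syn=True),
    "telnet_to_mailhost": Packet("in", "tcp", "203.0.113.9", MAIL_HOST, 23, syn=True),
    "ftp_active_data": Packet("in", "tcp", "203.0.113.9", "192.0.2.50", 5001, syn=True),  # server port 20 -> client
    "ftp_pasv_data": Packet("out", "tcp", "192.0.2.50", "203.0.113.9", 51000, syn=True),  # client -> server's random port
    "ftp_pasv_reply": Packet("in", "tcp", "203.0.113.9", "192.0.2.50", 5002, syn=True, ack=True),
}
```

Swapping the first two rules would let the blocked host reach the mail host, which is the order dependence the guidelines warn about.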

Proxy Server
  • Mediates IP traffic between protected internal network and the Internet
  • Work on the application Level
  • Each proxy server understands its own application protocol

- Different proxy servers: telnet, WWW, FTP

- Also called an application gateway

Proxy Advantages
  • Information hiding (host name, IP address)
  • Authentication and logging
  • Secure: a proxy for the service must exist
  • Less complex filtering on the screening router

- allow only the application gateway

  • Drawbacks

- Two-step process

- Modified client (sometimes)

  • Sendmail as a proxy server
Socks Server
  • Socks stands for: ”Internal Socket Service”
  • Socks works on the TCP layer (less protocol processing than proxies)
  • sockd daemon runs on the firewall host and intercepts and redirects TCP/IP packets
  • Clients tell the sockd where to connect which requires modified clients
  • Socks can authenticate the users/clients (identd handshake)

- Protocol which allows the client host to ask a server whether a user ID is valid (RFC 1413)
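As an added example (not from the presentation), this Python models the exchange just described: the modified client tells sockd where to connect and who it is, and sockd grants or rejects the request after checking the user against what identd reported and whether a permission for the service exists. The SOCKS version 4 message layout, the permitted-port policy and the simulated identd answer are assumptions.

```python
import struct

# Hypothetical sockd policy: the only destination ports clients may reach through the firewall.
PERMITTED_PORTS = {25, 80}

def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def build_connect_request(dst_ip: str, dst_port: int, user_id: str) -> bytes:
    """Client side: SOCKS4 CONNECT = VN(4) CD(1) DSTPORT DSTIP USERID NUL."""
    return struct.pack("!BBH", 4, 1, dst_port) + _ip_bytes(dst_ip) + user_id.encode() + b"\x00"

def parse_connect_request(data: bytes):
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 4 or cd != 1:
        raise ValueError("not a SOCKS4 CONNECT request")
    ip = ".".join(str(b) for b in data[4:8])
    user = data[8:data.index(b"\x00", 8)].decode()
    return ip, port, user

def sockd_decide(request: bytes, identd_user: str) -> bytes:
    """Server side. identd_user simulates what the client host's identd (RFC 1413)
    reported for this connection. The reply carries VN=0 and a result code:
    90 granted, 91 rejected by policy, 93 client and identd disagree on the user."""
    ip, port, user = parse_connect_request(request)
    if user != identd_user:
        code = 93
    elif port not in PERMITTED_PORTS:
        code = 91
    else:
        code = 90
    print(f"sockd: user={user} -> {ip}:{port} result={code}")  # the logging a socks server provides
    return struct.pack("!BBH", 0, code, port) + _ip_bytes(ip)

def reply_code(reply: bytes) -> int:
    return struct.unpack("!BBH", reply[:4])[1]
```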
Socks Advantages
  • Information hiding (host name, IP address)
  • Authentication and logging
  • Secure: a permission for the service must exist
  • Less complex filtering on the screening router
  • Better performance than a proxy server
  • Drawback: modified client
Screening Router
  • Most IP routers also implement packet filtering
  • Filtering rules are complex
  • Not very safe
  • If compromised: whole network is exposed
Bastion Host
  • Bastion: Highly-fortified host, “has strong walls”
  • Only visible machine exposed to the outside
  • Only exposed host: should be well protected
  • No user accounts
  • A bastion host may be single-homed or dual-homed
Dual-homed Gateway
  • Two network interfaces
  • No IP forwarding
  • Simple but not very secure
Screened Host
  • Consists of a screening router, bastion host (functioning as an application gateway) using proxies or socks
  • Very Flexible
Screened Subnet (DMZ)
  • Separate network with 2 screening routers: one connects to the internal network and the other to the Internet
  • More complex
  • The 2 routers should not allow any direct IP traffic through the DMZ
  • No internal system is allowed direct connections to the Internet (socks or proxies only), and no internal system is reachable from the Internet
A New Set of Problems
  • DNS: domain names are sensitive information

- Run two DNS servers (“split DNS”)

  • E-mail must be reconfigured
  • Client applications must be reconfigured
  • UDP

- No established connections for returned data

- Temporary hole

  • FTP PASV mode
Firewall Solutions?
  • Many factors:
  • Cost
  • Corporate policy
  • Existing networks
  • International - Global
  • Politics