
TCP/IP Applications


Presentation Transcript


  1. TCP/IP Applications
  What you should be able to do:
  • Describe the major TCP/IP-based services and applications
  • Describe the security risks involved in using these services

  2. TCP/IP Applications
  • SMTP
  • NNTP
  • SNMP
  • Telnet
  • FTP
  • RPC, NIS, NFS
  • R-commands
  • X Windows
  • WWW

  3. Sendmail
  • Most popular SMTP-based transport agent
  • Configuration is difficult
  • Threat: several security bugs
    - Mail to Unix commands
    - Internet worm

  4. MIME
  • Multimedia Internet Mail Extensions
  • Encapsulates multimedia documents: sound, pictures, PostScript files
  • Threat: PostScript escape to the system

  5. Usenet News
  • Usenet news: world-wide bulletin board
  • Network News Transfer Protocol (NNTP), similar to SMTP
  • Server: nntpd
  • Authorization: accept connections only from known, friendly neighbours

  6. Network Management (SNMP)
  • SNMP: Simple Network Management Protocol
  • Uses UDP
  • Architecture
    - The snmpd agent
    - Management Information Base (MIB)
    - The network management station is the client
  • Threats
    - Uses a “community name” for authentication
    - Default community name is “public”
    - Community name is passed in the clear
    - Do not expose SNMP to the outside
  • SNMP v2 provides authentication of parties and encryption of data
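Added example (not from the slides, and not code from any SNMP implementation): a small Python script that builds an SNMPv1 GetRequest with a given community name and then parses the community back out of the raw datagram, which is what "passed in the clear" means on the wire. The packet layout (BER TLVs), the OID, the request id and the list of default community names are all constructed for the example; the parser reads the same header for v2c messages too, so it can serve as an audit check for either version.

```python
# Constructed example: encode an SNMPv1 GetRequest, then decode its header.
# BER tags used: 0x30 SEQUENCE, 0x02 INTEGER, 0x04 OCTET STRING,
#                0x06 OID, 0x05 NULL, 0xA0 GetRequest-PDU.

SNMP_VERSIONS = {0: "v1", 1: "v2c"}
# Vendor defaults a network audit should flag ("public" is the one on the slide).
DEFAULT_COMMUNITIES = {"public", "private"}
SYSNAME_OID = b"\x2b\x06\x01\x02\x01\x01\x05\x00"   # 1.3.6.1.2.1.1.5.0 (sysName.0)


def _tlv(tag, value):
    """BER TLV with short-form length; every value built here is < 128 bytes."""
    if len(value) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(value)]) + value


def build_snmpv1_get(community, oid=SYSNAME_OID, request_id=1):
    """GetRequest for a single OID. request_id is kept < 128 so one byte encodes it."""
    if not 0 <= request_id < 128:
        raise ValueError("request_id must fit in one unsigned BER byte here")
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))
    pdu = _tlv(0xA0,
               _tlv(0x02, bytes([request_id]))   # request-id
               + _tlv(0x02, b"\x00")             # error-status 0
               + _tlv(0x02, b"\x00")             # error-index 0
               + _tlv(0x30, varbind))            # variable-bindings
    return _tlv(0x30,
                _tlv(0x02, b"\x00")                         # version 0 = SNMPv1
                + _tlv(0x04, community.encode("ascii"))     # community, plain text
                + pdu)


def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def parse_community_header(datagram):
    """Return (version, community, pdu_tag) from an SNMPv1/v2c message."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return int.from_bytes(ver, "big"), community.decode("ascii", "replace"), pdu_tag


def audit_snmp_datagram(datagram):
    """Defender's view of one captured datagram: version, community, weak defaults."""
    version, community, pdu_tag = parse_community_header(datagram)
    return {
        "version": SNMP_VERSIONS.get(version, "unknown(%d)" % version),
        "community": community,
        "pdu_tag": pdu_tag,
        "default_community": community in DEFAULT_COMMUNITIES,
        "community_in_clear": community.encode("ascii") in datagram,
    }


if __name__ == "__main__":
    pkt = build_snmpv1_get("public")
    print(pkt.hex())
    print(audit_snmp_datagram(pkt))
```

The same check can be run over captured UDP/161 payloads from a sensor: any datagram whose community is in the default list, or that arrives from outside the management network at all, is worth an alert.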

  7. Remote Login (Telnet)
  • Telnet: terminal access to a remote host
  • telnetd calls login to authenticate the user
  • Threat: everything (including the password) is passed in the clear
  • Solutions
    - Encrypted telnet: encrypts the session data; not standard yet
    - One-time passwords

  8. Trivial File Transfer Protocol (TFTP)
  • Trivial FTP, UDP-based
  • Used to boot X terminals and diskless workstations
  • Threat: no authentication at all
  • tftpd restricts access to “/usr/local/boot”; if it does not, a client can get “/etc/password”
  • Don't run tftp if you don't need it

  9. File Transfer Protocol (FTP)
  • Internet standard for file transfer
  • User must log in (password sent in the clear)
  • Requires 2 channels
    - Control channel to the remote host
    - Separate data channel set up by the server: the request is initiated from outside
    - Allow incoming TCP connections?
  • Better solution: PASV mode
    - Server creates a random port and sends it to the client
    - Data connection is established by the client
    - Must be supported by the vendor
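Added example (not from the slides): Python that decodes the two FTP messages behind this slide, the client's PORT command (active mode) and the server's 227 reply to PASV (passive mode), and states which side has to open the data connection. The address/port encoding (h1,h2,h3,h4,p1,p2 with port = p1*256 + p2) and the server data port 20 come from RFC 959; the sample messages and IP addresses are constructed.

```python
import re

# RFC 959 encodes an address and port as six decimal numbers: h1,h2,h3,h4,p1,p2
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PASV_RE = re.compile(r"\(" + _HOSTPORT + r"\)")
_PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
FTP_DATA_PORT = 20   # server's default data port (control port 21 minus one)


def _decode(groups):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % (groups,))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def parse_pasv_reply(line):
    """Parse a server reply such as '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    m = _PASV_RE.search(line)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in %r" % line)
    return _decode(m.groups())


def parse_port_command(line):
    """Parse a client command such as 'PORT h1,h2,h3,h4,p1,p2'."""
    m = _PORT_RE.match(line.strip())
    if m is None:
        raise ValueError("malformed PORT command: %r" % line)
    return _decode(m.groups())


def data_connection(client_ip, server_ip, mode, line):
    """Describe the data connection a packet filter would have to permit.

    active : client sent PORT; the server connects FROM port 20 TO the client,
             i.e. an inbound connection into the client's network.
    passive: server answered PASV with 227; the client connects TO the server's
             random port, so nothing needs to come in from outside.
    address_matches_peer flags replies that point at some third address."""
    if mode == "active":
        host, port = parse_port_command(line)
        return {"initiator": server_ip, "from_port": FTP_DATA_PORT,
                "target": (host, port), "inbound_to_client_site": True,
                "address_matches_peer": host == client_ip}
    if mode == "passive":
        host, port = parse_pasv_reply(line)
        return {"initiator": client_ip, "from_port": None,
                "target": (host, port), "inbound_to_client_site": False,
                "address_matches_peer": host == server_ip}
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    # Constructed sample exchange: client 10.0.0.5, server 198.51.100.21
    print(data_connection("10.0.0.5", "198.51.100.21", "active", "PORT 10,0,0,5,4,1"))
    print(data_connection("10.0.0.5", "198.51.100.21", "passive",
                          "227 Entering Passive Mode (198,51,100,21,19,136)"))
```

The "inbound_to_client_site" field is the whole point for the firewall designer: active mode needs a rule that lets the server's port 20 connect to an arbitrary high port inside, which is exactly the "allow incoming TCP connections?" question on the slide; passive mode does not.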

  10. Remote Procedure Calls (RPC)
  • RPC message header includes
    - Program and procedure number
    - Sequence number to match queries with replies
    - Authentication area: easy to forge! (null, or user ID, group ID and name of the calling machine)
  • Portmapper
    - Provides clients with the port number for a service on the server
    - Provides a call to unregister a service
    - Provides information on the services that it is running
    - May forward the client call directly to the server carrying the Portmapper's own address, masking the source of the call!
  • Recommendation: block RPC calls from outside
  • Caution: NFS and NIS are based on RPC

  11. NFS, NIS
  • NIS, yellow pages (yp): the most dangerous RPC application
    - Weak authentication (domain name)
    - Distributes data (password file, hosts table)
    - Do not run on an exposed machine
    - Secure (encrypted) RPC
  • Network File System (NFS)
    - Based on RPC
    - Threat: lots of security problems
    - “showmount -e host.domain” shows all exported file systems
    - Do not run on an exposed machine

  12. Remote Command Execution
  • rlogin, rsh, rcp, rexec
  • rlogin to a remote machine succeeds without a password if authentication is done as follows:
    - The call comes from a reserved port
    - The calling machine and user are listed in /etc/hosts.equiv or $HOME/.rhosts
    - The caller's name corresponds to its IP address
  • Very weak authentication scheme
    - A reserved port on PCs doesn't make any security sense
    - The above files can be read in a number of ways, such as ftp, uucp, etc.
  • One subverted machine opens the door to many others
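Added example (not from the slides, and not the code of any rlogind): Python that reproduces the three-part trust decision the slide lists, so the reader can see exactly what each step does and does not check. The trust-file syntax (one host per line, optional user name, "+" as a wildcard) follows the classic hosts.equiv/.rhosts format; the DNS tables, file contents and addresses are constructed, and the user-name semantics are simplified to "that remote user is accepted" rather than the full BSD rules. An audit helper lists wildcard entries, which is the check a defender actually wants to run over these files.

```python
RESERVED_PORT_MAX = 1023   # BSD convention: ports 1-1023 are only bindable by root


def parse_trust_file(text):
    """Parse hosts.equiv/.rhosts text into (host, user-or-None) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def _entry_allows(entries, client_host, remote_user, local_user):
    """Simplified match: host (or '+'), then same user, listed user, or '+'."""
    for host, user in entries:
        if host != "+" and host.lower() != client_host.lower():
            continue
        if user is None:
            if remote_user == local_user:
                return True
        elif user == "+" or user == remote_user:
            return True
    return False


def rlogin_trusted(client_ip, client_port, remote_user, local_user,
                   hosts_equiv, rhosts, reverse_dns, forward_dns):
    """The trust decision from the slide. reverse_dns and forward_dns are dicts
    standing in for gethostbyaddr/gethostbyname. Returns (trusted, reason)."""
    # 1. Call must come from a reserved port (only meaningful if the client OS
    #    enforces root-only binding, which a PC of the period did not).
    if client_port > RESERVED_PORT_MAX:
        return False, "client port %d is not a reserved port" % client_port
    # 2/3. Caller's name must correspond to its address: reverse lookup, then
    #      confirm with a forward lookup so a forged PTR record is not enough.
    name = reverse_dns.get(client_ip)
    if name is None:
        return False, "no reverse DNS name for %s" % client_ip
    if client_ip not in forward_dns.get(name, ()):
        return False, "forward lookup of %s does not give back %s" % (name, client_ip)
    if _entry_allows(hosts_equiv, name, remote_user, local_user):
        return True, "%s trusted via /etc/hosts.equiv" % name
    if _entry_allows(rhosts, name, remote_user, local_user):
        return True, "%s trusted via ~%s/.rhosts" % (name, local_user)
    return False, "no matching trust entry"


def audit_trust_entries(entries):
    """Defender's check: entries that trust every host or every user."""
    return [e for e in entries if e[0] == "+" or e[1] == "+"]


# Constructed sample data (hosts in the reserved example.test domain)
HOSTS_EQUIV = parse_trust_file("# site-wide trust\nws1.example.test\n")
RHOSTS_BOB = parse_trust_file("ws2.example.test alice   # alice may log in as bob\n")
RHOSTS_CARELESS = parse_trust_file("+ +\n")
REVERSE_DNS = {"192.0.2.10": "ws1.example.test",
               "192.0.2.11": "ws2.example.test",
               "192.0.2.66": "ws1.example.test"}   # PTR claims a name it does not own
FORWARD_DNS = {"ws1.example.test": {"192.0.2.10"},
               "ws2.example.test": {"192.0.2.11"}}

if __name__ == "__main__":
    for ip, port, ruser in [("192.0.2.10", 1022, "bob"),
                            ("192.0.2.10", 40000, "bob"),
                            ("192.0.2.66", 1022, "bob"),
                            ("192.0.2.11", 1022, "alice")]:
        print(ip, port, ruser, rlogin_trusted(ip, port, ruser, "bob", HOSTS_EQUIV,
                                               RHOSTS_BOB, REVERSE_DNS, FORWARD_DNS))
    print("wildcard entries:", audit_trust_entries(RHOSTS_CARELESS))
```

Note what is never checked: nothing ties the session to a secret. Every input to the decision (source port, hostname, file contents) is something another machine on the network asserts about itself, which is why the slide calls the scheme very weak and why one subverted host that appears in many .rhosts files opens the door to all of them.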

  13. X11 Systems
  • The user's terminal is the server, which controls the interaction devices
  • Applications connect to the server and talk to the user just by knowing the server's address
  • Exposure: passwords can be read remotely
  • Threat: X11 servers use port 6000, thus X11 servers on the Internet can be probed

  14. The World Wide Web
  • WWW (W3, the Web): the most popular information service
    - Others: archie, gopher, veronica
  • CERN project on distributed hypermedia
  • Hypertext-based information service
    - Text points to other documents, which may be on other hosts
  • Interactive, GUI, multimedia (pictures, sound, video)
  • Browsers: Mosaic, Netscape, IE
  • Companies on the net
    - Produce information
    - Software patches
    - Commercial transactions

  15. HTTP and HTML
  • HTTP: HyperText Transport Protocol
  • httpd: WWW server process
  • HTML: HyperText Markup Language, the standard scripting language for hypermedia documents
  • A hyperlink in a document points to another server
  • URL (Uniform Resource Locator): specifies an object on the Internet
    - http://www.company.com/dir/home-page.html
    - ftp://ftp.site.edu/path/file

  16. WWW Security
  • Data-driven attacks
  • HTML may include “scripts” (Java)
  • Secure HTTP
    - Uses cryptography
    - SHTTP
    - SSL (Secure Sockets Layer)
  • Secure e-commerce

  17. Firewall Components
  What you should be able to do: describe the following
  • Packet filters
  • Proxy servers
  • Socks servers

  18. Objectives
  • Describe the purposes of
    - Packet filter
    - Proxy server
    - Socks server

  19. Firewall Security Policy
  • A firewall is not a host or a router, but a systematic approach to network security
  • A firewall implements a security policy in terms of:
    - network configuration
    - hosts
    - routers
    - other security measures (one-time passwords)

  20. Firewalls Implement Policies
  • Interface policy: allow or disallow direct routing between secure networks and the Internet
  • Internal policy: allow some or all protocols for some or all users
  • External policy: allow some, all or no protocols from some or all Internet sources
  • Security guidelines define the network configuration and application services
  • Network configuration and application services define end-user capabilities/constraints

  21. Packet Filtering
  • Forward/drop packets based on IP header information
  • Typically implemented in a router (screening router)
  • Each packet is filtered separately, no “context”
  • Rules:
    - Allow or deny forwarding of packets
    - Matched in order, stops at the first match
    - Default rule: deny
    - Wildcards for addresses, ports
    - Vendor-specific syntax

  22. Filtering Rules
  • Rules based on hosts
    - e.g. only permit access to the mail host
  • On direction
    - Rules apply to a specific interface: incoming, outgoing
  • On protocol (TCP, UDP, ICMP, ...)
  • On port/service
    - Destination port only (most routers)
    - Some services use random ports (RPC, portmapper)
  • Established connections
    - TCP handshake: SYN and ACK fields
    - A connection request has SYN set but not ACK

  23. Filtering Guidelines
  • Default: block everything
  • Add the services you want to use explicitly
    - Mail: to the mail host only
  • Filtering rules are complex
    - Order dependent
    - No testing facility
    - Difficult to manage
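Added example covering slides 21 to 23 (not from the slides, and not any router's syntax): a Python model of a stateless packet filter with the properties listed there, rules matched in order with the first match winning, a trailing default deny, wildcards for addresses and ports, direction and protocol fields, destination-port-only matching, and an "established" test that looks only at the ACK bit. The rule set, network ranges and sample packets are constructed; they implement the guideline "block everything, then add mail to the mail host only" plus outbound connections from inside. It also shows the consequence of "no context": the established test admits any segment with ACK set, whether or not a connection exists.

```python
import ipaddress

# Constructed address plan
INTERNAL = "10.1.0.0/16"
MAIL_HOST = "10.1.0.25/32"

# Rule: (action, direction, proto, src, dst, dport, established)
#   direction   "in" (arriving from the Internet), "out", or "any"
#   proto       "tcp", "udp", "icmp" or "any"
#   src/dst     CIDR string or "any"            (address wildcard)
#   dport       destination port or "any"      (most routers match dst port only)
#   established True = only TCP segments with ACK set, i.e. not a new SYN
RULES = [
    ("allow", "in",  "tcp", "any",    MAIL_HOST, 25,    False),  # SMTP to the mail host only
    ("allow", "out", "tcp", INTERNAL, "any",     "any", False),  # inside may open TCP outwards
    ("allow", "in",  "tcp", "any",    INTERNAL,  "any", True),   # replies to those connections
    ("deny",  "any", "any", "any",    "any",     "any", False),  # default: block everything
]


def _in_net(cidr, addr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def _matches(rule, pkt):
    _action, direction, proto, src, dst, dport, established = rule
    if direction != "any" and direction != pkt["dir"]:
        return False
    if proto != "any" and proto != pkt["proto"]:
        return False
    if not _in_net(src, pkt["src"]) or not _in_net(dst, pkt["dst"]):
        return False
    if dport != "any" and pkt.get("dport") != dport:
        return False
    if established and not (pkt["proto"] == "tcp" and "ACK" in pkt["flags"]):
        return False
    return True


def filter_packet(rules, pkt):
    """Stateless decision for one packet: first matching rule wins.
    Returns (action, index of the deciding rule); with no match at all,
    deny (the last rule should make that case unreachable)."""
    for i, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule[0], i
    return "deny", None


def packet(direction, proto, src, dst, dport=None, flags=()):
    """Build a constructed packet summary; each one is judged on its own."""
    return {"dir": direction, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "flags": tuple(flags)}


# The same rules in a different order: the default deny now shadows everything,
# which is the "order dependent" warning on the guidelines slide.
REVERSED_RULES = [RULES[-1]] + RULES[:-1]

if __name__ == "__main__":
    samples = [
        packet("in", "tcp", "203.0.113.7", "10.1.0.25", 25, ("SYN",)),     # SMTP in
        packet("in", "tcp", "203.0.113.7", "10.1.0.50", 23, ("SYN",)),     # telnet in
        packet("out", "tcp", "10.1.0.50", "203.0.113.7", 80, ("SYN",)),    # web out
        packet("in", "tcp", "203.0.113.7", "10.1.0.50", 33000, ("ACK",)),  # reply in
        packet("in", "udp", "203.0.113.7", "10.1.0.50", 53),               # UDP reply in
    ]
    for p in samples:
        print(p["dir"], p["proto"], p["dst"], p["dport"], p["flags"], "->", filter_packet(RULES, p))
```

Two things the model makes visible. The UDP packet is denied even if it is the answer to a query from inside, because UDP has no SYN/ACK handshake to key on; that is the "no established connections for returned data" problem on slide 33, and the usual fix of the period was to open a temporary hole. And because each packet is judged alone, an inbound segment with ACK set is accepted by rule 2 regardless of destination port; a filter that remembers the outbound SYN (stateful inspection) is what closes that gap.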

  24. Proxy Server
  • Mediates IP traffic between the protected internal network and the Internet
  • Works at the application level
  • Each proxy server understands its own application protocol
    - Different proxy servers: telnet, WWW, FTP
    - Also called an application gateway

  25. Proxy Advantages
  • Information hiding (host name, IP address)
  • Authentication and logging
  • Secure: a proxy for the service must exist
  • Less complex filtering on the screening router: allow only the application gateway
  • Drawbacks
    - Two-step process
    - Modified client (sometimes)
  • Sendmail as a proxy server

  26. Socks Server
  • Socks stands for “Internal Socket Service”
  • Socks works on the TCP layer (less protocol processing than proxies)
  • The sockd daemon runs on the firewall host and intercepts and redirects TCP/IP packets
  • Clients tell sockd where to connect, which requires modified clients
  • Socks can authenticate the users/clients (identd handshake)
    - A protocol which allows the client host to ask a server whether a user ID is valid (RFC 1413)

  27. Socks Advantages
  • Information hiding (host name, IP address)
  • Authentication and logging
  • Secure: a permission for the service must exist
  • Less complex filtering on the screening router
  • Better performance than a proxy server
  • Drawback: modified client

  28. Screening Router
  • Most IP routers also implement packet filtering
  • Filtering rules are complex
  • Not very safe
  • If compromised: the whole network is exposed

  29. Bastion Host
  • Bastion: highly fortified host, “has strong walls”
  • Only visible machine exposed to the outside
  • As the only exposed host, it should be well protected
  • No user accounts
  • A bastion host may be single-homed or dual-homed

  30. Dual-homed Gateway
  • Two network interfaces
  • No IP forwarding
  • Simple but not very secure

  31. Screened Host
  • Consists of a screening router and a bastion host (functioning as an application gateway) using proxies or socks
  • Very flexible

  32. Screened Subnet (DMZ)
  • Separate network with 2 screening routers: one connects to the internal network and the other to the Internet
  • More complex
  • The 2 routers should not allow any direct IP traffic through the DMZ
  • No internal system is allowed direct connections to the Internet (socks or proxies only), and no internal system is reachable from the Internet

  33. A New Set of Problems
  • DNS: domain names are sensitive information
    - Run two DNS servers (“split DNS”)
  • E-mail must be reconfigured
  • Client applications must be reconfigured
  • UDP
    - No established connections for returned data
    - Temporary hole
  • FTP PASV mode

  34. Firewall Solutions?
  • Many factors
    - Cost
    - Corporate policy
    - Existing networks
    - International / global
    - Politics
