Tcp ip applications
1 / 34

TCP/IP Applications - PowerPoint PPT Presentation

  • Uploaded on

TCP/IP Applications. What you should be able to Do Describe the major TCP/IP Based services and Applications Describe the security risks involved in using these services. TCP/IP Applications. SMTP NNTP SNMP Telnet FTP RPC, NIS, NFS R-Commands X-Windows WWW. Sendmail .

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'TCP/IP Applications' - devaki

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Tcp ip applications

TCP/IP Applications

What you should be able to Do Describe the major TCP/IP Based services and Applications

Describe the security risks involved in using these services

Tcp ip applications1
TCP/IP Applications

  • SMTP

  • NNTP

  • SNMPTelnet

  • FTP


  • R-Commands

  • X-Windows

  • WWW


  • Most popular SMTP-based transport agent

  • Configuration is difficult

  • Threat: Several security bugs

    - Mail Unix commands

    - Internet worm

Tcp ip applications

  • Multimedia internet Mail Extention

  • Encapsulates multimedia documents

    - sound, pictures, postscript files

  • Threat : postscript escape to system

Usenet news
Usenet News

  • Usenet news, world wide bulletin board

  • Network News Transfer Protocol

  • Similar to SMTP

  • Nntpd

  • Authorization: accept connections only from known friendly neighbors

Network management snmp
Network Management (SNMP)

  • SNMP: Simple Network Management Protocol

  • Uses UDP

  • Architecture

    - The snmpd agent

    - Management Information Base (MIB)

  • Network Management stations is client

  • Threats:

    - Uses “community name” for authentication

  • Default community name is “public”

  • Community name is passed in the clear

    - Do not expose to outside

    SNMP v2 - provides Authentication of parties and Encryption of date

Remote login telnet
Remote Login (Telnet)

  • Telnet: terminal access to remote host

  • Telnetd calls login to authenticate user

  • Threat: everything (password) is passed in the clear

  • Solutions

  • Encrypted telnet

  • uses encryption for data encryption

  • Not standard yet - one time passwords

Trivial file transfer protocol tftp
Trivial File Transfer Protocol (TFTP)

  • Trivial FTP

  • UDP - based

  • Boot X-terminals, diskless workstations

  • Threat: no authentication at all

  • Tftpd restricts access to “/usr/local/boot”

    - if not: get “/etc/password”

  • Don’t run tftp if you don’t need it

File transfer protocol ftp
File Transfer Protocol (FTP)

  • Internet standard for file transfer

  • User must log in (pwd sent in the clear)

  • Require 2 channels

    - Control channel to remote host

    - Separate data channel set-up by server

  • Request initiated from outside

  • Allow incoming TCP connections?

  • Better solution: PASV mode

    - Server creates random port and sends it to client

    - Data connection is established by client

    - Must be supported by vendor

Remote procedure calls rpc
Remote Procedure Calls (RPC)

  • RPC message header includes

    - Program and procedure number

    - Sequence number to match queries with replies

    - Authentication area: easy to forge !


    user ID, group ID

    name of calling machine

  • Portmapper

    - Provides clients with port number for service on servers

    - Provides a call to unregister a service

    - Provides info on services that it is running

    - May forward the client call directly to the sever carrying the Portmapper owns address, masking the source of the call!

  • Recommendation: bloc RPC calls from outside

  • Caution: NFS, NIS are based on RPC

Nfs nis

  • NIS, yellow pages (yp)

    - most dangerous RPC application

    -Weak authentication (domain name)

    - Distributes data (password file, hosts table)

    - Do not run on exposed machine

    - Secure (encrypted RPC)

  • Network File System

    - Based on RPC

    - Threat: lots of security problems

    - “showmount -e host.domain: shows all exported file systems

  • Do not run on exposed machine

Remote command execution
Remote Command Execution

  • rlogin, rsh, rcp, rexec

  • rlogin to remote machine if authentication is done as follows

  • - Call from reserved port

  • - Calling machine and user listed in /etc/hosts.equiv or $HOME/.rhosts- Callers name corresponds to IP address

  • Very weak authentication scheme

  • - Reserved port on PC’s doesn’t make and security sense

  • - Reading above files can be done through a number of ways such as ftp, uucp. Etc.

  • One subverted machine opens the door to many others

X11 systems
X11 Systems

  • Users terminal is server which controls the interaction devices

  • Applications connect to the server and talk to the user just by knowing the server’s address

  • Exposure: passwords can be read remotely

  • Threat: X11 servers use port 6000, thus X11 servers on the internet can be probed

The world wide web
THE World Wide Web

  • WWW (W3, the Web) most popular information service

    - Others: archie, gopher, veronica

  • CERN project on distributed hypermedia

  • Hypertext-based information service

    - Text points to other documents

    - may be on other hosts

  • Interactive, gui, multimedia (pictures, sound, video)

  • Browsers: Mosaic, Netscape, IE)

  • Companies on the net

    - Produce information

    - Software patches

    - Commercial transactions

Http and html

  • HTTP: HyperText Transport Protocol

  • HTTPD: WWW server process

  • HTML: HyperText Markup Language

    - Standard scripting language for hypermedia documents

  • Hyperlink in document

    - points to other server

  • URL (Uniform Resource Locator)

    - specifies an object on the internet



Www security
WWW Security

  • Data-driven attacks

  • HTML may include “scripts” (Java)

  • Secure HTTP

    - Uses cryptography

    - SHTTP

    - SSL (secure sockets layer)

  • Secure e-commerce

Firewall components
Firewall Components

  • What you should be able to do

  • Describe the following:

  • Packet filters

  • Proxy Servers

  • Sock Servers


  • Describe the purposes of

    - Packet filter

    - Proxy Server

    - Socks Server

Firewall security policy
Firewall Security Policy

  • A firewall is not a host, router, but a systematic approach to network security

  • A firewall implements a security policy in terms of:

    - network configuration

    - hosts

    - routers

  • - other security measures (one-time passwords)

Firewalls implement policies
Firewalls Implement Policies

  • Interface Policy - allow or disallow direct routing between secure networks and internet

  • Internal Policy - allow some or all protocols for some or all users

  • External Policy - allow some or all or no protocols from some or all internet sources

  • Security guidelines define the network configuration and application services

  • Network configuration and application services define end-user capabilities/constraints

Packet filtering
Packet Filtering

  • Forward/drop packets based on IP information

  • Typically implemented in router (screening router)

  • Each packet is filtered separately, no “context”

  • Rules:

    - Allow, deny forwarding of packets

    - Matched in order, stops at first match

    - Default rule : deny

    - Wildcards for addresses, ports

    - Vendor specific syntax

Filtering rules
Filtering Rules

  • Rules based on hosts

    - Only permit access to mail host

  • On direction

    - Rules apply to specific interface

    - incoming, outgoing

  • On Protocol (TCP. UDP, ICMP….)

  • On Port Service

    - Destination port only (most routers)

    - Some services use random ports (RPC, portmapper)

  • Established connections

    - TCP handshake

    - SYN and ACK filed

    - Connection request has SYN but not ACK Field

Filtering guidelines
Filtering Guidelines

  • Default: Block everything

  • Add services you want to use explicitly

    - Mail

    - To Mail host only

  • Filtering rules are complex

    - Order Dependent\

    - No Testing facility

    - Difficult to manage

Proxy server
Proxy Server

  • Mediates IP traffic between protected internal network and the Internet

  • Work on the application Level

  • Each proxy server understands its own application protocol

    - Different proxy servers: telnet, WWW, FTP

    - Also called an application gateway

Proxy advantages
Proxy Advantages

  • Information hiding (host name, IP address)

  • Authentication and logging

  • Secure: a proxy for the service must exist

  • Less complex filtering of screening router

  • - allow only application gateway

  • Drawbacks

  • - Two-step process

  • - Modified client (sometimes)

  • Sendmail as a proxy server

Socks server
Socks Server

  • Socks stands for: ”Internal Socket Service”

  • Socks works on the TCP layer ( less protocol processing than proxies)

  • sockd daemon runs on the firewall host and intercepts and redirects TCP/IP packets

  • Clients tell the sockd where to connect which requires modified clients

  • socks can authenticate the users/clients (identd Handshake)

  • - Protocol which allows the client host to ask a server whether a User ID is valid (RFC 1413)

Socks advantages
Socks Advantages

  • Information Handling (host name, IP address)

  • Authentication and logging

  • Secure: a permission for the services must exist

  • Less complex filtering of screening router

  • Better performance that a proxy server

  • Drawback - Modified client

Screening router
Screening Router

  • Most IP routers also implement packet filtering

  • Filtering rules are complex

  • Not very safe

  • If compromised: whole network is exposed

Bastion host
Bastion Host

  • Bastion: Highly-fortified host, “has strong walls”

  • Only visible machine exposed to the outside

  • Only exposed host: should be well protected

  • Not user accounts

  • A bastion host may be single-homed or dual-homed

Dual homed gateway
Dual-homed Gateway

  • Two network interfaces

  • No IP forwarding

  • Simple but not very secure

Screened host
Screened Host

  • Consists of a screening router, bastion host (functioning as an application gateway) using proxies or socks

  • Very Flexible

Screened subnet dmz
Screened Subnet (DMZ)

  • Separate network with 2 screening routers: one connects to the internal network and the other to the internet.

  • More complex

  • 2 routers should not allow for any direct IP traffic through the DMZ

  • No internal system is allowed direct connections to the internet (socks or proxies only) and no internal system is reachable from the internet

A new set of problems
A New Set of Problems

  • DNS: domain names are sensitive information

  • - Run two DNS servers (“split DNS”)

  • e-mail reconfigured

  • Client applications reconfigured

  • UDP

  • - No established connections for returned data

  • - Temporary hole

  • FTP PASV Mode

Firewall solutions
Firewall Solutions?

  • Many factors

  • Cost

  • Corporate policy

  • Existing networks

  • International - Global

  • Politics