1 Securing Network Services

Upload: oliver-stanley

Post on 20-Jan-2016


TRANSCRIPT

Page 1: 1 Securing Network Services. 2 How TCP Works Set up connection between port on source host to port on destination host Each connection consists of sequence

1

Securing Network Services

Page 2

How TCP Works

Sets up a connection from a port on the source host to a port on the destination host.

Each connection consists of a sequence of numbered packets, with source (port, address), destination (port, address) and flags:
– First packet – SYN (synchronize sequence numbers)
– Response packet – SYN & ACK
– Thereafter – ACK
– Last packet – FIN & ACK

Ports are associated with services:
– 21 – FTP
– 25 – e-mail
– 80 – http
– many many more

Based on client-server model

Page 3

How UDP Works

Unreliable (not guaranteed) delivery of information between systems – no acknowledgement

Ports for UDP services:
– Port 123 – Network Time
– Port 53 – DNS
– Port 69 – TFTP
– Port 514 – Syslog
– Port 517 – Talk

Based on stateless distribution of information

Page 4

Application Services

Domain Name Service (DNS) – TCP/UDP
– Replaced /etc/hosts files
– Tree-structured query system
– Replies – either an answer or a referral to a more refined domain

Mail – TCP (port 25)

FTP – file transfer protocol – TCP

HTTP – World Wide Web – TCP

Page 5

TCP/IP Services

Many have security risks:
– Ways to access your computers
– Information on your computers and your users

Can block them all (paranoid approach)

More often – keep some, block others

Blocking method – firewalls
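The "keep some, block others" approach from this slide, applied to the TCP handshake of slide 2 and the UDP ports of slide 3, as an added example that is not part of the original deck: a minimal default-deny stateful filter. The allowed port set, the `Packet` record and the addresses used in the demo are constructed assumptions.

```python
"""Added example (not from the slides): a minimal stateful packet filter for the
"keep some, block others" approach. Allowed service ports are the ones slides 2
and 3 list; the Packet record and sample addresses are constructed."""
from dataclasses import dataclass

# Services this host chooses to expose; everything else is blocked by default.
ALLOWED_SERVICES = {("tcp", 21), ("tcp", 25), ("tcp", 80), ("udp", 53), ("udp", 123)}


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: tuple                       # (address, port)
    dst: tuple                       # (address, port)
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


class StatefulFilter:
    """Default-deny filter: a TCP packet passes only if it is a SYN to an allowed
    port or belongs to a connection whose SYN was already accepted."""

    def __init__(self, allowed):
        self.allowed = allowed
        self.conns = {}  # (client, server) -> "SYN_SEEN" | "ESTABLISHED"

    def decide(self, pkt):
        if pkt.proto == "udp":  # stateless: only the destination port matters
            return "ACCEPT" if ("udp", pkt.dst[1]) in self.allowed else "DROP"
        fwd = (pkt.src, pkt.dst)   # client -> server direction
        rev = (pkt.dst, pkt.src)   # server -> client direction
        if pkt.flags == {"SYN"}:   # first packet of a new connection
            if ("tcp", pkt.dst[1]) not in self.allowed:
                return "DROP"
            self.conns[fwd] = "SYN_SEEN"
            return "ACCEPT"
        if rev in self.conns and "ACK" in pkt.flags:   # SYN&ACK or later server replies
            return "ACCEPT"
        if fwd in self.conns and "ACK" in pkt.flags:   # handshake ACK, data, FIN&ACK
            self.conns[fwd] = "ESTABLISHED"
            if "FIN" in pkt.flags:   # last packet: forget the connection
                del self.conns[fwd]
            return "ACCEPT"
        return "DROP"  # unsolicited packet with no matching connection

    def half_open(self):
        """Connections that never completed the handshake: worth logging, since a
        pile of them usually means port scanning or a SYN flood."""
        return [k for k, v in self.conns.items() if v == "SYN_SEEN"]
```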

Page 6

General Points

Will discuss a variety of services with security implications:
– Not a full list of internet services
– Not a full list of security problems

Administrators need to understand the implications before offering a service:
– CERT advisories
– Configuration options
– Prudent attitude

Page 7

User Education

• Suspicious network behavior

• Suspicious user behavior

• Who to contact

• When to contact

• Exercises

Page 8

Web

WWW: World Wide Web
– System for automated information exchange
– Allows rapid access to flexibly-presented information
– Well over 50% of Internet traffic

Presentation Options:
– Formatted Hypertext
– Bitmap graphics
– Program execution (CGI scripts, Applets, etc.)
– Audio
– Movies
– Many more

Page 9

WWW Threats

• Exploitation of server or script bugs

• Disclosure of unauthorized information

• Interception of confidential information

• Information loading from web client by rogue server

• Dependence on licensed software

Page 10

WWW Risky Options

• Server-side includes

• Sending email from server

• Accessing PERL on server

• Spawning sub-processes

• Calling scripts outside of controlled directories

• Mixing HTTP and anonymous FTP

Page 11

WWW Access Control

• Configure scripts to be read and executed only by server

• Use prudent access to exported files

• Don’t use per-directory access files

• Use certified public keys for access

• Use server-side password for access
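Two of the points above (scripts called only from controlled directories on slide 10, scripts readable and executable only by the server on slide 11), as an added example that is not from the original deck: checks a server can run before executing a script. `SCRIPT_ROOT`, the server uid 33 and the `fake_stat` values are constructed assumptions.

```python
"""Added example (not from the slides): two checks a web server can apply before
running a script, matching the slides' advice to keep scripts inside controlled
directories and readable/executable only by the server. SCRIPT_ROOT, SERVER_UID
and the fake_stat values are constructed assumptions."""
import os
import stat
from pathlib import Path

SCRIPT_ROOT = Path("/srv/www/cgi-bin")   # assumed controlled script directory
SERVER_UID = 33                          # assumed uid the server runs as


def resolve_script(root, requested):
    """Real path of `requested` if it stays inside `root`, else None.
    '..' segments and symlinks are resolved before the containment test."""
    root = Path(root).resolve()
    candidate = (root / requested.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None   # escaped the controlled directory
    return candidate


def permissions_ok(st, server_uid):
    """Owned by the server account and no group/other bits at all, so nobody
    but the server can read or execute the script."""
    return st.st_uid == server_uid and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_script(requested, root=SCRIPT_ROOT, server_uid=SERVER_UID, stat_fn=os.stat):
    """Combined decision; stat_fn is injectable so the example runs offline."""
    path = resolve_script(root, requested)
    if path is None:
        return "denied: outside controlled directory"
    try:
        st = stat_fn(path)
    except FileNotFoundError:
        return "denied: no such script"
    if not permissions_ok(st, server_uid):
        return "denied: wrong owner or permissions too open"
    return "ok"


def fake_stat(mode, uid):
    """Constructed stat result for offline use; field order is
    mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime."""
    return os.stat_result((mode, 0, 0, 1, uid, uid, 0, 0, 0, 0))
```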

Page 12

WWW Privacy

Network-side:
– Link encryption
– Document encryption
– Secure Socket Layer
– Secure HTTP
– All subject to limitations on encryption

Log files:
– Restrict access
– Don't retain on server machine
– Use syslogd
– Warn users about logging

Page 13

Web Browsers

• Executing code from the net

• Trusting vendors / Licensing

• Dependence on third parties

Page 14

RPC – Remote Procedure Call

a) Calling program calls client code and waits
b) Client code bundles parameters into message to server (XDR – external data representation)
c) Server executes call with supplied data, returning result in message to client code
d) Client code returns result to calling program

Requires:
– Client knowing server
– Client & Server agree on communication (portmapper)

Authentication:
– Auth_none – live fast, die young
– Auth_UNIX – UID/GID authentication (trust client)
– Auth_DES – Secret/public key authentication (Diffie/Hellman key exchange, DES encryption)
– Auth_KERB – Kerberos authentication
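The "Auth_UNIX – trust client" point above, as an added example that is not from the original deck: XDR encoding and server-side decoding of an RPC AUTH_UNIX credential. The decoded fields are exactly what the client chose to send; nothing in the credential is something the server can verify, which is why the slide says the server simply trusts the client. The host name, uid and gids are constructed sample values.

```python
"""Added example (not from the slides): XDR encoding and decoding of an RPC
AUTH_UNIX credential, the slide's 'Auth_UNIX - trust client' flavor. The fields
are whatever the client puts in them; the sample values are constructed."""
import struct

AUTH_UNIX = 1   # flavor number of AUTH_UNIX (AUTH_SYS) in the RPC protocol


def xdr_uint(n):
    return struct.pack(">I", n)          # XDR integers are 4-byte big-endian


def xdr_opaque(data):
    pad = (-len(data)) % 4               # variable-length data is padded to 4 bytes
    return xdr_uint(len(data)) + data + b"\0" * pad


def encode_auth_unix(stamp, machine, uid, gid, gids):
    """opaque_auth = flavor + opaque body; body = stamp, machinename, uid, gid, gids[]"""
    body = xdr_uint(stamp) + xdr_opaque(machine) + xdr_uint(uid) + xdr_uint(gid)
    body += xdr_uint(len(gids)) + b"".join(xdr_uint(g) for g in gids)
    return xdr_uint(AUTH_UNIX) + xdr_opaque(body)


class XdrReader:
    """Cursor over an XDR byte string."""

    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def uint(self):
        (n,) = struct.unpack_from(">I", self.buf, self.off)
        self.off += 4
        return n

    def opaque(self):
        n = self.uint()
        data = self.buf[self.off:self.off + n]
        self.off += n + (-n) % 4         # skip the data and its padding
        return data


def decode_auth_unix(buf):
    """Server-side view of the credential. Note what is absent: no signature,
    no key, nothing the server can check; it can only trust the uid as sent."""
    r = XdrReader(buf)
    if r.uint() != AUTH_UNIX:
        raise ValueError("not an AUTH_UNIX credential")
    body = XdrReader(r.opaque())
    cred = {"stamp": body.uint(), "machine": body.opaque(),
            "uid": body.uint(), "gid": body.uint()}
    cred["gids"] = [body.uint() for _ in range(body.uint())]
    return cred
```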

Page 15

Kerberos

Produced for MIT project ATHENA

Authenticates:
• User to client and server
• Client to server
• Server to client

Centralized and stateless
• Passwords stored unencrypted on central server
• Never transmitted across network

Page 16

Kerberos Protocols

Login:
– User enters username and password
– Client sends username and current time encrypted with password
– Server decrypts information and verifies valid user
– Returns session key encrypted with user password

Service Request:
– Client sends request to ticket-granting server, encrypted with session key
– TGS responds with identity of server and encrypted ticket, all encrypted with session key
– Client passes encrypted ticket to server with client IP and username