tcp/ip - security perspective upper layers

TCP/IP - Security PerspectiveUpper Layers

CS-431

Dick Steflik

Application Layer Protocols• Messaging Protocols

• SMTP, POP, MIME, IMAP, IM• Telephony

• H.323, SIP (used with VoIP)• RPC Based Protocols

• NIS, NFS, Andrew• File Transfer Protocols

• TFTP, FTP, SMB

• Remote Login• Telnet, rlogin, Ssh,

• Information Services• Finger, whois, LDAP, WWW,NNTP

• Proprietary Protocols• RealAudio, SQL’Net, VNC

SMTP

• Biggest problem is figuring out who a piece of mail is really from• Must use a higher level mechanism for trust or

privacy• Most SMTP clients use sendmail which has

been a constant source of security problems for years

MIME

• MIME headers could be hand crafted by hacker to overwrite data

• MIME fragmentation could subvert virus checkers ability to detevt embedded virus’

• Mailing of executable programs

POP

• Pretty insecure• Passwords not secure, sent as clear text• Exchanges are done as clear text• Can be done over SSL/TLS • Some UNIX systems POP runs as root until

user is authenticated and then switches to that userid, never good to have servers running as root (many sysadmins set up to run servers as nobody)

IMAP

• Authentication is better than in POP but still not great (shared secret)

• Complex protocol, leaves many possibilities for hackers to try to subvert the protocol

• Not as popular as POP

• Used more on intranets than the internet

IM

• Very popular on the Internet but very dangerous on intranets connected to the internet due to employees inadvertently leaking private data onto the public media.

• Use commercial systems if needed on an intranet, possibly with encryption

RPC & Rpcbind• Developed by Sun Microsystems• Popular way of implementing distributed

computing• Authentication is weak, some versions used

Kerberos based some use DES based shared session keys

• Rpcbind will advertise all registered services and allow them to be unregistered (by a wiley hacker)

• Rpcbind calls can be indirectly forwarded making verification of source hard to determine

NIS (Network Information Service)

• Used to distribute certain databases– Password files– Hosts file– Public and private key databases

• Never run NIS on exposed (to the internet) machines

• Configuration is very important.

NFS (Network File System)

• RPC and UDP based

• Pools unused storage on distributed machines into a virtual hard disk (rpcbind provides addressing information)

• Port 2049 (normally)

• Same problems as other RPC based systems

AFS (Andrew File System)

• Developed by Carnagie-Mellon, takenover by IBM

• Same goal as NFS, global disk pooling for an organization

• Kerberos based authentication

• More secure than NFS (but is a product and must be purchased ($))

TFTP (Trivial FTP)

• Simple UDP based protocol

• No authentication

• Used to update flash memories in many appliance type devices and mother boards

• Also used in booting routers, diskless workstations and X11 terminals

• Should only be run locally, never expose to internet as a fast version of FTP

FTP

• Command channel uses telnet, so same problems as telnet

• Port command often used as a source of attacks• Anonymous FTP is very common, make sure that files

owned or writeable by the FTP login are in the anonymous area

• Avoid any system type files in the anonymous area• Place FTP servers supporting anonymous areas in your

protected DMZ don’t expose internal FTP servers to the Internet

• Better to use SSH based file transfer programs

Telnet

• Though commonly used better to have users use Ssh– Most UNIX/Linux machines have SSH built in

to the OS distribution, no reason not to use

• Use telnet on intranet not on Internet

SSH

• Designed to replace rlogin, rdist, rsh, rcp• Custom designed protocol but includes

encryption– IETF currently working on standardization

• Can safely tunnel X11 or arbitrary TCP ports• Commercial and Open versions

– OpenSSH on most Linux – Putty is a free windows client– Can tunnel other protocols through a firewall