Information Security Advanced

Custom report | A. Jamil Alagha (/JamiL.Alagha, /JamiLALagha)

Posted 18-Dec-2014

DESCRIPTION

A report about advanced topics in information security, covering several types of attacks and their defenses.

TRANSCRIPT

Page 1: Information security advanced

Custom Report

Information Security Advanced

Report | A. Jamil Alagha

/JamiL.Alagha

/JamiLALagha

Page 2: Information security advanced

Agenda

Session Hijacking

Attack

SYN flood

Sequence predictability

Internet Control Message Protocol (ICMP)

Firewalls

The Demilitarized Zone – DMZ

E-Mail Security

Email Communication Risks and Problems

Report | A. Jamil Alagha ©2013

Page 3: Information security advanced

Session Hijacking

• Session hijacking is used against services with persistent login sessions, such as Telnet, rlogin, or FTP, and can cause a great deal of damage.

Page 4: Information security advanced

Attacks

• Two attacks build on this technique:

– SYN flood

– Sequence predictability

Page 5: Information security advanced

SYN Flood Attack - 1

• A SYN flood uses the TCP connection request (SYN).

• The SYN is sent to the target computer with the source IP address in the packet “spoofed”: either

– an address that belongs to another computer, or

– an address that is not in use on the Internet.

Page 6: Information security advanced

SYN Flood Attack - 2

• When the target computer receives the connection request, it allocates resources (memory + wait) to handle and track the new connection.

– A SYN_RECEIVED state is stored in a buffer register awaiting the return response (ACK) from the initiating computer, which would complete the three-way handshake.

• It then sends out a SYN-ACK.

– If the response is sent to the “spoofed,” nonexistent IP address, there will never be a response.

– If the SYN-ACK is sent to a real computer, that computer checks to see if it has a SYN in its buffer for that IP address. Because it does not, it ignores the request.

– The target computer retransmits the SYN-ACK a number of times.

– After a finite amount of wait time, the original SYN request is purged from the buffer of the target computer.

• This condition is known as a half-open socket.

Page 7: Information security advanced

SYN Flood Attack - 3

• As an example, the default configuration for a Windows NT 3.5x or 4.0 computer is to retransmit the SYN-ACK five times, doubling the timeout value after each retransmission.

• The initial timeout value is 3 seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds.

• After the last retransmission, 96 seconds are allowed to pass before the computer gives up on receiving a response and deallocates the resources that were set aside earlier for the connection.

• The total elapsed time that resources are in use is 189 seconds.

• ASS: what about Linux?

Page 8: Information security advanced

[Figure: client C sends SYNC1 … SYNC5 to server S (Listening); S stores data for each half-open connection.]

Page 9: Information security advanced

SYN Flood Attack - 4

• An attacker will send many of these TCP SYNs to tie up as many resources as possible on the target computer.

• Because the buffer for the storage of SYNs is of finite size, numerous attempts can overflow it.

• The effect of tying up connection resources varies, depending on the TCP/IP stack and the applications listening on the TCP port.

– For most stacks, there is a limit on the number of connections that can be in the half-open SYN_RECEIVED state.

– Once the limit is reached for a given TCP port, the target computer responds with a reset to all further connection requests until resources are freed.

– Using this method, an attacker can cause a DoS on several ports.

Page 10: Information security advanced

SYN Flood Attack - 5

• Finding the source of a SYN flood attack can be very difficult.

– A network analyzer can be used to try to track down the problem, and it may be necessary to contact the ISP for assistance in attempting to trace the source.

• Firewalls should be set up to reject packets from the external network that carry any IP address from the internal network.

Page 11: Information security advanced

Sequence Predictability

• The ability to guess sequence numbers is very useful to intruders, because they can create a short-lived connection to a host without having to see the reply packets.

– This ability, taken in combination with the fact that many hosts have trust relationships that use IP addresses as authentication, that packets are easily spoofed, and that individuals can mount DoS attacks, means one can impersonate the trusted systems to break into such machines without using source routing.

Page 12: Information security advanced

Sequence Predictability

• If an intruder wants to spoof a connection between two computers so that the connection seems as if it is coming from computer B to computer A, using the intruder’s computer C, it works like this:

1. The intruder uses computer C to mount a SYN flood attack on the ports on computer B where the impersonation will take place.

2. Computer C sends a normal SYN to a port on computer A.

3. Computer A returns a SYN-ACK to computer C containing computer A’s current Initial Sequence Number (ISN).

Page 13: Information security advanced

Sequence Predictability

4. Computer A internally increments the ISN.

– This incrementation is done differently in different operating systems (OSs). Operating systems such as BSD, HPUX, Irix, SunOS (not Solaris), and others usually increment by $FA00 for each connection and double each second.

– With this information, the intruder can now guess the ISN that computer A will pick for the next connection.

– Now comes the spoof.

5. Computer C sends a SYN to computer A using the source IP spoofed as computer B.

6. Computer A sends a SYN-ACK back to computer B, containing the ISN. The intruder on computer C does not see this, but the intruder has guessed the ISN.

Page 14: Information security advanced

Sequence Predictability

7. At this point, computer B would respond to computer A with an RST, because computer B does not have a SYN_RECEIVED from computer A. Since the intruder used a SYN flood attack on computer B, it will not respond.

8. The intruder on computer C sends an ACK to computer A, using the source IP spoofed as computer B, containing the guessed ISN+1.

– If the guess was correct, computer A now thinks there has been a successful three-way handshake and the TCP connection between computer A and computer B is fully set up.

– Now the spoof is complete. The intruder on computer C can do anything, but blindly.

9. Computer C sends echo + + >>/.rhosts to port 514 on computer A.

10. If root on computer A had computer B in its /.rhosts file, the intruder has root.

Page 15: Information security advanced

Sequence Predictability

11. Computer C now sends a FIN to computer A.

– It could be brutal and send an RST to computer A just to clean things up.

– It could also send an RST to the SYN-flooded port on B, leaving no traces.

Page 16: Information security advanced

SYN flood + sequence predictability

• To prevent such attacks:

– Prevent SYN flood attacks by discarding the first SYN packet (this causes a delay for legitimate users).

– One should NEVER trust anything from the Internet.

– Routers and firewalls should filter out any packets coming from the external (sometimes known as the red) side of the firewall that have an IP address of a computer on the internal (sometimes known as the blue) side.

• This only stops Internet trust exploits; it will not stop spoofs that build on intranet trusts.

– Companies should avoid using rhosts files wherever possible.

• The /etc/hosts.equiv and .rhosts files provide the "remote authentication" database for rlogin, rsh, and rcp.

• The files specify remote hosts and users that are considered "trusted".

• Trusted users are allowed to access the local system without supplying a password.

• The /etc/hosts.equiv file applies to the entire system, while individual users can maintain their own .rhosts files in their home directories.
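As an added example (not the slides’ own code), the following checker audits /etc/hosts.equiv and .rhosts contents for the wildcard trust entries described above, including the `+ +` line that the sequence-prediction attack on the earlier slide appends to root’s /.rhosts. The severity labels, the handling of `+@netgroup` entries and the sample file contents are assumptions constructed for the example.

```python
"""Audit the rlogin/rsh/rcp trust files /etc/hosts.equiv and ~/.rhosts.

Added example, not from the slides.  Each entry is `host [user]`; a `+` in
either field is a wildcard, so the `+ +` line that the attack above appends
to /.rhosts lets every user on every host log in as root without a password.
Comments start with `#`; entries starting with `-` are denials and are skipped.
The sample file contents below are constructed.
"""
from dataclasses import dataclass

SEVERITY_ORDER = {"critical": 0, "high": 1, "info": 2}


@dataclass
class Finding:
    path: str
    line_no: int
    text: str
    severity: str
    reason: str


def audit_trust_file(path: str, content: str) -> list:
    """Return one Finding per trust entry, most severe first."""
    findings = []
    for n, raw in enumerate(content.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()        # drop comments
        if not entry or entry.startswith("-"):       # blank line or denial
            continue
        fields = entry.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        if host == "+" and user == "+":
            sev, why = "critical", "any user on any host is trusted"
        elif host == "+":
            sev, why = "critical", "any host is trusted for the local account(s)"
        elif user == "+":
            sev, why = "high", f"every user on {host} is trusted"
        elif host.startswith("+@"):
            sev, why = "high", f"the whole netgroup {host[2:]} is trusted"
        else:
            sev, why = "info", f"{host} is trusted" + (f" (user {user})" if user else "")
        findings.append(Finding(path, n, raw, sev, why))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.line_no))


def worst_severity(findings: list) -> str:
    """Single verdict for a file: 'none' when it grants no trust at all."""
    return findings[0].severity if findings else "none"


# Constructed: root's /.rhosts after the `echo + + >>/.rhosts` step above.
SAMPLE_ROOT_RHOSTS = """\
# trusted build server
buildhost.internal.example root
-badhost.internal.example
+ +
"""

# Constructed: a system-wide /etc/hosts.equiv trusting a netgroup.
SAMPLE_HOSTS_EQUIV = """\
fileserver.internal.example
+@admins
"""

if __name__ == "__main__":
    for path, content in (("/.rhosts", SAMPLE_ROOT_RHOSTS),
                          ("/etc/hosts.equiv", SAMPLE_HOSTS_EQUIV)):
        for f in audit_trust_file(path, content):
            print(f"{f.severity:8} {f.path}:{f.line_no}: {f.text!r}: {f.reason}")
```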

Page 17: Information security advanced

Internet Control Message Protocol (ICMP)

• ICMP is a major component of the TCP/IP Internet Layer.

• It is used for flow control, detecting unreachable destinations, redirecting routes, and checking remote hosts.

• Most users are interested in checking a remote host, which is accomplished by PING: sending an ICMP Echo Message.

Page 18: Information security advanced

ICMP

• When a system receives an ICMP Echo Message, it places the message in a buffer and then retransmits the message from the buffer back to the source.

– Due to the buffer size, the ICMP Echo Message size cannot exceed 64K.

• UNIX hosts, by default, will send an ICMP Echo Message that is 64 bytes long. They will not allow a message of over 64K.

• Microsoft Windows NT hosts can send longer messages; they do not place an upper limit on these messages.

– Intruders have been sending messages of 1 MB and larger. When these messages are received, they cause a buffer overflow on the target host.

– Different operating systems will react differently to this buffer overflow. The reactions range from rebooting to a total system crash.

Page 19: Information security advanced

Firewalls

• The first line of defense between the Internet and an intranet.

• A firewall is a multi-homed host placed in the Internet route, such that it stops and can make decisions about each packet that wants to get through.

• It performs a different function from a router.

– A router can be used to filter out certain packets that meet a specific criterion (e.g., an IP address), and processes the packets only up through the IP Layer.

– A firewall stops all packets; all packets are processed up through the Application Layer.

– Routers cannot perform all the functions of a firewall.

Page 20: Information security advanced

Firewalls

• A firewall should meet at least the following criteria:

– For an internal or external host to connect to the other network, it must log in on the firewall host.

– All electronic mail is sent to the firewall, which in turn distributes it.

– Only required users should have accounts on the firewall host.

• A firewall should not

– mount file systems via NFS, nor should any of its file systems be mounted,

– run NIS (Network Information Service),

– trust any other host.

Page 21: Information security advanced

The Demilitarized Zone - DMZ

• Companies want an Internet presence: FTP and WWW sites, plus hosts set up to act as a proxy server for Internet mail and as a Domain Name Server (DNS).

• The hosts that sponsor these functions cannot be on the inside of the firewall.

• Therefore a demilitarized zone (DMZ), or perimeter network, is created: a segment between the router that connects to the Internet and the firewall.


Page 23: Information security advanced

Proxy Servers – a One Image

• A proxy host is a dual-homed host (it has at least two network interfaces) that is dedicated to a particular service or set of services, such as mail.

– All external requests to that service directed toward the internal network are routed to the proxy.

– The proxy host then evaluates the request and either passes the request on to the internal service server or discards it.

– The reverse is also true: internal requests are passed to the proxy from the service server before they are passed on to the Internet.

• One of the functions is to protect the company from advertising its internal network scheme.

• Most proxy software packages contain network address translation (NAT). Take, for example, a mail server.

– The mail from [email protected] would be translated to [email protected] as it went out to the Internet.

– Mail sent to [email protected] would be sent to the mail proxy. Here it would be readdressed to [email protected] and sent to the internal mail server for final delivery.

Page 24: Information security advanced

Testing the Perimeter

• Using the Internet means taking risks, and those risks must be recognized.

• The Internet and intranets change: new protocols, new applications, and new technologies.

• A company’s security practices have to adapt to these changes.

• The security process should be viewed as forming a circle.

– The first step is to assess the current state of security within one’s intranet and along the perimeter.

– Once one understands where one is, then one can deploy a security solution.

– If you do not monitor that solution by enabling some detection and devising a response plan, the solution is useless.

Page 25: Information security advanced

Testing the Perimeter

• The assessment process may be repeated: the solution is monitored and tested, further weaknesses are learned and dealt with, and this continuous improvement ensures protection.

• As part of the process, a company must perform some sort of vulnerability checking on a regular basis. This can be done by the company itself, or it may choose to have an independent group do the testing.

• The company’s security policy should state how the firewall and the other hosts in the DMZ are to be configured, how they are to be validated, and how they are then periodically checked to ensure that they have not changed.

– The checks may find additional weaknesses, in which case the policy needs to be changed.

– Security = updated technology + clear policy (outlining the procedures).

Page 26: Information security advanced

Testing the Perimeter

• DNS records are one source of information.

• There are two basic DNS services:

– Lookup activities, used to resolve IP addresses into host names or to do the reverse.

– A zone transfer, which happens when one DNS server (a secondary server) asks another DNS server (the primary server) for all the information that it knows about a particular part of the DNS tree (a zone).

• Zone transfers should happen only between DNS servers that are supposed to be providing the same information, but users can also request a zone transfer.

Page 27: Information security advanced

Testing the Perimeter

• A good security policy is to disallow zone transfers on external DNS servers.

– A zone transfer is accomplished using the nslookup command in interactive mode, and can be used to check for information leaks.

– This procedure can show hosts, their IP addresses, and operating systems. This information can be used by an intruder to attack or spoof other hosts.

• If disallowing zone transfers is not operationally possible, then as a general rule DNS servers outside of the firewall (on the red side) should not list hosts within the firewall (on the blue side).

– Listing internal hosts only helps intruders gain network mapping information and gives them an idea of the internal IP addressing scheme.

Page 28: Information security advanced

Testing the Perimeter

• In addition to trying to do a zone transfer, the DNS records should be checked to ensure that they are correct and that they have not changed.

• Domain Information Groper (dig) is a flexible command-line tool that is used to gather information from DNS servers.

Page 29: Information security advanced

Testing the Perimeter

• The ping command has the ability to determine the status of a remote host using the ICMP Echo Message.

– If a host is running and is reachable by the message, the PING program will return an “alive” message.

– If a host is not reachable but the host name can be resolved by DNS, the program returns a “host not responding” message.

– Otherwise, an “unknown host” message is obtained.

• An intruder can use the PING program to set up a “war dialer”: a program that systematically goes through the IP addresses one after another, looking for “alive” or “not responding” hosts.

• To prevent intruders from mapping internal networks, the firewall should screen out ICMP messages. This can be done by not allowing ICMP messages to go through to the internal network or to go out from the internal network.

Page 30: Information security advanced

Testing the Perimeter

• The traceroute program is useful for network debugging and can be used to test the corporate perimeter (network components). It is used to check the “time-to-live” (ttl) parameter and routes.

– It sends a series of three UDP packets with an ICMP packet incorporated during its check; the ttl of each packet in a series is the same.

– As the ttl expires, an ICMP packet is sent back to the originating host carrying the IP address of the host where it expired.

– Each successive round uses a longer ttl. By continuing to send longer ttls, traceroute pieces together the successive hops.

• Checking the various hops not only shows the routes, but can show possible problems that may give an intruder information or leads.

– This information might show a place where an intruder might successfully launch an attack; these are hops that could be used by intruders to create DoSs.

– Duplicate entries for successive hops are indications of bugs in the kernel of that gateway or looping within the routing table.

Page 31: Information security advanced

Testing the Perimeter

• An important aspect of firewall and proxy server testing is checking the open ports and services available.

– Tools: the freeware program strobe, IBM Network Services Auditor (NSA), ISS Internet Scanner™, and AXENT Technologies NetRecon™.

– These can perform a selective probe of the target UNIX or Windows NT network communication services, operating systems and key applications, using a comprehensive set of penetration tests.

– The software searches for weaknesses most often exploited by intruders to gain access to a network, analyzes security risks, and provides a series of highly informative reports and recommended corrective actions.

Page 32: Information security advanced

Testing the Perimeter

• There have been numerous attacks in the past year that have been directed at specific ports. The teardrop, newtear, oob, and land.c attacks are only a few of the recent ones.

• Firewalls and proxy hosts should have only the minimum number of ports open. By default, the following ports are open as shipped by the vendor, and should be closed:

– echo on TCP port 7

– echo on UDP port 7

– discard on TCP port 9

– daytime on TCP port 13

– daytime on UDP port 13

– chargen on TCP port 19

– chargen on UDP port 19

– NetBIOS-NS on UDP port 137

– NetBIOS-ssn on TCP port 139

Page 33: Information security advanced

Testing the Perimeter

• Other sources of information leaks are the Telnet, FTP, and Sendmail programs.

– They all, by default, advertise the operating system or service type and version, and may also advertise the host name.

– This feature can be turned off, and a more appropriate warning message should be put in its place.

• Sendmail has a feature that will allow the administrator to expand or verify users. This feature should not be turned on on any host in the DMZ.

– An intruder would only have to Telnet to the Sendmail port to obtain user account names.

– There are a number of well-known user accounts that an intruder would test.

– This method works even if the finger command is disabled.

Page 34: Information security advanced

Testing the Perimeter

• VRFY and EXPN

– VRFY asks the server to verify an address. Its parameter may be an encoded address or a user name in a server-defined format.

– EXPN asks the server for the membership of a mailing list. Its parameter may be an encoded address or a list name in a server-defined format.

– Both allow an intruder to determine if an account exists on a system and can provide a significant aid to a brute-force attack on user accounts.

• If you are running Sendmail, add the lines Opnovrfy and Opnoexpn to your Sendmail configuration file, usually located at /etc/sendmail.cf.

• With other mail servers, contact the vendor for information on how to disable the verify command.

Page 35: Information security advanced

Testing the Perimeter

• Another important check that needs to be run on the hosts in the DMZ is a validation that the system and important application files are valid and not hacked.

• This is done by running a checksum or a cyclic redundancy check (CRC) on the files.

• Because these values are not stored anywhere on the host, external applications need to be used for this function.

• Some suggested security products:

– freeware applications such as COPS and Tripwire, or

– third-party commercial products like AXENT Technologies Enterprise Security Manager™ (ESM), ISS RealSecure™ or Kane Security Analyst™.
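An added example (not Tripwire, COPS or any product named above) of the file-validation check this slide describes: it baselines a file tree, stores the digests away from the monitored host, and reports changed, added and removed files. It uses SHA-256 instead of the CRC the slide mentions, and the sample file tree is constructed in a temporary directory.

```python
"""File-integrity check for DMZ hosts in the spirit of Tripwire/COPS.

Added example, not the slides' or any product's code.  It uses SHA-256 rather
than the CRC the slides mention (a CRC catches accidental corruption, but an
intruder can trivially forge it), and the baseline is meant to be written to
and read from read-only media or another host, since values stored on the
monitored host can be edited along with the files.  The sample file tree used
by demo() is constructed in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its digest.
    Symlinks are skipped so a link pointing outside root is not followed."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = file_digest(path)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the stored baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Baseline a constructed mini system tree, tamper with it, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "etc").mkdir(parents=True)
        (root / "usr" / "sbin").mkdir(parents=True)
        (root / "etc" / "sendmail.cf").write_text("Opnovrfy\nOpnoexpn\n")
        (root / "etc" / "inetd.conf").write_text("ftp stream tcp nowait root /usr/sbin/ftpd\n")
        (root / "usr" / "sbin" / "ftpd").write_bytes(b"\x7fELF original daemon")

        store = Path(tmp) / "baseline.json"      # stands in for off-host storage
        save_baseline(build_baseline(root), store)

        # Simulated tampering: trojaned binary, loosened config, new trust
        # file, deleted config.
        (root / "usr" / "sbin" / "ftpd").write_bytes(b"\x7fELF trojaned daemon")
        (root / "etc" / "sendmail.cf").write_text("Opnoexpn\n")
        (root / "etc" / "hosts.equiv").write_text("+ +\n")
        (root / "etc" / "inetd.conf").unlink()

        return verify(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```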

Page 36: Information security advanced

E-Mail Security

Page 37: Information security advanced

Communication Layers


Page 38: Information security advanced

Current E-mail Standards

Four primary areas:

• SMTP (Simple Mail Transfer Protocol)

• “Standard for the Format of ARPA Internet Text Messages”

• DNS (Domain Name System)

• S/MIME (Secure/MIME), PEM (Privacy Enhancement for Internet Electronic Mail)

[Figure: user agent → sender’s mail server (SMTP) → receiver’s mail server (SMTP) → user agent (access protocols: POP3, IMAP, HTTP).]

Page 39: Information security advanced

SMTP (Simple Mail Transfer Protocol)

• Specifies the format of e-mail messages.

– Header: readable text, divided into lines of the form <keyword>: <value>. Keywords are either required, optional, or uninterpreted.

– Body: separated from the header by a blank line; no restrictions on format or contents.

• Specifies the details of e-mail exchange between two computers.

Page 40: Information security advanced

SMTP: protocol for exchanging email messages

RFC 822: standard for text message format:

• header lines, e.g.,

– To:

– From:

– Subject:

These are different from SMTP commands!

• body

– the “message”, ASCII characters only

[Figure: header, blank line, body.]

Page 41: Information security advanced

SMTP

• Send email without using an email client: try telnet servername 25

– see the 220 reply from the server

– enter the HELO, MAIL FROM, RCPT TO, DATA, QUIT commands

• How a client on one machine transfers e-mail to a server on another machine:

– The client establishes a connection to the server (typically using TCP).

– The client waits for the server to send a 220 READY FOR MAIL message.

– The client sends a HELO message.

– The server replies 250 <server>, hello <client>, pleased to meet you.

– The client sends a MAIL FROM: <sender> message.

Page 42: Information security advanced

Sample SMTP interaction

S: 220 hamburger.edu
C: HELO crepes.fr
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM: [email protected]
S: 250 [email protected]... Sender ok
C: RCPT TO: [email protected]
S: 250 [email protected] ... Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: Do you like ketchup?
C: How about pickles?
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 hamburger.edu closing connection

Required command set:

• HELO - Initial State Identification

• MAIL - Mail Sender Reverse Path

• RCPT - One Recipient’s Forward Path

• DATA - Mail Message Text State

• RSET - Abort Transaction and Reset all buffers

• NOOP - No Operation

• QUIT - Commit Message and Close Channel
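The following added example (not from the slides or any real mail server) implements the server side of the exchange above as a small state machine: it produces the 220/250/354/221 replies of the sample interaction, answers out-of-sequence commands with 503, splits the RFC 822 header from the body at the first blank line, and refuses the VRFY and EXPN probes from the earlier slide. The host names and addresses in its sample dialogue are constructed.

```python
"""SMTP server state machine for the slide's command set (added example, not from
the slides or a real mail server).  Enforces command order with 503 replies, splits
RFC 822 headers from the body at the first blank line, and refuses VRFY/EXPN so
accounts cannot be enumerated.  Names in the sample dialogue are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

ADDR = re.compile(r"<?([^<>\s@]+@[^<>\s@]+)>?$")     # bare or <bracketed> address

@dataclass
class SmtpSession:
    hostname: str
    client: Optional[str] = None                   # set by HELO
    sender: Optional[str] = None                   # set by MAIL FROM
    recipients: list = field(default_factory=list)
    data_lines: Optional[list] = None              # non-None only inside DATA
    delivered: list = field(default_factory=list)  # accepted messages (dicts)

    def handle(self, line: str) -> Optional[str]:
        """Return the reply to one client line, or None while collecting DATA."""
        if self.data_lines is not None:
            return self._data_line(line)
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "HELO":
            self.client = arg or None
            return f"250 Hello {arg}, pleased to meet you" if arg else "501 Syntax: HELO hostname"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        if verb == "VRFY":                         # Opnovrfy: neither confirm nor deny
            return "252 Cannot VRFY user; try RCPT to attempt delivery"
        if verb == "EXPN":                         # Opnoexpn
            return "502 EXPN disabled"
        if self.client is None:
            return "503 Error: send HELO first"
        if verb == "MAIL":
            addr = self._parse_path(arg, "FROM:")
            if addr is None:
                return "501 Syntax: MAIL FROM:<address>"
            self.sender = addr
            return f"250 {addr}... Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Error: need MAIL command"
            addr = self._parse_path(arg, "TO:")
            if addr is None:
                return "501 Syntax: RCPT TO:<address>"
            self.recipients.append(addr)
            return f"250 {addr}... Recipient ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 Error: need RCPT command"
            self.data_lines = []
            return '354 Enter mail, end with "." on a line by itself'
        return "500 Error: command not recognized"

    @staticmethod
    def _parse_path(arg: str, prefix: str) -> Optional[str]:
        if not arg.upper().startswith(prefix):
            return None
        m = ADDR.match(arg[len(prefix):].strip())
        return m.group(1) if m else None

    def _data_line(self, line: str) -> Optional[str]:
        if line == ".":                            # end-of-message indicator
            self.delivered.append(self._build_message(self.data_lines))
            self.sender, self.recipients, self.data_lines = None, [], None
            return "250 Message accepted for delivery"
        # Transparency (RFC 821 4.5.2): a leading dot was doubled by the client.
        self.data_lines.append(line[1:] if line.startswith(".") else line)
        return None

    def _build_message(self, lines: list) -> dict:
        # RFC 822: "<keyword>: <value>" header lines up to the first blank line.
        headers, i = {}, 0
        while i < len(lines) and lines[i] and ":" in lines[i]:
            key, _, value = lines[i].partition(":")
            headers[key.strip()] = value.strip()
            i += 1
        body = lines[i + 1:] if i < len(lines) and lines[i] == "" else lines[i:]
        return {"sender": self.sender, "recipients": list(self.recipients),
                "headers": headers, "body": body}

def run_dialogue(server: SmtpSession, client_lines: list) -> list:
    """Feed client lines to the server and return the S:/C: transcript."""
    transcript = [f"S: 220 {server.hostname}"]
    for line in client_lines:
        transcript.append(f"C: {line}")
        reply = server.handle(line)
        if reply is not None:
            transcript.append(f"S: {reply}")
    return transcript

# Constructed dialogue: an enumeration probe, an out-of-order RCPT, then a valid
# transaction whose text has a header, a blank line and a dot-stuffed body line.
SAMPLE_CLIENT = ["HELO crepes.example", "VRFY root", "RCPT TO:<bob@hamburger.example>",
                 "MAIL FROM:<alice@crepes.example>", "RCPT TO:<bob@hamburger.example>",
                 "DATA", "Subject: lunch", "", "Do you like ketchup?", "..with pickles", ".", "QUIT"]

if __name__ == "__main__":
    print("\n".join(run_dialogue(SmtpSession("hamburger.example"), SAMPLE_CLIENT)))
```

RSET and NOOP from the required set are left out to keep the block short; RSET would clear sender, recipients and data_lines exactly as the end-of-message branch does.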

Page 43: Information security advanced

SMTP

• Mail servers: always on and always accessible, transferring e-mail to and from other servers.

• User agents: sometimes on and sometimes accessible, with an intuitive interface for the user.

[Figure: user agent → mail server → mail server → user agent, steps 1–6.]

1) Alice uses her UA to compose a message “to” [email protected]

2) Alice’s UA sends the message to her mail server; the message is placed in the message queue

3) The client side of SMTP opens a TCP connection with Bob’s mail server

4) The SMTP client sends Alice’s message over the TCP connection

5) Bob’s mail server places the message in Bob’s mailbox

6) Bob invokes his user agent to read the message

Page 44: Information security advanced

SMTP Security

• SMTP does not provide any protection of e-mail messages.

– Intermediate hosts (MTAs - Message Transfer Agents) can read, modify, delay, or destroy messages.

• Sender authentication is limited, which makes e-mail forgery easy: it is easy to create phony (fraudulent) e-mail messages that appear to have come from an arbitrary source.

• E-mail spamming is still a major problem.

• SMTP-AUTH

Page 45: Information security advanced

Standard for the Format of ARPA Internet Text Messages

• The “Standard for the Format of ARPA Internet Text Messages” defines the format of the messages to be exchanged.

• Important: MIME (Multipurpose Internet Mail Extensions) specifies a standard method to encode multi-part message bodies, including nontextual information.

Page 46: Information security advanced

DNS

• DNS (Domain Name System).

• Purpose: to relate Internet IP addresses with computer names.

• Extended to aid SMTP e-mail routing, currently via MX (Mail eXchanger) records.

• Its use over the Internet replaced the routing originally defined in SMTP.

Page 47: Information security advanced

S/MIME, PEM

PEM (Privacy Enhancement for Internet Electronic Mail) and S/MIME (Secure/MIME) allow for a variety of security features, including:

• encryption and decryption of e-mail content

• message integrity protection

• nonrepudiation of origin.

Page 48: Information security advanced

Access Protocols: Standards to Retrieve Messages from Servers

• IMAP (Interactive Mail Access Protocol)

• POP (Post Office Protocol)

[Figure: user agent → sender’s mail server (SMTP) → receiver’s mail server (SMTP) → user agent (POP3 or IMAP).]

Page 49: Information security advanced

IMAP

IMAP (Interactive Mail Access Protocol) defines a standard for client/server interaction between e-mail clients and servers.

It is currently the de facto standard for open-standards e-mail systems but is also available as an alternate access method for many proprietary e-mail server systems.

It is designed to allow clients extensive control over the message store:

• retrieval

• deletion

• server-based searches

• refiling messages between folders

• message status

• shared public (multiuser) folders, etc.

Page 50: Information security advanced

POP

POP (Post Office Protocol) defines a standard for how e-mail clients can

• retrieve headers or messages from a server, and

• request messages to be deleted from the server.

While still in widespread use, it is currently relegated to minimal client and server implementations, and is being overtaken in robust systems by IMAP.

Page 51: Information security advanced

GOALS AND NON-GOALS

Basic design goals of an effective e-mail system: communication, ease of use, and reliability.

Security (policies, plans, techniques, and devices) must NOT unduly limit the functionality or prevent ease of use of the application.

Page 52: Information security advanced

GOALS AND NON-GOALS

Basic elements of an e-mail application:

• Standard format: a message format that allows users to exchange messages.

• Organization: all messages include fields for originator (from), recipients (to, and possibly cc, bcc), submission date, and subject.

• Security: users can only read their own mail, and messages they create are identified as originating from their accounts.

Page 53: Information security advanced

GOALS AND NON-GOALS

Improving the elements is often in direct conflict with security:

• Interoperability (to be solved): the ability to exchange messages between networks of individual computer systems.

• Transport of contextual information: the capability to include or attach computer data types such as audio, video, static images, databases, spreadsheets, executable files or scripts, etc.

Page 54: Information security advanced

Elements with Security Areas

• Control access: only legitimate users can access systems and services.

• Prevent

– loss of or damage to data,

– theft of data or services,

– inappropriate dissemination of data.

• Monitor for compliance with law and organizational policies.

Page 55: Information security advanced

Email Communication

Risks and Problems

Limiting network connectivity from the Internet to e-mail servers

• E-mail allows users in different organizations to communicate over the Internet, but it does not require direct network connectivity between those e-mail servers and the Internet.

• To limit network connectivity from the Internet to an organization’s e-mail servers, one will have a standard bastion network between the Internet (insecure) and the organization’s internal network, and a mail relay device will need to be installed on the bastion network.


Page 57: Information security advanced

Email Communication

Risks and Problems

• An exterior firewall provides some protection to the e-mail relay system, but must allow some communications between the e-mail relay and external servers.

• Hackers have the opportunity to attempt attacks through the e-mail channels provided.

• The protections gained by implementing the relay system in the bastion network include the following:

– Intrusion detection (ID): the relay is the only system that can be directly attacked from the Internet.

– Transient messages (TM): if compromised, the relay system contains only transient messages.

– Denial-of-service attacks (DoS) launched against the relay may not prevent intra-organizational traffic from functioning normally.

Page 58: Information security advanced

Email Communication

Risks and Problems

• A hacker will only be able to do limited damage and disrupt service between internal users and external users.

• The hacker will need to have the ability to fully compromise the relay server, and to spend the time and effort to do so, before being able to use it as a platform to directly attack the internal mail servers.

Page 59: Information security advanced

Email Communication

Risks and Problems

• Some firewall vendors provide similar functionality within a single firewall: the firewall itself assumes the role of the e-mail relay.

• This is not as robust a solution as a functionally separate relay, though it avoids allowing direct network communications between the insecure network and the internal mail servers.

Page 60: Information security advanced

Email Communication

Risks and Problems

• Problem: sensitive information. The content of e-mail messages traveling over the Internet needs to be protected from third-party monitoring.

• Solution: encryption.

– There are multiple standards for e-mail encryption, but none is currently widely deployed.

– It is achieved by utilizing encryption that occurs within each user’s e-mail client software.


Page 62: Information security advanced

Encryption

• The message is encrypted within the sender’s system.

• Problems:

– Encryption only occurs when the sender remembers to activate the feature.

– The two sides must agree on utilizing the same encryption schemes (S/MIME, PGP, etc.).

– Key(s) must be exchanged.

Page 63: Information security advanced

Solution: Encrypted VPN

An encrypted VPN provides network connectivity between geographically separate offices of the same or related organizations.

Page 64: Information security advanced

Encrypting Appliance

• For communications between two business partners’ systems (as opposed to a VPN), an encrypting appliance can be installed between the internal mail servers and the insecure networks.

• It is configured to encrypt/decrypt traffic exchanged with specific configured sites, allowing traffic to pass through non-encrypted to non-configured sites.


Page 66: Information security advanced

Encryption Standards

• For message passing between the servers and the users’ workstations.

• Most e-mail application software systems have the ability to encrypt the communications channel between the client and server software.

• Using encryption increases the load on the server, so it is generally disabled by default.

• Some systems utilize encryption schemes such as SSL/TLS.

Page 67: Information security advanced

Access Methods

• Special attention is needed for users accessing e-mail remotely from home or while traveling, who, for economic reasons, increasingly use the Internet as their connectivity.

• The access methods (SMTP, POP, IMAP, etc.) need to be considered when planning this encryption.

• Alternative: encryption-capable remote access servers.

Page 68: Information security advanced

Encryption-capable remote access servers

• Used to form encrypted tunnels directly to software installed on the user’s workstation.

• Forming VPN tunnels provides more than e-mail connectivity.

Page 69: Information security advanced

For questions, contact me.

Thanks for watching.

/JamiLALagha

/JamiL.Alagha