TCP/IP Networks Management and Security Presented by: David M. Litton, CPA, CISA, CGFM Deputy Director, Audit and Management Services Virginia Commonwealth University May 7, 2001


Page 1: Tcp ip management  security

TCP/IP Networks Management and Security

Presented by:
David M. Litton, CPA, CISA, CGFM
Deputy Director, Audit and Management Services
Virginia Commonwealth University

May 7, 2001

Page 2: Tcp ip management  security

5/7/2001 TCP/IP Networks Management and Security 2

Page 3: Tcp ip management  security


Course Objectives:

• What is a TCP/IP Network?

• Common components of a TCP/IP network

• Network environment: TCP/IP protocol and associated devices functionality

• General network risks

• Specific risks and compensating controls for TCP/IP network devices

• Areas of a TCP/IP Infrastructure Audit

Page 4: Tcp ip management  security


What is a TCP/IP Network?

• Envelope and post office concept

• Ethernet Frames

• Internet Protocol (IP) – Connectionless datagram; tries to send but not sure if it gets there

• Transmission Control Protocol (TCP)

• Alternatives to TCP: UDP and ICMP

• Ports

• Socket (Combination of port# & IP address)

• Connection (pair of sockets for a session)

Page 5: Tcp ip management  security

[Diagram: Telnet and FTP circuits]

Telnet (also HTTP, SMTP, POP3...): single control and data circuit
  Host (ex. Unix/Win NT server), IP 128.172.161.139, port 23
  Client (ex. Win 98/2000), IP 128.172.2.30, high random port (ex. port #3003)

FTP: separate control and data circuits
  Host (ex. Unix/Win NT server), IP 128.172.161.139, port 21 (control) and port 20 (data)
  Client (ex. Win98/2000), IP 128.172.22.9, two high random ports (ex. port #2987 and port #2986)

Page 6: Tcp ip management  security
Page 7: Tcp ip management  security
Page 8: Tcp ip management  security
Page 9: Tcp ip management  security


Page 10: Tcp ip management  security
Page 11: Tcp ip management  security
Page 12: Tcp ip management  security
Page 13: Tcp ip management  security
Page 14: Tcp ip management  security


Page 15: Tcp ip management  security

OSI Model and TCP/IP Compared

OSI Reference Model                          Examples                           TCP/IP Protocol Stack
(7) Application Layer                        FTP, Telnet, HTTP                  (4) Application Layer
(6) Presentation Layer                       FTP, Telnet, HTTP                  (4) Application Layer
(5) Session Layer                            FTP, Telnet, HTTP                  (4) Application Layer
(4) Transport Layer                          TCP, UDP                           (3) Transport Layer
(3) Network Layer                            IP                                 (2) Internet Layer
(2) Data Link Layer                          Ethernet, Frame Relay,             (1) Network Interface Layer
    (Logical Link; Media Access Control,     Token Ring
    MAC)
(1) Physical Layer                           Twisted Pair, Fiber                (1) Network Interface Layer

Page 16: Tcp ip management  security


Page 17: Tcp ip management  security


Common components of a TCP/IP network

• Cat 5 UTP Wiring & fiber optics lower layer 1

• Hubs emphasis layer 1

• Bridges layer 1 or lower-part of layer 2 (MAC)

• Switches – some layer 1 & emphasis layer 2

• Routers – emphasis layer 3 & some layer 4

• Applications/network utilities: layers 5-7; FTP, HTTP, NFS, X-Windows, Telnet…

• Protocol Stacks: part of server/work station O/S

• Servers - physical and logical contrasted

• Specialized IP servers: DHCP, BOOTP, DNS…

Page 18: Tcp ip management  security


Network Environment: TCP/IP Protocol and Associated Devices Functionality

Page 19: Tcp ip management  security

[Diagram: LAN/WAN Protocol Example]

Two LAN sites connected across a WAN. One side is an Ethernet LAN (workstations, laptop, laser printer) on a hub, behind a router and firewall. The other side has Ethernet and token-ring segments (workstations, laptops, IBM compatible, laser printer) on a hub and a MAU, behind a firewall and routers.

WAN links shown: ATM, T-1, ISDN, Frame Relay, SMDS.

Encapsulation at each hop:
  Enet[IP[TCP[Data]]]   on the Ethernet segments
  TRing[IP[TCP[Data]]]  on the token-ring segment
  ATM[IP[TCP[Data]]]    across the WAN
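The envelope-and-post-office idea on slides 4, 5 and 19 (a TCP segment inside an IP datagram inside an Ethernet frame, with a socket being IP address plus port and a connection being a pair of sockets) can be made concrete in code. The following is an added example, not part of the presentation: it builds an Enet[IP[TCP[Data]]] frame one layer at a time, then parses it back and reports the client and server sockets. The IP addresses and ports are those on the Telnet/FTP slide; the MAC addresses are constructed placeholders, and the IP header checksum is verified on the way in, which is how a corrupted envelope is caught before its contents are trusted.

```python
"""Added example (not from the slides): build an Enet[IP[TCP[Data]]] frame layer
by layer, then peel it apart again to recover the two sockets (IP + port) that
form the connection.  IP addresses and ports are the ones on the Telnet/FTP
slide; the MAC addresses are constructed placeholders."""
import ipaddress
import struct
from typing import NamedTuple

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

# Server-side ports from the slide and the kind of circuit each one carries
SERVICE_PORTS = {
    23: "Telnet (single control and data circuit)",
    21: "FTP control circuit",
    20: "FTP data circuit",
}


class Socket(NamedTuple):
    ip: str
    port: int


class Connection(NamedTuple):
    client: Socket
    server: Socket
    service: str


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791); returns 0 for a header
    whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Wrap the data in TCP, then IP, then Ethernet: Enet[IP[TCP[Data]]]."""
    # TCP header: 20 bytes, no options, PSH+ACK as on an established session
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18,
                      8192, 0, 0) + payload
    # IP header: version 4, IHL 5, TTL 64, protocol 6; checksum filled in below
    ip = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, PROTO_TCP, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    # Ethernet header: destination MAC, source MAC, EtherType
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + bytes(ip) + tcp


def parse_frame(frame: bytes) -> dict:
    """Remove the layers in reverse order, checking each envelope before opening it."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 Ethernet frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20:
        raise ValueError("malformed IP header")
    ip_hdr = frame[14:14 + ihl]
    if ip_checksum(ip_hdr) != 0:
        raise ValueError("IP header checksum mismatch")
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    if ip_hdr[9] != PROTO_TCP:
        raise ValueError("not a TCP segment")
    tcp_start = 14 + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return {
        "src": Socket(str(ipaddress.IPv4Address(ip_hdr[12:16])), src_port),
        "dst": Socket(str(ipaddress.IPv4Address(ip_hdr[16:20])), dst_port),
        "payload": frame[tcp_start + data_off:14 + total_len],
    }


def describe_connection(frame: bytes) -> Connection:
    """A connection is the pair of sockets for a session; the well-known (low)
    port marks the server end, the high random port the client end."""
    p = parse_frame(frame)
    server, client = sorted((p["src"], p["dst"]), key=lambda s: s.port)
    return Connection(client, server,
                      SERVICE_PORTS.get(server.port, f"unknown service on port {server.port}"))


def frame_is_valid(frame: bytes) -> bool:
    """True if every envelope checks out; a flipped bit in the IP header fails."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    telnet = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                         "128.172.2.30", "128.172.161.139", 3003, 23, b"login: ")
    print(describe_connection(telnet))
```

Running the block prints the Telnet connection from the slide: client socket 128.172.2.30:3003, server socket 128.172.161.139:23. The same two functions applied to the FTP example yield two connections to the same host, one on port 21 and one on port 20, which is the "separate control and data circuits" point the slide makes.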

Page 20: Tcp ip management  security


General network risks

• Inconsistently applied back-up procedures for network equipment and servers

• Lack of a test lab and change control procedures

• Intercepting clear text, log-on identifiers and passwords

• Staff turn-over

• Use of unauthenticated services on network hosts and pass through routers

• Lack of spoofing prevention measures

• Use of default passwords on network equipment

• Lack of password change procedures for network equipment

• Poor O/S controls on network devices

Page 21: Tcp ip management  security


General network risks

• Improper access to restricted systems (patient information, financial records, payroll, etc.)

• Release of sensitive information

• Prolonged outages and inconsistent availability

• Lack of documentation

• Non-compartmentalized traffic

• Trojan Horses

• Lack of expertise, training, and cross-training

• Lack of restoration plans or spare parts

• Ineffective procedures

• Masquerading as another individual

• Spying, Sabotage

• Risk from easy-to-use freeware utilities

• Stolen Passwords

Page 22: Tcp ip management  security


Specific risks and compensating controls for TCP/IP network devices

Page 23: Tcp ip management  security


Router Risks and Controls

Risk: Inappropriate addresses or dangerous protocols accessing hosts/servers
Control: Access Control Lists – filter through router

Risk: Inappropriate addresses conducting router maintenance
Control: ACLs to restrict IP addresses to router

Risk: Unauthenticated or trusted services used for maintenance
Control: Turn off these services in router configuration; use services with stronger authentication

Page 24: Tcp ip management  security


Router Risks and Controls

Risk: Damaged router/network device configuration
Control: Create backups of the configuration file; store on network, hard copy, and “secret” backup

Risk: Failed upgrades or changes
Control: Development and maintenance controls & “back-out” plans

Risk: Not capturing network events
Control: Turn on logging; secure the host that the logs are streaming to

Page 25: Tcp ip management  security


Router Risks and Controls

Risk: Default passwords and clear text passwords transmitted over the network
Control: Change passwords periodically, with timeouts

Risk: No console passwords
Control: Add passwords with timeouts

Risk: Community strings = PUBLIC, PRIVATE and pass network in clear text
Control: Change community strings and use encrypted SNMP

Page 26: Tcp ip management  security


Router Risks and Controls:

Methods of Accessing Routers

• Console

• TFTP

• Telnet

• TACACS

• MOP (maintenance operation protocol by DEC for CISCO routers)

• SNMP

• R-Shell

• R-Copy

• FTP

• HTTP

• More being added, check manufacturer documentation

Page 27: Tcp ip management  security


Domain Name Service: Risks and Controls

Risk: Allowing zone file transfers to unauthorized clients provides MX and HINFO records
Control: Use router filters for TCP port 53 (DNS) or control servers that receive DNS zone files

Risk: Updates require time to propagate, usually 24 hours
Control: Use strong change control procedures – management review

Risk: Providing information about internal devices one at a time
Control: Configure external name servers to provide info on Internet connected machines

Risk: Whois command – Whois returns the DNS IP addresses + sensitive info.

Page 28: Tcp ip management  security


Network Address Translation

• Static translation does not hide the device from the Internet – port translation is needed to get the full benefit for security.

• Reduced router performance, and NAT can interfere with authentication schemes that verify integrity of the entire packet – must weigh these costs when reviewing NAT.

Page 29: Tcp ip management  security

[Diagram: TCP/IP Environment Example]

Internet → NAT router → hub, with a DHCP server and internal hosts addressed 10.xxx.xxx.001, 10.xxx.xxx.002, 10.xxx.xxx.003 and 10.xxx.xxx.004; a primary DNS and a secondary DNS server are also shown.

Page 30: Tcp ip management  security


Wiring/Hubs: Risks and Controls

Risk: Inability to track wiring problems
Control: Diagrams, labeling

Risk: Sniffing equipment, theft, inappropriate access to equipment
Control: Secure wiring concentrations (closets)

Risk: No redundant paths for backbone/WAN connections
Control: Redundant Layer 1 path

Risk: Power surges
Control: Surge protectors or UPSs

Risk: Heat and water damage
Control: Design of locations that house equipment

Page 31: Tcp ip management  security


Additional Server Risks and Controls

Risk: Legitimate network access can cause security problems. Example: Sun Telnet hack, Microsoft IIS hacks
Control: Install up to date patches; backup (OS, applications & database); password controls; file permissions; restrict privileges; logging; disable unnecessary services

Risk: Differences in server configurations
Control: Use consistent setup checklists and/or scripts for servers and user profiles

Page 32: Tcp ip management  security


Dangerous Services to be Restricted

Service                       Port(s)
Zone Transfers                UDP & TCP 53
Link                          TCP 87
LPD                           TCP 515
BOOTP                         UDP 67
RPC                           TCP & UDP 111
NFS                           UDP 2049
TFTP                          UDP 69
SNMP                          UDP 161, 162
X-Windows                     TCP 6000+
Finger                        UDP 79
Berkeley R-Commands           TCP 512-514
Windows Sharing               TCP 135-139, 445
Chargen, Discard, Echo        TCP/UDP 9, 19, 7

Block ICMP redirects
* Internal address from outside the network
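Slide 23's "Access Control Lists – filter through router" and "ACLs to restrict IP addresses to router", slide 20's spoofing prevention, and the service table above all describe the same mechanism: an ordered list of permit/deny rules evaluated first match wins, ending in an implicit deny. The block below is an added example, not from the presentation, that models such an ACL in Python and runs it over constructed flow records. The service/port entries come from the table above; the 128.172.x.x network, the router, web server and management station addresses, the 198.51.100.x outside addresses and the range taken for "TCP 6000+" are assumptions made for the illustration.

```python
"""Added example (not from the slides): an ordered, first-match access control
list in the style of a router ACL, seeded with the 'Dangerous Services to be
Restricted' table plus the spoofing and ICMP-redirect rules, evaluated against
constructed flow records.  Network numbers are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan: 128.172.x.x appears on the slides, 198.51.100.x is an
# outside documentation range, and the router, web server and management
# station addresses are placeholders.
INTERNAL_NETS = [ipaddress.ip_network("128.172.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
ROUTER = ipaddress.ip_network("128.172.161.1/32")
WEB_SERVER = ipaddress.ip_network("128.172.161.139/32")
MGMT_STATION = ipaddress.ip_network("128.172.2.30/32")

# "Dangerous Services to be Restricted": service -> (protocols, destination ports)
DANGEROUS_SERVICES = {
    "Zone Transfers": ({"udp", "tcp"}, {53}),
    "Link": ({"tcp"}, {87}),
    "LPD": ({"tcp"}, {515}),
    "BOOTP": ({"udp"}, {67}),
    "RPC": ({"tcp", "udp"}, {111}),
    "NFS": ({"udp"}, {2049}),
    "TFTP": ({"udp"}, {69}),
    "SNMP": ({"udp"}, {161, 162}),
    "X-Windows": ({"tcp"}, set(range(6000, 6064))),  # "6000+": displays :0 to :63 assumed
    "Finger": ({"tcp", "udp"}, {79}),                # slide lists UDP 79; the service itself runs on TCP 79
    "Berkeley R-Commands": ({"tcp"}, {512, 513, 514}),
    "Windows Sharing": ({"tcp"}, set(range(135, 140)) | {445}),
    "Chargen, Discard, Echo": ({"tcp", "udp"}, {9, 19, 7}),
}


@dataclass
class Flow:
    direction: str            # "in" = arriving from the Internet side, "internal" = originating inside
    proto: str                # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    name: str
    protos: Optional[set] = None        # None means "any" for every field below
    directions: Optional[set] = None
    src_nets: Optional[list] = None
    dst_nets: Optional[list] = None
    dst_ports: Optional[set] = None
    icmp_types: Optional[set] = None

    def matches(self, f: Flow) -> bool:
        src, dst = ipaddress.ip_address(f.src_ip), ipaddress.ip_address(f.dst_ip)
        return all([
            self.protos is None or f.proto in self.protos,
            self.directions is None or f.direction in self.directions,
            self.src_nets is None or any(src in n for n in self.src_nets),
            self.dst_nets is None or any(dst in n for n in self.dst_nets),
            self.dst_ports is None or f.dst_port in self.dst_ports,
            self.icmp_types is None or f.icmp_type in self.icmp_types,
        ])


def build_acl() -> list:
    """Order matters: anti-spoofing first, then service blocks, then the narrow permits."""
    acl = [
        # An internal source address arriving from outside is forged (spoofing prevention)
        Rule("deny", "spoofed internal source from outside", directions={"in"}, src_nets=INTERNAL_NETS),
        # Block ICMP redirects (ICMP type 5)
        Rule("deny", "ICMP redirect", protos={"icmp"}, icmp_types={5}),
    ]
    for svc, (protos, ports) in DANGEROUS_SERVICES.items():
        acl.append(Rule("deny", f"dangerous service: {svc}", protos=protos, directions={"in"}, dst_ports=ports))
    # Restrict which IP addresses may reach the router for maintenance
    acl.append(Rule("permit", "router maintenance from management station", src_nets=[MGMT_STATION], dst_nets=[ROUTER]))
    acl.append(Rule("deny", "router maintenance from anywhere else", dst_nets=[ROUTER]))
    # The one service the outside is meant to reach
    acl.append(Rule("permit", "public web server", protos={"tcp"}, dst_nets=[WEB_SERVER], dst_ports={80}))
    return acl


def evaluate(acl: list, flow: Flow) -> tuple:
    """First matching rule wins; like a router ACL, the list ends in an implicit deny."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit deny"


if __name__ == "__main__":
    acl = build_acl()
    # Constructed sample flows, not captured traffic
    samples = [
        Flow("in", "udp", "198.51.100.7", "128.172.161.139", 161),
        Flow("in", "tcp", "128.172.5.5", "128.172.161.139", 80),
        Flow("in", "tcp", "198.51.100.7", "128.172.161.139", 80),
        Flow("in", "tcp", "198.51.100.7", "128.172.161.1", 23),
        Flow("internal", "tcp", "128.172.2.30", "128.172.161.1", 23),
        Flow("in", "icmp", "198.51.100.7", "128.172.161.139", icmp_type=5),
    ]
    for f in samples:
        print(f"{f.direction:8} {f.proto:4} {f.src_ip:>15} -> {f.dst_ip}:{f.dst_port}  {evaluate(acl, f)}")
```

The rule order is the point worth noticing: the anti-spoofing rule sits first so that a packet claiming the management station's address but arriving from the Internet side is dropped before the "router maintenance from management station" permit can ever match it. Reversing those two rules would silently undo the second control on slide 23.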

Page 33: Tcp ip management  security


Work Stations Risks and Controls

Risk: Trojan Horses: key capture, sniffers, remote control
Control: BOClean, up to date virus software (for detection)

Risk: Viruses
Control: Virus software up to date

Risk: Modem line exposures
Control: Policy, inventory, standardization, dial-in servers, unique id & complex passwords, wardial company #s

Page 34: Tcp ip management  security


Encryption

• Examine encryption practices

• Determine where the traffic is the most exposed – going out on the Internet, between business partners…

• Look for controls like compartmentalization & VLANs to reduce internal exposure

• Use encrypted methods like SNMP V.2 and CHAP V.2 to communicate to network devices

• Consider testing encryption controls with a sniffer

Page 35: Tcp ip management  security


Sniffed PPP Connection in Clear Text

Page 36: Tcp ip management  security


Areas of a TCP/IP Infrastructure Audit: Why Examine Network Infrastructure

• Rarely examined

• Large investment

• Basis for most technology - the “common denominator”

• Connects to the World

• Lost Revenue on E-Commerce

• Susceptible to Denial of Service Attacks

Page 37: Tcp ip management  security


Areas of a TCP/IP Infrastructure Audit: Recommended Objectives

• Continuity (consistent reliability and availability of system -- back-up and ability to recover)

• Management and Maintenance (additions, change procedures, upgrades, and documentation)

• Security (appropriate physical and logical access to network devices and hosts)

Page 38: Tcp ip management  security


Auditing TCP/IP Infrastructure

• Review network policies and procedures

• Review network diagrams (layer 1 & 2), design, and walk-through, list of network equipment and IP address list

• Verify diagrams with Ping and Trace Route

• Review utilization, trouble reports & helpdesk procedures

• Probe systems (Netscan tools and Portscanner)

• Interview network vendors, users, and network technicians

• Review software settings on network equipment

• Inspect computer room and network locations

• Evaluate back-up and operational procedures

Page 39: Tcp ip management  security


Conclusion

• Identify the paths and equipment used to navigate the network

• Identify TCP/IP infrastructure areas of concern

• Break into manageable pieces

• Every network is different and the components and risks must be fully understood

• Identify risks and prioritize

• Dedicate more upfront planning

• RELAX !! It’s not that bad !

Page 40: Tcp ip management  security


Additional Information

• Presentation located online at URL:

http://www.vcu.edu/iaweb/iam_welc.html

• Contact information:

[email protected]

(804) 828-9248