Date posted: 19-Dec-2015
Network Security and Management
CS682 – Sessions 3 and 4
Prof. Katz
Public-Key Cryptography
Concept created by Diffie and Hellman in 1976
Two keys are used, one for encoding and the other for decoding
Also usually supports digital signatures
Diffie – Hellman concepts
1. It is easy for party B to generate a public and private key
2. It is easy for sender A, knowing B’s public key and message M, to generate the corresponding ciphertext
3. It is easy for B, knowing his private key and the ciphertext, to compute the plaintext
4. It is impossible for an opponent knowing B’s public key and the ciphertext to compute the plaintext
5. It is impossible for an opponent knowing B’s public key and the ciphertext to compute the private key.
Network Protocols
A history of IP
Originally designed by the DOD for military purposes
Used to create the DARPANET
DARPANET later evolved into the Internet for educational purposes
More recently utilized for commercial purposes
IP Header (minimum length 20 octets; each row is 32 bits, numbered 0–31 left to right)
Ver | IHL | Type of Service | Total Length
Identifier | Flags | Fragment Offset
Time To Live | Protocol | Header Checksum
Source Address
Destination Address
Options + Padding
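As an added example (not the slides' code), a Python decoder for the header laid out above. It checks that IHL and Total Length are consistent before trusting anything else in the packet, and verifies the Header Checksum; the sample header is constructed here, reusing the two addresses that appear in the SMTP transcript later in the deck.

```python
import struct
from ipaddress import IPv4Address

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, folded and complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the 20-octet fixed header plus options; rejects inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 octets")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, hcs, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    hdr_len = ihl * 4                       # IHL counts 32-bit words
    if version != 4 or hdr_len < 20 or hdr_len > len(packet) or total_len < hdr_len:
        raise ValueError("bad version or inconsistent IHL / Total Length")
    return {
        "ihl": ihl, "tos": tos, "total_length": total_len, "identifier": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # offset field is in 8-octet units
        "ttl": ttl, "protocol": proto, "header_checksum": hcs,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "options": packet[20:hdr_len],
        # a header whose checksum is intact sums to all ones, so its complement is zero
        "checksum_ok": internet_checksum(packet[:hdr_len]) == 0,
    }

def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Constructed sample header (DF set, no options) with a valid Header Checksum."""
    def pack(checksum):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                           ttl, proto, checksum, IPv4Address(src).packed, IPv4Address(dst).packed)
    return pack(internet_checksum(pack(0)))

if __name__ == "__main__":
    # addresses taken from the slides' SMTP transcript; the payload length is a constructed value
    hdr = build_ipv4_header("128.238.2.92", "64.2.85.40", 17, 8)
    print(parse_ipv4_header(hdr))
```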
User Datagram Protocol (UDP)
A simple, connectionless layer 4 protocol for the transmission of non-critical data
No reliability, no confirmation of delivery, no ordering of packets!
Very light protocol which sits on top of the IP layer.
Used by a number of upper-layer protocols (ULPs) including DNS, DHCP, and BootP.
Port numbers
UDP introduces the concept of port numbers as a layer 4 address.
Ports are used to indicate which layer 7 service should receive the packet and which produced it.
When a server program starts it “binds” to the port it will use for communication (usually <1024); UDP then knows that data received for that port should be delivered to that program.
Ports (cont.)
When a client service begins communication it can either request a specific port for communication or use a unique port provided by the OS.
Server ports are static, client ports may be dynamic.
Common UDP port numbers
67 – BootP server
68 – BootP client
69 – Trivial FTP
UDP Header (each row is 32 bits, numbered 0–31 left to right)
Source Port | Destination Port
Length | Checksum
Data
Header Values
Source port – The port on the source host which generated this message
Destination port – The port on the destination host which should receive this message
Length – The length of the header and data
UDP Checksum
The UDP checksum is calculated across the data and the header.
The checksum is the one’s complement of the 16-bit sum of the words in the header and data.
Additionally the 32-bit source and destination addresses, the 8-bit protocol field, and the UDP length (the pseudo-header) are included in the sum.
UDP Checksum
On the receiving end all words are added to the checksum and the result should be all ones.
If the result is not all ones then an error has occurred.
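Both checksum slides worked through as an added Python example (not the slides' code): the sender sums pseudo-header, header and data with the checksum field zero and transmits the complement; the receiver re-adds every word including that checksum and expects all ones. The datagram is constructed (addresses reused from the SMTP transcript later in the deck); because the pseudo-header is covered, a datagram that arrives at the wrong address fails the check too.

```python
import struct
from ipaddress import IPv4Address

UDP = 17   # IP protocol number carried in the pseudo-header

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of all words (an odd trailing octet is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """32-bit source and destination addresses, a zero octet, the 8-bit protocol, the UDP length."""
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, proto, length)

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Sender side: sum pseudo-header + header (checksum field zero) + data, then complement."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    total = ones_complement_sum(pseudo_header(src, dst, UDP, length) + header + payload)
    checksum = (~total) & 0xFFFF
    if checksum == 0:
        checksum = 0xFFFF   # RFC 768: a transmitted zero means "no checksum", so send all ones
    return header[:6] + struct.pack("!H", checksum) + payload

def verify_udp(src: str, dst: str, datagram: bytes) -> bool:
    """Receiver side: add every word including the transmitted checksum; it must be all ones."""
    if len(datagram) < 8:
        return False
    length = struct.unpack("!H", datagram[4:6])[0]
    if length != len(datagram):
        return False                         # the Length field must cover header + data
    if struct.unpack("!H", datagram[6:8])[0] == 0:
        return True                          # sender did not checksum (permitted for IPv4 UDP)
    return ones_complement_sum(pseudo_header(src, dst, UDP, length) + datagram) == 0xFFFF

if __name__ == "__main__":
    # constructed sample: a datagram to port 53 between the two hosts in the slides' transcript
    dgram = build_udp("128.238.2.92", "64.2.85.40", 40000, 53, b"constructed query payload")
    print(dgram.hex(), verify_udp("128.238.2.92", "64.2.85.40", dgram))
```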
Transport Control Protocol
Provides a connection-oriented layer 4 service
Provides delivery guarantees
Provides sequencing
TCP Header (each row is 32 bits, numbered 0–31 left to right)
Source Port | Destination Port
Sequence Number
Acknowledgement Number
Header len | reserved | URG ACK PSH RST SYN FIN | Window size
Checksum | Urgent Pointer
Options + padding
Data
TCP Header (cont.)
Source and destination ports – Which application produced the packet and which should receive it
Sequence number – Identification of the relative location of the first byte in the packet to the first byte in the stream.
Acknowledgement number – The sequence number of the next byte which the receiving station expects
TCP Header (cont.)
URG – Urgent
ACK – Acknowledgement
PSH – Push
RST – Reset
SYN – Synchronize sequence numbers
FIN – Final packet
TCP Connection Establishment
Client sends SYN
Server replies with SYN-ACK
Client replies with ACK
TCP Connection maintenance
The sequence number is incremented for every packet sent
An acknowledgement must be made before the window size is reached.
An ack is sent for the next byte which the client expects to receive.
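As an added Python example (not the slides' code), a decoder for the header above that exposes the six flag bits, plus a check that three segments form the SYN, SYN-ACK, ACK exchange on one port pair with consistent numbers: a SYN consumes one sequence number, so the SYN-ACK acknowledges the client's initial number plus one and the final ACK acknowledges the server's plus one. Ports and initial sequence numbers in the sample are constructed.

```python
import struct

FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
MASK32 = 0xFFFFFFFF   # sequence and acknowledgement numbers wrap modulo 2**32

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fields shown on the slide; the header length is given in 32-bit words."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off >> 4) * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError("header length inconsistent with segment size")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "checksum": csum, "urgent_pointer": urg,
            "flags": {name: bool(flags & bit) for name, bit in FLAG_BITS.items()},
            "options": segment[20:hlen], "data": segment[hlen:]}

def build_tcp_header(sport, dport, seq, ack, flag_names, window=65535) -> bytes:
    """Constructed 20-octet header with no options; the checksum is left zero (not computed here)."""
    flags = sum(FLAG_BITS[n] for n in flag_names)
    return struct.pack("!HHIIBBHHH", sport, dport, seq & MASK32, ack & MASK32, 5 << 4, flags, window, 0, 0)

def is_three_way_handshake(segments) -> bool:
    """True when three segments form SYN, SYN-ACK, ACK on one port pair with consistent numbers:
    a SYN consumes one sequence number, so each side acknowledges the peer's initial number + 1."""
    if len(segments) != 3:
        return False
    syn, synack, ack = (parse_tcp_header(s) for s in segments)
    f1, f2, f3 = syn["flags"], synack["flags"], ack["flags"]
    same_conn = ((synack["sport"], synack["dport"]) == (syn["dport"], syn["sport"])
                 and (ack["sport"], ack["dport"]) == (syn["sport"], syn["dport"]))
    return (same_conn
            and f1["SYN"] and not f1["ACK"] and not f1["RST"]
            and f2["SYN"] and f2["ACK"] and synack["ack"] == (syn["seq"] + 1) & MASK32
            and f3["ACK"] and not f3["SYN"]
            and ack["seq"] == (syn["seq"] + 1) & MASK32
            and ack["ack"] == (synack["seq"] + 1) & MASK32)

def sample_handshake(client_isn=1000, server_isn=5000):
    """Constructed exchange: client port 40000 opening a connection to server port 25."""
    return [build_tcp_header(40000, 25, client_isn, 0, ["SYN"]),
            build_tcp_header(25, 40000, server_isn, client_isn + 1, ["SYN", "ACK"]),
            build_tcp_header(40000, 25, client_isn + 1, server_isn + 1, ["ACK"])]
```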
TCP State Diagram
Fundamentals of network security
To employ good network security requires that you know everything about the network!
We will forfeit some usability for security.
If your recommendations are not followed – CYA!
Common Network Protocols
HTTP – Used for traffic on the World Wide Web, usually port 80
FTP – Used to transmit binary and ASCII data files, control connections on port 21
Telnet – Used to obtain a shell on a remote system, usually on port 23
POP3 – Used by clients to retrieve email on corporate servers, usually port 110
SMTP – Used to transfer mail between domains/servers, usually port 25
DNS – Used to resolve names, UDP port 54
Request for Comments
Maintained by the Internet Engineering Task Force (www.IETF.org)
Protocol designers publish documents and release them to the Internet community for comments and implementation
RFCs are accepted today as rules for implementing protocols
HyperText Transfer Protocol
Version 1.1 defined in RFC 2068
No banner on connection establishment
Client should send all header information followed by a return character ‘\n’
URI Specifications
Uniform Resource Identifier
Used to indicate resources available on a network
<scheme>://<authority><path>?<query>
E.g. http://search.microsoft.com/search.asp?find=MS
HTTP Options
Obtain all server information
HTTP GET
Request for one file
HTTP HEAD
Returns only the header information which would be obtained by a GET command
Useful for determining if a document should be downloaded or used from cache
HTTP POST
Used to send LARGE (>500 bytes) amounts of data to a remote system
Can be used for large forms or for uploading files
HTTP PUT
Same concept as POST but used only for uploading files
Security Problems with HTTP
Buffer overflows are common
Non-anonymous users send their username/password as a BASE64 encoding
Excessive client data transmitted
Snooping possible when uploading data
Cookies
FTP
Defined in RFC 959
FTP control connections are established on port 21
USER is followed by a username and a return character, and PASS is followed by a password and a return character
FTP Standard Data Connections
User initiates the data transfer and sets up a listener on a specific port, server connects to that port and “dumps” the file.
FTP PASV Data Connections
User indicates that passive mode data transfer should occur
User selects the file which should be transferred
Server creates a listener and allows the client to connect to it; once the connection is established, the server “dumps” the file
Security Problems with FTP
Buffer overflows
Security credentials are sent in cleartext
Opens dynamic ports which firewalls may allow through
Data is sent in cleartext
Telnet
User connects to the server port and the server displays a welcome banner (usually /etc/issue.net), then requests login
Client responds to the server’s login request with a valid username/password
Shell is activated, with STDOUT and STDERR mapped to the client’s terminal
Security Problems with Telnet
All data (including username/password) is sent in cleartext
Buffer overflows and root attacks possible
Post Office Protocol version 3
Defined in RFC 1725
Used to download mail from a server for local reading when direct file access is not available or advisable
Very popular on the Internet, almost the prime source of email
Operation of POP3
User establishes a connection to the server port (usually 110/tcp)
Server greets user
User issues the USER command with a valid username
Server will always respond with “+OK”
User issues the PASS command with the password
Server will attempt to authenticate the user
If successful “+OK” is returned, otherwise “-ERR”
Transaction state commands
STAT – see the total number of messages and bytes
UIDL (#) – obtain the Unique ID Listing for messages in the mailbox
RETR # – Retrieve one message
DELE # – Mark one message for deletion
LIST (#) – Show the size of a/all message(s)
RSET – Mark all messages as undeleted
TOP M# N# – Return the first N# lines from message M#
Normal POP3 session
Pop3.txt
Implementing POP3
When the user is authenticated, open the mailbox and parse the messages in it into memory
Read in each command and respond appropriately
When QUIT is received, copy the contents of memory to the mailbox
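The implementation sketch above, as an added Python example (not the slides' code): one Pop3Session object parses the mailbox into memory, answers commands in the AUTHORIZATION and TRANSACTION states (USER always gets +OK, as the operation slide states), and writes deletions back only when QUIT moves it to the UPDATE state. The user table and mailbox are constructed samples; RETR byte-stuffs body lines that begin with '.', since a bare '.' line terminates a multi-line response.

```python
# Constructed sample users and mailbox (not from the slides); message 1 has a line needing stuffing.
SAMPLE_USERS = {"dkatz": "hunter2"}
SAMPLE_MAILBOX = ["From: a@poly.edu\r\nSubject: one\r\n\r\nhello\r\n.stuffed", "Subject: two\r\n\r\nbye"]

class Pop3Session:
    """Authenticate, hold the mailbox in memory, mark deletions, and commit them only on QUIT."""
    def __init__(self, users, mailbox):
        self.users, self.mailbox = users, list(mailbox)
        self.state, self.user, self.deleted = "AUTHORIZATION", None, set()
    def _index(self, arg):   # 1-based message number -> index, or None if absent / marked deleted
        i = int(arg) - 1 if arg.isdigit() else -1
        return i if 0 <= i < len(self.mailbox) and i not in self.deleted else None
    def _multiline(self, lines):   # byte-stuff lines starting with '.', terminate with a lone '.'
        return "\r\n".join(["+OK"] + ["." + l if l.startswith(".") else l for l in lines] + ["."])
    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            if self.state == "TRANSACTION":      # UPDATE state: write marked deletions back
                self.mailbox = [m for i, m in enumerate(self.mailbox) if i not in self.deleted]
            self.state = "UPDATE"
            return "+OK bye"
        if self.state == "AUTHORIZATION":
            if verb == "USER":
                self.user = arg
                return "+OK"                     # always +OK, so the reply does not reveal valid names
            if verb == "PASS" and self.user and self.users.get(self.user) == arg:
                self.state = "TRANSACTION"
                return "+OK %d messages" % len(self.mailbox)
            self.user = None
            return "-ERR authentication failed"
        if self.state != "TRANSACTION":
            return "-ERR session closed"
        live = [i for i in range(len(self.mailbox)) if i not in self.deleted]
        if verb == "STAT":
            return "+OK %d %d" % (len(live), sum(len(self.mailbox[i]) for i in live))
        if verb == "RSET":
            self.deleted.clear()
            return "+OK"
        if verb in ("RETR", "DELE"):
            i = self._index(arg)
            if i is None:
                return "-ERR no such message"
            if verb == "DELE":
                self.deleted.add(i)
                return "+OK marked for deletion"
            head, _, body = self.mailbox[i].partition("\r\n\r\n")
            return self._multiline(head.split("\r\n") + [""] + body.split("\r\n"))
        return "-ERR unknown command"
```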
Problems with POP3
Authentication information is sent in cleartext (although POP3 supports MD5 hashed authentication, it’s not commonly used)
Messages are sent in cleartext
Buffer overflows
Root level attacks
Simple Mail Transport Protocol
Defined in RFC 821
Used for transmitting mail between servers and domains
THE definitive solution for inter-domain mail transfer on the Internet
Operation of SMTP
Remote server connects to the local machine, local machine greets
Remote machine introduces itself
Remote machine indicates who the message is from
Remote machine indicates one or more recipients
Remote machine transmits the data of the message
Commands
HELO or EHLO – Command for the remote machine to introduce itself to the local machine
MAIL FROM:<w@x> – indicates the sender of the message
RCPT TO:<y@z> – indicates the recipient of the message
DATA – indicates the start of the data transfer (concluded with a CRLF.CRLF string)
Problems with SMTP
Buffer overflows are common
Messages are sent in cleartext (by default)
Normal SMTP session
duke% telnet login.dataixl.com 25
Trying 64.2.85.40...
Connected to unix.dataixl.com.
Escape character is '^]'.
220 unix.dataixl.com ESMTP Sendmail 8.11.0/8.11.0; Wed, 14 Feb 2001 16:42:33 -0500
HELO duke.poly.edu
250 unix.dataixl.com Hello [email protected] [128.238.2.92], pleased to meet you
MAIL FROM:<[email protected]>
250 2.1.0 <[email protected]>... Sender ok
RCPT TO:<[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
RCPT TO:<[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: Hello

This is just a hello message.
250 2.0.0 f1ELgoO22093 Message accepted for delivery
QUIT
221 2.0.0 unix.dataixl.com closing connection
Connection closed by foreign host.
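The server side of the exchange in the transcript above, as an added Python example (not the slides' code): a state machine that enforces the HELO, MAIL, RCPT, DATA order, collects the message until the lone "." that ends CRLF.CRLF while undoing dot-stuffing, and refuses RCPT TO addresses outside its own domains so the server cannot be used to relay mail elsewhere. The hostname and domain are taken from the transcript; the reply texts and the addresses used in the test are constructed.

```python
class SmtpReceiver:
    """Server side of the envelope exchange: HELO/EHLO, MAIL FROM, RCPT TO, DATA ... CRLF.CRLF,
    QUIT. Each feed() call takes one client line without its CRLF and returns the reply."""
    def __init__(self, hostname, local_domains):
        self.hostname = hostname
        self.local = {d.lower() for d in local_domains}   # domains we accept mail for
        self.delivered = []                                 # (sender, recipients, body) accepted
        self.helo, self.in_data, self.lines = None, False, []
        self.sender, self.rcpts = None, []

    def greeting(self):
        return "220 %s ESMTP ready" % self.hostname

    def feed(self, line):
        if self.in_data:
            if line == ".":                                  # lone dot ends the message
                self.in_data = False
                self.delivered.append((self.sender, self.rcpts, "\r\n".join(self.lines)))
                self.sender, self.rcpts = None, []
                return "250 2.0.0 message accepted for delivery"
            self.lines.append(line[1:] if line.startswith("..") else line)   # undo dot-stuffing
            return None                                      # no reply while collecting DATA
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo, self.sender, self.rcpts = arg, None, []
            return "250 %s Hello %s" % (self.hostname, arg)
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            if not self.helo:
                return "503 5.5.1 send HELO first"
            self.sender, self.rcpts = arg[5:].strip("<> "), []
            return "250 2.1.0 sender ok"
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            if self.sender is None:
                return "503 5.5.1 need MAIL first"
            addr = arg[3:].strip("<> ")
            if addr.rpartition("@")[2].lower() not in self.local:
                return "550 5.7.1 relaying denied"           # only accept mail for local domains
            self.rcpts.append(addr)
            return "250 2.1.5 recipient ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 need RCPT first"
            self.in_data, self.lines = True, []
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return "221 2.0.0 %s closing connection" % self.hostname
        return "500 5.5.2 command unrecognized"
```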
The Domain Name System
Defined in RFC 1035
Designed to resolve names into addresses
Designed to be a distributed system
Different types of records for different purposes
Types of Records
A – a host address
NS – Authoritative name server address
SOA – Start Of Authority
MX – Mail Exchanger
HINFO – Hardware info
CNAME – Canonical name for an alias
Operation of DNS
0. User types www.microsoft.com into the Web browser
1. Client requests the address of www.microsoft.com (A) from local DNS
2. Local DNS checks its cache; if the address is known it is immediately returned to the client, otherwise local DNS requests microsoft.com (NS) from a root server
3. Root server responds to local DNS with the appropriate address for the microsoft.com DNS
4. Local DNS contacts the microsoft.com DNS to resolve www.microsoft.com (A)
5. Microsoft.com DNS responds to local DNS with the address of www.microsoft.com (A)
6. Local DNS responds to the client with the address of www.microsoft.com (A)
7. Client initiates a TCP session to the IP address associated with www.microsoft.com (A)
Authority
When you “own” a domain name, you are responsible for maintaining at least one authoritative name server
This server NEVER checks a cache and is the authority for queries to your domain
If this server goes down, so does your domain
Authoritative domain file
@ IN SOA dan.spacelab.net. dkatz.dan.spacelab.net. (
        2001010801 ; serial number
        86400 ; refresh: 24 hours
        3600 ; retry: 1 hour
        432000 ; expire: 5 days
        86400 ) ; minimum: 1 week
        IN A 64.2.85.40
        IN NS unix
        IN MX 0 unix
Localhost IN A 127.0.0.1
Unix IN A 64.2.85.40
        IN HINFO P100/48MB/4.0GB LINUX
www IN CNAME unix
ftp IN CNAME unix
login IN CNAME unix
irc IN CNAME unix
nt IN A 209.14.148.179
        IN HINFO K62-400/128MB/4.0GB WIN95
me IN CNAME nt
www2 IN A 209.14.148.180
        IN HINFO 2xP90/100MB/4.0GB WINNT
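As an added Python example (not the slides' code), a parser for the zone file above and a lookup that answers A, NS, MX and CNAME queries from it, following CNAME chains the way the resolver in the walkthrough does and refusing to spin on a chain that never terminates. The sample is an excerpt of the zone; its origin is not stated on the slide and is assumed here to be dataixl.com, the domain the SMTP transcript shows at 64.2.85.40.

```python
import re

# Excerpt of the slides' zone file as sample input; origin assumed to be dataixl.com (not stated there).
ZONE = """\
@ IN SOA dan.spacelab.net. dkatz.dan.spacelab.net. (
        2001010801 ; serial number
        86400 ; refresh: 24 hours
        3600 ; retry: 1 hour
        432000 ; expire: 5 days
        86400 ) ; minimum: 1 week
        IN A 64.2.85.40
        IN NS unix
        IN MX 0 unix
unix IN A 64.2.85.40
www IN CNAME unix
"""

def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples; relative names are qualified against origin."""
    origin = origin.rstrip(".") + "."
    fqdn = lambda n: origin if n == "@" else (n if n.endswith(".") else n + "." + origin).lower()
    text = re.sub(r";[^\n]*", "", text)                                          # strip comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)  # join ( ... ) groups
    records, owner = [], None
    for line in filter(str.strip, text.splitlines()):
        if line[0] not in " \t":             # a leading blank means "same owner as previous record"
            owner, _, line = line.strip().partition(" ")
        toks = [t for t in line.split() if t.upper() != "IN"]
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype in ("NS", "CNAME"):
            rdata = [fqdn(rdata[0])]
        elif rtype == "MX":
            rdata = [int(rdata[0]), fqdn(rdata[1])]
        records.append((fqdn(owner), rtype, rdata))
    return records

def resolve(records, name, rtype, max_chain=8):
    """Answer a query from the zone, following CNAMEs; a chain longer than max_chain (e.g. a loop) raises."""
    name = name.lower().rstrip(".") + "."
    chain = []
    for _ in range(max_chain):
        answers = [r for o, t, r in records if o == name and t == rtype]
        if answers or rtype == "CNAME":
            return chain, answers
        cname = [r[0] for o, t, r in records if o == name and t == "CNAME"]
        if not cname:
            return chain, []
        chain.append((name, cname[0]))
        name = cname[0]
    raise ValueError("CNAME chain too long or looping")
```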
Diagnostic Tools (use with discretion)
Dig
Nslookup
Whois (available at www.networksolutions.com)