Network Security and Management CS682 – Sessions 3 and 4 Prof. Katz

Date posted: 19-Dec-2015

Transcript
Page 1: Network Security and Management, CS682 – Sessions 3 and 4, Prof. Katz

Page 2: Public-Key Cryptography

- Concept created by Diffie and Hellman in 1976
- Two keys are used, one for encoding and the other for decoding
- Also usually supports digital signatures

Page 3: Diffie–Hellman concepts

1. It is easy for party B to generate a public and private key
2. It is easy for sender A, knowing B’s public key and message M, to generate the corresponding ciphertext
3. It is easy for B, knowing his private key and the ciphertext, to compute the plaintext
4. It is impossible for an opponent knowing B’s public key and the ciphertext to compute the plaintext
5. It is impossible for an opponent knowing B’s public key and the ciphertext to compute the private key

Page 4: Network Protocols

Page 5: A history of IP

- Originally designed by the DoD for military purposes
- Used to create the DARPANET
- DARPANET later evolved into the Internet for educational purposes
- Recently been utilized more for commercial purposes

Page 6: IP Header (minimum length 20 octets)

Bit positions 0–31 run left to right; each row is one 32-bit word:

  Ver (0–3) | IHL (4–7) | Type of Service (8–15) | Total Length (16–31)
  Identifier (0–15) | Flags (16–18) | Fragment Offset (19–31)
  Time To Live (0–7) | Protocol (8–15) | Header Checksum (16–31)
  Source Address (0–31)
  Destination Address (0–31)
  Options + Padding (variable)

Page 7: User Datagram Protocol (UDP)

- A simple, connectionless layer 4 protocol for the transmission of non-critical data
- No reliability, no confirmation of delivery, no ordering of packets!
- Very light protocol which sits on top of the IP layer.
- Used by a number of ULPs (upper-layer protocols) including DNS, DHCP, and BootP.

Page 8: Port numbers

- UDP introduces the concept of port numbers as a layer 4 address.
- Ports are used to indicate which layer 7 service should receive the packet and which produced it.
- When a server program starts it “binds” to the port it will use for communication (usually <1024); UDP then knows that data received for that port should be delivered to that program.

Page 9: Ports (cont.)

- When a client service begins communication it can either request a specific port for communication or use a unique port provided by the OS.
- Server ports are static, client ports may be dynamic.

Page 10: Common UDP port numbers

- 67 – BootP server
- 68 – BootP client
- 69 – Trivial FTP

Page 11: UDP Header

Bit positions 0–31 run left to right; each row is one 32-bit word:

  Source Port (0–15) | Destination Port (16–31)
  Length (0–15) | Checksum (16–31)
  Data

Page 12: Header Values

- Source port – the port on the source host which generated this message
- Destination port – the port on the destination host which should receive this message
- Length – the length of the header and data

Page 13: UDP Checksum

- The UDP checksum is calculated across the data and the header.
- The checksum is the one’s complement of the 16-bit sum of the words in the header and data.
- Additionally, the 32-bit source and destination addresses, the 8-bit protocol field, and the UDP length are included in the sum.

Page 14: UDP Checksum (cont.)

- On the receiving end all words are added to the checksum and the result should be all ones.
- If the result is not all ones then an error has occurred.
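The IP header layout on Page 6 and the checksum rules on Pages 13–14, worked through in Python. This is an added example, not code from the slides: it parses a constructed IPv4 header, builds the UDP pseudo-header (32-bit source and destination addresses, a zero octet, protocol 17, UDP length), computes the one’s-complement checksum, and on the receiving side checks that every word including the transmitted checksum sums to all ones. The 10.0.0.x addresses and the sample payload are constructed; only the standard library is used.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    # Add the 16-bit big-endian words, folding carries back into the low 16 bits (RFC 1071).
    data += b"\x00" * (len(data) % 2)         # odd-length data gets a zero pad octet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ipv4_header(packet: bytes) -> dict:
    # Decode the fixed 20-octet header from the slide and verify the header checksum.
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                # IHL counts 32-bit words; minimum is 20 octets
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > total_len or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    return {"ihl": ihl, "total_length": total_len, "protocol": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "header_ok": ones_complement_sum(packet[:ihl]) == 0xFFFF}

def udp_pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    # 32-bit source, 32-bit destination, zero octet, 8-bit protocol (17 = UDP), 16-bit UDP length.
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, udp_len)

def udp_checksum(src: str, dst: str, udp: bytes) -> int:
    # Sender: one's complement of the sum over pseudo-header + UDP header + data (checksum field = 0).
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    csum = 0xFFFF ^ ones_complement_sum(udp_pseudo_header(src, dst, len(udp)) + zeroed)
    return csum or 0xFFFF                     # RFC 768: a computed zero is transmitted as all ones

def udp_checksum_ok(src: str, dst: str, udp: bytes) -> bool:
    # Receiver: add every word including the transmitted checksum; a good datagram sums to all ones.
    if udp[6:8] == b"\x00\x00":
        return True                           # IPv4 sender sent no checksum at all (nothing to verify)
    return ones_complement_sum(udp_pseudo_header(src, dst, len(udp)) + udp) == 0xFFFF

def build_sample_packet(payload: bytes = b"constructed sample") -> bytes:
    # Constructed IPv4+UDP datagram 10.0.0.1:5353 -> 10.0.0.2:53 with both checksums filled in.
    src, dst = "10.0.0.1", "10.0.0.2"
    udp = struct.pack("!HHHH", 5353, 53, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0x4000, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip[:10] + struct.pack("!H", 0xFFFF ^ ones_complement_sum(ip)) + ip[12:] + udp

def check_packet(packet: bytes) -> dict:
    hdr = parse_ipv4_header(packet)           # raises ValueError on a malformed header
    udp = packet[hdr["ihl"]:hdr["total_length"]]
    hdr["udp_ok"] = hdr["protocol"] == 17 and udp_checksum_ok(hdr["src"], hdr["dst"], udp)
    return hdr
```

Corrupting any payload byte of the sample packet makes udp_checksum_ok return False while the IP header check still passes, which is the separation the two slides describe.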

Page 15: Transport Control Protocol

- Provides a connection-oriented layer 4 service
- Provides guarantees
- Provides sequencing

Page 16: TCP Header

Bit positions 0–31 run left to right; each row is one 32-bit word:

  Source Port (0–15) | Destination Port (16–31)
  Sequence Number (0–31)
  Acknowledgement Number (0–31)
  Header len (0–3) | reserved (4–9) | URG ACK PSH RST SYN FIN (10–15) | Window size (16–31)
  Checksum (0–15) | Urgent Pointer (16–31)
  Options + padding (variable)
  Data

Page 17: TCP Header (cont.)

- Source and destination ports – which application produced the packet and which should receive it
- Sequence number – identifies the position of the first byte in the packet relative to the first byte in the stream
- Acknowledgement number – the sequence number of the next byte which the receiving station expects

Page 18: TCP Header (cont.) – flag bits

- URG – Urgent
- ACK – Acknowledgement
- PSH – Push
- RST – Reset
- SYN – Synchronize sequence numbers
- FIN – Final packet

Page 19: TCP Connection Establishment

1. Client sends SYN
2. Server replies with SYN-ACK
3. Client replies with ACK

Page 20: TCP Connection maintenance

- The sequence number is incremented for every packet sent
- An acknowledgement must be made before the window size is reached.
- An ACK is sent for the next byte which the client expects to receive.

Pages 21–22: TCP State Diagram (diagram slides; not reproduced in the transcript)
Page 23: Fundamentals of network security

- Employing good network security requires that you know everything about the network!
- We will forfeit some usability for security.
- If your recommendations are not followed – CYA!

Page 24: Common Network Protocols

- HTTP – used for traffic on the World Wide Web, usually port 80
- FTP – used to transmit binary and ASCII data files, control connections on port 21
- Telnet – used to obtain a shell on a remote system, usually port 23
- POP3 – used by clients to retrieve email from corporate servers, usually port 110
- SMTP – used to transfer mail between domains/servers, usually port 25
- DNS – used to resolve names, UDP port 54

Page 25: Request for Comments

- Maintained by the Internet Engineering Task Force (www.IETF.org)
- Protocol designers publish documents and release them to the Internet community for comments and implementation
- RFCs are accepted today as the rules for implementing protocols

Page 26: HyperText Transfer Protocol

- Version 1.1 defined in RFC 2068
- No banner on connection establishment
- Client should send all header information followed by a return character ‘\n’

Page 27: URI Specifications

- Uniform Resource Identifier
- Used to indicate resources available on a network
- <scheme>://<authority><path>?<query>
- E.g. http://search.microsoft.com/search.asp?find=MS

Page 28: HTTP OPTIONS

- Obtain all server information

Page 29: HTTP GET

- Request for one file

Page 30: HTTP HEAD

- Returns only the header information which would be obtained by a GET command
- Useful for determining if a document should be downloaded or used from cache

Page 31: HTTP POST

- Used to send large amounts (>500 bytes) of data to a remote system
- Can be used for large forms or for uploading files

Page 32: HTTP PUT

- Same concept as POST but used only for uploading files

Page 33: Security Problems with HTTP

- Buffer overflows are common
- Non-anonymous users send their username/password as a Base64 encoding
- Excessive client data transmitted
- Snooping possible when uploading data
- Cookies

Page 34: FTP

- Defined in RFC 959
- FTP control connections are established on port 21
- USER is followed by a username and a return character, and PASS is followed by a password and a return character

Page 35: FTP Standard Data Connections

- User initiates the data transfer and sets up a listener on a specific port; the server connects to that port and “dumps” the file.

Page 36: FTP PASV Data Connections

- User indicates that passive mode data transfer should occur
- User selects the file which should be transferred
- Server creates a listener and allows the client to connect to it; once the connection is established, the server “dumps” the file

Page 37: Security Problems with FTP

- Buffer overflows
- Security credentials are sent in cleartext
- Opens dynamic ports which firewalls may allow through
- Data is sent in cleartext

Page 38: Telnet

- User connects to the server port; the server displays a welcome banner (usually /etc/issue.net) then requests login
- Client responds to the server’s login request with a valid username/password
- Shell is activated with STDOUT and STDERR mapped to the client’s terminal

Page 39: Security Problems with Telnet

- All data (including username/password) is sent in cleartext
- Buffer overflows and root attacks possible

Page 40: Post Office Protocol version 3

- Defined in RFC 1725
- Used to download mail from a server for local reading when direct file access is not available or advisable
- Very popular on the Internet, almost the prime source of email

Page 41: Operation of POP3

1. User establishes a connection to the server port (usually 110/tcp)
2. Server greets user
3. User issues the USER command with a valid username
4. Server will always respond with “+OK”
5. User issues the PASS command with the password
6. Server will attempt to authenticate the user
7. If successful “+OK” is returned, otherwise “-ERR”

Page 42: Transaction state commands

- STAT – see the total number of messages and bytes
- UIDL (#) – obtain the Unique ID Listing for messages in the mailbox
- RETR # – retrieve one message
- DELE # – mark one message for deletion
- LIST (#) – show the size of a/all message(s)
- RSET – mark all messages as undeleted
- TOP M# N# – return the first N# lines from message M#

Page 43: Normal POP3 session

Pop3.txt (attached session transcript; not reproduced here)

Page 44: Implementing POP3

1. When the user is authenticated, open the mailbox and parse the messages in it into memory
2. Read in each command and respond appropriately
3. When QUIT is received, copy the contents of memory to the mailbox
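A minimal in-memory handler that follows the outline of Pages 41–44 (USER/PASS, then STAT, LIST, RETR, DELE and RSET, with deletions applied only at QUIT). This is an added example, not code from the slides: the `Pop3Session` class, its dict-based credential store and its mailbox dict are constructed for illustration. RETR byte-stuffs lines that begin with “.” so a client cannot mistake message content for the end-of-message marker.

```python
class Pop3Session:
    # Constructed, minimal POP3 handler following the slide outline (USER/PASS, then transaction commands).
    def __init__(self, users: dict, mailboxes: dict):
        self.users, self.mailboxes = users, mailboxes   # {user: password}, {user: [message text]}
        self.user, self.authed, self.msgs, self.deleted = None, False, [], set()

    def handle(self, line: str) -> str:
        # One client command line in, one server reply out (multi-line replies end with ".").
        cmd, _, arg = line.rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "QUIT":
            return self._quit()
        return self._transaction(cmd, arg) if self.authed else self._authorize(cmd, arg)

    def _authorize(self, cmd: str, arg: str) -> str:
        if cmd == "USER":
            self.user = arg
            return "+OK"                                    # always +OK, as the slide says
        if cmd == "PASS" and self.user is not None and self.users.get(self.user) == arg:
            self.authed = True
            self.msgs = list(self.mailboxes.get(self.user, []))   # parse the mailbox into memory
            return "+OK %d messages" % len(self.msgs)
        return "-ERR"

    def _transaction(self, cmd: str, arg: str) -> str:
        live = [(n, m) for n, m in enumerate(self.msgs, 1) if n not in self.deleted]  # 1-based numbering
        if cmd == "STAT":
            return "+OK %d %d" % (len(live), sum(len(m) for _, m in live))
        if cmd == "LIST":                                   # lists every undeleted message
            return "+OK\r\n" + "".join("%d %d\r\n" % (n, len(m)) for n, m in live) + "."
        if cmd == "RSET":
            self.deleted.clear()                            # mark all messages as undeleted
            return "+OK"
        n = int(arg) if arg.isdigit() else 0
        if not 1 <= n <= len(self.msgs) or n in self.deleted:
            return "-ERR no such message"
        if cmd == "DELE":
            self.deleted.add(n)                             # only marked; removed at QUIT
            return "+OK"
        if cmd == "RETR":
            # Byte-stuff lines beginning with "." so the client cannot mistake them for the terminator.
            lines = self.msgs[n - 1].split("\r\n")
            return "+OK\r\n" + "\r\n".join("." + l if l.startswith(".") else l for l in lines) + "\r\n."
        return "-ERR unknown command"

    def _quit(self) -> str:
        # Update state: copy the surviving messages from memory back to the mailbox.
        if self.authed:
            self.mailboxes[self.user] = [m for n, m in enumerate(self.msgs, 1) if n not in self.deleted]
        return "+OK bye"
```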

Page 45: Problems with POP3

- Authentication information is sent in cleartext (although POP3 supports MD5 hashed authentication, it’s not commonly used)
- Messages are sent in cleartext
- Buffer overflows
- Root-level attacks
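The cleartext-credential problems listed for HTTP (Page 33), FTP (Page 37) and POP3 (Page 45), turned into detection logic a network monitor could run over captured client-to-server streams. This is an added example, not from the slides: the session dict shape, the `find_cleartext_credentials`/`scan` names and the 192.0.2.x captures are constructed. It reports the user and the flow and deliberately never records the secret; Telnet logins are not covered here.

```python
import base64
import re

# Cleartext services from the slides: anything on these ports carries credentials unencrypted.
CLEARTEXT_PORTS = {21: "FTP", 80: "HTTP", 110: "POP3"}
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
USER_PASS_RE = re.compile(r"^(USER|PASS)\s+(\S+)\s*$", re.I | re.M)

def find_cleartext_credentials(session: dict) -> list:
    # One captured client->server stream in; redacted findings out (the secret itself is never kept).
    # session = {"src": str, "dst": str, "dst_port": int, "client_data": str}  (constructed shape)
    proto = CLEARTEXT_PORTS.get(session["dst_port"])
    findings = []
    if proto is None:
        return findings
    flow = "%s -> %s:%d" % (session["src"], session["dst"], session["dst_port"])
    if proto == "HTTP":
        for token in BASIC_RE.findall(session["client_data"]):
            try:   # Base64 is an encoding, not encryption: anyone on the path can reverse it
                user = base64.b64decode(token, validate=True).decode("utf-8", "replace").split(":", 1)[0]
            except ValueError:
                continue                                # not valid Base64; nothing to report
            findings.append({"protocol": proto, "flow": flow, "user": user,
                             "issue": "HTTP Basic credentials sent over cleartext HTTP"})
    else:
        user = None
        for cmd, value in USER_PASS_RE.findall(session["client_data"]):
            if cmd.upper() == "USER":
                user = value
            elif user is not None:                      # PASS after USER: the password crossed the wire
                findings.append({"protocol": proto, "flow": flow, "user": user,
                                 "issue": "%s password sent in cleartext" % proto})
    return findings

# Constructed sample captures (documentation addresses, made-up accounts).
SAMPLE_SESSIONS = [
    {"src": "192.0.2.10", "dst": "192.0.2.20", "dst_port": 80,
     "client_data": "GET /admin/ HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
                    + base64.b64encode(b"alice:s3cret").decode() + "\r\n\r\n"},
    {"src": "192.0.2.11", "dst": "192.0.2.21", "dst_port": 110,
     "client_data": "USER bob\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n"},
    {"src": "192.0.2.12", "dst": "192.0.2.22", "dst_port": 21,
     "client_data": "USER anonymous\r\nPASS guest@\r\nPASV\r\n"},
    {"src": "192.0.2.13", "dst": "192.0.2.23", "dst_port": 443, "client_data": "\x16\x03\x01 (TLS)"},
]

def scan(sessions: list = SAMPLE_SESSIONS) -> list:
    return [f for s in sessions for f in find_cleartext_credentials(s)]
```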

Page 46: Simple Mail Transport Protocol

- Defined in RFC 821
- Used for transmitting mail between servers and domains
- THE definitive solution for inter-domain mail transfer on the Internet

Page 47: Operation of SMTP

1. Remote server connects to the local machine; the local machine greets
2. Remote machine introduces itself
3. Remote machine indicates who the message is from
4. Remote machine indicates one or more recipients
5. Remote machine transmits the data of the message

Page 48: Commands

- HELO or EHLO – command for the remote machine to introduce itself to the local machine
- MAIL FROM:<w@x> – indicates the sender of the message
- RCPT TO:<y@z> – indicates the recipient of the message
- DATA – indicates the start of the data transfer (concluded with a CRLF.CRLF string)

Page 49: Problems with SMTP

- Buffer overflows are common
- Messages are sent in cleartext (by default)

Page 50: Normal SMTP session

duke% telnet login.dataixl.com 25
Trying 64.2.85.40...
Connected to unix.dataixl.com.
Escape character is '^]'.
220 unix.dataixl.com ESMTP Sendmail 8.11.0/8.11.0; Wed, 14 Feb 2001 16:42:33 -0500
HELO duke.poly.edu
250 unix.dataixl.com Hello [email protected] [128.238.2.92], pleased to meet you
MAIL FROM:<[email protected]>
250 2.1.0 <[email protected]>... Sender ok
RCPT TO:<[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
RCPT TO:<[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: Hello

This is just a hello message.
.
250 2.0.0 f1ELgoO22093 Message accepted for delivery
QUIT
221 2.0.0 unix.dataixl.com closing connection
Connection closed by foreign host.

Page 51: The Domain Name System

- Defined in RFC 1035
- Designed to resolve names into addresses
- Designed to be a distributed system
- Different types of records for different purposes

Page 52: Types of Records

- A – a host address
- NS – authoritative name server address
- SOA – Start Of Authority
- MX – Mail Exchanger
- HINFO – hardware info
- CNAME – canonical name for an alias

Page 53: Operation of DNS

0. User types www.microsoft.com into the Web browser
1. Client requests the address of www.microsoft.com (A) from the local DNS
2. Local DNS checks its cache; if the address is known it is immediately returned to the client, otherwise the local DNS requests microsoft.com (NS) from a root server
3. Root server responds to the local DNS with the appropriate address for the microsoft.com DNS
4. Local DNS contacts the microsoft.com DNS to resolve www.microsoft.com (A)
5. microsoft.com DNS responds to the local DNS with the address of www.microsoft.com (A)
6. Local DNS responds to the client with the address of www.microsoft.com (A)
7. Client initiates a TCP session to the IP address associated with www.microsoft.com (A)

Page 54: Authority

- When you “own” a domain name, you are responsible for maintaining at least one authoritative name server
- This server NEVER checks a cache and is the authority for queries to your domain
- If this server goes down, so does your domain

Page 55: Authoritative domain file

@         IN SOA   dan.spacelab.net. dkatz.dan.spacelab.net. (
                   2001010801 ; serial number
                   86400      ; refresh: 24 hours
                   3600       ; retry: 1 hour
                   432000     ; expire: 5 days
                   86400 )    ; minimum: 1 week
          IN A     64.2.85.40
          IN NS    unix
          IN MX    0 unix
localhost IN A     127.0.0.1
unix      IN A     64.2.85.40
          IN HINFO P100/48MB/4.0GB LINUX
www       IN CNAME unix
ftp       IN CNAME unix
login     IN CNAME unix
irc       IN CNAME unix
nt        IN A     209.14.148.179
          IN HINFO K62-400/128MB/4.0GB WIN95
me        IN CNAME nt
www2      IN A     209.14.148.180
          IN HINFO 2xP90/100MB/4.0GB WINNT
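A parser for the zone file format shown above, together with the name resolution an authoritative server performs for an A query (Page 54: it answers from its own data, never from a cache). This is an added example, not from the slides: it assumes the origin `spacelab.net.` for `@`, uses a shortened copy of the listing as constructed sample input, handles the blank owner column and the parenthesised multi-line SOA, and bounds CNAME chasing so a looped pair of CNAME records cannot hang the resolver.

```python
# Shortened copy of the slide's zone file, used here as constructed sample input.
SAMPLE_ZONE = """@       IN SOA  dan.spacelab.net. dkatz.dan.spacelab.net. (
                2001010801 ; serial number
                86400 )    ; minimum
        IN A    64.2.85.40
        IN MX   0 unix
unix    IN A    64.2.85.40
        IN HINFO P100/48MB/4.0GB LINUX
www     IN CNAME unix
me      IN CNAME nt
nt      IN A    209.14.148.179
"""

def qualify(name: str, origin: str) -> str:
    # "@" means the zone origin; a name without a trailing dot is relative to the origin.
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else "%s.%s" % (name.lower(), origin)

def parse_zone(text: str, origin: str = "spacelab.net.") -> list:
    # Returns (owner, type, rdata) triples; a blank owner column inherits the previous owner.
    records, owner, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()              # strip ';' comments
        if not line.strip():
            continue
        buf += (" " + line) if buf else line
        if buf.count("(") > buf.count(")"):               # record continues on the next line
            continue
        fields = buf.replace("(", " ").replace(")", " ").split()
        if not buf[0].isspace():                          # owner column is present
            owner = qualify(fields.pop(0), origin)
        buf = ""
        fields = fields[fields[0].upper() == "IN":]       # drop the optional class field
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME", "MX"):                # rdata ends in a name that may be relative
            rdata[-1] = qualify(rdata[-1], origin)
        records.append((owner, rtype, " ".join(rdata)))
    return records

def resolve_a(name: str, records: list, origin: str = "spacelab.net.", max_hops: int = 8) -> list:
    # Answer an A query as the authoritative server would: follow CNAMEs, then return the addresses.
    name = qualify(name, origin)
    for _ in range(max_hops):                             # bounded so a CNAME loop cannot spin forever
        addrs = [r for o, t, r in records if o == name and t == "A"]
        cnames = [r for o, t, r in records if o == name and t == "CNAME"]
        if addrs or not cnames:
            return addrs
        name = cnames[0]
    return []
```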

Page 56: Diagnostic Tools (use with discretion)

- Dig
- Nslookup
- Whois (available at www.networksolutions.com)