Basic Networking

Jan 04, 2016

Yaseen Kagee

Page 1: Basic Networking

COMPUTER SECURITY: Basic Networking Principles

The basics of computer security are:

• Confidentiality
• Availability
• Integrity
• Non-repudiation

Page 2: Basic Networking

The world’s most secure computer network!

How secure is it?

Page 3: Basic Networking

[Diagram: devices joined by a network cable]

How secure is this?

Page 4: Basic Networking

[Diagram: wall sockets and building wiring]

… and this?

Page 5: Basic Networking

[Diagram: building wiring into an Ethernet switch that has a physical or logical admin port]

… and this?

Page 6: Basic Networking

[Diagram: building wiring into an Ethernet switch (with a physical or logical admin port), connected to a router leading to other networks, private and public]

… and this?

Page 7: Basic Networking

Public Switched Telephone Network (PSTN)

• Homes, offices, etc individually wired to “concentration points”
• Concentration points wired to other “concentration points”, etc, through to the exchange

Internet Service Providers

• Banks of modems (from PSTN)
• Broadband connections (from PSTN!)
• Leased lines (from PSTN!!)
• Wireless
• Etc

Concentrated into switches, then routers to other networks

Page 8: Basic Networking

All network-connected devices are allocated a unique Media Access Control (MAC) address at manufacture (12 hex digits). This gives 2^48 possible addresses.

[Diagram: devices on a network cable]

For devices connected to the same sub-network (including through switches and bridges, but not routers) this is all that is needed.

However, MAC addresses can be overridden! Thus one device can “spoof” another device!

Page 9: Basic Networking

When a device wants to send a message to another device, it formulates that message in a buffer, with the destination address first, its own address second, then the rest of the message.

In traditional Ethernet, each device looks at each message, checks the destination address to see if it is for that device, and either copies the message if it is, or leaves it if it isn’t.

In an Ethernet switch, the switch performs this function, and sends each message only to the appropriate port.

Page 10: Basic Networking

However, humans dislike remembering 12 digit MAC addresses, and what happens when the hardware is changed?

An Address Resolution Protocol exists to convert MAC addresses to “names”.

This is a simple look-up table:

12 34 56 78 90 ab   Fred
21 43 65 87 09 cd   George
Etc.

Thus the user can specify “Fred” as the destination, and the app will do the conversion. Clearly all ARP tables must be the same at all times.

(WINS is similar)

Page 11: Basic Networking

IP assigns addresses to networks and devices. IP addresses take the form of

a.b.c.d, where a, b, c & d can each be between 1 and 254 (with exceptions)

The address is split into two parts: the network identifier and the device identifier.

Thus for CPUT, the first two number groups are “155.238” and this UNIQUELY identifies CPUT’s network on the Internet. (It is possible to have a non-Internet connected network with the same address, more of which later)

A device is configured with an IP address. A device can have more than one IP address, but an IP address can have only one MAC address.

The mapping between MAC and IP addresses is done in ARP tables.

Page 12: Basic Networking

[Diagram: hosts 1.1.1.1, 1.1.1.2 and 1.1.2.1 connected through a router whose interfaces are 1.1.1.99 and 1.1.2.99 (router also labelled 100.1.1.1); MAC addresses shown as 11, 22, 33 and 99; protocol stack MAC → IP, with message passing between layers]

Page 13: Basic Networking

Interconnected networks need a “default gateway” configured. This device takes all non-local traffic and forwards it to another device, either on the destination network or to another router that can get it to the destination network. This is called “routing”.

Routers attempt to find out as much about the world as they can, so that they can optimise their routes between routers.

If you can configure a network(s) so that all traffic goes through your router, YOU CAN SEE EVERYTHING!

(Been done! See cisco router security breach some years ago. Similarly ISP security breaches.)
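The network/device split from Page 11 and the “is it local, or does it go to the default gateway?” decision from Page 13, as an added example that is not part of the original slides. The prefix length is an assumption (16 bits for the “155.238” CPUT example, 24 bits for the 1.1.1.x / 1.1.2.x diagram); a real host learns it from its configured subnet mask.

```python
# Added example (not from the slides): split an IPv4 address into network and
# device identifiers and pick the next hop for a destination.

def parse_ipv4(addr):
    """Convert dotted 'a.b.c.d' to a 32-bit integer, validating each group."""
    groups = addr.split(".")
    if len(groups) != 4:
        raise ValueError("not a dotted-quad address: %r" % addr)
    value = 0
    for g in groups:
        n = int(g)
        if not 0 <= n <= 255:
            raise ValueError("number group out of range in %r" % addr)
        value = (value << 8) | n
    return value

def is_valid_ipv4(addr):
    try:
        parse_ipv4(addr)
        return True
    except ValueError:
        return False

def format_ipv4(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def network_id(addr, prefix_len):
    """Network identifier: keep the first prefix_len bits, zero the device part."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return format_ipv4(parse_ipv4(addr) & mask)

def device_id(addr, prefix_len):
    """Device identifier: the bits not covered by the network identifier."""
    mask = (1 << (32 - prefix_len)) - 1
    return parse_ipv4(addr) & mask

def next_hop(src, dst, prefix_len, default_gateway):
    """Same network: deliver directly (MAC layer). Otherwise hand it to the
    default gateway, which is the only device that knows how to route it."""
    if network_id(src, prefix_len) == network_id(dst, prefix_len):
        return dst
    return default_gateway
```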

Page 14: Basic Networking

Having found the device we want to connect to, now we must organise a mechanism whereby we can control the flow of messages (sharing bandwidth, waiting for applications, etc). Enter TCP.

TCP is responsible (inter alia) for synchronising messages, breaking large messages into smaller ones and reassembling fragments into the original whole, handshaking, etc. This is done by using sequence numbers and message offsets. Bits of messages may arrive out of sequence because they take different routes through the network.

[Diagram: protocol stack MAC → IP → TCP, with message passing between layers]

Page 15: Basic Networking

A device may have several IP addresses, with several services talking to several other devices. Eg an Internet server may have HTTP, Mail, FTP, etc running, with multiple network cards (to spread traffic).

How does a device/application know how to contact another device/application?

A port number is used to identify different communication channels for each device. Thus

1.1.1.1:100

is the same device, but a different communication channel, to

1.1.1.1:200

We then associate different applications to different port numbers. The TCP layer will send its message to the relevant application, which in due course will respond.

Typically, an application will negotiate a different port number for the subsequent conversation, leaving its default open for further use.

Page 16: Basic Networking

Common port numbers

Generally (by agreement rather than law), the following applications use the following initial ports:

HTTP     80
FTP      20 & 21
Telnet   23 (Remote terminal session)
SMTP     25 (Simple Mail Transfer Protocol)
DNS      53 (explained later)
POP3     110 (Post Office Protocol)
NetBIOS  137-139
IRC      194
HTTPS    443 (Secure HTTP)
Etc

All “pre-allocated” port numbers are below 1024. Negotiated ports are from 1025-65535.

Not every application conforms to this!!!

[Diagram: protocol stack MAC → IP → TCP, with message passing up to App1, App2 … App(n) on ports 80, 25, 110]

Page 17: Basic Networking

Network names

Humans aren’t good at numbers; they prefer names. This is achieved by a service called “Dynamic Name Service” or DNS.

Names are managed at a high level (national, “.org”, “.edu”, etc). Distinct records of names and associated networks/application services are circulated throughout the network. Each device will have a configured DNS server. If that server can’t find what it’s looking for, it will relay the query to a higher-level authority. If the highest authority doesn’t know the name, it is assumed not to exist.

Page 18: Basic Networking

All of the above is done using well formed, well documented messages, and is done in plain text, or with well documented coding.

Anyone who can construct a legitimate message at any of the protocol layers can/will be seen as a legitimate traffic source/destination.

This can be done even at the MAC layer!

All that is needed is knowledge and good (low level – assembler or ‘c’) programming capabilities.

Page 19: Basic Networking

Firewalls

If all inbound and outbound traffic for a network is forced through a single device, that device can be used to effect some control over the traffic.

[Diagram: internal network → Firewall → Router → to other networks, eg Internet]

Page 20: Basic Networking

Packet Filtering

These firewalls look at traffic, and compare the source, destination and port number details to an “access control list (ACL)” in the firewall configuration:

Source    Dest      Port  Permission  Explain
1.1.1.*   *         80    Allow       HTTP
1.1.1.*   2.2.2.2   25    Allow       Specific email server
1.1.1.1   *         23    Allow       Admin Telnet
*         *         *     Deny        Default rule
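A first-match packet filter that evaluates the ACL above, as an added example that is not part of the original slides. The wildcard handling (a “*” matching a whole address or port, and a trailing “*” matching one number group) is an assumption about how the table is meant to be read; rule order matters, which is why the slide’s Deny default rule sits last.

```python
# Added example (not from the slides): first-match evaluation of the ACL table.

ACL = [
    # (source,   destination, port, permission, explanation)
    ("1.1.1.*",  "*",         80,   "Allow", "HTTP"),
    ("1.1.1.*",  "2.2.2.2",   25,   "Allow", "Specific email server"),
    ("1.1.1.1",  "*",         23,   "Allow", "Admin Telnet"),
    ("*",        "*",         "*",  "Deny",  "Default rule"),
]

def addr_matches(pattern, addr):
    """Compare dotted addresses group by group; '*' matches any group."""
    if pattern == "*":
        return True
    p_groups, a_groups = pattern.split("."), addr.split(".")
    if len(p_groups) != 4 or len(a_groups) != 4:
        return False
    return all(p == "*" or p == a for p, a in zip(p_groups, a_groups))

def port_matches(pattern, port):
    return pattern == "*" or pattern == port

def filter_packet(src, dst, port, acl=ACL):
    """Return (permission, explanation) of the first rule the packet matches.
    A packet that matches no rule at all is still denied: without this, an
    ACL whose author forgot the catch-all would silently pass unknown traffic."""
    for rule_src, rule_dst, rule_port, permission, explain in acl:
        if (addr_matches(rule_src, src) and addr_matches(rule_dst, dst)
                and port_matches(rule_port, port)):
            return permission, explain
    return "Deny", "No matching rule"
```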

Page 21: Basic Networking

Packet Filtering:

• can be complex to configure, since all traffic details must be known
• is normally very secure, as long as the default rule is DENY ALL
• is independent of the actual application
• cannot easily be used for address translation (see later)
• can be, and often is, done in the router itself

Page 22: Basic Networking

Proxy firewalls – application gateways

These receive traffic from a source, detect the destination and application, then call the destination on behalf of the source. They remember the connection, and then redirect the destination response back to the source.

Thus:

• Source (1.1.1.1) calls destination (99.99.99.99) on port 80 (HTTP)
• Proxy intercepts this call
• Proxy strips out the “payload”
• Creates a message identical to the original but with itself as the source
• Remembers both parts of this action

When 99.99.99.99 replies:

• Proxy receives the reply
• Looks up who made this call
• Forwards the reply to 1.1.1.1

Page 23: Basic Networking

Proxy firewalls:

• facilitate address translation (see later)
• are relatively simple to configure
• may need to be “application aware”

In practice both packet filters AND proxy servers are used in tandem.

Page 24: Basic Networking

Address Translation

IP numbers are allocated by a central body. An organisation can ask for a “block” of numbers which, when allocated, become unique to you and may not be used anywhere else on the Internet.

If a network is not connected to the Internet, it can use any numbering scheme it likes.

The Internet (actually IPv4) is running out of unique addresses! Two schemes exist to counter this – Dynamic Host Configuration Protocol (DHCP), and Address Translation.

DHCP “over-subscribes” number blocks, on the basis that not every machine is “on” at the same time, and that an organisation may not use the complete “block” of numbers it has been allocated. ISPs use this for dial-up, etc.

Page 25: Basic Networking

Address Translation

It is possible to allocate a single address to a proxy firewall, that is the only one used/seen on the Internet.

Since all traffic is seen to come from the firewall, the Internet cannot “see” the network addresses on the inside of the firewall, so they can’t be attacked.

To further assist this, certain IP address ranges have been “banned” from the Internet. Any ISP detecting traffic to or from those addresses is required to simply drop that traffic.
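The proxy bookkeeping from Page 22 combined with the single-public-address idea from this page, as an added example that is not part of the original slides. The proxy’s public address (155.238.100.100, taken from the later diagram), the port range it hands out, and the inside host 1.1.1.1 calling 99.99.99.99 on port 80 are constructed for illustration.

```python
# Added example (not from the slides): connection table for a proxy that
# presents one address to the Internet and forwards replies back inside.

PROXY_PUBLIC_ADDR = "155.238.100.100"   # the only address the Internet sees

class ProxyTable:
    def __init__(self, first_port=1025, last_port=65535):
        self._next_port = first_port
        self._last_port = last_port
        # proxy port -> (inside src, inside port, destination, destination port)
        self._by_proxy_port = {}

    def outbound(self, src, src_port, dst, dst_port):
        """Inside host calls out: re-source the message to the proxy and
        remember who asked, so the reply can be matched up later."""
        if self._next_port > self._last_port:
            raise RuntimeError("proxy port range exhausted")
        proxy_port = self._next_port
        self._next_port += 1
        self._by_proxy_port[proxy_port] = (src, src_port, dst, dst_port)
        # "identical to the original but with itself as the source"
        return (PROXY_PUBLIC_ADDR, proxy_port, dst, dst_port)

    def inbound(self, src, src_port, dst, dst_port):
        """Reply arrives from the Internet: look up who made the call.
        Returns the rewritten (src, src_port, inside_dst, inside_port), or
        None for anything unsolicited, which the proxy simply drops."""
        if dst != PROXY_PUBLIC_ADDR:
            return None
        entry = self._by_proxy_port.get(dst_port)
        if entry is None:
            return None            # nobody inside asked for this
        inside_src, inside_port, orig_dst, orig_dst_port = entry
        if (src, src_port) != (orig_dst, orig_dst_port):
            return None            # reply from someone other than the callee
        return (src, src_port, inside_src, inside_port)
```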

Page 26: Basic Networking

[Diagram: internal hosts 10.1.1.1, 10.1.1.2, 10.1.1.99 → Firewall (10.2.1.200 / 10.2.1.201) → Router (155.238.100.100) → to the Internet and other networks]

Page 27: Basic Networking

Simple Internet attacks

Attacking a single machine

If a machine address is known (and there’s no firewall), then anyone can direct any traffic at that machine.

Eg if the machine is running an Internet server (eg IIS), the contents will be visible to anyone browsing to that address on Port 80.

If a machine is running software that enables a remote session (eg Telnet), then that will be available too.

Page 28: Basic Networking

Simple Internet attacks

Denial of Service (DoS)

A special IP message called “ICMP” exists for testing/management purposes. This message format is used by “ping”, “traceroute” and other functions, and can be very useful.

However, responding to “pings” takes time. If an “automated ping” is used, the “ping” packets can be sent at the rate of several millions per second. This swamps all other traffic, to the point where the machine can do nothing else.

It is now possible to switch off both the processing and forwarding of these “ICMP” messages, stopping DoS attacks, but also limiting network functionality.

DoS attacks can be made on regular Port numbers, but they are less successful.
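The slide presents the defence as all-or-nothing: switch ICMP processing off and lose ping and traceroute. This added example, not part of the original slides, goes one step further with a token-bucket limiter that keeps answering pings at a normal rate and discards only the excess of a flood. The rate and burst figures are constructed for illustration; real stacks expose equivalent tunables.

```python
# Added example (not from the slides): rate-limit ICMP echo replies instead
# of disabling ICMP entirely.

class IcmpRateLimiter:
    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)   # tokens refilled per second
        self.burst = float(burst)         # bucket capacity (max burst answered)
        self.tokens = float(burst)
        self.last = 0.0                   # timestamp of the previous request
        self.answered = 0
        self.dropped = 0

    def echo_request(self, now):
        """Return True if this ping is answered, False if it is discarded."""
        elapsed = now - self.last
        self.last = now
        # refill proportionally to the time since the last request
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.answered += 1
            return True
        self.dropped += 1
        return False

def simulate(limiter, timestamps):
    """Feed a list of request times (seconds, ascending) through the limiter."""
    return [limiter.echo_request(t) for t in timestamps]
```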

Page 29: Basic Networking

Simple Internet attacks

Port/Address Scanning

It is very easy to write a system (batch/script) that will test an IP address’s port numbers to see if an application is listening on each port. When one is found, that port can be selectively attacked.

Address scanning is the same, detecting all valid IP addresses in a network.

“War dialing” dials phone numbers looking for modem responses. When one is found, the number is noted for a later port scan.

Page 30: Basic Networking

Simple Internet attacks

Traffic Sniffing

It is possible by a variety of means to see traffic on a network. If an attacker can change the route of traffic to go through a machine under her control, sniffing becomes easy. Otherwise, find a way to put a “sniffer” on a remote machine, and then remotely monitor it.

Page 31: Basic Networking

Simple Internet attacks

Man-in-the-middle or replay attacks

If you can arrange for the traffic to go through your machine, you can act as a proxy, thus trapping all of the content, and being able to change the content at will. Similarly the content can be recorded, and replayed at some future time to “spoof” the original traffic.

Page 32: Basic Networking

The “demilitarised zone” – DMZ

Where do you put Web services such as Web servers?

Putting them outside the firewall makes them vulnerable to all sorts of attack, but everybody MUST be able to see these servers. Normally there will be some kind of “trust relationship” between the web services and at least one person in the company; thus if the server is compromised, so is the trust relationship, and thus so is the internal network.

If we put the web server inside the firewall, no-one can see it – it becomes an “intranet server”. We can put a “hole” in the firewall to allow that specific traffic, but then we defeat the point of a firewall!

Page 33: Basic Networking

[Diagram: Router (155.238.100.100, to the Internet) → Firewall 2 → DMZ containing Webserver and Emailserver (10.3.1.x addresses, 10.3.1.200) → Firewall 1 (10.2.1.200 / 10.2.1.201) → internal hosts 10.1.1.1, 10.1.1.2, 10.1.1.99]

Page 34: Basic Networking

Thus Firewall 1 can be configured to allow appropriate traffic through, including the “trust relationship” with an inside machine.

Firewall 2 can be configured to allow only ports 80 & 25 through from the Internet, thus stopping any other traffic.

Page 35: Basic Networking

[Diagram: Router (155.238.100.100, to the Internet) → Firewall 3 → DMZ 1 with Webserver and Emailserver → Firewall 2 → DMZ 2 with Database server → Firewall 1 → internal hosts 10.1.1.1, 10.1.1.2, 10.1.1.99]

Page 36: Basic Networking

MAKE SURE ALL UNUSED SERVICES AND ACCOUNTS ARE REMOVED

MAKE SURE ALL OSes AND APPS ARE PATCHED WITH THE LATEST SECURITY PATCHES

MAKE SURE THE ROUTERS AND FIREWALLS ARE THEMSELVES SECURE

Page 37: Basic Networking

The essential elements of network security

Secrecy: making sure unauthorised eyes do not see a message

Authentication: making sure the parties are who they say they are

Non-repudiation: proof of integrity of messages sent and received

Integrity: making sure messages are not tampered with