Overview of Networking & Operating System Security
Jagdish S. Gangolly, School of Business, State University of New York at Albany
NOTE: These notes are based on the book Security in Computing, by Charles & Shari Pfleeger (3rd ed) and are prepared solely for the students in the course Acc 661 at SUNY Albany. They are not to be used by others without the permission of the instructor.
Acc 661 Auditing of Adv Acctg Systems (Spring 2003) Gangolly
Overview of Networking & Operating System Security
• Networking
  • OSI Reference Model
  • The Internet Model
  • TCP/IP
  • TCP Vulnerabilities
  • UDP
  • UDP Vulnerabilities
  • IP
  • IP Vulnerabilities
Networking I
• OSI Reference Model
  • Layer 7: Application Layer
  • Layer 6: Presentation Layer
  • Layer 5: Session Layer
  • Layer 4: Transport Layer
  • Layer 3: Network Layer
  • Layer 2: Data Link Layer
  • Layer 1: Physical Layer
Networking II
• The Internet Model:
  • Application Layer (HTTP, telnet, e-mail client, ...)
  • Transport Layer: responsible for end-to-end delivery between processes, addressed by port number (Port-to-Port). TCP adds reliable, ordered delivery; UDP does not. (TCP and UDP)
  • Network Layer: responsible for addressing hosts and routing datagrams between them across one or more networks (IP) (Machine-to-Machine)
  • Data Link Layer: responsible for transporting frames across each single hop of the network (Node-to-Node)
  • Physical Layer: the physical media (Repeater-to-Repeater)
TCP/IP
• Applications using TCP: FTP, telnet, SMTP, POP, HTTP
• TCP header info:
  • Source/Destination Port numbers
  • Sequence number
  • Acknowledgement number
  • Data offset: the header length in 32-bit words, i.e. where the header ends and the data begins
  • Reserved, for future use
  • Control bits (six bits in RFC 793: URG, ACK, PSH, RST, SYN, FIN; two more, CWR and ECE, were added later for congestion notification)
  • Window: the number of bytes the receiver is currently willing to accept (flow control), not a count of packets
  • Checksum: covers the header, the data and an IP pseudo-header; it detects accidental corruption only, not deliberate modification
  • Urgent pointer: offset of the urgent data within the segment, meaningful only when URG is set
  • Options: additional information about TCP processing capabilities (e.g. maximum segment size)
  • Padding: zero bytes that extend the options so the header ends on a 32-bit boundary
TCP Vulnerabilities
• Vulnerabilities:
  • Scanning ports with tools such as Nmap reveals which services are listening. (The netstat command on Windows lists the local machine's own listening ports and connections; it is not a scanner.)
  • An attacker can mask port usage with a kernel-level rootkit, which makes netstat and similar tools lie about backdoor listeners on the ports.
  • An attacker can violate the 3-way handshake: send a SYN and, as soon as the SYN-ACK arrives (proving the port is open), reply with a RESET instead of the final ACK. The connection is never established, so the application never sees it and the probe is often not logged (a "half-open" or SYN scan).
UDP
• Connectionless protocol
• Used in streaming audio and video applications, and DNS query and response
• No retransmission of lost packets ("Unreliable Damn Protocol")
• UDP header info (8 bytes, followed by the data):
  • Source/Destination Port numbers
  • Message length (header plus data)
  • Checksum (optional in IPv4: a zero value means none was computed)
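The TCP and UDP header layouts on the two slides above, as an added worked example that is not part of the original notes: a Python builder and parser for both headers, including the checksum over the IPv4 pseudo-header that the slide mentions. The addresses, ports, option bytes and payloads are constructed for the example.

```python
import struct

# Constructed IPv4 endpoints for the pseudo-header (assumption: not from the slides).
SRC_IP = bytes([192, 168, 1, 10])
DST_IP = bytes([192, 168, 1, 20])
PROTO_TCP, PROTO_UDP = 6, 17

# RFC 793 control bits, indexed by bit position in the flags byte.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """The IPv4 pseudo-header the transport checksum also covers: src, dst, zero, proto, length."""
    return src + dst + struct.pack("!BBH", 0, proto, length)


def build_tcp(sport, dport, seq, ack, flags, window, options=b"", payload=b"",
              src=SRC_IP, dst=DST_IP) -> bytes:
    """Build a TCP segment with a valid checksum; options are padded to a 32-bit boundary."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    segment = header + options + payload
    csum = internet_checksum(pseudo_header(src, dst, PROTO_TCP, len(segment)) + segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]   # checksum lives at bytes 16-17


def parse_tcp(segment: bytes, src=SRC_IP, dst=DST_IP) -> dict:
    """Decode the TCP header fields listed on the slide and verify the checksum."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, offset_reserved, flags,
     window, csum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (offset_reserved >> 4) * 4        # where the header ends, in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    # Summing pseudo-header + segment with the checksum field included must give zero.
    checksum_ok = internet_checksum(
        pseudo_header(src, dst, PROTO_TCP, len(segment)) + segment) == 0
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "reserved": offset_reserved & 0x0F,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "window": window,                           # bytes the receiver will accept, not packets
        "urgent_pointer": urgent,
        "options": segment[20:data_offset], "payload": segment[data_offset:],
        "checksum_ok": checksum_ok,
    }


def build_udp(sport, dport, payload, src=SRC_IP, dst=DST_IP) -> bytes:
    """Build a UDP datagram: 8-byte header (ports, length, checksum) followed by the data."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(pseudo_header(src, dst, PROTO_UDP, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF   # UDP sends an all-zero result as 0xFFFF, since 0 means "no checksum"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def parse_udp(datagram: bytes, src=SRC_IP, dst=DST_IP) -> dict:
    """Decode the UDP header; checksum_ok is None when the sender did not compute one."""
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length %d" % length)
    checksum_ok = None
    if csum != 0:
        checksum_ok = internet_checksum(
            pseudo_header(src, dst, PROTO_UDP, length) + datagram[:length]) == 0
    return {"sport": sport, "dport": dport, "length": length,
            "checksum_ok": checksum_ok, "payload": datagram[8:length]}


if __name__ == "__main__":
    syn = build_tcp(40000, 80, seq=1000, ack=0, flags=0x02, window=65535,
                    options=b"\x03\x03\x07")        # window-scale option, 3 bytes, padded to 4
    print(parse_tcp(syn))
    dns = build_udp(53000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)   # constructed DNS-like payload
    print(parse_udp(dns))
```

Flipping any byte of a built segment makes `checksum_ok` false, which is exactly what the checksum is for; an attacker who rewrites a field simply recomputes it, so the check gives integrity against line noise, not against tampering.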
UDP Vulnerabilities
• Lack of a 3-way handshake
• Lack of control bits hinders control
• Lack of sequence numbers also hinders control (nothing at the transport layer ties a reply to the request that caused it)
• Scanning UDP ports is also harder, since there are no code bits (SYN, ACK, RESET) to answer a probe: an open port usually stays silent unless the probe is a valid request for that service, and a closed port is known only from an ICMP "port unreachable" message. False positives are common, since target systems often rate-limit or do not send those ICMP messages, so a closed port that stays silent looks the same as an open one.
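The two scanning points above (the RESET-after-SYN-ACK half-open scan on the TCP slide, and the ambiguous UDP results on this one), as an added example that is not part of the original notes. The target host is a constructed simulation: it answers SYNs the way a real stack does, sends ICMP port-unreachable for closed UDP ports until a constructed per-scan budget runs out, and has one UDP service that ignores unknown payloads. The port numbers and services are assumptions for the example.

```python
# Control bits used below, at their positions in the TCP flags byte.
SYN, RST, ACK = 0x02, 0x04, 0x10
ICMP_UNREACHABLE = 3            # ICMP type 3; code 3 = port unreachable, other codes = filtered


class SimulatedTarget:
    """Constructed host model (assumption for this example). It reproduces what matters:
    SYN-ACK / RST for TCP, ICMP port-unreachable for closed UDP ports, silence from UDP
    services that ignore unknown payloads, and a cap on how many ICMP errors it sends."""

    def __init__(self, tcp_open, udp_services, icmp_budget):
        self.tcp_open = set(tcp_open)
        self.udp_services = dict(udp_services)   # port -> function(payload) -> reply bytes or None
        self.icmp_budget = icmp_budget           # ICMP unreachables the host will still send
        self.half_open = set()                   # connections waiting for the third handshake packet

    def tcp_probe(self, port, flags):
        if flags == SYN:
            if port in self.tcp_open:
                self.half_open.add(port)
                return ("tcp", SYN | ACK)
            return ("tcp", RST | ACK)
        if flags == RST:
            self.half_open.discard(port)         # RST aborts the embryonic connection; nothing is logged
        return None

    def udp_probe(self, port, payload):
        if port in self.udp_services:
            reply = self.udp_services[port](payload)
            return ("udp", reply) if reply is not None else None
        if self.icmp_budget > 0:
            self.icmp_budget -= 1
            return ("icmp", ICMP_UNREACHABLE, 3)
        return None                              # rate-limited: the closed port now looks open|filtered


def classify_tcp_syn(response):
    """Port state from the reply to a single SYN."""
    if response is None:
        return "filtered"
    if response[0] == "tcp":
        flags = response[1]
        if flags & SYN and flags & ACK:
            return "open"
        if flags & RST:
            return "closed"
    if response[0] == "icmp" and response[1] == ICMP_UNREACHABLE:
        return "filtered"
    return "unknown"


def classify_udp(response):
    """Port state from the reply to a UDP probe; silence is ambiguous by design."""
    if response is None:
        return "open|filtered"
    if response[0] == "udp":
        return "open"
    if response[0] == "icmp" and response[1] == ICMP_UNREACHABLE:
        return "closed" if response[2] == 3 else "filtered"
    return "unknown"


def syn_scan(target, ports):
    """Half-open scan: SYN, read the reply, then RST instead of the ACK that would finish the handshake."""
    results = {}
    for port in ports:
        state = classify_tcp_syn(target.tcp_probe(port, SYN))
        if state == "open":
            target.tcp_probe(port, RST)
        results[port] = state
    return results


def udp_scan(target, ports, payload=b""):
    return {port: classify_udp(target.udp_probe(port, payload)) for port in ports}


if __name__ == "__main__":
    host = SimulatedTarget(tcp_open={22, 80},
                           udp_services={53: lambda p: b"\x00" * 12,    # answers any payload
                                         161: lambda p: None},          # silent unless payload is valid SNMP
                           icmp_budget=3)
    print(syn_scan(host, [22, 23, 80]))
    print(udp_scan(host, [53, 161, 1, 2, 3, 4, 5]))
```

After the SYN scan the target's `half_open` set is empty, which is the point of the RST: the open ports were identified without a single completed connection. In the UDP scan, port 161 and the closed ports 4 and 5 all come back "open|filtered" for different reasons (a silent service versus an exhausted ICMP budget), and the scanner cannot tell them apart.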
IP
• Used for all traffic moving across the internet
• Dotted-quad notation (28.28.28.28)
• Netmasks
• Packet fragmentation in IP: a datagram larger than a link's MTU is split into fragments that share the same identification field; each carries its offset (in 8-byte units) and a "more fragments" flag, and only the first fragment contains the TCP header. A filter that inspects fragments one at a time can be fooled (see IP Vulnerabilities).
IP Vulnerabilities
• Packet fragmentation in IP
  • Vulnerability 1: Tiny fragment attack: the first fragment is made so small that it does not contain the TCP fields the filter checks (port number, flags); the rest of the header arrives in a second fragment, which the filter passes because non-first fragments carry no header to inspect.
  • Vulnerability 2: Fragment overlap attack: the first fragment carries header values the filter allows (a non-monitored port, or an ACK-only segment that looks like an established connection); the second fragment's offset overlaps the first, so at reassembly it overwrites header bytes already approved in the first fragment.
  • Defence (RFC 1858): drop first fragments shorter than a minimum size, and drop any fragment with offset 1, since it would overwrite the rest of the TCP header.
• Attackers can map a network using the TTL (Time-to-Live) field: each router decrements it and returns an ICMP "time exceeded" when it reaches zero, so probes sent with TTL 1, 2, 3, ... identify the routers on the path one hop at a time (traceroute).
• Attackers can determine packet-filtering firewall rule sets using Firewalk: it sends probes with the TTL set one hop past the firewall; a "time exceeded" from the router behind the firewall means the rule set let that port through, while silence means it was filtered.
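The two fragmentation attacks on the IP slides above, as an added example that is not part of the original notes: it builds the fragments, runs them through a stateless per-fragment filter with and without the RFC 1858 checks, and reassembles what got through under both overlap policies. Because fragment offsets are in 8-byte units, a non-first fragment cannot reach the port numbers in TCP bytes 0-3; the overlap variant shown here therefore rewrites the flags byte (13) instead, turning an ACK-only segment the filter treats as "established" into a SYN. Addresses, ports, the filter policy and the 16-byte minimum first fragment are assumptions for the example.

```python
import struct

# Constructed addresses and policy for the example (assumptions, not from the slides).
SRC, DST = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])
PROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10
IP_MF = 0x2000                 # "More Fragments" flag in the IP flags/offset field
MIN_FIRST_FRAGMENT = 16        # TCP header bytes a first fragment must carry (chosen tmin)


def build_fragment(ident, offset_units, more, payload):
    """IPv4 header (20 bytes, no options, header checksum left zero) + fragment data.
    offset_units is the fragment offset in 8-byte units, as carried on the wire."""
    flags_offset = (IP_MF if more else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_offset, 64, PROTO_TCP, 0, SRC, DST) + payload


def parse_fragment(packet):
    ver_ihl, _, total, ident, flags_offset, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "mf": bool(flags_offset & IP_MF),
            "offset": (flags_offset & 0x1FFF) * 8, "payload": packet[ihl:total]}


def stateless_filter(frag, rfc1858=True):
    """Per-fragment decision with no reassembly. Policy: anything to TCP port 80, and
    only non-SYN (established-looking) segments to any other port.
    rfc1858=False models the naive filter the slide's two attacks defeat."""
    p = frag["payload"]
    if frag["proto"] != PROTO_TCP:
        return "drop: policy"
    if frag["offset"] == 0:
        if len(p) < MIN_FIRST_FRAGMENT:
            # Tiny fragment: the flags byte (13) is in a later fragment, so the naive
            # filter cannot check it and lets the fragment through.
            return "drop: tiny fragment" if rfc1858 else "pass"
        dport, flags = struct.unpack("!H", p[2:4])[0], p[13]
        return "pass" if dport == 80 or not flags & TCP_SYN else "drop: policy"
    if frag["offset"] == 8 and rfc1858:
        # RFC 1858 indirect method: a fragment at offset 1 (8 bytes) would overwrite
        # TCP bytes 8-15, which include the flags, so drop it unconditionally.
        return "drop: offset 1 overlap"
    return "pass"                 # later fragments carry no transport header to inspect


def reassemble(frags, overlap="last"):
    """Rebuild the datagram. overlap='last' lets a later fragment overwrite earlier bytes;
    'first' keeps the bytes that arrived first. Returns None while the datagram has holes."""
    buf, seen, total = bytearray(), bytearray(), None
    for f in frags:
        end = f["offset"] + len(f["payload"])
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            seen.extend(bytes(end - len(seen)))
        for i, b in enumerate(f["payload"]):
            pos = f["offset"] + i
            if overlap == "last" or not seen[pos]:
                buf[pos] = b
            seen[pos] = 1
        if not f["mf"]:
            total = end
    if total is None or 0 in seen[:total]:
        return None
    return bytes(buf[:total])


def overlap_attack():
    """Fragment 1 shows an ACK-only segment to port 23 (passes as 'established');
    fragment 2 at offset 1 rewrites bytes 8-19 so the reassembled flags byte is SYN."""
    innocent = struct.pack("!HHIIBBHHH", 40000, 23, 1, 1, 5 << 4, TCP_ACK, 1024, 0, 0)
    evil_tail = struct.pack("!IBBHHH", 1, 5 << 4, TCP_SYN, 1024, 0, 0)
    return [build_fragment(0x1234, 0, True, innocent[:16]),
            build_fragment(0x1234, 1, False, evil_tail)]


def tiny_fragment_attack():
    """Fragment 1 carries only the ports and sequence number; the SYN flag arrives in fragment 2."""
    syn_to_telnet = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, TCP_SYN, 1024, 0, 0)
    return [build_fragment(0x1235, 0, True, syn_to_telnet[:8]),
            build_fragment(0x1235, 1, False, syn_to_telnet[8:])]


def run(packets, rfc1858, overlap="last"):
    """Filter each fragment, reassemble what got through, and report the resulting TCP flags."""
    frags = [parse_fragment(p) for p in packets]
    verdicts = [stateless_filter(f, rfc1858) for f in frags]
    datagram = reassemble([f for f, v in zip(frags, verdicts) if v == "pass"], overlap)
    flags = datagram[13] if datagram is not None else None
    return verdicts, flags


if __name__ == "__main__":
    for name, pkts in (("overlap", overlap_attack()), ("tiny", tiny_fragment_attack())):
        print(name, "naive filter:", run(pkts, rfc1858=False))
        print(name, "RFC 1858 filter:", run(pkts, rfc1858=True))
```

Against the naive filter both attacks deliver a SYN to port 23 that the policy was supposed to block; with the RFC 1858 checks the offending fragment is dropped and the datagram never reassembles. The `overlap="first"` policy shows the other half of the problem: whether the attack works depends on how the destination host's reassembler resolves overlaps, which the filter in the middle cannot know.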