Securing Network Services
How TCP Works
Sets up a connection between a port on the source host and a port on the destination host.
Each connection consists of a sequence of numbered packets, each carrying a source (port, address), a destination (port, address) and flags:
• First packet – SYN (synchronize sequence numbers)
• Response packet – SYN & ACK
• Thereafter – ACK
• Last packet – FIN & ACK
Ports are associated with services:
• 21 – FTP
• 25 – e-mail
• 80 – HTTP
• many, many more
Based on the client-server model.
How UDP Works
Unreliable delivery of information between systems (delivery is not guaranteed) -- no acknowledgement.
Ports for UDP services:
• Port 123 -- Network Time
• Port 53 -- DNS
• Port 69 -- TFTP
• Port 514 -- Syslog
• Port 517 -- Talk
Based on stateless distribution of information.
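As an added example (not part of the original slides), the following Python tracks TCP connections through exactly the packet sequence the TCP slide describes (SYN, SYN & ACK, ACK, then FIN & ACK) and labels ports with the services listed on the TCP and UDP slides. The packet trace is constructed; the state names and the "half-open" count are this example's own conventions, added to show what an administrator would look for in such a trace.

```python
# Added example, not from the slides: a minimal TCP connection tracker that
# follows the packet sequence described above (SYN, SYN & ACK, ACK, ..., FIN & ACK)
# and labels well-known ports with the services the slides list.
# All packet records below are constructed for illustration.
from collections import Counter

# Port-to-service tables taken from the TCP and UDP slides.
TCP_SERVICES = {21: "FTP", 25: "e-mail", 80: "HTTP"}
UDP_SERVICES = {123: "Network Time", 53: "DNS", 69: "TFTP", 514: "Syslog", 517: "Talk"}


def service_name(proto, port):
    """Return the service associated with a port, or 'unknown'."""
    table = TCP_SERVICES if proto == "tcp" else UDP_SERVICES
    return table.get(port, "unknown")


def conn_key(src_addr, src_port, dst_addr, dst_port):
    """Identify a connection by its two endpoints, independent of packet direction."""
    return tuple(sorted([(src_addr, src_port), (dst_addr, dst_port)]))


def track_connections(packets):
    """Walk packets in order and record the state each connection reaches.

    Each packet is (src_addr, src_port, dst_addr, dst_port, flags) with flags a set.
    States follow the slide: SYN -> SYN_SENT, SYN & ACK -> SYN_RECEIVED,
    ACK -> ESTABLISHED, FIN & ACK -> CLOSED.
    """
    conns = {}
    for src_addr, src_port, dst_addr, dst_port, flags in packets:
        key = conn_key(src_addr, src_port, dst_addr, dst_port)
        cur = conns.get(key)
        if flags == {"SYN"} and cur is None:
            # First packet: remember who initiated and which service was asked for.
            conns[key] = {"state": "SYN_SENT", "initiator": src_addr,
                          "service": service_name("tcp", dst_port)}
        elif flags == {"SYN", "ACK"} and cur and cur["state"] == "SYN_SENT":
            cur["state"] = "SYN_RECEIVED"
        elif flags == {"ACK"} and cur and cur["state"] == "SYN_RECEIVED":
            cur["state"] = "ESTABLISHED"
        elif flags == {"FIN", "ACK"} and cur and cur["state"] == "ESTABLISHED":
            cur["state"] = "CLOSED"
        elif cur is None:
            # Traffic with no handshake seen: worth logging, but not a tracked connection.
            conns[key] = {"state": "UNEXPECTED", "initiator": src_addr,
                          "service": service_name("tcp", dst_port)}
    return conns


def half_open_by_initiator(conns):
    """Count handshakes that never completed, per initiating address.

    One source leaving many connections in SYN_SENT/SYN_RECEIVED across several
    service ports is the pattern an administrator watches for in these logs."""
    counts = Counter()
    for c in conns.values():
        if c["state"] in ("SYN_SENT", "SYN_RECEIVED"):
            counts[c["initiator"]] += 1
    return counts


# Constructed packet trace: one complete HTTP connection from 10.0.0.5 and three
# handshakes from 10.0.0.9 (to FTP, e-mail and HTTP) that are never completed.
SAMPLE_PACKETS = [
    ("10.0.0.5", 40000, "10.0.0.1", 80, {"SYN"}),
    ("10.0.0.1", 80, "10.0.0.5", 40000, {"SYN", "ACK"}),
    ("10.0.0.5", 40000, "10.0.0.1", 80, {"ACK"}),
    ("10.0.0.5", 40000, "10.0.0.1", 80, {"FIN", "ACK"}),
    ("10.0.0.9", 50001, "10.0.0.1", 21, {"SYN"}),
    ("10.0.0.9", 50002, "10.0.0.1", 25, {"SYN"}),
    ("10.0.0.9", 50003, "10.0.0.1", 80, {"SYN"}),
    ("10.0.0.1", 80, "10.0.0.9", 50003, {"SYN", "ACK"}),
]

if __name__ == "__main__":
    conns = track_connections(SAMPLE_PACKETS)
    for key, c in conns.items():
        print(key, c)
    print("half-open per initiator:", half_open_by_initiator(conns))
```

Running it prints the final state of each connection in the trace and then the per-initiator count of incomplete handshakes; the UDP table is only consulted by `service_name`, since UDP has no handshake to track.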
Application Services
Domain Name Service (DNS) -- TCP/UDP
• Replaced /etc/hosts files
• Tree-structured query system
• Replies -- either an answer or a reference to a more refined domain
Mail -- TCP (port 25)
FTP -- file transfer protocol -- TCP
HTTP -- World Wide Web -- TCP
TCP/IP Services
Many have security risks:
• Ways to access your computers
• Information on your computers and your users
Can block them all (paranoid approach).
More often -- keep some, block others.
Blocking method -- firewalls.
General Points
Will discuss a variety of services with security implications:
• Not a full list of Internet services
• Not a full list of security problems
Administrators need to understand the implications before offering a service:
• CERT advisories
• Configuration options
• Prudent attitude
User Education
• Suspicious network behavior
• Suspicious user behavior
• Who to contact
• When to contact
• Exercises
Web
WWW: World Wide Web
• System for automated information exchange
• Allows rapid access to flexibly-presented information
• Well over 50% of Internet traffic
Presentation options:
• Formatted hypertext
• Bitmap graphics
• Program execution (CGI scripts, applets, etc.)
• Audio
• Movies
• Many more
WWW Threats
• Exploitation of server or script bugs
• Disclosure of unauthorized information
• Interception of confidential information
• Loading of information onto the web client by a rogue server
• Dependence on licensed software
WWW Risky Options
• Server-side includes
• Sending email from the server
• Accessing Perl on the server
• Spawning sub-processes
• Calling scripts outside of controlled directories
• Mixing HTTP and anonymous FTP
WWW Access Control
• Configure scripts to be read and executed only by the server
• Use prudent access to exported files
• Don’t use per-directory access files
• Use certified public keys for access
• Use server-side passwords for access
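The two slides above name "calling scripts outside of controlled directories" as a risky option and "scripts read and executed only by the server" as the access-control rule. As an added example (not from the slides, and not any particular web server's code), the Python below is the check a server could run before executing a requested script: it resolves the request against the controlled directory, refuses anything that escapes it through `..` or a symbolic link, and refuses scripts whose permission bits let anyone other than the owner write them. The directory layout in `demo()` is constructed in a temporary directory so the example runs offline.

```python
# Added example, not from the slides: confine CGI script execution to one
# controlled directory and require owner-only write access on each script.
import os
import stat
import tempfile


class ScriptRejected(Exception):
    """Raised when a requested script must not be executed."""


def resolve_script(script_root, requested):
    """Map a requested script name to a path inside script_root, or reject it.

    Rejects: paths resolving outside script_root (via '..' or a symlink),
    non-regular files, scripts writable by group or other, and scripts the
    owner cannot execute.  Returns the resolved absolute path on success.
    """
    root = os.path.realpath(script_root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    # realpath() has already followed symlinks, so a link pointing outside
    # the controlled directory fails this containment check.
    if os.path.commonpath([root, candidate]) != root:
        raise ScriptRejected(f"{requested}: resolves outside controlled directory")
    st = os.stat(candidate)  # raises FileNotFoundError if the script is absent
    if not stat.S_ISREG(st.st_mode):
        raise ScriptRejected(f"{requested}: not a regular file")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ScriptRejected(f"{requested}: writable by group/other")
    if not st.st_mode & stat.S_IXUSR:
        raise ScriptRejected(f"{requested}: not executable by owner")
    return candidate


def demo():
    """Build a constructed cgi-bin layout and report which requests pass."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "cgi-bin")
        os.mkdir(root)
        # A correctly restricted script: owner read/write/execute only.
        good = os.path.join(root, "search.cgi")
        with open(good, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.chmod(good, 0o700)
        # A script anyone on the machine could rewrite.
        loose = os.path.join(root, "upload.cgi")
        with open(loose, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.chmod(loose, 0o777)
        # A file outside the controlled directory, reachable via '..' or a symlink.
        outside = os.path.join(tmp, "passwd")
        with open(outside, "w") as f:
            f.write("not a script\n")
        os.chmod(outside, 0o700)
        os.symlink(outside, os.path.join(root, "link.cgi"))

        results = {}
        for name in ("search.cgi", "upload.cgi", "../passwd", "link.cgi"):
            try:
                resolve_script(root, name)
                results[name] = "allowed"
            except ScriptRejected:
                results[name] = "rejected"
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Only `search.cgi` is allowed; the traversal and symlink requests fail the containment check, and `upload.cgi` fails on its permission bits even though it sits in the right directory.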
WWW Privacy
Network side:
• Link encryption
• Document encryption
• Secure Socket Layer
• Secure HTTP
• All subject to limitations on encryption
Log files:
• Restrict access
• Don’t retain on the server machine
• Use syslogd
• Warn users about logging
Web Browsers
• Executing code from the net
• Trusting vendors / licensing
• Dependence on third parties
RPC
Remote Procedure Call
• Calling program calls client code and waits
• Client code bundles parameters into a message to the server (XDR - external data representation)
• Server executes the call with the supplied data, returning the result in a message to the client code
• Client code returns the result to the calling program
Requires:
• Client knowing the server
• Client and server agreeing on communication (portmapper)
Authentication:
• Auth_none - live fast, die young
• Auth_UNIX - UID/GID authentication (trust the client)
• Auth_DES - secret/public key authentication (Diffie-Hellman key exchange, DES encryption)
• Auth_KERB - Kerberos authentication
Kerberos
Produced for MIT Project Athena.
Authenticates:
• User to client and server
• Client to server
• Server to client
Centralized and stateless:
• Passwords stored unencrypted on the central server
• Never transmitted across the network
Kerberos Protocols
Login:
• User enters username and password
• Client sends username and current time, encrypted with the password
• Server decrypts the information and verifies a valid user
• Returns a session key encrypted with the user's password
Service request:
• Client sends request to the ticket-granting server, encrypted with the session key
• TGS responds with the identity of the server and an encrypted ticket, all encrypted with the session key
• Client passes the encrypted ticket to the server with the client IP and username
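As an added example (not from the slides, and not MIT's Kerberos code), the Python below walks through both exchanges on the slide with every message built and checked on the appropriate side: the login with username and current time encrypted under the password, the session key returned under the password, the ticket request under the session key, and the ticket presented to the server with client IP and username. The cipher is a toy SHA-256 keystream with an HMAC tag standing in for the DES the slides mention, the 5-minute clock-skew limit is an assumption, and the KDC learns the client IP from the request it receives; all principals and passwords are constructed. The `run_flow` helper exercises the happy path and three failures a verifier should catch: wrong password, stale timestamp, and a ticket presented from a different address.

```python
# Added example, not from the slides: a simulation of the Kerberos login and
# service-request exchanges described above.  Toy cipher, constructed data.
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # seconds of clock difference tolerated at login (assumption)


def key_from_password(password):
    return hashlib.sha256(password.encode()).digest()


def _keystream(key, nonce, n):
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key, obj):
    """Toy authenticated encryption (keystream XOR + HMAC tag); stands in for DES."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Inverse of encrypt(); raises ValueError on a wrong key or tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication server and ticket-granting server, holding every principal's key."""

    def __init__(self, users, servers):
        self.user_keys = {u: key_from_password(p) for u, p in users.items()}
        self.server_keys = {s: key_from_password(p) for s, p in servers.items()}
        self.sessions = {}

    def login(self, username, blob, now):
        key = self.user_keys.get(username)
        if key is None:
            raise PermissionError("unknown user")
        msg = decrypt(key, blob)  # only the right password decrypts this
        if abs(now - msg["time"]) > SKEW:
            raise PermissionError("timestamp too old or too new")
        session_key = os.urandom(32)
        self.sessions[username] = session_key
        return encrypt(key, {"session_key": session_key.hex()})

    def ticket_request(self, username, blob, client_ip):
        session_key = self.sessions[username]
        req = decrypt(session_key, blob)
        # Ticket is sealed under the target server's key; the client cannot read or alter it.
        ticket = encrypt(self.server_keys[req["server"]],
                         {"user": username, "client_ip": client_ip})
        return encrypt(session_key, {"server": req["server"], "ticket": ticket.hex()})


class Server:
    def __init__(self, password):
        self.key = key_from_password(password)

    def accept(self, ticket_blob, username, client_ip):
        """Open the ticket and confirm it was issued for this user at this address."""
        try:
            ticket = decrypt(self.key, ticket_blob)
        except ValueError:
            return False
        return ticket["user"] == username and ticket["client_ip"] == client_ip


def run_flow(password="s3cret", client_ip="10.0.0.5", presented_ip=None, login_time=None):
    kdc = KDC({"alice": "s3cret"}, {"fileserver": "srv-key"})
    server = Server("srv-key")
    ukey = key_from_password(password)
    now = time.time()
    # Login: username in clear, current time encrypted under the password.
    blob = encrypt(ukey, {"time": now if login_time is None else login_time})
    try:
        resp = kdc.login("alice", blob, now)
    except (ValueError, PermissionError):
        return "login rejected"
    session_key = bytes.fromhex(decrypt(ukey, resp)["session_key"])
    # Service request: ask the TGS for a ticket to the file server.
    tgs_resp = decrypt(session_key, kdc.ticket_request(
        "alice", encrypt(session_key, {"server": "fileserver"}), client_ip))
    ticket = bytes.fromhex(tgs_resp["ticket"])
    ok = server.accept(ticket, "alice", presented_ip or client_ip)
    return "access granted" if ok else "ticket rejected"


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(password="wrong"))
    print(run_flow(login_time=time.time() - 3600))
    print(run_flow(presented_ip="10.0.0.99"))
```

Note where each check lives: the KDC, not the client, rejects a bad password (the decrypt fails) and a stale time, and the file server, not the KDC, rejects a ticket whose embedded address does not match the one the request arrives from. The session key never crosses the network in clear, matching the slide's "never transmitted across network" point.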