Security products are still relatively immature and weakly integrated. It is, therefore, all the more important that the technologies you select provide a broad, cooperative, and tested security solution that complements the overall security policy you have established. The solution should, at a minimum, satisfy the five primary security functions, as follows:
Authentication—refers to the process of verifying the validity of a claimed individual or entity and identifying that individual or entity. This process offers confidence that we are who we say we are. A fingerprint is one way of identifying individuals with some degree of confidence.
Access control—assurance that each user or entity that requests the use of a service is permitted to do so (normally controlled by individual or group access rights). For example, does Fred have the right to download files from BIGSVR over a dial-up line on the weekend?
Confidentiality—sensitive information must not be revealed to third parties; it should be made available only to the intended recipients. Confidentiality is often referred to as privacy. One way of protecting data is to encrypt it using keys known only to the sender and receiver.
Integrity—assurance that the data transferred between trusted parties have not been altered or destroyed while in transit. In layman's terms this means that what was sent was actually received.
Nonrepudiation—assurance that the sender of a message cannot deny being the originator of that message and that the recipient of a message cannot deny the receipt of that message. With applications where payment and goods are exchanged (such as electronic commerce) proof of purchase is vital to gain customer confidence in the process.
Typically this will involve a combination of firewalls, encryption systems, and authentication systems. A layered approach stands a much better chance of alerting you to potential problems. The challenge to provide security for internal networks becomes increasingly difficult as more users access the Internet, internal networks grow in size and complexity, and the range of potential problems expands with new distributed applications and the move toward mobile internetworking. The task of identifying critical or sensitive resources and the threats placed upon them is essentially a process of identifying and quantifying risk. There may be less obvious risks associated with a resource—for example, if confidential user information (age, address, telephone numbers) is held on a networked database, there may be a legal imperative for a company to protect such resources to comply with data protection legislation.
We will first review some of the most common security attacks and illustrate some of the basic vulnerabilities inherent in common data networking protocols and services.
Networks need protection against malicious attacks and information leaks from both inside and outside the network, and the former is considerably harder than the latter. Attacks can be classified according to a number of broad characteristics, as follows:
Denial of Service (DOS)—To disable, severely impair, or corrupt network resources or servers. A DOS attack may be mounted from a single source or multiple sources concurrently. The latter scenario is classed as a Distributed Denial of Service (DDOS) attack. An example of a DOS attack is the SYN flood, described later.
Impersonation—To gain access to protected services or to falsely create transactions or e-mails. The most basic attack is called IP spoofing, where a hacker uses the IP address of a trusted host to gain access to protected resources.
Man-in-the-Middle attacks (MITM)—Sometimes referred to as message relay. To gain access to or change information in transit by either relaying session parameters or using keys to fool peers into believing they are communicating directly.
Sniffing the network—To discover cleartext passwords and sensitive data, using conventional network tools such as Tcpdump or a network analyzer.
Password and key guessing—To gain access to protected services and data (e.g., by using a brute-force attack, an automated dictionary attack, or planting a virus to discover and e-mail back passwords).
Viruses—To destroy, disable, or corrupt data or to recover sensitive information such as passwords and keys without the user's knowledge. There are several classes of virus, which we discuss later.
Many of the common network protocols and services in use today were designed originally without any security in mind, and their many vulnerabilities to security threats are widely documented. The IP protocol suite is a good example, designed for straightforward data communications. Although the latest version of IP (IPv6) has mandatory security elements in place, there were no security features built into IPv4 (the protocol was extended subsequently via security options, but these are not widely used). Likewise, TCP, UDP, and many of the services running above them are inherently insecure. This section reviews some of the basic vulnerabilities associated with these services and protocols. It is not meant to be exhaustive; for more information, refer to [3].
ICMP is essentially the diagnostic service that runs over IP. There are several exploits based on ICMP, including ping of death, ping sweep, and other hacks based on ICMP redirects and source quench.
IP is a connectionless network service. The next generation of IP (IPv6) includes two key enhancements to improve security: authentication and privacy. IPv6 requires the sender to log in to the receiver. If a sender does not have the prerequisite access rights, he or she cannot access the resource. Privacy is optionally provided by using encryption techniques to protect data. Privacy and authentication are provided by security associations. Either encryption or authentication can be applied first.
Since UDP is connectionless, UDP services are somewhat vulnerable to attack, although many of the original deficiencies have since been resolved. Table 5.1 lists port numbers associated with commonly used UDP protocols.
Application | Protocol | Port No | Application | Protocol | Port No |
---|---|---|---|---|---|
Reserved | TCP&UDP | 0 | ISO-TSAP | TCP | 102 |
Remote Job Entry | TCP | 5 | X.400 | TCP | 103 |
Echo | TCP | 7 | X.400 Sending Service | TCP | 104 |
Discard | TCP | 9 | SUN Remote Procedure Call (RPC) | UDP | 111 |
Systat | TCP | 11 | Network News Transfer Protocol (NNTP) | TCP | 119 |
Daytime | TCP | 13 | Network Time Protocol (NTP) | TCP&UDP | 123 |
NetStat | TCP | 15 | NetBIOS session service | TCP | 139 |
Quote of the Day (Qotd) | TCP | 17 | NeWS | TCP | 144 |
File Transfer Protocol (FTP) Data | TCP | 20 | Simple Network Management Protocol (SNMP) | UDP | 161 |
File Transfer Protocol (FTP) Control | TCP | 21 | SNMP (traps) | UDP | 162 |
Telnet | TCP | 23 | Border Gateway Protocol (BGP) | TCP | 179 |
Simple Mail Transfer Protocol (SMTP) | TCP | 25 | exec | TCP | 512 |
time | TCP | 37 | rlogin | TCP | 513 |
TACACS | UDP | 49 | rexec | TCP | 514 |
Domain Name Server (DNS) | TCP&UDP | 53 | Line Printer Daemon (lpd) | TCP | 515 |
Trivial File Transfer Protocol (TFTP) | UDP | 69 | talk | TCP&UDP | 517 |
Gopher | TCP | 70 | ntalk | TCP&UDP | 518 |
Finger | TCP | 79 | Open Windows (Sun) | TCP&UDP | 2000 |
World Wide Web (HTTP) | TCP | 80 | Network File System (NFS) | UDP | 2049 |
Kerberos | TCP | 88 | X11 | TCP&UDP | 6000+ |
TCP is connection oriented. Although more difficult to hack than UDP, there are, nevertheless, well-known hacks that have been used, particularly to deny service. Table 5.1 lists port numbers associated with commonly used TCP protocols. One of the best-known security exploits using TCP is called the SYN Attack. This uses knowledge of the TCP three-way handshake.
Telnet is a virtual terminal protocol that runs over TCP (port 23). It is the basic remote access terminal emulator that runs on a range of hosts and operating systems, including native router and firewall OSs. There are several issues with Telnet that are dealt with by a range of authentication mechanisms. From the client perspective one of the potential problems is users leaving authenticated Telnet sessions open.
FTP is used for file transfer and runs over TCP (ports 20/21). It has several security holes. The user name and password used with FTP sessions are transmitted in cleartext and can be accessed by any serious hacker. Anonymous FTP service allows anyone to access a host, without requiring a user account. FTP uses two types of sessions: a control session (TCP port 21) for managing the connection and dynamic data sessions (TCP port 20) for carrying information requested by the user.
HTTP is a stateless, object-oriented protocol that runs over TCP port 80. HTTP v1.0 is supported by all Web servers in the market today. A variation, called HTTP-NG (next generation), is being developed to use bandwidth more efficiently. HTTP is highly flexible, which makes it difficult to secure resources effectively. You need to be cautious in particular about proxy and gateway applications. HTTP can forward requests to other applications called viewers if it cannot understand the data it receives. HTTP also allows users to execute commands remotely. HTTP allows sensitive log information to be retrieved without authentication. HTTP proxies are men in the middle, the perfect place for a man-in-the-middle attack. A discussion of this is found in section 15 of [4].
TFTP runs over UDP. TFTP is mainly used for transferring boot images or configuration data for networked devices that have no local permanent storage and is designed to function without operator intervention. Consequently, it allows unauthorized remote access to file systems, since it does not require a user or password to initiate automated data transfer. For example, on the AIXv3.x operating system remote users could upload /etc/passwd! One of the problems of TFTP from the firewall perspective is that it dynamically changes ports once a connection is established (i.e., a session starts by using destination port 69 and is then handed off to a new port number from the pool—this clearly cannot be handled by static filters and requires real stateful session and protocol tracking).
SMTP is vulnerable to several attacks. E-mail bombing is an attack that can form a denial-of-service attack by overloading the mail server. In e-mail spamming a malicious user (spammer) sends thousands of copies of an e-mail to several mailing lists. Another twist to this problem is e-mail hijacking, in which the spammer uses your mail relay to forward this spam mail. Potential vulnerability is present, since e-mail servers do not receive the same degree of attention as Web servers. These attacks exploit otherwise legitimate applications, and security tends to be more lax. A recent study [5] found that 38 percent of mail servers in .gov domains had security weaknesses.
DNS is used to convert IP addresses to domain names and vice versa. The protocol has no authentication, and recipients of DNS data automatically assume responses to be valid. There are several techniques that can be employed to modify how the DNS system works, as follows:
Break into the target network DNS server—Buffer overflow vulnerabilities can be exploited by hackers to deny service. It is possible to break into the machine via a service such as rlogin. By spoofing DNS and redirecting mail users, login details could be collected, and UNIX-based platforms via the rlogin and NFS services could be exploited. Once owned by the attacker, it is easy to modify the information being sent out in response to DNS queries.
Spoof DNS responses—If a hacker can observe DNS queries, he or she can easily spoof bogus responses. These responses will be believed by other DNS servers or clients implicitly. Places to observe DNS queries are either on the target network, outside the perimeter firewall, or on the same network as the DNS server.
DNS cache poisoning—Most DNS servers cache the information they process for a finite amount of time, in order to speed up DNS resolution. Unfortunately, there are several techniques used by hackers to poison a DNS cache.
A hacker can corrupt zone information or spoof DNS and offer incorrect name-address associations, causing a denial-of-service attack by rerouting connections or worse, still, allowing the hacker to redirect sensitive information to his or her own machine.
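The checks below are an added example (not from the original text) of what a resolver should apply to a reply before caching it, so that a spoofed or out-of-bailiwick answer is discarded instead of being trusted implicitly as the text describes. DNS messages are modelled as plain dicts with constructed sample values rather than parsed from the wire format; the zone name, addresses and ports are assumptions.

```python
from typing import Dict, List, Optional, Tuple


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name is zone itself or lies underneath it."""
    r = record_name.lower().rstrip(".") + "."
    z = zone.lower().rstrip(".") + "."
    return r == z or r.endswith("." + z)


def validate_reply(query: Dict, reply: Dict, server_ip: str) -> Tuple[List[Dict], Optional[str]]:
    """query: what the resolver sent; reply: what arrived on its socket.
    Returns (records safe to cache, rejection reason or None)."""
    if reply["src_ip"] != server_ip or reply["dst_port"] != query["src_port"]:
        return [], "reply not from the server/port we queried"
    # The 16-bit transaction id alone is weak entropy; the random source port
    # checked above is what makes blind spoofing expensive.
    if reply["txid"] != query["txid"]:
        return [], "transaction id mismatch: possible spoofed reply"
    if reply["question"] != query["question"]:
        return [], "question section does not match our query"
    # Cache only records the answering server is authoritative for; any other
    # name smuggled into the reply is dropped rather than poisoning the cache.
    accepted = [rr for rr in reply["records"] if in_bailiwick(rr["name"], query["zone"])]
    return accepted, None


# Constructed sample data (hypothetical zone and addresses).
SERVER = "192.0.2.10"
QUERY = {"txid": 0x1A2B, "src_port": 40512,
         "question": ("www.example.test.", "A"), "zone": "example.test."}
GOOD_REPLY = {
    "src_ip": SERVER, "dst_port": 40512, "txid": 0x1A2B,
    "question": ("www.example.test.", "A"),
    "records": [
        {"name": "www.example.test.", "type": "A", "data": "192.0.2.80"},
        {"name": "ns1.example.test.", "type": "A", "data": "192.0.2.53"},
        {"name": "mail.other.test.", "type": "A", "data": "198.51.100.9"},  # out of bailiwick
    ],
}
SPOOFED_REPLY = dict(GOOD_REPLY, txid=0x0001)   # guessed id, everything else matches

if __name__ == "__main__":
    print(validate_reply(QUERY, GOOD_REPLY, SERVER))
    print(validate_reply(QUERY, SPOOFED_REPLY, SERVER))
```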
Many Web servers use some sort of Server Side Include (SSI) to maintain state. This allows a Web server to recognize a previous visitor and maintain the illusion of a session. This may allow the Web user to custom generate HTML code for the particular user. Unfortunately, sometimes the SSI feature is used for security purposes. By spoofing the SSI, a Web user can access other sessions that contain sensitive information.
There are also a number of nonstandard services that provide value-added services for Internet and WWW access; they are quite sophisticated and difficult to handle from the security perspective. Examples of these services are World Wide Web (WWW), Wide Area Information Service (WAIS), Gopher, and Mosaic. Historically, the POP and REXEC services have been targets of brute-force attempts simply because they did not have their login failures logged.
The ease of use of open network access is in many ways in direct conflict with the provisioning of tight security. Serious vulnerabilities include buffer overruns, inadequate authentication/password protection mechanisms, and the ability to download executable code onto hosts. These types of known vulnerabilities still enable unscrupulous users to crash systems remotely, steal or destroy valuable data, or gather information that enables them to mount a more sophisticated attack later on. Well-known UNIX vulnerabilities exist with services such as echo, chargen, portmap, the r-utilities, rstatd, and tooltalk, and these should be secured, particularly on public-facing servers. Another worrying trend for security designers is the increasing complexity of operating systems (see Figure 5.1). In Figure 5.1 the number of system calls available in Windows also dwarfs other operating systems. For example, Windows NT 4.0 has nearly 3,500 system calls compared with various flavors of UNIX and LINUX with less than 300.
Figure 5.1: Growth in complexity of the Microsoft Windows operating systems between 1992 and 2000, showing the estimated number of lines of code used in each OS [2].
The best approach to protect your OS is to ensure that it is patched at the very latest level and that your firewall and intrusion detection systems are armed with the latest attack signatures. Another factor to consider is the level of certification offered. For further information, refer to [6].
Security is largely dependent upon trust, and data networks today often need to allow third parties to access their resources for business or operational reasons based solely on who they are (e.g., extranet applications, VPNs, or home working). Some examples are as follows:
Accepting named IP addresses through the perimeter firewall—Many network organizations allow remote access to their networks by setting an access filter or firewall rule. In this case authentication is often based solely on source IP address. Some allow complete ranges of IP network or subnetwork addresses from certain ISPs because of the lack of fixed IP addresses. If a hacker can spoof these addresses or owns a machine on the trusted external network, then he or she can easily break into the target network.
Trusting ISP-originated protocols or services—Aside from DNS there are other types of information, such as routing information (e.g., OSPF or BGP for peering) and network management traffic (for maintenance or SLA monitoring). An Application Service Provider (ASP) may also be hosting a customer server that needs to communicate with internal systems. All of these interactions require communications through the firewall and are potential security holes for a hacker.
Virtual Private Networks (VPNs)—VPNs rely on secure tunneling protocols to encrypt traffic between two end-points. VPNs may be terminated inside the network at a workstation or server. The firewall then has no way of examining the incoming traffic, so a VPN hijacker could use this tunnel to bypass key security features (such as virus checking) at the perimeter. A hacker may also attempt to defeat the encryption used to protect the tunnel in order to monitor traffic on the wire (either to recover password and key information or to recover sensitive data). Some VPN protocols are more secure than others.
Modem access—Modems are regularly overlooked as a backdoor route into the network. They may be required for network maintenance or out-of-band management purposes. Often the security on modems is weak, and once compromised a hacker may be able to bypass perimeter defenses.
There are many well-known attacks that exploit security weaknesses in operating systems, applications, and protocols. Figure 5.2 illustrates some of the key areas of the IP stack where vulnerabilities are mounted.
Figure 5.2: Common protocol features used for IP-based hacking.
Some of the better-known attacks, together with a brief description, are as follows:
IP spoofing—The main vulnerability associated with IP spoofing basically involves a hacker masquerading as a trusted client on your network using a trusted IP address. IP's source routing option can be used to discover useful information about your topology. Clearly, on a bridged or switched network you are much more vulnerable to spoofing.
SYN attack—One of the best-known denial-of-service security hacks involves knowledge of the three-way handshake used by all TCP services to open a session. In essence the problem is outlined as follows:
Step 1: A TCP host on the internal network receives a perfectly reasonable connection request with the SYN bit set (in the TCP header) to initiate a TCP connection.
Step 2: Upon receipt of a SYN packet the host will acknowledge by sending a TCP packet with both the SYN and ACK bits set.
Step 3: The host then sets a timer and waits for a reply from the client, which should have the ACK bit set to complete the three-way handshake.
Step 4: The host on the internal network receives several more connection requests from different source IP addresses. It goes through steps 2 and 3 for each outstanding connection attempt.
Stateless (filter-based) firewalls may counteract this problem with customized code. Stateful firewalls use a number of methods to resolve the problem; the most common approaches are SYN proxy and SYN relay.
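The four steps above, as an added example (not part of the original text): a small model of a listener's half-open queue fed with a constructed packet trace, showing how unanswered SYNs fill the backlog until legitimate clients are refused, together with the monitor-side heuristic (many SYNs, few completions, sources that never ACK) that a firewall or IDS uses to recognise the pattern. The backlog size, timeout and addresses are assumptions chosen for illustration.

```python
from collections import Counter, OrderedDict

# Assumed listener parameters (real stacks use larger backlogs and longer timers).
BACKLOG = 4          # size of the half-open (SYN_RECEIVED) queue
SYN_TIMEOUT = 3.0    # seconds the host keeps waiting for the step-3 ACK


def simulate_listener(events, backlog=BACKLOG, timeout=SYN_TIMEOUT):
    """events: (time, src_ip, src_port, flag) in time order, flag being
    'SYN' (step 1) or 'ACK' (step 3). Models steps 2-4 and returns counts."""
    half_open = OrderedDict()            # (src_ip, src_port) -> time SYN+ACK sent
    stats = {"completed": 0, "expired": 0, "dropped_full": 0, "peak_half_open": 0}
    for t, ip, port, flag in events:
        # Step 3 timer: discard entries whose final ACK never arrived.
        for key in [k for k, sent in half_open.items() if t - sent > timeout]:
            del half_open[key]
            stats["expired"] += 1
        key = (ip, port)
        if flag == "SYN":
            if len(half_open) >= backlog:
                stats["dropped_full"] += 1   # queue full: this client is refused
                continue
            half_open[key] = t               # step 2: SYN+ACK sent, now waiting
        elif flag == "ACK" and key in half_open:
            del half_open[key]               # step 3 arrived: handshake complete
            stats["completed"] += 1
        stats["peak_half_open"] = max(stats["peak_half_open"], len(half_open))
    return stats


def flag_syn_flood(events, min_syns=4, max_completion_ratio=0.5):
    """Monitor-side heuristic: many SYNs, few completed handshakes and
    sources that never ACK point to a (probably spoofed) SYN flood."""
    syns, acks = Counter(), Counter()
    for _, ip, _, flag in events:
        counter = syns if flag == "SYN" else acks
        counter[ip] += 1
    total_syn, total_ack = sum(syns.values()), sum(acks.values())
    silent = sorted(ip for ip in syns if acks[ip] == 0)
    suspicious = total_syn >= min_syns and total_ack / total_syn <= max_completion_ratio
    return {"suspicious": suspicious, "silent_sources": silent,
            "syns": total_syn, "acks": total_ack}


# Constructed trace: one legitimate handshake, four unanswered SYNs from
# spoofed sources, a legitimate client refused while the queue is full, and
# the same client succeeding once the stale entries have timed out.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", 40000, "SYN"), (0.1, "10.0.0.5", 40000, "ACK"),
    (1.0, "203.0.113.1", 1000, "SYN"), (1.1, "203.0.113.2", 1000, "SYN"),
    (1.2, "203.0.113.3", 1000, "SYN"), (1.3, "203.0.113.4", 1000, "SYN"),
    (2.0, "10.0.0.6", 40001, "SYN"),   # refused: backlog full
    (5.0, "10.0.0.6", 40001, "SYN"), (5.1, "10.0.0.6", 40001, "ACK"),
]

if __name__ == "__main__":
    print(simulate_listener(SAMPLE_EVENTS))
    print(flag_syn_flood(SAMPLE_EVENTS))
```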
Ping of death—The basic idea is that the malicious user sends an illegal echo packet with more than 65,507 bytes of data (MaxIPsize − IP_header − ICMP_header = 65,535 − 20 − 8 = 65,507 bytes, the most echo data a legal IP datagram can carry). These data will be fragmented and, typically, the receiving station will not process the packet until all fragments have been received, leading to buffer overflows and potential crashes, kernel dumps, and so on. More information on this problem can be found in [7].
Ping sweep—A well-known denial-of-service exploit using ICMP is the ping sweep; an ICMP echo request is sent to a broadcast or subnet broadcast IP address, forcing a major traffic spike when all IP members of the network or subnet reply.
Smurf—This is a denial-of-service attack that consumes bandwidth. It is mounted by injecting many ICMP echo requests (i.e., ping) into a network with the source address spoofed to match a victim inside that network. The destination address for the faked ping is a network broadcast (e.g., 196.128.32.255 or 140.178.255.255, another variation being 255.255.255.255). This results in the victim being inundated with ICMP echo replies from all IP hosts listening on that network.
Land attack—A well-known denial-of-service attack that works by spoofing the source IP address to match that of a victim inside a network and making the destination IP address the same. When sent to certain ports (such as HTTP), this can cause some systems to crash.
Teardrop—This is a UDP-based attack that uses IP fragmentation to attack vulnerable operating systems. The source IP address is invariably spoofed. The basic idea is that after the first fragment is sent, one or more subsequent fragments will overlap the previous fragment (so-called pathological fragmentation). This causes some operating systems to compute a negative length for the memory copy, which is then interpreted as a huge unsigned integer. Unless the host has huge amounts of memory, this will result in a memory write way above the actual memory range, causing a system crash (a known vulnerability on some implementations of LINUX).
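The ping of death and teardrop entries above both come down to a missing bounds check in fragment reassembly. As an added example (not from the original text), the validator below applies the two checks a reassembler needs before copying payloads: the reassembled size must not exceed the 65,535-byte IP limit, and an overlapping fragment must not produce a negative copy length. The negative value is also shown as the 32-bit unsigned length an unchecked copy would actually receive. Fragment lists are constructed sample data.

```python
MAX_IP_DATAGRAM = 65_535           # largest value of the 16-bit IP total-length field
IP_HEADER, ICMP_HEADER = 20, 8
MAX_ECHO_DATA = MAX_IP_DATAGRAM - IP_HEADER - ICMP_HEADER   # 65,507 bytes of echo data


def check_reassembly(fragments):
    """fragments: list of (offset_units, payload_len, more_fragments_flag),
    with the offset in 8-byte units as carried in the IP header.
    Returns (ok, reason)."""
    if not fragments:
        return False, "no fragments"
    frags = sorted(fragments)
    prev_end = 0                         # bytes of the datagram already stored
    for off, length, more in frags:
        start, end = off * 8, off * 8 + length
        if end > MAX_IP_DATAGRAM:
            return False, f"reassembled size {end} exceeds {MAX_IP_DATAGRAM} (ping of death)"
        if start < prev_end:
            # A naive reassembler copies only the part past what it already has.
            copy_len = end - prev_end
            if copy_len < 0:
                unsigned = copy_len & 0xFFFFFFFF   # what an unchecked memcpy would see
                return False, (f"overlapping fragment gives copy length {copy_len}, "
                               f"i.e. {unsigned} unsigned (teardrop)")
        prev_end = max(prev_end, end)
    if frags[-1][2]:
        return False, "last fragment still has more-fragments set"
    return True, f"ok, {prev_end} bytes"


# Constructed fragment lists: (offset_units, payload_len, more_fragments).
NORMAL = [(0, 1480, True), (185, 1480, True), (370, 100, False)]
PING_OF_DEATH = [(0, 1480, True), (8189, 40, False)]   # would end at byte 65,552
TEARDROP = [(0, 36, True), (3, 4, False)]               # second lies inside the first

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("ping-of-death", PING_OF_DEATH),
                        ("teardrop", TEARDROP)]:
        print(name, check_reassembly(frags))
```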
WinNuke—Another denial-of-service attack similar to the land attack (sometimes called OOBNuke) crashes older unpatched Windows systems by typically sending a TCP packet to port 139 (NetBIOS) and setting the so-called Out-of-Band (OOB) flags (in fact, this is the urgent flag in the TCP header, which enables the urgent pointer—see Figure 5.2). The attack will work on other ports Windows is listening to.
Christmas tree—Another denial-of-service attack based on setting all flags in the TCP header (thereby making many actions placed on the receiver contradictory and forcing a system crash on unpatched systems).
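Unlike the SYN attack, the ping sweep, Smurf, Land, WinNuke and Christmas tree packets can each be recognised statelessly from a single packet's header fields. The classifier below is an added example (not from the original text) of such signature checks over constructed sample packets; the local network ranges (taken from the broadcast addresses quoted above) are assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Assumed local networks; an inbound echo request to their directed-broadcast
# address is the amplification step of a Smurf attack.
LOCAL_NETS = [ipaddress.ip_network("196.128.32.0/24"),
              ipaddress.ip_network("140.178.0.0/16")]
ALL_TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()
    icmp_type: Optional[int] = None


def is_broadcast(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip == ipaddress.ip_address("255.255.255.255") or any(
        ip == net.broadcast_address for net in LOCAL_NETS)


def classify(pkt: Packet) -> List[str]:
    """Return the signature names a single packet matches (possibly several)."""
    hits = []
    if pkt.src == pkt.dst:                                   # land: source == destination
        hits.append("land")
    if pkt.proto == "ICMP" and pkt.icmp_type == ICMP_ECHO_REQUEST and is_broadcast(pkt.dst):
        hits.append("broadcast-ping")                         # ping sweep / Smurf amplifier
    if pkt.proto == "TCP":
        if "URG" in pkt.flags and pkt.dport == 139:           # WinNuke / OOBNuke
            hits.append("winnuke")
        if pkt.flags >= ALL_TCP_FLAGS:                        # every flag set
            hits.append("christmas-tree")
    return hits


def scan(packets) -> Counter:
    """Tally signature hits over a packet list, as a filter or IDS would."""
    return Counter(sig for pkt in packets for sig in classify(pkt))


# Constructed sample traffic: one ordinary SYN, then one packet per signature.
SAMPLE = [
    Packet("198.51.100.7", "196.128.32.40", "TCP", 51000, 80, frozenset({"SYN"})),
    Packet("196.128.32.40", "196.128.32.40", "TCP", 80, 80, frozenset({"SYN"})),
    Packet("196.128.32.40", "196.128.32.255", "ICMP", icmp_type=ICMP_ECHO_REQUEST),
    Packet("198.51.100.7", "196.128.32.41", "TCP", 51001, 139, frozenset({"PSH", "ACK", "URG"})),
    Packet("198.51.100.7", "196.128.32.41", "TCP", 51002, 25, ALL_TCP_FLAGS),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```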
For more detailed information on security exploits, many of the attack signatures required to identify and deal with these hacks are discussed in [6].