Security Concerns and TCP/IP

You are probably wondering why TCP/IP shows up in this chapter. This section belongs here because as a security professional, one of your biggest problems is TCP/IP. You could say that the ease of connectivity TCP/IP offers is one of the biggest problems we face. Virtually all large networks, including the Internet, are built on the TCP/IP protocol. It has become an international standard for large and small networks.

TCP/IP was designed to connect disparate computer systems into a robust and reliable network. The protocol offers a richness of capabilities and support for many different protocols. Once TCP/IP is installed, it will generally operate reliably for years.

TCP/IP has been a salvation for organizations that need to connect different systems together to function as a unified whole. Because of this easy-to-use, well-documented network, the Internet has more holes than a block of Swiss cheese. You can easily close most of the holes, but you must first know about them.

Note 

You need to have a good understanding of the processes that TCP/IP uses in order to understand how attacks on TCP/IP work. The emphasis in this section is on the types of connections and services made. As the exam objectives state, the Security+ candidate should have basic hardware and network skills.

The TCP/IP Protocol Suite

The TCP/IP protocol suite is broken down into four protocol or architecture layers:

  • Application Layer

  • Host-to-Host or Transport Layer

  • Internet Layer

  • Network Interface Layer

Computers using the TCP/IP protocol use the existing physical connection between the systems. TCP/IP does not concern itself with the network topology or physical connections. The network controller that resides in a computer or host is concerned with the physical protocol or topology. TCP/IP communicates with that controller and lets the controller worry about the network topology and physical connection.

In TCP/IP parlance, a computer on the network is a host. A host is any device connected to the network that runs a TCP/IP protocol suite or stack. Figure 2.6 shows the four layers in a TCP/IP protocol stack. Notice that this drawing includes the physical or network topology. Although not part of the TCP/IP protocol, topology is certainly essential to conveying information on a network.

Figure 2.6: The TCP/IP protocol architecture layers

The four layers of TCP/IP each have a unique set of functions and methods of accomplishing work. Each layer talks to the layers that reside directly above and below it, and each layer has its own rules and capabilities.

The following sections discuss the specific layers of the TCP/IP protocol, as well as the common protocols used in the stack, and how information is conveyed between these layers. We also discuss some of the more common methods used to attack TCP/IP-based networks. Finally, we briefly discuss encapsulation, the process used to pass messages between the layers in the TCP/IP protocol.

Application Layer

The Application layer is the highest layer of the suite. This layer allows applications to access services or protocols to exchange data. Most programs, such as web browsers, interface with TCP/IP at this level. The most commonly used Application layer protocols include:

HTTP HTTP (Hypertext Transfer Protocol) is the protocol used for web pages and the World Wide Web. HTTP applications use a standard language called Hypertext Markup Language (HTML). HTML files are normal text files that contain special coding that allows graphics, special fonts, and characters to be displayed by a web browser or other web-enabled applications.

FTP FTP (File Transfer Protocol) is an application that allows connections to FTP servers for file uploads and downloads. FTP is a very common application used to transfer files between hosts on the Internet.

SMTP SMTP (Simple Mail Transfer Protocol) is the standard protocol for e-mail communications. SMTP allows e-mail clients and servers to communicate with each other for message delivery.

Telnet Telnet is an interactive terminal emulation protocol. Telnet allows a remote user to conduct an interactive session with a Telnet server. This session can appear to be the same as if the client were a local session.

DNS DNS (Domain Name System) allows hosts to resolve host names to an Internet Protocol (IP) address. IP is discussed in the Internet Layer section.

RIP RIP (Routing Information Protocol) allows routing information to be exchanged between routers on an IP Network.

SNMP SNMP (Simple Network Management Protocol) is a management tool that allows communications between network devices and a management console. Most routers, bridges, and intelligent hubs can communicate using SNMP.

POP POP (Post Office Protocol) is a protocol used in many e-mail systems. POP allows for advanced features and is a very standard interface in many e-mail servers. POP is used for receiving e-mail.

Host-to-Host or Transport Layer

The Host-to-Host or Transport layer provides the Application layer with session and datagram communications services. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are part of the definitions of this layer. These two protocols provide a huge part of the functionality of the TCP/IP network:

TCP TCP is responsible for providing a reliable, one-to-one, connection-oriented session. TCP establishes a connection and ensures that packets sent by one end are received by the other. The two hosts report the results of each packet to each other. TCP also makes sure that packets are decoded and sequenced properly. This connection is persistent during the session. When the session ends, the connection is broken.

UDP UDP provides an unreliable, connectionless communications method between hosts. UDP is considered a best-effort protocol, but it is considerably faster than TCP. UDP does not establish a synchronized session like the kind used in TCP, and it does not guarantee error-free communications. The primary purpose of UDP is to send small packets of information; the application is responsible for acknowledging the correct reception of the data. What UDP gives up in reliability it gains in speed.

Internet Layer

The Internet layer is responsible for routing, IP addressing, and packaging. Four core protocols are used in the Internet layer. The Internet layer protocols accomplish most of the "hauling" and "heavy lifting" of information between hosts. Here are the four standard protocols of the Internet layer:

IP IP (Internet Protocol) is a routable protocol, and it is responsible for IP addressing. IP also fragments and reassembles message packets. IP only routes information; it does not verify it for accuracy. Accuracy checking is the responsibility of TCP. IP determines whether a destination is known, and if so, it routes the packet to that destination. If the destination is unknown, IP sends the packet to the router, which sends it on.

ARP ARP (Address Resolution Protocol) is responsible for resolving IP addresses to Network Interface layer addresses, including hardware addresses. ARP can resolve an IP address to a Media Access Control (MAC) address. MAC addresses are used to identify hardware network devices such as a Network Interface Card (NIC).

Note 

Do not confuse the different meanings of the term MAC. You will find MAC used for Media Access Control, which is the physical address of a network device. You will also find MAC used for Mandatory Access Control, which defines how access control operates in an authentication model. You will also see MAC used in cryptography, where it stands for Message Authentication Code. A cryptographic MAC verifies that a message is authentic and has not been altered.

ICMP ICMP (Internet Control Message Protocol) provides maintenance and reporting functions. ICMP is the protocol used by the PING program. When a user wants to test the connectivity to another host, they can enter the PING command with the IP address and the system will test connectivity to that system. If connectivity is good, ICMP returns data to the originating host. ICMP also reports when a destination is unreachable. Routers and other network devices report path information between hosts with ICMP.

IGMP IGMP (Internet Group Management Protocol) is responsible primarily for managing IP multicast groups. IP multicasts send messages or packets to a specified group of hosts. This is different from a broadcast, which all hosts on a network receive.

Network Interface Layer

The lowest level of the TCP/IP protocol suite is the Network Interface layer. This layer is responsible for placing and removing packets on the physical network. This is accomplished through communications with the network adapters in the host. This allows TCP/IP to work with virtually any type of network topology or technology with little modification. If a new physical network topology were installed, say a 10-Gigabit fiber Ethernet connection, TCP/IP would only need to know how to communicate with the network controller in order to function properly. TCP/IP also has the capability to communicate with more than one network topology simultaneously. This allows the protocol to be used in virtually any environment.

Encapsulation

One of the key points in understanding this layering process is the concept of encapsulation. The encapsulation process allows a transport protocol to be sent across the network and utilized by the equivalent service or protocol at the receiving host. Figure 2.7 shows how an e-mail is encapsulated as it moves from the application protocols through the transport and Internet protocols. Each layer adds header information as it moves down the layers.

Figure 2.7: The encapsulation process of an e-mail message

Transmission of the packet between the two hosts occurs through the physical connection in the network adapter. Figure 2.8 illustrates this process between two hosts. Again, this process is not comprehensive but illustrates the process of message transmission.

Figure 2.8: An e-mail message sent by an e-mail client to an e-mail server

Notice that in Figure 2.8 the various layers or protocols facilitate a connection between the client and server. The e-mail client does not know how the message is delivered, and the server application does not care how the message got there. This makes designing and implementing services such as e-mail possible in a global or Internet environment.
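The following is an added example, not code from the study guide, that performs the encapsulation of Figures 2.7 and 2.8 by hand: an application payload is wrapped in a UDP header (Transport layer) and then in an IPv4 header (Internet layer), and the receiving side strips one header per layer on the way back up. UDP is used rather than TCP because its 8-byte header keeps the example short; the IPv4 header checksum is computed exactly as the protocol specifies. Addresses, ports and the payload are constructed sample values.

```python
# Added example, not from the study guide: encapsulation done by hand.
# An application payload is wrapped in a UDP header (Transport layer), then in
# an IPv4 header (Internet layer); parsing reverses it one layer at a time.
# Addresses, ports and payload are constructed sample values.
import socket
import struct

IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as specified for the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer: 8-byte UDP header in front of the application data.
    The UDP checksum is left as 0, which IPv4 permits (it means 'not computed')."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Internet layer: 20-byte IPv4 header (no options) in front of the segment."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,             # version 4, header length 5 words
                         0,                # type of service
                         20 + len(payload),
                         0x1234,           # identification (constructed value)
                         0,                # flags / fragment offset
                         ttl, proto,
                         0,                # checksum placeholder, filled in below
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Strip the IP header; the checksum over a valid header (checksum included) is 0."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
            "payload": packet[ihl:total_len]}


def parse_udp(segment: bytes) -> dict:
    """Strip the UDP header and hand the application data up."""
    src_port, dst_port, length, _ = struct.unpack("!HHHH", segment[:8])
    return {"src_port": src_port, "dst_port": dst_port, "payload": segment[8:length]}


def layer_sizes(src: str, dst: str, src_port: int, dst_port: int, app_data: bytes) -> dict:
    """Show how the message grows at each layer as headers are added on the way down."""
    segment = build_udp(src_port, dst_port, app_data)
    packet = build_ipv4(src, dst, IPPROTO_UDP, segment)
    return {"application": len(app_data), "transport": len(segment), "internet": len(packet)}


if __name__ == "__main__":
    pkt = build_ipv4("192.0.2.10", "192.0.2.53", IPPROTO_UDP, build_udp(40000, 53, b"example query"))
    ip = parse_ipv4(pkt)
    print(ip["src"], "->", ip["dst"], "checksum ok:", ip["checksum_ok"])
    print(parse_udp(ip["payload"]))
```

Flipping a single bit in the IP header makes `checksum_ok` false, which is the only integrity check the Internet layer performs; the payload itself is not covered, which is why the text says accuracy checking is TCP's job.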

Protocols and Services

This section discusses in more detail how TCP/IP hosts communicate with each other. We will discuss the concepts of ports, handshakes, and application interfaces. The objective here is not to make you an expert on this subject, but to help you understand what you are dealing with when attempting to secure a TCP/IP network.

Ports

Simply put, ports identify how a communication process occurs. Ports are special addresses that allow communication between hosts. A port number is added by the originator, indicating which port to communicate with on the server. If the server has this port defined and available for use, it sends back a message accepting the request. If the port is not valid, the server refuses the connection. The Internet Assigned Numbers Authority (IANA) has defined a list of ports called well-known ports.

You can see the full description of the ports defined by IANA on the following website: www.iana.org. There are many thousands of ports available for use by servers and clients.

A port is nothing more than a bit of additional information added to either the TCP or UDP message. This information is added in the header of the packet. The layer below it encapsulates the message with its header.

Many of the services you will use in the normal course of utilizing the Internet use the TCP port numbers identified in Table 2.1. Table 2.2 identifies some of the well-known UDP ports that are common.

Table 2.1: Well-Known TCP Ports

TCP Port Number    Service
20                 FTP (data channel)
21                 FTP (control channel)
23                 Telnet
25                 Simple Mail Transfer Protocol
80                 HTTP, used for the World Wide Web
139                NetBIOS Session Service
443                HTTPS, used for secure web connections

Table 2.2: Well-Known UDP Ports

UDP Port Number    Service
53                 Domain Name System name queries
69                 Trivial File Transfer Protocol
137                NetBIOS Name Service
138                NetBIOS Datagram Service
161                Simple Network Management Protocol
162                SNMP trap

The early definition of these ports specified that ports below 1024 were restricted to administrative uses. Enforcement of this has been voluntary and creates problems for computer security professionals. As you can see, each of these ports potentially requires different security considerations depending on the application it is assigned to. Each of these ports allows access to your network. Even if you establish a firewall, if you want to provide e-mail or web services, you must have these ports open.

TCP Three-Way Handshake

TCP, which is a connection-oriented protocol, establishes a session using a three-way handshake. A host called a client originates this connection. The client sends a TCP segment, or message, to the server. This client segment includes an Initial Sequence Number (ISN) for the connection and a window size. The server responds with a TCP segment that contains its own Initial Sequence Number and a window size indicating its buffer size. The client then sends back an acknowledgement of the server's sequence number. Figure 2.9 shows this three-way handshake occurring between a client and a server. When the session or connection is over, a similar process occurs to close the connection.

Figure 2.9: The TCP connection process

A World Wide Web request uses the TCP connection process to establish the connection between the client and the server. After this occurs, the two systems communicate with each other using TCP Port 80. The same thing occurs when an e-mail connection is made, with the difference that Port 25 is used.

In this way, a server can handle many requests simultaneously. Each session will have a different sequence number even though all sessions use the same port. All of the communications in any given session use this sequence number to keep the sessions from becoming confused.

Application Interfaces

Interfacing to the TCP/IP protocol is much simpler than interfacing to earlier network models. A well-defined and established set of Application Programming Interfaces (APIs) is available from most software companies. These APIs allow programmers to create interfaces to the protocol. When a programmer needs to create a web-enabled application, they can call or use one of these APIs to make the connection, send or receive data, and end the connection. The APIs are prewritten, and they make the job considerably easier than manually coding all of the connection information.

Microsoft uses an API called a Windows socket to interface to the protocol. It can access either TCP or UDP protocols to accomplish the needed task. Figure 2.10 illustrates how the Windows socket connects to the TCP/IP protocol suite.

Figure 2.10: The Windows socket interface
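As an added example (not the study guide's code), the following shows the connect, send, receive and close cycle that a sockets API exposes to a program, and that each session to the same server port gets its own client port, which is what lets a server handle many sessions at once. It runs entirely over the loopback interface on an ephemeral port chosen by the operating system, so no external network is involved; the messages and session count are constructed. Python's `socket` module wraps the same BSD-style calls that Winsock provides on Windows.

```python
# Added example, not from the study guide: the connect / send / receive / close
# cycle that the sockets API (Winsock on Windows, BSD sockets elsewhere) exposes
# to a program. It runs entirely over the loopback interface on an ephemeral
# port so it works offline; messages and session counts are constructed.
import socket
import threading


def start_echo_server(sessions: int = 2):
    """Bind, listen, then accept `sessions` clients in a background thread.
    Returns the chosen port and a list that records each client's source port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free ephemeral port
    srv.listen(5)
    port = srv.getsockname()[1]
    seen_client_ports = []

    def serve():
        for _ in range(sessions):
            conn, peer = srv.accept()   # accept() hands over a completed three-way handshake
            with conn:
                seen_client_ports.append(peer[1])
                data = conn.recv(1024)
                conn.sendall(data)      # echo it back, then close (FIN exchange)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, seen_client_ports


def echo_once(port: int, message: bytes) -> tuple:
    """Client side: connect, send, receive the echo, close. Returns (local port, reply)."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        local_port = client.getsockname()[1]
        client.sendall(message)
        reply = client.recv(1024)
    return local_port, reply


def two_sessions() -> dict:
    """Two sessions to the same server port; each is distinguished by its client port."""
    port, seen = start_echo_server(sessions=2)
    port_a, reply_a = echo_once(port, b"first session")
    port_b, reply_b = echo_once(port, b"second session")
    return {"server_port": port, "client_ports": (port_a, port_b),
            "replies": (reply_a, reply_b), "server_saw": tuple(seen)}


if __name__ == "__main__":
    print(two_sessions())
```

The server never sees the handshake packets themselves; `accept()` returns only once the kernel has completed the exchange, which is the layering the text describes.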

TCP/IP Attacks

Attacks on TCP/IP usually occur at the Host-to-Host or Internet layers. Any layer of the protocol is potentially vulnerable though. TCP/IP is vulnerable to attacks from both outside and inside an organization. This section discusses some of the more common attacks carried out against TCP/IP-based networks.

The opportunities for external attacks are somewhat limited by the devices in the network, including the router. The router blocks many of the protocols from exposure to the Internet. Some protocols, such as ARP, are not routable and are not generally vulnerable to outside attacks. Other protocols, such as SMTP and ICMP, pass through the router and comprise a normal part of Internet and TCP/IP traffic. TCP, UDP, and IP are all vulnerable to attack.

Your network is very vulnerable to inside attacks. Any network-enabled host has access to the full array of protocols used in the network. A computer with a network card has the ability to act as a network sniffer with the proper configuration and software.

The following sections introduce you to the specific attacks that a TCP/IP-based network is susceptible to when using, in many cases, off-the-shelf software or shareware.

Network Sniffers

A network sniffer is merely a device that captures and displays network traffic. Your existing computers have the ability to operate as sniffers. Network cards usually only pass information up to the protocol stack if the information is intended for that computer; any network traffic not intended for that computer is ignored. Most NIC cards can be placed into what is called promiscuous mode. Promiscuous mode allows the NIC card to capture all information that it sees on the network. Most networks are bus-oriented, in that all traffic is sent to all internal computer systems. Devices such as routers, bridges, and switches can be used to separate or segment networks within a larger network. Any traffic in a particular segment is visible to all stations in that segment.

Adding a network sniffer such as the one included by Microsoft in its SMS package allows any computer to function as a network sniffer. This software is widely available and is a very capable network sniffer. A number of public domain or shareware sniffers are available online.

Using a sniffer, an internal attacker can capture all of the information transported by the network. Many advanced sniffers can reassemble packets and create entire messages, including user IDs and passwords. This vulnerability is particularly acute in environments where network connections are easily accessible to outsiders. An attacker could put a laptop or a portable computer in your wiring closet and attach it to your network. The information captured this way exposes your network to further attack.
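The practical lesson of the sniffer threat is that whatever crosses the segment in the clear is readable, so the defender's first job is to know which services still authenticate in cleartext. The following added example (not from the study guide) runs a simple inventory over reassembled TCP payloads of the kind the text says advanced sniffers produce: it reports POP3, FTP and HTTP Basic logins that exposed a password, records the user name for follow-up, and deliberately never stores or returns the password itself. The stream records, addresses and the port-to-service mapping are constructed for the example.

```python
# Added example, not from the study guide: a defender-side pass over
# reassembled TCP payloads that inventories cleartext authentication so those
# services can be moved to encrypted alternatives. Passwords are never stored
# or returned, only the fact that one was exposed. All stream records are constructed.
import base64
import re

# Constructed sample of what a sniffer on the segment would reassemble.
SAMPLE_STREAMS = [
    {"src": "192.0.2.33", "dst": "192.0.2.110", "dport": 110,
     "data": b"USER alice\r\nPASS hunter2\r\nSTAT\r\n"},                     # POP3 login
    {"src": "192.0.2.34", "dst": "192.0.2.21", "dport": 21,
     "data": b"USER bob\r\nPASS s3cret\r\nPWD\r\n"},                         # FTP login
    {"src": "192.0.2.35", "dst": "192.0.2.80", "dport": 80,
     "data": b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
             b"Authorization: Basic Y2Fyb2w6cGFzc3dvcmQ=\r\n\r\n"},          # HTTP Basic auth
    {"src": "192.0.2.36", "dst": "192.0.2.44", "dport": 443,
     "data": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"},                        # TLS: opaque to a sniffer
]

USER_CMD = re.compile(rb"^USER (\S+)\r?$", re.M)
PASS_CMD = re.compile(rb"^PASS \S+\r?$", re.M)
BASIC_HDR = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M | re.I)

# Constructed mapping of well-known ports whose login commands travel in the clear
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 110: "pop3", 23: "telnet"}


def find_cleartext_auth(streams) -> list:
    """Return one finding per stream that carried a password in the clear."""
    findings = []
    for s in streams:
        data, port = s["data"], s["dport"]
        service = CLEARTEXT_LOGIN_PORTS.get(port)
        if service and PASS_CMD.search(data):
            user = USER_CMD.search(data)
            findings.append({"src": s["src"], "dst": s["dst"], "service": service,
                             "user": user.group(1).decode(errors="replace") if user else None,
                             "evidence": "PASS command in cleartext"})
        elif port == 80:
            m = BASIC_HDR.search(data)
            if m:
                try:
                    creds = base64.b64decode(m.group(1), validate=True)
                except ValueError:          # malformed base64: not a usable header
                    continue
                user = creds.split(b":", 1)[0].decode(errors="replace")
                findings.append({"src": s["src"], "dst": s["dst"], "service": "http-basic",
                                 "user": user, "evidence": "Authorization: Basic over plain HTTP"})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_auth(SAMPLE_STREAMS):
        print(finding)
```

The TLS stream produces no finding because its contents are encrypted, which is the remediation this check is meant to drive: move POP3, FTP and HTTP logins to their TLS-protected forms.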

Port Scans

A TCP/IP network makes many of the ports available to outside users through the router. These ports will respond in a predictable manner when queried. For example, TCP will attempt synchronization when a session initiation occurs. An attacker can systematically query your network to determine which services and ports are open. This process is called port scanning, and it can reveal a great deal about your network. Port scans can be performed both internally and externally. Many routers, unless configured appropriately, will let all of the protocols pass through them.

Individual systems within a network may also have applications and services running that the owner does not know about. These services could potentially allow an internal attacker to gain access to information by connecting to that port. Many Microsoft Internet Information Server (IIS) users did not realize the weak security offered by this product. If they did not install all of the security patches when they installed IIS on their desktops, attackers could exploit the weaknesses of IIS and gain access to information. This has been done in many cases without the knowledge of the owner. Although these attacks might not technically be considered TCP/IP attacks, they rely on the inherent trust of TCP to succeed.

Once they know the IP addresses of your systems, external attackers can attempt to communicate with the ports open in your network, sometimes simply using Telnet.

Note 

If you wanted to check whether a system has a particular protocol or port available, all you have to do is use the Telnet command and add the port number. For example, you could check to see if a particular server is running an e-mail server program simply by entering telnet www.yourintrouble.com 25. This initiates a Telnet connection to the server on Port 25. If the server is running SMTP, it will immediately respond with logon information. It doesn't take much to figure out how to talk to SMTP; the interface is well documented. If an e-mail account did not have a password on it, this system is now vulnerable to attack.

This process of port scanning can be expanded to develop a footprint of your organization. If your attacker has a single IP address of a system in your network, they can probe all of the addresses in the range and probably determine what other systems and protocols your network is utilizing. This allows the attacker to gain knowledge about the internal structure of your network.
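Because a scan touches many ports in a short time, it leaves a distinctive footprint in firewall logs. The following added example (not from the study guide) flags any source that reaches a threshold of distinct destination ports inside a sliding time window, and its sample log also contains a slow scanner that a short window misses, which is the tuning trade-off a practitioner faces. The log format, addresses, timestamps and thresholds are constructed.

```python
# Added example, not from the study guide: detection of a port scan from
# firewall connection logs. A source that touches many distinct destination
# ports within a sliding time window is flagged. Log format, addresses and
# timestamps are constructed for the example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+)\s+(ACCEPT|DENY)\s+(TCP|UDP)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")


def parse_line(line: str):
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def detect_port_scans(lines, threshold: int = 10, window_seconds: int = 60) -> dict:
    """Map source IP -> peak number of distinct (dst, port) targets seen inside any
    window of `window_seconds`, for sources that reached `threshold` or more."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:   # slide the window forward
                start += 1
            targets = {(x["dst"], x["dport"]) for x in evs[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


# --- constructed sample log ---------------------------------------------------
_BASE = datetime(2024, 1, 1, 10, 0, 0)


def _line(offset_s, src, sport, dst, dport, action="DENY"):
    return f"{(_BASE + timedelta(seconds=offset_s)).isoformat()} {action} TCP {src}:{sport} -> {dst}:{dport}"


SAMPLE_LOG = (
    # fast scanner: 11 ports in 20 seconds
    [_line(2 * i, "203.0.113.5", 51000 + i, "192.0.2.10", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 443, 445, 3389, 8080])]
    # ordinary client: repeated web traffic to two ports
    + [_line(5 * i, "198.51.100.7", 40000 + i, "192.0.2.10", 443 if i % 2 else 80, "ACCEPT")
       for i in range(8)]
    # slow scanner: one port every two minutes, which a 60-second window misses
    + [_line(120 * i, "203.0.113.9", 60000 + i, "192.0.2.10", 1000 + i) for i in range(12)]
)

if __name__ == "__main__":
    print("60 s window:", detect_port_scans(SAMPLE_LOG))
    print("1 h window: ", detect_port_scans(SAMPLE_LOG, window_seconds=3600))
```

A 60-second window catches the fast scan only; widening the window to an hour also catches the slow scan at the cost of more state per source, so real deployments usually run both a short and a long window.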

TCP Attacks

TCP operates using synchronized connections. This synchronization is vulnerable to attack and is probably the most common attack used today. As you may recall, the synchronization, or handshake, process initiates a TCP connection. This handshake is particularly vulnerable to a DoS attack referred to as a TCP SYN flood attack. The protocol is also susceptible to access and modification attacks that are briefly explained in the following sections.

TCP SYN or TCP ACK Flood Attack

The TCP SYN flood, also referred to as the TCP ACK attack, is very common. The purpose of this attack is simply to deny service. The attack begins as a normal TCP connection. A TCP connection begins by the client and server exchanging information in packets. These packets are called TCP packets. Figure 2.11 illustrates how this attack occurs. Notice that in this attack, the TCP client continues to send ACK packets to the server. These ACK packets tell the server that a connection is requested. The server responds with an ACK packet to the client. The client is supposed to respond with another packet accepting the connection, and a session is established.

Figure 2.11: TCP SYN flood attack

In this attack, the client continually sends and receives the ACK packets but does not open the session. The server will hold these sessions open awaiting the final packet in the sequence. This causes the server to fill up the available sessions and denies other clients the ability to access the resources.

This attack is virtually unstoppable in most environments. Many newer routers can track and attempt to prevent this attack. They can set limits on the length of an initial session to force sessions that do not complete to close out. This type of attack can also be undetectable. An attacker can use an invalid IP address, and TCP will not care because TCP will respond to any valid request presented from the IP layer.
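The three-way handshake described earlier and the flood described here are two sides of the same bookkeeping, so one added example (not the study guide's code) covers both. It models a listening port's half-open connection table: the handshake packets are SYN, SYN-ACK and ACK, the server's SYN-ACK carries its own ISN and acknowledges the client's ISN plus one, and the final ACK is accepted only if it acknowledges the server's ISN plus one. A flood of SYNs that are never acknowledged fills the backlog so real clients are refused, and expiring incomplete handshakes after a timeout, the router-style limit the text mentions, restores service. Everything is simulated; addresses, backlog size and timings are constructed.

```python
# Added example, not from the study guide: a small model of a listening TCP
# port's handshake bookkeeping. It shows the SYN / SYN-ACK / ACK exchange with
# sequence and acknowledgement numbers, how unacknowledged SYNs fill the
# half-open backlog, and how a timeout on incomplete handshakes frees it.
# Addresses, backlog size and timings are constructed.
import random
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF


@dataclass
class Listener:
    backlog: int                 # maximum half-open (SYN_RECEIVED) connections
    syn_timeout: float           # seconds an unfinished handshake may linger
    half_open: dict = field(default_factory=dict)   # (client ip, port) -> (server ISN, time of SYN)
    established: set = field(default_factory=set)
    dropped_syns: int = 0
    peak_half_open: int = 0

    def expire(self, now: float) -> int:
        """Drop half-open entries older than the timeout; return how many were dropped."""
        stale = [k for k, (_, t) in self.half_open.items() if now - t > self.syn_timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def on_syn(self, client, client_isn: int, now: float):
        """Step 1 received. Reply with SYN-ACK carrying our ISN and ack = client ISN + 1."""
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1            # backlog full: the SYN is silently dropped
            return None
        server_isn = random.getrandbits(32)
        self.half_open[client] = (server_isn, now)
        self.peak_half_open = max(self.peak_half_open, len(self.half_open))
        return ("SYN-ACK", server_isn, (client_isn + 1) & MASK32)

    def on_ack(self, client, ack_number: int, now: float) -> bool:
        """Step 3 received. Valid only if it acknowledges our ISN + 1."""
        entry = self.half_open.get(client)
        if entry is None or ack_number != (entry[0] + 1) & MASK32:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


def simulate(flood_syns: int = 500, backlog: int = 128, syn_timeout: float = 30.0, seed: int = 1) -> dict:
    random.seed(seed)                          # reproducible server ISNs for the demo only
    srv = Listener(backlog, syn_timeout)

    # A legitimate client completes all three steps.
    syn_ack = srv.on_syn(("198.51.100.7", 40001), client_isn=1000, now=0.0)
    legit_ok = srv.on_ack(("198.51.100.7", 40001), ack_number=(syn_ack[1] + 1) & MASK32, now=0.01)

    # Flood: SYNs from forged sources that never send the final ACK.
    for i in range(flood_syns):
        srv.on_syn((f"203.0.113.{i % 250 + 1}", 1024 + i), client_isn=i, now=1.0 + i * 0.001)

    # Another real client is refused while the backlog is full...
    refused = srv.on_syn(("198.51.100.8", 40002), client_isn=2000, now=2.0) is None
    # ...and admitted once the stale half-open entries have timed out.
    admitted = srv.on_syn(("198.51.100.8", 40002), client_isn=2000, now=2.0 + syn_timeout + 1) is not None

    return {"legit_handshake_ok": legit_ok, "peak_half_open": srv.peak_half_open,
            "dropped_syns": srv.dropped_syns, "refused_during_flood": refused,
            "admitted_after_timeout": admitted, "established": len(srv.established)}


if __name__ == "__main__":
    print(simulate())
```

The timeout helps only if the flood rate is below backlog divided by timeout; a faster flood refills the table as quickly as it drains, which is why the text calls the attack hard to stop and why production stacks add per-source limits and SYN cookies on top of the timeout.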

TCP Sequence Number Attack

TCP sequence attacks occur when an attacker takes control of one end of a TCP session. The attack succeeds when the attacker knocks the targeted end off the network for the duration of the session. Each time a TCP message is sent, a sequence number is generated by either the client or server. In a TCP sequence number attack, the attacker intercepts and then responds with a sequence number similar to the one used in the original session. This sequence number attack can either disrupt a session or hijack a valid session. If a valid sequence number is guessed, the attacker can place himself between the client and server. Figure 2.12 illustrates a sequence number attack in process against a server. In this example, the attacker guesses the sequence number and replaces a real system with their own.

Figure 2.12: TCP sequence number attack

In this case, the attacker effectively hijacks the session and gains access to the session privileges of the victim's system. The victim's system may get an error message indicating that it has been disconnected, or it may re-establish a new session. In this case, the attacker gains the connection and access to the data from the legitimate system.

The attacker then has access to the privileges established by the session when it was created. This weakness is again inherent in the TCP protocol and very little can be done to prevent it. Your major defense against this type of attack is knowing that it is occurring. This attack will also frequently be a precursor to a targeted attack on a server or network.
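Guessing a sequence number is only feasible when the Initial Sequence Numbers are predictable, and that is the one part of this weakness a stack vendor can fix. The following added example (not from the study guide) contrasts a fixed-step ISN generator with the scheme that RFC 6528 specifies for modern stacks, ISN = M + F(localip, localport, remoteip, remoteport, secretkey) where M is a 4-microsecond clock and F is a keyed hash, and includes a simple audit check of the kind a defender can run against ISNs sampled from their own server. The fixed-step generator, the simulated clock and the HMAC-SHA256 choice for F are constructed illustrations; the RFC 6528 structure is real.

```python
# Added example, not from the study guide: why guessing a sequence number is
# feasible against a stack with predictable Initial Sequence Numbers (ISNs),
# and the RFC 6528 defense, ISN = clock + keyed hash of the connection
# four-tuple. The fixed-step generator and the audit check are constructed
# illustrations; the RFC 6528 structure is real.
import hashlib
import hmac
import os

MASK32 = 0xFFFFFFFF


class PredictableIsn:
    """Old-style generator: every new connection gets the previous ISN plus a fixed step."""
    def __init__(self, start: int = 0, step: int = 64000):
        self.counter, self.step = start, step

    def next_isn(self, src, sport, dst, dport) -> int:
        self.counter = (self.counter + self.step) & MASK32
        return self.counter


class Rfc6528Isn:
    """ISN = M + F(localip, localport, remoteip, remoteport, secretkey), with M a
    4-microsecond clock and F a keyed hash (HMAC-SHA256 here; the RFC allows any
    suitable PRF). The clock is simulated: 1 ms passes between connections."""
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)
        self.clock_us = 0

    def next_isn(self, src, sport, dst, dport) -> int:
        self.clock_us += 1000
        m = self.clock_us // 4
        tag = hmac.new(self.secret, f"{src}|{sport}|{dst}|{dport}".encode(), hashlib.sha256).digest()
        f = int.from_bytes(tag[:4], "big")
        return (m + f) & MASK32


def isn_differences(isns) -> list:
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def looks_predictable(isns) -> bool:
    """Audit check on ISNs sampled from your own server: a constant step between
    consecutive connections means the next one can be computed from the last."""
    return len(isns) >= 3 and len(set(isn_differences(isns))) == 1


def sample_isns(generator, n: int = 8) -> list:
    """Open n consecutive connections to the same service from consecutive client ports."""
    return [generator.next_isn("198.51.100.7", 40000 + i, "192.0.2.25", 25) for i in range(n)]


if __name__ == "__main__":
    print("fixed-step ISNs predictable:", looks_predictable(sample_isns(PredictableIsn())))
    print("RFC 6528 ISNs predictable:  ", looks_predictable(sample_isns(Rfc6528Isn())))
```

With the keyed hash, observing ISNs on one's own connections reveals nothing about the ISN another client will receive, because the hash input differs per four-tuple, while for a single four-tuple the ISN still advances with the clock so old segments cannot be mistaken for new ones.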

TCP/IP Hijacking

TCP/IP hijacking, also called active sniffing, involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all of the information on the original system. The server will not know this has occurred and will respond as if the client is trusted. Figure 2.13 shows how TCP/IP hijacking occurs. In this example, the attacker forces the server to accept its IP address as valid.

Figure 2.13: TCP/IP hijacking attack

TCP/IP hijacking presents the greatest danger to a network because the hijacker will probably acquire privileges and access to all of the information on the server. As with a sequence number attack, there is very little you can do to counter the threat. Fortunately, these attacks require fairly sophisticated software and are harder to engineer than a DoS attack, such as a TCP SYN attack.

UDP Attack

A UDP attack targets either a maintenance protocol or a UDP service in order to overload services and initiate a DoS situation. UDP attacks can also exploit the UDP-based protocols themselves.

UDP packets are not connection-oriented and do not require the synchronization process described in the previous section. UDP packets, however, are susceptible to interception, and UDP can be attacked. UDP, like TCP, does not check the validity of IP addresses. The nature of this layer is to trust the layer below it, the IP layer.

The most common UDP attacks involve UDP flooding. UDP flooding overloads services, networks, and servers. Large streams of UDP packets are focused at a target. This causes the UDP services on that host to shut down. UDP floods also overload the network bandwidth and cause a DoS situation to occur.

ICMP Attacks

ICMP attacks occur by triggering a response from the ICMP protocol when it responds to a seemingly legitimate maintenance request.

ICMP supports maintenance and reporting in a TCP/IP network. ICMP is part of the IP level of the protocol suite. Several programs, including PING, use the ICMP protocol. Until fairly recently, ICMP was regarded as a benign protocol that was incapable of very much damage. ICMP has now joined the ranks of common attack methods used in DoS attacks. Two primary methods use ICMP to disrupt systems: smurf attacks and ICMP tunneling.

SMURF ATTACKS

Smurf attacks are becoming common and can create pure havoc in a network. A smurf attack uses IP spoofing and broadcasting to send a PING to a group of hosts in a network. When a host is pinged, it sends back ICMP message traffic indicating its status to the originator. If a broadcast is sent to a network, all of the hosts answer the ping. The result is an overload of the network and the target system. Figure 2.14 shows a smurf attack underway in a network. The attacker sends a broadcast message with a spoofed but valid source IP address. In this case, the attacking system sends a broadcast PING request. This request is sent to all of the machines in a large network. The replies are then sent to the machine identified as the source of the ICMP request. This creates a DoS attack that consumes the network bandwidth of the replying systems, while the victim system deals with the flood of ICMP traffic it receives.

Figure 2.14: A Smurf Attack underway against a network

Smurf attacks are very popular. The primary method of eliminating smurf attacks involves prohibiting ICMP traffic through a router. If the router blocks ICMP traffic, smurf attacks from an external attacker are not possible.
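Both the UDP flood from the previous section and the smurf attack are visible to a network sensor as volume anomalies, so one added example (not the study guide's code) covers both. It runs two detectors over a constructed per-packet summary: a UDP flood shows up as packets per second to one target far above normal, and a smurf attack shows up as a host receiving echo replies from many distinct sources although it sent no echo requests of its own. The records, addresses and thresholds are constructed.

```python
# Added example, not from the study guide: two volume-based detectors over a
# constructed per-packet summary (what a sensor might export): a UDP flood
# (packets per second to one target) and a smurf attack (a host receiving
# echo replies from many sources although it sent no echo requests).
from collections import Counter, defaultdict


def detect_udp_flood(packets, pps_threshold: int = 1000) -> dict:
    """Destination -> peak UDP packets per second, for destinations over the threshold."""
    per_second = Counter()
    for p in packets:
        if p["proto"] == "UDP":
            per_second[(p["dst"], int(p["t"]))] += 1
    peak = {}
    for (dst, _), n in per_second.items():
        peak[dst] = max(peak.get(dst, 0), n)
    return {dst: n for dst, n in peak.items() if n >= pps_threshold}


def detect_smurf(packets, min_reply_sources: int = 20) -> dict:
    """Destination -> number of distinct hosts sending it echo replies, when that
    number exceeds the echo requests the destination itself sent (amplification)."""
    requests_sent = Counter()
    reply_sources = defaultdict(set)
    for p in packets:
        if p["proto"] != "ICMP":
            continue
        if p["kind"] == "echo-request":
            requests_sent[p["src"]] += 1
        elif p["kind"] == "echo-reply":
            reply_sources[p["dst"]].add(p["src"])
    return {dst: len(srcs) for dst, srcs in reply_sources.items()
            if len(srcs) >= min_reply_sources and requests_sent[dst] < len(srcs)}


def _pkt(t, proto, src, dst, **extra):
    return {"t": t, "proto": proto, "src": src, "dst": dst, **extra}


# Constructed sample traffic
SAMPLE_PACKETS = (
    # normal DNS: ten queries per second to the resolver
    [_pkt(i / 10, "UDP", "192.0.2.40", "192.0.2.53", dport=53) for i in range(30)]
    # UDP flood: 3000 packets in one second at a DNS server from forged sources
    + [_pkt(5 + i / 3000, "UDP", f"203.0.113.{i % 254 + 1}", "192.0.2.20", dport=53) for i in range(3000)]
    # an administrator pings the gateway four times and gets four replies
    + [_pkt(10 + i, "ICMP", "192.0.2.5", "192.0.2.1", kind="echo-request") for i in range(4)]
    + [_pkt(10.01 + i, "ICMP", "192.0.2.1", "192.0.2.5", kind="echo-reply") for i in range(4)]
    # smurf: every host on 198.51.100.0/24 answers a broadcast ping whose forged
    # source was the victim 192.0.2.10, which sent no requests itself
    + [_pkt(20 + i / 1000, "ICMP", f"198.51.100.{i}", "192.0.2.10", kind="echo-reply") for i in range(1, 201)]
)

if __name__ == "__main__":
    print("UDP flood:", detect_udp_flood(SAMPLE_PACKETS))
    print("smurf:    ", detect_smurf(SAMPLE_PACKETS))
```

The ordinary ping exchange is not flagged because the replies match requests the host actually sent. On the prevention side, a more targeted fix than blocking all ICMP at the router is to stop routers from forwarding directed broadcasts (the default that RFC 2644 recommends), which removes the amplifying network from the attack.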

ICMP TUNNELING

ICMP messages can contain data about timing and routes. That data field can be made to carry information other than what was intended, which allows an ICMP packet to be used as a communications channel between two systems. The channel can be used to send a Trojan horse or other malicious packet. This is a relatively new opportunity to create havoc and mischief in networks.

The countermeasures for these ICMP attacks are to deny ICMP traffic through your network. You can disable ICMP traffic in most routers. You should consider this in your network.
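Where blocking ICMP outright is not acceptable, the covert channel can still be spotted by looking at what the echo payload contains. The following added example (not from the study guide) applies a payload heuristic: ordinary ping tools fill the echo payload with a recognisable pattern (Windows ping uses the 32 letters "abcdefghijklmnopqrstuvwabcdefghi"; Linux iputils ping sends a timestamp followed by consecutive byte values 0x10, 0x11, and so on), so a payload that is oversized, or that matches neither pattern and carries high-entropy data, deserves a look. The thresholds and sample payloads are constructed.

```python
# Added example, not from the study guide: a payload heuristic for spotting
# ICMP echo traffic used as a covert channel. Standard ping fills are
# recognisable; a payload that is oversized or is neither pattern and carries
# dense, high-entropy data is flagged. Thresholds and samples are constructed.
import math
from collections import Counter

WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for a constant payload, up to 8 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def trailing_increment_run(data: bytes) -> int:
    """Length of the run at the end of the payload in which each byte is the previous byte + 1."""
    run = 1 if data else 0
    for i in range(len(data) - 1, 0, -1):
        if data[i] == (data[i - 1] + 1) & 0xFF:
            run += 1
        else:
            break
    return run


def classify_echo_payload(payload: bytes, max_size: int = 64, entropy_threshold: float = 5.0,
                          min_fill_run: int = 24) -> list:
    """Return the reasons a payload looks suspicious; an empty list means 'looks like ping'."""
    reasons = []
    if len(payload) > max_size:
        reasons.append("oversized")
    standard_fill = payload == WINDOWS_PING_PAYLOAD or trailing_increment_run(payload) >= min_fill_run
    if not standard_fill:
        reasons.append("high-entropy" if shannon_entropy(payload) > entropy_threshold else "non-standard-fill")
    return reasons


# Constructed sample payloads
LINUX_STYLE = b"\x00" * 16 + bytes(range(0x10, 0x38))          # 16-byte timestamp + 40 fill bytes
TUNNEL_LIKE = bytes((i * 73 + 41) % 256 for i in range(64))   # dense, pattern-free data


def scan(records) -> list:
    """records: (src, dst, payload) tuples; returns (src, dst, reasons) for the flagged ones."""
    flagged = []
    for src, dst, payload in records:
        reasons = classify_echo_payload(payload)
        if reasons:
            flagged.append((src, dst, reasons))
    return flagged


if __name__ == "__main__":
    sample = [("192.0.2.5", "192.0.2.1", WINDOWS_PING_PAYLOAD),
              ("192.0.2.6", "192.0.2.1", LINUX_STYLE),
              ("192.0.2.7", "203.0.113.9", TUNNEL_LIKE)]
    for hit in scan(sample):
        print(hit)
```

This is a triage signal rather than a block rule: a custom fill pattern given to ping on the command line also trips the "non-standard-fill" reason, so flagged flows should be reviewed for volume and persistence before being treated as a tunnel.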

New Attacks on the Way

The attacks described in this section are not comprehensive. New methods are being developed as you read this book. Your first challenge in these situations is to recognize that you are fighting the battle on two fronts.

The first front involves the inherent open nature of TCP/IP and its protocol suite. The TCP/IP protocol is a robust and rich environment. This richness allows many opportunities to exploit the vulnerabilities of the protocol. The second front of this battle involves the implementation of TCP/IP by the various vendors. A weak TCP/IP implementation will be susceptible to all forms of attacks, and there is very little you will be able to do about this, except to complain to the software manufacturer. Fortunately, most of the credible manufacturers are now taking these complaints seriously and doing what they can to close the holes they have created in your systems. Keep your updates current, as this is where most of the corrections for security problems are implemented.




CompTIA Security+ Study Guide. Exam SY0-101
Security+ Study Guide
ISBN: 078214098X
Year: 2006
Pages: 167
