Protocols

Protocols exist in today's networks to allow different types of computers to speak with each other. Without a standard set of protocols, each network would only be able to communicate with the other machines on that same network. If data were sent from one of these networks to another, the receiving network would have no way to decipher the remote protocol. A protocol can be thought of as a language in this sense. There are two basic types of network protocols:

  • Connection-oriented   This type of connection requires a channel to be pre-established before data communications can begin. If a packet is lost during transmission, it will be rebroadcast so that there is no data loss. This type of connection is known as a reliable connection.

  • Connectionless   This type of connection does not guarantee that the data packets have been received or that the packets were received in the correct order. This type of connection is referred to as an unreliable connection.

Internet Protocol

IP is located at Layer 3 of the OSI model. This protocol allows packets to be routed across a network and contains the addressing of the packet. IP is a connectionless protocol, and thus is unreliable. A packet, therefore, may be dropped during transmission. All IP packets contain both a header and a payload. The payload can be anywhere from 512 bytes to 64 kilobytes in size. An example of an IP header can be seen in Figure 7.12. The header of an IP packet consists of:

Figure 7.12: Diagram of an IP Header

  • Version   The current widely deployed version is IP version 4, but IP version 6 will probably be the default standard in the next five to ten years. IP version 6 is commonly referred to as IP next generation (IPng). IPng makes several changes to IP version 4. One of these changes is an increase in IP address size from 32 bits to 128 bits to allow for a greater number of hosts, along with a simplified IP header.

  • Internet Header Length (IHL)   The length of the header, counted in 32-bit words; padding is added if necessary so that the header ends on a 32-bit word boundary.

  • Type of Service (ToS)   Handles the delays that are allowed for the packet.

  • Total Length   This is the total size of the entire packet and must be between 512 bytes and 64 kilobytes.

  • ID   This is the identification of the packet that is used by the receiving machine to reorder packets if they are fragmented during transmission.

  • Flags   Three bits that indicate whether the packet has been fragmented and, if it has, whether this is the last fragment in the transmission.

  • Fragment Offset   Thirteen bits that define the location of the fragment in the packet.

  • Time to Live (TTL)   This field indicates the number of hops the packet can take before it is discarded. The default value is 32.

  • Protocol   This defines what protocol is being used with IP. For example, the most common value is 6 for TCP.

  • Checksum   This is used to ensure that the packet has not been corrupted or changed during the transmission.

  • SA   This is the IP address of the sending machine.

  • DA   This is the IP address of the destination machine.

  • Options   These three option fields can be defined based on what protocol is using IP.

  • Padding   This is used to make sure the header fills out its final 32-bit word.

  • Data   This holds the actual data from the higher-level protocol.

Transmission Control Protocol

TCP is the protocol associated with IP that allows for reliable data communications. TCP allows two machines to establish a connection and exchange packets with each other, most commonly IP packets. TCP guarantees that the IP packets will reach their destination and be received in the correct order. TCP packets contain the source and destination port numbers, which are used to determine the application or process that the TCP segments are sourced from and destined to. The TCP header includes sequence and acknowledgment numbers for reliable delivery. Each TCP packet contains a sequence number, which allows the sender and receiver to respond to the correct packet at any given time. The pitfall of TCP sequence numbers is that if an attacker is sniffing network traffic or can predict the next sequence number, they could spoof a packet and send it to either the sender or the receiver as a trusted packet. This is known as session hijacking.
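To make the header fields above concrete, here is an added example (not code from the study guide) that decodes the fixed IPv4 header, verifies the header checksum, and, when the Protocol field is 6, extracts the TCP ports and sequence/acknowledgment numbers discussed in this section. The 40-byte packet is constructed inline; all addresses and port values in it are made up.

```python
import struct

# Added example (not from the study guide): parse the IPv4 header fields listed above,
# verify the RFC 791 header checksum, and, when Protocol is 6, pull out the TCP ports
# and sequence/acknowledgment numbers. SAMPLE is a constructed 40-byte packet.

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; recomputed over a valid header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                             # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_packet(packet: bytes) -> dict:
    """Decode the 20-byte IPv4 header (plus TCP ports/seq/ack if Protocol == 6)."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, sa, da) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                     # IHL is counted in 32-bit words
    info = {
        "version": ver_ihl >> 4,
        "header_bytes": ihl,
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "flags": flags_frag >> 13,                 # 3 bits: reserved, DF, MF
        "fragment_offset": flags_frag & 0x1FFF,    # 13 bits
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "src": ".".join(map(str, sa)),
        "dst": ".".join(map(str, da)),
    }
    if proto == 6 and len(packet) >= ihl + 12:     # TCP follows the IP header
        sport, dport, seq, ack = struct.unpack("!HHII", packet[ihl:ihl + 12])
        info["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack}
    return info

def build_sample() -> bytes:
    """Constructed IPv4+TCP SYN: 192.0.2.10:40000 -> 198.51.100.20:443, TTL 64, DF set."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1C46, 0x4000, 64, 6, 0,
                               bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))   # fill in the checksum
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 0x50, 0x02, 65535, 0, 0)
    return bytes(ip) + tcp

SAMPLE = build_sample()
```

A header whose TTL was changed in transit without the checksum being recomputed shows up as `checksum_ok == False`, which is the corruption check the Checksum field exists for.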

Multi-Purpose Internet Mail Extensions

Before discussing Secure/Multipurpose Internet Mail Extensions (S/MIME), its parent product, Multi-Purpose Internet Mail Extensions (MIME) should be discussed. MIME is an extension of SMTP that provides the ability to pass different kinds of data files, including audio, video, images, and other files as attachments, on the Internet. The MIME header is inserted at the beginning of the e-mail, and then the mail client (such as Microsoft Outlook) uses the header to determine which program will be used on the attached data. For example, if an audio file is attached to an e-mail, Outlook will look at the file associations for audio files and use an audio player, such as Winamp, to open the file.

Note 

RFC 1847 and RFC 2634 offer additional information about multi-part/signed MIME and the specifications for S/MIME.

Secure Multi-Purpose Internet Mail Extensions

Since MIME does not offer any security features, developers at RSA Security created S/MIME. S/MIME, like MIME, is concerned with the headers inserted at the beginning of an e-mail. However, instead of determining the type of program to use on a data file, S/MIME looks to the headers to determine how data encryption and digital certificates must be handled. Messages are encrypted using a symmetric cipher (method of encrypting text), and a public-key algorithm is used for key exchange and digital signatures. S/MIME can be used with three different symmetric encryption algorithms: DES, 3DES, and RC2. Free versions of S/MIME are available for Microsoft Outlook Express as well as for Netscape Communicator. However, newer versions of Outlook Express and Microsoft Outlook come with S/MIME installed.

start sidebar
Head of the Class…
Screensaver versus S/MIME

Hacking tools come in all shapes and sizes, but this has to be one of the strangest. A screensaver was developed that could crack 40-bit encryption S/MIME keys (encryption "strength" is based on the number of bits in the key). The screensaver took about a month to crack the key using a single computer. However, it also had the ability to use the processing power of multiple computers on a local network to crack the key in as little as one hour. This has since been repaired in newer versions, but it shows the level of creativity that hackers possess. To learn more about this vulnerability, see www.wired.com/news/technology/0,1282,7220,00.html.

end sidebar

Secure Socket Layer

Secure Socket Layer (SSL) was developed by Netscape to allow documents to be transmitted over the Internet privately. SSL uses a public key from a trusted source to encrypt data as it travels across a secure connection. Most major browsers today support using SSL to make secure transactions.

SSL functions on port 443. It is then necessary for a site that uses SSL for secure communications to open port 443 for incoming and outgoing traffic on the firewall protecting the site.

The Transport Layer Security (TLS) protocol is the renamed version of SSL. RFC 2246 documents TLS, but also identifies it as SSL version 3.1. Note that TLS and SSL are the same thing, and TLS version 1 is actually SSL version 3.1.

SSL and TLS

SSL and TLS provide a connection between a client and a server, over which any amount of data can be sent securely. Both the server and browser generally must be SSL- or TLS-enabled to facilitate secure Web connections, while applications generally must be SSL- or TLS-enabled to allow their use of the secure connection. However, a recent trend is to use dedicated SSL accelerators as VPN terminators, passing the content on to an end server. The Cisco CSS Secure Content Accelerator 1100 is an example of this technique.

For the browser and server to communicate securely, each needs to have the shared session key. SSL and TLS use public-key encryption to exchange session keys during communication initialization. When a browser is installed on a workstation, it generates a unique private/public key pair.

HTTP over SSL (HTTP/S) is the protocol responsible for encryption of traffic from a client browser to a Web server. HTTP/S uses port 443 instead of HTTP port 80.

When a URL begins with "https://," you are using HTTP/S. Both HTTP/S and SSL use an X.509 digital certificate for authentication purposes from the client to the server. For detailed information about SSL and HTTP/S, visit Netscape's Web site at http://wp.netscape.com/eng/ssl3/ssl-toc.html.

SSL suffers from security vulnerabilities caused by small key sizes, expired certificates, and other weaknesses that can plague any public key implementation. Many servers running SSL on the Internet are still using an older, flawed version (SSLv2), or they use 40-bit encryption, or their certificates are expired or self-signed. There is an online resource at www.lne.com/ericm/papers/check_server.html that allows users to check the strength of an SSL server. You simply type in the URL of the server and SSL version numbers and certificate information are returned (see Figure 7.13).

Figure 7.13: Checking the Strength of an SSL Server
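The server check described above can be reproduced offline against the weaknesses the paragraph lists (SSLv2, 40-bit ciphers, expired and self-signed certificates). The following is an added example, not code from the study guide or from the site mentioned; on a live connection the three inputs would come from an `ssl.SSLSocket` (`version()`, `cipher()[2]`, `getpeercert()`), while the certificates here are constructed samples in the same dictionary format.

```python
import ssl
import time

# Added example (not from the study guide): an offline form of the server check
# described above. On a live connection the inputs come from an ssl.SSLSocket:
# sock.version(), sock.cipher()[2] (cipher key bits) and sock.getpeercert(); the
# certificates below are constructed samples in the dict format getpeercert() returns.

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def assess_tls(protocol: str, key_bits: int, cert: dict, now: float = None) -> list:
    """Return the list of weaknesses found; an empty list means nothing was flagged."""
    now = time.time() if now is None else now
    findings = []
    if protocol in OBSOLETE_PROTOCOLS:
        findings.append("obsolete protocol: " + protocol)
    if key_bits < 128:                       # e.g. the old 40-bit export ciphers
        findings.append("weak cipher: %d-bit key" % key_bits)
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("certificate expired: " + cert["notAfter"])
    if cert["issuer"] == cert["subject"]:    # self-signed: no trusted third party vouches
        findings.append("self-signed certificate")
    return findings

# Clock frozen for the samples so that the results are reproducible.
NOW = ssl.cert_time_to_seconds("Jun 01 00:00:00 2003 GMT")

CA_SIGNED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "notBefore": "Jan 01 00:00:00 2003 GMT",
    "notAfter": "Dec 31 23:59:59 2004 GMT",
}
SELF_SIGNED_EXPIRED_CERT = {
    "subject": ((("commonName", "intranet.example.com"),),),
    "issuer": ((("commonName", "intranet.example.com"),),),
    "notBefore": "Mar 14 12:00:00 2001 GMT",
    "notAfter": "Mar 14 12:00:00 2002 GMT",
}
```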

Exam Warning 

You should remember which protocols protect which type of transmissions. For example, know that S/MIME allows for encrypted MIME-encoded e-mail messages. Also, remember that SSL/TLS is used to allow for secure Web communications. An SSL certificate must be obtained from a trusted source such as VeriSign or Thawte.

Secure Electronic Transaction

Secure Electronic Transaction (SET) is a fairly new protocol that supports secure credit card transactions over the Internet. Both major software vendors and credit card suppliers have endorsed SET for secure credit card transactions. SET uses digital signatures to verify who the purchaser is and allows a purchase to be made without the supplier ever knowing the user's actual credit card number.

Authentication Protocols

There are two major authentication protocols that are used to allow user verification before access is given to a particular resource.

Password Authentication Protocol

Password Authentication Protocol (PAP) is the most common authentication protocol used to verify a person's identity. It allows a username and password to be transmitted across a network and compared to a list of known usernames and passwords. If the username and password sent match a set contained in the known list, the user is authenticated to the network. PAP is used with basic HTTP to transmit usernames and passwords across the Internet.

The main downfall of PAP is that the username and password are transmitted in cleartext across the network. This could allow anyone viewing the transmission to extract the username and password for use in later attacks. The known list of usernames and passwords, however, is typically stored encrypted.

Challenge Handshake Authentication Protocol

One of the methods that can be used to protect information when using remote access to a resource is the Challenge Handshake Authentication Protocol (CHAP). CHAP is a remote access authentication protocol used in conjunction with Point-to-Point Protocol (PPP) to provide security and authentication to users of remote resources. PPP replaced the older Serial Line Internet Protocol (SLIP). PPP not only allows for more security than SLIP, but also does not require static addressing to be defined for communication. PPP allows users to use dynamic addressing and multiple protocols during communication with a remote host. CHAP is described in RFC 1994, available at www.cis.ohio-state.edu/cgi-bin/rfc/rfc1994.html. CHAP is used to periodically verify the identity of the peer using a three-way handshake. This is done upon initial link establishment, and may be repeated any time after the link has been established. The RFC describes a process of authentication that works in the following manner:

  1. After the link establishment phase is complete, the authenticator sends a "challenge" message to the peer.

  2. The peer responds with a value calculated using a "one-way hash" function.

  3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection should be terminated.

  4. At random intervals, the authenticator sends a new challenge to the peer, and repeats steps one through three.

CHAP operates in conjunction with PPP to provide protection of the credentials presented for authentication and to verify connection to a valid resource. It does not operate with encrypted password databases, and therefore is not as strong a protection as other levels of authentication. The shared secrets may be stored on both ends as a cleartext item, making the secret vulnerable to compromise or detection. CHAP may also be configured to store a password using one-way reversible encryption, which uses the one-way hash noted earlier. This provides protection to the password, because the hash must match the client wishing to authenticate with the server that has stored the password with the hash value. CHAP is nevertheless better than PAP, since PAP sends passwords across the network in cleartext.
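The four-step exchange above, simulated end to end as an added example (not code from the study guide). It follows RFC 1994, where the response is the MD5 hash of the 8-bit Identifier, the shared secret and the random challenge, so the secret itself never crosses the link; the `Authenticator` and `run_session` names, the user name and the secrets are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Added example (not from the study guide): a simulated CHAP exchange following
# RFC 1994, where Response = MD5(Identifier || shared secret || Challenge).
# Both ends know the secret, but only challenges and hashes cross the link.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side (step 2): the one-way hash over Identifier, secret and challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class Authenticator:
    """Server side: issues challenges and verifies responses against stored secrets."""

    def __init__(self, secrets_db: dict) -> None:
        self.secrets_db = secrets_db   # name -> shared secret (stored cleartext, as noted)
        self.identifier = 0

    def challenge(self) -> tuple:
        # Step 1: a fresh random challenge and a new Identifier for every round,
        # so a captured response cannot be replayed against a later challenge.
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, secrets.token_bytes(16)

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        # Step 3: recompute the expected hash and compare in constant time.
        secret = self.secrets_db.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

def run_session(auth: Authenticator, name: str, peer_secret: bytes, rounds: int = 3) -> list:
    """Steps 1-4: initial authentication, then re-challenges on the same link."""
    results = []
    for _ in range(rounds):
        ident, chal = auth.challenge()                        # step 1 (authenticator)
        resp = chap_response(ident, peer_secret, chal)        # step 2 (peer)
        results.append(auth.verify(name, ident, chal, resp))  # step 3, repeated in step 4
    return results
```

A peer holding the wrong secret fails every round, and a response captured from one round fails when presented against the next challenge.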

Test Day Tip 

CHAP and PAP are the two main authentication protocols used. Know the differences between the two and what makes CHAP more secure. Mainly know that CHAP supports reauthentication using a one-way hash to verify that the same user is still logged into the session.

Remote Access Protocols

There are two common protocols that allow remote users to connect to remote systems using a standard serial line such as a modem. This allows a remote computer to become a node on a network and run network applications via this connection.

Point-to-Point Protocol

Point-to-Point Protocol (PPP) allows a remote machine to dial up to a remote server using a standard serial connection. PPP is a remote communication method that supports full-duplex transmissions. It is the connection method used by most dial-up accounts that exist today. PPP assumes that all packets are received in the same order that they are sent. PPP is unique because it can transport multiple protocols through its encapsulation method. The encapsulation method is compliant with a majority of network devices that support serial connections. Link Control Protocol (LCP) is used by a PPP connection to determine a variety of different settings, such as

  • Encapsulation format

  • Packet sizes

  • Detection of common misconfiguration errors

  • Termination of the link

In addition to the services provided by LCP, there are Network Control Protocols (NCPs) that further simplify a PPP connection. The dynamic assignment of an IP address and the configuration of remote IP address are made much easier because each function is handled by a specific NCP.

Serial Line Interface Protocol

In 1984, one of the first widely used access methods was released that allowed users an easy way to connect to TCP/IP devices over a serial connection. Serial Line Interface Protocol (SLIP) is an older protocol than PPP and is typically associated with older UNIX workstations. The only purpose that SLIP serves is to pass IP packets across a serial connection in a particular sequence. It is easier to misconfigure because the user must define the IP address assigned by the provider, or know how to configure the specific software to accept dynamic IP address assignment. The user also has to configure the IP address of the host PC being connected to. From a functional standpoint, after the initial connection is made, SLIP and PPP provide the exact same function.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
