
Page 1: TCP/IP and Internet Security CSEM02 University of Sunderland Harry R. Erwin, PhD

TCP/IP and Internet Security

CSEM02

University of Sunderland

Harry R. Erwin, PhD

Page 2

Resources

• Garfinkel and Spafford, 1996, Practical UNIX and Internet Security, O’Reilly, ISBN: 1-56592-148-8.

• B. Schneier, 2000, Secrets and Lies, Wiley, ISBN: 0-471-25311-1.

• Daniel J. Barrett and Richard E. Silverman, 2001, SSH, the Secure Shell, O’Reilly, ISBN: 0-596-00011-1.

• Eric Rescorla, 2001, SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, ISBN: 0-201-61598-3.

Page 3

TCP/IP

• The most general packet and message-level protocol in use.

• Operates on LANs, WANs and other network protocols.

• We will discuss IPv4.

• There will be some overlap with lecture 6b.

Page 4

Internet Addresses

• Dotted quad: four 8-bit integers.

• Unique in some sense (except that a local LAN may have only one address visible to the outside).

• Multiple address classes mean that not all addresses are usable. Classless Inter-Domain Routing (CIDR) has been introduced to address this.
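As an added example (not part of the lecture), the following Python works the dotted-quad and CIDR arithmetic by hand: it packs four 8-bit integers into one 32-bit value, reports the legacy class an address would have fallen into, and tests membership in a CIDR block. The function names are the example's own.

```python
# Added example: dotted-quad parsing, legacy address classes and CIDR blocks.
# Plain integer arithmetic (no ipaddress module) so that each step is visible.

def parse_dotted_quad(text):
    """Pack 'a.b.c.d' (four 8-bit integers) into one 32-bit integer."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % text)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range: %r" % part)
        value = (value << 8) | octet
    return value

def to_dotted_quad(value):
    """Inverse of parse_dotted_quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def address_class(value):
    """Legacy class, read from the leading bits of the first octet.
    A class fixes the network size (A /8, B /16, C /24); that rigidity is
    the waste CIDR removes. D is multicast, E is reserved."""
    first = value >> 24
    if first < 0x80:
        return "A"      # 0xxxxxxx
    if first < 0xC0:
        return "B"      # 10xxxxxx
    if first < 0xE0:
        return "C"      # 110xxxxx
    if first < 0xF0:
        return "D"      # 1110xxxx
    return "E"

def cidr_block(text):
    """'a.b.c.d/n' -> (network, mask) as integers, host bits cleared."""
    addr, prefix = text.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix out of range: %d" % prefix)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return parse_dotted_quad(addr) & mask, mask

def in_block(addr_text, cidr_text):
    """True if the address lies inside the CIDR block."""
    network, mask = cidr_block(cidr_text)
    return parse_dotted_quad(addr_text) & mask == network

def block_size(cidr_text):
    """Addresses covered by a prefix: a /22 is four old class-C networks."""
    return 1 << (32 - int(cidr_text.split("/")[1]))
```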

Page 5

Routing

• Routing is transparent.

• Local hosts send packets to their gateway.

• The gateway is a router and handles matters from that point.

• The architecture routes around outages and failures.

Page 6

Hostnames

• The name of the computer (not its address).

• Hostname <--> IP address may be many to many!

• Hostnames begin with an alphanumeric character and may contain letters, numbers, and a few symbols. Case is ignored.

• Two parts: machine name and domain. The first period is the separator.

Page 7

Packets and Protocols

• ICMP—for control

• TCP—for connection-oriented service

• UDP—for connectionless service

• IGMP—for multicasting control

Page 8

ICMP

• In-band control of internet operations.

• Examples:
– Echo request and echo reply
– Destination unreachable
– Source quench
– Redirect
– Etc.

Page 9

TCP

• Reliable, ordered, connection-oriented service.

• Connects (16-bit) ports at (32-bit) IP addresses.

• SYN and ACK bits in the packet header are used to negotiate new connections:
– SYN set to request the connection
– SYN and ACK set to acknowledge the request
– ACK set to confirm the connection
– Three-way handshake

• This protocol allows unfriendly outsiders to detect which ports are being listened to.
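As an added example (not from the lecture), the following Python models the server side of the three-way handshake for each (source, port) pair and then summarises, per source, how many connections completed, how many stopped after the SYN+ACK, and how many hit a port with no listener. The packet trace, the listening-port set and the threshold are constructed for the example; a source that touches many ports without ever completing a handshake is the behaviour the last bullet describes, and this is how a defender would surface it in a trace.

```python
from collections import defaultdict

# Constructed trace for the example: (source address, destination port, flags).
# Only the SYN and ACK bits discussed on the slide are modelled.
TRACE = [
    ("10.0.0.5", 22, {"SYN"}),    # legitimate client: SYN ...
    ("10.0.0.5", 22, {"ACK"}),    # ... then ACK completes the handshake
    ("10.0.0.9", 21, {"SYN"}),    # SYNs to many ports, never followed by ACK
    ("10.0.0.9", 23, {"SYN"}),
    ("10.0.0.9", 25, {"SYN"}),
    ("10.0.0.9", 80, {"SYN"}),
    ("10.0.0.9", 110, {"SYN"}),
    ("10.0.0.9", 119, {"SYN"}),
]
LISTENING = {22, 25, 80}          # ports with a daemon behind them (constructed)

def next_state(state, flags, listening):
    """Server-side handshake state for one (source, port) pair."""
    if state == "LISTEN" and flags == {"SYN"}:
        # A listening port answers SYN+ACK, a closed one answers RST; that
        # difference is what lets an outsider tell which ports are open.
        return "SYN_RCVD" if listening else "REFUSED"
    if state == "SYN_RCVD" and flags == {"ACK"}:
        return "ESTABLISHED"
    return state              # anything else leaves the state unchanged

def summarise(trace, listening_ports):
    """Per-source counts of established, half-open and refused connections."""
    states = {}
    for src, port, flags in trace:
        key = (src, port)
        states[key] = next_state(states.get(key, "LISTEN"), flags,
                                 port in listening_ports)
    summary = defaultdict(lambda: {"ports": set(), "LISTEN": 0, "SYN_RCVD": 0,
                                   "ESTABLISHED": 0, "REFUSED": 0})
    for (src, port), state in states.items():
        summary[src]["ports"].add(port)
        summary[src][state] += 1
    return summary

def suspected_scanners(summary, min_ports=5):
    """Sources that touched many ports and never completed a handshake."""
    return sorted(src for src, s in summary.items()
                  if len(s["ports"]) >= min_ports and s["ESTABLISHED"] == 0)
```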

Page 10

UDP

• Unreliable, connectionless service.

• 10 times more throughput than TCP.

• Common services (port—name):
– 53—dns
– 69—tftp
– 111—sunrpc
– 137—windows blithering
– 161—snmp

Page 11

Clients and Services

• Clients initiate connections to servers. Sometimes this is logically backwards as in X-Windows, where the client is the sender of the information, and the server is the machine requesting the information.

• Daemons are servers that wait for user requests.

Page 12

Name Service

• The conversion from a name to an address is handled by a domain name server (DNS).

• UDP is used, so a workstation may need to make multiple requests.

• In UNIX systems, DNS is usually handled by bind.

• Alternatives:
– NIS
– NetInfo
– DCE

Page 13

TCP Services

• 21—ftp

• 23—telnet

• 25—smtp

• 42—nameserver

• 43—whois

• 79—finger

• 80—http

• 109, 110—pop

• 113—auth

• 119—nntp

Page 14

TCP/IP Security

• Risks include:
– Sniffers
– IP spoofing
– Connection hijacking
– Data spoofing

Page 15

Causes of Weak Internet Security

• Underestimation of the hostility of the internet environment

• Overriding importance of message/packet transfer

• Evolution

Page 16

Alternatives

• Encrypt the link

• Protect the link

• Encrypt the packets

• Encrypt the message

• Encrypt the session

Peter Dunne has discussed this.

Page 17

Limitations of Encryption

• Does not protect against deletion

• Trapdoors may exist in the encryption program

• Data can be accessed when not encrypted.

• Encryption can be broken.

• Keys can be weak.

Page 18

The Problem

• IPv4 is insecure. Most TCP/IP services are unencrypted. This allows anyone to monitor and reconstruct connection traffic on the internet.

• Requirements for the following can be identified:
– Encrypted connections between parties known to each other.
– Third-party authentication and encrypted connection establishment when parties are not known to each other.

Page 19

Solutions

• SSH to support encrypted sessions

• SSL to provide trusted third-party authentication and to support encrypted sessions.

Page 20

SSH

• “Secure shell”

• Transparent encryption.

• Modern, secure encryption algorithms

• Reliable, fast, and effective

• Client/server interaction

• Eliminates .rhosts and hosts.equiv

Page 21

Services Provided

• Replaces:
– rsh and telnet with ssh
– rlogin with slogin
– rcp with scp
– ftp with sftp

• Protocols:
– ssh-1
– ssh-2

Page 22

SSH1 Authentication Mechanisms

1. Kerberos

2. Rhosts (trusted host authentication, insecure)

3. RhostsRSA (trusted host authentication, insecure)

4. Public-key (RSA)

5. TIS

6. Password (various flavors, relatively insecure)

Page 23

SSH2 Authentication Mechanisms

1. Public-key (DSA, RSA, OpenPGP)

2. Hostbased

3. Password

Page 24

Ciphers

• SSH1: 3DES, IDEA, ARCFOUR (alleged RC4), DES

• SSH2: 3DES, Blowfish, Twofish, CAST-128, IDEA, ARCFOUR

Page 25

Port Forwarding

• SSH can forward or tunnel ports, allowing you to run insecure services securely.

ssh -L 3002:localhost:119 news.yoyo.com

• Here -L binds local port 3002 and carries whatever connects to it through the encrypted session to port 119 (nntp) as seen from news.yoyo.com, so a news reader pointed at localhost:3002 never puts cleartext on the network.

Page 26

A Simple Example

• ssh -l harry harry.sunderland.ac.uk

• This allows me to log into harry@harry.sunderland.ac.uk.

• Another way of doing the same thing is:

• ssh harry@harry.sunderland.ac.uk

Page 27

Using scp

• scp harry@harry.sunderland.ac.uk:myfile afile

• This transfers myfile from my home directory on harry.sunderland.ac.uk to afile locally.

• You can also use sftp similarly to ftp.

Page 28

Threats Countered by SSH

• Eavesdropping

• DNS and IP Spoofing

• Connection Hijacking

• Man-in-the-Middle Attacks

• Insertion Attack

Page 29

SSL

• Secure Sockets Layer.

• An authentication and encryption technique that provides security services to TCP by a socket-style API.

• Relies on certificates issued by a trusted third party.

• Invented by Netscape.

• Is being replaced by TLS (Transport Layer Security).

Page 30

Services Provided

• Secure http

• pop

• imap

• smtp

• ftp

• rmi

• corba

• iiop

• telnet

• ldap

Page 31

SSL Functions

• Confidential transmission

• Message integrity

• Endpoint authentication

Page 32

How It Works

• An understanding of how SSL works is necessary to use it safely.

• Uses public key cryptography.

• Trusted third parties (Certificate Authorities) provide the certificates that contain the public keys.

• Supports many encryption algorithms.

Page 33

SSL-Enabled UNIX Clients

• curl

• ethereal

• ettercap

• lynx

• stunnel

• gabber

• links

• mutt

• xchat

• bitchx

• lftp

• neon

• openldap

• openslp

• pine

• various database managers