3.7. Securing Internet Connections

The Internet is perhaps the area of largest growth for networks. The Internet is a worldwide network that offers the capability of instantaneous connections between networks, no matter where they're located. The technology started as a research project funded by the Department of Defense and has grown at an enormous rate. Within a few years, virtually every computer in the world is expected to be connected to the Internet. This situation creates a security nightmare and is one of the primary reasons the demand for professionals trained in information and computer security is expected to grow exponentially.

The following sections describe ports and sockets and then some of the more common protocols, including e-mail, web, and FTP.

3.7.1. Working with Ports and Sockets

As we've already discussed, the primary method of connection between systems using the Internet is the TCP/IP protocol. This protocol establishes connections and circuits using a combination of the IP address and a port. A port is an interface that is used to connect to a device. Sockets are a combination of the IP address and the port. For example, if you attempt to connect to a remote system with the IP address 192.168.0.100, which is running a website, you'll use port 80 by default. The combination of these two elements gives you a socket. The full address and socket description would then be 192.168.0.100:80.

IP is used to route the information from one host to another through a network. The four layers of TCP/IP encapsulate the information into a valid IP packet that is then transmitted across the network. Figure 3.15 illustrates the key components of a TCP packet requesting the home page of a website. The data will be returned from the website to port 1024 on the originating host.

Figure 3.15. A TCP packet requesting a web page from a web server

The source port is the port that is addressed on the destination. The destination port is the port to which the data is sent. In the case of a web application, the data for port addresses would both contain 80. A number of the fields in this packet are used by TCP for verification and integrity, and you need not be concerned with them at this time.

However, the data field contains the value Get/. This value requests the home or starting page from the web server. In essence, this command or process requested the home page of the site 192.168.0.100 port 80. The data is formed into another data packet that is passed down to IP and sent back to the originating system on port 1024.
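The request and reply described above, as an added example that is not part of the original text: it packs the fixed 20-byte TCP header for a segment sent from port 1024 to 192.168.0.100:80, parses it back, and builds the reply by swapping the ports. The client address 192.168.0.50, the sequence numbers and the HTTP/1.0 request line are assumptions; the checksum is left at zero because computing it requires the IP pseudo-header.

```python
import struct
from dataclasses import dataclass

# Fixed 20-byte TCP header (no options): source port, destination port,
# sequence, acknowledgement, data offset, flags, window, checksum, urgent.
TCP_HEADER = struct.Struct("!HHIIBBHHH")
FLAG_PSH, FLAG_ACK = 0x08, 0x10

CLIENT_IP = "192.168.0.50"    # assumed client address, not from the text
SERVER_IP = "192.168.0.100"   # web server address used in the text


@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    payload: bytes


def build_segment(src_port, dst_port, seq, ack, flags, payload=b""):
    """Serialize a TCP segment; the checksum stays 0 (it needs the IP pseudo-header)."""
    data_offset = (TCP_HEADER.size // 4) << 4   # header length in 32-bit words
    header = TCP_HEADER.pack(src_port, dst_port, seq, ack,
                             data_offset, flags, 65535, 0, 0)
    return header + payload


def parse_segment(raw):
    """Parse raw bytes into a Segment, rejecting truncated or inconsistent headers."""
    if len(raw) < TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, offset, flags, _win, _sum, _urg = TCP_HEADER.unpack_from(raw)
    header_len = (offset >> 4) * 4
    if header_len < TCP_HEADER.size or header_len > len(raw):
        raise ValueError("invalid data offset")
    return Segment(src, dst, seq, ack, flags, raw[header_len:])


def build_reply(request, payload):
    """Build the server's answer: ports swap and the request bytes are acknowledged."""
    return build_segment(request.dst_port, request.src_port,
                         seq=request.ack,
                         ack=(request.seq + len(request.payload)) & 0xFFFFFFFF,
                         flags=FLAG_PSH | FLAG_ACK, payload=payload)


def sockets(seg, src_ip, dst_ip):
    """Return the (source, destination) sockets as ip:port strings."""
    return f"{src_ip}:{seg.src_port}", f"{dst_ip}:{seg.dst_port}"


def demo():
    # Constructed request: client port 1024 asks 192.168.0.100:80 for the home page.
    request = parse_segment(build_segment(1024, 80, seq=1000, ack=5000,
                                          flags=FLAG_PSH | FLAG_ACK,
                                          payload=b"GET / HTTP/1.0\r\n\r\n"))
    reply = parse_segment(build_reply(request, b"HTTP/1.0 200 OK\r\n\r\n"))
    return sockets(request, CLIENT_IP, SERVER_IP), sockets(reply, SERVER_IP, CLIENT_IP)


if __name__ == "__main__":
    for src, dst in demo():
        print(f"{src} -> {dst}")
```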

The connections to most services using TCP/IP are based on this port model. Many of the ports are well documented, and the protocols to communicate with them are well known. If a vendor has a technological weakness or implements security poorly, the vulnerability will become known and exploited in a short time.

3.7.2. Working with E-Mail

E-mail is one of the most popular applications in use on the Internet. Several good e-mail servers and clients are available. Figure 3.16 demonstrates the process of transferring an e-mail message.

Figure 3.16. E-mail connections between clients and a server

The most common e-mail systems use the following protocols, which use the TCP protocol for session establishment:


Simple Mail Transport Protocol

Simple Mail Transport Protocol (SMTP) is a mail delivery protocol that is used to send e-mail between an e-mail client and an e-mail server as well as between e-mail servers. Messages are moved from client to server to client via the Internet. Each e-mail message can take a different path from the client to the server. In the case of Figure 3.16, the clients are on two different e-mail servers; they could both be on the same server, and the process would appear transparent to the user. SMTP uses port 25 and TCP for connections.


Post Office Protocol

Post Office Protocol (POP) is a newer protocol that relies on SMTP for message transfer to receive e-mail. POP provides a message store that can be used to store and forward messages. If a server isn't operating, the originating server can store a message and try to resend it later. POP3, the newest version of POP, allows messages to be transferred from the waiting post office to the e-mail client. The current POP standard uses port 109 for POP2 and 110 for POP3. The POP protocol uses TCP for connections.


Internet Message Access Protocol

Internet Message Access Protocol (IMAP) is the newest player in the e-mail field, and it's rapidly becoming the most popular. Like POP, IMAP has a store-and-forward capability. However, it has much more functionality. IMAP allows messages to be stored on an e-mail server instead of being downloaded to the client. It also allows messages to be downloaded based on search criteria. Many IMAP implementations also allow connections using web browsers. The current version of IMAP (IMAP 4) uses port 143 and TCP for connections.

NOTE

S/MIME and PGP are two of the more popular methods of providing security for e-mails. These are covered in detail in Chapter 7.

3.7.3. Working with the Web

When two hosts communicate across the Web, data is returned from the host using Hypertext Markup Language (HTML). HTML is nothing more than a coding scheme to allow text and pictures to be presented in a specific way in a web browser. HTML can be created any number of ways, including via manual coding and in graphical design programs. HTML files are read, interpreted by your browser, and displayed on your system. If you want to see what HTML looks like, you can set your browser to view source code—you'll see things similar to word-processor coding for virtually every characteristic of the web page you're viewing.

Websites are collections of these pages, which are called into your browser when you click a link or scroll through the pages. Most developers want more than the ability to display pages and pages of colored text on your computer. To make creative and sophisticated websites possible, web browsers have become more complicated, as have web servers. Current browsers include audio, visuals, animations, live chats, and almost any other feature you can imagine.

Figure 3.17 illustrates some of the content that can be delivered over the Internet via a web server.

Figure 3.17. A web server providing streaming video, animation, and HTML data to a client

This ability to deliver content over the Web is accomplished in one of several ways. The most common approach involves installing applications that talk through the server to your browser. The applications require additional ports to be opened through your firewall and routers. Unfortunately, doing so inherently creates security vulnerabilities.

NOTE

Each port you leave open in your network increases your vulnerability. If you open the ports necessary to use the popular program NetMeeting, you're exposing your users to additional opportunities for attack. NetMeeting has had a number of security vulnerabilities in the past, and it will probably have more in the future.

Each of the popular web services is now offered in conjunction with web-enabled programs such as Flash and Java. These services use either a socket to communicate or a program that responds to commands through the browser. If your browser can be controlled by an application, your system is at great risk of being coerced into giving attackers information you don't want them to have. Servers are also vulnerable to this issue because they must process requests from browsers for information or data. A little research into the vulnerabilities of a proposed new service may save you a lot of time later should you become the target of an attack.

NOTE

While HTML remains popular, Extensible Markup Language (XML) is quickly becoming adopted by many. Although it's not a replacement for HTML, XML offers many capabilities that HTML does not. These include the ability to describe the information (and not just display it). By being able to describe the data, it can display it across several platforms, systems, and so forth.

The best solution for many of the vulnerabilities that exist on the Web is to implement secure web connections—the topic of our next section.

3.7.3.1. Secure Web Connections

There are two common ways to provide secure connections between a web client and a web server:


Secure Sockets Layer and Transport Layer Security

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are two common protocols used to convey information between a web client and a server. The SSL protocol uses an encryption scheme between the two systems. The client initiates the session, the server responds, indicating that encryption is needed, and then they negotiate an appropriate encryption scheme. TLS is a newer protocol that merges SSL with other protocols to provide encryption. TLS supports SSL connections for compatibility, but it also allows other encryption protocols, such as Triple DES, to be used. SSL/TLS uses port 443 and TCP for connections.


HTTP/S

HTTP Secure (HTTP/S) is a protocol that is used for secure connections between two systems that use the Web. It protects the connection, and all traffic between the two systems is encrypted. HTTP/S uses SSL or TLS for connection security, and it uses port 443 and TCP for connections.

NOTE

Don't confuse Secure HTTP (S-HTTP) with HTTP/S. S-HTTP is a different protocol that lets systems negotiate an encryption connection between each other. S-HTTP can provide some of the capabilities of HTTP/S, but it isn't as secure.

3.7.3.2. Vulnerabilities of Web Add-ins

The growth of the Web and demands from users for more features have spurred the creation of a new set of vulnerabilities that must be evaluated and managed. Increasingly, web browsers and other web-enabled technologies allow servers to send instructions to the client to provide multimedia and other capabilities. This is creating a problem for security professionals because these protocols offer potential weaknesses.

The following sections discuss the more common web-based applications, such as JavaScript and applets, and the vulnerabilities you should be aware of. These vulnerabilities can include malicious code, viruses, and exploitations.

3.7.3.2.1. ActiveX

ActiveX is a technology that was implemented by Microsoft to customize controls, icons, and other features, which increases the usability of web-enabled systems. ActiveX runs on the client. It uses a method called Authenticode for security. Authenticode is a type of certificate technology that allows ActiveX components to be validated by a server.

ActiveX components are downloaded to the client hard disk, potentially allowing additional security breaches. Web browsers can be configured so that they require confirmation to accept an ActiveX control. However, many users don't understand these confirmation messages when they appear, and they automatically accept the components. Automatically accepting an ActiveX component or control creates the opportunity for security breaches on a client system when the control is used because an ActiveX control contains programming instructions that can contain malicious code or create vulnerabilities in a system.

It's highly recommended that browsers be configured so that they do not allow ActiveX to run without prompting the user because of the potential security hole that could be opened.


3.7.3.2.2. Buffer Overflows

Buffer overflows occur when an application receives more data than it's programmed to accept. This situation can cause an application to terminate or to write data beyond the end of the allocated space. Termination may leave the system sending the data with temporary access to privileged levels in the attacked system, while overwriting can cause important data to be lost. This exploitation is usually a result of a programming error in the development of the software.

Buffer overflows, while a less common source of exploitation than in the past, still crop up.

3.7.3.2.3. Common Gateway Interface

Common Gateway Interface (CGI) is an older form of scripting that was used extensively in early web systems. CGI scripts were used to capture data from a user using simple forms. They aren't widely used in new systems and are being replaced by Java, ActiveX, and other technologies.

CGI scripts run on the web server and interact with the client browser. CGI is often frowned upon in new applications because of its security issues, but it's still widely used in older systems. Vulnerabilities in CGI are the result of its inherent ability to do what it is told. If a CGI script is written to wreak havoc (or carries extra code added to it by a miscreant) and it is executed, your systems will suffer. The best protection against any weaknesses is to not run applications written in CGI but rather to opt for those written in the newer languages where possible.

3.7.3.2.4. Cookies

Cookies are text files that a browser maintains on the user's hard disk in order to provide a persistent, customized web experience for each visit. A cookie typically contains information about the user. For example, a cookie can contain a client's history to improve customer service. If a bookstore wants to know your buying habits and what types of books you last viewed at its site, it can load this information into a cookie on your system. The next time you return to that store, the server can read your cookie and customize what it presents to you. Cookies can also be used to time-stamp a user to limit access. A financial institution may send your browser a cookie once you've authenticated. The server can read the cookie to determine when a session is expired.

Obviously, cookies are considered a risk because they have the potential to contain your personal information, which could get into the wrong hands. If security is your utmost concern, the best protection is to not allow cookies to be accepted. Almost every browser offers the option of enabling or disabling cookies. If you enable them, you can usually choose whether to accept/reject all or only those from an originating server.

3.7.3.2.5. Cross-site scripting (XSS)

Using a client-side scripting language, it is possible for a ne'er-do-well to trick a user into visiting their site and having code then execute locally. When this is done, it is known as cross-site scripting. As an example, UserA may get a message telling him that he needs to make changes to his XYZ account, but the link in the message is not really to the XYZ site (a phishing ploy). When he clicks on the link, a JavaScript routine begins to run on his machine. Since the script is running on UserA's system, it has his permissions and can begin doing such things as running malevolent routines to send/delete/alter data.

The best protection against cross-site scripting is to disable the running of scripts.

3.7.3.2.6. Input Validation

Anytime a user must supply values in a session, validation of the data entered should be done. Many vendors, however, have fallen prey to input validation vulnerabilities within their code. In some instances, empty values have been accepted, while others have allowed privilege escalation if certain backdoor passwords were used.

The best protection against input validation vulnerabilities is for developers to follow best practices and always validate all values entered. As an administrator, when you learn of an input validation vulnerability with any application on your system, you should immediately stop using it until a patch has been released and installed.
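One way a developer might validate every submitted value, shown as an added example that is not from the original text: a server-side allowlist check that rejects missing, empty, over-length, malformed and unexpected fields. The field names, patterns and length limits are hypothetical.

```python
import re

# Hypothetical form schema (assumed for this example):
# field name -> (allowlist pattern, maximum length).
SCHEMA = {
    "username": (re.compile(r"[a-z][a-z0-9_]{2,31}"), 32),
    "quantity": (re.compile(r"[1-9][0-9]{0,2}"), 3),
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), 254),
}


def validate(form):
    """Return (clean, errors); clean is populated only when every field passes."""
    errors = {}
    clean = {}

    # Reject fields the application never asked for instead of ignoring them.
    for name in form:
        if name not in SCHEMA:
            errors[name] = "unexpected field"

    for name, (pattern, max_len) in SCHEMA.items():
        value = form.get(name)
        if not isinstance(value, str) or value.strip() == "":
            # Empty and whitespace-only values are treated the same as missing ones.
            errors[name] = "missing or empty"
        elif len(value) > max_len:
            errors[name] = "too long"
        elif not pattern.fullmatch(value):
            # fullmatch() is deliberate: re.match() with a trailing "$" would
            # still accept a value that ends in a newline, such as "alice\n".
            errors[name] = "invalid characters or format"
        else:
            clean[name] = value

    return ({} if errors else clean), errors


if __name__ == "__main__":
    # Constructed submissions: one valid, one with an empty value,
    # one with a trailing newline, one with an extra field.
    base = {"username": "alice", "quantity": "3", "email": "alice@example.com"}
    for form in (base,
                 {**base, "username": ""},
                 {**base, "username": "alice\n"},
                 {**base, "role": "admin"}):
        print(validate(form))
```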

3.7.3.2.7. Java Applets

A Java applet is a small, self-contained Java script that is downloaded from a server to a client and then run from the browser. The client browser must have the ability to run Java applets in a virtual machine on the client. Java applets are used extensively in web servers today, and they're becoming one of the most popular tools used for website development.

Java-enabled applications can accept programmed instructions (Java scripts) from a server and control certain aspects of the client environment. Java requires you to download a virtual machine in order to run the Java applications or applets. Java scripts run on the client.

The applets run in a restricted area of memory called the sandbox. The sandbox limits the applet's access to user areas and system resources. An applet that runs in the sandbox is considered safe, meaning it won't attempt to gain access to sensitive system areas. Errors in the Java virtual machine that runs in the applications may allow some applets to run outside of the sandbox. When this occurs, the applet is unsafe and may perform malicious operations. Attackers on client systems have exploited this weakness. From a user's standpoint, the best defense is to make certain you run only applets from reputable sites you're familiar with. From an administrator's standpoint, you should make certain programmers adhere to programming guidelines when creating the applets.

3.7.3.2.8. JavaScript

JavaScript is a programming language that allows access to system resources of the system running a script. A JavaScript script is a self-contained program that can be run as an executable file in many environments. These scripts can interface with all aspects of an operating system, just as programming languages such as the C language can. This means that JavaScript scripts, when executed, can potentially damage systems or be used to send information to unauthorized persons. JavaScript scripts can be downloaded from a website and executed.

3.7.3.2.9. Popups

While not technically an add-in, popups (also known as pop-ups) are both frustrating and chancy. Whenever a user visits a website and another instance (either another tab or another browser window) is opened in the foreground, it is called a popup; if it opens in the background, it is called a popunder. Both popups and popunders are opening pages or sites that you did not specifically request and may only display ads or bring up applets that should be avoided.

Popup blockers are used to prevent both popups and popunders from appearing. While older browsers did not incorporate an option to block popups, most newer browsers now have that capability built in.

3.7.3.2.10. Signed Applets

Signed applets are similar to Java applets, with two key differences: A signed applet doesn't run in the Java sandbox, and it has higher system access capabilities. Signed applets aren't usually downloaded from the Internet; this type of applet is typically provided by in-house or custom-programming efforts. These applets can also include a digital signature to verify authenticity. If the applet is verified as authentic, it will be installed. Users should never download a signed applet unless they're sure the provider is trusted. A signed applet from an untrustworthy provider has the same security risks as an unsigned applet.

A vulnerability reveals itself when an applet is always assumed to be safe because it is signed. Being signed, it may have the ability to do things outside the realm of normal applets, such as execute programs. A disgruntled programmer can create a malicious signed applet and wreak havoc until stopped.


Most web browsers have settings that can be used to control Java access. This allows clients to control resource access using Java applets or scripts.

3.7.3.2.11. SMTP Relay

SMTP relay is a feature designed into many e-mail servers that allows them to forward e-mail to other e-mail servers. Initially, the SMTP relay function was intended to help bridge traffic between systems. This capability allows e-mail connections between systems across the Internet to be made easily.

Unfortunately, this feature has been used to generate a great deal of spam on the Internet. An e-mail system that allows this type of forwarding to occur is referred to as an open relay. Unscrupulous individuals can use open relays to send advertisements and other messages. SMTP relaying should be disabled on your network unless it's limited to the e-mail servers in your domain.

SMTP Relaying in Action

You've just received a call from a client indicating that their e-mail server is acting peculiarly. When you arrive at the site, you notice that there are more than 20,000 e-mails in the outbound mail folder and that the system has no disk space available. When you shut down the e-mail software, you delete these files and restart the e-mail server. You see that the outbound mail folder begins to fill up again. What problem could this server be encountering?

E-marketers may be using the server as a relay. This hijacking will continue until you disable the SMTP relay capabilities in the server. Many older systems don't allow SMTP relaying to be turned off; such servers must be upgraded or replaced to prevent this from continuing.
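The relay rule and the scenario above, as an added example that is not from the original text or from any mail server's code: a policy function that relays only for your own mail servers, plus an audit of accepted-message log lines that counts the clients being relayed in violation of that policy. The domain example.com, the 192.0.2.0/28 mail-server range and the log format are assumptions.

```python
import ipaddress
from collections import Counter

LOCAL_DOMAINS = {"example.com"}                             # assumed: domains this server hosts
MAIL_SERVER_NETS = [ipaddress.ip_network("192.0.2.0/28")]   # assumed: your own e-mail servers


def domain_of(address):
    """Return the lower-cased domain part of an address such as <user@host>."""
    return address.rpartition("@")[2].strip("<> ").lower()


def relay_decision(client_ip, rcpt_to):
    """Decide what to do with one recipient offered by one connecting client."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "deliver"              # mail for our own users is not relaying
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MAIL_SERVER_NETS):
        return "relay"                # forwarding for our own mail servers
    return "reject"                   # outside client, outside recipient: open relay


def parse_line(line):
    """Parse the key=value fields of a constructed log line."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def audit(log_lines):
    """Count accepted messages per client that the policy would have rejected."""
    offenders = Counter()
    for line in log_lines:
        fields = parse_line(line)
        if not {"client", "to"} <= fields.keys():
            continue                  # not a message-accepted record
        try:
            decision = relay_decision(fields["client"], fields["to"])
        except ValueError:
            continue                  # unparsable client address
        if decision == "reject":
            offenders[fields["client"]] += 1
    return offenders


# Constructed sample log, not taken from a real server.
SAMPLE_LOG = [
    "2024-05-01T02:00:01Z accepted client=203.0.113.7 from=promo@bulk.test to=user1@other.test",
    "2024-05-01T02:00:01Z accepted client=203.0.113.7 from=promo@bulk.test to=user2@other.test",
    "2024-05-01T02:00:02Z accepted client=198.51.100.9 from=bob@partner.test to=alice@example.com",
    "2024-05-01T02:00:03Z accepted client=192.0.2.5 from=alice@example.com to=bob@partner.test",
    "2024-05-01T02:00:04Z accepted client=203.0.113.7 from=promo@bulk.test to=alice@example.com",
]

if __name__ == "__main__":
    for client, count in audit(SAMPLE_LOG).most_common():
        print(f"{client} relayed {count} message(s) that policy should have rejected")
```

A non-empty result on a production log means the server accepted mail that was neither for a local domain nor from one of your own mail servers, which is the open-relay condition described above.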


3.7.4. Working with File Transfer Protocol

File Transfer Protocol (FTP) was the most common protocol used to transfer files between systems on the Internet for many years, and it's available on most major server environments.

The Internet has replaced many of the functions FTP served in the past. FTP is still commonly used, but it's becoming less popular as other methods of file downloading are made available. Most popular browsers allow an FTP site to be accessed as a website, and HTTP supports file transfer capabilities. A browser provides a graphical interface that users can use without having to be exposed to the command structure that FTP uses by default.

The following sections discuss FTP, its vulnerabilities, and ways to secure it.

3.7.4.1. Blind/Anonymous FTP

Early FTP servers didn't offer formal security—security was based on the honor system. In most cases, the honor system was used strictly for downloading files from an FTP server to a client; a client couldn't upload files without using a different logon ID. In some cases, the opposite situation existed, and a client could "blindly" upload files for others but could not download—or even see—any files.

Most logons to an FTP site used the anonymous logon; by convention, the logon ID was anonymous, and the password was the user's e-mail address. This honor system is still used in systems that want to allow public access to files, and it simplifies administration because only one account is used.

The cost of this implementation, however, is the risk that is taken on. In this situation, the only security offered is what is configured by the operating system.

3.7.4.2. Secure FTP

Secure FTP (S/FTP) is accomplished using a protocol called Secure Shell (SSH)—a type of tunneling protocol that allows access to remote systems in a secure manner. As discussed earlier, SSH allows connections to be secured by encrypting the session between the client and the server. SSH is available for Unix and other systems that provide capabilities similar to FTP.

3.7.4.3. Sharing Files

File sharing is accomplished by storing files at an assigned location on the server or workstation. When files are stored on a workstation, the connection is referred to as a peer-to-peer connection. The assigned location is typically a subdirectory located on one of the disk drives on the server or another workstation.

In an FTP connection, you can upload a file from a client using the PUT command. You download using the GET command. Most modern servers and applications allow an application program to access shared files at the record level. This type of sharing allows multiuser applications, such as databases, to function. Web browsers typically accept files from a web server by downloading them from the server. These downloaded files are then processed through the browser and displayed to the user.

3.7.4.4. FTP's Vulnerability

FTP has a major flaw: The user ID and password aren't encrypted and are subject to packet capture. This creates a major security breach—especially if you're connecting to an FTP server across the Internet. There is also a problem if you're allowing the use of the anonymous version of FTP: Trivial File Transfer Protocol (TFTP).

Remote File Transfers

Your organization has a large number of remote users who transfer files to your system across the Internet. These file transfers are an essential part of your business, and they must be allowed to continue. You want to provide additional security to your users so that information won't be compromised. How might you accomplish this?

You could implement SSH or other secure protocols for FTP file transfers. Doing so would allow information to be sent across the Internet in a secure manner. You may also be able to use TLS, SSL, or another secure format.

