2.3. Identifying TCP/IP Security Concerns

As a security professional, one of your biggest problems is working with TCP/IP. You could say that the ease of connectivity TCP/IP offers is one of the most significant difficulties we face. Virtually all large networks, including the Internet, are built on the TCP/IP protocol suite. It has become an international standard.

TCP/IP was designed to connect disparate computer systems into a robust and reliable network. It offers a richness of capabilities and support for many different protocols. After TCP/IP has been installed, it will generally operate reliably for years.

Responding to an Attack

As a security administrator, you know all about the different types of attacks that can occur, and you're familiar with the value assigned to the data on your system. Now imagine that the log files indicate that an intruder entered your system for a lengthy period last week while you were away on vacation.

The first thing you should do is make a list of questions you should begin asking to deal with the situation, using your network as a frame of reference. The following list includes some of the questions you should be thinking of:

  1. How can you show that a break-in really occurred?

  2. How can you determine the extent of what was done during the entry?

  3. How can you prevent further entry?

  4. Whom should you inform in your organization?

  5. What should you do next?

Answers to these questions will be addressed throughout this book. The most important question on the list, though, is whom you should inform in your organization. It's important to know the escalation procedures without hesitation and be able to act quickly.


TCP/IP has been a salvation for organizations that need to connect different systems together to function as a unified whole. Unfortunately, a downside that comes with being an easy-to-use, well-documented network that has been around for many years is numerous holes. You can easily close most of these holes in your network, but you must first know about them.

NOTE

You need to have a good understanding of the processes TCP/IP uses in order to know how attacks on TCP/IP work. The emphasis in this section is on the types of connections and services. If you're weak in those areas, you'll do well to supplement your study with basic networking information that can be found on the Web.

The following sections delve into issues related to TCP/IP and security. Many of these issues will be familiar to you if you've taken the Network+ or Server+ exam from CompTIA. If there are any gaps in your knowledge of the topics, however, be sure to read the sections carefully.

2.3.1. Working with the TCP/IP Suite

The TCP/IP suite is broken into four architectural layers:

  • Application layer

  • Host-to-Host or Transport layer

  • Internet layer

  • Network Interface layer

Computers using TCP/IP use the existing physical connection between the systems. TCP/IP doesn't concern itself with the network topology, or physical connections. The network controller that resides in a computer or host deals with the physical protocol, or topology. TCP/IP communicates with that controller and lets the controller worry about the network topology and physical connection.

In TCP/IP parlance, a computer on the network is a host. A host is any device connected to the network that runs a TCP/IP protocol suite, or stack. Figure 2.6 shows the four layers in a TCP/IP protocol stack. Notice that this drawing includes the physical, or network, topology. Although it isn't part of the TCP/IP protocol, the topology is essential to conveying information on a network.

Figure 2.6. The TCP/IP protocol architecture layers

The four layers of TCP/IP have unique functions and methods for accomplishing work. Each layer talks to the layers that reside above and below it. Each layer also has its own rules and capabilities.

The following sections discuss the specific layers of the TCP/IP protocol as well as the common protocols used in the stack and how information is conveyed between the layers. I also discuss some of the more common methods used to attack TCP/IP-based networks. Finally, I briefly discuss encapsulation, the process used to pass messages between the layers in the TCP/IP protocol.

2.3.1.1. The Application Layer

The Application layer is the highest layer of the suite. It allows applications to access services or protocols to exchange data. Most programs, such as web browsers, interface with TCP/IP at this level. The most commonly used Application layer protocols are as follows:


Hypertext Transfer Protocol

Hypertext Transfer Protocol (HTTP) is the protocol used for web pages and the World Wide Web. HTTP applications use a standard language called Hypertext Markup Language (HTML). HTML files are normal text files that contain special coding that allows graphics, special fonts, and characters to be displayed by a web browser or other web-enabled applications.


File Transfer Protocol

File Transfer Protocol (FTP) is an application that allows connections to FTP servers for file uploads and downloads. FTP is a common application used to transfer files between hosts on the Internet.


Simple Mail Transfer Protocol

Simple Mail Transfer Protocol (SMTP) is the standard protocol for e-mail communications. SMTP allows e-mail clients and servers to communicate with each other for message delivery.


Telnet

Telnet is an interactive terminal emulation protocol. It allows a remote user to conduct an interactive session with a Telnet server. This session can appear to the client as if it were a local session.


Domain Name Service

Domain Name Service (DNS) allows hosts to resolve hostnames to an Internet Protocol (IP) address. IP is discussed in the section on the Internet layer.


Routing Information Protocol

Routing Information Protocol (RIP) allows routing information to be exchanged between routers on an IP network.


Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is a management tool that allows communications between network devices and a management console. Most routers, bridges, and intelligent hubs can communicate using SNMP.


Post Office Protocol

Post Office Protocol (POP) is a protocol used in many e-mail systems. It allows for advanced features and is a standard interface in many e-mail servers. POP is used for receiving e-mail.

NOTE

One of the key things to know when securing any network is that you should be running only the protocols needed for operations. Make certain that antiquated protocols (those once needed but now no longer used) are removed. If you do not, you are leaving an opening for an attacker to access your system through weaknesses in that protocol.

2.3.1.2. The Host-to-Host or Transport Layer

The Host-to-Host layer, also called the Transport layer, provides the Application layer with session and datagram communications services. The TCP and User Datagram Protocol (UDP) operate at this layer. These two protocols provide a huge part of the functionality of the TCP/IP network:


TCP

TCP is responsible for providing a reliable one-to-one, connection-oriented session. TCP establishes a connection and ensures that the other end receives any packets. Two hosts communicate packet results to each other. TCP also makes sure that packets are decoded and sequenced properly. This connection is persistent during the session. When the session ends, the connection is broken.


UDP

UDP provides an unreliable, connectionless communication method between hosts. UDP is considered a best-effort protocol, but it's considerably faster than TCP. UDP doesn't establish a synchronized session like the kind used in TCP, and it doesn't guarantee error-free communications. The primary purpose of UDP is to send small packets of information. The application is responsible for acknowledging the correct reception of the data.

2.3.1.3. The Internet Layer

The Internet layer is responsible for routing, IP addressing, and packaging. The Internet layer protocols accomplish most of the behind-the-scenes work in establishing the ability to exchange information between hosts. Here are the four standard protocols of the Internet layer:


Internet Protocol

Internet Protocol (IP) is a routable protocol, and it's responsible for IP addressing. IP also fragments and reassembles message packets. IP only routes information; it doesn't verify it for accuracy. Accuracy checking is the responsibility of TCP. IP determines if a destination is known and, if so, routes the information to that destination. If the destination is unknown, IP sends the packet to the router, which sends it on.


Address Resolution Protocol

Address Resolution Protocol (ARP) is responsible for resolving IP addresses to Network Interface layer addresses, including hardware addresses. ARP can resolve an IP address to a Media Access Control (MAC) address. MAC addresses are used to identify hardware network devices such as a network interface card (NIC).

NOTE

You'll notice the acronym MAC used a lot. It's also used to identify Mandatory Access Control, which defines how access control operates in an authentication model. You'll also see MAC used in cryptography, where it stands for Message Authentication Code. This MAC verifies that an algorithm is accurate.


Internet Control Message Protocol

Internet Control Message Protocol (ICMP) provides maintenance and reporting functions. It's used by the Ping program. When a user wants to test connectivity to another host, they can enter the PING command with the IP address, and the user's system will test connectivity to the other host's system. If connectivity is good, ICMP will return data to the originating host. ICMP will also report if a destination is unreachable. Routers and other network devices report path information between hosts with ICMP.


Internet Group Management Protocol

Internet Group Management Protocol (IGMP) is responsible primarily for managing IP multicast groups. IP multicasts can send messages or packets to a specified group of hosts. This is different from a broadcast, which all users in a network receive.

2.3.1.4. The Network Interface Layer

The lowest level of the TCP/IP suite is the Network Interface layer. This layer is responsible for placing and removing packets on the physical network through communications with the network adapters in the host. This process allows TCP/IP to work with virtually any type of network topology or technology with little modification. If a new physical network topology were installed—say, a 10GB Fiber Ethernet connection—TCP/IP would only need to know how to communicate with the network controller in order to function properly. TCP/IP can also communicate with more than one network topology simultaneously. This allows the protocol to be used in virtually any environment.

2.3.2. Understanding Encapsulation

One of the key points in understanding this layering process is the concept of encapsulation. Encapsulation allows a transport protocol to be sent across the network and utilized by the equivalent service or protocol at the receiving host. Figure 2.7 shows how e-mail is encapsulated as it moves from the application protocols through the transport and Internet protocols. Each layer adds header information as the e-mail moves down the layers.

Transmission of the packet between the two hosts occurs through the physical connection in the network adapter. Figure 2.8 illustrates this process between two hosts. What's shown in the figure isn't comprehensive but illustrates the process of message transmission.

After it is encapsulated, the message is sent to the server. Notice that in Figure 2.8 the message is sent via the Internet; it could have just as easily been sent locally. The e-mail client doesn't know how the message is delivered, and the server application doesn't care how the message got there. This makes designing and implementing services such as e-mail possible in a global or Internet environment.

Figure 2.7. The encapsulation process of an e-mail message

Figure 2.8. An e-mail message that an e-mail client sent to an e-mail server across the Internet

2.3.3. Working with Protocols and Services

It's imperative that you have a basic understanding of protocols and services to pass this exam. Although it isn't a requirement, CompTIA recommends that you already hold the Network+ certification before undertaking this exam. In case you're weak in some areas, the following sections will discuss in more detail how TCP/IP hosts communicate with each other. I'll discuss the concepts of ports, handshakes, and application interfaces. The objective isn't to make you an expert on this subject, but to help you understand what you're dealing with when attempting to secure a TCP/IP network.

2.3.3.1. Well-Known Ports

Simply stated, ports identify how a communication process occurs. Ports are special addresses that allow communication between hosts. A port number is added from the originator, indicating which port to communicate with on a server. If a server has this port defined and available for use, it will send back a message accepting the request. If the port isn't valid, the server will refuse the connection. The Internet Assigned Numbers Authority (IANA) has defined a list of ports called well-known ports.

NOTE

You can see the full description of the ports defined by IANA on the following website: www.iana.org. Many thousands of ports are available for use by servers and clients.

A port is nothing more than a bit of additional information added to either the TCP or UDP message. This information is added in the header of the packet. The layer below it encapsulates the message with its header.

Many of the services you'll use in the normal course of utilizing the Internet use the TCP port numbers identified in Table 2.1. Table 2.2 identifies some of the more common, well-known UDP ports.

Table 2.1. Well-Known TCP Ports

  TCP Port Number   Service
  20                FTP (data channel)
  21                FTP (control channel)
  22                SSH
  23                Telnet
  25                SMTP
  49                TACACS authentication service
  80                HTTP (used for the World Wide Web)
  110               POP3
  119               NNTP
  139               NetBIOS session service
  143               IMAP
  389               LDAP
  443               HTTPS (used for secure web connections)

Table 2.2. Well-Known UDP Ports

  UDP Port Number   Service
  53                DNS name queries
  69                Trivial File Transfer Protocol (TFTP)
  137               NetBIOS name service
  138               NetBIOS datagram service
  161               SNMP
  162               SNMP trap

The early documentation for these ports specified that ports below 1024 were restricted to administrative uses. However, enforcement of this restriction has been voluntary and is creating problems for computer security professionals. As you can see, each of these ports potentially requires different security considerations, depending on the application they're assigned for. All the ports allow access to your network; even if you establish a firewall, you must have these ports open if you want to provide e-mail or web services.
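As an added example (not code from the book), the following Python walks a message down the stack the way Figure 2.7 describes, wrapping application data in a TCP or UDP header and then an IPv4 header, and walks it back up at the receiver, verifying the IPv4 header checksum and naming the destination service from Tables 2.1 and 2.2. The addresses and the SMTP command are constructed sample values, and the Network Interface layer framing below IP is left out.

```python
import struct

# Well-known ports taken from Table 2.1 (TCP) and Table 2.2 (UDP) in the text.
TCP_SERVICES = {20: "FTP (data channel)", 21: "FTP (control channel)", 22: "SSH",
                23: "Telnet", 25: "SMTP", 49: "TACACS", 80: "HTTP", 110: "POP3",
                119: "NNTP", 139: "NetBIOS session service", 143: "IMAP",
                389: "LDAP", 443: "HTTPS"}
UDP_SERVICES = {53: "DNS", 69: "TFTP", 137: "NetBIOS name service",
                138: "NetBIOS datagram service", 161: "SNMP", 162: "SNMP trap"}

PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words; the IPv4 header carries this value."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    # 20-byte header with no options: data offset = 5 32-bit words.
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (5 << 12) | flags, window, 0, 0)

def udp_header(src_port, dst_port, payload_len):
    # UDP length covers header + data; a zero checksum is legal over IPv4.
    return struct.pack("!HHHH", src_port, dst_port, 8 + payload_len, 0)

def ipv4_header(src_ip, dst_ip, proto, payload_len, ident=0x1234, ttl=64):
    fields = (0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
              ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    draft = struct.pack("!BBHHHBBH4s4s", *fields)   # checksum field still 0
    csum = ones_complement_sum(draft)
    return draft[:10] + struct.pack("!H", csum) + draft[12:]

def header_intact(packet: bytes) -> bool:
    """True when the IPv4 header checksum verifies (the folded sum comes out 0)."""
    ihl = (packet[0] & 0x0F) * 4
    return ones_complement_sum(packet[:ihl]) == 0

def encapsulate(src_ip, dst_ip, src_port, dst_port, app_data, transport="tcp",
                seq=1000, ack=0, flags=TCP_PSH | TCP_ACK):
    """Application data -> Transport header -> Internet header (Figure 2.7, downward)."""
    if transport == "tcp":
        segment = tcp_header(src_port, dst_port, seq, ack, flags) + app_data
        return ipv4_header(src_ip, dst_ip, PROTO_TCP, len(segment)) + segment
    datagram = udp_header(src_port, dst_port, len(app_data)) + app_data
    return ipv4_header(src_ip, dst_ip, PROTO_UDP, len(datagram)) + datagram

def decapsulate(packet: bytes) -> dict:
    """Peel the headers off in the receiver's order and name the service by port."""
    (ver_ihl, _, total_len, _, _, ttl, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if (ver_ihl >> 4) != 4 or not header_intact(packet):
        raise ValueError("not IPv4 or header checksum mismatch")
    body = packet[(ver_ihl & 0x0F) * 4:total_len]
    result = {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "ttl": ttl}
    if proto == PROTO_TCP:
        sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", body[:20])
        data_off = (off_flags >> 12) * 4
        result.update(proto="TCP", src_port=sport, dst_port=dport, seq=seq, ack=ack,
                      flags=off_flags & 0x1FF, window=window, payload=body[data_off:],
                      service=TCP_SERVICES.get(dport, "unregistered"))
    elif proto == PROTO_UDP:
        sport, dport, length, _ = struct.unpack("!HHHH", body[:8])
        result.update(proto="UDP", src_port=sport, dst_port=dport, payload=body[8:length],
                      service=UDP_SERVICES.get(dport, "unregistered"))
    else:
        result.update(proto=str(proto), payload=body)
    return result

if __name__ == "__main__":
    # Constructed sample: an SMTP command from a mail client to a mail server.
    pkt = encapsulate("192.0.2.10", "198.51.100.25", 51000, 25, b"EHLO client.example\r\n")
    print(decapsulate(pkt))
```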

2.3.3.2. TCP Three-Way Handshake

TCP, which is a connection-oriented protocol, establishes a session using a three-way handshake. A host called a client originates this connection. The client sends a TCP segment, or message, to the server. This client segment includes an Initial Sequence Number (ISN) for the connection and a window size. The server responds with a TCP segment that contains its ISN and a value indicating its buffer, or window size. The client then sends back an acknowledgment of the server's sequence number.

Figure 2.9 shows this three-way handshake occurring between a client and a server. When the session or connection is over, a similar process occurs to close the connection.

A web request uses the TCP connection process to establish the connection between the client and the server. After this occurs, the two systems communicate with each other; the server uses TCP port 80. The same thing occurs when an e-mail connection is made, with the difference being that the client (assuming it's using POP3) uses port 110.

Figure 2.9. The TCP connection process

In this way, a server can handle many requests simultaneously. Each session has a different sequence number even though all sessions use the same port. All the communications in any given session use this sequence number to keep the sessions from becoming confused.

2.3.3.3. Application Programming Interface

Interfacing to TCP/IP is much simpler than interfacing to earlier network models. A well-defined and well-established set of Application Programming Interfaces (APIs) is available from most software companies. APIs allow programmers to create interfaces to the protocol. When a programmer needs to create a web-enabled application, they can call or use one of these APIs to make the connection, send or receive data, and end the connection. The APIs are prewritten, and they make the job considerably easier than manually coding all of the connection information.

Microsoft uses an API called a Windows socket (WinSock) to interface to the protocol. It can access either TCP or UDP protocols to accomplish the needed task. Figure 2.10 illustrates how the Windows socket connects to the TCP/IP protocol suite.

Figure 2.10. The Windows socket interface

2.3.4. Recognizing TCP/IP Attacks

Attacks on TCP/IP usually occur at the host-to-host or Internet layer, although any layer is potentially vulnerable. TCP/IP is susceptible to attacks from both outside and inside an organization.

The opportunities for external attacks are somewhat limited by the devices in the network, including the router. The router blocks many of the protocols from exposure to the Internet. Some protocols, such as ARP, aren't routable and aren't generally vulnerable to outside attacks. Other protocols, such as SMTP and ICMP, pass through the router and form a normal part of Internet and TCP/IP traffic. TCP, UDP, and IP are all vulnerable to attack.

Your network is easily exposed to inside attacks. Any network-enabled host has access to the full array of protocols used in the network. A computer with a network card has the ability to act as a network sniffer with the proper configuration and software.

The following sections introduce you to the specific attacks that a TCP/IP-based network is susceptible to when off-the-shelf software or shareware is used.

2.3.4.1. Sniffing the Network

A network sniffer, or scanner, is a device that captures and displays network traffic. Your existing computers have the ability to operate as sniffers. Network cards usually only pass information up to the protocol stack if the information is intended for the computer on which they're installed; any network traffic not intended for that computer is ignored. Most NICs can be placed into what is called promiscuous mode, which allows the NIC to capture all information that it sees on the network. Devices such as routers, bridges, and switches are used to separate or segment networks within a larger network (known as virtual LANs, or VLANs). Any traffic in a particular segment is visible to all stations in that segment.

Adding a network sniffer such as the one included by Microsoft in its Systems Management Server (SMS) package allows any computer to function as a network sniffer. This software is widely available and is very capable. A number of public domain or shareware sniffers are also available online, such as Wireshark (http://www.wireshark.org).

By using a sniffer, an internal attacker can capture all the information transported by the network. Many advanced sniffers can reassemble packets and create entire messages, including user IDs and passwords. This vulnerability is particularly acute in environments where network connections are easily accessible to outsiders. For example, an attacker could put a laptop or a portable computer in your wiring closet and attach it to your network.

2.3.4.2. Scanning Ports

A TCP/IP network makes many of the ports available to outside users through the router. These ports respond in a predictable manner when queried. For example, TCP attempts synchronization when a session initiation occurs. An attacker can systematically query your network to determine which services and ports are open. This process is called port scanning, and it is part of fingerprinting a network; it can reveal a great deal about your systems. Port scans are possible both internally and externally. Many routers, unless configured appropriately, will let all protocols pass through them.

Port scans help in identifying what services are running on a network.


Individual systems within a network might also have applications and services running that the owner doesn't know about. These services could potentially allow an internal attacker to gain access to information by connecting to the port associated with those services. Many Microsoft Internet Information Server (IIS) users don't realize the weak security that this product offers. If they didn't install all of the security patches when they installed IIS on their desktops, attackers can exploit the weaknesses of IIS and gain access to information. This has been done in many cases without the knowledge of the owner. These attacks might not technically be considered TCP/IP attacks, but they are, because the inherent trust of TCP is used to facilitate them.

After they know the IP addresses of your systems, external attackers can attempt to communicate with the ports open in your network, sometimes simply by using Telnet.

NOTE

To check whether a system has a particular protocol or port available, all you have to do is use the telnet command and add the port number. For example, you can check to see if a particular server is running an e-mail server program by entering telnet www.youreintrouble.com 25. This initiates a Telnet connection to the server on port 25. If the server is running SMTP, it will immediately respond with logon information. It doesn't take much to figure out how to talk to SMTP; the interface is well documented. If an e-mail account didn't have a password, this system is now vulnerable to attack.

This process of port scanning can be expanded to develop a footprint of your organization. If your attacker has a single IP address of a system in your network, they can probe all the addresses in the range and probably determine what other systems and protocols your network is utilizing. This allows the attacker to gain knowledge about the internal structure of your network.

NOTE

A study done by the University of Maryland's A. James Clark School of Engineering found that 38 percent of attacks were preceded by vulnerability scans. The combination of port scans with vulnerability scans created a lethal combination that often led to an attack.

In addition to scanning, network mapping lets you see a visual picture of everything that is available. The most well-known network mapper is nmap, which can run on all operating systems and is found at http://nmap.org/.
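The probing described above, seen from the defender's side, as an added example that is not part of the book: a sliding-window check over firewall log lines flags one source touching many ports on a single host (a port scan) or the same port across many hosts (the address-range sweep the text describes). The log format and all addresses are constructed for this example and match no particular vendor.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example, not any real firewall's output.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$")

SAMPLE_LOG = """\
2024-03-01T10:00:00Z src=203.0.113.5 dst=192.0.2.10 dport=21 proto=TCP action=DENY
2024-03-01T10:00:01Z src=203.0.113.5 dst=192.0.2.10 dport=22 proto=TCP action=ALLOW
2024-03-01T10:00:02Z src=203.0.113.5 dst=192.0.2.10 dport=23 proto=TCP action=DENY
2024-03-01T10:00:03Z src=203.0.113.5 dst=192.0.2.10 dport=25 proto=TCP action=ALLOW
2024-03-01T10:00:04Z src=203.0.113.5 dst=192.0.2.10 dport=80 proto=TCP action=ALLOW
2024-03-01T10:00:05Z src=192.0.2.50 dst=192.0.2.10 dport=443 proto=TCP action=ALLOW
2024-03-01T10:00:20Z src=198.51.100.7 dst=192.0.2.1 dport=139 proto=TCP action=DENY
2024-03-01T10:00:21Z src=198.51.100.7 dst=192.0.2.2 dport=139 proto=TCP action=DENY
2024-03-01T10:00:22Z src=198.51.100.7 dst=192.0.2.3 dport=139 proto=TCP action=DENY
2024-03-01T10:00:23Z src=198.51.100.7 dst=192.0.2.4 dport=139 proto=TCP action=DENY
2024-03-01T10:00:24Z src=198.51.100.7 dst=192.0.2.5 dport=139 proto=TCP action=DENY
2024-03-01T10:05:00Z src=192.0.2.50 dst=192.0.2.10 dport=443 proto=TCP action=ALLOW
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed line, or None so junk lines are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["dport"] = int(e["dport"])
    return e


def detect_scans(lines, window_seconds=60, threshold=5):
    """One alert per source whose traffic inside any sliding window looks like a scan.

    'vertical scan': one source probes >= threshold distinct ports on one host.
    'sweep': one source probes one port on >= threshold distinct hosts.
    Both ALLOW and DENY lines count: a scanner learns from either answer.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    window = timedelta(seconds=window_seconds)
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window
                start += 1
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for e in evs[start:end + 1]:
                ports_per_host[e["dst"]].add(e["dport"])
                hosts_per_port[e["dport"]].add(e["dst"])
            hit = None
            for dst, ports in ports_per_host.items():
                if len(ports) >= threshold:
                    hit = {"kind": "vertical scan", "dst": dst, "ports": sorted(ports)}
            for dport, hosts in hosts_per_port.items():
                if hit is None and len(hosts) >= threshold:
                    hit = {"kind": "sweep", "dport": dport, "hosts": sorted(hosts)}
            if hit:
                alerts.append({"src": src, "first_seen": evs[start]["ts"].isoformat(), **hit})
                break                      # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```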

2.3.4.3. TCP Attacks

TCP operates using synchronized connections. The synchronization is vulnerable to attack; this is probably the most common attack used today. As you may recall, the synchronization, or handshake, process initiates a TCP connection. This handshake is particularly vulnerable to a DoS attack referred to as a TCP SYN flood attack. The protocol is also susceptible to access and modification attacks, which are briefly explained in the following sections.

2.3.4.3.1. TCP SYN or TCP ACK Flood Attack

The TCP SYN flood, also referred to as the TCP ACK attack, is common. The purpose is to deny service. The attack begins as a normal TCP connection: The client and server exchange information in TCP packets. Figure 2.11 illustrates how this attack occurs. Notice that the TCP client continues to send ACK packets to the server. The ACK packets tell the server that a connection is requested. The server responds with an ACK packet to the client. The client is supposed to respond with another packet accepting the connection, and a session is established.

Figure 2.11. TCP SYN flood attack

In this attack, the client continually sends and receives the ACK packets but doesn't open the session. The server holds these sessions open, awaiting the final packet in the sequence. This causes the server to fill up the available sessions and deny other clients the ability to access the resources.

This attack is virtually unstoppable in most environments without working with upstream providers. Many newer routers can track and attempt to prevent this attack by setting limits on the length of an initial session to force sessions that don't complete to close out. This type of attack can also be undetectable. An attacker can use an invalid IP address, and TCP won't care because TCP will respond to any valid request presented from the IP layer.
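The handshake of Figure 2.9 and the half-open-connection exhaustion of Figure 2.11, as an added Python model that is not from the book: a server object tracks connections still waiting for the client's final segment, caps that table with a backlog, and expires stale entries after a timeout, which is the "limit on the length of an initial session" mitigation described above. The addresses, ISNs, backlog size and timeout are constructed values.

```python
import random
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
MASK32 = 0xFFFFFFFF


@dataclass
class Segment:
    """The handful of TCP header fields the handshake actually uses."""
    src: str            # client endpoint as "ip:port" (constructed labels)
    flags: int
    seq: int
    ack: int = 0
    window: int = 65535


class HandshakeServer:
    """Server side of the three-way handshake for one listening port.

    half_open holds connections whose SYN-ACK is awaiting the client's final ACK,
    the state a SYN flood tries to exhaust.  backlog caps that table and
    syn_timeout expires stale entries, forcing sessions that never complete to
    close out.
    """

    def __init__(self, backlog=4, syn_timeout=5.0, isn_source=None):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = {}      # src -> (server_isn, client_isn, time_syn_seen)
        self.established = {}    # src -> (server_isn, client_isn)
        self.dropped = 0         # SYNs refused because the backlog was full
        self._isn = isn_source or (lambda: random.getrandbits(32))

    def expire(self, now):
        """Drop half-open entries older than syn_timeout; return how many."""
        stale = [s for s, (_, _, t) in self.half_open.items() if now - t > self.syn_timeout]
        for s in stale:
            del self.half_open[s]
        return len(stale)

    def receive(self, seg, now):
        """Handle one client segment; return the server's reply Segment or None."""
        self.expire(now)
        if seg.flags == SYN:
            if seg.src in self.half_open:              # retransmitted SYN: repeat SYN-ACK
                isn, client_isn, _ = self.half_open[seg.src]
            elif len(self.half_open) >= self.backlog:
                self.dropped += 1
                return None
            else:
                isn, client_isn = self._isn(), seg.seq
                self.half_open[seg.src] = (isn, client_isn, now)
            # Step 2: the server's ISN plus an acknowledgment of the client's ISN.
            return Segment("server", SYN | ACK, seq=isn, ack=(client_isn + 1) & MASK32)
        if seg.flags == ACK and seg.src in self.half_open:
            isn, client_isn, _ = self.half_open[seg.src]
            # Step 3 must acknowledge our ISN + 1 and carry the client's ISN + 1.
            if seg.ack == (isn + 1) & MASK32 and seg.seq == (client_isn + 1) & MASK32:
                del self.half_open[seg.src]
                self.established[seg.src] = (isn, client_isn)
        return None


def client_handshake(server, src, client_isn, now):
    """Run a complete, well-behaved handshake; True if the session was established."""
    syn_ack = server.receive(Segment(src, SYN, seq=client_isn), now)            # step 1
    if syn_ack is None or syn_ack.ack != (client_isn + 1) & MASK32:
        return False
    server.receive(Segment(src, ACK, seq=client_isn + 1, ack=syn_ack.seq + 1), now)  # step 3
    return src in server.established


def syn_flood_scenario(attackers=10, backlog=4, syn_timeout=5.0):
    """Constructed scenario: SYNs that never complete, then a real client before
    and after the timeout has cleared the half-open table."""
    counter = iter(range(1, 1 << 20))
    server = HandshakeServer(backlog, syn_timeout, isn_source=lambda: next(counter))
    for i in range(attackers):
        server.receive(Segment(f"10.0.0.{i + 1}:40000", SYN, seq=100 + i), now=0.0)
    during = {"half_open": len(server.half_open), "dropped": server.dropped}
    during["legit_ok"] = client_handshake(server, "192.0.2.10:51000", 5000, now=1.0)
    after_ok = client_handshake(server, "192.0.2.10:51000", 5000, now=syn_timeout + 5.0)
    return during, after_ok


if __name__ == "__main__":
    print(syn_flood_scenario())
```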

2.3.4.3.2. TCP Sequence Number Attack

TCP sequence number attacks occur when an attacker takes control of one end of a TCP session. This attack is successful when the attacker kicks the attacked end off the network for the duration of the session. Each time a TCP message is sent, either the client or the server generates a sequence number. In a TCP sequence number attack, the attacker intercepts and then responds with a sequence number similar to the one used in the original session. This attack can either disrupt or hijack a valid session. If a valid sequence number is guessed, attackers can place themselves between the client and server. Figure 2.12 illustrates a sequence number attack in process against a server. In this example, the attacker guesses the sequence number and replaces a real system with one of their own.

In this case, the attacker effectively hijacks the session and gains access to the session privileges of the victim's system. The victim's system may get an error message indicating that it has been disconnected, or it may reestablish a new session. In this case, the attacker gains the connection and access to the data from the legitimate system. The attacker then has access to the privileges established by the session when it was created.

Figure 2.12. TCP sequence number attack

This weakness is again inherent in the TCP protocol, and little can be done to prevent it. Your major defense against this type of attack is knowing that it's occurring. Such an attack is also frequently a precursor to a targeted attack on a server or network.

2.3.4.3.3. TCP/IP Hijacking

TCP/IP hijacking, also called active sniffing, involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system. The server won't know this has occurred and will respond as if the client is trusted. Figure 2.13 shows how TCP/IP hijacking occurs. In this example, the attacker forces the server to accept its IP address as valid.

TCP/IP hijacking presents the greatest danger to a network because the hijacker will probably acquire privileges and access to all the information on the server. As with a sequence number attack, there is little you can do to counter the threat. Fortunately, these attacks require fairly sophisticated software and are harder to engineer than a DoS attack such as a TCP SYN attack.

Figure 2.13. TCP/IP hijacking attack

2.3.4.4. UDP Attacks

A UDP attack targets either a maintenance protocol or a UDP service in order to overload services and initiate a DoS situation. UDP attacks can also exploit weaknesses in UDP-based protocols.

NOTE

One of the most popular UDP attacks is the ping of death discussed earlier in the section "Identifying Denial-of-Service and Distributed Denial-of-Service Attacks."

UDP packets aren't connection oriented and don't require the synchronization process described in the previous section. UDP packets, however, are susceptible to interception, and UDP can be attacked. UDP, like TCP, doesn't check the validity of IP addresses. The nature of this layer is to trust the layer below it, the IP layer.

The most common UDP attacks involve UDP flooding. UDP flooding overloads services, networks, and servers. Large streams of UDP packets are focused at a target, causing the UDP services on that host to shut down. UDP floods also overload the network bandwidth and cause a DoS situation to occur.


ICMP Attacks

ICMP attacks occur by triggering a response from the ICMP protocol to a seemingly legitimate maintenance request. From earlier discussions, you'll recall that ICMP is often associated with echoing.

ICMP supports maintenance and reporting in a TCP/IP network. It is part of the IP level of the protocol suite. Several programs, including Ping, use the ICMP protocol. Until fairly recently, ICMP was regarded as a benign protocol that was incapable of much damage. However, it has now joined the ranks of protocols used in common attack methods for DoS attacks. Two primary methods use ICMP to disrupt systems: smurf attacks and ICMP tunneling.


Smurf Attacks

Smurf attacks can create havoc in a network. A smurf attack uses IP spoofing and broadcasting to send a ping to a group of hosts in a network. An ICMP ping request (type 8) is answered with an ICMP ping reply (type 0) if the targeted system is up; otherwise, an unreachable message is returned. If a broadcast is sent to a network, all of the hosts will answer back to the ping. The result is an overload of the network and the target system.

Figure 2.14 shows a smurf attack under way in a network. The attacker sends a broadcast message with a legal IP address. In this case, the attacking system sends a ping request to the broadcast address of the network. The request is sent to all the machines in a large network. The reply is then sent to the machine identified with the ICMP request (the spoof is complete). The result is a DoS attack that consumes the network bandwidth of the replying system, while the victim system deals with the flood of ICMP traffic it receives.

The primary method of eliminating smurf attacks involves prohibiting ICMP traffic through a router. If the router blocks ICMP traffic, smurf attacks from an external attacker aren't possible.

Figure 2.14. A smurf attack under way against a network
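Both roles in the smurf pattern of Figure 2.14 expressed as detection logic, together with the router policy of refusing ICMP from outside and never forwarding to a directed-broadcast address, in an added Python example that is not from the book. The subnets, addresses and ICMP records are constructed for the example.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Subnets this site owns (constructed); their broadcast addresses are what a
# smurf attack aims at to get every host on the segment to answer.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/25")]
INTERNAL_BROADCASTS = {n.broadcast_address for n in INTERNAL_NETS}


def border_permits(src, dst, icmp_type, inbound):
    """Router policy from the text: drop ICMP arriving from outside (inbound=True,
    icmp_type set) and never forward anything aimed at one of our broadcast addresses.
    icmp_type is None for non-ICMP packets."""
    if ipaddress.ip_address(dst) in INTERNAL_BROADCASTS:
        return False
    if inbound and icmp_type is not None:
        return False
    return True


def analyze_icmp(records, reply_threshold=5):
    """records: (src, dst, icmp_type) tuples as seen inside the network.

    Reports the amplifier side (an echo request to a directed-broadcast address)
    and the victim side (a host receiving echo replies it never asked for, from
    at least reply_threshold distinct responders).
    """
    requests_sent = defaultdict(set)   # src -> destinations it actually pinged
    replies_to = defaultdict(set)      # dst -> hosts that sent it a reply
    findings = []
    for src, dst, icmp_type in records:
        if icmp_type == ECHO_REQUEST:
            requests_sent[src].add(dst)
            if ipaddress.ip_address(dst) in INTERNAL_BROADCASTS:
                findings.append({"finding": "echo request to directed broadcast",
                                 "claimed_src": src, "broadcast": dst})
        elif icmp_type == ECHO_REPLY:
            replies_to[dst].add(src)
    for victim, responders in replies_to.items():
        unsolicited = {r for r in responders if r not in requests_sent.get(victim, set())}
        if len(unsolicited) >= reply_threshold:
            findings.append({"finding": "unsolicited echo-reply storm",
                             "victim": victim, "responders": len(unsolicited)})
    return findings


# Constructed traffic: one spoofed broadcast ping that claims to come from the
# victim 192.0.2.10, the six replies it provokes, and one ordinary ping exchange.
SAMPLE_RECORDS = (
    [("192.0.2.10", "192.0.2.255", ECHO_REQUEST)]
    + [(f"192.0.2.{i}", "192.0.2.10", ECHO_REPLY) for i in range(1, 7)]
    + [("192.0.2.20", "192.0.2.30", ECHO_REQUEST), ("192.0.2.30", "192.0.2.20", ECHO_REPLY)]
)


def blocked_at_border(records, inbound=True):
    """How many of the records the border policy would have refused."""
    return sum(1 for src, dst, t in records if not border_permits(src, dst, t, inbound))


if __name__ == "__main__":
    for f in analyze_icmp(SAMPLE_RECORDS):
        print(f)
    print("refused at border if all arrived from outside:", blocked_at_border(SAMPLE_RECORDS))
```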


ICMP Tunneling

ICMP messages can contain data about timing and routes. A packet can be used to hold information that is different from the intended information. This allows an ICMP packet to be used as a communications channel between two systems. The channel can be used to send a Trojan horse or other malicious packet. This is a relatively new opportunity to create havoc and mischief in networks.

The countermeasure for ICMP attacks is to deny ICMP traffic through your network. You can disable ICMP traffic in most routers, and you should consider doing so in your network.

Many of the newer SOHO router solutions (and some of the personal firewall solutions on end-user workstations) close down the ICMP ports by default. Keep this in mind, as it can drive you nuts when you are trying to see if a brand-new station/server/router is up and running.

