MODULE 17

Hardening Host Network Services


In the previous module, we looked at protecting a host from various threats through hardening its operating system and applications via patching, secure configuration settings, and other methods. These methods go a long way toward stopping threats that might materialize on a host, but remember that hosts don’t live in an insulated world. They are connected to other hosts and the Internet via networks, and they require the use of network protocols and services to communicate. Even if we lock down the host configuration as much as possible, it can still be vulnerable because of network connections. These connections are an absolute necessity in the connected world we live in, so we can’t simply eliminate threats by unplugging the host from its connections. So what can we do about network-based threats to a host? In this module, we’ll examine one part of securing the network by looking at the ports, protocols, and services that run on a host and how we can use them securely. In later modules, we’ll look at the network itself and the different ways we can reduce threats before they even get to the host.

Host Network Services

In this module, you’ll need to draw from the networking knowledge you gained through your experience and Network+ exam studies. We’re going to examine the network protocols and services that commonly run on hosts, and look at how we can configure and use them securely. Although the discussion in this module is only a brief look at what is to come later on when we discuss local area networking (LAN) security topics, this module is important because it focuses on the host side of network security and goes with our discussions on host hardening and security. We’ll focus on securing common protocols and their associated ports and services, and discuss where they fit in the overall Open Systems Interconnection (OSI) model.

Network Protocols and the OSI Model

The network protocols discussed here certainly don’t include all the protocols that run on various hosts in every situation, but these are some of the more common ones you will likely encounter in your job. These protocols work at various layers of the OSI model, and each has its own security considerations as well as strengths and weaknesses. Figure 17-1 shows how each of these protocols fits within the OSI model. Keep this in mind when you’re working with protocols, because it helps you understand how the OSI layers and protocols work together for connectivity and security.

Figure 17-1 Protocols within the OSI model

Before we discuss the details of each protocol, let’s review what the OSI model is and what it does for us. The OSI model is simply a framework for describing how network technologies, such as communications protocols, interact with each other in delivering traffic from host to host, across networks. It is not a protocol suite, and in reality, no protocols exist purely in the OSI model. The model is simply a construct that lets networking professionals determine how to construct interoperable network technologies.

A protocol suite (or stack, as it’s sometimes called) is actually an implementation of the model and contains protocols that are interoperable and based on how the OSI model describes network communications. You’ll encounter several different protocol suites. For example, AppleTalk is a protocol suite developed years ago by Apple that is used to create networks of Apple devices that exchange information on a network. Similarly, NetWare was a protocol developed to connect devices that used the Internetwork Packet Exchange (IPX)/Sequenced Packet Exchange (SPX) protocol suite. Both of these suites are also based upon, and map (to varying degrees) to, the OSI model.

The advantage to using the OSI model as a framework is that at some point, standardization, and sometimes even interoperability, occurs between protocol suites. The OSI model allows this to happen if protocol suites follow some of the model’s rules—although, for the most part, interoperability might require a gateway device that runs more than one protocol suite.

TCP/IP

We discuss this relationship of protocol suites to the OSI model in depth because, as you should remember from your earlier networking studies, the Transmission Control Protocol/Internet Protocol (TCP/IP) suite maps very well to the OSI model, but not necessarily on a straightforward one-to-one basis. TCP/IP has four layers, where the OSI model lays out seven layers. There’s nothing wrong with this, simply because the functions that occur in TCP/IP are very similar to the functions that the OSI model calls for; it just categorizes some functions in different layers.

Because TCP/IP is the protocol of choice for the Internet, most of the other protocol suites that we mentioned have been pretty much replaced and aren’t used much anymore, except in legacy or specialized networks. That’s why TCP/IP is the most commonly discussed protocol stack. And because it is so intertwined with the OSI model, we as networking and security people sometimes discuss the protocols that are used in TCP/IP as if they are part of the OSI model; in reality, however, they are simply mapped to the model and are still part of the TCP/IP stack.

TCP/IP is composed of several protocols; as a protocol suite, it includes the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), and the Internet Protocol (IP) as its major pieces. Obviously, there are also application layer protocols, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Domain Name System (DNS), and so on. So when we are discussing these protocols, you’ll understand exactly where in the TCP/IP stack they work and how they map to the OSI model. Just keep in mind that, technically speaking, these protocols are TCP/IP protocols and not OSI protocols. Figure 17-2 shows the comparison between the OSI model layers and the TCP/IP protocol suite.

Figure 17-2 Comparison of the seven OSI model layers and the four parts of the TCP/IP protocol suite

IPv4

Remember that IP is concerned with logical IP addressing and routing between local area networks (LANs). All the hosts within a LAN adhere to a particular logical addressing scheme. They are usually on the same logical subnet and communicate with each other without the need for routing to take place. If Host 1 needs to communicate with a host beyond its subnet, to networks that use a different logical IP addressing scheme, a router is required to send the traffic from the Host 1 LAN to another LAN (usually via a wide area connection, or WAN). IP version 4 (IPv4) has been used for several years now to route packets across internal networks as well as the Internet and to assign logical addresses to hosts.

IPv4 has different security vulnerabilities associated with it, in addition to growth issues. First of all, there’s no real authentication between devices built into IPv4, which is why it’s so easy for attackers to spoof IP addresses on networks. Outside authentication methods can be used, of course, such as digital certificates, but they require additional infrastructure. There’s also no native encryption built into IPv4. In addition to other protocols that can protect communications, the IP Security (or IPsec) protocol was developed to add authentication and encryption methods to IP traffic. (We’ll discuss IPsec a bit later in the module.)

Another issue with IPv4 is that the number of publicly available IP addresses has been exhausted, and with the rapid increase in Internet-facing hosts that require IP addresses, technologies such as network address translation (NAT) and private IP addressing were developed to take care of this problem temporarily. The next version of IP, version 6, was developed to take care of not only the numbers of available IP addresses in the world, but also the inherent security issues of IPv4.

IPv6

IPv6 was developed and formalized in 1998 and was expected to be widely implemented across the entire Internet by now—but, unfortunately, that hasn’t happened yet. As of the summer of 2014, very little traffic on the Internet used IPv6 (less than 5 percent). Legacy systems could support IPv6 only with additional protocol stacks and software, but most modern operating systems, as well as host and network devices, now natively support it—and, in fact, most of these systems have IPv6 turned on by default.

IPv6 addresses several IPv4 issues, including exhausted address space. Where IPv4 had only 32-bit addresses, IPv6 has 128-bit addresses, so the address space is much larger (2^128, which is approximately 3.4 × 10^38, versus the 4,294,967,296 addresses available to IPv4). This means that private IP addressing and NAT aren’t so important anymore, and every single device can have its own IPv6 address (with a lot of addresses left over). IPv6 also takes care of authentication and encryption. Protections are built into IPv6 that help prevent address spoofing, for example, and IPv6 natively uses IPsec, without requiring any user interaction.

The slowness with which IPv6 has been implemented is caused by many things, including the stopgap measures of implementing NAT and private IP addressing. There has also been a lack of infrastructure support from Internet service providers (ISPs), application support, and so on. However, once IPv6 has been widely implemented across the Internet, many of the threats that we see with network attacks may be significantly reduced.

SNMP

The Simple Network Management Protocol (SNMP) works at the application layer of the TCP/IP protocol suite. It’s used primarily to manage network infrastructure devices, although in more recent years it has also been used to manage individual hosts, such as workstations and servers. SNMP uses UDP ports 161 and 162. SNMP uses a concept called community strings, which are really nothing more than passwords used either to read or to read/write the configuration of the device. Unfortunately, some versions of SNMP use very weak community strings, such as the string “private” for the read/write string and “public” for the read-only string. These are well-known strings, and unfortunately administrators don’t always change them from their defaults.

SNMP uses agents installed on the different devices to send data back to a centralized collection facility or server. The type of information sent back from a device is based upon a concept called a Management Information Base, or MIB. There are different MIBs for each kind of operating system and device, depending upon what its function is and what it is running. MIBs allow SNMP to send back different types of information particular to a device to the central collection device. This data can come in the form of alerts, called traps.

SNMP has had several different versions, with version 3 being the current secure version. Versions prior to SNMP v3 had issues with the SNMP community strings being stored and transmitted in plaintext. SNMP version 3 encrypts community strings, so if they are intercepted, the attacker won’t be able to read configuration information easily from a device and get information that may help them formulate an attack or write to the configuration of the device in order to conduct the attack. There’s also a secure version of SNMP, called Secure SNMP, which uses UDP ports 10161 and 10162 (for the trap).
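The weaknesses described above (default “public”/“private” community strings, v1/v2c credentials sent in plaintext, and SNMPv3 users that are not required to use encryption) can be checked for in an agent’s configuration before the device is put on the network. The following audit script is an added example, not code from the module; it parses the Net-SNMP `snmpd.conf` directive format (`rocommunity`/`rwcommunity` for v1/v2c, `createUser`/`rouser`/`rwuser` for v3), and the sample configuration it checks is constructed for illustration.

```python
"""Audit a Net-SNMP style snmpd.conf for weak SNMP settings.

Added example (not from the module). The sample configuration below is
constructed for illustration; the directive syntax follows Net-SNMP:
  rocommunity COMMUNITY [SOURCE]   rwcommunity COMMUNITY [SOURCE]
  createUser NAME (MD5|SHA) AUTHPASS [DES|AES] [PRIVPASS]
  rouser NAME [noauth|auth|priv]   rwuser NAME [noauth|auth|priv]
"""

# Well-known default community strings that the module warns about.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample snmpd.conf: a default read-only community, a default
# read/write community open to any source, a non-default read-only community
# restricted to one subnet, and one properly configured SNMPv3 user.
SAMPLE_SNMPD_CONF = """\
# constructed sample configuration
rocommunity public
rwcommunity private 0.0.0.0/0
rocommunity s3cr3t-ro 192.0.2.0/24
createUser monitor SHA "correct horse battery staple" AES
rouser monitor priv
"""

ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}


def audit_snmpd_conf(text):
    """Return a list of (severity, message) findings for the config text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]

        if directive in ("rocommunity", "rwcommunity",
                         "rocommunity6", "rwcommunity6"):
            community = args[0] if args else ""
            # Net-SNMP treats a missing SOURCE as "default" (any address).
            source = args[1] if len(args) > 1 else "default"
            access = "read/write" if directive.startswith("rw") else "read-only"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high",
                    f"default {access} community string '{community}'"))
            else:
                # Any v1/v2c community travels in plaintext on UDP 161.
                findings.append(("medium",
                    f"v1/v2c {access} community '{community}' is sent in plaintext"))
            if source in ANY_SOURCE:
                findings.append(("medium",
                    f"{access} community '{community}' accepts any source address"))

        elif directive in ("rouser", "rwuser"):
            user = args[0] if args else "?"
            # Net-SNMP's default minimum security level for rouser/rwuser is
            # "auth" (authenticated but not encrypted).
            level = args[1].lower() if len(args) > 1 else "auth"
            if level != "priv":
                findings.append(("medium",
                    f"SNMPv3 user '{user}' is not required to use privacy (encryption)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the script reports two high-severity findings (the default “public” and “private” strings) and three medium ones; a configuration consisting only of a `createUser` line and a `rouser … priv` line produces no findings.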

SSH

Secure shell (SSH) is not only a protocol, but also a suite of applications that can be used to connect to and administer network hosts securely. SSH uses TCP port 22 and resides at the application layer. It replaces older, nonsecure protocols, such as Telnet, remote shell (rsh), FTP, and so on, which send traffic (including usernames, passwords, and other data) across the network unencrypted. This means that traffic using these older protocols could easily be intercepted and viewed by an attacker. Secure shell is seen natively on UNIX-like systems, including Linux, Berkeley Software Distribution (BSD), and so on. Although SSH is not native to Windows operating systems, several third-party applications can be used to implement SSH on Windows.

SSH can use not only usernames and passwords for authentication, but also digital certificates. It can also use a wide variety of encryption protocols, some of which are more secure than others but may be necessary for compatibility purposes between different systems. In addition to the SSH utility, which allows users to establish and maintain a remote connection securely between two hosts, SSH also has other utilities, such as secure FTP (SFTP) and secure copy (SCP), which are used to transfer files between hosts. We’ll discuss SCP in the next section. Figure 17-3 shows an SSH session set up between two hosts.

Figure 17-3 An SSH session between two hosts

SCP

Secure copy (SCP) is a utility within the SSH suite that allows file transfers between two hosts running SSH. SCP, since it uses SSH, also goes over TCP port 22. SCP is primarily used for ad-hoc or single-session file exchanges between two hosts. This is unlike a secure FTP server (using SFTP, another utility in SSH) set up over SSH, which may be more of a permanent or static connection allowing a host to upload and download files securely from a server. Figure 17-4 shows an example of an SCP session.

Figure 17-4 An SCP session

NetBIOS

NetBIOS stands for Network Basic Input/Output System. In common usage, IT professionals call it a session-layer protocol, but in the truest sense of the word, it’s not a protocol at all; instead, it is an application programming interface (API). Developed by Microsoft, NetBIOS allows applications to communicate with each other over LANs. It’s usually implemented as NetBIOS over TCP/IP (NBT), meaning that it can be used in TCP/IP to provide communications services for applications that use it, usually in small Windows networks.

Although NetBIOS is primarily seen in older Windows implementations, you can still see throwbacks to this protocol, even in modern Windows operating systems. Unfortunately, it does not scale very well in larger networks and has some security issues. Windows hosts running NBT will have TCP and UDP 137 open for name registration and resolution, UDP 138 for the NetBIOS datagram distribution service, and TCP 139 for connection-oriented sessions. Later versions of Windows will have the Microsoft Active Directory and SMB file sharing port, TCP 445, running in place of these ports, since NBT is no longer used in larger environments. The issues with NBT are primarily with information leakage; it is easy to get information about usernames, hosts, shares, and the Windows network by querying NetBIOS, which requires no authentication.

RDP

Remote Desktop Protocol (RDP) was developed to connect remotely to a host and access it using a graphical interface. Since it’s a Microsoft protocol, it runs on most versions of Windows and is a client-server type of technology. Users get a full Windows desktop when using RDP to connect to another host; they are able to use applications and administer the host the same as they would if they were physically sitting at the box. RDP clients and servers are built into most Windows versions, but third-party software packages can also be used to get a remote desktop from a Linux box to a Windows host.

RDP uses both TCP and UDP port 3389, has 128-bit encryption, and uses the RC4 cipher for that encryption. Despite this, RDP has several security issues, and different versions of it that come with the different flavors of Windows (including Windows 8.1) are vulnerable to man-in-the-middle attacks, unauthenticated access, information leakage, and, most recently, pass-the-hash attacks.
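The SSH, SCP, NetBIOS, and RDP sections above each come down to a port and a judgment about whether the service behind it should be listening at all, and on which interface. A host-side audit that applies those judgments to a snapshot of listening sockets is an added example here, not code from the module. It parses rows in the format printed by `ss -tulnH` on Linux (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port); the snapshot it checks is constructed, and the Telnet (23), FTP (21) and rsh (514) port numbers are well-known values added to cover the legacy protocols the SSH section says SSH replaces.

```python
"""Audit a snapshot of listening sockets against the port guidance in this module.

Added example (not from the module). Input rows follow the 'ss -tulnH'
layout; the SAMPLE_SS_OUTPUT below is constructed for illustration.
"""

# (proto, port) -> (service name, severity when exposed, note)
# Ports from the module plus the well-known Telnet, FTP and rsh ports.
SERVICE_NOTES = {
    ("tcp", 21):   ("FTP", "high", "cleartext credentials; replace with SFTP/SCP over SSH"),
    ("tcp", 22):   ("SSH", "info", "encrypted; restrict to trusted sources"),
    ("tcp", 23):   ("Telnet", "high", "cleartext credentials; replace with SSH"),
    ("tcp", 137):  ("NetBIOS name service", "high", "NBT leaks names and shares without authentication"),
    ("udp", 137):  ("NetBIOS name service", "high", "NBT leaks names and shares without authentication"),
    ("udp", 138):  ("NetBIOS datagram service", "high", "NBT leaks names and shares without authentication"),
    ("tcp", 139):  ("NetBIOS session service", "high", "NBT leaks names and shares without authentication"),
    ("tcp", 445):  ("SMB / Active Directory", "medium", "keep inside the LAN; never expose to the Internet"),
    ("tcp", 514):  ("rsh", "high", "cleartext; replace with SSH"),
    ("udp", 161):  ("SNMP agent", "medium", "require SNMPv3 and non-default community strings"),
    ("udp", 162):  ("SNMP trap receiver", "medium", "require SNMPv3 and non-default community strings"),
    ("tcp", 3389): ("RDP", "medium", "known MITM/unauthenticated-access issues; restrict sources"),
    ("udp", 3389): ("RDP (UDP transport)", "medium", "known MITM/unauthenticated-access issues; restrict sources"),
    ("udp", 500):  ("IKE (IPsec key exchange)", "info", "expected only if IPsec is in use"),
}

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed 'ss -tulnH' snapshot of a host with several legacy services.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:139       0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3389    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:137       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
"""


def parse_ss_line(line):
    """Parse one 'ss -tulnH' row into (proto, local_addr, port), or None."""
    parts = line.split()
    if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
        return None
    addr, _, port = parts[4].rpartition(":")  # handles '[::]:22' and '*:22'
    if not port.isdigit():
        return None
    return parts[0], addr.strip("[]"), int(port)


def audit_listening_ports(ss_output):
    """Return a list of (severity, proto, port, addr, service, note) findings."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proto, addr, port = parsed
        service, severity, note = SERVICE_NOTES.get(
            (proto, port),
            ("unknown service", "medium", "identify the owning process and justify the port"))
        # A socket bound only to loopback is not reachable from the network,
        # so it is reported for awareness rather than as an exposure.
        if addr in LOOPBACK:
            severity = "info"
        findings.append((severity, proto, port, addr, service, note))
    return findings


if __name__ == "__main__":
    for f in audit_listening_ports(SAMPLE_SS_OUTPUT):
        print(f"[{f[0]}] {f[1]}/{f[2]} on {f[3]}: {f[4]} ({f[5]})")
```

On the constructed snapshot the audit flags Telnet and the two NBT sockets as high severity, SMB and the SNMP agent on all interfaces as medium, and reports the SSH listeners and the loopback-only RDP socket as informational. Severity is deliberately tied to where the socket is bound; on a real host, the same table applied to the output of `ss -tulnH` gives a quick first pass before the slower work of justifying each port.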

IPsec

Internet Protocol Security (IPsec) is a security protocol that works at the Internet layer of the TCP/IP model (or the network layer of the OSI model, if you are inclined to view it that way). It was developed to provide security services (authentication and encryption) for IP traffic, since IP does not have any built-in native security protections. In actuality, IPsec is more of a family of security protocols; three major protocols make up IPsec. The first is the Authentication Header (AH) protocol, which provides authentication and integrity services for IP traffic. AH can be used on the entire IP packet, including the header and data payload. The second protocol takes care of encryption services, and it’s called the Encapsulating Security Payload (ESP) protocol. ESP can provide protection for the entire IP packet as well, depending upon which mode IPsec is used in. Obviously, encrypting the IP header can cause problems if routers and other devices can’t read the header information, including the source and destination IP addresses. Between hosts on a network, the header information isn’t usually required to be encrypted, so ESP doesn’t have to be used. This is called IPsec’s transport mode. In transport mode, header information is not encrypted so that hosts and network devices can read it. The data, on the other hand, can be encrypted to protect it, even within a LAN.

The other mode that IPsec is associated with is called tunnel mode. Tunnel mode is used when IP traffic is encapsulated and sent outside of a LAN, across WAN links to other networks. This is what happens in virtual private networking (VPN) implementations that use IPsec. In tunnel mode, since the IP packet is encapsulated in a tunneling protocol (such as L2TP), all of the information in the packet, including headers and data payload, can be encrypted. So ESP is typically used only in tunnel mode.

The third protocol that you will find in IPsec is called the Internet Security Association and Key Management Protocol (ISAKMP). This protocol is used to negotiate a mutually acceptable level of authentication and encryption methods between two hosts. This acceptable level of security is called the Security Association (SA). An SA between two hosts defines the encryption type and method, algorithms used, types of cryptographic keys and key strengths, and so on. The Internet Key Exchange (IKE) protocol is used in ISAKMP to negotiate the SA between hosts. IKE uses UDP port 500 to accomplish this.

While IPsec is usually seen in VPN implementations, paired up with L2TP as its tunneling protocol, IPsec can be very effective in securing traffic within a LAN, particularly sensitive traffic between hosts that an organization wouldn’t want to be intercepted and examined. IPsec offers a wide variety of choices for encryption algorithms and strengths and is very flexible in its configuration. You can choose to protect all traffic between certain hosts or protect only certain aspects of traffic, such as certain protocols or traffic that travels between certain ports.

ICMP

Internet Control Message Protocol (ICMP) is a maintenance protocol that works at the Internet layer of the TCP/IP protocol stack (or the network layer of the OSI model). It’s primarily used to determine if a host is alive on the network. Most people see ICMP implemented when they use the ping or traceroute command. While ICMP is a very useful protocol for network professionals, it can also be used maliciously to help conduct denial-of-service attacks on hosts and networks. For example, ICMP can be used to send broadcast ping packets to a network, using a spoofed source IP address, which results in a massive storm of ping replies back to an unsuspecting host. This can result in the host being flooded with ICMP, effectively knocking it off the network. Many organizations block ICMP at their perimeter network or within their network on different network devices. Intrusion detection systems are also usually configured to watch for either oversized ICMP packets (another variation of ICMP attack) or massive amounts of ICMP traffic to a host.
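The last two sentences above describe what an intrusion detection system watches for: oversized ICMP packets and a large volume of ICMP arriving at one host in a short time. The following detector is an added example, not code from the module, and runs that logic over constructed ICMP flow records of the form (timestamp, source, destination, ICMP type, length). The 1500-byte size limit and the threshold of 20 packets in a 2-second window are assumed values chosen for the example; a real deployment would tune them to the network’s MTU and normal ping volume.

```python
"""Flag oversized ICMP packets and ICMP floods in a set of flow records.

Added example (not from the module). Records are (ts, src, dst, icmp_type,
length) tuples; SAMPLE_RECORDS is constructed for illustration. The size
limit and rate threshold are assumed values, not figures from the module.
"""
from collections import defaultdict, deque


def build_sample_records():
    """Constructed sample traffic: one normal ping pair, one oversized echo
    request, and a burst of 30 echo replies from many sources to one victim,
    which is the reply pattern described for a spoofed broadcast ping."""
    records = [
        (100.00, "192.0.2.5", "192.0.2.1", 8, 64),        # echo request
        (100.01, "192.0.2.1", "192.0.2.5", 0, 64),        # echo reply
        (101.00, "198.51.100.7", "192.0.2.10", 8, 65000), # oversized echo request
    ]
    for i in range(30):  # 30 replies to 192.0.2.10 within 1.5 seconds
        records.append((200.0 + i * 0.05, f"198.51.100.{i + 1}", "192.0.2.10", 0, 64))
    return records


SAMPLE_RECORDS = build_sample_records()


def detect_icmp_anomalies(records, rate_threshold=20, window_seconds=2.0, max_len=1500):
    """Return a list of (kind, destination, detail) alerts.

    kind is "oversized" for any packet longer than max_len, or "flood" when
    more than rate_threshold ICMP packets reach one destination inside a
    sliding window of window_seconds (reported once per destination).
    """
    alerts = []
    recent_by_dst = defaultdict(deque)  # dst -> timestamps inside the window
    flooded = set()
    for ts, src, dst, icmp_type, length in sorted(records):
        if length > max_len:
            alerts.append(("oversized", dst,
                           f"{length}-byte ICMP type {icmp_type} from {src}"))
        window = recent_by_dst[dst]
        window.append(ts)
        while window and ts - window[0] > window_seconds:  # expire old entries
            window.popleft()
        if len(window) > rate_threshold and dst not in flooded:
            flooded.add(dst)
            alerts.append(("flood", dst,
                           f"{len(window)} ICMP packets within {window_seconds}s"))
    return alerts


if __name__ == "__main__":
    for kind, dst, detail in detect_icmp_anomalies(SAMPLE_RECORDS):
        print(f"{kind}: {dst} ({detail})")
```

On the constructed records the detector raises exactly two alerts, both for 192.0.2.10: the 65000-byte packet and the reply burst. The normal request/reply pair at 100.0 produces nothing, and because the window slides on timestamps rather than counting packets in fixed buckets, a burst that straddles a bucket boundary is still caught.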

Module 17 Questions and Answers

Questions

1. Which of the following statements is true regarding TCP/IP? (Choose two.)

A. TCP/IP protocols are part of the OSI model.

B. TCP/IP is a protocol stack containing multiple protocols.

C. TCP/IP closely maps to the OSI model.

D. TCP/IP protocols are part of the transport and network layers of the OSI model.

2. Which of the following is an important security issue with IPv4?

A. Use of NAT to conserve IP addresses

B. Lack of interoperability with IPsec

C. Lack of built-in authentication and encryption services

D. Use of 32-bit addresses

3. Which of the following is a true statement regarding IPv6?

A. IPv6 requires the use of NAT to help conserve IP addresses.

B. It has been implemented on the Internet worldwide.

C. It has 4,294,967,296 available IP addresses.

D. IPsec is natively included with IPv6.

4. Your manager wants you to investigate possible security issues with your network devices. You discover that your network devices are all running an older version of the SNMP protocol. Which of the following best describes weaknesses associated with older versions of SNMP? (Choose two.)

A. Default community strings of “public” and “private”

B. Weak mutual authentication between devices

C. Lack of encrypted community strings

D. Use of weak DES encryption algorithm

5. All of the following protocols provide for secure communications, except:

A. SSH

B. SCP

C. IPsec

D. Telnet

6. Which of the following is an older Microsoft-proprietary application programming interface used to allow applications to communicate with each other over local area networks?

A. IPsec

B. NetBIOS

C. RDP

D. SSH

7. Which of the following protocols uses TCP port 3389?

A. Remote Desktop Protocol

B. Secure Shell

C. IPsec

D. NetBIOS over TCP/IP (NBT)

8. Which of the following IPsec protocols is used to provide authentication and integrity for an entire IP packet?

A. Encapsulating Security Payload (ESP)

B. Authentication Header protocol (AH)

C. Internet Key Exchange (IKE)

D. Internet Security Association and Key Management Protocol (ISAKMP)

9. Which of the following IPsec modes should be used within a local area network?

A. Authentication mode

B. Tunnel mode

C. Transport mode

D. Encryption mode

10. Which of the following types of attacks can be carried out by ICMP?

A. Brute-force attack

B. Denial-of-service attack

C. Man-in-the-middle attack

D. Injection attack

Answers

1. B, C. TCP/IP is a protocol suite that has multiple protocols in it, and it closely maps to the OSI model layers.

2. C. The lack of built-in authentication and encryption services is an important security issue with IPv4.

3. D. IPsec is natively included with IPv6.

4. A, C. Older versions of the SNMP protocol suffer from a lack of any encryption, as well as weak default community strings that are frequently not changed by administrators.

5. D. Telnet does not provide for secure communications.

6. B. NetBIOS is an older Microsoft-proprietary application programming interface used to allow applications to communicate with each other over local area networks.

7. A. Remote Desktop Protocol (RDP) is a Microsoft-proprietary protocol that uses TCP port 3389.

8. B. The Authentication Header (AH) protocol is used to provide authentication and integrity for an entire IP packet, regardless of whether it is in transport mode or tunnel mode.

9. C. Transport mode should be used within a local area network, since the IP header can’t be encrypted.

10. B. A denial-of-service attack can be carried out by ICMP, using either oversized ICMP packets or massive amounts of ICMP packets sent to a particular host.
