OSI layers and security

This section covers some of the important protocols in the OSI layers. Application layer, presentation layer and session layer protocols, and their security, are covered in this chapter. The remaining layers are covered in the next chapter.

This section also gives an overview of security weaknesses in such layer/protocols as well as security measures to mitigate such weaknesses.

Application layer protocols and security

In the application layer, some of the important protocols are Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), TELNET, Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), and Simple Network Management Protocol (SNMP).

Domain Name System (DNS)

DNS works at the application layer and translates domain names into IP addresses. Its main purpose is to resolve host names to the matching numeric IP addresses; it also holds other resource records, such as the MX records that tell a sending mail server where e-mail for a domain is to be delivered.

Threats, attacks, and countermeasures

A common threat to DNS is spoofing. Spoofing is a term used in computer security for the successful masquerading of one entity as another; an entity can be a person or a program, and masquerading means disguising, impersonating, or masking.

Many spoofing attacks exist. Some of them are as follows:

  • Man-in-the-Middle-Attack: This refers to spoofing the systems in order to listen to the network traffic between two computers and capture data packets. In other words, attackers insert themselves in the communication path between hosts.
  • URL spoofing: Uniform Resource Locator (URL) is the method by which a web page or website is identified by the browser. This is also called the website or webpage address. In URL spoofing, a web browser is led to believe that it is accessing the requested legitimate website. However, the browser accesses the attacker-directed website due to spoofing.
  • Phishing: This is a spoofing technique used by fraudsters to capture sensitive information such as user names, passwords, and credit card details. In phishing, e-mail spoofing is used to lure the user into opening a link, and URL spoofing or DNS manipulation directs the user to an illegitimate site that the attacker has built to look like the real one.
  • E-mail spoofing: This is a technique used to masquerade as a legitimate source address (such as a bank) in the headers of an e-mail. SMTP itself does not verify the From address, so the user is led to believe that the e-mail is from a trusted source.
  • SMS spoofing: This is similar to e-mail spoofing, but in this case, the mobile number of the source is masqueraded by a malicious entity to send a spoofed text message.
  • DNS cache poisoning: This relates to inserting illegitimate entries into a resolver's DNS cache, the store of recent answers that the resolver keeps in memory so that it need not query the authoritative servers again. Since clients trust the resolver, a poisoned entry redirects every request for a legitimate name to an attacker-chosen address until the entry expires.
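The checks a resolver applies before caching a reply are what make poisoning hard in practice. The following is an added example, not code from the original page or from any resolver project: a minimal DNS wire-format builder and parser in Python (standard library only), with an acceptance function that matches a reply against the outstanding query's transaction ID, question and source address and then discards any record outside the answering server's zone (the "bailiwick" rule). The messages, names, addresses and the pending-query structure are constructed for the example.

```python
"""Resolver-side acceptance checks against DNS cache poisoning, stdlib only.

A forged reply must match the outstanding query's transaction ID, question and
source; even then, records outside the answering server's zone ("bailiwick")
are not cached. Sample messages below are constructed for this example."""
import struct


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_response(txid, qname, qtype, answers, additional=()):
    """answers/additional: lists of (owner, rtype, rdata) tuples, class IN, TTL 300."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in list(answers) + list(additional):
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body


def parse(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!HH", msg[off:off + 4])[0]
    off += 4
    rrs = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((section, owner, rtype, msg[off:off + rdlen]))
            off += rdlen
    return {"id": txid, "flags": flags, "qname": qname, "qtype": qtype, "rrs": rrs}


def in_bailiwick(owner, zone):
    return owner == zone or owner.endswith("." + zone)


def accept_response(pending, msg, src):
    """pending describes the outstanding query: id, qname, qtype, server, zone.
    Returns (accepted, reason, records safe to cache)."""
    if src != pending["server"]:
        return False, "source mismatch", []
    r = parse(msg)
    if r["id"] != pending["id"]:
        return False, "txid mismatch", []
    if not r["flags"] & 0x8000:
        return False, "not a response", []
    if (r["qname"], r["qtype"]) != (pending["qname"], pending["qtype"]):
        return False, "question mismatch", []
    cacheable = [rr for rr in r["rrs"] if in_bailiwick(rr[1], pending["zone"])]
    return True, "ok", cacheable


def demo():
    pending = {"id": 0x1A2B, "qname": "www.example.com.", "qtype": 1,
               "server": ("192.0.2.53", 53), "zone": "example.com."}
    legit = build_response(0x1A2B, "www.example.com.", 1,
                           [("www.example.com.", 1, bytes([192, 0, 2, 10]))])
    wrong_id = build_response(0x1A2C, "www.example.com.", 1,
                              [("www.example.com.", 1, bytes([198, 51, 100, 7]))])
    # guessed the ID, and smuggles an out-of-bailiwick record for another site
    forged = build_response(0x1A2B, "www.example.com.", 1,
                            [("www.example.com.", 1, bytes([198, 51, 100, 7]))],
                            additional=[("www.bank.test.", 1, bytes([198, 51, 100, 7]))])
    return {"legit": accept_response(pending, legit, pending["server"]),
            "wrong_id": accept_response(pending, wrong_id, pending["server"]),
            "forged": accept_response(pending, forged, pending["server"])}
```

The forged reply with a correctly guessed transaction ID is still accepted for the name that was asked about; the bailiwick rule only stops it from planting a record for an unrelated domain. A 16-bit ID plus a randomised source port is what makes the guess expensive, and only DNSSEC validation lets the resolver reject the forged answer itself.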

Countermeasures provide methods to address security threats. A countermeasure can be a technical solution or a kind of best practice. Some of the countermeasures for the common security threats and attacks include:

Domain Name System Security Extensions (DNSSEC): They are a set of extensions that provide origin authentication of DNS data, data integrity, and authenticated denial of existence. Zone data is signed with public key cryptography, so a validating resolver can detect forged or altered replies, including the poisoned entries described above. DNSSEC does not provide confidentiality, and it does not prevent zone enumeration: the original NSEC records, which prove that a name does not exist by naming its neighbours, made walking an entire zone trivial, and the hashed NSEC3 records of RFC 5155 were introduced to make that harder.

Note

Zone enumeration: The practice of discovering the full content of a zone via successive queries. Zone enumeration was non-trivial prior to the introduction of DNSSEC.

Source: RFC5155 - DNS Security (DNSSEC) Hashed Authenticated Denial of Existence

Dynamic Host Configuration Protocol (DHCP)

In an Internet Protocol (IP) network, client devices obtain necessary network parameters from a centralized server(s) using this protocol. One of the primary parameters obtained is the IP address itself. DHCP helps in reducing manual configurations.

DHCP is primarily used for assigning IP addresses to clients on a local network; servers are usually given static addresses or DHCP reservations. Dial-up and some broadband links obtain their address through the Point-to-Point Protocol (PPP) instead, and Network Address Translation (NAT) is a separate mechanism that shares one public address among many internal hosts; neither is part of DHCP.

RFC 2131 defines three allocation mechanisms, depending on the level of administrator intervention: automatic (a permanent address chosen by the server), dynamic (a leased address that expires and is reused) and manual (an address fixed by the administrator and merely conveyed by DHCP). Whichever is used, a client obtains its lease through the four-message exchange Discover, Offer, Request, Acknowledge (DORA): the client broadcasts a DISCOVER, one or more servers respond with an OFFER, the client broadcasts a REQUEST naming the offer it accepts, and the chosen server confirms with an ACK (or refuses with a NAK).

Threats, vulnerabilities, attacks, and countermeasures

DHCP faces threats similar to those of DNS: masquerading (a rogue DHCP server answering clients before the legitimate one) and, because the lease also carries the addresses of the DNS servers, the cache poisoning and forgery attacks on DNS apply to its clients as well.

Vulnerabilities are generally in the form of misconfigured DHCP and DNS servers, and the absence of any authentication or encryption in the DHCP exchange itself: every message is a plain broadcast that any host on the segment can read or answer.

A few attacks are specific to this area, such as the birthday attack, DHCP starvation and DNS forgery:

  • Birthday attack: This is a probabilistic attack against values that are supposed to be unpredictable. It rests on the birthday paradox: in a group of 23 randomly chosen people, the probability that at least two share a birthday already exceeds 50%, and it exceeds 99% once the group has 57 or more members. Applied to DNS, an attacker who sends many queries and many forged replies at once needs far fewer guesses to collide with a 16-bit transaction ID than a one-at-a-time attack would.
  • DHCP starvation and rogue servers: An attacker requests leases with many spoofed hardware addresses until the pool is exhausted (a Denial-of-Service against the legitimate server), and then answers clients from a rogue DHCP server that hands out its own gateway and DNS server addresses, placing itself in the path as a Man-in-the-Middle.
  • DNS forgery: This is a type of DNS cache poisoning in which the attacker races the legitimate server with forged replies. It matters to DHCP because the DNS server address itself is handed out in the lease.

Countermeasures for the preceding security threats, vulnerabilities, or attacks include:

  • Transport Layer Security (TLS) and Secure Sockets Layer (SSL): These are cryptographic protocols. The purpose of these protocols is to provide secure communication by way of encryption.
  • Secure Shell (SSH): This is a network protocol that facilitates secure encrypted communications between two computers.
  • Digital Signature: This is used in public key cryptography where the message is digitally signed using the sender's private key. The purpose here is to authenticate the sender.

DHCP messages themselves carry no authentication (the DHCP authentication option of RFC 3118 is rarely deployed), so these cryptographic countermeasures protect the traffic around DHCP rather than DHCP itself. The practical controls are applied on the switch: DHCP snooping, which discards OFFER and ACK messages arriving on untrusted ports, and per-port limits on DHCP request rate and MAC addresses, which blunt starvation.
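The DORA exchange and the starvation attack against it, as an added example that is not part of the original page: a small Python model of a DHCP server and client using plain objects rather than wire-format packets. An attacker on one switch port leases addresses with spoofed MACs until the pool is empty and a legitimate client is refused; a per-port lease cap, standing in for the switch-side limits described above, stops the attack. Addresses, MAC addresses, port names and the `Server`/`Msg` structures are constructed for the example.

```python
"""DHCP DORA exchange and address-pool starvation, modelled with plain Python
objects rather than wire-format packets. Addresses, MACs and port names are
constructed for this example; the per-port lease cap stands in for the
switch-side limits (DHCP snooping, port security) used in practice."""
from dataclasses import dataclass, field
import ipaddress

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 message types


@dataclass
class Msg:
    mtype: int
    chaddr: str            # client hardware (MAC) address
    xid: int               # transaction id, echoed through the exchange
    yiaddr: str = ""       # "your" IP address, set in OFFER/ACK
    server_id: str = ""    # option 54
    port: str = "access"   # switch port the frame arrived on


@dataclass
class Server:
    pool: list
    server_id: str = "192.0.2.1"
    max_per_port: int = 0                  # 0 = unlimited (the weak default)
    offers: dict = field(default_factory=dict)
    leases: dict = field(default_factory=dict)
    per_port: dict = field(default_factory=dict)

    def handle(self, m):
        if m.mtype == DISCOVER:
            if self.max_per_port and self.per_port.get(m.port, 0) >= self.max_per_port:
                return None                # cap reached: drop silently
            taken = set(self.offers.values()) | set(self.leases.values())
            free = [a for a in self.pool if a not in taken]
            if not free:
                return None                # pool exhausted: client gets nothing
            self.offers[m.chaddr] = free[0]
            self.per_port[m.port] = self.per_port.get(m.port, 0) + 1
            return Msg(OFFER, m.chaddr, m.xid, free[0], self.server_id, m.port)
        if m.mtype == REQUEST:
            addr = self.offers.pop(m.chaddr, None)
            if addr is None or m.yiaddr != addr or m.server_id != self.server_id:
                return Msg(NAK, m.chaddr, m.xid, "", self.server_id, m.port)
            self.leases[m.chaddr] = addr
            return Msg(ACK, m.chaddr, m.xid, addr, self.server_id, m.port)
        return None


def dora(server, chaddr, xid, port="access"):
    """Run Discover, Offer, Request, Acknowledge for one client; return its address."""
    offer = server.handle(Msg(DISCOVER, chaddr, xid, port=port))
    if offer is None:
        return None
    ack = server.handle(Msg(REQUEST, chaddr, xid, offer.yiaddr, offer.server_id, port))
    return ack.yiaddr if ack and ack.mtype == ACK else None


def starvation_demo(max_per_port=0):
    """An attacker on one port leases with spoofed MACs; then a real client tries."""
    net = ipaddress.ip_network("192.0.2.0/29")
    server = Server(pool=[str(a) for a in net.hosts()][1:], max_per_port=max_per_port)
    attacker_leases = 0
    for i in range(8):
        spoofed = "de:ad:be:ef:00:%02x" % i
        if dora(server, spoofed, 0x1000 + i, port="Gi1/0/7") is not None:
            attacker_leases += 1
    victim = dora(server, "00:11:22:33:44:55", 0x2000, port="Gi1/0/2")
    return attacker_leases, victim
```

With no cap the five-address pool is drained by the first five spoofed clients and the real client receives no lease; with a cap of two per port the attacker gets two addresses and the victim still obtains one. Real servers also hold OFFERs for a timeout, so an attacker can starve a pool with DISCOVER messages alone; the cap must therefore count offers, as it does here, not only completed leases.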

Hypertext Transfer Protocol (HTTP)

Web pages on the World Wide Web (WWW) are coded in Hypertext Markup Language (HTML). HTTP is the communication protocol that retrieves and transfers such hypertext pages. HTTP/1.x and HTTP/2 run over Transmission Control Protocol (TCP) connections.

HTTP works in the application layer of the TCP/IP model, and HTTP is the default protocol for serving web pages. Hence, the primary delivery mechanisms for web pages use this protocol.

Threats, vulnerabilities, attacks, and countermeasures

Some of the common threats for HTTP include spoofing, unauthorized disclosure, and path traversal. Vulnerabilities include improper handling of request headers (unvalidated header values that are reflected into responses or logs) and placing sensitive data in the query string of GET requests, where it ends up in server logs, proxy caches, browser history and Referer headers.

Note

Path traversal: This relates to unauthorized access to files outside the web server's document root. A request path containing sequences such as ../ (often URL-encoded as %2e%2e%2f) is joined onto the document root without being checked, so instead of returning a web page the server reads an arbitrary file, such as a configuration file containing credentials.

DNS spoofing attacks apply to HTTP as well, since the browser resolves the site name before connecting. Denial-of-Service (DoS) and eavesdropping are also common attacks on HTTP.

Note

Eavesdropping is a type of attack, and it is used to listen to the communication between the client and the server in a surreptitious manner.

Countermeasures include strict input validation and using HTTPS whenever sensitive information is transmitted. HTTPS is HTTP carried over Transport Layer Security (TLS), which encrypts and authenticates the session between the server and the client; the older Secure Sockets Layer (SSL) versions are deprecated and should be disabled. (Secure HTTP, S-HTTP, was a different and now obsolete proposal, not another name for HTTPS.) HTTPS protects data in transit only: path traversal and header injection are application flaws that encryption does not address.
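What "strict validation" means for the path traversal case above, as an added example rather than code from the original page: a naive static-file lookup beside a hardened one in Python. The hardened version decodes the URL path exactly once, rejects anything still percent-encoded or containing a NUL byte, canonicalises the joined path, and only then checks that it is still inside the document root. The document root (/srv/www) and the request paths are constructed for the example; nothing is read from disk.

```python
"""Path traversal in a static-file handler: the naive lookup beside a hardened one.
The document root and request paths are constructed for this example; nothing
is read from disk."""
import os
from pathlib import Path
from urllib.parse import unquote


def resolve_vulnerable(webroot, url_path):
    """Joins the decoded URL path onto the root; '..' segments walk out of it."""
    return os.path.normpath(os.path.join(webroot, unquote(url_path).lstrip("/")))


def resolve_hardened(webroot, url_path):
    """Decode once, refuse leftover encoding or NUL, canonicalise, then check
    the result is still inside the document root."""
    root = Path(webroot).resolve()
    decoded = unquote(url_path)
    if "%" in decoded or "\x00" in decoded:
        raise PermissionError("suspicious encoding")
    candidate = (root / decoded.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError("outside document root")
    return str(candidate)


def demo(webroot="/srv/www"):
    """Constructed request paths: two benign, three traversal attempts."""
    cases = ["/index.html", "/static/../index.html", "/../../etc/passwd",
             "/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/etc/passwd"]
    results = {}
    for path in cases:
        try:
            hardened = resolve_hardened(webroot, path)
        except PermissionError as err:
            hardened = "REJECTED: " + str(err)
        results[path] = (resolve_vulnerable(webroot, path), hardened)
    return results
```

The check is done on the canonical path, not on the string: a filter that merely searches for "../" is bypassed by percent-encoding, by double encoding (%252e), or by platform-specific separators. Because resolve() follows symbolic links, a link inside the document root that points outside it is also caught, which is usually what is wanted for a web server.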

FTP and TELNET

FTP is a network protocol used to transfer files from one computer to another over a TCP/IP network. It is designed for file transfer only and provides no facility for executing programs on the target server.

TELNET (commonly expanded as TELecommunication NETwork) is used to access remote computer resources through a command shell. The purpose of TELNET is to log in to a remote server and perform maintenance work on the system from a remote location.

Threats, vulnerabilities, attacks, and countermeasures

Some of the common threats for FTP and TELNET include unauthorized data capture including the password capture. Vulnerabilities that aid such a threat include sending passwords in clear text as well as the clear text transmission of sensitive information.

Similar to HTTP, eavesdropping attacks are possible on FTP and TELNET. Sniffing is another common attack on these protocols.

Note

Sniffing is used to capture the data that flows through the network and analyze it in order to obtain sensitive information.

Adopting SSH File Transfer Protocol (SFTP) instead of FTP and Secure Shell (SSH) instead of TELNET acts as a countermeasure to such attacks, because both carry the login and all session data inside an encrypted SSH channel. Where FTP must remain, FTP over TLS (FTPS) at least protects the credentials and the control channel.

Note

SSH File Transfer Protocol (SFTP) is a subsystem of SSH: files, commands and session data all travel inside the SSH connection, so the session is encrypted between the client and the server. SFTP shares nothing with plain FTP on the wire and should not be confused with FTPS, which is FTP wrapped in TLS.
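What a sniffer on the path actually recovers from the clear-text protocols discussed above, as an added example that is not part of the original page: Python functions that pull the user name and password out of an FTP control stream and out of a TELNET session. FTP has an explicit command grammar (USER and PASS lines); TELNET has none, so the credential is whatever the client typed after the server's login and password prompts, possibly one character per packet, after the IAC negotiation bytes are stripped. The captured payloads below are constructed for the example.

```python
"""Extracting credentials from cleartext FTP and TELNET sessions. The captured
payloads below are constructed for this example (what a sniffer on the path
would see); the parsing is what a real tool applies to reassembled TCP data."""
import re

IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254


def strip_telnet(data):
    """Drop IAC command and option-negotiation sequences, keeping user data."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        cmd = data[i + 1] if i + 1 < len(data) else None
        if cmd == IAC:                       # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                      # subnegotiation ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (WILL, WONT, DO, DONT):  # three-byte option negotiation
            i += 3
        else:                                # two-byte command
            i += 2
    return bytes(out)


def ftp_credentials(client_stream):
    """FTP has an explicit command grammar: USER and PASS lines carry the secret."""
    creds = {}
    for line in client_stream.decode("ascii", "replace").split("\r\n"):
        m = re.match(r"(USER|PASS)\s+(.*)", line, re.I)
        if m:
            creds[m.group(1).upper()] = m.group(2)
    return creds


def telnet_credentials(segments):
    """TELNET has no grammar: whatever the client types after the server's
    'login:' / 'Password:' prompt is the credential, possibly one byte per
    packet. segments: list of ('S' or 'C', bytes) in capture order."""
    creds, expecting, typed = {}, None, b""
    for direction, data in segments:
        text = strip_telnet(data)
        if direction == "S":
            prompt = text.decode("ascii", "replace")
            if re.search(r"login:\s*$", prompt, re.I):
                expecting, typed = "USER", b""
            elif re.search(r"password:\s*$", prompt, re.I):
                expecting, typed = "PASS", b""
        elif expecting:
            typed += text
            if b"\r" in typed:               # CR LF or CR NUL ends the line
                creds[expecting] = typed.split(b"\r")[0].decode("ascii", "replace")
                expecting = None
    return creds


# constructed captures
FTP_CLIENT = b"USER alice\r\nPASS s3cr3t!\r\nPWD\r\nQUIT\r\n"
TELNET_SESSION = [
    ("C", bytes([IAC, DO, 3, IAC, WILL, 24])),        # DO SUPPRESS-GA, WILL TERMINAL-TYPE
    ("S", bytes([IAC, WILL, 1]) + b"\r\nhost login: "),
    ("C", b"b"), ("C", b"ob"), ("C", b"\r\x00"),        # character-at-a-time mode
    ("S", b"\r\nPassword: "),
    ("C", b"hunter2\r\n"),
    ("S", b"\r\nLast login: Mon\r\n$ "),
]


def demo():
    return {"ftp": ftp_credentials(FTP_CLIENT),
            "telnet": telnet_credentials(TELNET_SESSION)}
```

The same USER/PASS extraction applies to POP3 and to IMAP's LOGIN command when those protocols run without TLS, which is why the mail section later recommends POP3S and IMAPS. Against SFTP or SSH a sniffer sees only the key exchange and encrypted records.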

Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP)

POP3 and IMAP protocols are used to retrieve e-mails from the e-mail servers over the TCP/IP connection.

The POP3 protocol is used by e-mail clients to download messages from the remote e-mail server. By default most clients delete a message from the server once it has been downloaded, unless configured to leave a copy on the server.

IMAP is used to view the e-mail messages in the server. Unless offline mode is enabled, the messages are not stored in the local machine, and the messages in the server are not deleted.

Threats, vulnerabilities, attacks, and countermeasures

Some of the common threats to POP3 and IMAP include credential theft and unauthorized reading of mail, since both protocols send the user name and password in clear text unless the connection is protected by TLS, as well as the e-mail system threats of non-delivery and Unsolicited Commercial E-mail (UCE), which is popularly known as spam. Vulnerabilities are generally related to the misconfiguration of the e-mail servers.

Note

Unsolicited Commercial E-mail (UCE) is also known as spam. A Mail Transport Agent (MTA) misconfigured as an open relay accepts mail from anyone for any destination, and spammers use such relays to deliver commercial mail to many accounts while hiding its origin.

Attacks include open-relay abuse and e-mail spoofing. Countermeasures are implementing strong authentication such as two-factor solutions, sender verification methods, and running POP3 and IMAP only over TLS (POP3S on port 995 and IMAPS on port 993, or STARTTLS on the standard ports) so that credentials are never exposed in clear text.

Simple Network Management Protocol (SNMP)

As the name implies, this network protocol is used for managing administrative tasks in the network. Monitoring the uptime of network devices, querying their configuration and status, and measuring throughput are some of the primary applications of this protocol/service.

Threats, vulnerabilities, attacks, and countermeasures

Some of the common threats to SNMP include unauthorized data capture and the disclosure of sensitive information such as community strings. Vulnerabilities are related to the misconfiguration of SNMP servers and using default values for community strings and other data.

Common attacks to SNMP include packet sniffing, brute force and dictionary attacks, as well as IP spoofing.

Note

Brute force and dictionary attacks try candidate passwords until one is accepted: a dictionary attack tries words from a wordlist, and a brute force attack tries all combinations of letters, numbers and special characters. Against SNMP v1 and v2c the target is the community string, which is sent in clear text and, on most agents, can be guessed without any lockout; against captured password hashes the same techniques are used offline.

Enforcing strong community strings (never the defaults such as public and private), restricting which management stations may query an agent, and a secure configuration of servers are some of the countermeasures for such attacks. Using SNMPv3 is also a countermeasure, as this version adds user-based authentication and, in authPriv mode, encryption of the management traffic; v1 and v2c should be disabled where possible.
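The reason community strings are exposed to sniffing is visible in the message format itself, and the following added example (not code from the original page) shows it in Python: a BER encoder that builds an SNMPv1/v2c GetRequest for sysDescr, and a parser that reads the version and community string back out of captured messages and flags defaults. The sample packets, the small default-community wordlist and the function names are constructed for the example; SNMPv3 messages carry no community field and are skipped.

```python
"""SNMPv1/v2c put the community string on the wire in cleartext. This builds a
GetRequest, then parses captured messages and flags default communities.
The sample packets and the wordlist are constructed for this example."""

DEFAULT_COMMUNITIES = {"public", "private", "manager", "admin", "cisco"}
SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def tlv(tag, payload):
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def ber_int(v):                          # non-negative integers only
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def ber_oid(oid):
    body = bytes([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)


def snmp_get(community, oid, version=1, request_id=0x1234):
    """version as encoded on the wire: 0 = SNMPv1, 1 = SNMPv2c."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")          # OID, NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode("latin-1")) + pdu)


def read_tlv(data, off):
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:                    # long form
        n = length & 0x7F
        length, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, data[off:off + length], off + length


def parse_header(packet):
    """Return version and (for v1/v2c) the cleartext community string."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, vbody, off = read_tlv(body, 0)
    version = VERSIONS.get(int.from_bytes(vbody, "big"), "unknown")
    if version == "v3":                  # msgGlobalData follows, no community
        return {"version": version, "community": None}
    _, cbody, off = read_tlv(body, off)
    ptag, _, _ = read_tlv(body, off)
    return {"version": version, "community": cbody.decode("latin-1"), "pdu": ptag}


def audit(packets):
    """(version, community, verdict) for every v1/v2c message in a capture."""
    findings = []
    for p in packets:
        info = parse_header(p)
        if info["community"] is None:
            continue
        verdict = "DEFAULT" if info["community"].lower() in DEFAULT_COMMUNITIES else "custom"
        findings.append((info["version"], info["community"], verdict))
    return findings


def demo():
    capture = [snmp_get("public", SYS_DESCR, version=0),
               snmp_get("private", SYS_DESCR, version=1),
               snmp_get("Zq8!rT-ro", SYS_DESCR, version=1)]
    return audit(capture)
```

Run over a real packet capture, the audit function is a quick way to find devices still answering to default communities; the same cleartext field is what an attacker's dictionary attack targets, one UDP datagram per guess.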

Presentation layer protocols and security

In the presentation layer, some of the important protocols are Multipurpose Internet Mail Extensions (MIME), Secure Shell (SSH), and Transport Layer Security (TLS).

Note

In the TCP/IP reference model, the preceding protocols are grouped under the application layer. TCP/IP combines the application, presentation and session layers into a single layer as the application layer.

Transport Layer Security (TLS) and Secure Sockets Layer (SSL)

TLS is used to ensure the confidentiality and integrity of data while being transmitted, and to authenticate the server (and optionally the client) using certificates. SSL is the predecessor of TLS; all SSL versions are now deprecated (SSL 3.0 formally by RFC 7568) and should be disabled. Both are cryptographic protocols used to encrypt sessions and the data transported in them.

Threats, vulnerabilities, attacks, and countermeasures

The most common threat for TLS and SSL is unauthorized information access, and software and configuration vulnerabilities (deprecated protocol versions, weak cipher suites, missing certificate validation) help such threats to materialize.

A replay attack captures a session or data and replays it to the server so that a software vulnerability can be exploited to gain unauthorized access to the system or data. A correctly implemented TLS connection resists replay within the connection: the record layer binds every record to an implicit sequence number that is authenticated but never reused, so a replayed or reordered record fails integrity checking and aborts the connection. Replay remains a concern at the application level, for captured requests resent over a new connection, and for TLS 1.3 0-RTT early data, which the standard itself warns is replayable.

Validating session data (unique, expiring tokens and nonces in the application protocol) and verifying source authenticity are some of the common countermeasures against replay attacks.
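Why the record-layer sequence number defeats replay, as an added example and not code from the original page or from any TLS library: a Python model of the integrity part of a TLS-style record layer using standard-library HMAC. Each direction keeps a 64-bit sequence number that is covered by the MAC but never transmitted, so a replayed record verifies against the wrong sequence number and is rejected; a naive MAC over the payload alone, shown beside it for contrast, accepts the same record indefinitely. The key and messages are constructed for the example, there is no encryption, and this is not a TLS implementation.

```python
"""Why a TLS-style record layer resists replay: each direction keeps an implicit
64-bit sequence number that is covered by the record MAC but never sent, so a
replayed or reordered record fails verification. Stdlib HMAC model of the
integrity part only (no encryption); the key and messages are constructed for
this example, and this is not a TLS implementation."""
import hashlib
import hmac
import struct

TAG_LEN = 32


def _mac(key, seq, payload):
    return hmac.new(key, struct.pack("!Q", seq) + payload, hashlib.sha256).digest()


class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def protect(self, payload):
        record = payload + _mac(self.key, self.seq, payload)
        self.seq += 1                    # never reused within the connection
        return record


class Receiver:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def verify(self, record):
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, _mac(self.key, self.seq, payload)):
            raise ValueError("bad_record_mac")   # fatal alert; connection torn down
        self.seq += 1
        return payload


def naive_verify(key, record):
    """A MAC over the payload alone: the same record verifies every time."""
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest())


def demo():
    key = b"constructed-session-key"
    sender, receiver = Sender(key), Receiver(key)
    transfer = sender.protect(b"POST /transfer?amount=100")
    balance = sender.protect(b"GET /balance")
    accepted = [receiver.verify(transfer), receiver.verify(balance)]
    try:
        receiver.verify(transfer)            # attacker replays the transfer
        replay = "accepted"
    except ValueError as err:
        replay = str(err)
    naive = b"POST /transfer?amount=100"
    naive_record = naive + hmac.new(key, naive, hashlib.sha256).digest()
    return {"accepted": accepted, "replay": replay,
            "naive_replays": all(naive_verify(key, naive_record) for _ in range(3))}
```

In real TLS the sequence number feeds the AEAD nonce (TLS 1.3) or the MAC input (TLS 1.2 and earlier) in exactly this role. Note that the protection is per connection: the same request captured and resent over a fresh connection is a new, valid record stream, which is why replay defences at the application layer are still needed.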

Session layer protocols and security

The session layer is responsible for establishing, maintaining and terminating sessions between applications. Some of its functions include opening and closing connections, keeping a session alive, and managing request/response exchanges between end-user applications; in the TCP/IP stack much of this is carried out by the sockets interface on top of TCP.

Some of the important protocols in this layer are Network Basic Input Output System (NetBIOS), Network File System (NFS), and Server Message Block (SMB).

Threats, vulnerabilities, attacks, and countermeasures

The most common threats for the session layer are hijacking and unauthorized information disclosure.

There are many vulnerabilities that are present in the session layer protocols. Weaknesses in session management and weak access mechanisms are common vulnerabilities of the same.

A common attack is session hijacking. Specifically, when NetBIOS is used over TCP/IP (ports 137 to 139) and SMB (port 445) is reachable, unauthenticated "null session" connections and name-service queries can expose host names, user and group names, and file share information to attackers.

Enforcing SMB signing (so that sessions cannot be hijacked or relayed undetected), disabling SMBv1, and blocking the NetBIOS and SMB ports at the network perimeter so that they are reachable only on the intranet are some of the countermeasures for these attacks.
