Chapter 13

Web Security, DNS Security, and the Internet

To understand information security in regard to the Internet, we must start by discussing how the Internet works, examining the Internet Protocol (IP) and the Transmission Control Protocol (TCP), routing protocols, and Domain Name System (DNS) servers, including the technology employed as well as their various vulnerabilities.

The Internet is the global interconnection of computer networks (which we all use now on an everyday basis) that makes use of TCP/IP to establish sessions between source and destination sites (TCP) and to address packets so that they can be routed across the Internet to the desired destination (IP).

Whereas the IP deals only with addressing packets that are to be routed across the network, TCP enables two hosts on both ends of the connecting network to establish a connection session and exchange a designated stream of data, which is transferred either individually or as a negotiated “window” of a specified number of IP packets. TCP guarantees delivery of the data and also guarantees that packets will be delivered in the same order in which they were sent by rearranging them in the transmitted order at the destination site. It also provides for retransmission of those packets if one of a “window” of packets is not delivered over a period of transmission time.

IP is the method or protocol by which data is addressed for transmission from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it among all the other computers on the Internet.

An IP address is a numerical label assigned to each device (whether it be a computer, printer, tablet, or smartphone) participating in a computer network that uses the IP for communication. An IP address serves two principal addressing functions: first, to identify a particular host or network interface with a unique identification; and second, to use that identity for the addressing of source and destination locations.

The Internet, then, is a network of various component subnetworks that have been interconnected. These can include public, private, academic, government, personal, and corporate networks that are spread across the globe. Making use of this interconnection are a variety of information services providing websites that connect to the Internet. The contents of such websites can be accessed via local routed networks or by means of an interconnected and interdomain-routed set of networks. For this purpose, TCP/IP and DNS are required. Figure 13.1 shows an example of such interconnected local and backbone Internet networks.

Figure 13.1 Local networks interconnected by backbone Internet network.

TCP is a connection-oriented protocol that establishes the flow of packet transmission and reinstates the original order when packets arrive at the destination in a different order than they were transmitted. When packets are transmitted across a network to another host (or network node), they carry a sequence number in a header field that is then used to reorder them on the receiving end. Moreover, once the packets are received by the intended destination host, a receipt acknowledgment is sent back to the originating host. If any packets are missing, those are not included in the acknowledgments, resulting in the original sender resending the missing packets. While this is a nice control protocol, there are security flaws associated with it. For example, IP packets with TCP information can be intercepted and read by a packet sniffer such as Wireshark. Once the TCP state has been obtained, an attacker can send a “reset” packet to an open socket, which can create a denial of service for the original sender.
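As an added illustration of the receiver-side behaviour described above (not code from the chapter), the model below reorders segments by sequence number, returns cumulative acknowledgments, and applies the RFC 5961 rule that a reset is honoured only when its sequence number is exactly the next expected byte; an in-window guess is answered with a challenge ACK and the connection stays open. The Segment/Receiver classes, the 4096-byte window and the sample segments are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    seq: int                 # sequence number of the first payload byte
    payload: bytes = b""
    rst: bool = False        # reset flag, as set by the peer or by an injector

@dataclass
class Receiver:
    rcv_nxt: int                                   # next in-order byte expected
    window: int = 4096                             # advertised receive window (assumed)
    pending: dict = field(default_factory=dict)    # out-of-order segments keyed by seq
    delivered: bytearray = field(default_factory=bytearray)
    open: bool = True
    challenge_acks: int = 0                        # challenge ACKs sent for suspicious RSTs

    def in_window(self, seq: int) -> bool:
        return self.rcv_nxt <= seq < self.rcv_nxt + self.window

    def receive(self, seg: Segment) -> int:
        """Process one segment; return the cumulative ACK number to send back."""
        if not self.open:
            return self.rcv_nxt
        if seg.rst:
            if seg.seq == self.rcv_nxt:
                self.open = False           # exactly the expected byte: genuine reset
            elif self.in_window(seg.seq):
                self.challenge_acks += 1    # in-window guess: ask the peer to confirm, stay open
            return self.rcv_nxt             # an out-of-window RST is silently dropped
        if not self.in_window(seg.seq):
            return self.rcv_nxt             # stale or out-of-window data: just re-ACK
        self.pending[seg.seq] = seg.payload
        while self.rcv_nxt in self.pending:  # deliver every contiguous run now available
            data = self.pending.pop(self.rcv_nxt)
            self.delivered += data
            self.rcv_nxt += len(data)
        return self.rcv_nxt

def demo() -> dict:
    """Constructed sample: three segments arrive as 2nd, 1st, 3rd, then a guessed RST."""
    r = Receiver(rcv_nxt=1000)
    acks = [r.receive(Segment(1006, b"world")),
            r.receive(Segment(1000, b"hello ")),
            r.receive(Segment(1011, b"!"))]
    r.receive(Segment(1500, rst=True))      # knows the ports but only guesses the sequence number
    return {"acks": acks, "data": bytes(r.delivered), "open": r.open, "challenges": r.challenge_acks}
```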

IP is the Internet addressing protocol that addresses packets, and those addresses are used to route and ultimately deliver packets to the destination host. For destinations outside a given network, the IP address will be the location of the default gateway. Although there is no error reporting if a packet is dropped (requiring non-acknowledgment as an indicator), a time-to-live field helps prevent endless loops of packets continually being transported and clogging up the network bandwidth. However, a security downside of the IP is that there is no authentication of the source IP address. This means that attackers can send packets from a fake source IP address to launch anonymous denial-of-service attacks or attempt to send an overwhelming amount of “ping” messages and essentially ping a server to death.

Beyond our discussion of the TCP and IP, there are a number of routing and associated protocols, which include Address Resolution Protocol (ARP), Border Gateway Protocol (BGP), Open Shortest Path First Protocol (OSPF), and Cisco’s Enhanced Interior Gateway Routing Protocol (EIGRP), as well as the original Routing Information Protocol (RIP). A security flaw of ARP is that proxy traffic can inject large amounts of broadcast packets into a network seeking a particular hardware address and blocking legitimate traffic. Also, with BGP, hackers can hijack a route to a victim of an attack, most likely as part of a denial-of-service attack, and can eavesdrop on packets that are being routed on a specific network. An example of this process is the situation wherein Russian attackers are reputed to have rerouted and sniffed packets that were not meant to have been routed through the Russian network (Figure 13.2).

Figure 13.2 How Russian attackers could sniff packets.

Another important component to know is the DNS. Domain names provide a means of translating an alias destination name, such as jjstone@bsu.edu, that stands in place of a real IP address such as 176.52.27.12 (which travels in binary form on the wire). When a user’s browser requests the IP address of another user or website by entering the alias name (jjstone) and the destination domain name (bsu.edu), the website’s DNS server will respond with the IP address, which is then inserted in packets to be routed to that specific user’s computer or to the specified website. These entries are cached at the local DNS server, allowing for a quick response time for repeated requests. There are security flaws in this system that can be exploited by hackers. For instance, interception of DNS requests or compromised DNS servers can deliver malicious responses to the requesting host. This can result in DNS poisoning attacks, which send user packets to websites for which they were not intended.
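The checks a caching resolver applies before it trusts a reply are what limit the poisoning described above. The example below (added here, not the chapter’s code) builds a query and a hand-constructed response in DNS wire format, then accepts records for the cache only if the transaction ID and question match the outstanding query and the owner names fall inside the zone that was asked about (the bailiwick rule). The bsu.edu name and 176.52.27.12 come from the text; the transaction IDs, the other.example record and the 203.0.113.9 address are constructed sample values, and name compression is not handled.

```python
import struct

def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels (no compression pointers)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg: bytes, off: int):
    labels = []
    while msg[off]:
        n = msg[off]; labels.append(msg[off + 1:off + 1 + n].decode()); off += 1 + n
    return ".".join(labels), off + 1

def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    # header: ID, flags (RD=1), QDCOUNT=1, AN/NS/ARCOUNT=0; then one question (class IN)
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_response(txid: int, qname: str, answers) -> bytes:
    """Constructed reply carrying A records; 'answers' is a list of (owner name, dotted IPv4)."""
    msg = struct.pack("!6H", txid, 0x8180, 1, len(answers), 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in answers:
        msg += encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return msg

def parse(msg: bytes):
    """Return (id, flags, qname, qtype, [(owner, rtype, rdata), ...]); A-record rdata is dotted."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        answers.append((name, rtype, ".".join(map(str, rdata)) if rtype == 1 else rdata))
    return txid, flags, qname, qtype, answers

def accept_for_cache(query: bytes, response: bytes, zone: str):
    """A records safe to cache from 'response', or None when the reply must be discarded."""
    q_id, _, q_name, q_type, _ = parse(query)
    r_id, flags, r_name, r_type, answers = parse(response)
    if r_id != q_id or not flags & 0x8000:            # ID mismatch or QR bit clear: not our reply
        return None
    if (r_name.lower(), r_type) != (q_name.lower(), q_type):  # question section must echo ours
        return None
    def in_zone(n: str) -> bool:                      # bailiwick rule: only names under the zone queried
        return n.lower() == zone or n.lower().endswith("." + zone)
    return [(n, ip) for n, t, ip in answers if t == 1 and in_zone(n)]
```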

The Internet is a large and complex interconnection of networks that is in no way free from the numerous hackers and the vast array of threats that are lurking and searching for appropriate and vulnerable victims.

QUESTIONS

1.  Describe what IPSec is and what layer it is in.

2.  What two encryption modes does IPSec support?

3.  Which one encrypts both header information and data?

4.  What is the function of Secure Sockets Layer (SSL)?

5.  Snort is used for distributed intrusion detection. What is its advantage over a firewall?
