TCP/IP and Internet Security CSEM02 University of Sunderland Harry R. Erwin, PhD
Resources Garfinkel and Spafford, 1996, Practical UNIX and Internet Security, O’Reilly, ISBN: B. Schneier, 2000, Secrets and Lies, Wiley, ISBN: Daniel J. Barrett and Richard E. Silverman, 2001, SSH, the Secure Shell, O’Reilly, ISBN: Eric Rescorla, 2001, SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, ISBN:
TCP/IP The most general packet and message-level protocol in use. Operates on LANs, WANs and other network protocol. We will discuss IPv4 There will be some overlap with lecture 6b.
Internet Addresses Dotted quartile –4 8-bit integers Unique in some sense (except that a local LAN may have only one address visible to the outside) Multiple address classes mean that not all addresses are usable. Classless InterDomain Routing (CIDR) has been introduced to address this.
Routing Routing is transparent Local hosts send packets to their gateway. The gateway is a router and handles matters from that point. The architecture routes around outages and failures.
Hostnames The name of the computer (not its address). Hostname IP Addresses may be many to many! Hostnames begin with an alphanumeric character and may contain letters, numbers, and a few symbols. Case is ignored. Two parts: machine name and domain. The first period is the separator.
Packets and Protocols ICMP—for control TCP—for connection-oriented service UDP—for connectionless service IGMP—for multicasting control
ICMP In-band control of internet operations. Examples: –Echo request and echo reply –Destination unreachable –Source quench –Redirect –Etc…
TCP Reliable, ordered, connection-oriented service. Connects (16 bit) ports at (32 bit) IP addresses. SYN and ACK bits in the packet header are used to negotiate new connections. –SYN set to request the connection –SYN and ACK set to ack the request –ACK set to confirm the connection –Three-way handshake This protocol allows unfriendly outsiders to detect which ports are being listened to.
UDP Unreliable connection-less service 10 times more throughput than TCP 53—dns 69—tftp 111—sunrpc 137—windows blithering 161—snmp
Clients and Services Clients initiate connections to servers. Sometimes this is logically backwards as in X-Windows, where the client is the sender of the information, and the server is the machine requesting the information. Daemons are servers that wait for user requests.
Name Service The conversion from a name to an address is handed by a domain name server (DNS). UDP is used, so a workstation may need to make multiple requests. In UNIX systems, DNS is usually handled by bind. Alternatives: –NIS –NetInfo –DCE
TCP Services 21—ftp 23—telnet 25—smtp 42—nameserver 43—whois 79—finger 80—http 109, 110—pop 113—auth 119—nntp
TCP/IP Security Risks include: –Sniffers –IP spoofing –Connection hijacking –Data spoofing
Causes of Weak Internet Security Underestimation of the hostility of the internet environment Overriding importance of message/packet transfer Evolution
Alternatives Encrypt the link Protect the link Encrypt the packets Encrypt the message Encrypt the session Peter Dunne has discussed this.
Limitations of Encryption Does not protect against deletion Trapdoors may exist in the encryption program Data can be accessed when not encrypted. Encryption can be broken. Keys can be weak.
The Problem IPv4 is insecure. Most TCP/IP services are unencrypted. This allows anyone to monitor and reconstruct connection traffic on the internet. Requirements for the following can be identified: –Encrypted connections between parties known to each other. –Third-party authentication and encrypted connection establishment when parties are not known to each other.
Solutions SSH to support encrypted sessions SSL to provide trusted third-party authentication and to support encrypted sessions.
SSH “Secure shell” Transparent encryption. Modern, secure encryption algorithms Reliable, fast, and effective Client/server interaction Eliminates.rhosts and hosts.equiv
Services Provided Replaces: –rsh and telnet with ssh –rlogin with slogin –rcp with scp –ftp with sftp Protocols –ssh-1 –ssh-2
SSH1 Authentication Mechanisms 1.Kerberos 2.Rhosts (trusted host authentication, insecure) 3.RhostsRSA (trusted host authentication, insecure) 4.Public-key (RSA) 5.TIS 6.Password (various flavors, relatively insecure)
SSH2 Authentication Mechanisms 1.Public-key (DSA, RSA, OpenPGP) 2.Hostbased 3.Password
Ciphers SSH1 –3DES, IDEA, ARCFOUR (alleged RC4), DES SSH2 –3DES, Blowfish, Twofish, CAST-128, IDEA, ARCFOUR
Port Forwarding SSH can forward or tunnel ports, allowing you to run insecure services securely. ssh -L 3002:localhost:119 news.yoyo.com
A Simple Example ssh -l harry harry.sunderland.ac.uk This allows me to log into Another way of doing the same thing is ssh
Using scp scp This transfers myfile from my home directory on harry.sunderland.ac.uk to afile locally. You can also use sftp similarly to ftp.
Threats Countered by SSH Eavesdropping DNS and IP Spoofing Connection Hijacking Man-in-the-Middle Attacks Insertion Attack
SSL Secure Sockets Layer An authentication and encryption technique that provides security services to TCP by a socket- style API. Relies on certificates issued by a trusted third party. Invented by Netscape. Is being replaced by TLS (Transport Layer Security)
Services Provided Secure http pop imap smtp ftp rmi corba iiop telnet ldap
SSL Functions Confidential transmission Message integrity Endpoint authentication
How It Works An understanding of how SSL works is necessary to use it safely. Uses public key cryptography. Trusted third parties (Certificate Authorities) provide the certificates that contain the public keys. Supports many encryption algorithms.
SSL-Enabled UNIX Clients curl, ethereal, ettercap, lynx, stunnel, gabber, links, mutt, xchat, bitchx, lftp, neon, openldap, openslp, pine, various database managers.