TCP/IP from a Security Standpoint

Networking and Communications (uploaded by dingdongboom)

Oct 27, 2013

CS-480b

Dick Steflik

TCP/IP Guru-ism

- You don't have to know all of the details
- You do need to know your system
  - What services it is providing
  - What protocols are involved
  - What vulnerabilities it has
  - How to minimize the risks

Why TCP/IP?

- Packet based
- Provides decentralized control
- Devices are peers
- It's routable
- Independent of transmission medium
- Open standard
- Free
- Robust
- Flexible
- Pragmatic



Physical Layer

Three major categories based on connection behavior:

- Dial-up: temporary point-to-point
- WAN and MAN: permanent point-to-point
- LAN: two or more devices communicating over a shared broadcast medium


Dial-up (and modems)

- Temporarily connected point-to-point
- Uses telephone infrastructure
- Audio frequency modems

Vulnerabilities

- Cannot provide physical security along the entire communications path
- Cables are usually run through public infrastructure, making physical security almost impossible
  - Peel back the insulation on the wire and connect alligator clips
- Telephone connection panel in basements of buildings
  - Easy to just clip on to the connections
  - Punch panels
  - Screw terminal connections

WAN and MAN

- Constantly connected point-to-point
- Uses telephone backbone, microwave, radio, fiber optic
- Dedicated digital leased lines
  - Specially conditioned telephone lines (guaranteed quality)
  - 56 Kbps - 9.95 Gbps
    - T1 - 56 Kbps
    - T2 - 6.312 Mbps
    - T3 - 44.736 Mbps
    - OC1 - 51.84 Mbps
    - OC48 - 2488 Mbps
    - OC192 - 9.95 Gbps
- CSU/DSU - Carrier Set Unit / Data Set Unit (connection device)
- Can be routed like a layer 3 protocol


WAN and MAN (more)

Vulnerabilities

- Because much is done using radio and microwave links, interception by a third party is pretty easy (especially radio); laser communication is harder to intercept but is overall less reliable due to environmental issues

Remedy

- Encrypt the data before placing it on unsecured links like radio, microwave or laser


LAN

- Two or more network devices communicating over a shared broadcast medium
- Local area, shared communications medium
- Ethernet, Token-ring, FDDI

Vulnerabilities

- Because much is done using radio and microwave links, interception by a third party is pretty easy (especially radio); laser communication is harder to intercept but is overall less reliable due to environmental issues

Remedy

- Encrypt the data before placing it on unsecured links like radio, microwave or laser


Dial-up

- Temporary connections
- Established as needed
- Cannot provide physical security along the entire communications path
- Cables are usually run through public infrastructure, making physical security almost impossible
  - Peel back the insulation on the wire and connect alligator clips
- Telephone connection panel in basements of buildings
  - Easy to just clip on to the connections
  - Punch panels
  - Screw terminal connections

Modems

- Convert low speed digital signals to audio or phase encoded signals for transmission through the public access telephone system
- Most consumer modems work over unconditioned analog lines on the public access telephone system

Vulnerabilities

- Because of the public access, hard to secure against physical tampering
- Tap on with another modem and listen as the data goes by

Remedy

- Encrypt data on the computer side of the sending and receiving modems

ISDN

- Integrated Services Digital Network
- A system of digital phone connections that allows data to be transmitted simultaneously across the world using end-to-end digital connectivity
- Available for > 10 years
- Data is sent digitally, unlike modems
- Uses a Terminal Adapter rather than a modem
- Must be within 18000 ft. of telco facilities
  - > 18000 ft. requires expensive repeaters
- 16 or 64 kbps depending on service type

Vulnerabilities

- Same as modems: physical security

Remedy

- Encryption


Data Link Layer

IEEE views the OSI Data Link Layer as 2 layers:

- Media Access Control (MAC) Sublayer
  - Translates generic network requests into device specific terms
- Logical Link Control (LLC) Sublayer
  - Provides the operating system link to the device driver

Media Access Control

- This is the actual device driver that controls the NIC
  - Reporting of and setting of device status
  - Packaging of outgoing data from the LLC layer
  - Sending of outgoing data
  - Receiving of incoming data
  - Unpacking of incoming data, error checking and passing data to the LLC layer
- MAC addresses are burned into the NIC and should be globally unique (by OEM agreement)
  - But they are of local scope to the LAN: LAN protocols like Ethernet and Token-ring have no provisions to pass data from one LAN to another, so a LAN should always see unique MAC addresses


Ethernet

Framing

- 6 byte Destination address (MAC address)
- 6 byte Source address (MAC address)
- 2 byte type (of packet in payload)
  - 0800: IP Datagram (46-1500 bytes)
  - 0806: ARP packet (28 bytes data + 18 bytes of padding)
  - 0835: RARP packet (28 bytes + 18 bytes of padding)
- 4 byte CRC

Remember, the Ethernet information will always stay local to the LAN; it's the IP, ARP or RARP packet that will move it from LAN to LAN and across the Internet.

PPP

- Designed to support multiple network types over the same serial link
- Supersedes SLIP (Serial Line Internet Protocol)

Framing

- 5 byte header
  - 7E FF 03 (constant)
  - 2 byte type field
    - 0021: IP Datagram
    - C021: Link control packet
    - 8021: Network control data
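As an added example (not from the slides), a small parser that applies the Ethernet framing rules and the PPP framing rules above: it splits the 6/6/2-byte Ethernet header, names the type field, enforces the 46-1500 byte payload range the slide gives, and checks the constant 7E FF 03 PPP header before reading its 2-byte type. The sample frames are constructed inline; the slide's RARP type 0835 is written here as 0x8035, the IEEE-assigned value.

```python
import struct

# EtherType values from the Ethernet slide (IP 0800, ARP 0806). The slide prints RARP
# as 0835; the IEEE-assigned value is 0x8035, which is what a real frame carries.
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP"}
ETH_MIN_PAYLOAD, ETH_MAX_PAYLOAD = 46, 1500   # slide: IP 46-1500 bytes; ARP padded to 46

# PPP constants from the PPP slide: constant 7E FF 03 header, then a 2-byte type field.
PPP_HEADER = b"\x7e\xff\x03"
PPP_TYPES = {0x0021: "IP", 0xC021: "link control", 0x8021: "network control"}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_ethernet(frame):
    """Split dst, src, type and payload out of a raw frame (trailing 4-byte CRC stripped).
    Frames that violate the slide's size rules are rejected rather than guessed at."""
    if len(frame) < 14 + ETH_MIN_PAYLOAD + 4:
        raise ValueError("runt frame: %d bytes" % len(frame))
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    payload, crc = frame[14:-4], frame[-4:]
    if len(payload) > ETH_MAX_PAYLOAD:
        raise ValueError("oversized payload: %d bytes" % len(payload))
    return {"dst": mac_str(dst), "src": mac_str(src),
            "type": ETHERTYPES.get(etype, "unknown-%04x" % etype),
            "payload_len": len(payload), "crc": crc.hex()}


def parse_ppp(frame):
    """Check the constant header and name the 2-byte type field."""
    if not frame.startswith(PPP_HEADER) or len(frame) < 5:
        raise ValueError("missing 7E FF 03 header or type field")
    ptype = struct.unpack("!H", frame[3:5])[0]
    return {"type": PPP_TYPES.get(ptype, "unknown-%04x" % ptype), "payload": frame[5:]}


# Constructed samples (not captured traffic). ARP body: 8 fixed bytes + sender MAC/IP +
# target MAC/IP = 28 bytes, then 18 bytes of padding and a placeholder CRC, as on the slide.
SRC_MAC = bytes.fromhex("001122334455")
ARP_BODY = (b"\x00\x01\x08\x00\x06\x04\x00\x01" + SRC_MAC + bytes([10, 0, 0, 1])
            + bytes(6) + bytes([10, 0, 0, 2]))
ARP_FRAME = b"\xff" * 6 + SRC_MAC + b"\x08\x06" + ARP_BODY + bytes(18) + b"\xde\xad\xbe\xef"
PPP_FRAME = PPP_HEADER + b"\xc0\x21" + b"\x01\x01\x00\x04"   # link control (LCP) request

if __name__ == "__main__":
    print(parse_ethernet(ARP_FRAME))
    print(parse_ppp(PPP_FRAME))
```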

Link Establishment Subversion

- A hacker can use call forwarding to forward an incoming call to the hacker's phone number
- Since Windows supports other network protocols (NetBEUI, IPX, IP over PPP) the hacker can then attempt to use one of those protocols to break into the calling machine
- Dial-up connections via cell phones can be hijacked right out of the air with a proper receiver
  - Harder to do with digital cell phones

Media Access Subversion

- It's up to the MAC to reject all but the packets destined for that machine; a hacker can put their MAC/NIC into promiscuous mode and receive all packets on the LAN
  - Most device drivers don't support this mode, so to do this a new device driver must be introduced
- It's a good idea every once in a while to scan all of the machines on your network looking for any machines that might be running promiscuously
  - Find out why they are running in promiscuous mode
  - Fix it
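An added example (not from the slides) of the periodic check the last bullet recommends, run on each host rather than across the network: on Linux the IFF_PROMISC bit in /sys/class/net/<iface>/flags says whether a NIC is promiscuous right now, and the kernel log records every change of mode. The syslog lines below are constructed; the sysfs path, the flag value and the "entered/left promiscuous mode" wording are real Linux conventions.

```python
import re
from pathlib import Path

# IFF_PROMISC bit of the Linux interface flags word (include/uapi/linux/if.h).
IFF_PROMISC = 0x100


def is_promiscuous(flags_text):
    """flags_text is the hex word read from /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Names of local interfaces currently in promiscuous mode (Linux sysfs only;
    returns [] where that directory does not exist)."""
    base = Path(sysfs_net)
    if not base.is_dir():
        return []
    found = []
    for iface in base.iterdir():
        try:
            if is_promiscuous((iface / "flags").read_text()):
                found.append(iface.name)
        except (OSError, ValueError):
            continue
    return sorted(found)


# The kernel logs every mode change; older kernels print "device <if> entered/left
# promiscuous mode" as below. Hosts, timestamps and interface names are constructed.
SAMPLE_SYSLOG = """\
Oct 27 10:01:02 host1 kernel: [ 1234.567] device eth0 entered promiscuous mode
Oct 27 10:05:09 host1 kernel: [ 1480.001] device eth0 left promiscuous mode
Oct 27 10:07:44 host2 kernel: [  900.123] device eth1 entered promiscuous mode
"""
PROMISC_RE = re.compile(r"(\S+) kernel: .*device (\S+) (entered|left) promiscuous mode")


def currently_promiscuous(log_text):
    """Replay enter/leave events in order; return (host, iface) pairs still promiscuous."""
    state = {}
    for line in log_text.splitlines():
        m = PROMISC_RE.search(line)
        if m:
            host, iface, event = m.groups()
            state[(host, iface)] = event == "entered"
    return sorted(pair for pair, on in state.items() if on)


if __name__ == "__main__":
    print("local:", promiscuous_interfaces())
    print("from syslog:", currently_promiscuous(SAMPLE_SYSLOG))
```

Interfaces that are legitimately promiscuous (a monitoring port, a bridge member) will show up too, which is exactly the "find out why" step on the slide.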

Logical Link Control

- OS control of the Device Driver
  - Multiple instances of driver for multiple NICs
  - Multiple Device drivers for different kinds of devices
- Windows: NDIS
- UNIX: character mode device specification