A network intruder will look for security weaknesses at every point in your
network architecture. If you have adequately locked down the Physical, Data
Link, Network, and Transport layers of your network, the wily hacker will simply
move up to those protocols and services your network does expose to the
Internet. These application-specific protocols are actually much easier to
exploit, so many hackers start there and drop down to the Network or Transport
level when they need to circumvent a protocol's security mechanisms. In this
article, we'll go over each of the most commonly used Internet services, briefly
examining each for their weaknesses and abuse potential. First, however, we'll
discuss sockets and services in general, identifying typical service
vulnerabilities so you can identify potential problems when you need to install
services on your own network.
Evaluating Socket-Based Services
Which services are safe to allow through your firewall, which are not safe, and
which ones do you need to keep an eye on? When a new service becomes popular, or
when you want to give your network clients a new Internet-based tool, what do
you look for when you evaluate the service?
How Complex Is the Service?
Complex services are easier to exploit than simple services. The Echo service,
for example, simply transmits back to the client whatever the client sends to
it. The Echo service is useful for debugging and for network connectivity
testing, but it is difficult to see how the Echo service could be exploited to
gain control of the computer running the service. Since the Echo service
accepts data from the client, however, it must be programmed to correctly
handle being fed too much data at once.
The mail service, on the other hand, is a large, complex piece of software that
accepts data (mail) from and returns data to the client, as well as reads and
stores data and configuration information on the computer's hard drive. Many
mail services (POP and IMAP, for example) require authentication before the
client can use the service. SMTP, on the other hand, allows any connecting user
to send mail as though it came from any user, even a non-existent one. If the
authentication mechanism can be subverted, the passwords hacked, or the service
tricked into sending out private data (such as your password file), the hacker
can use the service to get enough information to break into your computer
through other means, such as FTP or Telnet.
How Might the Service Be Abused?
Some services might be simple and innocuous in themselves, but can be turned to
unexpected and detrimental uses. Chargen, for example, is a simple Unix service
that sends out ASCII characters over and over. Chargen is a useful network
programming and testing tool, because there are certain classes of networking
problems that become evident when you can look at a stream of data spanning a
whole range of binary representations. A communications channel that clears (or
sets) the top two bits of every data word, for example, becomes obvious because
the pattern of characters from Chargen will change as well.
An unscrupulous hacker, however, might exploit this
protocol by forging a SYN packet (connection request) that redirects the output
of Chargen to another computer and port. This way the hacker can flood the
target computer with data that doesn't even originate from his own
computer!
What Information Does the Service Dispense?
Some services may be simple, terse, and still dangerous to your network
security. Finger, for example, was designed to help Unix users contact each
other. A Finger request will tell you whether there is an account for an
individual on a computer, what that account name is, when the user last logged
on, additional contact information for the user, and whatever else that user
would like to tell the world.
That information is certainly useful if you need to know a coworker's e-mail
address or phone extension. It is also incredibly useful for a hacker who wants
to verify the existence of an account, find a dormant one, or get clues to the
identity and personality of an account holder. You won't find many computers on
the modern Internet that support the Finger protocol. The Whois service is
another one that you might not want to run on your network due to the amount of
information it can give to a network intruder.
Services such as Whois and Finger are excellent timesaving tools for use within
an organization, but you should never allow access to these services from
beyond your internal network or your intranet.
How Much of a Dialog Does the Service Allow?
A simple service with a regular interface is easier to secure than a complex
service that uses an extensive dialogue with the client to provide its
functionality. HTTP, for example (disregarding CGI, server applets, and Active
Server Pages for the moment), is easy to secure because all the client can do
is ask for a resource, and the server does not maintain data about the state of
the connection between client requests (i.e. the protocol is stateless).
A stateful protocol is more difficult to secure, especially
if the protocol requires client authentication at the beginning of the session
and allows for many requests, replies, and state changes after authentication. A
stateful protocol must be tested for security holes for every state the client
may place the server in. It is possible, for example, to hijack a Telnet session
after an authorized client has established the connection and provided correct
credentials.
Also, the more dialog a service allows, the more dangerous
the service is when compromised. If a hacker arranges the Finger service to run
at the wrong permissions level (such as root or Administrator), the hacker would
still just get account and contact information from it. An FTP session at the
supervisor level, however, could send the hacker any file in the computer. A
root Telnet session would allow the intruder to do anything at all, including
running programs, shutting down or starting services, replacing operating system
code, as well as creating and deleting accounts.
How Programmable or Configurable Is the Service?
The more configurable a service, the easier it is to get the configuration
wrong. The more programmable the service, the more likely bugs are to pop up,
creating loopholes for network intruders to jump through. So, Exchange Server
(which has more configuration options than you can shake a stick at) and
Internet Information Server (or any other web server that allows you to run
arbitrary scripts to generate web pages) are more likely to contain security
weaknesses than simpler services.
What Sort of Authentication Does the Service Use?
Any service that requires authentication from the client is a potential
security risk for two reasons: the authentication protocol may be weak, and
users tend to use the same account names and passwords across multiple
services.
POP is one example of weak authentication. The username and password are sent
from the client to the server unencrypted, and the password is sent complete
and unsalted. In POP, the server asks for the username and password, and the
client just sends them. Compare this to MAPI (used by Microsoft Exchange), which
uses a challenge-and-response protocol. With MAPI, the server requests the
username and password, but also sends a value for the client to salt (prepend
to) the password before the client hashes (scrambles) the password. The
username and hashed password are then sent to the server. The server can
compare the hash to a known hashed password to determine if the client should
have access to the service. No eavesdropping computer can determine what the
password is from the hash, and the same hash cannot be used more than once
because the server sends a different salt value every time, so the resulting
hash changes as well.
Password
hashing works by storing an encrypted version of a password rather than storing
the password itself. The encryption algorithm is similar to a public-key
protocol in that it can only be used to encrypt the password, not to decrypt it.
Retrieving a stored password then doesn't reveal the password because the hash
cannot be reversed.
Challenge-response protocols are used to ensure that
a hacker can't use a password hash. In a challenge-response protocol, a random
number is transmitted by the server to the client. The client then encrypts the
random number using the password hash and transmits the result back to the
server, which uses its copy of the hash to decrypt the random number. If the
decrypted random number matches the original random number, then the client has
proven that it knows the hash and the server can trust it. On the wire, only a
random number and permuted random number have been transmitted, both of which
are worthless and cannot be reused.
The purpose of a challenge-response
protocol is to keep the hacker from intercepting the passwords as they travel
from the client to the server. If the hacker can't intercept the password, he
may just try to guess it. This is another area in which many protocols fail. A
properly implemented protocol will detect an unusual number (three or greater)
of failed password attempts, after which it will not allow any more logon
attempts to that username or from that client. A weak protocol will allow as
many attempts as the hacker can perform, and a clever hacker can write a program
to perform hundreds of attempts per second, determining the true password by
brute force. Windows will by default lock out any account but the Administrator
account when there are too many failed password attempts.
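As an added example (not code from this article, MAPI, or any product), here is the challenge-response exchange and the three-strikes lockout described above, with single-use challenges so that a captured response cannot be replayed. The hash scheme, the account name and the passwords are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed illustration of a challenge-response verifier: the client proves
# knowledge of the password hash without sending it, each challenge is accepted
# once only, and the account locks after MAX_FAILURES consecutive bad attempts.

MAX_FAILURES = 3  # lock out after this many consecutive failed attempts


def password_hash(password: str) -> bytes:
    """Server-side stored secret. Assumed scheme for the example: plain SHA-256
    of the password; a real system would use a slow, salted password hash."""
    return hashlib.sha256(password.encode()).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Client side: keyed hash of the server's random challenge under the
    password hash, so the wire carries neither the password nor its hash."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    def __init__(self, accounts):
        self.accounts = accounts   # username -> stored password hash
        self.pending = {}          # username -> outstanding challenge
        self.failures = {}         # username -> consecutive failed attempts
        self.locked = set()

    def issue_challenge(self, username: str) -> bytes:
        """Step 1: send a fresh random value; a new one is issued per attempt."""
        challenge = os.urandom(16)
        self.pending[username] = challenge
        return challenge

    def verify(self, username: str, response: bytes) -> bool:
        """Step 2: check the client's response against the stored hash."""
        if username in self.locked:
            return False
        # pop() makes the challenge single-use: a replayed response either has
        # no outstanding challenge to match or is checked against a new one.
        challenge = self.pending.pop(username, None)
        pw_hash = self.accounts.get(username)
        if challenge is not None and pw_hash is not None:
            expected = compute_response(pw_hash, challenge)
            # constant-time comparison so timing does not leak partial matches
            if hmac.compare_digest(expected, response):
                self.failures[username] = 0
                return True
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked.add(username)
        return False


def demo():
    """Walk through the scenarios in the text; returns
    (legit_ok, replay_ok, guess_results, correct_after_lock, locked)."""
    real_hash = password_hash("correct horse")   # constructed sample account
    server = ChallengeResponseServer({"alice": real_hash})

    # 1. Legitimate logon: fresh challenge, correct response.
    c1 = server.issue_challenge("alice")
    r1 = compute_response(real_hash, c1)
    legit_ok = server.verify("alice", r1)

    # 2. An eavesdropper who captured r1 replays it in a new session.
    server.issue_challenge("alice")
    replay_ok = server.verify("alice", r1)

    # 3. Guessing: each wrong guess counts; the third failure locks the account.
    guess_results = []
    for guess in ("password", "letmein"):
        c = server.issue_challenge("alice")
        guess_results.append(server.verify("alice", compute_response(password_hash(guess), c)))

    # 4. Once locked, even the correct password is refused.
    c = server.issue_challenge("alice")
    correct_after_lock = server.verify("alice", compute_response(real_hash, c))
    return legit_ok, replay_ok, guess_results, correct_after_lock, "alice" in server.locked
```

Note that a captured challenge/response pair still lets an attacker test password guesses offline against it, which is why the stored hash should be a slow, salted one.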
It is easier to
remember one password than a half-dozen, so many computer users use exactly the
same password for all of their computer accounts. This means that if a network
intruder penetrates one computer and captures the password list for that
computer, one or more passwords and usernames from that computer are very likely
to also work in another computer that is otherwise secure. Your
password-protected service gives the hacker a double resource—if the hacker can
find a password that works on that service, she'll try it elsewhere, and if she
can find a password elsewhere, she'll try it on that service as
well.
Your Network Profile
One thing that you should realize as you consider which services you will
expose to the Internet is that the more services you choose to expose, the less
secure your network will be. Each protocol you decide to allow may have a low
probability of being compromised, but those probabilities are additive and it
only takes one hole to negate all your security efforts. So remember, less is
more in this case: fewer services exposed means more security for your network.
In addition, hackers
use the services you expose to profile your servers and they use that
information to select which attacks to run in an attempt to penetrate your
network. If you expose all of the ports that a default Windows server exposes,
then the hacker is much more likely to pull out his Windows hacking scripts
rather than his Linux hacking scripts, for example.
Common Internet Services
The following services (and their port and protocol types) are covered:
- DNS (53 UDP)
- FTP (20 and 21 TCP)
- HTTP (80 TCP)
- IMAP (143 TCP)
- NTP (123 UDP)
- POP (110 TCP)
- SMTP (25 TCP)
- HTTPS (443 TCP)
DNS (53 UDP)
While this protocol is a prime target for network intruders, you can't disable
it without disabling all your network clients as well. You should protect your
DNS servers by blocking zone transfer packets or by using a DNS proxy service.
The following bulleted items summarize this protocol's security profile (we'll
provide a similar bulleted list for each protocol we discuss):
- Complexity: Complex
- Abuse Potential: High
- Information Sensitivity: Minimal
- Dialog: Minimal
- Programmability and Configurability: High
File Transfer Protocol (20 and 21 TCP)
FTP is a useful command-line protocol for transferring files
over the Internet. FTP is often used to remotely update web content on HTTP
servers. For this reason, among others, it may be necessary to allow FTP traffic
through your firewall.
FTP's development predates the development of
firewalls and it is therefore a little more difficult to pass through a firewall
than newer protocols such as HTTP. When a client opens a connection with the
service (using port 21, the command channel), the server opens a second
connection to the client (using port 20, the data channel). If the firewall is
using IP translation to hide the client computers behind a single public IP
address, the data channel connection attempt will fail unless special measures
are taken in the firewall to identify and pass through the incoming data
channel.
You should be exceedingly careful in configuring FTP security because FTP
establishes a dialog with the client in which the client can browse files on
the FTP server and download them, and because FTP authentication is made using
operating system usernames and passwords. Even if someone accesses the FTP
server as the "anonymous user," the user can gain access to critical operating
system files if you have set up file and directory security incorrectly
(especially if you have established symbolic links that allow the anonymous
user out of the typical safety sandbox).
When you set up an FTP
server for access that is external to your network, do not use the same account
names and passwords on the FTP server as are used for LAN logon.
Here's a rundown of the security characteristics of FTP:
- Complexity: Complex
- Abuse Potential: High
- Information Sensitivity: Medium
- Dialog: Complex
- Programmability and Configurability: High
HTTP (80 TCP)
The Web uses the HTTP protocol to transfer text, video, sound, and even
programs over the Internet. Initially, web servers were very simple (merely
sending out to a client whatever page the client requested), but the exploding
World Wide Web demands more and more features from web servers. Now a web
server is a complex piece of software, with many configuration options, a
complicated dialog, and infinite programmability.
The hacker exploitation of HTTP can go both ways: a hacker may try to exploit
your website using HTTP, and a hacker website may contain dangerous web page
components such as malicious ActiveX controls or Java applets.
An ActiveX control, once downloaded to a client computer on your network, can
do absolutely anything any other program on that computer can do. You should
require that on your network only those ActiveX controls that have been
digitally signed by organizations you trust will be downloaded. You can use the
Internet Explorer Administration Kit to lock down this Internet Explorer
setting. If you can get away with it, disable ActiveX controls entirely.
Java is a little safer. Make sure that all of the computers in
your network are configured not to allow Java applets access to hardware
resources unless they are digitally signed by organizations you trust.
On
the server side, be extremely careful with remote web administration software.
Most of the website hacking done by Internet vandals has been accomplished by
exploiting security holes in remote website management tools.
Scrutinize
server-side applets and CGI scripts. Do not make script directories browsable.
Do not allow arbitrary scripts to be uploaded. Do not allow scripts to be
executed from directories that contain other web data.
If you can, maintain web page usernames and passwords separately from operating
system usernames and passwords. Log web access, and look for unusual patterns
(excessive 404 errors, etc.).
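As an added example (not the article's own code), here is the "excessive 404" check the last sentence recommends, run over a few constructed Common Log Format lines. It distinguishes a client that keeps hitting one missing file (a broken link) from one whose not-found requests are spread across many different paths; the addresses, paths and timestamps are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log in Common Log Format (addresses, paths and
# timestamps are invented for this example). One line is deliberately
# malformed to show that the parser skips it rather than crashing.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
203.0.113.7 - - [10/Oct/2000:13:55:40 -0700] "GET /logo.gif HTTP/1.0" 404 210
198.51.100.23 - - [10/Oct/2000:13:56:01 -0700] "GET /scripts/ HTTP/1.0" 404 210
198.51.100.23 - - [10/Oct/2000:13:56:02 -0700] "GET /cgi-bin/ HTTP/1.0" 404 210
198.51.100.23 - - [10/Oct/2000:13:56:03 -0700] "GET /admin/ HTTP/1.0" 404 210
198.51.100.23 - - [10/Oct/2000:13:56:04 -0700] "GET /backup/ HTTP/1.0" 404 210
198.51.100.23 - - [10/Oct/2000:13:56:05 -0700] "GET /index.html HTTP/1.0" 200 2326
this line is not in log format and must be skipped rather than crash the report
203.0.113.7 - - [10/Oct/2000:13:57:12 -0700] "GET /logo.gif HTTP/1.0" 404 210
"""

# One Common Log Format line: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log(text: str) -> list:
    """Parse CLF lines into dicts; malformed lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def find_probing_hosts(entries: list, min_404: int = 3, min_distinct: int = 3) -> dict:
    """Report hosts with at least min_404 not-found responses spread over at
    least min_distinct different paths. Repeated 404s on a single path (a
    broken link, a missing image) are a web-design problem, not a probe."""
    requests = Counter()
    not_found = Counter()
    missing_paths = defaultdict(set)
    for e in entries:
        requests[e["host"]] += 1
        if e["status"] == 404:
            not_found[e["host"]] += 1
            missing_paths[e["host"]].add(e["path"])
    report = {}
    for host, count in not_found.items():
        distinct = len(missing_paths[host])
        if count >= min_404 and distinct >= min_distinct:
            report[host] = {
                "requests": requests[host],
                "not_found": count,
                "distinct_missing": distinct,
                "paths": sorted(missing_paths[host]),
            }
    return report


if __name__ == "__main__":
    for host, info in find_probing_hosts(parse_log(SAMPLE_LOG)).items():
        print(host, info)
```

The thresholds are deliberately low for the tiny sample; on a real server, tune them against a day of normal traffic before acting on the report.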
Security characteristics of HTTP:
- Complexity: Complex
- Abuse Potential: High
- Information Sensitivity: Medium
- Dialog: High
- Programmability and Configurability: High
IMAP (143 TCP)
This is the protocol used by network clients to retrieve mail from servers that
are configured to retain mail on the server rather than transfer it to the
client. The protocol itself, while more complex than POP, is slightly more
secure (passwords aren't sent in the clear, at least).
Security characteristics of IMAP:
- Complexity: Simple
- Abuse Potential: Medium
- Information Sensitivity: Medium
- Dialog: Low
- Programmability and Configurability: Low
NTP (123 UDP)
This is the protocol used by network devices, including firewalls, to reliably
update and synchronize their time and date settings. Many implementations of
NTP have proven vulnerable to a buffer overrun exploit that allows remote root
access. This is the perfect example of why even the simplest services should be
inspected for security regularly.
Security characteristics of NTP:
- Complexity: Simple
- Abuse Potential: Medium
- Information Sensitivity: Medium
- Dialog: Low
- Programmability and Configurability: Low
POP3 (110 TCP)
The Post Office Protocol allows clients to check their e-mail over the LAN or
over the Internet. POP is easy to configure and use, but the protocol is a
little too simple: it doesn't encrypt usernames or passwords. Avoid allowing
access to internal mail accounts from outside the firewall using POP, and if
you do, do not allow POP account names and passwords to be the same as LAN
usernames and passwords. Consider using IMAP instead.
Security characteristics of POP3:
- Complexity: Simple
- Abuse Potential: Medium
- Information Sensitivity: Medium
- Dialog: Minimal
- Programmability and Configurability: Low
SMTP (25 TCP)
Most of the mail exchanged over the Internet is done using the Simple Mail
Transport Protocol (SMTP). This protocol simply accepts mail in a simple dialog
(without checking the authority or even the identity of the sender).
Although the protocol is simple, the
software that processes the mail (once it's received) is often not so simple.
Many SMTP packages have complex configuration options and forwarding rules, and,
if incorrectly configured, these can adversely affect network performance or
crash the mail server when large amounts of mail are being processed. Also, the
lack of sender authorization leaves SMTP open to spam attacks and e-mail
flooding.
Unfortunately, if you want to receive Internet mail you need to
support SMTP. You should choose mail server software that is as bulletproof as
possible and use care when configuring it, paying attention to details like
available hard disk space, network bandwidth, and so on. Install a server-based
virus scanner to sanitize e-mail attachments as well.
Security characteristics of the SMTP protocol:
- Complexity: Complex
- Abuse Potential: High
- Information Sensitivity: Medium
- Dialog: Minimal
- Programmability and Configurability: High
HTTPS (443 TCP)
HTTP
transfers (on port 80) traverse the Internet unencrypted, so web traffic using
it should not be trusted. Internet commerce requires trust, however, as do
private communications and secure Intranet use. Fortunately, the Secure Socket
Layer provides a way for HTTP traffic to be encrypted between the client and the
server. Other protocols may use SSL as well to encrypt their session data, but
the network clients and servers must be written to allow this option. SSH is one
other such service, as is SFTP (FTP over SSL).
Security characteristics of HTTPS:
- Complexity: Simple
- Abuse Potential: Low
- Information Sensitivity: Medium
- Dialog: Minimal
- Programmability and Configurability: Low
Other Common Services:
DNS is one service you must allow through your firewall in one manner or
another, because without it your network clients won't be able to find
anything. There are many more services you may want to support on your network,
or that you may elect to block depending on the needs of your network users.
Each has its strengths and vulnerabilities. Note that nearly all services are
available for all platforms through the use of third-party applications. We've
divided the services based on the standard configurations of these operating
systems.
Unix has a bevy of simple legacy services from early in the development of the
Internet—when security was less of an issue and it was useful to have a service
that cycled through the character set, so you could see if one of the routers
between your computer and that host was chopping off the top bit of all the
bytes in the network packet and thereby garbling your e-mail. Since then, the
world has standardized on eight-bit bytes and hackers have learned to exploit
unchecked buffer copies; so while the majority of these protocols are harmless,
it makes no sense to leave them exposed at the firewall.
Chargen (19 UDP and TCP)
Chargen continuously sends out the printable ASCII characters.
It is useful for testing network applications. Any service that could be stopped
or swamped by a stream of ASCII characters is broken anyway and shouldn't be let
past your firewall. It is extremely unlikely that a network intruder could use
Chargen to break into your system.
Daytime (13 UDP)
This
service sends the date and time at the server to the client. It would take a
very clever hacker to find a security weakness in this
protocol.
Discard (9 UDP and TCP)
This protocol throws away
any data sent to it. It is useful for developing network tools. It is as secure
as it is useless.
Echo (7 UDP)
Echo repeats to the
connected client whatever the connected client sends to it. It is useful for
testing network applications. It is extremely unlikely that a network intruder
could use Echo to break into your system, as long as Echo properly manages its
input buffers.
Finger (79 TCP)
The Finger service was
designed to help network users communicate by providing system information, such
as the last time a user checked their e-mail, and real-world data, such as the
user's office hours, telephone number, or current projects. Unfortunately, this
data is as good as gold to hackers looking for potential account names and
passwords. Also, some hackers will even go so far as to call an office
pretending to be the help desk staff and trick users into giving up their
account names and passwords over the phone.
NFS (2049 TCP and UDP)
NFS is the Unix equivalent of NetBIOS; it gives LAN clients access to file
server storage. If you need to allow remote clients access to NFS resources,
establish an encrypted tunnel to do it; don't just open up the NFS ports.
Improperly configured NFS servers can be easily exploited to gain root access,
and it's easy to spoof legitimate NFS connections.
Quote (17 UDP)
This protocol merely sends any connecting client a random
selection from a file full of quotes. Quote provides little leverage for
abuse.
RPC (Unix) (111 UDP)
Remote Procedure Call is a protocol that allows two computers to coordinate
executing software. A program on one computer can use RPC to transfer the
execution of a subroutine to another computer, and have the result returned via
RPC to the first. RPC is a fragile service, and most operating systems cannot
handle arbitrary data being sent to an RPC port. RPC is best used in trusted
LAN environments, and you should not let RPC traffic through your firewall.
RSH (514 TCP)
The
Remote Shell protocol makes up for deficiencies in Telnet. There are always
dangers when you allow remote command-line access to computers through your
firewall, and RSH is better than Telnet because RSH at least protects the
passwords as they are exchanged between the client and the server, but SSH is
better than either because it encrypts the session data as well. Use SSH for
remote console access and block Telnet and RSH.
SSH (22 TCP)
The Secure Shell protocol makes up for deficiencies in RSH and Telnet. SSH uses
SSL encryption to securely authenticate communications and encrypt session
data. You can configure it to allow usernames and pass-phrases or cryptographic
key exchange (or both) to authenticate the user, public keys to specify
authorized client computers, and a range of algorithms to encrypt the session
data with. If you are going to allow any kind of remote control through your
firewall, this is a good choice.
Platform Neutral Services
There are some services that you may find running on both Windows computers and
Unix computers because of their universal utility. Not all of them must be
exposed to the Internet, however, because many of them are primarily used in a
LAN environment; DHCP is one such example. Others—Gopher, for example—have been
superseded by later protocols. Some others are current and often used in an
Internet setting but must be treated with care; LDAP is one such.
Telnet (23 TCP)
Telnet is extremely simple: it's just a connection opened to a command line
interpreter. Whatever you type is sent to the interpreter on the server, and
the interpreter's response is returned to you. The data traffic is not
encrypted, and when you log on, the username and password are readable by any
computer on any intermediate LAN. Do not allow Telnet access to computers inside
your firewall. If you require command-line access, use a more secure protocol
such as SSH.
TFTP (69 UDP)
TFTP is used with BootP and DHCP to allow diskless workstations to load their
operating system and other configuration over the LAN. TFTP does not have the
two-channel problem that FTP has (and therefore it interoperates well with a
firewall), but there is little reason to allow TFTP through a firewall when you
already have FTP and HTTP for file distribution. Also, hackers have developed
tools for using unprotected TFTP servers as pirated software dumping grounds,
so you should use a more secure file transfer protocol through your firewall.
BootP/DHCP (67 and 68 UDP)
BootP was developed as a simple mechanism for allowing simple network terminals
to load their operating system from a server over the LAN. Over time it has
expanded to provide for centralized control of many aspects of a computer's
identity and behavior on the network, including allocating IP addresses,
configuring gateway, DNS, and router settings, dispensing NetBIOS names, as
well as downloading operating system files. The greatest danger from BootP and
DHCP is from a network intruder impersonating a DHCP server on your network and
thereby misconfiguring the DHCP clients. As long as you do not allow DHCP to
pass your firewall, you should be able to use DHCP internally without problems.
LDAP (389 TCP and UDP)
The Lightweight Directory
Access Protocol is a flexible and distributed way of maintaining contact
information (including usernames and passwords) over the Internet. Several
Internet services use LDAP to maintain user information rather than relying on
the operating system user accounts. This is more secure because it separates
operating system functionality from service functionality, and a hacker who gets
a service password will not necessarily be able to log on to the server with it.
If you want to maintain contact information on your network to facilitate
communication with people in your organization, you should consider using LDAP
instead of Finger and Whois.
SNMP (161 UDP)
The Simple Network Management Protocol is a useful tool for remotely managing
network devices such as routers, servers, hubs, clients, and terminal servers.
You can use it to enable and disable ports, measure bandwidth, reboot devices,
and gather statistics. However, it should be used to manage your network only,
not to allow hackers to watch every aspect of the data flow on your network.
Block SNMP traffic at your firewall.
VNC (5800 and 5900 TCP)
Virtual Network Computing (VNC) allows for remote control of computers'
desktops, much like Terminal Services does for Windows. Unlike Terminal
Services, however, VNC is cross-platform: clients exist for Windows, Unix, and
many other operating systems besides. While the authentication between the VNC
server and the client is encrypted, the session information (keystrokes and
window contents exchanged) is not. If you require remote control of computers
inside your network from the outside, consider requiring other security
mechanisms as well, such as a VPN tunnel between the client and the server
network.
Last words
Security is not a static thing; it's a continually evolving process. You can't
just plug in a firewall and expect it to solve your security problem forever.
Attacks change, methods become obsolete, and so do firewalls. To obtain true
security, you have to maintain constant vigilance.