Network Security Administrator

Module II: Network Protocols

Module Objectives
~ Overview of Network Protocols
~ Serial Line Internet Protocol
~ Point-to-Point Protocol
~ Internet Protocol
~ Address Resolution Protocol
~ Reverse Address Resolution Protocol
~ Internet Group Management Protocol
~ Internet Control Message Protocol
~ Transmission Control Protocol
~ User Datagram Protocol
~ File Transfer Protocol
~ Trivial File Transfer Protocol
~ Telnet Protocol
~ Simple Mail Transfer Protocol
~ Network News Transfer Protocol
~ Simple Network Management Protocol
~ Hyper Text Transfer Protocol
~ POP, IPv6

EC-Council

Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited

Module Flow

~ Network Protocol: Overview
~ Serial Line Internet Protocol
~ Point-to-Point Protocol
~ Internet Protocol
~ Address Resolution Protocol
~ Reverse Address Resolution Protocol
~ Internet Group Management Protocol
~ Internet Control Message Protocol
~ Transmission Control Protocol
~ User Datagram Protocol
~ File Transfer Protocol
~ Trivial File Transfer Protocol
~ Telnet Protocol
~ Simple Mail Transfer Protocol
~ Network News Transfer Protocol
~ Simple Network Management Protocol
~ Hyper Text Transfer Protocol

Network Protocols: Overview


Serial Line Internet Protocol


~ Introduced in 1980 and functions in the data link layer
~ Offered a way to send IP datagrams over serial connections
~ Provides dial-up access to Internet and LANs
~ Preferred way for encapsulating IP packets due to less overhead
~ Appends a SLIP END character to each datagram to distinguish one datagram from the next
~ Limitations:
  - No method for detection or correction of error in transmission
  - Doesn't support encryption of data or authentication of connection
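
The END-character framing and the missing error detection listed above can be seen in a few lines. This is an added example, not part of the original slides; the byte values follow RFC 1055, while the function names and sample payloads are constructed for illustration.

```python
"""SLIP framing per RFC 1055: END-delimited datagrams with byte stuffing."""
END, ESC, ESC_END, ESC_ESC = 0xC0, 0xDB, 0xDC, 0xDD

def slip_encode(datagram: bytes) -> bytes:
    """Escape END/ESC bytes in the payload, then append the END delimiter."""
    out = bytearray()
    for b in datagram:
        if b == END:
            out += bytes([ESC, ESC_END])
        elif b == ESC:
            out += bytes([ESC, ESC_ESC])
        else:
            out.append(b)
    out.append(END)
    return bytes(out)

def slip_decode(stream: bytes) -> list[bytes]:
    """Split a received byte stream into datagrams; empty frames are dropped."""
    frames, cur, escaped = [], bytearray(), False
    for b in stream:
        if escaped:
            # RFC 1055: an unexpected byte after ESC is passed through unchanged.
            cur.append({ESC_END: END, ESC_ESC: ESC}.get(b, b))
            escaped = False
        elif b == ESC:
            escaped = True
        elif b == END:
            if cur:
                frames.append(bytes(cur))
            cur = bytearray()
        else:
            cur.append(b)
    return frames

def corrupt(stream: bytes, index: int, mask: int = 0x01) -> bytes:
    """Simulate line noise by flipping bits in one byte of the stream."""
    damaged = bytearray(stream)
    damaged[index] ^= mask
    return bytes(damaged)

# Constructed sample payloads (not real IP datagrams); the second contains END and ESC.
SAMPLES = [b"hello", bytes([0x45, END, 0x00, ESC, 0x7F])]

if __name__ == "__main__":
    wire = b"".join(slip_encode(d) for d in SAMPLES)
    print(wire.hex(), slip_decode(wire) == SAMPLES)
    # A bit flip in the payload is delivered as a valid datagram: no checksum, no error.
    print(slip_decode(corrupt(wire, 0)))
```

Any integrity check has to come from the layers above SLIP, since the framing accepts a damaged payload and even a damaged delimiter without complaint.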

Point-to-Point Protocol

~ Introduced in 1994 and functions in the data link layer
~ Creates the session between the user system and the ISP for transferring IP packets over a serial link
~ Encapsulates packets in HDLC-based frames
~ Broad framing mechanism as compared to the single END character in SLIP
~ Supports encryption of data and authentication of connection

Internet Protocol

~ Introduced in 1970 and functions in the network layer
~ Data-oriented protocol used by source and destination hosts for communicating data across a packet-switched internetwork
~ Features:
  - Provides universally defined addresses
  - Allows transmission that is independent of any lower level protocol
  - Connectionless and unreliable protocol
  - Doesn't use acknowledgement after delivery

Internet Protocol: Attacks and Countermeasures


~ Attacks:
  - Source Routing: An attacker can pick any source IP address desired if weak source routing is present
  - Routing Information Protocol Attacks: RIP is used to propagate routing information on local networks, so it is easy for an attacker to route an active host
  - Exterior Gateway Protocol Attacks: Easy for the attacker to impersonate a second exterior gateway for the same autonomous system
~ Countermeasures:
  - Reject pre-authorized connections if source routing information was present
  - Use a paranoid gateway that can block any form of host spoofing
  - Authenticate RIP packets in the absence of economical public-key signature schemes

Address Resolution Protocol


~ Introduced in 1982 and functions in the network layer
~ Dynamic resolution protocol, used for finding a host's Ethernet address from its IP address
~ Encodes the IP address of the recipient in a broadcast message
~ For correlation of addresses, two basic methods used are:
  - Direct Mapping: Converts layer three addresses to layer two addresses
  - Dynamic Resolution: Resolves layer three addresses into layer two addresses when only the layer three address is known

Address Resolution Protocol: Vulnerabilities and Security Measures


~ Vulnerabilities
  - Absence of authentication enables the attacker to forge ARP requests
  - Stateless protocol enables sending replies without corresponding ARP request
  - Vulnerable to ARP spoofing and Man-in-the-Middle attacks
~ Security Measures
  - Use DHCP to stop spoofed IP conflicts
  - Firewall should be configured to block ARP
  - Run a batch file with static ARP entries
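
Because ARP is stateless and unauthenticated, a monitor has to keep the state the protocol lacks. The following is an added example, not part of the original slides: detection logic that flags replies with no matching request and replies that contradict a trusted binding. The event tuple format, the 2-second window and the sample addresses are assumptions made for illustration.

```python
"""Flag ARP replies that answer no request or contradict a known IP-to-MAC binding."""
REQUEST, REPLY = 1, 2   # ARP opcodes (RFC 826)
WINDOW = 2.0            # assumed: seconds a request stays outstanding

def audit_arp(events, static_bindings):
    """events: (time, opcode, sender_ip, sender_mac, target_ip) tuples in time order.
    static_bindings: trusted ip -> mac map, such as the static ARP entries.
    Returns a list of (time, sender_ip, sender_mac, reasons) alerts."""
    pending = {}                                        # requested ip -> request time
    known = {ip: mac.lower() for ip, mac in static_bindings.items()}
    alerts = []
    for ts, op, s_ip, s_mac, t_ip in events:
        s_mac = s_mac.lower()
        if op == REQUEST:
            pending[t_ip] = ts
            continue
        reasons = []
        asked = pending.pop(s_ip, None)
        if asked is None or ts - asked > WINDOW:
            reasons.append("unsolicited reply")
        expected = known.get(s_ip)
        if expected is None:
            if not reasons:
                known[s_ip] = s_mac      # learn only from solicited replies
        elif expected != s_mac:
            reasons.append("binding conflict")
        if reasons:
            alerts.append((ts, s_ip, s_mac, tuple(reasons)))
    return alerts

# Constructed sample data: documentation IPs, locally administered MACs.
STATIC = {"192.0.2.1": "02:00:00:00:00:01"}
SAMPLE_EVENTS = [
    (0.0, REQUEST, "192.0.2.10", "02:00:00:00:00:10", "192.0.2.1"),
    (0.1, REPLY,   "192.0.2.1",  "02:00:00:00:00:01", "192.0.2.10"),
    (5.0, REPLY,   "192.0.2.1",  "02:00:00:00:00:66", "192.0.2.10"),
    (6.0, REQUEST, "192.0.2.10", "02:00:00:00:00:10", "192.0.2.20"),
    (6.2, REPLY,   "192.0.2.20", "02:00:00:00:00:20", "192.0.2.10"),
    (9.0, REPLY,   "192.0.2.30", "02:00:00:00:00:30", "192.0.2.10"),
]

if __name__ == "__main__":
    for alert in audit_arp(SAMPLE_EVENTS, STATIC):
        print(alert)
```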

Reverse Address Resolution Protocol


~ Introduced in 1984 and functions in the network layer
~ Protocol used to obtain the IP address from the given Ethernet address
~ Features:
  - Solves the bootstrapping problem
  - Backward use of ARP
~ Limitations:
  - Manual configuration of each client's MAC address on the central server
  - Non-IP protocol that cannot be handled with the TCP/IP stack present on the client computer

Internet Group Management Protocol


~ Introduced in 1990 and functions in the network layer
~ Used to manage the multicast group in TCP/IP network
~ Features of three versions:
  - IGMP Version 0: Supports the allocation of temporary group addresses between IP hosts and their immediate neighbor multicast agents
  - IGMP Version 1: Supports the creation of transient groups
  - IGMP Version 2: Supports group membership termination for quick report to routing protocol
~ Message Types:
  - Host Membership Report
  - Host Membership Query
  - Leave Group

Internet Control Message Protocol


~ Introduced in 1995 and functions in the network layer
~ Allows devices to send error and control messages
~ ICMP Messages:
  - Error Message: Gives feedback to the source about the occurred error
  - Informational Message: Allows the user to exchange information, implement IP related features and perform testing
~ Limitation: Delivery of message is not assured if encapsulated directly within a single IP datagram

Internet Control Message Protocol: Attacks and Security Measures


~ ICMP Attacks:
  - Redirect Message Attacks
  - Subnet Mask Reply Attacks
  - Denial of Service Attacks
~ Security Measures:
  - Restrict route changes to the specified location to prevent redirect attacks
  - Check the reply packet only at suitable time to block the subnet mask attacks
  - Authentication mechanism

Transmission Control Protocol


~ Introduced in 1970 and functions in the transport layer
~ Byte-stream connection oriented protocol providing reliable delivery
~ Features and Functions:
  - Supports acknowledgement of received data by sliding window acknowledgement system
  - Automatic retransmission of lost or unacknowledged data
  - Provides addressing and multiplexing of data
  - Establishes, manages and terminates the connection
  - Offers reliability and transmission quality service
  - Provides flow control and congestion management

User Datagram Protocol


~ Introduced in 1980 and functions in the transport layer
~ Connectionless protocol used by applications that stress fast rather than reliable delivery of datagrams
~ Applications:
  - Used for streaming audio and video, videoconferencing
  - Trivial File Transfer Protocol, Simple Network Management Protocol and online games
~ Disadvantages:
  - Doesn't support acknowledgement for received data or retransmission of lost messages
  - Doesn't offer flow control and congestion management

TCP, UDP: Attacks and Countermeasures


~ Transmission Control Protocol
  - TCP Sequence Number Prediction Attack: Constructs a TCP packet sequence without seeing the server's response, allowing a hacker to spoof a trusted host on a local network
  - Countermeasures:
    - Randomize the sequence number increment
    - Good logging and alerting mechanisms
~ User Datagram Protocol
  - Attack: Easier to spoof UDP packets than TCP packets, as there are no handshakes or sequence numbers
  - Countermeasures: Applications that are using UDP should make their own arrangements for authentication

File Transfer Protocol


~ Introduced in 1971 and functions in the application layer
~ Protocol used to exchange files over the Internet and uses TCP for transfer
~ Features:
  - Promotes sharing of files
  - Supports indirect or implicit use of remote computers
  - Reliable and efficient transfer of data
~ Disadvantages:
  - Hard to filter the active mode FTP traffic on client side
  - More overhead, since more commands are needed to start the transfer

Trivial File Transfer Protocol


~ Introduced in 1980 and functions in the application layer
~ Protocol used to exchange files over Internet and uses UDP for transfer
~ Preferred in situations where fast and simple transfer of small files is necessary
~ Disadvantages compared to FTP:
  - Limited command set only for sending and receiving files
  - No authentication or encryption mechanism
  - Allows only simple ASCII or binary file transfer

FTP, TFTP: Vulnerabilities


~ FTP Vulnerabilities:
  - Directory Traversal: Allows remote attackers to escape the FTP root and read arbitrary files
  - Buffer Overflow: Allows remote attackers to gain root privileges
  - SITE EXEC Command Attack: Allows remote attackers to execute arbitrary commands via the SITE EXEC command
  - FTP Server Vulnerability: Allows local and remote attackers to cause a core dump in the root directory possibly with world-readable permissions
~ TFTP Vulnerabilities:
  - TFTP Vulnerability: Allows access to files outside the restricted directory by Linux implementations of TFTP

TELNET

~ Introduced in 1971 and functions in the application layer
~ TCP based client-server protocol used on Internet and LAN connections
~ Features:
  - Offers user oriented command line login sessions between hosts on the Internet
  - Allows user for remote login by opening connection to remote server
~ Major Concepts Of Foundation:
  - Network Virtual Terminal (NVT) used for universal communication by all devices
  - Avoids incompatibilities between devices by providing common base representation
  - Symmetric operation for client and server

Simple Mail Transfer Protocol


~ Introduced in 1981 and functions in the application layer
~ Text-based protocol that defines one or more recipients for transferring the text messages
~ SMTP uses MIME to encode binary text and multimedia files for transfer
~ Features:
  - Defines the message format and Message Transfer Agent (MTA) that stores and forwards the mail
  - Direct transfer of user's mail to the server that can handle the mail using Domain Name Service
  - Acts as a push protocol by restricting users from pulling messages from remote server

TELNET, SMTP: Vulnerabilities


~ TELecommunication NETwork:
  - Vulnerability: Allows an attacker to bypass the normal system libraries and gain root access
  - Guessable Passwords: A Unix account has a guessable password
~ Simple Mail Transfer Protocol:
  - Vulnerability: Allows remote attackers to execute arbitrary code via a malicious DNS response message
  - Security Issues:
    - Use a firewall to block incoming TCP protocol network traffic
    - Block TCP protocol network traffic on Windows Server 2000 because it handles Domain Name System (DNS) lookups

Network News Transfer Protocol


~ Introduced in 1986 and functions in the application layer
~ Protocol used to connect Usenet group on the Internet and carry Usenet traffic over TCP/IP
~ Functions:
  - Propagates messages between NNTP servers
  - Allows NNTP clients to post and read articles
  - Handles both inter-server and client-server communication using NNTP command set

Network News Transfer Protocol: Vulnerability and Countermeasures


~ NNTP Vulnerability: Allows remote attackers to execute arbitrary code via XPAT patterns that are related to improper length validation
~ Countermeasures:
  - Enable advanced TCP/IP filtering on systems that support NNTP
  - Block the affected ports by using IPSec on the affected systems
  - Remove or disable NNTP if there is no need for it

Simple Network Management Protocol


~ Introduced in 1987 and functions in the application layer
~ Protocol used to communicate management information between network management stations and managed devices
~ Components:
  - Master Agents: Responds to SNMP requests made by a management station
  - Subagents: Implements the information and management functionality
  - Management Stations: Receives requests for management operations on behalf of administrator

Simple Network Management Protocol: Security Issues And Models


~ Security Issues
  - MIB objects contain critical information about network devices
  - Community strings are passed in clear text in messages, are easily sniffed and provide weak authentication
~ Security Models
  - Party Based Security Model: A logical entity called party specifies a particular authentication protocol and privacy protocol
  - User Based Security Model: Provides the security based on access rights of a user of the machine
  - View Based Access Control Model: Controls access to objects on a device

Hyper Text Transfer Protocol


~ Introduced in 1990 and functions in the application layer
~ Communication protocol used to establish a connection with a Web server and transmit HTML pages to the client browser
~ Stateless request/response system between client and server
~ Features:
  - Supports multiple host names
  - Performance enhancement due to multiple requests in a single TCP session
  - Improved efficiency due to method caching and proxying support
  - Provides security by authentication methods

Hyper Text Transfer Protocol: Vulnerabilities


~ Cross-site Scripting: Allows remote attackers to execute arbitrary JavaScript on other web clients
~ Directory Traversal: Allows attackers to access restricted directories and execute commands outside of the web server's root directory
~ MailMan Webmail: Allows remote attackers to execute arbitrary commands via shell metacharacters
~ Buffer Overflow: Allows remote attackers to execute arbitrary commands via a long password value in a form field
~ eWave: Allows remote attackers to upload files
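
The directory traversal items on the FTP/TFTP vulnerabilities slide and on the HTTP slide above share one server-side defence: resolve the client's path and refuse anything that lands outside the root. This is an added example, not part of the original slides; `resolve_in_root`, the directory names and the sample requests are constructed for illustration.

```python
"""Confine client-supplied FTP/TFTP/HTTP paths to the server's root directory."""
import os
import tempfile

def resolve_in_root(root, requested):
    """Return the real path for `requested` inside `root`, or raise PermissionError."""
    if "\x00" in requested:
        raise PermissionError("NUL byte in path")
    root_real = os.path.realpath(root)
    # Client paths are always relative to the root, even if they start with "/".
    relative = requested.replace("\\", "/").lstrip("/")
    # realpath collapses ".." and follows symlinks, so the check sees the real target.
    candidate = os.path.realpath(os.path.join(root_real, relative))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"{requested!r} resolves outside the root")
    return candidate

# Constructed sample requests: two legitimate, three that leave the root.
REQUESTS = ["pub/readme.txt", "/pub/readme.txt", "pub/../../private/key",
            "..\\..\\private\\key", "pub/link/key"]

def demo():
    """Build a constructed directory tree and classify the sample requests."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "ftproot")
        os.makedirs(os.path.join(root, "pub"))
        os.makedirs(os.path.join(base, "private"))
        # A symlink inside the root that points outside it.
        os.symlink(os.path.join(base, "private"), os.path.join(root, "pub", "link"))
        for req in REQUESTS:
            try:
                resolve_in_root(root, req)
                results[req] = "allowed"
            except PermissionError:
                results[req] = "denied"
    return results

if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:8} {req}")
```

The check and the later file open are separate steps, so a symlink swapped in between them is a race this example does not cover.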

Post Office Protocol


~ A protocol used to retrieve emails from an email server
~ Indicates the action of transferring emails from the inbox of mail server to the inbox of the client
~ POP3 is an enhanced version that works with/without SMTP mail gateways
~ POP3 services run on port number 110 as defined by the IANA
~ Features:
  - Supports offline mail processing and persistent message IDs
  - Offers access to new mail from various client platforms anywhere across the network

Summary

~ TCP/IP suite offers protocols at four different layers:
  - Data Link Layer: Point-to-Point Protocol creates the session between the user system and the ISP for transferring IP packets over a serial link
  - Network Layer: Internet Protocol is a data-oriented protocol used by source and destination hosts for communicating data across a packet-switched internetwork
  - Transport Layer: Transmission Control Protocol is a byte-stream connection oriented protocol providing reliable delivery
  - Application Layer: File Transfer Protocol is used to exchange files over the Internet and uses TCP for transfer