9. Network Security

What We Will Cover Announcements Please sit at a computer station and start Apache or IIS I recommend you use same computer every week When class is over, please shut down your computer Log Tails 9.1: Networking Basics 9.1.1: Protocol Stacks 9.1.2: Packets 9.1.3: Hexadecimal--Decimal--Binary 9.1.4: IP Addresses and Subnets Lab Exercise 9.1 9.2: Packet Sniffing 9.2.1: Understanding Packet Sniffing 9.2.2: Installing and Starting Ethereal 9.2.3: Using Ethereal Lab Exercise 9.2 9.3: Other Network Vulnerabilities 9.3.1: Background on IP Spoofing 9.3.2: Changing Our IP Address Lab Exercise 9.3 9.4: Firewalls and Proxies 9.4.1: About Firewalls Lab Exercise 9.4 Wrap Up Assignments Due Next: N/A Log Tails IP Addresses No one can purchase an IP address For list of internet controlling bodies, see ICANN page: Glossary of Terms and Abbreviations Controlling body in US is: American Registry for Internet Numbers To request an IP from the controlling body, see: ARIN-NET-END-USER-3.0.1 Cost is surprisingly small: Fee Schedule Note that the smallest size block you can request from ARIN is /20 (212 = 4096 nodes) Visitor Access Visitors are people who view documents from a Web site using a browser. What is required to allow specific visitors access to your site? 1. A login account on the server 2. A dedicated network connection 3. An Access Control List (ACL) 4. A firewall Server-parsed HTML Which of the following is not server-parsed HTML (embeddded within the HTML)? 1. SSI 2. Active Server Pages (ASP) 3. CGI 4. Java Server Pages (JSP) 5. All of the above are server-parsed HTML From Last Lab Any questions? Quiz Review WebCT back to top 9.1: Networking Basics Objectives At the end of the lesson the student will be able to: Describe IP addresses and netmasks Identify IP addresses on the same subnet Dissect an IP packet First steps is to understand a little about computer networks Many different networking protocols Our focus is TCP/IP (Transmission Control Protocol and Internet Protocol) Internet protocol (IP) is the set of networking protocols used on the Internet Based on networking model called the Open Systems Interconnect (OSI) network protocol stack Defines a layered approach to network communications Gives protocol designers a modularity that allows each layer to interface more easily with other protocols back to top 9.1.1: Protocol Stacks OSI protocol stack is seven layers vs five for Internet stack OSI Protocol Stack Internet Protocol Stack Physical Physical layer is medium over which communication signal is sent Coaxial cable, fiber optic, or unshielded twisted pair (UTP) copper cable Data Link Controls how machines on the same network segment communicate Many different protocols at this layer: Ethernet, token ring, PPP, FDDI Network or IP Handles addressing a message to a machine and interface Uses an IP address Transport Responsible for assigning which logical port a message is intended for Also which logical port the message originated from Other transport protocols, such as UDP, operate here as well Session/Presentation Typically just incorporated as part of the application layer Internet protocol suite does not use these layers Application Defines communication method between programs such as Web browsers and Web servers Web protocol is HTTP Others include FTP (file transfer protocol), telnet, and POP (post office protocol) Further Information Introduction to the Internet Protocols Introduction to TCP/IP Networking Protocols.com Uri's TCP/IP Resources List back to top 9.1.2: Packets Networking is about moving data bits from one point to another Internet Protocol (IP) is used to move data in packets Data is bundled into a packet and more bits are added for each layer Packet is sent after each layer has appended its required data Destination address included in the packet by the network (IP) layer For Example Consider the data packet shown in hexadecimal format (from textbook on p. 291-2) 4500 002f cc2f 4000 ff06 eeb9 ac1c 0ac1 0a00 0002 0007 0443 1aae 67db 001c 8119 5018 2238 76c6 0000 6865 6c6c 6f0d 0a All of this data was added by the various layers to a data packet Appendix E of textbook has packet header breakdown for various protocols IP header information portion of this packet: 4500 002f cc2f 4000 ff06 eeb9 ac1c 0ac1 0a00 0002 Part we are interested in is in bold First digit (4) identifies the version of IP being used Next digit (5) tell us the size, in 32-bit words, of the IP header itself Used to determine where IP header ends and TCP/UDP header begins IP header size is usually 20 bytes long Tenth byte (06) specifies protocol type of the data section (06 = TCP) Bytes 13-16 (ac1c 0ac1) are IP source address Bytes 17-20 (0a00 0002) are IP destination address Further Information IP Packet Header IP Packet Structure back to top 9.1.3: Hexadecimal--Decimal--Binary Computers use binary numbers (base 2) Convenient to group binary numbers in groups of 4 and use hexadecimal notation Convenient part is we can represent 4 bits using one character First 9 digits of hexadecimal are same as decimal Bin Dec Hex 0000 = 0 = 0 0001 = 1 = 1 0010 = 2 = 2 0011 = 3 = 3 0100 = 4 = 4 0101 = 5 = 5 0110 = 6 = 6 0111 = 7 = 7 1000 = 8 = 8 1001 = 9 = 9 Since hexadecimal needs extra 6 symbols, we use a through f as numbers Bin Dec Hex 1010 = 10 = a 1011 = 11 = b 1100 = 12 = c 1101 = 13 = d 1110 = 14 = e 1111 = 15 = f Easy to remember since 1010 is 10 = 'a' and you can count upwards from 10 Can easily convert between hexadecimal and binary using above tables Convert between hexadecimal and decimal with a little math or a hex table Using Math Add each "decimal place" together after multiplying by 16hexPlace ac = 10 x 161 + 12 x 160 = 160 + 12 = 172 What is hexadecimal 'ed' in binary? What is hexadecimal 'ed' in decimal? Further Information Binary Arithmetic Conversion Table back to top 9.1.4: IP Addresses and Subnets Converting between number systems important for: Calculating IP addresses Calculating subnets Interpreting hexadecimal packet representation IP Addresses and Subnets Every machine on the Internet has at least one IP address ac1c 0ac1 IP address is 32 bits (4 bytes) long However, an IP address has two parts: network and host Subnet mask used to determine network and host portions Subnet mask is the same length as an IP address (32 bits) Network portion of IP address is where both IP address and subnet mask have 1's in same position Host portion is where subnet mask has 0's For Example 4500 002f cc2f 4000 ff06 eeb9 ac1c 0ac1 0a00 0002 0007 0443 1aae 67db 001c 8119 5018 2238 76c6 0000 6865 6c6c 6f0d 0a Using the source address from above example ac1c 0ac1 Convert it to octets ac.1c.0a.c1 Convert each octet from hexadecimal to binary 10101100.00011100.00001010.11000001 Assume our subnet mask is 255.255.248.0 and convert this mask to binary 11111111.11111111.11111000.00000000 First 21 bits are network portion and last 11 bits are host portion 10101100.00011100.00001010.11000001 More on Addresses and Subnets Machines with exactly the same network portion are on the same subnet Subnet itself is the IP first address Host portion is made up of all 0 bits 10101100.00011100.00001000.00000000 Broadcast address is last IP address on network Host portion is all 1 bits 10101100.00011100.00001111.11111111 Packet addressed to broadcast address is meant for all machines residing on that subnet Subnets are connected by machines that have more than one network interface Each interface has its own IP address Each interface resides on a different subnet Known as a router Routers are responsible for passing packets from one subnet to another Packets may pass through many routers before finally arriving at the network where the machine matching the destination IP address resides. back to top Lab Exercise 9.1 Use the next 15 minutes to complete the following. Start a text file named exercise9.txt Will be adding to this file during the lesson -- save it often. Prepare the exercise header as described in the HowTo on submitting exercises Label this exercise: Lab 9.1 Complete the following exercises and answer the questions. Exercises Understand IP Addresses and Netmasks Using the IP address 172.20.134.174 and netmask 255.255.192.0, answer the following. What are the hexadecimal and binary equivalents of this IP address? What are the hexadecimal and binary equivalents of this netmask? What is the network portion of this IP address? What is the host portion of this IP address? Identify IP Addresses on the Same Subnet Given the IP addresses 172.16.157.181, 172.16.154.99, 172.16.152.200, and 172.16.151.200 all with a netmask of 255.255.252.0: What network(s) do each of these IP addresses reside on? Which of these IP addresses are on the same subnet as another IP address listed? Dissect an IP Packet Using the following hexadecimal representation of a packet, give your answers in decimal form. Refer to Appendix E of the textbook. 4500 012f ba00 0000 2006 41bf c0a8 0459 0a00 cf08 0410 0050 000e 681a 43ec fb08 5018 2238 6428 0000 4745 5420 2f74 6573 742e 6874 6d6c What is the source IP address this packet originated from? What is the destination IP address this packet is intended for? What is the source port this packet originated from? What is the destination port this packet is intended for? What type of packet is this (telnet, FTP, http , etc.)? back to top 9.2: Packet Sniffing Objectives At the end of the lesson the student will be able to: Use a packet sniffer Describe the risks of packet sniffing Determine what data is sent in an http packet back to top 9.2.1: About Packet Sniffing Information on the Internet is exchanged in chunks of data called packets To send information to another machine, applications bundle data into a number of packets and transmit them Other machines on a network may share the connection with your machine All machines look at the destination address to determine if that packet is meant for them If the packet is not meant for them, they simply ignore it Our machine does not have to ignore it Can view the packet’s contents just as easily as the intended recipient Special programs available called a packet sniffer Packet sniffer will listen to all packets on the network Allows user of the packet sniffer to see anything and everything Packet sniffer is an excellent tool to use when debugging network problems Or just snooping Will make use of a packet sniffer today Further Information Ethereal: Free packet sniffer for Unix and Windows with a GUI Example Web Packet Sniffer: Written in Perl Protocol Analyzers: Google directory Packet Sniffing: Article on packet sniffing and how to protect yourself tcpdump: Protocol packet capture and dumper program WinDump: Port of tcpdump to Windows back to top 9.2.2: Installing and Starting Ethereal Will use Ethereal for our packet sniffing Free and open source Works on Unix and Windows Has a GUI for the casual user Uses tcpdump filter language for compatibility with textbook Linux Installation and Startup Download the following binaries from Ethereal's Downloads Choose the local archive, which opens an ftp listing From the listing, download the following packages to /home/cis164/ Make sure each of the x.x.x-x.x.x are the same (e.g.0.9.10-1.7.2) ethereal-base-x.x.x-x.x.x.rpm ethereal-gtk+-x.x.x-x.x.x.rpm ethereal-usermode-x.x.x-x.x.x.rpm ethereal-gnome-x.x.x-x.x.x.rpm Open a terminal emulation window by clicking the icon in the bottom panel Login as the superuser, if you are not already. su You will be prompted for the root password Move to the /home/cis164/ directory, if you are not already there cd /home/cis164/ For each RPM, in the order shown above, run the following command: rpm -ivh <packageName> Start Ethereal by typing at the command line: ethereal & Windows Installation and Startup Download and open the following binaries to install them: WinPcap: choose the auto-installer version Win32 Binary Distribution: choose ethereal-setup-x.x.x.exe (x = don't care) Follow the default instructions for installation. Start Ethereal from the Start menu Start => All Programs => Ethereal => Ethereal back to top 9.2.3: Using Ethereal Getting Your IP Address Need the address of your computer for some of the exercises On Linux/UNIX, run the ifconfig program Open a command prompt (e.g. Terminal Emulation in Linux) Make sure you are the super user su -l root Type ifconfig at the command prompt On Windows, run the ipconfig program From the Start menu, select Run Type in command for Win98/ME or cmd for NT/2000/XP At the command prompt, type ipconfig Capturing Packets Start Ethereal, if not already running Click on the Capture menu and select Start You should see the Ethereal: Capture Options dialog appear Can select the network interface you are interested in eth0: usual interface lo: local loop any: all the interfaces Can limit the size of packets, if desired Capture packets in promiscuous mode enables you to collect all packets that reach your network card Filter allows to select which packets to collect (see below) File allows you to save captured data Capture limits specifies how much data to collect Name resolution asks Ethereal to translate names About Filtering Ethereal uses the libcap (tcpdump) filter language for capture filters Textbook exercises use tcpdump packet sniffer For example: tcpdump -x host <your_IP_address> Bold part of above example is the filter Copy the filter information into the filter box of the capture dialog Produces same filter results as the textbook exercises Further Information Ethereal User's Guide back to top Lab Exercise 9.2 Use the next 15 minutes to complete the following. Label this exercise: Lab 9.2 Note that each station number is part of the IP address of your computer. Exercises and Questions Use a Packet Sniffer Start Ethereal and start capturing all packets (no filter). What is the output you see from the packet sniffer? Now try filtering on your IP address. host <your_IP_address> What is different about this command’s output? Run the packet sniffer again, filtering on telnet packets (port 23) and use telnet to log in to a remote machine. You may telnet to the instructor's machine using the login guest and password penguin. port 23 and host <your_IP_address> To run telnet at the command line: telnet 172.30.1.100 What does the output show as you type your username and password? Do the same test again, but filter on another service such as FTP. port 21 and host <your_IP_address> What does the packet sniffer output show as you type your username and password? What does this tell you about remote logins? Run the packet sniffer program again on your machine, filtering on the telnet port and some other machine’s IP address. port 23 and host <other_IP_address> This time, telnet from the other machine on your network to a remote host. What does the output show as you type your username and password? Expanding on your previous answer, what more does this tell you about remote logins? Note that the classroom network is on a switch rather than a hub. Determine What Data Is Sent in an HTTP Packet Connect to the companion Web site and then take a look at the source HTML for the page: http://www.phptr.com/phptrinteractive/webarchitecture. You can do this by viewing the page source through the browser or by saving a copy of the index.html file and viewing it in a text editor. Use the packet sniffer program to filter on HTTP packets. port 80 What do you see in the output of the packet sniffer? Continue running the packet sniffer and complete the form and press the submit button. What do you see in the output of the packet sniffer after you submit the form data? What does this tell you about submitting information via the Web? back to top 9.3: Other Network Vulnerabilities Objectives At the end of the lesson the student will be able to: Describe IP spoofing Describe network denial of service attacks Describe other network attacks back to top 9.3.1: Background on IP Spoofing IP spoofing is sending packets with a forged IP address Routers use the "destination IP" address in order to forward packets through the Internet, but ignore the "source IP" address That address is only used by the destination machine when it responds back to the source "IP spoofing" can not be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth Cannot create a normal network connection Forging the source IP address causes the responses to be misdirected Spoofing the IP address is used to hide the identity of attackers Need a program to manually construct a packet and send it Demonstrate concept by changing address of your machine on our subnet Further Information IP-spoofing Demystified A short overview of IP spoofing back to top 9.3.2: Changing Your IP Address Can change your computer IP address to another on our subnet If you try to use the IP address on a remote subnet, cannot talk to our switch Book shows an example using a hole in old Solaris networking Networking kernels have improved since the book was written Would need a special program to spoof a remote subnet IP Spoofing On Our Subnet Note: do NOT try this at home. View and record the original IP setting ifconfig Set a new IP address ifconfig eth0 172.30.1.99 View the new IP setting ifconfig Start Ethereal In another terminal window, ping another address ping 172.30.1.1 Read the source address reported by Ethereal Restoring the Network Configuration Use netconfig to restore the network configuration netconfig Manually enter the following information IP address: 172.30.1.1XX (xx = station number) Netmask: 255.255.255.0 Default gateway (IP): 172.30.1.1 Primary nameserver: 172.16.1.7 Finish entering data and tab to "OK" to exit the program Reboot your system Foot -> Logout -> Reboot back to top Lab Exercise 9.3 Use the next 10 minutes to complete the following. Label this exercise: Lab 9.3. Understand IP Spoofing Follow the above instructions to spoof the IP address and answer the following questions. What is your source IP address shown in the sniffer output? What does this tell you about IP addresses? Understand Network Denial of Service Attacks Run the sniffer and connect into a machine, using your spoofed IP address. For instance, sniff on port 23 and run telnet 172.30.1.100 in another terminal window. What is the first packet you see each time you connect (i.e., what is its length, what characteristics make it different from other packets)? Hint: SYN packets have an "S" in the interpreted TCP header. ACK packets have an "ack", and SYN-ACK have both. What packets are sent next in the connection? What packets are sent next in a normal (non-IP-spoofed) connection? What is happening to your spoofed IP client’s connection? Now change your IP address to be one that is in use and that does reside on the local subnet. Next, continuously ping the broadcast address for the local subnet. Remember that the broadcast address is the last host address on the subnet (i.e., the IP address whose host portion is all 1-bits). ping 172.30.1.255 -b What happens to the machine whose IP address you are spoofing? Understand Other Network Attacks Return your machine to its original configuration with its correct IP address and start up your packet sniffer. What do you see when you ping another IP address? What do you see when you ping the broadcast address? What might happen if every machine on the network started pinging the broadcast address at once? back to top 9.4: Firewalls and Proxies Objectives At the end of the lesson the student will be able to: Describe the benefit of filtering by IP and port Describe the limitations of firewalls Describe other benefits that firewalls provide back to top 9.4.1: About Firewalls Three types of firewalls Packet Filtering Examine packets entering and leaving the machines network interfaces Filters the packets based on certain characteristics Might filter based on source and destination IP address or port Stateful Inspection Firewall More advanced packet filtering firewall is a stateful inspection firewall Filtering ruleset can dynamically change depending on its current state and the packets it is filtering Proxy Firewall Acts as a relay between the client and server host Client connecting to a server actually connects to the firewall instead Firewall relays data between client and server after it examines it Any attack is on the proxy rather than the machine being protected Proxies can be used for incoming or outgoing connections To the Internet it appears as though the proxy is the only machine For Example Consider the following network: Notice how machine R has two network interfaces One interface on the internal network One external interface connecting to the Internet Any data to or from this company’s network must pass through machine R Machine R in this case is a router Firewall on machine R can examine all the packets and only pass through those believed to be safe If machine A runs a Web server: firewall needs a packet-filtering rule: Source Destination Service Action Any 10.3.19.8 TCP/80 Accept E-mail sent or received through machine B would need more rules: Source Destination Service Action Any 10.19.4.8 TCP/80 Accept Any 10.19.4.40 TCP/25 Accept 10.19.4.40 ANY TCP/25 Accept If not explicitly granted permission then packets are discarded Firewall allows opening small holes so only necessary packets enter or leave your subnet Further Information I use a personal firewall at home Agnitum: Download Outpost Firewall FREE free-firewall.org PC World.com: Free Firewall Utilities Shields Up! Sygate Personal Firewall 5.0 ZoneAlarm 3.7.143 back to top Lab Exercise 9.4 Use the next 10 minutes to complete the following. Label this exercise: Lab 9.4 Understand the Benefit of Filtering by IP and Port Consider the network diagram: How could a firewall on machine A prevent an IP spoofing attack originating from subnet A? If the only machines that require telnet and FTP access to host X reside on subnet B, what benefits could a firewall on machine B provide? Read through CERT Advisory CA-1998.01. How could a firewall protect your network from an external attack of this type? Understand the Limitations of Firewalls Again consider the network diagram: Why can't a firewall on machine D be configured in a manner that prevents IP spoofing attacks? Assume that host W in the diagram runs a Web server that must be accessible via the Internet. Why can't any of the firewalls protect the Web server from a TCP SYN attack as described in CERT Advisory CA-1996.21? Pay special attention to the sequence of messages in the TCP protocol. Understand Other Benefits That Firewalls Provide Firewalls disallow all packets destined to blocked ports, including the initial SYN packet. How might an attacker determine which TCP ports are not blocked by a firewall? Firewalls typically log packets that are sent to blocked ports. How could a firewall alert you that an attacker has chosen your site to attack next? back to top Wrap Up When class is over, please shut down your computer => Logout => Shut Down Due Next: N/A You may complete unfinished exercises at any time before the next class. Be sure to submit the file to the instructor before the beginning of the next class to receive credit. Instructions on submitting exercises are available from the HowTo's page. back to top Home | WebCT | Announcements | Schedule | Expectations | Syllabus | Help | FAQ's | HowTo's | Links Last Updated: 7/16/2003 4:45:40 PM