Information SecurityInternet, Intranet, Extranet Prof. dr. P.M.E. De Bra Department of Computing Science Eindhoven University of Technology
Parts / Topics / Issues • Basics of Internet technology / Organization • Principles of Firewalls / Virtual Private Networks. • Basics of World Wide Web technology • Server-side security issues • Client-side security issues • Privacy (and anonimity) on Internet
What is Internet? • A network of networks based on the TCP/IP protocols. • A community of people who use and develop those networks. • A collection of resources that can be reached from those networks. Internet standards are defined in RFCs. Informal definition of Internet is rfc 1462: http://www.normos.org/ietf/rfc/rfc1462.txt
Layered Internet protocols • Hardware-level protocol (wire without protocol, ethernet protocol, X.25, ATM, ...). • IP (lowest level Internet Protocol). • TCP, UDP, ICMP: TCP is used most, provides reliable connections. • SMTP, FTP, Telnet, ...: Application-level protocols (mostly on top of TCP/IP). We look at 1) TCP, 2) IP, 3) UDP and ICMP, 4) Application-level protocols, 5) Ethernet
Internet Basics: Addressing • Every computer has a 32 bit (4 octet) address: e.g. 22.214.171.124. Addresses reveal something about the associated network: • First octet 1..126: A networks, very large. (Arpanet is one of these 126 networks.) • First two octets 128.1 .. 191.254: B networks, maximum of 64516 computers in each network. • First three octets 192.1.1 .. 223.254.254: C networks, maximum of 254 computers in each. • Addresses above 224.1.1 are reserved for the future, for still undefined D and E networks.
Internet Basics: Addressing • Some addresses are never used. They can be used behind firewalls on company Intranets: • 10.0.0.0 to 10.255.255.255 can be used for an A class Intranet. • 172.16.0.0 to 172.16.255.255 can be used for a B class Intranet. • 192.168.0.0 to 192.168.255.255 can be used for C class Intranets. • First octet 127 is not used on Internet or Intranets. (127.0.0.1 is the “loopback” on every machine.)
Internet Basics: TCP protocol • Provides connections of connectionless IP protocol, through the use of ports. • A connection is defined by a source and destination IP address and a source and destination port. (A TCP header contains ports, the IP header the IP addresses.) • “Standard” servers “listen” to predefined (privileged) ports, with numbers below 1024. • Clients use unprivileged ports. • One computer can have many simultaneous connections to many other computers. All connections between a pair of computers must use different source or destination port numbers.
Internet Basics: TCP protocol • Data to be transmitted is divided in (a sequence of) datagrams. • TCP software on both ends says how large a datagram may be. The smaller size is chosen. Each datagram consists of a header and data. • Each datagram gets a sequence number. Each received datagram is acknowledged by returning a datagram with an acknowledgement number. • The acknowledgement contains a window size, indicating how many datagrams may be sent before the sender has to stop. • Every datagram gets a checksum to verify that the contents has arrived correctly.
Internet Basics: IP • IP sends datagrams from a source IP address to a destination IP address. (It may also split the datagram when needed.) • Each datagram contains an IP header, with a checksum (of the header only). • The header contains a protocol (code) to indicate whether it is a TCP, UDP or ICMP datagram. • Each datagram is routed separately. • Some datagrams may arrive faster than others. • Some datagrams may be lost. Each header has a time to live to indicate how much longer (number of hops) the datagram may live.
Internet Basics: Routing • Routing is the task of finding how to get a datagram to its destination. • Each machine can send datagrams directly to some other machines on a local network. • Each machine knows a gateway machine it can send datagrams to. • A gateway has connections to a number of networks and maintains a routing table of which connection to use for which destination. • A gateway can respond to a request with “I’m not the best gateway for this destination”.
Internet Basics: Domain Names • Most applications and users use domain names instead of IP numbers. A redundant hierarchy of name servers provides translation of names to numbers. • Name to reach: pcnov290.win.tue.nl • Ask a root server for an nl server. • Ask a server for the nl domain for a tue server. • Ask a server for the tue domain for a win server. • Ask a server for the win domain for the address of pcnov290.
Internet Basics: UDP and ICMP • UDP: User Datagram Protocol • Provides port numbers like TCP. • Provides a checksum for header + data. • Does not split data into separate datagrams. • Does not put sequences of datagrams together. • Does not keep track of lost datagrams, for retransmission. • ICMP: Internet Control Message Protocol • Used for messages (that fit into a single datagram). • Interpreted by IP itself. There are no port numbers.
Application level Protocols • Many TCP/IP protocols are text-based so that humans can easily interpret them: Example: Mail dialog between client and server svis01: 220 svis01.win.tue.nl ESMTP Sendmail 8.8.7/1.45 ready at Fri, 5 Feb 1999 23:28:31 +0100 (MET) wwwis: HELO wwwis.win.tue.nl svis01: 250 svis01.win.tue.nl Hello wwwis [126.96.36.199], pleased to meet you wwwis: MAIL From: firstname.lastname@example.org svis01: 250 email@example.com... Sender ok ...
Application level Protocols • Telnet: allows to log in on any other computer on the network (on which you have an account). It requires an interactive login. (Username and Password are transmitted without encryption.) • Rlogin: allows to remote log in as a specific user. It is possible to log in without password, based on domain name. (Insecure). • Ssh: “secure shell”, allows remote log in, using encrypted channel, with or without password. (public/private keys used between computers.)
Application level Protocols • Ftp: File Transfer Protocol. Used in anonymous mode to access public file servers, and with passwords to copy to and from machines. Ftp uses separate “channel” for commands and for data transfer. • Rcp: Remote copy, allowed based on domain name / user name combination. Insecure. • Scp: Secure copy, allowed based on domain name / user name combination and public/private key encryption. Uses encrypted channel to avoid snooping.
Application level Protocols • SMTP: Simple Mail Transfer Protocol • NNTP: Network News Transfer Protocol • RPC: There are different varieties of protocols for remote execution. (Remote shell, remote procedure call, etc.) • NFS: Network File System. Introduced by Sun Microsystems. Uses UDP, not TCP. • Remote Printing • ...
Internet security: Issues • How to achieve secure (secret and reliable) communication over an insecure network. (Which encryption techniques fit which purpose: subject of Paul Lebouille, IBM.) • How to prevent unauthorized access to services while allowing authorized access to other services. • How to isolate a company network from Internet, while allowing the use of Internet by computers in the company.
Internet communication threats • Snooping: Any computer on Internet can intercept passing datagrams. One can easily filter out the data belonging to a single connection.
Internet communication threats • Spoofing: A computer can pretend to be another one (by using the other’s IP number) and thus steal its traffic.
Internet communication threats • Spoofing:Man in the middle variation Spoofing machine talks to the “real” owner of IP number, to pass on corrupted data.
Host (or Subnet) Security • Any technical solution for security must be used as a means of implementing a chosen security policy: • What are we protecting? • How important is it? • How likely is it that it will be attacked? • What should happen if an attack is successful? • What is permitted, by whom and for what purpose? • What Internet connectivity is needed from the host or subnet?
Firewalls: background • A firewall provides security for an Intranet by controlling what and how can be communicated with Internet. Firewalls cannot protect against: • Attacks that do not go through the firewall (hand carried tapes/disks, modem connections). • Data-driven attacks: something (malicious) is uploaded or copied through a legitimate channel, and then executed. • Denial of service attacks that overload the data connection between Intranet and Internet.
Firewall architectures • Approaches: • packet filtering: allow only datagrams with certain properties to pass. • proxy services: application-level gateways that forward datagrams and hide the Intranet. • Architectures: • dual-homed host: one host with two network interfaces, one for Intranet, one for Internet. • screened host: packet filter combined with bastion host providing gateway/proxy services. • screened subnet: trusted/untrusted subnets.
Packet filtering (screening router) • Selectively blocks or lets through packets between the Intranet and Internet, based on: • Source IP address • Destination IP address • Protocol (TCP, UDP) • Source port • Destination port • For each combination one can configure the filter to allow or deny all values, certain ranges, or single values.
Point to Point Tunneling Protocol • PPTP was developed by Microsoft. It is aimed at dial-in connections using PPP. • User access is first controlled through PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol). • Each PPP packet is encoded with 40-bit RC4. The encryption prevents the network from reading the destination information. • The PPP packet is encapsulated within a GRE (Generic Routing Encapsulation) packet which includes destination information.
IPsec • IPsec might be a successor/replacement for PPTP. It addresses authentication, integrity, access control and confidentiality. • Uses a variety of encryption algorithms. • Uses two headers: AH (Authentication Header) and ESP (Encapsulating Security Payload). • AH verifies that the data hasn’t been altered. • ESP encrypts the data so it remains confidential.
Home Networks • To connect several computers at home (consisting of PCs): • Local lan consists of ethernet. • Connection to ISP through modem or “fixed” network (cable modem, isdn router, etc.). • This effectively creates a dual-homed host. • The internal network can use 192.168 range. • On the bastion host you must enable IP forwarding. • In the network “security” options you need to select TCP and UDP ports to enable/disable. • You need to setup proxy services on bastion. • You need to configure the other PCs to use the proxies. (e.g. through a package like Wingate.)
World Wide Web Technology • Request-response paradigm:
HTTP HyperText Transfer Protocol • HTTP is a typical TCP/IP protocol: • Textual representation: both requests and responses have a textual representation so that a human can diagnose the protocol. • Standard error codes: Internet convention says: 1xx: command received and being processed 2xx: success 3xx: further action is needed 4xx: temporary error 5xx: permanent error (HTTP has some slight deviations, see later)
HTTP Example • HTTP 1.0 request: GET /index.html HTTP/1.0 From: firstname.lastname@example.org User-Agent: Mozilla 4.5... Accept: text/plain Accept: text/html ... other fields ... < empty line marks end of request >
HTTP Example (cont.) • HTTP 1.0 reply: HTTP/1.0 200 OK Date: Mon, 08 Feb 1999 20:48:51 GMT Server: Apache/1.2.4 Last-Modified: Wed, 23 Sep 1998 ... Content-Length: 3173 Accept-Ranges: bytes Connection: close Content-Type: text/html < empty line > < The content of the document follows>
HTTP Response Codes • 1xx: request received, processing continues. (Such response is followed by another one.) • 2xx: success, result depends on the code: • 200: OK, result follows. • 201: An entity was created as a result of the request. • 3xx: further processing needed: • 300: Multiple choices, client must select one. • 301: Moved temporarily. • 304: Not modified (since date given in request).
HTTP Response Codes • 4xx: client error: • 400: Malformed request. • 401: Unauthorized, authorization required. • 402: Payment required (not yet supported). • 403: Forbidden, authorization will not help. • 404: Not found. (Resource temporarily or permanently unavailable.) • 5xx: server error: • 500: Internal server error (unexpected by server). • 503: Service unavailable (due to overload, …) see: RFC 2068
HTTP Threats from result codes • HTTP is very susceptible to “man in the middle” attacks. Examples: • 200: Since HTTP uses cleartext, the content of a document can be subtly altered. (The Content-Length must be kept correct though!) • 301: A browser can be fooled into loading from a different server, without the user knowing it. • 401: A user can be “tricked” into giving his password. Basic authentication transmits the password without encryption. (The newer digest authentication performs encryption.)
HTTP Basics • HTTP/1.0 uses a TCP/IP connection for each request. • HTTP/1.0 wastes resources because opening and closing connections is expensive. • Subsequent requests to the same server seem to form a session, but because they are separate TCP/IP connections the (non-existent) session can easily be broken into. • Browsers (Netscape Navigator, Internet Explorer, ...) issue several requests in parallel to retrieve in-line images “faster”. This actually constitutes a denial of service attack.
HTTP Basics • HTTP/1.1 solves some 1.0 problems: • Support for multi-part content, meaning that only one request is needed to retrieve several objects at once. • Persistent connections reduce the risk of break-ins into a session, and reduce connection setup overhead. (Persistent connections may also cause a server to need many more open connections.) • Authentication can be done through a “challenge” mechanism and “digest authentication”. A user password is not transmitted over the network.
HTTP Security Issues • HTTP allows content-coding. Unfortunately, only compression schemes are defined, and no encryption schemes. • Secure-HTTP (or S-HTTP) is an extension with encryption, but not well supported. It encrypts the message (and reply) body but some of the header info is not encrypted. • HTTPS (HTTP over SSL) first creates an encrypted channel (using SSL). Subsequently request and reply headers and body are encrypted.
HTTP Security Issues (cont.) • Experimental implementations of persistent connections in HTTP 1.0 cause denial of service. Therefore HTTP 1.1 proxy servers never open a persistent connection with an HTTP 1.0 client. • HTTP 1.1 connections may time out. Both clients and servers must always be able to recover from asynchronous close events. • Browsers can route requests through a proxy. Some Internet Providers use a transparent proxy: the user may not be aware of the proxy’s existence.
HTTP Security Issues (cont.) • Safe methods: GET and HEAD should not take an action other than retrieval. (Users cannot be held accountable for side effects of these methods.) • Forms which are used with the GET method should never ask for sensitive information, because of logging attacks. • The Content-MD5 header can be used to add a digest (checksum) to a reply. This gives the false impression the message has not been tampered with.
HTTP Security Issues (cont.) • The behavior of a cache with authorized requests is not always safe: a cache may return replies to non-authenticated clients. • Sharing browser sessions on shared workstations poses the risk of authorized sessions to be taken over by the next user. • A server may attempt to validate the identity of the user through the RFC 931 protocol. The user’s machine confirms the user name of an open connection. This technique is generally unsafe.
Server-side Technology • Basic architecture: CGI scripts act as a gateway between WWW server and information system (database system).
Server-side Technology • Security threats from CGI-scripts: • The input for a CGI-script results from filling out a form. The script should anticipate erroneous input, possibly also data overrun. • A CGI-script should check that it is invoked through the right form, by checking the HTTP_REFERER field. However, this field can be faked. • CGI-scripts are often written in scripting languages such as Perl or Bourne-shell. Writing scripts in such languages is easy, but writing secure scripts is difficult.