TCPIP from a Security Standpoint

1
TCP/IP from a Security Standpoint

• CS-480b
• Dick Steflik

2
TCP/IP Guru-ism

• You dont have to know all of the details
• You do need to know your system
• What services it is providing
• What protocols are involved
• What vulnerabilities is has
• How to minimize the risks

3
Why TCP/IP ?

• Packet based
• Provides decentralized control
• Devices are peers
• Its routable
• Independent of transmission medium
• Open standard
• Free
• Robust
• Flexible
• Pragmatic

4
Physical Layer

• Three major categories based on connection
  behavior
• Dial-up
• temporary point-to-point
• WAN and MAN
• premanent point-to-point
• LAN
• two or more devices communicating over a shared
  broadcast media

5
Dial-up

• Dial-up (and modems)
• Temporarily connected point-to-point
• uses telephone infrastructure
• audio frequency modems
• vulnerabilities
• Cannot provide physical security along entire
  communications path
• Cables are usually run through public
  infrastructure making physical security almost
  impossible
• Peel back the insulation on the wire and connect
  alligator clips
• Telephone connection panel in basements of
  buildings
• Easy to just clip on to the connections
• Punch panels
• Screw terminal connections

6
WAN and MAN

• WAN and MAN
• Constantly connected point-to-point
• uses telephone backbone, microwave, radio, fiber
  optic
• dedicated digital leased lines
• specially conditioned telephone lines (guaranteed
  quality)
• 56Kbps - 9.95 Gbps
• T1 - 56Kbps
• T2 - 6.312 Mbps
• T3 -44.736 Mbps
• OC1 51.84 Mbps
• OC48 - 2488 Mbps
• OC192 - 9.95 Gbps
• CSU/DSU - Carrier Set Unit / Data Set Unit
  (connection device)
• can be routed like a layer 3 protocol

7
WAN and MAN (more)

• Vulnerabilities
• Because much is done using radio and microwave
  links interception by a third party is pretty
  easy (especially radio), laser communication is
  harder to intercept but is overall less reliable
  due to environmental issues
• Remedy
• Encrypt the data before placing it on an
  unsecured links like radio, microwave laser

8
LAN

• Two or more network devices communicating over a
  shared broadcast media
• local area, shared communications medium
• Ethernet, Token-ring, FDDI
• Vulnerabilities
• Because much is done using radio and microwave
  links interception by a third party is pretty
  easy (especially radio), laser communication is
  harder to intercept but is overall less reliable
  due to environmental issues
• Remedy
• Encrypt the data before placing it on an
  unsecured links like radio, microwave laser

9
Dial-up

• Temporary connections
• Established as needed
• Cannot provide physical security along entire
  communications path
• Cables are usually run through public
  infrastructure making physical security almost
  impossible
• Peel back the insulation on the wire and connect
  alligator clips
• Telephone connection panel in basements of
  buildings
• Easy to just clip on to the connections
• Punch panels
• Screw terminal connections

10
Modems

• Convert low speed digital signals to audio or
  phase encoded signals for transmission through
  the public access telephone system,
• Most consumer used modems work over unconditioned
  analog lines on the public access telephone
  system
• Vulnerabilities
• Because of the public access, hard to secure
  against physical tampering
• Tap on with another modem and listen as the data
  goes by
• Remedy
• Encrypt data on the computer side of the sending
  and receiving modems

11
ISDN

• Integrated Services Digital Network
• a system of digital phone connections that allows
  data to be transmitted simultaneously across the
  world using end-to-end digital connectivity.
• Available for gt 10 years
• Data is sent digitally unlike modems
• Uses a Terminal Adapter rather than a modem
• Must be with-in 18000 ft. to telco facilities
• gt 18000 ft.requires expensive repeaters
• 16 or 64 kbps depending on service type
• Vulnerabilities
• Same as modems, physical security
• Remedy
• encryption

12
Data Link Layer

• IEEE views the OSI Data Link Layer as 2 layers
• Media Access Control (MAC) Sublayer
• Translates generic network requests into device
  specific terms
• Logical Link Control (LLC) Sublayer
• Provides the operating system link to the device
  driver

13
Media Access Control

• This is the actual device driver that controls
  the NIC
• Reporting of and setting of device status
• Packaging of outgoing data from the LLC layer
• Sending of outgoing data
• Receiving of incoming data
• Unpacking of incoming data, error checking and
  passing data to LLC layer
• MAC addresses are burned into the NIC and should
  be globally unique (by OEM agreement)
• But they are of local scope to the LAN, LAN
  protocols like ethernet and token-ring have no
  provisions to pass data from one LAN to another
  so a LAN should always see unique MAC addresses

14
Ethernet

• Framing
• 6 byte Destination address (MAC address)
• 6 byte Source address (MAC address)
• 2 byte type (of packet in payload)
• 0800 IP Datagram (46-1500 bytes)
• 0806 ARP packet (28 bytes data18 bytes of
  padding))
• 0835 RARP packet (28 bytes 18 bytes of
  padding)
• 4 byte CRC
• Remember, the ethernet information will always
  stay local to the LAN its the IP, ARP or RARP
  packet that will move it from LAN to LAN and
  across the Internet

15
PPP

• Designed to support multiple network types over
  the same serial link
• Supersedes SLIP (Serial Line Internet Protocol)
• Framing
• 5 byte header
• 7E FF 03 (constant)
• 2 byte type field
• 0021 IP Datagram
• Link control packet C021
• Network control data - 8021

16
Link Establishment Subversion

• Hacker can use call forwarding to forward an
  incoming call to the hackers phone number
• Since Windows supports other network protocols
  (NetBEUI, IPX, IP over PPP) the hacker can then
  attempt to use one of those protocols to break
  into the calling machine
• Dial-up connections via cell phones can be
  hijacked right out of the air with a proper
  receiver
• Harder to do with digital cell phones

17
Media Access Subversion

• Its up to the MAC to reject all but the packets
  destined for that machine a hacker can put their
  MAC/NIC into promiscuous mode and receive all
  packets on the LAN
• Most device drivers dont support this mode so to
  do this a new device driver must be introduced
• Its a good idea to every once in a while to scan
  all of the machines on your network looking for
  any machines that might be running promiscuously
  
• Find out why they are running in promiscuous mode
• Fix it

18
Logical Link Control

• OS control of the Device Driver
• Multiple instances of driver for multiple NICs
• Multiple Device drivers for different kinds of
  devices
• Windows NDIS
• UNIX character mode device specification