Securing Protocol Layers

Lesson 7: TCP/IP applications
Objective: Discuss the security implications of commonly used applications.

TCP/IP Applications

To properly configure security mechanisms and best protect network resources, you must understand your network's specific TCP/IP applications. Normally, the security mechanisms you implement will be in the form of a firewall, either a screening router or a proxy server.
  1. Proxy server: Proxy servers communicate with external servers on behalf of the internal clients. The terms application gateway and circuit-level gateway refer to the specific services each form of proxy firewall provides.
  2. Screening router: Examines inbound and outbound packets based upon filter rules. Screening router is another term for a packet filter.

TCP/IP applications

Understanding the architecture of each application that will be routed through a firewall is necessary to proper firewall configuration. Common TCP/IP applications are described in the table below.

Application: Security implications
SMTP (Simple Mail Transfer Protocol) transfers email from one server to another using TCP port 25
  1. Denial of service attacks by flooding the SMTP server with email
  2. Sending and receiving viruses and trojan horses
  3. Hackers can connect directly to the SMTP server to generate a bogus email
FTP (File Transfer Protocol) is used only to send and receive files
  1. User names and passwords are sent in plain text
  2. May be used to download pirated software
NNTP (Network News Transfer Protocol) is one-to-many communication: a message is posted to a single location, and any number of users can contact the NNTP server to retrieve it
  1. The same security issues as SMTP
  2. Can be used in conjunction with SSL to encrypt all information between the NNTP client and server
HTTP (HyperText Transfer Protocol): clients use a browser to access and retrieve web pages from the server
  1. CGI scripts, ActiveX controls and Java applets
  2. Two distinct security concerns are the viewer applications in use by the client and the CGI programs used by the HTTP server
Telnet is used for remote terminal access and can be used to administer a Unix machine
  1. Experienced hackers can hijack a Telnet session in progress
  2. Telnet sends all user names and passwords in plain text
SNMP (Simple Network Management Protocol) allows administrators to check the status and sometimes modify the configuration of SNMP nodes
  1. All information is transferred in plain text
  2. A hacker could query and modify the SNMP nodes used on the network

Using Telnet

Telnet should only be used when you can verify the security of the entire network connecting the client and server, not over the Internet. If you wish to deny incoming Telnet connections, you should filter all Telnet traffic at the firewalls.

Malicious email attachments

A typical email message contains a header indicating where the message originated, who the recipient is, and the time and date. An email message can include any type of attachment, including viruses and trojans [1].
The best defense against malicious attachments is to purchase an SMTP [2] server that scans all messages, or to use a proxy server that scans all incoming and outgoing messages. Another preventive measure is user education. Educating email users on how viruses and trojans are sent through SMTP will help reduce the number of viruses or trojans on the network. The paragraphs below describe how hackers attempt to exploit FTP.
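To show what "an SMTP server that scans all messages" does at the MIME level, here is an added Python example (not part of the lesson and not any product's code). It builds a constructed message with a disguised executable attachment, then walks every attachment, records the Received header that shows where the message originated, and flags the attachment by its extension, by a double extension and by the "MZ" executable magic in the decoded content; the extension list and the sample addresses are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample message (not from the lesson): a text body plus an
# executable attachment disguised with a double extension.
def build_sample() -> bytes:
    msg = EmailMessage()
    msg["Received"] = "from mail.example.test by mx.example.test; Mon, 1 Jan 2024 10:00:00 +0000"
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00" + b"fake payload", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()

# Extensions a scanning gateway would normally refuse outright (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".vbs", ".js", ".pif"}

def scan_message(raw: bytes) -> dict:
    """Walk every MIME attachment and report why each one is suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        payload = part.get_payload(decode=True) or b""   # base64 decoded bytes
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append("executable extension")
            if lower.count(".") > 1:
                reasons.append("double extension")
        if payload.startswith(b"MZ"):                     # DOS/PE executable magic
            reasons.append("PE header in content")
        findings.append({"filename": name, "reasons": reasons})
    return {
        "received": [str(h) for h in msg.get_all("Received", [])],
        "attachments": findings,
        "block": any(f["reasons"] for f in findings),
    }

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The Received trail is what an investigator reads back to find where a message entered the mail system; the reasons list is what a gateway would log when it refuses the message.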

File Transfer Protocol

FTP is used to send, edit and receive files over a TCP/IP connection and consists of a server and a client. Almost every TCP/IP host has a built-in FTP client, and most servers have an FTP server program.
FTP uses two ports for communication. The control connection, TCP port 21, remains open during the entire FTP session and carries control messages and client commands between the client and server. A data connection is established on an ephemeral port each time a file is transferred between the client and server, which may happen several times during one FTP session. Although FTP is difficult to exploit directly, hackers are able to exploit FTP servers indirectly.
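The two-port design above is why a screening router cannot admit FTP with a single static rule: the data port exists only in the control conversation. Here is an added Python example (not part of the lesson) that goes slightly beyond the text by parsing a constructed control-channel transcript: it recovers the plain-text USER/PASS exchange and decodes the ephemeral data port from the client's PORT command (active mode) and from the server's 227 reply to PASV (passive mode), using the RFC 959 h1,h2,h3,h4,p1,p2 form where port = p1*256 + p2. The host names, user name and addresses are constructed.

```python
import re

# Constructed FTP control-channel transcript (not from the lesson): a login,
# one active-mode transfer (PORT) and one passive-mode transfer (PASV).
CONTROL_CHANNEL = """\
220 ftp.example.test FTP server ready
USER alice
331 Password required for alice
PASS hunter2
230 User alice logged in
PORT 192,0,2,10,4,1
200 PORT command successful
RETR report.txt
226 Transfer complete
PASV
227 Entering Passive Mode (198,51,100,7,195,80)
RETR notes.txt
226 Transfer complete
QUIT
221 Goodbye
"""

# RFC 959 encodes an endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_ADDR = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def _decode(match) -> tuple:
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def analyze(transcript: str) -> dict:
    """Recover plain-text credentials and every negotiated data connection."""
    creds, data_conns = {}, []
    for line in transcript.splitlines():
        verb, _, rest = line.partition(" ")
        if verb == "USER":
            creds["user"] = rest
        elif verb == "PASS":
            creds["password"] = rest
        elif verb == "PORT":                  # client tells the server where to connect
            m = _ADDR.search(rest)
            if m:
                data_conns.append(("active", *_decode(m)))
        elif verb == "227":                   # PASV reply: the client will connect here
            m = _ADDR.search(rest)
            if m:
                data_conns.append(("passive", *_decode(m)))
    return {"plaintext_credentials": creds, "data_connections": data_conns}

if __name__ == "__main__":
    print(analyze(CONTROL_CHANNEL))
```

Anyone on the path who can read port 21 sees exactly what this function recovers, which is the page's point about plain-text credentials; a firewall likewise has to parse PORT/227 (or use a stateful FTP helper) before it can open the matching data connection.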

FTP servers

FTP servers may not require authentication from the client; when authentication is required, all user names and passwords are sent in plain text. A common exploit is to find an FTP server that accepts anonymous connections and has write access. Hackers can then upload junk data until the entire hard disk is full, in the hope that the FTP server is installed on the hard disk that contains the operating system. If the hard disk or the log files fill up with the hacker's junk data, the overload could cause the system to crash. The hacker then attempts to break into the operating system or other services without the attempt being recorded in the log files.

Anonymous Connections

Allow only anonymous connections to your FTP server, so that no user account on the FTP server can be compromised. Because FTP sends all user names and their passwords in plain text, an anonymous-only server means that no account credentials are exposed through FTP.
SNMP is a viable network management solution within a company's private network, but you may want to consider filtering all SNMP traffic at the firewall.

[1] Trojan (trojan horse): A file or program that purports to operate in a legitimate way, but which also has an alternative, secret operation, such as emailing sensitive company information to a hacker. A trojan horse is a specific program that destroys information on a hard drive.
[2] Simple Mail Transfer Protocol (SMTP): The Internet standard protocol to transfer electronic mail messages from one computer to another. It specifies how two mail systems interact, as well as the format of control messages they exchange to transfer mail.