CompTIA Network+ Certification Study Guide, Part 42


Damage and Defense…

Denial of Service Attacks

A port is a connection point into a device. Ports can be physical, such as serial ports or parallel ports, or they can be logical. Logical ports are ports used by networking protocols to define a network connection point to a device. Using Transmission Control Protocol/Internet Protocol (TCP/IP), both TCP and User Datagram Protocol (UDP) logical ports are used as connection points to a network device. Because a network device can have thousands of connections active at any given time, these ports are used to differentiate between the connections to the device.

A port is described as well known for a particular service when it is normal and common to find that particular software running at that particular port number. For example, Web servers run on port 80 by default, and File Transfer Protocol (FTP) file transfers use ports 20 and 21 on the server when it is in active mode. In passive mode, the server uses a random port for the data connection and port 21 for the control connection.

Exam warning

There are two modes in which FTP operates: active and passive.

Active Mode

1. The FTP client initializes a control connection from a random port higher than 1024 to the server’s port 21.
2. The FTP client sends a PORT command instructing the server to connect to a port on the client one higher than the client’s control port. This is the client’s data port.
3. The server sends data to the client from server port 20 to the client’s data port.

Passive Mode

1. The FTP client initializes a random port higher than 1,023 as the control port and initializes the port one higher than the control port as the data port.
2. The FTP client sends a PASV command instructing the server to open a random data port.
3. The server sends a PORT command notifying the client of the data port number that was just initialized.
4. The FTP client then sends data from the data port it initialized to the data port the server instructed it to use.

To determine what port number to use, technicians need to know what port number the given software is using. To make that determination easier, there is a list of common services that run on computers along with their respective well-known ports. This allows the technician to apply the policy of denying by default and only opening the specific port necessary for the application to work. For example, if they want to allow the Siebel Customer Relations Management application from Oracle to work through a firewall, they would check against a port list (or the vendor’s documentation) to determine that they need to allow traffic to port 2,320 to go through the firewall. A good place to search for port numbers and their associated services online is on Wikipedia. This list is fairly up-to-date and can help you find information on a very large number of services running on all ports (http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers).

You will notice that even Trojan horse applications have well-known port numbers. A few of these have been listed in Table 9.2. Unfortunately, for nearly every possible port number, there is a virus or Trojan horse application that could be running there. For a more comprehensive list of Trojans listed by the port they use, go to the SANS Institute Web site at www.sans.org/resources/idfaq/oddports.php.
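The active and passive mode steps above, worked through in code; this is an added example, not from the study guide. It decodes the h1,h2,h3,h4,p1,p2 form used by the client’s PORT command and by the server’s 227 reply (the on-the-wire form of the data-port notification in passive step 3), derives the data port that sits one higher than the control port, and checks each mode’s data connection against a default-deny filter on the client side. All addresses and ports are constructed for the example.

```python
import re

# Constructed control-channel lines (not from a real session).
PORT_LINE = "PORT 192,168,1,10,4,2"                              # client -> server, active mode
PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)."  # server -> client, passive mode

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and the 227 reply.
    The port is carried as two bytes: p1 * 256 + p2."""
    m = _TUPLE.search(line)
    if m is None:
        raise ValueError("no host/port tuple in: " + line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte out of range in: " + line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_port_command(ip, port):
    """Encode the PORT command the client sends in step 2 of active mode."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or max(octets) > 255:
        raise ValueError("bad IPv4 address")
    return "PORT " + ",".join(str(x) for x in octets + [port // 256, port % 256])


def data_connection(mode, client_ip, client_ctrl_port, server_ip, server_data_port=None):
    """Describe who opens the data connection in each mode, following the text's steps.
    In both modes the client's data port is one higher than its control port."""
    if client_ctrl_port <= 1023:
        raise ValueError("client control port must be above 1023")
    client_data_port = client_ctrl_port + 1
    if mode == "active":
        # Step 3 of active mode: the server connects from port 20 to the client's data port.
        return {"initiator": "server", "src": (server_ip, 20), "dst": (client_ip, client_data_port)}
    if mode == "passive":
        # Step 4 of passive mode: the client connects to the port the server announced.
        if server_data_port is None:
            raise ValueError("passive mode needs the server's announced data port")
        return {"initiator": "client", "src": (client_ip, client_data_port), "dst": (server_ip, server_data_port)}
    raise ValueError("unknown mode: " + mode)


def client_filter_allows(conn):
    """Default-deny packet filter in front of the client: only connections the client
    itself opens from a port above 1023 pass; unsolicited inbound connections are dropped.
    This is why active-mode transfers stall behind such a filter while passive ones work."""
    return conn["initiator"] == "client" and conn["src"][1] > 1023


def demo():
    """Return the verdict for each mode with the constructed addresses."""
    client_ip, client_ctrl = "192.168.1.10", 1025
    server_ip, server_data = parse_hostport(PASV_REPLY)
    active = data_connection("active", client_ip, client_ctrl, server_ip)
    passive = data_connection("passive", client_ip, client_ctrl, server_ip, server_data)
    return {"active": client_filter_allows(active), "passive": client_filter_allows(passive)}
```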

Table 9.2 Well-known Ports of Trojan Horses

Trojan horse        Port(s)
Back Orifice        31337 and 31338 (modifiable)
Back Orifice 2000   8787, 54320, and 54321 (modifiable)
OpwinTrojan         10000 and 10005
SubSeven            1243, 1999, 2773, 2774, 6667, 6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, and 54283 (depending on the version)
WinSatan            999 and 6667

Exam warning

The most important ports to remember are as follows:

20   FTP Active Mode Control Port
21   FTP Active Mode Data Port
22   Secure Shell (SSH)
23   Telnet
25   Simple Mail Transfer Protocol (SMTP)
80   HTTP
110  Post Office Protocol 3 (POP3)
119  Network News Transfer Protocol (NNTP)
143  Internet Message Access Protocol (IMAP)
443  SSL (HTTPS)

Packet-filtering firewalls have both benefits and drawbacks. One of the benefits is speed. Since only the header of a packet is examined and a simple table of rules is checked, this technology is very fast. A second benefit is ease of use. The rules for this type of firewall are easy to define, and ports can be opened or closed quickly. In addition, packet-filtering firewalls are transparent to network devices. Packets can pass through a packet-filtering firewall without the sender or receiver of the packet being aware of the extra step. A major bonus of using a packet-filtering firewall is that most current routers support packet filtering. There are two major drawbacks to packet filtering:

■ A port is either open or closed. With this configuration, there is no way of simply opening a port in the firewall when a specific application needs it and then closing it when the transaction is complete. When a port is open, there is always a hole in the firewall waiting for someone to attack.

■ The second major drawback to packet filtering is that it does not understand the contents of any packet beyond the header. Therefore, if a packet has a valid header, it can contain any payload. This is a common failing point that is easily exploited.

To expand on this, since only the header is examined, packets cannot be filtered by username, only by IP address. With some network services, such as Trivial FTP (TFTP) or various UNIX r commands (rsh, rcp, etc.), this can cause a problem. Because the port for these services is either open or closed for all users, the options are either to restrict system administrators from using the services or to invite the possibility of any user connecting and using these services. The operation of this firewall technology is illustrated in Figure 9.1.

Referring to Figure 9.1, the sequence of events is as follows:

1. Communication from the client starts by going through the seven layers of the OSI model.
2. The packet is then transmitted over the physical media to the packet-filtering firewall.
3. The firewall works at the network layer of the OSI model and examines the header of the packet.
4. If the packet is destined for an allowed port, the packet is sent through the firewall, over the physical media, and up through the layers of the OSI model to the destination address and port.

FIGURE 9.1 Packet Filtering Technology. (Diagram: the client’s and server’s OSI model stacks, with the packet-filtering firewall operating at the network layer and passing traffic on an open port.)

Application Layer Firewalls

The second firewall technology is called application filtering or an application-layer gateway. This technology is more advanced than packet filtering, as it examines the entire packet and determines what should be done with the packet based on specific defined rules. For example, with an application-layer gateway, if a Telnet packet is sent through the standard FTP port, the firewall can determine this and block the packet if a rule is defined disallowing Telnet traffic through the FTP port. It should be noted that this technology is used by proxy servers to provide application-layer filtering to clients.

One of the major benefits of application-layer gateway technology is its application-layer awareness. Because application-layer gateway technology can determine more information from a packet than a simple packet filter can, application-layer gateway technology uses more complex rules to determine the validity of any given packet. These rules take advantage of the fact that application-layer gateways can determine whether data in a packet matches what is expected for data going to a specific port. For example, the application-layer gateway can tell if packets containing controls for a Trojan horse application are being sent to the HTTP port (80) and thus can block them.

Although application-layer gateway technology is much more advanced than packet-filtering technology, it does have its drawbacks. Because each packet is disassembled completely and then checked against a complex set of rules, application-layer gateways are much slower than packet filters. In addition, only a limited set of application rules are predefined, and any application not included in the predefined list must have custom rules defined and loaded into the firewall. Finally, application-layer gateways process the packet at the application layer of the OSI model. By doing so, the application-layer gateway must then rebuild the packet from the top down and send it back out. This breaks the concept behind client/server architecture and slows the firewall down even further.

Client/server architecture is based on the concept of a client system requesting the services of a server system. This was developed to increase application performance and cut down on the network traffic created by earlier file sharing or mainframe architectures. When using an application-layer gateway, the client/server architecture is broken, as the packets no longer flow between the client and the server. Instead, they are deconstructed and reconstructed at the firewall. The client makes a connection to the firewall, at which point the packet is analyzed; then the firewall creates a connection to the server for the client. By doing this, the firewall is acting as a proxy between the client and the server. The operation of this technology is illustrated in Figure 9.2.
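The contrast between the two firewall types, as an added example that is not from the study guide: a stateless packet filter that reads only header fields beside an application-layer check that also requires the payload to match the protocol expected on that port, so the Telnet-on-the-FTP-port case from the text is passed by the first and rejected by the second. The packets, the port table and the protocol heuristics are constructed for the example and are far simpler than a real gateway’s rule set.

```python
# Constructed packets: the header fields a filter reads, plus the start of the payload.
# Addresses are omitted; contents are made up for the example.
PACKETS = {
    "http_ok":      {"proto": "tcp", "dst_port": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    "ftp_ok":       {"proto": "tcp", "dst_port": 21, "payload": b"USER anonymous\r\n"},
    "telnet_on_21": {"proto": "tcp", "dst_port": 21, "payload": b"\xff\xfd\x18\xff\xfd\x20"},  # Telnet IAC DO ... negotiation
    "telnet_on_23": {"proto": "tcp", "dst_port": 23, "payload": b"\xff\xfd\x18"},
    "tftp":         {"proto": "udp", "dst_port": 69, "payload": b"\x00\x01config.bin\x00octet\x00"},
}

# Rule table of the packet filter: (protocol, destination port) pairs that are open.
# Anything not listed is denied by default.
OPEN_PORTS = {("tcp", 20), ("tcp", 21), ("tcp", 80)}


def packet_filter(pkt):
    """Stateless packet filter: decides on header fields only; the payload is never read."""
    return (pkt["proto"], pkt["dst_port"]) in OPEN_PORTS


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
FTP_COMMANDS = {b"USER", b"PASS", b"PASV", b"PORT", b"RETR", b"STOR", b"LIST", b"QUIT", b"CWD", b"TYPE"}


def looks_like_http(payload):
    """The request line must start with a method and end with an HTTP/1.x version token."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.startswith(HTTP_METHODS) and first_line.endswith((b"HTTP/1.0", b"HTTP/1.1"))


def looks_like_ftp_control(payload):
    """FTP commands are ASCII lines ending in CRLF whose first token is a known verb.
    Telnet option negotiation starts with 0xFF bytes, so it fails this test."""
    if not payload.endswith(b"\r\n") or not payload.isascii():
        return False
    tokens = payload.split()
    return bool(tokens) and tokens[0].upper() in FTP_COMMANDS


# What the application-layer gateway expects on each open port. Ports without an entry
# (here the FTP data port, 20) carry arbitrary file contents, so only the header is checked.
EXPECTED_PAYLOAD = {80: looks_like_http, 21: looks_like_ftp_control}


def application_gateway(pkt):
    """Same port table as the packet filter, but the payload must also match the
    protocol expected on that port."""
    if not packet_filter(pkt):
        return False
    check = EXPECTED_PAYLOAD.get(pkt["dst_port"])
    return True if check is None else check(pkt["payload"])


def compare(packets=PACKETS):
    """Return {name: (packet_filter_verdict, application_gateway_verdict)} per sample packet."""
    return {name: (packet_filter(p), application_gateway(p)) for name, p in packets.items()}
```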

FIGURE 9.2 Application-Layer Gateway Technology. (Diagram: the client’s and server’s OSI model stacks, with the application-layer gateway rebuilding authorized packets at the application layer.)

Notes from the Field…

Walking the Line between Opportunity and Entrapment

Most law enforcement officers are aware of the fine line they must walk when setting up a “sting” – an operation in which police officers pretend to be victims or participants in crime, with the goal of getting criminal suspects to commit an illegal act in their presence. Most states have laws that prohibit entrapment; that is, law enforcement officers are not allowed to cause a person to commit a crime and then arrest him or her for doing it. Entrapment is a defense to prosecution; if the accused person can show at trial that he or she was entrapped, the result must be an acquittal.

Courts have traditionally held, however, that providing a mere opportunity for a criminal to commit a crime does not constitute entrapment. To entrap involves using persuasion, duress, or other undue pressure to force someone to commit a crime that the person would not otherwise have committed. Under this holding, setting up a honeypot or honeynet would be like the (perfectly legitimate) police tactic of placing an abandoned automobile by the side of the road and watching it to see if anyone attempts to burglarize, vandalize, or steal it. It should also be noted that entrapment only applies to the actions of law enforcement or government personnel. A civilian cannot entrap, regardless of how much pressure is exerted on the target to commit the crime (however, a civilian could be subject to other charges, such as criminal solicitation or criminal conspiracy, for causing someone else to commit a crime).

Honeypots

A honeypot is a computer system that is deliberately exposed to public access – usually on the Internet – for the express purpose of attracting and distracting attackers. In other words, these are the technical equivalent of the familiar police “sting” operation. Although the strategy involved in luring hackers to spend time investigating attractive network devices or servers can cause its own problems, finding ways to lure intruders into a system or network improves the odds of being able to identify those intruders and pursue them more effectively. Figure 9.3 shows a graphical representation of the honeypot concept in action.

The following characteristics are typical of honeypots:

■ Systems or devices used as lures are set up with only “out of the box” default installations so that they are deliberately made subject to all known vulnerabilities, exploits, and attacks.

■ The systems or devices used as lures do not include sensitive information (for example, passwords, data, applications, or services an organization depends on or must absolutely protect), so these lures can be compromised or even destroyed without causing damage, loss, or harm to the organization that presents them to be attacked.

■ Systems or devices used as lures often also contain deliberately tantalizing objects or resources, such as files named password.db, folders named Top Secret, and so forth – often consisting only of encrypted garbage data or log files of no real significance or value – to attract and hold an attacker’s interest long enough to give a backtrace a chance of identifying the attack’s point of origin.

■ Systems or devices used as lures also include or are monitored by passive applications that can detect and report on attacks or intrusions as soon as they start, so the process of backtracing and identification can begin as soon as possible.

FIGURE 9.3 A Honeypot in Use to Keep Attackers from Affecting Critical Production Servers. (Diagram: the Internet and DMZs, a honeypot, and two production servers.) The figure’s callouts read:

The attacker spends all of their time attacking the honeypot because it looks like a poorly configured and insecure production server.

The honeypot provides alerts to the network administrator so they can take defensive measures as desired to stop or monitor the attack.

The production servers continue operating without being affected by the attempted attack.

The honeypot only appears to be a critical production server. However, it is running a special IDS package that can intelligently respond to the attacker, track the attacker’s actions, and keep the attacker engaged while important attack information is being collected. The attack signature that is collected can be used later to prevent attacks of the same sort from actually succeeding against real servers. In most cases, the attacker never knows the difference between the honeypot and a real server and thus makes no lasting damage to the network itself.

Exam warning

A honeypot is a computer system that is deliberately exposed to public access – usually on the Internet – for the express purpose of attracting and distracting attackers. Likewise, a honeynet is a network set up for the same purpose, where attackers not only find vulnerable services or servers but also find vulnerable routers, firewalls, and other network boundary devices, security applications, and so forth.

The honeypot technique is best reserved for use when a company or organization employs full-time Information Technology (IT) security professionals who can monitor and deal with these lures on a regular basis, or when law enforcement operations seek to target specific suspects in a “virtual sting” operation. In such situations, the risks are sure to be well understood, and proper security precautions, processes, and procedures are far more likely to already be in place (and properly practiced). Nevertheless, for organizations that seek to identify and pursue attackers more proactively, honeypots can provide valuable tools to aid in such activities.

Exercise 9.2 outlines the basic process to set up a Windows honeypot. Although there are many vendors of honeypots that will run on both Windows and Linux computers, this exercise will describe the install on a commercial honeypot that can be used on a corporate network.

Exercise 9.2 Install a Honeypot

1. KFSensor is a Windows-based honeypot IDS that can be downloaded as a demo from www.keyfocus.net/kfsensor/.
2. Fill out the required information for download.
3. Once the program downloads, accept the install defaults and allow the program to reboot the computer to finish the install.
4. Once installed, the program will step you through a wizard process that will configure a basic honeypot.
5. Allow the system to run for some time to capture data. The program will install a sensor in the program tray that will turn red when the system is probed by an attacker.

Honeynets

A honeynet is a network that is set up for the same purpose as a honeypot: to attract potential attackers and distract them from your production network. In a honeynet, attackers will not only find vulnerable services or servers but also find vulnerable routers, firewalls, and other network boundary devices, security applications, and so forth.

The following characteristics are typical of honeynets:

■ Network devices used as lures are set up with only “out of the box” default installations so that they are deliberately made subject to all known vulnerabilities, exploits, and attacks.

■ The devices used as lures do not include sensitive information (for example, passwords, data, applications, or services an organization depends on or must absolutely protect), so these lures can be compromised, or even destroyed, without causing damage, loss, or harm to the organization that presents them to be attacked.

■ Devices used as lures also include or are monitored by passive applications that can detect and report on attacks or intrusions as soon as they start, so the process of backtracing and identification can begin as soon as possible.

The Honeynet Project at www.honeynet.org is probably the best overall resource on the topic online; it not only provides copious information on the project’s work to define and document standard honeypots and honeynets, it also does a great job of exploring hacker mindsets, motivations, tools, and attack techniques.

Although this technique of using honeypots or honeynets can help identify the unwary or unsophisticated attacker, it also runs the risk of attracting additional attention from savvier attackers. Honeypots or honeynets, once identified, are often publicized on hacker message boards or mailing lists and thus become more subject to attacks and hacker activity than they otherwise might be. Likewise, if the organization that sets up a honeypot or honeynet is itself identified, its production systems and networks may also be subjected to more attacks than might otherwise occur.

Content Filters

Content filtering is the process used by various applications to examine content passing through and make a decision on the data based on a set of criteria. Actions are based on the analysis of the content, and the resulting action can be to block or to allow.

Content filtering is commonly performed on e-mail and is often applied to Web page access as well. Filtering out gambling or gaming sites from company machines may be a desired effect of management and can be achieved through content filtering. Examples of content filters include WebSense and Secure Computing’s WebWasher/SmartFilter. Open source content filter examples would be DansGuardian and Squid.

Protocol Analyzers

A protocol analyzer is used to examine network traffic as it travels along your Ethernet network. They are called by many names, such as packet analyzer, network analyzer, and sniffer, but all function in the same basic way. As traffic moves across the network from machine to machine, the protocol analyzer takes a capture of each packet. This capture is essentially a photocopy, and the original packet is not harmed or altered. Capturing the data allows a malicious hacker to obtain your data and potentially piece it back together to analyze the contents.

Different protocol analyzers function differently, but the overall principle is the same. A sniffer is typically software installed on a machine that can then capture all the traffic on a designated network. Much of the traffic on the network will be destined for all machines, as in the case of broadcast traffic. These packets will be picked up and saved as part of the capture. Also, all traffic destined to and coming from the machine running the sniffer will be captured. To capture traffic addressed to/from another machine on the network, the sniffer should be run in promiscuous mode. If a hub exists on the network, this allows the capturing of all packets on the network regardless of their source or destination. Be aware that not all protocol analyzers support promiscuous mode, and having switches on the network makes promiscuous mode difficult to use due to the nature of switched traffic. In cases where a sniffer that runs in promiscuous mode is not available or is unfeasible, it might make sense to use instead the built-in monitor port on the switch, if it exists. The monitor port exists to allow for the capture of all data that passes through the switch. Depending on your network architecture, this could encompass one or many subnets.
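What a sniffer’s “photocopy” of a packet actually yields, as an added example not from the study guide: a minimal dissector for Ethernet II / IPv4 / TCP frames and an audit pass that flags cleartext logins (FTP, Telnet, POP3) in a capture so those services can be moved onto encrypted protocols; password values are reported as redacted. The frame builder, addresses and the three-frame sample capture are constructed for the example.

```python
import struct


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip4(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble Ethernet II + IPv4 (no options) + TCP (no options) around a payload.
    Checksums are left at zero; a dissector does not need them to read the headers."""
    eth = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00"          # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, _ip4(src_ip), _ip4(dst_ip))    # version 4, IHL 5, proto 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode the headers the way a protocol analyzer's dissector does.
    Returns None for anything that is not IPv4 over Ethernet carrying TCP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or len(ip) < ihl or ip[9] != 6:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": tcp[data_offset:]}


CLEARTEXT_LOGIN_PORTS = {21: "FTP", 23: "Telnet", 110: "POP3"}


def find_cleartext_logins(frames):
    """Report USER/PASS exchanges on cleartext ports as (src, dst, service, command, value).
    Password values are never returned; the finding is that they crossed the wire in the clear."""
    findings = []
    for frame in frames:
        p = parse_frame(frame)
        if p is None or p["dport"] not in CLEARTEXT_LOGIN_PORTS:
            continue
        service = CLEARTEXT_LOGIN_PORTS[p["dport"]]
        for line in p["payload"].split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                findings.append((p["src"], p["dst"], service, "USER", arg.decode("ascii", "replace")))
            elif cmd.upper() == b"PASS":
                findings.append((p["src"], p["dst"], service, "PASS", "<redacted>"))
    return findings


# Constructed sample capture: one client talking to one server, three frames.
_CLIENT = ("00:11:22:33:44:55", "10.0.0.5")
_SERVER = ("66:77:88:99:aa:bb", "10.0.0.9")


def _client_to_server(sport, dport, payload):
    return build_frame(_CLIENT[0], _SERVER[0], _CLIENT[1], _SERVER[1], sport, dport, payload)


SAMPLE_FRAMES = [
    _client_to_server(40001, 21, b"USER alice\r\n"),
    _client_to_server(40001, 21, b"PASS hunter2\r\n"),
    _client_to_server(40002, 443, b"\x16\x03\x01\x00\x10"),  # TLS record: opaque to the sniffer
]
```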

Security Zones

Although different components can be effectively used together in a network, in some instances they need to be used completely separately from each other. You must imagine the different pieces that make up a network as discrete network segments holding systems that share common requirements. These are sometimes called security zones, and some of these common requirements can be as follows:

■ The types of information the zone handles
■ Who uses the zone
■ What levels of security the zone requires to protect its data

Exam warning

A security zone is defined as any portion of a network that has specific security concerns or requirements. Intranets, extranets, DMZs, and VLANs are all security zones.

It is possible to have systems in a zone running different protocols and OSs, such as Windows and NetWare. The type of computer, whether a PC, server, or mainframe, is not as important as the security needs of the computer. For example, there is a network that uses Windows 2003 Servers as domain controllers, Domain Name System (DNS) servers, and Dynamic Host Control Protocol (DHCP) servers. There are also Windows XP Professional clients and NetWare 6.5 file servers on the network. Some users may be using Macintosh computers running OS X or OS 9, while others may be running one or more types of Linux or UNIX. This is an extremely varied network, but it may still only have one or two security zones. The key is that the type of a computer and its OS are not as important with regard to security zones as where the machines may reside in the environment. Each of these components helps to make up your network topology and, if used correctly, can assist you in creating a safe and effective network design.

For example, suppose you have an e-commerce application that uses Microsoft’s Internet Information Server (IIS) running a custom Active Server Page (ASP) application, which calls on a second set of servers hosting custom COM+ components, which in turn interacts with a third set of servers

Posted: 04/07/2014, 13:21