CHAPTER 9: Security Standards and Services 416

documentation as the Assigned Call ID), which is a unique identifier for the call being attempted. A final Outgoing-Call-Connected message completes the handshake, and data can flow, marked with the Tunnel IDs and Call ID to ensure that it can be uniquely distinguished from other traffic. Again, as in the PPTP case, there is a message to disconnect a call and a message to disconnect a tunnel – these are the Call-Disconnect-Notify and Stop-Control-Connection-Notification messages.

If it sounds like L2TP is PPTP with a few different names, that’s because L2TP was designed to include the best features of PPTP and Cisco’s Layer 2 Forwarding (L2F) Protocol. L2TP’s main usability benefit comes from its use of a single pseudo-connection over a protocol that is forwarded by most routers: UDP. L2TP’s biggest security benefit also comes from the use of a well-defined protocol: Internet Protocol Security (IPsec). L2TP is most often used as a VPN by combining it with IPsec ESP, so that VPN traffic is encapsulated in five layers (see Figure 9.8):

1. PPP
2. L2TP
3. UDP
4. IPsec ESP
5. IP

Although this might sound confusing, the L2TP/IPsec VPN is a common method of maintaining trusted and encrypted connections from machine to machine across uncontrolled external networks.

FIGURE 9.8 L2TP/IPsec Packet Showing Multiple Levels of Encapsulation.

NETWORK PORTS, SERVICES, AND THREATS

In this section, we discuss network ports, network services, and potential threats to your network. To properly protect your network, you need to first identify the existing vulnerabilities. As we will discuss, knowing what exists in your network is the best first defense. By identifying ports that are open but may not be in use, you will be able to begin to close the peepholes into your network from the outside world.
By monitoring required services and removing all others, you reduce the opportunity for attack and begin to make your environment more predictable. Also, by becoming familiar with common network threats that exist today, you can take measures to prepare your environment to stand against these threats. The easiest way for a hacker to get into your environment is to exploit known vulnerabilities. By understanding how these threats work, you will be able to safeguard against them as best as possible and be ready for when new threats arise.

Network Ports and Protocols

Unnecessary network ports and protocols in your environment should be eliminated whenever possible. Many of our internal networks today use TCP/IP as the primary protocol, so for most that means eliminating the following protocols: Internetwork Packet Exchange (IPX), Sequenced Packet Exchange (SPX), and/or NetBIOS Extended User Interface (NetBEUI). It is also important to look at the specific operational protocols used in a network, such as Internet Control Message Protocol (ICMP), Internet Group Management Protocol (IGMP), Service Advertising Protocol (SAP), and the Network Basic Input/Output System (NetBIOS) functionality associated with Server Message Block (SMB) transmissions in Windows-based systems.

Although you are considering removal of nonessential protocols, it is important to look at every area of the network to determine what is actually occurring and running on the system. The appropriate tools are needed to do this, and the Internet contains a wealth of resources for tools and information to analyze and inspect systems. A number of functional (and free) tools can be found at sites such as www.foundstone.com/knowledge/free_tools.html. Among these, tools like SuperScan 3.0 are extremely useful in the evaluation process. Monitoring a mixed environment of Windows, UNIX, Linux, and/or NetWare machines can be accomplished using tools such as Big Brother, which may be downloaded and evaluated (or in some cases used without charge) by visiting www.bb4.com, or Nagios, which can be found at www.nagios.org. Another useful tool is Nmap, a port scanner, which is available at http://insecure.org/nmap/. These tools can be used to scan, monitor, and report on multiple platforms, giving a better view of what is present in an environment.

NOTES FROM THE FIELD … Eliminate External NetBIOS Traffic

One of the most common methods of obtaining access to a Windows-based system and then gaining control of that system is through NetBIOS traffic. Windows-based systems use NetBIOS in conjunction with SMB to exchange service information and establish secure channel communications between machines for session maintenance. If file and print sharing is enabled on a Windows computer, NetBIOS traffic can be viewed on the external network unless it has been disabled on the external interface. With the proliferation of digital subscriber line (DSL), broadband, and other “always-on” connections to the Internet, it is vital that this functionality be disabled on all interfaces exposed to the Internet.

In UNIX and Linux-based systems, nonessential services can be controlled in a variety of ways depending on the distribution being worked with. This may include editing or making changes in configuration files such as xinetd.conf or inetd.conf, the use of graphical administration tools such as linuxconf or webmin in Linux, or the use of facilities such as svcadm in Solaris. It may also include the use of ipchains, iptables, pf, or ipfilter in various versions to restrict the options available for connection at a firewall. Modern Windows-based platforms allow the configuration of OS and network services from provided administrative tools.
These tools include a service applet in a control panel or a Microsoft Management Console (MMC) tool in a Windows XP/Vista/2003/2008 environment. It may also be possible to check or modify configurations at the network adapter properties and configuration pages. In either case, it is important to restrict access and thus limit vulnerability due to unused or unnecessary services or protocols.

Let’s take a moment to use a tool to check what protocols and services are running on systems in a network. This will give you an idea of what you are working with. Exercise 9.3 uses Nmap to look at the configuration of a network, specifically to generate a discussion and overview of the services and protocols that might be considered when thinking about restricting access at various levels. Nmap is used to scan ports, and while it is not a full-blown security scanner, it can identify additional information about a service that can be used to determine an exploit that could be effective. Security scanners that can be used to detail existing vulnerabilities include products such as Nessus and LANguard Network Security Scanner. On UNIX-based platforms, a number of evaluation tools have been developed, such as Amap, P0f, and Nessus, which can perform a variety of port and security scans. In Exercise 9.3, you will scan a network to identify potential vulnerabilities.

Note
As you begin to evaluate the need to remove protocols and services, make sure that the items you are removing are within your area of control. Consult with your system administrator on the appropriate action to take, and make sure you have prepared a plan to back out and recover if you find that you have removed something that is later deemed necessary, or if you make a mistake.

EXERCISE 9.3 Scanning for Vulnerabilities

In this exercise, you will examine a network to identify open ports and what could be the potential problems or holes in specific systems.
In this exercise, you are going to use Nmap, which you can download and install for free prior to starting the exercise by going to http://insecure.org/nmap/download.html and selecting the download tool. This tool is available for Windows or Linux computers. To begin the exercise, launch Nmap from the command line. You want to make sure that you install the program into a folder that is in the path or that you open it from the installed folder. When you have opened a command line prompt, complete the exercise by performing the following steps:

1. From the command line, type nmap. This should generate the following response:

    C:\>nmap
    Nmap V. 4.20
    Usage: nmap [Scan Type(s)] [Options] <host or net list>
    Some Common Scan Types ('*' options require root privileges)
    * -sS TCP SYN stealth port scan (default if privileged (root))
      -sT TCP connect() port scan (default for unprivileged users)
    * -sU UDP port scan
      -sP ping scan (find any reachable machines)
    * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
      -sR/-I RPC/Identd scan (use with other scan types)
    Some Common Options (none are required, most can be combined):
    * -O Use TCP/IP fingerprinting to guess remote operating system
      -p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
      -F Only scans ports listed in nmap-services
      -v Verbose. Its use is recommended. Use twice for greater effect.
      -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
    * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
      -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
      -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
      -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
      -iL <inputfile> Get targets from file; Use '-' for stdin
    * -S <your_IP>/-e <devicename> Specify source address or network interface
      --interactive Go into interactive mode (then press h for help)
      --win_help Windows-specific features
    Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'

2. This should give you some idea of some of the types of scans that Nmap can perform. Notice the first and second entries. The -sS is a TCP stealth scan, and the -sT is a TCP full connect. The difference between these is that the stealth scan does only two of the three steps of the TCP handshake, while the full connect scan does all three steps and is slightly more reliable.

3. Now run Nmap with the -sT option and configure it to scan the entire subnet. The following gives an example of the proper syntax:

    C:\>nmap -sT 192.168.1.1-254

4. The scan may take some time. On a large network, expect the tool to take longer, as there will be many hosts for it to scan.

5. When the scan is complete, the results will be returned and will look similar to those shown here:

    Interesting ports on (192.168.1.17):
    (The 1,600 ports scanned but not shown below are in state: filtered)
    Port       State   Service
    80/tcp     open    http

    Interesting ports on (192.168.1.18):
    (The 1,594 ports scanned but not shown below are in state: filtered)
    Port       State   Service
    80/tcp     open    http
    139/tcp    open    netbios-ssn
    445/tcp    open    printer
    9100/tcp   open    jetdirect
    9111/tcp   open    DragonIDSConsole
    9152/tcp   open    ms-sql2000

    Interesting ports on (192.168.1.19):
    (The 1,594 ports scanned but not shown below are in state: filtered)
    Port       State   Service
    80/tcp     open    http
    9100/tcp   open    jetdirect
    9112/tcp   open    DragonIDSSensor
    9152/tcp   open    ms-sql2000

    Interesting ports on VENUS (192.168.1.20):
    (The 1,596 ports scanned but not shown below are in state: filtered)
    Port       State   Service
    135/tcp    open    loc-srv
    139/tcp    open    netbios-ssn
    445/tcp    open    microsoft-ds

    Interesting ports on PLUTO (192.168.1.21):
    (The 1,596 ports scanned but not shown below are in state: filtered)
    Port       State   Service
    21/tcp     open    ftp
    80/tcp     open    http
    139/tcp    open    netbios-ssn
    515/tcp    open    printer

    Interesting ports on (192.168.1.25):
    (The 1,598 ports scanned but not shown below are in state: filtered)
    Port       State   Service
    23/tcp     open    Telnet
    69/udp     open    tftp
    80/tcp     open    http

    Nmap run completed – 254 IP addresses (six hosts up) scanned in 2528 s

In the example shown above, notice how you can see the ports that were identified on each system. Although this is the same type of tool that would be used by an attacker, it’s also a valuable tool for the security professional. You can see from the example that there are a number of ports open on each of the hosts that were probed. Remember that these machines are in an internal network, so some of these ports should be allowed. The question as to whether or not the ports should be open should lead us back to a discussion involving environmental policy and risk assessment.
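The scan listing above is only useful once it is compared against what policy says each host may expose. The following Python script is an added example and is not part of the book or of Nmap: it parses the “Interesting ports on …” layout that Nmap 4.x printed, compares the open ports per host against an assumed policy table, and reports both ports that should not be open and permitted ports that were not seen. The sample input is three hosts copied from the listing above, and the POLICY table is a constructed assumption for the example.

```python
import re
from typing import Dict, List, Set, Tuple

Port = Tuple[int, str]  # (port number, "tcp" | "udp")

# Constructed sample input: three hosts copied from the Exercise 9.3 listing,
# in the same "Interesting ports on ..." layout nmap 4.x printed.
SCAN_OUTPUT = """\
Interesting ports on (192.168.1.17):
(The 1,600 ports scanned but not shown below are in state: filtered)
Port       State   Service
80/tcp     open    http

Interesting ports on VENUS (192.168.1.20):
(The 1,596 ports scanned but not shown below are in state: filtered)
Port       State   Service
135/tcp    open    loc-srv
139/tcp    open    netbios-ssn
445/tcp    open    microsoft-ds

Interesting ports on (192.168.1.25):
(The 1,598 ports scanned but not shown below are in state: filtered)
Port       State   Service
23/tcp     open    Telnet
69/udp     open    tftp
80/tcp     open    http

Nmap run completed -- 254 IP addresses (3 hosts up) scanned in 2528 seconds
"""

# Assumed policy for this example: the ports each host is permitted to expose.
# A host missing from the policy is treated as "nothing permitted".
POLICY: Dict[str, Set[Port]] = {
    "192.168.1.17": {(80, "tcp")},
    "192.168.1.20": {(135, "tcp"), (139, "tcp"), (445, "tcp")},
    "192.168.1.25": {(80, "tcp")},
}

HOST_RE = re.compile(r"^Interesting ports on (?:\S+ )?\((\d{1,3}(?:\.\d{1,3}){3})\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_nmap_output(text: str) -> Dict[str, Dict[Port, str]]:
    """Map each scanned IP to its open ports: {ip: {(port, proto): service}}."""
    hosts: Dict[str, Dict[Port, str]] = {}
    current = None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1)
            hosts.setdefault(current, {})
            continue
        port = PORT_RE.match(line)
        if port and current and port.group(3).lower() == "open":
            hosts[current][(int(port.group(1)), port.group(2))] = port.group(4)
    return hosts


def compare_to_policy(observed: Dict[str, Dict[Port, str]],
                      policy: Dict[str, Set[Port]]) -> Dict[str, Dict[str, List[Port]]]:
    """Per host, list open ports the policy does not permit ("unexpected") and
    permitted ports the scan did not see open ("missing").  Hosts that match
    the policy exactly are omitted, so an empty result means "in compliance"."""
    findings: Dict[str, Dict[str, List[Port]]] = {}
    for ip in sorted(set(observed) | set(policy)):
        open_ports = set(observed.get(ip, {}))
        allowed = policy.get(ip, set())
        unexpected = sorted(open_ports - allowed)
        # A host that did not answer the scan tells us nothing about its ports.
        missing = sorted(allowed - open_ports) if ip in observed else []
        if unexpected or missing:
            findings[ip] = {"unexpected": unexpected, "missing": missing}
    return findings


def report(findings: Dict[str, Dict[str, List[Port]]]) -> List[str]:
    """Render findings as one line per host, suitable for a ticket or a log."""
    lines = []
    for ip, f in findings.items():
        extra = ", ".join(f"{p}/{proto}" for p, proto in f["unexpected"]) or "none"
        gone = ", ".join(f"{p}/{proto}" for p, proto in f["missing"]) or "none"
        lines.append(f"{ip}: unexpected open [{extra}]; expected but not open [{gone}]")
    return lines


if __name__ == "__main__":
    for line in report(compare_to_policy(parse_nmap_output(SCAN_OUTPUT), POLICY)):
        print(line)
```

Run against the sample, only 192.168.1.25 is reported, for its Telnet and TFTP listeners; a host that is absent from the policy has every open port flagged, which is the safe default when the baseline is still being built.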
If nothing else, this type of tool can allow us to see if our hardening activities have worked and verify that no one has opened services on a system that are not allowed. Even for ports that are allowed and have been identified by scanning tools, decisions must be made as to which of these ports are likely to be vulnerable, and then the risks of the vulnerability weighed against the need for the particular service connected to that port. Port vulnerabilities are constantly updated by various vendors and should be reviewed and evaluated for risk at regular intervals to reduce potential problems.

It is important to remember that scans of a network should be conducted initially to develop a baseline of what services and protocols are active on the network. From there, the work begins to pare down which of the identified services must stay active and which can be eliminated. Once the network has been secured according to policy, these scans should be conducted on a periodic basis to ensure that the network is in compliance with policy.

Test Day Tip
Spend a few minutes reviewing port and protocol numbers for standard services provided in the network environment. This will help when you are analyzing questions that require configuration of access control lists (ACLs) and determinations of appropriate blocks to install to secure a network.

Network Threats

Network threats exist in today’s world in many forms. It seems as if the more creative network administrators become in protecting their environments, the more creative hackers and script kiddies become at innovating ways to get past the most admirable security efforts. One of the more exciting and dynamic aspects of network security relates to the threat of attacks. A great deal of media attention and many vendor product offerings have been targeting attacks and attack methodologies. This is perhaps the reason that CompTIA has been focusing many questions in this particular area.
Although there are many different varieties and methods of attack, they all can be generally grouped into several categories:

- By the general target of the attack (application, network, or mixed)
- By whether the attack is active or passive
- By how the attack works (for example, via password cracking or by exploiting code and cryptographic algorithms)

It’s important to realize that the boundaries between these three categories aren’t fixed. As attacks become more complex, they tend to be both application-based and network-based, which has spawned the new term mixed threat applications. An example of such an attack can be seen in the MyDoom worm, which targeted Windows machines in 2004. Victims received an e-mail indicating a delivery error, and if they executed the attached file, MyDoom would take over. The compromised machine would reproduce the attack by sending the e-mail to contacts in the user’s address book and by copying the attachment to peer-to-peer (P2P) sharing directories. It would also open a backdoor on port 3127 and try to launch a denial of service (DoS) attack against organizations such as The SCO Group or Microsoft. So, as attackers get more creative, we have seen more and more combined and sophisticated threats. In the next few sections, we will detail some of the most common network threats and attack techniques so that you can be aware of them and understand how to recognize their symptoms and thereby devise a plan to thwart attack.

HEAD OF THE CLASS… Attack Methodologies in Plain English

In this section, we’ve listed network attacks, application attacks, and mixed threat attacks, and within those are included buffer overflows, DDoS attacks, fragmentation attacks, and theft of service attacks. Although the list of descriptions might look overwhelming, generally the names are self-explanatory. For example, consider a DoS attack. As its name implies, this attack is designed to do just one thing – render a computer or network nonfunctional so as to deny service to its legitimate users. That’s it. So, a DoS attack could be as simple as unplugging machines at random in a data center or as complex as organizing an army of hacked computers to send packets to a single host to overwhelm it and shut down its communications. Another term that has caused some confusion is a mixed threat attack. This simply describes any type of attack that is comprised of two different, smaller attacks. For example, an attack that goes after Outlook clients, and then sets up a bootleg music server on the victim machine, is classified as a mixed threat attack.

TCP/IP Hijacking

TCP/IP hijacking, or session hijacking, is a problem that has appeared in most TCP/IP-based applications, ranging from simple Telnet sessions to Web-based e-commerce applications. To hijack a TCP/IP connection, a malicious user must first have the ability to intercept a legitimate user’s data, and then insert himself or herself into that session, much like a man-in-the-middle (MITM) attack. A tool known as Hunt (www.packetstormsecurity.org/sniffers/hunt/) is very commonly used to monitor and hijack sessions. It works especially well on basic Telnet or FTP sessions.

A more interesting and malicious form of session hijacking involves Web-based applications (especially e-commerce and other applications that rely heavily on cookies to maintain session state). The first scenario involves hijacking a user’s cookie, which is normally used to store login credentials and other sensitive information, and using that cookie to then access that user’s session. The legitimate user will simply receive a “session expired” or “login failed” message and probably will not even be aware that anything suspicious happened. The other issue with Web server applications that can lead to session hijacking is incorrectly configured session timeouts.
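The two Web-application weaknesses just described, guessable session identifiers and overly generous session timeouts, both live in the server’s session handling. The following Python module is an added example, not code from the book or from any product it names: it contrasts a sequential session ID with one drawn from the operating system’s CSPRNG, keeps sessions in a server-side table with an idle timeout, and builds the Set-Cookie header with the Secure and HttpOnly attributes. The 15-minute timeout value and the cookie name are assumptions made for the example, and the clock is injectable only so the expiry path can be exercised without waiting.

```python
import itertools
import secrets
import time
from typing import Callable, Dict, Optional

# Assumed policy value for this example: log a session out after 15 idle minutes.
IDLE_TIMEOUT_SECONDS = 15 * 60

# Weak scheme, shown only for contrast: a sequential counter.  Seeing one ID
# tells an observer what the neighbouring live sessions are called.
_counter = itertools.count(1000)


def predictable_session_id() -> str:
    return str(next(_counter))


def secure_session_id() -> str:
    """128 bits from the OS CSPRNG, URL-safe: nothing to predict or enumerate."""
    return secrets.token_urlsafe(16)


class SessionStore:
    """Server-side session table keyed by an unguessable ID, with an idle timeout."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock            # injectable so the timeout can be tested
        self._sessions: Dict[str, dict] = {}

    def create(self, username: str) -> str:
        sid = secure_session_id()
        self._sessions[sid] = {"user": username, "last_seen": self.clock()}
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user behind a live session; None for unknown or expired IDs.
        An expired entry is deleted, which is the "session expired" path the text describes."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self.clock()   # activity extends the session
        return entry["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh ID for the same user (call right after login) so an ID
        observed before authentication is worthless afterwards."""
        user = self.lookup(sid)
        if user is None:
            return None
        self.logout(sid)
        return self.create(user)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: Secure keeps it on SSL/TLS, HttpOnly keeps it from scripts,
    SameSite=Strict stops cross-site requests from carrying it."""
    return f"sessionid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

The cookie itself carries nothing but the random handle; the username and any other state stay in the server-side table, so a stolen cookie reveals nothing beyond the handle and stops working as soon as the session is logged out or idles past the timeout.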
A Web application is typically configured to time out a user’s session after a set period of inactivity. If this timeout is too large, it leaves a window of opportunity for an attacker to potentially use a hijacked cookie or even predict a session ID number and hijack a user’s session.

To prevent these types of attacks, as with other TCP/IP-based attacks, the use of encrypted sessions is key; in the case of Web applications, unique and pseudorandom session IDs and cookies should be used along with SSL encryption. This makes it harder for attackers to guess the appropriate sequence to insert into connections or to intercept communications that are encrypted during transit.

Null Sessions

Null sessions are unauthenticated connections. When someone attempts to connect to a Windows machine and does not present credentials, they can potentially successfully connect as an anonymous user, thus creating a Null session. Null sessions present a vulnerability, in that once someone has successfully connected to a machine, there is a lot to be learned about the machine. The more that is exposed about the machine, the more ammunition a hacker will have to attempt to gain further access. For instance, in Windows NT/2000, content about the local machine SAM database was potentially accessible from a Null session. Once someone has obtained information about local usernames, they can then launch a brute force or dictionary attack in an attempt to gain additional access to the machine. Null sessions can be controlled to some degree with registry hacks that can be deployed out to your machines, but the version of Windows OS will dictate what can be configured for Null session behavior on your machine.

IP Spoofing

The most classic example of spoofing is IP spoofing. TCP/IP requires that every host fills in its own source address on packets, and there are almost no measures in place to stop hosts from lying.
Spoofing, by definition, is always intentional. However, the fact that some malfunctions and misconfigurations can cause the exact same effect as an intentional spoof causes difficulty in determining whether an incorrect address indicates a spoof.

Spoofing is a result of some inherent flaws in TCP/IP. TCP/IP basically assumes that all computers are telling the truth. There is little or no checking done to verify that a packet really comes from the address indicated in the IP header. When the protocols were being designed in the late 1960s, engineers didn’t anticipate that anyone would or could use the protocol maliciously. In fact, one engineer at the time described the system as flawless because “computers don’t lie.” There are different types of IP spoofing attacks. These include blind spoofing attacks, in which the attacker can only send packets and has to make assumptions or guesses about replies, and informed attacks, in which the attacker can monitor, and therefore participate in, bidirectional communications.

There are ways to combat spoofing, however. Stateful firewalls usually have spoofing protection whereby they define which IPs are allowed to originate on each of their interfaces. If a packet claims to be from a network specified as belonging to a different interface, the packet is quickly dropped. This protects from both blind and informed attacks. An easy way to defeat blind spoofing attacks is to disable source routing in your network at your firewall, at your router, or both. Source routing is, in short, a way to tell your packet to take the same path back that it took while going forward. This information is contained in the packet’s IP options, and disabling this will prevent attackers from using it to get responses back from their spoofed packets.

Spoofing is not always malicious. Some network redundancy schemes rely on automated spoofing to take over the identity of a downed server.
This is due to the fact that the networking technologies never accounted for the need for one server to take over for another.
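The two firewall defenses described in the IP Spoofing section, an interface-to-network table that drops packets claiming a source that belongs to a different interface, and the rejection of source-routed packets, can be written down as a small ingress filter. The following Python is an added example and not code from the book or from any firewall product; the interface names, the address ranges, and the decision strings are constructed for the example. It goes one step beyond the text’s rule by also dropping packets on an internal interface whose source is not assigned to that interface at all, and by rejecting loopback, unspecified, and multicast sources, which can never be legitimate senders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPNet = ipaddress.IPv4Network

# Constructed interface table for this example: the source networks that may
# legitimately originate on each interface of the firewall.  "outside" owns
# no networks; anything not claimed by an internal interface may arrive there.
INTERFACE_NETWORKS: Dict[str, List[IPNet]] = {
    "inside":  [ipaddress.ip_network("192.168.1.0/24")],
    "dmz":     [ipaddress.ip_network("10.0.5.0/24")],
    "outside": [],
}

# IP option names for loose and strict source routing (RFC 791).
SOURCE_ROUTE_OPTIONS = {"LSRR", "SSRR"}


@dataclass
class Packet:
    iface: str                      # interface the packet arrived on
    src: str
    dst: str
    ip_options: List[str] = field(default_factory=list)


def owning_interface(src: ipaddress.IPv4Address) -> Optional[str]:
    """Interface whose configured networks contain src, or None if unclaimed."""
    for iface, nets in INTERFACE_NETWORKS.items():
        if any(src in net for net in nets):
            return iface
    return None


def ingress_decision(pkt: Packet) -> str:
    """Anti-spoofing check applied before any stateful or ACL processing.
    Returns "accept" or a "drop: <reason>" string fit for the firewall log."""
    if pkt.iface not in INTERFACE_NETWORKS:
        return "drop: unknown interface"
    if SOURCE_ROUTE_OPTIONS & set(pkt.ip_options):
        return "drop: source-routed"                # the blind-spoof reply channel
    src = ipaddress.ip_address(pkt.src)
    if src.is_loopback or src.is_unspecified or src.is_multicast:
        return "drop: invalid source"               # can never be a real sender
    owner = owning_interface(src)
    if owner is not None and owner != pkt.iface:
        # The rule from the text: the source belongs to another interface.
        return f"drop: spoofed source (belongs to {owner})"
    if owner is None and INTERFACE_NETWORKS[pkt.iface]:
        # Stricter than the text: internal interfaces only originate their own networks.
        return f"drop: source not assigned to interface {pkt.iface}"
    return "accept"


def filter_packets(packets: List[Packet]) -> List[str]:
    """One log line per packet, in arrival order."""
    return [f"{p.iface} {p.src} -> {p.dst}: {ingress_decision(p)}" for p in packets]


if __name__ == "__main__":
    # Constructed traffic: one legitimate Internet packet, one spoofing the inside network.
    for line in filter_packets([
        Packet("outside", "203.0.113.7", "192.168.1.10"),
        Packet("outside", "192.168.1.5", "192.168.1.10"),
        Packet("outside", "203.0.113.7", "192.168.1.10", ["LSRR"]),
    ]):
        print(line)
```

The check is deliberately placed before connection tracking: a spoofed SYN that is dropped here never creates state, so it cannot be used to pre-seed the firewall’s session table, and every drop reason is distinct so the log can separate misconfigured internal hosts from traffic that was never meant to reach the interface it arrived on.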