Security+ Series Part 4: Protocols and Ports

Welcome back to part 4 of the Security+ series. As promised, in this part we are going to look at the protocols and ports our apps use to communicate across the network. Without any further trash talk, let's get started.

IPSec

I mentioned IPSec when we described Virtual Private Networks. It is not a single protocol but rather a protocol family. IPSec's job is to provide authentication, confidentiality, integrity and anti-replay protection for traffic on the move from one point to another.

To achieve authentication, several methods can be used, from simple pre-shared keys and RSA signatures to digital certificates.

Data confidentiality is definitely a high priority. IPSec can utilize industry standard protocols such as DES, 3DES or AES. Advanced Encryption Standard is the most recent and is the recommended one among the three. The way it works is that IPSec wraps your data into an Encapsulating Security Payload and encrypts everything inside, so a man in the middle would have a hard time putting the original message together.

Message integrity checks that no one tampered with your payload during transit. For this purpose, hashing algorithms are used. They perform a one-way mathematical function on the data and spit out a unique string of characters, the hash. The receiving party runs the same algorithm against the data and compares the hashes. If they match, the data did not change. The most popular hashing standards are MD5 and SHA.

Frenzy, one of the Decepticons, steals data from Air Force One and sends it to Megatron over an IPSec tunnel. The Feds have no clue what they are cooking out there.

SNMP

Simple Network Management Protocol, also known as Security is Not My Problem, is used for network device management. It uses a put and pull model. Every value in the device is stored in the Management Information Base (MIB). These MIBs have a structure. A value can be anything from CPU utilization or the RX/TX rate on an interface to even a password. These values are protected by read-only or write community strings. SNMP is used by management solutions such as Cacti, Cisco's Prime Infrastructure and many others.

These guys get their favorite monitoring sitcom via SNMP.

The bad thing about SNMP version 1 and version 2c is that they do not encrypt any communication between the server and the SNMP agent (device). If someone plays a man in the middle game, they can easily grab the strings, and that is game over, my friends.

It is recommended to use version 3, which adds more robust authentication mechanisms as well as encryption and message integrity. Add an access control list on top of that and you are on the right track. SNMP uses TCP port 161 for GET/SET operations and TCP port 162 for Traps.

There are more options for managing security devices. An example is Security Device Event Exchange (SDEE). SDEE uses TCP port 443.

snmpwalk pulling stuff out of a box.

Telnet

Telnet is a legacy protocol but still used on a lot of networks for remote device administration, or for watching cool movies. It was invented back in 1968. It is lightweight and does not provide any data confidentiality. It is not recommended to use Telnet anymore; SSH is the better option. Telnet uses TCP port 23.

Star Wars Episode IV, ASCII edition. This is how the new Episode VII will be shot.

SSH

Secure Shell is the most widely used remote access protocol in the wild. It brings encryption to the table and is used for remote device management. An engineer would use it to connect to a remote router, or a scripting tool can use it to perform repeatable tasks on the box. The most popular SSH clients include PuTTY and SecureCRT. SSH uses TCP port 22.

PuTTY is simple, very customizable and free.

RDP

Remote Desktop Protocol is often used for remote graphical administration of Windows-based systems. It was developed by Microsoft and provides data confidentiality and authentication using TLS from version 5.2. The server listens on TCP port 3389.

Connecting to an NSA surveillance server via RDP

I am connecting to a remote server in the NSA domain

DNS

Without DNS there is no Internet, and without the Internet there is no DNS. The Domain Name System plays a huge role. It helps us translate human-readable names into IP addresses. For example, when you hit google.com you are really connecting to one of the many addresses that the service is running on. DNS can also be used for load sharing.

There are two types of DNS traffic out there: client-to-server traffic, which uses UDP port 53, and server-to-server traffic such as zone transfers, which uses TCP port 53. It is important to keep DNS secure and available, since many other things depend on it.

DNS packets displayed in the popular traffic capture tool Wireshark.

SSL

Secure Sockets Layer is a protocol used for encrypting connections over the Internet. For example, it is used when you communicate with your bank or a social network. You can see the presence of this layer in your browser, often noted by a lock or the https prefix in the URL. SSL negotiates a secure connection between two parties: client and server negotiate what kind of encryption, hashing and authentication they will use. This security model is tightly related to Public Key Infrastructure (PKI). We will touch on this more in later parts. Besides HTTPS on TCP port 443, other protocols can take advantage of the SSL service.

The bank uses a digital certificate to prove its identity and build a secure connection.

TLS

Transport Layer Security is also a cryptographic protocol, like SSL. It is the open standard successor, created by the IETF. It operates very similarly to SSL, and you may see these terms often used interchangeably. Client and server can negotiate which protocol they are going to use, SSL or TLS.

Bank's digital certificate details.

Bank’s secure connection details.

TCP/IP

The famous TCP/IP started it all. The term refers to a protocol stack, naming the two most used protocols, which work together. Transmission Control Protocol takes care of reliable packet delivery, sequencing, flow control and session multiplexing. The Internet Protocol on the other hand handles logical addressing and routing.

TCP and IP are like the characters in Army of Two. They work with each other.

IPv4

Internet Protocol version 4 is in charge of logical addressing. The most common analogy for this protocol is your mailing address. For someone to send you a letter, they need to know your address. They write this destination address on an envelope along with the source address, in case you want to reply to the letter. IP does the same, except it uses numeric 32-bit values.

For us humans it would be hard to remember an address like this:

11001100100001000010100010011011

Therefore we tend to divide this number into octets, or groups of 8 bits, like this:

11001100.10000100.00101000.10011011

And then convert each group of 8 bits into decimal. This gives us the IP address:

204.132.40.155

IP addresses are then divided into a network and a host portion. Routers work with this information to route packets the right way, the same way as mail services route letters. Besides logical addressing, there are some extra features in the IPv4 header like error checking and options.
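The conversion worked through above, as an added example that is not part of the original post: it turns the 32-bit value from the text into dotted decimal and back, and goes one step further by splitting the address into the network and host portion for a given prefix length (the prefix lengths used are assumptions for illustration).

```python
# Added example (not from the post): the binary -> dotted-decimal conversion worked
# through above, extended with the network/host split the text mentions.
BINARY_ADDR = "11001100100001000010100010011011"   # the 32-bit value from the post

def split_octets(bits: str) -> list:
    """Group a 32-bit string into four 8-bit octets, rejecting anything else."""
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 32 binary digits")
    return [bits[i:i + 8] for i in range(0, 32, 8)]

def to_dotted(bits: str) -> str:
    """'11001100...' -> '204.132.40.155'"""
    return ".".join(str(int(octet, 2)) for octet in split_octets(bits))

def to_binary(dotted: str) -> str:
    """'204.132.40.155' -> '11001100.10000100.00101000.10011011'"""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a valid IPv4 dotted-decimal address")
    return ".".join(f"{o:08b}" for o in octets)

def network_host(dotted: str, prefix_len: int) -> dict:
    """Split an address into the network and host portion for a /prefix_len mask,
    the information a router actually uses to pick a route."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    addr = int(to_binary(dotted).replace(".", ""), 2)
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

    def fmt(value: int) -> str:           # 32-bit int back to dotted decimal
        return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

    return {"network": fmt(addr & mask), "mask": fmt(mask),
            "host_bits": addr & ~mask & 0xFFFFFFFF,
            "broadcast": fmt(addr | (~mask & 0xFFFFFFFF))}
```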

An IP packet is like a letter. It has its source and destination address.

IPv6

The next generation Internet Protocol brings an extended address space and more efficient header usage. Its header is twice as big as the IPv4 header, 40 bytes. It provides a 128-bit addressing space, which is a huge extension: 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.

The header itself was rewritten to omit some fields like fragmentation and the header checksum, and fields called Flow Label and Next Header were added. The header is much more modular now.
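To make the header comparison concrete, here is an added example (my own code, not from the post) that builds and parses the fixed IPv4 and IPv6 headers with Python's struct module: the IPv4 side carries and verifies the header checksum the text calls error checking, while the IPv6 side has no checksum or fragmentation fields and exposes Flow Label and Next Header instead. The sample addresses other than 204.132.40.155 are constructed assumptions.

```python
import socket
import struct

# Constructed sample values (not captured traffic). The IPv4 source is the address
# worked through in the IPv4 section; the other addresses are assumptions.
IPV4_SRC, IPV4_DST = "204.132.40.155", "10.0.0.1"
IPV6_SRC, IPV6_DST = "2001:db8::1", "2001:db8::2"
V4_FMT, V6_FMT = "!BBHHHBBH4s4s", "!IHBB16s16s"   # fixed 20-byte and 40-byte layouts

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; the checksum field must be
    zero when computing, and the result is zero when verifying an intact header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    # Version 4 / IHL 5, identification 0x1234, DF flag set, TTL 64, checksum zeroed.
    hdr = struct.pack(V4_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(raw: bytes) -> dict:
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(V4_FMT, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes (options included)
    return {"version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len,
            "ttl": ttl, "protocol": proto,
            "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,   # the error checking field
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}

def build_ipv6_header(src: str, dst: str, payload_len: int, next_header: int = 17,
                      flow_label: int = 0xABCDE) -> bytes:
    # First 32 bits: version (4) | traffic class (8) | flow label (20).
    first_word = (6 << 28) | (0 << 20) | (flow_label & 0xFFFFF)
    return struct.pack(V6_FMT, first_word, payload_len, next_header, 64,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))

def parse_ipv6_header(raw: bytes) -> dict:
    # No checksum and no fragmentation fields: fragmentation moved to an extension
    # header chained through Next Header, integrity is left to the upper layer.
    first_word, plen, nxt, hops, src, dst = struct.unpack(V6_FMT, raw[:40])
    return {"version": first_word >> 28, "traffic_class": (first_word >> 20) & 0xFF,
            "flow_label": first_word & 0xFFFFF, "payload_len": plen,
            "next_header": nxt, "hop_limit": hops,
            "src": socket.inet_ntop(socket.AF_INET6, src),
            "dst": socket.inet_ntop(socket.AF_INET6, dst)}
```

Flipping any byte of the IPv4 header makes checksum_ok come back False, which is exactly the per-hop check IPv6 dropped in favour of upper-layer checksums.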

IPv4 vs. IPv6 Header

FTP

File Transfer Protocol is one of the oldest protocols out there. The original publication dates back to 1971. The protocol name speaks for itself. It uses TCP ports 20 and 21, and it does not provide any data confidentiality.

FTPS

Remember when I told you about SSL/TLS and that their service can be used by other protocols? That is exactly what is happening here. File Transfer Protocol over SSL uses them to secure data in transit. This is different from Secure File Transfer Protocol. It is not used very often in the wild. There are better ways.

SFTP

SSH File Transfer Protocol is an extension to the classic SSH protocol. It uses the same mechanisms but is generally used for file transfer, whereas classic SSH is used for remote administration via the CLI. It uses TCP port 22.

TFTP

Trivial File Transfer Protocol is the last flavor we will mention. As the name says, it is very lightweight and simple. It offers no authentication, encryption or data reliability. It leverages UDP port 69. It is often used in IP telephony, where phones use it to download firmware. Most embedded systems also support this protocol for the reasons mentioned earlier.

TFTP is lightweight like these shoes

HTTP

Good old buddy Hypertext Transfer Protocol has been around since 1991. It is an application layer protocol used to request various types of resources, from simple text-based HTML pages to multimedia. It defines message types, response codes, basic authentication, caching and more. By default it uses TCP port 80.

HTTPS

Another case of using the SSL/TLS secure services. Original HTTP is plain text communication, therefore it needs another protocol to secure its communication. As mentioned, HTTPS rides on TCP port 443.

HTTPS uses SSL/TLS to secure your data

SCP

Secure Copy Protocol uses the same mechanisms for authentication, encryption and hashing as SSH. It provides just another way to transfer files securely.

ICMP

Internet Control Message Protocol was invented to provide control services for IP. Some of the most used tools in the world are in fact using ICMP: the famous ping command and also some implementations of traceroute.

ICMP is often used in monitoring systems to determine system availability. The management station sends an ICMP Echo Request at regular intervals and expects an ICMP Echo Reply. Firewalls often do not permit this type of traffic because of the higher security risk of network reconnaissance, that is, mapping what is alive on the net.

Valve Portal’s turret uses ICMP to check if you are alive.

SMTP

Simple Mail Transfer Protocol is used to carry email messages from one email server to another. SMTP uses TCP port 25. There is also a flavor of SMTP that uses TLS, called SMTPS, and it uses TCP port 465.

POP3

Post Office Protocol is also used in email communication; it was introduced in 1984. It is used by an email client to retrieve messages from the server. It supports download and delete actions for simple mail manipulation. Usually a client would connect, download the messages and delete them from the server. The POP service listens on TCP port 110. This protocol can provide confidentiality using TLS, in which case it runs on TCP port 995.

Good luck reading the mail.

IMAP

Internet Message Access Protocol has a similar function to POP but brings additional features. An IMAP client can send complex queries, for example to retrieve just the email header information. It supports online and offline types of operation. Plain IMAP runs on TCP port 143, and the flavor that uses TLS for security (IMAPS) uses TCP port 993.

Microsoft Outlook is a popular POP3/IMAP client.

iSCSI

SCSI stands for Small Computer System Interface. It is used to interact with storage devices such as hard drives. It can be used over a network, hence the name (Internet) SCSI, to interact with a remote storage device at block level. The iSCSI client is referred to as the initiator and the remote storage is often called the target. It is commonly used in small-scale Storage Area Network deployments. Storage servers can offer higher reliability and data protection through technologies such as RAID. These networks have higher demands on bandwidth and reliability than other types of traffic.

The client's disks appear as if they are directly connected, but in fact they are located on the iSCSI target (server).

Fibre Channel

Fibre Channel is another technology used to access remote storage at block level. FC uses dedicated Host Bus Adapters on the server side that connect to Fibre Channel switches, which also connect storage appliances containing various disk types: Solid State Drives, SAS drives, SATA drives and tape libraries. Fibre Channel technology is pretty costly compared to iSCSI.

EMC storage array.

FCoE

Historically, data and storage operated over two distinct physical networks. The reason was that storage traffic has different requirements for transport, and it usually requires high speed links of 4, 8 or 16 Gbps. As 10 Gbps Ethernet evolved and matured, a new flavor of FC was introduced. Fibre Channel over Ethernet can use the same infrastructure for data and storage traffic. FC frames are encapsulated into Ethernet frames and receive special treatment from the transport fabric.

This can reduce CAPEX and OPEX expenses, since you no longer need separate data and storage connections to servers and separate data and storage switches.

NetBIOS

Network Basic Input Output System is a legacy protocol used in Windows-based networks. It uses several services: for example, name services run on UDP 137, datagram services on UDP 138 and session services on TCP 139.

And that, my friends, is the end of this post. I would not have thought at the beginning that it would be this long; if you made it till the end, you have my praise. Stay tuned for the next post in the series, which will cover Wireless Security.
