IT Baseline Protection Manual S 5.39 Secure use of protocols and services

S 5.39 Secure use of protocols and services

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT Security Management, Administrators

The following short descriptions of the protocols and services most commonly used on the Internet explain what information is carried by these protocols and what is therefore eligible for filtering by a firewall. It also describes other points which should be borne in mind when using the various protocols and services.

In TCP/IP communication, a connection is normally established by a client process from a random port with a port number > 1023 to a server process with a port number < 1024 (well known port). The ports with numbers < 1024 are also known as privileged ports, because they may only be used by processes with root privileges. However, this restriction is only a convention and can be circumvented. No security strategy, therefore, may assume that IT systems really do protect their privileged ports in this way. Even if FTP is used, for instance, to access ports 20 or 21, this cannot be regarded as a secure connection.

IP

The Internet Protocol (IP) is a connectionless protocol. An IP header includes two 32 bit addresses (IP numbers), one for the source and one for the destination of the communicating computers.

As the IP numbers are not protected by cryptographic procedures, they may only be used for authentication in very specific topographies, i.e. only when it is certain that the addresses cannot be changed. For example, packets coming from outside but whose source address is an address from the network to be protected, may not be admitted by the firewall.

ARP

The Address Resolution Protocol (ARP) is used to find the correct 48 bit hardware or Ethernet address for a 32 bit IP address. If it cannot find the corresponding entry in the computer's internal table, an ARP broadcast packet is sent with the unknown IP number. The computer with this IP number then returns an ARP response packet with its hardware address. As the ARP response packets are not tamper-proof, they can only be used in very specific topographies (see above).

ICMP

The Internet Control Message Protocol (ICMP) is a transport layer protocol whose purpose is to transport error and diagnostic information for the IP protocol. It is initiated and processed internally by IP, TCP or UDP and can be used at user level with the ping command.

If a computer or network is not accessible, a message such as Destination Unreachable is generated, and this can be misused to interrupt all connections between the participating computers.

The message Redirect is broadcast if a gateway recognises that the packet can be sent direct to another gateway, in other words that a detour has been used. The shorter route is then entered in the sender's routing table. This can be misused to configure unwanted routes.

The firewall must ensure that these messages are not admitted through the filters. For the other messages, consideration needs to be given to whether the information sent out can be misused for an attack.

Routing protocols

Routing protocols like RIP (Routing Information Protocol) or OSPF (Open Shortest Path First) are used to propagate route changes between networked systems, thus permitting dynamic changes to routing tables. It is quite easy to create false RIP packets and thus configure unwanted routes. Dynamic routing should therefore only be used in very specific topographies (see above).

TCP

The Transmission Control Protocol (TCP) is a connection-based protocol of the transport layer. Accuracy of transmission is ensured by sequence numbers, checksums, receipt acknowledgements with timeout, and segment retransmission after an acknowledgement timeout. The header includes two 16 bit port numbers which identify the communication endpoints and are associated with the application layer services using well known ports. As they are not protected by cryptographic procedures, they can only be used for authentication in very specific topographies (see above).

The first packet transmitted when the connection is established is normally the only one transmitted without the acknowledgement flag (ACK) set. This makes it possible to distinguish between the connection set-up and data transfer phases. The firewall must be able to distinguish between ACK and non-ACK packets, i.e. whether a connection setup is taking place or an existing connection is being used.
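The anti-spoofing rule from the IP section, the ICMP messages named above and the ACK/non-ACK distinction can be combined in one packet-level decision. The following Python is an added example, not code from the manual; the protected network 192.0.2.0/24 and the permitted inbound server ports are constructed assumptions.

```python
import ipaddress
import struct

# Constructed assumptions: the protected network and the server ports open to new inbound TCP connections.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
ALLOWED_INBOUND_PORTS = {25, 80}
# ICMP types the text says must not be admitted: Destination Unreachable (3) and Redirect (5).
BLOCKED_ICMP_TYPES = {3, 5}
TCP_SYN, TCP_ACK = 0x02, 0x10


def filter_inbound(packet: bytes) -> str:
    """Decide on one raw IPv4 packet arriving from the outside: 'accept' or 'drop: <reason>'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not an IPv4 packet"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    # Anti-spoofing rule from the IP section: an outside packet may not carry an inside source.
    if src in INTERNAL_NET:
        return "drop: spoofed internal source address"
    payload = packet[ihl:]
    if proto == 1:                       # ICMP: the type is the first payload byte
        if len(payload) < 8:
            return "drop: short icmp header"
        if payload[0] in BLOCKED_ICMP_TYPES:
            return f"drop: icmp type {payload[0]}"
        return "accept"
    if proto == 6:                       # TCP: ports and flags decide
        if len(payload) < 20:
            return "drop: short tcp header"
        _sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        flags = off_flags & 0x01FF
        if flags & TCP_ACK:
            return "accept"              # data phase of an existing connection
        if flags & TCP_SYN and dport in ALLOWED_INBOUND_PORTS:
            return "accept"              # permitted new connection
        return f"drop: connection setup to port {dport}"
    return f"drop: protocol {proto} not permitted"


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed test helper: minimal IPv4 header (checksum left zero) in front of the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Constructed test helper: 20-byte TCP header with the given flags, no options."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
```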

UDP

The User Datagram Protocol (UDP) is a connectionless protocol of the transport layer which provides no transport acknowledgements or other security measures for ensuring transmission accuracy. The header includes two 16 bit port numbers (see TCP) which are independent of those used with the TCP protocol. As they are not protected by cryptographic procedures, they may only be used for authentication in very specific topographies.

As the protocol definition makes no distinction between connection setup and data transfer, this distinction must be made by the firewall. It must be possible to check the status of the connection and to identify clearly which connection a packet belongs to.

This can be achieved, for instance, when making a UDP connection by storing the target port and temporarily marking it so that the response packets are only admitted at this port and blocking the port again after the connection is terminated.
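The temporary reply slot described above, as an added example that is not from the manual: a table that records each outbound UDP datagram, admits only the matching reply, and blocks the port again on timeout or explicit close. The 30-second timeout is a constructed value and the clock is injectable so the expiry can be exercised.

```python
import time
from dataclasses import dataclass

UDP_REPLY_TIMEOUT = 30.0   # seconds a reply slot stays open without traffic (constructed value)


@dataclass(frozen=True)
class Flow:
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int


class UdpStateTable:
    """Pseudo-state for UDP: remember each outbound datagram and admit only the matching reply."""

    def __init__(self, timeout: float = UDP_REPLY_TIMEOUT, clock=time.monotonic):
        self.timeout = timeout
        self.clock = clock                  # injectable for testing
        self.flows: dict[Flow, float] = {}  # flow -> time of last datagram seen

    def _expire(self) -> None:
        """Block ports again once a flow has been idle longer than the timeout."""
        now = self.clock()
        for flow, last in list(self.flows.items()):
            if now - last > self.timeout:
                del self.flows[flow]

    def outbound(self, client_ip, client_port, server_ip, server_port) -> str:
        """A datagram leaving the protected network opens (or refreshes) a reply slot."""
        self._expire()
        self.flows[Flow(client_ip, client_port, server_ip, server_port)] = self.clock()
        return "accept"

    def inbound(self, src_ip, src_port, dst_ip, dst_port) -> str:
        """A datagram from outside is admitted only if it answers a recorded outbound one."""
        self._expire()
        flow = Flow(dst_ip, dst_port, src_ip, src_port)
        if flow not in self.flows:
            return "drop: no matching outbound datagram"
        self.flows[flow] = self.clock()     # refresh the slot while the exchange continues
        return "accept"

    def close(self, client_ip, client_port, server_ip, server_port) -> None:
        """Explicitly block the port again when the exchange is reported as finished."""
        self.flows.pop(Flow(client_ip, client_port, server_ip, server_port), None)
```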

Telnet

The Telnet protocol allows a user to create a terminal session on a remote computer and defines for this purpose virtual input and output units (network virtual terminals) between which connection parameters have to be negotiated.

To get access to another computer using the Telnet command, the other computer must be running the Telnet Daemon. The standard port for a Telnet session is Port 23. Other port numbers may be set as parameters, allowing a connection to be made to other server processes.

As Telnet allows full access to a remote host for a user, this access must be protected by strong authentication.

A distinction is often made between simple and strong authentication. Simple authentication uses simple password procedures where the password is transmitted as plain text and is therefore not protected from eavesdroppers. Strong authentication, on the other hand, uses more complex procedures based, for example, on the use of one-time passwords or smart cards.

There is the risk with Telnet that an attacker may cut into an authorised Telnet connection during transmission, e.g. to tap classified information or to enter his own commands in the Telnet connection. For this reason encrypted transmission should be possible.

FTP

The File Transfer Protocol (FTP) allows exchange of files between remote computers.

When using FTP, two connections are established whereby the commands are transmitted through port 21 and the data through port 20. To allow the exchange of commands between computers with different operating systems, FTP defines a set of standard commands which are not the same as the user interface commands. The FTP client translates the user interface commands into the corresponding standard commands. For the firewall it is the standard commands which are relevant, because these are the only ones actually transmitted over TCP/IP.

While the client establishes the command connection to the server port 21, the server is responsible for establishing the data connection from its port 20 to a client port (> 1023). This constitutes a security weakness, since attackers could pretend to be servers. The connection should therefore be set up the other way round, and the client should use the standard command PASV instead of PORT. This forces the server to choose a random port number and await the data transfer at this port. The client can then set up a connection to this port, so that the TCP connection is made from the protected network into the external one.
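Deriving the data connection a firewall would have to permit from the PASV reply or the PORT command seen on the control channel, as an added example that is not from the manual. The check that the announced address matches the control-connection peer and the rejection of PORT by default are defensive additions here; all addresses are constructed.

```python
import re

# Control-channel lines carrying data-connection parameters: the server's PASV reply and the
# client's PORT command; h1,h2,h3,h4,p1,p2 encodes an IPv4 address and a 16-bit port.
PASV_REPLY = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
PORT_CMD = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)


def decode_hostport(groups) -> tuple:
    """Turn the six decimal fields into (dotted address, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection(line: str, client_ip: str, server_ip: str, allow_active: bool = False):
    """Work out which data connection a control-channel line asks the firewall to permit.
    Returns (direction, initiator, destination, port), or None for lines that carry none."""
    m = PASV_REPLY.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        # Defensive check added here: the server may only announce its own address.
        if host != server_ip:
            raise ValueError(f"PASV announced foreign address {host}")
        # Passive mode: the protected client opens the data connection outwards.
        return ("outbound", client_ip, host, port)
    m = PORT_CMD.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        if not allow_active:
            raise ValueError("PORT refused: active mode needs an inbound connection from port 20")
        if host != client_ip or port <= 1023:
            raise ValueError(f"PORT refused: {host}:{port} is not a client port above 1023")
        # Active mode: the server would connect from its port 20 into the protected network.
        return ("inbound", server_ip, host, port)
    return None
```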

All commands which manipulate or read files or directories (CWD, CDUP, RETR, STOR, DELE, LIST, NLST) must be linked to a corresponding authorisation administration. This restricts access to certain files for untrustworthy users or blocks it altogether. This assumes that a strong authentication mechanism is in place.

The command SYST, with which a client asks for the operating system version of the server, should be linked to an authorisation administration and blocked for untrustworthy users.

Moreover, it must be possible to encrypt the transmission of files, directory information and passwords.

SMTP

Simple Mail Transfer Protocol (SMTP) is a simple protocol for transmitting electronic mail on the Internet consisting of only a few commands.

The commands VRFY and EXPN can call up internal information, so the use of these commands should only be allowed within the protected network. For untrustworthy users, VRFY and EXPN must be blocked. The firewall should be able to encrypt SMTP connections between trustworthy users, although this is only advisable if a strong authentication mechanism is used.

DNS

Domain Name Service (DNS) is used to convert computer names into IP numbers and vice versa and provides information on computer systems using the network. The information transmitted is not protected by cryptographic procedures, so spoofing attacks are possible using forged data. This should be taken into consideration especially in the event of DNS responses from the Internet.

To gain access to computers on a network, an intruder first needs their addresses which he can either get by random searching or more simply by analysing the DNS information. Once he has the address the intruder can, for example, forge an address (IP spoofing) by pretending that his computer belongs to the network to be protected and sending packets to it.

It must always be remembered that all information made available by DNS can be misused. How a firewall must be configured in order to provide risk protection when using DNS is described in Safeguard S 2.77 Secure Arrangement of Further Components.

NNTP

Network News Transfer Protocol (NNTP) is used for transmitting news articles.

The firewall must be able to prevent the transport of certain news groups entirely or only admit them for certain computers. There must be a guarantee that when sending news, no information percolates via the network to be protected (e.g. computer names) into the external network.

HTTP

Hypertext Transfer Protocol (HTTP) is used for transmitting data between WWW clients and WWW servers. It supports four operations: Connection, Request, Response, and Close.

The firewall must be able to analyse the commands of an HTTP packet and restrict them with filters. It must, for instance, be possible to prevent execution of the POST command and the associated file change during a Request operation. It must be possible to apply the filters both per individual user (by means of strong authentication) and per computer.
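An application-level command filter covering the FTP file commands and SYST, the SMTP VRFY/EXPN rule and the HTTP POST rule, as an added example that is not from the manual. The strong_auth callback (standing in for a one-time-password or smart-card check) and the network 192.0.2.0/24 are hypothetical assumptions.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")    # protected network (constructed)
# FTP commands that read or change files and directories, plus SYST, need an authorised user.
FTP_RESTRICTED = {"CWD", "CDUP", "RETR", "STOR", "DELE", "LIST", "NLST", "SYST"}
# SMTP commands that disclose internal information: permitted only from inside.
SMTP_INTERNAL_ONLY = {"VRFY", "EXPN"}


class CommandFilter:
    """Application-level filter for one FTP, SMTP or HTTP connection through the firewall."""

    def __init__(self, protocol, peer_ip, strong_auth=lambda user, cred: False):
        self.protocol = protocol
        self.internal = ipaddress.ip_address(peer_ip) in INTERNAL_NET
        self.strong_auth = strong_auth   # hypothetical (user, credential) -> bool, e.g. one-time password
        self.user = None
        self.authorised = False

    def authenticate(self, user, credential) -> bool:
        """Tie the session to a user only if the strong authentication callback accepts it."""
        self.user = user
        self.authorised = bool(self.strong_auth(user, credential))
        return self.authorised

    def handle(self, line):
        """Return ('forward', line) to pass a command on, or ('reject', reply) to answer it here."""
        parts = line.strip().split(maxsplit=1)
        verb = parts[0].upper() if parts else ""
        arg = parts[1] if len(parts) > 1 else ""
        if self.protocol == "smtp":
            if verb in SMTP_INTERNAL_ONLY and not self.internal:
                return ("reject", f"502 {verb} not permitted from outside the protected network")
            return ("forward", line)
        if self.protocol == "http":
            # Request line such as "POST /upload HTTP/1.0": no file-changing request without strong auth.
            if verb == "POST" and not self.authorised:
                return ("reject", "403 POST requires strong authentication")
            return ("forward", line)
        # FTP: USER/PASS go through the strong-auth check; restricted commands need its result.
        if verb == "USER":
            self.user, self.authorised = arg, False
            return ("forward", line)
        if verb == "PASS":
            ok = self.authenticate(self.user, arg) if self.user else False
            return ("forward", line) if ok else ("reject", "530 Authentication failed")
        if verb in FTP_RESTRICTED and not self.authorised:
            return ("reject", f"530 {verb} requires an authorised user")
        return ("forward", line)
```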

It must be possible to distinguish the type of data transmitted and to search special file types for specific information. Should other processes be necessary for processing the data transmitted (e.g. an external viewer or a shell), it must be possible to have the user confirm the start of these processes first.

Other services: X11, BSD "r services", NFS, NIS, TFTP

These services should not be used through a firewall (see also T 4.11 Lack of authentication possibilities between NIS Server and NIS Client, T 4.12 Lack of authentication possibilities between X Server and X Client and Safeguards

rexec
© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999