#14.

Securing Internet Connections

AGENDA
 Understanding Infrastructure Security
 Introduction
 The Internet is perhaps the area of largest
growth for networks. The Internet is a worldwide
network that offers the capability of
instantaneous connections between networks,
no matter where they’re located.
 Introduction
 The technology started as a research project
funded by the Department of Defense and has
grown at an enormous rate. Within a few years,
virtually every computer in the world is
expected to be connected to the Internet. This
situation creates a security nightmare and is one
of the primary reasons the demand for
professionals trained in information and
computer security is expected to grow
exponentially.
 Working with Ports and
Sockets
 As we’ve already discussed, the primary method
of connection between systems using the
Internet is the TCP/IP protocol. This protocol
establishes connections and circuits using a
combination of the IP address and a port. A port
is an interface that is used to connect to a
device. Sockets are a combination of the IP
address and the port. For example, if you
attempt to connect to a remote system with the
IP address 192.168.0.100, which is running
 Working with Ports and
Sockets
 Securing Internet Connections a website, you’ll
use port 80 by default. The combination of these
two elements gives you a socket. The full
address and socket description would then be
192.168.0.100:80.
 Working with Ports and
Sockets
 IP is used to route the information from one host
to another through a network. The four layers of
TCP/IP encapsulate the information into a valid
IP packet that is then transmitted across the
network. Figure 3.15 illustrates the key
components of a TCP packet requesting the
home page of a website. The data will be
returned from the website to port 1024 on the
originating host.
 Working with Ports and
Sockets
 The source port is the port that is addressed on
the destination. The destination port is the port
to which the data is sent. In the case of a web
application, the data for port addresses would
both contain 80. A number of the fields in this
packet are used by TCP for verification and
integrity, and you need not be concerned with
them at this time.
 Working with Ports and
Sockets
 However, the data field contains the value Get/.
This value requests the home or starting page
from the web server. In essence, this command
or process requested the home page of the site
192.168.0.100 port 80. The data is formed into
another data packet that is passed down to IP
and sent back to the originating system on port
1024.
 Working with Ports and
Sockets
 The connections to most services using TCP/IP
are based on this port model. Many of the ports
are well documented, and the protocols to
communicate with them are well known. If a
vendor has a technological weakness or
implements security poorly, the vulnerability
will become known and exploited in a short time.
 Working with E-Mail
 E-mail is one of the most popular applications in
use on the Internet. Several good e-mail servers
and clients are available. Figure 3.16
demonstrates the process of transferring an e-
mail message.
 Working with E-Mail
 Simple Mail Transport Protocol
Simple Mail Transport Protocol (SMTP) is a mail
delivery protocol that is used to send e-mail
between an e-mail client and an e-mail server
as well as between e-mail servers. Messages
are moved from client to server to client via the
Internet.
 Working with E-Mail
Each e-mail message can take a different path
from the client to the server. In the case of
Figure 3.16, the clients are on two different e-
mail servers; they could both be on the same
server, and the process would appear
transparent to the user. SMTP uses port 25 and
TCP for connections.
 Working with E-Mail
 Post Office Protocol
Post Office Protocol (POP) is a newer protocol
that relies on SMTP for message transfer to
receive e-mail. POP provides a message store
that can be used to store and forward
messages. If a server isn’t operating, the
originating server can store a message and try
to resend it later. POP3 uses port 110. The POP
protocol uses TCP for connections.
 Working with E-Mail
 Internet Message Access Protocol
Internet Message Access Protocol (IMAP) is the
newest player in the e-mail field, and it’s rapidly
becoming the most popular. Like POP, IMAP
has a store-and-forward capability. However, it
has much more functionality
 Working with E-Mail
IMAP allows messages to be stored on an e-
mail server instead of being downloaded to the
client. It also allows messages to be
downloaded based on search criteria. Many
IMAP implementations also allow connections
using web browsers. The current version of
IMAP (IMAP 4) uses port 143 and TCP for
connections.
 Working with the Web
 When two hosts communicate across the Web,
data is returned from the host using Hypertext
Markup Language (HTML). HTML is nothing
more than a coding scheme to allow text and
pictures to be presented in a specific way in a
web browser. HTML can be created any number
of ways, including via manual coding and in
graphical design programs.
 Working with the Web
 HTML files are read, interpreted by your
browser, and displayed on your system. If you
want to see what HTML looks like, you can set
your browser to view source code—you’ll see
things similar to word-processor coding for
virtually every characteristic of the web page
you’re viewing.
 Working with the Web
 Websites are collections of these pages, which
are called into your browser when you click a
link or scroll through the pages. Most
developers want more than the ability to display
pages and pages of colored text on your
computer. To make creative and sophisticated
websites possible, web browsers have become
more complicated, as have web servers.
Current browsers include audio, visuals,
animations, live chats, and almost any other
feature you can imagine.
 Working with the Web
 This ability to deliver content over the Web is
accomplished in one of several ways. The most
common approach involves installing
applications that talk through the server to your
browser. The applications require additional
ports to be opened through your firewall and
routers. Unfortunately, doing so inherently
creates security vulnerabilities.
 Working with the Web
 Secure Sockets Layer and Transport Layer
Security
Secure Sockets Layer (SSL) and Transport
Layer Security (TLS) are two common protocols
used to convey information between a web
client and a server. The SSL protocol uses an
encryption scheme between the two systems.
The client initiates the session, the server
responds, indicating that encryption is needed,
and then they negotiate an appropriate
encryption scheme.
 Working with the Web
TLS is a newer protocol that merges SSL with
other protocols to provide encryption. TLS
supports SSL connections for compatibility, but it
also allows other encryption protocols, such as
Triple DES, to be used. SSL/TLS uses port 443
and TCP for connections.
 Working with the Web
 HTTP/S
HTTP Secure (HTTP/S) is a protocol that is
used for secure connections between two
systems that use the Web. It protects the
connection, and all traffic between the two
systems is encrypted. HTTP/S uses SSL or TLS
for connection security, and it uses port 443 and
TCP for connections.
 Working with the Web
 Vulnerabilities of Web Add-ins
The growth of the Web and demands from
users for more features has spurred the creation
of a new set of vulnerabilities that must be
evaluated and managed. Increasingly, web
browsers and other web-enabled technologies
allow servers to send instructions to the client to
provide multimedia and other capabilities. This
is creating a problem for security professionals
because these protocols offer potential
weaknesses.
 Working with the Web
 ActiveX ActiveX is a technology that was
implemented by Microsoft to customize controls,
icons, and other features, which increases the
usability of web-enabled systems. ActiveX runs
on the client. It uses a method called
Authenticode for security. Authenticode is a type
of certificate technology that allows ActiveX
components to be validated by a server.
 Working with the Web
ActiveX components are downloaded to the
client hard disk, potentially allowing additional
security breaches. Web browsers can be
configured so that they require confirmation to
accept an ActiveX control. However, many users
don’t understand these confirmation messages
when they appear, and they automatically
accept the components.
 Working with the Web
Automatically accepting an ActiveX component
or control creates the opportunity for security
breaches on a client system when the control is
used because an ActiveX control contains
programming instructions that can contain
malicious code or create vulnerabilities in a
system.
 Working with the Web
 Buffer Overflows
Buffer overflows occur when an application
receives more data than it’s programmed to
accept. This situation can cause an application
to terminate or to write data beyond the end of
the allocated space. Termination may leave the
system sending the data with temporary access
to privileged levels in the attacked system, while
overwriting can cause important data to be lost.
This exploitation is usually a result of a
programming error in the development of the
software.
 Working with the Web
 Common Gateway Interface
Common Gateway Interface (CGI) is an older
form of scripting that was used extensively in
early web systems. CGI scripts were used to
capture data from a user using simple forms.
 Working with the Web
 Cookies Cookies are text files that a browser
maintains on the user’s hard disk in order to
provide a persistent, customized web
experience for each visit. A cookie typically
contains information about the user.
 Working with the Web
For example, a cookie can contain a client’s
history to improve customer service. If a
bookstore wants to know your buying habits and
what types of books you last viewed at its site, it
can load this information into a cookie on your
system. The next time you return to that store,
the server can read your cookie and customize
what it presents to you.
 Working with the Web
Cookies can also be used to time-stamp a user
to limit access. A financial institution may send
your browser a cookie once you’ve
authenticated. The server can read the cookie to
determine when a session is expired.
 Working with the Web
Obviously, cookies are considered a risk
because they have the potential to contain your
personal information, which could get into the
wrong hands. If security is your utmost concern,
the best protection is to not allow cookies to be
accepted. Almost every browser offers the
option of enabling or disabling cookies. If you
enable them, you can usually choose whether to
accept/reject all or only those from an
originating server.
 Working with the Web
 Cross-site scripting (XSS)
Using a client-side scripting language, it is
possible for a ne’er-do-well to trick a user into
visiting their site and having code then execute
locally. When this is done, it is known as cross-
site scripting. As an example, UserA may get a
message telling him that he needs to make
changes to his XYZ account, but the link in the
message is not really to the XYZ site (a phishing
ploy).
 Working with the Web
When he clicks on the link, a JavaScript routine
begins to run on his machine. Since the script is
running on UserA’s system, it has his
permissions and can begin doing such things as
running malevolent routines to send/delete/alter
data. The best protection against cross-site
scripting is to disable the running of scripts.
 Working with the Web
 Input Validation
Anytime a user must supply values in a session,
validation of the data entered should be done.
Many vendors, however, have fallen prey to
input validation vulnerabilities within their code.
In some instances, empty values have been
accepted, while others have allowed privilege
escalation if certain backdoor passwords were
used.
 Working with the Web
The best protection against input validation
vulnerabilities is for developers to follow best
practices and always validate all values entered.
As an administrator, when you learn of an input
validation vulnerability with any application on
your system, you should immediately stop using
it until a patch has been released and installed.