CHAPTER 9: Security Standards and Services 396 To determine what port number to use, technicians need to know what port number the given software is using. To make that determination easier, there is a list of common services that run on computers along with their respective well-known ports. This allows the technician to apply the policy of denying by default and only open the specific port necessary for the DAMAGE AND DEFENSE… Denial of Service Attacks A port is a connection point into a device. Ports can be physical, such as serial ports or parallel ports, or they can be logical. Logical ports are ports used by networking protocols to define a network con- nection point to a device. Using Transmission Con- trol Protocol/Internet Protocol (TCP/IP), both TCP and User Datagram Protocol (UDP) logical ports are used as connection points to a network device. Because a network device can have thousands of connections active at any given time, these ports are used to differentiate between the connections to the device. A port is described as well known for a particular service when it is normal and common to find that particular software running at that particular port number. For example, Web servers run on port 80 by default, and File Transfer Protocol (FTP) file transfers use ports 20 and 21 on the server when it is in active mode. In passive mode, the server uses a random port for data connection and port 21 for the control connection. Exam Warning There are two modes in which FTP operates: active and passive. Active Mode The FTP client initializes a control connection from a random port higher than 1. 1024 to the server’s port 21. The FTP client sends a 2. PORT command instructing the server to connect to a port on the client one higher than the client’s control port. This is the client’s data port. The server sends data to the client from server port 20 to the client’s data port.3. Passive Mode The FTP client initializes a random port higher than 1,023 as the control port 1. and initializes the port one higher than the control port as the data port. The FTP client sends a 2. PASV command instructing the server to open a random data port. The server sends a 3. PORT command notifying the client of the data port number that was just initialized. The FTP client then sends data from the data port it initialized to the data port 4. the server instructed it to use. Hardware and Software Security Devices 397 application to work. For example, if they want to allow the Siebel Customer Relations Management application from Oracle to work through a fire- wall, they would check against a port list (or the vendor’s documentation) to determine that they need to allow traffic to port 2,320 to go through the firewall. A good place to search for port numbers and their associated services online is on Wikipedia. This list is fairly up-to-date and can help you find information on a very large number of services running on all ports (http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers). You will notice that even Trojan horse applications have well-known port numbers. A few of these have been listed in Table 9.2. Unfortunately, for nearly every possible port number, there is a virus or Trojan horse application that could be running there. For a more compre- hensive list of Trojans listed by the port they use, go to the SANS Institute Web site at www.sans.org/resources/idfaq/oddports.php. Table 9.2 Well-known Ports of Trojan Horses Trojan Horse Port AimSpy 777 Back Orifice 31337 and 31338 (modifiable) Back Orifice 2000 8787, 54320, and 54321 (modifiable) OpwinTrojan 10000 and 10005 SubSeven 1243, 1999, 2773, 2774, 6667, 6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, and 54283 (depending on the version) WinSatan 999 and 6667 Exam Warning The most important ports to remember are as follows: 20 FTP Active Mode Control Port 21 FTP Active Mode Data Port 22 Secure Shell (SSH) 23 Telnet 25 Simple Mail Transfer Protocol (SMTP) 80 HTTP 110 Post Office Protocol 3 (POP3) 119 Network News Transfer Protocol (NNTP) 143 Internet Message Access Protocol (IMAP) 443 SSL (HTTPS) CHAPTER 9: Security Standards and Services 398 Packet-filtering firewalls have both benefits and drawbacks. One of the benefits is speed. Since only the header of a packet is examined and a simple table of rules is checked, this technology is very fast. A second benefit is ease of use. The rules for this type of firewall are easy to define and ports can be opened or closed quickly. In addition, packet-filtering firewalls are transparent to network devices. Packets can pass through a packet-filtering firewall without the sender or receiver of the packet being aware of the extra step. A major bonus of using a packet-filtering firewall is that most current routers support packet filtering. There are two major drawbacks to packet filtering: A port is either open or closed. With this configuration, there is no  way of simply opening a port in the firewall when a specific applica- tion needs it and then closing it when the transaction is complete. When a port is open, there is always a hole in the firewall waiting for someone to attack. The second major drawback to pack filtering is that it does not  understand the contents of any packet beyond the header. There- fore, if a packet has a valid header, it can contain any payload. This is a common failing point that is easily exploited. To expand on this, since only the header is examined, packets cannot be filtered by username, only IP addresses. With some network services such as Trivial FTP (TFTP) or various UNIX r commands (rsh, rcp, etc.), this can cause a problem. Believe the port for these services is either open or closed for all users, the options are either to restrict system administrators from using the services or invite the possibility of any user connecting and using these services. The operation of this firewall technology is illustrated in Figure 9.1. Referring to Figure 9.1, the sequence of events is as follows: Communication from the client starts 1. by going through the seven layers of the OSI model. The packet is then transmitted over 2. the physical media to the packet- filtering firewall. The firewall works at the network 3. layer of the OSI model and examines the header of the packet. FIGURE 9.1 Packet Filtering Technology. Client Application Packet Filtering Firewall Open Port OSI Model OSI Model Presentation Session Transport Network Network Data Link Data Link Physical Application Server OSI Model Presentation Session Transport Network Data Link Physical Physical Hardware and Software Security Devices 399 If the packet is destined for an allowed port, the packet is sent 4. through the firewall, over the physical media, and up through the layers of the OSI model to the destination address and port. Application Layer Firewalls The second firewall technology is called application filtering or an applica- tion-layer gateway. This technology is more advanced than packet filtering, as it examines the entire packet and determines what should be done with the packet based on specific defined rules. For example, with an applica- tion-layer gateway, if a Telnet packet is sent through the standard FTP port, the firewall can determine this and block the packet if a rule is defined disallowing Telnet traffic through the FTP port. It should be noted that this technology is used by proxy servers to provide application-layer filtering to clients. One of the major benefits of application-layer gateway technology is its application-layer awareness. Because application-layer gateway technology can determine more information from a packet than a simple packet filter can, application-layer gateway technology uses more complex rules to deter- mine the validity of any given packet. These rules take advantage of the fact that application-layer gateways can determine whether data in a packet matches what is expected for data going to a specific port. For example, the application-layer gateway can tell if packets containing controls for a Trojan horse application are being sent to the HTTP port (80) and thus, can block them. Although application-layer gateway technology is much more advanced than packet-filtering technology, it does have its drawbacks. Because of the fact that each packet is disassembled completely and then checked against a complex set of rules, application-layer gateways are much slower than packet filters. In addition, only a limited set of application rules are predefined, and any application not included in the predefined list must have custom rules defined and loaded into the firewall. Finally, application-layer gateways process the packet at the application layer of the OSI model. By doing so, the application-layer gateway must then rebuild the packet from the top down and send it back out. This breaks the concept behind client/server architecture and slows the firewall down even further. Client/server architecture is based on the concept of a client system r equesting the services of a server system. This was developed to increase application performance and cut down on the network traffic created by ear- lier file sharing or mainframe architectures. When using an application-layer CHAPTER 9: Security Standards and Services 400 gateway, the client/server architecture is broken as the packets no longer flow between the client and the server. Instead, they are deconstructed and reconstructed at the firewall. The client makes a connection to the firewall at which point the packet is analyzed, then the firewall creates a con- nection to the server for the client. By doing this, the firewall is acting as a proxy between the client and the server. The operation of this technology is illustrated in Figure 9.2. Honeypots A honeypot is a computer system that is deliberately exposed to public access – usually on the Internet – for the express purpose of attracting and distracting attackers. In other words, these are the technical equivalent of the FIGURE 9.2 Application-Layer Gateway Technology. NOTES FROM THE FIELD … Walking the Line between Opportunity and Entrapment Most law enforcement officers are aware of the fine line they must walk when setting up a “sting” – an opera- tion in which police officers pretend to be victims or participants in crime, with the goal of getting criminal suspects to commit an illegal act in their presence. Most states have laws that prohibit entrapment; that is, law enforcement officers are not allowed to cause a person to commit a crime and then arrest him or her for doing it. Entrapment is a defense to prosecution; if the accused person can show at trial that he or she was entrapped, the result must be an acquittal. Courts have traditionally held, however, that provid- ing a mere opportunity for a criminal to commit a crime does not constitute entrapment. To entrap involves using persuasion, duress, or other undue pressure to force someone to commit a crime that the person would not otherwise have committed. Under this holding, setting up a honeypot or honeynet would be like the (perfectly legitimate) police tactic of placing an abandoned auto- mobile by the side of the road and watching it to see if anyone attempts to burglarize, vandalize, or steal it. It should also be noted that entrapment only applies to the actions of law enforcement or government person- nel. A civilian cannot entrap, regardless of how much pressure is exerted on the target to commit the crime (however, a civilian could be subject to other charges, such as criminal solicitation or criminal conspiracy, for causing someone else to commit a crime). Client Application Authorized Packet Application Layer Gateway OSI Model Presentation Session Transport Network Data Link Physical Application OSI Model Presentation Session Transport Network Data Link Physical Application OSI Model Presentation Session Transport Network Data Link Server Physical Hardware and Software Security Devices 401 familiar police “sting” operation. Although the strategy involved in luring hackers to spend time investigating attractive network devices or servers can cause its own problems, finding ways to lure intruders into a system or network improves the odds of being able to identify those intruders and pursue them more effectively. Figure 9.3 shows a graphical representation of the honeypot concept in action. The following characteristics are typical of honeypots: Systems or devices used as lures are set up with only “out of the box”  default installations so that they are deliberately made subject to all known vulnerabilities, exploits, and attacks. The systems or devices used as lures do not include sensitive  information (for example, passwords, data, applications, or ser- vices an organization depends on or must absolutely protect), so these lures can be compromised or even destroyed, without causing damage, loss, or harm to the organization that presents them to be attacked. FIGURE 9.3 A Honeypot in Use to Keep Attackers from Affecting Critical Production Servers. Attacker spends all of their time attacking the honeypot because it looks like a poorly configured and insecure production server. The Internet and DMZs Honeypot The honeypot provides alerts to the network administrator so they can take defensive measures as desired to stop or monitor the attack. Production Server Production Server The production servers continue operating without being affected by the attempted attack. The honeypot only appears to be a critical production server. However, it is running a special IDS package that can intelligently respond to the attacker, track the attackers actions, and keep the attacker engaged while important attack information is being collected. The attack signature that is collected can be used later to prevent attacks of the same sort from actually succeeding against real servers. In most cases, the attacker never knows the difference between the honeypot and a real server and thus makes no lasting damage to the network itself. CHAPTER 9: Security Standards and Services 402 Systems or devices used as lures often also contain deliberately tan- talizing objects or resources, such as files named password.db, folders named Top Secret, and so forth – often consisting only of encrypted garbage data or log files of no real significance or value – to attract and hold an attacker’s interest long enough to give a backtrace a chance of identifying the attack’s point of origin. Systems or devices used as lures also include or are monitored by  passive applications that can detect and report on attacks or intru- sions as soon as they start, so the process of backtracing and identi- fication can begin as soon as possible. Exam Warning A honeypot is a computer system that is deliberately exposed to public access – usually on the Internet – for the express purpose of attracting and distracting attackers. Likewise, a honeynet is a network set up for the same purpose, where attackers not only find vul- nerable services or servers but also find vulnerable routers, firewalls, and other network boundary devices, security applications, and so forth. The honeypot technique is best reserved for use when a company or organization employs full-time Information Technology (IT) security pro- fessionals who can monitor and deal with these lures on a regular basis, or when law enforcement operations seek to target specific suspects in a “virtual sting” operation. In such situations, the risks are sure to be well understood, and proper security precautions, processes, and procedures are far more likely to already be in place (and properly practiced). Nevertheless, for organizations that seek to identify and pursue attackers more proac- tively, honeypots can provide valuable tools to aid in such activities. Exercise 9.2 outlines the basic process to set up a Windows honeypot. Although there are many vendors of honeypots that will run on both Win- dows and Linux computers, this exercise will describe the install on a com- mercial honeypot that can be used on a corporate network. EXERCISE 9.2 Install a Honeypot KFSensor is a Windows-based honeypot IDS that can be downloaded 1. as a demo from www.keyfocus.net/kfsensor/ Fill out the required information for download.2. Hardware and Software Security Devices 403 Once the program downloads, accept the install defaults and allow 3. the program to reboot the computer to finish the install. Once installed, the program will step you through a wizard process 4. that will configure a basic honeypot. Allow the system to run for some time to capture data. The program 5. will install a sensor in the program tray that will turn red when the system is probed by an attacker. Honeynets A honeynet is a network that is set up for the same purpose as a honeypot: to attract potential attackers and distract them from your production network. In a honeynet, attackers will not only find vulnerable services or servers but also find vulnerable routers, firewalls, and other network boundary devices, security applications, and so forth. The following characteristics are typical of honeynets: Network devices used as lures are set up with only “out of the box”  default installations so that they are deliberately made subject to all known vulnerabilities, exploits, and attacks. The devices used as lures do not include sensitive information (for  example, passwords, data, applications, or services an organization depends on or must absolutely protect), so these lures can be com- promised, or even destroyed, without causing damage, loss, or harm to the organization that presents them to be attacked. Devices used as lures also include or are monitored by passive  applications that can detect and report on attacks or intrusions as soon as they start, so the process of backtracing and identification can begin as soon as possible. The Honeynet Project at www.honeynet.org is probably the best overall resource on the topic online; it not only provides copious information on the project’s work to define and document standard honeypots and hon- eynets, it also does a great job of exploring hacker mindsets, motivations, tools, and attack techniques. Although this technique of using honeypots or honeynets can help identify the unwary or unsophisticated attacker, it also runs the risk of attracting additional attention from savvier attackers. Honeypots or honey- nets, once identified, are often publicized on hacker message boards or mailing lists and thus become more subject to attacks and hacker activity CHAPTER 9: Security Standards and Services 404 than they otherwise might be. Likewise, if the organization that sets up a honeypot or honeynet is itself identified, its production systems and net- works may also be subjected to more attacks than might otherwise occur. Content Filters Content filtering is the process used by various applications to examining content passing through and make a decision on the data based on a set of criteria. Actions are based on the analysis of the content and the resulting actions can result in block or allow. Content filtering is commonly performed on e-mail and is often also applies to Web page access as well. Filtering out gambling or gaming sites from company machines may be a desired effect of management and can be achieved through content filtering. Example of content filters includes Web- Sense and Secure Computing’s WebWasher/SmartFilter. An open source content filter example would be DansGuardian and Squid. Protocol Analyzers A protocol analyzer is used to examine network traffic as it travels along your Ethernet network. They are called by many names, such as pack analyzer, network analyzer, and sniffer, but all function in the same basic way. As traffic moves across the network from machine to machine, the protocol analyzer takes a capture of each packet. This capture is essentially a photo- copy, and the original packet is not harmed or altered. Capturing the data allows a malicious hacker to obtain your data and potentially piece it back together to analyze the contents. Different protocol analyzers function differently but the overall principal is the same. A sniffer is typically software installed on a machine that can then capture all the traffic on a designated network. Much of the traffic on the network will be destined for all machines, as in the case of broadcast traffic. These packets will be picked up and saved as part of the capture. Also, all traffic destined to and coming from the machine running the sniffer will be captured. To capture traffic addressed to/from another machine on the network, the sniffer should be run in promiscuous mode. If a hub exists on the network, this allows the capturing of all packets on the network regard- less of their source or destination. Be aware that not all protocol analyzers support promiscuous mode, and having switches on the network makes promiscuous mode difficult to use due to the nature of switched traffic. In the cases where a sniffer that runs promiscuous mode is not available or unfeasible, it might make sense to run instead use the built-in monitor port on the switch if it exists. The monitor port exists to allow for the capture Security Zones 405 of all data that passed through the switch. Depending on your network architecture, this could encompass one or many subnets. SECURITY ZONES Although different components can be effectively used together in a net- work, in some instances, they need to be used completely separately from each other. You must imagine the different pieces that make up a network as discrete network segments holding systems that share common require- ments. These are sometimes called security zones and some of these com- mon requirements can be as follows: The types of information the zone handles Who uses the zone What levels of security the zone requires to protect its data Exam Warning A security zone is defined as any portion of a network that has specific security concerns or requirements. Intranets, extranets, DMZs, and VLANs are all security zones. It is possible to have systems in a zone running different protocol and OSs, such as Windows and NetWare. The type of computer, whether a PC, server, or mainframe, is not as important as the security needs of the com- puter. For example, there is a network that uses Windows 2003 Servers as domain controllers, Domain name system (DNS) servers, and Dynamic Host Control Protocol (DHCP) servers. There are also Windows XP Profes- sional clients and NetWare 6.5 file servers on the network. Some users may be using Macintosh computers running OS X or OS 9 while others may be running one or more types of Linux or UNIX. This is an extremely varied network, but it may still only have one or two security zones. The key is that the type of a computer and its OS are not as important with regards to security zones and is where the machines may reside in the environ- ment. Each of these components helps to make up your network topology and if used correctly can assist you in creating a safe and effective network design. For example, suppose you have an e-commerce application that uses Microsoft’s Internet Information Server (IIS) running a custom Active Server Page (ASP) application, which calls on a second set of servers hosting cus- tom COM+ components, which in turn interacts with a third set of servers . device. A port is described as well known for a particular service when it is normal and common to find that particular software running at that particular port number. For example, Web servers. 10005 SubSeven 1243, 1999, 2773, 2774, 6667, 6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, and 5428 3 (depending on the version) WinSatan 999 and 6667 Exam Warning The most important ports to remember. walk when setting up a “sting” – an opera- tion in which police officers pretend to be victims or participants in crime, with the goal of getting criminal suspects to commit an illegal act in their