Foundations of Cybersecurity (Winter 15/16)
Prof. Dr. Michael Backes, CISPA / Saarland University

Solution of Exercise Sheet 5

Figure 1: Communication scenario (client and server; IP addresses and protocols to be identified)

1 Network packets

Figure 1 shows the communication scenario for which a network trace (exercise-5.pcapng) has been provided. The first task is to identify the actors and the protocols involved in the communication.

(1 point) i. Identify the IP address of the client and the IP address of the server.

Client IP address = 192.168.56.1
Server IP address = 192.168.56.101

(2 points) ii. List at least 3 application layer protocols that the client has used to establish a communication with the server.

Application layer protocols: HTTP, TELNET, SSH

(3 points) iii. Are these protocols secure or insecure? If they are insecure, what would be your suggestion for a replacement?

HTTP and TELNET are insecure protocols. The secure replacements for these protocols are HTTPS and SSH, respectively.

2 Packet Structure
Figure 2: IP header (Version (4 bits), Header Length (4 bits), Type of Service (8 bits), Total Length (16 bits), Identification, Flags, Fragment Offset, Time to Live (TTL), Protocol, Checksum, Source IP Address (32 bits), Destination IP Address (32 bits), Options, Data)

Figure 3: TCP header (Source Port Number (16 bits), Destination Port Number (16 bits), Sequence Number, Acknowledgement Number, Control Bits (9 bits), Window Size, Checksum, Urgent Pointer, Options, Data)

Select a packet which has HTTP as its protocol and whose info column says GET. Take a closer look to see the similarities and differences between it and the TCP/IP model as described in the lecture. In Wireshark, the protocol blocks are shown in the middle panel, i.e., the details view. To expand a block and see all the details for the selected packet, click on the + sign. Spend some time trying to understand the layered communication and answer the following questions:

(2 points) i. Examine the selected HTTP request and identify the transport and the internet layer. Figures 2 and 3 show the header format of IP and TCP and the different fields in the header, as discussed in the lecture. Your task is to fill in the marked cells with the appropriate values from the selected HTTP request.

In the packet trace provided for the exercise sheet there are two HTTP GET requests. Depending on the chosen request, there may be more than one correct answer.

IP header: Version = 4, Header Length = 20 bytes, Total Length = 407 (or 381), Time To Live = 128, Protocol = TCP, Source IP = 192.168.56.1,
Destination IP = 192.168.56.101
TCP header: Source Port Number = 64122 (or 64126), Destination Port = 80, Window Size = 256

(2 points) ii. Can you extract any kind of data from the website? If yes, provide a small portion of that data.

One simple example would be:
<title>test Page for the Apache HTTP Server on Fedora</title>

3 Insecure protocols

The client is using an insecure protocol to log in to the server (see Figure 1). He is not aware that his username and password are sent over an insecure communication channel. Your task as a security expert is to identify the problem and suggest a solution.

(7 points) i. Identify the (insecure) protocol that the client has used to log in to the server. Which protocol has been used? What are his credentials?

The client uses TELNET to connect to the remote server. His credentials are:
username: testuser
password: CSL2014@

(3 points) ii. What would you suggest as a secure protocol replacement? How does the replacement prevent the leakage? Explain your answer!

The secure replacement would be SSH.

4 Network Firewalls

In the lecture, we have seen stateless packet-filter firewalls, i.e., every packet is handled and checked against the list of configured access rules on an individual basis. In addition to stateless packet-filters, there are also stateful packet-filters (you can refer to https://en.wikipedia.org/wiki/stateful_firewall for more information).

(1 point) i. Briefly describe the difference between stateless and stateful packet-filters.
A (probably too long) sample answer:

A stateful firewall keeps track of the state of network connections (such as TCP streams or UDP communication) traveling across it. It is capable of distinguishing legitimate packets for different types of connections. Only packets matching a known active connection will be allowed by the firewall; others will be rejected.

A stateless firewall treats each network frame (or packet) in isolation. Such packet filters might function more efficiently because they only look at the header part of a packet. At the same time this is a drawback, as they cannot check the context, which makes them vulnerable to spoofing attacks. Stateless firewalls have no way of knowing whether any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet.

(3 points) ii. Name and briefly explain two advantages and disadvantages of stateful packet-filters. Should stateful packet-filters always be preferred over stateless filters? Why?

See the Wikipedia article, e.g.:
+ can use context (session/connection) for filtering
+ can defend against spoofing
+ necessary to allow some services (like FTP, see below)
- might be slower under heavy load
- more complex and harder to administrate
- require memory to track connections

(2 points) iii. Name two concrete scenarios in which a stateless packet-filter cannot be used.

Usage of secure protocols such as IPsec for tunneling and encryption.
File Transfer Protocol (FTP).

By design, such protocols need to be able to open connections to arbitrary high/unprivileged ports to function properly. Since a stateless firewall has no way of knowing
that the packet destined to the protected network (to some host's destination port 4970, for example) is part of a legitimate FTP session, it will drop the packet.

(4 points) iv. We would like to test whether a firewall performs stateless or stateful inspection of TCP traffic. We assume that:
- The firewall filters traffic exchanged between two hosts (Host #1 and Host #2), as shown in Figure 4.
- The firewall allows Host #1 to access any Web server running on Host #2.
- The default security policy is Deny all.
Moreover, we assume that five packets have been generated and exchanged (see Figure 4). By analyzing the accepted and denied packets, tell whether the firewall performs stateless or stateful packet inspection and briefly explain your answer.

Figure 4: List of packets accepted and denied by the firewall

To answer this question, students have to read how a TCP connection is established (1. SYN to destination host, 2. SYN-ACK to source host, 3. ACK to destination host).

The firewall performs stateful packet filtering. Host #1 initiates an FTP connection with source port 2000. Packet #1, #3, and #4 belong to the
three-way TCP handshake. Packet #2 is dropped as it does not belong to a connection (there were no prior packets for SYN and SYN-ACK). Packet #5 is accepted as it initiates a new TELNET connection. A stateless packet filter would drop packet #3, due to the deny-all rule (for unprivileged ports, here 2000). The FTP connection could not be established then.
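As an added example (not part of the exercise solution), the following Python script ties section 2 and question 4 iv together: it dissects constructed IPv4/TCP headers into the fields of Figures 2 and 3, then runs one five-packet exchange through both a stateless and a stateful filter under the "Host #1 may reach the web server on Host #2, deny everything else" policy. Because Figure 4 is not reproduced, the five packets and the two host addresses are assumptions modelled on the solution text; packet #5 is built as a second connection to the web server.

```python
import struct
HOST1, HOST2 = "192.168.56.1", "192.168.56.101"  # the trace's client/server, reused as Host #1/#2
FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
IP_FMT, TCP_FMT, PROTO_TCP = "!BBHHHBBH4s4s", "!HHIIBBHHH", 6

def build(src, sport, dst, dport, flags):  # constructed 40-byte IPv4+TCP headers, no payload
    ip = struct.pack(IP_FMT, 0x45, 0, 40, 0, 0x4000, 128, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    bits = sum(FLAG_BITS[f] for f in flags.split("-"))
    return ip + struct.pack(TCP_FMT, sport, dport, 0, 0, 0x50, bits, 256, 0, 0)

def dissect(buf):
    """Extract the IP (Figure 2) and TCP (Figure 3) header fields the exercise asks for."""
    vihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack(IP_FMT, buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or proto != PROTO_TCP:
        raise ValueError("expected an IPv4 packet carrying TCP")
    sport, dport, _, _, _, bits, win, _, _ = struct.unpack(TCP_FMT, buf[ihl:ihl + 20])
    return {"version": 4, "header_length": ihl, "total_length": total, "ttl": ttl,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "sport": sport,
            "dport": dport, "window": win, "flags": "-".join(n for n, b in FLAG_BITS.items() if bits & b)}

def policy_allows(p):  # Host #1 may reach any web server on Host #2; the default is deny all
    return p["src"] == HOST1 and p["dst"] == HOST2 and p["dport"] == 80
def stateless_verdicts(packets):  # every packet is judged on its own
    return [policy_allows(dissect(b)) for b in packets]
def stateful_verdicts(packets):
    table, out = {}, []  # initiator 4-tuple -> handshake state
    for b in packets:
        p = dissect(b)
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == "SYN" and policy_allows(p):                     # new connection per policy
            table[fwd], ok = "SYN_SENT", True
        elif p["flags"] == "SYN-ACK" and table.get(rev) == "SYN_SENT":  # reply to a tracked SYN
            table[rev], ok = "SYN_RECEIVED", True
        elif p["flags"] == "ACK" and table.get(fwd) == "SYN_RECEIVED":  # handshake completes
            table[fwd], ok = "ESTABLISHED", True
        else:  # anything else passes only inside an established connection
            ok = "ESTABLISHED" in (table.get(fwd), table.get(rev))
        out.append(ok)
    return out

PACKETS = [  # constructed five-packet exchange following the solution text (Figure 4 not reproduced)
    build(HOST1, 2000, HOST2, 80, "SYN"),      # 1: Host #1 opens a connection
    build(HOST2, 80, HOST1, 2000, "ACK"),      # 2: stray ACK with no SYN/SYN-ACK behind it
    build(HOST2, 80, HOST1, 2000, "SYN-ACK"),  # 3: the server's reply to packet 1
    build(HOST1, 2000, HOST2, 80, "ACK"),      # 4: handshake completes
    build(HOST1, 2001, HOST2, 80, "SYN"),      # 5: a second, new connection
]
```

The stateless filter denies packet #3 (it is not Host #1 reaching port 80), while the stateful one accepts it as the reply to the tracked SYN and denies only the stray packet #2.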