Network Implementation of Protocols and Services
- Given a Scenario, Implement Common Protocols and Services
- Given a Scenario, Troubleshoot Security Issues Related to Wireless Networking
- What Next?
The network infrastructure is subject to myriad internal and external attacks through services, protocols, and open ports. It is imperative that you understand how to properly implement services and protocols, especially if the network has been in existence for some period of time and some services are no longer needed or have been forgotten. To stop many would-be attackers, you must understand how protocols are used on the network, what common ports are used by network protocols, and how to securely implement a wireless network.
This chapter discusses these concepts to help you understand how to use the proper network implementation of protocols and services as a tool to protect and mitigate threats against network infrastructure based on organizational needs. It also has a section specifically dedicated to wireless security implementation based on organization requirements.
Given a Scenario, Implement Common Protocols and Services
- Protocols
- Ports
- OSI relevance
Protocols
Internet Protocol Security
The Internet Protocol Security (IPsec) authentication and encapsulation standard is widely used to establish secure VPN communications. The use of IPsec can secure transmissions between critical servers and clients. This helps prevent network-based attacks from taking place. Unlike most security systems that function within the application layer of the OSI model, IPsec functions within the network layer. IPsec provides authentication services and encapsulation of data through support of the Internet Key Exchange (IKE) protocol.
The asymmetric key standard defining IPsec provides two primary security services:
- Authentication Header (AH): This provides authentication of the data’s sender, along with integrity and nonrepudiation. RFC 2402 states that AH provides authentication for as much of the IP header as possible, as well as for upper-level protocol data. However, some IP header fields might change in transit, and when the packet arrives at the receiver, the value of these fields might not be predictable by the sender. The values of such fields cannot be protected by AH. So, the protection provided to the IP header by AH is somewhat piecemeal.
- Encapsulating Security Payload (ESP): This supports authentication of the data’s sender and encryption of the data being transferred along with confidentiality and integrity protection. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an antireplay service (a form of partial sequence integrity), and limited traffic-flow confidentiality. The set of services provided depends on options selected at the time of security association establishment and on the placement of the implementation. Confidentiality may be selected independently of all other services. However, the use of confidentiality without integrity/authentication (either in ESP or separately in AH) might subject traffic to certain forms of active attacks that could undermine the confidentiality service.
Protocols 51 and 50 are the AH and ESP components of the IPsec protocol. IPsec inserts ESP or AH (or both) as protocol headers into an IP datagram that immediately follows an IP header.
The protocol field of the IP header will be 50 for ESP or 51 for AH. If IPsec is configured to do authentication rather than encryption, you must configure an IP filter to let protocol 51 traffic pass. If IPsec uses nested AH and ESP, you can configure an IP filter to let only protocol 51 (AH) traffic pass.
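The following Python example is added here to illustrate the two paragraphs above; it is not code from the chapter. It builds three constructed IPv4 datagrams (AH only, AH nested over ESP, ESP only; checksums and AH integrity values are zeroed placeholders, never transmitted), decodes the IP protocol field that a packet filter acts on, and walks the cleartext AH header to show why a filter that permits only protocol 51 still passes a nested AH-over-ESP packet: the filter only ever sees the outer header.

```python
import struct
from typing import List, NamedTuple

# IP protocol numbers named in the text: ESP is 50, AH is 51.
PROTO_ESP = 50
PROTO_AH = 51


class IPv4Header(NamedTuple):
    ihl: int            # header length in bytes
    total_length: int
    ttl: int
    protocol: int       # the field an IP filter matches on
    src: str
    dst: str


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Decode the fixed 20-byte part of an IPv4 header (RFC 791 layout)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad header length")
    return IPv4Header(ihl, total_len, ttl, proto,
                      ".".join(map(str, src)), ".".join(map(str, dst)))


def ipsec_chain(packet: bytes) -> List[int]:
    """Walk AH headers (they are cleartext) and report the protocol chain.
    ESP payloads are encrypted, so the walk stops at the first ESP header."""
    hdr = parse_ipv4_header(packet)
    chain, proto, offset = [], hdr.protocol, hdr.ihl
    while proto == PROTO_AH:
        chain.append(PROTO_AH)
        if len(packet) < offset + 12:
            raise ValueError("truncated AH header")
        next_header, payload_len = packet[offset], packet[offset + 1]
        offset += (payload_len + 2) * 4   # AH length field counts 32-bit words minus 2
        proto = next_header
    chain.append(proto)
    return chain


def filter_decision(packet: bytes, allowed_protocols) -> str:
    """A minimal IP filter: it only ever sees the outer IP protocol number."""
    return "pass" if parse_ipv4_header(packet).protocol in allowed_protocols else "drop"


# --- constructed test packets (checksums and ICVs are zero; these are never transmitted) ---
def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload


def build_ah(next_header: int, spi: int, seq: int, icv: bytes = bytes(12)) -> bytes:
    """AH header: next header, payload length, reserved, SPI, sequence number, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


AH_ONLY = build_ipv4(PROTO_AH, "10.0.0.1", "10.0.0.2", build_ah(6, 0x100, 1) + bytes(20))
NESTED = build_ipv4(PROTO_AH, "10.0.0.1", "10.0.0.2", build_ah(PROTO_ESP, 0x101, 1) + bytes(16))
ESP_ONLY = build_ipv4(PROTO_ESP, "10.0.0.1", "10.0.0.2", bytes(16))

if __name__ == "__main__":
    for name, pkt in (("AH only", AH_ONLY), ("AH over ESP", NESTED), ("ESP only", ESP_ONLY)):
        print(name, "chain:", ipsec_chain(pkt),
              "AH-only filter:", filter_decision(pkt, {PROTO_AH}))
```

Two practical caveats when turning this into a real filter rule: an ESP-only deployment needs protocol 50 permitted (the AH-only rule above drops it), and the IKE negotiation described in the next paragraph runs over UDP (port 500, or 4500 with NAT traversal), so that traffic must be permitted as well or no security association is ever established.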
IPsec supports the IKE protocol, which is a key management standard used to allow specification of separate key protocols to be used during data encryption. IKE functions within the Internet Security Association and Key Management Protocol (ISAKMP), which defines the payloads used to exchange key and authentication data appended to each packet.
The common key exchange protocols and standard encryption algorithms—including asymmetric key solutions such as the Diffie-Hellman Key Agreement and Rivest-Shamir-Adleman (RSA) standards; symmetric key solutions such as the International Data Encryption Algorithm (IDEA) and Digital Encryption Standard (DES); Triple DES (3DES) and hashing algorithms, such as the message digest 5 (MD5) and Secure Hash Algorithm (SHA)—are covered in detail in Chapter 12, “Cryptography Tools and Techniques.”
Although IPsec by itself does not control access to the wireless local-area network (WLAN), it can be used in conjunction with 802.1X to provide security for data being sent to client computers that are roaming between access points (AP) on the same network. For better security, segment the wireless network by placing a firewall between the WLAN and the remainder of the network. Because IPsec is a solution to securely authenticate and encrypt network IP packets, you can use IPsec to provide strong security between a Remote Authentication Dial-In User Service (RADIUS) server and a domain controller, or to secure traffic to a partner organization’s RADIUS servers. RADIUS provides authentication and access control within an enterprise network and is explained in greater detail in Chapter 10, “Authentication, Authorization, and Access Control.” Many VPN solutions use IPsec, and, like a virtual private network (VPN), IPsec is an excellent solution in many circumstances. However, it should not be a direct alternative for WLAN protection implemented at the network hardware layer.
Simple Network Management Protocol
Older protocols that are still in use might leave the network vulnerable. Protocols such as Simple Network Management Protocol (SNMP) and Domain Name Service (DNS) that were developed a long time ago and have been widely deployed can pose security risks, too. SNMP is an application layer protocol whose purpose is to collect statistics from TCP/IP devices. SNMP is used for monitoring the health of network equipment, computer equipment, and devices such as uninterruptible power supplies (UPS). Many of the vulnerabilities associated with SNMP stem from using SNMPv1. Although these vulnerabilities were discovered in 2002, vulnerabilities are still being reported with current SNMP components. A recent Ubuntu Linux Security Advisory noted that vulnerabilities in Net-SNMP allow remote attackers to cause a denial of service.
The SNMP management infrastructure consists of three components:
- SNMP managed node
- SNMP agent
- SNMP network management station
The device loads the agent, which in turn collects the information and forwards it to the management station. Network management stations collect a massive amount of critical network information and are likely targets of intruders because SNMPv1 is not secure. The only security measure it has in place is its community name, which is similar to a password. By default, this is “public,” and many times is not changed, thus leaving the information wide open to intruders. SNMPv2 uses message digest 5 (MD5) for authentication. The transmissions can also be encrypted. SNMPv3 is the current standard, but some devices are likely to still be using SNMPv1 or SNMPv2.
SNMP can help malicious users learn a lot about your system, making password-guessing attacks a bit easier than brute-force attacks. SNMP is often overlooked when checking for vulnerabilities because it uses User Datagram Protocol (UDP) ports 161 and 162. Make sure that network management stations are secure physically and secure on the network. You might even consider using a separate management subnet and protecting it using a router with an access list. Unless this service is required, you should turn it off.
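As an added example (not code from the chapter) of the weakness described above, the Python below decodes the outer BER structure of a community-based SNMP message: version, community string, and the PDU tag. A monitoring rule built on it flags SNMPv1/v2c traffic, where the community string travels in cleartext, and the default community names the text mentions. The sample message is constructed by hand (an SNMPv1 GetRequest for sysDescr.0), not a real capture, and the decoder deliberately stops at the community layer for v3 messages, which carry security parameters instead.

```python
# BER tags used by community-based SNMP messages.
TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {b"public", b"private"}


def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value starting at pos. Returns (tag, value, next_pos).
    Handles short-form and long-form lengths; rejects anything that runs past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of message")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(msg: bytes) -> dict:
    """Extract the version and (for v1/v2c) the community string from an SNMP message."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, value, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(value, "big", signed=True)
    info = {"version": SNMP_VERSIONS.get(version, "unknown(%d)" % version),
            "community": None, "pdu_tag": None}
    if version == 3:                        # v3 carries msgGlobalData next, not a community
        return info
    tag, community, pos = read_tlv(body, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("expected OCTET STRING community")
    pdu_tag, _, _ = read_tlv(body, pos)
    info.update(community=community, pdu_tag=pdu_tag)
    return info


def assess_snmp(msg: bytes):
    """Findings a monitoring rule would raise for one captured SNMP message."""
    info = parse_snmp_header(msg)
    findings = []
    if info["version"] in ("v1", "v2c"):
        findings.append("SNMP%s: community string travels in cleartext" % info["version"])
        if info["community"] in DEFAULT_COMMUNITIES:
            findings.append("default community %r in use"
                            % info["community"].decode("ascii", "replace"))
    return findings


# Constructed sample: an SNMPv1 GetRequest for sysDescr.0 with community "public" (not a real capture).
SAMPLE_V1_GET = bytes.fromhex(
    "3026"                              # SEQUENCE, 38 bytes follow
    "020100"                            # INTEGER 0 -> SNMPv1
    "04067075626c6963"                  # OCTET STRING "public"
    "a019"                              # GetRequest-PDU, 25 bytes follow
    "020101" "020100" "020100"          # request-id 1, error-status 0, error-index 0
    "300e300c06082b060102010101000500"  # VarBindList: sysDescr.0 = NULL
)

if __name__ == "__main__":
    print(parse_snmp_header(SAMPLE_V1_GET))
    for finding in assess_snmp(SAMPLE_V1_GET):
        print("-", finding)
```

Run against the sample, the rule raises two findings (cleartext community, default community). The same decoder applied to UDP port 161/162 traffic on the management subnet is a cheap way to confirm that the devices still speaking SNMPv1 or SNMPv2c have been found before that service is turned off or upgraded.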
Secure Shell
As a more secure replacement for the common command-line terminal utility Telnet, the Secure Shell (SSH) utility establishes a session between the client and host computers using an authenticated and encrypted connection. SSH requires encryption of all data, including the login portion. SSH uses the asymmetric (public key) RSA cryptography method to provide both connection and authentication.
Data encryption is accomplished using one of the following algorithms:
- International Data Encryption Algorithm (IDEA): The default encryption algorithm used by SSH, which uses a 128-bit symmetric key block cipher.
- Blowfish: A symmetric (private key) encryption algorithm using a variable 32- to 448-bit secret key.
- Data Encryption Standard (DES): A symmetric key encryption algorithm using a random key selected from a large number of shared keys. Most forms of this algorithm cannot be used in products meant for export from the United States.
- Triple Data Encryption Standard (3DES): A symmetric key encryption algorithm that dramatically improves upon DES by using the DES algorithm three times with three distinct keys.
Using SSH helps guard against attacks such as eavesdropping, man-in-the-middle attacks, and spoofing. Attempts to spoof the identity of either side of a communication can be thwarted because each packet is encrypted using a key known only by the local and remote systems.
Domain Name Service
Domain Name Service (DNS) was originally designed as an open protocol. DNS servers are organized in a hierarchy. At the top level of the hierarchy, root servers store the complete database of Internet domain names and their corresponding IP addresses. There are different types of DNS servers. The most common types are the following:
- Authoritative servers: Definitive for particular domains providing information about only those domains. An authoritative-only name server only returns answers to queries about domain names that have been specifically configured.
- Caching servers: Uses recursion to resolve a given name starting with the DNS root through to the authoritative name servers of the queried domain.
Internal DNS servers can be less susceptible to attacks than external DNS servers, but they still need to be secured. To stop outside intruders from accessing the internal network of your company, use separate DNS servers for internal and Internet name resolution. To provide Internet name resolution for internal hosts, you can have your internal DNS servers use a forwarder.
The following are some considerations for internal DNS servers:
- Eliminate any single point of failure by making sure that the structure is planned properly. Analyze where the clients of each DNS zone are located and how they will resolve names if the DNS server is unavailable.
- Prevent unauthorized access to your servers by implementing integrated zones with secure dynamic updates. Keep the list of DNS servers that are allowed to obtain a zone transfer small.
- Monitor the server events and DNS logs. Proper monitoring of logs and server events can help prevent unauthorized access as well as diagnose problems.
Transport Layer Security
Another asymmetric key encapsulation currently considered the successor to SSL is the Transport Layer Security (TLS) protocol, based on Netscape’s Secure Sockets Layer 3.0 (SSL3) transport protocol, which provides encryption using stronger encryption methods, such as DES, or without encryption altogether if desired for authentication only. SSL and TLS transport are similar but not entirely interoperable. TLS also provides confidentiality and data integrity.
TLS has two layers of operation:
- TLS Record Protocol: This protocol allows the client and server to communicate using some form of encryption algorithm (or without encryption if desired).
- TLS Handshake Protocol: This protocol allows the client and server to authenticate one another and exchange encryption keys to be used during the session.
Secure Sockets Layer
Secure Sockets Layer (SSL) protocol communications occur between the HTTP (application) and TCP (transport) layers of Internet communications. SSL is used by millions of websites in the protection of their online transactions with their customers. SSL is a public key-based security protocol that is used by Internet services and clients for authentication, message integrity, and confidentiality. The SSL process uses certificates for authentication and encryption for message integrity and confidentiality. SSL establishes what is called a stateful connection. In a stateful connection, both ends set up and maintain information about the session itself during its life. This is different from a stateless connection, where there is no prior connection setup. The SSL stateful connection is negotiated by a handshaking procedure between client and server. During this handshake, the client and server exchange the specifications for the cipher that will be used for that session. SSL communicates using an asymmetric key with cipher strength of 40 or 128 bits.
SSL works by establishing a secure channel using public key infrastructure (PKI). This can eliminate a vast majority of attacks, such as session hijackings and information theft.
You can secure communications when performing administration on wireless access points (WAP) by leveraging protocols such as SSH or HTTP with SSL or TLS. A WAP can implement access control functions to allow or deny access to the network and provides the capability of encrypting wireless traffic. It also has the means to query an authentication and authorization service for authorization decisions and securely exchange encryption keys with the client to secure the network traffic.
As a general rule, SSL is not as flexible as IPsec from an application perspective but is more flexible for access from any location. One must determine the usage requirements for each class of user and determine the best approach.
Transmission Control Protocol/Internet Protocol
The core of TCP/IP consists of four main protocols: the Internet Protocol (IP), the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), and the Internet Control Message Protocol (ICMP). IP is responsible for providing essential routing functions for all traffic on a TCP/IP network. TCP provides connection-oriented communication. UDP provides connectionless communications. TCP connections are initiated and terminated with a three-way handshake process. ICMP provides administrative services to TCP/IP networks.
TCP/IP’s implementation of the OSI model makes functionality simpler by mapping the same seven layers of the OSI model to a four-layer model instead. Unlike the OSI reference model, the TCP/IP model focuses more on delivering interconnectivity than on functional layers. It does this by acknowledging the importance of a structured hierarchical sequence of functions, yet leaves protocol designers flexibility for implementation. Table 2.1 compares the OSI and TCP/IP models.
TABLE 2.1 OSI and TCP/IP Model Comparison

| OSI Reference Model | TCP/IP Reference Model |
|---|---|
| Application, Presentation, Session | Application |
| Transport | Transport |
| Network | Internet |
| Data link, Physical | Network access |
File Transfer Protocol Secure
FTP passes the username and password in a plain-text form, allowing packet sniffing of the network traffic to read these values, which may then be used for unauthorized access to the server. FTPS, also known as FTP Secure and FTP-SSL, is an FTP extension that adds support for TLS and SSL. FTPS supports channel encryption as defined in RFC 2228.
With FTPS, data transfers take place in a way designed to allow both parties to authenticate each other and to prevent eavesdropping, tampering, and forgery on the messages exchanged. FTPS includes full support for the TLS and SSL cryptographic protocols, including the use of server-side public key authentication certificates and client-side authorization certificates. It also supports compatible ciphers, including AES, RC4, RC2, Triple DES and DES, as well as hash functions SHA1, MD5, MD4, and MD2.
You should use FTPS when you need to transfer sensitive or confidential data between a client and a server that is configured to use SSL for secure transactions.
Secure variations of FTP ensure that data cannot be intercepted during transfer and allow the use of more secure transfer of user access credentials during FTP login. However, the same certificate vulnerabilities discussed earlier in this chapter apply here, too.
Hypertext Transport Protocol over Secure Sockets Layer
Basic web connectivity using Hypertext Transport Protocol (HTTP) occurs over TCP port 80, providing no security against interception of transacted data sent in clear text. An alternative to this involves the use of SSL transport protocols operating on port 443, which creates an encrypted pipe through which HTTP traffic can be conducted securely. To differentiate a call to port 80 (http://servername/), HTTP over SSL calls on port 443 using HTTPS as the URL port designator (https://servername/).
HTTP Secure (HTTPS) was originally created by the Netscape Corporation and used a 40-bit RC4 stream encryption algorithm to establish a secured connection encapsulating data transferred between the client and web server, although it can also support the use of X.509 digital certificates to allow the user to authenticate the sender. Now, 256-bit encryption keys have become the accepted level of secure connectivity for online banking and electronic commerce transactions.
Although HTTPS encrypts communication between the client and server, it does not guarantee that the merchant is trustworthy or that the merchant’s server is secure. SSL/TLS is designed to positively identify the merchant’s server and encrypt communication between the client and server.
Secure Copy Protocol
The Secure Copy Protocol (SCP) is a network protocol that supports file transfers. SCP is a combination of RCP and SSH. It uses the BSD RCP protocol tunneled through the SSH protocol to provide encryption and authentication. The RCP performs the file transfer, and the SSH protocol performs authentication and encryption. SCP runs on port 22 and protects the authenticity and confidentiality of the data in transit. It thwarts the ability for packet sniffers to extract information from data packets.
An SCP download request is server driven, which imposes a security risk when connected to a malicious server. SCP has been mostly superseded by the more comprehensive SFTP, and some implementations of the SCP utility actually use SFTP instead.
Internet Control Message Protocol
Internet Control Message Protocol (ICMP) is a protocol meant to be used as an aid for other protocols and system administrators to test for connectivity and search for configuration errors in a network. Ping uses the ICMP echo function and is the lowest-level test of whether a remote host is alive. A small packet containing an ICMP echo message is sent through the network to a particular IP address. The computer that sent the packet then waits for a return packet. If the connections are good and the target computer is up, the echo message return packet will be received. It is one of the most useful network tools available because it tests the most basic function of an IP network. It also shows the Time To Live (TTL) value and the amount of time it takes for a packet to make the complete trip, also known as round-trip time (RTT), in milliseconds (ms). One caveat with using ICMP: It can be manipulated by malicious users, so some administrators block ICMP traffic. If that is the case, you will receive a request timeout even though the host is available.
Traceroute is a computer network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an IP network. Traceroute outputs the list of traversed routers in simple text format, together with timing information. Traceroute is available on most operating systems. On Microsoft Windows operating systems, it is named tracert. Traceroute uses an ICMP echo request packet to find the path. It first sends an echo request with the TTL value set to 1. When the first router sees the packet with TTL 1, it decrements the TTL to 0 and discards the packet. As a result, it sends an ICMP Time Exceeded message back to the source. The source address of that ICMP error message is the first router's address, so the source now knows the first router. The TTL is then raised by one for each round to discover the next router in turn. Generally, three packets are sent at each TTL, and the RTT is measured for each one. Most implementations of traceroute keep working until they have gone 30 hops, but this can be extended up to 254 routers.
Pathping is a Windows route-tracing tool that combines features of the ping and tracert commands with additional information. The command uses traceroute to identify which routers are on the path. When the traceroute is complete, pathping sends pings periodically to all the routers over a given time period and computes statistics based on the number of packets returned from each hop. By default, pathping pings each router 100 times, with a single ping every 0.25 seconds. Consequently, a default query requires 25 seconds per router hop. This is especially helpful in identifying routers that cause delays or other latency problems on a connection between two IP hosts.
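The Python below is an added example, not code from the chapter, showing the ICMP messages that ping and traceroute rely on: it builds an echo request with the RFC 1071 checksum, verifies a received message by checking that it sums to zero, and decodes the Time Exceeded message a router returns when the TTL reaches 0, including the expired datagram's header that the router quotes back. All packets are constructed in memory (the probe's IP header is a hand-written sample, not a capture); sending them would require raw sockets and is outside the scope of the example.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11
ICMP_NAMES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Echo request (type 8) or reply (type 0): type, code, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_time_exceeded(expired_datagram: bytes) -> bytes:
    """Type 11 / code 0, as a router sends when TTL hits 0; quotes the IP header + 8 bytes."""
    quoted = expired_datagram[:28]
    header = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0)
    csum = inet_checksum(header + quoted)
    return struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, csum, 0) + quoted


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP message and verify its checksum (a valid message sums to zero)."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code = packet[0], packet[1]
    info = {"type": icmp_type, "name": ICMP_NAMES.get(icmp_type, "other"), "code": code,
            "checksum_ok": inet_checksum(packet) == 0}
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info["ident"], info["seq"] = struct.unpack("!HH", packet[4:8])
        info["payload"] = packet[8:]
    elif icmp_type == ICMP_TIME_EXCEEDED and len(packet) >= 28:
        quoted = packet[8:]                  # the expired datagram's own IP header
        info["quoted_ttl"], info["quoted_proto"] = quoted[8], quoted[9]
        info["quoted_dst"] = ".".join(map(str, quoted[16:20]))
    return info


# Constructed: IPv4 header of a probe (TTL 1, protocol 1 = ICMP, 44 bytes total)
# from 192.168.0.10 to 10.0.0.1. Checksum zeroed; this is sample input, not a capture.
PROBE_IP_HEADER = bytes.fromhex("4500002c" "00010000" "0101" "0000" "c0a8000a" "0a000001")
PROBE = PROBE_IP_HEADER + build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"traceroute probe")

if __name__ == "__main__":
    print(parse_icmp(build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping")))
    print(parse_icmp(build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"ping")))
    print(parse_icmp(build_time_exceeded(PROBE)))
```

The checksum check is the part worth keeping from this example: any tool that consumes ICMP (a ping monitor, an IDS rule matching echo payloads) should discard messages whose checksum does not verify before acting on the identifier, sequence number or quoted header, since those fields are what an attacker manipulating ICMP, as the text warns, would be forging.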
IPv4
IPv4 is a connectionless protocol for use on packet-switched networks. It operates on a best effort delivery model, in that it does not guarantee delivery, nor does it ensure proper sequencing or avoidance of duplicate delivery. These aspects, including data integrity, are addressed by an upper-layer transport protocol, such as TCP. IPv4 currently routes the majority of Internet traffic. IPv4 is widely used in both internal and external networks throughout the world.
IPv4 is susceptible to ping sweeps, port scans, and application and vulnerability scans. To mitigate sweeps and scans, filtering messages or traffic types is an acceptable solution because it is impossible to eliminate reconnaissance activity.
IPv6
Because of the increased demand of devices requiring IP addresses, IPv4 could not keep up with such an expansive demand. As a result, a new method was needed to address all the new devices requiring IP addresses. The Internet Engineering Task Force (IETF) published a new standard for IP addresses in RFC 2460. The new standard, IPv6, makes several changes to the older IPv4 standard. IPv6 increases the address size from IPv4 32 bits to 128 bits.
The differences between IPv6 and IPv4 are in five major areas: addressing and routing, security, network address translation, administrative workload, and support for mobile devices. Table 2.2 provides a comparison of some of the differences between IPv4 and IPv6.
Table 2.2 IPv4 and IPv6 Comparison

| IPv4 | IPv6 |
|---|---|
| Addresses are 32 bits (4 bytes) in length. | Addresses are 128 bits (16 bytes) in length. |
| Header includes a checksum and options. | Header does not include a checksum, and all optional data is moved to IPv6 extension headers. |
| ARP uses broadcast request frames to resolve an IP address to a link-layer address. | Multicast Neighbor Solicitation messages are used to resolve IP addresses to link-layer addresses. |
| IPv4 header does not identify packet flow for quality of service (QoS). | IPv6 header identifies packet flow for QoS. |
| IPsec support is optional. | IPsec support is required. |
| IPv4 limits packets to 64 KB of payload. | IPv6 has optional support for jumbograms, which can be as large as 4 GB. |
| Must be configured either manually or through Dynamic Host Configuration Protocol (DHCP). | Does not require manual configuration or DHCP. |
In addition to the difference in the address structure in IPv6, there are IPv6 versions of protocols and commands. The following are some of the more prevalent ones:
- DHCPv6: Provides stateful address configuration or stateless configuration settings to IPv6 hosts.
- EIGRPv6: Enhanced Interior Gateway Routing Protocol (EIGRP) is a routing protocol that was developed by Cisco. EIGRPv6 runs on IPv6 networks. It operates in the same manner as the IPv4 version, except that it routes IPv6 addresses.
- ICMPv6: Used by IPv6 nodes to report packet processing errors and diagnostics.
- Pingv6: Used in the same capacity as Ping except for IPv6 addresses. On Windows-based machines, is used, and on Linux/UNIX-based machines is used.
Internet Small Computer System Interface
Internet Small Computer System Interface (iSCSI) is an IP-based storage networking standard for linking data storage facilities. iSCSI is used for faster data transfers over intranets and handling remote storage access mainly in local-area networks (LAN) and WANs. It can be used in cloud environments as well, allowing remote resources to appear as local.
Businesses choose iSCSI because of ease of installation, cost, and utilization of current Ethernet networks. iSCSI clients or initiators send SCSI commands to SCSI targets on remote servers to communicate. iSCSI typically uses TCP port 860, with the target service using port 3260. iSCSI uses IPsec for protection. IPsec provides greater levels of security and integrity, as mentioned earlier in this section.
Fibre Channel
Fibre Channel (FC) is a gigabit network technology predominantly used to link data storage facilities or a storage-area network (SAN). FC is similar to iSCSI, but requires a Fibre Channel infrastructure. An FC infrastructure generally is more costly and complex to manage due to the separate network switching infrastructure. FC uses the Fibre Channel Protocol (FCP) to transport SCSI commands over the network consisting of ports and fabric. FC allows devices to attach through an interconnected switching system called a fabric. An FC port is not the same thing as a computer port or network port. It is the node path performing data communications over the channel. The fiber may attach to a node port (N_Port) and to a port of the fabric (F_Port). The FC port manages a point-to-point connection between itself and the fabric.
FC network protection is primarily security through obscurity because direct access to the FC network is not available to most users, but this does not eliminate the need for security. Approved in 2004, the Fibre Channel Security Protocols standard (FC-SP) specifies how to protect against security breaches. This standard defines protocols for authentication, session keys, integrity and confidentiality, and policy implementation across an FC fabric. Basic FC security occurs through authentication and access control. To secure FC, authentication between FC devices and other devices with whom they communicate can be established using mutual authentication. Proper access control can be achieved through port locking, hard zoning, logical unit number (LUN) masking, and using secure management interfaces and protocols.
Fiber Channel over Ethernet
Fiber Channel over Ethernet (FCoE) is similar in concept to FC except that it allows Ethernet as a method of linking devices to storage. FC traffic runs over an Ethernet infrastructure by encapsulating FC over the Ethernet portions of the connectivity, allowing FC to run alongside IP traffic. FC traffic is used for the server applications, FC SAN, and FC storage. Because FCoE allows FC to be carried over Ethernet, the amount of equipment required in the data center can be reduced. FCoE uses a converged network adapter (CNA), lossless Ethernet links, and an FCoE switch.
Organizations often choose FCoE to maintain or evolve their existing FC network. SAN basic security flaws include weaknesses with authentication and authorization. FCoE can be secured in the manners suggested for FC but also includes control-plane protection and data-plane protection. Control-plane protection is access protection for the switches. Data-plane protection is security for traffic passing through the switches.
File Transfer Protocol
File Transfer Protocol (FTP) servers provide user access to upload or download files between client systems and a networked FTP server. FTP servers include many potential security issues, including anonymous file access and unencrypted authentication. Many FTP servers include the ability for anonymous access in their default installation configuration. Anonymous access is a popular method to provide general access to publicly available information. The problem with this form of access is that any user may download (and potentially upload) any file desired. This might result in a server’s available file storage and network access bandwidth being rapidly consumed for purposes other than those intended by the server’s administrator. If unauthorized file upload is allowed along with download, illegal file content could be placed on the server for download, without the knowledge of the system’s administrator.
Even when user authentication is required, FTP passes the username and password in an unencrypted (plain-text) form, allowing packet sniffing of the network traffic to read these values, which may then be used for unauthorized access. To mitigate FTP vulnerabilities, actions such as disabling anonymous access, hardening access control lists (ACL), enabling logging and disk quotas, setting access restrictions by IP, and enabling “blind” puts can be implemented. Using more secure variations of FTP ensures that data cannot be intercepted during transfer and allows the use of more secure transfer of user access credentials during FTP login.
Secure File Transfer Protocol
Secure File Transfer Protocol (SFTP), or Secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. It is functionally similar to FTP, but because it uses a different protocol, you cannot use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.
Trivial File Transfer Protocol
Trivial File Transfer Protocol (TFTP) is a simple version of FTP used for transferring files between network devices. TFTP uses UDP port 69, has no login feature, and, because it is implemented over UDP, generally works only on LANs. TFTP works with either Bootstrap Protocol (BOOTP) or DHCP.
Because of the lack of security in TFTP, it is a good idea to place the TFTP server behind a firewall on an isolated LAN that only the essential equipment can reach.
Telnet
Telnet is a terminal emulation program used to access remote routers and UNIX systems. Telnet can be used as a tool to determine whether the port on a host computer is working properly. Telnet passes the username, password, and even transacted data in an unencrypted form (clear text), allowing packet sniffing of the network traffic to read these values, which may then be used for unauthorized access to the server. Telnet-type clear-text connections create the ideal situation for TCP hijacking and man-in-the-middle attacks. Methods for mitigating Telnet vulnerabilities include using enhanced encryption or authentication security such as Kerberos, IPsec, SSH, SSL, or Cisco Secure Telnet.
Hypertext Transport Protocol
Hypertext Transfer Protocol (HTTP) allows users to connect to sources of information, services, products, and other functionality through the Internet. Business transactions, membership information, vendor/client communications, and even distributed business logic transactions can all occur though HTTP using basic Internet connectivity on TCP port 80.
An HTTP message contains a header and a body. The message header of an HTTP request has a request line and a collection of header fields. All HTTP messages must include the protocol version. Some HTTP messages can contain a content body, which is optional. The original HTTP specification has little support for the security mechanisms appropriate for today’s Internet transactions. Methods for mitigating HTTP vulnerabilities include using enhanced encryption or authentication security HTTPS or SSL.
NetBIOS
Network Basic Input/Output System (NetBIOS) is an application programming interface (API) providing various networking services. NetBIOS provides name, datagram, and session services, allowing applications on different computers to communicate within a LAN. The session mode establishes a connection and provides error detection. The datagram mode is connectionless and supports LAN broadcast. NetBIOS is most commonly found in use with Microsoft Windows operating systems. Because it does not support routing, NetBIOS must be used with another transport mechanism such as TCP when it is implemented in an organization that has a WAN.
Ports
There are 65,535 TCP and UDP ports on which a computer can communicate. The port numbers are divided into three ranges:
- Well-known ports: The well-known ports are those from 0 through 1,023.
- Registered ports: The registered ports are those from 1,024 through 49,151.
- Dynamic/private ports: The dynamic/private ports are those from 49,152 through 65,535.
Often, many of these ports are not secured and, as a result, are used for exploitation. Table 2.3 lists some of the most commonly used ports and the services and protocols that use them. Many of these ports and services have vulnerabilities associated with them. It is important that you know what common ports are used by network protocols and how to securely implement services on these ports.
TABLE 2.3 Commonly Used Ports
Port | Service/Protocol
15 | Netstat
20 | FTP-Data transfer
21 | FTP-Control (command)
22 | SSH/SFTP/SCP
23 | Telnet
25 | SMTP
53 | DNS
69 | TFTP
80 | HTTP
110 | POP3
137, 138, 139 | NetBIOS
143 | IMAP
161/162 | SNMP
443 | HTTPS
445 | SMB
989/990 | FTPS
1812 | RADIUS
3389 | RDP
Table 2.3 includes a list of protocols that may be currently in use on a network. These protocols, along with some older or antiquated protocols, may be configured open by default by the machine manufacturer or when an operating system is installed. Every operating system requires different services for it to operate properly. If ports are open for manufacturer-installed tools, the manufacturer should have the services listed in the documentation. Ports for older protocols such as Chargen (port 19) and Telnet (port 23) may still be accessible. For example, Finger, which uses port 79, was widely used during the early days of the Internet, and today’s sites no longer offer the service. However, you might still find some old implementations of Eudora mail that use the Finger protocol, or worse, the mail clients have long since been upgraded, but the port used 10 years ago was somehow left open. The quickest way to tell which ports are open and which services are running is to run netstat on the machine. You can also run local or online port scans.
The best way to protect the network infrastructure from attacks aimed at antiquated or unused ports and protocols is to remove any unnecessary protocols and create access control lists to allow traffic on necessary ports only. By doing so, you eliminate the possibility of unused and antiquated protocols being exploited and minimize the threat of an attack.
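The audit described above (run netstat, compare what is listening against the ports the organization actually needs, then remove or filter the rest), as an added example that is not from the book. The netstat lines are constructed to resemble `netstat -an` output, and the allow-list is an assumed one drawn from Table 2.3; the script also classifies each finding into the three port ranges named earlier.

```python
import re

# Constructed sample of `netstat -an`-style output (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Local Address           Foreign Address         State
tcp   0.0.0.0:22              0.0.0.0:*               LISTEN
tcp   0.0.0.0:23              0.0.0.0:*               LISTEN
tcp   0.0.0.0:79              0.0.0.0:*               LISTEN
tcp   0.0.0.0:443             0.0.0.0:*               LISTEN
tcp   10.0.0.5:51234          198.51.100.7:443        ESTABLISHED
udp   0.0.0.0:161             0.0.0.0:*
udp   0.0.0.0:19              0.0.0.0:*
"""
# Assumed allow-list for this host (ports from Table 2.3); anything else that is
# listening should be reviewed, then removed or blocked with an access control list.
ALLOWED = {("tcp", 22), ("tcp", 443), ("udp", 161), ("udp", 162)}
ANTIQUATED = {19: "Chargen", 23: "Telnet", 79: "Finger"}  # named in the text
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def port_range(port):
    """Classify a port into the three ranges described in the text."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def listening_ports(netstat_output):
    """Return the (proto, port) pairs that are exposed as listening services."""
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or an unrecognised format
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "tcp" and state != "LISTEN":
            continue  # outbound client connections are not listening services
        found.add((proto, port))
    return found


def audit(netstat_output, allowed=ALLOWED):
    """List listening ports not on the allow-list, with their range and name."""
    findings = []
    for proto, port in sorted(listening_ports(netstat_output)):
        if (proto, port) in allowed:
            continue
        findings.append((proto, port, port_range(port),
                         ANTIQUATED.get(port, "unexpected service")))
    return findings
```

Each finding is a candidate for removal of the service or for an ACL entry that drops traffic to that port.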
OSI Relevance
You should be very familiar with the OSI model as well as the common protocols and network hardware that function within each level. For example, you should know that hubs operate at the physical layer of the OSI model. Intelligent hubs, bridges, and network switches operate at the data link layer, and Layer 3 switches and routers operate at the network layer. The Network+ Exam Cram and Exam Prep books cover the OSI model in much more detail. If you will be working extensively with network protocols and hardware, you should also look at these texts.
The layers of the OSI model are as follows:
- Application layer
- Presentation layer
- Session layer
- Transport layer
- Network layer
- Data link layer (subdivided into the Logical-Link Control [LLC] and Media Access Control [MAC] sublayers)
- Physical layer
Most applications, like web browsers or email clients, incorporate functionality of the OSI layers 5, 6, and 7.
Cram Quiz
Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.
Which of the following is the correct address size for IPv6 addresses?
- A. 32 bit
- B. 64 bit
- C. 128 bit
- D. 256 bit
Which of the following protocols runs on port 22 and protects the authenticity and confidentiality of file transfer data in transit?
- A. DHCP
- B. SSL
- C. FTP
- D. SCP
You are troubleshooting connectivity issues on the network. Which of the following would be most helpful in determining where the connectivity issues lie?
- A. SNMP
- B. ICMP
- C. SSL
- D. IPsec
You want to be sure that the NetBIOS ports that are required for certain Windows network functions have been secured. Which of the following ports would you check?
- A. 25/110/143
- B. 161/162
- C. 137/138/139
- D. 20/21
Your company is in the process of setting up a management system on your network, and you want to use SNMP. You have to allow this traffic through the router. Which UDP ports do you have to open? (Choose two correct answers.)
- A. 161
- B. 139
- C. 138
- D. 162
Which standard port is used to establish a web connection using the 40-bit RC4 encryption protocol?
- A. 21
- B. 80
- C. 443
- D. 8,250
Cram Quiz Answers
- C. IPv6 increases the address size from the IPv4 32 bits to 128 bits. Answers A, B, and D are incorrect because IPv6 address sizes are 128 bits.
- D. SCP runs on port 22 and protects the authenticity and confidentiality of the data in transit. Answer A is incorrect because DHCP is used to automatically assign IP addresses. Answer B is incorrect because SSL is a public key-based security protocol that is used by Internet services and clients for authentication, message integrity, and confidentiality. The standard port for SSL is port 443. Answer C is incorrect because in FTP the data is not protected.
- B. Traceroute uses an ICMP echo request packet to find the path between two addresses. Answer A is incorrect because SNMP is an application layer protocol whose purpose is to collect statistics from TCP/IP devices. SNMP is used for monitoring the health of network equipment, computer equipment, and devices such as uninterruptible power supplies (UPS). Answer C is incorrect because SSL is a public key-based security protocol that is used by Internet services and clients for authentication, message integrity, and confidentiality. Answer D is incorrect because the IPsec authentication and encapsulation standard is widely used to establish secure VPN communications.
- C. There are NetBIOS ports that are required for certain Windows network functions, such as file sharing, which are 137, 138, and 139. Answer A is incorrect because these ports are used for email. Answer B is incorrect because these ports are used for SNMP. Answer D is incorrect because these ports are used for FTP.
- A and D. UDP ports 161 and 162 are used by SNMP. Answer B is incorrect because UDP port 139 is used by the NetBIOS session service. Answer C is incorrect because port 138 is used to allow NetBIOS traffic for name resolution.
- C. A connection using HTTPS is made using the RC4 cipher and port 443. Answer A is incorrect because port 21 is used for FTP connections. Answer B is incorrect because port 80 is used for unsecure plain-text HTTP communications. Answer D is incorrect because port 8,250 is not designated to a particular TCP/IP protocol.