CIS 551 / TCOM 401

3/23 2006

Lecture 18:

SMTP, NATs, and Firewalls
Scribed by Varun Sarin and Reetika Jain

Overview
Last week- TCP/ UDP and denial of service attacks.
Today-
1) TCP/UDP are one below the application layer (HTTP, HTML)
2) Mail Transfer Protocol as example.
3) Dealing with network attacks:

Network Address Translation

Firewalls

Protocol stack revisited
The view shown in the slide is the standard view of the network protocol stack.
In actuality, they are compressed. Last 3 layers are handled in hardware and
low level OS code. Session and Presentation has to do with marshalling of
data. Most interesting layer to an application developer is the topmost layer.

Common Features
All the applications in the application layer share certain common features.
They are request/reply protocols.
Example: Mail server: The client is present on a local machine.
We go through a certain protocol:

Client connects to the server

Server sends an OK message

Client sends required information to server

HTTP: Protocol consists of a set of queries.
Designed to handle fixed set of messages.
We need to come up with a particular data format.

The body is ASCII text.

Data representation - Messages and data they contain are human readable.
Can interact with mail server with telnet (if you know the mail protocol)
Security - can't really encrypt data. Have to wrap it or do encryption at a lower level.
That is another problem because the encryption program doesnt really doesn't know what
it is encrypting.

SMTP
Data format RFC822. Adopted around 1982.
MIME - Couple of side protocols/encoding. Mail protocol works with only ASCII text. If we
want to embed something - must be ASCII. They use 6 bit ASCII. Some type of binary data.
MIME maps the binary data to ASCII characters. More interesting are MIME commands.
Has some header data - length, type of encoding etc.
It lets you abuse the system. Gets a mail with attachment - has a header - with MIME how to
deal with it (remote service, save a file etc.)

RFC822 Headers
Tells the format of the protocol. Bunch of "type: value".The slide shows many of the well known
types. Lots of others that mail clients use and you can make your own values as well.
Security lapse lies in the fact that you can set the FROM line, date etc. to anything you want.

Example
3 attachments in mail. Information about MIME version, header information is the first part. Content-
type: multipart/mixed- Bunch of sub-MIME attachments. Need to know where attachments end - random
strings with dashes. Metadata that could be abused in name= " ".
Inline- actual data lives here. Here we can specify another protocol to figure out data.

SMTP security
No authentication (spam). Authenticated email - complicated. sendmail - earliest internet worms - exploited
bugs in sendmail (1986, buffer overflow).
sendmail - responsible for buffering , storing - lots of header, data processing aspects
lots of buffers - most of which are subject to external inputs.
Concurrent program - makes it more complicated
sendmail - needs to write into all private directories, must have strong privileges (distributed part of protocol).
properties - Commonly used, written in C, needs privileges, deals with unverifiable data.

MIME security
Less familiar, attachment - inline attachments. can send .exe so client program (if not very secure) runs the
program automatically. Other weaknesses - send message as external link - give it a name and satisfy a site
and access type and connect to a remote machine on directory and contents of the message is empty. Abused
by - instead give /etc/passwd or .login - if you save it - can overwrite an important file. Also since it points to a
remote machine - this is unsafe.

NATs and Firewalls
Major defences - put reference monitor in network that regulate access control. isolate pieces of the network.
NAT - orginally designed as a way of breaking up IP address space.
both let you filter network technologies.
Where do you do the filtering? possible places - spam - on the mail server, client as well (set your own policy)

Kinds of firewalls
personal firewalls - came in when you installed windows. (application firewalls - run locally - for a single machine)
filtering firewalls - not as configurable by the user, able to take in account more information about application running on
the machine. know specific information about the user as well.
NAT - it makes a single IP address stand for a bunch of machines internally to the NAT and to the rest of the world it looks
like one machine. Violates the global IP rule.
proxy based - like a filter based firewall but it resides on the router. Operates at application level. reconstruct TCP/HTTP information
that is carried through them. Pretends to be a web server and web client.

NAT
every host has a unique IP (originally) to get around that problem.
NAT - gives it an IP. behind it uses a completely different address space.

used in very small networks

works at IP layer

trick - information about ports. changes port information

Network address translation

Makes use of a network address translator, which uses a completely different address space

It is used in small networks, typically home networks

It works at the IP layer

It was fundamentally designed to provide illusion of more addresses then there actually are

NAT maintains a table of the form Client IP, Client Port, NAT identifier

For outgoing packets, the source IP is replaced with NAT’s IP and Client port is replaced with NAT’s ID. This is done using the fact that you can’t authenticate source address in IP to get extra security

For incoming packets, the table is referred again for replacing certain information

It’s called a Network Address Translator cause it translates addresses inside the network to its own address
NAT ID’s should not be collected hence the table entries expire after 2-3 minutes to allow them to be garbage collected

Benefits of NAT

Connections to the outside can only be established from the inside

NAT’s have to be explicitly configured to do port forwarding

NAT’s can simplify network administration by dividing the network into smaller chunks

NAT’s force all traffic to go through one point and hence allows for traffic logging

Drawbacks of NAT

Rewriting IP addresses isn’t easy

Checksum needs to be recalculated in order to guarantee integrity of data, which may cause delay

NAT may not work with all protocols

NAT provides for limited filtering of packets

Note : Most wireless routers are NAT’s

Firewalls
Gateway is a router/machine connecting two networks that runs the filtering software
Filters protect against bad packets. Both incoming and outgoing packets must be filtered Provides protection to the inside network from outside access while providing them outside services
Filtering firewalls use IP information. The firewall can be configured using the source, destination, source port, destination port and flags information from the IP header. Some firewalls keep state about open TCP connections which allows for conditional filtering rules to be applied.
Note : Firewalls can be subject to Denial of Service attacks

A TCP connection is established by means of a Three-way handshake, which includes a SYN packet, SYN+ACK packet and an ACK packet
If you want to break the TCP connection then any one of the three packets could be dropped

Ports

Ports are used distinguish applications and services on a machine

The low numbered ports are reserved for server listening while the high numbered ports are assigned for client requests