CIS 551 / TCOM 401

3/23 2006

Lecture 18:

SMTP, NATs, and Firewalls
Scribed by Varun Sarin and Reetika Jain

Last week: TCP/UDP and denial of service attacks.
1) TCP/UDP sit one layer below the application layer (HTTP, HTML)
2) Mail transfer protocol as an example.
3) Dealing with network attacks:
  • Network Address Translation
  • Firewalls
        Protocol stack revisited
        The view shown in the slide is the standard view of the network protocol stack.
        In practice the layers are compressed: the bottom three layers are handled in hardware and
        low-level OS code, and the session and presentation layers have to do with marshalling of
        data. The most interesting layer to an application developer is the topmost layer.

        Common Features
        All the applications in the application layer share certain common features.
        They are request/reply protocols.
        Example: a mail server. The client runs on a local machine.
        We go through a fixed protocol:
      • Client connects to the server
      • Server sends an OK message
      • Client sends required information to server

        HTTP: the protocol consists of a set of queries and is designed to handle a fixed set of messages.
        We also need to settle on a particular data format:
      • The body is ASCII text.
      • Data representation - messages and the data they contain are human readable.
        You can interact with a mail server with telnet (if you know the mail protocol).
        Security - the protocol itself can't encrypt data; you have to wrap it or do encryption at a lower level.
        That is another problem, because the encryption program doesn't know what
        it is encrypting.

      • SMTP
        Data format: RFC822, adopted around 1982.
        MIME - a couple of side protocols/encodings. The mail protocol works with only ASCII text, so anything
        we want to embed must be ASCII. Binary data is encoded using 6-bit ASCII: MIME maps the binary data
        to ASCII characters. More interesting are the MIME commands.
        Each part has some header data - length, type of encoding, etc.
        This lets you abuse the system: a mail arrives with an attachment whose MIME header tells the client how to
        deal with it (invoke a remote service, save a file, etc.).

        RFC822 Headers
        These define the format of the protocol: a bunch of "type: value" lines. The slide shows many of the well-known
        types. There are lots of others that mail clients use, and you can make up your own as well.
        The security lapse lies in the fact that you can set the From line, date, etc. to anything you want.

        Example: three attachments in a mail. The first part is the MIME version and header information. Content-
        type: multipart/mixed means a bunch of sub-MIME attachments. We need to know where each attachment ends, so
        the boundaries are random strings with dashes. The metadata in name=" " could be abused.
        Inline - the actual data lives here. Here we can specify another protocol to figure out the data.

        SMTP security
        No authentication (spam). Authenticated email is complicated. sendmail - the earliest internet worms exploited
        bugs in sendmail (1986, buffer overflow).
        sendmail is responsible for buffering and storing - lots of header and data processing aspects, and
        lots of buffers, most of which are subject to external inputs.
        It is a concurrent program, which makes it more complicated.
        sendmail needs to write into all private directories, so it must have strong privileges (distributed part of the protocol).
        Properties: commonly used, written in C, needs privileges, deals with unverifiable data.

        MIME security
        Less familiar: attachments and inline attachments. You can send a .exe so that the client program (if not very secure) runs the
        program automatically. Other weaknesses - a message can be sent as an external link: give it a name, a site
        and an access type, and the client connects to a remote machine and directory while the contents of the message are empty. This is abused
        by instead giving /etc/passwd or .login as the name - if you save it, it can overwrite an important file. Also, since it points to a
        remote machine, this is unsafe.
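As an added example (not code from the lecture), the following Python uses the standard email library to parse a constructed multipart/mixed message of the kind described above and flag the attachment metadata the notes warn about: a message/external-body part pointing at a remote machine, an executable attachment, and a name= or filename= that is a path such as /etc/passwd. The sample message and the executable suffix list are assumptions for the demo.

```python
import email
import posixpath
from email import policy

# Constructed sample message (not from the lecture): multipart/mixed with three
# parts, two of which carry attachment metadata of the kind discussed above.
SAMPLE = b"""\
From: "Payroll" <payroll@example.org>
To: user@example.net
Date: Thu, 23 Mar 2006 10:00:00 -0500
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz123"

--xyz123
Content-Type: text/plain

Please see attached.
--xyz123
Content-Type: application/octet-stream; name="report.exe"
Content-Disposition: attachment; filename="report.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--xyz123
Content-Type: application/octet-stream; name="/etc/passwd"
Content-Disposition: attachment; filename="../../.login"

--xyz123--
"""

EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".scr")  # assumed list for the demo

def audit_message(raw: bytes) -> list[str]:
    """Return findings about attachment metadata in one RFC822/MIME message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() == "message/external-body":
            findings.append(f"part {idx}: external-body reference to a remote machine")
        names = {part.get_filename(), part.get_param("name")} - {None}
        for name in names:
            # An absolute path or a '..' component means the sender chooses
            # where the file lands if the client saves it under that name.
            if name.startswith("/") or ".." in posixpath.normpath(name).split("/"):
                findings.append(f"part {idx}: path-like attachment name {name!r}")
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(f"part {idx}: executable attachment {name!r}")
    return findings
```

A mail client or gateway filter would quarantine or rename such parts rather than saving them under the sender-supplied name.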

        NATs and Firewalls
        Major defences: put a reference monitor in the network that regulates access control and isolates pieces of the network.
        NAT was originally designed as a way of breaking up the IP address space.
        Both let you filter network traffic.
        Where do you do the filtering? Possible places for spam: on the mail server, or on the client as well (set your own policy).

        Kinds of firewalls
        Personal firewalls - came in when you installed Windows (application firewalls - run locally, for a single machine).
        Filtering firewalls - not as configurable by the user, but able to take into account more information about the application running on
        the machine; they know specific information about the user as well.
        NAT - makes a single IP address stand for a bunch of machines internal to the NAT; to the rest of the world it looks
        like one machine. Violates the global IP rule.
        Proxy based - like a filter-based firewall, but it resides on the router and operates at the application level, reconstructing the TCP/HTTP information
        carried through it. It pretends to be a web server to the client and a web client to the server.

        Originally every host had a unique IP; NAT is a way to get around that problem.
        The NAT is given an IP; the hosts behind it use a completely different address space.
      • used in very small networks
      • works at the IP layer
      • trick - information about ports: the NAT changes the port information

        Network address translation
      • Makes use of a network address translator, which uses a completely different address space
      • It is used in small networks, typically home networks
      • It works at the IP layer
      • It was fundamentally designed to provide the illusion of more addresses than there actually are

      • The NAT maintains a table of the form (Client IP, Client Port, NAT identifier)
      • For outgoing packets, the source IP is replaced with the NAT's IP and the client port is replaced with the NAT's ID. This is done using the fact that you can't authenticate the source address in IP, and it gives extra security
      • For incoming packets, the table is consulted again to replace the corresponding fields

      • It's called a Network Address Translator because it translates addresses inside the network to its own address
        NAT IDs should not accumulate, hence the table entries expire after 2-3 minutes to allow them to be garbage collected

        Benefits of NAT
      • Connections to the outside can only be established from the inside
      • NATs have to be explicitly configured to do port forwarding
      • NATs can simplify network administration by dividing the network into smaller chunks
      • NATs force all traffic to go through one point and hence allow for traffic logging

        Drawbacks of NAT
      • Rewriting IP addresses isn't easy
      • The checksum needs to be recalculated in order to guarantee the integrity of the data, which may cause delay
      • NAT may not work with all protocols
      • NAT provides for only limited filtering of packets

        Note: Most wireless routers are NATs
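An added example (not the lecture's own code) of the translation table described above: each outgoing packet gets a NAT identifier that replaces its source port, incoming packets are rewritten back from the table or dropped when neither an entry nor an explicitly configured port forward exists, and idle entries are garbage collected after a TTL. Packets are plain dicts, and the public address and TTL are constructed placeholders.

```python
import itertools
import time

NAT_PUBLIC_IP = "203.0.113.1"   # constructed address for the NAT's own outside interface
ENTRY_TTL = 180                 # seconds: the "2-3 minutes" after which entries are garbage collected

class Nat:
    """Port-translating NAT keyed on a NAT identifier (the rewritten source port)."""

    def __init__(self, ttl=ENTRY_TTL, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self.table = {}      # nat_id -> (client_ip, client_port, last_seen)
        self.forwards = {}   # explicitly configured port forwards: nat_id -> (client_ip, client_port)
        self.ids = itertools.count(40000)

    def expire(self):
        """Garbage-collect entries that have been idle longer than the TTL."""
        now = self.clock()
        for nat_id in [k for k, (_, _, seen) in self.table.items() if now - seen > self.ttl]:
            del self.table[nat_id]

    def outbound(self, pkt):
        """Rewrite an inside->outside packet, reusing or allocating a table entry."""
        self.expire()
        key = (pkt["src"], pkt["sport"])
        for nat_id, (ip, port, _) in self.table.items():
            if (ip, port) == key:
                break
        else:
            nat_id = next(self.ids)
        self.table[nat_id] = (*key, self.clock())
        return {**pkt, "src": NAT_PUBLIC_IP, "sport": nat_id}

    def inbound(self, pkt):
        """Rewrite an outside->inside packet, or return None to drop it."""
        self.expire()
        nat_id = pkt["dport"]
        if nat_id in self.table:
            ip, port, _ = self.table[nat_id]
            self.table[nat_id] = (ip, port, self.clock())
        elif nat_id in self.forwards:
            ip, port = self.forwards[nat_id]
        else:
            return None   # no mapping: connections cannot be initiated from outside
        return {**pkt, "dst": ip, "dport": port}
```

A real NAT would also recompute the IP and TCP/UDP checksums after each rewrite, which is the delay drawback noted above.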

        A gateway is a router/machine connecting two networks that runs the filtering software.
        Filters protect against bad packets. Both incoming and outgoing packets must be filtered. This protects the inside network from outside access while still providing it with outside services.
        Filtering firewalls use IP information. The firewall can be configured using the source, destination, source port, destination port and flags information from the IP header. Some firewalls keep state about open TCP connections, which allows conditional filtering rules to be applied.
        Note: Firewalls can be subject to denial of service attacks

        A TCP connection is established by means of a three-way handshake, which consists of a SYN packet, a SYN+ACK packet and an ACK packet.
        If you want to break the TCP connection, then any one of the three packets could be dropped.

      • Ports are used to distinguish applications and services on a machine
      • The low-numbered ports are reserved for server listening, while the high-numbered ports are assigned for client requests
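As an added example, not from the lecture, here is a small stateful packet filter in Python tying together the filtering rules and the handshake above: static rules match on direction, destination port and TCP flags, and a table of handshakes opened from inside lets the SYN+ACK and later packets of those connections through while a SYN arriving from outside is dropped, which breaks any handshake the outside tries to start. The Packet and Rule types and the constructed addresses are assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset       # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str         # "in" = arriving from outside, "out" = leaving the inside network

@dataclass
class Rule:
    direction: str
    action: str            # "allow" or "deny"
    dst_port: Optional[int] = None
    flags_required: frozenset = frozenset()

class StatefulFilter:
    """Filtering gateway: static rules on header fields plus TCP handshake tracking."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = {}   # (inside ip, inside port, outside ip, outside port) -> state

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport) if p.direction == "out" else (p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        key = self._key(p)
        state = self.connections.get(key)
        if state is not None:   # part of a connection the inside already opened
            if p.direction == "in" and state == "SYN_SENT" and {"SYN", "ACK"} <= p.flags:
                self.connections[key] = "SYN_RECEIVED"
            elif p.direction == "out" and state == "SYN_RECEIVED" and "ACK" in p.flags:
                self.connections[key] = "ESTABLISHED"
            if p.flags & {"FIN", "RST"}:
                self.connections.pop(key, None)
            return "allow"
        for r in self.rules:    # first matching static rule wins
            if r.direction != p.direction or (r.dst_port is not None and r.dst_port != p.dport):
                continue
            if not r.flags_required <= p.flags:
                continue
            if r.action == "allow" and p.direction == "out" and p.flags == {"SYN"}:
                self.connections[key] = "SYN_SENT"   # remember the inside-initiated handshake
            return r.action
        return "deny"   # default deny: drop anything no rule explicitly allows
```

The connection table is also where the denial of service risk noted above lives: a flood of inside-initiated SYNs that never complete would grow it without bound unless entries time out.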