CIS 551 / TCOM 401
SMTP, NATs, and Firewalls
Scribed by Varun Sarin and Reetika Jain
Last week- TCP/ UDP and denial of service attacks.
1) TCP/UDP are one below the application layer (HTTP, HTML)
2) Mail Transfer Protocol as example.
3) Dealing with network attacks:
Network Address Translation
Protocol stack revisited
The view shown in the slide is the standard view of the network protocol stack.
In actuality, they are compressed. Last 3 layers are handled in hardware and
low level OS code. Session and Presentation has to do with marshalling of
data. Most interesting layer to an application developer is the topmost layer.
All the applications in the application layer share certain common features.
They are request/reply protocols.
Example: Mail server: The client is present on a local machine.
We go through a certain protocol:
Client connects to the server
Server sends an OK message
Client sends required information to server
HTTP: Protocol consists of a set of queries.
Designed to handle fixed set of messages.
We need to come up with a particular data format.
The body is ASCII text.
Data representation - Messages and data they contain are human readable.
Can interact with mail server with telnet (if you know the mail protocol)
Security - can't really encrypt data. Have to wrap it or do encryption at a lower level.
That is another problem because the encryption program doesnt really doesn't know what
it is encrypting.
Data format RFC822. Adopted around 1982.
MIME - Couple of side protocols/encoding. Mail protocol works with only ASCII text. If we
want to embed something - must be ASCII. They use 6 bit ASCII. Some type of binary data.
MIME maps the binary data to ASCII characters. More interesting are MIME commands.
Has some header data - length, type of encoding etc.
It lets you abuse the system. Gets a mail with attachment - has a header - with MIME how to
deal with it (remote service, save a file etc.)
Tells the format of the protocol. Bunch of "type: value".The slide shows many of the well known
types. Lots of others that mail clients use and you can make your own values as well.
Security lapse lies in the fact that you can set the FROM line, date etc. to anything you want.
3 attachments in mail. Information about MIME version, header information is the first part. Content-
type: multipart/mixed- Bunch of sub-MIME attachments. Need to know where attachments end - random
strings with dashes. Metadata that could be abused in name= " ".
Inline- actual data lives here. Here we can specify another protocol to figure out data.
No authentication (spam). Authenticated email - complicated. sendmail - earliest internet worms - exploited
bugs in sendmail (1986, buffer overflow).
sendmail - responsible for buffering , storing - lots of header, data processing aspects
lots of buffers - most of which are subject to external inputs.
Concurrent program - makes it more complicated
sendmail - needs to write into all private directories, must have strong privileges (distributed part of protocol).
properties - Commonly used, written in C, needs privileges, deals with unverifiable data.
Less familiar, attachment - inline attachments. can send .exe so client program (if not very secure) runs the
program automatically. Other weaknesses - send message as external link - give it a name and satisfy a site
and access type and connect to a remote machine on directory and contents of the message is empty. Abused
by - instead give /etc/passwd or .login - if you save it - can overwrite an important file. Also since it points to a
remote machine - this is unsafe.
NATs and Firewalls
Major defences - put reference monitor in network that regulate access control. isolate pieces of the network.
NAT - orginally designed as a way of breaking up IP address space.
both let you filter network technologies.
Where do you do the filtering? possible places - spam - on the mail server, client as well (set your own policy)
Kinds of firewalls
personal firewalls - came in when you installed windows. (application firewalls - run locally - for a single machine)
filtering firewalls - not as configurable by the user, able to take in account more information about application running on
the machine. know specific information about the user as well.
NAT - it makes a single IP address stand for a bunch of machines internally to the NAT and to the rest of the world it looks
like one machine. Violates the global IP rule.
proxy based - like a filter based firewall but it resides on the router. Operates at application level. reconstruct TCP/HTTP information
that is carried through them. Pretends to be a web server and web client.
every host has a unique IP (originally) to get around that problem.
NAT - gives it an IP. behind it uses a completely different address space.
used in very small networks
works at IP layer
trick - information about ports. changes port information
Network address translation
Makes use of a network address translator, which uses a completely different address space
It is used in small networks, typically home networks
It works at the IP layer
It was fundamentally designed to provide illusion of more addresses then there actually are
NAT maintains a table of the form Client IP, Client Port, NAT identifier
For outgoing packets, the source IP is replaced with NATís IP and Client port is replaced with NATís ID. This is done using the fact that you canít authenticate source address in IP to get extra security
For incoming packets, the table is referred again for replacing certain information
Itís called a Network Address Translator cause it translates addresses inside the network to its own address
NAT IDís should not be collected hence the table entries expire after 2-3 minutes to allow them to be garbage collected
Benefits of NAT
Connections to the outside can only be established from the inside
NATís have to be explicitly configured to do port forwarding
NATís can simplify network administration by dividing the network into smaller chunks
NATís force all traffic to go through one point and hence allows for traffic logging
Drawbacks of NAT
Rewriting IP addresses isnít easy
Checksum needs to be recalculated in order to guarantee integrity of data, which may cause delay
NAT may not work with all protocols
NAT provides for limited filtering of packets
Note : Most wireless routers are NATís
Gateway is a router/machine connecting two networks that runs the filtering software
Filters protect against bad packets. Both incoming and outgoing packets must be filtered
Provides protection to the inside network from outside access while providing them outside services
Filtering firewalls use IP information. The firewall can be configured using the source, destination, source port, destination port and flags information from the IP header. Some firewalls keep state about open TCP connections which allows for conditional filtering rules to be applied.
Note : Firewalls can be subject to Denial of Service attacks
A TCP connection is established by means of a Three-way handshake, which includes a SYN packet, SYN+ACK packet and an ACK packet
If you want to break the TCP connection then any one of the three packets could be dropped
Ports are used distinguish applications and services on a machine
The low numbered ports are reserved for server listening while the high numbered ports are assigned for client requests