Authenticating TCP/IP Before Connection Establishment

blackridge.us

10 August 2011


Brief history of communications

60,000 years ago - People started to speak
5,000 years ago - People started to write
600 years ago - People started to publish
43 years ago - The Internet was born


The Internet

In little more than 43 years, the Internet has exploded in size and in the scale of machines attached to it. The number of Web pages is greater than 60 billion.


Connecting the world . . .

In 1995 there were an estimated 16 million "active Internet users". Today there are 2 billion active Internet users.


Internet in 2003


. . . and in 2007


Most people see the Internet as a world of fluffy clouds.

Security professionals know the Internet is a hostile environment.


Reconnaissance: the first step . . .


The first step of a cyber attack . . . .

"The attacker typically fingerprints the remote systems just enough to suspect that the target may be vulnerable. In many cases, the fingerprinting is strongly related to a successful exploitation."
Peter Szor, author of The Art of Computer Virus Research and Defense

Stop the reconnaissance and you'll stop the attack.


Everyone is a target

Any Internet-connected system is regularly probed and tested. Who is probing, and why:
Hacktivism
Denial of Service
Organized crime
Political motives
Script kiddies
Bank account theft
Intellectual property
Foreign intelligence
Spammers
Credit card numbers
Port scans for open services
Automated bots
Infected systems scanning for new targets


TCP/IP 101

TCP: Transmission Control Protocol. Designed in 1973, when the Internet was prohibited from commercial use. Used to share resources using packet switching among nodes. Extensively used by the Internet's most popular applications: WWW, email, FTP, etc.

Two phases: session setup, then data transfer.

TCP packets in a session:
Client -> Server: SYN
Server -> Client: SYN-ACK
Client -> Server: ACK
Client -> Server: DATA
Server -> Client: ACK

Security starts before data transfer begins BUT only AFTER the connection is established. The SYN-ACK goes back to anyone who sends a SYN, so the open port is revealed before any identity check can run.


Leaking Information

What an anonymous connection attempt lets an outsider learn:
Software in use
Host discovery
Firewall auditing
Operating system fingerprinting
Services running
Types of data infiltrated or exfiltrated
Patch status
IP addresses

Port Scanning

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2011-07-1 11:06 EDT
DNS resolution of 1 IPs took 0.01s.
Initiating SYN Stealth Scan against 24.5.19.17 [1679 ports] at 11:06
Discovered open port 443/tcp on 24.5.19.17
Discovered open port 80/tcp on 24.5.19.17
Discovered open port 25/tcp on 24.5.19.17
The SYN Stealth Scan took 21.04s to scan 1679 total ports.
Host 24.5.19.17 appears to be up ... good.
Interesting ports on 24.5.19.17:
Not shown: 1677 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
25/tcp  open  smtp

Nmap finished: 1 IP address (1 host up) scanned in 21.246 seconds
Raw packets sent: 3362 (147.908KB) | Rcvd: 7 (322B)
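The scan above is loud from the defender's side: thousands of bare SYNs from one source, one per port, and almost no completed handshakes (3362 packets out, 7 back). The following detector is an added example, not material from the deck, and the log lines it reads are constructed in a simplified netfilter-style format; the regex, field names and thresholds are assumptions to adapt to a real firewall's output.

```python
"""Spotting a SYN scan from the firewall's side.

Added example, not from the original deck. The log lines are constructed in a
simplified netfilter-style format; adapt LINE_RE to what your firewall emits.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Assumed line format: "<epoch> SRC=a.b.c.d DST=a.b.c.d PROTO=TCP DPT=n FLAGS=SYN[,ACK]"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=TCP DPT=(?P<dpt>\d+) FLAGS=(?P<flags>[A-Z,]+)$"
)


def parse(line: str) -> Optional[dict]:
    """One log line -> event dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": int(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
        "flags": set(m["flags"].split(",")),
    }


def detect_syn_scans(lines: Iterable[str], min_ports: int = 20, window: int = 60) -> Dict[str, int]:
    """Return {source: most distinct destination ports hit with bare SYNs inside any
    `window`-second span} for every source that reaches `min_ports`.

    A bare SYN (no ACK bit) is the first packet of a handshake. A scanner sends one
    per port and rarely finishes the handshake, so many distinct ports from one
    source in a short time is the signal; ordinary clients reuse a few ports."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in map(parse, lines):
        if ev and ev["flags"] == {"SYN"}:      # ignore SYN,ACK replies and non-matching lines
            by_src[ev["src"]].append(ev)

    suspects: Dict[str, int] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):            # sliding window over this source's SYNs
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({e["dpt"] for e in evs[start:end + 1]}))
        if best >= min_ports:
            suspects[src] = best
    return suspects


def constructed_log() -> List[str]:
    """Constructed sample: one ordinary client, one host sweeping 30 ports."""
    base = 1_312_980_000                       # arbitrary epoch seconds
    lines = []
    for i in range(3):                         # client 198.51.100.4 opens three HTTPS connections
        lines.append(f"{base + 20 * i} SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=SYN")
        lines.append(f"{base + 20 * i} SRC=192.0.2.10 DST=198.51.100.4 PROTO=TCP DPT={51000 + i} FLAGS=SYN,ACK")
    for i, port in enumerate(range(20, 50)):   # scanner 203.0.113.9, two ports per second
        lines.append(f"{base + i // 2} SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT={port} FLAGS=SYN")
    return lines


if __name__ == "__main__":
    for src, ports in detect_syn_scans(constructed_log()).items():
        print(f"possible SYN scan from {src}: {ports} distinct ports within 60 s")
```

Counting distinct destination ports rather than raw SYNs keeps a busy but legitimate client (many SYNs to one port) below the threshold, while a sweep like the one on the slide trips it within seconds. The window and port count are starting points, not tuned values.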


Transport Access Control (TAC)

First Packet Authentication


The Goals

Authenticate the first packet of the TCP session establishment phase
Cloak or hide TCP/IP-connected resources from anonymous users
Create machine identification for informed security decisions to enforce IA (information assurance) policy
Make TAC useful to security professionals to protect their enterprises
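To make the contrast between the TCP/IP 101 slide and these goals concrete, the model below is an added illustration written for this page; it is not BlackRidge's TAC implementation, and the deck does not describe TAC's wire format. It assumes the identity token rides in the 32-bit initial sequence number of the SYN as an 8-bit identity index plus a 24-bit truncated HMAC over (identity, destination port, 30-second time slot); the key, identity number and addresses are constructed. A plain TCP server answers every SYN, so a scan reads the port state; the first-packet gateway drops unauthenticated SYNs without any reply, so the same scan sees only "filtered", while a client holding the key is handed to ordinary TCP.

```python
"""Model of first-packet authentication in front of a TCP server.

Added illustration for this deck, not BlackRidge's TAC implementation: where the
identity token rides in the SYN, its layout and the time window are assumptions.
"""
import hashlib
import hmac
import random
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set

SLOT_SECONDS = 30           # assumed: a token is bound to a 30 s slot, so a captured SYN is short-lived
ID_BITS, MAC_BITS = 8, 24   # assumed layout of the 32-bit ISN: identity index + truncated HMAC


@dataclass(frozen=True)
class Syn:
    """The only parts of a first packet this model inspects."""
    src: str
    dst_port: int
    isn: int                # 32-bit initial sequence number chosen by the sender


def _slot(now: float) -> int:
    return int(now) // SLOT_SECONDS


def _token(key: bytes, ident: int, dst_port: int, slot: int) -> int:
    """HMAC over (identity, destination port, time slot), truncated to MAC_BITS."""
    msg = struct.pack(">BHQ", ident, dst_port, slot)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return (ident << MAC_BITS) | int.from_bytes(mac[:MAC_BITS // 8], "big")


def make_token(key: bytes, ident: int, dst_port: int, now: float) -> int:
    """Client side: the ISN to place in the SYN so the gateway can authenticate it."""
    return _token(key, ident, dst_port, _slot(now))


def verify_token(keys: Dict[int, bytes], syn: Syn, now: float) -> bool:
    """Gateway side: look the key up by identity index, accept the current or the
    previous slot to tolerate clock skew, and compare in constant time."""
    ident = syn.isn >> MAC_BITS
    key = keys.get(ident)
    if key is None:
        return False
    got = syn.isn.to_bytes(4, "big")
    for slot in (_slot(now), _slot(now) - 1):
        want = _token(key, ident, syn.dst_port, slot).to_bytes(4, "big")
        if hmac.compare_digest(want, got):
            return True
    return False


def classic_server(open_ports: Set[int], syn: Syn) -> str:
    """Plain TCP: every SYN is answered, and the answer tells the sender the port state."""
    return "SYN-ACK" if syn.dst_port in open_ports else "RST"


def tac_gateway(keys: Dict[int, bytes], open_ports: Set[int], syn: Syn, now: float) -> Optional[str]:
    """First-packet authentication: an unauthenticated SYN is dropped with no reply,
    so the sender cannot tell an open port from a closed one; an authenticated SYN
    is handed to ordinary TCP."""
    if not verify_token(keys, syn, now):
        return None
    return classic_server(open_ports, syn)


def scanner_view(reply: Optional[str]) -> str:
    """How a SYN scanner such as nmap classifies each reply."""
    return {"SYN-ACK": "open", "RST": "closed", None: "filtered"}[reply]


def run_scan(respond: Callable[[Syn], Optional[str]], ports: Iterable[int], seed: int = 1) -> Dict[int, str]:
    """Anonymous SYN scan: one SYN per port with a random ISN and no identity."""
    rng = random.Random(seed)
    return {p: scanner_view(respond(Syn("203.0.113.9", p, rng.getrandbits(32)))) for p in ports}


if __name__ == "__main__":
    keys = {7: b"example-shared-key"}       # constructed identity 7 and its key
    open_ports = {25, 80, 443}
    now = 1_700_000_000.0
    print("classic:", run_scan(lambda s: classic_server(open_ports, s), [23, 25, 80, 443]))
    print("tac    :", run_scan(lambda s: tac_gateway(keys, open_ports, s, now), [23, 25, 80, 443]))
    syn = Syn("198.51.100.4", 80, make_token(keys[7], 7, 80, now))
    print("authenticated client ->", tac_gateway(keys, open_ports, syn, now))
```

Two details carry the security argument. The gateway's reply to a bad token is nothing at all, not a RST: a RST would itself leak that a host is listening. And the token is bound to the destination port and a time slot, so a SYN captured on the wire cannot be replayed against another service or after the window has passed; a real deployment would also need to handle the sequence-number expectations of the TCP stack behind the gateway, which this model leaves out.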


TAC Breakdown

TAC fits in existing security infrastructure. (Diagram; the packet bit strings drawn in the figure are not reproduced.)
Internet facing, within the authentication boundary: Transport Access Control
Existing controls in the path: Firewalls, Intrusion Prevention Systems, Virtual Private Networks
Internally facing, within the authority boundary: Network Resources and Applications


Wrap-up

Internet in its toddler years
TCP/IP does not include security
Anonymous connections allow network reconnaissance
Machine-based identity
Defense in depth
Enforce IA (information assurance) policy at the machine level
No forklift upgrades

There are no silver bullets; security is a process. First Packet Authentication is part of an overall process.


Questions? More information?

Find us online at blackridge.us, or drop us a line at info@blackridge.us

Thank you.
