Although Kerberos solves the problem of connection hijack and impersonation, it adds complexity to the administration of the environment. The system admin must now maintain KDCs to support the network. If the KDCs go down or become unreachable, the users are unable to use the network. If the KDCs are violated, the security of the entire network has been destroyed. Finally, the maintenance of the Kerberos configuration files is somewhat complex and frequently time-consuming. Some Kerberos implementations are unsecure on multiuser systems. From a SATAN standpoint, one might want to identify remote hosts that offer KDC servers and focus attacks on these systems. Imagine if the KDC ran NFS; the hacker could use NFS-based attacks to gain access to that system, permitting the hacker to gain access to all systems that trusted that KDC.

Kerberos is available to U.S. sites from MIT, but a free, precompiled version of the MIT code is available from Cygnus Corporation at http://www.cygnus.com. Other vendors, such as Cybersafe, offer commercial Kerberos implementations.

Note: For detailed information on Kerberos, see Chapter 9.

474 Part II: Gaining Access and Securing the Gateway

Secure Shell (ssh)

SATAN searches for phase one vulnerabilities. Another way of dealing with such vulnerabilities is the recently introduced Secure Shell, or ssh, program. A replacement for rlogin, remsh, and rcp, ssh doesn't require the overhead of Kerberos (users don't have to kinit, and the system administrators do not need to maintain KDCs) and offers higher levels of cryptographic security. In addition, it can be used to improve X Windows security.

ssh protects against IP spoofing, IP source routing, DNS spoofing, corruption of data in a connection, and X authentication attacks.

The latest version of the ssh FAQ is available from http://www.uni-karlsruhe.de/~ig25/ssh-faq/. The program itself is available from ftp://ftp.cs.hut.fi/pub/ssh/.

SSL

Yet another way of dealing with phase one vulnerabilities, the vulnerabilities that SATAN is designed to locate, is SSL. Introduced originally to provide security for Web browsers by encrypting http connections, SSL, or the Secure Socket Library, has gained quite a following over the past year as a vehicle to provide security for general Internet services. A draft RFC describes version 3 of the protocol, enabling anyone to implement daemons, although licensing for the public key technology is still required.

SSL uses public key technology to negotiate a session key and crypto algorithm between a client and server. The public key is stored in an X.509 certificate that bears a digital signature from a trusted third party, such as RSA Corporation.

SSL moves the details of encryption and authentication into the socket library calls, making implementation of Internet programs much easier. The SSL calls directly parallel standard socket library calls. Compared to making a Kerberos server, making an SSL server is vastly simpler.

From a user standpoint, SSL no longer requires the active participation of a KDC, because the digital signature takes place offline. So the network connection is a two-party transaction, rather than a three-party transaction. Both the client and server can be authenticated, although current Netscape client browsers are using only server authentication. The SSL protocol negotiates a crypto algorithm at the beginning of a connection; DES, triple-DES, IDEA, RC4, and RC2, along with md5 hashes, are advertised in common implementations. To meet U.S. export restrictions, SSL implementations shipped out of the U.S. can advertise only RC4-40, which uses 40-bit keys.

Two publicly available implementations of SSL libraries are popular: SSLref and SSLeay. SSLref, a product of Netscape Corporation, is free for non-profit uses and can be licensed for commercial purposes. It requires the RSAref library from RSA Corporation. SSLeay is a public domain version of SSL that includes implementations of the RSA algorithms over which RSA Corporation claims legal ownership in the U.S.

SATAN and the Internet Inferno 475

Multiple versions of telnet, FTP, http, Mosaic, and rdist have been implemented using SSL and are available from the SSLeay archives.

The addresses follow:

SSLref Source: http://www.netscape.com
SSLeay Source: http://www.psy.uq.oz.au/~ftp/Crypto/
RSA Source: http://www.rsa.com
VeriSign: http://www.verisign.com
SSL RFC Draft: ftp://ietf.cnri.reston.va.us/internet-drafts/draft-hickman-netscape-ssl-01.txt

Firewalls

SATAN is primarily intended for remote scanning of systems connected to the Internet. The vast majority of such systems are firewall systems, rather than just standard Unix workstations. A firewall system is one that connects an internal network to the Internet. Every organization should connect to the Web only through carefully maintained firewall systems. By reducing the number of systems directly on the Internet to a limited number that are under the scrutiny of administrators, the level of vulnerability can be minimized. Each of these firewalls should prevent vulnerable services, such as NFS, NIS, or fingerd, from being offered to Internet sites. The DNS configuration on the firewall system should minimize the amount of information available to external users. In general, firewalls should minimize the amount of information leakage from the internal network to external sites.

Modifying a company network to use firewalls is a complex task that requires time and consideration. TIS offers a public domain firewall that includes S/Key support. CERT has a paper on packet filtering that can assist you in configuring a firewall. You can subscribe to a firewalls mailing list by sending subscribe firewalls to majordomo@greatcircle.com. The bibliography lists several references on the topic. Other papers on the topic are available via the COAST and CERT archives.

One impact on users of implementing a firewall is access to the external Internet. Some firewalls permit telnet or FTP connections to cross the firewall by requiring an additional password for the firewall; some use S/Key; and some use SecurID smart cards. Other firewalls use socks proxy servers that require the client services to be modified.

The importance of properly configuring a firewall, applying patches in a timely manner, and limiting the amount of services available to Internet users cannot be overestimated. If SATAN is used by a hacker against your organization, SATAN will be used to scan the firewall systems.

The addresses follow:

TIS firewall: ftp://ftp.tis.com/pub/firewalls/toolkit
CERT packet filtering paper: ftp://ftp.cert.org/pub/tech_tips/packet_filtering
S/Key source: ftp://thumper.bellcore.com/pub/nmh/skey

Note: For more information on firewalls, see Chapter 7.

socks

socks is an IP encapsulation technique that permits TCP connections to use a proxy server to complete a connection. It permits users to conveniently use Internet services across a gateway without being aware that a gateway is being crossed
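
The firewall guidance above (do not offer NFS, NIS, or fingerd to Internet sites) can be checked on the firewall host itself. The following is an added example, not code from the book: it parses an inetd.conf file and `rpcinfo -p` output and reports the services the text names. The function names are illustrative and both inputs are constructed samples.

```python
import re

# Services the text says a firewall must not offer (standard Sun RPC numbers).
RISKY_INETD = {"finger": "fingerd"}
RISKY_RPC = {100003: "NFS (nfsd)", 100005: "NFS (mountd)",
             100004: "NIS (ypserv)", 100007: "NIS (ypbind)"}

def audit_inetd(conf_text):
    """Return findings for enabled inetd.conf entries that start risky daemons."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # commented-out entries are disabled
        fields = line.split()
        if len(fields) < 6:  # service type proto wait user path [args]
            continue
        if fields[0] in RISKY_INETD:
            findings.append(
                f"inetd.conf:{lineno}: {RISKY_INETD[fields[0]]} enabled on {fields[2]}")
    return findings

def audit_rpcinfo(rpcinfo_text):
    """Return findings for risky RPC programs in `rpcinfo -p` style output."""
    seen = {}
    for line in rpcinfo_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)", line)
        if not m:  # header or malformed line
            continue
        prog, port = int(m.group(1)), int(m.group(4))
        if prog in RISKY_RPC:
            seen.setdefault((prog, port), set()).add(m.group(3))
    return [f"rpc: {RISKY_RPC[p]} registered on port {port} ({'/'.join(sorted(t))})"
            for (p, port), t in sorted(seen.items())]

# Constructed sample inputs for illustration only.
SAMPLE_INETD = """\
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd -l
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
"""
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100003    2   udp   2049  nfs
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd
    100004    2   udp    834  ypserv
"""

if __name__ == "__main__":
    for finding in audit_inetd(SAMPLE_INETD) + audit_rpcinfo(SAMPLE_RPCINFO):
        print(finding)
```

An empty result from both functions means none of the named services is enabled through inetd or registered with the portmapper; it does not replace an external scan of the firewall's Internet-facing interface.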