Internet File Systems

AFS — Andrew File System or AFS is a networked file system with similar functionality to NFS. This file system is newer in design and can interoperate (to some degree) with NFS file systems. Unlike NFS, the AFS designers placed security in the protocol and incorporated the Kerberos authentication system into the file protocol.

NFS — Network File System or NFS is a Remote Procedure Call (RPC) based facility. The NFS service itself listens on port 2049 (TCP and UDP), but a client normally first asks the RPC portmapper (port 111) where the mount daemon is listening, and that port is assigned dynamically, so NFS cannot be filtered by port 2049 alone. This facility allows NFS-capable clients to mount a file system on an NFS server located on the network. Once the NFS file system has been mounted it is treated like a local file system.

If an internal system exports a file system to external systems, then the file system is available to a hacker across the network. Even if the file system is exported only to a select set of clients, the server identifies those clients by IP address alone and, with the usual AUTH_UNIX credentials, simply trusts the user and group IDs the client claims, so a hacker can spoof one of the permitted clients. It may also be possible for a hacker to hijack an existing NFS session, since file handles travel in the clear and remain valid after the client that obtained them is gone. NFS should never be allowed across a firewall to an external network such as the Internet.

FTP — File Transfer Protocol or FTP allows a user to transfer text or binary files between two networked computers. The control connection uses port 21; in the original (active) mode the server then opens a separate data connection from port 20 back to the client. The ftp protocol uses a client-server structure with a client program opening a session on a server. There are many "anonymous ftp servers" located across the Internet.

An anonymous server allows anyone to log on and retrieve information without any user identification and authentication (the user gives the username "anonymous" or "ftp"). If an anonymous ftp server allows world writable areas then the server could be used to distribute malicious or illegal software.

A server could also be the source of computer viruses, trojan horses or other malicious software. CERT provides a document on setting up an anonymous ftp server which is available via anonymous ftp from:

ftp://info.cert.org/pub/tech_tips/anonymous_ftp

This document describes the procedures of configuring an anonymous server, with restricted access.

The procedures for restricting access to incoming files are also provided. Even with those restrictions in place a hacker can still deposit corrupt, malicious, or illegal software on the server; what the restrictions ensure is that the upload cannot be retrieved by anyone else until the server administrator has reviewed it and moved it into the archive of retrievable software.
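The drop-box arrangement the CERT tech tip describes can be checked rather than taken on trust. The following is an added example, not part of the original page or of the CERT document: it builds a small anonymous-FTP tree under a temporary directory and audits it for the two mistakes the text warns about, a world-writable area that is also world-readable (a ready-made distribution point) and a writable area without the sticky bit (other anonymous users can rename or delete each other's uploads). The directory names, modes (pub 0555, incoming 01733) and the sample upload are constructed for the example; the audit function and its finding strings are mine, not the tech tip's.

```python
import os
import shutil
import stat
import tempfile

# Assumed layout (not taken from the page): public areas are read-only, and
# the incoming area is writable but neither readable nor listable, so nothing
# uploaded can be fetched by other anonymous users before review.
SAFE_LAYOUT = {
    "pub": 0o555,        # dr-xr-xr-x  retrievable archive
    "incoming": 0o1733,  # drwx-wx-wt  drop box: create yes, list/read no, sticky
}


def build_tree(root, incoming_mode=0o1733):
    """Create the tree; incoming_mode is a parameter so the audit can be
    shown catching a misconfigured drop box."""
    for name, mode in SAFE_LAYOUT.items():
        path = os.path.join(root, name)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, incoming_mode if name == "incoming" else mode)
    # a file an anonymous client has already uploaded (constructed sample)
    upload = os.path.join(root, "incoming", "tool.zip")
    with open(upload, "wb") as fh:
        fh.write(b"PK\x03\x04 constructed sample upload")
    os.chmod(upload, 0o600)


def audit_tree(root):
    """Return findings for the permission mistakes the text warns about."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            world_w = bool(mode & stat.S_IWOTH)
            world_r = bool(mode & stat.S_IROTH)
            if world_w and world_r:
                findings.append(f"{rel}: world-writable and world-readable, "
                                "usable as a distribution point")
            elif world_w and not mode & stat.S_ISVTX:
                findings.append(f"{rel}: world-writable without the sticky bit, "
                                "uploads can be renamed or deleted by others")
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append(f"{rel}: world-writable file")
            elif mode & stat.S_IROTH and os.path.dirname(rel) == "incoming":
                findings.append(f"{rel}: upload is world-readable before review")
    return sorted(findings)


def demo():
    """Audit a correct tree and two common misconfigurations of incoming."""
    results = {}
    for label, mode in [("safe", 0o1733), ("listable", 0o1777), ("no_sticky", 0o733)]:
        root = tempfile.mkdtemp(prefix="anonftp-")
        try:
            build_tree(root, incoming_mode=mode)
            results[label] = audit_tree(root)
        finally:
            shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "OK")
```

The audit looks only at permission bits, which is what a remote anonymous user is limited by; it does not check that incoming is owned by root rather than by the ftp account, which the tech tip also calls for, because the ftp account can be named anything on a given site.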

GOPHER - Gopher is a client-server system designed to locate and retrieve files or information from servers, "gopher holes", across the Internet. When a user initiates a connection to a Gopher server, the user is presented with a menu of data topics to choose from.

When a user selects a topic, Gopher returns access information and a data type description. The access information tells the client program what IP address, port and filename to access. The data type description informs the client program how to interpret the raw information that is being retrieved.

The data types include text and graphic files, script programs and binary executable files. If software is retrieved and executed automatically without user intervention then malicious code (e.g. viruses or trojan horses) could be obtained and executed without prior screening.

Therefore, software should not be executed until it has been screened by a virus checker. For those trivia hounds, it was originally developed at a U.S. university whose mascot was a gopher…
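What the "access information" and "data type description" look like on the wire is worth seeing concretely. The following is an added example, not code from the original page or from any Gopher implementation: it parses a Gopher menu in the RFC 1436 line format (one-character item type, display string, selector, host and port separated by tabs, the menu ended by a lone "."), and then reviews the items for the two things the text says a client should not do blindly, namely execute binary content and follow access information to a host other than the one that served the menu. The menu bytes, host names and the review rules are constructed for the example.

```python
# Item types from RFC 1436, plus the later but common "i", "h" and "I" types
ITEM_TYPES = {
    "0": "text file", "1": "menu", "2": "CSO phone book", "3": "error",
    "4": "BinHex (Macintosh) file", "5": "DOS binary archive",
    "6": "uuencoded file", "7": "full-text search", "8": "telnet session",
    "9": "binary file", "g": "GIF image", "I": "image file",
    "h": "HTML file", "i": "informational line", "T": "tn3270 session",
}
BINARY_TYPES = {"4", "5", "6", "9"}   # may be executables: save and scan
INTERACTIVE_TYPES = {"8", "T"}        # make the client open a login session

# Constructed sample, as a server on gopher.example.edu might answer an
# empty selector.  Lines end in CRLF; the menu ends with a lone ".".
SAMPLE_MENU = (
    b"iWelcome to the example archive\t\terror.host\t1\r\n"
    b"0About this server\t0/about.txt\tgopher.example.edu\t70\r\n"
    b"1Software\t1/software\tgopher.example.edu\t70\r\n"
    b"9Network tools (binary)\t9/software/nettools.tar\tgopher.example.edu\t70\r\n"
    b"5PC utility\t5/pc/util.zip\tmirror.example.net\t70\r\n"
    b"8Library catalog\t\tcatalog.example.edu\t23\r\n"
    b".\r\n"
)


def parse_gopher_menu(raw):
    """Split a menu into items: type, display string, selector, host, port."""
    items = []
    for line in raw.decode("latin-1").split("\r\n"):
        if line == ".":            # end of menu
            break
        if not line:
            continue
        fields = line[1:].split("\t")
        if len(fields) < 4:
            raise ValueError(f"malformed menu line: {line!r}")
        display, selector, host, port = fields[:4]
        items.append({
            "type": line[0],
            "kind": ITEM_TYPES.get(line[0], "unknown type"),
            "display": display,
            "selector": selector,   # what the client will send to host:port
            "host": host,
            "port": int(port),
        })
    return items


def review_menu(items, menu_host):
    """Flag items a client must not act on without user confirmation."""
    flags = []
    for item in items:
        where = f"{item['host']}:{item['port']}"
        if item["type"] in BINARY_TYPES:
            flags.append((item["display"],
                          "binary/executable content: save and scan, never run automatically"))
        if item["type"] in INTERACTIVE_TYPES:
            flags.append((item["display"], f"opens an interactive session to {where}"))
        # "i" lines carry a dummy host/port by convention, so they are skipped
        if item["type"] != "i" and item["host"].lower() != menu_host.lower():
            flags.append((item["display"], f"refers the client to a different host ({where})"))
    return flags


if __name__ == "__main__":
    menu = parse_gopher_menu(SAMPLE_MENU)
    for display, reason in review_menu(menu, "gopher.example.edu"):
        print(f"{display!r}: {reason}")
```

Note that the redirection to another host is not in itself an attack; Gopher menus legitimately point at other servers. The point of flagging it is that a menu on a trusted server can send the client to an untrusted one, and the item type, not the server's reputation, decides how the client will treat what comes back.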

ICMP — Internet Control Message Protocol carries error and diagnostic messages about the delivery of IP packets, including routing and host status information. An ICMP redirect packet is used by a router to tell a host about a "new and improved" first-hop route to a destination. Redirects can be forged: a false route inserted this way sends the victim's traffic through a system of the attacker's choosing, giving the attacker an on-path position from which to read, alter or spoof the victim's traffic.

Another common ICMP packet is known as the ICMP unreachable message. These packets indicate problems with a route to a destination address. A false ICMP unreachable message could be used to deny access to another network or host.

If this type of vulnerability is of concern to your organization then the routing server or firewall can be configured to ignore ICMP unreachable messages. The drawback of this configuration is that if the message is genuine and a host really is unreachable, the sender will not learn that: instead of failing promptly, its connection attempts will simply time out, and users will be denied access without being told why.

Ping is a common ICMP based service. Ping sends an ICMP echo request to a given destination which in effect says "Are you alive?" The destination answers with an echo reply, or a router in the path may instead return an ICMP unreachable message.

Ping also has an ugly and sordid history in network attacks and infiltrations: echo requests have been used to sweep a network for live hosts, to flood a target, and to smuggle data in and out inside the packet payload. ICMP should be filtered at network boundaries, but selectively rather than wholesale: drop redirects and inbound echo requests, but allow the messages IP itself depends on, in particular "fragmentation needed" (type 3, code 4), without which path MTU discovery breaks and large transfers stall.
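The checks a host should apply before believing a redirect or an unreachable message are concrete enough to show in code. The following is an added example, not part of the original page and not any operating system's implementation: it builds ICMP error messages as raw IPv4 packets (constructed for the example, with documentation-range addresses), parses them, and applies the acceptance rules RFC 1122 gives for redirects (the message must come from the current first-hop gateway, the new gateway must be on the local network, and the quoted datagram must be one this host actually sent) and the matching check for unreachables. The HostState class, its flow table and the verdict strings are my own construction.

```python
import ipaddress
import struct

ICMP_UNREACHABLE, ICMP_REDIRECT = 3, 5


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; 0 when run over a correct message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def udp_packet(src, dst, sport, dport, data=b"constructed"):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ipv4_header(src, dst, 17, len(udp)) + udp


def icmp_error(src, dst, itype, code, second_word, offending):
    """Types 3 and 5 share one layout: type, code, checksum, a second 32-bit
    word (gateway address for a redirect, zero for an unreachable), then the
    offending datagram's IP header plus its first 8 bytes."""
    body = struct.pack("!BBH", itype, code, 0) + second_word + offending[:28]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(src, dst, 1, len(body)) + body


def parse_icmp_error(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not ICMP")
    icmp = pkt[ihl:]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    quoted = icmp[8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])  # TCP and UDP alike
    return {"src": ipaddress.IPv4Address(pkt[12:16]), "type": icmp[0], "code": icmp[1],
            "gateway": ipaddress.IPv4Address(icmp[4:8]) if icmp[0] == ICMP_REDIRECT else None,
            "q_src": ipaddress.IPv4Address(quoted[12:16]),
            "q_dst": ipaddress.IPv4Address(quoted[16:20]),
            "q_proto": quoted[9], "q_sport": sport, "q_dport": dport}


class HostState:
    """What a host needs to judge an ICMP error: its address and network,
    its current first-hop gateway, and the datagrams it has sent."""

    def __init__(self, addr, prefixlen, gateway):
        self.addr = ipaddress.IPv4Address(addr)
        self.net = ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)
        self.gateway = ipaddress.IPv4Address(gateway)
        self.flows = set()   # (proto, dst, sport, dport) of datagrams we sent

    def note_sent(self, pkt):
        ihl = (pkt[0] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        self.flows.add((pkt[9], ipaddress.IPv4Address(pkt[16:20]), sport, dport))

    def judge(self, pkt):
        e = parse_icmp_error(pkt)
        if e["q_src"] != self.addr:
            return "drop: quoted datagram was not sent by this host"
        if (e["q_proto"], e["q_dst"], e["q_sport"], e["q_dport"]) not in self.flows:
            return "drop: quoted datagram matches no flow we sent"
        if e["type"] == ICMP_REDIRECT:
            if e["src"] != self.gateway:
                return "drop: redirect not from the current first-hop gateway"
            if e["gateway"] not in self.net:
                return "drop: new gateway is not on the local network"
            return f"accept: route {e['q_dst']} via {e['gateway']}"
        if e["type"] == ICMP_UNREACHABLE:
            return f"accept: {e['q_dst']} unreachable (code {e['code']})"
        return "ignore: not an error message"


def demo():
    host = HostState("192.0.2.10", 24, "192.0.2.1")
    sent = udp_packet("192.0.2.10", "198.51.100.5", 40000, 53)   # a DNS query we sent
    host.note_sent(sent)
    gw = lambda a: ipaddress.IPv4Address(a).packed
    zero = b"\x00" * 4
    cases = {
        "genuine redirect": icmp_error("192.0.2.1", "192.0.2.10", ICMP_REDIRECT, 1, gw("192.0.2.2"), sent),
        "redirect to off-link gateway": icmp_error("192.0.2.1", "192.0.2.10", ICMP_REDIRECT, 1, gw("203.0.113.7"), sent),
        "redirect from non-gateway": icmp_error("192.0.2.99", "192.0.2.10", ICMP_REDIRECT, 1, gw("192.0.2.99"), sent),
        "unreachable for unknown flow": icmp_error("198.51.100.1", "192.0.2.10", ICMP_UNREACHABLE, 1, zero,
                                                   udp_packet("192.0.2.10", "198.51.100.5", 40001, 80)),
        "genuine unreachable": icmp_error("198.51.100.1", "192.0.2.10", ICMP_UNREACHABLE, 1, zero, sent),
    }
    return {name: host.judge(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

The limit of these checks is the one the text is pointing at: an attacker on the same network segment can spoof the gateway's source address and name itself as the new gateway, and every rule above is satisfied. That is why routers and firewalls should not act on redirects at all, and why hosts are better configured to ignore them outright (on Linux, `net.ipv4.conf.all.accept_redirects=0`).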

LPD — Line Printer Daemon allows networked computers to access printing services on another computer. If lpd requests (destined for port 515) from external sources are accepted by an internal print server, a hacker could deny printing services to internal users by monopolizing the printer.

This can be limited by applying quotas, such as limiting the amount of time the printer can be used, the time of day it can be used, and so on. It can be prevented outright by denying external network access to the printer.

NNTP — Network News Transfer Protocol is an application level protocol which is used to distribute news groups. This protocol provides an unauthenticated and unsecured transfer service. The information passed between computers using this protocol is not encrypted and can be read by anyone with a network monitoring device located in the information pathway.

Since there is no authentication, neither the integrity nor the source of the information can be guaranteed. To obtain integrity or confidentiality, a higher-level security protocol must be applied to the news messages themselves. One example of this type of security service is PEM (Privacy Enhanced Mail).

NEWS READERS - Network news readers are applications which give the user access to NNTP. The news readers usually do not require privileges to run and therefore can only access files owned by the user running the news reader. One concern with these applications is that they do not control the flow of information: an organization cannot control the content of the messages, and the news reader will not screen them.

NIS — Network Information Services was originally developed and known as "yp or yellow pages". The NIS protocol acts in a client server type of fashion where the server provides user and host information to a client. The NIS system provides a central password and host file system for networks of computers.

It is possible for a hacker to make an NIS client bind to another NIS server (a client accepts whichever server answers its broadcast, or whatever server the ypset command names) and so to feed it a fabricated password map that authenticates the hacker's logins. If this was successful then a hacker could gain unauthorized access to the client computer. A hacker can also use the NIS protocol to gain information about the network configuration, including host and usernames; anyone who learns the NIS domain name can request the entire passwd map from the server, password hashes included.

The more information that a hacker has available, the easier it is to break into a system. NIS should never be allowed across a firewall to an external network such as the Internet.

RPC — Remote Procedure Call is similar to a procedure call in the C programming language. The difference is that the call names a remote host and an RPC program number; the portmapper on that host (port 111) translates the program number into the port on which the service is currently listening. The procedure is called from one computer and is executed on another computer across the network.

The network file system (NFS) works in this manner. These procedure calls and ports can be used by a hacker to obtain unauthorized access to resources and information on a system. RPC calls should be filtered and not allowed across network boundaries.

The unfortunate thing about RPCs is that some programs, such as certain 32-bit Windows applications, require RPC to operate. Because RPC services are assigned their ports dynamically, a large range of ports must be opened to support them, and that flexibility is exactly what causes the serious security problems: a simple port filter cannot admit one RPC service without admitting the others.

R-UTILS (RLOGIN, RCP, RSH) — These utilities came with the original Berkeley version of UNIX. They allow a "trusted" user from a known host to log in or execute commands on another network computer. No password is asked for: trust rests on the client's source address and the username it claims, as listed in /etc/hosts.equiv or in a user's ~/.rhosts file.

If a hacker were to spoof one of the trusted hosts, then unauthorized access is possible. These utilities should never be allowed across a firewall to the Internet.

SNMP — Simple Network Management Protocol allows a network administrator to manage network resources from a remote node (UDP ports 161 and 162). This protocol should never be allowed through a firewall connected to the Internet. In SNMPv1 and v2c the only credential is a community string sent in the clear, frequently left at the default "public" or "private", so a hacker would have the ability to remotely read and change the configuration of network systems, including the access lists and routing on which the internal network's security policy depends.

TELNET — Telnet is an application which allows a user to log in to a remote computer. Telnet transmits all data between computers in an unencrypted fashion (including the username and password pair). A hacker located on the routing path could monitor all information transferred and pick up sensitive data or the username-password that was used.

As well, an ambitious hacker could possibly hijack an existing telnet session. If a hacker gained access to a telnet session then all system resources available to the authorized user would be compromised. The solution is to replace telnet with an encrypted and authenticated login protocol such as SSH, or at least to run telnet inside an encrypted channel.

Telnet is also used as the connection method for most network infrastructure devices such as routers, bridges and lower-level hardware such as CSU/DSU facilities on leased lines and frame relay connections. It has great potential to allow a hacker access to a great deal of very sensitive hardware that can cripple a network if compromised.
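How little an on-path observer has to do to recover a telnet login is easy to demonstrate. The following is an added example, not part of the original page: given a constructed capture of both directions of a telnet session (option negotiation mixed with text, as a sniffer would see it), it strips the telnet command sequences (IAC WILL/WONT/DO/DONT, IAC SB ... IAC SE, and the IAC IAC escape) and pairs the server's prompts with the client's keystroke lines. The host name, user name and password in the capture are made up; the functions are mine and would serve equally as the core of a monitor that alerts on cleartext credentials crossing a network boundary.

```python
import re

IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254

# Constructed capture of one login, both directions.
SERVER_TO_CLIENT = (
    b"\xff\xfd\x18"                  # IAC DO TERMINAL-TYPE
    b"\xff\xfb\x01\xff\xfb\x03"      # IAC WILL ECHO, IAC WILL SUPPRESS-GO-AHEAD
    b"\r\nhost1 login: "
    b"alice\r\n"                     # the server echoes the username...
    b"Password: "                    # ...but not the password
    b"\r\nWelcome to host1\r\nhost1$ "
)
CLIENT_TO_SERVER = (
    b"\xff\xfb\x18"                  # IAC WILL TERMINAL-TYPE
    b"\xff\xfa\x18\x00VT100\xff\xf0"  # IAC SB TERMINAL-TYPE IS "VT100" IAC SE
    b"\xff\xfd\x01\xff\xfd\x03"      # IAC DO ECHO, IAC DO SUPPRESS-GO-AHEAD
    b"alice\r\n"
    b"s3cret!\r\x00"                 # some clients send Enter as CR NUL
)


def strip_telnet(stream):
    """Remove telnet command sequences, leaving only text and keystrokes."""
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break                       # truncated command at end of capture
        cmd = stream[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped 0xff data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):   # three-byte option negotiation
            i += 3
        elif cmd == SB:                 # sub-negotiation runs up to IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            i = end + 2
        else:                           # two-byte command (NOP, AYT, ...)
            i += 2
    return bytes(out)


def keystroke_lines(client_stream):
    """Client text split at Enter, whether sent as CR LF, CR NUL or bare CR."""
    text = strip_telnet(client_stream)
    for eol in (b"\r\n", b"\r\x00", b"\r"):
        text = text.replace(eol, b"\n")
    return [line.decode("latin-1") for line in text.split(b"\n") if line]


def extract_credentials(server_stream, client_stream):
    """Pair each login/password prompt from the server with the client's
    next typed line; the password never appears in the server direction."""
    server_text = strip_telnet(server_stream).decode("latin-1")
    prompts = re.findall(r"(login|Password): ", server_text)
    return dict(zip(prompts, keystroke_lines(client_stream)))


if __name__ == "__main__":
    print(extract_credentials(SERVER_TO_CLIENT, CLIENT_TO_SERVER))
```

The pairing by order is deliberately simple; a real monitor would key on timing or TCP sequence numbers to match prompts to answers across retries and failed attempts. Nothing about the recovery depends on the session being interactive: a telnet login to a router's console port is exposed the same way.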

TFTP — Trivial File Transfer Protocol is mainly used for remotely booting another networked computer and operates on UDP port 69. A computer can initiate a tftp session to a boot server and transfer the system boot information it requires to start up. TFTP has no authentication at all: any file the server can read is available to any client that asks for it by name. This protocol should be disabled if not required and should never be allowed across a firewall to the Internet.

TFTP can also be used to transfer and deposit information to a networked computer. An attacker could use this protocol to grab sensitive data or password files, or to deposit compromised system files. Where TFTP is needed at all, run the daemon confined to a single boot directory (most tftpd implementations have a "secure" option that changes root to that directory), refuse writes, and keep nothing but boot images and configuration files there.

TFTP is also the most common protocol used to download bootstrap kernel software for diskless systems such as routers. Compromise of TFTP host systems on a network can cause a great deal of security problems for a customer network.
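The confinement a TFTP server has to enforce is small enough to show in full. The following is an added example, not part of the original page and not the code of any tftpd: it decodes read and write requests in the RFC 1350 layout (two-byte opcode, filename, NUL, transfer mode, NUL), refuses writes, and confines the requested name to an assumed boot directory (/tftpboot, a common convention but my assumption here) so that a request for ../../etc/passwd or /etc/passwd is rejected instead of served. The sample requests are constructed for the example.

```python
import posixpath
import struct

RRQ, WRQ = 1, 2
TFTP_ROOT = "/tftpboot"   # assumed boot directory, not taken from the page


def build_request(opcode, filename, mode="octet"):
    """Encode a request as RFC 1350 lays it out: opcode, filename, NUL, mode, NUL."""
    return (struct.pack("!H", opcode) + filename.encode("latin-1") + b"\x00"
            + mode.encode("latin-1") + b"\x00")


def parse_request(pkt):
    if len(pkt) < 4:
        raise ValueError("short packet")
    opcode, = struct.unpack("!H", pkt[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError(f"opcode {opcode} is not a request")
    fields = pkt[2:].split(b"\x00")
    # a well-formed request ends in NUL, so the last split element is empty
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("unterminated filename or mode")
    return {"op": "RRQ" if opcode == RRQ else "WRQ",
            "filename": fields[0].decode("latin-1"),
            "mode": fields[1].decode("latin-1").lower()}


def authorize(req, root=TFTP_ROOT, allow_write=False):
    """Return (allowed, path_or_reason) after confining the name to root."""
    if req["op"] == "WRQ" and not allow_write:
        return False, "writes are disabled"
    if req["mode"] not in ("octet", "netascii"):
        return False, f"unsupported mode {req['mode']!r}"
    name = req["filename"].replace("\\", "/")   # treat DOS separators alike
    if not name or name.startswith("/"):
        return False, "absolute or empty filename"
    if any(part in ("..", "") for part in name.split("/")):
        return False, "path traversal or empty component"
    full = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, full]) != root:   # belt and braces
        return False, "resolved outside the boot directory"
    return True, full


def demo():
    """Decide five constructed requests, one legitimate and four not."""
    requests = [
        build_request(RRQ, "router1.cfg"),
        build_request(RRQ, "../../etc/passwd"),
        build_request(RRQ, "/etc/passwd"),
        build_request(WRQ, "router1.cfg"),
        build_request(RRQ, "images/ios.bin", "MAIL"),
    ]
    return [authorize(parse_request(pkt)) for pkt in requests]


if __name__ == "__main__":
    for allowed, detail in demo():
        print("serve" if allowed else "refuse", detail)
```

The string checks are the policy; the real protection on a production server is the chroot that a "secure mode" tftpd performs, so that even a bug in name handling cannot reach outside the boot directory. Both belong in place, because symbolic links inside the boot directory are not caught by name checks alone.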

MOTIF — Motif is a graphical environment developed by the Open Software Foundation (OSF) as a front end for the X11 X-windows interface. The vulnerabilities of the X-Windows system are described later.

OPENWINDOWS — Openwindows is a graphical environment developed by Sun for its SunOS and Solaris operating systems. This system is now publicly available within other versions of the UNIX operating system. This graphical environment is similar to the Xwindows system, however, it connects to port number 2000.

WINSOCK — Winsock is a Microsoft Windows dynamic link library providing TCP/IP port services to windows applications. These services allow users to run many Internet tools, such as Archie, Cello, ftp, Gopher, Mosaic and telnet on an MS-DOS/MS-Windows computer.

WINDOWS-X11 — X windows is a graphical environment for user application software. This environment supports distributed services using TCP ports numbered 6000 and up (6000 plus the display number). This system is designed to remotely control and display processes across the network.

It is possible for a malicious process to monitor or take control of the screen, mouse and keyboard devices. The standard access control (xhost) is host-based, so any user on a permitted host can connect, and a display opened with "xhost +" accepts any client at all. The opening of so many ports also gives an intruder an opportunity to use an open port to compromise a trusted network from an untrusted connection.

WAIS — Wide Area Information Servers. This is another of the WWW family of applications and protocols.

WWW — World Wide Web is a new family of applications and protocols developed to provide users with a convenient method of accessing information across the Internet. (see http for vulnerability information)

HTTP — Hypertext Transfer Protocol is the application level protocol used to access world wide web (WWW) servers and information. Http is similar to the Gopher protocol; it transfers an information block and a data type description (the Content-Type header) to the client.

The client program (Internet Explorer, Mosaic, Lynx, and Netscape Navigator are common client applications) is responsible for interpreting the information and presenting it to the user in the correct form. As with the Gopher protocol, executable code is a valid data type to be retrieved.

Some client programs can be configured to automatically interpret and process the information that is retrieved. If this protocol is supported care should be taken to configure client programs to prompt prior to executing any script or executable programs.

Any executable code retrieved should be scanned for viruses, trojan horses or other malicious activities before being executed. A potential solution is s-http, which is intended to be a secure version of the http protocol. The s-http protocol is still in development and further information will be sent automatically if an e-mail message is sent to: info@commerce.net.

This protocol uses the PEM standard for mail and data exchange and provides the PEM capabilities above the http protocol. In this manner all data exchanged between an http server and client can be both authenticated and/or encrypted as required.

Another standard in progress is the SSL or Secure Sockets Layer activity. This standard provides a security layer between the TCP and application protocol layers. SSL provides confidentiality, message integrity (detection of tampering in transit) and, through certificates, authentication of the server and optionally of the client, for any TCP data stream. This security protocol can be used with all application-level protocols, not just http.