
BOM:
Target Audience: Engineers/cooperation engineers/users
Compiling Department: Access Network Technical Service Dept.

Product Name: Broadband products
Product Version: All versions
Doc. Version: V1.0

On Network Security
Drafted by    Reviewed by   Reviewed by   Approved by
Ren Yuan      Wang Zhen     Chen Rui
Date          Date          Date          Date
2005-03-14    2002-04-07    2005-03-14

Huawei Technologies Co., Ltd.


All Rights Reserved

Huawei Confidential

On Network Security

For internal use only.

Revision Record
Date         Revised Version   Description            Author
2002-07-12   V1.0              First draft finished   Wang Zhen


Contents
Chapter 1 Overview ... 1
  1.1 Background ... 1
  1.2 Importance of Security ... 1
  1.3 Our Enemies ... 2
  1.4 Our Enemies' Tricks ... 2
Chapter 2 Hacker Strategies ... 5
  2.1 Denial Of Service (DOS) ... 5
    2.1.1 Cause Analysis ... 5
    2.1.2 Types of DOS ... 6
    2.1.3 Distributed Denial Of Service (DDOS) ... 8
    2.1.4 Defense Against and Exploration of DOS ... 11
  2.2 Sniff ... 13
    2.2.1 Principle ... 13
    2.2.2 How to Guard Against Sniff? ... 14
  2.3 Scanning ... 14
    2.3.1 Scanning Attack ... 14
    2.3.2 Security Scanning ... 15
  2.4 Security Problems of Routing Protocols ... 16
    2.4.1 Route Spoofing: Attack to the RIP Protocol ... 16
    2.4.2 Route Spoofing: Attack to the BGP Protocol ... 16
    2.4.3 Route Spoofing: Attack to the OSPF Protocol ... 16
  2.5 Buffer Overflow ... 17
    2.5.1 Loopholes of and Attacks to Buffer Overflow ... 17
    2.5.2 Protection Against Buffer Overflow ... 19
Chapter 3 Security Problems of Other Protocols ... 20
  3.1 Security at the Network Layer ... 20
    3.1.1 Source IP Address Spoofing ... 20
    3.1.2 The Attack of Over-long Reassembled IP Segmented Packet and the Solution to It ... 22
  3.2 Security at the Transport Layer ... 23
  3.3 Security at the Application Layer ... 24
Chapter 4 Security Strategies ... 27
  4.1 What Is Security? ... 27
  4.2 Security Service, Mechanism and Technology ... 27
  4.3 Network Security System ... 27
Chapter 5 Security Technologies ... 29
  5.1 CallBack ... 29
  5.2 AAA: Authentication, Authorization and Accounting ... 29
  5.3 Certification Authority (CA) ... 30
  5.4 Packet Filtering ... 32
  5.5 Address Translation ... 33
  5.6 Data Compression ... 33
    5.6.1 Description of IPComp ... 33
    5.6.2 IPComp Association (IPCA) ... 34
  5.7 Encryption and Key Exchange ... 35
    5.7.1 IP Security (IPSec) ... 35
    5.7.2 Internet Key Exchange (IKE) ... 36
  5.8 Application Specific Packet Filter (ASPF) ... 37
    5.8.1 ASPF Principle ... 37
    5.8.2 ASPF Working Process ... 38
    5.8.3 Detection of and Prevention Against DOS ... 38
  5.9 Firewall ... 39
    5.9.1 What Is Firewall? ... 39
    5.9.2 What Firewall Can Do? ... 39
    5.9.3 Types of Firewall ... 41
    5.9.4 Operating System of Firewall ... 42
    5.9.5 The Counter-attack Function of Firewall ... 42
    5.9.6 Limitation of Firewall ... 42


Key words: Denial Of Service (DOS), Distributed Denial Of Service (DDOS), Sniff, scanning, route spoofing, buffer overflow, address spoofing, network security system, security technology

Abstract: This document introduces some basic concepts of network security, common methods of network attack, and some network security technologies. Chapter 1 briefly describes the current state of network security and common network security problems. Chapter 2 analyzes the forms and causes of common network attacks, such as DOS, Sniff and scanning. Chapter 3 covers some security problems in the current protocols. Chapter 4 briefly deals with the concept of security and the security system. Chapter 5 introduces some security technologies currently in common use.

Acronyms and Abbreviations:
DOS: Denial Of Service
AAA: Authentication, Authorization and Accounting
ASPF: Application Specific Packet Filter

References: Null


Chapter 1 Overview
1.1 Background
The Internet brings immense vitality to people all over the world and makes the borderless global village a reality. But we are still hindered by many undesirable factors: the shortage of IP addresses, heavy consumption of bandwidth, the limits of governmental regulation, and deficiencies in programming technique. Now, the numerous loopholes that have accumulated on the network confront us with even greater threats. The trouble-makers lurking on the network seek out these loopholes to attack network systems, and our former negligence will inevitably cost us far more effort. Though most network products are labeled "secure", given the weak network protocols and defective technologies we have, dangers still seem to be everywhere.

1.2 Importance of Security


There is no doubt that the Internet will become the biggest public data network. It realizes and boosts personal and business communication across the world. Internet traffic is soaring daily: people communicate more and more through email; mobile offices and Small Office & Home Office (SOHO) users telnet through the Internet; commercial transactions and even tax collection are done on the World Wide Web (WWW). While the Internet is revolutionizing and improving the way we do business, this huge network, along with the related technologies, is also opening the door to increasing network security threats.

Though the latent security loopholes may pose tremendous risks, for conducting e-business the Internet is still very safe. For example, in a hotel it is by far safer to send your credit card information to the e-market administrator over the network than by phone or through the waiter, because the e-business transaction is usually guarded by security technologies, while the hotel waiter and the e-market administrator are not always supervised or credible. However, in online business, people's concern about security can be as damaging as the security hazards that actually exist on the network. With their worries and doubts about computers, people tend to distrust the Internet. This distrust costs many companies serious loss of business opportunities, especially those that have just completed their Web infrastructure.

Therefore, we must take action to improve the state of network security. We must not only take effective security measures, but also convince people of their effectiveness. Of course, adequate publicity on how the customer's security and privacy are protected is also necessary. Besides protecting the customer, a company must also protect its employees and cooperation partners against security hazards, because their communication may also be affected by network attacks. Network attacks may paralyze employees' work for hours, and the network may have to be shut down to avoid damage. Obviously, the employees' efficiency and morale are greatly hurt by the waste and loss of time and data.

2007-03-22

Huawei Confidential

Page 1 of 47


1.3 Our Enemies


Hacker
This is a common and overly romantic name for the computer enthusiast who loves to obtain access to other people's computers or networks. Many hackers are content with a simple intrusion, leaving their "footprints" on the victim's desktop. Another type of hacker is keen on cracking, which is more dangerous. They attack all kinds of computer systems, steal or sabotage confidential data and modify web pages, finally leaving business operations in chaos. There are also amateur hackers, who merely look for hacker tools on the network for their own use. They neither care about nor understand the principle or the aftermath of these tools.

The Unperceivable Group
Company employees focus on their specific work and responsibilities, and often neglect the rules of network security. For example, for easy memorization, they use simple words as passwords. Hackers can easily guess these passwords or recover them with effective cracking software. Employees may also cause security hazards without intending to, for example by infecting a computer with a virus. The most common way of virus infection is using floppy disks or downloading files from the Internet. When employees transfer data by floppy disk, they may also transfer the virus to the network without even knowing that their computers are infected. Employees may also bring trouble to the network when they download files from the Internet. We should also notice human errors: whether computer beginners or experts, people may make mistakes when installing anti-virus software, and this too is a security hazard.

The Group with a Grudge
More unnerving than misoperation are the people who sabotage the network out of a grudge or vengeance. These people, who may have received a customer complaint, retired, or been fired and harbor a grudge, may vengefully infect their network with a virus or maliciously delete vital files. This group is highly threatening, because they usually know which part of the network carries the valuable information and know the security mechanisms.

Peepers
Some employees may play the peeper out of curiosity or mischief. They illegally obtain access to confidential data and secure information that they are not entitled to, just to prove to others that they can do it. Others access private information out of curiosity, for example financial data, private mail and employee payroll. This behavior may not bring serious danger, but peeping at other people's financial matters or health records may harm their reputation and cause ugly results.

1.4 Our Enemies' Tricks


Virus
The virus is the best-known security problem, because it usually affects a wide range of fields. Designed around a specific event, once triggered the virus program propagates itself and infects other computers. For example, a macro virus attaches to a file that contains macros; every time the macro is run, the macro virus is activated. When activated, some viruses cause annoying interruptions, such as a ridiculous pop-up message. Others are destructive: they delete files or slow down the system. A network may get infected by files loaded from a floppy disk or downloaded from the Internet. When one computer on the network gets infected, the chances are that the other computers on the same network will get infected too.

Trojan Horse
A Trojan Horse is a program secretly installed in the target system, either directly by a hacker or by an unsuspecting user. Once the program is installed and administrator authority obtained, the attacker can directly and remotely control the target system. The Trojan Horse is a vehicle for other destructive code. It usually appears as a harmless or even useful program, such as a computer game, which is only a camouflage. A Trojan Horse may delete files, replicate itself and send the program to every address in the mail address list. It can also prepare for other attacks. Vicious programs include NetBus, BackOrifice and BO2k. Benign programs include netcat, VNC and pcAnywhere.

Vandals
With the development of application technologies such as ActiveX and Java Applets, websites are becoming more vivid. These technologies create special effects that make websites more interactive and attractive. However, they also make it easier to download and run such programs, thus providing new entrances for sabotage. A vandal is an application or applet (a Java program) that causes damage of varying degrees. A vandal can damage the partition of the file or the system.

Network Attack
Since the TCP/IP protocol suite that constitutes the Internet is weak in security, network security becomes an actual issue that we must face. Many types of attack exist on the network. They include:
Packet interception: The attacker uses a data-capturing device to intercept data from the data flow in transmission, then analyzes the data to obtain usernames/passwords or other sensitive information. Delay exists when data is transmitted over the Internet; combined with the geographical span, it is practically impossible to avoid data interception.
IP address spoofing: The attacker changes his own IP address to disguise himself as an intranet user or a credible extranet user, and sends specific packets to disturb the normal transmission of network data. He can also fake some acceptable routing packets (such as specific ICMP packets) to change the routing information and then intercept the information.
Source route attack: The sender of a packet specifies the route for the packet in the Option field of the IP packet, so the packet may be sent into protected networks.
Port scanning: The attacker finds system loopholes by probing the ports that the firewall is monitoring. Or he may already know that a certain version of router software has a loophole, and queries the specific port to judge whether the loophole exists. He then attacks the routers through these loopholes so that the router comes under his control or fails to run normally.
Denial Of Service (DOS): The attacker intends to stop legal users from accessing the resources. For example, he sends large quantities of packets to exhaust the bandwidth of the network. The macro virus Melissa is designed for DOS.


Many big websites suffer serious losses from Distributed Denial Of Service (DDOS) attacks.

Data Interception
The data transmitted over the network may be intercepted by unauthorized people. These criminals can intercept and even modify the content of the data. They can intercept data in many ways, for example by IP address theft.

Social Engineering
Social engineering is an increasingly used non-technical method of obtaining confidential network security information. For example, a social engineer can pretend to be a technical support representative and call an employee to get the password. Others achieve the same end by bribery.

Spam
Spam is email sent automatically, or advertising information emailed automatically. Though harmless, spam is a real nuisance. It consumes much of our time and storage space.
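As an added illustration of two of the attack types listed above (it is not code from the original document), the following Python shows what a border device can check on a packet arriving on its external interface: it parses the IPv4 header, flags a source address that belongs to the internal address space (IP address spoofing) and flags source-routing options in the Option field (source route attack). The internal subnets, the sample headers and the option contents are constructed assumptions; the option type numbers 131 and 137 are the RFC 791 values for loose and strict source routing.

```python
import ipaddress
import struct

# IPv4 option types that carry a sender-specified route (RFC 791)
SOURCE_ROUTE_OPTIONS = {131: "LSRR (loose source route)", 137: "SSRR (strict source route)"}

# Assumed address space behind the border device; a packet arriving from the
# outside with one of these as its source address claims an internal identity.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]


def parse_ipv4_header(raw):
    """Return (src, dst, options) for a raw IPv4 header; options is a list of (type, data)."""
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("truncated header")
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    options, i = [], 20
    while i < ihl:
        opt_type = raw[i]
        if opt_type == 0:        # End of Option List
            break
        if opt_type == 1:        # No Operation: single-byte padding
            i += 1
            continue
        opt_len = raw[i + 1]
        if opt_len < 2 or i + opt_len > ihl:
            raise ValueError("malformed option")
        options.append((opt_type, bytes(raw[i + 2:i + opt_len])))
        i += opt_len
    return src, dst, options


def inspect_ingress(raw):
    """Findings for a packet seen on the external interface of the border device."""
    src, _dst, options = parse_ipv4_header(raw)
    findings = []
    if any(ipaddress.IPv4Address(src) in net for net in INTERNAL_NETS):
        findings.append("spoofed_internal_source")
    for opt_type, _data in options:
        if opt_type in SOURCE_ROUTE_OPTIONS:
            findings.append("source_routed")
    return findings


def build_header(src, dst, options=b""):
    """Construct a minimal IPv4 header (checksum left zero) for the sample packets below."""
    options += b"\x00" * (-len(options) % 4)        # pad options to a 32-bit boundary
    ihl = (20 + len(options)) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + options


# Constructed sample packets (not captures)
NORMAL = build_header("203.0.113.5", "192.0.2.10")
SPOOFED = build_header("10.0.0.5", "192.0.2.10")
# LSRR option: type 131, length 7, pointer 4, one hop address
LSRR = bytes([131, 7, 4]) + ipaddress.IPv4Address("198.51.100.1").packed
SOURCE_ROUTED = build_header("203.0.113.5", "192.0.2.10", LSRR)

if __name__ == "__main__":
    for name, pkt in [("normal", NORMAL), ("spoofed", SPOOFED), ("source-routed", SOURCE_ROUTED)]:
        print(name, inspect_ingress(pkt) or ["ok"])
```

Both findings are drop conditions on a border filter: an external packet claiming an internal source has no legitimate reason to exist, and source-routed packets are routinely discarded because the sender, not the routing table, picks the path.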


Chapter 2 Hacker Strategies


2.1 Denial Of Service (DOS)
DOS is a system loophole that prevails globally. Hackers revel in this strategy, while numerous network users fall victim to it. Tribe Flood Network, TFN2K, Smurf, Targa, and still more programs are yet to come. Like plagues, these programs are flooding the network, putting the global village at a disadvantage. We have to develop a simple and easy security solution against an attack that may come from anywhere at any time.

There are many forms of DOS attack. The basic DOS uses excessive legal requests to occupy service resources. The service resource becomes overloaded and is unable to respond to other requests. Service resources include network bandwidth, file system space, open processes and service ports. This form of DOS causes resource shortage. No matter how fast the computer's processor, how large its memory, or how high its Internet rate, it cannot withstand this attack. There is a limit to everything, and the attacker can always find a request volume that exceeds the limit and exhausts the service resources. Do not take it for granted that adequate bandwidth always guarantees a highly efficient website. DOS belittles service resources of all types.

There are two typical forms of DOS: exhausted resources and overloaded resources. When a service resource receives legal requests that by far exceed its capacity (for example, when a busy Web server receives excessive requests), it denies service to legal users. DOS can also result from software defects or wrong program configuration. Vicious DOS differs from unintentional service overload in that the sender of the former deliberately sends excessive requests to the resource, making other users unable to access it.

2.1.1 Cause Analysis


Software Defects
DOS is usually caused by software defects or wrong configuration. Software defects include security-related defects in the operating system or application programs. The defects often originate from wrong programming, careless auditing of source code, unintended side effects, or improper binding. According to the level of unlimited or unauthorized system access that the wrong information causes, the defects can be divided into different degrees. Some DOS attacks result from inherent defects in the protocol design; some can be avoided by simple patches; some, caused by system defects, cannot be eliminated.

Wrong Configuration
Wrong configuration can also become a threat to system security. Wrong configuration usually occurs in the hardware, the system or the application program. By correctly configuring routers, firewalls, switches and other connection devices on the network, we can reduce the possibility of these errors. In other words, wrong configuration gives birth to DOS. Wrong configuration is usually produced by inexperienced or irresponsible employees or by wrong theories.

Resource Bottleneck
Finally, some unintentional DOS attacks are caused by the bottleneck of overloaded bandwidth or resources. There is no fixed solution to this type of problem.

2.1.2 Types of DOS


Generally, the primary problem for the attacker is network bandwidth. The attacker cannot send too many requests over small-scale, low-rate networks. However, a DOS attack such as the "ping of death" can destroy an unpatched UNIX system with only a small number of packets. Of course, most DOS attacks still require high bandwidth, but high bandwidth is owned by big companies and is usually denied to the hacker who works as a one-man army. To break this restriction, the vicious attacker developed DDOS. With DDOS tools the attacker can integrate a lot of network bandwidth and send a large number of requests to the same target.

I. Common Network-based DOS Attacks


Big Ping Packets
The attacker pings a large number of packets to occupy all the bandwidth, so that the data of normal services cannot reach or be processed by the host. If the packets pinged are too big, they are fragmented, which increases the processing load on the device during the attack. The firewall of some devices cannot filter the fragmented packets of the attack, so the fragments still penetrate the firewall and reach the host, and the host then denies service to legal users.

Smurf (Directed Broadcast)
Broadcast information can be sent to the devices on an entire network by certain means (the broadcast address or other mechanisms). When a device sends an "ICMP echo" request (such as PING) to the broadcast address, some systems respond with an "ICMP echo" response; that is, sending one packet yields multiple responses. Smurf is based on this principle. In addition, it needs a fake source address: the attacker sends packets that carry the address of the attacked host as the source address and the network's broadcast address as the destination address. Thus many systems respond to the attacked host with large quantities of information (because the attacker has faked the victim host's address). A method of generating many responses by sending one packet onto the network is also called an "amplifier". Lists of Smurf amplifiers are available on www.netscan.org. Some negligent and irresponsible sites still suffer from "amplifier" attacks because of this kind of loophole.

Fraggle
Fraggle is similar to Smurf and is simply an improvement on it. Using some UDP-based service that the host provides, the attacker uses UDP responses instead of ICMP responses to generate a lot of response packets, thus attacking the victim network or host.

SYN Flood
To communicate over the network, a host first needs to establish the TCP handshake, which requires three packet exchanges. Once a server receives the SYN packet of the client, it must respond with a SYN-ACK packet and wait for the client to respond with an ACK packet for acknowledgement; only then is the connection established. However, if the client sends only a SYN packet for initialization and never sends the ACK packet acknowledging the server, it keeps the server waiting for the ACK. Some TCP/IP protocol stacks have only a limited memory buffer for establishing TCP connections, so the server can wait for only a limited number of ACK packets. If the buffer is full of initialization messages of false connections, the TCP/IP protocol stack stops responding to subsequent connections until the connection attempts in the buffer time out. Even if the number of TCP connections being established is unlimited, a SYN Flood still consumes a lot of the victim system's resources.

Slashdot Effect
The Slashdot Effect causes a Web server, or a server of another type, to become overloaded because of heavy network traffic. In these circumstances the traffic is generated for a certain web page or link. This also occurs as a normal phenomenon on heavily visited websites, so we must distinguish the normal phenomenon from DOS. If your server suddenly becomes congested and even fails to respond to further requests, examine the resource shortage closely: check whether all 10000 clicks are done by legal users, or 5000 by legal users and 5000 by an attacker.

UDP Flood
Various disguised attacks use the simple TCP/IP services, such as Chargen and Echo, to transmit useless data that fills the bandwidth completely. The attacker fakes a UDP connection to the Chargen service of a certain host and directs the response address to a host providing the Echo service, thus generating abundant useless data flow between the two hosts. A sufficient volume of this data flow causes DOS of the bandwidth.
Land Attack
The attacker sets the IP address of the victim as both the source and destination address of a TCP SYN message. Thus the victim sends the SYN-ACK message to its own address, which responds with an ACK message and creates a null connection. Each null connection created in this way stays until it times out. Different victims react to the Land attack differently: many UNIX hosts crash, and NT hosts become extremely slow (for about five minutes).

Teardrop
Teardrop attacks the victim through the information contained in the IP fragment header, which the TCP/IP stack implementation trusts. An IP fragment carries information indicating which part of the original packet it holds. When receiving fake fragments with overlapping offsets, some servers running TCP/IP (including Windows NT with a patch level earlier than Service Pack 4) crash. Defense: apply the latest service pack on the server, or configure the firewall to reassemble fragments instead of forwarding them.

Email Bomb
The email bomb is one of the primitive anonymous attacks. The attacker configures a device to keep sending many emails to the same address and exhausts the bandwidth of the receiver's network.

Ping of Death
In the early period, routers restricted the maximum length of a packet. Many operating systems' TCP/IP protocol stacks specify the maximum length of an ICMP packet as 64 KB. The system reads the packet header and then allocates a buffer for the payload according to the information contained in the header. When the receiver receives a malformed packet, namely one that claims a length exceeding the upper limit of the ICMP packet (over 64 KB), a memory allocation error occurs. This causes the TCP/IP protocol stack to collapse and the receiver to go down.

II. Defense
Now all standard TCP/IP protocol stacks are capable of handling oversized packets, and most firewalls can automatically filter them.
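To make the patterns in the list above concrete, here is an added Python example (not part of the original document) that applies the header-level checks a firewall or intrusion detector would use to a batch of packet records: a SYN flood (many sources with a SYN but no ACK on one service), a Land packet (source equals destination), a Smurf echo request aimed at the directed-broadcast address, overlapping fragments (Teardrop) and an over-long reassembled datagram (Ping of Death). The local subnet, the threshold of five half-open connections and all packet records are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed local subnet; its broadcast address is what a Smurf/Fraggle
# directed broadcast would target. Adjust for the network being monitored.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample packet records (not captured traffic). Each dict holds
# only the header fields the checks need; fragment offsets are already in bytes.
SAMPLE_PACKETS = [
    # SYN flood: eight half-open connections to 192.0.2.10:80 from spoofed sources
    *[{"proto": "tcp", "src": f"198.51.100.{i}", "dst": "192.0.2.10",
       "dport": 80, "flags": "S"} for i in range(1, 9)],
    # one legitimate client that completes its handshake (SYN, then ACK)
    {"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 80, "flags": "S"},
    {"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 80, "flags": "A"},
    # Land: source equals destination on a SYN
    {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10", "dport": 139, "flags": "S"},
    # Smurf: ICMP echo request to the directed-broadcast address; the spoofed source is the victim
    {"proto": "icmp", "src": "192.0.2.77", "dst": "192.0.2.255", "icmp_type": 8},
    # Teardrop: the second fragment (offset 24) overlaps the first (bytes 0-63)
    {"proto": "udp", "src": "198.51.100.9", "dst": "192.0.2.10", "ip_id": 4000,
     "frag_offset": 0, "frag_len": 64},
    {"proto": "udp", "src": "198.51.100.9", "dst": "192.0.2.10", "ip_id": 4000,
     "frag_offset": 24, "frag_len": 40},
    # Ping of death: the last fragment pushes the reassembled size past 65535 bytes
    {"proto": "icmp", "src": "198.51.100.9", "dst": "192.0.2.10", "ip_id": 4001,
     "frag_offset": 65520, "frag_len": 40, "icmp_type": 8},
]


def is_directed_broadcast(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_NETS)


def analyze(packets, syn_threshold=5, max_ip_len=65535):
    """Return a list of (kind, detail, ...) alerts for the DOS patterns above."""
    alerts = []
    syn_sources = defaultdict(set)   # (dst, dport) -> sources that sent a bare SYN
    ack_sources = defaultdict(set)   # (dst, dport) -> sources that later sent an ACK
    fragments = defaultdict(list)    # (src, dst, ip_id) -> [(offset, length)]

    for p in packets:
        if p["proto"] == "tcp":
            if "S" in p["flags"] and "A" not in p["flags"]:
                if p["src"] == p["dst"]:
                    alerts.append(("land", p["dst"]))
                syn_sources[(p["dst"], p["dport"])].add(p["src"])
            elif "A" in p["flags"]:
                ack_sources[(p["dst"], p["dport"])].add(p["src"])
        if p["proto"] == "icmp" and p.get("icmp_type") == 8 and is_directed_broadcast(p["dst"]):
            alerts.append(("smurf", p["src"]))
        if "frag_offset" in p:
            fragments[(p["src"], p["dst"], p["ip_id"])].append((p["frag_offset"], p["frag_len"]))

    # SYN flood: many sources with a SYN but no ACK on one service
    for key, sources in syn_sources.items():
        half_open = sources - ack_sources.get(key, set())
        if len(half_open) >= syn_threshold:
            alerts.append(("syn_flood", f"{key[0]}:{key[1]}", len(half_open)))

    # Reassembly checks: overlapping offsets (Teardrop) and oversized datagrams (Ping of Death)
    for (src, dst, ip_id), frags in fragments.items():
        frags.sort()
        end = 0
        for offset, length in frags:
            if offset < end:
                alerts.append(("teardrop", f"{src}->{dst} id={ip_id}"))
                break
            end = offset + length
        if max(offset + length for offset, length in frags) > max_ip_len:
            alerts.append(("ping_of_death", f"{src}->{dst} id={ip_id}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKETS):
        print(*alert)
```

The half-open count is computed per service rather than per source because a SYN flood normally spoofs its sources; counting per source would see one SYN each and never fire. The fragment checks are exactly the reassembly a firewall performs when it is configured to reassemble instead of forward, as the Teardrop defense above recommends.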

III. Development of DOS


As we are fortifying our defenses, the attackers are also developing their DOS strategies. Tribe Flood Network (TFN) and TFN2K introduce a new concept: DDOS. These programs enable the devices that are distributed over the network to work together to attack a host, making the victim host appear as if it were attacked by many hosts located in various places. The distributed devices are manipulated by several control devices to perform attacks of various types, such as UDP Flood, SYN Flood, and so on.

2.1.3 Distributed Denial Of Service (DDOS)


DDOS is short for Distributed Denial Of Service. It is a distributed, cooperative, large-scale and special attack based on DOS. It mainly targets relatively big websites, such as those of large companies, search engines and governmental departments. Unlike DOS, which needs only a single device, DDOS uses a number of controlled devices to attack one device. DDOS is more violent, harder to defend against and more destructive. Figure 2-1 shows the principle of DDOS.
Figure 2-1 Principle of DDOS


The figure shows that DDOS involves performers at three levels: the attacker, the controlling terminal, and the agent. The devices at the three levels play different roles in the attack.

I. Roles of the Devices


Attacker
The computer used by the attacker works as the controlling console. It can be any host on the network, or even a mobile laptop. The attacker host manipulates the whole process of the attack and sends attack commands to the controlling terminals.

Controlling terminal
Controlling terminals are hosts invaded and controlled by the attacker. Each of them controls a lot of hosts that serve as agents. A special program is installed on the controlling terminal, so it can receive the special commands sent by the attacker and pass them on to the agents.

Agent
The agents are also hosts invaded and controlled by the attacker. They run the attack program that receives and executes the commands sent by the controlling terminal. The agent is the executor of the attack, the one that really launches the attack against the victim host.

A DDOS attack consists of three steps.
Step 1 The attacker looks for hosts on the Internet that have security loopholes, enters the system and installs a backdoor program on the host. The more hosts the attacker invades, the bigger his army for the attack.
Step 2 The attacker installs the attack program on the invaded hosts. Some of the hosts serve as controlling terminals in the attack and some serve as agents.
Step 3 The hosts at the different levels perform their respective tasks. Under the direction of the attacker, they launch the attack against the target host. Since the attacker directs the attack from behind the scenes, he is not tracked by the monitoring system during the attack, so it is hard to reveal the attacker's identity.

II. Common DDOS Weapons


It is relatively difficult to implement DDOS, because it requires the attacker to be capable of invading other people's computers. Unfortunately, point-and-click hacker programs have appeared. These invading and attacking programs can be installed within several seconds, making DDOS easy to carry out. The following are some common hacker programs.

1) Trinoo
The principle of Trinoo is to send four-byte UDP packets that contain all "0"s to random ports on the attacked host. When the attacked host processes these trash packets beyond its processing capability, its network performance drops continuously until it fails to provide normal service and crashes. Trinoo does not fake the IP address, and it uses the following communication ports:
From the attacker host to the controlling terminal: 27665/TCP
From the controlling terminal to the agent: 27444/UDP
From the agent to the master server: 31335/UDP

2) TFN
TFN is composed of the controlling-terminal program and the agent program. It can fake packets, and it usually uses the following attack methods:
SYN Flood
Ping Flood
UDP Bomb

3) TFN2K
TFN2K evolved from TFN. Besides the features of TFN, TFN2K has some new ones. In TFN2K, the network communication between the controlling terminal and the agent is encrypted, and the communication may be mixed with many decoy packets; in TFN, the ICMP communication is not encrypted. TFN2K has new attack methods: Mix and Targa3. In TFN2K, the process port on the agent can be configured.

4) Stacheldraht
Stacheldraht also evolved from TFN and inherits the latter's features. The communication between the controlling terminal and the agent in Stacheldraht is also encrypted. In addition, it fakes the command source and can evade the RFC2267 filter of some routers. Stacheldraht has a built-in agent upgrade module, which can automatically download and install the latest agent program.

III. Monitoring and Detecting DDOS


Now there are more and more DDOS attacks on the network. We must detect an attack as soon as possible to avoid heavy loss. DDOS can be detected in the following ways:

1) By Analyzing Abnormal Conditions
You must become alert and check the communication on the following occasions:
When traffic on the network soars suddenly and exceeds the normal limit
When a certain service of the website keeps failing
When you find jumbo ICMP packets and UDP packets passing the host, or packets with suspicious content
In general, when your device behaves abnormally, you had better take these factors into account and stop the attack before it develops.

2) By Using DDOS Detecting Tools
Before the attacker can stage his attack program, he has to scan the system to find loopholes. Currently, some tools for detecting network intrusion are available on the market. These tools guard the system against the attacker's scanning. Moreover, some scanning tools can also detect and delete the agent program that the attacker has installed in the system.
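The abnormal conditions listed under 1) can be turned into simple detection logic. The following is an added example, not a tool from the original document: it takes constructed per-second packet counts and constructed packet records, flags a traffic surge against a baseline, and flags jumbo ICMP/UDP packets as well as the four-byte all-zero UDP payloads described for Trinoo above. The thresholds (eight baseline samples, four standard deviations, 1500-byte jumbo limit) and all sample data are assumptions.

```python
"""Detection of the abnormal conditions listed above, run over constructed
traffic samples.  Added example; thresholds and sample data are assumptions,
not values from the original document."""
import statistics
from dataclasses import dataclass

# Constructed per-second packet counts on the monitored link: a quiet
# baseline followed by a sudden surge.
TRAFFIC_SAMPLES = [1200, 1150, 1300, 1250, 1180, 1220, 1270, 1190, 9800, 12400, 15100]


@dataclass
class Packet:
    proto: str        # "TCP", "UDP" or "ICMP"
    src: str
    dst_port: int
    length: int       # total length in bytes
    payload: bytes


# Constructed packets: normal traffic, two Trinoo-style UDP packets
# (four zero bytes to random ports) and one jumbo ICMP packet.
SAMPLE_PACKETS = [
    Packet("TCP", "10.0.0.5", 80, 512, b"GET / HTTP/1.0"),
    Packet("UDP", "10.0.0.7", 53, 80, b"\x12\x34\x01\x00"),
    Packet("UDP", "203.0.113.9", 41337, 32, b"\x00\x00\x00\x00"),
    Packet("UDP", "203.0.113.9", 2901, 32, b"\x00\x00\x00\x00"),
    Packet("ICMP", "198.51.100.2", 0, 65000, b"\x00" * 1000),
]


def detect_traffic_surge(samples, baseline_len=8, sigma=4.0):
    """Return the indices of samples that exceed mean + sigma * stdev of the
    baseline window.  The first baseline_len samples define the normal level."""
    base = samples[:baseline_len]
    mean = statistics.mean(base)
    stdev = statistics.pstdev(base) or 1.0   # avoid a zero limit on a flat baseline
    limit = mean + sigma * stdev
    return [i for i, v in enumerate(samples) if i >= baseline_len and v > limit]


def flag_suspicious_packets(packets, jumbo_bytes=1500):
    """Return (index, reason) pairs for packets matching the conditions above."""
    flagged = []
    for i, p in enumerate(packets):
        if p.proto in ("ICMP", "UDP") and p.length > jumbo_bytes:
            flagged.append((i, "jumbo %s packet of %d bytes" % (p.proto, p.length)))
        if p.proto == "UDP" and p.payload == b"\x00\x00\x00\x00":
            flagged.append((i, "four-byte all-zero UDP payload (Trinoo pattern)"))
    return flagged


if __name__ == "__main__":
    print("surge at samples:", detect_traffic_surge(TRAFFIC_SAMPLES))
    for idx, why in flag_suspicious_packets(SAMPLE_PACKETS):
        print("packet %d: %s" % (idx, why))
```

The baseline window must be taken from a period known to be normal; if the attack has already begun when the window is sampled, the limit is inflated and the surge goes unnoticed.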

IV. Defense Strategies Against DDOS


Since DDOS is rather covert, so far no effective solution for fighting back against DDOS has been developed. Therefore we must raise our awareness of security and precaution, and improve the security condition of the network system. We can take the following security and precaution measures:

1) Make sure to discover the system's loopholes, and install patch programs in the system as soon as possible. Establish and optimize a backup mechanism for important information (such as the configuration information of the system). Take caution when setting the passwords of privileged accounts (such as the administrator account). These measures reduce the opportunity for the attacker to take advantage of the system.
2) In network management, check the physical environment of the system regularly, and disable unnecessary network services.
3) Lay down restrictions at the network border to ensure that outgoing packets are correctly restricted.
4) Check the system configuration information regularly, and make sure to check the daily security log.
5) Fortify the network security with network security tools (such as a firewall), and configure the security rules correctly to filter all possible fake packets. Another good defense measure is to coordinate with the Internet Service Provider (ISP), and request the ISP to provide access control on the router and a limit on the total bandwidth.
6) When you find your system under DDOS attack, you must start your counter-attack strategies. Track the attacking packets as soon as possible, contact the ISP and the relevant emergency organizations promptly, analyze the affected system, confirm the other nodes involved and stop the traffic from the nodes known to be under attack.

When you are a potential DDOS victim and find that your computer is controlled by the attacker as a controlling terminal or agent, do not treat the matter lightly just because your system is temporarily not damaged. The attacker has already found a loophole in your system, which poses a serious threat to it. Therefore, once you find DDOS software in the system, delete the software as soon as possible to avoid further danger.

2.1.4 Defense Against and Exploration of DOS


Hackers keep discovering defects in operating systems and network devices, and use these defects to perform vicious attacks. In general, we can protect the network against attacks with the following two methods:
Mend the loopholes that we have found in the system
Identify, track or prohibit the nasty devices or networks from accessing our system
In the second method, the primary problem facing us is how to identify the vicious attacking devices, especially those that can cause DOS. These devices hide their own addresses and use faked addresses, including the victim's own. The attacker fakes thousands of vicious packets to attack the victim host. The principle of TFN2K is as simple as shown in Figure 2-1, and the program provides a user interface that is easy to operate.

I. By Using Packet Filter and Other Routing Configuration


Packet filtering is applied on the ports (interfaces) that connect to the extranet. This measure guards against fake addresses, so a device on the extranet cannot attack a device on the intranet by faking the latter's address. It has been controversial whether to use the packet filter on the ports connecting to the extranet or on the ports connecting to the intranet. RFC2267 recommends using the packet filter on the ports connecting to the intranet across the global Internet, but doing so brings a lot of trouble. Using an Access Control List (ACL) on medium-level routers does not cause much trouble, but poses an obvious burden on backbone routers that are already fully loaded. Also, when the ISP uses the packet filter on the ports connecting to the extranet, the overload traffic is transferred to other devices that are not so busy. The ISP also does not care whether the customers use this technology on their edge routers or not. Of course, this filter technology is not perfectly safe; its effectiveness depends on the filter mechanism used by the network administrator.

II. By Tracking Anonymous Attacks Through DNS


From the viewpoint of a responsible network management system (NMS), our goal is not simply to stop DOS, but to further trace the initial cause and schemer of the attack. When someone uses an attacking tool (such as TFN2K) with fake source addresses on the network, though we cannot use ready-made tools to identify its legality, we can still analyze the attacking tool through the domain name system (DNS). If the attacker targets www.ttttt.com, he must send a DNS request to resolve the domain name first. The attacking tool performs this step by calling the gethostbyname() function or the corresponding application program interface. That is, the DNS requests generated before the attack provide us with a list of related hosts, which we can use to locate the attacker. It is practical to read the suspicious DNS request list by using ready-made tools or by manually reading the DNS request log. However, this measure has three disadvantages:
1) The attacker usually queries and resolves the address with the local DNS server as the starting point. Therefore, sometimes the sender of the DNS request that we have found is not the attacker, but the local DNS server to which the attacker sent the request. Despite this, if the attacker is hiding within an organization with a local DNS server, we can still take this organization as the starting point of the query.
2) The attacker may already know the IP address of his target, or have obtained the IP address by other means (such as ping). He may also start the attack a long time after he obtained the IP address. In such cases, we cannot locate the attacker (or his local server) from the time period of the DNS request.
3) DNS has a default time to live (TTL) for each domain name, so the attacker's resolver may answer from its DNS cache without sending a new query. To get a more detailed resolution record, you can shorten the default TTL of the DNS records, but doing so increases the DNS query frequency and occupies more network bandwidth.
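The correlation described above can be done directly against a resolver's query log. The following is an added example, not a tool from the original document: it parses constructed query-log lines (timestamp, client address, queried name), and lists the clients that resolved the target name in a look-back window before the attack began. The log format, the addresses, the times, the 30-minute window and the set of known recursive resolvers are all assumptions; the resolver set exists so that the output labels disadvantage 1) (a hit from a resolver points at an organization, not a host).

```python
"""Locating the hosts that resolved the target name shortly before an attack,
from DNS query logs.  Added example; the log format, names, addresses and
times are constructed assumptions, not data from the original document."""
from datetime import datetime, timedelta

# Constructed resolver query log: "<timestamp> <client ip> <query name>".
DNS_LOG = """\
2005-03-14T10:00:01 192.0.2.10 mail.example.net
2005-03-14T10:14:30 198.51.100.7 www.ttttt.com
2005-03-14T10:20:02 203.0.113.5 www.ttttt.com
2005-03-14T10:20:03 203.0.113.5 ns.example.org
2005-03-14T10:25:40 192.0.2.44 www.ttttt.com
2005-03-14T12:05:00 192.0.2.60 www.ttttt.com
"""

# Addresses known to be recursive resolvers (assumption).  A hit from one of
# these only points at the organisation behind that resolver, not at a host.
KNOWN_RESOLVERS = {"198.51.100.7"}

# Constructed: the moment the flood against www.ttttt.com was first observed.
ATTACK_START = datetime(2005, 3, 14, 10, 30)


def parse_dns_log(text):
    """Return [(timestamp, client, qname)] with names normalised to lower case."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip(".")))
    return records


def suspects_for_attack(records, target, attack_start, lookback=timedelta(minutes=30)):
    """Return [(client, kind)] for clients that resolved `target` within
    [attack_start - lookback, attack_start], in log order.  `kind` is
    "resolver" for a known recursive resolver and "host" otherwise."""
    window_start = attack_start - lookback
    out = []
    for ts, client, qname in records:
        if qname == target and window_start <= ts <= attack_start:
            kind = "resolver" if client in KNOWN_RESOLVERS else "host"
            out.append((client, kind))
    return out


def demo():
    return suspects_for_attack(parse_dns_log(DNS_LOG), "www.ttttt.com", ATTACK_START)


if __name__ == "__main__":
    for client, kind in demo():
        print("%-16s %s" % (client, kind))
```

The query at 12:05 falls outside the window and is ignored; a query made long before the window, or answered from a cache because of the TTL (disadvantages 2 and 3), is likewise invisible to this method, which is why the result is a list of leads rather than an identification.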

III. By Using "ngrep" to Tackle TFN2K


Based on the principle of tracking the TFN2K resident program by DNS, a practical tool called ngrep has been developed. The modified ngrep can monitor about five types of TFN2K attack:
Targa3
SYN Flood
UDP Flood
ICMP Flood
Smurf
Ngrep also has a ring buffer for recording DNS requests and ICMP requests. When ngrep detects an attack, it prints the content of its buffer and continues recording the ICMP responses. A careless attacker will locate a target by pinging the target host, and we can capture such attackers by recording the ICMP responses during or after the attack. Also note that ngrep uses network monitoring (which relies on the network being broadcast-based), so it cannot be used on a network built on Ethernet switches (where transmission is point-to-point). The modified ngrep need not be located in the same network segment as the DNS server, but it must be placed where it can monitor all DNS requests. Theoretically, ngrep can detect well the TFN2K attacks targeting the extranet.


2.2 Sniff
Sniff is an old-school topic. Obtaining sensitive information on the network by sniffing is nothing new, and there are many successful cases. Well, what is Sniff then? Sniff is a sniffing device, or a bugging device. Sniff works furtively at the bottom network layer and records all the victim's secrets, catching the victim off his guard. Sniff can be software or hardware. The Sniff software exists for several platforms, such as Windows and UNIX. The Sniff hardware is also called a network analyzer. They all aim at one thing: obtaining the various information transmitted on the network.

2.2.1 Principle
On the Ethernet, all communication is broadcast. That is, usually, all network interfaces in the same network segment can access all data transmitted on the physical medium. Each network interface has a unique hardware address, the MAC address of the network interface card (NIC). Most systems use a 48-bit address to represent a device on the network. Generally, the MAC addresses of NICs are all different: after an address segment is allocated to an NIC vendor, each address in the segment is assigned to one NIC the vendor manufactures. The Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP) are used for the conversion between the MAC address and the IP address. In normal conditions, a network interface should respond to only the following two types of frames:
1) The frame that matches the NIC's MAC address
2) The broadcast frame that is sent to all devices

In an actual system, the NIC receives and transmits the data. After the NIC receives a frame, the program in the NIC's own chip reads the destination MAC address of the frame. Then, according to the receiving mode configured by the computer's NIC driver, the chip program decides whether the NIC will accept the frame or not. If yes, the NIC accepts the frame and generates an interrupt to inform the CPU; if not, the NIC discards the frame. Therefore the NIC drops the data that it will not accept, and the computer does not know about it at all. After receiving the interrupt, the CPU suspends the current processing flow. According to the interrupt handler address configured in the NIC driver, the operating system calls the driver to receive the data. The driver receives the data and passes it up the protocol stack for processing by the system. The NIC receives frames in four modes:
Broadcast mode: the NIC can receive the broadcast frames on the network.
Multicast mode: an NIC set in this mode can receive multicast data.
Direct mode: only the destination NIC can receive the data.
Promiscuous mode: the NIC can receive all data that passes it, regardless of whether the data is intended for it or not.


In short, data on the Ethernet is transmitted in broadcast mode; that is, all physical signals pass every device on the segment. When an NIC is set to promiscuous mode, it can receive all data that passes through it, so the attacker can intercept, analyze and monitor the packets. This is the principle of Sniff: set the NIC to receive all the data that it can receive.

2.2.2 How to Guard Against Sniff?


The most effective way to guard against Sniff is to segment the network properly and to use switches and bridges on the network. In the ideal condition, each device has its own network segment, but this measure greatly increases the cost of network construction. Therefore, try to place the devices that can trust each other in the same network segment, thus avoiding Sniff among the devices. We also need to shield the hardware between the network segments. Also, with encryption technology such as Secure Shell (SSH), we can encrypt the sensitive data transmitted on the network. The sensitive data includes user IDs, passwords, bank accounts, confidential commercial information and so on.
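Besides segmentation and encryption, an administrator can check his own hosts for the condition described in 2.2.1: an NIC placed in promiscuous mode. The following is an added example, not a tool from the original document. It assumes a Linux host, where the kernel exposes each interface's flags as a hexadecimal value in /sys/class/net/<interface>/flags and the promiscuous bit is IFF_PROMISC = 0x100; the flag values used in the parsing function are constructed.

```python
"""Checking whether any local interface is in promiscuous mode, the NIC
setting a software sniffer relies on.  Added example, not a tool from the
original document.  Assumes Linux: /sys/class/net/<iface>/flags holds the
interface flags in hex, and bit 0x100 (IFF_PROMISC, from linux/if.h) marks
promiscuous mode."""
import os

IFF_PROMISC = 0x100
SYSFS_NET = "/sys/class/net"


def is_promiscuous(flags_text):
    """Parse a sysfs flags value such as "0x1103\n" and test the promiscuous bit."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root=SYSFS_NET):
    """Return the sorted names of interfaces whose flags have IFF_PROMISC set.
    A missing sysfs tree (non-Linux host) or an unreadable entry is skipped,
    so the function returns an empty list rather than raising."""
    found = []
    try:
        names = os.listdir(sysfs_root)
    except OSError:
        return found
    for name in sorted(names):
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                if is_promiscuous(fh.read()):
                    found.append(name)
        except (OSError, ValueError):
            continue
    return found


if __name__ == "__main__":
    promisc = promiscuous_interfaces()
    if promisc:
        print("promiscuous interfaces:", ", ".join(promisc))
    else:
        print("no interface is in promiscuous mode")
```

The check only covers software sniffers on the host itself: a hardware network analyzer, or a host whose kernel has been tampered with, leaves nothing for this check to find, which is why the segmentation and encryption measures above remain the primary defense.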

2.3 Scanning
Scanning is to perform security detection on a computer system or other network device, and thus discover the security loopholes and defects that a hacker may take advantage of. Obviously, scanning software is a double-edged sword: the hacker uses it to invade the system, and the system administrator can use it to effectively protect the system from invasion.

2.3.1 Scanning Attack


I. Address Scanning
The address scanning software uses programs such as ping to detect the target address. If the address responds, it means that the address and the network segment of the specified address exist. Sometimes the hacker uses the TCP/UDP packet to establish a connection to a certain address to judge whether there is response.

II. Port Scanning


The hacker usually uses some software to establish connections to a series of TCP/UDP ports on a large number of hosts. According to the responses, the hacker judges whether the hosts provide services on these ports.

III. Response Mapping


The hacker sends false information to the host, and then decides which hosts exist according to the response "host unreachable". Currently, normal scanning is easily detected by the firewall, so the hacker uses the common messages that will not trigger firewall rules. These messages include RESET, SYN-ACK, and DNS response.


IV. Slow Scanning


A scan detector decides whether the protected host is being scanned by monitoring the number of connections (for example, 10 per second) that are started to the host within a short period of time. So the hacker can use scanning software with a slower scanning speed to scan the system.
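The evasion described above works only against a detector that looks at a short window. The following is an added example, not a tool from the original document: it runs one sliding-window detector over constructed connection records with two parameter sets, the short window with the 10-per-second threshold the text mentions, and a long window with a threshold on distinct ports, and shows that the slow scan passes the first and is caught by the second. The sample traffic, the one-hour window and the 20-port threshold are assumptions.

```python
"""Port-scan detection that a slow scan is meant to evade, run over
constructed connection records.  Added example; thresholds, window lengths
and sample data are assumptions, not values from the original document."""
from collections import defaultdict

# Constructed connection attempts seen by the protected host:
# (time in seconds, source address, destination port).
FAST_SCAN = [(i * 0.05, "203.0.113.9", 1 + i) for i in range(40)]    # 40 ports in 2 s
SLOW_SCAN = [(60.0 * i, "198.51.100.3", 1 + i) for i in range(40)]   # one port per minute
NORMAL = [(5.0 * i, "192.0.2.20", 80) for i in range(12)] + [(3.0, "192.0.2.21", 443)]


def scanners(events, window_seconds, min_distinct_ports):
    """Return the set of sources that touched at least `min_distinct_ports`
    distinct ports within some sliding window of `window_seconds`."""
    by_src = defaultdict(list)
    for t, src, port in sorted(events):
        by_src[src].append((t, port))
    flagged = set()
    for src, hits in by_src.items():
        lo = 0
        for hi in range(len(hits)):
            # Slide the window start forward until it spans at most window_seconds.
            while hits[hi][0] - hits[lo][0] > window_seconds:
                lo += 1
            if len({p for _, p in hits[lo:hi + 1]}) >= min_distinct_ports:
                flagged.add(src)
                break
    return flagged


def rate_detector(events):
    """The short-window detector described in the text: 10 connections per second."""
    return scanners(events, window_seconds=1.0, min_distinct_ports=10)


def long_window_detector(events):
    """A long horizon with a low threshold on distinct ports catches the slow scan too."""
    return scanners(events, window_seconds=3600.0, min_distinct_ports=20)


if __name__ == "__main__":
    traffic = FAST_SCAN + SLOW_SCAN + NORMAL
    print("rate detector:", sorted(rate_detector(traffic)))
    print("long window  :", sorted(long_window_detector(traffic)))
```

Counting distinct destination ports rather than raw connections is what keeps the busy but legitimate client (twelve connections to port 80) out of both result sets; a longer window costs memory per source, which is the trade-off a detector on a busy host has to make.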

2.3.2 Security Scanning


I. Two Scanning Strategies
There are two security scanning strategies: the passive strategy and the active strategy. The passive strategy is based on the host. This strategy checks the improper settings, weak passwords and other objects that go against the security rules in the system. The active strategy is based on the network. This strategy executes some script files to simulate attacks to the system and records how the system reacts, thus finding the loophole in the system. Scanning that uses the passive strategy is called system security scanning, and scanning that uses the active strategy is called network security scanning.

II. Four Detection Techniques of Security Scanning


Application-based detection
It uses a passive and non-destructive method to check the settings of the application software package, and thus finds security loopholes.

Host-based detection
It uses a passive and non-destructive method to check the system. Usually, it covers problems in the system kernel, file attributes, patches of the operating system, and so on. This technique also includes cracking passwords and eliminating weak passwords. Therefore, this technique locates system problems and detects system loopholes accurately. Its disadvantage is that it depends on the platform, and upgrading this kind of detection software is complicated.

Target-based detection
It uses a passive and non-destructive method to check system attributes and file attributes, such as the database, the registry, and so on. It uses a Message Digest Algorithm (MDA) to check the digest of each file. The mechanism of this technique is a closed loop: it continuously processes the files, the system targets and the attributes of the system targets, generates a detection result, and then compares it with the previous detection result. Once it detects a change, it informs the administrator.

Network-based detection
It uses an active and non-destructive method to check whether the system may be attacked and made to collapse. It uses a series of scripts to simulate attacks on the system and then analyzes the results. It can also check the system against network loopholes that are already known.


Network-based detection techniques are usually used for penetration tests and security audits. Software with this type of technique can detect a series of platform loopholes and is easy to install, but it may also affect network performance.

2.4 Security Problems of Routing Protocols


The attacker spoofs the routing protocols in order to make the device accept, store and transmit false routing information. The attacker illegally obtains the network topology information by receiving the routing information.

2.4.1 Route Spoofing: Attack on the RIP Protocol


Taking advantage of the defects of the Routing Information Protocol (RIP), the attacker sends fake RIP packets and spoofs the device that runs RIP. RIP V1 has no authentication mechanism and does not authenticate the routing information that it receives. RIP V2 is comparatively safer because it has the option to authenticate the information with a plain-text password or with Message Digest 5 (MD5) authentication. In general, RIP is very simple and there are many tools on the network that attack RIP. In terms of security, RIP is weak. Especially when RIP works with other routing protocols, the fake routing information can spread through the other routing protocols once RIP is attacked, and then larger networks are affected.

2.4.2 Route Spoofing: Attack on the BGP Protocol


The Border Gateway Protocol (BGP) uses TCP as its transport protocol, so it inevitably suffers from some TCP attacks, such as the TCP half-open connection attack. BGP packets do not have sequence numbers of their own and depend on the TCP sequence numbers. Therefore, if the TCP implementation run by the device uses predictable sequence numbers, the attacker can use tools to insert fake TCP segments into the TCP flow, and then launch the attack. (The routers of some vendors use random sequence numbers.) Besides, if BGP and RIP are associated (the model in which BGP trusts the routes learned through RIP), BGP will transmit the routing information that it has obtained from RIP. But the protocol is not to blame for this defect. Generally, BGP has a relatively sound security mechanism.

2.4.3 Route Spoofing: Attack on the OSPF Protocol


Open Shortest Path First (OSPF) provides several security mechanisms and is much safer than RIP. However, once the password is sniffed, OSPF is also open to several attacks, in which the attacker inserts false routing information packets to put the attacked device into an unstable state. The prerequisite for these attacks is getting the authentication password, therefore protecting the password is vital. By default, OSPF exchanges the password with adjacent OSPF nodes for authentication every 10 seconds, so the possibility of the password being sniffed increases greatly. Generally, though, it is difficult to attack OSPF.


2.5 Buffer Overflow


Over the past 10 years, buffer overflow has been the most common type of security loophole. What is more serious, buffer overflow makes up the greatest part of remote network attacks. This type of attack enables an anonymous Internet user to obtain the authority to partially or completely control a host. Since this type of attack means that anyone can get control of the host, it represents a most serious threat to security. Buffer overflow loopholes are common and easy to exploit. This is one reason why buffer overflow has become a common method of attack. Another reason is that buffer overflow loopholes give the attacker what he wants: to inject and execute attacking code. The injected attacking code runs with the authority of the program that has the buffer overflow loophole, and thus gets control of the attacked host.

2.5.1 Loopholes of and Attacks to Buffer Overflow


The aim of buffer overflow is to disturb the functions of a program that has some privileges. If the attacker gets control of the program, and if the program has adequate authority, then the attacker can control the entire host. Usually, the attacker attacks a root program and runs execution code such as "exec(sh)" to get a root shell. But it is not always so. In this attack, the attacker must achieve the following two goals:
1) To arrange suitable code in the address space of the program
2) By properly initializing registers and memory, to make the program transfer control to the address space that has been arranged

Based on these two goals, we can classify buffer overflow as follows:

I. Arranging Suitable Codes in the Address Space of the Program


There are two methods to do so:

1) Code Injection
The attacker inputs a character string to the attacked program, and the program puts the character string in a buffer. The data contained in this string is an instruction sequence that can run on the victim's hardware platform. The attacker thus stores the attacking code in a buffer of the victim program. Two points should be noted:
The attacker does not have to overflow any buffer to achieve this end; he only needs enough space for storing the attacking code.
The buffer can be anywhere: the stack (containing the local variables), the heap (the application program dynamically requests memory from the heap) or the static data area (containing initialized or uninitialized data).

2) By Using Existing Code
Sometimes the code that the attacker needs already exists in the attacked program. The attacker then only needs to supply some parameters to the code to make the program transfer to an existing (legal) code segment. For example, the attacking code needs to execute exec("/bin/sh"), and libc (the standard function library, which exists in the form of a file) contains code that executes exec(arg), where "arg" is a pointer parameter that points to a character string. The attacker only needs to change the parameter pointer that he has input so that it points to "/bin/sh". Then the program transfers to the corresponding instruction sequence in libc.

II. Making the Program Transfer to the Attacking Codes


By using all these methods, the attacker tries to change the execution flow of the program and make the program transfer to the attacking code. The basic method is to overflow a buffer without a bounds check or with other defects, thus disturbing the normal execution order of the program. By buffer overflow, the attacker can overwrite the adjacent program space in a nearly violent way and directly escape the system's examination.

1) Activation Records
Whenever a function is called, the caller leaves an activation record on the stack. The activation record contains the address which the function returns to when the call finishes. The attacker usually overflows the automatic variables and points the return address to the attacking code. After the return address is changed, when the function call finishes, the program transfers to the address set by the attacker instead of to the original address. This type of buffer overflow is often called a "stack smashing attack" and is currently a common method of buffer overflow.

2) Function Pointers
"void (* foo)()" declares a variable "foo" that is a pointer to a function returning "void". A function pointer can be located in any address space, therefore the attacker only needs to find a buffer that can be overflowed near a function pointer in any space. Then he overflows the buffer to change the function pointer. At a certain moment, when the program calls the function through the function pointer, the program flow goes where the attacker intended. One instance of this attack is the superprobe program on the Linux system.

3) Longjmp Buffers
The C language contains a simple checkpoint/recovery mechanism called setjmp/longjmp. It means setting "setjmp(buffer)" at the checkpoint, and calling "longjmp(buffer)" to recover to the checkpoint. However, if the attacker can enter the space of the buffer, "longjmp(buffer)" actually transfers to the code of the attacker. Just like a function pointer, the longjmp buffer can point anywhere, so what the attacker needs to do is to find a buffer that can be overflowed. An example is Perl 5.003. The attacker first enters the longjmp buffer which is used for recovering from buffer overflow, and then induces the longjmp buffer to enter the recovering mode, so the Perl interpreter transfers to the attacking code.

III. The Integrated Technology of Code Injection and Flow Control


The simplest and most common method of buffer overflow is to integrate code injection and activation record modification in one character string. The attacker locates an automatic variable that can be overflowed, transmits a large character string to the program, changes the activation record by inducing buffer overflow, and meanwhile injects the code. This is the attack template pointed out by Levy. Since C programs open only a small buffer for user input and parameters, attacks aiming at such loopholes are really common. Code injection and buffer overflow need not necessarily be completed in one action. The attacker can inject the code in one buffer without overflowing it, and then overflow another buffer to transfer the program pointer. This method applies to a buffer with little space for overflow (the space cannot hold all the code). If the attacker attempts to use resident code instead of injecting external code, the attacker usually needs to parameterize the code. For example, some code segments in libc (almost all C programs link against libc) can execute "exec(something)", where "something" is the parameter. The attacker then uses a buffer overflow to change the program parameter, and uses another buffer overflow to point the program pointer to the specified code segment in libc.

2.5.2 Protection Against Buffer Overflow


Currently, there are four basic methods to protect the buffer from the attack and influence of overflow.

I. Writing Correct Codes


Writing correct code is a highly significant but also time-consuming task, especially in an error-prone language such as C (for example, a character string ends with a 0 byte). This style of language results from the traditional emphasis on performance and neglect of correctness. Though much time has been spent getting people to understand how to write safe programs, programs with security loopholes still come out. Therefore some tools and technologies have been developed to help inexperienced programmers write safe and correct programs. The simplest method is using grep to search the source code for library calls that are apt to produce loopholes, for example strcpy and sprintf: these two functions do not check the length of the input parameters. In fact, this problem exists in different versions of the standard C library. In order to discover common loopholes such as buffer overflow and race conditions in program/task design, code checking teams check a lot of code, but errors still slip through. Though substitute functions like strncpy and snprintf are used to prevent buffer overflow, errors still occur due to intrinsic problems of code writing. Take the example of the lprm program: though it had passed the code security check, buffer overflow still occurred in it. Though these tools help the programmer develop safer programs, they cannot reveal all buffer overflow loopholes due to the characteristics of the C language. Therefore, error-detection technology can only reduce the possibility of buffer overflow, but cannot absolutely eliminate it. Unless the programmer can ensure that he is always correct, we still need further measures to guarantee the reliability of programs.
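The grep-style check described above is easy to automate, and the one refinement worth adding is to ignore matches inside comments and string literals, which a plain grep cannot do. The following is an added example, not a tool from the original document: it scans constructed C source for the unbounded calls the text names (strcpy, sprintf) together with a few conventional additions (strcat, vsprintf, gets), and reports the bounded substitute for each. The call table, the substitutes and the sample source are assumptions.

```python
"""A grep-style scan of C source for library calls that do not bound their
output, skipping comments and string literals.  Added example, not a tool
from the original document; the call list and the sample source are
assumptions."""
import re

# Unbounded call -> bounded substitute.  strcpy/sprintf and their substitutes
# are the ones named in the text; the others are conventional additions.
UNSAFE_CALLS = {
    "strcpy": "strncpy (and terminate the buffer explicitly)",
    "strcat": "strncat",
    "sprintf": "snprintf",
    "vsprintf": "vsnprintf",
    "gets": "fgets",
}

CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(map(re.escape, UNSAFE_CALLS)))


def _code_only(line, in_block):
    """Blank out string literals and comments in one line.
    Returns (remaining code, whether a /* ... */ comment is still open)."""
    out = []
    i = 0
    while i < len(line):
        if in_block:
            end = line.find("*/", i)
            if end == -1:
                return "".join(out), True
            i = end + 2
            in_block = False
        elif line.startswith("/*", i):
            in_block = True
            i += 2
        elif line.startswith("//", i):
            break
        elif line[i] == '"':
            j = i + 1
            while j < len(line) and line[j] != '"':
                j += 2 if line[j] == "\\" else 1   # skip escaped characters
            out.append('""')
            i = j + 1
        else:
            out.append(line[i])
            i += 1
    return "".join(out), in_block


def find_unsafe_calls(source):
    """Return [(line_no, function, suggestion)] for every unbounded call."""
    findings = []
    in_block = False
    for line_no, line in enumerate(source.splitlines(), 1):
        code, in_block = _code_only(line, in_block)
        for m in CALL_RE.finditer(code):
            name = m.group(1)
            findings.append((line_no, name, UNSAFE_CALLS[name]))
    return findings


# Constructed C source: two unbounded calls, one decoy in a string literal,
# and a bounded substitute that must not be reported.
SAMPLE_SOURCE = r'''#include <stdio.h>
#include <string.h>
/* legacy helper: copies the user name without a length check */
void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);            /* unbounded: overflows when name is long */
    sprintf(buf, "hi %s", name);  // unbounded for the same reason
    printf("%s\n", "strcpy( inside a string literal is not a call");
    strncpy(buf, name, sizeof buf - 1);  /* bounded substitute */
    buf[sizeof buf - 1] = '\0';
}
'''

if __name__ == "__main__":
    for line_no, name, suggestion in find_unsafe_calls(SAMPLE_SOURCE):
        print("line %d: %s() -> consider %s" % (line_no, name, suggestion))
```

As the text says of such tools, this is a filter, not a proof: a bounded call with a wrong length argument, or a hand-written loop that copies past the end of an array, produces no finding at all.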

II. Non-executable Buffer


When the address space of the program's data segment is set as non-executable, the attacker cannot execute the code that is injected into a buffer of the attacked program. This technology is called the non-executable buffer. In fact, many early UNIX systems were designed with this technology. Yet in order to provide better performance and functions, later UNIX and MS Windows systems allow dynamically generated code to be placed in the data segment and executed. To keep program compatibility, it is impossible to make the data segments of all programs non-executable.

III. Checking Array Bounds


Code injection not only causes buffer overflow, but also disturbs the execution flow of the program. Unlike the protection method of inexecutable buffer, the technology of checking array border completely avoids the occurrence and attack of buffer overflow. Thus, as long as the array cannot be overflowed, there is no chance for overflow.

To realize array border checking, every "read" and "write" operation on an array must be checked to ensure that the operation is safe. The direct method is to check every array operation; usually some optimization techniques can be used to reduce the number of checks.

IV. Checking the Integrity of Program Pointers


Checking the integrity of program pointers differs slightly from checking array borders. The latter prevents the program pointer from being changed; the former detects whether the program pointer has been changed before it is used. Thus, even if the attacker has successfully changed the program pointer, the changed pointer will not be used, because the system has detected the change beforehand. Compared with array border checking, this method cannot solve all buffer overflow problems, and it is unnecessary if other methods are used to solve buffer overflow. Yet it features good performance and excellent compatibility.
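As an added illustration of methods III and IV (example code written for this page, not from the original document or any Huawei product), the following C program refuses a string that would not fit its array instead of copying it blindly as strcpy would, and keeps an encoded copy of a program pointer so that a corrupted pointer is detected before it is called. The record layout, GUARD_KEY and the handler functions are constructed for the example, and the corruption is simulated by overwriting the pointer field directly rather than by a real overflow.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*handler_fn)(void);

/* Constructed record: a fixed-size name buffer followed by a program pointer,
 * the kind of layout a buffer overflow would corrupt. `guard` holds an encoded
 * copy of `handler`, made whenever the pointer is legitimately set. */
struct record {
    char name[16];
    uintptr_t guard;
    handler_fn handler;
};

/* Fixed key so the example is deterministic; a real implementation would
 * choose it at program start so that an attacker cannot predict it. */
static const uintptr_t GUARD_KEY = (uintptr_t)0x5A3C96E1u;

void default_handler(void) { puts("default handler ran"); }
void other_function(void) { puts("other function ran"); }

/* Legitimate way to set the program pointer: store it and its encoded copy. */
void record_set_handler(struct record *r, handler_fn h) {
    r->handler = h;
    r->guard = (uintptr_t)h ^ GUARD_KEY;
}

/* Method III, array border check: strcpy() does not know the size of the
 * destination, so the length is checked explicitly and an input that would
 * not fit (including its terminating 0 byte) is rejected instead of copied. */
int set_name_checked(struct record *r, const char *src) {
    size_t n = strlen(src);
    if (n >= sizeof r->name)
        return -1;                 /* would overflow: refuse the write */
    memcpy(r->name, src, n + 1);   /* copies the terminator as well */
    return 0;
}

/* Method IV, program-pointer integrity check: before the pointer is used it
 * is re-encoded and compared with the saved copy. A pointer overwritten by an
 * overflow no longer matches and is never called. Returns 1 if the handler
 * was called, 0 if tampering was detected. */
int call_handler_checked(const struct record *r) {
    if (((uintptr_t)r->handler ^ GUARD_KEY) != r->guard)
        return 0;
    r->handler();
    return 1;
}

/* Simulates what an overflow of `name` would do to the field after it,
 * without actually writing out of bounds. */
void simulate_pointer_corruption(struct record *r, handler_fn injected) {
    r->handler = injected;
}

int main(void) {
    struct record r;
    memset(&r, 0, sizeof r);
    record_set_handler(&r, default_handler);

    printf("short name accepted:     %d\n", set_name_checked(&r, "admin") == 0);
    printf("overlong name rejected:  %d\n",
           set_name_checked(&r, "this string is longer than fifteen bytes") == -1);
    printf("intact pointer called:   %d\n", call_handler_checked(&r));

    simulate_pointer_corruption(&r, other_function);
    printf("corrupted pointer called: %d\n", call_handler_checked(&r));
    return 0;
}
```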

Chapter 3 Security Problems of Other Protocols


3.1 Security at the Network Layer
3.1.1 Source IP Address Spoofing
The IP protocol forwards IP packets according to the destination address field in the IP packet header. If the destination address is on the local network, the packet is delivered directly to the destination; otherwise it is first sent to the gateway and forwarded onward, depending on the gateway. This is the processing method specified by the IP protocol. When routing an IP packet, the IP protocol does not check the source IP address in the packet header at all; it simply assumes that the source IP address in the header is the address of the device that sent the packet. When the destination host replies to the source host, it takes the source IP address from the header of the packet it received as the destination address of the packets it sends, and exchanges data with that host. Simple and highly efficient, this mode of communication is also a security hazard of the IP protocol, and many network security incidents result from this weakness.

I. Types of Source IP Address Spoofing


The security hazard of the IP protocol leaves the TCP/IP network open to two types of attack.

1) DOS Attack

The most common attack is DOS.


Take the TCP-SYN Flood attack as an example. The attacker sends a large number of TCP-SYN packets to the attacked host. The source address in these packets is not the IP address of the attacking host but an address faked by the attacker. After receiving a TCP-SYN packet, the attacked host allocates some resource for a TCP connection, takes the (faked) source address of the packet as the destination address, and sends a TCP-(SYN+ACK) response to it. Since the fake IP address is chosen carefully by the attacker and does not exist at all, the attacked host never receives a response to the TCP-(SYN+ACK) packet it sent, so its TCP state machine stays in the waiting state. If the TCP state machine is configured with timeout control, the resource allocated to the connection is not released until the state machine times out. Therefore, if the attacker sends enough TCP-SYN packets fast enough, the TCP module of the attacked host suffers DOS, because it can no longer allocate system resource to new TCP connections. Moreover, even if the network administrator of the attacked host captures the attacker's packets, he cannot identify the attacker from the source address in the IP packet header. The TCP-SYN Flood attacker is not the only one who fakes the source IP address. Taking advantage of the IP protocol not checking the source address, attackers of every kind put a fake source IP address in the packet header so that they will not be discovered.

2) Hijack Attack

The defect of the IP protocol brings another common hazard to the TCP/IP network: the hijack attack, in which the attacker obtains privileges by attacking the victim host. This attack only works on hosts that authenticate based on the source address, that is, that take the IP address as the criterion for granting security authority. Take the firewall as an example: the firewalls of some networks permit only IP packets that come from networks trusted by their own network to pass. Yet since the IP protocol does not check whether the source IP address in the packet is the authentic address of the host that sent it, the attacker can still get past the firewall by source IP address spoofing. Some network application programs also use the IP address as the criterion for granting security authority; the attacker can obtain privileges from them by source IP address spoofing as well, causing serious loss to the victim.

II. Solution
We cannot eliminate the security hazard caused by this inherent defect of the IP protocol; we can only take remedial measures to minimize the danger. An ideal countermeasure is this: before the gateway or router connecting the LANs permits an IP packet from the extranet to enter the LAN, it must check the packet, and if the source IP address is an address that exists on the LAN the packet is entering, the gateway or router refuses to let the packet in. This solves the problem well.


But some Ethernet cards receive the packets they have sent themselves, and in practice some LANs need a trust relationship to share resources. Therefore, this solution is not very practical. Another countermeasure is to check the source IP address when the IP packet leaves the LAN. That is, before the gateway or router connecting the LANs permits an IP packet to be sent out of the LAN, it must check the source IP address, and if the source address is not an address that exists on the LAN the packet is leaving, the gateway or router refuses to let it out. Thus, to pass through the gateway or router, the attacker needs at least an IP address that exists on the LAN he has entered, and if he launches an attack it is easy to trace him by the source IP address of the packets he sent. It is recommended that the gateway and router of every ISP or LAN check and filter the source IP address of the packets sent out of the LAN. If every gateway and router worked this way, source IP address spoofing would never work. Currently, not every gateway or router does so, and the network administrator has to supervise the network under his management as closely as possible, always on the lookout for possible attacks.
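The two countermeasures above, as an added example in C (written for this page, not taken from the original document or from any router's actual filtering code): inbound packets that claim a source address inside the LAN are dropped, and outbound packets whose source address is not inside the LAN are dropped. The LAN prefix, the sample addresses and the parsing helpers are constructed for the example; addresses are IPv4 in host byte order.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the device at the LAN border: it checks the source
 * address of each IP packet against the LAN's own prefix. */
struct lan {
    uint32_t prefix;   /* network address of the LAN */
    uint32_t mask;     /* netmask, e.g. 0xFFFFFF00 for a /24 */
};

enum direction { INBOUND = 0, OUTBOUND = 1 };
enum verdict { DROP = 0, PASS = 1 };

/* Parses "a.b.c.d" into a host-order address; returns 1 on success, 0 on a
 * malformed string. */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Parses "a.b.c.d/n" into a struct lan; returns 1 on success. */
int parse_lan(const char *cidr, struct lan *out) {
    char addr[16];
    unsigned bits;
    uint32_t ip;
    if (sscanf(cidr, "%15[0-9.]/%u", addr, &bits) != 2 || bits > 32)
        return 0;
    if (!parse_ipv4(addr, &ip))
        return 0;
    out->mask = bits == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - bits));
    out->prefix = ip & out->mask;
    return 1;
}

static int in_lan(const struct lan *l, uint32_t ip) {
    return (ip & l->mask) == l->prefix;
}

/* The two filtering rules from the text:
 *  INBOUND  (extranet -> LAN): a packet claiming a LAN source address cannot
 *           legitimately arrive from outside, so it is dropped.
 *  OUTBOUND (LAN -> extranet): a packet whose source is not a LAN address was
 *           forged by a host on this LAN, so it is dropped. */
enum verdict source_address_filter(const struct lan *l, enum direction dir,
                                   uint32_t src) {
    int local = in_lan(l, src);
    if (dir == INBOUND)
        return local ? DROP : PASS;
    return local ? PASS : DROP;
}

/* Same check on a dotted-quad string; unparsable addresses are dropped too. */
enum verdict filter_packet(const struct lan *l, enum direction dir,
                           const char *src) {
    uint32_t ip;
    if (!parse_ipv4(src, &ip))
        return DROP;
    return source_address_filter(l, dir, ip);
}

int main(void) {
    /* Constructed sample: the protected LAN and a few packet source addresses. */
    struct lan l;
    const char *inbound[]  = { "192.168.1.20", "203.0.113.9" };
    const char *outbound[] = { "192.168.1.20", "10.9.8.7" };
    int i;
    if (!parse_lan("192.168.1.0/24", &l))
        return 1;
    for (i = 0; i < 2; i++)
        printf("inbound  src %-14s -> %s\n", inbound[i],
               filter_packet(&l, INBOUND, inbound[i]) == PASS ? "pass" : "drop");
    for (i = 0; i < 2; i++)
        printf("outbound src %-14s -> %s\n", outbound[i],
               filter_packet(&l, OUTBOUND, outbound[i]) == PASS ? "pass" : "drop");
    return 0;
}
```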

3.1.2 The Attack with Over-long Reassembled IP Fragments and Its Solution
The Internet is composed of numerous connected networks, which usually have different Maximum Transmission Units (MTUs). To transmit IP packets correctly across networks with different MTUs, the IP protocol provides the function of fragmenting and reassembling IP packets. That is, to transmit an IP packet to a network with a smaller MTU, the IP protocol takes the MTU of the destination network as the maximum length of the packet: it fragments the packet generated with the larger MTU of the local network, and then sends the fragments to the destination host. When the fragments reach the IP protocol of the destination host, it finds that the packets that have arrived are not complete packets and buffers them first. When all the related fragments have arrived, the IP protocol reassembles them into one complete packet and passes it to the upper-layer protocol. The following four fields in the IP header identify all fragments that belong to one complete IP packet:

The Identification field
The Protocol field
The Source address field
The Destination address field

In the Flags field of the IP header, the DF bit indicates whether the packet may be fragmented, and the MF bit indicates whether this packet is a fragment with more fragments to follow. The Fragment offset field in the IP header indicates the position of this fragment in the original complete packet. It is based on these six fields that the IP protocol fragments and reassembles IP packets. To reassemble, the IP protocol collects all fragments whose MF bit is 1 (that is, those belonging to the same complete packet) into one IP packet, until it receives a fragment with the MF bit set to 0, which is the last fragment.

The length of the reassembled IP packet is obtained by adding the data lengths of the fragments. The length field in the IP header is only 16 bits, which means the maximum length of an IP packet is 65535. If the lengths of the received fragments add up to more than 65535 and the IP protocol has not checked for this, the IP protocol will crash or fall into service failure because of the overflow. Normally this does not occur, but such a hazard usually becomes an opportunity for the attacker, and it exists in the operating systems of many networks. The infamous Ping attack is based on exactly this hazard. Ping is a common program for diagnosing the network condition. Actually, it sends an ICMP packet of type "ECHO_REQUEST" to the destination host according to the Internet Control Message Protocol (ICMP). If the ICMP module of the destination host receives the packet, it responds to the source host with an ICMP packet of type "ECHO_RESPONSE". If no "ECHO_RESPONSE" packet arrives within the specified time, ping times out and reports that the destination address is unreachable. The Ping attack also sends an "ECHO_REQUEST" packet to the attacked host, but in this case the packet is composed of a series of IP fragments crafted by the attacker whose lengths add up to more than 65535. The aim of the attacker is to make the IP protocol of the destination host reassemble these fragments and confront it with an IP packet whose length exceeds 65535.

Solution: When reassembling fragments, the IP protocol must carefully check for and handle an IP packet whose length would exceed 65535. On discovering fragments whose lengths accumulate to more than 65535, the IP protocol must discard all the fragments received so far and release the resource they occupy.
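The solution above, as an added example in C (written for this page, not from the original document or any real IP stack): fragments are grouped by the four identifying fields, the MF flag and the fragment offset described in the text, and a fragment that would push the reassembled datagram past the 65535-byte limit causes everything received for that datagram to be discarded. The sample datagram, its fragment offsets and the reassembly structures are constructed; only lengths are tracked, and duplicate or overlapping fragments are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MAX_TOTAL_LEN 65535u  /* limit imposed by the 16-bit length field */
#define IP_MIN_HDR_LEN   20u     /* IP header without options */
#define IP_MAX_PAYLOAD   (IP_MAX_TOTAL_LEN - IP_MIN_HDR_LEN)  /* 65515 bytes */

/* The four header fields that identify the fragments of one datagram:
 * Identification, Protocol, Source address, Destination address. */
struct frag_key { uint16_t id; uint8_t proto; uint32_t src; uint32_t dst; };

/* One fragment as it arrives. offset8 is the Fragment offset field in units
 * of 8 bytes as in the header, mf the MF flag, data_len the payload bytes. */
struct fragment { struct frag_key key; uint16_t offset8; int mf; uint16_t data_len; };

/* Reassembly state for one datagram. Only lengths are tracked here; a real
 * stack also buffers the payload. total_len is known once MF=0 arrives. */
struct reasm_ctx {
    int active, have_last;
    struct frag_key key;
    uint32_t bytes_received, total_len;
};

enum { REASM_PENDING = 0, REASM_COMPLETE = 1, REASM_DROPPED = -1 };

static int key_eq(const struct frag_key *a, const struct frag_key *b) {
    return a->id == b->id && a->proto == b->proto &&
           a->src == b->src && a->dst == b->dst;
}

/* Discards everything received for the datagram and releases the context. */
void reasm_reset(struct reasm_ctx *ctx) { memset(ctx, 0, sizeof *ctx); }

/* Feeds one fragment to the reassembler. Returns REASM_DROPPED when the
 * fragment would push the reassembled datagram past the 65535-byte limit,
 * REASM_COMPLETE when the last byte has arrived, REASM_PENDING otherwise.
 * Duplicate and overlapping fragments are not modelled. */
int reasm_add(struct reasm_ctx *ctx, const struct fragment *f) {
    uint32_t start = (uint32_t)f->offset8 * 8u;
    uint32_t end = start + f->data_len;   /* one past this fragment's last byte */
    if (!ctx->active) {
        reasm_reset(ctx);
        ctx->active = 1;
        ctx->key = f->key;
    } else if (!key_eq(&ctx->key, &f->key)) {
        return REASM_PENDING;   /* another datagram; not tracked by this context */
    }
    /* The check the text calls for: header plus payload may not exceed
     * 65535 bytes, so a fragment ending beyond 65515 payload bytes causes
     * the whole datagram to be discarded and its resources released. */
    if (end > IP_MAX_PAYLOAD) {
        reasm_reset(ctx);
        return REASM_DROPPED;
    }
    ctx->bytes_received += f->data_len;
    if (!f->mf) {               /* MF=0 marks the last fragment */
        ctx->have_last = 1;
        ctx->total_len = end;
    }
    if (ctx->have_last && ctx->bytes_received >= ctx->total_len) {
        reasm_reset(ctx);
        return REASM_COMPLETE;
    }
    return REASM_PENDING;
}

/* Runs a sequence of fragments through one context; returns the verdict at
 * the point the datagram completes, is dropped, or the sequence runs out. */
int reassemble_sequence(const struct fragment *frags, int n) {
    struct reasm_ctx ctx;
    int i, rc = REASM_PENDING;
    reasm_reset(&ctx);
    for (i = 0; i < n && rc == REASM_PENDING; i++)
        rc = reasm_add(&ctx, &frags[i]);
    return rc;
}

/* Builds a fragment of a constructed sample datagram: ICMP (protocol 1),
 * 10.0.0.1 -> 10.0.0.2, identification 0x1234. */
struct fragment sample_frag(uint16_t offset8, int mf, uint16_t data_len) {
    struct fragment f = { { 0x1234, 1, 0x0A000001u, 0x0A000002u }, offset8, mf, data_len };
    return f;
}

int main(void) {
    struct fragment normal[4], oversized[2];
    normal[0] = sample_frag(0, 1, 1480);        /* 1480 payload bytes = 185 units */
    normal[1] = sample_frag(185, 1, 1480);
    normal[2] = sample_frag(370, 1, 1480);
    normal[3] = sample_frag(555, 0, 100);
    oversized[0] = sample_frag(0, 1, 1480);
    oversized[1] = sample_frag(8191, 0, 1480);  /* starts at 65528: 65528 + 1480 > 65515 */
    printf("normal datagram:    %d (1 = complete)\n", reassemble_sequence(normal, 4));
    printf("oversized datagram: %d (-1 = dropped)\n", reassemble_sequence(oversized, 2));
    return 0;
}
```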

3.2 Security at the Transport Layer


In Internet application protocols, Inter-process Communication (IPC) in the broad sense is usually used for communicating with security protocols at different layers. Two popular IPC programming interfaces are BSD Sockets and the Transport Layer Interface (TLI), both of which are available on UNIX System V. To provide secure service on the Internet, the first idea is to enhance its IPC interface, such as BSD Sockets: in detail, to authenticate the entities at both ends, to exchange the data encryption key, and so on. Netscape followed this idea and specified the Secure Sockets Layer (SSL) protocol, which is based on a reliable transport service (such as that provided by TCP/IP). SSL V3 was published in December 1995. It mainly includes the following two protocols:

1) The SSL Record Protocol: fragments, compresses, authenticates and encrypts the information provided by the application program. SSL V3 supports MD5 and the Secure Hash Algorithm (SHA) for authenticating the data, and RC4 and the Data Encryption Standard (DES) for encrypting it. The keys for authenticating and encrypting the data are negotiated by the SSL Handshake Protocol.

2) The SSL Handshake Protocol: exchanges the version number, the encryption algorithm, (mutual) identity authentication and the key. SSL V3 supports the Diffie-Hellman key exchange algorithm, the key exchange mechanism based on the Rivest-Shamir-Adleman (RSA) cryptographic algorithm, and another key exchange mechanism based on the Fortezza chip.


Netscape has released its SSL reference implementation (SSLref) to the public. Another free SSL implementation is called SSLeay. SSLref and SSLeay provide all TCP/IP applications with the SSL function. The Internet Assigned Numbers Authority (IANA) has assigned fixed port numbers to TCP/IP applications with the SSL function: for example, port 443 is assigned to HTTP over SSL (https), port 465 to SMTP over SSL (ssmtp), and port 563 to NNTP over SSL (snntp). Microsoft launched an improved version of SSL2, the Private Communication Technology (PCT). At least in terms of the record format used, SSL and PCT are highly similar; their main difference lies in the value of the most significant bit of the version number field, which is 0 for SSL and 1 for PCT. With this difference, the two protocols can be distinguished and supported side by side. In April 1996, the Internet Engineering Task Force (IETF) authorized a Transport Layer Security (TLS) working group to draft the Transport Layer Security Protocol (TLSP), which will be formally submitted to the Internet Engineering Steering Group (IESG) as a proposed standard. TLSP resembles SSL in many respects. One advantage of a security mechanism at the network layer is its transparency: security service can be provided without any change at the application layer. This is impossible at the transport layer. In theory, every TCP/IP application that uses TLSP, SSL or PCT must be modified to add the corresponding new functions, and must use a (slightly) different IPC interface. Therefore the disadvantage of a security mechanism at the transport layer is that both the IPC interface at the transport layer and the application program have to be modified.
However, compared with security mechanisms at the network layer and the application layer, the modification needed here is rather small. Another disadvantage is that it is difficult to establish a transport-layer security mechanism for UDP-based communication. Compared with the security mechanism at the network layer, the advantage of the security mechanism at the transport layer is that it provides process-to-process (instead of host-to-host) security service. Combined with security service at the application layer, this advantage lets the security mechanism take a great leap forward.

3.3 Security at the Application Layer


A security protocol at the network layer (or transport layer) adds security attributes to the data channel between hosts (or processes). Essentially, a real (and perhaps encrypted) data channel is established between hosts (or processes), but the channel cannot distinguish the security requirements of a specific file transmitted on it. For example, when a secure IP channel is established between two hosts, all IP packets transmitted on it are encrypted automatically. Likewise, when a secure data channel is established between two processes through TLSP, all messages between the two processes are encrypted automatically. A security mechanism at the application layer is needed to distinguish the different security requirements of a specific file. Providing security service at the application layer is the most flexible way to handle the security requirements of a single file. For example, a signed e-mail system may need to encrypt certain paragraphs of the mail it sends, while the lower-layer protocol that provides security functions usually does not know the paragraph structure of the mail to be sent,

therefore the protocol does not know which part to sign. The application layer is the only layer that can provide this kind of security service. Generally, there are several ways to provide security service at the application layer. The first is to modify every application program (and application protocol) individually. Some major TCP/IP application programs already support this. In RFC1421 to RFC1424, IETF specifies Privacy Enhanced Mail (PEM) to provide security service for the SMTP-based e-mail system. For various reasons, the Internet industry has been slow in adopting PEM. One main reason is that PEM depends on an existing and operational Public Key Infrastructure (PKI). The PEM PKI is structured in layers, consisting of the following three:

Top layer: the Internet Policy Registration Authority
Middle layer: the Policy Certification Authority (PCA)
Bottom layer: the Certification Authority (CA)

Establishing a PEM-standard PKI is also a political process, because it requires multiple parties to trust a common point; unfortunately, as history has proved, a political process always takes time. As an intermediate step, Phil Zimmermann developed a software package, Pretty Good Privacy (PGP). PGP meets most PEM standards but does not require a PKI. On the contrary, PGP adopts a distributed trust model: every user decides for himself which users he trusts. Thus PGP does not propose a PKI for the entire network; instead, it lets each user establish a trust network for himself. But one problem arises immediately: in the distributed trust model, what happens when a key is revoked? S-HTTP is the security-enhanced version of the Hypertext Transfer Protocol (HTTP) used on the Web, designed by IETF. S-HTTP provides a security mechanism on a per-file basis, so every file can be set to the private and/or signed state.
The algorithms for encryption and signature can be negotiated by the receiver and the sender participating in the communication. S-HTTP supports many one-way hash functions, such as MD2, MD5 and SHA; many single-key mechanisms, such as DES, triple DES, RC2, RC4 and the Commercial Data Masking Facility (CDMF); and digital signature mechanisms such as RSA and the Digital Signature Standard (DSS). Currently, there is no public standard for Web security yet. Such a standard can only be enacted by the WWW Consortium, IETF or other related standardization organizations, and the formal standardization process can take several years; it will happen only when all the standardization organizations fully realize the significance of Web security. S-HTTP and SSL provide Web security from different perspectives: S-HTTP distinguishes between "private" and "signed" messages, whereas SSL treats the data channels between the communicating processes as "private" and "authenticated". The Secure Web tool software package developed by the Terisa Company provides security functions for any kind of Web application. It includes the encryption algorithm library of RSA Data Security and completely supports SSL and S-HTTP. This tool package is also applied to e-business, especially to credit card transactions. To make credit card transactions on the Internet safer, MasterCard, together with IBM, Netscape, GTE and Cybercash, specified the Secure Encryption Payment Protocol (SEPP), while Visa International and Microsoft, together with other companies, specified the Secure Transaction Technology (STT) protocol. Meanwhile, MasterCard, Visa and Microsoft have coordinated to launch secure credit card transaction service on the Internet. They released the corresponding

Secure Electronic Transaction (SET) protocol, which specifies how the cardholder pays by credit card on the Internet. This mechanism is backed by a certification infrastructure that supports X.509 certificates. In applying the security functions mentioned above, we are confronted with a primary problem: applying every single function needs a corresponding modification. It would therefore be ideal to have a unified method of modification. One step in this direction is the Secure Shell (SSH) developed by Tatu Ylönen of Helsinki University. SSH enables the user to log in to a remote host securely, execute commands and transfer files. It implements a key exchange protocol and a protocol for authenticating the host and the client. SSH has many popular free versions that run on UNIX platforms, and also a commercial version packaged and marketed by the Data Fellows Company. Pushing the SSH idea one step further, we get the authenticated key distribution scheme, which actually provides an Application Programming Interface (API). The API provides security service for all kinds of network application programs, for example authentication, data confidentiality and integrity, access control and non-repudiation service. Currently, some practical authenticated key distribution schemes have been developed and widely applied, for example Kerberos (V4 and V5) by the Massachusetts Institute of Technology (MIT), CryptoKnight and Network Security Program by IBM, SPX by DEC, and TESS by Karlsruhe University. There are also modifications and extensions of the authenticated key distribution scheme: for example, SESAME and OSF DCE extend the service of Kerberos V5 by adding access control, and Yaksha extends it by adding non-repudiation service.
A problem confronting the authenticated key distribution scheme is its lack of popularity on the Internet. One reason is that it still requires modifying the application program. Taking this into account, it is crucial for the authenticated key distribution scheme to provide a standardized secure API. If this is realized, R&D engineers no longer have to modify an entire application program to add only a few security functions. Therefore, the most prominent progress in the field of authentication system design is the development of a standardized secure API, namely the Generic Security Services API (GSS-API). Obviously, GSS-API (V1 and V2) is too technical for a programmer who is not a security expert. However, researchers at the University of Texas at Austin have pushed the API to a higher level than GSS-API by developing Secure Network Programming (SNP), which makes programming for network security easier.


Chapter 4 Security Strategies


4.1 What Is Security?
Security consists of five basic elements: confidentiality, integrity, availability, controllability and auditability.

Confidentiality: The information is not revealed to unauthorized entities or processes.
Integrity: Only authorized persons can modify the data, and it can be checked whether the data has been modified by an unauthorized entity.
Availability: Authorized entities can access the data when necessary; that is, the attacker cannot occupy all the resources and hamper the work of authorized entities.
Controllability: The flow direction and behavior of information within the authorized scope are controllable.
Auditability: Criteria and methods are available to audit network security problems that have occurred.

4.2 Security Service, Mechanism and Technology


Security Service: includes service control, data confidentiality, data integrity, object authentication and non-repudiation service.
Security Mechanism: includes the mechanisms of access control, encryption, authentication exchange, digital signature, protection against traffic flow analysis, and route control.
Security Technology: includes the technologies of firewall, encryption, identification, digital signature, audit control, anti-virus technology and virus prevention.

In a secure and open environment, the user can use different kinds of security application programs. A security application program is implemented by some security service, and security service is implemented by various security mechanisms or security technologies. It should be pointed out that the same security mechanism can sometimes implement different security services.

4.3 Network Security System


In a broad sense, security includes physical security, network security and information security. Given Huawei's strategic orientation as a network device provider and its current condition, physical security is not included in Huawei's product catalogue.

Therefore the products of the security system focus on network security and information security, centered on access control, security detection, user authentication and transmission security. The anti-virus function can be integrated with the products of other companies, while backup recovery, audit control, storage security and content audit are mainly management methods and measures in the operating process. Of course, security management is also vital: Huawei should provide a unified management platform and user interface for its security products, to facilitate the user's security management. The following figure shows the security technology system.

Figure 4-1 Security technology system
[Figure 4-1 is not reproduced here. Its labels: Security management; Key points: physical security, network security, information security; elements: environment security, media security, equipment security, access control, security detection, user authentication, transmission security, anti-virus, backup recovery, audit monitoring, storage security, content audit; Security system.]


Chapter 5 Security Technologies


5.1 CallBack
CallBack is the callback technology. The client starts a call first and requests the server to call it back. The server accepts the call and decides whether it will call the client back. CallBack enhances security: when processing a callback, the server calls the client at the number configured on the server, thus avoiding the security problems that a username/password losing confidentiality may cause. Besides, according to its configuration, the server can process a call request differently, that is, reject the call, accept the call (without callback) or accept it with callback. So the server can restrict different clients differently, and the server is the side that decides on access to the resource for an incoming call. CallBack also features the following advantages:

Saving the call fee (when the call fee rates of the two calling directions differ)
Changing the payer of the call fee
Combining the call fee bills

Huawei devices support two types of CallBack: callback directly to the caller number, and callback to the number carried in the Point-to-Point Protocol (PPP) negotiation. Callback directly to the caller number does not need PPP: the server directly checks whether the caller's number matches the number configured on the server, so only the server needs the corresponding configuration and the client needs no modification. Callback to the number carried in the PPP negotiation requires configuring the username and password on the client and the corresponding callback number string on the server. This mode of callback supports the following three conditions:

1) The server and the client both have fixed network-layer addresses, and both implement RFC1570.
2) The client needs a dynamically allocated network-layer address.
3) Only the server implements RFC1570.

This shows that, in the mode of callback directly to the caller number, the server rejects an illegal telephone number. In the mode of callback to the number carried in the PPP negotiation, even if an illegal user has obtained a legal username and password, the server only calls back over the line that has been configured, thus denying access to the illegal user and ensuring the security of the server.

5.2 AAA: Authentication, Authorization and Accounting


AAA provides the functions of user authentication, authorization and accounting.

Authentication


The user (including the login user, PPP access user and so on) must be authenticated before he is allowed to access network resources. The user can be authenticated either against the user database maintained by the router, or against the user database maintained by the Remote Authentication Dial-In User Service (RADIUS) server.

Authorization
A group of attributes is defined to describe the user's authority information and decide the user's actual access authority. The information is stored in the database maintained by the RADIUS server. For the access user, the user's "filterID" attribute can be used to decide the type of rule for filtering the user's packets.

Accounting
With the accounting function, AAA can track and audit user activity, such as access to network resources. When accounting is enabled, the network access server sends the user activity information to the RADIUS server in a certain accounting format. The information is stored on the server for analyzing the network running condition, creating user bills, and so on.

The AAA network security service provides a main framework for identity authentication and access control. AAA can be implemented by one or more protocols, such as RADIUS, TACACS and Kerberos. The AAA and RADIUS implemented by Huawei devices support the following features:

1) Authenticating the user ID and authorizing the user, including the access user, login user (such as the Telnet user) and so on; authenticating the caller number.
2) Charging on the basis of time; charging in real time.
3) Charging on the basis of bytes; charging in real time.
4) Supporting RADIUS server groups: the RADIUS servers can work in redundancy backup mode.
5) Using different RADIUS server groups for different users: different users can use different authentication servers and choose different accounting servers.
6) Configuring individual attributes for different users.
7) Supporting the accounting of heavy traffic: the maximum traffic is 2 G x 2 G.

5.3 Certification Authority (CA)


CA is a security authentication technology based on the public key system and implemented by the security certificate. The security certificate adopts the international standard X.509 certificate format. It mainly includes the following information:
- The certificate version number
- The identity information of the CA that issues the certificate
- The identity information of the certificate bearer
- The public key of the certificate bearer
- The valid period of the certificate
- Some other supplementary information
The certificate is signed by the CA that issues it, thus ensuring that the certificate cannot be faked or modified. The security certificate is issued and maintained by the CA center. The security certificate functions in mainly two aspects: it exchanges information with the CA center for the management functions of the CA center, and it performs the authentication function with the router serving as the communicating entity. Generally, the security certificate works in the mode of off-line distribution and local authentication. When the router works as a user, the exchange between the router and the CA center covers the following aspects:
2007-03-22 Huawei Confidential Page 30 of 47

On Network Security

For internal use only.

- Registering: A new user needs to register with the proper CA center.
- Initializing: Before the user applies for the certificate, he needs to obtain the information of the CA center first, including the identity information of the CA center and its public key, for the follow-up certificate operations. In actual application, the information of the CA center can be initialized in the user's system by pre-installation.
- Applying for the certificate: The user's application contains the user's public key information and provides proof that the applicant holds the corresponding private key. The CA center receives the user's application, and issues the certificate if the user passes the authentication.
- Recovering the key pair: If the user forgets the certificate password or loses the certificate file for some reason, he can request the CA center on-line to recover his key pair. Of course, it is up to the user to decide whether he will trust the CA center with his key pair.
- Updating the key pair: For security reasons, all key pairs must be updated regularly, and the CA center issues new certificates.
- Revoking the certificate: When the certificate bearer discovers or suspects that his key has lost its confidentiality, he can send an application to the CA center for revoking the certificate, to ensure the certificate security.
- Cross-authentication: In actual application, CAs form a tree structure with different levels. Two different CAs also need to establish a mutual trusting mechanism, namely, cross-authentication of the certificate. When the user authenticates a certificate issued by another CA, he needs to authenticate the identity level by level on the CA authentication tree using the cross-authentication information. Figure 5-1 shows the authentication process by which a router passes the CA authentication. RCA is the root CA center and is a CA of higher level.

The security certificate can be public, so, during authentication, the two parties can send each other their own certificates with digital signatures. After receiving the certificate, the authenticating party needs to check the following information:
- Authenticity of the certificate: The receiver authenticates the digital signature of the CA center; when a certificate belonging to a different CA is received, cross-authentication of the CA center is needed.
- Identity of the sender: After confirming the authenticity of the certificate and obtaining the public key information, the CA center authenticates the digital signature of the sender to confirm that the certificate is sent by the correct sender, not by an illegal sender.
- Validity of the certificate: The CA center checks the Certificate Revocation List (CRL) to confirm the validity of the certificate.
Figure 5-1 Security authentication of the CA center


On occasions with higher security demands, the user can query the status information of the certificate in real time by the Online Certificate Status Protocol (OCSP).
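The three checks of the authenticating party listed above (CA signature level by level up to a trusted root, sender identity, CRL validity), as an added example that is not part of this document and not Huawei code. To run with the standard library alone it uses a deliberately tiny textbook RSA for the signatures; the CA names ("RCA", "CA-1"), serial numbers, dates and primes are constructed values, not real keys or a real certificate encoding.

```python
"""Added example (not from the Huawei document): verify a certificate chain
up to a trusted root CA, with validity-period and CRL checks, then verify
the sender's own signature with the certificate's public key. The RSA keys
are toy-sized (insecure) and all names, serials and dates are constructed."""
import hashlib
from datetime import datetime


def toy_rsa_keypair(p, q, e):
    """Textbook RSA from two small primes: illustration only, never real use."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    return pow(digest(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])


def tbs(cert: dict) -> bytes:
    """The 'to be signed' part of the certificate: every field except the
    issuing CA's signature (the X.509 fields listed in the text)."""
    fields = ("version", "serial", "issuer", "subject", "pub", "not_before", "not_after")
    return repr([cert[f] for f in fields]).encode()


def issue(issuer_name, issuer_priv, subject, subject_pub, serial, not_before, not_after):
    cert = {"version": 3, "serial": serial, "issuer": issuer_name, "subject": subject,
            "pub": subject_pub, "not_before": not_before, "not_after": not_after}
    cert["sig"] = sign(issuer_priv, tbs(cert))   # the CA signs, so it cannot be faked
    return cert


def verify_chain(cert, store, trusted_roots, crl, now):
    """Walk issuer links level by level until a trusted root is reached.
    `store` maps subject name -> certificate, `trusted_roots` maps root
    name -> root certificate, `crl` maps issuer name -> set of revoked
    serials. Returns (ok, reason)."""
    seen = set()
    while True:
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"{cert['subject']}: outside validity period"
        if cert["serial"] in crl.get(cert["issuer"], set()):
            return False, f"{cert['subject']}: revoked (serial {cert['serial']})"
        issuer = trusted_roots.get(cert["issuer"]) or store.get(cert["issuer"])
        if issuer is None:
            return False, f"{cert['subject']}: issuer {cert['issuer']} unknown"
        if not verify(issuer["pub"], tbs(cert), cert["sig"]):
            return False, f"{cert['subject']}: bad CA signature"
        if cert["issuer"] in trusted_roots:
            return True, "chain ends at trusted root " + cert["issuer"]
        if cert["issuer"] in seen:
            return False, "loop in certificate chain"
        seen.add(cert["issuer"])
        cert = issuer


# Constructed sample PKI: root CA "RCA" -> subordinate "CA-1" -> router certificate
ROOT_PUB, ROOT_PRIV = toy_rsa_keypair(61, 53, 17)
SUB_PUB, SUB_PRIV = toy_rsa_keypair(101, 103, 7)
RTR_PUB, RTR_PRIV = toy_rsa_keypair(89, 97, 5)
T0, T1 = datetime(2024, 1, 1), datetime(2026, 1, 1)
NOW, LATER = datetime(2025, 6, 1), datetime(2027, 1, 1)
ROOT = issue("RCA", ROOT_PRIV, "RCA", ROOT_PUB, 1, T0, T1)     # self-signed root
SUB = issue("RCA", ROOT_PRIV, "CA-1", SUB_PUB, 2, T0, T1)
ROUTER = issue("CA-1", SUB_PRIV, "router-A", RTR_PUB, 3, T0, T1)
STORE = {c["subject"]: c for c in (SUB, ROUTER)}
TRUSTED = {"RCA": ROOT}


def authenticate_peer(cert, message: bytes, sig: int, crl, now):
    """Authenticity of the certificate and its chain first, then the identity
    of the sender via the signature over the message it sent."""
    ok, reason = verify_chain(cert, STORE, TRUSTED, crl, now)
    if not ok:
        return False, reason
    if not verify(cert["pub"], message, sig):
        return False, "message signature does not match the certificate key"
    return True, "peer authenticated as " + cert["subject"]
```

The CRL lookup here is a local list, which matches the off-line distribution mode the text describes; an OCSP query would replace the `crl` lookup with a real-time status request for the same serial.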

5.4 Packet Filtering


Every field in the IP packet header, and in the header of the upper-layer protocol packet (such as the TCP packet) carried by the IP packet, contains information that the router can process. Packet filtering usually involves the following attributes of the IP packet:
- The Source IP address, Destination IP address and Protocol fields of the IP packet
- The TCP/UDP source port or destination port
- The Code and Type fields of the ICMP packet
- The Identification field of the TCP packet
Different rules can be formed by different combinations of these fields. For example, to prohibit the FTP connection from host 1.1.1.1 to host 2.2.2.2, the packet filter can create the following rule for discarding the corresponding packets:
- Destination IP address = 2.2.2.2
- Source IP address = 1.1.1.1
- Protocol field = 6 (TCP)
- Destination port = 21 (FTP)
In normal conditions, the other fields are not considered when creating rules. ACL can be used not only in packet filtering, but also in other features that need to classify the data stream, for example, address translation and IP Security (IPSec). Huawei devices support ACL with the following functions:
- Support the standard and the extended ACL: the standard ACL only sets a simple address range; the extended ACL sets details, including the protocol, source address range, destination address range, source port range, destination port range, priority and service type.
- Support time period: an ACL can be set to work for a specific time period. For example, setting 8:00 to 20:00 on every Monday as the working period of the ACL, or setting the working period of the ACL from X-X-X (date-month-year) to X'-X'-X' (date-month-year).
- Support ACL automatic sequence arranging: there is an option to configure automatic sequence arranging for a certain type of ACL, which simplifies the configuration and facilitates the configuration and maintenance of the ACL.
- Support named ACL: it facilitates memorization and configuration.
- The specific input and output directions of the interface can be configured: apply the packet filtering rules on the output direction of the WAN port, or apply other packet filtering rules on the input direction of the WAN port.
- Support filtering based on the interface: on a direction of the interface, we can prohibit or permit the interface to forward the packets coming from a certain interface.
- Create a log for the packets that meet the requirements: the device can record related information of the packet, and provides a mechanism to ensure that, when a lot of identical trigger logs are generated, they will not consume too much resource.
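The rule shown above (discard TCP port 21 from 1.1.1.1 to 2.2.2.2), together with the time-period and log-throttling features listed, as an added example that is not part of this document and not Huawei code. It evaluates extended-ACL-style rules in order, applies a per-rule working period (weekday and hour range), ends with an implicit deny, and caps the number of identical log entries. The rule set, addresses and packets are constructed samples; the `Rule` and `PacketFilter` names are this example's own.

```python
"""Added example (not from the Huawei document): an ordered packet filter
with per-rule working time periods and log rate limiting. Rules, addresses
and sample packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}   # IP Protocol field values


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: Optional[int] = None      # None matches any protocol
    src: str = "0.0.0.0/0"           # source address range
    dst: str = "0.0.0.0/0"           # destination address range
    dport: Optional[range] = None    # destination port range (TCP/UDP only)
    weekdays: tuple = (0, 1, 2, 3, 4, 5, 6)   # Monday = 0 ... Sunday = 6
    hours: range = range(0, 24)      # hours of the day in which the rule is active
    log: bool = False

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and now.hour in self.hours

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") not in self.dport:
            return False
        return True


class PacketFilter:
    def __init__(self, rules, log_burst=3):
        self.rules = list(rules)
        self.log_burst = log_burst   # identical log lines kept per (rule, flow)
        self.log_counts = {}
        self.log = []

    def _log(self, rule_idx, pkt):
        key = (rule_idx, pkt["src"], pkt["dst"], pkt["proto"], pkt.get("dport"))
        self.log_counts[key] = self.log_counts.get(key, 0) + 1
        if self.log_counts[key] <= self.log_burst:   # suppress the flood of repeats
            self.log.append(f"rule {rule_idx} {self.rules[rule_idx].action} {key[1:]}")

    def decide(self, pkt: dict, now: datetime) -> str:
        """First active matching rule wins; no match means deny."""
        for i, rule in enumerate(self.rules):
            if rule.active(now) and rule.matches(pkt):
                if rule.log:
                    self._log(i, pkt)
                return rule.action
        return "deny"


# Constructed rule set: the document's FTP example, a Monday-daytime web rule, and ICMP
RULES = [
    Rule("deny", PROTO["tcp"], "1.1.1.1/32", "2.2.2.2/32", range(21, 22), log=True),
    Rule("permit", PROTO["tcp"], "1.1.1.0/24", "2.2.2.0/24", range(80, 81),
         weekdays=(0,), hours=range(8, 20)),
    Rule("permit", PROTO["icmp"]),
]
FILTER = PacketFilter(RULES)

# Constructed timestamps: 2024-01-01 is a Monday, 2024-01-07 a Sunday
MONDAY_NOON = datetime(2024, 1, 1, 12, 0)
MONDAY_NIGHT = datetime(2024, 1, 1, 22, 0)
SUNDAY_NOON = datetime(2024, 1, 7, 12, 0)
```

Rule order matters: the deny for FTP sits before the broader permits, which is why it should be placed first in a real ACL as well.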

5.5 Address Translation


The technology of address translation converts the private network address into the public network address or vice versa. Address translation is secure in that the actual address of the intranet is shielded, and that the extranet cannot access the intranet directly through address translation. Huawei devices support address translation with the following functions:
- Support Network Address Port Translation (NAPT): map the packet [source address + port] sent by the intranet user to another [interface address + port]. This function works with dial-on-demand to enable the intranet user to access the Internet conveniently by a router.
- Support Network Address Translation (NAT): convert only the IP address and do not convert the port.
- Support address pool: map the addresses on the intranet to an address pool on the extranet.
- Discriminate the data flows: by discriminating the data flows, convert only some of the addresses and do not convert the others; or convert some addresses into the addresses in one address pool, and convert the other addresses into the addresses in another address pool. The methods are diversified.
- Support the intranet server flexibly: by address translation, provide services to the extranet, such as the Web, FTP, SMTP and Telnet services. Placing the server on the intranet makes it secure and convenient to maintain the server. The service can be customized. For example, configure the Web service on port 8080, and the FTP service on port 8021.
- Support FTP: due to the design of the FTP protocol, the IP address of the host is contained in the PORT and PASV commands of the FTP protocol, so it needs special processing. The Quidway series of security devices support the following two conditions: when the user accesses the extranet by NAT, the device supports the FTP PORT command; when the FTP service is provided to the extranet through NAT, the device supports the PASV command.
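The NAPT behaviour described above, as an added example that is not part of this document and not Huawei code: outbound packets get [interface address + port], returning packets are translated back only when a mapping exists (so unsolicited extranet traffic is dropped, which is the security property the text describes), and a static mapping publishes an intranet web server on port 8080. The `Napt` class, addresses and ports are constructed for illustration; the FTP PORT/PASV rewriting the text mentions is not implemented here.

```python
"""Added example (not from the Huawei document): a NAPT mapping table as a
security device would keep it. Addresses and ports are constructed samples."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Napt:
    def __init__(self, outside_ip, first_port=10000, static=None):
        self.outside_ip = outside_ip      # address of the extranet interface
        self.next_port = first_port
        self.out_map = {}   # (proto, inside ip, inside port) -> outside port
        self.in_map = {}    # (proto, outside port) -> (inside ip, inside port)
        # Static server mappings, e.g. ("tcp", 8080) -> ("192.168.1.10", 80)
        for key, dest in (static or {}).items():
            self.in_map[key] = dest
            self.out_map[(key[0],) + dest] = key[1]

    def outbound(self, p: Packet) -> Packet:
        """Intranet -> extranet: rewrite [source address + port] to
        [interface address + port], allocating a port on first use."""
        key = (p.proto, p.src, p.sport)
        if key not in self.out_map:
            while (p.proto, self.next_port) in self.in_map:   # skip reserved ports
                self.next_port += 1
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(p.proto, port)] = (p.src, p.sport)
        return Packet(self.outside_ip, self.out_map[key], p.dst, p.dport, p.proto)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Extranet -> intranet: only packets for which a mapping exists are
        translated; anything else is dropped (returns None), so the real
        intranet addresses are never reachable directly."""
        if p.dst != self.outside_ip:
            return None
        dest = self.in_map.get((p.proto, p.dport))
        if dest is None:
            return None
        return Packet(p.src, p.sport, dest[0], dest[1], p.proto)
```

Real devices also age out dynamic mappings and track TCP state; this table keeps mappings until the process ends, which is enough to show the translation logic.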

5.6 Data Compression


Data compression mainly reduces the packet length, thus improving the communication performance between hosts or gateways. The packet can be compressed at the application layer directly, or at the network layer or data link layer. The following mainly deals with the data compression protocol at the network layer: the IP Payload Compression Protocol (IPComp).

5.6.1 Description of IPComp


I. Advantages and Disadvantages of IPComp
1) IPComp has the following advantages:
- It uses the bandwidth effectively: data compression can reduce the packet length and use the bandwidth effectively. Experience proves that compressing common packets at the ratio of 3:1 is the same as carrying more than three times as much data over the same link bandwidth.
- It enhances security: IPComp shows its advantages especially in encrypting IP packets. Firstly, IPComp shortens the packet length, so it takes less time for encryption. Secondly, IPComp reduces the redundant information in the packet, and it is more difficult to decrypt a compressed and encrypted packet. Thirdly, it is inefficient to compress encrypted data at the data link layer (for example, by the PPP Compression Control Protocol), and IPComp solves this problem well.
2) IPComp has the following disadvantage:
IPComp requires the participating nodes to have strong calculating capability, because compression and decompression consume much CPU resource. For a device that mainly works for forwarding packets quickly, data compression becomes a heavy burden.

II. Working Process of IPComp


The working process of IPComp consists of two parts: compressing the data that will be sent, and decompressing the data that is received. IPComp usually works with the technique of packet security processing. The packets that will be sent are compressed before they are encrypted, authenticated and segmented. The decompressing process is the reverse: the IP packets are decompressed after they have been reassembled, authenticated and decrypted. Decompressing the IP packet requires modifying the corresponding fields (the Header length field, the Protocol field, and the Header checksum field) in the original IP packet header. It also requires creating a new IPComp protocol header based on the original IP header and the packet generated by compression. The position of the new IPComp header in the new packet differs slightly between versions. In IPv4, the IPComp header directly follows the IP packet header. In IPv6, if the IP packet contains both the IPv6 segment header and the IPComp protocol header, the IPComp protocol header follows the IPv6 segment header. Some other IPv6 headers may be located between the IPv6 segment header and the IPComp protocol header. Compressing the IP packet should follow several rules:
- The compressed data need not be checked during transmission.
- The length of the compressed data plus that of the IPComp protocol header must be shorter than the length of the IP packet payload before compression.
- Small packets are not compressed; the experience threshold is 90 bytes.
- Compressed packets are not recompressed.

5.6.2 IPComp Association (IPCA)


In IP compression, IPCA is a concept similar to the Security Association (SA) in IPSec. To run IPComp between two nodes, IPCA must be established first. IPCA contains all information necessary for IPComp, including the Compression Parameter Index (CPI), operating mode, compression algorithm, parameters needed for the compression algorithm and so on. CPI consists of 16 bits and is stored in the IPComp protocol header. Its value has different meanings:
- 0-63 represents the common compression algorithms.
- 64-255 is reserved for future use.
- 256-61439 is the value negotiated for establishing IPCA between two nodes.
The two nodes are independent from each other when choosing CPI. But the IPComp header in the packet sent must use the CPI chosen by the decompressing node. CPI and the destination IP address uniquely identify the features of the compression algorithm. IPCA can be established in two ways: by manual configuration or by dynamic negotiation. When IPCA works with IPSec, it is recommended to establish IPCA according to the standards of Internet Key Exchange (IKE). IKE provides the necessary mechanisms and guiding principles for establishing IPCA. By using IKE, the IPComp negotiation can be finished as an independent process, or as a coordinated process finished together with other protocols relating to IPSec.
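The sender-side compression rules from the previous section and the CPI ranges above, as an added example that is not part of this document and not Huawei code. It builds and parses the 4-byte IPComp header (Next Header, Flags, CPI), classifies a CPI by range, and decides whether to compress an IPv4 payload: small packets below the 90-byte threshold and packets that are already IPComp are left alone, and compression is used only when the compressed data plus header is actually shorter. DEFLATE (CPI 2 in the well-known range) is used because Python's `zlib` provides it; the protocol number 108 is the one assigned to IPComp; the sample payloads are constructed.

```python
"""Added example (not from the Huawei document): IPComp header handling and
the compress/decompress decision for one payload. Sample data is constructed."""
import struct
import zlib

IPPROTO_IPCOMP = 108      # Protocol field value that announces an IPComp header
CPI_DEFLATE = 2           # well-known CPI for the DEFLATE algorithm
MIN_COMPRESS_LEN = 90     # experience threshold from the text
IPCOMP_HDR_LEN = 4        # Next Header(1) Flags(1) CPI(2)


def cpi_class(cpi: int) -> str:
    """Classify a 16-bit CPI by the ranges listed in the text."""
    if not 0 <= cpi <= 0xFFFF:
        raise ValueError("CPI must fit in 16 bits")
    if cpi <= 63:
        return "well-known"
    if cpi <= 255:
        return "reserved"
    if cpi <= 61439:
        return "negotiated"
    return "private"


def build_ipcomp_header(next_header: int, cpi: int) -> bytes:
    return struct.pack("!BBH", next_header, 0, cpi)


def parse_ipcomp_header(data: bytes) -> dict:
    if len(data) < IPCOMP_HDR_LEN:
        raise ValueError("truncated IPComp header")
    nh, flags, cpi = struct.unpack("!BBH", data[:IPCOMP_HDR_LEN])
    if flags != 0:
        raise ValueError("Flags field must be zero")
    return {"next_header": nh, "cpi": cpi, "class": cpi_class(cpi),
            "payload": data[IPCOMP_HDR_LEN:]}


def compress_payload(next_header: int, payload: bytes, cpi: int = CPI_DEFLATE):
    """Return (ip_protocol, data) to place after the IP header, applying the
    rules: never recompress, skip small packets, compress only if it helps."""
    if next_header == IPPROTO_IPCOMP:
        return next_header, payload               # already compressed
    if len(payload) < MIN_COMPRESS_LEN:
        return next_header, payload               # small packet: send as-is
    c = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, no zlib wrapper
    compressed = c.compress(payload) + c.flush()
    if IPCOMP_HDR_LEN + len(compressed) >= len(payload):
        return next_header, payload               # no gain: send uncompressed
    return IPPROTO_IPCOMP, build_ipcomp_header(next_header, cpi) + compressed


def decompress_payload(ip_protocol: int, data: bytes):
    """Receiver side: restore (original protocol, original payload)."""
    if ip_protocol != IPPROTO_IPCOMP:
        return ip_protocol, data                  # was sent uncompressed
    hdr = parse_ipcomp_header(data)
    if hdr["cpi"] != CPI_DEFLATE:
        raise ValueError(f"unsupported CPI {hdr['cpi']} ({hdr['class']})")
    d = zlib.decompressobj(-15)
    return hdr["next_header"], d.decompress(hdr["payload"]) + d.flush()
```

Updating the IP header's Total Length, Protocol and checksum fields, which the text mentions, is left to the caller that assembles the final packet.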

5.7 Encryption and Key Exchange


5.7.1 IP Security (IPSec)
The IPSec protocol family is a group of open protocols. It is used for encrypting and authenticating the data source for specific communicating parties at the network layer, thus ensuring the privacy, integrity and authenticity of the packets transmitted on the Internet. IPSec implements these functions by two security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). Implementing these functions does not affect the user, host or other Internet components. The user can also choose different hardware and software encryption algorithms without affecting other functions. IPSec provides the following network security services:
- Privacy: IPSec encrypts the packets before sending them, ensuring data privacy.
- Integrity: At the destination, IPSec authenticates the packet to confirm that the packet was not modified during transmission.
- Authenticity: The IPSec terminal authenticates all packets protected by IPSec.
- Anti-replay: IPSec protects the packet against being captured and replayed on the network. In other words, the destination rejects old or repeated packets by checking the sequence number of the packet.
IPSec transmits data between two ends by establishing SA. SA defines the protocol and algorithm used in data protection, and attributes such as the valid period of the SA. IPSec generates a new AH or ESP additional header when forwarding the encrypted data, which guarantees the security of IP packets. IPSec works in two modes: tunnel and transmission. In the tunnel mode, the entire IP packet of the user is encrypted, and is used to calculate the additional header. The additional header and the encrypted user data are encapsulated in a new IP packet. In the transmission mode, only the data of the transport layer (such as data of TCP, UDP or ICMP) is used to calculate the additional header. The additional header and the encrypted transport-layer data are placed behind the original IP packet header.

The AH header ensures the integrity and authenticity of the packet, and guards against the hacker intercepting the packet or inserting fake packets into the network. Taking calculation efficiency into account, AH does not use a digital signature. Instead, it uses the Secure Hash Algorithm (SHA) to protect the packets. AH does not encrypt the user data. Figure 5-2 shows the position of AH in the IP packet (in the tunnel mode).

Figure 5-2 AH processing (tunnel mode)
  Original packet:  | IP | TCP | Data |
  After AH:         | IP2 | AH | IP | TCP | Data |

ESP encrypts the user data that needs protection and then encapsulates the data in the IP packet, ensuring the integrity, authenticity and privacy of the data. Figure 5-3 shows the position of the ESP header in the IP packet (in the tunnel mode).

Figure 5-3 ESP processing (tunnel mode)
  Original packet:  | IP | TCP | Data |
  After ESP:        | IP2 | ESP | IP | TCP | Data | Trailer | Auth |

AH and ESP can work either independently or unitedly. By using IPSec, the data can be transmitted on the public network without the danger of being monitored, modified or faked. IPSec provides data protection between two hosts, two security gateways or between host and security gateway. Multiple SAs can be established between two ends. Combining this with ACL, IPSec can implement different protection strategies for different data flows. SA is directional (uni-directional). Usually, four SAs are established between two ends, each end having two SAs. One SA is for transmitting data, and the other for receiving data. The SA of IPSec can be configured manually. But when the nodes on the network increase, manual configuration becomes difficult and cannot ensure security. So IKE is used for automatic SA establishing and key exchange.
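The receiver-side checks of an AH-protected packet (integrity and authenticity via the keyed hash, anti-replay via the sequence number) as an added example that is not part of this document and not Huawei code. It uses a simplified packet model: a fixed-length outer header that the caller has already prepared with mutable fields zeroed, followed by an AH made of SPI, sequence number and a 96-bit HMAC-SHA1 check value, then the payload. The 64-entry sliding replay window is the common design for this check; the SA key, SPI and packets are constructed samples.

```python
"""Added example (not from the Huawei document): AH integrity check value
(HMAC-SHA1-96) and a 64-packet anti-replay window on a simplified packet
model. Key, SPI and sample packets are constructed."""
import hashlib
import hmac
import struct

WINDOW = 64          # replay window size in sequence numbers


class AhSecurityAssociation:
    """One direction of an AH SA: the sender uses protect(), the receiver verify()."""

    def __init__(self, spi: int, key: bytes):
        self.spi = spi
        self.key = key
        self.send_seq = 0
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set means sequence number (highest - i) was seen

    @staticmethod
    def _icv(key, spi, seq, outer_header, payload):
        # The ICV covers the outer header (mutable fields already zeroed by
        # the caller), the AH with its ICV field zeroed, and the payload.
        ah = struct.pack("!II", spi, seq) + b"\x00" * 12
        return hmac.new(key, outer_header + ah + payload, hashlib.sha1).digest()[:12]

    def protect(self, outer_header: bytes, payload: bytes) -> bytes:
        """Sender: outer_header || SPI || Seq || ICV || payload."""
        self.send_seq += 1
        icv = self._icv(self.key, self.spi, self.send_seq, outer_header, payload)
        return outer_header + struct.pack("!II", self.spi, self.send_seq) + icv + payload

    def _replay_check(self, seq):
        if seq == 0:
            return False, "sequence number 0 invalid"
        if seq > self.highest:
            return True, "new"
        diff = self.highest - seq
        if diff >= WINDOW:
            return False, "too old"
        if self.bitmap >> diff & 1:
            return False, "replayed"
        return True, "inside window"

    def _replay_update(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def verify(self, header_len: int, packet: bytes):
        """Receiver: return (accepted, reason, payload)."""
        hdr = packet[:header_len]
        spi, seq = struct.unpack("!II", packet[header_len:header_len + 8])
        icv = packet[header_len + 8:header_len + 20]
        payload = packet[header_len + 20:]
        if spi != self.spi:
            return False, "unknown SPI", b""
        ok, why = self._replay_check(seq)
        if not ok:
            return False, why, b""
        expected = self._icv(self.key, spi, seq, hdr, payload)
        if not hmac.compare_digest(icv, expected):
            return False, "bad ICV", b""
        self._replay_update(seq)   # advance the window only for authenticated packets
        return True, why, payload
```

The window is updated only after the ICV passes, so an attacker who captures a packet cannot advance the receiver's window by replaying modified copies with high sequence numbers.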

5.7.2 Internet Key Exchange (IKE)


Two communicating parties use IKE to negotiate and establish SA and to exchange the key. IKE defines the methods for the two parties to authenticate the identity, negotiate the encryption algorithm and to generate the shared session key. The essence of IKE is that it never directly transmits the key on insecure networks. Instead, the two parties calculate the shared key by a series of data exchange. Even if a third party obtains all exchanged data of the two parties for calculating the key, the third party still cannot calculate the real key. The core technology for achieving this is the Diffie Hellman (DH) exchange technology. The prerequisite for DH is that the two parties share two parameters: the radix "g" and the modulus "p". The two parameters are defined by the DH group that is used, and are open in actual application. Figure 5-4 shows the four steps of DH exchange and calculation.

1) The two parties each generate a random value, for example, a and b.
2) By the modular exponentiation algorithm, the results c = g^a mod p and d = g^b mod p are generated.
3) The two results c and d are exchanged.
4) Each party calculates the DH common value, which is d^a mod p on one side and c^b mod p on the other in the figure. It is proved that the DH common value g^(ab) mod p = d^a mod p = c^b mod p.

Note that, in this calculation process, only the exchange of c and d is performed on the public network. If a third party intercepts c and d on the network, he still needs a or b to calculate the DH common value g^(ab) mod p. And to get a or b from c and d requires computing a discrete logarithm. "p" is a prime number. As has been mathematically proved, when p is big enough (generally a binary number bigger than 768 bits), the calculation is highly complicated and almost impossible. Therefore, DH ensures that the two communicating parties obtain the DH common value securely.

Figure 5-4 DH exchange and calculation
  Peer 1 (secret a)                                   Peer 2 (secret b)
  1: generate a                                       1: generate b
  2: c = g^a mod p   ---- g, p are public ---->       2: d = g^b mod p
  3: receive d       <---- c and d exchanged ---->    3: receive c
  4: d^a mod p                                        4: c^b mod p
In identity authentication, IKE provides authenticating methods such as Pre-shared Key, public key encryption authentication and digital signature authentication. The last two methods are implemented by supporting CA. IKE is composed of two periods. In the first period, ISAKMP SA is established, including two modes: Main Mode and Aggressive Mode. In the second period which is protected by ISAKMP SA, IPSec SA is established, and it is also called Quick Mode. IPSec SA finally transmits the IP data securely. Besides, IKE contains the Informational Exchange for transmitting information and the DH Group Exchange for creating new DH groups.

5.8 Application Specific Packet Filter (ASPF)


5.8.1 ASPF Principle
ASPF checks not only the network-layer information of the packet, but also the application-layer protocol information (such as the FTP protocol). According to the connection state, ASPF creates and deletes temporary connections dynamically. This is realized by modifying ACL dynamically. ASPF maintains the connection state information in its own data structure, and uses the information for creating temporary admission (rules). The firewall checks every packet in the data flow to ensure that the packet and packet state match the security rules defined by the user. Connection state information is used for intelligently permitting/prohibiting the packet. When a session ends, the temporary access rules will be deleted, and the session in the firewall will also be disabled.

By ASPF, the Quidway series of security devices support the protocol in which multiple data connections exist on one control connection. Many application protocols, such as Telnet and SMTP, use the standard or conventional port address for communication. But most multi-media application protocols, such as H.323, FTP and RPC, use the conventional port for initializing a control connection, and then choose the port dynamically for transmitting data. Choosing the port is unpredictable. And some application protocols may need to use multiple ports at a time. The standard firewall has to prohibit such application protocols to protect intranet from attack. Sometimes the firewall prohibits only some application protocols that use fixed ports, thus leading to many security hazards. ASPF monitors the port used by every connection of every application protocol, enables the proper channel for the data to pass through the firewall in the session, and disables the channel when the session ends. In this way, ASPF effectively controls the access of the application protocol that uses the dynamic port. ASPF also provides the enhanced function of tracking and auditing. It can record the information of all connections. The information includes the time, source address, destination address, port used and bytes transmitted of the connection.

5.8.2 ASPF Working Process


When a packet passes through the router, ASPF compares the packet with the specified access rules. If the packet matches the rules, it is examined further; otherwise it is discarded directly. If the packet opens a new control connection or data connection, ASPF modifies or creates the rules dynamically and meanwhile updates the state table to permit packets relating to the new connection. ASPF permits only returning packets that belong to an existing and valid connection to pass through the firewall. When processing a returning packet, ASPF also updates the state table. When a connection is closed or times out, the state table entry corresponding to the connection is deleted. Rules created dynamically are not stored in the flash or the Nonvolatile Random Access Memory (NVRAM), ensuring that unauthorized packets cannot easily pass through the firewall. UDP is connectionless, so there is no real UDP "connection" whatsoever. ASPF is connection-based and checks the Source IP address, Destination IP address and Port of the UDP packet. By checking whether a UDP packet is similar to other UDP packets within the set time period, ASPF decides whether a connection exists.
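The working process above as a stateful inspection table, added here as an example that is not part of this document and not Huawei code: an outbound packet that the access rules permit creates a session entry (the dynamic temporary rule), a returning packet is admitted only if it matches an existing session, the entry is removed on TCP FIN/RST or when idle too long, and UDP gets a pseudo-connection keyed on addresses and ports with a short timeout. The `Aspf` class, the rule callable, the idle timeouts and the sample packets are constructed for illustration.

```python
"""Added example (not from the Huawei document): a stateful session table in
the style of the ASPF working process. Timeouts, rules and packets are
constructed samples."""
from dataclasses import dataclass

TCP_IDLE = 3600.0    # constructed idle timeout for TCP sessions (seconds)
UDP_IDLE = 30.0      # constructed timeout for UDP pseudo-connections


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""    # TCP flags as text, e.g. "SYN" or "FIN,ACK"


class Aspf:
    def __init__(self, outbound_rules):
        self.rules = outbound_rules   # callables Pkt -> bool, the configured access rules
        self.sessions = {}            # 5-tuple of the outbound direction -> last seen time

    @staticmethod
    def _key(p: Pkt):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Pkt):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float):
        """Delete sessions that have been idle longer than their timeout."""
        for key, seen in list(self.sessions.items()):
            idle = TCP_IDLE if key[0] == "tcp" else UDP_IDLE
            if now - seen > idle:
                del self.sessions[key]

    def outbound(self, p: Pkt, now: float) -> str:
        """Intranet -> extranet: rule check, then create/refresh the session."""
        self._expire(now)
        key = self._key(p)
        if key in self.sessions or any(rule(p) for rule in self.rules):
            if "FIN" in p.flags or "RST" in p.flags:
                self.sessions.pop(key, None)       # session ends: temporary rule deleted
            else:
                self.sessions[key] = now           # dynamic temporary admission
            return "permit"
        return "drop"

    def inbound(self, p: Pkt, now: float) -> str:
        """Extranet -> intranet: only returning packets of a known session pass."""
        self._expire(now)
        key = self._reverse(p)
        if key not in self.sessions:
            return "drop"                          # unsolicited packet
        if "FIN" in p.flags or "RST" in p.flags:
            del self.sessions[key]
        else:
            self.sessions[key] = now
        return "permit"
```

For a protocol such as FTP, the application-layer inspection the text describes would additionally read the PORT/PASV exchange on the control session and add a second session entry for the data connection before its first packet arrives.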

5.8.3 Detection of and Prevention Against DOS


Unlike other types of attack, in which the attacker looks for an entrance to the intranet, in DOS the attacker prevents legal users from accessing the resource or the router. ASPF enhances the detection of and the prevention against DOS. SYN Flood is a typical DOS attack. In SYN Flood, the attacker uses many packets with the SYN bit set to 1 to exhaust the network resource. In the TCP protocol, a packet with the SYN bit set to 1 is a request for establishing a connection. When the server receives the packet with the SYN bit set to 1, it reserves the resource and sends the client a response, indicating that the request for connection is permitted. In the normal flow, the client should respond to the server with a packet to indicate that the connection has been established. To interrupt the flow, SYN Flood uses a fake source address; even if it does not use a fake source address, it does not respond to the server. In establishing a TCP connection, when the packet fails to reach the destination address, it is sent repeatedly. This increases the network burden greatly. In SYN Flood, the attacker fakes the source address and creates many SYN packets, and exhausts the memory or other resources of the specific target within a short time. SYN Flood causes the HTTP or FTP server on the specific network to keep a lot of session connections, so the legal user cannot access the resource. ASPF detects SYN Flood by comparing the number of requests for establishing new connections, their rate, and the number of semi-connections that have been opened. If the router detects an abnormal rate of requests for new connections, the router sends alarm information and takes some action. ASPF guards against DOS with the following two methods:
1) Discarding timed-out TCP semi-connections so that the system resource is not exhausted. It informs the corresponding host to clear timed-out connections in case the system is overloaded. The administrator can configure the maximum number of receivable semi-connections and the time-out time of a semi-connection.
2) Temporarily prohibiting all SYN packets from entering the attacked host. The temporary prohibition does not affect existing connections. The administrator can configure the interval after which the host resumes receiving SYN packets.
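The detection and the two defensive methods above, as an added example that is not part of this document and not Huawei code: a half-open (SYN seen, final ACK not yet seen) table that times out and caps semi-connections, counts new connection requests per host over a sliding window, raises an alarm when the rate is abnormal, and then temporarily stops admitting SYN packets to that host for a configurable interval while leaving existing connections alone. The `SynFloodGuard` class, its thresholds and the sample addresses are constructed for illustration.

```python
"""Added example (not from the Huawei document): half-open connection
tracking with timeout, limit, rate alarm and temporary SYN blocking.
Thresholds and sample traffic are constructed."""
from collections import deque


class SynFloodGuard:
    def __init__(self, max_half_open=100, half_open_timeout=10.0,
                 rate_threshold=50, rate_window=1.0, block_interval=30.0):
        self.max_half_open = max_half_open          # configurable semi-connection limit
        self.half_open_timeout = half_open_timeout  # configurable semi-connection timeout
        self.rate_threshold = rate_threshold        # new requests per window before alarm
        self.rate_window = rate_window
        self.block_interval = block_interval        # how long SYNs to the host are refused
        self.half_open = {}        # (src, sport, dst, dport) -> time the SYN was seen
        self.recent_syns = {}      # dst -> deque of SYN timestamps within the window
        self.blocked_until = {}    # dst -> time at which SYNs are accepted again
        self.alarms = []           # (time, host, reason) for the administrator

    def _expire(self, now: float):
        # Method 1: discard timed-out semi-connections to free resources
        for key, t in list(self.half_open.items()):
            if now - t > self.half_open_timeout:
                del self.half_open[key]

    def _rate(self, dst: str, now: float) -> int:
        q = self.recent_syns.setdefault(dst, deque())
        q.append(now)
        while q and now - q[0] > self.rate_window:
            q.popleft()
        return len(q)

    def on_syn(self, src, sport, dst, dport, now: float) -> str:
        """Decide what happens to a connection request towards dst."""
        self._expire(now)
        if self.blocked_until.get(dst, 0.0) > now:
            return "drop: host protected"                 # method 2 in effect
        if self._rate(dst, now) > self.rate_threshold:
            self.alarms.append((now, dst, "abnormal SYN rate"))
            self.blocked_until[dst] = now + self.block_interval
            return "drop: rate alarm"
        if sum(1 for k in self.half_open if k[2] == dst) >= self.max_half_open:
            self.alarms.append((now, dst, "semi-connection limit reached"))
            return "drop: too many semi-connections"
        self.half_open[(src, sport, dst, dport)] = now
        return "permit"

    def on_ack(self, src, sport, dst, dport, now: float) -> str:
        """Third handshake packet: the semi-connection becomes a full one and
        leaves the table; existing connections are never affected by blocking."""
        if self.half_open.pop((src, sport, dst, dport), None) is None:
            return "drop: no matching semi-connection"
        return "permit"
```

Only SYN packets to the attacked host are refused during the block interval; packets of established connections and SYNs to other hosts are not counted against it.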

5.9 Firewall
5.9.1 What Is Firewall?
A firewall is a combination of components configured between different networks (such as between the trusted enterprise intranet and the untrusted public network) or between different network security domains. The firewall is the only passage for information to enter or exit different networks or network security domains. It controls (permits, rejects or monitors) the information flow between networks according to the security policies of the enterprise. Moreover, the firewall can protect itself well from attacks. It is the infrastructure for providing information security services and implementing network and information security. Logically, a firewall is a splitter, a limiter and an analyzer. It effectively controls all activity between the intranet and the Internet, and ensures the security of the intranet.

5.9.2 What Can a Firewall Do?


I. Firewall is the shelter of network security.
A firewall (serving as the blocking point and the controlling point) can greatly improve the security of an intranet, and reduce the risk by filtering out insecure services. Only application protocols that are carefully selected can pass the firewall, so the network environment is more secure. If the firewall can prohibit insecure protocols, such as the well-known Network File System (NFS), from accessing the protected network, attackers on the extranet cannot attack the intranet through these weak protocols.


Meanwhile, the firewall can protect the network against route-based attacks, such as the source route attack using the IP option and the ICMP redirect packet attack. The firewall should reject packets of all these attack types and inform the firewall administrator.

II. Firewall enhances network security policies.


In the security solution that centers around firewall, all the security software (such as the password, encryption, ID authentication, auditing and so on) can be configured on the firewall. Compared with distributing the network security issues on different hosts, the integrated security management of firewall is more economical. For example, when accessing the network, the one-time pad password system and the other ID authentication systems need not be distributed on different hosts; instead, they can be all integrated on the firewall.

III. Firewall monitors and audits the network access.


If all network access has to go through the firewall, then the firewall can record the access and create a log, meanwhile provides statistics about the network utilization condition. When detecting suspicious activity, firewall can give alarm accordingly, and provide detailed information about whether the network is monitored and attacked. In addition, it is important to collect the information on the utilization and misuse condition of a network. The primary reason is that, by the information provided, it can be checked whether the firewall can withstand the detection and attacks of the attacker, and whether the controlling capability of the firewall is adequate. It is also vital to use network statistics to analyze network demands and network threats.

IV. Firewall protects the intranet information from being discovered.


Using firewall to plan intranet can isolate the major network segments of intranet, thus restricting the major or sensitive network segments in affecting the entire network with security problems. Moreover, privacy is a highly concerned issue of intranet. An unnoticed detail of intranet may interest the attacker on extranet because the detail gives clues relating to security. Such a detail may reveal some security loopholes on intranet if it is discovered by the attacker. Firewall can hide the service, such as Finger and DNS, that may reveal the intranet details. Finger displays information such as register names and real names of all host users, last login time and the type of shell used. And the information displayed by Finger is easily obtained by the attacker. By the information, the attacker can know the utilization frequency of a system, whether the system users are on-line, and whether the system is noticed when it is attacked. Firewall also blocks the DNS information relating to intranet, so the domain name and IP address of a host will not be known by the users on extranet. Apart from the security function, firewall also supports the enterprise intranet technological system, Virtual Private Network (VPN), that has the Internet service characteristics. By VPN, firewall organically integrates the enterprise or organization LANs or dedicated subnets that are distributed all over the world. It not only saves dedicated communication lines, but also provides technical assurance for information sharing.


5.9.3 Types of Firewall


I. Types of Firewall Technology
According to the defense methods and emphases, firewall technology can be classified into many different types. Generally, it can be classified into two types:
- Packet filtering
- Application proxy
1) Packet Filtering
It works at the network layer and the transport layer. According to the fields in the packet header, such as the Source address, Destination address, Port number and Protocol type, the packet filter decides whether the packet can pass. Only the packet that meets the filtering logic is forwarded to the egress of the corresponding destination; the other packets are cast out of the data flow.
2) Application Proxy
It is also called application gateway and works at the application layer. It completely "obstructs" the network communication flow. By providing a special proxy program for each type of application service, it monitors and controls the communication flow at the application layer. In actual application, the functions of the application proxy are usually implemented by a dedicated workstation.

II. Firewall of Packet Filtering


Packet filtering is a universally used, inexpensive and effective security method. It is universally used because it does not need special processing for each specific network service. It is inexpensive because most routers provide packet filtering. It is effective because it satisfies the enterprise's security demands to a great extent. Packet filtering works at the network layer and the transport layer. According to the source address, destination address, port number and protocol type in the packet header, it decides whether the packet can pass the firewall. The information for making the decision comes from the header of the IP packet, TCP packet or UDP packet. The advantage of packet filtering is that the application programs on the client and the host need not be modified, because packet filtering works at the network layer and the transport layer and does not depend on the application layer. But its disadvantages are also obvious:

1) It depends only on the limited information of the network layer and the transport layer to decide on the filtering, so it cannot well meet other security demands.

2) On many filters, the number of filtering rules is limited, and as the filtering rules increase, the performance of the filter is greatly affected.

3) Lacking context information, the filter cannot effectively filter protocols such as UDP and Remote Procedure Call (RPC).

4) Besides, most filters lack an auditing and alarm mechanism, and their management methods and user interfaces are relatively unsatisfactory.

5) A packet filter demands high qualification of the security administrator. When creating the security rules, the administrator must understand well the protocols and the protocol functions in different application programs.

Therefore, the packet filter usually works together with the application gateway to constitute the firewall system.
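To make the packet-filtering decision and its third disadvantage concrete, the following is an added example written for this document; it is not Huawei product code. It implements a first-match, default-deny stateless filter over the header fields named above (source, destination, protocol, destination port) and then shows why such a filter handles UDP badly: to let DNS answers back in, a stateless rule set must open UDP from the resolver to every intranet port, which also admits datagrams that no host asked for. A variant with a connection table admits only answers to queries it has seen. The prefix 10.0.0.0/8 and the resolver address 192.0.2.53 are constructed values, not from the document.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (IP and TCP/UDP headers only)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One filtering rule; a field set to None matches anything."""
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR prefix
    dst: Optional[str] = None    # CIDR prefix
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet that matches no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed addressing: an intranet prefix and one external DNS resolver.
INTRANET = "10.0.0.0/8"
RESOLVER = "192.0.2.53"

# Stateless rule set for DNS. Because the filter keeps no context, the only way to
# let answers back in is a rule permitting UDP from the resolver to any intranet
# port, which also admits datagrams nobody asked for (disadvantage 3 above).
STATELESS_DNS_RULES = [
    Rule("permit", "udp", INTRANET, RESOLVER, 53),    # queries out
    Rule("permit", "udp", RESOLVER, INTRANET, None),  # anything back from the resolver
]

# With a connection table only the outbound rule is needed: answers are admitted
# because a matching outbound query was seen, not because a rule opens the port.
STATEFUL_DNS_RULES = [
    Rule("permit", "udp", INTRANET, RESOLVER, 53),
]


class StatefulFilter:
    """Stateless filter plus a table of permitted flows, so a reply is admitted only
    if its mirror image (addresses and ports swapped) was permitted earlier."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows = set()

    def process(self, p: Packet) -> str:
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reply_of in self.flows:
            return "permit"
        action = stateless_filter(self.rules, p)
        if action == "permit":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action


if __name__ == "__main__":
    query = Packet("10.1.1.5", RESOLVER, "udp", 40000, 53)
    answer = Packet(RESOLVER, "10.1.1.5", "udp", 53, 40000)
    unsolicited = Packet(RESOLVER, "10.1.1.5", "udp", 53, 40001)  # no query preceded it
    for pkt in (query, answer, unsolicited):
        print("stateless:", stateless_filter(STATELESS_DNS_RULES, pkt))
    sf = StatefulFilter(STATEFUL_DNS_RULES)
    for pkt in (query, answer, unsolicited):
        print("stateful: ", sf.process(pkt))
```

The stateless run permits all three datagrams, including the unsolicited one; the stateful run permits the query and its answer and drops the unsolicited datagram. Real filters also expire table entries after a timeout, which is omitted here.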


III. Firewall of Application Proxy


The application proxy firewall is the isolating point between the intranet and the extranet; it monitors and isolates the communication flow at the application layer, and it usually also integrates the functions of the packet filter. It works at the top layer of the Open System Interconnection (OSI) model, and therefore has access to all the information in the application that can be used in security rules.
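The following is an added example, not code from this document or from any Huawei product, of the kind of decision an application proxy can make and a packet filter cannot: it parses an HTTP/1.x request head and relays it only if the method, the request target and the Host header satisfy a policy, refusing anything it cannot parse. The allowed methods, the host names www.example and intranet.example and the header size limit are constructed policy values.

```python
from typing import Dict, Optional, Tuple

# Constructed policy: the proxy relays only these methods to these internal hosts.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example", "intranet.example"}
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "te", "trailer",
              "transfer-encoding", "upgrade", "proxy-authorization"}
MAX_HEAD_BYTES = 8192


def parse_request_head(raw: bytes) -> Optional[Tuple[str, str, str, Dict[str, str]]]:
    """Split an HTTP/1.x request into (method, target, version, headers).
    Returns None when the message is not a complete, well-formed request head."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep or len(head) > MAX_HEAD_BYTES:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def proxy_decision(raw: bytes) -> Tuple[bool, str]:
    """Decide whether the proxy relays this request. Every check here uses
    application-layer content (method, path, Host header), which a packet filter
    never sees; an unparseable request is refused rather than passed through."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return False, "malformed or incomplete request head"
    method, target, version, headers = parsed
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unsupported HTTP version " + version
    if method not in ALLOWED_METHODS:
        return False, "method " + method + " not permitted"
    if not target.startswith("/"):
        return False, "only origin-form request targets are relayed"
    if ".." in target.split("/"):
        return False, "dot-dot segment in path"
    host = headers.get("host", "").rsplit(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        return False, "host " + repr(host) + " not permitted"
    return True, "relay " + method + " " + target + " to " + host


def outgoing_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """The proxy rebuilds the request it sends inward; hop-by-hop headers from the
    client are dropped, so the client never speaks to the internal server directly."""
    return {k: v for k, v in headers.items() if k not in HOP_BY_HOP}


if __name__ == "__main__":
    sample = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\nConnection: keep-alive\r\n\r\n"
    print(proxy_decision(sample))
    print(proxy_decision(b"CONNECT www.example:443 HTTP/1.1\r\nHost: www.example\r\n\r\n"))
```

The second call is refused because CONNECT is not in the permitted method set, even though at the packet level it is just another TCP connection to the proxy port.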

IV. Integrated Firewall


For higher security demands, packet filtering and application proxy are usually combined to form an integrated firewall. The combination usually appears as one of the following two solutions:

1) The firewall system for shielding the host: In this system, the packet-filtering router or firewall connects to the Internet, and a bastion host is installed on the intranet. By configuring filtering rules on the router or the firewall, the bastion is made the only node reachable from other nodes on the Internet. Thus the intranet is shielded against unauthorized users on the extranet.

2) The firewall system for shielding the subnet: The bastion is installed on a subnet to form the Demilitarized Zone (DMZ). Two packet-filtering routers are installed at the two ends of the subnet, isolating this subnet from both the Internet and the intranet. In this system, the bastion and the packet-filtering routers together constitute the security foundation of the entire firewall.
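The two solutions differ in what a filtering router sees. The following is an added example written for this document, not Huawei product code, that models both: in the shielded-subnet design a flow must be permitted by every router it crosses (the exterior router admits the Internet only to the bastion's published services, the interior router admits only the bastion into the intranet, and only to the mail relay), whereas in the shielded-host design the bastion sits on the intranet itself, so traffic from it to other intranet hosts crosses no router at all. The address ranges 192.0.2.0/24 and 10.0.0.0/8, the bastion and mail server addresses, and the service lists are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the two topologies.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INTRANET_NET = ipaddress.ip_network("10.0.0.0/8")
BASTION = "192.0.2.10"         # shielded subnet: bastion lives in the DMZ
BASTION_INSIDE = "10.0.0.10"   # shielded host: bastion lives on the intranet
MAIL_SERVER = "10.1.1.25"

PUBLISHED = {("tcp", 25), ("tcp", 80)}      # bastion services offered to the Internet
PROXY_PORTS = {("tcp", 25), ("tcp", 3128)}  # bastion services offered to the intranet

INTERNET, DMZ, INTRANET = "internet", "dmz", "intranet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone(ip: str) -> str:
    a = ipaddress.ip_address(ip)
    if a in DMZ_NET:
        return DMZ
    if a in INTRANET_NET:
        return INTRANET
    return INTERNET


def exterior_router(f: Flow) -> bool:
    """Router between the Internet and the DMZ. Inbound, only the bastion's
    published services are reachable; outbound, only the bastion may reach the Internet."""
    if zone(f.src) == INTERNET:
        return f.dst == BASTION and (f.proto, f.dport) in PUBLISHED
    if zone(f.dst) == INTERNET:
        return f.src == BASTION
    return True  # flows not touching the Internet are the interior router's concern


def interior_router(f: Flow) -> bool:
    """Router between the DMZ and the intranet. The intranet reaches only the
    bastion's proxy ports; from the DMZ side only the bastion may enter, and only
    to the mail relay, so a compromised bastion cannot roam the intranet."""
    if zone(f.src) == INTRANET:
        return f.dst == BASTION and (f.proto, f.dport) in PROXY_PORTS
    if zone(f.dst) == INTRANET:
        return f.src == BASTION and f.dst == MAIL_SERVER and (f.proto, f.dport) == ("tcp", 25)
    return True


def screened_subnet(f: Flow) -> bool:
    """Solution 2: a flow is permitted only if every router it crosses permits it."""
    zones = {zone(f.src), zone(f.dst)}
    routers = []
    if INTERNET in zones and zones != {INTERNET}:
        routers.append(exterior_router)
    if INTRANET in zones and zones != {INTRANET}:
        routers.append(interior_router)
    return all(r(f) for r in routers)


def screened_host(f: Flow) -> bool:
    """Solution 1: one filtering router in front of an intranet that contains the
    bastion. Only Internet-facing traffic is filtered; a flow between two intranet
    hosts, including one originating at the bastion, crosses no router."""
    zones = {zone(f.src), zone(f.dst)}
    if INTERNET not in zones or zones == {INTERNET}:
        return True
    if zone(f.src) == INTERNET:
        return f.dst == BASTION_INSIDE and (f.proto, f.dport) in PUBLISHED
    return f.src == BASTION_INSIDE


if __name__ == "__main__":
    print(screened_subnet(Flow("203.0.113.5", BASTION, "tcp", 25)))       # True
    print(screened_subnet(Flow(BASTION, "10.1.1.7", "tcp", 22)))          # False
    print(screened_host(Flow(BASTION_INSIDE, "10.1.1.7", "tcp", 22)))     # True
```

The last two lines show the difference the document is pointing at: with the shielded subnet the interior router confines the bastion to the mail relay, while with the shielded host nothing stands between the bastion and the rest of the intranet.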

5.9.4 Operating System of Firewall


A firewall should be based on a secure operating system, and a secure operating system is realized by fortifying and renovating the security of a special-purpose operating system. In current products, the core of a secure operating system is fortified and renovated mainly in the following ways:

- Removing dangerous system calls
- Limiting the execution authority of commands
- Disabling the forwarding of IP packets
- Checking the interface on which each packet arrives
- Using random connection sequence numbers
- Keeping the packet filtering function (a software module) resident in memory
- Disabling dynamic routing

5.9.5 The Counter-attack Function of Firewall


As a security device, the firewall itself is also a target of many attackers on the network, so a counter-attack function is absolutely necessary for a firewall.

5.9.6 Limitation of Firewall


Some threats are beyond the defense capability of a firewall, such as attacks that do not have to pass through it. For example, if a user is allowed to dial up to the extranet from the protected intranet, that user can establish a direct connection to the Internet. Besides, a firewall cannot guard well against viruses or against attacks that originate on the intranet.
