Security+ - Identifying Common and Nonessential Services
A computer system that is connected to neither a network nor the internet is a rare thing indeed in this day and age. While connectivity provides a considerable amount of power and flexibility to the user in terms of access to remote services, data and information, it carries with it great risks. It is not too much of an exaggeration to state that any computer connected to a network is in danger of being attacked in some way. For proof of this fact look no further than the secure computer environments used by government defense organizations. To these people, a secure computer is located in a physically secure area where users pass through stringent security checks and are searched to ensure they are not carrying any portable storage devices or media which would allow software to be installed on a secure system. The computers themselves, whilst possibly networked to each other, have absolutely no contact with the outside world.
Obviously, such levels of security are beyond the needs and means of the average user or company and, quite frankly, disconnecting all the computers in an enterprise from the outside would negate the whole purpose of IT infrastructure. The best approach, therefore, is to make sure that all computer systems are as secure as possible. This requires a multi-layered defense strategy, the most basic of which is ensuring that only necessary ports and services are available on all systems on a network. In this chapter we will look at this strategy in detail.
Understanding Ports and Services
The predominant network communications protocol in use these days is TCP/IP. It is the protocol used by the internet and as such has swept away most of the formerly popular protocols used for local area networks (LANs).
TCP/IP defines a total of 65,535 ports, of which 1023 are considered to be well known ports. It is important to understand that these are not physical ports into which network cables are connected, but rather virtual ports on each network connection which can be used by applications and services to communicate over a TCP/IP network connection. In reality the number of ports used by popular network clients and services comprises an even smaller subset of the well known group of ports.
There are a number of different TCP/IP services which can be provided by an operating system. A comprehensive list of such services is provided in the table at the end of this chapter, but such services include HTTP for running a web server, FTP for allowing file transfers, SSH and Telnet for providing remote login access and SMTP for the transport of email messages. Each service is in turn assigned to a standard TCP/IP port. For example, HTTP is assigned to port 80 while SSH communication takes place on port 22.
Securing Ports and Services
Securing a system involves both removing any unnecessary services from the operating system and ensuring that the ports associated with the non-essential services are blocked using a firewall.
Many operating systems ship with a number of services installed and activated by default. Before installing a new operating system it is essential that the installation be carefully planned. This involves deciding which services are not required and identifying which services have been installed and enabled by default. Deployment of new operating system installations should never be rushed. The fewer services and open ports available on a system, the smaller the attack surface and the fewer opportunities for attackers. A good way to verify the security level of a system prior to deployment is through the use of port scanning technology.
Port Scanning
Port scanning involves the use of software designed specifically to scan all the ports on a system to find out which ports are open and have services running behind them. Port scanners are best run externally, in other words on another system on the network, as opposed to the system being tested. Port scanning need not be an expensive undertaking. In fact a wide selection of extremely comprehensive scanning tools is available for download on the internet.
After execution, the port scanner will generate a report listing the services and vulnerabilities present on the target system. Use this information to decide which non-essential services can be disabled.
Port scanning should be performed on a regular basis and the results compared against baseline data to ensure that nonessential services have not been enabled without the administrator's knowledge.
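As an added example (not code from the original chapter), the following Python script probes the ports listed in this chapter's table on a host you administer, compares the set of open ports against a saved baseline, and flags any newly opened port, noting where the chapter recommends an encrypted replacement. The host name, the baseline set and the injectable `probe` parameter (which lets the comparison logic be exercised without a live network) are assumptions for illustration.

```python
import socket
from typing import Callable, Dict, Iterable, List, Set

# Port-to-service lookup taken from this chapter's table (constructed, not exhaustive).
WELL_KNOWN: Dict[int, str] = {
    20: "FTP (data)", 21: "FTP (control)", 22: "SSH", 23: "Telnet", 25: "SMTP",
    53: "DNS", 69: "TFTP", 80: "HTTP", 110: "POP3", 119: "NNTP", 123: "NTP",
    143: "IMAP4", 161: "SNMP", 443: "HTTPS", 2049: "NFS",
}

# Services the chapter says should be disabled in favour of encrypted alternatives.
DISCOURAGED: Dict[int, str] = {
    21: "cleartext; use SFTP/SCP instead",
    23: "cleartext; use SSH instead",
    69: "no authentication; disable unless needed for network boot",
}


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port is accepted within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, timed out or no route
        return False


def scan(host: str, ports: Iterable[int],
         probe: Callable[[str, int], bool] = tcp_open) -> Set[int]:
    """Return the subset of ports that accepted a connection.
    `probe` is an assumed hook so the logic can be tested with a fake."""
    return {p for p in ports if probe(host, p)}


def compare_to_baseline(open_ports: Set[int], baseline: Set[int]) -> Dict[str, List[int]]:
    """Classify drift: ports open now but absent from the baseline, and vice versa."""
    return {"unexpected": sorted(open_ports - baseline),
            "missing": sorted(baseline - open_ports)}


def report(open_ports: Set[int], baseline: Set[int]) -> List[str]:
    """One human-readable line per port that is open but not in the baseline."""
    lines = []
    for p in compare_to_baseline(open_ports, baseline)["unexpected"]:
        line = f"port {p} ({WELL_KNOWN.get(p, 'unknown')}) open but not in baseline"
        if p in DISCOURAGED:
            line += f"; {DISCOURAGED[p]}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    # Assumed host and baseline; run against a system you are responsible for.
    baseline = {22, 80, 443}
    for line in report(scan("127.0.0.1", WELL_KNOWN), baseline):
        print(line)
```

Store the baseline from the first post-hardening scan and re-run the script on a schedule; any line of output is a service that was enabled after the baseline was taken.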
Primary TCP/IP Ports and Assignments
The following table outlines the common TCP/IP ports and the respective service assignments.
Port | Assignment | Description |
---|---|---|
20 | FTP | File Transfer Protocol (Data) - The File Transfer protocol provides a mechanism for transferring specific files between network connected computer systems (usually a Linux or UNIX based system). Transfer is typically performed using the ftp client which provides a range of commands used to connect to a remote server for the purpose of uploading or downloading files. Most modern web browsers also have the ability to browse and download files located on a remote FTP server. FTP uses TCP (rather than UDP) to transfer files so is considered to be a highly reliable transport mechanism. FTP does not encrypt data and is not considered to be a secure file transfer protocol. The use of Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) is strongly recommended in place of FTP. |
21 | FTP | File Transfer (Control) - Traditionally FTP has two ports assigned (port 20 and port 21). Port 20 was originally considered the data transfer port, while port 21 was assigned to communicate control information. In modern implementations port 20 is now rarely used, with all communication taking place on port 21. |
22 | SSH | Secure Shell - The Secure Shell is used to provide a secure, encrypted, remote logon session to a remote host over a TCP/IP network. The original mechanism for remote access was the Telnet protocol. Because Telnet transmits data in plain text its use is now strongly discouraged in favor of the secure shell, which encrypts all communications, including log-in and password credentials. SSH also provides the mechanism by which files can be securely transferred using the Secure Copy Protocol (SCP), and is also the basis for the Secure File Transfer Protocol (SFTP). SSH also replaces both the rsh and rlogin clients. |
23 | Telnet | Telnet - Telnet is a terminal emulation protocol that provides the ability to log into a remote system over a TCP/IP connection. The access is text based allowing the user to type into a command prompt on the remote host and text displayed by the remote host is displayed on the local Telnet client. Telnet encrypts neither the password nor the text communicated between the client and server. As such, the use of telnet is strongly discouraged. Most modern systems will have port 23 closed and the telnet service disabled to prevent its use. SSH should be used in place of Telnet. |
25 | SMTP | Simple Mail Transfer Protocol - SMTP defines the mechanism by which email messages are sent from one network host to another. SMTP is a very simple protocol and requires that the mail service always be available at the receiving host. Typically the receiving host will store incoming messages in a spool for subsequent access by the recipient using the POP3 or IMAP protocols. SMTP uses the TCP transport protocol to ensure error free message delivery. |
53 | DNS | Domain Name Server - The service used by TCP/IP networks to translate host names and Fully Qualified Domain Names (FQDN) to IP addresses. |
69 | TFTP | Trivial File Transfer Protocol - TFTP is a stripped down version of the File Transfer Protocol (FTP). It has a reduced command-set and lacks authentication. The most significant feature of TFTP is that it uses UDP to transfer data. This results in extremely fast transfer speeds but, consequently, lacks data reliability. TFTP is typically used in network based booting for diskless workstations. |
80 | HTTP | Hypertext Transfer Protocol - HTTP is the protocol used to download text, graphics and multimedia from a web server to a web browser. Essentially it defines the command and control mechanism between the browser and server, defining client requests and server responses. HTTP is based on the TCP transport protocol and, as such, is a connection-oriented protocol. |
110 | POP3 | Post Office Protocol - The POP3 protocol is a mechanism for storage and retrieval of incoming email messages from a server. In most corporate environments incoming email is stored on an email server and then downloaded to an email client running on the user's desktop or laptop when the user checks email. POP3 downloads all new messages to the client, and does not provide the user the option of choosing which messages to download, view headers, or download only parts of messages. It is for this reason the IMAP protocol is increasingly being used in place of POP3. |
119 | NNTP | Network News Transfer Protocol - The protocol responsible for posting and retrieving messages to and from Usenet News Servers (i.e. newsgroups and discussion forums hosted on remote servers). NNTP operates at the Application layer of the OSI stack and uses TCP to ensure error free message retrieval and transmission. |
123 | NTP | Network Time Protocol - A protocol designed to synchronize computer clocks with an external time source. Using this protocol an operating system or application can request the current time from a remote NTP server. The remote NTP server is usually based on the time provided by an atomic clock. NTP is useful for ensuring that all systems in a network are set to the same, accurate time of day. This is of particular importance in security situations when, for example, the time a file was accessed or modified on a client or server is in question. |
143 | IMAP4 | Internet Message Access Protocol, Version 4 - IMAP4 is an advanced and secure email retrieval protocol. IMAP is similar to POP3 in that it provides a mechanism for users to access email messages stored on an email server, although IMAP includes many additional features such as the ability to selectively download messages, view message headers, search messages and download part of a message. IMAP4 uses authentication and fully supports Kerberos authentication. |
161 | SNMP | Simple Network Management Protocol - Provides a mechanism whereby network administrators are able to collect information about the devices (such as hubs, bridges, routers and switches) on a network. The SNMP protocol enables agents running on network devices to communicate their status to a central manager and, in turn, enables the manager to send new configuration parameters to the device agent. The agents can further be configured to notify the manager when certain events, known as traps, occur. SNMP uses UDP to send and receive data. |
443 | HTTPS | Hypertext Transfer Protocol Secure - The standard HTTP (non-secure) protocol transfers data in clear text (i.e. with no encryption and visible to anyone who might intercept the traffic). Whilst this is acceptable for most web browsing purposes it poses a serious security risk when confidential information such as credit card details need to be transmitted from the browser to the web server. HTTPS addresses this by using the Secure Sockets Layer (SSL) to send encrypted data between the client and server. |
2049 | NFS | Network File System - Originally developed by Sun Microsystems and subsequently widely adopted throughout the industry, NFS allows a file system on a remote system to be accessed over the network by another system as if the file system were on a local disk drive. NFS is widely used on UNIX and LINUX based systems. Later versions of Microsoft Windows possess the ability to also access NFS shared file systems on UNIX and LINUX based systems. |