Port Scanning & Firewalls

Adapted, with permission, from the Data Security and Ethics lecture materials by Martin Lester (University of Reading).

Networking: Internet Protocol (IP)

The Internet is a network of computers or hosts.

Hosts can exchange messages over a connection...

...but these are split into small packets of data (often 1-2 KB).

Packets can be interleaved, so the network can be shared between many connections.

Packets may have to travel through 10s of hosts to reach their destination and can easily be lost.

Internet Protocol (IP) specifies the format of packets.

Networking: IPv4

Every host has a numerical address. Packets include source and destination host addresses.

In IPv4, introduced in 1982, the address is 32 bits and usually written as 4 numbers between 0 and 255:

192.168.1.2

Addresses are organised hierarchically. All addresses beginning 192.168.1. usually belong to the same network.

Addresses ending .1 are often a router/gateway that can pass packets to another network.

Networking: IPv4 address shortage

32 bits is not enough for all devices connected to the Internet.

IPv6, standardised around 1998, uses 128-bit addresses, but adoption has been slow.

Many networks still do not support IPv6.

Many support IPv4 and IPv6, but badly.

NAT offers a temporary solution to the IPv4 address space shortage. Networks can use private address ranges internally and share one external IP address.

(So many internal networks use the same private address ranges.)

Networking: DNS

Humans don't want to have to remember IP addresses.

Sometimes, several computers perform the same role (such as being a company's webserver), or the computer performing a role changes.

A DNS server turns textual names (like www.example.com) into IP addresses.

DNS operates over IP, so you still need the IP address of a DNS server.

Networking: TCP: reliable connections

IP only allows small packets to be sent and doesn't guarantee they will arrive in order (or at all).

Most networked applications need to send larger messages and want reliability.

TCP specifies how to send reliable messages over IP by:

  • adding sequence numbers in packets to indicate ordering;
  • acknowledging received packets;
  • resending.

Most high-level applications (like a webserver) can treat a TCP/IP network connection as a stream of bytes to read/write.

Networking: UDP: connectionless

Some applications don't need reliable connections.

Maybe they run on hardware with low memory/processing power, so TCP is too complicated.

Maybe the application needs fast responses and wants to decide itself when/whether to resend. (Example: some online games.)

UDP specifies how to send application messages (datagrams) over IP without reliability.

DNS is traditionally a UDP-based protocol (although a TCP-based version is becoming more popular).

Networking: TCP/UDP ports

When a host receives a message over the network, how does it know whether to treat it as a request for a webpage, an e-mail, a login attempt or something else?

TCP connections/UDP datagrams include source and destination port numbers to specify the networked service/application.

Port numbers are in the range 1-65535 and are standardised.

When opening a TCP connection, the destination port specifies the service.

Networking: Port ranges

Ports 1-1023 are privileged. Only the administrator (root) can use them.

This stops an ordinary user from starting (say) an SSH login server and collecting passwords from everyone who mistakenly tries to log in.

The source port is often a high port chosen at random to identify the connection. This is called an ephemeral port.

A program running on a host can listen on a port. Then, when a connection is made to that host/port, the operating system will notify that program.

Port scanning

Port scanning is the process of scanning a host or network to find open ports.

If a port on a host is open, it means it is accepting connections over the network on that port.

That means a server program running on the host is listening on that port.

Port numbers are fixed so...

...knowing which ports are open on a host tells us which services it is running (e-mail, webserver, SSH login...).

TCP SYN scan

┏━━━━━━━━━┓             ┏━━━━━━━━━┓
┃         ┣━━ SYN ━━━━━❯┃         ┃
┃ scanner ┃             ┃ target  ┃
┃         ┃             ┃         ┃
┃         ┃             ┃         ┃
┗━━━━━━━━━┛             ┗━━━━━━━━━┛

TCP SYN scan is the conceptually simplest scan.

Scanner sends just a TCP SYN packet to target on port n.

TCP SYN packet normally used as first step in opening a connection.

Need administrator (root) privileges to send just TCP SYN packet, without trying to open a connection.

TCP SYN scan: open port

┏━━━━━━━━━┓             ┏━━━━━━━━━┓
┃         ┣━━ SYN ━━━━━❯┃         ┃
┃ scanner ┃             ┃ target  ┃
┃         ┃❮━ SYN/ACK ━━┫         ┃
┃         ┃             ┃         ┃
┗━━━━━━━━━┛             ┗━━━━━━━━━┛

If port is open, scanner receives a TCP SYN/ACK packet in response.

Scanner knows:

  • target is online;
  • port n is open.

Scanner sends a TCP RST packet to terminate the connection.

Whole process handled by operating system on target.

TCP SYN scan: closed port

┏━━━━━━━━━┓             ┏━━━━━━━━━┓
┃         ┣━━ SYN ━━━━━❯┃         ┃
┃ scanner ┃             ┃ target  ┃
┃         ┃❮━━━━━ RST ━━┫         ┃
┃         ┃             ┃         ┃
┗━━━━━━━━━┛             ┗━━━━━━━━━┛

If port is closed, scanner receives a TCP RST packet in response.

Scanner knows:

  • target is online;
  • port n is closed.

TCP SYN scan: filtered port

┏━━━━━━━━━┓             ┏━━━━━━━━━┓
┃         ┣━━ SYN ━━━━━❯┃         ┃
┃ scanner ┃             ┃ target  ┃
┃         ┃         ... ┃         ┃
┃         ┃             ┃         ┃
┗━━━━━━━━━┛             ┗━━━━━━━━━┛

If port is filtered, scanner receives nothing.

Packet could have been lost in network. Scanner can retry.

Eventually scanner concludes:

  • target is offline;
  • or port n is filtered.

If scanner knows target is online, port must be filtered.

TCP connect scan

┏━━━━━━━━━┓             ┏━━━━━━━━━┓
┃         ┣━━ SYN ━━━━━❯┃         ┃
┃ scanner ┃❮━ SYN/ACK ━━┫ target  ┃
┃         ┃━━ ACK ━━━━━❯┃         ┃
┃         ┃━━ RST ━━━━━❯┃         ┃
┗━━━━━━━━━┛             ┗━━━━━━━━━┛

Scanner opens TCP connection to target on port n, as if trying to connect to service.

Does not require administrative privileges, but slower.

More likely to be logged, as connection reaches application, instead of being handled entirely by operating system.
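The connect scan above, written out as an added example (this code is not part of the lecture materials and uses no scanning library, only the standard socket API). It performs the ordinary three-way handshake and maps the outcome onto the lecture's three states: open (SYN/ACK received, handshake completed), closed (RST, reported by the operating system as "connection refused") and filtered (nothing came back before the timeout). The demo function scans the local host only: it starts a listener on an ephemeral port, which is how an administrator would confirm what a scanner sees on their own machine.

```python
import errno
import socket


def classify_port(host, port, timeout=1.0):
    """TCP connect scan of a single port: attempt the full three-way
    handshake exactly as an ordinary client would, then map the result
    onto the three states used in the lecture.

      open     -> handshake completed (target answered SYN/ACK)
      closed   -> target answered with RST (errno ECONNREFUSED)
      filtered -> no usable answer before the timeout
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        rc = sock.connect_ex((host, port))   # returns an errno instead of raising
    except OSError:                          # covers socket.timeout on every Python version
        return "filtered"
    finally:
        sock.close()                         # tear the connection down again (FIN/RST)
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    # ETIMEDOUT / EWOULDBLOCK and host-unreachable errors all mean "nothing
    # usable came back"; the lecture lumps these together as filtered.
    return "filtered"


def scan_ports(host, ports, timeout=1.0):
    """Connect-scan several ports; returns {port: state}."""
    return {port: classify_port(host, port, timeout) for port in ports}


def demo_on_localhost():
    """Constructed demo: listen on one ephemeral port and scan it together
    with a port nobody is listening on. The kernel completes the handshake
    for the open port from the listen backlog even though accept() is never
    called, which is the 'handled entirely by the operating system' behaviour
    the lecture describes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free ephemeral port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Reserve and immediately release a second port so we know it is unused.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    print(demo_on_localhost())   # ('open', 'closed')
```

Because the handshake completes, the target's service (if it calls accept) sees a connection that was opened and immediately closed, which is exactly why connect scans show up in application logs more often than SYN scans.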

Nmap

Nmap is one of the best known examples of port scanning software.

It supports many other kinds of scan and is highly configurable.

It can also try to identify which program is listening on each port.

Example: Instead of just "port 80 is open", Nmap says "port 80 is open, the webserver is Apache 2.4.52 and the operating system is Ubuntu Linux 20.04".

Why port scan?

If you are an attacker:

You get a list of server software running on your target.

  • You can check the versions of the server software against published lists of known vulnerabilities and run exploit code (probably written by someone else).
  • You can explore the server to see if it is misconfigured.

If you are a system administrator:

  • You see what an attacker sees and can try to defend against it.
  • You can find out if any server software is running accidentally.
  • You can check your firewall is working correctly.

Firewalls

A firewall is a computer (or software running on a computer) that restricts access to the network, with the aim of blocking unauthorised or unwanted communications.

Most often: Stop attackers from connecting to potentially vulnerable hosts on a network.

But also: Stop network users from leaking data (intentionally or not).

Separate firewall (not running on computer being protected) is more robust.

Stateless packet filters

Most simple type of firewall is a stateless packet filter.

It looks at each packet and decides whether to let it through (allow) or block it (deny).

Firewall has no memory of previous packets.

Decision is made purely on the basis of the packet.

Configuring a firewall

In principle, firewall software could have a function that takes a packet as an argument and returns true/false to indicate allow/deny.

Then, you could configure the firewall by writing that function.

But would be needlessly complex and error-prone for most applications!

Many firewalls can be configured using a table of rules.

Easy to understand and flexible enough for many applications.

Firewall rules

The firewall takes each packet and checks it against each rule in sequence.

As soon as a rule matches the packet, it picks the rule's action (allow/deny).

If no rule matches, pick the default action.

  #        Proto   Source IP/port   Dest IP/port   Action
  1        TCP     10.0.0.1         any            allow
  2        TCP     10.0.0.*         any:23         deny
  3        UDP     1.1.1.1:53       10.0.0.*       allow
  4        TCP     any              10.0.0.2:80    allow
  default                                          deny
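The first-match evaluation of that rule table, as an added example that is not part of the lecture materials. The rule syntax (`any`, a trailing `*` octet wildcard, and `ip:port`) is an assumption chosen to mirror the table as written; the sample packets are constructed and use the documentation address ranges 198.51.100.0/24 and 203.0.113.0/24. Running it makes two properties of first-match filtering visible: rule 1 lets 10.0.0.1 reach port 23 even though rule 2 would deny it, because order decides, and a stateless table with these rules drops the webserver's own replies (10.0.0.2:80 back to the client), since no rule describes return traffic.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    proto: str        # "TCP", "UDP" or "any"
    src: str          # e.g. "10.0.0.1", "10.0.0.*", "1.1.1.1:53", "any", "any:23"
    dst: str
    action: str       # "allow" or "deny"


def _split_endpoint(spec):
    """'10.0.0.2:80' -> ('10.0.0.2', 80); 'any' -> ('any', 'any')."""
    ip, _, port = spec.replace(" ", "").partition(":")
    return ip, (int(port) if port else "any")


def _ip_matches(pattern, ip):
    """'any' matches everything; a '*' octet in the pattern matches any octet."""
    if pattern == "any":
        return True
    want, have = pattern.split("."), ip.split(".")
    return len(want) == 4 and len(have) == 4 and all(
        w == "*" or w == h for w, h in zip(want, have))


def _port_matches(pattern, port):
    return pattern == "any" or pattern == port


def rule_matches(rule, pkt):
    """A rule matches only if protocol, source and destination all match."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    src_ip, src_port = _split_endpoint(rule.src)
    dst_ip, dst_port = _split_endpoint(rule.dst)
    return (_ip_matches(src_ip, pkt.src_ip) and _port_matches(src_port, pkt.src_port)
            and _ip_matches(dst_ip, pkt.dst_ip) and _port_matches(dst_port, pkt.dst_port))


def filter_packet(rules, pkt, default="deny"):
    """Stateless filter: walk the rules in order, first match wins, otherwise
    apply the default. Returns (action, matched rule number or None)."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, number
    return default, None


# The lecture's rule table, transcribed as data.
RULES = [
    Rule("TCP", "10.0.0.1", "any", "allow"),
    Rule("TCP", "10.0.0.*", "any:23", "deny"),
    Rule("UDP", "1.1.1.1:53", "10.0.0.*", "allow"),
    Rule("TCP", "any", "10.0.0.2:80", "allow"),
]

# Constructed sample traffic for the demo.
SAMPLE_PACKETS = {
    "host1 to telnet": Packet("TCP", "10.0.0.1", 40000, "198.51.100.9", 23),
    "host5 to telnet": Packet("TCP", "10.0.0.5", 40000, "198.51.100.9", 23),
    "dns reply":       Packet("UDP", "1.1.1.1", 53, "10.0.0.7", 5353),
    "web request":     Packet("TCP", "203.0.113.5", 51234, "10.0.0.2", 80),
    "web reply":       Packet("TCP", "10.0.0.2", 80, "203.0.113.5", 51234),
    "host1 ntp (udp)": Packet("UDP", "10.0.0.1", 123, "198.51.100.9", 123),
}


def evaluate_samples():
    """Decision for every sample packet: {name: (action, rule number)}."""
    return {name: filter_packet(RULES, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, number) in evaluate_samples().items():
        print(f"{name:16s} -> {action:5s} (rule {number})")
```

In a real deployment the dropped "web reply" would be fixed either by adding a rule for traffic from 10.0.0.2:80 outward (which, being stateless, would also let that port send to anyone) or by moving to a connection-tracking firewall.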

Connection-tracking firewalls

Connection-tracking firewalls maintain a table of current network connections.

Can block packets that violate TCP standard. (Some operating systems vulnerable to malformed TCP packets.)

Can allow "related" new connections while blocking faked responses.

Needs more memory and processing power.

Under high load, if the table gets full, connections get dropped!
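A minimal connection tracker, added here as an example; it is not part of the lecture materials. The policy it enforces is an assumption for the demo: hosts in 10.0.0.0/24 may open TCP connections outward, and packets arriving from outside are allowed only when they continue a connection an inside host started. The scripted exchange (constructed) shows the three points the slide makes: a forged SYN/ACK with no matching outbound SYN is dropped, a responder packet whose flags do not fit the connection's state is dropped, and once the table is full new connections are refused.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset     # TCP flags present, e.g. frozenset({"SYN", "ACK"})


class ConnTracker:
    """Connection-tracking filter for TCP, keyed by the 4-tuple of the
    SYN that opened each connection. States: SYN_SENT, ESTABLISHED."""

    def __init__(self, inside_prefix="10.0.0.", max_entries=1024):
        self.inside_prefix = inside_prefix     # assumed internal network
        self.max_entries = max_entries         # bounded table, as in a real firewall
        self.table = {}                        # (src_ip, src_port, dst_ip, dst_port) -> state

    def _inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def handle(self, pkt):
        """Return 'allow' or 'deny' for one packet, updating the table."""
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

        if fwd in self.table:                          # packet from the initiator
            if "RST" in pkt.flags:
                del self.table[fwd]                    # connection aborted
            return "allow"

        if rev in self.table:                          # packet from the responder
            state = self.table[rev]
            if "RST" in pkt.flags:
                del self.table[rev]
                return "allow"
            if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
                self.table[rev] = "ESTABLISHED"         # handshake step 2 seen
                return "allow"
            if state == "ESTABLISHED" and "SYN" not in pkt.flags:
                return "allow"                         # data / ACK / FIN on a live connection
            return "deny"                              # flags that violate the TCP state

        # Untracked: only a fresh SYN from inside to outside may create an entry.
        if pkt.flags == {"SYN"} and self._inside(pkt.src_ip) and not self._inside(pkt.dst_ip):
            if len(self.table) >= self.max_entries:
                return "deny"                          # table full: new connections dropped
            self.table[fwd] = "SYN_SENT"
            return "allow"
        return "deny"       # unsolicited inbound packet, including a forged SYN/ACK


def demo():
    """Constructed exchange: one real connection, a forged reply, an unsolicited
    inbound SYN, and a second connection that finds the (tiny) table full."""
    fw = ConnTracker(max_entries=1)
    client, server = ("10.0.0.5", 40000), ("198.51.100.9", 80)
    S = frozenset
    events = [
        ("client SYN",        Packet(*client, *server, S({"SYN"}))),
        ("forged SYN/ACK",    Packet("198.51.100.9", 443, "10.0.0.5", 40001, S({"SYN", "ACK"}))),
        ("real SYN/ACK",      Packet(*server, *client, S({"SYN", "ACK"}))),
        ("client ACK",        Packet(*client, *server, S({"ACK"}))),
        ("server data",       Packet(*server, *client, S({"ACK", "PSH"}))),
        ("inbound SYN",       Packet("198.51.100.9", 40000, "10.0.0.5", 22, S({"SYN"}))),
        ("second client SYN", Packet("10.0.0.6", 40002, *server, S({"SYN"}))),
    ]
    return {name: fw.handle(pkt) for name, pkt in events}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} -> {decision}")
```

The cost the slide mentions is visible in the code: every live connection occupies a table entry, and `max_entries` is the point at which legitimate new connections start to be refused under load.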

Application firewalls (1/2)

Application firewalls inspect the contents of connections.

Example: Can block e-mails with attachments, or even remove them for manual inspection.

Many recent applications use HTTP. Port-based filtering can't distinguish them.

Example: Can block an instant messaging service that communicates over HTTP.

Application firewalls (2/2)

Malware and exploits often use particular application-level commands.

Application firewalls can spot this and block them.

Example: Block request for a webpage with a very long parameter; could be attempt at a buffer overflow.

Problem: Application firewalls can't inspect encrypted connections.

Firewall policy

Many firewalls are configurable through a table of rules.

But how do we decide what policy to implement?

Will depend on needs of a particular organisation.

What services need to be allowed?

May not be uniform across the network.

Example: Allow incoming HTTP requests, but only to webserver.

By default, block everything not needed... but make sure this is acceptable to users.

Ethical issues: port scanning

Port scanning tools are useful for attackers, but also useful for defence.

Is it ethical...

  • to write port scanning software?
  • to distribute it?
  • to use it on someone else's network?
  • to restrict its distribution or use by law?
  • to use it as part of an attack...
      • on the infrastructure of an oppressive government or exploitative company?
      • to expose secrets of corrupt politicians?
      • to monitor citizens and detect fraud committed by them?

Ethical issues: firewalls

Firewalls can help to protect your network from attack and protect confidentiality of your data.

The same technology can be used to...

  • ...censor access to websites unfavourable to a government.
  • ...monitor and record network traffic of employees.
  • ...hide networks run by criminals from police.