 |  |
Chapter 22. Administrative Services
Contents:
System Management ProtocolsRouting Protocols
Protocols for Booting and Boot-Time Configuration
ICMP and Network Diagnostics
Network Time Protocol (NTP)
File Synchronization
Mostly Harmless Protocols
22.1. System Management Protocols
These protocols are used to manage devices on the network, either by simply conveying information about their status or by actually controlling remote devices.22.1.1. syslog
syslog is used to manage log messages in a centralized way. syslog got its start as a way of centrally recording messages for a set of Unix machines, but many network devices (routers, hubs, etc.) now use syslog to report status and usage information. Such devices often don't even have a way to record this information locally, because they don't have any writable storage media; if you want to know what they're reporting, something has to be listening to their syslog messages.icrosoft operating systems do not provide syslog support; instead, they use a combination of a local log manager and SNMP for remote event reporting. It is possible to get implementations of syslog for such systems.
Attackers will often attempt to flood a site's syslog server in order to cover their tracks, so that the server runs out of disk space and stops logging new messages, or so that the evidence of their activities is lost in the noise. Recent versions of syslog often have the ability to turn off listening from the network, while still keeping the ability to send messages to remote servers; some of them also provide the ability to accept remote messages only from specific source addresses.
22.1.1.1. Packet filtering characteristics of syslog
syslog is a UDP-based service. syslog servers (which record messages logged by other systems) listen on UDP port 514. syslog clients generally (but not always) use ports above 1023 to talk to servers. syslog servers never send messages back to clients. syslog servers can be configured to pass messages along to other syslog servers; in such cases, the sending server generally uses port 514 as the client port. There are TCP-based variants of syslog available, but there is no standard yet.| Direction | SourceAddr. | Dest.Addr. | Protocol | SourcePort | Dest.Port | ACKSet | Notes |
|---|---|---|---|---|---|---|---|
| In | Ext | Int | UDP |
>1023[146]
|
514 |
[147]
|
External client contacting internal syslog server |
| In | Ext | Int | UDP | 514 | 514 | [147] | External syslog server passing message to internal syslog server |
| Out | Int | Ext | UDP | >1023[146] | 514 | [147] | Internal client contacting external syslog server |
| Out | Int | Ext | UDP | 514 | 514 | [147] | Internal syslog server passing message to external syslog server |
[146]Some syslog clients sometimes use ports below 1024.
[147]UDP has no ACK equivalent.
22.1.1.2. Proxying characteristics of syslog
syslog is a self-proxying protocol; that is, syslog servers can generally be configured to simply pass messages they receive on to other syslog servers. Although syslog would be straightforward to proxy with a proxy system that knows about UDP, there do not appear to be implementations available that provide this facility.
22.1.1.3. Network address translation and syslog
Although syslog does not use embedded IP addresses, the log entries syslog makes include information derived from the source IP address; using network address translation may make it hard to figure out where messages are from.
22.1.2. Simple Network Management Protocol (SNMP)
SNMP is a standardized remote monitoring and management mechanism for network devices like hubs, routers, and bridges, as well as servers and workstations. The theory is that any SNMP-capable management station should be able to monitor and control any SNMP-capable network device.Normally, SNMP management stations act as clients, contacting SNMP servers in the various network devices to request information or to issue commands. Sometimes, network devices act as SNMP clients to contact special SNMP servers (known as trap servers) on management stations to report critical information that can't wait until the next time the management station polls the device. SNMP trap servers are separate from regular SNMP servers so that a given machine can run both -- that is, can be both an SNMP server (and thus be manageable via SNMP) and an SNMP trap server (and thus be a management station and receive traps from other devices).
In general, you don't want someone from the outside to be able to manage your network via SNMP. Therefore, you shouldn't allow SNMP to cross your firewall, and you should carefully configure (or disable) SNMP on your systems that are outside your firewall so that attackers can't use it to change that configuration. See Chapter 10, "Bastion Hosts", Chapter 11, "Unix and Linux Bastion Hosts", and Chapter 12, "Windows NT and Windows 2000 Bastion Hosts ", for more information on how to properly configure bastion hosts.
The SNMP version in widest use, which is SNMPv2, does support some rudimentary security; when information is requested, the requester needs to specify a community that it's in. Different communities can be shown different information, and in some implementations, a reusable password can be required for certain communities. At its best, this security is quite primitive; anybody who's doing packet sniffing can easily discover a community name and password. Since relatively few implementations support passwords, and almost all implementations provide a default community called "public", it's very rare to find things at their best. At least one implementation not only comes with the "public" community but does not provide any permanent way to disable access for this community!
SNMP can be an extraordinarily dangerous protocol. The minimal information most devices will give out includes operating system details and precise traffic loads and destinations, which is already information you don't want attackers to have. Many implementations add even more critical information (for instance, icrosoft's SNMP server will list all valid account names on the machine and most of the services running on it). In addition, it is possible for a remote machine not only to request information but to set variables. Since SNMP is intended for network management, and an SNMP client is expected to be a network management console, these variables usually give you full control of at least the machine's network configuration, and often more than that. For instance, you can often reboot a remote machine via SNMP, and icrosoft systematically attempts to make all the functionality of service control panels available over SNMP. Routers can often be completely controlled via SNMP.
In general, the default "public" community is able only to read information, but it is often able to read all the available information, which in several implementations from large router vendors includes a listing of all the communities and their capabilities, so that anybody can read the information about how to get write access.
On machines that are running multiple SNMP-enabled services (for instance, machines that have an operating system SNMP agent and are also running Oracle), SNMP servers may be at unexpected ports. If multiple SNMP agents need to run on the same machine, only one of them can be at SNMP's normal port. One way to deal with it is to have a master agent at that port and move some or all of the other SNMP agents to other ports (normally above 1024, since that's where free ports are likely to be). The master agent then speaks SNMP to the other agents (commonly referred to as sub-agents), which don't have to be aware that there's anything unusual happening. This is a very flexible approach, but it is yet another service that may be vulnerable if you open up connections above 1024.
22.1.2.1. SNMP version 3
Implementations of SNMPv3 are just becoming available. SNMPv3 provides greatly enhanced security, including user authentication, encrypted communications, and time-stamped digital signatures that prevent attackers from intercepting and resending packets. Gateways that translate between SNMPv3 and earlier versions of SNMP are available, allowing you to use SNMPv3 across insecure links to manage older devices as long as there is some secure link between the gateway and the managed device.
22.1.2.2. Packet filtering characteristics of SNMP
SNMP is a UDP-based service. SNMP servers (in network devices) listen on UDP port 161. (TCP port 161 is also reserved for use by SNMP but has been used only experimentally.) SNMP trap servers (in management stations) listen on UDP port 162. SNMP clients generally use ports above 1023 to talk to both regular and trap servers. By convention, SNMP sub-agents are at port 1161, but they might be anywhere.| Direction | SourceAddr. | Dest.Addr. | Protocol | SourcePort | Dest.Port | ACKSet | Notes |
|---|---|---|---|---|---|---|---|
| In | Ext | Int | UDP | >1023 | 161 |
[148]
|
Query from external management station to internal SNMP device |
| Out | Int | Ext | UDP | 161 | >1023 | [148] | Response from internal SNMP device to external management station |
| Out | Int | Ext | UDP | >1023 | 161 | [148] | Query from internal management station to external SNMP device |
| In | Ext | Int | UDP | 161 | >1023 | [148] | Response from external SNMP device to internal management station |
| In | Ext | Int | UDP | >1023 | 162 | [148] | Trap from external SNMP device to internal management station |
| Out | Int | Ext | UDP | >1023 | 162 | [148] | Trap from internal SNMP device to external management station |
[148]UDP has no ACK equivalent.
All versions of SNMP use the same port numbers, so you will not be able to tell what version you are allowing through your packet filters. Since different versions have very different levels of security, you will probably want to limit access to those devices that you know are appropriately secure.
22.1.2.3. Proxying characteristics of SNMP
SNMP is not commonly used across the Internet (although Internet service providers frequently use it), and proxies are not widely available. You may be able to modify network management stations to use proxies for SNMP gets, but in many cases, you will not be able to do traps through proxies. This is because the SNMP agent has to generate the trap, and it is often running on a device where neither the software nor the procedures are particularly modifiable.
22.1.2.4. Network address translation and SNMP
SNMP does not use embedded IP addresses directly, and SNMP itself will function without problems through network address translation systems. However, the information that's distributed through SNMP will almost always include IP addresses that will not be translated. This may leak information that's considered confidential and will certainly cause problems if any person or program tries to use the information. A number of network management programs will use the address information inside the SNMP data to make subsequent connections to managed machines, which will not work.
22.1.3. System Management Server (SMS)
Microsoft's System anagement Server is a suite of programs used to manage Windows computers. It is not a single service, and the exact services that are included change with different releases of SMS. The basic functions of SMS are:
- Hardware and software inventory
- Software distribution
Shared application management
Remote control
- An enhanced network monitor
- SNMP tools to convert events to traps and receive traps
Database tools to clean databases and produce reports
SMS has very serious security implications. The SMS hardware and software inventory provide detailed information about machines, and the software distribution mechanism allows any command to be executed with full Administrator permissions. All client machines are completely at the mercy of the SMS servers. In addition, an SMS system normally involves multiple server machines (for instance, one running the database server, one running software distribution, and one storing the shared applications), and those servers all trust each other. If any of the machines involved is compromised, the attacker will have control of all of the servers and, through them, of all of the clients.
Several of the utilities included in SMS are useful in a firewall environment; the network monitor, for instance, is an important diagnostic tool, and there is a tool for turning events into SNMP traps. The primary functions of SMS (hardware and software inventory, software distribution, and shared application management) are all risky and should not be run through a firewall or to firewall machines.
22.1.4. Performance Monitor and Network Monitor
Under Windows NT, the two most frequently used tools for diagnosing system problems and tracking usage are Performance Monitor and Network onitor. Both of these programs allow you to access remote machines and get data from them. They are based on SMB transactions, which are discussed further in Chapter 14, "Intermediary Protocols".Performance Monitor and Network Monitor both provide information that's useful to attackers. Performance Monitor is the less interesting of the two; it provides performance and utilization data that will tell an attacker some useful data about the machine configuration, the amount of work needed to produce a denial of service, and the likelihood that anybody will notice if the attacker starts using the machine, but it doesn't give out anything of immediate use in breaking into the machine.
Network Monitor, on the other hand, comes with an agent that will let an attacker use the machine as a remote network sniffer. The version of Network Monitor that comes with Windows NT shows only packets sent to and from the machine it's running on (including broadcast and multicast packets), but that's plenty of data for an attacker to do damage with. If you have installed the full-featured version that comes with System Management Server, it will show all traffic that comes to the port, regardless of the machine that the traffic was sent to. Depending on your network configuration, this may make no difference (for instance, on a switched network, hosts will normally receive only their own traffic), or it may be all the traffic on the network segment (for instance, if you're using simple hubs or classic Ethernet bus-style cabling).
Because they are based on SMB transactions, Network Monitor and Performance Monitor are difficult to secure through a firewall, and you should not allow them. Because the Network Monitor Agent and Performance Monitor are extremely useful management tools, you may want to allow them on machines that make up your firewall. In this situation, you should be sure that they are not running on interfaces that can be reached from the Internet. It would be better yet to run Network Monitor and Performance Monitor locally on the firewall machine and disable SMB over the network altogether.
22.1.5. Summary Recommendations for System Management
- Do not allow any system management protocols across or into your firewall from the Internet. (This may require special SNMP configurations on your packet filtering routers, which are probably themselves SNMP-capable devices.)
- If you need to use SNMP remotely, use SNMPv3.
|  | |
| 21.9. Auth and identd |  | 22.2. Routing Protocols |
