
Network protocols I have known


No politics today. No philosophy. But I’m going full geek. So, if you know something about networking, go ahead.

You’re traveling through the Internet, a place not only of sight and sound but of mind. A journey into a wondrous land whose boundaries are that of imagination. That’s the signpost up ahead – your next stop, the geek-zone.

Network protocols let us send email, transfer files and communicate. There are many of them, and many have been lost through the ages. Some of them make the world go round, and many pay my paycheck. I work in IT-security, by the way. Just so you know.
Some of the good protocols have flaws, and some of the bad and ugly ones have merits. I know that, and I admit this list is built on my personal opinions more than anything. Still, it is what it is. If you’re looking for consistency, it may occasionally occur.
And IT-security never ages well, so… You know…

The Good

Kerberos

Like many protocols still in use, it’s getting old. But it still has power and is a very capable authentication standard. I love Kerberos, but I hope it gets a serious upgrade to shed its known security problems, because it handles trust in a scalable and sane manner. It lets computers authenticate with little disruption, and it has a future even in the hostile world we live in.

Still, it works better on local networks than over the Internet. That is no surprise, as it was never really intended for federations and trust across large parts of the world. It may have had its best days, but it still has a future. And a three-headed dog. Sounds like an awesome pet.

IPSEC

Setting it up is tedious, and you incur a heavy overhead on traffic if you combine AH and ESP. But still, it’s reliable and secure. It can do little magic tricks, like protecting traffic that is still in cleartext, because an attacker cannot easily change it without detection. It can lock computers away from each other without any extra hardware or firewalls. It can do much, and it delivers secure communications with little disruption.

SSH

Maybe I’m too kind. Not sure I like rsync and SCP so much, and they use SSH today. But still, if you put some effort into it, SSH can be put directly on the Internet. I would recommend administering stuff over a VPN. But still. Heck yeah, it’s easy to set up and very capable.

ICMP

Some parts of ICMP belong on the bad and the ugly lists. Seriously. “Router advertisement” and “loose source routing”. But I’m going to assume you turned those off and hardened your systems enough not to get into trouble with hackers stuck in the 90s.

ICMP echo and administratively prohibited are primitive, but very sleek. ICMP has several codes, but the functionality is small and very rudimentary. Given the enormous complexity of modern protocols, this is quite appealing. They do suffer from not having any integrity protection, this I must concede. But darn it, working with them makes troubleshooting easy.

TCP/IP

This is one that has stood the test of time well and is up to any task you have for it. Also getting old, but it still does what it’s supposed to do. It’s really two protocols, but it’s hard to imagine one without the other. And IPSEC can make them work well in a modern environment.

It is pretty much a monopoly, but seriously, would you like to go back to IPX/SPX? Maybe for a round of Red Alert 2. But I think Novell NetWare belongs in a museum.

Btw, I don’t care for UDP. You cannot make me!

The Bad

FTP

I’m going to be 100% clear: I’m not complaining about the lack of encryption. That can be solved. But seriously, a protocol that may need your firewall to open inbound ports on the fly just to work. What’s up with that? And bounce attacks. And jump to DOS prompt. This protocol is deceptively easy, until you struggle with RFC1918 addresses on both ends of the communication, or just a firewall with no ALG. Good luck with that garbage can of a protocol.
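As an added illustration of what a firewall ALG has to do for active-mode FTP (example code written for this page, not from the original post): it decodes the PORT command the client sends on the control channel and refuses to open a pinhole when the requested address is not the client’s own, which is the bounce attack mentioned above. The client address and the sample commands are constructed.

```python
import ipaddress
import re

# Constructed: the peer address of the FTP control connection as the firewall sees it.
CLIENT_IP = "192.168.1.10"

# RFC 959 active mode: "PORT h1,h2,h3,h4,p1,p2" -> data connection to h1.h2.h3.h4:(p1*256+p2)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Decode a PORT command into (ip, port); None if it is not well-formed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    parts = [int(x) for x in m.group(1).split(",")]
    if any(p > 255 for p in parts):       # every field is one octet
        return None
    ip = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    return ip, port


def check_port_command(line, client_ip):
    """Verdict an ALG can act on before opening an inbound pinhole:
    'allow'     - address is the control-connection client, ephemeral port
    'bounce'    - PORT points at a third host (classic FTP bounce)
    'lowport'   - PORT points at a privileged (<1024) port on the client
    'malformed' - not a parseable PORT command"""
    parsed = parse_port_command(line)
    if parsed is None:
        return "malformed"
    ip, port = parsed
    if ipaddress.ip_address(ip) != ipaddress.ip_address(client_ip):
        return "bounce"
    if port < 1024:
        return "lowport"
    return "allow"


# Constructed control-channel lines as an ALG would see them.
SAMPLE_COMMANDS = [
    "PORT 192,168,1,10,195,80",   # client's own address, port 50000: legitimate
    "PORT 10,0,0,5,0,25",         # third-party host, port 25: bounce attempt
    "PORT 192,168,1,10,0,22",     # client address but privileged port 22
    "PORT 192,168,1,10,300,1",    # octet out of range
    "USER anonymous",             # not a PORT command at all
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{cmd:30} -> {check_port_command(cmd, CLIENT_IP)}")
```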

WEP

I know, it should not be a problem today. But it still is. And “it’s at least encrypted”. But that does not help. I can like unencrypted protocols, because they work if you take that into account. But a protocol that claims to be secure, only to be pretty much cleartext to anyone with Kali Linux, is not ok.

I’m leaving this without further remarks, just asking you to turn it off. Friends do not let friends do WEP.

RDP

Remote Desktop Protocol made the cut for the bad list. I was on the verge of putting it on the ugly list, but my kinder side prevailed. It’s useful on a local network, and it’s a great way to administer a Windows machine if you have no concept of security. I mean, ever heard of RSAT (Microsoft’s remote tools), which lets you administer services without jumping into the server itself?
But it’s a horror show should you ever decide to put it directly on the Internet. Don’t hide it on, say, port 51921, and hope no one finds it. Eventually they will. Historically, it has provided the world with plenty of remote code execution opportunities, bad encryption, and possibilities to guess passwords.

I know it can be decently secured with gateways, but most people don’t bother. They just let their sparkling new cloud-based Windows-machine hang out with the rest of the Internet. If you see no problems with that, you may be part of the problem.

UPNP

Nice locked door you have. Any wolf in sheep’s clothing can get in. Why? It’s a feature of UPNP, not a bug. A great hole in the armour, so your machine can open ports for applications that others may want to reach on your machine.
And there is no way anything bad could happen?

mDNS

Bonjour, mes amis. I know exactly what’s on my network. I just scream “Is anyone out there” and the answers come in immediately. “I’m a printer with LPD out of yellow toner”, “I’m NAS – wanna see my shares?”, “I’m a washing machine and you have forgotten your underwear for two weeks”.

Ok, so knowing what devices you have on the network is sweet. No more “What the heck is the IP of the office printer?”. But in this day and age, silence is better than responding to anyone asking anything. I don’t want to be too hard on mDNS, as it’s very useful. And it may be the last reason for anyone to use Lansweeper for anything.

But I must say that we live in a world where (and this must be said with Morgan Freeman’s amazing voice) malicious intent must be expected by anyone, everywhere.

The Ugly

SMB/CIFS

Windows file sharing. It’s up to version 3.1 or something right now. Lots of new features that shine like lip gloss on the pig it really is. So, Microsoft removed the infamous 1.0, which was no fun for Ukraine in 2017. And you can add features to it as much as you want. It will never be secure.

And it’s provided through port 445 on Windows. You know, the black hole into everything Windows can provide.
It’s a protocol with enough buggy features (offline files, anyone?), security holes and general horror that the Geneva Convention should cover it.

PPTP

The most evil, seductive, and horrid VPN you ever knew! Super easy to set up. Fast, stable, and capable. There is nothing wrong with it really. Except its “security”. It may look like you’re opaque on the Internet, but beware of the devil!

The Chuck Norris of security, Bruce Schneier, roundhouse kicked its authentication into space in the 90s. Microsoft then created an updated version of it, and Schneier just growled nastily at it. But it was Moxie Marlinspike that finally gave it the walking papers in the 2010s.

It still exists on many routers as the “If you really have no idea how to set up a decent VPN, I guess you could use this” option. If your protocol comes with a “we take no responsibility for…” legal clause, you might want to ponder the proposition of using post-it notes for communication instead.

VNC

Inefficient, slow, totally broken, unencrypted and kind of bad. I use it a lot, I must admit. But that’s because RDP messes up the audio cards in my recording devices. It’s the protocol that made for funny comments on the Internet like “I opened port 5900 to the Internet. Why is someone moving my mouse pointer?”.
It’s built for remote code execution in every way possible. If I found VNC on an Internet-facing server, I would almost assume it was a honeypot.

Big whoop! Wanna fight about it? ... Or maybe... you know... just leave a nice comment.
