Jargon Buster

Network and communications terms explained

Written by Network News, Network IT Week

Each week, Network News adds more terms, building an on-line Jargon Buster for readers.


B


Buffer overflow
Buffer overflows have become a common attack against applications, and have proven to be very dangerous.

When an application accepts data it does so into a buffer, which is a temporary storage location. The buffer has a fixed length, so it can hold only a finite amount of data. Problems occur when the buffer is not properly bounds checked.

This allows a malicious user to purposely send more information than the buffer can hold, causing errors. This can overwrite memory space allocated to a different buffer or application. This can either crash the machine or damage data integrity.

More malicious, but requiring some skill, is when instructions are tacked onto the end of the buffer overflow. If put in the correct place the instructions can be executed by the computer with the same privileges as the process.

As many processes run at root or admin level, the attacker can perform tasks including adding a new user, deleting data, or uploading a Trojan. Attacks like this are hard to defend against and have become popular with many crackers.

The most famous examples are the attacks made against Microsoft IIS servers, with some new ones found recently. In all cases the fix requires a patch that properly checks and deals with this kind of malicious input.
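The kind of check such a patch adds can be seen in a small C parser, given here as an added example rather than code from any product mentioned above. The wire format (one length byte followed by a name), the 32-byte buffer and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>

#define NAME_BUF 32   /* fixed-length buffer; wire format: [1-byte length][name bytes] */

struct request {
    char   name[NAME_BUF];
    size_t name_len;
};

/* Unchecked, for contrast only and never called: it trusts the sender's
 * length byte, so any value above NAME_BUF writes past req->name. */
void parse_unchecked(struct request *req, const uint8_t *msg)
{
    req->name_len = msg[0];
    memcpy(req->name, msg + 1, req->name_len);
}

/* Checked: returns 0 on success, -1 when the message is rejected. */
int parse_checked(struct request *req, const uint8_t *msg, size_t msg_len)
{
    if (msg == NULL || msg_len < 1)
        return -1;                        /* no length byte */
    size_t declared = msg[0];
    if (declared > sizeof req->name)
        return -1;                        /* would overflow the buffer */
    if (declared > msg_len - 1)
        return -1;                        /* more than was received */
    memcpy(req->name, msg + 1, declared);
    req->name_len = declared;
    return 0;
}

int demo_valid(void)                      /* constructed, well-formed */
{
    const uint8_t msg[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    struct request req = {0};
    return parse_checked(&req, msg, sizeof msg) == 0 &&
           req.name_len == 5 && memcmp(req.name, "alice", 5) == 0;
}

int demo_oversize(void)                   /* declares 200 bytes for 32 */
{
    const uint8_t msg[201] = { 200 };
    struct request req = {0};
    return parse_checked(&req, msg, sizeof msg);
}

int demo_truncated(void)                  /* declares 10, only 3 arrive */
{
    const uint8_t msg[] = { 10, 'a', 'b', 'c' };
    struct request req = {0};
    return parse_checked(&req, msg, sizeof msg);
}

int main(void)
{
    return (demo_valid() && demo_oversize() == -1 && demo_truncated() == -1) ? 0 : 1;
}
```

The checked parser compares the declared length against both the buffer size and the number of bytes actually received, so a message is rejected before any copy takes place.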

http://packetstormsecurity.nl/docs/infosec/buffer-overflows/w00w00-heap-overflows.txt

D

DNS
The Domain Name System (DNS) is the method used on the internet to translate the people-friendly text-based domain name into an IP address.

DNS servers contain tables of domain names and the addresses they map to. In addition to the simple mapping, DNS records also have special mappings such as the mail record.

This tells a transmitting email server where the destination email server is on the remote domain. Each domain can have several entries depending on the number of machines on the network. For example, the 'www' prefix on a domain name refers to the web server on that domain.

DNS requests can also be made in reverse, which translates an IP address into the domain name. This can be used to verify the identity of a remote computer.

DNS servers are key to the internet and often a target for hackers. If a domain entry is hacked, for example, the hacker can change the web site that it points at.

This can be used to steal confidential information. Alternatively denial of service attacks stop clients from resolving IP addresses and therefore accessing services.

The most common DNS server on the internet is BIND.

DWDM
Dense wavelength division multiplexing (DWDM) is an optical technology that increases the bandwidth capability of a strand of fibre optic.

The technology works by transmitting multiple signals at different wavelengths down the same strand. Essentially this is transmitting different light colours. The result is that one strand of fibre is transformed into many virtual strands. Current technology supports up to 240 simultaneous channels.

On a 2.5Gbps Sonet network with 80-channel DWDM, up to 200 billion bits could be sent down a single strand of fibre.

DWDM is bit-rate and protocol independent. IP, ATM, Sonet/SDH and Ethernet networks, or even a mixture, can all make use of the technology.

Installations require a DWDM box at either end of the network. When data is transmitted down a strand, the first DWDM box multiplexes the traffic onto the fibre, while the second unit demultiplexes it into its original format.

DWDM reduces the cost of deploying cabling and can speed up deployments. In theory the number of multiplexed channels can be increased.

The downside of the technology occurs if a cable is damaged, as all the multiplexed channels are lost. The resultant application errors increase the complexity of network management.

DWDM Tutorial

Differentiated Services (Diffserv)
This overcomes the limitations of Type of Service. It is a layer-3 protocol used at the edge of an enterprise which tags each frame, either at the originating device or at an intermediate point, to identify the requested level of service. It includes a Differentiated Services Code Point (DSCP) which specifies how each switch handles the frame.

I

IMAP4

The Internet Message Access Protocol 4 (IMAP4) was originally known as the Interactive Mail Access Protocol.

It was developed in 1986 at Stanford University and is similar in operation to POP3, but offers additional features. These features allow better interaction between email clients and servers.

The primary driving factor of the protocol is to allow bandwidth efficient access of email stored on a server. It works on the notion that messages always stay there.

This allows a client to issue the commands to download, delete and access messages, which always stay on the server.

Part of the efficient use of bandwidth is not requiring an entire mailbox to be downloaded every time it is viewed. For example, a mailbox listing can be provided by just downloading the header information. IMAP4 furthers this by allowing keyword searches to be performed on the server.

Much of this functionality has been included in later versions of POP3. It's common for ISPs to provide a web-based POP3 wrapper that performs most of the additional tasks. Most email servers and clients support both POP3 and IMAP4 to give a better selection. However, IMAP4 is likely to be the best choice if all emails are to remain on a central server.

Background Stanford University
www.imap.org

J

Jabber
Jabber is a common word found in network analysis and monitoring tools. It signifies that an error has occurred, although there are two definitions.

The first applies to any kind of network and is caused by a faulty device continuously transmitting data onto the network.

This is typically caused by a damaged Nic. The broadcast information is completely meaningless and just fills the network with data. In a shared bandwidth environment, this can stop other devices from transmitting, as they'll sense that the network is busy.

In a switched environment this is less of a problem, although the switch has additional load placed on it while it processes the information coming through.

The second definition only applies to Ethernet networks. The 802.3 standard clearly defines a minimum and maximum packet size. In this case a jabber is a packet that is larger than the 1518-byte defined limit.

Packets of this size can cause errors in devices that are programmed to properly check packet sizes.

Most jabbers will get caught at the switch, as these devices use store and forward to only pass on valid packets. Alternatively, Nics should have proper jabber control built in that only allows the card to transmit for 150ms, or approximately 1500 bytes.

M

MGCP

The Media Gateway Control Protocol (MGCP) is also known as H.248 and is one proposed standard for replacing the older H.323 for the conversion of audio signals carried over the PSTN to packets for data networks.

It was developed by Telcordia and Level 3 Communications and has been accepted by the IETF as Megaco and as H.248 by the Telecommunication Standardisation Sector of the ITU. The older H.323 was previously okay for Lans but it did not scale to larger networks.

The growth of VoIP has seen a need for a better protocol. MGCP is designed to make IP telephony devices cheaper because it eliminates the need for them being complex, processor intensive devices.

It does this by using a media gateway controller to set up, maintain and terminate calls between endpoints.

Part of this puzzle is to make sure that all endpoints involved in a communication are working at the same rate.

MGCP's controller can determine the location of all end points and accurately calculate the media capabilities of each.

In addition to voice, as the name suggests, the protocol can handle multi-point multimedia conversations, such as that found in video conferencing.

N

NAT
Network Address Translation (NAT) is a standard that allows one set of IP addresses to be used internally and another set to be used externally.

The technology requires a NAT box to sit at the internet gateway. It provides the translation between internal and external addresses.

This functionality is usually provided by the corporate firewall.

The firewall holds the pool of internal and external addresses so that it knows which translations are valid.

NAT has several advantages. First, it allows a company to have more internal IP addresses. As there is a translation on the way out there is no danger of a conflict with existing public IP addresses on the internet.

The freedom to organise the internal network by any method introduces greater flexibility to network management.

It makes logically dividing the network easier, which can make network management a lot easier to deal with.

It also means that if you want to expand the network at a later date you do not have to rely on the number of external IP addresses owned.

Next, NAT hides the internal structure of the network.

From a hacker's perspective there is no clear indication of how many machines exist on the internal network or how they are organised.


O

OSPF
Open Shortest Path First (OSPF) is a protocol used by routers on an IP network. It is now used in preference to the Routing Information Protocol (RIP), which is an ageing protocol.

It is used when a router detects a change in the network. The change is automatically sent to all machines in the same network to keep routing tables updated and identical across the network.

OSPF is more efficient than RIP, which sends the entire routing table for changes. OSPF only sends the specific change and only does so when a change occurs, not every 30 seconds like RIP.

OSPF is more intelligent when it comes to routing decisions and doesn't just count the number of hops to a destination. Instead it uses a link-state algorithm that takes into account additional network information, such as latency. Using this method routes are given a preference.

Most OSPF routers also support RIP, as there are still older devices built on this technology. However, OSPF will eventually replace RIP as the routing protocol of choice.

The updates sent every time a change occurs mean that routing problems including loops and count-to-infinity are prevented. However, the protocol requires a lot of CPU power and memory, although the benefits are substantial. The current version of OSPF is version 2.

RFC for OSPF 2
OSPF Explanation

P

PXE (Pre-boot eXecution Environment)
The Pre-boot eXecution Environment (PXE, but pronounced 'pixie') is part of Intel's open wired for management (WFM) specification that automates client management.

PXE is the component that allows a PC to boot remotely from an image stored on a server. This can be used to install operating systems and software on client machines without having to visit them. It's now common to find this option on disk imaging packages. Even if an OS is installed, PXE jumps in first and executes the image off the server.

PXE has a wake-on-Lan element in it that allows an administrator to remotely power a computer by sending a signal to the network card. For this to work, both the NIC and BIOS of the client machine have to support PXE.

Typically a PXE-enabled NIC is directly connected to the client motherboard so that it retains power even if the machine is turned off. The NIC sits on the network listening for a wake-up call from a management station - and then cycles the power of the computer.

Administration tasks can be set up in conjunction with automated tasks, such as backups. If the client machine is not turned on, then PXE will do this automatically without administrator intervention.

Intel Labs

Q

Quality of Service (QoS)
This is a generic term for measuring and maintaining the quality of network characteristics such as transmission and error rates.

S

SIP
Session Initiation Protocol (SIP) is a multimedia and telephony protocol that provides services including call forwarding, number delivery, authentication and other telecoms applications. The protocol can set up, control and tear down sessions including internet telephone calls and multimedia conferences.

SIP is the current buzzword amongst data-centric vendors of IP Telephony. At time of writing, it has yet to be ratified by the IETF.

The key to SIP's status is it provides for personal mobility - users are identified by an email-like address, allowing them to change terminals easily and quickly. Effectively, SIP neatly sidesteps the cost associated with installations, moves and changes in a traditional telecoms environment.

SIP can be used to offer callers a choice of ways of reaching a person. For example, calls can be routed to a mobile phone, messaging service or desk phones.

SIP is independent of the packet layer and runs over UDP or TCP, making it popular with data-centric IP telephony vendors. It is possible to run SIP over other protocols, but UDP and TCP seem to be getting all the attention at present.

Vendors hope SIP will become as ubiquitous as HyperText Transport Protocol (HTTP). However, SIP will only come into its own once it is ubiquitous.

IETF SIP Charter
www.cs.columbia.edu/sip
SIP Forum

SMB

The Server Message Block (SMB) protocol is used to allow applications to read and write files or request services from remote machines. It was developed by Microsoft and runs on top of other network protocols such as TCP/IP, IPX or NetBEUI.

SMB is the protocol used for network file sharing in Windows and DOS.

The NetBIOS protocol is actually based on SMB. Using NetBIOS with NetBEUI allows network engineers to get a file sharing network up and running very quickly, although TCP/IP scales further.

This doesn't mean that other operating systems cannot use SMB. An application called Samba is used by Unix and Linux to enable SMB. The Samba application allows Unix and Linux machines to appear on a Windows network so that file sharing can take place.

With SMB installed, an application can access files on a remote server, as well as additional resources including printers and named pipes. This allows an application to read, write and create files remotely.

Microsoft has made it easier for companies to write SMB clients, as it has offered an open-source version of SMB to the IETF.

The new protocol is called the Common Internet File System (CIFS) and is more flexible than existing standards such as FTP.

All about Samba

Stateful inspection

Stateful inspection is a type of firewall engine that works at the network layer. These firewalls are more secure than packet filtering firewalls, which only check the header of each incoming packet. Stateful inspection engines maintain session state and can look inside packets all the way up to the application layer to determine more about the contents.

As the connection state is maintained in a connection table, filtering decisions are made based on the context of a packet and not just administrator rules. This helps prevent attacks, such as malicious parties injecting harmful data into a communication stream.

Stateful inspection engines close all ports by default to help prevent port scans being run. Ports are then dynamically opened as needed. This is much more secure than simple packet filtering as can be seen by looking at FTP traffic.

FTP has a well-defined port number (21), but this is only used for control messages. When a file is downloaded, the FTP server negotiates with the client a higher port number for the transfer to take place on. A stateful inspection firewall can see this in progress and dynamically open the transfer port. A packet filtering firewall cannot do this, so either a large range of ports has to be left open or protocols such as FTP will fail to work.
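The FTP case can be modelled in a few lines of C. This is an added example, not code from any firewall product: it watches the control connection for the server's passive-mode reply and opens a single-use entry in the connection table for the negotiated port. The table size, function names and addresses are assumptions, and the check that the reply names the server's own address is an extra safeguard beyond what the entry above describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PINHOLES 8
#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

struct pinhole { uint32_t client, server; unsigned port; int used; };
static struct pinhole table[MAX_PINHOLES];      /* the connection table */

/* Inspect one server reply seen on the control connection (port 21).
 * Returns the data port opened for this client/server pair, or -1. */
int inspect_control(uint32_t client, uint32_t server, const char *line)
{
    unsigned v[6];
    const char *paren = strchr(line, '(');
    if (strncmp(line, "227 ", 4) != 0 || paren == NULL ||
        sscanf(paren, "(%u,%u,%u,%u,%u,%u)", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return -1;                      /* not a passive-mode reply */
    for (int i = 0; i < 6; i++)
        if (v[i] > 255) return -1;      /* malformed octet */
    unsigned port = v[4] * 256 + v[5];
    if (IP4(v[0], v[1], v[2], v[3]) != server || port < 1024)
        return -1;                      /* other host, or a low port */
    for (int i = 0; i < MAX_PINHOLES; i++)
        if (!table[i].used) {
            table[i] = (struct pinhole){ client, server, port, 1 };
            return (int)port;
        }
    return -1;                          /* table full: fail closed */
}

/* Decision for a new client-to-server connection: 1 = allow, 0 = drop. */
int allow_connection(uint32_t client, uint32_t server, unsigned dport)
{
    if (dport == 21)
        return 1;                       /* static rule for FTP control */
    for (int i = 0; i < MAX_PINHOLES; i++) {
        struct pinhole *ph = &table[i];
        if (ph->used && ph->client == client && ph->server == server && ph->port == dport) {
            ph->used = 0;               /* pinhole closes after one use */
            return 1;
        }
    }
    return 0;                           /* all other ports stay closed */
}

/* Constructed session: client 192.0.2.10, FTP server 198.51.100.5. */
int demo(void)
{
    uint32_t c = IP4(192, 0, 2, 10), s = IP4(198, 51, 100, 5);
    int before = allow_connection(c, s, 50000);
    int port   = inspect_control(c, s, "227 Entering Passive Mode (198,51,100,5,195,80)");
    int after  = allow_connection(c, s, 50000);
    int again  = allow_connection(c, s, 50000);
    return before == 0 && port == 50000 && after == 1 && again == 0;
}

int main(void) { return demo() ? 0 : 1; }
```

Port 50000 is refused before the reply is seen, allowed once afterwards, and refused again when the entry has been used, which is the dynamic opening that a packet filter with only static rules cannot provide.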

T

Type of Service (ToS)
Also known as IP Precedence, this is information defined in two fields of the IP header. The first field, precedence, is used to identify and route packets. A second field, the ToS sub-field, can define the type of service requested for the traffic.

U

UDDI

The Universal Description Discovery and Integration (UDDI) service is an industry-wide project designed to standardise the discovery of web services. Member companies include Microsoft, IBM, Sun, Oracle and HP.

The UDDI service is a distributed directory that enables businesses to advertise services and can be thought of as a web-based Yellow Pages. Microsoft and IBM operate the current internet-wide UDDI Business Registry (UBR).

Each entry in the database contains information about the provider, the service and the binding. The provider and service information is basic text information that shows who provides the service and exactly what it does.

The binding information describes where the service can be found. Each entry can contain multiple bindings depending on the type of access. Examples include web, Cobol and Java. The bindings can be updated as needed, but users can always find the service through the directory. Without the directory being bookmarked, services can easily get lost as sites get updated and modified.

In addition, each entry is categorised by the type of service offered, although they can be a member of multiple categories.

The directory is fully searchable. Companies can run their own UDDI directories to publish internal services to employees.

www.uddi.org


uddi.microsoft.com


© Incisive Media Ltd. 2008. Incisive Media Limited, Haymarket House,
28-29 Haymarket, London SW1Y 4RX, is a company registered in the United Kingdom with company registration number 04038503
