[CALUG] DoD/OSI Layer 2, 3 and 4 in the real world -- WAS: open ports

Bryan J Smith b.j.smith at ieee.org
Thu Sep 15 20:27:58 EDT 2011


But I also understand the OP and some follow-up threads.  I wanted to assert that there can be "real" services and facilities below the transport (layer 4) details.  That's what trips a number of organizations up when it comes to security.

Acting like it's all (pun)Ether(pun) and doesn't service anything is not always a good assumption.  There are aspects at the IP (layer 3) level that can cause issues, and not everything is identified by the kernel as spoofing.  And one certainly does not want one big pool of media access.

Even in my "mobile" network, I have a security appliance with no less than four (4) zones.  Internet, LAN (trusted Linux only), WLAN1 (select Linux), WLAN2 (Windows, consoles, guests).  I don't let anything on the LAN or WLAN1 networks that I don't trust, and especially not Windows.

A number of issues hit Windows below the transport belt, or in various things you cannot disable.  There are a few (100x fewer) for Linux as well.


----- Original Message -----
From: Morty <morty+calug at frakir.org>
Sent: Thursday, September 15, 2011 7:59 PM

[snip; resending from correct "From:", with minor edits]

Another attempt to answer the original question:

* Ports are numbers used in networking.  "Open ports" are usually
  associated with services that are listening.  Essentially, they mean
  that someone else can connect to your computer even when you're not
  telling your computer to do something.  That someone else might be
  trying to hack your computer or get it to do things that you might
  not want it to do.  From a security perspective, you want to
  minimize your open ports.

* How to enable or disable an individual port is usually related to
  the service process that has it open.  You can find what ports are
  open and what programs are associated with a port like so:

  # run as root
  netstat -pln --inet --inet6

  Note that some of these options are relatively new.  So if you have
  a really old Linux distro, this command might not be supported.
  There are older ways to do this; feel free to ask (or upgrade) if
  this is a problem for you.

* Once you know what service is using what port, you can decide which
  services you don't need and turn them off.  Most Linux distros have
  a distro-specific mechanism to enable or disable individual
  services, such as sshd and apache httpd.  "inetd" or "xinetd" may be
  a special case -- a master service that tends to support a whole
  bunch of ports and services -- and has a special configuration
  mechanism for supported services.  telnet in particular is usually
  handled via inetd or xinetd.

* ethernet drivers don't deal directly with port requests.  Instead,
  they pass traffic that meets certain criteria to other kernel
  layers, such as the kernel's IPv4 and IPv6 layers.  The IPv4 and
  IPv6 layers are independent of individual ethernet drivers, or even
  of ethernet as a whole -- for example, you can have IPv4 with PPP
  (e.g. for dial-up), which doesn't use ethernet.  IP, in turn, can
  pass the traffic to TCP, UDP, or other protocols.  TCP or UDP, in
  turn, can pass the request to a service program such as the apache
  web server or inetd.

  Part of the beauty of IP is that it acts as an abstraction between
  high-level protocols and "real" network protocols.  This way,
  telnet, email, and other protocols work basically the same whether
  you are on ethernet, PPP for dialup, PPP over a high speed serial
  link, wireless, token ring, FDDI, or ATM.  This despite the fact
  that many of those lower-level protocols are fundamentally
  different.  You can easily plug in new services to IP to add
  functionality that was not part of the original design.  It's quite
  brilliant.

* There are some other protocols that you might also see that don't
  have ports.

* This is all very common information.  If you google for guides to
  securing your distro, you should find a lot more info, tailored to
  your distro of choice.

- Morty
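To make the netstat step above concrete, here is an added shell example.  It is not from Morty's message or from any CALUG code: it takes the output of `netstat -pln --inet --inet6` and sorts each listening socket into "exposed" (bound to a wildcard address such as 0.0.0.0 or ::, so reachable from other hosts unless a firewall intervenes) versus "local" (bound to a loopback address, reachable only from the machine itself).  The sample netstat output is constructed, the PIDs and program names in it are made up, and the function names classify_listeners and count_exposed are my own.

```shell
#!/bin/sh
# Added example: classify listening sockets from netstat output by exposure.
# Assumes the column layout of `netstat -pln --inet --inet6` on Linux:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address [State] PID/Program
# UDP lines have no State column, so the program name is taken from the
# last field rather than a fixed column number.

# Constructed sample output (not captured from a real host); PIDs and
# program names are made up for illustration.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1003/master
tcp6       0      0 :::80                   :::*                    LISTEN      1210/apache2
tcp6       0      0 ::1:631                 :::*                    LISTEN      905/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp6       0      0 :::546                  :::*                                640/dhclient'

# Read netstat output on stdin; print one line per socket:
#   <exposed|local> <proto> <port> <PID/program>
classify_listeners() {
    awk '
        $1 ~ /^(tcp|udp|tcp6|udp6)$/ {
            addr = $4
            # The port is everything after the last colon; the host is the
            # rest.  This keeps IPv6 literals such as "::1" intact.
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::" || host == "*")
                exposure = "exposed"
            else
                exposure = "local"
            printf "%s %s %s %s\n", exposure, $1, port, $NF
        }'
}

# Convenience wrapper: how many sockets are bound to a wildcard address.
count_exposed() {
    classify_listeners | awk '$1 == "exposed" { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample.  On a live system use:
#   netstat -pln --inet --inet6 | classify_listeners     (as root)
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
```

Two caveats when using this on a real box.  First, the parser assumes netstat's column layout; the newer `ss -lntup` prints different columns, so it would need its own parser.  Second, "exposed" only describes the bind address: a host firewall may still block a wildcard-bound port, and a loopback-only service is still attack surface for anything already running on the machine.  The classification is a triage aid for deciding which services to turn off, not a substitute for checking what actually reaches the host.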

_______________________________________________
CALUG mailing list
CALUG at unknownlamer.org
http://lists.unknownlamer.org/listinfo/calug