
TCP/IP AND SECURITY SOFTWARE APPLICATIONS

STUDENT PAPER

William Natale
St. Edward’s University
wnatale@nucentrix.net

The TCP/IP protocol suite refers to a family of protocols. The designers of TCP/IP divided the job of a full protocol suite into a number of tasks delineated as layers (shown in Figure 1 below). Each layer has a different, but specific, task in communication. Conceptually, it is useful to envision the layers of TCP/IP as a stack. The first layer, called the link layer, is responsible for communicating with the actual network hardware (e.g., an Ethernet card). The second, the network layer, is responsible for determining how to get data to its destination. This layer cannot guarantee that data will reach its destination, but it does decide where data should be sent. The third, the transport layer, provides data flows to the application layer, and data may be checked for reliability. The fourth, the application layer, is the level where users typically interact with the network and where telnet, ftp, email, and IRC reside.

    Application    Telnet, FTP, RPC, etc.
    Transport      TCP, UDP
    Network        IP, ICMP, IGMP
    Link           Network Interface and Device Driver

Figure 1. The Layers of the TCP/IP Protocol Suite.

Data packets are the basic unit of transmission on the Internet. Each packet contains data and header information. Headers consist of some combination of checksums, protocol identifiers, destination and source addresses, and state information. Each layer may add its own header information so that it can interpret the data the lower layer is passing to it. Each layer takes the previous layer's packet, treats it as data, and puts its own header on it.
The link layer is the lowest level of the protocol stack and is composed of network hardware and device drivers. When receiving data from the network, it takes packets from the network wire, removes the link layer information, and sends the remaining data to the network layer. When transmitting data onto a network, it takes packets from the network layer, attaches a link layer header, and sends them out over the wire.
JCSC 16, 3 (March 2001)
© 2001 by the Consortium for Computing in Small Colleges

The network layer is where the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP) reside. ICMP is used to provide both network reliability information and utilities like ping and traceroute. IP is used for almost all other Internet communication and manages the sending and receiving of data packets. If a packet arrives with any problems, IP quietly discards it. Upper layers are responsible for ensuring reliable exchange of data packets. IP's behavior is considered stateless or connectionless because the existence of previous or future packets is irrelevant when processing the current packet. The IP layer is able to get packets to their destinations because every network interface on the Internet has an IP address, a unique numeric address.
Because it is difficult to refer to machines with strings of numbers, the designers of TCP/IP allowed network administrators to associate names with IP addresses. Originally, every host on the Internet maintained a complete copy of this database. The exponential growth of the Internet made it impossible to keep these databases up to date. Out of this mess the Domain Name System (DNS) was created: a distributed database of IP addresses and their natural language names.
The procedure an IP layer takes to send a packet is to determine how to get the packet to its destination (also known as routing) and then to send the packet on its way. Routers have two network interfaces and a routing table. Each router only knows about the routers to which it is connected. The router does not determine the full destination path, but at each hop is only concerned with where to send the packet next [1].
There are two protocols at the transport layer: the User Datagram Protocol (UDP) and the Transmission Control Protocol (TCP). UDP has multiplexing, demultiplexing, and some light error checking, but essentially adds nothing to IP. UDP takes messages from the application process, attaches source and destination port number fields for multiplexing and demultiplexing, adds two other small fields, and sends the resulting segment to the network layer. The network layer encapsulates the segment into an IP datagram and then makes a best-effort attempt to deliver it to the receiving host. If the datagram arrives at the receiving host, UDP uses the port numbers and IP address to deliver the datagram to the correct application. The sending and receiving transport layers do not handshake before sending a datagram, and therefore UDP is considered to be connectionless [2].
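The header-per-layer encapsulation described earlier, and the UDP segment just described, are fixed-layout binary structures, so the wrapping and unwrapping can be shown concretely. The following Python example is added here and is not from the paper: it builds a constructed Ethernet/IPv4/UDP frame with made-up MAC and IP addresses and a made-up payload, then walks it back up the stack, stripping one header per layer, verifying the IPv4 header checksum (the point at which IP "quietly discards" a damaged packet) and using the UDP port numbers to demultiplex. The UDP checksum is left at zero, which IPv4 permits; all addresses and the payload are this example's assumptions.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17

# Constructed sample values for this example (not from the paper).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = "10.0.0.1"
DST_IP = "10.0.0.2"


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum
    of all 16-bit words. A header whose checksum field is correct sums to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


# --- Sending side: each layer prepends its own header and passes the result down.

def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP header: source port, destination port, then the two small fields
    length and checksum (zero means 'not computed', which IPv4 permits)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (version 4, IHL 5, no options) with checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def build_frame(src_mac: bytes, dst_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II header: destination MAC, source MAC, EtherType."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def encapsulate(payload: bytes, src_port: int, dst_port: int) -> bytes:
    segment = build_udp(src_port, dst_port, payload)                 # transport layer
    datagram = build_ipv4(SRC_IP, DST_IP, PROTO_UDP, segment)        # network layer
    return build_frame(SRC_MAC, DST_MAC, ETHERTYPE_IPV4, datagram)   # link layer


# --- Receiving side: each layer strips its header and passes the rest up,
#     or silently drops the packet if something is wrong.

def decapsulate(frame: bytes):
    # Link layer: strip the 14-byte Ethernet header and hand the rest to IP.
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    datagram = frame[14:]
    # Network layer: a damaged header (checksum mismatch) is quietly discarded.
    if len(datagram) < 20:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    total_len = struct.unpack("!H", datagram[2:4])[0]
    if ip_checksum(datagram[:ihl]) != 0 or total_len > len(datagram):
        return None
    if datagram[9] != PROTO_UDP:
        return None
    src_ip, dst_ip = bytes_to_ip(datagram[12:16]), bytes_to_ip(datagram[16:20])
    segment = datagram[ihl:total_len]
    # Transport layer: UDP uses the port numbers to deliver to the right application.
    if len(segment) < 8:
        return None
    src_port, dst_port, udp_len, _checksum = struct.unpack("!HHHH", segment[:8])
    if udp_len != len(segment):
        return None
    return {"src": (src_ip, src_port), "dst": (dst_ip, dst_port), "data": segment[8:]}


if __name__ == "__main__":
    frame = encapsulate(b"hello", 40000, 53)
    print(len(frame), "bytes on the wire ->", decapsulate(frame))
```

Flipping a single byte of the IPv4 header (say the TTL) without recomputing the checksum makes `decapsulate` return `None`, which is the "quietly discards it" behaviour the text describes; nothing above IP ever sees the packet.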
TCP provides multiplexing, demultiplexing, and error checking. TCP is connection-oriented, which requires an application to first request a connection to a destination and then use the connection to transfer data. It provides full duplex data transfer, which allows data to flow in either direction. A TCP connection is always point-to-point, with only two endpoints. TCP provides complete reliability, guaranteeing that data sent across a connection will be delivered exactly as sent, with no data missing or out of order. It also has a stream interface, which allows an application to send a continuous stream of data across a connection [3].
In the beginning, the research-oriented Internet and its communications protocol suite, TCP/IP, were designed for a more benign environment than now exists. It could best be described as a collegial environment, where the users and hosts were mutually trusting and interested in free and open exchange of information. Today, the Internet environment is much less trustworthy and contains all the dangerous situations, nasty people, and risks that one can find in society as a whole [4].
The TCP/IP protocol suite has been criticized as having been designed with no thought of security. Computer users point to the ease with which IP addresses can be spoofed, the lack of security for name and address mappings provided by the Domain Name System (DNS), and the difficulty of operating some protocols across "firewall gateways" as evidence of a failure to anticipate security requirements. These points are valid, but IP was designed to operate over lower network layer protocols such as X.25. TCP/IP was developed for the Department of Defense (DoD), and in the DoD environment the only accepted means of providing high security in a large, geographically distributed network was the application of cryptography. Uniform use of cryptographic security technology addresses most of the failures cited above. In the late 1970s, as part of DoD-sponsored R&D programs, prototype devices implementing these services were developed, tested, and deployed on a limited basis, long before security became a common concern for many Internet users.
This model for security was not comprehensive. No protocol in the entire TCP/IP suite contains any authentication of communication between the sender and receiver. This makes it possible for one system to impersonate another system. Certain implementations of TCP made use of easily predicted sequence numbers. The ability to predict sequence numbers, combined with the lack of authentication, makes it possible to establish fraudulent connections [5]. Sequence numbers are used to handle delivery of packets that arrive out of order and the corresponding reply that occurs when an old message arrives, as well as in routing protocols [6]. The model did not explicitly address electronic mail. The use of application layer relays prevented IP-layer security from affording complete protection to email. The DNS was not initially part of the Internet design. There were no explicit security features envisioned to protect name and address mappings, beyond the use of trusted computers and IP layer secure communication paths to these servers. So even if IP layer, end-to-end cryptography were widely implemented in the Internet, there would still be a need for additional security standards [7].
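The predictable-sequence-number weakness mentioned above was later addressed by choosing each connection's initial sequence number (ISN) with a keyed hash of the connection's addresses and ports (RFC 1948, revised as RFC 6528), so that observing one connection's ISN reveals nothing about another's. The following Python example is added here and is not from the paper: it contrasts a legacy fixed-increment counter (early Berkeley implementations advanced a global counter by a constant each second; the constant used here is illustrative) with an RFC 6528-style generator. The per-host secret, HMAC-SHA-256 as the keyed function, and the sample addresses are this example's assumptions; the RFC illustrates its function F with MD5 but allows any suitable keyed function.

```python
import hashlib
import hmac
import os

MASK32 = 0xFFFFFFFF

# Legacy scheme: one global counter advanced by a fixed amount each second
# (and by another constant per connection, omitted here). The constant is
# illustrative; the weakness is that it is fixed and public, not its size.
LEGACY_INCREMENT_PER_SEC = 128


def legacy_isn(counter_base: int, seconds_elapsed: int) -> int:
    """Predictable: the ISN is a straight line in time, so the gap between any
    two ISNs is a known multiple of the increment."""
    return (counter_base + seconds_elapsed * LEGACY_INCREMENT_PER_SEC) & MASK32


def isn_gap(isn_a: int, isn_b: int) -> int:
    """Modular 32-bit difference between two ISNs (a regularity check)."""
    return (isn_b - isn_a) & MASK32


def new_secret() -> bytes:
    """Per-host secret for F; RFC 6528 suggests regenerating it occasionally,
    for example at boot. (Assumption: 32 random bytes is plenty for HMAC.)"""
    return os.urandom(32)


def keyed_isn(local_ip: str, local_port: int, remote_ip: str, remote_port: int,
              secret: bytes, micros: int) -> int:
    """RFC 6528 style: ISN = M + F(localip, localport, remoteip, remoteport, secret).
    M is a 4-microsecond tick counter, so ISNs still advance monotonically for one
    connection tuple; F is a keyed hash truncated to 32 bits, so the offset for
    each tuple is unpredictable without the secret. HMAC-SHA-256 is used for F
    here (this example's choice, not mandated by the RFC)."""
    m = (micros // 4) & MASK32
    tuple_bytes = f"{local_ip}:{local_port}|{remote_ip}:{remote_port}".encode()
    f = int.from_bytes(hmac.new(secret, tuple_bytes, hashlib.sha256).digest()[:4], "big")
    return (m + f) & MASK32


if __name__ == "__main__":
    # Constructed demonstration values.
    print("legacy:", legacy_isn(1000, 10), legacy_isn(1000, 11), legacy_isn(1000, 12))
    s = new_secret()
    for port in (40000, 40001, 40002):
        print("keyed :", port, keyed_isn("10.0.0.1", port, "10.0.0.2", 80, s, 1_000_000))
```

With the legacy scheme the three printed values differ by exactly the increment; with the keyed scheme the offsets for neighbouring source ports bear no visible relation to each other, while the same tuple 4 microseconds later still yields the previous value plus one, preserving the monotonic property TCP needs to keep old segments out of new connections.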
Today, with the exponential growth of the Internet, computer security is a major concern. At the end of 2000, projections estimate the number of Internet users in the United States to be 135.7 million and worldwide to be 374.9 million [9]. This year the U.S. market for residential high-speed Internet services will grow to 3.3 million subscribers [8]. High-speed Internet services include cable modems, digital subscriber line (DSL), and asymmetric digital subscriber line (ADSL). The characteristics of these services, which include static IP addresses, computers that are "always on", and the use of Local Area Network (LAN) technology for computer interfaces, present increased security issues. The "always on" connection and static IP address present a much greater vulnerability to computer hackers. Information theft is up over 250% in the last 5 years, and 99% of all major companies reported at least one major incident. In the U.S. alone, telecom and computer fraud totaled $10 billion [10].
Because TCP/IP comprises a large part of the market, many computer hackers try to exploit its weaknesses. Hackers typically use port scanners to find security holes. The TCP/IP protocol suite supports up to 65,535 ports, or communication channels, for independent applications on a single computer. For example, TCP port 80 is used for HTTP communications between a web browser and server, and TCP port 25 is used for Simple Mail Transfer Protocol (SMTP) email traffic. Port scan attacks look for applications with weak security, and once one is identified, use that port of entry to invade other parts of the compromised computer [11].
Security software applications such as ZoneAlarm Pro 2.1 (version 2.1.25) [15], Norton Internet Security 2000 (version 1.0.147.0) [13], LockDown 2000 (version 7.0.0.3) [12], and BlackIce Defender (version 2.1.cn) [14] provide security protection for computers and networks. In my research I conducted performance tests of these security software applications.
To facilitate the performance testing, each security software application ran on a dedicated computer. One computer was set up without any security software. The environment included Microsoft Windows 98 (version 4.10.1998), Microsoft Internet Explorer (version 5.50), and Microsoft Outlook Express (version 5.00.2919.6600). Additional software used to support testing included RealPlayer 8 Basic (version 6.0.9.380) for testing RealPlayer downloads, ICQ Messaging Software (version 2000B beta v. 4.56) for testing ICQ messaging with and without file attachments, and the IPSwitch FTP utility (version 5.06) for testing file transfers. Additionally, the BIOS virus protection was disabled, Windows 98 file/printer sharing was disabled, and Internet Explorer was set to its minimum security level.
Each security software application had unique settings for each level of security. The performance tests evaluated each security level of each application with commonly used Internet applications and its capability to protect against unwanted intrusions.
Each security software application was tested for its ability to work with common
Internet software applications such as FTP, ICQ Messaging, RealPlayer downloads, and MP3
music file downloads. ICQ messaging was tested with and without file attachments.
Potentially malicious attacks were simulated using HTML pages embedded with potentially malicious Java applets, JavaScript, Visual Basic Script, and ActiveX controls. Finally, each security software application was tested for its capability to block or stealth ports, its ability to detect a Denial of Service (DoS) attack, its ability to detect email attachments, and its ability to detect the presence of Trojans. A port scanning utility called Nmap was used to port scan the security software applications [16].
To simulate a DoS attack, several computers ran the "ping -t count IP address"
command to continuously ping a chosen IP address. The -t switch sets the command to be
continuous [17].
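Both probing activities the paper tests against, a port scan such as Nmap performs and a sustained echo-request flood from several machines each running a continuous ping, leave a characteristic pattern in a firewall or host log: many distinct destination ports from one source within a few seconds, and many ICMP echo requests arriving at one destination within a window regardless of how many sources send them. The following Python example is added here; it is not from the paper and not from any of the products tested. It parses a constructed log format of my own, generates an inline sample log, and flags both patterns with a sliding time window. The field names, thresholds and addresses are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any product's real format):
#   YYYY-MM-DD HH:MM:SS SRC=<ip> DST=<ip> PROTO=<TCP|UDP|ICMP> [DPT=<port>] [TYPE=<icmp type>]
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SRC=(\S+) DST=(\S+) PROTO=(\w+)"
    r"(?: DPT=(\d+))?(?: TYPE=(\d+))?\s*$"
)


def parse_line(line: str):
    """Return one event dict per well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, proto, dpt, itype = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "src": src, "dst": dst, "proto": proto,
        "dport": int(dpt) if dpt else None,
        "icmp_type": int(itype) if itype else None,
    }


def _max_in_window(items, window, measure):
    """Slide a time window over (timestamp, value) pairs and return the largest
    value of measure(values inside the window)."""
    items.sort(key=lambda item: item[0])
    best, i = 0, 0
    for j in range(len(items)):
        while items[j][0] - items[i][0] > window:
            i += 1
        best = max(best, measure(v for _, v in items[i:j + 1]))
    return best


def find_port_scans(events, window=timedelta(seconds=10), min_ports=10):
    """{(src, dst): distinct_ports} for sources that touch >= min_ports distinct
    TCP/UDP ports on one host within any window."""
    per_pair = defaultdict(list)
    for e in events:
        if e["proto"] in ("TCP", "UDP") and e["dport"] is not None:
            per_pair[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    hits = {}
    for pair, items in per_pair.items():
        n = _max_in_window(items, window, lambda vs: len(set(vs)))
        if n >= min_ports:
            hits[pair] = n
    return hits


def find_echo_floods(events, window=timedelta(seconds=10), min_requests=50):
    """{dst: echo_requests} for hosts receiving >= min_requests ICMP echo requests
    (type 8) within any window, counted across all sources: several machines each
    pinging once a second add up even though no single source looks busy."""
    per_dst = defaultdict(list)
    for e in events:
        if e["proto"] == "ICMP" and e["icmp_type"] == 8:
            per_dst[e["dst"]].append((e["ts"], 1))
    hits = {}
    for dst, items in per_dst.items():
        n = _max_in_window(items, window, sum)
        if n >= min_requests:
            hits[dst] = n
    return hits


def build_sample_log() -> str:
    """Constructed sample: one ordinary web request, a 25-port scan over 5 s,
    and eight hosts pinging one target once a second for 10 s."""
    t0 = datetime(2000, 9, 8, 10, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = [f"{t0:{fmt}} SRC=203.0.113.4 DST=198.51.100.7 PROTO=TCP DPT=80"]
    for k in range(25):
        t = t0 + timedelta(seconds=k // 5)
        lines.append(f"{t:{fmt}} SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP DPT={20 + k}")
    for sec in range(10):
        for h in range(8):
            t = t0 + timedelta(seconds=sec)
            lines.append(f"{t:{fmt}} SRC=192.0.2.{100 + h} DST=198.51.100.7 PROTO=ICMP TYPE=8")
    return "\n".join(lines)


def analyze(log_text: str) -> dict:
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {"port_scans": find_port_scans(events), "echo_floods": find_echo_floods(events)}


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

The echo-flood rule deliberately keys on the destination rather than the source, because the paper's simulation spreads the load over several machines; a per-source rate limit would see only one request per second from each and raise nothing.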
Using Outlook Express (version 5.00.2919.6600), email was sent and received with Visual Basic Script files and Trojan file attachments.
The performance data collected for each application was whether the specific security software application passed or failed a test. The security software application passed a test if it alerted the user before running embedded scripts or script attachments, or if it completely blocked port access. If the security software application allowed these tests to run without intervention, the test was recorded as failed. For the purpose of data analysis, a passed test was indicated with a "1" and a failed test was indicated with a "0". Points were subtotaled for each level of security for each security software application. The low, medium, and high-level scores for each security software application were totaled. These point totals and observations made during testing were used to determine which security software application affords the highest level of protection. To view detailed data and graphics, please visit http://cs.stedwards.edu/~wnatale/security.html.
Analysis of data collected at the highest and medium security level settings indicates that BlackIce Defender (version 2.1.cn), ZoneAlarm Pro (version 2.1.25), Norton Internet Security 2000 (version 1.0.147.0), and LockDown 2000 (version 7.0.0.3) did not afford any protection to the following Internet applications: 1) ICQ messaging, 2) HTML with embedded Java applets, 3) HTML with embedded JavaScript, 4) HTML with embedded Visual Basic Script, and 5) email with file attachments (Trojans). Each of these security software applications passed the Trojan port scan test. The chart in Figure 2 shows the results of each test at each security software application's highest-level setting.
Data collected at the lowest security level setting indicates that BlackIce Defender (version 2.1.cn), ZoneAlarm Pro (version 2.1.25), and LockDown 2000 (version 7.0.0.3) had equal point totals. At this level ZoneAlarm Pro (version 2.1.25) failed to block or stealth ports. The computer without any security software applications scored zeroes on all tests.
Four observations were noted during testing. The first was Norton Internet Security 2000
(version 1.0.147.0) failed to block HTML with embedded Java Applets and HTML with
ActiveX controls for its high and medium level settings. The second was ZoneAlarm Pro
(version 2.1.25) failed to block email with script attachments with the "block email with script
attachments" option enabled. Script attachments such as Java Script, Visual Basic Script, and
Trojan file attachments were not blocked. The third was LockDown 2000 (version 7.0.0.3)
detected the execution of a Trojan server.exe and displayed an alert message when the Trojan
server attempted to write over a file. The fourth was BlackIce Defender (version 2.1.cn)
detected ICQ Messages as port probes at its highest security level.
Performance data at the high and medium security levels indicated that ZoneAlarm Pro (version 2.1.25) affords the highest level of security. It was the only application to display an alert during a simulated DoS attack. It was also superior in detecting and alerting the user prior to executing an FTP, RealPlayer, or MP3 download.
These security software applications did not provide protection against potentially
malicious attacks with HTML code embedded scripts or email attachments. The user cannot
assume that the use of these security software applications will make his computer or network
secure.


REFERENCES
[1] Jason Yanowitz, "Under the hood of the Internet," ACM Crossroads Student Magazine, 1994.
[2] James F. Kurose and Keith W. Ross, Computer Networking: A Top-Down Approach Featuring the Internet, Addison Wesley Longman Inc., 2001.
[3] Charles L. Hedrick, "General Description of the TCP/IP protocols," Rutgers University, 1987, <http://oac3.hsc.uth.tmc.edu/staff/snewton/tcp-tutorial/sec2.html>, [Accessed September 16, 2000].
[4] Rolf Oppliger, "Internet Security: Firewalls and Beyond," Communications of the ACM, Vol. 40, No. 5, pp. 92-102, May 1997.
[5] Anish Bhimani, "Securing The Commercial Internet," IEEE/ACM Transactions on Networking, Vol. 7, No. 3, pp. 29-35, June 1996.
[6] Douglas E. Comer, Internetworking with TCP/IP: Principles, Protocols, and Architectures, Prentice Hall, 4th edition, 2000.
[7] Stephen Kent, "Internet Security Standards: Past, Present, and Future," StandardView, Vol. 2, No. 2, pp. 78-85, June 1994.
[8] "More Than 16 Million High-Speed Homes by 2004," CyberAtlas, 15 August 2000, <http://cyberatlas.internet.com/markets/broadband/article/0,,10099_296911,00.html>, [Accessed September 9, 2000].
[9] "The World's Online Populations," CyberAtlas, 28 July 2000, <http://cyberatlas.internet.com/big_picture/geographics/article/0,1323,5911_151151,00.html>, [Accessed September 9, 2000].
[10] Aurobindo Sundaram, "An Introduction to Intrusion Detection," ACM Crossroads Student Magazine, 13 February 2000, <http://info.acm.org/crossroads/xrds2-4/intrus.html>, [Accessed September 16, 2000].
[11] Frank Kuypers, "Preventing the Hack Attack. (Industry Trend or Event)," Telecommunications, July 2000, Expanded Academic ASAP, Infotrac, Scarborough-Phillips Library, Austin, <http://www.infotrac.galegroup.com/itweb/seu_main>, [Accessed September 8, 2000].
[12] "LockDown 2000," Lockdown Corporation, 2000, <http://lockdown2000.com/lockdown2000.html>, [Accessed September 8, 2000].
[13] "Norton Internet Security 2000," Symantec Corporation, 2000, <http://www.symantec.com/sabu/nis/nis_pe/>, [Accessed September 8, 2000].
[14] "BlackIce Defender," Network ICE Corporation, 2000, <http://www.networkice.com/html/blackice_defender.html>, [Accessed September 8, 2000].
[15] "ZoneAlarm Pro," Zone Labs Inc., 2000, <http://www.zonelabs.com/>, [Accessed September 8, 2000].
[16] Fyodor, "Nmap Stealth Port Scanner For Network Security Auditing, General Internet Exploration, & Hacking," September 4, 2000, <http://insecure.org/nmap/index.html>, [Accessed September 8, 2000].
[17] Laura Chappell, "Troubleshooting TCP/IP Networks: Building Your Toolkit," January 1999, <http://www.nwconnection.com/jan99/tcp19/index.html>, [Accessed September 22, 2000].

