Blessed are the Geeks, for they shall internet the earth

Network security, lesson 1: Introduction

The need for a secure computing environment has never been greater. Right now, information security professionals are in great demand and the importance of the field is growing every day. All the industry leaders have been placing their bets on security in the last few years.

Just recently, Bill Gates and Steve Ballmer of Microsoft have been quoted as saying that secure computing is no longer an optional component, but is something that should be integrated into every system rather than being thrown in as an afterthought. Usually programmers would concentrate on getting a program working, and then (if there was time) try and weed out possible security holes.

Now, applications must be coded from the ground up with security in mind, as these applications will be used by people who expect the security and privacy of their data to be maintained. This series intends to serve as a very brief introduction to information security with an emphasis on networking.

For an understanding of what lies in this series, you should have decent knowledge of how the Internet works. You don't need to know the ins and outs of every protocol under the sun, but a basic understanding of network (and obviously computer) fundamentals is essential.

Hacker or cracker?

There is a very well worn out argument against using the incorrect use of the word 'hacker' to denote a computer criminal -- the correct term is a 'cracker' or when referring to people who have automated tools and very little real knowledge, 'script kiddie.' Hackers are actually just very adept programmers (the term came from 'hacking the code' where a programmer would quickly program fixes to problems he faced.)

While many feel that this distinction has been lost due to the media portraying hackers as computer criminals, we will stick to the original definitions through this series.
  
Administrator's notebook
Need a quick review? Here are the main points:
  • Today's basic network infrastructure includes security measures like firewalls, content monitoring and intrusion-detection systems.
  • Attacks can come in the form of espionage, information theft, and illegal use of your network, among others.
  • Companies must have a complete security policy and basic security training for employees.
  • A specific IT staffer should be in charge of security issues.
  • 24/7 security is a necessity.

This series will cover the following topics:
Part one: The threat to the enterprise
Part two: Common security measures explained
Part three: Intrusion-detection systems
Part four: Penetration testing and more information

The threat to the enterprise

Most businesses have conceded that having an Internet presence is critical to keep up with the competition, and most of them have realized the need to secure that online presence.

Gone are the days when firewalls were an option and employees were given unrestricted Internet access. These days most medium-sized corporations implement firewalls, content monitoring and intrusion-detection systems as part of the basic network infrastructure.

For the enterprise, security is very important. The threats include:

  • Corporate espionage by competitors,
  • Attacks from disgruntled ex-employees
  • Attacks from outsiders who are looking to obtain private data and steal the company's crown jewels (be it a database of credit cards, information on a new product, financial data, source code to programs, etc.)
  • Attacks from outsiders who just want to use your company's resources to store pornography, illegal pirated software, movies and music, so that others can download and your company ends up paying the bandwidth bill and in some countries can be held liable for the copyright violations on movies and music.

As far as securing the enterprise goes, it is not enough to merely install a firewall or intrusion-detection system and assume that you are covered against all threats. The company must have a complete security policy, and basic training must be imparted to all employees telling them things they should and should not do, as well as who to contact in the event of an incident. Larger companies may even have an incident response or security team to deal specifically with these issues.

One has to understand that security in the enterprise is a 24/7 problem. There is a famous saying, "A chain is only as strong as its weakest link." The same rule applies to security.

After the security measures are put in place, someone has to take the trouble to read the logs, occasionally test the security, follow mailing lists of the latest vulnerabilities to make sure software and hardware is up-to-date, etc. In other words, if your organization is serious about security, there should be someone who handles security issues.

This person is often a network administrator, but invariably in the chaotic throes of day-to-day administration (yes we all dread user support calls), the security of the organisation gets compromised -- for example, an admin who needs to deliver 10 machines to a new department may not password protect the administrator account, just because it saves him some time and lets him meet a deadline. In short, an organization is either serious about security issues or does not bother with them at all.

While the notion of 24/7 security may seem paranoid to some people, one has to understand that in a lot of cases a company is not specifically targeted by an attacker. The company's network just happens to be one that the attacker knows how to break into and thus they get targeted. This is often the case in attacks where company ftp or Web servers have been used to host illegal material.

The attackers don't care what the company does -- they just know that this is a system accessible from the Internet where they can store large amounts of warez (pirated software), music, movies, or pornography. This is actually a much larger problem than most people are aware of because in many cases, the attackers are very good at hiding the illegal data. It's only when the bandwidth bill has to be paid that someone realizes that something is amiss.

Click here for part two: Common security measures.

 

Network security, lesson 2: Common security measures


Firewalls

By far the most common security measure these days is a firewall. A lot of confusion surrounds the concept of a firewall, but it can basically be defined as any perimeter device that permits or denies traffic based on a set of rules configured by the administrator. Thus, a firewall may be as simple as a router with access lists or as complex as a set of modules distributed through the network controlled from one central location.

The firewall protects everything "behind" it from everything in "front" of it. Usually the "front" of the firewall is its Internet facing side, and the "behind" is the internal network. The way firewalls are designed to suit different types of networks is called the firewall topology.

Here is a link to detailed explanation of different firewall topologies:
http://www.firewall.cx/firewall_topologies.php

You can also get devices known as personal firewalls, such as Zonealarm (http://www.zonelabs.com), Sygate Personal Firewall (http://www.sygate.com) and Tiny Personal Firewall (http://www.tinysoftware.com).

These are packages meant for individual desktops and are fairly easy to use. The first thing they do is make the machine invisible to pings and other network probes. Most of them also let you choose what programs are allowed to access the Internet. Therefore, you can allow your browser and mail client, but if you see some suspicious program trying to access the network, you can disallow it. This is a form of egress filtering or outbound traffic filtering and provides very good protection against Trojan horse programs and worms.

However, firewalls are no cure-all solution to network security woes. A firewall is only as good as its rule set, and there are many ways an attacker can find common misconfigurations and errors in the rules. For example, if the firewall blocks all traffic except traffic originating from port 53 (DNS) so that everyone can resolve names, the attacker could then use this rule to his advantage. By changing the source port of his attack or scan to port 53, the firewall will allow all of his traffic through, because it assumes it is DNS traffic.

Bypassing firewalls is a whole study in itself and one which is very interesting (especially to those with a passion for networking), because it normally involves misusing the way TCP and IP are supposed to work. That said, firewalls today are becoming very sophisticated and a well-installed firewall can severely thwart a would-be attacker's plans.
  
Administrator's notebook
Need a quick review? Here are the main points:
  • A firewall permits or denies traffic based on a set of rules. It cannot look inside packets.
  • Antivirus tools screen out traffic according to a list of definitions. Updating definitions is crucial, as is educating users about viruses.
  • IDS scans to look for breaches. Host-based systems run on one important machine. Network-based systems use a sniffer in conjunction with a database of attacks.
  • Patching and updating systems is very effective but needs to be done vigilantly.
  • Many tools can be used to thwart attacks; these include network utilities, port scanners, sniffers, and vulnerability scanners. Attackers can also find these tools useful.

It is important to remember that the firewall does not look into the data section of the packet. Thus, if you have a Web server that is vulnerable to a CGI exploit and the firewall is set to allow traffic to it, there is no way the firewall can stop an attacker from attacking the Web server. It does not look at the data inside the packet. That would be the job of an intrusion-detection system (covered in part three).

Antivirus systems

Everyone is familiar with the desktop version of antivirus packages like Norton Antivirus and McAfee. The way these operate is fairly simple -- when researchers find a new virus, they figure out some unique characteristic it has (maybe a registry key it creates or a file it replaces) and out of this they write the virus "signature."

The whole load of signatures for which your antivirus software scans is known as the virus "definitions." This is the reason why keeping your virus definitions up-to-date is very important. Many antivirus packages have an auto-update feature for you to download the latest definitions. The scanning ability of your software is only as good as the date of your definitions. In the enterprise, it is very common for administrators to install antivirus software on all machines, but there is no policy for regular updates of the definitions. This is meaningless protection and serves only to provide a false sense of security.

With the recent spread of e-mail viruses, antivirus software at the mail server is becoming increasingly popular. The mail server will automatically scan any e-mail it receives for viruses and quarantine the infections. The idea is that since all mail passes through the mail server, this is the logical point to scan for viruses. Given that most mail servers have a permanent connection to the Internet, they can regularly download the latest definitions. On the downside, these can be evaded quite simply. If you zip up the infected file or Trojan, or encrypt it, the antivirus system may not be able to scan it.

End users must be taught how to respond to antivirus alerts. This is especially true in the enterprise -- an attacker doesn't need to try and bypass your fortress-like firewall if all he has to do is e-mail Trojans to a lot of people in the company. It takes just one uninformed user to open the infected package to allow the hacker a backdoor to the internal network.

It is advisable that the IT department gives a brief seminar on how to handle e-mail from untrusted sources and how to deal with attachments. These are very common attack vectors, simply because you may harden a computer system as much as you like, but the weak point still remains the user who operates it. As crackers say, "The human is the path of least resistance into the network."

Intrusion-detection systems

There are basically two types of intrusion-detection systems (IDS):
  • Host-based IDS
  • Network-based IDS

Host-based IDS: These systems are installed on a particular important machine (usually a server or some important target) and are tasked with making sure that the system state matches a particular set baseline. For example, the popular file-integrity checker Tripwire is run on the target machine just after it has been installed. It creates a database of file signatures for the system and regularly checks the current system files against their known safe signatures. If a file has been changed, the administrator is alerted. This works very well because most attackers will replace a common system file with a trojaned version to give them backdoor access.

Network-based IDS: These systems are more popular and quite easy to install. Basically, they consist of a normal network sniffer running in promiscuous mode. (In this mode, the network card picks up all traffic even if it is not meant for it.) The sniffer is attached to a database of known attack signatures, and the IDS analyzes each packet that it picks up to check for known attacks. For example, a common Web attack might contain the string /system32/cmd.exe? in the URL. The IDS will have a match for this in the database and will alert the administrator.

Newer versions of IDS support active prevention of attacks. Instead of just alerting an administrator, the IDS can dynamically update the firewall rules to disallow traffic from the attacking IP address for some amount of time. Or the IDS can use "session sniping" to fool both sides of the connection into closing down so that the attack cannot be completed.

Unfortunately, IDS systems generate a lot of false positives. A false positive is basically a false alarm, where the IDS sees legitimate traffic and for some reason matches it against an attack pattern. This tempts a lot of administrators into turning them off or even worse -- not bothering to read the logs. This may result in an actual attack being missed.

IDS evasion is also not all that difficult for an experienced attacker. The signature is based on some unique feature of the attack, and so the attacker can modify the attack so that the signature is not matched. For example, the above attack string /system32/cmd.exe? could be rewritten in hexadecimal to look something like:

'2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f'

This might be totally missed by the IDS. Furthermore, an attacker could split the attack into many packets by fragmenting the packets. This means that each packet would only contain a small part of the attack, and the signature would not match. Even if the IDS is able to reassemble fragmented packets, this creates a time overhead and since the IDS has to run at near real-time status, they tend to drop packets while they are processing. IDS evasion is a topic for a paper on its own.

The advantage of a network-based IDS is that it is very difficult for an attacker to detect. The IDS itself does not need to generate any traffic, and, in fact, many of them have a broken TCP/IP stack so that they don't have an IP address. Thus the attacker does not know whether the network segment is being monitored or not.

Patching and updating

It is embarrassing and sad that this has to be listed as a security measure. Despite being one of the most effective ways to stop an attack, there is a tremendously laid-back attitude to regularly patching systems. There is no excuse for not doing this, and yet the level of patching remains woefully inadequate. Take, for example, the MSblaster worm that spread havoc recently. The exploit was known almost a month in advance and a patch had been released. Still, millions of users and businesses were infected. While administrators know that having to patch 500 machines is a laborious task, the way I look at it is that I would rather be updating my systems on a regular basis than waiting for disaster to strike and then running around trying to patch and clean up those 500 systems.

In the enterprise, there is no "easy" way to patch large numbers of machines, but there are patch deployment mechanisms that take a lot of the burden away. Frankly, it is part of an admin's job to do this, and when a network is horribly fouled up by the latest worm, it just means that someone, somewhere didn't do his job well enough. Now that we've concluded a brief introduction to the types of threats faced in the enterprise, it is time to have a look at some of the tools that attackers use.

Keep in mind that a lot of these tools have legitimate purposes and are very useful to administrators as well. For example, I can use a network sniffer to diagnose a low-level network problem or I can use it to collect your password. It just depends which shade of hat I choose to wear.

General network tools

As surprising as it might sound, some of the most powerful tools, especially in the beginning stages of an attack, are the regular network tools available with most operating systems. For example, an attacker will usually query the "whois" databases for information on the target. After that, he might use "nslookup" to see if he can transfer the whole contents of the DNS zone. This will let him identify high-profile targets such as Web servers, mail servers, and DNS servers. He might also be able to figure what different systems do based on their DNS name; for example, sqlserver.victim.com would most likely be a database server. Other important tools include traceroute to map the network and ping to check which hosts are alive. You should make sure your firewall blocks ping requests and traceroute packets.

Port scanners

Most of you will know what port scanners are. Any system that offers TCP or UDP services will have an open port for that service. For example, if you're serving up Web pages, you'll likely have TCP port 80 open. FTP is TCP port 20/21, Telnet is TCP 23, SNMP is UDP port 161 and so on.

A port scanner scans a host or a range of hosts to determine what ports are open and what service is running on them. This tells the attacker which systems can be attacked.

For example, if I scan a Web server and find that port 80 is running an old Web server, like IIS/4.0, I can target this system with my collection of exploits for IIS 4. Usually the port scanning will be conducted at the start of the attack, to determine which hosts are interesting.

This is when the attacker is still footprinting the network -- feeling his way around to get an idea of what type of services are offered and what operating systems are in use. One of the best port scanners around is Nmap (http://www.insecure.org/nmap). Nmap runs on just about every operating system, is very versatile and has many features including OS fingerprinting, service version scanning and stealth scanning. Another popular scanner is Superscan (http://www.foundstone.com), which is only for the windows platform.

Network sniffers

A network sniffer puts the computer's NIC (network interface card or LAN card) into promiscuous mode. In this mode, the NIC picks up all the traffic on its subnet regardless of whether it was meant for it or not. Attackers set up sniffers so that they can capture all the network traffic and pull out log-ins and passwords. The most popular network sniffer is TCPdump. It can be run from the command line, which is usually the level of access a remote attacker will get. Other popular sniffers are Iris and Ethereal.

When the target network is a switched environment (a network which uses Layer 2 switches), a conventional network scanner will not be of any use. For such cases, the switched network sniffer Ettercap (http://ettercap.sourceforge.net) is very popular. It allows the attacker to collect passwords, hijack sessions, modify ongoing connections and kill connections. It can even sniff secured communications like SSL (Secure Sockets Layer, used for secure Web pages) and SSH1 (Secure Shell, a remote access service like telnet, but encrypted).

There are also programs that allow an admin to detect whether any NICs are running in promiscuous mode.

Vulnerability scanners

A vulnerability scanner is like a port scanner on steroids. Once it has identified which services are running, it checks the system against a large database of known vulnerabilities and then prepares a report on the security holes that are found. The software can be updated to scan for the latest security holes. These tools are very simple to use, so many script kiddies point them at a target machine to find out what they can attack. The most popular ones are Retina (http://www.eeye.com), Nessus (http://www.nessus.org) and GFI LanScan (http://www.gfi.com). These are very useful tools for administrators, as well, because they can scan their whole network and get a detailed summary of the holes that exist.

Password crackers

Once an attacker has gained some level of access, he usually goes after the password file on the relevant machine. In Unix-like systems this is the /etc/passwd or /etc/shadow file, and in Windows it is the SAM database. Once he gets hold of this file, it is usually "game over." He will run it through a password cracker that will usually guarantee him further access. Running a password cracker against your own password files can be a scary and enlightening experience. L0phtcrack cracked my old password, fR7x!5kK, after being left on for just one night!

There are essentially two methods of password cracking:

Dictionary mode: In this mode, the attacker feeds the cracker a word list of common passwords such as "abc123" or "password." The cracker will try each of these passwords and note where it gets a match. This mode is useful when the attacker knows something about the target. If I know that the passwords for the servers in your business are the names of Greek Gods, I can find a dictionary list of Greek God names and run it through the password cracker.

Most attackers have a large collection of word lists. For example, when I do penetration testing work, I usually use common password lists, Indian name lists and a couple of customized lists based on what I know about the company (usually data I pick up from their company Web site). Many people think that adding on a couple of numbers at the start or end of a password (for example "superman99") makes the password very difficult to crack. This is a myth, because most password crackers have the option of adding numbers to the end of words from the wordlist. While it may take the attacker 30 minutes more to crack your password, it does not make it much more secure.

Brute force mode: In this mode, the password cracker will try every possible combination for the password. In other words, it will try aaaaa, aaaab, aaaac, aaaad, etc. This method will crack every possible password; it's just a matter of how long it takes. It can turn up surprising results because of the power of modern computers. A five- or six-character alphanumeric password is crackable within a matter of a few hours or a few days, depending on the speed of the software and machine. Powerful crackers include l0phtcrack for windows passwords and John the Ripper for Unix-style passwords.

Part four of this series presents a more detailed list of tools with description

Click here to read part one of this series, "Network security, part one: Introduction."


SearchNetworking.com is the largest and most active online community dedicated to the enterprise network.  Over 300,000 IT professionals rely on SearchNetworking.com for industry news, technical tips and valuable best practices on routing, switching, network security, network/systems management, convergence/VoIP and wireless LANs, so they can keep their networks up to date and cope with constant change. 

Whether you are looking for advice on implementing a new technology or seeking new cost-saving strategies to improve the performance of your current network, SearchNetworking.com is an online helpdesk for IT managers and administrators.  We provide unbiased news, a library of how-to tips, informative learning guides, expert and vendor Webcasts and white papers all in an effort to arm you with the tools and tactics you need to do your job successfully and make the right IT purchasing decisions. Register for FREE today...  




 


E-mail your comments to dougchick@thenetworkadministrator.com
            
All rights reserved  TheNetworkAdministrator.com

Disclaimer: The Opinions shared on TheNetworkAdministrator.com are contributed by its readers and does not necessarily express the opinion of the creators of this publication.