Basics of Network Security
The computer is a moron ~ Peter Drucker
Protect your network as if it were a hotel, not as if it were a castle
Introduction
Network security is a large and growing field and has become a high-profile IT specialty. Security-related websites are tremendously popular with savvy Internet users, and the popularity of security-related certifications has also expanded. Esoteric security measures such as biometric identification and authentication have become commonplace in corporate and government programs. Yet, with all this focus on security, many organizations still implement security measures in an almost haphazard way, with no well-thought-out plan for making all the parts fit together. Network security involves many aspects, from protection of the physical equipment to protection of the electronic bits and bytes that make up the information residing on the network.
Security Overview
The term computer security encompasses many related, yet separate, topics. These can be stated as security objectives:
- Control of physical accessibility to the computer(s) and/or network
- Prevention of accidental erasure, modification or compromise of data
- Detection and prevention of intentional internal security breaches
- Detection and prevention of unauthorized external intrusions (hacking)
Network security solutions are loosely categorized as hardware, software, and human.
Basic Security Concepts
A generic definition of security in a dictionary is "freedom from risk or danger; safety".
This definition is perhaps a bit misleading when it comes to computer and networking security, as it implies a degree of protection that is inherently impossible in the modern connectivity oriented computing environment. So the same dictionary provides another definition specific to computer science: "The level to which a program or device is safe from unauthorized use". Implicit in this definition is the caveat that the objectives of security and accessibility – the two top priorities on the minds of many network administrators – are, by their very natures, diametrically opposed. The more accessible your data is, the less secure it is. Likewise, the more tightly you secure it, the more you impede accessibility. Any security plan is an attempt to strike the proper balance between the two.
Knowledge is Power
The above is a famous hacker's motto and is a truism that applies not only to those attempting to gain access to data they aren't supposed to see, but also to those who are trying to protect themselves from the intruders. The first step in winning any battle - and network security is a battle over the ownership and control of your computer files - is the same as it has always been: "know thine enemy".
To protect your network resources from theft, damage or unwanted exposure, you must understand who initiates these things, why and how they do it. Knowledge makes us powerful, and better able to prevent unauthorized intrusions into the network.
The very best place to learn is from hackers themselves. Many network administrators and even some security specialists eschew the books and websites that are written for a hacker audience or from a hacker's point of view.
Think Like a Thief
It is well known in law enforcement circles that the best criminal investigators are those who are best able to get inside the mind of the lawbreaker. Network intrusion detectives will find that the same is true - to prevent the network from falling prey to hackers, or to catch data thieves when they do get in, requires that one is able to adopt a mindset emulating theirs.
This means learning to anticipate the intruder's actions. Determine what needs to be protected, and to what degree. Practice implementing multiple layers of protection called defense in depth.
The Intrusion Triangle
Borrowing again from the law enforcement community, crime prevention specialists use a model called the “Crime Triangle” to explain that certain criteria must exist before a crime can occur. We can adapt this same triangle to network security: the same three criteria must exist before a network security breach can take place. The three “legs” or points of the triangle are shown in the figure.
- Motive - An intruder must have a reason to want to breach the security of the network
- Means - An intruder must have the ability to breach the security of the network
- Opportunity - An intruder must have the chance to enter the network, either because of flaws in the security plan, holes in a software program that opens an avenue of access, or physical proximity to network components
If one thinks about the three-point intrusion criteria for a moment, one finds that there is really only one leg of the triangle over which the network administrator or security specialist has any control. It is unlikely that one can remove the intruder's motive. It is also not possible to prevent the intruder from having or obtaining the means to breach. The only thing we can affect is the opportunity afforded the hacker.
Removing Intrusion Opportunities
Crime prevention officers tell members of the community that the “good guys” probably can’t keep a potential burglar from wanting to steal, and they certainly can’t keep the potential burglar from obtaining burglary tools or learning the “tricks of the trade.” What citizens can do is take away, as much as possible, the opportunity for the burglar to target their own homes. This means putting dead-bolt locks on the doors (and using them), getting a big, loud, unfriendly dog, installing an alarm system, and the like. In other words, as a homeowner, your goal is not to prevent the burglar from burglarizing, but to make your own home a less desirable target.
As a network “owner,” your objective is to “harden” your own network so that all those hackers out there who already have the motive and the means will look for an easier victim.
The best and most expensive locks in the world won’t keep intruders out of your house if you don’t use them. And if those locks are difficult to use and result in inconvenience to you in your everyday comings and goings, you probably won’t use them – at least, not all the time. A poorly implemented network security system that is difficult to administer or that unduly inconveniences network users may end up similarly unused; eventually, you will throw your hands up in frustration and just turn the darn thing off. And that will leave your network wide open to intruders.
A good network security system will help you to remove the temptations (open ports, exploitable applications) easily and will be as transparent to your users as possible.
Security Terminology
- Attack - In the context of computer/network security, an attack is an attempt to access resources on a computer or a network without authorization, or to bypass security measures that are in place
- Audit - To track security-related events, such as logging onto the system or network, accessing objects, or exercising user/group rights or privileges
- Availability of Data - Reliable and timely access to data
- Breach - Successfully defeating security measures to gain access to data or resources without authorization, or to make data or resources available to unauthorized persons, or to delete or alter computer files
- Brute Force Attack - Attempt to “crack” passwords by sequentially trying all possible combinations of characters until the right combination works to allow access
- Buffer - A holding area for data
- Buffer Overflow - A way to crash a system by putting more data into a buffer than the buffer is able to hold
- CIA Triad - Confidentiality, Integrity, and Availability of data. Ensuring the confidentiality, integrity, and availability of data and services is a primary security objective; the three properties are often related to each other
- Confidentiality of Data - Ensuring that the contents of messages will be kept secret
- Countermeasures - Steps taken to prevent or respond to an attack or malicious code
- Cracker - A hacker who specializes in “cracking” or discovering system passwords to gain access to computer systems without authorization
- Crash - Sudden failure of a computer system, rendering it unusable
- Defense-in-Depth - The practice of implementing multiple layers of security. Effective defense-in-depth strategies do not limit themselves to focusing on technology, but also focus on operations and people. For example, a firewall can protect against unauthorized intrusion, but training and the implementation of well-considered security policies help to ensure that the firewall is properly configured
- Denial of Service Attack - A deliberate action that keeps a computer or network from functioning as intended (for example, preventing users from being able to log onto the network)
- Exposure - A measure of the extent to which a network or individual computer is open to attack, based on its particular vulnerabilities, how well known it is to hackers, and the time duration during which intruders have the opportunity to attack. For example, a computer using a dial-up analog connection has less exposure to attack coming over the Internet, because it is connected for a shorter period of time than those using “always-on” connections such as cable, DSL or T-carrier
- Hacker - A person who spends time learning the details of computer programming and operating systems, how to test the limits of their capabilities, and where their vulnerabilities lie
- Integrity of Data - Ensuring that data has not been modified or altered, that the data received is identical to the data that was sent
- Least Privilege - The principle of least privilege requires that users and administrators have only the minimum level of access to perform their job-related duties. In military parlance, the principle of least privilege is referred to as need to know
- Malicious Code - A computer program or script that performs an action that intentionally damages a system or data, that performs another unauthorized purpose, or that provides unauthorized access to the system
- Penetration Testing - Evaluating a system by attempting to circumvent the computer’s or network’s security measures
- Reliability - The probability of a computer system or network continuing to perform in a satisfactory manner for a specific time period under normal operating conditions
- Risk - The probability that a specific security threat will be able to exploit a system vulnerability, resulting in damage, loss of data, or other undesired results. That is, a risk is the sum of the threat plus the vulnerability
- Risk Management - The process of identifying, controlling, and either minimizing or completely eliminating events that pose a threat to system reliability, data integrity, and data confidentiality
- Sniffer - A program that captures data as it travels across a network. Also called a packet sniffer
- Social Engineering - Gaining unauthorized access to a system or network by subverting personnel (for example, posing as a member of the IT department to convince users to reveal their passwords)
- TCSEC - Trusted Computer System Evaluation Criteria. A means of evaluating the level of security of a system
- Technical Vulnerability - A flaw or bug in the hardware or software components of a system that leaves it vulnerable to security breach
- Threat - A potential danger to data or systems. A threat agent can be a virus; a hacker; a natural phenomenon, such as a tornado; a disgruntled employee; a competitor, and other menaces
- Trojan Horse - A computer program that appears to perform a desirable function but contains hidden code that is intended to allow unauthorized collection, modification or destruction of data
- Virus - A program that is introduced onto a system or network for the purpose of performing an unauthorized action (which can vary from popping up a harmless message to destroying all data on the hard disk)
- Vulnerability - A weakness in the hardware or software or security plan that leaves a system or network open to threat of unauthorized access or damage or destruction of data
- Worm - A program that replicates itself, spreading from one machine to another across a network
Addressing Security Objectives
Controlling Physical Access
One of the most important, and at the same time most overlooked aspects of a comprehensive network security plan is physical access control. This matter is often left up to facilities managers or plant security departments, or it is outsourced to security guard companies. Network administrators frequently concern themselves with sophisticated software and hardware solutions that prevent intruders from accessing internal computers remotely, while doing nothing to protect the servers, routers, cable, and other physical components of the network from direct access.
Physically breaking into the server room and stealing the hard disk on which sensitive data resides may be a crude method; nonetheless, it happens. In some organizations, it may be the easiest way to gain unauthorized access, especially for an intruder who has help “on the inside.”
A good security policy should cover:
- Controlling physical access to the servers
- Controlling physical access to networked workstations
- Controlling physical access to network devices
- Controlling physical access to the cable
- Being aware of security considerations with wireless media
- Being aware of security considerations related to portable computers
- Recognizing the security risk of allowing data to be printed out
- Recognizing the security risks involving floppy disks, CD, tapes, and other removable media
Preventing Accidental Compromise of Data
The topic of network security may bring to mind a picture of evil corporate rivals determined to steal your company’s most precious trade secrets or malevolent hackers bent on crashing your network and erasing all of your data just for the sheer joy of it. While these risks do exist, often the reality of network data loss is far less glamorous. A large proportion of erased, modified, or disclosed data is the result of the actions of employees or other authorized network personnel. And a large percentage of that is the result of accidental compromise of the data. Unintended errors in entering data or accessing network resources or carelessness in use of the computers and network can cause loss of data or crashing of individual computers, the server, and even the network.
Your network security plan should address these unintended compromises, which can be just as disastrous as intentional breaches of security.
- Know Your Users
- Educate Your Users
- Control Your Users
Preventing Intentional Internal Security Breaches
According to most computer security studies, as documented in RFC 2196, Site Security Handbook, actual loss (in terms of money, productivity, computer reputation, and other tangible and intangible harm) is greater for internal security breaches than for those from the outside. Internal attackers are more dangerous for several reasons:
- They generally know more about the company, the network, the layout of the building(s), normal operating procedure, and other information that will make it easier for them to gain access without detection
- They usually have at least some degree of legitimate access and may find it easy to discover passwords and holes in the current security system.
- They know what information is on the network and what actions will cause the most damage.
Firewalls are helpful in keeping basically compliant employees from accidentally (or out of ignorance) visiting dangerous websites or sending specific types of packets outside the local network. However, they are of more limited use in preventing intentional internal security breaches. Simply limiting their access to the external network cannot thwart insiders who are determined to destroy, modify, or copy your data. Because they have physical access, they can copy data to removable media, to a portable computer (including tiny hand-held machines), or perhaps even print it to paper and remove it from the premises that way. They may change the format of the data to disguise it and upload files to web-based data storage services.
In a high security environment, computers without floppy drives – or even completely disk-less workstations – may be warranted. System or group policy can be applied that prevents users from installing software (such as that needed for a desktop computer to communicate with a Pocket PC or Palm Pilot). Cases can be locked, and physical access to serial ports, USB ports, and other connection points can be covered so removable media devices can’t be attached. Other internal controls include physical measures such as key cards to limit entry to server rooms and other sensitive resources, as well as software controls such as user and group accounts, encryption, and so forth.
Hiring and Human Resource Policies
A good “defense in depth” security strategy is multifaceted, involving technology, operations, and people. In many cases, the latter is the weakest link in the chain. Thus, prevention starts with good human resources practices. That means management should institute hiring policies aimed at recruiting persons of good character. Background investigations should be conducted, especially for key positions that will have more than normal user access.
The work environment should encourage high employee morale. In many cases, internal security breaches are committed as “revenge” by employees who feel underpaid, under-appreciated, and even mistreated. Employees who are enthusiastic about their jobs and feel valued by the organization will be much more likely to comply with company rules, including network security policies.
Another motivation for internal breaches is money. If the company engages in a highly competitive business, competitors may approach employees with lucrative offers for trade secrets or other confidential data. If you are in a field that is vulnerable to corporate espionage, your security policies should lean toward the “deny all access” model, in which access for a particular network user starts at nothing, and access is added on the basis of the user’s need to know.
Detecting Internal Breaches
Implementing auditing will help you detect internal breaches of security by recording specified security events. You will be able to track when objects (such as files or folders) are accessed, what user account was used to access them, when users exercise user rights, and when users log onto or off of the computer or network. Modern network operating systems include built-in auditing functionality.
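As an added example (not from the original article), the following Python reads a constructed audit trail in a simplified one-line-per-event format and answers the questions listed above: which account touched which object, which rights were exercised, and whether that activity took place inside a recorded logon session and during business hours. The log format, the user names, the file server path and the 07:00 to 19:00 business-hours window are assumptions made for the demonstration.

```python
import re
from datetime import datetime

# Constructed audit trail (not real log data). Format per line:
# "<ISO timestamp> <EVENT> key=value ...". Events: LOGON, LOGOFF,
# OBJECT_ACCESS, PRIVILEGE_USE.
SAMPLE_AUDIT_LOG = [
    r"2024-03-01T08:55:12 LOGON user=alice src=192.0.2.10",
    r"2024-03-01T09:01:33 OBJECT_ACCESS user=alice object=\\fs1\finance\payroll.xlsx access=read",
    r"2024-03-01T17:10:05 LOGOFF user=alice",
    r"2024-03-01T23:41:00 OBJECT_ACCESS user=bob object=\\fs1\finance\payroll.xlsx access=write",
    r"2024-03-01T23:42:10 PRIVILEGE_USE user=bob right=SeBackupPrivilege",
]

# Assumed working hours: activity at 07:00 through 18:59 is "normal"
BUSINESS_HOURS = range(7, 19)

LINE_RE = re.compile(r"^(\S+) (\S+)(.*)$")


def parse_event(line):
    """Split one audit line into a dict with 'time', 'event' and the key=value fields."""
    timestamp, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"time": datetime.fromisoformat(timestamp), "event": event, **fields}


def audit_report(lines):
    """Summarise the trail per user and flag suspicious activity.

    Returns (per_user, findings). per_user maps a user to its logon count,
    the objects it accessed and the rights it exercised. findings is a list of
    (timestamp, user, reason) for activity outside a recorded logon session or
    outside business hours.
    """
    open_sessions = set()
    per_user = {}
    findings = []
    for ev in map(parse_event, lines):
        user = ev["user"]
        summary = per_user.setdefault(user, {"logons": 0, "objects": [], "rights": []})
        if ev["event"] == "LOGON":
            open_sessions.add(user)
            summary["logons"] += 1
            continue
        if ev["event"] == "LOGOFF":
            open_sessions.discard(user)
            continue
        if ev["event"] == "OBJECT_ACCESS":
            summary["objects"].append((ev["object"], ev["access"]))
        elif ev["event"] == "PRIVILEGE_USE":
            summary["rights"].append(ev["right"])
        # Object access or privilege use with no logon on record is either a
        # gap in auditing or activity worth a closer look
        if user not in open_sessions:
            findings.append((ev["time"].isoformat(), user, "activity without a recorded logon"))
        if ev["time"].hour not in BUSINESS_HOURS:
            findings.append((ev["time"].isoformat(), user, "activity outside business hours"))
    return per_user, findings


if __name__ == "__main__":
    users, flagged = audit_report(SAMPLE_AUDIT_LOG)
    for user, info in users.items():
        print(user, info)
    for item in flagged:
        print("FLAG", *item)
```

Real operating-system audit logs carry far more fields, but the two checks shown, correlating each access with a logon session and with the expected time window, are the kind of questions the recorded events let you answer.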
Preventing Unauthorized External Intrusions
External intrusions (or “hacking into the system”) from outside the LAN have received a lot of attention in the media and thus are the major concern of many companies when it comes to network security issues. In recent years, there have been a number of high profile cases in which the web servers of prominent organizations (such as Yahoo and Microsoft) have been hacked. Attempts to penetrate sensitive government networks, such as the Pentagon’s systems, occur on a regular basis.
Distributed Denial of Service (DDoS) attacks make front-page news when they crash servers and prevent Internet users from accessing popular sites.
There are psychological factors involved, as well. Internal breaches are usually seen by companies as personnel problems and handled administratively. External breaches may seem more like a “violation” and are more often prosecuted in criminal actions. Because the external intruder could come from anywhere, at any time, the sense of uncertainty and fear of the unknown may cause organizations to react in a much stronger way to this type of threat.
The good news about external intrusions is that the area(s) that must be controlled are much more focused. There are usually only a limited number of points of entry to the network from the outside. This is where a properly configured firewall can be invaluable, allowing authorized traffic into the network while keeping unauthorized traffic out. On the other hand, the popularity of firewalls ensures that dedicated hackers know how they work and spend a great deal of time and effort devising ways to defeat them.
Never depend on the firewall to provide 100 percent protection, even against outside intruders.
Remember that in order to be effective, a security plan must be a multifaceted, multi-layered one. We hope the firewall will keep intruders out of your network completely – but if they do get in, what is your contingency plan? How will you reduce the amount of damage they can do and protect your most sensitive or valuable data?
External Intruders with Internal Access
A special type of “external” intruder is the outsider who physically breaks into your facility to gain access to your network. Although not a true “insider,” because he is not authorized to be there and does not have a valid account on the network, he has many of the advantages of an internal intruder. Your security policy should take into account the threats posed by this “hybrid” type of intruder.
Tactical Planning
In dealing with network intruders, you should practice what police officers in defensive tactics training call “if/then thinking”. This means considering every possible outcome of a given situation and then asking yourself, “If this happens, then what could be done to protect us from the consequences?”.
The answers to these questions will form the basis of your security policy.
This tactic requires that you be able to plan your responses in detail, which means you must think in specifics rather than generalities. Your assessment of each security threat must be based in part on understanding the motivations of those initiating the attack and in part on the technical aspects of the type of attack that is initiated.
Classifying Specific Types of Attacks
Social Engineering Attacks
Social engineering is defined as obtaining confidential information by means of human interaction. You can think of social engineering attackers as specialized con artists. They gain the trust of users (or even better, administrators) and then take advantage of the relationship to find out the user’s account name and password, or have the unsuspecting users log them onto the system. Because it is based on convincing a valid network user to “open the door”, social engineering can successfully get an intruder into a network that is protected by high-security measures such as biometric scanners.
It is especially challenging to protect against social engineering attacks. Adopting strongly worded policies that prohibit divulging passwords and other network information to anyone over the telephone and educating your users about the phenomenon are obvious steps you can take to reduce the likelihood of this type of security breach. Human nature being what it is, however, there will always be some users on every network who are vulnerable to the social engineer’s con game. A talented social engineer is a master at making users doubt their own doubts about his legitimacy. Because social engineering is a human problem, not a technical problem, prevention must come primarily through education rather than technological solutions.
Denial of Service (DOS) Attacks
Denial of Service (DOS) attacks are one of the most popular choices of Internet hackers who want to disrupt a network’s operations. Although they do not destroy or steal data as some other types of attacks do, the objective of the DOS attacker is to bring down the network, denying service to its legitimate users. DOS attacks are easy to initiate; software is readily available from hacker websites and newsgroups that will allow anyone to launch a DOS attack with little or no technical expertise.
Distributed Denial of Service attacks
Distributed DOS (DDOS) attacks use intermediary computers called agents on which programs called zombies have previously been surreptitiously installed. The hacker activates these zombie programs remotely, causing the intermediary computers (which can number in the hundreds or even thousands) to simultaneously launch the actual attack. Because the attack comes from the computers running the zombie programs, which may be on networks anywhere in the world, the hacker is able to conceal the true origin of the attack.
DNS DOS attack
The Domain Name System (DNS) DOS attack exploits the difference in size between a DNS query and a DNS response, in which all of the network’s bandwidth is tied up by bogus DNS queries. The attacker uses the DNS servers as “amplifiers” to multiply the DNS traffic.
The attacker begins by sending small DNS queries to each DNS server, which contain the spoofed IP address of the intended victim. The responses returned to the small queries are much larger in size, so that if there are a large number of responses returned at the same time, the link will become congested and denial of service will take place.
One solution to this problem is for administrators to configure DNS servers to respond with a “refused” response, which is much smaller in size than a name resolution response, when they receive DNS queries from suspicious or unexpected sources.
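To make the size argument concrete, here is an added example (not from the original article) that uses only Python's standard library to build a DNS query and the two possible server replies: a full answer from a constructed zone for clients inside an allowed network, and a REFUSED reply (RCODE 5) carrying nothing but the echoed question for everyone else. The zone contents, the allowed network and the 300-second TTL are assumptions for the demonstration; the code only builds byte strings and sends nothing.

```python
import ipaddress
import struct

QTYPE = {"A": 1, "TXT": 16, "ANY": 255}
RCODE_REFUSED = 5

# Constructed zone data for the demonstration (not real records); the
# addresses come from the documentation range 192.0.2.0/24.
ZONE = {
    "example.com": [
        ("A", bytes([192, 0, 2, 1])),
        ("A", bytes([192, 0, 2, 2])),
        ("TXT", b"v=spf1 ip4:192.0.2.0/24 -all"),
    ]
}


def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="ANY", txid=0x1234):
    """A standard recursive query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_query(data):
    """Return (txid, name, qtype, raw question section) from a query."""
    txid = struct.unpack("!H", data[:2])[0]
    pos, labels = 12, []
    while data[pos]:
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1  # skip the terminating zero label
    qtype = struct.unpack("!H", data[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, data[12:pos + 4]


def resource_record(rtype, rdata, ttl=300):
    """One answer RR; the 0xC00C pointer refers back to the name in the question."""
    if rtype == "TXT":
        rdata = bytes([len(rdata)]) + rdata  # TXT rdata is a length-prefixed string
    return b"\xc0\x0c" + struct.pack("!HHIH", QTYPE[rtype], 1, ttl, len(rdata)) + rdata


def build_answer(query):
    """Full response: every record from the constructed zone matching the question."""
    txid, name, qtype, question = parse_query(query)
    records = [r for r in ZONE.get(name, []) if qtype in (QTYPE["ANY"], QTYPE[r[0]])]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)  # QR, RD, RA
    return header + question + b"".join(resource_record(t, d) for t, d in records)


def build_refused(query):
    """REFUSED response: header with RCODE 5 and the echoed question, no answers."""
    txid, _, _, question = parse_query(query)
    header = struct.pack("!HHHHHH", txid, 0x8180 | RCODE_REFUSED, 1, 0, 0, 0)
    return header + question


def rcode(message):
    """Low four bits of the flags word."""
    return struct.unpack("!H", message[2:4])[0] & 0x0F


def handle_query(query, src_ip, allowed_nets):
    """Server policy: answer clients inside allowed_nets, refuse everyone else."""
    src = ipaddress.ip_address(src_ip)
    if any(src in ipaddress.ip_network(n) for n in allowed_nets):
        return build_answer(query)
    return build_refused(query)


def amplification(query, response):
    """Bytes the server sends toward the (possibly spoofed) source per byte received."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com", "ANY")
    for client in ("192.0.2.10", "203.0.113.7"):
        reply = handle_query(q, client, ["192.0.2.0/24"])
        print(client, len(q), "->", len(reply), "bytes, rcode", rcode(reply),
              "amplification %.2f" % amplification(q, reply))
```

With this toy zone a 29-byte ANY query draws a 102-byte answer (a factor of about 3.5; real zones with many records push the factor much higher), while the refused reply is exactly the size of the query, so a spoofed source gains nothing from bouncing queries off the server.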
SYN attack/LAND attack
Synchronization request (SYN) attacks exploit the Transmission Control Protocol (TCP) “three-way handshake”, the process by which a communications session is established between two computers.
Because TCP, unlike User Datagram Protocol (UDP), is connection-oriented, a session, or direct one-to-one communication link, must be created before sending data. The client computer initiates communication with the server (the computer whose resources it wants to access).
The “handshake” includes the following steps:
- The client machine sends a SYN segment.
- The server sends an acknowledgement (ACK) message and a SYN, which acknowledges the client machine’s request that was sent in step 1 and sends the client a synchronization request of its own. The client and server machines must synchronize each other’s sequence numbers.
- The client sends an ACK back to the server, acknowledging the server’s request for synchronization. When both machines have acknowledged each other’s requests, the handshake has been successfully completed and a connection is established between the two computers.
This is how the process normally works. A SYN attack uses this process to flood the system targeted with multiple SYN packets that have bad source IP addresses, which causes the system to respond with SYN/ACK messages. The problem comes when the system, waiting for the ACK message, puts the waiting SYN/ACK messages into a queue. The queue is limited in the number of messages it can handle, and when it is full, all subsequent incoming SYN packets will be ignored. In order for a SYN/ACK to be removed from the queue, an ACK must be returned from the client, or the interval timer must run out and terminate the three-way handshake process.
Because the source IP addresses for the SYN packets sent by the attacker are no good, the ACKs that the server is waiting for never come. The queue stays full, and there is no room for valid SYN requests to be processed. Thus service is denied to legitimate clients attempting to establish communications with the server.
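The queue behaviour described above can be modelled without any networking. The following added example (not from the original article) simulates the server's half-open backlog as a fixed-capacity table of outstanding SYN/ACKs with a per-entry timer, and walks through the scenario in the text: sources that never answer fill the table, a legitimate client's SYN is ignored while it is full, and the same client gets in once the timers expire. The capacity of 8, the 30-second timer and all addresses are constructed values.

```python
import collections


class HalfOpenQueue:
    """Model of a listening socket's half-open (SYN/ACK sent, ACK awaited) backlog.

    Entries are keyed by the client's (address, port); each carries the time at
    which the server gives up waiting for the ACK and discards the entry.
    """

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = collections.OrderedDict()  # client -> deadline
        self.established = []
        self.dropped_syns = 0

    def _expire(self, now):
        """Discard entries whose interval timer has run out."""
        for client, deadline in list(self.pending.items()):
            if deadline <= now:
                del self.pending[client]

    def on_syn(self, client, now):
        """Handle an incoming SYN. Returns True if a SYN/ACK was queued for it."""
        self._expire(now)
        if client in self.pending:
            return True  # retransmitted SYN; entry already queued
        if len(self.pending) >= self.capacity:
            self.dropped_syns += 1  # backlog full: the SYN is ignored
            return False
        self.pending[client] = now + self.timeout
        return True

    def on_ack(self, client, now):
        """Third step of the handshake. Returns True if a connection was established."""
        self._expire(now)
        if client not in self.pending:
            return False
        del self.pending[client]
        self.established.append(client)
        return True


def simulate():
    """Constructed scenario: backlog of 8 entries, 30-second SYN/ACK timer."""
    queue = HalfOpenQueue(capacity=8, timeout=30)
    # Eight SYNs whose source addresses will never answer (the text's "bad
    # source IP addresses"); the server queues a SYN/ACK for each one
    for i in range(8):
        queue.on_syn(("203.0.113.%d" % (i + 1), 40000 + i), now=i)
    legit = ("198.51.100.5", 51000)
    first_try = queue.on_syn(legit, now=8)    # queue full: SYN ignored
    retry = queue.on_syn(legit, now=31)       # two entries have expired: queued
    handshake = queue.on_ack(legit, now=32)   # ACK arrives: connection established
    return {
        "first_try": first_try,
        "retry": retry,
        "handshake": handshake,
        "dropped": queue.dropped_syns,
        "established": queue.established,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The model shows why the timer alone is a weak defence: as long as unanswered SYNs arrive faster than entries expire, the table stays full and legitimate clients only get through by luck. Stateless alternatives such as SYN cookies, which keep no entry at all until the ACK arrives, remove the table the attack relies on.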
The LAND attack is a variation on the SYN attack. In the LAND attack, instead of sending SYN packets with IP addresses that do not exist, the flood of SYN packets all have the same spoofed IP address – that of the targeted computer.
The LAND attack can be prevented by filtering out incoming packets whose source IP addresses appear to be from computers on the internal network.
Ping of Death
Another type of DOS attack is the so-called “Ping of Death” (also known as the “large packet ping”). The Ping of Death attack is launched by creating an IP packet larger than 65,536 bytes, which is the maximum allowed by the IP specification (this is sometimes referred to as a “killer packet”). This can cause the target system to crash, hang or reboot.
Although newer operating systems are generally not vulnerable to this type of attack, many companies still have older operating systems deployed against which the Ping of Death can be used.
Teardrop
The teardrop attack works a little differently from the Ping of Death, but with similar results. The teardrop program creates IP fragments, which are pieces of an IP packet into which an original packet can be divided as it travels through the Internet. The problem is that the offset fields on these fragments, which are supposed to indicate the portion (in bytes) of the original packet that is contained in the fragment, overlap. When the destination computer tries to reassemble these packets, it is unable to do so and may crash, hang or reboot.
Ping Flood (ICMP flood)
The ping flood or ICMP flood is a means of tying up a specific client machine. It is caused by an attacker sending a large number of ping packets (ICMP echo request packets) to the Winsock or dialer software. This prevents it from responding to server ping activity requests, which causes the server to eventually timeout the connection. A symptom of a ping flood is a huge amount of modem activity, as indicated by the modem lights. This is also referred to as a ping storm.
The fraggle attack is related to the ping storm. Using a spoofed IP address (which is the address of the targeted victim), an attacker sends ping packets to a subnet, causing all computers on the subnet to respond to the spoofed address and flood it with echo reply messages.
SMURF attack
The Smurf attack is a form of “brute force” attack that uses the same method as the ping flood, but directs the flood of ICMP echo request packets at the network’s router. The destination address of the ping packets is the broadcast address of the network, which causes the router to broadcast the packet to every computer on the network or segment. This can result in a very large amount of network traffic if there are many host computers, which can create congestion that causes a denial of service to legitimate users.
In its most insidious form, the Smurf attacker spoofs the source IP address of a ping packet. Then both the network to which the packets are sent and the network of the spoofed source IP address will be overwhelmed with traffic. The network to which the spoofed source address belongs will be deluged with responses to the ping when all the hosts to which the ping was sent answer the echo request with an echo reply.
Smurf attacks can generally do more damage than other forms of DoS, such as SYN floods. The SYN flood affects only the ability of other computers to establish a TCP connection to the flooded server, but a Smurf attack can bring an entire ISP down for minutes or hours. This is because a single attacker can easily send 40–50 ping packets per second, even using a slow modem connection.
Because each is broadcast to every computer on the destination network, that means the number of responses per second is 40–50 times the number of computers on the network – which could be hundreds or thousands. This is enough data to congest even a T-1 link.
One way to prevent a Smurf attack from using your network as the broadcast target is to turn off the capability to transmit broadcast traffic on the router. Most routers allow you to do this.
UDP bomb or UDP flood
An attacker can use UDP and one of several services that echo packets upon receipt to create service-denying network congestion by generating a flood of UDP packets between two target systems. For example, the UDP chargen service on the first computer, a testing tool that generates a series of characters for every packet it receives, sends packets to another system’s UDP echo service, which echoes every character it receives. By exploiting these testing tools, an endless flow of echoes goes back and forth between the two systems, congesting the network. This is sometimes called a UDP packet storm.
In addition to port 7, the echo port, an attacker can use port 17, the quote of the day service (quotd) or the daytime service on port 13. These services will also echo packets they receive. UDP chargen is on port 19.
Disabling unnecessary UDP services on each computer (especially those mentioned above) or using a firewall to filter those ports/services, will protect you from this type of attack.
UDP Snork attack
The snork attack is similar to the UDP bomb. It uses a UDP datagram with a source port of either 7 (echo) or 19 (chargen) and a destination port of 135, the Microsoft RPC endpoint mapper (the Location Service on Windows NT). The result is the same as the UDP bomb: a flood of unnecessary transmissions that can slow performance or crash the systems involved.
WinNuke (Windows out-of-band attack)
The out-of-band (OOB) attack exploits a vulnerability in the Windows TCP/IP stack of the time, sometimes called the Windows OOB bug. The WinNuke program (and variations such as Sinnerz and Muerte) sends an out-of-band data transmission that crashes the machine it is sent to. It works like this: a TCP connection is established with the target IP address on port 139 (the NetBIOS session service port). The program then sends data with the Winsock flag MSG_OOB, which causes the TCP segment to be sent with the URG (urgent) flag set and an urgent pointer in the header.
On receipt, the targeted Windows machine expects the urgent pointer to mark the position in the segment where the urgent data ends, with normal data following, but in the segment WinNuke builds the pointer points at the end of the segment with no data after it.
Unpatched Windows 95 and Windows NT systems did not handle this situation: they ceased communicating on the network (typically with a blue screen), and service was denied to any user who subsequently tried to reach them.
A WinNuke attack usually requires a reboot of the affected system to re-establish network communications. Microsoft patched the bug shortly after it appeared in 1997, and current Windows versions are not affected, but the pattern (a malformed use of a rarely exercised protocol feature) recurs in other stacks.
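Each of the attacks above (Smurf, UDP bomb, snork, WinNuke) can be recognised from a single packet, so a stateless filter rule suffices for each. The following is an added example, not code from the original article: packets are represented as already-parsed dicts constructed inline, the protected segment 192.0.2.0/24 is an assumption, and the rules return the name of the pattern a packet matches.

```python
"""Stateless filter rules for the DoS patterns described above: Smurf,
UDP bomb / packet storm, snork and WinNuke.

Added example, not code from the original article. Packets are plain dicts
already parsed from the wire (constructed below), so the rules can be read
and tested without raw sockets. The protected network is an assumption.
"""
import ipaddress

# UDP "small services" (RFC 862 echo, RFC 867 daytime, RFC 865 qotd,
# RFC 864 chargen) answer every datagram they receive, so two of them
# pointed at each other exchange traffic until someone intervenes.
SMALL_SERVICES = {7: "echo", 13: "daytime", 17: "qotd", 19: "chargen"}
MS_RPC_LOCATOR = 135   # snork destination port
NETBIOS_SESSION = 139  # WinNuke destination port
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed protected segment


def is_broadcast(dst, net=LOCAL_NET):
    """True for the directed broadcast of `net` or the limited broadcast."""
    addr = ipaddress.ip_address(dst)
    return addr == net.broadcast_address or addr == LIMITED_BROADCAST


def classify(pkt):
    """Name the attack pattern a packet matches, or return None.

    Expected keys: proto ('icmp'|'udp'|'tcp'), src, dst, plus icmp_type for
    ICMP, sport/dport for UDP and TCP, and flags (a set of names) for TCP.
    """
    proto = pkt["proto"]
    if proto == "icmp":
        # Smurf: an echo request (type 8) to the broadcast address is answered
        # by every host on the segment, and the replies go to whatever source
        # address the request carried.
        if pkt.get("icmp_type") == 8 and is_broadcast(pkt["dst"]):
            return "smurf"
    elif proto == "udp":
        sport, dport = pkt["sport"], pkt["dport"]
        # UDP bomb: small service to small service (classically chargen -> echo).
        if sport in SMALL_SERVICES and dport in SMALL_SERVICES:
            return "udp-bomb"
        # Snork: echo or chargen as the source, RPC locator as the destination.
        if sport in (7, 19) and dport == MS_RPC_LOCATOR:
            return "snork"
    elif proto == "tcp":
        # WinNuke: urgent (out-of-band) data aimed at the NetBIOS session port.
        if pkt["dport"] == NETBIOS_SESSION and "URG" in pkt.get("flags", set()):
            return "winnuke"
    return None


def filter_packets(packets):
    """Return (allowed, dropped); dropped pairs each packet with its reason."""
    allowed, dropped = [], []
    for pkt in packets:
        reason = classify(pkt)
        if reason:
            dropped.append((pkt, reason))
        else:
            allowed.append(pkt)
    return allowed, dropped


# Constructed sample traffic: one of each attack and some benign look-alikes.
SAMPLE = [
    {"proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.255", "icmp_type": 8},
    {"proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.10", "icmp_type": 8},
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 19, "dport": 7},
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 7, "dport": 135},
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 53, "dport": 53},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40000,
     "dport": 139, "flags": {"PSH", "ACK", "URG"}},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40001,
     "dport": 139, "flags": {"PSH", "ACK"}},
]

if __name__ == "__main__":
    allowed, dropped = filter_packets(SAMPLE)
    for pkt, reason in dropped:
        print(f"DROP {reason:8s} {pkt['src']} -> {pkt['dst']}")
    print(f"{len(allowed)} packets allowed")
```

The Smurf rule only stops your network from acting as the amplifier; when you are the spoofed victim, the echo replies are legitimate packets from other people's networks, and the defence lies in their source address filtering rather than in anything you can match on.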
Mail bomb attack
A mail bomb is a means of overwhelming a mail server, causing it to stop functioning and thus denying service to users. A mail bomb is a relatively simple form of attack, accomplished by sending a massive quantity of email to a specific user or system. There are programs available on hacking sites on the Internet that allow a user to easily launch a mail bomb attack, automatically sending floods of email to a specified address while protecting the attacker’s identity.
A variation on the mail bomb program automatically subscribes a targeted user to hundreds or thousands of high volume Internet mailing lists, which will fill the user’s mailbox and/or the mail server. Bombers call this list linking. Examples of these mail bomb programs include Unabomber, extreme Mail, Avalanche, and Kaboom.
The usual response to repeated mail bomb attacks is to block traffic from the originating network using packet filters, or to rate-limit deliveries per source at the mail server. Unfortunately, this does not work with list linking, because the originator’s address is obscured; the deluge of traffic comes from the mailing lists to which the victim has been subscribed, and the only remedies are unsubscribing and asking list operators to require confirmed opt-in.
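The blocking response described above has to be driven by some detection, typically a count of messages per source network and recipient over a short window. The following is an added example, not code from the original article: it replays constructed SMTP log lines of the assumed form “timestamp client-IP recipient” through a sliding window and returns the /24 networks that should be blocked at the packet filter. The threshold and window are assumptions too.

```python
"""Sliding-window detection of a mail bomb in SMTP logs, producing the
list of source networks to block at the packet filter.

Added example, not code from the original article. The log format
("<ISO timestamp> <client IP> <recipient>"), the threshold (100 messages to
one recipient from one /24 within 5 minutes) and the sample lines are all
constructed assumptions. List linking is deliberately not handled: its
traffic comes from many legitimate list servers and never trips a
per-source threshold.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress


def parse_line(line):
    """Split one log line into (timestamp, client address, recipient)."""
    ts, client, rcpt = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), ipaddress.ip_address(client), rcpt.strip()


class MailBombDetector:
    def __init__(self, threshold=100, window=timedelta(minutes=5), prefixlen=24):
        self.threshold, self.window, self.prefixlen = threshold, window, prefixlen
        self._recent = defaultdict(deque)  # (source net, recipient) -> timestamps

    def observe(self, ts, client, rcpt):
        """Record one delivery; return the source network to block, if any.

        Keying on the /24 rather than the single address catches a bomber who
        rotates through a few addresses on the same network.
        """
        net = ipaddress.ip_network(f"{client}/{self.prefixlen}", strict=False)
        q = self._recent[(net, rcpt)]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire entries outside the window
            q.popleft()
        return net if len(q) >= self.threshold else None

    def blocklist(self, lines):
        """Replay log lines in time order and return the set of networks to block."""
        blocked = set()
        for line in lines:
            hit = self.observe(*parse_line(line))
            if hit:
                blocked.add(hit)
        return blocked


def constructed_log():
    """Build sample lines: background mail plus a 150-message burst at one victim."""
    start = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    for i in range(150):                               # the bomb, one every 2 s
        t = start + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} 203.0.113.{7 + i % 3} victim@example.com")
    for i in range(30):                                # background mail, 1 min apart
        t = start + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} 198.51.100.{1 + i % 5} someone@example.com")
    lines.sort()                                       # ISO timestamps sort as text
    return lines


if __name__ == "__main__":
    for net in sorted(MailBombDetector().blocklist(constructed_log())):
        print(f"block {net}")
```

The detector keys on recipient as well as source so that a busy but legitimate mail relay sending to many different users is not mistaken for a bomb.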
Scanning and Spoofing
The term scanner, in the context of network security, refers to a software program used by hackers to remotely determine what TCP/UDP ports are open on a given system, and thus what services might be vulnerable to attack. Administrators also use scanners to detect and correct vulnerabilities in their own systems before an intruder finds them. Network diagnostic tools such as the famous Security Administrator Tool for Analyzing Networks (SATAN), a UNIX utility, include sophisticated port scanning capabilities; its modern counterpart is nmap.
A good scanning program can locate a target computer on the Internet (one that is vulnerable to attack), determine what TCP/IP services are running on the machine, and probe those services for security weaknesses.
Port scan
Port scanning refers to a means of locating “listening” TCP or UDP ports on a computer or router and obtaining as much information as possible about the device from those listening ports.
TCP and UDP services and applications use a number of well-known ports, which are widely published. The hacker uses knowledge of these commonly used ports to infer what software is running, and often confirms it from the banner a service sends as soon as a connection is made.
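A connect scanner of the kind the text describes, as an added example that is not code from the original article: it tries a TCP connection to each port, reads whatever banner the service volunteers, and, so that it can run offline, starts a throwaway listener on the loopback address that announces a constructed SSH-style banner (it is not a real SSH service). Only the standard library is used.

```python
"""Minimal TCP connect scanner with banner grabbing.

Added example, not code from the original article. It demonstrates what
the text describes a scanner doing: find listening TCP ports on a host and
extract what it can from them. To run offline it also starts a throwaway
listener on the loopback address whose banner is constructed for the demo.
"""
import socket
import threading


def start_banner_listener(banner=b"SSH-2.0-ExampleDaemon_1.0\r\n"):
    """Bind an ephemeral loopback port and answer every client with `banner`.

    Returns the port number. The accept loop runs in a daemon thread and
    ends when the process does.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                conn.sendall(banner)
            except OSError:
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe(host, port, timeout=1.0):
    """Return (is_open, banner) from a TCP connect() plus a short read."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if s.connect_ex((host, port)) != 0:     # refused or timed out: closed/filtered
            return False, b""
        try:
            return True, s.recv(128)
        except OSError:
            # Open, but the service waits for the client to speak first (HTTP,
            # SMB, ...); a fuller scanner would send protocol-specific probes.
            return True, b""


def scan(host, ports, timeout=1.0):
    """Map each open port to the banner it volunteered (bytes, possibly empty)."""
    found = {}
    for port in ports:
        is_open, banner = probe(host, port, timeout)
        if is_open:
            found[port] = banner.strip()
    return found


def demo():
    """Scan a small loopback range that includes the fake daemon."""
    open_port = start_banner_listener()
    # Neighbouring ports are almost certainly closed; refusals are instant on loopback.
    results = scan("127.0.0.1", [open_port - 1, open_port, open_port + 1])
    return open_port, results


if __name__ == "__main__":
    port, results = demo()
    for p, banner in results.items():
        print(f"{p:5d}/tcp open  {banner.decode(errors='replace')}")
```

A full connect() is the noisiest way to scan: it completes the three-way handshake, so the target's service logs the connection. Half-open (SYN) scanning avoids that but needs raw sockets and privileges.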
IP Spoofing
IP spoofing involves forging the source address in the IP header so that a packet appears to come from an address other than the true source. The spoofed address is normally that of a trusted host, which lets the attacker get a packet through a firewall or router filter that would otherwise reject it. Firewalls can catch the obvious case, a packet arriving on the external interface that claims an internal source address, but they cannot tell whether an arbitrary external source address is genuine.
Spoofing is used whenever it is beneficial for one machine to impersonate another. It is often used in combination with one of the other types of attacks. For example, a spoofed address is used in the SYN flood attack to create a “half open” connection, in which the client never responds to the SYN/ACK message because the spoofed address is that of a computer that is down or doesn't exist. Spoofing is also used to hide the true IP address of the attacker in Ping of Death, Teardrop and other attacks.
Spoofing of your own address space can be prevented by using source address verification on your router, if it is supported. Ingress filtering (RFC 2827 / BCP 38) drops packets that arrive on an interface with a source address that could not legitimately come from that direction, and unicast reverse path forwarding (uRPF) automates the check from the routing table. Because the check is made where the spoofed packet enters the Internet, it protects other people's networks as much as your own, which is why it only works if it is widely deployed.
Source Routing attack
TCP/IP supports source routing, a mechanism that permits the sender of network data to route packets through specific points on the network. There are two types of source routing, both carried as IP header options:
- Strict Source Route (SSR, option type 137): the sender specifies the exact route, hop by hop (rarely used).
- Loose Source and Record Route (LSRR, option type 131): the sender specifies certain routers (hops) through which the packet must pass; normal routing is used between them.
The source route is an option in the IP header that allows a sender to override routing decisions normally made by routers between the source and destination machines. Source routing is used by network administrators to map the network, or for troubleshooting routing and communications problems. It can also be used to force traffic through the route that will provide the best performance.
Unfortunately, source routing can be exploited by hackers.
If the system allows source routing, an intruder can use it to reach private internal addresses on the LAN that normally would not be reachable from the Internet, by routing the traffic through another machine that is reachable from both the Internet and the internal machine.
Source routing can be disabled on most routers (“no ip source-route” on Cisco IOS) and on hosts (on Linux the sysctl net.ipv4.conf.all.accept_source_route, which defaults to 0) to prevent this type of attack. A border filter should also drop any inbound packet that carries either option, regardless of what the hosts behind it do.
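The two border checks from the IP spoofing and source routing sections above belong together, because both are decided from the IP header alone on the interface a packet arrived on. The following is an added example, not code from the original article: it parses a raw IPv4 header, applies ingress filtering in the spirit of BCP 38 (an inside host may only use the inside prefixes; an outside packet may claim anything except our own address space) and drops packets carrying the LSRR or SSRR option. The interface names, the prefixes and the test packets (built by build_ipv4) are assumptions for the example.

```python
"""Border router checks against IP spoofing and source routing.

Added example, not code from the original article. It parses a raw IPv4
header, applies ingress filtering in the spirit of RFC 2827 / BCP 38 and
rejects packets carrying the Strict Source Route (option type 137) or Loose
Source and Record Route (option type 131) options. Interface names and
prefixes are assumptions; test packets are constructed by build_ipv4.
"""
import ipaddress
import struct

LSRR, SSRR = 131, 137  # IP option type bytes 0x83 and 0x89 (RFC 791)

INTERNAL = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]
# Assumed topology: "inside" faces the LAN, "outside" faces the Internet.
INTERFACE_PREFIXES = {"inside": INTERNAL}


def build_ipv4(src, dst, options=b"", proto=17, payload=b""):
    """Assemble a minimal IPv4 packet (header + padded options) for the tests."""
    options += b"\x00" * (-len(options) % 4)          # options are padded to 32 bits
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


def parse_ipv4(pkt):
    """Return (src, dst, option_types) from a raw IPv4 packet, validating the IHL."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("header length inconsistent with packet")
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    types, i = [], 20
    while i < ihl:                       # walk the option list (RFC 791)
        t = pkt[i]
        if t == 0:                       # end of option list
            break
        if t == 1:                       # no-op, single byte
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("malformed option")
        types.append(t)
        i += pkt[i + 1]
    return src, dst, types


def source_allowed(src, iface):
    """BCP 38 check: inside hosts may only use their own prefixes; outside
    traffic may claim anything except our own address space."""
    if iface == "outside":
        return not any(src in net for net in INTERNAL)
    return any(src in net for net in INTERFACE_PREFIXES[iface])


def border_check(pkt, iface):
    """Return 'accept' or 'drop: <reason>' for a packet arriving on iface."""
    try:
        src, dst, opts = parse_ipv4(pkt)
    except ValueError as e:
        return f"drop: {e}"
    if LSRR in opts or SSRR in opts:
        # The sender is trying to dictate the path, e.g. through a dual-homed relay.
        return "drop: source-routed"
    if not source_allowed(src, iface):
        return "drop: spoofed source"
    return "accept"


def lsrr_option(*hops):
    """Build a Loose Source and Record Route option listing the given hops."""
    body = b"".join(ipaddress.ip_address(h).packed for h in hops)
    return bytes([LSRR, 3 + len(body), 4]) + body   # type, length, pointer, route data


# Constructed packets: legitimate, spoofed from inside, spoofed from outside, source-routed.
SAMPLES = {
    "normal-out":    (build_ipv4("192.0.2.5", "198.51.100.1"), "inside"),
    "spoof-inside":  (build_ipv4("203.0.113.9", "198.51.100.1"), "inside"),
    "spoof-outside": (build_ipv4("192.0.2.5", "192.0.2.10"), "outside"),
    "source-routed": (build_ipv4("203.0.113.9", "192.0.2.10",
                                 options=lsrr_option("192.0.2.1")), "outside"),
}

if __name__ == "__main__":
    for name, (pkt, iface) in SAMPLES.items():
        print(f"{name:14s} {border_check(pkt, iface)}")
```

The “spoof-inside” case is the one BCP 38 is really about: it stops your own users (or a compromised machine on your LAN) from launching spoofed attacks such as Smurf against others, and if every network applied it the Internet would have no spoofed packets to carry.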
Other protocol exploits
The attacks we have discussed so far involve exploiting some feature or weakness of the TCP/IP protocols. Hackers can also exploit vulnerabilities of other common protocols, such as Hypertext Transfer Protocol (HTTP), Domain Name System (DNS), Common Gateway Interface (CGI), and other commonly used protocols.
ActiveX controls, JavaScript and VBScript can be used to add animations or applets to web sites, but hackers can exploit them to write controls or scripts that remotely plant viruses, access data, or change or delete files on the hard disk of unsuspecting users who visit the page and run the script. Many e-mail client programs have similar vulnerabilities, because they render the same active content.
System and software exploits
System and software exploits are those that take advantage of weaknesses of particular operating systems and applications (often called bugs). Like protocol exploits, they are used by intruders to gain unauthorized access to computers or networks or to crash or clog up the systems to deny service to others.
Common “bugs” can be categorized as follows:
- Buffer Overflows - Many common security holes are buffer overflow problems. A buffer overflow occurs when a program copies more input into a fixed-size memory buffer than the programmer allowed for, so the excess overwrites adjacent memory. An attacker who controls that input can crash the program or, by overwriting a return address or function pointer, make it run code of the attacker’s choosing.
- Unexpected Input - Programmers may not take steps to define what happens if invalid input (input that doesn't match program specifications) is entered. This could cause the program to crash or open up a way into the system.
- System Configuration Bugs - These are not really “bugs,” per se, but rather are ways of configuring the operating system or software that leaves it vulnerable to penetration.
Popular software such as Microsoft’s Internet Information Server (IIS), Internet Explorer (MSIE) and Outlook Express (MSOE) have been favourite targets of hackers looking for software security holes that can be exploited.
Major operating system and software vendors regularly release security patches to fix exploitable bugs. It is very important for network administrators to stay up to date in applying these fixes and/or service packs to ensure that their systems are as secure as possible.
Trojans
The name is short for “Trojan horse”, and refers to a software program that appears to perform a useful function, but in fact, performs actions that the user of the program did not intend or was not aware of. Trojan horses are often written by hackers to circumvent the security of a system. Once installed, the hacker can exploit the security holes created by the Trojan to gain unauthorized access, or the Trojan program may perform some action such as:
- Deleting or modifying files
- Transmitting files across the network to the intruder
- Installing other programs or viruses
Basically, the Trojan can perform any action that the user has privileges and permissions to do on the system. This means a Trojan is especially dangerous if the unsuspecting user who installs it is an administrator and has access to the system files.
Trojans can be very cleverly disguised as innocuous programs, such as utilities or screen-savers.
A Trojan can also be installed by an executable script (JavaScript, a Java applet, an ActiveX control, and others) on a web site. Merely visiting the site may initiate the installation of the program if the web browser is configured to allow such content to run automatically.
Viruses
The most common use of the term ”virus” is any program that is installed without the awareness of the user and performs undesired actions (often harmful, although sometimes merely annoying). Viruses may also replicate themselves, infecting other systems by writing themselves to any USB disk that is used in the computer or sending themselves across the network. Viruses are often distributed as attachments to e-mail, or as macros in word processing documents. Some activate immediately upon installation, and others lie dormant until a specific date/time or a particular system event triggers them.
Viruses come in thousands of different varieties. They can do anything from popping up a message that says “Hi!” to erasing the computer’s entire hard disk. The proliferation of computer viruses has also led to the phenomenon of the virus hoax, which is a warning – generally circulated via email or websites – about a virus that does not exist or that does not do what the warning claims it will do.
Viruses, however, present a real threat to your network. Companies such as Symantec and McAfee make anti-virus software that is aimed at detecting and removing virus programs. Because new viruses are being created daily, it is important to download new virus definition files, which contain information required to detect each virus type, on a regular basis to ensure that your virus protection stays up to date.
Worms
A worm is a program that can travel across the network from one computer to another. Sometimes different parts of a worm run on different computers. Technically, a worm – unlike a virus – can replicate itself without user interaction; however, much modern documentation makes little distinction between the two, or classifies the worm as a subtype of the virus. Worms make multiple copies of themselves and spread throughout a network. Originally the term worm was used to describe code that attacked multiuser systems (networks) while virus was used to describe programs that replicated on individual computers.
The primary purpose of the worm is to replicate. These programs were initially used for legitimate purposes in performing network management duties, but their ability to multiply quickly has been exploited by hackers who create malicious worms that replicate wildly, and may also exploit operating system weaknesses and perform other harmful actions.
Design a Comprehensive Security Plan
A widely accepted method for developing your network security plan is laid out in Request for Comments (RFC) 2196, Site Security Handbook, and attributed to Fites, et al (1989). It consists of the following steps:
- Identify what you are trying to protect.
- Determine what you are trying to protect it from.
- Determine how likely the anticipated threats are.
- Implement measures that will protect your assets in a cost-effective manner.
- Review the process continually and make improvements each time a weakness is discovered.
The entire text of RFC 2196, which provides many excellent suggestions that focus primarily on the implementation phase, can be found on the web at www.faqs.org/rfcs/rfc2196.html
It is important to understand that a security plan is not the same thing as a security policy, although the two words are sometimes used interchangeably. Your security policies (and there are likely to be many of them) grow out of the security plan. Think of policy as “law” or “rules,” while the security plan is procedural; it lays out how the rules will be implemented.
Your security plan will generally address three different aspects of protecting your network:
- Prevention: the measures that are implemented to keep your information from being modified, destroyed, or compromised.
- Detection: the measures that are implemented to recognize when a security breach has occurred or has been attempted, and if possible, the origin of the breach.
- Reaction: the measures that are implemented to recover from a security breach, to recover lost or altered data, to restore system or network operations, and to prevent future occurrences.
These can be divided into two types of actions: proactive and reactive. The first, prevention, is proactive because it takes place before any breach has occurred and involves actions that will, if successful, make further actions unnecessary. Unfortunately, our proactive measures don’t always work.
Reactive measures such as detection and reaction do, however, help us to develop additional proactive measures that will prevent future intrusions.
Regardless of how good your prevention and detection methods may be, it is essential that you have in place a reaction in case attackers do get through and damage your data or disrupt your network operations. As the old folk saying goes: “hope for the best, and plan for the worst”.
Conclusion
You must be able to recognize the security threats to which your network is subject and understand a little about the motivations of typical intruders. It is not necessary that you be a hacker in order to prevent your network from hacking attempts, but it will benefit you to know something about how unscrupulous hackers think and how they do their dirty work.
You must be aware of the different types of attacks with which you could be confronted, and understand how to protect your network from social engineering attacks, DoS attacks, scanning and spoofing, source routing and other protocol exploits, software and system exploits, and Trojans, viruses and worms.
There are a number of hardware-based security solutions available, and even more software-based firewalls on the market. You should have a basic understanding of the capabilities and limitations of each type.
Your comprehensive security plan is integral to protecting your network from both internal and external threats. There is no “one size fits all” when it comes to corporate security plans and policies; yours should be based on the nature of the business in which your organization engages, the nature of the data stored on the network, the number and types of connections your network has to the “outside world”, and the management philosophy regarding organizational structure.
A good security plan is one that meets the needs of IT administration, company management, and network users. The best way to ensure that your security plan meets these criteria is to involve persons from all levels of the organization in the planning process. Once you have a good, comprehensive security plan and corresponding policies worked out, you will be able to use security appliances as an important element in your security plan, to implement and enforce those policies and provide monitoring, notification, and record-keeping to document the successful functioning of your security plan.