Networking Guide 7 - Network Access and Security

Hacker Tools: Common Network Attacks

Network attacks that are directed by a hacker are called directed attacks. For example, a hacker sending a WinNuke packet (generated by the WinNuke utility, discussed later in this chapter) to a specific machine is considered a directed attack. Viruses are traditionally not directed attacks. The virus is unknowingly copied from user to user. Viruses are some of the most prevalent attacks used on the Internet. In this section, we’ll discuss some of the techniques that hackers commonly use to attack a network

IP Spoofing

IP spoofing is the process of sending packets with a fake source address, pretending that the packet is coming from within the network that the hacker is trying to attack. The address can be considered stolen from the hacker’s target network. A router (even a packet-filtering router) is going to treat this packet as coming from within the network and will let it pass; however, a firewall can prevent this type of packet from passing into the secured network.

The Ping of Death

The Ping of Death is a type of denial of service (DoS) attack. A DoS attack prevents any users, even legitimate ones, from using the system. Ping is primarily used to see if a computer is responding to IP requests. Normally, when you ping a remote host, four normal-sized ICMP (Internet Control Message Protocol) packets are sent to the remote host to see if it is available. In a Ping of Death attack, a very large ICMP packet is sent to the remote host, whose buffer is flooded by this packet. Typically, this causes a system to reboot or hang. Patches to prevent a Ping of Death attack from working are available for most operating systems.


WinNuke

WinNuke is a Windows program that sends special TCP/IP packets with an invalid TCP header. Windows 95/98 and Windows NT/2000 computers will crash when they receive one of these packets because of the way the Windows 95/98 or Windows NT/2000 TCP/IP stack handles bad data in the TCP header. Instead of returning an error code or rejecting the bad data (Microsoft calls it out-of-band data), it sends the computer to the Blue Screen of Death (BSoD). Figuratively speaking, the hacker causes the computer to blow up, or to be nuked. This type of attack does not affect Unix boxes and NetWare servers.

Tip There is a patch to solve this particular problem, making machines invulnerable to WinNuke attacks. You can obtain it by going to Microsoft’s support website at http://support.microsoft.com/
servicedesks/technet/ and searching for WinNuke.


SYN Flood

A SYN flood is also a denial of service attack because it can barrage the receiving machine with dozens of meaningless packets. In normal communications, a workstation that wants to open a TCP/IP communication with a server sends a TCP/IP packet with the SYN flag set to 1. The server automatically responds to the request, indicating that it is ready to start communicating. Only new communications use SYN flags. If you are in the middle of a file download, SYNs are not used. A new SYN packet is used only if you lose your connection and must reestablish communications.

To initiate a SYN flood, a hacker sends a barrage of SYN packets. The receiving station normally can’t help itself and tries to respond to each SYN request for a connection. The receiving device soon expends its resources trying to reply, and all incoming connections are rejected until all current connections can be answered. The victim machine cannot respond to any other requests because its buffers are overfilled, and it therefore rejects all packets, including valid requests for connections. Patches that can help with this problem are available for the various network operating systems.

Real World Scenario: Why We Have Firewalls

In the early days of the Internet, firewalls weren’t necessary. Internet users more or less behaved themselves and operated on the honor system. Plus, there were very few Fortune 500 companies who connected their entire corporate network to the Internet. However, as the Internet grew, many large companies realized they could communicate better if they connected their network directly to the Internet. At the same time, some users realized they could gain wealth or other consideration by getting into a company’s network and stealing data from it. Firewalls were designed in response to this threat. As the saying goes, a few bad apples spoil the whole bunch.

Intruder Detection: Defense Techniques

There are three main types of intruder detection and defense:

• Active detection involves constantly scanning the network for possible break-ins.
  
• Passive detection involves logging all network events to a file.
  
• Proactive defense involves using tools to shore up your network walls against attack.
  

Active Detection

Active detection is analogous to a security guard walking down the hallway rattling doors. The guard is checking for a break-in. Special network software can search for hackers trying known attack methods, including suspicious activity as they travel over the network. Some sophisticated active systems actually take action, such as shutting down the communications sessions that the hacker is using, as well as e-mailing or paging you. Some packages actually go as far as trying to cripple the computer from which the hacker is attacking. Cisco’s NetRanger, Memco’s SessionWall, and Snort are all forms of active intrusion-detection software.

Warning Because SATAN is free, both sides have access to it. Consequently, hackers can (and often do) use SATAN to look for security holes. Many other intrusiondetection programs will also look for SATAN-type intrusions.


Passive Detection

Video cameras are an example of passive intrusion-detection systems. Their counterparts in networking are files that log events that occur on the network. Tripwire for Unix systems is one of the earliest programs of this type. With passive detection systems, files and data are looked at, and checksums are calculated for each file and piece of data. These checksums are then stored in a log file. If the network administrator notices a security breach on the network, he or she can access the log files to find clues regarding the security breach.


Proactive Defense

The main feature of the proactive defense is to make sure your network is invulnerable to attack. You can do this through research and maintenance. You must stay current on all known security holes on your network. You can use tools such as SATAN to find the holes in your security walls and plug them with software patches. Unfortunately, before you can patch a hole, it must be discovered. And the war against attackers is ongoing. As soon as you patch a hole, the hacker will find and exploit two other weaknesses. It usually takes some time for a patch to be developed and, in that time, companies lose resources to a hacker.

The U.S. Department of Defense (DoD) gave responsibility for computer security to the National Security Agency (NSA) in 1981 via directive 5215.1, and the National Computing Security Center (NCSC) was formed. The NCSC website states the center’s mission as “technical standards and criteria for the security evaluation of trusted computer systems that can be incorporated into the Department of Defense component life-cycle management process.”

In this section, we will briefly examine some NCSC standards and their impact on network security. The Network+ exam asks you to identify each level.

You can find the evaluation criteria for the DoD computer standards (called the Rainbow Series because of the color of the books) at http://www.radium.ncsc.mil/tpep/library/rainbow.

The NCSC first released A Trusted Computer System Evaluation Criteria (TCSEC) in 1983 for stand-alone, non-networked computers. The current DoD Standard release is 5200.28-STD and is commonly referred to as the Orange Book. The Orange Book defines the standard parameters of a trusted computer in several classes, indicated by letter and number: the higher the letter, the higher the certification. For example, class A is the highest class, and class D is the lowest class. The most publicized class is C2, Controlled Access Protection, which indicates that, within the Trusted Computer guidelines, the computer must have accountability for the data. In other words, each person who uses the computer must have a unique username and password, and the use of a file can be traced to that user. This is the highest NCSC class for local operating systems. Higher-level classes require that operating systems be specifically written to incorporate security-level information as the data is input.

Generally speaking, a stand-alone computer system can qualify for Trusted Computer certification if it meets the objectives in DoD document 5200.28-STD and passes the DoD’s evaluation process. Several vendors put their operating systems through this process. Although Microsoft makes the operating systems for the majority of desktop computers, only its Windows NT product has been submitted and approved for the Trusted Computer certification.

Note For the exam, you must know that both Windows NT Server and Workstation are C2-level certified for Trusted Computer (Orange Book). If the computer on which Windows NT Server is installed is connected to a network, however, it loses the C2 Trusted Computer certification.



Trusted Network Interpretation

In 1987, the NCSC released enhanced testing criteria based on the Orange Book standard. The new standard, NCSC-TG-005, is called the Red Book and is the Trusted Network Interpretation Environmental Guideline (TNIEG). Trusted computers are addressed in the Orange Book. The Red Book defines the certification criteria for trusted networks. They both use the D through A levels. As with the C2 class in the Trusted Computer implementation, the C2 class is the highest class for generic network operating systems. Higher-level classes require that operating systems be specifically written to incorporate security-level information as the data is input.

With a C2 Trusted Network certification, network operating systems must provide a unique user account for each person on the network and provide accountability for the information the user uses. Additionally, the network communications must be secure.

Note Currently, several network operating systems are under evaluation for C2 Trusted Network certification. However, the only currently available network operating system that has achieved C2 Trusted Network certification is NetWare 4.


Certified Operating Systems and Networks

Not all versions of an operating system are certified. This is the case even within the same vendor’s product line. The NCSC requires that products adhere to a specific implementation in order to maintain their security certification. Be sure to check these out if you want to take advantage of the security rating.

Note There are no A-level certified Microsoft Windows, Novell NetWare, or Unix operating systems yet. C1 has been discontinued as a certification.

The Cray Research and Harris Computer Systems versions of Unix are B-level certified. Unix and Windows NT 3.5 are Trusted Computer (Orange Book) certified (C-level). NetWare is certified C2 Red Book, allowing it to operate as a trusted network

Understanding Encryption

Occasionally company data has to be sent over public networks, such as the Internet, and just about anyone with the desire to do so (including a company’s competitors) can view the data in transit. Companies that want to ensure that their data is secure during transit encrypt their data before transmission. Encryption is the process that encodes and decodes data. The encrypted data is sent over the public network and is decrypted by the intended recipient. Generally speaking, encryption works by running the data (represented as numbers) through a special encryption formula (called a key). Both the sender and the receiver know the key. The key, generally speaking, is used to encrypt and decrypt the data.

The NSA has classified encryption tools and formulas as munitions since 1979 and therefore regulates them. The agency is concerned that unfriendly nations, terrorists, and criminals will use encrypted communications to plan crimes and go undetected. You can export weak encryption methods, but they cannot compete commercially with the tools designed overseas.

One way to measure an encryption algorithm is by its bit strength. Until 1998, only software with 40-bit strength and less could be exported. That limit has been increased to 56-bit, then 128-bit by special consideration of the U.S. Department of Commerce.

Note To ensure the security of monetary transfers, the NSA allows U.S. banks to use more secure encryption methods. Banks need to communicate with their overseas branches, customers, and affiliates.



Uses for Encryption

In internal networks, some encryption is necessary, such as encrypting passwords that are being sent from workstation to server at login. This is done automatically by many modern network operating systems. Some older network utilities such as FTP and Telnet don’t have the ability to encrypt passwords. Encryption is also used by many e-mail systems, giving the user the option to encrypt individual or all e-mail messages. Third-party software packages, such as PGP, can provide data encryption for e-mail systems that don’t natively have the ability to encrypt. Encryption is also used for data transmission over VPNs, using the Internet to connect remote users securely to internal networks. Finally, encryption has become important with the advent of e-commerce, online banking, and online investing. Buying products and handling finances online would not be possible if the data sent between all involved parties over the Internet were not encrypted.


How Encryption Works

The encryption process involves taking each character of data and comparing it against a key. For example, you could encrypt the following string of data in any number of ways:

The quick brown fox

For sample purposes, let’s use a simple letter-number method. In this method, each letter in the alphabet corresponds to a particular number. (You may have used this method as a kid when you got a decoder wheel in your Cracker Jack or breakfast cereal box.) If you use a straight alphabetictonumber encryption (for example, A=1, B=2, C=3, and so on), the data translate into the following:

20 8 5 17 21 9 3 11 2 18 15 23 14 6 15 24

You can then transmit this series of numbers over a network, and the receiver can decrypt the string using the same key in reverse. From left to right, the number 20 translates to the letter T, 8 to H, 5 to E, and so on. Eventually, the receiver gets the entire message:

The quick brown fox

Most encryption methods use much more complex formulas and methods. Our sample key was about 8 bits long; some keys are extremely complex and can be a maximum of 128 bits. The larger the key (in bits), the more complex the encryption—and the more difficult it is to crack.

Encryption Keys

To encode a message and decode an encrypted message, you need the proper encryption key or keys. The encryption key is the table or formula that defines which character in the data translates to which encoded character. Encryption keys fall into two categories: public and private. Let’s look at how these two types of encryption keys are used.

Private Key Encryption

Private keys are known as symmetrical keys. In private key encryption technology, both the sender and receiver have the same key and use it to encrypt and decrypt all messages. This makes it difficult to initiate communication the first time. How do you securely transmit the single key to each user? You use public keys, which we’ll discuss shortly.

The Data Encryption Standard (DES)

International Business Machines (IBM) developed one of the most commonly used private key systems, DES. In 1977, the United States made DES a government standard, defined in the Federal Information Processing Standards Publication 46-2 (FIPS 46-2).

DES uses lookup table functions and is incredibly fast when compared with public key systems. A 56-bit private key is used. RSA Data Systems issued a challenge to break the DES. Several Internet users worked in concert, each tackling a portion of the 72 quadrillion possible combinations. The key used in RSA’s challenge was broken in June 1997, after searching only 18 quadrillion keys out of the possible 72 quadrillion. The plain text message read: “Strong cryptography makes the world a safer place.”


Skipjack and Clipper

The replacement for DES might be the NSA’s recent algorithm called skipjack. Skipjack is officially called the Escrowed Encryption Standard (EES), defined in FIPS 185, and uses an 80-bit key rather than the DES 56-bit key. The functions and complexity of each algorithm are different as well. Skipjack was supposed to be integrated into the clipper chip.

A clipper chip is a hardware implementation of skipjack. Clipper chips were proposed for use in U.S. telephone lines, but many civil liberties and privacy activists became upset because the U.S. government would be able to decrypt secure telephone conversations.



Public Key Encryption

Public key encryption, or a Diffie-Hellman algorithm, uses two keys to encrypt and decrypt data: a public key and a private key. The receiver’s public key is used to encrypt a message to the receiver. The message is sent to the receiver who can then decrypt the message using the private key. This is a one-way communication. If the receiver wants to send a return message, the same principle is used. The message is encrypted with the original sender’s public key (the original sender is now going to be the receiver of this new message) and can only be decrypted with his or her private key. If the original sender does not have a public key, a message can still be sent with a digital certificate (also sometimes referred to as a digital ID). The digital ID verifies the sender of the message.
Note The term Diffie-Hellman refers to all public key algorithms. Whitfield Diffie and Martin Hellman from the Stanford Research Institute invented public key encryption. They introduced the dual key concept in their 1976 paper, “New Directions in Cryptography.”


RSA Data Security

Rivest, Shamir, and Adleman (RSA) encryption is a public key encryption algorithm named after the three scientists from the Massachusetts Institute of Technology (MIT) who developed it. They created a commercial company in 1977 to develop asymmetric keys and received several U.S. patents. Their encryption software is used in several products today, including Netscape Navigator and Novell’s latest NetWare Client.

Note For more information on RSA Data Security, go to www.rsa.com.


Pretty Good Privacy (PGP)

PGP is an encryption utility based on public key encryption. In the early 1990s, Phil Zimmerman, also from MIT, wrote the majority of the code for this freely available version of public key encryption. The software was designed to encrypt data for e-mail transmission. Zimmerman compared e-mail to postcards. As the e-mail message is passed from server to server on the Internet, anyone can read it, just as anyone can read a postcard as it travels through the postal service. He compared an encrypted message to a letter mailed inside an envelope.

Zimmerman distributed the software for personal use only and restricted commercial use. The name PGP denotes that nothing is 100-percent secure. Both RSA Data Security and the U.S. federal government had problems with Zimmerman’s product. RSA complained about patent infringement (a license fee is now paid to RSA). The government decided to prosecute Zimmerman for exporting munitions grade software; however, the charges were eventually dropped. Many years later, PGP and other public key– related products are readily available.

Security Policies

A security policy defines how security will be implemented in an organization, including physical security, document security, and network security.

Security policies must be implemented completely because random implementation is similar to blocks of Swiss cheese. Some areas are covered, and others are full of holes. Before a network can be truly secure, the network support staff must implement a total network security policy that includes posting company information on bulletin boards, clean desks, audits, recording, and the consequences of not complying with the security policy.

Security Audit

A security audit is a review of your network to identify components that aren’t secure. Although you can do a security audit yourself, you can also contract an audit with a third party. This is a good idea if you want the level of security to be certified. A consultant’s audit is a good follow-up to an internal audit.

Government agencies may also require that your network be certified before granting you contract work, especially if the work is considered confidential, secret, or top secret.


Clean Desk Policy

A clean desk policy does not mean that employees must wipe the bread crumbs from their last lunch. (Being clean with food is still a good idea. Mice and ants are difficult to get rid of once an infestation occurs.) A clean desk policy means that all important documents, such as books, schematics, confidential letters, and the like, are removed from a desk (and locked away) when employees leave their workstations. This goes for offices, laboratories, workbenches, and desks and is especially important for employees who share space. It is easy to grab something off someone’s desk without that person’s knowledge, and most security problems involve people on the inside. Implementing a clean desk policy is the number-one way to reduce such breaches.

Note The International Computer Security Association ( www.icsa.net) reports that as much as 80 percent of all network break-ins occur from within the company by employees. Thus, protecting your data with a firewall is just the beginning of establishing network security.

For a clean desk policy to be effective, users must clean up their desks every time they walk away from them, without exception. The day this is not done will be the day when prospective building tenants are being shown the layout of the building, and an important document ends up missing. Additionally, workstations should be locked to desks, and you should spot-check to help enforce the clean desk policy. Spot-check randomly, for example, before the company picnic or before a child-at-work day.

Tip The ICSA is a vendor-neutral organization that certifies the functionality of security products as well as makes recommendations on security.


Recording Equipment

Recording equipment, such as tape recorders and video cameras, can contain sensitive, confidential information. A security policy should prohibit their unauthorized presence and use.

When you walk into almost any large technology company, you are confronted with signs. A common sign is a camera with a circle surrounding it and a slash through the center of the circle. The text below the sign usually indicates that you cannot bring any recording devices onto the premises. This applies to, but is not limited to, still cameras, video cameras, and tape recorders of any kind.

The NSA recently updated its policy to disallow the Furby doll on government premises. Why would a government not allow dolls on its premises? Well, the Furby doll has a sophisticated computer inside with a digital recording device. The doll repeats what it hears at an interval of time later. This is quite harmless in the playroom at a children’s daycare center. A recording of conversations at the NSA, however, cannot be allowed.

Security policies can cover hundreds of items. Here are some of the more common:

Notification What good is a security policy if no one knows about it? Give users a copy of the security policy when you give them their usernames and passwords. Computers should also display a shortened version of the policy when a user attempts to connect. For example, “ Unauthorized access is prohibited and will be prosecuted to the fullest extent of the law.” One hacker argued that since a computer did not tell him otherwise, anyone was free to connect to and use the system.

Equipment Access Disable all unused network ports so that nonemployees who happen to be in the building cannot connect a laptop to an unused port and gain access to the network. Also, place all network equipment under lock and key.

Wiring Network wires should not run along the floor where they can be easily accessed. Routers, switches, and concentrators should also not be hooked up in open office space. They should be in locked closets or rooms, with access to those rooms controlled by badge-swiping systems.

Door Locks/Swipe Mechanisms Be sure that only a few, key people know the combination to the cipher lock on data center doors or that only the appropriate people have badges that will allow access to the data center. Change lock combinations often, and never leave server room doors open or unlocked.

Badges Require everyone to wear an ID badge, including contractors and visitors, and assign appropriate access levels to contractors, visitors, and employees.

Tracking Require badge access to all entrances to buildings and internal computer rooms. Track and record all entry and exit to these rooms.

Passwords Reset passwords at least every month. Train everyone on how to create strong passwords. Set BIOS passwords on every client and server computer to prevent BIOS changes.

Monitor Viewing Block computer monitors so that visitors or people looking through windows can’t see them. Be sure that unauthorized users/ persons cannot see security guard stations and server monitors.

Accounts Each user should have their own, unique user account, and employees should not share user accounts. Even temporary employees should have their own account. Otherwise, you will not be able to isolate a security breach.

Testing Review and audit your network security at least once a year.

Background Checks Do background checks on all network support staff. This may include calling their previous employers, verifying their college degrees, requiring a drug test, and checking for any criminal background.

Firewalls Use a firewall to protect all Internet connections, and use the appropriate proxies and dynamic packet-filtering equipment to control access to the network. Your firewall should provide as much security as your company requires and your budget allows.

Intrusion Detection Use intrusion-detection and logging software to determine a breach of security. Be sure that you are logging the events you want to monitor.

Cameras Cameras should cover all entrances to the building and the entire parking lot. Be sure that cameras are in weather-proof and tamperproof housings, and review the output at a security monitoring office. Record everything on extended-length tape recorders.

Mail Servers Provide each person with their own e-mail mailbox, and attach an individual network account to each mailbox. If several people need to access a mailbox, do not give all of them the password to a single network account. Assign privileges to each person’s network account. You can then track activity to a single person, even with a generic address such as info@mycompany.com.

DMZ Use a demilitarized zone for all publicly viewable servers, including web servers, FTP servers, and e-mail relay servers. Do not put them outside the firewall. Servers outside the firewall defeat the purpose of the firewall.

Mail Relay Use a mail-relay server for e-mail. E-mail traffic should not go straight to your production servers. That would enable a hacker to directly access your server as well. Use a relay server in a DMZ.

Patches Make sure that the latest security updates are installed after being properly tested on a non-production computer.

Backups Store backup tape cartridges securely, not on a shelf or table within reach of someone working at the server. Lock tapes in a waterproof, fireproof safe, and keep at least some of your backups offsite.

Modems Do not allow desktop modems for any reason. They allow users to get to the Internet without your knowledge. Restrict modem access to approved server-based modem pools.

Guards In some cases, security guards are necessary. Guards should not patrol the same station all the time. As people become familiar with an environment and situation, they tend to become less observant about that environment. Thus, it makes sense to rotate guards to keep their concentration at the highest possible levels. Guards should receive sufficient breaks to ensure alertness. All patrol areas should be covered during shift changes, rotations, and breaks. Guards should also receive periodic training. Test to ensure that guards can recognize a threat and take appropriate action.

Warning Covering all these bases does not ensure that your network or facility is secure. This is just a starting point to head you in the right direction.

A security policy is not effective unless it is enforced, and enforced consistently. You cannot exempt certain individuals from policies or the consequences of breaking them. Your network users need to have a clearly written document that identifies and explains what users are and are not allowed to do. Additionally, it is important to state that breaking the policy will result in punishment, as well as which types of policy breaks result in which kind of punishment. Punishment may vary, depending on the severity of the incident. If a policy is broken, the appropriate punishment should be administered immediately.

Major Infractions

As far back as the mid-1980s, employees were being immediately terminated for technology policy infractions. One employee was immediately terminated from a large computer company when pornography was found on his computer’s hard drive. A manager and a security guard visited the employee. The manager informed the employee that he was being summarily terminated. The guard was there to ensure that the employee touched only personal items. The manager logged out the computer session. The former employee could now touch no computer equipment, including storage media such as floppy disks. The manager then informed the guard that the employee had one hour to vacate the premises.


Minor Infractions

A lesser infraction might be accidentally corrupting your desktop computer by installing software from the Internet. Beta products, new releases of software, and patches need to be tested by the IS department before implementation. One episode of downloading and installing a beta release of a web browser invoked action at a national telephone company. After installing the beta version and rebooting, the production Windows NT server became inoperable. The employee’s Internet FTP privileges were revoked for three months.


The Exit Interview

The exit interview is the process in which employers ask employees who are leaving the company about their employment experience. The exit interview is used to minimize risks whether the employee is leaving under favorable circumstances or is being terminated. During the exit interview, a manager, a human resources representative, a network administrator, and a security guard may be involved to different extents.

Returning and Logging Property

When an employee leaves the company, all company property needs to be turned in and logged. This includes, but is not limited to, cellular phones, pagers, toolkits, keys, badges, security tokens, models, and all documents. Obviously, coffee mugs and photos of the spouse do not count. The manager, security guard, or both handle this, depending on whether the employee is being terminated or leaving voluntarily.


Disabling Accounts

The information systems division or department needs to disable all accounts immediately, including those for network and voice mail. This should coincide with the announcement that the employee is leaving (either voluntarily or forcefully). This is especially important when the employee has access to sensitive documents. Even if the person is leaving under favorable conditions, she may still be able to log in and copy data to floppy disks to take with her for her own use. Common practice has extended this from just system administrators to everyone.

Salespeople can easily hurt a company by taking client information with them. One salesperson accessed his former company’s voice mail system and stole sales leads. For total security, you need to look beyond the obvious disgruntled ex-network administrator who demolishes your website after leaving.

Summary

In this guide, you learned about various technologies used to provide access to a network as well as those used to secure a network. You learned about the various types of clients that exist for a network, how they are installed, and how they provide a computer with network access. Then, you learned about the proper (and not so proper) usage and types of usernames and passwords. You also learned about some devices used to secure a network, namely firewalls and proxies. Finally, you learned about some of the security threats that exist within any company.

Various nice Network access and security Techniques given in the post are really awesome. I hope by implementing the encrypting and decryption techniques and other security techniques, I can provide the best security for my website.