Network security, lesson 2: Common security measures
Firewall.cx, 02.13.2004
It is important to remember that the firewall does not inspect the data (payload) section of the packet. Thus, if you have a Web server that is vulnerable to a CGI exploit and the firewall is set to allow traffic to it, there is no way the firewall can stop an attacker from attacking the Web server: it only looks at the headers, not at the data inside the packet. Inspecting the data is the job of an intrusion-detection system (covered in part three).
The whole set of signatures for which your antivirus software scans is known as the virus "definitions." This is the reason why keeping your virus definitions up-to-date is very important. Many antivirus packages have an auto-update feature for you to download the latest definitions. The scanning ability of your software is only as good as the date of your definitions. In the enterprise, it is very common for administrators to install antivirus software on all machines but to have no policy for regular updates of the definitions. This is meaningless protection and serves only to provide a false sense of security.
With the recent spread of e-mail viruses, antivirus software at the mail server is becoming increasingly popular. The mail server will automatically scan any e-mail it receives for viruses and quarantine infected messages. The idea is that since all mail passes through the mail server, this is the logical point to scan for viruses. Given that most mail servers have a permanent connection to the Internet, they can regularly download the latest definitions. On the downside, these scanners can be evaded quite simply: if the infected file or Trojan is zipped up or encrypted, the antivirus system may not be able to scan it.
End users must be taught how to respond to antivirus alerts. This is especially true in the enterprise -- an attacker doesn't need to try to bypass your fortress-like firewall if all he has to do is e-mail Trojans to a lot of people in the company. It takes just one uninformed user to open the infected package to give the hacker a backdoor into the internal network.
It is advisable that the IT department give a brief seminar on how to handle e-mail from untrusted sources and how to deal with attachments. These are very common attack vectors, simply because you may harden a computer system as much as you like, but the weak point still remains the user who operates it. As crackers say, "The human is the path of least resistance into the network."
Host-based IDS: These systems are installed on a particular important machine (usually a server or some other important target) and are tasked with making sure that the system state matches a known baseline. For example, the popular file-integrity checker Tripwire is run on the target machine just after it has been installed. It creates a database of file signatures for the system and regularly checks the current system files against their known safe signatures. If a file has been changed, the administrator is alerted. This works very well because most attackers will replace a common system file with a trojaned version to give them backdoor access.
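The baseline-and-compare idea behind Tripwire, as an added example (this is not Tripwire's code and not from the original article): it hashes every file under a directory, stores the digests, and later reports which files were modified, added or removed. The directory contents are constructed in a temporary folder to simulate a system binary being replaced with a trojaned copy.

```python
# Added example (not Tripwire's code): a minimal file-integrity checker.
# Build a baseline of SHA-256 digests for a tree, then report what changed.
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, hashed in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = file_digest(p)
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree against the stored baseline: modified/added/removed."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake bin directory, then tamper with it."""
    root = Path(tempfile.mkdtemp())
    for name in ("ls", "ps", "netstat"):
        (root / name).write_bytes(b"original " + name.encode())
    baseline = build_baseline(root)          # taken right after "installation"
    (root / "ps").write_bytes(b"trojaned ps")  # attacker swaps in a backdoored binary
    (root / ".rootkit").write_bytes(b"x")      # and drops a new file
    (root / "netstat").unlink()                # and deletes one
    return check_integrity(root, baseline)
```

The baseline database only proves something if an intruder who gains root cannot rewrite it, so in practice it is kept on read-only media or on another host.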
Network-based IDS: These systems are more popular and quite easy to install. Basically, they consist of a normal network sniffer running in promiscuous mode. (In this mode, the network card picks up all traffic even if it is not meant for it.) The sniffer is attached to a database of known attack signatures, and the IDS analyzes each packet that it picks up to check for known attacks. For example, a common Web attack might contain the string /system32/cmd.exe? in the URL. The IDS will have a match for this in the database and will alert the administrator.
Newer versions of IDS support active prevention of attacks. Instead of just alerting an administrator, the IDS can dynamically update the firewall rules to disallow traffic from the attacking IP address for some amount of time. Or the IDS can use "session sniping" to fool both sides of the connection into closing down so that the attack cannot be completed.
Unfortunately, intrusion-detection systems generate a lot of false positives. A false positive is basically a false alarm, where the IDS sees legitimate traffic and for some reason matches it against an attack pattern. This tempts a lot of administrators into turning them off or, even worse, not bothering to read the logs. This may result in an actual attack being missed.
IDS evasion is also not all that difficult for an experienced attacker. The signature is based on some unique feature of the attack, and so the attacker can modify the attack so that the signature is not matched. For example, the above attack string /system32/cmd.exe? could be rewritten in hexadecimal to look something like:
This might be totally missed by the IDS. Furthermore, an attacker could split the attack across many packets by fragmenting them. This means that each packet would only contain a small part of the attack, and the signature would not match. Even if the IDS is able to reassemble fragmented packets, this creates processing overhead, and since the IDS has to run in near real time, it tends to drop packets while it is busy processing. IDS evasion is a topic for a paper on its own.
The advantage of a network-based IDS is that it is very difficult for an attacker to detect. The IDS itself does not need to generate any traffic, and, in fact, many of them deliberately run a crippled TCP/IP stack on the sniffing interface so that it has no IP address. Thus the attacker does not know whether the network segment is being monitored or not.
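The signature-matching and evasion points above, shown as an added example (not from the article, and not the code of any real IDS): a naive per-packet substring match is compared with a matcher that first reassembles the stream and decodes %xx escapes. The sample request lines are constructed; the only attack string is the article's /system32/cmd.exe?.

```python
# Added example (not from the article or any real IDS): a toy signature matcher
# showing why a network IDS must normalise and reassemble before matching.
from urllib.parse import unquote

SIGNATURE = "/system32/cmd.exe?"   # the attack string quoted in the article


def naive_match(packet: bytes) -> bool:
    """Raw substring match on one packet, as a simplistic IDS might do."""
    return SIGNATURE.encode() in packet


def normalised_match(packets: list) -> bool:
    """Reassemble the stream, decode %xx escapes, then match case-insensitively."""
    stream = b"".join(packets).decode("latin-1")
    decoded = unquote(stream)            # %2f -> '/', %63 -> 'c' and so on
    return SIGNATURE.lower() in decoded.lower()


# Constructed sample traffic: HTTP request lines only, no real hosts or payloads.
PLAIN = [b"GET /winnt/system32/cmd.exe?x HTTP/1.0\r\n"]
HEX_ENCODED = [b"GET /winnt/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?x HTTP/1.0\r\n"]
FRAGMENTED = [b"GET /winnt/syst", b"em32/cmd.", b"exe?x HTTP/1.0\r\n"]
BENIGN = [b"GET /index.html HTTP/1.0\r\n"]


def evaluate() -> dict:
    """For each sample, report whether the naive and the normalised matcher fire."""
    samples = {"plain": PLAIN, "hex": HEX_ENCODED, "fragmented": FRAGMENTED, "benign": BENIGN}
    return {
        name: {"naive": any(naive_match(p) for p in pkts), "normalised": normalised_match(pkts)}
        for name, pkts in samples.items()
    }
```

Decoding and reassembly are exactly the work the article says costs the IDS time under load, and broader normalisation also tends to raise the false-positive rate it complains about, so both have to be tuned together.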
In the enterprise, there is no "easy" way to patch large numbers of machines, but there are patch deployment mechanisms that take a lot of the burden away. Frankly, it is part of an admin's job to do this, and when a network is horribly fouled up by the latest worm, it just means that someone, somewhere didn't do his job well enough. Now that we've concluded a brief introduction to the types of threats faced in the enterprise, it is time to have a look at some of the tools that attackers use.
Keep in mind that a lot of these tools have legitimate purposes and are very useful to administrators as well. For example, I can use a network sniffer to diagnose a low-level network problem or I can use it to collect your password. It just depends which shade of hat I choose to wear.
A port scanner scans a host or a range of hosts to determine what ports are open and what service is running on them. This tells the attacker which systems can be attacked.
For example, if I scan a Web server and find that port 80 is running an old Web server, like IIS/4.0, I can target this system with my collection of exploits for IIS 4. Usually the port scanning will be conducted at the start of the attack, to determine which hosts are interesting.
This is when the attacker is still footprinting the network -- feeling his way around to get an idea of what type of services are offered and what operating systems are in use. One of the best port scanners around is Nmap (http://www.insecure.org/nmap). Nmap runs on just about every operating system, is very versatile and has many features including OS fingerprinting, service version scanning and stealth scanning. Another popular scanner is Superscan (http://www.foundstone.com), which is only for the Windows platform.
When the target network is a switched environment (a network which uses Layer 2 switches), a conventional network sniffer will not be of any use, because the switch only delivers each frame to the port it is addressed to. For such cases, the switched-network sniffer Ettercap (http://ettercap.sourceforge.net) is very popular. It allows the attacker to collect passwords, hijack sessions, modify ongoing connections and kill connections. It can even sniff secured communications like SSL (Secure Sockets Layer, used for secure Web pages) and SSH1 (Secure Shell, a remote access service like telnet, but encrypted).
There are also programs that allow an admin to detect whether any NICs are running in promiscuous mode.
There are essentially two methods of password cracking:
Dictionary mode: In this mode, the attacker feeds the cracker a word list of common passwords such as "abc123" or "password." The cracker will try each of these passwords and note where it gets a match. This mode is useful when the attacker knows something about the target. If I know that the passwords for the servers in your business are the names of Greek gods, I can find a dictionary list of Greek god names and run it through the password cracker.
Most attackers have a large collection of word lists. For example, when I do penetration testing work, I usually use common password lists, Indian name lists and a couple of customized lists based on what I know about the company (usually data I pick up from their company Web site). Many people think that adding on a couple of numbers at the start or end of a password (for example "superman99") makes the password very difficult to crack. This is a myth, because most password crackers have the option of adding numbers to the end of words from the wordlist. While it may take the attacker 30 minutes more to crack your password, it does not make it much more secure.
Brute force mode: In this mode, the password cracker will try every possible combination for the password. In other words, it will try aaaaa, aaaab, aaaac, aaaad, etc. This method will crack every possible password; it's just a matter of how long it takes. It can turn up surprising results because of the power of modern computers. A five- or six-character alphanumeric password is crackable within a matter of a few hours or a few days, depending on the speed of the software and machine. Powerful crackers include L0phtCrack for Windows passwords and John the Ripper for Unix-style passwords.
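The defensive side of the two cracking modes above, as an added example (not from the article and not a cracker): a password-policy check that rejects a list word even when digits have been added at either end (the "superman99" myth), rejects the short alphanumeric passwords the brute-force paragraph calls crackable, and computes the worst-case brute-force time from alphabet size, length and guess rate. The word list is a tiny constructed stand-in for the lists attackers actually carry.

```python
# Added example (not from the article, and not a cracker): a policy check that
# rejects passwords a dictionary cracker with digit-appending rules would recover,
# plus the brute-force keyspace arithmetic behind the article's 5-6 character claim.
# The word list is a tiny constructed stand-in for the real lists attackers carry.
import re

WORDLIST = {"password", "abc123", "superman", "zeus", "apollo", "athena"}  # constructed


def base_word(candidate: str) -> str:
    """Strip leading and trailing digits, the mangling most crackers undo for free."""
    return re.sub(r"^\d+|\d+$", "", candidate).lower()


def dictionary_hit(candidate: str, wordlist=WORDLIST) -> str:
    """Return the list word the password reduces to, or '' if there is none."""
    for form in (candidate.lower(), base_word(candidate)):
        if form in wordlist:
            return form
    return ""


def brute_force_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust every combination of the given length."""
    return alphabet_size ** length / guesses_per_second


def assess(candidate: str) -> dict:
    """Reject the password classes the article describes as easily cracked."""
    hit = dictionary_hit(candidate)
    if hit:
        return {"ok": False, "reason": f"dictionary word '{hit}' (digits stripped)"}
    if len(candidate) < 8:
        return {"ok": False, "reason": "shorter than 8 characters: brute-forceable"}
    if candidate.isalnum():
        return {"ok": False, "reason": "letters and digits only: small keyspace"}
    return {"ok": True, "reason": ""}
```

The guess rate is a parameter because it is what actually changed between 2004 and today; the keyspace arithmetic (36^5 and 36^6 for the article's alphanumeric cases) has not.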
Part four of this series presents a more detailed list of tools with descriptions and possible uses.
Part one of this series is "Network security, part one: Introduction."