When it comes to enhancing computer security, it is better to follow the philosophy "that which is not expressly permitted is denied" than "that which is not expressly prohibited is allowed." As a company must provide Internet users with access to its World Wide Web (WWW) and File Transfer Protocol (FTP) information servers, and must allow its internal users to access the Internet, the risk greatly increases that a skilled computer hacker will drive a wedge into the small openings in network and client security. The more access provided, the greater the risk of security breaches.
Taking advantage of network vulnerabilities is a real threat. In a 1997 report, the Computer Security Institute and Federal Bureau of Investigation (CSI-FBI) reported 47% of 563 U.S. companies surveyed had been attacked through the Internet. This is up from 37% in the CSI-FBI 1996 report. The report also noted 43% of respondents experienced security attacks from within their organization. Over 70% blamed hackers, while more than half believe business competitors were responsible for the intrusions. Of those reporting losses, 59% could quantify the losses, which totaled $100 million.
A survey conducted in cooperation with a U.S. Senate subcommittee on the threats posed to the nation's electronic infrastructure reported that hackers and competitors broke into the computer systems of almost six of every ten major U.S. corporations in the past year (USA Today, Nov. 28, 1996). This survey, based on 236 out of 500 major corporations responding, reported:
- 58% of respondents suffered computer break-ins in the past twelve months.
- Corporate competitors are believed responsible for many attacks. More than 22% of attacks sought trade secrets or documents of primary interest to a competitor.
- Nearly 18% say they lost more than $1 million due to attacks. Over 66% suffered losses exceeding $50,000.
In its annual report, the Computer Emergency Response Team (CERT) lists nearly 2,500 reported security incidents affecting over 12,000 sites in 1995. The most serious attacks included IP spoofing, eavesdropping, and packet sniffing, in which the attacker directly reads transmitted information (including confidential logon information or database contents). Further, various surveys estimate that between 57% and 80% of all security violations are committed from within an organization by current employees.
Security, for all its costs and visible limitations imposed upon an organization, needs to be regarded as an enhancement that contributes to the long-term viability of an organization — as well as to the bottom line.
Every company needs a written security policy
One of the first steps for any concerned company should be the implementation of a security policy that has approval from the highest levels of management. Management approval helps reduce the inevitable complaints that arise from the user community and gives additional force to the policy. The policy should address
- the use of untrusted external resources by employees, including the ability for users to download software into a sand-box environment (a constrained run-time environment) set up to prevent code from accessing critical system resources;
- information access issues such as the required use of passwords, password management (frequency of change, validity during time of day and week, etc.);
- the use of dial-up modems (who can access the network without going through a security firewall, times of day for access, etc.);
- what can be hand copied into the system from the outside such as Internet downloads done at home; and
- what actions should be taken in case of a security attack or breach.
Along with a published security policy, an organization should conduct a risk assessment of its information systems and put in place risk-management protocols and procedures.
Finally, and most importantly, educate users about the consequences of downloading unauthorized software.
At Engineering Computer Consultants, we help businesses implement the best solutions to reduce their network vulnerabilities, from developing written security policies to securing Internet access and enhancing internal network security via firewall servers. ECC has experience with security audits, enhancing network security, and implementing AltaVista Firewall for NT, Microsoft's Proxy Server, and Raptor's Eagle NT.
In our experience, security breaches are more often the result of improper setup and maintenance than of buggy code. Because firewall management has such strong implications for network security, ECC focuses a great deal of attention on proper installation and maintenance.
Contact Tony at (970) 229-5888 for further information.
Regular monitoring of network activity by time of day and IP address should be conducted as part of the standard security protocol. Monitoring and recording access logs helps to identify patterns that are characteristic of break-in attempts, and permits a rapid response: all communications with the client concerned can be turned off. Saving logs is critical to the successful prosecution of a suspected hacker.
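The monitoring described above, as an added example that is not part of the original ECC page: a small log scanner that flags two patterns characteristic of break-in attempts, a burst of failed logons from one IP address within a short window, and successful logons outside business hours. The log format, addresses, user names, thresholds and business hours are constructed assumptions for the example; real firewall or server logs differ in layout but carry the same fields.

```python
"""Added example (not from the ECC page): scan an access log for break-in
patterns by source IP address and by time of day."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<date> <time> <source-ip> <event> <user>"
SAMPLE_LOG = """\
1997-06-02 09:14:05 192.168.1.20 LOGIN_OK alice
1997-06-02 02:10:01 198.51.100.7 LOGIN_FAIL administrator
1997-06-02 02:10:09 198.51.100.7 LOGIN_FAIL administrator
1997-06-02 02:10:15 198.51.100.7 LOGIN_FAIL administrator
1997-06-02 02:10:22 198.51.100.7 LOGIN_FAIL administrator
1997-06-02 02:10:31 198.51.100.7 LOGIN_FAIL admin
1997-06-02 10:30:44 192.168.1.31 LOGIN_FAIL bob
1997-06-02 10:31:02 192.168.1.31 LOGIN_OK bob
1997-06-02 23:45:10 203.0.113.9 LOGIN_OK alice
"""

FAIL_THRESHOLD = 5                  # this many failures from one address ...
FAIL_WINDOW = timedelta(minutes=5)  # ... inside this window is suspicious (assumed values)
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 local; successful logons outside are flagged


def parse_log(text):
    """Yield (timestamp, ip, event, user) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, ip, event, user = line.split()
        yield datetime.fromisoformat(f"{date} {clock}"), ip, event, user


def repeated_failures(entries):
    """Return {ip: count} for addresses with at least FAIL_THRESHOLD failed
    logons inside some FAIL_WINDOW-long interval (sliding window per address)."""
    fails = defaultdict(list)
    for ts, ip, event, _ in entries:
        if event == "LOGIN_FAIL":
            fails[ip].append(ts)
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most FAIL_WINDOW.
            while times[end] - times[start] > FAIL_WINDOW:
                start += 1
            count = end - start + 1
            if count >= FAIL_THRESHOLD:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def off_hours_access(entries):
    """Return [(ip, user, timestamp)] for successful logons outside BUSINESS_HOURS."""
    return [(ip, user, ts) for ts, ip, event, user in entries
            if event == "LOGIN_OK" and ts.hour not in BUSINESS_HOURS]


def analyse(text=SAMPLE_LOG):
    """Run both detections over a log and return the findings."""
    entries = list(parse_log(text))
    return {"repeated_failures": repeated_failures(entries),
            "off_hours": off_hours_access(entries)}


if __name__ == "__main__":
    report = analyse()
    for ip, n in report["repeated_failures"].items():
        print(f"block candidate: {ip} ({n} failed logons within {FAIL_WINDOW})")
    for ip, user, ts in report["off_hours"]:
        print(f"review: {user} from {ip} logged on at {ts:%H:%M}")
```

The addresses a scanner like this flags are the input to the IP filtering step discussed later on this page; the raw lines it read should be kept unchanged, since the log itself is the evidence.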
Beyond policy, a firewall between the Internet and the local area network (LAN) is required to truly secure a site. A firewall can be software, hardware, or a combination of the two. Most Internet routers available today support packet filtering, which permits a router to discard IP packets based on various criteria (a packet filtering firewall examines all the packets it sees, then forwards them or drops them based on predefined rules). These criteria can be based on source and destination IP address, protocol type, or application type. For example, the packet filter can be used to permit only traffic destined for the Internet File Transfer Protocol (FTP) server program to reach a particular host. When properly implemented, packet filters provide a good first defense against possible intruders. While packet filters provide some protection, they are ineffective against many other attacks, such as those exploiting security holes within host applications. For this reason, ECC recommends the use of software firewalls that support proxy application gateways. With proxies, the firewall acts as an intermediary for user requests, setting up a second connection to the desired resource either at the application layer (an application proxy) or at the session or transport layer (a circuit relay). Proxy servers keep your Intranet computers from directly exchanging packets with the Internet.
To highlight the importance of firewalls, International Data Corporation recently released an estimate for firewall sales from 1996 to the year 2000. The implementation of firewalls will continue as Internet and Intranet security concerns — and the threats — increase globally.
Worldwide Firewall Market (units sold)

Year    Units sold
1996        42,300
1997       150,500
1998       377,100
1999       765,900
2000     1,507,300
Firewalls usually include several software tools, such as separate proxy servers for e-mail, FTP, Gopher, Telnet, WWW, and WAIS. Firewalls can also filter certain outbound Internet Control Message Protocol (ICMP) packets so the server won't divulge any network information. Also, some firewalls provide Network Address Translation (NAT). NAT translates the Transmission Control Protocol/Internet Protocol (TCP/IP) address on the internal LAN to another IP address for communicating across the Internet. This hides the internal IP address (protecting it from IP spoofing) and permits the use of non-approved Internet addresses within the LAN.
For further information on TCP/IP, see Yale University's Introduction to TCP/IP. For the
For details on the various levels of network connectivity and where TCP and IP fit into the networking scheme, see ECC's Open System Interconnection page.
In order to traverse the Internet (or LAN) and ensure the message arrives at its proper destination, a formal process is followed when a client initiates communications with a server. Because of this formal process, the server does not need to look up the IP address associated with a client's request, since it is already within the incoming message. Also, the server does not need to look up the return gateway and hardware address, because they are also contained in the message. Basically, everything the server needs to respond to a client is in the client's message. This is the root of a problem called IP spoofing, where one system pretends to be another one. IP spoofing works because most TCP/IP servers do not attempt to verify whether a client is telling the truth about its IP address.
To protect against hackers, some level of protection is required between the LAN and the outside. A firewall protects an internal network against all external network traffic (malicious and otherwise) not specifically allowed by a security policy. A firewall usually acts as a proxy server to mask all of the internal network's Internet Protocol (IP) addresses outbound to the Internet. In this case, outbound packets are masked to look like they originated on the proxy server. This prevents outside detection of the LAN structure. Without a proxy server, a hacker monitoring the outbound traffic will eventually determine individual IP addresses within the LAN, and then use IP spoofing to feed those addresses back to the LAN server. The hacker then appears as a known client to the LAN server.
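The packet-filtering firewall described above, as an added example that is not part of the original ECC page and does not represent any of the products it names: a first-match rule engine that denies everything not expressly permitted, allows inbound traffic only to the FTP service on one host, and drops packets arriving from the Internet that claim a LAN source address (the spoofing case just described). The interface names, networks, addresses and rules are constructed assumptions.

```python
"""Added example (not from the ECC page): a minimal packet filter following
"that which is not expressly permitted is denied", with an anti-spoofing rule."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

INTERNAL_NET = "192.168.10.0/24"   # constructed LAN behind the firewall
FTP_SERVER = "192.168.10.5/32"     # constructed host running the FTP service


@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    note: str                     # why the rule exists; returned with the decision
    iface: Optional[str] = None   # None means "any"
    src: Optional[str] = None     # CIDR network; None means "any"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every specified field must match; unspecified fields match anything."""
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


RULES = [
    # Anti-spoofing: a packet arriving from the Internet must never carry a LAN source.
    Rule("deny", "spoofed internal source on external interface", iface="ext", src=INTERNAL_NET),
    # The one expressly permitted inbound service: FTP control channel to the FTP host.
    Rule("permit", "inbound FTP to the FTP server", iface="ext", dst=FTP_SERVER, proto="tcp", dport=21),
    # LAN clients may open outbound connections.
    Rule("permit", "outbound traffic from the LAN", iface="int", src=INTERNAL_NET),
]


def decide(p: Packet, rules=RULES) -> Tuple[str, str]:
    """First matching rule wins; a packet matching no rule is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default: not expressly permitted"


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Packet("ext", "203.0.113.8", "192.168.10.5", "tcp", 21),    # FTP to the FTP host
        Packet("ext", "203.0.113.8", "192.168.10.5", "tcp", 23),    # Telnet to the same host
        Packet("ext", "192.168.10.7", "192.168.10.5", "tcp", 21),   # LAN address from outside
        Packet("int", "192.168.10.20", "198.51.100.1", "tcp", 80),  # LAN client going out
    ]
    for p in samples:
        action, note = decide(p)
        print(f"{p.iface} {p.src} -> {p.dst}:{p.dport}/{p.proto}: {action} ({note})")
```

Rule order matters: the anti-spoofing deny sits first so that a spoofed packet addressed to the FTP server cannot reach the permit rule below it.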
It is important to note that there are several products on the market which are advertised as proxy servers. Although these products provide proxy capabilities, they have limitations when compared to firewalls. Unlike application-level firewalls, proxy servers do not provide sophisticated event statistics, reports, alarms, or audit tracking. As part of a complete security procedure, reporting and analysis are critical to preventive maintenance.
With the ability to mask inside IP addresses comes the ability to allocate any number of addressing schemes. As defined by RFC1918, the best current practice for address allocation for private Intranets is as follows. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private Intranets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
The first block is referred to as the "24-bit block", the second as the "20-bit block", and the third as the "16-bit block". The first block is actually a single class A network number, the second block is a set of 16 contiguous class B network numbers, and the third block is a set of 256 contiguous class C network numbers. Anyone can use any combination of these numbers, along with any valid subnet masking, so long as routers, hosts and firewalls are appropriately configured. Remember: you must use a firewall or at least a network address translator if you implement RFC 1918 addressing and want to connect to the Internet. Of course, with a firewall, a business can implement any network-addressing scheme.
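The RFC 1918 arithmetic above, together with the NAT behaviour described earlier on this page, as an added example that is not part of the original ECC page: it checks the three reserved blocks, derives how many classful networks each contains (one class A, 16 class B, 256 class C), and models the many-to-one translation a firewall performs so that LAN hosts with private addresses can reach the Internet while unsolicited inbound packets are dropped. The public address, port range and sample connections are constructed assumptions.

```python
"""Added example (not from the ECC page): RFC 1918 block arithmetic and a
minimal port-based NAT (masquerade) table."""
import ipaddress

# The three blocks reserved by IANA for private Intranets (RFC 1918).
PRIVATE_BLOCKS = {
    "24-bit block": ipaddress.ip_network("10.0.0.0/8"),
    "20-bit block": ipaddress.ip_network("172.16.0.0/12"),
    "16-bit block": ipaddress.ip_network("192.168.0.0/16"),
}
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}   # classful network sizes


def classful_count(block, net_class):
    """Number of class A/B/C networks a block contains: 2**(class prefix - block prefix)."""
    return 2 ** (CLASS_PREFIX[net_class] - block.prefixlen)


def is_rfc1918(addr):
    """True if the address falls in any of the three private blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in block for block in PRIVATE_BLOCKS.values())


class Masquerade:
    """Outbound many-to-one NAT at the firewall. LAN sources are rewritten to
    one public address with a fresh port per connection; the mapping is kept so
    replies can be sent back to the right host. Assumed behaviour of a generic
    NAT, not a description of any particular product."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.reverse = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> public_port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound LAN packet; returns the header as seen on the Internet."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.reverse[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet from the Internet back to the LAN host, or return
        None (drop) if it does not answer an existing outbound connection."""
        if dst_ip != self.public_ip or dst_port not in self.table:
            return None
        lan_ip, lan_port, remote_ip, remote_port = self.table[dst_port]
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None   # right port, wrong peer: not a reply we are waiting for
        return (src_ip, src_port, lan_ip, lan_port)


def block_summary():
    """(name, prefix, address count, classful networks) for each private block."""
    classes = {"24-bit block": "A", "20-bit block": "B", "16-bit block": "C"}
    return [(name, str(block), block.num_addresses, classful_count(block, classes[name]))
            for name, block in PRIVATE_BLOCKS.items()]


if __name__ == "__main__":
    for name, prefix, n, count in block_summary():
        print(f"{name}: {prefix}, {n} addresses, {count} classful network(s)")
    nat = Masquerade("203.0.113.1")                       # constructed public address
    out = nat.outbound("192.168.1.10", 1025, "198.51.100.5", 80)
    print("on the wire:", out)
    print("reply maps to:", nat.inbound("198.51.100.5", 80, out[0], out[1]))
    print("unsolicited:", nat.inbound("198.51.100.5", 80, "203.0.113.1", 40001))
```

The NAT table is also why the LAN structure stays hidden: an observer on the Internet sees only the firewall's address and a port number, never 192.168.1.10.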
Another purpose of a firewall is to perform IP filtering of incoming packets. After careful monitoring, unusual activity originating from a specific IP address can be identified and checked using the WHOIS program (available on the Internet at various sites, including http://www.winsite.com/) to determine the domain of the unwanted user. Once the determination is made that this user should not be doing business on the company's server, an IP filter can be used to block any further connections from the unwanted user's domain while other users are still permitted access inside the firewall.
Several Internet sites provide current information on firewall products and vendors. One site is the National Computer Security Association. NCSA maintains various useful security links, such as CERT advisories, seminars, conferences, reading lists, and related links. The following table provides several links to commercial sites that support Windows NT and Unix based firewalls.
Windows NT is a relatively new Operating System (OS), initially released in the fall of 1992. The OS has since gone through various updates, with version 4.0 (Service Pack 3) the most recent rendition. The OS, under the proprietary ownership of a single company, does not suffer the same level of security issues as other mid- to high-level operating systems such as UNIX (Solaris, SunOS, SCO UNIX, etc.), as is apparent from the number of security FAQs released for UNIX versus Windows NT. It is interesting to note that Windows NT (v3.5, SP3) is only one of two operating systems that provides C2 compliance in a regular, off-the-shelf version. By the way, the other is OS/400.
In a recent computer magazine, over a dozen users and analysts said Microsoft Corporation's Windows NT, versions 3.51 and 4.0, are "inherently secure operating systems that are as good, if not better, than competing operating systems." But Windows NT has very little security when taken right out of the box. It is therefore important to understand and modify all security options appropriate for your site.
Windows NT does not provide suitable levels of security immediately after installation. Security gaps occur when administrators do not understand the nuances of the OS and fail to properly implement NT security permissions. When an administrator does not sufficiently implement NT's security options, internal and external hackers can get full supervisory permissions to access, delete, write, and execute other users' files. The following tips will help reduce the chances of your NT system being hacked.
Tips to Reduce Your NT System's Chances of Being Hacked
- Install a firewall.
- Use NT's NTFS file system (and not FAT).
- Physically secure the server.
- Rename the Administrator account.
- Under User Manager/Policies/Account, use the Maximum Password Age, Minimum Password Length, Password Uniqueness, and Account Lockout features.
- Use alpha-numeric naming conventions for user names and passwords.
- Set up NT to lock out an account after several unsuccessful logon attempts.
- Use an Administrator decoy account to divert intruders into this fake honey-pot.
- Under NT 3.51, disable guest permissions (NT 4.0 automatically does this).
The recent article, "'Hack' Punches Hole in Microsoft NT Security," in The EE Times (March 31, 1997) highlights the importance of securing your Windows NT system (as well as any system with critical data). This article discusses various ways user passwords can be compromised using two relatively new tools that dump the NT user database and use brute force (number crunching) to guess passwords. The story really highlights the importance of securing Administrator accounts on all systems. For more details, check out Microsoft's Response to the EE Times Article on Windows NT Security.
Also review Jos Visser's On NT Password Security.
One critical Windows NT issue is the security threat to user information based on capturing usernames and encrypted passwords during the authentication process across the Internet. Read Microsoft's Security issues with Windows NT for more details. For related information, check the Knowledge Base articles
For other Windows NT information, check out other Windows NT Server Hot News.
IP-level security includes two functional areas: authentication and privacy. Authentication ensures a received packet was indeed transmitted by the source identified in the packet header, and ensures that nothing has altered the packet in transit. Privacy enables communicating nodes to encrypt messages to prevent eavesdropping by third parties. These features are implemented as extension headers (the Authentication header and the Encapsulated Security Payload (ESP) header) that follow the main IP header in a packet.
IP authentication services allow client workstations to authenticate directly to servers, which can be either on the same network or on an external network. Another application for the service is to allow a remote workstation to authenticate itself to a corporate firewall, giving valid workstations access to an entire internal network. The Encapsulated Security Payload (ESP) provides support for privacy and data integrity for IP packets. This mechanism can encrypt either a transport-layer segment (transport-mode ESP) or an entire IP packet (tunnel-mode ESP).
Transport-mode ESP encrypts the data carried by IP. Typically, this data is a transport-layer segment, such as a TCP or UDP segment, which contains application-level data. For this mode, the ESP header goes into the IP packet immediately before the transport-layer header. Transport-mode operation provides privacy for any application that uses it, avoiding the need to implement privacy in each application. It is possible, though, to conduct traffic analysis on the transmitted packets, since the destination and source addresses are in plain text.
Tunnel-mode ESP encrypts an entire IP packet, including its own header. The ESP is prefixed to the packet, and then the trailing portion of the ESP header plus the packet is encrypted, countering traffic analysis. The entire block is then encapsulated with a new IP header containing sufficient information for routing but not for traffic analysis. Tunnel mode is useful to companies using firewalls that protect their trusted networks from external networks. In such a case, encryption occurs between an external host and the firewall or between firewalls. This simplifies the network administrator's security management by reducing the number of distributed security keys.
Tunnel mode is used to set up a Virtual Private Network (VPN). With a VPN, a company has two or more private networks that interconnect across the Internet. Computers on the internal network use the Internet for data transport but do not interact with Internet-based computers outside the VPN. All implementations that conform with the ESP specification must implement the Data Encryption Standard-Cipher Block Chaining (DES-CBC) method of encryption.
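The difference between transport-mode and tunnel-mode ESP described above, as an added example that is not part of the original ECC page: it builds both packet layouts with a stripped-down IP header (source, destination, protocol number) and shows what an eavesdropper on the path can read without the key. The hosts, gateways and key are constructed; the cipher is a SHA-256 counter-mode stand-in used only so the example runs without a DES library, since the point is where the headers sit and what is left in the clear, not the algorithm (the page notes that conforming ESP implementations must support DES-CBC).

```python
"""Added example (not from the ECC page): ESP transport mode versus tunnel
mode, and what each leaves visible for traffic analysis."""
import hashlib
import ipaddress
import struct

PROTO_IP, PROTO_TCP, PROTO_ESP = 4, 6, 50   # IANA protocol numbers


def ip_header(src, dst, next_proto):
    """Stripped-down IP header: 4-byte source, 4-byte destination, 1-byte protocol."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + bytes([next_proto])


def parse_ip_header(pkt):
    """Return (src, dst, protocol, rest-of-packet)."""
    return (str(ipaddress.ip_address(pkt[0:4])), str(ipaddress.ip_address(pkt[4:8])),
            pkt[8], pkt[9:])


def keystream(key, spi, seq, n):
    """Stand-in keystream (SHA-256 in counter mode), NOT DES-CBC; keyed by the
    SPI and sequence number so each packet is encrypted differently."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">IIQ", spi, seq, counter)).digest()
        counter += 1
    return out[:n]


def esp_wrap(payload, next_proto, key, spi, seq):
    """ESP: clear SPI and sequence number, then the encrypted payload. The
    'next header' byte travels inside the encrypted part, as in the ESP trailer."""
    plain = payload + bytes([next_proto])
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(key, spi, seq, len(plain))))
    return struct.pack(">II", spi, seq) + cipher


def esp_unwrap(esp, key):
    """Reverse of esp_wrap: returns (payload, next_proto)."""
    spi, seq = struct.unpack(">II", esp[:8])
    cipher = esp[8:]
    plain = bytes(a ^ b for a, b in zip(cipher, keystream(key, spi, seq, len(cipher))))
    return plain[:-1], plain[-1]


def transport_mode(src, dst, tcp_segment, key, spi, seq):
    """IP header | ESP | {TCP segment}: the end hosts' addresses stay in the clear."""
    return ip_header(src, dst, PROTO_ESP) + esp_wrap(tcp_segment, PROTO_TCP, key, spi, seq)


def tunnel_mode(gw_src, gw_dst, inner_packet, key, spi, seq):
    """new IP header (gateway to gateway) | ESP | {entire original IP packet}."""
    return ip_header(gw_src, gw_dst, PROTO_ESP) + esp_wrap(inner_packet, PROTO_IP, key, spi, seq)


def wire_view(pkt):
    """What an observer on the path sees without the key: the outer header only."""
    src, dst, proto, _ = parse_ip_header(pkt)
    return src, dst, proto


def decapsulate(pkt, key):
    """Receiving end: strip the outer header and decrypt; returns (payload, next_proto)."""
    _, _, proto, rest = parse_ip_header(pkt)
    if proto != PROTO_ESP:
        raise ValueError("not an ESP packet")
    return esp_unwrap(rest, key)


if __name__ == "__main__":
    key = b"constructed-demo-key"                       # constructed, shared by both ends
    host_a, host_b = "192.168.1.10", "10.0.0.20"         # constructed hosts on two private LANs
    gw_a, gw_b = "203.0.113.1", "198.51.100.1"           # constructed firewall addresses
    segment = b"TCP:GET / HTTP/1.0"
    t = transport_mode(host_a, host_b, segment, key, 0x100, 1)
    print("transport mode, on the wire:", wire_view(t))   # inner hosts visible
    inner = ip_header(host_a, host_b, PROTO_TCP) + segment
    u = tunnel_mode(gw_a, gw_b, inner, key, 0x200, 1)
    print("tunnel mode, on the wire:   ", wire_view(u))   # only the gateways visible
    payload, nh = decapsulate(u, key)
    print("tunnel mode, after decryption at the far firewall:", parse_ip_header(payload)[:2])
```

In tunnel mode the only addresses on the wire are the two firewalls', which is what the page means by "sufficient information for routing but not for traffic analysis"; the original packet, private addresses included, reappears only after decryption at the far end.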
What to do if your site has been hacked
Report it to the Computer Emergency Response Team (CERT). Funded by the Defense Advanced Research Projects Agency, CERT is the central security clearinghouse on the Internet. It accepts reports of intrusions, investigates them, and publishes advisories at regular intervals that recommend security countermeasures. During 1995, CERT documented more than 2,400 computer-security incidents, including over 700 confirmed break-ins.
To file a report, use the template available at ftp://info.cert.org//pub/incident_reporting_formal. Also, if you care to read through CERT advisories, they are posted to the comp.security.announce newsgroup.