Understanding the Basic Security Concepts of Communication and Network Devices

The easiest way to keep a computer safe is by physically isolating it from outside contact. Because of the way most companies currently do business, this is virtually impossible. Securing the devices on the network is imperative to protecting the environment. To secure devices, you have to understand the basic security concepts of communication and network devices. This section introduces security concepts as they apply to physical devices found on most networks.

Firewalls

A firewall is a component placed between computers and networks to help eliminate undesired access by the outside world. It can consist of hardware, software, or a combination of both. A firewall is the first line of defense for the network. How firewalls are configured is important, especially for large companies, where a compromised firewall may spell disaster in the form of bad publicity or a lawsuit, not only for the company, but also for the companies it does business with. For smaller companies, a firewall is an excellent investment because most small companies don't have a full-time technology staff, and an intrusion could easily put them out of business. All things considered, a firewall is an important part of your defense, but you should not rely on it exclusively for network protection. See Figure 6.1 for an example of a firewall.

Figure 6.1. A network with a firewall.
There are three main types of firewalls:
Packet-Filtering Firewall

A packet-filtering firewall is typically a router. Packets can be filtered based on IP addresses, ports, or protocols. These firewalls operate at the Network layer (layer 3) of the Open Systems Interconnection (OSI) model. Packet-filtering solutions are generally considered less secure firewalls because they still allow packets inside the network regardless of the communication pattern within the session. This leaves the system open to denial of service (DoS) attacks. Even though they are the simplest and least secure, they are a good first line of defense. Their main advantage is speed, which is why they are sometimes used in front of other types of firewalls to perform the first filtering pass.

Proxy Service Firewall

Proxy service firewalls are go-betweens for the network and the Internet. They hide the internal addresses from the outside world and don't allow the computers on the network to directly access the Internet. This type of firewall has a set of rules that packets must pass to get in or out. It receives all packets, replaces the IP address on outgoing packets with its own address, and then rewrites the address on incoming packets to the correct internal destination address. Proxy service firewalls can also serve as caching servers. In this capacity, these firewalls hold frequently visited Web pages in cache to reduce the time it takes to get a response from the Internet. Here are the two basic types of proxies:
Stateful-Inspection Firewall

This is a combination of all types of firewalls. This firewall relies on algorithms to process Application layer data. Because it knows the connection status, it can protect against IP spoofing. It has better security controls than packet filtering, but because it has more security controls and features, it increases the attack surface and is more complicated to maintain.

Other Firewall Considerations

In addition to the core firewall components, other elements are involved in designing a firewall solution that administrators should consider. These include network, remote access, and authentication policies. Firewalls can also provide access control, logging, and intrusion notification. Firewall architecture is covered later in this chapter in the "Basic Security Concepts, Strengths, and Vulnerabilities of Security Topologies" section.

Routers

Routers operate at the Network layer of the OSI model. They are the devices that receive information from a host and forward it to its destination on the network or the Internet. Routers maintain tables that are checked each time a packet needs to be forwarded from one interface to another. The tables inside the router help speed up route lookups so packets can reach their destination more quickly. Routes may be added manually to the routing table or may be updated automatically using the following protocols:
Although routers are primarily used to segment traffic, they also have some useful security features. One of the best features of a router is its ability to filter packets by source address, destination address, protocol, or port. These filters are referred to as access control lists (ACLs). Routers can also be configured to help prevent spoofing by using strong protocol authentication.
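The difference between the packet-filtering ACLs described above and stateful inspection is easiest to see in code. The following is an added example, not from the book: a stateless first-match ACL beside a stateful filter, both run over the same constructed packets. The 192.168.1.0/24 inside network, the peer addresses, the rules and the Packet type are all hypothetical.

```python
import ipaddress
from collections import namedtuple

# flags: TCP flags present, e.g. "S" (SYN), "SA", "A" (ACK);
# inbound: True when the packet arrives from the untrusted side.
Packet = namedtuple("Packet", "src sport dst dport flags inbound")

def _match(addr, port, net, want_port):
    # One address/port pair against an ACL field; "any" is a wildcard.
    return ((net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net))
            and (want_port == "any" or port == want_port))

# Hypothetical ordered ACL (first match wins, implicit deny at the end):
# (action, direction, src_net, src_port, dst_net, dst_port, required TCP flags)
ACL = [
    ("permit", "out", "192.168.1.0/24", "any", "any", 80, ""),  # inside -> web servers
    ("permit", "in", "any", 80, "192.168.1.0/24", "any", "A"),  # replies ("established")
]

def stateless_filter(pkt):
    # Packet-filtering decision from layer 3/4 header fields alone.
    for action, direction, snet, sport, dnet, dport, need in ACL:
        if ((direction == "in") == pkt.inbound
                and _match(pkt.src, pkt.sport, snet, sport)
                and _match(pkt.dst, pkt.dport, dnet, dport)
                and all(f in pkt.flags for f in need)):
            return action
    return "deny"

class StatefulFilter:
    # Admits inbound packets only when they belong to a session the inside opened.
    def __init__(self):
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def check(self, pkt):
        if not pkt.inbound:
            verdict = stateless_filter(pkt)  # outbound policy still applies
            if verdict == "permit" and "S" in pkt.flags:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        # Inbound: must be the reverse of a tracked session; no inbound ACL hole needed.
        return "permit" if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions else "deny"

def compare(packets):
    # Returns (stateless, stateful) verdicts for each packet, in order.
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.check(p)) for p in packets]

# Constructed traffic: one genuine web session, then two forged "replies".
SAMPLE = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, "S", False),   # inside opens HTTP
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, "SA", True),   # genuine reply
    Packet("198.51.100.77", 80, "192.168.1.10", 40000, "A", True),  # "reply" from a host never contacted
    Packet("198.51.100.77", 80, "192.168.1.22", 445, "A", True),    # ACK + source port 80 aimed at port 445
]
```

Packets 3 and 4 pass the stateless ACL because their headers look like replies; only the stateful filter, which never saw the inside open those sessions, drops them.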
Switches

Switches are rapidly becoming more popular than hubs when it comes to connecting desktops to the wiring closet. Switches operate at the Data Link layer (layer 2) of the OSI model. Their packet-forwarding decisions are based on MAC addresses. They allow LANs to be segmented, thus increasing the amount of bandwidth that goes to each device. Each segment is a separate collision domain, but all segments are in the same broadcast domain. Here are the basic functions of a switch:
Because most switches are configurable, implementing sound security on your switches is very similar to configuring security on a firewall or a router. Physical and virtual security controls must be in place. Switches should be placed in a physically secured area if possible. Be sure that strong authentication and password policies are in place to secure access to the operating system and configuration files.

Wireless

Wireless devices have become extremely popular because of the mobility they provide. However, wireless devices are not really considered secure yet. There are all kinds of stories about war-driving, war-chalking, and making wireless antennas out of Pringles cans.
The current Institute of Electrical and Electronics Engineers (IEEE) standards for wireless are 802.11a and 802.11b. There are plans to implement 802.11e, f, g, and i in 2003. These standards operate on radio frequencies. One of the issues with the current wireless technology is that it is a broadcast signal. This basically means that a wireless device advertises that it is out there and open, making it easy for an intruder to pick up and monitor. Wired Equivalent Privacy (WEP) is an IEEE Wireless Fidelity security protocol. It is defined in the 802.11b standard and is an encryption algorithm that can be used to secure a wireless environment when it is enabled. WEP can have trouble exchanging public and private keys between wireless hosts, but a WEP-enabled network is more secure than a wireless network without it. Several tools exist to help you monitor wireless networks. The following are some tools that can check the security of a wireless LAN (WLAN):
Wireless LANs can be subject to session hijacking and man-in-the-middle attacks. Using WEP is better than leaving your network unprotected, but it can lead to a false sense of security. WEP works by using the RC4 encryption scheme. The 802.11 design uses a shared key. (Refer to Chapter 8, "Basics of Cryptography," for more information.) Additional risks remain because anyone can purchase an access point and set it up, and access points are small enough to be attractive to thieves. Access points are devices that allow wireless networks to connect to wired networks. As with firewalls, routers, and switches, great care needs to be taken to configure wireless devices for tight security because these devices have a distinct potential to leave large holes open on a corporate network.
Modems

Modems are used via the phone line to dial in to a server or computer. They are gradually being replaced by high-speed cable and Digital Subscriber Line (DSL) solutions, which are faster than dial-up access. Most companies use modems for employees to dial in to the network and work from home. The modems on network computers or servers are usually configured to take incoming calls. Leaving modems open for incoming calls with little to no authentication for users dialing in can be a clear security vulnerability in the network. For example, war-dialing attacks take advantage of this situation. War-dialing is the process by which an automated software application is used to dial numbers in a given range to determine whether any of the numbers are serviced by modems that accept dial-in requests. This attack can be set to target connected modems that are set to receive calls without any authentication, thus allowing attackers an easy path into the network. There are several ways to resolve this:
As mentioned, cable and DSL modems are more popular these days. They act more like routers than modems. Although these devices are not prone to war-dialing attacks, they do present a certain amount of danger by maintaining an always-on connection. Because the connection is on all the time, a hacker has ample time to get into the machine and the network. The use of encryption and firewall solutions will help keep the environment safe from attacks.

RAS

Remote Access Service (RAS) allows a user to dial in to the network via a modem or modem pool while providing the user with secure access during the time he is connected. Many controls may be used to protect the RAS entry point. Here are some examples:
These are just a few of the controls that can be set. In addition, the physical area where the modems or modem pools are located should be secure. Even once the physical and logical environments are secured, they may still be susceptible to DoS attacks, buffer overflows, social engineering, and PBX vulnerabilities, so be sure auditing is implemented.

Telecom/PBX

The telecommunications (telecom) system and Private Branch Exchange (PBX) are a vital part of an organization's infrastructure. Besides the standard block, there are also PBX servers, where the PBX board plugs into the server and is configured through software on the computer. Many companies have moved to Voice over IP (VoIP) to integrate computer telephony, videoconferencing, and document sharing. For years PBX-type systems have been targeted by hackers, mainly to get free long-distance service. The vulnerabilities that phone networks are subject to include social engineering, long-distance toll fraud, and breach of data privacy. To protect your network, make sure the PBX is in a secure area, any default passwords have been changed, and only authorized maintenance is done. Many times hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port.

VPN

A Virtual Private Network (VPN) is a network connection that allows you access via a secure tunnel created through an Internet connection. VPNs are very popular for several reasons:
In a VPN, encryption and decryption consume a significant number of CPU cycles and a fair amount of memory, so be prepared to factor dedicated hardware or upgrades to existing hardware into the costs of proposed solutions.

IDS

IDS stands for intrusion-detection system. Intrusion-detection systems are designed to analyze data, identify attacks, and respond to the intrusion. They are different from firewalls in that firewalls control the information that gets in and out of the network, whereas IDSs can identify unauthorized activity. Intrusion-detection systems are also designed to catch attacks in progress within the network, not just on the boundary between private and public networks. The two basic types of intrusion-detection systems are network based and host based. As the names suggest, network-based IDSs look at the information exchanged between machines, and host-based IDSs look at information that originates on the individual machines. Here are some specifics:
Network-based IDSs and host-based IDSs should be used together to ensure a truly secure environment. IDSs can be located anywhere on the network. They can be placed internally or between firewalls. Many different types of IDSs are available, all with different capabilities, so make sure they meet the needs of your company before committing to using them. Chapter 7, "Intrusion Detection and Security Baselines," covers IDSs in more detail.
Network Monitoring/Diagnostics

Most organizations use monitoring and diagnostic tools to help manage their networks. Diagnostic tools can be actual tools, such as cable testers and loopback connectors, or software programs and utilities. Some of the more common network diagnostic tools include the following:
Port scanners, vulnerability scanners, and intrusion-detection systems are also used in network monitoring. Port and vulnerability scanners were discussed in Chapter 3, "Nonessential Services and Attacks," and intrusion-detection systems were discussed earlier in this chapter. If these tools are used on the network, be sure the information they gather is protected as well.

SNMP

Simple Network Management Protocol (SNMP) is an Application layer protocol whose purpose is to collect statistics from TCP/IP devices. Its management infrastructure consists of three components:
The device loads the agent, which in turn collects the information and forwards it to the management station. Network management stations collect a massive amount of critical network information and are likely targets of intruders because SNMPv1 is insecure. The only security measure it has in place is its community name, which is similar to a password. By default, this is "public" and many times is not changed, thus leaving the information wide open to intruders. SNMPv2 uses Message Digest Version 5 (MD5) for authentication. The transmissions can also be encrypted. SNMPv3 is the current standard, but most devices are likely to still be using SNMPv1 or SNMPv2. SNMP is often overlooked when checking for vulnerabilities because it uses User Datagram Protocol (UDP) ports 161 and 162. Make sure network management stations are secure physically and secure on the network. You might even consider using a separate management subnet and protecting it using a router with an access list.

Workstations

Workstation security is often overlooked, yet this is one of the areas that can attract intruders the most because it is the path of least resistance to deploying an attack. This mostly happens because users are unaware of the dangers they put themselves and the company in by doing some of the following:
This by no means covers all the possible situations users get into. There is also theft and lost equipment, failed components, and physical access by visitors to consider. In the area of physical theft, the most obvious solution is security locks. Every laptop comes with a hook for a security lock that can be used to discourage theft attempts. Similar locks exist for desktop workstations as well. In addition to physical locks, educate your employees to always log off or lock their workstations while they are unattended. To protect the information on stolen or lost equipment, use encryption to make it impossible to read this information without appropriate login credentials. Should a component in a workstation fail, such as a hard drive, running nightly backups will be instrumental in making sure the data can be recovered. You may also want to consider removing floppy drives or disabling devices that aren't absolutely necessary. This prevents visitors and users from bringing in infected files. Antivirus software can be used to scan email and to check for downloadable malicious code. Be sure that the definitions are updated on a regular basis; the software alone will not do the job. Again, user education and training will help ensure that the updates are timely. User education in company security policies and the scope of their responsibilities is the ultimate key to success in keeping the workstations secure.

Servers

As you learned in Chapter 3, servers can serve a variety of functions, and their vulnerabilities are determined by their use. Servers are more sensitive to attacks than workstations, and these attacks can be more costly. Therefore, all network servers should be isolated in a server room and locked to prevent any kind of unauthorized physical access. Visitors to these premises must be justified and supervised. Besides having physical controls, availability must also be ensured. This can be accomplished via Redundant Array of Inexpensive Disks (RAID), uninterruptible power supply (UPS) equipment, and clustering. We already discussed ways to make the server environment safer in Chapter 3; server hardening is discussed in Chapter 7.

Mobile Devices

Laptops, personal digital assistants (PDAs), Palm Pilots, and PocketPCs are all mobile devices. They are very susceptible to theft because they are small, valuable, and many times contain important information about a company. They use wireless or infrared technology, and as you saw in an earlier discussion, you need to be sure that encryption is enabled to keep their data safe. If possible, you should protect these devices with passwords so there is at least an initial deterrent. We have covered basic security concepts as they apply to physical devices. These devices all use some type of media to communicate with each other. With that in mind, let's move to the next section.