Understanding the Basic Security Concepts of Communication and Network Devices

The easiest way to keep a computer safe is to physically isolate it from outside contact. Because of the way most companies currently do business, this is virtually impossible. Securing the devices on the network is therefore imperative to protecting the environment. To secure devices, you have to understand the basic security concepts of communication and network devices. This section introduces security concepts as they apply to the physical devices found on most networks.

Firewalls

A firewall is a component placed between computers and networks to help eliminate undesired access by the outside world. It can be comprised of hardware, software, or a combination of both. A firewall is the first line of defense for the network. How firewalls are configured is important, especially for large companies, where a compromised firewall may spell disaster in the form of bad publicity or a lawsuit, not only for the company, but also for the companies it does business with. For smaller companies, a firewall is an excellent investment because most small companies don't have a full-time technology staff, and an intrusion could easily put them out of business. All things considered, a firewall is an important part of your defense, but you should not rely on it exclusively for network protection. See Figure 6.1 for an example of a firewall.

Figure 6.1. A network with a firewall.


There are three main types of firewalls:

  • Packet-filtering firewall

  • Proxy-service firewall

    • Circuit-level gateway

    • Application-level gateway

  • Stateful-inspection firewall

Packet-Filtering Firewall

A packet-filtering firewall is typically a router. Packets can be filtered based on source and destination IP addresses, ports, or protocols. Packet filters operate at the Network layer (layer 3) of the Open System Interconnection (OSI) model, although they also read Transport layer port numbers. Packet-filtering solutions are generally considered the least secure type of firewall because they judge each packet in isolation: a packet that matches an allow rule is admitted whether or not it belongs to a connection an inside host actually opened, and an attacker can craft packets (for example, with a source port of 80) that satisfy the rules. This also leaves the systems behind them exposed to denial-of-service (DoS) attacks. Even though they are the simplest and least secure, they are a good first line of defense. Their main advantage is speed, which is why they are often placed in front of other firewall types to perform the first filtering pass.

Proxy Service Firewall

Proxy service firewalls are go-betweens for the network and the Internet. They hide the internal addresses from the outside world and don't allow the computers on the network to directly access the Internet. This type of firewall has a set of rules that the packets must pass to get in or out. It receives all packets and replaces the IP address on the packets going out with its own address and then changes the address of the packets coming in to the destination address. Proxy service firewalls can also serve as caching servers. In this capacity, these firewalls hold frequently visited Web pages in cache to reduce the time it takes to get a response from the Internet. Here are the two basic types of proxies:

  • Circuit-level gateway Operates at the OSI Session layer (layer 5) by monitoring the TCP handshake and packet flow to determine whether the session requested is a legitimate one. Because it validates the handshake before relaying a session, it can discard suspicious connection requests and so blunt some connection-flooding DoS attacks.

  • Application-level gateway All traffic is examined to check for OSI Application layer (layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP). Because the filtering is application specific, it adds overhead to the transmissions but is more secure than packet filtering.

Stateful-Inspection Firewall

Stateful inspection combines the strengths of the other types. The firewall keeps a state table of the connections it has seen: when an inside host opens a connection, the firewall records it, and inbound packets are admitted only if they belong to a recorded connection. It can also apply algorithms that inspect Application layer data. Because it knows the state of each connection, it rejects packets that claim to be replies to sessions no one opened, which defeats many spoofed-packet attacks. It has better security controls than packet filtering, but the added controls and features enlarge the attack surface and make the device more complicated to maintain.
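The difference between a packet filter and stateful inspection is easiest to see on concrete packets. The following is an added illustration, not code from the book or from any firewall product: a toy stateless rule set beside a toy connection table, run over three constructed packets. The addresses, ports, and the "replies from port 80 are allowed" rule are assumptions chosen to show the weakness described above.

```python
"""Stateless packet filtering versus stateful inspection on constructed packets."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK), "A", "R", "F"


INTERNAL_PREFIX = "10.0.0."   # hypothetical internal network (assumption)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_allows(pkt: Packet) -> bool:
    """Packet-filtering router: each packet is judged alone against static rules.

    Rule 1: anything from inside may go out.
    Rule 2: inbound packets are allowed only if they look like web replies
            (source port 80/443 going to a high client port).
    """
    if is_internal(pkt.src):
        return True
    # Rule 2 cannot distinguish a genuine reply from a crafted packet whose
    # source port the attacker simply set to 80.
    return pkt.sport in (80, 443) and pkt.dport >= 1024


class StatefulFilter:
    """Stateful inspection: an inbound packet must match a connection that an
    inside host opened. The connection table is the state a packet filter lacks."""

    def __init__(self) -> None:
        self.connections = set()   # (client_ip, client_port, server_ip, server_port)

    def allows(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "S" in pkt.flags and "A" not in pkt.flags:   # new outbound SYN
                self.connections.add(key)
            elif "R" in pkt.flags or "F" in pkt.flags:        # teardown
                self.connections.discard(key)
            return True
        # Inbound: the reversed tuple must already be in the table.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def compare() -> dict:
    """Run the same three constructed packets through both filters; return the decisions."""
    syn = Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S")     # inside client opens HTTP
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA")  # legitimate SYN/ACK back
    crafted = Packet("198.51.100.7", 80, "10.0.0.5", 3389, "S")  # attacker, source port set to 80

    stateful = StatefulFilter()
    results = {}
    for name, pkt in (("syn", syn), ("reply", reply), ("crafted", crafted)):
        results[name] = {"stateless": stateless_allows(pkt), "stateful": stateful.allows(pkt)}
    return results


if __name__ == "__main__":
    for name, decision in compare().items():
        print(f"{name:8s} stateless={decision['stateless']!s:5s} stateful={decision['stateful']}")
```

The crafted packet toward port 3389 passes the stateless rules because a source port of 80 is all the router can check; the stateful filter drops it because no inside host opened a connection to 198.51.100.7. Real stateful firewalls also age entries out of the table and track sequence numbers, which this toy omits.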

Other Firewall Considerations

In addition to the core firewall components, other elements are involved in designing a firewall solution that administrators should consider. These include network, remote access, and authentication policies. Firewalls can also provide access control, logging, and intrusion notification. Firewall architecture is covered later in this chapter in the "Basic Security Concepts, Strengths, and Vulnerabilities of Security Topologies" section.

Routers

Routers operate at the Network layer of the OSI model. They are the items that receive information from a host and forward that information to its destination on the network or the Internet. Routers maintain tables that are checked each time a packet needs to be redirected from one interface to another. The tables inside the router help speed up request resolution so packets can reach their destination quicker. The routes may be added manually to the routing table or may be updated automatically using the following protocols:

  • Routing Information Protocol (RIP/RIPv2)

  • Interior Gateway Routing Protocol (IGRP)

  • Enhanced Interior Gateway Routing Protocol (EIGRP)

  • Open Shortest Path First (OSPF)

  • Border Gateway Protocol (BGP)

  • Exterior Gateway Protocol (EGP)

  • Intermediate System to Intermediate System (IS-IS)

Although routers are primarily used to segment traffic, they have some good security features. One of the best features of a router is its ability to filter packets by source address, destination address, protocol, or port. These filters are referred to as access control lists (ACLs). Routers can also help prevent spoofing in two ways: by authenticating routing-protocol updates (for example, keyed authentication between RIPv2, OSPF, or BGP neighbors) so that an attacker cannot inject bogus routes, and by ingress filtering with ACLs that drop packets arriving from the Internet that carry internal source addresses.


Remember, no matter how secure the routing protocol of choice is, if you never change the default password on the router, you have left yourself wide open to attacks.


Switches

Switches are rapidly becoming more popular than hubs when it comes to connecting desktops to the wiring closet. Switches operate at the Data Link layer (layer 2) of the OSI model. Their frame-forwarding decisions are based on MAC addresses. They allow LANs to be segmented, thus increasing the amount of bandwidth available to each device. Each switch port is a separate collision domain, but all ports are in the same broadcast domain unless VLANs are configured. Here are the basic functions of a switch:

  • Filtering and forwarding frames

  • Learning Media Access Control (MAC) addresses

  • Preventing loops

Because most switches are configurable, implementing sound security with your switches can be done very similarly to configuring security on a firewall or a router. Physical and virtual security controls must be in place. Switches should be placed in a physically secured area if possible. Be sure that strong authentication and password policies are in place to secure access to the operating system and configuration files.

Wireless

Wireless devices have become extremely popular because of the mobility they provide. However, wireless devices are not really considered secure yet.

There are all kinds of stories about war-driving, war-chalking, and making wireless antennas out of Pringles cans.


War-driving is the practice of using a laptop computer with a wireless network card to locate unsecured wireless networks. A hacker can drive around and see where he can gain network access. This is mostly done in business districts but can also be done in residential neighborhoods. From the parking lot or street the unsecured network is accessed without the company's permission or knowledge.

War-chalking is the practice of marking the buildings of unsecured wireless networks so other hackers will know they can gain access. Several Web sites list the coordinates of unsecured networks using a GPS.


The Institute of Electrical and Electronics Engineers (IEEE) wireless standards in use at the time of writing are 802.11a and 802.11b, with 802.11e, f, g, and i planned for 2003. These standards operate on radio frequencies. One of the issues with the technology is that it is a broadcast medium: an access point announces its presence in beacon frames, and every frame it sends or receives can be picked up by any receiver in range, which makes it easy for an intruder to find the network and monitor its traffic.

Wired Equivalent Privacy (WEP) is the security mechanism defined in the IEEE 802.11 standard (and inherited by 802.11b). It is an encryption scheme that can be used to protect a wireless environment when it is enabled. WEP uses a single static key that must be configured in advance on every station and access point; it defines no key-exchange or key-management mechanism, so keys are rarely rotated and one leaked key exposes the whole WLAN. Even so, a WEP-enabled network is more secure than a wireless network without it.

Several tools exist to help you monitor wireless networks. The following are some tools that can check the security of a wireless LAN (WLAN):

  • Kismet

  • NetStumbler

  • Airopeek NX

  • Sniffer Wireless

Wireless LANs can be subject to session hijacking and man-in-the-middle attacks. Using WEP is better than leaving your network unprotected, but it can lead to a false sense of security. WEP works by using the RC4 stream cipher, and the 802.11 design uses a single shared key for every device on the WLAN; the scheme has well-known cryptographic weaknesses. (Refer to Chapter 8, "Basics of Cryptography," for more information.) Additional risks remain because anyone can purchase an access point and set it up, creating an unauthorized path into the wired network, and access points are small enough to be attractive to thieves. Access points are devices that allow wireless networks to connect to wired networks. As with firewalls, routers, and switches, great care needs to be taken to configure wireless devices for tight security because these devices have distinct potential to leave large holes open on a corporate network.
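The text says WEP is RC4 with a shared key; the practical consequence is worth seeing. WEP builds each frame's RC4 key from a 24-bit initialization vector (IV), sent in the clear, prepended to the shared key, so two frames encrypted under the same IV use the same keystream, and XORing the two ciphertexts cancels the keystream. The block below is an added example written for this page, not code from the book or from any WEP implementation: a minimal RC4, a simplified WEP frame (the CRC-32 integrity check value that real WEP appends is omitted), and a known-plaintext recovery of a second frame that reused the IV. The key, IV, and frame contents are constructed.

```python
"""RC4 as used by WEP, and what IV reuse under one shared key gives an eavesdropper."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` keystream bytes for `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: IV (3 bytes, cleartext) || RC4(IV||key) XOR plaintext.

    Real WEP also appends a CRC-32 ICV to the plaintext before encryption; omitted here.
    """
    assert len(iv) == 3, "WEP IVs are 24 bits"
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + shared_key, len(body))
    return bytes(c ^ k for c, k in zip(body, keystream))


def recover_with_known_plaintext(known_frame: bytes, known_plaintext: bytes,
                                 target_frame: bytes) -> bytes:
    """Attacker's view: no key needed. If two frames share an IV they share a keystream;
    knowing one plaintext yields the keystream, which decrypts the other frame."""
    iv_known, c_known = known_frame[:3], known_frame[3:]
    iv_target, c_target = target_frame[:3], target_frame[3:]
    if iv_known != iv_target:
        raise ValueError("IVs differ; keystreams are not the same")
    keystream = bytes(c ^ p for c, p in zip(c_known, known_plaintext))
    return bytes(c ^ k for c, k in zip(c_target, keystream))   # limited to known length


def demo() -> bytes:
    """Constructed scenario: 40-bit shared key, one IV reused for two frames."""
    shared_key = bytes.fromhex("0123456789")        # constructed 5-byte WEP key
    iv = b"\x00\x00\x01"                            # with only 2**24 IVs, reuse is inevitable
    known = b"GET /index.html HTTP/1.0\r\n"         # guessable request the attacker predicts
    secret = b"password=hunter2&user=bob"           # the frame the attacker wants
    frame_known = wep_encrypt(shared_key, iv, known)
    frame_secret = wep_encrypt(shared_key, iv, secret)
    return recover_with_known_plaintext(frame_known, known, frame_secret)


if __name__ == "__main__":
    print(demo())
```

Usage: run the file; it prints the recovered second plaintext without ever touching the shared key. The 24-bit IV space means a busy access point cycles through every IV in hours, which is why the attack needs no weakness in RC4 itself; the separate weak-IV key-recovery attacks against WEP are a further problem not shown here.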


Modems

Modems are used via the phone line to dial in to a server or computer. They are gradually being replaced by high-speed cable and Digital Subscriber Line (DSL) solutions, which are faster than dial-up access.

Most companies use modems for employees to dial in to the network and work from home. The modems on network computers or servers are usually configured to take incoming calls. Leaving modems open for incoming calls with little to no authentication for users dialing in can be a clear security vulnerability in the network. For example, war-dialing attacks take advantage of this situation. War-dialing is the process by which an automated software application is used to dial numbers in a given range to determine whether any of the numbers are serviced by modems that accept dial-in requests. This attack can be set to target connected modems that are set to receive calls without any authentication, thus allowing attackers an easy path into the network. There are several ways to resolve this:

  • Set the callback features to have the modem call the user back at a preset number.

  • Make sure authentication is required using strong passwords.

  • Be sure employees have not set up modems at their workstations with remote control software installed.

As mentioned, cable and DSL modems are more popular these days. They act more like routers than modems. Although these devices are not prone to war-dialing attacks, they do present a certain amount of danger by maintaining an always-on connection. By leaving the connection on all the time, a hacker has ample time to get into the machine and the network. The use of encryption and firewall solutions will help keep the environment safe from attacks.

RAS

Remote Access Service (RAS) allows a user to dial in to the network via a modem or modem pool while providing the user with secure access during the time he is connected. Many controls may be used to protect the RAS entry point. Here are some examples:

  • Providing strong authentication

  • Allowing dial-in only with callback to a preset number

  • Restricting dial-in hours and user access

  • Using account lockout and strict password policies

These are just a few of the controls that can be set. In addition, the physical area where the modems or modem pools are located should be secure. Even once the physical and logical environments are secured, a RAS entry point remains susceptible to DoS attacks, buffer overflows, social engineering, and PBX vulnerabilities, so be sure auditing is implemented.

Telecom/PBX

The telecommunications (telecom) system and Private Branch Exchange (PBX) are a vital part of an organization's infrastructure. Besides the traditional standalone PBX hardware, there are also PBX servers, where the PBX board plugs into the server and is configured through software on the computer. Many companies have moved to Voice over IP (VoIP) to integrate computer telephony, videoconferencing, and document sharing.

For years PBX-type systems have been targeted by hackers, mainly to get free long-distance service. The vulnerabilities that phone networks are subject to include social engineering, long-distance toll fraud, and breach of data privacy.

To protect your network, make sure the PBX is in a secure area, any default passwords have been changed, and only authorized maintenance is done. Many times hackers gain access to the phone system via social engineering because the device is usually serviced through a remote maintenance port; that port should be disabled when not in use or protected with strong authentication and callback.

VPN

A Virtual Private Network (VPN) is a network connection that allows you access via a secure tunnel created through an Internet connection. VPNs are very popular for several reasons:

  • Users in an organization can dial a local Internet access number and connect to the corporate network for the cost of a local phone call.

  • Administrative overhead is reduced with a VPN because the Internet Service Provider (ISP) is responsible for maintaining the connectivity once the user is connected to the Internet.

  • There are various security advantages to using a VPN, including encryption, encapsulation, and authentication.

In a VPN, encryption and decryption consume a significant amount of CPU time and memory, so be prepared to factor dedicated hardware or upgrades to existing hardware into the cost of any proposed solution.

IDS

IDS stands for intrusion-detection system. Intrusion-detection systems are designed to analyze data, identify attacks, and respond to the intrusion. They differ from firewalls in that firewalls control the information that gets in and out of the network, whereas IDSs identify unauthorized activity. Intrusion-detection systems are also designed to catch attacks in progress within the network, not just on the boundary between private and public networks. The two basic types of intrusion-detection systems are network based and host based. As the names suggest, network-based IDSs look at the information exchanged between machines, and host-based IDSs look at information that originates on the individual machines. Here are some specifics:

  • Network-based IDSs monitor the packet flow and try to locate packets that may have gotten through the firewall and are not allowed for one reason or another. They are best at detecting DoS attacks and unauthorized user access.

  • Host-based IDSs monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity.
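What a network-based IDS does with "packets that may have gotten through the firewall" is easier to see on data. The block below is an added example, not from the book or any IDS product: two small detections, a policy-violation signature (inbound Telnet, port 23, which the policy forbids) and a threshold rule for port scans (one source hitting five or more distinct ports within ten seconds), run over constructed sensor log lines. The log format, thresholds, and addresses are assumptions made for the illustration.

```python
"""Tiny network IDS: a signature rule and a threshold rule over constructed sensor logs."""
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not a real capture): time src dst dport proto flags
SAMPLE_LOG = """\
2003-04-01T10:00:01 198.51.100.7 10.0.0.5 21 TCP S
2003-04-01T10:00:01 198.51.100.7 10.0.0.5 22 TCP S
2003-04-01T10:00:02 198.51.100.7 10.0.0.5 23 TCP S
2003-04-01T10:00:02 198.51.100.7 10.0.0.5 25 TCP S
2003-04-01T10:00:03 198.51.100.7 10.0.0.5 80 TCP S
2003-04-01T10:00:03 198.51.100.7 10.0.0.5 443 TCP S
2003-04-01T10:00:05 203.0.113.9 10.0.0.8 80 TCP S
2003-04-01T10:00:40 203.0.113.9 10.0.0.8 23 TCP S
2003-04-01T10:01:10 203.0.113.9 10.0.0.8 22 TCP S
"""

SCAN_THRESHOLD = 5      # distinct destination ports from one source ...
SCAN_WINDOW = 10        # ... within this many seconds (assumed tuning values)
DENIED_PORTS = {23}     # policy: Telnet must never arrive from outside


def parse(line: str) -> dict:
    """Split one sensor line into typed fields."""
    ts, src, dst, dport, proto, flags = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "flags": flags}


def detect(log_text: str) -> list:
    """Return alerts as (rule, source, detail) tuples in the order they fire."""
    alerts = []
    history = defaultdict(list)   # src -> [(timestamp, dport), ...] inside the window
    already_flagged = set()       # one scan alert per source, not one per packet
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)

        # Signature rule: a packet to a port the firewall policy never permits.
        if ev["dport"] in DENIED_PORTS:
            alerts.append(("policy-violation", ev["src"], ev["dport"]))

        # Threshold rule: slide the window, count distinct ports touched.
        hist = history[ev["src"]]
        hist.append((ev["ts"], ev["dport"]))
        hist[:] = [(t, p) for t, p in hist
                   if (ev["ts"] - t).total_seconds() <= SCAN_WINDOW]
        distinct = {p for _, p in hist}
        if ev["src"] not in already_flagged and len(distinct) >= SCAN_THRESHOLD:
            already_flagged.add(ev["src"])
            alerts.append(("port-scan", ev["src"], len(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second source touches three ports, but over more than a minute, so it never crosses the threshold; a slow scan is exactly the kind of traffic that a threshold rule misses and that wider windows or correlation across sensors are meant to catch.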


Network-based IDSs try to locate packets not allowed on the network that the firewall missed. Host-based IDSs collect and analyze data that originates on the local machine or a computer hosting a service. Network-based IDSs tend to be more distributed.


Network-based IDSs and host-based IDSs should be used together to ensure a truly secure environment. IDSs can be located anywhere on the network. They can be placed internally or between firewalls. Many different types of IDSs are available, all with different capabilities, so make sure they meet the needs of your company before committing to using them. Chapter 7, "Intrusion Detection and Security Baselines," covers IDSs in more detail.

Intrusion Prevention Systems

Intrusion-prevention software differs from intrusion-detection software in that it sits inline and blocks attack traffic rather than only reporting that an attack occurred. Intrusion detection is reactive: it scans for configuration weaknesses and raises an alert after an attack has been seen, and by the time the alert is issued the attack has usually completed and may already have damaged the network or desktop. Intrusion-prevention systems are the next step in network security software. Because they can drop packets or reset a connection while the attack is happening, and because many add anomaly- or behavior-based detection, they can protect machines against attacks that signature matching alone would not stop. The trade-off is that a false positive on an inline device blocks legitimate traffic, so prevention rules must be tuned more carefully than detection rules.

Network Monitoring/Diagnostics

Most organizations use monitoring and diagnostic tools to help manage their networks. Diagnostic tools can be actual tools, such as cable testers and loopback connectors, or software programs and utilities. Some of the more common network diagnostic tools include the following:

  • Ping Ping is a utility that tests network connectivity by sending an Internet Control Message Protocol (ICMP) echo request to a host and waiting for the echo reply (the name comes from sonar; "Packet Internet Groper" is a later backronym). It is a good troubleshooting tool for telling whether a route to a host is available, although many firewalls block ICMP, so a missing reply does not always mean the host is down.

  • Tracert/traceroute This utility traces the route a packet takes and records the hops along the way. This is a good tool to use to find out where a packet is getting hung up.

  • Nslookup This is a command-line utility used to troubleshoot the Domain Name System (DNS). It queries a DNS server to check whether the correct information is in the zone database.

  • Netstat Netstat displays the ports on which the computer is listening and its active connections. It can also be used to display the routing table and per-protocol statistics.

  • IPConfig/Ifconfig IPConfig is used to display the TCP/IP settings on a Windows machine. It can display the IP address, subnet mask, default gateway, Windows Internet Naming Service (WINS), DNS, and MAC information. This is useful in verifying that the Transmission Control Protocol/Internet Protocol (TCP/IP) configuration is correct if connectivity issues arise.

  • Telnet Telnet is a terminal emulation program used to access remote routers and Unix systems. It is also a handy way to determine whether a particular port on a host is open and responding: telnet to that port and see whether a connection or banner appears. Note that Telnet sends everything, including usernames and passwords, in cleartext, so use it for connectivity checks rather than administration, and prefer SSH for remote management.


Know the different utilities that are used to troubleshoot networks and what they are used for.


Port scanners, vulnerability scanners, and intrusion-detection systems are also used in network monitoring. Port and vulnerability scanners were discussed in Chapter 3, "Nonessential Services and Attacks," and intrusion-detection systems were discussed earlier in this chapter. If these tools are used on the network, be sure the information they gather is protected as well.

SNMP

Simple Network Management Protocol (SNMP) is an Application layer protocol whose purpose is to collect statistics from TCP/IP devices. Its management infrastructure consists of three components:

  • SNMP managed node

  • SNMP agent

  • SNMP network management station

The device loads the agent, which collects the information and forwards it to the management station. Network management stations hold a massive amount of critical network information and are likely targets of intruders because SNMPv1 is insecure. Its only access control is the community name, which acts like a password but is sent in cleartext with every request. By default, the read community is "public" (and the write community is commonly "private"), and many times these are never changed, leaving the information wide open to intruders. The widely deployed SNMPv2c keeps the same community-string model; the Message Digest 5 (MD5) authentication and optional encryption were specified for SNMPv2 variants that saw little deployment. SNMPv3 is the current standard and adds user-based authentication (HMAC-MD5 or HMAC-SHA) and encryption of the payload, but most devices are likely to still be running SNMPv1 or SNMPv2c.

SNMP is often overlooked when checking for vulnerabilities because it runs over User Datagram Protocol (UDP) ports 161 (queries) and 162 (traps), and many scans and audits concentrate on TCP services. Make sure network management stations are secure physically and on the network, restrict which hosts an agent will answer where the device allows it, and block UDP 161 and 162 at the perimeter. You might even consider placing management traffic on a separate management subnet protected by a router with an access list.
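The claim that the community name travels in cleartext is easy to verify by building the packet. The block below is an added example, not code from the book or from any SNMP library: it hand-encodes an SNMPv1 GetRequest for sysDescr (OID 1.3.6.1.2.1.1.1.0) in BER and then reads the community string back out of the raw bytes the way a sniffer on UDP port 161 would. The community strings and request ID are constructed; the encoder only supports the short-form lengths that such small packets need.

```python
"""Hand-built SNMPv1 GetRequest, and what a sniffer recovers from it."""
import socket   # only used by send_get (optional, off-line otherwise)

SYS_DESCR = "1.3.6.1.2.1.1.1.0"


def ber_tlv(tag: int, payload: bytes) -> bytes:
    """Tag, short-form length (< 128 bytes), value."""
    assert len(payload) < 128, "short-form length only"
    return bytes([tag, len(payload)]) + payload


def ber_int(n: int) -> bytes:
    """INTEGER, non-negative, minimal two's-complement encoding."""
    assert n >= 0
    return ber_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = []
        while True:
            chunks.insert(0, arc & 0x7F)
            arc >>= 7
            if arc == 0:
                break
        body += bytes([c | 0x80 for c in chunks[:-1]] + [chunks[-1]])
    return ber_tlv(0x06, bytes(body))


def snmpv1_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU }."""
    varbind = ber_tlv(0x30, ber_oid(oid) + b"\x05\x00")            # { OID, NULL }
    pdu = ber_tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)   # req-id, error-status, error-index
                  + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode()) + pdu)


def community_from_packet(packet: bytes) -> str:
    """Sniffer's view: walk the outer SEQUENCE, skip the version INTEGER, read the OCTET STRING."""
    assert packet[0] == 0x30
    pos = 2
    assert packet[pos] == 0x02
    pos += 2 + packet[pos + 1]
    assert packet[pos] == 0x04
    length = packet[pos + 1]
    return packet[pos + 2: pos + 2 + length].decode()


def uses_default_community(packet: bytes) -> bool:
    """The check an auditor applies to captured management traffic."""
    return community_from_packet(packet) in ("public", "private")


def send_get(host: str, community: str = "public", timeout: float = 2.0) -> bytes:
    """Optional live use against a device you are authorized to test; not needed for the demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(snmpv1_get_request(community, SYS_DESCR), (host, 161))
        return s.recv(1500)


if __name__ == "__main__":
    pkt = snmpv1_get_request("public", SYS_DESCR)
    print(pkt.hex())
    print("community seen on the wire:", community_from_packet(pkt))
```

The community string sits as plain ASCII in the datagram, so anyone able to observe the management subnet learns it, which is the reason for the separate management network and the router access list recommended above.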

Workstations

Workstation security is often overlooked, yet this is one of the areas that can attract intruders the most because it is the path of least resistance to deploying an attack. This mostly happens because users are unaware of the dangers they put themselves and the company in by doing some of the following:

  • Installing unauthorized software

  • Downloading infected music and movie files

  • Opening email that has a virus

  • Forwarding email hoaxes

  • Sharing their C: drive with full access, no password

  • Using weak passwords

  • Not logging off the network when leaving the building

This by no means covers all the possible situations users get into. There is also theft and lost equipment, failed components, and physical access by visitors to consider.

In the area of physical theft, the most obvious solution is security locks. Every laptop comes with a hook for a security lock that can be used to discourage theft attempts. Similar locks exist for desktop workstations as well. In addition to physical locks, educate your employees to always log off or lock their workstations while they are unattended.

To protect the information on stolen or lost equipment, use encryption so that the data cannot be read without the appropriate credentials or key.

Should a component in a workstation fail, such as a hard drive, running nightly backups will be instrumental in making sure the data can be recovered. You may also want to consider removing floppy drives or disabling devices that aren't absolutely necessary. This prevents visitors and users from bringing in infected files.

Antivirus software can be used to scan email and downloaded files for malicious code. Be sure that the definitions are updated on a regular basis; the software alone will not do the job. Again, user education and training will help ensure that the updates are timely.

User education in company security policies and the scope of their responsibilities is the ultimate key to success in keeping the workstations secure.

Servers

As you learned in Chapter 3, servers can serve a variety of functions, and their vulnerabilities are determined by their use. Servers are more sensitive to attacks than workstations, and these attacks can be more costly. Therefore, all network servers should be isolated in a locked server room to prevent any kind of unauthorized physical access. Visitors to these premises must be justified and supervised. Besides having physical controls, availability must also be ensured. This can be accomplished via Redundant Array of Inexpensive Disks (RAID), uninterruptible power supply (UPS) equipment, and clustering. Ways to make the server environment safer were discussed in Chapter 3; server hardening is covered in Chapter 7.

Mobile Devices

Laptops, personal digital assistants (PDAs), Palm Pilots, and PocketPCs are all mobile devices. They are very susceptible to theft because they are small and valuable, and many times they contain important information about a company. They use wireless or infrared technology, and as you saw in the earlier discussion, you need to be sure that encryption is enabled to keep their data safe. If possible, you should protect these devices with passwords so there is at least an initial deterrent.

We have covered basic security concepts as they apply to physical devices. These devices all use some type of media to communicate with each other. With that in mind, let's move to the next section.



Security+ Exam Cram 2 (Exam SYO-101)
ISBN: 0789729105
Year: 2005
Pages: 162
