The Need for Network Security

Today, the vast majority of networks are connected to the Internet, allowing users to take advantage of fast and efficient worldwide e-mail communication, newsgroups, file transfer, and the tremendous research capabilities offered by the World Wide Web (WWW). Unfortunately, this connectivity makes the network vulnerable to all the "bad guys" lurking out there, looking to break into systems for fun or profit. Who they are and why they do it is beyond the scope of this book. In this chapter, we confine our discussion to what the "bad guys" do and how you can defend your network against them.

Hackers, crackers, and network attackers (including "script kiddies" who have little technical expertise) can use a number of methods to circumvent network security and gain access to information, including:

  • Snooping

  • Spoofing

  • Password compromise

  • Denial-of-Service (DoS) attack

  • Man-in-the-Middle (MITM) attack

  • Application-directed attack

  • Compromised Key attack

Test Day Tip 

As the network administrator or security administrator you must become intimately familiar with the various types of attacks your network is subject to, but you do not have to memorize every detail of them for this particular exam. What you do need to know for this exam are the basics of how each attack works and how IPSec can be used as part of a multilayered security solution to help prevent them.

Snooping

Most data sent over a network is transmitted in cleartext. An individual with a network sniffer such as the Network Monitor program that comes with Systems Management Server or a third-party program such as Sniffer Pro, can easily read cleartext messages as they traverse a network.

This is also true of sensitive data, such as user account passwords. Some server applications that maintain their own username and password lists allow for this type of critical logon information to cross the network in cleartext format. A network snooper, using easily accessible sniffing programs, can plug into an available port in a hub or switch and access the information. The person using the snooping program can now use the stolen credentials to access the network at any time, posing as an authorized user. Other information that can be intercepted includes credit card numbers, Social Security numbers, contents of personal e-mail messages, and proprietary organizational secrets.

Spoofing

The source and destination Internet Protocol (IP) addresses are prerequisites for establishing sessions between computers on a Transmission Control Protocol/Internet Protocol (TCP/IP)-based network. The act of IP spoofing involves assuming the identity of a legitimate trusted host computer on a network in order to gain access to computers on the internal network. This is done by forging someone else's source IP address. Another term for spoofing is impersonation, because the intruder impersonates a computer with a legitimate IP address. A common spoofing-based attack is the TCP/IP sequence number attack. Further, some software tools are available that allow people without technical skills to easily spoof addresses.

The TCP/IP Sequence Number Attack

TCP is responsible for the reliability of communications on a TCP/IP-based network. This responsibility includes acknowledgment of information sent to a destination host. To track bytes sent over a network, each segment is given a sequence number. A sophisticated attacker can establish the sequencing pattern between two computers because the sequence pattern is not random.

First, the attacker must gain access to the network. Then, they must connect to a server and analyze the sequence pattern between the server and a legitimate host with which it is communicating at the time. The TCP/IP sequence number attacker then attempts to connect to the server by spoofing (falsely assuming) a legitimate host's IP address. To prevent the legitimate host from responding, the spoofer starts a DoS attack on the legitimate host.

Because the legitimate host cannot respond, the spoofer waits for the server to send its reply and then responds with the correct sequence number. The server then believes that the spoofing computer is the legitimate host, and the spoofer can begin data transfer.

Spoofing Tools

Hackers are all too willing to share their knowledge with others. Many hackers will not only teach hacker "wannabes" how to perform various attacks, but they will even create software tools to perform these tasks so that people with little or no technical expertise can use the same techniques. Those who run these scripts instead of performing the steps manually themselves are known as "script kiddies."

IP spoofing utilities are commonly found on hacker sites. Additionally, many distributed attack tools (those used to launch distributed DoS attacks) use source IP address spoofing to hide the origin of an attack. Tools such as Mendax (for Linux), Spoofit, and detailed spoofing guides can be downloaded from the Web or exchanged in hacker newsgroups. Some of these are marketed as legitimate systems administration tools designed to test a network's vulnerability to spoofing, but they can also be used for nefarious purposes.

Password Compromise

Users who gain illegitimate access to network passwords can access resources they would not otherwise be able to use. An attacker can gain knowledge of passwords in a number of ways, including:

  • Social Engineering  The attacker contacts an individual who has access rights to the information of interest. Often using an assumed identity, the attacker makes a request for a password from the individual, using a persuasive story and/or a charming personality to con the victim into revealing the password. Many infamous hackers, such as Kevin Mitnick, have used social engineering to aid in their hacking efforts.

  • Sniffing  Many network applications (for example, Post Office Protocol [POP] and File Transfer Protocol [FTP]) allow a username and password to cross a network in cleartext. The attacker can use a network sniffer application (also called a network monitor or protocol analyzer) to intercept the information and look at the data inside the packet.

  • Cracking  A cracker uses a number of techniques to gain illegal access to passwords. Examples of cracking techniques include dictionary attacks and brute-force attacks. Crackers also rely on the tendency of many users to select easily guessed passwords, such as Social Security numbers, a spouse's name, or other information that can be obtained through a little investigative research.

If an administrator's password is compromised, the attacker has access to all network resources that are protected with access controls. The intruder also has access to the entire user account database and can use this information to access all files and folders, change routing information, and alter information without the knowledge of users who depend on the information.

start sidebar
Damage & Defense…
The Importance of Password Policies

A good password policy is the first line of defense in protecting a network from intruders. Careless password practices (choosing common passwords, such as "God" or "love" or a user's spouse's name; choosing short, all-alpha, one-case passwords; writing passwords down; or sending passwords across the network in plaintext) are like leaving your car doors unlocked with the key in the ignition. Although some intruders might be targeting a specific system, many others are just "browsing" for a network that is easy to break into. Lack of a good password policy is an open invitation.

Best practices for password creation require that you address the following:

  • Password length and complexity

  • Who creates the password

  • Forced changing of passwords

A few rules of thumb for creating good password policies include:

  • Passwords should have a minimum of eight characters.

  • Passwords should not be "dictionary" words.

  • Passwords should consist of a mixture of alpha, numeric, and symbol characters.

  • Passwords should be created by their users.

  • Passwords should be easy for users to remember.

  • Passwords should never be written down.

  • Passwords should be changed on a regular basis.

  • Passwords should be changed anytime compromise is suspected.

  • Password change policies should prevent users from making only slight changes when creating new passwords.
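The rules of thumb above turned into a policy checker, as an added example (not code from the study guide). The word list, the minimum of eight characters and the "slight change" threshold of fewer than three differing positions or a one-or-two-character addition are assumptions chosen to match the rules.

```python
import re
from typing import Optional

# Constructed stand-in for a real dictionary file (assumption).
DICTIONARY = {"password", "god", "love", "welcome", "secret", "letmein"}
MIN_LENGTH = 8
REQUIRED_CLASSES = {"alpha", "digit", "symbol"}


def character_classes(pw: str) -> set:
    """Which of alpha / digit / symbol characters the password uses."""
    classes = set()
    for ch in pw:
        if ch.isalpha():
            classes.add("alpha")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def is_dictionary_word(pw: str) -> bool:
    """Compare only the letters, so 'Password1!' is still the word 'password'."""
    core = re.sub(r"[^a-z]", "", pw.lower())
    return core in DICTIONARY


def is_slight_change(new: str, old: Optional[str]) -> bool:
    """True when the new password is the old one reused, extended by at most
    two characters, or altered in fewer than three positions."""
    if old is None:
        return False
    a, b = new.lower(), old.lower()
    if a == b:
        return True
    if (a.startswith(b) or a.endswith(b)) and len(a) - len(b) <= 2:
        return True
    if len(a) == len(b):
        return sum(1 for x, y in zip(a, b) if x != y) < 3
    return False


def check_password(pw: str, previous: Optional[str] = None) -> list:
    """Return the policy rules the candidate violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if is_dictionary_word(pw):
        problems.append("dictionary word")
    if not REQUIRED_CLASSES <= character_classes(pw):
        problems.append("missing character class")
    if is_slight_change(pw, previous):
        problems.append("too similar to previous password")
    return problems
```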

In a high security environment, you might need to go beyond the use of just passwords (something you know) in authenticating users to access the network. A multifaceted authentication scheme also requires that users provide something they have (such as smart cards or tokens) and/or something they are, that is, biometric identifiers such as fingerprints or retinal scans.

end sidebar

DoS Attacks

A common type of network attack is the DoS attack. Rather than actually breaking into a network to access its data, this type of attacker attempts to overload a network or server to cause a shutdown, thereby denying network services to legitimate users. A DoS can be created in a number of ways. All DoS attack techniques have the ability to disrupt normal computer or operating system functioning on a targeted machine. These attacks can flood a network with useless packets, corrupt or exhaust memory resources, or exploit a weakness in a network application. DoS attacks include:

  • TCP SYN attacks

  • SMURF attacks

  • Teardrop attacks

  • Ping-of-Death attacks

TCP SYN Attacks

When computers on a TCP/IP-based network establish a session, they go through a three-way handshake process as follows:

  1. The originating client sends a packet with the SYN flag set to On. This host includes a sequence number in the packet. The server uses this sequence number in the next step.

  2. The server returns a packet to the originating host with its SYN flag set to On. This packet has a sequence number that is incremented by 1 over the number that was sent by the requesting computer.

  3. The client responds to the request with a packet that acknowledges the server's sequence number by incrementing the sequence number by 1.

Whenever a host requests a session with a server, the pair goes through the three-way handshake process. The attacker can take advantage of this process by initiating multiple session requests that originate from bogus source IP addresses. The server keeps each open request in a queue while it waits for Step 3 to occur. Entries in the queue are typically emptied every 60 seconds. If the attacker is able to keep the queue filled, legitimate connection requests will be denied, so service is denied to legitimate users of e-mail, Web, FTP, and other IP-related services.
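A simulation of the half-open queue described above, as an added example that is not from the study guide: it replays a constructed connection log against a queue with the 60-second expiry from the text and an assumed capacity of five entries, showing how forged-source SYNs that never reach Step 3 crowd out a legitimate client, and computes the SYN-without-ACK ratio a defender would alert on.

```python
QUEUE_TIMEOUT = 60    # seconds a half-open entry stays queued (per the text)
QUEUE_CAPACITY = 5    # assumed small backlog so the effect shows quickly

# Constructed log: (time_seconds, client_ip, client_port, flag).
# "S" = client SYN (Step 1), "A" = client's final ACK (Step 3).
EVENTS = [
    (0.0, "10.0.0.5", 40001, "S"),
    (0.1, "10.0.0.5", 40001, "A"),      # legitimate client completes the handshake
    (1.0, "198.51.100.7", 1000, "S"),   # forged sources never answer the SYN-ACK
    (1.1, "198.51.100.8", 1001, "S"),
    (1.2, "198.51.100.9", 1002, "S"),
    (1.3, "198.51.100.10", 1003, "S"),
    (1.4, "198.51.100.11", 1004, "S"),
    (2.0, "10.0.0.6", 40002, "S"),      # legitimate client meets a full queue
    (70.0, "10.0.0.6", 40003, "S"),     # stale entries have expired by now
]


def simulate(events, timeout=QUEUE_TIMEOUT, capacity=QUEUE_CAPACITY):
    """Replay the server's half-open queue between Step 1 and Step 3.
    Returns (requests the server had to refuse, peak queue occupancy)."""
    half_open = {}          # (ip, port) -> time the SYN arrived
    dropped = []
    peak = 0
    for t, ip, port, flag in events:
        # Entries older than the timeout are emptied from the queue.
        for key in [k for k, ts in half_open.items() if t - ts >= timeout]:
            del half_open[key]
        if flag == "S":
            if len(half_open) >= capacity:
                dropped.append((t, ip, port))   # service denied to this client
            else:
                half_open[(ip, port)] = t
        elif flag == "A":
            half_open.pop((ip, port), None)     # Step 3 completes the handshake
        peak = max(peak, len(half_open))
    return dropped, peak


def incomplete_ratio(events):
    """Share of SYNs that never saw the client's final ACK. A value near 1.0
    over a short window is the detection signature of a SYN flood."""
    syns = {(ip, port) for _, ip, port, f in events if f == "S"}
    acks = {(ip, port) for _, ip, port, f in events if f == "A"}
    return len(syns - acks) / len(syns)
```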

SMURF Attacks

A SMURF attack attempts to disable a network by flooding it with Internet Control Message Protocol (ICMP) echo requests and echo replies. In a SMURF attack, the attacker spoofs a source IP address and then issues an ICMP echo request to a broadcast address. This action causes all the machines on a segment to reply to the bogus request. If the attacker can maintain this attack for an extended period of time, no useful information can be passed through the network due to the flood of ICMP echo request and reply messages traversing the wire.

Teardrop Attacks

A Teardrop attack is executed using a program such as teardrop.c that causes fragmentation similar to that seen in a Ping-of-Death attack (described next). A Teardrop attack takes advantage of a weakness in the fragment reassembly process and can cause a system to hang or crash.

Ping-of-Death Attacks

The Ping-of-Death attack exploits features of ICMP and the maximum transfer unit (MTU) sizes of various network architectures. The PING command issues an ICMP echo request and receives an ICMP echo reply from the destination host. The ICMP echo request message is encapsulated in an IP packet that is limited to 65,535 octets. The MTU defines the maximum size of a unit for a defined network architecture, which varies with the media type.

If the size of a packet is larger than the MTU, the packet is fragmented and then reassembled at its destination. It is possible to send a packet with more than the legal number of octets. When packets are fragmented, an offset value is included with the packet. This offset value is used to reassemble fragments at their destination. The attacker could include with the last fragment a legal offset and a larger packet size. This will exceed the legal number of octets in the data portion of the ICMP echo request. When reassembly is attempted, the destination computer could respond by rebooting or crashing.
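A reassembly sanity check covering both failure modes just described, the overlapping fragments of a Teardrop attack and a final fragment whose offset plus size exceeds the 65,535-octet limit, as an added example that is not from the study guide. The fragment records are constructed, and a 20-octet IP header is assumed; a real check would read the offset (in 8-octet units), the more-fragments flag and the payload length from each IP header.

```python
IP_MAX_OCTETS = 65535   # largest legal IP datagram, header included
FRAG_UNIT = 8           # the IP fragment offset field counts 8-octet units
HEADER_OCTETS = 20      # assumed header length without options

# Constructed fragment sets: (offset_units, more_fragments, payload_octets).
NORMAL_PING = [(0, True, 1480), (185, True, 1480), (370, False, 100)]
OVERSIZE_PING = [(0, True, 1480), (8189, False, 1000)]   # ends past 65,535
OVERLAPPING = [(0, True, 36), (3, False, 4)]             # second sits inside first


def check_fragments(fragments, header_octets=HEADER_OCTETS):
    """Inspect one datagram's fragments before reassembling them.
    Returns findings: ('oversize', offset, total_octets) when a fragment would
    push the reassembled datagram past 65,535 octets (Ping-of-Death), or
    ('overlap', offset, (start, end)) when it overlaps an earlier fragment
    (Teardrop-style). An empty list means the set reassembles cleanly."""
    findings = []
    covered = []    # (start, end) data-octet ranges already placed
    for offset_units, more, payload in sorted(fragments):
        start = offset_units * FRAG_UNIT
        end = start + payload
        if header_octets + end > IP_MAX_OCTETS:
            findings.append(("oversize", offset_units, header_octets + end))
        for s, e in covered:
            if start < e and s < end:
                findings.append(("overlap", offset_units, (s, e)))
                break
        covered.append((start, end))
    return findings


def should_drop(fragments):
    """Policy hook: refuse to reassemble any datagram with findings."""
    return bool(check_fragments(fragments))
```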

MITM Attacks

A MITM attack occurs when two parties believe that they are communicating only with each other, but in fact there is an intermediary silently listening in on the conversation. The man in the middle can intercede in the conversation by impersonating the identity of either the sender or the receiver. During the attacker's intercession, they can alter or destroy messages during transit.

Using a network sniffer, an attacker can record and save messages for later use. The man in the middle, having recorded aspects of a conversation, can later replay this information to get around network authentication mechanisms. This is known as a replay attack.

Application-directed Attacks

Application-directed attacks seek to take advantage of weaknesses inherent in certain network applications. By exploiting weaknesses in network applications, an intruder can:

  • Corrupt or alter important operating system files

  • Change the content of data files

  • Cause a network application or an entire operating system to operate abnormally or even crash

  • Disrupt normal security and access controls maintained by the application or operating system

  • Plant a program or programs that can return information to the attacker; Back Orifice is an example of such an application

Numerous types of application-directed attacks exist. Web servers are often the targets of such attacks. One example is the Code Red worm that caused considerable damage to numerous systems a few years ago. This worm exploits vulnerabilities in the Internet Information Services (IIS) running on Windows NT 4 and Windows 2000 systems. It can deface Web sites running on a server. It can also install DoS tools. After infecting a system, the worm attempts to propagate itself to other unprotected IIS servers. Variants of the Code Red worm have been created as well, each with its own symptoms. Microsoft creates security patches to protect against known application vulnerabilities such as Code Red. Always check the http://microsoft.com/security site for information about the latest attacks and their patches.

These application-level attacks provide the most fertile ground for would-be intruders. Many network applications have not undergone the degree of security assessment and testing that is required to optimize their immunity to attacks aimed against them.

Compromised Key Attacks

A key is a number, or cipher, that can be used in combination with an encryption algorithm to either verify the integrity of a communication or encrypt the contents of a communication. Various types of keys are available. One type is known as a secret key. A sending computer encrypts the contents of a message using a secret key, and the receiving computer decrypts the message with the same secret key. Using this shared secret, two computers can communicate in private.

Another type of secret key is the private key. The secret private key can be used to confirm a sender's identity. This process is known as signing a message. A recipient who receives a message signed by someone's private key can be confident that the person who claims to have sent the message is indeed that person. The private key is part of a key pair, two mathematically related keys. The other part of the pair is a public key. The private key is kept secret, and the public key is published to the world. If the public key belonging to a certain person can be used to decrypt their messages, that affords assurance that the message was encrypted with the related private key, which is known only to the person. As discussed in Chapter 9, key pairs can also be used in the opposite way: A message can be encrypted by a sender using the recipient's public key, and only the person who holds the associated private key can decrypt the message, providing confidentiality for the data.

An attacker who somehow gains access to secret or private keys can decrypt messages intended for someone else or communicate with an assumed identity using someone else's private key. When secret or private keys no longer remain secret and private, they are said to be compromised. After keys are compromised they can no longer be used to secure identities and information. Detecting whether a key has been compromised is difficult. Often, the compromise of a key is discovered only after some vital piece of information is found to no longer be secret, as in cases of corporate espionage.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
