Preventative Measures


There are many standard techniques typically used to keep a network up and running. One of these preventative measures is regular backups. If your system becomes infected with virus programs or if you find that data has been corrupted, you'll understand the importance of regular, frequent backups. In addition, it's a good idea to keep offline copies of important data files for an extended period. Simply doing a backup each night and overwriting the tape or tapes the next night will provide you with very little protection. Damage to your system might not become evident until weeks or, in some cases, months after the initial intrusion.

There are also commercial and noncommercial products you can use to help safeguard your system. These include intrusion-detection mechanisms, antivirus programs, and programs that can monitor changes on important servers.

So where should you start when defining the defensive mechanisms needed to protect your network? Let's start at the edge of the network: the router.

Protecting Routers

Routers typically can be configured in several ways. You can attach a serial cable and terminal directly to most routers and perform configuration tasks. Another method is Telnet. Most modern routers allow you to Telnet into the router to perform configuration tasks. Turn this functionality on only when it is needed, and then turn it back off. The same goes for unnecessary protocols and services. In a manner similar to deciding what services you want to allow through a firewall (and in what direction), you should turn off all unnecessary services on a router. You'll have to consult your documentation to find out the particular commands you'll need to use. However, a good document on router security can be found at the following URL:

www.cisco.com/warp/public/707/21.html

You might want to check vendor Web sites for other router products that are in use on your network to look for similar advice. Additionally, be sure to stay informed of router firmware updates and operating-system updates and patches. As new threats are discovered, a responsible vendor will release information or code that can be used to help improve the security of the routers that stand guard at the edge of the network.

The Network As Target

There are some problems for which there is currently no easy solution. The distributed denial-of-service attack discussed earlier in this chapter is one of those. When the entry points into your network are saturated with an overload of network traffic, there's not much you can do about it. The best tactic you can use when such an attack occurs is to try to block out the address ranges from which the attack is coming. But when your network is being singled out by several hundred other compromised computers, it's rather difficult to quickly program routers to block all of these network addresses. The fact that many large Internet sites have been taken down during the past few years by these kinds of attacks should be indicative of how serious this attack can be. What can you do? Gather all the information you can, and, when the attack is over, try to backtrack to find out where the attack initiated. At this time it might not be possible to do this, because a single attacker's computer can set off many others to do the dirty work for it. Even if you don't have access to the actual computers that carried out the distributed denial-of-service attack, whatever information you can obtain about those systems can help you research the problem further.

So for now, the best solution is to hope that this doesn't happen to you and to use an Internet service provider that has a good technical team that can respond quickly to help block sites that are generating this type of attack. And by all means, if you are targeted, get the authorities involved.

Protecting Host Computers: Encryption and Virus-Protection Software

After an intruder gets past a router, it's usually pretty easy to intrude further by gaining access to host computers on the network. Again, it is so easy to simply put up a router and firewall configuration and assume that your network is safe. However, even if these methods do protect you from outsiders, you still must worry about users who are allowed on the network. A disgruntled employee can do more damage (and probably do a good job of hiding the evidence) than many network intruders. Host security is a very important topic.

You should first start by becoming intimately familiar with the resource-protection and user-authentication schemes used by your computers. For example, many Unix variants provide for a shadow password file that is not easily accessible. Without it, the password hashes live in the world-readable /etc/passwd file, and when someone breaks into a Unix server, it's a simple matter to download the contents of that file and spend a few minutes or hours using an automated program to encrypt words in a dictionary, check to see whether they match the encrypted passwords in the stolen file, and then simply log back into your Unix box using a valid password!

The applications you run on servers or workstations can also make the host computer an easy target. For example, if you are using older versions of FTP or Telnet, you're sending usernames and passwords across your network in clear, easy-to-read ASCII text. A network sniffer (which can be something as simple as a Trojan horse program planted somewhere in your network) can watch for these and transmit them back to the intruder. Because secure versions of these and other related utilities are available, you should always be sure to use the secure versions, even if it means purchasing additional software rather than relying on the insecure versions that come with your operating system.

You can find more information about standard TCP/IP applications that are particularly vulnerable by reading Chapter 26, "Basic TCP/IP Services and Applications."


If you have an important server that is absolutely critical to your business operations, you might want to consider keeping a "hot spare" around. That is, create another server that is virtually a clone of the important server. If the original server is compromised, place the hot spare into service. This might involve a little time if you have data that needs to be restored to the hot spare before it can be used. However, for servers that contain data that doesn't change often, such as some Web servers, you can have an exact duplicate sitting around just waiting to be used in case the operational Web server becomes compromised.

In this case, however, you need to be sure that the "hot spare" itself has not been compromised. Some malicious code can remain around for many months before causing problems. This is another good reason to use updated antivirus software on a regular, frequent basis.

Another way to protect servers is to use the tools that the operating system provides to protect some services. For example, you'd be a fool to place a directory on your system disk for use as an anonymous FTP site. The last thing you want is to have someone filling up all the space on your system disk. Most operating systems allow you to set quotas that define how much space a particular user account can use on a server's hard drives. Enforcing quotas can help prevent an attack that consists of consuming all the available space on a disk. In addition, you can set alarms to notify you when quotas are being used up at a rate that is faster than what you see during normal operations. It's then an easy matter to track down the source of the data coming into the server and to terminate the user process.

Additionally, protecting computers should also involve software that detects malicious code. Even home PC users are aware of the value of antivirus programs. There are so many vendors of this software that it would be pointless to attempt to list them here. However, when you do choose an antivirus program, there are some things you should consider when making a purchasing decision. For example, does the vendor respond quickly with updates to the software as new viruses are discovered? Does the software have the capability to remove the virus after it has been discovered? Does the software have the capability to scan floppy disks and files transferred to the computer through the network? Of these, the capability to quickly respond to new threats is perhaps the most important. However, your situation might dictate other factors that are more important. Note also that many firewall products now contain some type of virus-detection mechanism.

Using Tripwire

There are many programs you can use to help determine whether your system has been compromised. Tripwire is a very popular program that can be used for this purpose. Tripwire was originally developed in 1992 by Gene Kim and Dr. Eugene Spafford. The Academic Source Release (ASR) version of Tripwire can be downloaded for noncommercial use from Tripwire's Web site. In addition, Tripwire has created commercial versions of the software, including an enterprise manager program (Tripwire Manager) that uses SSL for communications and simplifies management of multiple servers and workstations.

Tripwire is based on the concept of taking a "snapshot" of system resources, such as files, directories, and, in the case of Windows NT, Registry settings. The information gathered by Tripwire is stored in a secure database and is used to compare a server later to determine whether changes have been made and what those changes were. A policy file allows the network administrator to control the types of data that Tripwire monitors and to prioritize certain events using a rule base. In addition, Tripwire can produce reports that make monitoring the system easier for administrators.

Currently, Tripwire runs on the following operating-system platforms:

  • Windows NT 4.0, Windows 2000, Windows 2003, and Windows XP Professional

  • Solaris (SPARC) versions 2.6, 7.0, and 8.0

  • IBM AIX 4.3

  • HP-UX 11.0

  • Several versions of Linux

Some of the things that Tripwire can monitor are specific to an operating system, whereas others (such as file types and sizes) can be monitored on all platforms. For example, here are a few of the items you can use Tripwire to monitor on Unix systems:

  • Addition, deletion, or modification of files, along with file permissions, types, and sizes

  • Inode number and number of links

  • Owner and group IDs for files

  • Modification timestamps and access timestamps

In addition, hash algorithms can be used to ensure the integrity of the contents of files. Tripwire supports several kinds of hashing algorithms, such as CRC-32, MD5, and the SHS/SHA algorithm, among others.
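As an added example (not code from the book or from Tripwire itself), the following Python script applies the snapshot-and-compare idea to a directory tree: it records the Unix attributes listed above plus a SHA-256 content hash for each path, then reports added, deleted and modified paths together with the attributes that changed. The JSON baseline format and the command-line usage are my assumptions.

```python
import hashlib
import os

# Attributes recorded per path, mirroring the Unix items listed above (mode covers permissions
# and type). Access time is omitted on purpose: hashing reads the file and resets its atime.
TRACKED = ("mode", "size", "inode", "nlink", "uid", "gid", "mtime", "sha256")

def sha256_of(path):
    """Hash file contents in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def file_record(path):
    """Describe one path; only regular files (not symlinks) get a content hash."""
    st = os.lstat(path)
    regular = os.path.isfile(path) and not os.path.islink(path)
    return {"mode": st.st_mode, "size": st.st_size, "inode": st.st_ino,
            "nlink": st.st_nlink, "uid": st.st_uid, "gid": st.st_gid,
            "mtime": st.st_mtime_ns, "sha256": sha256_of(path) if regular else None}

def snapshot(root):
    """Baseline {relative path: record} for a tree; keep it read-only off the host (Tripwire signs its database)."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db

def compare(baseline, current):
    """Return added and deleted paths plus, per surviving path, which attributes changed."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [k for k in TRACKED if baseline[path][k] != current[path][k]]
        if changed:
            modified[path] = changed
    return {"added": added, "deleted": deleted, "modified": modified}

if __name__ == "__main__":
    # Assumed CLI: "snapshot DIR" writes a JSON baseline; "check DIR < baseline.json" diffs it.
    import json, sys
    if sys.argv[1] == "snapshot":
        json.dump(snapshot(sys.argv[2]), sys.stdout)
    else:
        print(json.dumps(compare(json.load(sys.stdin), snapshot(sys.argv[2])), indent=2))
```

A directory that gains or loses an entry shows up as modified too, because its own size and mtime change; that is expected and is how a dropped file in a system directory gets noticed even before the file itself is listed.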

For Windows NT systems, the list that can be monitored includes the standard file components and things such as these:

  • File attributes, such as archive, read-only, hidden, or offline

  • Create and access times

  • NTFS Owner SID, NTFS Group SID, and other NTFS attributes

  • Addition, deletion, and modification of Registry keys and the values of those keys

These lists are not all-inclusive. For more information about acquiring an evaluation copy of Tripwire or the Academic Source Release, visit the Web site www.tripwire.com.

User Awareness and Training

Social engineering is a term used a lot lately to describe an easy method for gaining access into your network. Put quite simply, are the users of your network trained in security measures? A quick test is to simply have someone from your help desk call a user and ask him for his password. I would bet that in at least half of the cases the users will give out their passwords. A help-desk person shouldn't have to ask this type of question! Instead, if people at your help desk need to access a user account, they can notify the user that they are changing the password temporarily and will notify the user when to reset the password to a value known only to the user.

A password policy should also be in effect to ensure that common names and words are not used. Yet, one must be careful to avoid making passwords so difficult that users have a hard time remembering them. Most operating systems have the capability to keep a history list of passwords to prevent their reuse within a specified amount of time. You'll also find that you can usually set a minimum and maximum password length.

Social engineering also can involve dumpster diving. How secure are the printouts that you throw in the trash can? Do you have paper shredders (and a security policy dictating their use) in place? Even Hollywood stars know that much useful information can be obtained from a trash can! This goes not just for paper materials. When you decommission old tapes or old computer hard drives, do you take the time to destroy any data that is stored on them? It may be well and good to donate old computers to nonprofit organizations or schools, but it's also a good idea to reformat the hard drives and reinstall the operating systems before you do so. Tapes can be made useless by various means, including bulk tape erasers that zap the contents in just a few seconds.



Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2003
Pages: 434
