Over the Network


Attacking a system over the network gives the hacker a significant advantage over a serial line. On the serial line, the hacker has only the login program, and possibly UUCP, to attack. However, over the network, he has a plethora of programs offering services through different sockets on the network. Most of these services use simple text-based protocols that can be attacked , even if the hacker has only terminal access.

Dial-up access directly into a network is available only via a terminal server or a dial-up network server utilizing a serial line protocol, such as SLIP or PPP.

Terminal/Modem Servers

Network terminal or modem servers are devices that are directly attached to the network and allow for either direct-connected terminals or modems. The connection through these devices will generally give the user a prompt that allows him to connect to any device on the network. This connection will usually use either telnet or a proprietary protocol. In either case, the remote computer will see the user as a simple terminal connecting over the network. Many universities and businesses use terminal servers to consolidate the costs of modems and telephone lines into one location that can be utilized by everyone in the organization.

In many cases, a hacker will get a connection by simply connecting to the modem server. There may be no password required. He may then be able to connect to any computer that is on the same network or any system on which there is routing information. In either case, network terminal/modem servers are a very useful commodity to the hacker. Some of these network terminal servers will allow him to connect to the modem that is attached to the port and dial out using that modem. If that is the case, he has the ability to dial in and dial out, allowing him to put the long-distance call on your bill and to do connection laundering; that is, anyone who is tracing his activities to where he dialed out will come back to you, the owner of the terminal server, instead of directly to the hacker.

If you can require some level of authentication on your terminal server, do so. Giving free access to your network is asking for trouble. Restrict the systems to which the terminal server can connect. This will reduce your level of vulnerability. Utilize Caller ID on all modems. Institute callback security where possible. Where possible, do not allow dial-out from terminal servers.

Dial-up SLIP/PPP Servers

Today it is common to want to extend your network so you can facilitate users who work on the road or at home. This is usually done by having a dial-up SLIP or PPP server. This server gives TCP/IP connectivity to the system that dials into it.

This will allow the hacker to be a peer on the network. A hacker's system can utilize all the network tools at his disposal to probe systems. Gaining access over the network is much easier than over a terminal line. However, gaining access to a dial-up SLIP or PPP connection will generally be more difficult than a simple text connection. Text connections are often guarded by only a login ID and password. The dial-up SLIP will also require IP address information. Organizations should put stronger security on SLIP and PPP connections. These should include a hardware-based password system and some type of smart card, so access is not possible without physically having the smart card. This is termed two-factor authentication, because it is based on something you know, a password or PIN number, and something you have, a smart card or authentication token. It is also a very good idea to have Caller ID enabled on all dial-up connections.

Host-based Firewalls

A host-based firewall is a software product that evaluates each network packet the system receives and decides whether to accept it, based on a variety of packet features including the source address and packet type. It can evaluate all types of packets, including UDP and ICMP.

When an IP packet is received, the software goes down a list of rules until it finds a rule matching the packet and then handles the packet in the manner that the rule specifies.

ipchains is a stateless firewall. This means that the decision to accept a packet is based solely on its source and destination addresses, port numbers, and protocol; nothing about earlier packets is remembered.

System administrators who already employ ipchains-based firewalls should begin migrating their scripts to iptables before the release of Red Hat 7.2. Red Hat 7.1 ships with a 2.4.x kernel that has netfilter and iptables compiled in.

The following shell script configures ipchains to deny all access except SSH:

    #!/bin/sh
    PATH=/usr/sbin:/sbin:/bin:/usr/bin

    LOCAL_INTERFACE="192.168.1.1/32"                # this host's IP address
    LOCAL_NETWORK="192.168.1.0/24"                  # local IP address/mask
    SSH_PERMITTED="192.168.1.2/32 192.168.2.3/32"   # hosts allowed to ssh in

    # deny everything by default, then flush any existing rules
    ipchains -P input DENY
    ipchains -P output DENY
    ipchains -P forward DENY
    ipchains -F

    # permit new ssh connections (tcp port 22) from the listed hosts
    for ipaddr in $SSH_PERMITTED; do
        ipchains -A input -p tcp -s $ipaddr -d $LOCAL_INTERFACE 22 -j ACCEPT
    done

    # permit outgoing tcp, and the non-SYN replies that come back to it
    ipchains -A output -p tcp -s $LOCAL_INTERFACE -j ACCEPT
    ipchains -A input -p tcp ! -y -d $LOCAL_INTERFACE -j ACCEPT

    # log and deny all other connection attempts
    ipchains -A input -p tcp -d $LOCAL_INTERFACE -l -j DENY
    ipchains -A input -p udp -d $LOCAL_INTERFACE -l -j DENY
    ipchains -A input -p icmp -d $LOCAL_INTERFACE -l -j DENY

IPTables is part of the netfilter project and the replacement for ipchains in the Linux 2.4 kernel. Iptables has many more features than ipchains, including the ability to do stateful packet inspection, and a clean separation of packet filtering and network address translation.

    #!/bin/sh
    # flush existing rules in the filter table
    iptables -F

    # permit outgoing connections
    iptables -P OUTPUT ACCEPT
    # deny inbound connections by default
    iptables -P INPUT DROP

    # allow packets on the loopback interface
    iptables -A INPUT -i lo -j ACCEPT
    # allow replies to connections this host initiated (stateful match)
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

IPFilter is a stateful firewall package. It maintains session information so that it can associate each individual packet to the session to which it belongs. This allows for better selection of allowing or denying packets, since the additional information about the session is available. This session information can also be applied to sessionless connections, such as UDP and ICMP. IPFilter will associate these packets into a virtual session to which they belong and provide the additional security based on this session information.
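To make the stateless/stateful distinction of the last few paragraphs concrete, here is an added simulation (not code from the book) that models the chapter's ipchains input chain as a first-match stateless filter and an IPFilter-style session table as a stateful filter, then runs both over a constructed packet trace. The host address, the permitted SSH clients and every packet are assumed values; packets are plain records, not real network traffic.

```python
"""Stateless vs. stateful packet filtering, simulated.

Added example, not code from the book. Packets are constructed records,
not real network traffic; HOST and SSH_PERMITTED are assumed values
(SSH_PERMITTED mirrors the hosts in the chapter's ipchains script).
"""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport flags")

HOST = "192.168.1.1"
SSH_PERMITTED = {"192.168.1.2", "192.168.2.3"}


def syn_only(p):
    """What ipchains -y matches: SYN set, ACK and FIN clear (a new connection)."""
    return "S" in p.flags and "A" not in p.flags and "F" not in p.flags


def stateless_input(p):
    """First-match rule list with policy DENY, modelled on the ipchains input
    chain: the filter looks only at the packet in hand, never at earlier ones."""
    rules = [
        # new ssh connections from the permitted hosts
        (lambda q: q.proto == "tcp" and q.dst == HOST and q.dport == 22
                   and q.src in SSH_PERMITTED, "ACCEPT"),
        # the "! -y" rule: any TCP packet that is not a bare SYN is assumed
        # to be a reply to a connection this host opened
        (lambda q: q.proto == "tcp" and q.dst == HOST and not syn_only(q), "ACCEPT"),
        # everything else is logged and denied
        (lambda q: q.proto in ("tcp", "udp", "icmp"), "DENY"),
    ]
    for matches, verdict in rules:
        if matches(p):
            return verdict
    return "DENY"  # chain policy


def _key(proto, src, sport, dst, dport):
    return (proto, src, sport, dst, dport)


class StatefulFilter:
    """Session table keyed by 5-tuple, in the spirit of IPFilter's keep state.
    UDP and ICMP get a virtual session entry when the host sends a request."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, p):
        # store the reversed tuple so the reply matches the table directly
        self.sessions.add(_key(p.proto, p.dst, p.dport, p.src, p.sport))
        return "PASS"

    def inbound(self, p):
        # a new ssh connection from a permitted host creates a session
        if (p.proto == "tcp" and p.dst == HOST and p.dport == 22
                and p.src in SSH_PERMITTED and syn_only(p)):
            self.sessions.add(_key(p.proto, p.src, p.sport, p.dst, p.dport))
            return "PASS"
        # anything else passes only if it belongs to a known session
        if _key(p.proto, p.src, p.sport, p.dst, p.dport) in self.sessions:
            return "PASS"
        return "BLOCK"


def run_trace():
    """Run a constructed trace through both filters; returns verdict pairs."""
    sf = StatefulFilter()
    results = {}

    # 1. the host opens a web connection and the SYN/ACK comes back
    sf.outbound(Packet("tcp", HOST, 40000, "10.0.0.5", 80, "S"))
    reply = Packet("tcp", "10.0.0.5", 80, HOST, 40000, "SA")
    results["web reply"] = (stateless_input(reply), sf.inbound(reply))

    # 2. an unsolicited ACK-only packet to a port the host never used
    stray = Packet("tcp", "203.0.113.9", 44444, HOST, 25, "A")
    results["unsolicited ACK"] = (stateless_input(stray), sf.inbound(stray))

    # 3. a DNS query goes out over UDP and the answer comes back
    sf.outbound(Packet("udp", HOST, 5353, "192.168.1.53", 53, ""))
    answer = Packet("udp", "192.168.1.53", 53, HOST, 5353, "")
    results["dns reply"] = (stateless_input(answer), sf.inbound(answer))

    # 4. new ssh connections from a permitted host and from an outsider
    ok = Packet("tcp", "192.168.1.2", 50000, HOST, 22, "S")
    results["ssh permitted"] = (stateless_input(ok), sf.inbound(ok))
    bad = Packet("tcp", "203.0.113.9", 50001, HOST, 22, "S")
    results["ssh outsider"] = (stateless_input(bad), sf.inbound(bad))
    return results


if __name__ == "__main__":
    for label, (stateless, stateful) in run_trace().items():
        print(f"{label:16} stateless={stateless:7} stateful={stateful}")
```

The "unsolicited ACK" row is the point of the passage: the stateless `! -y` rule must accept every non-SYN TCP packet because it cannot know which connections the host opened, whereas the session table passes only replies to traffic it has already seen. The DNS row shows the virtual session that lets a stateful filter admit a UDP answer without leaving port 53 open to everyone; the book's ipchains script, having no UDP accept rule, simply denies it.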

IPFilter was built on BSD-based UNIX systems and is available on Solaris and IRIX as well as HP-UX.

IPFilter/9000 (B9901AA) is a port to HP-UX of the popular BSD IPFilter program, which is a public-domain stateful inspection host-based firewall system. It provides for the filtering of selected IP traffic into or out of the system. The traffic can be selected by source address, destination address, protocol port number, packet features, or any combination of these. It is provided for use as a system firewall on hosts running HP-UX 11i.

A system firewall is a packet filtering mechanism that is built into the TCP/IP stack of a host and provides filtering functionality specifically configured for the protection of that particular host. This program uses a sophisticated stateful-inspection packet filtering technology to filter traffic that enters or exits an individual HP-UX host.

Multi-homed HP-UX systems can be configured to discard incoming packets that are received through one network interface but whose destination address is that of a different interface on the same host, and to block outgoing packets whose source address is not that of the interface through which they are being sent. This packet filtering feature characterizes the Strong End-System (ES) functionality described in RFC 1122 of the IETF.

It can also function as a limited application proxy, but it is not recommended or supported as a general-purpose application proxy.

Designed to be used as a firewall, it is quite capable of being used to protect a host from network attacks. By default, the product will allow all packets to pass both in and out. However, by adding the appropriate filters to /etc/opt/ipf/ipf.conf , all packets can be blocked.

It is supported on HP-UX 11, with appropriate patches, in both 32- and 64-bit mode. It is released as a no-charge software product on the application CD.

The following configuration file denies all except SSH:

    # By default block all packets
    block in all
    block in proto tcp all flags S/SA
    block in proto udp all
    block in proto icmp all

    # Allow packets on loopback interface
    pass in quick on lo0 all
    pass out quick on lo0 all

    # Block all packets with IP options (source routing in particular)
    block in log quick all with opt lsrr
    block in log quick all with opt ssrr
    block in log quick all with ipopts

    # Block all packets with a length which is too short to be real
    block in log quick proto tcp all with short

    # pass secure shell (tcp port 22 on this host) from the permitted client
    pass in on le0 proto tcp from 192.168.1.2/32 to any port = 22 flags S keep state

    # allow all outbound connections initiated by me
    pass out quick proto tcp from any to any flags S keep state keep frags
    pass out quick proto udp from any to any keep state
    pass out quick proto icmp from any to any keep state

Packet Filtering

Packet filtering is a method of restricting network access based on the network service being requested and the hosts requesting the service. On specific machines, this is accomplished by disabling the service, using a wrapper program to deny access to the service, or using the internet daemon's security to limit the hosts that can use the service on systems that support it. Usually, you will want to do packet filtering on a network level instead of a host level. This can be accomplished with filtered bridges or routers. If your site isn't filtering certain TCP/IP packets, it may not be as secure as you think it is.

System managers, security managers, and network managers need to understand packet filtering issues. Due to the flaws in several TCP/IP services and chronic system administration problems, a site must be able to restrict external access to these services. It is recommended that the following services be filtered:

  • DNS zone transfers can be used by hackers to request all the information contained in the Domain Name Services database. Permit access to this service only from known secondary domain name servers. This will prevent intruders from gaining additional knowledge about the systems connected to your local network.

  • TFTP allows unauthenticated access to a system and lets the hacker put files on and get files from the system. A system with TFTP enabled can be used as a depot for the transfer of information or stolen information.

  • SunRPC supports all the ONC-based services.

  • NFS (Network File System) has long been used by hackers to gain information and access to systems through inappropriate configuration and software problems.

  • rexec is used to execute a program remotely. It always requires a password and leaves a minimal amount of log information. It is used by hackers who have initially compromised a system so they can regain access without leaving tracks.

  • rlogin (the remote login service) uses Berkeley Trusted Hosts configuration and security.

  • rsh remotely executes a program using trusted systems configuration and security.

    Both rlogin and rsh are used by hackers with the use of personal .rhosts files to create an intricate web of connections between systems and users on those systems. This can make it extremely difficult to track the hacker back to his origin through dozens of different machines, where he has utilized different user IDs on each one.

  • lpd (remote printer daemon) allows unauthenticated access to the system's print spooler resources.

  • uucpd allows UUCP to run over the network. Running this service opens all the UUCP security issues over the network.

  • The X Window System has been utilized to allow eavesdropping and capturing the keystrokes of the user on the system.

There are a variety of network analysis tools that will determine which sockets a system has active. These include SATAN and strobe.

If the site does not need to provide other services to external users, those other services should be filtered.
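As an added check (not from the book), the following script audits a host's listening sockets against the services listed above and reports any that is bound to a non-loopback address, so an administrator can see what a packet filter still has to cover. The netstat -an lines are constructed sample input; the port table uses the standard assignments for these services, and the 6000-6063 range covers X displays :0 through :63.

```python
"""Audit listening sockets against the services the chapter recommends filtering.

Added example, not code from the book. Input is Linux-style `netstat -an`
output; the sample below is constructed for the demonstration.
"""

# Standard port assignments for the services named in the chapter's list.
SERVICES_TO_FILTER = {
    ("tcp", 53): "DNS (TCP 53 carries zone transfers; restrict to secondaries)",
    ("udp", 69): "TFTP (unauthenticated file transfer)",
    ("tcp", 111): "SunRPC portmapper",
    ("udp", 111): "SunRPC portmapper",
    ("tcp", 2049): "NFS",
    ("udp", 2049): "NFS",
    ("tcp", 512): "rexec",
    ("tcp", 513): "rlogin",
    ("tcp", 514): "rsh",
    ("tcp", 515): "lpd",
    ("tcp", 540): "uucpd",
}
# X Window System displays listen on 6000 + display number
SERVICES_TO_FILTER.update({("tcp", p): "X Window System" for p in range(6000, 6064)})

LOOPBACK = ("127.", "::1")

# Constructed sample output; not captured from a real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:515           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          192.168.1.2:50123       ESTABLISHED
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 0.0.0.0:2049            0.0.0.0:*
""".splitlines()


def parse_listeners(lines):
    """Yield (proto, local_addr, port) for every listening socket.

    TCP sockets count only in LISTEN state; UDP sockets have no state column
    and are treated as listening whenever they are bound.
    """
    for line in lines:
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header or unrelated line
        proto = fields[0].rstrip("6")
        addr, port = fields[3].rsplit(":", 1)
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        yield proto, addr, int(port)


def audit(lines):
    """Return the filter-recommended services exposed on non-loopback addresses."""
    findings = []
    for proto, addr, port in parse_listeners(lines):
        service = SERVICES_TO_FILTER.get((proto, port))
        if service is None or addr.startswith(LOOPBACK):
            continue  # not on the list, or reachable only from the host itself
        findings.append({"proto": proto, "port": port, "addr": addr, "service": service})
    return sorted(findings, key=lambda f: (f["proto"], f["port"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print(f"{f['proto']}/{f['port']:<5} on {f['addr']:<15} {f['service']}")
```

Run against the sample, the script reports the portmapper, rlogin and the X server on TCP and TFTP and NFS on UDP; the lpd socket bound to 127.0.0.1 is not reported because it is unreachable from the network, and SSH is not on the chapter's list. On a real host, feed it the output of netstat -an and compare the findings with the rules on the filtering router.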



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
