Monitoring the Network


There are numerous ways to monitor the traffic on a network: dedicated instruments that analyze the traffic on a LAN, and software that allows your computer to see every packet on the network. Listening to all the packets on a network is often referred to as putting your system in "promiscuous" mode. Many systems come with a network-logging tool for diagnostics that can be used for this purpose.

Just watching all the packets on a network will not yield much useful information. A hacker must be able to filter out the packets he doesn't want and capture and reconstruct the communication he is looking for. What he is looking for are telnet, rlogin and ftp packets, which contain the user name and associated password; these are passed across the network in clear text.

Network monitoring software has become widespread and is available for all types of computers. Many vendors include a network sniffer as part of the diagnostic software that comes with the system. Many of these programs are not built with security in mind; they are created to collect information to solve a particular problem. However, that is often the same information a hacker is looking for.

Controlling network monitoring is a very difficult task. Anyone who has access to your network can monitor the packets on it, and any of the data in those packets can be captured. The only defense against this is to encrypt the data traveling over the network. However, in a standard UNIX environment, user data can be encrypted, but the login names and passwords, which are part of the control environment, cannot. A number of packages are available to increase the security of the login process.

On Linux systems, promiscuous mode can be enabled or disabled with the ifconfig command. The output from the netstat -i command displays the status of the interface, as illustrated below.

 netstat -i
 eth1      Link encap:Ethernet  HWaddr 00:90:27:3A:E3:67
           inet addr:10.0.0.3  Bcast:10.0.0.255  Mask:255.255.255.0
           UP BROADCAST RUNNING PROMISC  MTU:1500  Metric:1
           RX packets:50361 errors:0 dropped:0 overruns:0 frame:0
           TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           Interrupt:17 Base address:0xfcc0
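The following shell script, added here and not part of the book, automates the check described above: it parses an interface listing in the ifconfig-style format shown (or the flag list printed by the newer ip link show and net-tools 2.x ifconfig) and reports every interface flagged PROMISC. The sample listings are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): report interfaces in promiscuous mode
# from an ifconfig/netstat-style listing like the one above, or from the
# flag list printed by "ip link show" or a newer ifconfig.
promisc_ifaces() {
    awk '
        # old ifconfig style: "eth1  Link encap:Ethernet ..." names the
        # interface; its flags follow on a later line
        /Link encap:/ { iface = $1 }
        # ip link style: "2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,...>"
        /^[0-9]+: [^ ]+: </ { iface = $2; sub(/:$/, "", iface) }
        # new ifconfig style: "eth1: flags=4419<UP,BROADCAST,PROMISC,...>"
        /^[^ :]+: flags=/ { iface = $1; sub(/:$/, "", iface) }
        # PROMISC appears as a bare word or inside the <...> flag list
        /PROMISC/ && iface != "" { print iface; iface = "" }
    '
}

# Constructed sample in the old ifconfig format used by the book:
# eth0 is normal, eth1 has been put into promiscuous mode.
SAMPLE_NETSTAT='eth0  Link encap:Ethernet  HWaddr 00:90:27:3A:E3:66
          inet addr:10.0.0.2  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1
eth1  Link encap:Ethernet  HWaddr 00:90:27:3A:E3:67
          inet addr:10.0.0.3  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING  PROMISC  MTU:1500  Metric:1'

# Constructed sample in "ip link show" format: only eth0 is sniffing.
SAMPLE_IPLINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'

# Prints the promiscuous interfaces found in a listing, one per line.
check_sample() {
    printf '%s\n' "$1" | promisc_ifaces
}

# Live check on this host: returns 1 if any interface is promiscuous.
live_check() {
    found=$(ip link show 2>/dev/null | promisc_ifaces)
    [ -z "$found" ] || { echo "promiscuous: $found"; return 1; }
}
```

Running live_check from cron and alerting on its output gives a simple, periodic detection for hosts that have been turned into sniffers.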

ARPA Services

The ARPA services of telnet and FTP are two of the oldest protocols still in use today. They date back to the very beginning of computer networks. The entire session is transmitted in clear text. There is no encryption utilized, even for the login password. This makes these protocols hazardous to use today with the availability of network sniffers. Security-enhanced versions or secure replacements for these protocols should be used to get remote system access and to transfer files.

Kerberos is an authentication service for authenticating users or services across an open network. It authenticates entities without sending plain text passwords over the network. The Kerberos protocol uses strong cryptography (DES) so that a client can prove its identity to a server (and vice versa) across an insecure network connection, and to assure privacy and data integrity in the communications. It works by assigning a unique shared secret key and issuing a token called a ticket to each client that logs on to the network. The ticket is then embedded in messages to identify the sender of the message.

Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the KDC key, and sends the encrypted TGT back to the client. The client uses the TGT to obtain further service tickets, which provide the proof of the client's identity.

PAM Kerberos, PAM-KRB5, is supported on the HP-UX 11i system. It is based on Kerberos Authentication System V5, developed by Massachusetts Institute of Technology (MIT). The PAM Kerberos module is compliant with IETF RFC 1510 and Open Group RFC 86. HP-UX PAM Kerberos is implemented under the PAM (Pluggable Authentication Module) framework. PAM Kerberos works with Microsoft Windows 2000 and MIT Kerberos V5 KDC. However, it is not intended to work with the HP-UX DCE KDC.

To support single sign-on between HP-UX and Microsoft Windows 2000 or other UNIX systems running MIT Kerberos, HP-UX provides PAM Kerberos that integrates HP-UX login with any Kerberos 5 Server, such as Microsoft Windows 2000 Key Distribution Center (KDC) and MIT KDC.

Secure Shell

Secure shell provides terminal access (ssh) and file transfer (sftp) in a secure manner. If SSH is used for remote shell logins and file copying, the clear-text exposure described above can be greatly diminished. A server's digital signature provides verification of its identity. The entire communication between client and server systems cannot be used if intercepted, because each of the packets is encrypted. Attempts to spoof the identity of either side of a communication will not work, since each packet is encrypted using a key known only by the local and remote systems.

Since servers can be configured to allow different types of authentication, this method gives each side the optimal amount of control. The server can decide which encryption methods it will support based on its security model, and the client can choose the order of authentication methods to attempt from among the available options. Thanks to the secure nature of the SSH transport layer, even seemingly insecure authentication methods, such as host-based authentication, are safe to use.

For SSH to be truly effective in protecting your network connections, you must stop using all insecure connection protocols, such as telnet and rsh. Otherwise, a user's password may be protected by ssh on one day only to be captured when he logs in the next day using telnet.

POP and IMAP

Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) are two protocols used to access e-mail that has been stored on a server.

These protocols both suffer from transmitting unencrypted passwords and data over the network. The common solution to this problem is to wrap the protocol in an encryption protocol, such as SSL or SSH.

Linux systems can enable SSL-wrapped IMAP and POP3 by using the sslproxy program supplied by openssl. The services need to be added to /etc/services, and the program invoked from inetd. To do this, add the following lines to /etc/services:

 imaps    993/tcp
 pop3s    995/tcp

and these lines to /etc/inetd.conf:

 imaps  stream  tcp  nowait  root  /usr/sbin/tcpd  sslproxy -t 3600 -p imap
 pop3s  stream  tcp  nowait  root  /usr/sbin/tcpd  sslproxy -t 3600 -p pop-3

FTP Sessions

FTP, File Transfer Protocol, allows you to transfer files between computers. In general, the user must have an account with a valid user name and password on both machines. The FTP protocol passes the user name and password over the network in clear text, so that any network sniffer can see this information. Disable or remove the FTP daemon ftpd if FTP services are not needed.

Users can be restricted from using FTP by entering their user names into the file /etc/ftpusers. The superuser account, all accounts with extra privileges, such as database administrators, all default accounts, and captive accounts should be listed in the /etc/ftpusers file. Since /etc/ftpusers is an exclusion file, every new user that does not need FTP access must be added to it at the time the account is created.
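Because /etc/ftpusers is an exclusion list, it drifts out of date as accounts are added. The following audit script, added here and not part of the book, compares /etc/passwd with /etc/ftpusers and reports every UID 0 account and every account on a list of default accounts that is not denied FTP access. The list of default accounts and the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): audit /etc/ftpusers against /etc/passwd
# and report privileged or default accounts that are not denied FTP access.
# Which accounts count as "default" or "captive" is site-specific; this list
# is an assumption made for the example.
DEFAULT_ACCOUNTS='daemon bin sys adm lp uucp nobody postmaster oracle'

# ftpusers_audit PASSWD_FILE FTPUSERS_FILE
# Prints each account that should be in ftpusers but is not; returns 1 if any.
ftpusers_audit() {
    awk -F: -v defaults="$DEFAULT_ACCOUNTS" '
        BEGIN { n = split(defaults, d, " "); for (i = 1; i <= n; i++) must[d[i]] = 1; bad = 0 }
        # first file (ftpusers): one login per line, "#" comments allowed
        FILENAME == ARGV[1] { sub(/#.*/, ""); gsub(/[ \t]/, ""); if ($0 != "") listed[$0] = 1; next }
        # second file (passwd): UID 0 and every default account must be listed
        ($3 == 0 || ($1 in must)) && !($1 in listed) { print $1; bad = 1 }
        END { exit bad }
    ' "$2" "$1"
}

# Constructed sample files: toor (a second UID 0 account) and oracle (a DBA
# account) are missing from ftpusers and should be reported.
demo() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:backup superuser:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
oracle:x:500:500:Oracle DBA:/home/oracle:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
EOF
    printf '# accounts denied FTP access\nroot\ndaemon\n' > "$tmp/ftpusers"
    rc=0
    ftpusers_audit "$tmp/passwd" "$tmp/ftpusers" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

On a real host run ftpusers_audit /etc/passwd /etc/ftpusers; a non-zero exit status means the exclusion list has fallen behind the account list.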

Although most systems can log these attempts if logging is turned on, most sites do not log bad passwords entered via FTP, so hackers see this as a safer place to do password guessing than the login prompt.

SMTP

A hacker can use the Simple Mail Transfer Protocol (SMTP) command vrfy to verify whether a user login name exists on a system. This command will also give him the person's real name from the GECOS field of the password file and, if the mail is forwarded, the address to which it is forwarded. The following entries in the sendmail.cf file can eliminate a great deal of SMTP-based snooping:

 novrfy
 noexpn
 goaway
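A configuration check for these entries, added here and not part of the book. It assumes the sendmail 8 syntax, in which these flags are values of a single O PrivacyOptions= line in sendmail.cf, and treats goaway as satisfying the check, since it is sendmail's shorthand that switches on novrfy and noexpn among other restrictions. The sendmail.cf fragments in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): verify that a sendmail.cf disables the
# VRFY and EXPN commands. Assumes the sendmail 8 syntax
#   O PrivacyOptions=flag,flag,...
# where goaway is shorthand that includes novrfy and noexpn.
REQUIRED='novrfy noexpn'

# privacy_check SENDMAIL_CF: prints each missing flag, returns 1 if any.
privacy_check() {
    opts=$(sed -n 's/^O[[:space:]]*PrivacyOptions[[:space:]]*=[[:space:]]*//p' "$1" |
           tr -d ' \t' | tr ',' '\n')
    if printf '%s\n' "$opts" | grep -qx goaway; then
        return 0
    fi
    rc=0
    for flag in $REQUIRED; do
        printf '%s\n' "$opts" | grep -qx "$flag" || { echo "missing: $flag"; rc=1; }
    done
    return $rc
}

# Constructed sendmail.cf fragments: the first leaves VRFY and EXPN open,
# the second lists the flags explicitly, the third relies on goaway.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'O PrivacyOptions=authwarnings\n' > "$tmp/weak.cf"
    printf 'O PrivacyOptions=authwarnings,novrfy,noexpn\n' > "$tmp/fixed.cf"
    printf 'O PrivacyOptions=goaway\n' > "$tmp/goaway.cf"
    for f in weak fixed goaway; do
        if privacy_check "$tmp/$f.cf" >/dev/null; then
            echo "$f: ok"
        else
            echo "$f: needs fixing"
        fi
    done
    rm -rf "$tmp"
}
```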

A user who has his mail forwarded to another system may be a limited user of the system. This may indicate a good user ID to exploit. Checking common user IDs, such as root or postmaster, may indicate who administers the system and where his home system is.

A company should discourage the use of e-mail addresses that address specific users on specific machines. Instead, the company should set up one e-mail gateway that has an e-mail address for all of the employees. This gateway would then relay the inbound e-mail to the appropriate machine and user. This would hide the specifics of a machine name and user login ID. It would also have the benefit of giving a uniform appearance to all the company's e-mail.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210