Designing a Secure Network


A basic explanation of design principles is always a good start in any security discussion. Design starts with requirements analysis, so the first step for getting security right on Mac OS X Server is to understand requirements. You should talk to users, managers, and technical staff to find out what security concerns must be addressed. Before implementing security mechanisms, you need to know if you are securing services that run on the server, protecting internal servers on a private network connected to the server, controlling which outside services your internal users can reach, or all of these.

One basic aspect of requirements analysis is to find out who the users are, where they are located, and what resources they use. Designers sometimes use the concept of a user community to help them recognize requirements. A user community is a set of users with similar application and security requirements. This can be a corporate department, a set of outside users, a set of business partners, or a single user who has unique requirements. You should document user-community names, sizes, locations, and applications. Also document the names and addresses of servers, their locations and applications, and which user communities depend on them. With that documentation in hand, you can begin to understand what needs to be secured.

Next, to ensure system and data availability, you must understand the direction of network traffic flow to and from services. Talk to your users, examine network diagrams, study network traffic with a protocol analyzer, and review network logs to help you understand the direction of network traffic flow and how your security measures can filter this flow to implement user requirements.

Analyzing Network Security Threats

An important step in network security design is analyzing threats, their likelihood and severity, and the dangers associated with not taking action to prevent and mitigate these threats. Network devices, such as servers, routers, and firewalls, are attractive targets for attackers.

If an attacker undermines the security of a network device, the following problems arise:

  • Data flowing through the device and the networks it connects can be intercepted, analyzed, altered, or deleted, compromising confidentiality and integrity.

  • The device's configuration can be changed to block legitimate access and allow future attacks.

  • User passwords can be compromised.

  • Configuration and management data can be monitored, showing the attacker other devices that are reachable from the device.

Tools for intercepting and analyzing data on a network are readily available. Ethereal, for example, is a free and easy-to-use protocol analysis tool that runs on almost every platform. Ethereal captures network traffic and displays each packet in human-readable format, which makes it a useful network management tool as well as a powerful tool for network attackers. The following output from Ethereal shows a Telnet packet. Notice that the output is helpful for analyzing packet headers while troubleshooting a problem, but it's also helpful for attackers, who can easily see in the Telnet data section at the end of the output that the user typed co followed by a carriage return (\r).

Frame 27 (58 bytes on wire, 58 bytes captured)
Ethernet II
  Destination: 00:00:0c:00:2e:75 (Cisco_00:2e:75)
  Source: 00:0d:93:28:c9:f6 (AppleCom_28:c9:f6)
  Type: IP (0x0800)
Internet Protocol
  Version: 4
  Header length: 20 bytes
  Differentiated Services Field: 0x10
  Total Length: 44
  Identification: 0x22fe (8958)
  Flags: 0x04
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 64
  Protocol: TCP (0x06)
  Header checksum: 0x02d8 (correct)
  Source: 10.10.0.209 (10.10.0.209)
  Destination: 10.10.0.2 (10.10.0.2)
Transmission Control Protocol
  Source port: 51854 (51854)
  Destination port: telnet (23)
  Sequence number: 2722440935
  Acknowledgement number: 3672130357
  Header length: 20 bytes
  Flags
    0... .... = Congestion Window Reduced (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...1 .... = Acknowledgment: Set
    .... 1... = Push: Set
    .... .0.. = Reset: Not set
    .... ..0. = Syn: Not set
    .... ...0 = Fin: Not set
  Window size: 65535
  Checksum: 0x788a (correct)
Telnet
  Data: co\r


From output such as this, an attacker can gain information about Ethernet addresses (in the Ethernet II section of the example, see Destination: 00:00:0c:00:2e:75 (Cisco_00:2e:75) and Source: 00:0d:93:28:c9:f6 (AppleCom_28:c9:f6)) and IP addresses (in the Internet Protocol section, see Source: 10.10.0.209 (10.10.0.209) and Destination: 10.10.0.2 (10.10.0.2)). This knowledge of addresses helps an attacker find targets.

An attacker can also gain information about the identifiers used for IP datagrams and the sequence numbers used for Transmission Control Protocol (TCP) segments. (In the Internet Protocol section, see Identification: 0x22fe (8958); in the Transmission Control Protocol section, see Sequence number: 2722440935.) This type of information could be used to craft an attack packet.

Finally, as mentioned, the attacker can see that the user typed co followed by a carriage return. These were the last two characters in the Telnet password, which was Cisco.
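The following Python decoder is an added example, not code from the book. It rebuilds the 58-byte frame from the values in the Ethereal output above (the fourth payload byte, a NUL after the carriage return as Telnet sends it, is an assumption made to match the 44-byte IP length) and shows that every field the text discusses, including the typed password characters, is readable by anyone who can see the wire. The cleartext-port table is a small illustrative set, which is why disabling Telnet in favour of SSH is the standard mitigation.

```python
import struct

# Constructed sample frame, rebuilt byte for byte from the Ethereal output
# (58 bytes: 14 Ethernet + 20 IP + 20 TCP + 4 payload). Ethereal shows the
# payload as "co\r"; the trailing NUL is an assumption (Telnet CR NUL).
ETH = bytes.fromhex("00000c002e75") + bytes.fromhex("000d9328c9f6") + b"\x08\x00"
IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 44, 0x22FE, 0x4000, 64, 6,
                   0x02D8, bytes([10, 10, 0, 209]), bytes([10, 10, 0, 2]))
TCP = struct.pack("!HHIIBBHHH", 51854, 23, 2722440935, 3672130357, 0x50,
                  0x18, 65535, 0x788A, 0)
SAMPLE_FRAME = ETH + IPV4 + TCP + b"co\r\x00"

# Services whose payload a passive observer can read exactly as typed
# (illustrative subset, chosen for this example).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop-3"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP and return what an eavesdropper learns."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IP header length in bytes
    total_len, ident = struct.unpack("!HH", ip[2:6])
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError("only TCP segments are handled")
    tcp = ip[ihl:total_len]                  # also trims any Ethernet padding
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_offset = (tcp[12] >> 4) * 4         # TCP header length in bytes
    return {
        "eth_src": mac_str(src), "eth_dst": mac_str(dst),
        "ip_src": ".".join(map(str, ip[12:16])),
        "ip_dst": ".".join(map(str, ip[16:20])),
        "ip_id": ident, "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": tcp[13],                    # 0x18 = PSH + ACK
        "payload": tcp[data_offset:],        # readable: no encryption on Telnet
        "cleartext_service": CLEARTEXT_PORTS.get(dport, CLEARTEXT_PORTS.get(sport)),
    }
```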

Reconnaissance Attacks

An attacker launches a reconnaissance attack to learn about potential targets and their weaknesses in preparation for a more focused attack. Reconnaissance attackers use tools to discover the reachability of computers, networks, services, and applications. While on a reconnaissance mission, an attacker might try to gather the following information:

  • The existence of and names of servers configured in a domain name system (DNS) server

  • Configuration information listed in a Simple Network Management Protocol (SNMP) server

  • The reachability of servers and end-user systems via ping and port scans

  • Operating system and application versions

One tool that attackers use to test the reachability and vulnerabilities of a network server is the UNIX nmap utility. nmap sends traffic to the target for numerous TCP and User Datagram Protocol (UDP) ports and examines the results to discover open ports, application and operating system versions, and vulnerabilities.

By default, Mac OS X Server has very few ports open. In this example using nmap on the Mac OS X Server with the IP address of 192.168.3.1, some default ports have been closed while others have been opened:

Pretendcos-Computer:~ Pretendco$ nmap 192.168.3.1

Starting nmap V. 3.00 (www.insecure.org/nmap/)
Interesting ports on (192.168.3.1):
(The 1592 ports scanned but not shown below are in state: closed)
Port       State   Service
25/tcp     open    smtp
53/tcp     open    domain
80/tcp     open    http
110/tcp    open    pop-3
311/tcp    open    asip-webadmin
407/tcp    open    timbuktu
427/tcp    open    svrloc
548/tcp    open    afpovertcp
625/tcp    open    unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds


Note

The nmap utility has nefarious as well as reputable qualities. You can use it to test the security of your own network devices, for example. This testing method should be used sparingly and with caution, however. nmap sends a huge number of packets to the target in a short period of time.


Denial of Service Attacks

Denial of Service (DoS) attacks target networks, servers, or applications, making it impossible for legitimate users to gain access. DoS attacks usually result from the inability of a network, computer, or application to handle a huge load, which crashes the system or halts the system's services. These attacks pose a significant risk because they can interrupt business processes and are reasonably easy to conduct, even by an unskilled attacker.

DoS attacks include:

  • Flooding servers with huge numbers of connection requests

  • Sending so many pings that a device gets so busy replying that it can't handle legitimate traffic

  • Flooding network paths with so much traffic that all bandwidth is consumed

Preventing DoS attacks is best handled by dedicated hardware firewalls and intrusion detection systems (IDSs) that have built-in software that recognizes and mitigates attacks. For example, some dedicated firewalls have advanced software that can recognize and deflect a flood of TCP connection requests, also known as a TCP SYN flood attack.

Dealing with DoS attacks may also require help from network administrators of upstream networks. For example, if the Internet pipe into your company is being flooded with huge amounts of traffic, consuming all available bandwidth, this must be stopped at your Internet service provider (ISP).

In the case of Mac OS X Server, simple DoS attacks are stoppable by disallowing Internet Control Message Protocol (ICMP) echoes (pings) and echo replies, and by disallowing all traffic from a known attacker, both of which are relatively easy to do with Mac OS X Server firewall service.
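To make concrete what "recognizing a flood of TCP connection requests" means, here is an added example (not from the book) of the half-open-connection tracking that a firewall or IDS performs. The event records are constructed for the example: one client completes its handshake, another sends many SYNs and never answers. The per-source count only helps when the flood is not spoofed; a spoofed flood appears as many sources with one half-open connection each, which is why the total is what raises the alarm and why, as the text notes, the upstream provider may have to help.

```python
from collections import Counter

# Constructed sample: TCP segments as a firewall or IDS would log them,
# (seconds, source address, source port, flags); S = SYN, A = ACK.
# One legitimate client finishes its handshake; a second host sends 200 SYNs
# from different ports and never acknowledges, the shape of a SYN flood.
EVENTS = [(0.00, "10.10.0.209", 51854, "S"), (0.01, "10.10.0.209", 51854, "A")]
EVENTS += [(0.5 + i * 0.001, "198.51.100.7", 40000 + i, "S") for i in range(200)]


def half_open_connections(events, window=1.0):
    """Return {(src, sport): syn_time} for SYNs never followed by the client's
    ACK within `window` seconds (a simplified three-way-handshake tracker)."""
    syn_time, completed = {}, set()
    for t, src, sport, flags in events:
        key = (src, sport)
        if "S" in flags and key not in syn_time:
            syn_time[key] = t                    # handshake opened
        elif "A" in flags and key in syn_time and t - syn_time[key] <= window:
            completed.add(key)                   # handshake finished in time
    return {k: t for k, t in syn_time.items() if k not in completed}


def syn_flood_report(events, threshold=100):
    """Alarm when half-open connections reach `threshold`.
    Returns (alarm, half_open_count, top_sources). The source ranking is
    only meaningful when the flood is not using spoofed addresses."""
    half_open = half_open_connections(events)
    per_source = Counter(src for src, _ in half_open)
    return len(half_open) >= threshold, len(half_open), per_source.most_common(3)
```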




Apple Training Series: Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan