Windows IT Pro
Windows IT Library
Understanding Network Security
Author: Mark Joseph Edwards
Published: December 1997
Copyright: 1998
Publisher: 29th Street Press
 


Even with a firewall in place on your network, you could still be a sitting duck. The firewall itself is not always the root of the security problem. Many network professionals overlook even the simplest security practices. For example, a man named Rica works for a large corporation and provides computer security and firewall penetration tests. He breaks into Fortune 500 companies’ firewall-protected systems to see how effective the firewalls really are. His results are not pretty. In his eight years of break-in attempts, he’s been caught in the act only once! When any of his clients eventually discovered he had been dancing around their internal networks, it was usually after he’d been in for several weeks.

Why is he able to break in undetected so successfully? Most security violation logs in firewall systems detect and record 50 to 60 percent of all unauthorized access attempts. Mr. Rica gets in because the network security professionals charged with handling those systems do not monitor the logs closely enough. In some cases, they don’t monitor them at all. Real intruders could be slipping in right under their noses.

Never assume an intruder won’t go around or through your firewall. It’s always prudent to know all the possible entry points of your system. Even inexperienced intruders could enter your system through any piece of software that lets one computer communicate with another. Some of these entry points lie in your network hardware, such as bridges and routers, and others are in your software systems, like your mail or FTP server. You should identify all TCP/IP-enabled devices on your network, both hardware and software, and route traffic away from them when possible. This one step greatly minimizes your overall security risk. Don’t put all your eggs in the basket labeled "firewall." You must define and develop security policies that include heavy monitoring if you want your firewall to be an effective deterrent.

Figure 1 illustrates a generic firewall implementation. Here are four questions to ask when considering a firewall for your network:

  • What functions do you want the firewall to perform?
  • What level of control over the network and firewall do you need and want?
  • How much money can you allocate toward getting it done right?
  • How much will it cost to maintain the firewall?

Packet Filters
Packet filters typically limit packet traffic to and from hosts on your network, based on an intricate set of rules that you define. Packet filters come in two varieties: hardware-based and software-based. A hardware packet filter is typically a standalone router that filters packets as they enter and leave the router. A software filter runs on a network server that acts as a routing gateway.

As discussed in Chapter 1, each TCP/IP packet traveling through a network contains a header that holds certain information, including the source and destination addresses and the destination port number. A packet filter uses this information to decide how to handle the packet, based on the rules you establish that tell the router how you want to handle each packet type. As the packets flow through the router, the router compares each packet against the defined rule set and decides whether the packet can pass through.

You can define the source and destination addresses and the types of ports that packet filters recognize. The best packet filters by default deny all traffic unless it is expressly given permission to pass. Because you must purposely create a rule that allows certain traffic to pass, you are less likely to leave parts of your system exposed accidentally. Figure 2 shows a typical packet filter installation on a network.

Keep in mind that packet filters can have certain weaknesses stemming from their inner workings as traffic analysis agents. Because they simply look at packets and decide how to handle those packets based on port numbers and IP addresses, they can sometimes be spoofed (faked) into thinking a particular packet stream is authorized traffic, when in fact it may not be.
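The default-deny rule set described above, and the address-spoofing weakness just mentioned, as an added example that is not part of the book: a first-match packet filter that denies anything no rule permits, plus an ingress check that refuses packets arriving on the external interface with an internal source address. The 10.0.0.0/8 internal block, the interface names and the sample rules are constructed for this illustration.

```python
# Added example (not from the book): a first-match packet filter with the
# default-deny posture the chapter recommends, plus an anti-spoofing check
# on the external interface. Addresses and rules are constructed samples.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed internal address block

@dataclass(frozen=True)
class Packet:
    iface: str          # "ext" or "int": interface the packet arrived on
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    # Anti-spoofing: a packet arriving from outside must not claim an
    # internal source address, whatever the rule set would otherwise say.
    if p.iface == "ext" and ip_address(p.src) in INTERNAL_NET:
        return "deny"
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"          # default deny: no rule, no passage

# Constructed rule set: outsiders may reach the mail relay on port 25 only;
# internal hosts may talk to each other freely.
RULES = [
    Rule("permit", dst="10.1.1.25/32", proto="tcp", dport=25),
    Rule("permit", src="10.0.0.0/8", dst="10.0.0.0/8"),
]
```

Without the interface check, the fourth case below (an outside packet forged to look like it came from 10.2.3.4) would match the second rule and pass.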

We talk more about packet filtering systems and look at a few of the best ones on the market later in this book.

Proxy Servers and Application Gateways
A proxy server is a server that is empowered to act on behalf of other computers on a network. A host computer running a proxy server is commonly referred to as an application gateway. Figure 3 shows a typical proxy server/application gateway configuration.

Proxy servers act as mediators between two systems attempting to communicate with each other across a network. The actual mediation process flows something like this:

  1. A user connects to the application gateway via software that tells the proxy what system the user wants to connect to, and for what reason (such as a Web page request).
  2. The gateway checks the user’s source IP address and accepts or rejects it according to access criteria put in place by the administrator.
  3. The proxy may authenticate the user by some means, such as a one-time password.
  4. The proxy service creates a connection between the gateway and the host.
  5. The proxy server passes data between the two connections.
  6. The proxy server logs the connection information.
  7. The proxy server repeats steps 5 and 6 until all the information is transferred. The disconnect process varies from vendor to vendor.
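The seven-step mediation above, as an added in-process model that is not the book's code or any vendor's product: the gateway checks the source address, consumes a one-time password, opens its own connection to the internal host, relays the request and logs the exchange. The client address, user name, one-time passwords and the internal "intranet" host are constructed; no real network I/O takes place.

```python
# Added example (not the book's code): an in-process model of the seven-step
# mediation an application gateway performs. Hosts, addresses and the
# one-time-password table are constructed; no real network I/O occurs.
from typing import Callable, Dict, List, Tuple

class ApplicationGateway:
    def __init__(self, allowed_sources: List[str], otp_table: Dict[str, List[str]],
                 internal_hosts: Dict[str, Callable[[str], str]]):
        self.allowed_sources = allowed_sources   # step 2: source IP access criteria
        self.otp_table = otp_table               # step 3: unused one-time passwords per user
        self.internal_hosts = internal_hosts     # step 4: servers reachable only via the proxy
        self.log: List[str] = []                 # step 6: connection log

    def handle(self, src_ip: str, user: str, otp: str,
               target: str, request: str) -> Tuple[bool, str]:
        # Step 1: the client software names the destination and the request.
        # Step 2: source address check.
        if src_ip not in self.allowed_sources:
            self.log.append(f"REJECT src={src_ip} reason=source-not-permitted")
            return False, "rejected: source address"
        # Step 3: one-time password; each password is consumed on use.
        unused = self.otp_table.get(user, [])
        if otp not in unused:
            self.log.append(f"REJECT src={src_ip} user={user} reason=bad-otp")
            return False, "rejected: authentication"
        unused.remove(otp)
        # Step 4: the gateway opens its own connection to the internal host.
        server = self.internal_hosts.get(target)
        if server is None:
            self.log.append(f"REJECT src={src_ip} user={user} reason=unknown-target")
            return False, "rejected: unknown target"
        # Step 5: relay data; the internal host sees only the gateway as its peer.
        reply = server(request)   # step 7 would repeat 5 and 6 per chunk; one exchange modelled
        # Step 6: log the connection; the true client address never reaches the inside.
        self.log.append(f"ALLOW src={src_ip} user={user} target={target} bytes={len(reply)}")
        return True, reply

def web_host(request: str) -> str:
    # Constructed internal web server: echoes the request it was handed.
    return f"200 OK {request}"

def build_gateway() -> ApplicationGateway:
    return ApplicationGateway(
        allowed_sources=["192.0.2.10"],
        otp_table={"alice": ["hx7-441", "pq2-908"]},
        internal_hosts={"intranet": web_host},
    )
```

The log is the part worth studying: the internal host function is called with the request only, so the real client address appears nowhere except in the gateway's own records.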
Because they protect the identity of the host, application gateways are a handy way to traverse a network anonymously. The source IP address of the host is never revealed to any system other than the proxy. They improve security because without knowing the true IP address of a host, it is next to impossible for an intruder to attack that machine. However, you should be aware that even the most minor mistakes in configuring the proxy and the network routing can leave you wide open to attack when you might consider yourself protected.

Proxy servers are an economical and reliable way to protect your computer systems from intrusion. Proxies compensate for the weaknesses associated with packet filters. Used together, they provide a higher level of security than if each is used independently.

Application gateways have a number of advantages over other types of security systems:

  • Robust authentication and logging — the application traffic can be authenticated before it reaches internal hosts and can be logged in detail.
  • Hidden information — the names of your internal systems are not revealed to external systems. Often, the application gateway is the only host name that must be revealed.
  • Cost-effectiveness — third-party software or hardware for authentication and logging needs to be located only on the application gateway.
  • Less complex filtering rules — the rules you establish for a combined packet filter/proxy server setup can be less complex than if the packet filter controls all aspects of application traffic by itself. When used with a proxy server, a packet filter simply allows application traffic destined for the application gateway and rejects all other traffic.

Circuit-Level Gateways
Circuit-level gateways are similar to application gateways, except circuit-level gateways verify a TCP or UDP session but do not verify which application is being used. They simply allow a client to connect and send packets back and forth between the client and server.

The theory behind the circuit-level gateway approach to network security is avoiding any direct physical contact between the outside world and a machine on the internal network. In this scenario, a proxy address (or substitute address) is used as a contact to the outside source. Once information is transferred to that address, the proxy transfers information to the appropriate internal destination. This scenario helps deter hackers by limiting the amount of information individual machines share with the outside world, much like an application gateway. Unlike packet filtering systems, circuit-level gateways don’t examine individual packets of information but accept multiple packets once they verify address information. Circuit-level gateways are rarely used alone; they are more commonly part of a larger security system package.

Physical Isolation
You should consider physically isolating systems on your network by placing them where they cannot be reached by TCP/IP traffic from anyone outside your network. This change alone can greatly minimize the possibilities of that system being attacked. If you set it up correctly, an intruder’s only choice is to gain physical access to your facilities to get at the system. Facility access is a lot easier to control than network access. You should consider placing your systems behind a locked door with an alarm system in place, even during normal business hours. You may also consider using card key systems in which a user must have a card to log on to a system.

Protocol Isolation
Protocol isolation techniques use network devices that do not require TCP/IP as the primary means of network communication. They use some other protocol, such as NetBEUI or IPX/SPX, to communicate on your local network. When these systems need to access the Internet, which requires TCP/IP, they go through some type of application gateway. Protocol isolation provides a great deal of protection because TCP/IP traffic cannot reach a system that does not run TCP/IP.

Microsoft’s Internet Information Server (IIS) and Proxy Server (MPS), formerly code-named Catapult, both allow the use of IPX/SPX to gain access to the Internet with TCP/IP on client systems. Only the server runs TCP/IP, which leaves the client systems protected from attack. You can learn more about IIS and IAS at http://www.microsoft.com/infoserv .

Monitoring and Auditing
Monitoring your systems for availability is always a great idea. It can give you early warning signs of a possible intrusion attempt, and in lots of situations, you’ll be able to stop an intruder before any real damage is done.

You can easily monitor your TCP/IP services with a number of programs that have been engineered specifically for that purpose. A typical program monitors your services at the port level, meaning that the program connects to the service and waits for a response. The program can page you, send you e-mail, and write an alarm message on the screen in the event of problems. The better monitoring software attempts to stop and restart services to get them to respond, and at least one of these programs even automatically reboots a nonresponsive Windows NT machine. One such software package is NTManage by LANWARE, Inc., which you can find on the Internet at http://www.lanware.net .
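A port-level probe of the kind described above, as an added example that is neither the book's code nor NTManage: it opens a TCP connection to each listed service and returns the names of those that do not answer, which is the point at which a real monitor would page or e-mail you. The loopback listener and the deliberately closed port are constructed stand-ins so the check runs offline.

```python
# Added example (not the book's software): a port-level availability probe of
# the kind the paragraph describes. It opens a TCP connection to each listed
# service and reports which ones fail to answer. The listener used below is a
# constructed stand-in for a real service so the check runs offline.
import socket
import threading
from typing import Dict, List, Tuple

def probe_service(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a TCP connection to host:port completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def check_services(services: Dict[str, Tuple[str, int]]) -> List[str]:
    """Probe every named service; return the names that did not respond."""
    return [name for name, (host, port) in services.items()
            if not probe_service(host, port)]

def start_dummy_listener() -> Tuple[socket.socket, int]:
    """Stand-in service on an ephemeral loopback port; accepts in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:    # listener closed: stop accepting
                return
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port

def reserved_closed_port() -> Tuple[socket.socket, int]:
    """Bind without listen(): connections to this port are refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]

if __name__ == "__main__":
    up_sock, up_port = start_dummy_listener()
    down_sock, down_port = reserved_closed_port()
    down = check_services({"smtp": ("127.0.0.1", up_port),
                           "www": ("127.0.0.1", down_port)})
    print("unresponsive services:", down)   # alarm, page or e-mail would go here
```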

Windows NT comes with some fairly robust auditing capabilities. You should learn how the auditing system works and implement it on your servers. More important, and I cannot stress this enough, you must monitor the logs as part of a daily routine. It makes no sense to use an audit system if you do not review the logs regularly. Many networks use security systems, and intruders still find their way in. Why does it happen? In most cases, no one monitored the logs, and thus, no one detected the breach in time to stop it. Monitor your logs diligently.


THE INTRUDER’S PERSPECTIVE

To stop an intruder, you must think like an intruder. To do so, you need some basic information about the ways they behave. You need to understand their ethics and the tools they use to penetrate your systems.

Hackers, Crackers, and Phreaks
The terms "hacker," "cracker," and "phreak" describe similar people with important differences. First, a hacker is an independent-minded, law-abiding computer enthusiast. A hacker pursues the free-wheeling intellectual exploration of the potential of computer systems. Hackers are intensely interested in the system itself and enjoy relating to the machines. You can think of a hacker as a computerphile, a person totally engrossed in computer programming and computer technology. A hacker delights in possessing an intimate understanding of the internal workings of a system — computers and computer networks in particular. Hackers are usually the nonthreatening, nondamaging types of people, but many folks confuse the terms hacker and cracker, and use hacker to indicate a malicious intruder. For this reason, we’ll mainly use the term hacker generically in this book to represent both good and bad computing explorers.

Crackers, on the other hand, are the ones to worry about. A cracker illegally accesses other people’s computer systems for fun, profit, and personal gain. Crackers don’t always harm a computer once they gain access. For some, the challenge of finding a way into a system and snooping around undetected is enough. The word is often confused and interchanged with hacker, although the meanings are not the same. Crackers definitely perpetrate some type of crime, whether they realize it or not.

Phreaks are another group altogether. Phreaks are mischievous individuals who delight in exploring and manipulating telephone systems and other audiovisual communication equipment. This interest first developed in the 1960s, before personal computers were widely available. In the early days, phreaks broke into telephone systems in an effort to make long distance calls without charge. Back then, everyone shared information on bulletin board systems (BBSs), which were accessible to most users only by long-distance phone calls. To gain access, phreaks used all sorts of ploys, mostly tone-producing devices because that’s how most telephone switches were controlled. The switches recognize variations in audible tones and interpret them as commands. Phreaks know what these tones are, how to reproduce them, and how to use them to their advantage. Long-distance carriers such as Sprint and MCI suffered heavy losses at the hands of phreaks in the 1980s during the real heyday of phone phreaking.

Today, phone-switching equipment has become more sophisticated, making phreaking an extremely dangerous game to play — the likelihood of being caught is about 95 percent. Today’s phreaks focus more on accessing telephone computers, much as crackers do, and also hijack voice mailboxes for personal use. Phreaks are still a threat because they will attack your company’s PBX once they discover its existence.


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.