Network security is a big topic and is growing into a high profile (and often highly paid) Information Technology (IT) specialty area. Security-related websites are tremendously popular with savvy Internet users. The popularity of security-related certifications has expanded. Esoteric security measures like biometric identification and authentication – formerly the province of science fiction writers and perhaps a few ultra-secretive government agencies – have become commonplace in the corporate world. Yet, with all this focus on security, many organizations still implement security measures in an almost haphazard way, with no well-thought-out plan for making all the parts fit together. Computer security involves many aspects, from protection of the physical equipment to protection of the electronic bits and bytes that make up the information that resides on the network.
The term computer security encompasses many related, yet separate, topics. These can be stated as security objectives, and include:
■ Control of physical accessibility to the computer(s) and/or network
■ Prevention of accidental erasure, modification or compromise of data
■ Detection and prevention of intentional internal security breaches
■ Detection and prevention of unauthorized external intrusions (hacking)
Network security solutions are loosely divided into three categories: hardware, software, and human.
Knowledge is Power
The above title is a famous hacker’s motto (along with such other gems as “Information wants to be free,” and the simplistic but optimistic, “Hack the world!”). However, it is a truism that applies not only to those attempting to gain access to data they aren’t supposed to see, but also to those who are trying to protect themselves from the intruders. The first step in winning any battle – and network security is a battle over the ownership and control of your computer files – is the same as it’s always been: “know thine enemy.”
To protect your network resources from theft, damage, or unwanted exposure, you must understand who initiates these things, why, and how they do it. Knowledge will make you powerful, too – and better able to prevent unauthorized intrusions into your network. In the section entitled Detecting and Preventing Unauthorized External Intrusions, we will discuss the various motivations that drive different network intruders and the types of people who make a practice of “breaking and entering” networks. The very best place to learn is from the hackers themselves. Many network administrators and even some security specialists eschew the books and websites that are written to a hacker audience or from the hacker’s point of view. This may be because one fears “guilt by association” or believes that it would be somehow demeaning to hang out with the hackers. This attitude may be based on high moral ground, but strategically, it’s a mistake.
Think Like a Thief
It is well known in law enforcement circles that the best criminal investigators are those who are best able to “get inside the mind” of the lawbreaker. Network intrusion detectives will find that the same is true – to prevent your network from falling prey to hackers, or to catch data thieves when they do get in, requires that you be able to adopt a mindset emulating theirs. This means learning to anticipate the intruder’s actions. First, you must determine what needs to be protected, and to what degree. A wealthy person not only establishes a general security perimeter by building fences around the house and locking doors and windows, but also places the most valuable items in a wall or floor safe. This provides multiple layers of protection. The practice of implementing multiple layers of protection is known as defense in depth.
The Intrusion Triangle
Borrowing again from the law enforcement community, crime prevention specialists use a model called the “Crime Triangle” to explain that certain criteria must exist before a crime can occur. We can adapt this same triangle to network security: the same three criteria must exist before a network security breach can take place.
Let’s look at each point individually:
■ Motive: An intruder must have a reason to want to breach the security of your network (even if the reason is “just for fun”); otherwise, he/she won’t bother.
■ Means: An intruder must have the ability (either the programming knowledge, or, in the case of “script kiddies,” the intrusion software written by others), or he/she won’t be able to breach your security.
■ Opportunity: An intruder must have the chance to enter the network, either because of flaws in your security plan, holes in a software program that open an avenue of access, or physical proximity to network components; if there is no opportunity to intrude, the would-be hacker will go elsewhere.
If you think about the three-point intrusion criteria for a moment, you’ll see that there is really only one leg of the triangle over which you, as the network administrator or security specialist, have any control. It is unlikely that you can do much to remove the intruder’s motive. The motive is likely to be built into the type of data you have on the network or even the personality of the intruder him/herself. It is also not possible for you to prevent the intruder from having or obtaining the means to breach your security. Programming knowledge is freely available, and there are many experienced hackers out there who are more than happy to help out less-sophisticated ones. The one thing that you can affect is the opportunity afforded the hacker.
Removing Intrusion Opportunities
Crime prevention officers tell members of the community that the “good guys” probably can’t keep a potential burglar from wanting to steal, and they certainly can’t keep the potential burglar from obtaining burglary tools or learning the “tricks of the trade.” What citizens can do is take away, as much as possible, the opportunity for the burglar to target their own homes. This means putting dead-bolt locks on the doors (and using them), getting a big, loud, unfriendly dog, installing an alarm system, and the like. In other words, as a homeowner, your goal is not to prevent the burglar from burglarizing, but to make your own home a less desirable target. As a network “owner,” your objective is to “harden” your own network so that all those hackers out there who already have the motive and the means will look for an easier victim. The best and most expensive locks in the world won’t keep intruders out of your house if you don’t use them. And if those locks are difficult to use and result in inconvenience to you in your everyday comings and goings, you probably won’t use them – at least, not all the time. A poorly implemented network security system that is difficult to administer or that unduly inconveniences network users may end up similarly unused; eventually, you will throw your hands up in frustration and just turn the darn thing off. And that will leave your network wide open to intruders. A good network security system will help you to remove the temptations (open ports, exploitable applications) easily and will be as transparent to your users as possible.
Every industry has its own “language,” the jargon that describes concepts and procedures peculiar to the field. Computer networking is infamous for the “technotalk” and the proliferation of acronyms that often mystify outsiders. Specialty areas within an industry often have their own brands of jargon, as well, and the computer security sub-field is no exception.
It is not possible to provide a complete glossary of security-related terms within the scope of this chapter, but in this section, we will define some of the more common words and phrases that you may encounter as you begin to explore the fascinating world of computer security:
■ Attack: In the context of computer/network security, an attack is an attempt to access resources on a computer or a network without authorization, or to bypass security measures that are in place.
■ Audit: To track security-related events, such as logging onto the system or network, accessing objects, or exercising user/group rights or privileges.
■ Availability of data: Reliable and timely access to data.
■ Breach: Successfully defeating security measures to gain access to data or resources without authorization, to make data or resources available to unauthorized persons, or to delete or alter computer files.
■ Brute force attack: An attempt to “crack” passwords by sequentially trying all possible combinations of characters until the right combination works to allow access.
■ Buffer: A holding area for data.
■ Buffer overflow: A way to crash a system by putting more data into a buffer than the buffer is able to hold.
■ CIA triad: Confidentiality, Integrity, and Availability of data. Ensuring the confidentiality, integrity, and availability of data and services are primary security objectives that are often related to each other. See also availability of data, confidentiality of data, and integrity of data.
■ Confidentiality of data: Ensuring that the contents of messages will be kept secret. See also integrity of data.
■ Countermeasures: Steps taken to prevent or respond to an attack or malicious code.
■ Cracker: A hacker who specializes in “cracking,” or discovering, system passwords to gain access to computer systems without authorization. See also hacker.
■ Crash: Sudden failure of a computer system, rendering it unusable.
■ Defense-in-depth: The practice of implementing multiple layers of security. Effective defense-in-depth strategies do not limit themselves to focusing on technology, but also focus on operations and people. For example, a firewall can protect against unauthorized intrusion, but training and the implementation of well-considered security policies help to ensure that the firewall is properly configured.
■ Denial of Service attack: A deliberate action that keeps a computer or network from functioning as intended (for example, preventing users from being able to log onto the network).
■ Exposure: A measure of the extent to which a network or individual computer is open to attack, based on its particular vulnerabilities, how well known it is to hackers, and the time duration during which intruders have the opportunity to attack. For example, a computer using a dialup analog connection has less exposure to attack coming over the Internet, because it is connected for a shorter period of time than those using “always-on” connections such as cable, DSL, or T-carrier.
■ Hacker: A person who spends time learning the details of computer programming and operating systems, how to test the limits of their capabilities, and where their vulnerabilities lie. See also cracker.
■ Integrity of data: Ensuring that data has not been modified or altered, and that the data received is identical to the data that was sent.
■ Least privilege: The principle of least privilege requires that users and administrators have only the minimum level of access needed to perform their job-related duties. In military parlance, the principle of least privilege is referred to as need to know.
■ Malicious code: A computer program or script that performs an action that intentionally damages a system or data, that performs another unauthorized purpose, or that provides unauthorized access to the system.
■ Penetration testing: Evaluating a system by attempting to circumvent the computer’s or network’s security measures.
■ Reliability: The probability of a computer system or network continuing to perform in a satisfactory manner for a specific time period under normal operating conditions.
■ Risk: The probability that a specific security threat will be able to exploit a system vulnerability, resulting in damage, loss of data, or other undesired results. That is, a risk is the sum of the threat plus the vulnerability.
■ Risk management: The process of identifying, controlling, and either minimizing or completely eliminating events that pose a threat to system reliability, data integrity, and data confidentiality.
■ Sniffer: A program that captures data as it travels across a network. Also called a packet sniffer.
■ Social engineering: Gaining unauthorized access to a system or network by subverting personnel (for example, posing as a member of the IT department to convince users to reveal their passwords).
■ TCSEC: Trusted Computer System Evaluation Criteria. A means of evaluating the level of security of a system.
■ Technical vulnerability: A flaw or bug in the hardware or software components of a system that leaves it vulnerable to security breach.
■ Threat: A potential danger to data or systems. A threat agent can be a virus; a hacker; a natural phenomenon, such as a tornado; a disgruntled employee; a competitor; or other menaces.
■ Trojan horse: A computer program that appears to perform a desirable function but contains hidden code that is intended to allow unauthorized collection, modification, or destruction of data.
■ Virus: A program that is introduced onto a system or network for the purpose of performing an unauthorized action (which can vary from popping up a harmless message to destroying all data on the hard disk).
■ Vulnerability: A weakness in the hardware, software, or security plan that leaves a system or network open to the threat of unauthorized access or of damage to or destruction of data.
■ Worm: A program that replicates itself, spreading from one machine to another across a network.
Once you are comfortable with the terminology, you can begin to address the individual objectives that will assist you in realizing your goal to create a secure network environment.
Addressing Security Objectives
If our security goal is to have complete control over what data comes into and goes out of our networks, we must define objectives that will help us reach that goal. We listed some general security objectives related to computer networks – especially those connected to an outside internetwork such as the Global Internet – as controlling physical access, preventing accidental compromise of data, detecting and preventing intentional internal security breaches, and detecting and preventing unauthorized external intrusions.
Controlling Physical Access
One of the most important, and at the same time most overlooked aspects of a comprehensive network security plan is physical access control. This matter is often left up to facilities managers or plant security departments, or it is outsourced to security guard companies. Network administrators frequently concern themselves with sophisticated software and hardware solutions that prevent intruders from accessing internal computers remotely, while doing nothing to protect the servers, routers, cable, and other physical components of the network from direct access. Physically breaking into the server room and stealing the hard disk on which sensitive data resides may be a crude method; nonetheless, it happens. In some organizations, it may be the easiest way to gain unauthorized access, especially for an intruder who has help “on the inside.”
Physical Access Factors
It is important for you to make physical access control the “outer perimeter” of your security plan.
■Controlling physical access to the servers
■Controlling physical access to networked workstations
■Controlling physical access to network devices
■Controlling physical access to the cable
■Being aware of security considerations with wireless media
■Being aware of security considerations related to portable computers
■Recognizing the security risk of allowing data to be printed out
■Recognizing the security risks involving CDs and other removable media
Let’s look at why each of these is important and how you can implement a physical security plan that addresses all these factors.
Protecting the Servers
File servers on which sensitive data is stored and infrastructure servers that provide mission critical services such as logon authentication and access control should be placed in a highly secure location.
At the minimum, servers should be in a locked room where only those who need to work directly with the servers have access. Keys should be distributed sparingly, and records should be kept of issuance and return. If security needs are high due to the nature of the business or the nature of the data, access to the server room may be controlled by magnetic card, electronic locks requiring entry of a numerical code, or even biometric access control devices such as fingerprint or retinal scanners. Both ingress and egress should be controlled – ideally with logs, video cameras, and/or other means of recording both who enters and who exits. Other security measures include monitor detectors or other alarm systems, activated during non-business hours, and security cameras. A security guard or company should monitor these devices.
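The entry and exit records recommended above are only useful if someone reconciles them. As an added example that is not part of the chapter, the script below parses a constructed badge log for a server-room door and flags the anomalies a reviewer would chase up: an exit with no matching entry (someone was let in on another person's badge), a second entry while a badge is already inside (card passback or a propped door), entries in the after-hours alarm window, and badges still inside at the end of the log. The log format, badge numbers, and business hours are all assumptions.

```python
"""Reconcile a server-room badge log so every exit pairs with an entry.

Added example, not code from the chapter. The log format, the badge
numbers, and the business-hours window are constructed; a real
access-control system exports something similar.
"""
from datetime import datetime

# Constructed log for one door. Fields: timestamp, direction, badge, door.
BADGE_LOG = """\
2024-03-04T08:02:11 IN  badge=1042 door=server-room
2024-03-04T08:40:05 OUT badge=1042 door=server-room
2024-03-04T09:15:30 OUT badge=2077 door=server-room
2024-03-04T10:00:00 IN  badge=1042 door=server-room
2024-03-04T10:00:03 IN  badge=1042 door=server-room
2024-03-04T23:10:44 IN  badge=3150 door=server-room
"""


def parse_badge_log(text):
    """Turn the constructed log into chronologically sorted
    (datetime, direction, badge, door) tuples."""
    events = []
    for line in text.splitlines():
        ts, direction, badge, door = line.split()
        events.append((datetime.fromisoformat(ts), direction,
                       badge.split("=", 1)[1], door.split("=", 1)[1]))
    return sorted(events)


def reconcile(events, business_hours=(7, 19)):
    """Return (finding, badge, time) tuples for every anomaly in the log.

    business_hours is a half-open [start_hour, end_hour) window; anything
    outside it falls in the period when the text says alarms should be armed.
    """
    inside = set()      # badges currently believed to be in the room
    findings = []
    for ts, direction, badge, _door in events:
        if not business_hours[0] <= ts.hour < business_hours[1]:
            findings.append(("after_hours", badge, ts))
        if direction == "IN":
            if badge in inside:                 # badged in twice without leaving
                findings.append(("double_entry", badge, ts))
            inside.add(badge)
        elif direction == "OUT":
            if badge not in inside:             # left without ever badging in
                findings.append(("exit_without_entry", badge, ts))
            inside.discard(badge)
    for badge in sorted(inside):                # never badged out
        findings.append(("still_inside", badge, events[-1][0]))
    return findings


if __name__ == "__main__":
    for kind, badge, when in reconcile(parse_badge_log(BADGE_LOG)):
        print(f"{when:%Y-%m-%d %H:%M:%S}  badge {badge}: {kind}")
```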
Keeping Workstations Secure
Many network security plans focus on the servers but ignore the risk posed by workstations with network access to those servers. It is not uncommon for employees to leave their computers unsecured when they leave for lunch or even when they leave for the evening. Often there will be a workstation in the receptionist area that is open to visitors who walk in off the street. If the receptionist must leave briefly, the computer – and the network to which it is connected – is vulnerable unless steps have been taken to ensure that it is secure.
A good security plan includes protection of all unmanned workstations. A secure client operating system such as Windows NT or Windows Server requires an interactive logon with a valid account name and password in order to access the operating system (unlike Windows 9x). This allows users to “lock” the workstation when they are going to be away from it so someone else can’t just step up and start using the computer. However, don’t depend on access permissions and other software security methods alone to protect your network. If a potential intruder can gain physical access to a networked computer, he/she is that much closer to accessing your valuable data or introducing a virus onto your network. Ensure that all workstation users adhere to a good password policy. Many modern PC cases come with some type of locking mechanism that will help prevent an unauthorized person from opening the case and stealing the hard disk.
Protecting Network Devices
Hubs, routers, switches and other network devices should be physically secured from unauthorized access. It is easy to forget that just because a device doesn’t have a monitor on which you can see data, this does not mean the data can’t be captured or destroyed at that access point.
For example, a traditional Ethernet hub sends all data out every port on the hub. An intruder who has access to the hub can plug a packet-sniffing device (or a laptop computer with sniffer software) that operates in “promiscuous mode” into a spare port and capture data sent to any computer on the segment. Although switches and routers are somewhat more secure, any device through which the data passes is a point of vulnerability. Replacing hubs with switches and routers makes it more difficult for an intruder to “sniff” on your network, but it is still possible to use techniques such as Address Resolution Protocol (ARP) spoofing. This is sometimes called router redirection, in which nearby machines are redirected to forward traffic through an intruder’s machine by sending ARP packets that contain the router’s Internet Protocol (IP) address mapped to the intruder’s machine’s MAC address. This results in other machines believing the intruder’s machine is the router, and so they send their traffic to it. A similar method uses Internet Control Message Protocol (ICMP) router advertisement messages. It is also possible, with certain switches, to overflow the address tables with multiple false Media Access Control (MAC) addresses or send a continuous flow of random garbage through the switch to trigger it to change from bridging mode to repeating mode. This means all frames will be broadcast on all ports, giving the intruder the same opportunity to access the data that he would have with a regular hub. This is called switch jamming.
Finally, if the switch has a special monitor port designed to be used with a sniffer for legitimate (network troubleshooting) purposes, an intruder who has physical access to the switch can simply plug into this port and capture network data. Your network devices should be placed in a locked room or closet and protected in the same manner as your servers.
How Packet Sniffers Work
Packet sniffer/protocol analyzer devices and programs are not used solely for nefarious purposes, although intruders use them to capture unencrypted data and clear-text passwords that will allow them to break into systems. Despite the fact that they can be used to “steal” data as it travels across the network, they are also invaluable troubleshooting tools for network administrators. The sniffer captures individual data packets and allows you to view and analyze the message contents and packet headers. This can be useful in diagnosing network communications problems and uncovering network bottlenecks that are impacting performance. Packet sniffers can also be turned against hackers and crackers and used to discover unauthorized intruders. The most important part of the sniffer is the capture driver. This is the component that captures the network traffic, filters it (according to criteria set by the user), and stores the data in a buffer. The packets can then be analyzed and decoded to display the contents. It is often possible to detect an unauthorized packet sniffer on the wire using a device called a Time Domain Reflectometer (TDR), which sends a pulse down the cable and creates a graph of the reflections that are returned. Those who know how to read the graph can tell whether unauthorized devices are attached to the cable and where. Other ways of detecting unauthorized connections include monitoring hub or switch lights, using Simple Network Management Protocol (SNMP) managers that log connections and disconnections, or using one of the many tools designed for the specific purpose of detecting sniffers on the network. There are also several techniques using Packet Internetwork Groper (ping), ARP, and DNS that may help you to catch unauthorized sniffers.
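The two network-device attacks described above (ARP-based router redirection and switch jamming) and the ARP-based sniffer detection mentioned here both leave traces a monitor on the switch's mirror port can see. As an added example that is not from the chapter, the script below runs two checks over a constructed ARP log: it flags any IP address whose MAC binding changes from the first-seen or administratively trusted one, and it flags a port that presents an implausible number of distinct source MACs within a short window. The addresses, record format, window, and threshold are assumptions.

```python
"""Detect ARP spoofing and MAC-address flooding from a monitor port's ARP log.

Added example, not code from the chapter. Each record is a constructed
(seconds, switch_port, sender_ip, sender_mac) tuple, the way a monitor on
the switch's mirror port might log the ARP replies it sees.
"""
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "aa:aa:aa:aa:aa:01"   # constructed: the real router's MAC

# Constructed sample: normal replies, then a machine on port 7 claims both
# the router's IP (router redirection) and a workstation's IP as its own.
ARP_REPLIES = [
    (0, 3, GATEWAY_IP, GATEWAY_MAC),
    (5, 4, "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    (30, 7, GATEWAY_IP, "de:ad:be:ef:00:07"),
    (31, 7, "10.0.0.20", "de:ad:be:ef:00:07"),
]
# Constructed: from t=40 the same port emits 300 replies with unique source
# MACs, the pattern used to overflow a switch's address table.
FLOOD = [
    (40 + i // 50, 7, f"10.9.{i // 250}.{i % 250}",
     f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
    for i in range(300)
]


def detect_arp_spoofing(replies, trusted=None):
    """Return (time, message) alerts for every reply that contradicts the
    first-seen (or administratively trusted) IP-to-MAC binding.

    Seeding `trusted` with the gateway's real MAC is the code equivalent
    of a static ARP entry for the router.
    """
    bindings = dict(trusted or {})            # static entries win over observation
    alerts = []
    for t, port, ip, mac in replies:
        known = bindings.setdefault(ip, mac)  # learn the first binding we see
        if known != mac:
            alerts.append((t, f"port {port}: {ip} claimed by {mac}, expected {known}"))
    return alerts


def detect_mac_flood(replies, window=10, threshold=100):
    """Return {port: peak_distinct_macs} for ports that present more than
    `threshold` distinct source MACs inside any `window`-second span."""
    by_port = defaultdict(list)
    for t, port, _ip, mac in replies:
        by_port[port].append((t, mac))
    flooded = {}
    for port, events in by_port.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                    # slide the window forward
            distinct = len({mac for _, mac in events[start:end + 1]})
            if distinct > threshold:
                flooded[port] = max(flooded.get(port, 0), distinct)
    return flooded


if __name__ == "__main__":
    log = ARP_REPLIES + FLOOD
    for t, msg in detect_arp_spoofing(log, {GATEWAY_IP: GATEWAY_MAC}):
        print(f"t={t:3d} ARP conflict  {msg}")
    for port, peak in detect_mac_flood(log).items():
        print(f"port {port}: {peak} distinct source MACs in 10 s (possible switch jamming)")
```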
Securing the Cable
The next step in protecting your network data is to secure the cable across which it travels. Twisted pair and coaxial cable are both vulnerable to data capture; an intruder who has access to the cable can tap into it and eavesdrop on messages being sent across it. A number of companies make “tapping” devices. Fiber optic cable is more difficult to tap into because it does not produce electrical pulses, but instead, uses pulses of light to represent the 0s and 1s of binary data. It is, however, possible for a sophisticated intruder to use an optical splitter and tap into the signal on fiber optic media.
Compromise of security at the physical level is a special threat when network cables are not contained in one facility but span a distance between buildings. There is even a name for this risk, “manhole manipulation,” referring to the easy access intruders often have to cabling that runs through underground conduits. Cable taps can sometimes be detected by using a TDR or optical TDR to measure the strength of the signal and determine where the tap is located.
Safely Going Wireless
Wireless media is becoming more and more popular as our society becomes more mobile, and many predict it will be the next big thing in networking during the first years of the new millennium. Large companies such as Cisco Systems, Lucent Technologies, Sun Microsystems, and Microsoft have invested large amounts of talent and money into the wireless initiative.
Wireless networking offers several distinct advantages over traditional cabled networking. Laptop users can easily connect and disconnect as they come and go. Workers out in the field can maintain network communications in areas where there are no cables or phone lines. For professions such as policing, where employees work from a moving vehicle most of the time, wireless is the only way to stay connected to the department LAN. For telecommuters in rural areas where DSL and cable modem access are unavailable, wireless technologies such as satellite provide a broadband alternative to slow analog modems.
There are several different varieties of wireless networking, including:
■ Radio (narrow band or spread spectrum)
■ Wireless Internet access based on the Wireless Application Protocol (WAP)
The most popular wireless technologies are radio-based and operate according to the IEEE 802.11 standards. 802.11b (and increasingly, 802.11g, which is backward compatible with b) networks are becoming commonplace as commercial “hot spots” spring up in major cities and as businesses and home computer users implement wireless networks because of their convenience. Wireless connectivity is available at hotels, airports, and even coffee shops and restaurants. Despite the many benefits of these wireless technologies, they also present special problems, especially in the area of network security. Wireless is more vulnerable to interception of data than cabled media. Radio and microwave are known as broadcast media. Because the signals are transmitted across the airwaves, any receiver set to the correct frequency can easily eavesdrop on the communications. The practice of “war driving” (going out with a wireless NIC-equipped laptop or handheld system and looking for open wireless networks to connect to) is a favorite pastime of hackers. If security is a priority, any data sent via radio or microwave links should be encrypted.
Have Laptop, Will Travel
Portable computers – laptops, notebooks, and new fully functional handheld computers such as the Pocket PC and Palm machines – present their own security problems based on the very features that make them popular – their small size and mobility. Physical security for portable computers is especially important because it is so easy to steal the entire machine, data and all. Luckily, there are a large number of companies that make theft protection devices and security software for laptops. Locks and alarms are widely available, along with software programs that will disable the laptop’s functionality if it is stolen, or even help track it down by causing the computer to “phone home” the first time the portable computer is attached to a modem. Some laptops come with removable hard disks. If you have highly sensitive data that must be accessed with your laptop, it is a good idea to store it on a removable disk (PC Card disks and those that plug into the parallel port are widely available) and encrypt it. Separate the disk from the computer when it is not in use. The possibility of theft is not the only way in which laptops present a security risk. The threat to your network is that a data thief who is able to enter your premises may be able to plug a laptop into the network, crack passwords (or obtain a password via social engineering), and download data to the portable machine, which can then be easily carried away. New handheld computers are coming with more security devices built in. For example, the Hewlett-Packard iPAQ 5555 includes biometric (fingerprint recognition) technology to prevent unauthorized users from accessing the data.
The Paper Chase
Network security specialists and administrators tend to concentrate on protecting data in electronic form, but you should recognize that intruders may also steal confidential digital information by printing it out or locating a hard copy that was printed by someone else. It does little good to implement strong password policies and network access controls if employees can print out sensitive material and then leave it lying on desks, stored in unlocked file cabinets, or thrown into an easily accessed trash basket. “Dumpster diving” (searching the trash for company secrets) is a common form of corporate espionage – and one that surprisingly often yields results. If confidential data must be printed, the paper copy should be kept as physically secure as the digital version. Disposal should require shredding, and in cases of particularly high-security information, the shredded paper can be mixed with water to create a pulp that is impossible to put back together again.
Removable Storage Risks
Yet another potential point of failure in your network security plan involves saving data to removable media. Floppy diskettes, Zip and Jaz disks, tapes, PC cards, CDs, and DVDs containing sensitive data must be kept physically secured at all times. Don’t make the mistake of thinking that deleting the files on a disk, or even formatting the disk, completely erases the data; it is still there until it has been overwritten, and it can be retrieved using special software.
Although removable media can present a security threat to the network, it can also play a part in your overall security plan. Removable disks (including fully bootable large capacity hard disks installed in mobile “nesting” racks) can be removed from the computer and locked in a safe or removed from the premises to protect the data that is stored there.
Physical Security Summary
Ensuring a physically secure network environment is the first step in controlling access to your network’s important data and system files, but it is only part of a good security plan. This is truer today than in the past, because networks have more “ways in” than they once did. A medium or large network may have multiple dial-in servers, VPN servers, and a dedicated full-time Internet connection. Even a small network is likely to be connected to the Internet part of the time.
Virtual intruders never set foot on your organization’s property and never touch your computers. They can access your network from across the street or from halfway across the world. But they can do as much damage as the thief who breaks into your company headquarters to steal or destroy your data – and they are much harder to catch.