Network Security - Hacker's Grief!
Posted On August 4, 2007 by Sneha Philipose filed under Miscellaneous
As corporations continually expand their mission-critical networks with new Intranet, Extranet and e-commerce applications, network security technologies are becoming increasingly vital in preventing corruption and intrusion, and eliminating network security vulnerabilities. Instead of being layered onto networks as an afterthought or considered a necessity only for organizations with especially sensitive data, security capabilities are beginning to migrate into the core fabric of all network infrastructures.
Having security measures embedded directly into network elements will ensure a certain degree of inherent protection in any communications network. From there on, network managers, MIS managers and CIOs can determine for themselves how to balance their degree of vulnerability with the openness, cost, and the administrative considerations of activating the security options that make sense for their organizations.
Hackers take heed
Hacking is the high-tech iteration of a pastime that's been around since the dawn of time. People are naturally curious, and barriers tempt and taunt them. Since Pandora opened that fateful and apparently unsecured box, people have gone to extraordinary measures to see what is private, to go where they are not permitted. Yet the desire to see what's inside the box does not necessarily imply malicious intent. Hacking can do great service or great harm.
The "white hats" are true hackers, and consider themselves part of a noble profession. By discovering and reporting vulnerabilities in their "clients'" networks and recommending ways to secure them, hacker groups worldwide play a valuable role in the advancement of security technologies and products. Nevertheless, it's the infamous "black hats" that enjoy a disproportionate share of media attention. Crackers perpetrate crimes for political gain, economic advantage, social status, or simple amusement. They are unpredictable, malicious, and unwelcome. They deface Web pages, crash computer systems, steal or damage confidential information, and disrupt business. Yet another class of hackers is condescendingly referred to as "script kiddies." These are amateurs who find hacking tools online and use them, usually without understanding how they work or what damage they can do. They can do great harm.
Techniques CIOs should deploy
The greatest threat to security comes from those already inside the network. The external perimeter is a known risk, and most people have some kind of defense in place. But most LANs have few or no restrictions. Once a cracker is inside the perimeter, he can freely roam the internal network. The pressing need for network security starts with formulating a multi-layer defense as part of the corporate security policy and continues with instilling secure habits among employees. While it's obvious that people shouldn't post their passwords on computer monitors, many employees are careless when it comes to safeguarding information. Policies define standards for secure network design and defensive actions, allowing network managers to incorporate a consistent multi-layer defense strategy into their procedures. In large enterprises, for instance, the Cisco Secure Consulting Services group recommends internal measures that separate core business functions to harden that "chewy inside." For example:
· Using firewalls and access control lists to segment corporate finance, the executive staff, and production networks can limit the amount of information intruders could gather or the damage vandals could do.
· A good procedural checklist (that the network administrators should follow) can reduce the duration of a denial-of-service (DoS) attack by allowing the staff to quickly identify the source and nature of the traffic and apply filters accordingly.
Defending the fort
So what do crackers do, and can a network defend itself against them? Attacks take hundreds of forms and fall into several categories: reconnaissance attacks, access attacks, and DoS attacks. Many attacks can be prevented or curbed through disciplined systems administration procedures.
Reconnaissance attacks use sniffers, scanners, and other tools to gather information that could be used to compromise assets later. Many crackers run such tools continuously and sort the data to identify vulnerable hosts. Other common weaknesses are found in programs running under the portmapper, such as rusersd and the network file system (NFS) service, and in basic mail protocols like the Simple Mail Transfer Protocol (SMTP). Most reconnaissance attacks can be deflected through conscientious router and server configurations that turn off unneeded services, especially where they are exposed to the Internet.
Access attacks exploit known vulnerabilities in authentication services, FTP services and Web services to gain entry to Web accounts, confidential databases, and other sensitive information. For example, crackers could deploy a password-cracking tool against known usernames gathered in a reconnaissance attack to gain entry to e-mail. Using such tools, the Secure Consulting Services group has been able to crack 53 per cent of passwords obtained from compromised networks. Preventive actions against access attacks include using strong passwords that combine letters and numbers, protecting Internet mail servers using proxy devices such as firewalls, and filtering incoming TCP requests by allowing only those services that are needed. As a rule, do not allow TCP/IP port 111 or 139, as both have a history of security problems and weak authentication. TCP/IP ports 111 and 139 support the Unix portmapper (or RPC) and Windows NetBIOS services. Both services are rarely deployed over the Internet but are often allowed through Internet filtering devices.
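The allowlist approach of the paragraph above, as an added example that is not part of the original article: a small stateless filter in Python that admits inbound TCP only to needed services and denies everything else, portmapper (111) and NetBIOS (139) included. The addresses, hosts and service list are assumptions (documentation address ranges).

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing: 203.0.113.0/24 is the organisation's public range, with a
# public web server and an Internet mail relay behind the filtering device.
OUR_NET = ipaddress.ip_network("203.0.113.0/24")
# Allowlist of (destination host, TCP port) pairs the Internet may reach.
NEEDED_SERVICES = {
    ("203.0.113.10", 80),   # web server
    ("203.0.113.10", 443),
    ("203.0.113.25", 25),   # Internet mail relay
}

@dataclass(frozen=True)
class TcpSegment:
    src: str
    dst: str
    dport: int
    syn: bool   # True for a new connection request
    ack: bool

def filter_inbound(seg: TcpSegment) -> tuple:
    """Decide whether a segment arriving from the Internet is permitted.

    Returns (verdict, reason). Checks are applied first-match, like an ACL:
    1. a source claiming to be inside our own range is spoofed, drop it;
    2. replies to connections our hosts opened (ACK set, no SYN) pass;
    3. new connection requests pass only to needed services;
    4. everything else, including tcp/111 and tcp/139, is denied.
    """
    if ipaddress.ip_address(seg.src) in OUR_NET:
        return "deny", "internal source address on external interface"
    if seg.ack and not seg.syn:
        return "permit", "established"
    if seg.syn and (seg.dst, seg.dport) in NEEDED_SERVICES:
        return "permit", "allowed service tcp/%d" % seg.dport
    return "deny", "tcp/%d is not an allowed service" % seg.dport

def apply_policy(segments):
    """Run the filter over a batch; count denials per port for the logs."""
    denied_by_port = {}
    verdicts = []
    for seg in segments:
        verdict, reason = filter_inbound(seg)
        verdicts.append((seg.src, seg.dport, verdict, reason))
        if verdict == "deny":
            denied_by_port[seg.dport] = denied_by_port.get(seg.dport, 0) + 1
    return verdicts, denied_by_port
```

The per-port denial counters are what a detection system would watch: a sudden pile of denied tcp/111 or tcp/139 requests from one source is a scan in progress.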
DoS attacks grabbed headlines in February 2000 when they blocked access to Web-based companies such as Yahoo! and eBay. A DoS attack sends a large amount of useless traffic to a particular host or port. While they do not compromise or damage hosts, well-executed DoS attacks can prevent any legitimate traffic from getting through, effectively shutting down their services.
An especially malicious form of DoS attack is distributed denial of service (DDoS), which compromises multiple hosts and enslaves them to send vast amounts of traffic to a target host. These "zombie" attack hosts often reside on unsuspecting public networks such as those found in universities. Network administrators are often unaware that their hosts have become zombies because they only watch for incoming attacks. RFC 2267 specifies ingress and egress filters that can prevent your routers and hosts from becoming the source of a DoS attack. DDoS attacks are dangerous because there seems to be little that anyone can do to prevent them. A few measures that should be taken are:
· Make sure you're friends with your service provider. If an attack does happen, you need to be able to react out-of-band.
· Next, it's useful to have detection systems that can readily identify an incoming DoS attack.
· To determine whether an attack is actually in progress, having a service agreement puts the vendor's Technical Assistance Center (TAC) at your disposal. TAC personnel determine whether a host is under attack using real-time data analysis tools and router packet counters to characterize the traffic flows. Accurate and timely information is vital to successfully filtering a DoS attack.
· After the attack has been identified and characterized, filters can clamp the flood of DoS traffic.
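The detect, characterize and filter sequence of the list above, as an added example that is not part of the original article: packet counters are compared against each destination's baseline rate, the flagged seconds are profiled by source and port, and a filter scope is chosen from that profile. The counter records, addresses and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed packet-counter samples in the shape a router might report:
# (second, src_ip, dst_ip, dst_port, packets). Seconds 0-4 are normal traffic;
# from second 5 fifty sources pile onto tcp/80 of 203.0.113.10 (documentation addresses).
SAMPLE_COUNTERS = [
    (s, "198.51.100.%d" % (s + 1), "203.0.113.10", 80, 40) for s in range(5)
] + [
    (s, "198.51.100.20", "203.0.113.25", 25, 10) for s in range(8)
] + [
    (s, "192.0.2.%d" % i, "203.0.113.10", 80, 200)
    for s in range(5, 8) for i in range(1, 51)
]

def packets_per_second(records):
    """Sum packet counters into {dst_ip: {second: packets}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for sec, _src, dst, _port, pkts in records:
        totals[dst][sec] += pkts
    return totals

def detect_flood(records, baseline_end, factor=10):
    """Flag (dst, second, packets) where the rate exceeds factor x the mean
    rate that destination saw in the seconds before baseline_end."""
    flagged = []
    for dst, by_sec in packets_per_second(records).items():
        base = [p for s, p in by_sec.items() if s < baseline_end]
        if not base:
            continue
        limit = factor * mean(base)
        flagged += [(dst, s, p) for s, p in sorted(by_sec.items())
                    if s >= baseline_end and p > limit]
    return flagged

def characterize(records, dst, seconds):
    """Profile the flagged traffic toward dst: packets by source and by port."""
    secs = set(seconds)
    by_src, by_port = Counter(), Counter()
    for sec, src, d, port, pkts in records:
        if d == dst and sec in secs:
            by_src[src] += pkts
            by_port[port] += pkts
    return {"sources": by_src, "ports": by_port}

def propose_filter(dst, profile, max_sources=10):
    """Few sources: deny each one. Many sources (zombies): a per-source list is
    hopeless, so rate-limit the targeted port toward the victim instead."""
    port = profile["ports"].most_common(1)[0][0]
    if len(profile["sources"]) <= max_sources:
        return [("deny", src, dst, port) for src, _ in profile["sources"].most_common()]
    return [("rate-limit", "any", dst, port)]
```

The baseline comes from the destination's own history, so the mail relay's steady 10 packets per second is never flagged while the web server's jump from 40 to 10,000 is.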
Looking ahead
An adage of the Internet age is that hackers will hack. They hack to benefit and to harm. Without precautions, corporations could experience major security breaches, resulting in serious damages or loss.
While white-hat hacking will always have a place in the Internet community, it's important to keep a step ahead of the black-hat crackers. It's always good practice to keep server operating system and application software current with the latest updates and patches. Another good strategy is to know the enemy by visiting Web sites frequented by hackers and security-minded professionals.
As with physical security, vigilance and diligence are required to protect what's precious on the network to keep an organization safe and running smoothly.
Vishwanathan Iyer is a Systems Engineer at Cisco Systems. He can be reached at: viyer@cisco.com