Annex B: Network Security Primer

This annex is a network security primer.

The Need for Network Security

The Internet is changing the way we work, live, play, and learn. These changes are occurring both in the ways that we currently experience (e-commerce, real-time information access, e-learning, expanded communication options, and so forth) and in ways we have yet to experience. Imagine a day when your enterprise can make all of its telephone calls over the Internet for free. Or perhaps on a more personal note, consider logging on to a day-care provider's web site to check how your child is doing throughout the day. As a society, we are just beginning to unlock the potential of the Internet. But with the Internet's unparalleled growth comes unprecedented exposure of personal data, critical enterprise resources, government secrets, and so forth. Every day, hackers pose an increasing threat to these entities with several different types of attacks. These attacks, outlined in the next section, have become both more prolific and easier to implement. There are two primary reasons for this problem.

First is the ubiquity of the Internet. With millions of devices currently connected to the Internet and millions more on the way, a hacker's access to vulnerable devices continues to increase. The ubiquity of the Internet has also allowed hackers to share knowledge on a global scale. A simple Internet search on the words hack, crack, or phreak yields thousands of sites, many of which contain malicious code or the means with which to use that code.

Second is the pervasiveness of easy-to-use operating systems and development environments. This factor has reduced the overall ingenuity and knowledge required by hackers. A truly remarkable hacker can develop easy-to-use applications that can be distributed to the masses. Several hacker tools that are available in the public domain merely require an IP address or host name and a click of a mouse button to execute an attack.

Network Attack Taxonomy

Network attacks can be as varied as the systems that they attempt to penetrate. Some attacks are elaborately complex, while others are performed unknowingly by a well-intentioned device operator. It is important to understand some of the inherent limitations of the TCP/IP protocol when evaluating the types of attacks. When the Internet was formed, it linked various government entities and universities to one another with the express purpose of facilitating learning and research. The original architects of the Internet never anticipated the kind of widespread adoption that the Internet has achieved today. As a result, in the early days of the IP, security was not designed into the specification. For this reason, most IP implementations are inherently insecure. Only after many years and thousands of RFCs do we have the tools to begin to deploy IP securely. Because specific provisions for IP security were not designed from the onset, it is important to augment IP implementations with network security practices, services, and products to mitigate the inherent risks of the IP. The following is a brief discussion of the types of attacks commonly seen on IP networks and how these attacks can be mitigated.

Packet Sniffers

A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a particular collision domain. (Promiscuous mode is when the network adapter card sends all packets received on the physical network wire to an application for processing.) Sniffers are used legitimately in networks today to aid in troubleshooting and traffic analysis. However, because several network applications send data in clear text (Telnet, FTP, SMTP, POP3, and so forth), a packet sniffer can provide meaningful and often sensitive information, such as usernames and passwords.

One serious problem with acquiring usernames and passwords is that users often reuse their login names and passwords across multiple applications and systems. In fact, many users employ a single password for access to all accounts and applications. If an application is run in client/server mode and authentication information is sent across the network in clear text, it is likely that this same authentication information can be used to gain access to other corporate or external resources. Because hackers know and use human characteristics, such as using a single password for multiple accounts, in attack methods known collectively as social engineering attacks, they are often successful in gaining access to sensitive information. In a worst-case scenario, a hacker gains access to a system level user account, which the hacker uses to create a new account that can be used at any time as a back door to break into a network and its resources.

You can mitigate the threat of packet sniffers in several ways:

  • Authentication— Using strong authentication is a first option for defense against packet sniffers. Strong authentication can be broadly defined as a method of authenticating users that cannot easily be circumvented. A common example of strong authentication is one-time passwords (OTPs), a type of two-factor authentication. Two-factor authentication involves using something you have combined with something you know. Automated teller machines (ATMs) use two-factor authentication: a customer needs both an ATM card and a personal identification number (PIN) to make transactions. With OTP, you need a PIN and your token card to authenticate to a device or software application. A token card is a hardware or software device that generates new, seemingly random passwords at specified intervals (usually 60 seconds). A user combines that random password with a PIN to create a unique password that only works for one instance of authentication. If a hacker learns a password by using a packet sniffer, the information is useless because the password has already expired. Note that this mitigation technique is effective only against a sniffer implementation that is designed to grab passwords; it remains ineffective against sniffers deployed to learn other sensitive information (such as mail messages).

  • Switched infrastructure— Another method to counter the use of packet sniffers in your environment is to deploy a switched infrastructure. For example, if an entire organization deploys switched Ethernet, hackers can only gain access to the traffic that flows on the specific port to which they connect. A switched infrastructure obviously does not eliminate the threat of packet sniffers, but it can greatly reduce their effectiveness.

  • Antisniffer tools— A third method used against sniffers is to employ software and hardware designed to detect the use of sniffers on a network. Such software and hardware do not completely eliminate the threat, but like many network security tools, they are part of the overall system. These so-called antisniffers detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own. One such network security software tool, available from L0pht Heavy Industries, is called AntiSniff. For more information, refer to the URL www.l0pht.com/antisniff/.

  • Cryptography— The most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant. If a communication channel is cryptographically secure, the only data that a packet sniffer will detect is cipher text (a seemingly random string of bits) and not the original message. Cisco's deployment of network level cryptography is based on IPSec, a standard method for networking devices to communicate privately using IP. Other cryptographic protocols for network management include SSH and SSL.

IP Spoofing

An IP spoofing attack occurs when a hacker inside or outside a network pretends to be a trusted computer. A hacker can do this in one of two ways. The hacker uses either an IP address that is within the range of trusted IP addresses for a network, or an authorized external IP address that is trusted and to which access is provided to specified resources on a network. IP spoofing attacks are often a launch point for other attacks. The classic example is to launch a DoS attack using spoofed source addresses to hide the hacker's identity.

Normally, an IP spoofing attack is limited to the injection of malicious data or commands into an existing stream of data that is passed between a client and server application or a peer-to-peer network connection. To enable bidirectional communication, the hacker must change all routing tables to point to the spoofed IP address. Another approach hackers sometimes take is simply not to worry about receiving any response from the applications. If a hacker tries to obtain a sensitive file from a system, application responses are unimportant.

However, if a hacker manages to change the routing tables to point to the spoofed IP address, the hacker can receive all of the network packets that are addressed to the spoofed address and reply just as any trusted user can.

The threat of IP spoofing can be reduced, but not eliminated, through the following measures.

  • Access control— The most common method for preventing IP spoofing is to configure access control properly. To reduce the effectiveness of IP spoofing, configure access control to deny any traffic from the external network that has a source address that should reside on the internal network. Note that this only helps prevent spoofing attacks if the internal addresses are the only trusted addresses. If some external addresses are trusted, this method is not effective.

  • RFC 2827 filtering— You can also prevent a network's users from spoofing other networks (and be a good Net citizen at the same time) by preventing any outbound traffic on your network that does not have a source address in your organization's own IP range. Your ISP can also implement this type of filtering, which is collectively referred to as RFC 2827 filtering. This filtering denies any traffic that does not have the source address that was expected on a particular interface. For example, if an ISP is providing a connection to the IP address 15.1.1.0/24, the ISP could filter traffic so that only traffic sourced from address 15.1.1.0/24 can enter the ISP router from that interface. Note that unless all ISPs implement this type of filtering, its effectiveness is significantly reduced. Also, the further you get from the devices you want to filter, the more difficult it becomes to do that filtering at a granular level. For example, performing RFC 2827 filtering at the access router to the Internet requires that you allow your entire major network number (that is, 10.0.0.0/8) to traverse the access router. If you perform filtering at the distribution layer, as in this architecture, you can achieve more specific filtering (that is, 10.1.5.0/24).

  • Additional authentication— The most effective method for mitigating the threat of IP spoofing is the same as that for mitigating the threat of packet sniffers: namely, eliminating its effectiveness. IP spoofing can function correctly only when devices use IP address-based authentication. Therefore, if you use additional authentication methods, IP spoofing attacks are irrelevant. Cryptographic authentication is the best form of additional authentication, but when that is not possible, strong two-factor authentication using OTP can also be effective.
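The access-control and RFC 2827 checks described above, as an added example that is not part of the original annex (and not any vendor's implementation): an ingress rule that rejects outside packets claiming an inside source, an egress rule that rejects outbound packets not sourced from the site's own range, and a comparison of the coarse /8 filter at the Internet access router with the finer /24 filter at the distribution layer. The prefixes 15.1.1.0/24, 10.0.0.0/8 and 10.1.5.0/24 come from the text; the interface names and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str


class AntiSpoofFilter:
    """RFC 2827-style source-address checks for a site with known address space."""

    def __init__(self, site_prefixes):
        self.site = [ipaddress.ip_network(p) for p in site_prefixes]

    def is_site_address(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.site)

    def permit(self, pkt):
        if pkt.iface == "outside":
            # Ingress: the Internet must never hand us a packet claiming to be one of ours.
            # Caveat from the text: if some external addresses are also trusted, a packet
            # spoofing one of *those* passes this check unchanged.
            return not self.is_site_address(pkt.src)
        if pkt.iface == "inside":
            # Egress: nothing leaves unless it is sourced from our own range, so our
            # hosts cannot be used to spoof other networks.
            return self.is_site_address(pkt.src)
        return False  # unknown interface: deny by default


def granularity_demo(src):
    """Judge one outbound source both with the coarse filter an Internet access
    router can apply (10.0.0.0/8) and with the specific filter possible at the
    distribution layer (10.1.5.0/24). Returns (coarse_permits, fine_permits)."""
    pkt = Packet("inside", src, "203.0.113.10")
    coarse = AntiSpoofFilter(["10.0.0.0/8"]).permit(pkt)
    fine = AntiSpoofFilter(["10.1.5.0/24"]).permit(pkt)
    return coarse, fine


if __name__ == "__main__":
    flt = AntiSpoofFilter(["15.1.1.0/24"])
    print(flt.permit(Packet("outside", "15.1.1.77", "15.1.1.10")))   # False: spoofed inside source
    print(flt.permit(Packet("inside", "198.51.100.9", "203.0.113.5")))  # False: not our address
    print(granularity_demo("10.9.9.9"))  # (True, False): only the /24 filter catches it
```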

Denial of Service (DoS)

Certainly the most publicized form of attack, DoS is also among the most difficult to completely eliminate. Even among the hacker community, DoS attacks are regarded as trivial and considered bad form because they require so little effort to execute. Still, because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators. If you are interested in learning more about DoS attacks, researching the methods employed by some of the better-known attacks can be useful. These attacks include the following:

  • TCP SYN flood

  • Ping of death

  • Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K)

  • Trinoo

  • Stacheldraht

  • Trinity

Another excellent source on the topic of security is the Computer Emergency Response Team (CERT), which has published a paper on dealing with DoS attacks; you can find it at the following URL: www.cert.org/tech_tips/denial_of_service.html.

DoS attacks are different from most other attacks because they are generally not targeted at gaining access to your network or the information on your network. These attacks focus on making a service unavailable for normal use, which is typically accomplished by exhausting some resource limitation on the network or within an operating system or application.

When involving specific network server applications, such as a Web server or an FTP server, these attacks can focus on acquiring and keeping open all the available connections supported by that server, effectively locking out valid users of the server or service. DoS attacks can also be implemented using common Internet protocols, such as TCP and ICMP. Most DoS attacks exploit a weakness in the overall architecture of the system being attacked, rather than a software bug or security hole. However, some attacks compromise the performance of your network by flooding the network with undesired and often useless network packets and by providing false information about the status of network resources. This type of attack is often the most difficult to prevent, as it requires coordination with your upstream network provider. If traffic meant to consume your available bandwidth is not stopped there, denying it at the point of entry into your network will do little good because your available bandwidth has already been consumed. When this type of attack is launched from many different systems at the same time, it is often referred to as a DDoS attack.

The threat of DoS attacks can be reduced through the following three methods:

  • Antispoof features— Proper configuration of antispoof features on your routers and firewalls can reduce your risk. This includes RFC 2827 filtering, at the minimum. If hackers cannot mask their identities, they might not attack.

  • Anti-DoS features— Proper configuration of anti-DoS features on routers and firewalls can help limit the effectiveness of an attack. These features often involve limits on the amount of half-open connections that a system allows at any given time.

  • Traffic rate limiting— An organization can implement traffic rate limiting with its ISP. This type of filtering limits the amount of nonessential traffic that crosses network segments to a certain rate. A common example is to limit the amount of ICMP traffic allowed into a network, because this traffic is used only for diagnostic purposes and ICMP-based DoS and DDoS attacks are common.
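Two of the controls listed above, modelled as an added example (not the annex's own code and not any router or firewall vendor's implementation): a per-server cap on half-open TCP connections that ages out stale entries, and a token-bucket rate limit for inbound ICMP. The limits, addresses and the simulated flood are constructed for the example.

```python
import collections


class HalfOpenLimiter:
    """Cap the number of embryonic (half-open) TCP connections per server."""

    def __init__(self, max_half_open, timeout):
        self.max_half_open = max_half_open            # per destination server
        self.timeout = timeout                        # seconds a SYN may stay unanswered
        self.pending = collections.defaultdict(dict)  # server -> {client: syn_time}

    def expire(self, now):
        """Age out entries whose handshake never completed within the timeout."""
        for clients in self.pending.values():
            for client, t in list(clients.items()):
                if now - t > self.timeout:
                    del clients[client]

    def on_syn(self, client, server, now):
        """Return "accept" or "drop" for a new SYN aimed at server."""
        self.expire(now)
        clients = self.pending[server]
        if client in clients:
            return "accept"                 # retransmitted SYN already holds a slot
        if len(clients) >= self.max_half_open:
            return "drop"                   # embryonic budget for this server exhausted
        clients[client] = now
        return "accept"

    def on_handshake_done(self, client, server):
        """Final ACK seen: the connection is no longer half-open."""
        self.pending[server].pop(client, None)

    def half_open(self, server):
        return len(self.pending[server])


class TokenBucket:
    """Allow at most `rate` events per second on average, with bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_syn_flood():
    """Constructed SYN flood: 50 spoofed sources, none of which completes the handshake."""
    lim = HalfOpenLimiter(max_half_open=10, timeout=30)
    server = "198.51.100.80"
    results = collections.Counter()
    for i in range(50):
        results[lim.on_syn(f"203.0.113.{i}", server, now=0.0)] += 1
    late = lim.on_syn("192.0.2.7", server, now=5.0)        # legitimate client while table is full
    recovered = lim.on_syn("192.0.2.7", server, now=35.0)  # flood entries have aged out
    return results["accept"], results["drop"], late, recovered


def simulate_icmp_limit():
    """Constructed burst of 20 echo requests at once, then one more a second later."""
    bucket = TokenBucket(rate=2.0, burst=5)
    allowed = sum(bucket.allow(now=0.0) for _ in range(20))
    return allowed, bucket.allow(now=1.0)


if __name__ == "__main__":
    print(simulate_syn_flood())   # (10, 40, 'drop', 'accept')
    print(simulate_icmp_limit())  # (5, True)
```

The flood still costs the legitimate client its first attempt, which is why the text pairs these features with antispoof filtering rather than presenting either as complete.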

Password Attacks

Hackers can implement password attacks using several different methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers. Although packet sniffers and IP spoofing can yield user accounts and passwords, password attacks usually refer to repeated attempts to identify a user account or password. These repeated attempts are called brute-force attacks.

Often, a brute-force attack is performed using a program that runs across the network and attempts to log into a shared resource, such as a server. When hackers successfully gain access to resources, they have the same rights as the users whose accounts have been compromised to gain access to those resources. If the compromised accounts have sufficient privileges, the hackers can create back doors for future access without concern for any status and password changes to the compromised user accounts.

Another problem exists when users have the same (possibly strong) password on every system to which they connect. Often, this includes personal systems, corporate systems, and systems on the Internet. Because that password is only as secure as the most weakly administered host that contains it, if that host is compromised, hackers have a whole range of hosts on which they can try the same password.

You can most easily eliminate password attacks by not relying on plain-text passwords in the first place. Using OTP or cryptographic authentication can virtually eliminate the threat of password attacks. Unfortunately, not all applications, hosts, and devices support these authentication methods. When standard passwords are used, it is important to choose a password that is difficult to guess. Passwords should be at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters (#, %, $, and so forth). The best passwords are randomly generated, but these are very difficult to remember, often leading users to write their passwords down.

Several advances have been made relative to password maintenance—both for the user and the administrator. Software applications are now available that encrypt a list of passwords to be stored on a handheld computer. This allows the user to remember only one complex password and have the remaining passwords stored securely within the application. From the standpoint of the administrator, several methods exist to brute-force attack your own users' passwords. One such method involves a tool used by the hacker community called L0phtCrack. L0phtCrack brute-force attacks Windows NT passwords and can point out when a user has chosen a password that is very easy to guess. For more information, refer to the following URL: www.l0pht.com/l0phtcrack/.

Man-in-the-Middle Attacks

A man-in-the-middle attack requires that the hacker has access to network packets that come across a network. An example of such a situation could be someone who works for an ISP and has access to all network packets that are transferred between the employer's network and any other network. Such attacks are often implemented using network packet sniffers and routing and transport protocols. The possible uses of such attacks are theft of information, hijacking of an ongoing session to gain access to private network resources, traffic analysis to derive information about a network and its users, DoS, corruption of transmitted data, and introduction of new information into network sessions.

Man-in-the-middle attacks can be effectively mitigated only through the use of cryptography. If someone hijacks data in the middle of a cryptographically private session, all that the hacker will see is cipher text and not the original message. Note that if a hacker can learn information about the cryptographic session (such as the session key), man-in-the-middle attacks are still possible.

Application Layer Attacks

Application layer attacks can be implemented using several different methods. One of the most common methods is exploiting well-known weaknesses in software that is commonly found on servers, such as sendmail, HTTP, and FTP. By exploiting these weaknesses, hackers can gain access to a computer with the permissions of the account running the application, which is usually a privileged system level account. These application layer attacks are often widely publicized in an effort to allow administrators to rectify the problem with a patch. Unfortunately, many hackers also subscribe to these same mailing lists, which results in their learning about the attack at the same time (if they have not discovered it already).

The primary problem with application layer attacks is that they often use ports that are allowed through a firewall. For example, a hacker executing a known vulnerability against a Web server often uses TCP port 80 in the attack. Because the Web server serves pages to users, a firewall needs to allow access on that port. From a firewall's perspective, it is merely standard port 80 traffic.

Application layer attacks can never be completely eliminated. New vulnerabilities are always being discovered and publicized to the Internet community. The best way to reduce your risk is by practicing good system administration. The following are a few measures you can take to reduce your risks:

  • Read OS and network log files or have them analyzed by log analysis applications.

  • Subscribe to mailing lists that publicize vulnerabilities such as Bugtraq (www.securityfocus.com) and the CERT (www.cert.org).

  • Keep your OS and applications current with the latest patches.

In addition to proper system administration, using IDSs can aid in this effort. There are two complementary IDS technologies:

  • NIDS operates by watching all packets traversing a particular collision domain. When a NIDS sees a packet or series of packets that match a known or suspect attack, it can flag an alarm or terminate the session.

  • HIDS operates by inserting agents into the host to be protected. It is then concerned only with attacks generated against that one host.

IDSs operate by using attack signatures, which are the profile for a particular attack or kind of attack. They specify certain conditions that must be met before traffic is deemed to be an attack. In the physical world, an IDS can be most closely compared to an alarm system or security camera. The greatest limitation of an IDS is the number of false-positive alarms a particular system generates. Tuning the IDS to prevent such false alarms is critical to its proper operation in a network.
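The signature model described above, as an added example that is not part of the original annex (and not any IDS product's engine): each signature is a per-event condition plus a threshold within a time window, and the same sensor is run untuned and then tuned with an exemption for a known benign host to show how tuning removes a false positive. The signature definitions, host addresses and event log are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Event:
    t: float     # seconds since start of the constructed log
    src: str
    dport: int
    msg: str


@dataclass
class Signature:
    name: str
    match: Callable[[Event], bool]   # condition a single event must satisfy
    threshold: int                   # how many matching events ...
    window: float                    # ... within this many seconds before alarming
    distinct: Optional[Callable[[Event], object]] = None  # count distinct values instead


class Sensor:
    def __init__(self, signatures, exempt_sources=()):
        self.sigs = signatures
        self.exempt = set(exempt_sources)   # tuning knob: hosts known to trip signatures benignly
        self.hist = defaultdict(deque)      # (signature, source) -> recent matching events
        self.alarms = []                    # (signature, source, time) tuples

    def feed(self, ev):
        if ev.src in self.exempt:
            return
        for sig in self.sigs:
            if not sig.match(ev):
                continue
            q = self.hist[(sig.name, ev.src)]
            q.append(ev)
            while q and ev.t - q[0].t > sig.window:   # slide the window forward
                q.popleft()
            seen = {sig.distinct(e) for e in q} if sig.distinct else q
            if len(seen) >= sig.threshold:
                self.alarms.append((sig.name, ev.src, ev.t))
                q.clear()                              # one alarm per episode


SIGNATURES = [
    # five failed Telnet logins from one source inside a minute
    Signature("telnet-brute-force", lambda e: e.dport == 23 and "login failed" in e.msg, 5, 60.0),
    # one source touching ten distinct ports inside ten seconds
    Signature("port-sweep", lambda e: True, 10, 10.0, distinct=lambda e: e.dport),
]


def constructed_events():
    ev = []
    # the organization's own vulnerability scanner walking ports 1-12 (benign, looks like a sweep)
    ev += [Event(float(i), "10.1.5.50", i + 1, "connect") for i in range(12)]
    # an external host hammering Telnet: six failures in six seconds
    ev += [Event(100.0 + i, "203.0.113.9", 23, "login failed") for i in range(6)]
    # a user mistyping a password three times over 80 seconds: below threshold, no alarm
    ev += [Event(t, "198.51.100.3", 23, "login failed") for t in (200.0, 230.0, 280.0)]
    return ev


def run_sensor(tuned):
    """Return the alarms raised; tuned=True exempts the scanner host."""
    sensor = Sensor(SIGNATURES, exempt_sources=["10.1.5.50"] if tuned else [])
    for ev in constructed_events():
        sensor.feed(ev)
    return sensor.alarms


if __name__ == "__main__":
    print(run_sensor(tuned=False))  # port-sweep false positive plus the real brute force
    print(run_sensor(tuned=True))   # only the brute force remains
```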

Network Reconnaissance

Network reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications. When hackers attempt to penetrate a particular network, they often need to learn as much information as possible about the network before launching attacks. This can take the form of DNS queries, ping sweeps, and port scans. DNS queries can reveal such information as who owns a particular domain and what addresses have been assigned to that domain. Ping sweeps of the addresses revealed by the DNS queries can present a picture of the live hosts in a particular environment. After such a list is generated, port-scanning tools can cycle through all well-known ports to provide a complete list of all services running on the hosts discovered by the ping sweep. Finally, the hackers can examine the characteristics of the applications that are running on the hosts. This can lead to specific information that is useful when the hacker attempts to compromise that service.

Network reconnaissance cannot be prevented entirely. If ICMP Echo and Echo Reply are turned off on edge routers, for example, ping sweeps can be stopped, but at the expense of network diagnostic data. However, port scans can easily be run without full ping sweeps; they simply take longer because they need to scan IP addresses that might not be live. IDS at the network and host levels can usually notify an administrator when a reconnaissance-gathering attack is under way. This allows the administrator to prepare better for the coming attack or to notify the ISP who is hosting the system that is launching the reconnaissance probe.

Trust Exploitation

Although not an attack in and of itself, trust exploitation refers to an attack where an individual takes advantage of a trust relationship within a network. The classic example is a perimeter network connection from a corporation. These network segments often house DNS, SMTP, and HTTP servers. Because they all reside on the same segment, a compromise of one system can lead to the compromise of other systems because they might trust other systems attached to their same network. Another example is a system on the outside of a firewall that has a trust relationship with a system on the inside of a firewall. When the outside system is compromised, it can leverage that trust relationship to attack the inside network.

You can mitigate trust-exploitation-based attacks through tight constraints on trust levels within a network. Systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall. Such trust should be limited to specific protocols and should be authenticated by something other than an IP address, where possible.

Port Redirection

Port redirection attacks are a type of trust exploitation attack that uses a compromised host to pass traffic that would otherwise be dropped through a firewall. Consider a firewall with three interfaces and a host on each interface. The host on the outside can reach the host on the public services segment (commonly referred to as a demilitarized zone [DMZ]), but not the host on the inside. The host on the public services segment can reach the host on both the outside and the inside. If hackers were able to compromise the public services segment host, they could install software to redirect traffic from the outside host directly to the inside host. Though neither communication violates the rules implemented in the firewall, the outside host has now achieved connectivity to the inside host through the port redirection process on the public services host. An example of an application that can provide this type of access is netcat. For more information, refer to the following URL: www.avian.org.

Port redirection can primarily be mitigated by the use of proper trust models (as mentioned earlier). Assuming a system is under attack, HIDS can help detect and prevent a hacker from installing such utilities on a host.

Unauthorized Access

Although not a specific type of attack, unauthorized access attacks refer to the majority of attacks executed in networks today. For hackers to brute-force attack a Telnet login, they must first get the Telnet prompt on a system. On connection to the Telnet port, a message might indicate “Authorization required to use this resource.” If the hacker continues to attempt access, the actions become unauthorized. These kinds of attacks can be initiated both on the outside and inside of a network.

Mitigation techniques for unauthorized access attacks are very simple. They involve reducing or eliminating the ability of a hacker to gain access to a system using an unauthorized protocol. An example would be preventing hackers from having access to the Telnet port on a server that needs to provide Web services to the outside. If a hacker cannot reach that port, it is very difficult to attack it. The primary function of a firewall in a network is to prevent simple unauthorized access attacks.

Virus and Trojan Horse Applications

The primary vulnerabilities for end-user workstations are viruses and Trojan horse attacks. Viruses refer to malicious software that is attached to another program to execute a particular unwanted function on a user's workstation. An example of a virus is a program that is attached to command.com (the primary interpreter for Windows systems) that deletes certain files and infects any other versions of command.com that it can find. A Trojan horse is different only in that the entire application is written to look like something else, when in fact it is an attack tool. An example of a Trojan horse is a software application that runs a simple game on the user's workstation. While the user is occupied with the game, the Trojan horse mails a copy of itself to every user in the user's address book. Then other users get the game and play it, thus spreading the Trojan horse.

These kinds of applications can be contained through the effective use of antivirus software at the user level and potentially at the network level. Antivirus software can detect most viruses and many Trojan horse applications and prevent them from spreading in the network. Keeping up-to-date with the latest developments in these sorts of attacks can also lead to a more effective posture against them. As new virus or Trojan applications are released, enterprises need to keep up-to-date with the latest antivirus software and application versions.

What Is a Security Policy?

A security policy can be as simple as an acceptable use policy for network resources or can be several hundred pages in length and detail every element of connectivity and associated policies. Although somewhat narrow in scope, RFC 2196 suitably defines a security policy as follows:

“A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.”

This document does not attempt to go into detail on the development of a security policy. RFC 2196 has some good information available on the subject, and numerous locations on the Web have example policies and guidelines. The following Web pages may assist the interested reader:

The Need for a Security Policy

It is important to understand that network security is an evolutionary process. No one product can make an organization “secure.” True network security comes from a combination of products and services, combined with a comprehensive security policy and a commitment to adhere to that policy from the top of the organization down. In fact, a properly implemented security policy without dedicated security hardware can be more effective at mitigating the threat to enterprise resources than a comprehensive security product implementation without an associated policy.
