CHAPTER 25

LOCAL AREA NETWORKS

Gary C. Kessler and N. Todd Pritsky

25.1 INTRODUCTION

25.2 POLICY AND PROCEDURE ISSUES

25.3 PHYSICAL SITE SECURITY

25.4 PHYSICAL LAYER ISSUES

25.4.1 Sniffers and Broadcast LANs

25.4.2 Attacks on the Physical Plant

25.4.3 Modems, Dial-up Servers, and Telephone Lines

25.4.4 Wireless LAN Issues

25.5 NETWORK OPERATING SYSTEM ISSUES

25.5.1 Windows 9x

25.5.2 NT/2000, XP Vista

25.5.3 UNIX

25.5.4 MacOS

25.6 CONCLUSION

25.7 FURTHER READING

25.8 NOTES

25.1 INTRODUCTION.

This chapter discusses generic issues surrounding local area network (LAN) security. Securing the LAN is essential to securing the Internet because LANs are where most of the attackers, victims, clients, servers, firewalls, routers, and other devices reside. Compromised LAN systems on the Internet open other nodes on that local network to attack and put other systems at risk on the Internet as a whole. Many of the general issues mentioned herein are described in more specific terms in other chapters of this Handbook, such as Chapters 15, 22, 23, and 47 in particular.

25.2 POLICY AND PROCEDURE ISSUES.

Twenty years ago, all users had accounts on a shared mainframe or minicomputer. A single system manager was responsible for security, backup, disaster recovery, account management, policies, and all other related issues. Today all users are system managers, and, in many cases, individuals have responsibility for several systems. Since the vulnerability of a single computer can compromise the entire LAN, it is imperative that there be rules in place so that everyone can work together for mutual efficiency and defense. But where polices and procedures can be centralized, they should be, because most users do not take the security procedures seriously enough.

The next list, modified from the Internet Engineering Task Force (IETF) Request for Comment (RFC) 2196, is a rough outline of LAN-related security policies and procedures that should at least be considered.¹

1. Administrative Policies Framework
   1. Information Security Issues
      1. Password management procedures
         • (1) Are passwords assigned or chosen by user?
         • (2) Are password auditing procedures in place?
         • (3) Are password policies enforced (e.g., minimum length, allowed and required characters, expiration, blacklisting)?
         • (4) How many passwords are required to access all systems?
      2. Virus protection
         • (1) Are servers protected?
         • (2) Is there an e-mail “viruswall”?
         • (3) Is virus protection a centrally managed activity, or up to each user?
         • (4) How do users maintain the current virus signature database?
      3. Encryption and certificates
      4. Security event handling
   2. Network Connectivity Issues
      1. Dial-up access
      2. Hubs versus switches
      3. Identification and authentication
         • (1) Passwords and management
         • (2) Authentication systems
         • (3) Two-factor authentication?
         • (4) Single sign-on?
         • (5) Biometrics
   3. Physical site security and disaster recovery
      1. Physical security of systems
      2. Dial-up access lines and modems
      3. Scheduling backups
      4. Access to servers
      5. Storing and limiting access to backup media
      6. Disaster recovery and contingency plans
   4. Operating system and LAN security
      1. Operating system-specific issues
         • (1) Monitoring operating system security vulnerabilities
         • (2) Applying security patches
         • (3) Securing the OS during installation
         • (4) Auditing the systems
      2. Is Dynamic Host Configuration Protocol (DHCP) employed?
      3. Log analysis software and procedures
      4. Vulnerability testing
      5. Intrusion detection tools
2. User Policies Framework
   1. Written, published network security policy
   2. Network/Internet Appropriate Use Policy (AUP)
   3. User training and education
      1. Security (general issues)
      2. Importance of protecting customer data, client information, and other private information such as medical claim records and patient information
      3. Policies and AUPs
      4. Suggestions for how to be safe
   4. Virus protection
      1. Using antivirus software
      2. Maintaining a current virus signature database
   5. Choosing good passwords
   6. Best practices
      1. E-mail (netiquette and handling attachments)
      2. Browser (shut off Java, JavaScript, ActiveX, and other auto-execution code)
      3. Microsoft Office Suite
         • (1) Use of macros
         • (2) Implications for document management
      4. Protecting files on the server and your own system
         • (1) Use of Windows “shares” and UNIX NFS
         • (2) Use of NetWare, New Technology File System, (NTFS), and UNIX access controls
         • (i) Spotting a possible compromise (methods for identifying intrusions or other unauthorized activity)
         • (ii) What to do and whom to contact if a compromise is suspected
   7. When trouble strikes (computer emergency response procedures)

Not every issue will apply to all networks, but each LAN is an ever-evolving entity, and the policies guiding its operation also must evolve.

25.3 PHYSICAL SITE SECURITY.

The physical protection of the site is very important but too often overlooked. One reason that site security is often lacking is that some of the policies and procedures can be perceived as messages to employees that they are not trusted. Nevertheless, physical site security includes many aspects of protecting network servers, communications facilities, individual user's systems, and information.

For more information on facilities security, see Chapters 22 and 23 of this Handbook.

25.4 PHYSICAL LAYER ISSUES.

The LAN itself has a number of additional vulnerabilities because the systems and media are so widely dispersed. This section discusses securing the LAN infrastructure.

25.4.1 Sniffers and Broadcast LANs.

Traditional LAN media access control (MAC) schemes operate assuming a logical, if not physical, broadcast topology. In a broadcast network, every station hears every transmission. When operating in promiscuous mode, a LAN station will read every frame that goes by regardless of whether the frame is addressed to the station or not.

When protocol analysis, or sniffer, software became available in the 1980s, every station on the LAN became a potential network analysis and management tool—or a surreptitious eavesdropper. Since so many of the network's applications—particularly TCP/IP-based applications—transmit passwords and files in plaintext, this type of software is potentially very dangerous.

A number of sources offer very powerful and very flexible commercial packet-sniffing software, such as Network Associates' SnifferPro and Novell's LANalyzer. These packages usually have additional capabilities, such as network monitoring, performance monitoring, and traffic analysis. Prior to 1990, network protocol analysis required a special piece of hardware with a connection to the network. Today, a large number of software packages that do TCP/IP packet sniffing can help an intruder because they can be installed directly on an individual's laptop or desktop computer. Some of these packages include:

• BUTTsniffer (Windows NT)
• Ethereal (Windows, Unix)
• Network Monitor (free with, and for, Windows NT)
• Sniffit (Linux, SunOS, Solaris, FreeBSD, Irix)
• snort (UNIX)
• Solsniff (Solaris)
• tcpdump (UNIX)
• WinDump (Windows 9x/NT)

Relatively few countermeasures can be taken against these kinds of tools. Fortunately, they are effective only on a broadcast network such as a hubbed LAN. If an Ethernet hub, for example, is replaced with a switch, the only traffic broadcast to all hosts on the network are those frames actually addressed to the LAN's broadcast address. In this case, a station can sniff only that traffic that is going to or coming from the station with the sniffer software. Replacing all hubs with switches may be unreasonable in many environments, but placing all servers on a switch instead of a hub will improve both performance and security.

Other network-based tools that can detect a host with a network interface card (NIC) in promiscuous mode, such as AntiSniff (Windows) and sentinel (UNIX). These tools work by performing a number of tests to detect the promiscuous host; they then check the network host's operating systems, domain name system (DNS) activity, and network and machine latency. An excellent overview of antisniffer tools can be found at www.securitysoftwaretech.com/antisniff/tech-paper.html.

Sniffers can be defeated using cryptography. Use of secure IP (IPsec) and secure shell (SSH) for TCP/IP applications can provide privacy and integrity to all communication and applications. IPsec is available from any of the IPSec Developers Forum members (www.ip-sec.com), and SSH is available from SSH Communications Security (www.ssh.com).

25.4.2 Attacks on the Physical Plant.

The most common medium employed today on LANs is copper-based, unshielded twisted pair (UTP) cable. All copper media, including UTP and coaxial cable, emanate a magnetic field because of the changing current on the wire. Van Eck monitoring devices can pick up these emanations remotely and reproduce the frames on the wire or keystrokes at a machine. As far-fetched as this might sound, the vulnerability is very real. The U.S. Government and military have a set of standards to reduce and limit electromagnetic radiation (EMR) called TEMPEST, and the National Security Agency (NSA) has a list of products that are TEMPEST-compliant. Indeed, this vulnerability may not be a major problem in most organizational networks, but there is some set of networks where this is a concern. An excellent source of TEMPEST information can be found at www.eskimo.com/~joelm/tempest.htm.

An alternative to encasing workstations in Faraday cages (i.e., copper mesh layers surrounding all components) is to generate random electronic noise that masks meaningful radiated data transmissions.²

One way to reduce or eliminate EMR is to reduce or eliminate the amount of copper media on the network. Optical fiber, for example, has no EMR because there is no electricity on the line. It does not eliminate the EMR at the desktop itself, but it does prevent its entry into all interconnecting fiber cables.

Users also can be the source of some types of denial-of-service (DoS) attacks, either purposely or accidentally. Consider coaxial cable Ethernet networks (10BASE-5 or 10BASE-2) where nodes are attached to a common LAN medium. In both cases, the coaxial cable has a terminating resistor at the end of the wire to eliminate reflection of the signal. If the resistor is removed, it allows extra noise on the wire that can block all traffic on the network. End-of-cable resistors should be beyond the reach of users if at all possible.

Similar DoS attacks may occur whenever users modify the wiring scheme of the network. Removal of terminating resistors is only one action that can cause problems. Hubs in common areas might be unplugged or have network connectors removed. A token ring hub-to-hub connection can be detached, breaking the integrity of the ring and thus preventing LAN hosts from communicating with other hosts and denying service to users.

It is important that the physical network should be secured to the greatest extent possible. LAN managers should educate users to avoid the accidental problems that might occur and even how to recognize nefarious attacks.

25.4.3 Modems, Dial-up Servers, and Telephone Lines.

Modems any-where on the LAN are a potential danger, particularly those that are connected directly to a user's system, with or without official sanction. Modems can provide a back door into the LAN, possibly bypassing the firewall, strong authentication, proxy server, and any other network security.

In general, all modems should be concentrated at the network's dial-up server. Individual user systems should, in most cases, be banned from having modems on the network. This is a difficult rule to enforce, however, because laptops and an increasing number of desktop systems include preinstalled modems, and a user can always connect an external modem to the serial port of any system. This is an example of why security managers have to integrate policies into the culture of an organization. Otherwise, users will find a way around what they perceive to be prohibitive and onerous policies, and modems are one way to circumvent the corporate firewall.

Modems in auto-answer mode are particularly dangerous. Although most companies do not advertise their dial-in telephone numbers, these numbers do not remain secret for very long from someone who wants to find them. Anyone with a telephone directory can easily start mapping an organization's block of corporate telephone numbers. For example, if the main number is 802-555-3700, attackers have a place to start. When attackers call the main number and ask the receptionist for the organization's fax number, they obtain even more information. Using war-dialer software, attackers can scan an entire block of telephone numbers (e.g., 555–3700 through 555–3799) and obtain a list of which numbers are active, which respond with a tone, and what the tone represents (e.g., fax, modem, etc.). If a user has an auto-answer modem on a computer, attackers may gain access to the user's system without so much as a password. Security managers should work with their local telephone companies to obtain telephone numbers for modem lines that are not in the organization's telephone block.

The dial-up server, then, is the place to concentrate the modems and the authentication of dial-up users. There are several strategies for authentication at the dial-up server, the strongest being some form of two-factor authentication, such as a combination of passwords and a token. Another strong protection mechanism is to implement a dial-back mechanism, so that once a bona fide user logs in, the system hangs up and calls back to a preconfigured telephone number. This is a very effective scheme that works well with fixed-location telecommuters but not with roaming employees. In addition, attackers have been known to tamper with the central switch of a telephone company to call-forward from an assigned number to the attacker's own modem.

When a user requires two separate logons, one to the dial-up server and then one to a domain server, security restrictions should control what the caller is allowed to do after passing the first test. One of the authors of this chapter worked with a company that had a shared secret (an oxymoron) telephone number for its modem bank and then a single shared username and password for all the users to authenticate to the dial-up server. To access files and shared network resources, the user then had to authenticate to the domain controller. But after passing the identification and authentication for the first server, an attacker was on the organization's LAN and had complete, unfettered access to the Internet and an identity that implicated the company in any possible malfeasance.

Some guidelines for securing dial-up servers include:

• Maintain and monitor telephone logs
• Configure all software and modems so that a user logout forces the modem to disconnect, and a modem disconnect forces a user logout.
• Configure the modems so that they return to their default configuration after every connection.
• Implement a dial-back mechanism, where possible.
• Use two-factor authentication for roaming users.
• Periodically scan internal telephone numbers for unauthorized modems.
• Prevent the display of any banner message when the user connects to the modem, and certainly do not display any sort of welcome message.
• Train the organization help desk in social engineering techniques, and prohibit them from giving out modem telephone numbers, user names, or other sensitive information that could help attackers.

25.4.4 Wireless LAN Issues.

Wireless LANs (WLANs) have vulnerabilities their wired counterparts do not. The most obvious difference between wired and wireless networks is the medium itself. Although copper-based LANs emit a small amount of radiation that can be intercepted, the entire basis of wireless LANs is transmitting data using relatively strong radiation in some form.

There are WLANs based on infrared signals that cannot penetrate building walls and so achieve some degree of security due to the limited propagation of those signals. Such LANs typically are found in networks requiring high levels of security. However, most WLANs today use radio transmission techniques. In these networks, anyone on a nearby street can use a listening device to intercept data and even capture the network identifiers required to connect to the LAN. The practical range of interception is governed by the inverse-square law for the signal strength (it declines as the square of the distance from the source) and by the sensitivity and signal-to-noise characteristics of the receivers.

Fortunately, there is a certain measure of security within the physical layer itself. IEEE 802.11-based LANs employ either Direct-Sequence Spread Spectrum (DSSS) or Frequency-Hopping Spread Spectrum (FHSS) techniques. As always, depending on range and noise levels, it is possible to eavesdrop. However, interpreting the signals is made more difficult by how DSSS and FHSS work.

To make sense of the transmissions, the receiver must know either the chipping code used in a DSSS network or the frequency-hopping pattern in an FHSS implementation. Without such information, the signal will appear to be nothing more than background noise to the illicit receiver. It is not an insurmountable problem for the would-be eavesdropper, but the work factor is greatly increased when compared to narrowband radio techniques. The spread spectrum approach also offers more reliability in the face of interference from denial of service (i.e., intentional jamming), as the signal is spread over a broad range of frequencies. Some vendor equipment also comes with software components that allow for tuning around interference.

For greater privacy than that provided by the physical layer alone, the 802.11 standard includes an optional encryption method called Wired Equivalent Privacy (WEP). This technique is truly optional so not all vendors support the standard. WEP uses a 40-bit form of the RC4 algorithm by default, although some products support stronger, 128-bit versions. It is a good idea to choose a product that offers more than just the 40-bit version, as a 40-bit keyspace does not provide great security given today's computing power.

Because WEP does not offer strong encryption and does not describe a standard key-exchange mechanism, many vendors have implemented layer three tunneling methods, such as those found in virtual private networks (VPNs), to provide greater privacy. These VPN-based approaches generally employ other encryption processes (e.g., Microsoft Point-to-Point Encryption) as used in the Point-to-Point Tunneling Protocol (PPTP) that use longer keys than WEP and often support Public Key Infrastructure (PKI) or other key-exchange mechanisms. Some implementations also provide authentication through standards such as Remote Access Dial-In User Service (RADIUS) for more flexible client management. The major problem is that these approaches are not all interoperable and are not necessarily multiprotocol capable.

WEP also can be used for authentication to prevent unauthorized access to the WLAN itself. Such authentication adds another layer of protection to the username and password combination employed by typical server software. Before gaining access to information resources on the server, a client first must gain access to the physical medium. Using the shared key scheme, a wireless device must possess the same encryption key as the LAN's access point, the device enabling wireless connectivity to the wired portion of the LAN. Any data transmitted must be encrypted with the key, or the frame will be ignored. Many wireless access products also have the capability to create access control lists based on MAC addresses to filter LAN connections.

In summary, network managers should consider these security items when evaluating wireless network components:

Physical Layer Schemes

• Infrared. Cannot penetrate walls and is good for high-security applications
• Frequency-hopping spread spectrum. Signal hopping provides good level of security but complexity of technique limits bandwidth
• Direct-sequence spread spectrum. Low “spreading ratio” can increase available bandwidth but also the possibility of interception and jamming

Encryption Options

• Wired equivalent privacy. Optional default is low-grade encryption, 40-bit strength
• Alternative encryption methods. Often more secure than WEP but not always interoperable

Authentication Methods

• Wired Equivalent Privacy. Requires clients to have the same encryption key as the LAN access point, which introduces key management issues
• Access control list. Allows only certain clients to gain physical access to the LAN, based on the MAC address; this adds complexity to client management
• Server-based authentication. Flexible user authentication with RADIUS for an additional layer of protection from illicit connections

25.5 NETWORK OPERATING SYSTEM ISSUES.

In the early 1990s, it was common to find desktop systems running the Windows operating system and the Novell NetWare network operating system (NOS). Desktop applications ran over Windows, and NetWare was used only to move files to and from the shared file space, or to print documents.

Today, the distinction among the desktop operating system, server operating system, and NOS is disappearing. Operating systems such as Linux, MacOS, UNIX, and Windows all provide desktop application suites with networking capabilities, including communications protocols such as TCP/IP. There are some general security considerations for all LANs regardless of the specific operating system:

• Use whatever capabilities are provided by the operating system to employ strong passwords.
• Create password policies that force strong passwords. Change passwords periodically and do not allow reuse. Periodically audit passwords using password-cracking tools such as L0phtCrack (Windows NT) or crack (UNIX). Ensure that the administrator and root accounts are given passwords that are not widely distributed or guessed.
• Disable (or uninstall) any services that are not being used.
• Keep the operating system and application software up to date, and with the latest security patches installed.
• Carefully manage access control lists for files and other system/network resources.
• Strictly define users, groups, and network/domain trusts.
• Tightly secure any running applications.
• Log on as administrator or root only when necessary; otherwise log on as a regular user.
• Allow operators and administrators to log on only locally at server systems.
• Limit use of guest, demo, or anonymous accounts.
• Where feasible, put boot and system files as well as application files and data on different partitions, hard drives, or I/O controllers.
• Regularly audit server systems.
• Monitor log files.
• Remove floppy, CD, and DVD drives from servers after the system has a stable configuration.
• Implement best industry practices when securing the operating system.
• Use vulnerability assessment tools on a regular basis to scan servers.
• Use intrusion detection tools to monitor potential attacks on the LAN that are launched from the internal network.
• If using the Simple Network Management Protocol (SNMP) for network administration, carefully choose community names and block external access to the SNMP service. Make Management Information Bases (MIBs) read-only, where possible.
• Avoid use of the Domain Name System (DNS) HINFO (host info) resource record to identify the central processing unit type and the installed operating system.

Specific operating system vulnerabilities are beyond the scope of this chapter; entire books and Web sites are devoted to securing some of these individual operating systems. At a minimum, network managers must monitor their operating system vendor's Web site and all other sites that cover the NOS's security. The sections that follow provide some general observations and comments about the various network operating systems.

25.5.1 Windows 9x.

All of the Windows operating systems (including NT and 2000) support peer-to-peer resource sharing and are vulnerable to exploitation of NetBIOS file and print sharing. In particular, when file and print sharing is enabled, the service is, by default, bound to TCP/IP. Although this does not cause an additional exposure to systems on the local network (since shares can be seen by other nodes on the LAN anyway), it does provide a potential vulnerability for hosts connected to the Internet. File and print sharing can be unbound from TCP/IP using Start, Control Panel, and Network.

Windows 9x (including Windows 95, Windows 98, and Windows ME) systems also have a vulnerability in the way authentication is performed when a user wishes to access a remote share. Windows uses the challenge-handshake authentication protocol (CHAP) for all passwords that need to be sent over the network, so passwords never appear in plaintext on the LAN. However, because Windows 9x uses the same challenge during a given 15-minute period, an intruder with a physical access to the LAN and to a sniffer could effect a replay attack by resending a duplicate authentication request and remapping a share on the Windows 9x system. This example illustrates the critical role of physical security in preventing compromise of LANs.

One of the best-known Trojan horse programs for Windows 9x is Back Orifice (BO). Advertised as a remote Win9x administrator tool, it can be used by a nefarious user to take total control of someone else's system, including the capability to modify the registry, reboot the system, transfer files, view cached passwords, spawn processes, and create shares. NetBus is another tool that can be used to take control of a remote Windows system. Some commercial virus scanners can detect these programs on individual systems, and several workstation firewalls exclude communications characteristic of these Trojans.

Windows 9x has no particular logon security mechanism. Although every user might be forced to log on to a system, any user can log in with any username and any password to get at least basic access. Several password-cracking programs are available through the Internet to break Windows' .PWL password files, which are accessible once a user has access to the network. If a password-protected screen saver is preventing an attacker from logging in, there is an easy way around this as well: Simply reboot the computer. However, third-party security programs include nonbreakable secure logins and secure screen savers; many include bootlock functions that prevent any access whatever unless a valid password is entered. Current examples of such software can be located easily using buyers' guides such as the annual listing from the Computer Security Institute.³

25.5.2 NT/2000, XP Vista.

From a security perspective, Windows 2000 Millennium Edition (ME) is not significantly stronger than Windows 9x. Network administrators should periodically scan the network's public shares to ensure that they are appropriate. Windows NT Server, NT Workstation, and 2000 Server editions are built for security, and network services and have the software architecture to support these services. However, a security vulnerability announcement related to these operating systems seems to come out almost weekly. Many of the hacking tools available for Win9x also are available for Windows NT and 2000; Back Orifice 2000 (BO2K), for example, is an NT/2000 version of BO and NetBus also can take control of an NT/2000 host.

Scripting holes in Internet Explorer (IE) and Office 2000 make all Windows systems susceptible to a variety of new virus and worm attacks. Although the early viruses, such as Melissa and I LOVE YOU, required users to open e-mail attachments, that is no longer so. Microsoft Outlook and Outlook Express will execute HTML and script code in the body of an e-mail by default. Several ActiveX components also will execute from an e-mail containing HTML and script code; examples of such controls include Scriplet.typlib (ships with IE 4.x and 5.x) and the UA control (Office 2000). The best protection against these types of vulnerabilities are to define Outlook and Outlook Express to read e-mail in the “Restricted Sites Zone” and disable all Active Scripting and ActiveX related settings inthatzone. This vulnerability affects all Windows systems with Office 2000 or Internet Explorer 4.x/5.x installed, even if IE is not used.

Securing Windows NT/2000 systems is well beyond the scope of this chapter, but some of the precautions, in addition to those listed already, follow.

• Format the drive using NTFS rather than FAT.
• Use long file names and disable the DOS 8.3 naming format.
• Disable the Everyone group.
• Rename the administrator account.
• Turn auditing on. (It is off by default.)

All NT-based systems have been given the C2 security rating by the National Computer Security Center. At the time of this writing, Windows NT 3.5 and 4.0 and Windows 2000 SQL Server version 8.0 have completed the evaluation process. Windows 2000 Server has been submitted by Microsoft and is expected to be given the C2-level rating. This means that when Windows is installed correctly, it meets evaluation criteria set forth in the NCSC's Orange Book of security specifications. C2 certification is not applied to the operating system itself; rather, it is applied to a particular installation. Microsoft provides tools to audit a site so administrator(s) can deploy the correct hardware and software configurations to achieve this level of security in a network.

Windows 2000 introduced a new feature that administrators might want to employ. Windows NT introduced the ability to compress and decompress files on the fly. Windows 2000 introduces the capability to encrypt and decrypt files on the fly. The Encrypting File System (EFS) uses public key cryptography and the Data Encryption Standard (DES) to encrypt files on the hard drive. EFS includes an optional capability for a recovery mechanism in case of key loss. Organizations using EFS on critical systems should consider employing this mechanism to protect against loss or destruction of the private key.

Windows XP, which has sold well over 400 million copies and still enjoys by far the largest installed base of any Microsoft OS, introduced a number of security-oriented features. The major improvement was the inclusion of a firewall capability in both the Home Edition and Professional versions. Professional goes a couple of steps further by offering EFS file encryption, Kerberos,⁴ smart card support, and a new software restriction feature allowing administrators to mitigate the impact of viruses and Trojan horses. XP also supports raw sockets, which in itself is not unusual—UNIX and Linux do as well. This feature is intended to increase the functionality of Internet services, but in Microsoft's implementation, it is available to any user, no matter what privilege level. Thus hackers can possibly gain control of a computer running XP and use it to initiate DoS attacks by commanding the OS to generate a flood of traffic.

Although Microsoft's Windows Vista was released with much fanfare—and after a number of delays—it has not been as widely implemented as might have been due to concerns about security and stability of the platform, not to mention a perception that many of the security features create a great deal of inconvenience in the user experience (e.g., User Account Control, to be described, and the Digital Rights Management implementation). Regardless, a prime mover of Vista development was Microsoft's Trustworthy Computing initiative, and as such, a number of new security capabilities were added.

Features include User Account Control (UAC), Bitlocker Drive Encryption, Windows Defender, Data Execution Prevention, Application isolation, Windows Service Hardening, Network Access Protection, and a variety of others. UAC is the most visible from the user perspective, requiring user intervention before allowing any action that requires administrative-level privileges. These include:⁵

• Right-clicking an application's icon and clicking “Run as administrator”
• Changes to files or folders in %SystemRoot% or %ProgramFiles%
• Installing and uninstalling applications
• Installing device drivers
• Installing ActiveX controls
• Changing settings for Windows Firewall
• Changing UAC settings
• Configuring Windows Update
• Adding or removing user accounts
• Changing a user's account type
• Configuring Parental Controls
• Running Task Scheduler
• Restoring backed-up system files
• Viewing or changing another user's folders and files

As an interesting historical aside, the National Security Agency assisted Microsoft in the development of Vista. As reported in the Washington Post in January 2007:

It is left as an exercise for the reader to decide whether having a spy agency working on a premier OS is a good thing or not.

One of the most important capabilities for the network security manager is to audit the Windows server systems to protect their integrity. These tools are part of the base operating system or the Windows NT Resource Kit:

• netstat examines open ports.
• Event Viewer examines application, security, and system logs.
• net start, net user, net group, net local group display running services, users, groups, and local groups.
• dumpel converts Event Viewer logs to ASCII files.
• NetMon displays network traffic.
• netsvc displays local and remote running services and drivers.
• addusers displays users and groups.
• findgrp displays local and domain groups for a user.
• local and global show all members of specific local or global groups.
• dommon displays trusted domains.
• xcacls examines the file Access Control Lists (ACL).
• perms examines the ACLs associated with a user
• sysdiff displays changes in the Registry and file system.
• regdmp creates an ASCII version of the Registry.
• ralist lists a domain's Remote Access Servers (RAS).
• rasusers lists users authorized for dial-in access.

25.5.3 UNIX.

UNIX is the oldest operating system still in widespread, growing use today. Readers needing guidance for Novell Netware should refer to Chapter 18 in the fourth edition of this Handbook. Originally developed in 1969 at AT&T Bell Laboratories, UNIX became the first operating system to integrate network communications when TCP/IP was bundled into Berkeley Software Development (BSD) 4.2 UNIX in 1984. UNIX had traditionally been reserved for server systems and hardcore computer users. With the development of the X-Windows interface for UNIX and the wide deployment of Linux since the mid-1990s, UNIX and its variants represent the only significant competition to Windows in the desktop and server environment.

Like TCP/IP and the Internet itself, UNIX was developed for functionality and use within a trusted user community. As such, while UNIX has many powerful tools, it does not have a cohesive security architecture, nor is it an inherently secure operating system.

UNIX has most of the basic operating system protections: passwords, access control lists, groups, user privilege levels, and so on. But UNIX also comes with a large variety of services (daemons) enabled by default, including FTP, Telnet, finger, echo, chargen, daytime, RPC, BIND, and more. In addition, nearly every UNIX daemon has had some sort of security vulnerability reported at one time or another, with buffer overflows being quite prevalent.

There are many things that an administrator should consider when securing a UNIX/Linux system. In addition to the general steps just listed, the security manager might also:

• Disable (or remove) any unused services, particularly finger, the BIND name daemon (named), RPC, sendmail, Trivial FTP (tftp), POP/IMAP, sadmind, mountd, and NFS.
• Install the latest version and security patch of all installed software.
• Take great care when configuring access control lists and other sharing.
• Prevent running Sendmail in daemon mode (turn off the -bd switch) on machines that are neither mail servers nor mail relays.
• Limit use of the “r” remote access protocols.
• Use shadow password files.
• Implement TCP Wrappers to control access to services.
• Consider using encrypted communication protocols, such as Secure Shell (SSH) or Secure Sockets Layer (SSL), for remote access. Prevent transmission of cleartext passwords over the Internet.

One of the most important capabilities for the network/security manager is to audit the Windows server systems to protect their integrity. These tools are part of the base operating system or the Windows NT Resource Kit:

• netstat examines open ports.
• lsof displays hidden file space and network connections.
• tcpdump displays network traffic.
• who displays users that are logged on and the utmp log file.
• last displays login history, and the wtmp log file.
• lastb display a history of bad logins (and the btmp log file).
• syslogd is a central server facility for managing and logging system messages.
• TCPWrapper monitors and manages incoming service requests.

25.5.4 MacOS.

Although the Macintosh operating systems have mostly given way to Windows and UNIX, at least for server systems, they are still worth mentioning. The Macintosh was the first desktop operating system that included networking and resource sharing as integral elements. But like UNIX and TCP/IP before it, the MacOS is designed for convenience and usability but not for security.

Because of its peer-to-peer nature, MacOS has a number of potential exposures. Although Windows and UNIX also can operate in a peer-to-peer mode, a novice user generally will not know how to share resources and thereby may not inadvertently open holes. On the Mac, however, every user is a system administrator and can accidentally open holes to the system. Consider, for example, that a user can share individual files, folders, or disk volumes. Unlike Windows, where a directory is marked as not shared, read, or full, Mac file sharing is more complex and allows the user to establish a set of trusts that require a fair amount of cooperation and knowledge by the users. Network communication is via the proprietary AppleTalk protocol, but this sharing capability is also available over TCP/IP in MacOS.

A nefarious Mac network user can quickly see what servers and shares are available on the network by using the Chooser accessory. Network administrators are advised periodically to scan the network in order to ensure that no users have accidentally enabled more “Guest” access than they intended. However, such guest access is a potentially gaping hole if using TCP/IP. Personal file sharing should be disabled, but if file sharing is required, administrators should establish a central file server, with security provisions.

In desktop use, Macs have relatively little security. Password protection is provided by default only with some laptop systems, and not even a password-protected screen saver comes standard with the system. In short, there is very little standing between a determined attacker and a Mac computer. Third-party software is required to provide password protection against access to the system and files, or for data protection with disk encryption.

Mac-based viruses and worms are much less prevalent than their Windows counter-parts, but Macs are not totally immune. First, those viruses that depend on Microsoft Office Suite software will work because the Mac versions of Word and Excel employ macros. Second, Internet-based attacks aimed at TCP/IP—such as the Ping-of-Death, Teardrop, and SMURF—can still affect a Mac server. There are a few third-party antivirus packages specific for the Mac, for example, Norton Antivirus.

Increased security can, indeed, be added to individual Mac systems, using such tools as:

• DiskLocker software, which write-protects the hard drive, and FileLock that allows write-protecting individual files
• Empower, which adds strong access control to applications and files
• MacPassword and Sesame, which provide complete password protection for a Mac system, including multiple password levels as for administrators and users

Any system that can employ passwords will also have password crackers, and the Mac is no exception. Password crackers abound for the Mac but they do not target the MacOS itself, since the operating system does not have passwords. Instead, the crackers attack passwords associated with certain MacOS applications. For example:

• FirstClass Thrash! and PassFinder attack FirstClass passwords, an application often used to transform a Mac into an Internet mail and news server
• FMProPeeker, FMP Password Viewer, and MasterKey crack FileMaker passwords.
• Password Killer circumvents PowerBook security.
• Remove Passwords and RemoveIt both break passwords associated with StuffIt archives.

It is just as important to keep the version of MacOS up to date as the other operating systems. Macs running System 7.1 and 7.8, for example, are known to crash if they are subject to a large volume of port scans. Many schools and businesses use FoolProof to limit user access to files and other resources; it also appears to store passwords in memory in plaintext so that any user with a memory editor can access password lists. And the installation of System 8.0 on top of earlier versions of MacOS (on a PowerBook) can disable the Password Control Panel and any password protection. These examples demonstrate the need to stay abreast of security warnings and patches.

A number of Mac administrative tools can be used to improve security. Among these are:

• InterMapper, an SNMP-based network management tool for both AppleTalk and IP
• MacRadius, a Mac version of RADIUS to protect dial-in servers and services
• NetLock, a powerful data security application that employs encryption to protect network sessions, passwords, logins, and other information
• Network Security Guard, software that scans MacOS systems for security vulnerabilities

There are fewer MacOS security incidents reported because the greater popularity of Windows NT and UNIX servers make it easier to learn about them, because there are more potential targets, and because one single attack can affect more systems. Put another way, there are fewer attacks on Macs because the hacker community is not as familiar with them, and there are fewer attractive targets.

25.6 CONCLUSION.

A good administrator can secure almost any NOS, although no NOS is secure initially. The network administrator needs continuous vigilance and monitoring, while recognizing that the operating system is only a part of the overall security plan for the LAN and network services. Most network administrators, due to the nature of their job and training, focus exclusively on the computers attached to the LAN and to the LAN's operating system and software. Unfortunately, this approach is too narrow in its scope. Personal firewall software also might be employed to protect individual systems against attack, but almost all of these products are oriented toward IP-based attacks and miss attacks that employ the NOS's native operating system.

Routers, network firewalls, and proxy servers are essential for protecting LAN systems from attack by an external source. The network administrator also must provide tools to protect servers and workstations from other users on the LAN.

25.7 FURTHER READING

This section lists some books, articles, and Web sites that cover the issues addressed in this chapter. Administrators should monitor vendor, operating system, and security Web sites that will have up-to-date, timely additional information.

Brenton, C. Mastering Network Security. San Francisco: SYBEX, 1999.

Edwards, M. J. Internet Security with Windows NT. Loveland, CO: Duke Press, 1998.

Fraser, B., ed. “Site Security Handbook.” RFC 2196/FYI 8, September 1997; ftp://ftp.isi.edu/in-notes/rfc2196.txt (accessed November 24, 2000).

Garfinkel, S., and G. Spafford. Practical Unix and Internet Security. Sebastopol, CA: O'Reilly & Associates, 1996.

IEEE Working Group for WLAN Standards; grouper.ieee.org/groups/802/11/.

Landau, T. Sad Macs, Bombs, and Other Disasters, 4th ed. Berkeley, CA: Peachpit Press, 2000.

L0pht. “Overview of AntiSniff,” November 24, 2000. www.securitysoftwaretech.com/antisniff/tech-paper.html.

Mann, S., and E. L. Mitchell. Linux System Security: The Administrator's Guide to Open Source Security Tools. Englewood Cliffs, NJ: Prentice-Hall, 2000.

Maximum Security, 2nd ed. Indianapolis: SAMS, 1998.

McNamara, J. “The Complete, Unofficial TEMPEST Information Page,” October 2, 2000; www.eskimo.com/~joelm/tempest.html (November 21, 2000).

National Computer Security Center. “Commercial Product Evaluations,” www.radium.ncsc.mil/tpep.

Payne, W. H., T. Sheldon, and B. Payne. The Complete Reference to Netware 5. New York: McGraw-Hill, 1999.

Rizzo, J., and K. D. Clark. How Macs Work, Millennium ed. Indianapolis: Que, 2001.

SANS Institute. “How to Eliminate the Ten Most Critical Internet Security Threats: The Experts' Consensus,” V1.32, January 18, 2001; www.sans.org/topten.htm (accessed March 6, 2001).

SANS Institute. “Securing Linux Step-by-Step Guide,” V1.0. www.sansstore.org (November 23, 2000).

SANS Institute. “Securing Windows NT Step-by-Step Guide,” V2.15, July 30, 1999; www.sansstore.org (accessed November 23, 2000).

SANS Institute. “Top 20 List.” www.sans.org/top20/.

Scambray, J., S. McClure, and G. Kurtz. Hacking Exposed, 2nd ed. Berkeley, CA: Osborne/McGraw-Hill, 2001.

Schmidt, J., T. Hadden, T. Davis, D. Bixler, and A. Kachur. Microsoft Windows 2000 Security Handbook. Indianapolis: Que, 2001.

Steen, W., ed. Netware Security. Indianapolis: New Riders Publishing, 1996.

University of Toronto. “Local Area Network Security Guidelines,” November 21, 2000; www.utoronto.ca/security/LAN.htm.

Wireless Ethernet Compatibility Alliance, www.wirelessethernet.org.

Wireless LAN Association, www.wlana.org

25.8 NOTES