▶ 10.1 The Network Security Problem
The modern local area network (LAN) emerged at the same time and place as the modern personal computer: in the 1970s at Xerox Corporation’s Palo Alto Research Center, commonly called PARC. Researchers at PARC produced the Alto, the prototype of today’s personal computer (FIGURE 10.1). PARC installed a prototype Ethernet to connect the Altos together. Alto users shared printers, files, and other resources across this early LAN.
FIGURE 10.1 The Xerox Alto (photographed at the Computer History Museum, California).
Courtesy of Dr. Richard Smith.
Local networks became an essential desktop feature in the 1980s. Office desktops rarely had internet connections until the late 1990s, but all had LANs to share files and printers. In most cases, these LANs used improved Ethernet products.
When we talk about computer networks, even the simplest network has two parts: the hosts and the links. A host is a computer connected to the network. A link is a component that connects the host to other hosts or to the networks. The simplest network consists of two hosts with a single wire linking them. More complex networks may include separate devices that connect multiple hosts together or that connect networks together.
Even today, wired network connections remain popular. As wireless connections improve in speed and reliability, so do wired connections. It seems likely that a wired LAN always will run faster and more reliably than wireless. It is easier to control and protect a signal on a wire. Wireless LAN signals, on the other hand, must compete with other sources of electronic signals and noise, including motors, microwave ovens, audio/video equipment, and so on. Not only do physical wires isolate a LAN from random noise and interference, they also protect it from outsiders. When we wire up a LAN, it is usually inside a building. We can lock the LAN away from outsiders. We can keep track of which computers we attach to the wired LAN and which we omit.
As networks grow larger, however, it becomes harder to keep track of its computers. Most wired networks use standard plugs and jacks. If someone can reach an unused jack that’s connected to the network, it’s easy to connect another computer. Some organizations try to keep a strict accounting of every authorized computer, but many don’t. A malicious visitor can easily plug in to an unused jack; now the network is no longer isolated from attacks.
The rest of this section reviews the following:
■ Possible attacks on the network
■ Defending the network via physical protection
■ Defending hosts against attack
The rest of the chapter gives a tutorial on networking fundamentals. These technical details will give us a better understanding of the risks and how our defenses work.
10.1.1 Basic Network Attacks and Defenses
We increase a computer’s attack surface when we connect it to other computers. Networking introduces new attack vectors. There are six general attack types, all of which apply to networks. (See Box 1.3 in Chapter 1). However, we place a different emphasis on these attacks, so we examine them in a different order:
■ Physical theft. Someone steals network hardware, like wires, hubs, or other equipment that keeps the network running.
■ Subversion. Someone modifies or otherwise takes over part of the network so that it enables an attack. For example, an attacker might reroute traffic to allow its interception. Note that in networking, this threat involves physical or logical changes to network components. It does not involve changes to network traffic.
■ Disclosure. An attacker’s computer intercepts copies of network data intended for others. While this may pose no risk for a lot of network traffic, this type of eavesdropping may yield passwords or other data that enables a more serious attack.
■ Forgery. Someone constructs a bogus message or modifies a legitimate message as part of an attack. For example, a bogus order could send merchandise without collecting payment.
■ Masquerade. A person tricks the network into sending messages claiming to be originated by someone else. In the networking environment, this behaves like a particular type of forgery.
■ Denial of service. An attack that makes some or all of the network unusable. Typical attacks either flood parts of the network with traffic or render network components unusable.
Example: Sharing a Network
Let us consider the attacks and their risks in terms of a specific problem:
Bob’s office is in the Old Masonic building. Many years ago, the tenants formed a cooperative to install and maintain LAN wiring and a shared printer inside the building. Everyone in the building is a member of the cooperative. The wiring doesn’t extend outside the building, and the cooperative’s rules exclude outsiders from membership.
The cooperative restricts access to tenants of the building. All tenants pay a monthly fee to cover supplies and utility costs.
Let’s apply the risk management framework to the network cooperative. The assets are network equipment, printer supplies, and utility costs. The risk is that outsiders—those who aren’t paying for the network or its supplies—will use up the printer supplies or slow down the network for the rest.
Policy Statements
There are three statements in the Old Masonic tenant cooperative’s policy:
All tenants shall contribute to utility bills and printer supplies.
All tenants shall have access to the network and the printer.
Network and printer access shall only be granted to tenants.
Potential Controls
There are six general categories of security controls. (See Box 2.2 in Chapter 2.) These same categories provide basic network defenses.
■ Physical—physically isolating some—or all—of the computers and network from potential threats.
■ Mechanical—providing physical access via locked doors.
■ Logical—restricting network behavior according to the origin or contents of a request: a user, a computer, or a network-oriented program. Network services use access rules to validate permissions before taking action.
■ Functional—restricting network activity by not implementing risky actions.
■ Procedural—protecting the network with operating procedures. For example, only trustworthy people get a key to the room with computers and the network.
■ Cryptographic—using cryptography to protect network activities. We introduce this in Chapter 13.
What types of controls do the policy statements require? The first statement relies on procedural control. The Old Masonic cooperative has been part of the building for so long that the arrangement is part of each lease. The landlord collects the cooperative fee along with the rent and manages the utility bill.
10.1.2 Physical Network Protection
The remaining policy statements rely on physical controls to protect the cooperative’s network. The entire network resides inside the Old Masonic building (FIGURE 10.2). Only building tenants have keys to the building; tenants on upper floors greet clients and customers at the front door and escort them. Computers must be physically connected to the network to use the printer or internet connection.
FIGURE 10.2 Physical protection of a LAN.
Bob and Alice share a wall and a doorway. Alice shares a computer with Bob that is on the cooperative’s network. But Alice’s Arts is actually in the building next door. Alice can use the cooperative’s printer and internet connection because she shares Bob’s computer, but she can’t retrieve her printouts because she doesn’t have a key to the printer closet in the Old Masonic building. Alice can’t join the cooperative and have her own key to the printer closet because her store isn’t in the Old Masonic building.
Alice would really like to connect her POS terminal to the Old Masonic network. It would be much less expensive than her current arrangement. The wiring job isn’t especially difficult because there are already appropriate holes in their shared wall. Bob could install a low-cost network switch to share his connection with Alice’s business.
Alice’s hookup would clearly violate the existing policy. The cooperative could decide to include Alice, provide her with keys, and divide expenses with her. This reduces costs for everyone. They could rewrite the policy to say “Old Masonic building tenants and Alice.”
This extension poses another problem. Without Alice, the entire network is inside the Old Masonic building and under the physical control of the landlord. Once they run a wire into Alice’s Arts, the landlord can’t control what happens to that wire.
Protecting External Wires
Many companies implement a LAN for their employees’ computers. If the company resides inside a single building, the LAN benefits from the building’s physical protection. If the company has two adjacent buildings, they can run a network cable between the buildings. Now, however, they have to worry about attacks on the outside cable. Cables often run inside physically strong enclosures, like metal conduits.
An attacker must be highly motivated to break into a metal conduit. Although most attackers are not, sites may face this risk if their networks carry classified defense information. A network requires special physical protections if it carries information through areas open to people not allowed access to that information.
Not only do wires need protection, but the networking equipment needs protection, too. The suite’s printer network relies on a few low-cost switches to hook up the computers. If Alice has physical access to a switch and passes a wire through Bob’s wall, then she can hook into the network regardless of the cooperative’s approval. However, she would still have some explaining to do when she tried to pick up a printout.
The tenants and landlord verify the integrity of their network by looking at its physical condition. They must account for every device wired in to it. An extra wire suggests an unauthorized user.
The Old Masonic cooperative is a close-knit group. They do not need risks or policy statements related to privacy, eavesdropping, or disclosure. However, some network users may use it for private matters, like printing a tax return or a love letter. This shouldn’t pose a problem as long as the tenants can be trusted.
10.1.3 Host and Network Integrity
Integrity is another important part of modern network security. We must ensure that all host computers on the network are virus-free and can resist obvious attacks. Although this isn’t as much of a problem on a small, isolated network like that in the suite, it remains a risk.
The U.S. military protects its classified networks against attack by isolating them from other networks. If a worm infects millions of computers on the internet, it won’t infect the classified networks. There is no effective connection from the internet to the classified networks, so there is no way for the infection to enter the classified networks.
In December 2008, the classified networks were in fact infected, reportedly by the “agent.btz” worm. The infection was eventually traced to a USB flash drive that was plugged into a U.S. military laptop at a base in the Mideast. When plugged in, the laptop automatically ran a program on the drive that infected the computer and its connected network at the U.S. Central Command. The worm soon spread through both classified and unclassified networks.
Shortly after the attack, military commands issued orders forbidding the use of portable USB drives on military computers.
We reviewed different types of malware, some of which propagate using a USB drive. (See Section 3.2.4.) The same strategy penetrated sensitive U.S. military networks.
Network Worms
The Old Masonic building has had its LAN for a very long time. It was originally intended to share a printer and was not connected to the internet. The original risk assessment and security policy didn’t consider worms or other internet-related attack vectors. Now that the LAN connects to the internet, it exposes a much larger attack vector. Worms now pose a serious risk to the tenants.
Whose fault is it if a worm infects a tenant’s computer? Is it the cooperative’s fault because the network connects to the internet? The policy says nothing about protecting tenants from outside threats. If the cooperative wanted some measure of protection, they could decide on a “firewalling” policy (see Section 12.4), but the most effective security measures usually involve up-to-date patching and proper management of individual computers. Worms thrive on errors in older, unpatched network software.
Like viruses, worms copy themselves to other places and spread from those other places. While viruses may infect USB drives, diskettes, and application programs, worms infect host computers. When a worm starts running, it takes these four steps:
Decide how to locate computers on the network.
Send messages to each computer to determine if it has particular security weaknesses. This may consist of simply trying various attack vectors; this is how the Morris worm operated.
If a computer is vulnerable to one of its attacks, the worm penetrates the computer.
After penetrating the computer, the worm installs a back door to give control to an attacker.
Note that worms search automatically for vulnerable computers. If a computer has not been patched to fix its vulnerabilities, a worm will probably find the computer while scanning the network. This could happen in a matter of minutes.
Early network worms often served no particular purpose. Many were intended to illustrate nothing more than a particular programmer’s prowess at designing malware. In fact, early virus and worm authors often were caught because they bragged to others in black-hat hacker discussion groups. Today, however, worms serve a practical if illegal purpose: They help people construct botnets.
Botnets
Many of the malware packages create and operate botnets for monetary gain. (See Section 3.2.4.) To create a botnet, the attackers must infiltrate host computers via a worm, virus, or Trojan. The malware then installs a rootkit, software that remains hidden and that provides backdoor control of the computer. The infected host computer becomes a bot, a working member of the botnet. Although the most dangerous rootkits have administrative control of a bot, some operate simply as a user. In either case, the rootkit gives the botnet controller the software to control the bot.
A host often becomes a bot because its owner is careless about computer security. For example, the owner might not keep the software up to date, which leaves the computer open to worm attacks. A careless computer owner might also install an infected USB drive or click on an email-based attack.
A bot’s owner usually doesn’t realize that the computer is part of a botnet. Successful backdoor software is stealthy and has no obvious effect on the computer’s behavior. If the software degrades the computer’s behavior, the bot’s owner may try to get the computer fixed. The diagnosis and repair process often uncovers the rootkit, allowing the backdoor software to be removed.
Botnets in Operation
A botnet controller may ask its bots to do any of several things. Most bots can download additional malware. This allows the botnet controller to modify the bot to resist attacks on it and to add capabilities. Typical botnets may perform one or more of these operations:
■ Steal authentication credentials from the bot’s owner. The ZeuS botnet focuses primarily on this theft.
■ Harass the bot’s owner with pop-up windows. Sometimes the pop-up is simply advertising. In some cases, the pop-up claims to be a virus warning. The bot’s owner then is offered antivirus software that’s actually additional malware. Some botnets actually charge the bot’s owner for this malware download.
■ Send spam. (See Section 14.3.1.)
■ Perform distributed denial of service (DDOS) attacks. Such attacks transmit a modest amount of data from each bot to the target system. If the botnet has thousands or tens of thousands of bots, the target system may be overwhelmed by the traffic load.
Botnets are often in competition with one another. No botnet wants to share a victim host with another botnet. If a host computer contains two or more bot packages, then their combined effect may slow the computer down and make the owner aware that there’s trouble. If a botnet penetrates a host belonging to another botnet, the new one will try to remove the other network’s bot software.
Fighting Botnets
Botnets routinely lose bots as individuals replace infected computers or install security software that detects and removes the bot software. However, this doesn’t normally affect a large, healthy botnet. The operators continue to locate and incorporate new machines that replace the ones lost.
The most effective way of fighting botnets so far has been to go after a botnet’s control mechanism. Botnet operators use a special set of hosts to send commands to the botnet. These command hosts are usually a botnet’s weak point.
There have been numerous efforts to disable large botnets. Such “takedowns” often involve police organizations in several countries working in conjunction with software and network service providers. In 2014, a takedown disabled a large botnet based on “Gameover/ZeuS” software that was distributing Cryptolocker malware. In 2013, another takedown targeted the Citadel botnet community, which was estimated to have caused over a half a billion dollars in financial losses. An earlier, multiyear effort took down the Pushdo/Cutwail botnet, an earlier ZeuS-based botnet, and the Bredolab botnet. This effort decreased global spam levels at least 40 percent between August and October 2010.
The Insider Threat
Do any of the Old Masonic tenants pose a network-based threat to other tenants? Eve, for example, is curious about everyone and everything. What if she sets up the printer to make her copies of everything it prints? This would be an insider threat. Eve is part of a community that trusts its members. The security environment assumes that people will follow the rules, both written and unwritten.
Many networks don’t know they have an insider threat until something unfortunate happens. For example, Eve might be able to program the printer to send copies of everything to her own computer. If another tenant prints his tax forms, the printer sends a copy to Eve, too. If anyone finds out, the cooperative needs to reassess its risk environment.
Eve might not be the only insider threat. If the cooperative says “No” to Alice’s proposal, but Bob is willing to help her out, she could still join the network. Bob installs a switch and a wire to Alice’s Arts, and other tenants might not notice. No one would be likely to notice Alice’s connection unless someone “maps” the network. (See Section 11.5.2.) Alice’s connection violates the cooperative’s policy, which relies heavily on the tenants for self-policing and enforcement.