HOUR 20
Security

What You’ll Learn in This Hour:

Definition of key security terms

Computer network vulnerabilities

Defending against vulnerabilities

Tools for defenses

We begin this hour with an explanation of several basic but important terms pertaining to security. We then survey the security dangers faced by computer networks. Next, we explain several effective defenses employed to thwart these dangers. We conclude the hour with a look at specific tools to implement these defenses.

Network security is surely the most important job for the manager of a computer network. An efficient and fast network—one providing wonderful email, file transfer, and web page services—is all for naught if it’s not secure. And if the network you manage isn’t secure, your job isn’t secure.

How important is security to the industry? Very. For example, in the eight months I have been using the Vista operating system (OS) on one of my PCs, roughly 85% of the Microsoft Vista patches have pertained to security.

Network security issues have changed significantly over the past two decades. Network security once focused on protecting network resources from accidental erasure or unauthorized use of resources. Although remote access dial-in schemes for network access posed a potential risk for the network (and still do), the administrator was required to secure what was essentially a closed system. This meant the major security issues pertained to users’ passwords and the rights assigned to these users.

When a company’s internal network was attached to the Internet, the situation changed. Many security issues now relate to outside attacks. These attacks can be direct, such as an attacker accessing an internal network by spoofing a legitimate user, or indirect, such as by attaching malicious payload to an email message that is sent out as spam.

If you assume responsibilities for network security in your organization, keep these happy thoughts in mind:

• He that is too secure is not safe.[1]

[1] Thomas Fuller, Adages and Proverbs. Secondary source: Leonard Roy Frank, Quotationary, Random House, New York, 2001, p. 760.

• Distrust and caution are the parents of security.[2]

[2] Benjamin Franklin, Poor Richard’s Almanac, July 1733. Secondary source: Ibid.

Basic Terms

Before we proceed into the security dangers and defenses against these dangers, a few definitions are in order. First, the term encryption means the changing of the syntax of a message (cleartext), making it unintelligible to the casual observer. This altered data is called ciphertext. Decryption is the opposite of encryption. It means changing the ciphertext back to the original intelligible format—that is, changing it to cleartext.

Encryption and decryption are performed using one of two methods. The first method is known by three names: private, symmetrical, or conventional. Whatever name is used, this method uses the same key (a value) for encryption and decryption. This is a secret key that the sender and receiver of the message share. The sender uses the key to encrypt the cleartext into ciphertext; the receiver uses the key to decrypt the ciphertext into cleartext.

The second method is known by two names: public or asymmetric. Public key security has become the dominant method of both encryption and authentication in computer networks. This method uses two keys (actually key sets): one for encryption and the other for decryption. They correlate with each other because their values are created using complementary values and algorithms. Thus, text that is encrypted by one key can be decrypted by the other. The idea is to allow one key to be disseminated to the public (the public key) while the other key is held in secret (the secret key). Therefore:

For encryption—A sender’s cleartext is encrypted by the receiver’s public key. It can only be decrypted by its complementary private key, which is known only to the receiver who holds it in a secure place. The sender knows only the public key.

For authentication—A cleartext value (a known value—say, a password) is encrypted into ciphertext by the sender’s private key. This data can only be decrypted into a cleartext value (the known password) if the receiver possesses the complementary public key.

A digital signature validates the authenticity of the sender by using asymmetric keys. Assuming a sender has sent or otherwise made available to the receiver the sender’s public key, this key is applied to a “digital signature,” which is a known value. If the resulting decryption operations result in the computation of this known value that the sender encrypted, the sender is considered legitimate. (That is, the sender is authentic.)
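The two uses of an asymmetric key pair just described (encryption with the receiver's public key, and a signature made with the sender's private key) in a textbook RSA walk-through. This is an added example, not code from the book; the tiny fixed primes are constructed for illustration and give no real security.

```python
"""Toy RSA: encryption with the receiver's public key, and a digital
signature made with the sender's private key and checked with the public key.
Added example; the fixed small primes are constructed and offer no security."""
import hashlib

# Constructed textbook primes; a real key uses primes hundreds of digits long.
P, Q = 61, 53


def make_keypair(p: int = P, q: int = Q, e: int = 17):
    """Return ((e, n), (d, n)): the public key and its complementary private key."""
    n = p * q
    phi = (p - 1) * (q - 1)      # Euler's totient of n
    d = pow(e, -1, phi)          # modular inverse: e * d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(message: int, public_key) -> int:
    """Sender encrypts cleartext with the RECEIVER's public key."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key) -> int:
    """Only the holder of the complementary private key recovers the cleartext."""
    d, n = private_key
    return pow(ciphertext, d, n)


def digest(data: bytes, n: int) -> int:
    """Reduce a SHA-256 hash of the data to a 'known value' below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key) -> int:
    """Sender 'encrypts' the known value (the hash) with the SENDER's private key."""
    d, n = private_key
    return pow(digest(data, n), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Receiver applies the sender's public key; recovering the known value
    proves the signer held the matching private key."""
    e, n = public_key
    return pow(signature, e, n) == digest(data, n)


if __name__ == "__main__":
    pub, priv = make_keypair()
    c = encrypt(65, pub)
    print("ciphertext:", c, "-> decrypted:", decrypt(c, priv))
    sig = sign(b"pay 100 to Alice", priv)
    print("genuine message verifies:", verify(b"pay 100 to Alice", sig, pub))
    print("altered message verifies:", verify(b"pay 900 to Alice", sig, pub))
```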

A security certificate establishes a secure communication connection between two parties. Each certificate contains a public key and a private key. When a web browser communicates with a secured server, a handshake authenticates the server and the browser client. A security certificate is issued by a trusted source, known as the certificate authority (CA), which usually verifies the domain name and issues the certificate. For example, VeriSign is a well-known CA.

Security Threats

What is an effective strategy for protecting the resources attached to a network? You must understand the various types of security threats, most of which result in the denial of service (DoS) to the users of the network. They are as follows:

Virus—A virus is a piece of code that “infects” a software program. It attaches itself to the program and executes when the program is run. It might or might not infect other programs. The result might be only irritating, such as the execution of a lot of superfluous code or funny icons appearing on a computer screen. But it might also be dangerous; for example, it might be able to access the files on a computer and destroy them.

Worm—A worm runs as an independent program that replicates itself over and over again until it saturates a computer system or a network. A worm can result in clogging or flooding, resulting in the DoS to the user community.

Trojan horse—A Trojan horse is a piece of code that comes in the form of a virus or a worm. It’s so named because it hides itself, perhaps in a user’s login, and then exploits the user’s profile to do damage. It’s possible that a Trojan horse might not be found because, after doing its deeds, it exits the system without leaving a trace of itself.

Bomb—Many Trojan horses (with their viruses or worms) don’t do harm immediately. Some are triggered by a time threshold; after a date has passed, the bomb “explodes.”

Replay—This violation is an attack on a resource by capturing data, perhaps modifying it, and resending it. An example of a replay attack is applying a transaction to a database more than once: say, one’s payroll record.

Security Defenses

Different defenses are employed to combat these threats. They are as follows:

Privacy/secrecy/confidentiality—The assurance that a user’s traffic is not examined by nonauthorized parties. In a nutshell, it’s an assurance that no one “reads your mail.”

Authentication—The assurance that a legitimate party (or parties) has sent the traffic a user receives. For example, if a user receives a legal document from an attorney through the Internet, this user is confident that his attorney sent it, not someone else. This idea is also called data origin authentication.

Integrity—The assurance that the traffic a user receives wasn’t modified after the proper party sent it. This service includes antireplay defenses—that is, operations that prevent someone from reinjecting previously authenticated packets into a traffic stream. Because of its anti-injecting operations, this service offers sequence integrity, which means “rogue” packets might be rejected if they don’t meet certain rules. For Internet Protocol (IP) networks, this idea is called connectionless integrity.

Access control—The prevention of unauthorized use of a resource. This service might prevent someone from monopolizing resources or deny the user of the resource entirely. Resource monopolization is a common security attack that leads to the DoS to legitimate users.

Nonrepudiation—The inability to deny or disavow a transaction. This service is part of the authentication service described in the second bullet point. An example of this feature is an option in the X.400 personal message service. An email recipient isn’t allowed to examine the contents of the message body of the email until she has acknowledged that the email was indeed received. The feature is akin to a postal certified letter. The recipient can examine the envelope, but she can’t look inside until she signs the receipt.

Securing the Internal Network

The first line of defense for a private network (one in which a user accesses the network directly, without going through the Internet) revolves around user logon issues and the different levels of access provided to network resources. Without question, users should have a valid username and password to log on to the network. Furthermore, the network administrator must control the assignment of usernames and passwords to all users. A set of rules should be devised to assign usernames and passwords so that someone who attempts to access the network by hijacking a particular user account can’t guess them.

Resources on the network can also be secured by assigning the appropriate level of access to the resource for each user on the network. For example, most users only need to be able to read a particular database file on the network. So, it would make sense to give those users only the read permission for rights to that file.

Both user authentication and resource permissions are important to basic network security. Let’s take a closer look at how a network administrator can use authentication and permissions to secure the internal network.

User Access

The network administrator is responsible for creating user accounts. Every Network Operating System (NOS) provides a built-in administrator’s account that can create and modify network user accounts and manage the resources on the network. This administrator’s account is given various names in different OSs, such as root, admin, or administrator.

Not only does the network administrator determine the naming conventions for user accounts, but he also controls the rules for user passwords and the logon hours, as well as days that a particular user can log on to the network.

Assigning complex usernames to your users doesn’t enhance network security. It only enhances the possibility of users forgetting their usernames. Let’s face it—most network administrators assign usernames based on the first initial and last name of the user. It’s a fairly consistent and convenient way to assign usernames.

Password Protection

The password provides security for the network authentication process. The network administrator (you and your staff) must develop a set of rules for the type of passwords that are allowed on the network. Although you can assign passwords to your users, it’s a better use of your time to create the rules for passwords on the network and allow your users to create (and update) their own passwords based on your rules. NOSs allow you to set the conditions that must be met for a password, such as the number of characters, the inclusion of both alphanumeric and numeric characters, and whether the password can contain the user’s name.

The best practice for passwords is to use what are called strong passwords. What constitutes a strong password varies slightly from NOS to NOS, but in general terms, a strong password is one that wouldn’t be easy to guess by someone who has hijacked a user’s account and is attempting to access the network. Microsoft defines a strong password as follows:

• It contains at least seven characters.

• It doesn’t contain user, real, or company names.

• It doesn’t contain complete dictionary words.

• It’s a combination of numeric, alphanumeric, and nonalphanumeric characters.
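A checker for the four strong-password rules just listed, as an added example (not Microsoft's or any NOS's own policy engine). The dictionary and the name lists are constructed for illustration; a real deployment would load a full word list.

```python
"""Check a candidate password against the four strong-password rules above.
Added example with a constructed mini dictionary; not vendor code."""
import string

# Constructed sample word list; a real check uses a large dictionary.
DICTIONARY = ("password", "summer", "dragon", "welcome", "secret", "letmein")


def strong_password_violations(password, username="", real_name="", company=""):
    """Return the list of rules the password breaks; an empty list means strong."""
    violations = []
    lowered = password.lower()

    # Rule 1: at least seven characters.
    if len(password) < 7:
        violations.append("fewer than seven characters")

    # Rule 2: no user, real, or company names (each word of a name counts).
    names = [username] + real_name.split() + company.split()
    for name in names:
        if len(name) >= 2 and name.lower() in lowered:
            violations.append(f"contains name '{name}'")

    # Rule 3: no complete dictionary word anywhere in the password.
    for word in DICTIONARY:
        if word in lowered:
            violations.append(f"contains dictionary word '{word}'")

    # Rule 4: a mix of letters, digits, and nonalphanumeric characters.
    has_alpha = any(ch.isalpha() for ch in password)
    has_digit = any(ch.isdigit() for ch in password)
    has_other = any(ch in string.punctuation for ch in password)
    if not (has_alpha and has_digit and has_other):
        violations.append("must mix letters, digits, and punctuation")

    return violations


if __name__ == "__main__":
    for candidate in ("Summer2008!", "jdoe2008!", "R!ver-4-stone"):
        print(candidate, "->", strong_password_violations(candidate, "jdoe", "John Doe", "Acme") or "strong")
```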

On Microsoft Server 2003 and 2008, network password rules and other policies related to passwords (such as enforcing a password history) are handled using Group Policy, which provides a framework for controlling the user and computer environment in a Windows domain. Figure 20.1 shows the password policy settings for 2003. The 2008 window is quite similar. Note that the policies haven’t been enabled for strong password protection.

FIGURE 20.1 Microsoft Windows Server 2003 provides Group Policy to control settings related to user password requirements.


Another element related to keeping user passwords secure is requiring your network users to change their passwords after a specific interval. Again, the various NOSs provide you with the administrative tools to create password rules and control the interval for password expiration. Be advised that forcing users to change their passwords on occasion is a good way to protect user accounts, but it can also lead to a lot of headaches in that users either forget their new passwords or start writing down the passwords to remember them. Choose an interval that balances security issues with the short-term memory of your users.

Auditing Logons

After you’ve done your best to make sure that password protection on the network is strong, you can employ auditing to keep an eye on user logons. Auditing allows you to track both successful and unsuccessful logons. This means if you see numerous unsuccessful logon attempts for a particular user, the user account might have been hijacked and is being used by a hacker attempting to gain access to the network.

Most NOSs have some form of audit mechanism. For example, Windows Server 2003 and 2008 offer their Security log, and UNIX has /var/adm/wtmp, /var/adm/syslog, and other logs. But none of the tools that NOSs provide for auditing do you any good if you don’t use them.
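The kind of review the paragraph above recommends, run over a handful of audit records: count failed logons per account, flag any account whose failures cluster inside a short window, and note whether a successful logon followed the burst. This is an added example, not an NOS tool; the syslog-style lines are constructed, and the threshold and window are arbitrary choices.

```python
"""Scan logon audit records for accounts under a guessing attack.
Added example; the log lines below are constructed in the syslog style a
UNIX host writes for remote logons, with the year omitted as classic syslog does."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar  3 08:01:12 fileserver sshd[2311]: Accepted password for asmith from 10.0.0.17 port 50211 ssh2
Mar  3 08:02:40 fileserver sshd[2315]: Failed password for jdoe from 192.0.2.44 port 51022 ssh2
Mar  3 08:02:43 fileserver sshd[2315]: Failed password for jdoe from 192.0.2.44 port 51023 ssh2
Mar  3 08:02:47 fileserver sshd[2316]: Failed password for jdoe from 192.0.2.44 port 51024 ssh2
Mar  3 08:02:51 fileserver sshd[2316]: Failed password for jdoe from 192.0.2.44 port 51025 ssh2
Mar  3 08:02:55 fileserver sshd[2317]: Failed password for jdoe from 192.0.2.44 port 51026 ssh2
Mar  3 08:03:02 fileserver sshd[2317]: Accepted password for jdoe from 192.0.2.44 port 51027 ssh2
Mar  3 09:15:09 fileserver sshd[2402]: Failed password for bwong from 10.0.0.31 port 40110 ssh2
Mar  3 11:30:21 fileserver sshd[2510]: Failed password for bwong from 10.0.0.31 port 40181 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_log(text, year=2008):
    """Yield (timestamp, result, user, source) for every line the pattern recognises."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated record; skip it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["src"]


def suspicious_accounts(text, threshold=5, window=timedelta(minutes=5)):
    """Flag users with at least `threshold` failed logons inside one `window`.
    For each flagged user, record the burst size and whether a successful logon
    followed the burst (a sign the account may have been hijacked)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, user, _src in parse_log(text):
        (failures if result == "Failed" else successes)[user].append(ts)

    flagged = {}
    for user, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                last = burst[-1]
                followed = any(start <= s <= last + window for s in successes.get(user, []))
                flagged[user] = {"failures": len(burst), "success_followed": followed}
                break
    return flagged


if __name__ == "__main__":
    for user, info in suspicious_accounts(SAMPLE_LOG).items():
        print(f"{user}: {info['failures']} failures in window, "
              f"success afterwards: {info['success_followed']}")
```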

Each NOS approaches the enabling of auditing in a different way. Because we’ve briefly discussed Windows Group Policy, let’s look at the enabling of the Auditing Policy on a Windows Server 2003 computer. (Once again, 2008 is similar.) You can access Group Policies for a domain by using the Group Policy Management snap-in, as shown in Figure 20.2.

FIGURE 20.2 The Windows Server Group Policy Management snap-in allows you to view the different levels of policies for the domain.


After you’ve located the particular Group Policy in the management snap-in, you can edit the policy. It’s just a matter of right-clicking on a particular policy and then selecting Edit on the shortcut menu that appears. In terms of auditing, the Audit Policy allows you to audit logon events and a number of other events, such as object access and system events.

Figure 20.3 shows the Group Policy Object Editor and the Audit Policy objects available on a server running Microsoft Windows Server 2003. After these various audit objects are enabled, the events are tracked using the Windows Security log. (We’ll talk about logs and network monitoring in more detail in Hour 21, “Managing a Network.”)

As you can see from our Microsoft example, you can audit logon events and other events that allow you to keep tabs on your network. For example, attempts to access certain items on the network can be audited, allowing you to track potential hackers not only by their logon attempts but also by their attempts to access certain data files or other resources on the network.

FIGURE 20.3 Auditing is enabled using the Windows Group Policy Object Editor.


Resource Permissions

Securing the network using strategies related to user accounts and passwords is just one way of securing the internal network. Another method of securing important data and resources on the network relates to user rights or permissions to those resources. After a user has logged on to the network, she typically needs to access resources on a file or print server. The level of access that each user has to a share or the volume on a file server is up to the network administrator.

Each NOS has a method of assigning permission (or rights) to folders or directories on network servers. Although it’s convenient to give all your users the same access to a resource, you should take into account that each user requires a different level of access to a particular resource; not everyone on the network needs to modify data. For example, an accountant needs to be able to edit spreadsheets on a server, whereas an administrative assistant only needs to be able to view or read the data contained in the file. However, assigning individual permissions for each user to each resource is time-consuming and a hassle to keep organized (in terms of documentation).

A fine feature of NOSs is that you can create groups and then assign access permissions or rights to the group. Then group membership determines the level of access that a user has to particular resources.

Although access rights don’t necessarily keep hackers off your internal network, they do allow you to minimize the damage that a careless user can make to important data files or the level of access that a hacker has to a particular resource when they commandeer a particular user account.

Dealing with Viruses

Another threat to your network’s security is the virus, explained earlier in this hour. Granted, many viruses emanate from the Internet, but some are generated internally; thus, they’re explained in more detail in this section. For this discussion, we concentrate on viruses, but keep in mind that so-called antivirus software typically guards against related attacks, such as worms, Trojan horses, and bombs.

Viruses come in several varieties. Numerous virus types have evolved over the years, and are summarized here, classified based on how they infect a computer. For all, the best defense is antivirus software.

Boot sector viruses—Some of the first viruses were boot sector viruses. They’re so named because they infect the first sector (the boot sector) of a disk or hard drive. A boot sector virus typically spreads through infected external disks or other removable storage media. Boot sector virus infections are helped along by user forgetfulness. If I place a boot sector virus–infected disk in my computer, nothing happens unless I reboot the system (turn it off for the day and then turn it back on the next morning) and have forgotten to remove the infected disk from the drive. On bootup, the boot sector virus is loaded into the computer’s memory (because the computer tries to boot from the external disk). The virus can then infect the hard drive or any disks you place in the external drive after the computer is up and running.

File viruses—File viruses infect an executable program, such as an EXE or COM file. When the infected file is run, the file virus is loaded into the computer’s RAM. It can then infect other executable files as they’re run on the computer. A form of the file virus is the overwriting virus, which overwrites the executable file that it infects.

Macro viruses—The macro virus is a fairly recent virus type. Macro viruses are written in a macro language, such as Visual Basic code or the language built into, say, a word processor package. It can infect documents and spreadsheet data files rather than executables. When an infected document is loaded into an application, such as Microsoft Word, the virus code runs as any other macro would in that particular application. Another scary thing about macro viruses is that they aren’t OS specific. Because Microsoft Excel can run on a Macintosh and a Windows-based PC, the macro virus can be spread between the two platforms if the infected Excel worksheet is shared. Also, macro viruses aren’t confined to Microsoft applications and have popped up in other office suites, such as Lotus SmartSuite. An example of a macro virus is the famous Melissa virus, a Word macro virus that automatically spreads itself via email. When in doubt, don’t open those loving attachments.

Multipartite viruses—A multipartite virus has the characteristics of both a boot sector virus and a file virus. It can spread from the boot sector of a drive to another drive, and it can attack executable files on the computer. Some multipartite viruses can even infect device drivers (such as the drivers for your network interface card, or NIC).

The only way to keep network computers free of viruses is to invest in antivirus software and run the software frequently. Antivirus software is available in various configurations ranging from desktop file scanning to server-based file scanning to firewall-based file scanning. It’s wise to have as many file scanners as possible between the user and his files (whether the files come from the Internet or the local network). Although slight performance degradation is involved with virus scanning, time spent cleaning out virus-infected systems is time well spent. Typically, virus software vendors have a method in which the software that is installed on each computer can be automated and maintained successfully with minimal user input.

Protecting the Internal Network from External Attacks

The discussions thus far in this hour have emphasized measures to secure networks that have no gateways to external networks, such as the Internet. As mentioned earlier, you must address internal threats, but the major dangers come from outside. In this section, we expand our analysis to include the big, bad Internet.

Keep in mind that the earlier discussions on security problems and preventions apply to the interfaces with external networks as well. What’s the difference between internal and external network security? For external interfaces, we must add more ingredients to the security soup.

For Internet connectivity, Transmission Control Protocol/Internet Protocol (TCP/IP) is now the standard Layer 4/Layer 3 protocol stack. However, TCP/IP and the User Datagram Protocol (UDP) were not designed with security in mind. As discussed in Hour 14, “Connecting to the Internet: Initial Operations,” each server protocol in the TCP/IP stack communicates with a well-known port number. As examples, Hypertext Transfer Protocol (HTTP) operates on port 80, and FTP operates on ports 20 and 21. Hundreds of well-known port numbers are registered through the Internet authorities. Each of these ports is a potential path for an attack on a network. Hackers employ a variety of technical tricks to penetrate network security walls. The TCP/IP protocol stack and both client OSs and NOSs provide holes that hackers can exploit. Fortunately, firewalls offer a strategy for blocking these ports.

Firewalls

Even though firewalls are covered in this hour under the subject of securing internal networks from external attacks, these devices are also common in internal local area networks (LANs).

In addition, most OSs and NOSs come with firewall software. The PC I’m using as I type this paragraph is loaded with Vista firewall software, as well as Verizon firewall software. In addition, for some of my Internet connections, I use AOL, which executes its own firewall software for the connection. The router I use to connect to the Internet also executes firewall software. Wow. That’s four firewalls, not including the firewall software in the servers.

I recognize a portion of my response time delays are attributable to multiple executions of code, some of which engage in redundant scans and checks. I could opt for configuring the packages to make them more efficient or simply turn one or more of them off. In my Windows XP PC, I have done just that. For my Vista PC, I’ve decided to let Microsoft, Verizon, and AOL perform their security operations without my interference. Thus far, I’ve yet to encounter a can of worms—or viruses.

In its simplest terms, a firewall is a system that protects trusted networks from untrusted networks. The concept of trusted and untrusted networks depends on the organization. In some situations, there are both trusted and untrusted networks within a company, depending on the need to know and the need to protect certain resources. In one of my former jobs, the organization installed a firewall on its LAN for the sole purpose of preventing all people—except six employees—from accessing sensitive financial and economic data.

Packet Filtering

One of the key operations that a firewall performs is packet filtering. This term describes an operation in which certain packets are allowed to pass through the firewall and others aren’t. The filtering operations are based on a set of rules encoded in the software running the firewall. The most common type of packet filtering from the standpoint of a conventional router is done on IP packets. The router examines the IP addresses to make sure the source and destination addresses are legitimate—that is, whether they’re trusted addresses.

Filtering on IP addresses can create a tricky situation because many users send and receive traffic in a dynamic fashion. Surfing the Web results in IP addresses at the websites being placed in the packets.

Another common filtering process is on Internet port numbers. This filtering usually takes place in servers and user machines and not routers, because the operation consumes overhead. One approach is to filter on certain IP addresses in the router and filter on port numbers in the server or user machine.
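The two filtering operations described in this section, on IP addresses and on port numbers, combined in one first-match rule list. This is an added example, not any router's or firewall's code; the policy, the addresses and the packets are constructed for illustration, and anything not explicitly permitted is dropped.

```python
"""Rule-based packet filter: match on source/destination address and on
destination port, first matching rule wins, default deny.
Added example with a constructed policy; not vendor code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination (well-known) port


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source network in CIDR form; default = any
    dst: str = "0.0.0.0/0"        # destination network in CIDR form
    proto: Optional[str] = None   # None matches either protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed policy for packets arriving from the Internet side.  The trusted
# LAN is 10.0.0.0/8; only the web server (port 80) and the mail server (port 25)
# are reachable from outside.  Rules are checked in order; the first match wins.
INBOUND_RULES = [
    # A packet from the Internet that claims an internal source address is
    # not legitimate (the address check the text describes).
    Rule("deny", src="10.0.0.0/8"),
    Rule("allow", dst="10.0.0.80/32", proto="tcp", dport=80),
    Rule("allow", dst="10.0.0.25/32", proto="tcp", dport=25),
]


def filter_packet(pkt: Packet, rules=INBOUND_RULES) -> str:
    """Return the action of the first matching rule; deny if nothing matched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"       # default deny: any port not explicitly opened stays closed


def filter_batch(packets, rules=INBOUND_RULES):
    """Apply the policy to a sequence of packets and return the decisions."""
    return [filter_packet(p, rules) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "10.0.0.80", "tcp", 80),   # web request: allowed
        Packet("203.0.113.5", "10.0.0.80", "tcp", 23),   # telnet to web server: dropped
        Packet("10.0.0.9", "10.0.0.80", "tcp", 80),      # forged internal source: dropped
    ]
    for pkt, verdict in zip(samples, filter_batch(samples)):
        print(pkt, "->", verdict)
```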

Windows Firewall Settings

If you’re using Windows on your computer, you have some control over the firewall software. Using the General tab in Windows Firewall, you can do the following:

• Set the firewall to On, which is recommended. With this setting, most programs are blocked with the firewall. You can unblock a program by adding it to the Exceptions list (with the Exceptions tab).

• Block all incoming connections, which blocks all unsolicited attempts to connect to your computer. This might be useful when you want protection when online at an airport or other public venue with a public wireless network. You can still view most web pages and send and receive email and instant messages.

• Setting the firewall to Off isn’t recommended, unless you have another firewall running on your computer.

Other Key Security Protocols

In this part of the hour we examine several important security systems and protocols. By no means do they represent all the offerings available. But they’re found in most vendors’ PC OSs, server NOSs, and router OSs.

Password Authentication Protocol (PAP)

The Password Authentication Protocol (PAP) is an older authentication protocol used to authenticate a user to a network server. Most NOS remote servers support PAP. As well, PAP is still used by Point-to-Point Protocol (PPP) in some products, but many offerings have replaced it with CHAP.

Challenge-Handshake Authentication Protocol (CHAP)

As the name implies, the Challenge Handshake Authentication Protocol (CHAP) authenticates a user to an authentication entity, such as a server. CHAP has been used for many years in conjunction with PPP to validate remote login users. Verification takes place with the use of a shared secret, such as a user’s password. CHAP also protects against a playback attack.
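The CHAP exchange described above, worked through as an added example (RFC 1994's MD5 variant, not any product's implementation). It shows how the shared secret proves identity without ever crossing the wire, and why a response captured from one session is useless against the fresh challenge of the next. The user name, secret and identifier are constructed values.

```python
"""Three-way CHAP: challenge, response, success/failure (RFC 1994, MD5).
Added example with constructed credentials; not vendor code."""
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || Secret || Challenge), as RFC 1994 specifies."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side.  Holds the shared secrets; only challenges and responses travel."""

    def __init__(self, secrets: dict):
        self.secrets = secrets       # user name -> shared secret (typically the password)
        self.pending = {}            # identifier -> outstanding challenge

    def challenge(self, ident: int) -> bytes:
        chal = os.urandom(16)        # fresh, unpredictable value for every attempt
        self.pending[ident] = chal
        return chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(ident, None)     # each challenge may be answered once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def chap_login(server: Authenticator, name: str, secret: bytes, ident: int = 1):
    """Peer side: receive the challenge, answer it, learn the verdict."""
    chal = server.challenge(ident)
    resp = chap_response(ident, secret, chal)
    return chal, resp, server.verify(ident, name, resp)


def replayed_response_rejected(server: Authenticator, name: str,
                               old_response: bytes, ident: int = 1) -> bool:
    """Defender's check: an earlier response sent against a new challenge must fail."""
    server.challenge(ident)          # the server issues a different challenge this time
    return not server.verify(ident, name, old_response)


if __name__ == "__main__":
    auth = Authenticator({"jdoe": b"correct horse"})
    _, resp, ok = chap_login(auth, "jdoe", b"correct horse")
    print("genuine peer accepted:", ok)
    print("replayed response rejected:", replayed_response_rejected(auth, "jdoe", resp))
```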

Remote Authentication Dial In User Service (RADIUS)

RADIUS is yet another Internet protocol and is based on a client/server model. It is used to authenticate remote users with user names and passwords. It also supports the negotiation of configuration services between a user (client) and a server, such as the use of PPP, Telnet, and rlogin.

Transactions between the client and RADIUS server are authenticated through the use of secret keys. In addition, user passwords are encrypted between the client and RADIUS server. RADIUS supports several authentication schemes. For example, a user supplies authentication data to the server either by directly answering the server’s login/password prompts or by using PAP or CHAP protocols.

Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) is used for authentication. Examples are protecting a website and securing credit card information that is sent to the web merchant. An SSL certificate enables encryption of sensitive information during online transactions. When a web browser communicates with a server, an SSL handshake authenticates the server and the client. Encryption takes place with a unique session key.

Each SSL certificate contains authenticated information about the certificate owner. A CA, such as VeriSign, verifies the identity of the certificate owner when it’s issued.

Software, such as Linux, supports SSL and allows users to create their own SSL certificate for secure HTTP communications with SSL-capable web servers. For example, an Apache web server is SSL-capable. Also, a number of trusted third-party certificate signers are available. I’ve mentioned VeriSign. You might want to check out others as well, such as GlobalSign, EnTrust, RapidSSL, and GlobalTrust.

Point-to-Point Tunneling Protocol (PPTP)

PPTP is an extension to PPP that tunnels IP packets inside encrypted PPP packets. It’s available in Windows Server 2008 and uses Microsoft Point-to-Point Encryption (MPPE) for the encryption operations.

Secure Socket Tunneling Protocol (SSTP)

Secure Socket Tunneling Protocol (SSTP), a recent addition to the suite of security protocols, is available on Windows Vista and Windows Server 2008. SSTP is an extension to PPP allowing remote access data to pass through a firewall that would normally block PPP and Layer 2 Tunneling Protocol (L2TP) traffic. SSTP encapsulates PPTP data over an SSL channel by using the HTTP Security (HTTPS) protocol.

Secure Shell (SSH)

Secure Shell (SSH) is a common set of software found on UNIX and Linux OSs. You should consider using it if you need secure communications between two devices on your network. It provides better security than older packages, such as rlogin.

DNS Security Protocol (DNSSEC)

DNS Security Protocol (DNSSEC), another authentication protocol, is used to guard against receiving invalid DNS information from servers. Although this possibility isn’t common, it’s indeed possible that a hacker might want to get “in the middle” of a DNS server and client to intercept their communications.

DNSSEC is available on Windows Server 2008 and can be used to configure DNS zones so they can be authenticated. DNSSEC uses asymmetric keys for its operations.

Internet Security Protocol (IPSec)

The more recent implementations of security products now support the IP Security Protocol (IPSec). IPSec is an Internet standard providing the following security features: (a) access control, (b) origin authenticity, (c) replay protection, (d) privacy, and (e) integrity. With a Windows server, you can provide these end-to-end services from client-to-client, server-to-server, and client-to-server by using a feature in IPSec called the transport mode. Let’s review the transport mode and compare it to another IPSec option: the tunnel mode.

With the transport mode, IPSec protects traffic (upper layer data carried in the IP packet) between hosts—that is, end to end. Depending on the installation, it might also protect parts of the IP header. The tunnel mode encapsulates the original IP packet with yet another IP header and operates between hosts or routers (gateways). It protects completely the inner IP header (thus, the user’s IP header) and parts of the outer IP header.

What to Choose?

As you can see, you have a wide choice of security tools. I suggest you study all the security features offered in your OS, NOS, and router software packages and then decide which combinations are best for your organization. You’ll find some of the operations redundant, so you might want to disable them. But be careful about turning off these settings. I’ve found that their duplications do no harm, and by turning them off, you might end up deactivating a specific, unique service that isn’t running in the other packages. On the other hand, it’s a good idea to experiment with the packages to evaluate the delay and overhead of running them versus their benefit.

Wireless Networks

In Hour 7, “Mobile Wireless Networking,” we discussed the basics of wireless networking. In terms of security, wireless networking provides several challenges. These have been made obvious by a new hacker exploit termed wardriving. Wardriving entails driving around with a wireless-enabled laptop computer, which is used to find and connect to unsecured wireless networks. This maneuver might provide free access to the Internet and allow hackers to crack the wireless network. Wardrivers often outfit their vehicles with an external wireless antenna, which makes it easier to find wireless “hotspots.” A handheld Global Positioning System (GPS) might help map the borders of the hotspot.

How do you protect your network against wardriving? First, you need to learn how your wireless network access point is configured. (An access point is the device that allows wireless clients to connect to a wired network, which is discussed in more detail in Hour 7.) Regardless of the vendor of your access point, the access point has a default configuration, which includes settings such as the administrative password, the default subnet (the range of IP addresses for the device), and security settings related to the 802.11 security protocols Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA).

Wardrivers know that the default configuration for an access point makes it easy to promiscuously connect to a wireless network. Be aware that you can’t run a wireless network out of the box; you must custom configure access points with the highest security possible.

However, even changing default settings for access points doesn’t necessarily protect the network. For example, wireless networks use a network name or service set identifier (SSID) that identifies the wireless network. The SSID is used by mobile devices to connect to access points on the wireless network. Each access point vendor configures its access points with a default SSID. For example, access points from Linksys (a company providing wireless access points and NICs) use the default SSID “linksys.”

It makes sense to change the default SSID for added protection because wardrivers know what the default SSIDs are for most network access points. However, even changing the SSID doesn’t protect the wireless network all that much. SSIDs can be determined using a packet sniffer because they appear in packets as plain text.

Even being conscientious in terms of configuring wireless access points and other wireless devices isn’t going to protect a wireless network from wardrivers with too much time on their hands. You need to configure the currently available security protocols (WEP and especially WPA) on access points and take advantage of the security that these protocols provide.

Beyond access point configuration (including security protocols), you can take advantage of other strategies such as virtual private networking. For a higher level of security, you have to go beyond what the 802.11 standards currently provide and take advantage of third-party products. For example, Air Defense provides such products as RogueWatch, a monitoring device, which allows you to monitor your wireless environment for rogue access points and neighboring wireless networks, protecting your network from unauthorized connections.

Although wireless networking provides efficient and inexpensive access to internal and external networks, security issues might preclude its use when network devices exchange highly sensitive data. If you do deploy wireless strategies on your network, remember that wardrivers are probably driving around right outside your building. Part of your defense is to configure your machines with protocols such as DNSSEC, SSL, SSH, SSTP, and IPSec. As well, installing a package, such as RogueWatch, allows you to monitor your wireless connections.
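Two points above deserve a concrete look: that the SSID travels in the clear in beacon frames (so hiding or renaming it is not a defense), and that a monitoring tool such as RogueWatch works by comparing what it hears on the air against an inventory of the access points you actually own. The following added example (written for this discussion, not taken from the book or from any Air Defense product) builds a few 802.11 beacon frames from constructed bytes, extracts the BSSID, SSID, and channel, and flags beacons that are not in an assumed inventory. The `AUTHORIZED` table, the MAC addresses, and the "corp-wifi" network name are all made up for the demonstration.

```python
"""Parse constructed 802.11 beacon frames and flag access points that are
not in the organization's inventory. Added example; not a product's code."""
import struct

# Constructed inventory: BSSID (the access point's radio MAC) -> expected SSID.
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-wifi",
    "00:11:22:33:44:02": "corp-wifi",
}


def build_beacon(bssid: bytes, ssid: bytes, channel: int) -> bytes:
    """Assemble a minimal beacon: 24-byte management header, 12 bytes of fixed
    parameters, then an SSID tag (0) and a DS Parameter Set tag (3) for the channel."""
    frame_control = b"\x80\x00"                       # type=management, subtype=beacon
    header = (frame_control + b"\x00\x00"             # duration
              + b"\xff" * 6                           # addr1: broadcast
              + bssid                                 # addr2: transmitter
              + bssid                                 # addr3: BSSID
              + b"\x10\x00")                          # sequence control
    fixed = struct.pack("<QHH", 0, 100, 0x0411)       # timestamp, interval, capabilities
    tags = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return header + fixed + tags


def parse_beacon(frame: bytes) -> dict:
    """Pull BSSID, SSID and channel out of a beacon. Everything here is plaintext:
    no key is needed to read the network name off the air."""
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22].hex(":")
    ssid, channel, pos = b"", None, 36
    while pos + 2 <= len(frame):                      # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated tag")
        if tag == 0:
            ssid = value
        elif tag == 3 and length == 1:
            channel = value[0]
        pos += 2 + length
    return {"bssid": bssid, "ssid": ssid.decode("utf-8", "replace"),
            "hidden": len(ssid) == 0, "channel": channel}


def classify_beacons(frames, authorized=AUTHORIZED):
    """Compare heard beacons with the inventory. Returns (kind, parsed_beacon) alerts:
    'evil-twin' for our SSID from an unknown radio, 'ssid-mismatch' for one of our
    radios announcing the wrong name, 'neighbor' for any other unknown network."""
    alerts = []
    for frame in frames:
        beacon = parse_beacon(frame)
        if beacon["bssid"] in authorized:
            if beacon["ssid"] != authorized[beacon["bssid"]]:
                alerts.append(("ssid-mismatch", beacon))
            continue                                  # known access point, as expected
        if beacon["ssid"] in authorized.values():
            alerts.append(("evil-twin", beacon))
        else:
            alerts.append(("neighbor", beacon))
    return alerts


# Constructed capture: two of our own APs, an unknown radio using our SSID,
# and a neighbour still running the vendor default SSID.
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("001122334401"), b"corp-wifi", 6),
    build_beacon(bytes.fromhex("001122334402"), b"corp-wifi", 11),
    build_beacon(bytes.fromhex("aabbccddee01"), b"corp-wifi", 6),
    build_beacon(bytes.fromhex("aabbccddee02"), b"linksys", 1),
]

if __name__ == "__main__":
    for kind, beacon in classify_beacons(SAMPLE_FRAMES):
        print(kind, beacon)
```

A real monitor would feed frames from a radio in monitor mode into `classify_beacons` and would also track which authorized BSSIDs stop beaconing, since an attacker's access point is easier to notice when it shows up on a channel or in a building where no inventory entry exists.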

WEP and WPA

In Hour 7, we mentioned the WEP and the WPA protocols. Because of some security weaknesses in WEP, it has been deprecated by the Institute of Electrical and Electronics Engineers (IEEE). WPA is now the recommended wireless security protocol. It uses a higher level of encryption than WEP and employs a dynamic key exchange, which doesn’t exist in WEP.

As of this writing, WPA is still new and undergoing shakedown. If you’re using Wi-Fi in your network, I recommend that you do some research before making decisions on your wireless security configuration. Check out the latest certification of WPA by the Wi-Fi Alliance at www.wi-fi.org.

Best Practices for Securing a Network

We’ve explained that you need to require strong passwords on user accounts. Also, you should make sure your users change their passwords periodically. These procedures are important first steps for securing user access to the network. Controlling other user behaviors—such as the hours they can log on and the number of concurrent connections that a particular user account can have on the network—is also an effective way to build a sound security system.

Here’s a general checklist of best practices related to network security:

• Make passwords secret.

• Ensure users log out of the network at the end of their workday.

• Maintain security audit logs on your systems. Look for odd patterns of access: Should the junior accounting clerk be logged in to the network at 2:00 a.m.? Question the entries in this log just as you would question phone calls on your business long-distance service. Keep records of questionable access.

• Add virus-checking software to your system. Ideally, you’ll have one kind of antivirus software on your firewall, others on your servers, and still others on your workstations. Although this might appear to be overkill, you don’t want to have to deal with a network-wide virus infection.

• Build your network model in a way that fosters security. Adding firewalls to secure the network’s connection to the Internet is a must.

• Make certain your systems are patched against TCP/IP DoS attacks and different types of email-related attacks. Install the most recent updates provided by your software vendors on both your server and client computers. Make certain you’ve set software to allow your vendors (OS, NOS, wireless, router, and so on) to keep their security packages up-to-date by automatically downloading their changes.

• Instruct your users and system administrators that they aren’t to give out passwords, user IDs, or other computer security–related material over the phone unless they’re confident the information will be secure.

• Physically secure your server computers. Allow only password access to servers’ consoles, and log all attempts to gain entry to those systems.

• Secure backup media in a locked area. (Backup strategies are discussed in Hour 21.)

Create a network security plan that includes user education. Security awareness in the user community can go a long way toward securing an organization’s network. Keep in mind that no matter how small your company, you always run the risk of attack. The person in charge of network security must never forget to close the gate before the cows get out.
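The audit-log item in the checklist above (the junior clerk logged in at 2:00 a.m.) and the earlier remarks about restricting logon hours and concurrent connections are easy to turn into a routine check. The following added example, not part of this book, reads constructed logon/logoff records, applies a per-user policy of allowed hours and maximum simultaneous sessions, and reports the questionable entries that the checklist says you should keep records of. The log format, the account names, and the `POLICY` table are all assumptions made for the demonstration; adapt the regular expression to whatever your OS or NOS actually writes.

```python
"""Audit-log review: flag off-hours logons, too many concurrent sessions,
unknown accounts, and lines the parser cannot read. Added example."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed one-line-per-event format, e.g.
#   2009-03-02T09:05:13 LOGON user=jclerk src=10.0.5.23
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGON|LOGOFF) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed policy: allowed logon window on a 24-hour clock [start, end)
# and the number of simultaneous sessions the account may hold.
POLICY = {
    "jclerk": {"hours": (8, 18), "max_sessions": 1},
    "admin1": {"hours": (0, 24), "max_sessions": 3},
}


def parse_line(line: str):
    """Return a dict with a parsed timestamp, or None if the line is not understood."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["ts"] = datetime.fromisoformat(record["ts"])
    return record


def audit(lines, policy=POLICY):
    """Walk the log in order and return (kind, user, line) alerts.

    Sessions are tracked per source address so a repeated LOGON from the
    same workstation is not counted twice, while a second workstation is.
    """
    active = defaultdict(set)        # user -> source addresses with an open session
    alerts = []
    for raw in lines:
        record = parse_line(raw)
        if record is None:
            alerts.append(("unparsed", None, raw.strip()))   # never silently skip
            continue
        user, src, ts = record["user"], record["src"], record["ts"]
        if record["event"] == "LOGOFF":
            active[user].discard(src)
            continue
        rule = policy.get(user)
        if rule is None:
            alerts.append(("unknown-account", user, raw.strip()))
            continue
        start, end = rule["hours"]
        if not (start <= ts.hour < end):
            alerts.append(("off-hours", user, raw.strip()))
        active[user].add(src)
        if len(active[user]) > rule["max_sessions"]:
            alerts.append(("too-many-sessions", user, raw.strip()))
    return alerts


# Constructed sample log: a normal day, then a second concurrent session for the
# clerk, a 2 a.m. logon, an account nobody configured, and a corrupt line.
SAMPLE_LOG = [
    "2009-03-02T09:05:13 LOGON user=jclerk src=10.0.5.23",
    "2009-03-02T09:30:00 LOGON user=admin1 src=10.0.1.9",
    "2009-03-02T12:10:44 LOGON user=jclerk src=10.0.7.88",
    "2009-03-02T17:45:00 LOGOFF user=jclerk src=10.0.5.23",
    "2009-03-02T17:46:00 LOGOFF user=jclerk src=10.0.7.88",
    "2009-03-03T02:00:07 LOGON user=jclerk src=10.0.5.23",
    "2009-03-03T02:01:00 LOGON user=svc_backup src=10.0.9.1",
    "bogus entry",
]


def run_sample():
    """Audit the constructed log; kept as a function so results can be checked."""
    return audit(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, user, line in run_sample():
        print(f"{kind:<18} {user or '-':<12} {line}")
```

Run this against yesterday's log as a scheduled job and review the output the way the checklist suggests: each alert is a question to ask, not proof of an intrusion, but the record of what was asked and answered is exactly the "questionable access" log the text recommends keeping.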

Summary

In this hour, we examined the issues related to securing computer networks. We discussed how to use password policies and resource rights to help secure the network. We also discussed the external attacks that hackers can visit upon your network. Solutions such as firewalls and the Internet security protocols were covered in relation to different hacker attacks. We also examined a checklist of actions you can take to keep your network secure.

Q&A

Q. Can using password expiration as a security measure be counterproductive?

A. It depends on the effectiveness of your user security education program. The security administrator needs to balance the use of password expiration with the fact that too many password changes (over time) confuse users. They forget their passwords or continue to attempt to reuse their dog’s name. In addition, the sudden loss of access to the network can generate resentment from the recent but now former users of the network. So, use common sense when setting up password expiration intervals.

Q. What security procedures must a security administrator make certain are operational in the network?

A. 1. The assurance that the user’s data isn’t examined by unauthorized parties.

2. The assurance that a legitimate party has sent the data that the user received.

3. The assurance that a user’s transmitted data isn’t altered before it reaches the end recipient. Additionally, the assurance that the data the user receives hasn’t been changed.

4. The assurance that a user’s resource (files, data, software, etc.) won’t experience unauthorized access.

5. The assurance that the receiver of a user’s transmission won’t be able to deny or disavow the legitimate reception of the transaction.

Q. Where can you obtain the procedures and services described in the previous question/answer?

A. All computer OSs and NOSs now provide some or all of these services. In addition, many of them are also available with the Internet security protocols.
