Network-Level Topics

  • Identify the basic security issues associated with system/network design and configuration.

By understanding key TCP/IP networking concepts, you can better understand how to secure your networks from intrusion or snooping from hackers or even malicious users on your network. Some key networking technology you will learn about in the next two sections, “Network Address Translation (NAT)” and “Secure Sockets Layer (SSL),” can greatly help in securing your network traffic.

Packet Routing Basics

In previous sections, you have learned about the basic anatomy of an IP packet and how TCP/IP is modeled for use on networks, such as the Internet. In this section, you learn how packets are routed around a network. On its deepest level, routing packets on the Internet is a very complex topic, but to gain a fundamental view of how it works, take a look at Figure 2.6.

Figure 2.6. Basic Internet network topology.


As you can see, the Internet is a large web of smaller interconnected networks. A good analogy is the body's nervous system: you have the big, main pipe that stretches out to essential areas, the midsize networks hook into that larger pipe, the smaller networks hook into the midsize ones, and so on.

The great design theory behind a network such as the Internet is that you can theoretically get anywhere one way or another, even if a main gateway is blocked or down; keep in mind, though, that this isn't always the case and you will have points of failure. Usually, you have multiple routes or pathways for your packet, so it should make it to its destination; it just may take longer than normal to arrive. The packet knows how to get to its destination using the destination IP address (much like a ZIP Code), which pinpoints an exact spot on the Internet, and every router or gateway on the Internet has a routing table of some type or another. Internet service providers (ISPs), or larger carriers, typically manage these routing tables. In many cases, a packet makes several stops along the way, called hops, as it hits various gateways on the Internet. One way to see where your packets are going is to use a utility such as Tracert in Windows. Figure 2.7 shows a sample output of Tracert.

Figure 2.7. Output of Tracert following a packet over the Internet.


One Internet routing fact is that when a packet is traveling over the Internet, gateways on the Internet don't pay attention to the actual source address of the packet, just the destination. This one particular design feature allows many common attacks that hackers employ, such as Denial of Service and IP spoofing. These attacks often allow hackers to carry out their attacks without the victim knowing where exactly the hacker is coming from.

System Ports

You have undoubtedly heard of the network term ports, which only the TCP and UDP protocols make use of on a system. Ports are the result of a single system's need to communicate with multiple services and protocols over one network connection, such as the Internet. A classic example is a server that provides email services and an FTP site for users to upload and download files. For the most part, any major program type or service has its own default port (for instance, FTP uses ports 20 and 21, whereas HTTP uses port 80). Each incoming packet of data has a destination port listed in its header information; this port number indicates where exactly on the server the packet is destined. On a system, there are 65,536 ports for use by TCP and UDP, but only the first 1,023 have been marked as well-known ports that will be used by common services. Understanding which ports your system has active gives you better insight into the ports hackers might use to gain access to your system. Remember, if a port isn't in use, don't leave it open (much like the unused physical network jack discussed earlier); it simply provides another avenue into your system. Another tactic to help prevent attack through known ports and services is to change the port the service is using. For instance, change your FTP server from using port 21 to using port 2100. This works well, but you must also reconfigure the port information for any clients connecting to that server.

Network Address Translation

Network Address Translation (NAT) is a popular way to share a common Internet IP address with any systems inside your network. NAT basically takes the external valid IP address provided by your Internet service provider (ISP) and passes the information to the internal invalid IP address on your system using NAT services. An invalid address is one that does not work on the Internet but works fine on internal networks, such as those within the 192.168.x.x range. When a system on the internal network requests something on the Internet, such as a Web page, it sends the request through the NAT service. NAT assigns a particular port (for instance, 3003) that the system's communications pass through and records that data in a table within the NAT service. NAT then picks up the packet and stamps on it the valid IP address that it uses to connect to the Internet. When the Web site from which you are requesting data receives the packet, it completes the request and sends the reply back to the NAT server, because that is the IP address that was on the packet. The NAT server then takes the data out of the packet, reads the return port that was recorded in the table, and routes it to the appropriate system on the internal network. For example, a client system sends a packet out to a Web server requesting a Web page. The packet has the client's internal network address (for example, 192.168.1.10) and port 3003. The destination is the Web server's address (198.167.0.9) and port 80. The NAT service receives this packet, chooses a free port number on its own system, such as 5008, and adds an entry to the NAT table that associates any incoming packets for its own port 5008 with the client address 192.168.1.10 and port 3003. NAT then replaces the source address and port on the packet with its own and routes the packet out to the Internet. The Web server eventually gets the packet and responds with the appropriate information, sending the packets back to the NAT server on port 5008. The NAT server receives that reply, replaces its own address and port in the packet with the client's original address and port from the table, and returns the packet to the client.
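The NAT table walk-through above, as an added example that is not from the book: a small Python simulation using the chapter's addresses (192.168.1.10:3003, 198.167.0.9:80, NAT port 5008). The NAT service's public address 203.0.113.5 and the stray packet's source are constructed values. It also shows the "middleman" property the note below relies on: a reply that matches no table entry is dropped rather than forwarded inside.

```python
"""Minimal simulation of a NAT translation table (added example, not the book's code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str = ""


@dataclass
class NatService:
    public_ip: str                   # the ISP-assigned, Internet-valid address
    next_port: int = 5008            # first free port handed out (the book's example value)
    table: Dict[int, Endpoint] = field(default_factory=dict)  # NAT port -> internal (ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Client -> Internet: record the mapping, then stamp our own address and port."""
        # Reuse an existing mapping for the same internal source, else allocate a new port.
        for nat_port, internal in self.table.items():
            if internal == pkt.src:
                break
        else:
            nat_port = self.next_port
            self.next_port += 1
            self.table[nat_port] = pkt.src
        return Packet(src=(self.public_ip, nat_port), dst=pkt.dst, payload=pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> client: look up the NAT port; drop anything with no table entry."""
        internal = self.table.get(pkt.dst[1])
        if internal is None:
            return None   # unsolicited packet: no inside host asked for it, so it is dropped
        return Packet(src=pkt.src, dst=internal, payload=pkt.payload)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    nat = NatService(public_ip="203.0.113.5")    # constructed public address (documentation range)
    request = Packet(src=("192.168.1.10", 3003), dst=("198.167.0.9", 80), payload="GET / HTTP/1.0")
    on_wire = nat.outbound(request)              # leaves as 203.0.113.5:5008 -> 198.167.0.9:80
    reply = Packet(src=("198.167.0.9", 80), dst=(nat.public_ip, 5008), payload="HTTP/1.0 200 OK")
    delivered = nat.inbound(reply)               # translated back to 192.168.1.10:3003
    stray = nat.inbound(Packet(src=("198.51.100.7", 4444), dst=(nat.public_ip, 6000)))
    return on_wire, delivered, stray
```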

EXAM TIP

NAT Fundamentals The exam will likely cover a few questions on Network Address Translation. Understanding the fundamentals of NAT provides useful information for this section of the exam, as well as for questions on other topics, such as firewalls.


NOTE

Out-of-the-Box NAT Services A NAT service is available out of the box with Windows 2000/.NET Server and many Linux distributions. If your company lacks any other protection from the Internet, this can be a good, low-cost alternative to costly firewall or proxy software. By using the security by obscurity rule, you can help protect your workstations connected to the Internet by making the server act as a middleman. If you go this route, be sure to secure the server itself very well and look into a low-cost firewall or similar software package.


Secure Sockets Layer

A popular way to secure traffic passed between Web servers and Web browsers is to use Secure Sockets Layer (SSL) security on Web pages and servers. SSL encrypts the data passing from the Web page or directory (for instance, a directory that holds an online store's customer database) to the client (Web browser), allowing for secure data transmission. Because the encryption and decryption of packets requires additional processor time and network bandwidth, SSL is generally reserved for those Web pages or sites that really need it. The places in which SSL is actually needed are locations such as an online store, where you enter sensitive information (such as your credit card number) to complete a transaction. You want these types of Web pages to be encrypted; however, you do not need to encrypt pages such as the main page or the news page, where there isn't any sensitive information. Most Web servers support the use of SSL, including Windows 2000 through IIS version 5. Another great feature of SSL is that most, if not all, current Web browsers support it.

The security options you have learned about in this chapter are certainly not the only ones available to you. They do, however, represent a good cross section of the security options you can take advantage of when securing TCP/IP communications and authentication on your servers and network in general. Likely, you will use a mix of these options to design the best overall security solution for your network, based on the potential results, your organization's security needs, and the time it takes to implement and support your new TCP/IP security options.
