Introduction to Network Security

Matt Curtin
Reprinted with the permission of Kent Information Services, Inc.

Abstract

Network security is a complicated subject, historically only tackled by well-trained
and experienced experts. However, as more and more people become ``wired'', an
increasing number of people need to understand the basics of security in a networked
world. This document was written with the basic computer user and information
systems manager in mind, explaining the concepts needed to read through the hype in
the marketplace and understand risks and how to deal with them.

Risk Management: The Game of Security

It's very important to understand that in security, one simply cannot say ``what's the
best firewall?'' There are two extremes: absolute security and absolute access. The
closest we can get to an absolutely secure machine is one unplugged from the
network, power supply, locked in a safe, and thrown at the bottom of the ocean.
Unfortunately, it isn't terribly useful in this state. A machine with absolute access is
extremely convenient to use: it's simply there, and will do whatever you tell it,
without questions, authorization, passwords, or any other mechanism. Unfortunately,
this isn't terribly practical, either: the Internet is a bad neighborhood now, and it isn't
long before some bonehead will tell the computer to do something like self-destruct,
after which, it isn't terribly useful to you.

This is no different from our daily lives. We constantly make decisions about what
risks we're willing to accept. When we get in a car and drive to work, there's a certain
risk that we're taking. It's possible that something completely out of our control will
cause us to become part of an accident on the highway. When we get on an airplane,
we're accepting the level of risk involved as the price of convenience. However, most
people have a mental picture of what an acceptable risk is, and won't go beyond that
in most circumstances. If I happen to be upstairs at home, and want to leave for work,
I'm not going to jump out the window. Yes, it would be more convenient, but the risk
of injury outweighs the advantage of convenience.

Every organization needs to decide for itself where between the two extremes of total
security and total access they need to be. A policy needs to articulate this, and then
define how that will be enforced with practices and such. Everything that is done in
the name of security, then, must enforce that policy uniformly.

Types And Sources Of Network Threats

Now, we've covered enough background information on networking that we can
actually get into the security aspects of all of this. First of all, we'll get into the types
of threats there are against networked computers, and then some things that can be
done to protect yourself against various threats.

Denial-of-Service

DoS (Denial-of-Service) attacks are probably the nastiest, and the most difficult to
address. They are the nastiest because they're very easy to launch, difficult
(sometimes impossible) to trace back to their source, and it isn't easy to refuse the
attacker's requests without also refusing legitimate requests for service.

The premise of a DoS attack is simple: send more requests to the machine than it can
handle. There are toolkits available in the underground community that make this a
simple matter of running a program and telling it which host to blast with requests.
The attacker's program simply makes a connection on some service port, perhaps
forging the packet's header information that says where the packet came from, and
then dropping the connection. If the host is able to answer 20 requests per second, and
the attacker is sending 50 per second, obviously the host will be unable to service all
of the attacker's requests, much less any legitimate requests (hits on the web site
running there, for example).

Such attacks were fairly common in late 1996 and early 1997, but are now becoming
less popular.

Some things that can be done to reduce the risk of being stung by a denial of service
attack include:

- Not running your visible-to-the-world servers at a level too close to capacity.

- Using packet filtering to prevent obviously forged packets from entering into
  your network address space. Obviously forged packets would include those that
  claim to come from your own hosts, addresses reserved for private networks as
  defined in RFC 1918 [4], and the loopback network (127.0.0.0/8).

- Keeping up-to-date on security-related patches for your hosts' operating
  systems.

Unauthorized Access

``Unauthorized access'' is a very high-level term that can refer to a number of
different sorts of attacks. The goal of these attacks is to access some resource that
your machine should not provide the attacker. For example, a host might be a web
server, and should provide anyone with requested web pages. However, that host
should not provide command shell access without being sure that the person making
such a request is someone who should get it, such as a local administrator.

Executing Commands Illicitly

It's obviously undesirable for an unknown and untrusted person to be able to execute
commands on your server machines. There are two main classifications of the severity
of this problem: normal user access, and administrator access. A normal user can do a
number of things on a system (such as read files, mail them to other people, etc.) that
an attacker should not be able to do. This might, then, be all the access that an attacker
needs. On the other hand, an attacker might wish to make configuration changes to a
host (perhaps changing its IP address, putting a start-up script in place to cause the
machine to shut down every time it's started, or something similar). In this case, the
attacker will need to gain administrator privileges on the host.

Confidentiality Breaches

We need to examine the threat model: what is it that you're trying to protect yourself
against? There is certain information that could be quite damaging if it fell into the
hands of a competitor, an enemy, or the public. In these cases, it's possible that
compromise of a normal user's account on the machine can be enough to cause
damage (perhaps in the form of PR, or obtaining information that can be used against
the company, etc.)

While many of the perpetrators of these sorts of break-ins are merely thrill-seekers
interested in nothing more than to see a shell prompt for your computer on their
screen, there are those who are more malicious, as we'll consider next. (Additionally,
keep in mind that it's possible that someone who is normally interested in nothing
more than the thrill could be persuaded to do more: perhaps an unscrupulous
competitor is willing to hire such a person to hurt you.)

Destructive Behavior

Among the destructive sorts of break-ins and attacks, there are two major categories.

Data Diddling.

The data diddler is likely the worst sort, since the fact of a break-in might not be
immediately obvious. Perhaps he's toying with the numbers in your spreadsheets, or
changing the dates in your projections and plans. Maybe he's changing the account
numbers for the auto-deposit of certain paychecks. In any case, rare is the case when
you'll come in to work one day, and simply know that something is wrong. An
accounting procedure might turn up a discrepancy in the books three or four months
after the fact. Trying to track the problem down will certainly be difficult, and once
that problem is discovered, how can any of your numbers from that time period be
trusted? How far back do you have to go before you think that your data is safe?
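The data diddler's advantage is that nothing looks wrong. The practitioner's answer to
the questions above is an integrity baseline: record a digest of every file at a
known-good point, keep that record (and the files) where the intruder cannot rewrite it,
and compare on a schedule, so the window in which numbers cannot be trusted shrinks
from months to one comparison interval. The following is an added example, not code
from Curtin's article; the paths and file contents are constructed stand-ins for a real
directory walk, and the HMAC key is assumed to be kept off the monitored host.

```python
import hashlib
import hmac
import os

# Constructed sample "file system" (path -> contents). A real deployment walks a
# directory and reads each file; the in-memory dict keeps the example self-contained.
BASELINE_FILES = {
    "finance/q3-projections.csv": b"quarter,revenue\nQ3,1250000\n",
    "payroll/autodeposit.txt": b"emp=1042 routing=021000021 acct=000123456789\n",
    "docs/readme.txt": b"internal use only\n",
}


def digest(data: bytes) -> str:
    """SHA-256 of the file contents, hex-encoded."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Snapshot: path -> content digest, taken at a point you believe is clean."""
    return {path: digest(data) for path, data in files.items()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical manifest text. A diddler who can rewrite files
    can also rewrite an unsigned manifest to match; the key lives elsewhere."""
    canonical = "\n".join(f"{p} {h}" for p, h in sorted(manifest.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, key: bytes, tag: str) -> bool:
    """Constant-time check that the manifest is the one we signed."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def detect_changes(baseline: dict, current_files: dict) -> dict:
    """Compare the stored baseline with the files as they are now."""
    current = build_manifest(current_files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


if __name__ == "__main__":
    key = os.urandom(32)  # in practice: stored off-host, e.g. with the backups
    manifest = build_manifest(BASELINE_FILES)
    tag = sign_manifest(manifest, key)

    # Simulated diddling: one digit changed in a deposit account number, a file
    # added, a file removed. None of this would be noticed by looking at a directory.
    tampered = dict(BASELINE_FILES)
    tampered["payroll/autodeposit.txt"] = b"emp=1042 routing=021000021 acct=000123456780\n"
    tampered["docs/notes.txt"] = b"new\n"
    del tampered["docs/readme.txt"]

    if verify_manifest(manifest, key, tag):
        print(detect_changes(manifest, tampered))
```

The comparison is only as trustworthy as the stored manifest, hence the signature; a
manifest kept on the same host with the same permissions as the data it describes is
just one more file for the diddler to edit.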

Data Destruction.

Some of those who perpetrate attacks are simply twisted jerks who like to delete
things. In these cases, the impact on your computing capability -- and consequently
your business -- can be nothing less than if a fire or other disaster caused your
computing equipment to be completely destroyed.

Where Do They Come From?

How, though, does an attacker gain access to your equipment? Through any
connection that you have to the outside world. This includes Internet connections,
dial-up modems, and even physical access. (How do you know that one of the temps
that you've brought in to help with the data entry isn't really a system cracker looking
for passwords, data phone numbers, vulnerabilities and anything else that can get him
access to your equipment?)

In order to be able to adequately address security, all possible avenues of entry must
be identified and evaluated. The security of that entry point must be consistent with
your stated policy on acceptable risk levels.

Lessons Learned

From looking at the sorts of attacks that are common, we can divine a relatively short
list of high-level practices that can help prevent security disasters, and to help control
the damage in the event that preventative measures were unsuccessful in warding off
an attack.

Hope you have backups

This isn't just a good idea from a security point of view. Operational requirements
should dictate the backup policy, and this should be closely coordinated with a
disaster recovery plan, such that if an airplane crashes into your building one night,
you'll be able to carry on your business from another location. Similarly, these can be
useful in recovering your data in the event of an electronic disaster: a hardware
failure, or a breakin that changes or otherwise damages your data.

Don't put data where it doesn't need to be

Although this should go without saying, this doesn't occur to lots of folks. As a result,
information that doesn't need to be accessible from the outside world sometimes is,
and this can needlessly increase the severity of a break-in dramatically.

Avoid systems with single points of failure

Any security system that can be broken by breaking through any one component isn't
really very strong. In security, a degree of redundancy is good, and can help you
protect your organization from a minor security breach becoming a catastrophe.

Stay current with relevant operating system patches

Be sure that someone who knows what you've got is watching the vendors' security
advisories. Exploiting old bugs is still one of the most common (and most effective!)
means of breaking into systems.

Watch for relevant security advisories

In addition to watching what the vendors are saying, keep a close watch on groups
like CERT and CIAC. Make sure that at least one person (preferably more) is
subscribed to these mailing lists.

Have someone on staff be familiar with security practices

Having at least one person who is charged with keeping abreast of security
developments is a good idea. This need not be a technical wizard, but could be
someone who is simply able to read advisories issued by various incident response
teams, and keep track of various problems that arise. Such a person would then be a
wise one to consult with on security related issues, as he'll be the one who knows if
web server software version such-and-such has any known problems, etc.

This person should also know the ``dos'' and ``don'ts'' of security, from reading such
things as the ``Site Security Handbook.''[5]

Firewalls

As we've seen in our discussion of the Internet and similar networks, connecting an
organization to the Internet provides a two-way flow of traffic. This is clearly
undesirable in many organizations, as proprietary information is often displayed
freely within a corporate intranet (that is, a TCP/IP network, modeled after the
Internet that only works within the organization).

In order to provide some level of separation between an organization's intranet and the
Internet, firewalls have been employed. A firewall is simply a group of components
that collectively form a barrier between two networks.

A number of terms specific to firewalls and networking are going to be used
throughout this section, so let's introduce them all together.

Bastion host.
A general-purpose computer used to control access between the internal
(private) network (intranet) and the Internet (or any other untrusted network).
Typically, these are hosts running a flavor of the Unix operating system that
has been customized in order to reduce its functionality to only what is
necessary in order to support its functions. Many of the general-purpose
features have been turned off, and in many cases, completely removed, in
order to improve the security of the machine.
Router.
A special purpose computer for connecting networks together. Routers also
handle certain functions, such as routing , or managing the traffic on the
networks they connect.
Access Control List (ACL).
Many routers now have the ability to selectively perform their duties, based on
a number of facts about a packet that comes to it. This includes things like
origination address, destination address, destination service port, and so on.
These can be employed to limit the sorts of packets that are allowed to come
in and go out of a given network.

Demilitarized Zone (DMZ).
The DMZ is a critical part of a firewall: it is a network that is neither part of
the untrusted network, nor part of the trusted network. But, this is a network
that connects the untrusted to the trusted. The importance of a DMZ is
tremendous: someone who breaks into your network from the Internet should
have to get through several layers in order to successfully do so. Those layers
are provided by various components within the DMZ.
Proxy.
This is the process of having one host act on behalf of another. A host that has
the ability to fetch documents from the Internet might be configured as a proxy
server, and hosts on the intranet might be configured to be proxy clients. In
this situation, when a host on the intranet wishes to fetch the
<http://www.interhack.net/> web page, for example, the browser will make a
connection to the proxy server, and request the given URL. The proxy server
will fetch the document, and return the result to the client. In this way, all
hosts on the intranet are able to access resources on the Internet without
having the ability to talk directly to the Internet.

Types of Firewalls

There are three basic types of firewalls, and we'll consider each of them.

Application Gateways

The first firewalls were application gateways, and are sometimes known as proxy
gateways. These are made up of bastion hosts that run special software to act as a
proxy server. This software runs at the Application Layer of our old friend the
ISO/OSI Reference Model, hence the name. Clients behind the firewall must be
proxitized (that is, must know how to use the proxy, and be configured to do so) in
order to use Internet services. Traditionally, these have been the most secure, because
they don't allow anything to pass by default, but need to have the programs written
and turned on in order to begin passing traffic.
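As an added illustration (not code from the original article) of the default-deny
property described above, and of the client/proxy exchange defined under Proxy: the
gateway parses the request line a proxy client sends, which carries an absolute URL,
and relays only those destinations for which a program has been written and turned on.
Everything else, including requests the gateway cannot parse at all, is refused. The
allowlist, the permitted methods, and the use of www.interhack.net as the one permitted
destination are constructed policy, not anything the article prescribes.

```python
from urllib.parse import urlsplit

# Constructed policy: the only application-level "programs" this gateway has had
# written and turned on. Anything not listed here is refused by default.
ALLOWED_DESTINATIONS = {
    # (scheme, port) -> hosts that proxy clients may reach through that program
    ("http", 80): {"www.interhack.net"},
    ("https", 443): {"www.interhack.net"},
}
PROXIED_METHODS = {"GET", "HEAD", "POST"}
DEFAULT_PORTS = {"http": 80, "https": 443}


class ProxyError(Exception):
    pass


def parse_proxy_request(request_line: str):
    """Parse the request line a proxy client sends, e.g.
    'GET http://www.interhack.net/ HTTP/1.0'. Unlike a request sent straight to
    an origin server, the target is an absolute URL, which is what tells the
    proxy where to go. Returns (method, scheme, host, port, path)."""
    parts = request_line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ProxyError("malformed request line")
    method, target, _version = parts
    url = urlsplit(target)
    if not url.scheme or not url.hostname:
        raise ProxyError("proxy requests must carry an absolute URL")
    try:
        port = url.port  # ValueError on a non-numeric or out-of-range port
    except ValueError as e:
        raise ProxyError(f"bad port: {e}")
    if port is None:
        port = DEFAULT_PORTS.get(url.scheme.lower())
    if port is None:
        raise ProxyError(f"no default port for scheme {url.scheme}")
    return method.upper(), url.scheme.lower(), url.hostname, port, url.path or "/"


def gateway_decision(request_line: str) -> str:
    """Return 'ALLOW' or 'DENY: <reason>'. Every failure path is a denial: a
    request the gateway cannot parse, a method or service it has no program
    for, or a destination outside the policy."""
    try:
        method, scheme, host, port, _path = parse_proxy_request(request_line)
    except ProxyError as e:
        return f"DENY: {e}"
    if method not in PROXIED_METHODS:
        return f"DENY: method {method} not proxied"
    hosts = ALLOWED_DESTINATIONS.get((scheme, port))
    if hosts is None:
        return f"DENY: no proxy program for {scheme} on port {port}"
    if host not in hosts:
        return f"DENY: destination {host} not permitted"
    return "ALLOW"


if __name__ == "__main__":
    for line in (
        "GET http://www.interhack.net/ HTTP/1.0",
        "GET http://www.interhack.net:8080/ HTTP/1.0",
        "GET http://intranet.example/ HTTP/1.0",
        "GET /index.html HTTP/1.0",
    ):
        print(f"{line!r:48} -> {gateway_decision(line)}")
```

The parse-then-decide order matters: a gateway that forwards whatever it does not
understand has quietly become a packet filter with no rules.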

Figure 1: A sample application gateway

These are also typically the slowest, because more processes need to be started in
order to have a request serviced. Figure 1 shows an application gateway.

Packet Filtering

Packet filtering is a technique whereby routers have ACLs (Access Control Lists)
turned on. By default, a router will pass all traffic sent it, and will do so without any
sort of restrictions. Employing ACLs is a method for enforcing your security policy
with regard to what sorts of access you allow the outside world to have to your
internal network, and vice versa.

There is less overhead in packet filtering than with an application gateway, because
the access control is performed at lower ISO/OSI layers (the network and transport
layers: the filter looks at addresses, protocol and port numbers, never at the
application data). Due to the lower overhead and the fact that packet filtering
is done with routers, which are specialized computers optimized for tasks related to
networking, a packet filtering gateway is often much faster than its application layer
cousins. Figure 2 shows a packet filtering gateway.

Because we're working at a lower level, supporting new applications either comes
automatically, or is a simple matter of allowing a specific packet type to pass through
the gateway. (That something is possible does not automatically make it a good idea;
opening things up this way might very well lower your level of security below what
your policy allows.)

There are problems with this method, though. Remember, TCP/IP has absolutely no
means of guaranteeing that the source address is really what it claims to be: the
only thing a packet filter can trust is which interface a packet arrived on, not the
source address written in its header. As a result, we have to use layers of packet
filters in order to localize the traffic. We can't get all the way down to the actual
host, but with two layers of packet filters, we can differentiate between a packet
that came from the Internet and one that came from our internal network. We can
identify which network the packet came from with certainty, but we can't get more
specific than that.
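An added example, not code from the article, serving both the anti-spoofing bullets
under Denial-of-Service and the ACL description in this section. A router ACL is an
ordered list: the first matching rule wins, and a packet that matches nothing is
dropped. The addressing is constructed: the organization is assumed to own
192.0.2.0/24 (a documentation prefix standing in for a real allocation) with a public
web server at 192.0.2.10, and the interface names outside and inside are assumptions
too. The spoofing rules key on the arrival interface, the one fact the filter can
trust, and the last rule is the egress counterpart (inside hosts may only leave with
our own source addresses), a generalization the text does not spell out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: "outside" or "inside"
    proto: str            # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    iface: str                     # interface the rule applies to, or "any"
    proto: str                     # protocol, or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None matches any destination port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.iface == "any" or self.iface == p.iface)
                and (self.proto == "any" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


ANY = net("0.0.0.0/0")
OWN = net("192.0.2.0/24")    # constructed: the prefix we own
WEB = net("192.0.2.10/32")   # constructed: our public web server

ACL = [
    # Anti-spoofing first. On the outside interface, a source address that could
    # only legitimately originate inside, or that is never routable, is forged.
    Rule("deny", "outside", "any", OWN, ANY, note="claims to be one of our own hosts"),
    Rule("deny", "outside", "any", net("10.0.0.0/8"), ANY, note="RFC 1918"),
    Rule("deny", "outside", "any", net("172.16.0.0/12"), ANY, note="RFC 1918"),
    Rule("deny", "outside", "any", net("192.168.0.0/16"), ANY, note="RFC 1918"),
    Rule("deny", "outside", "any", net("127.0.0.0/8"), ANY, note="loopback"),
    # Policy: the world may reach the web server on port 80 and nothing else.
    Rule("permit", "outside", "tcp", ANY, WEB, 80, note="public web"),
    # Egress: our hosts may talk out, but only with our own source addresses.
    Rule("permit", "inside", "any", OWN, ANY, note="our hosts going out"),
]


def evaluate(acl, p: Packet):
    """First matching rule wins; no match means deny. Returns (action, note)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action, rule.note
    return "deny", "implicit deny"


if __name__ == "__main__":
    # Constructed sample traffic as the router would see it.
    samples = [
        Packet("outside", "tcp", "203.0.113.5", "192.0.2.10", 80),   # real client
        Packet("outside", "tcp", "192.0.2.77", "192.0.2.10", 80),    # forged: our prefix
        Packet("outside", "udp", "10.1.2.3", "192.0.2.10", 53),      # forged: RFC 1918
        Packet("outside", "tcp", "203.0.113.5", "192.0.2.10", 22),   # ssh from the world
        Packet("inside", "tcp", "10.9.9.9", "198.51.100.9", 443),    # spoofed outbound
    ]
    for p in samples:
        print(p, "->", evaluate(ACL, p))
```

Rule order is the policy: if the permit for port 80 came before the anti-spoofing
denies, a SYN flood with forged internal source addresses would sail through to the
web server, which is exactly the packet the Denial-of-Service section says to refuse.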

Figure 2: A sample packet filtering gateway

Hybrid Systems

In an attempt to marry the security of the application layer gateways with the
flexibility and speed of packet filtering, some vendors have created systems that use
the principles of both.

In some of these systems, new connections must be authenticated and approved at the
application layer. Once this has been done, the remainder of the connection is
handed down to a packet filter that keeps state for that connection and passes only
packets that are part of an ongoing (already authenticated and approved)
conversation.
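An added example (not code from the article) of the first hybrid design just
described: a TCP connection request goes to an application-layer check, and once
approved its 5-tuple is entered in a state table that the packet filter consults for
every later packet, in either direction. The approval policy and the addresses are
constructed (the web server at 192.0.2.10 is an assumed address); only the SYN and FIN
flags are modelled, and a real implementation would also track sequence numbers, both
sides' FINs, and idle timeouts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # set on the segment that opens a TCP connection
    fin: bool = False  # set on the segment that closes it (simplified: one FIN ends the entry)


def conn_key(p: Packet):
    """Normalized 5-tuple, so both directions of one conversation map to one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def application_layer_approval(p: Packet) -> bool:
    """Stand-in for the gateway's application-layer authentication and policy
    check on a new connection. Constructed policy: only HTTP to the web server
    at 192.0.2.10 is approved."""
    return p.proto == "tcp" and p.dst == "192.0.2.10" and p.dport == 80


class HybridGateway:
    def __init__(self):
        self.established = set()  # keys of conversations already approved

    def handle(self, p: Packet) -> str:
        key = conn_key(p)
        if key in self.established:
            # Packet-filter path: part of an approved conversation, so it is
            # passed without going back to the application layer.
            if p.fin:
                self.established.discard(key)
            return "pass"
        if p.proto == "tcp" and p.syn:
            # Connection request: the application layer decides.
            if application_layer_approval(p):
                self.established.add(key)
                return "approved"
            return "refused"
        # Neither an approved conversation nor a request to start one. This is
        # what stops injected mid-stream packets and ACK scans at the filter.
        return "drop"


if __name__ == "__main__":
    gw = HybridGateway()
    flow = [
        Packet("tcp", "10.1.1.5", 40001, "192.0.2.10", 80, syn=True),   # open: approved
        Packet("tcp", "10.1.1.5", 40001, "192.0.2.10", 80),             # data: pass
        Packet("tcp", "192.0.2.10", 80, "10.1.1.5", 40001),             # reply: pass
        Packet("tcp", "10.1.1.5", 40002, "192.0.2.10", 80),             # no SYN seen: drop
        Packet("tcp", "10.1.1.5", 40003, "192.0.2.10", 22, syn=True),   # policy: refused
        Packet("tcp", "10.1.1.5", 40001, "192.0.2.10", 80, fin=True),   # close: pass
        Packet("tcp", "10.1.1.5", 40001, "192.0.2.10", 80),             # after close: drop
    ]
    for p in flow:
        print(p, "->", gw.handle(p))
```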

Other possibilities include using both packet filtering and application layer proxies.
The benefits here include providing a measure of protection for your machines
that provide services to the Internet (such as a public web server), as well as
providing the security of an application layer gateway to the internal network.
Additionally, using this method, an attacker, in order to get to services on the
internal network, will have to break through the access router, the bastion host, and
the choke router.

So, what's best for me?

Lots of options are available, and it makes sense to spend some time with an expert,
either in-house, or an experienced consultant who can take the time to understand
your organization's security policy, and can design and build a firewall architecture
that best implements that policy. Other issues like services required, convenience, and
scalability might factor in to the final design.

Reference
http://www.interhack.net/pubs/network-security/
