Ports, Protocols and Network Security

  1. Ports, Protocols and Security

a) Protocol-based Attacks

Denial-of-Service (DoS) attacks consume or disable resources so that service to users is interrupted. Rather than destroying or stealing data, they disrupt normal daily operations. This can lead to loss of reputation and revenue for the victim.

There are different types of DoS attacks, conducted using a variety of methods. Some cause the user's application or operating system to crash; others clog web server connections with illegitimate traffic or consume disk, buffer or queue space, making servers slow or unable to respond to valid user requests. Another form of DoS attack involves deliberately trying to log on to an account with wrong passwords until the lockout policy locks the account.

An attacker might also crash a DNS server by sending so many DNS lookup requests that the server runs out of memory.

To establish a normal TCP connection, a three-way handshake occurs. First the client sends the server a packet with the SYN (synchronize) flag set. The server acknowledges it with a packet carrying both the SYN flag and the acknowledgement (ACK) flag, known as a SYN/ACK packet. The client then responds with an ACK packet to complete the handshake, after which the hosts can exchange data.

Three classic protocol-level DoS attacks are:

  • SYN flood attacks: flood a server with half-open TCP connections. The attacker uses spoofed source addresses to fill the connection queue with SYN packets. Because the SYN/ACK packets that the server sends back go to the spoofed addresses, the final ACK packets never reach the server and the connections are never completed.

The server waits for a while for the client to complete the handshake before it removes an incomplete connection from memory. Since the listen backlog can hold only a limited number of half-open connections at a time, if a server is flooded with half-open connections, legitimate users cannot connect until the half-open connections time out.

Firewalls often include features to prevent or stop SYN flood attacks. For instance, a firewall can withhold or insert packets in a data stream as needed to stop a SYN flood. It can also immediately answer the server's SYN/ACK with an ACK sent from the (possibly spoofed) client's IP address, so that the connection leaves the server's half-open queue.

If the connection attempt is legitimate, the client sends its own ACK shortly afterwards and the firewall forwards it to the server. If the half-open connection is illegitimate, no ACK ever arrives from the client, and the firewall then sends a reset (RST) packet to the server to kill the TCP session.

A firewall uses the following process to prevent a SYN flood attack:

  1. A legitimate client, or a host used for a SYN flood attack, sends a SYN through the firewall.

  2. The firewall passes the SYN on to the server.

  3. The server returns a SYN/ACK towards the client.

  4. The firewall passes the SYN/ACK on to a legitimate client but blocks a SYN/ACK destined for a spoofed address.

  5. The firewall responds to the server's SYN/ACK with an ACK sent from the (possibly spoofed) client IP address, so the server moves the connection out of its half-open queue.

  6. A legitimate client responds with its own ACK, which is passed through the firewall to the server. A host used for a SYN flood never returns an ACK.

  7. Finally, when no client ACK arrives within the timeout, the firewall sends a RST from the spoofed address, which lets the server remove the illegitimate session.
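The seven-step process above, as an added Python simulation (this is illustrative code written for this page, not code from the original page or from any firewall vendor). It models the server's half-open queue and a firewall that ACKs on the client's behalf and resets sessions whose client never answers; the addresses are placeholders from the RFC 5737 documentation ranges and the "reachable" set stands in for the firewall's knowledge of which clients it can actually deliver to:

```python
"""Simulation of the firewall SYN-gateway process (added example, not from the page).
Addresses are placeholders from the RFC 5737 documentation ranges (an assumption)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVER = "192.0.2.10"
LEGIT_CLIENT = "198.51.100.7"
Key = Tuple[str, str]          # (client address, server address)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str                 # "SYN", "SYN/ACK", "ACK" or "RST"


@dataclass
class Server:
    """Minimal TCP listener: a half-open connection queue plus established sessions."""
    addr: str
    half_open: Set[Key] = field(default_factory=set)
    established: Set[Key] = field(default_factory=set)
    sent: List[Packet] = field(default_factory=list)

    def receive(self, p: Packet) -> None:
        key = (p.src, self.addr)
        if p.flags == "SYN":                       # new half-open entry, answer with SYN/ACK
            self.half_open.add(key)
            self.sent.append(Packet(self.addr, p.src, "SYN/ACK"))
        elif p.flags == "ACK" and key in self.half_open:
            self.half_open.discard(key)            # handshake complete
            self.established.add(key)
        elif p.flags == "RST":                     # tear down whatever state exists
            self.half_open.discard(key)
            self.established.discard(key)


@dataclass
class SynGateway:
    """Firewall that completes the server side of the handshake on the client's behalf."""
    server: Server
    reachable: Set[str]        # clients the firewall can actually deliver to (step 4)
    client_acked: Dict[Key, bool] = field(default_factory=dict)
    to_client: List[Packet] = field(default_factory=list)
    resets: int = 0

    def inbound(self, p: Packet) -> None:
        key = (p.src, self.server.addr)
        if p.flags == "SYN":                       # steps 1-2: pass the SYN to the server
            self.client_acked[key] = False
            self.server.receive(p)
            self._relay_syn_acks()
        elif p.flags == "ACK" and key in self.client_acked:
            self.client_acked[key] = True          # step 6: the real client answered
            self.server.receive(p)                 # duplicate ACK; the server ignores it

    def _relay_syn_acks(self) -> None:
        while self.server.sent:
            p = self.server.sent.pop(0)            # step 3: the server's SYN/ACK
            if p.dst in self.reachable:            # step 4: only forward to real clients
                self.to_client.append(p)
            # step 5: ACK from the client's address so the server leaves half-open state
            self.server.receive(Packet(p.dst, p.src, "ACK"))

    def timeout(self) -> None:
        """Step 7: reset every session whose client never sent its own ACK."""
        for key, acked in list(self.client_acked.items()):
            if not acked:
                self.server.receive(Packet(key[0], key[1], "RST"))
                self.resets += 1
            del self.client_acked[key]


def spoofed_sources(n: int) -> List[str]:
    """n distinct unreachable source addresses for the flood (constructed)."""
    return [f"203.0.113.{i}" for i in range(1, n + 1)]


def run_without_gateway(flood_size: int) -> int:
    """Half-open connections left on an unprotected server after the flood."""
    server = Server(SERVER)
    for src in spoofed_sources(flood_size):
        server.receive(Packet(src, SERVER, "SYN"))
    return len(server.half_open)


def run_with_gateway(flood_size: int) -> dict:
    server = Server(SERVER)
    fw = SynGateway(server, reachable={LEGIT_CLIENT})
    fw.inbound(Packet(LEGIT_CLIENT, SERVER, "SYN"))
    peak_half_open = 0
    for src in spoofed_sources(flood_size):
        fw.inbound(Packet(src, SERVER, "SYN"))
        peak_half_open = max(peak_half_open, len(server.half_open))
    fw.inbound(Packet(LEGIT_CLIENT, SERVER, "ACK"))   # only the real client answers
    established_during_flood = len(server.established)
    fw.timeout()
    return {
        "peak_half_open": peak_half_open,
        "established_during_flood": established_during_flood,
        "resets_sent": fw.resets,
        "established_after_timeout": sorted(server.established),
    }


if __name__ == "__main__":
    print("unprotected server:", run_without_gateway(200), "half-open connections")
    print("behind the gateway:", run_with_gateway(200))
```

The unprotected server ends the flood with every spoofed SYN sitting in its half-open queue, while behind the gateway the queue never grows and only the legitimate session survives the timeout. The caveat a practitioner should notice is that the firewall's own table of pending connections has simply become the resource under attack; real SYN proxies bound that table or use SYN cookies so that no per-connection state is kept until the client's ACK arrives.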

Some measures for preventing SYN flood attacks are as follows:

    • Increase the half-open connection queue size on the server.

    • Decrease the time-out period for half-open connections so that stale entries are dropped from the queue sooner.

    • Implement an IDS that detects SYN flood attacks.

    • On Windows servers, use Regedit to set the SynAttackProtect parameter under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to 1 and TcpMaxConnectResponseRetransmissions to at least 2 (SYN attack protection only takes effect when the latter is 2 or more).

    • Enable SYN cookies where the operating system supports them (on Linux, net.ipv4.tcp_syncookies=1), so the server can complete handshakes without keeping state for every half-open connection.

  • Smurf attacks: overwhelm a host by flooding it with ICMP packets bounced off a third-party network. The attacker sends a ping (ICMP echo request) to the broadcast address of the intermediary network, with the source address faked so that it appears to come from the victim.

Every host on that subnet replies to the broadcast ping, and all the replies go to the victim's address. Unintentionally, the hosts on the third-party network inundate the victim with ping packets.

Using a smurf attack, the attacker achieves two results: the attack overwhelms the system that receives the flood of echo replies, and it saturates the victim's Internet connection with bogus traffic so that valid traffic cannot get through.

To stop a network being used as a smurf amplifier, routers are configured not to forward directed broadcasts (on Cisco IOS, "no ip directed-broadcast" on each interface), so that packets originating outside the network with an internal broadcast or multicast destination address are dropped.

Hosts can also be configured to ignore echo requests sent to their subnet broadcast address (on Linux, net.ipv4.icmp_echo_ignore_broadcasts=1).

  • Ping of death attacks: in the past, the ping of death was successfully used to crash systems. An IP packet has a maximum size of 65,535 bytes. Sending a fragmented ping whose fragments reassemble to more than 65,535 bytes overflows the reassembly buffer on a vulnerable host, which can crash the system. Modern operating systems check the reassembled length and are not affected.

A Distributed Denial of Service (DDoS) attack is one in which the attacker uses many compromised hosts to perform a DoS attack. This usually makes the target inaccessible for a time and can result in reputation and revenue losses for the victim.

DDoS attacks use automated tools, which make them easy to execute. They are often used against government and large corporate sites. First, the attacker finds a computer to use as the handler; the compromised system is usually one with plenty of disk space and a fast Internet connection. The attacker then uploads the chosen attack toolkit to this computer.

Since the attacker needs to remain undetected, a host with many user accounts or a careless administrator is chosen as the handler. The attacker then uses automated scripts to scan large areas of IP address space for systems to use as zombies or agents. The scripts often exploit known weaknesses in Windows operating systems. The zombie software is loaded onto these systems without their users realizing it. Typically the attacker builds hundreds or thousands of zombies to launch the DDoS attack. A collection of zombies is called a botnet.

Home computers that are inadequately protected and use always-on DSL or cable connections are often targeted as zombies.

A DDoS attack is typically coordinated over IRC. Each compromised host automatically logs on to an IRC channel and waits passively for the order to attack from the handler system. The attack begins when the handler issues a command to the zombies connected to the channel, instructing them to flood the victim's network. All of this happens without the owners of the zombie machines knowing that their systems were compromised.

To limit DDoS attacks, and to stop a network being used to launch them, firewalls and routers should be configured so that:

  • Inbound packets whose destination is a broadcast address are filtered.

  • Directed broadcasts are turned off on internal routers.

  • Packets from any source address that is not routable on the Internet (private RFC 1918 ranges, loopback and other bogon space) are blocked.

  • Any port or protocol that is not used for the network's Internet services is blocked.

  • Any incoming packet whose source address belongs to the internal network is blocked from entering (ingress filtering).

  • Packets with forged source addresses, i.e. any source that does not belong to the internal network, are blocked from leaving the network (egress filtering, as recommended by BCP 38).
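The filtering rules listed above, applied by an added Python example to a handful of constructed packet records (this is illustrative code written for this page, not code from the original or from any router vendor). The site prefix 192.0.2.0/24, the bogon list and the two published services are assumptions; the point is the order of the checks and the reason each packet is dropped:

```python
"""Border filtering rules from the DDoS prevention list, applied to constructed packets
(added example, not from the page). Site prefix and exposed services are assumptions."""
import ipaddress
from typing import List, Tuple

INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]        # the site's own prefix (assumed)
# Source ranges that never legitimately appear on the public Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
EXPOSED_SERVICES = {("tcp", 25), ("tcp", 443)}           # what the site actually publishes


def in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def is_broadcast(addr) -> bool:
    """Directed broadcast to one of our subnets, or the limited broadcast address."""
    return addr == LIMITED_BROADCAST or any(addr == n.broadcast_address for n in INTERNAL)


def border_decision(direction: str, src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return ("allow", "") or ("drop", reason) for one packet crossing the border."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if in_any(s, INTERNAL):
            return "drop", "ingress: source claims to be internal (spoofed)"
        if in_any(s, BOGONS):
            return "drop", "ingress: source not routable on the Internet"
        if is_broadcast(d) or d.is_multicast:
            return "drop", "ingress: broadcast/multicast destination (amplifier abuse)"
        if (proto, dport) not in EXPOSED_SERVICES:
            return "drop", "ingress: port/protocol not used for Internet services"
        return "allow", ""
    if direction == "out":
        if not in_any(s, INTERNAL):
            return "drop", "egress: forged source address (BCP 38)"
        return "allow", ""
    raise ValueError(f"unknown direction {direction!r}")


# Constructed packet records: (direction, src, dst, proto, dport).
SAMPLE_PACKETS: List[Tuple[str, str, str, str, int]] = [
    ("in",  "203.0.113.5",  "192.0.2.7",   "tcp",  443),   # ordinary HTTPS client
    ("in",  "192.0.2.9",    "192.0.2.7",   "tcp",  443),   # outside packet with inside source
    ("in",  "10.1.1.1",     "192.0.2.7",   "tcp",  443),   # RFC 1918 source (bogon)
    ("in",  "203.0.113.5",  "192.0.2.255", "icmp", 0),     # smurf: ping to our broadcast
    ("in",  "203.0.113.5",  "192.0.2.7",   "tcp",  23),    # Telnet is not published
    ("out", "192.0.2.7",    "203.0.113.5", "tcp",  80),    # normal outbound
    ("out", "198.51.100.1", "203.0.113.5", "udp",  53),    # our host spoofing someone else
]


def audit(packets=SAMPLE_PACKETS) -> List[Tuple[str, str]]:
    """Run every sample packet through the border rules."""
    return [border_decision(*p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE_PACKETS, audit()):
        print(f"{verdict:5} {pkt}  {why}")
```

The two spoofing checks come first because a packet that fails them is worthless whatever port it targets; the egress rule is the one most sites forget, and it is the rule that keeps your hosts from serving as smurf or DDoS sources.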

Man-in-the-middle attacks: here, an attacker is positioned between two hosts that are communicating with each other and listens in on the session. Each host believes it is communicating directly with the other, but in fact both are communicating with the attacker. The man-in-the-middle position can be used for several kinds of attack: DoS, corrupting transmitted data, or analysing traffic to gather information about a network.

Other types of man-in-the-middle attack include:

  • Web spoofing: the attacker puts a web server between the victim's browser and the legitimate server, then monitors and records the victim's online activity and can also modify the content the victim sees.

  • Information theft: the attacker passively records the data transmitted between hosts to gather sensitive information such as login details or trade secrets.

  • TCP/IP session hijacking: an attacker between two hosts takes over the role of one of them and assumes full control of the TCP session.

Anyone with access to the network packets that travel between hosts can conduct a man-in-the-middle attack. Some of the methods used are as follows:

  • Address Resolution Protocol (ARP) poisoning: can be conducted with tools such as Dsniff, Hunt, ARP Poison, Ettercap or Parasite, which let an attacker monitor and modify a TCP session. The attacker needs to be on the same Ethernet segment as the victim or the host.

  • Internet Control Message Protocol (ICMP) redirect: the attacker sends forged ICMP redirect messages to the victim host, telling it that a better route to some destination is via the attacker's system. The victim then sends those packets to the attacker, who can monitor and modify them before forwarding them to the original destination. To prevent such attacks, hosts should be configured to ignore ICMP redirects (on Linux, net.ipv4.conf.all.accept_redirects=0) and routers should not send them (on Cisco IOS, "no ip redirects").

  • Domain Name System (DNS) poisoning: the attacker redirects traffic by inserting wrong hostname-to-IP-address mappings into the victim's DNS cache.

When an attacker reuses valid transmission data to gain access to a network, it is known as a replay attack. The most common replay attack uses a packet sniffer to intercept data and then retransmits it. This is the method used in both masquerade attacks and IP packet substitution attacks. Another type of replay attack reuses authentication tokens from an unencrypted web session by sniffing the user's cookies.

To prevent replay attacks, keep software up to date with all security patches applied. Web sessions should use TLS (SSL) to encrypt data. A secure authentication system should also be used, one with anti-replay features (a sequence number, nonce or timestamp covered by the message authentication code) that make every packet unique, so that a captured packet cannot be accepted a second time.
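What "anti-replay features that make every packet unique" looks like in practice, as an added Python example (written for this page; it is not code from the original and not any particular product's implementation). Each message carries a sequence number that is covered by an HMAC, and the receiver keeps an IPsec-style sliding window so that reordered packets are still accepted once but a sniffed packet replayed later is rejected. The key, message layout and window size are assumptions:

```python
"""Authenticated messages with an anti-replay sliding window (added example, not from the
page). The key, message format and window size are assumptions."""
import hashlib
import hmac
import struct
from typing import List, Tuple

KEY = b"example-shared-key-not-for-production"   # assumed pre-shared key
WINDOW = 64                                       # IPsec-style replay window size


def seal(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender: prepend a 32-bit sequence number and append HMAC-SHA256 over both."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Verifies the MAC, then rejects sequence numbers already seen or too old."""

    def __init__(self, key: bytes = KEY, window: int = WINDOW) -> None:
        self.key = key
        self.window = window
        self.highest = 0          # highest sequence number accepted so far
        self.seen = 0             # bitmap: bit i set = (highest - i) already accepted

    def open(self, msg: bytes) -> Tuple[bool, str, bytes]:
        body, tag = msg[:-32], msg[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac", b""          # forged or corrupted; check this first
        seq = struct.unpack(">I", body[:4])[0]
        if seq > self.highest:                    # newest packet so far: slide the window
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True, "ok", body[4:]
        offset = self.highest - seq
        if offset >= self.window:
            return False, "too old", b""          # fell off the window: cannot tell, reject
        if self.seen & (1 << offset):
            return False, "replay", b""           # already accepted this sequence number
        self.seen |= 1 << offset                  # late but genuine: accept exactly once
        return True, "ok", body[4:]


def demo() -> List[str]:
    """Scripted exchange: genuine traffic, a sniffed-and-replayed packet, a late packet,
    a forged MAC and a packet that has aged out of the window."""
    rx = Receiver()
    results = []
    m1, m2 = seal(1, b"login alice"), seal(2, b"transfer 10")
    results.append(rx.open(m1)[1])                 # ok
    results.append(rx.open(m2)[1])                 # ok
    results.append(rx.open(m2)[1])                 # replay of a sniffed packet
    results.append(rx.open(seal(5, b"x"))[1])      # ok (3 and 4 lost or reordered)
    results.append(rx.open(seal(3, b"late"))[1])   # ok: late but never seen before
    results.append(rx.open(seal(3, b"late"))[1])   # replay
    forged = m2[:-1] + bytes([m2[-1] ^ 1])         # attacker flips one bit of the MAC
    results.append(rx.open(forged)[1])             # bad mac
    results.append(rx.open(seal(200, b"y"))[1])    # ok, window slides far ahead
    results.append(rx.open(seal(5, b"x"))[1])      # too old
    return results


if __name__ == "__main__":
    print(demo())
```

Without the sequence number inside the authenticated body, a sniffed packet with a valid MAC could be resent at will; with it, the receiver can tell a duplicate from a merely delayed packet. Where packets have no natural ordering, a fresh nonce from the receiver or a timestamp with a tight clock tolerance serves the same purpose.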

In a TCP/IP session hijacking attack, the attacker takes over an established session between two hosts that are already communicating. The attacker impersonates one of the hosts, usually a client communicating with a server, and disconnects the legitimate client. The attack is launched as a man-in-the-middle attack and uses ARP cache poisoning. The victim believes it is still communicating with the server, but it is now connected to the attacker instead.

Unencrypted TCP protocols such as FTP, Telnet and plain HTTP are vulnerable to TCP/IP session hijacking. The attacker sniffs the session to learn the sequence numbers that synchronise it between the two nodes. In a TCP session the sequence number advances by the number of bytes sent, which guarantees that data are processed in the proper order at the receiving end. The attacker predicts the next sequence numbers and prevents the legitimate client from sending packets that would advance them. The attacker then disconnects the client and takes its place using a spoofed client address, poisoning the ARP cache on the server or using ICMP redirects to route the server's replies to the attacker's own computer.

Attackers often use the Linux tool Hunt to monitor traffic on the Ethernet segment; it sniffs packets after putting the attacker's network card into promiscuous mode. Hunt has an "arp/simple hijack" option that sends three ARP packets binding the victim's IP address to the attacker's MAC address. Any packets originally intended for the victim's IP address are then delivered to the attacker's computer instead.

To protect the network from such attacks, encrypted transport protocols such as IPsec, SSH and TLS (SSL) should be used. They negotiate session keys dynamically and provide authenticated, encrypted channels, so a hijacker who does not hold the keys cannot inject valid traffic. Digital signatures can also be used to make it harder for an attacker who has obtained session keys to hijack a session.

Protocols continually evolve as new techniques are discovered and communication needs are identified. Development effort and usage shift to the new protocols and the old ones are forgotten, but not by attackers. Antiquated protocols are a popular means of attacking systems: network administrators may fail to remove support for obsolete protocols, leaving the network vulnerable as attackers discover new flaws in them. Some examples of antiquated protocols are:

  • Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX): a proprietary protocol suite developed by Novell for its NetWare NOS product line. NetWare now uses TCP/IP natively, so unless very old NetWare systems must be supported, IPX/SPX support should be removed from servers and clients.

  • NetBIOS Extended User Interface (NetBEUI): the transport underlying early networking products from IBM, Novell and Microsoft. These vendors moved to NetBIOS over TCP/IP (NBT) as an interim step towards the current state, in which NetBEUI is eliminated completely. NetBEUI is needed only to communicate with very old Windows clients in a peer-to-peer network.

  • AppleTalk: developed by Apple as a simple, self-configuring networking system for the Macintosh platform, with a layered design modelled on the OSI Reference Model. Apple has since replaced it with native TCP/IP networking.

Spoofing refers to impersonating someone else. Presenting credentials that do not belong to oneself in order to gain access to a system is spoofing the system. There are various types of spoofing attack, such as:

  • IP address spoofing: TCP/IP packets generated by the attacker with the source address of a trusted host are used to gain access to a victim. This lets the attacker bypass address-based filters on routers and firewalls. It can be countered by disabling source routing on routers and by filtering out packets arriving from outside that carry a local-network source address.

    • ARP poisoning

    • Web spoofing

    • DNS spoofing

The phases of an IP address spoofing attack are:

Phase 1: The attacker identifies a target victim and a machine that the victim trusts. The attacker disables the trusted machine's ability to communicate by SYN flooding it.

Phase 2: Using a sniffer, sampled packets or some other method, the attacker determines the sequence numbers the victim uses in its communications. The attacker then spoofs the trusted host's source IP address and sends their own packets to the victim.

Phase 3: The victim accepts and responds to the spoofed packets. Although the responses are routed to the trusted host, it cannot process them because of the SYN flood.

Phase 4: The attacker guesses the content of the victim's response, works out what the next sequence number should be, and sends the next packet with the spoofed source address, continuing the exchange without ever seeing the victim's replies.

ARP sends out ARP request packets to obtain a computer's MAC address when its IP address is known. The result is stored in the computer's ARP cache table. ARP poisoning corrupts that table so that the attacker can redirect traffic to another computer's MAC address in order to carry out a network attack. The attacker needs to be on the same local network as the computers being targeted.

The attacker sends forged ARP replies so that the compromised computer sends its network traffic to the attacker's computer. The user of the compromised computer will not be aware that anything is wrong, while the attacker receives all of their network traffic, which might include clear-text passwords or the setup of a supposedly secure Internet session.

The attacker can use ARP poisoning to launch a DoS attack or a man-in-the-middle attack. A related attack, MAC flooding, fills the switch's MAC address (CAM) table with bogus entries; once the table is full the switch can no longer learn which port a destination is on and floods frames out of every port like a hub, so traffic can be sniffed from any port.

On small networks, ARP poisoning can be prevented by using static IP addresses and static ARP tables. On larger switched networks, the port security feature can be enabled, allowing only a fixed MAC address (or a small number of them) on each physical port, and Dynamic ARP Inspection can drop ARP replies that do not match the switch's DHCP snooping binding table. Tools such as arpwatch or XArp can alert on unusual ARP activity on the network.
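The kind of check arpwatch performs, as an added Python example run over a constructed ARP capture (this is illustrative code written for this page, not arpwatch's own code and not from the original). It learns IP-to-MAC bindings, flags replies that nobody asked for, flags a binding that changes, and flags one MAC that starts answering for more than one IP, which is exactly the pattern the three-packet "arp/simple hijack" described earlier produces. All addresses are invented placeholders:

```python
"""An arpwatch-style monitor run over constructed ARP frames (added example, not from
the page). MAC and IP values are invented placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

REQUEST, REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    t: float           # seconds since start of capture
    op: int            # REQUEST or REPLY
    sender_mac: str
    sender_ip: str
    target_ip: str


class ArpWatch:
    """Learns IP->MAC bindings and flags the patterns ARP poisoning produces."""

    def __init__(self, reply_window: float = 2.0) -> None:
        self.table: Dict[str, str] = {}          # ip -> mac as seen on the wire
        self.asked: Dict[str, float] = {}        # ip we saw a request for -> time asked
        self.reply_window = reply_window
        self.alerts: List[str] = []

    def observe(self, f: ArpFrame) -> None:
        if f.op == REQUEST:
            self.asked[f.target_ip] = f.t        # somebody legitimately wants this IP
            self._learn(f, f.sender_ip, f.sender_mac)
            return
        # A reply nobody asked for (or long after the question) is the attacker's tool.
        t_req = self.asked.pop(f.sender_ip, None)
        if t_req is None or f.t - t_req > self.reply_window:
            self.alerts.append(f"{f.t:5.1f} unsolicited reply: {f.sender_ip} is-at {f.sender_mac}")
        self._learn(f, f.sender_ip, f.sender_mac)

    def _learn(self, f: ArpFrame, ip: str, mac: str) -> None:
        old = self.table.get(ip)
        if old == mac:
            return                               # nothing new
        if old is not None:
            self.alerts.append(f"{f.t:5.1f} changed ethernet address: {ip} {old} -> {mac}")
        self.table[ip] = mac
        owned = sorted(i for i, m in self.table.items() if m == mac)
        if len(owned) > 1:                       # one NIC now claims several hosts
            self.alerts.append(f"{f.t:5.1f} one MAC {mac} now answers for {', '.join(owned)}")


def analyze(frames) -> Tuple[List[str], Dict[str, str]]:
    w = ArpWatch()
    for f in frames:
        w.observe(f)
    return w.alerts, dict(w.table)


# Constructed capture: a victim, its gateway and an attacker on one segment.
GATEWAY, VICTIM, ATTACKER = "192.0.2.1", "192.0.2.20", "192.0.2.66"
GW_MAC, VICTIM_MAC, ATTACKER_MAC = "00:00:5e:00:01:01", "52:54:00:aa:bb:20", "52:54:00:de:ad:66"
CAPTURE = [
    ArpFrame(0.0, REQUEST, VICTIM_MAC, VICTIM, GATEWAY),      # victim: who has the gateway?
    ArpFrame(0.1, REPLY, GW_MAC, GATEWAY, VICTIM),            # gateway answers normally
    ArpFrame(1.0, REQUEST, ATTACKER_MAC, ATTACKER, GATEWAY),  # attacker's host, behaving
    ArpFrame(1.1, REPLY, GW_MAC, GATEWAY, ATTACKER),
    # Hunt-style hijack: three unsolicited replies binding the victim's IP to the attacker's MAC
    ArpFrame(5.0, REPLY, ATTACKER_MAC, VICTIM, GATEWAY),
    ArpFrame(5.1, REPLY, ATTACKER_MAC, VICTIM, GATEWAY),
    ArpFrame(5.2, REPLY, ATTACKER_MAC, VICTIM, GATEWAY),
]


if __name__ == "__main__":
    alerts, table = analyze(CAPTURE)
    print("\n".join(alerts))
    print(table)
```

The "changed ethernet address" line is the one arpwatch users know best; the "unsolicited reply" and "one MAC answers for several IPs" checks are what separate a real attack from a host that simply got a new network card. Dynamic ARP Inspection does the same comparison inside the switch, against DHCP snooping bindings rather than a learned table, and drops the bad reply instead of just alerting.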

Phishing commonly relies on web spoofing. Users are tricked into visiting a web site that looks like the official, legitimate site, but the attacker has created the page to dupe the victim into providing information such as login details, credit card details or other personal information. An attacker may use a man-in-the-middle attack or DNS spoofing to get the user to their site instead of the real one.

For man-in-the-middle web spoofing, the attacker rewrites the URLs in a web page to point at his or her own server. The site request passes through the attacker's computer on the way to the real site, and the page returned by the real server passes back through the attacker's computer on the way to the victim's browser.

With DNS spoofing, the user is shown what appears to be the legitimate web site they requested, but it is actually a fake site created by the attacker, because the site's name was resolved to the attacker's computer.

Users can be more alert by watching out for sites with misspellings, poor grammar or other indicators that the site is not authentic.

Users can also disable JavaScript, Java applets and ActiveX in their browsers; alternatively, the phishing filters built into web browsers can be enabled.

In DNS spoofing, a DNS query made by the victim for the legitimate site is answered with the address of a server set up by the attacker. In DNS cache poisoning, the cache of the victim's DNS server is corrupted: the attacker registers their own domain and runs a DNS server for it, and uses that server to change the cached mapping for the real site's name from its real IP address to the attacker's server IP address.

To poison the cache, the attacker asks the victim's DNS server to resolve a name in the attacker's domain. Since that server does not know the answer, it sends a query to the attacker's DNS server, which replies with the answer plus additional records mapping the target site's name to the attacker's address. A resolver that does not check that additional records fall within the bailiwick of the domain it asked about caches them, and the poisoned entry persists until the cache is cleared or the record expires. (This is not a zone transfer; a zone transfer is the separate mechanism by which a secondary server copies a whole zone from a primary.)

A request for the web site now sends users to the attacker's site, where a web server is running. Alternatively, the attacker could forward packets to the legitimate site so that they pass through the attacker's system on the way.

Another DNS spoofing technique is DNS ID spoofing. The attacker uses a sniffer to intercept DNS requests and read the 16-bit transaction ID. A fake reply is sent with the correct ID (and to the correct source port) but with the IP address of the attacker's computer. The user believes they are communicating with the server they requested, but they are in fact communicating with the attacker. An attacker who cannot sniff the request can still try to guess the ID, which is why resolvers now also randomise the source port of every query.

DNS spoofing can be mitigated by running the latest DNS software with security patches applied. All DNS servers in an organisation should have auditing enabled, and security systems should not rely on DNS alone for authentication decisions. In addition, the cache size and the TTLs honoured should be limited so that records are not held for too long.

Using secure, encrypted connections with certificate validation will hinder an attacker, since a redirected client then notices that the wrong server answered. A DNS server can also be configured to secure its cache against poisoning, which puts filters in place to reject out-of-bailiwick records, and DNSSEC lets a resolver verify that an answer was signed by the zone owner.
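A toy stub resolver, as an added Python example (written for this page; not code from the original and not any real resolver's implementation), that reproduces the two attacks described above and the checks that stop them: additional-record poisoning from the attacker's own authoritative server, which a bailiwick check defeats, and blind transaction-ID guessing, which a fixed source port makes feasible and a randomised one does not. A sniffing attacker who reads the ID and port off the wire is in the same position as the attacker's authoritative server in the first function. Names, addresses, the seed and the simplified "zone = last two labels" rule are assumptions:

```python
"""Toy resolver showing additional-record poisoning, bailiwick checking, transaction-ID
guessing and source-port randomisation (added example, not from the page)."""
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ATTACKER_IP = "203.0.113.66"
TARGET = "www.bank.example"


@dataclass(frozen=True)
class Query:
    txid: int
    sport: int
    qname: str


@dataclass(frozen=True)
class Response:
    txid: int
    dport: int                                   # the resolver's source port, echoed back
    qname: str
    answer: Tuple[str, str]                      # (name, address)
    additional: Tuple[Tuple[str, str], ...] = ()


def zone_of(name: str) -> str:
    return ".".join(name.split(".")[-2:])        # simplification: zone = last two labels


def in_bailiwick(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self, seed: int, random_port: bool, bailiwick_check: bool) -> None:
        self.rng = random.Random(seed)
        self.random_port = random_port
        self.bailiwick_check = bailiwick_check
        self.outstanding: Dict[Tuple[int, int], Query] = {}
        self.cache: Dict[str, str] = {}

    def send(self, qname: str) -> Query:
        txid = self.rng.randrange(1 << 16)                                   # 16-bit ID
        sport = self.rng.randrange(1024, 65536) if self.random_port else 53  # old: fixed port
        q = Query(txid, sport, qname)
        self.outstanding[(txid, sport)] = q
        return q

    def receive(self, r: Response) -> bool:
        """Accept a response only if it matches an outstanding (txid, port, name)."""
        q = self.outstanding.get((r.txid, r.dport))
        if q is None or q.qname != r.qname:
            return False
        del self.outstanding[(r.txid, r.dport)]
        self.cache[r.answer[0]] = r.answer[1]
        for name, addr in r.additional:
            if self.bailiwick_check and not in_bailiwick(name, zone_of(q.qname)):
                continue                                                     # ignore it
            self.cache[name] = addr
        return True


def poison_via_additional(bailiwick_check: bool) -> Optional[str]:
    """The attacker's authoritative server answers a query for its own domain and
    piggybacks a bogus record for the target site. Returns what got cached for it."""
    res = Resolver(seed=1, random_port=True, bailiwick_check=bailiwick_check)
    q = res.send("www.attacker.example")           # the attacker's server sees this query,
    res.receive(Response(q.txid, q.sport, q.qname,  # so txid and port are known to it
                         answer=(q.qname, ATTACKER_IP),
                         additional=((TARGET, ATTACKER_IP),)))
    return res.cache.get(TARGET)


def blind_txid_guess(random_port: bool) -> bool:
    """DNS ID spoofing without sniffing: forge a reply for every possible ID on port 53,
    racing the genuine answer. Succeeds only if the port was guessed too."""
    res = Resolver(seed=1, random_port=random_port, bailiwick_check=True)
    res.send(TARGET)
    for txid in range(1 << 16):
        if res.receive(Response(txid, 53, TARGET, answer=(TARGET, ATTACKER_IP))):
            break
    return res.cache.get(TARGET) == ATTACKER_IP


if __name__ == "__main__":
    print("no bailiwick check:", poison_via_additional(False))
    print("with bailiwick check:", poison_via_additional(True))
    print("fixed port 53, guess all IDs:", blind_txid_guess(False))
    print("random source port:", blind_txid_guess(True))
```

With the port fixed, 65,536 forged replies cover the whole ID space; with a random port in the 1024-65535 range the search space is roughly 65,536 times larger, which is why port randomisation, not a longer ID, was the practical fix. Neither check helps against an attacker who can read the query on the wire, which is the case DNSSEC or an authenticated transport has to cover.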

2. Network Devices and Security

a) The OSI Reference Model and Networking Devices

From a security perspective, the major benefit of a switch over a hub is the separation of collision domains, which limits the possibility of easy sniffing. A switch gives every port its own collision domain, so a packet sniffer sees only traffic addressed to its own port (plus broadcasts and flooded frames). Modern switches have two main security features:

  • Access Control Lists (ACLs): control network access. An ACL is a list of permitted (or denied) addresses. When a switch receives a packet, it compares the addresses in the packet with those in the ACL and acts accordingly. Switch ACLs operate at either the Data Link layer or the Network layer, depending on whether they match MAC or IP addresses.

  • Virtual Local Area Networks (VLANs): virtual network segments created by a Data Link layer switch. Nodes on the same physical segment can be configured to behave as if they were on separate segments, and physical segments in different places can be made to appear as a single segment. Traffic between virtual segments can be restricted or permitted, so nodes can share the same physical network while being logically separated and protected from each other. Broadcasts are confined to a VLAN: a broadcast on one virtual segment is not transmitted to others, which reduces overall traffic and lets subsets of nodes communicate more efficiently. VLANs are often used with VoIP telephony, with distinct VLANs for voice and data traffic so that each is isolated and protected from the other; for instance, during a DoS attack against a data server the VoIP phones should continue to operate. In most cases companies select switches built specifically for VoIP in order to use additional features such as bandwidth management and QoS controls.

Since ACLs control network access and VLANs cluster users into smaller groups, the damage from a compromise decreases because an attacker gains access only to a specific VLAN rather than the entire internal network.

Packet switching is a process in which data transmissions are split into multiple packets, each of which may be sent along a different route. At the destination, the packets are reassembled to form the complete message. Some important characteristics of packet-switched networks are as follows:

  • Packets are small and quick to deliver: while a packet is being transmitted it occupies the link, but an instant later the link is free for other computers that need to communicate. This lets many devices share the same network and its available bandwidth.

  • Packets don't always take the same route: routers and other internetworking devices are free to choose the best route based on distance, utilisation and transmission speed.

  • Routes are defined after data transmission begins: routers determine the route for each packet after the source computer begins transmitting. Typically there is no route reservation as in circuit-switched networks. Packet-switched networks are well suited to providing shared access to a common transmission medium, and they offer fault tolerance because several routes between devices can be used.

When a packet leaves the sender, it traverses one or more routers before arriving at its destination. If the destination node is not on a network directly connected to the first router, that router does not send the packet straight to the destination; instead, each router along the path moves the packet closer by forwarding it to the next router.

Each router must forward a packet via the best available route. To choose a route, routers use one of four main techniques:

  • Manually configured routing tables: the network administrator defines the routes by configuring the list of networks reachable through each interface or next hop. Manual configuration is time consuming and error-prone, so nearly all routers now support dynamic methods of selecting routes.

  • Distance-vector algorithms: fast and efficient for small networks within one autonomous system, but they do not scale well and cannot be used for routing on large networks or the Internet. Routers assign a cost to each link and periodically exchange their distance vectors with neighbours. RIP and IGRP are examples of distance-vector protocols.

  • Link-state algorithms: routers build a map of the network showing how nodes are connected. The map includes link cost and availability and is built from data shared by every router. When a router receives a packet, it consults the map to determine the best next hop. When link-state data changes, routers flood the update to all other routers until the information has traversed the entire network. As with distance-vector algorithms, link-state algorithms are most efficient within a single autonomous system; most link-state protocols (OSPF and IS-IS are examples) cannot support Internet-scale routing.

  • Path-vector protocols: designed to interconnect autonomous systems. A speaker router in each domain shares its routing data with speaker routers in other domains, but instead of node-level connectivity it shares large-scale path (AS path) information. Path-vector protocols scale to the largest networks; BGP is the path-vector protocol used on the Internet.

NAT routers ensure that inbound and outbound packets reach the correct destination while hiding internal addresses from external networks: internal hosts cannot be reached unless the NAT device translates for them. Unless an internal node has initiated a communication session, external devices cannot find or communicate with internal devices because of the translated addressing scheme.

There are two main reasons for using NAT:

  • Availability of addresses: regional Internet registries such as ARIN (for North America) assign the IP addresses that can be used directly on the Internet. A service provider has to apply and pay for address ranges and justify the request. NAT lets an organisation use a private range of addresses internally rather than requesting public addresses for each new block of devices.

  • Security: using private addresses inside an organisation makes it harder for attackers and automated malware on the Internet to discover and compromise internal systems (although NAT is not a substitute for a firewall).

In some cases, PAT devices supplement NAT devices and enhance security. For instance, NAT is used to hide the true IP addresses of various internal servers, and PAT makes the services running on those servers available to the public via a single shared IP address and differing ports. These devices are usually routers or firewalls that perform NAT functions, mapping multiple private internal IP addresses to a single public external IP address. PAT devices use port numbers to distinguish between internal hosts sharing the single address; the port number identifies which host and application should receive and process the packet.
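The translation table behind the NAT and PAT behaviour described above, as an added Python example (written for this page; not from the original and not any router's implementation). It shows two internal hosts sharing one public address, a reply being mapped back to the right host, an unsolicited inbound packet finding no mapping, and a static mapping that publishes one internal server. Addresses and ports are assumptions:

```python
"""A port address translation table (added example, not from the page). Addresses and
ports are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]        # (src ip, src port, dst ip, dst port)


@dataclass
class PatRouter:
    public_ip: str
    static: Dict[int, Tuple[str, int]] = field(default_factory=dict)   # public port -> (host, port)
    next_port: int = 1024
    out_map: Dict[Flow, int] = field(default_factory=dict)             # internal flow -> public port
    # (public port, remote ip, remote port) -> (internal host, internal port)
    in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> Flow:
        """Rewrite an internal packet's source to the shared public address and a unique port."""
        flow = (src, sport, dst, dport)
        pport = self.out_map.get(flow)
        if pport is None:                                   # first packet of a new session
            pport = self._allocate()
            self.out_map[flow] = pport
            self.in_map[(pport, dst, dport)] = (src, sport)  # remember how to route the reply
        return (self.public_ip, pport, dst, dport)

    def inbound(self, src: str, sport: int, dport: int) -> Optional[Flow]:
        """Deliver a packet addressed to the public IP, or None if nothing maps it."""
        target = self.in_map.get((dport, src, sport))       # reply to a session we opened
        if target is None:
            target = self.static.get(dport)                  # a deliberately published service
        if target is None:
            return None                                      # unsolicited: there is nowhere to send it
        host, hport = target
        return (src, sport, host, hport)

    def _allocate(self) -> int:
        while self.next_port in self.static:                 # never reuse a published port
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port


def demo() -> dict:
    nat = PatRouter("198.51.100.1", static={443: ("10.0.0.20", 443)})
    # Two internal hosts happen to pick the same source port towards the same server.
    a = nat.outbound("10.0.0.5", 5000, "203.0.113.9", 80)
    b = nat.outbound("10.0.0.6", 5000, "203.0.113.9", 80)
    return {
        "a": a,
        "b": b,
        "reply_a": nat.inbound("203.0.113.9", 80, a[1]),      # server's reply to host A
        "probe": nat.inbound("203.0.113.8", 80, a[1]),        # other host reusing A's port
        "unsolicited": nat.inbound("203.0.113.9", 80, 40000), # no session, no mapping
        "published": nat.inbound("203.0.113.77", 51515, 443), # static map to the web server
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} {v}")
```

Both internal hosts leave the router as 198.51.100.1 with different ports, so the server's replies can be told apart; a packet that matches neither a session the inside opened nor a static mapping is simply undeliverable, which is the "security" property of NAT. The static entry is the PAT case from the text: one public port published for one internal server, and that server is now exposed exactly as if it had a public address of its own.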

 b) Firewalls and Device Security

A firewall is a device that controls traffic between networks. Typically it sits between a public network and a private internal network. Firewalls examine network traffic and permit or block transmission based on rules set by the network administrator.

Primarily, all firewalls protect networks using one or more of the following techniques:

  • Network Address Translation (NAT)

  • Basic packet filtering

  • Stateful Packet Inspection (SPI)

  • Access Control Lists (ACLs)

Depending on the features required, firewalls operate at one of two layers of the TCP/IP protocol stack.

Network layer: network-layer firewalls operate at the Internet (network) layer of the TCP/IP stack. Stateless packet filters examine IP addresses and ports in each packet in isolation to decide whether to pass it. Stateful packet filters (SPI) track outbound and inbound traffic by watching addresses, ports and connection state, so they can tell whether a packet belongs to an existing connection or starts a new one.

Application layer: an application-layer firewall can interpret the data carried in packets and enforce more complex rules. For instance, it might determine that an inbound packet carries an HTTP request and is destined for a permitted address and port; such a packet is passed, whereas packets carrying other protocols or going to other addresses might be blocked.
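The difference between a stateless and a stateful network-layer filter, as an added Python example (written for this page; not code from the original or from any firewall product). The same constructed packets are judged by a stateless "allow anything with ACK set" rule, which is how classic router ACLs approximated "established" traffic, and by a filter that tracks connections. The internal prefix, the single published service and the traffic sample are assumptions:

```python
"""Stateless versus stateful packet filtering over constructed traffic (added example,
not from the page). Prefix, published services and packets are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

INTERNAL = ipaddress.ip_network("192.0.2.0/24")
PUBLISHED = {25}                            # inbound services we intentionally expose
Conn = Tuple[str, int, str, int]            # (client ip, client port, server ip, server port)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]                   # subset of {"SYN", "ACK", "FIN", "RST"}

    @property
    def inbound(self) -> bool:
        return (ipaddress.ip_address(self.dst) in INTERNAL
                and ipaddress.ip_address(self.src) not in INTERNAL)


def stateless(p: Pkt) -> bool:
    """Classic ACL: allow inbound only to published ports, or any packet with ACK set,
    on the theory that only replies carry ACK. Each packet is judged on its own."""
    if not p.inbound:
        return True
    if p.dport in PUBLISHED:
        return True
    return "ACK" in p.flags


class Stateful:
    """Allows inbound packets only if they belong to a connection the table knows about."""

    def __init__(self) -> None:
        self.table: Set[Conn] = set()

    def decide(self, p: Pkt) -> bool:
        if not p.inbound:
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.table.add((p.src, p.sport, p.dst, p.dport))   # new outbound connection
            return True
        if (p.dst, p.dport, p.src, p.sport) in self.table:        # reply to a tracked connection
            return True
        if "SYN" in p.flags and "ACK" not in p.flags and p.dport in PUBLISHED:
            self.table.add((p.src, p.sport, p.dst, p.dport))       # accepted inbound session
            return True
        return False                                               # anything else, e.g. an ACK probe


# Constructed traffic sample.
TRAFFIC: List[Pkt] = [
    Pkt("192.0.2.10", 40001, "203.0.113.5", 443, frozenset({"SYN"})),          # client opens HTTPS
    Pkt("203.0.113.5", 443, "192.0.2.10", 40001, frozenset({"SYN", "ACK"})),   # server's reply
    Pkt("198.51.100.9", 80, "192.0.2.10", 22, frozenset({"ACK"})),             # ACK scan of SSH
    Pkt("198.51.100.9", 80, "192.0.2.10", 445, frozenset({"ACK"})),            # ACK scan of SMB
    Pkt("198.51.100.9", 51000, "192.0.2.25", 25, frozenset({"SYN"})),          # legitimate inbound SMTP
    Pkt("198.51.100.9", 51000, "192.0.2.25", 22, frozenset({"SYN"})),          # SSH connection attempt
]


def compare(traffic: List[Pkt] = TRAFFIC) -> List[Tuple[bool, bool]]:
    """(stateless verdict, stateful verdict) for each packet, in order."""
    fw = Stateful()
    return [(stateless(p), fw.decide(p)) for p in traffic]


if __name__ == "__main__":
    for p, (sl, sf) in zip(TRAFFIC, compare()):
        print(f"stateless={sl!s:5} stateful={sf!s:5}  {p}")
```

Packets 3 and 4 are the point: an attacker can set the ACK bit on anything, so the stateless filter lets the probes through to ports 22 and 445 (and the replies, RSTs or silence, tell the scanner which ports are filtered), while the stateful filter rejects them because no tracked connection matches. Both filters agree on the genuine reply in packet 2 and on the published SMTP session.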

A proxy server is a type of firewall that services requests on behalf of clients. A client's request goes to the proxy server, which then sends the request to the remote server on the client's behalf. Before sending the packet, the proxy replaces the original sender's address and other identifying information with its own. When a response arrives, the proxy looks up the original sending node, rewrites the incoming packet accordingly and forwards it to the client. Like a NAT device, a proxy server masks internal IP addresses and blocks unwanted inbound traffic. Many proxy servers also cache content, so the contents of frequently requested web pages can be served from the proxy rather than by sending requests across the WAN link.

Network devices are a common target for attackers, who try to gain virtual or physical access to a device, disrupt the network, or gain access to the data being transmitted. Network devices present three main vulnerability points:

  • Built-in management interfaces: network devices include management interfaces so that they can be monitored and configured without physical access. Attackers might attempt to log on with default account credentials in order to gain elevated privileges and take control of a device.

  • Firmware and operating system weaknesses: built-in vulnerabilities, usually the result of mistakes or oversights by the manufacturer, that are often found only after a device has been released and is in use. Most vendors release firmware or software updates to fix problems as they are identified. Attackers can use these mistakes, or "back doors" (access paths left open when the device software was created), to get in.

  • Physical attack susceptibility: someone could simply steal a network device in order to work on bypassing its data security controls, but attackers are more likely to try to reconfigure a device to block traffic or permit unwanted communications. Another form of physical susceptibility is access to the communication media, which can lead to eavesdropping or even network hijacking.

Switch hijacking occurs when an unauthorized person obtains administrator privileges on a switch and can modify its configuration. Once a switch is compromised, an attacker could:

  • Change the administrator password on the switch

  • Turn off ports to critical systems

  • Reconfigure VLANs so that systems that should be isolated from each other can communicate

  • Configure the switch to bypass a firewall

 There are two common ways to obtain unauthorized access to a switch:

Trying default passwords: most switches ship with multiple accounts that have default passwords or no passwords at all. Most administrators change the administrator password for the Telnet and serial console accounts, but they might not change the SNMP community strings that provide remote access to the switch. If the default community strings (typically "public" for read and "private" for write) are not changed or disabled, attackers might be able to obtain a great deal of information about the network or, with the write string, gain total control of the switch.

Sniffing a switched network: hackers can try to sniff the network to obtain the administrator password when it is entered via unencrypted protocols such as Telnet, SNMP and HTTP.

BGP is susceptible to prefix hijacking, in which a rogue router with a modified routing table is placed on the network. When packets are sent via that router, they are either dropped or sent to the wrong destinations.

In bus topology networks, stations are connected to a network backbone via vampire taps. Although vampire taps are rarely used in modern networks, where broadband copper backbones are used to span long distances they could still be susceptible to physical attack via vampire taps.

In the case of Wi-Fi hijacking, a hacker configures their computer to present itself as a wireless router. An end user might connect to the hacker’s computer by mistake, enabling the hacker either to intercept the communication or even to access the victim’s files.

Network administrators need to take specific actions to protect a network against attacks that exploit network device weaknesses. Such attacks can be prevented by:

  • Changing default passwords

  • Disabling unwanted features, protocols and options

  • Applying firmware and software updates regularly

  • Monitoring physical and virtual access to devices
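As an added illustration (not part of the original notes), the following Python script audits a constructed, IOS-style switch configuration for the weaknesses described above: default SNMP community strings, cleartext management protocols such as Telnet and HTTP, and accounts still carrying default passwords. The sample configuration, the command syntax it parses and the lists of default values are assumptions made for this example.

```python
import re
from typing import List

# Constructed, IOS-style management configuration used only as sample input
# (not taken from any real device).
SAMPLE_CONFIG = """\
hostname core-sw1
ip http server
snmp-server community public RO
snmp-server community n3tops-Ro RO 10
username admin privilege 15 password 0 admin
line vty 0 4
 transport input telnet ssh
line con 0
 password cisco
"""

DEFAULT_COMMUNITIES = {"public", "private"}       # well-known vendor defaults
DEFAULT_SECRETS = {"admin", "cisco", "password"}   # assumed list of common default passwords


def audit_config(config: str) -> List[str]:
    """Return one finding per weakness found; an empty list means the checks passed."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        # SNMP: default community string, or a community with no access-list on it
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", line)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community '{community}' ({mode or 'RO'}): change or disable it")
            elif acl is None:
                findings.append(f"SNMP community '{community}' is not restricted by an access-list")
            continue
        # Cleartext management protocols
        if line == "ip http server":
            findings.append("cleartext HTTP management enabled: disable it or use HTTPS only")
            continue
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append("Telnet accepted on terminal lines: use 'transport input ssh'")
            continue
        # Local accounts and line passwords left at a default value
        m = re.match(r"username (\S+) .*password(?: \d)? (\S+)$", line)
        if m and m.group(2).lower() in DEFAULT_SECRETS:
            findings.append(f"account '{m.group(1)}' still has a default password")
            continue
        m = re.match(r"password (\S+)$", line)
        if m and m.group(1).lower() in DEFAULT_SECRETS:
            findings.append("line password is a well-known default value")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```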

 3. Network Security

a) Secure Network Topology

Designing a secure network involves accounting for both internal and external threats and risks. A risk is represented by any uncontrolled network connected directly or indirectly to an organisation. To alleviate risks, security professionals create security zones that divide the network into areas with different levels of trust: trusted, semi-trusted and untrusted. Security zones can be created by placing all publicly accessed servers in one zone and restricted-access servers in another. Both zones can then be separated from the external network using firewalls.

Networks are commonly divided into three main zones:

  • Intranet or private network: is fully controlled by the organisation and is trusted.

  • Perimeter network: separates the intranet from the external network. It is also known as Demilitarized Zone (DMZ). This is often used for larger networks or when access to internal systems is regularly needed.

  • Extranet or public network: small networks such as SOHO or small business networks are often directly connected to the Internet. These direct connections are provided by an ISP. Such connections should always be secured through the use of a firewall.

The intranet typically contains confidential or proprietary information relevant to the organisation. Consequently, access to it is restricted to internal employees only. The private internal LANs are protected from the other security zones by one or more firewalls, which restrict incoming traffic from both the public network and the DMZ. Moreover, in order to prevent intrusion, intranets use private address spaces which are not routable on the Internet.

Additional security measures include:

  • Installing antivirus software

  • Removing unnecessary services from mission-critical systems

  • Auditing critical systems’ configuration and resources

  • Subnetting to divide the intranet into distinct segments and then isolating unrelated traffic

A DMZ isn’t a direct part of either the private or the public network; instead it is an additional network between the two. Computers in the DMZ are accessible to nodes on both the Internet and the intranet. Typically, computers within the DMZ have limited access to nodes on the intranet, and direct connections into the internal network are blocked. A DMZ can be set up in the following ways:

  • Screened host: here a router filters all traffic to the private intranet but allows full access to the computer in the DMZ. The IP address of the DMZ host is defined in the router configuration, and that host is then allowed full Internet access, while the other computers on the network are protected behind the router’s firewall.

  • Bastion host: is the computer that stands outside the intranet and shields it from attack. A bastion host uses two network cards – one for the DMZ and one for the intranet. Bastion hosts are also known as dual-homed hosts or dual-homed firewalls. Network communication isn’t usually allowed between the two network interfaces of a bastion host server. However, if it is allowed, the bastion host must act as the proxy server to the network. With this configuration, only one host – the bastion host – can be directly accessed from the public network.

  • Three-homed firewall: here, the entry point to the DMZ requires three network interfaces. One interface is connected to the Internet, one to the DMZ network and the third to the intranet. Traffic is never allowed to flow directly from the Internet to the private intranet without filtering through the DMZ.

  • Back-to-back firewall: offers one of the best protections for networks. Here, the DMZ network is located between two firewalls: one between the Internet and the DMZ and another between the DMZ and the intranet, each with two network interfaces. In addition, the server within the DMZ has two network cards.

  • Dead zone: refers to a network between two routers that uses a network protocol other than TCP/IP. If a DMZ between two routers uses another protocol such as IPX/SPX, it forms a dead zone. It is the most secure of all DMZ configurations but is expensive: protocol switching must happen at each router for the networks to communicate. This configuration is especially resistant to ping of death and SYN flooding attacks, because these attacks depend on the use of TCP/IP.

Filtering rules can be set up to control the flow of packets between the three zones – intranet, DMZ (perimeter network) and extranet. These rules are configured on firewalls and routers to ensure that unwanted packets are dropped.

The rules can be chosen to:

  • Filter outgoing traffic: Outgoing traffic originating from a DMZ computer can be filtered. Doing this prevents an attack in which a hacker configures a DMZ computer to initiate communications with his/her host. It also prevents DMZ computers from being used as traffic-generating agents in DDoS attacks.

  • Filter incoming traffic: Incoming traffic at the interface between the DMZ and the intranet can be filtered. For instance, in order to block spoofed traffic, all traffic with a source address that does not belong to the DMZ network can be blocked at that interface. The firewall between the DMZ and the extranet can also be configured to filter some incoming traffic, such as permitting only inbound connections to the mail servers while dropping all other uninitiated inbound traffic.

While configuring filter rules, not all outgoing traffic should be denied. There may be legitimate reasons for DMZ computers to initiate communications with remote hosts. For instance, the mail server in the DMZ might contact a remote mail server to deliver messages, or the local DNS server might initiate contact with higher-level DNS servers in order to keep its tables up to date. Make sure that all legitimate data flows are known before configuring a firewall rule that might drop critical data packets.
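The filtering rules described above, worked through as an added Python example that is not part of the original notes: a small first-match packet filter for the three zones with an anti-spoofing check on the arriving interface, inbound access only to the mail server, and the mail and DNS servers as the only DMZ hosts allowed to initiate outbound connections. The address ranges, host addresses and rule names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed address plan (an assumption for this example): private space for the
# intranet, a documentation range for the DMZ; anything else is the extranet.
ZONES = {
    "intranet": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
MAIL_SERVER = "192.0.2.25"  # DMZ mail relay
DNS_SERVER = "192.0.2.53"   # DMZ resolver

def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "extranet"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    iface: str   # zone of the interface the packet arrived on

@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "permit" or "drop"
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    src_host: Optional[str] = None
    dst_host: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet, szone: str, dzone: str) -> bool:
        # A None field is a wildcard; every field that is set must match.
        checks = [(self.src_zone, szone), (self.dst_zone, dzone),
                  (self.src_host, p.src), (self.dst_host, p.dst),
                  (self.proto, p.proto), (self.dport, p.dport)]
        return all(want is None or want == have for want, have in checks)

# Ordered policy for connection-initiating packets: first match wins, unmatched is dropped.
POLICY = [
    Rule("inbound-smtp", "permit", src_zone="extranet", dst_host=MAIL_SERVER, proto="tcp", dport=25),
    Rule("mail-relay-out", "permit", src_host=MAIL_SERVER, dst_zone="extranet", proto="tcp", dport=25),
    Rule("dns-recursion-out", "permit", src_host=DNS_SERVER, dst_zone="extranet", proto="udp", dport=53),
    Rule("intranet-to-dmz", "permit", src_zone="intranet", dst_zone="dmz"),
    Rule("dmz-initiated", "drop", src_zone="dmz"),             # no other flows started from the DMZ
    Rule("uninitiated-inbound", "drop", src_zone="extranet"),  # nothing else from outside
]

def filter_packet(p: Packet) -> Tuple[str, str]:
    """Return (action, rule name) for a packet that starts a new connection."""
    szone, dzone = zone_of(p.src), zone_of(p.dst)
    # Anti-spoofing: the source address must belong to the zone it arrived from.
    if szone != p.iface:
        return "drop", "anti-spoof"
    for rule in POLICY:
        if rule.matches(p, szone, dzone):
            return rule.action, rule.name
    return "drop", "default-deny"

if __name__ == "__main__":
    print(filter_packet(Packet("203.0.113.7", MAIL_SERVER, "tcp", 25, "extranet")))
    print(filter_packet(Packet("192.0.2.80", "198.51.100.9", "tcp", 6667, "dmz")))
```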

Network Access Control (NAC) helps to ensure that computers comply with the company’s security policies. NAC is a process or architecture through which computers are verified to be in compliance with policies before they are permitted to access the network. If a computer falls short, it is brought into compliance before the NAC grants it network access.

Microsoft’s implementation of NAC – Network Access Protection (NAP) – is a new feature of Windows Server 2008. Other implementations of NAC include the Network Admission Control architecture from Cisco and the Trusted Computing Group’s Trusted Network Connect (TNC) system. Vendors such as Microsoft, Juniper, IBM, Computer Associates and Cisco offer NAC components, and these work together to support an overall NAC architecture. For example, IBM’s Tivoli network management system might be the central reporting and management console for other NAC components, such as an antivirus scanner from Computer Associates.

A Virtual Private Network (VPN) is a private communications network that enables secure communication across a public network. With a VPN, TCP/IP communications are encrypted and then packaged within another TCP/IP packet stream.

If a packet on the public network is intercepted along the way, the encrypted contents cannot be read by a hacker. Such encryption of data or packets is typically implemented using Internet Protocol Security (IPSec). IPSec was initially developed for IPv6 but many current IPv4 devices also support it. IPSec enables two types of encryption:

  • Transport encryption: Here, the underlying data in a packet is encrypted and placed within a new packet on the public network.

  • Tunnel encryption: Here, the entire packet including its header is encrypted and then placed in the public network’s packet.

IPSec encryption follows a four-step process:

i) The user opens a VPN connection between their computer and the office network. The office network and the user’s computer, or their respective VPN gateways, execute a handshake and establish a secure connection by exchanging private keys.

ii) The user makes a request for a particular file.

iii) The network begins by breaking the file into packets for transmission. If the VPN is using transport encryption, the packet’s data is encrypted and the packets are sent on their way to the user. If the system is using tunnelling encryption, each packet is encrypted and placed inside another IP envelope with a new address arranged by the VPN gateways.

iv) The packets are sent via the Internet to the user’s VPN device, where the encryption is removed and the file is rebuilt. If the VPN is using tunnelling encryption, the peer VPN gateway forwards the decrypted packets to the appropriate hosts on its LAN.

Using IPSec, a VPN can almost eliminate packet sniffing and identity spoofing because only the sending and receiving nodes hold the keys to encrypt and decrypt the packets.

b) Browser-related Network Security and Virtualisation

Securing the clients on the intranet is a critical task. Currently, one of the biggest vulnerabilities in such computers is the web browser. When users download software or view multimedia content, they open themselves to a wide range of possible attacks. Even just viewing a web page, particularly when it involves entering personal information or logon details, can expose users or their company to the risk of data or financial loss.

Phishing refers to sending email to users to persuade them to visit a fake web site that masquerades as a legitimate destination. Phishing has become very common in recent years and many unsuspecting users have fallen victim to the scam.

IE 7 includes the following features that help safeguard against browser-based vulnerabilities:

  • Phishing Filter: helps users avoid fraudulent web sites that prompt them to enter personal information such as Internet banking details or other login details. This tool can be used to check the web site currently being accessed or to warn of possibly suspicious web sites.

  • Security Zones: offer a method for managing a secure web environment. Security zones can be used to implement an organisation’s Internet security policies by grouping sites together and assigning a security level to each zone. A security zone is a group of web sites that can be separated in order to manage security. By default, IE groups all web sites into a single zone, called the Internet zone, which applies a medium level of security. This allows users to browse web sites securely but warns them before they download potentially unsafe content.

IE includes 4 security zones:

i) The Internet Zone: consists of all web sites that are not included in the other security zones. This zone is set to the medium-high security level by default.

ii) The Local Intranet Zone: includes web sites on an organisation’s intranet. All sites in this zone should be inside the firewall.

iii) The Trusted Sites zone: includes Internet sites designated as trusted. These sites may belong to business partners or reliable public entities. The Trusted Sites zone is assigned the medium security level by default, which enables the web site to perform a wider range of actions.

iv) The Restricted Sites zone: includes all untrusted sites. Sites in this zone are allowed to perform only minimal, very safe actions. This zone is set to the high security level by default, which may cause web pages to malfunction or be displayed incorrectly.

There can be various security levels set for each security zone:

  • Low: the low security level has minimal safeguards and warning prompts. It allows most content to be downloaded. This security level should be applied only to highly trusted sites.

  • Medium-low: the medium-low security level allows most content to be downloaded. This security level should be applied to local intranet sites.

  • Medium: the medium security level provides safe browsing functionality. It prompts the user for confirmation before downloading any potentially unsafe content. It should be applied to local intranet sites.

  • Medium-high: the medium-high security level provides safe browsing functionality. It prompts the user for confirmation before downloading any potentially unsafe content and won’t download any unsigned ActiveX controls. This security level should be applied to all Internet sites.

  • High: the high security level provides the safest level of security. It provides the maximum safeguards and all of the less secure features are disabled. This security level should be applied only to untrusted sites.

It is possible to set custom security settings for a zone using the Security Settings dialog box, opened via Custom level. The Security Settings dialog box contains the Settings list box, which can be used to enable or disable specific security options, including script support, depending on the security policies established by the organisation. The custom level options are grouped into seven main categories:

  • .NET Framework: category enables .NET framework components, including XAML and XPS.

  • .NET Framework-reliant components: category specifies whether to run signed or unsigned components.

  • ActiveX controls and plug-ins: category specifies whether to enable or disable ActiveX controls and components.

  • Downloads: category allows files or font downloads.

  • Miscellaneous: category permits or restricts a wide range of actions.

  • Scripting: category allows scripts to be run.

  • User Authentication: category specifies the method needed to log on to a web site.

Cookies: It is possible to control what sorts of cookies are stored on the computer by web sites in the Internet zone. A cookie is a very small file stored by a web site on the computer. Cookies provide a web site with a way to remember the visit when the site is revisited. Typically, a cookie contains a number or value that uniquely identifies the user. That identifier is matched to a record in the web site’s database, which records information about the user and the user’s visits to the site. For instance, if a widget is purchased from an online store, the web site will likely save a cookie on the user’s computer containing a customer ID number. When the user returns to the web site, it retrieves the cookie, determines the user’s customer ID, looks it up in the database and provides customized information to the user based on the last purchase. The site might also offer related merchandise or store some of the information, such as the user’s address details filled in on the order form.

Cookies generally do not pose a security threat. However, in limited ways cookies represent a threat to the user’s privacy. Most browsers offer options for controlling how cookies are saved on the computer. Most antispyware software scans for cookies and removes those from advertisers or sites known to present potential privacy risks.

IE limits the size of cookies to 4KB, while other browsers impose similar but slightly larger limits. Moreover, the number of cookies stored on a computer for a particular domain is limited. Nowadays, most browsers can store up to 50 cookies per domain.

There are two main groups of cookies:

  • First-party cookies: can be read only by the site that sets them. The site the user visits is the one that sets and uses the cookie. First-party cookies generally don’t pose a threat to a user’s privacy.

  • Third-party cookies: usually appear on web sites that display advertisements, which are hosted on another web site and simply merged into the web page being viewed. Third-party cookies pose a threat to the user’s privacy. They typically contain a code that identifies the site on which the advert was displayed. When possible, the third-party cookie also contains a code that identifies the user. Such codes can be generated when a user buys something or provides other identifying information in a form. This kind of data exchange requires sharing agreements between the site owner and the advertisement clearinghouse; such agreements are standard practice in the industry. As the advertisements served by the clearinghouse are displayed on many web sites, a user’s browsing activity can be effectively monitored by these advertising companies, which use this data to show users targeted advertisements and build a buying profile. However, they could also be collecting private identifying information.

It is advisable to allow first-party cookies and to block third-party cookies.
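As an added example (not from the original notes), a minimal cookie jar in Python that applies the advice above: first-party cookies are stored, third-party cookies are blocked, and the 4KB per-cookie and 50-per-domain limits quoted earlier are enforced. The URLs are constructed, and treating the last two host labels as the "site" is a simplification assumed for the example.

```python
from http.cookies import SimpleCookie
from typing import Dict
from urllib.parse import urlsplit

MAX_COOKIE_BYTES = 4096  # per-cookie size limit quoted in the notes for IE
MAX_PER_DOMAIN = 50      # per-domain count limit quoted in the notes


def site_of(url: str) -> str:
    """Reduce a URL to its site. Simplification (assumed here): the last two host labels."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def is_third_party(page_url: str, resource_url: str) -> bool:
    """A cookie is third-party when the resource setting it belongs to another site than the page."""
    return site_of(page_url) != site_of(resource_url)


class CookieJar:
    def __init__(self, block_third_party: bool = True) -> None:
        self.block_third_party = block_third_party
        self.store: Dict[str, Dict[str, str]] = {}  # site -> {cookie name: value}

    def accept(self, page_url: str, resource_url: str, set_cookie: str) -> str:
        """Apply one Set-Cookie header; return 'stored' or the reason it was refused."""
        if self.block_third_party and is_third_party(page_url, resource_url):
            return "blocked: third-party"
        if len(set_cookie.encode("utf-8")) > MAX_COOKIE_BYTES:
            return "blocked: exceeds 4KB"
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        if not parsed:
            return "blocked: unparseable"
        jar = self.store.setdefault(site_of(resource_url), {})
        for name, morsel in parsed.items():
            # Replacing an existing cookie never counts against the per-domain limit.
            if name not in jar and len(jar) >= MAX_PER_DOMAIN:
                return "blocked: per-domain limit"
            jar[name] = morsel.value
        return "stored"

    def cookies_for(self, resource_url: str) -> Dict[str, str]:
        """Cookies that would be sent with a request to resource_url (same site only)."""
        return dict(self.store.get(site_of(resource_url), {}))
```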

  • Privacy Options: enable the user to manage pop-ups, which are typically used to show advertisements. Normally pop-ups are blocked unless the user specifically needs to view them for a particular site. In IE, the Settings section of the Privacy tab enables the user to select a privacy setting relating to cookies from six available modes using the slider. A user can choose Accept All Cookies, Low, Medium, Medium-high, High or Block All Cookies.

Virtualization: is a technology through which one or more simulated computers run within a physical computer called the host. The simulated computers are typically called Virtual Machines (VMs). With Virtualisation, many users and system functions typically consume far less than the full power of a physical computer. Virtualization is generally offered in three levels:

Virtual applications: with virtual applications, users share a pool of software licenses. Typically they connect to a central host operating various VMs that have been configured to run the application. The company purchases enough licenses to service the average demand. XenApp or Presentation Server from Citrix Systems is an example of a virtual application product. Apart from reducing costs, virtual applications provide centralized control over applications. Software managers control which applications users can access and can also configure computer security to deny employees permission to install local copies of software. Since the virtual applications are loaded from a locked image, users cannot make changes or apply updates, and viruses cannot infect the executables.

Virtual desktops: provide multiple applications, a logon environment and local user preferences. A virtual desktop is a virtualized PC running within a VM on a host computer. End users connect to their own virtual desktop using a thin terminal or specialised Windows software. The virtual desktop environment can be configured and treated just like a real Windows computer but exists solely within software. Like virtual applications, virtual desktops provide additional security by giving IT managers greater control over user environments. Examples of virtual desktops are XenDesktop from Citrix Systems and VMware Virtual Desktop Infrastructure.

Virtual servers: extend virtualization to the data centre. Instead of virtualizing end-user systems, servers are virtualised, for instance by running multiple web servers on a single host. Using virtual servers enables better utilisation of computer hardware and simplifies the setting up of new servers, backup and disaster recovery. A typical host is a rack-mounted blade computer without optical drives or a local storage device; virtual servers typically store their data on a central storage device such as a SAN or disk array. By using VLANs, each virtual server can be logically located within the network segment serving an individual department. Examples of virtual servers are Hyper-V Server from Microsoft, XenServer from Citrix Systems and VMware Server from VMware.
