Network Security: A Practical Approach
by Jan L. Harrington
Overview

Network Security is a comprehensive resource written for anyone who plans or implements network security measures, including managers and practitioners. It offers a valuable dual perspective on security: how your network looks to hackers who want to get inside, and how you need to approach it on the inside to keep them at bay.

You get all the hands-on technical advice you need to succeed, but also higher-level administrative guidance for developing an effective security policy. There may be no such thing as absolute security, but, as the author clearly demonstrates, there is a huge difference between the protection offered by routine reliance on third-party products and what you can achieve by actively making informed decisions. You’ll learn to do just that with this book’s assessments of the risks, rewards, and trade-offs related to implementing security measures.


Product Details

ISBN-13: 9780080455372
Publisher: Elsevier Science
Publication date: 04/22/2005
Series: The Morgan Kaufmann Series in Networking
Sold by: Barnes & Noble
Format: eBook
Pages: 384
File size: 17 MB

About the Author

Jan L. Harrington, author of more than 35 books on a variety of technical subjects, has been writing about databases since 1984. She retired in 2013 from her position as professor and chair of the Department of Computing Technology at Marist College, where she taught database design and management, data communications, computer architecture, and the impact of technology on society for 25 years.

Read an Excerpt

Network Security

A Practical Approach
By Jan L. Harrington

MORGAN KAUFMANN

Copyright © 2005 Elsevier Inc.
All rights reserved.

ISBN: 978-0-08-045537-2


Chapter One

In the Beginning ...

In This Chapter

* The internal and external views of network security

* Sources of external threats

* Sources of internal threats

* General defensive techniques

* Security policies

* Security audits and vulnerability testing

* Ongoing security activities

1.0 Introduction

If you were to talk with someone whose job it is to implement network security, you would hear a lot about buffer overflows, vendor patches, denial of service attacks, and so on. But network security is much broader than the details of attacks and defenses against them. A good network security scheme begins at the top of an organization, with extensive planning to determine where the organization should be concentrating its security efforts and money.

In this chapter, you will be introduced to many of the basic concepts behind a security strategy, including the general sources of security threats (to give you a framework for formulating a security policy) and the role of organizational security policies. The chapter concludes by looking at the concepts behind a security audit to check compliance with security policies as well as the actual security of the network.

1.1 Defining Security

Network security is a very broad term. In its fullest sense, it means protecting data that are stored on or that travel over a network against both accidental and intentional unauthorized disclosure or modification. The most often overlooked part of this definition is that it includes accidental occurrences, such as an inadequately debugged application program that damages data.

Another way to look at security is to consider the difference between security and privacy. Privacy is the need to restrict access to data, whether it be trade secrets or personal information that by law must be kept private. Security is what you do to ensure privacy.

Many people view network security as having three goals:

* Confidentiality: Ensuring that data that must be kept private stay private.

* Integrity: Ensuring that data are accurate. For a security professional, this means that data must be protected from unauthorized modification and/or destruction.

* Availability: Ensuring that data are accessible whenever needed by the organization. This implies protecting the network from anything that would make it unavailable, including such events as power outages.

1.2 The Two Views of Network Security

The popular media would have you believe that the cause of most network security problems is the "hacker." However, if you ask people actually working in the field, they will tell you that nearly half the security breaches they encounter come from sources internal to an organization, and, in particular, employees. This means that it won't be sufficient to secure a network against external intrusion attempts; you must pay as much attention to what is occurring within your organization as you do to external threats.

1.2.1 Sources of External Threats

The Internet has been both a blessing and a curse to those who rely on computer networks to keep an organization in business. The global network has made it possible for potential customers, customers, and employees to reach an organization through its Web site. But with this new access have come the enormous problems caused by individuals and groups attempting illegal entry into computer networks and the computer systems they support.

Hackers and Crackers

External threats are initiated by people known in the hacking community as crackers. Initially, the term hacker referred to someone who could write an ingenious bit of software. In fact, the phrase "a good hack" meant a particularly clever piece of programming. Outside of the hacking community, however, anyone who attempts illegal access to a computer network is called a hacker.

Hacking often involves becoming intimate with the details of existing software to give the hacker the knowledge necessary to attempt an unauthorized system break-in. Nonetheless, those who adhere to the original definition of the term hacker wanted to differentiate themselves from those who perform illegal activities, thus the term cracker.

There are many ways to classify those who break into computer systems, depending on which source you are reading. However, most lists of the types of hackers include the following (although they may be given different names).

White Hat Hackers. This group considers itself to be the "good guys." Although white hat hackers may crack a system, they do not do it for personal gain. When they find a vulnerability in a network, they report it to the network owner, hardware vendor, or software vendor, whichever is appropriate. They do not release information about the system vulnerability to the public until the vendor has had a chance to develop and release a fix for the problem. White hat hackers might also be hired by an organization to test a network's defenses.

White hat hackers are extremely knowledgeable about networking, programming, and existing vulnerabilities that have been found and fixed. They typically write their own cracking tools.

Script Kiddies. The script kiddies are hacker "wannabes." They have little, if any, programming skill and therefore must rely on tools written by others. Psychological profiles of script kiddies indicate that they are generally male, young (under 30), and not socially well-adjusted. They are looked down upon by most other hackers.

Script kiddies do not target specific networks, but, instead, scan for any system that is vulnerable to attack. They might try to deface a Web site, delete files from a target system, flood network bandwidth with unauthorized packets, or in some other way commit what amounts to cyber vandalism. Script kiddies typically don't want to keep their exploits secret. In fact, many of those that are caught are trapped because they have been bragging about what they have done.

Cyberterrorists. The cyberterrorists are hackers who are motivated by a political, religious, or philosophical agenda. They may propagate their beliefs by defacing Web sites that support opposing positions. Given the current global political climate, there is also some fear that cyberterrorists may attempt to disable networks that handle significant elements of a country's infrastructure, such as nuclear plants and water treatment facilities.

Black Hat Hackers. Black hat hackers are motivated by greed or a desire to cause harm. They target specific systems, write their own tools, and generally attempt to get in and out of a target system without being detected. Because they are very knowledgeable and their activities are often undetectable, black hat hackers are among the most dangerous.

Types of Attacks

When a hacker targets your network, what might you expect? There are a number of broad categories of attacks.

Denial of service. A denial of service attack (DoS) attempts to prevent legitimate users from gaining access to network resources. It can take the form of flooding a network or server with traffic so that legitimate messages can't get through or it can bring down a server. If you are monitoring traffic on your network, a DoS attack is fairly easy to detect. Unfortunately, it can be difficult to defend against and stop without disconnecting your network from the Internet.

Buffer overflows. A buffer overflow attack takes advantage of a programming error in an application or system program. The hacker can insert his or her own code into a program and, from there, take control of a target system. Because they are the result of a programming error, buffer overflow conditions are almost impossible for a network engineer to detect. They are usually detected by hackers or the software vendor. The most common defense is a patch provided by that vendor.

Malware. The term malware includes all types of malicious software, such as viruses, worms, and Trojan horses. The goal of a hacker in placing such software on a computer may be simple maliciousness or to provide access to the computer at a later date. Although there is a constantly escalating battle between those who write malware and those who write malware detection software, a good virus checker goes a long way to keeping network devices free from infection.

Social engineering. A social engineering attack is an attempt to get system access information from employees using role-playing and misdirection. It is usually the prelude to an attempt to gain unauthorized access to the network. This isn't a technical attack at all, and therefore can't be stopped by technical means. It requires employee education to teach employees to recognize this type of attack and how to guard against it.

Brute force. One way to gain access to a system is to run brute force login attempts. Assuming that a hacker knows one or more system login names, he can attempt to guess the passwords. By keeping and monitoring logs of who is attempting to log into a system, a network administrator can usually detect brute force break-in attacks.

Note: There is no gender discrimination intended with the use of the pronoun "he" when referring to hackers. The fact is that most hackers are male.

You will learn a great deal more about all these types of attacks (and others)—including how they work, how to detect them, and how to defend against them—throughout this book.

The Steps in Cracking a Network

Script kiddies don't have much of a plan when it comes to cracking a network. They simply find some cracking software on the Internet and let it run against a range of IP addresses. However, other types of hackers are much more methodical in what they do. Cracking a network usually involves the following process:

1. Information gathering: During the information gathering phase, a hacker gets as much information as he can from public sources. The result often forms the basis of a social engineering attack.

2. Port scanning: Port scanning is an attempt to identify open TCP ports on a target system. This can not only tell the hacker where he can target an attack, but also can indicate which applications are running on your network.

3. Network enumeration: Once a hacker gains access through an open port, he will attempt to map the network, in particular looking to distinguish workstations from servers. He will attempt to discover which applications and operating systems are running on each host as well as the layout of the network itself (how subnets, routers, switches, hardware firewalls, and other devices are interconnected).

4. Gaining and keeping root/administrator access: The previous three activities will give the knowledgeable hacker enough information to plan an attack. He will then do whatever is necessary to gain access to a user account. His ultimate goal is to escalate whatever access he gains to root/administrator status so that he has access to the entire system.

5. Using access and/or information gained: If he is looking for specific information or wants to make specific modifications to a compromised system, the hacker will either copy the desired information or make the modifications at this point.

6. Leaving a backdoor: A hacker may not take advantage of a system immediately after gaining control of it, or he may need to return at a later date. He may therefore leave software behind that will give him access at will.

(Continues...)



Excerpted from Network Security by Jan L. Harrington Copyright © 2005 by Elsevier Inc. Excerpted by permission of MORGAN KAUFMANN. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Table of Contents

Preface
Chapter 1: In the Beginning ...
Chapter 2: Basic Security Architecture
Chapter 3: Physical Security
Chapter 4: Information Gathering
Chapter 5: Gaining and Keeping Root Access
Chapter 6: Spoofing
Chapter 7: Denial of Service Attacks
Chapter 8: Malware
Chapter 9: User and Password Security
Chapter 10: Remote Access
Chapter 11: Wireless Security
Chapter 12: Encryption
Appendix A: The TCP/IP Protocol Stack
Appendix B: TCP and UDP Ports
Appendix C: Security Update Sites
Glossary
Index
Photo Credits

What People are Saying About This

From the Publisher

Fills the need for a single source that introduces all of the important network security areas.
