The key to network security is understanding the choices and strategies
available to you, so look to the building blocks of network security.
These include implementing user authentication, using proxy servers and
firewalls, setting up demilitarized zones, and taking advantage of port- and
packet-filtering technologies. The overview of these security solutions provided
by this article will give you an understanding of the technology. User
authentication, the first option discussed in this article, is the most basic
component of network security, and its success depends on the method used
(encrypted, plain text, and so forth), and on the ability to keep this
information from unauthorized personnel. Some of the more popular versions of
user authentication include the Password Authentication Protocol (PAP) and the
Challenge Handshake Authentication Protocol (CHAP).
Proxy servers can provide multiple functions to your network. Not only can they
provide security for your wide area network (WAN) connection, but they can also
provide services like caching, port filtering, and in some products, reverse
proxy. Firewalls can be software, hardware, or both, and they effectively block
unauthorized access to your network just as proxy servers do. There are several
types of firewalls, including those that act as a packet filter, a circuit
gateway, or an application gateway. You should also keep in mind that the
differences between these pieces of equipment are shrinking rapidly. The desire
for an all-in-one security solution has created many hybrid devices with both
capabilities.
Demilitarized zones (DMZs) allow you to
set up a network between your internal network and the outside world to form an
additional protective layer from outside access. Protocol switching, a
self-explanatory function, can be very useful against specific types of
protocol-based attacks. For instance, you can set up a dead zone with some other
protocol (protocol switching) to help protect your network against specific
protocol attacks. Last, we have port and packet filtering. These two security
methodologies allow you to block specific protocols or specific ports. There are
numerous implementations of these technologies.
User Authentication Methods
The most basic building block to any security model is user
authentication. User authentication allows for verification that the user is who
they say they are; it gives you, therefore, the ability to regulate who gains
access to your network. Without any authentication mechanism in place, any user,
theoretically, would be able to access your network and cause damage. Even for
the most seasoned network administrator, providing and maintaining usernames and
passwords can prove to be a challenge. Always remember that you are not only
trying to protect your users from outside threats, but also from unwittingly
enabling an attacker.
Authentication has become a somewhat standard
feature of most networking software and operating systems. For this reason, it
is imperative that you understand what potential issues you may face. In the
following sections we will discuss types of encryption and authentication, and
some of the common issues associated with their
implementation.
Encryption
Authentication was designed to give an added boost to network security. However,
some of the earlier specifications called for clear-text transmission of
usernames and passwords, which allowed software programs such as sniffers to
capture your username and password for later use. To correct this problem,
vendors began to use encryption to protect usernames, passwords, and data as
they traveled through the network.
Encryption is defined as the act of taking
plain-text information and changing it using a mathematical algorithm, so that
only those with the proper encryption key can decrypt the ciphertext. These
mathematical algorithms are also referred to as hashes. At a very basic level,
plain text is encrypted into ciphertext, and then transmitted to its
destination. At the destination, the intended party has the key for the
encryption algorithm, and the ciphertext is converted back into plain text.
Think back to a time when Morse code was new. Anyone eavesdropping would hear a
series of ticks or beeps. Without the proper tick-to-character translation the
information would be useless.
A good example of encryption can be taken
from the everyday configuration of a Cisco router. You can enter an enable
secret password (that is encrypted), so that no one can get it by merely giving
the command show running-config. Look at the following sample output.

Router#sho run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$bhND$YR6guXVV02lvoPnv8h2lr/
enable password lab
-=snip=-
Just below the hostname, you can see the enable
secret password in its encrypted form. This password happens to be cisco, but
you would never know it from that string of characters. In the same text, you
can see the enable password in an unencrypted format.
Some of the more
popular terms you will see are 40-bit encryption, 56-bit encryption, and 128-bit
encryption. All three are separate levels of the Data Encryption Standard (DES),
created by the National Bureau of Standards. The algorithm uses a key that
ranges from 40 up to 128 bits in length. The higher numbers have longer
character strings, and therefore more possible key combinations. The key is then
combined with the data using a mathematical algorithm. That serves as the
encryption that the destination must reverse using the proper key combination
(decoding).
It is not recommended to use 40-bit encryption for any type
of corporate e-commerce security because the code can be broken fairly easily
with the right program. The use of 56-bit encryption adds more to the DES
algorithm, making it a bit more difficult to break, but not impossible. Because
56-bit DES was cracked a few years ago, you should not use it to secure anything
critical within your network. However, 56-bit encryption is significant because
it is currently the highest level of encryption allowed by the US government for
exportation.
The use of 128-bit encryption has become the
standard when using DES security. The 128-bit version of DES is strong enough
that it would take someone a long time, with many high-end computers to break
it. It would take the average person so long that it probably wouldn’t be
worth the hassle. This type of encryption is not allowed for exportation outside
of the United States, but many other countries have comparable encryption
methods in place.
There are other encryption algorithms on the market
today. Many of them provide better security than the DES encryption algorithm.
Some of these algorithms include Triple DES (3DES), Blowfish, AES and the
International Data Encryption Algorithm (IDEA). Most of these algorithms use the
block-cipher method for encryption. Block cipher takes user data and segments it
into blocks of 64 bits before encoding. The block size can be anything up to 128
bits, but 64 is the standard.
3DES is a vast improvement upon its
predecessor, DES. The 3DES algorithm uses three DES strings, each with its own
key. This is a very secure encryption algorithm, but it is also very slow. 3DES
does not have to use all three keys, however; it can use only two.
AES is a symmetric 128-bit block data encryption technique developed by Belgian
cryptographers Joan Daemen and Vincent Rijmen. The U.S. government adopted the
algorithm as its encryption technique in October 2000, replacing the DES
encryption it used. AES works at multiple network layers simultaneously. The
National Institute of Standards and Technology (NIST) of the U.S. Department of
Commerce selected the algorithm, called Rijndael (pronounced Rhine Dahl or Rain
Doll), out of a group of five algorithms under consideration, including one
called MARS from a large research team at IBM.
Bruce Schneier, author and
industry expert, designed the Blowfish algorithm. This encryption algorithm is
very fast and is resistant to both linear and differential analysis. Blowfish is
designed on a 256-bit key, for very high security, and the data is broken into
64-bit blocks before it is encrypted. Blowfish encryption has become the choice
for many companies because of its strength and speed.
Authentication Methods
There are many ways in which a user can be authenticated.
The user can log into a network or system using an authentication protocol, a
security key card, or even by allowing the Remote Access Service protocol (RAS)
to use PPP dial-back for verification. In this section, we will focus on several
of the main authentication protocols for PPP connections on the market. These
protocols include PAP, Shiva Password Authentication Protocol (SPAP), CHAP, and
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
PAP is
one of the most widely distributed authentication protocols to date. It’s a
very fast authentication mechanism, but it does have a few drawbacks. When you
connect to a RAS using PAP, your username and password are sent in clear-text
format. This would allow someone to intercept your password fairly easily. The
client using PAP sends his or her username and password to the RAS, which has a
table of mated username and password pairs with which it checks the inbound
requests. The table is usually kept in an encrypted format so that you can’t
retrieve a whole listing of authentication information.
SPAP is a proprietary
authentication protocol from Shiva. SPAP works a lot like PAP, except that it
doesn’t transmit the password in a clear-text mode. When the Shiva Security
Pack is added to Windows, there are some additional features added to the
security session:
CHAP is an open standard for user
authentication. This protocol differs from PAP in several ways. First of all,
the CHAP authentication method uses a three-way handshake sequence to verify the
user. The RAS will send a challenge on which the client will have to calculate a
one-way hash. The client will send its calculated hash back to the RAS, which
will also calculate a hash on the challenge. If the two match, the RAS will
allow the client access; if not, the connection is dropped. After that occurs,
the challenge can be reissued at any time during the session for user
verification. CHAP is based on the Rivest, Shamir, and Adleman Message Digest 4
(RSA MD4) algorithm. This algorithm was named after the individuals who invented
it.
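To make the difference between PAP and CHAP concrete, here is an added example (not code from the article) that models both exchanges and records what a passive observer on the link would see. The hash is MD5 over identifier, secret and challenge, as RFC 1994 specifies for CHAP; the credential table, the `Wire` capture and all class and function names are constructed for this example.

```python
"""CHAP-style challenge-response next to PAP-style password-in-the-clear.

Added example, not code from the article. The RAS issues a random challenge,
the client returns a one-way hash over the shared secret and the challenge,
and the RAS recomputes the hash from its own copy of the secret. The hash is
MD5 over (identifier || secret || challenge), as RFC 1994 specifies for CHAP;
the article itself names MD4. All class and function names are this example's.
"""
import hashlib
import hmac
import os

Wire = list[tuple[str, bytes]]   # (direction, payload) as a passive sniffer sees it


class PapServer:
    """PAP: the client sends username and password as-is; the RAS compares."""

    def __init__(self, table: dict[str, str]) -> None:
        self._table = table

    def authenticate(self, username: str, password: str) -> bool:
        expected = self._table.get(username)
        return expected is not None and hmac.compare_digest(expected, password)


def pap_login(server: PapServer, wire: Wire, user: str, pw: str) -> bool:
    wire.append(("client->ras", f"{user}:{pw}".encode()))   # credentials cross the link
    ok = server.authenticate(user, pw)
    wire.append(("ras->client", b"Authenticate-Ack" if ok else b"Authenticate-Nak"))
    return ok


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 2: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapServer:
    """CHAP: the RAS holds the secret, issues a challenge, and recomputes."""

    def __init__(self, table: dict[str, str]) -> None:
        self._table = table            # CHAP needs the secret itself, not a digest of it
        self._pending: dict[int, bytes] = {}
        self._next_id = 0

    def challenge(self) -> tuple[int, bytes]:
        self._next_id = (self._next_id + 1) % 256
        chal = os.urandom(16)          # fresh and unpredictable for every exchange
        self._pending[self._next_id] = chal
        return self._next_id, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self._pending.pop(identifier, None)   # each challenge answers once
        secret = self._table.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


def chap_login(server: ChapServer, wire: Wire, name: str, secret: str) -> bool:
    ident, chal = server.challenge()
    wire.append(("ras->client", b"Challenge " + chal))
    resp = chap_response(ident, secret, chal)
    wire.append(("client->ras", b"Response " + resp + b" " + name.encode()))
    ok = server.verify(ident, name, resp)
    wire.append(("ras->client", b"Success" if ok else b"Failure"))
    return ok


def replay_captured_response(server: ChapServer, wire: Wire, name: str) -> bool:
    """Re-send an earlier captured Response; the RAS has moved on to a new challenge."""
    frame = next(p for d, p in wire if d == "client->ras" and p.startswith(b"Response "))
    old_resp = frame[len(b"Response "):][:16]
    ident, _ = server.challenge()
    return server.verify(ident, name, old_resp)


def demo() -> dict[str, bool]:
    table = {"alice": "s3cret"}         # constructed sample credential table
    pap_wire: Wire = []
    chap_wire: Wire = []
    pap_ok = pap_login(PapServer(table), pap_wire, "alice", "s3cret")
    chap = ChapServer(table)
    chap_ok = chap_login(chap, chap_wire, "alice", "s3cret")
    return {
        "pap_ok": pap_ok,
        "pap_password_on_wire": any(b"s3cret" in p for _, p in pap_wire),
        "chap_ok": chap_ok,
        "chap_password_on_wire": any(b"s3cret" in p for _, p in chap_wire),
        "chap_replay_ok": replay_captured_response(chap, chap_wire, "alice"),
        "chap_wrong_secret_ok": chap_login(chap, [], "alice", "guess"),
    }
```

Note that the CHAP server must hold the secret in a form it can feed to the hash, which is why a CHAP credential store cannot be protected the way the PAP table described above can.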
MS-CHAP is based on the same premises as CHAP. There are a couple of
differences that should be noted. Microsoft’s implementation is also based on
the RSA MD4 algorithm, but it adds data encryption to strengthen security. CHAP
only encrypts the login information, so MS-CHAP may be a better choice in certain
circumstances. As you might have guessed, MS-CHAP is a proprietary protocol that
must be supported by your software or hardware.
Authentication Pitfalls
Authentication is used to help protect your network, but it
is not infallible. You should make sure that you protect user information like
your job depended on it; it just might. In the following paragraphs, we will look
at a couple of the pitfalls associated with authentication and what you can do
to protect yourself from them.
Social Engineering
There are plenty of software packages that allow
crackers (malicious hackers) to decipher usernames and passwords, but software
doesn’t pose the only threat to the integrity of your network. In recent
years, the threat posed by social engineering has become more of a problem than
ever before.
Social engineering is generally defined as an act by an
outside party that acquires network or user information through such personal
contact as a casual phone conversation. This type of thing occurs a lot more
often than you might think. Social engineering can be as easy as someone calling
and saying, "Hi, this is Jim, can you give me Bill Davis’s phone number? I need
to get in touch with him, and I left my computer at work." This is a very popular
tactic of headhunters, who would love to recruit your top
talent.
Although what is listed here may not seem like much, you would be
surprised to discover what kind of information can be learned from these very
innocent-sounding phone calls. It is possible to acquire just about any
information desired if the caller is savvy enough to coax it out of you or your
users.
It is certainly difficult to know when someone is truly asking for
your help, and when that person is looking for personnel or corporate
information. Does this mean that you shouldn’t help anyone who calls you?
Certainly not, but it does mean that you should be cautious. You are more likely
to encounter this sort of thing in a large successful company, but that does not
mean that you won’t run into it if you work for a startup. The shortage of
qualified employees makes this an issue anywhere in corporate
America.
There are several things that you can do to protect yourself
from social engineering, beginning with educating your employees. Make sure
that they know how to recognize it, and what to do if they do encounter
an attempt at social engineering. You can direct personnel to transfer the
call to a central location, such as a security desk.
If you are suspicious of a call, check the caller’s credentials after the call
or check your caller ID to see if you can find out who it is. If the caller
stated that he or
caller ID to see if you can find out who it is. If the caller stated that he or
she works in the engineering department, but the number shows up as unavailable,
that should send up a red flag. You may even want to consider making it
corporate policy not to give out personnel or departmental information at all.
If you have a corporate directory to which everyone has access, there
shouldn’t be a reason why they can’t look the information up for themselves.
Instruct your users to be educated and cautious, because the effects of social
engineering can be disastrous.
One of the more notable computer deviants
in recent history is Kevin Mitnick. A self-described master of the TELCO switch,
he had been in and out of trouble with the authorities since the early 1980s. In
his last escapade, Kevin eluded government officials for several years before
being apprehended in 1996. His downfall came when he picked the pocket of the
wrong person, Tsutomu Shimomura, who eventually tracked him down in Raleigh, NC.
Shimomura, who is a senior fellow at the San Diego Supercomputer Center, is also
a very well-respected network security advisor for the government.
Kevin
baffled law enforcement authorities with how much he knew about the telephone
infrastructure, and it was later discovered that his expertise at social
engineering helped him significantly. According to Shimomura’s book,
Take-Down: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted
Computer Outlaw, By the Man Who Did It, Kevin and a group of friends entered a
Pacific Bell COSMOS phone center and talked their way past a night guard. Once
inside, they planted phony names in the Rolodex to allow them to continue with
the social engineering at a later time. It was at this time that Kevin also
stole the switch-operating manuals, something that undoubtedly helped him in his
endeavors.
As you can see, if steps toward the proper education and
preparation are not taken now, it can be too late by the time you realize you
have been compromised. Admittedly, Kevin is a truly gifted hacker, but the point
remains the same.
Password Management
The way that a lot of
users manage (or mismanage) their login information has always struck me as
funny. As the network administrator, you should be wary of your users storing
their user names and passwords in obvious locations. There are several things
that you should insist upon when thinking about password
management:
=> Passwords should not be stored in plain view. Cisco managers refer to this as
the Lion King motif. Basically, this is the user who has a yellow mane of
Post-Its all around the monitor edge. You will often find that the usernames and
passwords are listed along with what they go to.
=> Passwords should not be saved to a text file on the desktop of
the computer, or anywhere else for that matter. Just as you don’t store your
PIN to your bank card in your wallet (at least I hope you don’t), you
shouldn’t store network authentication information on your
computer.
=> Require that the users on your network change their
passwords at a regular interval. A lot of networks require this every 45 days or
so, with the longest interval being about six months.
You may also want to consider setting up a team that checks for compliance with
your management rules. In certain military installations, there are teams of
individuals who do nothing but try to guess your passwords; you probably do not
have the time or resources for this, but it is one way to verify that passwords
have been changed and that they meet your requirements. It is also a good way to
verify that strong passwords have been used. Most important is to define a set of
standards for your network authentication model and then make sure that you
enforce it.
Proxy Server Functionality
A proxy server is a software
and/or hardware package that provides security plus many other functions such as
Web and content caching. They are generally set up on a multihomed PC (one with
two network interface cards, or NICs), with one connection for the Internet and
one connection for your network.
Caching is usually split into two groups,
active and passive. With active caching, the proxy server will retrieve
documents that it believes may be requested by the clients. Passive caching
waits for a request before it retrieves a document and then the server will
decide if the data should be cached.
An important concept to remember
about proxy servers is that they act on Internet requests for the computers on
the local area network (LAN). When a PC on the LAN requests a file from the
Internet, the request is taken by the proxy server, and then is retransmitted
with the proxy’s public address. This will cause the proxy server to look like
the originating point of the request, and the destination will never know about
the LAN behind the proxy. Proxies can be deployed for several reasons, including
these:
=> A limited number of IP addresses are available for the Internet.
=> Security is necessary, but high-end routers and firewalls are beyond budget
range.
=> It is necessary to speed up Web browsing for the users on the network.
First, proxy servers may be deployed if
there are a limited number of Internet IP addresses available to you. Unless you
have IP addresses to use for every machine in the network, you will need to find
a way to manage them. A proxy server can take a single IP address and act as an
interface to the rest of the Internet. This is achieved through a process known
as Network Address Translation (NAT). You may hear people talk about using NAT
on their network when they actually mean Network Port Address Translation
(NPAT).
The difference is that when using NAT, every IP address on the
Internet has a corresponding address on the LAN. When using NPAT, there is one
Internet address for multiple IP addresses on the LAN. The association is then
kept track of with port assignments for each session opened from the
LAN.
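As an added example (not from the article), the following models the NPAT table just described: one public address, a fresh public port for each LAN session, and reverse translation only for inbound packets that match an existing entry. The addresses and the `Npat` and `Packet` names are constructed for this example.

```python
"""Network Port Address Translation (NPAT) as the article describes it.

Added example, not from the article. One public address fronts many LAN hosts;
each outbound session is given its own public port, and the association is kept
so that the reply can be translated back to the right LAN host and port. Any
inbound packet that no LAN session asked for has no entry and is dropped, which
is the "masking" the article refers to. Addresses and packets are constructed
for this example; all names are this example's.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Npat:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (proto, lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self._out: dict = {}
        # (proto, public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self._in: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN-originated packet so it appears to come from the public address."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub_port = self._out.get(key)
        if pub_port is None:                       # first packet of a new session
            pub_port = self._next_port
            self._next_port += 1
            self._out[key] = pub_port
            self._in[(pkt.proto, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply back to the LAN host, or return None to drop it."""
        if pkt.dst != self.public_ip:
            return None
        # The entry is keyed on the remote endpoint as well as the public port, so
        # a different outside host using the same port number finds no entry.
        target = self._in.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if target is None:
            return None                            # unsolicited: no LAN session opened it
        lan_ip, lan_port = target
        return replace(pkt, dst=lan_ip, dport=lan_port)

    def sessions(self) -> int:
        return len(self._out)


def demo() -> dict:
    nat = Npat("203.0.113.10")                      # constructed public address
    web = "198.51.100.7"                            # constructed outside web server
    # Two LAN hosts happen to pick the same source port; NPAT keeps them apart.
    a = nat.outbound(Packet("tcp", "192.168.1.20", 51000, web, 80))
    b = nat.outbound(Packet("tcp", "192.168.1.21", 51000, web, 80))
    a_again = nat.outbound(Packet("tcp", "192.168.1.20", 51000, web, 80))
    reply_a = nat.inbound(Packet("tcp", web, 80, nat.public_ip, a.sport))
    reply_b = nat.inbound(Packet("tcp", web, 80, nat.public_ip, b.sport))
    # An outside host sending to the public address with no session behind it.
    stray = nat.inbound(Packet("tcp", "198.51.100.9", 4444, nat.public_ip, a.sport))
    return {"a": a, "b": b, "a_again": a_again, "reply_a": reply_a,
            "reply_b": reply_b, "stray": stray, "sessions": nat.sessions()}
```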
Proxy servers can provide adequate security for a network used by
small companies, or for companies on a strict budget. Many proxy servers today
have features built into them to protect networks from outside aggression. NAT
and NPAT, as previously discussed, act as a barrier to the Internet, effectively
masking your network from the outside world.
Note that although NAT and
NPAT can provide some security, you should not rely on them to provide the only
security on your network. There are ways that NAT and NPAT can be circumvented,
particularly NPAT. Since NPAT keeps track of information using port assignments,
things such as session hijacking could be employed to allow access into the
network. Session hijacking occurs when you fool the network security device(s)
into thinking you are a trusted member of the network.
There are also
other security features that modern proxy servers can provide, including packet
sequencing and packet filtering. Packet sequencing protects you from many forms
of session hijacking because the proxy server will keep track of which packets
are to arrive next for the open session. Session hijacking occurs when an
intruder spoofs the network into thinking that he is an active member of a
session. Once that has been accomplished, the intruder can hijack the session,
and receive the data freely.
If someone outside the network attempts to
send an errant packet to gain access, chances are it won’t be the correct
packet number, and it will be discarded. Packet filtering will allow you to
block specific types of traffic that you determine.
Another benefit of a
proxy server is its caching ability. A properly configured proxy server can
appear to speed up Internet connections because of the ability to cache
frequently visited Web sites. Because these Web sites are stored on the proxy
server, the user doesn’t have to connect to the Internet to retrieve the
information the sites contain. This can also be a cost savings for companies
with a per-use WAN billing structure.
One negative aspect to caching is a result of the very thing that also makes it
a benefit: the information is stored
locally instead of being retrieved from the Internet. If there is a Web site
that is updated frequently and your users depend on the time-sensitive material
(on stock quotes, for example, like nasdaq.com and etrade.com), you should make
sure that the proxy server is configured not to cache those sites; otherwise,
they will be viewing old material. This, of course, would depend on whether or
not the sites allowed their data to be cached.
When Would You Need a Proxy Server?
Most corporate environments require Internet
connectivity of some sort, and that makes it likely that you will need security.
You may opt to choose a proxy server or you may choose a firewall. Please note
that most modern proxy servers have some sort of firewall mechanism built in,
but not all firewalls have the functionality of proxy servers (like Web
caching).
Another popular configuration is to cache Web content with a
proxy server and use a hardware-based firewall as the corporate security. It is
also possible to secure your corporate network with a firewall, and then install
a proxy server as a caching server and as a firewall. This way, you can
implement a DMZ for e-mail and/or Web servers.
Pros and Cons of Proxy Servers
Like everything else, proxy servers have both good
and bad points. The first good point, as discussed, is that they speed up Web
access by caching downloaded content, which allows faster user access to
information. They also provide network security with filters, NAT/NPAT, and
other firewall features. They are available at a relatively low cost compared
with other hardware-based firewall solutions. Last, they provide logging
mechanisms for inbound and outbound data and connections.
The problem
with proxy servers is that they can have high administration requirements in
larger networks, especially if set up in a large array (Cache Array Routing
Protocol, or CARP); they also add another point of failure into your network
design, and can cause problems with proprietary network applications. In the
instance of CARP, proxy networking can become complex quickly and the skill
level of the administrator must be higher than average.
Firewall Functionality
The previous section discussed the function of the
proxy server and that most have some sort of firewall mechanism built into them.
A firewall is hardware and/or software that acts as a protective barrier from
anything outside of your network. Firewalls can utilize a technology known as
stateful inspection. Stateful inspection firewalls keep track of connections
through sessions, and analyze incoming packets. These packets are accepted if
they are in direct response to an active session. There are several types of
firewalls including a packet-filtering firewall, application firewall, and
circuit-level firewall. They are all slightly different from each other, but
they provide the same basic functionality.
A packet-filtering firewall is
designed to grant or deny traffic based on packet-level information, such as TCP
or IP headers. Most packet-filtering gateways have the ability to block data
based on source or destination address, port number, or protocol. Most routers
employ this function, and are commonly referred to as screening
routers.
An application firewall, on the other hand, does filter, but it
filters at the application level. Applications such as Telnet, FTP, or SMTP
could be specifically granted or denied access. Most proxy servers provide this
type of firewall, although some can do all three. Something else that you will
see with application firewalls is the readdressing we spoke of with the proxy
servers. Packets originating from nodes on the LAN will be readdressed so that
they appear to originate from the firewall itself.
A circuit-level
firewall protects your network in a slightly different way than other firewalls.
The circuit-level firewall ensures that a host on the Internet does not have a
direct connection to a host on your network. The firewall will accept service
requests from local hosts, and will then check for service availability. After
it has verified the availability, it will create the session but act as the
middle man, copying the endpoint information back and forth.
Dead Zones and Protocol Switching
A dead zone is defined as any
network segment between two routers that is not running the TCP/IP protocol
suite. Generally you will find dead zones used in conjunction with protocol
switching.
Protocol switching can be an effective way to protect your network from certain
types of attacks. It operates just as the name implies, by switching protocols
between routing devices. If you were to switch protocols from IP to IPX, you
would be able to thwart most IP-based attacks with that alone. You can also see
from the accompanying diagram that we have integrated a firewall, proxy server,
DMZ, protocol switching, and a dead zone in the same LAN topology.
Although protocol switching can’t protect you from every type
of malicious activity, it can help protect your network from attacks like the
Ping of Death or SYN flooding because these attacks depend on the TCP/IP suite
for operation. Unfortunately, things such as distributed denial of service (DDoS)
attacks cannot be prevented using protocol switching and dead zones.
Implementing Port and Packet Filtering
Port
and packet filtering can help prevent unauthorized access to your network from
outside parties. Packet filtering is implemented at the network layer (Layer 3)
of the Open Systems Interconnection (OSI) model, and can provide many ways to
filter inbound or outbound packets. If you are using IP, you can filter packets
based on many of the fields in the IP header like source address, destination
address, source port number, and destination port number.
As previously
discussed, packet filtering can allow you to specify exactly who accesses your
network and who does not. Keep in mind that packet filters can be set up to work
on inbound and/or outbound traffic. For instance, if you do not want IP address
153.26.157.5/16 to access your network, you can set up a packet filter to deny
any packet with the specified source address.
You can also set up a packet filter, again on source IP address, to block
traffic from an internal source from reaching the Internet. This is especially
handy if you don’t want certain users to have Internet access.
Port filtering will allow you to
filter specific ports, and in essence, specific protocols or applications. For
instance, if you want to block outbound FTP traffic, you would set up a port
filter on port 20 and 21. Port 20 is used for data and port 21 is used for
control. This would allow you to block all FTP requests regardless of the source
or destination information within the IP header.
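The following added example (not the article's code, and not any vendor's filter syntax) expresses the filtering cases above as an ordered rule list evaluated over constructed sample packets, first match wins. The `Rule`, `Packet` and `POLICY` names and the LAN addressing are this example's assumptions.

```python
"""Ordered packet and port filter of the kind described above.

Added example, not code from the article or from any vendor. Rules match on
direction, source and destination network, protocol and destination port; the
first matching rule decides and an explicit final rule sets the default. The
policy encodes the article's own cases: deny inbound traffic from
153.26.157.5/16, keep one LAN host off the Internet, and block outbound FTP
(ports 20 and 21) whatever the addresses. Addresses, the LAN layout and the
sample packets are constructed for this example; all names are this example's.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


def net(cidr: str) -> IPv4Network:
    # strict=False accepts host-style notation such as the article's 153.26.157.5/16,
    # which becomes the network 153.26.0.0/16.
    return ip_network(cidr, strict=False)


ANY = net("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" (from the Internet) or "out" (from the LAN)
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # ICMP has no port


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    direction: Optional[str] = None  # None matches either direction
    proto: Optional[str] = None      # None matches any protocol
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dports: frozenset = frozenset()  # empty matches any destination port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (
            (self.direction is None or self.direction == p.direction)
            and (self.proto is None or self.proto == p.proto)
            and ip_address(p.src) in self.src
            and ip_address(p.dst) in self.dst
            and (not self.dports or p.dport in self.dports)
        )


# Order matters: the first match wins, so specific denies come before the
# broad permits and the catch-all deny sits last. Keeping the list short is
# the article's own advice; every packet is tested against each rule in turn
# until one matches.
POLICY = [
    Rule("deny", direction="in", src=net("153.26.157.5/16"), note="blocked source network"),
    Rule("deny", direction="out", src=net("192.168.1.77/32"), note="host kept off the Internet"),
    Rule("deny", direction="out", proto="tcp", dports=frozenset({20, 21}), note="no outbound FTP"),
    Rule("permit", direction="out", note="LAN may reach the Internet"),
    Rule("permit", direction="in", proto="tcp", dst=net("192.168.1.10/32"),
         dports=frozenset({80}), note="public web server"),
    Rule("deny", note="default deny"),
]


def decide(p: Packet, policy=POLICY) -> tuple:
    """Return (action, note) of the first rule that matches the packet."""
    for rule in policy:
        if rule.matches(p):
            return rule.action, rule.note
    return "deny", "implicit"        # only reached if the catch-all is removed


# Constructed sample traffic, one packet per case the policy is meant to cover.
SAMPLES = [
    Packet("in", "tcp", "153.26.4.9", "192.168.1.10", 80),        # inside the blocked /16
    Packet("out", "tcp", "192.168.1.20", "198.51.100.7", 21),     # FTP control channel
    Packet("out", "tcp", "192.168.1.20", "198.51.100.7", 443),    # ordinary HTTPS
    Packet("out", "tcp", "192.168.1.77", "198.51.100.7", 443),    # restricted host
    Packet("in", "tcp", "198.51.100.7", "192.168.1.10", 80),      # web server, allowed
    Packet("in", "tcp", "198.51.100.7", "192.168.1.10", 22),      # SSH from outside
    Packet("in", "icmp", "198.51.100.7", "192.168.1.10"),         # no port at all
]


def evaluate(samples=SAMPLES, policy=POLICY) -> list:
    return [decide(p, policy) for p in samples]


if __name__ == "__main__":
    for pkt, (action, note) in zip(SAMPLES, evaluate()):
        print(f"{action:6} {pkt.direction:3} {pkt.proto:4} {pkt.src} -> {pkt.dst}:{pkt.dport}  ({note})")
```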
Design Pitfalls
There are some key points that you should keep in mind when
setting up any of the discussed features in this article. No matter how obvious
they may seem, some of them could prove devastating to your security
model.
=> Proxy servers or firewalls should never be connected through the same switch
on both ports. If you connect the LAN and WAN ports to the same switch, you have
just defeated your own network security.
=> Public sites such as Web or FTP servers should not be placed on the same
segment as the portion of the network that should remain secured. You can
separate these by any of the methods we have discussed, such as a DMZ.
=> Do not overload your firewall with filters. You should use only filters that
are absolutely necessary, because access problems become more likely to occur as
the number of filters increases. Filters also require hardware time for
processing.
=> Apply access lists to the edge firewall to protect access to the DMZ, being
careful not to overload it. This also applies to the screening router that is
being used.
=> Use data encryption where possible. Just because your network is secure does
not mean that your data is.
=> A single firewall or proxy server may not provide enough security. You should
design a layered security model that includes multiple security measures for
your network.
In Closing
This article has covered some of
the main components and techniques for securing your corporate network. Before
you select which component(s) you need for your security model, decide how you
want to lay it out, what protocols to use, and what hardware/software
combinations are within your budget’s grasp.
A proxy server can be
useful if you are on a limited budget, and if your network requires security as
well as Web or content caching. A firewall can be used if you do not need to
cache Internet content, but you still require security for your Internet
connection. Most security solutions today include both firewall and proxy
capabilities, unless it is a specifically designed hardware firewall such as the
Cisco PIX.
The use of protocol switching and dead zones, packet and port
filtering, as well as DMZs, are several techniques for enabling security on your
network at a very low cost. The main thing to remember is not to overload your
network hardware with unnecessary protocol and port filters. The more you add,
the more likely you are to have performance or connectivity problems from
them.
Regardless of your current network status or your department’s
budget, insist on network security. Whether you get a high-end firewall
mechanism or a lower end software package, it will make a huge difference in the
event an unauthorized user attempts to get into your system.
Article by Stanley (c) 2004. Written for Linux Exposed.