Alright, this article is going to concentrate on some of the more niche, and what some people may consider obscure, topics within network security, and give you a basic synopsis of what they are, how they work, and how they're implemented. Most of what is covered in articles about network security concerns the more popular (and equally important) topics such as encryption (a topic I covered myself), proxies, firewalls, IP spoofing, VPNs, NetBIOS, etc. These are all good, interesting topics, and vitally important to discuss and understand. But with the growing trend toward technological obscurity, I decided I'd try and write an article that covers the basics of some of the more obscure but still important topics in network security. Specifically, those topics are DMZs (commonly known as de-militarized zones); vulnerability scanners (which at this point are far from perfected, but have been gaining speed, with many people lending their expertise to the development of the technology); intrusion detection systems (a technology that has been around for a long while, but is only now becoming particularly trusted and mature); side-channel attacks (which have drawn more and more attention since Paul Kocher's timing attack on RSA and Diffie-Hellman implementations was made public in 1995); and finally steganography (the art of hiding messages inside images, videos, etc. so that nobody even knows a message is there, as opposed to encrypting them; something that has always been of importance in government affairs and those of big business, and something I felt deserved special mention considering the rocky times the world is in now). Please read on; I hope you learn something from the article and find it to be an enjoyable read.
A. DMZs or de-militarized zones.
A DMZ is not really a single product or technology; it is more a concept: a separate network segment that protects the rest of the network by combining a variety of features.
A DMZ is usually where one puts all public services and publicly accessible data, and it is designed to contain and block any number of attacks from both the outside and the inside of the network. This makes DMZs a very important concept to cover; they have become more and more widely implemented, from small businesses to large corporations, and some people even like to use a DMZ in their home LAN.
DMZs consist of a very simple setup that goes like this. You put the web server (or any other public-facing server) inside the DMZ and set up two logical firewalls: one between the internal network and the DMZ, configured to let insiders reach only the published services, stopping anyone inside from attacking the DMZ hosts through other ports, and to stop a DMZ host that has been compromised from reaching the internal network at all; and a second between the internet and the DMZ, configured to allow remote connections only to the published services (for a web server, typically ports 80 and 443) and to block everything else. In practice the two logical firewalls are often one physical firewall with three interfaces (internet, DMZ, internal), but the policy is the same either way.
Other technologies are optional additions to a DMZ; the two logical firewalls are the standard part and are what make the idea work. The arrangement allows a good level of usability and sacrifices only a small amount of security in the process: the public services stay reachable, and a break-in to one of them is contained in the DMZ rather than reaching the internal network.
Some of the technologies, aside from the firewalls, that are implemented in DMZs are scripts built around certain triggers. For instance, if any attempt to tamper with the firewall remotely is detected, the script may log the source IP and automatically block it. Another popular one is a login scheme consisting of a hierarchy of user levels, each allowed more and more service, with the administrator at the top level, and the administrator level restricted so that it can only be reached from a certain IP. The administrator's machine is therefore on a static IP, which stops a good deal of tampering, much like a root login, but without the ability to run superuser commands from a different computer. Also, occasionally but fairly uncommonly, a program runs alongside the firewalls and scripts that logs the IP of any failed login attempt and bans it, whether it came from inside or outside the network (this means the administrator must be an accurate typist as well, obviously; a lockout that fires on too few failures is also an easy way for an attacker to lock the administrator out, so the threshold and the ban duration need some thought).
Also, since DMZs apply to networks and not single computers, routers are inevitably going to be in the mix, and a router that forwards freely between the zones undoes the separation the DMZ is supposed to provide. The technology most commonly applied to routers in a DMZ is an ACL (access control list). Essentially the router permits or drops each packet according to its header fields, namely the source address, destination address, protocol, and source and destination ports, checked against the list in order, with whatever is not explicitly permitted dropped. This helps secure the router and doesn't compromise the security of the DMZ at all; in fact, it only strengthens it. Of course, there is only so far that ACLs can go: they look at headers, not contents, and they cannot tell whether a packet is genuine. Verifying the integrity and origin of the traffic is the job of cryptographic protocols running on the hosts (certificates and digital signatures, as used by TLS or IPsec), not of the ACL.
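To make the two-firewall policy and the auto-ban concrete, here is an added example (my own illustration, not code from the original article or from any firewall product): a three-zone DMZ policy evaluated as a first-match access control list with default deny, plus the failed-login tracker that bans a source after repeated failures. The addresses (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the internal network, 10.1.1.5 as the administrator's static IP), the hosts and the ports are all constructed for the example.

```python
"""Added example: a three-zone DMZ policy (internet / DMZ / internal) as a
first-match access control list with default deny, plus a failed-login
auto-ban.  Addresses, hosts and ports are constructed for this example and
are not taken from any real deployment."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example addressing (an assumption for the demo).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),   # everything else
}
WEB_SERVER = ipaddress.ip_address("192.0.2.10")      # public web server in the DMZ
ADMIN_HOST = ipaddress.ip_address("10.1.1.5")        # administrator's static IP


def zone_of(addr):
    """Most specific zone first; 0.0.0.0/0 catches whatever is left."""
    for name in ("dmz", "internal", "internet"):
        if addr in ZONES[name]:
            return name


@dataclass(frozen=True)
class Rule:
    src_zone: str                   # zone name or "any"
    dst_zone: str
    proto: str                      # "tcp", "udp" or "any"
    dports: frozenset               # empty = any destination port
    action: str                     # "allow" or "deny"
    src_host: Optional[ipaddress.IPv4Address] = None   # pin to one source host
    dst_host: Optional[ipaddress.IPv4Address] = None   # pin to one destination host

    def matches(self, src, dst, proto, dport):
        if self.src_zone != "any" and zone_of(src) != self.src_zone:
            return False
        if self.dst_zone != "any" and zone_of(dst) != self.dst_zone:
            return False
        if self.src_host is not None and src != self.src_host:
            return False
        if self.dst_host is not None and dst != self.dst_host:
            return False
        if self.proto != "any" and proto != self.proto:
            return False
        if self.dports and dport not in self.dports:
            return False
        return True


# Outer firewall: the internet may reach only the published web ports.
# Inner firewall: insiders reach the DMZ web service, the admin alone gets SSH,
# and nothing from the DMZ may initiate a connection inward (nor may the
# internet reach the internal network directly).  Anything unmatched is dropped.
RULES = [
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), "allow", dst_host=WEB_SERVER),
    Rule("internal", "dmz", "tcp", frozenset({22}), "allow", src_host=ADMIN_HOST),
    Rule("internal", "dmz", "tcp", frozenset({80, 443}), "allow"),
    Rule("dmz", "internal", "any", frozenset(), "deny"),
    Rule("internet", "internal", "any", frozenset(), "deny"),
]


class FailedLoginTracker:
    """Counts failed logins per source and bans a source at the threshold."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = {}
        self.banned = set()

    def record_failure(self, src):
        """Record one failure; return True once the source is banned."""
        src = ipaddress.ip_address(src)
        self.failures[src] = self.failures.get(src, 0) + 1
        if self.failures[src] >= self.threshold:
            self.banned.add(src)
        return src in self.banned


def evaluate(pkt, rules=RULES, tracker=None):
    """Return "allow" or "deny" for a packet dict with src, dst, proto, dport."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if tracker is not None and src in tracker.banned:
        return "deny"                      # dynamic block beats the static list
    for rule in rules:
        if rule.matches(src, dst, pkt["proto"], pkt["dport"]):
            return rule.action
    return "deny"                          # default deny


if __name__ == "__main__":
    tracker = FailedLoginTracker()
    web = {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 443}
    print(evaluate(web, tracker=tracker))          # allow
    for _ in range(5):
        tracker.record_failure("203.0.113.9")
    print(evaluate(web, tracker=tracker))          # deny: source is banned
```

The order of the rules matters: the ban check runs before the static list, and the "dmz to internal" deny sits after the allow rules so that it can never be shadowed by a later, looser entry. A practitioner would also expire bans after a while and keep the threshold high enough that a typo-prone administrator does not lock himself out.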
I think it is safe to say that for any sizeable web server hosting public services, a DMZ is a key concept, taking some classic technology (packet filtering) and applying it at the level of network architecture. DMZs are already standard practice wherever public services are hosted, and I believe they're going to remain a big part of network security for a long time.
B. Vulnerability scanners.
Vulnerability scanners are a relatively young technology in network security, and for this reason, and because of the very nature of how they test systems, they are far from perfectly reliable. They are useful to administrators for finding known, unpatched problems, and to attackers for finding weak systems quickly, but a clean scan is not proof that a system is secure.
The idea of a vulnerability scanner is that it inventories a system (open ports, running services and their versions, the operating system) and then checks it against a database of known problems: missing patches, exposed services, weak configurations, default accounts, and so on. Now, you'd think the obvious way to test would be to actually run the attacks (overflows, brute-force attempts, firewall bypasses), but because people are, understandably, reluctant to crash or break into their own production systems, the great majority of commercial scanners test from a theoretical standpoint: they infer a vulnerability from a version banner or a configuration rather than exploiting it, and we all know too well that laboratory settings are almost always different from what occurs in practice. A scanner might report whether you are behind one firewall or two, whether a DMZ is in place, how many public exploits exist for a given OS or program and whether the admin has patched them, etc., and if specifically directed it might run a more specific test against some of these, attempting a particular overflow or exploit. But it's obvious why banner-based tests aren't very accurate at measuring the security of a network: a service whose fix was backported still reports its old version number and gives a false positive, and a problem that isn't in the database gives a false negative. If people aren't willing to go all the way in their security, and equally far in their tests, then vulnerability scanners will remain a formal display of moderate security, or insecurity, rather than a real assessment.
Other issues occur in deciding whether the attack against a certain vulnerability was successful or not. For instance, say the scanner attempts to overflow a login program, something along the lines of a Novell login. The goal according to the exploit is to get root access, which the scanner does not achieve, but an error occurs that leaks the physical path of the password file (this has actually happened), which was supposed to be protected and hidden. It's hard to say whether this attack was successful or not; usually the output the scanner gives is that the attempt was unsuccessful, but the result that gets logged would be of great interest to whoever was operating the scanner at the time. A good scanner therefore needs a third outcome besides success and failure, something like "inconclusive", for responses that match neither what a working exploit returns nor what the service normally says on failure, so that a human looks at them.
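The two halves of that picture, a banner-based version check and a three-way verdict for an active probe, as an added example (my own illustration, not the original article's code and not any real scanner's logic). The service names ("acme-ftpd", "acme-sshd"), their fixed-in versions and the advisory labels are hypothetical, constructed for this example; the response strings fed to the probe classifier are constructed too.

```python
"""Added example: (1) a banner-based version test and (2) a three-way verdict
for an active probe, with an "inconclusive" bucket for responses that match
neither the success nor the expected-failure pattern.  Service names, version
thresholds and advisory labels are hypothetical, constructed for this demo."""
import re
from enum import Enum


class Outcome(Enum):
    VULNERABLE = "vulnerable"
    NOT_VULNERABLE = "not vulnerable"
    INCONCLUSIVE = "inconclusive"   # needs a human to look at the response


# Hypothetical advisory table: service name -> (first fixed version, label).
FIXED_IN = {
    "acme-ftpd": ((2, 4, 0), "HYPOTHETICAL-ADV-1"),
    "acme-sshd": ((5, 2), "HYPOTHETICAL-ADV-2"),
}

# Accepts "acme-ftpd 2.3.9", "acme-sshd_5.1", "acme-sshd/5.2.1" and the like.
BANNER_RE = re.compile(r"(?P<name>[A-Za-z][\w-]*?)[ _/]v?(?P<ver>\d+(?:\.\d+)+)")

# What a working root exploit prints, and what the service normally says on a
# failed login (both constructed for the demo).
ROOT_SHELL_RE = re.compile(r"uid=0\(root\)")
LOGIN_FAILED_RE = re.compile(r"Login incorrect")

# Unix or Windows filesystem paths showing up in an error message.
PATH_LEAK_RE = re.compile(r"(?:/[\w.-]+){2,}|[A-Za-z]:\\[\w\\.-]+")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def check_banner(banner):
    """Version test: flag the service if its advertised version predates the
    fix.  Only as good as the banner: a backported fix keeps the old version
    string and shows up here as a false positive."""
    m = BANNER_RE.search(banner)
    if not m:
        return Outcome.INCONCLUSIVE, "unrecognised banner"
    name, ver = m.group("name").lower(), parse_version(m.group("ver"))
    if name not in FIXED_IN:
        return Outcome.INCONCLUSIVE, f"no check for {name}"
    fixed, label = FIXED_IN[name]
    if ver < fixed:
        return Outcome.VULNERABLE, f"{name} {m.group('ver')} predates fix ({label})"
    return Outcome.NOT_VULNERABLE, f"{name} {m.group('ver')} is at or past the fix"


def classify_probe(response, success_re=ROOT_SHELL_RE, failure_re=LOGIN_FAILED_RE):
    """Three-way verdict for an active probe: success marker present means
    vulnerable, the normal failure message means not vulnerable, and anything
    else is inconclusive, with a note if the response leaks a filesystem path."""
    if success_re.search(response):
        return Outcome.VULNERABLE, "exploit marker present"
    if failure_re.search(response):
        return Outcome.NOT_VULNERABLE, "normal failure response"
    leak = PATH_LEAK_RE.search(response)
    if leak:
        return Outcome.INCONCLUSIVE, f"unexpected response leaks path {leak.group(0)}"
    return Outcome.INCONCLUSIVE, "unexpected response"


if __name__ == "__main__":
    for banner in ("220 acme-ftpd 2.3.9 ready", "SSH-2.0-acme-sshd_5.2.1", "220 Welcome"):
        print(banner, "->", check_banner(banner))
    for reply in ("Login incorrect", "fatal: cannot open /srv/app/etc/shadow.db"):
        print(reply, "->", classify_probe(reply))
```

The inconclusive bucket is the part most scanners lack: the path leak in the last response is exactly the kind of result the text describes, reported as a failure by a two-state scanner and lost unless somebody reads the raw log.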
The most popular and commonly known early vulnerability scanner was S.A.T.A.N. (the Security Administrator Tool for Analyzing Networks), written by Dan Farmer and Wietse Venema and released in April 1995. For obvious reasons it received a lot of bad press, and its authors got a lot of flak for the program, both because of the name and because it could be pointed at other people's networks just as easily as at one's own, but since then vulnerability scanners have become more respected, and who knows, one day they may be an effective tool in assessing the threats to systems.
C. IDSs or intrusion detection systems.
Intrusion detection systems monitor the network for traffic and processes that appear to be malicious, or that have the goal of breaking into the system, disabling it, or weakening it in any way: probes and scans, DoS attempts, overflow attempts, and so on. The system is designed to alert the administrators that the system is being attacked, ideally while the attack is still in progress.
IDSs are pretty well developed, and the majority of dangerous attacks are pretty blatant and perfectly visible to a good sensor; the real issue is with false alarms. Any number of things might set the system off: if a process crashes or a buffer overflows by accident, it very well might trigger an alert. After all, the more sensitive the system, the more attacks it notices, but also the more false alarms it raises; turn it down, and it misses real attacks instead. For this reason the sensitivity is often turned up high, which means that literally hundreds of false alarms a day could go off, especially with the growing number of computers on the network and the number of applications running; the rate also grows with the carelessness of the users (a careless employee can easily find ways to crash any number of applications).
One issue with such systems is the speed of notification. If an attack is in progress and the administrators are notified, there is still the question of what must be done, and of just what level of information needs to be relayed to the admin (and if all the information should be relayed, as one might think, how it is organized, and how long it would take for such information to be gathered, relayed, and thereby acted upon, since dangerous and malicious attacks can occasionally be executed very quickly).
There are mainly two basic ways that IDSs are built and operated, and it's safe to say that neither of them is particularly efficient and certainly nothing close to foolproof.
I. The most common, and arguably the easiest to design and implement, is what is known as misuse detection (also called signature detection). Much like a virus scanner looks for certain byte strings that signify known malicious code from its database of viruses, trojans, etc., an IDS built on misuse detection scans all the traffic, coming remotely or from within the system, for strings and patterns that are in its programmed database of known attacks. However, this makes them very easy to bypass, because if a skilled attacker puts a twist on existing attack code, the IDS would likely not notice, since it isn't programmed to find anything that matches the code the attacker wrote. Often enough a small variation on popular code (a different encoding, a reordered request, an extra space) is enough to slip through the average system, which is why a good signature engine normalizes what it sees (decoding URL encoding, for instance) before matching. The handling of the data that is output to the admins, and the relaying of an attempted break-in, is pretty much the same in both methods, as described above.
II. The other style of IDS is what is known as anomaly detection. Anomaly detection works like this: a profile of the network of computer systems, its standard processes, average traffic, number of users, etc. is created, loaded into the IDS and kept updated. Then the IDS is configured with acceptable ranges for traffic, system resources, etc., and when these ranges are exceeded, a statistical model (or, in more elaborate systems, a machine-learning one) notifies the administrators, or does whatever else it may be programmed to do (sometimes that could be shutting down the system and cutting off all connections, though this is quite rare, and I've never heard of it used as the response to an average break-in, though when sensitive data is stored on such machines it may be a necessary contingency). The biggest issue with this kind of setup is that everyday anomalies such as crashes or overflows in programs could very well be part of an intentional break-in, or could just be an accident and a small bug. The thing to keep in mind is that the IDS is not aware of the difference, and there's no conceivable way it really could be without being over-sensitive.
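Both styles side by side, as an added example of my own (not code from the article or from any IDS product), run over a handful of constructed web-server log lines. The signature engine shows the evasion described in section I: the same traversal and injection attempts, once URL-encoded, slip past naive string matching and are caught only after the request is decoded. The anomaly detector flags a client whose request rate falls outside a learned baseline. The log lines, the two signatures, the baseline counts and the threshold are all constructed for this example.

```python
"""Added example: misuse (signature) and anomaly detection over constructed
web-server log lines.  Everything here (log lines, signatures, baseline,
threshold) is constructed for the demo."""
import re
import statistics
from urllib.parse import unquote

# Constructed log lines: time, client, method, request, status.
LOG_LINES = [
    "10:00:01 10.0.0.7 GET /index.html 200",
    "10:00:02 10.0.0.7 GET /images/logo.png 200",
    "10:00:03 203.0.113.9 GET /cgi-bin/view?file=../../etc/passwd 404",
    "10:00:04 203.0.113.9 GET /login?user=admin'%20OR%201=1-- 200",
    "10:00:05 198.51.100.4 GET /cgi-bin/view?file=..%2F..%2Fetc%2Fpasswd 404",
    "10:00:06 10.0.0.8 GET /about.html 200",
]

# Misuse detection: a tiny signature database.
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
]


def misuse_detect(lines, normalise=True):
    """Return (client, signature name, raw request) for every hit.  With
    normalise=False the patterns run against the raw request, as a naive
    engine would; with normalise=True the request is URL-decoded first, so an
    attacker cannot hide "../" as "..%2F"."""
    hits = []
    for line in lines:
        _time, client, _method, request, _status = line.split()
        target = unquote(request) if normalise else request
        for name, pattern in SIGNATURES:
            if pattern.search(target):
                hits.append((client, name, request))
    return hits


# Anomaly detection: requests per minute per client, against a learned baseline
# (constructed counts standing in for a week of "normal" traffic).
BASELINE_PER_MINUTE = [4, 5, 6, 5, 4, 6, 5, 5, 4, 6]


def anomaly_detect(observed, baseline=BASELINE_PER_MINUTE, k=3.0):
    """Flag clients whose count exceeds mean + k standard deviations of the
    baseline.  k is the sensitivity knob the text talks about: lower it and
    more real scans are caught, but so are more busy-but-legitimate clients."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    threshold = mean + k * sd
    return {client: count for client, count in observed.items() if count > threshold}


if __name__ == "__main__":
    print("naive:", misuse_detect(LOG_LINES, normalise=False))
    print("normalised:", misuse_detect(LOG_LINES))
    print("anomalous:", anomaly_detect({"10.0.0.7": 6, "10.0.0.8": 7, "203.0.113.9": 120}))
```

With normalisation off, only the literal "../" on the third line is caught; the encoded traversal from 198.51.100.4 and the "%20"-spaced injection from 203.0.113.9 go unnoticed. Decoding first catches all three, which is the cheapest defence against the "small variation" problem; it does not help against attack traffic that is genuinely novel, which is what the anomaly side is for.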
Some other issues to consider are what happens if the IDS itself is attacked or flooded with more traffic than it can inspect; this is why often several IDS sensors are active, so as to watch each other, in so many words. A whole can of worms is opened when IDSs are put into action on systems, and for many reasons some companies avoid them altogether. It's important that a good IDS is not an excuse for poor security; prevention to begin with is the more important goal for network security.
D. Side-channel exploits.
Side-channel exploits are cryptanalytic attacks that go after the implementation of a crypto-based security tool rather than the algorithm itself, using information that leaks from the physical operation of the device: how long an operation takes, how much power it draws, how it behaves when a fault is induced. As I said in the introduction, the spotlight first fell on side-channel exploits when Paul Kocher showed in 1995 that the private key of an RSA implementation could be recovered simply by measuring how long it took to perform private-key operations on chosen inputs. The same family of techniques is used these days against smart cards and other such security hardware, proving that what was once thought to be foolproof is quite not.
The idea with side-channel exploits is that some naturally occurring, observable quantity (like time, in the RSA instance) depends on the secret being used. The attacker builds a model of the implementation that predicts the observable for each possible value of a small piece of the key, assuming the same starting point (the same inputs) as the device under attack, and then compares the predictions with what is actually measured; the candidate whose predictions fit best is the right one, and the attacker moves on to the next piece. This sounds difficult, and it is: the measurements are noisy, so many of them have to be combined statistically, and it usually takes a mathematical mind to take advantage of side-channel exploits to their fullest.
The most common attacks are those based on timing to one degree or another. Essentially an attacker measures the time taken by various operations that depend on the key; each measurement yields a little information about the key, and enough of them narrow it down to a small range that can be brute-forced in a fairly painless and timely manner. Such attacks have been found against plenty of the high-tech systems in effect today, and the standard defence is to make the operation take the same time regardless of the secret (constant-time code, or blinding the inputs so that the attacker cannot predict the timing).
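The simplest instance of the timing attack, as an added example (my own illustration, not from the article): a token check that stops at the first wrong byte leaks, through its running time, how long a prefix of the guess was correct, so the secret can be recovered a byte at a time with at most 256 queries per byte instead of 256 to the power of the length. To keep the attack reproducible the "time" the attacker measures is modelled here as the number of byte comparisons the check performed rather than wall-clock time; on real hardware the attacker takes many timing samples per guess and averages out the noise. The secret and the verifier are constructed for the example; the constant-time fix is the standard library's hmac.compare_digest.

```python
"""Added example: a timing side channel against an early-exit comparison, with
the observable modelled as a comparison count for reproducibility, and the
constant-time fix.  Secret and verifier are constructed for this demo."""
import hmac


class EarlyExitVerifier:
    """Leaky check: returns as soon as a byte differs, so the work done (and
    the time taken) grows with the length of the guess's correct prefix."""

    def __init__(self, secret):
        self._secret = secret
        self.steps = 0          # stand-in for the elapsed time of the last check

    def check(self, guess):
        self.steps = 0
        if len(guess) != len(self._secret):
            return False
        for a, b in zip(guess, self._secret):
            self.steps += 1
            if a != b:
                return False
        return True


class ConstantTimeVerifier:
    """Fixed check: compare_digest examines every byte whatever the mismatches,
    so the observable is the same for every guess of the right length."""

    def __init__(self, secret):
        self._secret = secret
        self.steps = 0

    def check(self, guess):
        self.steps = len(self._secret)
        return hmac.compare_digest(guess, self._secret)


def timing_attack(verifier, length):
    """Recover the secret one byte at a time: at each position try all 256
    values and keep the one whose check ran longest.  A full match (check()
    returning True) settles the last byte, where the step count alone cannot
    distinguish right from wrong.  Returns (recovered bytes, oracle queries)."""
    recovered = bytearray(length)
    queries = 0
    for i in range(length):
        best_value, best_steps = 0, -1
        for candidate in range(256):
            recovered[i] = candidate
            queries += 1
            if verifier.check(bytes(recovered)):
                return bytes(recovered), queries
            if verifier.steps > best_steps:
                best_value, best_steps = candidate, verifier.steps
        recovered[i] = best_value
    return bytes(recovered), queries


if __name__ == "__main__":
    secret = b"s3cr3t"                                   # constructed secret
    print(timing_attack(EarlyExitVerifier(secret), len(secret)))     # recovers it
    print(timing_attack(ConstantTimeVerifier(secret), len(secret)))  # gets nowhere
```

Against the leaky verifier the attack succeeds in under 256 times 6 queries; against the constant-time one every candidate looks identical, the attacker's "best" guess is just the first one tried, and the only thing left is the full brute force the text describes.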
Closely related is what is known as fault analysis. Fault analysis is when an attacker deliberately introduces faults into the system, by glitching the clock or the power supply for instance, and observes the effect on the output; a single faulty signature from an RSA implementation that uses the Chinese remainder theorem can be enough to recover the private key. The larger the system gets, the more places there are where a fault can be induced, and a good deal of them cannot be prevented outright. The steps that can be taken are to check results before releasing them (verify a signature before outputting it), to add redundancy to the computation, and to apply different protections to each section of the system (this is what usually ends up being done).
Side-channel exploits also include attacks directly against hardware. A smart card draws its power from the reader, so an attacker who controls the reader can record the card's power consumption while it computes and read the key out of the trace (power analysis), or cut or glitch the power at a chosen moment to induce the faults described above.
Side-channel attacks are sensitive by their very nature, being largely hardware-dependent: a timing or a power trace that leaks on one device may not leak on another, and a countermeasure that works on one may not carry over. It is very unlikely that a vast system built from many different devices will be particularly secure against them unless each part is examined on its own.
E. Steganography.
Steganography is the art or science of hiding messages within other messages (usually of a different medium, like text within an image, etc.). Steganography isn't all that important to network security for the average person, and isn't something used on a daily basis by most, but I felt it warranted some mention in this article, because I believe it has a greater future in communications over the internet. One could think of it as a companion to encryption rather than a replacement: encryption hides what a message says, steganography hides that there is a message at all, and there's no question in my mind that the two together very well may be the new-age way to keep things private.
Firstly, steganography is both extremely similar to plaintext ciphers and, from another direction, extremely different. Algorithms are used just as they are in text ciphers, but of course they consist of different functions and are not interchangeable between mediums. In my example I'll be describing an image hiding a message. Most algorithms do a few things: they pick which pixels will carry the message (a key can decide the selection, so that a reader without the key doesn't even know where to look), and then they alter the least significant bit of each chosen pixel's colour value to carry one bit of the message. A change of one in a value out of 256 is invisible to the eye, so, contrary to what one might expect, the message is not made visible by degrading the picture, and magnifying the image will not reveal it. Finding it without the key (steganalysis) is a matter of statistics, looking for the slight change in the distribution of least significant bits that embedding leaves behind, which is also why the message is usually encrypted before it is hidden, so that even a detected payload reads as random noise.
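Keyed least-significant-bit embedding, as an added example of my own (not code from the article or from any steganography tool). The "image" is a constructed 64x64 greyscale buffer with one byte per pixel, the key and message are constructed too, and the key schedule (Python's random.Random seeded with the key to permute pixel indices) is a demonstration choice, not a standard. Each carrying pixel changes by at most one grey level, and a reader with the wrong key gets nothing useful.

```python
"""Added example: keyed LSB steganography over a constructed 8-bit greyscale
pixel buffer.  Cover, key, message and the key-to-permutation scheme are all
constructed for this demo."""
import random

# Constructed 64x64 greyscale "image" with a smooth gradient, 1 byte per pixel.
COVER = bytes((x * 7 + 13) % 256 for x in range(64 * 64))
KEY = b"example-key"
MESSAGE = b"meet at dawn"


def _carrier_order(key, n_pixels):
    """Key-dependent permutation of pixel indices (same key -> same order).
    Demo key schedule; a real tool would derive this from a proper KDF."""
    order = list(range(n_pixels))
    random.Random(key).shuffle(order)
    return order


def _to_bits(data):
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def _from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def embed(cover, message, key):
    """Write a 16-bit length header followed by the message into the least
    significant bits of the key-selected pixels."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for the 16-bit header")
    bits = _to_bits(len(message).to_bytes(2, "big") + message)
    if len(bits) > len(cover):
        raise ValueError("cover image too small for this message")
    stego = bytearray(cover)
    for pos, bit in zip(_carrier_order(key, len(cover)), bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)


def extract(stego, key):
    """Read the header from the first 16 key-selected pixels, then the message.
    Returns None when the claimed length does not fit the image, which is the
    usual result of reading with the wrong key."""
    order = _carrier_order(key, len(stego))
    length = int("".join(str(stego[p] & 1) for p in order[:16]), 2)
    total = 16 + 8 * length
    if total > len(stego):
        return None
    return _from_bits([stego[p] & 1 for p in order[16:total]])


def max_pixel_change(cover, stego):
    """How visible is the embedding?  Never more than one grey level."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    stego = embed(COVER, MESSAGE, KEY)
    print(extract(stego, KEY))                 # b'meet at dawn'
    print(max_pixel_change(COVER, stego))      # 1
    print(extract(stego, b"wrong-key"))        # None or garbage, never the message
```

Note that the key only hides where the bits are; it does not hide that the least significant bits of those pixels are now message-shaped rather than image-shaped, which is what steganalysis looks for. Encrypting the message before calling embed is what makes a recovered payload look like noise.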
Steganography is not nearly as common as plaintext encryption, and its reputation suffers from the fact that historically it has been used by subversives or by warring countries to send messages to spies, etc. But I believe that in time to come, commercial and free programs offering steganography algorithms together with encryption will very likely gain some speed and popularity; after all, privacy in communications is one of the most important issues of the wired, and soon to be wireless, world.
I hope you all enjoyed the article, and learned something.