Security in Wide Area Networks
A connection to the Internet opens up the local network to an infinite number of security problems and potential attackers. The problems you have with users on the local network are small when compared to an attack by someone skilled in modern hacking techniques. When a network is connected to the Internet, there is all the more reason to further increase security on all local host computers. A good firewall, to serve as a single point of control for the Internet connection, is necessary to bolster your defenses. In the next few sections, you will examine some of the kinds of problems that can occur so that you will better understand why a firewall is necessary and why an Internet connection should not be taken for granted.
Network Protocol Backdoors and Holes
TCP/IP and many of its related protocols and utilities were developed years ago when the security threats to the Internet were minimal compared to the problems of today. Thus, most of these protocols and utilities were not written with security as a priority. Instead, they were designed for functionality and portability. That concept helped spread TCP/IP to many different computer platforms, and today it is the protocol suite that connects the Internet.
For more information about the TCP/IP suite and related protocols and services, see Chapter 2, "Introduction to the TCP/IP Protocol Suite," page 25.
Some of the utilities that were created turned out to have significant bugs that could be used to the advantage of someone with mischief in mind. The sendmail application, for example, has been abused many times over the years to cause headaches for network administrators. Sometimes a simple program design can cause an application to crash in a way that the designer had not anticipated. Memory buffers can overflow and if the program does not trap the unexpected error, the applications could then crash or behave in otherwise unexpected ways. It is when a hacker discovers a bug such as this and uses it to gain privileges or access that this kind of programming error becomes a security problem.
Unfortunately, it will be a long time before computers are designed that can catch all the mistakes that a human can make, so you can expect to see new programs come out and over the next few months watch as bugs are discovered. It is sometimes a good idea to lag behind leading-edge technology for a short time to see what does come about.
Keep up-to-date on patches and security advisories from vendors for the operating systems and applications that you use.
Keeping up-to-date on new security advisories is not as hard as it seems. There are several good Web sites that post documents describing new security problems as they are discovered, and many times procedures, patches, or other solutions that can help defend against the problem. Check out Appendix C, "Additional Resources," for a list of Web sites and mailing lists that relate to security issues.
What Is Source Routing and Why Is It Not a Good Idea?
The IP protocol is an unreliable connectionless protocol. For the most part, the only information about a packet's destination that is available to the IP protocol is the source and destination addresses contained in the IP header. Other routing protocols implement the mechanisms for deciding which path a packet will take through the Internet to reach its final destination.
In Chapter 2, "Introduction to the TCP/IP Protocol Suite," the fields of the IP header were examined. You will remember that the Options field can be used to specify a route that the packet should take. This is called source routing, and it was developed for such uses as debugging network problems and other maintenance chores. This feature can be exploited by a hacker easily to get a packet inside your network that appears to have originated there. The packet contains a forged IP address that is valid on your network. The source routing options are used to specify a path that the packet should take to get to its destination.
Firewalls should be configured to drop all packets that have the source routing option turned on.
Not all hackers are scheming to break into your network to steal information. Some simply want to aggravate you. A denial-of-service attack is a general term for the many methods that can be used to keep you from using part or all of the network. The goal of the attacker is usually one of the following:
Overload a limited resource
Crash a network device or host computer
Reconfigure a resource to render it useless
Overloading a limited resource can manifest itself in many different ways. One simple way is to fill up a hard disk so that no one else can use it. This is why you should monitor closely any disk storage allocated to an anonymous FTP service that allows users to upload files. Obviously, you wouldn't place the root for an FTP service on the same disk as you would an operating system. Similarly, you should not place it on any disk that is used by another application or service that can suffer from such an attack.
Other valuable resources include memory, network bandwidth, and CPU time. Resources don't have to be physical components of the host computer. The SYN flooding attack works by filling up the queue that TCP uses to hold incoming connection requests for a particular port. Even if there is more memory available in the computer that can be used, it doesn't matter because the queue itself is limited by how the TCP/IP stack was implemented for the particular computer system.
Crashing a host computer obviously prevents it from servicing client requests. Some attacks that do this do so by exploiting bugs in the operating system or in network services. Sometimes, all that is necessary is to crash the application that provides the network service.
Reconfiguring a host can occur after an intruder has penetrated your network and has been able to modify operating system or application configuration files. This is why it is so important that the computers you use to provide network services be fully secured using the mechanisms provided by the operating system.
Chapter 6, "Using a Bastion Host," page 131 and Chapter 8, "Operating System Monitoring and Auditing Techniques," page 177, can assist you in constructing a secure host.
It is also possible to reconfigure network information, such as routing tables, by using the ICMP protocol. This type of attack can make it appear that a host is unreachable when it is actually still on the network. If the router's routing table doesn't have accurate information about how to reach a given destination, it doesn't matter if the destination node is up or down because traffic won't reach it anyway.
The problem with trying to defend yourself against a denial-of-service attack is that you only have control over your network, not the entire Internet. Some attacks can be stopped at the firewall.
The TCP protocol is connection-oriented and uses a three-way handshake method to set up a connection before the actual data transfer can begin. The TCP header uses several fields to set up and manage the connection. The Sequence Number field is used to keep track of the order of packets exchanged. The SYN Flag field is used to start a connection request. The ACK Flag field is used to acknowledge a packet. The FIN Flag field is used to terminate a connection when the sender is finished.
The three-part handshake method used to set up a connection is a simple exchange of packets, as you can see in Figure 3.1.
Figure 3.1 A three-part handshake is used to set up a TCP connection.
The sequence of events is as follows:
Host A sends a packet to Host B with the SYN bit set to a value of 1. The Sequence Number field is set to the initial sequence number that Host A will use.
Host B sets up several data structures in memory to be used in managing the connection and then responds to the connection request by sending a packet to Host A with the ACK field set to 1 to acknowledge Host A's packet. This second packet in the handshake also has the SYN bit set to 1, telling Host A that the Sequence Number field of this packet contains Host B's initial sequence number.
Finally, when Host A receives an acknowledgement from Host B, Host A sends an acknowledgement back to Host B, acknowledging Host B's initial sequence number.
Under normal circumstances, a connection is set up, and the two hosts can then begin to exchange data. What happens if the sender of the initial connection request, Host A, uses a spoofed IP address in its first packet as the source address? When Host B tries to send an acknowledgement, it never gets back to Host A. Instead, the connection eventually times out, and Host B releases the memory used by the connection.
This is the method used to cause a SYN flood. The attacking host keeps sending connection request messages with a source IP address that is unreachable or does not exist. The receiving host keeps allocating in-memory data structures and starting timers for the connection attempts until it eventually runs out of resources and then begins to refuse further connection attempts. It is important that the spoofed IP address be one that cannot be reached by the attacked host. If not, the real host identified by the spoofed IP address might send a packet to the attacked host with the reset flag set, telling the attacked host to immediately terminate the connection. Because the purpose of the SYN flood is to keep resources tied up, this is not desirable.
An intelligent packet filter can be used to prevent this kind of attack by keeping track of incoming packets that have the SYN flag bit set and applying a little logic to compare IP addresses, port numbers, and other header information. When it appears that such an attack is being attempted, the other packets arriving on the external network interface can be dropped so that they don't get to the internal host that is being attacked.
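The handshake and the SYN flood described above, as an added example that is not code from the book: a model of Host B's half-open connection queue with per-entry timers, fed spoofed SYNs that never complete, plus the kind of stateful SYN counter the text calls an intelligent packet filter. Backlog size, timeouts, thresholds and addresses are constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class HalfOpen:
    """State Host B keeps after answering a SYN with SYN-ACK (step 2 of the handshake)."""
    src: str
    sport: int
    isn: int          # client's initial sequence number, taken from its SYN
    expires: float    # simulated time at which Host B gives up waiting for the ACK


@dataclass
class Listener:
    """A listening port with a fixed-size queue of half-open connections."""
    backlog_max: int
    syn_timeout: float
    backlog: dict = field(default_factory=dict)   # (src, sport) -> HalfOpen
    refused: int = 0

    def expire(self, now: float) -> None:
        """Release entries whose timer ran out; spoofed requests only ever leave this way."""
        for key in [k for k, e in self.backlog.items() if e.expires <= now]:
            del self.backlog[key]

    def on_syn(self, now: float, src: str, sport: int, isn: int) -> str:
        self.expire(now)
        if (src, sport) in self.backlog:
            return "retransmit"
        if len(self.backlog) >= self.backlog_max:
            self.refused += 1                      # queue full: the request is turned away
            return "refused"
        self.backlog[(src, sport)] = HalfOpen(src, sport, isn, now + self.syn_timeout)
        return "syn-ack"

    def on_ack(self, now: float, src: str, sport: int) -> str:
        """Step 3: the ACK completes the handshake and frees the backlog slot."""
        self.expire(now)
        return "established" if self.backlog.pop((src, sport), None) else "no-state"


class SynMonitor:
    """Stateful check in front of the listener: how many SYNs seen on the external
    interface are still waiting for their ACK?  Counting per source address is
    useless when every SYN carries a different spoofed address, so the total is used."""

    def __init__(self, stale_after: float, threshold: int):
        self.stale_after = stale_after
        self.threshold = threshold
        self.pending: dict = {}                    # (src, sport) -> time the SYN was seen

    def on_syn(self, now: float, src: str, sport: int) -> None:
        self.pending[(src, sport)] = now

    def on_ack(self, now: float, src: str, sport: int) -> None:
        self.pending.pop((src, sport), None)

    def stale_count(self, now: float) -> int:
        return sum(1 for t in self.pending.values() if now - t >= self.stale_after)

    def under_attack(self, now: float) -> bool:
        """True when enough SYNs have gone unanswered; a filter would then drop further SYNs."""
        return self.stale_count(now) >= self.threshold


def run_scenario() -> dict:
    """Constructed timeline: one spoofed SYN per second from addresses that never
    answer, with a legitimate client trying to connect during and after the flood."""
    listener = Listener(backlog_max=8, syn_timeout=30.0)
    monitor = SynMonitor(stale_after=5.0, threshold=5)
    legit = ("198.51.100.7", 51515)                # constructed real client
    accepted = 0
    for i in range(20):
        src = f"203.0.113.{i}"                     # constructed spoofed source addresses
        monitor.on_syn(float(i), src, 40000 + i)
        if listener.on_syn(float(i), src, 40000 + i, isn=1000 * i) == "syn-ack":
            accepted += 1
        if i == 10:                                # a real client arrives mid-flood
            monitor.on_syn(10.5, *legit)
            first_try = listener.on_syn(10.5, *legit, isn=777)
            alert = monitor.under_attack(10.5)
    # Once the oldest half-open entries time out, a slot frees up and the retry succeeds.
    monitor.on_syn(31.0, *legit)
    retry = listener.on_syn(31.0, *legit, isn=778)
    monitor.on_ack(31.1, *legit)
    completed = listener.on_ack(31.1, *legit)
    return {"spoofed_accepted": accepted, "refused": listener.refused,
            "first_try": first_try, "alert_mid_flood": alert,
            "retry": retry, "completed": completed, "backlog_after": len(listener.backlog)}
```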
ICMP Redirects and Other ICMP Problems
The Internet Control Message Protocol (ICMP) is responsible for providing status and control capabilities for the Internet Protocol. For example, a server can send an ICMP Source Quench message to another host to tell it that it is sending packets at a rate that is too fast for the server to handle at this time. Another useful function that is implemented using ICMP is the ability to PING a network node to determine if it is reachable. PING uses the Echo Request and Echo Reply message types to do this.
For a list of message types used by ICMP and a description of their function, see "The Internet Control Message Protocol (ICMP)," in Chapter 2, page 34.
Unfortunately, there are some message types that can be exploited by hackers to cause you problems. One in particular is the Redirect message type. It was created to allow one router to tell another that a better route exists for a particular destination.
Consider this example. Router B receives an IP packet from Router A that is destined for Router X. Router B does have the capability of sending the packet to another hop in its journey to Router X but, on consulting its routing table, finds that there is a quicker route that Router A can use to get the packet delivered. In this case, Router B can send an ICMP Redirect packet back to Router A to tell it of this new route. If Router A is responding to Redirect messages, it updates its own routing table, and from then on when it wants to send an IP packet to Router X, it uses the new route and does not route the packet to Router B.
The problem with ICMP Redirect (and all other ICMP message types) is that the simple ICMP protocol has no method for authenticating the source of the message. It can be used to cause a denial-of-service attack on your network. It isn't difficult to forge ICMP packets. By sending Redirect messages to your routers, an outsider can reconfigure your network routing tables. In addition to this denial attack, the Redirect message can be used to cause your network traffic to be routed through one or more hosts that the attacker has control of, thereby making it easier for him to perform further malicious acts against you.
Similarly, the Destination Unreachable message is used to tell a router that the destination of an IP packet is unreachable. By forging Destination Unreachable packets, an outsider can make it appear to your clients that other important hosts cannot be reached. For these reasons, blocking incoming ICMP Redirect and Destination Unreachable messages is a good idea.
In addition to being very useful when troubleshooting network problems, the PING utility is very useful when trying to gather information about a network. One of the functions of a good firewall is to prevent anyone outside your network from gathering any information about the hosts on your network. Every little bit of information a hacker can obtain leads him closer to finding a way to break into your network or to cause you trouble. At the firewall you might want to consider blocking at least the incoming ICMP Echo Request messages. You are still able to PING hosts outside your network because outgoing Echo Request messages and incoming Echo Reply messages are not blocked.
Ping of Death
This attack showed up a few years ago and involves sending an ICMP packet that is grossly oversized when compared to a normal Echo Request packet, which is usually 64 bytes. Instead, sending a packet that is larger than the maximum size allowable, or greater than 65,536 bytes, crashes some operating systems. The IP layer would have to break up such a packet into fragments, of course, but when they get to the destination host they are reassembled and the attack succeeds. This was not limited to just different variants of UNIX or Linux. The Ping of Death proved harmful to a large number of operating systems.
Fortunately, all major vendors have patches that can be used to prevent this attack from succeeding. If you are installing a new system using source CDs that are more than a year or two old, you might not be protected. Read the documentation and, as always, check with the vendor's Web site to look for updates and patches to all operating system software that you use.
Distributed Denial-of-Service Attacks
When a server is subjected to a denial-of-service attack from a single host somewhere on the Internet, it can be very disruptive. Just a few years ago, several new sets of tools designed for the hacker's toolkit were developed that allow the attacker to use multiple computers to mount an overwhelming attack on an unsuspecting victim. The first of these tools was called Trin00, which was followed by Tribe Flood Network (TFN). A newer version called TFN2K (for Tribe Flood Network 2000) has recently been found. A tool that goes by the name of Stacheldraht (German for barbed wire) is the newest of the crop.
What makes these tools different from those used in earlier forms of denial-of-service attacks is the distributed nature of the attack, which is coordinated by a single host managed by the attacker. In Figure 3.2 you can see a simple overview of the method of attack and start to see why it can be such a problem.
Figure 3.2 A single attacking computer coordinates attacks by multiple systems all concentrating on a single target.
This is not an easy attack to mount. The attacker must first infiltrate other vulnerable systems (those with only weak security measures in force) so that he can build up a roster of systems to use as handlers and agents. The systems that are designated to be agents carry out the actual attack on the target system. They are controlled by the systems designated by the attacker to be handlers. At the top of this control structure is the attacker's computer.
Read More About Distributed Attack Tools
At the Computer Incident Advisory Capability Web site of Lawrence Livermore National Laboratory, you can find the latest advisory bulletins about recent discoveries as well as an archive of bulletins from the past few years. Bulletin CIAC-2319, "Distributed Denial of Service," covers distributed attack tools in detail and offers recommendations for defending your site against them. You can get to the CIAC Web site by using the URL:
Trin00 uses TCP/IP for communications and is capable of sending a flood of UDP packets to the targeted victim. The newer tools are more sophisticated, using encryption for their communications and allowing the attacker to choose several different types of attack. These include UDP, SYN, and ICMP floods, or a combination of them.
The distributed nature of the attack allows the agents to overwhelm the network connection of the target host. Any legitimate traffic trying to compete with this flood of packets is either shut out completely or works at a very slow pace. The encryption in later versions of these tools and the use of forged addressing information can make it difficult to track down the original computer used by the attacker to begin the onslaught. The target of this flood is not the only victim in the attack, however. The agents that were infiltrated by the attacker when he was planning the attack are also victims. These agents don't have to be high-speed servers on a business network. They can be home PCs hooked up to the Internet using DSL or some other high-speed access that stays online as long as your computer is booted up.
This gives the attacker literally millions of systems that can be commandeered into the attack forces because most home computer users don't know a great deal about how to secure their computers to protect them from the initial break-in.
Not all network links use the same size for frames of data transmitted through them. Because the Internet is a wide collection of interconnected networks, this means that it is possible for an IP packet, which is being routed through a particular link, to be larger than the size that the link allows. The IP protocol is capable of breaking a packet into several smaller packets and reassembling them when they get to their final destination.
To review the header fields of an IP packet, see "Examining the Contents of an IP Datagram" in Chapter 2, page 45.
There are several header fields of an IP datagram that are used to control the fragmentation process. The Fragment Offset field indicates where in the original packet this fragment fits. Because fragments can arrive out of the order that they were sent and because fragments from different messages can be arriving at a host intermixed, the Identification field is used to identify fragments that belong to the same original message. The Flags field is used to indicate which fragment is the final part of the message. When all fragments have arrived at a host, they are reassembled and sent up the protocol stack.
Remember that the TCP protocol places its own header on messages and then passes the result down the stack to the IP protocol, which then attaches its own header to the packet. At this point as far as IP is concerned, the TCP header is part of the IP packet's payload, just like the actual data contained inside the packet. Thus, when IP needs to fragment the message, the TCP header, which is at the beginning of the payload, is placed into the first fragment (see Figure 3.3). The remaining fragments contain the rest of the TCP packet, but no TCP header information.
Figure 3.3 The TCP header is found only in the first IP fragment.
As long as the packet is reassembled correctly, there is no problem. However, this means that when fragments pass through a packet filter in the firewall, only the first fragment can be filtered based on TCP header information, such as the port number. Remember that the port number for TCP and UDP is used to indicate the network service that the packet is used for. This means that although the packet filter can block the first fragment if it violates some access rule you have set up, the remaining fragments cannot be examined based on TCP information and can pass through.
An old trick for getting a packet past the packet filter is to simply set the fragment sequence number field in the IP packet to a value of 1 so that it looks as if it is a fragment of a larger packet. This value would be 0 if it were the first fragment containing the TCP header information. Because the router assumes that the fragment is not the first in the sequence, there is no TCP header information to be checked, so the packet does not get evaluated against rules that the router might have to block certain ports.
Older TCP/IP stacks would sometimes reassemble multiple fragments that get through even if fragment 0 never arrives, just so long as the fragments make up a valid packet when reassembled, that is, the packet passes its checksum checks. Another method is to simply send a packet that is already complete, with the sequence number set to 1 and the FIN Flag bit set to 1, indicating that it is the last fragment.
To be sure that your host computer is protected from this kind of attack, review the documentation that comes with it and any updates or service packs that are available.
Viruses and Trojan Horses
A firewall cannot protect you from everything. Sometimes, no matter how good the security precautions and user training, a malicious program, such as a virus or Trojan Horse program, gets into your network. Viruses can hide inside other programs or even in the boot sector of a disk. Trojan Horse programs appear to be something that they are not. Both can cause significant damage if not detected in time. This can happen when a user brings in software on a floppy disk or downloads a program from the Internet. Email exchanges can also provide an easy route into the network.
The problem of these destructive programs existed before the Internet became popular. However, the Internet now gives these kinds of programs a whole new breeding ground and distribution network. There are sites that post information on how to write these kinds of programs, along with sample code and instructions for defeating security devices.
Some firewalls can provide limited protection in that they can look for indications, or fingerprints, for known virus programs or Trojan Horse programs. For this kind of software to function correctly, though, you need to be sure that the vendor responds to new discoveries in a timely manner and makes the updates for your detection software available to you.
Don't depend on the screening capabilities of just the firewall to protect you from these kinds of programs. Continue to be vigilant about individual host security and use virus scanning software on all hosts on the network.
Forging email is not a difficult thing to do. The Simple Mail Transport Protocol (SMTP) is not a terribly secure protocol, mainly because it lacks good authentication procedures. If someone on the Internet can connect to your mail server, usually through port 25, she can issue the necessary commands to send email that appears to come from that server, and she can use any user as the source of the forged email.
For those who do not have the time to fool around with the SMTP protocol, it is often easy to configure a mail client so that it sends messages with a forged username. As it stands today, when you receive an ordinary email message, you cannot really be 100% sure that you know where it comes from. Because of this, spoofing email can be very dangerous to the network. Try sending an email to users on your network asking them to email a copy of their password to you. If you receive any replies, you can see how dangerous spoofed email can be. It can be a tool that enables an outsider to gather information about your network. It can be a tool that allows an outsider to get files into your network.
To help eliminate the problem of identifying the creator of an email message, you can use digital signatures. There are two benefits of using a digital signature. The signature provides for the following:
Authentication of the originator of the message.
Assurance of the integrity of the contents of the message.
Digital signatures involve using a private key to encrypt a message that can only be read using the matching public key.
For more information about how digital signatures work, see Chapter 9, "Encryption Technology," page 199.
When the local network is under your control from a physical point of view, you can usually control how and when the network is accessed. Even if modems are used to allow users to dial in to the network, you can still configure their use for certain hours and use features such as call-back to help keep out potential hackers. The Internet connection, however, means that there are millions of potential hackers over whom you have no control. Any trust that you extend to other hosts on the Internet presents a possible security issue because the hacker then only has to compromise that trusted system to begin to learn more about yours.
Using a valid user account and valid password is the easiest method for breaking into a network. After all, when using a valid account and password, the intruder is not likely to get caught until someone suspects that the user is performing actions inconsistent with his job. Passwords can be guessed by the intruder, or they can be cracked by using a tool such as Crack to decipher the encrypted passwords in a supposedly secure password file.
A good password policy makes users choose passwords that are difficult to guess: more than 6 characters in length, using a combination of numeric and alphabetic characters, symbols, and uppercase and lowercase letters. You shouldn't make the password policy too restrictive, however. Often, when passwords are difficult to remember, users simply write them down. This, of course, defeats the whole purpose of using a password for authentication.
Tools available to modern hackers allow the entire processing power of a fast computer to be brought to bear when trying to crack an encrypted password file. Other programs automate the process of attempting login after login to try to guess a password using common words.
Relying on user accounts to be secure on the strength of their passwords alone is not feasible when you connect to a larger network. There are simply too many tools that make it an easy defense to break. Instead, a firewall can be used as the first barrier to outsiders, and stronger authentication techniques, using one-time passwords or external physical tokens, should be considered for networks with high security requirements.
For more information about stronger authentication techniques, see Chapter 9, "Encryption Technology," page 199.
Friendly Customer Service (Social Engineering)
An area often overlooked that makes all the difference for security implementation is user education. Too often, users are funneled through a process by the human resources department, where they sign papers indicating that they understand and will abide by the site's security policies. In fact, many do not understand everything they read in these documents, much less how important security can be. An easy tactic for getting information about a network is to simply ask someone who is already on the network.
In an earlier section, I discussed how easily an email message can be forged. Trusting users usually respond with information when they are asked by someone in authority. In fact, users should be trained to not give out information, such as a password, even to a superior. Passwords can be changed by the administrator if access to an account is required. Accounts can be created for temporary users. There is rarely ever a need to allow more than one user to share an account or resource password.
Be sure also to train users to verify any requests they receive through insecure channels, such as email, before responding. Train users that information about their workstations, network servers, and security matters should never be discussed on the telephone with anyone from outside the business.
When an intruder has gained even a small kind of access into your network, her next step is usually to create some sort of entry point that makes her job easier in the future. Creating a backdoor into a network can be as simple as creating a new user account with all privileges on an important computer. Backdoors can be created using Trojan Horse programs or by exploiting a bug in an application or operating system. A backdoor into the network can even be created by altering the configuration of the firewall or hosts that reside in the DMZ. Again, this is why individual host security should not be ignored or made second-place when a firewall is used.
Snooping: Monitoring Network Traffic
Intercepting network communications in a LAN can be as simple as connecting a host computer to the network and using a network adapter set to promiscuous mode. You can protect yourself from this by monitoring the network and placing controls on which kinds of devices can be attached to the network. On the Internet, packets can be intercepted on any link through which they travel. For this reason, insecure versions of network utilities, such as basic FTP and Telnet client software, should not be used. These applications send usernames and passwords as clear text across the network.
The Internet also offers no protection for other payloads that might be traveling in IP packets to or from your network. The only way you can ensure that you have a secure connection on the Internet is to use encryption technology, either on individual files that are transmitted or by using a virtual private network (VPN) that tunnels your network's regular protocols through an encrypted stream of data.
In Chapter 10, "Virtual Private Networks," page 211, you can learn more about encryption technology.
Because a secure communications channel is so important and because the firewall is positioned at the border of your network, you will find many firewall products that provide for VPN connections between firewalls.
IP Spoofing and Impersonation
In an IP packet, the Source Address field in the header is used to indicate the host from which the packet originated. This is one of the fields you can configure a packet filter to examine when deciding which network packets can pass through the firewall. There are some hosts you trust and some you do not. Filtering rules can be set to forward or block packets based on a host address or a network address.
How can you be sure that the source address is real? There are a number of tools freely available on the Internet that enable a malicious user to send out packets with a source address of the user's choosing. This spoofing means that your firewall might receive packets that it thinks come from a trusted host computer or network but that in fact are being generated by someone who wants to get data inside your local network.
The trusted host can be a host on the Internet that you interact with or one that is on your local network. If the spoofed IP address is an address that appears to come from inside your network, it is easy to configure the packet filter to protect you by having it simply drop all packets arriving on the external interface that have source addresses from the inside local network. This should be done on all routers connecting you to an external network because the bonds of trust between hosts on the local network are usually configured more loosely than those with hosts on the Internet.
Of course, if such a packet does get through and the target host responds, the response is sent to the host identified in the source address field, so the attacker is not able to see the response. In many cases, this does not matter. The point is that by spoofing an IP address, the attacker can get a packet into your network. For example, if the attacker had previously been able to inject a Trojan Horse program into your network that is listening on a high port number, this method could be used to send in a packet that could instruct the dangerous program to perform some action.
If the hacker already has some knowledge about your network and is willing to take the time to do so, an even more serious attack can result from IP spoofing. This kind of attack involves disabling a host on the Internet that is known to be trusted by your network and then impersonating that trusted host. The trusted host is one that has some special kind of access to your network, so that if the attacker can get a packet into your network that appears to be coming from an existing connection that the real trusted host had set up, damage can be done. The attacker disables the trusted host using some kind of denial-of-service attack and then sends a packet to your host that appears to come from the original trusted host.
This kind of attack can be complicated and involves guessing what the next sequence number will be for the interrupted connection. This isn't too difficult if the attacker is knowledgeable about TCP and how it is implemented on your host.
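The packet filter rules this chapter recommends, collected into one added example that is not the book's code: dropping packets carrying the source routing options, inbound ICMP Redirect, Destination Unreachable and Echo Request messages, fragments that carry no TCP header to check, and packets arriving from outside with an internal source address. The addresses are from the documentation ranges and the packets are constructed inline; the two fragment rules (drop a TCP fragment at offset 1, and require at least 16 bytes of TCP header in fragment 0) are this example's own choice, following RFC 1858, rather than something the text specifies.

```python
import ipaddress
import struct

LSRR, SSRR = 131, 137                  # IP option types: loose / strict source route
ICMP_UNREACH, ICMP_REDIRECT, ICMP_ECHO_REQ = 3, 5, 8
PROTO_ICMP, PROTO_TCP = 1, 6


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields the filter looks at, including the option list."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total_len, ident, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    options, i = [], 20
    while i < ihl:                     # each option is: type, length, data (NOP/END are 1 byte)
        kind = pkt[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = pkt[i + 1]
        if length < 2:
            raise ValueError("bad option length")
        options.append((kind, pkt[i + 2:i + length]))
        i += length
    return {"ident": ident, "mf": bool(frag & 0x2000), "offset": frag & 0x1FFF,
            "proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "options": options, "payload": pkt[ihl:total_len]}


class BorderFilter:
    """Rules for packets arriving on the external interface.  The only state kept is the
    Identification of first fragments already dropped, so that their remaining fragments
    (which carry no TCP header to inspect) are dropped as well."""

    def __init__(self, internal_net: str, blocked_tcp_ports: set):
        self.internal = ipaddress.ip_network(internal_net)
        self.blocked_ports = blocked_tcp_ports
        self.dropped_ids = set()       # (src, dst, ident)

    def _drop(self, h: dict, reason: str) -> tuple:
        if h["mf"]:
            self.dropped_ids.add((h["src"], h["dst"], h["ident"]))
        return ("drop", reason)

    def check(self, pkt: bytes) -> tuple:
        h = parse_ipv4(pkt)
        if h["src"] in self.internal:  # an inside address cannot legitimately arrive from outside
            return ("drop", "internal source address on external interface")
        if any(kind in (LSRR, SSRR) for kind, _ in h["options"]):
            return ("drop", "source routing option present")
        if h["offset"] != 0:           # not the first fragment: no transport header here
            if (h["src"], h["dst"], h["ident"]) in self.dropped_ids:
                return ("drop", "fragment of a datagram whose first fragment was dropped")
            if h["proto"] == PROTO_TCP and h["offset"] == 1:
                return ("drop", "offset 1 would overlay the TCP header of fragment 0")
            return ("accept", "non-first fragment")
        p = h["payload"]
        if h["proto"] == PROTO_ICMP and p and p[0] in (ICMP_UNREACH, ICMP_REDIRECT, ICMP_ECHO_REQ):
            return self._drop(h, f"inbound ICMP type {p[0]}")
        if h["proto"] == PROTO_TCP:
            if len(p) < 16:            # ports and flags must be present in fragment 0
                return self._drop(h, "first fragment too small to hold the TCP header")
            dport = struct.unpack("!H", p[2:4])[0]
            if dport in self.blocked_ports:
                return self._drop(h, f"TCP port {dport} blocked")
        return ("accept", "no rule matched")


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 1,
               mf: bool = False, offset: int = 0, options: bytes = b"") -> bytes:
    """Constructed test packets; the checksum is left zero because the filter ignores it."""
    options += b"\x00" * (-len(options) % 4)
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                         20 + len(options) + len(payload), ident, (0x2000 if mf else 0) | offset,
                         64, proto, 0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


def demo_verdicts() -> dict:
    """Each constructed packet below stands for one situation described in the text."""
    f = BorderFilter("192.0.2.0/24", blocked_tcp_ports={23})
    out, inside = "198.51.100.9", "192.0.2.10"
    syn = lambda dport: struct.pack("!HHIIBB", 40000, dport, 1, 0, 0x50, 0x02) + b"\x00" * 6
    lsrr = bytes([LSRR, 7, 4]) + ipaddress.ip_address("203.0.113.1").packed
    cases = [
        ("http", build_ipv4(out, inside, PROTO_TCP, syn(80))),
        ("telnet_first_frag", build_ipv4(out, inside, PROTO_TCP, syn(23), ident=2, mf=True)),
        ("telnet_later_frag", build_ipv4(out, inside, PROTO_TCP, b"\x00" * 8, ident=2, offset=3)),
        ("unrelated_frag", build_ipv4(out, inside, PROTO_TCP, b"\x00" * 8, ident=9, offset=3)),
        ("tiny_offset_frag", build_ipv4(out, inside, PROTO_TCP, b"\x00" * 8, ident=10, offset=1)),
        ("source_routed", build_ipv4(out, inside, PROTO_TCP, syn(80), options=lsrr)),
        ("icmp_redirect", build_ipv4(out, inside, PROTO_ICMP, bytes([ICMP_REDIRECT, 1, 0, 0]) + b"\x00" * 4)),
        ("icmp_echo_reply", build_ipv4(out, inside, PROTO_ICMP, bytes([0, 0, 0, 0]) + b"\x00" * 4)),
        ("spoofed_internal", build_ipv4("192.0.2.55", inside, PROTO_TCP, syn(80))),
    ]
    return {name: f.check(pkt)[0] for name, pkt in cases}
```

Note that "unrelated_frag" is accepted: a non-first fragment whose first fragment was never seen carries nothing the filter can judge, which is exactly the gap the text describes, and only a reassembling firewall closes it fully.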