Introduction To Network Security - Part 1

1 of 5

Wednesday, 25 September 2013

Home

http://www.firewall.cx/general-topics-reviews/security-articles/267-n...

Meet The Team!

Networking Topics

Free Cisco Lab

News

Cisco KnowledgeBase

Site Map - Alternative Menu

Linux Tutorials

Recommendations

Hot Downloads

Network Security Articles

Cisco UC500 / CCME Articles

Recommended Websites

Microsoft KB

General Topics & Reviews

Nework Security Scanner

Server Anti-Spam
Web Monitoring & Web Security
NEW! Network Fax Server !!

General Topics & Reviews

Security Articles

search...

Firewall.cx Newsletter

Home

Receive Free notification

on new articles!

Introduction To Network Security - Part 1

Downloads

Search

Site Related

Basic & Advanced Catalyst Layer 3 Switch

Configuration: Creating VLANs, InterVLAN Routing
(SVI), VLAN Security, VTP, Trunk Link, NTP
Configuration. IOS License Requirements for SVI
Routing

Introduction To Network Security - Part 1

Written by Administrator

Name

Sunday, 04 March 2012 00:00

E-mail

Article Index
Introduction To Network Security - Part 1
***************

2. The Threat To Home Users

3. Threat to the Enterprise
4. Common Security Measures
5. Intrusion Detection Systems

Firewall.cx Forums

All Pages

Community Forums

Tweet

Facebook Fans

Introduction

Show your support for

Firewall.cx!

Firewall.cx
Like

2,016

Social Media Channels

Like

Send

16 people like this.

By Sahir Hidayatullah - Firewall.cx Security Advisor

As more and more people and businesses have begun to use computer networks and the Internet, the need for a secure computing
environment has never been greater. Right now, information security professionals are in great demand and the importance of the field is
growing every day. All the industry leaders have been placing their bets on security in the last few years.
All IT venodors agree today that secure computing is no longer an optional component, it is something that should be integrated into every
system rather than being thrown in as an afterthought. Usually programmers would concentrate on getting a program working, and then (if
there was time) try and weed out possible security holes.
Now, applications must be coded from the ground up with security in mind, as these applications will be used by people who expect the
security and privacy of their data to be maintained.
This article intends to serve as a very brief introduction to information security with an emphasis on networking.
The reasons for this are twofold:
Firstly, in case you did not notice.. this is a networking website,
Secondly, the time a system is most vulnerable is when it is connected to the Internet.
For an understanding of what lies in the following pages, you should have decent knowledge of how the Internet works. You don't need to
know the ins and outs of every protocol under the sun, but a basic understanding of network (and obviously computer) fundamentals is
essential.
If you're a complete newbie however, do not despair. We would recommend you look under the Networking menu at the top of the
site...where you will find our accolade winning material on pretty much everything in networking.

Hacker or Cracker?
Download Your Free
Network Scanner

There is a very well worn out arguement against using the incorrect use of the word 'hacker' to denote a computer criminal -- the correct term
is a 'cracker' or when referring to people who have automated tools and very little real knowledge, 'script kiddie'. Hackers are actually just
very adept programmers (the term came from 'hacking the code' where a programmer would quickly program fixes to problems he faced).
While many feel that this distinction has been lost due to the media portraying hackers as computer criminals, we will stick to the original
definitions through these articles more than anything to avoid the inevitable flame mail we will get if we don't !
On to the Cool Stuff!
This introduction is broadly broken down into the following parts :

System Login
Username

Password

Remember Me

Login With Facebook

Register for this site

Forgot Username?
Forgot Password?

The Threat to Home Users

The Threat to the Enterprise
Common Security Measures Explained
Intrusion Detection Systems
Tools an Attacker Uses
What is Penetration-Testing?
A Brief Walk-through of an Attack
Where Can I Find More Information?
Conclusion

The Threat to Home Users

Many people underestimate the threat they face when they use the Internet. The prevalent mindset is "who would bother to attack me or my
computer?", while this is true -- it may be unlikely that an attacker would individually target you, as to him, you are just one more system on
the Internet.
Many script kiddies simply unleash an automated tool that will scan large ranges of IP addresses looking for vulnerable systems, when it finds
one, this tool will automatically exploit the vulnerability and take control of this machine.

Recommended Downloads
-

Web Security
Server AntiSpam
Network Scanner
IDS Security Manager
Web-Proxy Monitor
FTP / TFTP Servers
Cisco VPN Client
Network Fax Server

The script kiddie can later use this vast collection of 'owned' systems to launch a denial of service (DoS) attacks, or just cover his tracks by
hopping from one system to another in order to hide his real IP address.
This technique of proxying attacks through many systems is quite common, as it makes it very difficult for law enforcement to back trace the
route of the attack, especially if the attacker relays it through systems in different geographic locations.
It is very feasible -- in fact quite likely -- that your machine will be in the target range of such a scan, and if you haven't taken adequate
precautions, it will be owned.
The other threat comes from computer worms that have recently been the subject of a lot of media attention. Essentially a worm is just an

25/09/2013 7:47

Introduction To Network Security - Part 1

2 of 5

More Articles
A Networked World:
New IT Security
Challenges
Introduction To
Network Security Part 2
Host-Based IDS vs
Network-Based IDS
(Part 2 - Comparative
Analysis)
Host-Based IDS vs
Network-Based IDS
(Part 1)
Combat Intruders with
LANguard S.E.L.M
What you Need to
Know About Intrusion
Detection Systems
Keeping IDS In-House
What Are IDSes & Why
Are They Worth
Having?
Web Monitoring for
Employee Productivity
Enhancement
Security Threats: A
Guide for Small &
Medium Businesses

http://www.firewall.cx/general-topics-reviews/security-articles/267-n...

exploit with a propagation mechanism. It works in a manner similar to how the script kiddie's automated tool works -- it scans ranges of IP
addresses, infects vulnerable machines, and then uses those to scan further.
Thus the rate of infection increases geometrically as each infected system starts looking for new victims. In theory a worm could be written
with such a refined scanning algorithm, that it could infect 100% of all vulnerable machines within ten minutes. This leaves hardly any time for
response.
Another threat comes in the form of viruses, most often these may be propagated by email and use some crude form of social engineering
(such as using the subject line "I love you" or "Re: The documents you asked for") to trick people into opening them. No form of network level
protection can guard against these attacks.
The effects of the virus may be mundane (simply spreading to people in your address book) to devastating (deleting critical system files). A
couple of years ago there was an email virus that emailed confidential documents from the popular Windows "My Documents" folder to
everyone in the victims address book.
So while you per se may not be high profile enough to warrant a systematic attack, you are what I like to call a bystander victim.. someone
who got attacked simply because you could be attacked, and you were there to be attacked.
As broadband and always-on Internet connections become commonplace, even hackers are targetting the IP ranges where they know they will
find cable modem customers. They do this because they know they will find unprotected always-on systems here that can be used as a base
for launching other attacks.

The Threat to the Enterprise

Most businesses have conceded that having an Internet presence is critical to keep up with the competition, and most of them have realised
the need to secure that online presence.
Gone are the days when firewalls were an option and employees were given unrestricted Internet access. These days most medium sized
corporations implement firewalls, content monitoring and intrusion detection systems as part of the basic network infrastructure.
For the enterprise, security is very important -- the threats include:

POPULAR CISCO ARTICLES

Router Introduction
Cisco SDM Installation
Cisco IP SLA
Cisco SmartCare Service
VLAN Security
4507R-E Installation
CCME - UC500 GUI
CallManager Express Intro
VLAN Security & Tips
Wireless LAN Key Generator
Gold Cisco Lab Partners

Corporate espionage by competitors,

Attacks from disgruntled ex-employees
Attacks from outsiders who are looking to obtain private data and steal the company's crown jewels (be it a database of credit cards,
information on a new product, financial data, source code to programs, etc.)
Attacks from outsiders who just want to use your company's resources to store pornography, illegal pirated software, movies and music, so
that others can download and your company ends up paying the bandwidth bill and in some countries can be held liable for the copyright
violations on movies and music.
As far as securing the enterprise goes, it is not enough to merely install a firewall or intrustion detection system and assume that you are
covered against all threats. The company must have a complete security policy and basic training must be imparted to all employees telling
them things they should and should not do, as well as who to contact in the event of an incident. Larger companies may even have an incident
response or security team to deal specifically with these issues.
One has to understand that security in the enterprise is a 24/7 problem. There is a famous saying, "A chain is only as strong as its weakest
link", the same rule applies to security.
After the security measures are put in place, someone has to take the trouble to read the logs, occasionally test the security, follow
mailing-lists of the latest vulnerabilities to make sure software and hardware is up-to-date etc. In other words, if your organisation is serious
about security, there should be someone who handles security issues.

POPULAR LINUX ARTICLES

Linux Init & RunLevels
Linux Groups & Users
Performance Monitoring
Linux Vim Editor
Linux Samba
Linux DHCP Server
Linux Bind DNS
File & Folder Permissions
Linux OpenMosix
Linux Network Config

This person is often a network administrator, but invariably in the chaotic throes of day-to-day administration (yes we all dread user support
calls ! :) the security of the organisation gets compromised -- for example, an admin who needs to deliver 10 machines to a new department
may not password protect the administrator account, just because it saves him some time and lets him meet a deadline. In short, an
organisation is either serious about security issues or does not bother with them at all.
While the notion of 24/7 security may seem paranoid to some people, one has to understand that in a lot of cases a company is not specifically
targetted by an attacker. The company's network just happen to be one that the attacker knows how to break into and thus they get
targetted. This is often the case in attacks where company ftp or webservers have been used to host illegal material.
The attackers don't care what the company does - they just know that this is a system accessible from the Internet where they can store large
amounts of warez (pirated software), music, movies, or pornography. This is actually a much larger problem than most people are aware of
because in many cases, the attackers are very good at hiding the illegal data. Its only when the bandwidth bill has to be paid that someone
realises that something is amiss.

Best Rated Content

Product Review - GFI
LanGuard Network
Security Scanner 2011
IPSec - Internet
Protocol Security
Static NAT - Part 1
Installation of a Cisco
Catalyst 4507R-E
Layer 3 Switch
TCP Window Size,
Checksum & Urgent
Pointer - Section 5
Introduction To
Network Security Part 1
Firewall.cx - Cisco
CCIE Experts & Cisco
Press Authors
Collaboration
Annoucement
VLAN Security Making the Most of
VLANs
Software Review:
Colasoft Capsa 7
Enterprise Network
Analyzer
Interview: Vivek
Tiwari CCIEx2 #18616
(CCIE Routing and
Switching and Service
Provider)

Firewalls
By far the most common security measure these days is a firewall. A lot of confusion surrounds the concept of a firewall, but it can basically be
defined as any perimiter device that permits or denies traffic based on a set of rules configured by the administrator. Thus a firewall may be as
simple as a router with access-lists, or as complex as a set of modules distributed through the network controlled from one central location.
The firewall protects everything 'behind' it from everything in front of it. Usually the 'front' of the firewall is its Internet facing side, and the
'behind' is the internal network. The way firewalls are designed to suit different types of networks is called the firewall topology.
Here is the link to a detailed explanation of different firewall topologies : Firewall.cx Firewall Topologies
You also get what are known as 'personal firewalls' such as Zonealarm, Sygate Personal Firewall , Tiny Personal Firewall , Symantec Endpoint
Security etc.
These are packages that are meant for individual desktops and are fairly easy to use. The first thing they do is make the machine invisible to
pings and other network probes. Most of them also let you choose what programs are allowed to access the Internet, therefore you can allow
your browser and mail client, but if you see some suspicious program trying to access the network, you can disallow it. This is a form of
'egress filtering' or outbound traffic filtering and provides very good protection against trojan horse programs and worms.
However firewalls are no cure all solution to network security woes. A firewall is only as good as its rule set and there are many ways an
attacker can find common misconfigurations and errors in the rules. For example, say the firewall blocks all traffic except traffic originating
from port 53 (DNS) so that everyone can resolve names, the attacker could then use this rule to his advantage. By changing the source port of
his attack or scan to port 53, the firewall will allow all of his traffic through because it assumes it is DNS traffic.
Bypassing firewalls is a whole study in itself and one which is very interesting especially to those with a passion for networking as it normally
involves misusing the way TCP and IP are supposed to work. That said, firewalls today are becoming very sophisticated and a well installed
firewall can severely thwart a would-be attackers plans.
It is important to remember the firewall does not look into the data section of the packet, thus if you have a webserver that is vulnerable to a
CGI exploit and the firewall is set to allow traffic to it, there is no way the firewall can stop an attacker from attacking the webserver because
it does not look at the data inside the packet. This would be the job of an intrusion detection system (covered further on).

Anti-Virus Systems
Everyone is familiar with the desktop version of anti virus packages like Norton Antivirus and Mcafee. The way these operate is fairly simple -when researchers find a new virus, they figure out some unique characteristic it has (maybe a registry key it creates or a file it replaces) and

25/09/2013 7:47

Introduction To Network Security - Part 1

3 of 5

http://www.firewall.cx/general-topics-reviews/security-articles/267-n...

out of this they write the virus 'signature'.

The whole load of signatures that your antivirus scans for what is known as the virus 'definitions'. This is the reason why keeping your virus
definitions up-to-date is very important. Many anti-virus packages have an auto-update feature for you to download the latest definitions. The
scanning ability of your software is only as good as the date of your definitions. In the enterprise, it is very common for admins to install
anti-virus software on all machines, but there is no policy for regular update of the definitions. This is meaningless protection and serves only
to provide a false sense of security.
With the recent spread of email viruses, anti-virus software at the MTA (Mail Transfer Agent , also known as the 'mail server') is becoming
increasingly popular. The mail server will automatically scan any email it recieves for viruses and quarantine the infections. The idea is that
since all mail passes through the MTA, this is the logical point to scan for viruses. Given that most mail servers have a permanent connection
to the Internet, they can regularly download the latest definitions. On the downside, these can be evaded quite simply. If you zip up the
infected file or trojan, or encrypt it, the anti-virus system may not be able to scan it.
End users must be taught how to respond to anti virus alerts. This is especially true in the enterprise -- an attacker doesn't need to try and
bypass your fortress like firewall if all he has to do is email trojans to a lot of people in the company. It just takes one uninformed user to open
the infected package and he will have a backdoor to the internal network.
It is advisable that the IT department gives a brief seminar on how to handle email from untrusted sources and how to deal with attachments.
These are very common attack vectors simply because you may harden a computer system as much as you like, but the weak point still
remains the user who operates it. As crackers say 'The human is the path of least resistance into the network'.

Intrusion Detection Systems

IDS's have become the 'next big thing' the way firewalls were some time ago. There are bascially two types of Intrusion Detection Systems :
Host based IDS
Network based IDS
Host based IDS - These are installed on a particular important machine (usually a server or some important target) and are tasked with
making sure that the system state matches a particular set baseline. For example, the popular file-integrity checker Tripwire -- this program is
run on the target machine just after it has been installed. It creates a database of file signatures for the system and regularly checks the
current system files against their known 'safe' signatures. If a file has been changed, the administrator is alerted. This works very well as most
attackers will replace a common system file with a trojaned version to give them backdoor access.
Network based IDS - These are more popular and quite easy to install. Basically they consist of a normal network sniffer running in
promiscuous mode (in this mode the network card picks up all traffic even if its not meant for it). The sniffer is attached to a database of
known attack signatures and the IDS analyses each packet that it picks up to check for known attacks. For example a common web attack
might contain the string '/system32/cmd.exe?' in the URL. The IDS will have a match for this in the database and will alert the administrator.
Newer IDS' support active prevention of attacks - instead of just alerting an administrator, the IDS can dynamically update the firewall rules to
disallow traffic from the attacking IP address for some amount of time. Or the IDS can use 'session sniping' to fool both sides of the connection
into closing down so that the attack cannot be completed.
Unfortunately IDS systems generate a lot of false positives (a false positive is basically a false alarm, where the IDS sees legitimate traffic and
for some reason matches it against an attack pattern) this tempts a lot of administrators into turning them off or even worse -- not bothering
to read the logs. This may result in an actual attack being missed.
IDS evasion is also not all that difficult for an experienced attacker. The signature is based on some unique feature of the attack, and so the
attacker can modify the attack so that the signature is not matched. For example, the above attack string '/system32/cmd.exe?' could be
rewritten in hexadecimal to look something like the following:
'2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f'
Which might be totally missed by the IDS. Furthermore, an attacker could split the attack into many packets by fragmenting the packets. This
means that each packet would only contain a small part of the attack and the signature would not match. Even if the IDS is able to reassemble
fragmented packets, this creates a time overhead and since IDS' have to run at near real-time status, they tend to drop packets while they
are processing. IDS evasion is a topic for a paper on its own.
The advantage of a network based IDS is that it is very difficult for an attacker to detect. The IDS itself does not need to generate any traffic,
and in fact many of them have a broken TCP/IP stack so they don't have an IP address. Thus the attacker does not know whether the network
segment is being monitored or not.

Patching and Updating

It is embarassing and sad that this has to be listed as a security measure. Despite being one of the most effective ways to stop an attack,
there is a tremendously laid back attitude to regulary patching systems. There is no excuse for not doing this, and yet the level of patching
remains woefully inadequate. Take for example the MSblaster worm that spread havoc recently. The exploit was known almost a month in
advance, and a patch had been released, still millions of users and businesses were infected. While admins know that having to patch 500
machines is a laborious task, the way I look at it is I would rather be updating my systems on a regular basis than waiting for disaster to strike
and then running around trying to patch and clean up those 500 systems.
For the home user, its a simple matter of running the automatic update software that every worthwhile OS comes with. In the enterprise there
is no 'easy' way to patch large numbers of machines, but there are patch deployment mechanisms that take a lot of the burden away. Frankly,
it is part of an admin's job to do this, and when a network is horribly fouled up by the latest worm it just means someone, somewhere didn't
do his job well enough.

Click here to read Part 2 of 'Introduction to Network Security'

R E L A T E D A R T IC L E S
The New GFI EventsManager 2013 - Active Network and Server Monitoring
GFI EventsManager 7 Review
Why Anti-Virus Software is NOT Enough
Finding More Information
GFI WebMonitor 2012 Internet Web Proxy Review

25/09/2013 7:47