Saturday, December 13, 2008

Internet Confidentiality & Privacy

The Internet provides little assurance of privacy or confidentiality. The use of firewalls, anonymizers, and encryption can help mitigate the risks. Major considerations to keep in mind are discussed below.

Silent communications. There are thousands of rogue actors and infected computers probing machines across the Internet at any given second. These bad apples are almost certainly trying to get control of your machine through any security fault or unpatched module they can find. Fortunately, their communications are fairly straightforward to trap, since by definition they are unsolicited -- it is easy to tell the difference between a packet from a web site you just accessed and a probe from some site you never heard of before. The technological solution to this threat is called a "firewall", a program that monitors all communications and traps all illicit packets. Most operating systems now come with a firewall preinstalled. However, some, such as the Windows firewall, only block suspect incoming communications, leaving access to the Internet from your machine completely open. This is a barn-door sized hole that is eagerly used by almost every program you have on your computer to contact the home company for all sorts of reasons, ranging from automatic checking for updates to transmission of usage metric data for their own proprietary purposes. The solution to this is a third-party firewall that protects both incoming and outgoing communications. The free version of ZoneAlarm is widely used.

Surfing leaves tracks. There is little privacy or confidentiality on the Internet. Web sites can track your surfing on their site by IP address and related system information, including system names and Internet network addresses that often uniquely identify your computer. Search engines generally record your queries together with your computer identification, building up a profile of your interests over time. To minimize these threats, you can change your default browser settings to exclude cookies, since they can be used to build up detailed profiles of your surfing patterns over time (advertising networks with a presence on many sites can even use cookies to track your surfing patterns across different sites). You can also use networked or single-point anonymizers to obscure all your computer's local identifying information and obtain the maximum available Internet privacy.


Posting is public. When you post anything to a public Internet newsgroup, mailing list, or chat room, you generally give up the rights to the content and any expectation of privacy or confidentiality. In most countries, anything you post to a public space can be saved, archived, duplicated, distributed, and published, even years later, by anyone, in the same way as a photograph taken in a public space like a city park. If you have ever posted anything to the newsgroups, you might find it interesting to search them now for the email address you used at the time, which is one reason you should disguise your email address when posting to the Usenet.

Personal data is cross-referenced. If you give a site personal data like an email address, home address, phone number, birth date, or credit card number, be aware that the information can be easily cross-referenced by a range of large service companies to assemble a detailed database of your buying habits, surfing patterns, and interests. And it usually is. If you do give a site personal information, it is a good idea to first read their Internet privacy policy to see how confidential they promise to keep it.

Tap, tap. Without speculating on who or why, Internet communications interception is technically easy to do at any of the perhaps five to twenty-five routers through which your packets are switched on the way to their destination. Software taps are easy to add. Direct physical interception by tapping into copper network cable near a house or in a switching station is straightforward with inexpensive equipment, and enables an eavesdropper to copy all of the traffic that passes over the line. Radio frequency interception of the traffic on copper lines is possible. Tapping into a fiber optic line is more difficult, usually requiring a high-angle bend to get a bit of light leakage, but is also technically possible. Encryption is the only sure solution.

Governments can do anything. Many national governments are large enough with enough resources that they can and do intercept Internet communications. However, because of the volume of information if for no other reason, you can be reasonably assured that no-one is taking the time to look at your specific Internet packets unless you are connected to an investigation.

The bottom line is that you have little privacy or confidentiality on the Internet, and unless your communications are encrypted and/or anonymized, you should assume they can be read by others. At the same time you need to make a realistic threat assessment depending on what you are doing -- how much do you (or others) really care?


Tuesday, December 2, 2008

About Firewalls

Introduction to Internet Firewalls

Firewalls are an excellent tool for securing a network. A firewall is a system designed to prevent unauthorized access to or from a private network; it limits access to a network from another network. A firewall can be implemented in hardware, software, or a combination of both, and it either denies or allows outgoing traffic (egress filtering) and incoming traffic (ingress filtering).

In an organizational setup, firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. A firewall should be the first line of defense in protecting the availability, integrity, and confidentiality of data in the computing environment. While a company may use packet-filtering routers for perimeter defense and host-based firewalls as an additional line of defense, in the home environment, the personal firewall plays a key role by defending the network and individual host perimeters.

Firewall software monitors your computer for suspicious activity while you are online. Inbound intruders are stopped before they can get in; sensitive information and Trojan horses are stopped before they can get out. Furthermore, a record of the attack is created, including the IP address the attack came from. This can help the Internet service provider figure out where the attack is coming from so they can track down the hackers. Overall, it is important to be smart about hackers; realizing that you are vulnerable to their attacks is an important first step. Somebody who really wants into your computer may still find a way to do it, but the point here is to make it as difficult as possible for him or her, and to send those who are just looking for an opportunity on to an easier target.

A firewall is defined as a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software. All messages communicating with the intranet pass through the firewall. The firewall inspects and blocks all messages that do not meet the security stipulations.

The fundamental principle is to give the administrator a single point where the preferred policies can be enforced. This single point of control allows the administrator to conceal characteristics of a private network and protect it.

Uses of Firewall

  • Protect the machines on the network from hackers logging into them.

  • Provide a single access point from where security and audit can be imposed.

  • Act as an effective phone tap and tracing tool.

  • Provide an important logging and auditing function.

  • Provide information about the nature of traffic and the number of attempts made to break into it.

Firewall Loopholes

Firewalls cannot protect from attacks that do not go through the firewall. The prerequisite for a firewall to work is that it must be part of a consistent overall organizational security architecture.

A firewall can't protect the network against a traitor in the network environment. Although an industrial spy might export information through your firewall, the traitor is just as likely to export it through a telephone, FAX machine, or floppy disk. Firewalls also cannot protect against social engineering.

Lastly, firewalls cannot protect against tunneling over most application protocols to trojaned or poorly written clients. Tunneling bad things over HTTP, SMTP, and other protocols is widely used.

Functionality of Firewalls

1. Packet Filtering: For each packet received, the packet filter makes a permit/deny decision. The filtering rules are based on the packet header information: the IP source address, the IP destination address, the encapsulated protocol, the TCP/UDP source port, the TCP/UDP destination port, and the ICMP message type.

2. Application level gateway: An application level gateway is a proxy that is installed on the gateway for each desired application. It does not allow direct exchange of packets. If a particular application does not have a proxy on the gateway, the service is not forwarded across the firewall.

3. Circuit level gateway: A circuit level gateway is a specific function that can be performed by an application level gateway. It does not perform any additional packet processing or filtering. It copies bytes back and forth between the inside and outside connections. It is often used for outgoing connections.

Basic Types of Firewalls

There are two types of firewalls:

  • Network layer

  • Application layer

Network layer firewalls

These firewalls use the source and destination addresses and ports in individual IP packets in making their decisions. A simple router is not able to make decisions about the nature and destination of a packet. The distinguishing characteristic of network layer firewalls is that they route traffic directly through them. They are very fast and tend to be very transparent to users.

Application layer firewalls

They are hosts running proxy servers. They permit no traffic directly between networks, and perform intricate logging and auditing of traffic passing through them. Modern application layer firewalls are completely transparent.

The network layer firewalls are becoming increasingly conscious of the information going through them. At the same time, application layer firewalls are becoming increasingly transparent. The end result is going to be a fast packet-screening system that logs and audits information as it passes through.


Personal Firewalls

Personal firewalls are meant for providing protection to desktop PCs and small networks connected to the Internet. A personal firewall is a software program used to guard and protect a computer or a network while it is connected to the Internet. Generally, home and small networks use personal firewalls because they are relatively inexpensive and are usually easy to install. A personal firewall enforces the security policies of a computer or a network by intercepting and examining the data (data packets) transported over the network. The security mechanism of a personal firewall works in one of two ways. Either it allows all data packets to enter the network except those meeting specified criteria (the restricted ones), or it denies all data packets from entering except those that are explicitly allowed. Experts recommend denying all data packets except the allowed ones as the better choice for the security of a network.

While simple personal firewall solutions are administered by users themselves, in a small network they are administered by a central security management system to implement a network-wide security policy. The primary aim of a personal firewall is to close any loopholes that remain in a network and in known virus scanners so as to provide full protection to the computers in the network. When a data packet moves out of the network, it carries along with it the IP address of the system/network. Personal firewalls, with the help of NAT (network address translation), substitute another IP address in outgoing Internet data packets so that the original internal IP address can't be traced.


Features and Benefits

In recent years, broadband and other faster Internet connections have become widely available, which has led to the need for software firewalls that can be implemented and maintained by average users. Currently, there are many software vendors competing for the home and small network market, and they are trying to package as many features as possible into their products. Below is a list and explanation of some of the main features that personal firewall vendors offer.

Inbound and Outbound Packet Filtering: Filtering the incoming data packets according to the security policies (created by the users or administrator) is the main function of a firewall. Data packets can be filtered using any of their attributes such as protocol, source address and port number and destination address and port number. Filtering the outgoing packets is an equally important feature of personal firewalls.

Stealth Mode: Before attempting to penetrate a system protected by a personal firewall, an intruder usually tries to identify the target system and create a footprint of it. They may also scan it for open ports and information such as OS type and application versions. If an intruder is unable to find the system, then he would not be able to penetrate it. Stealth mode does not mean that the machine's IP address is invisible, but it makes the machine's most vulnerable entry points invisible to the tools that intruders use to seek out targets. It essentially blocks any port that is not in use.

Support Custom Rules: This feature allows the user to customize the security policy beyond the default values that come with the personal firewall. A user can write a security policy to block data packets by IP address, port number, or protocol, or can define custom ports and protocols to use applications such as video conferencing and Voice over IP.

Ad Blocking: This feature blocks unwanted advertisements from displaying in the user's Web browser. There are several different types of ads used by Web sites. These include pop-up ads, animated ads, skyscraper ads, and banner ads. Some personal firewalls allow the user to change the filtering rules for the different types of ads.

Content filtering: Also referred to as "parental control", this feature gives the ability to block Web sites because of their content. Filtering can be based upon a database listing these sites, a user-created list of sites, or a list of keywords found in web pages.

Cookie Control: A cookie is a small text file that a Web site places on a computer that can contain personal information such as name, address, phone number, password, etc. Cookies can last for the duration of the current Internet session, or they can be persistent and reside on the computer indefinitely. There is also another type of cookie, called a third-party cookie, that can be placed on a computer to record information about the user's Internet surfing habits. The cookie control feature allows the user to block these cookies from being placed on the computer. Some vendors allow the user to distinguish between the types of cookies being blocked.

Mobile Code Protection: Mobile code is active or executable code that is embedded in Web pages or HTML email, such as Java applets, ActiveX controls, and plug-ins. Mobile code can sometimes be malicious, with the ability to copy files, steal passwords, and wipe out hard drives. This feature blocks the mobile code from executing and gives an alert asking the user whether they want the code to execute.

Intrusion Detection: From the perspective of a home or small office user, intrusion detection is the process of monitoring the events occurring within the computer system or network and analyzing them for signs of intrusion. If an intruder gets past the firewall, this feature gives an alert to the user that something suspicious is going on.

Intruder Tracking: When an intrusion threat is detected, this feature identifies the source of the intrusion attempt. Some firewalls even display a map showing the approximate geographic location of the intruder.

Logging: This feature creates a log file that lists the data packet transmissions that were blocked by the firewall. Information in this log file includes whether the transmission was inbound or outbound, the date and time the block occurred, the source IP address and port number, the destination IP address and port number, and the transport protocol, such as TCP, UDP, ICMP, or IGMP.
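The following is an added example, not code from the original post or from any firewall product: a model of the packet-filter decision described under Packet Filtering, the default-deny versus default-allow policy of a personal firewall, and the blocked-packet log record listed above. The host address, rule set and packets are constructed.

```python
"""Model of a stateless packet filter with default-deny and a blocked-packet log.
Rules match on the header fields a packet filter sees (direction, protocol,
source/destination address and port, ICMP type). Added example; the home
address 192.168.1.10 and all rules and packets are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str               # "inbound" or "outbound" relative to the host
    proto: str                   # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: Optional[int] = None  # TCP/UDP only
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


class PacketFilter:
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default      # action when no rule matches
        self.log: List[dict] = []   # records of blocked transmissions

    def decide(self, p: Packet) -> str:
        """First matching rule wins; otherwise the default action applies."""
        action = next((r.action for r in self.rules if r.matches(p)), self.default)
        if action == "deny":
            self.log.append(self.record(p))
        return action

    @staticmethod
    def record(p: Packet) -> dict:
        """The fields a personal-firewall log keeps for a blocked packet."""
        return {"direction": p.direction,
                "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                "src_ip": p.src, "src_port": p.sport,
                "dst_ip": p.dst, "dst_port": p.dport,
                "proto": p.proto}


def home_policy(default: str = "deny") -> PacketFilter:
    """Constructed rule set for a home PC at 192.168.1.10: let the browser and
    DNS out, accept ping replies, block SMB explicitly, leave the rest to the
    default. With default="deny" only the listed traffic passes; with
    default="permit" every unlisted inbound probe would be accepted."""
    me = "192.168.1.10/32"
    return PacketFilter([
        Rule("permit", "outbound", "TCP", src=me, dport=80),
        Rule("permit", "outbound", "TCP", src=me, dport=443),
        Rule("permit", "outbound", "UDP", src=me, dport=53),
        Rule("permit", "inbound", "ICMP", dst=me, icmp_type=0),   # echo reply
        Rule("deny", "inbound", "TCP", dst=me, dport=445),         # explicit block
    ], default=default)


if __name__ == "__main__":
    fw = home_policy()
    probe = Packet("inbound", "TCP", "203.0.113.9", "192.168.1.10", 51515, 3389)
    print(fw.decide(probe), fw.log[-1])
```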

Email Checking: Email messages can carry attachments containing viruses, worms, and other malicious code. Only certain types of attachments can contain malicious code, and these can be identified by their filename extensions. This feature checks incoming email for attachments with file extensions that could be malicious. An alert is usually given and the attachment is quarantined.

Application Authentication: A major threat to a computer system is a Trojan horse. It is easy to download malicious software without knowing it. Some Trojan horse applications can take on the same name, size, and directory structure as a program that is permitted to access the Internet. To combat this problem, a hashing algorithm is used to create a digital signature each time a program is executed, which is compared to the previously stored digital signature of that same program. If the digital signatures are not equal, then the user is alerted. Some firewall software even includes the components associated with a program's main executable file, such as DLL files, in the digital signature.
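An added example, not code from the original post or from any firewall vendor, of the application authentication check just described: the executable and its companion DLLs are hashed into one digest that is stored the first time the program is permitted and re-checked on every later run, so a swapped component with the same name and size is still caught. File names and contents are constructed in a temporary directory.

```python
"""Application authentication by program digest. Added example; the program
files, their names and the "trojaned" replacement are all constructed."""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def program_digest(exe: Path, components: Iterable[Path] = ()) -> str:
    """Hash the executable plus each component. File names are mixed in, with
    separators, so that swapping two components cannot yield the same digest."""
    h = hashlib.sha256()
    for part in (exe, *sorted(components)):
        h.update(part.name.encode() + b"\0")
        h.update(part.read_bytes())
        h.update(b"\0")
    return h.hexdigest()


class AppAuthenticator:
    def __init__(self) -> None:
        self.baseline: Dict[str, str] = {}   # program path -> stored digest

    def register(self, exe: Path, components: Iterable[Path] = ()) -> None:
        """Store the digest the first time the user permits a program."""
        self.baseline[str(exe)] = program_digest(exe, components)

    def check(self, exe: Path, components: Iterable[Path] = ()) -> str:
        """Return "allow", "unknown" (never registered) or "changed"."""
        stored = self.baseline.get(str(exe))
        if stored is None:
            return "unknown"
        current = program_digest(exe, components)
        return "allow" if hmac.compare_digest(stored, current) else "changed"


def demo() -> tuple:
    """Register a program with one DLL, replace the DLL with a file of the same
    name and size, then ask about a program that was never registered."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "client.exe"
        dll = Path(d) / "helper.dll"
        exe.write_bytes(b"MZ constructed program bytes")
        dll.write_bytes(b"constructed library bytes")   # 25 bytes
        auth = AppAuthenticator()
        auth.register(exe, [dll])
        first = auth.check(exe, [dll])                  # unchanged -> allow
        dll.write_bytes(b"replaced library bytes!!!")   # still 25 bytes
        second = auth.check(exe, [dll])                 # digest differs -> changed
        other = Path(d) / "other.exe"
        other.write_bytes(b"MZ some other program")
        third = auth.check(other)                       # never permitted -> unknown
        return first, second, third


if __name__ == "__main__":
    print(demo())
```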


Internet Connection Sharing (ICS) Support: Internet Connection Sharing software is used when multiple computers on home and small networks connect to the Internet through one computer, called a gateway, that is connected to the Internet. This feature allows the firewall software to work in conjunction with ICS software to filter data packets flowing through the gateway computer.


Choosing a Firewall for Home and Small Office

There are certain key criteria that should be considered when selecting personal software firewalls for home and small networks. The user should identify the criteria that are important to them and then find a personal firewall product that best meets the criteria. Some of the key criteria can be:

  • Effectiveness of security protection - How well the firewall product protects against intrusion and Trojans, controls outbound traffic, and resists denial of service.

  • Effectiveness of intrusion detection - How effectively does the firewall software alert the user when the system is being attacked?

  • Effectiveness of reaction - Is the software package able to discover the identity of the attacker, and how well does it block attacks?

  • Cost - Price of the firewall and setting up costs could be an important criterion for small organizations.


Friday, November 28, 2008

Basic Of Data And Message Security

Server Side Security

On the server side transport security is enabled by simply switching a non-secure socket implementation with the GSISocket implementation. In addition to this change some code was added to propagate authentication information and message protection settings to the relevant security handlers, in particular the authorization and security policy handlers.

Client Side Security

On the client side, transport security is similarly enabled by switching a non-secure socket implementation with the GSISocket implementation and registering a protocol handler for HTTPS that uses the secure socket implementation. In practice this means that any messages targeted at an HTTPS endpoint will, regardless of any stub properties, be authenticated and protected. It also means that any messages sent to an HTTP endpoint will not be secured, again regardless of any stub properties. Stub properties are only used to communicate the desired message protection level, i.e. either integrity only or integrity and privacy.


Message Level Security

Server Side Security

This section aims to describe the message flow and processing that occurs for a security-enabled service. The figure below shows the JAX-RPC handlers that are involved in security related message processing on a server.

GT4 provides two mechanisms, GSI Secure Conversation and GSI Secure Message security, for authentication and secure communication.

In the GSI Secure Conversation approach the client establishes a context with the server before sending any data. This context serves to authenticate the client identity to the server and to establish a shared secret using a collocated GSI Secure Conversation Service. Once the context establishment is complete the client can securely invoke an operation on the service by signing or encrypting outgoing messages using the shared secret captured in the context.

The GSI Secure Message approach differs in that no context is established before invoking an operation. The client simply uses existing keying material, such as an X.509 certificate, to secure messages and authenticate itself to the service.

Securing messages in the GSI Secure Conversation approach, i.e. using a shared secret, requires less computational effort than using existing keying material in the GSI Secure Message approach. This allows the client to trade the extra step of establishing a context for more computationally efficient message protection once that context has been established.

Message Processing

When a message arrives from the client the SOAP engine invokes several security related handlers.

The first of these handlers, the WS-Security handler, searches the message for any WS-Security headers. From these headers it extracts any keying material, which can be either in the form of an X509 certificate and associated certificate chain or a reference to a previously established secure conversation session. It also checks any signatures and/or decrypts elements in the SOAP body. The handler then populates a peer JAAS subject object with principals and any associated keying material whose veracity was ascertained during the signature checking or decryption step.

The next handler that gets invoked, the security policy handler, checks that incoming messages fulfill any security requirements the service may have. These requirements are specified, on a per-operation basis, as part of a security descriptor during service deployment. The security policy handler will also identify the correct JAAS subject to associate with the current thread of execution. Generally this means choosing between the peer subject populated by the WS-Security handler, the subject associated with the hosting environment and the subject associated with the service itself. The actual association is done by the pivot handler, a non-security handler not shown in the figure that handles the details of delivering the message to the service.

The security policy handler is followed by an authorization handler. This handler verifies that the principal established by the WS-Security handler is authorized to invoke the service. The type of authorization that is performed is specified as part of a deployment descriptor.

Once the message has passed the authorization handler it is finally handed off to the actual service for processing (discounting any non security related handlers, which are outside the scope of this document). Replies from the service back to the client are processed by two outbound handlers: the GSI Secure Conversation message handler and the GSI Secure Message handler. The GSI Secure Conversation message handler deals with encrypting and signing messages using a previously established security context, whereas the GSI Secure Message handler deals with messages by signing or encrypting the messages using X509 certificates. The operations that are actually performed depend on the message properties associated with the message by the inbound handlers, i.e. outbound messages will have the same security attributes as inbound messages. That being said, a service has the option of modifying the message properties if so desired. These handlers are identical to the client side handlers described in the following section.

Client Side Security

This section describes the security related message processing for Java-based GT4 clients. In contrast to the server side, where security is specified via deployment descriptors, client side security configuration is handled by the application. This means that a client side application has to explicitly pass information to the client side handlers on what type of security to use. This is also true for the case of services acting as clients. The figure below shows the JAX-RPC handlers that are involved in security related message processing on a client.

Message Processing

The client side application can specify the use of either the GSI Secure Conversation security approach or the GSI Secure Message security approach. It does this by setting a per message property that is processed by the client side security handlers.

There are three outbound client side security handlers:

The secure conversation service handler is only operational if GSI Secure Conversation mode is in use. It establishes a security session with a secure conversation service collocated with the service with which the client aims to communicate. When the client sends the initial message to the service with a property indicating that session based security is required, this handler intercepts the message and establishes a security session. It will also authorize the service by comparing the service's principal/subject obtained during session establishment with a value provided by the client application. Once the session has been established the handler passes on the original message for further processing.

The next handler in the chain, the secure message handler, is only operational if GSI Secure Message mode is in use. It signs and/or encrypts messages using X.509 credentials.

The third outbound handler is operational only if GSI Secure Conversation mode is in use. It handles signing and/or encryption of messages using a security session established by the first handler.

The client side inbound handler (the WS-Security client handler) deals with verifying and decrypting any signed and/or encrypted incoming messages. In the case of GSI Secure Message operation it will also authorize the remote side in a similar fashion to the outbound secure conversation service handler.
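The following is an added example, not code from the Globus Toolkit or its documentation: a model of the GSI Secure Conversation path through the server-side handler chain (WS-Security handler, security policy handler, authorization handler) and the client-side secure conversation message handler described in the two sections above, limited to integrity-only protection. The context-establishment handshake is abstracted to a collocated service that hands out a context id and a shared secret; the principals, operations, security descriptor and messages are all constructed.

```python
"""Model of GT4 GSI Secure Conversation message processing (integrity only).
Added example: the collocated secure conversation service, the client-side
signing handler and the three server-side inbound handlers are modelled with
HMAC-SHA256 over a shared secret; all identities and messages are constructed."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Set, Tuple


class SecurityError(Exception):
    pass


class SecureConversationService:
    """Collocated service that establishes a security context per client."""
    def __init__(self) -> None:
        self.contexts: Dict[str, Tuple[str, bytes]] = {}   # ctx id -> (principal, key)

    def establish(self, client_principal: str) -> Tuple[str, bytes]:
        """Handshake abstracted away: hand the client a context reference
        and the shared secret the server keeps for that authenticated identity."""
        ctx_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.contexts[ctx_id] = (client_principal, key)
        return ctx_id, key


def sign(key: bytes, body: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def client_secure_conversation_handler(ctx_id: str, key: bytes,
                                       operation: str, body: bytes) -> dict:
    """Client-side outbound handler: sign the body with the session secret and
    reference the established context in the WS-Security header."""
    return {"operation": operation, "body": body,
            "security": {"context_ref": ctx_id, "signature": sign(key, body)}}


def ws_security_handler(msg: dict, scs: SecureConversationService) -> dict:
    """Server handler 1: resolve the keying material, check the signature and
    populate the peer subject with the verified principal."""
    sec = msg.get("security")
    if sec is None or sec["context_ref"] not in scs.contexts:
        return {"peer": None, "integrity": False}   # unauthenticated message
    principal, key = scs.contexts[sec["context_ref"]]
    if not hmac.compare_digest(sec["signature"], sign(key, msg["body"])):
        raise SecurityError("signature check failed")
    return {"peer": principal, "integrity": True}


def security_policy_handler(msg: dict, subject: dict, descriptor: Dict[str, str]) -> None:
    """Server handler 2: enforce the per-operation requirement from the
    security descriptor ("none" or "integrity" in this model)."""
    if descriptor.get(msg["operation"], "none") == "integrity" and not subject["integrity"]:
        raise SecurityError(f"operation {msg['operation']} requires integrity")


def authorization_handler(subject: dict, allowed: Set[str]) -> None:
    """Server handler 3: identity-based authorization of the verified principal."""
    if subject["peer"] not in allowed:
        raise SecurityError(f"{subject['peer']} not authorized")


def dispatch(msg: dict, scs: SecureConversationService, descriptor: Dict[str, str],
             allowed: Set[str], service: Callable[[str, bytes], str]) -> Tuple[str, dict]:
    """Run the inbound chain, invoke the service, and return the message
    properties the outbound handlers would reuse to protect the reply."""
    subject = ws_security_handler(msg, scs)
    security_policy_handler(msg, subject, descriptor)
    authorization_handler(subject, allowed)
    return service(msg["operation"], msg["body"]), {"integrity": subject["integrity"]}


def demo() -> list:
    scs = SecureConversationService()
    descriptor = {"getData": "integrity", "ping": "none"}   # constructed descriptor
    allowed = {"/O=Grid/CN=alice"}                           # constructed principal

    def service(op: str, body: bytes) -> str:
        return f"{op} ok: {body.decode()}"

    def attempt(msg: dict) -> str:
        try:
            return dispatch(msg, scs, descriptor, allowed, service)[0]
        except SecurityError as e:
            return f"rejected: {e}"

    ctx, key = scs.establish("/O=Grid/CN=alice")
    good = client_secure_conversation_handler(ctx, key, "getData", b"<q>1</q>")
    tampered = dict(good, body=b"<q>2</q>")              # body altered in transit
    unsigned = {"operation": "getData", "body": b"<q>1</q>"}
    mctx, mkey = scs.establish("/O=Grid/CN=mallory")     # authenticated, not authorized
    mallory = client_secure_conversation_handler(mctx, mkey, "getData", b"<q>1</q>")
    return [attempt(good), attempt(tampered), attempt(unsigned), attempt(mallory)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```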

Network Design Services

Introduction

A Secure Network Design Service is a clean-slate network architecture project concentrating on network security. Secure-Bytes technical consultants join the client's architecture team to provide strategic network security recommendations. The engagement addresses network segmentation, firewall selection, access control policies, and the identification and selection of appropriate technology based on business needs. These services address security issues proactively: it is essential to consider secure architecture before implementing a network design, and doing so is invaluable for designing and implementing a network with a comprehensive security architecture.

Design Services

Following are some of the architecture design services offered by Secure Bytes:
  • Anti-Virus Protection Architecture Designing
  • Business Continuity Architecture Designing
  • Directory Services Architecture Designing
  • Firewall Architecture Designing Service
  • IDS Architecture Designing Service
  • Perimeter Defense Designing Service
  • Routers Architecture Designing Service
  • Secure AID Architecture Designing Service
  • VPN Architecture Designing Service
  • Wireless Network Architecture Designing Service
  • Wired Network Architecture Designing Service
  • Remote Access Architecture Designing Service
  • Secure E-Commerce Architecture Designing Service
  • Enterprise Backup Architecture Designing Service

Key Benefits

Secure-Bytes facilitates the organization in the following ways:

  • Identifying and eliminating risks before problems arise.
  • Identifying potential architecture problem areas and providing recommendations.


Sunday, November 23, 2008

Network security

Network security consists of the provisions made in an underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and consistent and continuous monitoring and measurement of their effectiveness (or lack of it), combined together.

Comparison with computer security

Securing network infrastructure is like securing the possible entry points of attacks on a country by deploying appropriate defenses. Computer security is more like providing the means to protect a single PC against outside intrusion. The former is the better and more practical way to keep civilians from being exposed to the attacks. The preventive measures attempt to secure access to individual computers--the network itself--thereby protecting the computers and other shared resources, such as printers and network-attached storage, connected by the network. Attacks can be stopped at their entry points before they spread. As opposed to this, in computer security the measures taken are focused on securing individual computer hosts. A computer host whose security is compromised is likely to infect other hosts connected to a potentially unsecured network. A computer host's security is vulnerable to users with higher access privileges to those hosts.

Attributes of a secure network

Network security starts from authenticating any user, most commonly with a username and a password. Once authenticated, a stateful firewall enforces access policies such as what services are allowed to be accessed by the network users. Though effective in preventing unauthorized access, this component fails to check potentially harmful content such as computer worms being transmitted over the network. An intrusion prevention system (IPS) helps detect and prevent such malware. An IPS also monitors network traffic for suspicious content, volume, and anomalies to protect the network from attacks such as denial of service. Communication between two hosts using the network can be encrypted to maintain privacy. Individual events occurring on the network can be tracked for audit purposes and for later high-level analysis.

Honeypots, essentially decoy network-accessible resources, can be deployed in a network as surveillance and early-warning tools. Techniques used by attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques. Such analysis can be used to further tighten the security of the actual network being protected by the honeypot.



Security management

Security Management for networks is different for all kinds of situations. A small home or an office would only require basic security while large businesses will require high maintenance and advanced software and hardware to prevent malicious attacks from hacking and spamming.



Sunday, September 7, 2008

Data security

Data security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Thus data security helps to ensure privacy. It also helps in protecting personal data.

Data Security Technologies

Full Disk Encryption

Full Disk Encryption refers to disk encryption technology that encrypts all of the data on a disk or hard disk drive. It typically takes the form of either software or hardware. Full Disk Encryption is often referred to as "FDE," and the combination of hardware and software full disk encryption is often referred to as "end-point full disk encryption" or "end-based full disk encryption."

Strong User Authentication

Single Sign-On refers to authentication that allows users to log onto programs, files, folders and computers once, without being asked to authenticate again. Single Sign-On technology is typically adopted in a "strong user authentication" sense: users are asked to sign on with multiple factors of authentication, for example passwords, smart cards, fingerprints or one-time passwords.
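The "multiple factors" idea is easiest to see in code. The following is an added example, not code from this blog: a login check that combines a salted password hash (PBKDF2) with a time-based one-time password (TOTP, RFC 6238 on top of HOTP, RFC 4226), so a stolen password alone is not enough. The user name, password and credential store are constructed for the example; the TOTP secret is the RFC test-vector secret, used here only so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed credential store. In a real deployment the salt, hash and TOTP
# secret live in a protected database, never in source code.
PBKDF2_ITERATIONS = 100_000
TOTP_SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector secret (example only)
USERS = {}


def register(username, password, totp_secret):
    """Store a salted PBKDF2 hash of the password plus the user's TOTP secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest, "totp_secret": totp_secret}


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        # Run the KDF anyway so an unknown user costs the same time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])


def verify_totp(username, code, unix_time=None, window=1):
    rec = USERS.get(username)
    if rec is None:
        return False
    now = time.time() if unix_time is None else unix_time
    counter = int(now) // 30
    # Accept the current step and one step either side to absorb clock drift.
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(rec["totp_secret"], c), code):
            return True
    return False


def authenticate(username, password, code, unix_time=None):
    """Both factors must verify; evaluate both so the response time does not reveal which failed."""
    ok_password = verify_password(username, password)
    ok_code = verify_totp(username, code, unix_time)
    return ok_password and ok_code


if __name__ == "__main__":
    register("alice", "correct horse battery staple", TOTP_SECRET)
    print("code for the current step:", totp(TOTP_SECRET, time.time()))
    print("login with both factors:", authenticate("alice", "correct horse battery staple",
                                                   totp(TOTP_SECRET, time.time())))
```

The drift window is the usual trade-off: a wider window is friendlier to devices with bad clocks but gives an attacker more valid codes per moment, so one step either side is the common choice.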

International Laws and Standards

International Laws

In the UK, the Data Protection Act is used to ensure that personal data is accessible to those whom it concerns, and provides redress to individuals if there are inaccuracies. This is particularly important to ensure individuals are treated fairly, for example for credit checking purposes. The Data Protection Act states that only individuals and companies with legitimate and lawful reasons can process personal information, and that it cannot be shared.

International Standards

The International Standard ISO/IEC 17799 covers data security under the topic of information security, and one of its cardinal principles is that all stored information, i.e. data, should be owned, so that it is clear whose responsibility it is to protect and control access to that data.

The Trusted Computing Group is an organization that helps standardize computing security technologies.

Saturday, July 26, 2008

Wireless Security

Wireless security is the prevention of unauthorized access or damage to computers using wireless networks.

Wireless networks are very common, both for organizations and individuals. Many laptop computers have wireless cards pre-installed. The ability to enter a network while mobile has great benefits. However, wireless networking has many security issues.[1] Hackers have found wireless networks relatively easy to break into, and even use wireless technology to crack into wired networks.

The risks to users of wireless technology have increased as the service has become more popular. There were relatively few dangers when wireless technology was first introduced. Crackers had not yet had time to latch on to the new technology and wireless was not commonly found in the work place. However, there are a great number of security risks associated with the current wireless protocols and encryption methods, and in the carelessness and ignorance that exists at the user and corporate IT level.[2] Cracking methods have become much more sophisticated and innovative with wireless. Cracking has also become much easier and more accessible with easy-to-use Windows-based and Linux-based tools being made available on the web at no charge.

Some organizations that have no wireless access points installed do not feel that they need to address wireless security concerns. In-Stat MDR and META Group have estimated that 95% of all corporate laptop computers that were planned to be purchased in 2005 were equipped with wireless. Issues can arise in a supposedly non-wireless organization when a wireless laptop is plugged into the corporate network. A cracker could sit out in the parking lot and break in through the wireless card on a laptop and gain access to the wired network.


Types of unauthorized access

Accidental association

Unauthorized access to company wireless and wired networks can come from a number of different methods and intents. One of these methods is referred to as “accidental association”. When a user turns on a computer and it latches on to a wireless access point from a neighboring company’s overlapping network, the user may not even know that this has occurred. However, it is a security breach in that proprietary company information is exposed and now there could exist a link from one company to the other. This is especially true if the laptop is also hooked to a wired network.

Malicious association

“Malicious associations” occur when crackers actively cause wireless devices to connect to a company network through their cracking laptop instead of a company access point (AP). These laptops are known as “soft APs” and are created when a cracker runs software that makes his/her wireless network card look like a legitimate access point. Once the cracker has gained access, he/she can steal passwords, launch attacks on the wired network, or plant trojans. Since wireless networks operate at Layer 2, Layer 3 protections such as network authentication and virtual private networks (VPNs) offer no barrier. Wireless 802.1X authentication does help with protection but is still vulnerable to cracking. The idea behind this type of attack may not be to break into a VPN or other security measures; most likely the cracker is just trying to take over the client at Layer 2.

Ad-hoc networks

Ad-hoc networks can pose a security threat. Ad-hoc networks are defined as peer-to-peer networks between wireless computers that do not have an access point in between them. While these types of networks usually have little protection, encryption methods can be used to provide security.

Non-traditional networks

Non-traditional networks such as personal network Bluetooth devices are not safe from cracking and should be regarded as a security risk. Even barcode readers, handheld PDAs, and wireless printers and copiers should be secured. These non-traditional networks can be easily overlooked by IT personnel who have narrowly focused on laptops and access points.

Identity theft (MAC spoofing)

Identity theft (or MAC spoofing) occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Most wireless systems allow some kind of MAC filtering to only allow authorized computers with specific MAC IDs to gain access and utilize the network. However, a number of programs exist that have network “sniffing” capabilities. Combine these programs with other software that allow a computer to pretend it has any MAC address that the cracker desires,[3] and the cracker can easily get around that hurdle.

Man-in-the-middle attacks

A man-in-the-middle attacker entices computers to log into a computer which is set up as a soft AP (Access Point). Once this is done, the hacker connects to a real access point through another wireless card offering a steady flow of traffic through the transparent hacking computer to the real network. The hacker can then sniff the traffic. One type of man-in-the-middle attack relies on security faults in challenge and handshake protocols to execute a “de-authentication attack”. This attack forces AP-connected computers to drop their connections and reconnect with the cracker’s soft AP. Man-in-the-middle attacks are enhanced by software such as LANjack and AirJack, which automate multiple steps of the process. What once required some skill can now be done by script kiddies. Hotspots are particularly vulnerable to any attack since there is little to no security on these networks.

Denial of service

A Denial-of-Service attack (DoS) occurs when an attacker continually bombards a targeted AP (Access Point) or network with bogus requests, premature successful connection messages, failure messages, and/or other commands. These cause legitimate users to not be able to get on the network and may even cause the network to crash. These attacks rely on the abuse of protocols such as the Extensible Authentication Protocol (EAP).

Network injection

In a network injection attack, a cracker can make use of access points that are exposed to non-filtered network traffic, specifically broadcasting network traffic such as “Spanning Tree” (802.1D), OSPF, RIP, and HSRP. The cracker injects bogus networking re-configuration commands that affect routers, switches, and intelligent hubs. A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices.

Caffe Latte attack

The Caffe Latte attack is another way to defeat WEP. It is not necessary for the attacker to be in the area of the network using this exploit. By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client.[4] By sending a flood of encrypted ARP requests, the assailant takes advantage of the shared key authentication and the message modification flaws in 802.11 WEP. The attacker uses the ARP responses to obtain the WEP key in less than 6 minutes.[5]

Counteracting risks

Risks from crackers are sure to remain with us for any foreseeable future. The challenge for IT personnel will be to keep one step ahead of crackers. Members of the IT field need to keep learning about the types of attacks and what counter measures are available.

Counteracting security risks

There are many technologies available to counteract wireless network intrusion, but currently no method is absolutely secure. The best strategy may be to combine a number of security measures.

Possible steps towards securing a wireless network include:

  1. All wireless LAN devices need to be secured
  2. All users of the wireless network need to be educated in wireless network security
  3. All wireless networks need to be actively monitored for weaknesses and breaches

MAC ID filtering

Most wireless access points contain some type of MAC ID filtering that allows the administrator to only permit access to computers that have wireless functionalities that contain certain MAC IDs. This can be helpful; however, it must be remembered that MAC IDs over a network can be faked. Cracking utilities such as SMAC are widely available, and some computer hardware also gives the option in the BIOS to select any desired MAC ID for its built in network capability.
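Because a MAC allowlist can be bypassed as described above, a monitoring step belongs next to it. The block below is an added example, not code from this post: the allowlist check itself, plus a detector that looks for the most common trace a second transmitter leaves when it borrows an authorized MAC address, namely 802.11 sequence numbers that stop increasing steadily (each station keeps its own 12-bit counter, so two radios sharing one address produce two interleaved counters). The MAC addresses and frame records are constructed for the example; a real deployment would feed it frames from a monitor-mode capture and ignore retransmissions (retry flag set), which legitimately repeat a sequence number.

```python
from collections import defaultdict

# Constructed allowlist of MAC addresses the access point admits (example values).
ALLOWED_MACS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so '00-11-22-...' and '00:11:22:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


def mac_filter(mac):
    """The basic control the text describes: admit only listed MACs."""
    return normalize_mac(mac) in ALLOWED_MACS


def detect_sequence_anomalies(frames, max_gap=50, min_events=3):
    """Flag MACs whose 802.11 sequence numbers do not advance steadily.

    frames: iterable of (source_mac, sequence_number). A single station's counter
    moves forward by a small amount per frame and wraps at 4096; a backwards jump
    or a large forward jump means a second transmitter is using the same address.
    A MAC is reported once it has produced at least min_events such jumps.
    """
    last_seq = {}
    anomalies = defaultdict(int)
    for mac, seq in frames:
        mac = normalize_mac(mac)
        if mac in last_seq:
            delta = (seq - last_seq[mac]) % 4096   # modular difference handles the wrap
            if not 1 <= delta <= max_gap:
                anomalies[mac] += 1
        last_seq[mac] = seq
    return {mac: n for mac, n in anomalies.items() if n >= min_events}


# Constructed capture: one well-behaved station and one authorized address that is
# being transmitted by two different radios (counters near 100 and near 3000 interleave).
SAMPLE_FRAMES = [
    ("66:77:88:99:aa:bb", 10), ("66:77:88:99:aa:bb", 11),
    ("66:77:88:99:aa:bb", 13), ("66:77:88:99:aa:bb", 14),
    ("00:11:22:33:44:55", 100), ("00:11:22:33:44:55", 3000),
    ("00:11:22:33:44:55", 101), ("00:11:22:33:44:55", 3001),
    ("00:11:22:33:44:55", 102), ("00:11:22:33:44:55", 3002),
]

if __name__ == "__main__":
    print("filter admits 00-11-22-33-44-55:", mac_filter("00-11-22-33-44-55"))
    print("suspected shared MACs:", detect_sequence_anomalies(SAMPLE_FRAMES))
```

The detector is a heuristic: roaming clients and lossy captures produce occasional gaps, which is why a gap allowance and a minimum event count are built in, and why an alert should trigger investigation rather than an automatic block.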

Static IP addressing

Disabling at least the IP Address assignment function of the network's DHCP server, with the IP addresses of the various network devices then set by hand, will also make it more difficult for a casual or unsophisticated intruder to log onto the network. This is especially effective if the subnet size is also reduced from a standard default setting to what is absolutely necessary and if permitted but unused IP addresses are blocked by the access point's firewall. In this case, where no unused IP addresses are available, a new user can log on without detection using TCP/IP only if he or she stages a successful Man in the Middle Attack using appropriate software.
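The "reduce the subnet to what is absolutely necessary and block the unused addresses" advice can be turned into a quick calculation. The following is an added example, not part of the original post, using Python's standard ipaddress module: it finds the smallest subnet that still covers a list of statically assigned devices and lists the usable addresses that remain free, which are the ones a deny rule on the access point should cover. The device addresses are constructed.

```python
import ipaddress


def smallest_covering_subnet(hosts):
    """Return the smallest IPv4 network that contains every listed host address."""
    addrs = sorted(ipaddress.IPv4Address(h) for h in hosts)
    # Networks are nested, so the first prefix (counting down from /32) whose
    # network around the lowest address also holds the highest one is minimal.
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network((addrs[0], prefix), strict=False)
        if addrs[-1] in net:
            return net


def unused_addresses(net, hosts):
    """Usable addresses in net that no device has been assigned: candidates for a deny rule."""
    assigned = {ipaddress.IPv4Address(h) for h in hosts}
    return [str(a) for a in net.hosts() if a not in assigned]


# Constructed example: five statically addressed devices on a home/office WLAN.
DEVICES = ["192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13", "192.168.1.14"]

if __name__ == "__main__":
    tight = smallest_covering_subnet(DEVICES)
    print("smallest subnet:", tight)
    print("addresses to block in it:", unused_addresses(tight, DEVICES))
    default = ipaddress.IPv4Network("192.168.1.0/24")
    print("free addresses left open by the default /24:", len(unused_addresses(default, DEVICES)))
```

For the five constructed devices the answer is 192.168.1.8/29 with a single free address (192.168.1.9) to block, against 249 free addresses in a default /24; an intruder who does find a free address still has to guess it, which is the narrow benefit the post describes.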

Sunday, March 23, 2008

Introduction Of Various Networks

In the last decade, the number of computers in use has exploded. For quite some time now, computers have been a crucial element in how we entertain and educate ourselves, and most importantly, how we do business. It seems obvious in retrospect that a natural result of the explosive growth in computer use would be an even more explosive (although delayed) growth in the desire and need for computers to talk with each other. The growth of this industry has been driven by two separate forces which until recently have had different goals and end products. The first factor has been research interests and laboratories; these groups have always needed to share files, email and other information across wide areas. The research labs developed several protocols and methods for this data transfer, most notably TCP/IP. Business interests are the second factor in network growth. For quite some time, businesses were primarily interested in sharing data within an office or campus environment, this led to the development of various protocols suited specifically to this task.

Within the last five years, businesses have begun to need to share data across wide areas. This has prompted efforts to convert principally LAN-based protocols into WAN-friendly protocols. The result has spawned an entire industry of consultants who know how to manipulate routers, gateways and networks to force principally broadcast protocols across point-to-point links (two very different methods of transmitting packets across networks). Recently (within the last 2 or 3 years) more and more companies have realized that they need to settle on a common networking protocol. Frequently the protocol of choice has been TCP/IP, which is also the primary protocol run on the Internet. The emerging ubiquitousness of TCP/IP allows companies to interconnect with each other via private networks as well as through public networks.

This is a very rosy picture: businesses, governments and individuals communicating with each other across the world. While reality is rapidly approaching this utopian picture, several relatively minor issues have changed status from low priority to extreme importance. Security is probably the most well known of these problems. When businesses send private information across the net, they place a high value on it getting to its destination intact and without being intercepted by someone other than the intended recipient. Individuals sending private communications obviously desire secure communications. Finally, connecting a system to a network can open the system itself up to attacks. If a system is compromised, the risk of data loss is high.

It can be useful to break network security into two general classes:

  • methods used to secure data as it transits a network

  • methods which regulate what packets may transit the network

While both significantly affect the traffic going to and from a site, their objectives are quite different.

Transit Security

Currently, there are no systems in wide use that will keep data secure as it transits a public network. Several methods are available to encrypt traffic between a few coordinated sites. Unfortunately, none of the current solutions scale particularly well. Two general approaches dominate this area:

Virtual Private Networks: This is the concept of creating a private network by using TCP/IP to provide the lower levels of a second TCP/IP stack. This can be a confusing concept, and is best understood by comparing it to the way TCP/IP is normally implemented. In a nutshell, IP traffic is sent across various forms of physical networks. Each system that connects to the physical network implements a standard for sending IP messages across that link. Standards for IP transmission across various types of links exist; the most common are for Ethernet and Point to Point links (PPP and SLIP). Once an IP packet is received, it is passed up to higher layers of the TCP/IP stack as appropriate (UDP, TCP and eventually the application). When a virtual private network is implemented, the lowest levels of the TCP/IP protocol are implemented using an existing TCP/IP connection. There are a number of ways to accomplish this, which trade off abstraction against efficiency. The advantage this gives you in terms of secure data transfer is only a single step further away. Because a VPN gives you complete control over the physical layer, it is entirely within the network designer's power to encrypt the connection at the physical (virtual) layer. By doing this, all traffic of any sort over the VPN will be encrypted, whether it be at the application layer (such as Mail or News) or at the lowest layers of the stack (IP, ICMP). The primary advantages of VPNs are: they allow private address space (you can have more machines on a network), and they allow the packet encryption/translation overhead to be done on dedicated systems, decreasing the load placed on production machines.

Packet Level Encryption: Another approach is to encrypt traffic at a higher layer in the TCP/IP stack. Several methods exist for the secure authentication and encryption of telnet and rlogin sessions (Kerberos, S/Key and DESlogin) which are examples of encryption at the highest level of the stack (the application layer). The advantages to encrypting traffic at the higher layer are that the processor overhead of dealing with a VPN is eliminated, inter-operability with current applications is not affected, and it is much easier to compile a client program that supports application layer encryption than to build a VPN. It is possible to encrypt traffic at essentially any of the layers in the IP stack. Particularly promising is encryption that is done at the TCP level which provides fairly transparent encryption to most network applications.

It is important to note that both of these methods can have performance impacts on the hosts that implement the protocols, and on the networks which connect those hosts. The relatively simple act of encapsulating or converting a packet into a new form requires CPU-time and uses additional network capacity. Encryption can be a very CPU-intensive process and encrypted packets may need to be padded to uniform length to guarantee the robustness of some algorithms. Further, both methods have impacts on other areas (security related and otherwise- such as address allocation, fault tolerance and load balancing) that need to be considered before any choice is made as to which is best for a particular case.

Traffic Regulation

The most common form of network security on the Internet today is to closely regulate which types of packets can move between networks. If a packet which may do something malicious to a remote host never gets there, the remote host will be unaffected. Traffic regulation provides this screen between hosts and remote sites. This typically happens at three basic areas of the network: routers, firewalls and hosts. Each provides similar service at different points in the network. In fact the line between them is somewhat ill-defined and arbitrary. In this article, I will use the following definitions:

Router traffic regulation: Any traffic regulation that occurs on a router or terminal server (hosts whose primary purpose is to forward the packets of other hosts) and is based on packet characteristics. This does not include application gateways but does include address translation.

Firewall traffic regulation: Traffic regulation or filtering that is performed via application gateways or proxies.

Host traffic regulation: Traffic regulation that is performed at the destination of a packet. Hosts are playing a smaller and smaller role in traffic regulation with the advent of filtering routers and firewalls.

Filters and access lists

Regulating which packets can go between two sites is a fairly simple concept on the surface- it shouldn't be and isn't difficult for any router or firewall to decide simply not to forward all packets from a particular site. Unfortunately, the reason most people connect to the Internet is so that they may exchange packets with remote sites. Developing a plan that allows the right packets through at the right time and denies the malicious packets is a thorny task which is far beyond this article's scope. A few basic techniques are worth discussing, however.

  • Restricting access in, but not out: Almost all packets (besides those at the lowest levels which deal with network reachability) are sent to destination sockets of either UDP or TCP. Typically, packets from remote hosts will attempt to reach one of what are known as the well known ports. These ports are monitored by applications which provide services such as Mail Transfer and Delivery, Usenet News, the time, Domain Name Service, and various login protocols. It is trivial for modern routers or firewalls only to allow these types of packets through to the specific machine that provides a given service. Attempts to send any other type of packet will not be forwarded. This protects the internal hosts, but still allows all packets to get out. Unfortunately this isn't the panacea that it might seem.

  • The problem of returning packets: Let's pretend that you don't want to let remote users log into your systems unless they use a secure, encrypting application such as S/Key. However, you are willing to allow your users to attempt to connect to remote sites with telnet or ftp. At first glance, this looks simple: you merely restrict remote connections to one type of packet and allow any type of outgoing connection. Unfortunately, due to the nature of interactive protocols, they must negotiate a unique port number to use once a connection is established. If they didn't, at any given time, there could only be one of each type of interactive session between any given two machines. This results in a dilemma: all of a sudden, a remote site is going to try to send packets destined for a seemingly random port. Normally, these packets would be dropped. However, modern routers and firewalls now support the ability to dynamically open a small window for these packets to pass through if packets have been recently transmitted from an internal host to the external host on the same port. This allows connections that are initiated internally to connect, yet still denies external connection attempts unless they are desired.

  • Dynamic route filters: A relatively recent technique is the ability to dynamically add entire sets of route filters for a remote site when a particular set of circumstances occur. With these techniques, it is possible to have a router automatically detect suspicious activity (such as ISS or SATAN) and deny a machine or entire site access for a short time. In many cases this will thwart any sort of automated attack on a site.

Filters and access lists are typically placed on all three types of systems, although they are most common on routers.
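The "restrict access in, but not out" rule and the "returning packets" problem together describe what a stateful filter does, and the earlier post's stateful firewall is the same mechanism. The block below is an added example, not code from this article: a small connection-tracking filter that lets any outbound packet through and records its flow, admits inbound packets only when they answer a recorded flow or are addressed to a published service, and expires idle flows so the "small window" closes again. The addresses, ports and service table are constructed; a production filter would also follow TCP flags (SYN to open, FIN/RST to close) rather than relying on idle timeouts alone.

```python
import time
from collections import namedtuple

# direction is "in" (from the Internet) or "out" (from the internal network).
Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port")

# Constructed service table: the only inbound destinations reachable without a prior outbound packet.
ALLOWED_INBOUND_SERVICES = {
    ("192.0.2.10", "tcp", 25),   # mail transfer
    ("192.0.2.11", "tcp", 80),   # web
    ("192.0.2.12", "udp", 53),   # domain name service
}


class StatefulFilter:
    """Connection-tracking packet filter: outbound opens a flow, inbound must match one or a service."""

    def __init__(self, idle_timeout=120.0):
        self.idle_timeout = idle_timeout
        # (proto, internal_ip, internal_port, external_ip, external_port) -> last time seen
        self.flows = {}

    def _expire(self, now):
        stale = [key for key, seen in self.flows.items() if now - seen > self.idle_timeout]
        for key in stale:
            del self.flows[key]

    def decide(self, pkt, now=None):
        now = time.time() if now is None else now
        self._expire(now)
        if pkt.direction == "out":
            # Internal hosts may talk to anyone; remember the flow so replies can come back.
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.flows[key] = now
            return "allow"
        # Inbound: look the packet up as the reverse of a recorded outbound flow.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows:
            self.flows[key] = now          # keep the window open while traffic flows
            return "allow"
        if (pkt.dst_ip, pkt.proto, pkt.dst_port) in ALLOWED_INBOUND_SERVICES:
            return "allow"                 # unsolicited, but to a published service
        return "deny"                      # everything else never reaches the internal host


if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.decide(Packet("out", "tcp", "192.0.2.50", 40001, "198.51.100.7", 23)))   # allow
    print(fw.decide(Packet("in", "tcp", "198.51.100.7", 23, "192.0.2.50", 40001)))    # allow (reply)
    print(fw.decide(Packet("in", "tcp", "198.51.100.9", 1234, "192.0.2.50", 23)))     # deny
```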

Address Translation: Another advancement has been to have a router modify outgoing packets to contain its own IP number. This prevents an external site from knowing any information about the internal network; it also allows for certain tricks to be played which provide for a tremendous number of additional internal hosts with a small allocated address space. The router maintains a table which maps an external IP number and socket to an internal number and socket. Whenever an internal packet is destined for the outside, it is simply forwarded with the router's IP number in the source field of the IP header. When an external packet arrives, it is analyzed for its destination port and re-mapped before it is sent on to the internal host. The procedure does have its pitfalls: checksums have to be recalculated because they are based in part on IP numbers, and some upper layer protocols encode or depend on the IP number. These protocols will not work through simple address translation routers.
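The mapping table and the checksum pitfall are both easy to show concretely. The following is an added example, not code from this article: a port-translating NAT router that rewrites the source of outbound packets to its own address and a fresh port, maps replies back, drops inbound packets with no mapping, and recomputes the transport checksum, which covers the IP addresses through the TCP/UDP pseudo-header and so goes stale the moment an address is rewritten. The packet model is simplified (addresses, ports, payload and a checksum over those fields, computed with the RFC 1071 ones'-complement algorithm) and all addresses are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass, replace


def internet_checksum(data):
    """RFC 1071 checksum: ones'-complement sum of 16-bit words, odd length padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes
    checksum: int = 0

    def _covered_bytes(self):
        # Like the TCP/UDP pseudo-header, the checksum covers both IP addresses and ports.
        return (ipaddress.IPv4Address(self.src_ip).packed
                + ipaddress.IPv4Address(self.dst_ip).packed
                + struct.pack("!HH", self.src_port, self.dst_port)
                + self.payload)

    def with_checksum(self):
        return replace(self, checksum=internet_checksum(self._covered_bytes()))

    def checksum_ok(self):
        return internet_checksum(self._covered_bytes()) == self.checksum


class NatRouter:
    """Port-translating NAT: many internal (ip, port) sockets share one external address."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_map = {}   # (internal_ip, internal_port) -> external_port
        self.in_map = {}    # external_port -> (internal_ip, internal_port)

    def translate_outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        rewritten = replace(pkt, src_ip=self.external_ip, src_port=self.out_map[key])
        return rewritten.with_checksum()   # addresses changed, so the old checksum is wrong

    def translate_inbound(self, pkt):
        target = self.in_map.get(pkt.dst_port)
        if target is None:
            return None                     # no mapping: the internal network is unreachable unsolicited
        rewritten = replace(pkt, dst_ip=target[0], dst_port=target[1])
        return rewritten.with_checksum()


if __name__ == "__main__":
    nat = NatRouter("203.0.113.1")
    out = nat.translate_outbound(Packet("10.0.0.5", 5000, "198.51.100.7", 80, b"GET /").with_checksum())
    print("outbound after NAT:", out.src_ip, out.src_port, "checksum ok:", out.checksum_ok())
    back = nat.translate_inbound(Packet("198.51.100.7", 80, "203.0.113.1", out.src_port, b"200 OK").with_checksum())
    print("reply delivered to:", back.dst_ip, back.dst_port)
```

The `translate_inbound` returning `None` for an unknown port is the "prevents an external site from knowing any information about the internal network" property in miniature; the protocols the text says break through NAT are those that carry an IP address inside the payload, which this rewrite never touches.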

Application gateways and proxies: The primary difference between firewalls and routers is that firewalls actually run applications. These applications frequently include mail daemons, ftp servers and web servers. Firewalls also usually run what are known as application gateways or proxies. These are best described as programs which understand a protocol's syntax, but do not implement any of the functionality of the protocol. Rather, after verifying that a message from an external site is appropriate, they send the message on to the real daemon which processes the data. This provides security for those applications that are particularly susceptible to interactive attacks. One advantage of using a firewall for these services is that it makes it very easy to monitor all activity, and very easy to quickly control what gets in and out of a network.
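An application gateway of the kind described, one that "understands a protocol's syntax but does not implement any of the functionality", can be small. The following is an added example, not code from this article: a gateway for SMTP commands that checks each line against a grammar of permitted verbs and argument shapes and only then hands it to the real daemon, which here is a constructed stand-in that records what it receives. Anything the grammar does not cover (unknown verbs, over-long lines, non-printable bytes, malformed addresses) is answered by the gateway and never reaches the daemon, which is exactly the protection the text describes for services prone to interactive attacks.

```python
import re

MAX_LINE = 512   # SMTP command-line limit including CRLF (RFC 5321)

# The grammar the gateway understands: verb -> pattern its argument text must match.
COMMAND_GRAMMAR = {
    "HELO": re.compile(r"^[A-Za-z0-9.-]+$"),
    "EHLO": re.compile(r"^[A-Za-z0-9.-]+$"),
    "MAIL": re.compile(r"^FROM:<[^<>\s]*>$", re.IGNORECASE),   # <> (null sender) is legal
    "RCPT": re.compile(r"^TO:<[^<>\s]+>$", re.IGNORECASE),
    "DATA": re.compile(r"^$"),
    "RSET": re.compile(r"^$"),
    "NOOP": re.compile(r"^$"),
    "QUIT": re.compile(r"^$"),
}


class RecordingDaemon:
    """Constructed stand-in for the real mail daemon behind the gateway."""

    def __init__(self):
        self.lines = []

    def __call__(self, line):
        self.lines.append(line)
        return "250 OK"


class SmtpGateway:
    """Validates command syntax, forwards only well-formed commands to the backend."""

    def __init__(self, backend):
        self.backend = backend
        self.rejected = []   # (line, reason) pairs, the audit trail the text mentions

    def check(self, line):
        if len(line) > MAX_LINE or not line.isascii() or not line.isprintable():
            return False, "line too long or contains non-printable characters"
        verb, _, arg = line.partition(" ")
        pattern = COMMAND_GRAMMAR.get(verb.upper())
        if pattern is None:
            return False, "command not permitted"
        if not pattern.match(arg):
            return False, "malformed argument"
        return True, ""

    def handle(self, line):
        ok, reason = self.check(line)
        if not ok:
            self.rejected.append((line, reason))
            return "500 Rejected by gateway: " + reason
        return self.backend(line)


if __name__ == "__main__":
    daemon = RecordingDaemon()
    gw = SmtpGateway(daemon)
    for cmd in ["EHLO mail.example.com", "MAIL FROM:<alice@example.com>",
                "VRFY root", "RCPT TO:<bob@example.org>", "DATA extra"]:
        print(cmd, "->", gw.handle(cmd))
    print("reached the daemon:", daemon.lines)
```

Note that the gateway allow-lists verbs rather than block-listing bad ones: a daemon's risky extras (here VRFY, for instance) are excluded by default, and adding a verb means consciously writing its grammar.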

Conclusion

There are two basic types of network security, transit security and traffic regulation, which when combined can help guarantee that the right information is securely delivered to the right place. It should be apparent that there is also a need for ensuring that the hosts that receive the information will properly process it, this raises the entire specter of host security: a wide area which varies tremendously for each type of system. With the growth in business use of the Internet, network security is rapidly becoming crucial to the development of the Internet. Soon, security will be an integral part of our day to day use of the Internet and other networks.