SQL Injection

Behind the scenes of a Web-based email application is a database that stores the messages and allows each user to see his or her emails, folders, and address books. However, if attackers can fool the application into giving them direct access to the database, all the information stored in the database can be compromised. This can allow an attacker to not only read email, but also alter or even delete the messages.

How the Attack Works

All the attacks in this blog could have been conducted with a technique called Structured Query Language (SQL) injection. Just as cross-site scripting injects HTML and JavaScript into an HTML page, SQL injection inserts attacker-supplied SQL into the statements an application sends to its database. SQL is the language used to interact with most databases, and a database is where most, if not all, Web-based email applications store their information.

Imagine that a Web-based application has a login screen where users are required to supply a login ID and password to access the system. Sitting behind this login screen is a database table containing all users of the system. The SQL code that looks up users might look something like this:

"SELECT * FROM UserTable WHERE Login = '" + strLogin + "' AND Password = '" + strPassword + "'"

In this case, the strLogin and strPassword variables hold the login ID and password the user enters. Code like this appears in the vast majority of Web applications; only the names of the table, fields, and variables differ. The intended behaviour is that when a user supplies the login ID jeremy and the password mypassword, the two values are concatenated into the SQL command and the result is passed to the database:

SELECT * FROM UserTable WHERE Login = 'jeremy' AND Password = 'mypassword'

If there’s a user with the login ID jeremy and the password mypassword, the user is authenticated and allowed into the system. This is the intended usage of the system and how most users would interact with the application.

The problem arises when an attacker accesses the same application. Rather than play by the rules, the Web application attacker attempts to use the application against itself. If proper network security measures have been taken, the attacker has no direct network access to the database containing the user information. The application, however, must have that access in order to authenticate users. If the attacker can manipulate the application into doing the work for him, he can reach the database through the application and circumvent the network security measures. The opening is the concatenation itself: because the user's input is pasted into the statement as text, nothing stops quote characters and SQL keywords in that input from being read by the database as part of the command.
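The following Python example, added here and not part of the original post, puts the post's query into working code against an in-memory SQLite table. UserTable, the two sample accounts and the two payloads are constructed for the demonstration; vulnerable_login() concatenates input exactly as the pseudo-code above does, while safe_login() binds the same values as parameters.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's UserTable (sample data, not real accounts).
    Passwords are stored in clear only to mirror the post's query; real systems store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (Login TEXT, Password TEXT)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?)",
                     [("jeremy", "mypassword"), ("alice", "s3cret")])
    return conn


def vulnerable_login(conn, str_login, str_password):
    """Builds the query by string concatenation, exactly as the post's pseudo-code does.
    Whatever the user types becomes part of the SQL text the database parses."""
    query = ("SELECT * FROM UserTable WHERE Login = '" + str_login
             + "' AND Password = '" + str_password + "'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, str_login, str_password):
    """Same lookup with bound parameters: the database receives the SQL and the
    values separately, so quotes and keywords in the input are only data."""
    query = "SELECT * FROM UserTable WHERE Login = ? AND Password = ?"
    return conn.execute(query, (str_login, str_password)).fetchone() is not None


# Two classic payloads (constructed). The first comments out the password check:
#   ... WHERE Login = 'jeremy' --' AND Password = 'wrong'
# The second turns the WHERE clause into a tautology through the password field:
#   ... WHERE Login = 'anyone' AND Password = '' OR '1'='1'
COMMENT_OUT = ("jeremy' --", "wrong")
TAUTOLOGY = ("anyone", "' OR '1'='1")

if __name__ == "__main__":
    db = make_db()
    for login, password in (("jeremy", "mypassword"), COMMENT_OUT, TAUTOLOGY):
        print(f"{login!r:16} {password!r:16} "
              f"vulnerable={vulnerable_login(db, login, password)} "
              f"safe={safe_login(db, login, password)}")
```

Running it shows the attacker authenticating through the concatenated query with either payload and failing against the parameterized one, which is the only change between the two functions.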

SQL injection is a powerful technique that makes it possible for attackers to quickly and easily gain access to sensitive information. Without the proper safeguards in place, applications that are vulnerable to SQL injection essentially place their databases directly on the Internet, giving anyone who stumbles across the vulnerability access to the information stored within.

Filed under: Attacks | Posted on December 2nd, 2009 by admin | No Comments »

How to Fight a DoS Attack

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. DoS attacks are fast becoming the weapon of choice for hackers. However, you can take the following measures to counter these attacks.

  1. Disable unused or unneeded network services.
  2. Maintain regular backups.
  3. Create, maintain, and monitor daily logs.
  4. Create appropriate password policies.
  5. Implement an intrusion detection system.
  6. Implement router filters that drop fragmented ICMP packets.
  7. Keep a strict vigil on the physical security of your network resources.
  8. Configure filters that drop packets with spoofed source addresses (ingress and egress filtering).
  9. Install patches and fixes that harden the TCP stack against SYN floods, such as SYN cookies.
  10. Partition the file system to separate application-specific files from regular data.
  11. Deploy tools such as Tripwire that detect changes to configuration information or other files.

Filed under: Attacks | Posted on December 2nd, 2009 by admin | No Comments »

A New Attack on Websites – clickjacking

With clickjacking, the attacker overlays invisible content on a page so that when the user thinks he is clicking a harmless link or button, the click actually lands on an element the attacker has chosen, typically a button on a legitimate site loaded in a transparent frame. A related technique works through banner ads: attackers chain multiple redirects through a series of banner ads, eventually sending users to a site hosting malware that is installed on the user's computer without any further interaction. This works because the primary (first-redirect) banner ads are benign and draw no attention when placed on leading search engines and popular sites.

Clickjacking is the term coined in September 2008 for a class of browser-based attacks that trick users into clicking on site buttons or Web forms. Such attacks hide malicious actions under the cover of a legitimate site, and in principle can be used to empty online bank accounts, secretly turn on Web cameras or even change a computer's security settings to make it vulnerable to further attack.
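Whether a page can be loaded in an invisible frame at all depends on the framing policy its server sends. The following Python example, added here and not part of the original post, classifies a site's response headers by the two mechanisms browsers honour for this, X-Frame-Options and the CSP frame-ancestors directive (neither is mentioned in the post; X-Frame-Options shipped in 2009 and frame-ancestors later). The three header sets are constructed samples, not responses from any real site.

```python
def framing_policy(headers):
    """Classify how a response may be framed, from its anti-clickjacking headers.

    Returns one of:
      "blocked"      nobody may frame it
      "same-origin"  only pages from the same origin may frame it
      "restricted"   an explicit list of other origins may frame it
      "frameable"    no framing restriction at all (clickjacking candidate)
    """
    lower = {name.lower(): value for name, value in headers.items()}

    # Browsers that understand frame-ancestors ignore X-Frame-Options when it is present,
    # so the CSP directive is checked first.
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if sources == ["none"]:
                return "blocked"
            if sources == ["self"]:
                return "same-origin"
            return "restricted"

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    if xfo.startswith("ALLOW-FROM"):      # legacy, single-origin allow list
        return "restricted"
    return "frameable"


# Constructed response headers for three hypothetical sites.
RESPONSES = {
    "bank-unprotected": {"Content-Type": "text/html"},
    "bank-xfo": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "bank-csp": {"Content-Type": "text/html",
                 "X-Frame-Options": "SAMEORIGIN",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}


def frameable_sites(responses):
    """Names of the responses a clickjacking page could embed without restriction."""
    return sorted(name for name, h in responses.items() if framing_policy(h) == "frameable")


if __name__ == "__main__":
    for name, headers in RESPONSES.items():
        print(f"{name:18} {framing_policy(headers)}")
```

Only the first site is a clickjacking candidate; the check is worth running against every page that performs a state-changing action on a click, not just the login page.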

Filed under: Attacks | Posted on December 2nd, 2009 by admin | No Comments »

Attacks on SSL

One of the many functions of SSL is providing encrypted communications. Many attacks on SSL aim to break the encryption by discovering the secret key in use. Remember that SSL uses symmetric-key cryptography for the encryption of the data itself: after the handshake, the client and server share the same secret key, which is used both to encrypt and to decrypt the communications (public-key cryptography is used only during the handshake, to agree on that key). If an attacker can discover this secret, he can decrypt the communications.

The way this symmetric key is generated matters. In basic terms, the key is produced by feeding random values through a fixed mathematical computation. The computation is the same for every connection and is designed so that the key cannot be deduced from it alone. Because the computation is part of the software and public knowledge, the attacker will be far more interested in the randomly generated input. If he can learn or guess the random value (because the random number generator is weak, or is seeded from something predictable such as the time of day), he simply runs it through the same computation to obtain the secret key.
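To make the point about the random input concrete, the following Python example (added here, not from the original post) uses a toy key derivation and a toy HMAC-based stream cipher standing in for SSL's real algorithms; the attacker knows both, just as he knows SSL's. The session's only secret is a "random" value drawn from a 16-bit space, an assumption modelling a badly seeded generator, and recover_key() shows how quickly that space is exhausted.

```python
import hashlib
import hmac


def derive_key(random_value, key_len=16):
    """Toy stand-in for the handshake's key computation: fixed and public.
    The only secret input is random_value (at most 32 bits in this toy)."""
    return hashlib.sha256(random_value.to_bytes(4, "big")).digest()[:key_len]


def _keystream(key, length):
    """Toy stream cipher: HMAC-SHA256 in counter mode. Not a real SSL cipher suite."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """XOR with the keystream, then append an 8-byte HMAC tag (the record MAC)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()[:8]


def decrypt(key, record):
    """Return the plaintext, or None if the MAC does not verify under this key."""
    ct, tag = record[:-8], record[-8:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest()[:8], tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def recover_key(record, seed_bits=16):
    """The attacker's side: he knows derive_key() but not its input. If the
    'random' value really came from a space of only 2**seed_bits possibilities
    (say, a generator seeded from the clock), he tries them all and lets the
    record MAC tell him when he has found the right key."""
    for candidate in range(1 << seed_bits):
        plaintext = decrypt(derive_key(candidate), record)
        if plaintext is not None:
            return candidate, plaintext
    return None


if __name__ == "__main__":
    weak_random = 0x2A17                      # constructed: only 16 bits of entropy
    session_key = derive_key(weak_random)
    record = encrypt(session_key, b"GET /inbox HTTP/1.0")
    print(recover_key(record))                # -> (10775, b'GET /inbox HTTP/1.0')
```

The search costs at most 2**16 key derivations here. With a properly generated random input of 128 bits or more, the same loop would never finish, which is the whole reason the quality of the random number generator matters to SSL.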

As mentioned earlier, another attack is the man-in-the-middle attack. Several different attacks are performed from this position; one of the simplest is for the attacker to impersonate both parties. The attacker gets into a position where he appears to you as the trusted party and appears to the trusted party as you. He then intercepts communications at the very start, while you are setting up the SSL connection, and presents you with a fraudulent certificate for the trusted party. If you accept it as valid (for example, by clicking through the browser's certificate warning) and set up the SSL connection through him, he can read and alter everything you send to the trusted party. This is why the certificate check in the handshake matters: the encryption protects you only against parties that do not hold the key you negotiated, and in this case you negotiated it with the attacker.

Filed under: Attacks | Posted on December 2nd, 2009 by admin | No Comments »

Denial-of-Service Attacks

Hackers can wreak havoc without ever penetrating your system. For example, an attacker can effectively shut down your computer by flooding it with traffic or by sending it malicious input. This technique is known as a denial-of-service attack.

Attackers execute a denial-of-service attack by one of two methods. The first is to flood the target computer or network device with so much traffic that it is overwhelmed and can no longer serve legitimate requests. The second is to send a single well-crafted command or piece of malformed data that crashes the target by exploiting a bug in the way it handles input.
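Flooding leaves a distinctive pattern in connection logs, which is what makes the earlier post's advice to monitor logs and run an intrusion detection system actionable. The following Python example is added here (it is not from the original post) and runs a simple SYN-flood detector over a constructed packet trace; the window size, thresholds and addresses are assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Constructed sample traffic to one server port: (seconds, source IP, TCP flag).
# One legitimate client completes three handshakes (SYN followed by ACK); then
# 300 SYNs arrive from many different addresses and none is completed, the
# signature of a SYN flood from spoofed sources.
SAMPLE = (
    [(t, "198.51.100.7", "SYN") for t in (0.0, 2.0, 4.0)]
    + [(t + 0.1, "198.51.100.7", "ACK") for t in (0.0, 2.0, 4.0)]
    + [(5.0 + i / 100, f"203.0.113.{i % 250 + 1}", "SYN") for i in range(300)]
)


def syn_flood_alerts(events, window=1.0, syn_threshold=50, max_completion=0.2):
    """Bucket inbound packets into fixed windows and flag windows in which many
    SYNs arrive but few handshakes complete (few ACKs seen in the same window).

    A per-source threshold alone misses this attack because the sources are
    spoofed and each appears only once or twice; the SYN:ACK ratio and the
    number of distinct sources do not depend on trusting the source address.
    """
    syns = defaultdict(int)
    acks = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, flag in events:
        bucket = int(ts // window)
        if flag == "SYN":
            syns[bucket] += 1
            sources[bucket].add(src)
        elif flag == "ACK":
            acks[bucket] += 1

    alerts = []
    for bucket in sorted(syns):
        completion = acks[bucket] / syns[bucket]
        if syns[bucket] >= syn_threshold and completion < max_completion:
            alerts.append({
                "window_start": bucket * window,
                "syns": syns[bucket],
                "acks": acks[bucket],
                "distinct_sources": len(sources[bucket]),
            })
    return alerts


if __name__ == "__main__":
    for alert in syn_flood_alerts(SAMPLE):
        print(alert)
```

On the sample the three one-second windows of the flood are reported with 100 SYNs, no ACKs and 100 distinct sources each, while the legitimate client's windows are not. Tune syn_threshold to the server's normal connection rate before trusting the alerts.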

Filed under: Attacks | Posted on December 2nd, 2009 by admin | No Comments »

What to Block in a Personal Firewall?

The most difficult part of implementing a personal firewall is knowing what to block. The simplest answer is that you should block all unsolicited incoming traffic. Traffic that is a reply to something you initiated, such as the pages returned while you browse a Web site or make a purchase over an SSL-enabled site, is solicited and must be let through; incoming connections you did not initiate should be blocked. On both Windows- and Linux-based systems, a number of ports are open by default that can be dangerous to your system. Several other ports are of no real consequence, and it does not much matter whether you block them.

For the typical home setup, in which you have perhaps one or two machines and are not running server software such as your own Web site or mail server, blocking incoming traffic with firewall software is easy. If you run applications that open ports on your system, such as PCAnywhere or Winroute Web Administration, you must know which ports these third-party applications open. Several of the ports you really need to be concerned about (whether you run Windows or Linux), and should ensure your firewall blocks if you are not running server software, include

  • FTP (21)
  • Telnet (23)
  • SMTP mail (25)
  • DNS (53)
  • Finger (79)
  • Web/HTTP (80)
  • Sun RPC portmapper (111)
  • Auth/ident (113)
  • SNMP (161, UDP)
  • EPMAP, the Microsoft RPC endpoint mapper (135)
  • NetBIOS-NS (137)
  • NetBIOS-SSN (139)
  • Microsoft-DS/SMB (445, TCP and UDP)
  • R-services: rexec (512), rlogin (513), rsh (514), plus the lpd printer port (515)

Filed under: Firewall | Posted on December 2nd, 2009 by admin | No Comments »

Firewall Appliances

We have already said a good deal about firewalls; let's now look at firewall appliances. Small hardware appliances (devices separate from your computer) that you connect and configure are available on the market, although they are not as popular with home users as software products. Appliances enable remote management of small remote or home offices and are used to protect several computers at once. Setting up a hardware appliance is easier than setting up a software product, but appliances tend to cost more. Their feature sets are generally similar to those of software firewalls. Although we will not go into great detail about these more expensive hardware appliances, you should keep them in mind after you have learned a bit more about the capabilities of firewalls. Several hardware firewalls include the following:

Watchguard SOHO— The Watchguard SOHO (small office/home office) model uses stateful inspection and NAT. One feature, LiveSecurity, is a subscription that provides software updates, technical support, and some training, which makes updating the firewall's features painless. The SOHO also has a remote management feature and is frequently used in corporate environments to connect small home offices to the central corporate office, forming a virtual private network (VPN).

D-Link Systems DI-704— The DI-704 comes with a built-in hub or switch. This cuts down on the cost of buying a hub or switch to set up your internal network. It is not a robust appliance like the SOHO and has no VPN capability, Remote Authentication Dial-In User Service (RADIUS) capability, or encrypted remote management.

SonicWall SOHO2— The SOHO2 is on the expensive side of small appliances, retailing for about $495 for a 10-user model. It includes NAT, Web proxy, antivirus protection, multiple user IDs, RADIUS, DHCP server and client services, Web-content filtering, VPN, an intrusion detection mechanism, digital certificate authentication, centralized policy management, and customizable firewall protection.

Linksys BEFSR11— This model, similar to the DI-704, is cheaper than a SOHO2, but it has no VPN capability, no support for centralized policy management, no built-in antivirus or Web-content filtering, and no Java or cookie filtering. It uses packet filtering to protect the system, and it has an easy-to-understand user interface.

SNAPgear PRO— SNAPgear focuses on providing PPTP and IPsec VPN capabilities. Its price competes with the SOHO2 and the Watchguard SOHO. It has a second serial port that can be used to simultaneously support a dial-up/ISDN WAN and dial-in RAS connection and supports RADIUS/TACACS+ authentication and encryption. This is a robust Linux-based firewall.

Appliances do not really fit the needs of consumers in many cases: remote management, VPN, and authentication against RADIUS servers are not high on the priority list for home users.

Filed under: Firewall | Posted on December 2nd, 2009 by admin | No Comments »

Firewall Tools Available on the Internet

Previously we discussed how firewalls work. Now let's discuss the firewall tools that are available on the Internet. There are many tools available, each with its own set of features; choose whatever is appropriate for your network.

• Using Freeware and Shareware Products
• TCP Wrappers
• The TISFirewall Toolkit
• SOCKS
• SQUID
• Drawbridge
• SATAN
• Other Handy Security Software

Using Freeware and Shareware Products

There are new firewall vendors springing up almost daily. When you begin to think about how you want to implement a firewall, one of the things you have to do is to evaluate the available products and determine how they can fit into the architecture you design for the firewall. Some vendors offer a one-stop service and can provide you with everything, including packet filtering, application proxies, other security software, and even training and full-time support around the clock. If you do not have the skilled in-house resources to maintain a firewall, you might want to choose this route.

Before you decide on any specific solutions, though, you should read through this Post to learn about some of the firewall-related products available for download from the Internet. Most of these are either free or available for a small charge. Some, such as the TIS Firewall Toolkit, can be downloaded for free, yet have a “cousin” —a commercial version containing more features than the free version—that you can purchase.

Even though you might not decide to use any of these products in your firewall, simply understanding how they work can make you a better purchaser when it comes to evaluating the products you do have to pay for. In this post, you will examine a few of the more popular products. In the posts that follow, you will look at some of them in more detail.

TCP Wrappers

This set of programs was created by Wietse Venema to help protect the network at the Eindhoven University of Technology, where he was employed at the time. The purpose of the wrapper program is to insert a layer of access control and logging into the client/server-based TCP/IP network services model.

TCP Wrappers uses a daemon process named tcpd that is started in place of the actual network services defined in the inetd.conf file. In the usual configuration, the Internet daemon (inetd) listens for incoming network service requests. It determines which service is wanted by matching the request's port number with the service as defined in the file /etc/services. Using the service name, inetd then consults the configuration in inetd.conf to determine which protocol to use and how to start the needed daemon process. With TCP Wrappers installed, that entry names tcpd instead: tcpd logs the connection and checks the client against its access-control rules, and only then hands the connection to the real server.

The TCP Wrapper daemon uses the syslogd daemon for logging and, by default, sends its log data to the same place as the sendmail daemon (the mail facility). You can configure how syslogd handles these messages by editing /etc/syslog.conf.
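The access-control decision tcpd makes before handing a connection to the real server is driven by two files the post does not describe, /etc/hosts.allow and /etc/hosts.deny. The following Python model is added here and is not tcpd's code: it implements the documented evaluation order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted) and a subset of the client patterns (ALL, exact name or address, a leading-dot domain suffix, a trailing-dot address prefix, net/mask, and EXCEPT). The sample rule files and connection attempts are constructed for the demonstration.

```python
import ipaddress


def parse_rules(text):
    """Read hosts.allow / hosts.deny style text: one 'daemons : clients' rule per line,
    ignoring blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(line)
    return rules


def _pattern_matches(pattern, host, ip):
    """Simplified hosts_access(5) client patterns: ALL, exact host name or address,
    '.domain' suffix, 'a.b.c.' address prefix, or 'net/mask'."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, ip)


def _list_matches(client_list, host, ip):
    """'a, b EXCEPT c': matches if a or b matches and c does not."""
    include, _, exclude = client_list.partition(" EXCEPT ")
    if not any(_pattern_matches(p, host, ip) for p in include.split(",")):
        return False
    return not any(_pattern_matches(p, host, ip) for p in exclude.split(",") if p.strip())


def _rule_matches(rule, daemon, host, ip):
    daemons, clients = (part.strip() for part in rule.split(":", 1))
    if not any(d.strip() in ("ALL", daemon) for d in daemons.split(",")):
        return False
    return _list_matches(clients, host, ip)


def tcpd_decision(daemon, host, ip, hosts_allow, hosts_deny):
    """Returns (decision, matching_rule); matching_rule is None when neither
    file matched and tcpd's default of permitting the connection applies."""
    for rule in hosts_allow:
        if _rule_matches(rule, daemon, host, ip):
            return "allow", rule
    for rule in hosts_deny:
        if _rule_matches(rule, daemon, host, ip):
            return "deny", rule
    return "allow", None


# Constructed example configuration: telnet and ftp only from the LAN and the
# corporate domain, ssh from everywhere except one network, and deny the rest.
HOSTS_ALLOW = parse_rules("""
# /etc/hosts.allow (sample)
in.telnetd, in.ftpd : 192.168.1. , .corp.example
sshd : ALL EXCEPT 203.0.113.0/255.255.255.0
""")
HOSTS_DENY = parse_rules("ALL : ALL   # default deny for everything else")


def connection_attempt(daemon, host, ip):
    return tcpd_decision(daemon, host, ip, HOSTS_ALLOW, HOSTS_DENY)


if __name__ == "__main__":
    for attempt in (("in.telnetd", "ws1.corp.example", "10.9.8.7"),
                    ("in.ftpd", "pc7", "192.168.1.20"),
                    ("sshd", "scanner", "203.0.113.5"),
                    ("in.fingerd", "scanner", "198.51.100.9")):
        print(attempt, "->", connection_attempt(*attempt))
```

The "ALL : ALL" line in hosts.deny is the important one: without it, any service you forget to list is reachable from anywhere, because the wrapper's default is to permit.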

The TIS Firewall Toolkit

The Trusted Information Systems Internet Firewall Toolkit— usually just called FWTK or The Toolkit—has been around for quite some time. When Trusted Information Systems (TIS) merged with Network Associates, this new company was also the vendor responsible for the Gauntlet firewall. Although Gauntlet was originally developed as a commercial version of The Toolkit, it has since been developed and enhanced and for the most part does not share the same code as The Toolkit.

FWTK was developed for the Defense Advanced Research Projects Agency (DARPA) and is made available free of charge, though not unconditionally: you must first agree to the license. This is done by sending an email request to TIS. In response, you receive an automated email message, usually a few minutes later, that tells you the name of a temporary directory (available for only 12 hours) from which you can FTP the software.
Major components of The Toolkit are proxies that are used for the most popular TCP/IP utilities. The software tools that are included are the following:

netacl: network access control lists for services such as Telnet and Finger.
smap and smapd: a secure SMTP service (smap accepts incoming mail in a restricted environment; smapd passes the queued messages on for delivery).
ftp-gw: a proxy server for FTP.
tn-gw: a proxy server for Telnet.
rlogin-gw: a proxy server for rlogin.
plug-gw: a general-purpose proxy for services that have no dedicated proxy.
authd: an authentication service that supports "strong authentication" practices.
telnetd: a Telnet server that can be used to manage the firewall.
login-sh: an enhanced login program that supports secure logins using token authenticators, such as a smart card.
syslogd: a replacement for the traditional UNIX logging daemon.

The netacl component is usually configured to provide service access to the firewall itself, whereas the other proxies—such as tn-gw and ftp-gw—are used to provide pass-through proxies. They enable external users to access services that reside on hosts in the internal LAN, and vice versa.

SOCKS

SOCKS is a protocol designed to work in a client/server environment. A SOCKS server runs on the firewall host and provides a proxy service. When a client inside the protected LAN wants to connect to a service outside it, it connects directly if a direct connection is permitted. If not, it contacts the SOCKS proxy server and, by exchanging messages defined by the SOCKS protocol, negotiates a proxy connection. Once the connection is established, the client talks to the SOCKS server using the SOCKS protocol and the SOCKS server relays the traffic; the application server on the far side communicates with the SOCKS server as if it were the actual client.

There are two versions of the SOCKS protocol at this time. Version 4 is in wide distribution and supports TCP-based applications. Version 5, described in several RFCs, adds support for UDP applications and for authentication.

Unlike the proxy services provided by the TIS Firewall Toolkit, clients that use the SOCKS proxy protocol must first be "SOCKSified". This usually means they need to be recompiled to add the SOCKS client functions to the code. There are exceptions. Vendors have developed libraries for Windows clients that can SOCKS-enable existing client software, and a large number of software manufacturers have adopted the protocol and built SOCKS functions into their clients. In addition, the SOCKS Version 4 implementation available from NEC includes clients for Telnet, FTP, Finger, and WHOIS, and NEC's SOCKS Version 5 package adds clients for Archie, PING, and traceroute.

SQUID

SQUID, as the FAQ for this application states, is usually available at sushi bars. It is also the name of a proxy caching server available on the Internet. Like the TIS Firewall Toolkit and several other products discussed in this post, SQUID comes as source code and compiles on many popular UNIX variants.

A proxy server, as discussed earlier, works by intercepting the flow of IP traffic between a client and a server. The proxy communicates with each of these systems and acts as a man-in-the-middle, so that no IP packets are ever exchanged directly between the client and the server; this is how proxy servers can hide the identity of clients sitting behind the firewall. A caching server performs a different function. Caching is the process of holding copies of "hot objects", those that are frequently requested, so that when another request for the same object arrives it can be served quickly from the cache. Serving a request from the cache is usually faster for the client than querying the object's origin directly.

The objects the caching server buffers in memory (or in disk files) include data returned in response to requests by FTP, HTTP, and other network clients. In addition to caching these objects, SQUID also caches DNS lookups. SQUID is composed of several programs, including the proxy caching server itself (called squid), a DNS lookup helper called dnsserver, and other optional applications.

Drawbridge

So far in this Post, I have covered products that work basically as proxy servers. Remember, however, that for a proxy server to work optimally, you should place it behind a packet filter instead of connecting the proxy server host directly to the Internet. You can use a screening router as a packet filter, or you can use a software solution that also runs on a host computer.

Drawbridge is a free, high-speed packet filter that originally ran on DOS and now runs on FreeBSD. Like Drawbridge, FreeBSD is also available at no charge, hence its name. This packet-filtering application was developed at Texas A&M University specifically with the academic environment in mind.

SATAN

With such an infamous name, you might think that the SATAN utility is a hacker's tool designed to destroy your network. Actually, the name is an acronym for Security Administrator Tool for Analyzing Networks. If the name offends you, an option in the utility changes its display name to SANTA. The tool probes the hosts on your network for known weaknesses and reports them rather than exploiting them; it is a scanner, not a proxy server, packet filter, or firewall component at all. It is mentioned in this post because it is one of the more important tools that, used correctly, can help you determine whether your firewall does what you expect: run it from outside the firewall and see which services it can still reach.

Other Handy Security Software

This post briefly covered some of the tools you can download from the Internet and use to construct a firewall. You also took a quick look at the SATAN security reporting tool. Although the main topic of this Post is firewalls, it is important for you to also be able to monitor your network so that you can be sure that the firewall is really protecting you against known methods of attack.

Filed under: Firewall | Posted on December 2nd, 2009 by admin | No Comments »

How a Firewall Works

Computers communicate by sending electronic messages to each other. On the Internet, millions of computers send messages back and forth, so each computer on the Internet has a unique address, called an IP address, that’s used to distinguish that computer from all the others. When a message is sent from one computer to another, it’s divided into small pieces, called packets. Each packet contains the IP address of both the sending computer and the destination computer. These packets travel separately through the Internet until they reach the destination computer. Once all the packets arrive, they’re reassembled into the original message.

When a computer is connected to the Internet, it constantly sends and receives packets of information. Typically, this information is something useful. For instance, Web browsers receive packets that contain Web pages, and e-mail programs send packets that contain e-mail messages.

Sometimes your computer might receive packets of harmful data. For example, someone might send packets containing a program that scans your computer for weaknesses and then exploits those weaknesses. Other packets might contain malicious programs that can harm your data or steal personal information. To protect your computer from these threats, you should use a firewall to prevent harmful packets from entering your computer and gaining access to your data .

The Internet Connection Firewall included with Windows XP monitors and filters packets that are received by your computer. It prevents outsiders from making unauthorized connections to your computer, and it hides information about your computer from other computers on the Internet. Only the packets of information that your computer has specifically requested are allowed to pass; all others are silently discarded. In addition, the firewall can keep track of attempts to scan or compromise your computer, and it can store that information in log files.

While using the Internet Connection Firewall greatly improves your online security, keep in mind that it is limited to monitoring the Internet connection. It does not scan Internet content, such as Web sites, downloaded files, or e-mail messages, for viruses, nor does it protect your computer from intruders who have physical access to your computer or network. Nor does it filter outbound traffic, so a malicious program that is already running on your computer can still send data out through it.

Filed under: Firewall | Posted on December 2nd, 2009 by admin | No Comments »

Types of Firewalls

A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.

Software Firewalls

A software firewall is an application that provides firewall services and is installed on a (typically dedicated) computer. Software firewalls are the oldest type of firewall available and generally work very well. The downside of a software firewall is that you need a separate computer to run the firewall software, which in turn requires additional cost and administration to keep it running and secure. In addition, software firewalls are prone to the pitfalls of any other software package, namely memory leaks and operating system instability and vulnerabilities. Popular firewall packages vary in price and capability, from free (one is included in many Linux distributions) to several thousand dollars for well-optioned versions.

Hardware Firewalls

Similar to a software firewall, hardware firewalls perform the same functionality, but, instead of requiring separate computer hardware, they are typically dedicated units. Typical candidates for hardware firewalls are routers and small network appliances, which are basically small computers with no other use but to run a basic operating system (often Linux) and the firewall application. These units can be easier to maintain because they are purposely built for the task, but can cost more because you have to purchase the hardware at the same time (instead of perhaps using a spare system for a software firewall). Sometimes, depending on the unit, upgrading or changing your firewall can come at an even greater cost because you are usually locked in to that particular brand of firewall, instead of being able to change just the firewall application as you would with a software firewall. In addition, dedicated servers can handle more data being passed through the firewall; so, if your site generates a lot of Internet traffic, you may want to take this into consideration when planning your firewall implementation.

Packet Filters

Packet filters are the most basic kind of firewall package you can use. A packet filter takes packets and routes them between trusted networks (your internal network) and untrusted networks (the Internet). The benefits of a packet filter include being typically inexpensive to purchase and implement, and featuring fast scanning of data passing by. You can also purchase basic packet filters for individual workstations.

On the bad side, they are the least secure, because they cannot lock down the application data passing through to the outside world: they typically examine only the network- and transport-layer headers (addresses, protocol and port numbers), not the Application layer. Packet filters can block traffic to specific ports, which is helpful in limiting a particular service, such as dropping packets destined for port 21 (FTP). They are useful tools, but should be used in concert with other firewall solutions for good security, for example as a first-line filter in front of a stateful packet inspection firewall.

Stateful Packet Inspections

This type of firewall encompasses packet filtering with a twist. When an outbound packet passes the firewall, the firewall records the connection (addresses, ports and protocol) in a state table for as long as that connection lasts, so that the return packets are recognised as replies and let through without a separate rule. This differs from a plain packet filter, where if inbound UDP is blocked, for instance, it is blocked all the time, replies included, unless you open it for specific systems. These firewalls also work at the network and transport layers of the TCP/IP model, and the connection tracking gives better overall security for your network.

Stateful packet inspection firewall solutions also improve upon the packet filter design by allowing administrators to implement user authentication to be able to connect to and pass information through the firewall. In addition, most of these types of firewalls can be configured to pass data based on application type, something that is not an option with many other types of firewall solutions. To their downfall, they can be costly, and although this is constantly changing, many of these solutions are software only. Ultimately, stateful packet inspection is the next big thing in firewall technology, something that will likely take over in the coming years due to its performance and flexibility.
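The difference between a plain packet filter and stateful inspection, and why the personal-firewall post above can say "block everything you did not initiate", is easiest to see by running both against the same packets. The following Python simulation is added here and is not code from the original post or from any firewall product: it uses the port list from the personal-firewall post as the stateless rule set and a flow table for the stateful one, over a constructed sequence of six packets. The addresses and the high-port probe are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (sent by our host)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Service ports from the personal-firewall post; a home machine running no
# servers should never accept a connection to them from the Internet.
SERVER_PORTS = {21, 23, 25, 53, 79, 80, 111, 113, 135, 137, 139, 161, 445,
                512, 513, 514, 515}


class StatelessFilter:
    """Plain packet filter: judges every packet on its own header fields.
    It has to leave the high ports open so that replies to our own requests
    (which arrive on an ephemeral port) can get in."""

    def decide(self, pkt):
        if pkt.direction == "out":
            return "accept"
        return "drop" if pkt.dport in SERVER_PORTS else "accept"


class StatefulFilter:
    """Stateful inspection: remembers the flows our host opened and admits only
    inbound packets that belong to one of them. Anything unsolicited is dropped
    whatever port it targets. (A real implementation also times entries out and
    checks TCP flags and sequence numbers; omitted here.)"""

    def __init__(self):
        self.flows = set()

    def decide(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if reverse in self.flows else "drop"


def run(firewall, packets):
    """Feed the packets through in order and return the decision for each."""
    return [firewall.decide(p) for p in packets]


HOME = "192.168.1.10"
SCENARIO = [
    Packet("out", "udp", HOME, 40000, "192.0.2.53", 53),      # our DNS query
    Packet("in",  "udp", "192.0.2.53", 53, HOME, 40000),      # the DNS reply
    Packet("out", "tcp", HOME, 50000, "198.51.100.80", 80),   # our web request
    Packet("in",  "tcp", "198.51.100.80", 80, HOME, 50000),   # the web reply
    Packet("in",  "tcp", "203.0.113.9", 5555, HOME, 445),     # unsolicited SMB probe
    Packet("in",  "tcp", "203.0.113.9", 5556, HOME, 5631),    # unsolicited probe of a high port
]

if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(), SCENARIO))
    print("stateful: ", run(StatefulFilter(), SCENARIO))
```

Both filters pass the DNS and web replies and drop the probe of port 445. The probe of the high port (the kind of port a remote-control program such as PCAnywhere opens) slips through the stateless filter, because no list of well-known ports can cover it, and is dropped by the stateful filter because no outbound flow matches it.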

Proxy Servers

Proxy servers are a type of firewall that not only can help limit what data flows in and out of your network, but can also help provide additional network performance. Most proxy servers provide caching of Web pages to help cut down on the amount of data being transferred from the Web site to the client and thus improve performance.

As far as security is concerned, proxy servers have a few useful features in that they can require authentication to allow data to pass through to that client. In addition, they can be used to limit access to a given URL from users on your inside network and can also perform filtering of requests. By filtering requests, proxy servers can scan for inappropriate words or data that should be blocked and then stop access to that data.

Proxy servers are relatively easy to set up initially, but it can be difficult to get top performance from caching, and to block specific URLs and filter content in a way that does not disrupt regular use by end users. In addition, proxy servers require additional configuration on each client that uses them. Although most, if not all, operating systems and Web browsers can be configured for a proxy server, doing so takes additional time to configure and maintain each system, which is certainly something to keep in mind.

As you can see, many of the different types of firewall technologies share similar features. Do keep in mind, though, that each firewall type provides its own benefits and drawbacks as you select the type or types you need.

Filed under: Firewall | Posted on December 2nd, 2009 by admin | No Comments »

Copyright © 2010 Network Security. All rights reserved.