Context for Computer Network Security

In my last article, I warned of the risks of computer networks being compromised. Ironically, just as the Business Examiner was hitting the street, a new worm, Nimda, started infecting Windows-based computers all over the Internet.

Fortunately, Nimda did not turn out to be terribly destructive. Other than consuming human resources to repair or replace infected computers, and the networking bandwidth wasted as it propagated, not much damage was done. This was because Nimda’s author was (relatively) nice, and I think was proving a point — they could easily have left a formatted, non-functional machine.

Nimda showed by example that we need to do better. Nimda used multiple exploits, for vulnerabilities whose patches had been available for many months. For the Gartner Group, it was the last straw: they issued an advisory recommending that enterprises look to alternatives to Microsoft's Internet Information Server (IIS) for web hosting.

With the explosion of the Internet over the last few years, there are now tens of millions of computers interconnected. Unfortunately, most of these machines are not appropriately secured or managed, having been thrown online without needed security issues being addressed.

While it’s impossible to communicate everything required to secure a computer network in a single article (that requires books, and much time), I hope to give a high-level overview of how the Internet works, and so provide a context for discussing network security.

The Internet uses the TCP/IP networking protocol "stack" (of layers). These are open (as in published) protocols which have effectively taken over and are replacing other networking protocols, such as Novell's IPX/SPX, even in company Local Area Networks (LANs). (Token ring belongs to a lower layer: it is one way of carrying packets over the wire, and TCP/IP can run on top of it. It has been displaced by Ethernet rather than by TCP/IP.)

Each computer directly connected to the Internet has a unique IP address, such as 139.142.246.27. Knowing this address, any other computer on the 'net can send traffic to this machine, no matter how far apart they are; the Internet will automatically route the traffic between them. A machine which has its own unique, reachable IP address is known as a "full peer". (Machines hidden behind Network Address Translation, discussed below, are not full peers: the outside world cannot reach them directly.)

But simply sending data (in the form of packets) between machines is just the start of the process. In order to be useful, there must be agreement between the machines on how to interpret this data. This is done by a Server offering Services to a Client on predefined Ports (a port is a number carried in each TCP or UDP packet that identifies which service on the machine the packet is meant for), using an agreed Protocol for data representation.

Two examples are HyperText Transfer Protocol (HTTP) services being offered on port 80 for Web pages, and Simple Mail Transfer Protocol (SMTP) services being offered on port 25. HTTP and SMTP, along with hundreds of others, are known as Application protocols. They sit on top of and leverage the TCP/IP layers to move the data about.
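As an added illustration (this is example code written for this edition of the column, not something from the original article), here is a small Python program that plays both roles described above: a server offering a minimal HTTP/1.0 service on a port, and a client that connects to that port and speaks the protocol byte for byte. It binds to 127.0.0.1 on a port the operating system picks, so it runs offline; the greeting text, the ephemeral port and the two-page "site" are assumptions made for the example.

```python
import socket
import threading


def start_http_server():
    """Offer a minimal HTTP/1.0 service on 127.0.0.1.

    Binding to port 0 lets the OS pick a free port; a real web server would
    bind the well-known port 80. Returns (listening_socket, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def handle(conn):
        # The application protocol: read the request up to the blank line that
        # ends the headers, then answer with a status line, headers and a body.
        with conn:
            request = b""
            while b"\r\n\r\n" not in request:
                chunk = conn.recv(1024)
                if not chunk:
                    return
                request += chunk
            request_line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
            parts = request_line.split()
            if len(parts) == 3 and parts[0] == "GET" and parts[1] == "/":
                status, body = b"200 OK", b"hello from port %d\n" % port
            else:
                status, body = b"404 Not Found", b"no such page\n"
            conn.sendall(
                b"HTTP/1.0 " + status + b"\r\n"
                b"Content-Type: text/plain\r\n"
                b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n"
                b"\r\n" + body
            )

    def serve():
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:
                return  # listening socket was closed: stop serving
            handle(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_http_server(srv):
    """Close the listening socket, waking the serving thread so it exits."""
    try:
        srv.shutdown(socket.SHUT_RDWR)  # wakes a blocked accept() on Linux
    except OSError:
        pass
    srv.close()


def http_get(host, port, path="/"):
    """Act as the client: TCP-connect to (host, port) and speak HTTP/1.0 by hand.

    Returns (status_code, body_bytes). Nothing here is specific to port 80;
    the port is simply where the two sides agreed the service would be found.
    """
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        raw = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:  # HTTP/1.0: the server closes the connection when done
                break
            raw += chunk
    head, _sep, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return int(status_line.split()[1]), body


if __name__ == "__main__":
    listener, port = start_http_server()
    print(http_get("127.0.0.1", port, "/"))
    print(http_get("127.0.0.1", port, "/missing"))
    stop_http_server(listener)
```

The three layers the column describes are visible in the code: `create_connection` is TCP/IP delivering bytes to an address and port, and everything after it (the request line, the headers, the blank line, the status line) is the application protocol both sides agreed on. Swap the port for 80 and the host for a real server and the same client works, because the agreement is the protocol, not the number.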

Security issues arise when the Services being offered by a machine are mis-configured or have a bug which can be exploited. This is why keeping up to date with security patches is so critical: once a vulnerability becomes known, it is only a matter of time before Crackers and Virus/Worm authors start to use it.

Firewalls are often used to protect machines in a LAN from attacks originating from the Internet. By blocking incoming traffic, even a computer with unpatched, exploitable services can be protected from use by remote attackers. Firewalls can also be used to hide entire LANs behind a single IP address, using something called Network Address Translation (NAT).

However, a firewall is not a panacea; it is simply one means of protecting one side of a network from the other. It is quite common to "punch holes" in a firewall to expose services to the outside world, such as port 80 in order to serve web pages. If the services exposed have exploitable bugs (such as the IIS bugs the Nimda worm used as one vector to spread itself), the firewall won't help at all, because it is deliberately letting that traffic through.

Another important consideration is that firewalls cannot protect machines from each other if their traffic doesn't flow through the firewall. Again, in the case of the Nimda worm, an IIS server behind a firewall on a LAN could become infected (Nimda had several ways in besides the IIS bugs), and then spread to other machines on the same LAN, whose traffic never crosses the firewall. Thanks for playing.

To combat this problem, one or more firewalls can be configured so that all machines which expose services to the Internet sit in a separate De-Militarized Zone (DMZ), unable to open connections to any machine in the safe LAN zone. Extreme paranoia (often a good idea in security matters) would dictate having a separate DMZ for each server, to prevent server-to-server infections.
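To make the NAT and DMZ ideas from the last few paragraphs concrete, here is a small Python model of the firewall policy they describe, written as an added example for this edition (it is not the original column's code and does not represent any particular firewall product). The topology is an assumption for the example: a LAN, one DMZ per exposed server (web and mail), and a single public address that the whole LAN is hidden behind. `decide()` applies the zone policy with first-match-wins and default deny; `NatTable` shows why hosts behind NAT are not reachable from outside unless they opened the session themselves.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for the example (all addresses are assumptions, drawn
# from the RFC 1918 private ranges and the RFC 5737 documentation ranges).
LAN = ip_network("192.168.1.0/24")         # the "safe" LAN zone
DMZ_WEB = ip_network("192.168.100.0/24")   # DMZ holding the public web server
DMZ_MAIL = ip_network("192.168.101.0/24")  # a second DMZ: one per exposed server
PUBLIC_IP = ip_address("203.0.113.10")     # the firewall's one Internet-facing address


def zone(ip):
    """Classify an address into the zone the firewall knows it by."""
    ip = ip_address(ip)
    if ip in LAN:
        return "lan"
    if ip in DMZ_WEB:
        return "dmz-web"
    if ip in DMZ_MAIL:
        return "dmz-mail"
    return "internet"


# Policy rows: (source zone, destination zone, TCP destination port or None
# for any port, verdict). First match wins; anything unmatched is denied.
POLICY = [
    ("internet", "dmz-web", 80, "allow"),   # the hole punched to serve web pages
    ("internet", "dmz-mail", 25, "allow"),  # and the one for inbound mail
    ("lan", "dmz-web", 80, "allow"),
    ("lan", "dmz-mail", 25, "allow"),
    ("lan", "internet", None, "allow"),     # outbound browsing from the LAN
    ("dmz-web", "lan", None, "deny"),       # an infected web server cannot reach the LAN
    ("dmz-mail", "lan", None, "deny"),
    ("dmz-web", "dmz-mail", None, "deny"),  # nor the other DMZ: no server-to-server spread
    ("dmz-mail", "dmz-web", None, "deny"),
    ("internet", "lan", None, "deny"),
]


def decide(src, dst, dport):
    """Return 'allow' or 'deny' for a new connection src -> dst:dport."""
    s, d = zone(src), zone(dst)
    for src_zone, dst_zone, port, verdict in POLICY:
        if src_zone == s and dst_zone == d and port in (None, dport):
            return verdict
    return "deny"  # default deny: nothing unlisted gets through


class NatTable:
    """Hide the LAN behind PUBLIC_IP: each outbound (host, port) pair is
    rewritten to (PUBLIC_IP, fresh public port) and replies are mapped back."""

    def __init__(self, first_port=40000):
        self._next_port = first_port
        self._sessions = {}  # (private ip, private port) -> public port

    def outbound(self, src, sport):
        """Rewrite a LAN packet's source; returns what the Internet sees."""
        key = (ip_address(src), sport)
        if key not in self._sessions:
            self._sessions[key] = self._next_port
            self._next_port += 1
        return str(PUBLIC_IP), self._sessions[key]

    def inbound(self, public_port):
        """Map a reply at PUBLIC_IP:public_port back to (private ip, port).
        Returns None when no session exists: unsolicited Internet traffic
        has no inside host to be forwarded to."""
        for (ip, sport), pport in self._sessions.items():
            if pport == public_port:
                return str(ip), sport
        return None


if __name__ == "__main__":
    print(decide("198.51.100.5", "192.168.100.7", 80))   # allow: public web
    print(decide("192.168.100.7", "192.168.1.20", 139))  # deny: DMZ -> LAN
    nat = NatTable()
    print(nat.outbound("192.168.1.20", 51000))           # ('203.0.113.10', 40000)
    print(nat.inbound(40001))                            # None
```

The two `deny` rows from each DMZ are the whole point of the design: a web server compromised through its port-80 hole can still answer the Internet, but it cannot open a connection toward the LAN or toward the mail server, so the Nimda-style hop from one infected server to the next is stopped at the firewall instead of at the (possibly unpatched) neighbour.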

Lastly, firewalls can be used to look for and report suspicious behavior. A common first step in an attack involves a "port scan", with a machine walking through a series of port numbers looking for exploitable services. When the firewall sees this, it can lock out the originating machine from connecting to any port, and raise an alert. (Automatic lockouts need some care: an attacker who forges the source address of a scan can trick such a rule into locking out a legitimate machine instead.)
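The detection step above, as an added example (not code from the original column): a Python routine that reads firewall log lines in the format the Linux iptables LOG target produces, counts how many distinct destination ports each source touches within a sliding time window, and flags the sources that look like scanners. The log sample is constructed for the example, as are the hosts, times and thresholds; `lockout_rules()` only returns the blocking commands as text for review, it does not run them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of firewall log lines in the format the Linux iptables
# LOG target writes (hypothetical hosts and times, not real captures).
SAMPLE_LOG = """\
Sep 19 02:14:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40331 DPT=21 SYN
Sep 19 02:14:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40332 DPT=22 SYN
Sep 19 02:14:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40333 DPT=23 SYN
Sep 19 02:14:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40334 DPT=25 SYN
Sep 19 02:14:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40335 DPT=80 SYN
Sep 19 02:14:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40336 DPT=110 SYN
Sep 19 02:14:04 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40337 DPT=139 SYN
Sep 19 02:14:04 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40338 DPT=443 SYN
Sep 19 02:14:05 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=51002 DPT=80 SYN
Sep 19 02:14:06 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=51003 DPT=80 SYN
Sep 19 02:14:07 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=51004 DPT=443 SYN
Sep 19 03:30:00 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=51005 DPT=22 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_events(log_text):
    """Yield (seconds, src, dport) for each TCP/UDP line; skip lines that don't match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") not in ("TCP", "UDP"):
            continue
        # strptime without a year yields 1900; only time differences matter here.
        stamp = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        seconds = (stamp - datetime(1900, 1, 1)).total_seconds()
        yield seconds, m.group("src"), int(m.group("dpt"))


def detect_port_scans(log_text, distinct_ports=6, window_seconds=60):
    """Flag sources that touch at least distinct_ports different ports within
    any window_seconds span. Returns {src: sorted list of all ports probed}."""
    by_src = defaultdict(list)
    for seconds, src, dport in parse_events(log_text):
        by_src[src].append((seconds, dport))

    scanners = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        # Sliding window over this source's time-ordered events: repeated
        # hits on one port (a busy legitimate client) do not count as a scan.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            ports = {p for _t, p in events[start:end + 1]}
            if len(ports) >= distinct_ports:
                scanners[src] = sorted({p for _t, p in events})
                break
    return scanners


def lockout_rules(scanners):
    """iptables commands that would drop all further traffic from each scanner.
    Returned as strings for an operator to review rather than executed here."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(scanners)]


if __name__ == "__main__":
    found = detect_port_scans(SAMPLE_LOG)
    for src, ports in found.items():
        print(f"port scan from {src}: ports {ports}")
    for rule in lockout_rules(found):
        print(rule)
```

In the sample, 198.51.100.7 walks eight ports in four seconds and is flagged; 192.0.2.44 only ever touches port 80 and 443 close together (the later port-22 hit falls outside the window), so it is left alone. The thresholds are the tuning knobs: too low and ordinary clients get locked out, too high and a slow scan spread over hours slips under the window.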

While firewalls are powerful weapons in the fight against crackers, there is a tendency to rely on them too much. Often, machines behind the firewall do not have security patches applied to their software because it is assumed they are protected. As explained above, this is a risky posture.

Another frequent mistake made in firewall deployment is the use of a server as a firewall. The firewall's security then depends on every other service being offered on that machine being secure as well. If the firewall machine becomes compromised, all bets are off. This kind of problem is much more common than you'd think, with people installing ZoneAlarm on their ADSL- or cable-modem-connected machines and thinking they're safe.

Securing a computer network is a complex endeavor, and one which is never entirely complete — there’s always the next software bug or network compromise waiting to be discovered. Security experts tend to be paranoid and nervous people, by professional requirement, and read obsessively.

While it is important not to go too far with an organization's security posture, spending more to manage the risk than is warranted, the unfortunate truth is that the trend is in the other direction, with most networks unreasonably exposed. Bringing in a computer security expert, temporarily or on a full-time basis, may save your organization an embarrassing future disaster.

Published in the Victoria Business Examiner.