Network Security
When it comes to enhancing computer security, it is better to follow the philosophy
"that which is not expressly permitted is denied" than "that which is not expressly
prohibited is allowed." As companies provide Internet users with access to their World
Wide Web (WWW) and File Transfer Protocol (FTP) information servers, and allow internal
users access to the Internet, the risk greatly increases that a skilled computer hacker
will drive a wedge into the small openings in network and client security. The more
access provided, the greater the risk of security breaches.
Taking advantage of network vulnerabilities is a real threat. In a 1997 report, the Computer Security Institute and Federal Bureau of Investigation reported 47% of 563 U.S.
companies surveyed had been attacked through the Internet. This is up from 37% in the
CSI-FBI 1996 report. The report also noted 43% of respondents experienced security attacks
from within their organization. Over 70% blamed hackers, while more than half believe
business competitors were responsible for the intrusions. Of those reporting losses, 59%
could quantify the losses, which totaled $100 million.
A survey conducted in cooperation with a U.S. Senate subcommittee on the threats posed
to the nation's electronic infrastructure reported that hackers and competitors broke into
the computer systems of almost six of every ten major U.S. corporations in the past year.
This survey, based on 236 out of 500 major corporations responding, reported:
- 58% of respondents suffered computer break-ins in the past twelve months.
- Corporate competitors are believed responsible for many attacks. More than 22% of
attacks sought trade secrets or documents of primary interest to a competitor.
- Nearly 18% say they lost more than $1 million due to attacks. Over 66% suffered losses
exceeding $50,000.
In its annual report, the Computer Emergency Response Team listed nearly 2,500 reported
security incidents affecting over 12,000 sites in 1995. The most serious attacks included
IP spoofing, eavesdropping, and packet sniffing, in which the attacker directly reads
transmitted information (including confidential logon information or database contents).
Further, various surveys estimate that between 57% and 80% of all security violations
originate from within an organization, committed by current employees.
Security, for all its costs and visible limitations imposed upon an organization, needs
to be regarded as an enhancement that contributes to the long-term viability of an
organization as well as to the bottom line.
Every company needs a written security policy

One of the first steps for any concerned company should be the implementation of a
security policy that has approval from the highest levels of management. Management
approval helps reduce the inevitable complaints that arise from the user community and
gives the policy additional force. The policy should address
- the use of untrusted external resources by employees, including the ability for users to
download software into a sand-box environment (a constrained run-time environment) set up
to prevent code from accessing critical system resources;
- information access issues such as the required use of passwords, password management
(frequency of change, validity during time of day and week, etc.);
- the use of dial-up modems (who can access the network without going through a security
firewall, times of day for access, etc.);
- what can be hand copied into the system from the outside such as Internet downloads done
at home; and
- what actions should be taken in case of a security attack or breach.
Along with a published security policy, an organization should conduct a risk
assessment of its information systems and put in place risk-management protocols and
procedures.
Finally, and most importantly, educate users about the consequences of
downloading unauthorized software.
Security Protocols

Regular monitoring of network activity by time of day and IP address should be conducted
as part of the standard security protocol. Monitoring and recording access logs helps
identify patterns characteristic of break-in attempts and permits a rapid response, such
as turning off all communications with the client concerned. Saved logs are also critical
to the successful prosecution of a suspected hacker.
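As an added example (not code from the original page), the monitoring described above can be automated with a short script that summarises an access log by client IP address and flags the two patterns the text singles out: repeated failed logons from one address, and successful logons outside working hours. The log format, the addresses, the three-failure threshold and the 08:00 to 18:00 working day are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from the page): date, time, client IP, event, detail.
SAMPLE_LOG = """\
1998-03-12 09:14:07 192.168.1.20 LOGIN OK user=jsmith
1998-03-12 09:15:31 192.168.1.20 FTP GET report.doc
1998-03-12 02:41:02 203.0.113.9 LOGIN FAILED user=root
1998-03-12 02:41:05 203.0.113.9 LOGIN FAILED user=admin
1998-03-12 02:41:09 203.0.113.9 LOGIN FAILED user=guest
1998-03-12 02:41:14 203.0.113.9 LOGIN FAILED user=ftp
1998-03-12 03:02:55 198.51.100.77 LOGIN OK user=backup
1998-03-12 14:22:40 192.168.1.31 LOGIN FAILED user=mlee
1998-03-12 14:22:58 192.168.1.31 LOGIN OK user=mlee
"""

FAILED_THRESHOLD = 3            # failures from one address before we raise an alert
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 counts as normal working time (assumed)


def parse_line(line):
    """Split one log line into (timestamp, client_ip, event, detail)."""
    date, time, ip, rest = line.split(" ", 3)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    parts = rest.split(" ", 2)
    event = " ".join(parts[:2])          # "LOGIN OK", "LOGIN FAILED", "FTP GET", ...
    detail = parts[2] if len(parts) > 2 else ""
    return ts, ip, event, detail


def summarize(log_text):
    """Per client IP: failed logons, successful logons, and logons outside business hours."""
    stats = defaultdict(lambda: {"failed": 0, "ok": 0, "off_hours": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, _ = parse_line(line)
        if event == "LOGIN FAILED":
            stats[ip]["failed"] += 1
        elif event == "LOGIN OK":
            stats[ip]["ok"] += 1
            if ts.hour not in BUSINESS_HOURS:
                stats[ip]["off_hours"] += 1
    return dict(stats)


def find_suspicious(log_text):
    """Return {ip: [reasons]} for addresses whose activity looks like a break-in attempt."""
    alerts = {}
    for ip, s in summarize(log_text).items():
        reasons = []
        if s["failed"] >= FAILED_THRESHOLD:
            reasons.append(f"{s['failed']} failed logons")
        if s["off_hours"]:
            reasons.append(f"{s['off_hours']} logon(s) outside business hours")
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in find_suspicious(SAMPLE_LOG).items():
        print(f"{ip}: {'; '.join(reasons)}")
```

Run against the sample, the script reports the address that tried four accounts in a row at 02:41 and the off-hours logon from 198.51.100.77, while the user who mistyped a password once during the day is left alone. In practice the alert would feed the response the text describes (cutting the offending client off) and the raw log is kept unmodified as evidence.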
Beyond policy, a firewall between the Internet and the local area network (LAN) is
required to truly secure a site. A firewall can be software, hardware, or a combination of
the two. Most Internet routers available today support packet filtering which permits a
router to discard IP packets based on various criteria (a packet filtering
firewall examines all the packets it sees, then forwards them or drops them based on
predefined rules). These criteria can be based on source and destination IP address,
protocol type, or application type. For example, the packet filter can be used to permit
only traffic destined for the Internet File Transfer Protocol (FTP) server program to
reach a particular host. When properly implemented, packet filters provide a good first
defense against possible intruders. While packet filters provide some protection, they are
ineffective against many other attacks such as security holes within host applications.
For this reason, we recommend using software firewalls that support proxy application
gateways. With proxies, the firewall acts as an intermediary for user
requests, setting up a second connection to the desired resource either at the application
layer (an application proxy) or at the session or transport layer (a circuit relay). Proxy
servers will keep your Intranet computers from directly exchanging packets with the
Internet.
Firewalls usually include several software tools, such as separate proxy servers for
e-mail, FTP, Gopher, Telnet, WWW, and WAIS. Firewalls can also filter certain outbound
Internet Control Message Protocol (ICMP) packets so the server won't divulge any
network information. Also, some firewalls provide Network Address Translation (NAT). NAT
translates the Transmission Control Protocol/Internet Protocol (TCP/IP) address on the
internal LAN to another IP address for communicating across the Internet. This hides the
internal IP addresses (protecting them from IP spoofing) and also permits the use of
non-approved (unassigned) Internet addresses within the LAN.
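As an added illustration (not code from the page), here is a minimal packet-filter rule engine of the kind the paragraphs above describe: rules match on source and destination address, protocol and destination port, the first matching rule wins, and any packet no rule permits is dropped, which is the "not expressly permitted is denied" philosophy from the opening. The site (an FTP server at 192.0.2.10 and a LAN on 192.168.1.0/24) and the rule set are constructed for the example; port 21 is the standard FTP control port, and the ICMP rule mirrors the outbound ICMP filtering the text mentions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                     # source IP address
    dst: str                     # destination IP address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port (None for ICMP)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source network in CIDR form; 0.0.0.0/0 = any
    dst: str = "0.0.0.0/0"       # destination network; 0.0.0.0/0 = any
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every field the rule specifies agrees with the packet."""
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def decide(rules, pkt: Packet) -> str:
    """First matching rule wins; with no match the packet is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed site: the FTP server is reachable from anywhere on the FTP control port
# (21); the LAN may talk out, except ICMP, which could reveal information about the
# internal network; everything else, inbound or outbound, is dropped by default.
LAN = "192.168.1.0/24"
FTP_SERVER = "192.0.2.10/32"
RULES = [
    Rule("permit", dst=FTP_SERVER, proto="tcp", dport=21),
    Rule("deny", src=LAN, proto="icmp"),
    Rule("permit", src=LAN),
]

if __name__ == "__main__":
    for pkt in (
        Packet("203.0.113.5", "192.0.2.10", "tcp", 21),    # FTP from the Internet
        Packet("203.0.113.5", "192.0.2.10", "tcp", 23),    # Telnet to the same host
        Packet("203.0.113.5", "192.168.1.7", "tcp", 139),  # straight at a LAN host
        Packet("192.168.1.7", "198.51.100.3", "tcp", 80),  # LAN host browsing out
        Packet("192.168.1.7", "198.51.100.3", "icmp"),     # LAN host sending ICMP out
    ):
        print(pkt, "->", decide(RULES, pkt))
```

Note what the filter cannot see: it permits TCP to port 21 on the FTP server regardless of what the FTP server program does with the connection, which is exactly the "security holes within host applications" gap the text says packet filters leave open and proxies are meant to close.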
In order to traverse the Internet (or LAN) and ensure a message arrives at its proper
destination, a formal process is followed when a client initiates communications with a
server. Because of this formal process, the server does not need to look up the IP address
associated with a client's request, since it is already within the incoming message. Nor
does the server need to look up the return gateway and hardware address, because they are
also contained in the message. Basically, everything the server needs to respond to a
client is in the client's message. This is the root of a problem called IP spoofing, where
one system pretends to be another. IP spoofing works because most TCP/IP servers do not
attempt to verify whether a client is telling the truth about its IP address.
Firewall Protection

To protect against hackers, some level of protection is required between the LAN and the
outside. A firewall protects an internal network against all external network traffic
(malicious and otherwise) not specifically allowed by a security policy. A firewall
usually acts as a proxy server to mask all of the internal network's Internet Protocol
(IP) addresses outbound to the Internet. In this case, outbound packets are masked to look
like they originated on the proxy server. This prevents outside detection of the LAN
structure. Without a proxy server, a hacker monitoring the outbound traffic will
eventually determine individual IP addresses within the LAN, and then use IP spoofing to
feed those addresses back to the LAN server. The hacker then appears as a known client to
the LAN server.
It is important to note that there are several products on the market advertised as proxy
servers. Although these products provide proxy capabilities, they have limitations when
compared to firewalls. Unlike application-level firewalls, proxy servers do not provide
sophisticated event statistics, reports, alarms, or audit tracking. As part of a complete
security procedure, reporting and analysis are critical to preventive maintenance.
With the ability to mask inside IP addresses comes the ability to allocate any number of
addressing schemes. RFC 1918 defines the best current practice for address allocation for
private Intranets as follows. The Internet Assigned Numbers Authority (IANA) has reserved
the following three blocks of the IP address space for private Intranets:
    10.0.0.0 - 10.255.255.255 (10/8 prefix)
    172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
The first block is referred to as the "24-bit block", the second as the "20-bit block",
and the third as the "16-bit block". The first block is actually a single class A network
number, the second block is a set of 16 contiguous class B network numbers, and the third
block is a set of 256 contiguous class C network numbers. Anyone can use any combination
of these numbers, along with whatever valid subnet masking, so long as routers, hosts and
firewalls are appropriately configured. Remember: you must use a firewall, or at least a
network address translator, if you implement RFC 1918 addressing and want to connect to
the Internet. Of course, with a firewall, a business can implement any network-addressing
scheme.
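The RFC 1918 blocks above, together with the IP-spoofing discussion in the Security Protocols section, can be turned into a concrete check. The following is an added example (not from the page, and not from RFC 1918 itself): it tests whether an address falls in one of the three private blocks, derives the classful counts the text quotes (1 class A, 16 class B and 256 class C networks) from the prefix lengths, and applies the ingress rule those facts imply: a packet arriving on the firewall's Internet-facing interface whose source claims to be a private address cannot be legitimate, because private addresses are never routed on the Internet, so the firewall should drop it rather than let it reach the LAN server as a "known client". The interface names and sample addresses are constructed.

```python
import ipaddress

# The three blocks RFC 1918 reserves for private Intranets, as listed in the text.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True when addr lies inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def classful_networks(block: ipaddress.IPv4Network):
    """(class letter, number of classful networks) that a CIDR block spans.

    The class is decided by the first octet exactly as the old classful scheme
    did: 0-127 is class A (/8), 128-191 class B (/16), 192-223 class C (/24).
    A block shorter than the classful prefix holds 2**(class bits - prefix) networks."""
    first_octet = int(block.network_address) >> 24
    if first_octet < 128:
        letter, bits = "A", 8
    elif first_octet < 192:
        letter, bits = "B", 16
    else:
        letter, bits = "C", 24
    return letter, 2 ** (bits - block.prefixlen)


def ingress_decision(src: str, arrived_on: str) -> str:
    """Anti-spoofing check for packets entering the firewall.

    'external' is the constructed name of the Internet-facing interface. A packet
    from the Internet claiming an RFC 1918 source is either a spoof or a leak from
    someone else's private network; either way it has no business inside."""
    if arrived_on == "external" and is_private(src):
        return "drop: private source address on external interface"
    return "accept"


if __name__ == "__main__":
    for block in PRIVATE_BLOCKS:
        print(block, "->", classful_networks(block))
    for src in ("10.1.2.3", "203.0.113.5"):
        print(src, "arriving from the Internet:", ingress_decision(src, "external"))
```

The same check also catches a spoofed packet that claims one of the company's own internal addresses, provided the LAN is numbered from these blocks; a LAN numbered from officially assigned addresses would need its own prefix added to the drop list.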
Another purpose of a firewall is to perform IP filtering of incoming packets. After
careful monitoring, unusual activity originating from a specific IP address can be
identified and checked using the WHOIS program (available on the Internet at various
sites, including www.winsite.com) to determine the domain of the unwanted user. Once the
determination is made that this user should not be doing business on the company's
server, an IP filter can be used to block any further connections from the unwanted
user's domain while other users are still permitted access inside the firewall.
Several Internet sites provide current information on firewall products and vendors.
One site is the National Computer Security Association.
NCSA maintains various useful security links, such as CERT advisories, seminars,
conferences, reading lists, and related links.
Windows NT Security

Windows NT is an Operating System (OS) released in the fall of 1992. The OS has since gone
through various updates, with version 4.0 (Service Pack 4) the most recent rendition. The
OS, under the proprietary ownership of a single company, does not suffer the same level of
security issues as other mid- to high-level operating systems such as UNIX (Solaris,
SunOS, SCO UNIX, etc.), as is apparent from the number of security FAQs released for UNIX
versus Windows NT. It is interesting to note that Windows NT (v3.5, SP3) is one of only
two operating systems that provide C2 compliance in a regular, off-the-shelf version. By
the way, the other is OS/400.
In a recent computer magazine, over a dozen users and analysts said Microsoft
Corporation's Windows NT, versions 3.51 and 4.0, are "inherently secure operating systems
that are as good, if not better, than competing operating systems." But Windows NT has
very little security when taken right out of the box. It is therefore important to
understand and modify all security options appropriate for your site. Windows NT does not
provide suitable levels of security immediately after installation. Security gaps occur
when administrators do not understand the nuances of the OS and fail to properly implement
NT security permissions. When an administrator does not sufficiently implement NT's
security options, internal and external hackers can get full supervisory permissions to
access, delete, write, and execute other users' files. The following tips will help reduce
the chances of your NT system being hacked.
Tips to Reduce Your NT System's Chances of Being Hacked

- Install a firewall.
- Use NT's NTFS file system (and not FAT).
- Physically secure the server.
- Rename the Administrator account.
- Under User Manager/Policies/Account, use the Maximum Password Age, Minimum Password
  Length, Password Uniqueness, and Account Lockout features.
- Use alpha-numeric naming conventions for user names and passwords.
- Set up NT to lock out an account after several unsuccessful logon attempts.
- Use an Administrator decoy account to divert intruders into this fake honey-pot.
- Under NT 3.51, disable guest permissions (NT 4.0 automatically does this).
Security across the Internet

IP-level security includes two functional areas: authentication and privacy.
Authentication ensures a received packet was indeed transmitted by the source identified
in the packet header, and ensures that nothing has altered the packet in transit. Privacy
enables communicating nodes to encrypt messages to prevent eavesdropping by third parties.
These features are implemented as extension headers (the Authentication header and the
Encapsulated Security Payload (ESP) header) that follow the main IP header in a packet.
IP authentication services provide client workstations authentication directly to
servers, which can be either on the same network or on an external network. Another
application for the service is to allow a remote workstation to authenticate itself to a
corporate firewall, providing valid workstations access to an entire internal network. The
Encapsulated Security Payload (ESP) provides support for privacy and data integrity for IP
packets. This mechanism can encrypt either a transport-layer segment (transport-mode
ESP) or an entire IP packet (tunnel-mode ESP).
Transport-mode ESP encrypts the data carried by IP. Typically, this data is a
transport-layer segment, such as a TCP or UDP segment, which contains application-level
data. For this mode, the ESP header goes into the IP packet immediately before the
transport-layer header. Transport-mode operation provides privacy for any application that
uses it, avoiding the need to implement privacy in each application. It is possible,
though, to conduct traffic analysis on the transmitted packets, since the destination and
source addresses are in plain text.
Tunnel-mode ESP encrypts an entire IP packet, including its own header. The ESP header
is prefixed to the packet, and then the trailing portion of the ESP header plus the packet
is encrypted, countering traffic analysis. The entire block is then encapsulated with a
new IP header containing sufficient information for routing but not for traffic analysis.
Tunnel mode is useful to companies using firewalls that protect their trusted networks
from external networks. In such a case, encryption occurs between an external host and the
firewall or between firewalls. This simplifies the network administrator's security
management by reducing the number of distributed security keys.
Tunnel mode is used to set up a Virtual Private Network (VPN). With a VPN, a company has
two or more private networks that interconnect across the Internet. Computers on the
internal network use the Internet for data transport but do not interact with
Internet-based computers outside the VPN. All implementations that conform with the ESP
specification must implement the Data Encryption Standard-Cipher Block Chaining (DES-CBC)
method of encryption.
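As an added example (not code from the page or from any IPsec implementation), the following builds the two packet layouts described above so the difference in what an eavesdropper sees can be checked byte by byte. In transport mode the original IP header, with its source and destination, travels in the clear ahead of the ESP header; in tunnel mode the whole original packet is protected and a new outer header names only the two firewalls. The hosts, gateways, key and TCP segment are constructed; the "encryption" is a clearly labelled stand-in keystream, not DES-CBC, and the ESP trailer and authentication data are omitted to keep the layout readable.

```python
import hashlib
import ipaddress
import struct

ESP_PROTOCOL = 50   # IP protocol number carried in the outer header for ESP
TCP_PROTOCOL = 6


def ipv4_header(src: str, dst: str, payload_len: int, protocol: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options; the checksum is left zero here."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                  # version 4, header length 5 words
        0,                     # type of service
        20 + payload_len,      # total length
        0, 0,                  # identification, flags/fragment offset
        64,                    # TTL
        protocol,
        0,                     # header checksum (omitted for the illustration)
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )


def esp_header(spi: int, seq: int) -> bytes:
    """The plaintext part of ESP: Security Parameters Index and sequence number."""
    return struct.pack("!II", spi, seq)


def encrypt_stub(key: bytes, data: bytes) -> bytes:
    """STAND-IN for DES-CBC, which this example does not implement: XOR with a
    SHA-256 counter keystream so the protected bytes are unreadable while the
    packet layout stays inspectable. Not an IPsec algorithm."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def transport_mode(src, dst, tcp_segment, key, spi=0x1000, seq=1):
    """Transport-mode ESP: the original IP header stays in the clear; only the
    transport-layer segment (TCP header plus data) is protected."""
    esp = esp_header(spi, seq) + encrypt_stub(key, tcp_segment)
    return ipv4_header(src, dst, len(esp), ESP_PROTOCOL) + esp


def tunnel_mode(gw_src, gw_dst, inner_packet, key, spi=0x2000, seq=1):
    """Tunnel-mode ESP: the entire original packet, header included, is protected
    and wrapped in a new IP header addressed between the two gateways."""
    esp = esp_header(spi, seq) + encrypt_stub(key, inner_packet)
    return ipv4_header(gw_src, gw_dst, len(esp), ESP_PROTOCOL) + esp


def observed_endpoints(packet: bytes):
    """What an eavesdropper learns from the plaintext outer header: (src, dst, protocol)."""
    src = str(ipaddress.ip_address(packet[12:16]))
    dst = str(ipaddress.ip_address(packet[16:20]))
    return src, dst, packet[9]


# Constructed sample data: two LAN hosts behind two firewalls, and a stand-in TCP segment.
KEY = b"constructed-demo-key"
HOST_A, HOST_B = "192.168.1.7", "192.168.2.9"
GATEWAY_A, GATEWAY_B = "198.51.100.1", "203.0.113.1"
SEGMENT = b"\x04\xd2\x00\x50" + b"TCP header and application data"
INNER_PACKET = ipv4_header(HOST_A, HOST_B, len(SEGMENT), TCP_PROTOCOL) + SEGMENT

if __name__ == "__main__":
    print("transport:", observed_endpoints(transport_mode(HOST_A, HOST_B, SEGMENT, KEY)))
    print("tunnel:   ", observed_endpoints(tunnel_mode(GATEWAY_A, GATEWAY_B, INNER_PACKET, KEY)))
```

In transport mode the observer still reads 192.168.1.7 talking to 192.168.2.9, which is the traffic-analysis exposure the text notes; in tunnel mode only the two gateway addresses appear anywhere in the clear, and the inner addresses are recoverable only by whoever holds the key.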
What to do if your site has been hacked

Report it to the Computer Emergency Response Team (CERT). Funded by the Defense Advanced
Research Projects Agency, CERT is the central security clearinghouse on the Internet. It
accepts reports of intrusions, investigates them, and publishes advisories at regular
intervals that recommend security countermeasures. During 1995, CERT documented more than
2,400 computer-security incidents, including over 700 confirmed break-ins.
To file a report, use the template available at
ftp://info.cert.org/pub/incident_reporting_formal. CERT advisories are also posted to the
comp.security.announce newsgroup.
Our experience over the past 13 years covers diverse information management and analysis
issues relating to land and natural resources management, laboratory information
management and analysis, systems development and troubleshooting, and system audits. DBC
also understands today's security issues and the methods used to protect one of your most
valuable assets: your information. Contact us to learn more about our expertise and what
we can do for your business. And we'll do it with reasonable pricing and flexible contract
options!