Tuesday, August 16, 2011

COMPUTER ATTACKS: TCP/IP SECURITY

TCP/IP SECURITY

Through the years, computers have been subjected to many attacks. Users were advised to choose good passwords and not to share accounts or passwords with other users. They were also to obtain a strong virus checker and a firewall. Resourceful hackers, malcontents, and other attackers have found ways to compromise computer systems by using protocols such as TCP/IP (Transmission Control Protocol/Internet Protocol). Many of these attacks were anticipated long ago, yet the Internet itself is still not well protected against them. It is to the benefit of users to understand these methods and to seek defenses and configurations against them.

As with most disciplines, there is a host of jargon that tends to confuse the layperson. The following definitions will aid your understanding of TCP/IP security.

Chronograph (CRON): A command that executes a list of one or more commands in a computer operating system at a particular time.

Demilitarized Zone (DMZ): This is a virtual region that is used to isolate a private network from a public one. It is usually bracketed by an inside and an outside router, one or more firewalls, and security monitoring software watching activity inside the DMZ. The concept is to prevent network access by buffering the network from general Internet traffic. If someone makes unauthorized entry into a DMZ, the presumption is that they are hostile, and measures are taken to prevent further access to the systems.

File Transfer Protocol (FTP): This is a command that allows for the transfer of files between systems.

Global/Regular Expression/Print (GREP): A utility that is used to search one or more files for a given character string or pattern and can replace the character string with another one.

Host Table: This table associates IP addresses with host names on the network. Typically, it can be found in the etc/host directory on UNIX machines. It is not commonly used, since most systems have addressing assigned dynamically.

Internet Assigned Numbers Authority (IANA): An organization that oversees the allocation of IP addresses to Internet Service Providers (ISP).

Internet Protocol Security (IPSec): A series of standards that provide general-purpose security for any IP-based network including Intranets, extranets and the World Wide Web or Internet itself.

Network Address Translation (NAT): Originally intended to substitute official Internet addresses for private and unregistered IP addresses. However, it became an effective method of hiding internal addresses from detection on the Internet. It is often targeted by hackers in order to footprint and enumerate the network.

Port: A logical connection point on a network device, used in programming, which allows originating devices or programs to communicate using TCP/IP across a network or the Internet to reach a destination device or program. Ports are managed by the operating system and the TCP services resident on any network device.

Port Numbers: The number assigned to a specific port corresponding to one of the 65,536 possible ports on any specific device.

Request for Comment (RFC): Internet documents used for everything from general information to the definitions of the TCP/IP protocol standards. This is part of the World Wide Web Consortium (W3C) democratization of Internet design.

Router Table: Directs packets toward their destination. It may be built by the system administrator or by routing protocols. Hackers target this table as part of their efforts to gain access to the system.

Routing Protocols: Programs that exchange routing information in packets and are used to build routing tables.

Sockets: The combination of an IP address and a port number. Sockets are expressed in this manner: (IP Address):(Port Number).

Transmission Control Protocol (TCP): A reliable, connection-oriented message delivery service. This protocol manages the assembly of a message or file into smaller packets that are transmitted over telecommunications media (wires, fiber optics, microwave, etc.) and received by a similar TCP layer in the destination machine, where the packets are reassembled into the original message.

User Datagram Protocol (UDP): An unreliable connectionless delivery service that provides limited services across a network or the Internet.

Virtual Private Network (VPN): A method of making point-to-point connections through firewalls that automatically encrypt packets sent between networks and specific devices on those networks. A VPN can use the Internet as a private wide area network without compromising the data. It is considered a reliable and secure form of communication.

TCP/IP Commands: These are some of the classic commands used in command-line administration of network systems. It is not uncommon for administrators to remove these commands or severely restrict access to them. In Windows 7, one can run some of these commands by launching the command console: type CMD in the Start menu's Start Programs and Files feature.

Address Resolution Protocol (ARP): Provides information about Ethernet / IP address translation. Used to detect bad IP addresses, incorrect subnet masks and improper broadcast addresses.
Command line switches: arp -s [ip] [mac]
-a lists the table of values
-d deletes the entry specified by inet_addr
-s adds an entry in the ARP cache to associate the IP address inet_addr with the physical address ether_addr
ip specifies an IP address in dotted decimal notation
mac specifies the hardware (physical) address

AT: Executes commands at a given time. Command line switches:

-l lists scheduled jobs
-r removes a scheduled job

CRON: Executes scheduled commands on a regular basis.

Find: Detects potential filesystem security problems and allows you to perform many logical tests on files.
Command line switches:
-name file selects a file by name, or by a wild-carded filename
-links n selects any file that has n or more links for processing
-size n selects any file of n 512-byte blocks for processing
-atime n selects any file that has been accessed in the past n days
-print prints out the name and location of any selected file

GREP: Searches the named input files for lines containing a match to a given pattern. Command line switches:
-G interprets pattern as a basic regular expression.
-E interprets pattern as an extended regular expression.
-F interprets pattern as a list of fixed strings, separated by newlines, for any match.

Last: Displays who has logged into a system in the past. It is useful for learning normal login patterns and detecting abnormal login activity.

LS: Shows the ownership, permissions, creation date, and size of every file on your computer. Command line switches:
-a lists all entries
-c use time of last edit (or last mode change) for sorting or printing
-C force multicolumn output with entries sorted down the column
-d if argument is a directory, list only its name
-i print each file’s inode number in the first column of the report
-l list in long format, giving mode, number of links, owner, size in bytes, & last modification
-n list the user and group ID numbers
-q display nongraphic characters in filenames
-r reverse the order of sort

Netstat: Displays statistics about each network interface, sockets, and routing tables.
Command line switches:
-a displays a list of all the ports that programs and users outside the network can use
-r displays the routing table
-n displays the IP address of the foreign machine

PS: Display the status of current processes.
Command line switches:
-aux or -ef Displays the user and command that started each process

Telnet: Provides remote login over the network.

Who: Provides information about who is currently logged on to the system. It displays the login name, the device in use, the login time, and the remote host.
Command line switches:
-w show active processes started by the login name.
-d shows expired processes
-s shows name, line, and time
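As an added example, not part of the original post, here is a small shell scanner for the kind of abnormal login patterns that `last` and `who` expose: logins from outside the trusted network, logins outside working hours, and direct root logins. The trusted prefix, the working hours and the `last`-style log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: scan last(1)-style output for
# abnormal login patterns. Trusted network and working hours are assumptions.
TRUSTED_PREFIX="10.0.0."     # assumed internal network (matched as a string prefix)
START_HOUR=7; END_HOUR=19    # assumed normal working hours (start inclusive, end exclusive)

# Constructed sample of `last` output: user, tty, host, day, month, date, time ...
LAST_OUTPUT='alice    pts/0   10.0.0.12    Mon Aug 15 09:12 - 17:40  (08:28)
bob      pts/1   10.0.0.57    Mon Aug 15 08:55 - 12:03  (03:08)
root     pts/2   203.0.113.9  Tue Aug 16 03:17 - 03:19  (00:02)
carol    pts/0   10.0.0.31    Tue Aug 16 23:45   still logged in
alice    pts/3   10.0.0.12    Tue Aug 16 10:02   still logged in'

# Print one line per suspicious login: "<reasons> <user> <host> <day> <time>".
# A login is flagged if its host is outside the trusted network, if it falls
# outside working hours, or if it is a direct root login from anywhere.
flag_logins() {
    printf '%s\n' "$1" | awk -v pfx="$TRUSTED_PREFIX" -v sh="$START_HOUR" -v eh="$END_HOUR" '
    NF >= 7 && $2 != "system" {
        user = $1; host = $3; day = $4 " " $5 " " $6; t = $7
        split(t, hm, ":"); hour = hm[1] + 0
        reasons = ""
        if (index(host, pfx) != 1)   reasons = reasons "untrusted-host,"
        if (hour < sh || hour >= eh) reasons = reasons "off-hours,"
        if (user == "root")          reasons = reasons "root-login,"
        if (reasons != "") { sub(/,$/, "", reasons); print reasons, user, host, day, t }
    }'
}

# Number of flagged logins, usable as a threshold for an alert run from cron.
flagged_count() { flag_logins "$1" | wc -l | tr -d ' '; }

flag_logins "$LAST_OUTPUT"
```

On a live system replace the constructed text with `flag_logins "$(last)"`; the trusted prefix check is a plain string prefix, not a subnet mask, so adjust it to your own addressing.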


Network Security and Technologies

Security planning involves a well-thought-out security plan that decides what needs to be protected, how much to invest, and who will be responsible for carrying out the security measures. Security planning is the building block of security, but a plan must be formed before it can take effect. A strong plan usually entails a system of checks and balances: for example, system administrators who manage the system on a day-to-day basis, users and support staff who observe network performance operationally, and auditors who review and monitor activity and settings on the networks. Network security also involves many technologies.

IP Security (IPSec) consists of a collection of RFC standards. It is not the only standard for Internet-related security, but it is the solution when dependable, general-purpose security is needed for confidential communications over public or private IP networks. IPSec provides three distinct forms of protection for the transfer of secure data. They are:
  • Authentication: The property of knowing that the data received is the same as the data that was sent and that the claimed sender is in fact the actual sender.
  • Integrity: The property of ensuring that data is transmitted from source to destination without undetected alterations.
  • Confidentiality: The property of communicating such that the intended recipients know what was being sent but unintended parties can’t determine what was sent.
An advantage of IPSec is that it can be implemented entirely in shared network access equipment. Doing this eliminates the need to upgrade any network-attached resources.

Firewalls are systems that replace an IP router with a multi-homed host that does not forward packets. There are four types of firewalls:
  • Packet Filtering, which is a simple static means of examining traffic based on addresses and/or packet type.
  • Circuit-level gateways that provide “openings” for all approved sessions based on an assortment of criteria.
  • Proxy or application gateways that perform a more in-depth analysis of traffic, including the higher-level application.
  • Stateful inspection, which combines features of the other types to achieve a truly dynamic way of adapting to changing traffic patterns.
Passwords are the simplest and most important part of network security. Passwords should be cleverly structured in order to avoid compromise. Attackers enter most systems by simply guessing passwords. One form of password guessing is dictionary guessing, which uses a program that draws words from a dictionary and compares each word to the password until a match is found.

Routing control is necessary for a system and requires a routing table entry for every network communicated with. Without the proper routes, the system cannot communicate with remote networks. Because of this, an attacker who controls the contents of the routing table can control which remote sites are able to communicate with a system. Therefore, controlling access to routing tables is essential. Administrators will typically remove commands that give access to the routing table and hide it behind the DMZ, making it difficult to find and exploit.

Security Monitoring

Systems differ in how they are monitored. High-level monitoring, of course, involves firewall logs, intrusion detection system logs, router logs and establishing a DMZ. The logs are all checked by software that looks for patterns of activity. However, there are many things an administrator can do by hand to look for activity.

On UNIX systems, use the command ls -a | grep '^\.' to list files whose names begin with a dot. This lets the administrator look for traces of a break-in: intruders create files that begin with a dot, such as .mail or .xx, to help them in future break-ins.

On most systems, administrators should monitor the names of programs started and ensure that no unexpected shell programs are started. Also check that the log file is not world-writable. Check for unexpected directories under the home directory. Look for login entries from outside the trusted network. No files should be world-writable. Check for unaccounted-for login names and for changes to the UID or GID of any account. Monitor for abnormal login patterns. Also check the files run by 'at' or 'cron', looking for new files or unexplained changes: attackers create scripts that re-admit them to a network using these commands, even after being kicked off and having their previous access methods closed. Finally, check and monitor executable files for changes in size, date, and rights.
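As an added example (not from the original post), the checks above as shell functions: hidden dot files under the home directories (the ls -a | grep '^\.' check, done recursively with find), world-writable files, cron files changed since the last audit, and size/mode drift of executables. The sample tree under $SAMPLE, its files and the 2020 audit stamp are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: break-in checks over a constructed tree.
umask 022
SAMPLE="$(mktemp -d)"                                 # constructed sample filesystem root
mkdir -p "$SAMPLE/home/alice" "$SAMPLE/home/bob" "$SAMPLE/etc/cron.d" "$SAMPLE/usr/bin"
printf 'notes\n'  > "$SAMPLE/home/alice/notes.txt"
printf 'exit 0\n' > "$SAMPLE/home/bob/.xx"            # hidden file of the kind an intruder leaves
chmod 666 "$SAMPLE/home/bob/.xx"                      # ...and it is world-writable
printf 'exit 0\n' > "$SAMPLE/usr/bin/tool" && chmod 755 "$SAMPLE/usr/bin/tool"
touch -t 202001010000 "$SAMPLE/baseline.stamp"        # pretend the last audit ran in 2020
printf '* * * * * root /tmp/.x\n' > "$SAMPLE/etc/cron.d/zz"   # cron entry added after that audit

# Hidden files under the home directories (ls -a | grep '^\.' made recursive).
hidden_files() { find "$1" -type f -name '.*' | sort; }

# World-writable regular files: the text says there should be none.
world_writable() { find "$1" -type f -perm -0002 | sort; }

# cron/at files modified after the reference stamp file.
changed_since() { find "$1" -type f -newer "$2" | sort; }

# Path, mode string and size of every executable, saved for comparison across audits.
exec_baseline() { find "$1" -type f -perm -0100 -exec ls -l {} \; | awk '{print $NF, $1, $5}' | sort; }

# Lines that differ between two saved baselines (empty output means no drift).
baseline_drift() { diff "$1" "$2" | grep '^[<>]' || true; }

run_audit() {
    echo "== hidden files";     hidden_files "$SAMPLE/home"
    echo "== world-writable";   world_writable "$SAMPLE"
    echo "== cron changed";     changed_since "$SAMPLE/etc/cron.d" "$SAMPLE/baseline.stamp"
    exec_baseline "$SAMPLE/usr/bin" > "$SAMPLE/exec.old"
    printf 'echo extra\n' >> "$SAMPLE/usr/bin/tool"   # simulate a binary that grew between audits
    exec_baseline "$SAMPLE/usr/bin" > "$SAMPLE/exec.new"
    echo "== executable drift"; baseline_drift "$SAMPLE/exec.old" "$SAMPLE/exec.new"
}
run_audit
```

The sample tree is left in place under $SAMPLE for inspection; on a real host point the functions at /home, /, /etc/cron.d and /usr/bin and keep the saved baselines somewhere an intruder cannot rewrite them.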

Defensive Tactics

Denial of Service (DOS) is any action that prevents users from accessing system resources. These resources may be stopped entirely, degraded or interrupted. UNIX provides few types of protection against accidental or intentional denial of service attacks. Some versions let you limit the maximum number of files or processes that a user is allowed. Others let you place limits on the amount of disk space consumed by any single account. Having a low time-to-live on port wait states also aids in reducing DOS attacks. Manufacturers are offering more sophisticated hardware that also identifies the sources of DOS attacks and ignores those requests.

There are two types of denial of service attacks: destructive and overload attacks. Destructive attacks attempt to damage or destroy resources so you can’t use them. Attackers can do this in a number of ways. For example, deleting critical files would be considered a destructive attack. Restricting access to critical accounts and files can prevent this attack.

Overload attacks flood a resource with requests to the point that it is unable to process another user’s request. If the attacker overwhelms the port, others won’t be able to access it. The system can be set up to automatically detect overloads and restart the device, or simply to ignore the source.

One of the simplest denial of service attacks is a process attack. With this attack, one user makes a computer unusable for others who happen to be using the computer at the same time. These types of attacks are generally of concern only with shared computers.

Conclusion

The Internet’s worldwide presence, combined with its affordable access and ever-expanding capabilities, is the most common reason for network security concerns, because the Internet has no inherent security. Networks are invaluable, but they are also vulnerable to industrial espionage or disgruntled employees. The potential exposure is especially profound when the enterprise network is interfaced with the Internet.

