THE ESSENTIAL GUIDE TO THWARTING HACKERS
BY MEL BECKMAN, OCTOBER 2005
SUPPLEMENT TO iSeries NEWS 2005

They call it Internet Background Radiation, or IBR. It's that constant hiss of traffic ever present on every Internet connection. Like the universe's Cosmic Background Radiation, IBR lets us know that the Internet is not empty. Unlike its benign cosmic cousin, however, IBR is malevolent proof that evildoers prowl the Net seeking whom they may devour. You can see IBR with your own eyes by examining any firewall log, which will report a constant stream of probes and pokes at random IP addresses in your network. There is a hacker behind every one of these probes; none is innocent. Over time, IBR will ferret out known vulnerabilities in any network and exploit them. The average survival time of an unprotected Windows PC is measured in minutes; more secure devices might last weeks or months. But one thing is certain: If you don't find the vulnerabilities in your network, hackers will. Soon.

But don't despair. The key to a hacker's success is the subtle phrase "known vulnerabilities." Hackers are bottom feeders; very few actually discover new security flaws on their own. Instead, they troll software bug reports and system patch announcements, then devise cunning robotic scanners, or bots, to seek out and exploit them. It is these bots that generate IBR, and it is them that you must repel. To that end, here are 10 straightforward steps that you can take to make your network less susceptible to attack, by dint of removing known vulnerabilities. I present these steps in order of ease, with the simplest first, because the more of these steps you accomplish, the more likely you are to be removed from the hacker's list of low-hanging fruit. Some of the steps require nothing more than the investment of your time; others require the cooperation of your entire enterprise. You should take each step as soon as possible.

SECURITY RESOURCES

CERT
Securing Desktop Workstations: www.cert.org/security-improvement/modules/m04.html
Responding to Intrusions: www.cert.org/security-improvement/modules/m06.html

The Spread of the Sapphire/Slammer Worm: www.cs.berkeley.edu/~nweaver/sapphire/

ICSI Center for Internet Research
Characteristics of Internet Background Radiation: www.icir.org/vern/papers/radiation-imc04.pdf

SANS
Patch Management and the Need for Metrics (Kenneth J. MacLeod): sans.org/rr/whitepapers/bestprac/1461.php
Security Awareness White Papers: sans.org/rr/whitepapers/awareness/
Honey Pots and Honey Nets: Security Through Deception: sans.org/rr/whitepapers/attacking/41.php

1. Continuously Educate Users

Hackers get into networks most often by tricking users into opening the front door: Trojan programs embedded in e-mail attachments, malicious URLs seemingly forwarded by friends, and virus infections brought into the enterprise by PCs from home. There is only one way to prevent user-induced security breaches, and that is user education. Given the barrage of routine announcements and training materials that the average corporation foists on employees, it can be difficult to make your security message heard. Your best bet is to make the message pervasive and continuous. You can't simply publish a security policy and expect users to absorb and follow it. Instead, inform users of their need for vigilance in small doses by displaying security tips in newsletters, on the corporate intranet, and in routine e-mail communications. Start with a mandatory security training session to review your policies, but bolster that with constant reminders. Here are the key points to emphasize with all users:

- Don't open e-mail attachments that you did not expect to receive, even from colleagues and friends.
- Don't click URLs in e-mails; carefully copy and paste them instead. Although inconvenient, this is the only way to avoid malicious links.
- Get approval before installing any freeware or shareware software. Do not install any unauthorized commercial software.
- Never connect computers from home to the enterprise LAN. Only secured systems, including company-secured notebook computers, can be attached.
- Be aware of visitors attempting to use enterprise computers or network connections.
- Don't connect wireless equipment of any kind, including wireless keyboards and mice, to the network without prior approval.

Some users will be unhappy with these restrictions, so you should also establish appropriate responses for violations. Nobody wants to play cop, but if you don't enforce these protections, nobody else will. One way to detect infringements is to periodically inventory the software installed on every computer. You can use any number of readily available desktop administration systems to do this centrally.

A particularly insidious new threat that requires copious user education is Bluetooth networking. Bluetooth, also called personal area networking, is a short-range wireless technology designed to replace the cables used to attach cell phones, PDAs, keyboards, and mice to computers. It operates over a range of a few feet, but an interloper as far as 100 feet away can exploit Bluetooth. Although Bluetooth includes encryption, end users often misconfigure it, defeating that protection. Users need to be taught how to safely connect Bluetooth devices, and they need to know which devices are approved for use in your network.

Your goal in constantly reminding users of security precautions is to create an atmosphere of security awareness. A great source of security awareness educational materials is the SANS Security Awareness White Papers Web site (see Security Resources, above).

2. Lock Down Physical Security

Hackers don't just exist outside your network; they're often inside the enterprise perimeter in the form of disgruntled and overly curious employees, authorized and unauthorized visitors, consultants, suppliers, and maintenance staff. Sometimes an inside hacker is an unsuspecting agent for hackers, such as a vendor or consultant who inadvertently plugs an infected computer into your internal LAN. But they can also be malicious; some famous hackers started their attacks by first visiting their victims, posing as potential customers or salespeople.

To counter this threat, you must bolster your physical security. Start by locking up all network gear (e.g., switches, routers) in a closet or in metal cabinets. Keeping a hacker away from the key synapses in your network is essential. A compromised Ethernet switch or router can give an intruder the keys to your kingdom.

The second most prevalent physical exposures are the ubiquitous Ethernet ports, of which you never seem to have enough. Unprotected ports in conference rooms, utility closets, and hallways are easy pickings for deliberate intruders and tempting lures for inadvertent ones. It's best to physically lock down these ports, but you can also protect them electronically using switch-based Medium Access Control (MAC) locking and 802.1x authentication. Use MAC locking to ensure that only the specific machines you permit are plugged into publicly accessible ports that printers, scanners, and other LAN devices use. Use 802.1x to ensure that only authorized users can plug general-purpose computers into other Ethernet ports.

The 802.1x security standard has gotten a lot of press lately as a quick-and-dirty Wi-Fi protection measure, but it's actually not particularly reliable in that role. However, 802.1x is very good as a guardian of Ethernet ports. You must first establish a Remote Authentication Dial-in User Service (RADIUS) server to store user IDs and passwords or to validate user IDs and passwords against your existing authentication server, such as Windows Active Directory. Then simply turn on 802.1x on both the switches and end-user computers, and users will be prompted to log in every time they reconnect their computers to your LAN.

What if a visiting consultant or customer absolutely must connect to the Internet from your premises? Prepare for that eventuality by establishing a visitor hot spot network, one completely isolated from your corporate LAN and providing limited and monitored access to only the Internet. You can build such a hot spot with an inexpensive off-the-shelf firewall appliance.

As I mentioned, end-user awareness is an important part of physical security. Users should have a ready avenue to report suspected abusers. You can also detect potential physical violations by monitoring the MAC address tables of your switches, which report to you any new devices appearing on your LAN. Many managed switches support this feature, and you should take advantage of it.
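As an added illustration of the MAC-table monitoring just described (example code, not from the article or any switch vendor), the Python below diffs two constructed snapshots of a switch's learned-address table against an approved inventory and flags new, unknown, moved and doubled-up devices. The table layout, port names and addresses are constructed assumptions; the parser is the only part you would adapt to a real switch's output.

```python
import re
from dataclasses import dataclass

# Constructed sample: the administrator's approved inventory of fixed
# devices, keyed by normalized MAC, giving (description, expected port).
APPROVED = {
    "00:11:22:33:44:55": ("lobby printer", "Fa0/3"),
    "00:11:22:33:44:66": ("conference-room scanner", "Fa0/7"),
    "00:11:22:33:44:77": ("payroll PC", "Fa0/12"),
}

# Constructed samples: yesterday's and today's learned-address tables in the
# dotted-hex layout many managed switches print (formats vary by vendor).
YESTERDAY = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/3
  10    0011.2233.4466    DYNAMIC     Fa0/7
  10    0011.2233.4477    DYNAMIC     Fa0/12
"""
TODAY = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/3
  10    0011.2233.4466    DYNAMIC     Fa0/7
  10    00aa.bbcc.dd01    DYNAMIC     Fa0/7
  10    0011.2233.4477    DYNAMIC     Fa0/9
  10    0011.2233.44ff    DYNAMIC     Fa0/15
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


@dataclass(frozen=True)
class Entry:
    vlan: int
    mac: str    # normalized as aa:bb:cc:dd:ee:ff
    port: str


def normalize_mac(raw):
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    return [Entry(int(m.group(1)), normalize_mac(m.group(2)), m.group(3))
            for line in text.splitlines() if (m := ROW_RE.match(line))]


def new_since(previous, current):
    """Addresses seen now that were absent from the earlier snapshot."""
    seen = {e.mac for e in previous}
    return [e for e in current if e.mac not in seen]


def audit(entries, approved):
    """Returns (unknown, moved, crowded): addresses not in the inventory, approved
    devices on a port other than their assigned one, and ports carrying more than
    one address (on a printer or scanner port, a sign of an inserted hub or device)."""
    unknown, moved, per_port = [], [], {}
    for e in entries:
        per_port.setdefault(e.port, []).append(e.mac)
        if e.mac not in approved:
            unknown.append(e)
        elif approved[e.mac][1] != e.port:
            moved.append((e, approved[e.mac][1]))
    crowded = {p: macs for p, macs in per_port.items() if len(macs) > 1}
    return unknown, moved, crowded


def report(previous_text, current_text, approved=APPROVED):
    """Human-readable lines an administrator would review each morning."""
    prev, cur = parse_mac_table(previous_text), parse_mac_table(current_text)
    unknown, moved, crowded = audit(cur, approved)
    lines = [f"NEW   {e.mac} on {e.port} (vlan {e.vlan})" for e in new_since(prev, cur)]
    lines += [f"ALIEN {e.mac} on {e.port}: not in inventory" for e in unknown]
    lines += [f"MOVED {e.mac} ({approved[e.mac][0]}): expected {want}, seen {e.port}" for e, want in moved]
    lines += [f"MULTI {port}: {len(macs)} addresses ({', '.join(macs)})" for port, macs in crowded.items()]
    return lines
```

Run `report(YESTERDAY, TODAY)` on the constructed snapshots and it lists two new addresses, two that are not in the inventory, the payroll PC on the wrong port, and the scanner port now carrying two devices.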

3. Use Multiple Layers of Protection

There are many kinds of network security protection: hardware firewalls in routers and dedicated security appliances; software firewalls in end-user systems; antivirus and antispyware scanners; application filters to block such attacks as cross-site scripting and SQL injection; intrusion-prevention appliances to kill questionable traffic; and Virtual Private Network (VPN) servers to keep out unauthorized remote users. You should be employing several of these in your network today. An essential aspect of that employment is using these products in layers, a technique called "defense in depth." The idea behind defense in depth is that you don't depend on any one protection as the sole barrier between your users and the unwashed Internet. For example, behind your Internet border firewall, you should deploy an antivirus filter on all inbound e-mail, software firewalls on all desktop machines, and antivirus and antispyware scanners. Any given route of attack should have to penetrate at least two layers of protection to succeed. Defense in depth works by dramatically reducing the ability of attackers to exploit random flaws, such as missed patches or buffer overflow vulnerabilities.

However, the way to effectively deploy multiple layers of protection isn't always obvious. For example, many network administrators operate centrally administered antivirus scanners, believing them to be an enhancement over desktop-based scanners. But just because something is centrally administered doesn't mean it offers additional protection. To gain true in-depth virus protection, you should employ a deep-inspection firewall or intrusion prevention appliance that looks into every packet for evidence of viral content and squashes that content before it reaches a desktop.

A new protection technology just becoming common in enterprise networks is the so-called application firewall. If uninformed users are the most common paths of entry for hackers, malformed applications are the second. Hackers often infiltrate Web servers by exploiting the common buffer overflow class of vulnerability, new instances of which operating-system and server-software vendors are constantly reporting. Application coders are rarely security experts, so getting programmers to implement secure applications is difficult. A useful way to improve the depth of application security is by using an application firewall appliance, which examines HTTP requests, HTML responses, SQL queries, and other application traffic to detect and block common hacker attacks.
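To make "at least two layers" concrete, here is an added Python example (not the article's code) that puts an application-firewall style check on decoded request parameters in front of an application whose own SQL is parameterized, so a request that slips past the first layer still cannot alter the query. The request format, rule set, parameter name and sqlite3 schema are constructed for the example, and `lookup_unsafe` is the "before" that the layers protect against.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Layer 1: application-firewall style inspection of decoded query parameters.
# A small illustrative rule set, not a complete one; real appliances ship thousands.
SUSPICIOUS = {
    "sql-tautology-or-union": re.compile(
        r"(?i)\bunion\b.*\bselect\b|\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"),
    "sql-comment-or-separator": re.compile(r"--|/\*|;"),
    "script-injection": re.compile(r"(?i)<\s*script|javascript:|\bon\w+\s*="),
}


def inspect_request(query_string):
    """Return (param, rule) findings; an empty list means the request passes.
    parse_qs URL-decodes the values, so the rules judge the payload as the
    application itself would see it."""
    findings = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            for rule, pattern in SUSPICIOUS.items():
                if pattern.search(value):
                    findings.append((name, rule))
                    break
    return findings


def make_db():
    """Constructed sample accounts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250), ("carol", 75)])
    return db


def lookup_unsafe(db, username):
    """The 'before': string concatenation lets a crafted value rewrite the query."""
    sql = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, username):
    """Layer 2, inside the application: the value is bound as data, never parsed as SQL."""
    return db.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def handle(db, query_string, firewall_enabled=True):
    """Run one GET query string through both layers.
    Returns ("blocked", findings) or ("ok", rows). Disabling the first layer
    models a missed signature; the second layer must then hold on its own."""
    if firewall_enabled:
        findings = inspect_request(query_string)
        if findings:
            return "blocked", findings
    username = parse_qs(query_string).get("user", [""])[0]
    return "ok", lookup_safe(db, username)
```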

4. Filter and Monitor Outbound Traffic

Just as interlopers can lurk inside your building, they can lurk inside your network in the form of viruses and Trojan horses seeking to use your LAN as a jumping-off point for attacks on new victims. After such Net vermin get into a computer behind your firewall, they begin probing your network and others on the Internet for additional machines to infect. Unfortunately, the standard practice in most networks is to permit all outbound traffic on a network, which is why recent virus and worm plagues have spread so rapidly throughout the world. The Sapphire/Slammer worm, for example, infected nearly 90 percent of all vulnerable systems on planet Earth in only 10 minutes. The solution to this problem is straightforward: Block all outbound UDP and TCP protocols except those that you know are needed by end users. Typically these are HTTP and HTTPS (TCP ports 80 and 443), e-mail (TCP 25 and 110), DNS (UDP 51), and possibly FTP (TCP 21). The most common protocol that malware uses to find and detect other systems is Internet Control Message Protocol (ICMP) Ping; blocking this one will thwart the vast majority of viruses and Trojans.

As with all security, this protection is a compromise between safety and convenience. You'll undoubtedly get user complaints shortly after locking down outbound traffic, and you'll have to evaluate each complaint to see whether the offending traffic is truly necessary. You can add new protocols to your outbound filters, but be judicious. It's pointless, for instance, to open all UDP ports above 1000, although some users will undoubtedly make such requests.

Hand-in-hand with filtering outbound traffic is monitoring packets that those filters drop. You should investigate all such occurrences and remediate them. Sometimes it's simply a matter of a misconfigured host; sometimes filter hits indicate a virus infection in progress. Being vigilant here will give you early warning of possible problems, letting you stop them before they snowball into a network outage.

5. Use a Proxy Server

Hackers are clever and have come up with ways to circumvent outbound filters. The most common way is simply to run their malicious traffic over a well-known port, such as HTTP's port 80 or e-mail's port 25. If you're employing simple outbound filtering and monitoring, you never see this traffic. End users can also use well-known ports to operate unauthorized peer-to-peer servers, opening your organization up to intellectual property infringement liabilities. As they say in mathematics, outbound filtering is necessary but not sufficient. To really prevent outbound traffic abuse, you need a proxy server. In a security role, a proxy server intercepts TCP/IP requests from desktop computers and relays them to the ultimate Internet destination, applying certain security policies in the process. A secondary role for proxies is to cache content for speedier Web surfing. Proxies typically handle Web and FTP traffic, but they can also handle outgoing e-mail.

All Web browsers, and most FTP programs, have built-in support for proxies, but using this support requires that every end user's desktop be specifically configured to point to your proxy server. An easier approach is to have your firewall or internal router automatically redirect Web, FTP, and e-mail traffic to your proxy, avoiding the need to customize desktops. After a proxy is in place, you can filter all outbound protocols from end users at your Internet border, because nobody should be accessing the Internet directly. Policies you can then enforce in the proxy include limiting users to certain sites, tracking URLs that users visit, restricting the size and types of files transferred in and out, and restricting the destinations and content for e-mail. For example, you could prohibit outbound FTP transfers for all but a few users and restrict e-mail attachments to e-mail correspondents on a preapproved white list. Proxy protection seriously inhibits virus propagation outside your network, which makes you a better Netizen and reduces the liability that you incur should your network cause a service outage for some other Internet user.

6. Employ VPN Encryption on Wireless and Remote Links

Repeat this mantra until it's ingrained in your psyche: There's no safe wireless encryption. There isn't; that's an established fact. All Wi-Fi encryption (that is, encryption performed in wireless access points, or APs, themselves) is vulnerable to hacker penetration (see "The Wi-Fi Time Bomb," May 2005, article ID 20069 at iSeriesNetwork.com). The only proper way to secure a Wi-Fi network is via VPN encryption, the same VPN encryption that you should be using for all your remote users. (Which you are, right?) At one time, VPNs were hard to set up, but those days are over. For a few hundred dollars, you can buy VPN-enabled appliances that provide weapons-grade encryption. All enterprise-class firewalls have VPN servers built in, and all desktop operating systems have VPN clients built in. A VPN tunnel provides solid security from the user's Ethernet port to your Internet border.

Given the vulnerability of Wi-Fi encryption, it's not surprising that Wi-Fi has become the third most common path for network infiltration, right behind clueless users and faulty applications. That's amazing when you consider that Wi-Fi didn't even exist five years ago. Not all Wi-Fi exposures are obvious either. You're conscious, of course, of the need to secure your own APs, and you might have realized the vulnerability of users at coffee shops and airport cafes. But have you considered the wireless networks that your users might already have deployed without your knowledge? Even if you don't run Wi-Fi, you need to protect against it by prohibiting unauthorized wireless gear and monitoring for rogue APs. Commercial rogue-AP detection appliances exist, but you can use an ordinary Wi-Fi-capable notebook computer to easily perform a quick scan of your enterprise. If you find an open wireless network, attach to it and then use network troubleshooting tools to trace the traffic back to the offending device. This is a straightforward process, easily accomplished if you have managed switches. OK, you can stop the mantra now.

7. Run Routine Vulnerability Assessments

Network monitoring organizations, such as the Computer Emergency Response Team (CERT, cert.org), report that 99.999 percent of all successful network penetrations occur through known vulnerabilities. You can use firewalls and intrusion-prevention tools to try to cover up the vulnerabilities that you must assume are there, or you can go looking for them and kill them dead. That's what vulnerability assessment (VA) is. Once the purview of network security specialists and so-called ethical hackers, VA has become a commodity service embodied in numerous security products, both hardware and software. The hallmark of modern VA is the automation of the vulnerability detection, tracking, remediation, and verification process. The core component is a scanner that continuously probes your network inside and out, looking for vulnerabilities listed in a constantly updated database of potential exposures. The scanner has two parts, one inside your network and one outside, that work together to find and report problems. Common exposures, such as inadvertently open ports and missing security patches, are the meat and potatoes of VA. But advanced products also find more subtle failures, such as application holes and SQL scripting flaws.

Detected vulnerabilities are ranked by severity and tracked through the remediation process. Remediation can be as simple as adding a firewall rule or applying an OS patch; on the other hand, remediation might require hours of programming changes to an application or the installation of a whole new layer of protection. VA keeps bringing old vulnerabilities to the surface so that they get attention, and it provides remediation progress reports for management. VA also performs verification tests after remediation to make sure that the problem is really fixed. You can build your own VA tool with open-source software, such as the Nessus security scanner, but you're really better off buying an appliance built by an expert in the field. You're less likely to miss a critical exposure, and the cost of appliances makes them easy to justify. With VA in place, you at least have a chance of catching new vulnerabilities before the hackers do.

8. Manage Patches

You likely already apply OS patches to servers and desktops, so you realize that patches are both a blessing and a curse. Patches are a blessing because they let you stop hackers in their tracks at the same time they learn about a new exploit, but patches are a curse because they often break things and make your life more difficult. That's where patch management comes in. On the scale of ease of implementation, all the steps I've discussed so far have been relatively simple to carry out. But this step, and those that follow, are a quantum leap in effort and expense.

Patch management is expensive because it's far from a science. To manage patches, you have to know what their impact is by studying vendor recommendations and reading about the experiences of those who've already applied the patches. Alas, vendor information is often couched in terms designed to limit vendor liability rather than help you assess the need for a particular patch. Commercial patch-management tools automate this process by connecting you to an expert database of patch information that documents side effects and interactions. These tools let you rank every patch to determine whether the benefits outweigh the risks. Some patch-management tools are OS specific, such as those aimed at Windows fixes. Others are more generic but necessarily less specific in their recommendations. Sometimes patch management is an add-on module to an IP or VA appliance. This isn't necessarily bad, because the appliance is in a position to collect the information needed for patch management.

Patch managers provide an important twofold service: the collection of patches from vendors in a central repository for easy deployment, and the interception of automatic patches that vendors might try to apply without your permission. Windows Service Pack 2 is a good example of a patch that you want to control but that Microsoft currently insists on installing. You'll need to undertake an extensive study of your current systems to have the data necessary to select a good patch-management platform. In the meantime, be religious about applying patches manually.

9. Deploy Two-Factor Authentication

Two-factor authentication is the augmentation of traditional user ID/password checks with a physical token, such as a USB key, or a biometric test (e.g., a thumbprint). As with patch management, deploying two-factor authentication is a Big Deal. The additional factor is a major change to user behavior and a serious inconvenience. However, two-factor authentication demonstrably improves the protection that passwords afford and makes it much easier to revoke authority when users change jobs or leave the organization. Simply deauthorize the token or biometric, and the user is locked out everywhere. Enterprises often roll out two-factor authentication in conjunction with an identity management (IM) overhaul. Most two-factor authentication requires a modern authentication infrastructure, such as Lightweight Directory Access Protocol (LDAP), which also happens to facilitate single sign-on (SSO) and other IM benefits.

Be aware, however, that improper two-factor implementation can actually reduce rather than enhance security. If users are currently sharing passwords, and a USB key lets them simply share a token as well, you've not improved security one whit. User education and policy upgrades are essential adjuncts to two-factor authentication deployment. Beware also of the unwarranted claims of some two-factor tokens and biometrics. One major security token vendor was caught with its keys down when a security consultant discovered that the token's encryption could be bypassed easily. And several fingerprint-scanner proponents were taken off guard by how easily fingerprints can be captured and reused using ordinary gelatin to simulate skin. So by all means, add a second factor to authentication, but do it thoughtfully, with due care.

10. Go on the Offensive with Honeypots and Honeynets

Nothing is more satisfying than hacking a hacker, which is exactly what network administrators were thinking when they devised so-called honeypots and honeynets. A honeypot is a decoy computer left apparently exposed to hacker attack. Its job is to attract hackers, monitor their activities, and occupy their time so they have less to spend attacking the rest of your network. A honeynet is a wireless network with the same goal: attract hackers and keep them busy while you watch. Both work surprisingly well and can alert security specialists to new hacker ploys before they become pervasive.

Creating a convincing honeypot system isn't easy; if you're careless, a hacker will make you and abandon the system (or worse, set a bot to work on the honeypot, occupying your time needlessly). A key ingredient of any honeypot is some attractive bait: authentic-looking documents or binary files that the intruder can be tricked into believing are valuable. That aspect makes it hard to mass-produce honeypots, so if you decide to create one, you'll have to do it by hand. Honeynets are somewhat easier to build because they don't actually have content, per se. You simply provide an open AP and an Internet connection and watch hackers swarm like dung flies on a . . . well, you get the idea.

You don't actually have to build a honeypot or honeynet to reap the research benefits of one. Numerous academic honey-things abound on the Internet, and their owners publish their findings. Studying these prior efforts is an important prerequisite to building your own honey-thing.
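As an added example (not the article's code), here is the skeleton of a low-interaction honeypot in Python of the kind the honeypot step describes: it listens on a port no real service uses, answers with a plausible banner, records who connected and the first bytes they sent, and never acts on that input. The banner, the loopback binding and the probe labels in `classify` are constructed assumptions, and `demo()` plays both the decoy and a local stand-in visitor so the whole thing runs offline.

```python
import socket
import threading
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    when: float          # epoch seconds
    peer_ip: str
    peer_port: int
    local_port: int
    first_bytes: bytes   # what the visitor sent right after the banner


class Honeypot:
    """Accepts connections, sends a banner, records the visitor's opening bytes
    and hangs up. Nothing received is ever interpreted or executed."""

    # Host, port and banner are constructed for the demo; port 0 lets the OS choose.
    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 files.corp.example FTP server ready\r\n"):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]
        self.banner = banner
        self.hits = []
        self._lock = threading.Lock()

    def serve_one(self, idle_timeout=2.0):
        """Handle one connection; returns the Hit, or None if nobody connected."""
        self._sock.settimeout(idle_timeout)
        try:
            conn, (ip, rport) = self._sock.accept()
        except socket.timeout:
            return None
        with conn:
            conn.settimeout(idle_timeout)
            try:
                conn.sendall(self.banner)
                data = conn.recv(256)    # a glimpse is enough to classify the probe
            except (socket.timeout, OSError):
                data = b""
        hit = Hit(time.time(), ip, rport, self.port, data)
        with self._lock:
            self.hits.append(hit)
        return hit

    def close(self):
        self._sock.close()


def classify(hit):
    """Rough label for what the visitor tried, judged from its opening bytes."""
    head = hit.first_bytes.upper()
    if not head:
        return "connect-only (port scan)"
    if head.startswith((b"USER ", b"PASS ")):
        return "login attempt"
    if head.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "HTTP request to a non-HTTP port"
    return "unknown payload"


def simulate_visitor(port, payload):
    """Constructed stand-in for a probe, used only to exercise the decoy on loopback."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        banner = c.recv(256)
        if payload:
            c.sendall(payload)
    return banner


def demo(payloads=(b"USER admin\r\n", b"")):
    """Stand the decoy up, send it the constructed probes one by one, return the hits."""
    hp = Honeypot()
    for payload in payloads:
        worker = threading.Thread(target=hp.serve_one, daemon=True)
        worker.start()
        simulate_visitor(hp.port, payload)
        worker.join(5)
    hp.close()
    return hp.hits
```

Each `Hit` is the raw material the article says a honeypot exists to collect; in a real deployment you would write them to a log the rest of your monitoring reads, and let `serve_one` loop for as long as the decoy is up.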

Proceed to Advance Camp

When it comes to network security, there are no guarantees. You can't do it all, but as long as you can do more than the next guy, you'll make yourself a less attractive target than he is. Take as many of these 10 steps as you can to move your enterprise fruit to higher branches.

About the Author

Mel Beckman is a senior technical editor for iSeries NEWS and the editor of Dr. I Doctor (DrIDoctor.com). He has built two regional Internet service providers and is currently president of Beckman Software Engineering, a technical consultancy specializing in large-scale, high-bandwidth networks. You can e-mail Mel at mbeckman@iseriesnetwork.com.