NETWORK SECURITY


After completing this unit, you will be able to:
·         Understand Network Security.
·         Understand Security Measures against Network Attacks.
·         Appreciate the Need for a Firewall.
·         Understand the Encryption Methods used as Security Measures.
A.1 Introduction
A.2 Network Security
A.3 Classification of Networks
A.4 Firewalls
A.5 Summary
A.6 Self Assessment Questions
Securing data has become the most vital issue today. The network designs are prepared in such a way that intrusions and data loss is avoided. Generally speaking, Network Security is broadly classified into the two broad areas of Computer Security and Information Security.
A group of computers form a network and is invariably subjected to attacks originating from any terminal on that network. The network security is enforced by extending well known security approaches adopted for protection of non-networked systems as well as network-specific mechanisms. Enforcing various security check points has a definite effect on the usefulness of the network; rather one can have a design which ensures the optimum use of the network with maximum benefits of the network to the organization.
Security of information in transit across the network
The information on a network can reside in two forms. It can reside on a physical storage media or memory or it can reside in transit across the physical network in the form of packets. The problem of security is largely due to unethical practices by intruders to observe (capture) packets travelling across the network, or an ability to introduce spurious packets on a network. This can be restricted to some extent by enforcing certain encryption techniques to handle critical pieces of information.
Nature of Attacks
The attacks on a system’s security can be mainly attributed to the following reasons:
1.       To obtain unauthorized access to private, or secret information stored on the system.
2.       To use the system as a start point for attacks on other systems, data servers or key servers on network.
3.       Denial-of-service attacks attempt to use up system resources to inconvenience the users. A classic example is to send vast megabytes of electronic mail to a target host in an attempt to exhaust its disk space.
4.       A variation of the denial-of-service attack is where an intruder actually attempts to cause damage to the system; for example, by removing important files, changing configurations, etc.
5.       To insert spurious packets on a network.
Protecting information becomes the top most priority and the network administrator is majorly concerned with preventing the theft, destruction, corruption and introduction of information that can cause irreparable damage to sensitive and confidential data on a network.
Look at some of the common methods of attack on your network:
1.       Network packet sniffers.
2.       IP spoofing.
3.       Password attacks.
4.       Distribution of sensitive, internal information to external sources.
5.       Man-in-the-middle attacks.
We shall now look at these in detail:
1.       Network Packet Sniffers
Since networked computers communicate serially (one piece of information is sent after another), large data is broken into smaller data packets. Several network applications distribute network packets in clear text ----that is, the information sent across the network is not encrypted. (Encryption is the transformation, or degeneration, of a message into an unreadable format by using a mathematical algorithm.) Because the network packets are not encrypted, they can be processed and understood by any application that can pick them up off the network and process them.
A network protocol specifies how packets are identified and labeled, which enables a computer to determine whether a packet is intended for it or not. Because the specifications for network protocols, such as TCPI1P, are widely published, a third party can easily interpret the network packets and develop a packet sniffer. A packet sniffer is a software application that uses a network adapter card when it sends all packets received on the physical network wire to an application for processing and captures all network packets that are sent across a local-area network. As several network applications distribute network packets in clear text, a packet sniffer can provide its user with meaningful and often sensitive information, such as user account names and passwords. If you use networked databases, a packet sniffer can provide an attacker with information that is queried from the database. One serious problem with acquiring user account names and passwords is that users often reuse their login names and passwords across multiple applications.
In addition, many network administrators use packet sniffers to diagnose and fix network-related problems. Because in the course of their usual and necessary duties, these network administrators (such as those in the Payroll Department) work during regular employee hours, they can potentially examine sensitive information distributed across the network. Many users employ a single password for access to all accounts and applications. If an application is run in client/server mode and authentication information is sent across the network in clear text, this same authentication information can probably be used to gain access to other corporate resources. Because attackers know and use human characteristics (attack methods known collectively as social engineering attacks), such as using a single password for multiple accounts, they are often successful in gaining access to sensitive information.
2.       IP Spoofing
An IP spoofing, attack occurs when an attacker outside your network pretends to be a part of your network or legal terminal. This is facilitated either by using an IP address that is within the range of IP addresses for your network, or by using an authorized external IP address that you trust and to which you want to provide access to specified resources on your network.
Normally, an IP spoofing attack is limited to the injection of data or commands into an existing stream of data passed between a client and server application or a peer-to-peer network connection. To enable bi-directional communication, the attacker must change all routing tables to point to the spoofed IP address.
However, if an attacker manages to change the routing tables to point to the spoofed IP address, he can receive all the network packets that are addressed to the spoofed address and can reply just as any trusted user on a network can.
Like packet sniffers, IP spoofing attacks are not restricted to people who are external to the network.
3.       Password Attacks
Password attacks can be implemented using several methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers. Although packet sniffers and IP spoofing can yield user accounts and passwords, password attacks usually refer to repeated attempts to identify a user account and/or password; these repeated attempts are called brute-force attacks.
Often, a brute-force attack is performed using a dictionary program that runs across the network and attempts to log into a shared resource, such as a server. When an attacker successfully gains access to a resource, that person has the same rights as the user whose account has been compromised to gain access to that resource. If this account has sufficient privileges, the attacker can create a back door for future access, without concern for any status and password changes to the compromised user account.
4.       Distribution of Sensitive Information
Controlling the distribution of sensitive information is the critical issue of a network security policy. Although such an attack may not be obvious, the majority of computer break-ins that organizations suffer, are usually at the hands of disgruntled present or former employees. At the core of these security breaches is the distribution of sensitive information to competitors or others who will use it to the organization’s disadvantage. An outside intruder can use password andIP spoofing attacks to copy information, and an internal user can easily place sensitive information on an external computer or share a drive on the network with other users.
For example, an internal user could place a file on an external FTP server without ever leaving his or her desk. The user could also e-mail an attachment that contains sensitive information to an external user.
5.       Man-in-the-Middle Attacks
A man-in-the-middle attack requires that the attacker has access to network packets that come across the networks. An example of such a configuration could be someone who is working for your Internet Service Provider (ISP), who can gain access to all network packets transferred between your network and any other network. Such attacks are often implemented using network packet sniffers, routing and transport protocols. The possible uses of such attacks are theft of information, hijacking of an ongoing session to gain access to your internal network resources, traffic analysis to derive information about your network and its users, corruption of transmitted data, and introduction of new information into network sessions, etc.
Protecting Your Network: Maintaining Internal Network System Integrity
When considering what to protect within your network, you are concerned with maintaining the integrity of the physical network, your network software and network resources. This integrity involves the verifiable identity of computers and users, proper operation of the services that your network provides and optimal network performance; all these concerns are important in maintaining a productive network environment.
1.       Network Packet Sniffers
As mentioned earlier, network packet sniffers can yield critical system information, such as user account and/or passwords. When an attacker obtains the correct account information, he or she has the run of your network. In a worst-case scenario, an attacker gains access to a system-level user account, which the attacker uses to create a new account that can be used at any time as a back door to get into network and its resources. The attacker can modify system-critical files, such as the password for the system administrator account, the list of services and permissions on file servers and other servers.
Packet sniffers provide information about the topology of your network that many attackers find useful to steal the information. This information, such as what computers run which services, how many computers are in a network, which computers have access to others, and so on, can be collected from the information contained within the packets that are distributed across your network.
In addition, a network packet sniffer can be modified to interject new information or change existing information in a packet. By doing so, the attacker can cause network connections to shut down prematurely, as well as change critical information within the packet. Imagine what could happen if an attacker modified the information being transmitted to your accounting system. The effects of such attacks can be difficult to detect and at the same time would be very costly to rectify.
2.       IP Spoofing
IP spoofing can yield access to user accounts and passwords, and it can also be used in other ways. For example, an attacker can emulate one of your internal users in ways that prove embarrassing for your organization; the attacker could send e-mail messages to business partners that appear to have originated from someone within your organization. Such attacks are easier when an attacker has a user account and password, but they are possible by combining simple spoofing attacks with knowledge of messaging protocols. For example, Telnet directly to the SMTP port on a system allows the attacker to insert bogus sender information.
3.       Password Attacks
Just as with packet sniffers and IP spoofing attacks, a brute-force password attack can provide access to accounts that can be used to modify critical network files and services. An example that compromises your network’s integrity is an attacker modifying the routing tables of a network. By doing so, the attacker ensures that all network packets are routed to him or her before they are transmitted to their final destination. In such a case, an attacker can monitor all network traffic, effectively becoming a man in the middle.
4.       Application Layer Attacks
Application layer attacks can be implemented using several different methods. One of the most common methods is exploiting well-known weaknesses in software commonly found on servers, such as send mail, PostScript and FTP. By exploiting these weaknesses, attackers can gain access to a computer with the permissions of the account running the application, which is usually a privileged system-level account.
Trojan horse attacks are implemented using bogus programs that an attacker substitutes for common programs. These programs may provide all the functionality that the normal application or service provides, but they also include other features that are known to the attacker, such as monitoring login attempts to capture user account and password information. These programs can capture sensitive information and distribute it back to the attacker. They can also modify application functionality, such as applying a blind carbon copy to all e-mail messages so that the attacker can read all of your organization’s e-mail.
One of the oldest forms of application layer attacks is a Trojan horse program that displays a screen, banner or prompt that the user believes is the valid login sequence. The program then captures the information that the user types in and stores or e-mails it to the attacker. Secondly, the program either forwards the information to the normal login process or simply sends an expected error to the user, exits and starts the normal login sequence. The user, believing that he or she has incorrectly entered the password (a common mistake experienced by everyone), retypes the information and is allowed access.
One of the newest forms of application layer attacks exploits the openness of several new technologies: the HyperText Markup Language (HTML) specification, web browser functionality and HTTP. These attacks, which include Java applets and ActiveX controls, involve passing harmful programs across the network and loading them through a user’s browser. However, attackers have already discovered how to utilize properly signed and bug-free Active X controls to make them act as Trojan horses. This technique uses VBScript to direct the controls to perform the irrelevant work, such as overwriting files and executing other malicious programs.
These new forms of attack are different in two respects:
1.       They are initiated not by the attacker, but by the user, who selects the HTML page that contains the harmful applet or script stored using the