SDA MIS Directors Conference Security Talk
Internal security covers the types of things that someone can do only after they have successfully logged into your system. Different systems may have internal vulnerabilities: ways that a user can gain system privileges or simply access other users' files and data. Internal security problems usually come down to either incorrect or overly permissive file permissions, or flaws in programs that run with system privilege.
A good place to look for information about recent vulnerabilities is the Computer Emergency Response Team (CERT). They produce advisory bulletins to let you know of current system problems as they are discovered and of fixes as they become available. CERT also has a modest archive of security software that can be very helpful. A couple of packages to assist with detecting internal system security problems are COPS, by Dan Farmer, and Tripwire.
COPS is a program that will examine your system for bad file permissions that could cause trouble. It will also check the version numbers of many of your system programs and warn you if there are known vulnerabilities in that version. Its main drawback is that it doesn't have all of the latest information on program vulnerabilities.
Tripwire takes a snapshot of your system (best done right after an operating system install) and then compares the current system with this earlier snapshot to notify you of what has changed.
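The snapshot-and-compare idea behind Tripwire, as an added example that is not Tripwire's own code: a baseline of checksum, size and mode per file is recorded once, and later runs are diffed against it. The directory layout, file contents and names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Tripwire or COPS: a minimal snapshot-and-compare check in the
# spirit described above. "snapshot" records a checksum, size and mode for every
# regular file; "compare" diffs a stored baseline against a fresh snapshot.
# Keep the baseline on read-only or offline media, or an intruder can re-baseline.

# snapshot DIR: one line per regular file: CRC SIZE MODE PATH (paths sorted)
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        crc_size=$(cksum "$f" | awk '{ print $1, $2 }')   # cksum prints CRC SIZE PATH
        mode=$(ls -ld "$f" | awk '{ print $1 }')           # e.g. -rwsr-xr-x
        printf '%s %s %s\n' "$crc_size" "$mode" "$f"
    done
}

# compare BASELINE CURRENT: print ADDED / REMOVED / CHANGED lines; return 1 if any
compare() {
    changes=$(awk '
        { p = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", p); v = $1 " " $2 " " $3 }
        FILENAME == ARGV[1] { base[p] = v; next }
        { cur[p] = v }
        END {
            for (p in base) if (!(p in cur))  print "REMOVED " p
            for (p in cur)  if (!(p in base)) print "ADDED " p
            for (p in cur)  if (p in base && base[p] != cur[p]) print "CHANGED " p
        }' "$1" "$2" | LC_ALL=C sort)
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# demo: constructed mini filesystem; a baseline is taken, then one file is altered
# and another appears (what a tampered passwd or a planted file would look like)
demo() {
    d=$(mktemp -d); mkdir "$d/etc"
    printf 'root:x:0:0:root:/:/bin/sh\n' > "$d/etc/passwd"
    printf 'Welcome\n' > "$d/etc/motd"
    snapshot "$d" > "$d.base"                               # stored outside the scanned tree
    printf 'root::0:0:root:/:/bin/sh\n' > "$d/etc/passwd"   # password field emptied
    printf 'x\n' > "$d/etc/.hidden"                          # new file appears
    snapshot "$d" > "$d.cur"
    if compare "$d.base" "$d.cur"; then echo "no changes"; fi
    rm -rf "$d" "$d.base" "$d.cur"
}
```

Run `demo` to see the report; in real use you would run `snapshot / > baseline` once and `compare baseline <(snapshot /)` (or via a temp file) from cron, with the baseline kept somewhere the scanned system cannot write.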
Password security can be very difficult to deal with. Easy passwords can often be guessed by knowing something about the person who owns the account. Often the directory information from their password entry or the phone book, or knowing what department they work in, can help in guessing their password. There are a couple of tools that are widely used to help deal with passwords. The first is a password guessing program called Crack, which uses a set of dictionaries and your password file (with passwords in it) to guess passwords. This is a "must have" tool for any hacker. When I run this on a new password file for the first time I almost always get 30-40 passwords guessed in the first 5-10 minutes.
Crack can tell you if your passwords are easy to guess, but the best defense is an offense. There is a program, npasswd, which is a replacement for passwd or yppasswd that checks to make sure that a new password is not easy for Crack to guess. There is a plugin module (cracklib) for npasswd which allows you to make it test against the same rules that Crack uses. This requires all new passwords to be "crack safe".
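What a "crack safe" acceptance check looks like, as an added example that is neither npasswd nor cracklib: it rejects passwords that are a dictionary word (plain or reversed, with digits and punctuation stripped) or that are derived from the account's own login name or GECOS directory information. The word list and the account details are constructed.

```shell
# Added example, not npasswd or cracklib: a "crack-safe" acceptance check that
# applies the kinds of rules described above. The word list and the account
# record are constructed inline; a real deployment would read the system
# dictionary and the user's passwd entry (login name and GECOS field).

# normalize PW: lower-case, then strip leading and trailing digits/punctuation,
# undoing the usual "word + digits" or "digits + word" mangling.
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/^[^a-z]*//; s/[^a-z]*$//'
}

reverse() {
    printf '%s' "$1" | awk '{ r = ""; for (i = length($0); i > 0; i--) r = r substr($0, i, 1); print r }'
}

# crack_safe PASSWORD LOGIN GECOS WORDLIST: print a reason and return 1 if a
# dictionary-style guesser would find the password; print "ok" and return 0 if not.
crack_safe() {
    pw=$1 login=$2 gecos=$3 words=$4
    [ "${#pw}" -ge 8 ] || { echo "too short"; return 1; }
    core=$(normalize "$pw")
    [ -n "$core" ] || { echo "no letters"; return 1; }
    rcore=$(reverse "$core")
    # the login name and every GECOS field (name, room, phone) are guessable,
    # forwards or backwards
    set -f                       # no globbing while the fields are split
    hit=
    for tok in $(printf '%s %s' "$login" "$gecos" | tr ',A-Z' ' a-z'); do
        case "$core" in "$tok"|"$(reverse "$tok")") hit=$tok ;; esac
    done
    set +f
    [ -z "$hit" ] || { echo "derived from account info ($hit)"; return 1; }
    # plain or reversed dictionary word: -F fixed string, -x whole line, -i any case
    if grep -Fxqi -e "$core" -e "$rcore" "$words"; then
        echo "dictionary word"; return 1
    fi
    echo "ok"
}

# make_wordlist: write a tiny constructed dictionary and print its path
make_wordlist() {
    w=$(mktemp)
    printf 'hello\npassword\nsecret\nwelcome\nmonday\n' > "$w"
    echo "$w"
}
```

With the constructed list, `crack_safe 'Hello123' jsmith 'John Smith,Room 12' "$(make_wordlist)"` is rejected as a dictionary word and `Smith2024` as derived from account info, while a long passphrase passes.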
External security deals with attacks from outside of your machine. The most common problems in this category include sniffers, holes in system services, denial of service attacks, and mail bombs.
The problem with sniffers is a difficult one to deal with. They are difficult to detect. It is hard to consider a non-malicious use of a sniffer by someone other than a network management technician. Sniffers require system-level access on a Unix system, but only ordinary access on a PC type of machine.
One method for finding a hole in a system service, like mail, telnet, etc., is to run the program suite SATAN to investigate your own site's resources. Another is to go through the CERT Advisories frequently to see if there is anything outstanding that applies to your site. This can be time consuming, but knowing about late-breaking security problems that may apply to your system may save you considerable embarrassment and difficulty cleaning up afterwards.
Denial of service attacks include things like large ping packets that crash systems and routers, Out of Band packets that bring down Microsoft systems, and a host of other possible attacks that cause a system to stop providing services to its legitimate users.
Mail bombs are particularly difficult to deal with because they often
come from outside of your organization, and can cause denial of service
by taking down mail servers, filling up disks with junk mail, and not
allowing legitimate work to be done in a timely manner.
The most common solution for external security threats is to limit external access to internal services. If you have a small set of well administered machines, you can use a package called TCP Wrapper to monitor and optionally restrict access to your services. From the logs generated you can monitor not only who is using your services, but who is trying to use them and failing. The logs also give you an audit trail to track things that actually get through. This method stops, or at least can warn you of, many types of external threats. TCP Wrapper does not work well if you have a network that also has machines on it that are not administered with the same level of concern and cooperation.
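Reading the TCP Wrapper logs for the two things the text says they give you (who is using a service, and who is being turned away), as an added example that is not part of TCP Wrapper itself. The syslog extract is constructed; the host name "gateway" and the addresses are placeholders, and the "connect from" / "refused connect from" message forms are the ones tcpd logs.

```shell
# Added example, not part of TCP Wrapper: summarizing the lines tcpd writes via
# syslog ("connect from ..." and "refused connect from ...") to answer the two
# questions above, who is using a service and who is being turned away. The log
# extract is constructed; "gateway" and the addresses are placeholders.

# make_sample_log: write the constructed syslog extract and print its path
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 14:22:01 gateway in.telnetd[2231]: connect from 192.0.2.17
Mar  3 14:22:09 gateway in.ftpd[2235]: refused connect from 198.51.100.9
Mar  3 14:22:10 gateway in.telnetd[2236]: refused connect from 198.51.100.9
Mar  3 14:22:11 gateway in.fingerd[2237]: refused connect from 198.51.100.9
Mar  3 14:30:45 gateway in.ftpd[2301]: connect from 192.0.2.17
Mar  3 15:02:13 gateway in.telnetd[2410]: refused connect from 203.0.113.5
EOF
    echo "$f"
}

# tcpd_report LOG: one line per (outcome, service, client) with a count.
# Syslog fields: month day time host program[pid]: message ...
tcpd_report() {
    awk '
        $5 ~ /^[A-Za-z0-9._-]+\[[0-9]+\]:$/ {
            svc = $5; sub(/\[.*/, "", svc)
            if ($6 == "refused" && $7 == "connect" && $8 == "from") refused[svc " " $9]++
            else if ($6 == "connect" && $7 == "from")               allowed[svc " " $8]++
        }
        END {
            for (k in refused) print "REFUSED", refused[k], k
            for (k in allowed) print "ALLOWED", allowed[k], k
        }' "$1" | LC_ALL=C sort
}

# refused_count LOG CLIENT: how many times tcpd turned CLIENT away
refused_count() {
    awk -v c="$2" '$6 == "refused" && $7 == "connect" && $9 == c { n++ } END { print n + 0 }' "$1"
}

# probing_clients LOG MIN: clients refused on at least MIN distinct services,
# the signature of someone walking down your service list
probing_clients() {
    awk -v min="$2" '
        $6 == "refused" && $7 == "connect" { svc = $5; sub(/\[.*/, "", svc); seen[$9 " " svc] = 1 }
        END {
            for (k in seen) { split(k, a, " "); n[a[1]]++ }
            for (c in n) if (n[c] >= min) print c, n[c]
        }' "$1" | LC_ALL=C sort
}
```

On the sample, `probing_clients LOG 2` singles out 198.51.100.9, which was refused on three different services within seconds, the pattern worth a follow-up that a single refused telnet connection is not.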
If you have untrusted hosts on your networks, the best way to limit external security threats is to use a firewall. A firewall is used to limit access to services. Firewalls can be configured to allow only specified protocols, from only specified locations, for specified users. Firewalls range in price from about $5,000 to over $150,000. The $5,000 system will be mostly for the hardware, with a free set of firewall tools, while the commercial systems usually start at about $30,000 (for the same hardware) plus proprietary software. The different firewall options usually differ in the level of bells and whistles, pager calls, and graphical user interfaces. The basic functions of the firewalls differ very little.
The difficult part of installing a firewall is not the hardware or the software, but the policy decisions. The policy decisions need to be made regardless of which firewall is implemented. The varying costs of firewalls often fluctuate with the number of hours of "consulting" time that is provided to you to help decide the policy issues.
Two common software packages that are available at no charge for implementing firewalls are the TIS FWTK (FireWall Tool Kit) from Trusted Information Systems and SOCKS. These packages provide a broad selection of firewall services. They have been ported to many different systems and install easily. The difficult part is to decide on the policies to be implemented.
Summary
The only single means to achieve network security that is absolutely effective is to pull the network connection. No other single method of security will cover all aspects of network security. A good security plan needs to have methods in place to guard all major aspects of security. Just picking a single set of security methods will not cover all of the bases. A typical implementation schedule for security tools is to put monitoring tools in first, followed by tools that provide assistance for the specific types of security problems that are being experienced.