7.1. Methods of Attack
As a network administrator, it is important that you understand the nature of potential attacks on computer security. We'll briefly describe the most important types of attacks so that you can better understand precisely what the Linux IP firewall will protect you against. You should do some additional reading to ensure that you are able to protect your network against other types of attacks. Here are some of the more important methods of attack and ways of protecting yourself against them:

Unauthorized access

This simply means that people who shouldn't be allowed to use your computer services are able to connect to and use them. For example, people outside your company might try to connect to your company accounting host or to your NFS server.

There are various ways to avoid this attack by carefully specifying who can gain access through these services. You can prevent network access to all except the intended users.

Exploitation of known weaknesses in programs
Some programs and network services were not originally designed with strong security in mind and are inherently vulnerable to attack. The BSD remote services (rlogin, rexec, etc.) are an example.

The best way to protect yourself against this type of attack is to disable any vulnerable services or find alternatives. A good place to start is to only install, run and expose services that you absolutely have to. Start with no network services and work your way up from there. Use the netstat command to determine the ports that your host is listening on, make sure the list is as small as possible, and know exactly what each of them is for. Don't run any network services on the firewall host, with the possible exception of Secure Shell (SSH). Follow bug databases and patch lists and keep your systems up to date. Two of the most popular bug databases are the Bugtraq database, available online at http://www.securityfocus.com/bid (see also http://www.securityfocus.com/rss for information on accessing Bugtraq via an RSS feed) and the Common Vulnerabilities and Exposures (CVE) database, available online at http://cve.mitre.org/ (see also the RSS at http://www.opensec.org/feeds/cve/latest.xml).

Most Linux distributors provide tools to download and install updates. Red Hat has a utility called yum, SuSE has a utility called YaST Online Update (YOU), and Debian uses apt-get.

SSH and iptables

With SSH and iptables, you have two easy ways to access hosts and services inside your network from the outside world without exposing them directly. First, you can run SSH on the firewall and use SSH's port forwarding feature to access internal hosts and services from the outside, without exposing them directly to the outside. Section 12.1 of Bob Toxen's book Real World Linux Security, Second Edition (Prentice Hall), has additional information on using SSH in this way. Second, you can use iptables Destination Network Address Translation to expose SSH for multiple servers as distinct ports on the firewall's public IP address, with the connections forwarded to the individual hosts inside the network. See Chapter 9 for more information on Network Address Translation.
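The listening-port audit recommended above can be done without netstat at all, by reading the kernel table that netstat -tln prints. The script below is an added example for this chapter, not code from the book; it decodes /proc/net/tcp (hex little-endian addresses, state 0A = LISTEN) and prints every listening socket, so you can compare the list against the services you intended to run. The sample table it falls back to is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): audit which TCP ports a host accepts
# connections on by reading /proc/net/tcp, the table that netstat -tln
# prints. Column 2 is local_address as HEXIP:HEXPORT (the IPv4 address is
# stored little-endian), column 4 is the socket state; 0A means LISTEN.
# The sample table further down is constructed for this example.

# hex_to_ip HEX: convert a little-endian 8-digit hex address to dotted form
# (0100007F -> 127.0.0.1).
hex_to_ip() {
    h=$1
    a=${h%??????}      # first two hex digits hold the last octet
    rest=${h#??}
    b=${rest%????}
    rest=${rest#??}
    c=${rest%??}
    d=${rest#??}
    printf '%d.%d.%d.%d' "$((0x$d))" "$((0x$c))" "$((0x$b))" "$((0x$a))"
}

# listening_ports: read a /proc/net/tcp-format table on stdin and print
# "address:port" for every socket in LISTEN state, one per line.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" { print $2 }' | while read -r laddr; do
        printf '%s:%d\n' "$(hex_to_ip "${laddr%:*}")" "$((0x${laddr#*:}))"
    done
}

# sample_table: a constructed table with sshd bound to all addresses, an
# SMTP listener bound to loopback only, and one established connection.
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:C2F4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
EOF
}

# On a live Linux host audit the real table; otherwise show the sample.
if [ -r /proc/net/tcp ]; then
    listening_ports < /proc/net/tcp
else
    sample_table | listening_ports
fi
```

Run on the sample, the script prints 0.0.0.0:22 and 127.0.0.1:25; the established connection on line 2 is ignored because only LISTEN sockets are reachable by new connections. A listener bound to 0.0.0.0 is exposed on every interface, so each such entry should correspond to a service you deliberately offer; the same decoding applies to /proc/net/udp, whose listening sockets show state 07.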
Denial of service

Denial of service attacks cause the service or program to cease functioning or prevent others from making use of the service or program. These may be performed at the network layer by sending carefully crafted and malicious packets that cause network connections to fail. They may also be performed at the application layer, where carefully crafted application commands are given to a program that cause it to become extremely busy or stop functioning.

Preventing suspicious network traffic from reaching your hosts and preventing suspicious program commands and requests (this requires software that understands the underlying protocols, such as proxy servers) are the best ways of minimizing the risk of a denial of service attack. It's useful to know the details of the attack method, so you should educate yourself about each new attack as it gets publicized.

Spoofing
This type of attack involves one host or application pretending to be another. Typically the attacker's host pretends to be an innocent host by forging IP addresses in network packets. For example, a well-documented exploit of the BSD rlogin service can use this method to mimic a TCP connection from another host by guessing TCP sequence numbers.

To protect against this type of attack, verify the authenticity of packets and commands (a combination of filtering and proxy servers can help here). Prevent packet routing with invalid source addresses. Use operating systems (such as Linux) with unpredictable connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses. Putting hosts with operating systems that have insecure sequence number algorithms behind a Linux firewall performing Network Address Translation allows you to continue to use them with increased safety, since the firewall host will use its own sequence numbering algorithms for communication with the outside world.
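"Prevent packet routing with invalid source addresses" translates, on a Linux firewall, into ingress rules on the external interface plus the kernel's reverse-path filter. The script below is an added example for this chapter, not code from the book; it generates the iptables and sysctl commands that drop (and log, rate-limited) any packet arriving from the outside that claims an inside, loopback or otherwise impossible source address. The interface name eth0 and the network list are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the book): generate ingress anti-spoofing rules
# for a Linux firewall's external interface. A packet arriving from the
# outside world must never claim a source address from the inside networks,
# loopback or another range that cannot legitimately appear there; such
# packets are logged (rate-limited) and dropped before routing. The
# interface name and address ranges are assumed placeholders for this
# example; substitute your own. Nothing is applied unless you pipe the
# output to sh as root.

EXT_IF=${EXT_IF:-eth0}                                  # assumed external interface
INSIDE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"   # RFC 1918 private ranges
BOGUS_NETS="127.0.0.0/8 0.0.0.0/8 169.254.0.0/16 224.0.0.0/4"

# antispoof_rules IFACE NET...: print one LOG and one DROP rule per network
# for both locally delivered (INPUT) and forwarded (FORWARD) traffic, then
# enable the kernel's reverse-path filter on the interface.
antispoof_rules() {
    iface=$1
    shift
    for net in "$@"; do
        for chain in INPUT FORWARD; do
            echo "iptables -A $chain -i $iface -s $net -m limit --limit 5/min -j LOG --log-prefix \"SPOOF $chain: \""
            echo "iptables -A $chain -i $iface -s $net -j DROP"
        done
    done
    echo "sysctl -w net.ipv4.conf.$iface.rp_filter=1"
}

# count_rules IFACE NET...: how many iptables rules the function emits
count_rules() {
    antispoof_rules "$@" | grep -c '^iptables '
}

# Review the output first; "antispoof_rules eth0 ... | sh" as root applies it.
antispoof_rules "$EXT_IF" $INSIDE_NETS $BOGUS_NETS
```

These rules only work if they are evaluated before any rule that accepts traffic on the external interface, so load them at the top of a fresh ruleset (or use -I instead of -A on an existing one). The rp_filter setting is a second, independent check: the kernel discards packets whose source address would not be routed back out the interface they arrived on, which catches spoofed sources the static list does not name.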
Eavesdropping
This is the simplest type of attack. A host is configured to "listen" to and capture data not belonging to it (by putting its network interface into "promiscuous" mode and monitoring all packets traversing the network segment). Carefully written eavesdropping programs can take usernames and passwords from user login network connections. Broadcast networks such as unswitched Ethernet are especially vulnerable to this type of attack, although it does require physical access to the Ethernet network. Wireless networks have similar problems and can be more dangerous since physical access is not required; proximity is sufficient.

To protect against this type of threat, avoid use of broadcast network technologies and enforce the use of data encryption.

It is more complicated, but not impossible, to do packet sniffing in a switched environment. Some Ethernet switches have administrative settings or even failure modes that cause them to copy all packets to one or more of their ports.
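An administrator can at least check their own hosts for the "promiscuous" mode described above. The script below is an added example for this chapter, not code from the book; it reads the interface flags word Linux exposes under /sys/class/net/<interface>/flags and reports every interface with the IFF_PROMISC bit (0x100, from the kernel's if.h) set. The flag values used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the book): report network interfaces that are in
# promiscuous mode, i.e. configured to capture traffic not addressed to
# them. Linux publishes each interface's flags in /sys/class/net/<if>/flags
# as a hex word; bit 0x100 is IFF_PROMISC. A typical idle Ethernet port
# shows 0x1003 (UP|BROADCAST|MULTICAST); 0x1103 is the same port with
# promiscuous mode enabled. Those two values are constructed test inputs.

IFF_PROMISC=256   # 0x100

# is_promisc FLAGS: succeed when the hex flags word has IFF_PROMISC set.
is_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# promisc_interfaces: print the name of every interface on this host whose
# flags word has IFF_PROMISC set (prints nothing when none is promiscuous).
promisc_interfaces() {
    for d in /sys/class/net/*; do
        [ -r "$d/flags" ] || continue
        if is_promisc "$(cat "$d/flags")"; then
            basename "$d"
        fi
    done
}

# Show the check on the two constructed flag values, then on the live host.
for f in 0x1003 0x1103; do
    if is_promisc "$f"; then
        echo "$f: promiscuous"
    else
        echo "$f: normal"
    fi
done
promisc_interfaces
```

An interface in promiscuous mode on a server that runs no packet-capture tooling is worth investigating; on a host that legitimately runs an IDS or a bridge it is expected. Because the check reads the kernel's own view of the interface, it does not depend on what a capture program reports about itself.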
IP firewalling is very useful in preventing or reducing unauthorized access, network layer denial of service, and IP spoofing attacks. It is not very useful in avoiding exploitation of weaknesses in network services or programs, or in preventing eavesdropping.