Addressing Security Objectives - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources] (text version)


Thomas W. Shinder; Debra Littlejohn Shinder


Addressing Security Objectives

If our security goal is to have complete control over what data comes into and goes out of our networks, we must define objectives that will help us reach that goal. Earlier we listed some general security objectives for computer networks, especially those connected to an outside internetwork such as the global Internet: controlling physical access, preventing accidental compromise of data, detecting and preventing intentional internal security breaches, and detecting and preventing unauthorized external intrusions. In the following sections, we examine each of these objectives in detail.

Controlling Physical Access


One of the most important, and at the same time most overlooked aspects of a comprehensive network security plan is physical access control. This matter is often left up to facilities managers or plant security departments, or it is outsourced to security guard companies. Network administrators frequently concern themselves with sophisticated software and hardware solutions that prevent intruders from accessing internal computers remotely, while doing nothing to protect the servers, routers, cable, and other physical components of the network from direct access.








Tools & Traps...Thinking Outside the Box About Security

In far too many supposedly security-conscious organizations, computers are locked away from employees and visitors all day, only to be left open at night to the janitorial staff, which has keys to all offices. It is not at all uncommon for computer espionage experts to pose as members of the cleaning crew to gain physical access to machines that hold sensitive data. This is a favorite ploy for several reasons:

Cleaning services are often contracted out, and workers in the industry are often transient, so company employees may not easily know who is or isn't a legitimate employee of the cleaning company.
Cleaning is usually done late at night, when all or most company employees are gone, making it easier to steal data.
Cleaning crew members are often paid little or no attention by company employees, who take their presence for granted and think nothing of their being in areas where the presence of others might be questioned.

Physically breaking into the server room and stealing the hard disk on which sensitive data resides may be a crude method; nonetheless, it happens. In some organizations, it may be the easiest way to gain unauthorized access, especially for an intruder who has help 'on the inside.'


Physical Access Factors

It is important for you to make physical access control the 'outer perimeter' of your security plan. This means:

Controlling physical access to the servers
Controlling physical access to networked workstations
Controlling physical access to network devices
Controlling physical access to the cable
Being aware of security considerations with wireless media
Being aware of security considerations related to portable computers
Recognizing the security risk of allowing data to be printed out
Recognizing the security risks involving floppy disks, CDs, tapes, and other removable media

Let's look at why each of these is important and how you can implement a physical security plan that addresses all these factors.


Protecting the Servers

File servers on which sensitive data is stored and infrastructure servers that provide mission critical services such as logon authentication and access control should be placed in a highly secure location. At the minimum, servers should be in a locked room where only those who need to work directly with the servers have access. Keys should be distributed sparingly, and records should be kept of issuance and return.

If security needs are high due to the nature of the business or the nature of the data, access to the server room may be controlled by magnetic card, electronic locks requiring entry of a numerical code, or even biometric access control devices such as fingerprint or retinal scanners. Both ingress and egress should be controlled-ideally with logs, video cameras, and/or other means of recording both who enters and who exits.

Other security measures include motion detectors or other alarm systems, activated during non-business hours, and security cameras. A security guard or monitoring company should watch these devices.


Keeping Workstations Secure

Many network security plans focus on the servers but ignore the risk posed by workstations with network access to those servers. It is not uncommon for employees to leave their computers unsecured when they leave for lunch or even when they leave for the evening. Often there will be a workstation in the receptionist area that is open to visitors who walk in off the street. If the receptionist must leave briefly, the computer-and the network to which it is connected-is vulnerable unless steps have been taken to ensure that it is secure.

A good security plan includes protection of all unmanned workstations. A secure client operating system such as Windows NT or Windows 2000 requires an interactive logon with a valid account name and password in order to access the operating system (unlike Windows 9x). This allows users to 'lock' the workstation when they are going to be away from it so someone else can't just step up and start using the computer.

However, don't depend on access permissions and other software security methods alone to protect your network. If a potential intruder can gain physical access to a networked computer, he/she is that much closer to accessing your valuable data or introducing a virus onto your network.

Ensure all workstation users adhere to a good password policy, as discussed in the section entitled Planning a Comprehensive Security Plan later in this chapter.

Many modern PC cases come with some type of locking mechanism that will help prevent an unauthorized person from opening the case and stealing the hard disk. Locks are also available to prevent use of the floppy drive, copying data to diskette, and/or rebooting the computer with a floppy.


Protecting Network Devices

Hubs, routers, switches and other network devices should be physically secured from unauthorized access. It is easy to forget that just because a device doesn't have a monitor on which you can see data, this does not mean the data can't be captured or destroyed at that access point.

For example, a traditional Ethernet hub sends all data out every port on the hub. An intruder who has access to the hub can plug a packet-sniffing device (or a laptop computer with sniffer software) that operates in 'promiscuous mode' into a spare port and capture data sent to any computer on the segment, as shown in Figure A.2.

Figure A.2 An intruder who has access to the hub can easily intercept data






Note

Packet sniffers are also called protocol analyzers or network analyzers. 'Sniffer' (and 'Sniffer Pro') are the names of packet sniffer products marketed by Network Associates.


Although switches and routers are somewhat more secure, any device through which the data passes is a point of vulnerability. Replacing hubs with switches and routers makes it more difficult for an intruder to 'sniff' on your network, but it is still possible to use techniques such as Address Resolution Protocol (ARP) spoofing. This is sometimes called router redirection, in which nearby machines are redirected to forward traffic through an intruder's machine by sending ARP packets that contain the router's Internet Protocol (IP) address mapped to the intruder's machine's MAC address. This results in other machines believing the intruder's machine is the router, and so they send their traffic to it. A similar method uses Internet Control Message Protocol (ICMP) router advertisement messages.

It is also possible, with certain switches, to overflow the address tables with multiple false Media Access Control (MAC) addresses or send a continuous flow of random garbage through the switch to trigger it to change from bridging mode to repeating mode. This means all frames will be broadcast on all ports, giving the intruder the same opportunity to access the data that he would have with a regular hub. This is called switch jamming.
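The two attacks just described (ARP spoofing of the router's address, and flooding a switch's address table until it floods frames) both leave a footprint that a monitor attached to a mirror port can see. The following is an added example, not code from the book or from ISA Server: a small monitor that keeps the IP-to-MAC bindings learned from ARP replies and counts the distinct source MACs seen on each switch port. The frame records, the gateway address and MAC, the port numbers and the flood threshold are all constructed for the illustration.

```python
"""Added example (not from the book): detect ARP spoofing and switch jamming
from a stream of constructed layer-2 observations."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"            # assumed address of the segment's router
GATEWAY_MAC = "00:0c:29:aa:bb:01"     # assumed known-good MAC of that router
FLOOD_THRESHOLD = 50                  # assumed: this many source MACs on one port is abnormal


class Layer2Monitor:
    """Tracks IP-to-MAC bindings seen in ARP replies and distinct source MACs per port."""

    def __init__(self, known_bindings=None, flood_threshold=FLOOD_THRESHOLD):
        # Seed critical bindings statically: a monitor that only learns
        # "first seen wins" can be poisoned by an attacker who speaks first.
        self.ip_to_mac = dict(known_bindings or {})
        self.macs_per_port = defaultdict(set)
        self.flood_threshold = flood_threshold
        self.alerts = []

    def observe(self, frame):
        port, src = frame["port"], frame["src_mac"]
        seen = self.macs_per_port[port]
        seen.add(src)
        if len(seen) == self.flood_threshold:          # fires once per port
            self.alerts.append(
                f"switch jamming suspected on port {port}: "
                f"{len(seen)} distinct source MACs")
        if frame.get("arp_op") == "reply":
            ip, mac = frame["sender_ip"], frame["sender_mac"]
            known = self.ip_to_mac.get(ip)
            if known is None:
                self.ip_to_mac[ip] = mac               # learn an unseen binding
            elif known != mac:
                self.alerts.append(
                    f"ARP spoofing suspected: {ip} is {known} but "
                    f"{mac} on port {port} now claims it")
        return self.alerts


def arp_reply(port, sender_ip, sender_mac):
    return {"port": port, "src_mac": sender_mac, "arp_op": "reply",
            "sender_ip": sender_ip, "sender_mac": sender_mac}


def data_frame(port, src_mac):
    return {"port": port, "src_mac": src_mac}


def sample_frames():
    """Constructed traffic: normal ARP, a forged reply for the router's IP,
    then a burst of frames with made-up source MACs from the intruder's port."""
    frames = [
        arp_reply(1, GATEWAY_IP, GATEWAY_MAC),                 # legitimate router
        arp_reply(2, "192.168.1.20", "00:0c:29:aa:bb:20"),     # ordinary host
        arp_reply(7, GATEWAY_IP, "00:0c:29:de:ad:01"),         # intruder claims router IP
    ]
    frames += [data_frame(7, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
               for i in range(60)]
    return frames


def run_sample():
    mon = Layer2Monitor(known_bindings={GATEWAY_IP: GATEWAY_MAC})
    for frame in sample_frames():
        mon.observe(frame)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two caveats apply in practice: a binding that changes legitimately (a DHCP lease moving to another host, a router pair failing over) looks exactly like a spoof, so the monitor needs a list of expected changes; and it only sees what reaches its port, which is why it belongs on the switch's monitor port and why that port must be locked away as the next paragraph says.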

Finally, if the switch has a special monitor port designed to be used with a sniffer for legitimate (network troubleshooting) purposes, an intruder who has physical access to the switch can simply plug into this port and capture network data.

Your network devices should be placed in a locked room or closet and protected in the same manner as your servers.








Tools & Traps...How Packet Sniffers Work


Packet sniffer/protocol analyzer devices and programs are not used solely for nefarious purposes, although intruders use them to capture unencrypted data and clear-text passwords that will allow them to break into systems. Despite the fact that they can be used to 'steal' data as it travels across the network, they are also invaluable troubleshooting tools for network administrators.

The sniffer captures individual data packets and allows you to view and analyze the message contents and packet headers. This can be useful in diagnosing network communications problems and uncovering network bottlenecks that are impacting performance. Packet sniffers can also be turned against hackers and crackers and used to discover unauthorized intruders.

The most important part of the sniffer is the capture driver. This is the component that captures the network traffic, filters it (according to criteria set by the user), and stores the data in a buffer. The packets can then be analyzed and decoded to display the contents.











It is often possible to detect an unauthorized packet sniffer on the wire using a device called a Time Domain Reflectometer (TDR), which sends a pulse down the cable and creates a graph of the reflections that are returned. Those who know how to read the graph can tell whether unauthorized devices are attached to the cable and where.

Other ways of detecting unauthorized connections include monitoring hub or switch port state through Simple Network Management Protocol (SNMP) managers that log connections and disconnections, or using one of the many tools designed specifically to detect sniffers on the network. There are also several techniques using ping (Packet Internet Groper), ARP, and DNS that may help you catch unauthorized sniffers: a host whose card is in promiscuous mode will often answer a probe sent to a MAC address that is not its own, and a sniffer that resolves the addresses it captures gives itself away with reverse DNS lookups for hosts it should never have seen.


Securing the Cable

The next step in protecting your network data is to secure the cable across which it travels. Twisted pair and coaxial cable are both vulnerable to data capture; an intruder who has access to the cable can tap into it and eavesdrop on messages being sent across it. A number of companies make 'tapping' devices.

Fiber optic cable is more difficult to tap into because it does not produce electrical pulses, but instead, uses pulses of light to represent the 0s and 1s of binary data. It is, however, possible for a sophisticated intruder to use an optical splitter and tap into the signal on fiber optic media.

Compromise of security at the physical level is a special threat when network cables are not contained in one facility but span a distance between buildings. There is even a name for this risk, 'manhole manipulation,' referring to the easy access intruders often have to cabling that runs through underground conduits.

Cable taps can sometimes be detected by using a TDR or optical TDR to measure the strength of the signal and determine where the tap is located.


Safely Going Wireless

Wireless media is becoming more and more popular as our society becomes more mobile, and many predict it will be next big thing in networking during the first years of the new millennium.

Large companies such as Cisco Systems, Lucent Technologies, Sun Microsystems, and Microsoft have invested large amounts of talent and money into the wireless initiative. Wireless Internet access based on the Wireless Application Protocol (WAP) is common in Europe and beginning to catch on in the U.S. Fixed wireless services are offered by communications giants such as AT&T and Sprint and companies such as Metricom (which offers the Ricochet wireless service).

Wireless networking offers several distinct advantages over traditional cabled networking. Laptop users can easily connect and disconnect as they come and go. Workers out in the field can maintain network communications in areas where there are no cables or phone lines. For professions such as policing, where employees work from a moving vehicle most of the time, wireless is the only way to stay connected to the department LAN. For telecommuters in rural areas where DSL and cable modem access are unavailable, wireless technologies such as satellite provide a broadband alternative to slow analog modems.

There are several different varieties of wireless networking, including:

Radio (narrow band or spread spectrum)
Satellite/microwave
Laser/infrared


The most popular wireless technologies are radio-based and operate according to the IEEE 802.x standards. 802.11b (and increasingly, 802.11g, which is backwardly compatible with b) networks are becoming commonplace as commercial 'hot spots' spring up in major cities and businesses and home computer users implement wireless networks because of their convenience. Wireless connectivity is available at hotels, airports, and even coffee shops and restaurants.

Despite the many benefits of these wireless technologies, they also present special problems, especially in the area of network security. Wireless is more vulnerable to interception of data than cabled media. Radio and microwave are known as broadcast media. Because the signals are transmitted across the airwaves, any receiver set to the correct frequency can easily eavesdrop on the communications.

The practice of 'war driving' (going out with a wireless NIC-equipped laptop or handheld system and looking for open wireless networks to which they can connect) is a favorite pastime of hackers.






Note

Laser signals are not as easy to intercept; however, because laser is a line-of-sight technology, it is more limited in application-and lasers are much more sensitive to environmental factors, such as weather.


If security is a priority, any data sent via radio or microwave links should be encrypted.


Have Laptop, Will Travel

Portable computers-laptops, notebooks, and new fully functional handheld computers such as the Pocket PC and Palm machines-present their own security problems based on the very features that make them popular- their small size and mobility. Physical security for portable computers is especially important because it is so easy to steal the entire machine, data and all.

Luckily, there are a large number of companies that make theft protection devices and security software for laptops. Locks and alarms are widely available, along with software programs that will disable the laptop's functionality if it is stolen, or even help track it down by causing the computer to 'phone home' the first time the portable computer is attached to a modem (see Figure A.3).

Figure A.3 Tracking programs help recover stolen portable computers

Some laptops come with removable hard disks. It is a good idea if you have highly sensitive data that must be accessed with your laptop to store it on a removable disk (PC Card disks and those that plug into the parallel port are widely available) and encrypt it. Separate the disk from the computer when it is not in use.






Tip

Theft recovery/tracking software for laptops includes Computrace (www.computrace.com) from Absolute Software Corporation and Alert PC (www.sentryinc.com) from Computer Sentry Software. TrackIT (www.trackitcorp.com) is a hardware anti-theft device for computer cases and other baggage.


The possibility of theft is not the only way in which laptops present a security risk. The threat to your network is that a data thief who is able to enter your premises may be able to plug a laptop into the network, crack passwords (or obtain a password via social engineering), and download data to the portable machine, which can then be easily carried away.

New handheld computers are coming with more security devices built in. For example, the Hewlett-Packard iPAQ 5555 includes biometric (fingerprint recognition) technology to prevent unauthorized users from accessing the data.


The Paper Chase

Network security specialists and administrators tend to concentrate on protecting data in electronic form, but you should recognize that intruders may also steal confidential digital information by printing it out or locating a hard copy that was printed by someone else. It does little good to implement strong password policies and network access controls if employees can print out sensitive material and then leave it lying on desks, stored in unlocked file cabinets, or thrown into an easily accessed trash basket. 'Dumpster diving' (searching the trash for company secrets) is a common form of corporate espionage-and one that surprisingly often yields results.

If confidential data must be printed, the paper copy should be kept as physically secure as the digital version. Disposal should require shredding, and in cases of particularly high-security information, the shredded paper can be mixed with water to create a pulp that is impossible to put back together again.


Removable Storage Risks

Yet another potential point of failure in your network security plan involves saving data to removable media. Floppy diskettes, zip and jaz disks, tapes, PC cards, CDs and DVDs containing sensitive data must be kept physically secured at all times.

Don't make the mistake of thinking that deleting the files on a disk, or even formatting the disk, completely erases the data; it is still there until it has been overwritten and can be retrieved using special software.






Note

The residual physical representation of data that has been 'erased,' from which that data can be reconstructed, is called data remanence. Methods used to prevent this in high-security environments include degaussing, overwriting, and in extreme cases, physical destruction of the media. Degaussing involves use of a device that generates a magnetic field to reduce the magnetic state of the media to zero, which restores it to an unrecorded state. Software (sometimes referred to as 'file shredder' software) is available to overwrite all sectors of a disk with random bits in order to prevent recovery of the data.
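The overwriting approach the Note describes is easy to get subtly wrong (buffered writes that never reach the disk, a file truncated instead of overwritten). The following is an added example, not from the book: it overwrites a file in place, random data on the early passes and zeros on the last, forces each pass out of the page cache with fsync, and then checks that a marker planted in the file can no longer be read back through it. The marker text and pass count are chosen for the illustration. One caveat a practitioner should keep in mind: this only reaches the blocks the file system currently maps to the file. On journaling or copy-on-write file systems, volumes with snapshots, and flash media with wear levelling, copies of the old contents can survive elsewhere on the device, which is why high-security environments fall back on degaussing or physical destruction as the Note says.

```python
"""Added example (not from the book): 'file shredder' style overwrite with a
read-back check that the original bytes are gone from the file."""
import os
import secrets
import tempfile


def overwrite_in_place(path, passes=3, chunk_size=64 * 1024):
    """Overwrite every byte of the file `passes` times (random data, zeros on
    the last pass), forcing each pass out of the page cache with fsync."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for n in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                length = min(chunk_size, remaining)
                if n == passes - 1:
                    fill = b"\x00" * length
                else:
                    fill = secrets.token_bytes(length)
                f.write(fill)
                remaining -= length
            f.flush()
            os.fsync(f.fileno())   # the pass is not done until it is on the device


def shred(path, passes=3):
    """Overwrite, then unlink. Deleting without overwriting leaves the data in place."""
    overwrite_in_place(path, passes)
    os.remove(path)


def demo(marker=b"CONFIDENTIAL PAYROLL 2004"):
    """Plant a recognisable marker in a temp file, overwrite it, and report
    (marker readable before, marker readable after, size unchanged)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secrets.token_bytes(3000) + marker + secrets.token_bytes(3000))
    with open(path, "rb") as f:
        before = marker in f.read()
    overwrite_in_place(path)
    with open(path, "rb") as f:
        data = f.read()
    after = marker in data
    size_unchanged = len(data) == 6000 + len(marker)
    os.remove(path)
    return before, after, size_unchanged


if __name__ == "__main__":
    print(demo())
```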


Although removable media can present a security threat to the network, it can also play a part in your overall security plan. Removable disks (including fully bootable large capacity hard disks installed in mobile 'nesting' racks) can be removed from the computer and locked in a safe or removed from the premises to protect the data that is stored there.


Physical Security Summary


Ensuring a physically secure network environment is the first step in controlling access to your network's important data and system files, but it is only part of a good security plan. This is truer today than in the past, because networks have more 'ways in' than they once did. A medium or large network may have multiple dial-in servers, VPN servers, and a dedicated full-time Internet connection. Even a small network is likely to be connected to the Internet part of the time.

Virtual intruders never set foot on your organization's property and never touch your computers. They can access your network from across the street or from halfway across the world. But they can do as much damage as the thief who breaks into your company headquarters to steal or destroy your data-and they are much harder to catch. In the following sections, we will examine specific network security risks, and how to prevent them.

Preventing Accidental Compromise of Data


The topic of network security may bring to mind a picture of evil corporate rivals determined to steal your company's most precious trade secrets or malevolent hackers bent on crashing your network and erasing all of your data just for the sheer joy of it. While these risks do exist, often the reality of network data loss is far less glamorous. A large proportion of erased, modified, or disclosed data is the result of the actions of employees or other authorized network personnel. And a large percentage of that is the result of accidental compromise of the data.

Unintended errors in entering data or accessing network resources or carelessness in use of the computers and network can cause loss of data or crashing of individual computers, the server, and even the network.

Your network security plan should address these unintended compromises, which can be just as disastrous as intentional breaches of security.


Know Your Users


To prevent accidental compromise of data, you should first know your users and their skill levels. Those with few technical skills should be given as little access as possible-allow them the access required to do their jobs, and no more (this philosophy is often referred to as the principle of least privilege, or, in government circles, as need to know.) Too many network users have, in all innocence, destroyed or changed important files while attempting to clear up space on their hard disks or troubleshoot a computer problem on their own.


Educate Your Users


Educating your users is one of the most important factors in eliminating or reducing such incidents, and an essential component of the multilayered 'defense in depth' approach to security. This does not necessarily mean upgrading their technical skills (although it can). Turning all your users into power users may not be cost effective or otherwise desirable. What is essential is to train all of your network users in the proper procedures and rules of usage for the network.

Every person who accesses your company network should be aware of your user policies and should agree to adhere to them. This includes notifying technical support personnel immediately of any hardware or software problems, refraining from installing any unauthorized software on their machines or downloading files from the Internet without authorization, and never dialing up their personal ISPs or other networks or services from company machines without permission.


Control Your Users


In some cases, establishing clear-cut policies and making staffers and other users aware of them will be enough. In other cases, you will find that users are unable or unwilling to follow the rules, and you will have to take steps to enforce them-including locking down desktops with system/group policies and, with software such as ISA Server, implementing access rules and filtering to prevent unauthorized packets from being sent or received over the network.

Fortunately, most users will at least attempt to comply with the rules. A more serious problem is the 'insider' who is looking to intentionally breach network security. This may be simply a maverick employee who doesn't like being told what to do, or it may be someone with a darker motive.

Preventing Intentional Internal Security Breaches


According to most computer security studies, as documented in RFC 2196, Site Security Handbook, actual loss (in terms of money, productivity, computer reputation, and other tangible and intangible harm) is greater for internal security breaches than for those from the outside. Internal attackers are more dangerous for several reasons:

They generally know more about the company, the network, the layout of the building(s), normal operating procedure, and other information that will make it easier for them to gain access without detection.
They usually have at least some degree of legitimate access and may find it easy to discover passwords and holes in the current security system.
They know what information is on the network and what actions will cause the most damage.


We discuss common motivations behind intentional security breaches, both internal and external, in the section entitled Recognizing Network Security Threats. Preventing such problems begins with the same methods used to prevent unintentional compromises, but goes a step further.

To a large extent, unintended breaches can be prevented through education. The best way to prevent such breaches depends, in part, on the motivations of the employee(s) concerned.


Hiring and Human Resource Policies


A good 'defense in depth' security strategy is multifaceted, involving technology, operations, and people. In many cases, the latter is the weakest link in the chain. Thus, prevention starts with good human resources practices. That means management should institute hiring policies aimed at recruiting persons of good character. Background investigations should be conducted, especially for key positions that will have more than normal user access.

The work environment should encourage high employee morale. In many cases, internal security breaches are committed as 'revenge' by employees who feel underpaid, under-appreciated, and even mistreated. Employees who are enthusiastic about their jobs and feel valued by the organization will be much more likely to comply with company rules, including network security policies.

Another motivation for internal breaches is money. If the company engages in a highly competitive business, competitors may approach employees with lucrative offers for trade secrets or other confidential data. If you are in a field that is vulnerable to corporate espionage, your security policies should lean toward the 'deny all access' model, in which access for a particular network user starts at nothing, and access is added on the basis of the user's need to know.






Note

The 'deny all access' policy model is one of two basic starting points in creating a security policy. The other is 'allow all access,' in which all resources are open to a user unless there are specific reasons to deny access. Neither of these is 'right' or 'wrong,' although the 'deny all access' model is indisputably more secure, and the 'allow all access' model is easier to implement. Which of these starting points you work from depends on the security philosophy of the organization.
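To make the difference between the two starting points concrete, here is an added example, not from the book: a small first-match access policy evaluated under both defaults over one and the same rule set. The users, groups, file shares and rules are invented for the illustration.

```python
"""Added example (not from the book): one rule set, evaluated under a
'deny all' default and an 'allow all' default."""
from dataclasses import dataclass

# Assumed directory data: group membership and the shares that exist.
GROUPS = {"alice": {"finance"}, "bob": {"engineering"}, "carol": {"finance", "managers"}}
RESOURCES = ["\\\\FS1\\Public", "\\\\FS1\\Finance", "\\\\FS1\\Engineering", "\\\\FS1\\HR"]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    group: str       # group the rule applies to, "*" for everyone
    resource: str    # share the rule covers, "*" for every share

    def matches(self, user, resource):
        in_group = self.group == "*" or self.group in GROUPS.get(user, set())
        return in_group and self.resource in ("*", resource)


class Policy:
    """Rules are checked in order and the first match wins; the default
    decides any request that no rule mentions."""

    def __init__(self, rules, default):
        if default not in ("allow", "deny"):
            raise ValueError("default must be 'allow' or 'deny'")
        self.rules, self.default = list(rules), default

    def decide(self, user, resource):
        for rule in self.rules:
            if rule.matches(user, resource):
                return rule.action, rule.name
        return self.default, "default"

    def reachable(self, user):
        return sorted(r for r in RESOURCES if self.decide(user, r)[0] == "allow")


# One rule set, written with the deny-all model in mind: it only grants.
# Nobody wrote a rule about the HR share at all.
RULES = [
    Rule("finance-share", "allow", "finance", "\\\\FS1\\Finance"),
    Rule("eng-share", "allow", "engineering", "\\\\FS1\\Engineering"),
    Rule("public-share", "allow", "*", "\\\\FS1\\Public"),
]

DENY_ALL = Policy(RULES, default="deny")
ALLOW_ALL = Policy(RULES, default="allow")


def compare(user):
    """What the same rules give `user` under each starting point."""
    return {"deny-all": DENY_ALL.reachable(user),
            "allow-all": ALLOW_ALL.reachable(user)}


if __name__ == "__main__":
    for user in GROUPS:
        print(user, compare(user))
```

Under the deny-all default, bob reaches only Engineering and Public, and the HR share that nobody wrote a rule for stays closed. Under the allow-all default the identical rules give bob Finance and HR as well, because a rule set that only grants can never take anything away; an allow-all policy has to carry an explicit deny for every sensitive resource, including every one added later, and one forgotten rule is an exposure. That asymmetry is the whole reason the deny-all model is the safer starting point.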



Detecting Internal Breaches


Implementing auditing will help you detect internal breaches of security by recording specified security events. You will be able to track when objects (such as files or folders) are accessed, what user account was used to access them, when users exercise user rights, and when users log onto or off of the computer or network. Modern network operating systems such as Windows 2000 and XP/2003 include built-in auditing functionality.






Warning

You should audit only those events that are necessary to track in keeping with your security policy. Auditing too many events (and access to too many objects) will have a negative impact on your computer's performance and will make relevant events more difficult to find in the security log.


If you choose to audit many events, or often-accessed objects, the security log can grow very large, very quickly. Windows allows you to set the maximum size in kilobytes for the security log by configuring its property sheet in the Event Viewer (right-click Security Log and select Properties). You can also choose whether to overwrite previous events when the maximum size is reached or to require manual clearing of the log.
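Collecting the events is only half of detection; someone has to read the security log for the patterns that matter. The following is an added example, not from the book, of two such checks run over a constructed set of security-log records: a burst of failed logons followed by a success (password guessing that worked), and access to a sensitive file outside business hours. The record layout, account names, paths, hours and thresholds are assumptions. The event IDs use the numbering introduced with Windows Vista and Server 2008 (4625 failed logon, 4624 successful logon, 4663 object access); on the Windows 2000/XP/2003 systems the text refers to, the corresponding IDs are 529, 528 and 560.

```python
"""Added example (not from the book): detections over constructed
Windows security-log records produced by logon and object-access auditing."""
from collections import defaultdict
from datetime import datetime, time

SENSITIVE_PREFIXES = ("D:\\Payroll\\", "D:\\Finance\\")   # assumed sensitive trees
BUSINESS_HOURS = (time(7, 0), time(19, 0))                  # assumed working day
FAILED_LOGON_BURST = 5                                       # assumed threshold

# Constructed sample log, oldest first: (timestamp, event id, account, detail)
SAMPLE_EVENTS = [
    ("2004-03-02 08:15:02", 4624, "jsmith",   "LOGON workstation=WS-17"),
    ("2004-03-02 09:40:11", 4663, "jsmith",   "D:\\Projects\\plan.doc"),
    ("2004-03-02 10:12:40", 4663, "hr_admin", "D:\\Payroll\\salaries.xls"),  # normal
    ("2004-03-02 21:03:45", 4625, "hr_admin", "LOGON workstation=WS-04"),
    ("2004-03-02 21:04:02", 4625, "hr_admin", "LOGON workstation=WS-04"),
    ("2004-03-02 21:04:19", 4625, "hr_admin", "LOGON workstation=WS-04"),
    ("2004-03-02 21:04:37", 4625, "hr_admin", "LOGON workstation=WS-04"),
    ("2004-03-02 21:05:30", 4625, "hr_admin", "LOGON workstation=WS-04"),
    ("2004-03-02 21:06:10", 4624, "hr_admin", "LOGON workstation=WS-04"),
    ("2004-03-02 21:07:30", 4663, "hr_admin", "D:\\Payroll\\salaries.xls"),
]


def parse(record):
    ts, event_id, account, detail = record
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": event_id, "account": account, "detail": detail}


def detect_logon_bursts(events, threshold=FAILED_LOGON_BURST):
    """Flag `threshold` consecutive failed logons per account, and a success
    that follows such a burst (guessing that eventually worked)."""
    alerts, streak = [], defaultdict(int)
    for e in events:
        acct = e["account"]
        if e["id"] == 4625:
            streak[acct] += 1
            if streak[acct] == threshold:
                alerts.append(f"{e['time']}: {threshold} consecutive failed logons for {acct}")
        elif e["id"] == 4624:
            if streak[acct] >= threshold:
                alerts.append(f"{e['time']}: successful logon for {acct} "
                              f"after {streak[acct]} failures")
            streak[acct] = 0
    return alerts


def detect_after_hours_access(events, hours=BUSINESS_HOURS, prefixes=SENSITIVE_PREFIXES):
    """Flag object access under a sensitive tree outside the working day."""
    start, end = hours
    alerts = []
    for e in events:
        if e["id"] != 4663 or not e["detail"].startswith(prefixes):
            continue
        if not (start <= e["time"].time() <= end):
            alerts.append(f"{e['time']}: {e['account']} opened {e['detail']} "
                          f"outside business hours")
    return alerts


def run_sample():
    events = [parse(r) for r in SAMPLE_EVENTS]
    return detect_logon_bursts(events) + detect_after_hours_access(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Both checks depend on the audit policy actually recording the events: object access on the payroll files only appears if auditing is enabled on those objects, which is also why the Warning above says to audit the few objects that matter rather than everything.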


Preventing Intentional Internal Breaches


Firewalls are helpful in keeping basically compliant employees from accidentally (or out of ignorance) visiting dangerous websites or sending specific types of packets outside the local network. However, they are of more limited use in preventing intentional internal security breaches. Simply limiting their access to the external network cannot thwart insiders who are determined to destroy, modify, or copy your data. Because they have physical access, they can copy data to removable media, to a portable computer (including tiny handheld machines), or perhaps even print it to paper and remove it from the premises that way. They may change the format of the data to disguise it and upload files to web-based data storage services.

In a high security environment, computers without floppy drives-or even completely diskless workstations-may be warranted. System or group policy can be applied that prevents users from installing software (such as that needed for a desktop computer to communicate with a Pocket PC or Palm Pilot). Cases can be locked, and physical access to serial ports, USB ports, and other connection points can be covered so removable media devices can't be attached. Other internal controls include physical measures such as key cards to limit entry to server rooms and other sensitive resources, as well as software controls such as user and group accounts, encryption, and so forth.

Intentional internal breaches of security constitute a serious problem, and company policies should treat it as such.

Preventing Unauthorized External Intrusions


External intrusions (or 'hacking into the system') from outside the LAN have received a lot of attention in the media and thus are the major concern of many companies when it comes to network security issues. In recent years, there have been a number of high profile cases in which the web servers of prominent organizations (such as Yahoo and Microsoft) have been hacked. Attempts to penetrate sensitive government networks, such as the Pentagon's systems, occur on a regular basis. Distributed Denial of Service (DDoS) attacks make front-page news when they crash servers and prevent Internet users from accessing popular sites.

There are psychological factors involved, as well. Internal breaches are usually seen by companies as personnel problems and handled administratively. External breaches may seem more like a 'violation' and are more often prosecuted in criminal actions. Because the external intruder could come from anywhere, at any time, the sense of uncertainty and fear of the unknown may cause organizations to react in a much stronger way to this type of threat.

The good news about external intrusions is that the area(s) that must be controlled are much more focused. There are usually only a limited number of points of entry to the network from the outside. This is where a properly configured firewall can be invaluable, allowing authorized traffic into the network while keeping unauthorized traffic out. On the other hand, the popularity of firewalls ensures that dedicated hackers know how they work and spend a great deal of time and effort devising ways to defeat them.

Never depend on the firewall to provide 100 percent protection, even against outside intruders. Remember that in order to be effective, a security plan must be a multifaceted, multilayered one. We hope the firewall will keep intruders out of your network completely-but if they do get in, what is your contingency plan? How will you reduce the amount of damage they can do and protect your most sensitive or valuable data?


External Intruders with Internal Access


A special type of 'external' intruder is the outsider who physically breaks into your facility to gain access to your network. Although not a true 'insider,' because he is not authorized to be there and does not have a valid account on the network, he has many of the advantages of those discussed in the section on internal security breaches.

Your security policy should take into account the threats posed by this 'hybrid' type of intruder.


Tactical Planning


In dealing with network intruders, you should practice what police officers in defensive tactics training call 'if/then thinking.' This means considering every possible outcome of a given situation and then asking yourself, 'If this happens, then what could be done to protect us from the consequences?' The answers to these questions will form the basis of your security policy.

This tactic requires that you be able to plan your responses in detail, which means you must think in specifics rather than generalities. Your security plan must be based in part on understanding the motivations of those initiating the attack and in part on the technical aspects of the type of attack that is initiated. In the next section, we will discuss common intruder motivations and specific types of network attacks.
