Literally thousands of elements can pose security threats to your company's network, as well as to your company itself:
Outside people and hackers
The people who work for your company
The applications that your users use to perform their business tasks
The operating systems that run on your users' desktops and your servers, as well as the equipment employed
The network infrastructure used to move data across your network, including devices such as routers, switches, hubs, firewalls, gateways, and other devices
In a large network, these elements might include thousands of devices and hundreds of applications. When tackling security, a number this large sounds daunting at first, if not impossible to handle. However, if you use a divide-and-conquer approach, you can break up your network into areas and components, making the development of a solution easier.
To help simplify the security process, security problems are divided into three general categories:
Weaknesses in policy definitions: These weaknesses include both business and security policy weaknesses. A simple example of this type of weakness is not having a written security policy. If you do not have a policy, how can you enforce it?
Weaknesses in computer technologies: These weaknesses include security weaknesses in protocols, such as TCP/IP and IPX, as well as operating systems, such as UNIX, Novell NetWare, and Windows. An example of a computer technology weakness is the BackOrifice attack, which allows a hacker to remotely control a Windows-based system.
Weaknesses in equipment configurations: These weaknesses include the setup, configuration, and management of your networking devices. An example of an equipment configuration weakness is not assigning a password to a Windows 2000 server's Administrator account or to a Cisco router's console port.
The following sections cover these three weaknesses in more depth.
The first weakness relates to definitions of business and security policies. Many times I have walked into small and some medium-size companies to face this problem: lack of a written security policy or business policy, or, in the worst case, both. For a company to develop and meet business goals, it needs a well-written business plan that includes the company's goals and policies. Likewise, to implement and maintain a good security solution that will help a company meet the objectives outlined in its business plan, you need to develop a well-written security policy. The security policy should be based on the company's business plan. This ensures that the security plan follows the restrictions placed on how the company performs its day-to-day business, and that the security plan allows the company to meet its business objectives.
At a minimum, a well-written security policy should address the following questions:
What should be protected?
How will you protect it?
How much protection should be used?
Even though these three questions are simple, in enterprise networks, the "what" and "it" mentioned can refer to 10,000 PCs, 400 servers, 2 minicomputers, 5 UNIX database servers, remote and Internet access, and many other items. However, as you are answering each of these three questions for important hardware and software components in your network, you should refer back to your company's business policies and plans, to ensure that your proposed security solution will not hinder your company in meeting its business objectives.
As an example, a corporation might have 30 remote offices that connect to a corporate office. This corporation sells widgets as its primary business. The remote offices contain sales staff who access the corporate office's database software to place orders and check the status of orders for their local customers. If you implemented a security solution that would protect the corporation's database contents, you would need to ensure that the remote offices could access this information (in a secure manner). If you could not meet this business goal, your security solution actually would create a hindrance to the company's business plan.
I cannot begin to stress how important a security policy is. However, it is beyond the scope of this book to discuss all the components that are involved, as well as how to put one together. However, here is an excellent starting place that you can visit to learn more about security policies and see some sample policies: http://infosyssec.master.com/texis/master/search/+/Top/Computers/Security/Policy/.
One of the most difficult issues to face with the development of a cohesive security policy is people and their politics. This is especially true in large companies in which each division or department has its own agenda: Each has certain goals and has tunnel vision concerning what is and what is not important for the company as a whole. As long as each department meets its goals, it is happy. You will have to deal with many people who have different ideas about what is and is not important in the network.
Each of these people is different, and, be forewarned, you cannot treat them the same. It would be convenient if each was a computer running Windows 2000 Professional; each would react in an expected manner based on the questions that you ask. However, this is not a world filled with computers; it's a world filled with people. You must consider this when you are interacting with them to learn about their issues and problems so that you can develop a cohesive security policy that meets not only their needs, but also the needs of the company as a whole.
Another weakness in policy definition is exposed when you have created all of these business and security policies but do not enforce them or follow through with them. In other words, having a security policy and then not implementing it completely (or at all), or not enforcing it, will not help you with your security problems; it actually creates security problems for you.
Here is a simpler example of policy enforcement. You might have written guidelines for choosing passwords for accounts in your security policy. To test your system, you might use a password-cracking program against your users' accounts to make sure that they do not use their names, addresses, or other easy-to-guess passwords. If you are able to break a password, you might talk to the user, explain the guidelines in the security policy, and have that user change the password to something less easy to guess.
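The guideline check described above can be applied at the moment a user picks a new password, before it is ever stored, so the conversation with the user happens at the point of choice rather than after a cracking run. The following is an added example, not code from the book; the guideline values (minimum length, three character classes, a short list of common passwords) and the account fields are constructed assumptions that a real policy would set for itself.

```python
import re

# Constructed guideline values; a real security policy supplies its own.
MIN_LENGTH = 8
MIN_CHARACTER_CLASSES = 3
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "123456"}
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

def personal_tokens(user):
    """Words (3+ chars) from the account record that must not appear in the
    password: user name, name parts, and address parts."""
    tokens = set()
    for field in ("username", "full_name", "address"):
        for tok in re.split(r"[^A-Za-z0-9]+", user.get(field, "")):
            if len(tok) >= 3:
                tokens.add(tok.lower())
    return tokens

def check_password(password, user):
    """Return the list of guideline violations; an empty list is compliant."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    for tok in sorted(personal_tokens(user)):
        if tok in lowered:
            problems.append("contains personal data '%s'" % tok)
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < MIN_CHARACTER_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CHARACTER_CLASSES)
    return problems

def audit_choices(candidates):
    """candidates: list of (user record, proposed password). Returns
    {username: problems} for the proposals that fail, so the administrator
    knows whom to talk to and which guideline to explain."""
    failed = {}
    for user, proposed in candidates:
        problems = check_password(proposed, user)
        if problems:
            failed[user["username"]] = problems
    return failed

# Constructed account records for the example.
USERS = [
    {"username": "jsmith", "full_name": "John Smith", "address": "12 Elm Street"},
    {"username": "mlee", "full_name": "Mary Lee", "address": "9 Oak Avenue"},
]
```

Calling `audit_choices([(USERS[0], "Smith2020!"), (USERS[1], "Tr0ub4dor&3")])` reports only `jsmith`, because the first proposal contains the user's own surname; the second meets every constructed guideline.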
I once dealt with a company that had both business and security policies in place; however, they were not very consistent in the enforcement of their policies. If you have policies, you need to enforce them equally. This company had a written policy that prohibited the downloading of visually offensive material, but they did not enforce it equally among their employees. In most instances, an employee got a verbal warning. However, in one instance, a person was fired instead of getting a verbal warning. This was actually not the real reason for firing the individual, but the company was not happy with this person's performance and needed an excuse for firing him. The fired employee sued the company for discrimination (he was not treated in the same manner as the other employees who broke the same rule) and won a lot of money in the suit. This is an extreme example of inconsistent policy enforcement (or a lack of one), but it is better to be prepared. I have found that when you actually enforce policies and follow through with the specified consequences, your company's employees quickly find out that they are being paid to do a job and to follow the rules, even though they might not like the policies.
A lack of a change-management policy also will cause security problems in your network. A change-management policy typically is used to ensure that when changes are made in your network, such as upgrading a file server or changing an access control list on a router (used for filtering traffic), you do not inadvertently affect services for employees or resources, or create a security problem.
Therefore, before any change is made to the network, you should document it and take it before a committee that usually comprises network administrators and employees from various departments. This committee can discuss the proposed change and determine its impact on the network. Based on this information, the committee might modify the change request or might specify that the change occur at 2:00 A.M., to minimize its impact.
Having a change-management system in place enables other people to examine the proposed changes for problems, especially those related to security, and to catch them before they become a problem. Too often I have seen situations in which people haphazardly change the configurations on their networking equipment, typically without documenting those changes. It becomes almost impossible in this type of environment to determine what security holes these unapproved changes have created.
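A change-management process needs a way to see exactly what changed on a device, so that the committee reviews concrete lines rather than a description, and so that after the fact an undocumented change can be spotted. The following added example (not code from the book) compares the approved baseline configuration of a router with its running configuration, lists the drift, and separates out the lines a security reviewer must look at. The two configurations, the keyword list, and the idea of an approval listing its exact authorised lines are all constructed assumptions.

```python
import difflib

# Constructed approved baseline and running configuration of a router; the
# host name, addresses and access-list contents are made up for the example.
APPROVED_BASELINE = """\
hostname edge-rtr
service password-encryption
no service finger
access-list 101 permit tcp any host 10.1.1.5 eq 80
access-list 101 deny ip any any
line vty 0 4
 login
 transport input ssh
"""

RUNNING_CONFIG = """\
hostname edge-rtr
service password-encryption
no service finger
access-list 101 permit tcp any host 10.1.1.5 eq 80
access-list 101 permit tcp any any eq 23
access-list 101 deny ip any any
line vty 0 4
 login
 transport input telnet ssh
"""

# Keywords whose presence in a changed line makes that change a security
# review item (assumed list; extend it for the platforms you run).
SECURITY_KEYWORDS = ("access-list", "password", "secret", "service",
                     "transport input", "login", "snmp-server", "aaa ")

def config_drift(baseline, running):
    """Lines that exist only in the running config ('+') or only in the
    approved baseline ('-'), in configuration order."""
    drift = []
    for entry in difflib.ndiff(baseline.splitlines(), running.splitlines()):
        tag, text = entry[:2], entry[2:]
        if tag in ("- ", "+ "):      # '  ' = unchanged, '? ' = intraline hints
            drift.append((tag[0], text))
    return drift

def security_relevant(drift):
    """The subset of the drift that touches security-related configuration."""
    return [(sign, text) for sign, text in drift
            if any(k in text for k in SECURITY_KEYWORDS)]

def undocumented_changes(baseline, running, approved_change_lines=()):
    """Security-relevant drift not covered by an approved change request
    (the approval is assumed to list the exact configuration lines it
    authorises). Anything returned here was never taken before the committee."""
    approved = {line.strip() for line in approved_change_lines}
    return [(sign, text)
            for sign, text in security_relevant(config_drift(baseline, running))
            if text.strip() not in approved]
```

With the constructed configurations, the drift is one added access-list entry and a changed `transport input` line; if only the access-list entry was approved, `undocumented_changes` returns the two `transport input` lines, which is precisely the unapproved opening of Telnet on the vty lines that a reviewer would have caught.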
When you think of a disaster-recovery plan, thoughts of natural disasters such as tornados, floods, hurricanes, and fires come to mind first. A disaster-recovery plan is used to implement a backup solution when the absolute worst case occurs.
Disaster-recovery plans also should apply to security threats and attacks. For example, your company might be selling products through its e-commerce servers. Perhaps this is your company's only line of revenue. What would happen if a hacker flooded your network with garbage traffic, possibly affecting the service that you are providing and maybe even crashing some or all of your web servers? What ramifications would occur if your e-commerce servers are hacked and it takes two or three days to bring them back online? Is your company prepared to deal with this? Do you have a plan of action that details what steps to take to deal with the problem?
A good disaster-recovery plan, in this instance, would have a redundant system in place at a different location that could be switched to easily in less than an hour, if not minutes. By placing the resources in a separate building, you are protecting yourself against natural disasters. Also, a good disaster-recovery plan lists, in detail, steps that should be taken to simplify the problem of cutting over to the new system. This reduces the likelihood of errors occurring during the cutover.
Before you actually cut over to your backup system, if your primary system was hacked, make sure that you know how it was hacked, and implement protection measures on the backup system before bringing it online. Otherwise, the hacking attack will be repeated and you will have run out of backup options.
The Headless Chicken Syndrome
Too often I run into what I call the headless chicken syndrome, which causes people to act rashly without consulting a prepared plan of action. For example, I was performing consulting work for a company to completely redesign its network. We were taking inventory of their equipment and looking at the topology of their current network. One afternoon, we were in their data center tracing cables to see what was and was not attached to their backbone, when one of the administrators came in with a very worried expression on his face. Apparently, some external hacker was flooding a part of the network with ICMP packets, and it was affecting this company's remote sites that were trying to access the data center over the Internet through a VPN. The administrator's first action, without thinking, was to disconnect the cable from the router that was connected to the service provider, thinking that this would reduce congestion on the network. Unfortunately, in this process, the remote sites completely lost access to the corporate site, and the administrator damaged the serial cable when pulling it out (the company did not have another serial cable as a spare part). As you can see from this example, the administrator actually made things a lot worse than the problems that the hacker had caused. This whole problem occurred because the company had no documented plan of action for what to do in this kind of event.
The second security weakness relates to computer technologies. Weaknesses in computer technologies deal with the protocols and the software that uses these protocols. Computer technology weaknesses are divided into three general categories:
Networking protocol weaknesses
Operating system weaknesses
Network equipment weaknesses
The following sections discuss the weaknesses that these three categories face.
Networking protocol weaknesses deal with the weaknesses in the networking protocols and applications that use these protocols. The most popular and most implemented networking protocol is TCP/IP. TCP/IP is actually a suite of protocols, including IP, TCP, UDP, ICMP, OSPF, IGRP, EIGRP, ARP, RARP, and others.
Some of these protocols have weaknesses that hackers exploit. A good example is TCP, which uses a three-way handshake process to set up a connection before transmitting data. During the three-way handshake, three exchanges occur between the source and destination, as shown in the top part of Figure 1-1. With TCP, the source sends a segment with the SYN flag set, indicating that it wants to establish a connection. The destination responds with a segment in which the SYN and ACK flags are set in the segment header, indicating that the connection can proceed. The source then acknowledges receipt of the destination's segment by sending the ACK flag in a segment to the destination. When this process is complete, the source can begin transmitting data.
One weakness in TCP is that the destination expects the source to send a final ACK back to the destination, completing the setup of the connection. Hackers can exploit this weakness by flooding a service with TCP SYNs, without following through and completing the setup of these connections, as shown in the bottom part of Figure 1-1. These connections sometimes are referred to as embryonic, or half-open, connections. The hacker's goal is to tie up finite resources on the target server and thus disrupt valid connection attempts. For example, some lower-end Windows machines can handle only 128 half-open connections before they run out of resources, which then makes new connection attempts fail.
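From the defender's side, the symptom of the flood described above is a connection table full of half-open entries for one listening socket. The following added example (not code from the book) parses a netstat-style connection table, counts SYN_RECV entries per local socket together with the distinct remote addresses holding them open, and flags any socket at or above a threshold. The table contents, the line format, and the addresses are constructed for the example; the default threshold of 128 is the figure the chapter quotes for low-end Windows hosts.

```python
import re
from collections import defaultdict

# Constructed netstat-style connection table for a web/mail server; every
# address and port below is made up for this example.
SAMPLE_CONN_TABLE = """\
tcp  0  0  10.1.1.5:80   203.0.113.7:4412    SYN_RECV
tcp  0  0  10.1.1.5:80   203.0.113.7:4413    SYN_RECV
tcp  0  0  10.1.1.5:80   198.51.100.9:5100   SYN_RECV
tcp  0  0  10.1.1.5:80   192.0.2.44:33000    ESTABLISHED
tcp  0  0  10.1.1.5:25   192.0.2.45:40001    ESTABLISHED
"""

# The same table as it would look during a flood: 130 extra half-open
# entries on port 80 from a spread of (constructed) remote addresses.
FLOOD_CONN_TABLE = SAMPLE_CONN_TABLE + "".join(
    "tcp  0  0  10.1.1.5:80   203.0.113.%d:%d   SYN_RECV\n" % (i % 200 + 1, 5000 + i)
    for i in range(130)
)

# proto recv-q send-q local remote state (header and malformed lines are skipped)
LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)$"
)

def parse_conn_table(text):
    """Yield (local_socket, remote_ip, state) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            remote_ip = m.group("remote").rsplit(":", 1)[0]
            yield m.group("local"), remote_ip, m.group("state")

def half_open_summary(text):
    """For each local socket with half-open connections: (count of SYN_RECV
    entries, sorted list of distinct remote addresses holding them open)."""
    counts, sources = defaultdict(int), defaultdict(set)
    for local, remote_ip, state in parse_conn_table(text):
        if state == "SYN_RECV":
            counts[local] += 1
            sources[local].add(remote_ip)
    return {loc: (counts[loc], sorted(sources[loc])) for loc in counts}

def flag_syn_flood(text, threshold=128):
    """Local sockets whose half-open count has reached the threshold.
    128 is the per-host figure the chapter gives for low-end Windows hosts;
    set it from the real listen backlog of the server being watched."""
    return sorted(loc for loc, (n, _) in half_open_summary(text).items()
                  if n >= threshold)
```

On the quiet table nothing is flagged; on the flood table port 80 shows 133 half-open entries spread over many sources, which is the pattern to alarm on (a handful of half-open entries from one slow client is normal). The source list is what tells you whether a filter at the router would help or whether the addresses are spoofed across a whole range.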
Many TCP/IP applications also have weaknesses. Probably the four most common ones that hackers like to attack are HTTP, SMTP, SNMP, and finger. On many occasions, hackers have used exploits to gain unauthorized access to a server or to crash it by focusing on TCP/IP application attacks.
For users and servers to support applications, their respective devices run an operating system to control hardware functions. Each operating system that you have deployed is guaranteed to have one or more security holes in it. This is especially true of operating systems that are used widely because hackers have a tendency to target these in their attacks. A hacker's thought process is that if he can find a security hole in an operating system such as Windows XP, he has just opened up hacking possibilities to tens of thousands of PCs. On the other hand, if a hacker spent time trying to find security weaknesses in DOS, he would be very hard pressed to find PCs connected to the Internet that still use this operating system.
When I refer to operating system weaknesses, I am talking specifically about operating systems that run on a server, PC, or laptop. These are some of the most popular operating systems that hackers focus on:
Microsoft Windows 95, 98, NT, Me, 2000, XP, and 2003
The many flavors of UNIX, including Linux
One of the most targeted platforms is UNIX because the source code for many UNIX flavors, such as Linux and FreeBSD, is free. This makes it easier for a hacker to find security weaknesses and holes because the hacker can scrutinize the source code for possible problems. Because of Microsoft's popularity as a desktop solution, hackers also focus on Microsoft's many different operating systems. As an example, I use Microsoft Windows 2000 Professional for my personal and business use. On a semiweekly basis, I download security patches for this operating system, which gives you an idea of how busy hackers are in finding exploits of security holes in Windows.
Network equipment weaknesses refer to security vulnerabilities in equipment such as routers, switches, firewalls, and other devices that also run an operating system. Typically, you are dealing with the security mechanisms that are built into this equipment, such as how passwords are implemented, how authentication is performed, and which security features the equipment supports and which of them have been implemented. However, sometimes, because of a protocol, or an application that uses a protocol such as finger or SNMP, you must scrutinize your networking equipment, look at the default configurations, and make adjustments to provide for tighter security.
When security weaknesses are discovered in a protocol, an operating system, or a particular piece of networking equipment, the person who discovered the weakness should notify the Computer Emergency Response Team (CERT). CERT then verifies the vulnerability, notifies the vendor about the problem, and publishes the problem to make sure that everyone is aware of the security weakness so that they can obtain the appropriate patch from the vendor. You can view a list of the past and current security problems at http://www.cert.org. Other popular sites include http://www.infosyssec.com/ and http://www.securityfocus.com/.
The third security weakness relates to equipment configuration problems. Weaknesses in equipment configurations are some of the hardest security problems to deal with because these weaknesses are a result of human error in the configuration or a misunderstanding about how the equipment should be configured. When I talk about networking equipment, I am talking about pretty much everything that you connect to your network, from a PC or file server to a router, switch, firewall, or other product.
You should be most concerned about controlling access to your network equipment. All user accounts should have secured passwords. This means that, for some equipment that uses default accounts, you either should change these passwords or should deactivate the accounts. You also should be concerned about the passwords that are assigned to these accounts:
Do they have easily guessed passwords?
How often are passwords changed?
Do passwords travel across the network in clear text?
If you are concerned about authentication and authorization (what users access and what they are doing on a piece of network equipment), you might want to centralize authentication and authorization into a central security server. Chapter 5, "Authentication, Authorization, and Accounting," discusses how this is done on Cisco IOS routers.
One of the most difficult tasks that you will face with an Internet connection and the configuration of network equipment is exposing the applications and services running on them to the entire world. Many of these applications, such as WWW and SMTP, are well-known targets of hackers because of hackers' past successes in exploiting these common applications. Another example of applications that can give a hacker a way into your network is Java and ActiveX scripts that typically are embedded within web pages. One of your users might download and inadvertently run one of these scripts, giving a hacker access to your network.
To reduce the threats to your network, disable any unnecessary services on all of your networking devices. For instance, if you have a DNS server, you should disable FTP, SMTP, and other services. Likewise, on a web server, you should disable SMTP, FTP, and other services. If you have a Cisco router, you should disable all unnecessary services, such as finger and chargen. Many of these tasks are tedious work, especially if you have 300 routers and 300 servers running in your network. The work that you put into securing these services will make it that much harder for a hacker to gain a foothold into your network, however. Disabling services on a Cisco IOS router is discussed in Chapter 4, "Disabling Unnecessary Services."
You should run only the applications that are absolutely necessary on a device. All unnecessary applications and services should be disabled, to minimize your threat exposure.
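The password questions raised earlier for network equipment (easily guessed passwords, passwords crossing the network in clear text, an unprotected console port) and the service-disabling advice above can both be checked mechanically against a router's configuration text. The following added example (not code from the book, and not a substitute for the Chapter 4 material) audits a Cisco IOS configuration for an `enable secret`, for the finger and small-server services, and for console and vty line protection, and shows the weak configuration beside a hardened one. Both configurations are constructed, the secret hash and line passwords are placeholders, and treating a missing `no service ...` line as a finding is an assumption made because the default for these services varies by IOS version.

```python
# Constructed configuration of a branch router showing several of the
# problems the chapter describes; host name and password strings are made up.
WEAK_CONFIG = """\
version 12.2
hostname branch-rtr
enable password 7 094F471A1A0A
service tcp-small-servers
ip finger
line con 0
 login
line vty 0 4
 password cisco
 login
 transport input telnet
"""

# The same router after the unnecessary services are switched off and the
# line access is tightened (the hash and passwords are placeholders).
HARDENED_CONFIG = """\
version 12.2
hostname branch-rtr
enable secret 5 $1$EXAMPLE$PLACEHOLDERHASH
no service tcp-small-servers
no service udp-small-servers
no ip finger
line con 0
 password PLACEHOLDER-CONSOLE-PW
 login
line vty 0 4
 password PLACEHOLDER-VTY-PW
 login
 transport input ssh
"""

# Services the chapter names as unnecessary, keyed to the IOS commands that
# enable them; the audit looks for the matching 'no ...' form.
UNNECESSARY_SERVICES = {
    "finger": ("ip finger", "service finger"),
    "TCP small servers (echo, chargen, discard, daytime)": ("service tcp-small-servers",),
    "UDP small servers (echo, chargen, discard)": ("service udp-small-servers",),
}

def parse_config(text):
    """Split a config into global commands and per-'line' stanzas
    (indented commands that follow 'line con 0', 'line vty 0 4', ...)."""
    global_cmds, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, stanzas

def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, stanzas = parse_config(text)
    findings = []
    # 1. Privileged-mode password: 'enable secret' stores an MD5 hash, whereas
    #    'enable password' is cleartext or the reversible type-7 encoding.
    if not any(c.startswith("enable secret") for c in global_cmds):
        if any(c.startswith("enable password") for c in global_cmds):
            findings.append("enable password used without enable secret (reversible or cleartext)")
        else:
            findings.append("no enable secret configured")
    # 2. Unnecessary services: flag those switched on, and those whose 'no'
    #    form is absent (assumption: require the explicit 'no' line).
    for name, forms in UNNECESSARY_SERVICES.items():
        if any(c in forms for c in global_cmds):
            findings.append("%s enabled" % name)
        elif not any(c == "no " + f for f in forms for c in global_cmds):
            findings.append("%s not explicitly disabled (verify platform default)" % name)
    # 3. Console, aux and vty lines: a login prompt, a password behind it
    #    (unless AAA or local users are used), and no clear-text Telnet.
    for name, cmds in stanzas.items():
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        uses_external = any(c.startswith(("login local", "login authentication")) for c in cmds)
        has_password = any(c.startswith("password ") for c in cmds)
        if not has_login:
            findings.append("%s: no login command, access is unauthenticated" % name)
        elif not has_password and not uses_external:
            findings.append("%s: login configured but no password set" % name)
        transports = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if any("telnet" in t or "all" in t for t in transports):
            findings.append("%s: telnet allowed, passwords cross the network in clear text" % name)
    return findings
```

Run against `WEAK_CONFIG` the audit returns six findings (reversible enable password, finger and TCP small servers on, UDP small servers not explicitly off, a console line with a login prompt but no password, and Telnet on the vty lines); `HARDENED_CONFIG` returns none. Feeding the running configurations of a few hundred routers through a check like this is how the tedious work the chapter mentions becomes repeatable.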