MIS course plan

Security

by

Matthew Martin

 

Contents

 

top of page

 

Security is a key aspect of networking today. When considering security a number of different types of potential threats need to be taken into account. These can be summarised into two categories:

• Viruses (including Trojans and worms)
• Hackers

A number of different approaches are required in order to establish and then maintain the security of the system.

top of page

Security Procedures And Threats

The organisations procedures for security are an extremely important factor it tackling security issues. They need to attempt to cover a range of possibilities, yet at the same time not be so complex as to make it difficult for staff to understand or carry them out. Security policies need to take into account a range of possible security breaches:

• Physical: If someone unauthorised gains physical access to a system. That someone could be an intruder or a member of staff. This can be tackled by placing sensitive systems in locked rooms that only a select few have the keys for. Screen saver passwords are a possible consideration in this regard too.
• Social Engineering: This involves a hacker trying to use social skills to persuade staff into helping them. This may involve phoning the organisation and persuading staff that they are an engineer and that they be given passwords or modem phone numbers. Procedures can help here and also the general educating of staff.
• Remote Dial-in: Modems that are not properly built into the firewall architecture of the system are a big risk. This can often happen because a member of staff has a legitimate need for Internet access and has not bothered to ask the system administrator to set it up. Instead they have gone and set-up a modem themselves. This means that while they are dialled-up there is an unsecured (or at best a poorly secured) Internet connection. Worse still, there is a modem attached to a phone line that can be dialled into. Hackers can use war dialling in order to discover modem phone numbers.
• Usernames & Passwords: These should be checked regularly to see if they are too simple and easily guessed or cracked. A systems administrator should run software designed to crack passwords on a regular basis. Users whose passwords are too simple need to be told to change it. The enforced expiry of passwords can also be used. Passwords can easily be handed out by staff to people they do not perceive to be a threat or left on post-it notes.
• Dumpster Diving: Important documentation needs to be shredded. If someone wants to they may go through the rubbish in order to find useful information. For some organisations it may be a good idea to place all rubbish in a secure location for collection by a specialist collection company that can securely dispose of all documents.
• Software Exploits: It is rare for any piece of software to be bug-free. Some bugs provide loopholes tat allow security to be circumvented, such loopholes are termed exploits. Most responsible software producers will provide updates (patches) once an exploit has been identified. It is up to the organisation to make sure that these updates are downloaded and installed.
• Virus Infection: This can happen through staff brining in floppy discs or CDs from home, through e-mail, through web surfing. Anti-virus software that is kept up-to-date is a must. Some worms use exploits to infect systems, making updating software more important.
• Denial of Service (DoS): This is a type of attack against an organisation’s systems. It can take many forms; the aim is to bring down the servers.

Having good logging facilities provides a record of abuses. This can be useful in identifying holes in security and also the pattern of repeat attacks.

top of page

Firewalls

A firewall is a hardware or software product that provides the most fundamental protection. Typically a firewall is either a specialised piece of hardware or a piece of software typically running on a special server. In either case the firewall sits between the local network and the outside world. You can think of it as being something like a bouncer that checks incoming communications, if they are not on the list of allowed communications, then they are not allowed in. In addition the firewall checks all outgoing communications too, preventing them if they are not on the list.

Rules

Firewalls typically work using a set of rules, stating which services are allowed and denied. This can be very valuable, for instance where a hacker may try to use a computer system remotely using Telnet or access files using FTP, the ports for these services can be locked down by the firewall. In addition to ports being blocked specific software applications can also be blocked. This is sometimes used in order to stop staff from using chat rooms (IRC). It is also possible to limit access to the network according to the source of the connection, time and other ways also.

The firewall rules set is either default deny or default allow. Default deny means that all traffic is blocked unless there is a specific rule allowing it. Default allow permits all traffic unless there is a specific rule denying it. The default deny is more secure.

top of page

Logs

Any good firewall will also provide logging facilities, allowing all traffic that has been blocked to be examined by the administrator. This can be very valuable when trying to identify a hacker attempting to break into a system, since they may make many failed attempts to gain access to the system and also using software to probe the defences as they perform reconnaissance. Identifying a hacker scouting out the system at this stage can alert the administrator to the threat and may also allow the pattern of the attack to be determined.

top of page

Simple Network Set-up

It is perfectly possibly, as well as being a very good idea, to have a firewall running on a stand-alone PC. However, here that will not be considered, since we a looking at the set-up of a firewall on a network.

The simplest network set-up, but by no means the least effective, is to have firewall software running on a dedicated server, which has two separate LAN adapters (Network Interface Cards, NICs). One LAN adapter (NIC) connects to the Internet via a router, the other LAN adapter connects to the local network. All communications to the outside world are routed through the firewall server. Since the firewall server uses two separate LAN adapters, connections with the Internet are completely controlled by the firewall.

top of page

Demilitarised Zone (DMZ)

A more sophisticated arrangement is to use a DMZ. This involves using an area behind the firewall where computers are placed that provide services requiring Internet access, for such things as e-mail (POP3 & SMTP), web servers (HTTP) and file server (FTP). This is the DMZ. A second firewall is placed between the DMZ and the local network. This arrangement is said to be a deep defence.

Attackers will normally only be able to see the computers in the DMZ, computers further inside the defences are obscured. Consequently attacks will tend to be concentrated on the computers in the DMZ. The services provided by the computers in the DMZ can be carefully limited, thus limiting the range of services that can potentially be exploited.

top of page

Testing

A good systems administrator will test their firewall defences, attempting to penetrate it in order to determine how secure it actually is. This can allow the rules to be adjusted and also provide the administrator with a chance to learn what the logs look like when a particular type of attack has taken place.

 

 

by

Matthew Martin

top of page