
Security Solutions


 

Listen for alien devices on your network
Increase Web server security via obscurity
Prevent hacker probing: Block bad ICMP messages
Bolster your network's authentication

Bolster your network's authentication

Network authentication has come a long way. In the beginning, there was no authentication, and users shared information without any access controls. There seemed to be no need to secure networks.

But as we all know, times have changed. We no longer use networks simply for information sharing. They run our businesses and hold our most vital secrets--and it's important that we keep those secrets secured.

Authentication 101

Authentication is the basis for network security. It currently relies on three standard factors to regulate access: something you have, something you know, and something you are. Using only one factor weakens the process, and each factor has its own weakness.

For example, if you use something physical (such as a smart card or token), the user could lose it, or someone could steal it. If you use some kind of knowledge (such as a password), someone could guess it or crack it. If you use technology such as biometrics, it's often costly and problematic.

Each of these methods can leave your network vulnerable. Each is only as reliable as the device or medium that carries the secret, and each fails the moment an attacker can produce a valid response without possessing the secret.

You can achieve greater security by combining these factors. But even when you encrypt the authentication exchange, the inherent weakness of each factor remains, and encryption itself is only as strong as its implementation and the handling of its keys.

What the author argues is missing is an additional authentication secret that an attacker can't guess, reproduce, or compute.

A new layer

That proposed method is a location-specific digital fingerprint (LSDF). According to the vendor, you create an LSDF by sampling the ambient radio-frequency environment at a location and turning those samples into a dynamic table of secrets.

The result is an authentication secret that, the vendor claims, no one can guess, reproduce, or crack: an LSDF is unique to a specific location and time, originates naturally, and is unpredictable.

You can attack an algorithm, but you can't calculate or derive a naturally occurring, physics-based phenomenon. One caveat applies to any scheme of this kind: whoever verifies the fingerprint must hold reference data to compare it against, so that verifier and its database become a secret to protect like any other. With that in mind, how would you use such a layer to secure your network?

Authentication in action

The enhancement matters most for wireless networks. The reason most companies aren't using wireless today is that the radio signal can extend beyond a physically controlled boundary. A location-bound fingerprint, if it works as described, lets you authenticate wireless users based on the physical location from which they are accessing the signal.

Most organizations haven't leveraged wireless capability specifically because of the lack of security associated with a radio broadcast network. The author presents this technology as the solution to that wireless dilemma.

Final thoughts

Don't let aging authentication methods and the lack of traditional security processes keep your network architecture in the dark ages. To learn more about adding this final layer of authentication security to your network, check out the home page of Digital Authentication Technologies, Inc.

 

Listen for alien devices on your network

Are you absolutely positive you know all the protocols and ports that are open on your network? If you're not the only person with the rights and permissions necessary to add devices to your network, you'll never know what's really "live and on the wire"--unless you listen to your network. By periodically scanning your network, you'll be able to maintain a good view of what devices are connected to it, and determine whether those devices are communicating properly and using the allowed ports and protocols.

Start scanning

Depending upon the OS on your admin workstation, you could start with a tool such as fping (UNIX) or SuperScan (Windows), which let you quickly sweep a range of IP addresses to detect live hosts. Comparing each sweep against your inventory of approved devices is one way to determine whether someone's adding devices to the network without your knowledge and/or approval.
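As an added example (not part of the original column), here is a small Python script that turns a periodic sweep into the inventory check described above. It parses the output of two free tools, `fping -a -g <range>` (one alive address per line) and the workstation's own ARP cache from `arp -an`, and reports addresses that answered but aren't inventoried, inventoried addresses whose MAC changed since the inventory was taken (a swapped or spoofing device), and inventoried hosts that didn't answer. The tool output and the inventory are constructed for the example, not captured from a real network.

```python
"""Compare a periodic fping/arp sweep against a device inventory."""
import ipaddress
import re

# Constructed sample output of `fping -a -g 192.168.10.0/24` (alive hosts only).
FPING_OUTPUT = """\
192.168.10.1
192.168.10.10
192.168.10.23
192.168.10.57
"""

# Constructed sample output of `arp -an` on the scanning workstation (Linux format).
ARP_OUTPUT = """\
? (192.168.10.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.10.10) at 00:11:22:33:44:0a [ether] on eth0
? (192.168.10.23) at 00:11:22:33:44:17 [ether] on eth0
? (192.168.10.57) at 00:50:f2:aa:bb:cc [ether] on eth0
? (192.168.10.99) at <incomplete> on eth0
"""

# Hypothetical inventory of approved devices: IP -> (MAC, description).
INVENTORY = {
    "192.168.10.1": ("00:11:22:33:44:01", "core router"),
    "192.168.10.10": ("00:11:22:33:44:0a", "file server"),
    "192.168.10.23": ("00:11:22:33:44:99", "print server"),
    "192.168.10.40": ("00:11:22:33:44:28", "backup server"),
}

_ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
)


def parse_fping(text):
    """Return the set of valid IPv4 addresses fping reported alive."""
    alive = set()
    for line in text.splitlines():
        token = line.split()[0] if line.strip() else ""
        try:
            alive.add(str(ipaddress.IPv4Address(token)))
        except ipaddress.AddressValueError:
            continue  # stray stderr text such as "ICMP Host Unreachable ..." is ignored
    return alive


def parse_arp(text):
    """Return {ip: mac} from `arp -an` output, skipping <incomplete> entries."""
    table = {}
    for line in text.splitlines():
        m = _ARP_LINE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def audit(alive, arp, inventory):
    """Classify sweep results: unknown hosts, MAC changes, and silent inventoried hosts."""
    unknown, mac_changed, missing = [], [], []
    for ip in sorted(alive, key=ipaddress.IPv4Address):
        seen_mac = arp.get(ip, "unknown")
        if ip not in inventory:
            unknown.append((ip, seen_mac))
        elif inventory[ip][0].lower() != seen_mac:
            mac_changed.append((ip, inventory[ip][0].lower(), seen_mac))
    for ip in sorted(inventory, key=ipaddress.IPv4Address):
        if ip not in alive:
            missing.append((ip, inventory[ip][1]))
    return {"unknown": unknown, "mac_changed": mac_changed, "missing": missing}


if __name__ == "__main__":
    report = audit(parse_fping(FPING_OUTPUT), parse_arp(ARP_OUTPUT), INVENTORY)
    for ip, mac in report["unknown"]:
        print(f"ALIEN    {ip} ({mac}) answered but is not in the inventory")
    for ip, expected, seen in report["mac_changed"]:
        print(f"CHANGED  {ip} expected {expected}, saw {seen}")
    for ip, desc in report["missing"]:
        print(f"SILENT   {ip} ({desc}) is inventoried but did not answer")
```

The ARP cache is only populated for hosts the workstation has just exchanged packets with, so run the sweep and the `arp -an` dump back to back from a machine on the same segment; across a router you'll see the router's MAC for every host, and the MAC comparison stops meaning anything.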

However, some devices (e.g., wireless devices) will need a different tool for discovery. If you're looking for alien wireless access points (WAPs), you can use tools such as Kismet or Network Stumbler. Finding an unauthorized WAP behind your security perimeter is bad news, but not finding one that's tapped into your network is even worse.

Take action

Ideally, you shouldn't find any surprises in your network scan results. If you do, though, take these steps.

Rogue WAPs
Immediately shut down the switch port the WAP is connected to. Blocking its IP address alone is unreliable, because a WAP that does NAT can present many addresses or simply pick up a new one. Cutting the port should give you enough time to find the physical device while the user is trying to discover what happened to his or her network connection.

Nonwireless devices
If you find unknown nonwireless devices, such as printers, departmental FTP/Web servers, etc., conduct an in-depth scan, determine exactly what the device's function is, and block it from the network until you can physically locate it and disconnect it.

For a more thorough examination of the rogue device, you can use Ettercap or Winfingerprint. Both utilities do an excellent job of fingerprinting the OS running on a remote device, which should help you discover the device's original purpose. They also show what services are running and what ports are listening for connections.

Final thoughts

As security administrators, it's our job to ensure that only authorized and secured devices operate on the network. Besides the obvious security reasons, there are performance gains to turning off unnecessary network protocols. Turning off unnecessary protocols helps reduce network chatter and increases bandwidth availability.

I've mentioned a lot of network tools in this week's column, all of which are free. Listen to your network and map every IP address. You might be surprised by what you find.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.

 

Increase Web server security via obscurity

In many organizations, Web server security starts with hardening the operating system (OS) and usually ends with creating a firewall rule or an access list on a router. However, the security profile for your Web server shouldn't end there.

Public Web servers are usually the weakest point in the security perimeter. You should take every step possible to maximize security on this public asset. Obscuring your Web server's identity by disguising and removing identifying details is a worthwhile additional layer. You can make life harder for attackers by changing your header information, renaming Web file extensions, and customizing error messages.

Stop header broadcasting

By default, your Web server broadcasts the OS and the type/version information about the Web application that's serving the Web pages. This information isn't necessary to the clients that visit your Web site, but hackers and crackers can find it very useful. So change your Web server's banner or header information.

On UNIX platforms running Apache, start with the ServerTokens and ServerSignature directives, which strip the version and OS details from the Server header and from generated pages; whether mod_headers can rewrite the Server header itself depends on the Apache version and module order, so verify the result with a raw request rather than assuming it worked. If your organization uses a Microsoft platform, install IIS Lockdown and use the options in URLScan's .ini file to remove or replace the Server header. When using these tools, be aware that they can break scripting platforms such as ColdFusion, ASP, and PHP, so test after every change.

I'd recommend checking out a product such as ServerMask from Port80 Software. ServerMask can safely remove or modify a variety of identifying information and apply the change across multiple sites on a single server without breaking the scripting engines that deliver your content. This step could decoy an attacker into running the wrong attack scripts, which will generate multiple log entries and increase your probability of detecting an attack.

Stop file extension broadcasting

Web page extensions can also reveal the type of server you're running. File extensions like .asp or .aspx give away an IIS-powered Web server. Decide on an extension naming standard (for example, .web), add an application mapping for the new extension that points at the same script engine, and rename your pages to match.

For Apache servers, use the mod_negotiation module (MultiViews) to serve pages without their file extensions. When you do this, remember that you'll also need the mod_headers module to suppress the Content-Location header, which would otherwise hand the real filename, extension included, back to the client.

Change error broadcasting

Error messages also tend to indicate specific Web platforms. Create custom error pages for the most common Web errors (e.g., 404 and 403) to further disguise your Web server and the OS on which it's running. Keep the real status code on those pages: a custom 404 that returns 200 hides errors from your own monitoring as well as from attackers.
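Once the three changes above are in place, you want a check that they actually took. As an added example (not from the original column), this Python script audits a raw HTTP response for the leaks discussed: a product/version Server header, framework headers such as X-Powered-By or a Content-Location header, platform session cookies, links to platform-specific file extensions, and stock error-page text. The two responses are constructed for the example, not captured from a real host, and the hardened one is what a clean result should look like.

```python
"""Audit a raw HTTP response for server-identifying details."""
import re

# Constructed response from an unhardened server (not a real capture).
LEAKY_RESPONSE = (
    "HTTP/1.1 404 Object Not Found\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASPSESSIONIDQQGGGNDC=ABCDEFGHIJKLMNOPQRSTUVWX; path=/\r\n"
    "\r\n"
    "<html><head><title>The page cannot be found</title></head>\r\n"
    '<body><p>Return to <a href="/default.asp">home</a>.</p></body></html>\r\n'
)

# Constructed response after hardening: no Server header, .web extension, custom error page.
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Not here</title></head>\r\n"
    '<body><p>Return to <a href="/home.web">home</a>.</p></body></html>\r\n'
)

SERVER_PRODUCT = re.compile(r"[A-Za-z][\w.-]*/\d")  # Apache/2.0.40, Microsoft-IIS/5.0, ...
KNOWN_SERVERS = re.compile(r"(?:Apache|Microsoft-IIS|nginx|lighttpd)/\d[\w.]*")
FRAMEWORK_HEADERS = ("x-powered-by", "x-aspnet-version", "content-location")
PLATFORM_COOKIES = re.compile(
    r"^(ASPSESSIONID|ASP\.NET_SessionId|PHPSESSID|CFID|CFTOKEN|JSESSIONID)", re.I
)
PLATFORM_EXTENSIONS = re.compile(
    r"""(?:href|src|action)=["'][^"'>]*\.(asp|aspx|php|cfm|jsp)\b""", re.I
)
STOCK_ERROR_TEXT = (
    "The page cannot be found",        # IIS default 404 title
    "was not found on this server",    # Apache default 404 body
)


def parse_response(raw):
    """Split a raw response into (status line, [(name, value)], body); header names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_response(raw):
    """Return a list of (category, detail) findings; an empty list means nothing obvious leaks."""
    _status, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "server" and SERVER_PRODUCT.search(value):
            findings.append(("server-header", value))
        elif name in FRAMEWORK_HEADERS:
            findings.append(("framework-header", f"{name}: {value}"))
        elif name == "set-cookie" and PLATFORM_COOKIES.match(value):
            findings.append(("platform-cookie", value.split("=", 1)[0]))
    for m in PLATFORM_EXTENSIONS.finditer(body):
        findings.append(("file-extension", m.group(0)))
    for text in STOCK_ERROR_TEXT:
        if text in body:
            findings.append(("default-error-page", text))
    for m in KNOWN_SERVERS.finditer(body):  # e.g. the Apache ServerSignature footer
        findings.append(("server-signature", m.group(0)))
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}:")
        for category, detail in audit_response(raw) or [("clean", "no identifying details found")]:
            print(f"  {category:20} {detail}")
```

Feed it the bytes of a real `GET /this-does-not-exist` response (captured with telnet or any raw client) after each configuration change; a Server header you believed you had rewritten showing up here is exactly the kind of surprise the check exists to catch.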

Final thoughts

Disguising your Web server won't make your site invulnerable to attacks or stop the ubercracker, but it'll definitely frustrate the efforts of less experienced script kiddies. And while obscurity doesn't take the place of a properly patched and configured server, it does enable you to reduce your target signature and force an attacker to move on to easier prey.

Don't give hackers and crackers valuable information about your servers. Security through obscurity isn't a new concept, but it's another valuable tool in your security toolbox.


 

Prevent hacker probing: Block bad ICMP messages

While most network administrators do a fairly good job of filtering TCP and UDP traffic, many forget to filter Internet Control Message Protocol (ICMP) traffic. ICMP traffic is necessary for troubleshooting TCP/IP and for managing its flow and proper function. However, ICMP is also dangerous. Hackers can use it to map and attack networks, so it needs to be restricted.

Like TCP and UDP, ICMP is a protocol within the TCP/IP suite that runs over IP. Unlike TCP and UDP, ICMP is a network layer protocol, not a transport layer protocol. For more information on ICMP, see RFC 792 on the Internet Engineering Task Force's (IETF) Web site.

Bad ICMP

Some ICMP message types are necessary for network administration. Unfortunately, hackers have found a way to turn a good network tool into an attack. The most common types of ICMP attacks are:

 

Good ICMP

Several common tools use ICMP and are necessary for normal administration, use, and troubleshooting on your network. These tools include ping, traceroute, and path MTU discovery.

Ping
When you ping a destination address, you're sending an ICMP message of type 8, code 0 (Echo Request) to that address. The reply is an ICMP message of type 0, code 0 (Echo Reply).

Traceroute
When you run a UNIX traceroute to a target address, you send a UDP packet with a time to live (TTL) of 1 to the target. The first router the packet hits decrements the TTL to 0 and discards the packet, since its TTL has expired. That router sends an ICMP message of type 11, code 0 (Time Exceeded, TTL exceeded in transit) back to your system, with its own address as the source. Your system displays the round-trip time for that first hop and sends out the next UDP packet with a TTL of 2.

This process continues until you receive an ICMP message of type 3, code 3 (Destination Unreachable, Port Unreachable) from the destination system, because the UDP probe was aimed at a port nothing is listening on. Traceroute is complete when your machine receives that Port Unreachable message. (Windows tracert sends ICMP Echo Requests instead of UDP, so it finishes on an Echo Reply from the destination.)

If you see three asterisks [* * *] for a hop, no ICMP reply came back within the timeout: that router may be configured not to send Time Exceeded messages, may rate-limit them, or a filter in the path may be dropping them. Traceroute keeps sending probes until the destination is reached or the maximum hop count is exceeded.

Path MTU discovery
When you begin a TCP/IP session between two machines, the stack tries to find the largest packet that can cross the path without fragmentation. This is called path MTU discovery. The initiating machine sends the largest packet it can with the DF (Don't Fragment) bit set.

If any router in the path has a smaller MTU (Maximum Transmission Unit), it drops the packet because the DF bit forbids fragmenting it, and sends an ICMP message of type 3, code 4 (Destination Unreachable, Fragmentation Needed and DF Set) back to the initiating system. The initiating system then decreases its packet size and resends. If a filter silently drops these code 4 messages, the sender never learns why its large packets are vanishing; small requests succeed while large transfers hang, the classic path MTU black hole.

The bottom line

Without getting into vendor specifics, to keep your network healthy, disable IP-directed broadcasts on all of your routers so they can't be used to amplify traffic. Letting unsolicited ping, traceroute probes, or other ICMP requests into and through your network from the Internet is an invitation for network mapping, and it could lead to an attack. Filter ICMP by type and code rather than as a block, though: the Echo Reply, Time Exceeded, and Port Unreachable messages your own ping and traceroute depend on, and above all the Fragmentation Needed (type 3, code 4) messages that path MTU discovery needs, must still be allowed back in.
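As an added example (not from the original column), this Python module decodes an ICMP header, verifies its RFC 792 checksum, and applies a border policy for ICMP arriving from the Internet. The policy is one reading of the advice above, not any vendor's configuration: replies that our own ping, traceroute, and path MTU discovery rely on are accepted, and everything else, including inbound Echo Requests, is dropped. A stateful firewall would additionally tie each reply to the outbound request that triggered it; this stateless version only shows the type/code decisions. The packets in the main block are constructed, not captured.

```python
"""Decode ICMP headers and apply an inbound border filter policy."""
import struct

# Inbound (Internet -> our network) ICMP type/code pairs that normal operation needs.
INBOUND_ALLOW = {
    (0, 0): "Echo Reply: answer to our outbound ping",
    (3, 3): "Port Unreachable: final reply to our outbound traceroute",
    (3, 4): "Fragmentation Needed / DF set: path MTU discovery must see this",
    (11, 0): "Time Exceeded in transit: per-hop traceroute reply",
}

# Names for the types that show up in the verdicts (RFC 792 assignments).
NAMES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect", 8: "Echo Request",
         11: "Time Exceeded", 13: "Timestamp Request", 17: "Address Mask Request"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (used to make the sample packets)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest + payload


def parse_icmp(packet: bytes):
    """Return (type, code, checksum_ok); raise ValueError on a truncated header."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; got %d" % len(packet))
    icmp_type, code, _csum = struct.unpack("!BBH", packet[:4])
    # A message whose checksum field is correct sums to zero under the same algorithm.
    return icmp_type, code, icmp_checksum(packet) == 0


def evaluate_inbound(packet: bytes):
    """Return ("accept" | "drop", reason) for an ICMP message arriving from the Internet."""
    try:
        icmp_type, code, ok = parse_icmp(packet)
    except ValueError as exc:
        return "drop", str(exc)
    if not ok:
        return "drop", "bad checksum"
    reason = INBOUND_ALLOW.get((icmp_type, code))
    if reason:
        return "accept", reason
    name = NAMES.get(icmp_type, "type %d" % icmp_type)
    return "drop", "%s code %d not permitted inbound" % (name, code)


if __name__ == "__main__":
    samples = {  # constructed packets, not captures
        "ping from the Internet": build_icmp(8, 0, payload=b"abcdefgh"),
        "reply to our ping": build_icmp(0, 0, payload=b"abcdefgh"),
        "traceroute hop reply": build_icmp(11, 0, payload=b"\x45" + b"\x00" * 27),
        "path MTU too big": build_icmp(3, 4, rest=b"\x00\x00\x05\xdc"),
        "router redirect": build_icmp(5, 1, rest=b"\x0a\x00\x00\x01"),
    }
    for label, pkt in samples.items():
        verdict, why = evaluate_inbound(pkt)
        print(f"{verdict:6} {label:24} {why}")
```

Whatever policy you settle on, test it from outside with the same three tools the article lists: an outbound ping and traceroute from inside should still complete, and a large transfer across a path with a reduced MTU should still succeed; if the last one hangs, you've filtered type 3, code 4.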

You can protect your network from attack by implementing three simple network rules:

 

Don't let poor configuration lead to hacker probing and attacks that are easily blocked. These three simple steps provide a lot of network security.
