Network security fundamentals
This is the first in (hopefully) a series of security articles. These will mainly be aimed at web developers, but I hope they will be helpful to anyone wanting to learn more about the subject.
As developers we are in a constant struggle – we are required to make our applications as easy as possible for the user, but we must also make them as hard as possible for hackers to crack. An important note at this stage – traditionally hackers were good programmers, while malicious programmers/hackers were known as crackers. Unfortunately thanks to Hollywood, crackers are now known as hackers. For the moment I shall continue to call them crackers – feedback on this issue would be appreciated.
A basic corporate network from a security standpoint:
Corporate networks should be behind a firewall. Any home PC that has a permanent (broadband/ADSL) connection should also have at least a software firewall such as ZoneAlarm (www.zonelabs.com). Firewalls basically work as follows:
There are 3 areas to a firewall – Untrusted, Trusted and DMZ (demilitarised zone).
The untrusted port takes in the connection to the outside world (e.g. an ADSL line).
The DMZ is an area of your network containing servers which the world can see; the most common example is your web server. Mail relay servers also sit in this area.
The trusted area is the inside LAN of your network. All your users sit in the trusted area. It is wise to use two totally different IP address ranges and subnets on the DMZ and trusted areas of the network (you have no choice on the Untrusted IP – this is allocated by your ISP). This means that even if a cracker should manage to compromise a machine in your DMZ, he will not have any information on how you have set up the trusted area of your network. It is also wise to have one administrator username and password for your trusted network, and totally separate ones for each of your servers in the DMZ. Again, should a cracker compromise an administrator username and password for one web server, your other web servers in the DMZ will remain safe. However, this should NEVER happen.
Prevention is better than cure – this cannot be over-emphasized with network security.
Picture this – you have an e-commerce site, people are happily purchasing goods through you, using their credit cards. Some malicious individual finds that he can’t get in and steal any information on people using your site, or their credit card details. He does however manage to place his own index.htm page on your site containing a skull and crossbones, and the words “You’ve been hacked!”. At this stage you may as well close down shop. It doesn’t matter how much you try to explain that no information was stolen – the bad press will destroy you. And promising to improve security in the future will not help either; the general public will have lost all confidence in your brand.
Initial Steps to protect your network:
Never have an account called administrator, guest, test or user. Remove or disable the guest account immediately. Rename the administrator account – but not to admin! Having too many usernames and passwords to remember can cause slip-ups in itself, but fortunately the entire trusted side only needs one administrator account. As I said above, it would be wise to have separately named administrator accounts for each machine in the DMZ area. These servers are the most likely to be attacked as they must have at least one port open to the world (80 and 443 for a web server), and when a window is open, someone determined enough will manage to find a way in.
Find a reliable port scanner and scan for open ports from outside of your network (e.g. from home in the evenings). There are 65353 ports, with the first 1024 known as common ports (they have something assigned to them – if programming network software, always use a port above 1024). If one of these ports is open, there is a window in. Unfortunately, to be useful, servers must have at least one port open. The main ones we are concerned with in a DMZ are 80 (http), 443 (https – secure) and 25 (smtp – for mail relay servers). All other ports should be closed down. Unfortunately Windows tends to open many ports, in order to save processing time should a program you run wish to use one of them. Nice from a user point of view, really bad from a security point of view. Portscan your network frequently from home, a friend's office, etc. If you find open ports, close them down.
It is also necessary to scan both TCP and UDP ports. As many firms only check that their TCP ports are closed, crackers will hide on the UDP ports in order to break into your machines.
Another important thing is never to call your homepage index, default or home. Set your web server to look for something else (e.g. companynamehome.asp); this way, if a hacker does manage to copy his own version of index to your web server, it won’t be displayed, as your server will be looking for something else.
Check your server logs daily. This is useful for a couple of reasons. Firstly, you can see how many people use your site each day. You can use reporting software (e.g. Crystal Reports) to show this information in a more friendly format than the text file your firewall provides. Also, you will notice if someone is repeatedly looking for suspicious things on your server – I regularly see requests for cmd.exe in our logs. If someone can get to cmd.exe they have control over your machine. It will not take long to learn to spot suspicious activity. Fortunately there are things you can do about this – if you see an IP address constantly requesting things that aren’t part of your web site, perform a whois lookup on it. The easiest way to do this is to go to www.samspade.org and enter the IP address in the IP Whois field. This will give you information on which country the person is in, and who their ISP is. If this activity continues, contact the ISP. They are then required to contact the person and explain that cracking is not acceptable through their portal.
Checking your logs regularly in this way is your best defence against crackers. If you can stop them before they get any useful information about your network, they have no way in.
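As an added illustration of the daily log check described above (this is example code, not part of the original article), the script below parses a handful of constructed Common Log Format lines, counts distinct visitors, and lists any address that has made repeated requests for things such as cmd.exe that are not part of the site, so that it can be passed on to a whois lookup. The log lines, IP addresses and the list of suspicious path fragments are all assumptions made for the example.

```python
"""Daily log check: count visitors and flag hosts repeatedly probing for
things that are not part of the site (e.g. cmd.exe). Sample data is constructed."""
import re
from collections import defaultdict

# Constructed access-log lines in Common Log Format; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2003:10:01:02 +0000] "GET /companynamehome.asp HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2003:10:01:05 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048
198.51.100.9 - - [12/Mar/2003:10:02:11 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 312
198.51.100.9 - - [12/Mar/2003:10:02:12 +0000] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
198.51.100.9 - - [12/Mar/2003:10:02:13 +0000] "GET /msadc/root.exe?/c+dir HTTP/1.0" 404 312
192.0.2.44 - - [12/Mar/2003:10:03:00 +0000] "GET /cmd.exe HTTP/1.0" 404 312
"""

# client - - [timestamp] "METHOD path PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Path fragments that have no business appearing in requests to a web site (assumed list).
SUSPICIOUS_MARKERS = ("cmd.exe", "root.exe", "/winnt/", "/system32/")


def parse_line(line):
    """Return a dict with ip/time/method/path/status, or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_suspicious(path):
    p = path.lower()
    return any(marker in p for marker in SUSPICIOUS_MARKERS)


def unique_visitors(log_text):
    """Number of distinct client addresses seen in the log."""
    return len({rec["ip"] for rec in map(parse_line, log_text.splitlines()) if rec})


def probing_hosts(log_text, threshold=2):
    """Map each IP with at least `threshold` suspicious requests to the paths it asked for."""
    hits = defaultdict(list)
    for rec in map(parse_line, log_text.splitlines()):
        if rec and is_suspicious(rec["path"]):
            hits[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}
```

Run `probing_hosts(SAMPLE_LOG)` on the sample and only 198.51.100.9 is reported, since 192.0.2.44 asked for cmd.exe just once; lower the threshold or feed it a real day's log to tune it for your site.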
Early vigilance will save you a lot of headaches and your firm a lot of embarrassment.
The methods above are just a sample of the ways you can avoid huge losses. Fortunately people are becoming more aware of the benefits of proper network security. The methods of programming you use can also have a huge impact on whether crackers can abuse your site or not. My next article will focus on these methods.
In closing I would like to say that my eyes were only opened to the importance of tight network security 6 months ago. What I found most amazing is that most crackers are not highly sophisticated individuals with great understanding of computer systems. The majority are “script kiddies” – 13 year olds who have downloaded free network security tools such as port scanners and merely learnt to run them, without any understanding of how they work. When the scanner alerts them to a vulnerability they go in and graffiti the site – they have little or no interest in stealing your data. Unfortunately, their graffiti is often enough to bring a good firm down. When I realised this, I decided that from that point onwards I wanted to have total control of my site, rather than leaving it at the mercy of such individuals. It seems to me that the best way to accomplish this is for developers to share information the same way crackers do.