Businesses and home users are moving more of their network activities to the Internet. At a minimum, most users have a dialup connection to the Internet, but broadband technologies such as DSL and cable modems enable users to watch online movies, purchase items online, exchange digital photos, download software, and listen to online music over the Internet.
With more home computers and business networks connecting to the Internet, there is considerably more opportunity for malicious attacks from hackers and saboteurs. The same danger applies to internal corporate networks in that companies must protect their data centers and computing resources from internal and external attack.
News stories are common of website invasions, erased hard drives, stolen corporate data, and lethal viruses. And with home users migrating to broadband “always-on” networks, hackers have a whole playground of unsuspecting exposed home networks. Users accessing their corporate networks from home also creates the potential for compromising the corporate network.
Network attacks occur for a variety of reasons: extortion, fraud, espionage, sabotage, or simple curiosity. The acts themselves involve a range of activities, including misuse of authorized systems, system break-ins, equipment theft, interception of network traffic, and reconfiguration of computer systems to allow for future access. Because of the nature of global networks, these attacks can (and often do) cross network and national boundaries.
How can home users and corporations protect themselves?
The most secure way to avoid attack is to not connect to a network. Although physical security (such as keeping computers behind locked doors) remains an issue, going off the net is the most secure way to reduce exposure to security risks.
Clearly, removing yourself from the net is not a practical option.
Instead, consider the concept of perimeter security. Traditionally, a firewall provides perimeter security. Firewalls sit between an unsafe, “dirty” side and a safe, “clean” side.
Suppose a home user puts a firewall between his computer and the Internet connection. The side of the firewall that connects to the Internet is the dirty side (meaning the traffic cannot be trusted), and the side of the firewall that connects to the home network is the clean side (where the traffic can be trusted). The firewall inspects packets going in either direction and determines whether it should permit or drop the traffic.
The firewall is the central location to perform any perimeter-related activities.
Firewalls are designed to combat network-related security threats. Examples of such threats include the following:
Passive eavesdropping—. Attackers use packet-capture programs to glean sensitive information or steal username/password combinations.
IP address spoofing—. An attacker pretends to be a trusted computer by using an IP address within the accepted range of internal IP addresses. This tactic is similar to assuming another identity.
Port scans—. Servers “listen” for traffic on different ports. For example, port 80 is where servers listen for web HTTP traffic. Attackers find ways to infiltrate servers through individual server ports.
Denial-of-service attack—. The attacker attempts to block valid users from accessing servers by creating TCP SYN packets that exhaust the server so it cannot handle any valid requests.
Application-layer attack—. These attacks exploit the weaknesses of certain applications to obtain illicit access to the hosting server.
Firewalls provide the ability to block these and other attacks by inspecting traffic, tracking valid sessions, and filtering traffic that looks suspect so it cannot pass.
Firewalls provide a barrier for traffic. However, some traffic might look legitimate, and some traffic might in fact be legitimate but unbeknownst to the user carry devious viruses or attack programs.
Although a firewall is sufficient for home use, corporations tend to have more at risk and choose to invest in extra measures to detect traffic patterns that a firewall can’t catch. Intrusion detection provides this ability.
Intrusion detection systems (IDSs) analyze data in real time to detect, log, and hinder misuse and attacks. Host-based IDSs monitor server operations for any mischievous events, and network-based IDSs monitor network traffic on a specific segment.
Network-based IDSs monitor traffic in real time, looking at each packet for mischievous data profiles. When a particular data flow is suspect, the IDS logs the finding and notifies the receiving router to deny the traffic and any future traffic from that source.
New viruses and new forms of attacks are introduced to networks regularly. For each security measure put in place, motivated attackers always find a way to work around it. There is no such thing as a foolproof security measure.
For that reason, network administrators and home users must be diligent in regularly updating their security software and profiles. Firewall updates can block newly found vulnerabilities. IDS updates can detect new forms of viruses or attacks.
The Internet is anarchy in a good and bad way. Companies and individuals have the burden of protecting themselves from probing individuals.
At-A-Glance—Firewalls and Intrusion Detection Systems
Firewalls and intrusions detection systems (IDSs) provide the perimeter defense of corporate and personal networks. As hackers become more sophisticated (and aggressive) in their attacks, so has the technology behind keeping networks safe. Firewalls and IDSs are a direct response to hackers.
With the advances in technology comes a great deal of innovation around the deployment of these systems, which is important to companies with public websites.
</division><division> <title>What Are the Problems to Solve?</title>The main goal with perimeter security is to keep the bad guys out of the network. The way to be absolutely sure of perimeter security is to not connect to anything. However, most companies rely on the Internet, and for some, it is a critical aspect of their business. The problem then is how to maintain an external presence and still stay relatively safe against attacks.
The answer is the three-part firewall system, which places external-facing servers into an intermediate zone in the network between two separate firewalls.
</division><division> <title>What Does a Firewall Do?</title>Firewalls keep both corporate and personal networks safe from attack by inspecting packets for known attack profiles and by acting as a proxy between you and the rest of the world.
Service companies sell packages of profiles they discover.
The proxy function works by using a “third party” address whenever you communicate with the world so that no one knows your actual IP address, the discovery of which is the basis of many attacks.
</division><division> <title>Are You a Good Packet or a Bad Packet?</title>In terms of a firewall system, good packets fall into two categories:
Good in-bound packets originate outside the external firewall and either correspond to a Transmission Control Protocol (TCP) session originated by an inside user (that is, it can only be a response packet) or access publicly available services such as web traffic.
</division>
At-A-Glance—Three-Part Firewall System
The clean net is the interior corporate network. The only “outside” packets allowed in have been inspected and have the acknowledgment to a TCP packet generated from an inside computer.
</division><division> <title>Inside Filter (Firewall System Part One)</title>The inside filter performs the functions of both firewall and IDS. In addition to blocking attacks such as denial of service (DoS), it inspects every packet, making sure that no externally initiated TCP sessions reach the clean net. (Hackers can gain access by spoofing a session.) The inside filter trashes any packets of questionable origin. It also inspects outbound packets to ensure compliance with corporate policy.
</division><division> <title>Isolation LAN (Firewall System Part Two)</title>The isolation LAN or demilitarized zone (DMZ) acts as a buffer between outside-facing (web) applications and the clean LAN. Servers in the isolation LAN are called bastion hosts, and outsiders use them for access to public web pages or FTP servers. These servers are secure, but are still prone to hackers.
</division><division> <title>Outside Filter (Firewall System Part Three)</title>The outside filter is a firewall that screens for TCP replies and UPD packets assigned to port numbers associated with whatever bastions hosts are present. This firewall should only have static routes assigned, and simple rules because complicated processes are prone to errors and hackers love errors!
</division><division> <title>The Dirty Net</title>The Internet is often referred to as “the dirty net” by network and security admins who, in the interest of network security, assume every packet was sent by a hacker until proven otherwise. The majority of users are honest, but this attitude can and does prevent disasters.
</division><division> <title>Hackers and Their Evil Ways</title>Hackers use a number of tools and tricks to exploit networks, including (but not limited to) DoS attacks, IP address spoofing, viruses, worms, Trojan horses, and e-mail bombs. The chapter, “Hacking” discusses this subject in detail.
</division>
