Network Maintenance, Monitoring, and Control

Remote Control

Figure 9-21: Opening a new TCP/IP connection from a Windows PC

Figure 9-22: Opening a new TCP/IP connection from a Macintosh

Note: If a Macintosh has multiple monitors, then Timbuktu Pro shows only the start-up monitor, that is, the one containing the menu bar.

Figure 9-23: Opening a new AppleTalk connection

Figure 9-24: A Macintosh screen in a Timbuktu Pro window on a Windows PC

Figure 9-25: A Windows 95 screen in a Timbuktu Pro window on a Macintosh

File Exchange

Timbuktu supports two types of file exchange, which it calls "sending" files and "exchanging" files. Sending a file transfers it to a single drop folder on the remote computer. Exchanging files gives the remote user complete control over where transferred files are placed, as in Figure 9-26. The interface for exchanging files from a Windows machine is identical to the Macintosh interface.

Messaging

Timbuktu Pro provides two ways to exchange real-time messages. The first is through a relatively standard chat room interface, such as that in Figure 9-27. A user can add himself or herself to a chat session, or a user can add a remote computer to a chat session (assuming that the remote user has the access rights to do so).

Figure 9-26: Using Timbuktu Pro to exchange files

Figure 9-27: Timbuktu Pro chat

If networked computers are equipped with microphones and speakers, Timbuktu Pro provides an intercom service that allows users to speak with each other (see Figure 9-28). This can be an alternative to a long-distance phone call when the remote user has dialed in to the network from some other location, perhaps using a dedicated line. (If the remote user is paying long-distance charges to connect to the network, of course there would be no savings.)

Figure 9-28: Establishing a Timbuktu Pro intercom session

Security Issues

People, including yours truly, have written entire books on network security, and no single book can possibly cover the entire topic. But if you talk to professionals in businesses both large and small, their overriding concern today is network security. We would be horribly remiss if we didn't at least try to look at the major issues facing the operator of a network of any size and introduce you to some of the ways in which you can protect your network.

This chapter is an overview of both security threats and security fixes. It can't provide everything you need to know, but it will alert you to things you should watch and resources you should have at your fingertips.

Security Threats to Home and Small Offices

Is anyone really out there to get you, with your small network? Yes, they are. Well, not necessarily you in particular, but certainly the resources that your network can provide to help them with their larger attacks. You may also have content on your network that someone would want to steal. And just as important, there may be legal requirements for privacy that you must enforce.

From where does the danger come? Over the Internet and from your internal network. You have to be aware of dangers from both sources.

Malware

Malware is short for "malicious software," any software that could do something nasty to your network. There are several types of malware, each of which propagates differently and has a different goal:

- Virus: A virus is a self-propagating piece of software that runs as an executable program on a target machine. It is not, however, a stand-alone piece of software. It must piggyback on something else, such as a piece of e-mail or other application program, and is "installed" on a victim machine when the user accesses the host software. A virus's effect can be relatively benign, such as displaying a dialog box, or it can be seriously destructive, deleting files from a hard disk, causing a computer to reboot repeatedly, and so on. Some viruses are known to be polymorphic, meaning that they can change themselves as they propagate so that each copy looks a bit different from all others.
- Worm: A worm is a self-propagating piece of stand-alone software that has effects similar to a virus. It can cause a denial-of-service attack or can damage items stored on a computer.
- Trojan horse: A Trojan horse is a piece of software that appears to be one thing, but is, in fact, another. Some Trojan horses are installed by crackers for their use as back doors into a system they have cracked. Others might record a user's keystrokes to a file that can be retrieved later by a system cracker.
- Spyware: Spyware originally was intended as a tool for shareware authors to include advertising in their software as a way to raise revenue. The spyware (originally called adware) was to be installed with the shareware, show pop-up advertising, and, most important, send information about the computer on which it was running back to the advertiser. The idea was that the advertiser would collect only demographic information for use in targeted advertising campaigns. However, today spyware collects private information without the knowledge or consent of the person whose information is being collected and uses the victim's own Internet bandwidth to transmit the information.

Malware is easily disseminated. Not only can it be delivered through e-mail, but it travels quite nicely on removable media, such as floppy disks, CDs, DVDs, and USB flash drives.

Denial-of-Service Attacks

A denial-of-service (DoS) attack attempts to prevent legitimate users from accessing a computing resource.
DoS attacks can take several forms:

- Overwhelm a network: The attack can flood a network with so many packets that legitimate traffic slows to a crawl.
- Overwhelm a server: The attack can flood a single server with so much traffic that legitimate users can't access the server.
- Bring down a server: The attack can cause a server to crash.

You can't prevent an attacker from launching a DoS attack, but you can detect one in progress and take steps to mitigate its impact. In addition, you can prevent hosts on your network from being unwitting parties to a distributed DoS, a DoS attack in which the source is multiple computers.

The earliest DoS attacks were launched from a single source computer. They are attractive types of attacks to system crackers because they don't require any account access. The attacker launches packets from his or her machine that compromise the victim by taking advantage of the victim's natural behavior to communication requests.

A distributed DoS attack uses multiple source computers to disrupt its victims. This does not mean that the attack is coming from multiple attackers, however. The most typical architecture, in fact, is a single attacker or small group of attackers who trigger the attack by activating malware previously installed on computers throughout the world (zombies).

In most cases, DoS attacks don't damage what is stored on a network's hosts, but they can cause major losses of business revenue because they prevent an organization from functioning normally. It is therefore important to monitor your network for DoS activity.

Authentication Vulnerabilities

For most networks, users are authenticated (identified as being who they say they are) by supplying a user name and password. Once an authorized pair is recognized by the computer, the human has access to all system resources available to that user name. But passwords aren't necessarily an adequate means of authenticating users.
Poor passwords make it easy for a hacker to gain access to user accounts, which the hacker can then further manipulate to upgrade to a system administrator account.

General wisdom says that users should create strong passwords (more on strong passwords shortly) and that passwords should be changed every 60 days or so. New passwords should not use any portion of the preceding password. For example, users shouldn't take a word and simply add a different number at the end each time they recreate their password, nor should they be able to reuse passwords that have been used in the recent past. In addition, users should use different passwords for each account.

Certainly you want strong passwords, but should passwords be changed so frequently? The theory behind changing passwords frequently is that a moving target is much harder to decipher. At the same time, however, a password that is changed frequently is much harder to remember, and when users can't remember their passwords, they write them down. You might find a password on a sticky note stuck to a monitor or on a little slip of paper in the middle drawer of a desk. The problem, of course, is exacerbated when users are dealing with passwords for multiple accounts.

Current wisdom states that the best user authentication includes three things: something you know (the user name and password), something you have (a physical token), and who you are (biometrics, such as a fingerprint or retina scan). Although biometrics are moving slowly into the mainstream, physical tokens are becoming much more prevalent. In fact, U.S. banks are now required by law to provide a form of authentication beyond user names and passwords for large business customers to access online banking. (Once the banks have worked out procedures for large businesses, expect to see the same thing propagate down to the consumer level.)
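
The password-change rules described above (no portion of the preceding password, no word with a new trailing number, no recent reuse, a maximum age of about 60 days) can be enforced at change time. This is an added Python example, not code from the book; the function names and the MIN_SHARED, HISTORY_DEPTH and ROUNDS values are assumptions.

```python
import hashlib
import hmac
import os
from datetime import timedelta

MAX_AGE = timedelta(days=60)  # "every 60 days or so", from the text
MIN_SHARED = 4        # assumption: run length that counts as "a portion"
HISTORY_DEPTH = 5     # assumption: how many past passwords are "recent"
ROUNDS = 100_000      # assumption: PBKDF2 work factor for history hashes
DIGITS = "0123456789"


def hash_password(password, salt=None):
    """Return (salt, digest). History stores these, never plaintext."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def shares_portion(old, new, n=MIN_SHARED):
    """True if any n-character run of the old password occurs in the new one."""
    old, new = old.lower(), new.lower()
    return any(old[i:i + n] in new for i in range(len(old) - n + 1))


def is_expired(last_changed, now):
    """True once the password is older than MAX_AGE."""
    return now - last_changed > MAX_AGE


def check_change(current, new, history):
    """Return the rules the new password breaks; an empty list means accept."""
    # current: plaintext typed to authorise the change; history: (salt, digest) pairs
    problems = []
    base = current.rstrip(DIGITS).lower()
    if base and base == new.rstrip(DIGITS).lower():
        problems.append("same word with a different trailing number")
    elif shares_portion(current, new):
        problems.append("reuses a portion of the preceding password")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(new, salt)[1], digest):
            problems.append("reuses a recent password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    old = [hash_password("Maple-Orbit-17")]
    print(check_change("Winter2023", "Winter2024", old))
```

The portion check runs only against the current password because that is the only plaintext available at change time. Older passwords exist only as salted hashes, so they can be matched exactly but not compared by substring.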

Employees and Other Local People

A good portion of the attacks to which a network is subject today don't necessarily involve compromising your security with sophisticated electronic attacks. Some involve manipulation by employees and other local people.

What can your employees do? They're the ones who have legitimate access to the network. If they can be manipulated into revealing information about their accounts, then a hacker can log into your network. This type of attack is known as social engineering. (It is also the technique behind many attempts to gather information for identity theft.)

To understand social engineering, think "Mission Impossible" (the TV series) on a small scale. The person trying to obtain system access typically engages in a simple role play that tricks someone out of supposedly confidential information. Here's how such an escapade might play out when a CEO's secretary answers the telephone.

SECRETARY: Big Corporation. How may I help you?
CRACKER: Good morning. This is John Doe from Standard Software. We're the people who supply your accounting software. Your IT department has purchased a software upgrade that needs to be installed on your computer. I can do it over the Internet, without even coming into your office and disrupting your work.
SECRETARY: Say, that sounds terrific. Is there anything I need to do?
CRACKER: All I need is your user name and password. Then I'll upload the new files.
SECRETARY: Sure, no problem. My user name is Jane Notsmart; my password is Jane.